Security News
The latest cybersecurity news, collected from a wide range of security websites.
2025-05-07 00:19:51
Jury orders NSO Group to pay $168 million to WhatsApp for facilitating Pegasus hacks of its users
The six-year case is the culmination of a Meta lawsuit filed in 2019, which argued that the NSO Group repeatedly attacked WhatsApp with spyware vectors, continuing to break into its systems even as the social media giant patched vulnerabilities.
by The Record
2025-05-06 22:03:14
Fake SSA Emails Trick Users into Installing ScreenConnect RAT
Cybercriminals are using fake Social Security Administration emails to distribute the ScreenConnect RAT (Remote Access Trojan) and compromise…
by Hackread
2025-05-06 21:24:58
Researcher Says Patched Commvault Bug Still Exploitable
CISA added CVE-2025-34028 to its Known Exploited Vulnerabilities catalog, citing active attacks in the wild.
by Dark Reading
2025-05-06 21:20:42
NSO Group must pay more than $167 million in damages to WhatsApp for spyware campaign
The five-year legal battle between the Meta-owned company and the most notorious spyware maker in the world ends with a huge win for WhatsApp.
by TechCrunch
2025-05-06 21:03:00
Hackers Exploit Samsung MagicINFO, GeoVision IoT Flaws to Deploy Mirai Botnet
Threat actors have been observed actively exploiting security flaws in GeoVision end-of-life (EoL) Internet of Things (IoT) devices to corral them into a Mirai botnet for conducting distributed denial-of-service (DDoS) attacks. The activity, first observed by the Akamai Security Intelligence and Response Team (SIRT) in early April 2025, involves the exploitation of two operating system command
by The Hacker News
2025-05-06 20:26:35
'Easily Exploitable' Langflow Vulnerability Requires Immediate Patching
The vulnerability, which has a CVSS score of 9.8, is under attack and allows threat actors to remotely execute arbitrary commands on servers running the agentic AI builder.
by Dark Reading
2025-05-06 20:24:44
The Signal Clone Mike Waltz Was Caught Using Has Direct Access to User Chats
A new analysis of TM Signal’s source code appears to show that the app sends users’ message logs in plaintext. At least one top Trump administration official used the app.
by WIRED Security News
2025-05-06 20:08:09
Lawmakers grill Noem over CISA funding cuts, demand Trump cyber plan
House members pushed Homeland Security Secretary Kristi Noem for answers about a large proposed cut to CISA spending and a promised national cybersecurity plan from the White House.
by The Record
2025-05-06 19:40:51
Hack The Box partners with Norwich University to revolutionize cybersecurity education
by Hack The Box Blog
2025-05-06 19:38:02
DOD cyber policy nominee vows to ‘revaluate’ offensive cyber guardrails
Katie Sutton, nominated to serve as assistant secretary of defense for cyber policy, told lawmakers that the U.S. needs to be able to effectively respond to cyberattacks.
by The Record
2025-05-06 19:33:07
Combatting the Top Three Sources of Risk in the Cloud
The biggest sources of risk in the cloud are misconfigurations, IAM failures, and infrastructure that is unprepared to handle cross-domain threats. Learn how AI-powered cloud security tools can help security teams identify and mitigate these risks.
by Darktrace
2025-05-06 19:27:19
Tulsi Gabbard Reused the Same Weak Password on Multiple Accounts for Years
Now the US director of national intelligence, Gabbard failed to follow basic cybersecurity practices on several of her personal accounts, leaked records reviewed by WIRED reveal.
by WIRED Security News
2025-05-06 19:25:00
Qilin Becomes Top Ransomware Group Amid RansomHub Uncertainty
Qilin became the top ransomware group in April amid uncertainty over the status of RansomHub, according to a Cyble blog post published today. RansomHub’s data leak site (DLS) went offline on April 1, and DragonForce claimed it had taken over RansomHub’s infrastructure and appealed to RansomHub affiliates to join it. Instead, it appears that Qilin may have gained the most from the uncertainty, Cyble reported, as Qilin took over the top spot in April with 74 claimed victims (image below). DragonForce ended the month with 21 claimed victims.
[Figure: Qilin emerged as the top ransomware group in April (Cyble)]
Cyble said the RansomHub-DragonForce saga “highlights not only the volatility within the cybercriminal underworld but also the high-stakes competition driving rapid evolution in ransomware capabilities.”
Ransomware Attacks Declined in April
The total number of claimed ransomware attacks declined in April, Cyble said, as the uncertainty and chaos among the top groups may have had some effect. Cyble recorded 450 claimed ransomware victims in April, down from 564 in March, but noted that “the long-term trend for ransomware attacks remains decidedly upward so April’s decline could be reversed as soon as new RaaS leaders are established.” The U.S. led once again with 234 attacks, 52% of the global total (image below) and more than twice as many attacks as all of Europe (108).
[Figure: April 2025 ransomware attacks by country (Cyble)]
Cyble noted some variations among the leading ransomware groups in global regions. RALord, a new group, was prominent in the META region (Middle East, Turkey and Africa), while Sarcoma claimed a number of victims in the Asia-Pacific and Australia-New Zealand regions. Play was the most active ransomware group targeting the U.S., with 42 victims.
Ransomware Attacks Threaten Software Supply Chain
Cyble recorded two new ransomware groups in April: Silent Team, which claimed two victims, a U.S.-based engineering company and a Canadian aerospace manufacturer; and Gunra, which claimed three victims – a Japan-based real estate company, a medical firm in Egypt, and a Panama-based beverage and distribution company.
Cyble noted a number of potentially serious ransomware incidents in April, some of which could result in software supply chain and downstream customer attacks. An IT services subsidiary of a large international conglomerate may have been victimized by the Akira ransomware group. The Play ransomware group claimed two U.S.-based software companies that provide critical services such as security applications, network operations center (NOC) solutions, and business consulting software, “raising concerns about potential downstream supply chain impacts.” Akira claimed responsibility for compromising a U.S.-based energy cooperative that supplies electricity to rural areas in ten northeast Georgia counties. Ransomware as a Service (RaaS) affiliate DevMan, working with DragonForce, claimed to have compromised a Chinese critical infrastructure construction company, and Qilin and DevMan claimed to compromise a Taiwan-based LCD technology company and a UAE-based IT and IT services company. Qilin claimed a France-based software provider serving the transportation and logistics industry as a victim. Exfiltrated data included source code, product development materials, and other sensitive data. Qilin also claimed a major South Korean industrial conglomerate as a victim. The Hellcat ransomware group said it compromised a China-based company specializing in display technologies and electronic solutions. The Rhysida ransomware group claimed as a victim a U.S.-based company involved in engineering, architecture, and critical infrastructure projects.
Cyble said the incidents highlight “the enduring importance of cybersecurity best practices for protecting against a wide range of cyber threats. Even as leading threat groups change, consistent application of good security practices is critical for building organizational resilience and limiting the impact of any cyberattacks that do occur.”
by The Cyber Express
2025-05-06 19:21:13
Massive cybercrime operation traced back to Myanmar warlord
Warlord believed to be using control over the Karen region as a hub for fraud and cybercrime activities.
by SC Media
2025-05-06 19:12:00
T-Mobile's data breach settlement payments finally rolling out this month - after April delay
After a 2021 data breach exposed the data of 76 million customers, settlement checks are finally being sent out. Here's what you need to know.
by ZDNET Security
2025-05-06 19:06:00
New Investment Scams Use Facebook Ads, RDGA Domains, and IP Checks to Filter Victims
Cybersecurity researchers have lifted the lid on two threat actors that orchestrate investment scams through spoofed celebrity endorsements and conceal their activity through traffic distribution systems (TDSes). The activity clusters have been codenamed Reckless Rabbit and Ruthless Rabbit by DNS threat intelligence firm Infoblox. The attacks have been observed to lure victims with bogus
by The Hacker News
2025-05-06 18:49:33
ClickFix Scam: How to Protect Your Business Against This Evolving Threat
Cybercriminals aren’t always loud and obvious. Sometimes, they play it quiet and smart. One of the tricks of…
by Hackread
2025-05-06 17:54:39
Samsung MagicINFO flaw exploited days after PoC exploit publication
Threat actors started exploiting a vulnerability in Samsung MagicINFO only days after a PoC exploit was published. Arctic Wolf researchers observed threat actors beginning to exploit a high-severity vulnerability, tracked as CVE-2024-7399 (CVSS score: 8.8), in the Samsung MagicINFO content management system (CMS) just days after proof-of-concept (PoC) exploit code was publicly released. The vulnerability […]
by Security Affairs
2025-05-06 17:47:51
Mamona ransomware lowers the bar with offline encryption
Simplistic “commodity” ransomware makes it easy to launch low-skill attacks.
by SC Media
2025-05-06 17:00:00
Deepfake Porn Bots, Skype, dd, Venom Spider, CISA, IT Helpdesk, Rob Allen... - Rob Allen - SWN #474
by SC Media
2025-05-06 16:55:00
Third Parties and Machine Credentials: The Silent Drivers Behind 2025's Worst Breaches
It wasn't ransomware headlines or zero-day exploits that stood out most in this year's Verizon 2025 Data Breach Investigations Report (DBIR) — it was what fueled them. Quietly, yet consistently, two underlying factors played a role in some of the worst breaches: third-party exposure and machine credential abuse. According to the 2025 DBIR, third-party involvement in breaches doubled
by The Hacker News
2025-05-06 16:46:00
Government industrial strategy will back cyber tech in drive for economic growth
With over 2,000 cyber security businesses across the UK the government plans to target cyber as a priority to grow the economy
by ComputerWeekly
2025-05-06 16:39:39
Two Hacks, One Empire: The Cyber Assaults Disney Didn’t See Coming
Disney was hit by two major 2024 cyberattacks, an ex-employee’s sabotage and a hacker’s AI trap, exposing internal…
by Hackread
2025-05-06 16:35:00
Microsoft Warns Default Helm Charts Could Leave Kubernetes Apps Exposed to Data Leaks
Microsoft has warned that using pre-made templates, such as out-of-the-box Helm charts, during Kubernetes deployments could open the door to misconfigurations and leak valuable data. "While these 'plug-and-play' options greatly simplify the setup process, they often prioritize ease of use over security," Michael Katchinskiy and Yossi Weizman from the Microsoft Defender for Cloud Research team
by The Hacker News
2025-05-06 16:09:22
MIWIC25: Stephanie Itimi, Director of Information Protection and Compliance, Age UK, Founder & Chair, Seidea CIC
Organised by Eskenzi PR in media partnership with the IT Security Guru, the Most Inspiring Women in Cyber Awards aim to shed light on the remarkable women in our industry. The following is a feature on one of 2024’s Top 20 women selected by an esteemed panel of judges. Presented in a Q&A format, the nominee’s answers are […]
by IT Security Guru
2025-05-06 16:00:37
Applying the OODA Loop to Solve the Shadow AI Problem
By taking immediate actions, organizations can ensure that shadow AI is prevented and used constructively where possible.
by SecurityWeek
2025-05-06 15:50:12
More From Our Main Blog: Protection Against Local Upgrade Technique Described in Aon Research
SentinelOne protects users from local upgrade bypass techniques by implementing controls like the Local Upgrade Authorization feature.
by SentinelOne
2025-05-06 15:43:12
Lights Out and Stalled Factories: Using M.A.T.R.I.X to Learn About Modbus Vulnerabilities
Let’s explore the critical role of Modbus in energy and manufacturing systems, then demonstrate real-world exploitation techniques using Docker-based simulations and the custom-built Python tool M.A.T.R.I.X.
by SpiderLabs Blog
2025-05-06 15:30:00
Entra ID Data Protection: Essential or Overkill?
Microsoft Entra ID (formerly Azure Active Directory) is the backbone of modern identity management, enabling secure access to the applications, data, and services your business relies on. As hybrid work and cloud adoption accelerate, Entra ID plays an even more central role — managing authentication, enforcing policy, and connecting users across distributed environments. That prominence also
by The Hacker News
2025-05-06 15:18:19
Critical 9.8 Langflow RCE bug added to CISA vulnerability list
Low-code AI builder is a leading tool for building agentic AI workflows.
by SC Media
2025-05-06 15:00:18
California fines clothing retailer, orders changes in privacy business practices
The California Privacy Protection Agency (CPPA) on Tuesday announced a six-figure fine and an order demanding significant business practice changes for a national clothing retailer which allegedly used a flawed privacy portal.
by The Record
2025-05-06 14:50:49
Eliminate Shadow IT: 5-Day Blitz Campaign
If your organization is one of the many facing increasing unauthorized technology adoption, follow this strategic five-day plan to combat shadow IT.
by ITPro Today
2025-05-06 14:45:09
CISA Warns 2 SonicWall Vulnerabilities Under Active Exploitation
The vulnerabilities affect SonicWall's SMA devices for secure remote access, which have been heavily targeted by threat actors in the past.
by Dark Reading
2025-05-06 14:30:00
Toyota Financial Services Notifies Customers of Data Breach
Toyota Financial Services (TFS) has begun notifying customers of a data breach discovered in early February 2025 that exposed sensitive personal information, including names and Social Security numbers. Affected individuals were informed via letters mailed on May 1, nearly three months after the incident was first identified. The breach was detected on February 7, 2025, …
by Cyber Insider
2025-05-06 14:25:54
NSA to cut up to 2,000 civilian roles as part of intel community downsizing
The agency is expected to make the cuts by the end of year, however that deadline could change as it is tied to the Defense Department’s broader push to reduce its budget by 8 percent in each of the next five years.
by The Record
2025-05-06 14:25:25
RSAC 2025 executive interview: CTG's Chad Alessi
CTG's Chad Alessi discusses the cybersecurity challenges facing middle-market companies.
by SC Media
2025-05-06 14:17:39
Ransomware Attacks April 2025: Qilin Emerges from Chaos
Global ransomware attacks in April 2025 declined to 450 from 564 in March – the lowest level since November 2024 – as major changes among the leading Ransomware-as-a-Service (RaaS) groups caused many affiliates to align with new groups. Still, the long-term trend for ransomware attacks remains decidedly upward (chart below) so April’s decline could be reversed as soon as new RaaS leaders are established.
[Figure: Ransomware attacks by month 2021-2025]
For now, the uncertainty at RansomHub – which went offline at the start of April but plans to return – resulted in new groups taking over the top global attack spots. Qilin, which gained affiliates from the RansomHub uncertainty, led all groups with 74 attacks claimed in April (chart below), followed by Akira at 70, Play with 50, Lynx with 31 attacks, and NightSpire at 24. DragonForce, which claimed to be taking over RansomHub’s infrastructure, claimed 21 victims in April, up from 16 in March.
[Figure: Top ransomware groups April 2025]
RansomHub, which has led all groups since early 2024, claimed just three attacks, all on April 1, the day the group’s data leak site (DLS) went offline. In a note to clients, Cyble said the RansomHub-DragonForce clash “highlights not only the volatility within the cybercriminal underworld but also the high-stakes competition driving rapid evolution in ransomware capabilities.” Meanwhile, hacktivist groups are increasingly moving into ransomware, suggesting no shortage of threat actors willing to use this destructive malware. While no industry was spared the scourge of ransomware attacks in April, several attacks hit software and IT companies, raising the potential for downstream supply chain impacts.
U.S. Again Leads in Ransomware Attacks
The U.S. once again led all countries in ransomware attacks, with 234 attacks, or 52% of the global total, followed by Canada, Germany, Italy and the UK (chart below).
[Figure: Regional Ransomware Impact (Top 5)]
In the U.S., the Play ransomware group claimed the most attacks with 42 (chart below), followed by Qilin, Akira, Lynx and DragonForce, which was largely focused on U.S. targets.
[Figure: U.S. ransomware groups April 2025]
In the UK and Europe, Akira was the top attacker, while Spain and Switzerland rounded out the top five European countries for ransomware attacks (charts below). There were 108 claimed attacks in total in the region.
[Figures: Europe & UK ransomware groups April 2025; Europe & UK ransomware attacks April 2025]
In the META region (Middle East, Turkey and Africa), RALord – a new group that emerged in March – and Cicada3301 were the top attackers, while Egypt, the UAE and Saudi Arabia were the most attacked countries (charts below). There were 12 claimed attacks in total in the META region in April.
[Figures: META ransomware groups April 2025; META ransomware attacks by country]
The Asia-Pacific region (APAC) saw 36 attacks in April 2025, with Qilin, Akira and NightSpire the top attackers, and Taiwan and Singapore the most attacked countries (charts below).
[Figures: Top APAC ransomware groups April 2025; APAC ransomware attacks by country]
Australia and New Zealand saw nine claimed attacks, seven in Australia and two in New Zealand, while Sarcoma, Qilin and Akira were the top attackers (chart below).
[Figure: ANZ ransomware groups April 2025]
Ransomware Attacks and New Groups
Cyble observed the emergence of two new ransomware groups in April. Silent Team surfaced with an onion data leak site (DLS), claiming two victims: a U.S.-based engineering company and a Canadian aerospace manufacturer. According to the leak site, the group allegedly exfiltrated 2.85 TB of data across 597,028 files and posted multiple samples showing internal documents, ID scans, technical schematics, database structures, engineering blueprints of aircraft, and other sensitive documents. The Silent Team DLS design mimics that of Hunters International. No known encryptor samples have yet surfaced.
A newly identified ransomware group, tentatively named Gunra by the threat intelligence community, has surfaced with an onion data leak site. The group has listed three victims so far: a Japan-based real estate company; a medical firm in Egypt; and a Panama-based beverage and distribution company.
Below are some of the potentially more sensitive incidents involving ransomware groups in April.
An IT services subsidiary of a large international conglomerate confirmed that it was impacted by a ransomware incident, believed to be the responsibility of the Akira ransomware group. The incident may have impacted multiple projects tied to government entities, raising broader concerns about potential supply chain effects.
The Play ransomware group claimed responsibility for compromising two U.S.-based software companies that provide critical services such as security applications, network operations center (NOC) solutions, and business consulting software, raising concerns about potential downstream supply chain impacts. The attackers claim to have exfiltrated private and personal confidential data, client documents, budgets, payroll information, accounting records, tax documents, IDs, and other sensitive financial information. Given the nature of the services provided by the victims, Cyble said there is a heightened risk of broader disruption across multiple sectors reliant on the companies’ software and consulting offerings.
The Akira ransomware group claimed responsibility for compromising a U.S.-based energy cooperative that supplies electricity to rural areas across ten northeast Georgia counties.
RaaS affiliate and threat actor DevMan announced a new set of victims on their DLS, including a Chinese critical infrastructure construction company, and claimed to exfiltrate 50 GB of data and encrypt it with DragonForce ransomware. Previously, DevMan has claimed to be working with Qilin and Apos RaaS groups, and the recent claims add DragonForce to their multi-RaaS affiliations. To date DevMan has claimed nine victims, mostly in affiliation with Qilin. Qilin and DevMan also claimed to compromise a Taiwan-based LCD technology company and a UAE-based IT & IT services company.
Qilin claimed responsibility for compromising a France-based software provider serving the transportation and logistics industry. The group claims that it encrypted the company’s network and exfiltrated over 1.1TB of data, including offers, videos, archives, contracts, ACS-related data, source code, customer documents, logistics data, databases, OneDrive-stored files, product development materials, and employee personal records. Qilin also claims to have compromised a major South Korean industrial conglomerate, including the theft of over 1TB of sensitive data.
The Hellcat ransomware group allegedly compromised a China-based company specializing in display technologies and electronic solutions. The threat actor claims to have exfiltrated 166 GB of data, including blueprints, financial records, and internal correspondence.
The Rhysida ransomware group claimed responsibility for compromising a U.S.-based company involved in engineering, architecture, and critical infrastructure projects.
Conclusion
The ever-present and growing threat of ransomware highlights the enduring importance of cybersecurity best practices for protecting against a wide range of cyber threats. Even as leading threat groups change, consistent application of good security practices is critical for building organizational resilience and limiting the impact of any cyberattacks that do occur. Those basic defensive and cyber hygiene practices include prioritizing vulnerabilities based on risk, protecting web-facing assets, segmenting networks and critical assets, implementing ransomware-resistant backups and Zero Trust principles, proper configuration and secrets protection, hardened endpoints and infrastructure, and network, endpoint and cloud monitoring.
Cyble’s comprehensive attack surface management solutions can help by scanning network and cloud assets for exposures and prioritizing fixes, in addition to monitoring for leaked credentials and other early warning signs of major cyberattacks. For more free threat intelligence data, see Cyble’s monthly threat landscape and other research reports (registration required).
by CYBLE
2025-05-06 14:16:00
Apache Parquet exploit tool detect servers vulnerable to critical flaw
A proof-of-concept exploit tool has been publicly released for a maximum severity Apache Parquet vulnerability, tracked as CVE-2025-30065, making it easy to find vulnerable servers. [...]
by BleepingComputer
2025-05-06 14:11:24
RSAC 2025 executive interview: Sonatype's Brian Fox
Sonatype's Brian Fox discusses how unmanaged open source AI presents serious risk to organizations.
by SC Media
2025-05-06 14:00:00
Addressing the Top Cyber-Risks in Higher Education
As attacks accelerate, security leaders must act to gain visibility across their entire institution's network and systems and continuously educate their users on best practices.
by Dark Reading
2025-05-06 13:59:38
CISOs Take Note: Is Needless Cybersecurity Strangling Your Business?
Building strong, resilient cybersecurity is essential. On the other hand, obsolete, redundant, and defective cybersecurity technologies can make things worse — much worse.
by ITPro Today
2025-05-06 13:57:40
RSAC 2025 executive interview: BeyondTrust's Morey Haber
BeyondTrust's Morey Haber discusses its annual Microsoft Vulnerabilities report.
by SC Media
2025-05-06 13:55:46
Experts warn of a second wave of attacks targeting SAP NetWeaver bug CVE-2025-31324
Threat actors launch second wave of attacks on SAP NetWeaver, exploiting webshells from a recent zero-day vulnerability. In April, ReliaQuest researchers warned that a zero-day vulnerability, tracked as CVE-2025-31324 (CVSS score of 10/10), in SAP NetWeaver is potentially being exploited. Thousands of internet-facing applications are potentially at risk. The flaw in SAP NetWeaver Visual Composer Metadata Uploader […]
by Security Affairs
2025-05-06 13:52:26
Co-op Confirms Member Data Breach Following Cyberattack Incident
Co-op has officially confirmed that hackers accessed and exfiltrated member data in a recent cyberattack, marking a significant escalation in a wave of coordinated intrusions targeting UK retail giants. The breach affects the personal data of members, though no financial information or passwords appear to have been compromised. The announcement came directly from Shirine Khoury-Haq, …
by Cyber Insider
2025-05-06 13:36:48
“Your privacy is a promise we don’t break”: Dating app Raw exposes sensitive user data
A relatively new app called Raw that aims to rewrite the rules of dating is the latest to trip over its coattails by exposing user data to anyone who asked for it.
by Malwarebytes Labs
2025-05-06 13:26:06
How to securely attach an Apple AirTag to pretty much anything
The UFO-like design of AirTags makes them a pain to attach to things. But I found a solution that makes the best finder tags available much easier to use.
by ZDNET Security
2025-05-06 13:10:23
Samsung MagicINFO 9 Server RCE flaw now exploited in attacks
Hackers are exploiting an unauthenticated remote code execution (RCE) vulnerability in the Samsung MagicINFO 9 Server to hijack devices and deploy malware. [...]
by BleepingComputer
2025-05-06 13:10:00
Future-proof your secure internet access with the new generation of web security devices
Barracuda is excited to announce a new generation of advanced web security devices. Get the details in this post.
by Barracuda
2025-05-06 13:09:24
Android fixes 47 vulnerabilities, including one zero-day. Update as soon as you can!
Google has patched 47 Android vulnerabilities in its May update, including an actively exploited FreeType vulnerability.
by Malwarebytes Labs
2025-05-06 13:08:40
RCE flaw in tool for building AI agents exploited by attackers (CVE-2025-3248)
A missing authentication vulnerability (CVE-2025-3248) in Langflow, a web application for building AI-driven agents, is being exploited by attackers in the wild, CISA has confirmed by adding it to its Known Exploited Vulnerabilities (KEV) catalog.
About CVE-2025-3248
Langflow is an open-source, Python-based app that allows users to create AI agents (e.g., chatbots assistants) and workflows without actually writing any code. Instead, they simply drag, drop and chain LLM components and add the necessary inputs. Unfortunately, …
by Help Net Security
2025-05-06 13:00:36
U.S. CISA adds Langflow flaw to its Known Exploited Vulnerabilities catalog
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Langflow flaw to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Langflow flaw, tracked as CVE-2025-3248 (CVSS score of 9.8), to its Known Exploited Vulnerabilities (KEV) catalog. Langflow is a popular tool used for building agentic AI workflows. CVE-2025-3248 is a […]
by Security Affairs
2025-05-06 13:00:18
Webinar: Securely migrating to the cloud
Whether your organization is already in the cloud or just starting to plan your migration, security is a top priority. This webinar will help you to better understand your options for cloud migration as well as learn how to prioritize cloud security and compliance before you’re even in the cloud using resources from the Center for Internet Security (CIS).
by Help Net Security
2025-05-06 13:00:10
Hacker Conversations: John Kindervag, a Making not Breaking Hacker
John Kindervag is best known for developing the Zero Trust Model. He is a hacker, but not within our common definition of a hacker today.
by SecurityWeek
2025-05-06 13:00:00
CyberheistNews Vol 15 #18 [Eye Opener] Sneaky New Attack. What is Device Code Phishing?
by KnowBe4
2025-05-06 12:54:00
Unspoken risk: Human factors undermine trusted platforms
A leak of information on American military operations caused a major political incident in March 2025. The Security Think Tank considers what CISOs can learn from this potentially fatal error.
by ComputerWeekly
2025-05-06 12:46:10
Immersive delivers a team-based approach to application security training
Immersive launched AppSec Range Exercises, expanding its AppSec solution beyond hands-on labs to help cyber leaders and practitioners prove and improve their capabilities as part of a holistic cyber readiness program. The new product offers range exercises for Engineering, AppSec and DevSecOps teams to embed security into workflows, reduce friction, and ignite secure development practices at scale. Enterprises face mounting pressure to improve application security, but legacy developer training fails to meet the speed and …
by Help Net Security
2025-05-06 12:43:47
Windows Server Showdown: When Should I Splurge on Windows Datacenter Edition?
We explore the differences between Windows Server Standard Edition and Windows Server Datacenter Edition licenses to help you make the most cost-effective decision.
by ITPro Today
2025-05-06 12:33:11
Second Wave of Attacks Hitting SAP NetWeaver After Zero-Day Compromise
Threat actors are revisiting SAP NetWeaver instances to leverage webshells deployed via a recent zero-day vulnerability.
by SecurityWeek
2025-05-06 12:20:30
UK Legal Aid Agency investigates cybersecurity incident
The Legal Aid Agency (LAA), an executive agency of the UK's Ministry of Justice that oversees billions in legal funding, warned law firms of a security incident and said the attackers might have accessed financial information. [...]
by BleepingComputer
2025-05-06 12:20:19
Barracuda Celebrates Six Wins in 2025 SC Awards and Global InfoSec Awards
We are thrilled to share that Barracuda has been honored with six prestigious awards recognizing our leadership and innovation in email security, managed XDR and data protection.
by Barracuda
2025-05-06 12:19:01
US Charges Yemeni Man for Black Kingdom Ransomware Attacks
Rami Khaled Ahmed, a 36-year-old from Yemen, has been charged for launching ransomware attacks between 2021 and 2023.
by SecurityWeek
2025-05-06 12:13:00
NIST loses key cyber experts in standards and research
The head of the agency’s Computer Security Division and roughly a dozen of his subordinates took the Trump administration’s retirement offers, placing key programs at risk.
by Cybersecurity Dive
2025-05-06 12:05:10
Critical Langflow RCE flaw exploited to hack AI app servers
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has tagged a Langflow remote code execution vulnerability as actively exploited, urging organizations to apply security updates and mitigations as soon as possible. [...]
by BleepingComputer
2025-05-06 11:41:35
New Acoustic Side-Channel Attack Infers Mouse Movement with 96% Accuracy
A new academic study demonstrates that even subtle sounds emitted by a computer mouse can leak sensitive information. Researchers from the University of Padua, TU Delft, and UC Irvine have shown that acoustic side-channel attacks (ASCAs) targeting mouse movements are feasible and pose real security risks. The research team designed a series of experiments to …
by Cyber Insider
2025-05-06 11:31:00
New Microsoft 365 outage impacts Teams and other services
Microsoft is investigating a new Microsoft 365 outage affecting multiple services across North America, including the company's Teams collaboration platform. [...]
by BleepingComputer
2025-05-06 11:27:17
Samsung MagicINFO Vulnerability Exploited Days After PoC Publication
Threat actors started exploiting a vulnerability in Samsung MagicINFO only days after a PoC exploit was published.
by SecurityWeek
2025-05-06 11:25:56
New Cloud Vulnerability Data Shows Google Cloud Leads in Risk
New research shows Google Cloud and smaller providers have the highest cloud vulnerability rates as compared to AWS…
by Hackread
2025-05-06 11:21:22
Critical Vulnerability in AI Builder Langflow Under Attack
CISA warns organizations that threat actors are exploiting a critical-severity vulnerability in low-code AI builder Langflow.
by SecurityWeek
2025-05-06 11:16:00
Update ASAP: Google Fixes Android Flaw (CVE-2025-27363) Exploited by Attackers
Google has released its monthly security updates for Android with fixes for 46 security flaws, including one vulnerability that it said has been exploited in the wild. The vulnerability in question is CVE-2025-27363 (CVSS score: 8.1), a high-severity flaw in the System component that could lead to local code execution without requiring any additional execution privileges. "The most severe of
by The Hacker News
2025-05-06 11:14:55
Airlines in North America prioritize investments in cyber, AI
Spending plans come amid rising concerns over third-party cyber risk.
by Cybersecurity Dive
2025-05-06 11:13:36
Microsoft Warns of Attackers Exploiting Misconfigured Apache Pinot Installations
Misconfigured Apache Pinot instances can and have enabled threat actors to gain access to sensitive information.
by SecurityWeek
2025-05-06 10:43:16
Samsung MagicINFO Flaw Now Actively Exploited by Mirai Botnet
Security researchers have confirmed active exploitation of a critical vulnerability in Samsung’s MagicINFO 9 Server (CVE-2024-7399), with recent attacks linking the flaw to Mirai botnet deployment. The vulnerability enables unauthenticated attackers to upload arbitrary files and achieve remote code execution, posing a serious risk to digital signage systems managed by the software. Arctic Wolf was …
by Cyber Insider
2025-05-06 10:23:57
Google fixed actively exploited Android flaw CVE-2025-27363
Google addressed 46 Android security vulnerabilities, including one issue that has been exploited in attacks in the wild. Google’s monthly security updates for Android addressed 46 flaws, including a high-severity vulnerability, tracked as CVE-2025-27363 (CVSS score of 8.1), that has been exploited in the wild. The company did not disclose any details regarding the attacks […]
by Security Affairs
2025-05-06 10:09:28
AI agents to transform Google Cloud security ops
These AI agents, part of the Gemini in Security suite, aim to reduce the burden of repetitive tasks and accelerate processes such as writing regular expressions.
by SC Media
2025-05-06 10:02:32
Wiz, Google Cloud boost cloud security access
Agentless cloud security is gaining traction as a more efficient, scalable way to safeguard multi-cloud environments without the complexity of installing software agents on every workload.
by SC Media
2025-05-06 10:01:11
Why EASM is vital to modern digital risk protection
You can't protect what you can't see. From shadow IT to supplier risk, modern attack surfaces are sprawling fast — and External Attack Surface Management (EASM) is how security teams take back control. Learn from Outpost24 how EASM powers proactive digital risk protection. [...]
by BleepingComputer
2025-05-06 10:00:59
Lampion Is Back With ClickFix Lures
Lampion malware distributors are now using the social engineering method ClickFix. Read our analysis of a recent campaign.
by Palo Alto Networks - Unit42
2025-05-06 10:00:55
Proactive threat hunting with Talos IR
Learn more about the framework Talos IR uses to conduct proactive threat hunts, and how we can help you stay one step ahead of emerging threats.
by Cisco Talos Blog
2025-05-06 09:58:21
Rubrik: 91% of SG orgs hit by cyber incidents
The study identifies ransomware, identity threats, insider risks, and cloud-based vulnerabilities as key challenges.
by SC Media
2025-05-06 09:55:37
Exploited: Vulnerability in software for managing Samsung digital displays (CVE-2024-7399)
An easily and remotely exploitable vulnerability (CVE-2024-7399) affecting Samsung MagicINFO, a platform for managing content on Samsung commercial displays, is being leveraged by attackers. Exploit attempts have been flagged by the SANS Internet Storm Center and Arctic Wolf researchers: the attackers are using the vulnerability to upload and execute a script that contains a downloader for a Mirai bot.
About CVE-2024-7399: Samsung MagicINFO is a digital signage management platform that is used to create, schedule, …
by Help Net Security
2025-05-06 09:54:00
Critical Langflow Flaw Added to CISA KEV List Amid Ongoing Exploitation Evidence
A recently disclosed critical security flaw impacting the open-source Langflow platform has been added to the Known Exploited Vulnerabilities (KEV) catalog by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), citing evidence of active exploitation. The vulnerability, tracked as CVE-2025-3248, carries a CVSS score of 9.8 out of a maximum of 10.0. "Langflow contains a missing
by The Hacker News
2025-05-06 09:33:38
Google fixes actively exploited FreeType flaw on Android
Google has released the May 2025 security updates for Android with fixes for 45 security flaws, including an actively exploited zero-click FreeType 2 code execution vulnerability. [...]
by BleepingComputer
2025-05-06 09:00:00
Microsoft unveils new AI agents that can modify Windows settings
Today, Microsoft announced new Windows experiences for Copilot+ PCs, including AI agents that will make changing settings on your Windows computer easier. [...]
by BleepingComputer
2025-05-06 09:00:00
Frequently Asked Questions about Vibe Coding
Vibe coding has attracted much attention in recent weeks with the release of many AI-driven tools. This blog answers some of the Frequently Asked Questions (FAQ) around vibe coding.
Background
Vibe coding is gaining popularity as large language models (LLMs) continue to mature and AI-driven development tools are becoming increasingly available. This blog answers Frequently Asked Questions (FAQ) regarding vibe coding.
FAQ
What is “Vibe Coding”?
The term ‘vibe coding’ was coined in a tweet from Andrej Karpathy. It describes a method of developing code with AI where the AI takes instruction, writes code and fixes errors, all with minimal review. This often includes blindly accepting whatever code the AI has written and whatever changes are suggested. Frequently it will also include usage of a speech-to-text application so the coder can talk directly to the AI.
There's a new kind of coding I call "vibe coding", where you fully give in to the vibes, embrace exponentials, and forget that the code even exists. It's possible because the LLMs (e.g. Cursor Composer w Sonnet) are getting too good. Also I just talk to Composer with SuperWhisper…
— Andrej Karpathy (@karpathy) February 2, 2025
There’s currently some debate around the definition of ‘vibe coding.’ As initially coined, it means using AI tools for code development and blindly accepting what the AI creates without vetting it. There is some semantic diffusion, though, and it’s becoming synonymous with AI assisted code development where you can use AI tools to assist your normal development process.
What are the benefits to vibe coding?
Vibe coding is incredibly powerful for churning out proofs of concept (PoCs), minimum viable products (MVPs) and other prototype projects. In a more organized approach, it’s great at helping make focused changes to existing codebases.
What are the risks of vibe coding?
Currently, vibe coding tends to be fairly myopic. The following are a few of the risks we’ve observed with vibe coding:
- Refactoring. Refactoring code involves changing how code works in several spots throughout a codebase. Often, an AI coding tool will suggest a refactor, but miss several places in the codebase that needed to be changed.
- Large codebase exceeds context windows. Usually the entire codebase will be larger than the LLM’s context window (the amount of text it can store in its ‘memory’), so the application must correctly identify the relevant code to read and understand.
- Introduction of security flaws. Security flaws may exist in generated code.
- Slopsquatting. Slopsquatting is a term used to describe attackers creating malicious packages matching the names of packages that are commonly hallucinated by LLMs when vibe coding.
- Poorly written or difficult to maintain code. The application may write good code for a specific area of the project, but it may not fit well with the overall style or structure of the project.
How can I mitigate these risks?
Here are a few steps you can take to mitigate the risks of vibe coding:
- Conduct a code review of anything vibe coded. Code review is paramount. Ensure that you have engineers that understand the vibe code that was written and can perform a comprehensive review. Never blindly accept the results of your vibe coding for production.
- Lean on your Secure Software Development Life Cycle (SSDLC) and development, security, and operations tools. Don’t abandon your SSDLC or DevSecOps solutions. Continue to use tools like Snyk, Veracode and SonarQube when vibe coding.
- Test, test, test. Continue to test vibe-coded software and scripts in lower environments and perform end-to-end integration and unit testing.
How do I get started?
Just feel the vibes and let the AI do the work. While we say that in jest, successful (and less risky) methods involve using multiple AI tools to draft a specification, refine it and then pass it on to the coding agent. Harper Reed’s blog explains this process as part of a very good workflow. Here's our summary of his guidance:
- Use an LLM to draft a detailed plan first. Give the LLM a prompt indicating you’d like it to ask you detailed questions about the project design and architecture until you have a useful specification.
- Ask for prompts. Ask the LLM to generate a series of prompts from that specification that you can pass to an AI coding tool.
- Walk through the prompts with an AI agent. Ask your AI coding agent to walk through the prompts. Accept the changes as-is if you like (or if you’re feeling lucky).
- Routinely test after each prompt. Test after every prompt and ask the AI coding tool to fix any errors or tweak any issues as they arise.
- Use version tracking solutions like git to take snapshots. Use git to take a snapshot after each testing cycle. The agent can alter your code drastically so it’s very useful to have a way to roll back changes.
Now you have a new application!
What types of applications are available to help with vibe coding?
Several types of applications are available for vibe coding. There are Integrated Development Environments (IDEs) and IDE extensions, tools that integrate with a continuous integration/continuous delivery (CI/CD) pipeline, and then there are the LLMs and LLM desktop applications themselves. Some examples of each:
- IDEs & IDE extensions: Cursor, Cline, GitHub Copilot, Bolt.new, Lovable, Codeium WindSurf, Replit
- CI/CD Integrations: CodeRabbit AI, graphite dev
- LLM Desktop Apps: Claude Desktop, Aider
So I can get rid of all of my junior engineers?
No! That’s a terrible idea. The tools listed above are great at augmenting and enhancing the development process, but they make mistakes and need trained eyes to ensure quality engineering. They are great at helping to write code, but right now, not great at engineering products. Plus, if there are no more junior engineers, there won’t be anyone to promote to senior engineers in a few years.
How do vibe coding apps work?
These apps work just like any other AI applications. They include a set of ‘system prompts’ instructing an LLM on how to act. The prompt then includes the text of the files open in an IDE and their content in a structured method that an LLM can understand. More information, such as closed files, directory structure, etc, might be included. This creates a large prompt that is sent to the selected LLM. For instance, one popular extension’s system prompt includes:
You are an AI programming assistant. When asked for your name, you must respond with "GitHub Copilot". Follow the user's requirements carefully & to the letter. Follow Microsoft content policies. Avoid content that violates copyrights. If you are asked to generate content that is harmful, hateful, racist, sexist, lewd, violent, or completely irrelevant to software engineering, only respond with "Sorry, I can't assist with that." Keep your answers short and impersonal. You can answer general programming questions and perform the following tasks:
* Ask a question about the files in your current workspace
* Explain how the code in your active editor works
* Make changes to existing code
* Review the selected code in your active editor
* Generate unit tests for the selected code
* Propose a fix for the problems in the selected code
* Scaffold code for a new file or project in a workspace
* Create a new Jupyter Notebook
* Ask questions about VS Code
* Generate query parameters for workspace search
* Ask how to do something in the terminal
* Explain what just happened in the terminal
The applications then have several “tools” available for the LLM to use to edit files and run commands. The same popular extension includes this, giving an insight into how it interacts with the user:
The active document is the source code the user is looking at right now. You have read access to the code in the active document, files the user has recently worked with and open tabs. You are able to retrieve, read and use this code to answer questions. You cannot retrieve code that is outside of the current project. You can only give one reply for each conversation turn.
What configuration options are available?
Many tools have customizable settings where you can indicate libraries or docs to look at. Some tools have favorite libraries and versions set in their system prompts. You can also ask to use specific libraries and languages.
Is Tenable looking into safety and security concerns around vibe coding?
Yes, Tenable Research is actively researching vibe coding methods, tools and results, and will be sharing more of our findings in future publications on the Tenable blog.
by Tenable
2025-05-06 09:00:00
US Border Agents Are Asking for Help Taking Photos of Everyone Entering the Country by Car
Customs and Border Protection has called for tech companies to pitch real-time face recognition technology that can capture everyone in a vehicle—not just those in the front seats.
by WIRED Security News
2025-05-06 08:57:20
New ‘Bring Your Own Installer (BYOI)’ technique allows to bypass EDR
A new BYOI technique lets attackers bypass SentinelOne EDR, disable protection, and deploy Babuk ransomware by exploiting the agent upgrade process. Aon’s Stroz Friedberg discovered a new “Bring Your Own Installer” (BYOI) EDR bypass technique that exploits a flaw in SentinelOne’s upgrade process to bypass its anti-tamper protections, leaving endpoints unprotected. Stroz Friedberg researchers did […]
by Security Affairs
2025-05-06 08:54:44
Android Update Patches FreeType Vulnerability Exploited as Zero-Day
Android’s May 2025 security update includes patches for an exploited vulnerability in the FreeType open source rendering engine.
by SecurityWeek
2025-05-06 08:18:10
What a future without CVEs means for cyber defense
The importance of the MITRE-run Common Vulnerabilities and Exposures (CVE) Program shouldn’t be understated. For 25 years, it has acted as the point of reference for cybersecurity professionals to understand and mitigate security flaws. By providing a standardized method for naming and cataloguing known vulnerabilities, it offers defenders a shared language for understanding, prioritizing, and responding to real-world threats. The program has traditionally relied on US government funding to sustain operations and, unfortunately, and equivalent …
by Help Net Security
2025-05-06 07:20:08
RSA helps organizations secure passwordless environments
RSA announced cybersecurity innovations that defend organizations against the next wave of AI powered identity attacks, including IT Help Desk bypasses, malware, social engineering, and other threats. These advancements are especially critical for organizations implementing passwordless strategies. Among the highlights is the new RSA Help Desk Live Verify (patent pending), a feature that prevents social engineering and technical support scams. With bi-directional identity verification, RSA Help Desk Live Verify ensures that both users and IT …
by Help Net Security
2025-05-06 07:18:50
HACK-ERA CTF — Intra University Round Walkthrough…
I recently organized a National Level Capture The Flag (CTF) Event titled HACK-ERA CTF under the banner of Grafest at Graphic Era Deemed University. The event brought together security enthusiasts and challenged them with real-world inspired scenarios ranging from web exploitation and OSINT to binary analysis. With participation from students across multiple departments and states of the country, the event was both competitive and educational.
In this write-up, I’ll be walking through the solution to the Intra-University Round, breaking down the thought process behind it, and sharing insights into what made it both fun and tricky.
Challenge 1: The Hidden Profile
Find a way to access other accounts.
Mission Brief for Challenge 1: The Hidden Profile
You’ve recently joined a promising tech company, excited to dive into their internal dashboard. After logging in, you’re greeted by a sleek, modern interface, showcasing your profile information. The dashboard is impressive, and you can navigate through various sections with ease. One day, while checking your profile, you notice a profile icon at the top-right of the screen. Clicking it takes you to a page with your personal details — a short bio, recent projects, and more. It’s all looking good until you realize that below your information, there’s a bio that doesn’t seem to belong to you. Intrigued, you try clicking around and experimenting. Could it be possible that others’ profiles are exposed this way? Something seems off, but you’re not sure what.
NOTE: NO BRUTE-FORCE ATTACK SHOULD BE PERFORMED. IF ANYONE IS FOUND TO BE DOING THAT, THE INDIVIDUAL OR THE TEAM WILL BE DISQUALIFIED…
Username: vivek.kapoor
Password: vivekpass
In this CTF challenge, you are provided with a website named TaskMaster which contains a login page and tracks the activities of the employee.
First, let’s log in to the portal using the username and password given in the mission brief.
We got a dashboard where all the activities of Vivek Kapoor are monitored…
This website is underdeveloped because most of the buttons are not working properly… but after clicking on the profile icon (also mentioned in the mission brief), I got the profile of Vivek Kapoor, which includes his username, email, bio, recent activities and much more….
So, let’s fire up Burp Suite to intercept and analyze this request. First, send the request of /profile to Repeater.
And by looking at the request…. you can see it is using a reg_id parameter which is used to tell the server which reg_id data I want to display…. And that’s the vulnerability called IDOR (Insecure Direct Object Reference).
To confirm the vulnerability…. let’s update the value of reg_id to 1006 and click on Send.
And as you can see, we got the information about a user named Meera Rathore.
And similarly, by updating reg_id to 1004 we got our first flag.
1. What is the email of Sneha Verma?
Ans: sneha.verma@infosec.org
For the second flag we need to find the reg_id of the admin user, and after trying some random values we got the admin user reg_id, which is 1000.
And we got our second flag….
2. Who is the admin user?
Answer: rajneesh_admin
And after just a bit of scrolling in the response of the admin reg_id request, we got our final flag.
3. What is the flag? Format of the flag…. FLAG{abcd}
Answer: FLAG{1d0r_vuln_3xp0s3d_admin_access}
Challenge 2: The Last Transmission
Find a way to get the flag.
Mission Brief:
Late one night, you receive an encrypted email from an unknown source. The only attachment is a file named hidden_document.pdf. The message in the email header reads: “If you’re reading this, it’s already too late. Trust the layers.” — A. You open the file — it loads without error, displaying what seems to be an ordinary image inside a PDF. But something doesn’t feel right. Why would A. send just a picture? What’s the secret? Only one way to find out.
In this CTF challenge you are provided with a PDF file which doesn’t seem like a PDF (as per the mission brief).
So, to confirm its identity, let’s use the file command.
And you can see the file command reveals that this PDF is actually a JPEG file, not a PDF file.
So, let’s rename this hidden_document.pdf to hidden_image.jpeg.
After renaming the image… let’s look at what this image contains using the open command (which is used to open a file with a default application).
And we got the image of ELON MUSK.. which looks normal, NO PIXEL DISTURBANCE…
Now, let’s see what the METADATA is using the exiftool command.
And we got a password, but we don’t know whose password this is.
Let’s check for the FLAG inside the strings of the image using the strings command and filter out the FLAG using the grep command.
Unfortunately, we got nothing inside the strings. Let’s move to the next step and check for hidden files inside the image (steganography) using the steghide command. It’ll ask for the password, and we already have one from the METADATA.
And….. you can see we got the flag.txt file, which contains the FLAG for this challenge.
What is the Flag?
Answer: FLAG{n0t_4ll_pdfs_4re_wh4t_th3y_s33m}
I hope you all enjoyed the HACK-ERA CTF Event and learned a lot of things…. Stay tuned for future CTF events… And if you want to practice CTF regularly, join our WhatsApp Community, where we do CTFs on a weekly basis… join us.
TILL THEN KEEP LEARNING…. KEEP EXPLORING…. AND MOST IMPORTANT DO HACKING….
by InfoSec Write-ups
2025-05-06 07:18:31
2025 Mobile App Pentesting Guide: Tools, Techniques & Real-World Examples
Mobile apps are omnipresent — from social media and enterprise to payment wallets. But most are still open to attack. This handbook is your step-by-step tutorial on pentesting mobile apps in 2025 with code snippets, tool instructions, and advice.
Tools Setup
Below is a quick Android (Linux/macOS) setup:
    # Install ADB (Android Debug Bridge)
    sudo apt install android-tools-adb
    # Install MobSF (in a virtual environment)
    git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git
    cd Mobile-Security-Framework-MobSF
    ./setup.sh
To decompile an Android APK:
    # Use JADX
    jadx openexploit.apk -d outputfolder
    # Use APKTool
    apktool d openexploit.apk -o decompiled
To capture HTTPS traffic (make sure Burp Suite is installed)
Information Gathering
Simple reconnaissance on an APK file:
    # Show APK permissions
    aapt dump permissions openexploit.apk
    # Analyze the manifest
    # (the manifest inside an APK is stored as binary XML; the apktool output above contains a decoded copy)
    unzip -p openexploit.apk AndroidManifest.xml
Check for:
- android:debuggable="true"
- Exported activities, services, and receivers.
Static Analysis
Decompile and read the source code for hardcoded secrets:
    # Using JADX
    jadx-gui openexploit.apk
Look for:
    String apiKey = "openexploit_api_key";
Scan res/values/strings.xml, assets/, and .so native libraries for secrets.
Dynamic Analysis
Intercept API calls: Use Burp Suite and manipulate app traffic. Set your proxy and monitor requests. Look for JWTs, session cookies, API parameters.
Bypass SSL Pinning using Frida:
    # Android SSL pinning bypass (Frida script)
    frida -U -n com.target.openexploit -l frida-ssl-bypass.js
Sample code snippet of frida-ssl-bypass.js:
    Java.perform(function () {
        var X509TrustManager = Java.use('javax.net.ssl.X509TrustManager');
        var SSLContext = Java.use('javax.net.ssl.SSLContext');
        // Trust manager that accepts every certificate chain
        var TrustManager = Java.registerClass({
            name: 'org.wooyun.TrustManager',
            implements: [X509TrustManager],
            methods: {
                checkClientTrusted: function () {},
                checkServerTrusted: function () {},
                getAcceptedIssuers: function () { return []; }
            }
        });
        var TrustManagers = [TrustManager.$new()];
        var SSLContextInit = SSLContext.init;
        // Replace the app's trust managers whenever an SSLContext is initialised
        SSLContext.init.implementation = function (keyManager, trustManager, secureRandom) {
            SSLContextInit.call(this, keyManager, TrustManagers, secureRandom);
        };
    });
API Testing
Utilize Burp Suite to fuzz and test API security.
Bypass authentication:
    POST /api/user/profile HTTP/1.1
    Host: www.openexploit.in
    Authorization: Bearer [XXXX-XXXX-XXXX-XXXX]
- Try expired authentication tokens
- Remove token and validate if the endpoint still works
- Try Insecure Direct Object Reference (changing IDs)
Use Curl for API testing:
    curl -X GET https://api.openexploit.in/user/123 \
      -H "Authorization: Bearer authtoken-xxx-xx-xxx-xxx"
See if you are able to:
- View other user data
- Change roles
- Initiate admin endpoints
Local Data Storage Analysis
Pull data from Android emulator/device:
    # List app packages
    adb shell pm list packages
    # Pull openexploit app data (only if rooted)
    adb root
    adb shell
    cd /data/data/com.target.openexploit/s
Check these:
- shared_prefs/ — does any .xml contain credentials?
- databases/ — dump SQLite DBs using sqlite3:
    sqlite3 openexploit.db
    sqlite> .tables
    sqlite> SELECT * FROM users;
Reverse Engineering and Code Injection
Inject into runtime using Frida + Objection.
    # Install Objection
    pip install objection
    # Bypass root detection
    objection -g com.target.openexploit explore
    # Inside the shell
    android root disable
Hooking methods using Frida:
    Java.perform(function () {
        var Login = Java.use("com.app.login.LoginActivity");
        Login.checkCredentials.implementation = function (user, pass) {
            console.log("User: " + user + ", Pass: " + pass);
            return true; // force login success
        };
    });
Reporting
Write an organized report in OWASP MASVS standards. Here is a sample report format:
    Title: Hardcoded API Key in Source Code
    Risk: High
    Affected Component: openexploit.apk > MainActivity.java
    Proof: String apiKey = "XXXX-XXXX-XXXX-XXXX";
    Impact: Exposed API key can permit unauthorized API calls.
    Recommendation: Place API keys in a secure backend. Never store secrets in app code.
You can use tools such as Dradis or Faraday to document findings.
Mobile Common Vulnerabilities
- Insecure Storage
- SSL Pinning
- API Authentication
- Exported Components
- Hardcoded Secrets
- Debuggable Builds
- Code Injection
Resource Reference
- OWASP MASVS & MSTG
- Frida
- Mobile Security Testing Guide GitHub
- Android Pentesting Cheat Sheet
- TryHackMe
Conclusion
Mobile app pentesting in 2025 is one of the most in-demand skills for ethical hackers and security engineers. As digital identity moves towards mobile-based, AI-empowered apps, and sophisticated APIs, finding weaknesses is more critical than ever before.
Begin small. Practice testing test apps. And always have legal consent prior to testing live apps.
by InfoSec Write-ups
2025-05-06 07:18:14
Beyond Alert Boxes: Exploiting DOM XSS for Full Account Takeover
Hello Hunters, as you all know, XSS is one of the most common web vulnerabilities, often underestimated but capable of causing severe…
by InfoSec Write-ups
2025-05-06 07:18:03
Manipulating Responses: A Deep Dive into Exploitation => $650
by InfoSec Write-ups
2025-05-06 07:17:21
Hack Any Mobile Phone Remotely
Ethically — but note — this used to work great with phone under android 10
by InfoSec Write-ups
2025-05-06 07:17:02
Containers vs Virtual Machines: Key Differences, Benefits, and Use Cases Explained
Discover the difference between containers and virtual machines, their benefits, and use cases to make smarter infrastructure decisions.
by InfoSec Write-ups
2025-05-06 07:16:57
$2000 Bounty: Stored XSS in GitLab
Exploiting a stored XSS in GitLab’s repository viewer for $2000
by InfoSec Write-ups
2025-05-06 07:16:08
Threat Profiling 101: How to Create a Threat Profile
Learn how to create effective threat profiles to identify and prioritize relevant cyber threats for your organization.
by InfoSec Write-ups
2025-05-06 07:15:08
How Hackers Exploit CORS Misconfigurations
by InfoSec Write-ups
2025-05-06 07:14:46
The Ultimate Guide to Cyber Threat Actors: Exploring Hackers, Hacktivists, and Their Tactics
How can we understand the impact of hackers and hacktivists on global cybersecurity?
by InfoSec Write-ups
2025-05-06 06:45:00
Beyond the hook: How phishing is evolving in the world of AI
Phishing attacks are evolving. Gone are the days of clumsy, error-ridden emails that were easy to spot – today’s campaigns harness advanced techniques to bypass even the latest defences. A new approach is needed
by ComputerWeekly
2025-05-06 06:30:10
Smishing on a Massive Scale: ‘Panda Shop’ Chinese Carding Syndicate
Resecurity found a new smishing kit called ‘Panda Shop,’ mimicking Smishing Triad tactics with improved features and new templates. Resecurity (USA) was the first company to identify the Smishing Triad, a group of Chinese cybercriminals targeting consumers across the globe. In August 2023, our team was able to identify their activity and locate the smishing […]
by Security Affairs
2025-05-06 05:45:00
Driven by data: The RAF’s revamped maritime patrol capabilities
Computer Weekly visited RAF Lossiemouth to see how its fleet of Boeing P-8A surveillance aircraft, supported by NetApp storage, keep watch over the North Atlantic gap
by ComputerWeekly
2025-05-06 05:30:48
What it really takes to build a resilient cyber program
In this Help Net Security interview, Dylan Owen, CISO at Nightwing, talks about what it really takes to build an effective defense: choosing the right frameworks, setting up processes, and getting everyone on the same page. Drawing on both military and private sector experience, Owen explains how preparation, communication, and constant adjustment are key to building a more proactive security approach. What specific frameworks, processes, or organizational alignments do you believe are essential for effective …
by Help Net Security
2025-05-06 05:13:16
Linux wiper malware hidden in malicious Go modules on GitHub
A supply-chain attack targets Linux servers with disk-wiping malware hidden in Golang modules published on GitHub. [...]
by BleepingComputer
2025-05-06 05:00:44
How cybercriminals exploit psychological triggers in social engineering attacks
Most attacks don’t start with malware; they begin with a message that seems completely normal, whether it comes through email, a phone call, or a chat, and that is exactly what makes them so effective. These threats rely on psychological manipulation to bypass people, not firewalls. Pressure is applied, authority is faked, and communication is mimicked. Social engineering threats account for most cyberthreats faced by individuals in 2024, according to Avast. Some people are easier …
by Help Net Security
2025-05-06 04:30:58
Key tips to stay safe from deepfake and AI threats
In this Help Net Security video, Joshua McKenty, CEO of Polyguard, talks about how to protect yourself from deepfake and AI threats, which are getting harder to spot and easier to launch. Attackers can clone your voice or face, steal your data, or trick you into bad decisions. Simple steps like using multi-factor authentication, a password manager, and modern email security can make a big difference. Everyone is a target now, not just CEOs.
by Help Net Security
2025-05-06 04:17:40
Microsoft pushes fix for Windows 11 24H2 update failures
Microsoft has fixed a known issue preventing Windows 11 24H2 feature updates from being delivered via Windows Server Update Services (WSUS) after installing the April 2025 security updates. [...]
by BleepingComputer
2025-05-06 04:00:03
Cybersecurity jobs available right now: May 6, 2025
Application Security Specialist | Signify | Netherlands | On-site
As an Application Security Specialist, you will define and deploy the application security strategy for security improvements to be on par with the industry and its benchmarks. Coordinate and perform security and vulnerability assessments, code reviews, pen tests and verifications, and drive remediation. Identify, assess, and manage risks to meet the security needs of the organization.
CloudOps – Security | TeKnowledge | UAE | …
by Help Net Security
2025-05-06 03:00:00
Security and verification concerns dog debate over Data (Use & Access) Bill
With the long-awaited Data (Use & Access) Bill returning to the House of Commons on 7 May, there remain pros and cons in the bill in relation to financial crime and cyber security
by ComputerWeekly
2025-05-06 00:00:00
What is segregation of duties (SoD)?
Segregation of duties (SoD) is an internal control mechanism designed to prevent errors and fraud by ensuring at least two individuals are responsible for the separate parts of any task.
by ComputerWeekly
2025-05-06 00:00:00
Bit ByBit - emulation of the DPRK's largest cryptocurrency heist
A high-fidelity emulation of the DPRK's largest cryptocurrency heist via a compromised macOS developer and AWS pivots.
by Elastic Security Lab
2025-05-06 00:00:00
[webapps] ERPNext 14.82.1 - Account Takeover via Cross-Site Request Forgery (CSRF)
by Exploit DB
2025-05-06 00:00:00
[webapps] Grokability Snipe-IT 8.0.4 - Insecure Direct Object Reference (IDOR)
by Exploit DB
2025-05-06 00:00:00
[webapps] Casdoor 1.901.0 - Cross-Site Request Forgery (CSRF)
by Exploit DB
2025-05-06 00:00:00
Application Layer Encryption with Web Crypto API
Overview: In web and mobile applications, we’ve been fortunate over the years to have such widespread use of HTTPS by way of TLS. The proliferation of HTTPS is in no small part due to Let’s Encrypt, which provides free…
by TrustedSec
2025-05-05 23:59:00
Last Week in Security (LWiS) - 2025-05-05
ProxyBlobing (@_atsika), SonicWall n-days (@SinSinology), Drag and Pwnd (@d4d89704243), Loki C2 2.0 (@0xBoku), GraphSpy 1.5.0 (@RedByte1337), and more!
by Bad Sector Labs
2025-05-05 22:36:00
Wormable AirPlay Flaws Enable Zero-Click RCE on Apple Devices via Public Wi-Fi
Cybersecurity researchers have disclosed a series of now-patched security vulnerabilities in Apple's AirPlay protocol that, if successfully exploited, could enable an attacker to take over susceptible devices supporting the proprietary wireless technology. The shortcomings have been collectively codenamed AirBorne by Israeli cybersecurity company Oligo. "These vulnerabilities can be chained by
by The Hacker News
2025-05-05 21:31:00
Commvault CVE-2025-34028 Added to CISA KEV After Active Exploitation Confirmed
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a maximum-severity security flaw impacting Commvault Command Center to its Known Exploited Vulnerabilities (KEV) catalog, a little over a week after it was publicly disclosed. The vulnerability in question is CVE-2025-34028 (CVSS score: 10.0), a path traversal bug that affects 11.38 Innovation Release, from versions
by The Hacker News
2025-05-05 21:24:04
Signal Clone Used by Mike Waltz Pauses Service After Reports It Got Hacked
The communications app TeleMessage, which was spotted on former US national security adviser Mike Waltz's phone, has suspended “all services” as it investigates reports of at least one breach.
by WIRED Security News
2025-05-05 21:19:40
Chat App Used by Trump Admin Suspends Operation Amid Hack
TM SGNL, a chat app by US-Israeli firm TeleMessage used by Trump officials, halts operations after a breach…
by Hackread
2025-05-05 21:14:45
AI Domination: RSAC 2025 Social Media Roundup
Documented in a series of social media posts, cybersecurity experts shared with Dark Reading their insights on RSAC 2025 throughout the week.
by Dark Reading
2025-05-05 21:00:20
'Venom Spider' Targets Hiring Managers in Phishing Scheme
Researchers from Arctic Wolf Labs detailed a new spear-phishing campaign that targets hiring managers and recruiters by posing as a job seeker.
by Dark Reading
2025-05-05 20:32:16
UN report shines light on global online scam syndicates
Law enforcement has been successful in disrupting cybercrime syndicates in Cambodia and the Philippines, forcing organized crime groups to relocate in other regions.
by Barracuda
2025-05-05 20:02:02
Ongoing Passkey Usability Challenges Require 'Problem-Solving'
While passkeys offer enhanced security against phishing and credential theft, implementation hurdles, cross-platform inconsistencies, and user experience challenges pose significant barriers to widespread adoption.
by Dark Reading
2025-05-05 19:55:58
Combat IT Burnout: How Leaders Can Reduce Team Stress
Here are practical insights on how secure digital communication not only safeguards data but also supports mental well-being.
by ITPro Today
2025-05-05 19:39:38
The Dark Side of Digital: Breaking the Silence on Youth Mental Health
Industry experts at RSAC 2025 called for urgent accountability in addressing technology's negative impact on youth, highlighting concerns about Internet anonymity, mental health, and the growing disconnect between generations.
by Dark Reading
2025-05-05 19:29:22
TeleMessage, a modified Signal clone used by US government officials, has been hacked
A hacker has exploited a vulnerability in TeleMessage, which provides modded versions of encrypted messaging apps such as Signal, Telegram, and WhatsApp, to extract archived messages and other data relating to U.S. government officials and companies who used the tool, 404 Media reported. TeleMessage came into the spotlight last week after it was reported that […]
by TechCrunch
2025-05-05 19:20:14
Phony Hacktivist Pleads Guilty to Disney Data Leak
After stealing sensitive data from Disney, Ryan Mitchell Kramer claimed to be part of a Russian hacktivist group protecting artists' rights and ensuring they receive fair compensation for their work.
by Dark Reading
2025-05-05 18:59:40
Android May 2025 Security Update Fixes Actively Exploited FreeType Zero-Day
Google’s Android security update for May 2025 patches a zero-day vulnerability in the FreeType font library that is currently being exploited in the wild, alongside dozens of high-severity flaws across the system, framework, and various hardware components. The zero-day, tracked as CVE-2025-27363, resides in the System component and stems from a memory handling bug in …
by Cyber Insider
2025-05-05 18:45:19
GlobalX, airline used for Trump deportations, gets hacked: Report
Hackers claiming to be part of the hacktivist group Anonymous claimed the data breach.
by TechCrunch
2025-05-05 18:19:42
Luna Moth extortion hackers pose as IT help desks to breach US firms
The data-theft extortion group known as Luna Moth, aka Silent Ransom Group, has ramped up callback phishing campaigns in attacks on legal and financial institutions in the United States. [...]
by BleepingComputer
2025-05-05 17:33:53
Brave for Android Now Lets You Tap to Remove Annoying Page Elements
Brave Software has rolled out a new privacy feature in version 1.78 of its Android browser, giving users the ability to manually block unwanted page elements with a simple tap. This enhancement extends the browser’s existing ad and tracker-blocking capabilities by allowing finer, user-controlled customization of web content visibility. Brave Software is known for developing …
by Cyber Insider
2025-05-05 17:30:54
Welcome to Maintainer Month: Events, exclusive discounts, and a new security challenge
This May marks the fifth annual Maintainer Month, and there are lots of treats in store: new badges, special discounts, events with experts, and more.
by The GitHub Blog
2025-05-05 17:22:11
Kelly Benefits December data breach impacted over 400,000 individuals
Kelly Benefits has determined that the impact of the recently disclosed data breach is much bigger than initially believed. Benefits and payroll solutions firm Kelly & Associates Insurance Group, aka Kelly Benefits, announced that the impact of a recently disclosed data breach is much bigger than initially estimated. The U.S.-based company provides benefits, payroll, and […]
by Security Affairs
2025-05-05 17:17:19
Strengthening Software Security Under the EU Cyber Resilience Act: A High-Level Guide for Security Leaders and CISOs
Get guidance on key tenets of the EU CRA and how Legit can help address them.
by Legit Security
2025-05-05 16:59:00
⚡ Weekly Recap: Nation-State Hacks, Spyware Alerts, Deepfake Malware, Supply Chain Backdoors
What if attackers aren't breaking in—they're already inside, watching, and adapting? This week showed a sharp rise in stealth tactics built for long-term access and silent control. AI is being used to shape opinions. Malware is hiding inside software we trust. And old threats are returning under new names. The real danger isn’t just the breach—it’s not knowing who’s still lurking in your
by The Hacker News
2025-05-05 16:30:00
Perfection is a Myth. Leverage Isn't: How Small Teams Can Secure Their Google Workspace
Let’s be honest: if you're one of the first (or the first) security hires at a small or midsize business, chances are you're also the unofficial CISO, SOC, IT Help Desk, and whatever additional roles need filling. You’re not running a security department. You are THE security department. You're getting pinged about RFPs in one area, and reviewing phishing alerts in another, all while sifting
by The Hacker News
2025-05-05 16:29:12
Chinese Group TheWizards Exploits IPv6 to Drop WizardNet Backdoor
ESET has discovered Spellbinder, a new tool used by the China-linked cyber espionage group TheWizards to conduct AitM…
by Hackread
2025-05-05 16:28:34
New "Bring Your Own Installer" EDR bypass used in ransomware attack
A new "Bring Your Own Installer" EDR bypass technique is exploited in attacks to bypass SentinelOne's tamper protection feature, allowing threat actors to disable endpoint detection and response (EDR) agents to install the Babuk ransomware. [...]
by BleepingComputer
2025-05-05 16:12:10
A whopping 94% of leaked passwords are not unique - will you people ever learn?
Your lazy passwords are putting you and your company at risk.
by ZDNET Security
2025-05-05 16:08:00
DOD plans to fast-track software security reviews
The Pentagon will lay out new security requirements and approval processes for the software it purchases.
by Cybersecurity Dive
2025-05-05 15:36:07
🐝 Hive Five 222 - How to Move Fast
The History of SSH Port 22, Surviving the Digital Extinction, AI Coding: Killing the Joy?, Raycast Lands on iOS, Judge to Apple: "This is Not a Negotiation!", Stripe CEO on Moving Fast, Replace Your $700/hr Coach with AI?
by Hive Five
2025-05-05 15:22:41
White House Proposal Slashes Half-Billion From CISA Budget
The proposed $491 million cut is being positioned as a “refocusing” of CISA on its core mission “while eliminating weaponization and waste.”
by SecurityWeek
2025-05-05 15:17:10
Microsoft finds default Kubernetes Helm charts can expose data
Microsoft warns about the security risks posed by default configurations in Kubernetes deployments, particularly those using out-of-the-box Helm charts, which could publicly expose sensitive data. [...]
by BleepingComputer
2025-05-05 15:09:42
The AI chatbot cop squad is here (Lock and Code S06E09)
This week on the Lock and Code podcast, we speak with Emanuel Maiberg and Jason Koebler about Overwatch, an AI chatbot tool sold to US police.
by Malwarebytes Labs
2025-05-05 14:49:09
5 Tips You Should Know before Developing an Innovative Product
Are you aiming to develop an innovative startup that will make a boom effect in the modern market?…
by Hackread
2025-05-05 14:04:24
Why Secure Document Management Matters Against Cybersecurity Threats
Cybersecurity threats aren’t just aimed at servers or customer databases. They also target a company’s most vital but…
by Hackread
2025-05-05 14:00:00
Scaling with safety: Cloudflare's approach to global service health metrics and software releases
Learn how Cloudflare tackles the challenge of scaling global service health metrics to safely release new software across our global network.
by Cloudflare
2025-05-05 14:00:00
How to Prevent AI Agents From Becoming the Bad Guys
When designed with strong governance principles, AI can drive innovation while maintaining the people's trust and security.
by Dark Reading
2025-05-05 13:42:44
Apple beefs up parental controls: what it means for kids | Kaspersky official blog
Apple has updated parental controls on its devices. We explore how the new features work, what vulnerabilities there are, and whether you need additional protection.
by Kaspersky
2025-05-05 13:30:39
Doppel Banks $35M for AI-Based Digital Risk Protection
The new investment values Doppel at $205 million and provides runway to meet enterprise demand for AI-powered threat detection tools.
by SecurityWeek
2025-05-05 13:28:34
Apple, Anthropic Team Up to Build AI-Powered 'Vibe-Coding' Platform
Apple is collaborating with AI startup Anthropic on a new version of Xcode, creating an AI-assisted programming platform that can write, edit, and test code for developers.
by ITPro Today
2025-05-05 13:00:00
Your KnowBe4 Compliance Plus Fresh Content Updates from April 2025
Check out the April updates in Compliance Plus so you can stay on top of featured compliance training content.
by KnowBe4
2025-05-05 12:58:00
10 passkey survival tips: Prepare for your passwordless future now
Although passkeys remain an evolving ecosystem, we'd be wise to embrace tomorrow's authentication standard today. Here are ZDNET's 10 recommendations for reaching passkey paradise.
by ZDNET Security
2025-05-05 12:44:00
7 ways to lock down your phone's security - before it's too late
From border crossings to data breaches, there are more reasons than ever to protect your smartphone. Here's a practical guide to securing your device and your digital life.
by ZDNET Security
2025-05-05 12:20:19
ZENDATA Cybersecurity Partners with Reboot Coding Institute
ZENDATA Cybersecurity is proud to announce its strategic partnership with Reboot Coding Institute (Reboot01), Bahrain’s premier coding institute. Together, we’re onboarding and developing Bahraini cybersecurity talent for our operations in the region and beyond. This innovative collaboration reflects our unwavering commitment to fostering local competencies, driving regional innovation, and empowering the next generation of cybersecurity […]
by Zendata
2025-05-05 12:06:21
A hacker stole data from TeleMessage, the firm that sells modified versions of Signal to the U.S. gov
A hacker stole data from TeleMessage, exposing messages from its modified Signal, WhatsApp, and other apps sold to the U.S. government. A hacker stole customer data from TeleMessage, an Israeli firm selling modified versions of popular messaging apps, such as Signal and WhatsApp, to the U.S. government. “The data stolen by the hacker contains the […]
by Security Affairs
2025-05-05 11:42:36
5th May – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 5th May, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Three major UK retailers – Co-op, Harrods and Marks & Spencer (M&S) – were hit by cyberattacks that disrupted operations and compromised sensitive data. The attacks are believed linked to the Scattered […]
by Check Point Research
2025-05-05 11:36:41
Germany Most Targeted Country in Q1 2025 DDoS Attacks
Cloudflare’s Q1 2025 DDoS Threat Report: DDoS attacks surged 358% YoY to 20.5M. Germany hit hardest; gaming and…
by Hackread
2025-05-05 11:24:21
Experts shared up-to-date C2 domains and other artifacts related to recent MintsLoader attacks
MintsLoader is a malware loader delivering the GhostWeaver RAT via a multi-stage chain using obfuscated JavaScript and PowerShell. Recorded Future researchers observed MintsLoader delivering payloads like GhostWeaver via obfuscated scripts, evading detection with sandbox/VM checks, and using DGA and HTTP C2. MintsLoader is a malware loader that was first spotted in 2024, the loader has […]
by Security Affairs
2025-05-05 11:12:16
UK authorities warn of retail-sector risks following cyberattack spree
Three major retail brands, including Harrods and M&S, have been targeted in recent weeks.
by Cybersecurity Dive
2025-05-05 11:10:38
Apache Parquet Java Vulnerability CVE-2025-46762 Exposes Systems to Remote Code Execution Attacks
A vulnerability has been identified in Apache Parquet Java, which could leave systems exposed to remote code execution (RCE) attacks. Apache Parquet contributor Gang Wu discovered this flaw, tracked as CVE-2025-46762, in the parquet-avro module and publicly disclosed it on May 2. This security issue impacts all versions of Apache Parquet Java up to and including version 1.15.1, allowing malicious actors to execute arbitrary code on vulnerable systems.
Technical Breakdown of CVE-2025-46762
At the core of this vulnerability is the insecure schema parsing process within the parquet-avro module. The flaw enables attackers to inject malicious code into the metadata of a Parquet file, specifically within the Avro schema. When a vulnerable system reads the file, this malicious code is automatically executed, paving the way for Remote Code Execution (RCE). For systems utilizing the "specific" or "reflect" data models (rather than the safer "generic" model), the risk is especially pronounced. While the "generic" model remains unaffected by this vulnerability, the default configuration of trusted packages still leaves certain code execution paths open, potentially allowing the exploit to be triggered by pre-approved Java packages, such as java.util.
Affected Systems and Scope of the Issue
The impact of CVE-2025-46762 extends to all Apache Parquet Java versions up to 1.15.1. A wide range of applications, especially those leveraging the parquet-avro module in big data frameworks like Apache Spark, Hadoop, and Flink, are vulnerable to this threat. These platforms rely on the module for deserialization and schema parsing, which opens a potential attack surface if the system is reading Parquet files with malicious Avro schema data.
[Figure: Apache Parquet Java 1.15.2 Release Notes (GitHub)]
For organizations managing data pipelines, especially those processing Parquet files in big data ecosystems, the threat is considerable. If unpatched, an attacker could inject malicious Parquet files into the data stream, enabling exploitation through backend vulnerabilities.
Mitigation Strategies
The Apache Software Foundation has urged all users to address this issue urgently. There are two primary mitigation strategies available:
- Upgrade to Apache Parquet Java 1.15.2: This release fully resolves the issue by tightening the boundaries on trusted packages, ensuring that malicious code cannot execute through the existing configuration.
- Patch for Users on Version 1.15.1: For those unable to immediately upgrade, it is recommended to set the JVM system property -Dorg.apache.parquet.avro.SERIALIZABLE_PACKAGES="" to empty. This will mitigate the risk by blocking the execution of code from potentially malicious packages.
Moreover, organizations are advised to audit their data pipelines to prioritize the use of the generic Avro model, which remains impervious to the vulnerability. Implementing this model wherever feasible can reduce the risk of RCE attacks via CVE-2025-46762. Unpatched systems vulnerable to CVE-2025-46762 face not only direct attacks but also the risk of supply chain exploits, where compromised Parquet files could trigger backend execution of malicious code, leading to widespread system failures. Security experts have highlighted the severe threat of Remote Code Execution (RCE), which can result in data breaches, unauthorized access, and other malicious activities. Given the nature of this vulnerability and its impact on large-scale data environments, quick action is essential.
Users of Apache Parquet Java versions up to 1.15.1 are strongly advised to upgrade to version 1.15.2 or apply the necessary patches to mitigate these risks, ensuring the protection of their systems against exploitation.
by The Cyber Express
2025-05-05 11:09:00
Golden Chickens Deploy TerraStealerV2 to Steal Browser Credentials and Crypto Wallet Data
The threat actors known as Golden Chickens have been attributed to two new malware families dubbed TerraStealerV2 and TerraLogger, suggesting continued development efforts to fine-tune and diversify their arsenal. "TerraStealerV2 is designed to collect browser credentials, cryptocurrency wallet data, and browser extension information," Recorded Future Insikt Group said. "TerraLogger, by contrast
by The Hacker News
2025-05-05 11:00:24
Ukrainian Extradited to U.S. Over Global Ransomware Scheme Using Nefilim Strain
Artem Stryzhak, a Ukrainian national, has been extradited from Spain to the United States to face charges related to a global ransomware operation that used the notorious Nefilim ransomware strain. The 2025 extradition is an important step in a years-long investigation into a cyber-extortion campaign that targeted multinational corporations and caused millions of dollars in losses. On April 30, Stryzhak was brought to the U.S. after his arrest in Spain in June 2024. Federal prosecutors in Brooklyn unsealed a superseding indictment earlier today, charging him with conspiracy to commit fraud and related computer crimes, including extortion. His arraignment is scheduled before U.S. Magistrate Judge Robert Levy in the Eastern District of New York.
International Operation Targets Cybercrime Using Nefilim Ransomware Strain
According to U.S. Attorney John Durham, “As alleged, the defendant was part of an international ransomware scheme in which he conspired to target high-revenue companies in the United States, steal data, and hold data hostage in exchange for payment. If victims did not pay, the criminals then leaked the data online.” Durham emphasized the importance of the extradition, stating it demonstrated that cybercriminals operating from overseas are not beyond the reach of American law. The FBI also stressed the importance of international cooperation in bringing cybercriminals to justice. “The successful extradition of the defendant is a significant achievement in that ongoing collaboration, and it sends a clear message: those who attempt to hide behind international borders to target American citizens will face justice,” said Christopher J.S. Johnson, Special Agent in Charge of the FBI's Springfield, Illinois Field Office. The Nefilim ransomware strain, at the center of this case, was used to compromise and encrypt the computer networks of businesses across the globe. According to court documents, these ransomware attacks resulted in substantial financial damage, stemming not only from ransom payments but also from extensive disruptions to the victims’ IT systems.
Customized Attacks on High-Revenue Companies
Stryzhak allegedly joined the Nefilim ransomware operation in June 2021, after receiving access to the ransomware's core code in exchange for 20% of his ransom earnings. Operating under a personal account on the Nefilim platform—referred to as the “panel”—Stryzhak even questioned whether he should use a different alias to avoid detection by the FBI if the panel were ever compromised. The Nefilim ransomware group primarily focused on companies based in the U.S., Canada, and Australia, typically those with over $100 million in annual revenue. In one 2021 exchange, a Nefilim administrator encouraged Stryzhak to focus on firms with revenues exceeding $200 million. Before launching an attack, the conspirators conducted detailed reconnaissance, using online tools to assess potential targets' financial standing and infrastructure. Once inside a victim’s network, Stryzhak and his co-conspirators exfiltrated sensitive data. Victims were then presented with ransom notes that threatened to leak their data publicly on “Corporate Leaks” websites—online platforms managed by the Nefilim administrators—if the ransom was not paid.
The investigation and prosecution of Artem Stryzhak’s involvement in the Nefilim ransomware scheme is being led by the National Security and Cybercrime Section of the U.S. Attorney’s Office. While the charges remain allegations and Stryzhak is presumed innocent until proven guilty, he faces up to five years in federal prison if convicted.
by The Cyber Express
2025-05-05 10:59:00
NCSC Issues Urgent Guidance After Major UK Retailers Breached by Hackers
A wave of cyberattacks targeting major UK retailers has prompted the National Cyber Security Centre (NCSC) to issue an urgent advisory, warning of increasingly sophisticated social engineering tactics and stressing the importance of resilience beyond perimeter defenses. The announcement comes in the wake of serious incidents involving Marks & Spencer, Co-op, and Harrods. While attribution …
by Cyber Insider
2025-05-05 10:11:39
Signal Clone App Used by Trump Officials Breached in Minutes
A cloned version of the Signal app used by U.S. government agencies — including members of the Trump administration — was hacked in under 30 minutes, exposing archived messages from agencies like Customs and Border Protection (CBP), financial institutions, and others. The compromised tool is a modified Signal client developed by TeleMessage, an Israeli firm …
by Cyber Insider
2025-05-05 10:00:00
Security Researchers Warn a Widely Used Open Source Tool Poses a 'Persistent' Risk to the US
The open source software easyjson is used by the US government and American companies. But its ties to Russia’s VK, whose CEO has been sanctioned, have researchers sounding the alarm.
by WIRED Security News
2025-05-05 09:45:00
American Honda steers AI efforts with data governance, quality focus
The generative AI early adopter has worked to improve data management as it aims for better model accuracy and performance to bolster decision-making.
by Cybersecurity Dive
2025-05-05 09:40:27
Cyberattacks Hit Leading UK Retailers as NCSC Urges Stronger Defences

Multiple cyberattacks have recently struck some of the UK’s most iconic retailers, prompting concern from industry leaders and cybersecurity authorities. Among the affected organizations are Harrods, Marks & Spencer, and the Co-op, all of which have confirmed incidents targeting their digital infrastructure in late April and early May 2025.

The UK’s National Cyber Security Centre (NCSC) is currently working alongside these retailers to investigate the attacks and mitigate potential damage. In an official statement, NCSC CEO Dr Richard Horne addressed the situation, saying: “The disruption caused by the recent incidents impacting the retail sector are naturally a cause for concern to those businesses affected, their customers, and the public. The NCSC continues to work closely with organizations that have reported incidents to us to fully understand the nature of these attacks and to provide expert advice to the wider sector based on the threat picture. These incidents should act as a wake-up call to all organizations. I urge leaders to follow the advice on the NCSC website to ensure they have appropriate measures in place to help prevent attacks and respond and recover effectively.”

Harrods Cyberattack Prompts Emergency Response

Harrods, the world-renowned luxury department store, confirmed that it had recently faced an attempted breach of its IT systems. The Harrods cyberattack occurred in late April and led the retailer to restrict internet access at some sites as a precaution. However, the company assured customers that its physical stores—including the flagship Knightsbridge store, H Beauty outlets, and airport branches—remained fully operational. Online shopping at harrods.com also continued without disruption.

In a statement, Harrods noted: “We recently experienced attempts to gain unauthorized access to some of our systems. Our seasoned IT security team immediately took proactive steps to keep systems safe, and as a result, we have restricted internet access at our sites today. Currently, all sites... remain open to welcome customers.” The retailer has not disclosed whether customer data was compromised, but pledged to provide updates as the investigation progresses.

Marks & Spencer Cyberattack Tied to Ransomware Group

Around the same period, Marks & Spencer experienced its own cybersecurity breach, reportedly linked to the hacking collective Scattered Spider. The attack involved the DragonForce ransomware, which disrupted M&S’s online operations. Online orders were suspended temporarily, and customers faced stock shortages in several physical stores.

An official company update issued on 25 April 2025 acknowledged the cyber incident, stating: “We have made the decision to pause taking orders via our M&S.com websites and apps. Our product range remains available to browse online. Our experienced team—supported by leading cyber experts—is working extremely hard to restart online and app shopping.”

Sources close to the investigation estimate that Marks & Spencer could face millions in revenue losses due to the breach. Although no customer action was required at the time, the company promised ongoing communication as new information became available.

Co-op Confirms Data Extraction in Cyberattack

The most recent case involves the Co-op, which issued an update on 2nd May 2025, confirming that hackers had successfully accessed and extracted data from one of its systems. While financial details were not compromised, the breach exposed the names and contact information of a large number of current and former members.

A Co-op spokesperson emphasized the complexity of the situation, stating, “We are continuing to experience sustained malicious attempts by hackers to access our systems. This is a highly complex situation, which we continue to investigate in conjunction with the NCSC and the NCA.” The Co-op has since implemented enhanced security protocols and apologized to members, expressing regret over the exposure of personal data.

Conclusion

With three major UK retailers affected in quick succession, the NCSC has stepped up efforts to coordinate national cybersecurity defenses. It is urging all organizations, not just those in retail, to assess their cyber resilience and adopt best practices for prevention and recovery. The incidents affecting Harrods, Marks & Spencer, and the Co-op are being seen as part of a larger trend of cyberattacks targeting high-profile organizations. As investigations continue, the NCSC remains central to coordinating the response and preventing further escalation.

References
https://www.ncsc.gov.uk/news/retailers-incident
https://corporate.marksandspencer.com/media/press-releases/cyber-incident-further-update-0
https://www.co-operative.coop/media/news-releases/cyber-incident-update
by CYBLE
2025-05-05 09:00:00
Cloud Giants Report Strong Start to 2025 as AI Continues to Drive GrowthWhat's driving the cloud forward in 2025? AI and the continuing shift from on-premises workloads.
by ITPro Today
2025-05-05 09:00:00
How Exposure Management Can Ease the Pain of Security Tool Sprawl

Each Monday, the Tenable Exposure Management Academy provides the practical, real-world guidance you need to shift from vulnerability management to exposure management. In this post, the first of two parts, we explore how exposure management can help ease the pain of having too many siloed security tools. You can read the entire Exposure Management Academy series here.

To address complex security challenges, cybersecurity teams are employing a wide variety of tools to keep their organizations safe. Large organizations use as many as 140 security tools to solve specific issues. As a result, it’s a huge challenge to coordinate and monitor all those tools so, stuck in their siloes, they’ve failed to live up to their promise. As a result, exposures linger and risks grow.

When tools for vulnerability management, endpoint detection and response (EDR), cloud security and application security testing — and the teams responsible for using them — all operate in siloes, it's difficult for you to understand where your true exposures lie. Without the ability to gain a full picture of your organization's risk, whenever a senior executive asks questions about the organization’s risk posture, you probably launch a mad scramble across siloed sources of data on multiple spreadsheets, with no easy way to obtain an accurate assessment of risk.

What if there were a way to ease this pain? What if all siloes streamed data into a centralized repository where you could analyze it all contextually and create unified workflows to streamline remediation? Better yet, what if you could use this contextualized data to get a complete view of the riskiest areas of your attack surface and quickly show your executives where the organization is most exposed?

Sounds like a good idea, doesn’t it? But it’s more than just a concept now. The core of an effective exposure management program rests on the need to break down siloes and unify security data from multiple tools so you can quickly gain a cohesive and continuous view of your organization’s risk. Security professionals face three main challenges from tool sprawl. We outline them here and share how an exposure management program and platform can help.

Challenge 1: Overcoming operational inefficiencies

In an attempt to stay secure, organizations have bolted on numerous tools, with the average organization working with 60 to 80 and, as we noted earlier, some using as many as 140. Each tool operates independently, creating siloes that don’t communicate with each other. What does this look like in practice? Each of these tools requires security teams to follow a process that involves:

- Analyzing the data
- Prioritizing issues
- Managing exposures based on risk
- Taking action such as deploying compensating control, changing configuration and/or creating a remediation ticket
- Creating reports to communicate updates or status

Multiply these steps by the number of tools in use and we’ll wager that “efficient” isn’t the first word that pops into your head. Making matters worse, blind spots crop up where you need visibility.

Talk to a CISO or anyone on a security team and you’ll hear a common refrain:

- “My data is spread across too many tools.”
- “I don’t have the context I need.”
- “It’s difficult to prioritize risks or even answer basic security questions.”

These complaints underscore how the life of security teams is complicated by all those tools they added in an attempt to improve security. Instead of achieving the peace of mind these tools promised, security teams are dealing with more headaches — the operational inefficiencies of constantly jumping from one silo to the next and using multiple tools with redundant workflows.

Problem is, the bad guys don’t care about your security siloes. They search for your weakest links and move laterally across platforms and identities, looking to exploit issues without regard for those artificial barriers. One solution is to look for an exposure management platform that can ingest the various types of security data and knit together this patchwork of information and tools. An exposure management platform helps you correlate all your information and puts it in context so it’s easier to understand where your true exposures lie.

Must have: A breadth of integrations

When you’re evaluating exposure management software, ask whether the platform can ingest data from your array of security tools, including vulnerability management, dynamic application security testing, cloud security posture management, and endpoint detection and response.

Challenge 2: Dealing with so many spreadsheets

If you went into security to protect assets and fight the bad guys, we’d bet you didn’t count on being an Excel and PowerPoint jockey as well. But that’s the lot in life for most security professionals. You spend countless hours manually consolidating reports and coordinating your efforts across siloed security tools, which gets in the way of remediating your most critical exposures.

All of the data those tools produce is important for an effective exposure management program. Using spreadsheets to collect and analyze their findings is so “late 1900s.” So you need a platform that integrates and streams it directly into risk scoring engines, dashboards and workflows. An exposure management platform can help you do just that.

With the right integration, exposure management platforms will:

- Give you a cohesive view into your entire attack surface: By ingesting datasets from a variety of security tools, including vulnerability data, cloud configuration baselines, identity graphs and behavioral indicators, an exposure management platform lets you continuously monitor and fix the places where your organization is most exposed.
- Relieve the “spreadsheet scramble”: By normalizing and correlating data into a unified view, an exposure management platform enables you to analyze the output from your many siloed tools in a centralized view, giving you insights you can’t get from spreadsheets. You’ll be able to analyze all your siloed security data across domains like endpoints, cloud, identity and applications all in one place.
- Give you a more accurate picture of risk: This centralized view of your vast array of security tools means you’ll always be ready to answer questions like: “Where are we exposed?” and “Are we at risk?”
- Enable you to prioritize your remediation efforts: An exposure management platform can analyze the data from across your siloed tools and provide automated prioritization recommendations. You’ll be able to zero in on the true exposures across your ecosystem.

Must have: Unify visibility

Look for an exposure management tool that deduplicates and normalizes data, provides business and technical data in context, and enables consistent risk scoring that can help address your true exposures.

Challenge 3: Maximizing the value of existing tools

Those security tools all have a reason for being. You had a problem, found a solution, installed the tool and were off to the races. But if you can’t monitor or track all those tools, how do you know if you’re getting any value at all?

And how do you spot overlapping capabilities and redundant processes? The short answer: You don’t. As Peter Drucker famously said, “You can’t manage what you don’t measure.” When security tools operate in isolation, disconnected from one another, they fail to deliver their true value. So how will you ever know their ROI?

An exposure management platform centralizes all the security data coming from these tools. It deduplicates and normalizes all your security data, which helps streamline processes, cut costs and extract the most from your existing security investments. Plus, you’ll understand the technical and business context of those combined data sets and you’ll be able to create a consistent risk scoring approach that can identify and address your true exposures.

Must have: Prioritize actual exposures

Find an exposure management platform that provides the context you need across all your security tools so you can prioritize actual exposures. With these connections in place, the team will be more effective and you’ll get your arms around the return on investment of all those tools.

Takeaways

Organizations that continue to operate with siloed visibility will struggle to keep up with building threats. The ability to unify data across multiple siloed security tools is no longer a nice-to-have; it is a requirement for understanding and addressing risk in an interconnected world.

The ability to analyze previously isolated data coming from multiple tools in a unified way enables security teams to make well-informed decisions, reduce attack paths and proactively defend against emerging threats. In next week’s Exposure Management Academy post, we’ll dig a bit deeper and look at ways exposure management can move you from disparate sources to a unified view of your exposures.

Have a question about exposure management you’d like us to tackle? We’re all ears. Share your question and maybe we’ll feature it in a future post.
by Tenable
2025-05-05 08:15:00
A week in security (April 27 – May 3)A list of topics we covered in the week of April 27 to May 3 of 2025
by Malwarebytes Labs
2025-05-05 07:34:37
Sansec uncovered a supply chain attack via 21 backdoored Magento extensionsSupply chain attack via 21 backdoored Magento extensions hit 500–1,000 e-stores, including a $40B multinational. Sansec researchers reported that multiple vendors were hacked in a coordinated supply chain attack; the experts discovered that a backdoor was hidden in 21 applications. Curiously, the malicious code was injected 6 years ago, but the supply chain attack was […]
by Security Affairs
2025-05-05 05:00:00
Access reviews can be fixed - here’s howDrowning in spreadsheets for access reviews? There’s a smarter solution.
by Cybersecurity Dive
2025-05-05 05:00:00
Learn About Open Source Security Risks With the New Snyk Learn Learning PathCheck out the new learning path that covers the OWASP Top 10 risks for open source software.
by Snyk
2025-05-05 00:00:00
CrowdStrike Falcon Cloud Security Extends Unified Protection to VMware Environments
by CrowdStrike
2025-05-03 21:26:53
watchTowr Warns of Active Exploitation of SonicWall SMA 100 DeviceswatchTowr reveals active exploitation of SonicWall SMA 100 vulnerabilities (CVE-2024-38475 & CVE-2023-44221) potentially leading to full system takeover…
by Hackread
2025-05-03 20:01:00
Malicious Go Modules Deliver Disk-Wiping Linux Malware in Advanced Supply Chain AttackCybersecurity researchers have discovered three malicious Go modules that include obfuscated code to fetch next-stage payloads that can irrevocably overwrite a Linux system's primary disk and render it unbootable. The names of the packages are listed below - github[.]com/truthfulpharm/prototransform github[.]com/blankloggia/go-mcp github[.]com/steelpoor/tlsproxy "Despite appearing legitimate,
by The Hacker News
2025-05-03 15:03:00
Iranian Hackers Maintain 2-Year Access to Middle East CNI via VPN Flaws and MalwareAn Iranian state-sponsored threat group has been attributed to a long-term cyber intrusion aimed at a critical national infrastructure (CNI) in the Middle East that lasted nearly two years. The activity, which lasted from at least May 2023 to February 2025, entailed "extensive espionage operations and suspected network prepositioning – a tactic often used to maintain persistent access for future
by The Hacker News
2025-05-03 12:36:00
U.S. Charges Yemeni Hacker Behind Black Kingdom Ransomware Targeting 1,500 SystemsThe U.S. Department of Justice (DoJ) on Thursday announced charges against a 36-year-old Yemeni national for allegedly deploying the Black Kingdom ransomware against global targets, including businesses, schools, and hospitals in the United States. Rami Khaled Ahmed of Sana'a, Yemen, has been charged with one count of conspiracy, one count of intentional damage to a protected computer, and one
by The Hacker News
2025-05-03 12:00:00
How Riot Games is fighting the war against video game hackersRiot’s “anti-cheat artisan” Phillip Koskinas explains how he and his team go after cheaters and cheat developers to protect the integrity of games, such as Valorant and League of Legends.
by TechCrunch
2025-05-03 10:30:00
Hacking Spree Hits UK Retail GiantsPlus: France blames Russia for a series of cyberattacks, the US is taking steps to crack down on a gray market allegedly used by scammers, and Microsoft pushes the password one step closer to death.
by WIRED Security News
2025-05-02 20:36:07
UK Retailers Reeling From Likely Ransomware AttacksA series of cyberattacks have struck multiple major British retailers in recent weeks, and a ransomware gang has reportedly claimed responsibility.
by Dark Reading
2025-05-02 19:59:23
What NY's New Security Rules Mean for Finance FirmsAccording to the New York Department of Financial Services, finance companies operating in New York — even if not based there — must implement a variety of protections against unauthorized access to IT systems.
by Dark Reading
2025-05-02 19:46:40
Mike Waltz Has Somehow Gotten Even Worse at Using SignalA photo taken this week showed Mike Waltz using an app that looks like—but is not—Signal to communicate with top officials. "I don't even know where to start with this," says one expert.
by WIRED Security News
2025-05-02 19:24:26
New Upwork Report Offers a Path Out of BurnoutWidespread employee exhaustion persists — but the freelance platform's new research shows ways workers are proactively managing their engagement with work.
by ITPro Today
2025-05-02 18:17:43
How do data brokers affect the threat ecosystem?Data brokers gather and sell personal information to various companies. Unfortunately, these brokers suffer from data breaches just like any other company.
by Barracuda
2025-05-02 17:56:04
Dating app Raw exposed users’ location data and personal informationThe app claims it uses end-to-end encryption, but spilled its users' dating preferences and granular location data to the open web.
by TechCrunch
2025-05-02 17:55:00
TikTok Slammed With €530 Million GDPR Fine for Sending E.U. Data to ChinaIreland's Data Protection Commission (DPC) on Friday fined popular video-sharing platform TikTok €530 million ($601 million) for infringing data protection regulations in the region by transferring European users' data to China. "TikTok infringed the GDPR regarding its transfers of EEA [European Economic Area] User Data to China and its transparency requirements," the DPC said in a statement. "
by The Hacker News
2025-05-02 16:54:47
The complete list of Q1 2025 releases and updates on HTB Enterprise PlatformPowered by insights from our 3.3M+ cybersecurity community and today’s industry needs, here’s what’s new at Hack The Box from the past three months.
by Hack The Box Blog
2025-05-02 16:29:28
Attackers Ramp Up Efforts Targeting Developer SecretsSoftware teams need to follow security best practices to eliminate the leak of secrets, as threat actors increase their scanning for configuration and repository files.
by Dark Reading
2025-05-02 16:07:44
On world password day, Microsoft says fewer passwords, more passkeysPasswords are becoming things of the past. Passkeys are more secure, easier to manage, and speed up the login process.
by Malwarebytes Labs
2025-05-02 16:00:00
How to Automate CVE and Vulnerability Advisory Response with TinesRun by the team at workflow orchestration and AI platform Tines, the Tines library features pre-built workflows shared by security practitioners from across the community - all free to import and deploy through the platform’s Community Edition. A recent standout is a workflow that automates monitoring for security advisories from CISA and other vendors, enriches advisories with CrowdStrike
by The Hacker News
2025-05-02 15:59:49
Despite Arrests, Scattered Spider Continues High-Profile HackingWhile law enforcement has identified and arrested several alleged members, the notorious threat group continues to wreak havoc.
by Dark Reading
2025-05-02 14:36:03
SocGholish: From loader and C2 activity to RansomHub deploymentIn early 2025, Darktrace uncovered SocGholish-to-RansomHub intrusion chains, including loader and C2 activity, alongside credential harvesting via WebDAV and SCF abuse. Learn more about SocGholish and its kill chain here!
by Darktrace
2025-05-02 14:30:00
Microsoft Drops Passwords in Favor of Passkeys on New AccountsMicrosoft announced sweeping updates to accelerate the shift away from passwords, introducing passwordless defaults for new accounts and a revamped sign-in experience that prioritizes usability and security. The announcement marks a new chapter in Microsoft's decade-long effort to replace passwords with more secure and intuitive authentication methods. The company has formally taken the Passkey Pledge, …
by Cyber Insider
2025-05-02 14:29:15
Trump proposes major cut to CISA’s budget, citing false ‘censorship’ claimsThe president’s budget proposal repeated a debunked claim about the nation’s cyber agency engaging in censorship.
by Cybersecurity Dive
2025-05-02 14:27:00
MintsLoader Drops GhostWeaver via Phishing, ClickFix — Uses DGA, TLS for Stealth AttacksThe malware loader known as MintsLoader has been used to deliver a PowerShell-based remote access trojan called GhostWeaver. "MintsLoader operates through a multi-stage infection chain involving obfuscated JavaScript and PowerShell scripts," Recorded Future's Insikt Group said in a report shared with The Hacker News. "The malware employs sandbox and virtual machine evasion techniques, a domain
by The Hacker News
2025-05-02 14:22:24
Harrods Hit by Cyberattack, Marking Third UK Retailer Targeted in Recent Wave

Harrods, the iconic British luxury department store, has confirmed that it was recently targeted in a cybersecurity incident, becoming the third major UK retailer in just a few days to report a cyber incident. The Harrods cyberattack follows similar breaches at Marks & Spencer and the Co-op. The cyberattack on Harrods prompted the department store to take precautionary steps, including limiting online access while assuring customers that its physical stores and online shopping were still operational.

The incident, which occurred in late April 2025, saw hackers attempt to gain unauthorized access to Harrods’ systems. The UK retailer restricted internet access at its sites as a precautionary measure but assured customers that its flagship Knightsbridge store, H Beauty branches, and airport outlets remained open. Additionally, online shopping services continued without interruption.

Response to the Harrods Cyberattack

In a statement provided to The Cyber Express, the company confirmed the incident, stating, "We recently experienced attempts to gain unauthorized access to some of our systems. Our seasoned IT security team immediately took proactive steps to keep systems safe, and as a result, we have restricted internet access at our sites today. Currently, all sites, including our Knightsbridge store, H beauty stores, and airport stores, remain open to welcome customers. Customers can also continue to shop via harrods.com."

Harrods has not yet provided additional details on the scale or potential consequences of the breach, including whether customer data was affected. Customers were reassured that no action was needed on their part at this time, with the retailer promising to provide updates as the situation evolves.

Rising Concerns in the Retail Sector

The Harrods cyberattack comes on the heels of similar incidents that recently disrupted operations at Marks & Spencer and the Co-op. Marks & Spencer, for example, revealed a cyberattack linked to the hacking group "Scattered Spider" that caused widespread disruptions to online ordering systems and stock shortages in some physical stores. The attack, which reportedly involved the deployment of DragonForce ransomware, has cost Marks & Spencer millions in lost sales. Online orders were suspended for several days, and authorities are still investigating the incident.

Meanwhile, the Co-op also reported an attempted network breach, prompting it to take precautionary measures such as shutting down parts of its IT systems and requiring staff to verify their identities during remote meetings. These measures were implemented to mitigate the risk of eavesdropping by cybercriminals.

The National Cyber Security Centre (NCSC), which oversees the UK’s cybersecurity efforts, has expressed concern over the growing number of attacks targeting the retail sector. Richard Horne, the NCSC’s CEO, emphasized that these incidents should serve as a wake-up call for retailers to bolster their defenses against cyber threats. He confirmed that the NCSC was collaborating closely with all affected companies to fully understand the nature of these attacks and to offer expert advice to the wider retail sector.

Conclusion

The ongoing investigations into the recent attacks on Harrods, Marks & Spencer, and the Co-op highlight the advancements of cybercriminals targeting high-profile UK retailers. While no direct link between the incidents has been established, experts speculate that shared vulnerabilities or common suppliers may be involved.

This is an ongoing story, and The Cyber Express will be closely monitoring the situation. We'll update this post once we have more information on the incident and/or any new statement from the retailer.
by The Cyber Express
2025-05-02 14:15:39
CISA Adds Two New Exploited Vulnerabilities to Its Catalog: CVE-2024-38475 and CVE-2023-44221

The Cybersecurity and Infrastructure Security Agency (CISA) recently updated its Known Exploited Vulnerabilities (KEV) Catalog, adding two vulnerabilities, CVE-2024-38475 and CVE-2023-44221, that are currently being actively exploited. These vulnerabilities present substantial cybersecurity risks to organizations, particularly those in the federal sector. Both vulnerabilities have been linked to high-profile products, Apache HTTP Server and SonicWall SMA100, which are widely used in various industries.

CVE-2024-38475: Apache HTTP Server Improper Escaping of Output

One of the newly added vulnerabilities, CVE-2024-38475, affects Apache HTTP Server versions up to 2.4.59. Discovered by security researcher Orange Tsai from DEVCORE, this vulnerability arises due to improper escaping of output in the mod_rewrite module. The flaw allows attackers to manipulate URLs, mapping them to unintended filesystem paths that are typically inaccessible via normal web requests. This could lead to unauthorized code execution or the disclosure of sensitive source code.

This issue specifically affects server contexts where substitutions in mod_rewrite, using backreferences or variables in the first segment of the substitution, can be exploited. As a result, attackers can craft malicious URLs that trick the server into executing arbitrary commands or revealing internal files. Apache has recommended the use of a rewrite flag, "UnsafePrefixStat," for users who need to maintain compatibility with broken RewriteRules, provided they ensure the substitution is properly constrained.

The vulnerability is classified under CWE-116 (Improper Encoding or Escaping of Output) and affects Apache HTTP Server versions 2.4.0 through 2.4.59. Users are advised to upgrade to the latest patch to mitigate the risks associated with this vulnerability.

CVE-2023-44221: SonicWall SMA100 OS Command Injection

The second vulnerability added to the catalog, CVE-2023-44221, impacts SonicWall’s SMA100 series SSL-VPN appliances. This vulnerability stems from an issue in the SSL-VPN management interface, where improper neutralization of special elements can lead to OS command injection. Attackers with administrative privileges can exploit this flaw to inject arbitrary commands, potentially leading to the execution of malicious commands on the underlying operating system.

This vulnerability has been assigned a CVSS v3 score of 7.2, indicating a high level of severity. It primarily affects SonicWall SMA 200, 210, 400, 410, and 500v models running versions 10.2.1.9-57sv or earlier. SonicWall has released patches to address this issue, urging users to upgrade to version 10.2.1.10-62sv or higher.

CVE-2023-44221 is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command), making it an important vector for remote attackers to compromise systems. SonicWall has also acknowledged that the vulnerability is being actively exploited in the wild, further heightening its potential threat to affected organizations.

Conclusion

CISA plays a pivotal role in identifying and cataloging vulnerabilities to protect federal and private sector systems from active exploitation, as evidenced by its addition of CVE-2024-38475 and CVE-2023-44221 to the Known Exploited Vulnerabilities Catalog. Organizations are urged to take immediate action, such as applying patches for affected Apache HTTP Server versions and upgrading SonicWall SMA100 devices to secure firmware versions, to mitigate these threats.
by The Cyber Express
2025-05-02 14:00:00
Cut CISA and Everyone Pays for ItGutting CISA won't just lose us a partner. It will lose us momentum. And in this game, that's when things break.
by Dark Reading
2025-05-02 13:48:11
TikTok Fined €530 Million in Ireland Over Data Transfers to ChinaThe Irish Data Protection Commission (DPC) has imposed a €530 million fine on TikTok, concluding a major inquiry into the social media giant's unlawful transfers of personal data belonging to European Economic Area (EEA) users to China, and its failure to meet key transparency obligations under the GDPR. The investigation, conducted by the DPC in …
by Cyber Insider
2025-05-02 13:46:44
Keeper Security renews Atlassian Williams Racing F1 partnershipKeeper Security, the provider of zero-trust and zero-knowledge Privileged Access Management (PAM) software protecting passwords, passkeys, privileged accounts, secrets and remote connections, today announced a multi-year renewal of its partnership with Atlassian Williams Racing. “We’re thrilled to continue our synergistic partnership with Atlassian Williams Racing as part of our strategy in forging long-term relationships with […]
by IT Security Guru
2025-05-02 13:00:00
Your KnowBe4 Fresh Content Updates from April 2025Check out the 21 new pieces of training content added in April, alongside the always fresh content update highlights, new features and events.
by KnowBe4
2025-05-02 13:00:00
A Deep-Rooted Infestation: How the ILOVEYOU Bug Continues its Legacy in Modern WormsA quarter century ago, a former computer science student from the Philippines accidentally unleashed one of the most destructive computer viruses in modern history.
by SpiderLabs Blog
2025-05-02 12:57:59
The evolution of DAST: Meeting the API security challengeModern API security demands more than just parsing definitions—it requires dynamic testing built on real-world experience. Invicti’s DAST-first approach combines comprehensive scanning, intelligent discovery, and proven techniques to uncover, validate, and prioritize vulnerabilities across today’s complex API environments.
by Invicti
2025-05-02 12:56:00
Security Think Tank: What CISOs can learn from SignalgateA leak of information on American military operations caused a major political incident in March 2025. The Security Think Tank considers what CISOs can learn from this potentially fatal error.
by ComputerWeekly
2025-05-02 12:45:00
Retail cyber crime spree a ‘wake-up call’, says NCSC CEOThe National Cyber Security Centre confirms it is providing assistance to M&S, Co-op and Harrods as concerns grow among UK retailers
by ComputerWeekly
2025-05-02 12:10:00
Microsoft Sets Passkeys Default for New Accounts; 15 Billion Users Gain Passwordless SupportA year after Microsoft announced passkeys support for consumer accounts, the tech giant has announced a big change that pushes individuals signing up for new accounts to use the phishing-resistant authentication method by default. "Brand new Microsoft accounts will now be 'passwordless by default,'" Microsoft's Joy Chik and Vasu Jakkal said. "New users will have several passwordless options for
by The Hacker News
2025-05-02 11:17:39
Recent DOJ settlements suggest Biden cyber-fraud initiative still active
The Justice Department under Trump has now settled three cases that bear the hallmarks of a Biden-era cyber enforcement initiative.
by Cybersecurity Dive
2025-05-02 11:08:44
Retail Under Fire: Inside the DragonForce Ransomware Attacks on Industry Giants
Who Is the DragonForce Ransomware Group?
DragonForce is a relatively new ransomware operation that emerged in late 2023 and quickly evolved into a Ransomware-as-a-Service (RaaS) “cartel”. Unlike single-group ransomware gangs, DragonForce recruits affiliate hackers and even other RaaS groups, offering them its ransomware platform under a white-label model. In other words, affiliates can carry out attacks using DragonForce’s infrastructure and encryptor while branding the attack as their own. DragonForce’s operators take a 20% cut of any ransom but handle the heavy lifting (malware development, leak site, payment negotiation) on their servers.
by Picus Security
2025-05-02 11:00:00
Salesforce expands model lineup in support of agentic AI
The software vendor added variations to its family of large action models for on-device implementation, limited GPU resources and industrial applications.
by Cybersecurity Dive
2025-05-02 10:49:28
MIWIC25: Marine Ruhamanya, Cybersecurity Senior Manager
Organised by Eskenzi PR in media partnership with the IT Security Guru, the Most Inspiring Women in Cyber Awards aim to shed light on the remarkable women in our industry. The following is a feature on one of 2024’s Top 20 women selected by an esteemed panel of judges. Presented in a Q&A format, the nominee’s answers are […]
by IT Security Guru
2025-05-02 09:30:18
Is your Roku TV spying on you? Likely, but here's how you can take back control
Your Amazon Fire Stick, Chromecast, and other streaming devices gather personal data for different purposes. If that concerns you, here's how to regain some control.
by ZDNET Security
2025-05-02 09:00:00
DevSecOps Reality Check: Context Reduces Critical Security Alerts by 82%
Cutting through security noise, Datadog's 2025 State of DevSecOps report finds most critical alerts aren't actually critical.
by ITPro Today
2025-05-02 09:00:00
Cybersecurity Snapshot: CISA’s Best Cyber Advice on Securing Cloud, OT, Apps and More
In this special edition of the Cybersecurity Snapshot, we’re highlighting some of the most valuable guidance offered by the U.S. Cybersecurity and Infrastructure Security Agency in the past 12 months. Check out best practices, recommendations and insights on protecting your cloud environments, OT systems, software development processes and more.

In case you missed it, here’s CISA’s advice on six cybersecurity areas.

1 - How to choose cyber secure OT products

If your organization is shopping around for operational technology (OT) products, CISA published a guide in January 2025 aimed at helping OT operators choose OT products designed with strong cybersecurity features.

Titled “Secure by Demand: Priority Considerations for Operational Technology Owners and Operators when Selecting Digital Products,” the publication highlights 12 cybersecurity elements that OT products should have, including:
- Support for controlling and tracking modifications to configuration settings
- Logging of all actions using open-standard logging formats
- Rigorous testing for vulnerabilities and timely provision of free and easy-to-install patches and updates
- Strong authentication methods, such as role-based access control and phishing-resistant multi-factor authentication, to prevent unauthorized access
- Protection of the integrity and confidentiality of data at rest and in transit

According to CISA, many OT products aren’t designed and developed securely, so they ship with issues such as weak authentication, known vulnerabilities and insecure default settings. In fact, the agency says it’s common for hackers to specifically target OT products they know are insecure, instead of going after specific organizations. Thus, it’s critical for organizations, especially those in critical infrastructure sectors, to pick OT products that are built securely.

“When security is not prioritized nor incorporated directly into OT products, it is difficult and costly for owners and operators to defend their OT assets against compromise,” reads the guide, published in collaboration with other U.S. and international agencies.

Back in September 2024, CISA sounded the alarm on critical infrastructure organizations’ susceptibility to common, well-known attack methods in its “CISA Analysis: Fiscal Year 2023 Risk and Vulnerability Assessments” report.

The report’s findings are based on risk and vulnerability assessments (RVAs) of the security of 143 critical infrastructure organizations that CISA and the U.S. Coast Guard conducted in 2023.

Specifically, CISA and USCG assessors had the most success gaining initial access, attaining network permanence, evading defenses and moving laterally by using valid accounts, phishing schemes and default credentials — all simple attack methods.

For example, the use of valid accounts, which are legitimate accounts whose login credentials have been compromised, was the most successful attack technique for achieving:
- Initial access (41.3%)
- Persistence (42.2%)
- Privilege escalation (44.7%)

Valid-account use also ranked as the second most successful attack technique for evading defenses.

(Source: “CISA Analysis: Fiscal Year 2023 Risk and Vulnerability Assessments” report, September 2024)

The report offers troves of recommendations to critical infrastructure organizations, including:
- Adopt a secure password policy that requires phishing-resistant multi-factor authentication for remote access; strong passwords; unique credentials, and more.
- Maintain a comprehensive asset inventory, and keep software updated and patched.
- Segment networks and block outbound connections from internet-facing servers to prevent lateral movement and privilege escalation.

For more information about protecting critical infrastructure environments and about operational technology (OT) security, check out these Tenable resources:
- “Critical Infrastructure Cybersecurity: Disrupt OT Attack Vectors in the New Era of Distrust” (white paper)
- “How To Secure All of Your Assets - IT, OT and IoT - With an Exposure Management Platform” (blog)
- “Enhancing Critical Infrastructure Cybersecurity for Water Utilities” (infographic)
- “Adhering to the NIST Framework with Tenable OT Security” (data sheet)
- “Blackbox to blueprint: The security leader’s guidebook to managing OT and IT risk” (white paper)

2 - What SBOMs are and how to implement them

Looking to learn more about software bills of materials (SBOMs), which in theory help boost your software supply chain security by listing all ingredients in a software product, such as an application?

In October 2024, CISA updated the document “Framing Software Component Transparency,” which offers foundational guidance about SBOMs, such as what they are and how to implement them. SBOMs’ purpose is to provide granular visibility into all software components in your environment. Thus, an SBOM should help you locate all instances of a component with a newly disclosed flaw, such as a critical vulnerability — as happened with the Log4j utility.

However, the software industry is still working through complex SBOM-related challenges in areas including standards, data comprehensiveness and interoperability.

“Framing Software Component Transparency” zeroes in on the challenge of “universally identifying and defining certain aspects of software components.”

Specifically, the CISA guidance states the need to:
- Establish a minimum set of baseline attributes for identifying components “with sufficient relative uniqueness.”
- Identify optional attributes beyond the baseline ones.
- Correlate SBOMs with third-party sources for analysis purposes.

A few months later, CISA tackled a related topic: secure software development.

The best practices are organized into two categories — software development process goals and product design goals — and include:

Software development process goals:
- Address vulnerabilities before releasing the software product, and publish a vulnerability disclosure policy.
- Separate all software development environments, including development, build and test, to reduce the lateral movement risk.
- Enforce multi-factor authentication across all software development environments.
- Securely store and transmit credentials.

Product design goals:
- Reduce entire classes of preventable vulnerabilities, such as SQL injection vulnerabilities, memory safety vulnerabilities and cross-site scripting vulnerabilities.
- Provide timely security patches to customers.
- Don’t use default password in your products.
- Let users know when your products are nearing end-of-life status and you will no longer provide security patches for them.

The recommendations “will help to protect the sector from cyber incidents, identify and address vulnerabilities prior to product release, improve incident response, and significantly improve software security,” CISA said in a statement.

For more information about SBOMs:
- “How Our Business Complies with SBOM Recommendations” (DevProJournal)
- “How to create an SBOM, with example and template” (TechTarget)
- “SBOMs – Software Supply Chain Security’s Future or Fantasy?” (SecurityWeek)

For more information about secure software development:
- “CISA Tells Tech Vendors To Squash Command Injection Bugs, as OpenSSF Calls on Developers To Boost Security Skills” (Tenable)
- “Secure Development” (Software Engineering Institute, Carnegie Mellon Univ.)
- “Secure Software Development Framework” (NIST)

3 - Key takeaways from red team exercises

In July 2024, CISA published a must-read report explaining how its red team probed a large federal agency’s network, quickly found a way in and stayed undetected for months.

The 29-page report details the so-called SilentShield assessment from CISA’s red team, explains what the agency’s security team should have done differently and offers concrete recommendations and best practices you might find worth reviewing.

Mimicking the modus operandi of a typical nation-state attacker, CISA’s red team exploited a known vulnerability on an unpatched web server, gaining access to the agency’s Solaris environment. Separately, the red team also breached the network’s Windows environment via a phishing attack. Once inside, the red team exploited other weaknesses, such as unsecured admin credentials, to extend the scope of the breach, which went undetected for five months. At that point, CISA alerted the agency about the SilentShield operation.

CISA has authorization to conduct SilentShield assessments, whose purpose is to work with the impacted agency and help its security team strengthen its cyberdefenses.

Here’s a brief sampling of the assessed agency’s security weaknesses:
- Lack of sufficient prevention and detection controls, including an inadequate firewall between its perimeter and internal networks; and insufficient network segmentation
- Failure to effectively collect, retain and analyze logs, which hampered defensive analysts’ ability to gather necessary information
- Bureaucratic processes and siloed teams
- Reliance on flagging “known” indicators of compromise (IOCs) instead of using behavior-based detection
- Lack of familiarity with the identity and access management system (IAM), which wasn’t tested against credential-manipulation techniques nor were its anomalous-behavior alerts monitored

Recommendations include:
- Deploy internal and external firewalls
- Implement strong network segmentation
- Enroll all accounts in the IAM system, and make sure it’s not vulnerable to credential manipulation
- Centralize logging and use tool-agnostic detection

To get more details, read the report, titled “CISA Red Team’s Operations Against a Federal Civilian Executive Branch Organization Highlights the Necessity of Defense-in-Depth.”

For more information about the threat from nation-state cyber attackers:
- “What CISOs Need to Know About Nation-State Actors” (InformationWeek)
- “4 Ways to Defend Against Nation-State Attacks” (BankInfoSecurity)
- “Growing Nation-State Alliances Increase U.S. Cyber Risks” (Government Technology)
- “Nation-State Hackers Leverage Zero-Day Vulnerabilities to Penetrate MITRE Cybersecurity Research Network” (CPO Magazine)

4 - How to implement secure practices for cloud services

In a move to boost the U.S. government’s cloud security, CISA released in December 2024 a set of required cybersecurity actions for federal civilian agencies — mostly focused on applying secure configuration baselines to their cloud apps.

The mandate to secure cloud environments comes via the Binding Operational Directive (BOD) 25-01 — titled “Implementing Secure Practices for Cloud Services.” “Malicious threat actors are increasingly targeting cloud environments and evolving their tactics to gain initial cloud access,” CISA said in a statement.

The guidance, while applicable only to U.S. federal civilian agencies, can be helpful to all organizations in the public and private sectors. Its foundation is CISA’s Secure Cloud Business Applications (SCuBA) project, which offers recommendations for hardening the configuration of cloud services. “The scope of the BOD 25-01 includes all production or operational cloud tenants (operating in or as a federal information system) utilizing Microsoft 365,” Tenable Staff Research Engineer Mark Beblow explained in a recent blog about this directive.

“CISA may release additional SCuBA Secure Configuration Baselines for other cloud products which would fall under the scope of this directive,” he added.

Earlier in 2024, CISA joined the National Security Agency to publish five information sheets detailing cloud security best practices and mitigations in areas including cloud IAM; keys management; network segmentation and encryption; and data protection.

Here are the links to the documents:
- Use Secure Cloud Identity and Access Management Practices
- Use Secure Cloud Key Management Practices
- Implement Network Segmentation and Encryption in Cloud Environments
- Secure Data in the Cloud
- Mitigate Risks from Managed Service Providers in Cloud Environments

To get more details and analysis on these cloud security best practices and mitigations, read the blog “CISA and NSA Cloud Security Best Practices: Deep Dive” from Tenable Senior Research Engineer Zan Liffick.

To learn more about cloud security, check out these Tenable resources:
- “Establishing a Cloud Security Program: Best Practices and Lessons Learned” (blog)
- “Empower Your Cloud: Mastering CNAPP Security” (white paper)
- “Know Your Exposure: Is Your Cloud Data Secure in the Age of AI?” (on-demand webinar)
- “Harden Your Cloud Security Posture by Protecting Your Cloud Data and AI Resources” (blog)
- “10 Considerations for Securing Stateful Persistent Volumes Attached to Kubernetes Pods and Applications” (white paper)

5 - How to design software more securely

CISA has been pushing its “Secure by Design” program, which encourages software manufacturers to build cybersecurity into the design of their products, which the agency firmly believes would dramatically lower cyber risk.

Examples of this effort are CISA’s calls to stamp out well-known software flaws that nonetheless remain prevalent in applications and other software products, such as traversal vulnerabilities, OS command injection vulnerabilities and cross-site scripting vulnerabilities. Also part of the program is the Secure by Design pledge, an initiative CISA launched in May 2024 to encourage software manufacturers to voluntarily commit to secure software development practices, such as using multi-factor authentication and being more transparent in vulnerability reporting.

Tenable was one of the 68 original signatories of the pledge. “This initiative is a commitment to enhance the security posture of our products and, by extension, the broader digital ecosystem,” Tenable CSO and Head of Research Bob Huber wrote in a blog.

As part of the Secure by Design initiative, CISA also reached out to technology buyers, encouraging them to seek software products designed and built securely. To help technology buyers make this assessment, CISA, joined by cyber agencies from the Five Eyes countries — Australia, Canada, New Zealand, U.S. and U.K. — published the guide “Secure-by-Design: Choosing Secure and Verifiable Technologies.”

The 40-page document seeks “to assist procuring organizations to make informed, risk-based decisions” about digital products and services, and is aimed at executives, cybersecurity teams, product developers, risk advisers, procurement specialists and others.

“It is important that customers increasingly demand manufacturers embrace and provide products and services that are secure-by-design and secure-by-default,” reads the guide. The authoring agencies define the secure-by-design principles that software manufacturers should follow when building digital products and services. Here’s a sampling:
- Adopt a proactive, security-focused approach
- Align cybersecurity goals across all levels of the organization
- Mitigate threats through software design, development, architecture and security measures
- Design, build and deliver software with fewer vulnerabilities

The guide is divided into two main sections: External procurement considerations, which is by far the longest; and internal procurement considerations. Topics covered include:
- Supply chain risk management
- Open source software usage
- Data sharing
- Development process
- Maintenance and support
- Contracts, licensing and service level agreements

For more information about the secure-by-design concept:
- CISA’s “Secure by Design” home page
- “What Will It Take to Adopt Secure by Design Principles?” (Information Week)
- “10 security-by-design principles to include in the SDLC” (TechTarget)
- “Secure Product Design Cheat Sheet” (OWASP)
- “Lock Down the Software Supply Chain With 'Secure by Design'” (Dark Reading)

6 - The importance of adopting a common security posture for your organization

Is your company considering implementing a consistent and uniform set of foundational cybersecurity practices for all teams and departments throughout the organization? If so, you might want to check out how CISA plans to lead such an effort across 100-plus federal agencies.

CISA will be in charge of the project, which it detailed in the document “Federal Civilian Executive Branch (FCEB) Operational Cybersecurity Alignment (FOCAL) Plan,” announced in September 2024.

The goal: To standardize the cybersecurity operations of civilian agencies in the executive branch, known by the acronym FCEB, to ensure they can all properly manage cyber risk in today’s complex and fast-evolving threat landscape.

Currently, these agencies architect their IT and cybersecurity operations independently, and consequently their ability to manage cyber risk varies. “There is no cohesive or consistent baseline security posture across all FCEB agencies” and as a result “the FCEB remains vulnerable,” CISA says in the FOCAL plan’s document.

The FOCAL plan focuses on five core areas:
- Asset management
- Vulnerability management
- Defensible architecture
- Cyber supply-chain risk management
- Incident detection and response

“The FOCAL Plan was developed for FCEB agencies, but public and private sector organizations should find it useful as a roadmap to establish their own plan to bolster coordination of their enterprise security capabilities,” CISA said in a statement.

To get more details, check out the Tenable blog “CISA Releases FOCAL Plan to Help Federal Agencies Reduce Cyber Risk” from Tenable Director of Security Engineering Garrett Cook.
by Tenable
2025-05-02 00:54:16
Best travel VPNs 2025: The top travel VPNs for avoiding geo-blocks and censorship
VPNs shield you from spying and online tracking. Our favorite travel VPNs offer fast speeds, massive server networks, unlimited connections, and more.
by ZDNET Security
2025-05-02 00:52:00
xAI Dev Leaks API Key for Private SpaceX, Tesla LLMs
An employee at Elon Musk's artificial intelligence company xAI leaked a private key on GitHub that for the past two months could have allowed anyone to query private xAI large language models (LLMs) which appear to have been custom made for working with internal data from Musk's companies, including SpaceX, Tesla and Twitter/X, KrebsOnSecurity has learned.
by Krebs on Security
2025-05-02 00:00:00
ZDI-25-284: MATE Desktop Atril Document Viewer EPUB File Parsing Directory Traversal Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of MATE Desktop Atril Document Viewer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8.
by Zero Day Initiative Advisories
2025-05-02 00:00:00
ZDI-25-283: MATE Desktop Atril Document Viewer CBT File Parsing Argument Injection Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of MATE Desktop Atril Document Viewer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8.
by Zero Day Initiative Advisories
2025-05-01 23:28:19
SANS Top 5: Cyber Has Busted Out of the SOC
This year's top cyber challenges include cloud authorization sprawl, ICS cyberattacks and ransomware, a lack of cloud logging, and regulatory constraints keeping defenders from fully utilizing AI's capabilities.
by Dark Reading
2025-05-01 23:14:03
Enterprises Need to Beware of These 5 Threats
A panelist of SANS Institute leaders detailed current threats and provided actionable steps for enterprises to consider.
by Dark Reading
2025-05-01 22:00:08
AI Agents Are Here. So Are the Threats.
Programs leveraging AI agents are increasingly popular. Nine attack scenarios using open-source agent frameworks show how bad actors target these applications.
by Palo Alto Networks - Unit42
2025-05-01 21:40:37
Security audits play a vital role in defense
Security audits are a crucial component of an organization’s cybersecurity strategy. However, despite their importance, they are not as commonly conducted as you might think.
by Barracuda
2025-05-01 21:17:00
Fake Security Plugin on WordPress Enables Remote Admin Access for Attackers
Cybersecurity researchers have shed light on a new campaign targeting WordPress sites that disguises the malware as a security plugin. The plugin, which goes by the name "WP-antymalwary-bot.php," comes with a variety of features to maintain access, hide itself from the admin dashboard, and execute remote code. "Pinging functionality that can report back to a command-and-control (C&C) server
by The Hacker News
2025-05-01 21:05:57
Exciting Leadership Updates at KnowBe4
To our valued KnowBe4 customers, partners, and community. I wanted to share some exciting developments happening at KnowBe4.
by KnowBe4
2025-05-01 20:30:01
Xfinity Scam Might Explain Similar Scams
Recently, I covered a T-Mobile scam where a friend of mine narrowly avoided losing money. In that scam, the attackers called up pretending to be from T-Mobile offering him a cannot-pass-up 30% discount on future T-Mobile bills.
by KnowBe4
2025-05-01 20:29:20
Email Remains the Top Attack Vector for Cyberattacks
Email is still the most common attack vector for cyber threats, according to a new report from Barracuda.
by KnowBe4
2025-05-01 19:47:18
Experts Debate Real ID Security Ahead of May 7 Deadline
Real IDs have been in the works since 2005. Are their security standards still rigorous enough in 2025?
by Dark Reading
2025-05-01 19:01:50
Take It Down Act Expected to Become Law Despite Concerns
U.S. legislation to criminalize non-consensual intimate images, videos and deepfakes has passed Congress with the overwhelming support of both parties, and even social media companies have voiced support for the bill. The Take It Down Act – short for the bill’s full title, “Tools to Address Known Exploitation by Immobilizing Technological Deepfakes on Websites and Networks Act” – also creates processes and requirements for removing non-consensual intimate imagery (NCII) within 48 hours of notification by victims. But some critics say the legislation, while well intended, doesn’t do enough to ensure that it won’t be misused to suppress lawful speech.

The bill is awaiting President Donald Trump’s signature, but as both he and First Lady Melania Trump have voiced support for the bill, it is expected to become law.

Take It Down Act Provisions

The bill, which takes aim at revenge porn and other malicious or harmful uses of intimate images, would make it a federal crime to knowingly share – or threaten to share – non-consensual intimate images, including deepfakes generated by AI. Penalties include fines and imprisonment of up to two years for offenses involving adults, and imprisonment of up to three years for those involving minors. Online platforms would be required to remove NCII within 48 hours of notification by victims.

In an effort to restrict abuses of the law, it excludes content that is a “matter of public concern,” commercial pornography, and materials used for legitimate purposes such as medical uses, law enforcement, national security and legal cases.

Some Say Law Needs More Protections Against Misuse

Some advocacy groups fear the law as written could be abused to remove lawful speech, among other concerns. The Electronic Frontier Foundation (EFF) said the law gives “the powerful a dangerous new route to manipulate platforms into removing lawful speech that they simply don't like.”

“The takedown provision in TAKE IT DOWN applies to a much broader category of content—potentially any images involving intimate or sexual content—than the narrower NCII definitions found elsewhere in the bill,” EFF said in a statement. “The takedown provision also lacks critical safeguards against frivolous or bad-faith takedown requests. Services will rely on automated filters, which are infamously blunt tools. They frequently flag legal content, from fair-use commentary to news reporting. The law’s tight time frame requires that apps and websites remove speech within 48 hours, rarely enough time to verify whether the speech is actually illegal. As a result, online service providers, particularly smaller ones, will likely choose to avoid the onerous legal risk by simply depublishing the speech rather than even attempting to verify it.”

EFF said the law “pressures platforms to actively monitor speech, including speech that is presently encrypted. The law thus presents a huge threat to security and privacy online.”

The Cyber Civil Rights Initiative (CCRI) welcomed the criminalization of non-consensual distribution of intimate images (NDII), but echoed EFF’s concerns about the takedown provisions. “While we welcome the long-overdue federal criminalization of NDII, we regret that it is combined with a takedown provision that is highly susceptible to misuse and will likely be counter-productive for victims,” CCRI said.

CCRI also took exception to a provision “that would seemingly allow a person to disclose intimate images without consent” if the disclosing person also appears in the image. The group said it has “serious concerns about the constitutionality, efficacy, and potential misuse” of the Act’s notice and removal provision: “While we wholeheartedly support the expeditious removal of nonconsensual intimate content and have long called for increased legal accountability for tech platforms that choose to distribute unlawful content, CCRI objects to the notice and removal provision because it is (1) unlikely to accomplish these goals and (2) likely to be selectively and improperly misused for political or ideological purposes that endanger the very communities most affected by image-based sexual abuse.”

Unlike the Digital Millennium Copyright Act (DMCA), the Take It Down Act fails to include safeguards against false reports, CCRI said.
by The Cyber Express
2025-05-01 18:01:27
Understanding the challenges of securing an NGO
Joe talks about how helping the helpers can put a fire in you and the importance of keeping nonprofits cybersecure.
by Cisco Talos Blog
2025-05-01 17:54:27
Hundreds of Fortune 500 companies have hired North Korean operatives.
Cyberwire wrote: "WIRED has published a report on North Korea's efforts to obtain remote IT positions at foreign companies, noting that these fraudulent workers are now using AI tools to cheat on coding tests and technical interviews. The threat actors are also using deepfake technology to bypass ID checks. The primary goal of these workers is to earn a paycheck for Pyongyang, though they also occasionally use their access to conduct espionage or launch financially motivated attacks.
by KnowBe4
2025-05-01 16:55:00
Why top SOC teams are shifting to Network Detection and Response
Security Operations Center (SOC) teams are facing a fundamentally new challenge — traditional cybersecurity tools are failing to detect advanced adversaries who have become experts at evading endpoint-based defenses and signature-based detection systems. The reality of these “invisible intruders” is driving a significant need for a multi-layered approach to detecting threats,
by The Hacker News
2025-05-01 16:50:06
Getting Outlook.com Ready for Bulk Email Compliance
Microsoft has set May 5 as the deadline for bulk email compliance. In this Tech Tip, we show how organizations can still make the deadline.
by Dark Reading
2025-05-01 16:32:00
Claude AI Exploited to Operate 100+ Fake Political Personas in Global Influence Campaign
Artificial intelligence (AI) company Anthropic has revealed that unknown threat actors leveraged its Claude chatbot for an "influence-as-a-service" operation to engage with authentic accounts across Facebook and X. The sophisticated activity, branded as financially-motivated, is said to have used its AI tool to orchestrate 100 distinct personas on the two social media platforms, creating a
by The Hacker News
2025-05-01 15:48:00
Explaining what’s happening in a cyber attack is hard but crucial
The recent attacks on Marks and Spencer, Harrods and the Co-op show why it is essential for organisations to have a strategy to communicate effectively with customers affected
by ComputerWeekly
2025-05-01 15:35:12
Click, Hack, Repeat: Race Conditions DemystifiedIntroduction Without any doubt, time and again life grants benefits to people who make their purchases earliest. The digital environment provides opportunities for cybercriminals to exploit this short period of time. These time-based system flaws allow experienced users to conquer the system. The lack of proper safeguards during multiple-step tasks on websites produces a short period when reality becomes unclear. Two people enter the same door at once yet both ignore the other since they neither notice the passing experience. Online shoppers can use the short period of reality-blurring to get premium leather jackets at unprecedented bargains through the stores’ systems. The basic understanding of how to send various server requests at the perfect times can yield desired results without formal computer science qualifications. We will immediately start with a practical demonstration based on PortSwigger’s simulated shopping website vulnerability in this lab. Viewers will observe the process of vulnerability identification followed by typical tool usage and comprehend the crucial nature of time in securing online platforms. Core-Concepts Race Condition A race condition happens when two or more threads/processes handle the same data at the same time where the ending results depend on the exact timing of execution. Programmers fail to manage sequences properly which enables attackers to bypass logical operations that include withdrawing too much from the account and skipping security protocols and record discrepancies. Frequently found in: Financial apps (e.g., double spending) Booking/reservation systems Under parallel request situations APIs demonstrate weaknesses. TOCTOU (Time-Of-Check to Time-Of-Use) In this subtype of race condition an application checks and then uses a resource state which creates an opportunity for attackers to modify the resource between these moments. 
Real-World Analogy: you find a room empty and assume that nobody entered it during your absence.

Example Attack Scenario: The application checks write permission on a file. The attacker then swaps in a symbolic link that redirects to a critical file, and the application goes on to modify that file by mistake.

Common Attack Vectors

Attack Surface | Scenario | Example
1. Web Servers | Multiple concurrent HTTP requests to critical endpoints | POST /withdraw, POST /checkout
   (Vulnerable if backend fails to lock operations correctly)
2. Databases | Read-modify-write race conditions | App reads balance → parallel withdrawals → all succeed
3. File Systems | Operations on shared directories without locking | Upload a file → replace with symlink before processing (/tmp, /uploads)

Blackbox Testing

Lab 1: Limit Overrun Race Conditions

Lab URL: https://portswigger.net/web-security/race-conditions/lab-race-conditions-limit-overrun
Objective: Purchase the Lightweight L33t Leather Jacket for an unintended price
Lab Credentials: wiener:peter
Note: Requires Burp Suite 2023.9 or higher to send parallel requests

Log in with your lab credentials, add the Lightweight L33t Leather Jacket to your cart and proceed to checkout. Explore the web application's functionality and make sure you apply your coupon. Now intercept the response and send it to Repeater more than 10 times. Right-click a tab in Repeater, use the option to group all the Repeater tabs, and select "Send group (parallel)". Add all the tabs to a single tab group, toggle the send button (the downward button) and make sure you have at least 30 Repeater tabs; just hit Ctrl+R on the intercepted request to replicate it. Hit "Send group (parallel)" and notice that you get the discount and a bill of something near twenty dollars. Since the shop has $50 credit, you should be able to make this purchase.
Once the purchase has been completed, you should have solved the lab.

Whitebox Testing

Lab 2: Diogenes' Rage

Lab URL: https://app.hackthebox.com/challenges/Diogenes'%2520Rage
Objective: Exploit a race condition to win a game unfairly or bypass business logic constraints
Lab Credentials: Login usually not required; interact directly with the web challenge
Note: Use Burp Suite or a custom script (e.g., Python + threading or ffuf) to trigger the race condition effectively

Let's start by examining the vulnerable code pattern we're trying to detect. The vulnerability exists inside web_diogenes_rage/challenge/routes/index.js, and the following code snippet causes the race condition. You could read the other files to understand how the web application, the database and the authentication work, but the core vulnerability resides inside routes/index.js:

    router.post('/api/coupons/apply', AuthMiddleware, async (req, res) => {
        return db.getUser(req.data.username)
            .then(user => {
                if (user.coupons.includes(coupon_code)) {
                    return res.status(401).send("Coupon already redeemed!");
                }
                // ... other logic ...
                db.setCoupon(user.username, coupon_code); // Race condition here!
            });
    });

The issue here is straightforward but dangerous: the application checks whether a user has already redeemed a coupon, then updates the database in a non-atomic operation. If a user sends multiple concurrent requests, they could redeem the same coupon multiple times before any check reflects the updated state.

Based on this vulnerability, let's write a Semgrep rule to detect it. If this is your first time hearing about this tool, fear not: Semgrep is used to detect vulnerabilities in code, and it uses YAML templates to describe them.
You can install semgrep on your machine and get started using this URL

Attempt 1: The Naive Await-Based Rule

My first instinct was to craft a rule looking for the await pattern:

    pattern: |
      async (req, res) => {
        const user = await $DB.getUser(...);
        if (!$CALL.includes(...)) {
          await $DB.addBalance(...);
        }
      }

This rule failed immediately because the target code used promise chains (.then()) rather than await. A reminder that we need to match the actual code structure, not just the logical flow.

Attempt 2: Overly Generic Promise Pattern

Next, I tried a more generic approach:

    pattern: |
      $DB.getUser($USERNAME).then($USER => {
        ...
      })

While this matched the structure better, it was far too broad. It would flag any database query followed by a promise chain, regardless of whether it represented a race condition. The signal-to-noise ratio would be unbearable in a real codebase.

Attempt 3: Syntax Errors with Ellipsis

My third attempt tried to be more specific about the vulnerable pattern:

    pattern: |
      $DB.getUser($USERNAME).then($USER => {
        ...
        if ($USER.coupons.includes($COUPON)) {
          ...
        }
        ...
        $DB.setCoupon(...);
      })

This rule failed with parsing errors. The ellipsis operator (...) in Semgrep can be tricky: it needs to be used in a way that preserves valid syntax in the target language.

The Winning Solution: Finding Balance

After several trials and attempts, I landed on a solution that works:

    rules:
      - id: race-condition-toctou-nodejs
        patterns:
          - pattern-inside: |
              $DB.getUser($USERNAME).then($USER => {
                ...
                if ($USER.coupons.includes($COUPON)) {
                  ...
                }
                ...
                $DB.setCoupon($USER.username, $COUPON);
              })
        message: "TOCTOU Race Condition: Non-atomic coupon redemption detected"
        languages: [javascript]
        severity: ERROR

Testing our semgrep rule:

Let's run the command below to scan index.js.
    ┌──(semgrep)─(kali㉿kali)-[~/Downloads/web_diogenes_rage/challenge]
    └─$ semgrep --config race-condition-toctou.yaml routes/index.js

    ┌──── ○○○ ────┐
    │ Semgrep CLI │
    └─────────────┘

Why This Rule Works

The rule uses pattern-inside to match within the specific callback scope, which avoids the syntax-related errors of the earlier attempt. It recognizes the exact sequence of operations that produces the vulnerability: first fetching the user data, then checking the coupon status, then executing a non-atomic update. The ellipsis operators are placed so that they stand for blocks of code without violating JavaScript syntax.

Real-World Considerations and Trade-offs

Our rule might flag legitimate code that has additional protections, such as:
- Implementations using database-level locks
- Code with custom synchronization mechanisms
- Transactions that make the operations atomic

False Negatives

Our rule will miss race conditions if:
- Different method names are used (e.g., updateCoupon instead of setCoupon)
- The code uses a different pattern to achieve the same functionality
- The race condition involves different resources or patterns

For example, this variant would slip through:

    db.updateUser(user.username, { coupons: [...user.coupons, coupon_code] }); // Not detected!

Further Improvements

Based on these limitations we have created one more rule that detects the vulnerability in code. Feel free to test it in a real environment and let me know whether it fails or detects vulnerabilities.

Exploitation:

To keep the blog short and concise, you can refer to this writeup (credit goes to the author), where you can read, understand and execute the Python script to get the flag.

The fix:

Here's how to patch the TOCTOU vulnerability in the /api/coupons/apply endpoint and harden the code against race conditions.
Step 1: Modify routes/index.js:

    router.post('/api/coupons/apply', AuthMiddleware, async (req, res) => {
        let transaction;
        try {
            // Start transaction
            transaction = await db.beginTransaction();

            // Get user WITH row lock (FOR UPDATE). The query must run on the
            // transaction's own connection, otherwise the lock is not held.
            let user = await db.getUserForUpdate(transaction, req.data.username);
            if (!user) {
                // Assumption: the existing helpers registerUser, addBalance and
                // setCoupon are extended to take the transaction's connection as
                // their first argument, so every statement runs inside it.
                await db.registerUser(transaction, req.data.username);
                user = { username: req.data.username, balance: 0.00, coupons: [] };
            }

            const { coupon_code } = req.body;
            if (!coupon_code) {
                await db.rollback(transaction);
                return res.status(400).json({ error: "Missing coupon code!" });
            }

            // Atomic check + update
            if (user.coupons.includes(coupon_code)) {
                await db.rollback(transaction);
                return res.status(400).json({ error: "Coupon already redeemed!" });
            }

            const coupon = await db.getCouponValue(coupon_code);
            if (!coupon) {
                await db.rollback(transaction);
                return res.status(404).json({ error: "Invalid coupon!" });
            }

            // Atomic operations
            await db.addBalance(transaction, user.username, coupon.value);
            await db.setCoupon(transaction, user.username, coupon_code);

            // Commit
            await db.commit(transaction);
            return res.json({ message: "Coupon redeemed successfully!" });
        } catch (error) {
            if (transaction) await db.rollback(transaction);
            console.error("Coupon redemption error:", error);
            return res.status(500).json({ error: "Internal server error" });
        }
    });

Key Changes:
- Uses database transactions to lock the user row (SELECT ... FOR UPDATE), with every statement issued on the transaction's connection.
- Performs check (includes) and updates (addBalance, setCoupon) atomically.

Step 2: Update Database Helper (database.js)

Add transaction support to your database module:

    // database.js
    class Database {
        async beginTransaction() {
            const conn = await this.pool.getConnection();
            await conn.query('START TRANSACTION');
            return conn;
        }

        async commit(conn) {
            await conn.query('COMMIT');
            conn.release();
        }

        async rollback(conn) {
            await conn.query('ROLLBACK');
            conn.release();
        }

        // Runs on the transaction's connection so the row lock is held until
        // COMMIT or ROLLBACK.
        async getUserForUpdate(conn, username) {
            const [user] = await conn.query(
                'SELECT * FROM users WHERE username = ? FOR UPDATE',
                [username]
            );
            return user;
        }

        // Existing methods: getUser, addBalance, setCoupon...
    }

Conclusion

Creating effective static analysis rules for race conditions is difficult yet ambitious work. The TOCTOU detection rule we created works properly as one element within a broader security framework. Semgrep is a strong security tool, although it takes thorough familiarity with both the target code patterns and the pattern syntax to use it well. Ongoing practice along with rule refinement will make your code analysis more efficient at identifying bugs that would otherwise slip into production. Until next time, keep exploring, feel free to try some labs on PortSwigger, play some CTFs from CTFtime, and keep hacking!
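The check-then-write race described for routes/index.js, and the effect of serializing access per user, as an added example that is not part of the original post or the challenge's code. FakeDb, withUserLock, the user name and the coupon are constructed stand-ins; the per-user queue models what a row lock (SELECT ... FOR UPDATE) provides.

```javascript
// Constructed in-memory stand-in for the database module. Every call yields
// to the event loop, as a real query round-trip would.
const delay = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

class FakeDb {
  constructor() {
    this.users = new Map(); // username -> { balance, coupons: [] }
    this.locks = new Map(); // username -> tail of that user's lock queue
  }
  register(username) {
    this.users.set(username, { balance: 0, coupons: [] });
  }
  async getUser(username) {
    await delay(5);
    const u = this.users.get(username);
    // Return a snapshot, as a SELECT would: later writes do not change it.
    return { username, balance: u.balance, coupons: [...u.coupons] };
  }
  async addBalance(username, value) {
    await delay(5);
    this.users.get(username).balance += value;
  }
  async setCoupon(username, code) {
    await delay(5);
    this.users.get(username).coupons.push(code);
  }
  // Models a row lock: callers for the same user run strictly one at a time.
  withUserLock(username, fn) {
    const tail = this.locks.get(username) || Promise.resolve();
    const run = tail.then(fn);
    // Keep the queue usable even if fn rejects.
    this.locks.set(username, run.catch(() => {}));
    return run;
  }
}

const COUPON = { code: "DEMO_COUPON", value: 1 }; // constructed values

// Same shape as the handler on the page: read, check, then write.
async function checkThenWrite(db, username, code) {
  const user = await db.getUser(username);
  if (user.coupons.includes(code)) return false; // "already redeemed"
  await db.addBalance(username, COUPON.value);
  await db.setCoupon(username, code);
  return true;
}

// Unprotected: concurrent calls all read the state before any write lands.
const redeemVulnerable = checkThenWrite;

// Protected: identical logic, but check and write happen under the user's lock.
function redeemLocked(db, username, code) {
  return db.withUserLock(username, () => checkThenWrite(db, username, code));
}

// Send `parallel` redemptions of one coupon at once and report the outcome.
async function fire(redeem, parallel) {
  const db = new FakeDb();
  db.register("demo_user");
  const results = await Promise.all(
    Array.from({ length: parallel }, () => redeem(db, "demo_user", COUPON.code))
  );
  const user = db.users.get("demo_user");
  return {
    accepted: results.filter(Boolean).length,
    balance: user.balance,
    couponRows: user.coupons.length,
  };
}

async function runDemo(parallel = 20) {
  return {
    vulnerable: await fire(redeemVulnerable, parallel),
    locked: await fire(redeemLocked, parallel),
  };
}

runDemo().then((r) => console.log(r));
```

The `accepted` count doubles as a regression check: any value above 1 for a single coupon means the check and the write are still separable.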
by HACKLIDO
2025-05-01 15:14:00
New Research Reveals: 95% of AppSec Fixes Don’t Reduce RiskFor over a decade, application security teams have faced a brutal irony: the more advanced the detection tools became, the less useful their results proved to be. As alerts from static analysis tools, scanners, and CVE databases surged, the promise of better security grew more distant. In its place, a new reality took hold—one defined by alert fatigue and overwhelmed teams. According to OX
by The Hacker News
2025-05-01 14:57:00
DarkWatchman, Sheriff Malware Hit Russia and Ukraine with Stealth and Nation-Grade TacticsRussian companies have been targeted as part of a large-scale phishing campaign that's designed to deliver a known malware called DarkWatchman. Targets of the attacks include entities in the media, tourism, finance and insurance, manufacturing, retail, energy, telecom, transport, and biotechnology sectors, Russian cybersecurity company F6 said. The activity is assessed to be the work of a
by The Hacker News
2025-05-01 14:42:16
A Cybersecurity Paradox: Even Resilient Organizations Are Blind to AI ThreatsOrganizations are underestimating the advanced technology's risks to the software supply chain, according to a new LevelBlue report.
by Dark Reading
2025-05-01 14:39:18
OSP Cyber Academy Cyber Awareness Courses Integrated into Bahraini School CurriculumOSP Cyber Academy today announced a strategic new partnership with Bahrain’s National Cyber Security Centre (NCSC) to deliver cyber safety education to 70,000 students across the Kingdom. The partnership introduces culturally tailored, gamified cyber awareness courses designed to enhance students’ understanding of digital citizenship and cyber security best practices. There are a total of four interactive […] The post OSP Cyber Academy Cyber Awareness Courses Integrated into Bahraini School Curriculum appeared first on IT Security Guru.
by IT Security Guru
2025-05-01 14:35:04
Co-op Hack Triggers Swift Cyber Response Amid Rising Retail ThreatsCo-op has confirmed that it was forced to shut down parts of its systems following an attempted cyber intrusion, raising fresh concerns over the growing wave of cyberattacks targeting the UK retail sector. The incident, which emerged late last week, reportedly disrupted access to some of Co-op’s backend systems and virtual desktops. While customer-facing services, […] The post Co-op Hack Triggers Swift Cyber Response Amid Rising Retail Threats appeared first on IT Security Guru.
by IT Security Guru
2025-05-01 14:00:00
When Threat Actors Behave Like Managed Service ProvidersHow one unreasonable client got lucky during a cyber incident, despite their unreasonable response to the threat.
by Dark Reading
2025-05-01 13:56:35
Think Twice Before Creating That ChatGPT Action FigurePeople are using ChatGPT’s new image generator to take part in viral social media trends. But using it also puts your privacy at risk—unless you take a few simple steps to protect yourself.
by WIRED Security News
2025-05-01 13:52:00
The default TV setting you should turn off ASAP - and why even experts do the sameOften regarded as the 'soap opera effect,' motion smoothing can enhance gaming and live sports, but tends to be distracting for everything else. Here's how to disable it.
by ZDNET Security
2025-05-01 13:48:14
Sophos Firewall v21.5: Entra ID SSO for Sophos ConnectHow to make the most of the new features in Sophos Firewall v21.5.
by Sophos News
2025-05-01 13:41:00
Commvault Confirms Hackers Exploited CVE-2025-3928 as Zero-Day in Azure BreachEnterprise data backup platform Commvault has revealed that an unknown nation-state threat actor breached its Microsoft Azure environment by exploiting CVE-2025-3928 but emphasized there is no evidence of unauthorized data access. "This activity has affected a small number of customers we have in common with Microsoft, and we are working with those customers to provide assistance," the company
by The Hacker News
2025-05-01 13:38:00
Harrods becomes latest UK retailer to fall victim to cyber attackHarrods confirms it is the latest UK retailer to experience a cyber attack, shutting off a number of systems in an attempt to lessen the impact
by ComputerWeekly
2025-05-01 13:13:56
Microsoft Readies Administrator Protection Option for Windows 11Microsoft's David Weston describes the new feature as the most significant architectural Windows security change in a generation.
by Dark Reading
2025-05-01 13:01:19
Thirteen new MCP servers from Cloudflare you can use todayYou can now connect to Cloudflare's first publicly available remote Model Context Protocol (MCP) servers from any MCP client that supports remote servers.
by Cloudflare
2025-05-01 13:00:21
MCP Demo Day: How 10 leading AI companies built MCP servers on CloudflareWe’re teaming up with Anthropic, Asana, Atlassian, Block, Intercom, Linear, PayPal, Sentry, Stripe, and Webflow to launch new remote MCP servers, built on Cloudflare, to enable Claude users to manage
by Cloudflare
2025-05-01 13:00:00
Putin's Cyberattacks on Ukraine Rise 70%, With Little EffectRussia's cyberattacks on Ukraine have increased dramatically, targeting the country's government and defense infrastructure.
by Dark Reading
2025-05-01 13:00:00
Emerson Electric achieves enhanced cyber readiness with HTBDiscover how HTB has helped the global leader in industrial automation solutions set a new standard for cybersecurity excellence.
by Hack The Box Blog
2025-05-01 12:35:00
Hack The Box and Exploit Labs forge strategic partnership to enhance cybersecurity skills developmentHere's everything you need to know about the partnership and upcoming CTF event.
by Hack The Box Blog
2025-05-01 12:14:24
Apple AirPlay SDK devices at risk of takeover—make sure you updateResearchers found a set of vulnerabilities that puts all devices leveraging Apple's AirPlay at risk.
by Malwarebytes Labs
2025-05-01 12:00:03
Your Vendors, Your Risk: Rethinking Third-Party Security in the Age of Supply Chain AttacksProtecting against supply chain cyber-attacks means safeguarding not just your network, but your customers’ trust. Learn why securing vendor relationships is essential in today’s threat landscape.
by Darktrace
2025-05-01 12:00:00
The evolving role of AI-generated media in shaping disinformation campaignsA methodological examination of how malicious actors exploit visual generative models The post The evolving role of AI-generated media in shaping disinformation campaigns appeared first on DFRLab.
by DFRLab
2025-05-01 11:54:00
Google pours billions into AI, cyber and infrastructure expansionThe tech giant's cloud profits more than doubled year over year as it invested more than $17 billion, primarily in servers and data centers.
by Cybersecurity Dive
2025-05-01 11:52:00
SonicWall Confirms Active Exploitation of Flaws Affecting Multiple Appliance ModelsSonicWall has revealed that two now-patched security flaws impacting its SMA100 Secure Mobile Access (SMA) appliances have been exploited in the wild. The vulnerabilities in question are listed below - CVE-2023-44221 (CVSS score: 7.2) - Improper neutralization of special elements in the SMA100 SSL-VPN management interface allows a remote authenticated attacker with administrative privilege to
by The Hacker News
2025-05-01 11:41:00
Signalgate: Learnings for CISOs securing enterprise dataA leak of information on American military operations caused a major political incident in March 2025. The Security Think Tank considers what can CISOs can learn from this potentially fatal error.
by ComputerWeekly
2025-05-01 11:31:00
Co-op instructs staff to be wary of lurking hackersCo-op tells staff to stop using their VPNs and be wary that their communications channels may be being monitored, as a cyber attack on the organisation continues to develop
by ComputerWeekly
2025-05-01 11:17:06
The 3 biggest cybersecurity threats to small businessesThese 3 cybersecurity threats may not be the most sophisticated, but they're the most effective—and serious—threats for small businesses.
by Malwarebytes Labs
2025-05-01 11:00:21
How to disable ACR on your TV (and why it makes such a big difference for privacy)Smarter TV operating systems bring added convenience - but also new privacy concerns, especially from automatic content recognition (ACR), which quietly tracks everything you watch.
by ZDNET Security
2025-05-01 10:29:29
Zero-day attacks on browsers and smartphones drop, says GoogleCybercriminals are having less success targeting end-user technology with zero-day attacks, said Google's security team this week.
by Malwarebytes Labs
2025-05-01 10:12:01
Secure by Design vs. DevSecOps: Same Security Goal, Different PathsWhile both secure by design and DevSecOps aim to integrate security into software development, they differ in their approach. Here's how.
by ITPro Today
2025-05-01 10:00:50
State-of-the-art phishing: MFA bypassThreat actors are bypassing MFA with adversary-in-the-middle attacks via reverse proxies. Phishing-as-a-Service tools like Evilproxy make these threats harder to detect.
by Cisco Talos Blog
2025-05-01 09:20:01
World Password Day 2025: Rethinking Security in the Age of MFA and PasskeysDespite the rising use of biometrics, passkeys, and identity-based threat detection tools, one thing remains clear: passwords continue to be the frontline defence for digital access and often, the weakest link. Tomorrow is World Password Day, and cybersecurity experts are warning that while passwords are here for now, how we manage them needs to change […] The post World Password Day 2025: Rethinking Security in the Age of MFA and Passkeys appeared first on IT Security Guru.
by IT Security Guru
2025-05-01 09:00:00
5 things to do on World Password Day to keep your accounts safeWith password best practices continuing to evolve, now's a good time for a refresher. Consider this your annual cybersecurity to-do list.
by ZDNET Security
2025-05-01 09:00:00
RAG can make AI models riskier and less reliable, new research showsAccording to Bloomberg's AI researchers, the increasingly popular framework can vastly increase your chances of getting dangerous answers. What can you do?
by ZDNET Security
2025-05-01 07:00:00
North Korea Stole Your JobFor years, North Korea has been secretly placing young IT workers inside Western companies. With AI, their schemes are now more devious—and effective—than ever.
by WIRED Security News
2025-05-01 04:00:00
Secure AI-Generated Code at Speed with Snyk and ServiceNowExplore the security risks of AI-generated code and how Snyk & ServiceNow offer AI-powered developer security integrated with enterprise workflows for effective remediation.
by Snyk
2025-05-01 01:00:00
Billbug Expands Cyber-Espionage Campaign in Southeast AsiaThe China-linked cyber-operations group, better known as Lotus Panda, uses its own custom malware to focus on government agencies and private companies in Hong Kong, the Philippines, Taiwan, and Vietnam.
by Dark Reading
2025-05-01 00:40:49
The best secure browsers for privacy in 2025: Expert testedIf you want a browser focused on security, you must know its approach to privacy and data collection. These are the best secure browsers of 2025.
by ZDNET Security
2025-05-01 00:00:00
[local] Microsoft - NTLM Hash Disclosure Spoofing (library-ms)Microsoft - NTLM Hash Disclosure Spoofing (library-ms)
by Exploit DB
2025-05-01 00:00:00
[local] ZTE ZXV10 H201L - RCE via authentication bypassZTE ZXV10 H201L - RCE via authentication bypass
by Exploit DB
2025-05-01 00:00:00
[local] Daikin Security Gateway 14 - Remote Password ResetDaikin Security Gateway 14 - Remote Password Reset
by Exploit DB
2025-05-01 00:00:00
[local] Microsoft Windows - XRM-MS File NTLM Information Disclosure SpoofingMicrosoft Windows - XRM-MS File NTLM Information Disclosure Spoofing
by Exploit DB
2025-05-01 00:00:00
RSAC 2025 Expo Recap: Goats, Puppies, and Threat IntelligenceThere was much to see at RSAC 2025. Read the recap about a few highlights from the expo floor.
by Recorded Future
2025-05-01 00:00:00
TerraStealerV2 and TerraLogger: Golden Chickens' New Malware Families DiscoveredInsikt Group reveals two emerging malware strains—TerraStealerV2 and TerraLogger—linked to Golden Chickens, a threat actor behind credential theft and keylogging MaaS platforms. Learn how these tools operate and evolve.
by Recorded Future
2025-05-01 00:00:00
Why the WAFIn my experience, most organizations are prepared to discuss the scope of penetration tests when preparing for an External or Internal Penetration Test, but when it comes time to discuss specifics about a web…
by TrustedSec
2025-05-01 00:00:00
ZDI-25-282: Webmin CRLF Injection Privilege Escalation VulnerabilityThis vulnerability allows remote attackers to escalate privileges on affected installations of Webmin. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 8.8. The following CVEs are assigned: CVE-2025-2774.
by Zero Day Initiative Advisories
2025-05-01 00:00:00
ZDI-25-281: Cisco IOS XE SNMP SET cewProxyClass Stack-based Buffer Overflow Remote Code Execution VulnerabilityThis vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco IOS XE. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 8.8. The following CVEs are assigned: CVE-2025-20175.
by Zero Day Initiative Advisories
2025-05-01 00:00:00
ZDI-25-280: Cisco IOS XE SNMP GET-NEXT ciscoFlashChipCode Unexpected Sign Extension Denial-of-Service VulnerabilityThis vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Cisco IOS XE. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 6.5. The following CVEs are assigned: CVE-2025-20170.
by Zero Day Initiative Advisories
2025-05-01 00:00:00
ZDI-25-279: Cisco IOS XE SNMP GET-NEXT cContextMappingBridgeDomainIdentifier Buffer Overflow Remote Code Execution VulnerabilityThis vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco IOS XE. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 8.8. The following CVEs are assigned: CVE-2025-20173.
by Zero Day Initiative Advisories
2025-05-01 00:00:00
ZDI-25-278: Cisco IOS XE SNMP GET-NEXT ctspIpSgtValue Stack-based Buffer Overflow Remote Code Execution VulnerabilityThis vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco IOS XE. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 8.8. The following CVEs are assigned: CVE-2025-20176.
by Zero Day Initiative Advisories
2025-05-01 00:00:00
ZDI-25-277: Cisco IOS XE SNMP SET cewEventTime Stack-based Buffer Overflow Remote Code Execution VulnerabilityThis vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco IOS XE. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 8.8. The following CVEs are assigned: CVE-2025-20175.
by Zero Day Initiative Advisories
2025-05-01 00:00:00
ZDI-25-276: Cisco IOS XE SNMP GET-NEXT cilmCurrentImageLevel Stack-based Buffer Overflow Remote Code Execution VulnerabilityThis vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco IOS XE. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.5. The following CVEs are assigned: CVE-2025-20174.
by Zero Day Initiative Advisories
2025-05-01 00:00:00
ZDI-25-275: Cisco IOS XE SNMP GET-NEXT callHomeUserDefCmdName Unexpected Sign Extension Denial-of-Service VulnerabilityThis vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Cisco IOS XE. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 6.5. The following CVEs are assigned: CVE-2025-20171.
by Zero Day Initiative Advisories
2025-05-01 00:00:00
ZDI-25-274: Cisco IOS XE SNMP OID Handling Out-Of-Bounds Read Denial-of-Service VulnerabilityThis vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Cisco IOS XE. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 4.3. The following CVEs are assigned: CVE-2025-20172.
by Zero Day Initiative Advisories
2025-05-01 00:00:00
ZDI-25-273: Cisco IOS XE SNMP OID Handling Out-Of-Bounds Read Denial-of-Service VulnerabilityThis vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Cisco IOS XE. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 4.3. The following CVEs are assigned: CVE-2025-20172.
by Zero Day Initiative Advisories
2025-05-01 00:00:00
ZDI-25-272: Cisco IOS XE SNMP OID Handling Out-Of-Bounds Read Denial-of-Service VulnerabilityThis vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Cisco IOS XE. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 4.3. The following CVEs are assigned: CVE-2025-20172.
by Zero Day Initiative Advisories
2025-05-01 00:00:00
ZDI-25-271: Cisco IOS XE SNMP OID Handling Out-Of-Bounds Read Denial-of-Service VulnerabilityThis vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Cisco IOS XE. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 4.3. The following CVEs are assigned: CVE-2025-20172.
by Zero Day Initiative Advisories
2025-05-01 00:00:00
ZDI-25-270: Cisco IOS XE SNMP GET-NEXT ciscoFlashFileSize Unexpected Sign Extension Denial-of-Service VulnerabilityThis vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Cisco IOS XE. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 6.5. The following CVEs are assigned: CVE-2025-20169.
by Zero Day Initiative Advisories
2025-05-01 00:00:00
ZDI-25-269: (Pwn2Own) Synology BeeStation BST150-4T Unnecessary Privileges Remote Code Execution VulnerabilityThis vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Synology BeeStation BST150-4T devices. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 5.3. The following CVEs are assigned: CVE-2024-10445.
by Zero Day Initiative Advisories
2025-04-30 22:39:34
Cisco Boosts XDR Platform, Splunk With Agentic AICisco joins the agentic AI wave with the introduction of advanced LLMs to autonomously verify and investigate attacks.
by Dark Reading
2025-04-30 21:54:59
Alleged ‘Scattered Spider’ Member Extradited to U.S.A 23-year-old Scottish man thought to be a member of the prolific Scattered Spider cybercrime group was extradited last week from Spain to the United States, where he is facing charges of wire fraud, conspiracy and identity theft. U.S. prosecutors allege Tyler Robert Buchanan and co-conspirators hacked into dozens of companies in the United States and abroad, and that he personally controlled more than $26 million stolen from victims.
by Krebs on Security
2025-04-30 21:48:06
Prolific RansomHub Operation Goes DarkThe chat infrastructure and data-leak site of the notorious ransomware-as-a-service group has been inactive since March 31, according to security vendors.
by Dark Reading
2025-04-30 21:39:14
Former CISA Head Slams Trump Admin Over 'Loyalty Mandate'Jen Easterly, former director of CISA, discussed the first 100 days of the second Trump administration and criticized the president's "mandate for loyalty" during a panel at RSAC 2025.
by Dark Reading
2025-04-30 21:29:00
Researchers Demonstrate How MCP Prompt Injection Can Be Used for Both Attack and DefenseAs the field of artificial intelligence (AI) continues to evolve at a rapid pace, fresh research has found how techniques that render the Model Context Protocol (MCP) susceptible to prompt injection attacks could be used to develop security tooling or identify malicious tools, according to a new report from Tenable. MCP, launched by Anthropic in November 2024, is a framework designed to connect
by The Hacker News
2025-04-30 21:02:09
Adversaries Are Toying With US Networks & DC Is Short on AnswersWhile nation-state actors are demonstrating how easily they can infiltrate US networks, government officials don't seem to have a clear vision for what comes next.
by Dark Reading
2025-04-30 20:42:18
Cybercriminals Impersonate DHS Amid Deportation EffortsResearchers at INKY warn that criminals are impersonating the US Department of Homeland Security to launch phishing scams.
by KnowBe4
2025-04-30 20:41:50
A Sneaky T-Mobile Scam and Lessons That Were LearnedA friend of mine got a call on his phone and he regrettably picked it up. The number was 267-332-3644. The area code is from Bucks County, PA, where he used to live many years ago.
by KnowBe4
2025-04-30 20:41:26
Researchers Warn of Surge in Infostealers Delivered Via PhishingThe number of infostealers delivered via phishing emails increased by 84% last year, according to a new report from IBM’s X-Force researchers. Threat actors are using these malware strains to steal credentials for use in follow-on attacks.
by KnowBe4
2025-04-30 20:35:36
TheWizards APT Casts a Spell on Asian Gamblers With Novel AttackA SLAAC-spoofing, adversary-in-the-middle campaign is hiding the WizardNet backdoor malware inside updates for legitimate software and popular applications.
by Dark Reading
2025-04-30 19:08:33
AI Code Hallucinations Increase the Risk of ‘Package Confusion’ AttacksA new study found that code generated by AI is more likely to contain made-up information that can be used to trick software into interacting with malicious code.
by WIRED Security News
2025-04-30 18:01:17
Apple notifies new victims of spyware attacks across the world
Two alleged victims came forward claiming they received a spyware notification from Apple.
by TechCrunch
2025-04-30 17:54:02
Threat Groups Aren’t Developing New Attack Vectors with GenAI: RSAC Presentation
Nation-state threat actors are using generative AI tools to refine their attack techniques, but they aren’t yet using GenAI to create new attack vectors, according to a presentation at this week’s RSAC Conference that offered insight into how hackers are using GenAI tools.
“Our analysis shows that while AI is a useful tool for common tasks, we haven’t yet seen indications of adversaries developing any fundamentally new attack vectors with these models,” Sandra Joyce, VP for Google Threat Intelligence, told the RSAC 2025 Conference. “Ultimately attackers are using GenAI the way many of us are, as a productivity tool. They help to brainstorm, to refine their work, that sort of thing.”
The role of AI in cybersecurity was a key topic in well over 100 sessions at the annual RSAC Conference, which became independent from security vendor RSA in 2022 and rebranded as RSAC this year.
Iran, China and North Korea Threat Groups are Biggest GenAI Users
Joyce said APT groups from more than 20 countries accessed Google’s public Gemini GenAI services. Iranian threat actors were the heaviest users, and Google also saw “notable activity” from China and North Korea-linked threat actors. Guardrails and security measures restricted adversarial capabilities, Joyce said, and more malicious requests generated safety responses from Gemini.
Threat actors are using Gemini’s GenAI capabilities for four attack phases in particular, she said. Those attack phases are: reconnaissance, vulnerability research, malicious scripting, and evasion techniques.
“These are existing attack phases being made more efficient, not fundamentally new AI-driven attacks,” she said.
Joyce didn’t say how Google was able to correlate Gemini use with specific threat groups, but she gave several examples of how nation-state threat actors are using GenAI tools.
Iranian advanced persistent threat (APT) groups used Gemini to research “specific defense systems,” seeking information on topics such as unmanned aerial vehicles, jamming F-35 fighter jets, anti-drone systems, and Israel’s missile defense systems. North Korean APT actors researched nuclear technology and power plants in South Korea, including location and information on the security status of specific plants.
Threat actors are also using GenAI for help with malware development. A North Korean APT group used Gemini for assistance developing code for sandbox evasion and to detect VM environments.
Threat groups are also using GenAI to develop phishing lures and campaigns, including seeking help with translation and localization, such as requests for “fluent specific colloquial English,” Joyce said. Developing personas to make phishing campaigns more convincing is another APT use.
GenAI Helps Cybersecurity Defenders Too
Joyce said a number of effective security use cases are also making GenAI useful to security teams. She cited vulnerability detection, incident workflows, malware analysis and fuzzing as some defensive GenAI use cases.
Also at the conference, Jeetu Patel, Cisco Executive Vice President and Chief Product Officer, unveiled the Foundation AI security model, an open source alerting and workflow Large Language Model (LLM) that was purpose-built for security. The Foundation AI base model is currently available on Hugging Face, and a multi-step reasoning model will be released soon, Patel said.
by The Cyber Express
2025-04-30 17:23:29
Sick of AI slop on Pinterest? These two new features should help bring back real pins
Pinterest has a plan to fix its AI mess.
by ZDNET Security
2025-04-30 17:02:55
Where malware likes to hide the most
We’ve identified the most common locations where malware hides—so you don’t have to.
by ThreatDown
2025-04-30 16:56:00
[Free Webinar] Guide to Securing Your Entire Identity Lifecycle Against AI-Powered Threats
How Many Gaps Are Hiding in Your Identity System? It’s not just about logins anymore. Today’s attackers don’t need to “hack” in—they can trick their way in. Deepfakes, impersonation scams, and AI-powered social engineering are helping them bypass traditional defenses and slip through unnoticed. Once inside, they can take over accounts, move laterally, and cause long-term damage—all without
by The Hacker News
2025-04-30 16:35:00
Chinese Hackers Abuse IPv6 SLAAC for AitM Attacks via Spellbinder Lateral Movement Tool
A China-aligned advanced persistent threat (APT) group called TheWizards has been linked to a lateral movement tool called Spellbinder that can facilitate adversary-in-the-middle (AitM) attacks. "Spellbinder enables adversary-in-the-middle (AitM) attacks, through IPv6 stateless address autoconfiguration (SLAAC) spoofing, to move laterally in the compromised network, intercepting packets and
by The Hacker News
2025-04-30 15:57:50
'Digital Twins' Bring Simulated Security to the Real World
By simulating business environments or running software while incorporating real-time data from production systems, companies can model the impact of software updates, exploits, or disruptions.
by ITPro Today
2025-04-30 15:55:51
Keeper Security Enhances Browser Extension With New Autofill Controls, PAM Support And Snapshot Tool
Keeper Security has announced the launch of its Browser Extension 17.1. The significant update to Keeper’s award-winning cybersecurity software brings enhanced autofill customisation to its browser extension, along with expanded PAM capabilities and a new AI-powered tool to improve issue resolution. Keeper Security CTO and Co-founder Craig Lurey: “At Keeper, we’re relentless in our mission […]
by IT Security Guru
2025-04-30 15:54:00
Customer Account Takeovers: The Multi-Billion Dollar Problem You Don’t Know About
Everyone has cybersecurity stories involving family members. Here’s a relatively common one. The conversation usually goes something like this: “The strangest thing happened to my streaming account. I got locked out of my account, so I had to change my password. When I logged back in, all my shows were gone. Everything was in Spanish and there were all these Spanish shows I’ve never seen
by The Hacker News
2025-04-30 15:50:00
Nebulous Mantis Targets NATO-Linked Entities with Multi-Stage Malware Attacks
Cybersecurity researchers have shed light on a Russian-speaking cyber espionage group called Nebulous Mantis that has deployed a remote access trojan called RomCom RAT since mid-2022. RomCom "employs advanced evasion techniques, including living-off-the-land (LOTL) tactics and encrypted command and control (C2) communications, while continuously evolving its infrastructure – leveraging
by The Hacker News
2025-04-30 15:45:00
RansomHub Went Dark April 1; Affiliates Fled to Qilin, DragonForce Claimed Control
Cybersecurity researchers have revealed that RansomHub's online infrastructure has "inexplicably" gone offline as of April 1, 2025, prompting concerns among affiliates of the ransomware-as-a-service (RaaS) operation. Singaporean cybersecurity company Group-IB said that this may have caused affiliates to migrate to Qilin, given that "disclosures on its DLS [data leak site] have doubled since
by The Hacker News
2025-04-30 15:41:10
The Rising Threat of Social Engineering: How Today's Phishing Scams Are Exploiting Trust
Cybercriminals are increasingly leveraging AI-generated phishing and social engineering tactics. Here are six ways organizations can defend against such attacks.
by ITPro Today
2025-04-30 15:37:39
Debunking Security 'Myths' to Address Common Gaps
Dan Gorecki and Scott Brammer's interactive session during RSAC Conference 2025 encouraged security professionals to rethink their security postures and address evolving and emerging risks.
by Dark Reading
2025-04-30 15:37:04
Salt Security Launches the First MCP Server to Revolutionise API Security in the Age of AI
API security pros Salt Security have announced the launch of the Salt Model Context Protocol (MCP) Server at RSAC 2025, giving enterprise teams a novel access point of interaction with their API infrastructure, leveraging natural language and artificial intelligence (AI). Built on the open MCP standard, Salt’s MCP Server enables AI agents to discover, understand, and analyse […]
by IT Security Guru
2025-04-30 15:29:38
SOCRadar Launches AI-Powered Cybersecurity Assistant ‘Copilot’
At RSAC 2025, SOCRadar have unveiled SOCRadar Copilot, an AI-powered cybersecurity assistant designed to enhance platform efficiency, share knowledge and insights, and automate routine security operations. It will help time-strapped security teams to streamline security processes and reporting, all while continuously learning, adapting and evolving to help security teams be proactive and future-proof their defences […]
by IT Security Guru
2025-04-30 15:25:00
Is the Investigatory Powers Tribunal powerless?
Five judges have found the Investigatory Powers Tribunal has no statutory powers to impose financial sanctions against police and intelligence services. Their findings raise significant and serious concerns about the integrity of our legal system.
by ComputerWeekly
2025-04-30 15:18:14
Phishers Take Advantage of Iberian Blackout Before It's Even Over
Opportunistic threat actors targeted Portuguese and Spanish speakers by spoofing Portugal's national airline in a campaign offering compensation for delayed or disrupted flights.
by Dark Reading
2025-04-30 15:15:00
I tested 10 AI content detectors - and these 5 correctly identified AI text every time
I've been testing AI content detectors for two years now. They're getting more and more reliable.
by ZDNET Security
2025-04-30 15:11:57
Q&A – Securely Yours: An Agony Aunt’s Guide to Surviving Cyber
What happens when two titans of cybersecurity (Rebecca Taylor, Threat Intelligence Knowledge Manager and Researcher at Secureworks, a Sophos company, and Amelia Hewitt, Founder of CybAid and Managing Director at Hewitt Partnerships) join forces to write a book? Securely Yours: An Agony Aunt’s Guide to Surviving Cyber! Securely Yours is a practical Agony Aunt-style guide […]
by IT Security Guru
2025-04-30 15:02:10
Ransomware in March 2025
March 2025 saw a huge number of ransomware attacks, and the Pennsylvania State Education Association quietly notify over 500,000 current and former teachers that hackers infiltrated its networks last year.
by ThreatDown
2025-04-30 15:01:42
A Shift From Browsers to Enterprise Targets: 2024 Zero-Day Exploitation Analysis
Google's Threat Intelligence Group (GTIG) released its annual analysis of zero-day exploitation, detailing how 2024 saw attackers increasingly target enterprise software and infrastructure over traditional consumer platforms like browsers and mobile devices. While the total number of zero-days dropped from 98 in 2023 to 75 in 2024, the data points to a continued evolution in adversary behavior and more sophisticated targeting of enterprise tech stacks.
[Figure. Source: Google Threat Intelligence Group]
Enterprise Tool Attacks Hit Record
Enterprise software and networking appliances accounted for 44% of all zero-day vulnerabilities exploited in 2024—a record high. GTIG reported that threat actors gravitated toward products like VPNs, security gateways, and cloud infrastructure tools, recognizing their privileged position in organizational networks and their potential to bypass endpoint detection.
Among the most targeted were products from Ivanti, Palo Alto Networks, and Cisco. Exploits in these systems typically allowed for remote code execution or privilege escalation, often requiring no exploit chain. This shift signals a widening threat surface for enterprise defenders and points to attackers optimizing for high-impact intrusions with minimal exposure.
[Figure: Number of unique enterprise vendors targeted (Source: Google Threat Intelligence Group)]
In a notable twist, security software itself emerged as a frequent target. GTIG observed 20 zero-days exploited in networking and security tools—over 60% of all enterprise-specific zero-days. These tools are highly attractive because they're deeply embedded in the infrastructure they protect and are often not monitored by traditional endpoint detection and response (EDR) tools.
Vulnerabilities in these products can give attackers immediate high-privilege access, GTIG warned. The report called for EDR vendors to adapt their visibility strategies to account for these increasingly targeted platforms.
End-User Platforms: A Relative Decline
Although end-user technologies still made up the majority of zero-day activity (56%), GTIG saw a significant drop in exploitation for browsers and mobile platforms. Chrome remained the most targeted browser, but attacks fell by nearly a third. Mobile zero-day usage halved from the previous year.
In contrast, Windows exploitation rose again—22 zero-days were tracked in Microsoft's OS, up from 16 the previous year. With Windows still ubiquitous in enterprise and home environments, threat actors continue to find value in chaining privilege escalation bugs and kernel exploits.
[Figure: Zero-days in end-user products in 2023 and 2024 (Source: Google Threat Intelligence Group)]
The Players Behind the Exploits
State-sponsored espionage remains the primary driver behind zero-day use, accounting for over 50% of all attributed cases. PRC-affiliated actors exploited five zero-days, primarily in Ivanti appliances, in complex campaigns like one executed by UNC5221. North Korean groups, meanwhile, tied with China for the first time, also exploiting five zero-days. These campaigns often blended espionage with financially motivated attacks, such as ad fraud and ransomware precursors.
Commercial surveillance vendors (CSVs) like Cellebrite continued to play a major role, especially in physical-access attack chains. Although GTIG noted fewer CSV-attributed zero-days than in 2023, the researchers attributed this decline to improved operational security rather than reduced activity.
Most Attacked Vulnerability Types
Three vulnerability types led the charts in 2024: use-after-free, command injection, and cross-site scripting. Many of these were tied to core enterprise tools, suggesting attackers are deliberately seeking out systemic weaknesses.
Google's report took CVE-2024-44308 and CVE-2024-44309 as key examples—used together in a WebKit exploit chain to steal authentication cookies from government users visiting compromised websites. In another case, the CIGAR threat group leveraged CVE-2024-49039 in Firefox to escalate privileges from a sandboxed browser process all the way to SYSTEM.
What's Ahead
GTIG expects enterprise product targeting to grow even further in 2025. The report urges vendors of business infrastructure and security software to invest in secure-by-design principles, embrace zero-trust architectures, and harden remote access pathways.
More broadly, Google says zero-day prevention isn't just about patching quickly. It involves proactive mitigation strategies, tighter access controls, and architectural decisions that limit blast radius if a vulnerability is exploited.
Attackers are learning what defenders overlook, the report concludes. The industry needs to evolve to defend not just endpoints, but the systems that secure them. For those keeping score, zero-days may have dropped in volume this year, but they got smarter, stealthier, and a whole lot more dangerous for the enterprise world.
by The Cyber Express
2025-04-30 14:35:00
OpenAI recalls GPT-4o update for being too agreeable
Users complained GPT-4o was too 'sycophantic.' Here's why and what happens now.
by ZDNET Security
2025-04-30 14:21:41
DHS Boss Noem Vows to Get CISA Back 'On Mission'
Secretary Noem asks the cybersecurity community to get in touch with CISA to help reshape the agency to focus on finding efficiencies.
by Dark Reading
2025-04-30 14:00:00
Intercepting Traffic for Mobile Applications that Bypass the System Proxy
This is a foolproof guide to intercepting traffic from mobile applications built on Flutter, which historically have been especially challenging to intercept.
by Black Hills Information Security
2025-04-30 14:00:00
Bringing streamable HTTP transport and Python language support to MCP servers
We're continuing to make it easier for developers to bring their services into the AI ecosystem with the Model Context Protocol (MCP) with two new updates.
by Cloudflare
2025-04-30 13:56:29
Fake Social Security Statement emails trick users into installing remote tool
Fake emails pretending to come from the US Social Security Administration try to get targets to install ScreenConnect for remote access.
by Malwarebytes Labs
2025-04-30 13:50:51
DARPA Highlights Critical Infrastructure Security Challenges
Leaders at federal research organizations DARPA, ARPA-I, and ARPA-H discussed the myriad obstacles in addressing critical infrastructure security at RSAC Conference 2025.
by Dark Reading
2025-04-30 13:50:32
UK retail giant Co-op warns of disruption as it battles cyberattack
The U.K. grocery and retail giant said the unspecified cyber incident is affecting its back office and call centers.
by TechCrunch
2025-04-30 13:43:50
Agent of Chaos: Hijacking NodeJS’s Jenkins Agents
Relationships are complicated. When multiple DevOps platforms work together to execute pipelines for a single GitHub repository, it begs the question: Do these platforms get along? Node.js, the most popular JavaScript runtime in the world, uses a set of triplets to execute its CI/CD pipelines: a GitHub App, GitHub Actions workflows, and Jenkins pipelines. Like […]
by Praetorian
2025-04-30 13:29:33
Creating a strong and easy-to-remember password | Kaspersky official blog
World Password Day: tips for creating unique and strong passwords, how to best remember them, and what neural networks have to do with this.
by Kaspersky
2025-04-30 13:00:00
From days to hours: How Barracuda Managed XDR supercharges email protection for busy IT teams
IT admins need a safety net. Extended detection and response platforms, particularly those that are backed by a 24/7 security operations center, can provide one.
by Barracuda
2025-04-30 12:54:56
Exploring the State of AI in Cyber Security: Past, Present, and Future
Artificial intelligence is rapidly reshaping the cyber security landscape—but how exactly is it being used, and what risks does it introduce? At Check Point Research, we set out to evaluate the current AI security environment by examining real-world threats, analyzing how researchers and attackers are leveraging AI, and assessing how today’s security tools are evolving […]
by Check Point Research
2025-04-30 12:41:07
Analyzing LummaStealer’s FakeCAPTCHA Delivery Tactics
Paste, Click, Compromised
by Binary Defense
2025-04-30 12:38:00
Meta Launches LlamaFirewall Framework to Stop AI Jailbreaks, Injections, and Insecure Code
Meta on Tuesday announced LlamaFirewall, an open-source framework designed to secure artificial intelligence (AI) systems against emerging cyber risks such as prompt injection, jailbreaks, and insecure code, among others. The framework, the company said, incorporates three guardrails, including PromptGuard 2, Agent Alignment Checks, and CodeShield. PromptGuard 2 is designed to detect direct
by The Hacker News
2025-04-30 12:37:11
Drag and Pwnd: Leverage ASCII characters to exploit VS Code
Control characters like SOH, STX, EOT and ETX were never meant to run your code - but in the world of modern terminal emulators, they sometimes do. In this post, I'll dive into the forgotten mechanics
by PortSwigger Research
2025-04-30 11:07:00
Current SaaS delivery model a risk management nightmare, says CISO
JPMorgan Chase security chief Patrick Opet laments the state of SaaS security in an open letter to the industry and calls on software providers to do more to enhance resilience
by ComputerWeekly
2025-04-30 11:00:00
MCP Prompt Injection: Not Just For Evil
MCP tools are implicated in several new attack techniques. Here's a look at how they can be manipulated for good, such as logging tool usage and filtering unauthorized commands.
Background
Over the last few months, there has been a lot of activity in the Model Context Protocol (MCP) space, both in terms of adoption as well as security. Developed by Anthropic, MCP has been rapidly gaining traction across the AI ecosystem. MCP allows Large Language Models (LLMs) to interface with tools and for those interfaces to be rapidly created. MCP tools allow for the rapid development of “agentic” systems, or AI systems that autonomously perform tasks.
Beyond adoption, new attack techniques have been shown to allow prompt injection via MCP tool descriptions and responses, MCP tool poisoning, rug pulls and more.
Prompt Injection is a weakness in LLMs that can be used to elicit unintended behavior, circumvent safeguards and produce potentially malicious responses. Prompt injection occurs when an attacker instructs the LLM to disregard other rules and do the attacker’s bidding. In this blog, I show how to use techniques similar to prompt injection to change the LLM’s interaction with MCP tools. Anyone conducting MCP research may find these techniques useful.
Experiments with MCP
For my research, I used the 5ire client because it makes it incredibly simple to switch out and restart MCP servers and switch between LLMs. In 5ire, I can easily configure our MCP servers (for this test case, I’ve already configured the reference MCP weather server):
[Image: Tenable Research using the 5ire client, April 2025]
Anatomy of an MCP server
Let’s talk about how an MCP server is written and configured. First, we define a simple MCP server in Python with FastMCP. The FastMCP library makes it fairly simple to get up and running with MCP.
I can use this framework to develop several different servers and tools for my experiments. Now that I’ve got the framework, I’ll create a tool.
Now that I know how to create a simple tool in Python, let’s see what else I can do.
Logging tool use
Multiple MCP servers can be configured in an MCP host and each server can have multiple tools. As I was exploring this new technology, I wondered if there was a way to log all tool calls across configured MCP servers. This is doable at the MCP host level or via each MCP server, but I asked myself: why not find another way? I wanted to log all MCP tool calls that the host makes, so I decided to see if I could create a tool that would insert itself before any other tool calls and log information about those tool calls.
Let’s break down the above MCP tool:
I start out with a decorator from FastMCP (1) to indicate this is an MCP tool.
Then I define the function (2) with all of the parameters I want. The function name and parameters are exposed to the LLM and the LLM is intelligent enough to infer how to populate them.
Next is the description (3). This is the meat of the tool, instructing the LLM to insert this tool before any other tool call. You can read through the parameters and what I’m trying to accomplish. It may seem a little repetitive, but this is the current iteration that seems to work well across different models.
Then, I write it to a file (4). I could use Python’s ‘logger’ here, but I had issues getting that working with the MCP clients we used. In most of our testing, it wasn’t easy to get anything written to stdout, so we chose logging to a file instead.
Finally, we return a nice message thanking the AI and passing the name of the actual tool to run (5).
In testing, some models had no problem inserting the tool before any other tool call. Some did it sporadically, while others did not unless we asked about it.
[Image. Source: Tenable Research, April 2025]
As the image above shows, the LLM runs the logging tool just before it runs the weather tool I requested. The logging tool then logs information about the tool it was asked to run, including the MCP server name, MCP tool name and description, and the user prompt that caused the LLM to try to run that tool. In this case, it actually logs twice, but I wasn’t able to investigate why.
Tool filtering / firewall
Using the same method, I can block unapproved tools from running.
Here I’m using the same technique to run prior to other tool calls. In this case I’m simply looking for the tool name to match a string `get_alerts`. If it matches, I tell the LLM not to run the tool. Sometimes it respects this!
[Image. Source: Tenable Research, April 2025]
MCP introspection
This method of using the tool description block to ask the LLM to run this tool before other tools could clearly be abused. Can I use a similar technique to find out about other tools in use that ask for a similar hierarchy? I give it a try:
Note that I’m logging to the same log file so that it’s easier to see what’s happening. In a real world scenario, these tools would likely log to separate files.
[Image. Source: Tenable Research, April 2025]
Here we can see that log_other_inline_tools runs after the logging tool in this case. The tool then logs the other “inline” tool that the LLM is aware of. It then lists the other available tools.
Can this technique be used to extract the LLM system prompt?
Maybe. Here’s what I tried:
You can see in the return value that I tried to trick the model further by giving it a score at the end, so maybe it’ll think I’m really doing some sort of analysis.
[Images. Source: Tenable Research, April 2025]
It seems like the LLM models vary between something realistic and complete hallucination. Remember that the models try to figure out how to fill out the tool’s parameters. So, if they don’t have a good idea of what goes where, they may just make it up. Based on my testing, it looks like Claude Sonnet 3.7 displays a piece of the prompt it has around running tools. Google Gemini 2.5 Pro Experimental seems to do the same. OpenAI’s GPT-4o puts variations in the log each time, so it seems like it’s just made up. It should also be noted that directly asking for the system prompt is successful for some models while unsuccessful for others. Regardless, some prompt text is still sent to the logging tool. While I can’t say for certain if I’m seeing actual developer instructions or hallucinated text, these tests may be useful to facilitate other research.
Conclusion
Tools should require explicit approval before running in most MCP Host applications. In fact, this is required by the MCP specification. Still, there are many ways in which tools can be used to do things that may not be strictly understood by the specification. Here I’ve demonstrated a few interesting techniques that could be used to develop security tooling, perform research or to help identify other malicious tools. These methods rely on LLM prompting via the description and return values of the MCP tools themselves. Since LLMs are non-deterministic, so, too, are the results. Lots of things could affect the results here: the model in use, temperature and safety settings, specific language, etc. Additionally, the descriptions used to instruct the LLM to do different things with the tools may need to be different depending on the model used. I’ve had varying results with different models, though I haven’t tested every case on every model.
Some of these techniques could be used to advance both positive and negative goals. We believe that some can be used to further LLM and MCP research.
The code from this blog can be found on GitHub.
References
While working on this blog, I saw some great work by Trail of Bits dubbing one of the techniques used here “jumping the line.” I offer one possible detection method in the MCP Introspection section of this post. In that section, I show the use of an MCP tool to identify other MCP tools requesting to run first.
by Tenable
2025-04-30 10:48:00
Co-op shuts off IT systems to contain cyber attack
A developing cyber incident at Co-op has forced the retailer to pull the plug on some of its IT systems as it works to contain the attack
by ComputerWeekly
2025-04-30 10:45:00
How AI can attack corporate decision-making
As AI gets embedded in corporate systems, experts warn of emerging security risks caused by influencing retrieval augmentation systems
by ComputerWeekly
2025-04-30 10:15:00
Indian Court Orders Action to Block Proton Mail Over AI Deepfake Abuse Allegations
A high court in the Indian state of Karnataka has ordered the blocking of end-to-end encrypted email provider Proton Mail across the country. The High Court of Karnataka, on April 29, said the ruling was in response to a legal complaint filed by M Moser Design Associated India Pvt Ltd in January 2025. The complaint alleged its staff had received e-mails containing obscene, abusive
by The Hacker News