CyberSecurity news
FlagThis
|
@cyberscoop.com
//
Microsoft has issued its July 2025 Patch Tuesday updates, a crucial monthly release that addresses a significant number of vulnerabilities across its product lines. This release tackles a total of 130 CVEs, with 10 of them classified as critical. Notably, while no vulnerabilities were reported as actively exploited in the wild at the time of the release, one flaw in Microsoft SQL Server (CVE-2025-49719) has been publicly disclosed. This information disclosure vulnerability, rated as important with a CVSS score of 7.5, means that technical details are available, potentially increasing the risk of future exploitation. Organizations should prioritize patching this vulnerability, particularly as it affects SQL Server versions 2016 through 2022 and does not require authentication to exploit, potentially exposing sensitive data like credentials.
Among the critical vulnerabilities addressed, a particularly concerning one is a remote code execution (RCE) flaw in Windows SPNEGO Extended Negotiation (NEGOEX), designated CVE-2025-47981. This vulnerability carries a high CVSS score of 9.8 and is described as a heap-based buffer overflow, allowing an unauthenticated attacker to execute code remotely on a target system with low attack complexity and no user interaction. The nature of this flaw makes it a prime target for attackers seeking initial access or lateral movement within networks. Microsoft has also highlighted critical RCE vulnerabilities in Microsoft Office, with several rated as "more likely" to be exploited, including some that can be triggered via the preview pane without requiring a user to open a document, posing a significant risk to users' security. The July Patch Tuesday also includes fixes for vulnerabilities in Microsoft SharePoint, with an RCE flaw that requires authenticated access but could allow an attacker to execute code on the server. Additionally, vulnerabilities impacting Windows Hyper-V and other system components have been addressed. With a total of 130 CVEs patched, including numerous critical flaws, it is imperative for all organizations to review and apply these updates promptly to protect their systems and data from potential exploitation. The proactive patching of these vulnerabilities is essential for maintaining a strong security posture against the ever-evolving threat landscape. Recommended read:
References :
@socprime.com
//
A critical vulnerability, identified as CVE-2025-5777 and nicknamed "CitrixBleed 2," has been discovered in Citrix NetScaler ADC and Gateway. This memory disclosure vulnerability allows unauthenticated remote attackers to extract sensitive information, including session tokens and credentials, from affected devices. Security researchers and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirm that this flaw is being actively exploited in the wild. The vulnerability is particularly concerning due to its similarity to the infamous CVE-2023-4966, or "CitrixBleed," which also led to widespread exploitation and session hijacking. The ease of exploitation and the potential for bypassing multi-factor authentication (MFA) make this a significant threat to organizations globally.
Exploitation of CitrixBleed 2 reportedly began as early as mid-June, with proof-of-concept exploits now publicly available. This has led to a surge in scanning activity as attackers search for vulnerable systems. The U.S. government has been alerted to the severity of the threat, with CISA issuing an urgent directive for federal agencies to patch their NetScaler systems within 24 hours. Despite this, concerns remain that a significant portion of Citrix customers have not yet applied the necessary patches, mirroring the delayed response seen during the previous CitrixBleed crisis. The ability for attackers to hijack existing user sessions and gain unauthorized access to critical systems highlights the urgent need for immediate mitigation. The technical details of CVE-2025-5777 reveal that it stems from insufficient input validation, leading to memory overreads when NetScaler is configured as a Gateway or an AAA virtual server. Attackers can trigger a memory leak by sending specially crafted HTTP requests to the NetScaler login endpoint. The leaked memory can contain sensitive session tokens, allowing attackers to impersonate authenticated users and bypass MFA, thereby gaining access to internal networks. The potential consequences of successful exploitation range from data breaches and ransomware attacks to the disruption of critical operations across various sectors, including finance and healthcare. Organizations are strongly advised to update their Citrix NetScaler devices to the latest fixed versions immediately. Recommended read:
References :
@cyberpress.org
//
Iranian advanced persistent threat (APT) groups have significantly escalated their cyberattacks against critical U.S. infrastructure, with a notable 133% surge in activity observed during May and June 2025. The transportation and manufacturing sectors have been identified as the primary targets of these intensified operations. This trend aligns with ongoing geopolitical tensions, as well as recent warnings issued by U.S. authorities like CISA and the Department of Homeland Security, which highlighted U.S. entities as prime targets for Iranian cyber actors.
Nozomi Networks Labs reported a total of 28 distinct cyber incidents linked to Iranian APTs during May and June, a substantial increase from the 12 incidents recorded in the preceding two months. Among the most active groups identified are MuddyWater, which targeted at least five U.S. companies primarily in the transportation and manufacturing sectors, and APT33, responsible for attacks on at least three U.S. entities. Other groups such as OilRig, CyberAv3ngers, Fox Kitten, and Homeland Justice were also observed conducting attacks against U.S. companies in these critical industries. The resurfacing of the Iranian-backed Pay2Key ransomware, now operating as Pay2Key.I2P, further highlights the evolving threat landscape. This ransomware-as-a-service operation, linked to the Fox Kitten APT group, is reportedly offering an 80% profit share to affiliates targeting Iran's adversaries, including the U.S. and Israel. This financially motivated scheme has also demonstrated an ideological commitment, with claims of over 51 successful ransom payouts, netting substantial profits. The use of the Invisible Internet Project (I2P) for its infrastructure represents a notable shift in RaaS operations, potentially enhancing its evasiveness. Recommended read:
References :
@socprime.com
//
Citrix NetScaler ADC and Gateway systems are currently facing a critical security threat, identified as CVE-2025-5777, and widely nicknamed "CitrixBleed 2". This vulnerability, similar to the infamous CitrixBleed from 2023, allows unauthenticated attackers to exploit memory overread issues. This exploitation can lead to the disclosure of sensitive information, including session tokens and user credentials, enabling attackers to bypass multi-factor authentication and hijack active remote sessions. Security researchers have noted that exploitation of this flaw began as early as mid-June, with evidence pointing to its use in active hacking campaigns.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added CVE-2025-5777 to its Known Exploited Vulnerabilities catalog, citing evidence of active exploitation. This designation carries significant weight, and CISA has issued a stern warning, urging federal civilian agencies to apply necessary patches within 24 hours. The urgency stems from the understanding that vulnerabilities like this are frequent vectors for malicious cyber actors, posing a substantial risk to government and corporate networks. While Citrix initially released guidance and patches in June, concerns have been raised about the vendor's response in acknowledging the widespread exploitation of this critical flaw. The exploitation of CitrixBleed 2, alongside other critical vulnerabilities like CVE-2025-5349 and CVE-2025-6543, presents a significant risk to organizations. CVE-2025-5777 specifically allows attackers to steal session tokens, effectively enabling them to impersonate authenticated users and bypass security measures like MFA. This is a direct echo of the impact of the original CitrixBleed vulnerability, which was widely abused by nation-state actors and ransomware groups. The ongoing exploitation means that a considerable portion of the Citrix NetScaler user base may still be vulnerable, underscoring the critical need for immediate patching and diligent security practices. Recommended read:
References :
@blog.checkpoint.com
//
Scattered Spider, a financially motivated cyber threat group, has significantly expanded its targeting, with recent intelligence highlighting a new focus on the aviation sector. Known for its aggressive social engineering tactics and identity-focused intrusions, the group has previously targeted telecommunications, SaaS, cloud, and financial services by hijacking user identities and exploiting authentication flows. The FBI has issued a warning, indicating that airlines are now directly in the crosshairs of Scattered Spider. Their methods often involve sophisticated techniques such as SIM swapping, impersonating helpdesk personnel, and employing adversary-in-the-middle (AiTM) phishing to obtain valid credentials and tokens, frequently bypassing multi-factor authentication (MFA). This broader targeting strategy underscores the evolving and increasingly pervasive threat posed by this group.
In a significant development that underscores the reach of Scattered Spider, UK authorities have arrested four individuals linked to a spree of cyberattacks that crippled major British retailers, including Marks & Spencer, Harrods, and the Co-op earlier this year. The arrests, which involved individuals aged 17 to 20, are a major step in a high-priority investigation. The National Crime Agency (NCA) confirmed the arrests, suspecting the individuals of Computer Misuse Act offenses, blackmail, money laundering, and participation in organized crime. These retail attacks caused substantial disruption, with Marks & Spencer estimating losses of around £300 million due to the incident. The methods employed in these attacks, which reportedly included gaining access through social engineering to deploy ransomware, align with Scattered Spider's known modus operandi. The growing threat posed by Scattered Spider has prompted cybersecurity experts to issue alerts, particularly concerning their expansion into the aviation sector. The group's ability to effectively compromise user identities and bypass security measures like MFA makes them a formidable adversary. Their recent targeting of airlines, following major disruptions in the retail sector, signifies a dangerous escalation. Companies within the aviation industry, and indeed across all sectors, must remain vigilant and bolster their identity-centric defenses to counter the sophisticated tactics employed by Scattered Spider, which include advanced phishing kits, dynamic command and control infrastructure, and custom malware for persistent access. Recommended read:
References :
@databreaches.net
//
McDonald's has been at the center of a significant data security incident involving its AI-powered hiring tool, Olivia. The vulnerability, discovered by security researchers, allowed unauthorized access to the personal information of approximately 64 million job applicants. This breach was attributed to a shockingly basic security flaw: the AI hiring platform's administrator account was protected by the default password "123456." This weak credential meant that malicious actors could potentially gain access to sensitive applicant data, including chat logs containing personal details, by simply guessing the username and password. The incident raises serious concerns about the security measures in place for AI-driven recruitment processes.
The McHire platform, which is utilized by a vast majority of McDonald's franchisees to streamline the recruitment process, collects a wide range of applicant information. Researchers were able to access chat logs and personal data, such as names, email addresses, phone numbers, and even home addresses, by exploiting the weak password and an additional vulnerability in an internal API. This means that millions of individuals who applied for positions at McDonald's may have had their private information compromised. The ease with which this access was gained highlights a critical oversight in the implementation of the AI hiring system, underscoring the risks associated with inadequate security practices when handling large volumes of sensitive personal data. While the security vulnerability has reportedly been fixed, and there are no known instances of the exposed data being misused, the incident serves as a stark reminder of the potential consequences of weak security protocols, particularly with third-party vendors. The responsibility for maintaining robust cybersecurity standards falls on both the companies utilizing these technologies and the vendors providing them. This breach emphasizes the need for rigorous security testing and the implementation of strong, unique passwords and multi-factor authentication to protect applicant data from falling into the wrong hands. Companies employing AI in sensitive processes like hiring must prioritize data security to maintain the trust of job seekers and prevent future breaches. Recommended read:
References :
@securelist.com
//
Developers using the AI-powered coding assistant Cursor have fallen victim to a sophisticated crypto heist, losing an estimated $500,000. The incident involved a malicious extension, disguised as a legitimate tool for Solidity developers, which was distributed through the Open VSX marketplace. This marketplace, which serves as a source for extensions for AI development tools like Cursor, does not undergo the same stringent security checks as other marketplaces, creating a vulnerability that attackers exploited. The fake extension, titled "Solidity Language," managed to gain tens of thousands of downloads, likely boosted by bot activity, and successfully deceived even experienced users.
The malicious extension operated by silently executing PowerShell scripts and installing remote access tools on the victim's computer. Upon installation, the extension contacted a command-and-control server to download and run these harmful scripts. The attackers then leveraged the installed remote access application, ScreenConnect, to gain full control of the compromised system. This allowed them to upload additional malicious payloads, specifically targeting the developer's crypto wallet passphrases and ultimately siphoning off approximately $500,000 in cryptocurrency assets. The attackers also employed algorithm tricks to ensure the malicious extension ranked highly in search results, further increasing its visibility and the likelihood of it being downloaded by unsuspecting developers. This incident highlights a growing trend of attacks that leverage vulnerabilities within the open-source software ecosystem. While the Solidity Language extension itself offered no actual functionality, its deceptive appearance and elevated search ranking allowed it to trick users into installing malware. Security experts are urging developers to exercise extreme caution when installing extensions, emphasizing the importance of verifying extension authors and using robust security tools. The weaponization of AI-enhanced development tools serves as a stark reminder that the very tools designed to enhance productivity can be turned into vectors for significant financial loss if not handled with the utmost security awareness. Recommended read:
References :
Eric Geller@cybersecuritydive.com
//
References:
www.cybersecuritydive.com
Businesses are facing a growing wave of sophisticated phishing attacks, with mobile-based scams seeing a significant surge. Reports indicate that nearly six in ten companies have experienced incidents involving voice or text phishing that resulted in executive impersonation. Despite the prevalence of these attacks, with 77% of companies experiencing at least one such incident in the past six months, a concerningly low number of businesses, only half of those surveyed, express significant concern. This overconfidence leaves organizations more vulnerable than they realize, as attackers increasingly leverage mobile channels to trick employees into revealing credentials. These tactics often bypass traditional security measures, making detection incredibly difficult until irreversible damage has occurred.
The threat landscape is further complicated by the emergence of AI-generated content used to create highly convincing phishing lures. Researchers have noted that AI-powered search engine summaries are mistakenly suggesting phishing sites when users are attempting to find legitimate login pages. This fusion of AI and social engineering techniques makes these scams harder to identify and defend against. Compounding these issues, a major data leak involving McDonald's recruitment chatbot, Olivia, highlighted a critical security oversight. An administrator account was found using the default password "123456," potentially exposing sensitive data from over 60 million job applications. This breach underscores how basic security flaws can lead to massive data exposure in even advanced systems. To combat this escalating threat, companies are strongly advised to bolster their security awareness training programs and implement more robust security measures. The use of AI in crafting phishing campaigns, coupled with the pervasive nature of mobile attacks and basic security vulnerabilities, creates a more dangerous environment for businesses. Organizations must prioritize comprehensive training that educates employees on recognizing these advanced social engineering tactics and reinforce the importance of strong, unique passwords and multi-factor authentication across all systems. Proactive security strategies are essential to protect sensitive data and maintain operational integrity in the face of evolving cyber threats. Recommended read:
References :
David Jones@cybersecuritydive.com
//
The cybersecurity community is on high alert due to the active exploitation of a critical vulnerability in Citrix NetScaler devices, known as CitrixBleed 2 (CVE-2025-5777). This flaw allows attackers to perform dangerous memory leak attacks, potentially exposing sensitive user credentials and other confidential data. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially recognized the severity of this threat by adding it to its Known Exploited Vulnerabilities catalog, citing evidence of active exploitation. Federal agencies have been given a strict 24-hour deadline to patch affected systems, underscoring the urgency of the situation and the significant risk posed to government and enterprise networks.
CitrixBleed 2, which researchers have noted shares similarities with a previous critical vulnerability in Citrix NetScaler (CVE-2023-4966), enables attackers to bypass multi-factor authentication (MFA) and hijack user sessions. This memory leak vulnerability, stemming from insufficient input validation, allows unauthenticated attackers to read sensitive information from NetScaler devices configured as Gateways or AAA virtual servers. The exploitation of this flaw appears to have begun in late June, with reports indicating that some attackers may be linked to ransomware groups. The ease with which session tokens can be stolen and replayed to impersonate authenticated users presents a substantial threat to organizations relying on these Citrix products for remote access. In response to the escalating threat, cybersecurity researchers have confirmed widespread scanning and probing activity for the vulnerability. The U.S. CISA's inclusion of CVE-2025-5777 on its Known Exploited Vulnerabilities list serves as a strong warning to all organizations to prioritize patching their Citrix NetScaler ADC and Gateway devices immediately. Failure to do so leaves networks vulnerable to sophisticated attacks that can lead to significant data breaches and operational disruptions. Organizations are strongly advised to apply the latest security patches and updates as soon as possible to mitigate the risks associated with this critical vulnerability. Recommended read:
References :
info@thehackernews.com (The@The Hacker News
//
Critical SQL Injection Flaw in Fortinet FortiWeb - Fortinet's FortiWeb product has a critical SQL injection vulnerability (CVE-2025-25257) in its Fabric Connector, allowing arbitrary command execution.
ImgSrc: blogger.googleu
Fortinet has issued a critical patch for a severe SQL injection vulnerability affecting its FortiWeb product. Identified as CVE-2025-25257, the flaw resides within the Fabric Connector feature. This vulnerability allows an unauthenticated attacker to execute arbitrary commands and potentially gain access to sensitive information on affected systems. The issue stems from improper input sanitization, enabling attackers to manipulate SQL queries through specially crafted HTTP requests. The vulnerability has a high severity score of 9.8 out of 10, highlighting the significant risk it poses to organizations.
The vulnerability specifically impacts multiple versions of FortiWeb, including versions 7.6.0 through 7.6.3, 7.4.0 through 7.4.7, 7.2.0 through 7.2.10, and 7.0.0 through 7.0.10. The FortiWeb Fabric Connector acts as a crucial middleware, connecting FortiWeb web application firewalls with other Fortinet products for dynamic security updates. Attackers can exploit this flaw by sending malicious SQL payloads within HTTP Authorization headers, bypassing authentication controls and potentially leading to remote code execution. Researchers have demonstrated that this SQL injection can be escalated to achieve full system compromise by leveraging MySQL's INTO OUTFILE statement to write files to the server and executing them via Python scripts. Given the critical nature of this vulnerability and the availability of proof-of-concept exploits, Fortinet strongly urges all users of affected FortiWeb versions to apply the provided patches immediately. Organizations should update to FortiWeb 7.6.4, 7.4.8, 7.2.11, 7.0.11, or later versions to mitigate the risk of exploitation. As a temporary workaround, disabling the HTTP/HTTPS administrative interface can also help reduce exposure until the patches can be applied. Swift action is crucial to prevent potential data breaches and unauthorized access to sensitive systems. Recommended read:
References :
@cyberscoop.com
//
Cybersecurity researchers have identified a critical set of vulnerabilities, collectively named PerfektBlue, affecting OpenSynergy's BlueSDK Bluetooth stack. These flaws, which can be chained together to achieve remote code execution, pose a significant risk to millions of vehicles. Automakers such as Mercedes-Benz, Volkswagen, and Skoda are confirmed to be impacted, along with an additional unnamed manufacturer. The vulnerabilities could allow attackers, within Bluetooth range, to compromise infotainment systems, potentially leading to unauthorized access to sensitive vehicle functions.
The PerfektBlue attack leverages a chain of vulnerabilities including a critical use-after-free flaw in the AVRCP service (CVE-2024-45434) and issues within L2CAP and RFCOMM protocols. Successful exploitation can enable attackers to execute arbitrary code on a car's system, potentially allowing them to track GPS coordinates, record audio, access contact lists, and even pivot to more critical systems. While infotainment systems are often isolated, the effectiveness of this separation varies by manufacturer, meaning some attacks could provide a pathway to controlling core vehicle functions. OpenSynergy confirmed these vulnerabilities last year and released patches in September 2024. However, many automakers have yet to implement these crucial updates, leaving millions of vehicles exposed. The attack requires an attacker to pair with the target vehicle's infotainment system via Bluetooth, a process that can vary in user interaction depending on the manufacturer's implementation. While patches are available, the widespread delay in deployment means that a significant number of cars remain vulnerable to this potentially far-reaching exploit. Recommended read:
References :
info@thehackernews.com (The@The Hacker News
//
GPUHammer Attack Targets NVIDIA GPUs - A new 'GPUHammer' attack targets NVIDIA GPUs, degrading AI model accuracy; NVIDIA recommends enabling ECC.
ImgSrc: blogger.googleu
A significant security vulnerability, dubbed GPUHammer, has been demonstrated against NVIDIA GPUs, specifically targeting GDDR6 memory. Researchers from the University of Toronto have successfully executed a Rowhammer attack variant on an NVIDIA A6000 GPU, causing bit flips in the memory. This type of attack exploits the physical behavior of DRAM chips, where rapid access to one memory row can induce errors, or bit flips, in adjacent rows. While Rowhammer has been a known issue for CPUs, this marks the first successful demonstration against a discrete GPU, raising concerns about the integrity of data and computations performed on these powerful processors, especially within the burgeoning field of artificial intelligence.
The practical implications of GPUHammer are particularly alarming for machine learning models. In a proof-of-concept demonstration, researchers were able to degrade the accuracy of a deep neural network model from 80% to a mere 0.1% by inducing a single bit flip. This degradation highlights the vulnerability of AI infrastructure, which increasingly relies on GPUs for parallel processing and complex calculations. Such attacks could compromise the reliability and trustworthiness of AI systems, impacting everything from image recognition to complex decision-making processes. NVIDIA has acknowledged these findings and is urging its customers to implement specific security measures to defend against this threat. In response to the GPUHammer attack, NVIDIA is strongly recommending that customers enable System-level Error Correction Codes (ECC) on their GDDR6 GPUs. ECC is a hardware-level mechanism designed to detect and correct errors in memory, and it has been proven to effectively neutralize the Rowhammer threat. NVIDIA's guidance applies to a wide range of its professional and data center GPU architectures, including Blackwell, Hopper, Ada, Ampere, and Turing. While consumer-grade GPUs may have limited ECC support, the company emphasizes that its enterprise-grade and data center solutions, many of which have ECC enabled by default, are the recommended choice for applications requiring enhanced security assurance. This proactive measure aims to protect users from data tampering and maintain the integrity of critical workloads. Recommended read:
References :
@industrialcyber.co
//
Iranian advanced persistent threat (APT) groups have significantly escalated their cyberattacks against U.S. infrastructure, with a notable 133% surge reported by Nozomi Networks Labs. This increase in malicious activity, observed during May and June of 2025, directly coincides with heightened geopolitical tensions involving Iran. The primary sectors targeted by these operations are transportation and manufacturing, indicating a strategic focus on critical infrastructure within the United States. U.S. government agencies, including CISA and the Department of Homeland Security, have issued advisories warning of these threats, urging organizations to bolster their cybersecurity postures.
The resurgence of the Pay2Key Ransomware-as-a-Service (RaaS) is a key element in this escalation. This operation, linked to the Fox Kitten APT group, is reportedly offering an increased profit share of 80% to affiliates specifically targeting perceived enemies of Iran, such as the United States and Israel. This financially motivated scheme has already collected substantial extortion payments, underscoring the real-world impact of these cyber operations. Several well-known Iranian APT groups, including MuddyWater, APT33, OilRig, CyberAv3ngers, Fox Kitten, and Homeland Justice, have been identified as active participants in these campaigns, employing tactics ranging from sophisticated espionage to disruptive attacks. In response to this evolving threat landscape, organizations within the transportation and manufacturing sectors are strongly advised to enhance their cyber defenses. This includes vigilant monitoring for Iranian APT activity and reviewing overall security frameworks. The U.S. government’s warnings highlight the strategic intent behind these attacks, which aim to advance foreign policy objectives and potentially disrupt critical services. Security professionals must remain informed about the evolving capabilities and targeting methodologies of these nation-state actors to effectively mitigate the growing cybersecurity risks. Recommended read:
References :
@gbhackers.com
//
SLOW#TEMPEST Evolving Malware Obfuscation Evasion Techniques - The SLOW#TEMPEST group is employing advanced malware with dynamic jumps and obfuscated calls to evade detection, countered by CPU emulation.
ImgSrc: blogger.googleu
Cybersecurity experts have identified a significant evolution in the tactics employed by the SLOW#TEMPEST malware group, which is now utilizing advanced obfuscation techniques to bypass detection systems. This latest variant is distributed as an ISO file containing both malicious and seemingly benign files, a common strategy to evade initial scanning. The malware employs DLL sideloading, a technique where a legitimate, signed executable like DingTalk.exe is tricked into loading a malicious DLL, zlibwapi.dll. This loader DLL then decrypts and executes a payload appended to another DLL, ipc_core.dll, creating a multi-stage attack that complicates analysis and detection.
At the core of SLOW#TEMPEST's enhanced evasion are sophisticated obfuscation methods designed to thwart both static and dynamic analysis. The malware utilizes control flow graph (CFG) obfuscation through dynamic jumps, where the target addresses of instructions like JMP RAX are computed at runtime based on system states and CPU flags. This unpredictability renders traditional analysis tools ineffective. Additionally, function calls are heavily obfuscated, with addresses dynamically resolved at runtime, masking the malware's true intentions and obscuring calls to crucial Windows APIs. Researchers have countered these tactics by employing CPU emulation frameworks like Unicorn to isolate and execute dispatcher routines, thereby revealing the dynamic jump destinations and restoring a more comprehensible program flow. Palo Alto Networks researchers have delved into these advanced obfuscation techniques, highlighting methods and code that can be used to detect and defeat them. Their analysis reveals that the malware authors are actively manipulating execution paths and obscuring function calls to make their malicious code as difficult to analyze as possible. The campaign's use of dynamic jumps and obfuscated function calls forces security practitioners to adopt advanced emulation and scripting to dissect the malware's operations effectively. Understanding and counteracting these evolving tactics is crucial for developing robust detection rules and strengthening defenses against increasingly sophisticated cyber threats. Palo Alto Networks customers are reportedly better protected against these threats through products like Advanced WildFire, Cortex XDR, and XSIAM. Recommended read:
References :
@thehackernews.com
//
References:
Cyber Security News
, securityaffairs.com
,
Cybersecurity researchers have uncovered critical vulnerabilities in Kigen's eSIM technology, potentially impacting billions of Internet of Things (IoT) devices and mobile networks worldwide. Security Explorations, a research lab, demonstrated that they could compromise Kigen's eUICC cards, a component essential for eSIM functionality. The attack allowed researchers to extract private encryption keys and download arbitrary eSIM profiles from major mobile network operators. This breach raises significant concerns about identity theft and the potential interception of communications for a vast number of connected devices.
The exploitation of these flaws builds upon prior Java Card research from 2019, which highlighted fundamental weaknesses in virtual machine implementations. Researchers were able to bypass security measures on the eUICC chip, which is designed to securely store and manage mobile carrier profiles. By exploiting type confusion vulnerabilities, they gained unauthorized access to the chip's memory, enabling the extraction of critical cryptographic keys like the private ECC key for GSMA certificates. This effectively undermined the trust model that underpins the entire eSIM ecosystem, as the eSIM profiles themselves and the Java applications stored on the chip were found to lack proper isolation or protection. While Kigen has acknowledged the issue and deployed mitigations, including hardening bytecodes and tightening test profile rules, concerns remain regarding the root cause of the vulnerability. The GSMA TS.48 Generic Test Profile, versions 6.0 and earlier, has been identified as a contributing factor, allowing for the installation of unverified or malicious applets. Although the latest version of the GSMA standard addresses this, the existence of these fundamental flaws in widely deployed eSIM technology highlights the ongoing challenges in securing the rapidly expanding IoT landscape and the potential for widespread compromise if not adequately addressed. Recommended read:
References :
@training.invokere.com
//
References:
malware.news
, thedfirreport.com
,
Researchers have uncovered a new and sophisticated variant of the Interlock RAT, a remote access trojan associated with the Interlock ransomware group. This latest iteration is written in PHP, marking a departure from previously observed JavaScript-based versions. The malware is being distributed through a widespread campaign that leverages compromised websites and Cloudflare tunnels. The attack chain begins with a single-line script injected into website HTML, often unbeknownst to the website owners. This script employs IP filtering to serve the payload, which then manipulates the user into clicking a captcha for "verification," ultimately leading to the execution of a PowerShell script that deploys the Interlock RAT.
The delivery mechanism for this new PHP variant utilizes the KongTuke FileFix technique. Researchers have noted that this updated method has been observed deploying the PHP version of the Interlock RAT, and in some instances, this has subsequently led to the deployment of the Node.js variant of the same RAT. The capabilities of this Interlock RAT variant include remote control of compromised systems, thorough system reconnaissance, and the ability to perform lateral movement within a network. This demonstrates an evolving level of sophistication in the threat actor's tactics. The DFIR Report, in collaboration with Proofpoint, identified the malware and its distribution methods. The observed execution involves a PowerShell command that deletes a scheduled task named "Updater" before downloading and executing a script from a specific URL. This script, in turn, abuses the `php.exe` executable from an uncommon location to further download and execute the RAT. Security professionals are advised to be aware of PowerShell spawning `php.exe` from unusual directories as a potential indicator of compromise. Additionally, the RAT's reconnaissance activities, such as running `systeminfo`, `tasklist`, `whoami`, or `nltest`, provide further opportunities for detection. Recommended read:
References :
Aman Mishra@gbhackers.com
//
Compromised WordPress Plugin Enables Code Injection - Hackers compromised the Gravity Forms WordPress plugin, injecting malicious code and creating backdoors for remote code execution and data exfiltration.
ImgSrc: blogger.googleu
Hackers have successfully compromised the popular WordPress plugin Gravity Forms, embedding malicious code into versions downloaded directly from the official gravityforms.com website. This sophisticated supply chain attack targets a significant portion of WordPress websites relying on Gravity Forms for form creation and data collection. The attackers are reportedly exploiting a vulnerability within the plugin, specifically targeting the gf_api_token parameter. This allows them to inject malicious PHP code into core plugin files, such as gravityforms/common.php and includes/settings/class-settings.php, creating backdoors that can lead to remote code execution and unauthorized access.
The malicious campaign was first detected when security researchers observed suspicious HTTP POST requests to a newly registered domain, gravityapi.org, which served as a command-and-control server. The injected malware is capable of exfiltrating sensitive WordPress site data, including URLs, plugin lists, user counts, and environment details, transmitting this information to the attacker-controlled domain. Upon receiving a response, the malware can deploy further payloads, such as writing a backdoored PHP file to the server that masquerades as legitimate content management tools. This backdoor enables attackers to execute arbitrary code, create new administrator accounts, upload files, and manipulate site content with devastating effects. In response to the discovered vulnerability, Gravity Forms has swiftly released version 2.9.13 of the plugin, which is confirmed to be free of the backdoor. Additionally, the registrar Namecheap has suspended the malicious gravityapi.org domain to disrupt ongoing exploitation efforts. Website administrators are strongly advised to update their Gravity Forms plugin to the latest version immediately to mitigate the risk of compromise. Monitoring network traffic for suspicious activity, particularly POST requests to the identified malicious domain, is also a crucial step in preventing unauthorized access and code execution on affected WordPress sites. Recommended read:
References :
@www.helpnetsecurity.com
//
Bitwarden Launches MCP Server for Secure AI Integration - Bitwarden launched its Model Context Protocol server for secure integration of AI agents with credential management.
ImgSrc: img.helpnetsecu
Bitwarden Unveils Model Context Protocol Server for Secure AI Agent Integration
Bitwarden has launched its Model Context Protocol (MCP) server, a new tool designed to facilitate secure integration between AI agents and credential management workflows. The MCP server is built with a local-first architecture, ensuring that all interactions between client AI agents and the server remain within the user's local environment. This approach significantly minimizes the exposure of sensitive data to external threats. The new server empowers AI assistants by enabling them to access, generate, retrieve, and manage credentials while rigorously preserving zero-knowledge, end-to-end encryption. This innovation aims to allow AI agents to handle credential management securely without the need for direct human intervention, thereby streamlining operations and enhancing security protocols in the rapidly evolving landscape of artificial intelligence. The Bitwarden MCP server establishes a foundational infrastructure for secure AI authentication, equipping AI systems with precisely controlled access to credential workflows. This means that AI assistants can now interact with sensitive information like passwords and other credentials in a managed and protected manner. The MCP server standardizes how applications connect to and provide context to large language models (LLMs), offering a unified interface for AI systems to interact with frequently used applications and data sources. This interoperability is crucial for streamlining agentic workflows and reducing the complexity of custom integrations. As AI agents become increasingly autonomous, the need for secure and policy-governed authentication is paramount, a challenge that the Bitwarden MCP server directly addresses by ensuring that credential generation and retrieval occur without compromising encryption or exposing confidential information. This release positions Bitwarden at the forefront of enabling secure agentic AI adoption by providing users with the tools to seamlessly integrate AI assistants into their credential workflows. The local-first architecture is a key feature, ensuring that credentials remain on the user’s machine and are subject to zero-knowledge encryption throughout the process. The MCP server also integrates with the Bitwarden Command Line Interface (CLI) for secure vault operations and offers the option for self-hosted deployments, granting users greater control over system configurations and data residency. The Model Context Protocol itself is an open standard, fostering broader interoperability and allowing AI systems to interact with various applications through a consistent interface. The Bitwarden MCP server is now available through the Bitwarden GitHub repository, with plans for expanded distribution and documentation in the near future. Recommended read:
References :
@cyble.com
//
Cyble threat intelligence researchers have uncovered a global phishing campaign leveraging the LogoKit phishing kit. This sophisticated kit is being used to target government, banking, and logistics sectors. The initial discovery stemmed from a phishing link mimicking the Hungary CERT login page, highlighting the campaign's ability to impersonate legitimate websites to steal credentials.
The LogoKit is designed to enhance credibility and increase the likelihood of successful credential theft. The phishing attacks often embed the victim's email address in the URL, pre-filling the username field on the spoofed login page. This personalized approach, combined with the kit's ability to dynamically generate convincing phishing pages, makes it a potent threat. CRIL analyzes show that the kit uses brand assets from Clearbit and Google Favicon to create realistic-looking login pages. These phishing campaigns are part of a larger trend of surging identity attacks. Reports indicate a significant increase in cyberattacks targeting user logins. Cybercriminals are increasingly turning to sophisticated phishing-as-a-service platforms to conduct BEC schemes and ransomware disasters. Organizations should implement strong DNS security measures to protect against such threats. Recommended read:
References :
@gbhackers.com
//
AI Coding and Signed Drivers Increase Attack Surface - AI coding increases the cyber attack surface, code-signed drivers are used for kernel-level attacks, and slopsquatting exploits coding agent workflows.
ImgSrc: blogger.googleu
References:
Cyber Security News
, gbhackers.com
The rise of AI-assisted coding is introducing new security challenges, according to recent reports. Researchers are warning that the speed at which AI pulls in dependencies can lead to developers using software stacks they don't fully understand, thus expanding the cyber attack surface. John Morello, CTO at Minimus, notes that while AI isn't inherently good or bad, it magnifies both positive and negative behaviors, making it crucial for developers to maintain oversight and ensure the security of AI-generated code. This includes addressing vulnerabilities and prioritizing security in open source projects.
Kernel-level attacks on Windows systems are escalating through the exploitation of signed drivers. Cybercriminals are increasingly using code-signing certificates, often fraudulently obtained, to masquerade malicious drivers as legitimate software. Group-IB research reveals that over 620 malicious kernel-mode drivers and 80-plus code-signing certificates have been implicated in campaigns since 2020. A particularly concerning trend is the use of kernel loaders, which are designed to load second-stage components, giving attackers the ability to update their toolsets without detection. A new supply-chain attack, dubbed "slopsquatting," is exploiting coding agent workflows to deliver malware. Unlike typosquatting, slopsquatting targets AI-powered coding assistants like Claude Code CLI and OpenAI Codex CLI. These agents can inadvertently suggest non-existent package names, which malicious actors then pre-register on public registries like PyPI. When developers use the AI-suggested installation commands, they unknowingly install malware, highlighting the need for multi-layered security approaches to mitigate this emerging threat. Recommended read:
References :
Lawrence Abrams@BleepingComputer
//
Ingram Micro, a global IT distributor, has confirmed it was hit by a SafePay ransomware attack, causing a significant outage affecting its websites and internal systems. The attack, which began on July 3, 2025, has disrupted order processing and shipments, impacting customers, vendor partners, and others who rely on the company's services. Ingram Micro, one of the world's largest technology distributors with approximately 24,000 employees and $48 billion in revenue in 2024, is working diligently to restore affected systems.
The company's initial response involved proactively taking certain systems offline and implementing other mitigation measures to secure the environment. Leading cybersecurity experts were engaged to assist with the investigation, and law enforcement was notified. Ingram Micro said that internal alerts, investigation protocols, and communications with key clients and stakeholders were immediately initiated, a statement was released to explain the suspected vulnerabilities exploited by the ransomware. Sources indicate that the SafePay ransomware group gained access through Ingram Micro's GlobalProtect VPN platform. The attack has impacted various systems, including the company's AI-powered Xvantage distribution platform and the Impulse license provisioning platform, leading to shipment backlogs and licensing interruptions across platforms such as Microsoft 365 and Dropbox. While it remains unclear if data was encrypted, the ransomware note claimed to have stolen various types of information. As a result, Ingram Micro's customers may experience delays as the company focuses on restoring its systems. Recommended read:
References :
|
