@betanews.com
A new proof-of-concept rootkit, dubbed Curing, has been developed by ARMO researchers to demonstrate a significant blind spot in Linux runtime security. The rootkit leverages io_uring, the Linux asynchronous I/O interface, to bypass traditional system call monitoring. As a result, many existing security tools, including Falco, Tetragon, and even Microsoft Defender, are unable to detect malicious activity carried out this way, leaving systems exposed to stealthy rootkit attacks. The blind spot stems from the fact that io_uring lets user applications perform actions without issuing standard system calls, rendering security tools that depend on system call monitoring ineffective.
io_uring was introduced in Linux kernel version 5.1 in March 2019, designed to improve I/O efficiency by using circular buffers (a submission queue and a completion queue) shared between the kernel and user space. ARMO's Curing rootkit abuses this mechanism to communicate with a command-and-control server, fetch commands, and execute them on the infected host without triggering traditional security alerts, simply by performing its operations through io_uring instead of direct system calls.

ARMO's analysis found that popular Linux runtime security tools are blind to io_uring-based operations because they rely heavily on system call hooking, which io_uring bypasses. The security risks of io_uring have been acknowledged before, as evidenced by Google's decision to limit its use across Android, ChromeOS, and its production servers because of its exploitation potential, but a broader industry solution is still needed to address this Linux kernel blind spot effectively.

Recommendations for detecting io_uring-based threats include monitoring for anomalous use of io_uring, leveraging Kernel Runtime Security Instrumentation (KRSI), and identifying alternative hook points across the Linux stack.
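One of the cheap checks the article recommends, spotting processes that currently hold io_uring instances, as an added example that is not ARMO's code nor part of any tool named above. It reads only /proc (each ring shows up in /proc/PID/fd as a link to "anon_inode:[io_uring]"); the /proc tree it scans by default is constructed in a temporary directory so it runs offline.

```python
"""List processes holding an io_uring instance, using only /proc.

Every io_uring ring is an anonymous inode, and the kernel exposes it in
/proc/<pid>/fd/<n> as a symlink whose target reads "anon_inode:[io_uring]".
Walking those links needs no syscall hooking, so it still works where the
tools named in the article are blind. Pass the real /proc to scan a live host
(reading another user's fd table needs CAP_SYS_PTRACE; unreadable processes
are skipped).
"""
import os
import tempfile
from dataclasses import dataclass

IO_URING_TARGET = "anon_inode:[io_uring]"


@dataclass(frozen=True)
class IoUringUser:
    pid: int
    comm: str
    fds: tuple  # fd numbers that point at io_uring instances


def _read_comm(proc_root: str, pid: int) -> str:
    """Process name from /proc/<pid>/comm; empty string if unreadable."""
    try:
        with open(os.path.join(proc_root, str(pid), "comm")) as f:
            return f.read().strip()
    except OSError:
        return ""


def find_io_uring_users(proc_root: str = "/proc") -> list:
    """Return one IoUringUser per process holding at least one io_uring fd."""
    found = []
    for entry in sorted(os.listdir(proc_root)):
        if not entry.isdigit():
            continue
        pid = int(entry)
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:  # process exited or its fd table is not ours to read
            continue
        hits = []
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if target == IO_URING_TARGET:
                hits.append(int(fd))
        if hits:
            found.append(IoUringUser(pid, _read_comm(proc_root, pid), tuple(sorted(hits))))
    return found


def build_sample_proc() -> str:
    """Construct a fake /proc (sample data, not a real host): pid 101 'sshd'
    with ordinary fds, pid 202 'suspect' holding two io_uring rings, and
    pid 303 'nginx' with ordinary fds."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    layout = {
        101: ("sshd", {"0": "/dev/null", "3": "socket:[12345]"}),
        202: ("suspect", {"0": "/dev/null", "5": IO_URING_TARGET, "7": IO_URING_TARGET}),
        303: ("nginx", {"0": "/dev/null", "4": "socket:[67890]"}),
    }
    for pid, (comm, fds) in layout.items():
        pid_dir = os.path.join(root, str(pid))
        os.makedirs(os.path.join(pid_dir, "fd"))
        with open(os.path.join(pid_dir, "comm"), "w") as f:
            f.write(comm + "\n")
        for fd, target in fds.items():
            os.symlink(target, os.path.join(pid_dir, "fd", fd))
    return root


def scan_sample() -> list:
    """Scan the constructed /proc tree; only pid 202 should be reported."""
    return find_io_uring_users(build_sample_proc())


if __name__ == "__main__":
    for user in scan_sample():
        print(f"pid={user.pid} comm={user.comm} io_uring fds={list(user.fds)}")
```

On a real host, run it as root and diff the output against the set of programs you expect to use io_uring (databases, some web servers); anything else deserves a closer look.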
CISA@Alerts
References: blogs.jpcert.or.jp, thecyberexpress.com
A new wave of cyberattacks has been detected targeting Ivanti Connect Secure VPN devices, exploiting the zero-day vulnerability CVE-2025-0282. This vulnerability is being leveraged to deploy a previously unseen malware called DslogdRAT, along with a Perl-based web shell. The attacks, which initially targeted organizations in Japan around December 2024, involve the web shell being used for remote command execution, ultimately leading to the installation of DslogdRAT for persistence and command-and-control (C2) communication. Researchers at JPCERT/CC have been closely analyzing this malware and the methods used in these attacks.
The attack sequence begins with exploitation of CVE-2025-0282. Once the device is compromised, a Perl web shell is deployed and used to execute commands, including those that install DslogdRAT. DslogdRAT establishes a socket connection to an external server, transmits basic system information, and waits for further instructions, allowing the attackers to execute shell commands, upload and download files, and even use the compromised host as a proxy. The malware is designed to operate primarily during business hours, likely to avoid detection, and uses a simple XOR-based encoding to protect its communication with the C2 server.

Notably, the SPAWNSNARE backdoor has also been observed on systems compromised in these attacks. It is unclear whether the DslogdRAT campaign is connected to previous attacks involving the SPAWN malware family attributed to the Chinese hacking group UNC5221, but the use of CVE-2025-0282 as the initial access vector is a common thread. Threat intelligence firms have also noted a significant increase in scanning activity against Ivanti ICS and Ivanti Pulse Secure appliances, suggesting a coordinated reconnaissance effort that could precede further exploitation attempts. Users of Ivanti Connect Secure VPN devices are strongly advised to apply the available patches and monitor their systems for signs of compromise.
@www.csa.gov.sg
A critical remote code execution (RCE) vulnerability, identified as CVE-2025-34028, has been discovered in Commvault Command Center. This security flaw, rated a severity of 9.0 out of 10, allows unauthenticated remote attackers to execute arbitrary code on affected installations. The vulnerability stems from a path traversal issue that can lead to a complete compromise of the Command Center environment. Commvault acknowledged the flaw in an advisory released on April 17, 2025, highlighting the potential for attackers to gain control of the system without requiring authentication.
Commvault Command Center versions 11.38.0 through 11.38.19 of the 11.38 Innovation Release are affected. The root cause lies in the "deployWebpackage.do" endpoint, which is susceptible to a pre-authenticated Server-Side Request Forgery (SSRF) because there is no filtering of which hosts it may contact. An attacker can send an HTTP request to the vulnerable endpoint that causes the Commvault instance to retrieve a ZIP file from an external server of the attacker's choosing; once retrieved, the contents of the ZIP file are unzipped into a temporary directory under the attacker's control.

The vulnerability was discovered and reported by Sonny Macdonald, a researcher at watchTowr Labs, on April 7, 2025. watchTowr published technical details and a proof-of-concept (PoC) exploit on April 24, 2025, increasing the urgency for users to apply the necessary patches. Commvault has addressed the vulnerability in versions 11.38.20 and 11.38.25 and urges all users to upgrade immediately. The NIST National Vulnerability Database entry was last modified on April 23. watchTowr has also released a Detection Artefact Generator that organizations can use to determine whether their instance is affected by CVE-2025-34028.
@www.microsoft.com
Microsoft Threat Intelligence is reporting a significant rise in cyberattacks targeting unsecured Kubernetes clusters. These attacks are primarily aimed at illicit cryptocurrency mining, with threat actors exploiting vulnerabilities such as unsecured workload identities and inactive accounts to gain unauthorized access to containerized environments. Data from Microsoft indicates that a concerning 51% of workload identities remained inactive in the past year, creating numerous potential entry points for attackers. The increasing adoption of containers-as-a-service among organizations has expanded the attack surface, making it more attractive for cybercriminals seeking to profit from stolen computing resources.
The dynamic nature of Kubernetes environments poses significant challenges for security teams. The rapid deployment and scaling of containers make it difficult to detect runtime anomalies and trace the origins of security breaches. Attackers often exploit misconfigured resources, outdated container images, inadequate network segmentation, and overly permissive access controls to infiltrate these environments. Observed attack vectors include compromising cloud credentials, deploying malicious container images, exploiting the Kubernetes API, conducting node-level and pod escape attacks, and injecting unauthorized network traffic. A recent example involved the use of the AzureChecker.exe tool to launch password spray attacks against cloud tenants, leading to the creation of cryptomining containers within compromised resource groups.

To combat these evolving threats, Microsoft has been working with MITRE to update the Kubernetes threat matrix and the ATT&CK for Containers matrix, giving organizations a structured framework to systematically assess and mitigate attack surfaces in containerized environments. Security best practices highlighted include implementing immutable container policies, enforcing strong authentication, employing rigorous vulnerability management, using admission controllers, establishing image assurance policies, and continuously monitoring API activity. Separately, a Docker malware campaign has been discovered exploiting Teneo Web3 nodes by faking heartbeat signals to earn crypto, showing the diverse methods attackers use to generate revenue from compromised container environments.
Bill Toulas@BleepingComputer
Yale New Haven Health (YNHHS) has confirmed a significant data breach impacting 5.5 million patients. The cybersecurity incident, which occurred in March, involved unauthorized access to YNHHS systems, leading to the potential theft of sensitive personal information. The exposed data includes names, dates of birth, medical record numbers, and in some instances, Social Security numbers and health insurance details. YNHHS has alerted affected patients and is working with law enforcement and cybersecurity experts to investigate the breach.
Mandiant's incident response team was brought in to help contain the breach. The healthcare system began notifying affected patients by mail on April 14. The organization is affiliated with Yale University and Yale School of Medicine and is Connecticut's largest provider of its kind, with five hospitals and medical clinics across Connecticut as well as New York and Rhode Island. This cyberattack is considered one of the largest healthcare data breaches of the year. YNHHS has stated that the incident has not affected its ability to provide patient care, with the patient portal and electronic medical records functioning normally. The incident is a stark reminder of the growing cyber threats faced by healthcare organizations and underscores the critical need for robust security measures to safeguard patient data.
@gradientflow.com
References: techcrunch.com (Kyle Wiggers)
The increasing urgency to secure AI systems, particularly superintelligence, is becoming a matter of national security. This focus stems from concerns about potential espionage and the need to maintain control over increasingly powerful AI. Experts like Jeremy and Edouard Harris, founders of Gladstone AI, are urging US policymakers to balance the rapid development of AI with the inherent risks of losing control over these systems. Their research highlights vulnerabilities in critical US infrastructure that would need addressing in any large-scale AI initiative, raising questions about security compromises and power centralization.
Endor Labs, a company specializing in securing AI-generated code, has raised $93 million in Series B funding, highlighting the growing importance of this field. Recognizing that AI-generated code introduces new security challenges, Endor Labs offers a platform that reviews code, identifies risks, and recommends fixes, with the option to apply them automatically. Its tools include a plug-in for AI-powered programming platforms such as Cursor and GitHub Copilot that scans code in real time to flag potential issues.

The rise of generative AI presents unique security concerns as it moves beyond lab experiments and into critical business workflows. Unlike traditional software, large language models (LLMs) introduce vulnerabilities more akin to human fallibility, requiring security measures that go beyond defending against conventional code exploits. Prompt injection, where carefully crafted inputs manipulate LLMs, and a compromised AI supply chain are major risks, which is why tools like those from Endor Labs are needed to ensure the security and integrity of AI-driven code.
Sojun Ryu@Securelist
The Lazarus Group, a North Korea-linked advanced persistent threat (APT), is behind a new cyber espionage campaign named "Operation SyncHole." This operation has targeted at least six major South Korean organizations across software, IT, financial, semiconductor manufacturing, and telecommunications industries. The earliest signs of compromise were detected in November 2024. Kaspersky GReAT experts uncovered the campaign, revealing that Lazarus employed a sophisticated combination of watering hole attacks and exploitation of vulnerabilities in South Korean software products.
The attackers strategically leveraged vulnerabilities in widely used South Korean software, namely Cross EX and Innorix Agent. Cross EX is legitimate software prevalent in South Korea that enables security software for online banking and government websites, while Innorix Agent is a file transfer solution. By compromising legitimate South Korean media websites, the attackers redirected specific visitors to attacker-controlled infrastructure; researchers assess that the redirected site executed a malicious script targeting a potential flaw in the Cross EX installation on the victim's PC and launching malware. A "one-day" vulnerability in Innorix Agent then facilitated lateral movement, enabling further deployment of malware across internal networks.

The campaign used updated variants of Lazarus's malicious tools, including ThreatNeedle, the Agamemnon downloader, wAgent, SIGNBT, and COPPERHEDGE. The infection sequence was observed in two phases: ThreatNeedle and wAgent in the early stages, followed by SIGNBT and COPPERHEDGE to establish persistence.
@socprime.com
References: industrialcyber.co, socprime.com
The Billbug espionage group, also known as Lotus Blossom, Lotus Panda, and Bronze Elgin, is actively targeting government and critical sectors in Southeast Asia through a coordinated cyber intrusion campaign. Security researchers at Symantec have uncovered that this China-linked group compromised multiple organizations within a single Southeast Asian country between August 2024 and February 2025. The campaign marks a continuation of previously documented attacks in the region, showcasing the persistent threat posed by state-sponsored actors.
The attackers are employing sophisticated techniques, including DLL sideloading, to infiltrate systems. They abuse legitimate software from reputable vendors such as Trend Micro and Bitdefender to load malicious loaders. Specifically, a Trend Micro binary named tmdbglog.exe is used to sideload a malicious DLL named tmdglog.dll, which decrypts and executes further malicious code. Similarly, a Bitdefender binary, bds.exe, is abused to sideload a harmful file called log.dll; this DLL decrypts another file, winnt.config, and injects its payload into a Windows system process, systray.exe.

The targets of this campaign include a government ministry, an air traffic control organization, a telecommunications provider, and a construction company. Additionally, the group has targeted a news agency in another Southeast Asian country and an air freight organization in a neighboring country. The attackers are using new custom tools, including loaders, credential stealers, and a reverse SSH tool. Indicators of compromise (IOCs) related to Billbug activity have been identified, linking this campaign to the group's known tactics and infrastructure. These findings underscore the need for robust security measures and threat intelligence sharing to defend against such advanced cyber espionage efforts.
@www.volexity.com
Russian threat actors have been actively targeting Microsoft 365 accounts belonging to individuals and organizations with connections to Ukraine and human rights causes. These malicious actors are exploiting legitimate OAuth 2.0 authentication workflows to gain unauthorized access. Researchers at Volexity have been monitoring these campaigns since early March 2025, observing a shift in tactics from previous device code phishing attempts to methods that rely more heavily on direct interaction with targets. These new attacks involve convincing victims to click on links and provide Microsoft-generated codes.
These campaigns involve sophisticated social engineering, with attackers impersonating officials from various European nations and, in one instance, using a compromised Ukrainian Government account. The attackers contact their targets through messaging apps like Signal and WhatsApp, inviting them to join fake video calls or register for private meetings with European political figures or Ukraine-related events. The goal is to lure victims into clicking links hosted on Microsoft 365 infrastructure and ultimately trick them into sharing Microsoft authorization codes.

Volexity is tracking at least two suspected Russian threat actors, identified as UTA0352 and UTA0355, believed to be behind these attacks. The primary tactic is to request Microsoft authorization codes from victims, which then lets the attackers join attacker-controlled devices to Entra ID (formerly Azure AD) and download emails and other account-related data. This activity demonstrates a continuous effort by Russian threat actors to refine their techniques and circumvent security measures, highlighting the ongoing threat to individuals and organizations associated with Ukraine and human rights.
@cyberpress.org
A new variant of the Lumma Stealer malware has been identified, showing significant advancements in its stealth and persistence. Researchers at the Trellix Advanced Research Center analyzed the new variant, discovering features such as code flow obfuscation and dynamic API resolution that help it evade detection. Lumma Stealer, originally introduced in 2022, has rapidly evolved and poses a serious threat to personal and organizational data by targeting sensitive information stored on infected systems.
Lumma Stealer, also known as LummaC2, has gained popularity in underground forums, with over a thousand active subscribers as of March 2025. The malware uses deceptive methods such as fake CAPTCHA pages, mimicking Google reCAPTCHA or Cloudflare challenges, to trick users into executing malicious commands. These fraudulent pages are often hosted on compromised websites offering pirated content or cryptocurrency services, enticing unsuspecting users to initiate the infection chain.

The malware's infection chain is complex and difficult to detect. It involves downloading a .zip file, extracting the malware, and establishing persistence through the Windows Registry's Run key. More advanced attacks hide the malware within seemingly harmless .mp3 or .png files, triggered via the mshta.exe HTML application engine, and deploy layers of encryption, anti-debugging techniques, and detection evasion mechanisms. The stealer targets sensitive data, including cryptocurrency wallet credentials, 2FA codes, browser-stored passwords, and financial information, which it transmits to attacker-controlled domains.
info@thehackernews.com (The Hacker News)
Russian military personnel are being targeted by a new Android spyware campaign that disguises itself as a legitimate Alpine Quest mapping application. The spyware, dubbed Android.Spy.1292.origin, is distributed through unofficial channels, including Russian Android app catalogs and a fake Telegram channel promoting a pirated "Pro" version of the app. Once installed, the trojanized app functions like the original Alpine Quest, a popular navigation tool used by outdoor enthusiasts and also relied upon by Russian soldiers in military zones due to its offline capabilities. This allows the malware to remain undetected while it secretly harvests sensitive data from the compromised device.
The spyware collects a wide range of information, including the user's phone number, contact lists, geolocation data, and a list of files stored on the device. This data is then sent to a remote command-and-control server and a Telegram bot controlled by the attackers. The attackers are particularly interested in retrieving confidential documents shared via messaging apps like Telegram and WhatsApp. The malware also targets a specific file called "locLog" created by Alpine Quest, which logs detailed user movement data; by stealing this file, the attackers can reconstruct the victim's movements over time, enabling surveillance.

Security researchers at Doctor Web discovered the campaign and noted the modular design of the spyware, which lets attackers expand its capabilities by downloading additional modules that can exfiltrate specific content and execute a wider spectrum of malicious tasks. The attacks mirror tactics previously deployed by Russian groups against Ukrainian soldiers, seeking access to data from military apps and encrypted messaging apps. Experts advise downloading Android apps only from trusted app marketplaces and avoiding "free" versions of paid software from dubious sources to mitigate the risk posed by such threats.
Bill Toulas@BleepingComputer
South Korea's largest mobile operator, SK Telecom, is grappling with the aftermath of a malware attack that has potentially exposed the sensitive Universal Subscriber Identity Module (USIM) data of its customers. The company detected the breach on Saturday, April 19, 2025, at 11 PM local time, prompting immediate action to delete the malware and isolate affected equipment. While SK Telecom has not confirmed any misuse of the compromised data thus far, the incident raises significant concerns about the security of customer information and the potential for identity theft and fraud. Millions of SK Telecom customers are potentially at risk following USIM data compromise.
The compromised USIM data acts as a key to a customer's digital identity: unauthorized access can let threat actors impersonate individuals and reach sensitive personal and financial information. It also opens the door to SIM card cloning, where fraudsters duplicate USIMs to intercept calls, messages, and data for illegal activities. As the largest mobile carrier in South Korea, serving over 29 million subscribers, SK Telecom's breach highlights broader vulnerabilities within the telecommunications infrastructure.

The incident is a crucial lesson for the entire telecom industry, underscoring the need for robust security measures, strengthened cybersecurity protocols across the industry, and regulatory compliance to protect the personal identity information stored on USIMs. In response, government agencies are expected to launch investigations and reassess regulatory frameworks to ensure the security and privacy of customer data in the telecommunications sector.
@cyberalerts.io
A massive ad fraud operation dubbed "Scallywag" has been disrupted after researchers uncovered its scheme of generating up to 1.4 billion fraudulent ad requests daily. This operation monetized pirating and URL shortening websites through specially crafted WordPress plugins. These plugins, including Soralink, Yu Idea, WPSafeLink, and the Droplink extension, facilitated the insertion of ad-laden intermediary pages between piracy catalog sites and the desired pirated content, forcing users to interact with numerous ads and wait times.
HUMAN, a bot and fraud detection company, played a critical role in dismantling Scallywag's operations. The researchers identified anomalous traffic patterns, such as elevated ad impression volume and forced user interactions on seemingly innocuous WordPress blogs. By flagging suspicious domains and working with ad providers to block fraudulent bid requests, HUMAN cut off 95% of the Scallywag fraud-as-a-service operation.

Scallywag's success relied heavily on cloaking and obfuscation techniques to evade detection. When ad platforms or advertisers visited the intermediary pages directly, they appeared as benign blogs; only users redirected from piracy catalog sites encountered the ad-heavy, incentive-laden versions. The takedown has prompted many of Scallywag's affiliates to seek other scams, but the threat actors have shown resilience by rotating domains and moving to other monetization models, highlighting the need for continuous vigilance against ad fraud.
@securityonline.info
A critical security vulnerability has been discovered in Active! Mail, a web-based email client popular among large Japanese organizations. The vulnerability, identified as CVE-2025-42599, is a stack-based buffer overflow that allows remote attackers to execute arbitrary code on affected systems. This flaw, which has a CVSS score of 9.8, poses a significant threat to over 2,250 organizations in Japan, potentially impacting more than 11 million accounts. The severity of this vulnerability stems from the fact that it can be exploited by unauthenticated attackers, meaning they do not need any login credentials to carry out an attack.
This zero-day remote code execution vulnerability is being actively exploited in attacks targeting large organizations in Japan. Successful exploitation of CVE-2025-42599 can lead to full server compromise, data theft, service disruption, or the installation of malware. Given that Active! Mail is a vital component of many Japanese business environments, including corporations, universities, government agencies, and banks, and a significant player in the country's business webmail market, the potential impact is substantial.

In response to the active exploitation, Qualitia, the developer of Active! Mail, released a security bulletin and a corrective patch on April 18, 2025. Users are strongly urged to update to Active! Mail 6 BuildInfo: 6.60.06008562 as soon as possible. The Japan Computer Emergency Response Team (JPCERT) has also issued an advisory emphasizing the urgency of applying the patch. For organizations unable to update immediately, JPCERT recommends configuring Web Application Firewalls (WAF) to inspect HTTP request bodies and block excessively large multipart/form-data headers as a temporary mitigation.
@securityonline.info
Cybercriminals are exploiting a legitimate Microsoft utility called mavinject.exe to inject malicious Dynamic Link Libraries (DLLs) into unsuspecting systems. This technique allows attackers to bypass security measures and execute sophisticated malicious payloads while appearing to be a benign process. Mavinject.exe is a command-line utility designed for Application Virtualization (App-V) environments, intended for injecting DLLs into specific processes. Because it is signed by Microsoft and has shipped as a default component of Windows since Windows 10 version 1607, it is typically whitelisted by security solutions.
The exploitation of mavinject.exe relies on key Windows APIs such as OpenProcess, VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread: retrieve a handle to the target process, allocate memory within it, write the DLL path into that memory, and create a new thread that loads and executes the malicious DLL. By driving this through mavinject.exe, threat actors achieve external code execution while circumventing detection, because the utility is considered a trusted application. The technique is categorized as Signed Binary Proxy Execution.

Several Advanced Persistent Threat (APT) groups have used mavinject.exe in real-world attacks. Earth Preta (Mustang Panda), a Chinese government-supported APT group, has used it to inject malicious DLLs, such as backdoors, into legitimate processes like waitfor.exe after gaining initial access through phishing emails. The Lazarus Group has also employed mavinject.exe to inject malware into explorer.exe. Recommended defenses include monitoring mavinject.exe execution for specific arguments and API calls and, where App-V is not in use, blocking the utility altogether.
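A detection pass in the spirit of the monitoring advice above, as an added example rather than code from the article or any vendor tool. Event field names follow Sysmon's process-creation event, AppVClient.exe as the allowlisted App-V parent is my assumption, and the events themselves are constructed; /INJECTRUNNING is mavinject.exe's documented injection switch (MITRE ATT&CK T1218.013).

```python
"""Flag suspicious mavinject.exe executions in process-creation telemetry.

Three signals are combined: the host is not supposed to run App-V at all
(then any execution is an alert), the binary runs from somewhere other than
System32/SysWOW64 (a copied or renamed build), and /INJECTRUNNING is used
by a parent that is not the App-V client.
"""
import ntpath
from dataclasses import dataclass

INJECT_SWITCH = "/injectrunning"  # mavinject.exe <pid> /INJECTRUNNING <dll>
EXPECTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
APPV_PARENTS = {"appvclient.exe"}  # assumed legitimate caller under App-V


@dataclass(frozen=True)
class Finding:
    event_id: int
    severity: str
    reason: str


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def _dirname(path: str) -> str:
    return ntpath.dirname(path).lower()


def analyze_event(ev: dict, app_v_in_use: bool) -> list:
    """Return Findings for one process-creation event (empty if benign)."""
    image = ev.get("Image", "")
    cmd = ev.get("CommandLine", "").lower()
    parent = _basename(ev.get("ParentImage", ""))
    findings = []
    is_mavinject = _basename(image) == "mavinject.exe"
    # A renamed copy still carries its original file name in the PE version info.
    if not is_mavinject and ev.get("OriginalFileName", "").lower() == "mavinject.exe":
        is_mavinject = True
        findings.append(Finding(ev["id"], "high", f"mavinject.exe renamed to {_basename(image)}"))
    if not is_mavinject:
        return findings
    if not app_v_in_use:
        findings.append(Finding(ev["id"], "high", "mavinject.exe executed on a host without App-V"))
    if _dirname(image) not in EXPECTED_DIRS:
        findings.append(Finding(ev["id"], "high", f"mavinject.exe run from unexpected path {image}"))
    if INJECT_SWITCH in cmd:
        if parent in APPV_PARENTS:
            findings.append(Finding(ev["id"], "info", "/INJECTRUNNING from App-V client"))
        else:
            findings.append(Finding(ev["id"], "high", f"/INJECTRUNNING from parent {parent}"))
    return findings


def analyze(events: list, app_v_in_use: bool) -> list:
    out = []
    for ev in events:
        out.extend(analyze_event(ev, app_v_in_use))
    return out


SAMPLE_EVENTS = [  # constructed sample telemetry, not from a real incident
    {"id": 1, "Image": r"C:\Windows\System32\mavinject.exe",
     "CommandLine": r'mavinject.exe 4120 /INJECTRUNNING "C:\ProgramData\AppV\hook.dll"',
     "ParentImage": r"C:\Program Files\Microsoft Application Virtualization\Client\AppVClient.exe"},
    {"id": 2, "Image": r"C:\Windows\System32\mavinject.exe",
     "CommandLine": r"mavinject.exe 5532 /INJECTRUNNING C:\Users\Public\update.dll",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"id": 3, "Image": r"C:\Users\Public\svchost.exe", "OriginalFileName": "mavinject.exe",
     "CommandLine": r"svchost.exe 884 /INJECTRUNNING C:\Users\Public\log.dll",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"id": 4, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]


def high_severity_event_ids(app_v_in_use: bool = True) -> list:
    """Event ids with at least one high-severity finding in the sample data."""
    return sorted({f.event_id for f in analyze(SAMPLE_EVENTS, app_v_in_use) if f.severity == "high"})


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS, app_v_in_use=True):
        print(f"event {f.event_id} [{f.severity}] {f.reason}")
```

With App-V in use only events 2 and 3 rate high; with App-V absent the legitimate-looking event 1 is flagged too, which is the blocking policy the article recommends expressed as a detection.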
Zack Whittaker@techcrunch.com
Marks & Spencer (M&S), a major British retailer, has confirmed that it is currently managing a cybersecurity incident. This confirmation follows several days of reported service disruptions affecting store operations and customer experiences. The company issued a statement acknowledging the incident and apologized to customers for any inconvenience caused. M&S has implemented operational changes to protect the business and its customers during this time.
Customer impact includes disruptions to contactless payments, online orders, and the Click & Collect service. Some customers reported issues as far back as Saturday on the social media platform X, ranging from returns being unavailable to Click & Collect orders being delayed or unavailable. M&S stated that stores remain open, the website and app are operating normally, and contactless payments are working again, while the company works to resolve the remaining technical issues. M&S says it serves 32 million customers every year.

In response to the incident, Marks & Spencer has engaged external cybersecurity experts to investigate and strengthen its network security, and has notified the Information Commissioner's Office (ICO) and the National Cyber Security Centre (NCSC). The exact nature of the cyberattack and the extent of any potential data breach have not been fully disclosed, but M&S says it is taking the situation seriously, that customer trust is incredibly important to the company, and that it will provide updates as appropriate if the situation changes.