CyberSecurity news
FlagThis
|
Pierluigi Paganini@Security Affairs
//
Apple has released security updates to address actively exploited zero-day vulnerabilities impacting older iPhones and Macs. The patches aim to fix flaws that could allow malicious actors to elevate privileges or execute arbitrary code on affected devices. These updates address CVE-2025-24200, CVE-2025-24201, and CVE-2025-24085, and are now available for iOS 15.8.4, iPadOS 15.8.4, iOS 16.7.11, iPadOS 16.7.11, macOS Sonoma 14.7.5, and macOS Ventura 13.7.5.
The vulnerabilities include a use-after-free bug in the Core Media component (CVE-2025-24085), an authorization issue in the Accessibility component (CVE-2025-24200), and an out-of-bounds write issue in the WebKit component (CVE-2025-24201). Apple addressed the flaw in iOS 18.3.1, iPadOS 18.3.1, and 17.7.5, released on February 10, 2025. CVE-2025-24200 specifically allowed attackers with physical access to locked devices to disable USB Restricted Mode. Users of older devices, including iPhone 6s, iPhone 7, iPhone 8, iPhone X, iPad Air 2, and various iPad Pro models, are urged to update their systems to safeguard against potential threats. Recommended read:
References :
jane.mccallion@futurenet.com (Jane@itpro.com
//
AI Bots Suffocate Wikipedia with Scraped Content - Wikimedia Foundation is facing a surge in bandwidth usage due to AI bots scraping the site, causing a 50% bandwidth increase and raising operational costs.
ImgSrc: cdn.mos.cms.fut
References:
Platformer
, The Register - Software
,
The Wikimedia Foundation, which oversees Wikipedia, is facing a surge in bandwidth usage due to AI bots scraping the site for data to train AI models. Representatives from the Wikimedia Foundation have stated that since January 2024, the bandwidth used for downloading multimedia content has increased by 50%. This increase is not attributed to human readers, but rather to automated programs that are scraping the Wikimedia Commons image catalog of openly licensed images.
This unprecedented level of bot traffic is straining Wikipedia's infrastructure and increasing costs. The Wikimedia Foundation has found that at least 65% of the resource-consuming traffic to the website is coming from bots, even though bots only account for about 35% of overall page views. This is because bots often gather data from less popular articles, which requires fetching content from the core data center, consuming more computing resources. In response, Wikipedia’s site managers have begun imposing rate limits or banning offending AI crawlers. Recommended read:
References :
@The DefendOps Diaries
//
A vulnerability in Verizon's Call Filter feature exposed customers' incoming call history, allowing unauthorized access to call logs. Security researcher Evan Connelly discovered the flaw in the Verizon Call Filter iOS app, revealing that it was possible to access the incoming call logs for any Verizon Wireless number through an unsecured API request. The vulnerability was reported to Verizon on February 22, 2025, and acknowledged by the company two days later. The flaw was subsequently fixed by March 25, 2025.
The vulnerability was rooted in the backend API used by the Verizon Call Filter app, which failed to verify that the phone number requested for call history matched the authenticated user’s number. An attacker with a valid JSON Web Token (JWT) could manipulate the request header and retrieve call logs for any Verizon customer. This oversight allowed modification of the phone number being sent, and data could be received back for Verizon numbers not associated with the signed-in user, raising significant privacy and safety concerns for Verizon Wireless customers. Recommended read:
References :
Pierluigi Paganini@securityaffairs.com
//
References:
securityaffairs.com
, bishopfox.com
,
CISA has added a new Apache Tomcat vulnerability, identified as CVE-2025-24813, to its Known Exploited Vulnerabilities (KEV) catalog. This action follows evidence that the flaw is being actively exploited in the wild, posing a significant risk to organizations utilizing affected versions of Apache Tomcat. The vulnerability is a path equivalence issue within Apache Tomcat.
To mitigate the risk posed by CVE-2025-24813, impacted users are urged to upgrade their Apache Tomcat installations to the latest secure versions. Specifically, upgrades to Apache Tomcat 11.0.3 or later, Apache Tomcat 10.1.35 or later, or Apache Tomcat 9.0.99 or later are recommended. The advisory also includes IPS protection measures to detect and block potential attack attempts targeting this vulnerability affecting the Apache Tomcat web server. Recommended read:
References :
Waqas@hackread.com
//
Royal Mail is currently investigating a data breach after a threat actor leaked over 144GB of data allegedly stolen from its systems. The breach is believed to have originated from a compromise at Spectos GmbH, a third-party data collection and analytics service provider for Royal Mail. The leaked data includes sensitive information such as customer personally identifiable information (PII), internal communications including Zoom meeting recordings, operational data like delivery routes, and marketing infrastructure data including Mailchimp mailing lists.
The investigation is ongoing to determine the full extent of the breach and its potential impact. Royal Mail has stated that there is currently no impact on operations. The incident serves as a stark reminder of the vulnerabilities inherent in modern supply chains and the critical need for robust vendor management and security protocols. The breach highlights the potential for identity theft, phishing attacks, and reputational damage arising from compromised vendor access. Recommended read:
References :
SC Staff@scmagazine.com
//
An ongoing cryptomining campaign, attributed to the threat actor JINX-0126, has successfully compromised over 1,500 internet-exposed PostgreSQL servers. Attackers are exploiting instances with weak credentials, allowing them to deploy XMRig-C3 cryptocurrency miners using fileless techniques. This campaign is an evolution of the PG_MEM malware activity, initially detected in August, and demonstrates sophisticated evasion tactics. These include deploying binaries with unique hashes per target and executing the miner payload filelessly.
Cloud security firm Wiz, has identified that attackers are abusing the "COPY ... FROM PROGRAM SQL" command to execute arbitrary shell commands. Once authenticated, attackers conduct reconnaissance, deploy a shell script to eliminate competing cryptominers, and deliver the pg_core binary. A Golang binary called "postmaster" is also downloaded, enabling persistence, privilege escalation, and the execution of a new XMRig cryptominer variant, highlighting the risks of weak PostgreSQL configurations in cloud environments. This campaign could have leveraged over 1,500 compromised machines. Recommended read:
References :
@The DefendOps Diaries
//
A new version of the Triada trojan has been discovered preinstalled on thousands of new Android devices, raising significant cybersecurity concerns. This sophisticated malware, initially identified in 2016, has evolved to embed itself deeply into the Android system framework, making it difficult for users to detect or remove. Discovered on counterfeit versions of popular smartphone models sold at discounted prices through online stores, Triada poses a severe threat as it can steal user data immediately after device setup.
Triada's capabilities include stealing user data, such as social media and messenger accounts, and manipulating cryptocurrency transactions by replacing wallet addresses. The malware can also falsify caller IDs, monitor browser activity, and even activate premium SMS services. Experts warn that this new version infiltrates the device at the firmware level, indicating a compromised supply chain and urging users to exercise caution and purchase Android devices from reputable sources. Recommended read:
References :
@The DefendOps Diaries
//
A critical vulnerability, identified as CVE-2024-20439, has been discovered in the Cisco Smart Licensing Utility (CSLU), a Windows application used for managing licenses. This flaw exposes a built-in backdoor admin account due to an undocumented static user credential. Unauthenticated attackers are now actively exploiting this vulnerability to gain remote administrative access to unpatched systems through the CSLU app's API. Cisco has urged administrators to immediately apply the necessary patches to prevent unauthorized access and mitigate the risk.
The exploitation of CVE-2024-20439 allows attackers to bypass normal authentication procedures and gain control over the CSLU API. This provides them with the ability to manage services, extract sensitive data, and potentially move laterally within affected networks. The U.S. CISA has added this Cisco Smart Licensing Utility flaw to its Known Exploited Vulnerabilities catalog, highlighting the severity and active exploitation of this vulnerability. The vulnerability was first disclosed by Cisco in September 2024 and has since been actively exploited in the wild, raising significant concerns about network security. Recommended read:
References :
Nazy Fouladirad@AI Accelerator Institute
//
References:
hiddenlayer.com
, AI Accelerator Institute
,
As generative AI adoption rapidly increases, securing investments in these technologies has become a paramount concern for organizations. Companies are beginning to understand the critical need to validate and secure the underlying large language models (LLMs) that power their Gen AI products. Failing to address these security vulnerabilities can expose systems to exploitation by malicious actors, emphasizing the importance of proactive security measures.
Microsoft is addressing these concerns through innovations in Microsoft Purview, which offers a comprehensive set of solutions aimed at helping customers seamlessly secure and confidently activate data in the AI era. Complementing these efforts, Fiddler AI is focusing on building trust into AI systems through its AI Observability platform. This platform emphasizes explainability and transparency. They are helping enterprise AI teams deliver responsible AI applications, and also ensure people interacting with AI receive fair, safe, and trustworthy responses. This involves continuous monitoring, robust security measures, and strong governance practices to establish long-term responsible AI strategies across all products. The emergence of agentic AI, which can plan, reason, and take autonomous action to achieve complex goals, further underscores the need for enhanced security measures. Agentic AI systems extend the capabilities of LLMs by adding memory, tool access, and task management, allowing them to operate more like intelligent agents than simple chatbots. Organizations must ensure security and oversight are essential to safe deployment. Gartner research indicates a significant portion of organizations plan to pursue agentic AI initiatives, making it crucial to address potential security risks associated with these systems. Recommended read:
References :
@The DefendOps Diaries
//
North Korean IT Scams Expand Into Europe - North Korean IT workers are expanding their remote work scams to Europe, exploiting job hiring sites and posing a cybersecurity threat to European businesses.
ImgSrc: thedefendopsdia
North Korean IT workers are expanding their remote work scams into Europe following increased crackdowns in the United States. Google security researchers have identified a shift in focus towards European companies, with these North Korean operatives attempting to secure remote IT positions using fabricated identities and credentials. The workers are reportedly targeting organizations in Germany, Portugal, and the United Kingdom, and may use AI-generated profile photos to enhance their credibility during video interviews.
This expansion poses a growing cybersecurity threat to European businesses. The IT workers often claim to be based in other countries, connecting via laptop farms to fraudulently secure remote freelance IT positions. Once inside a company, they may engage in cyber espionage and data theft to generate revenue for the North Korean government, including its weapons development programs. Over the last 30 days, nearly 24,000 unique IP addresses have attempted to access European portals, potentially as a precursor to targeted exploitation, highlighting the scale and coordinated nature of this operation. Recommended read:
References :
Matt Kapko@CyberScoop
//
References:
Threats | CyberScoop
, SiliconANGLE
,
A new report from Cisco Talos reveals that identity-based attacks were the dominant form of cyber incident in 2024, accounting for 60% of all incidents. Cybercriminals are increasingly relying on compromised user accounts and credentials rather than sophisticated malware or zero-day exploits. This shift highlights a significant weakness in enterprise security, with attackers finding it easier and safer to log in using stolen credentials than to deploy more complex attack methods. These attacks targeted Active Directory in 44% of cases and leveraged cloud application programming interfaces in 20% of attacks.
This trend is further exacerbated by weaknesses in multi-factor authentication (MFA). Common MFA failures observed included the absence of MFA on virtual private networks, MFA exhaustion/push fatigue, and improper enrollment monitoring. The primary motivations behind these identity-based attacks were ransomware (50%), credential harvesting and resale (32%), espionage (10%), and financial fraud (8%). These incidents underscore the critical need for organizations to bolster their identity and access management strategies, including stronger password policies, robust MFA implementations, and enhanced monitoring of Active Directory environments. Recommended read:
References :
Dissent@DataBreaches.Net
//
References:
DataBreaches.Net
, The Register - Security
,
A former GCHQ intern, Hasaan Arshad, has pleaded guilty to violating the Computer Misuse Act by transferring top-secret data from a secure GCHQ computer to his work phone. He then moved the data to a personal hard drive connected to his home PC. Arshad admitted to the unauthorized acts, which prosecutors say involved a "top secret" tool worth millions of pounds. The tool was developed using a "significant amount" of taxpayer money.
Arshad, a student at the University of Manchester, was arrested and his home searched in September 2022. While he claimed his actions stemmed from curiosity and a desire to further develop the software, the incident underscores the risk of insider threats. Cybersecurity experts highlight the need for organizations to implement strict access controls, restrict removable media, and manage mobile device capabilities in sensitive areas to prevent such breaches. Recommended read:
References :
@upguard.com
//
API Security Firm APIsec Exposes Customer Data - API security testing firm APIsec exposed an internal database to the internet without a password, potentially compromising customer data.
ImgSrc: cdn.prod.websit
API security testing firm APIsec exposed an internal database to the internet without a password, potentially compromising customer data. The database contained customer info and other data generated while monitoring customer APIs for security weaknesses, according to researchers at UpGuard, who discovered the exposed database on March 5th, 2025. UpGuard notified APIsec, and the database was secured the same day. APIsec claims to be used by 80% of the Fortune 100.
The exposed Elasticsearch database contained over three terabytes of data, including configuration information for private scanning instances, results of API scans for customers’ endpoints, and personal information for users collected during scanning. This data provided extensive information about the attack surfaces of APIsec's customers. The database contained indices for executing the APIsec test suites against customer APIs and storing the results, with data spanning from 2018 to 2025. The APIsec platform helps companies secure their APIs by running tests for common weaknesses. The exposed data included information about which tests were being performed, allowing attackers to potentially look for issues not being tested. The index "fx-accounts" included usernames and credentials for services like AWS, Slack, and GitHub. The index "fx-clusters" contained configuration data for APIsec scanning instances, some of which contained the same AWS access key as the record in "fx-accounts." Recommended read:
References :
|
