@The DefendOps Diaries
//
A new version of the Triada trojan has been discovered preinstalled on thousands of new Android devices, raising significant cybersecurity concerns. This sophisticated malware, initially identified in 2016, has evolved to embed itself deeply into the Android system framework, making it difficult for users to detect or remove. Discovered on counterfeit versions of popular smartphone models sold at discounted prices through online stores, Triada poses a severe threat as it can steal user data immediately after device setup.
Triada's capabilities include stealing user data, such as social media and messenger accounts, and manipulating cryptocurrency transactions by replacing wallet addresses. The malware can also falsify caller IDs, monitor browser activity, and even activate premium SMS services. Experts warn that this new version infiltrates the device at the firmware level, indicating a compromised supply chain and urging users to exercise caution and purchase Android devices from reputable sources.
@The DefendOps Diaries
//
A critical vulnerability, identified as CVE-2024-20439, has been discovered in the Cisco Smart Licensing Utility (CSLU), a Windows application used for managing licenses. This flaw exposes a built-in backdoor admin account due to an undocumented static user credential. Unauthenticated attackers are now actively exploiting this vulnerability to gain remote administrative access to unpatched systems through the CSLU app's API. Cisco has urged administrators to immediately apply the necessary patches to prevent unauthorized access and mitigate the risk.
The exploitation of CVE-2024-20439 allows attackers to bypass normal authentication procedures and gain control over the CSLU API. This provides them with the ability to manage services, extract sensitive data, and potentially move laterally within affected networks. The U.S. CISA has added this Cisco Smart Licensing Utility flaw to its Known Exploited Vulnerabilities catalog, highlighting the severity and active exploitation of this vulnerability. The vulnerability was first disclosed by Cisco in September 2024 and has since been actively exploited in the wild, raising significant concerns about network security.
Michael Kan@PCMag UK security
//
North Korean threat actors are expanding their IT worker scams to Europe, according to recent reports from Google's Threat Intelligence Group and other security researchers. These actors, posing as remote IT staff, are targeting companies in Germany, Portugal, and the UK, seeking employment in various sectors, including the defense industry and government. This shift comes after increased awareness and crackdowns in the United States made it more difficult for them to maintain employment there. The ultimate goal of this scheme is to generate revenue for the North Korean government, steal sensitive data, and potentially extort companies.
The North Korean IT workers use fabricated identities, claiming nationalities from countries such as Italy, Japan, Malaysia, Singapore, Ukraine, the US, and Vietnam. They often operate multiple personas simultaneously, with one individual found to have at least 12 identities across Europe and the US. To secure employment, they provide fake references, build rapport with recruiters, and even utilize online platforms like Upwork, Telegram, and Freelancer. Payments are typically facilitated through cryptocurrency to obfuscate the flow of funds back to North Korea. This sophisticated operation highlights the global reach and adaptability of North Korean cyber threat actors.
Matt Swayne@The Quantum Insider
//
References: The Quantum Insider
Recent developments highlight ongoing efforts to transition to quantum-safe cryptography. The UK's National Cyber Security Centre (NCSC) has provided a roadmap for post-quantum cryptography (PQC) migration, urging organizations to complete a discovery phase by 2028, high-priority migration activities by 2031, and full transition by 2035. This roadmap aligns with similar initiatives, such as the US focus on post-quantum cryptography, signaling a global push to mitigate the threat posed by future quantum computers. Unisys has also launched Post-Quantum Cryptography services to strengthen cybersecurity.
ETSI has launched a new post-quantum security standard designed to protect critical data from future quantum computing threats. The standard introduces Covercrypt, a hybrid encryption system that secures data by allowing only authorized users to access session keys based on specific user attributes, ensuring both current and future quantum-safe protection. Organizations are already adopting ETSI’s standard to enhance security infrastructure and comply with future-proof cryptographic requirements. Furthermore, OpenSSL 3.5 is integrating PQC methods.
Nazy Fouladirad@AI Accelerator Institute
//
References: hiddenlayer.com, AI Accelerator Institute
As generative AI adoption rapidly increases, securing investments in these technologies has become a paramount concern for organizations. Companies are beginning to understand the critical need to validate and secure the underlying large language models (LLMs) that power their Gen AI products. Failing to address these security vulnerabilities can expose systems to exploitation by malicious actors, emphasizing the importance of proactive security measures.
Microsoft is addressing these concerns through innovations in Microsoft Purview, which offers a comprehensive set of solutions aimed at helping customers seamlessly secure and confidently activate data in the AI era. Complementing these efforts, Fiddler AI is focusing on building trust into AI systems through its AI Observability platform, which emphasizes explainability and transparency. The company helps enterprise AI teams deliver responsible AI applications and ensure that people interacting with AI receive fair, safe, and trustworthy responses. This involves continuous monitoring, robust security measures, and strong governance practices to establish long-term responsible AI strategies across all products.
The emergence of agentic AI, which can plan, reason, and take autonomous action to achieve complex goals, further underscores the need for enhanced security measures. Agentic AI systems extend the capabilities of LLMs by adding memory, tool access, and task management, allowing them to operate more like intelligent agents than simple chatbots. Organizations must treat security and oversight as essential to safe deployment. Gartner research indicates a significant portion of organizations plan to pursue agentic AI initiatives, making it crucial to address potential security risks associated with these systems.
@The GreyNoise Blog
//
Cybersecurity researchers have issued a warning about a significant surge in suspicious login scanning activity targeting Palo Alto Networks PAN-OS GlobalProtect gateways. Nearly 24,000 unique IP addresses have been observed attempting to access these portals, raising concerns among experts. The activity is suspected to be a coordinated effort aimed at identifying exposed or vulnerable systems, potentially as a precursor to targeted exploitation. GreyNoise, a threat intelligence firm, has indicated that this pattern suggests a systematic probing of network defenses.
The surge reportedly began on March 17, 2025, with the number of unique IP addresses involved peaking at nearly 20,000 per day before tapering off around March 26. Of the total IPs involved, a smaller subset of 154 have been flagged as malicious. The United States and Canada have been identified as the primary sources of the traffic, while systems in the United States, the United Kingdom, Ireland, Russia, and Singapore are the main targets. Organizations using Palo Alto Networks products are urged to take immediate steps to secure their login portals.
Pierluigi Paganini@Security Affairs
//
Apple has released security updates to address actively exploited zero-day vulnerabilities impacting older iPhones and Macs. The patches aim to fix flaws that could allow malicious actors to elevate privileges or execute arbitrary code on affected devices. These updates address CVE-2025-24200, CVE-2025-24201, and CVE-2025-24085, and are now available for iOS 15.8.4, iPadOS 15.8.4, iOS 16.7.11, iPadOS 16.7.11, macOS Sonoma 14.7.5, and macOS Ventura 13.7.5.
The vulnerabilities include a use-after-free bug in the Core Media component (CVE-2025-24085), an authorization issue in the Accessibility component (CVE-2025-24200), and an out-of-bounds write issue in the WebKit component (CVE-2025-24201). Apple addressed the flaw in iOS 18.3.1, iPadOS 18.3.1, and 17.7.5, released on February 10, 2025. CVE-2025-24200 specifically allowed attackers with physical access to locked devices to disable USB Restricted Mode. Users of older devices, including iPhone 6s, iPhone 7, iPhone 8, iPhone X, iPad Air 2, and various iPad Pro models, are urged to update their systems to safeguard against potential threats.
@The DefendOps Diaries
//
A critical authentication bypass vulnerability, identified as CVE-2025-2825, is actively being exploited in CrushFTP file transfer software. Attackers are leveraging publicly available proof-of-concept code to gain unauthenticated access to unpatched devices. The flaw affects CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0, with security analysts confirming that a significant number of instances remain unpatched despite the availability of patches since March 26, 2025. Project Discovery has published a technical write-up and PoC for the bypass.
The vulnerability stems from improper handling of HTTP requests utilizing S3-style authorization headers. Attackers can craft malicious AWS S3-style authorization headers containing a valid username, bypassing password verification. Once access is gained, attackers can execute administrative commands, download sensitive files, create new administrator accounts, and upload malicious payloads, potentially leading to complete system compromise. CrushFTP has addressed this in version 11.3.1 by introducing a new security parameter, s3_auth_lookup_password_supported, set to false by default.
Dissent@DataBreaches.Net
//
References: DataBreaches.Net, The Register - Security
A former GCHQ intern, Hasaan Arshad, has pleaded guilty to violating the Computer Misuse Act by transferring top-secret data from a secure GCHQ computer to his work phone. He then moved the data to a personal hard drive connected to his home PC. Arshad admitted to the unauthorized acts, which prosecutors say involved a "top secret" tool worth millions of pounds. The tool was developed using a "significant amount" of taxpayer money.
Arshad, a student at the University of Manchester, was arrested and his home searched in September 2022. While he claimed his actions stemmed from curiosity and a desire to further develop the software, the incident underscores the risk of insider threats. Cybersecurity experts highlight the need for organizations to implement strict access controls, restrict removable media, and manage mobile device capabilities in sensitive areas to prevent such breaches.
Microsoft Threat@Microsoft Security Blog
//
Microsoft has uncovered 20 previously unknown vulnerabilities in the GRUB2, U-Boot, and Barebox open-source bootloaders using its AI-powered Security Copilot. These bootloaders are critical components, with GRUB2 commonly used in Linux distributions like Ubuntu, and U-Boot and Barebox prevalent in embedded and IoT devices. The identified vulnerabilities include integer and buffer overflows in filesystem parsers, command flaws, and a side-channel in cryptographic comparison, potentially enabling threat actors to gain control and execute arbitrary code.
Water Gamayun, a suspected Russian hacking group, has been linked to the exploitation of CVE-2025-26633 (MSC EvilTwin) to deploy SilentPrism and DarkWisp. The group uses malicious provisioning packages, signed .msi files, and Windows MSC files to deliver information stealers and backdoors. These backdoors, SilentPrism and DarkWisp, enable persistence, system reconnaissance, data exfiltration, and remote command execution. The threat actors transitioned to their own infrastructure for staging and command-and-control purposes after using a GitHub repository to push various kinds of malware families.
@upguard.com
//
API security testing firm APIsec exposed an internal database to the internet without a password, potentially compromising customer data. The database contained customer info and other data generated while monitoring customer APIs for security weaknesses, according to researchers at UpGuard, who discovered the exposed database on March 5th, 2025. UpGuard notified APIsec, and the database was secured the same day. APIsec claims to be used by 80% of the Fortune 100.
The exposed Elasticsearch database contained over three terabytes of data, including configuration information for private scanning instances, results of API scans for customers’ endpoints, and personal information for users collected during scanning. This data provided extensive information about the attack surfaces of APIsec's customers. The database contained indices for executing the APIsec test suites against customer APIs and storing the results, with data spanning from 2018 to 2025. The APIsec platform helps companies secure their APIs by running tests for common weaknesses. The exposed data included information about which tests were being performed, allowing attackers to potentially look for issues not being tested. The index "fx-accounts" included usernames and credentials for services like AWS, Slack, and GitHub. The index "fx-clusters" contained configuration data for APIsec scanning instances, some of which contained the same AWS access key as the record in "fx-accounts."
do son@securityonline.info
//
References: securityonline.info, Cyber Security News
Russia-aligned cyber threat groups UAC-0050 and UAC-0006 are actively using bulletproof hosting infrastructures to conduct cyberattacks globally. These networks, often obscured by offshore shell companies, provide a shield for malicious activities including espionage, financial theft, and psychological operations. Intrinsec analysts have uncovered campaigns blending cyber espionage, financial theft, and psychological warfare, primarily targeting Ukraine and its allies with tactics like bomb threats and fake banking transactions.
These threat groups heavily rely on bulletproof hosting providers to evade detection. Entities like Global Connectivity Solutions LLP and Railnet LLC act as legal fronts, using offshore shell companies in jurisdictions like Seychelles to make attribution and legal action difficult. This infrastructure also supports ransomware groups like Black Basta and RansomHub and involves frequent IP migrations across autonomous systems, further complicating efforts to block malicious activities. UAC-0050 has also engaged in psychological operations, such as sending bomb threats to Ukrainian institutions under the guise of the "Fire Cells Group."
do son@securityonline.info
//
Cybersecurity analysts have uncovered a sophisticated campaign exploiting a fake Zoom installer to deliver BlackSuit ransomware across Windows-based systems. The attack, beginning with a malicious download from a website mimicking the teleconferencing application Zoom, lures unsuspecting victims into installing malware capable of crippling entire networks. When the victim clicked the “Download” button, they unknowingly triggered a chain reaction of events.
The fake installer, crafted with Inno Setup, hides the d3f@ckloader, a Pascal-based loader. After gaining initial access, the attackers deploy Brute Ratel and Cobalt Strike for lateral movement, using QDoor to facilitate RDP access. After 9 days, they deploy the BlackSuit ransomware across the network, deleting Volume Shadow Copies to hinder data recovery efforts before encrypting files and dropping ransom notes. The attackers also used WinRAR to compress file share data and uploaded the archives to Bublup, a cloud storage service for data exfiltration.
info@thehackernews.com (The Hacker News)@The Hacker News
//
Security researchers have uncovered a rise in hackers exploiting WordPress mu-plugins to inject malicious code. The mu-plugins directory, designed for automatically loading essential plugins, is being used to conceal malware, enabling persistent remote access and site redirection. Because these plugins are automatically enabled and not visible in the standard WordPress plugin interface, attackers can maintain a stealthy foothold, bypassing typical security checks. This allows them to inject spam, hijack site images, and maintain long-term control over compromised sites.
Researchers at Sucuri have identified three distinct types of malicious code being deployed. One variant redirects site visitors to external malicious websites, often disguised as browser updates serving malware. Another executes a webshell, providing attackers with remote code execution capabilities. The third injects spam onto the website, replacing images with explicit content and hijacking outbound links to malicious popups. The goal of this spam injection is often to promote scams or manipulate SEO rankings. These tactics are used to target website visitors while evading detection by search engines and administrators. Website administrators are advised to include the mu-plugins directory in their regular security scans to detect and remove any unrecognized or suspicious files. Security experts recommend ensuring WordPress, plugins, and themes are updated and employing strong passwords with two-factor authentication. If a compromise is suspected, all unauthorized admin accounts and malicious files should be removed to prevent reinfection. These measures are crucial to securing WordPress sites against this evolving threat.
Lenart Bermejo@feeds.feedburner.com
//
Earth Alux, a China-linked advanced persistent threat (APT) group, has been identified launching cyberespionage attacks aimed at critical industries. Since the second quarter of 2023, this group has been targeting organizations in the Asia-Pacific (APAC) and Latin American regions, with a focus on sectors including government, technology, logistics, manufacturing, telecommunications, IT services, and retail. Trend Micro's monitoring and investigation efforts have uncloaked the group's stealthy activities and advanced techniques, highlighting the significant risk they pose to sensitive data and operational continuity.
Earth Alux primarily employs the VARGEIT malware as its main backdoor and control tool. VARGEIT is utilized at multiple stages of an attack to maintain persistence, collect data, and execute malicious operations. The malware operates as a multi-channel configurable backdoor with capabilities such as drive information collection, process monitoring, file manipulation, and command line execution. It can also inject additional tools into processes like mspaint.exe for fileless operations, making detection challenging. The group uses sophisticated techniques, including DLL sideloading, timestomping, and encrypted communication channels, to ensure stealth and evade conventional security systems.
Pierluigi Paganini@Security Affairs
//
Sam's Club, the membership warehouse club chain owned by Walmart, is currently investigating claims of a Clop ransomware breach. The Clop ransomware group has reportedly taken responsibility for the alleged security incident. The investigation aims to determine the scope and nature of the potential data compromise, with Sam's Club stating they are actively looking into the matter.
The alleged breach is tied to the Clop ransomware operation's exploitation of vulnerabilities in Cleo file transfer software. Cybernews reports that Sam's Club is among the numerous organizations purportedly affected. Sam's Club has acknowledged the situation and initiated an internal investigation, though specific details regarding the alleged compromise remain limited. The company has affirmed its commitment to protecting the privacy and security of its members' information.
@www.infosecurity-magazine.com
//
Cybersecurity researchers are raising concerns about a new sophisticated malware loader called CoffeeLoader, designed to stealthily download and execute secondary payloads while evading detection. The malware, first observed around September 2024, shares behavioral similarities with SmokeLoader, another known malware loader. CoffeeLoader employs a variety of techniques to bypass security solutions, including a specialized packer that utilizes the GPU, call stack spoofing, sleep obfuscation, and the use of Windows fibers.
CoffeeLoader's infection sequence starts with a dropper that attempts to execute a DLL payload packed by Armoury, impersonating ASUS's Armoury Crate utility. The malware establishes persistence by creating scheduled tasks and uses call stack spoofing and sleep obfuscation to evade antivirus and EDR solutions. Upon successful connection to a command-and-control server, CoffeeLoader receives commands to inject and execute Rhadamanthys shellcode, highlighting the potential for significant harm. While there are notable similarities between CoffeeLoader and SmokeLoader, researchers are still determining the exact relationship between the two malware families.