CyberSecurity news


Pierluigi Paganini@Security Affairs //
Apple has released security updates to address actively exploited zero-day vulnerabilities impacting older iPhones and Macs. The patches aim to fix flaws that could allow malicious actors to elevate privileges or execute arbitrary code on affected devices. These updates address CVE-2025-24200, CVE-2025-24201, and CVE-2025-24085, and are now available for iOS 15.8.4, iPadOS 15.8.4, iOS 16.7.11, iPadOS 16.7.11, macOS Sonoma 14.7.5, and macOS Ventura 13.7.5.

The vulnerabilities include a use-after-free bug in the Core Media component (CVE-2025-24085), an authorization issue in the Accessibility component (CVE-2025-24200), and an out-of-bounds write issue in the WebKit component (CVE-2025-24201). Apple first addressed CVE-2025-24200, which allowed attackers with physical access to a locked device to disable USB Restricted Mode, in iOS 18.3.1, iPadOS 18.3.1, and iPadOS 17.7.5, released on February 10, 2025. Users of older devices, including iPhone 6s, iPhone 7, iPhone 8, iPhone X, iPad Air 2, and various iPad Pro models, are urged to update their systems to safeguard against potential threats.

Recommended read:
References :
  • bsky.app: EMERGENCY UPDATES Apple pushed additional updates for 3 zero-days that may have been actively exploited. CVE-2025-24200 (Accessibility) additional patches, CVE-2025-24201 (WebKit) additional patches: - iOS and iPadOS 15.8.4 - iOS and iPadOS 16.7.11
  • CyberInsider: Apple has issued a wide set of security updates, patching multiple zero-day vulnerabilities across its operating systems — including iOS, macOS, iPadOS, and Safari — and notably extended critical fixes to older software versions, addressing previously exploited flaws.
  • isc.sans.edu: Apple Patches Everything: March 31st 2025 Edition, (Mon, Mar 31st)
  • The Apple Post: Apple releases iOS 18.4 with Priority Notifications feature, Control Center updates, new emoji, more
  • bsky.app: NEW SECURITY CONTENT - macOS Sequoia 15.4 - 131 bugs fixed macOS Sonoma 14.7.5 - 91 bugs fixed macOS Ventura 13.7.5 - 85 bugs fixed iOS and iPadOS 18.4 - 62 bugs fixed visionOS 2.4 - 38 bugs fixed iPadOS 17.7.6 - 38 bugs fixed tvOS 18.4 - 36 bugs fixed
  • securityaffairs.com: Apple has backported fixes for three actively exploited vulnerabilities to older devices and OS versions.
  • The Hacker News: Apple Backports Critical Fixes for 3 Recent 0-Days Impacting Older iOS and macOS Devices
  • BleepingComputer: Apple backports zero-day patches to older iPhones and Macs
  • The Register - Security: Apple belatedly patches actively exploited bugs in older OSes
  • thecyberexpress.com: Apple Backports Zero-Day Patches to Older Devices in Latest Security Update

Jane McCallion@itpro.com //
The Wikimedia Foundation, which oversees Wikipedia, is facing a surge in bandwidth usage due to AI bots scraping the site for data to train AI models. Representatives from the Wikimedia Foundation have stated that since January 2024, the bandwidth used for downloading multimedia content has increased by 50%. This increase is not attributed to human readers, but rather to automated programs that are scraping the Wikimedia Commons image catalog of openly licensed images.

This unprecedented level of bot traffic is straining Wikipedia's infrastructure and increasing costs. The Wikimedia Foundation has found that at least 65% of the resource-consuming traffic to the website is coming from bots, even though bots only account for about 35% of overall page views. This is because bots often gather data from less popular articles, which requires fetching content from the core data center, consuming more computing resources. In response, Wikipedia’s site managers have begun imposing rate limits or banning offending AI crawlers.


@The DefendOps Diaries //
A vulnerability in Verizon's Call Filter feature exposed customers' incoming call history, allowing unauthorized access to call logs. Security researcher Evan Connelly discovered the flaw in the Verizon Call Filter iOS app, revealing that it was possible to access the incoming call logs for any Verizon Wireless number through an unsecured API request. The vulnerability was reported to Verizon on February 22, 2025, and acknowledged by the company two days later. The flaw was subsequently fixed by March 25, 2025.

The vulnerability was rooted in the backend API used by the Verizon Call Filter app, which failed to verify that the phone number requested for call history matched the authenticated user’s number. An attacker with a valid JSON Web Token (JWT) could manipulate the request header and retrieve call logs for any Verizon customer. This oversight allowed modification of the phone number being sent, and data could be received back for Verizon numbers not associated with the signed-in user, raising significant privacy and safety concerns for Verizon Wireless customers.
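The missing ownership check described above, as an added example that is not Verizon's code: a minimal HS256 token issuer and verifier, the flawed handler (token must be valid, but the number whose logs are returned comes from a request header and is never tied to the token's subject), and the hardened handler (the requested number must equal the token's `sub` claim). The header names, claim layout, signing key and call-log store are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo data: call logs keyed by subscriber number (not real numbers).
CALL_LOGS = {
    "+15550001111": [{"from": "+15550009999", "at": "2025-03-01T10:00:00Z"}],
    "+15550002222": [{"from": "+15550008888", "at": "2025-03-01T11:30:00Z"}],
}
SECRET = b"constructed-demo-hs256-key"  # hypothetical server-side signing key


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(phone: str) -> str:
    """Mint an HS256 JWT whose 'sub' claim is the authenticated subscriber's number."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": phone}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str) -> dict:
    """Check the HS256 signature and return the claims; raise PermissionError otherwise."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            raise PermissionError("bad signature")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            raise PermissionError("unexpected alg")
        return json.loads(_b64url_decode(payload))
    except ValueError as exc:  # bad split, base64 or JSON: treat as a forged token
        raise PermissionError("malformed token") from exc


def _bearer(headers: dict) -> str:
    return headers.get("Authorization", "").split(" ", 1)[-1]


def call_history_vulnerable(headers: dict) -> tuple:
    """Flawed pattern: the token must be valid, but the number whose logs are
    returned comes from a header and is never compared to the token's subject."""
    try:
        verify_token(_bearer(headers))
    except PermissionError:
        return 401, []
    return 200, CALL_LOGS.get(headers.get("X-Phone-Number", ""), [])


def call_history_fixed(headers: dict) -> tuple:
    """Hardened: the requested number must equal the subject of the verified token."""
    try:
        claims = verify_token(_bearer(headers))
    except PermissionError:
        return 401, []
    requested = headers.get("X-Phone-Number", "")
    if requested != claims.get("sub"):
        return 403, []  # authenticated, but not this subscriber's data
    return 200, CALL_LOGS.get(requested, [])
```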

Recommended read:
References :
  • bsky.app: A vulnerability in Verizon's Call Filter feature allowed customers to access the incoming call logs for another Verizon Wireless number through an unsecured API request.
  • The DefendOps Diaries: Understanding the Verizon Call Filter API Vulnerability
  • BleepingComputer: Verizon Call Filter API flaw exposed customers' incoming call history
  • DataBreaches.Net: Security researcher Evan Connelly recently identified a security vulnerability in the Verizon Call Filter iOS app which made it possible for a malicious actor to leak call history logs of Verizon Wireless customers.
  • securityonline.info: Verizon Call Filter App Vulnerability Exposed Call Records of Millions
  • CyberInsider: Verizon Call Filter App Flaw Exposed Call Logs of Millions of Customers

Pierluigi Paganini@securityaffairs.com //
CISA has added a new Apache Tomcat vulnerability, identified as CVE-2025-24813, to its Known Exploited Vulnerabilities (KEV) catalog. This action follows evidence that the flaw is being actively exploited in the wild, posing a significant risk to organizations utilizing affected versions of Apache Tomcat. The vulnerability is a path equivalence issue within Apache Tomcat.

To mitigate the risk posed by CVE-2025-24813, impacted users are urged to upgrade their Apache Tomcat installations to the latest secure versions. Specifically, upgrades to Apache Tomcat 11.0.3 or later, Apache Tomcat 10.1.35 or later, or Apache Tomcat 9.0.99 or later are recommended. The advisory also includes IPS protection measures to detect and block potential attack attempts targeting this vulnerability affecting the Apache Tomcat web server.


Waqas@hackread.com //
Royal Mail is currently investigating a data breach after a threat actor leaked over 144GB of data allegedly stolen from its systems. The breach is believed to have originated from a compromise at Spectos GmbH, a third-party data collection and analytics service provider for Royal Mail. The leaked data includes sensitive information such as customer personally identifiable information (PII), internal communications including Zoom meeting recordings, operational data like delivery routes, and marketing infrastructure data including Mailchimp mailing lists.

The investigation is ongoing to determine the full extent of the breach and its potential impact. Royal Mail has stated that there is currently no impact on operations. The incident serves as a stark reminder of the vulnerabilities inherent in modern supply chains and the critical need for robust vendor management and security protocols. The breach highlights the potential for identity theft, phishing attacks, and reputational damage arising from compromised vendor access.

Recommended read:
References :
  • CyberInsider: Royal Mail Group Breach Exposes 144GB of Sensitive Customer Data
  • hackread.com: Hacker leaks 144GB of sensitive Royal Mail Group data, including customer info and internal files, claiming access came via supplier Spectos. Investigation underway!
  • The DefendOps Diaries: Explore the Royal Mail data breach and learn vital lessons in supply chain security and vendor management.
  • bsky.app: Royal Mail is investigating claims of a security breach after a threat actor leaked over 144GB of data allegedly stolen from the company's systems.
  • BleepingComputer: Royal Mail investigates data leak claims, no impact on operations
  • www.scworld.com: Massive Royal Mail breach alleged by threat actors
  • The Register - Security: Hacker leaks 144GB of sensitive Royal Mail Group data.
  • www.cysecurity.news: Royal Mail experienced a major security breach in which 144GB of sensitive data was leaked to the public.
  • Royal Mail Investigates Data Breach Affecting Supplier

SC Staff@scmagazine.com //
An ongoing cryptomining campaign, attributed to the threat actor JINX-0126, has successfully compromised over 1,500 internet-exposed PostgreSQL servers. Attackers are exploiting instances with weak credentials, allowing them to deploy XMRig-C3 cryptocurrency miners using fileless techniques. This campaign is an evolution of the PG_MEM malware activity, initially detected in August, and demonstrates sophisticated evasion tactics. These include deploying binaries with unique hashes per target and executing the miner payload filelessly.

Cloud security firm Wiz has identified that attackers are abusing the SQL command COPY ... FROM PROGRAM to execute arbitrary shell commands. Once authenticated, attackers conduct reconnaissance, deploy a shell script to eliminate competing cryptominers, and deliver the pg_core binary. A Golang binary called "postmaster" is also downloaded, enabling persistence, privilege escalation, and the execution of a new XMRig cryptominer variant, highlighting the risks of weak PostgreSQL configurations in cloud environments. This campaign could have leveraged over 1,500 compromised machines.
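Detection logic for the COPY ... FROM PROGRAM abuse described above, as an added example that is not from Wiz or the PostgreSQL project: it parses PostgreSQL statement-log lines and flags any COPY that hands a shell command to the server, including lowercase and comment-obfuscated forms and the TO PROGRAM direction. It assumes log_statement = 'all' (or duration logging) with the default stderr line layout; the sample lines are constructed.

```python
import re

# Constructed sample of a PostgreSQL stderr log with log_statement = 'all'.
# Three of these statements hand a command to the server and should be flagged.
SAMPLE_LOG = """\
2025-03-29 02:14:07 UTC [8812] postgres@postgres LOG:  statement: SELECT version();
2025-03-29 02:14:09 UTC [8812] postgres@postgres LOG:  statement: COPY t FROM '/tmp/data.csv';
2025-03-29 02:14:11 UTC [8812] postgres@postgres LOG:  statement: copy cmd_out from program 'id';
2025-03-29 02:14:13 UTC [8812] postgres@postgres LOG:  statement: COPY /*x*/ cmd_out FROM /*y*/ PROGRAM 'uname -a';
2025-03-29 02:14:15 UTC [8813] app@inventory LOG:  statement: COPY orders TO STDOUT;
2025-03-29 02:14:17 UTC [8812] postgres@postgres LOG:  duration: 3.102 ms  statement: COPY x TO PROGRAM 'cat > /tmp/x';
"""

# Default-style record: timestamp, [pid], user@db, LOG, optional duration, statement.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) LOG:\s+"
    r"(?:duration: [\d.]+ ms\s+)?statement: (?P<sql>.*)$"
)
# COPY ... FROM PROGRAM reads a command's output; COPY ... TO PROGRAM pipes rows into
# a command. Either direction runs the command on the database host.
PROGRAM_RE = re.compile(r"\bCOPY\b.*?\b(?P<dir>FROM|TO)\s+PROGRAM\b", re.I | re.S)


def _strip_sql_comments(sql: str) -> str:
    """Remove /* */ and -- comments so they cannot split the FROM PROGRAM keywords."""
    sql = re.sub(r"/\*.*?\*/", " ", sql, flags=re.S)
    return re.sub(r"--[^\n]*", " ", sql)


def scan_postgres_log(text: str) -> list:
    """Return one finding per logged statement that invokes COPY ... PROGRAM."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        hit = PROGRAM_RE.search(_strip_sql_comments(m["sql"]))
        if hit:
            findings.append({
                "ts": m["ts"], "pid": m["pid"], "user": m["user"], "db": m["db"],
                "direction": hit["dir"].upper(), "sql": m["sql"].strip(),
            })
    return findings


if __name__ == "__main__":
    for f in scan_postgres_log(SAMPLE_LOG):
        print(f"{f['ts']} pid={f['pid']} {f['user']}@{f['db']} "
              f"COPY {f['direction']} PROGRAM: {f['sql']}")
```

Only superusers and members of pg_execute_server_program can run COPY ... PROGRAM, so a finding for any role that is not expected to hold that privilege is a high-signal alert.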

Recommended read:
References :
  • gbhackers.com: A sophisticated malware campaign has compromised over 1,500 PostgreSQL servers, leveraging fileless techniques to deploy cryptomining payloads.
  • The Hacker News: Over 1,500 PostgreSQL Servers Compromised in Fileless Cryptocurrency Mining Campaign
  • www.scworld.com: More than 1,500 internet-exposed PostgreSQL instances have been compromised with cryptocurrency mining malware as part of an ongoing JINX-0126 attack campaign, which is an evolution of PG_MEM malware activity initially detected by Aqua Security in August, The Hacker News reports.
  • Wiz Blog | RSS feed: Cloud environments at risk: Attackers target weak PostgreSQL instances with fileless cryptominer payloads.
  • securityonline.info: PostgreSQL Servers Hacked: 1,500+ Cloud Systems Mining Crypto via CPU_HU
  • Security Risk Advisors: CPU_HU Fileless Cryptominer Targets PostgreSQL Servers, Affects Over 1,500 Victims

@The DefendOps Diaries //
A new version of the Triada trojan has been discovered preinstalled on thousands of new Android devices, raising significant cybersecurity concerns. This sophisticated malware, initially identified in 2016, has evolved to embed itself deeply into the Android system framework, making it difficult for users to detect or remove. Discovered on counterfeit versions of popular smartphone models sold at discounted prices through online stores, Triada poses a severe threat as it can steal user data immediately after device setup.

Triada's capabilities include stealing user data, such as social media and messenger accounts, and manipulating cryptocurrency transactions by replacing wallet addresses. The malware can also falsify caller IDs, monitor browser activity, and even activate premium SMS services. Experts warn that this new version infiltrates the device at the firmware level, indicating a compromised supply chain and urging users to exercise caution and purchase Android devices from reputable sources.

Recommended read:
References :
  • bsky.app: A new version of the Triada trojan has been discovered preinstalled on thousands of new Android devices, allowing threat actors to steal data as soon as they are set up.
  • BleepingComputer: A new version of the Triada trojan has been discovered preinstalled on thousands of new Android devices, allowing threat actors to steal data as soon as they are set up.
  • The DefendOps Diaries: Explore the threat of Triada malware in counterfeit Android devices and learn how to protect against this sophisticated cyber threat.
  • www.it-daily.net: Triada Trojan discovered on counterfeit Android smartphones
  • PCMag UK security: Counterfeit Android Phones Preloaded With a Special Surprise: Malware
  • Sam Bent: Triada Malware Preloaded on Counterfeit Androids Hijacks 2,600+ Devices for Crypto Theft and Espionage
  • www.scworld.com: Updated Triada trojan compromises thousands of Android devices
  • securityaffairs.com: New Triada Trojan comes preinstalled on Android devices

@The DefendOps Diaries //
A critical vulnerability, identified as CVE-2024-20439, has been discovered in the Cisco Smart Licensing Utility (CSLU), a Windows application used for managing licenses. This flaw exposes a built-in backdoor admin account due to an undocumented static user credential. Unauthenticated attackers are now actively exploiting this vulnerability to gain remote administrative access to unpatched systems through the CSLU app's API. Cisco has urged administrators to immediately apply the necessary patches to prevent unauthorized access and mitigate the risk.

The exploitation of CVE-2024-20439 allows attackers to bypass normal authentication procedures and gain control over the CSLU API. This provides them with the ability to manage services, extract sensitive data, and potentially move laterally within affected networks. The U.S. CISA has added this Cisco Smart Licensing Utility flaw to its Known Exploited Vulnerabilities catalog, highlighting the severity and active exploitation of this vulnerability. The vulnerability was first disclosed by Cisco in September 2024 and has since been actively exploited in the wild, raising significant concerns about network security.

Recommended read:
References :
  • bsky.app: Cisco warns admins to patch a critical Cisco Smart Licensing Utility (CSLU) vulnerability, which exposes a built-in backdoor admin account now used in attacks.
  • BleepingComputer: Cisco warns admins to patch a critical Cisco Smart Licensing Utility (CSLU) vulnerability, which exposes a built-in backdoor admin account now used in attacks.
  • The DefendOps Diaries: Explore the critical Cisco Smart Licensing Utility vulnerability and learn mitigation strategies to protect your network.
  • Cyber Security News: Cisco Smart Licensing Utility Vulnerabilities Let Attackers Gain Admin Access
  • gbhackers.com: Cisco Smart Licensing Utility Flaws Allowed Attackers to Gain Admin Access
  • securityonline.info: CISA Warns of Active Exploitation of Cisco Smart Licensing Utility Flaw

Nazy Fouladirad@AI Accelerator Institute //
As generative AI adoption rapidly increases, securing investments in these technologies has become a paramount concern for organizations. Companies are beginning to understand the critical need to validate and secure the underlying large language models (LLMs) that power their Gen AI products. Failing to address these security vulnerabilities can expose systems to exploitation by malicious actors, emphasizing the importance of proactive security measures.

Microsoft is addressing these concerns through innovations in Microsoft Purview, which offers a comprehensive set of solutions aimed at helping customers seamlessly secure and confidently activate data in the AI era. Complementing these efforts, Fiddler AI is focusing on building trust into AI systems through its AI Observability platform. This platform emphasizes explainability and transparency. It helps enterprise AI teams deliver responsible AI applications and ensure that people interacting with AI receive fair, safe, and trustworthy responses. This involves continuous monitoring, robust security measures, and strong governance practices to establish long-term responsible AI strategies across all products.

The emergence of agentic AI, which can plan, reason, and take autonomous action to achieve complex goals, further underscores the need for enhanced security measures. Agentic AI systems extend the capabilities of LLMs by adding memory, tool access, and task management, allowing them to operate more like intelligent agents than simple chatbots. Security and oversight are therefore essential to safe deployment. Gartner research indicates a significant portion of organizations plan to pursue agentic AI initiatives, making it crucial to address potential security risks associated with these systems.


@The DefendOps Diaries //
North Korean IT workers are expanding their remote work scams into Europe following increased crackdowns in the United States. Google security researchers have identified a shift in focus towards European companies, with these North Korean operatives attempting to secure remote IT positions using fabricated identities and credentials. The workers are reportedly targeting organizations in Germany, Portugal, and the United Kingdom, and may use AI-generated profile photos to enhance their credibility during video interviews.

This expansion poses a growing cybersecurity threat to European businesses. The IT workers often claim to be based in other countries, connecting via laptop farms to fraudulently secure remote freelance IT positions. Once inside a company, they may engage in cyber espionage and data theft to generate revenue for the North Korean government, including its weapons development programs. Over the last 30 days, nearly 24,000 unique IP addresses have attempted to access European portals, potentially as a precursor to targeted exploitation, highlighting the scale and coordinated nature of this operation.

Recommended read:
References :
  • Risky Business Media: Risky Bulletin: North Korean IT worker scams expand to Europe
  • PCMag UK security: As US Cracks Down, North Koreans Target Europe With Remote Work Scams
  • The DefendOps Diaries: Explore the cybersecurity threat posed by North Korean IT workers infiltrating European companies using advanced tactics.
  • BleepingComputer: North Korea's IT workers have expanded operations beyond the United States and are now increasingly targeting organizations across Europe.
  • The Register - Security: North Korea’s fake tech workers now targeting European employers
  • www.it-daily.net: Fake IT employee from North Korea had 12 identities
  • North Korea's Fake IT Worker Scheme Sets Sights on Europe
  • www.itpro.com: Google warns that fake North Korean IT workers have expanded to Europe
  • Blog: North Korean IT operatives, often termed "IT warriors," have broadened their scope beyond the United States, now targeting companies across Europe, notably in Germany, Portugal, and the United Kingdom.
  • Help Net Security: North Korean IT workers are expanding their efforts beyond the US, and are seeking to fraudulently gain employment with organizations around the world, but most especially in Europe.
  • Security Risk Advisors: DPRK IT Workers Expand Global Operations with Focus on European Targets
  • Risky Business Media: Srsly Risky Biz: North Korean IT workers head to Europe

Matt Kapko@CyberScoop //
A new report from Cisco Talos reveals that identity-based attacks were the dominant form of cyber incident in 2024, accounting for 60% of all incidents. Cybercriminals are increasingly relying on compromised user accounts and credentials rather than sophisticated malware or zero-day exploits. This shift highlights a significant weakness in enterprise security, with attackers finding it easier and safer to log in using stolen credentials than to deploy more complex attack methods. These attacks targeted Active Directory in 44% of cases and leveraged cloud application programming interfaces in 20% of attacks.

This trend is further exacerbated by weaknesses in multi-factor authentication (MFA). Common MFA failures observed included the absence of MFA on virtual private networks, MFA exhaustion/push fatigue, and improper enrollment monitoring. The primary motivations behind these identity-based attacks were ransomware (50%), credential harvesting and resale (32%), espionage (10%), and financial fraud (8%). These incidents underscore the critical need for organizations to bolster their identity and access management strategies, including stronger password policies, robust MFA implementations, and enhanced monitoring of Active Directory environments.

Recommended read:
References :
  • Threats | CyberScoop: Identity lapses ensnared organizations at scale in 2024
  • SiliconANGLE: Cisco Talos report finds identity-based attacks drove majority of cyber incidents in 2024
  • www.scworld.com: Sixty percent of cybersecurity incidents around the world last year were identity-based intrusions, with identity targeting being prominent across all attack stages, SiliconAngle reports.

Dissent@DataBreaches.Net //
A former GCHQ intern, Hasaan Arshad, has pleaded guilty to violating the Computer Misuse Act by transferring top-secret data from a secure GCHQ computer to his work phone. He then moved the data to a personal hard drive connected to his home PC. Arshad admitted to the unauthorized acts, which prosecutors say involved a "top secret" tool worth millions of pounds. The tool was developed using a "significant amount" of taxpayer money.

Arshad, a student at the University of Manchester, was arrested and his home searched in September 2022. While he claimed his actions stemmed from curiosity and a desire to further develop the software, the incident underscores the risk of insider threats. Cybersecurity experts highlight the need for organizations to implement strict access controls, restrict removable media, and manage mobile device capabilities in sensitive areas to prevent such breaches.

Recommended read:
References :
  • DataBreaches.Net: Here’s today’s reminder of the insider threat (well, this, and the fact that U.S. government officials continue to deny any problem with discussing attack plans on Signal).
  • The Register - Security: Not exactly Snowden levels of skill. A student at Britain's top eavesdropping government agency has pleaded guilty to taking sensitive information home on the first day of his trial…
  • www.itpro.com: A former GCHQ intern has pleaded guilty to transferring data from a top-secret computer onto his work phone.

@upguard.com //
API security testing firm APIsec exposed an internal database to the internet without a password, potentially compromising customer data. The database contained customer info and other data generated while monitoring customer APIs for security weaknesses, according to researchers at UpGuard, who discovered the exposed database on March 5th, 2025. UpGuard notified APIsec, and the database was secured the same day. APIsec claims to be used by 80% of the Fortune 100.

The exposed Elasticsearch database contained over three terabytes of data, including configuration information for private scanning instances, results of API scans for customers’ endpoints, and personal information for users collected during scanning. This data provided extensive information about the attack surfaces of APIsec's customers. The database contained indices for executing the APIsec test suites against customer APIs and storing the results, with data spanning from 2018 to 2025.

The APIsec platform helps companies secure their APIs by running tests for common weaknesses. The exposed data included information about which tests were being performed, allowing attackers to potentially look for issues not being tested. The index "fx-accounts" included usernames and credentials for services like AWS, Slack, and GitHub. The index "fx-clusters" contained configuration data for APIsec scanning instances, some of which contained the same AWS access key as the record in "fx-accounts."

Recommended read:
References :
  • Zack Whittaker: New: API security testing firm APIsec exposed an internal database to the internet without a password. The database contained customer info and other data generated while monitoring customer APIs for security weaknesses, per researchers at UpGuard, which found it.
  • techcrunch.com: API testing firm APIsec exposed customer data during security lapse
  • www.upguard.com: Watching the Watcher: How a Security Company Leaked Customer Data | UpGuard
  • CyberInsider: Security Firm APIsec Exposed 3TB of Sensitive Customer Data