CyberSecurity news

David Jones@cybersecuritydive.com //
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning on April 17, 2025, regarding increased breach risks following a potential compromise of legacy Oracle Cloud servers. This alert comes in response to public reporting of alleged threat activity targeting Oracle customers, though the scope and impact of the activity are currently unconfirmed. CISA's guidance urges organizations and individuals to take immediate steps to secure their IT environments amid claims of a large trove of customer credentials being compromised. The agency is also asking organizations to come forward if they detect suspicious activity or other evidence of a compromise.

CISA is particularly concerned about situations where credential material may be exposed, reused across separate and unaffiliated systems, or embedded into applications and tools. Embedded credential material, which can be hardcoded into scripts, applications, infrastructure templates, or automation tools, is especially difficult to detect and can enable long-term unauthorized access if exposed. The compromise of credentials like usernames, emails, passwords, authentication tokens, and encryption keys can pose a significant risk to enterprise environments.

To mitigate these risks, CISA recommends organizations reset passwords for known affected users, especially those not federated through enterprise identity solutions. Additionally, they should review source code, infrastructure as code templates, automation scripts, and configuration files for hardcoded credentials, replacing them with secure authentication methods supported by centralized secret management. Monitoring authentication logs for anomalous activity, particularly using privileged, service, or federated identity accounts, is also crucial. Finally, CISA advises enforcing phishing-resistant multi-factor authentication for all user and administrator accounts whenever possible.

@securityonline.info //
Trend Micro has recently uncovered a state-sponsored backdoor known as BPFDoor, actively employed in cyberespionage campaigns across Asia and the Middle East. This stealthy malware is designed to target the telecommunications, finance, and retail sectors in countries including South Korea, Hong Kong, Myanmar, Malaysia, and Egypt. The discovery highlights the evolving sophistication of cyber threats and the increasing focus on strategic espionage by state-sponsored actors. BPFDoor leverages advanced techniques, including the use of Berkeley Packet Filtering (BPF), to remain undetected within compromised networks.

This previously undocumented controller associated with BPFDoor possesses the capability to open a reverse shell, enabling deeper infiltration into compromised networks. The controller relies on password-authenticated sessions and "magic sequences" within network packets to trigger actions on the infected machine. This sophisticated method allows attackers to move laterally across networks, gaining access to sensitive data and controlling additional systems. Trend Micro attributes this controller to Red Menshen, an advanced persistent threat (APT) group also known as Earth Bluecrow, underscoring the organized and well-resourced nature of the cyber espionage campaign.

BPFDoor's stealth capabilities are largely attributed to its use of Berkeley Packet Filtering (BPF), a technology that allows code execution within the operating system’s kernel virtual machine. By leveraging BPF’s packet filtering features, BPFDoor can inspect network packets at a very low level, enabling it to be activated by specific "magic sequences" within those packets. This method allows the backdoor to evade security measures. Defenders are advised to watch for TCP packets starting with 0x5293 followed by IP:port and password, as well as UDP/ICMP packets.
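As an added example (not code from Trend Micro's report or from the BPFDoor sample), the following Python parses raw IPv4/TCP frames and flags payloads that open with the 0x5293 marker the article names, so the check survives IP and TCP options that shift the payload offset. The frames are constructed here for illustration; the bytes after the marker (address, port, password) are treated as opaque and not decoded.

```python
import struct

# Two-byte marker that the article says opens BPFDoor's TCP trigger packets.
BPFDOOR_TCP_MAGIC = b"\x52\x93"
IPPROTO_TCP = 6


def tcp_payload(frame: bytes):
    """Return the TCP payload of a raw IPv4 frame, or None if it is not IPv4/TCP.

    Header lengths come from the IHL and TCP data-offset fields, so IP and TCP
    options do not move where the payload is expected to start.
    """
    if len(frame) < 20:
        return None
    version, ihl = frame[0] >> 4, (frame[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(frame) < ihl + 20:
        return None
    if frame[9] != IPPROTO_TCP:
        return None
    total_len = struct.unpack_from("!H", frame, 2)[0]
    data_off = (frame[ihl + 12] >> 4) * 4          # TCP header byte 12: offset in 32-bit words
    if data_off < 20 or total_len > len(frame) or ihl + data_off > total_len:
        return None
    return frame[ihl + data_off:total_len]


def is_bpfdoor_trigger(frame: bytes) -> bool:
    """True when the TCP payload starts with the 0x5293 marker."""
    payload = tcp_payload(frame)
    return payload is not None and payload.startswith(BPFDOOR_TCP_MAGIC)


def hunt(frames):
    """Indices of frames worth a closer look. A marker hit is a lead for analysts,
    not proof of compromise: any protocol could emit these two bytes first."""
    return [i for i, f in enumerate(frames) if is_bpfdoor_trigger(f)]


def build_ipv4_tcp(payload: bytes, proto: int = IPPROTO_TCP,
                   ip_opts: bytes = b"", tcp_opts: bytes = b"") -> bytes:
    """Assemble a minimal IPv4 + TCP frame for testing (constructed data; checksums left zero).
    Option blobs must be multiples of four bytes, as on the wire."""
    ihl = 20 + len(ip_opts)
    data_off = 20 + len(tcp_opts)
    total_len = ihl + data_off + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x40 | (ihl // 4), 0, total_len, 0, 0x4000, 64, proto, 0,
                         bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20])) + ip_opts
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          40000, 443, 1, 0, (data_off // 4) << 4, 0x18, 65535, 0, 0) + tcp_opts
    return ip_hdr + tcp_hdr + payload


# Constructed sample traffic: a trigger-shaped segment carrying TCP options (marker,
# then placeholder address/port/password bytes), a TLS ClientHello prefix, and a
# datagram whose IP header says UDP (protocol 17) and so is outside this TCP check.
SAMPLE_FRAMES = [
    build_ipv4_tcp(BPFDOOR_TCP_MAGIC + bytes([192, 0, 2, 99]) + struct.pack("!H", 4444)
                   + b"password-placeholder\x00",
                   tcp_opts=b"\x01\x01\x08\x0a" + b"\x00" * 8),
    build_ipv4_tcp(b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
    build_ipv4_tcp(BPFDOOR_TCP_MAGIC + b"\x00" * 8, proto=17),
]

if __name__ == "__main__":
    print("suspicious frame indices:", hunt(SAMPLE_FRAMES))  # [0]
```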

References:
  • securityonline.info: BPFDoor Backdoor Used in Asia, Middle East Cyberespionage
  • www.trendmicro.com: BPFDoor’s Hidden Controller Used Against Asia, Middle East Targets
  • Virus Bulletin: Trend Micro's Fernando Mercês writes about BPFDoor, a state-sponsored backdoor designed for cyberespionage activities targeting the telecommunications, finance and retail sectors across South Korea, Hong Kong, Myanmar, Malaysia and Egypt.
  • gbhackers.com: A new wave of cyber espionage attacks has brought BPFDoor malware into the spotlight as a stealthy and dangerous tool for compromising networks.
  • Cyber Security News: Stealthy Rootkit-Like Malware Known as BPFDoor Using Reverse Shell to Dig Deeper into Compromised Networks
  • gbhackers.com: BPFDoor Malware Uses Reverse Shell to Expand Control Over Compromised Networks

@www.microsoft.com //
Microsoft is warning of a rise in cyberattacks where threat actors are misusing Node.js to deliver malware and steal sensitive information. These campaigns, ongoing since October 2024, involve tricking users into downloading malicious installers from fraudulent websites disguised as legitimate software, often related to cryptocurrency platforms like Binance and TradingView. The attackers utilize malvertising campaigns to lure unsuspecting victims. Once the malicious installer is downloaded, a chain of events is triggered, leading to information theft and data exfiltration from compromised systems.

The attack chain involves multiple stages, beginning with a malicious DLL embedded within the downloaded installer. This DLL gathers system information and establishes persistence via a scheduled task. To maintain the illusion of legitimacy, a decoy browser window is opened, displaying a real cryptocurrency trading website. The scheduled task then executes PowerShell commands designed to evade detection by Microsoft Defender. These commands exclude both the PowerShell process and the current directory from being scanned. Subsequently, obfuscated scripts are launched to collect extensive system, BIOS, and OS information, which is then structured and exfiltrated in JSON format via HTTP POST.

The final stage involves downloading and launching the Node.js runtime, along with a compiled JavaScript file and supporting library modules. Once executed, the malware establishes network connections, installs certificates, and exfiltrates browser credentials and other sensitive data. Microsoft has observed threat actors leveraging Node.js characteristics, such as cross-platform compatibility and access to system resources, to blend malware with legitimate applications, bypass conventional security controls, and persist in target environments. This shift in tactics highlights the evolving threat landscape, where Node.js is increasingly being exploited for malicious purposes.
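A detection for the Defender-exclusion step in the chain above, written here as an added example rather than taken from Microsoft's report. It runs over constructed PowerShell script block logging records (Event ID 4104) and reports every Add-MpPreference / Set-MpPreference call that carves a path, process or extension out of scanning, including abbreviated parameter names such as -ExclusionPa that PowerShell accepts; the log records are invented for the demonstration.

```python
import re
from dataclasses import dataclass

# Defender preference cmdlets; with an Exclusion* parameter they remove a path,
# process or extension from scanning. Matched case-insensitively because PowerShell is.
MP_PREF_CMDLET = re.compile(r"\b(?:add|set)-mppreference\b", re.IGNORECASE)
# PowerShell resolves unambiguous parameter prefixes, so -ExclusionPa is -ExclusionPath.
EXCLUSION_PARAM = re.compile(r"^-exclusion(pa\w*|pr\w*|e\w*|i\w*)$", re.IGNORECASE)
KIND_BY_PREFIX = {"pa": "Path", "pr": "Process", "e": "Extension", "i": "IpAddress"}
TOKEN = re.compile(r"""'[^']*'|"[^"]*"|\S+""")


@dataclass(frozen=True)
class Finding:
    record_id: int
    kind: str          # Path, Process, Extension or IpAddress
    values: tuple      # the excluded items exactly as the script wrote them


def _kind(param_suffix: str) -> str:
    s = param_suffix.lower()
    return KIND_BY_PREFIX["pa" if s.startswith("pa") else "pr" if s.startswith("pr") else s[0]]


def _values_after(tokens, start):
    """Collect argument tokens after a parameter until the next parameter;
    comma-separated lists become separate items, surrounding quotes are dropped."""
    out = []
    for tok in tokens[start:]:
        if tok.startswith("-"):
            break
        for part in tok.split(","):
            part = part.strip().strip("'\"")
            if part:
                out.append(part)
    return tuple(out)


def exclusions_in_script(script: str):
    """Yield (kind, values) for every Defender exclusion the script block adds."""
    for statement in re.split(r"[;\n|]", script):
        if not MP_PREF_CMDLET.search(statement):
            continue
        tokens = TOKEN.findall(statement)
        for i, tok in enumerate(tokens):
            m = EXCLUSION_PARAM.match(tok)
            if m:
                yield _kind(m.group(1)), _values_after(tokens, i + 1)


def scan_script_block_events(events):
    """Walk PowerShell operational log records and return one Finding per exclusion
    added in a 4104 script block. Legitimate deployment tooling also adds exclusions,
    so baseline known scripts before turning this into an alert."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4104:
            continue
        for kind, values in exclusions_in_script(ev["ScriptBlockText"]):
            findings.append(Finding(ev["RecordId"], kind, values))
    return findings


# Constructed records shaped like the chain in the article: the scheduled task's
# PowerShell first excludes its own process and the working directory.
SAMPLE_EVENTS = [
    {"EventID": 4104, "RecordId": 101,
     "ScriptBlockText": "Add-MpPreference -ExclusionProcess 'powershell.exe'; "
                        "add-mppreference -ExclusionPa $PWD.Path"},
    {"EventID": 4104, "RecordId": 102,
     "ScriptBlockText": "Get-Process | Where-Object { $_.CPU -gt 100 }"},
    {"EventID": 4103, "RecordId": 103,                     # not a script block record
     "ScriptBlockText": "Set-MpPreference -ExclusionPath C:\\Temp"},
    {"EventID": 4104, "RecordId": 104,
     "ScriptBlockText": 'Set-MpPreference -ExclusionExtension ".js",".node" -Force'},
]

if __name__ == "__main__":
    for f in scan_script_block_events(SAMPLE_EVENTS):
        print(f"record {f.record_id}: {f.kind} exclusion -> {', '.join(f.values)}")
```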

Pierluigi Paganini@securityaffairs.com //
CISA has added CVE-2021-20035, a high-severity vulnerability affecting SonicWall SMA100 series appliances, to its Known Exploited Vulnerabilities (KEV) catalog. This flaw, an OS command injection vulnerability in the SMA100 management interface, allows remote attackers to execute arbitrary code. The Cybersecurity and Infrastructure Security Agency (CISA) issued the alert on April 16, 2025, based on evidence of active exploitation in the wild. SonicWall originally disclosed the vulnerability in September 2021 and has since updated the advisory to note that it has reportedly been exploited in the wild, revising the summary and the CVSS score to 7.2.

The vulnerability, tracked as CVE-2021-20035, stems from improper neutralization of special elements in the SMA100 management interface. Specifically, a remote authenticated attacker can inject arbitrary commands as a 'nobody' user, potentially leading to code execution. The affected SonicWall devices include SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v appliances running specific firmware versions.

CISA has mandated that Federal Civilian Executive Branch (FCEB) agencies apply the necessary mitigations by May 7, 2025, to protect their networks from this actively exploited vulnerability. Remediation steps include applying the latest security patches provided by SonicWall to all affected SMA100 appliances and restricting management interface access to trusted networks. CISA strongly advises all organizations, including state, local, tribal, territorial governments, and private sector entities, to prioritize remediation of this cataloged vulnerability to enhance their cybersecurity posture.

References:
  • chemical-facility-security-news.blogspot.com: CISA Adds SonicWall Vulnerability to KEV Catalog – 4-16-25
  • securityaffairs.com: U.S. CISA adds SonicWall SMA100 Appliance flaw to its Known Exploited Vulnerabilities catalog
  • The Hacker News: CISA Tags Actively Exploited Vulnerability in SonicWall SMA Devices
  • Cyber Security News: CISA Alerts on Exploited SonicWall Command Injection Vulnerability
  • gbhackers.com: CISA Issues Alert on SonicWall Flaw Being Actively Exploited
  • BleepingComputer: On Wednesday, CISA warned federal agencies to secure their SonicWall Secure Mobile Access (SMA) 100 series appliances against attacks exploiting a high-severity remote code execution vulnerability. [...]
  • securityonline.info: CISA Alert: Actively Exploited SonicWall SMA100 Vulnerability
  • The DefendOps Diaries: CISA alert on critical SonicWall vulnerabilities; urgent patches required to prevent cyber attacks.

Aman Mishra@gbhackers.com //
A sophisticated malware campaign impersonating PDFCandy.com is distributing the ArechClient2 information stealer, according to research from CloudSEK. Cybercriminals are creating fake websites that closely mimic the legitimate PDF conversion tool, tricking users into downloading malware. These deceptive sites are promoted through Google Ads and exploit the common need for online file conversion. By replicating the user interface and using similar domain names, attackers deceive unsuspecting users into believing they are interacting with a trusted service.

The attack unfolds through a series of social engineering tactics. Victims are prompted to upload a PDF file for conversion, after which a simulated loading sequence creates the illusion of genuine file processing. This builds trust and lowers the user’s guard. Subsequently, users are presented with a fake CAPTCHA verification dialog, designed to enhance the site’s perceived authenticity and create a sense of urgency, potentially rushing the user into action. The CAPTCHA acts as a pivotal interaction point to trigger the malicious payload.

After the fake conversion process and CAPTCHA interaction, users are prompted to execute a PowerShell command. This command initiates a sophisticated redirection chain to obscure the malware delivery, ultimately leading to the distribution of the ArechClient2 infostealer. The malware is known for its ability to steal sensitive data, including browser credentials and cryptocurrency wallet information. Cybersecurity experts advise users to rely on verified tools from official websites, keep anti-malware software updated, and implement endpoint detection and response solutions to defend against these advanced threats.

References:
  • hackread.com: CloudSEK uncovers a sophisticated malware campaign where attackers impersonate PDFCandy.com to distribute the ArechClient2 information stealer. Learn how…
  • securityonline.info: Beware Fake PDF Converters: A Social Engineering Threat
  • www.scworld.com: Infostealer deployed via bogus PDFCandy converter
  • Cyber Security News: CyberPress: Beware! Online PDF Converters Luring Users into Installing Password-Stealing Malware
  • cybersecuritynews.com: CybersecurityNews: Beware of Online PDF Converters That Tricks Users to Install Password Stealing Malware
  • cyberpress.org: Beware! Online PDF Converters Luring Users into Installing Password-Stealing Malware
  • gbhackers.com: Beware! Online PDF Converters Tricking Users into Installing Password-Stealing Malware

@the-decoder.com //
OpenAI has launched its latest AI models, o3 and o4-mini, marking a significant advancement in artificial intelligence. These models are designed with improved capabilities in reasoning and problem-solving, going beyond previous models by being able to manipulate and reason with images. This allows them to analyze visual inputs and use them to solve complex problems, opening up new possibilities for AI in various fields.

OpenAI is placing particular emphasis on tool use with these new models. For the first time, its reasoning models can use and combine every tool within ChatGPT: searching the web, analyzing uploaded files and other data with Python, reasoning deeply about visual inputs, and even generating images. Critically, o3 and o4-mini are trained to reason about when and how to use tools to produce detailed and thoughtful answers in the right output formats, typically in under a minute, to solve complex problems.

The most striking feature of these models is their ability to "think with images," going beyond simply seeing them to manipulate and reason about them as part of the problem-solving process. This unlocks a new class of problem-solving that blends visual and textual reasoning. For example, o3 can analyze a physics poster from a decade-old internship, navigate its complex diagrams independently, and even identify that the final result wasn’t present in the poster itself.

References:
  • the-decoder.com: OpenAI’s new o3 and o4-mini models reason with images and tools
  • Simon Willison's Weblog: OpenAI are really emphasizing tool use with these: For the first time, our reasoning models can agentically use and combine every tool within ChatGPT—this includes searching the web, analyzing uploaded files and other data with Python, reasoning deeply about visual inputs, and even generating images. Critically, these models are trained to reason about when and how to use tools to produce detailed and thoughtful answers in the right output formats, typically in under a minute, to solve more complex problems.
  • venturebeat.com: OpenAI launches o3 and o4-mini, AI models that ‘think with images’ and use tools autonomously
  • www.analyticsvidhya.com: o3 and o4-mini: OpenAI’s Most Advanced Reasoning Models
  • www.tomsguide.com: OpenAI's o3 and o4-mini models
  • Maginative: OpenAI’s latest models—o3 and o4-mini—introduce agentic reasoning, full tool integration, and multimodal thinking, setting a new bar for AI performance in both speed and sophistication.
  • www.zdnet.com: These new models are the first to independently use all ChatGPT tools.
  • The Tech Basic: OpenAI recently released its new AI models, o3 and o4-mini, to the public. Smart tools employ pictures to address problems through pictures, including sketch interpretation and photo restoration.
  • www.marktechpost.com: OpenAI Introduces o3 and o4-mini: Progressing Towards Agentic AI with Enhanced Multimodal Reasoning
  • analyticsindiamag.com: Access to o3 and o4-mini is rolling out today for ChatGPT Plus, Pro, and Team users.

Pierluigi Paganini@securityaffairs.com //
A new cybersecurity threat has emerged, with cheap Chinese Android phones being shipped with pre-installed malware disguised as popular messaging apps like WhatsApp and Telegram. These trojanized applications contain cryptocurrency clippers, malicious programs designed to replace copied wallet addresses with those controlled by the attackers. This allows the theft of cryptocurrency during transactions without the user's knowledge. The campaign, active since June 2024, targets low-end devices, often mimicking premium brands like Samsung and Huawei, with models such as "S23 Ultra," "Note 13 Pro," and "P70 Ultra." At least four of the affected models are manufactured under the SHOWJI brand.

These counterfeit phones often spoof their technical specifications, falsely displaying that they are running the latest Android version and have improved hardware to avoid detection. According to researchers at Doctor Web, the infected devices ship with modified versions of WhatsApp that operate as clippers. These malicious programs quietly swap out wallet strings for popular coins like Ethereum and Tron whenever users send or receive them through chat. Victims remain unaware as the malware displays the correct wallet address on the sender’s screen but delivers the wrong one to the receiver, and vice versa, until the money disappears.

The attackers have expanded their reach beyond WhatsApp and Telegram, with researchers identifying nearly 40 fake applications, including crypto wallets like Trust Wallet and MathWallet, and even QR code readers. The malware is injected using a tool called LSPatch, allowing modifications without altering the core app code, which helps evade detection and survive updates. Doctor Web reports that the malware hijacks the app update process to retrieve an APK file from a server under the attacker's control and searches for strings in chat conversations that match cryptocurrency wallet address patterns.

References:
  • hackread.com: Pre-Installed Malware on Cheap Android Phones Steals Crypto via Fake WhatsApp
  • securityaffairs.com: Chinese Android phones shipped with malware-laced WhatsApp, Telegram apps
  • The Hacker News: Chinese Android Phones Shipped with Fake WhatsApp, Telegram Apps Targeting Crypto Users

@www.bleepingcomputer.com //
Microsoft is set to block ActiveX controls by default in the Windows versions of Microsoft 365 Apps and Office 2024. This move, announced in April 2025, aims to enhance security by addressing vulnerabilities associated with the legacy software framework. ActiveX controls, introduced in 1996, enabled developers to create interactive objects embedded in Office documents. However, over time, these controls have become a significant point of entry for cybercriminals, similar to macros in Excel, with examples such as the propagation of the TrickBot malware through ActiveX.

Microsoft's decision to disable ActiveX controls by default is part of a broader effort to bolster the security of its products. Since 2018, the company has implemented various measures to block attack vectors exploiting Office applications. These include blocking VBA macros, disabling Excel 4.0 (XLM) macros by default, blocking untrusted XLL add-ins, and phasing out VBScript. The default setting previously was to prompt users before enabling ActiveX, which required users to understand the risks before granting permissions.

When the change is deployed, users will receive a notification stating "BLOCKED CONTENT: The ActiveX content in this file is blocked" if a document contains an ActiveX control. This measure is intended to reduce the risk of malware or unauthorized code execution. Users can re-enable ActiveX controls through the Trust Center, provided administrators have granted them access to the ActiveX settings page. This change is more secure as it blocks the controls entirely.

References:
  • The Register - Software: ActiveX blocked by default in Microsoft 365 because remote code execution is bad, OK?
  • Will Dormann: Microsoft blocks ActiveX by default in Microsoft 365, Office 2024 About damn time!
  • www.bleepingcomputer.com: Microsoft blocks ActiveX by default in Microsoft 365, Office 2024
  • IT-Connect: Microsoft: ActiveX controls soon to be blocked by default in Office and Microsoft 365 Apps
  • Cyber Security News: Microsoft Disables ActiveX by Default in 365 to Block Malware Execution by Hackers

@nvd.nist.gov //
Cyble Research and Intelligence Labs (CRIL) has uncovered a new ransomware operation dubbed "DOGE BIG BALLS Ransomware." This campaign uses a finance-themed ZIP file named "Pay Adjustment.zip" to trick users into executing malicious shortcut files. These files then trigger multi-stage PowerShell scripts, ultimately delivering custom payloads that include a kernel-mode exploit tool and reconnaissance modules. The ransomware itself is a modified version of Fog, further customized with a provocative name that references a known public figure.

The attention-grabbing name is likely a deliberate attempt to misdirect attention and create confusion, potentially questioning the effectiveness of governmental cybersecurity efforts. Despite the name's provocative nature, the attack mechanism is relatively simple. The ransomware is typically distributed via a compressed ZIP file, sometimes disguised as a PDF document. Once opened, the malicious payload bypasses traditional security defenses using obfuscation and anti-detection techniques.

The DOGE Big Balls ransomware attack highlights the evolving tactics of cybercriminals, blending technical sophistication with psychological manipulation. It also demonstrates the increasing trend of ransomware attacks targeting the healthcare sector, as seen with the recent attack on DaVita, a Denver-based dialysis firm. This incident underscores the critical need for organizations to bolster their cybersecurity defenses and incident response capabilities to protect sensitive data and maintain operational continuity.

References:
  • cyble.com: This attack leverages a ZIP file with a deceptive LNK shortcut to silently execute a multi-stage PowerShell-based infection chain, ensuring stealthy deployment. A vulnerable driver ( ) is exploited through a Bring Your Own Vulnerable Driver (BYOVD) technique to gain kernel-level read/write access for privilege escalation. The payload is a customized version of Fog ransomware, branded as "DOGE BIG BALLS Ransomware," reflecting an attempt to add psychological manipulation and misattribution. Ransomware scripts include provocative political commentary and the use of a real individual's name and address, indicating intent to confuse, intimidate, or mislead victims. The malware uses router MAC addresses (BSSIDs) and queries the Wigle.net API to determine the victim’s physical location—offering more accurate geolocation than IP-based methods. Extensive system and network information, including hardware IDs, firewall states, network configuration, and running processes, is collected via PowerShell, aiding attacker profiling. Embedded within the toolkit is a Havoc C2 beacon, hinting at the threat actor’s (TA's) potential to maintain long-term access or conduct additional post-encryption activities.
  • Davey Winder: DOGE Big Balls Ransomware Attack — What You Need To Know
  • thecyberexpress.com: TheCyberExpress: DOGE BIG BALLS Campaign Blurs Lines Between Exploitation, Recon, and Reputation Damage
  • www.cybersecurity-insiders.com: DOGE Big Balls Ransomware turns into a big cyber threat
  • www.cysecurity.news: CySecurity: DOGE Big Balls Ransomware turns into a big cyber threat
  • seceon.com: The TraderTraitor Crypto Heist: Nation-State Tactics Meet Financial Cybercrime

@cyberpress.org //
Russian state-sponsored espionage group Midnight Blizzard, also known as APT29 or Cozy Bear, is conducting a spear-phishing campaign targeting European diplomatic organizations. Check Point Research has been observing this sophisticated operation, which began in January 2025 and employs advanced techniques to target government officials and diplomats across Europe. The threat actors are impersonating a major European foreign affairs ministry to send deceptive emails inviting targets to wine-tasting events. This campaign, leveraging custom malware, aims to compromise diplomatic entities, including embassies of non-European countries.

The campaign introduces a previously unseen malware loader called GrapeLoader, along with a new variant of the Wineloader backdoor. The phishing emails, sent from domains like 'bakenhof[.]com' or 'silry[.]com,' contain malicious links that, under specific conditions, initiate the download of a ZIP archive named 'wine.zip'. If the targeting conditions are not met, victims are redirected to the legitimate website of the impersonated ministry, reducing suspicion. This mirrors a previous Wineloader campaign, indicating a continued focus on European diplomacy by APT29.

Once executed via DLL sideloading, GrapeLoader collects host information, establishes persistence by modifying the Windows Registry, and contacts a command-and-control server. The use of in-memory execution is an advanced evasion technique to complicate detection. The objective of the campaign is likely espionage, given APT29's history of targeting high-profile organizations, including government agencies and think tanks, and its association with the SolarWinds supply chain attack.

References:
  • Check Point Blog: Details on APT29's updated phishing campaign targeting European diplomatic organizations. Focus on new malware and TTPs
  • BleepingComputer: Russian state-sponsored espionage group Midnight Blizzard is behind a new spear-phishing campaign targeting diplomatic entities in Europe, including embassies.
  • bsky.app: Midnight Blizzard deploys new GrapeLoader malware in embassy phishing
  • blog.checkpoint.com: Unmasking APT29: The Sophisticated Phishing Campaign Targeting European Diplomacy
  • cyberpress.org: Detailed report about APT29's GRAPELOADER campaign targeting European diplomats.
  • research.checkpoint.com: Renewed APT29 Phishing Campaign Against European Diplomats
  • Cyber Security News: APT29 Hackers Deploy GRAPELOADER in Latest Attack on European Diplomats
  • The Register - Security: Russians lure European diplomats into malware trap with wine-tasting invite
  • iHLS: Russian Phishing Campaign Steals Sensitive Data in European Government Networks
  • cybersecuritynews.com: APT29 Hackers Deploy GRAPELOADER in Latest Attack on European Diplomats
  • www.scworld.com: New APT29 spear-phishing campaign targets European diplomatic organizations
  • www.helpnetsecurity.com: Cozy Bear targets EU diplomats with wine-tasting invites (again)
  • Check Point Research: Renewed APT29 Phishing Campaign Against European Diplomats
  • Help Net Security: Detailed report on the campaign's tactics, techniques, and procedures, including the use of fake wine-tasting invitations.
  • securityonline.info: Sophisticated phishing campaign targeting European governments and diplomats, using a wine-themed approach
  • securityonline.info: APT29 Targets European Diplomats with Wine-Themed Phishing
  • www.csoonline.com: The tactics, techniques, and procedures (TTPs) observed in this campaign bear strong similarities to those seen in the previous WINELOADER campaign from March 2024. The report contains indicators of compromise such as file names, file hashes and C2 URLs that can be used by security teams to build detections and threat hunting queries.

info@thehackernews.com (The Hacker News) //
A critical security vulnerability, CVE-2025-24859, has been discovered in Apache Roller, a widely used Java-based blogging platform. The flaw, which carries a CVSS score of 10.0, affects all versions from 1.0.0 up to and including 6.1.4. This vulnerability allows malicious actors to retain unauthorized access to blog sites even after a password change.

The core of the issue lies in insufficient session expiration. When a user or administrator changes a password, Apache Roller versions before 6.1.5 do not properly invalidate existing sessions. Consequently, any session tokens or cookies issued before the password change remain valid, creating a significant security risk. An attacker who has compromised a user’s credentials can maintain access to the application through the old session, effectively bypassing the intended protection of a password change.

Administrators and users of Apache Roller are strongly advised to upgrade to version 6.1.5 or later. This update implements centralized session management, ensuring that all active sessions are terminated immediately upon password changes or user deactivation. In related news, a critical vulnerability in Gladinet CentreStack also affects its Triofox remote access solution, leading to multiple organizations being compromised.
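To make the insufficient-session-expiration defect concrete, here is an added Python model (not Apache Roller's Java code) of a session store in both forms: one that only rewrites the password hash, so tokens minted before the change keep working, and one that ties each session to a per-user credential generation and revokes all of them on a password change or deactivation, the behaviour the 6.1.5 fix is described as providing. Account names and passwords are constructed sample data.

```python
import hashlib
import hmac
import secrets


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    def __init__(self, username: str, password: str):
        self.username = username
        self.salt = secrets.token_bytes(16)
        self.pw_hash = _hash(password, self.salt)
        self.cred_generation = 0   # bumped whenever credentials change
        self.active = True

    def verify(self, password: str) -> bool:
        return hmac.compare_digest(self.pw_hash, _hash(password, self.salt))


class VulnerableSessions:
    """The pattern behind the bug: a session is just token -> username, and a
    password change touches only the account, so old tokens stay valid."""
    def __init__(self):
        self.sessions = {}

    def login(self, account, password):
        if not (account.active and account.verify(password)):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = account.username
        return token

    def change_password(self, account, new_password):
        account.salt = secrets.token_bytes(16)
        account.pw_hash = _hash(new_password, account.salt)   # sessions untouched

    def user_for(self, token, accounts):
        name = self.sessions.get(token)
        return accounts.get(name) if name else None


class HardenedSessions:
    """The fix: every session records the credential generation it was issued under;
    a password change or deactivation drops the user's sessions and bumps the
    generation, so even a token the purge missed is rejected on its next use."""
    def __init__(self):
        self.sessions = {}   # token -> (username, generation)

    def login(self, account, password):
        if not (account.active and account.verify(password)):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (account.username, account.cred_generation)
        return token

    def revoke_all(self, account):
        account.cred_generation += 1
        for tok in [t for t, (u, _) in self.sessions.items() if u == account.username]:
            del self.sessions[tok]

    def change_password(self, account, new_password):
        account.salt = secrets.token_bytes(16)
        account.pw_hash = _hash(new_password, account.salt)
        self.revoke_all(account)

    def deactivate(self, account):
        account.active = False
        self.revoke_all(account)

    def user_for(self, token, accounts):
        entry = self.sessions.get(token)
        if entry is None:
            return None
        name, gen = entry
        acct = accounts.get(name)
        if acct is None or not acct.active or gen != acct.cred_generation:
            self.sessions.pop(token, None)     # stale: issued under old credentials
            return None
        return acct


def old_session_survives_password_change(store_cls) -> bool:
    """Log in, change the password, then report whether the pre-change token still works."""
    alice = Account("alice", "old-password")          # constructed sample account
    store = store_cls()
    token = store.login(alice, "old-password")
    store.change_password(alice, "new-password")
    return store.user_for(token, {"alice": alice}) is not None


if __name__ == "__main__":
    print("vulnerable store keeps old session:", old_session_survives_password_change(VulnerableSessions))  # True
    print("hardened store keeps old session:", old_session_survives_password_change(HardenedSessions))     # False
```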

References:
  • Cyber Security News: A critical security vulnerability, CVE-2025-24859, has been discovered in Apache Roller, a widely used Java-based blogging platform.
  • Anonymous: A recently disclosed security flaw in Gladinet CentreStack also impacts its Triofox remote access and collaboration solution, according to Huntress, with seven different organizations compromised to date.
  • securityaffairs.com: A critical vulnerability, tracked as CVE-2025-24859 (CVSS score of 10.0), affects the Apache Roller open-source, Java-based blogging server software.
  • securityonline.info: A security vulnerability has been identified in Apache Roller, a Java-based blog server, that could allow unauthorized access
  • The Hacker News: A critical security vulnerability has been disclosed in the Apache Roller open-source, Java-based blogging server software that could allow malicious actors to retain unauthorized access even after a password change.

Dissent@DataBreaches.Net //
China has accused the United States National Security Agency (NSA) of launching "advanced" cyberattacks during the Asian Winter Games in February 2025, targeting essential industries. Police in the northeastern city of Harbin have placed three alleged NSA agents on a wanted list, accusing them of attacking the Winter Games' event information system and key information infrastructure in Heilongjiang province, where Harbin is located. The named NSA agents are Katheryn A. Wilson, Robert J. Snelling, and Stephen W. Johnson, all allegedly members of the NSA's Tailored Access Operations (TAO) offensive cyber unit.

China Daily reports the TAO targeted systems used for registration, timekeeping, and competition entry at the Games, systems which store "vast amounts of sensitive personal data." The publication also stated the TAO appeared to be trying to implant backdoors and used multiple front organizations to purchase servers in Europe and Asia to conceal its tracks and acquire the tools used to breach Chinese systems. A joint report from China's computer emergency response centers (CERTs) stated that over 270,000 attacks on the Asian Winter Games were detected, with 170,000 allegedly launched by the US.

Chinese foreign ministry spokesperson Lin Jian condemned the alleged cyber activity, urging the U.S. to take a responsible attitude on cybersecurity issues and stop any attacks and "groundless vilification against China." Xinhua reported the agents repeatedly carried out cyber attacks on China’s critical information infrastructure and participated in cyber attacks on Huawei and other enterprises. Chinese law enforcement agencies are seeking information that could lead to the arrest of the three NSA operatives, though rewards were not disclosed.

References:
  • The Register - Security: China names alleged US snoops over Asian Winter Games attacks
  • www.cybersecurity-insiders.com: China accuses US of launching advanced Cyber Attacks on its infrastructure
  • CyberScoop: Chinese law enforcement places NSA operatives on wanted list over alleged cyberattacks
  • DataBreaches.Net: China accuses US of launching ‘advanced’ cyberattacks, names alleged NSA agents
  • www.scworld.com: China's allegation that NSA hacked Asian Winter Games draws suspicion
  • PCMag UK security: Police in the Chinese city of Harbin say three NSA operatives disrupted the 2025 Asian Winter Games and hacked Huawei.
  • www.csoonline.com: China accused the United States National Security Agency (NSA) on Tuesday of launching "advanced" cyberattacks during the Asian Winter Games in February, targeting essential industries.
  • Metacurity: China accuses NSA of 'advanced cyberattacks' during the Asian Winter Games
  • www.dailymail.co.uk: China accuses US of launching 'advanced' cyberattacks, names alleged NSA agents
  • sysdig.com: UNC5174’s evolution in China’s ongoing cyber warfare: From SNOWLIGHT to VShell

info@thehackernews.com (The Hacker News) //
The cybersecurity world is on edge as MITRE, the organization behind the Common Vulnerabilities and Exposures (CVE) program, faces a potential shutdown of the program due to expiring funding from the Department of Homeland Security (DHS). The CVE program is a cornerstone of global vulnerability management, providing a standardized system for identifying and tracking software flaws. This system allows companies, governments, and researchers to share information and coordinate their efforts to address cybersecurity risks.

A lapse in funding for the CVE program would have dire consequences for the cybersecurity landscape. Without a universal framework for tracking software flaws, coordinated disclosures across vendors and governments would become significantly more challenging. This breakdown in coordination would create chaos and uncertainty in vulnerability management, making it harder for organizations to protect themselves against cyberattacks. The potential shutdown of the CVE program is not just a tech industry issue, but a matter of national security.

According to Gary Miliefsky, publisher of Cyber Defense Magazine and a former advisory board member to the CVE/OVAL initiatives, MITRE has confirmed that funding for the CVE and CWE programs will expire on April 16, 2025. While historical CVE records will remain accessible on GitHub, active development, modernization, and oversight of the CVE and CWE systems are now at risk. MITRE has expressed its commitment to CVE as a global resource, but without adequate funding, the future of this essential cybersecurity tool remains uncertain.

References:
  • Cyber Defense Magazine: MITRE CVE Program in Jeopardy
  • Tony Bradley: Cybersecurity World On Edge As CVE Program Prepares To Go Dark
  • Lukasz Olejnik: By cutting what amounts to penny costs, the Trump administration will effectively (temporarily) cripple the global cybersecurity system — CVE. It is a global system for identifying and tracking vulnerabilities that has served as a common language for companies, governments, and researchers worldwide since 1999. The consequence will be a breakdown in coordination between vendors, analysts, and defense systems — no one will be certain they are referring to the same vulnerability. Total chaos.
  • RootWyrm: people, THIS is big and you need it in front of management RIGHT NOW. MITRE has informed the CVE board members that effective TONIGHT, funding to run CVE and CWE is effectively gone. The US federal government contracts MITRE to run these programs including both management, operations, and infrastructure. This not only could but almost certainly will result in disruptions to CVE and CWE including a halt of all operations if new contracts/funding are not secured.
  • Lukasz Olejnik: Farewell, CVE? What's next for cybersecurity?
  • bsky.app: By cutting what amounts to penny costs, the Trump administration will effectively (at least temporarily) cripple the global cybersecurity system — CVE.
  • Tenable Blog: MITRE CVE Program Funding Set To Expire
  • Jon Greig: CISA confirmed on Wednesday evening that it will no longer be running the program as of tomorrow. It is unclear whether they will find a new vendor or try to run it themselves.
  • www.csoonline.com: In a stunning development that demolishes a cornerstone of cybersecurity defense, nonprofit R&D organization MITRE said that its contract with the Department of Homeland Security (DHS) to maintain the Common Vulnerabilities and Exposures (CVE) database, which organizes computer vulnerabilities, will expire at midnight on April 16.
  • The Register - Security: Uncle Sam abruptly turns off funding for CVE program. Yes, that CVE program
  • securityonline.info: MITRE Warns of CVE Program Disruption as U.S. Contract Set to Expire
  • PCMag UK security: Nonprofit That Tracks Software Flaws in Jeopardy Following Funding Cuts
  • Metacurity: Here's my piece on the ending of the CVE contract. "Sasha Romanosky, senior policy researcher at the Rand Corporation, branded the end to the CVE program as 'tragic,' a sentiment echoed by many cybersecurity and CVE experts reached for comment."
  • www.nextgov.com: MITRE-backed cyber vulnerability program to lose funding Wednesday
  • x.com: Post discussing MITRE support for the CVE program expiring
  • securityboulevard.com: MITRE CVE Program Funding Set To Expire
  • The Hacker News: U.S. Govt. Funding for MITRE's CVE Ends April 16, Cybersecurity Community on Alert
  • krebsonsecurity.com: A Krebs on Security article discussing the funding expiration for the CVE program.
  • Secure Bulletin: MITRE Signals Critical Risk to CVE Program as Federal Funding Expires
  • www.scworld.com: MITRE support expires for 'pillar of cybersecurity industry,' CVE program
  • cybersecuritynews.com: MITRE’s Support for CVE Program Expired Today! – Internal Letter Leaked Online, "MITRE Confirmed"
  • Risky Business Media: Risky Bulletin: MITRE says funding risk could disrupt CVE database
  • Sergiu Gatlan: This comes after MITRE Vice President Yosry Barsoum warned on Tuesday that U.S. government funding for the Common Vulnerabilities and Exposures (CVE) and Common Weakness Enumeration (CWE) programs expires today.
  • The Last Watchdog: MY TAKE: The CVE program crisis isn’t over — it’s a wake-up call for cybersecurity’s supply chain
  • Schneier on Security: Mitre’s CVE program—which provides common naming and other informational resources about cybersecurity vulnerabilities—was about to , as the US Department of Homeland Security failed to renew the contract.
  • industrialcyber.co: US CISA extends MITRE CVE, CWE programs with last-minute contract extension, prevents shutdown
  • PCMag UK security: 11th-Hour Funding Saves Program That Tracks Software Vulnerabilities
  • Industrial Cyber: MITRE warns of potential cybersecurity disruptions as US government funding for CVE, CWE programs set to expire
  • hackread.com: CVE Program Stays Online as CISA Backs Temporary MITRE Extension
  • industrialcyber.co: Non-profit organization MITRE has informed that federal government funding for the Common Vulnerabilities and Exposures (CVE) and Common...
  • securebulletin.com: The cybersecurity world faces a significant challenge as the Common Vulnerabilities and Exposures (CVE) program, a cornerstone of global vulnerability management, risks disruption due to expiring federal funding.
  • Security Risk Advisors: Funding for MITRE’s CVE Program Set to Expire, Global Vulnerability Tracking at Risk
  • The DefendOps Diaries: CISA extends funding for CVE program, boosting global cybersecurity collaboration and threat management.
  • Filippo Valsorda: Joke aside, I hope the CNAs (CVE Numbering Authorities) can find a way to coordinate and publish entries, which is 90% (or maybe 120%, since vuln "enrichment" is often so wildly off) of the value of the system. Without Mitre, there will be a lack of a CNA of last resort, though.