CyberSecurity news
FlagThis
|
@cyberscoop.com
//
Microsoft has issued its July 2025 Patch Tuesday updates, a crucial monthly release that addresses a significant number of vulnerabilities across its product lines. This release tackles a total of 130 CVEs, with 10 of them classified as critical. Notably, while no vulnerabilities were reported as actively exploited in the wild at the time of the release, one flaw in Microsoft SQL Server (CVE-2025-49719) has been publicly disclosed. This information disclosure vulnerability, rated as important with a CVSS score of 7.5, means that technical details are available, potentially increasing the risk of future exploitation. Organizations should prioritize patching this vulnerability, particularly as it affects SQL Server versions 2016 through 2022 and does not require authentication to exploit, potentially exposing sensitive data like credentials.
Among the critical vulnerabilities addressed, a particularly concerning one is a remote code execution (RCE) flaw in Windows SPNEGO Extended Negotiation (NEGOEX), designated CVE-2025-47981. This vulnerability carries a high CVSS score of 9.8 and is described as a heap-based buffer overflow, allowing an unauthenticated attacker to execute code remotely on a target system with low attack complexity and no user interaction. The nature of this flaw makes it a prime target for attackers seeking initial access or lateral movement within networks. Microsoft has also highlighted critical RCE vulnerabilities in Microsoft Office, with several rated as "more likely" to be exploited, including some that can be triggered via the preview pane without requiring a user to open a document, posing a significant risk to users' security. The July Patch Tuesday also includes fixes for vulnerabilities in Microsoft SharePoint, with an RCE flaw that requires authenticated access but could allow an attacker to execute code on the server. Additionally, vulnerabilities impacting Windows Hyper-V and other system components have been addressed. With a total of 130 CVEs patched, including numerous critical flaws, it is imperative for all organizations to review and apply these updates promptly to protect their systems and data from potential exploitation. The proactive patching of these vulnerabilities is essential for maintaining a strong security posture against the ever-evolving threat landscape. Recommended read:
References :
@socprime.com
//
A critical vulnerability, identified as CVE-2025-5777 and nicknamed "CitrixBleed 2," has been discovered in Citrix NetScaler ADC and Gateway. This memory disclosure vulnerability allows unauthenticated remote attackers to extract sensitive information, including session tokens and credentials, from affected devices. Security researchers and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirm that this flaw is being actively exploited in the wild. The vulnerability is particularly concerning due to its similarity to the infamous CVE-2023-4966, or "CitrixBleed," which also led to widespread exploitation and session hijacking. The ease of exploitation and the potential for bypassing multi-factor authentication (MFA) make this a significant threat to organizations globally.
Exploitation of CitrixBleed 2 reportedly began as early as mid-June, with proof-of-concept exploits now publicly available. This has led to a surge in scanning activity as attackers search for vulnerable systems. The U.S. government has been alerted to the severity of the threat, with CISA issuing an urgent directive for federal agencies to patch their NetScaler systems within 24 hours. Despite this, concerns remain that a significant portion of Citrix customers have not yet applied the necessary patches, mirroring the delayed response seen during the previous CitrixBleed crisis. The ability for attackers to hijack existing user sessions and gain unauthorized access to critical systems highlights the urgent need for immediate mitigation. The technical details of CVE-2025-5777 reveal that it stems from insufficient input validation, leading to memory overreads when NetScaler is configured as a Gateway or an AAA virtual server. Attackers can trigger a memory leak by sending specially crafted HTTP requests to the NetScaler login endpoint. The leaked memory can contain sensitive session tokens, allowing attackers to impersonate authenticated users and bypass MFA, thereby gaining access to internal networks. The potential consequences of successful exploitation range from data breaches and ransomware attacks to the disruption of critical operations across various sectors, including finance and healthcare. Organizations are strongly advised to update their Citrix NetScaler devices to the latest fixed versions immediately. Recommended read:
References :
@cyberpress.org
//
Iranian advanced persistent threat (APT) groups have significantly escalated their cyberattacks against critical U.S. infrastructure, with a notable 133% surge in activity observed during May and June 2025. The transportation and manufacturing sectors have been identified as the primary targets of these intensified operations. This trend aligns with ongoing geopolitical tensions, as well as recent warnings issued by U.S. authorities like CISA and the Department of Homeland Security, which highlighted U.S. entities as prime targets for Iranian cyber actors.
Nozomi Networks Labs reported a total of 28 distinct cyber incidents linked to Iranian APTs during May and June, a substantial increase from the 12 incidents recorded in the preceding two months. Among the most active groups identified are MuddyWater, which targeted at least five U.S. companies primarily in the transportation and manufacturing sectors, and APT33, responsible for attacks on at least three U.S. entities. Other groups such as OilRig, CyberAv3ngers, Fox Kitten, and Homeland Justice were also observed conducting attacks against U.S. companies in these critical industries. The resurfacing of the Iranian-backed Pay2Key ransomware, now operating as Pay2Key.I2P, further highlights the evolving threat landscape. This ransomware-as-a-service operation, linked to the Fox Kitten APT group, is reportedly offering an 80% profit share to affiliates targeting Iran's adversaries, including the U.S. and Israel. This financially motivated scheme has also demonstrated an ideological commitment, with claims of over 51 successful ransom payouts, netting substantial profits. The use of the Invisible Internet Project (I2P) for its infrastructure represents a notable shift in RaaS operations, potentially enhancing its evasiveness. Recommended read:
References :
@socprime.com
//
Citrix NetScaler ADC and Gateway systems are currently facing a critical security threat, identified as CVE-2025-5777, and widely nicknamed "CitrixBleed 2". This vulnerability, similar to the infamous CitrixBleed from 2023, allows unauthenticated attackers to exploit memory overread issues. This exploitation can lead to the disclosure of sensitive information, including session tokens and user credentials, enabling attackers to bypass multi-factor authentication and hijack active remote sessions. Security researchers have noted that exploitation of this flaw began as early as mid-June, with evidence pointing to its use in active hacking campaigns.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added CVE-2025-5777 to its Known Exploited Vulnerabilities catalog, citing evidence of active exploitation. This designation carries significant weight, and CISA has issued a stern warning, urging federal civilian agencies to apply necessary patches within 24 hours. The urgency stems from the understanding that vulnerabilities like this are frequent vectors for malicious cyber actors, posing a substantial risk to government and corporate networks. While Citrix initially released guidance and patches in June, concerns have been raised about the vendor's response in acknowledging the widespread exploitation of this critical flaw. The exploitation of CitrixBleed 2, alongside other critical vulnerabilities like CVE-2025-5349 and CVE-2025-6543, presents a significant risk to organizations. CVE-2025-5777 specifically allows attackers to steal session tokens, effectively enabling them to impersonate authenticated users and bypass security measures like MFA. This is a direct echo of the impact of the original CitrixBleed vulnerability, which was widely abused by nation-state actors and ransomware groups. The ongoing exploitation means that a considerable portion of the Citrix NetScaler user base may still be vulnerable, underscoring the critical need for immediate patching and diligent security practices. Recommended read:
References :
@blog.checkpoint.com
//
Scattered Spider, a financially motivated cyber threat group, has significantly expanded its targeting, with recent intelligence highlighting a new focus on the aviation sector. Known for its aggressive social engineering tactics and identity-focused intrusions, the group has previously targeted telecommunications, SaaS, cloud, and financial services by hijacking user identities and exploiting authentication flows. The FBI has issued a warning, indicating that airlines are now directly in the crosshairs of Scattered Spider. Their methods often involve sophisticated techniques such as SIM swapping, impersonating helpdesk personnel, and employing adversary-in-the-middle (AiTM) phishing to obtain valid credentials and tokens, frequently bypassing multi-factor authentication (MFA). This broader targeting strategy underscores the evolving and increasingly pervasive threat posed by this group.
In a significant development that underscores the reach of Scattered Spider, UK authorities have arrested four individuals linked to a spree of cyberattacks that crippled major British retailers, including Marks & Spencer, Harrods, and the Co-op earlier this year. The arrests, which involved individuals aged 17 to 20, are a major step in a high-priority investigation. The National Crime Agency (NCA) confirmed the arrests, suspecting the individuals of Computer Misuse Act offenses, blackmail, money laundering, and participation in organized crime. These retail attacks caused substantial disruption, with Marks & Spencer estimating losses of around £300 million due to the incident. The methods employed in these attacks, which reportedly included gaining access through social engineering to deploy ransomware, align with Scattered Spider's known modus operandi. The growing threat posed by Scattered Spider has prompted cybersecurity experts to issue alerts, particularly concerning their expansion into the aviation sector. The group's ability to effectively compromise user identities and bypass security measures like MFA makes them a formidable adversary. Their recent targeting of airlines, following major disruptions in the retail sector, signifies a dangerous escalation. Companies within the aviation industry, and indeed across all sectors, must remain vigilant and bolster their identity-centric defenses to counter the sophisticated tactics employed by Scattered Spider, which include advanced phishing kits, dynamic command and control infrastructure, and custom malware for persistent access. Recommended read:
References :
@databreaches.net
//
McDonald's has been at the center of a significant data security incident involving its AI-powered hiring tool, Olivia. The vulnerability, discovered by security researchers, allowed unauthorized access to the personal information of approximately 64 million job applicants. This breach was attributed to a shockingly basic security flaw: the AI hiring platform's administrator account was protected by the default password "123456." This weak credential meant that malicious actors could potentially gain access to sensitive applicant data, including chat logs containing personal details, by simply guessing the username and password. The incident raises serious concerns about the security measures in place for AI-driven recruitment processes.
The McHire platform, which is utilized by a vast majority of McDonald's franchisees to streamline the recruitment process, collects a wide range of applicant information. Researchers were able to access chat logs and personal data, such as names, email addresses, phone numbers, and even home addresses, by exploiting the weak password and an additional vulnerability in an internal API. This means that millions of individuals who applied for positions at McDonald's may have had their private information compromised. The ease with which this access was gained highlights a critical oversight in the implementation of the AI hiring system, underscoring the risks associated with inadequate security practices when handling large volumes of sensitive personal data. While the security vulnerability has reportedly been fixed, and there are no known instances of the exposed data being misused, the incident serves as a stark reminder of the potential consequences of weak security protocols, particularly with third-party vendors. The responsibility for maintaining robust cybersecurity standards falls on both the companies utilizing these technologies and the vendors providing them. This breach emphasizes the need for rigorous security testing and the implementation of strong, unique passwords and multi-factor authentication to protect applicant data from falling into the wrong hands. Companies employing AI in sensitive processes like hiring must prioritize data security to maintain the trust of job seekers and prevent future breaches. Recommended read:
References :
@securelist.com
//
Developers using the AI-powered coding assistant Cursor have fallen victim to a sophisticated crypto heist, losing an estimated $500,000. The incident involved a malicious extension, disguised as a legitimate tool for Solidity developers, which was distributed through the Open VSX marketplace. This marketplace, which serves as a source for extensions for AI development tools like Cursor, does not undergo the same stringent security checks as other marketplaces, creating a vulnerability that attackers exploited. The fake extension, titled "Solidity Language," managed to gain tens of thousands of downloads, likely boosted by bot activity, and successfully deceived even experienced users.
The malicious extension operated by silently executing PowerShell scripts and installing remote access tools on the victim's computer. Upon installation, the extension contacted a command-and-control server to download and run these harmful scripts. The attackers then leveraged the installed remote access application, ScreenConnect, to gain full control of the compromised system. This allowed them to upload additional malicious payloads, specifically targeting the developer's crypto wallet passphrases and ultimately siphoning off approximately $500,000 in cryptocurrency assets. The attackers also employed algorithm tricks to ensure the malicious extension ranked highly in search results, further increasing its visibility and the likelihood of it being downloaded by unsuspecting developers. This incident highlights a growing trend of attacks that leverage vulnerabilities within the open-source software ecosystem. While the Solidity Language extension itself offered no actual functionality, its deceptive appearance and elevated search ranking allowed it to trick users into installing malware. Security experts are urging developers to exercise extreme caution when installing extensions, emphasizing the importance of verifying extension authors and using robust security tools. The weaponization of AI-enhanced development tools serves as a stark reminder that the very tools designed to enhance productivity can be turned into vectors for significant financial loss if not handled with the utmost security awareness. Recommended read:
References :
Eric Geller@cybersecuritydive.com
//
References:
www.cybersecuritydive.com
Businesses are facing a growing wave of sophisticated phishing attacks, with mobile-based scams seeing a significant surge. Reports indicate that nearly six in ten companies have experienced incidents involving voice or text phishing that resulted in executive impersonation. Despite the prevalence of these attacks, with 77% of companies experiencing at least one such incident in the past six months, a concerningly low number of businesses, only half of those surveyed, express significant concern. This overconfidence leaves organizations more vulnerable than they realize, as attackers increasingly leverage mobile channels to trick employees into revealing credentials. These tactics often bypass traditional security measures, making detection incredibly difficult until irreversible damage has occurred.
The threat landscape is further complicated by the emergence of AI-generated content used to create highly convincing phishing lures. Researchers have noted that AI-powered search engine summaries are mistakenly suggesting phishing sites when users are attempting to find legitimate login pages. This fusion of AI and social engineering techniques makes these scams harder to identify and defend against. Compounding these issues, a major data leak involving McDonald's recruitment chatbot, Olivia, highlighted a critical security oversight. An administrator account was found using the default password "123456," potentially exposing sensitive data from over 60 million job applications. This breach underscores how basic security flaws can lead to massive data exposure in even advanced systems. To combat this escalating threat, companies are strongly advised to bolster their security awareness training programs and implement more robust security measures. The use of AI in crafting phishing campaigns, coupled with the pervasive nature of mobile attacks and basic security vulnerabilities, creates a more dangerous environment for businesses. Organizations must prioritize comprehensive training that educates employees on recognizing these advanced social engineering tactics and reinforce the importance of strong, unique passwords and multi-factor authentication across all systems. Proactive security strategies are essential to protect sensitive data and maintain operational integrity in the face of evolving cyber threats. Recommended read:
References :
|
