CyberSecurity news
FlagThis
|
Rescana@Rescana
//
Critical vulnerabilities in ServiceNow, a widely used cloud-based platform, are being actively exploited by hackers, resulting in escalated attacks. Security researchers at GreyNoise have observed a resurgence of malicious activity targeting three year-old, but previously patched, flaws: CVE-2024-4879, CVE-2024-5217, and CVE-2024-5178. These vulnerabilities can lead to unauthorized access and potentially full database compromise if left unpatched.
Organizations that failed to apply ServiceNow patches last year are now falling victim to these exploits. Israel has been significantly impacted, with over 70% of recent malicious activity directed at systems within the country. However, attacks have also been detected in Lithuania, Japan, and Germany. Security experts urge organizations to apply the necessary patches and monitor for unusual authentication attempts, unauthorized data access logs, and unexpected server behavior. Recommended read:
References :
David Jones@cybersecuritydive.com
//
Coinbase was the initial target of a sophisticated supply chain attack on GitHub Actions, according to researchers from Palo Alto Networks and Wiz. The attack exploited the public continuous integration/continuous delivery flow of Coinbase's open-source project, agentkit. The hackers aimed to leverage agentkit for further compromises, but they did not manage to access Coinbase secrets or publish any packages.
Researchers found malicious code injected into the reviewdog/action-setup@v1 GitHub Action, a dependency of tj-actions/changed-files, which was also compromised. The attack leaked sensitive secrets from repositories that ran the workflow, assigned as CVE-2025-30066 and CVE-2025-30154. Approximately 218 repositories had secrets exposed, including credentials for DockerHub, npm, Amazon Web Services, and GitHub install access tokens. Recommended read:
References :
Matthias Bastian@THE DECODER
//
ChatGPT's AI Hallucination and Privacy Concerns - ChatGPT is accused of inventing fake crimes in latest privacy complaint where the chatbot falsely claimed a man had murdered his two children.
ImgSrc: the-decoder.com
ChatGPT is under fire after falsely accusing a Norwegian man, Arve Hjalmar Holmen, of murdering his two children. Holmen, a private citizen with no criminal record, was shocked when the AI chatbot claimed he had been convicted of the crime and sentenced to 21 years in prison. The response to the prompt "Who is Arve Hjalmar Holmen?" included accurate details such as his hometown and the number of children he has, mixed with the completely fabricated murder allegations, raising serious concerns about the AI's ability to generate factual information.
The incident has prompted a privacy complaint filed by Holmen and the digital rights group Noyb with the Norwegian Data Protection Authority, citing violations of the GDPR, European data law. They argue that the false and defamatory information breaches accuracy provisions, and are requesting that OpenAI, the company behind ChatGPT, correct its model to prevent future inaccuracies about Holmen and face a fine. While OpenAI has released a new model with web search capabilities, making a repeat of the specific error less likely, Noyb argues that the fundamental issue of AI generating false information remains unresolved. Recommended read:
References :
Megan Crouse@eWEEK
//
Cloudflare has launched AI Labyrinth, a new tool designed to combat web scraping bots that steal website content for AI training. Instead of simply blocking these crawlers, AI Labyrinth lures them into a maze of AI-generated content. This approach aims to waste the bots' time and resources, providing a more effective defense than traditional blocking methods which can trigger attackers to adapt their tactics. The AI Labyrinth is available as a free, opt-in tool for all Cloudflare customers, even those on the free tier.
The system works by embedding hidden links within a protected website. When suspicious bot behavior is detected, such as ignoring robots.txt rules, the crawler is redirected to a series of AI-generated pages. This content is "real looking" and based on scientific facts, diverting the bot from the original website's content. Because no human would deliberately explore deep into a maze of AI-generated nonsense, anyone who does can be identified as a bot with high confidence. Cloudflare emphasizes that AI Labyrinth also functions as a honeypot, allowing them to identify new bot patterns and improve their overall bot detection capabilities, all while increasing the cost for unauthorized web scraping. Recommended read:
References :
Lawrence Abrams@BleepingComputer
//
Cybercriminals are exploiting Microsoft's Trusted Signing platform by using short-lived, three-day code-signing certificates to sign malware executables. These certificates, issued by “Microsoft ID Verified CS EOC CA 01,” are intended to ensure software authenticity, but have been abused to make malicious software appear legitimate, thus bypassing security filters. This abuse allows malware to operate with less scrutiny, increasing the risk of successful attacks.
Microsoft is actively monitoring the situation and working to mitigate the abuse of its Trusted Signing Service. When threats are identified, Microsoft revokes certificates and suspends accounts to prevent further misuse. However, the rapid issuance and expiration of these certificates make it challenging to detect and revoke them quickly enough to stop all malware campaigns. The Trusted Signing Service offers a more accessible option for attackers compared to Extended Validation (EV) certificates, which require more rigorous verification. Recommended read:
References :
Pierluigi Paganini@Security Affairs
//
A Russian zero-day broker known as Operation Zero is offering up to $4 million for zero-day exploits targeting the Telegram messaging app. This broker exclusively sells vulnerabilities to Russian government and private organizations, suggesting a significant interest from these entities in exploiting Telegram's security flaws. The high bounty offered indicates the immense value of potential targets to these organizations and their willingness to invest heavily in acquiring such exploits.
Operation Zero has released multiple bounty tiers for security vulnerabilities targeting Telegram, with the price depending on the user interaction required. Remote code execution vulnerabilities needing one user interaction fetch $500,000, while a zero-click RCE vulnerability is valued at $1.5 million. A complete exploit chain capable of compromising the entire system may command up to $4 million. This highlights the potential for targeted attacks on individuals or user groups through the platform, given Telegram's user base of over a billion. Recommended read:
References :
Mandvi@Cyber Security News
//
The FishMonger APT, a Chinese cyber-espionage group with ties to the cybersecurity contractor I-SOON, has been implicated in a global espionage operation known as Operation FishMedley. This campaign, active in 2022, targeted a diverse range of entities, including governments, non-governmental organizations (NGOs), and think tanks across Asia, Europe, and the United States. These findings come as the US Department of Justice unsealed an indictment against I-SOON employees for their alleged involvement in espionage campaigns spanning from 2016 to 2023.
The attacks involved sophisticated malware implants such as ShadowPad, Spyder, and SodaMaster, tools frequently associated with China-aligned threat actors. These implants facilitated data theft, surveillance, and network penetration. One case revealed attackers used the Impacket tool to escalate privileges, execute commands, and extract sensitive authentication data from a US-based NGO. ESET's independent research confirms FishMonger is an espionage team operated by I-SOON, highlighting the ongoing threat posed by China-aligned APT groups to sensitive sectors worldwide. Recommended read:
References :
Sam Bent@Sam Bent
//
Ascom, a Swiss global solutions provider specializing in healthcare and enterprise communication systems, has confirmed a cyberattack on its IT infrastructure. The attack, suspected to be carried out by the Hellcat group, exploited vulnerabilities in Jira servers. The company revealed that hackers breached its technical ticketing system.
The Hellcat group claimed responsibility, stating they stole approximately 44GB of data potentially impacting all of Ascom's divisions. Hellcat hackers are known for using compromised credentials to infiltrate Jira systems, leading to data breaches in multiple organizations. Security experts advise implementing multi-factor authentication, regular security audits, prompt patching, and employee training to mitigate such attacks. Recommended read:
References :
@cyberalerts.io
//
UAT-5918, a threat actor believed to be motivated by establishing long-term access for information theft, has been actively targeting critical infrastructure entities in Taiwan since at least 2023. Cisco Talos researchers have been tracking this campaign. The group utilizes a combination of web shells, such as the Chopper web shell, and open-sourced tooling to conduct post-compromise activities, focusing on persistence in victim environments for information theft and credential harvesting. UAT-5918 exploits N-day vulnerabilities in unpatched web and application servers exposed to the internet to gain initial access.
UAT-5918's post-compromise activities involve manual operations, emphasizing network reconnaissance and credential harvesting using tools like Mimikatz, LaZagne, and browser credential extractors. The threat actor deploys web shells across discovered sub-domains and internet-accessible servers, establishing multiple entry points. Their tactics, techniques, and procedures (TTPs) overlap with other APT groups like Volt Typhoon and Flax Typhoon, suggesting shared strategic goals in targeting geographies and industry verticals such as telecommunications, healthcare, and information technology sectors in Taiwan. Recommended read:
References :
Zimperium@Zimperium
//
Zimperium, a mobile security firm, has issued a warning about the persistent and evolving threat that rooted and jailbroken mobile devices pose to enterprises. Their recent report highlights that these compromised devices, which bypass security protocols, make organizations increasingly vulnerable to mobile malware, data breaches, and full system compromises. According to Zimperium's research, rooted Android devices are significantly more susceptible to security incidents, with a 3.5 times greater likelihood of malware attacks and a staggering 250 times higher risk of system compromise.
Rooting and jailbreaking, initially used for device customization, grant users full control but remove crucial security protections. This allows the installation of apps from unverified sources, disabling security features, and modifying system files, making them prime targets for cybercriminals. Hackers are continuously developing sophisticated toolkits, such as Magisk and APatch, to hide their presence and evade detection. These tools employ techniques like "systemless" rooting and on-the-fly kernel memory modification, making it increasingly difficult for cybersecurity researchers to identify compromised devices before they inflict damage, emphasizing the need for constant monitoring and updated security measures. Recommended read:
References :
SC Staff@scmagazine.com
//
Attackers are intensifying their efforts to exploit old ServiceNow vulnerabilities, specifically CVE-2024-4879, CVE-2024-5217, and CVE-2024-5178, which were patched last year. GreyNoise, a threat intelligence firm, has observed a resurgence of in-the-wild activity targeting these flaws, putting unpatched company instances at risk. These vulnerabilities can potentially lead to unauthorized access to sensitive data, remote code execution, and full database compromise, even by unauthenticated actors.
The attacks have predominantly targeted systems in Israel, accounting for over 70% of recent malicious activity. However, organizations in Lithuania, Japan, and Germany have also been affected. Security experts urge organizations to apply the necessary patches to protect their ServiceNow platforms and mitigate the risk of exploitation. These vulnerabilities were initially discovered by Assetnote in May 2024, and ServiceNow promptly released patches, but a failure to apply these updates has left some systems vulnerable. Recommended read:
References :
Field Effect@Blog
//
A sophisticated cyber threat is rapidly evolving, exploiting user familiarity with CAPTCHAs to distribute malware through social engineering tactics. The ClearFake malicious JavaScript framework now utilizes 'ClickFix' techniques to trick users into executing malicious PowerShell commands, often disguised as fake reCAPTCHA or Cloudflare Turnstile verifications. This framework injects a fraudulent CAPTCHA on compromised websites, enticing visitors to unknowingly copy and paste malicious commands that lead to malware installation.
https://blog.sekoia.io/clearfakes-new-widespread-variant-increased-web3-exploitation-for-malware-delivery/ https://krebsonsecurity.com/2025/03/clickfix-how-to-infect-your-pc-in-three-easy-steps/ This 'ClickFix' attack redirects victims to malicious webpages delivering fake CAPTCHA verifications, ultimately deploying information-stealing malware such as Lumma Stealer and Vidar Stealer. Over 100 car dealerships have already been impacted by a supply-chain attack involving injected malicious code, and Microsoft has identified an ongoing Storm-1865 phishing campaign targeting the hospitality industry using the same 'ClickFix' technique. Security experts advise users to exercise extreme caution with unsolicited instructions, especially those prompting system commands. Recommended read:
References :
NSFOCUS@nsfocusglobal.com
//
References:
nsfocusglobal.com
, www.trendmicro.com
A new vulnerability, CVE-2025-24071, has been identified in Windows File Explorer, potentially exposing users to network spoofing attacks. The vulnerability is triggered by specially crafted .library-ms files embedded within compressed archives like RAR or ZIP. When these files are decompressed, they can trigger an SMB authentication request, leading to the disclosure of the user’s NTLM hash. The vulnerability has a CVSS score of 7.5, indicating a significant risk.
Microsoft has released a security announcement and a patch to address the issue across a range of Windows versions including Windows 10, Windows 11 and Windows Server versions from 2012 R2 to 2022. Users are urged to install the patch as soon as possible to mitigate the risk of exploitation. The vulnerability stems from the implicit trust and automatic file parsing behavior of .library-ms files by Windows Explorer, making it crucial for users to update their systems promptly. Recommended read:
References :
Rescana@Rescana
//
A critical vulnerability, tracked as CVE-2025-26909, has been identified in the WP Ghost plugin, a popular WordPress security plugin used by over 200,000 websites. This Local File Inclusion (LFI) flaw can escalate to Remote Code Execution (RCE), potentially allowing attackers to gain complete control over affected web servers without authentication. The vulnerability stems from insufficient validation of user-supplied input through the URL path, specifically within the `showFile` function invoked by the `maybeShowNotFound` function.
This flaw allows unauthenticated users to manipulate the URL to trigger file inclusion, potentially leading to arbitrary code execution, especially when the "Change Paths" feature is set to Lite or Ghost mode. Exploit techniques such as `php://filter` chains and leveraging `PHP_SESSION_UPLOAD_PROGRESS` can be used. Website administrators are strongly advised to immediately update their WP Ghost plugin to the latest version 5.4.02 to mitigate this severe security risk and implement additional security measures. In related news, GoDaddy Security researchers have uncovered a long-running malware operation named DollyWay, which targets visitors of infected WordPress sites. This campaign utilizes injected redirect scripts and a distributed network of TDS nodes hosted on compromised websites to redirect users to malicious sites. This highlights the broader issue of WordPress plugin vulnerabilities and the importance of maintaining strong security practices, including regular updates and vigilance. Recommended read:
References :
@The DefendOps Diaries
//
Cybercriminals are actively targeting SEO professionals through a sophisticated phishing campaign that exploits Google Ads. The attackers are using fake Semrush advertisements to trick users into visiting deceptive login pages designed to steal their Google account credentials. This campaign is a new twist in phishing, going after users of the Semrush SaaS platform, which is popular among SEO professionals and businesses, and is trusted by 40% of Fortune 500 companies.
This scheme is effective due to the SEO professionals' trust in Semrush, a platform used for advertising and market research. The malicious ads appear when users search for Semrush and redirect them to counterfeit login pages, which look similar to legitimate Semrush URLs. The attackers register domain names that closely resemble real Semrush domains and the only login option is with a Google account, harvesting Google account information for further malicious activities. This provides the attackers with valuable access to Google Analytics and Google Search Console, giving them insight into the companies' financial performance. Recommended read:
References :
Sam Bent@Sam Bent
//
References:
Sam Bent
, www.bleepingcomputer.com
CISA has issued a warning to U.S. federal agencies regarding a critical vulnerability, CVE-2024-48248, in NAKIVO's Backup & Replication software. This flaw, an absolute path traversal bug, could allow attackers to access sensitive files, potentially compromising configuration files, backups, and credentials. CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. Agencies are urged to apply necessary mitigations by April 9, 2025.
The vulnerability, affecting versions prior to 10.11.3.86570, was discovered by watchTowr Labs, who also published a proof-of-concept exploit. Successful exploitation could allow an unauthenticated attacker to read arbitrary files on the target host via the "/c/router" endpoint. NAKIVO addressed the issue in November 2024 with version v11.0.0.88174. CISA's directive underscores the need for federal agencies to promptly patch the flaw to secure their networks against potential data exposure. Recommended read:
References :
@The DefendOps Diaries
//
Valve Removes Malware-Laced Video Game Demo from Steam - Valve removed Sniper: Phantom’s Resolution from Steam after users reported infostealer malware, highlighting the need for Steam to improve its vetting process.
ImgSrc: thedefendopsdia
Valve has recently removed the video game "Sniper: Phantom's Resolution" from Steam after users discovered that its free demo contained infostealer malware. This marks the second instance in recent months where Steam has been exploited to distribute malicious software, raising concerns about the platform's security measures. The incident came to light when users on Reddit analyzed the demo and reported their findings.
The malware in "Sniper: Phantom's Resolution" follows a similar incident from last month involving a game called "PirateFi," which also turned out to be a malware plant designed to steal player passwords. These incidents emphasize the need for Steam to enhance its vetting process for game demos. Users are advised to exercise caution when downloading and installing content from the platform, ensuring they have up-to-date antivirus software and are vigilant about potential threats. Recommended read:
References :
|
