David Jones@cybersecuritydive.com
//
The cybersecurity community is on high alert over active exploitation of a critical vulnerability in Citrix NetScaler ADC and NetScaler Gateway, dubbed CitrixBleed 2 (CVE-2025-5777). The flaw is an out-of-bounds memory read rather than a memory leak in the resource sense: insufficient input validation lets crafted requests return fragments of appliance memory, which can contain session tokens, credentials and other sensitive data. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added it to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation, and has given federal agencies an unusually short 24-hour deadline to patch, underscoring the risk to government and enterprise networks.
CitrixBleed 2, which researchers have compared to the 2023 NetScaler flaw CVE-2023-4966 (the original CitrixBleed), lets attackers bypass multi-factor authentication (MFA) and hijack user sessions. The over-read allows unauthenticated attackers to read memory from NetScaler appliances configured as a Gateway (VPN virtual server, ICA Proxy, CVPN or RDP Proxy) or as an AAA virtual server. Exploitation appears to have begun in late June, with reports indicating that some of the attackers may be linked to ransomware groups. Because a leaked session token can be replayed to impersonate an already-authenticated user, MFA offers no protection once the token is out, which is what makes the bug so dangerous for organizations that rely on these products for remote access.

Researchers have confirmed widespread scanning and probing for the vulnerability, and CISA's KEV listing is a strong signal for every organization to patch its NetScaler ADC and Gateway appliances immediately. Patching alone does not invalidate tokens that were already leaked: Citrix's advisory recommends terminating all active ICA and PCoIP sessions after the upgrade (`kill icaconnection -all` and `kill pcoipConnection -all` from the NetScaler CLI) so that stolen tokens cannot be replayed, and it is worth reviewing authentication logs for sessions whose source address changes mid-session. Leaving the flaw unpatched exposes the network to session hijacking that can lead to data breaches and operational disruption.
References :
The Hacker News (info@thehackernews.com)
//
Fortinet has issued a patch for a critical SQL injection vulnerability in FortiWeb, its web application firewall. Tracked as CVE-2025-25257, the flaw sits in the Fabric Connector component and allows an unauthenticated attacker to execute unauthorized SQL statements, which researchers have shown can be turned into arbitrary command execution on the appliance. The root cause is improper neutralization of attacker-controlled input: a value taken from a specially crafted HTTP request is spliced into a SQL query without sanitization or parameter binding. The vulnerability carries a CVSS score of 9.8 out of 10.
The affected releases are FortiWeb 7.6.0 through 7.6.3, 7.4.0 through 7.4.7, 7.2.0 through 7.2.10 and 7.0.0 through 7.0.10. The Fabric Connector is the middleware that links FortiWeb with other Fortinet products for dynamic security updates, and its token-based authentication is where the bug lives: the value carried in the HTTP Authorization header (a Bearer token) is placed into a SQL query unescaped, so an attacker who controls that header controls part of the query and can pass the authentication check without a valid token. Researchers have demonstrated escalation to full system compromise by using MySQL's INTO OUTFILE to write a file into a location the appliance's Python interpreter loads on startup (a .pth file in site-packages), after which invoking a Python CGI script on the device executes attacker-controlled code.

Given the severity and the public availability of proof-of-concept exploits, Fortinet urges all users of affected versions to patch immediately: upgrade to FortiWeb 7.6.4, 7.4.8, 7.2.11, 7.0.11 or later. As a temporary workaround, disabling the HTTP/HTTPS administrative interface reduces exposure until the patch can be applied; note that this removes the web UI entirely, so plan for CLI or console management in the meantime. Administrators should also treat any appliance that was reachable while vulnerable as potentially compromised and review it for unexpected files, accounts or cron entries.
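The bug class, as an added illustration rather than Fortinet's code: a token pulled from the Authorization header is spliced into a SQL string, beside the parameterized form that closes the hole. The table, the token values, the header parsing and the `api_tokens` name are constructed for the demo, and SQLite stands in for MySQL (so the INTO OUTFILE escalation is not shown, only the authentication bypass).

```python
"""Added example (not Fortinet code): SQL injection through a Bearer token,
vulnerable lookup beside the parameterized fix. All data is constructed."""
import sqlite3


def bearer_token(headers):
    """Pull the token out of 'Authorization: Bearer <token>' (hypothetical header handling)."""
    auth = headers.get("Authorization", "")
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    return token.strip()


def make_db():
    """In-memory stand-in for the appliance's token table (constructed schema and row)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE api_tokens (user TEXT, token TEXT)")
    conn.execute("INSERT INTO api_tokens VALUES ('admin', 'c0ffee-real-token')")
    conn.commit()
    return conn


def lookup_user_vulnerable(conn, headers):
    """Vulnerable: the token is formatted into the SQL text, so header bytes become SQL syntax."""
    token = bearer_token(headers)
    if token is None:
        return None
    sql = f"SELECT user FROM api_tokens WHERE token = '{token}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_user_fixed(conn, headers):
    """Fixed: the token travels as a bound parameter and can never change the query's shape."""
    token = bearer_token(headers)
    if token is None:
        return None
    row = conn.execute("SELECT user FROM api_tokens WHERE token = ?", (token,)).fetchone()
    return row[0] if row else None


def demo():
    """Run both lookups with a legitimate token and with an injected always-true condition."""
    conn = make_db()
    legit = {"Authorization": "Bearer c0ffee-real-token"}
    # Constructed payload: closes the string literal and appends a tautology.
    forged = {"Authorization": "Bearer x' OR '1'='1"}
    return {
        "vuln_legit": lookup_user_vulnerable(conn, legit),    # 'admin'
        "vuln_forged": lookup_user_vulnerable(conn, forged),  # 'admin' with no valid token
        "fixed_legit": lookup_user_fixed(conn, legit),        # 'admin'
        "fixed_forged": lookup_user_fixed(conn, forged),      # None
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The forged header passes the vulnerable check because the query becomes `... WHERE token = 'x' OR '1'='1'`; the parameterized version compares the whole injected string against the stored token and finds nothing. A WAF rule on the header is a stopgap; the fix is binding, as in the second function.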
References :
@cyberscoop.com
//
Cybersecurity researchers have identified a critical set of vulnerabilities, collectively named PerfektBlue, affecting OpenSynergy's BlueSDK Bluetooth stack. These flaws, which can be chained together to achieve remote code execution, pose a significant risk to millions of vehicles. Automakers such as Mercedes-Benz, Volkswagen, and Skoda are confirmed to be impacted, along with an additional unnamed manufacturer. The vulnerabilities could allow attackers, within Bluetooth range, to compromise infotainment systems, potentially leading to unauthorized access to sensitive vehicle functions.
The PerfektBlue chain combines a critical use-after-free bug in the AVRCP service (CVE-2024-45434) with weaknesses in the L2CAP and RFCOMM layers. Successful exploitation gives the attacker arbitrary code execution on the infotainment unit, from which they could read GPS coordinates, record audio through the cabin microphone, pull contact lists, and attempt to pivot toward more critical systems. Infotainment is usually separated from the vehicle's control networks, but the strength of that separation varies by manufacturer, so on some platforms the head unit is a real pathway toward core vehicle functions.

OpenSynergy confirmed the flaws and released patches in September 2024, but many automakers have not yet shipped the updates to vehicles, leaving a large fleet exposed. The attack requires pairing with the infotainment system over Bluetooth; how much user interaction that takes depends on the manufacturer's implementation and ranges from a single confirmation tap to none at all. Until the patched BlueSDK reaches deployed head units, a significant number of cars remain vulnerable.
References :
The Hacker News (info@thehackernews.com)
//
A significant security vulnerability, dubbed GPUHammer, has been demonstrated against NVIDIA GPUs, specifically targeting GDDR6 memory. Researchers from the University of Toronto have successfully executed a Rowhammer attack variant on an NVIDIA A6000 GPU, causing bit flips in the memory. This type of attack exploits the physical behavior of DRAM chips, where rapid access to one memory row can induce errors, or bit flips, in adjacent rows. While Rowhammer has been a known issue for CPUs, this marks the first successful demonstration against a discrete GPU, raising concerns about the integrity of data and computations performed on these powerful processors, especially within the burgeoning field of artificial intelligence.
The consequences for machine learning models are stark. In a proof of concept, a single bit flip in a deep neural network's weights dropped its accuracy from 80% to 0.1%. A model corrupted this way still runs and still returns answers, so this is an integrity failure rather than an availability failure, and it is hard to notice without an independent check. NVIDIA has acknowledged the findings and is urging customers to enable System-level Error Correction Code (ECC) on GDDR6 GPUs. ECC detects and corrects single-bit errors in memory and, in the researchers' testing, neutralized the Rowhammer-induced flips. NVIDIA's guidance covers a wide range of its professional and data-center architectures, including Blackwell, Hopper, Ada, Ampere and Turing.

Two practical notes: ECC is not enabled by default on many workstation GDDR6 cards, and enabling it costs some memory capacity and bandwidth, so check the current state with `nvidia-smi -q -d ECC` and enable it with `nvidia-smi -e 1` (a reboot is required for the change to take effect). Consumer-grade GPUs may offer limited or no ECC support; NVIDIA points customers with integrity requirements toward its enterprise and data-center products, many of which ship with ECC enabled by default.
References :
@cyberpress.org
//
Iranian advanced persistent threat (APT) groups have significantly escalated their cyberattacks against critical U.S. infrastructure, with a notable 133% surge in activity observed during May and June 2025. The transportation and manufacturing sectors have been identified as the primary targets of these intensified operations. This trend aligns with ongoing geopolitical tensions, as well as recent warnings issued by U.S. authorities like CISA and the Department of Homeland Security, which highlighted U.S. entities as prime targets for Iranian cyber actors.
Nozomi Networks Labs recorded 28 distinct cyber incidents linked to Iranian APTs during May and June, up from 12 in the preceding two months. The most active groups were MuddyWater, which targeted at least five U.S. companies, mainly in transportation and manufacturing, and APT33, responsible for attacks on at least three U.S. entities. OilRig, CyberAv3ngers, Fox Kitten and Homeland Justice were also observed attacking U.S. companies in these industries.

The reappearance of the Iranian-backed Pay2Key ransomware, now operating as Pay2Key.I2P, adds to the picture. This ransomware-as-a-service operation, linked to the Fox Kitten APT group, is reportedly offering affiliates an 80% profit share for attacks on Iran's adversaries, including the U.S. and Israel, and claims more than 51 successful ransom payouts. The scheme mixes financial motivation with an ideological agenda, and its use of the Invisible Internet Project (I2P) for infrastructure is a notable shift for RaaS operations that may make it harder to track and take down.
References :
@gbhackers.com
//
Cybersecurity experts have identified a significant evolution in the tactics employed by the SLOW#TEMPEST malware group, which is now utilizing advanced obfuscation techniques to bypass detection systems. This latest variant is distributed as an ISO file containing both malicious and seemingly benign files, a common strategy to evade initial scanning. The malware employs DLL sideloading, a technique where a legitimate, signed executable like DingTalk.exe is tricked into loading a malicious DLL, zlibwapi.dll. This loader DLL then decrypts and executes a payload appended to another DLL, ipc_core.dll, creating a multi-stage attack that complicates analysis and detection.
At the core of SLOW#TEMPEST's enhanced evasion are obfuscation methods aimed at both static and dynamic analysis. The malware obfuscates its control flow graph (CFG) with dynamic jumps: the target of an instruction such as JMP RAX is computed at runtime from system state and CPU flags, so a disassembler cannot resolve the destination and the function boundaries it reconstructs are wrong. Function calls are obfuscated the same way, with addresses resolved at runtime, which hides calls to the Windows APIs the malware depends on. Researchers countered this by using the Unicorn CPU emulation framework to isolate and execute the dispatcher routines, recovering the dynamic jump destinations and restoring a readable program flow.

Palo Alto Networks researchers have documented these techniques along with methods and code to detect and defeat them. Their analysis shows the authors actively manipulating execution paths and obscuring function calls to make the code as hard to analyze as possible, which pushes defenders toward emulation and scripting rather than static disassembly. Understanding these tactics is what makes it possible to write robust detection rules for them. Palo Alto Networks states that its customers are protected through products such as Advanced WildFire, Cortex XDR and XSIAM.
References :
@www.csoonline.com
//
References: PrivacyDigest, Talkback Resources
McDonald's AI-powered hiring platform, McHire, has been found to have a significant data breach affecting an estimated 64 million job applicants. Security researchers Ian Carroll and Sam Curry uncovered a critical vulnerability stemming from elementary security oversights. The core of the problem lay in the use of a default administrator password, specifically '123456', which granted unauthorized access to sensitive applicant information. This, combined with an insecure direct object reference (IDOR) vulnerability in an internal API, allowed individuals with a McHire account to potentially access any inbox and retrieve personal data of millions of job seekers.
The breach showed how little effort access required. Using a hidden API in the McHire system, the researchers could view applicant chat data, and changing a single number in the request, the "lead_id", returned names, email addresses, phone numbers and job application details of real McDonald's applicants. The flaw also exposed internal employee data from Paradox.ai, the AI software firm that built McHire, after the researchers obtained admin access to a test restaurant account with the default credentials.

The researchers disclosed their findings and the issue was reportedly patched within days. The incident illustrates two failures that are not specific to AI: a default password that was never rotated, and an API that authenticated the caller but never checked whether the requested record belonged to them. Non-sequential identifiers and rate limiting make enumeration slower, but they do not replace a server-side, per-record authorization check, which is the control that was missing here. Strong, unique credentials and secure API design remain the baseline for protecting personal information at this scale.
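An added illustration of the IDOR pattern described above, not McHire or Paradox.ai code: a lead lookup that trusts the caller-supplied `lead_id`, the same handler with a server-side ownership check, and a sweep of sequential IDs of the kind a tester (or a defender's regression test) uses to measure the exposure. The records, IDs, restaurant numbers and account names are constructed.

```python
"""Added example (not McHire/Paradox.ai code): an insecure direct object reference,
its fix, and an enumeration sweep that measures the leak. All data is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user: str
    restaurant_id: int  # tenant the logged-in account belongs to


@dataclass(frozen=True)
class Lead:
    lead_id: int
    restaurant_id: int
    name: str
    email: str


# Constructed data: two restaurants whose leads share one sequential ID space.
LEADS = {
    1001: Lead(1001, 1, "Alice A.", "alice@example.com"),
    1002: Lead(1002, 2, "Bob B.", "bob@example.com"),
    1003: Lead(1003, 1, "Cara C.", "cara@example.com"),
    1004: Lead(1004, 2, "Dan D.", "dan@example.com"),
}


class Forbidden(Exception):
    pass


def get_lead_vulnerable(session, lead_id):
    """Vulnerable: authentication only. Any logged-in account can fetch any lead_id."""
    if session is None:
        raise Forbidden("login required")
    return LEADS.get(lead_id)


def get_lead_fixed(session, lead_id):
    """Fixed: object-level authorization using the tenant recorded on the session, not the request."""
    if session is None:
        raise Forbidden("login required")
    lead = LEADS.get(lead_id)
    if lead is None or lead.restaurant_id != session.restaurant_id:
        # Same answer for 'missing' and 'not yours' so a sweep cannot confirm which IDs exist.
        return None
    return lead


def idor_sweep(handler, session, id_range):
    """Walk sequential IDs with one low-privilege session; return IDs of other tenants' leads."""
    leaked = []
    for lead_id in id_range:
        try:
            lead = handler(session, lead_id)
        except Forbidden:
            continue
        if lead is not None and lead.restaurant_id != session.restaurant_id:
            leaked.append(lead.lead_id)
    return leaked


if __name__ == "__main__":
    tester = Session(user="test-restaurant-admin", restaurant_id=1)
    print("vulnerable handler leaks:", idor_sweep(get_lead_vulnerable, tester, range(1000, 1010)))
    print("fixed handler leaks:", idor_sweep(get_lead_fixed, tester, range(1000, 1010)))
```

The sweep is the same test whether it is run by a researcher against a live API or by the development team in CI: any ID that comes back with another tenant's data is a finding.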
References :
@cyberalerts.io
//
References: Cyber Security News, securityaffairs.com
Cybersecurity researchers have uncovered critical vulnerabilities in Kigen's eSIM technology, potentially impacting billions of Internet of Things (IoT) devices and mobile networks worldwide. Security Explorations, a research lab, demonstrated that they could compromise Kigen's eUICC cards, a component essential for eSIM functionality. The attack allowed researchers to extract private encryption keys and download arbitrary eSIM profiles from major mobile network operators. This breach raises significant concerns about identity theft and the potential interception of communications for a vast number of connected devices.
The exploitation builds on the lab's 2019 Java Card research, which exposed fundamental weaknesses in virtual machine implementations. The researchers bypassed the security measures of the eUICC chip, the component that stores and manages mobile carrier profiles, by exploiting type confusion in the Java Card VM to gain unauthorized access to chip memory. That gave them critical cryptographic material, including the private ECC key behind the chip's GSMA certificate, and with it the ability to download arbitrary operator profiles. It also undermined the trust model of the eSIM ecosystem, since the profiles and the Java applets stored on the chip turned out to lack proper isolation from one another.

Kigen has acknowledged the issue and deployed mitigations, including hardening bytecode handling and tightening the rules for test profiles, but questions remain about the root cause. The GSMA TS.48 Generic Test Profile, versions 6.0 and earlier, has been identified as a contributing factor because it allows unverified or malicious applets to be installed; the latest version of the standard addresses this. Two points matter for operators assessing exposure: the research relied on that test profile, whose keys are public, to load the malicious applet, and it required physical access to the target eUICC. Even so, the existence of these flaws in widely deployed eSIM technology shows how hard it is to secure the rapidly expanding IoT landscape and how broad the impact could be if they are not addressed.
References :
MalBot@malware.news
//
References: malware.news, thedfirreport.com
Researchers have uncovered a new and sophisticated variant of the Interlock RAT, a remote access trojan associated with the Interlock ransomware group. This latest iteration is written in PHP, marking a departure from previously observed JavaScript-based versions. The malware is being distributed through a widespread campaign that leverages compromised websites and Cloudflare tunnels. The attack chain begins with a single-line script injected into website HTML, often unbeknownst to the website owners. This script employs IP filtering to serve the payload, which then manipulates the user into clicking a captcha for "verification," ultimately leading to the execution of a PowerShell script that deploys the Interlock RAT.
The delivery mechanism for the PHP variant is the KongTuke FileFix technique. Researchers have observed it deploying the PHP version of the Interlock RAT and, in some intrusions, following up with the Node.js variant of the same RAT. The RAT's capabilities include remote control of the compromised system, thorough system reconnaissance and lateral movement within the network, which reflects a growing level of sophistication in the threat actor's tradecraft.

The DFIR Report, in collaboration with Proofpoint, identified the malware and its distribution methods. The observed execution starts with a PowerShell command that deletes a scheduled task named "Updater" before downloading and executing a script from a specific URL; that script in turn abuses a `php.exe` binary dropped in an uncommon location to download and run the RAT. Two detection opportunities follow directly from this chain: PowerShell spawning `php.exe` from a directory where PHP is not normally installed, and a burst of reconnaissance commands such as `systeminfo`, `tasklist`, `whoami` or `nltest` executed in quick succession on the same host.
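The two hunting ideas above turned into a small rule engine, as an added example rather than detection content from The DFIR Report or Proofpoint. It runs over constructed process-creation events with Sysmon Event ID 1 style fields; the host names, paths, timestamps, the allow-list of "expected" PHP directories and the burst thresholds are assumptions for the demo, not observed indicators.

```python
"""Added example (not from the report): two process-creation rules for the Interlock
RAT chain, run over constructed Sysmon-style events. Paths and thresholds are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Assumed allow-list: where a legitimately installed php.exe usually lives on Windows.
PHP_EXPECTED_DIRS = (
    "c:\\php\\",
    "c:\\xampp\\php\\",
    "c:\\program files\\php\\",
    "c:\\program files (x86)\\php\\",
)
RECON_TOOLS = {"systeminfo.exe", "tasklist.exe", "whoami.exe", "nltest.exe"}
RECON_WINDOW = timedelta(seconds=120)   # assumed burst window
RECON_MIN_DISTINCT = 3                  # assumed minimum distinct tools per burst

# Constructed events: (utc timestamp, host, parent image, image, command line)
EVENTS = [
    ("2025-07-14T10:00:01", "WS01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"C:\Users\jdoe\AppData\Roaming\php\php.exe", "php.exe cfg.txt"),
    ("2025-07-14T10:00:05", "WS01", r"C:\Users\jdoe\AppData\Roaming\php\php.exe",
     r"C:\Windows\System32\systeminfo.exe", "systeminfo"),
    ("2025-07-14T10:00:09", "WS01", r"C:\Users\jdoe\AppData\Roaming\php\php.exe",
     r"C:\Windows\System32\tasklist.exe", "tasklist"),
    ("2025-07-14T10:00:12", "WS01", r"C:\Users\jdoe\AppData\Roaming\php\php.exe",
     r"C:\Windows\System32\whoami.exe", "whoami /all"),
    ("2025-07-14T10:00:20", "WS01", r"C:\Users\jdoe\AppData\Roaming\php\php.exe",
     r"C:\Windows\System32\nltest.exe", "nltest /domain_trusts"),
    # Benign: a developer's PowerShell launching PHP from the standard install directory.
    ("2025-07-14T11:30:00", "DEV02", r"C:\Program Files\PowerShell\7\pwsh.exe",
     r"C:\php\php.exe", "php.exe artisan serve"),
    # Benign: a lone whoami is not a reconnaissance burst.
    ("2025-07-14T12:00:00", "DEV02", r"C:\Windows\explorer.exe",
     r"C:\Windows\System32\cmd.exe", "cmd /c whoami"),
]


def _base(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return PureWindowsPath(path).name.lower()


def php_from_unusual_location(events):
    """Rule 1: PowerShell spawning php.exe from outside the expected install directories."""
    hits = []
    for ts, host, parent, image, _cmd in events:
        if _base(parent) in {"powershell.exe", "pwsh.exe"} and _base(image) == "php.exe":
            if not any(image.lower().startswith(d) for d in PHP_EXPECTED_DIRS):
                hits.append((host, ts, image))
    return hits


def recon_bursts(events):
    """Rule 2: at least RECON_MIN_DISTINCT distinct recon tools on one host inside RECON_WINDOW."""
    per_host = defaultdict(list)
    for ts, host, _parent, image, _cmd in events:
        tool = _base(image)
        if tool in RECON_TOOLS:
            per_host[host].append((datetime.fromisoformat(ts), tool))
    alerts = []
    for host, seen in per_host.items():
        seen.sort()
        for i, (t0, _) in enumerate(seen):
            window = {tool for t, tool in seen[i:] if t - t0 <= RECON_WINDOW}
            if len(window) >= RECON_MIN_DISTINCT:
                alerts.append((host, t0.isoformat(), sorted(window)))
                break  # one alert per host is enough here
    return alerts


if __name__ == "__main__":
    print("php.exe from unusual location:", php_from_unusual_location(EVENTS))
    print("recon bursts:", recon_bursts(EVENTS))
```

Rule 1 is the higher-fidelity signal; rule 2 fires on administrators too, so in production it is worth scoping it to hosts where the parent of the recon tools is itself unusual, as it is in the constructed WS01 events.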
References :
Aman Mishra@gbhackers.com
//
Attackers compromised the popular WordPress plugin Gravity Forms by embedding malicious code in copies downloaded directly from the official gravityforms.com website, a supply chain attack against a plugin that a large share of WordPress sites rely on for forms and data collection. The tampered packages carried injected PHP in core plugin files, notably gravityforms/common.php and includes/settings/class-settings.php. The code in class-settings.php acts as a backdoor that handles requests carrying a gf_api_token parameter, giving the attacker remote code execution and unauthorized access on any site that installed the tampered build.
The campaign was first detected when researchers noticed suspicious HTTP POST requests to a newly registered domain, gravityapi.org, which served as the command-and-control server. The injected malware exfiltrates site data, including the URL, plugin list, user counts and environment details, to that domain. Depending on the response it can deploy further payloads, such as writing a backdoored PHP file to the server disguised as a content management tool. That backdoor lets the attacker execute arbitrary code, create new administrator accounts, upload files and alter site content.

Gravity Forms has released version 2.9.13 of the plugin, which is confirmed to be free of the backdoor, and the registrar Namecheap has suspended the gravityapi.org domain to disrupt ongoing exploitation. Website administrators should update immediately, but because the tampered files replace legitimate plugin code, a clean reinstall from the fixed release is safer than an in-place update. After that, diff common.php and class-settings.php against the fixed release, review the user list for administrator accounts nobody created, search for recently modified PHP files outside the plugin, and check outbound logs for POST requests to gravityapi.org, which indicate the site already beaconed while the backdoor was active.
References :
@www.helpnetsecurity.com
//
Bitwarden Unveils Model Context Protocol Server for Secure AI Agent Integration
Bitwarden has launched its Model Context Protocol (MCP) server, a new tool designed to facilitate secure integration between AI agents and credential management workflows. The MCP server is built with a local-first architecture, ensuring that all interactions between client AI agents and the server remain within the user's local environment. This approach significantly minimizes the exposure of sensitive data to external threats. The new server empowers AI assistants by enabling them to access, generate, retrieve, and manage credentials while rigorously preserving zero-knowledge, end-to-end encryption. This innovation aims to allow AI agents to handle credential management securely without the need for direct human intervention, thereby streamlining operations and enhancing security protocols in the rapidly evolving landscape of artificial intelligence. The Bitwarden MCP server establishes a foundational infrastructure for secure AI authentication, equipping AI systems with precisely controlled access to credential workflows. This means that AI assistants can now interact with sensitive information like passwords and other credentials in a managed and protected manner. The MCP server standardizes how applications connect to and provide context to large language models (LLMs), offering a unified interface for AI systems to interact with frequently used applications and data sources. This interoperability is crucial for streamlining agentic workflows and reducing the complexity of custom integrations. As AI agents become increasingly autonomous, the need for secure and policy-governed authentication is paramount, a challenge that the Bitwarden MCP server directly addresses by ensuring that credential generation and retrieval occur without compromising encryption or exposing confidential information. 
This release positions Bitwarden at the forefront of enabling secure agentic AI adoption by giving users the tools to integrate AI assistants into their credential workflows. The local-first architecture is the key feature: credentials remain on the user's machine and are covered by zero-knowledge encryption throughout the process. The MCP server integrates with the Bitwarden Command Line Interface (CLI) for vault operations and can be self-hosted, giving users control over system configuration and data residency. The Model Context Protocol itself is an open standard, so AI systems can interact with a range of applications through one consistent interface. The Bitwarden MCP server is available now in the Bitwarden GitHub repository, with expanded distribution and documentation planned.
References :
@cyble.com
//
Cyble threat intelligence researchers have uncovered a global phishing campaign leveraging the LogoKit phishing kit. This sophisticated kit is being used to target government, banking, and logistics sectors. The initial discovery stemmed from a phishing link mimicking the Hungary CERT login page, highlighting the campaign's ability to impersonate legitimate websites to steal credentials.
LogoKit is built to make the spoofed page look credible and raise the odds of a successful credential theft. The phishing links often embed the victim's email address in the URL so that the username field on the fake login page is already filled in, and the kit generates convincing pages dynamically, pulling brand assets from Clearbit and the Google Favicon service according to CRIL's analysis. That personalization is also a detection handle: inbound links whose path or fragment carries an email address, or that load logos from those two services for a domain the organization does not own, are worth flagging.

These campaigns are part of a broader surge in identity attacks, with reports showing a significant rise in attacks on user logins. Cybercriminals are increasingly turning to phishing-as-a-service platforms to run business email compromise (BEC) schemes and to obtain the initial access that precedes ransomware. Organizations should pair phishing-resistant MFA with DNS-layer security controls to blunt these threats.
References :
@gbhackers.com
//
References: Cyber Security News, gbhackers.com
The rise of AI-assisted coding is introducing new security challenges, according to recent reports. Researchers are warning that the speed at which AI pulls in dependencies can lead to developers using software stacks they don't fully understand, thus expanding the cyber attack surface. John Morello, CTO at Minimus, notes that while AI isn't inherently good or bad, it magnifies both positive and negative behaviors, making it crucial for developers to maintain oversight and ensure the security of AI-generated code. This includes addressing vulnerabilities and prioritizing security in open source projects.
Kernel-level attacks on Windows systems are escalating through the abuse of signed drivers. Cybercriminals use code-signing certificates, often fraudulently obtained, to pass off malicious drivers as legitimate software. Group-IB research has linked more than 620 malicious kernel-mode drivers and over 80 code-signing certificates to campaigns since 2020. A particularly concerning trend is the use of kernel loaders, drivers whose only job is to load second-stage components, which lets attackers update their toolsets without re-signing a new driver and without triggering detection.

A supply-chain attack dubbed "slopsquatting" exploits coding-agent workflows to deliver malware. Where typosquatting preys on human typing mistakes, slopsquatting preys on AI coding assistants such as Claude Code CLI and OpenAI Codex CLI, which sometimes suggest package names that do not exist. Attackers pre-register those hallucinated names on public registries like PyPI, so when a developer runs the AI-suggested install command the malicious package is what gets installed. Because the agent will often run the install command itself, the defense has to sit between the suggestion and the registry: a multi-layered approach that vets package names before installation rather than trusting the assistant's output.
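A pre-install gate of the kind the slopsquatting paragraph calls for, as an added example (it is not from the report and not part of any of the tools named above). It parses a `pip install ...` line and blocks names that are absent from the registry, registered only days ago with a single release, or within a small edit distance of a well-known package. The registry snapshot, the popular-package list, the pinned date and the thresholds are constructed for the demo; a real gate would query the registry's JSON API in place of the dict.

```python
"""Added example (not from the report): vet AI-suggested packages before installing them.
The registry snapshot, popular-package list, date and thresholds are constructed."""
from datetime import date
import re
import shlex

# Constructed registry snapshot: name -> (first upload date, number of releases)
REGISTRY = {
    "requests": (date(2011, 2, 14), 150),
    "numpy": (date(2006, 12, 2), 200),
    "cryptography": (date(2013, 8, 1), 120),
    "requets": (date(2025, 7, 9), 1),               # one edit from 'requests', brand new
    "fastapi-auth-helpers": (date(2025, 7, 11), 1),  # plausible-sounding name registered days ago
}
POPULAR = ("requests", "numpy", "cryptography")   # assumed list of names worth protecting
TODAY = date(2025, 7, 14)                          # pinned so the example is deterministic
MIN_AGE_DAYS = 30                                  # assumed threshold
MAX_EDITS = 2                                      # assumed threshold

_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*")


def edit_distance(a, b):
    """Levenshtein distance, used to catch near-names of popular packages."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def vet_package(name, registry=REGISTRY, today=TODAY):
    """Return (verdict, reason); verdict is 'ok' or 'block'."""
    if name not in registry:
        return "block", "not on registry (hallucinated, or not squatted yet)"
    for pop in POPULAR:
        if name != pop and edit_distance(name, pop) <= MAX_EDITS:
            return "block", f"looks like a typo or variant of '{pop}'"
    first_seen, releases = registry[name]
    if (today - first_seen).days < MIN_AGE_DAYS and releases <= 1:
        return "block", "registered recently with a single release"
    return "ok", "established package"


def vet_install_command(cmd, registry=REGISTRY, today=TODAY):
    """Vet every package named in a 'pip install ...' line; returns {name: (verdict, reason)}."""
    argv = shlex.split(cmd)
    if argv[:2] != ["pip", "install"]:
        raise ValueError("only 'pip install <pkgs>' lines are handled in this demo")
    results = {}
    for arg in argv[2:]:
        if arg.startswith("-"):
            continue                      # skip flags such as --upgrade
        m = _NAME_RE.match(arg)           # strip version specifiers like 'numpy>=1.0'
        if m:
            results[m.group(0)] = vet_package(m.group(0), registry, today)
    return results


if __name__ == "__main__":
    line = "pip install --upgrade requests numpy>=1.0 requets fastapi-auth-helpers totally-made-up-pkg"
    for name, (verdict, reason) in vet_install_command(line).items():
        print(f"{verdict:5}  {name:22}  {reason}")
```

Wired in as a hook that the agent must pass before it is allowed to run the install, this turns a hallucinated name into a refusal instead of an installed payload. The age check is the one that catches a squatter who registers the name after the assistant starts suggesting it.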
References :
Lawrence Abrams@BleepingComputer
//
Ingram Micro, a global IT distributor, has confirmed it was hit by a SafePay ransomware attack, causing a significant outage affecting its websites and internal systems. The attack, which began on July 3, 2025, has disrupted order processing and shipments, impacting customers, vendor partners, and others who rely on the company's services. Ingram Micro, one of the world's largest technology distributors with approximately 24,000 employees and $48 billion in revenue in 2024, is working diligently to restore affected systems.
The company's initial response was to take certain systems offline and apply other mitigations to secure the environment. Outside cybersecurity experts were engaged to investigate and law enforcement was notified. Ingram Micro said it immediately initiated internal alerts and investigation protocols, communicated with key clients and stakeholders, and released a public statement on the incident.

Sources indicate the SafePay group gained access through Ingram Micro's GlobalProtect VPN platform. Affected systems include the company's AI-powered Xvantage distribution platform and the Impulse license-provisioning platform, causing shipment backlogs and licensing interruptions for products such as Microsoft 365 and Dropbox. It remains unclear whether data was encrypted, but the ransom note claims a range of data was stolen. Customers should expect delays while Ingram Micro focuses on restoring systems, and organizations that expose a GlobalProtect portal of their own should take the reported entry point as a prompt to confirm that it is fully patched and that MFA is enforced on it.
References :
@sec.cloudapps.cisco.com
//
Cisco is urging immediate action following the discovery of a critical vulnerability, CVE-2025-20309, in its Unified Communications Manager (Unified CM) and Unified Communications Manager Session Management Edition (Unified CM SME). The flaw stems from hardcoded SSH root credentials that cannot be modified or removed, potentially allowing remote attackers to gain root-level access to affected systems. This vulnerability has a maximum severity rating with a CVSS score of 10.0, indicating it can be easily exploited with devastating consequences.
Cisco's advisory states that all Engineering Special (ES) releases from 15.0.1.13010-1 through 15.0.1.13017-1 are vulnerable regardless of which optional features are in use; administrators can confirm the running build with `show version active` on the platform CLI. An unauthenticated remote attacker uses the static root credentials to open an SSH session to a vulnerable system and, once in, has complete administrative control and can run arbitrary commands as root. There is no workaround. To remediate, upgrade to 15SU3 or apply the CSCwp27755 patch file that Cisco has published as an emergency fix.

Cisco found the flaw through internal testing and has seen no evidence of exploitation in the wild, but the severity warrants immediate action. The advisory also gives a concrete indicator: successful exploitation leaves a log entry for the root user in /var/log/active/syslog/secure, which can be pulled from the CLI with `file get activelog syslog/secure` and should be reviewed on any system that ran an affected ES build while reachable over SSH.
References :
@www.bleepingcomputer.com
//
The Hunters International ransomware operation has announced its shutdown, stating they will release free decryption keys to their past victims. The group made the announcement on its dark web leak site, removing all previous victim data. In a statement, Hunters International acknowledged the impact their actions have had on organizations, stating the decision to close down was not made lightly. Victims are instructed to visit the ransomware gang's website to obtain the decryption keys and recovery guidance, though some sources indicate victims need to log in to a portal mentioned in the ransom note using existing credentials to obtain the decryption software.
The shutdown has been met with skepticism from the threat-intelligence community. Several ransomware gangs have released their victims' decryption keys and closed down before, for a variety of reasons; some shut down only to return under a new name, which confuses researchers and law enforcement and can help an operation escape sanctions. There is speculation that Hunters International is rebranding and moving to new infrastructure to avoid increased scrutiny from law enforcement. The group emerged in late 2023 and was flagged by researchers as a potential rebrand of Hive, whose infrastructure had been seized earlier that year.

Reports indicate that Hunters International launched a separate platform named "World Leaks" in January and told its affiliates to move to it, claiming that encryption-based ransomware was no longer profitable and that it would shift to a hack-and-extort model. Some sources have nonetheless found World Leaks victims who also had ransomware deployed on their networks. Hunters International has been linked to almost 300 attacks worldwide, including India's Tata Technologies and the U.S. Marshals Service, and has earned millions in cryptocurrency. Victims who recover files with the released keys should still treat the affected environment as compromised until the original entry point has been found and closed.
References :
Ashish Khaitan@The Cyber Express
//
Australia's national carrier, Qantas Airways, has disclosed a significant cyberattack affecting approximately six million customers. The breach occurred through unauthorized access to a third-party customer service platform used by a Qantas call center. Exposed data includes customer names, email addresses, phone numbers, birth dates, and frequent flyer numbers, however, the company reports that no financial data, passport details, passwords, or login credentials were compromised. The airline detected the unusual activity on Monday and took immediate action to bring the system back under control.
Qantas has launched an investigation into the incident, working with government authorities and cybersecurity experts. The airline has notified Australia's National Cyber Security Coordinator, the Australian Cyber Security Centre, the Privacy Commissioner and the Australian Federal Police. Initial reports suggest the Scattered Spider group, which has been targeting the aviation sector, may be behind the attack. Qantas is also tightening access controls and improving monitoring of its systems.

Vanessa Hudson, Qantas Group Chief Executive Officer, has apologized to customers and acknowledged the uncertainty the breach has caused. A dedicated customer support hotline and web page have been set up for those affected. While Qantas says the attack has not affected flight operations or safety, cybersecurity experts warn that the stolen data is well suited to identity theft and to convincing phishing and vishing lures that quote a customer's real frequent flyer number and birth date. The incident underscores the need to hold third-party platforms, especially those used by outsourced call centers, to the same access-control and monitoring standards as internal systems.
References :