CyberSecurity news
FlagThis - #cybersecurity
|
Siôn Geschwindt@The Next Web
//
References:
The Next Web
, medium.com
,
Quantum computing is rapidly advancing, presenting both opportunities and challenges. Researchers at Toshiba Europe have achieved a significant milestone by transmitting quantum-encrypted messages over a record distance of 254km using standard fiber optic cables. This breakthrough, facilitated by quantum key distribution (QKD) cryptography, marks the first instance of coherent quantum communication via existing telecom infrastructure. QKD leverages the principles of quantum mechanics to securely share encryption keys, making eavesdropping virtually impossible, as any attempt to intercept the message would immediately alert both parties involved.
This advance addresses growing concerns among European IT professionals, with 67% fearing that quantum computing could compromise current encryption standards. Unlike classical computers, which would take an impractical amount of time to break modern encryption, quantum computers can exploit phenomena like superposition and entanglement to potentially crack even the most secure classical encryptions within minutes. This has prompted global governments and organizations to accelerate the development of robust cryptographic algorithms capable of withstanding quantum attacks. Efforts are underway to build quantum-secure communication infrastructure. Heriot-Watt University recently inaugurated a £2.5 million Optical Ground Station (HOGS) to promote satellite-based quantum-secure communication. In July 2024, Toshiba Europe, GÉANT, PSNC, and Anglia Ruskin University demonstrated cryogenics-free QKD over a 254 km fiber link, using standard telecom racks and room temperature detectors. Initiatives such as Europe’s EuroQCI and ESA’s Eagle-1 satellite further underscore the commitment to developing and deploying quantum-resistant technologies, mitigating the silent threat that quantum computing poses to cybersecurity. Recommended read:
References :
Rescana@Rescana
//
A critical zero-day vulnerability, CVE-2025-31324, affecting SAP NetWeaver Visual Composer is under active exploitation, posing a significant threat to organizations, particularly those in the manufacturing sector. This flaw is a critical unauthenticated file upload vulnerability that allows for remote code execution, enabling attackers to compromise entire systems. The vulnerability has been exploited in the wild, raising alarm bells across the cybersecurity sector due to the potential for data breaches and operational disruptions.
Attributed to a China-linked threat actor dubbed Chaya_004, the attacks have been ongoing since early 2025. Forescout Vedere Labs security researchers have linked ongoing attacks targeting a maximum severity vulnerability impacting SAP NetWeaver instances to a Chinese threat actor. Attackers are exploiting the vulnerability by uploading malicious JSP webshells to public directories on compromised SAP NetWeaver servers without authentication, granting them persistent access and control. During post-exploitation, tools like the Brute Ratel red team tool and techniques like Heaven's Gate are employed to bypass security checks and maintain stealth operations, complicating detection efforts. The vulnerability impacts SAP NetWeaver Visual Composer and allows attackers to upload malicious executable files without authentication, leading to remote code execution and potential full system compromise. The endpoint responsible is '/developmentserver/metadatauploader', which has been leveraged by attackers to deploy JSP webshells. These webshells enable unauthorized command execution and file management actions, making the system vulnerable to further exploitation. Organizations using SAP NetWeaver are urged to apply the emergency patch released by SAP immediately and to monitor their systems for suspicious activity to mitigate the risk of compromise. Recommended read:
References :
@The DefendOps Diaries
//
Ascension, one of the largest private healthcare systems in the United States, is facing scrutiny following a significant data breach. The company revealed that the personal and healthcare information of over 430,000 patients was exposed in an incident disclosed last month. The breach stemmed from a compromise affecting a former business partner, highlighting the inherent risks associated with third-party vendors and the critical need for robust cybersecurity measures within the healthcare ecosystem.
The vulnerability in third-party software allowed attackers access to sensitive patient data. Depending on the patient, the attackers could access personal health information related to inpatient visits, including the physician's name, admission and discharge dates, diagnoses, and more. The data breach underscores the importance of healthcare organizations thoroughly vetting and continuously monitoring third-party vendors and their software solutions. This situation exemplifies how a single point of failure in the supply chain can have far-reaching consequences for patient privacy and data security. The Ascension data breach has broader implications for healthcare cybersecurity. The incident serves as a stark reminder of the vulnerabilities in healthcare systems, especially those involving third-party software. The lessons learned emphasize the need for strengthening cybersecurity defenses against third-party and ransomware threats. Healthcare providers must prioritize data protection, regularly assess the security of their partners, and implement robust measures to protect patient information from evolving cyber threats. Recommended read:
References :
@industrialcyber.co
//
References:
Industrial Cyber
, NCSC News Feed
,
The UK's National Cyber Security Centre (NCSC) has issued a warning that critical systems in the United Kingdom face increasing risks due to AI-driven vulnerabilities. The agency highlighted a growing 'digital divide' between organizations capable of defending against AI-enabled threats and those that are not, exposing the latter to greater cyber risk. According to a new report, developments in AI are expected to accelerate the exploitation of software vulnerabilities by malicious actors, intensifying cyber threats by 2027.
The report, presented at the NCSC's CYBERUK conference, predicts that AI will significantly enhance the efficiency and effectiveness of cyber intrusions. Paul Chichester, NCSC director of operations, stated that AI is transforming the cyber threat landscape by expanding attack surfaces, increasing the volume of threats, and accelerating malicious capabilities. He emphasized the need for organizations to implement robust cybersecurity practices across their AI systems and dependencies, ensuring up-to-date defenses. The NCSC assessment emphasizes that by 2027, AI-enabled tools will almost certainly improve threat actors' ability to exploit known vulnerabilities, leading to a surge in attacks against systems lacking security updates. With the time between vulnerability disclosure and exploitation already shrinking, AI is expected to further reduce this timeframe. The agency urges organizations to adopt its guidance on securely implementing AI tools while maintaining strong cybersecurity measures across all systems. Recommended read:
References :
@www.pwc.com
//
The UK's National Cyber Security Centre (NCSC) has issued warnings regarding the growing cyber threats intensified by artificial intelligence and the dangers of unpatched, end-of-life routers. The NCSC's report, "Impact of AI on cyber threat from now to 2027," indicates that threat actors are increasingly using AI to enhance existing tactics. These tactics include vulnerability research, reconnaissance, malware development, and social engineering, leading to a potential increase in both the volume and impact of cyber intrusions. The NCSC cautioned that a digital divide is emerging, with organizations unable to keep pace with AI-enabled threats facing increased risk.
The use of AI by malicious actors is projected to rise, and this poses significant challenges for businesses, especially those that are not prepared to defend against it. The NCSC noted that while advanced state actors may develop their own AI models, most threat actors will likely leverage readily available, off-the-shelf AI tools. Moreover, the implementation of AI systems by organizations can inadvertently increase their attack surface, creating new vulnerabilities that threat actors could exploit. Direct prompt injection, software vulnerabilities, indirect prompt injection, and supply chain attacks are techniques that could be used to gain access to wider systems. Alongside the AI threat, the FBI has issued alerts concerning the rise in cyberattacks targeting aging internet routers, particularly those that have reached their "End of Life." The FBI warned of TheMoon malware exploiting these outdated devices. Both the NCSC and FBI warnings highlight the importance of proactively replacing outdated hardware and implementing robust security measures to mitigate these risks. Recommended read:
References :
info@thehackernews.com (The@The Hacker News
//
Google is integrating its Gemini Nano AI model into the Chrome browser to provide real-time scam protection for users. This enhancement focuses on identifying and blocking malicious websites and activities as they occur, addressing the challenge posed by scam sites that often exist for only a short period. The integration of Gemini Nano into Chrome's Enhanced Protection mode, available since 2020, allows for the analysis of website content to detect subtle signs of scams, such as misleading pop-ups or deceptive tactics.
When a user visits a potentially dangerous page, Chrome uses Gemini Nano to evaluate security signals and determine the intent of the site. This information is then sent to Safe Browsing for a final assessment. If the page is deemed likely to be a scam, Chrome will display a warning to the user, providing options to unsubscribe from notifications or view the blocked content while also allowing users to override the warning if they believe it's unnecessary. This system is designed to adapt to evolving scam tactics, offering a proactive defense against both known and newly emerging threats. The AI-powered scam detection system has already demonstrated its effectiveness, reportedly catching 20 times more scam-related pages than previous methods. Google also plans to extend this feature to Chrome on Android devices later this year, further expanding protection to mobile users. This initiative follows criticism regarding Gmail phishing scams that mimic law enforcement, highlighting Google's commitment to improving online security across its platforms and safeguarding users from fraudulent activities. Recommended read:
References :
Ashish Khaitan@The Cyber Express
//
The FBI has issued a warning regarding the increasing exploitation of end-of-life (EoL) routers by cybercriminals. These outdated devices, which no longer receive security updates from manufacturers, are being targeted with malware, most notably variants of TheMoon, to establish proxy networks. This allows malicious actors to mask their online activities and conduct illicit operations with anonymity. The FBI emphasizes that routers from 2010 or earlier are particularly vulnerable due to the absence of recent software updates, making them susceptible to known exploits.
The compromised routers are then incorporated into botnets and used as proxies, sold on networks like 5Socks and Anyproxy. This enables cybercriminals to route malicious traffic through these unsuspecting devices, obscuring their real IP addresses and making it difficult to trace their criminal activities. TheMoon malware exploits open ports on vulnerable routers, bypassing the need for passwords, and then connects to a command-and-control (C2) server for instructions. This process allows the malware to spread rapidly, infecting more routers and expanding the proxy network. To mitigate this growing threat, the FBI advises users to replace EoL routers with actively supported models and apply all available firmware and security updates. Disabling remote administration and using strong, unique passwords are also crucial steps in securing network devices. Additionally, regularly rebooting routers can help flush out temporary malware behavior. The FBI's warning underscores the importance of maintaining up-to-date security measures on network hardware to prevent exploitation by cybercriminals seeking to anonymize their activities. Recommended read:
References :
@cyble.com
//
The ransomware landscape is experiencing significant shifts in April 2025, with groups like Qilin taking center stage. Despite a general decline in ransomware attacks from 564 in March to 450 in April, the lowest level since November 2024, Qilin has surged to the top of the ransomware rankings. This rise is attributed to the realignment of cybercriminal groups within the chaotic Ransomware-as-a-Service (RaaS) ecosystem. Qilin is reportedly leveraging sophisticated tools and techniques, contributing to their increased success in recent months.
Qilin's success is partly due to the adoption of advanced tactics, techniques, and procedures (TTPs). Threat actors associated with Qilin have been observed utilizing malware such as SmokeLoader, along with a previously undocumented .NET compiled loader called NETXLOADER, in campaigns dating back to November 2024. NETXLOADER is a highly obfuscated loader designed to deploy additional malicious payloads and bypass traditional detection mechanisms, making it difficult to analyze. This loader plays a critical role in Qilin's stealthy malware delivery method. The surge in activity is reflected in the doubling of disclosures on Qilin's data leak site since February 2025, making it the top ransomware group in April. The emergence of new actors like DragonForce is reshaping the threat landscape. The group is built for the gig economy. Its features include a 20% revenue share, white-label ransomware kits, pre-built infrastructure. DragonForce quickly moved to absorb affiliates following the April 2025 disappearance of RansomHub, pitching itself as an agile alternative to collapsed legacy operators. A historic surge in ransomware activity is occurring. A total of 2,289 publicly named ransomware victims were reported in just Q1 a 126% year-over-year increase, setting an all-time high. 74 distinct ransomware groups are now operating concurrently, highlighting an explosion of new actors and affiliate-driven threats. Recommended read:
References :
Pierluigi Paganini@Security Affairs
//
SonicWall has released patches to address three significant vulnerabilities impacting its Secure Mobile Access (SMA) 100 series appliances. These flaws, including a potential zero-day, could be chained together by remote attackers to achieve remote code execution. The vulnerabilities affect SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v devices, highlighting the importance of timely updates to prevent exploitation. Cybersecurity experts are urging administrators to apply the patches immediately to mitigate the risk of unauthorized access and potential system compromise.
The most serious of the vulnerabilities, tracked as CVE-2025-32819, is a high-severity arbitrary file delete bug. This flaw could allow attackers to bypass path traversal checks, enabling arbitrary file deletion and potentially leading to reboots to factory settings. SonicWall noted that this vulnerability may have been exploited in the wild, based on known indicators of compromise. Additionally, CVE-2025-32820, another high-severity vulnerability, could facilitate system overwriting, resulting in a denial-of-service condition. The third vulnerability, CVE-2025-32821, is a medium-severity bug that could enable shell command injections, potentially leading to root-level remote code execution. The fixes are available in firmware version 10.2.1.15-81sv and higher. SonicWall is strongly advising all users of the SMA 100 series products to update their appliances to the latest firmware to protect their systems from these critical vulnerabilities. The Cybersecurity and Infrastructure Security Agency (CISA) has also added SonicWall SMA100 flaws to its Known Exploited Vulnerabilities catalog. Recommended read:
References :
@ai-techpark.com
//
SpyCloud, a leading identity threat protection company, released an analysis on May 7th, 2025, revealing that a staggering 94% of Fortune 50 companies have had employee identity data exposed due to phishing attacks. The analysis is based on nearly 6 million phished data records recaptured from the criminal underground over the last six months. These findings highlight the growing scale and sophistication of phishing attacks, with cybercriminals increasingly targeting high-value identity data for follow-on attacks such as ransomware, account takeover, and fraud. The data provides valuable insights for organizations to enhance their defenses, improve user training, and prevent identity-based attacks.
Nearly 82% of phishing victims had their email credentials compromised in prior data breaches, according to SpyCloud's analysis. This gives attackers a critical advantage, emphasizing the importance of monitoring and securing compromised credentials. The exposed data often includes email addresses (81% of records), IP addresses (42%), and user-agent information (31%) which identifies device and browser details. The top industries impersonated in phishing campaigns include telecommunications, IT, and financial services, highlighting the specific targets of these malicious activities. To combat the escalating phishing threat, Brian Jack, chief information security officer at KnowBe4, a partner of SpyCloud, emphasizes the need for ongoing security awareness training and swift, targeted action to remediate exposures. He stated that "Combining human vigilance with actionable intelligence is the most effective way to stop phishing in its tracks – and prevent it from opening the door to broader cyberattacks.” The rise of phishing attacks is attributed to cybercriminals modernizing their tactics and evolving campaigns into industrial-scale operations, aided by phishing-as-a-service (PhaaS) platforms and AI. Recommended read:
References :
@securityonline.info
//
The Play ransomware gang has been actively exploiting a zero-day vulnerability in the Windows Common Log File System (CLFS), identified as CVE-2025-29824. This high-severity flaw allows attackers to gain SYSTEM privileges on compromised systems, enabling them to deploy malware and carry out other malicious activities. The vulnerability was patched by Microsoft in April 2025; however, it was actively exploited in targeted attacks across various sectors before the patch was released.
The Play ransomware gang's attack methodology is sophisticated, employing custom tools and techniques such as dual extortion. A key tool used is the Grixba infostealer, which scans networks and steals information. In addition to the Grixba infostealer, the group uses a payload injection technique where a malicious payload is injected into the winlogon.exe process. This allows them to inject the Sysinternals procdump.exe tool into various processes for malicious purposes. The Symantec Threat Hunter Team identified this zero-day vulnerability being actively exploited, including an attack targeting an unnamed organization in the United States. The attackers likely used a public-facing Cisco Adaptive Security Appliance (ASA) as an entry point. During the execution of the exploit, batch files are created to escalate privileges, dump the SAM, SYSTEM, and SECURITY Registry hives, create a new user, and clean up traces of exploitation. The exploitation of CVE-2025-29824 highlights the trend of ransomware actors using zero-days to infiltrate targets, underscoring the importance of prompt patching and robust security measures. Recommended read:
References :
Anna Ribeiro@Industrial Cyber
//
Fortinet's FortiGuard Labs has revealed a multi-year, state-sponsored cyber intrusion targeting critical infrastructure in the Middle East. The intrusion, attributed to an Iranian APT group likely Lemon Sandstorm, began as early as May 2023, with potential traces back to May 2021, and went undetected for nearly two years. Attackers gained initial access through compromised VPN credentials, deploying multiple web shells and custom backdoors throughout the infrastructure.
This Iranian APT exhibited significant operational discipline, constantly rotating tools, infrastructure, and access methods to maintain their foothold. After gaining access, they installed backdoors such as HanifNet, HXLibrary, and NeoExpressRAT. The attackers used in-memory loaders for Havoc and SystemBC to avoid detection, plus custom loaders to execute malware directly in memory, avoiding disk-based detection. Throughout the campaign, FortiGuard Labs identified at least five novel malware families, including HanifNet, NeoExpressRAT, HXLibrary, RemoteInjector, and CredInterceptor. The attackers also modified legitimate OWA JavaScript files to silently siphon credentials, disguising malicious scripts as legitimate traffic. The attackers used open-source proxy tools such as plink, Ngrok, Glider Proxy, and ReverseSocks5 to circumvent network segmentation. Recommended read:
References :
@arcticwolf.com
//
Arctic Wolf Labs has identified a spear-phishing campaign orchestrated by the financially motivated threat group known as Venom Spider. The campaign targets hiring managers by abusing legitimate messaging services and job platforms. Attackers submit fake job applications with malicious resumes, leveraging an updated backdoor called More_eggs.
The fake resumes are designed to deliver the More_eggs backdoor onto the devices of unsuspecting HR personnel. Once installed, the backdoor allows the attackers to perform a variety of malicious activities, including stealing credentials, customer payment data, intellectual property, and trade secrets. Arctic Wolf warns that the updated More_eggs malware is more sophisticated, making it harder to detect than previous versions. They advise CISOs to warn HR staff about this ongoing threat and implement measures to identify and block these malicious resumes. Notably, threat actors are using msxsl.exe, a legitimate Microsoft Command Line Transformation Utility to execute the backdoor. Recommended read:
References :
@www.microsoft.com
//
The digital landscape is witnessing a significant shift in authentication methods, with passkeys emerging as a secure and user-friendly alternative to traditional passwords. This evolution has led to the celebration of the inaugural World Passkey Day, marking a pivotal moment in the journey towards a passwordless future. As passwords have long been a source of vulnerability and frustration, the rise of passkeys promises simpler and safer sign-ins, enhancing overall digital security by eliminating the inherent weaknesses associated with passwords.
Microsoft and Yubico are at the forefront of this movement, actively promoting the adoption of passkeys. Microsoft is rolling out updates designed for simpler, safer sign-ins, making passkeys more accessible and convenient for users. Yubico, a strong advocate for ditching passwords altogether, emphasizes the importance of embracing passkeys for a more secure digital future. This collaborative effort underscores the industry's commitment to transitioning to a passwordless authentication system. The transition to passkeys is not merely a technological upgrade but a fundamental shift in how we approach digital security. As highlighted by Microsoft, the number of password-based cyberattacks has dramatically increased, with a staggering 7,000 password attacks per second observed last year. Passkeys, being resistant to phishing and brute-force attacks, offer a robust defense against these threats. By celebrating World Passkey Day and actively promoting the adoption of passkeys, the industry aims to create a safer and more secure online experience for everyone. Recommended read:
References :
@cyble.com
//
Recent cyberattacks have targeted major UK retailers, prompting a call for increased vigilance and stronger defenses from the National Cyber Security Centre (NCSC). High-profile organizations such as Harrods, Marks & Spencer (M&S), and Co-op have been affected, causing significant operational disruptions. These attacks have led to restricted internet access, pauses in online order processing, and in some instances, potential data extraction, highlighting the severity and broad impact of these cyber incidents on the retail sector.
The NCSC has issued an urgent warning to UK firms, emphasizing the escalating risk of ransomware attacks, particularly within the retail industry. The agency anticipates a potential increase in similar attacks in the coming days. In response, the NCSC has released a comprehensive set of guidelines designed to assist businesses in bolstering their defenses against these threats and minimizing potential financial losses. This includes reviewing password reset policies, being cautious of senior employees with escalated priviledges such as Domain Admin, Enterprise Admin and Cloud Admin accounts. The NCSC's guidelines emphasize proactive measures such as isolating and containing threats quickly by severing internet connectivity to prevent malware spread and ensuring backup servers remain unaffected. It also highlights leveraging backup systems for recovery and implementing multi-factor authentication (MFA) across the board. The NCSC advises businesses to constantly be on the look out for ‘risky logins’ within Microsoft Entra ID Protection, where sign-in attempts are flagged as potentially compromised due to suspicious activity or unusual behaviour. Furthermore, the agency urges organizations to assess their cyber resilience and adopt best practices for both prevention and recovery to mitigate future attacks. Recommended read:
References :
|