CyberSecurity news

FlagThis - #cybersecurity

@cyberscoop.com //
Microsoft has issued its July 2025 Patch Tuesday updates, a crucial monthly release that addresses a significant number of vulnerabilities across its product lines. This release tackles a total of 130 CVEs, with 10 of them classified as critical. Notably, while no vulnerabilities were reported as actively exploited in the wild at the time of the release, one flaw in Microsoft SQL Server (CVE-2025-49719) has been publicly disclosed. This information disclosure vulnerability, rated as important with a CVSS score of 7.5, means that technical details are available, potentially increasing the risk of future exploitation. Organizations should prioritize patching this vulnerability, particularly as it affects SQL Server versions 2016 through 2022 and does not require authentication to exploit, potentially exposing sensitive data like credentials.

Among the critical vulnerabilities addressed, a particularly concerning one is a remote code execution (RCE) flaw in Windows SPNEGO Extended Negotiation (NEGOEX), designated CVE-2025-47981. This vulnerability carries a high CVSS score of 9.8 and is described as a heap-based buffer overflow, allowing an unauthenticated attacker to execute code remotely on a target system with low attack complexity and no user interaction. The nature of this flaw makes it a prime target for attackers seeking initial access or lateral movement within networks. Microsoft has also highlighted critical RCE vulnerabilities in Microsoft Office, with several rated as "more likely" to be exploited, including some that can be triggered via the preview pane without requiring a user to open a document, posing a significant risk to users' security.

The July Patch Tuesday also includes fixes for vulnerabilities in Microsoft SharePoint, with an RCE flaw that requires authenticated access but could allow an attacker to execute code on the server. Additionally, vulnerabilities impacting Windows Hyper-V and other system components have been addressed. With a total of 130 CVEs patched, including numerous critical flaws, it is imperative for all organizations to review and apply these updates promptly to protect their systems and data from potential exploitation. The proactive patching of these vulnerabilities is essential for maintaining a strong security posture against the ever-evolving threat landscape.

Recommended read:
References :
  • Tenable Blog: Microsoft’s July 2025 Patch Tuesday Addresses 128 CVEs (CVE-2025-49719)
  • Cisco Talos Blog: Microsoft Patch Tuesday for July 2025 — Snort rules and prominent vulnerabilities
  • isc.sans.edu: Microsoft Patch Tuesday, July 2025, (Tue, Jul 8th)
  • cyberscoop.com: Microsoft Patch Tuesday addresses 130 vulnerabilities, none actively exploited
  • krebsonsecurity.com: Microsoft Patch Tuesday, July 2025 Edition
  • thecyberexpress.com: Microsoft Patch Tuesday July 2025: 130 Vulnerabilities Fixed, 17 High-Risk
  • blog.talosintelligence.com: Microsoft Patch Tuesday for July 2025 — Snort rules and prominent vulnerabilities
  • Arctic Wolf: Reports on Microsoft's July 2025 security update addressing 130 vulnerabilities.
  • The Register - Security: Microsoft enjoys first Patch Tuesday of 2025 with no active exploits
  • Action1: Patch Tuesday July 2025
  • securityaffairs.com: Microsoft Patch Tuesday security updates for July 2025 fixed a zero-day
  • The Hacker News: Microsoft Patches 130 Vulnerabilities, Including Critical Flaws in SPNEGO and SQL Server
  • arcticwolf.com: Microsoft Patch Tuesday: July 2025
  • Arctic Wolf: Microsoft's July 2025 security update, addressing 130 newly disclosed vulnerabilities.
  • arcticwolf.com: Microsoft Patch Tuesday: July 2025
  • Sophos News: July Patch Tuesday offers 127 fixes
  • SOC Prime Blog: CVE-2025-47981: Critical Heap-Based Buffer Overflow Vulnerability in Windows SPNEGO Extended Negotiation Leads to RCE
  • socprime.com: CVE-2025-47981: Critical Heap-Based Buffer Overflow Vulnerability in Windows SPNEGO Extended Negotiation Leads to RCE
  • Threats | CyberScoop: Microsoft Patch Tuesday addresses 130 vulnerabilities, none actively exploited

@blog.checkpoint.com //
Scattered Spider, a financially motivated cyber threat group, has significantly expanded its targeting, with recent intelligence highlighting a new focus on the aviation sector. Known for its aggressive social engineering tactics and identity-focused intrusions, the group has previously targeted telecommunications, SaaS, cloud, and financial services by hijacking user identities and exploiting authentication flows. The FBI has issued a warning, indicating that airlines are now directly in the crosshairs of Scattered Spider. Their methods often involve sophisticated techniques such as SIM swapping, impersonating helpdesk personnel, and employing adversary-in-the-middle (AiTM) phishing to obtain valid credentials and tokens, frequently bypassing multi-factor authentication (MFA). This broader targeting strategy underscores the evolving and increasingly pervasive threat posed by this group.

In a significant development that underscores the reach of Scattered Spider, UK authorities have arrested four individuals linked to a spree of cyberattacks that crippled major British retailers, including Marks & Spencer, Harrods, and the Co-op earlier this year. The arrests, which involved individuals aged 17 to 20, are a major step in a high-priority investigation. The National Crime Agency (NCA) confirmed the arrests, suspecting the individuals of Computer Misuse Act offenses, blackmail, money laundering, and participation in organized crime. These retail attacks caused substantial disruption, with Marks & Spencer estimating losses of around £300 million due to the incident. The methods employed in these attacks, which reportedly included gaining access through social engineering to deploy ransomware, align with Scattered Spider's known modus operandi.

The growing threat posed by Scattered Spider has prompted cybersecurity experts to issue alerts, particularly concerning their expansion into the aviation sector. The group's ability to effectively compromise user identities and bypass security measures like MFA makes them a formidable adversary. Their recent targeting of airlines, following major disruptions in the retail sector, signifies a dangerous escalation. Companies within the aviation industry, and indeed across all sectors, must remain vigilant and bolster their identity-centric defenses to counter the sophisticated tactics employed by Scattered Spider, which include advanced phishing kits, dynamic command and control infrastructure, and custom malware for persistent access.

Recommended read:
References :
  • blog.checkpoint.com: Exposing Scattered Spider: New Indicators Highlight Growing Threat to Enterprises and Aviation
  • Resources-2: Tracking Scattered Spider Through Identity Attacks and Token Theft
  • Cloud Security Alliance: Scattered Spider: The Group Behind Major ESXi Ransomware Attacks
  • BrianKrebs: You've probably read by now that British authorities this week arrested 4 people aged 17-20 in re an investigation into data ransom attacks from the cybercrime group Scattered Spider, which has been blamed in breaches at Marks & Spencer, Harrods, MGM Casinos and a bunch of airlines recently.
  • infosec.exchange: 3 teenagers aged 17-19 and a 20-year-old woman arrested in the UK this morning in connection with cyber attacks on Marks & Spencer (M&S) and Co-op retail chains in April-May this year
  • Zack Whittaker: New, by me: U.K. authorities have confirmed the arrest of four alleged hackers behind the recent U.K. retail hacking spree targeting Marks & Spencer, Harrods, and the Co-op earlier this year. The hackers are allegedly linked to Scattered Spider; one of the suspects is aged 17.
  • techcrunch.com: The U.K. National Crime Agency said the suspects are in custody in relation to the hacks targeting Marks & Spencer, Harrods, and the Co-op.
  • SecureWorld News: 4 Arrested in U.K. for Cyberattacks on Retail Tied to Scattered Spider
  • techcrunch.com: The U.K. National Crime Agency said the suspects are in custody in relation to the hacks targeting Marks & Spencer, Harrods, and the Co-op.
  • www.nationalcrimeagency.gov.uk: Report on the arrests of four individuals linked to the Scattered Spider hacking group for the cyberattacks on UK retailers.
  • The Register - Security: NCA arrests four in connection with UK retail ransomware attacks
  • krebsonsecurity.com: You've probably read by now that British authorities this week arrested 4 people aged 17-20 in re an investigation into data ransom attacks from the cybercrime group Scattered Spider, which has been blamed in breaches at Marks & Spencer, Harrods, MGM Casinos and a bunch of airlines recently.
  • thecyberexpress.com: UK NCA Arrests Four in Cyberattacks on M&S, Co-op, and Harrods
  • HYPR Blog: Deconstructing the Gen-Z Hackers behind the £440M Cyber Attack on Marks & Spencer, Co-op, and Harrods
  • cyberscoop.com: UK arrests four for cyberattacks on major British retailers
  • Threats | CyberScoop: UK arrests four for cyberattacks on major British retailers
  • WIRED: 4 Arrested Over Scattered Spider Hacking Spree
  • blog.knowbe4.com: Alert from KnowBe4 about Scattered Spider targeting the aviation sector.
  • Metacurity: UK's NCA arrested four people for M&S, Co-Op cyberattacks
  • Risky.Biz: Four Key Players Drive Scattered Spider
  • Talkback Resources: UK charges four in Scattered Spider ransom group
  • TechInformed: Four people have been arrested as part of a National Crime Agency (NCA) investigation into cyberattacks targeting major UK retailers M&S, Harrods and Co-op.
  • Help Net Security: The UK's National Crime Agency (NCA) arrested four individuals suspected of being involved in cyberattacks on major retailers in the country, including Marks & Spencer, Co-op, and Harrods.
  • hackread.com: UK Arrests Woman and Three Men for Cyberattacks on M&S Co-op and Harrods
  • securityaffairs.com: UK NCA arrested four people over M&S, Co-op cyberattacks
  • BleepingComputer: The UK's National Crime Agency (NCA) arrested four people suspected of being involved in cyberattacks on major retailers in the country, including Marks & Spencer, Co-op, and Harrods.

@databreaches.net //
McDonald's has been at the center of a significant data security incident involving its AI-powered hiring tool, Olivia. The vulnerability, discovered by security researchers, allowed unauthorized access to the personal information of approximately 64 million job applicants. This breach was attributed to a shockingly basic security flaw: the AI hiring platform's administrator account was protected by the default password "123456." This weak credential meant that malicious actors could potentially gain access to sensitive applicant data, including chat logs containing personal details, by simply guessing the username and password. The incident raises serious concerns about the security measures in place for AI-driven recruitment processes.

The McHire platform, which is utilized by a vast majority of McDonald's franchisees to streamline the recruitment process, collects a wide range of applicant information. Researchers were able to access chat logs and personal data, such as names, email addresses, phone numbers, and even home addresses, by exploiting the weak password and an additional vulnerability in an internal API. This means that millions of individuals who applied for positions at McDonald's may have had their private information compromised. The ease with which this access was gained highlights a critical oversight in the implementation of the AI hiring system, underscoring the risks associated with inadequate security practices when handling large volumes of sensitive personal data.

While the security vulnerability has reportedly been fixed, and there are no known instances of the exposed data being misused, the incident serves as a stark reminder of the potential consequences of weak security protocols, particularly with third-party vendors. The responsibility for maintaining robust cybersecurity standards falls on both the companies utilizing these technologies and the vendors providing them. This breach emphasizes the need for rigorous security testing and the implementation of strong, unique passwords and multi-factor authentication to protect applicant data from falling into the wrong hands. Companies employing AI in sensitive processes like hiring must prioritize data security to maintain the trust of job seekers and prevent future breaches.

Recommended read:
References :
  • Talkback Resources: Leaking 64 million McDonald’s job applications
  • Security Latest: McDonald’s AI Hiring Bot Exposed Millions of Applicants' Data to Hackers Using the Password ‘123456’
  • Malwarebytes: The job applicants' personal information could be accessed by simply guessing a username and using the password “12345.â€
  • www.wired.com: McDonald’s AI Hiring Bot Exposed Millions of Applicants' Data to Hackers Using the Password ‘123456’
  • www.pandasecurity.com: Yes, it was. The personal information of approximately 64 million McDonald’s applicants was left unprotected due to login details consisting of a username and password…
  • Cybersecurity Blog: McDonald's Hiring Bot Blunder: AI, Fries and a Side of Job Seeker Data
  • techcrunch.com: AI chatbot’s simple ‘123456’ password risked exposing personal data of millions of McDonald’s job applicants
  • www.pandasecurity.com: Was the data of 64 million McDonald’s applicants left protected only by a flimsy password?
  • Talkback Resources: McDonald’s job app exposes data of 64 Million applicants
  • hackread.com: McDonald’s AI Hiring Tool McHire Leaked Data of 64 Million Job Seekers
  • futurism.com: McDonald’s AI Hiring System Just Leaked Personal Data About Millions of Job Applicants
  • hackread.com: Security flaws in McDonald's McHire chatbot exposed over 64 million applicants' data.
  • www.csoonline.com: McDonald’s AI hiring tool’s password ‘123456’: Exposes data of 64M applicants
  • Palo Alto Networks Blog: The job applicants' personal information could be accessed by simply guessing a username and using the password “123456.
  • SmartCompany: Big Hack: How a default password left millions of McDonald’s job applications exposed
  • Talkback Resources: '123456' password exposed chats for 64 million McDonald’s job applicants
  • databreaches.net: McDonald’s just got a supersized reminder to beef up its digital security after its recruitment platform allegedly exposed the sensitive data of 64 million applicants.
  • BleepingComputer: Cybersecurity researchers discovered a vulnerability in McHire, McDonald's chatbot job application platform, that exposed the chats of more than 64 million job applications across the United States.
  • PrivacyDigest: McDonald’s Exposed Millions of Applicants' Data to Using the ‘123456’
  • www.tomshardware.com: McDonald's McHire bot exposed personal information of 64M people by using '123456' as a password in 2025
  • bsky.app: Cybersecurity researchers discovered a vulnerability in McHire, McDonald's chatbot job application platform, that exposed the personal information of more than 64 million job applicants across the United States.
  • malware.news: McDonald’s just got a supersized reminder to beef up its digital security after its recruitment platform allegedly exposed the sensitive data of 64 million applicants.

@gbhackers.com //
Cybersecurity experts have identified a significant evolution in the tactics employed by the SLOW#TEMPEST malware group, which is now utilizing advanced obfuscation techniques to bypass detection systems. This latest variant is distributed as an ISO file containing both malicious and seemingly benign files, a common strategy to evade initial scanning. The malware employs DLL sideloading, a technique where a legitimate, signed executable like DingTalk.exe is tricked into loading a malicious DLL, zlibwapi.dll. This loader DLL then decrypts and executes a payload appended to another DLL, ipc_core.dll, creating a multi-stage attack that complicates analysis and detection.

At the core of SLOW#TEMPEST's enhanced evasion are sophisticated obfuscation methods designed to thwart both static and dynamic analysis. The malware utilizes control flow graph (CFG) obfuscation through dynamic jumps, where the target addresses of instructions like JMP RAX are computed at runtime based on system states and CPU flags. This unpredictability renders traditional analysis tools ineffective. Additionally, function calls are heavily obfuscated, with addresses dynamically resolved at runtime, masking the malware's true intentions and obscuring calls to crucial Windows APIs. Researchers have countered these tactics by employing CPU emulation frameworks like Unicorn to isolate and execute dispatcher routines, thereby revealing the dynamic jump destinations and restoring a more comprehensible program flow.

Palo Alto Networks researchers have delved into these advanced obfuscation techniques, highlighting methods and code that can be used to detect and defeat them. Their analysis reveals that the malware authors are actively manipulating execution paths and obscuring function calls to make their malicious code as difficult to analyze as possible. The campaign's use of dynamic jumps and obfuscated function calls forces security practitioners to adopt advanced emulation and scripting to dissect the malware's operations effectively. Understanding and counteracting these evolving tactics is crucial for developing robust detection rules and strengthening defenses against increasingly sophisticated cyber threats. Palo Alto Networks customers are reportedly better protected against these threats through products like Advanced WildFire, Cortex XDR, and XSIAM.

Recommended read:
References :
  • unit42.paloaltonetworks.com: Evolving Tactics of SLOW#TEMPEST: A Deep Dive Into Advanced Malware Techniques
  • Cyber Security News: SLOW#TEMPEST Employs Advanced Evasion Techniques to Evade Detection
  • gbhackers.com: SLOW#TEMPEST Hackers Adopt New Evasion Tactics to Bypass Detection Systems
  • cyberpress.org: SLOW#TEMPEST Employs Advanced Evasion Techniques to Evade Detection
  • gbhackers.com: SLOW#TEMPEST Hackers Adopt New Evasion Tactics to Bypass Detection Systems
  • malware.news: Malware News: SLOW#TEMPEST Hackers Adopt New Evasion Tactics to Bypass Detection Systems
  • Virus Bulletin: Palo Alto Networks researchers explore the obfuscation techniques employed by the malware authors in the SLOW#TEMPEST campaign and highlight methods and code that can be used to detect and defeat these techniques.