CyberSecurity news
FlagThis - #cybersecurity
|
@www.helpnetsecurity.com
//
The National Institute of Standards and Technology (NIST) has released a new guide, SP 1800-35, titled "Implementing a Zero Trust Architecture," aimed at providing practical assistance in building zero trust architectures (ZTA). This guidance includes 19 example setups that utilize commercially available, off-the-shelf tools. The initiative is a result of work conducted by NIST’s National Cybersecurity Center of Excellence (NCCoE).
Over the course of four years, NIST collaborated with 24 industry partners, including major tech companies, to build, install, test, and document the 19 ZTA models. These models illustrate various real-world scenarios such as hybrid cloud setups, branch offices, and even public Wi-Fi use in coffee shops. Each model provides technical details on deployment, sample configurations, integration steps, test results, and best practices derived from real-world experiences. The guide also maps these setups onto NIST's broader cybersecurity framework (CSF), SP 800-53 controls, and critical software measures. The rise in popularity of zero trust architectures comes as traditional on-prem security perimeters weaken due to the increasing adoption of cloud services, mobile devices, remote employees, and IoT devices. The new NIST guidance builds on its earlier zero trust framework, SP 800-207, by providing more hands-on implementation advice. According to Brian Soby, CTO at AppOmni, one of the main challenges in real-world zero trust implementations is the existence of multiple policy decision and policy enforcement points, which are often left out of many zero trust plans, potentially leaving doors open for attackers. This new guidance recognizes the reality of multiple PDP/PEPs and operationalizes the concept of Policy Information Points, enhancing decision-making within the architecture by adapting to changing context and user behaviors. Recommended read:
References :
@cyberscoop.com
//
Despite being sanctioned twice by the US Treasury Department last year, Intellexa, the developer of the Predator spyware, continues to operate and has even established new server infrastructure for its customers. Security firm Recorded Future recently uncovered fresh activity, identifying new infrastructure aimed at both customers and victims, along with new systems designed to avoid detection. This new infrastructure includes servers and domains for hosting and delivering the Predator mobile spyware, as well as VPS servers for anonymizing traffic and hosting management panels for Intellexa customers.
Intellexa's Predator spyware activity has been observed surfacing in new places with new techniques. Recorded Future's Insikt Group identified a previously unknown customer in Mozambique, connecting Intellexa infrastructure to this new location. Furthermore, links have been established to a Czech entity, and a cluster linked to an Eastern European country was also discovered, with activity observed between August and November of last year. Researchers believe this Eastern European activity could be related to testing or development. To evade detection, Intellexa has adopted advanced obfuscation capabilities, including the use of fake websites. These websites fall into four main categories: fake 404 error pages, counterfeit login or registration pages, sites indicating they are under construction, and websites purporting to be associated with specific entities, such as conferences. Julian-Ferdinand Vögele, a threat researcher with Recorded Future, stated that "Intellexa’s Predator remains active and adaptive, relying on a vast network of vendors, subsidiaries, and other companies." Recommended read:
References :
@research.checkpoint.com
//
A critical vulnerability in Discord's invitation system has been identified, enabling malicious actors to hijack expired or deleted invite links and redirect unsuspecting users to harmful servers. Check Point Research (CPR) uncovered this flaw, revealing that attackers are exploiting a Discord feature that allows the reuse of expired or deleted invite links. By registering vanity links, attackers can silently redirect users from trusted sources, such as community forums and social media posts, to malicious servers designed to deliver malware.
CPR's research details real-world attacks leveraging hijacked links to deploy sophisticated phishing schemes and malware campaigns. These campaigns often involve multi-stage infections that evade detection by antivirus tools and sandbox checks. The attack tricks users with a fake verification bot and phishing site that look like legitimate Discord servers, leading victims to unknowingly run harmful commands that download malware on their computer. The malware spreads quietly in multiple steps using popular, trusted services like GitHub and Pastebin to hide its activity and avoid detection. The attackers are primarily targeting cryptocurrency users, with the goal of stealing credentials and wallet information for financial gain. Over 1,300 downloads have been tracked across multiple countries, including the U.S., Vietnam, France, Germany, and the UK, demonstrating the global scale of the campaign. The delivered malware includes remote access trojans (RATs) like AsyncRAT and information-stealing malware like Skuld Stealer, posing a significant threat to users' security and privacy. Recommended read:
References :
info@thehackernews.com (The@The Hacker News
//
References:
The Hacker News
, therecord.media
The Rare Werewolf APT group, also known as Librarian Ghouls and Rezet, has been actively targeting Russian enterprises and engineering schools since at least 2019, with activity continuing through May 2025. This advanced persistent threat group distinguishes itself by primarily utilizing legitimate third-party software instead of developing its own malicious tools. The attacks are characterized by the use of command files and PowerShell scripts to establish remote access to compromised systems, steal credentials, and deploy the XMRig cryptocurrency miner. The campaign has impacted hundreds of Russian users, with additional infections reported in Belarus and Kazakhstan.
The group's initial infection vector typically involves targeted phishing emails containing password-protected archives with executable files disguised as official documents or payment orders. Once the victim opens the attachment, the attackers deploy a legitimate tool called 4t Tray Minimizer to obscure their presence on the compromised system. They also use tools like Defender Control to disable antivirus software and Blat, a legitimate utility, to send stolen data via SMTP. The attackers actively refine their tactics and a new wave of attacks emerged immediately after a slight decline in December 2024. A key aspect of the Rare Werewolf APT's strategy involves the use of a Windows batch script that launches a PowerShell script, scheduling the victim system to wake up at 1 AM local time and providing a four-hour window for remote access via AnyDesk. The machine is then shut down at 5 AM through a scheduled task, minimizing the chance of detection. The attackers also collect information about available CPU cores and GPUs to optimally configure the crypto miner. Besides cryptomining, the group has also been known to steal sensitive documents, passwords, and compromise Telegram accounts. Recommended read:
References :
@socprime.com
//
A critical zero-click AI vulnerability, dubbed "EchoLeak," has been discovered in Microsoft 365 Copilot, potentially allowing attackers to exfiltrate sensitive data without any user interaction. The vulnerability, identified as CVE-2025-32711, has been assigned a CVSS score of 9.3. Aim Security, the firm that discovered and reported the vulnerability, described it as an instance of a Large Language Model (LLM) Scope Violation, paving the way for indirect prompt injection and leading to unintended behavior. This allows attackers to automatically exfiltrate sensitive and proprietary information from Microsoft 365 Copilot's context without any specific action from the user, relying on Copilot's default behavior to combine and process content.
The attack sequence involves an attacker sending an innocuous-looking email containing a malicious prompt payload to an employee's Outlook inbox. When the user asks Microsoft 365 Copilot a business-related question, the system mixes the untrusted attacker input with sensitive data to the LLM context through its Retrieval-Augmented Generation (RAG) engine. This process results in Copilot leaking private data to the attacker via Microsoft Teams and SharePoint URLs. This means attackers can exploit a flaw where Copilot doesn't isolate trust boundaries when processing content from Outlook and SharePoint, turning a helpful automation feature into a potential data leak. Microsoft has addressed the EchoLeak vulnerability and released an advisory stating that no further action is needed by customers. The company has implemented defense-in-depth measures and updated its products to mitigate the issue. While there is no evidence of malicious exploitation in the wild, the discovery highlights the importance of ongoing security research and proactive measures to protect AI-powered systems from potential vulnerabilities. Microsoft expressed appreciation to Aim Labs for responsibly reporting the issue, enabling them to address it before any customers were impacted. Recommended read:
References :
info@thehackernews.com (The@The Hacker News
//
ConnectWise is initiating a rotation of its ScreenConnect code signing certificates following security concerns identified by a third-party researcher. The issue revolves around how ScreenConnect handled specific configuration data in earlier versions, where configuration data was stored in an unsigned area of the installer. While this area is intended for customization, its coupling with remote control capabilities created a potentially insecure design pattern according to current security standards. The company emphasizes that this action is unrelated to the recent nation-state attacks affecting some of its customers.
ConnectWise is implementing an update to enhance the management of configuration data within ScreenConnect. The company said it's doing so "due to concerns raised by a third-party researcher about how ScreenConnect handled certain configuration data in earlier versions." The rotation of digital certificates is set to take place by June 13 at 8 p.m. ET. ConnectWise is already updating certificates and agents across its cloud instances of Automate and RMM. Users of on-premise versions of ScreenConnect or Automate are required to update to the latest build and validate all agents before the June 13th deadline to avoid potential service disruptions. ConnectWise acknowledges the challenges this may pose and has committed to supporting users through the transition. Connectwise customers who use the company’s ScreenConnect, Automate, and ConnectWise RMM solutions are urged to update all agents and/or validate that the update has been deployed by Friday, June 13 at 8:00 p.m. ET, or risk disruptions. Recommended read:
References :
info@thehackernews.com (The@The Hacker News
//
A new account takeover (ATO) campaign, dubbed UNK_SneakyStrike, is actively targeting Microsoft Entra ID user accounts. Cybersecurity researchers at Proofpoint have identified that the campaign is leveraging the TeamFiltration pentesting framework to breach accounts. The activity has been ongoing since December 2024, with a surge in login attempts impacting over 80,000 user accounts across hundreds of organizations' cloud tenants. This poses a significant threat to cloud security, as successful account takeovers can lead to data exfiltration and further malicious activities.
The attackers are leveraging the TeamFiltration framework to identify valid user accounts and use password-spraying techniques to gain access. They have been observed utilizing Microsoft Teams API and Amazon Web Services (AWS) servers from various geographic locations to carry out user enumeration and password-spraying attacks. Once an account is compromised, the attackers are able to access sensitive data and potentially upload malicious files to the target user's OneDrive. This campaign demonstrates how legitimate pentesting tools can be exploited for malicious purposes, highlighting the need for robust security measures. Organizations are advised to monitor for indicators of compromise related to the UNK_SneakyStrike campaign. According to researchers, unauthorized access attempts tend to occur in concentrated bursts targeting a wide range of users within a single cloud environment. This is followed by quiet periods. The attackers appear to be attempting to access all user accounts within smaller cloud tenants while focusing on a subset of users in larger ones. Defenders are urged to check if any of their organization's accounts have been compromised and implement stronger authentication measures to prevent future account takeovers. Recommended read:
References :
@cyberscoop.com
//
INTERPOL has announced the successful culmination of Operation Secure, a global initiative targeting the infrastructure of information-stealing malware. The operation, which spanned from January to April 2025, involved law enforcement agencies from 26 countries who worked collaboratively to locate servers, map physical networks, and execute targeted takedowns. This coordinated effort resulted in the dismantling of more than 20,000 malicious IP addresses and domains associated with 69 different variants of infostealer malware, significantly disrupting cybercriminal activities worldwide.
Operation Secure also led to the seizure of 41 servers and over 100 GB of data, providing valuable insights into the operations of cybercriminals. A total of 32 suspects were arrested across multiple countries in connection with illegal cyber activities, demonstrating the effectiveness of international cooperation in combating cybercrime. Eighteen arrests occurred in Vietnam, where authorities confiscated devices, SIM cards, business registration documents, and a substantial sum of cash, revealing a scheme to open and sell corporate accounts for illicit purposes. The operation was further bolstered by the contributions of private sector cybersecurity firms, including Group-IB, Kaspersky, and Trend Micro, who provided critical intelligence and Cyber Activity Reports to assist cyber teams. This collaboration resulted in the takedown of 79% of identified suspicious IP addresses. Hong Kong police played a key role by analyzing over 1,700 pieces of intelligence and identifying 117 command-and-control servers used by cybercriminals to orchestrate phishing schemes, online fraud, and social media scams. Recommended read:
References :
sjvn01@Practical Technology
//
Cisco is making significant strides in integrating artificial intelligence into its networking and data center solutions. They are releasing a range of new products and updates that leverage AI to enhance security and automate network tasks, with a focus on supporting AI adoption for enterprise IT. These new "AgenticOps" tools will enable the orchestration of AI agents with a high degree of autonomy within enterprise environments, aiming to streamline complex system management. Cisco's strategy includes a focus on secure network architectures and AI-driven policies to combat emerging threats, including rogue AI agents.
The networking giant is also strengthening its data center strategy through an expanded partnership with NVIDIA. This collaboration is designed to establish a new standard for secure, scalable, and high-performance enterprise AI. The Cisco AI Defense and Hypershield security solutions utilize NVIDIA AI to deliver enhanced visibility, validation, and runtime protection across AI workflows. This partnership builds upon the Cisco Secure AI Factory with NVIDIA, aiming to provide continuous monitoring and protection throughout the AI lifecycle, from data ingestion to model deployment. Furthermore, Cisco is enhancing AI networking performance to meet the demands of data-intensive AI workloads. This includes Cisco Intelligent Packet Flow, which dynamically steers traffic using real-time telemetry, and NVIDIA Spectrum-X, an AI-optimized Ethernet platform that delivers high-throughput and low-latency connectivity. By offering end-to-end visibility and unified monitoring across networks and GPUs, Cisco and NVIDIA are enabling enterprises to maintain zero-trust security across distributed AI environments, regardless of where data and workloads are located. Recommended read:
References :
@research.checkpoint.com
//
Microsoft's June 2025 Patch Tuesday has addressed a total of 66 vulnerabilities across its product range, with one zero-day vulnerability, CVE-2025-33053, being actively exploited in the wild. This critical flaw exists in the Web Distributed Authoring and Versioning (WebDAV) implementation, and its exploitation could lead to remote code execution. Microsoft has issued an urgent security update to mitigate this threat, even for outdated systems like Windows Server 2008 and components of the long-retired Internet Explorer. The urgency of this patch is underscored by the ongoing exploitation of the vulnerability by the Stealth Falcon APT group.
The actively exploited zero-day, CVE-2025-33053, poses a significant risk because attackers can achieve remote code execution at the local level simply by tricking a user into following a malicious link. This vulnerability has been exploited since March 2025 by Stealth Falcon, a hacking group known for targeted attacks in the Middle East. Researchers at Check Point discovered the flaw being used against a Turkish defense company, where malware was inserted to facilitate data exfiltration and the installation of a custom keylogger. The attack involves a .url file disguised as a PDF, which, when clicked, redirects to a WebDAV server controlled by the attacker, causing a legitimate Windows diagnostic tool to execute a malicious file. Alongside the actively exploited zero-day, Microsoft's June 2025 Patch Tuesday addresses a range of other vulnerabilities, including ten that are rated as "Critical". Another notable flaw, CVE-2025-33073, affects the Windows Server Message Block (SMB) client and could allow attackers to gain SYSTEM privileges. This vulnerability is considered less likely to be exploited but can be mitigated by enforcing server-side SMB signing via Group Policy. The updates also include fixes for vulnerabilities in Microsoft Office, .NET, Visual Studio, and other products, highlighting the breadth of the security update. Recommended read:
References :
Bill Toulas@BleepingComputer
//
The Texas Department of Transportation (TxDOT) is alerting the public to a significant data breach that compromised nearly 300,000 crash records. The incident, discovered on May 12th, 2025, involved unauthorized access to its Crash Records Information System (CRIS). Texas officials revealed that a hacker gained entry through a compromised user account and proceeded to download a large volume of sensitive data. This data included personally identifiable information such as names, addresses, driver's license numbers, license plate numbers, and car insurance policy numbers.
The compromised crash reports contain detailed information about individuals involved in traffic accidents, including summaries of injuries sustained during the crash and narratives of the incidents. While TxDOT is not legally obligated to notify the public, it has chosen to proactively inform those affected by sending letters to individuals whose information was included in the stolen crash reports. TxDOT immediately disabled access from the compromised account upon discovering the unusual activity and launched an investigation into the matter. The Texas Department of Public Safety is currently investigating how the breach occurred and is attempting to determine the identity of the responsible parties. TxDOT is urging individuals who may have been affected to be cautious of potential scams and fraudulent activities. Letters sent to victims advise them to be wary of unsolicited emails, texts, or calls related to past crashes, and a dedicated call line has been established to address any questions or concerns. The exposed data poses a significant risk of financial fraud and identity theft for those affected, as the compromised information can be valuable for malicious actors. Recommended read:
References :
Eric Geller@cybersecuritydive.com
//
SentinelOne, a cybersecurity firm, has revealed that it was the target of a year-long reconnaissance campaign by China-linked espionage groups, identified as APT15 and UNC5174. This campaign, dubbed "PurpleHaze," involved network reconnaissance and intrusion attempts, ultimately aiming to gather strategic intelligence and potentially establish access for future conflicts. SentinelOne discovered the campaign when the suspected Chinese spies tried to break into the security vendor's own servers in October 2024. The attempted intrusion on SentinelOne's systems failed, but it prompted a deeper investigation into the broader campaign and the malware being used.
The investigation revealed that over 70 organizations across multiple sectors globally were targeted, including a South Asian government entity and a European media organization. The attacks spanned from July 2024 to March 2025 and involved the use of ShadowPad malware and post-exploitation espionage activity. These targeted sectors include manufacturing, government, finance, telecommunications, and research. The coordinated attacks are believed to be connected to Chinese government spying programs. SentinelOne has expressed high confidence that the PurpleHaze and ShadowPad activity clusters can be attributed to China-nexus threat actors. This incident underscores the persistent threat that Chinese cyber espionage actors pose to global industries and public sector organizations. The attack on SentinelOne also highlights that cybersecurity vendors themselves are prime targets for these groups, given their deep visibility into client environments and ability to disrupt adversary operations. SentinelOne recommends that more proactive steps are taken to prevent future attacks. Recommended read:
References :
Lily Hay@feeds.arstechnica.com
//
References:
www.wired.com
, arstechnica.com
,
Cybercriminals are increasingly leveraging residential proxy services to mask malicious web traffic, making it appear as routine online activity and evading detection. This tactic involves routing illicit activities through a network of real IP addresses assigned to homes and offices, making it difficult to distinguish between legitimate and harmful traffic. Researchers at the Sleuthcon conference in Arlington, Virginia, highlighted this growing trend, noting that the shift towards using proxies has become significant in recent years as law enforcement agencies have become more effective at targeting traditional "bulletproof" hosting services.
The core issue lies in the fact that proxy services are designed to obfuscate the source of web traffic, making it nearly impossible to identify malicious actors within a node. As Thibault Seret, a researcher at Team Cymru, explained, the strength of a proxy service lies in its anonymity, which while beneficial for internet freedom, presents a major challenge for analyzing and identifying harmful activities. This is particularly true of residential proxies, which use real IP addresses of everyday internet users, blurring the lines between legitimate and criminal behavior. The use of residential proxies by cybercriminals represents a significant shift in tactics, prompting security professionals to reassess their detection strategies. These proxies operate on consumer devices like old Android phones or low-end laptops, making it even more difficult to trace the origin of malicious activities. As criminals and companies seek to maintain anonymity and privacy, they are increasingly relying on these services, complicating the efforts to combat cybercrime effectively. Recommended read:
References :
Rescana@Rescana
//
Void Blizzard, a cyber threat actor with ties to Russia, has been identified as conducting extensive cyberespionage operations targeting critical sectors across Europe and North America. These operations, active since at least April 2024 and escalating in 2025, are aimed at gathering intelligence crucial to Russian governmental objectives. The targeted sectors include government, defense, transportation, media, NGOs, and healthcare, reflecting a broad scope of interest. Void Blizzard, also known as LAUNDRY BEAR, employs various techniques to infiltrate organizations and steal sensitive data.
Spear phishing and credential theft are among the primary methods used by Void Blizzard. The group has been observed using stolen credentials sourced from infostealer ecosystems and launching spear phishing campaigns with typosquatted domains to mimic authentication portals. They also utilize adversary-in-the-middle (AitM) tactics with tools like Evilginx to intercept credentials. A notable campaign in April 2025 targeted over 20 NGOs with a spear phishing attack using a typosquatted domain resembling a Microsoft Entra authentication page. Their post-compromise activities include cloud service abuse, leveraging legitimate cloud APIs for data enumeration and exfiltration, and automating the collection of emails and files from cloud services like Exchange Online and SharePoint. Meanwhile, security researchers at ESET have uncovered a separate but related cyberespionage campaign dubbed "BladedFeline" targeting Iraqi and Kurdish officials. This operation, linked to OilRig, an Iran-based APT group, utilizes malicious tools such as Whisper, PrimeCache, and Shahmaran to gain unauthorized access to computer systems. The attackers primarily compromise webmail servers to deploy Whisper, a tool designed for data exfiltration and command execution. PrimeCache, a backdoor Internet Information Services (IIS) module, allows persistent covert access to targeted servers. The campaign also highlights the continued use of the Shahmaran backdoor, previously associated with attacks targeting Kurdish diplomatic officials, indicating a sustained interest in intelligence gathering related to Kurdish affairs. Recommended read:
References :
Pierluigi Paganini@securityaffairs.com
//
OpenAI is facing scrutiny over its ChatGPT user logs due to a recent court order mandating the indefinite retention of all chat data, including deleted conversations. This directive stems from a lawsuit filed by The New York Times and other news organizations, who allege that ChatGPT has been used to generate copyrighted news articles. The plaintiffs believe that even deleted chats could contain evidence of infringing outputs. OpenAI, while complying with the order, is appealing the decision, citing concerns about user privacy and potential conflicts with data privacy regulations like the EU's GDPR. The company emphasizes that this retention policy does not affect ChatGPT Enterprise or ChatGPT Edu customers, nor users with a Zero Data Retention agreement.
Sam Altman, CEO of OpenAI, has advocated for what he terms "AI privilege," suggesting that interactions with AI should be afforded the same privacy protections as communications with professionals like lawyers or doctors. This stance comes as OpenAI faces criticism for not disclosing to users that deleted and temporary chat logs were being preserved since mid-May in response to the court order. Altman argues that retaining user chats compromises their privacy, which OpenAI considers a core principle. He fears that this legal precedent could lead to a future where all AI conversations are recorded and accessible, potentially chilling free expression and innovation. In addition to privacy concerns, OpenAI has identified and addressed malicious campaigns leveraging ChatGPT for nefarious purposes. These activities include the creation of fake IT worker resumes, the dissemination of misinformation, and assistance in cyber operations. OpenAI has banned accounts linked to ten such campaigns, including those potentially associated with North Korean IT worker schemes, Beijing-backed cyber operatives, and Russian malware distributors. These malicious actors utilized ChatGPT to craft application materials, auto-generate resumes, and even develop multi-stage malware. OpenAI is actively working to combat these abuses and safeguard its platform from being exploited for malicious activities. Recommended read:
References :
iHLS News@iHLS
//
OpenAI has revealed that state-linked groups are increasingly experimenting with artificial intelligence for covert online operations, including influence campaigns and cyber support. A newly released report by OpenAI highlights how these groups, originating from countries like China, Russia, and Cambodia, are misusing generative AI technologies, such as ChatGPT, to manipulate content and spread disinformation. The company's latest report outlines examples of AI misuse and abuse, emphasizing a steady evolution in how AI is being integrated into covert digital strategies.
OpenAI has uncovered several international operations where its AI models were misused for cyberattacks, political influence, and even employment scams. For example, Chinese operations have been identified posting comments on geopolitical topics to discredit critics, while others used fake media accounts to collect information on Western targets. In one instance, ChatGPT was used to draft job recruitment messages in multiple languages, promising victims unrealistic payouts for simply liking social media posts, a scheme discovered accidentally by an OpenAI investigator. Furthermore, OpenAI shut down a Russian influence campaign that utilized ChatGPT to produce German-language content ahead of Germany's 2025 federal election. This campaign, dubbed "Operation Helgoland Bite," operated through social media channels, attacking the US and NATO while promoting a right-wing political party. While the detected efforts across these various campaigns were limited in scale, the report underscores the critical need for collective detection efforts and increased vigilance against the weaponization of AI. Recommended read:
References :
|