CyberSecurity news

FlagThis - #encryption

Bill Toulas@BleepingComputer //
A new ransomware campaign is underway, leveraging critical vulnerabilities in Fortinet's FortiOS and FortiProxy systems. The SuperBlack ransomware, deployed by the cybercriminal group Mora_001, targets Fortinet firewalls by exploiting authentication bypass flaws, specifically CVE-2024-55591 and CVE-2025-24472. Once inside, attackers escalate privileges to super-admin and create new administrator accounts, modifying automation tasks to ensure persistent access, even if initially removed.

The vulnerabilities, disclosed in January and February of 2025, allow attackers to gain unauthorized access and encrypt devices after the initial compromise, attackers map the network and attempt lateral movement using stolen VPN credentials and newly added VPN accounts. They utilize Windows Management Instrumentation (WMIC), SSH, and TACACS+/RADIUS authentication, which are protocols for managing and authenticating network access. Organizations are urged to patch their Fortinet systems to mitigate the risk of SuperBlack ransomware attacks.

Recommended read:
References :
  • The DefendOps Diaries: SuperBlack Ransomware: Exploiting Fortinet Vulnerabilities
  • BleepingComputer: New SuperBlack ransomware exploits Fortinet auth bypass flaws
  • Industrial Cyber: Researchers from Forescout Technologies‘ Forescout Research – Vedere Labs identified a series of intrusions exploiting two Fortinet vulnerabilities
  • The Register - Security: New kids on the ransomware block channel Lockbit to raid Fortinet firewalls
  • www.cybersecuritydive.com: SuperBlack ransomware strain used in attacks targeting Fortinet vulnerabilities
  • Blog: Fortinet flaws targeted by new LockBit-like SuperBlack ransomware
  • securityaffairs.com: SuperBlack Ransomware operators exploit Fortinet Firewall flaws in recent attacks
  • www.cybersecuritydive.com: SuperBlack ransomware strain used in attacks targeting Fortinet vulnerabilities
  • www.csoonline.com: Researchers tracked the exploits back to late November/early December last year.
  • techcrunch.com: Hackers are exploiting Fortinet firewall bugs to plant ransomware
  • Security Risk Advisors: New SuperBlack ransomware exploits Fortinet vulnerabilities for network breaches
  • Cyber Security News: CISA Warns: Fortinet FortiOS Vulnerability Actively Exploited
  • gbhackers.com: CISA Issues Security Warning on Fortinet FortiOS Authentication Bypass Exploit
  • securityonline.info: Cybersecurity Alert: CISA Adds Fortinet and GitHub Action Vulnerabilities to Exploited List
  • cyble.com: CISA Alerts Users of CVE-2025-24472
  • securityaffairs.com: U.S. CISA adds Fortinet FortiOS/FortiProxy and GitHub Action flaws to its Known Exploited Vulnerabilities catalog
  • www.it-daily.net: SuperBlack ransomware exploits Fortinet vulnerability
  • : Fortinet Vulnerability Exploited in Ransomware Attack, CISA Warns The US Cybersecurity and Infrastructure Security Agency added flaws in Fortinet and a popular GitHub Action to its Known Exploited Vulnerabilities catalog
  • chemical-facility-security-news.blogspot.com: CISA Adds FortiGuard Vulnerability to KEV Catalog – 3-18-25

@techcrunch.com //
Apple has ceased offering its Advanced Data Protection (ADP) feature for iCloud users in the United Kingdom. This decision follows a reported demand from the UK government for a backdoor that would grant authorities access to encrypted user data. ADP provided end-to-end encryption, ensuring that only the user could decrypt their data stored in iCloud. Apple confirmed that this security feature will no longer be available to new users, and existing UK users will eventually need to disable it.

Apple stated it was "gravely disappointed" that ADP protections would be unavailable in the UK, especially considering the increasing data breaches and threats to customer privacy. The company emphasized the growing need for enhanced cloud storage security with end-to-end encryption. This move highlights a conflict between government surveillance and user privacy, as security experts warn this demand could set a precedent for authoritarian countries. James Baker from Open Rights Group said, "The Home Office’s actions have deprived millions of Britons from accessing a security feature. As a result, British citizens will be at higher risk."

Recommended read:
References :
  • techcrunch.com: Apple has disabled its iCloud Advanced Data Protection feature for UK users after government demands for a backdoor.
  • securityaffairs.com: The article discusses Apple's decision to remove iCloud's Advanced Data Protection in the UK.
  • www.bleepingcomputer.com: This article discusses Apple's decision to disable the iCloud end-to-end encryption feature in the UK due to government pressure.
  • Deeplinks: The piece explains Apple's decision to disable the end-to-end encryption feature for iCloud in the UK due to the government demanding backdoor access.
  • Ars OpenForum: UK government wants access to all Apple user data worldwide
  • billatnapier.medium.com: Apple Steps Back Their Security
  • The Register - Security: Rather than add a backdoor, Apple decides to kill iCloud E2EE for UK peeps
  • The Verge: The UK will neither confirm nor deny that it’s killing encryption

John Engates@The Cloudflare Blog //
Cloudflare has announced an expansion of its Zero Trust platform to protect organizations against emerging quantum computing threats. The upgrade focuses on enabling post-quantum cryptography for corporate network traffic, allowing secure routing of communications from web browsers to corporate web applications. This provides immediate, end-to-end quantum-safe connectivity, addressing the increasing vulnerability of conventional cryptography to quantum computer attacks. Cloudflare has been actively developing and implementing post-quantum cryptography since 2017 and are already making post-quantum security free, by default, for all of its customers.

Organizations can tunnel their corporate network traffic through Cloudflare’s Zero Trust platform, thereby shielding sensitive data from potential quantum breaches. Over 35% of non-bot HTTPS traffic that touches Cloudflare is already post-quantum secure, with the expectation that this percentage will grow as more browsers and clients support post-quantum cryptography. The National Institute of Standards and Technology (NIST) is also encouraging this transition, setting a timeline to phase out conventional cryptographic algorithms like RSA and Elliptic Curve Cryptography (ECC) by 2030 and completely disallowing them by 2035.

Cloudflare's CEO Matthew Prince states "Cloudflare has long committed to making post-quantum security the new baseline for Internet security, delivering it to all customers so we can bolster defenses against future quantum threats. Now, we’re offering that protection built directly into our Zero Trust solutions". He continues "We want every Cloudflare customer to have a clear path to quantum safety, and we are already working with some of the most innovative banks, ISPs, and governments around the world as they begin their journeys to quantum security. We will continue to make advanced cryptography accessible to everyone, at no cost, in all of our products.”

Recommended read:
References :
  • The Cloudflare Blog: Conventional cryptography is under threat. Upgrade to post-quantum cryptography with Cloudflare Zero Trust
  • Quartz: Cloudflare is already selling security tools for the quantum computing era
  • Help Net Security: Cloudflare boosts defenses against future quantum threats
  • www.infosecurity-magazine.com: Cloudflare introduces E2E post-quantum cryptography, enhancing security against quantum threats

@www.csoonline.com //
Ransomware gangs are accelerating their operations, significantly reducing the time between initial system compromise and encryption deployment. Recent cybersecurity analyses reveal the average time-to-ransom (TTR) now stands at a mere 17 hours. This marks a dramatic shift from previous tactics where attackers would remain hidden within networks for extended periods to maximize reconnaissance and control. Some groups, like Akira, Play, and Dharma/Crysis, have even achieved TTRs as low as 4-6 hours, demonstrating remarkable efficiency and adaptability.

This rapid pace presents considerable challenges for organizations attempting to defend against these attacks. The shrinking window for detection and response necessitates proactive threat detection and rapid incident response capabilities. The trend also highlights the increasing sophistication of ransomware groups, which are employing advanced tools and techniques to quickly achieve their objectives, often exploiting vulnerabilities in remote monitoring and management tools or using initial access brokers to infiltrate networks, escalate privileges, and deploy ransomware payloads.

Recommended read:
References :
  • ciso2ciso.com: Source: www.csoonline.com – Author: News 17 Feb 20255 mins Incident ResponseRansomware The window for intrusion detection keeps getting shorter as ransomware group’s time-to-ransom (TTR) accelerates.
  • gbhackers.com: Ransomware Gangs Encrypt Systems 17 Hours After Initial Infection
  • www.csoonline.com: Ransomware gangs extort victims 17 hours after intrusion on average
  • ciso2ciso.com: Ransomware gangs extort victims 17 hours after intrusion on average
  • gbhackers.com: Ransomware Gangs Encrypt Systems 17 Hours After Initial Infection
  • Blog RSS Feed: Ransomware has become more than a threat—it's a calculated assault on industries, wielding AI-driven precision to bypass traditional defenses.

Kirsten Doyle@informationsecuritybuzz.com //
Millions of RSA encryption keys are vulnerable to attack due to a significant security flaw. New research indicates that roughly 1 in 172 online certificates are susceptible to compromise via a mathematical attack. This vulnerability primarily affects Internet of Things (IoT) devices, but it can pose a risk to any system utilizing improperly generated RSA keys. The root cause lies in poor random number generation during the key creation process.

The flaw occurs because keys sometimes share prime factors with other keys. If two keys share a prime factor, both can be broken by computing the Greatest Common Divisor (GCD). According to researchers, with modest resources, hundreds of millions of RSA keys used to protect real-world internet traffic can be obtained. Using a single cloud-hosted virtual machine and a well-studied algorithm, over one in 200 certificates can be compromised within days.

Recommended read:
References :

Matt Swayne@The Quantum Insider //
Recent developments highlight ongoing efforts to transition to quantum-safe cryptography. The UK's National Cyber Security Centre (NCSC) has provided a roadmap for post-quantum cryptography (PQC) migration, urging organizations to complete a discovery phase by 2028, high-priority migration activities by 2031, and full transition by 2035. This roadmap aligns with similar initiatives, such as the US focus on post-quantum cryptography, signaling a global push to mitigate the threat posed by future quantum computers. Unisys has also launched Post-Quantum Cryptography services to strengthen cybersecurity

ETSI has launched a new post-quantum security standard designed to protect critical data from future quantum computing threats. The standard introduces Covercrypt, a hybrid encryption system that secures data by allowing only authorized users to access session keys based on specific user attributes, ensuring both current and future quantum-safe protection. Organizations are already adopting ETSI’s standard to enhance security infrastructure and comply with future-proof cryptographic requirements. Furthermore, OpenSSL 3.5 is integrating PQC methods.

Recommended read:
References :

Kaaviya Ragupathy@Cyber Security News //
A critical vulnerability has been discovered in Windows BitLocker (CVE-2025-21210), which leaves the encryption susceptible to a randomization attack. Attackers with physical access can exploit this flaw to manipulate ciphertext blocks, potentially exposing sensitive data stored on disk in plaintext. This vulnerability, referred to as bitpixie, stems from the ability to downgrade the Windows Boot Manager, and only requires the attacker to connect a LAN cable and keyboard to decrypt the disk.

There is also evidence that TPM-equipped devices are experiencing issues, triggering warnings after BitLocker is enabled. These vulnerabilities are present even on fully updated Windows 11 systems, where device encryption is enabled and Secure Boot is active with locked BIOS/UEFI settings. Although ready-made tools to exploit this bug aren’t widely available, the full details have been made public. Mitigation for affected users include using a pre-boot PIN or applying KB5025885.

Recommended read:
References :