Duncan Riley@SiliconANGLE - 74d
A significant cyberattack has targeted Rhode Island's online social services portal, RIBridges, potentially compromising the personal data of hundreds of thousands of residents who have used state programs over the past eight years. The breach, confirmed by the state's vendor Deloitte, has likely exposed sensitive information including Social Security numbers, bank account details, names, addresses, and dates of birth. The cyberattack has led to the shutdown of the RIBridges system, impacting the ability of residents to access and apply for benefits.
Hackers are demanding a ransom payment and are threatening to release the stolen information if their demands are not met, which state officials are describing as an extortion attempt. Affected programs include Medicaid, SNAP (Supplemental Nutrition Assistance Program), and HealthSource RI, the state's healthcare marketplace. Rhode Island residents are now required to submit paper applications while the system is down. The state government plans to mail instructions for free credit monitoring to affected individuals and has established a call center to provide support.
alinskens@sonatype.com (Aaron Linskens)@2024 Sonatype Blog - 74d
Multiple critical vulnerabilities have been discovered in Apache Struts2 and Tomcat, including a path traversal vulnerability in Struts2 (CVE-2024-53677) that can lead to remote code execution, and two vulnerabilities in Apache Tomcat (CVE-2024-50379 and CVE-2024-54677) that can cause remote code execution and denial of service respectively. These vulnerabilities stem from issues like Time-of-check Time-of-use (TOCTOU) race conditions during JSP compilation in Tomcat and the ability to upload files into restricted directories in Struts2, allowing attackers to potentially compromise affected systems. Users are urged to apply the available patches immediately.
Rounak Jain@feeds.benzinga.com - 61d
Security firm SquareX exposed a significant vulnerability in the OAuth implementation of Google Chrome extensions just days before a major breach occurred. The flaw allowed malicious actors to inject harmful code into extensions using a sophisticated phishing campaign. This campaign involved emails disguised as Chrome Store notifications regarding policy violations, prompting developers to connect their Google account to a fake "Privacy Policy Extension". This fake extension, in turn, granted attackers the ability to edit, update, and publish extensions on the developer's account, effectively hijacking them.
The identified attack vector was demonstrated by SquareX researchers in a video just before a malicious version of Cyberhaven’s browser extension was found on the Chrome store. This malicious extension was available for over 30 hours and affected over 400,000 users before it was removed by Cyberhaven. The incident highlights the increasing risk that browser extensions pose, as most organizations don't monitor what extensions their employees are using, making them a common target for cybercriminals.
@ofac.treasury.gov - 34d
North Korean IT workers are increasingly engaging in aggressive extortion tactics against companies that unknowingly hired them. The FBI and Mandiant have issued warnings about these workers, who exploit remote access to steal sensitive data and demand ransom payments. After being discovered, some of these workers hold stolen data and proprietary code hostage, threatening to publicly release it if demands are not met. There have also been reports of workers attempting to steal code repositories, company credentials, and session cookies for further compromise.
This escalation in tactics is attributed to increased law enforcement action, sanctions, and media coverage, which have impacted the success of their schemes. The US Department of Justice has indicted several individuals, including North Korean nationals, for their involvement in elaborate "laptop farm" schemes. These schemes involve using stolen identities, forged documents, and remote access software to deceive companies into hiring North Korean IT workers and generating revenue for the DPRK regime. The indicted individuals are accused of generating over $800,000, which was then laundered, highlighting the sophistication and reach of this cybercrime operation.
@feeds.feedburner.com - 76d
Cybersecurity researchers have discovered a new Linux rootkit named PUMAKIT that employs sophisticated techniques to evade detection and maintain persistence. The malware utilizes a staged deployment, activating its core functionalities only under specific conditions, such as secure boot verification. PUMAKIT embeds necessary files as ELF binaries within a dropper component named "cron", ensuring all components necessary for its operations are readily available. This rootkit features a multi-stage architecture which includes a memory-resident executable named "/memfd:tgt", a loader called "/memfd:wpn", a loadable kernel module (LKM) rootkit named "puma.ko", and a shared object userland rootkit called Kitsune.
The PUMAKIT rootkit uses advanced methods such as syscall hooking, memory-resident execution, and privilege escalation to hide its presence and maintain communication with command-and-control servers. It hooks into 18 system calls using the internal Linux function tracer (ftrace), along with functions like "prepare_creds" and "commit_creds", to alter system behaviors. Uniquely, the rootkit uses the rmdir() system call for privilege escalation. PUMAKIT ensures the LKM rootkit is activated only after specific security checks and kernel symbol verification are complete. The researchers have not yet attributed the malware to any known threat actor.
@www.aquasec.com - 76d
A significant security flaw has been identified in the Prometheus monitoring system, potentially exposing over 300,000 servers and exporters to various cyberattacks. These vulnerabilities, stemming from a lack of proper authentication, enable malicious actors to access sensitive information such as credentials, passwords, and API keys. This lapse in security poses a severe threat, putting organizations that depend on Prometheus for monitoring at risk of data breaches and unauthorized access to their systems.
Attackers can exploit the exposed "/debug/pprof" endpoint, designed for performance profiling, to launch Denial-of-Service (DoS) attacks, causing system instability or complete outages. Furthermore, the "/metrics" endpoint can reveal internal API endpoints, subdomains, and Docker registry details, enabling reconnaissance and further network compromise. Researchers have also found eight Prometheus exporters vulnerable to 'repojacking,' where attackers can introduce malicious code by leveraging the names of deleted or renamed GitHub repositories, potentially leading to remote code execution. Organizations are strongly urged to implement authentication, restrict public access, monitor vulnerable endpoints, and apply repojacking mitigations to reduce these threats.
Pierluigi Paganini@Security Affairs - 2d
The GitVenom campaign, a sophisticated cyber threat, has been uncovered, exploiting GitHub repositories to spread malicious code and steal cryptocurrency. This campaign involves creating hundreds of repositories that appear legitimate but contain malicious code designed to infect users’ systems. The attackers craft these fake projects in multiple programming languages, including Python, JavaScript, C, C++, and C#, to lure unsuspecting developers. These projects often promise functionalities like automation tools but instead deploy malicious payloads that download additional components from attacker-controlled repositories.
The malicious components include a Node.js stealer that collects sensitive information like credentials and cryptocurrency wallet data, uploading it to the attackers. According to the Securelist report, a clipboard hijacker is also used to replace cryptocurrency wallet addresses, leading to significant financial theft. Kaspersky Labs discovered the GitVenom cybercrime campaign targeting GitHub users to steal cryptocurrency and credentials, with one attacker-controlled Bitcoin wallet receiving about 5 BTC (approximately $485,000) in November 2024.
Pierluigi Paganini@securityaffairs.com - 45d
A sophisticated credit card skimmer malware campaign is targeting WordPress e-commerce websites, placing user payment information at risk. The malware operates by injecting malicious JavaScript code directly into the database tables of the content management system. This stealthy method allows the skimmer to evade traditional security detection systems, making it difficult to spot and remove. Once activated on the checkout page, the malware either hijacks existing payment fields or injects a fake payment form, closely mimicking legitimate payment processors. This form is designed to capture and record sensitive information such as credit card numbers, expiration dates, CVV numbers, and billing addresses.
The stolen data is then encoded using Base64 and encrypted with AES-CBC to make it appear harmless and harder to analyze. This encrypted data is subsequently sent to an attacker-controlled server using the navigator.sendBeacon function to avoid detection by the website user. The collected data, including payment card details and potentially other personal information, is then used for fraudulent transactions or sold on underground markets. Website owners are advised to examine custom HTML widgets, apply the latest security updates and patches, implement two-factor authentication, regularly review admin accounts, implement file integrity monitoring and use a website firewall for protection.
TIGR Threat Watch@Security Risk Advisors - 49d
Multiple vulnerabilities have been discovered in Palo Alto Networks' Expedition migration tool, posing significant security risks. These flaws could allow attackers to gain unauthorized access to sensitive data such as usernames, cleartext passwords, device configurations, and API keys associated with firewalls running PAN-OS software. An OS command injection vulnerability, identified as CVE-2025-0107, allows authenticated attackers to execute arbitrary OS commands, potentially leading to data breaches and system compromise. Other vulnerabilities include SQL injection (CVE-2025-0103), reflected cross-site scripting (CVE-2025-0104), arbitrary file deletion (CVE-2025-0105) and a wildcard expansion enumeration (CVE-2025-0106).
The Expedition tool, intended for firewall migration and optimization, reached its End of Life (EoL) on December 31, 2024, and is no longer supported or updated. Organizations are strongly advised to transition away from using Expedition and to explore alternative migration tools. While Palo Alto Networks has released patches in versions 1.2.100 and 1.2.101, no further updates are planned for the tool. Until users can migrate, it is recommended to restrict network access to Expedition to only authorized users, hosts, and networks, or to shut down the service if it's not in use.
@www.justice.gov - 26d
U.S. and Dutch law enforcement agencies have jointly dismantled a network of 39 domains and associated servers used in Business Email Compromise (BEC) fraud operations. The operation, codenamed "Operation Heart Blocker," took place on January 29th and targeted the infrastructure of a group known as "The Manipulaters," which also went by the name Saim Raza. This group operated online marketplaces originating from Pakistan, selling phishing toolkits, scam pages, email extractors, and fraud-enabling tools. The services marketed were utilized by transnational organized crime groups in the US who used these tools to target various victims with BEC schemes. These attacks tricked victim companies into making fraudulent payments which are estimated to have caused over $3 million in losses.
The seized domains and servers contained millions of records, including at least 100,000 pertaining to Dutch citizens. "The Manipulaters" marketed their services under various brands, including Heartsender, Fudpage, and Fudtools, which specialized in spam and malware dissemination. The U.S. Department of Justice stated that Saim Raza-run websites not only sold the tools, but also provided training to end users through instructional videos on how to execute schemes using the malicious programs, making them accessible to those without technical expertise. The service was estimated to have thousands of customers. The tools were used to acquire victim user credentials, which were then utilized to further the fraudulent schemes. Users can check to see if they were impacted by credential theft via a Dutch Police website.
@Gadgets 360 - 55d
The T3 Financial Crime Unit, a collaborative effort between TRON, Tether, and TRM Labs, has successfully frozen over $100 million in USDT linked to illicit activities. Formed in September 2024, the unit has been actively working with global law enforcement agencies to disrupt organized crime networks that exploit blockchain technology. The initiative focuses on analyzing on-chain activity, identifying suspicious patterns, and intercepting illegal transfers associated with a wide range of offenses, including money laundering, investment scams, and terrorism financing. The T3 unit’s efforts highlight the ongoing battle to combat the misuse of cryptocurrencies for unlawful purposes.
The T3 Financial Crime Unit has monitored more than $3 billion in USDT transactions and relies on advanced blockchain forensics and technology to track illicit flows. The frozen funds have been traced to operations such as "money laundering as a service" and include connections to North Korean actors. Justin Sun, founder of TRON, emphasized that this milestone sends a clear message to criminals, making them think twice before using TRON for unlawful operations. Paolo Ardoino, CEO of Tether, highlighted the success of private-public coordination, aiming to strengthen security standards across jurisdictions as the unit expands its operations in the future.
do son@securityonline.info - 71d
The Chinese hacking group Winnti is using a new PHP backdoor called 'Glutton' in attacks targeting organizations in China and the United States. This sophisticated malware is also being used to target other cybercriminals, marking a notable shift in Winnti's tactics. Glutton is a modular backdoor that injects code into popular PHP frameworks and systems. Once installed, it allows attackers to exfiltrate data, install backdoors, and inject malicious code, all while leaving no file traces, allowing the malware to operate undetected. The group's activities with this new backdoor have been ongoing for over a year, with evidence of its deployment dating back to December 2023.
Cybersecurity experts believe Winnti is targeting not only traditional organizations, such as those in the IT sector, social security and web development, but also the cybercrime market itself. Glutton has been found embedded in various software packages within online criminal forums, allowing its operators to compromise the systems of other malicious actors and steal their sensitive information. Despite its sophistication, Glutton has some weaknesses that are atypical for Winnti, such as plaintext samples and simplistic communication protocols, indicating it may still be in early development.
@ciso2ciso.com - 27d
A series of cyber incidents has been reported, highlighting the evolving nature of online threats. A concerning trend involves a sophisticated phishing campaign targeting users in Poland and Germany, using PureCrypter malware to deliver multiple payloads, including Agent Tesla and Snake Keylogger, as well as a novel backdoor called TorNet. This TorNet backdoor employs advanced detection-evasion tactics, requiring immediate and proactive defense measures. The campaign, which has been active since at least mid-summer 2024, points to financially motivated threat actors behind the attacks. Security tools with threat intelligence are available to assist in detecting and preventing such intrusions.
Several further incidents have also been reported, including over 10,000 WordPress websites unknowingly delivering macOS and Windows malware through fake Google browser update pages. This cross-platform malware attack is notable because it delivers AMOS to Apple users and SocGholish to Windows users, and it is the first time these variants have been delivered through a client-side attack. Moreover, an OAuth redirect flaw in an airline travel integration system has exposed millions of users to account hijacking. By manipulating parameters within the login process, attackers can redirect authentication responses, gain unauthorized access to user accounts, and perform actions like booking hotels and car rentals. These incidents underscore the importance of constant vigilance and robust security measures across all platforms.
@tomshardware.com - 60d
A Russian-linked 'dark fleet' ship, the Eagle S, initially suspected of severing undersea cables between Finland and Estonia on Christmas Day, has been found to be equipped with advanced spying technology. This revelation suggests a dual-purpose operation, combining physical infrastructure damage with signals intelligence gathering. The ship, part of a fleet known for circumventing sanctions, was boarded in the Baltic Sea by Finnish authorities, who discovered equipment for intercepting and recording signals intelligence, including monitoring NATO naval and aircraft frequencies.
The spying equipment, described as abnormal for a merchant vessel, was reportedly so power-hungry it caused repeated blackouts on board. Sources indicate the gear was operated by a mix of Russian, Turkish, and Indian personnel. This discovery, coupled with the suspected cable cutting, raises serious concerns about the security of critical infrastructure and the potential for hostile intelligence activities. NATO chief Mark Rutte has assured Finland and Estonia of added military support following these incidents.
Pierluigi Paganini@securityaffairs.com - 31d
Multiple vulnerabilities have been discovered in Git and its related tools, posing a risk to user credentials. These flaws stem from the improper handling of message delimiters within the Git Credential Protocol, impacting tools such as GitHub Desktop, Git Credential Manager, Git LFS, GitHub CLI, and GitHub Codespaces. This improper handling allows malicious actors to craft URLs with injected carriage return or newline characters, leading to credential leaks. Specifically, vulnerabilities like CVE-2025-23040 in GitHub Desktop allowed for 'carriage return smuggling' through crafted submodule URLs.
These vulnerabilities arise from differences between Git's strict protocol handling and the implementations in related projects. Git Credential Manager is vulnerable because its use of the StreamReader class misinterprets line endings, while Git LFS is vulnerable because it does not check for embedded control characters, allowing the injection of carriage return line feeds via crafted HTTP URLs. A new configuration setting, `credential.protectProtocol`, has been introduced to help mitigate these vulnerabilities as a defense-in-depth measure.
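The delimiter problem in the credential-helper protocol, as an added example that is not code from Git, Git Credential Manager, Git LFS or the other tools named above: a strict writer and reader in Python that refuse any value carrying a carriage return, newline or NUL, checking both the raw and the percent-decoded form. The `is_safe_remote_url` helper and the sample URLs are assumptions made for the demonstration.

```python
import re
from typing import Dict
from urllib.parse import unquote, urlsplit

# Added example; not code from Git or any of the affected tools. The
# credential-helper protocol is a sequence of LF-terminated "key=value"
# lines ended by a blank line, so a CR, LF or NUL inside a value would be
# read by the helper as the start of another line (e.g. a second "host=").
CONTROL_CHARS = re.compile(r"[\r\n\x00]")


class CredentialProtocolError(ValueError):
    """Raised when a value cannot be represented safely on the wire."""


def _checked(key: str, value: str) -> str:
    # Check the raw and the percent-decoded form: a helper that URL-decodes
    # "%0D%0A" only after validating would otherwise be fooled.
    if CONTROL_CHARS.search(value) or CONTROL_CHARS.search(unquote(value)):
        raise CredentialProtocolError(f"{key}: embedded control character")
    return value


def build_credential_request(url: str) -> str:
    """Serialise a remote URL into a credential-helper request.

    The raw URL is validated before urlsplit(): recent Python versions
    silently drop CR, LF and TAB inside urlsplit(), so a check made only on
    the parsed components could pass a smuggled line break.
    """
    _checked("url", url)
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        raise CredentialProtocolError("URL needs a scheme and a host")
    host = parts.netloc.rsplit("@", 1)[-1]          # host[:port], no userinfo
    fields = [("protocol", parts.scheme), ("host", host)]
    if parts.path.strip("/"):
        fields.append(("path", parts.path.lstrip("/")))
    if parts.username:
        fields.append(("username", parts.username))
    return "".join(f"{k}={_checked(k, v)}\n" for k, v in fields) + "\n"


def parse_credential_request(blob: str) -> Dict[str, str]:
    """Strict reader: only LF terminates a line; a bare CR is an error."""
    fields: Dict[str, str] = {}
    for line in blob.split("\n"):
        if line == "":
            break                                   # blank line ends the request
        if "\r" in line:
            raise CredentialProtocolError("bare CR inside a protocol line")
        key, sep, value = line.partition("=")
        if not sep or not key:
            raise CredentialProtocolError(f"malformed line: {line!r}")
        if key in fields:
            raise CredentialProtocolError(f"duplicate key: {key}")
        fields[key] = value
    return fields


def is_safe_remote_url(url: str) -> bool:
    """True if the URL can reach a credential helper without line smuggling."""
    try:
        build_credential_request(url)
    except CredentialProtocolError:
        return False
    return True
```

The same check belongs in any tool that forwards submodule or LFS URLs to a helper: validate the raw string first, then the decoded components, and treat a bare CR as an error rather than as whitespace.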
do son@Cybersecurity News - 85d
A new SmokeLoader malware campaign is targeting Taiwanese companies across various sectors, including manufacturing, healthcare, and IT. Unlike previous campaigns where SmokeLoader acted as a downloader for other malware, this campaign directly executes the attack by downloading and executing malicious plugins from its command-and-control (C2) server. This significantly enhances its capabilities and evasiveness. The attackers employed social engineering, using personalized emails with generic content to trick recipients into opening malicious attachments. These attachments exploited vulnerabilities in Microsoft Office (CVE-2017-0199 and CVE-2017-11882) to install AndeLoader, which then deployed SmokeLoader.
The SmokeLoader malware's modular design allows it to download and execute various plugins directly from its C2 server. These plugins steal sensitive data such as login credentials, cookies, and email content from various applications including browsers, email clients, and FTP clients. The malware also utilizes keylogging and clipboard monitoring to further compromise victims. The campaign's success hinges on exploiting known vulnerabilities in Microsoft Office and leveraging social engineering tactics to bypass security measures. The use of nearly identical phishing emails sent to multiple recipients, with only the recipient's name personalized, highlights the attackers' efficiency and scale.
Analyst-TC@OODAloop - 70d
DroidBot, a novel Android RAT, targets 77 banks, cryptocurrency exchanges, and national organizations. It combines VNC and overlay attacks with keylogging and UI monitoring. Campaigns have been detected in Europe and are potentially spreading to Latin America, highlighting the threat of advanced Android malware targeting financial institutions. DroidBot’s sophistication and wide reach make it a significant concern.
do son@Cybersecurity News - 47d
FunkSec, a new ransomware group, has quickly risen to prominence since late 2024, claiming over 85 victims in its first month, more than any other group during the same period. This four-member team operates as a ransomware-as-a-service (RaaS), but has no established connections to other ransomware networks. FunkSec uses a blend of financial and ideological motivations, targeting governments and corporations in the USA, India and Israel while also aligning with some hacktivist causes, creating a complex operational profile. The group employs double extortion tactics, breaching databases and selling access to compromised websites.
A key aspect of FunkSec's operations is their use of AI to enhance their tools, such as developing malware, creating phishing templates, and even a chatbot for malicious activities. The group developed a proprietary AI tool called WormGPT for desktop use. Their ransomware is advanced, using multiple encryption methods, and is able to disable protection mechanisms while gaining administrator privileges. They claim that AI contributes to only about 20% of their operations; although their technical capabilities sometimes reveal inexperience, the rapid iteration of their tools suggests that AI assistance lowers the barrier for new actors in cybercrime.
@securityonline.info - 31d
Two Ransomware-as-a-Service (RaaS) operations, HellCat and Morpheus, are exhibiting striking similarities in their attack methods, according to a recent analysis by SentinelOne. Both groups have been found to be using nearly identical payloads to encrypt victims’ data, utilizing the Windows Cryptographic Application Programming Interface (CAPI). Furthermore, both direct victims to access .onion portals via the Tor browser and provide credentials to receive ransom instructions. This overlap in tools and techniques suggests a potential collaboration between HellCat and Morpheus or, perhaps, a shared origin.
The shared code base indicates that affiliates across both groups are compiling payloads that contain almost identical code. Despite differences in victim-specific details, the core functionality of the ransomware is the same: it encrypts file contents, leaving extensions and metadata intact, and delivers a ransom note instructing victims to connect via a Tor browser. While no direct link has been found between the HellCat and Morpheus operators, the identical code suggests the possibility of a common builder application used by affiliates. With ransom demands as high as 32 Bitcoin, approximately $3 million, it is vital that businesses and organizations have a strong threat detection system to mitigate these growing threats.
@www.bleepingcomputer.com - 6d
Critical security vulnerabilities have been patched in Juniper Networks Session Smart Routers and several Atlassian products. A critical authentication bypass vulnerability, identified as CVE-2025-21589, affects Juniper's Session Smart Router, Conductor, and WAN Assurance Managed Routers. Juniper Networks has released a patch to address this flaw, which could allow attackers to bypass authentication and gain control of affected Session Smart Router devices.
Australian software firm Atlassian has also released security patches to address 12 critical and high-severity vulnerabilities across its product suite, including Bamboo, Bitbucket, Confluence, Crowd, and Jira. Among the most severe vulnerabilities fixed is CVE-2024-50379, which has a CVSS score of 9.8 and could lead to remote code execution. Users of these products are strongly advised to apply the available patches as soon as possible to mitigate potential risks.
CISO2CISO Editor 2@ciso2ciso.com - 26d
A new, sophisticated cyber campaign is utilizing GitHub's infrastructure to distribute the Lumma Stealer malware, a notorious data-stealing tool. The campaign is not limited to Lumma Stealer; it also distributes other malicious software including SectopRAT, Vidar, and Cobeacon. Attackers are exploiting the platform's release mechanisms to gain initial access to systems and subsequently deploy these harmful payloads. This tactic has allowed the threat actors to leverage a trusted platform, tricking users into downloading files from malicious URLs and thereby increasing the risk of widespread infections.
Trend Micro researchers have analyzed the tactics, techniques and procedures (TTPs) used in this campaign and found significant similarities with those used by the Stargazer Goblin group, indicating a potential connection between the two. The Lumma Stealer malware is known for extracting credentials, cryptocurrency wallets, system details, and other sensitive files. SOC Prime Platform has released detection content aimed at helping security teams proactively identify and thwart related threats. This includes Sigma rules for Lumma Stealer, SectopRAT, Vidar, and Cobeacon detection, highlighting the ongoing efforts to counter this dangerous threat.
info@thehackernews.com (The Hacker News)@The Hacker News - 40d
A new sophisticated phishing kit, dubbed 'Sneaky 2FA,' is actively targeting Microsoft 365 accounts using an Adversary-in-the-Middle (AitM) technique. This kit, sold as phishing-as-a-service (PhaaS) by the cybercrime group 'Sneaky Log' through a Telegram bot, has been in operation since at least October 2024. The kit's primary method involves sending emails with fake payment receipts containing QR codes. These codes redirect victims to phishing pages that steal both login credentials and two-factor authentication codes, bypassing traditional security measures. The phishing pages are hosted on compromised websites, particularly WordPress sites, and have been observed to use blurred screenshots of legitimate Microsoft interfaces to trick users.
The Sneaky 2FA kit also employs several anti-analysis techniques to avoid detection. It filters traffic, uses Cloudflare Turnstile challenges, and performs checks to detect and resist analysis attempts using web browser developer tools. In an effort to avoid detection, the kit redirects visitors from data centers, cloud providers, bots, proxies, or VPNs to a Wikipedia page. The kit's operators also use a central server to verify subscription licenses, which are sold for $200 a month. Analysis of the kit's source code reveals overlaps with W3LL Panel OV6, another AitM phishing kit exposed in 2023, indicating a potentially larger and interconnected threat landscape targeting Microsoft 365 users.
@securityboulevard.com - 49d
Work-from-home scams are becoming increasingly sophisticated, preying on job seekers with the promise of dream roles. These scams disguise themselves as legitimate opportunities, often using techniques that can cost victims time, money and confidence. Scammers often lure victims with promises of “be your own boss” and “unlimited earnings”, however, the reality is that the scheme requires payment from the victim with no return on investment. Some common work-from-home scams include multi-level marketing schemes that require upfront fees, fraudulent bounced checks, and mandatory training fees.
Additionally, some schemes offer payment in cryptocurrency, often requiring investment in advance, while others use suspicious cold messaging techniques to impersonate legitimate companies. Be cautious of offers that appear too good to be true, such as high hourly rates with no experience needed, and also be wary of any job offer that does not provide full documentation and contracts. The increasing sophistication of work-from-home scams highlights the need for job seekers to be vigilant and to spot the red flags.
toddrweiss@gmail.com (Todd R. Weiss)@Blog (Main) - 50d
The push for compliance as cybersecurity is under scrutiny, as risk management risks becoming a simple checkbox exercise. While compliance with standards is vital, it does not guarantee complete protection against threats. Experts like Chris Hughes, CEO of Aquia, view compliance as a starting point for making cybersecurity a priority. He argues it is a major factor in prompting organizations to invest in security, especially when the impact of cyberattacks on share prices is often minimal. Compliance remains an essential goal in strengthening enterprise cybersecurity.
However, there is growing concern that the emphasis on compliance is shifting power from security professionals to legal departments. This trend is further fueled by the SEC's recent push for disclosure by public companies and by guidelines from CISA. A recent blog post cited by Hughes argues that this compliance-as-security trend means "that the future of security will be defined by lawyers, not security practitioners." Additionally, research has shown that cybersecurity is becoming increasingly intertwined with legal issues. The move towards compliance should not overshadow the sound security practices needed to manage cybersecurity risk.
@www.the420.in - 2d
A large-scale malware campaign has compromised over 35,000 websites by injecting malicious JavaScript. The injected scripts redirect users to Chinese-language gambling platforms, specifically under the "Kaiyun" brand. This attack utilizes obfuscated JavaScript payloads to hijack user browsers, replacing legitimate website content with full-page redirects.
This malicious campaign operates by embedding a one-line `<script>` tag into the source code of affected websites. These scripts then reference domains like zuizhongjs[.]com and other similar URLs. Once loaded, these scripts dynamically inject further payloads, manipulating browser behavior and creating a full-screen overlay that redirects users to unlicensed gambling platforms in Mandarin, targeting users in regions where Mandarin is predominantly spoken. The attackers employ techniques such as string concatenation and Unicode escapes to conceal their activities and evade detection by automated security systems.
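A defensive scan for the injection pattern described above, as an added example that is not code from the reports or from any security vendor: it parses page source for script tags loading from domains outside the site's own allowlist and for inline scripts dense in Unicode escapes and short string concatenations. The allowlist, the thresholds and the sample page are constructed for the demonstration; only the zuizhongjs domain comes from the text.

```python
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional, Set
from urllib.parse import urlsplit

# Added example, not code from the reports summarised above. It looks for
# the two traits those reports describe: a <script src> pointing at a domain
# outside the site's allowlist (flagged harder when it is a known redirect
# host) and inline scripts built from Unicode escapes and concatenated
# string fragments. Thresholds and sample data are constructed.
UNICODE_ESCAPE = re.compile(r"\\u[0-9a-fA-F]{4}")
SHORT_CONCAT = re.compile(r"""['"][^'"]{1,4}['"]\s*\+\s*(?=['"])""")
MIN_ESCAPES = 8          # constructed threshold
MIN_CONCATS = 4          # constructed threshold
KNOWN_REDIRECT_DOMAINS = {"zuizhongjs.com"}   # domain named in the report


class ScriptCollector(HTMLParser):
    """Collects external script sources and inline script bodies."""

    def __init__(self) -> None:
        super().__init__()
        self.external: List[str] = []
        self.inline: List[str] = []
        self._in_script = False
        self._buf: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def script_host(src: str) -> Optional[str]:
    """Host of a script src; None for relative paths served by the site itself."""
    src = src.strip()
    if src.startswith("//"):
        src = "https:" + src                 # protocol-relative URL
    if "://" not in src:
        return None
    return (urlsplit(src).hostname or "").lower() or None


def scan_page_for_injection(html: str, first_party: Set[str],
                            known_bad: Set[str] = KNOWN_REDIRECT_DOMAINS
                            ) -> List[Dict[str, str]]:
    """Return one finding per suspicious external or inline script."""
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    findings: List[Dict[str, str]] = []
    for src in collector.external:
        host = script_host(src)
        if host is None or host in first_party:
            continue
        reason = ("known redirect domain" if host in known_bad
                  else "script loaded from unexpected third-party domain")
        findings.append({"kind": "external", "host": host, "reason": reason})
    for body in collector.inline:
        escapes = len(UNICODE_ESCAPE.findall(body))
        concats = len(SHORT_CONCAT.findall(body))
        if escapes >= MIN_ESCAPES or concats >= MIN_CONCATS:
            findings.append({"kind": "inline", "host": "",
                             "reason": f"obfuscated inline script: {escapes} unicode "
                                       f"escapes, {concats} short string concatenations"})
    return findings


# Constructed sample page: one first-party script, one script from the
# reported domain, and an inline blob in the obfuscation style described.
SAMPLE_PAGE = r"""<html><head><title>Shop</title>
<script src="/assets/app.js"></script>
<script src="https://zuizhongjs.com/js.js"></script>
<script>var _0x=['\u0077\u0069\u006e\u0064\u006f\u0077','\u006c\u006f\u0063\u0061\u0074\u0069\u006f\u006e'];
var u='ht'+'tp'+'s:'+'//'+'re'+'dir'+'ect'+'.te'+'st';</script>
</head><body>Hello</body></html>"""

if __name__ == "__main__":
    for finding in scan_page_for_injection(SAMPLE_PAGE, {"shop.example"}):
        print(finding)
```

Run the scanner over stored page source or a crawler's fetches rather than over the live DOM, since the injected tag is added server-side and the later payloads only appear after it executes.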
@www.zeroscience.mk - 60d
Multiple critical vulnerabilities have been disclosed this week affecting various industrial control systems (ICS) products. Hitachi has issued an advisory regarding 29 vulnerabilities discovered in its Disk Array Systems. Palo Alto Networks is addressing an improper check vulnerability in several of its products which could cause a denial of service. Philips has also announced a critical vulnerability concerning an Apache Struts unrestricted file upload issue which could potentially lead to remote code execution.
Additionally, independent security researchers have uncovered several flaws in products by ABB and HMS. Zero Science reported multiple vulnerabilities with publicly available exploits in the ABB Cylon Aspect building energy management product. CyberDanube disclosed a code injection vulnerability, again with a publicly available exploit, in the HMS Ewon Flexy 205. These disclosures highlight the ongoing security challenges in the ICS sector, with vulnerabilities being found across different vendors and product lines.
@www.whitehouse.gov - 50d
The White House has officially launched the Cyber Trust Mark program, a new initiative aimed at enhancing the cybersecurity of consumer devices. This labeling scheme, similar to the Energy Star label, will inform consumers that household products, such as smart appliances and home security cameras, meet specific government-vetted cybersecurity standards. The program, developed in coordination with the National Institute of Standards and Technology (NIST) and the Federal Communications Commission (FCC), seeks to give consumers more confidence in the security of the connected devices they bring into their homes. The program aims to address growing concerns about cyber vulnerabilities in the Internet of Things (IoT).
The Cyber Trust Mark program has seen the selection of UL Solutions as the lead administrator and a further ten firms as deputy administrators. Major retailers like Amazon and Best Buy have pledged to assist in educating consumers about the label and where to locate it on devices. The mark itself features a shield symbol and will appear in various colors depending on the product design. Officials anticipate that labeled products will be available on store shelves by 2025, thus encouraging manufacturers to prioritize cybersecurity in their product development and empowering consumers to make more informed purchasing choices.