info@thehackernews.com (The@The Hacker News
// 13d
Multiple critical security vulnerabilities, collectively named IngressNightmare, have been discovered in the Ingress NGINX Controller for Kubernetes. These flaws could lead to unauthenticated remote code execution (RCE), potentially exposing over 6,500 clusters to the public internet. The vulnerabilities, identified as CVE-2025-24513, CVE-2025-24514, CVE-2025-1097, CVE-2025-1098, and CVE-2025-1974, have a CVSS score of 9.8. Cloud security firm Wiz discovered these flaws and reported that approximately 43% of cloud environments are susceptible to these vulnerabilities.
Specifically, IngressNightmare affects the admission controller component of the Ingress NGINX Controller, which utilizes NGINX as a reverse proxy and load balancer. Attackers can exploit the unrestricted network accessibility of admission controllers by injecting malicious NGINX configurations, gaining unauthorized access to cluster secrets and potentially leading to a complete cluster takeover. Kubernetes users are urged to update to versions v1.11.5, v1.12.1, or later to mitigate these risks. Recommended read:
References :
Fogerlog@Phishing Tackle
// 9d
A new sophisticated Phishing-as-a-Service (PhaaS) platform, dubbed "Morphing Meerkat," is exploiting DNS MX records to dynamically deliver tailored phishing pages, targeting over 100 brands. This operation enables both technical and non-technical cybercriminals to launch targeted attacks, bypassing security systems through the exploitation of open redirects on adtech servers and compromised WordPress websites. The platform's primary attack vector involves mass spam delivery and dynamic content tailoring, evading traditional security measures.
Researchers have discovered that Morphing Meerkat queries DNS MX records using Cloudflare DoH or Google Public DNS to customize fake login pages based on the victim's email service provider. This technique allows the platform to map these records to corresponding phishing HTML files, featuring over 114 unique brand designs. This personalized phishing experience significantly increases the likelihood of successful credential theft. The phishing kit also uses code obfuscation and anti-analysis measures to hinder detection, supporting over a dozen languages to target users globally. Recommended read:
References :
jane.mccallion@futurenet.com (Jane@itpro.com
// 12d
Infosec veteran Troy Hunt, the creator of HaveIBeenPwned, has been compromised in a Mailchimp phishing attack. The incident resulted in the theft of data belonging to over 16,000 newsletter subscribers. Hunt, who is usually known for helping people check if their credentials have been compromised, unfortunately became a victim himself. The attack highlights how even security experts can fall prey to sophisticated phishing schemes, and Hunt has blogged about the incident, providing details of the phishing email.
The attackers employed a well-crafted phishing email, designed to create a sense of urgency. The email informed Hunt that he was unable to send updates to his subscribers until he reviewed his account due to a spam complaint. Hunt entered his credentials and one-time passcode, but quickly realized his error. Although he changed his password, the attackers managed to export the mailing list in under two minutes. The stolen data included records of both active and former email subscribers. Recommended read:
References :
Bill Mann@CyberInsider
// 3d
CISA, along with the NSA, FBI, and international cybersecurity partners, has issued a joint advisory regarding the increasing use of the "fast flux" technique by cybercriminals and nation-state actors. This DNS evasion method allows attackers to rapidly change the DNS records associated with their malicious servers, making it difficult to track and block their activities. This tactic is used to obfuscate the location of malicious servers, enabling them to create resilient and highly available command and control infrastructures while concealing malicious operations.
Fast flux, characterized by quickly changing IP addresses linked to a single domain, exploits weaknesses in network defenses. The advisory, titled 'Fast Flux: A National Security Threat,' urges organizations, internet service providers (ISPs), and security firms to strengthen their defenses against these attacks. Service providers, especially Protective DNS providers (PDNS), are urged to track, share information, and block fast flux activity to safeguard critical infrastructure and national security. Recommended read:
References :
Pierluigi Paganini@Security Affairs
// 11d
Broadcom has issued security updates to address a high-severity authentication bypass vulnerability affecting VMware Tools for Windows. Tracked as CVE-2025-22230, the flaw stems from improper access control, potentially allowing a malicious actor with non-administrative privileges on a guest virtual machine to perform high-privilege operations. Discovered by Sergey Bliznyuk of Positive Technologies, the vulnerability impacts VMware Tools versions 11.x.x and 12.x.x.
Security experts are urging users to apply the updates promptly, as there are currently no known workarounds besides patching. The vulnerability has been assigned a CVSS score of 7.8 out of 10, highlighting its severity. It exclusively affects VMware Tools running on Windows operating systems, emphasizing the importance of immediate action for affected users. Recommended read:
References :
Waqas@hackread.com
// 4d
Royal Mail is currently investigating a data breach after a threat actor leaked over 144GB of data allegedly stolen from its systems. The breach is believed to have originated from a compromise at Spectos GmbH, a third-party data collection and analytics service provider for Royal Mail. The leaked data includes sensitive information such as customer personally identifiable information (PII), internal communications including Zoom meeting recordings, operational data like delivery routes, and marketing infrastructure data including Mailchimp mailing lists.
The investigation is ongoing to determine the full extent of the breach and its potential impact. Royal Mail has stated that there is currently no impact on operations. The incident serves as a stark reminder of the vulnerabilities inherent in modern supply chains and the critical need for robust vendor management and security protocols. The breach highlights the potential for identity theft, phishing attacks, and reputational damage arising from compromised vendor access. Recommended read:
References :
@itpro.com
// 10d
Advanced Computer Software Group, an NHS software supplier, has been fined £3 million by the Information Commissioner's Office (ICO) for security failures that led to a disruptive ransomware attack in 2022. The ICO determined that Advanced Computer Software Group failed to implement appropriate security measures prior to the attack, which compromised the personal information of tens of thousands of NHS patients. The LockBit ransomware group was identified as the perpetrator, gaining access through a customer account lacking multi-factor authentication (MFA).
Personal information belonging to 79,404 people was taken in the attack, including instructions for carers on how to gain entry into the properties of 890 people who were receiving care at home. The stolen data included checklists for medics on how to get into vulnerable people's homes. The ICO cited gaps in applying MFA policies across the organization, a lack of vulnerability scanning, and inadequate patch management as the primary facilitators of the attack. Recommended read:
References :
Megan Crouse@eWEEK
// 14d
Cloudflare has launched AI Labyrinth, a new tool designed to combat web scraping bots that steal website content for AI training. Instead of simply blocking these crawlers, AI Labyrinth lures them into a maze of AI-generated content. This approach aims to waste the bots' time and resources, providing a more effective defense than traditional blocking methods which can trigger attackers to adapt their tactics. The AI Labyrinth is available as a free, opt-in tool for all Cloudflare customers, even those on the free tier.
The system works by embedding hidden links within a protected website. When suspicious bot behavior is detected, such as ignoring robots.txt rules, the crawler is redirected to a series of AI-generated pages. This content is "real looking" and based on scientific facts, diverting the bot from the original website's content. Because no human would deliberately explore deep into a maze of AI-generated nonsense, anyone who does can be identified as a bot with high confidence. Cloudflare emphasizes that AI Labyrinth also functions as a honeypot, allowing them to identify new bot patterns and improve their overall bot detection capabilities, all while increasing the cost for unauthorized web scraping. Recommended read:
References :
Laura French@scmagazine.com
// 6d
Microsoft's AI tool, Security Copilot, has identified 20 critical vulnerabilities in open-source bootloaders, including GRUB2, U-Boot, and Barebox. These bootloaders are vital for initializing operating systems, especially in Linux environments and embedded systems. The findings highlight the potential for attackers to bypass UEFI Secure Boot, a security standard designed to ensure that only trusted software runs during startup. Security updates addressing these flaws were released in February 2025.
The discovered vulnerabilities, including an exploitable integer overflow, could allow attackers to execute arbitrary code and install persistent malware that may survive OS reinstallation. In the case of GRUB2, attackers could potentially bypass Secure Boot, install stealthy bootkits, and evade enterprise security mechanisms. This could grant threat actors complete control over devices, compromise additional devices on the network, and enable persistent threats. Microsoft used traditional discovery methods, including static code analysis, manual code analysis and fuzzing, with assistance from Microsoft Security Copilot. Recommended read:
References :
@itpro.com
// 9d
Qualys security researchers have uncovered three bypasses in Ubuntu Linux's unprivileged user namespace restrictions, a security feature intended to reduce the attack surface. These bypasses, present in Ubuntu versions 23.10 and 24.04, could enable a local attacker to gain full administrative capabilities. The unprivileged user namespace restrictions were designed to provide security isolation for applications, however, the newly discovered flaws create a weak spot that attackers can exploit.
The bypasses allow a local attacker to create user namespaces with full administrator capabilities. One method involves exploiting the aa-exec tool, while another utilizes Busybox. A third involves LD_PRELOADing a shell into programs with AppArmor profiles. Successful exploitation could allow attackers to bypass security measures, exploit vulnerabilities in kernel components, and potentially gain full system access. Ubuntu was notified of the vulnerabilities on January 15, 2025. Recommended read:
References :
@The DefendOps Diaries
// 3d
A vulnerability in Verizon's Call Filter feature exposed customers' incoming call history, allowing unauthorized access to call logs. Security researcher Evan Connelly discovered the flaw in the Verizon Call Filter iOS app, revealing that it was possible to access the incoming call logs for any Verizon Wireless number through an unsecured API request. The vulnerability was reported to Verizon on February 22, 2025, and acknowledged by the company two days later. The flaw was subsequently fixed by March 25, 2025.
The vulnerability was rooted in the backend API used by the Verizon Call Filter app, which failed to verify that the phone number requested for call history matched the authenticated user’s number. An attacker with a valid JSON Web Token (JWT) could manipulate the request header and retrieve call logs for any Verizon customer. This oversight allowed modification of the phone number being sent, and data could be received back for Verizon numbers not associated with the signed-in user, raising significant privacy and safety concerns for Verizon Wireless customers. Recommended read:
References :
@The DefendOps Diaries
// 4d
A critical vulnerability, identified as CVE-2024-20439, has been discovered in the Cisco Smart Licensing Utility (CSLU), a Windows application used for managing licenses. This flaw exposes a built-in backdoor admin account due to an undocumented static user credential. Unauthenticated attackers are now actively exploiting this vulnerability to gain remote administrative access to unpatched systems through the CSLU app's API. Cisco has urged administrators to immediately apply the necessary patches to prevent unauthorized access and mitigate the risk.
The exploitation of CVE-2024-20439 allows attackers to bypass normal authentication procedures and gain control over the CSLU API. This provides them with the ability to manage services, extract sensitive data, and potentially move laterally within affected networks. The U.S. CISA has added this Cisco Smart Licensing Utility flaw to its Known Exploited Vulnerabilities catalog, highlighting the severity and active exploitation of this vulnerability. The vulnerability was first disclosed by Cisco in September 2024 and has since been actively exploited in the wild, raising significant concerns about network security. Recommended read:
References :
Sergiu Gatlan@BleepingComputer
// 2d
The Ransomware-as-a-Service (RaaS) group Hunters International has reportedly shifted its focus from ransomware to data extortion, rebranding itself as "World Leaks" on January 1, 2025. This change in tactics signals a new era in cybercrime, driven by the declining profitability of ransomware and increased scrutiny from law enforcement and governments worldwide. Group-IB researchers revealed that the group's senior personnel decided ransomware was becoming too "unpromising, low-converting, and extremely risky," leading to the development of an extortion-only operation.
The group is reportedly leveraging custom-built exfiltration tools to automate data theft from victim networks, enhancing their ability to carry out extortion-only attacks. Cybersecurity researchers have also linked Hunters International to the infamous Hive ransomware group. There are suggestions that they acquired Hive’s source code and operational tools. While Hunters International denies being a direct continuation of Hive, evidence suggests that they acquired Hive’s source code and operational tools. The group targets various industries, including healthcare, real estate, and professional services, across North America, Europe, and Asia. Recommended read:
References :
@upguard.com
// 6d
API security testing firm APIsec exposed an internal database to the internet without a password, potentially compromising customer data. The database contained customer info and other data generated while monitoring customer APIs for security weaknesses, according to researchers at UpGuard, who discovered the exposed database on March 5th, 2025. UpGuard notified APIsec, and the database was secured the same day. APIsec claims to be used by 80% of the Fortune 100.
The exposed Elasticsearch database contained over three terabytes of data, including configuration information for private scanning instances, results of API scans for customers’ endpoints, and personal information for users collected during scanning. This data provided extensive information about the attack surfaces of APIsec's customers. The database contained indices for executing the APIsec test suites against customer APIs and storing the results, with data spanning from 2018 to 2025. The APIsec platform helps companies secure their APIs by running tests for common weaknesses. The exposed data included information about which tests were being performed, allowing attackers to potentially look for issues not being tested. The index "fx-accounts" included usernames and credentials for services like AWS, Slack, and GitHub. The index "fx-clusters" contained configuration data for APIsec scanning instances, some of which contained the same AWS access key as the record in "fx-accounts." Recommended read:
References :
jane.mccallion@futurenet.com (Jane@itpro.com
// 3d
References:
Platformer
, The Register - Software
,
The Wikimedia Foundation, which oversees Wikipedia, is facing a surge in bandwidth usage due to AI bots scraping the site for data to train AI models. Representatives from the Wikimedia Foundation have stated that since January 2024, the bandwidth used for downloading multimedia content has increased by 50%. This increase is not attributed to human readers, but rather to automated programs that are scraping the Wikimedia Commons image catalog of openly licensed images.
This unprecedented level of bot traffic is straining Wikipedia's infrastructure and increasing costs. The Wikimedia Foundation has found that at least 65% of the resource-consuming traffic to the website is coming from bots, even though bots only account for about 35% of overall page views. This is because bots often gather data from less popular articles, which requires fetching content from the core data center, consuming more computing resources. In response, Wikipedia’s site managers have begun imposing rate limits or banning offending AI crawlers. Recommended read:
References :
Mandvi@Cyber Security News
// 15d
The FishMonger APT, a Chinese cyber-espionage group with ties to the cybersecurity contractor I-SOON, has been implicated in a global espionage operation known as Operation FishMedley. This campaign, active in 2022, targeted a diverse range of entities, including governments, non-governmental organizations (NGOs), and think tanks across Asia, Europe, and the United States. These findings come as the US Department of Justice unsealed an indictment against I-SOON employees for their alleged involvement in espionage campaigns spanning from 2016 to 2023.
The attacks involved sophisticated malware implants such as ShadowPad, Spyder, and SodaMaster, tools frequently associated with China-aligned threat actors. These implants facilitated data theft, surveillance, and network penetration. One case revealed attackers used the Impacket tool to escalate privileges, execute commands, and extract sensitive authentication data from a US-based NGO. ESET's independent research confirms FishMonger is an espionage team operated by I-SOON, highlighting the ongoing threat posed by China-aligned APT groups to sensitive sectors worldwide. Recommended read:
References :
Nazy Fouladirad@AI Accelerator Institute
// 4d
References:
hiddenlayer.com
, AI Accelerator Institute
,
As generative AI adoption rapidly increases, securing investments in these technologies has become a paramount concern for organizations. Companies are beginning to understand the critical need to validate and secure the underlying large language models (LLMs) that power their Gen AI products. Failing to address these security vulnerabilities can expose systems to exploitation by malicious actors, emphasizing the importance of proactive security measures.
Microsoft is addressing these concerns through innovations in Microsoft Purview, which offers a comprehensive set of solutions aimed at helping customers seamlessly secure and confidently activate data in the AI era. Complementing these efforts, Fiddler AI is focusing on building trust into AI systems through its AI Observability platform. This platform emphasizes explainability and transparency. They are helping enterprise AI teams deliver responsible AI applications, and also ensure people interacting with AI receive fair, safe, and trustworthy responses. This involves continuous monitoring, robust security measures, and strong governance practices to establish long-term responsible AI strategies across all products. The emergence of agentic AI, which can plan, reason, and take autonomous action to achieve complex goals, further underscores the need for enhanced security measures. Agentic AI systems extend the capabilities of LLMs by adding memory, tool access, and task management, allowing them to operate more like intelligent agents than simple chatbots. Organizations must ensure security and oversight are essential to safe deployment. Gartner research indicates a significant portion of organizations plan to pursue agentic AI initiatives, making it crucial to address potential security risks associated with these systems. Recommended read:
References :
|