CyberSecurity news

FlagThis

The Hacker News (info@thehackernews.com) // 13d
Multiple critical security vulnerabilities, collectively named IngressNightmare, have been discovered in the Ingress NGINX Controller for Kubernetes. The flaws can lead to unauthenticated remote code execution (RCE), and over 6,500 vulnerable clusters are reportedly exposed to the public internet. The vulnerabilities, identified as CVE-2025-24513, CVE-2025-24514, CVE-2025-1097, CVE-2025-1098, and CVE-2025-1974, have a CVSS score of 9.8. Cloud security firm Wiz discovered the flaws and reports that approximately 43% of cloud environments are susceptible to them.

Specifically, IngressNightmare affects the admission controller component of the Ingress NGINX Controller, which uses NGINX as a reverse proxy and load balancer. Because the admission controller is reachable over the network without restriction, an attacker who can reach it can inject a malicious NGINX configuration, gain unauthorized access to cluster secrets and potentially take over the entire cluster. Kubernetes users are urged to update to versions v1.11.5, v1.12.1, or later to mitigate these risks.

References:
  • Open Source Security: Multiple vulnerabilities in ingress-nginx
  • The Hacker News: Critical Ingress NGINX Controller Vulnerability Allows RCE Without Authentication
  • Wiz Blog | RSS feed: IngressNightmare: 9.8 Critical Unauthenticated Remote Code Execution Vulnerabilities in Ingress NGINX
  • The Register - Software: Public-facing Kubernetes clusters at risk of takeover thanks to Ingress-Nginx flaw
  • Open Source Security: [kubernetes] Multiple vulnerabilities in ingress-nginx
  • ciso2ciso.com: Public-facing Kubernetes clusters at risk of takeover thanks to Ingress-Nginx flaw – Source: go.theregister.com
  • securityonline.info: CVE-2025-1974 (CVSS 9.8): Ingress NGINX Flaws Threaten Mass Kubernetes Compromise
  • dragosr: "CVE-2025-1974 means that anything on the Pod network has a good chance of taking over your Kubernetes cluster, with no credentials or administrative access required." ingress-nginx is deployed in 40% of k8s clusters.
  • research.kudelskisecurity.com: Critical Unauthenticated Remote Code Execution Vulnerabilities in Ingress NGINX
  • securityboulevard.com: Security Boulevard answers FAQs about IngressNightmare.
  • Wiz Security finds four critical RCE vulnerabilities in the Ingress NGINX Controller for Kubernetes
  • Resources-2: IngressNightmare: Ingress NGINX Remote Code Execution Vulnerability Explained
  • www.csoonline.com: Critical RCE flaws put Kubernetes clusters at risk of takeover
  • www.cybersecuritydive.com: Critical vulnerabilities put Kubernetes environments in jeopardy
  • Arctic Wolf: CVE-2025-1974: Critical Unauthenticated RCE Vulnerability in Ingress NGINX for Kubernetes
  • Tenable Blog: CVE-2025-1097, CVE-2025-1098, CVE-2025-1974, CVE-2025-24513, CVE-2025-24514: Frequently Asked Questions About IngressNightmare
  • open-appsec: On March 24, 2025, WIZ Research disclosed critical vulnerabilities in the Kubernetes Ingress NGINX Controller that allow unsanitized user...
  • Threats | CyberScoop: String of defects in popular Kubernetes component puts 40% of cloud environments at risk
  • Blog: Ingress NGINX Kubernetes Controller vulnerabilities a ‘nightmare’ for impacted users
  • circl: A security issue was discovered in Kubernetes where under certain conditions, an unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller. CVE-2025-1974 but also CVE-2025-1097 CVE-2025-1098 CVE-2025-24513 CVE-2025-24514 🔗 For more details about Ingress NGINX Controller for Kubernetes release
  • Sysdig: Detecting and Mitigating IngressNightmare – CVE-2025-1974
  • thecyberexpress.com: Multiple CVEs Found in Ingress-NGINX—Patch Now to Prevent Cluster Compromise
  • Datadog Security Labs: The "IngressNightmare" vulnerabilities in the Kubernetes Ingress NGINX Controller: Overview, detection, and remediation
  • Information Security Buzz: Five critical security vulnerabilities have been found in the Ingress NGINX Controller for Kubernetes, potentially enabling unauthenticated remote code execution. This exposure puts over 6,500 clusters at immediate risk by making the component accessible via the public internet.
  • MSSP feed for Latest: Researchers aren’t aware of active exploitation in the wild, but they warn the risk for publicly exposed and unpatched Ingress Nginx controllers is extremely high.
  • Latest Bulletins: Addresses issues with Kubernetes ingress-nginx controller
  • nsfocusglobal.com: Kubernetes Ingress-nginx Remote Code Execution Vulnerability (CVE-2025-1974)
  • Dynatrace news: NGINX vulnerability: Quickly detect and mitigate IngressNightmare vulnerabilities with Dynatrace
  • securityonline.info: ingress-nginx maintainers released fixes for multiple vulnerabilities that could allow threat actors to take over Kubernetes clusters.
  • Delinea Blog: Discusses vulnerabilities enabling access to Kubernetes clusters’ secrets.
  • Kali Linux Tutorials: Details on IngressNightmare Vulnerabilities

Fogerlog@Phishing Tackle // 9d
References: The Hacker News, Cyber Security News ...
A new sophisticated Phishing-as-a-Service (PhaaS) platform, dubbed "Morphing Meerkat," is exploiting DNS MX records to dynamically deliver tailored phishing pages, targeting over 100 brands. This operation enables both technical and non-technical cybercriminals to launch targeted attacks, bypassing security systems through the exploitation of open redirects on adtech servers and compromised WordPress websites. The platform's primary attack vector involves mass spam delivery and dynamic content tailoring, evading traditional security measures.

Researchers have discovered that Morphing Meerkat queries DNS MX records using Cloudflare DoH or Google Public DNS to customize fake login pages based on the victim's email service provider. This technique allows the platform to map these records to corresponding phishing HTML files, featuring over 114 unique brand designs. This personalized phishing experience significantly increases the likelihood of successful credential theft. The phishing kit also uses code obfuscation and anti-analysis measures to hinder detection, supporting over a dozen languages to target users globally.

References:
  • The Hacker News: Cybersecurity researchers have shed light on a new phishing-as-a-service (PhaaS) platform that leverages the Domain Name System (DNS) mail exchange (MX) records to serve fake login pages that impersonate about 114 brands.
  • Morphing Meerkat PhaaS Platform Spoofs 100+ Brands
  • www.scworld.com: More than 100 brands' login pages have been spoofed by the newly emergent Morphing Meerkat phishing-as-a-service platform through the exploitation of Domain Name System mail exchange records, The Hacker News reports.
  • Cyber Security News: Hackers Use DNS MX Records to Generate Fake Login Pages for Over 100+ Brands
  • The DefendOps Diaries: Morphing Meerkat: A Sophisticated Phishing-as-a-Service Threat
  • www.techradar.com: This new phishing campaign can tailor its messages to target you with your favorite businesses
  • Christoffer S.: Morphing Meerkat: Advanced Phishing-as-a-Service Platform Using DNS MX Records for Tailored Attacks
  • hackread.com: Details advanced phishing operation exploiting DNS vulnerabilities.
  • Infoblox Blog: Threat actors are increasingly adept at leveraging DNS to enhance the effectiveness of their cyber campaigns. We recently discovered a DNS technique used to tailor content to victims.
  • www.scworld.com: 'Morphing Meerkat' spoofs 114 brands via DNS mail exchange records
  • Cyber Security News: A sophisticated phishing operation has emerged that creatively leverages DNS mail exchange (MX) records to dynamically serve fake login pages tailored to victims' email providers.
  • gbhackers.com: The platform, which has been operational since at least January 2020, employs a range of advanced techniques to evade detection and target users globally.
  • securityaffairs.com: A PhaaS platform, dubbed 'Morphing Meerkat,' uses DNS MX records to spoof over 100 brands and steal credentials, according to Infoblox Threat Intel
  • Blog: Cybersecurity researchers are tracking a new phishing-as-a-service (PhaaS) platform, called Morphing Meerkat, that employs DNS over HTTPS (DoH) to avoid detection.
  • Phishing kits going to great lengths to personalise attacks
  • Malwarebytes: Infoblox researchers discovered a new phishing-as-a-service (PhaaS) platform, called Morphing Meerkat, that generates multiple phishing kits and spoofs login pages of over 100 brands using DNS mail exchange (MX) records.
  • securityaffairs.com: Morphing Meerkat phishing kits exploit DNS MX records
  • www.bleepingcomputer.com: A new phishing-as-a-service (PhaaS) operation that researchers call Morphing Meerkat, has been using the DNS over HTTPS (DoH) protocol to evade detection. [...]
  • bsky.app: A newly discovered phishing-as-a-service (PhaaS) operation that researchers call Morphing Meerkat, has been using the DNS over HTTPS (DoH) protocol to evade detection.
  • Talkback Resources: Morphing Meerkat phishing kits exploit DNS MX records
  • Security Risk Advisors: 🚩Morphing Meerkat’s Phishing-as-a-Service Leverages DNS MX Records for Targeted Attacks
  • Talkback Resources: New Morphing Meerkat PhaaS platform examined
  • Virus Bulletin: An Infoblox report looks into a DNS technique used to tailor content to victims. A phishing kit developed by the Morphing Meerkat actor creatively employs DNS mail exchange (MX) records to dynamically serve fake, tailored login pages, spoofing over 100 brands.
  • Phishing Tackle: Phishing-as-a-Service Exposed: DNS-over-HTTPS Fuels the Morphing Meerkat Attack

Jane (jane.mccallion@futurenet.com)@itpro.com // 12d
Infosec veteran Troy Hunt, the creator of HaveIBeenPwned, has been compromised in a Mailchimp phishing attack. The incident resulted in the theft of data belonging to over 16,000 newsletter subscribers. Hunt, who is usually known for helping people check if their credentials have been compromised, unfortunately became a victim himself. The attack highlights how even security experts can fall prey to sophisticated phishing schemes, and Hunt has blogged about the incident, providing details of the phishing email.

The attackers employed a well-crafted phishing email, designed to create a sense of urgency. The email informed Hunt that he was unable to send updates to his subscribers until he reviewed his account due to a spam complaint. Hunt entered his credentials and one-time passcode, but quickly realized his error. Although he changed his password, the attackers managed to export the mailing list in under two minutes. The stolen data included records of both active and former email subscribers.

References:
  • bsky.app: Have I Been Pwned creator Troy Hunt says the data of over 16,000 newsletter subscribers has been stolen after he fell for a Mailchimp phishing attack
  • cyberinsider.com: Details the phishing attack on Troy Hunt's Mailchimp account, exposing subscriber data.
  • The Register - Security: Infosec pro Troy Hunt HasBeenPwned in Mailchimp phish
  • DataBreaches.Net: Troy Hunt, owner of HaveIBeenPwned.com, writes: You know when you’re really jet lagged and really tired and the cogs in your head are just moving that little bit too slow? That’s me right now, and the penny has just dropped that a Mailchimp phish has grabbed my credentials, logged into my account and exported the...
  • PCMag UK security: Creator of HaveIBeenPwned Data Breach Site Falls for Phishing Email.
  • Information Security Buzz: Troy Hunt, a security consultant who runs the popular data-breach search service Have I Been Pwned?, has disclosed that he has become a victim of a phishing attack that exposed the email addresses of 16,000 subscribers to his blog troyhunt.com.   “Every active subscriber on my list will shortly [...]
  • www.itpro.com: Have I Been Pwned owner Troy Hunt’s mailing list compromised in phishing attack
  • www.csoonline.com: Even anti-scammers get scammed: security expert Troy Hunt pwned by phishing email
  • www.techradar.com: HaveIBeenPwned owner suffers phishing attack that stole his Mailchimp mailing list
  • haveibeenpwned.com: In March 2025, . The exported list contained 16k email addresses and other data automatically collected by Mailchimp including IP address and a derived latitude, longitude and time zone.
  • Malwarebytes: Security expert Troy Hunt hit by phishing attack
  • heise Security: Have I Been Pwned: project operator Troy Hunt pwned. The operator of Have I Been Pwned has himself fallen victim to a phishing attack. The e-mail addresses on the newsletter mailing list were stolen.
  • bsky.app: Troy Hunt's mailing list got phished. Commiserations to him. If it can happen to Troy, it can probably happen to you.

Bill Mann@CyberInsider // 3d
CISA, along with the NSA, FBI, and international cybersecurity partners, has issued a joint advisory regarding the increasing use of the "fast flux" technique by cybercriminals and nation-state actors. This DNS evasion method allows attackers to rapidly change the DNS records associated with their malicious servers, making it difficult to track and block their activities. This tactic is used to obfuscate the location of malicious servers, enabling them to create resilient and highly available command and control infrastructures while concealing malicious operations.

Fast flux, characterized by quickly changing IP addresses linked to a single domain, exploits weaknesses in network defenses. The advisory, titled 'Fast Flux: A National Security Threat,' urges organizations, internet service providers (ISPs), and security firms to strengthen their defenses against these attacks. Service providers, especially Protective DNS providers (PDNS), are urged to track, share information, and block fast flux activity to safeguard critical infrastructure and national security.
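The advisory describes fast flux as one domain whose IP addresses change rapidly. The following is an added example, not code from the advisory or from any of the agencies, showing a defender-side heuristic run over constructed passive-DNS observations: a domain is flagged when, inside a short window, it resolves to many distinct IPs spread over many autonomous systems with very low TTLs. The ASN enrichment, the thresholds and the sample records are all assumptions chosen for illustration; CDNs also rotate IPs and use low TTLs, which is why ASN diversity is part of the rule.

```python
"""Added example (not from the CISA/NSA/FBI advisory): a fast-flux heuristic over
passive-DNS observations. Thresholds and the ASN enrichment are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    ts: int        # unix seconds at which the DNS answer was observed
    domain: str    # queried name
    ip: str        # A record returned
    ttl: int       # TTL carried by that A record
    asn: int       # autonomous system of the IP (assumed enrichment step)


# Constructed sample: one domain cycling through a new IP and ASN every minute
# with a 60 s TTL, and one CDN-style domain with three stable IPs in one ASN.
SAMPLE = [
    Observation(1000 + 60 * i, "rotating.example", f"203.0.113.{i}", 60, 64500 + i)
    for i in range(12)
] + [
    Observation(1000 + 600 * i, "cdn.example", f"198.51.100.{i % 3}", 3600, 64499)
    for i in range(12)
]


def flux_score(observations, domain, window_s=3600):
    """Return (max distinct IPs, max distinct ASNs, min TTL) over any window_s-wide
    slice of the observations for `domain`, scanning the sorted timeline once."""
    pts = sorted((o for o in observations if o.domain == domain), key=lambda o: o.ts)
    best_ips = best_asns = 0
    min_ttl = min((o.ttl for o in pts), default=0)
    j = 0
    for i in range(len(pts)):
        # Extend the window end so that pts[i:j] all lie within window_s of pts[i];
        # j never moves backwards because pts is sorted by time.
        while j < len(pts) and pts[j].ts - pts[i].ts < window_s:
            j += 1
        in_window = pts[i:j]
        best_ips = max(best_ips, len({o.ip for o in in_window}))
        best_asns = max(best_asns, len({o.asn for o in in_window}))
    return best_ips, best_asns, min_ttl


def is_fast_flux(observations, domain, min_ips=8, min_asns=4, max_ttl=300, window_s=3600):
    """Flag a domain only when IP churn, ASN spread and low TTL all coincide;
    any single signal on its own is also produced by legitimate CDNs."""
    ips, asns, ttl = flux_score(observations, domain, window_s)
    return ips >= min_ips and asns >= min_asns and ttl <= max_ttl


def report(observations):
    """Evaluate every domain seen in the observations."""
    return {d: is_fast_flux(observations, d) for d in sorted({o.domain for o in observations})}


if __name__ == "__main__":
    for domain, flagged in report(SAMPLE).items():
        print(f"{domain}: {'FAST FLUX' if flagged else 'ok'} {flux_score(SAMPLE, domain)}")
```

In production the observations would come from a resolver log or a passive-DNS feed, and the flagged domains would be fed to the protective DNS blocklist the advisory asks PDNS providers to maintain.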

References:
  • CyberInsider: CISA Warns of ‘Fast Flux’ Technique Hackers Use for Evasion
  • The Register - Security: For flux sake: CISA, annexable allies warn of hot DNS threat
  • Industrial Cyber: Advisory warns of fast flux national security threat, urges action to protect critical infrastructure
  • Cyber Security News: Hackers Leveraging Fast Flux Technique to Evade Detection & Hide Malicious Servers
  • BleepingComputer: CISA, the FBI, the NSA, and international cybersecurity agencies are calling on organizations and DNS providers to mitigate the "Fast Flux" cybercrime evasion technique used by state-sponsored threat actors and ransomware gangs.
  • BleepingComputer: CISA issues alert on Fast Flux DNS evasion technique
  • The DefendOps Diaries: Understanding and Combating Fast Flux in Cybersecurity
  • bsky.app: CISA, the FBI, the NSA, and international cybersecurity agencies are calling on organizations and DNS providers to mitigate the "Fast Flux" cybercrime evasion technique used by state-sponsored threat actors and ransomware gangs.
  • www.csoonline.com: Cyber agencies urge organizations to collaborate to stop fast flux DNS attacks
  • hackread.com: NSA and Global Allies Declare Fast Flux a National Security Threat
  • Cyber Agencies Warn of Fast Flux Threat Bypassing Network Defenses
  • www.itpro.com: Cybersecurity agencies have issued a stark message that too little is being done to sniff out malware hiding in corporate networks
  • Infoblox Blog: Disrupting Fast Flux with Predictive Intelligence
  • www.cybersecuritydive.com: Cybersecurity Dive on CISA FBI warn

Pierluigi Paganini@Security Affairs // 11d
Broadcom has issued security updates to address a high-severity authentication bypass vulnerability affecting VMware Tools for Windows. Tracked as CVE-2025-22230, the flaw stems from improper access control, potentially allowing a malicious actor with non-administrative privileges on a guest virtual machine to perform high-privilege operations. Discovered by Sergey Bliznyuk of Positive Technologies, the vulnerability impacts VMware Tools versions 11.x.x and 12.x.x.

Security experts are urging users to apply the updates promptly, as there are currently no known workarounds besides patching. The vulnerability has been assigned a CVSS score of 7.8 out of 10, highlighting its severity. It exclusively affects VMware Tools running on Windows operating systems, emphasizing the importance of immediate action for affected users.

References:
  • securityaffairs.com: Broadcom released security updates to address a high-severity authentication bypass vulnerability, tracked as CVE-2025-22230 (CVSS score 9.8), impacting VMware Tools for Windows.
  • securityonline.info: VMware Tools for Windows Hit by CVE-2025-22230 Auth Bypass Flaw
  • The DefendOps Diaries: Understanding the VMware Tools Authentication Bypass Vulnerability
  • thehackernews.com: New Security Flaws Found in VMware Tools and CrushFTP — High Risk, No Workaround
  • www.csoonline.com: VMware plugs a high-risk vulnerability affecting its Windows-based virtualization
  • BleepingComputer: Broadcom Warns of Authentication Bypass in VMware Windows Tools
  • www.techradar.com: Broadcom warns of worrying security flaws affecting VMware tools
  • Security Risk Advisors: New VMware Tools vulnerability (CVE-2025-22230) allows non-admin Windows guest users to perform privileged operations.
  • Security | TechRepublic: Update VMware Tools for Windows Now: High-Severity Flaw Lets Hackers Bypass Authentication
  • securityaffairs.com: Broadcom addressed a high-severity authentication bypass vulnerability, tracked as CVE-2025-22230 (CVSS score 9.8), impacting VMware Tools for Windows.

Waqas@hackread.com // 4d
References: CyberInsider, hackread.com, bsky.app ...
Royal Mail is currently investigating a data breach after a threat actor leaked over 144GB of data allegedly stolen from its systems. The breach is believed to have originated from a compromise at Spectos GmbH, a third-party data collection and analytics service provider for Royal Mail. The leaked data includes sensitive information such as customer personally identifiable information (PII), internal communications including Zoom meeting recordings, operational data like delivery routes, and marketing infrastructure data including Mailchimp mailing lists.

The investigation is ongoing to determine the full extent of the breach and its potential impact. Royal Mail has stated that there is currently no impact on operations. The incident serves as a stark reminder of the vulnerabilities inherent in modern supply chains and the critical need for robust vendor management and security protocols. The breach highlights the potential for identity theft, phishing attacks, and reputational damage arising from compromised vendor access.

References:
  • CyberInsider: Royal Mail Group Breach Exposes 144GB of Sensitive Customer Data
  • hackread.com: Hacker leaks 144GB of sensitive Royal Mail Group data, including customer info and internal files, claiming access came via supplier Spectos. Investigation underway!
  • The DefendOps Diaries: Explore the Royal Mail data breach and learn vital lessons in supply chain security and vendor management.
  • bsky.app: Royal Mail is investigating claims of a security breach after a threat actor leaked over 144GB of data allegedly stolen from the company's systems.
  • BleepingComputer: Royal Mail investigates data leak claims, no impact on operations
  • www.scworld.com: Massive Royal Mail breach alleged by threat actors
  • The Register - Security: Hacker leaks 144GB of sensitive Royal Mail Group data.
  • www.cysecurity.news: Royal Mail experienced a major security breach in which 144GB of sensitive data was leaked to the public.
  • Royal Mail Investigates Data Breach Affecting Supplier
  • The Register - Security: Customer info allegedly stolen from Royal Mail, Samsung via compromised supplier
  • www.csoonline.com: Royal Mail Investigates Data Leak

@itpro.com // 10d
Advanced Computer Software Group, an NHS software supplier, has been fined £3 million by the Information Commissioner's Office (ICO) for security failures that led to a disruptive ransomware attack in 2022. The ICO determined that Advanced Computer Software Group failed to implement appropriate security measures prior to the attack, which compromised the personal information of tens of thousands of NHS patients. The LockBit ransomware group was identified as the perpetrator, gaining access through a customer account lacking multi-factor authentication (MFA).

Personal information belonging to 79,404 people was taken in the attack, including instructions for carers on how to gain entry into the properties of 890 people who were receiving care at home. The stolen data included checklists for medics on how to get into vulnerable people's homes. The ICO cited gaps in applying MFA policies across the organization, a lack of vulnerability scanning, and inadequate patch management as the primary facilitators of the attack.

References:
  • bsky.app: NHS provider Advanced has been fined £3m by ICO for security failures that led to the hugely disruptive ransomware hack in 2022. One shocking new detail - not only was personal info of 79k people taken - it included instructions for carers on how to gain entry into 890 patient's homes.
  • The Register - Security: Data stolen included checklist for medics on how to get into vulnerable people's homes The UK's data protection watchdog is dishing out a £3.07 million ($3.95 million) fine to Advanced Computer Software Group, whose subsidiary's security failings led to a ransomware attack affecting NHS care.
  • techcrunch.com: NHS vendor Advanced will pay just over £3 million ($3.8 million) in fines for not implementing basic security measures before it suffered a ransomware attack in 2022, the U.K.’s data protection regulator has confirmed.
  • www.itpro.com: The Information Commissioner's Office (ICO) said Advanced Computer Software Group failed to use appropriate security measures before the 2022 attack, which put the personal information of tens of thousands of NHS patients at risk.
  • DataBreaches.Net: The UK’s data protection watchdog is dishing out a £3.07 million ($3.95 million) fine to Advanced Computer Software Group, whose subsidiary’s security failings led to a ransomware attack affecting NHS care. This is nearly half the fine the Information Commissioner’s Office provisionally floated...
  • www.cybersecurity-insiders.com: NHS LockBit ransomware attack yields £3.07 million penalty on tech provider
  • www.bleepingcomputer.com: UK fines software provider £3.07 million for 2022 ransomware breach
  • The DefendOps Diaries: Understanding the 2022 NHS Ransomware Attack: Lessons and Future Preparedness
  • Tech Monitor: UK ICO fines Advanced Computer Software £3m after NHS data breach
  • www.scworld.com: Advanced slapped with almost $4M fine after LockBit hack

Megan Crouse@eWEEK // 14d
References: The Register - Software, eWEEK, OODAloop ...
Cloudflare has launched AI Labyrinth, a new tool designed to combat web scraping bots that steal website content for AI training. Instead of simply blocking these crawlers, AI Labyrinth lures them into a maze of AI-generated content. This approach aims to waste the bots' time and resources, providing a more effective defense than traditional blocking methods which can trigger attackers to adapt their tactics. The AI Labyrinth is available as a free, opt-in tool for all Cloudflare customers, even those on the free tier.

The system works by embedding hidden links within a protected website. When suspicious bot behavior is detected, such as ignoring robots.txt rules, the crawler is redirected to a series of AI-generated pages. This content is "real looking" and based on scientific facts, diverting the bot from the original website's content. Because no human would deliberately explore deep into a maze of AI-generated nonsense, anyone who does can be identified as a bot with high confidence. Cloudflare emphasizes that AI Labyrinth also functions as a honeypot, allowing them to identify new bot patterns and improve their overall bot detection capabilities, all while increasing the cost for unauthorized web scraping.

References:
  • The Register - Software: Cloudflare builds an AI to lead AI scraper bots into a horrible maze of junk content
  • eWEEK: Crowdflare’s Free AI Labyrinth Distracts Crawlers That Could Steal Website Content to Feed AI
  • The Verge: Cloudflare, one of the biggest network internet infrastructure companies in the world, has announced AI Labyrinth, a new tool to fight web-crawling bots that scrape sites for AI training data without permission. The company says in a blog post that when it detects “inappropriate bot behavior,” the free, opt-in tool lures crawlers down a path
  • OODAloop: Trapping misbehaving bots in an AI Labyrinth
  • THE DECODER: Instead of simply blocking unwanted AI crawlers, Cloudflare has introduced a new defense method that lures them into a maze of AI-generated content, designed to waste their time and resources.
  • Digital Information World: Cloudflare’s Latest AI Labyrinth Feature Combats Unauthorized AI Data Scraping By Giving Bots Fake AI Content
  • Ars OpenForum: Cloudflare turns AI against itself with endless maze of irrelevant facts
  • Cyber Security News: Cloudflare Introduces AI Labyrinth to Thwart AI Crawlers and Malicious Bots
  • poliverso.org: Cloudflare’s AI Labyrinth Wants Bad Bots To Get Endlessly Lost
  • aboutdfir.com: Cloudflare builds an AI to lead AI scraper bots into a horrible maze of junk content Cloudflare has created a bot-busting AI to make life hell for AI crawlers.

Laura French@scmagazine.com // 6d
Microsoft's AI tool, Security Copilot, has identified 20 critical vulnerabilities in open-source bootloaders, including GRUB2, U-Boot, and Barebox. These bootloaders are vital for initializing operating systems, especially in Linux environments and embedded systems. The findings highlight the potential for attackers to bypass UEFI Secure Boot, a security standard designed to ensure that only trusted software runs during startup. Security updates addressing these flaws were released in February 2025.

The discovered vulnerabilities, including an exploitable integer overflow, could allow attackers to execute arbitrary code and install persistent malware that may survive OS reinstallation. In the case of GRUB2, attackers could potentially bypass Secure Boot, install stealthy bootkits, and evade enterprise security mechanisms. This could grant threat actors complete control over devices, compromise additional devices on the network, and enable persistent threats. Microsoft used traditional discovery methods, including static code analysis, manual code analysis and fuzzing, with assistance from Microsoft Security Copilot.

References:
  • The Hacker News: The threat actors behind the zero-day exploitation of a recently-patched security vulnerability in Microsoft Windows have been found to deliver two new backdoors called SilentPrism and DarkWisp. The activity has been attributed to a suspected Russian hacking group called Water Gamayun, which is also known as EncryptHub and LARVA-208. "The threat actor deploys payloads primarily by means of
  • Microsoft Security Blog: Using Microsoft Security Copilot to expedite the discovery process, Microsoft has uncovered several vulnerabilities in multiple open-source bootloaders impacting all operating systems relying on Unified Extensible Firmware Interface (UEFI) Secure Boot. Through a series of prompts, we identified and refined security issues, ultimately uncovering an exploitable integer overflow vulnerability in the GRUB2, U-boot, and Barebox bootloaders.
  • bsky.app: Microsoft used its AI-powered Security Copilot to discover 20 previously unknown vulnerabilities in the GRUB2, U-Boot, and Barebox open-source bootloaders. https://www.bleepingcomputer.com/news/security/microsoft-uses-ai-to-find-flaws-in-grub2-u-boot-barebox-bootloaders/
  • BleepingComputer: Microsoft uses AI to find flaws in GRUB2, U-Boot, Barebox bootloaders
  • www.csoonline.com: Microsoft’s AI tool catches critical GRUB2, U-boot bootloader flaws
  • www.scworld.com: Microsoft touts bug finds from Security Copilot

@itpro.com // 9d
Qualys security researchers have uncovered three bypasses in Ubuntu Linux's unprivileged user namespace restrictions, a security feature intended to reduce the attack surface. These bypasses, present in Ubuntu versions 23.10 and 24.04, could enable a local attacker to gain full administrative capabilities. The unprivileged user namespace restrictions were designed to provide security isolation for applications; the newly discovered flaws, however, create a weak spot that attackers can exploit.

The bypasses allow a local attacker to create user namespaces with full administrator capabilities. One method involves exploiting the aa-exec tool, while another utilizes Busybox. A third involves LD_PRELOADing a shell into programs with AppArmor profiles. Successful exploitation could allow attackers to bypass security measures, exploit vulnerabilities in kernel components, and potentially gain full system access. Ubuntu was notified of the vulnerabilities on January 15, 2025.

References:
  • Full Disclosure: Qualys Security Advisory Three bypasses of Ubuntu's unprivileged user namespace restrictions.
  • The DefendOps Diaries: Understanding Security Bypasses in Ubuntu's Unprivileged User Namespaces
  • www.itpro.com: Qualys discovers three bypasses of Ubuntu's unprivileged user namespace restrictions
  • www.networkworld.com: Ubuntu namespace vulnerability should be addressed quickly: Expert
  • BleepingComputer: New Ubuntu Linux security bypasses require manual mitigations
  • bsky.app: Details of how Qualys identifies security bypasses on Ubuntu
  • BleepingComputer: Three security bypasses have been discovered in Ubuntu Linux's unprivileged user namespace restrictions, which could enable a local attacker to exploit vulnerabilities in kernel components.
  • securityonline.info: Ubuntu Security Alert: Three Ways to Bypass User Namespace Restrictions
  • Cyber Security News: New Ubuntu Security Bypasses Allow Attackers to Exploit Kernel Vulnerabilities

@The DefendOps Diaries // 3d
A vulnerability in Verizon's Call Filter feature exposed customers' incoming call history, allowing unauthorized access to call logs. Security researcher Evan Connelly discovered the flaw in the Verizon Call Filter iOS app, revealing that it was possible to access the incoming call logs for any Verizon Wireless number through an unsecured API request. The vulnerability was reported to Verizon on February 22, 2025, and acknowledged by the company two days later. The flaw was subsequently fixed by March 25, 2025.

The vulnerability was rooted in the backend API used by the Verizon Call Filter app, which failed to verify that the phone number requested for call history matched the authenticated user’s number. An attacker with a valid JSON Web Token (JWT) could manipulate the request header and retrieve call logs for any Verizon customer. This oversight allowed modification of the phone number being sent, and data could be received back for Verizon numbers not associated with the signed-in user, raising significant privacy and safety concerns for Verizon Wireless customers.
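The missing check described above is a classic object-level authorization failure. Here is an added example, not Verizon's code or Evan Connelly's write-up, that models the flawed handler next to a corrected one. It assumes the session token is an HS256 JWT whose `sub` claim is the subscriber's own number, that the requested number travels in a hypothetical `X-Phone-Number` header, and that an in-memory dict stands in for the call-log store; all three are assumptions, not details from the report.

```python
"""Added example (not Verizon's code): the ownership check whose absence exposed
other subscribers' call logs, shown as a vulnerable handler next to a fixed one.
Assumptions: HS256 JWT with the caller's number in ``sub``; the requested number
arrives in a hypothetical ``X-Phone-Number`` header; call logs live in a dict."""
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"  # stand-in for the service's signing key

# Constructed sample data: two subscribers and their incoming call logs.
CALL_LOGS = {
    "+15551110001": [{"from": "+15550009999", "ts": "2025-02-22T10:01:00Z"}],
    "+15551110002": [{"from": "+15550008888", "ts": "2025-02-22T11:30:00Z"}],
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(phone_number: str) -> str:
    """Mint an HS256 JWT that binds the session to one subscriber number."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": phone_number}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str) -> dict:
    """Check the signature in constant time and return the claims; raise on tampering."""
    header, payload, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise PermissionError("invalid token signature")
    return json.loads(_b64url_decode(payload))


def call_history_vulnerable(headers: dict) -> list:
    """Reproduces the flaw: the token is genuine, so the handler trusts whatever
    number the client placed in the header and never compares it to the caller."""
    verify_token(headers["Authorization"].removeprefix("Bearer "))
    requested = headers["X-Phone-Number"]
    return CALL_LOGS.get(requested, [])


def call_history_fixed(headers: dict) -> list:
    """The fix: the requested number must equal the number bound to the
    authenticated session (the ``sub`` claim); anything else is refused."""
    claims = verify_token(headers["Authorization"].removeprefix("Bearer "))
    requested = headers["X-Phone-Number"]
    if requested != claims["sub"]:
        raise PermissionError("requested number does not belong to the caller")
    return CALL_LOGS.get(requested, [])


def demo() -> tuple:
    """A valid session for one subscriber asks for another subscriber's log
    through both handlers; returns (what leaked, whether the fix blocked it)."""
    headers = {
        "Authorization": "Bearer " + issue_token("+15551110001"),
        "X-Phone-Number": "+15551110002",  # tampered: not the caller's own number
    }
    leaked = call_history_vulnerable(headers)
    try:
        call_history_fixed(headers)
        blocked = False
    except PermissionError:
        blocked = True
    return leaked, blocked


if __name__ == "__main__":
    print(demo())
```

The general lesson is that authenticating the caller is not the same as authorizing the object: every request that names a resource must be checked against the identity the token actually carries, server side.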

Recommended read:
References :
  • bsky.app: A vulnerability in Verizon's Call Filter feature allowed customers to access the incoming call logs for another Verizon Wireless number through an unsecured API request.
  • The DefendOps Diaries: Understanding the Verizon Call Filter API Vulnerability
  • BleepingComputer: Verizon Call Filter API flaw exposed customers' incoming call history
  • DataBreaches.Net: Security researcher Evan Connelly recently identified a security vulnerability in the Verizon Call Filter iOS app which made it possible for a malicious actor to leak call history logs of Verizon Wireless customers.
  • securityonline.info: Verizon Call Filter App Vulnerability Exposed Call Records of Millions
  • CyberInsider: Verizon Call Filter App Flaw Exposed Call Logs of Millions of Customers
  • www.itpro.com: Verizon Call Filter API flaw could’ve exposed millions of Americans’ call records
  • Malwarebytes: Flaw in Verizon call record requests put millions of Americans at risk
  • Talkback Resources: TalkBack.sh: Flaw in Verizon call record requests put millions of Americans at risk

@The DefendOps Diaries // 4d
A critical vulnerability, identified as CVE-2024-20439, has been discovered in the Cisco Smart Licensing Utility (CSLU), a Windows application used for managing licenses. This flaw exposes a built-in backdoor admin account due to an undocumented static user credential. Unauthenticated attackers are now actively exploiting this vulnerability to gain remote administrative access to unpatched systems through the CSLU app's API. Cisco has urged administrators to immediately apply the necessary patches to prevent unauthorized access and mitigate the risk.

The exploitation of CVE-2024-20439 allows attackers to bypass normal authentication procedures and gain control over the CSLU API. This provides them with the ability to manage services, extract sensitive data, and potentially move laterally within affected networks. The U.S. CISA has added this Cisco Smart Licensing Utility flaw to its Known Exploited Vulnerabilities catalog, highlighting the severity and active exploitation of this vulnerability. The vulnerability was first disclosed by Cisco in September 2024 and has since been actively exploited in the wild, raising significant concerns about network security.

Recommended read:
References :
  • bsky.app: Cisco warns admins to patch a critical Cisco Smart Licensing Utility (CSLU) vulnerability, which exposes a built-in backdoor admin account now used in attacks.
  • BleepingComputer: Cisco warns admins to patch a critical Cisco Smart Licensing Utility (CSLU) vulnerability, which exposes a built-in backdoor admin account now used in attacks.
  • The DefendOps Diaries: Explore the critical Cisco Smart Licensing Utility vulnerability and learn mitigation strategies to protect your network.
  • Cyber Security News: Cisco Smart Licensing Utility Vulnerabilities Let Attackers Gain Admin Access
  • gbhackers.com: Cisco Smart Licensing Utility Flaws Allowed Attackers to Gain Admin Access
  • securityonline.info: CISA Warns of Active Exploitation of Cisco Smart Licensing Utility Flaw

Sergiu Gatlan@BleepingComputer // 2d
The Ransomware-as-a-Service (RaaS) group Hunters International has reportedly shifted its focus from ransomware to data extortion, rebranding itself as "World Leaks" on January 1, 2025. This change in tactics signals a new era in cybercrime, driven by the declining profitability of ransomware and increased scrutiny from law enforcement and governments worldwide. Group-IB researchers revealed that the group's senior personnel decided ransomware was becoming too "unpromising, low-converting, and extremely risky," leading to the development of an extortion-only operation.

The group is reportedly leveraging custom-built exfiltration tools to automate data theft from victim networks, enhancing their ability to carry out extortion-only attacks. Cybersecurity researchers have also linked Hunters International to the infamous Hive ransomware group: while Hunters International denies being a direct continuation of Hive, evidence suggests that it acquired Hive’s source code and operational tools. The group targets various industries, including healthcare, real estate, and professional services, across North America, Europe, and Asia.

Recommended read:
References :
  • The DefendOps Diaries: Hunters International's shift to data extortion: a new era in cybercrime.
  • BleepingComputer: Hunters International shifts from ransomware to pure data extortion.
  • Cyber Security News: Hunters International Linked to Hive Ransomware in Attacks on Windows, Linux, and ESXi Systems
  • The Register - Security: Crimelords at Hunters International tell lackeys ransomware too 'risky'
  • securityboulevard.com: Details of the rebranding and shift in focus to extortion by Hunters International.
  • bsky.app: The Hunters International ransomware group is shutting down and rebranding as World Leaks – an extortion-only operation.

@upguard.com // 6d
API security testing firm APIsec exposed an internal database to the internet without a password, potentially compromising customer data. The database contained customer info and other data generated while monitoring customer APIs for security weaknesses, according to researchers at UpGuard, who discovered the exposed database on March 5th, 2025. UpGuard notified APIsec, and the database was secured the same day. APIsec claims to be used by 80% of the Fortune 100.

The exposed Elasticsearch database contained over three terabytes of data, including configuration information for private scanning instances, results of API scans for customers’ endpoints, and personal information for users collected during scanning. This data provided extensive information about the attack surfaces of APIsec's customers. The database contained indices for executing the APIsec test suites against customer APIs and storing the results, with data spanning from 2018 to 2025.

The APIsec platform helps companies secure their APIs by running tests for common weaknesses. The exposed data included information about which tests were being performed, allowing attackers to potentially look for issues not being tested. The index "fx-accounts" included usernames and credentials for services like AWS, Slack, and GitHub. The index "fx-clusters" contained configuration data for APIsec scanning instances, some of which contained the same AWS access key as the record in "fx-accounts."

Recommended read:
References :
  • Zack Whittaker: New: API security testing firm APIsec exposed an internal database to the internet without a password. The database contained customer info and other data generated while monitoring customer APIs for security weaknesses, per researchers at UpGuard, which found it.
  • techcrunch.com: API testing firm APIsec exposed customer data during security lapse
  • www.upguard.com: Watching the Watcher: How a Security Company Leaked Customer Data | UpGuard
  • CyberInsider: Security Firm APIsec Exposed 3TB of Sensitive Customer Data

jane.mccallion@futurenet.com (Jane@itpro.com // 3d
The Wikimedia Foundation, which oversees Wikipedia, is facing a surge in bandwidth usage due to AI bots scraping the site for data to train AI models. Representatives from the Wikimedia Foundation have stated that since January 2024, the bandwidth used for downloading multimedia content has increased by 50%. This increase is not attributed to human readers, but rather to automated programs that are scraping the Wikimedia Commons image catalog of openly licensed images.

This unprecedented level of bot traffic is straining Wikipedia's infrastructure and increasing costs. The Wikimedia Foundation has found that at least 65% of the resource-consuming traffic to the website is coming from bots, even though bots only account for about 35% of overall page views. This is because bots often gather data from less popular articles, which requires fetching content from the core data center, consuming more computing resources. In response, Wikipedia’s site managers have begun imposing rate limits or banning offending AI crawlers.


Mandvi@Cyber Security News // 15d
The FishMonger APT, a Chinese cyber-espionage group with ties to the cybersecurity contractor I-SOON, has been implicated in a global espionage operation known as Operation FishMedley. This campaign, active in 2022, targeted a diverse range of entities, including governments, non-governmental organizations (NGOs), and think tanks across Asia, Europe, and the United States. These findings come as the US Department of Justice unsealed an indictment against I-SOON employees for their alleged involvement in espionage campaigns spanning from 2016 to 2023.

The attacks involved sophisticated malware implants such as ShadowPad, Spyder, and SodaMaster, tools frequently associated with China-aligned threat actors. These implants facilitated data theft, surveillance, and network penetration. One case revealed attackers used the Impacket tool to escalate privileges, execute commands, and extract sensitive authentication data from a US-based NGO. ESET's independent research confirms FishMonger is an espionage team operated by I-SOON, highlighting the ongoing threat posed by China-aligned APT groups to sensitive sectors worldwide.

Recommended read:
References :
  • Cyber Security News: Chinese FishMonger APT Linked to I-SOON Targets Governments and NGOs
  • Virus Bulletin: ESET's Matthieu Faou writes about Operation FishMedley, a global espionage operation by FishMonger, the China-aligned APT group run by I-SOON. In the victims list: governments, NGOs and think tanks across Asia, Europe and the United States.
  • : FishMonger APT Group Linked to I-SOON in Espionage Campaigns
  • gbhackers.com: GB Hackers: I-SOON’s ‘Chinese Fishmonger’ APT Targets Government Entities and NGOs
  • Talkback Resources: Talkback: Chinese I-Soon Hackers Hit 7 Organizations in Operation FishMedley [net] [rev] [mal]

Nazy Fouladirad@AI Accelerator Institute // 4d
As generative AI adoption rapidly increases, securing investments in these technologies has become a paramount concern for organizations. Companies are beginning to understand the critical need to validate and secure the underlying large language models (LLMs) that power their Gen AI products. Failing to address these security vulnerabilities can expose systems to exploitation by malicious actors, emphasizing the importance of proactive security measures.

Microsoft is addressing these concerns through innovations in Microsoft Purview, which offers a comprehensive set of solutions aimed at helping customers seamlessly secure and confidently activate data in the AI era. Complementing these efforts, Fiddler AI is focusing on building trust into AI systems through its AI Observability platform. This platform emphasizes explainability and transparency. They are helping enterprise AI teams deliver responsible AI applications, and also ensure people interacting with AI receive fair, safe, and trustworthy responses. This involves continuous monitoring, robust security measures, and strong governance practices to establish long-term responsible AI strategies across all products.

The emergence of agentic AI, which can plan, reason, and take autonomous action to achieve complex goals, further underscores the need for enhanced security measures. Agentic AI systems extend the capabilities of LLMs by adding memory, tool access, and task management, allowing them to operate more like intelligent agents than simple chatbots. Organizations must treat security and oversight as essential to safe deployment. Gartner research indicates a significant portion of organizations plan to pursue agentic AI initiatives, making it crucial to address potential security risks associated with these systems.
