Oluwapelumi Adejumo@CryptoSlate - 7d
Cryptocurrency exchange Bybit has confirmed a record-breaking theft of approximately $1.46 billion in digital assets from one of its offline Ethereum wallets. The attack, which occurred on Friday, is believed to be the largest crypto heist on record. Bybit disclosed that a highly sophisticated attack resulted in the theft of more than Rs 11,972 crores in digital assets.
The theft targeted an Ethereum cold wallet, involving a manipulation of a transaction from the cold wallet to a warm wallet. This allowed the attacker to gain control and transfer the funds to an unidentified address. The incident highlights the rising trend of cryptocurrency heists, driven by the allure of profits and challenges in tracing such crimes.
References:
- www.techmeme.com: ZachXBT: crypto exchange Bybit has experienced $1.46B worth of "suspicious outflows"; Bybit CEO confirms hacker took control of cold ETH wallet
- CryptoSlate: The crypto exchange ByBit has been hacked, and roughly $1.5 billion in Ethereum (ETH) has been stolen — making this one of the biggest hacks in history.
- infosec.exchange: NEW: Crypto exchange Bybit said it was hacked and suffered a loss of around $1.4 billion (~401,346 ETH) at the time of the hack.
- PCMag UK security: The Bybit exchange lost 400,000 in ETH, or about $1.4 billion, before the price began to slide, making it the biggest crypto-related hack in history.
- techcrunch.com: TechCrunch reports on the Bybit hack, disclosing a loss of approximately $1.4 billion in Ethereum.
- ciso2ciso.com: In a major cybersecurity incident, Bybit, the world’s 2nd-largest crypto exchange suffered a $1.4 billion ETH hack from a cold wallet breach.
- ciso2ciso.com: Bybit Hack: $1.4B Stolen from World’s 2nd Largest Crypto Exchange – Source: hackread.com
- cryptoslate.com: ByBit suffers $1.5 billion Ethereum heist in cold wallet breach
- www.coindesk.com: Bybit experiences USD1.46B in suspicious outflows
- BleepingComputer: Cryptocurrency exchange Bybit revealed today that an unknown attacker stole over $1.46 billion worth of cryptocurrency from one of its ETH cold wallets.
- The Cryptonomist: 3 Best Bybit Alternatives As Top CEX Is Hacked
- Gulf Business: ‘Worst hack in history’: Dubai crypto exchange Bybit suffers $1.5bn ether heist
- Anonymous: Cryptocurrency exchange Bybit revealed today that an unknown attacker stole over $1.46 billion worth of cryptocurrency from one of its ETH cold wallets.
- www.bleepingcomputer.com: Hacker steals record $1.46 billion in ETH from Bybit cold wallet
- Techmeme: Bybit Loses $1.5B in Hack but Can Cover Loss, CEO Confirms (Oliver Knight/CoinDesk)
- Report Boom: Report on the Bybit crypto heist, detailing the incident and security recommendations.
- thehackernews.com: Report on the Bybit hack, highlighting the scale of the theft and its implications.
- reportboom.com: Reportboom article about Bybit's $1.46B Crypto Heist.
- www.it-daily.net: Bybit hacked: record theft of 1.5 billion US dollars
- Protos: News about the Bybit cryptocurrency exchange being hacked for over $1.4 billion.
- The420.in: On Friday, cryptocurrency exchange Bybit disclosed that a highly sophisticated attack resulted in the theft of more than Rs 11,972 crores in digital assets from one of its offline Ethereum wallets—the largest crypto heist on record.
- TechSpot: The hackers stole the crypto from Bybit's cold wallet, an offline storage system.
- Talkback Resources: Crypto exchange Bybit was targeted in a $1.46 billion theft by the Lazarus Group, highlighting the rising trend of cryptocurrency heists driven by the allure of profits and challenges in tracing such crimes.
- www.bleepingcomputer.com: Cryptocurrency exchange Bybit revealed today that an unknown attacker stole over $1.46 billion worth of cryptocurrency from one of its ETH cold wallets.
- www.the420.in: The420.in: Biggest Crypto Heist Ever: Bybit Loses Rs 12,000+ Crore in Sophisticated Ethereum Wallet Attack!
- www.cnbc.com: This report discusses the Bybit hack, detailing the amount stolen and the potential impact on the crypto market.
- www.engadget.com: This news piece reports on the massive crypto heist from Bybit, highlighting the scale of the incident and the impact on the crypto market.
- Techmeme: Arkham says ZachXBT submitted proof that North Korea's Lazarus Group is behind Bybit's $1.5B hack, which is the largest single theft in crypto history
- BrianKrebs: Infosec exchange post describing Bybit breach.
- Talkback Resources: Bybit cryptocurrency exchange suffered a cyberattack resulting in the theft of $1.5 billion worth of digital currency, including over 400,000 ETH and stETH, with potential vulnerabilities in the Safe.global platform's user interface exploited.
- securityaffairs.com: SecurityAffairs reports Lazarus APT stole $1.5B from Bybit, it is the largest cryptocurrency heist ever.
- gulfbusiness.com: ‘Worst hack in history’: Dubai crypto exchange Bybit suffers $1.5bn ether heist
- techcrunch.com: Crypto exchange Bybit says it was hacked and lost around $1.4B
- Tekedia: The cryptocurrency industry has been rocked by what is now considered the largest digital asset theft in history, as Bybit, a leading crypto exchange, confirmed on Friday that hackers stole approximately $1.4 billion worth of Ethereum (ETH) from one of its offline wallets.
- blog.checkpoint.com: What the Bybit Hack Means for Crypto Security and the Future of Multisig Protection
- Dan Goodin: Crypto exchange Bybit said it was hacked and suffered a loss of around $1.4 billion (~401,346 ETH) at the time of the hack.
- BleepingComputer: Crypto exchange Bybit revealed today that an unknown attacker stole over $1.46 billion worth of cryptocurrency from one of its ETH cold wallets.
- Security Boulevard: North Korea’s Lazarus Group Hacks Bybit, Steals $1.5 Billion in Crypto
- bsky.app: Elliptic is following the money on this ByBit hack - the biggest theft of all time. “Within 2 hours of the theft, the stolen funds were sent to 50 different wallets, each holding approximately 10,000 ETH. These are now being systematically emptied”.
- Talkback Resources: Talkback Post about the $1.5B Bybit Hack: The Era of Operational Security Failures Has Arrived
- infosec.exchange: Reports that North Korean hackers stole $1.4 billion in crypto from Bybit.
- securityboulevard.com: North Korea's notorious Lazarus Group reportedly stole $1.5 billion in cryptocurrency from the Bybit exchange in what is being called the largest hack in the controversial market's history.
- billatnapier.medium.com: One of the Largest Hacks Ever? But Will The Hackers Be Able To Launder The Gains?
- thecyberexpress.com: thecyberexpress.com - Details on Bybit Cyberattack.
- Matthew Rosenquist: This may turn out to be the biggest hack in history! $1.5 BILLION.
- PCMag UK security: The $1.4 billion at Bybit—the largest known cryptocurrency heist in history—has been traced to the notorious Lazarus North Korean hacking group.
- www.nbcnews.com: Hackers steal $1.5 billion from exchange Bybit in biggest-ever crypto heist: Blockchain analysis firm Elliptic later linked the attack to North Korea’s Lazarus Group, a state-sponsored hacking collective
- www.pcmag.com: Researchers spot the $1.4 billion stolen from Bybit moving through cryptocurrency wallets that were used in earlier heists attributed to North Korea's Lazarus hacking group.
- siliconangle.com: $1.5B in cryptocurrency stolen from Bybit in attack linked to North Korean hackers
- www.americanbanker.com: Nearly $1.5 billion in tokens lost in Bybit crypto exchange hack
- SiliconANGLE: SiliconAngle reports on the details of the Bybit hack and links it to North Korean hackers.
- techcrunch.com: TechCrunch reports on the massive crypto heist, citing research that points to North Korean hackers as perpetrators.
- OODAloop: Reports that North Korea’s Lazarus Group APT is Behind Largest Crypto Heist Ever
- Be3: Looming Shadows: $1.5 Billion Crypto Heist Shakes Confidence in Security Measures
- Schneier on Security: Schneier on Security covers the North Korean Hackers Stealing $1.5B in Cryptocurrency.
- Dataconomy: How the Bybit hack shook the crypto world: $1.5B gone overnight
- be3.sk: Looming Shadows: $1.5 Billion Crypto Heist Shakes Confidence in Security Measures
- Risky Business: Risky Business #781 -- How Bybit oopsied $1.4bn
- cyberriskleaders.com: Bybit, a leading exchange, was hacked for USD1.4 billion in Ethereum and staked Ethereum, sending shockwaves through the digital asset community.
- www.csoonline.com: Independent investigation finds connections to the Lazarus Group.
- Cybercrime Magazine: Bybit suffers the largest crypto hack in history
- www.theguardian.com: Cyberattackers believed to be affiliated with the state-sponsored threat group pulled off the largest crypto heist reported to date, stealing $1.5 billion from exchange Bybit.
- bsky.app: Forensic investigators have discovered that North Korean Lazarus hackers stole $1.5 billion from Bybit after first breaching a Safe{Wallet} developer machine. The multisig wallet platform has also confirmed these findings in a statement issued today.
- Sergiu Gatlan: Forensic investigators have discovered that North Korean Lazarus hackers stole $1.5 billion from Bybit after first breaching a Safe{Wallet} developer machine. The multisig wallet platform has also confirmed these findings in a statement issued today.
- SecureWorld News: SecureWorld reports on the Bybit hack, attributing it to the Lazarus Group.
- OODAloop: The Largest Theft in History – Following the Money Trail from the Bybit Hack
- gbhackers.com: Researchers Uncover $1.4B in Sensitive Data Tied to ByBit Hack by Lazarus Group
- Secure Bulletin: Lazarus group’s Billion-Dollar Bybit heist: a cyber forensics analysis
- Talkback Resources: THN Weekly Recap: From $1.5B Crypto Heist to AI Misuse & Apple’s Data Dilemma [mal]
- infosec.exchange: NEW: Hacked crypto exchange Bybit is offering $140 million in bounties to anyone who can help locate and freeze the stolen ethereum.
- CyberInsider: Record $1.5 billion Bybit hack undermines trust in crypto security
- The Register - Security: Cryptocurrency exchange Bybit, just days after suspected North Korean operatives stole $1.5 billion in Ethereum from it, has launched a bounty program to help recover its funds.
- PCMag UK security: The malicious JavaScript code used in the attack could secretly modify transactions for Safe{Wallet}, a cryptocurrency wallet provider. The suspected North Korean hackers who stole $1.4 billion in cryptocurrency from Bybit pulled off the heist by infiltrating a digital wallet provider and tampering with its software.
- techcrunch.com: Last week, hackers stole around $1.4 billion in Ethereum cryptocurrency from crypto exchange Bybit, believed to be the largest crypto heist in history. Now the company is offering a total of $140 million in bounties for anyone who can help trace and freeze the stolen funds. Bybit’s CEO and
- securityaffairs.com: The FBI confirmed that North Korea is responsible for the record-breaking cyber heist at the crypto exchange Bybit.
- The Register - Security: FBI officially fingers North Korea for $1.5B Bybit crypto-burglary
- techcrunch.com: The FBI has said the North Korean government is “responsible” for the hack at crypto exchange Bybit, which resulted in the theft of more than $1.4 billion in Ethereum cryptocurrency.
- Talkback Resources: FBI Says North Korea Hacked Bybit as Details of $1.5B Heist Emerge [net] [mal]
- Unchained: How the Bybit Hack Reveals an Industry Still Striving for Transparency
- PCMag UK security: FBI Blames North Korea for Massive $1.4 Billion Cryptocurrency Heist
- The420.in: Rs 1.27 trillion Stolen: Bybit Joins the Ranks of Crypto’s Largest Thefts – Full List Inside
- Talkback Resources: Bybit Hack Traced to Safe{Wallet} Supply Chain Attack Exploited by North Korean Hackers [mal]
Bruce Schneier@Schneier on Security - 20d
The UK government has reportedly ordered Apple to create a backdoor for accessing end-to-end encrypted data in iCloud. This demand, made under the Investigatory Powers Act, seeks blanket access to all encrypted content, not just specific accounts. The law, known as the "Snoopers' Charter," prohibits Apple from even revealing the demand.
The Washington Post reported that the UK government served Apple with a “technical capability notice” requiring it to break the Advanced Data Protection encryption in iCloud for the benefit of law enforcement. This has caused alarm among privacy advocates and tech experts, many of whom see it as an emergency. Experts warn that complying with the order could weaken user trust and expose sensitive data to misuse; a government backdoor also puts everyone at greater risk of hacking, identity theft, and fraud. It is being reported that Apple is likely to turn the feature off for UK users rather than break it for everyone worldwide.
References:
- Casey Newton: Reports on Apple's potential response to the UK's demand to access encrypted iCloud data.
- jonnyevans: UK orders Apple to let it access everyone’s encrypted data
- Tao of Mac: UK Government Orders Apple to Create Global iCloud Encryption Backdoor
- Deeplinks: The Electronic Frontier Foundation (EFF) strongly opposes the UK's demand, emphasizing that weakening encryption undermines privacy and security.
- Schneier on Security: The Washington Post is reporting that the UK government has served Apple with a “technical capability notice” as defined by the 2016 Investigatory Powers Act, requiring it to break the Advanced Data Protection encryption in iCloud for the benefit of law enforcement. This is a big deal, and something we in the security community have worried was coming for a while now. The law, known by critics as the Snoopers’ Charter, makes it a criminal offense to reveal that the government has even made such a demand.
- www.macrumors.com: UK Government Orders Apple to Create Global iCloud Encryption Backdoor
- gbhackers.com: UK Pressures Apple to Create Global Backdoor To Spy on Encrypted iCloud Access
- techcrunch.com: UK government demands Apple backdoor to encrypted cloud data report
- CyberInsider: U.K. Secretly Ordered Apple to Create Encryption Backdoor
- gbhackers.com: UK Pressures Apple to Create Global Backdoor To Spy on Encrypted iCloud Access
- Carly Page: Government officials in the UK have reportedly ordered Apple to build a backdoor that would give its authorities access to users’ encrypted iCloud data. Apple will likely stop offering its encrypted cloud storage offering, Advanced Data Protection, to users in the country
- tomas-svojanovsky.medium.com: The UK’s Secret Demand for an Apple Backdoor: What It Means for Your Privacy and Apple’s Encryption Battle
- cyberinsider.com: U.K. Secretly Ordered Apple to Create Encryption Backdoor
- 9to5Mac: It’s being reported that the British government secretly ordered Apple to create a backdoor into all content uploaded by users anywhere in the world.
- The Register - Security: UK Home Office silent on alleged Apple backdoor order
- Matthew Green: Let’s be clear about what this article is saying. The U.K. has a law that allows it to issue “technical capability notices” to companies. These notices require the company to effectively disable, or secretly backdoor, their encryption mechanisms.
- Matthew Green: The U.K. may be preparing to issue Apple an order that forces them to (secretly) disable encryption.
- 9to5mac.com: 9to5Mac reports on the UK government's secret order for Apple to create a worldwide iCloud backdoor.
- Six Colors: This article discusses the implications of the UK government's order for Apple to implement a backdoor for end-to-end encryption.
- The Internet Review: This article discusses the UK government's mandate for Apple to create a global iCloud encryption backdoor.
- Open Rights Group: UK government seeks to break encryption in secret, with minimal accountability and potentially global impacts. They're failing in their primary duty to protect British citizens in a world where cybersecurity threats are increasing. Privacy = security. We must protect encryption!
- Anonymous: It will affect users around the world: The UK's demands for Apple to break encryption is an emergency for us all. Weakening encryption violates human rights!
- arstechnica.com: The UK demands Apple break encryption to allow gov’t spying worldwide, reports say. Apple last year opposed UK's secret notices demanding encryption backdoors.
- CCC: It will affect users around the world: The UK's demands for Apple to break encryption is an emergency for us all. Weakening encryption violates human rights!
- Metacurity: UK government demands Apple create an encrypted cloud backdoor
- www.computerworld.com: UK orders Apple to let it access everyone’s encrypted data
- Anonymous: Government officials in the UK have reportedly ordered Apple to build a backdoor that would give its authorities access to users’ encrypted iCloud data.
- Ars Technica: UK demands Apple break encryption to allow gov’t spying worldwide, reports say. Apple last year opposed UK's secret notices demanding encryption backdoors.
- www.bbc.co.uk: The UK government seeks to break encryption in secret, with minimal accountability and potentially global impacts. They're failing in their primary duty to protect British citizens in a world where cybersecurity threats are increasing. Privacy = security. We must protect encryption!
- Mark Nottingham: What can Apple do in the face of a UK order to weaken encryption worldwide? Decentralise iCloud, to start.
- @PrivacyMatters: Mastodon post on the UK demanding Apple to create a backdoor to access all iCloud content.
- securityaffairs.com: UK Gov demands backdoor to access Apple iCloud backups worldwide
- techcrunch.com: The UK government's secret demands for backdoor access to encrypted iCloud accounts is a "global emergency", critics have warned
- The Tuta Blog: Tuta.com: Apple to backdoor encryption? Round 2
- www.cybersecurity-insiders.com: UK Home Office Seeks Access to Apple iCloud Accounts
- SecureWorld News: A secret order issued by the United Kingdom's government is sparking global alarm among privacy advocates and cybersecurity experts.
- Carly Page: The UK government's secret demands for backdoor access to encrypted iCloud accounts is a "global emergency", critics have warned
- www.cybersecurity-insiders.com: CyberSecurity Insiders article about details on Home Office Apple iCloud access
- securityboulevard.com: UK Is Ordering Apple to Break Its Own Encryption
- securityboulevard.com: The United Kingdom has made a bold demand to Apple, purporting to require the company to create a backdoor to access encrypted cloud backups of all users worldwide.
- blog.cryptographyengineering.com: U.K. asks to backdoor iCloud Backup encryption
- www.helpnetsecurity.com: The UK’s secret iCloud backdoor request: A dangerous step toward Orwellian mass surveillance
- www.scworld.com: Reported UK-ordered iCloud encryption backdoor slammed
- Freedom of the Press: social.freedom.press post about U.K. officials issuing a secret order to Apple to create a backdoor for “blanket” access to encrypted data on its iCloud service for users worldwide.
- freedom.press: 📩 U.K. officials issued a secret order to Apple to create a backdoor for “blanket” access to encrypted data on its iCloud service for users worldwide. Read about how to protect yourself in our digital security newsletter (and subscribe):
- Help Net Security: The UK’s secret iCloud backdoor request: A dangerous step toward Orwellian mass surveillance
Bill Mann@CyberInsider - 10d
The Qualys Threat Research Unit (TRU) has revealed two significant vulnerabilities in OpenSSH, impacting both client and server components. The first, CVE-2025-26465, is a machine-in-the-middle (MitM) attack that targets OpenSSH clients when the VerifyHostKeyDNS option is enabled. The second, CVE-2025-26466, involves a pre-authentication denial-of-service (DoS) attack affecting both client and server systems by exhausting resources. These vulnerabilities expose systems to potential interception of communications and resource exhaustion, potentially crippling SSH servers.
The MitM vulnerability, CVE-2025-26465, allows attackers to impersonate a server, bypassing client identity checks even if VerifyHostKeyDNS is set to "yes" or "ask". This flaw was introduced in December 2014 and affects OpenSSH versions 6.8p1 through 9.9p1. The DoS vulnerability, CVE-2025-26466, enables attackers to consume excessive memory and CPU resources, impacting versions 9.5p1 through 9.9p1. While mitigations exist, such as LoginGraceTime and MaxStartups, immediate patching is strongly advised. OpenSSH version 9.9p2 addresses these vulnerabilities, and administrators are urged to upgrade affected systems promptly.
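The version ranges and the VerifyHostKeyDNS condition above lend themselves to a quick fleet inventory check. The following Python is an added example, not code from Qualys, the OpenSSH project or the article: it parses OpenSSH version banners (the form printed by `ssh -V` or sent in a server's protocol greeting) against the affected ranges stated in the paragraph, and flags client configuration lines that enable VerifyHostKeyDNS. The sample config is constructed, and treating a banner without a portable `pN` suffix as p1 is an assumption made here.

```python
import re

# Affected ranges, inclusive, exactly as stated in the advisory summary above.
AFFECTED = {
    "CVE-2025-26465": ((6, 8, 1), (9, 9, 1)),  # MitM against VerifyHostKeyDNS-enabled clients
    "CVE-2025-26466": ((9, 5, 1), (9, 9, 1)),  # pre-auth DoS, client and server
}
FIXED_IN = (9, 9, 2)

# Matches "OpenSSH_9.7p1" inside "SSH-2.0-OpenSSH_9.7p1 Debian-7" or the output of `ssh -V`.
BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")


def parse_version(banner):
    """Return (major, minor, portable_patch) or None if this is not an OpenSSH banner.
    Assumption: a banner without a 'pN' suffix is treated as p1 for range comparison."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch) if patch else 1)


def affected_cves(banner):
    """List the CVEs whose stated range contains the banner's version; None if unparseable."""
    version = parse_version(banner)
    if version is None:
        return None
    return [cve for cve, (low, high) in AFFECTED.items() if low <= version <= high]


def audit_ssh_config(text):
    """Return (line_number, message) for each client config line enabling VerifyHostKeyDNS.
    Handles 'Key value' and 'Key=value' forms and strips trailing comments."""
    findings = []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ").split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "verifyhostkeydns" and value in ("yes", "ask"):
            findings.append((number, f"VerifyHostKeyDNS {value}: exposed to CVE-2025-26465 "
                                     f"on clients older than {'.'.join(map(str, FIXED_IN[:2]))}p{FIXED_IN[2]}; "
                                     "set to 'no' until the client is upgraded"))
    return findings


# Constructed sample client config (not from any real host).
SAMPLE_SSH_CONFIG = """\
# constructed ~/.ssh/config
Host *
    VerifyHostKeyDNS ask
Host bastion.example.com
    VerifyHostKeyDNS no
"""

if __name__ == "__main__":
    for banner in ("SSH-2.0-OpenSSH_9.7p1 Debian-7", "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3",
                   "SSH-2.0-OpenSSH_9.9p2", "SSH-2.0-OpenSSH_6.7p1"):
        print(banner, "->", affected_cves(banner))
    for number, message in audit_ssh_config(SAMPLE_SSH_CONFIG):
        print(f"line {number}: {message}")
```

Run against banners collected from an inventory tool, the version check separates hosts that need the 9.9p2 upgrade for both issues (9.5p1 and later) from those exposed only to the client-side MitM; the config audit is the interim control for the latter group.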
References:
- CyberInsider: OpenSSH Vulnerabilities Exposed Millions to Multi-Year Risks
- buherator's timeline: Qualys Security Advisory CVE-2025-26465: MitM attack against OpenSSH's VerifyHostKeyDNS-enab...
- Open Source Security: Qualys Security Advisory discussing MitM and DoS attacks against OpenSSH clients and servers.
- securityonline.info: Securityonline.info article on OpenSSH flaws CVE-2025-26465 and CVE-2025-26466 exposing clients and servers to attacks.
- www.openwall.com: Qualys Security Advisory CVE-2025-26465: MitM attack against OpenSSH's VerifyHostKeyDNS-enab...
- cyberinsider.com: The Qualys Threat Research Unit (TRU) has disclosed two critical vulnerabilities in OpenSSH affecting both client and server components.
- securityonline.info: OpenSSH Flaws CVE-2025-26465 & CVE-2025-26466 Expose Clients and Servers to Attacks
- blog.qualys.com: Qualys TRU Discovers Two Vulnerabilities in OpenSSH (CVE-2025-26465, CVE-2025-26466)
- hackread.com: Critical OpenSSH Vulnerabilities Expose Users to MITM and DoS Attacks
- Ubuntu security notices: USN-7270-2: OpenSSH vulnerability
- The Hacker News: Two security vulnerabilities have been discovered in the OpenSSH secure networking utility suite that, if successfully exploited, could result in an active machine-in-the-middle (MitM) and a denial-of-service (DoS) attack, respectively, under certain conditions.
- www.csoonline.com: OpenSSH fixes flaws that enable man-in-the-middle, DoS attacks
- securityaffairs.com: OpenSSH bugs allow Man-in-the-Middle and DoS Attacks
- www.scworld.com: OpenSSH flaws could enable man-in-the-middle attacks, denial of service. Two vulnerabilities in OpenSSH could enable man-in-the-middle (MitM) attacks or denial of service (DoS), the Qualys Threat Research Unit (TRU) revealed Tuesday.
- KubikPixel: OpenSSH flaws could enable man-in-the-middle attacks, denial of service. Two vulnerabilities in OpenSSH could enable man-in-the-middle (MitM) attacks or denial of service (DoS), the Qualys Threat Research Unit (TRU) revealed Tuesday.
- AAKL: Infosec Exchange Post: Qualys TRU Discovers Two Vulnerabilities in OpenSSH: CVE-2025-26465 & CVE-2025-26466 More: The Register: FreSSH bugs undiscovered for years threaten OpenSSH security
- socradar.io: Security Flaws in OpenSSH and Juniper Networks Demand Action (CVE-2025-26465, CVE-2025-26466, and CVE-2025-21589)
- Information Security Buzz: Qualys Identifies Critical Vulnerabilities that Enable DDoS, MITM Attacks
- www.theregister.com: FreSSH bugs undiscovered for years threaten OpenSSH security
- socprime.com: Socprime discusses CVE-2025-26465 & CVE-2025-26466 Vulnerabilities.
- Full Disclosure: Qualys Security Advisory CVE-2025-26465: MitM attack against OpenSSH's VerifyHostKeyDNS-enabled client CVE-2025-26466: DoS attack against OpenSSH's client and server
- www.scworld.com: The security flaws, tracked as CVE-2025-26465 and CVE-2025-26466, can be used by an attacker to conduct an active machine-in-the-middle attack on the OpenSSH client when the VerifyHostKeyDNS option is enabled.
- SOC Prime Blog: CVE-2025-26465 & CVE-2025-26466 Vulnerabilities Expose Systems to Man-in-the-Middle and DoS Attacks
- Security Risk Advisors: OpenSSH Vulnerabilities Enable MITM Attacks and Denial-of-Service (CVE-2025-26465 & CVE-2025-26466)
@csoonline.com - 14d
A high-severity SQL injection vulnerability, identified as CVE-2025-1094, has been discovered in PostgreSQL's psql interactive tool. Rapid7 researchers found that threat actors exploited this zero-day flaw in conjunction with a BeyondTrust vulnerability (CVE-2024-12356) during targeted attacks in December 2024. Specifically, attackers who exploited a zero-day vulnerability in BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) products in December 2024 likely also exploited a previously unknown SQL injection flaw in PostgreSQL.
This vulnerability enables attackers to execute arbitrary SQL commands, potentially leading to OS command execution. The flaw stems from how PostgreSQL handles invalid UTF-8 characters, which allows attackers to inject malicious code via a shortcut command "\!". Rapid7 discovered that successful exploitation of the BeyondTrust vulnerability required exploiting CVE-2025-1094 to achieve remote code execution. Patches have been released for PostgreSQL versions 13 through 17 to address this issue, and users are advised to upgrade their database servers immediately.
References:
- The Register - Security: High-complexity bug unearthed by infoseccers, as Rapid7 probes exploit further. A high-severity SQL injection bug in the PostgreSQL interactive tool was exploited alongside the zero-day used to break into the US Treasury in December, researchers say.
- Caitlin Condon: CVE-2025-1094 is a SQL injection flaw in PostgreSQL's psql interactive tool that was discovered while analyzing BeyondTrust RS CVE-2024-12356. The bug is interesting — 🧵 on its relation to BeyondTrust exploitation
- securityaffairs.com: Threat actors are exploiting a zero-day SQL injection vulnerability in PostgreSQL, according to researchers from cybersecurity firm Rapid7.
- The Hacker News: Threat actors who were behind the exploitation of a zero-day vulnerability in BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) products in December 2024 likely also exploited a previously unknown SQL injection flaw in PostgreSQL, according to findings from Rapid7.
- www.csoonline.com: PostgreSQL patches SQLi vulnerability likely exploited in BeyondTrust attacks
- infosec.exchange: New vuln disclosure c/o : CVE-2025-1094 is a SQL injection flaw in PostgreSQL's psql interactive tool that was discovered while analyzing BeyondTrust RS CVE-2024-12356. The bug is interesting on its relation to BeyondTrust exploitation
- MSSP feed for Latest: New PostgreSQL Zero-Day Potentially Leveraged in BeyondTrust Attacks
- www.scworld.com: New PostgreSQL zero-day potentially leveraged in BeyondTrust attacks
- Talkback Resources: Rapid7 discovered a zero-day vulnerability in PostgreSQL's psql terminal (CVE-2025-1094) enabling SQL injection, exploited in attacks on BeyondTrust Remote Support systems, compromising US Treasury Department machines.
- Caitlin Condon: CVE-2025-1094 affects all supported versions of PostgreSQL
- Open Source Security: Hi, As announced on February 13 in: This vulnerability is related to BeyondTrust CVE-2024-12356: In Caitlin Condon's words in the thread above: The referenced Rapid7 blog post:
- www.postgresql.org: PostgreSQL security announcement about CVE-2025-1094.
- Open Source Security: Re: CVE-2025-1094: PostgreSQL: Quoting APIs miss neutralizing quoting syntax in text that fails encoding validation, enabling psql SQL injection
- securityonline.info: Metasploit-Ready: CVE-2025-1094 SQLi in PostgreSQL Exposes Systems to Remote Attacks
- Caitlin Condon: Infosec.exchange post linking to various resources related to CVE-2025-1094 in PostgreSQL.
- www.postgresql.org: PostgreSQL announcement about PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19 releases fixing CVE-2025-1094
@cyberscoop.com - 15d
The Chinese nation-state hacking group Salt Typhoon, despite facing US sanctions, continues to actively target telecommunications providers. Between December 2024 and January 2025, Recorded Future observed Salt Typhoon breaching five telecom firms, including a US-based affiliate of a UK telecom provider, a US internet service provider, and companies in Italy, South Africa, and Thailand. The group also performed reconnaissance on a Myanmar-based telecom provider.
Salt Typhoon exploited vulnerabilities in Cisco IOS XE software, specifically CVE-2023-20198 and CVE-2023-20273, to compromise unpatched Cisco devices. They attempted to compromise over 1,000 Cisco routers globally, focusing on those within telecom networks. Additionally, Salt Typhoon targeted universities, including the University of California and Utah Tech, potentially seeking access to research related to telecommunications and engineering.
References:
- cyberscoop.com: Salt Typhoon remains active, hits more telecom networks via Cisco routers
- The Register - Security: More victims of China's Salt Typhoon crew emerge: Telcos just now hit via Cisco bugs
- Carly Page: The China-backed Salt Typhoon group is still hacking telecommunications providers, despite government sanctions. Recorded Future says Salt Typhoon breached five firms between December and January, including a US affiliate of a prominent UK provider and a US-based ISP
- techcrunch.com: The China-backed Salt Typhoon group is still hacking telecommunications providers, despite government sanctions.
- www.wired.com: Wired's coverage of Salt Typhoon's ongoing hacking activities.
- Threats | CyberScoop: Salt Typhoon remains active, hits more telecom networks via Cisco routers
- cyberinsider.com: Chinese Hackers Breach Cisco Devices in Global Telecom Attacks
- securebulletin.com: RedMike (Salt Typhoon) continues global Telecom attacks
- CyberInsider: Chinese Hackers Breach Cisco Devices in Global Telecom Attacks
- Secure Bulletin: Report on RedMike's continued attacks on telecom providers.
- Talkback Resources: Salt Typhoon Targeting Old Cisco Vulnerabilities in Fresh Telecom Hacks [exp] [net]
- Talkback Resources: Chinese state-sponsored APT group Salt Typhoon targets telecommunications providers and universities by exploiting Cisco vulnerabilities, creating privileged accounts, bypassing firewalls, and exfiltrating data using GRE tunnels, prompting organizations to patch devices, enforce access controls, and monitor for unauthorized changes.
- Talkback Resources: Salt Typhoon Targeting Old Cisco Vulnerabilities in Fresh Telecom Hacks
- PCMag UK security: China's Salt Typhoon Spies Are Still Eavesdropping on Global Networks
- ciso2ciso.com: Salt Typhoon Targeting Old Cisco Vulnerabilities in Fresh Telecom Hacks
- ciso2ciso.com: Salt Typhoon Targeting Old Cisco Vulnerabilities in Fresh Telecom Hacks – Source: www.securityweek.com
- securityaffairs.com: China-linked APT Salt Typhoon breached telecoms by exploiting Cisco router flaws
- BleepingComputer: China's Salt Typhoon hackers are still actively targeting telecoms worldwide and have breached more U.S. telecommunications providers via unpatched Cisco IOS XE network devices.
- industrialcyber.co: Insikt Group details RedMike cyber espionage campaign on telecom providers using Cisco vulnerabilities
- securityonline.info: Cybersecurity researchers at Insikt Group have identified an ongoing cyber espionage campaign by RedMike (also tracked as Salt Typhoon).
- Industrial Cyber: Insikt Group details RedMike cyber espionage campaign on telecom providers using Cisco vulnerabilities
- SecureWorld News: Salt Typhoon Expands Espionage Campaign, Targets Cisco Routers
- Cisco Talos Blog: Weathering the storm: In the midst of a Typhoon
- cyberscoop.com: Cisco Talos observed the campaign targeting major U.S. telecommunication companies and observed the attackers primarily used legitimate login credentials to gain initial access, making detection and prevention difficult.
- cyberscoop.com: Salt Typhoon gained initial access to telecoms through Cisco devices
- securityaffairs.com: Salt Typhoon used custom malware JumbledPath to spy U.S. telecom providers
@csoonline.com - 14d
A zero-day vulnerability tracked as CVE-2025-1094 has been disclosed in the open-source database management system PostgreSQL. The SQL injection flaw sits in psql, PostgreSQL's interactive terminal, and was likely exploited together with a separate zero-day, CVE-2024-12356, in BeyondTrust Remote Support. Chained, the two vulnerabilities gave attackers remote code execution and full system compromise.
Rapid7 researchers found that the flaw stems from psql's handling of invalid UTF-8 byte sequences: quoting is not properly neutralized for such input, which lets an attacker inject SQL. The same chain was reportedly used in the attacks on the U.S. Treasury Department. PostgreSQL fixed the issue in versions 13.19, 14.16, 15.11, 16.7 and 17.3 and urges users of earlier releases to update immediately.
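As an added illustration (not Rapid7's proof of concept and not PostgreSQL or psql source code), the Python below models the class of bug the paragraph describes: a byte-oriented escaper that doubles quote characters, and a lexer that decides character length from UTF-8 lead bytes, disagree about where a string literal ends once the input is not valid UTF-8. The scanner is a simplified model, not psql's lexer, and both inputs are constructed samples; the hardening shown is the general check a practitioner wants regardless of the specific bug, namely rejecting anything that fails strict encoding validation before it is quoted.

```python
"""Encoding validation before quoting: a byte-level model of why an escaper and
the consumer that re-lexes its output must agree on character boundaries.

Added illustration only. This is not PostgreSQL, libpq or psql code, and the
scanner below is a deliberately simplified model, not psql's lexer.
"""


def naive_quote_literal(raw: bytes) -> bytes:
    """Byte-oriented escaper: doubles every 0x27 (') and wraps the value in
    quotes. It never looks at multibyte sequences, the weakness modelled here."""
    return b"'" + raw.replace(b"'", b"''") + b"'"


def utf8_lead_len(b: int) -> int:
    """Length a lenient UTF-8 lexer assigns to a character from its lead byte."""
    if b < 0x80:
        return 1
    if 0xC0 <= b < 0xE0:
        return 2
    if 0xE0 <= b < 0xF0:
        return 3
    if 0xF0 <= b < 0xF8:
        return 4
    return 1  # stray continuation or invalid byte: treat as a single byte


def lenient_literal_end(quoted: bytes) -> int:
    """Model of a consumer that trusts lead bytes: starting after the opening
    quote, skip whole 'characters' by lead-byte length and return the index of
    the byte that closes the literal. A doubled quote stays inside the literal.
    Returns -1 if the literal never terminates."""
    assert quoted[:1] == b"'"
    i, n = 1, len(quoted)
    while i < n:
        b = quoted[i]
        if b == 0x27:
            if i + 1 < n and quoted[i + 1] == 0x27:
                i += 2          # '' is an escaped quote, still inside the literal
                continue
            return i            # closing quote
        i += utf8_lead_len(b)   # a truncated lead byte swallows the next byte(s)
    return -1


def literal_is_intact(raw: bytes) -> bool:
    """True when escaper and lexer agree: the consumer sees the whole escaped
    value as one literal that ends at the final byte."""
    quoted = naive_quote_literal(raw)
    return lenient_literal_end(quoted) == len(quoted) - 1


def safe_quote_literal(raw: bytes) -> bytes:
    """Hardened escaper: refuse anything that is not strictly valid UTF-8 before
    quoting, so no lead byte can consume a quote that follows it."""
    try:
        raw.decode("utf-8", errors="strict")
    except UnicodeDecodeError as exc:
        raise ValueError(f"rejecting invalid UTF-8 input: {exc}") from None
    return naive_quote_literal(raw)


def rejects_invalid(raw: bytes) -> bool:
    """Helper for checks: does the hardened escaper refuse this input?"""
    try:
        safe_quote_literal(raw)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    benign = "O'Reilly café".encode("utf-8")           # constructed sample
    crafted = b"\xc0'; -- text after the quote"        # constructed: truncated lead byte then a quote
    print("benign literal intact:", literal_is_intact(benign))
    print("crafted literal intact:", literal_is_intact(crafted))
    print("hardened escaper rejects crafted input:", rejects_invalid(crafted))
```

In the crafted sample the escaper emits `'\xC0''...'`; the lenient scanner treats `\xC0` plus the first quote as one two-byte character, so the second quote closes the literal early and everything after it is read as new syntax. Validating the encoding first removes the disagreement instead of trying to out-guess the consumer.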
Recommended read:
References :
- The Hacker News: PostgreSQL Vulnerability Exploited Alongside BeyondTrust Zero-Day in Targeted Attacks
- www.csoonline.com: PostgreSQL patches SQLi vulnerability likely exploited in BeyondTrust attacks
- MSSP feed for Latest: New PostgreSQL Zero-Day Potentially Leveraged in BeyondTrust Attacks
- www.scworld.com: New PostgreSQL zero-day potentially leveraged in BeyondTrust attacks
- securityaffairs.com: Experts discovered PostgreSQL flaw chained with BeyondTrust zeroday in targeted attacks
- Talkback Resources: Rapid7 discovered a zero-day vulnerability in PostgreSQL's psql terminal (CVE-2025-1094) enabling SQL injection, exploited in attacks on BeyondTrust Remote Support systems, compromising US Treasury Department machines.
@Talkback Resources - 14d
Kimsuky, a North Korean advanced persistent threat operation also known as APT43, is actively targeting South Korean entities within the business, government, and cryptocurrency sectors. The hacking group employs a sophisticated attack campaign, named DEEP#DRIVE, that starts with spear-phishing emails designed to establish trust by spoofing a South Korean government official. These emails contain malicious PDF documents and links redirecting victims to websites hosting PowerShell code, ultimately leading to code execution on the targeted systems.
This campaign leverages tailored phishing lures written in Korean and disguised as legitimate documents, such as work logs, insurance documents, and crypto-related files. The attack chain heavily relies on PowerShell scripts for payload delivery, reconnaissance, and execution. Dropbox is utilized for payload distribution and data exfiltration, using OAuth token-based authentication for Dropbox API interactions, which allows for seamless exfiltration of data while bypassing traditional IP or domain blocklists. This makes the threat actors difficult to detect.
Recommended read:
References :
- Talkback Resources: North Korean APT43 Uses PowerShell and Dropbox in Targeted South Korea Cyberattacks
- The Hacker News: North Korean APT43 Uses PowerShell and Dropbox in Targeted South Korea Cyberattacks
- www.scworld.com: PowerShell exploited in new Kimsuky intrusions
- MSSP feed for Latest: PowerShell Exploited in New Kimsuky Intrusions
- MSSP feed for Latest: The Hacker News report on Kimsuky's ongoing attacks using PowerShell and Dropbox.
Juan Perez@Tenable Blog - 6d
The Ghost (Cring) ransomware group, known for exploiting vulnerabilities in software and firmware, remains a significant threat as of January 2025. A joint cybersecurity alert from the FBI, CISA, and other partners warns the global cyber defender community of increasing attacks from this financially motivated group. CISA issued a joint advisory on February 19, 2025, emphasizing the group's ongoing activity.
The Ghost (Cring) ransomware first appeared in early 2021 and has impacted organizations across more than 70 countries by compromising vulnerable, internet-facing services. Security measures such as patching known vulnerabilities and implementing basic infosec actions are crucial in defending against these attacks. The SOC Prime Platform has curated Sigma rules to help detect Ghost (Cring) ransomware activity.
Recommended read:
References :
- SecureWorld News: The FBI, CISA, and MS-ISAC have issued a joint cybersecurity advisory warning organizations about Ghost (Cring) ransomware, a sophisticated cyber threat that has been compromising critical infrastructure, businesses, and government entities worldwide.
- Tenable Blog: Rapid7 discusses Ghost Ransomware group targeting known Vulns.
- aboutdfir.com: The operators of Ghost ransomware continue to claim victims and score payments, but keeping the crooks at bay is possible by patching known vulnerabilities and some basic infosec actions.
- Resources-2: Picus Security provides Ghost (Cring) Ransomware Analysis, Simulation, and Mitigation.
- socprime.com: Ghost (Cring) Ransomware Detection: The FBI, CISA, and Partners Warn of Increasing China-Backed Group’s Attacks for Financial Gain
- SOC Prime Blog: The FBI, CISA, and partners have recently issued a joint cybersecurity alert warning the global cyber defender community of increasing Ghost (Cring) ransomware attacks aimed at financial gain.
- thecyberexpress.com: A Ghost ransomware group also referred to as Cring, has been actively exploiting vulnerabilities in software and firmware as recently as January 2025.
- Security Boulevard: [CISA AA25-050A] #StopRansomware: Ghost (Cring) Ransomware
- www.attackiq.com: [CISA AA25-050A] #StopRansomware: Ghost (Cring) Ransomware
- industrialcyber.co: CISA, FBI, MS-ISAC warn of Ghost ransomware
- aboutdfir.com: The operators of Ghost ransomware continue to claim victims and score payments, but keeping the crooks at bay is possible by patching known vulnerabilities and some basic infosec actions, according to a joint advisory issued Wednesday by the FBI and US Cybersecurity and
- securebulletin.com: Secure Bulletin provides an analysis of tactics, targets, and techniques used by Ghost Ransomware.
- Secure Bulletin: Securebulletin article on Ghost Ransomware
- The Register - Security: Ghost ransomware crew continues to haunt IT depts with scarily bad infosec
- cyble.com: FBI-CISA Ghost Ransomware Warning Shows Staying Power of Old Vulnerabilities
- aboutdfir.com: News article covering the joint advisory from CISA and the FBI on the Ghost/Cring ransomware.
@www.bleepingcomputer.com - 10d
JPMorgan Chase Bank will soon block Zelle payments that originate from social media platforms and messaging apps, aiming to combat a surge in online scams. This policy change, set to take effect on March 23rd, 2025, is a direct response to the increasing fraudulent activities exploiting peer-to-peer payment services. Chase emphasizes that Zelle is intended for transactions between trusted contacts like friends and family, not for payments to unfamiliar individuals encountered through social media.
The bank will decline or block payments identified as stemming from social media interactions. In addition, Chase may request further information from users when setting up payments or adding recipients, including the payment purpose and contact method. This move follows scrutiny from the Consumer Financial Protection Bureau (CFPB), which has criticized Zelle for its limited safeguards against fraud and scams, and a lawsuit filed in December by the CFPB.
Recommended read:
References :
- 9to5Mac: 9to5Mac article reporting that Zelle scams are leading Chase Bank to block payments to social media contacts.
- BleepingComputer: BleepingComputer article reporting that JPMorgan Chase Bank will soon start blocking Zelle payments to social media contacts to combat a significant rise in online scams.
- Techmeme: Techmeme article reporting Chase's plan to stop users from making Zelle payments originating from social media contacts.
- The Verge: The Verge article detailing Chase's decision to start blocking Zelle payments originating from social media.
info@thehackernews.com (The Hacker News)@The Hacker News - 16d
Ivanti has released critical security updates for Connect Secure (ICS), Policy Secure (IPS), and Secure Access Client (ISAC) to address multiple vulnerabilities. These include three critical severity problems that could allow remote code execution (RCE), posing a significant risk. The updates aim to patch flaws such as external control of a file name (CVE-2024-38657) and a stack-based buffer overflow (CVE-2025-22467), which can be exploited by authenticated attackers to execute arbitrary code and compromise system integrity.
The specific vulnerabilities addressed include CVE-2024-38657, which allows a remote authenticated attacker with admin privileges to write arbitrary files, and CVE-2025-22467, a stack-based buffer overflow that enables remote code execution. Also patched are CVE-2024-10644, a code injection vulnerability, and CVE-2024-47908, an operating system command injection flaw in the admin web console of Ivanti Cloud Services Application (CSA). Users are urged to update to Ivanti Connect Secure 22.7R2.6, Ivanti Policy Secure 22.7R1.3 and Ivanti CSA 5.0.5 as soon as possible. While Ivanti is not aware of active exploitation, the history of Ivanti appliances being weaponized makes prompt patching imperative.
Recommended read:
References :
- Vulnerability-Lookup: Security advisory for Ivanti Connect Secure, Policy Secure, and Secure Access Client (multiple CVEs).
- securityonline.info: Ivanti has disclosed multiple vulnerabilities affecting its Connect Secure, Policy Secure, and Secure Access Client products.
- The Hacker News: Ivanti Patches Critical Flaws in Connect Secure and Policy Secure – Update Now
- BleepingComputer: Ivanti has released security updates for Ivanti Connect Secure (ICS), Ivanti Policy Secure (IPS), and Ivanti Secure Access Client (ISAC) to address multiple vulnerabilities, including three critical severity problems.
- securityonline.info: CVE-2025-22467 (CVSS 9.9): Ivanti Connect Secure Vulnerability Allows Remote Code Execution
- www.bleepingcomputer.com: Ivanti has released security updates for Ivanti Connect Secure (ICS), Ivanti Policy Secure (IPS), and Ivanti Secure Access Client (ISAC) to address multiple vulnerabilities, including three critical severity problems.
- vulnerability.circl.lu: February Security Advisory Ivanti Connect Secure (ICS),Ivanti Policy Secure (IPS) and Ivanti Secure Access Client (ISAC) (Multiple CVEs), has been published on Vulnerability-Lookup
- research.kudelskisecurity.com: Ivanti ICS, IPS, ISAC, CSA: Multiple Vulnerabilities Disclosed and Patched
- bsky.app: Ivanti has released security updates for Ivanti Connect Secure (ICS), Ivanti Policy Secure (IPS), and Ivanti Secure Access Client (ISAC) to address multiple vulnerabilities, including three critical severity problems.
- socradar.io: Ivanti Security Update Addresses Severe Vulnerabilities in ICS, IPS, and ISAC (CVE-2025-22467, CVE-2024-38657, CVE-2024-10644)
- BleepingComputer: Ivanti has released security updates for Ivanti Connect Secure (ICS), Ivanti Policy Secure (IPS), and Ivanti Secure Access Client (ISAC) to address multiple vulnerabilities, including three critical severity problems
info@thehackernews.com (The Hacker News)@The Hacker News - 13d
SecurityScorecard has uncovered a stealthy malware campaign orchestrated by North Korea's Lazarus Group, dubbed "Marstech Mayhem." The campaign involves the deployment of an advanced malware implant named "marstech1," designed to target cryptocurrency wallets and infiltrate the software supply chain. The implant first emerged in late December 2024, spreading through open-source software via GitHub and NPM packages, putting unsuspecting developers and their projects at risk. The group has been injecting JavaScript implants into repositories, blending malicious code with legitimate code to avoid detection.
The marstech1 implant targets Exodus and Atomic cryptocurrency wallets on Linux, macOS, and Windows. Once installed, the malware scans systems for crypto wallets, attempting to steal sensitive information. SecurityScorecard confirmed at least 233 victims across the U.S., Europe, and Asia. According to SecurityScorecard’s analysis, the threat actors have established a command and control server hosted on Stark Industries LLC infrastructure. Ryan Sherstobitoff, SecurityScorecard’s SVP of threat research and intelligence, noted that the malware uses layered obfuscation techniques, highlighting the group's sophisticated approach to evading static and dynamic analysis.
Recommended read:
References :
- readwrite.com: Details of marstech1 implant used by Lazarus group in supply chain attacks.
- The Hacker News: Article describing Lazarus Group's attack campaign targeting developers using marstech1 implant.
- www.developer-tech.com: Report on Lazarus Group's use of marstech1 malware.
- ReadWrite: North Korea’s Lazarus Group spreads crypto-stealing malware through open-source software
- Developer Tech News: Lazarus Group infiltrates supply chain with stealthy malware
info@thehackernews.com (The Hacker News)@The Hacker News - 14d
The Winnti Group, a China-based threat actor also known as APT41, is actively targeting Japanese organizations within the manufacturing, materials, and energy sectors. Researchers at LAC's Cyber Emergency Center identified a new campaign dubbed "RevivalStone," which employs an advanced version of the Winnti malware. This updated malware exhibits enhanced capabilities and sophisticated evasion techniques, posing a significant threat to the targeted industries.
This RevivalStone campaign initiates by exploiting SQL injection vulnerabilities in web-facing Enterprise Resource Planning (ERP) systems. Attackers deploy web shells like China Chopper to gain initial access, enabling reconnaissance, credential harvesting, and lateral movement within targeted networks. The updated Winnti malware variant features AES and ChaCha20 encryption, device-specific decryption keys using IP and MAC addresses, a kernel-level rootkit for covert data exfiltration, and code obfuscation to evade endpoint detection and response (EDR) systems.
Recommended read:
References :
- www.lac.co.jp: Researchers from LAC's Cyber Emergency Center analyze the "RevivalStone" campaign operated by China-based threat group Winnti
- cyberpress.org: Winnti Hackers Target Japanese Organizations with Advanced Malware
- Talkback Resources: The content provides an in-depth analysis of the Winnti Group's activities, including the RevivalStone campaign, tools used such as WinntiWebShell and China Chopper, and techniques like AES encryption, Winnti RAT, and Winnti Rootkit, with a focus on detection and prevention strategies.
- Virus Bulletin: Researchers from LAC's Cyber ​​Emergency Center analyse the "RevivalStone" campaign operated by China-based threat group Winnti
- securityaffairs.com: SecurityAffairs: China-linked APT group Winnti targets Japanese organizations since March 2024
- The Hacker News: Winnti APT41 Targets Japanese Firms in RevivalStone Cyber Espionage Campaign
- Talkback Resources: China-linked APT group Winnti targeted Japanese organizations
- Talkback Resources: Winnti APT41 Targets Japanese Firms in RevivalStone Cyber Espionage Campaign
- www.scworld.com: Winnti attacks set sights on Japan
info@thehackernews.com (The Hacker News)@The Hacker News - 11d
Microsoft has uncovered a new variant of the XCSSET macOS malware, marking the first major revision since 2022. This latest version features enhanced obfuscation methods, updated persistence mechanisms, and new infection strategies. The malware is spread through infected Xcode projects, posing a significant risk to Apple developers.
The new XCSSET variant uses more randomized encoding methods, including Base64 in addition to xxd, and obfuscates module names to make analysis more difficult. The malware also employs a "dock method" where a fake Launchpad application is created, replacing the legitimate Launchpad's path in the dock, ensuring the malicious payload executes every time Launchpad is started. Microsoft advises users to inspect Xcode projects before using them and only install apps from trusted sources.
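The "dock method" described above leaves an artifact a defender can look for: a Dock tile labelled Launchpad whose bundle path is not the system Launchpad. The Python below is an added example, not Microsoft's or Apple's code and not XCSSET's. It assumes the Dock preference layout that `defaults read com.apple.dock persistent-apps` shows (each tile's `tile-data` carries a `file-label` and a `file-data` dictionary with a `_CFURLString`), and the sample plist it checks is constructed, including the hypothetical user-writable path, not captured from an infection.

```python
"""Flag Dock tiles that claim to be Launchpad but point somewhere else.

Added illustration, not Microsoft's, Apple's or XCSSET's code. The plist layout
assumed here (persistent-apps -> tile-data -> file-label / file-data -> _CFURLString)
mirrors what `defaults read com.apple.dock persistent-apps` prints.
"""
import os
import plistlib
from typing import List, Tuple
from urllib.parse import unquote

# Genuine Launchpad bundle locations: modern macOS first, then pre-Catalina.
GENUINE_LAUNCHPAD_PATHS = (
    "/System/Applications/Launchpad.app/",
    "/Applications/Launchpad.app/",
)


def _tile_path(file_data: dict) -> str:
    """Normalise _CFURLString (file:// URL or plain path) to a trailing-slash path."""
    url = file_data.get("_CFURLString", "")
    if url.startswith("file://"):
        url = url[len("file://"):]
    path = unquote(url)
    return path if path.endswith("/") else path + "/"


def find_suspicious_launchpad_tiles(plist_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (label, path) for every tile labelled Launchpad whose bundle path
    is not one of the genuine system locations."""
    dock = plistlib.loads(plist_bytes)
    findings = []
    for tile in dock.get("persistent-apps", []):
        data = tile.get("tile-data", {})
        if data.get("file-label", "") != "Launchpad":
            continue
        path = _tile_path(data.get("file-data", {}))
        if path not in GENUINE_LAUNCHPAD_PATHS:
            findings.append(("Launchpad", path))
    return findings


def constructed_sample_dock(tamper: bool) -> bytes:
    """Constructed sample Dock plist: a Safari tile and a Launchpad tile. With
    tamper=True the Launchpad tile points at a hypothetical user-writable path."""
    launchpad_url = ("file:///Users/dev/Library/Launchpad.app/" if tamper
                     else "file:///System/Applications/Launchpad.app/")
    dock = {"persistent-apps": [
        {"tile-data": {"file-label": "Safari",
                       "file-data": {"_CFURLString": "file:///Applications/Safari.app/",
                                     "_CFURLStringType": 15}}},
        {"tile-data": {"file-label": "Launchpad",
                       "file-data": {"_CFURLString": launchpad_url,
                                     "_CFURLStringType": 15}}},
    ]}
    return plistlib.dumps(dock)


if __name__ == "__main__":
    print("constructed clean dock:", find_suspicious_launchpad_tiles(constructed_sample_dock(False)))
    print("constructed tampered dock:", find_suspicious_launchpad_tiles(constructed_sample_dock(True)))
    # On a real Mac, check the live Dock preferences (binary plist; plistlib handles both forms).
    real = os.path.expanduser("~/Library/Preferences/com.apple.dock.plist")
    if os.path.exists(real):
        with open(real, "rb") as fh:
            print("this machine:", find_suspicious_launchpad_tiles(fh.read()))
```

A hit is not proof of XCSSET on its own, but a Launchpad tile resolving to a path under a user's home directory has no legitimate reason to exist and is worth pulling the bundle for analysis.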
Recommended read:
References :
- Talkback Resources: Talkback.sh article summarizing Microsoft's discovery of an advanced XCSSET malware variant for macOS.
- The Hacker News: The Hacker News article about Microsoft uncovering a new XCSSET macOS malware variant with advanced obfuscation tactics.
- www.bleepingcomputer.com: Microsoft spots XCSSET macOS malware variant used for crypto theft
- Help Net Security: The XCSSET info-stealing malware is back, targeting macOS users and devs
- securityonline.info: XCSSET Malware Returns with Enhanced Capabilities to Target macOS Users
- www.helpnetsecurity.com: The XCSSET info-stealing malware is back, targeting macOS users and devs
- ciso2ciso.com: Microsoft said it has discovered a new variant of a known Apple macOS malware called XCSSET as part of limited attacks in the wild (source: thehackernews.com).
- The Register: XCSSET macOS malware returns with first new version since 2022 Known for popping zero-days of yesteryear, Microsoft puts Apple devs on high alert Microsoft says there's a new variant of XCSSET on the prowl for Mac users – the first new iteration of the malware since 2022.…
- ciso2ciso.com: Microsoft Uncovers New XCSSET macOS Malware Variant with Advanced Obfuscation Tactics – Source:thehackernews.com
- go.theregister.com: XCSSET macOS malware returns with first new version since 2022 Known for popping zero-days of yesteryear, Microsoft puts Apple devs on high alert Microsoft says there's a new variant of XCSSET on the prowl for Mac users – the first new iteration of the malware since 2022.…
- BleepingComputer: Microsoft Uncovers New XCSSET macOS Malware Variant with Advanced Obfuscation Tactics
- securityaffairs.com: New XCSSET macOS malware variant used in limited attacks
@cyberinsider.com - 12d
Dutch Police have dismantled the ZServers/XHost bulletproof hosting operation, seizing 127 servers. The takedown follows a year-long investigation into the network, which has been used by cybercriminals to facilitate illegal activities. This includes the spread of malware, botnets, and various cyberattacks.
Earlier this week, authorities in the United States, Australia, and the United Kingdom announced sanctions against the same bulletproof hosting provider for its involvement in cybercrime operations. ZServers was accused of facilitating LockBit ransomware attacks and supporting the cybercriminals' efforts to launder illegally obtained money, according to The Record. The Cybercrime Team Amsterdam will conduct an additional probe of the servers, as the company advertised the possibility for customers to allow criminal acts from its servers while remaining anonymous to law enforcement.
Recommended read:
References :
- cyberinsider.com: Police Dismantle Bulletproof Hosting Provider ZServers/XHost
- gbhackers.com: Dutch Authorities Dismantle Network of 127 Command-and-Control Servers
- www.bleepingcomputer.com: The Dutch Police (Politie) dismantled the ZServers/XHost bulletproof hosting operation after taking offline 127 servers used by the illegal platform.
- www.scworld.com: Zservers/XHost servers dismantled by Dutch police
- Metacurity: Dutch cops dismantle ZServers bulletproof hosting operation
- BleepingComputer: The Dutch Police (Politie) dismantled the ZServers/XHost bulletproof hosting operation after taking offline 127 servers used by the illegal platform.
- CyberInsider: Police Dismantle Bulletproof Hosting Provider ZServers/XHost
- DataBreaches.Net: Dutch Police seizes 127 XHost servers, dismantles bulletproof hoster
- www.politie.nl: Amsterdam police dismantle digital criminal network; 127 servers taken offline - "an investigation of over a year, dismantled a bulletproof hoster on the Paul van Vlissingenstraat in Amsterdam. During the raid on February 12, 127 servers were taken offline and seized."
- Cybernews: After a year-long investigation, Amsterdam's Cybercrime Team shut down a bulletproof hosting provider, seizing 127 servers.
- securityaffairs.com: Dutch Police shut down bulletproof hosting provider Zservers and seized 127 servers
Jessica Lyons@The Register - Software - 15d
The FBI and CISA have jointly issued an advisory urging software developers to eliminate buffer overflow vulnerabilities, labeling them "unforgivable defects." These agencies highlighted the continued presence of such vulnerabilities in products from major vendors like Microsoft and VMware. The advisory emphasizes the need for developers to adopt secure-by-design practices and memory-safe programming languages to prevent these flaws.
The agencies pointed out several recent buffer overflow vulnerabilities, including those found in Microsoft's Hyper-V, Ivanti's Connect Secure, and VMware's vCenter. These vulnerabilities, if exploited, could lead to privilege escalation, remote code execution, and full system access. The advisory stresses that buffer overflows are avoidable by using updated coding practices and safe languages. They also call on manufacturers to implement compile-time and runtime protections, conduct thorough testing, and analyze the root cause of past vulnerabilities to prevent future occurrences.
Recommended read:
References :
- The Register - Software: Feds want devs to stop coding 'unforgivable' buffer overflow vulnerabilities
- Information Security Buzz: CISA and FBI warn of threats exploiting buffer overflow vulnerabilities.
- : CISA and FBI release a joint Secure by Design Alert on eliminating buffer overflow vulnerabilities.
- industrialcyber.co: CISA, FBI urge manufacturers to eliminate buffer overflow vulnerabilities with secure-by-design practices
- ciso2ciso.com: CISA, FBI call software with buffer overflow issues ‘unforgivable’ – Source: www.csoonline.com
- Talkback Resources: US govt wants developers to stop coding 'unforgivable' bugs [app] [exp]
- Tenable Blog: Cybersecurity Snapshot: CISA Calls for Stamping Out Buffer Overflow Vulnerabilities, as Europol Tells Banks To Prep For Quantum Threat
- cyble.com: FBI, CISA Urge Memory-Safe Practices for Software Development
- securityonline.info: Buffer Overflows Vulnerabilities: CISA & FBI Issue Urgent Warning
@cyberinsider.com - 14d
A new malware family, dubbed FinalDraft, has been discovered using Microsoft Outlook drafts for command-and-control (C2) communication. This covert method allows the malware to blend into typical Microsoft 365 traffic, making it harder to detect. The malware has been used in attacks against a ministry in a South American country and was identified by Elastic Security Labs during an investigation into the REF7707 intrusion set.
The FinalDraft toolkit includes a loader, named PathLoader, a backdoor, and multiple submodules. PathLoader is a lightweight Windows PE executable that downloads AES-encrypted shellcode from attacker-controlled infrastructure, decrypts it, and executes it in memory, avoiding static analysis through API hashing and obfuscation. FinalDraft itself is a 64-bit malware written in C++ focused on data exfiltration and process injection, exploiting Outlook's mail drafts as a C2 channel. The malware creates session draft emails, reads and deletes command request drafts generated by the attackers, executes commands, and writes responses as draft emails.
Recommended read:
References :
- cyberinsider.com: Elastic Security Labs has identified a new malware family named FinalDraft, that uses Microsoft’s Graph API to communicate through Outlook email drafts, allowing attackers to bypass traditional network monitoring.
- Virus Bulletin: infosec.exchange post on finaldraft
- The Hacker News: FINALDRAFT Malware Exploits Microsoft Graph API for Espionage on Windows and Linux
- BleepingComputer: A new malware called FinalDraft has been using Outlook email drafts for command-and-control communication in attacks against a ministry in a South American country.
- securityonline.info: SecurityOnline article detailing how FinalDraft malware uses Outlook drafts for covert communication.
- www.bleepingcomputer.com: BleepingComputer news article on FinalDraft malware abusing Outlook email drafts for command-and-control.
- securityonline.info: In a recent investigation into the REF7707 intrusion set, Elastic Security Labs has identified a new malware family.
- Anonymous: A new malware called FinalDraft has been using email drafts for command-and-control communication in attacks against a ministry in a South American country.
@ciso2ciso.com - 12d
The US Coast Guard is facing increasing pressure to bolster its cybersecurity defenses within the Maritime Transportation System (MTS). A recent Government Accountability Office (GAO) report highlights critical shortcomings in the Coast Guard's cybersecurity strategy, including a lack of comprehensive planning and unreliable access to vulnerability data. This leaves the MTS, which supports $5.4 trillion in annual economic activity and over 30 million jobs, vulnerable to attacks from foreign governments, transnational criminals, and hacktivists.
The GAO audit, conducted between December 2023 and December 2024, revealed that while the Coast Guard developed a cybersecurity strategy in 2021, it lacks key components such as clearly defined national security risks, measurable targets, and an implementation budget. The report also found that the Coast Guard's system for managing cybersecurity checks on facilities and vessels does not readily provide complete information about cybersecurity problems. The GAO has made five recommendations to the Coast Guard to address these vulnerabilities.
Recommended read:
References :
- ciso2ciso.com: Probe finds US Coast Guard has left maritime cybersecurity adrift
- The Register - Security: Probe finds US Coast Guard has left maritime cybersecurity adrift
- Graham Cluley: US Coast Guard Urged to Strengthen Cybersecurity Amid $2B Daily Port Risk
@techcrunch.com - 6d
Apple has ceased offering its Advanced Data Protection (ADP) feature for iCloud users in the United Kingdom. This decision follows a reported demand from the UK government for a backdoor that would grant authorities access to encrypted user data. ADP provided end-to-end encryption, ensuring that only the user could decrypt their data stored in iCloud. Apple confirmed that this security feature will no longer be available to new users, and existing UK users will eventually need to disable it.
Apple stated it was "gravely disappointed" that ADP protections would be unavailable in the UK, especially considering the increasing data breaches and threats to customer privacy. The company emphasized the growing need for enhanced cloud storage security with end-to-end encryption. This move highlights a conflict between government surveillance and user privacy, as security experts warn this demand could set a precedent for authoritarian countries. James Baker from Open Rights Group said, "The Home Office’s actions have deprived millions of Britons from accessing a security feature. As a result, British citizens will be at higher risk."
Recommended read:
References :
- techcrunch.com: Apple has disabled its iCloud Advanced Data Protection feature for UK users after government demands for a backdoor.
- securityaffairs.com: The article discusses Apple's decision to remove iCloud's Advanced Data Protection in the UK.
- www.bleepingcomputer.com: This article discusses Apple's decision to disable the iCloud end-to-end encryption feature in the UK due to government pressure.
- Deeplinks: The piece explains Apple's decision to disable the end-to-end encryption feature for iCloud in the UK due to the government demanding backdoor access.
Pierluigi Paganini@Security Affairs - 5d
Microsoft has issued updates for CVE-2025-24989, a high-severity improper access control vulnerability in its Power Pages platform that is already being exploited in the wild. Threat actors can use the flaw to escalate privileges within a targeted network and bypass user registration controls, gaining unauthorized access to sites.
Microsoft reports that CVE-2025-24989 affects only certain Power Pages customers and urges them to examine their websites for signs of compromise. The U.S. CISA has added the flaw to its Known Exploited Vulnerabilities catalog.
Recommended read:
References :
- securityaffairs.com: U.S. CISA adds Microsoft Power Pages flaw to its Known Exploited Vulnerabilities catalog
- socradar.io: Microsoft Patches Power Pages Zero-Day (CVE-2025-24989) & Recent PAN-OS Flaw (CVE-2025-0111) Joins CISA KEV
- www.scworld.com: Actively exploited Microsoft Power Pages flaw patched
- Report Boom: Microsoft has addressed a high-severity issue in Power Pages, CVE-2025-24989...
@www.bleepingcomputer.com - 19d
The North Korean hacking group Kimsuky has been observed using a custom-built RDP Wrapper and proxy tools in recent cyber espionage campaigns. According to reports from the AhnLab Security Intelligence Center (ASEC), these tools enable the group to directly access infected machines and maintain persistent access, representing a shift in tactics from relying solely on noisy backdoors like PebbleDash. The group also utilizes the forceCopy stealer malware.
Kimsuky's attack strategy typically begins with spear-phishing emails containing malicious shortcut (.LNK) files disguised as legitimate documents. When opened, these files execute PowerShell or Mshta scripts to download malware, including the custom RDP Wrapper. This wrapper is designed to bypass security measures by modifying export functions, making it difficult for security tools to detect. The group also uses keyloggers to capture user keystrokes and proxy malware to bypass network restrictions, facilitating remote access to compromised systems even within private networks.
Recommended read:
References :
- ciso2ciso.com: Kimsuky APT group used custom RDP Wrapper version and forceCopy stealer – Source: securityaffairs.com
- securityaffairs.com: Kimsuky APT group used custom RDP Wrapper version and forceCopy stealer.
- securityonline.info: Kimsuky Group Leverages RDP Wrapper for Persistent Cyber Espionage.
- www.bleepingcomputer.com: Kimsuky hackers use new custom RDP wrapper for remote access.
- www.microsoft.com: Microsoft details Kimsuky's new PowerShell-based attack tactic.
- www.scworld.com: PowerShell exploited in new Kimsuky intrusions
@www.ghacks.net - 19d
Recent security analyses have found that the iOS version of DeepSeek, a widely used AI chatbot developed by a Chinese company, transmits user data unencrypted to servers controlled by ByteDance. This exposes users to interception of that traffic on any network path and raises significant privacy concerns. The unencrypted data includes organization identifiers, software development kit versions, operating system versions, and user-selected languages. Apple's App Transport Security (ATS), which by default blocks cleartext HTTP connections from an app, has been disabled globally in the DeepSeek app, so nothing in the platform stops the cleartext transmission.
Security researchers at NowSecure recommend that organizations remove the DeepSeek iOS app from managed and personal devices to mitigate the privacy and security risks, noting that the Android version of the app behaves even less securely. Several U.S. lawmakers are advocating a ban on the DeepSeek app on government devices, citing concerns over potential data sharing with the Chinese government, mirroring previous actions against other Chinese-developed apps on national security grounds. New York State has already barred government employees from using the DeepSeek AI app amid these concerns.
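The global ATS switch the analysis describes is a single key in an app's Info.plist, which makes it cheap to check in a mobile app review or an MDM-side screen of installed apps. The script below is an added example, not NowSecure's tooling or DeepSeek's actual Info.plist: it parses three constructed plists (the weak global disable, a narrowly scoped exception for one legacy host, and a plist that leaves Apple's defaults alone) and reports every ATS key that loosens transport security. The bundle identifier com.example.chat and the host legacy.example.net are hypothetical.

```python
"""Audit an iOS Info.plist for App Transport Security (ATS) weakening.
Added example, not NowSecure's tooling; the three plists below are constructed
(bundle id com.example.chat and host legacy.example.net are hypothetical)."""
import plistlib

# Constructed: ATS disabled for every host, the configuration the report describes.
WEAK_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.chat</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
  </dict>
</dict>
</plist>
"""

# Constructed: ATS stays on; one legacy host gets a narrowly scoped HTTP exception.
SCOPED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.chat</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.example.net</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSIncludesSubdomains</key><false/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# Constructed: no ATS dictionary at all, so Apple's defaults (HTTPS, TLS 1.2+) apply.
STRICT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.chat</string>
</dict>
</plist>
"""


def audit_ats(plist_bytes):
    """Return a list of (severity, message) findings for ATS keys that
    loosen transport security. An empty list means ATS defaults are intact."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    findings = []

    if ats.get("NSAllowsArbitraryLoads"):
        findings.append(("HIGH", "NSAllowsArbitraryLoads=true disables ATS for every host"))
    if ats.get("NSAllowsArbitraryLoadsInWebContent"):
        findings.append(("MEDIUM", "ATS disabled for WKWebView content"))
    if ats.get("NSAllowsArbitraryLoadsForMedia"):
        findings.append(("MEDIUM", "ATS disabled for AVFoundation media loads"))
    if ats.get("NSAllowsLocalNetworking"):
        findings.append(("LOW", "cleartext allowed to local-network and unqualified hosts"))

    # Per-domain exceptions are legitimate when scoped to a single host; flag
    # what each one gives up so the reviewer can judge whether it is justified.
    for host, rules in ats.get("NSExceptionDomains", {}).items():
        scope = host + (" and its subdomains" if rules.get("NSIncludesSubdomains") else "")
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(("MEDIUM", f"cleartext HTTP permitted for {scope}"))
        if rules.get("NSExceptionMinimumTLSVersion", "TLSv1.2") in ("TLSv1.0", "TLSv1.1"):
            findings.append(("MEDIUM", f"TLS below 1.2 permitted for {scope}"))
        if rules.get("NSExceptionRequiresForwardSecrecy", True) is False:
            findings.append(("LOW", f"forward secrecy not required for {scope}"))
    return findings


if __name__ == "__main__":
    for name, blob in (("weak", WEAK_PLIST), ("scoped", SCOPED_PLIST), ("strict", STRICT_PLIST)):
        print(name, audit_ats(blob) or "no ATS weakening")
```

On a real device or IPA the Info.plist inside the .app bundle is usually binary; plistlib.loads handles both the XML and binary encodings, so the same function works on a file read with open(path, "rb").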
Recommended read:
References :
- cset.georgetown.edu: China’s ability to launch DeepSeek’s popular chatbot draws US government panel’s scrutiny
- PCMag Middle East ai: House Bill Proposes Ban on Using DeepSeek on Government-Issued Devices
- Information Security Buzz: Recent security analyses have found that the iOS version of DeepSeek transmits user data unencrypted.
- www.ghacks.net: Security analyses revealed unencrypted data transmission by DeepSeek's iOS app.
- iHLS: Article about New York State banning the DeepSeek AI app.
@www.cybersecurity-insiders.com - 3d
Orange Group has confirmed a data breach at its Romanian branch after a hacker known as "Rey," allegedly associated with the HellCat ransomware group, breached its systems. The breach exposed over 380,000 email addresses and other sensitive data belonging to customers, partners, and employees. The attacker claims to have stolen thousands of internal documents after infiltrating the company's infrastructure and demanded a ransom, which Orange refused to pay.
The leaked dataset is reported to include over 600,000 customer records, employee details, financial documents, and source code. While the breach did not affect Orange's core services, the company acknowledged that it revealed significant security gaps: the attacker reportedly had access to Orange's systems for over a month before exfiltrating the data. The incident follows a similar one reported by Orange Spain just last week, adding to concerns about data security in the telecom sector.
Recommended read:
References :
- Dataconomy: dataconomy.com on Orange Group data breach: Every step explained
- The420.in: the420.in on Orange Group Suffers Data Breach: Hacker Claims Theft of Thousands of Internal Documents
- www.cybersecurity-insiders.com: Orange Group, a telecom services provider based in France, has confirmed that one of its internal systems at its Romanian branch was breached by a cyber attacker identified as “Rey,� an individual reportedly associated with the HellCat ransomware group.
- bsky.app: French telecommunications and digital services provider Orange confirmed that a hacker breached their systems and stole company data that includes customer, partners, and employee information.
- CyberInsider: Confirmation of a data breach impacting the French telecommunications and digital service provider Orange Group, following the leak of internal documents, particularly those affecting Orange Romania.
@ExpressVPN Blog - 10d
ExpressVPN has announced a significant upgrade to its Lightway VPN protocol: the implementation has been rewritten from C into Rust to improve security and performance and to simplify future development. The company says Rust's memory safety removes whole classes of bugs, such as buffer overflows and use-after-free, that are common attack vectors in C code, while its safer concurrency model allows multicore processing that should translate into better throughput and battery life for users.
The Rust reimplementation of Lightway was reviewed in two independent security audits, by Cure53 and Praetorian. Both firms examined the new source code and reported positive results; a small number of issues were identified, none of them rated critical. As with any audit, the findings apply to the code reviewed at that point in time, but publishing two independent reports gives users a concrete basis for the company's claims of a faster, more secure and reliable VPN.
Recommended read:
References :
- CyberInsider: CyberInsider article on ExpressVPN rewriting its Lightway VPN protocol in Rust.
- PCWorld: PCWorld article about ExpressVPN's massive upgrade to Lightway protocol written in Rust.
- cyberinsider.com: ExpressVPN Rewrites Lightway VPN Protocol in Rust for Security
- www.expressvpn.com: Why ExpressVPN switched from C to Rust for Lightway’s code
- www.expressvpn.com: Lightway’s Rust rewrite undergoes two security audits, by Cure53 and Praetorian
Field Effect@Blog - 3d
The Australian government has banned Kaspersky Lab products and web services from all government systems, citing an "unacceptable security risk" stemming from potential foreign interference, espionage, and sabotage. Government entities must remove the software by April 1, 2025. The decision reflects concerns about Kaspersky's data collection practices and its possible exposure to foreign government influence, and follows a threat and risk analysis that concluded the software posed a significant threat to Australian Government networks and data.
The directive also encourages critical infrastructure providers and private users to reconsider their use of Kaspersky products in light of the identified risks. Although the directive does not name the foreign government in question, Kaspersky Lab is a Russian cybersecurity company, and the concern is its ties to the Russian state. Similar bans exist elsewhere; the United States removed Kaspersky products from federal systems in 2017. Exemptions may be granted for legitimate business reasons related to national security, subject to appropriate mitigations.
Recommended read:
References :
- BleepingComputer: The Australian government has banned all Kaspersky Lab products and web services from its systems and devices following an analysis that claims the company poses a significant security risk to the country.
- securityaffairs.com: Australia bans Kaspersky software over national security concerns, citing risks of foreign interference, espionage, and sabotage of government networks.
- Talkback Resources: The Australian Government has banned Kaspersky Lab products and web services from all government systems and devices due to security concerns related to potential foreign interference and espionage, effective April 1, 2025.
- Talkback Resources: Australia Bans Kaspersky Software Over National Security and Espionage Concerns [app]
- Blog: FieldEffect reports on the Australian government banning Kaspersky software.
Hatice Ozsahan@JumpCloud - 15d
JumpCloud has updated its SaaS management platform to simplify the discovery and blocking of unauthorized cloud software. The update is aimed at "shadow IT", the use of unsanctioned SaaS applications by employees, and gives IT teams the visibility to identify SaaS usage, reduce the associated security risk, and cut costs from redundant or unauthorized applications. Blocking unsanctioned applications also prevents sensitive data from being shared in ways that violate security and compliance policies.
Integration between JumpCloud's SaaS management platform and Resmo, which it acquired last year, has been tightened, strengthening the single sign-on (SSO) side of the product. The platform relies on a browser extension to observe which SaaS applications are in use and to block access to unapproved ones. JumpCloud says the update adds more automation and makes it simpler for organizations to spot redundant use of multiple SaaS applications, shrinking the attack surface an organization has to manage.
Recommended read:
References :
- techstrongitsm.com: JumpCloud enhances its SaaS management platform to gain greater visibility and control over SaaS applications.
- JumpCloud: JumpCloud's new capabilities streamline SaaS application management, allowing for easier discovery and blocking of rogue or unsanctioned software.
Pierluigi Paganini@Security Affairs - 3d
The Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, one in Adobe ColdFusion and one in Oracle Agile Product Lifecycle Management (PLM). CISA's advisory urges immediate remediation in light of active exploitation.
The two flaws are CVE-2017-3066, a Java deserialization vulnerability in the Apache BlazeDS library bundled with Adobe ColdFusion that Adobe patched in 2017, and CVE-2024-20953, a deserialization vulnerability in Oracle Agile PLM addressed in Oracle's January 2024 Critical Patch Update. Under Binding Operational Directive 22-01, federal civilian agencies must remediate both by March 17, 2025; for everyone else the catalog is a strong prioritization signal. Active exploitation attempts have been reported, so the practical step is to apply the vendor updates now and, for the eight-year-old ColdFusion flaw in particular, to hunt for forgotten instances that were never patched.
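The KEV catalog is published as JSON, so the check described above can be automated: match your asset inventory against the catalog entries and compute how many days remain before each due date. The script below is an added example, not CISA tooling. KEV_SAMPLE is a constructed two-entry excerpt that follows the catalog's field names (cveID, vendorProject, product, dueDate and so on), and INVENTORY is a hypothetical CMDB extract.

```python
"""Cross-check an asset inventory against CISA KEV entries and report due dates.
Added example, not CISA tooling. KEV_SAMPLE is a constructed two-entry excerpt
that follows the catalog's JSON field names; INVENTORY is hypothetical."""
import json
import re
from datetime import date

KEV_SAMPLE = json.loads("""
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed excerpt)",
  "vulnerabilities": [
    {
      "cveID": "CVE-2017-3066",
      "vendorProject": "Adobe",
      "product": "ColdFusion",
      "vulnerabilityName": "Adobe ColdFusion Deserialization Vulnerability",
      "dateAdded": "2025-02-24",
      "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
      "dueDate": "2025-03-17",
      "knownRansomwareCampaignUse": "Unknown"
    },
    {
      "cveID": "CVE-2024-20953",
      "vendorProject": "Oracle",
      "product": "Agile Product Lifecycle Management (PLM)",
      "vulnerabilityName": "Oracle Agile Product Lifecycle Management (PLM) Deserialization Vulnerability",
      "dateAdded": "2025-02-24",
      "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
      "dueDate": "2025-03-17",
      "knownRansomwareCampaignUse": "Unknown"
    }
  ]
}
""")

# Hypothetical inventory: vendor/product strings as a CMDB might record them.
INVENTORY = [
    {"host": "cf-app-01", "vendor": "Adobe", "product": "ColdFusion"},
    {"host": "plm-01", "vendor": "Oracle", "product": "Agile PLM"},
    {"host": "web-02", "vendor": "Apache", "product": "HTTP Server"},
]


def _tokens(text):
    """Lower-case alphanumeric tokens, so 'Agile PLM' matches the longer KEV name."""
    return set(re.findall(r"[a-z0-9]+", text.lower()))


def match_kev(catalog, inventory, today):
    """Return one hit per (asset, KEV entry) pair whose vendor and product
    tokens are all present in the catalog entry, with days left until the
    BOD 22-01 due date (negative means overdue), soonest first."""
    hits = []
    for asset in inventory:
        for vuln in catalog["vulnerabilities"]:
            if not (_tokens(asset["vendor"]) <= _tokens(vuln["vendorProject"])
                    and _tokens(asset["product"]) <= _tokens(vuln["product"])):
                continue
            days_left = (date.fromisoformat(vuln["dueDate"]) - today).days
            hits.append({
                "host": asset["host"],
                "cveID": vuln["cveID"],
                "dueDate": vuln["dueDate"],
                "daysLeft": days_left,
                "status": "OVERDUE" if days_left < 0 else "DUE",
            })
    return sorted(hits, key=lambda h: (h["daysLeft"], h["host"]))


if __name__ == "__main__":
    for hit in match_kev(KEV_SAMPLE, INVENTORY, date.today()):
        print(f'{hit["host"]:10} {hit["cveID"]:15} {hit["status"]:8} '
              f'due {hit["dueDate"]} ({hit["daysLeft"]:+d} days)')
```

To run it against the live catalog, load https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json with json.load in place of KEV_SAMPLE. The token match is deliberately loose (it does not consider versions), so every hit is a candidate to verify against the vendor advisory, not a confirmed vulnerable host.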
Recommended read:
References :
- Talkback Resources: Two Actively Exploited Security Flaws in Adobe and Oracle Products Flagged by CISA [exp] [net]
- thecyberexpress.com: CISA Warns of Actively Exploited Adobe ColdFusion and Oracle Agile PLM Vulnerabilities
- cyble.com: Overview The Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog.
@techcrunch.com - 9d
New York-based venture capital and private equity firm Insight Partners has disclosed a security breach of its systems. The firm, which manages over $90 billion in regulatory assets and has invested in more than 800 software and technology startups globally over the past 30 years, said the incident occurred in January. It involved unauthorized access to the firm's information systems following what Insight describes as "a sophisticated social engineering attack."
Insight Partners confirmed that the intrusion took place on January 16, 2025. The firm has notified law enforcement in the relevant jurisdictions and engaged third-party cybersecurity experts to investigate the full scope and impact of the breach. The investigation is ongoing to determine the extent of data exposure and to put measures in place against a repeat.
Recommended read:
References :
- cyberinsider.com: Insight Partners Investigates Data Breach Following Cyberattack
- BleepingComputer: New York-based venture capital firm Insight Partners has disclosed that its systems were breached
- techcrunch.com: VC giant Insight Partners confirms a January cyberattack
- CyberInsider: Insight Partners Investigates Data Breach Following Cyberattack
- securityaffairs.com: Venture capital firm Insight Partners discloses security breach
- www.bleepingcomputer.com: Insight Partners hit by cyberattack
- Carly Page: US-based VC giant Insight Partners has confirmed that hackers breached its systems in January.
- aboutdfir.com: Insight Partners confirms cyberattack in January 2025, with unauthorized access to information systems.
@www.verdict.co.uk - 15d
OpenAI is changing course by integrating its o3 technology into a larger system rather than releasing it as a standalone AI model. CEO Sam Altman announced the change, stating that GPT-5 will be a comprehensive system incorporating o3, with the goal of simplifying OpenAI's product line-up. The decision follows the testing of the advanced reasoning models o3 and o3-mini, which were designed to tackle more complex tasks.
Altman emphasized the desire to make AI "just work" for users, acknowledging that the current model selection process is confusing. He said he dislikes the "model picker" and wants to return to "magic unified intelligence": the company plans to unify its models so that users no longer have to choose which GPT model to use.
The same strategy covers the upcoming GPT-4.5, which Altman describes as the company's last non-chain-of-thought model. A key goal is an AI system that can use all available tools and adapt how long it reasons to the task at hand. GPT-5 will be available on the free tier of ChatGPT at a standard intelligence level, while paid subscriptions will get a higher intelligence level that incorporates voice, search, and deep research capabilities.
Recommended read:
References :
- www.verdict.co.uk: The Microsoft-backed AI company plans not to release o3 as an independent AI model.
- sherwood.news: This article discusses OpenAI's 50 rules for AI model responses, emphasizing the loosening of restrictions and potential influence from the anti-DEI movement.
- thezvi.substack.com: This article explores the controversial decision by OpenAI to loosen restrictions on its AI models.
- thezvi.wordpress.com: This article details three recent events involving OpenAI, including the release of its 50 rules and the potential impact of the anti-DEI movement.
- www.artificialintelligence-news.com: This blog post critically examines OpenAI's new AI model response rules.