CyberSecurity news
FlagThis
|
@cyberalerts.io
//
Fortinet has issued an urgent advisory, warning customers of a new technique employed by attackers to maintain unauthorized, read-only access to FortiGate devices even after the original vulnerabilities are patched. Attackers are exploiting known FortiGate flaws such as CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762. They achieve persistent access by inserting a symbolic link (symlink) that connects the user file system to the root file system.
This symlink is placed in a directory tied to the SSL-VPN language file function, allowing the attackers to bypass FortiGate patches. Despite the fact that the original vulnerabilities have been addressed, the symlink remains active, granting continuous visibility into device configurations. Devices with SSL-VPN functionality disabled are not affected. The read-only access ensures attackers cannot make direct changes, but they can still expose sensitive data. To combat this threat, Fortinet has released targeted updates across FortiOS versions that automatically remove the symlink through antivirus detection. Changes to the SSL-VPN interface are also implemented to prevent similar abuses. Customers are strongly advised to upgrade to the latest FortiOS versions and thoroughly inspect and recover configurations, treating existing ones as potentially compromised. Security agencies have noted that related compromises may date back to early 2023, emphasizing the need for continuous monitoring, robust patch management, and proactive threat hunting. Recommended read:
References :
info@thehackernews.com (The@The Hacker News
//
The cybersecurity world is on edge as MITRE, the organization behind the Common Vulnerabilities and Exposures (CVE) program, faces a potential shutdown of the program due to expiring funding from the Department of Homeland Security (DHS). The CVE program is a cornerstone of global vulnerability management, providing a standardized system for identifying and tracking software flaws. This system allows companies, governments, and researchers to share information and coordinate their efforts to address cybersecurity risks.
A lapse in funding for the CVE program would have dire consequences for the cybersecurity landscape. Without a universal framework for tracking software flaws, coordinated disclosures across vendors and governments would become significantly more challenging. This breakdown in coordination would create chaos and uncertainty in vulnerability management, making it harder for organizations to protect themselves against cyberattacks. The potential shutdown of the CVE program is not just a tech industry issue, but a matter of national security. According to Gary Miliefsky, publisher of Cyber Defense Magazine and a former advisory board member to the CVE/OVAL initiatives, MITRE has confirmed that funding for the CVE and CWE programs will expire on April 16, 2025. While historical CVE records will remain accessible on GitHub, active development, modernization, and oversight of the CVE and CWE systems are now at risk. MITRE has expressed its commitment to CVE as a global resource, but without adequate funding, the future of this essential cybersecurity tool remains uncertain. Recommended read:
References :
Pierluigi Paganini@Security Affairs
//
The Russia-linked cyber espionage group Shuckworm, also known as Gamaredon or Armageddon, is actively targeting a Western country's military mission based in Ukraine. The campaign, which began in February 2025 and continued through March, involves the deployment of an updated, PowerShell-based version of its GammaSteel infostealer malware. This latest wave of activity underscores Shuckworm's persistent focus on Ukrainian targets, with the group believed to be operating on behalf of Russia's Federal Security Service (FSB). They have historically concentrated their efforts on government, military, and law enforcement targets in Ukraine.
The initial infection vector in this campaign appears to be infected removable drives. Evidence from the Windows Registry's UserAssist key suggests that the infection was triggered from such an external drive. The attack chain is multi-staged and designed to minimize detection. It involves the execution of obfuscated VBScript and PowerShell scripts stored in the registry. This shift towards PowerShell-based tools allows Shuckworm to improve obfuscation and store scripts directly within the Windows Registry, making file-based detection more challenging. GammaSteel, the malware deployed in this campaign, now has enhanced reconnaissance features. It is capable of capturing screenshots, gathering system information, and enumerating desktop contents and user documents. The malware targets specific file types such as documents, spreadsheets, and PDFs. Shuckworm's exfiltration methods have also become more sophisticated, utilizing PowerShell web requests or cURL with Tor proxies to extract sensitive data stealthily. This campaign demonstrates an increase in sophistication for Shuckworm, with the group leveraging legitimate web services to lower the risk of detection. Recommended read:
References :
ross.kelly@futurenet.com (Ross@Latest from ITPro
//
Hertz Corporation has announced a data breach affecting customers of its Hertz, Thrifty, and Dollar car rental brands. The breach stems from the exploitation of Cleo zero-day vulnerabilities in late 2024. Customer data, including personal information and driver's licenses, was stolen. The company confirmed the breach on February 10, 2025, stating that an unauthorized third party acquired Hertz data by exploiting vulnerabilities within Cleo's platform in October and December 2024.
The stolen data varies depending on the region, but generally includes customer names, dates of birth, contact information, driver's licenses, payment card information, and workers' compensation claims. In some instances, Social Security numbers and other government-issued identification numbers were also compromised. Notices about the breach have been posted on Hertz websites for customers in Australia, Canada, the European Union, New Zealand, the United Kingdom, and several U.S. states, including California, Maine, and Texas. Hertz has disclosed that at least 3,400 customers in Maine and some 96,665 customers in Texas were affected. The company attributed the breach to vulnerabilities in Cleo's software, which was targeted by the Clop ransomware gang in 2024. This breach highlights the significant cybersecurity risks associated with third-party vendors and the potential for mass data theft. It is another example of the widespread consequences that can occur from zero-day exploits in widely used enterprise file transfer products. Those affected have been advised to take precautions to protect their personal and financial information. Recommended read:
References :
@www.wsj.com
//
China has reportedly acknowledged its role in cyberattacks against U.S. critical infrastructure, specifically those attributed to the Volt Typhoon campaign. This admission occurred during a secret meeting with U.S. officials in December, according to SecurityWeek. U.S. officials noted that Volt Typhoon's actions, which involved infiltrating various industries' systems through zero-day exploits and other advanced tactics, were an attempt to deter U.S. support for Taiwan. Furthermore, cyberespionage by the Chinese state-backed Salt Typhoon group against U.S. telecommunications firms was also discussed, revealing the compromise of U.S. officials' communications.
These attacks are part of a broader pattern of Chinese state-backed hackers increasing their activity against infrastructure in the U.S., Europe, and the Asia-Pacific region. Recent intelligence indicates groups like Volt Typhoon and Salt Typhoon have infiltrated power grids, telecommunications networks, and transportation systems. Their apparent goal is to preposition for potential wartime disruption or coercive retaliation during periods of geopolitical tension. This approach involves installing dormant "logic bombs" designed to be triggered during a conflict or crisis, maintaining persistent access while minimizing detection risk. The intensified cyber activities are viewed as a component of China's cyber-enabled irregular warfare strategy. Recent incidents include a power grid failure in Taiwan linked to a Volt Typhoon logic bomb, along with similar occurrences reported in European infrastructure. The attacks' sophistication lies in their "Living Off the Land" techniques, blending state-sponsored hacking with proxy groups and disinformation to achieve strategic objectives without triggering conventional military responses. Such actions, as analyzed by IT security professional Simone Kraus, raise concerns due to their potential for devastating real-world consequences if critical infrastructure is compromised. Recommended read:
References :
@cyberpress.org
//
Russian state-sponsored espionage group Midnight Blizzard, also known as APT29 or Cozy Bear, is conducting a spear-phishing campaign targeting European diplomatic organizations. Check Point Research has been observing this sophisticated operation, which began in January 2025 and employs advanced techniques to target government officials and diplomats across Europe. The threat actors are impersonating a major European foreign affairs ministry to send deceptive emails inviting targets to wine-tasting events. This campaign, leveraging custom malware, aims to compromise diplomatic entities, including embassies of non-European countries.
The campaign introduces a previously unseen malware loader called GrapeLoader, along with a new variant of the Wineloader backdoor. The phishing emails, sent from domains like 'bakenhof[.]com' or 'silry[.]com,' contain malicious links that, under specific conditions, initiate the download of a ZIP archive named 'wine.zip'. If the targeting conditions are not met, victims are redirected to the legitimate website of the impersonated ministry, reducing suspicion. This mirrors a previous Wineloader campaign, indicating a continued focus on European diplomacy by APT29. Once executed via DLL sideloading, GrapeLoader collects host information, establishes persistence by modifying the Windows Registry, and contacts a command-and-control server. The use of in-memory execution is an advanced evasion technique to complicate detection. The objective of the campaign is likely espionage, given APT29's history of targeting high-profile organizations, including government agencies and think tanks, and its association with the SolarWinds supply chain attack. Recommended read:
References :
Pierluigi Paganini@securityaffairs.com
//
A newly discovered remote access trojan (RAT) called ResolverRAT is actively targeting healthcare and pharmaceutical organizations worldwide. Security researchers at Morphisec have identified this sophisticated malware as a new threat, noting its advanced in-memory execution, API and resource resolution at runtime, and layered evasion techniques. ResolverRAT is designed for stealth and resilience, making static and behavioral analysis significantly more difficult. The malware has been observed in attacks as recently as March 10, indicating an ongoing campaign.
ResolverRAT spreads through meticulously crafted phishing emails, often employing fear-based lures to pressure recipients into clicking malicious links. These emails are localized, using languages spoken in targeted countries, including Hindi, Italian, Czech, Turkish, Portuguese, and Indonesian. The content often revolves around legal investigations or copyright violations to induce a sense of urgency. The infection chain initiates through DLL side-loading, with a legitimate executable used to inject ResolverRAT into memory, a technique previously observed in Rhadamanthys malware attacks. Once deployed, ResolverRAT utilizes a multi-stage bootstrapping process engineered for stealth. The malware employs encryption and compression and exists only in memory after decryption to prevent static analysis. It also incorporates redundant persistence methods via the Windows Registry and file system. Furthermore, ResolverRAT uses a bespoke certificate-based authentication to communicate with its command-and-control (C2) server, bypassing machine root authorities and implementing an IP rotation system to connect to alternate C2 servers if necessary. These advanced C2 infrastructure capabilities indicate a sophisticated threat actor combining secure communications and fallback mechanisms. Recommended read:
References :
@securityonline.info
//
A critical security vulnerability, identified as CVE-2025-3102, has been discovered in the SureTriggers WordPress plugin, a widely used automation tool active on over 100,000 websites. The flaw allows attackers to bypass authentication and create administrator accounts, potentially leading to complete site takeover. Security researchers disclosed that the vulnerability stems from a missing empty value check in the plugin's `authenticate_user()` function, specifically affecting versions up to 1.0.78.
This vulnerability is particularly dangerous when the SureTriggers plugin is installed but not yet configured with a valid API key. In this state, an attacker can send requests with a blank secret key, tricking the plugin into granting access to sensitive REST API functions, including the ability to create new admin accounts. Exploiting this flaw could enable malicious actors to upload malicious themes or plugins, inject spam, redirect site visitors, and establish persistent backdoors, ultimately gaining full control of the affected WordPress site. WordPress site owners are strongly urged to immediately update to SureTriggers version 1.0.79, which includes a patch for the vulnerability. Users should also review their WordPress user lists for any unfamiliar administrator accounts and ensure that all API-driven plugins have their keys properly configured and stored securely. Within hours of the public disclosure, hackers began actively exploiting the flaw, creating bogus administrator accounts. The attack attempts have originated from two different IP addresses - 2a01:e5c0:3167::2 (IPv6) 89.169.15.201 (IPv4). Recommended read:
References :
@learn.microsoft.com
//
Microsoft is alerting IT administrators to a significant issue affecting Windows Server 2025 domain controllers (DCs). After a restart, these DCs may experience a loss of network connectivity due to the servers loading the standard firewall profile instead of the domain firewall profile. This problem can render the domain controllers inaccessible on the network, disrupting Active Directory (AD) environments and potentially causing applications and services running on those servers or remote devices to fail or remain unreachable. The issue primarily impacts systems running the Active Directory Domain Services role on Windows Server 2025, with no client systems or earlier server versions affected.
This problem arises from the domain controllers failing to apply the correct network profile after a reboot, instead defaulting to a "Public" or standard firewall profile rather than the required "Domain Authenticated" profile. This misconfiguration can lead to ports and protocols that should be restricted by the domain firewall profile remaining open, posing potential security risks. Essential AD functions like Group Policy application, replication, and authentication are also disrupted, further compounding the problem for organizations relying on Active Directory for network management. While Microsoft is actively working on a permanent fix for this issue, which is expected to be included in a future update, they have provided a temporary workaround for affected systems. Administrators can manually restart the network adapter on the affected servers using PowerShell with the command 'Restart-NetAdapter *'. However, because the issue reoccurs after each system restart, this workaround must be applied repeatedly. To streamline this process, Microsoft suggests creating a scheduled task that automatically restarts the network adapter each time the domain controller reboots. Recommended read:
References :
Dissent@DataBreaches.Net
//
China has accused the United States National Security Agency (NSA) of launching "advanced" cyberattacks during the Asian Winter Games in February 2025, targeting essential industries. Police in the northeastern city of Harbin have placed three alleged NSA agents on a wanted list, accusing them of attacking the Winter Games' event information system and key information infrastructure in Heilongjiang province, where Harbin is located. The named NSA agents are Katheryn A. Wilson, Robert J. Snelling, and Stephen W. Johnson, all allegedly members of the NSA's Tailored Access Operations (TAO) offensive cyber unit.
China Daily reports the TAO targeted systems used for registration, timekeeping, and competition entry at the Games, systems which store "vast amounts of sensitive personal data." The publication also stated the TAO appeared to be trying to implant backdoors and used multiple front organizations to purchase servers in Europe and Asia to conceal its tracks and acquire the tools used to breach Chinese systems. A joint report from China's computer emergency response centers (CERTs) stated that over 270,000 attacks on the Asian Winter Games were detected, with 170,000 allegedly launched by the US. Chinese foreign ministry spokesperson Lin Jian condemned the alleged cyber activity, urging the U.S. to take a responsible attitude on cybersecurity issues and stop any attacks and "groundless vilification against China." Xinhua reported the agents repeatedly carried out cyber attacks on China’s critical information infrastructure and participated in cyber attacks on Huawei and other enterprises. Chinese law enforcement agencies are seeking information that could lead to the arrest of the three NSA operatives, though rewards were not disclosed. Recommended read:
References :
@www.csoonline.com
//
A new cyber threat called "slopsquatting" is emerging, exploiting AI-generated code and posing a risk to software supply chains. Researchers have discovered that AI code generation tools, particularly Large Language Models (LLMs), often "hallucinate" non-existent software packages or dependencies. Attackers can capitalize on this by registering these hallucinated package names and uploading malicious code to public repositories like PyPI or npm. When developers use AI code assistants that suggest these non-existent packages, the system may inadvertently download and execute the attacker's malicious code, leading to a supply chain compromise.
This vulnerability arises because popular programming languages rely heavily on centralized package repositories and open-source software. The combination of this reliance with the increasing use of AI code-generating tools creates a novel attack vector. A study analyzing 16 code generation AI models found that nearly 20% of the recommended packages were non-existent. When the same prompts were repeated, a significant portion of the hallucinated packages were repeatedly suggested, making the attack vector more viable for malicious actors. This repeatability suggests that the hallucinations are not simply random errors but a persistent phenomenon, increasing the potential for exploitation. Security experts warn that slopsquatting represents a form of typosquatting, where variations or misspellings of common terms are used to deceive users. To mitigate this threat, developers should exercise caution when using AI-generated code and verify the existence and integrity of all suggested packages. Organizations should also implement robust security measures to detect and prevent the installation of malicious packages from public repositories. As AI code generation tools become more prevalent, it is crucial to address this new vulnerability to protect the software supply chain from potential attacks. Recommended read:
References :
@unit42.paloaltonetworks.com
//
North Korean state-sponsored group Slow Pisces, also known as Jade Sleet, TraderTraitor, and PUKCHONG, is actively targeting cryptocurrency developers through social engineering campaigns on LinkedIn. Security researchers at Palo Alto Networks have uncovered a scheme where the group poses as potential employers, enticing developers with coding challenges that are actually malware delivery mechanisms. The malicious activity is suspected to be connected to the massive Bybit hack that occurred in February 2025.
The attackers send what appear to be legitimate coding assignments to the developers, but these challenges contain malware disguised within compromised projects. When the developers run these projects, their systems become infected with new customized Python malware dubbed RN Loader and RN Stealer. RN Loader collects basic information about the victim's machine and operating system, sending it to a remote server, while RN Stealer is designed to harvest sensitive data from infected Apple macOS systems, including system metadata and installed applications. GitHub and LinkedIn have taken action to remove the malicious accounts used by Slow Pisces. Both companies affirm that they use automated technology, expert teams, and user reporting to combat malicious actors. Palo Alto Networks customers are protected through their Next-Generation Firewall with Advanced URL Filtering and Advanced DNS Security subscriptions. They urge those who suspect they might be compromised to contact the Unit 42 Incident Response team. Recommended read:
References :
info@thehackernews.com (The@The Hacker News
//
A critical security vulnerability, CVE-2025-24859, has been discovered in Apache Roller, a widely used Java-based blogging platform. The flaw, which carries a CVSS score of 10.0, affects all versions from 1.0.0 up to and including 6.1.4. This vulnerability allows malicious actors to retain unauthorized access to blog sites even after a password change.
The core of the issue lies in insufficient session expiration. When a user or administrator changes a password, Apache Roller versions before 6.1.5 do not properly invalidate existing sessions. Consequently, any session tokens or cookies issued before the password change remain valid, creating a significant security risk. An attacker who has compromised a user’s credentials can maintain access to the application through the old session, effectively bypassing the intended protection of a password change. Administrators and users of Apache Roller are strongly advised to upgrade to version 6.1.5 or later. This update implements centralized session management, ensuring that all active sessions are terminated immediately upon password changes or user deactivation. In related news, a critical vulnerability in Gladinet CentreStack also affects its Triofox remote access solution, leading to multiple organizations being compromised. Recommended read:
References :
@securityonline.info
//
A critical security vulnerability has been discovered in Apache Roller, a Java-based blogging server software. The flaw, identified as CVE-2025-24859 and carrying a maximum severity CVSS score of 10.0, allows attackers to retain unauthorized access even after a user changes their password. This session management issue affects Apache Roller versions up to and including 6.1.4, potentially exposing blogs to unauthorized actions and undermining the security measures intended by password changes.
The vulnerability stems from the failure to properly invalidate active user sessions when a password is changed, either by the user or an administrator. This means that an attacker who has compromised a user's credentials could maintain continued access through an old session, even after the user has taken steps to secure their account by changing their password. This poses a significant risk, as it could enable unauthorized individuals to access and manipulate blog content, potentially leading to data breaches or other malicious activities. To address this critical flaw, Apache Roller version 6.1.5 has been released with a fix that implements centralized session management. This ensures that all active sessions are invalidated when passwords are changed or users are disabled, effectively preventing attackers from maintaining unauthorized access. Users of Apache Roller are strongly advised to upgrade to version 6.1.5 as soon as possible to mitigate the risk of exploitation and safeguard their blog sites from potential security breaches. The vulnerability was discovered and reported by security researcher Haining Meng. Recommended read:
References :
@www.bleepingcomputer.com
//
Microsoft Blocks ActiveX by Default for Security - Microsoft is blocking ActiveX controls by default in Microsoft 365 and Office 2024 to improve security by preventing remote code execution vulnerabilities.
ImgSrc: www.bleepstatic
Microsoft is set to block ActiveX controls by default in the Windows versions of Microsoft 365 Apps and Office 2024. This move, announced in April 2025, aims to enhance security by addressing vulnerabilities associated with the legacy software framework. ActiveX controls, introduced in 1996, enabled developers to create interactive objects embedded in Office documents. However, over time, these controls have become a significant point of entry for cybercriminals, similar to macros in Excel, with examples such as the propagation of the TrickBot malware through ActiveX.
Microsoft's decision to disable ActiveX controls by default is part of a broader effort to bolster the security of its products. Since 2018, the company has implemented various measures to block attack vectors exploiting Office applications. These include blocking VBA macros, disabling Excel 4.0 (XLM) macros by default, blocking untrusted XLL add-ins, and phasing out VBScript. The default setting previously was to prompt users before enabling ActiveX, which required users to understand the risks before granting permissions. When the change is deployed, users will receive a notification stating "BLOCKED CONTENT: The ActiveX content in this file is blocked" if a document contains an ActiveX control. This measure is intended to reduce the risk of malware or unauthorized code execution. Users can re-enable ActiveX controls through the Trust Center, provided administrators have granted them access to the ActiveX settings page. This change is more secure as it blocks the controls entirely. Recommended read:
References :
Pierluigi Paganini@securityaffairs.com
//
A new cybersecurity threat has emerged, with cheap Chinese Android phones being shipped with pre-installed malware disguised as popular messaging apps like WhatsApp and Telegram. These trojanized applications contain cryptocurrency clippers, malicious programs designed to replace copied wallet addresses with those controlled by the attackers. This allows the theft of cryptocurrency during transactions without the user's knowledge. The campaign, active since June 2024, targets low-end devices, often mimicking premium brands like Samsung and Huawei, with models such as "S23 Ultra," "Note 13 Pro," and "P70 Ultra." At least four of the affected models are manufactured under the SHOWJI brand.
These counterfeit phones often spoof their technical specifications, falsely displaying that they are running the latest Android version and have improved hardware to avoid detection. According to researchers at Doctor Web, the infected devices ship with modified versions of WhatsApp that operate as clippers. These malicious programs quietly swap out wallet strings for popular coins like Ethereum and Tron whenever users send or receive them through chat. Victims remain unaware as the malware displays the correct wallet address on the sender’s screen but delivers the wrong one to the receiver, and vice versa, until the money disappears. The attackers have expanded their reach beyond WhatsApp and Telegram, with researchers identifying nearly 40 fake applications, including crypto wallets like Trust Wallet and MathWallet, and even QR code readers. The malware is injected using a tool called LSPatch, allowing modifications without altering the core app code, which helps evade detection and survive updates. Doctor Web reports that the malware hijacks the app update process to retrieve an APK file from a server under the attacker's control and searches for strings in chat conversations that match cryptocurrency wallet address patterns. Recommended read:
References :
Aman Mishra@gbhackers.com
//
A sophisticated malware campaign impersonating PDFCandy.com is distributing the ArechClient2 information stealer, according to research from CloudSEK. Cybercriminals are creating fake websites that closely mimic the legitimate PDF conversion tool, tricking users into downloading malware. These deceptive sites are promoted through Google Ads and exploit the common need for online file conversion. By replicating the user interface and using similar domain names, attackers deceive unsuspecting users into believing they are interacting with a trusted service.
The attack unfolds through a series of social engineering tactics. Victims are prompted to upload a PDF file for conversion, after which a simulated loading sequence creates the illusion of genuine file processing. This builds trust and lowers the user’s guard. Subsequently, users are presented with a fake CAPTCHA verification dialog, designed to enhance the site’s perceived authenticity and create a sense of urgency, potentially rushing the user into action. The CAPTCHA acts as a pivotal interaction point to trigger the malicious payload. After the fake conversion process and CAPTCHA interaction, users are prompted to execute a PowerShell command. This command initiates a sophisticated redirection chain to obscure the malware delivery, ultimately leading to the distribution of the ArechClient2 infostealer. The malware is known for its ability to steal sensitive data, including browser credentials and cryptocurrency wallet information. Cybersecurity experts advise users to rely on verified tools from official websites, keep anti-malware software updated, and implement endpoint detection and response solutions to defend against these advanced threats. Recommended read:
References :
@nvd.nist.gov
//
Cyble Research and Intelligence Labs (CRIL) has uncovered a new ransomware operation dubbed "DOGE BIG BALLS Ransomware." This campaign uses a finance-themed ZIP file named "Pay Adjustment.zip" to trick users into executing malicious shortcut files. These files then trigger multi-stage PowerShell scripts, ultimately delivering custom payloads that include a kernel-mode exploit tool and reconnaissance modules. The ransomware itself is a modified version of Fog, further customized with a provocative name that references a known public figure.
The attention-grabbing name is likely a deliberate attempt to misdirect attention and create confusion, potentially questioning the effectiveness of governmental cybersecurity efforts. Despite the name's provocative nature, the attack mechanism is relatively simple. The ransomware is typically distributed via a compressed ZIP file, sometimes disguised as a PDF document. Once opened, the malicious payload bypasses traditional security defenses using obfuscation and anti-detection techniques. The DOGE Big Balls ransomware attack highlights the evolving tactics of cybercriminals, blending technical sophistication with psychological manipulation. It also demonstrates the increasing trend of ransomware attacks targeting the healthcare sector, as seen with the recent attack on DaVita, a Denver-based dialysis firm. This incident underscores the critical need for organizations to bolster their cybersecurity defenses and incident response capabilities to protect sensitive data and maintain operational continuity. Recommended read:
References :
@techcrunch.com
//
Apple has released emergency security updates to address two zero-day vulnerabilities that have been actively exploited in targeted attacks against specific iPhone users. The company confirmed that these vulnerabilities were leveraged in an "extremely sophisticated attack" and urged users to update their devices immediately. The bugs, identified as CVE-2025-31200 and CVE-2025-31201, impact iOS, macOS, tvOS, iPadOS, and visionOS.
The first vulnerability, CVE-2025-31200, is located in CoreAudio, Apple's system-level component for audio processing. According to Apple, this flaw can be triggered by processing a maliciously crafted audio stream within a media file, potentially allowing attackers to execute arbitrary code on the affected device. The second flaw, CVE-2025-31201, allows attackers to bypass Pointer Authentication Codes (PAC), a security feature designed to prevent memory corruption attacks. Apple credited the discovery of one of the bugs to security researchers working at Google’s Threat Analysis Group, which investigates government-backed cyberattacks. This may indicate that the attacks targeting Apple customers were launched or coordinated by a nation state or government agency. To mitigate the risk, Apple has released iOS 18.4.1/iPadOS 18.4.1 for iPhones and iPads, macOS Sequoia 15.4.1, tvOS 18.4.1, and visionOS 2.4.1 for the Apple Vision Pro. Users are strongly advised to update their devices to the latest versions. Apple has not released details on who was behind the attacks, how widespread they were, or whether any users were successfully compromised. Recommended read:
References :
@cyble.com
//
References:
cyble.com
, threatmon.io
Hacktivist groups are increasingly adopting sophisticated and destructive attack methods, moving beyond basic DDoS attacks to target critical infrastructure with ransomware. These groups, motivated by ideological goals, are focusing on government platforms and industrial manufacturers. Pro-Russian hacktivists are primarily targeting NATO-aligned nations and supporters of Ukraine, while pro-Ukrainian, pro-Palestinian, and anti-establishment groups are focusing on Russia, Israel, and the United States. This evolution reflects a shift towards hybrid warfare tactics, combining DDoS, credential leaks, and ICS disruption to overcome single-layer defenses.
The energy sector is particularly vulnerable, with successful cyber breaches posing severe risks to national security, economic stability, and public safety. The CyberAv3ngers, an Iranian state-sponsored hacker group, exemplifies this threat. Despite masquerading as hacktivists, they are actively targeting industrial control systems in water, gas, oil and gas, and other critical infrastructure sectors worldwide. The group has already caused global disruption and shows no signs of slowing down. Their actions represent a rare example of state-sponsored cybersaboteurs crossing the line and disrupting critical infrastructure. Reports and investigations highlight vulnerabilities within power grids and other key systems. Recent investigations have revealed hidden capabilities in Chinese-manufactured power transformers that could allow remote shutdown from overseas. This discovery prompted concerns about potential "sleeper cells" within critical national systems. Furthermore, ransomware attacks continue to be a major threat, causing operational disruptions, data breaches, and financial losses. The industry is responding with increased cybersecurity investment and proactive strategies as professionals see cybersecurity as the greatest risk to their business. Recommended read:
References :
|
