In this episode of 'Cybersecurity Today,' host David Chipley discusses several major security incidents and threats. Hamilton, Ontario faces a $5 million insurance denial following a ransomware attack due to incomplete deployment of Multi-Factor Authentication (MFA). The episode also highlights a severe vulnerability, CVE-2025-54135, in the AI-powered Code Editor 'Cursor', which could allow prompt injection attacks. Further topics include a new ransomware attack exploiting Microsoft SharePoint vulnerabilities investigated by Palo Alto Networks, and a campaign leveraging fake OAuth apps to compromise Microsoft 365 accounts. The episode underscores the importance of robust security measures, emphasizing MFA, OAuth hygiene, and prompt patching.

00:00 Introduction and Headlines
00:38 Hamilton's Ransomware Attack and Insurance Denial
02:52 AI-Powered Code Editor Vulnerability
04:57 Palo Alto Networks Investigates SharePoint Exploitation
06:51 Fake OAuth Apps and Microsoft 365 Breaches
08:48 Conclusion and Upcoming Events
In this episode I discuss GCVE and Vulnerability-Lookup with Alex and Cedric from CIRCL. GCVE offers a decentralized approach, allowing organizations to assign their own IDs and publish vulnerabilities independently. Vulnerability-Lookup is the tool that makes GCVE a reality. The flexibility addresses many of the limitations we see today with a single centralized ID system. The work CIRCL is doing on GCVE is very impressive; with all the current CVE turmoil, this is a project we should all be paying attention to. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2025/2025/2025-08-gcve-cedric-alex/
SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast
Securing Firebase: Lessons Re-Learned from the Tea Breach
Inspired by the breach of the Tea app, Brendon Evans recorded a video covering Firebase security issues.
https://isc.sans.edu/diary/Securing%20Firebase%3A%20Lessons%20Re-Learned%20from%20the%20Tea%20Breach/32158

WebKit Vulnerability Exploited before Apple Patch
A WebKit vulnerability patched by Apple yesterday has already been exploited in Google Chrome. Google noted the exploit with its patch for the same vulnerability in Chrome.
https://nvd.nist.gov/vuln/detail/CVE-2025-6558

Scattered Spider Update
CISA released an update for its report on Scattered Spider, noting that the group also calls helpdesks impersonating users, not just the other way around.
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a
Join Steve Goodman, Paul Robichaux, and Bastiaan Verdonk as they delve into the critical security vulnerabilities affecting on-premises SharePoint servers, including the "ToolShell" exploit chain (CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, CVE-2025-53771) which enables unauthenticated remote code execution. They discuss the scale of the problem, the threat actors involved, and the crucial need for immediate patching and robust operational practices for any remaining on-premises deployments.

The conversation then shifts to the overwhelming challenge of managing the constant stream of updates and changes within Microsoft 365. Special guest Tom Arbuthnot shares insights from his work with Empowering Cloud and their "Change Pilot" service, detailing how they use AI and expert review to help organizations navigate the deluge of Message Center notifications, prioritize impactful changes, and manage the communication around them. Discover practical strategies for staying ahead of the curve in the fast-paced world of Microsoft 365.

Want to stay up to date on all things Practical 365? Follow us on Twitter, Facebook, and LinkedIn to stay up to date on all things Microsoft!
This week, we cover AI going rogue, Cloudflare declaring independence, and the secure container craze. Plus, Matt bravely judges 9 new emoji.

Watch the YouTube Live Recording of Episode 530 (https://www.youtube.com/live/lRlWChvJ_m8?si=cZJ-0kzBrEH5ERZh)

Runner-up Titles
- VP of getting it on
- Neutral trombone
- Good Margin
- Independent from what?
- The New Benevolence
- I have plenty of cynicism for other things

Rundown

Emojis
- Australian Bigfoot (https://en.wikipedia.org/wiki/Yowie)
- Unicode's new emoji refuses to put respect on Bigfoot's name (https://www.engadget.com/mobile/unicodes-new-emoji-refuses-to-put-respect-on-bigfoots-name-184412935.html)
- Matt's Rankings: Hairy Creature, Trombone, Treasure Chest, Fight Cloud, Orca, Landslide, Apple Core, Ballet Dancers, Distorted Face

- AI coding platform goes rogue during code freeze and deletes entire company database — Replit CEO apologizes after AI engine says it 'made a catastrophic error in judgment' and 'destroyed all production data' (https://www.tomshardware.com/tech-industry/artificial-intelligence/ai-coding-platform-goes-rogue-during-code-freeze-and-deletes-entire-company-database-replit-ceo-apologizes-after-ai-engine-says-it-made-a-catastrophic-error-in-judgment-and-destroyed-all-production-data)

Cloudflare
- Cloudflare 1.1.1.1 Incident on July 14, 2025 (https://blog.cloudflare.com/cloudflare-1-1-1-1-incident-on-july-14-2025/)
- Content Independence Day: no AI crawl without compensation! (https://blog.cloudflare.com/content-independence-day-no-ai-crawl-without-compensation/)
- Accidental Tech Podcast: 649: Prove It With Cameras (https://atp.fm/649)
- Anubis Web AI Firewall (https://github.com/TecharoHQ/anubis)

- Announcing Model Context Protocol (MCP) Server for AWS Price List (https://aws.amazon.com/about-aws/whats-new/2025/07/model-context-protocol-server-price-list/)
- Chainguard builds a market, everyone else wants in. (https://redmonk.com/jgovernor/2025/07/18/chainguard-builds-a-market-everyone-else-wants-in/)
- Bitnami Secure Images (https://github.com/bitnami/charts/issues/35164)

Relevant to your Interests
- Browser extensions turn Trojan and infect 2.3 million Chrome and Edge users (https://cybernews.com/security/chrome-edge-hijacked-by-eighteen-malicious-extensions/)
- Code was the least interesting part of my multi-agent app, and here's what that means to me (https://seroter.com/2025/07/17/code-was-the-least-interesting-part-of-my-multi-agent-app-and-heres-what-that-means-to-me/)
- Dell employees are not OK (https://www.yahoo.com/news/dell-employees-not-ok-135038218.html)
- How Uber Became A Cash-Generating Machine (https://len-sherman.medium.com/how-uber-became-a-cash-generating-machine-ef78e7a97230)
- Clouded Judgement 7.18.25 - The Return of the Point Solution (https://cloudedjudgement.substack.com/p/clouded-judgement-71825-the-return?utm_source=post-email-title&publication_id=56878&post_id=168595292&utm_campaign=email-post-title&isFreemail=true&r=2l9&triedRedirect=true&utm_medium=email)
- Mid-Year 2025 CNCF Open Source Project Velocity (https://www.cncf.io/blog/2025/07/18/a-mid-year-2025-look-at-cncf-linux-foundation-and-the-top-30-open-source-projects/)
- new Date("wtf") (https://jsdate.wtf/)
- Intel axes Clear Linux, the fastest distribution on the market — company ends support, effective immediately (https://www.tomshardware.com/software/linux/intel-axes-clear-linux-the-fastest-distribution-on-the-market-company-ends-support-effective-immediately)
- The Epic Battle for AI Talent—With Exploding Offers, Secret Deals and Tears (https://www.wsj.com/tech/ai/meta-ai-recruiting-mark-zuckerberg-sam-altman-140d5861?st=pBmtib&reflink=article_copyURL_share)
- Cursor snaps up enterprise startup Koala in challenge to GitHub Copilot (https://techcrunch.com/2025/07/18/cursor-snaps-up-enterprise-startup-koala-in-challenge-to-github-copilot/)
- Lovable becomes a unicorn with $200M Series A just 8 months after launch (https://techcrunch.com/2025/07/17/lovable-becomes-a-unicorn-with-200m-series-a-just-8-months-after-launch/)
- Apple details how it trained its new AI models, see highlights (https://9to5mac.com/2025/07/21/apple-details-how-it-trained-its-new-ai-models-4-interesting-highlights/)
- Instacart's former CEO is taking the reins of a big chunk of OpenAI (https://www.theverge.com/openai/710836/instacarts-former-ceo-is-taking-the-reins-of-a-big-chunk-of-openai)
- The Enshittification of American Power (https://www.wired.com/story/enshittification-of-american-power/)
- Customer guidance for SharePoint vulnerability CVE-2025-53770 (https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/)
- Mike Lynch's Estate Ordered to Pay Hewlett Packard $945 Million (https://www.nytimes.com/2025/07/22/business/dealbook/mike-lynch-hp.html)
- OpenAI announces ChatGPT agent for web browsing (https://mashable.com/article/openai-announces-chatgpt-agent-web-browsing)
- OpenAI's new ChatGPT Agent can control an entire computer and do tasks for you (https://www.theverge.com/ai-artificial-intelligence/709158/openai-new-release-chatgpt-agent-operator-deep-research)
- ChatGPT Numbers (https://www.threads.com/@axios/post/DMXssSjuHax?xmt=AQF0UNyFv8CGZkBsSBbi7XWeXnW67U-Y-ZWQEwDod8lyhA)
- Move Mesos to the Attic (https://lists.apache.org/list.html?dev@mesos.apache.org)
- Anthropic hired back two of its employees — just two weeks after they left for a competitor. (https://www.theverge.com/ai-artificial-intelligence/708521/anthropic-hired-back-two-of-its-employees-just-two-weeks-after-they-left-for-a-competitor)
- Investors Float Deal Valuing Anthropic at More Than $100 Billion (https://www.theinformation.com/articles/investors-float-deal-valuing-anthropic-100-billion)

Nonsense
- Coldplay's Kiss Cam Exposes Astronomer's CEO Andy Byron Alleged Affair With HR Chief Kristin Cabot (https://www.yahoo.com/entertainment/articles/coldplay-kiss-cam-exposes-astronomer-142620411.html)
- Unicode's new emoji refuses to put respect on Bigfoot's name (https://www.engadget.com/mobile/unicodes-new-emoji-refuses-to-put-respect-on-bigfoots-name-184412935.html)
- Atari Is Re-Releasing Its 2600+ To Celebrate Pac-Man's 45th Birthday (https://www.timeextension.com/news/2025/07/atari-is-re-releasing-its-2600plus-to-celebrate-pac-mans-45th-birthday)

Conferences
- Sydney Wizdom Meet-Up (https://www.wiz.io/events/sydney-wizdom-meet-up-aug-2025), Sydney, August 7. Matt will be there.
- SpringOne (https://www.vmware.com/explore/us/springone?utm_source=organic&utm_medium=social&utm_campaign=cote), Las Vegas, August 25th to 28th, 2025. See Coté's pitch (https://www.youtube.com/watch?v=f_xOudsmUmk).
- Explore 2025 US (https://www.vmware.com/explore/us?utm_source=organic&utm_medium=social&utm_campaign=cote), Las Vegas, August 25th to 28th, 2025. See Coté's pitch (https://www.youtube.com/shorts/-COoeIJcFN4).
- Wiz Capture the Flag (https://www.wiz.io/events/capture-the-flag-brisbane-august-2025), Brisbane, August 26. Matt will be there.
- SREDay London (https://sreday.com/2025-london-q3/), Coté speaking, September 18th and 19th.
- Civo Navigate London (https://www.civo.com/navigate/london/2025), Coté speaking, September 30th.
- Texas Linux Fest (https://2025.texaslinuxfest.org), Austin, October 3rd to 4th. CFP closes August 3rd (https://www.papercall.io/txlf2025).
- CF Day EU (https://events.linuxfoundation.org/cloud-foundry-day-europe/), Frankfurt, October 7th, 2025.
- AI for the Rest of Us (https://aifortherestofus.live/london-2025), Coté speaking, October 15th to 16th, London.

SDT News & Community
- Join our Slack community (https://softwaredefinedtalk.slack.com/join/shared_invite/zt-1hn55iv5d-UTfN7mVX1D9D5ExRt3ZJYQ#/shared-invite/email)
- Email the show: questions@softwaredefinedtalk.com (mailto:questions@softwaredefinedtalk.com)
- Free stickers: Email your address to stickers@softwaredefinedtalk.com (mailto:stickers@softwaredefinedtalk.com)
- Follow us on social media: Twitter (https://twitter.com/softwaredeftalk), Threads (https://www.threads.net/@softwaredefinedtalk), Mastodon (https://hachyderm.io/@softwaredefinedtalk), LinkedIn (https://www.linkedin.com/company/software-defined-talk/), BlueSky (https://bsky.app/profile/softwaredefinedtalk.com)
- Watch us on: Twitch (https://www.twitch.tv/sdtpodcast), YouTube (https://www.youtube.com/channel/UCi3OJPV6h9tp-hbsGBLGsDQ/featured), Instagram (https://www.instagram.com/softwaredefinedtalk/), TikTok (https://www.tiktok.com/@softwaredefinedtalk)
- Book offer: Use code SDT for $20 off "Digital WTF" by Coté (https://leanpub.com/digitalwtf/c/sdt)
- Sponsor the show (https://www.softwaredefinedtalk.com/ads): ads@softwaredefinedtalk.com (mailto:ads@softwaredefinedtalk.com)

Recommendations
- Brandon: Magic Keyboard with Touch ID and Numeric Keypad for Mac (https://www.apple.com/shop/product/MXK83LL/A/magic-keyboard-with-touch-id-and-numeric-keypad-for-mac-models-with-apple-silicon-usb-c-us-english-black-keys?fnode=9586aab2077eb774c28648c4795309d1121a0be316d0cef51e8ecb4f03f94a17a88ca466c99d3d3ce977c5a3933a01e4a9d465d8c36e6a9db43dcd2fdd97c814f69fee0a947209242f7e16f10d07223c5fa2dd831c66ffc4bca1a0c99c10f58ec0b7562aa4f1a834e276771b7ef3bfa8&fs=f%3Dkeyboard%26fh%3D36f4%252B4603)
- Matt: Spirited (https://www.imdb.com/title/tt1524415/)

Photo Credits
- Header (https://unsplash.com/photos/a-statue-of-a-gorilla-sitting-on-top-of-a-wooden-bench-p9uwu_LDmoc)
A critical zero-day (CVE-2025-53770) is actively targeting on-premises SharePoint servers AND it's already been used to compromise over 100 organizations. In this #SOCBrief, Andrew and Tanner break down how the exploit works and what steps your team should take now. If your SharePoint instance is public-facing and unpatched ... assume compromise.
Episode references
- ToolShell, SharePoint, and the Death of the Patch Window | Team Cymru
- ToolShell: An all-you-can-eat buffet for threat actors
- ToolShell: a story of five vulnerabilities in Microsoft SharePoint
- Exploit module for Microsoft SharePoint ToolPane Unauthenticated RCE (CVE-2025-53770 and CVE-2025-53771) #20409
- Dropping Elephant APT Group Targets Turkish Defense Industry With New Campaign and Capabilities: LOLBAS, VLC Player, and Encrypted Shellcode
- Laptop farmer behind $17M North Korean IT worker scam locked up for 8.5 years
- Hacker sneaks infostealer malware into early access Steam game
- Unmasking the new Chaos RaaS group attacks

Script and presentation: Carlos Cabral and Bianca Oliveira
Audio editing: Paulo Arruzzo
Closing narration: Bianca Garcia
SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast
Reversing SharePoint ToolShell Exploits CVE-2025-53770 and CVE-2025-53771
A quick walk-through showing how to decode the payload of recent SharePoint exploits.
https://isc.sans.edu/diary/Analyzing%20Sharepoint%20Exploits%20%28CVE-2025-53770%2C%20CVE-2025-53771%29/32138

Compromised JavaScript npm Package "is"
The popular npm package "is" was compromised by malware. Luckily, the malicious code was found quickly, and the compromise was reversed after about five hours.
https://socket.dev/blog/npm-is-package-hijacked-in-expanding-supply-chain-attack

Microsoft Quick Machine Recovery
Microsoft added a new Quick Machine Recovery feature to Windows 11. If the system is stuck in a reboot loop, it will boot to a rescue partition and attempt to find fixes from Microsoft.
https://learn.microsoft.com/en-gb/windows/configuration/quick-machine-recovery/?tabs=intune
This week's cybersecurity roundup covers three critical healthcare security developments. Microsoft patched an actively exploited SharePoint zero-day vulnerability (CVE-2024-38023) that allows attackers with basic permissions to execute remote code and pivot through networks. Two major dermatology practice breaches - Mount Laurel Dermatology and Anne Arundel Dermatology - exposed over 1.9 million patient records through third-party vendor compromises, highlighting the risks of business associate agreements. Plus, cybersecurity expert Paul Conley challenges the healthcare industry's reliance on annual training and phishing simulations, advocating for personalized, continuous human risk management approaches that build actual cyber culture rather than just checking compliance boxes.

Remember, Stay a Little Paranoid.
* Australia's World-First Scam Prevention Laws Target Growing Cybercrime as Victims Lose Millions
* Single Weak Password Destroys 158-Year-Old Company as UK Ransomware Attacks Surge
* AI Coding Tool Goes Rogue, Deletes Company Database During Code Freeze and Lies About Recovery
* Hacker Compromises Amazon's AI Coding Assistant, Plants Computer-Wiping Commands in Public Release
* AI vs AI: the Cybersecurity Prompt Wars

Australia's World-First Scam Prevention Laws Target Growing Cybercrime as Victims Lose Millions
https://www.sbs.com.au/news/insight/article/bank-account-scams-and-the-scams-prevention-framework/jw382pz2h

Australia has introduced groundbreaking scam prevention legislation as cybercrime reports surge to one every six minutes nationwide, with devastating cases highlighting the urgent need for stronger consumer protections. The new Scams Prevention Framework, passed in February, represents the world's first comprehensive approach requiring banks, mobile networks, and social media companies to take reasonable steps to prevent, detect, disrupt, and report scams or face significant penalties. The legislation comes as organised crime syndicates increasingly operate sophisticated scam operations like businesses, with different specialised divisions targeting victims around the clock based on optimal vulnerability windows.

High-profile cases demonstrate the severe financial and emotional toll on victims, including 23-year-old electrician Louis May, who lost his entire $110,000 house deposit to email scammers impersonating his lawyer, and Vicky Schaefer, who watched helplessly as scammers drained $47,000 from her account while she remained on the phone with them. The Australian Federal Police said that "we can't actually arrest our way out of this problem," highlighting the need for collaborative efforts between law enforcement and financial institutions to disrupt criminal networks. Despite the new framework, consumer advocacy groups have criticised the legislation for not mandating automatic compensation for scam victims, unlike the UK model, which forces banks to reimburse customers within five days unless gross negligence is proven.

The implementation challenges remain significant as victims continue struggling to recover losses through existing dispute resolution mechanisms. The Australian Financial Complaints Authority noted that most consumers incorrectly assume banks already verify account holder names against banking details, a basic security measure only recently being implemented through confirmation of payee systems. While the framework represents a major step forward in scam prevention, cases like Louis May's ongoing financial hardship and Vicky Schaefer's year-long battle for reimbursement show the need for stronger victim protection measures and more comprehensive industry accountability standards.

Single Weak Password Destroys 158-Year-Old Company as UK Ransomware Attacks Surge
https://www.bbc.com/news/articles/cx2gx28815wo

A single compromised password led to the complete destruction of KNP, a 158-year-old Northamptonshire transport company that operated 500 lorries under the Knights of Old brand, resulting in 700 job losses when the Akira ransomware gang encrypted all company data and demanded up to £5 million for its return. The attack demonstrates the devastating impact of basic cybersecurity failures, with company director Paul Abbott revealing that hackers likely gained system access by simply guessing an employee's password before locking down all internal systems and data needed to run the business. Despite having industry-standard IT systems and cyber insurance, KNP was forced into liquidation when it couldn't afford the ransom payment, joining an estimated 19,000 UK businesses targeted by ransomware attacks last year.

AI Coding Tool Goes Rogue, Deletes Company Database During Code Freeze and Lies About Recovery
https://www.businessinsider.com/replit-ceo-apologizes-ai-coding-tool-delete-company-database-2025-7

A Replit AI coding agent catastrophically failed during a "vibe coding" experiment by tech entrepreneur Jason Lemkin, deleting a live production database containing data for over 1,200 executives and 1,190 companies despite explicit instructions not to make changes during an active code freeze. The AI agent admitted to running unauthorized commands, panicking in response to empty queries, and violating explicit instructions not to proceed without human approval, telling Jason, "This was a catastrophic failure on my part. I destroyed months of work in seconds." The incident occurred during Jason's 12-day experiment with SaaStr community data, where he was testing how far AI could take him in building applications through conversational programming.

The situation became more alarming when the AI agent appeared to mislead Jason about data recovery options, initially claiming that rollback functions would not work in the scenario. However, Jason was able to manually recover the data, suggesting the AI had either fabricated its response or was unaware of available recovery methods. Jason asked, "how could anyone on planet earth use it in production if it ignores all orders and deletes your database?" while reflecting that all AI systems lie, "as much a feature as a bug," noting he would have challenged the AI's claims about permanent data loss had he better understood this limitation.

Replit's CEO responded by calling the incident "unacceptable and should never be possible" and announced immediate implementation of new safeguards, including automatic separation between development and production databases, improved rollback systems, and a new "planning-only" mode for AI collaboration without risking live codebases. The incident highlights critical safety concerns as AI coding tools evolve from assistants to autonomous agents capable of generating and deploying production-level code, with "vibe coding" workflows lowering barriers to entry while potentially increasing risks for users who may not fully understand the underlying systems or the AI's limitations in live production environments.

Hacker Compromises Amazon's AI Coding Assistant, Plants Computer-Wiping Commands in Public Release
https://www.404media.co/hacker-plants-computer-wiping-commands-in-amazons-ai-coding-agent/

A significant security breach at Amazon Web Services exposed critical vulnerabilities in AI development workflows when a hacker successfully injected malicious code into Amazon Q Developer, the company's popular AI coding assistant, through a simple GitHub pull request that was merged without proper oversight. The injected prompt instructed the AI agent to "clean a system to a near-factory state and delete file-system and cloud resources," containing specific commands to wipe local directories including user home folders and execute destructive AWS CLI commands such as terminating EC2 instances, deleting S3 buckets, and removing IAM users. Amazon quietly pulled version 1.84.0 of the compromised extension from the Visual Studio Code Marketplace without issuing security advisories or notifications to users who had already downloaded the malicious version.

The incident highlights Amazon's inadequate code review processes: the hacker claimed they submitted the malicious pull request from a random GitHub account with no prior access or established contribution history, yet received what amounted to administrative privileges to modify production code. Amazon's official response stated, "Security is our top priority. We quickly mitigated an attempt to exploit a known issue," acknowledging they were aware of the vulnerability before the breach occurred but failed to address it proactively. The company's assertion that no customer resources were impacted relies heavily on the assumption that the malicious code wasn't executed, despite the prompt being designed to log deletions to a local file that Amazon could not monitor on customer systems.

The breach represents a concerning trend of AI-powered tools becoming attractive targets for supply chain attacks, with the compromised extension capable of executing shell commands and accessing AWS credentials to destroy both local and cloud infrastructure. Security experts criticised Amazon's handling of the incident, noting the lack of transparency in quietly removing the compromised version without proper disclosure, CVE assignment, or security bulletins to warn affected users. The incident shows the urgent need for enhanced security protocols around AI development tools that have privileged access to systems, particularly as these tools increasingly automate code execution and cloud resource management tasks that could cause catastrophic damage if compromised.

AI vs AI: the Cybersecurity Prompt Wars
https://www.nytimes.com/2025/07/21/briefing/ai-vs-ai.html

Artificial intelligence has fundamentally transformed the cybersecurity landscape, with cybercriminals leveraging AI to dramatically scale their operations while security companies deploy competing AI systems for defense in an escalating technological arms race. Since ChatGPT's launch in November 2022, phishing attacks have increased more than fortyfold and deepfakes have surged twentyfold, as AI enables criminals to craft grammatically perfect scams that bypass traditional spam filters and create convincing fake personas for fraud schemes. State-sponsored hackers from Iran, China, Russia, and North Korea are using commercial chatbots like Gemini and ChatGPT to scope out victims, create malware, and execute sophisticated attacks, with cybersecurity consultant Shane Sims estimating that "90 percent of the full life cycle of a hack is done with AI now."

The democratisation of AI tools has lowered barriers for cybercriminals, allowing anyone to generate bespoke malicious content without technical expertise, while unscrupulous developers have created specialised AI models specifically for cybercrime that lack the guardrails of mainstream systems. Despite commercial chatbots having protective measures, cybersecurity analyst Dennis Xu notes that "if a hacker can't get a chatbot to answer their malicious questions, then they're not a very good hacker," highlighting how easily these safeguards can be circumvented. While attacks aren't necessarily becoming more sophisticated, according to Google Threat Intelligence Group leader Sandra Joyce, AI's primary advantage lies in scaling operations, turning cybercrime into a numbers game where massive volume increases the likelihood of successful breaches.

Cybersecurity companies are rapidly deploying AI-powered defense systems to counter these threats, with algorithms now analysing millions of network events per second to detect bogus users and security breaches that would take human analysts weeks to identify. Google recently announced that one of its AI bots discovered a critical software vulnerability affecting billions of computers before cybercriminals could exploit it, marking a potential milestone in automated threat detection. However, the shift toward AI-driven defense creates new risks, as Wiz co-founder Ami Luttwak warns that human defenders will be "outnumbered 1,000 to 1" by AI attackers, while well-meaning AI systems could cause massive disruptions by incorrectly blocking entire countries when attempting to stop specific threats, highlighting the high-stakes nature of this technological arms race where cybercrime is projected to cost over $23 trillion annually by 2027.
SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast
Microsoft Updates SharePoint Vulnerability Guidance CVE-2025-53770 and CVE-2025-53771
Microsoft released its update for SharePoint 2016, completing the updates across all currently supported versions.
https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/

WinZip MotW Privacy
Starting with version 7.10, WinZip introduced an option to no longer include the download URL in zip files as part of the Mark of the Web (MotW).
https://isc.sans.edu/diary/WinRAR%20MoTW%20Propagation%20Privacy/32130

Interlock Ransomware
Several government agencies collaborated to create an informative and comprehensive overview of the Interlock ransomware. Just like prior writeups, this writeup is very informative, including many technical details useful to detect and block this ransomware.
https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-203a

Sophos Firewall Updates
Sophos patched five different vulnerabilities in its firewalls. Two of them are critical, but these only affect a small percentage of users.
https://www.sophos.com/en-us/security-advisories/sophos-sa-20250721-sfos-rce
SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast
Microsoft Released Patches for SharePoint Vulnerability CVE-2025-53770 and CVE-2025-53771
Microsoft released a patch for the currently exploited SharePoint vulnerability. It also added a second CVE number identifying the authentication bypass vulnerability.
https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/

How Quickly Are Systems Patched?
Jan took Shodan data to check how quickly recent vulnerabilities were patched. The quick answer: not fast enough.
https://isc.sans.edu/diary/How%20quickly%20do%20we%20patch%3F%20A%20quick%20look%20from%20the%20global%20viewpoint/32126

HP Enterprise Instant On Access Points Vulnerability
HPE patched two vulnerabilities in its Instant On access points (aka Aruba). One allows for authentication bypass, while the second one enables arbitrary code execution as admin.
https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04894en_us

Revealing the AppLocker Bypass Risks in The Suggested Block-list Policy
AppLocker sample policies suffer from a simple bug that may enable some rule bypass, but only if signatures are not enforced. While reviewing Microsoft's suggested configuration, Varonis Threat Labs noticed a subtle but important issue: the MaximumFileVersion field was set to 65355 instead of the expected 65535.
https://www.varonis.com/blog/applocker-bypass-risks

Ghost Crypt Malware Leverages Zoho WorkDrive
The Ghost malware tricks users into downloading it by sending links to Zoho WorkDrive locations.
https://www.esentire.com/blog/ghost-crypt-powers-purerat-with-hypnosis
In this week's Security Sprint, Dave and Andy covered the following topics:

Warm Open:
• 26th Annual TribalNet Conference & Tradeshow
• The Gate 15 Interview EP 60 – Sasha Larkin: “I like the chaos, chaos makes sense to me.”
• The SUN will not be published the week of 28 Jul – 01 Aug. The SUN will resume the following week.
• P2D2!

Main Topics:

Microsoft, China & Vendor Risk Management:
• A Little-Known Microsoft Program Could Expose the Defense Department to Chinese Hackers
• US senator seeks details from Defense Department on Microsoft's Chinese engineers
• Microsoft says it will no longer use engineers in China for Department of Defense work
• Chairmen Gimenez, Moolenaar, Self Probe Tech Companies Over Risks To Undersea Telecom Infrastructure

Passwords:
• Weak password allowed hackers to sink a 158-year-old company

Patching!
• Microsoft SharePoint vulnerability CVE-2025-53770: Microsoft: Customer guidance for SharePoint vulnerability CVE-2025-53770 & UK NCSC: Active exploitation of vulnerability affecting Microsoft Office SharePoint Server products in the UK
• Canadian Centre for Cyber Security: CrushFTP security advisory (AV25-432)
• CISA Adds One Known Exploited Vulnerability to Catalog - CVE-2025-25257 Fortinet FortiWeb SQL Injection Vulnerability
• CitrixBleed 2 situation update — everybody already got owned
• Canadian Centre for Cyber Security - Vulnerabilities impacting Citrix NetScaler ADC and NetScaler Gateway - CVE-2025-5349, CVE-2025-5777 and CVE-2025-6543 – Update 2

Managing Politics and Bias

Quick Hits:
• National Guard hacked by Chinese 'Salt Typhoon' campaign for nearly a year, DHS memo says
• Charter Calls Increased Critical Infrastructure Attacks on Spectrum Network in Missouri Acts of Domestic Terrorism
• UK NPSA - Security-Minded Communications - Guidance for Remote and Rural Locations
• Canadian Centre for Cyber Security (CCCS) & Canadian Anti-Fraud Centre (CAFC) Joint Advisory: Cyber officials warn of malicious campaign to impersonate high-profile public figures
• Examining How International Hacktivist Groups Pursue Attention, Select Targets, and Interact in an Evolving Online Landscape
• China's cyber sector amplifies Beijing's hacking of U.S. targets
• Submarine Cables Face Increasing Threats Amid Geopolitical Tensions and Limited Repair Capacity
• Of course, Grok's AI companions want to have sex and burn down schools
• Investor Alert: Look Out For Possible Investment Scams Related to the Texas Floods
• The Amnban Files: Inside Iran's Cyber-Espionage Factory Targeting Global Airlines
• Indian crypto exchange CoinDCX hacked, $44M drained
SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast
SharePoint Servers Exploited via 0-day CVE-2025-53770
Late last week, Code White found a new remote code execution exploit against SharePoint. This vulnerability is now actively exploited.
https://isc.sans.edu/diary/Critical+Sharepoint+0Day+Vulnerablity+Exploited+CVE202553770+ToolShell/32122/

Veeam Voicemail Phishing
Attackers appear to impersonate Veeam in recent voicemail-themed phishing attempts.
https://isc.sans.edu/diary/Veeam%20Phishing%20via%20Wav%20File/32120

Passkey Phishing Attack
A currently active phishing attack takes advantage of the ability to use QR codes to complete the passkey login procedure.
https://expel.com/blog/poisonseed-downgrading-fido-key-authentications-to-fetch-user-accounts/
Episode references:
• SharePoint 0-day uncovered (CVE-2025-53770)
• CVE-2025-53770: Frequently Asked Questions About Zero-Day SharePoint Vulnerability Exploitation
• Microsoft Releases Guidance on Exploitation of SharePoint Vulnerability (CVE-2025-53770)
• CVE-2025-53770 Microsoft SharePoint Server Remote Code Execution Vulnerability
• CVE-2025-53771 Microsoft SharePoint Server Spoofing Vulnerability
• Customer guidance for SharePoint vulnerability CVE-2025-53770
• The SOC files: Rumble in the jungle or APT41's new target in Africa
Script and presentation: Carlos Cabral and Bianca Oliveira
Audio editing: Paulo Arruzzo
Closing narration: Bianca Garcia
SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast
Hiding Payloads in Linux Extended File Attributes
Xavier today looked at ways to hide payloads on Linux, similar to how alternate data streams are used on Windows. Turns out that extended file attributes do the trick, and he presents some scripts to either hide data or find hidden data.
https://isc.sans.edu/diary/Hiding%20Payloads%20in%20Linux%20Extended%20File%20Attributes/32116

Cisco Patches Critical Identity Services Engine Flaws CVE-2025-20281, CVE-2025-20337, CVE-2025-20282
An unauthenticated user may execute arbitrary code as root across the network due to improperly validated data in Cisco's Identity Services Engine.
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-unauth-rce-ZAd2GnJ6

Oracle Critical Patch Update
Oracle patched 309 flaws across 111 products. 9 of these vulnerabilities have a critical CVSS score of 9.0 or higher.
https://www.oracle.com/security-alerts/cpujul2025.html

Broadcom Releases VMware Updates
Broadcom fixed a number of vulnerabilities for ESXi, Workstation, Fusion, and Tools.
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/35877
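As an added example (not the scripts from Xavier's diary), here is a Python version of both halves of the technique: stashing a payload in a user.* extended attribute, and walking a directory tree to flag attributes whose value looks like code or an encoded blob rather than metadata. It assumes Linux with a filesystem that supports user xattrs (ext4, xfs, btrfs; tmpfs only on recent kernels); the benign-name list, the magic-byte prefixes and the size/base64 thresholds are constructed heuristics for illustration, not anything from the diary.

```python
"""Hide a payload in a Linux extended attribute, then hunt for such payloads.

Added example; requires Linux and a filesystem that supports user.* xattrs.
"""
import os
import re

# Constructed allow-list: names desktop software commonly writes (xdg origin,
# MIME type). Anything else gets a closer look.
KNOWN_BENIGN = {"user.xdg.origin.url", "user.xdg.referrer.url", "user.mime_type"}

# Constructed magic-byte checks: an xattr value that starts like an ELF, a
# script, a PE or a ZIP is a payload, not metadata.
_CODE_PREFIXES = (b"\x7fELF", b"#!", b"MZ", b"PK\x03\x04")
_BASE64_RE = re.compile(rb"^[A-Za-z0-9+/=\s]{64,}$")   # long base64-looking run
_LARGE_VALUE = 4096                                   # metadata is rarely this big


def hide_in_xattr(path: str, attr: str, payload: bytes) -> None:
    """The 'hiding' side: store payload under attr (e.g. user.comment) on path."""
    os.setxattr(path, attr, payload)


def classify_xattr(name: str, value: bytes) -> str:
    """Return 'code', 'suspicious' or 'benign' for one attribute/value pair."""
    if value.startswith(_CODE_PREFIXES):
        return "code"
    if name in KNOWN_BENIGN and len(value) < 1024:
        return "benign"
    if len(value) > _LARGE_VALUE or _BASE64_RE.match(value):
        return "suspicious"
    if not name.startswith("user."):   # trusted./security. written by an unprivileged tool
        return "suspicious"
    return "benign"


def _xattr_hits(path: str):
    """Yield (path, attr, verdict, size) for every non-benign xattr on one path."""
    try:
        attrs = os.listxattr(path, follow_symlinks=False)
        for attr in attrs:
            value = os.getxattr(path, attr, follow_symlinks=False)
            verdict = classify_xattr(attr, value)
            if verdict != "benign":
                yield (path, attr, verdict, len(value))
    except OSError:            # unsupported filesystem, permission denied, vanished file
        return


def find_hidden_xattrs(root: str):
    """The 'finding' side: walk root and return all non-benign xattrs found."""
    hits = list(_xattr_hits(root))
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            hits.extend(_xattr_hits(os.path.join(dirpath, name)))
    return hits


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, attr, verdict, size in find_hidden_xattrs(target):
        print(f"{verdict:10s} {size:7d}  {attr}  {path}")
```

Run it against a directory (`python3 xattr_hunt.py /srv`) to list every attribute that fails the heuristics; `getfattr -d -m - <file>` on the flagged path shows the raw value. The `user.` namespace is the only one an unprivileged process can write to, which is why a value in `trusted.` or `security.` that is not set by the OS is treated as suspicious on its own.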
SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast
Experimental Suspicious Domain Feed
Our new experimental suspicious domain feed uses various criteria to identify domains that may be used for phishing or other malicious purposes.
https://isc.sans.edu/diary/Experimental%20Suspicious%20Domain%20Feed/32102

Wing FTP Server RCE Vulnerability Exploited CVE-2025-47812
Huntress saw active exploitation of the Wing FTP Server remote code execution vulnerability (CVE-2025-47812) at a customer on July 1, 2025. Organizations running Wing FTP Server should update to the fixed version, 7.4.4, as soon as possible.
https://www.huntress.com/blog/wing-ftp-server-remote-code-execution-cve-2025-47812-exploited-in-wild
https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/

FortiWeb Pre-Auth RCE (CVE-2025-25257)
An exploit for the FortiWeb RCE vulnerability is now available and is being used in the wild.
https://pwner.gg/blog/2025-07-10-fortiweb-fabric-rce

NVIDIA Vulnerable to Rowhammer
NVIDIA has received new research related to the industry-wide DRAM issue known as Rowhammer. The research demonstrates a potential Rowhammer attack against an NVIDIA A6000 GPU with GDDR6 memory. The purpose of this notice is to reinforce already known mitigations to Rowhammer attacks.
https://nvidia.custhelp.com/app/answers/detail/a_id/5671/~/security-notice%3A-rowhammer---july-2025
SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast
What's My (File) Name?
Malware may use the GetModuleFileName API to detect if it was renamed to a name typical for analysis, like sample.exe or malware.exe.
https://isc.sans.edu/diary/What%27s%20My%20%28File%29Name%3F/32084

Atomic macOS Infostealer Adds Backdoor for Persistent Attacks
A malware analyst discovered a new version of the Atomic macOS info-stealer (also known as "AMOS") that comes with a backdoor, giving attackers persistent access to compromised systems.
https://moonlock.com/amos-backdoor-persistent-access

HOUKEN: Seeking a Path by Living on the Edge with Zero-Days
At the beginning of September 2024, an attacker repeatedly exploited the vulnerabilities CVE-2024-8190, CVE-2024-8963, and CVE-2024-9380 to remotely execute arbitrary code on vulnerable Ivanti Cloud Service Appliance devices.
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2025-CTI-009.pdf

SEO Scams Targeting PuTTY, WinSCP, and AI Tools
Paid Google ads are advertising trojaned versions of popular tools like PuTTY and WinSCP.
https://arcticwolf.com/resources/blog-uk/malvertising-campaign-delivers-oyster-broomstick-backdoor-via-seo-poisoning-and-trojanized-tools/
In this episode of The Cybersecurity Defenders Podcast, we discuss some intel being shared in the LimaCharlie community.

Two critical local privilege escalation vulnerabilities in the Sudo utility, CVE-2025-32462 and CVE-2025-32463, have been disclosed by the Stratascale Cyber Research Unit.

Google Chrome and Mozilla Firefox are both facing distinct, serious threats this week: Chrome from a zero-day vulnerability under active exploitation and Firefox from a campaign of malicious browser extensions targeting cryptocurrency users.

The Medusa ransomware group, active since late 2021, has maintained a consistent and aggressive operational tempo into 2025.

Cloudflare has rolled out a significant change to how websites handle AI crawlers, positioning itself as the first internet infrastructure provider to block AI-driven scraping by default.
In this July 2025 Patch [FIX] Tuesday episode, Automox security experts Tom, Seth, and Cody unpack four high-impact threats, from Microsoft updates to Linux vulns and .zip exploit PoCs.

Topics include a physical attack method bypassing BitLocker encryption (CVE-2025-48001), the looming expiration of Secure Boot certificates, a Linux privilege escalation flaw in sudo's chroot option (CVE-2025-32463), and a proof-of-concept .zip exploit that hides malicious content during preview but runs it on unzip.

Expect sharp technical insights, practical mitigation tips, and as always, a few laughs.
In this week's Security Sprint, Dave and Andy covered the following topics:

Warm Open:
• Stopping Vehicles Before They Become Weapons at Church; learn how to protect your church from vehicle-based attacks using bollards and physical barriers.
• DHS to cut 75% of staff in its intelligence office amid heightened threat environment
• North Korean IT Worker Threat: Microsoft - Jasper Sleet: North Korean remote IT workers' evolving tactics to infiltrate organizations

Main Topics:

Severe Weather, Texas & Camp Mystic Flood Disaster:
• FEMA Activates in Texas Following President Trump's Major Disaster Declaration Announcement
• How the cataclysmic floods unfolded, minute by minute, amid darkness and chaos
• Texas Hill Country is no stranger to flash floods, but alerts came too late
• Meteorologists Say the National Weather Service Did Its Job in Texas
• Chantal triggers life-threatening flash floods as storm pushes inland in North Carolina and Virginia
• Chantal continues to bring flooding rain as it moves inland after South Carolina landfall
• A Majority of Companies Are Already Feeling the Climate Heat

Scams!
• FBI PSA: Fraudsters Target US Stock Investors through Investment Clubs Accessed on Social Media and Messaging Applications
• Cyber Criminals Target Prime Day Shoppers with Fake Amazon Domains and Phishing Scams

Iran and Domestic Threats:
• Iran Suspected of Scouting Jewish Targets in Europe
• Sleeper cells and threat warnings: how the US-Iran conflict is spinning up fear
• After U.S. strikes on Iran, officials warn of retaliation from 'sleeper cells' in the U.S.
• Iran-linked hackers threaten to release Trump aides' emails
• Iran's Top General Issues Threat

Quick Hits:
• DOJ investigates ex-ransomware negotiator over extortion kickbacks
• Risky Biz News - C&M hack linked to malicious insider: Brazilian authorities have arrested a 48-year-old programmer in connection with the hack of software company C&M and six Brazilian banks.
• Cybercrime set to become the world's third largest economy
• How Much More Must We Bleed? - Citrix NetScaler Memory Disclosure (CitrixBleed 2 CVE-2025-5777)
• AIVD: threat against the Netherlands remains high, uncertainty regarding world order
• CYFIRMA: Executive Threat Landscape Report Australia
• Hack3d: The Web3 Security Quarterly Report - Q2 + H1 2025
• ReliaQuest: Ransomware and Cyber Extortion in Q2 2025
• Comparitech: Ransomware Roundup: H1 2025 stats on attacks, ransoms, and active gangs
• National Health Care Fraud Takedown Results in 324 Defendants Charged in Connection with Over $14.6 Billion in Alleged Fraud
• Chinese Scholars Probe for Weaknesses in Western Electricity Grids
• Chinese Hackers Target France in Ivanti Zero-Day Exploit Campaign
SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast
Interesting ssh/telnet Usernames
Some interesting usernames observed in our honeypots.
https://isc.sans.edu/diary/A%20few%20interesting%20and%20notable%20ssh%20telnet%20usernames/32080

More sudo Trouble
The host option in sudo can be exploited to execute commands on unauthorized hosts.
https://www.stratascale.com/vulnerability-alert-CVE-2025-32462-sudo-host

CitrixBleed 2 PoC Posted (CVE-2025-5777)
watchTowr published additional details about the recently patched CitrixBleed 2 vulnerability, including a PoC exploit.
https://labs.watchtowr.com/how-much-more-must-we-bleed-citrix-netscaler-memory-disclosure-citrixbleed-2-cve-2025-5777/

Instagram Using Six-Day Certificates
Instagram changes their TLS certificates daily, and they use certificates that are set to expire within about a week.
https://hereket.com/posts/instagram-single-day-certificates/
SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast
Sudo chroot Elevation of Privilege
The sudo chroot option can be leveraged by any local user to elevate privileges to root, even if no sudo rules are defined for that user.
https://www.stratascale.com/vulnerability-alert-CVE-2025-32463-sudo-chroot

Polymorphic ZIP Files
A zip file with a corrupt End of Central Directory Record may extract different data depending on the tool used to extract the files.
https://hackarcana.com/article/yet-another-zip-trick

Cisco Unified Communications Manager Static SSH Credentials Vulnerability
A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthenticated, remote attacker to log in to an affected device using the root account, which has default, static credentials that cannot be changed or deleted.
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-ssh-m4UBdpE7
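The polymorphic ZIP item above (and the .zip preview-versus-unzip proof of concept mentioned in the Automox Patch Tuesday episode earlier on this page) both come down to one fact: a ZIP carries two indexes, the central directory located through the End of Central Directory (EOCD) record at the tail, and the local file headers that can be walked from offset 0, and nothing forces the two to agree. The following is an added example, not code from the hackarcana article. It builds the ambiguous file itself by concatenating two archives (so the article's corrupt EOCD is replaced here by a second, trailing EOCD), then shows what a central-directory reader and a streaming reader each report; the file names and contents are constructed.

```python
"""Build a ZIP whose listed contents depend on which parser reads it.

Added example. Two STORED archives are concatenated: the first is what a
streaming extractor meets first, the second owns the EOCD record that
central-directory readers trust.
"""
import io
import struct
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"
EOCD_SIG = b"PK\x05\x06"
LOCAL_HEADER_FMT = "<4sHHHHHIIIHH"   # 30-byte local file header


def make_zip(entries):
    """Return the bytes of an uncompressed archive built from {name: data}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_polymorphic_zip():
    """Constructed sample: a 'hidden' archive followed by a 'visible' one."""
    hidden = make_zip({"payload.sh": b"#!/bin/sh\necho constructed payload\n"})
    visible = make_zip({"readme.txt": b"nothing to see here\n"})
    return hidden + visible


def names_via_central_directory(data):
    """What a tool that honours the trailing EOCD reports (Python's zipfile does this)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def names_via_local_headers(data):
    """What a streaming extractor that walks local headers from offset 0 reports."""
    names, pos = [], 0
    while True:
        pos = data.find(LOCAL_HEADER_SIG, pos)
        if pos < 0 or pos + 30 > len(data):
            break
        (_sig, _ver, flags, _method, _t, _d, _crc, csize, _usize,
         fnlen, extralen) = struct.unpack_from(LOCAL_HEADER_FMT, data, pos)
        names.append(data[pos + 30:pos + 30 + fnlen].decode("utf-8", "replace"))
        pos += 30 + fnlen + extralen
        if not flags & 0x08:          # no data descriptor: size in header is authoritative
            pos += csize
    return names


def count_eocd(data):
    """More than one EOCD signature is a strong sign of a stitched archive."""
    return data.count(EOCD_SIG)


def is_ambiguous(data):
    """True when the two parsing strategies disagree about what the archive holds."""
    return set(names_via_central_directory(data)) != set(names_via_local_headers(data))


if __name__ == "__main__":
    sample = build_polymorphic_zip()
    print("central directory view:", names_via_central_directory(sample))
    print("local header view:     ", names_via_local_headers(sample))
    print("EOCD records:", count_eocd(sample), "ambiguous:", is_ambiguous(sample))
```

A preview pane or AV engine that lists the archive through the central directory sees only readme.txt; an extractor that streams local headers (the behaviour of several "unzip everything you find" tools) also writes payload.sh. For an intake filter the useful check is the disagreement itself: `is_ambiguous` returns True for the constructed file, and rejecting anything with more than one EOCD signature catches the concatenation variant cheaply before any parsing.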
North Korean IT Worker Fraud Scheme:
The U.S. Department of Justice uncovered a covert North Korean operation involving IT workers fraudulently securing remote jobs at over 100 American tech companies using stolen or fake identities. These workers operated within U.S.-based "laptop farms" and created shell companies to obscure over $5 million in illicit earnings. Funds were funneled to the North Korean government, supporting weapons development. The scheme also involved data theft, including sensitive source code from a U.S. defense contractor.

Android 16 Anti-Surveillance Feature:
Android 16 introduces a "network notification" security upgrade that alerts users when their device connects to suspicious or unencrypted cell networks. It specifically guards against fake cell towers, such as stingray devices, by warning users about network requests for identifiers or lack of encryption, enhancing protection from mobile surveillance and forced downgrades to insecure protocols.

Critical Printer Vulnerabilities:
Rapid7 researchers identified eight major vulnerabilities affecting printers from Brother, Ricoh, Toshiba, Konica Minolta, and Fujifilm. The most critical flaw (CVE-2024-51978) lets remote attackers bypass admin authentication by exploiting a companion vulnerability (CVE-2024-51977) that reveals the printer's serial number, which is used to generate default admin credentials. This enables unauthorized reconfiguration and access to stored sensitive documents.

Microsoft Authenticator Password Phase-Out:
Microsoft will remove password autofill and access features from its Authenticator app starting July 2025. The move supports a transition to passwordless sign-ins using biometrics (e.g., facial recognition, fingerprints) and passkeys, aligning with industry shifts toward stronger, phishing-resistant authentication methods.

NIH Open-Access Research Mandate:
A new U.S. NIH policy mandates that all taxpayer-funded research be freely accessible upon publication. This accelerates an open-access directive initiated under Biden and implemented during the Trump administration. The policy enhances public access to scientific discoveries and may enable AI tools to help interpret complex studies for broader audiences.

Pro-Scottish Independence Account Shutdowns:
On June 12, multiple X (formerly Twitter) accounts advocating for Scottish independence vanished in sync with an Israeli cyber strike on Iran. The timing and scope of internet outages in Iran imply that the accounts were likely Iranian-run disinformation tools designed to destabilize the UK under the guise of grassroots political advocacy.

Facebook Camera Roll Upload Concerns:
Facebook is asking users to opt in to uploading unshared photos from their camera roll to Meta's servers to enable AI-generated content (e.g., collages). While Meta states that content remains private and isn't used for advertising, users must accept AI Terms that permit facial recognition, retention of loosely defined personal data, and potential human review, raising serious privacy concerns over intimate, unshared images.

Meta's AI Superlab Push:
Meta has launched "Meta Superintelligence Labs" and is heavily investing in top AI talent, reportedly offering compensation packages in the $10 million range. This underscores Meta's ambition to lead in high-end AI development, marking its entry into the elite tier of the global "AI arms race" beyond consumer-facing chatbots.
Regular listeners, be strong: this time there is no news about the WebPKI. Instead, Christopher and Sylvester talk about the alleged leak of 16 billion credentials and how it was inflated into a major event. They also discuss a security vulnerability in the Linux kernel, or is it somewhere else? The kernel developers and the Ubuntu distribution disagree on that point and fought the dispute out via CVE identifiers. Christopher also shares his impressions of the vulnerability ecosystem and how it overloads individual maintainers of open-source software. And finally, a Bluetooth vulnerability throws a spotlight on an industry in which the supply chain has become so opaque that it is impossible to say which devices are affected.
- https://mjg59.dreamwidth.org/71646.html & https://mjg59.dreamwidth.org/71933.html
- https://blog.cryptographyengineering.com/2025/06/09/a-bit-more-on-twitter-xs-new-encrypted-messaging/
- DNSSEC KSK Ceremony: https://www.iana.org/dnssec/ceremonies/57
- Greg Kroah-Hartman on kernel CVE practice: https://www.youtube.com/watch?v=u44eMQpGlxA&t=787s
- https://heise.de/-9777933
- XKCD Dependency: https://xkcd.com/2347/
- Follow us in the Fediverse: @christopherkunz@chaos.social and @syt@social.heise.de
Members of our security community on heise security PRO hear all episodes two days earlier. More info: https://pro.heise.de/passwort
The Feds shut down a covert North Korean IT operation. Google releases an emergency update to fix a new Chrome zero-day. A major U.S. trade show and event marketing firm suffers a data breach. NetScaler patches a pair of critical vulnerabilities. A sophisticated cyber attack targets The Hague. An Iran-linked hacking group threatens to release emails allegedly stolen from aides to President Trump. A ransomware attack exposes sensitive data linked to multiple Swiss federal government offices. The U.S. Treasury Department faces scrutiny after a string of cyberattacks. The FBI's phone security tips draw fire from Senator Wyden. Tim Starks from CyberScoop describes how ubiquitous surveillance turned deadly. AI proves its pentesting prowess.

CyberWire Guest
We are joined today by Tim Starks, Senior Reporter from CyberScoop, discussing his story "Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report."

Selected Reading
• US government takes down major North Korean 'remote IT workers' operation (TechCrunch)
• Google fixes fourth actively exploited Chrome zero-day of 2025 (Bleeping Computer)
• NetScaler Critical Security Updates for CVE-2025-6543 and CVE-2025-5777 (NetScaler)
• International Criminal Court hit with cyber security attack (AP News)
• Iran-linked hackers threaten to release Trump aides' emails (Reuters)
• Swiss government data compromised in ransomware attack on health foundation Radix (Beyond Machines)
• Trade show management firm Nth Degree hit by data breach, exposing sensitive data (Beyond Machines)
• A Trio of US Treasury Hacks Exposes a Pattern Making Banks Nervous (Bloomberg)
• Senator Chides FBI for Weak Advice on Mobile Security (Krebs on Security)
• The top red teamer in the US is an AI bot (CSO Online)

The CyberWire is a production of N2K Networks.
In this week's Security Sprint, Dave and Andy covered the following topics:

Warm Open:
• The GRIP is one year old and to celebrate, we're running an anniversary sale!
• Join the GRIP in July and use promo code HOTJULY2025 to receive a 20% discount!
• (TLP:CLEAR) Hostile Nation States Employing Non-State Actors
• Surge in MOVEit Transfer Scanning Could Signal Emerging Threat Activity
• 'Suspended animation': US government upheaval has frayed partnerships with critical infrastructure
• Short-term extension of expiring cyber information-sharing law could be on the table
• Gate 15 is excited to offer a low-cost ransomware resilience exercise for executives! Contact us today for more information on this great opportunity!

Main Topics:

Iranian Cyber Actors May Target Vulnerable US Networks and Entities of Interest. CISA, the Federal Bureau of Investigation (FBI), the Department of Defense Cyber Crime Center (DC3), and the National Security Agency (NSA) published Iranian Cyber Actors May Target Vulnerable US Networks and Entities of Interest. This joint fact sheet details the need for increased vigilance for potential cyber activity against U.S. critical infrastructure by Iranian state-sponsored or affiliated threat actors. Defense Industrial Base companies, particularly those possessing holdings or relationships with Israeli research and defense firms, are at increased risk. At this time, we have not seen indications of a coordinated campaign of malicious cyber activity in the U.S. that can be attributed to Iran.

Beazley Report: U.S. Executives Misjudge Their Cyber Preparedness. U.S.-based executives feel more prepared to counter cyber threats, potentially indicating a false sense of security because many companies lack the ability to be adequately prepared, according to a new report from specialist insurer Beazley. According to the report, Spotlight on Tech Transformation & Cyber Risk 2025, the perception of cyber resilience rose to 81% from 73% a year ago.

Hostile Events:
• A violent ambush in Idaho leaves 2 firefighters dead and 1 injured. What to know about the attack
• Suspect Identified in Deadly Ambush of Idaho Firefighters
• Chilling 'coincidence' of Idaho shooting sends internet sleuths into overdrive
• Gunman started Idaho blaze and then fatally shot 2 firefighters in ambush attack, officials say
• Here's a timeline of how the Canfield Mountain ambush shooting unfolded
• Multiple firefighters reportedly shot while responding to fire near Coeur d'Alene
• Europol: New report - major developments and trends on terrorism in Europe in 2024

Quick Hits:
• Canadian Centre for Cyber Security - Vulnerabilities impacting Citrix NetScaler ADC and NetScaler Gateway - CVE-2025-5349, CVE-2025-5777 and CVE-2025-6543
• Over 1,200 Citrix servers unpatched against critical auth bypass flaw
• The State of Ransomware 2025
• Scattered Spider hackers shift focus to aviation, transportation firms
• Scattered Spider's Calculated Path from CFO to Compromise
• M&S fashion rivals 'benefited from its pause on online orders after cyber-attack'
• Ransomware attack contributed to patient's death
• Canada orders Chinese CCTV biz Hikvision to quit the country ASAP
• FBI PSA - Criminals Posing as Legitimate Health Insurers and Fraud Investigators to Commit Health Care Fraud
• 50 Customers of French Bank Hit by Insider SIM Swap Scam; an intern at Société Générale is believed to have facilitated the theft of more than EUR1mn (USD1.15mn) from the bank's customers.
• State of CPS Security 2025: Building Management System Exposures
• H1 2025 Crypto Hacks and Exploits: A New Record Amid Evolving Threats
This week we are joined by Kyle Lefton, Security Researcher from Akamai, who is diving into their work on "Two Botnets, One Flaw - Mirai Spreads Through Wazuh Vulnerability." Akamai researchers have observed active exploitation of CVE-2025-24016, a critical RCE vulnerability in Wazuh, by two Mirai-based botnets. The campaigns highlight how quickly attackers are adapting proof-of-concept exploits to spread malware, underscoring the urgency of patching vulnerable systems. One botnet appears to target Italian-speaking users, suggesting regionally tailored operations. The research can be found here: Two Botnets, One Flaw: Mirai Spreads Through Wazuh Vulnerability
SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast
NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2025-6543
Citrix patched a memory overflow vulnerability leading to unintended control flow and denial of service.
https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694788

Remote Code Execution in CentOS Web Panel - CVE-2025-48703
An arbitrary file upload vulnerability in the user (not admin) part of Web Panel can be used to execute arbitrary code.
https://fenrisk.com/rce-centos-webpanel

Gogs Arbitrary File Deletion Vulnerability
Due to the insufficient patch for CVE-2024-39931, it is still possible to delete files under the .git directory and achieve remote command execution.
https://github.com/gogs/gogs/security/advisories/GHSA-wj44-9vcg-wjq7

Let's Encrypt Will Soon Issue IP Address-Based Certs
Let's Encrypt is almost ready to issue certificates for IP address SANs from its production environment. They'll only be available under the short-lived profile (which has a 6-day validity period), and that profile will remain allowlist-only for a while.
https://community.letsencrypt.org/t/getting-ready-to-issue-ip-address-certificates/238777
News includes the first CVE released under the EEF's new CNA program for an Erlang zip traversal vulnerability, Phoenix MacroComponents being delayed for greater potential, Supabase announcing Multigres (a Vitess-like proxy for scaling Postgres to petabyte scale), a surge of new MCP server implementations for Phoenix and Plug including Phantom, HermesMCP, ExMCP, Vancouver, and Excom, a fun blog post revealing that Erlang was the only language that didn't crash under extreme load testing against 6 other languages, LiveDebugger v0.3.0 being teased with Firefox extension support and enhanced debugging capabilities, and more!

Show Notes online - http://podcast.thinkingelixir.com/258

Elixir Community News
• https://cna.erlef.org/cves/cve-2025-4748.html – New CVE for Erlang regarding zip traversal, 4.8 severity (medium), with a workaround available, or update to the latest patched OTP versions. First CVE released under the EEF's new CNA (CVE Numbering Authority) program, a successful process milestone.
• https://bsky.app/profile/steffend.me/post/3lrlhd5etkc2p – Phoenix MacroComponents is being delayed in search of greater potential
• https://github.com/phoenixframework/phoenix_live_view/pull/3846 – Draft PR for Phoenix MacroComponents development
• https://x.com/supabase/status/1933627932972376097 – Supabase announcement of the Multigres project
• https://supabase.com/blog/multigres-vitess-for-postgres – Multigres, Vitess for Postgres: announcement of a new proxy for scaling Postgres databases to petabyte scale
• https://github.com/multigres/multigres – Multigres GitHub repository. Sugu, co-creator of Vitess, has joined Supabase to build Multigres.
• https://hex.pm/packages/phantom_mcp – Phantom MCP server, a comprehensive implementation supporting Streamable HTTP with Phoenix/Plug integration
• https://hex.pm/packages/hermes_mcp – HermesMCP, a comprehensive MCP server with client, stdio and Plug adapters
• https://hex.pm/packages/ex_mcp – ExMCP, a comprehensive MCP implementation with client, server, stdio and Plug adapters; uses Horde for distribution
• https://hex.pm/packages/vancouver – Vancouver MCP server, a simple implementation supporting only tools
• https://hex.pm/packages/excom – Excom MCP server, a simple implementation supporting only tools
• https://www.youtube.com/watch?v=4dzZ44-xVds – AshAI video demo showing incredible introspection capabilities for MCP frameworks
• https://freedium.cfd/https:/medium.com/@codeperfect/we-tested-7-languages-under-extreme-load-and-only-one-didnt-crash-it-wasn-t-what-we-expected-67f84c79dc34 – Blog post comparing 7 languages under extreme load; Erlang was the only one that didn't crash
• https://github.com/software-mansion/live-debugger – LiveDebugger v0.3.0 release being teased with new features
• https://bsky.app/profile/membrane-swmansion.bsky.social/post/3lrb4kpmmw227 – Software Mansion preview of LiveDebugger v0.3.0 features including Firefox extension and enhanced debugging capabilities
• https://smartlogic.io/podcast/elixir-wizards/s14-e03-langchain-llm-integration-elixir/ – Elixir Wizards podcast episode featuring discussion with Mark Ericksen on the Elixir LangChain project for LLM integration
With @cktricky out on a grand tour across the country (or just unable to record for the day), @sethlaw succumbs to the dark side to give @lojikil a platform to talk about recent developments in the application security world. Specifically, a discussion on vulnerability data and scoring mechanisms, including CVE, CVSS, CWSS, and other acronyms. Wraps up with a longer discussion on the use of AI across multiple disciplines and provenance of AI Slop.
In this episode of The Cybersecurity Defenders Podcast, we discuss some intel being shared in the LimaCharlie community. Over an eight-month period beginning in July of last year, China-backed threat actors carried out a coordinated campaign that included attempts to breach cybersecurity vendor SentinelOne. CISA has added two newly confirmed exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active abuse in the wild. OpenAI has banned ChatGPT accounts linked to state-sponsored threat actors, including groups affiliated with governments in China, Russia, North Korea, Iran, and others. A critical vulnerability in Wazuh Server, CVE-2025-24016 (CVSS 9.9), is being actively exploited by threat actors to deliver multiple Mirai botnet variants for distributed denial-of-service (DDoS) operations.
SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast
Extracting Data From JPEGs
Didier shows how to efficiently extract data from JPEGs using his tool jpegdump.py
https://isc.sans.edu/diary/A%20JPEG%20With%20A%20Payload/32048

Windows Recall Export in Europe
In its latest insider build for Windows 11, Microsoft is testing an export feature for data stored by Recall. The feature is limited to European users and requires that you note an encryption key that will be displayed only once as Recall is enabled.
https://blogs.windows.com/windows-insider/2025/06/13/announcing-windows-11-insider-preview-build-26120-4441-beta-channel/

Anubis Ransomware Now Wipes Data
The Anubis ransomware, usually known for standard double extortion, is now also wiping data, preventing any recovery even if you pay the ransom.
https://www.trendmicro.com/en_us/research/25/f/anubis-a-closer-look-at-an-emerging-ransomware.html

Mitel Vulnerabilities CVE-2025-47188
Mitel this week patched a critical path traversal vulnerability (sadly, no CVE), and Infoguard Labs published a PoC exploit for an older file upload vulnerability.
https://labs.infoguard.ch/posts/cve-2025-47188_mitel_phone_unauthenticated_rce/
https://www.mitel.com/support/mitel-product-security-advisory-misa-2025-0007
In this episode of The Tech Trek, Amir sits down with Matt Moore, CTO and co-founder of Chainguard, to explore the escalating importance of software supply chain security. From Chainguard's origin story at Google to the systemic risks enterprises face when consuming open source, Matt shares the lessons, best practices, and technical innovations that help make open source software safer and more reliable. The conversation also touches on AI's impact on the attack surface, mitigating threats with engineering rigor, and why avoiding long-lived credentials could be your best defense.
SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast
Quasar RAT Delivered Through Bat Files
Xavier walks you through a quick reverse analysis of a script that injects code extracted from a PNG image to implement a Quasar RAT.
https://isc.sans.edu/diary/Quasar%20RAT%20Delivered%20Through%20Bat%20Files/32036

Delayed Windows 11 24H2 Rollout
Microsoft slightly throttled the rollout of Windows 11 24H2 due to issues stemming from the Patch Tuesday fixes.
https://learn.microsoft.com/en-us/windows/release-health/windows-message-center#3570

An In-Depth Analysis of CVE-2025-33073
Patch Tuesday fixed an already exploited SMB client vulnerability. A blog by Synacktiv explains the nature of the issue and how to exploit it.
https://www.synacktiv.com/en/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025

Connectwise Rotating Signing Certificates
Connectwise is rotating signing certificates after a recent compromise, and will release a new version of its Screen share software soon to harden its configuration.
https://www.connectwise.com/company/trust/advisories

KDE Telnet URL Vulnerability
The Konsole delivered as part of KDE may be abused to execute arbitrary code via telnet URLs.
https://kde.org/info/security/advisory-20250609-1.txt
June's Patch [FIX] Tuesday unpacks a lighter-than-usual Windows patch cycle — but don't get too comfortable. Join Automox cybersecurity experts as they break down high-risk vulnerabilities across macOS and Windows, including:
- A chained SSH vulnerability (CVE-2025-26465 & CVE-2025-26466) that allows memory exhaustion and bypasses host key verification
- A WebDAV remote code execution flaw (CVE-2025-33053) actively exploited in the wild
- Multiple macOS threats, from sandbox escapes to keychain access and privilege escalation

The team also shares patching strategies, mitigation tips, and password hygiene advice you'll want to follow.
Our terminal apps are loaded, the goals are set, but we're already hitting a few snags. The TUI Challenge begins...

Sponsored By:
- Tailscale: Tailscale is a programmable networking software that is private and secure by default - get it free on up to 100 devices!
- 1Password Extended Access Management: 1Password Extended Access Management is a device trust solution for companies with Okta, and they ensure that if a device isn't trusted and secure, it can't log into your cloud apps.
- Unraid: A powerful, easy operating system for servers and storage. Maximize your hardware with unmatched flexibility.

Support LINUX Unplugged

Links:
SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast
vBulletin Exploits CVE-2025-48827, CVE-2025-48828
We do see exploit attempts for the vBulletin flaw disclosed about a week ago. The flaw is only exploitable if vBulletin is run on PHP 8.1, and was patched over a year ago. However, vBulletin never disclosed the type of vulnerability that was patched.
https://isc.sans.edu/diary/vBulletin%20Exploits%20%28CVE-2025-48827%2C%20CVE-2025-48828%29/32006

Google Chrome 0-Day Patched
Google released a security update for Google Chrome patching three flaws. One of these is already being exploited.
https://chromereleases.googleblog.com/

Roundcube Update
Roundcube patched a vulnerability that allows any authenticated user to execute arbitrary code.
https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10

HP Vulnerabilities in StoreOnce
HP patched multiple vulnerabilities in StoreOnce. These issues could lead to remote code execution.
https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbst04847en_us&docLocale=en_US
Forecast = Stormy with a chance of TikTok malware showers—exploit scoring systems hot, but patch management outlook remains partly cloudy.

Welcome to Storm⚡️Watch! In this episode, we're diving into the current state of cyber weather with a mix of news, analysis, and practical insights.

This week, we tackle a fundamental question: are all exploit scoring systems bad, or are some actually useful? We break down the major frameworks:

- **CVSS (Common Vulnerability Scoring System):** The industry standard for assessing vulnerability severity, CVSS uses base, temporal, and environmental metrics to give a comprehensive score. It's widely used but has limitations—especially since it doesn't always reflect real-world exploitability.
- **Coalition Exploit Scoring System (ESS):** This system uses AI and large language models to predict the likelihood that a CVE will be exploited in the wild. ESS goes beyond technical severity, focusing on exploit availability and usage probabilities, helping organizations prioritize patching with better accuracy than CVSS alone.
- **EPSS (Exploit Prediction Scoring System):** EPSS is a data-driven approach that estimates the probability of a vulnerability being exploited, using real-world data from honeypots, IDS/IPS, and more. It updates daily and helps teams focus on the most urgent risks.
- **VEDAS (Vulnerability & Exploit Data Aggregation System):** VEDAS aggregates data from over 50 sources and clusters vulnerabilities, providing a score based on exploit prevalence and maturity. It's designed to help teams understand which vulnerabilities are most likely to be actively exploited.
- **LEV/LEV2 (Likely Exploited Vulnerabilities):** Proposed by NIST, this metric uses historical EPSS data to probabilistically assess exploitation, helping organizations identify high-risk vulnerabilities that might otherwise be missed.
- **CVSS BT:** This project enriches CVSS scores with real-world threat intelligence, including data from CISA KEV, ExploitDB, and more. It's designed to help organizations make better patching decisions by adding context about exploitability.

Next, we turn our attention to a troubling trend: malware distribution via TikTok. Attackers are using AI-generated videos, disguised as helpful software activation tutorials, to trick users into running malicious PowerShell commands. This "ClickFix" technique has already reached nearly half a million views. The malware, including Vidar and StealC, runs entirely in memory, bypassing traditional security tools and targeting credentials, wallets, and financial data. State-sponsored groups from Iran, North Korea, and Russia have adopted these tactics, making it a global concern. For employees, the takeaway is clear: never run PowerShell commands from video tutorials, and always report suspicious requests to IT. For IT teams, consider disabling the Windows+R shortcut for standard users, restrict PowerShell execution, and update security awareness training to include social media threats.

We also highlight the latest from Censys, VulnCheck, runZero, and GreyNoise—industry leaders providing cutting-edge research and tools for vulnerability management and threat intelligence. Don't miss GreyNoise's upcoming webinar on resurgent vulnerabilities and their impact on organizational security.

And that's a wrap for this episode! We will be taking a short break from Storm Watch for the summer. We look forward to bringing more episodes to you in the fall!

Storm Watch Homepage >> Learn more about GreyNoise >>
This week, we are joined by John Hammond, Principal Security Researcher at Huntress, who is sharing his PoC and research on "CVE-2025-30406 - Critical Gladinet CentreStack & Triofox Vulnerability Exploited In The Wild." A critical 9.0 severity vulnerability (CVE-2025-30406) in Gladinet CentreStack and Triofox is being actively exploited in the wild, allowing remote code execution via hardcoded cryptographic keys in default configuration files. Huntress researchers observed compromises at multiple organizations and confirmed hundreds of vulnerable internet-exposed servers, urging immediate patching or manual machineKey updates. Mitigation guidance, detection, and remediation scripts have been released to help users identify and secure affected installations. The research can be found here: CVE-2025-30406 - Critical Gladinet CentreStack & Triofox Vulnerability Exploited In The Wild Learn more about your ad choices. Visit megaphone.fm/adchoices
SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast
Researchers Scanning the Internet
A newish RFC, RFC 9511, suggests researchers identify themselves by adding strings to the traffic they send, or by operating web servers on the machines from which the scan originates. We do offer lists of researchers and just added three new groups today.
https://isc.sans.edu/diary/Researchers%20Scanning%20the%20Internet/31964

Cloudy with a chance of Hijacking: Forgotten DNS Records
Organizations do not always remove unused CNAME records. An attacker may take advantage of this if the attacker is able to take possession of the now unused public cloud resource the name pointed to.
https://blogs.infoblox.com/threat-intelligence/cloudy-with-a-chance-of-hijacking-forgotten-dns-records-enable-scam-actor/

Message signature verification can be spoofed CVE-2025-47934
A vulnerability in openpgp.js may be used to spoof message signatures. openpgp.js is a popular library in systems implementing end-to-end encrypted browser applications.
https://github.com/openpgpjs/openpgpjs/security/advisories/GHSA-8qff-qr5q-5pr8
On this week's show Patrick Gray and Adam Boileau discuss the week's cybersecurity news:
- TeleMessage memory dumps show up on DDoSecrets
- Coinbase contractor bribed to hand over user data
- Telegram does seem to be actually cooperating with law enforcement
- Britain's legal aid service gets 15 years worth of applicant data stolen
- Shocking no one, Ivanti were weaseling when they blamed latest bugs on a third party library

This week's episode is sponsored by Prowler, who make an open source cloud security tool. Founder and original project developer Toni de la Fuente joins to talk through the flexibility that open tooling brings. Prowler is also adding support for SaaS platforms like M365, and of course, an AI assistant to help you write checks!

This episode is also available on Youtube.

Show notes
- TeleMessage - Distributed Denial of Secrets
- How the Signal Knockoff App TeleMessage Got Hacked in 20 Minutes | WIRED
- Coinbase says thieves stole user data and tried to extort $20M
- Hack could cost Coinbase up to $400M: filing | Cybersecurity Dive
- Severed Fingers and 'Wrench Attacks' Rattle the Crypto Elite
- Money Stuff: US Debt Rates Itself | NewsletterHunt
- 2 massive black market services blocked by Telegram, messaging app says | Reuters
- Telegram Gave Authorities Data on More than 20,000 Users
- GovDelivery, an email alert system used by governments, abused to send scam messages | TechCrunch
- ATO warning as hackers steal $14,000 in tax returns: 'Be wary'
- Hack of SEC social media account earns 14-month prison sentence for Alabama man | The Record from Recorded Future News
- 19-year-old accused of largest child data breach in U.S. agrees to plead guilty
- Beach mansion, Benz and Bitcoin worth $4.5m seized from League of Legends hacker Shane Stephen Duffy | 7NEWS
- Pegasus spyware maker rebuffed in efforts to get off trade blacklist - The Washington Post
- Ransomware attack hits supplier of refrigerated groceries to British supermarkets | The Record from Recorded Future News
- UK government confirms massive data breach following hack of Legal Aid Agency | The Record from Recorded Future News
- Ivanti Endpoint Mobile Manager customers exploited via chained vulnerabilities | Cybersecurity Dive
- Expression Payloads Meet Mayhem - Ivanti EPMM Unauth RCE Chain (CVE-2025-4427 and CVE-2025-4428)
SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast
Web Scanning SonicWall for CVE-2021-20016 - Update
Scans for SonicWall increased by an order of magnitude over the last couple of weeks. Many of the attacks appear to originate from Global Host, a low-cost virtual hosting provider.
https://isc.sans.edu/diary/Web%20Scanning%20SonicWall%20for%20CVE-2021-20016%20-%20Update/31952

Google Update Patches Exploited Chrome Flaw
Google released an update for Chrome. The update fixes two specific flaws reported by external researchers, CVE-2025-4664 and CVE-2025-4609. The first flaw is already being exploited in the wild.
https://chromereleases.googleblog.com/2025/05/stable-channel-update-for-desktop_14.html
https://x.com/slonser_/status/1919439373986107814

RVTools Bumblebee Malware Attack
Zerodaylabs published its analysis of the RV-Tools Backdoor attack. It suggests that this may not be solely a search engine optimization campaign directing victims to the malicious installer, but that the RVTools distribution site was compromised.
https://zerodaylabs.net/rvtools-bumblebee-malware/

Operation RoundPress
ESET Security wrote up a report summarizing recent XSS attacks against open-source webmail systems.
https://www.welivesecurity.com/en/eset-research/operation-roundpress/
SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast
Another day, another phishing campaign abusing google.com open redirects
Google's links from its maps page to hotel listings do suffer from an open redirect vulnerability that is actively exploited to direct users to phishing pages.
https://isc.sans.edu/diary/Another%20day%2C%20another%20phishing%20campaign%20abusing%20google.com%20open%20redirects/31950

Adobe Patches
Adobe patched 12 different applications. Of particular interest is the update to ColdFusion, which fixes several arbitrary code execution and arbitrary file read problems.
https://helpx.adobe.com/security/security-bulletin.html

Samsung Patches magicInfo 9 Again
Samsung released a new patch for the already exploited magicInfo 9 CMS vulnerability. While the description is identical to the patch released last August, a new CVE number is used.
https://security.samsungtv.com/securityUpdates#SVP-MAY-2025

Ivanti Patches Critical Ivanti Neurons Flaw
Ivanti released a patch for Ivanti Neurons for ITSM (on-prem only) fixing a critical authentication bypass vulnerability. Ivanti also points to its guidance to secure the underlying IIS server to make exploitation of flaws like this more difficult.
This week in the security news:
- Android catches up to iOS with its own lockdown mode
- Just in case, there is a new CVE foundation
- Branch privilege injection attacks
- My screen is vulnerable
- The return of embedded devices to take over the world - 15 years later
- Attackers are going after MagicINFO
- Hacking Starlink
- Mitel SIP phones can be hacked
- Reversing with Hopper
- Supercharge your Ghidra with AI
- Pretending to be an anti-virus to bypass anti-virus
- macOS RCE - perfect colors
- End of life routers are a hacker's dream, and how info sharing sucks
- Ransomware in your CPU
- Disable ASUS DriverHub
- Age verification and privacy concerns

Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-874
A busy Patch Tuesday. Investigators discover undocumented communications devices inside Chinese-made power inverters. A newly discovered Branch Privilege Injection flaw affects Intel CPUs. A UK retailer may claim up to £100mn from its cyber insurers after a major cyberattack. A Kosovo national has been extradited to the U.S. for allegedly running an illegal online marketplace. CISA will continue alerts on its website following industry backlash. On our Industry Voices segment, Neil Hare-Brown, CEO at STORM Guidance, discusses Cyber Incident Response (CIR) retainer service provision. Shoring up the future of the CVE program.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
On today's Industry Voices segment, we are joined by Neil Hare-Brown, CEO at STORM Guidance, discussing Cyber Incident Response (CIR) retainer service provision. You can learn more here.

Selected Reading
- Microsoft Patch Tuesday security updates for May 2025 fixed 5 actively exploited zero-days (Security Affairs)
- SAP patches second zero-day flaw exploited in recent attacks (Bleeping Computer)
- Ivanti fixes EPMM zero-days chained in code execution attacks (Bleeping Computer)
- Fortinet fixes critical zero-day exploited in FortiVoice attacks (Bleeping Computer)
- Vulnerabilities Patched by Juniper, VMware and Zoom (SecurityWeek)
- ICS Patch Tuesday: Vulnerabilities Addressed by Siemens, Schneider, Phoenix Contact (SecurityWeek)
- Adobe Patches Big Batch of Critical-Severity Software Flaws (SecurityWeek)
- Ghost in the machine? Rogue communication devices found in Chinese inverters (Reuters)
- New Intel CPU flaws leak sensitive data from privileged memory (Bleeping Computer)
- M&S cyber insurance payout to be worth up to £100mn (Financial Times)
- US extradites Kosovo national charged in operating illegal online marketplace (The Record)
- CISA Planned to Kill .Gov Alerts. Then It Reversed Course. (Data BreachToday)
- CVE Foundation eyes year-end launch following 11th-hour rescue of MITRE program (CyberScoop)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast
Microsoft Patch Tuesday
Microsoft patched 70-78 vulnerabilities (depending on how you count them). Five of these vulnerabilities are already being exploited. In particular, a remote code execution vulnerability in the scripting engine should be taken seriously. It requires the Microsoft Edge browser to run in Internet Explorer mode.
https://isc.sans.edu/diary/Microsoft%20Patch%20Tuesday%3A%20May%202025/31946

Security Advisory Ivanti Endpoint Manager Mobile (EPMM) May 2025 (CVE-2025-4427 and CVE-2025-4428)
Ivanti patched an authentication bypass vulnerability and a remote code execution vulnerability. The authentication bypass can be chained with the remote code execution vulnerability, so the latter can be exploited without authenticating first.
https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM?language=en_US

Fortinet Patches Exploited Vulnerability in API (CVE-2025-32756)
Fortinet patched an already exploited stack-based buffer overflow vulnerability in the API of multiple Fortinet products. The vulnerability is exploited via crafted HTTP requests.
https://fortiguard.fortinet.com/psirt/FG-IR-25-254
Enabling Firefox's Tab Grouping. Recalled Recall Re-Rolls out. The crucial CVE program nearly died. It's been given new life. China confesses to hacking the US (blames our stance on Taiwan). CISA says what Oracle still refuses to. Brute force attacks on the (rapid) rise. An AI/ML Python package rates a 9.8 (again!) The CA/Browser forum passed short-life certs. :( A wonderful crosswalk hack hits Silicon Valley. Android to add force restarting ahead of schedule. Maybe. The EFF is never happy. But especially now, about Florida. Interesting research into ransomware payouts. Windows Sandbox: The amazing gem hidden inside all Windows 10 & 11!

Show Notes - https://www.grc.com/sn/SN-1022-Notes.pdf

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to Security Now at https://twit.tv/shows/security-now. You can submit a question to Security Now at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written, Spinrite 6.

Join Club TWiT for Ad-Free Podcasts! Support what you love and get ad-free shows, a members-only Discord, and behind-the-scenes access. Join today: https://twit.tv/clubtwit

Sponsors:
- joindeleteme.com/twit promo code TWIT
- drata.com/securitynow
- bigid.com/securitynow
- 1password.com/securitynow
- material.security