Next.js and the corrupt middleware: the authorizing artifact
Recently, Yasser Allam, known by the pseudonym inzo_, and I decided to team up for some research. We discussed potential targets and chose to begin by focusing on Next.js (130K stars on GitHub, currently downloaded 9.4+ million times per week), a framework I know quite well and with which I already have fond memories, as evidenced by my previous work. Therefore, the “we” throughout this paper will naturally refer to the two of us. Next.js is a comprehensive JavaScript framework based on React, packed with numerous features — the perfect playground for diving into the intricacies of research. We set out, fueled by faith, curiosity, and resilience, to explore its lesser-known aspects, hunting for hidden treasures waiting to be found. It didn’t take long before we uncovered a great discovery in the middleware. The impact is considerable, with all versions affected, and no preconditions for exploitability — as we’ll demonstrate shortly.
·zhero-web-sec.github.io·
Phishing campaign impersonates Booking .com, delivers a suite of credential-stealing malware
Starting in December 2024, leading up to some of the busiest travel days, Microsoft Threat Intelligence identified a phishing campaign that impersonates online travel agency Booking.com and targets organizations in the hospitality industry. The campaign uses a social engineering technique called ClickFix to deliver multiple credential-stealing malware in order to conduct financial fraud and theft. […]
·microsoft.com·
SSD Advisory - Linux kernel hfsplus slab-out-of-bounds Write - SSD Secure Disclosure
This advisory describes an out-of-bounds write vulnerability in the Linux kernel that achieves local privilege escalation on Ubuntu 22.04 for active user sessions. Credit: An independent security researcher working with SSD Secure Disclosure. Vendor Response: Ubuntu has released the following advisory and fix: https://ubuntu.com/security/CVE-2025-0927
·ssd-disclosure.com·
A well-funded Moscow-based global ‘news’ has infected Western artificial intelligence tools worldwide with Russian propaganda
A Moscow-based disinformation network named “Pravda” — the Russian word for “truth” — is pursuing an ambitious strategy by deliberately infiltrating the retrieved data of artificial intelligence chatbots, publishing false claims and propaganda for the purpose of affecting the responses of AI models on topics in the news rather than by targeting human readers, NewsGuard has confirmed. By flooding search results and web crawlers with pro-Kremlin falsehoods, the network is distorting how large language models process and present news and information. The result: massive amounts of Russian propaganda — 3,600,000 articles in 2024 — are now incorporated in the outputs of Western AI systems, infecting their responses with false claims and propaganda.
·newsguardrealitycheck.com·
Critical Veeam Backup & Replication CVE-2025-23120
On Wednesday, March 19, 2025, backup and recovery software provider Veeam published a security advisory for a critical remote code execution vulnerability tracked as CVE-2025-23120. The vulnerability affects Backup & Replication systems that are domain-joined. Veeam explicitly mentions that domain-joined backup servers are against security and compliance best practices, but in reality, we believe this is likely to be a relatively common configuration.
·rapid7.com·
Virtue or Vice? A First Look at Proliferating Spyware Operations
In our first investigation into the Israel-based spyware company Paragon Solutions, we begin to untangle multiple threads connected to the proliferation of Paragon's mercenary spyware operations across the globe. This report includes an infrastructure analysis of Paragon’s spyware product, called Graphite; a forensic analysis of infected devices belonging to members of civil society; and a closer look at the use of Paragon spyware in both Canada and Italy.
·citizenlab.ca·
Decrypting Encrypted files from Akira Ransomware (Linux/ESXI variant 2024) using a bunch of GPUs
I recently helped a company recover their data from the Akira ransomware without paying the ransom. I’m sharing how I did it, along with the full source code. The code is here: https://github.com/yohanes/akira-bruteforce To clarify, multiple ransomware variants have been named Akira over the years, and several versions are currently circulating. The variant I encountered has been active from late 2023 to the present (the company was breached this year).
·tinyhack.com·
Akira ransomware can be cracked with sixteen RTX 4090 GPUs in around ten hours — new counterattack breaks encryption | Tom's Hardware
Tinyhack publishes a full how-to guide on brute-forcing past the Akira ransomware's encryption attack and freeing captive files.
·tomshardware.com·
Inside BRUTED: Black Basta (RaaS) Members Used Automated Brute Forcing Framework to Target Edge Network Devices
On February 11, 2025, a Russian-speaking actor using the Telegram handle @ExploitWhispers [1] leaked internal chat logs of Black Basta Ransomware-as-a-Service (RaaS) members [2]. These communications, spanning from September 2023 to September 2024, provide an insider look into the group's operational tactics.
·blog.eclecticiq.com·
Apple Drops Another WebKit Zero-Day Bug
For the third time in as many months, Apple has released an emergency patch to fix an already exploited zero-day vulnerability impacting a wide range of its products. The new vulnerability, identified as CVE-2025-24201, exists in Apple's WebKit open source browser engine for rendering Web pages in Safari and other apps across macOS, iOS, and iPadOS. WebKit is a frequent target for attackers because of how deeply integrated it is with Apple's ecosystem.
·darkreading.com·
New Ransomware Operator Exploits Fortinet Vulnerability Duo
Between late January and early March, Forescout Research – Vedere Labs identified a series of intrusions based on two Fortinet vulnerabilities. It began with the exploitation of Fortigate firewall appliances — culminating in the deployment of a newly discovered ransomware strain we have dubbed SuperBlack.
·forescout.com·
ICANN moves to retire Soviet-era .SU country domain name - Domain Name Wire
Domain system overseer plans to retire .su in 2030. ICANN has notified the operator of the legacy Soviet Union country code domain, .su, of its plans to retire the domain in five years, Domain Name Wire has learned. The .su namespace, which remains open for new registrations and currently has around 100,000 domain names, is […]
·domainnamewire.com·