US man who hacked SEC's X account to spike Bitcoin price sentenced to prison | TechCrunch
US man who hacked SEC’s X account to spike Bitcoin price sentenced to prison Eric Council Jr., 26, was sentenced to 14 months in prison and three years of supervised release on Friday for participating in the hack of the official X account of the U.S. Securities and Exchange Commission. The U.S. Department of Justice announced the sentencing in a press release. Council and other hackers took over the SEC’s X account in 2024 to falsely announce that the agency had approved Bitcoin exchange traded funds, or ETFs, which shot up the price of the cryptocurrency before later dropping. According to the DOJ, Council and his co-conspirators performed a SIM swap attack against the cellphone account of a person who had access to the SEC’s X account, which allowed the hackers to take control of their phone number. From there, the hackers reset the password of the SEC’s X account, granting them control of the account.
·techcrunch.com·
Printer company provided infected software downloads for half a year
When Cameron Coward, the YouTuber behind the channel Serial Hobbyism, wanted to review a $6k UV printer and plugged in the USB flash drive with the printer software, his antivirus software alerted him to a USB-spreading worm and a Floxif infection. Floxif is a file infector that attaches itself to Portable Executable files, so it can spread to network shares, removable drives like USB flash drives, or backup storage systems. The printer company Procolored assured him at first that these were false positives. Nevertheless, Cameron turned to Reddit in the hope of finding a professional malware analyst who could figure out the truth. All these software downloads are available on mega.nz with a different mega folder link for each product. Overall, there are 8 GB of files and archives for all six products. Most files were last updated in October 2024, which is six months ago at the time of writing.
·gdatasoftware.com·
Expression Payloads Meet Mayhem - Ivanti EPMM Unauth RCE Chain (CVE-2025-4427 and CVE-2025-4428)
Keeping your ears to the ground and eyes wide open for the latest vulnerability news at watchTowr is a given. Despite rummaging through enterprise code looking for 0days on a daily basis, our interest was piqued this week when news of fresh vulnerabilities was announced in a close friend - Ivanti, and their Endpoint Manager Mobile (Ivanti EPMM) solution. For those out of the loop, don’t worry - as always, we’re here to fill you in. Ivanti Endpoint Manager Mobile (EPMM) is an MDM solution for system administrators to install and manage devices within an organization. It hopes to prevent you from installing malware or enjoying your life by watching YouTube during any permitted and sanctioned downtime.

Why Is This Important?
Well, short of their intended functionality, MDM solutions are, in a sense, C2 frameworks for enterprises… allowing system administrators to manage software on their devices. Picture this: You’ve compromised the MDM solution at one of the largest banks and are able to deploy malicious software at scale to employee devices. And it's Friday!
·labs.watchtowr.com·
Trump's sanctions on ICC prosecutor have halted tribunal's work
The International Criminal Court’s chief prosecutor has lost access to his email, and his bank accounts have been frozen. The Hague-based court’s American staffers have been told that if they travel to the U.S. they risk arrest. Some nongovernmental organizations have stopped working with the ICC and the leaders of one won’t even reply to emails from court officials. Those are just some of the hurdles facing court staff since U.S. President Donald Trump in February slapped sanctions on its chief prosecutor, Karim Khan, according to interviews with current and former ICC officials, international lawyers and human rights advocates. The sanctions will “prevent victims from getting access to justice,” said Liz Evenson, international justice director at Human Rights Watch. Trump sanctioned the court after a panel of ICC judges in November issued arrest warrants for Israeli Prime Minister Benjamin Netanyahu and his former defense minister, Yoav Gallant. Judges found there was reason to believe that the pair may have committed war crimes by restricting humanitarian aid and intentionally targeting civilians in Israel’s campaign against Hamas in Gaza — charges Israeli officials deny. One reason the court has been hamstrung is that it relies heavily on contractors and non-governmental organizations. Those businesses and groups have curtailed work on behalf of the court because they were concerned about being targeted by U.S. authorities, according to current and former ICC staffers. Microsoft, for example, cancelled Khan’s email address, forcing the prosecutor to move to Proton Mail, a Swiss email provider, ICC staffers said. His bank accounts in his home country of the U.K. have been blocked. Microsoft did not respond to a request for comment. Staffers at an NGO that plays an integral role in the court’s efforts to gather evidence and find witnesses said the group has transferred money out of U.S. bank accounts because they fear it might be seized by the Trump administration.
·apnews.com·
EU bug database fully operational as US slashes infosec
The European Vulnerability Database (EUVD) is now fully operational, offering a streamlined platform to monitor critical and actively exploited security flaws amid the US struggles with budget cuts, delayed disclosures, and confusion around the future of its own tracking systems. As of Tuesday, the full-fledged version of the website is up and running. "The EU is now equipped with an essential tool designed to substantially improve the management of vulnerabilities and the risks associated with it," ENISA Executive Director Juhan Lepassaar said in a statement announcing the EUVD. "The database ensures transparency to all users of the affected ICT products and services and will stand as an efficient source of information to find mitigation measures," Lepassaar continued. The European Union Agency for Cybersecurity (ENISA) first announced the project in June 2024 under a mandate from the EU's Network and Information Security 2 Directive, and quietly rolled out a limited-access beta version last month during a period of uncertainty surrounding the United States' Common Vulnerabilities and Exposures (CVE) program. Register readers — especially those tasked with vulnerability management — will recall that the US government's funding for the CVE program was set to expire in April until the US Cybersecurity and Infrastructure Security Agency, aka CISA, swooped in at the 11th hour and renewed the contract with MITRE to operate the initiative.
·theregister.com·
Open-source toolset of an Ivanti CSA attacker
In September and October 2024, Ivanti published multiple security advisories [1][2][3] regarding security policy bypasses and remote code execution vulnerabilities in their Cloud Services Appliance (CSA) product. It was later revealed by FortiGuard Labs Threat Research's work [4] that some threat actors had been actively chaining these vulnerabilities as early as September 9, 2024, before any security advisory or patch was publicly released by Ivanti. In some compromise scenarios, even though the initial access stemmed from the exploitation of zero-day vulnerabilities, later stages were short of such proficient attacker tradecraft. Threat actors were seen using known malicious tools and noisy payloads for lateral movement, persistence and credential dumping. Synacktiv's CSIRT was recently in charge of different forensic investigations where the root cause was a vulnerable CSA appliance exposed to the internet. During these engagements, we found a set of open-source tools used by the attacker to achieve its goals. In this article, we take a tour of the OSS toolset from an Ivanti CSA exploiter and discuss related detection capabilities:
* suo5
* iox
* atexec-pro
·synacktiv.com·
Breaking Out of Restricted Mode: XSS to RCE in Visual Studio Code
In April 2024, I discovered a high-severity vulnerability in Visual Studio Code (VS Code 1.89.1) that allows attackers to escalate a Cross-Site Scripting (XSS) bug into full Remote Code Execution (RCE)—even in Restricted Mode. The desktop version of Visual Studio Code runs on Electron. Renderer processes are sandboxed and communicate with the main process through Electron’s IPC mechanism. An XSS vulnerability in the newly-introduced minimal error rendering mode for Jupyter notebooks enables arbitrary JavaScript code to be executed within the vscode-app WebView for the notebook renderer. The vulnerability can be triggered by opening a crafted .ipynb file if the user has the setting enabled, or by opening a folder containing a crafted settings.json file in VS Code and opening a malicious .ipynb file within the folder. This vulnerability can be triggered even when Restricted Mode is enabled (which is the default for workspaces that have not been explicitly trusted by the user). In this post, we’ll walk through how the bug works and how it bypasses VS Code’s Restricted Mode.
·starlabs.sg·
Protecting Our Customers - Standing Up to Extortionists
Cyber criminals bribed and recruited a group of rogue overseas support agents to steal Coinbase customer data to facilitate social engineering attacks. These insiders abused their access to customer support systems to steal the account data for a small subset of customers. No passwords, private keys, or funds were exposed and Coinbase Prime accounts are untouched. We will reimburse customers who were tricked into sending funds to the attacker. We’re cooperating closely with law enforcement to pursue the harshest penalties possible and will not pay the $20 million ransom demand we received. Instead we are establishing a $20 million reward fund for information leading to the arrest and conviction of the criminals responsible for this attack.

What happened
Criminals targeted our customer support agents overseas. They used cash offers to convince a small group of insiders to copy data in our customer support tools for less than 1% of Coinbase monthly transacting users. Their aim was to gather a customer list they could contact while pretending to be Coinbase—tricking people into handing over their crypto. They then tried to extort Coinbase for $20 million to cover this up. We said no.

What they got
* Name, address, phone, and email
* Masked Social Security (last 4 digits only)
* Masked bank-account numbers and some bank account identifiers
* Government-ID images (e.g., driver’s license, passport)
* Account data (balance snapshots and transaction history)
* Limited corporate data (including documents, training material, and communications available to support agents)
·coinbase.com·
Ivanti warns of critical Neurons for ITSM auth bypass flaw
Ivanti has released security updates for its Neurons for ITSM IT service management solution that mitigate a critical authentication bypass vulnerability. Tracked as CVE-2025-22462, the security flaw can let unauthenticated attackers gain administrative access to unpatched systems in low-complexity attacks, depending on system configuration. As the company highlighted in a security advisory released today, organizations that followed its guidance are less exposed to attacks. "Customers who have followed Ivanti's guidance on securing the IIS website and restricted access to a limited number of IP addresses and domain names have a reduced risk to their environment," Ivanti said. "Customers who have users log into the solution from outside their company network also have a reduced risk to their environment if they ensure that the solution is configured with a DMZ." Ivanti added that CVE-2025-22462 only impacts on-premises instances running versions 2023.4, 2024.2, 2024.3, and earlier, and said that it found no evidence that the vulnerability is being exploited to target customers.

Product Name | Affected Version(s) | Resolved Version(s)
Ivanti Neurons for ITSM (on-prem only) | 2023.4, 2024.2, and 2024.3 | 2023.4 May 2025 Security Patch; 2024.2 May 2025 Security Patch; 2024.3 May 2025 Security Patch

The company also urged customers today to patch a default credentials security flaw (CVE-2025-22460) in its Cloud Services Appliance (CSA) that can let local authenticated attackers escalate privileges on vulnerable systems. While this vulnerability isn't exploited in the wild either, Ivanti warned that the patch won't be applied correctly after installing today's security updates and asked admins to reinstall from scratch or use these mitigation steps to ensure their network is protected from potential attacks.
·bleepingcomputer.com·
China-Nexus Nation State Actors Exploit SAP NetWeaver (CVE-2025-31324) to Target Critical Infrastructures
EclecticIQ analysts assess with high confidence that, in April 2025, China-nexus nation-state APTs (advanced persistent threats) launched high-tempo exploitation campaigns against critical infrastructure networks by targeting SAP NetWeaver Visual Composer. Actors leveraged CVE-2025-31324 [1], an unauthenticated file upload vulnerability that enables remote code execution (RCE). This assessment is based on a publicly exposed directory (opendir) found on attacker-controlled infrastructure, which contained detailed event logs capturing operations across multiple compromised systems. EclecticIQ analysts link observed SAP NetWeaver intrusions to Chinese cyber-espionage units including UNC5221 [2], UNC5174 [3], and CL-STA-0048 [4] based on threat actor tradecraft patterns. Mandiant and Palo Alto researchers assess that these groups connect to China's Ministry of State Security (MSS) or affiliated private entities. These actors operate strategically to compromise critical infrastructures, exfiltrate sensitive data, and maintain persistent access across high-value networks worldwide.

Uncategorized China-Nexus Threat Actor Scanning the Internet for CVE-2025-31324 and Upload Webshells
EclecticIQ analysts assess with high confidence that a very likely China-nexus threat actor is conducting a widespread internet scanning and exploitation campaign against SAP NetWeaver systems. A threat actor-controlled server hosted at IP address 15.204.56[.]106 exposed the scope of the SAP NetWeaver intrusions [5].
·blog.eclecticiq.com·
Excel(ent) Obfuscation: Regex Gone Rogue
Join Ido Kringel and the Deep Instinct Threat Research Team in this deep dive into a recently discovered, Office-based regex evasion technique.

Microsoft Office-based attacks have long been a favored tactic amongst cybercriminals—and for good reason. Attackers frequently use Office documents in cyberattacks because they are widely trusted. These files, such as Word or Excel docs, are commonly exchanged in business and personal settings. They are also capable of carrying hidden malicious code, embedded macros, and external links that execute code when opened, especially if users are tricked into enabling features like macros. Moreover, Office documents support advanced techniques like remote template injection, obfuscated macros, and legacy features like Excel 4.0 macros. These allow attackers to bypass antivirus detection and trigger multi-stage payloads such as ransomware or information-stealing malware. Since Office files are familiar to users and often appear legitimate (e.g., invoices, resumes, or reports), they’re also highly effective tools in phishing and social engineering attacks. This mixture of social credit and advanced attack characteristics unique to Office files, as well as compatibility across platforms and integration with scripting languages, makes them ideal for initiating sophisticated attacks with minimal user suspicion. Last year, Microsoft announced the availability of three new functions that use Regular Expressions (regex) to help parse text more easily. Regexes are sequences of characters that define search patterns, primarily used for string matching and manipulation. They enable efficient text processing by allowing complex searches, replacements, and validations based on specific criteria.
·deepinstinct.com·
First report on the implementation of the National Cyberstrategy (NCS)
At its meeting of 14 May 2025, the Federal Council was informed of the contents of the first report on the implementation of the National Cyberstrategy (NCS), which documents the state of the work carried out at national level to strengthen cybersecurity. Drafted by the NCS steering committee in collaboration with the Federal Office for Cybersecurity (FOCS), it shows clear progress: the creation of important coordination structures, the advancement of ongoing projects and the launch of new ones, not to mention the strengthening of Switzerland’s international visibility in the field of cybersecurity. With the NCS, the Confederation pursues a comprehensive approach aimed at strengthening Switzerland’s cyber resilience. Five strategic objectives are at the heart of this approach: empowering the population, securing digital services and critical infrastructure, managing and defending against cyberattacks, combating cybercrime, and international cooperation. The report on the implementation of the NCS shows clear progress: the targeted continuation of ongoing projects and the launch of new projects across the five strategic objectives of the NCS.

Concrete progress
Awareness-raising measures and the promotion of research and training have strengthened the skills of the population, businesses and authorities in dealing with cyber threats. The « S-U-P-E-R.ch » campaign run in 2024 and Switzerland’s participation in the « European Cyber Security Month » helped raise public awareness of cybersecurity topics. The strategy continues to focus on protecting critical infrastructure against cyber threats. The implementation of vulnerability management programmes, e.g. the Confederation’s bug bounty programme, and the establishment of cybersecurity centres (CSC) in sensitive sectors such as healthcare and rail transport have led to notable progress. The creation of the Cyber Security Hub (CSH) at the FOCS has also fostered the development of information exchange on cyber threats. In terms of standardisation and regulation, work to introduce an obligation to report cyberattacks against critical infrastructure was at the forefront last year. This obligation entered into force on 1 April 2025. It is the first multisectoral regulation in the field of cybersecurity. In the area of combating cybercrime, the NCS promotes the development of specialised capabilities within prosecution authorities and the strengthening of cooperation at both national and international level. Platforms such as Cyber-CASE and NEDIK enable faster detection and handling of digital offences. In parallel, the standardisation of data and processes, together with targeted training and continuing education, should further increase efficiency in this area in future. At international level, Switzerland has actively positioned itself in favour of security in the digital space. With initiatives such as the Geneva Cyber Week, it promotes International Geneva and, by participating in the UN process and the Counter Ransomware Initiative, strengthens international efforts to establish binding rules in cyberspace.
·news.admin.ch·
ETH Zurich researchers discover new security vulnerability in Intel processors | ETH Zurich
Computer scientists at ETH Zurich have discovered a new class of vulnerabilities in Intel processors, allowing them to break down the barriers between different users of a processor using carefully crafted instruction sequences. The entire processor memory can be read by employing quick, repeated attacks. All Intel processors since 2018 are affected by Branch Privilege Injection.

In brief
* The new class of vulnerabilities in Intel processors arises from speculative technologies that anticipate individual computing steps.
* The openings enable gradual reading of the entire privileged memory contents of a shared processor (CPU).
* All Intel processors from the last 6 years are affected, from PCs to servers in data centres.
·ethz.ch·
COLDRIVER Using New Malware To Steal Documents From Western Targets and NGOs
Google Threat Intelligence Group (GTIG) has identified a new piece of malware called LOSTKEYS, attributed to the Russian government-backed threat group COLDRIVER (also known as UNC4057, Star Blizzard, and Callisto). LOSTKEYS is capable of stealing files from a hard-coded list of extensions and directories, along with sending system information and running processes to the attacker. Observed in January, March, and April 2025, LOSTKEYS marks a new development in the toolset of COLDRIVER, a group primarily known for credential phishing against high-profile targets like NATO governments, non-governmental organizations (NGOs), and former intelligence and diplomatic officers. GTIG has been tracking COLDRIVER for many years, including their SPICA malware in 2024. COLDRIVER typically targets high-profile individuals at their personal email addresses or at NGO addresses. They are known for stealing credentials and after gaining access to a target’s account they exfiltrate emails and steal contact lists from the compromised account. In select cases, COLDRIVER also delivers malware to target devices and may attempt to access files on the system. Recent targets in COLDRIVER’s campaigns have included current and former advisors to Western governments and militaries, as well as journalists, think tanks, and NGOs. The group has also continued targeting individuals connected to Ukraine. We believe the primary goal of COLDRIVER’s operations is intelligence collection in support of Russia’s strategic interests. In a small number of cases, the group has been linked to hack-and-leak campaigns targeting officials in the UK and an NGO. To safeguard at-risk users, we use our research on serious threat actors like COLDRIVER to improve the safety and security of Google’s products. We encourage potential targets to enroll in Google's Advanced Protection Program, enable Enhanced Safe Browsing for Chrome, and ensure that all devices are updated.
·cloud.google.com·
Apple Patches Major Security Flaws in iOS, macOS Platforms
Apple rolls out iOS and macOS platform updates to fix serious security bugs that could be triggered simply by opening an image or video file. Apple on Monday pushed out patches for security vulnerabilities across the macOS, iPhone and iPad software stack, warning that code-execution bugs could be triggered simply by opening a rigged image, video or website. The new iOS 18.5 update, rolled out alongside patches for iPadOS, covers critical bugs in AppleJPEG and CoreMedia with a major warning from Cupertino that attackers could craft malicious media files to run arbitrary code with the privileges of the targeted app. The company also documented serious file-parsing vulnerabilities patched in CoreAudio, CoreGraphics, and ImageIO, each capable of crashing apps or leaking data if booby-trapped content is opened. The iOS 18.5 update also provides cover for at least 9 documented WebKit flaws, some serious enough to lead to exploits that allow a hostile website to execute code or crash the Safari browser engine. The company also patched a serious ‘mute-button’ flaw in FaceTime that exposes the audio conversation even after muting the microphone. Beneath the interface, Apple said iOS 18.5 hardens the kernel against two memory-corruption issues and cleans up a libexpat flaw (CVE-2024-8176) that affects a broad range of software projects. Other notable fixes include an issue in Baseband (CVE-2025-31214) that allows attackers in a privileged network position to intercept traffic on the new iPhone 16e line; a privilege escalation bug in mDNSResponder (CVE-2025-31222); an issue in Notes that exposes data from a locked iPhone screen; and security gaps in FrontBoard, iCloud Document Sharing, and Mail Addressing.
·securityweek.com·
Marks & Spencer hackers appear to protect ‘former Soviet states’ from attacks | The Observer
DragonForce group also says it has targeted Co-op and Harrods in cybercrime spree

Hackers who bragged about crippling Marks & Spencer’s systems and breaching Co-op Group databases appeared to have vowed to protect “the former Soviet Union” from the technology used in the attacks. The DragonForce cybercrime group appeared to use a dark web forum to issue a threat to “punish any violations” by fellow hackers planning to use its ransomware in Russia or the former Soviet states – the first indication of any allegiance. The group, which licenses its ransomware to other hacking gangs for a fee, claimed responsibility for an attack that has left shelves at some branches of M&S bare and has forced the company to suspend online orders. A separate attack on the Co-op led to a data breach and customer details being stolen, and the group has also been linked to an attempt to hack systems at Harrods. “Any attack by our software on critical infrastructure, hospitals where critical patients, children, and the elderly are kept, or on the countries of the former Soviet Union, is a PROVOCATION by unscrupulous partners,” read a statement which claimed to be from the group, released at the end of last month. “We, as regulators, are doing our best to counteract this, and we will punish any violations, as well as assist in solving the problems of the affected parties.”
·observer.co.uk·
Can You Really Trust That Permission Pop-Up On macOS? (CVE-2025-31250) | Watch This Space
It's time to update your Macs again! This time, I'm not burying the lede. CVE-2025-31250, which was patched in today's release of macOS Sequoia 15.5, allowed for…
…any Application A to make macOS show a permission consent prompt…
…appearing as if it were coming from any Application B…
…with the results of the user's consent response being applied to any Application C.

These did not have to be different applications. In fact, in most normal uses, they would all likely be the same application. Even a case where Applications B and C were the same but different than Application A would be relatively safe (if somewhat useless from Application A's perspective). However, prior to this vulnerability being patched, a lack of validation allowed for Application B (the app the prompt appears to be from) to be different than Application C (the actual application the user's consent response is applied to). Spoofing these kinds of prompts is not exactly new. In fact, the HackTricks wiki has had a tutorial on how to perform a similar trick on their site for a while. However, their method requires: the building of an entire fake app in a temporary directory, the overriding of a shortcut on the Dock, and the simple hoping that the user clicks on the (now) fake shortcut. This vulnerability requires none of the above.

TCC
As I explained in my first ever article on this site, TCC is the core permissions system built into Apple's operating systems. It is used by sending messages to the tccd daemon (or rather, by using functions in the private TCC framework). The framework is a private API, so developers don't call the functions directly (instead, public APIs call the functions under the hood as needed). However, all this wrapping cannot hide the fact that the control mechanism is still simply sending messages to the daemon. The daemon uses Apple's public (but proprietary) XPC API for messaging (specifically the lower-level dictionary-based API). Prior to this vulnerability being patched, any app with the ability to send XPC messages to tccd could send it a specifically-crafted message that, as described above, would make it display a permission prompt as if it were from one app but then apply the user's response to a completely separate app. But how was this possible, and was it even hard? Before I answer these questions, we need to detour into what will, at first, seem like a completely unrelated topic.
·wts.dev·
Marks & Spencer confirms customers' personal data was stolen in hack | TechCrunch
U.K. retail giant Marks & Spencer has confirmed hackers stole its customers’ personal information during a cyberattack last month. In a brief statement with London’s stock exchange on Tuesday, the retailer said an unspecified amount of customer information was taken in the data breach. The BBC, which first reported the company’s filing, cited a Marks & Spencer online letter as saying that the stolen data includes customer names, dates of birth, home and email addresses, phone numbers, household information and online order histories. The company also said it was resetting the online account passwords of its customers. Marks & Spencer continues to experience disruption and outages across its stores, with some grocery shelves remaining empty after the hack affected the company’s operations. The company’s online ordering system for customers also remains offline. It’s not clear how many individuals’ data was stolen during the hack. When reached by TechCrunch, Marks & Spencer spokesperson Alicia Sanctuary would not say how many individuals are affected and referred TechCrunch to its online statement. Marks & Spencer had 9.4 million online customers as of 30 March 2024, per its most recent annual report.
·techcrunch.com·
Dior’s China data breach exposes elite clients
Dior’s coveted client list of China’s wealthiest and most powerful consumers has been compromised in a major data breach, forcing the French luxury giant to issue an apology as it scrambles to contain potential fallout and limit any damage to its reputation. The luxury brand under French conglomerate LVMH experienced a customer data breach in China on May 7. According to a text message sent to customers yesterday, the company disclosed that an unauthorized external party had gained access to its database, obtaining sensitive personal information such as customers’ names, gender, phone numbers, email addresses, mailing addresses, purchase amounts, and shopping preferences. Dior emphasized that the compromised data did not include bank account details, IBANs (International Bank Account Numbers), or credit card information. Nonetheless, the brand urged customers to exercise heightened caution, advising them to beware of phishing messages, unsolicited calls or emails, and to avoid clicking on suspicious links or disclosing personal information.
·jingdaily.com·
Multiple Security Issues in Screen | SUSE Security Team Blog
Screen is the traditional terminal multiplexer software used on Linux and Unix systems. We found a local root exploit in Screen 5.0.0 affecting Arch Linux and NetBSD, as well as a couple of other issues that partly also affect older Screen versions, which are still found in the majority of distributions. In July 2024, the upstream Screen maintainer asked us if we could have a look at the current Screen code base. We treated this request with lower priority, since we already had a cursory look at Screen a few years earlier, without finding any problems. When we actually found time to look into it again, we were surprised to find a local root exploit in the Screen 5.0.0 major version update affecting distributions that ship it as setuid-root (Arch Linux and NetBSD). We also found a number of additional, less severe issues that partly also affect older Screen versions still found in the majority of distributions. We offer two sets of patches for the issues described in this report, one for screen-4.9.1 and another for screen-5.0.0. These patch sets apply against the screen-4.9.1 and screen-5.0.0 release tarballs, respectively. Due to difficulties in the communication with upstream we do not currently have detailed information about bugfixes and releases published on their end. The next section provides an overview of the Screen configurations and versions found on common Linux and UNIX distributions. Section 3) discusses each security issue we discovered in detail. Section 4) takes a look at possible further issues in Screen’s setuid-root implementation. Section 5) gives general recommendations for the improvement of Screen’s security posture. Section 6) points out problems we encountered during the coordinated disclosure process for these issues. Section 7) provides an affectedness matrix which gives a quick overview of the situation on various Linux and UNIX systems.
·security.opensuse.org·
Hackers now testing ClickFix attacks against Linux targets
A new campaign employing ClickFix attacks has been spotted targeting both Windows and Linux systems using instructions that make infections on either operating system possible. ClickFix is a social engineering tactic where fake verification systems or application errors are used to trick website visitors into running console commands that install malware. These attacks have traditionally targeted Windows systems, prompting targets to execute PowerShell scripts from the Windows Run command, resulting in info-stealer malware infections and even ransomware. However, a 2024 campaign using bogus Google Meet errors also targeted macOS users.

ClickFix targeting Linux users

A more recent campaign spotted by Hunt.io researchers last week is among the first to adapt this social engineering technique for Linux systems. The attack, which is attributed to the Pakistan-linked threat group APT36 (aka "Transparent Tribe"), utilizes a website that impersonates India's Ministry of Defence with a link to an allegedly official press release.
·bleepingcomputer.com·
Threat Brief: CVE-2025-31324
On April 24, 2025, SAP disclosed CVE-2025-31324, a critical vulnerability with a CVSS score of 10.0 affecting the SAP NetWeaver's Visual Composer Framework, version 7.50. CVE-2025-31324 is a critical vulnerability residing in the SAP NetWeaver Application Server Java's Visual Composer component (VCFRAMEWORK). While not installed by default, business analysts commonly use this component to create applications without coding, making it widely present in SAP deployments. The core issue with this vulnerability is a missing authorization check in the Metadata Uploader, accessible via the /developmentserver/metadatauploader endpoint. This means that any user, even unauthenticated ones, can interact with this endpoint and upload arbitrary files to the server. Here's a breakdown of how the vulnerability works:
* Unrestricted access: The /developmentserver/metadatauploader endpoint is exposed over HTTP/HTTPS and lacks proper authentication or authorization controls.
* Malicious file upload: An attacker can send a specially crafted HTTP request to the vulnerable endpoint, containing a malicious file as the request body.
* File system access: Due to the missing authorization check, the server accepts the attacker's request and writes the uploaded file to the server's file system. The file is often written to a location within the web application's accessible directories (e.g., under /irj/servlet_jsp/irj/root/).
* Web shell execution (common scenario): If the attacker uploads a web shell like a Java server page (JSP) file, the attacker can then access the web shell via a web browser. Now residing on the server, this web shell allows an attacker to execute arbitrary operating system commands with the privileges of the SAP application server process.
* System compromise: With the ability to execute commands as an SAP system administrator (system account name: sidadm), an attacker effectively gains control of the SAP system and its associated data.
The attacker can then perform various malicious activities. CVE-2025-31324 allows attackers to bypass security controls and directly upload and execute malicious files on vulnerable SAP servers, potentially leading to complete system compromise. The ease of exploitation (no authentication required) and the possibility for high impact make this a critical vulnerability that requires immediate attention and remediation.
·unit42.paloaltonetworks.com·
[CVE-2025-37752] Two Bytes Of Madness: Pwning The Linux Kernel With A 0x0000 Written 262636 Bytes Out-Of-Bounds
CVE-2025-37752 is an Array-Out-Of-Bounds vulnerability in the Linux network packet scheduler, specifically in the SFQ queuing discipline. An invalid SFQ limit and a series of interactions between SFQ and the TBF Qdisc can lead to a 0x0000 being written approximately 256KB out of bounds at a misaligned offset. If properly exploited, this can enable privilege escalation.
* Spray sfq_slots in kmalloc-64 to prevent an immediate kernel crash when the bug is triggered.
* Prevent a type-confused skb from being dequeued by reconfiguring the TBF Qdisc.
* Drop TBF rate and add packet overhead before the OOB write occurs.
* Use the 0x0000 written 262636 bytes OOB to corrupt the pipe->files field of a named pipe, free the pipe, cause page-level UAF and get arbitrary R/W in that page.
* Reclaim the freed page with signalfd files and use the page-level R/W primitive to swap file->private_data with file->f_cred.
* Get root by overwriting the process credentials with zeros via signalfd4().
·syst3mfailure.io·
RATatouille: A Malicious Recipe Hidden in rand-user-agent (Supply Chain Compromise)
On 5 May, 16:00 GMT+0, our automated malware analysis pipeline detected a suspicious package released, rand-user-agent@1.0.110. It detected unusual code in the package, and it wasn’t wrong. It detected signs of a supply chain attack against this legitimate package, which has about ~45.000 weekly downloads.

What is the package?

The package rand-user-agent generates randomized real user-agent strings based on their frequency of occurrence. It’s maintained by the company WebScrapingAPI (https://www.webscrapingapi.com/). Our analysis engine detected suspicious code in the file dist/index.js. Let's check it out, here seen through the code view on npm’s site: We’ve got a RAT (Remote Access Trojan) on our hands. Here’s an overview of it:

Behavior Overview

The script sets up a covert communication channel with a command-and-control (C2) server using socket.io-client, while exfiltrating files via axios to a second HTTP endpoint. It dynamically installs these modules if missing, hiding them in a custom .node_modules folder under the user's home directory.
·aikido.dev·
UK pioneering global move away from passwords
Government to roll out passkey technology across digital services as an alternative to SMS-based verification.
* Government set to roll out passkey technology across digital services later this year.
* SMS-based verification to be replaced by more secure, cost-effective solution.
* NCSC joins FIDO Alliance to shape international passkey standards.

The UK government is set to roll out passkey technology for its digital services later this year as an alternative to the current SMS-based verification system, offering a more secure and cost-effective solution that could save several million pounds annually. Announced on the first day of the government’s flagship cyber security event, CYBERUK, the move to implement passkey technology for the government’s GOV.UK services marks a major step forward in strengthening the nation’s digital security. Passkeys are unique digital keys that are today tied to specific devices, such as a phone or a laptop, that help users log in safely without needing an additional text message or other code. When a user logs in to a website or app, their device uses this digital key to prove the user’s identity without needing to send a code to a secondary device or to receive user input. This method is more secure because the key remains stored on the device and cannot be easily intercepted or stolen, making passkeys phishing-resistant by design. As a result, even if someone attempts to steal a password or intercept a code, they would be unable to gain access without the physical device that contains the passkey. The NCSC considers passkey adoption as vital for transforming cyber resilience at a national scale, and the UK is already leading internationally with the NHS becoming one of the first government organisations in the world to offer passkeys to users.
In addition to enhanced security and cost savings, passkeys offer users a faster login experience, saving approximately one minute per login when compared to entering a username, password, and SMS code.
·ncsc.gov.uk·
Cisco IOS XE Wireless Controller Software Arbitrary File Upload Vulnerability
A vulnerability in the Out-of-Band Access Point (AP) Image Download feature of Cisco IOS XE Software for Wireless LAN Controllers (WLCs) could allow an unauthenticated, remote attacker to upload arbitrary files to an affected system. This vulnerability is due to the presence of a hard-coded JSON Web Token (JWT) on an affected system. An attacker could exploit this vulnerability by sending crafted HTTPS requests to the AP image download interface. A successful exploit could allow the attacker to upload files, perform path traversal, and execute arbitrary commands with root privileges. Note: For exploitation to be successful, the Out-of-Band AP Image Download feature must be enabled on the device. It is not enabled by default. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wlc-file-uplpd-rHZG9UfC This advisory is part of the May 2025 release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: May 2025 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication.
·sec.cloudapps.cisco.com·
Schneier warns that AI loses integrity due to corporate bias
RSAC: Can we turn to govt, academic models instead?

Corporate AI models are already skewed to serve their makers' interests, and unless governments and academia step up to build transparent alternatives, the tech risks becoming just another tool for commercial manipulation. That's according to cryptography and privacy guru Bruce Schneier, who spoke to The Register last week following a keynote speech at the RSA Conference in San Francisco. "I worry that it'll be like search engines, which you use as if they are neutral third parties but are actually trying to manipulate you. They try to kind of get you to visit the websites of the advertisers," he told us. "It's integrity that we really need to think about, integrity as a security property and how it works with AI." During his RSA keynote, Schneier asked: "Did your chatbot recommend a particular airline or hotel because it's the best deal for you, or because the AI company got a kickback from those companies?" To deal with this quandary, Schneier proposes that governments should start taking a more hands-on stance in regulating AI, forcing model developers to be more open about the information they receive, and how the decisions models make are conceived. He praised the EU AI Act, noting that it provides a mechanism to adapt the law as technology evolves, though he acknowledged there are teething problems. The legislation, which entered into force in August 2024, introduces phased requirements based on the risk level of AI systems. Companies deploying high-risk AI must maintain technical documentation, conduct risk assessments, and ensure transparency around how their models are built and how decisions are made. Because the EU is the world's largest trading bloc, the law is expected to have a significant impact on any company wanting to do business there, he opined.
This could push other regions toward similar regulation, though he added that in the US, meaningful legislative movement remains unlikely under the current administration.
·theregister.com·
Malicious PyPI Package Targets Discord Developers with Remot...
The Socket Research team investigates a malicious Python package disguised as a Discord error logger that executes remote commands and exfiltrates data via a covert C2 channel. On March 21, 2022, a Python package ‘discordpydebug’ was uploaded to the Python Package Index (PyPI) under the name "Discord py error logger." At first glance, it appeared to be a simple utility aimed at developers working on Discord bots using the Discord.py library. However, the package concealed a fully functional remote access trojan (RAT). Over time, the package reached over 11,000 downloads, placing thousands of developer systems at risk. The package targeted developers who build or maintain Discord bots, typically indie developers, automation engineers, or small teams who might install such tools without extensive scrutiny. Since PyPI doesn’t enforce deep security audits of uploaded packages, attackers often take advantage of this by using misleading descriptions, legitimate-sounding names, or even copying code from popular projects to appear trustworthy. In this case, the goal was to lure unsuspecting developers into installing a backdoor disguised as a debugging aid. Discord’s developer ecosystem is both massive and tightly knit. With over 200 million monthly active users, more than 25% of whom interact with third-party apps, Discord has rapidly evolved into a platform where developers not only build but also live test, share, and iterate on new ideas directly with their users. Public and private servers dedicated to development topics foster an informal, highly social culture where tips, tools, and code snippets are shared freely and often used with little scrutiny. It’s within these trusted peer-to-peer spaces that threat actors can exploit social engineering tactics, positioning themselves as helpful community members and promoting tools like discordpydebug under the guise of debugging utilities. 
The fact that this package was downloaded over 11,000 times, despite having no README or documentation, highlights how quickly trust can be weaponized in these environments. Whether spread via casual recommendation, targeted DMs, or Discord server threads, such packages can gain traction before ever being formally vetted.
·socket.dev·
DOGE software engineer’s computer infected by info-stealing malware - Ars Technica
The presence of credentials in leaked “stealer logs” indicates his device was infected. Login credentials belonging to an employee at both the Cybersecurity and Infrastructure Security Agency and the Department of Government Efficiency have appeared in multiple public leaks from info-stealer malware, a strong indication that devices belonging to him have been hacked in recent years. Kyle Schutt is a 30-something-year-old software engineer who, according to Dropsite News, gained access in February to a “core financial management system” belonging to the Federal Emergency Management Agency. As an employee of DOGE, Schutt accessed FEMA’s proprietary software for managing both disaster and non-disaster funding grants. Under his role at CISA, he likely is privy to sensitive information regarding the security of civilian federal government networks and critical infrastructure throughout the US.

A steady stream of published credentials

According to journalist Micah Lee, user names and passwords for logging in to various accounts belonging to Schutt have been published at least four times since 2023 in logs from stealer malware. Stealer malware typically infects devices through trojanized apps, phishing, or software exploits. Besides pilfering login credentials, stealers can also log all keystrokes and capture or record screen output. The data is then sent to the attacker and, occasionally after that, can make its way into public credential dumps. “I have no way of knowing exactly when Schutt's computer was hacked, or how many times,” Lee wrote. “I don't know nearly enough about the origins of these stealer log datasets. He might have gotten hacked years ago and the stealer log datasets were just published recently. But he also might have gotten hacked within the last few months.”
·arstechnica.com·
Microsoft Dynamics 365 Customer Voice Phishing Scam
Overview: Check Point researchers have identified a new phishing campaign that exploits Microsoft’s “Dynamics 365 Customer Voice,” a customer relationship management software product. It’s often used to record customer calls, monitor customer reviews, share surveys and track feedback. Microsoft 365 is used by over 2 million organizations worldwide. At least 500,000 organizations use Dynamics 365 Customer Voice, including 97% of Fortune 500 companies. In this campaign, cyber criminals send business files and invoices from compromised accounts, and include fake Dynamics 365 Customer Voice links. The email configuration looks legitimate and easily tricks email recipients into taking the bait. As part of this campaign, cyber criminals have deployed over 3,370 emails, with content reaching employees of over 350 organizations, the majority of which are American. More than a million different mailboxes were targeted. Affected entities include well-established community betterment groups, colleges and universities, news outlets, a prominent health information group, and organizations that promote arts and culture, among others.
·blog.checkpoint.com·