Cookie-Bite: How Your Digital Crumbs Let Threat Actors Bypass MFA and Maintain Access to Cloud Environments
Silent and undetectable initial access is the cornerstone of a cyberattack. MFA is there to stop unauthorized access, but attackers are constantly evolving.
XRP supply chain attack: Official NPM package infected with crypto stealing backdoor
The official XPRL (Ripple) NPM package was compromised by sophisticated attackers who put in a backdoor to steal cryptocurrency private keys and gain access to cryptocurrency wallets.
Deceptive Browser Extensions within the Google Store: A Study in AI Slop
Like any garden, the digital landscape experiences the emergence of unexpected blooms. Among the helpful flora of browser and application extensions, some appear with intentions less than pure. These deceptive ones, often born from a fleeting desire for illicit gain or mischievous disruption, may possess a certain transient beauty in their ingenuity. They arrive, sometimes subtly flawed in their execution, yet are driven by an aspiration to infiltrate our digital lives, to harvest our data, or to simply sow chaos.
Thousands of Baltimore students, teachers affected by data breach following February ransomware attack
Thousands of students, teachers and administrators had information stolen from the Baltimore City Public Schools system during a ransomware attack in February.
Cisco Webex bug lets hackers gain code execution via meeting links
Cisco has released security updates for a high-severity Webex vulnerability that allows unauthenticated attackers to gain client-side remote code execution using malicious meeting invite links.
ASUS Urges Users to Patch AiCloud Router Vuln Immediately
ASUS recently disclosed a critical security vulnerability affecting routers that have AiCloud enabled, potentially allowing remote attackers to perform unauthorized execution functions on vulnerable devices. The vulnerability is being tracked as CVE-2025-2492 and was given a CVSS score of 9.2 on a 10.0 scale, making it classified as critical. According to ASUS researchers, the "improper authentication control vulnerability," which only exists in certain ASUS router firmware series, can be triggered by a "crafted request" on behalf of the attackers.
Internet Crime Complaint Center (IC3) | FBI Warns of Scammers Impersonating the IC3
The Federal Bureau of Investigation (FBI) warns the public about an ongoing fraud scheme where criminal scammers are impersonating FBI Internet Crime Complaint Center (IC3) employees to deceive and defraud individuals. Between December 2023 and February 2025, the FBI received more than 100 reports of IC3 impersonation scams.
Phishing for Codes: Russian Threat Actors Target Microsoft 365 OAuth Workflows
Since early March 2025, Volexity has observed multiple suspected Russian threat actors conducting highly targeted social engineering operations aimed at gaining access to the Microsoft 365 (M365) accounts of targeted individuals. This activity comes on the heels of attacks Volexity reported on back in February 2025, where Russian threat actors were discovered targeting users and organizations through Device Code Authentication phishing...
CVE-2025-32955: Security mechanism bypass in Harden-Runner Github Action
The Sysdig Threat Research Team (TRT) has discovered CVE-2025-32955, a now-patched vulnerability in Harden-Runner, one of the most popular GitHub Action CI/CD security tools. Exploiting this vulnerability allows an attacker to bypass Harden-Runner’s disable-sudo security mechanism, effectively evading detection within the continuous integration/continuous delivery (CI/CD) pipeline under certain conditions. To mitigate this risk, users are strongly advised to update to the latest version. The CVE has been assigned a CVSS v3.1 base score of 6.0.
CVE-2025-24054 is a vulnerability related to NTLM hash disclosure via spoofing, which can be exploited using a maliciously crafted .library-ms file. Active exploitation in the wild has been observed since March 19, 2025, potentially allowing attackers to leak NTLM hashes or user passwords and compromise systems. Although Microsoft released a patch on March 11, 2025, threat actors already had over a week to develop and deploy exploits before the vulnerability began to be actively abused. Around March 20–21, 2025, a campaign targeted government and private institutions in Poland and Romania. Attackers used malspam to distribute a Dropbox link containing an archive that exploited multiple known vulnerabilities, including CVE-2025-24054, to harvest NTLMv2-SSP hashes. Initial reports suggested that exploitation occurred once the .library-ms file was unzipped. However, Microsoft’s patch documentation indicated that the vulnerability could even be triggered with minimal user interaction, such as right-clicking, dragging and dropping, or simply navigating to the folder containing the malicious file. This exploit appears to be a variant of a previously patched vulnerability, CVE-2024-43451, as both share several similarities.
Learn how a convincing Google spoof used a DKIM replay attack to bypass email security and trick users with a fake subpoena. A real-world phishing example you need to see.
Phishers abuse Google OAuth to spoof Google in DKIM replay attack
In a rather clever attack, hackers leveraged a weakness that allowed them to send a fake email that seemed delivered from Google's systems, passing all verifications but pointing to a fraudulent page that collected logins.
Widespread Microsoft Entra lockouts tied to new security feature rollout
Windows administrators from numerous organizations report widespread account lockouts triggered by false positives in the rollout of a new Microsoft Entra ID's
SuperCard X: exposing a Chinese-speaker MaaS for NFC Relay fraud operation
This report details a newly identified and active fraud campaign, highlighting the emergence of sophisticated mobile malware leveraging innovative techniques: SuperCard X Malware: A novel Android malware offered through a Malware-as-a-Service (MaaS) model, enabling NFC relay attacks for fraudulent cash-outs. Evolving Threat Landscape: Demonstrates the continuous advancement of mobile malware in the financial sector, with NFC relay representing a significant new capability. Combined Attack Vectors: Employs a multi-stage approach combining social engineering (via smishing and phone calls), malicious application installation, and NFC data interception for highly effective fraud. Low Detection Rate: SuperCard X currently exhibits a low detection rate among antivirus solutions due to its focused functionality and minimalistic permission model. * Broad Target Scope: The fraud scheme targets customers of banking institutions and card issuers, aiming to compromise payment card data.
Mitigating ELUSIVE COMET Zoom remote control attacks - The Trail of Bits Blog
When our CEO received an invitation to appear on “Bloomberg Crypto,” he immediately recognized the hallmarks of a sophisticated social engineering campaign. What appeared to be a legitimate media opportunity was, in fact, the latest operation by ELUSIVE COMET—a threat actor responsible for millions in cryptocurrency theft through carefully constructed social engineering attacks. This post details our encounter with ELUSIVE COMET, explains their attack methodology targeting the Zoom remote control feature, and provides concrete defensive measures organizations can implement to protect themselves.
The Dirty Pipe Vulnerability — The Dirty Pipe Vulnerability documentation
This is the story of CVE-2022-0847, a vulnerability in the Linux kernel since 5.8 which allows overwriting data in arbitrary read-only files. This leads to privilege escalation because unprivileged processes can inject code into root processes. It is similar to CVE-2016-5195 “Dirty Cow” but is easier to exploit. The vulnerability was fixed in Linux 5.16.11, 5.15.25 and 5.10.102.
Threat actors misuse Node.js to deliver malware and other malicious payloads | Microsoft Security Blog
Since October 2024, Microsoft Defender Experts has observed and helped multiple customers address campaigns leveraging Node.js to deliver malware and other payloads that ultimately lead to information theft and data exfiltration.
1961406 - SSL.com: DCV bypass and issue fake certificates for any MX hostname
SSL.com before 2025-04-19, when domain validation method 3.2.2.4.14 is used, processes certificate requests such that a trusted TLS certificate may be issued for the domain name of a requester's email address, even when the requester does not otherwise establish administrative control of that domain
In March 2025, our team found a suspicious mach-O file named wsus. Read the full analysis on its likely origins, target users, and observed functionality.
CISA extends funding to ensure 'no lapse in critical CVE services'
CISA says the U.S. government has extended funding to ensure no continuity issues with the critical Common Vulnerabilities and Exposures (CVE) program. #CISA #CVE #Computer #Foundation #InfoSec #MITRE #Security
Microsoft Warns of Node.js Abuse for Malware Delivery
In the past months Microsoft has seen multiple campaigns involving Node.js to deliver malware and other malicious payloads. Microsoft on Tuesday issued a warning over the increasing use of Node.js for the delivery of malware and other malicious payloads. The tech giant has been seeing such attacks aimed at its customers since October 2024 and some of the observed campaigns are still active in April 2025.
