🌐 Over 4 million internet hosts vulnerable to tunneling protocol attacks. New research by KU Leuven’s Mathy Vanhoef and Angelos Beitis finds that more than 4.26 million internet hosts, including VPN servers and home routers, accept tunneling packets (IPIP, GRE and related encapsulations, which carry one network’s packets inside another’s) without verifying who sent them. Because such a host decapsulates and forwards whatever arrives, an attacker can use it as a one-way proxy: injecting traffic with a spoofed source, mounting DoS attacks and DNS spoofing while hiding the true origin. Most of the vulnerable hosts are located in China and France. The researchers have published technical details and defensive recommendations, and the issues have been assigned several CVE identifiers for tracking.
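The first line of defence the summary alludes to is not to decapsulate tunnel packets from arbitrary sources. The following added example (written for this digest, not code from the KU Leuven researchers) parses the outer IPv4 header, recognises IPIP, 6in4 and GRE by protocol number, and accepts them only from a configured peer. The packets and the peer address 203.0.113.10 are constructed; note that the `gre_spoofed_peer` sample is accepted, which is the point: an attacker who spoofs the trusted peer’s address as the outer source still gets through, so source filtering must be backed by an authenticated tunnel (IPsec or similar) rather than stand alone.

```python
import ipaddress
import struct

# IANA protocol numbers for the encapsulations in question (standard values, not assumptions).
TUNNEL_PROTOS = {4: "IPIP", 41: "6in4", 47: "GRE"}


def parse_ipv4(packet: bytes) -> tuple:
    """Return (protocol, src, dst, payload) for an IPv4 packet; raise ValueError on malformed input."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _length, _ident, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad header length")
    return proto, ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst), packet[ihl:]


def gre_inner(payload: bytes) -> bytes:
    """Skip a GRE header (RFC 2784/2890): 4 fixed bytes plus optional checksum, key and sequence words."""
    if len(payload) < 4:
        raise ValueError("truncated GRE header")
    flags = struct.unpack("!H", payload[:2])[0]
    offset = 4
    if flags & 0xC000:  # C (or legacy R) bit: checksum/reserved word present
        offset += 4
    if flags & 0x2000:  # K bit: key word present
        offset += 4
    if flags & 0x1000:  # S bit: sequence number present
        offset += 4
    return payload[offset:]


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet for the constructed samples below (checksum left as zero)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header + payload


class TunnelFilter:
    """Accept IPIP/6in4/GRE packets only from configured peers and surface the inner source address."""

    def __init__(self, trusted_peers):
        self.trusted = {ipaddress.IPv4Address(p) for p in trusted_peers}

    def inspect(self, packet: bytes) -> dict:
        proto, src, _dst, payload = parse_ipv4(packet)
        tunnel = TUNNEL_PROTOS.get(proto)
        if tunnel is None:
            return {"verdict": "pass", "tunnel": None, "outer_src": str(src), "inner_src": None}
        if src not in self.trusted:
            return {"verdict": "drop", "tunnel": tunnel, "outer_src": str(src), "inner_src": None}
        inner = gre_inner(payload) if tunnel == "GRE" else payload
        inner_src = None
        if len(inner) >= 20 and inner[0] >> 4 == 4:  # only IPv4 inner headers are decoded here
            inner_src = str(parse_ipv4(inner)[1])
        return {"verdict": "accept", "tunnel": tunnel, "outer_src": str(src), "inner_src": inner_src}


# Constructed sample traffic (not captured data). 203.0.113.10 is the only legitimate tunnel peer.
INNER = build_ipv4("10.0.0.5", "10.0.0.9", 6, b"\x00" * 20)  # inner packet with a zeroed TCP header
GRE_KEYED = struct.pack("!HH", 0x2000, 0x0800) + b"\x00\x00\x00\x2a"  # GRE header, K bit set, key 42
SAMPLES = {
    "ipip_untrusted": build_ipv4("198.51.100.7", "192.0.2.1", 4, INNER),
    "ipip_trusted": build_ipv4("203.0.113.10", "192.0.2.1", 4, INNER),
    "gre_untrusted": build_ipv4("198.51.100.7", "192.0.2.1", 47, GRE_KEYED + INNER),
    "gre_spoofed_peer": build_ipv4("203.0.113.10", "192.0.2.1", 47, GRE_KEYED + INNER),
    "plain_tcp": build_ipv4("198.51.100.7", "192.0.2.1", 6, b"\x00" * 20),
}
FILTER = TunnelFilter(["203.0.113.10"])


def verdicts() -> dict:
    """Verdict per sample packet; the spoofed-peer GRE packet is accepted, showing the allowlist's limit."""
    return {name: FILTER.inspect(pkt)["verdict"] for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:18} {FILTER.inspect(pkt)}")
```

The inner source address is surfaced on accepted packets so that a host can additionally refuse inner packets whose source does not belong to the peer’s network, which catches the spoofed-traffic use of the host as a proxy even when the outer source looks legitimate.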
🔄 Microsoft Active Directory Group Policy misconfiguration allows NTLMv1 bypass. Researchers have found that an on-premises application can still negotiate NT LAN Manager (NTLM) v1 authentication even when the Group Policy setting intended to disable NTLMv1 is in place, so organizations that believe they have retired NTLMv1 may be accepting it without knowing. NTLMv2 is stronger but still has weaknesses that attackers can exploit. To find such cases, experts recommend enabling audit logging for NTLM authentication, so that the hosts and applications still authenticating with NTLMv1 become visible, and keeping systems up to date. This finding follows other recent security concerns, including a zero-day vulnerability in PDF readers that could leak sensitive information.
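One concrete way to act on the audit-logging advice is to look at Security event 4624 on domain controllers: when a logon completes over NTLM, the “Package Name (NTLM only)” field states whether NTLM V1 or NTLM V2 was used. The following added example (not from the research or from Microsoft) triages constructed 4624 messages, extracts the account and source of every NTLMv1 logon, and ranks the source addresses, which is where the application forcing NTLMv1 will be found. The event texts are modelled on the 4624 layout but are constructed samples.

```python
import re
from collections import Counter

# Constructed sample messages modelled on the text of Security event 4624 (not real log extracts).
SAMPLE_EVENTS = [
    """An account was successfully logged on.
Subject:
    Account Name:        -
Logon Type:          3
New Logon:
    Account Name:        svc-backup
    Account Domain:      CORP
Network Information:
    Workstation Name:    NAS01
    Source Network Address:  10.20.1.15
Detailed Authentication Information:
    Logon Process:       NtLmSsp
    Authentication Package:  NTLM
    Package Name (NTLM only):  NTLM V1
    Key Length:          56""",
    """An account was successfully logged on.
Subject:
    Account Name:        -
Logon Type:          3
New Logon:
    Account Name:        jsmith
    Account Domain:      CORP
Network Information:
    Workstation Name:    NAS01
    Source Network Address:  10.20.1.15
Detailed Authentication Information:
    Logon Process:       NtLmSsp
    Authentication Package:  NTLM
    Package Name (NTLM only):  NTLM V1
    Key Length:          56""",
    """An account was successfully logged on.
Subject:
    Account Name:        -
Logon Type:          3
New Logon:
    Account Name:        jdoe
    Account Domain:      CORP
Network Information:
    Workstation Name:    WS042
    Source Network Address:  10.20.5.33
Detailed Authentication Information:
    Logon Process:       NtLmSsp
    Authentication Package:  NTLM
    Package Name (NTLM only):  NTLM V2
    Key Length:          128""",
    """An account was successfully logged on.
Subject:
    Account Name:        -
Logon Type:          3
New Logon:
    Account Name:        mlee
    Account Domain:      CORP
Network Information:
    Workstation Name:    -
    Source Network Address:  10.20.7.8
Detailed Authentication Information:
    Logon Process:       Kerberos
    Authentication Package:  Kerberos
    Package Name (NTLM only):  -
    Key Length:          0""",
]

# The "New Logon" section holds the authenticated identity; the "Subject" section is skipped.
ACCOUNT = re.compile(r"New Logon:.*?Account Name:\s*(?P<acct>\S+).*?Account Domain:\s*(?P<dom>\S+)", re.S)
SOURCE = re.compile(r"Workstation Name:\s*(?P<ws>\S+).*?Source Network Address:\s*(?P<ip>\S+)", re.S)
NTLM_PKG = re.compile(r"Package Name \(NTLM only\):[ \t]*(?P<pkg>[^\r\n]*)")


def ntlmv1_logons(events) -> list:
    """One record per 4624 event whose NTLM package name is 'NTLM V1'; v2 and Kerberos logons are ignored."""
    hits = []
    for text in events:
        pkg = NTLM_PKG.search(text)
        if pkg is None or pkg.group("pkg").strip().upper() != "NTLM V1":
            continue
        acct, src = ACCOUNT.search(text), SOURCE.search(text)
        hits.append({
            "account": f"{acct.group('dom')}\\{acct.group('acct')}" if acct else "?",
            "workstation": src.group("ws") if src else "?",
            "source_ip": src.group("ip") if src else "?",
        })
    return hits


def sources_by_count(events) -> list:
    """Rank source addresses by NTLMv1 logon count: these hosts run the software still negotiating v1."""
    return Counter(h["source_ip"] for h in ntlmv1_logons(events)).most_common()


if __name__ == "__main__":
    for hit in ntlmv1_logons(SAMPLE_EVENTS):
        print(hit)
    print(sources_by_count(SAMPLE_EVENTS))
```

On a real domain controller the same fields are available through the event’s XML or a SIEM query; the value of doing this before enforcing the policy is that the ranked list tells you which systems will break when NTLMv1 is actually refused.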
🖼️💻 Hackers Conceal Malware in Images to Launch Sophisticated Attacks. Threat actors are using images to hide malicious code and deliver malware like VIP Keylogger and 0bj3ctivity Stealer through phishing campaigns. These attacks begin with deceptive emails that trick recipients into opening infected attachments, exploiting a known security flaw to download a PowerShell script. This script retrieves an image from archive.org, decodes it, and executes a .NET loader to install the malware. HP Wolf Security’s report highlights the increasing use of GenAI in crafting these attacks, making them more efficient and accessible to less skilled cybercriminals. The commodification of cybercrime is evident as malware kits become easier to obtain and use, posing a growing threat to cybersecurity.
🦠 Wolf Haldenstein law firm suffers major data breach affecting 3.5 million individuals. The firm reported that on December 13, 2023, hackers accessed sensitive information stored on its servers, impacting a total of 3,445,537 people. Although the firm has not found evidence of data misuse, the breach exposed personal details such as names, Social Security numbers, and medical information, increasing the risk of phishing and scams. Delays in the investigation and notification process have left many affected individuals without direct communication from the firm. Wolf Haldenstein plans to offer credit monitoring services and advises those potentially impacted to remain vigilant against suspicious activities. The firm has not clarified whether the exposed data belonged to clients, employees, or others.
🐍💻 Python-based malware fuels RansomHub ransomware attacks. Cybersecurity researchers from GuidePoint Security have uncovered a sophisticated attack involving a Python backdoor that enables persistent access to compromised networks, facilitating the deployment of RansomHub ransomware. The initial breach is attributed to the SocGholish malware, which tricks users into downloading fake browser updates through drive-by campaigns. Once executed, SocGholish connects to an attacker-controlled server to deliver additional payloads. The Python backdoor, detected since December 2023, utilizes a SOCKS5 protocol-based tunnel for lateral movement within networks. The malware’s well-structured code suggests a meticulous author, potentially leveraging AI tools. Additionally, other tools have been identified in ransomware campaigns, including those targeting Amazon S3 buckets and employing aggressive ransom tactics.
🔐 FTC mandates GoDaddy to enhance security measures following breaches. The Federal Trade Commission (FTC) has reached a settlement with GoDaddy, requiring the web hosting company to implement essential security controls, including HTTPS APIs and mandatory multi-factor authentication (MFA), over its failure to secure its hosting services since 2018. The FTC’s complaint highlighted GoDaddy’s misleading claims about its security practices, which left millions of customers exposed to attacks. Notable breaches occurred between 2019 and 2022; in a multi-year intrusion disclosed in February 2023, attackers accessed customer data and installed malware on hosting servers. The settlement requires GoDaddy to establish a comprehensive security program and to undergo biennial assessments by an independent third party to verify compliance.
🛡️💻 Ivanti issues security advisory for critical vulnerabilities in Connect Secure. On January 8, 2025, Ivanti announced two vulnerabilities, CVE-2025-0282 and CVE-2025-0283, affecting its Connect Secure, Policy Secure, and Neurons for ZTA gateways. CVE-2025-0282, an unauthenticated remote stack-based buffer overflow, has been actively exploited and allows an attacker to achieve remote code execution (RCE) with limited privileges. The advisory noted that CVE-2025-0283, a local privilege escalation vulnerability, was patched at the same time but has no known exploits. Security firm watchTowr described the exploitation strategy, showing that RCE could be achieved by brute-forcing an address guess, which took roughly 30 minutes in their testing. The vulnerabilities pose significant risks, particularly for enterprise environments that rely on Ivanti’s SSL VPN appliances as their perimeter.
🔑 Karmada Security Audit Reveals Key Vulnerabilities and Recommendations. A recent security audit of the Karmada project, conducted by Shielder with support from OSTIF and CNCF, identified six findings, including one high-severity issue related to insecure design in Pull Mode. While most vulnerabilities have been addressed, two remain open for future iterations. The audit emphasized the importance of threat modeling in multi-cloud environments, highlighting risks from compromised clusters and insecure configurations. Developers are advised to update to the latest release and consider using Push Mode for deployment to enhance security. The full audit report is available in the project’s repository, providing detailed insights and recommendations for improving Karmada’s security posture.
🛡️🌍 SentinelOne enhances Purple AI with new features for global cybersecurity. SentinelOne has introduced significant updates to its Purple AI platform, aimed at improving threat detection and response for security teams. The new features include expanded support for third-party log sources, such as Palo Alto Networks and Microsoft Office 365, allowing for broader data visibility and faster investigations. Additionally, early access to multilingual question support enables global teams to interact with the AI in their preferred languages, breaking down communication barriers. These enhancements are designed to streamline workflows, empower analysts, and foster collaboration across diverse organizations, ultimately strengthening cybersecurity efforts against evolving threats.
🛠️ Critical SQL Injection Vulnerability Discovered in Microsoft Configuration Manager. A serious security flaw has been identified in Microsoft Configuration Manager (MCM) that allows unauthenticated SQL injection, leading to arbitrary SQL query execution and potentially to remote code execution. The vulnerability, tracked as CVE-2024-43468, was confirmed by Microsoft on August 22, 2024, following a report to the Microsoft Security Response Center (MSRC). Initial hotfixes released in September had problems, and a revised fix was published on September 18. The vulnerability is particularly risky because exploitation leaves no clear traces in log files, which complicates detection. For further technical details, exploitation code is available on GitHub.
🔍 Wavlink AC3000 router exposed to 44 vulnerabilities, no patch released. Cisco Talos has identified 44 vulnerabilities across the Wavlink AC3000 wireless router’s web application, affecting ten .cgi and three .sh files, as well as the static login page. These vulnerabilities include critical issues such as arbitrary code execution, command injection, and buffer overflows, with some allowing attackers to gain root access. Despite the severity of these findings, Wavlink has opted not to release a patch. Users are advised to monitor Talos Intelligence for updates and utilize Snort for detection of potential exploit attempts. The vulnerabilities pose significant risks given the router’s popularity in the U.S. market.
🦅 Earth Baxia Launches Targeted Cyber Attacks in APAC Using Advanced Techniques. The threat actor Earth Baxia, suspected to operate from China, has executed sophisticated cyber attacks against government and energy sectors in Taiwan and other Asia-Pacific countries. Utilizing spear-phishing emails and exploiting the GeoServer vulnerability (CVE-2024-36401), they deployed customized malware, including modified Cobalt Strike components and a new backdoor named EAGLEDOOR. These attacks involved advanced techniques such as DLL side-loading and multi-protocol communication for data exfiltration. The group’s operations highlight the need for enhanced cybersecurity measures, including phishing awareness training and multi-layered protection solutions, to mitigate risks associated with such sophisticated threats.
💻🔒 Ransomware Group Black Basta Exploits Microsoft Teams for Phishing Attacks. A new threat campaign attributed to the ransomware group Black Basta involves flooding users’ mailboxes with spam emails before posing as IT support on Microsoft Teams to gain unauthorized access. The attackers create a fake Microsoft 365 tenant, send benign spam emails, and then initiate chats with victims, convincing them to use remote management tools to provide access. To combat this, organizations are advised to monitor for spikes in spam emails, suspicious Teams communications, and implement anti-spam policies. Additionally, disabling external Teams communication and enabling logging for chat events can enhance detection and prevention efforts against these phishing tactics.
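The two detection signals the summary recommends, a spike in inbound mail to one mailbox and an external Teams chat arriving shortly afterwards, are much stronger together than apart. The following added example (written for this digest, not from the original reporting) correlates the two over constructed telemetry: it finds mailboxes that received at least a threshold number of messages within a sliding window, then alerts when a chat from a tenant outside the organisation (and not on an allowlist, mirroring the advice to restrict external Teams access) reaches that mailbox within the look-ahead period. The tenant names, addresses and timestamps are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

OUR_TENANT = "corp.example"  # assumed home tenant for the constructed data below

# Constructed sample telemetry (not real logs): inbound mail events and Teams chat-start events.
MAIL_EVENTS = [  # (timestamp, mailbox, sender): 40 promotional messages hit alice in 40 minutes
    (f"2025-01-14T09:{m:02d}:00", "alice@corp.example", f"offers@promo{m % 6}.example") for m in range(40)
] + [
    ("2025-01-14T08:30:00", "bob@corp.example", "billing@vendor.example"),
    ("2025-01-14T10:15:00", "bob@corp.example", "hr@corp.example"),
    ("2025-01-14T13:40:00", "bob@corp.example", "news@partner.example"),
]
TEAMS_EVENTS = [  # (timestamp, recipient, sender tenant domain, sender display name)
    ("2025-01-14T10:05:00", "alice@corp.example", "helpdesk-it-support.onmicrosoft.com", "IT Help Desk"),
    ("2025-01-14T11:00:00", "bob@corp.example", "partner.example", "Carol Vendor"),
    ("2025-01-14T11:30:00", "alice@corp.example", "corp.example", "Dave Colleague"),
]


def spam_bursts(mail_events, window=timedelta(minutes=60), threshold=20) -> dict:
    """Map mailbox -> start of the first sliding window in which it received >= threshold messages."""
    times_by_mailbox = defaultdict(list)
    for ts, mailbox, _sender in mail_events:
        times_by_mailbox[mailbox].append(datetime.fromisoformat(ts))
    bursts = {}
    for mailbox, times in times_by_mailbox.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge forward
                start += 1
            if end - start + 1 >= threshold:
                bursts[mailbox] = times[start]
                break
    return bursts


def correlate(mail_events, teams_events, lookahead=timedelta(hours=8), allowed_tenants=frozenset()) -> list:
    """Alert when a spam-bombed mailbox gets a chat from an unknown external tenant within the look-ahead."""
    bursts = spam_bursts(mail_events)
    alerts = []
    for ts, recipient, tenant, display_name in teams_events:
        if tenant == OUR_TENANT or tenant in allowed_tenants or recipient not in bursts:
            continue
        chat_time = datetime.fromisoformat(ts)
        burst_start = bursts[recipient]
        if burst_start <= chat_time <= burst_start + lookahead:
            alerts.append({"mailbox": recipient, "burst_start": burst_start.isoformat(),
                           "chat_time": ts, "external_tenant": tenant, "display_name": display_name})
    return alerts


if __name__ == "__main__":
    for alert in correlate(MAIL_EVENTS, TEAMS_EVENTS, allowed_tenants=frozenset({"partner.example"})):
        print(alert)
```

The threshold and window are deliberately parameters: a marketing mailbox will have a very different baseline from a finance analyst’s, and the burst logic is the part to tune, while the “external tenant not on the allowlist” condition is the part that should rarely, if ever, be relaxed.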
🔍 CISA releases playbook to enhance cybersecurity using Microsoft cloud logs. The Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the Office of Management and Budget, the Office of the National Cyber Director, and Microsoft, has published the Microsoft Expanded Cloud Log Implementation Playbook. This resource aims to assist public and private organizations in utilizing Microsoft Purview Audit (Standard) logs to improve their cybersecurity operations. The playbook offers guidance on enabling and operationalizing these logs for threat detection and incident response, along with best practices for navigating M365 logs. CISA emphasizes the importance of these security logs in defending against cyber threats and encourages organizations to adopt the Secure by Design principles.
🛡️💻 Avery Products Corporation reports significant data breach affecting customer information. The company announced that its website was hacked, compromising the credit card and personal details of approximately 61,193 customers between July 18 and December 9, 2024. A card skimmer was discovered on their online shop, leading to the exfiltration of sensitive data, including names, addresses, email addresses, and payment card information. Although Social Security numbers and government IDs were not affected, the exposed data could facilitate fraudulent transactions. In response, Avery is offering 12 months of free credit monitoring and has set up a dedicated assistance line for affected customers. They urge vigilance against unsolicited communications and recommend reporting any suspicious account activity.
🎭 Cybercriminals exploit Google search ads to launch phishing attacks. Attackers are using Google search advertisements to promote phishing sites that impersonate Google Ads, tricking users into entering their credentials on fake login pages. These phishing pages, hosted on Google Sites, mimic the official Google Ads interface, making it difficult for victims to discern the deception. Malwarebytes Labs reports that at least three cybercrime groups are involved, targeting users worldwide and aiming to sell stolen accounts on hacking forums. Google is actively investigating the issue and has taken significant action against misleading ads, removing millions of violations throughout 2023. The ongoing campaign highlights vulnerabilities in ad policies that allow such impersonation tactics to flourish.
🖼️✨ ImageNet-Patch dataset launched to enhance machine learning robustness testing. Researchers have introduced ImageNet-Patch, a new dataset designed to benchmark machine learning models against adversarial patches that can mislead these systems. The dataset features optimized patches that generalize across various models and can be applied to ImageNet data through efficient preprocessing techniques. This approach allows for quicker robustness evaluations by utilizing the transferability of adversarial perturbations. The effectiveness of the patches was tested on 127 different models, demonstrating the dataset’s potential as a standard for assessing model robustness. The dataset and evaluation code have been made publicly available for further research and application in the field.
🤖🔍 ChatGPT shows promise in Face Presentation Attack Detection. A study reveals that ChatGPT (GPT-4o) can effectively compete with existing Face Presentation Attack Detection (PAD) models, outperforming several commercial solutions in specific scenarios. The model excels in few-shot in-context learning, improving its performance with more examples and demonstrating high consistency. Detailed prompts enhance its reliability, while explanation-seeking prompts boost interpretability. Notably, GPT-4o exhibits emergent reasoning, accurately predicting attack types without explicit instructions. However, it struggles in zero-shot tasks compared to specialized PAD systems. Conducted on a subset of the SOTERIA dataset, the research emphasizes GPT-4o’s potential in PAD applications and highlights the need for further exploration of data privacy and cross-dataset generalization.
🔐✨ Advancements in Quantum Key Distribution Enhance Symmetric Key Encryption Security. Researchers have developed a secure method for combining quantum key distribution (QKD) with symmetric key encryption, ensuring information-theoretic security against quantum adversaries. The study introduces a quantum-enabled Key Encapsulation Mechanism (qKEM) and a quantum-enabled hybrid encryption (qHE) framework, which utilizes a one-time symmetric key encryption scheme for efficient message encryption of unrestricted length. This approach leverages existing QKD protocols to provide a robust security proof, demonstrating that the hybrid encryption system remains secure even against adversaries capable of quantum computations. The findings represent a significant step towards post-quantum secure encryption without relying on computational assumptions.
🛠️ CveBinarySheet launches a comprehensive database for IoT vulnerability analysis. The newly introduced CveBinarySheet database features 1,033 CVE entries from 1999 to 2024, specifically designed to enhance Binary Static Code Analysis (BSCA) for various environments, including IoT and firmware. It includes 16 critical third-party components, such as busybox and curl, and supports five CPU architectures: x86-64, i386, MIPS, ARMv7, and RISC-V64. Each binary is available at two compiler optimization levels (O0 and O3), providing essential resources for vulnerability analysis. This initiative aims to facilitate the development of advanced BSCA tools and improve binary similarity and vulnerability matching applications, addressing the current lack of comprehensive datasets in the field.
🛡️🌍 Innovative Approach to Multilingual Email Phishing Detection Using OSINT and Machine Learning. A recent study investigates the effectiveness of integrating open-source intelligence (OSINT) tools with machine learning (ML) models to enhance the detection of email phishing attacks across multilingual datasets, specifically English and Arabic. By extracting 17 features such as domain names and IP addresses using tools like Nmap and theHarvester, the research found that the Random Forest algorithm achieved the highest accuracy at 97.37%. This approach not only improved detection rates compared to traditional models but also addressed the limitations of existing ML systems that primarily focus on English data. The findings underscore the potential of combining OSINT with advanced ML techniques to bolster cybersecurity measures against phishing threats in diverse linguistic contexts.
🛡️✨ New UEFI vulnerability threatens Secure Boot integrity. A recently disclosed security flaw, identified as CVE-2024-7344, could allow attackers to bypass the Secure Boot mechanism in UEFI systems, potentially enabling the execution of malicious UEFI bootkits. The vulnerability, which has a CVSS score of 6.7, affects UEFI applications signed by Microsoft’s third-party certificate and can lead to the loading of unsigned code during system boot. ESET researchers highlighted that the issue stems from a custom PE loader used in certain recovery software, allowing exploitation even with Secure Boot enabled. While the flaw has been patched, concerns remain about the prevalence of similar vulnerabilities in third-party UEFI software, prompting calls for improved security measures and vigilance in UEFI implementations.
🔒🛡️ Google releases Chrome 132, addressing critical security vulnerabilities. The latest update, version 132.0.6834.83/84, is now available for Windows, macOS, and Linux users, featuring 16 security fixes, including five high-severity vulnerabilities that could allow remote code execution. Notable issues include an out-of-bounds memory access in the V8 JavaScript engine and an integer overflow in the Skia graphics engine. Google has awarded bug bounties to researchers who identified these vulnerabilities, with rewards ranging from $1,000 to $7,000. Users are strongly urged to update their browsers promptly to mitigate potential risks, as the update also includes performance enhancements and prepares for future features. This release underscores Google’s commitment to maintaining browser security and user safety.
🎣 Criminals exploit Google Ads to launch sophisticated phishing scheme. Online criminals are targeting Google Ads advertisers through fraudulent ads that impersonate the platform, redirecting victims to fake login pages designed to steal their credentials. This extensive malvertising operation, which has affected thousands of users globally, involves redirecting victims to Google Sites-hosted pages that appear legitimate. Once victims enter their information, it is captured and sent to remote servers, allowing criminals to take control of the accounts for further exploitation. The scheme is primarily run by two groups, one based in Brazil and another in Asia, highlighting the international scope of the threat. As Google continues to earn revenue from these compromised accounts, the urgency for advertisers to remain vigilant against such scams is paramount.
🛠️ Critical vulnerabilities discovered in Rsync file-synchronizing tool. Six security flaws have been identified in Rsync, the widely used file-synchronizing tool for Unix-like systems, potentially allowing a malicious server to compromise connecting clients and, in the most severe case, a client to run code on the server. The flaws include a heap-buffer overflow and an information leak; the most severe (CVE-2024-12084) scores 9.8 on the CVSS scale and enables code execution with only anonymous read access to a server. Researchers from Google Cloud Vulnerability Research reported the first five issues, while a separate researcher identified a race condition. Patches have been released in Rsync version 3.4.0, and users unable to update are advised to apply the specific mitigations published alongside the fixes.
🔄 Exploring Attack Paths in Microsoft Intune: A Comprehensive Overview. The article delves into the security implications of Microsoft Intune, a service for endpoint management, highlighting its growing adoption and the potential vulnerabilities it presents to adversaries. It outlines the distinct role-based access control (RBAC) systems within Intune and Entra, emphasizing how these can be exploited for unauthorized actions on managed devices. The piece also discusses various methods for executing arbitrary commands through Intune, including the use of PowerShell scripts and remediation features. Additionally, it addresses user hunting techniques to identify logged-on users across devices, setting the stage for future research on Intune’s security landscape and potential abuse scenarios.
🔍 New vulnerabilities in Autel MaxiCharger revealed at Black Hat Europe. Security researchers Jonathan Andersson and Thanos Kaliyanakis presented findings on the Autel MaxiCharger, including methods to bypass the readout protection on its GD32 microcontroller, which is meant to prevent dumping the internal flash. The charger carries several communication modules, including Ethernet, Wi-Fi and an undocumented USB-C port, alongside an ESP32 for Bluetooth. The teardown showed that the 4G module, built on a Qualcomm LTE modem, exposes debugging capabilities, while several unused ports suggest further avenues for exploration. The researchers aim to encourage vulnerability research on the MaxiCharger ahead of the Pwn2Own Automotive event in January 2025, emphasizing the need for improved product security among vendors.
🔑 Single-page applications (SPAs) face significant access control vulnerabilities. SPAs, popular for their dynamic interfaces, render on the client, which means every route guard, hidden menu entry and “is admin” check shipped to the browser is under the user’s control. Common weaknesses are route guards bypassed by navigating directly to the protected path, “hidden” UI elements un-hidden in the browser’s developer tools, and client-side checks stepped over in the JavaScript debugger; none of these stop a request to the underlying API. To mitigate the risk, developers are advised to enforce authorization on every API endpoint on the server, to use JSON Web Tokens (or another server-verified session token) and validate them on each request rather than trusting their decoded contents, and to consider server-side rendering where protected content should never reach the client at all. Regular penetration testing is also recommended to find the gaps. By prioritizing these measures, developers can keep SPAs secure while maintaining a seamless user experience.
🛡️✨ Okta leads the charge in establishing a new identity security standard. The OpenID Foundation has launched the Interoperability Profiling for Secure Identity in the Enterprise (IPSIE) working group, supported by major tech companies including Okta, Microsoft, and Capital One. This initiative aims to create a unified standard for identity security, focusing on key areas such as single sign-on, lifecycle management, and risk signal sharing. Okta’s commitment to enhancing security is underscored by its detection of over 3 billion identity-based attacks monthly and the implementation of phishing-resistant authentication for all employees. The IPSIE group, which meets weekly, seeks to foster a more secure and efficient SaaS ecosystem, with draft specifications expected by early 2025.
🎭 Cybercriminals Exploit Google Ads to Hijack Accounts and Distribute Malware. A sophisticated malvertising campaign is underway, with attackers impersonating Google Ads login pages to steal credentials from advertisers. Operating from various regions, these threat actors use hijacked accounts to purchase and disseminate malicious ads, making them appear legitimate due to the use of Google’s own URLs. Malwarebytes researchers have labeled this operation as the most egregious of its kind, affecting thousands of users globally. Google is actively investigating the issue and has removed billions of ads in 2023, but the rapid creation of fake accounts complicates enforcement efforts. The ongoing impersonation tactics highlight the need for improved security measures within Google Ads.
🕵️♂️ New Malvertising Campaign Targets Google Ads Users for Credential Theft. Cybersecurity researchers have identified a malvertising scheme aimed at individuals and businesses using Google Ads, where attackers impersonate Google to phish for login credentials. The campaign, active since mid-November 2024, redirects users searching for Google Ads to fake login pages hosted on Google Sites, capturing sensitive information like two-factor authentication codes. The attackers exploit Google’s ad policies, allowing fraudulent URLs in ads, and are believed to operate primarily from Brazil. Google has acknowledged the issue, stating it prohibits deceptive ads and has taken action against millions of violative ads and accounts in 2023. The campaign highlights ongoing challenges in combating sophisticated phishing tactics within advertising networks.
💻🔗 Lazarus Group Launches Operation 99 to Target Web3 Developers. The North Korea-linked Lazarus Group has initiated a cyber attack campaign named Operation 99, aimed at software developers in the Web3 and cryptocurrency sectors. The operation employs fake recruiters on platforms like LinkedIn to lure victims into cloning malicious GitLab repositories, which then deploy malware designed to steal sensitive data, including cryptocurrency wallet keys. Victims have been identified globally, with a notable concentration in Italy. This campaign builds on previous tactics used by Lazarus, showcasing their evolving methods to exploit human trust through sophisticated recruitment schemes. The malware’s modular design allows it to operate across various operating systems, highlighting the persistent threat posed by nation-state cyber actors in the booming cryptocurrency landscape.