What's new around the internet

Src Date (GMT) Title Description Tags Stories Notes
DataSecurityBreach.webp 2025-01-27 11:13:21 Review of the 10th edition of the CESIN barometer (direct link) The 10th CESIN barometer reveals a decade of change in cybersecurity, illustrating the challenges French companies face against sophisticated threats and highlighting their resilience thanks to robust defensive strategies.
Threat ★★★
Blog.webp 2025-01-27 11:11:34 SonicWall SMA Appliances Exploited in Zero-Day Attacks (direct link) Critical security flaw in SonicWall SMA 1000 appliances (CVE-2025-23006) exploited as a zero-day. Rated CVSS 9.8, patch immediately…
Vulnerability Threat ★★
zataz.webp 2025-01-27 11:08:00 Corporate cybersecurity: review and lessons from a decade of analysis with CESIN (direct link) The 10th annual CESIN barometer highlights a decade of change in cybersecurity, illustrating how French companies are adapting (or not) to counter ever more complex and sophisticated threats....
Threat ★★★
InfoSecurityMag.webp 2025-01-27 11:00:00 Subaru Bug Enabled Remote Vehicle Tracking and Hijacking (direct link) A now-patched vulnerability could have enabled threat actors to remotely control Subaru cars
Vulnerability Threat ★★★
Darktrace.webp 2025-01-27 10:58:32 Post-Exploitation Activities on Fortinet Devices: A Network-Based Analysis (direct link) This blog explores recent findings from Darktrace's Threat Research team on active exploitation campaigns targeting Fortinet appliances. This analysis focuses on the September 2024 exploitation of FortiManager via CVE-2024-47575, alongside related malicious activity observed in June 2024.
Threat ★★★
ProofPoint.webp 2025-01-27 02:08:30 A Chemical Company Had a Microsoft Data Security Problem: Here's How Proofpoint Fixed It (direct link) This blog post is part of a three-part series that explores why companies are choosing Proofpoint Data Security solutions. It focuses on the unique challenges of various industries when it comes to keeping data safe. It's vital for organizations to protect their intellectual property. This is especially true in industries where innovation and proprietary knowledge are a competitive advantage. For one multinational chemical company that was preparing to split into three independent businesses, it became a critical mission to gain control of its sensitive data. This blog post explores how this company overcame its Microsoft data security challenges and strengthened its data protection strategy with Proofpoint. The challenge: managing data amid a complex spin-off As this Fortune 500 company planned to split off into three publicly traded entities, the CISO faced the pressing task of mitigating insider data loss risks. Because it already had a Microsoft E5 license, the company initially used Microsoft Purview for data loss prevention (DLP). After all, Purview was included with their license at no extra cost. So why invest in another DLP tool? But within the first six months the CISO's team found that Purview had numerous, critical shortcomings. They included: Operational inefficiencies. To analyze data, Purview needed to have predefined written policies, a rigidity that made it labor-intensive. Inadequate alerting. Purview's alert options were not flexible. This was particularly true when it came to detecting insider threats. For the company to get customized alerts, it needed to integrate Purview with Microsoft Sentinel, which carried significant operational costs. Disjointed platforms. To manage insider data loss, its team had to navigate multiple Microsoft consoles.
This complicated the team's workflows and wasted valuable time. Fallback to manual processes. Frustrated by these limitations, the team resorted to building a custom tool to extract data from Purview and using Excel spreadsheets to manage insider threats, a far cry from an optimal solution. In the words of the company's cybersecurity leader, “If I use Microsoft as the primary platform for data protection, I'm putting my company at risk for data loss.” Immediate results with Proofpoint By selecting Proofpoint Enterprise Data Loss Prevention (DLP), the company achieved immediate, tangible improvements. During the proof of concept (POC), Proofpoint revealed critical vulnerabilities that Microsoft missed, such as: Unprotected Microsoft SharePoint Online. Documents were accessible to anyone with a link. Unauthorized data sharing. Employees were found sharing sensitive data via personal email accounts. Undetected account takeovers. The company had no visibility into account takeovers. Once Proofpoint was fully deployed, the results were striking: Dramatic reduction in data loss. The company reduced data loss from 2,000 GB (or 200,000 files) per month to blocking 4,000 high-risk events monthly. Streamlined operations. Our unified console significantly enhanced operational efficiency. Not only did Proofpoint make it easier to triage alerts across cloud, endpoint and email systems, but our console also sped up investigations and responses. Simplified exclusion management. Writing exclusions in Purview took 30 minutes and could take up to a day to deploy. With Proofpoint, exclusions were written in 10 minutes and rolled out to users within 20 minutes. Accurate alerting and investigation. Proofpoint delivered zero false positives, 100% accuracy and investigations that were seamless, all within a single dashboard. Why Proofpoint: efficiency, time to value and visibility Ultimately, the company chose to complement Purview with Proofpoint in their environment.
The reasons for its decision came down to three factors. 1. Operational efficiency Our human-centric approach provides deep insights into user intent as well as patterns around data a Tool Vulnerability Threat Cloud ★★★
ProofPoint.webp 2025-01-27 01:19:44 Cybersecurity Stop of the Month: E-Signature Phishing Nearly Sparks Disaster for an Electric Company (direct link) The Cybersecurity Stop of the Month blog series explores the ever-evolving tactics of today's cybercriminals and how Proofpoint helps organizations better fortify their email defenses to protect people against today's emerging threats. Phishing remains the No. 1 tactic that cybercriminals use to target your people and steal valuable data and funds. According to Verizon, phishing is the top method that attackers use to gain unauthorized access, and it continues to evolve in both frequency and sophistication. This trend is not just alarming; it's costly. IBM estimates the average data breach that originates with phishing causes a staggering $4.88 million in damages. In this post, we'll analyze a new and complex e-signature phishing threat. In it, attackers combine several novel tactics to get around native Microsoft email security. Background In an e-signature phishing attack, bad actors will spoof a trusted brand and send malicious content through legitimate digital channels. Often, they use advanced methods like adversary-in-the-middle (AitM) to bypass multifactor authentication (MFA) in an effort to further extend their access. And when bad actors use combined tactics, such as Adversary-in-the-Middle plus geofencing, they can be extremely successful in evading detection. Let's look at e-signature phishing attacks in more depth: Impersonating trusted brands Threat actors leverage brands and services of trusted electronic signature services, such as DocuSign or Adobe Sign. They use them to trick recipients into directly downloading malicious documents or visiting fake websites where they enter their login credentials. Of the billions of phishing emails that Proofpoint sees each year, our 2024 State of the Phish report shows that 3.5M malicious messages abused DocuSign branding.
Bypassing MFA Attackers that use e-signature phishing lures frequently seek more than just credentials. They also aim to intercept MFA codes or steal session cookies. Adversary-in-the-middle (AitM) tactics use proxy sites to capture login details and MFA codes in real time. This grants attackers access to the victim's account and any active session cookies which can, in turn, unlock other websites. Steps in the adversary-in-the-middle threat technique. Geofencing access Threat actors use geofencing techniques to limit from where their targets can access their phishing sites or malicious content. By restricting access to specific geographic locations, such as the target's region or country, they reduce the likelihood of detection by IT teams and automated security scanning tools based in other regions. Deploying just one of these tactics can be enough to convince your people to take action. But what happens when a savvy scammer uses all three? The scenario Our recent example shows how combining the methods above enabled a threat actor to successfully target a global electric company. The threat actor's intended victim supplies power to one of the world's largest cities and employs more than 15K people. In this attack, the offending message was delivered to the mailbox of a C-suite executive. It bypassed Microsoft security tools as well as additional detection meant to stop such multi-stage campaigns. Thankfully, Proofpoint caught this threat and helped secure the company from a possible cyberattack or data breach. The named threat actor launching this threat was first observed by Proofpoint in 2021. They are known for using delivery mechanisms like multistep redirection chains, advanced filtering and highly customized lures. Frequent targets include the manufacturing, technology and energy industries.
While they often spoof brands like Microsoft OneDrive and LinkedIn, in this e-signature-based phishing attack they chose the popular digital transaction management platform DocuSign. The threat: How did the attack happen? Here's how the attack unfolded: 1. Setting a lure. The attack started with an email that spoofed DocuSign's brand to appear as a legitimate follow-up notice. It offered the recipient Data Breach Malware Tool Threat Prediction Medical Cloud ★★★★
TechWorm.webp 2025-01-25 20:07:25 Hackers Using RID Hijacking To Create Admin Accounts In Windows (direct link) Cybersecurity researchers at AhnLab have discovered that a North Korean threat group uses malicious files to hijack RIDs and grant admin access to low-privilege Windows accounts. According to ASEC researchers, AhnLab’s security intelligence center, the hacking group behind the attack is the “Andariel” threat group, linked to North Korea’s Lazarus hacker group. “RID Hijacking is an attack technique that involves modifying the RID value of an account with low privileges, such as a regular user or a guest account, to match the RID value of an account with higher privileges (Administrator). By modifying the RID value, threat actors can deceive the system into treating the account as having administrator privileges,” AhnLab wrote in a blog post published on Thursday. In Windows, a Relative Identifier (RID) is part of a Security Identifier (SID), which exclusively distinguishes each user and group within a domain. For instance, an administrator account will have a RID value of “500”, “501” for guest accounts, “512” for the domain admins group, and for regular users, the RID will start from the value of “1000”. In a RID hijacking attack, hackers change the RID of a low-privilege account to the same value as an administrator account. As a result, Windows grants administrative privileges to the account. However, to pull this off, attackers need access to the SAM (Security Account Manager) registry, which requires them to already have SYSTEM-level access to the targeted machine for modification. Attackers typically use tools such as PsExec and JuicyPotato to escalate their privileges and launch a SYSTEM-level command prompt.
While SYSTEM access is the highest privilege in Windows, it has certain limitations: it doesn't allow remote access, cannot interact with GUI apps, generates noisy activity that can be easily detected and doesn't persist after a system reboot. To work around these issues, Andariel first created a hidden, low-privilege local user account by appending a “$” character to its username. This made the account invisible in regular listings but still accessible in the SAM registry. The attackers then carried out RID hijacking to escalate the account’s privileges to the administrator level. According to the researchers, Andariel added the modified account to the Remote Desktop Users and Administrators groups, giving them more control over the system. The group tweaked the SAM registry using custom malware and an open-source tool to execute the RID hijacking. Although SYSTEM access could allow the direct creation of administrator accounts, this method is less conspicuous, making it difficult to detect and prevent. To avoid detection, Andariel also exported and backed up the modified registry settings, deleted the rogue account, and restored it later from the backup when needed, bypassing system logs and making detection even harder. To reduce the risk of RID hijacking, system administrators should implement proactive measures such as: Use the Local Security Authority (LSA) Subsystem Service to monitor unusual login attempts and password changes. Prevent unauthorized access to the SAM registry. Restrict the use of tools like PsExec and JuicyPotato. Disable guest accounts. Enforce multi-factor authentication (MFA) for all user accounts, including low-privileged ones.
Malware Tool Threat APT 38 APT 45 ★★
bleepingcomputer.webp 2025-01-25 16:23:24 TalkTalk investigates breach after data for sale on hacking forum (direct link) UK telecommunications company TalkTalk is investigating a third-party supplier data breach after a threat actor began selling alleged customer data on a hacking forum. [...]
Data Breach Threat ★★
RecordedFuture.webp 2025-01-24 21:36:27 More than 2,000 SonicWall devices vulnerable to critical zero-day (direct link) The Cybersecurity and Infrastructure Security Agency warned that a bug affecting SonicWall's Secure Mobile Access products is being actively exploited.
Vulnerability Threat Mobile ★★
DarkReading.webp 2025-01-24 19:38:35 Cisco: Critical Meeting Management Bug Requires Urgent Patch (direct link) The bug has been given a 9.9 CVSS score, and could allow authenticated threat actors to escalate their privileges to admin-level if exploited.
Threat ★★
Blog.webp 2025-01-24 16:19:52 Hackers Use XWorm RAT to Exploit Script Kiddies, Pwning 18,000 Devices (direct link) Crooks pwning crooks – Hackers exploit script kiddies with XWorm RAT, compromising 18,000+ devices globally and stealing sensitive…
Threat ★★
Cyble.webp 2025-01-24 14:40:40 Unlocking Vulnrichment: Enhancing CVE Data for Smarter Vulnerability Management (direct link) Vulnerability Management Overview The Cybersecurity and Infrastructure Security Agency (CISA) has introduced Vulnrichment, an innovative initiative designed to enhance CVE data by adding crucial context, scoring, and detailed analysis. Launched on May 10, 2024, Vulnrichment aims to empower security professionals by providing more than just basic CVE information: it offers the insights needed to make informed, timely decisions regarding vulnerability management. As part of a mid-year update, CISA's Tod Beardsley, Vulnerability Response Section Chief, provides an overview of how this resource can be leveraged to improve vulnerability management. For IT defenders and vulnerability management teams, Vulnrichment represents a significant advancement in how CVE data is presented and utilized. By enriching basic CVE records with essential metadata like Stakeholder-Specific Vulnerability Categorization (SSVC) decision points, Common Weakness Enumeration (CWE) IDs, and Common Vulnerability Scoring System (CVSS) scores, Vulnrichment transforms raw CVE data into a more actionable and comprehensive resource. The best part? No additional setup is required. This enhanced data is integrated directly into the CVE feeds already being consumed by security teams. Whether you're pulling CVE data from the official CISA platform at https://cve.org or GitHub at https://github.com/CVEProject/cvelistV5, you're already collecting the enriched CVE records that Vulnrichment provides. How Vulnrichment Enhances CVE Data CISA's Vulnrichment is designed to provide a deeper layer of insight into each CVE, helping security professionals prioritize vulnerabilities with greater clarity. Here's an example of how Vulnrichment works with a specific CVE, CVE-2023-45727, which has been marked as a Known Exploited Vulnerability (KEV) by CISA.
If you want to understand the exploitation status of this CVE, you can query the SSVC decision points included in the Vulnrichment ADP (Authorized Data Publisher) container. For instance, using the command line tool jq, you can execute a query to extract the "Exploitation" field to understand whether the vulnerability is actively being exploited, requires proof of concept, or is not yet exploited in the wild. By parsing the ADP container, you can extract this enriched data, which helps you make informed decisions about whether to prioritize this vulnerability over others. This ability to access context-rich CVE data provides valuable intelligence for vulnerability management efforts, enabling teams to prioriti Tool Vulnerability Threat Patching Technical ★★★
Cyble.webp 2025-01-24 13:53:11 Anatomy of an Exploit Chain: CISA, FBI Detail Ivanti CSA Attacks (direct link) Ivanti CSA Attacks Threat actors chained together four vulnerabilities in Ivanti Cloud Service Appliances (CSA) in confirmed attacks on multiple organizations in September, according to an advisory released this week by the FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA). The agencies urged users to upgrade to the latest supported version of Ivanti CSA, and to conduct threat hunting on networks using recommended detection techniques and Indicators of Compromise (IoCs). The January 22 advisory builds on October 2024 advisories from CISA and Ivanti and offers new information on the ways threat actors can chain together vulnerabilities in an attack. The four vulnerabilities were exploited as zero days, leading some to suspect sophisticated nation-state threat actors, possibly linked to the People's Republic of China (PRC). The Ivanti CSA Exploit Chains CVE-2024-8963, a critical administrative bypass vulnerability, was used in both exploit chains, first in conjunction with the CVE-2024-8190 and CVE-2024-9380 remote code execution (RCE) vulnerabilities, and in the second chain with CVE-2024-9379, a SQL injection vulnerability. The vulnerabilities were chained to gain initial access, conduct RCE attacks, obtain credentials, and implant web shells on victim networks. In one case, the threat actors (TAs) moved laterally to two servers. The vulnerabilities affect Ivanti CSA 4.6x versions before 519, and two of the vulnerabilities (CVE-2024-9379 and CVE-2024-9380) affect CSA versions 5.0.1 and below. However, Ivanti says the CVEs have not been exploited in version 5.0.
The First Exploit Chain In the RCE attacks, the threat actors sent a GET request to datetime.php to obtain session and cross-site request forgery (CSRF) tokens, followed by a POST request to the same endpoint using the TIMEZONE input field to manipulate the setSystemTimeZone Tool Vulnerability Threat Patching Cloud ★★★
Checkpoint.webp 2025-01-24 13:00:12 The 8 Things You Should Know About Cyber Attacks on the Education Sector and How to Prevent Them (direct link) 2024 saw an escalation in cyber attacks on the critical Education Sector. Looking at overall numbers, cyber attacks are surging at an alarming rate, with organizations experiencing an average of 1,673 weekly attacks in 2024, a staggering 44% increase from the previous year, according to Check Point's The State of Cyber Security 2025 report. Out of all sectors, the education sector has been hit hardest, suffering an alarming 75% year-over-year rise to 3,574 weekly attacks, as cyber criminals exploit the vast troves of personal data held by schools. As we mark the International Day of Education on January 24th, it's crucial […]
Threat ★★★
InfoSecurityMag.webp 2025-01-24 12:15:00 Russian Scammers Target Crypto Influencers with Infostealers (direct link) Crazy Evil, a group of crypto scammers, exploit NFTs and cryptocurrencies with malware targeting influencers and tech professionals
Malware Threat ★★★
bleepingcomputer.webp 2025-01-24 11:34:40 Hacker infects 18,000 "script kiddies" with fake malware builder (direct link) A threat actor targeted low-skilled hackers, known as "script kiddies," with a fake malware builder that secretly infected them with a backdoor to steal data and take over computers. [...]
Malware Threat ★★★
Pirate.webp 2025-01-24 10:56:27 Fake CAPTCHAs and new techniques for evading detection (direct link) During January, Netskope Threat Labs reported a new malware campaign using fake CAPTCHAs to distribute the Lumma Stealer malware, which has existed since 2022 and operates as malware-as-a-service. Op-ed – The campaign has a global impact: Netskope's experts […] The post Fake CAPTCHAs and new techniques for evading detection first appeared on UnderNews.
Malware Threat ★★★
ProofPoint.webp 2025-01-24 05:28:30 Unlocking the Value of AI: Safe AI Adoption for Cybersecurity Professionals (direct link) As a cybersecurity professional or CISO, you likely find yourself in a rapidly evolving landscape where the adoption of AI is both a game changer and a challenge. In a recent webinar, I had an opportunity to delve into how organizations can align AI adoption with business objectives while safeguarding security and brand integrity. Michelle Drolet, CEO of Towerwall, Inc., hosted the discussion. And Diana Kelley, CISO at Protect AI, participated with me. What follows are some key takeaways. I believe every CISO and cybersecurity professional should consider them when they are integrating AI into their organization. Start with gaining visibility into AI usage The first and most critical step is gaining visibility into how AI is being used across your organization. Whether it's generative AI tools like ChatGPT or custom predictive models, it's essential to understand where and how these technologies are deployed. After all, you cannot protect what you cannot see. Start by identifying all large language models (LLMs) and the AI tools that are being used. Then map out the data flows that are associated with them. Balance innovation with guardrails AI adoption is inevitable. The “hammer approach” of banning its use outright rarely works. Instead, create tailored policies that balance innovation with security. For instance: Define policies that specify what types of data can interact with AI tools. Implement enforcement mechanisms to prevent sensitive data from being shared inadvertently. These measures empower employees to use AI's capabilities while ensuring that robust security protocols are maintained. Educate your employees One of the biggest challenges in AI adoption is ensuring that employees understand the risks and responsibilities that are involved.
Traditional security awareness programs that focus on phishing or malware need to evolve to include AI-specific training. Employees must be equipped to: Recognize the risks of sharing sensitive data with AI. Create clear policies for complex techniques like data anonymization to prevent inadvertent exposure of sensitive data. Appreciate why it's important to follow organizational policies. Conduct proactive threat modeling AI introduces unique risks, such as accidental data leakage. Another risk is “confused pilot” attacks where AI systems inadvertently expose sensitive data. Conduct thorough threat modeling for each AI use case: Map out architecture and data flows. Identify potential vulnerabilities in training data, prompts and responses. Implement scanning and monitoring tools to observe interactions with AI systems. Use modern tools like DSPM Data Security Posture Management (DSPM) is an invaluable framework for securing AI. By providing visibility into data types, access patterns and risk exposure, DSPM enables organizations to: Identify sensitive data being used for AI training or inference. Monitor and control who has access to critical data. Ensure compliance with data governance policies. Test before you deploy AI is nondeterministic by nature. This means that its behavior can vary unpredictably. Before deploying AI tools, conduct rigorous testing: Red team your AI systems to uncover potential vulnerabilities. Use AI-specific testing tools to simulate real-world scenarios. Establish observability layers to monitor AI interactions post-deployment. Collaborate across departments Effective AI security requires cross-departmental collaboration.
Engage teams from marketing, finance, compliance and beyond to: Understand their AI use cases. Identify risks that are specific to their workflows. Implement tailored controls that support their objectives while keeping the organization safe. Final thoughts By focusing on visibility, education and proactive security measures, we can harness AI's potential while minimizing risks. If there's one piece of advice that I'd leave you with, it's this: Don't wait for incidents to highlight the gaps in your AI strategy. Take the first step now by auditing Malware Tool Vulnerability Threat Legislation ChatGPT ★★
TechWorm.webp 2025-01-23 22:00:56 CVSS Score 9.9: Cisco Patches Critical Privilege Escalation Vulnerability In Meeting Management Software (direct link) Cisco, the largest provider of networking equipment in the world, released a security update on Wednesday to address a critical privilege escalation vulnerability in the REST API of Cisco Meeting Management. The critical vulnerability tracked as CVE-2025-20156 has been rated 9.9 out of 10 on the Common Vulnerability Scoring System (CVSS). This privilege escalation flaw, if exploited, could allow a remote, authenticated attacker with low privileges to elevate privileges to administrator on an affected device, posing a severe risk to organizations. “This vulnerability exists because proper authorization is not enforced upon REST API users. An attacker could exploit this vulnerability by sending API requests to a specific endpoint,” the company said in an advisory on Wednesday. Cisco also thanked Ben Leonard-Lagarde of Modux for reporting this vulnerability. The following versions of Cisco Meeting Management are affected by the vulnerability irrespective of device configuration, for which Cisco has released software updates. Cisco Meeting Management 3.8 and earlier: Users are recommended to migrate to a fixed release, such as 3.9.1. Cisco Meeting Management 3.9: Patched in 3.9.1. Cisco Meeting Management 3.10: This version is not impacted and does not require any updates. As of the advisory's release, the Cisco Product Security Incident Response Team (PSIRT) said it is not aware of any public announcements or malicious use of the vulnerability, as they are yet to find any evidence that the flaw is being actively exploited. Unfortunately, there are no workarounds to mitigate this vulnerability. The only way to address this issue is to apply the necessary software updates. Cisco has urged users to apply the available patches immediately to mitigate the risk.
Customers with service contracts that entitle them to regular software updates should obtain security fixes through their usual update channels. Those who do not have service contracts can contact the Technical Assistance Center (TAC) for help in obtaining the necessary upgrades. Further, the company has confirmed that only the products listed in the Vulnerable Products section of the advisory are affected. Cisco also advises users to check hardware and software compatibility before upgrading to maintain the safety and stability of their systems.
Vulnerability Threat Technical ★★★
DarkReading.webp 2025-01-23 20:37:53 Cloudflare CDN Bug Outs User Locations on Signal, Discord (lien direct) Attackers can use a zero- or one-click flaw to send a malicious image to targets - an image that can deanonymize a user within seconds, posing a threat to journalists, activists, hackers, and others whose locations are sensitive.
Threat ★★★
The_Hackers_News.webp 2025-01-23 20:30:00 Beware: Fake CAPTCHA Campaign Spreads Lumma Stealer in Multi-Industry Attacks (lien direct) Cybersecurity researchers are calling attention to a new malware campaign that leverages fake CAPTCHA verification checks to deliver the infamous Lumma information stealer. "The campaign is global, with Netskope Threat Labs tracking victims targeted in Argentina, Colombia, the United States, the Philippines, and other countries around the world," Leandro Fróes, senior threat research engineer at
Malware Threat ★★★
The_Hackers_News.webp 2025-01-23 20:25:00 Custom Backdoor Exploiting Magic Packet Vulnerability in Juniper Routers (lien direct) Enterprise-grade Juniper Networks routers have become the target of a custom backdoor as part of a campaign dubbed J-magic. According to the Black Lotus Labs team at Lumen Technologies, the activity is so named for the fact that the backdoor continuously monitors for a "magic packet" sent by the threat actor in TCP traffic.  "J-magic campaign marks the rare occasion of malware designed
Malware Vulnerability Threat ★★★
Darktrace.webp 2025-01-23 18:10:09 Darktrace's view on Operation Lunar Peek: Exploitation of Palo Alto firewall devices (CVE 2024-0012 and 2024-9474) (lien direct) Darktrace's Threat Research team investigated a major campaign exploiting vulnerabilities in Palo Alto firewall devices (CVE 2024-0012 and 2024-9474). Learn about the spike in post-exploitation activities and understand the need for anomaly-based detection to stay ahead of evolving threats.
Vulnerability Threat ★★★
DarkReading.webp 2025-01-23 17:57:23 CISA: Ivanti Vulns Chained Together in Cyberattack Onslaught (lien direct) The threat actors are abusing the vulnerabilities to gain initial access, obtain credentials, and install malicious scripts on user devices.
Vulnerability Threat ★★★
The_Hackers_News.webp 2025-01-23 16:50:00 How to Eliminate Identity-Based Threats (lien direct) Despite significant investments in advanced technologies and employee training programs, credential and user-based attacks remain alarmingly prevalent, accounting for 50-80% of enterprise breaches[1],[2]. While identity-based attacks continue to dominate as the leading cause of security incidents, the common approach to identity security threats is still threat reduction, implementing layers of
Threat ★★★
InfoSecurityMag.webp 2025-01-23 16:30:00 Chained Vulnerabilities Exploited in Ivanti Cloud Service Appliances (lien direct) Threat actors chained Ivanti CSA vulnerabilities for RCE, credential theft & webshell deployment
Vulnerability Threat Cloud ★★★
The_Hackers_News.webp 2025-01-23 15:54:00 SonicWall Urges Immediate Patch for Critical CVE-2025-23006 Flaw Amid Likely Exploitation (lien direct) SonicWall is alerting customers of a critical security flaw impacting its Secure Mobile Access (SMA) 1000 Series appliances that it said has been likely exploited in the wild as a zero-day. The vulnerability, tracked as CVE-2025-23006, is rated 9.8 out of a maximum of 10.0 on the CVSS scoring system. "Pre-authentication deserialization of untrusted data vulnerability has been identified in the
Vulnerability Threat Mobile ★★★
RecordedFuture.webp 2025-01-23 15:24:10 Hackers imitate Kremlin-linked group to target Russian entities (lien direct) A little-known hacking group has been mimicking the tactics of a prominent Kremlin-linked threat actor to target Russian-speaking victims, according to new research.
Threat ★★★
The_Hackers_News.webp 2025-01-23 15:13:00 QakBot-Linked BC Malware Adds Enhanced DNS Tunneling and Remote Access Features (lien direct) Cybersecurity researchers have disclosed details of a new BackConnect (BC) malware that has been developed by threat actors linked to the infamous QakBot loader. "BackConnect is a common feature or module utilized by threat actors to maintain persistence and perform tasks," Walmart's Cyber Intelligence team told The Hacker News. "The BackConnect(s) in use were 'DarkVNC' alongside the IcedID
Malware Threat ★★★
Netskope.webp 2025-01-23 15:00:00 Lumma Stealer: Fake CAPTCHAs & New Techniques to Evade Detection (lien direct) Summary In January, Netskope Threat Labs observed a new malware campaign using fake CAPTCHAs to deliver Lumma Stealer. Lumma is a malware that works in the malware-as-a-service (MaaS) model and has existed since at least 2022. The campaign is global, with Netskope Threat Labs tracking victims targeted in Argentina, Colombia, the United States, the Philippines, […]
Malware Threat ★★★
Cyble.webp 2025-01-23 12:43:04 Aircraft Collision Avoidance Systems Hit by High-Severity ICS Vulnerability (lien direct) ICS Vulnerability Overview A pair of vulnerabilities in the Traffic Alert and Collision Avoidance System (TCAS) II for avoiding midair collisions were among 20 vulnerabilities reported by Cyble in its weekly Industrial Control System (ICS) Vulnerability Intelligence Report. The midair collision system flaws have been judged at low risk of being exploited, but one of the vulnerabilities does not presently have a fix. They could potentially be exploited from adjacent networks. Other ICS vulnerabilities covered in the January 15-21 Cyble report to subscribers include flaws in critical manufacturing, energy and other critical infrastructure systems. The full report is available for subscribers, but Cyble is publishing information on the TCAS vulnerabilities in the public interest. TCAS II Vulnerabilities The TCAS II vulnerabilities were reported to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) by European researchers and defense agencies. CISA in turn disclosed the vulnerabilities in a January 21 advisory. The vulnerabilities are still undergoing analysis by NIST, but Cyble vulnerability researchers said the weaknesses “underscore the urgent need for enhanced input validation and secure configuration controls in transportation systems.” TCAS airborne devices function independently of ground-based air traffic control (ATC) systems, according to the FAA, and provide collision avoidance protection for a range of aircraft types. TCAS II is a more advanced system for commercial aircraft with more than 30 seats or a maximum takeoff weight of more than 33,000 pounds. TCAS II offers advanced features such as recommended escape maneuvers for avoiding midair collisions. The first vulnerability, CVE-2024-9310, is an “Untrusted Inputs” vulnerability in TCAS II that presently carries a CVSS 3.1 base score of 6.1.
CISA notes that “By utilizing software-defined radios and a custom low-latency processing pipeline, RF signals with spoofed location data can be transmitted to aircraft targets. This can lead to the appearance of fake aircraft on displays and potentially trigger undesired Resolution Advisories (RAs).” The second flaw, CVE-2024-11166, is an 8.2-severity External Control of System or Configuration Setting vulnerability. TCAS II systems using transponders compliant with MOPS earlier than RTCA DO-181F could be attacked by threat actors impersonating a ground station to issue a Comm-
Tool Vulnerability Threat Patching Industrial Commercial ★★★
The_Hackers_News.webp 2025-01-23 11:05:00 TRIPLESTRENGTH Hits Cloud for Cryptojacking, On-Premises Systems for Ransomware (lien direct) Google on Wednesday shed light on a financially motivated threat actor named TRIPLESTRENGTH for its opportunistic targeting of cloud environments for cryptojacking and on-premise ransomware attacks. "This actor engaged in a variety of threat activity, including cryptocurrency mining operations on hijacked cloud resources and ransomware activity," the tech giant's cloud division said in its 11th
Ransomware Threat Cloud ★★
ESET.webp 2025-01-23 10:00:00 The evolving landscape of data privacy: Key trends to shape 2025 (lien direct) Incoming laws, combined with broader developments on the threat landscape, will create further complexity and urgency for security and compliance teams
Threat ★★★
no_ico.webp 2025-01-23 04:43:55 Mac Users Targeted: Fake Google Ads Exploit Homebrew in Malware Campaign (lien direct) Homebrew, the popular open-source macOS and Linux package manager has become the latest victim of a malvertising campaign to distribute information-stealing malware. Security researcher Ryan Chenkie uncovered the scheme, which leverages fake Google ads to deliver malware that compromises user credentials, browser data, and cryptocurrency wallets. The Malware Behind the Campaign AmosStealer (Atomic), a notorious [...]
Malware Threat ★★
DarkReading.webp 2025-01-22 20:49:41 Chinese Cyberspies Target South Korean VPN in Supply Chain Attack (lien direct) Advanced persistent threat group PlushDaemon, active since 2019, is using a sophisticated modular backdoor to collect data from infected systems in South Korea.
Threat ★★
Blog.webp 2025-01-22 20:35:23 Zendesk's Subdomain Registration Exposed to Phishing, Pig Butchering Scams (lien direct) CloudSEK uncovers a Zendesk vulnerability allowing cybercriminals to exploit subdomains for phishing and investment scams. Learn about the…
Vulnerability Threat ★★
TechWorm.webp 2025-01-22 20:23:49 Hackers Use Google Ads To Distribute Malware Via Fake Homebrew Site (lien direct) Cybercriminals are using Google ads to spread malware by directing Mac and Linux users to a fake Homebrew website with an infostealer. This malware campaign is designed to steal sensitive information, including credentials, browser data, and cryptocurrency wallets. The information stealer in question, AmosStealer (or Atomic), was discovered by security expert Ryan Chenkie, who raised the alarm on X about this campaign and its potential risks. Specifically tailored for macOS systems, this information stealer is sold to cyber criminals on a subscription basis for $1,000 per month. For those unaware, Homebrew is a free and open-source software package management system that simplifies the installation of software on Apple’s operating systems, macOS and Linux. However, it has recently become a focal point for malvertising campaigns promoting fake Google Meet pages. Hackers used a deceptive Google advertisement that displayed the legitimate Homebrew URL, “brew.sh,” tricking unsuspecting users into clicking it. It then redirected users to a fake site hosted at “brewe.sh” which mimicked the real one. It instructed visitors to install Homebrew by running a command in their Terminal or a Linux shell prompt from the fake website, which, upon execution, installed malware instead of the legitimate software on the device. Security researcher JAMESWT identified the malware dropped in this case as Amos, a potent information stealer capable of targeting over 50 cryptocurrency extensions, desktop wallets, and web browser data. Homebrew’s project leader, Mike McQuaid, acknowledged the issue and expressed frustration over Google’s inability to prevent these scams. “This seems taken down now. But it keeps happening again and again, and Google appears to prioritize revenue from scammers. Please share this widely so Google can address it permanently,” McQuaid tweeted. 
Although the malicious ad has been removed, the threat remains, as hackers can use other redirection domains to continue their campaigns. Homebrew users are advised to exercise caution when clicking on Google-sponsored ads and verify that they are visiting the official websites of a project or company before downloading software or entering sensitive information. To protect themselves from potential risks, users should bookmark the official websites of trusted projects like Homebrew and access them directly. They should also avoid clicking on sponsored ads for software downloads and double-check URLs to ensure they match the legitimate site before proceeding.
Malware Threat ★★
globalsecuritymag.webp 2025-01-22 20:05:50 Appdome Unveils Threat Dynamics™ (lien direct) Appdome Unveils Threat Dynamics™ to Become Industry's First AI-Native Extended Threat Management Platform Threat Dynamics Shows How Threats Move and Provides a Benchmark Mobile Risk Index™ to Help Businesses Manage and Stay Ahead of Fraud and Cyber Threats - Product Reviews
Threat Mobile ★★★
The_Hackers_News.webp 2025-01-22 19:23:00 Hackers Exploit Zero-Day in cnPilot Routers to Deploy AIRASHI DDoS Botnet (lien direct) Threat actors are exploiting an unspecified zero-day vulnerability in Cambium Networks cnPilot routers to deploy a variant of the AISURU botnet called AIRASHI to carry out distributed denial-of-service (DDoS) attacks. According to QiAnXin XLab, the attacks have leveraged the security flaw since June 2024. Additional details about the shortcomings have been withheld to prevent further abuse. Some
Vulnerability Threat ★★★
Blog.webp 2025-01-22 18:07:54 Cloudflare Mitigates Massive 5.6 Tbps Mirai-Variant DDoS Attack (lien direct) Cloudflare mitigates a record-breaking 5.6 Tbps DDoS attack, highlighting the growing threat of hyper-volumetric assaults. Learn about the…
Threat ★★★★
InfoSecurityMag.webp 2025-01-22 15:45:00 Tycoon 2FA Phishing Kit Upgraded to Bypass Security Measures (lien direct) Threat researchers analyzed the updated Tycoon 2FA phishing kit, which bypasses MFA
Threat ★★★
bleepingcomputer.webp 2025-01-22 15:35:44 Telegram captcha tricks you into running malicious PowerShell scripts (lien direct) Threat actors on X are exploiting the news around Ross Ulbricht to direct unsuspecting users to a Telegram channel that tricks them into executing PowerShell code that infects them with malware. [...]
Malware Threat ★★★
The_Hackers_News.webp 2025-01-22 14:19:00 PlushDaemon APT Targets South Korean VPN Provider in Supply Chain Attack (lien direct) A previously undocumented China-aligned advanced persistent threat (APT) group named PlushDaemon has been linked to a supply chain attack targeting a South Korean virtual private network (VPN) provider in 2023, according to new findings from ESET. "The attackers replaced the legitimate installer with one that also deployed the group's signature implant that we have named SlowStepper – a
Threat ★★★
IndustrialCyber.webp 2025-01-22 12:44:45 DHS ratifies TSA security directives to boost rail safety and cyber threat response (lien direct) The U.S. Department of Homeland Security (DHS) published Tuesday an official notice that the Transportation Security Oversight Board...
Threat ★★★
Cyble.webp 2025-01-22 10:44:07 Australian Cyber Security Centre Targets Bulletproof Hosting Providers to Disrupt Cybercrime Networks (lien direct) Overview The Australian Cyber Security Centre (ACSC) has issued a detailed warning regarding Bulletproof Hosting Providers (BPH). These illicit infrastructure services play a critical role in supporting cybercrime, allowing malicious actors to conduct their operations while remaining largely undetectable. The Australian government's growing efforts to combat cybercrime highlight the increasing difficulty for cybercriminals to maintain secure, resilient, and hidden infrastructures. BPH services are an integral part of the Cybercrime-as-a-Service (CaaS) ecosystem, which provides a range of tools and services enabling cybercriminals to carry out their attacks. From ransomware campaigns to data theft, cybercriminals rely on BPH providers to host illicit websites, deploy malware, and execute phishing scams. These hosting services help criminals stay out of the reach of law enforcement and avoid detection, making it harder to track down those behind cyberattacks. The term "bulletproof" is somewhat misleading, as it is more of a marketing ploy than a reflection of the actual capabilities of these providers. Despite the branding, BPH providers remain vulnerable to disruption just like other infrastructure providers. What sets them apart is their blatant disregard for legal requests to shut down services, as they refuse to comply with takedown orders or abuse complaints from victims or law enforcement. This allows cybercriminals to continue their activities with little fear of being interrupted or exposed. How Bulletproof Hosting Providers Operate BPH providers typically lease virtual or physical infrastructure to cybercriminals, offering them a platform to run their operations.
These services often include leasing IP addresses and servers that obscure the true identities of their customers. Many BPH providers achieve this by utilizing complex network switching methods, making it difficult to trace activity back to its source. In some cases, these providers even lease IP addresses from legitimate data centers or Internet Service Providers (ISPs), many of whom may remain unaware that their infrastructure is being used for criminal purposes. A key strategy employed by BPH providers is frequently changing the internet-facing identifiers associated with their customers. This could include altering IP addresses or domain names, further complicating efforts to track criminal activity. These techniques frustrate cybersecurity efforts and investigative agencies, hindering their ability to identify, apprehend, and disrupt criminal activity. Anot
Ransomware Malware Tool Vulnerability Threat Legislation ★★
globalsecuritymag.webp 2025-01-22 09:44:09 SentinelOne puts Purple AI at the service of Zscaler, Okta, Palo Alto Networks, Proofpoint, Fortinet and Microsoft (lien direct) SentinelOne puts the power of Purple AI at the service of Zscaler, Okta, Palo Alto Networks, Proofpoint, Fortinet and Microsoft. Purple AI, the security analyst driven by generative AI, can now accelerate cybersecurity investigations and simplify threat hunting thanks to a growing list of native and third-party sources. - Business
Threat ★★★
Cyble.webp 2025-01-22 08:12:57 Cyble Finds Thousands of Security Vendor Credentials on Dark Web (lien direct) Overview Account credentials from some of the largest cybersecurity vendors can be found on the dark web, a result of the growing problem of infostealers, according to an analysis of Cyble threat intelligence data. The credentials – available for as little as $10 in cybercrime marketplaces – span internal accounts and customer access across web and cloud environments, including internal security company enterprise and development environments that could pose substantial risks. The accounts ideally would have been protected by multifactor authentication (MFA), which would have made any attack more difficult. However, the leaked credentials underscore the importance of dark web monitoring as an early warning system for keeping such leaks from becoming much bigger cyberattacks. Leaked Security Company Credentials Leaked credentials have an inherent time value – the older the credentials, the more likely the password has been changed – so Cyble researchers looked only at credentials leaked since the start of the year. Cyble looked at 13 of the largest enterprise security vendors, along with some of the bigger consumer security companies, and found credentials from all of them on the dark web. The credentials were likely pulled from infostealer logs and then sold in bulk on cybercrime marketplaces. Most of the credentials appear to be customer credentials that protect access to sensitive management and account interfaces, but all the security vendors Cyble examined had access to internal systems leaked on the dark web, too.
Security vendors had credentials leaked to potentially critical internal systems such as Okta, Jira, GitHub, AWS, Microsoft Online, Salesforce, SolarWinds, Box, WordPress, Oracle, and Zoom, plus several other password managers, authentication systems, and device management platforms. Cyble did not attempt to determine whether any of the credentials were valid, but many were for easily accessible web console interfaces, SSO logins, and other web-facing account access points. The vendors Cyble looked at included a range of network and cloud security providers, including some of the biggest makers of SIEM systems, EDR tools, and firewalls. All have had data exposures just since the start of the year that ideally were addressed quickly, or at least required additional authentication steps for access. One of the largest security vendors Cyble looked at may have more sensitive accounts exposed, as company email addresses are listed among the credentials for
Ransomware Tool Vulnerability Threat Cloud ★★★
no_ico.webp 2025-01-22 05:57:38 The Murdoc Botnet: Reinventing Mirai to Exploit IoT Vulnerabilities (lien direct) In a new and ongoing large-scale cyber campaign, Qualys researchers have uncovered a variant of the infamous Mirai botnet called the Murdoc Botnet. This variant exploits vulnerabilities in widely used AVTECH Cameras and Huawei HG532 routers, allowing malicious actors to compromise devices and build vast botnet networks for additional malicious activities. “The Mirai botnet was [...]
Vulnerability Threat ★★★
Trend.webp 2025-01-22 00:00:00 Invisible Prompt Injection: A Threat to AI Security (lien direct) This article explains the invisible prompt injection, including how it works, an attack scenario, and how users can protect themselves.
Threat ChatGPT ★★★
Last update at: 2025-05-12 07:07:59