
The Hacker News Cybersecurity Recap.

"iPhone spyware, Microsoft 0-Day, TokenBreak Hack."

Views expressed in this cybersecurity, cyber crime update are those of the reporters and correspondents.  Accessed on 16 June 2025, 1457 UTC.

Content and Source:  "The Hacker News Cybersecurity Recap."

URL--https://thehackernews.com.

Please check URL or scroll down to read your selections.  Thanks for joining us today.

Russ Roberts (https://www.hawaiicybersecurityjournal.net).



Some of the biggest security problems start quietly. No alerts. No warnings. Just small actions that seem normal but aren't. Attackers now know how to stay hidden by blending in, and that makes it hard to tell when something’s wrong.


This week’s stories aren’t just about what was attacked—but how easily it happened. If we’re only looking for the obvious signs, what are we missing right in front of us?


Here’s a look at the tactics and mistakes that show how much can go unnoticed.


⚡ Threat of the Week


Apple Zero-Click Flaw in Messages Exploited to Deliver Paragon Spyware — Apple disclosed that a security flaw in its Messages app was actively exploited in the wild to target civil society members in sophisticated cyber attacks. The vulnerability, CVE-2025-43200, was addressed by the company in February as part of iOS 18.3.1, iPadOS 18.3.1, iPadOS 17.7.5, macOS Sequoia 15.3.1, macOS Sonoma 14.7.4, macOS Ventura 13.7.4, watchOS 11.3.1, and visionOS 2.3.1. The Citizen Lab said it uncovered forensic evidence that the flaw was weaponized to target Italian journalist Ciro Pellegrino and an unnamed prominent European journalist and infect them with Paragon's Graphite mercenary spyware.



🔔 Top News


  • Microsoft Fixes WebDAV 0-Day Exploited in Targeted Attacks — Microsoft addressed a zero-day bug in Web Distributed Authoring and Versioning (WebDAV) that was exploited by a threat actor known as Stealth Falcon (aka FruityArmor) as part of highly targeted attacks to deliver Horus Agent, a custom implant built for the Mythic command-and-control (C2) framework. Horus Agent is believed to be an evolution of the customized Apollo implant, an open-source .NET agent for the Mythic framework that was previously put to use by Stealth Falcon between 2022 and 2023. "The new Horus Agent appears to be written from scratch," according to Check Point. "In addition to adding custom commands, the threat actors placed additional emphasis on the agent's and its loader's anti-analysis protections and counter-defensive measures. This suggests that they have deep knowledge of both their victims and/or the security solutions in use."

  • TokenBreak Attack Bypasses AI Moderation With a Single Character Change — Cybersecurity researchers disclosed an attack technique called TokenBreak that can be used to bypass a large language model's (LLM) safety and content moderation guardrails with just a single character change. "The TokenBreak attack targets a text classification model's tokenization strategy to induce false negatives, leaving end targets vulnerable to attacks that the implemented protection model was put in place to prevent," HiddenLayer said.

  • Google Addresses Flaw Leaking Phone Numbers Linked to Accounts — Google has fixed a security flaw that could have made it possible to brute-force an account's recovery phone number by taking advantage of a legacy username recovery form and combining it with an exposure path in Looker Studio, which served as an unintended oracle by leaking a user's full name. Google has since deprecated the username recovery form.

  • Rare Werewolf and DarkGaboon Leverage Readymade Tooling to Target Russia — Two threat actors tracked as Rare Werewolf and DarkGaboon have been observed employing legitimate tools, living-off-the-land (LotL) tactics, and off-the-shelf malware to target Russian entities. While adversaries are known to adopt such tactics, the complete absence of bespoke malware speaks to the effectiveness of the approach in helping them evade detection triggers and endpoint detection systems. Because these techniques are also commonly used by administrators, distinguishing between malicious and benign activity becomes significantly more challenging for defenders.

  • Zero-Click AI Flaw Allows Data Exfiltration Without User Interaction — The first known zero-click artificial intelligence vulnerability in Microsoft 365 could have allowed attackers to exfiltrate sensitive internal data without any user interaction. The flaw, dubbed EchoLeak, involved what's described as an LLM Scope Violation, referring to scenarios where a large language model (LLM) can be manipulated into leaking information beyond its intended context. In this case, an attacker can craft a malicious email containing specific markdown syntax that could slip past Microsoft's Cross-Prompt Injection Attack (XPIA) defenses, causing the AI assistant to process the malicious payload and exfiltrate data using Microsoft's own trusted domains, including SharePoint and Teams, which are allowlisted under Copilot's content security policies. These domains can be used to embed external links or images that, when rendered by Copilot, automatically issue outbound requests to redirect stolen data to an attacker-controlled server. The most important aspect of this attack is that it all happens behind the scenes and users don't even have to open the email message or click on any link. All it requires is for a victim to ask Microsoft 365 Copilot a business-related question that triggers the whole attack chain automatically. Microsoft, which is tracking the issue as CVE-2025-32711, has resolved it and emphasized it found no evidence of the vulnerability being exploited in the wild.

  • VexTrio Runs a Massive Affiliate Program to Propagate Malware, Scams — The threat actors behind the VexTrio Viper Traffic Distribution Service (TDS) have been linked to a far-reaching campaign that hijacks WordPress sites to funnel victims into malware and scam networks. The malicious operation is designed to monetize compromised infrastructure, transforming legitimate websites into unwitting participants in a massive criminal advertising ecosystem. The scale of VexTrio's activities came to light in November 2024 when Qurium revealed that Los Pollos, a Swiss-Czech adtech company, was part of the illicit TDS scheme. A new analysis from Infoblox has found that Los Pollos is one of the many companies controlled by VexTrio, including Taco Loco and Adtrafico, each overseeing different functions within the commercial affiliate network. These companies are in charge of recruiting publishing affiliates, who compromise websites with JavaScript injects, and advertising affiliates, who are the operators behind scams, malware, and other forms of fraud, turning VexTrio into an Uber-like intermediary for a criminal model that has generated substantial profits for the enterprise. Furthermore, when Los Pollos announced the cessation of their push monetization services in November 2024, many of these malware operations simultaneously migrated to TDSs called Help TDS and Disposable TDS, which are one and the same, and enjoyed an "exclusive relationship with VexTrio" until around the same time.
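The EchoLeak item above turns on one rendering property: when an assistant renders markdown built from untrusted input, every image or link reference becomes an outbound request, and an allowlisted host alone does not stop data from riding along in the URL. The scanner below is an added illustration of the defensive check, not Microsoft's code or the researchers' proof of concept; the allowlist hosts, the sample markdown and the size threshold are constructed for the example.

```python
"""Scan assistant-rendered markdown for references that would trigger outbound fetches.

Constructed example. A renderer fetches every image reference automatically, so a
reference on an allowlisted host can still carry data out in its query string,
fragment or an oversized path. The check therefore flags data-bearing URL parts
even when the host is trusted, and covers inline and reference-style syntax.
"""
import re
from urllib.parse import urlparse

# Hosts a hypothetical renderer trusts for outbound fetches (constructed values).
ALLOWLIST = {"contoso.sharepoint.com", "teams.microsoft.com"}

# Inline images/links: ![alt](url "title") or [text](url); group 1 is the URL.
INLINE_RE = re.compile(r'!?\[[^\]]*\]\(\s*<?([^\s)>]+)>?[^)]*\)')
# Reference definitions: [id]: url ; group 1 is the URL.
REFDEF_RE = re.compile(r'^\s*\[[^\]]+\]:\s*<?(\S+)>?', re.MULTILINE)

def extract_urls(markdown: str) -> list[str]:
    """All URLs the renderer would fetch or link, inline and reference-style."""
    return INLINE_RE.findall(markdown) + REFDEF_RE.findall(markdown)

def classify_url(url: str, max_path: int = 200) -> str:
    """Return 'allow', 'block-host' (untrusted scheme/host) or 'block-exfil'."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if p.scheme != "https" or host not in ALLOWLIST:
        return "block-host"
    # Trusted host is not sufficient: anything attacker-controlled in the URL is
    # transmitted the moment the image is fetched. Treat data-bearing parts as exfil.
    if p.query or p.fragment or len(p.path) > max_path:
        return "block-exfil"
    return "allow"

def sanitize(markdown: str) -> tuple[str, list[tuple[str, str]]]:
    """Replace non-clean references with a marker; return (safe_markdown, findings)."""
    findings: list[tuple[str, str]] = []

    def repl(m: re.Match) -> str:
        verdict = classify_url(m.group(1))
        if verdict == "allow":
            return m.group(0)
        findings.append((m.group(1), verdict))
        return "[external reference removed]"

    cleaned = INLINE_RE.sub(repl, markdown)
    cleaned = REFDEF_RE.sub(repl, cleaned)
    return cleaned, findings

# Constructed sample of what a renderer might be handed: one benign logo, one
# allowlisted-host image smuggling text in its query, one untrusted host, and a
# reference-style definition carrying data on a trusted host.
SAMPLE_OUTPUT = """Here is the summary you asked for.

![logo](https://contoso.sharepoint.com/sites/hr/logo.png)
![pixel](https://contoso.sharepoint.com/sites/hr/pixel.png?d=Q1%20forecast%20is%20confidential)
![ref-img][r1]
[more](https://evil.example/report.png)

[r1]: https://teams.microsoft.com/l/img.png?payload=board%20minutes
"""

if __name__ == "__main__":
    safe, found = sanitize(SAMPLE_OUTPUT)
    for url, verdict in found:
        print(f"{verdict:12} {url}")
    print(safe)
```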


🔥 Trending CVEs


Attackers love software vulnerabilities – they’re easy doors into your systems. Every week brings fresh flaws, and waiting too long to patch can turn a minor oversight into a major breach. Below are this week's critical vulnerabilities you need to know about. Take a look, update your software promptly, and keep attackers locked out.


This week’s list includes — CVE-2025-43200 (Apple), CVE-2025-32711 (Microsoft 365 Copilot), CVE-2025-33053 (Microsoft Windows), CVE-2025-47110 (Adobe Commerce and Magento Open Source), CVE-2025-43697, CVE-2025-43698, CVE-2025-43699, CVE-2025-43700, CVE-2025-43701 (Salesforce), CVE-2025-24016 (Wazuh), CVE-2025-5484, CVE-2025-5485 (SinoTrack), CVE-2025-31022 (PayU CommercePro plugin), CVE-2025-3835 (ManageEngine Exchange Reporter Plus), CVE-2025-42989 (SAP NetWeaver), CVE-2025-5353, CVE-2025-22463, CVE-2025-22455 (Ivanti Workspace Control), CVE-2025-5958 (Google Chrome), CVE-2025-3052 (DT Research DTBios and BiosFlashShell), CVE-2025-2884 (TCG TPM2.0 reference implementation), CVE-2025-26521 (Apache CloudStack), CVE-2025-47950 (CoreDNS), CVE-2025-4230, CVE-2025-4232 (Palo Alto Networks PAN-OS), CVE-2025-4278, CVE-2025-2254, CVE-2025-5121, CVE-2025-0673 (GitLab), CVE-2025-47934 (OpenPGP.js), CVE-2025-49219, CVE-2025-49220 (Trend Micro Apex Central), CVE-2025-49212, CVE-2025-49213, CVE-2025-49216, CVE-2025-49217 (Trend Micro Endpoint Encryption PolicyServer), CVE-2025-4922 (HashiCorp Nomad), CVE-2025-36631, CVE-2025-36632, CVE-2025-36633 (Tenable Agent), CVE-2025-33108 (IBM Backup, Recovery, and Media Services), CVE-2025-6029 (KIA-branded Aftermarket Generic Smart Keyless Entry System), and a patch bypass for CVE-2024-41713 (Mitel MiCollab).



📰 Around the Cyber World


  • Kazakh and Singapore Authorities Disrupt Criminal Networks — Kazakh authorities said they dismantled a network that was using Telegram to illegally sell citizens' personal data extracted from government databases. More than 140 suspects were arrested in connection with the scheme, including business owners and alleged administrators of Telegram channels used to peddle the stolen information, according to officials. If convicted, the suspects could face up to five years in prison and a fine. The development came as the Singapore Police Force (SPF), in partnership with authorities from Hong Kong, Macao, Malaysia, Maldives, South Korea, and Thailand, announced the arrests of 1,800 subjects between April 28 and May 28 for their involvement in various online scams. The cross-border anti-scam initiative has been codenamed Operation FRONTIER+. "The subjects, aged between 14 and 81, are believed to be involved in more than 9,200 scam cases, comprising mainly government official impersonation scams, investment scams, rental scams, internet love scams, friend impersonation scams, job scams, and e-commerce scams, where victims reportedly lost over S$289 million (approximately USD225 million)," the SPF said. "More than 32,600 bank accounts suspected to be linked to scams were detected and frozen by the participating law enforcement agencies, with more than S$26.2 million (approximately USD20 million) seized in these bank accounts." Singapore officials said they arrested 106 people locally who were responsible for 1,300 scams that netted them about $30 million.

  • Microsoft to Block .library-ms and .search-ms File Types in Outlook — Microsoft announced it will expand the list of blocked attachments in Outlook Web and the new Outlook for Windows starting next month, to include .library-ms and .search-ms file types. Both file types have been repeatedly exploited by bad actors in phishing and malware attacks. "The newly blocked file types are rarely used, so most organizations will not be affected by the change. However, if your users are sending and receiving affected attachments, they will report that they are no longer able to open or download them in Outlook Web or the New Outlook for Windows," Microsoft said.

  • Meta and Yandex Caught Using Tracking Code to Leak Unique Identifiers to Installed Native Apps on Android — Meta and Yandex misused Android's localhost ports to stealthily pass tracking data from mobile browsers into native apps like Facebook, Instagram, and Yandex services. This behavior allowed them to bypass browser sandboxing and Android’s permission system, likely making it possible to attach persistent identifiers to detailed browsing histories. The tracking worked even in private browsing modes across major browsers like Chrome and Firefox. Put differently, the loophole lets the apps detect which websites an Android device user visits that embed the tracking scripts, and gather web cookie data via the device's loopback interface. It takes advantage of the fact that the Android operating system allows any installed app with the INTERNET permission to open a listening socket on localhost (127.0.0.1), and browsers running on the same device can also access this interface without user consent or platform mediation. This opens the door to a scenario where JavaScript embedded on web pages can communicate with native Android apps and share identifiers and browsing habits over standard Web APIs. Evidence of Meta using the technique first emerged in September 2024, but Yandex is said to have adopted the technique in February 2017. Meta Pixel is embedded on over 6 million websites, while Yandex Metrica is present on close to 3 million websites. "These native Android apps receive browsers' metadata, cookies, and commands from the Meta Pixel and Yandex Metrica scripts embedded on thousands of websites," a group of academics from IMDEA Networks, Radboud University, and KU Leuven said. "These JavaScripts load on users' mobile browsers and silently connect with native apps running on the same device through localhost sockets. As native apps access programmatically device identifiers like the Android Advertising ID (AAID) or handle user identities as in the case of Meta apps, this method effectively allows these organizations to link mobile browsing sessions and web cookies to user identities, hence de-anonymizing users' visiting sites embedding their scripts." As of June 3, 2025, the Meta/Facebook Pixel script is no longer sending any packets or requests to localhost, and the code responsible for sending the _fbp cookie has been removed. Yandex claimed the feature in question did not collect any sensitive information and was solely meant to improve personalization. However, it has discontinued its use, citing privacy concerns. Google and Mozilla have released countermeasures to plug the eavesdropping scheme.

  • Replay Attacks as a Way to Bypass Deepfake Detection — New research has found that replay attacks are an effective method to bypass deepfake detection. "By playing and re-recording deepfake audio through various speakers and microphones, we make spoofed samples appear authentic to the detection model," a team of researchers said. The development heralds new cyber risks as voice cloning technology has become a major driver of vishing attacks, allowing attackers to use artificial intelligence (AI) tools to generate synthetic audio that impersonate executives or IT personnel in an effort to gain privileged access to corporate systems.

  • Linux Malware Families Receive Steady Code Updates — A new analysis of known Linux malware such as NoodleRAT, Winnti, SSHdInjector, Pygmy Goat, and AcidRain has found that "they had at least two significant code updates within the last year, meaning threat actors are actively updating and supporting them," Palo Alto Networks Unit 42 said. "Additionally, each of the malware strains accounted for at least 20 unique sightings of samples in the wild over the last year. This means that threat actors are actively using them." The activities indicate that these malware families are highly likely to be used in future attacks aimed at cloud environments.

  • Microsoft Defender Flaw Disclosed — Cybersecurity researchers have detailed a now-patched security flaw in Microsoft Defender for Identity that allows an unauthorized attacker to perform spoofing over an adjacent network by taking advantage of an improper authentication bug. The vulnerability, tracked as CVE-2025-26685 (CVSS score: 6.5), was patched by Microsoft in May 2025. NetSPI, which discovered and reported the flaw, said the issue "abused the Lateral Movement Paths (LMPs) feature and allowed an unauthenticated attacker on the local network to coerce and capture the Net-NTLM hash of the associated Directory Service Account (DSA), under specific conditions." Once the Net-NTLM hash is captured, it can be taken offline for password cracking using tools like Hashcat or exploited in conjunction with other vulnerabilities to elevate privileges to the DSA account and obtain a foothold in the Active Directory environment.

  • Apple Updates Passwords App with New Features — Apple has previewed new features in its Passwords app with iOS 26 and macOS 26 Tahoe that allow users to view the complete version history for stored logins, including the timestamps when a particular password was saved or changed. Another useful addition is the ability to import and export passkeys between participating credential manager apps across iOS, iPadOS, macOS, and visionOS 26. "This user-initiated process, secured by local authentication like Face ID, reduces the risk of credential leaks," Apple said. "The transfer uses a standardized data schema developed by the FIDO Alliance, ensuring compatibility between apps." A similar feature is already in the works for Google Password Manager. Last October, the FIDO Alliance unveiled the Credential Exchange Protocol (CXP) and Credential Exchange Format (CXF) to facilitate interoperability.

  • CyberEYE RAT Exposed — Cybersecurity researchers have shed light on the inner workings of CyberEYE RAT (aka TelegramRAT), a modular, .NET-based trojan that provides surveillance and data theft capabilities. Its various modules harvest browser history and passwords, Wi-Fi passwords, gaming profiles, files matching configured extensions, FileZilla FTP credentials, and session data from applications like Telegram and Discord. "Its use of Telegram for Command and Control (C2) eliminates the need for attackers to maintain their own infrastructure, making it more evasive and accessible," CYFIRMA said. "The malware is deployed through a builder GUI that allows attackers to customize payloads by injecting credentials, modifying metadata, and bundling features such as keyloggers, file grabbers, clipboard hijackers, and persistence mechanisms." The malware also acts as a clipper to redirect cryptocurrency transactions and employs defense evasion techniques by disabling Windows Defender through PowerShell and registry manipulations.

  • WhatsApp Joins Apple's Encryption Fight With U.K. — Meta-owned WhatsApp said it's backing Apple in its legal fight against the U.K. Home Office's demands for backdoor access to encrypted iCloud data worldwide under the Investigatory Powers Act. The move, the company told the BBC, "could set a dangerous precedent" by "emboldening" other nations to put forth similar requests to break encryption. In response to the government notice, Apple pulled the Advanced Data Protection (ADP) feature for iCloud from U.K. users' devices and took legal action to appeal to the Investigatory Powers Tribunal to overturn the secret Technical Capability Notice (TCN) issued by the Home Office. In April 2025, the tribunal ruled the details of the legal row cannot be kept secret. The existence of the TCN was first reported by The Washington Post in January. Governments across the U.S., U.K., and the European Union (E.U.) have sought to push back against end-to-end encryption, arguing it enables criminals, terrorists, and sex offenders to conceal illicit activity. Europol, in its 2025 Internet Organised Crime Threat Assessment (IOCTA) released last week, said: "While encryption protects users' privacy, the criminal abuse of end-to-end encrypted (E2EE) apps is increasingly hampering investigations. Cybercriminals hide behind anonymity while coordinating sales of stolen data, often with no visibility for investigators."

  • DanaBot C2 Server Suffers From DanaBleed — Last month, a coordinated law enforcement operation felled DanaBot, a Delphi malware that allowed its operators to remotely commandeer the infected machines, steal data, and deliver additional payloads like ransomware. According to Zscaler ThreatLabz, a bug introduced in its C2 server in June 2022 inadvertently caused it to "leak snippets of its process memory in responses to infected victims," giving more visibility into the malware. The leaked information included threat actor usernames, threat actor IP addresses, backend C2 server IP addresses and domains, infection and exfiltration statistics, malware version updates, private cryptographic keys, victim IP addresses, victim credentials, and other exfiltrated victim data. The June 2022 update introduced a new C2 protocol to exchange command data and responses. "The memory leak allowed up to 1,792 bytes per C2 server response to be exposed," Zscaler said. "The content of the leaked data was arbitrary and depended on the code being executed and the data being manipulated in the C2 server process at a given time."

  • Lures for OpenAI Sora and DeepSeek Lead to Malware — A bogus site impersonating DeepSeek ("deepseek-platform[.]com") is distributing installers for a malware called BrowserVenom, a Windows implant that reconfigures Chromium- and Gecko-based browsing instances to force traffic through a proxy controlled by the threat actors by adding a hard-coded proxy server address. "This enables them to sniff sensitive data and monitor the victim's browsing activity while decrypting their traffic," Kaspersky said. The phishing sites are promoted in the search results via Google Ads when users search for "deepseek r1." The installer is designed to run a PowerShell command that retrieves the malware from an external server. The attacks are characterized by the use of CAPTCHA challenges to ward off bots. To date, BrowserVenom has infected "multiple" computers across Brazil, Cuba, Mexico, India, Nepal, South Africa, and Egypt. The disclosure comes as phony installers for OpenAI Sora have been
