Flaws in ZTNA Software — Cybersecurity researchers have discovered multiple security flaws impacting Zero Trust Network Access (ZTNA) solutions from Zscaler (CVE-2025-54982), NetSkope and Check Point Perimeter 81 that could be abused by attackers to escalate privileges on end user devices and to completely bypass authentication, granting access to internal resources as any user. The findings follow the discovery of critical weaknesses in Cato Networks' Cato client, including one that could allow an attacker to gain full administrative control of a user’s device simply by having the user visit a malicious web page. Google Address Promptware Attack — Google has remediated a serious security issue that allowed maliciously crafted Google Calendar invites to remotely take over Gemini agents running on the target's device, leak sensitive user data, and hijack control of smart home systems. The targeted promptware attack is initiated simply by an attacker sending a Google Calendar invite to a victim whose name contains an indirect prompt injection. When Google's flagship AI chatbot is asked to summarize its upcoming calendar events, those dormant instructions are triggered, causing havoc in the physical environment, such as remotely controlling a victim's home appliances. The attacks employ an approach called delayed automatic tool invocation to get around Google's existing safety measures. They also demonstrate a potential side effect of Gemini's broad permissions to take actions across the Google ecosystem. "As a result, we were able to hijack the application context, invoke its integrated agents, and exploit their permissions to perform a shocking range of malicious activities -- including identifying the victim's location, recording the victim, and even making changes within the victim's physical environment." The approach shows that Promptware, a variant of EchoLeak, is capable of performing both inter-agent lateral movement, by triggering malicious activity between different Gemini agents, and inter-app lateral movement, by escaping the boundaries of Gemini and leveraging applications installed on a victim's smartphone, to perform malicious activities with real-world consequences. The promptware attacks further show that Gemini can be made to send spam links, generate vulgar content, open up the Zoom app and start a call, steal email and meeting details from a web browser, and download a file from a smartphone's web browser. Google has since rolled out fixes like security thought reinforcement to address the issues. Indirect prompt injections are a more serious AI threat, as the malicious prompt is inserted by an outside source, either embedded within a web page or as text in a white font in an email that's invisible to the naked eye, but can be parsed by AI systems. Addressing prompt injections is a hard problem since the methods LLMs can be tricked are continually evolving, and the attack surface is simultaneously getting more complex. Matter Adds New Security Features — Matter, a unifying, IP-based connectivity protocol and technical standard for smart home and IoT devices, has received numerous security enhancements in version 1.4.2, including (1) Wi-Fi Only Commissioning, which enables devices to be onboarded to Matter ecosystems over Wi-Fi without requiring Bluetooth Low Energy (LE) radios, (2) Vendor ID (VID) Verification, which allows controllers to cryptographically verify that the Admins installed on a device are genuinely from the vendors they claim, (3) Access Restriction Lists (ARLs), which provide a mechanism to restrict access to sensitive settings and data to only trusted, verified Controllers, and (4) Certificate Revocation Lists (CRLs), which offers support for revoking unused or compromised Device Attestation Certificates. Smart Buses Can Be Remotely Hacked — Cybersecurity researchers have discovered that Taiwanese smart buses that incorporate various systems to improve safety, efficiency, and passenger experience, such as Advanced Public Transportation Services (APTS) and Advanced Driver Assistance Systems (ADAS) can be remotely hacked. The research showcased it's possible to easily bypass the on-board router's authentication and gain unauthorized access to its administration interface, and then take over the APTS and ADAS functionality due to a lack of network segmentation. This enables an attacker to leverage the remote access to track the vehicle's movements, manipulate controls, or access the camera. The vulnerabilities impact routers from BEC Technologies, which are commonly installed on smart buses in Taiwan. Cmimai Stealer Spotted in the Wild — A new Visual Basic Script (VBS) stealer malware called Cmimai Stealer has been observed in the wild since June 2025, employing capabilities to harvest a wide range of information from infected hosts and exfiltrating the data using a Discord webhook. "It is lightweight and lacks advanced features like persistence on system restart, encrypted communication, and credential theft; perhaps by design," K7 Security said. "Although it is collecting browser data and screenshots, making us classify it as an Infostealer, it can be used for the dual purpose as a Stealer and also as a second-stage reconnaissance tool used for strategizing further future attacks." Windows Hello or Windows Hell No? — Cybersecurity researchers have presented a novel attack targeting Windows Hello for Business (WHfB) that leverages the storage subsystem of the biometric unit in order to conduct bypass attacks. Essentially, the attack can facilitate biometric injection from another computer that would compromise biometric authentication, granting access to any face or fingerprint submitted. ERNW Research demonstrated that a local admin, or someone who has access to their credentials via malware or other means, can inject biometric information into a computer that would allow it to recognize any face or fingerprint. While the biometric templates are "encrypted," a local administrator can exchange biometric features in the database, allowing authentication as any user already enrolled in the targeted system, including the possibility to make a lateral movement by usurping a domain administrator. Microsoft's Enhanced Sign-in Security (ESS), which operates at a higher hypervisor virtual trust level (VTL1), blocks this line of attack. Securam Prologic Lock Flaws Disclosed — Researchers James Rowley and Mark Omo managed to discover a "backdoor" intended to let authorized locksmiths open Securam Prologic locks used in Liberty Safe and seven other brands. In addition, they discovered a way for a hacker to exploit that backdoor—intended to be accessible only with the manufacturer's help—to open a safe on their own in seconds, as well as found another security vulnerability in many newer versions of Securam's locks that would allow a bad actor to insert a tool into a hidden port in the lock and instantly obtain a safe’s unlock code, WIRED reported. Securam is expected to fix the issues in future models of the ProLogic lock. UAC Bypass via eudcedit.exe — An inventive User Account Control (UAC) bypass method exploits Windows' built-in Private Character Editor ("eudcedit.exe"), allowing attackers to gain elevated privileges without user consent. The technique once again highlights how legitimate Windows utilities can be weaponized to circumvent critical security mechanisms. "If eudcedit.exe is executed under a user context that already belongs to the Administrators group, and UAC is configured permissively (e.g., 'Elevate without prompting'), Windows will launch it immediately with high integrity, without showing a UAC dialog," security researcher Matan Bahar said. Information Leak in Multi-User Linux Environments — New research has demonstrated how basic Linux commands like "ps auxww" can be weaponized to extract database credentials, API keys, and administrative passwords in multi-user Linux environments, "without ever escalating privileges or exploiting a single bug," according to Ionut Cernica. Privacy Leaks Via Siri — Privacy issues have been uncovered in Apple Siri, finding the chat assistant transmits metadata about installed and active open apps, as well as audio playback metadata (e.g., recording names) without the user's ability to control these privacy settings or their consent. What's more, messages dictated via Siri to apps like iMessage and WhatsApp are sent to Apple's servers, along with the recipient phone number and other identifiers. The issues have been codenamed AppleStorm by Lumia Security. Apple said the behavior stemmed from third-party services' use of SiriKit, its extension system for integrating external apps with Siri. OAuth Apps as a Privilege Escalation Tool — Malicious OAuth applications could be used to escalate privileges or move laterally within a target environment. That's according to findings from Praetorian, which has open-sourced a red teaming tool called OAuthSeeker that performs phishing attacks using malicious OAuth applications to compromise user identities within Microsoft Azure and Office365. "It is possible for external verified or internal unverified applications to request user_impersonation privileges within Microsoft Azure, which then allows the attacker to impersonate the user to cloud computing resources within Microsoft Azure, such as accessing compute infrastructure, such as virtual machines," Praetorian said. "Operators can leverage OAuthSeeker for both gaining initial access into an environment, for lateral movement after obtaining initial access, and for persistence purposes after compromising an account leveraging other methods."
Fake Minecraft Setup Leads to NjRAT — A new malware campaign has been observed using fake Minecraft installers or mods to distribute a remote access trojan called NjRAT. "It is written in .NET and allows attackers to fully control infected machines remotely, making it one of the most popular and persistent malware families used in cyber espionage, cybercrime, and surveillance operations," Point Wild said. The disclosure comes as the cybersecurity company detailed the inner workings of another RAT called Sakula RAT that has been employed in targeted intrusions since at least 2012. Besides harvesting sensitive data, the malware can connect to a command-and-control (C2) server to receive instructions from the attacker to run arbitrary commands and download additional payloads. Israel Targeted by PowerShell RAT Using ClickFix — Speaking or RATs, multiple Israeli organizations have been targeted by spear-phishing attacks that direct users to fake landing pages mimicking Microsoft Teams invites, while using ClickFix-like lures to trick recipients into launching PowerShell commands under the guise of joining the conversation. The command initiates the retrieval and execution of a secondary PowerShell script from the attacker's server, which, in turn, acts as a loader for a PowerShell remote access trojan that can run PowerShell commands from the C2 and run more malware. "The adversary leveraged compromised internal email infrastructure to distribute phishing messages across the regional business landscape," Fortinet said. "The attacker systematically compromised multiple Israeli companies over several consecutive days, using each breached environment as a launchpad to target additional organizations in the region. This tactic closely mirrors MuddyWater's typical approach to lateral expansion." The absence of remote management tools (RMMs), a hallmark of MuddyWater's attacks, indicates a tactical deviation. The disclosure came as Profero said it cracked the encryption of the DarkBit (aka Storm-1084) ransomware gang's encryptors, allowing victims to recover files for free without paying a ransom. DarkBit is assessed to share overlaps with MuddyWater. The decrypter exploits a weak key generation algorithm used by the DarkBit group to brute-force the decryption key. Kimsuky Allegedly Suffers Data Breach — The North Korean state-sponsored hackers known as Kimsuky have reportedly suffered a data breach after a pair of hackers, named Saber and cyb0rg, stole the group's data and leaked it publicly online. "Kimsuky, you are not a hacker. You are driven by financial greed, to enrich your leaders, and to fulfill their political agenda," the hackers remarked in an analysis published in the latest issue of Phrack magazine. "You steal from others and favour your own. You value yourself above the others: You are morally perverted." Among the leaked data are Kimsuky's backend, exposing hacking tools, email addresses, internal manuals, and passwords that could provide insight into unknown campaigns and undocumented compromises. Saber and cyb0rg claim to have found evidence of Kimsuky compromising several South Korean government networks and companies. The files also include the group's Android Toybox modifications and use of exploits like Bushfire. Another program is a Loadable Kernel Module (LKM) style rootkit with the ability to hide from detection and operate on any network port. "The main purpose of the rootkit is to create a persistent and stealthy backdoor," Sandfly Security said. "The backdoor is activated when a special magic packet is received, combined with a correct password to initiate an SSL connection. The backdoor can be activated on any port. This is important to understand because a firewall alone may not protect the target system. If the magic packet is able to hit the victim, then the backdoor may be activated." The tranche of data is said to have originated from a virtual workstation and virtual private server (VPS) used by the threat actor. That said, indications are that the dumps may have originated from a likely Chinese actor who has knowledge of Kimsuky's tradecraft. 2 Founder of Samourai Wallet Plead Guilty to Money Laundering — Two senior executives and founders of the Samourai Wallet cryptocurrency mixer have pleaded guilty to charges involving washing more than $200 million worth of crypto assets from criminal proceeds and concealing the nature of illicit transactions using services like Whirlpool and Ricochet. Samourai CEO Keonne Rodriguez and CTO William Lonergan Hill were arrested last year after the U.S. Federal Bureau of Investigation (FBI) took down their service. As part of their plea agreements, Rodriguez and Hill have also agreed to forfeit $237,832,360.55. "The defendants created and operated a cryptocurrency mixing service that they knew enabled criminals to wash millions in dirty money, including proceeds from cryptocurrency thefts, drug trafficking operations, and fraud schemes," the U.S. Department of Justice (DoJ) said. "They did not just facilitate this illicit movement of money, but also encouraged it." Tornado Cash Founder Convicted of Operating a Money Transmitting Business — Roman Storm, a co-founder of the cryptocurrency mixing service Tornado Cash, was found guilty of conspiring to operate an unlicensed money-transmitting business. However, the jury failed to reach a ruling on the more significant charges of conspiracy to commit money laundering and to violate sanctions. "Roman Storm and Tornado Cash provided a service for North Korean hackers and other criminals to move and hide more than $1 billion of dirty money," the DoJ said. Storm is set to be sentenced later this year and faces a maximum prison sentence of five years. The development came as the U.S. Treasury Department dropped its appeal against a court ruling that forced it to lift sanctions against Tornado Cash last month. Tornado Cash was delisted from the Specially Designated National and Blocked Persons (SDN) list earlier this March. The service was sanctioned in 2022 for its alleged links to cybercriminals and for having "repeatedly failed to impose effective controls” to prevent money laundering. India's UPI to Stop P2P Money Requests to Tackle Fraud — The National Payments Corporation of India (NPCI) announced it will discontinue the person-to-person (P2P) Collect Request feature from the country's instant payment system, Unified Payments Interface (UPI), starting October 1, 2025, aiming to strengthen security and prevent payment-related fraud. The feature allows users to request money from another individual via UPI, but has been misused by fraudsters by sending fake money transfer requests that can be inadvertently approved by a simple tap, thereby tricking unwitting users into authorizing payments. The change, however, does not apply to merchants. Microsoft Plans to Block Dangerous File Types in Teams — Microsoft revealed it's planning to block dangerous file types and malicious URLs in Teams chats and channels. "Microsoft Teams now blocks messages containing weaponizable file types, such as executables, in chats and channels, increasing protection against malware and other file-based attacks," the company said. "Microsoft Teams can now detect and warn users on malicious URLs sent in Teams chat and channels, increasing protection against malware attacks." Separately, the tech giant said it's also integrating Teams with Defender for Office 365 Tenant Allow/Block List to allow administrators to centrally manage blocked external domains in Teams. USB Worm Delivers Crypto Miner — A USB-based worm is being used to deliver the XMRig cryptocurrency miner as part of a global campaign targeting financial, education, healthcare, manufacturing, telecom, and oil and gas sectors in Australia, India, the U.S., and other countries. "The infection starts with execution of a VB script file from a USB drive (using a file name that starts with x and random 6 digits) from a folder named 'rootdir,'" CyberProof said. The attack chain subsequently leverages DLL side-loading techniques to launch a malicious DLL that's responsible for starting the mining process. In a related development, Russian companies have become the target of the Kinsing (aka H2Miner and Resourceful Wolf) cryptojacking group as part of large-scale attacks that brute-force SSH instances or scan internet-exposed servers for known vulnerabilities (e.g., CVE-2017-9841) in order to drop the Monero cryptocurrency miner. SMM Flaws in AMI Aptio UEFI Firmware — System Management Mode (SMM) memory corruption vulnerabilities (CVE-2025-33043) have been identified in UEFI modules present in AMI Aptio UEFI firmware that could be exploited by an attacker to elevate privileges and execute arbitrary code in the highly privileged SMM environment. "This could bypass certain firmware-level protections, such as those protecting the SPI flash memory, and enable persistent modifications to the firmware that operate independently of the OS," CERT Coordination Center (CERT/CC) said. Former Intel Engineer Sentenced to 2 Years of Probation for Stealing Trade Secrets — An engineer who stole trade secrets from Intel and shared them with his new employer Microsoft, was sentenced to two years of probation and ordered to pay a fine of more than $34,000. Varun Gupta was employed at Intel from July 2010 to January 2020, when he secured his new job at Microsoft. Gupta pleaded guilty to possessing trade secrets back in February 2025. "Between February and July 2020, while employed by the company in Washington, Gupta possessed and accessed his previous employer's trade secrets and proprietary information without authorization," the Justice Department noted at the time. "Gupta accessed information related to customized product design and pricing for significant purchases of computer processors, which Gupta used, as a representative of the Washington company, during head-to-head negotiations with his previous employer." He was sued by Intel in early 2021. GitHub Repositories Deliver Stealer Malware — GitHub repositories disguised as legitimate projects, including game cheats, software cracks, and automation tools, have been used to distribute a malware loader called SmartLoader. It's believed that users searching for such tools on search engines are the target of the campaign. The loader acts as a conduit for the Rhadamanthys information stealer malware, which is retrieved from a remote server. Users who search for tools to download YouTube videos for free have also been found to be served fake sites like YTMP4, where those who enter a video URL are displayed a "Download Now" button that drops DigitalPulse proxyware on the victim's host by means of an executable hosted on GitHub. In a separate campaign, Facebook ads are being used to redirect users to fake landing pages that aim to deceive users into installing phony versions of cryptocurrency exchange apps like Binance that contain malware. The activity overlaps with a threat cluster dubbed WEEVILPROXY. Phishing Attacks Use Personalized Subject Lines and Links — Phishing attacks have been observed crafting personalized subject lines, attachment names, and embedded links to create a sense of familiarity or urgency, and increase the likelihood that the recipients engage with the email messages. "This strategy is not limited to the subject line; it is often extended to the email attachments, links, and message body," Cofense said. "By including customized elements, attackers aim to increase the likelihood of a successful compromise." These subject customization campaigns bearing travel Assistance, Response, Finance, Taxes, and Notification-themed emails have been found to deliver remote access trojans and information stealers. Finance-themed campaigns predominantly deliver jRAT, a cross-platform Remote Access Trojan written in Java that enables multi-operating system compatibility, whereas response-themed emails frequently serve PikaBot malware. Google pKVM Achieves SESIP Level 5 Certification — Google announced that its protected Kernel-based Virtual Machine (pKVM) for Android has achieved SESIP Level 5 certification, the highest security assurance level for IoT and mobile platforms. "This makes pKVM the first software security system designed for large-scale deployment in consumer electronics to meet this assurance bar," Google said. "This includes vital features, such as on-device AI workloads that can operate on ultra-personalized data, with the highest assurances of privacy and integrity." 81% of Organizations Knowingly Ship Vulnerable Code — While 98% of organizations experienced breaches due to vulnerable code, 81% knowingly shipped that code, often to meet business goals. "Under pressure to deliver, teams are treating patch-later practices as acceptable risk, embedding insecurity into the SDLC," Checkmarx said in its Future of AppSec report. The report is based on a survey of 1,500 application security leaders. Half of the respondents already use AI security code assistants, and 34% admitted that more than 60% of their code is generated using artificial intelligence (AI) tools. Pak Entities Targeted by Blue Locker Ransomware — Pakistan's National Cyber Emergency Response Team (NCERT) issued an alert warning of Blue Locker ransomware attacks targeting the oil and gas sector. The ransomware, believed to be connected to the Shinra malware family, is distributed via a PowerShell-based loader that attempts to disable security defenses, escalate privileges, and launch its main payload. Phishing emails, malicious attachments, drive-by downloads, and insecure remote access are some of the initial access routes used by the threat actors behind the operation. "The motive behind these events may vary, but it is unlikely that a traditional cybercriminal organization is responsible; instead, it is more probable that a nation-state group is attacking critical infrastructure," Resecurity said. "Very often, advanced actors operate under the guise of cybercrime to blur attribution and avoid geopolitical context." The disclosure came as Huntress detailed a KawaLocker (aka KAWA4096) ransomware incident that involved the attackers accessing a victim's endpoint via Remote Desktop Protocol (RDP) using a compromised account, followed by disabling security tools using kernel drivers and then dropping the locker. Phishing Campaign Uses "ん" as a URL Forward Slash — A Booking.com-themed phishing campaign has been observed using the Unicode character "ん" in URLs as a substitute for forward slashes when rendered in a web browser to trick unsuspecting users into running malicious MSI installers that are likely capable of delivering additional malware. Threat Actors Sell Access to Compromised Law Enforcement Accounts — A flourishing underground economy is enabling unauthorized access to hacked government and law enforcement accounts. These accounts are either compromised through phishing or through information-stealing infections. A single account is available for as little as $40. Chrome Tests Blocking Fingerprinting in Incognito Mode — Google's Chrome team said it's testing a Script Blocking feature that's aimed at thwarting scripts engaging in known, prevalent techniques for browser re-identification using browser APIs to extract additional information about the user's browser or device characteristics. The feature is expected to be shipped in version 140. Norway Says Russian Hackers Sabotaged Dam — The Norwegian Police Security Service said pro-Russian hackers likely sabotaged a dam in the country's southwest in April 2025. This is the first time officials have publicly linked the incident to Russia. "The aim of this type of operation is to influence and to cause fear and chaos among the general population," PST said. Exactly who is behind it is presently unknown. NIST Finalizes Lightweight Cryptography Standard to Secure IoT Devices — The U.S. National Institute of Standards and Technology (NIST) has completed work on the Ascon cryptographic standard. The standard contains four cryptographic algorithms (ASCON-128 AEAD , ASCON-Hash 256, ASCON-XOF 128, and ASCON-CXOF 128) designed to be used on low-memory IoT devices, as well as RFID tags and medical implants. The agency has been working on the standard since 2023. Chinese AI Firm Runs Propaganda Campaigns — The Chinese government is enlisting the help of domestic AI companies to monitor and manipulate public opinion on social media through sophisticated propaganda campaigns. One such company, named GoLaxy has run influence operations targeting Hong Kong and Taiwan with the help of AI tools. Founded in 2010, it has also used a tool named GoPro to build psychological profiles and build data profiles for at least 117 sitting U.S. lawmakers and more than 2,000 other American political and thought leaders. Furthermore, GoLaxy is believed to be tracking thousands of right-wing influencers and journalists. The company has since attempted to scrub its digital footprint, albeit unsuccessfully. In a statement to The New York Times, GoLaxy said its products are mainly based on open-source data.
|
|
|
|
|
|
Comments
Post a Comment
Please leave a comment about our recent post.