Author: Mark

Running a SOC often feels like drowning in alerts. Every morning, dashboards light up with thousands of signals; some urgent, many irrelevant. The job is to find the real threats fast enough to keep cases from piling up, prevent analyst burnout, and maintain client or leadership confidence.

The toughest challenges, however, aren’t the alerts that can be dismissed quickly, but the ones that hide in plain sight. These tricky threats drag out investigations, create unnecessary escalations, and quietly drain resources over time.

Why Detection Gaps Keep Opening

What slows SOCs down isn’t the flood of alerts alone but the way investigations get split across disconnected tools. Intel in one platform, detonation in another, enrichment in a third; every switch wastes time. Across hundreds of cases, those minutes add up to stalled investigations, unnecessary escalations, and threats that linger longer than they should.

Action Plan That Delivers 3× SOC Efficiency in Threat Detection

SOC teams looking to close detection gaps have found one approach that works: building detection as a continuous workflow, where every step reinforces the next. Instead of stalling in disconnected tools, analysts move through a process that flows, from filtering alerts to detonating suspicious files to validating indicators.

A recent ANY.RUN survey shows just how much this shift can change SOC performance:

• 95% of SOC teams reported faster investigations
• 94% of users said triage became quicker and clearer
• 21 minutes saved on MTTR for each case
• Up to 58% more threats identified overall

3-step action plan with its impact when using ANY.RUN

Behind these numbers is more than speed. SOCs that adopted this workflow reduced alert overload, gained clearer visibility into complex attacks, and built confidence in compliance and reporting. Teams also grew faster in expertise, as analysts learned by doing rather than relying solely on static reports.

So how are these numbers possible? The answer lies in three practical steps SOC teams have already put into action.

Let’s look at how this plan works, and how you can implement it in your own workflows.

Step 1: Expand Threat Coverage Early

The earlier a SOC can spot an incident, the faster it can respond. Threat Intelligence Feeds give analysts fresh, actionable IOCs drawn from the latest malware campaigns; IPs, domains, and hashes seen in real-world attacks. Instead of chasing alerts blindly, teams start with data that reflects what’s happening across the threat landscape right now.

TI Feeds as your first step in threat detection

With this early coverage, SOCs gain three key advantages: they catch incidents sooner, stay aligned with current threats, and cut down on noise that clutters Tier 1. In practice, that means a 20% decrease in Tier 1 workload and fewer escalations eating into senior analysts’ time.

Once alerts are filtered, the next challenge is proving what’s left. An interactive sandbox becomes the SOC’s proving ground. Instead of waiting for static reports, analysts can detonate suspicious files and URLs in real time, watching behavior unfold step by step.

This approach exposes what most automated defenses miss; payloads that need clicks to activate, staged downloads that appear over time, and evasive tactics designed to fool passive detection.

ANY.RUN’s sandbox analyzing complex threat

The result is faster, clearer answers:

• Evasive attacks exposed before they can escalate
• Actionable threat reports generated for quick response
• Routine tasks minimized with automated investigations

In practice, SOCs achieve a 15-second median detection time, turning what used to be long, uncertain investigations into rapid, decisive outcomes.

By combining real-time visibility with automation, the sandbox gives specialists of all levels the confidence to act quickly, while freeing senior staff from spending hours on routine triage.

Step 3: Strengthen Proactive Defense with Threat Intelligence Lookup

Even with full sandbox results, one question always remains: has this threat been seen before? Knowing whether an IOC is part of a fresh campaign or one already circulating across industries can completely change how a SOC responds.

That’s why the third step is implementing Threat Intelligence Lookup. By tapping into live attack data contributed by more than 15,000 SOCs worldwide, analysts instantly enrich their findings and connect isolated alerts to wider patterns.

TI Lookup search of attack and its relevant sandbox analyses

The advantages are clear:

• Hidden threats uncovered through proactive hunting
• Greater incident clarity with rich historical context
• Real-time visibility into evolving campaigns

With access to 24× more IOCs than typical isolated sources, security professionals can validate faster, close tickets sooner, and anticipate what might be coming next.

This final step ensures that every investigation ends with stronger evidence; not just a snapshot of one case, but an understanding of how it fits into the bigger threat landscape.

Build a Stronger SOC With a Unified Detection Workflow

Closing detection gaps is possible by creating a workflow where every stage strengthens the next. With early filtering from Threat Feeds, real-time visibility from the sandbox, and global context from Lookup, SOCs move from fragmented detection to a continuous process that delivers measurable results: faster triage, fewer escalations, and up to 3× greater efficiency in threat detection.

Organizations worldwide are already seeing the benefits:

• 74% of Fortune 100 companies use ANY.RUN to reinforce SOC operations
• 15,000+ organizations have integrated it into their detection workflows
• 500,000+ users rely on it daily for malware analysis and threat intelligence

Boost your detection rate, cut investigation time, and strengthen SOC efficiency.

Connect with ANY.RUN’s experts to explore how this approach can work for your team.

Cybersecurity researchers have discovered two Android spyware campaigns dubbed ProSpy and ToSpy that impersonate apps like Signal and ToTok to target users in the United Arab Emirates (U.A.E.).

Slovak cybersecurity company ESET said the malicious apps are distributed via fake websites and social engineering to trick unsuspecting users into downloading them. Once installed, both the spyware malware strains establish persistent access to compromised Android devices and exfiltrate data.

“Neither app containing the spyware was available in official app stores; both required manual installation from third-party websites posing as legitimate services,” ESET researcher Lukáš Štefanko said. Notably, one of the websites distributing the ToSpy malware family mimicked the Samsung Galaxy Store, luring users into manually downloading and installing a malicious version of the ToTok app.”

The ProSpy campaign, discovered in June 2025, is believed to have been ongoing since 2024, leveraging deceptive websites masquerading as Signal and ToTok to host booby-trapped APK files that claim to be upgrades to the respective apps, namely Signal Encryption Plugin and ToTok Pro.

The use of ToTok as a lure is no coincidence, as the app was removed from Google Play and Apple App Store in December 2019 due to concerns that it acted as a spying tool for the U.A.E. government, harvesting users’ conversations, locations, and other data.

The developers of ToTok subsequently went on to claim the removal was an “attack perpetrated against our company by those who hold a dominant position in this market” and that the app does not spy on users.

The rogue ProSpy apps are designed to request permissions to access contacts, SMS messages, and files stored on the device. It’s also capable of exfiltrating device information.

ESET said its telemetry also flagged another Android spyware family actively distributed in the wild and targeting users in the same region around the same time ProSpy was detected. The ToSpy campaign, which likely began on June 30, 2022, and is currently ongoing, has leveraged fake sites impersonating the ToTok app to deliver the malware.

“This redirection is designed to reinforce the illusion of legitimacy,” ESET said. “Any future launches of the malicious ToTok Pro app will instead open the real ToTok app, effectively masking the spyware’s presence. However, the user will still see two apps installed on the device (ToTok and ToTok Pro), which could be suspicious.”

The Signal Encryption Plugin, in a similar manner, includes an “ENABLE” button to deceive the users into downloading the legitimate encrypted messaging app by visiting the signal[.]org site. But unlike the case of ToTok Pro, the rogue Signal app icon is changed to impersonate Google Play Services once the victim grants it all the necessary permissions.

Regardless of the app installed, the spyware embedded within it stealthily exfiltrates the data before the user clicks CONTINUE or ENABLE. This includes device information, SMS messages, contact lists, files, and a list of installed applications.

“Similarly to ProSpy, ToSpy also includes steps designed to further deceive the victim into believing that the malware they just installed is a legitimate app,” Štefanko said. “After the user launches the malicious ToTok app, there are two possible scenarios: either the official ToTok app is installed on the device or it’s not.”

“If the official ToTok app is not installed on the device, ToSpy attempts to redirect the user to the Huawei AppGallery, either through an already installed Huawei app or via the default browser, suggesting the user download the official ToTok app.”

In the event the app is already installed on the device, it displays a fake screen to give the impression that it’s checking for app updates before seamlessly launching the official ToTok app. However, in the background, it collects user contacts, files matching certain extensions, device information, and ToTok data backups (*.ttkmbackup).

To achieve persistence, both the spyware families run a foreground service that displays a persistent notification, use Android’s AlarmManager to repeatedly restart the foreground service if it gets terminated, and automatically launch the necessary background services upon a device reboot.

ESET said the campaigns are being tracked differently due to differences in delivery methods and infrastructure, despite several commonalities in the malware deployed. It’s currently not known who is behind the activity.

“Users should remain vigilant when downloading apps from unofficial sources and avoid enabling installation from unknown origins, as well as when installing apps or add-ons outside of official app stores, especially those claiming to enhance trusted services,” the company added.

Oct 01, 2025Ravie LakshmananEncryption / Hardware Security

In yet another piece of research, academics from Georgia Institute of Technology and Purdue University have demonstrated that the security guarantees offered by Intel’s Software Guard eXtensions (SGX) can be bypassed on DDR4 systems to passively decrypt sensitive data.

SGX is designed as a hardware feature in Intel server processors that allows applications to be run in a Trusted Execution Environment (TEE). It essentially isolates trusted code and resources within what’s called enclaves, preventing attackers from viewing their memory or CPU state.

In doing so, the mechanism ensures that the data stays confidential even when the underlying operating system has been tampered with or compromised by other means. However, the latest findings show the limitations of SGX.

“We show how one can build a device to physically inspect all memory traffic inside a computer cheaply and easily, in environments with only basic electrical tools, and using equipment easily purchased on the internet,” the researchers said. “Using our interposer device against SGX’s attestation mechanism, we are able to extract an SGX secret attestation key from a machine in fully trusted status, thereby breaching SGX’s security.”

Like the Battering RAM attack recently disclosed by KU Leuven and the University of Birmingham researchers, the newly devised method – codenamed WireTap – relies on an interposer that sits between the CPU and the memory module to observe the data that flows between them. The interposer can be installed by a threat actor either through a supply chain attack or physical compromise.

At its core, the physical attack exploits Intel’s use of deterministic encryption to stage a full key recovery against Intel SGX’s Quoting Enclave (QE), effectively making it possible to extract an ECDSA signing key that can be used to sign arbitrary SGX enclave reports.

Put differently, an attacker can weaponize the deterministic nature of memory encryption to build an oracle of sorts to break the security of constant-time cryptographic code.

“We have successfully extracted attestation keys, which are the primary mechanism used to determine whether code is running under SGX,” the researchers said. “This allows any hacker to masquerade as genuine SGX hardware, while in fact running code in an exposed manner and peeking into your data.”

“Like two sides of the same coin, WireTap and Battering RAM look at complementary properties of deterministic encryption. While WireTap focuses mainly on breaching confidentiality, BatteringRAM focuses mostly on integrity. The bottom line is the same; however, both SGX and SEV are easy to break using memory interposition.”

However, while Battering RAM is a low-cost attack that can be pulled off using equipment costing less than $50, the WireTap setup costs about $1,000, including the logic analyzer.

In a hypothetical attack scenario targeting SGX-backed blockchain deployments such as Phala Network, Secret Network, Crust Network, and IntegriTEE, the study found that WireTap can be leveraged to undermine confidentiality and integrity guarantees and allow attackers to disclose confidential transactions or illegitimately obtain transaction rewards.

In response to the findings, Intel said the exploit is outside the scope of its threat model since it assumes a physical adversary that has direct access to the hardware with a memory bus interposer. In the absence of a “patch,” it’s recommended that the servers be run in secure physical environments and use cloud providers that provide independent physical security.

“Such attacks are outside the scope of the boundary of protection offered by Advanced Encryption Standard-XEX-based Tweaked Codebook Mode with Ciphertext Stealing (AES-XTS) based memory encryption,” the chipmaker said. “As it provides limited confidentiality protection, and no integrity or anti-replay protection against attackers with physical capabilities, Intel does not plan to issue a CVE.”

Oct 01, 2025The Hacker NewsAutomation / IT Operations

AI is changing automation—but not always for the better. That’s why we’re hosting a new webinar, “Workflow Clarity: Where AI Fits in Modern Automation,” with Thomas Kinsella, Co-founder & Chief Customer Officer at Tines, to explore how leading teams are cutting through the hype and building workflows that actually deliver.

The rise of AI has changed how organizations think about automation. But here’s the reality many teams are quietly wrestling with: AI isn’t a silver bullet. Purely human-led workflows buckle under pressure, rigid rules-based automations break the moment reality shifts, and fully autonomous AI agents risk introducing black-box decision-making that’s impossible to audit.

For cybersecurity and operations leaders, the stakes are even higher. You need workflows that are fast but reliable, powerful but secure, and—above all—explainable.

So where does AI really fit in?

The Hidden Problem with “All-In” Automation

The push to automate everything has left many teams with fragile systems:

• Too much human intervention: slows down response time and eats up valuable analyst hours.
• Too many rigid rules: can’t adapt to new threats or business realities, leading to constant rework.
• Too much AI: risks shadow processes that no one fully understands, undermining trust and compliance.

The truth? The strongest workflows aren’t found at the extremes—they emerge when human judgment, traditional automation, and AI are blended intentionally.

A Webinar for Teams Who Want More Than AI Hype

Join Thomas Kinsella for a candid look at how top security and operations teams are blending people, rules, and AI agents to build workflows that deliver real outcomes—without over-engineering or sacrificing control.

In this session, you’ll learn:

• Where AI belongs (and where it doesn’t): practical guidance on mapping human, rules-based, and AI-driven tasks.
• How to avoid AI overreach: spotting when automation is adding complexity instead of clarity.
• Building for security and auditability: ensuring workflows stand up to compliance and scrutiny.
• Proven patterns from the field: real-world examples of how top security teams are scaling AI automation thoughtfully.

This session is designed for security leaders who are tired of the AI hype and want to cut through the noise. If you’re looking for practical strategies to deploy automation that strengthens defenses—without creating new risks—this is for you.

Watch this Webinar Now

It’s equally valuable for Ops and IT teams working to free up their human talent while avoiding brittle, opaque systems that collapse under real-world pressure. And if you’re an innovation-minded professional exploring how to balance people, rules, and AI agents in the workplace, you’ll walk away with a clear framework for making those choices.

AI is already transforming workflows, but the winners won’t be those who chase complexity—they’ll be the teams who embrace clarity, security, and control. This webinar will give you the tools to identify the right mix of human, rules-based, and AI automation for your environment, and show you how to implement it in ways that are secure, auditable, and built to scale with confidence.

Don’t just “add AI.” Learn how to make it work for you—at scale, with control. Register now to save your spot.

Oct 01, 2025Ravie LakshmananVulnerability / API Security

A high-severity security flaw has been disclosed in the One Identity OneLogin Identity and Access Management (IAM) solution that, if successfully exploited, could expose sensitive OpenID Connect (OIDC) application client secrets under certain circumstances.

The vulnerability, tracked as CVE-2025-59363, has been assigned a CVSS score of 7.7 out of 10.0. It has been described as a case of incorrect resource transfer between spheres (CWE-669), which causes a program to cross security boundaries and obtain unauthorized access to confidential data or functions.

CVE-2025-59363 “allowed attackers with valid API credentials to enumerate and retrieve client secrets for all OIDC applications within an organization’s OneLogin tenant,” Clutch Security said in a report shared with The Hacker News.

The identity security said the problem stems from the fact that the application listing endpoint – /api/2/apps – was configured to return more data than expected, including the client_secret values in the API response alongside metadata related to the apps in a OneLogin account.

The steps to pull off the attack are listed below –

• Attacker uses valid OneLogin API credentials (client ID and secret) to authenticate
• Request access token
• Call the /api/2/apps endpoint to list all applications
• Parse the response to retrieve client secrets for all OIDC applications
• Use extracted client secrets to impersonate applications and access integrated services

Successful exploitation of the flaw could allow an attacker with valid OneLogin API credentials to retrieve client secrets for all OIDC applications configured within a OneLogin tenant. Armed with this access, the threat actor could leverage the exposed secret to impersonate users and gain access to other applications, offering opportunities for lateral movement.

OneLogin’s role-based access control (RBAC) grants API keys broad endpoint access, meaning the compromised credentials could be used to access sensitive endpoints across the entire platform. Compounding matters further is the lack of IP address allowlisting, as a result of which it’s possible for attackers to exploit the flaw from anywhere in the world, Clutch noted.

Following responsible disclosure on July 18, 2025, the vulnerability was addressed in OneLogin 2025.3.0, which was released last month by making OIDC client_secret values no longer visible. There is no evidence that the issue was ever exploited in the wild.

“Identity providers serve as the backbone of enterprise security architecture,” Clutch Security said. “Vulnerabilities in these systems can have cascading effects across entire technology stacks, making rigorous API security essential.”

Oct 01, 2025Ravie LakshmananAI Security / Cloud Security

A severe security flaw has been disclosed in the Red Hat OpenShift AI service that could allow attackers to escalate privileges and take control of the complete infrastructure under certain conditions.

OpenShift AI is a platform for managing the lifecycle of predictive and generative artificial intelligence (GenAI) models at scale and across hybrid cloud environments. It also facilitates data acquisition and preparation, model training and fine-tuning, model serving and model monitoring, and hardware acceleration.

The vulnerability, tracked as CVE-2025-10725, carries a CVSS score of 9.9 out of a maximum of 10.0. It has been classified by Red Hat as “Important” and not “Critical” in severity owing to the need for a remote attacker to be authenticated in order to compromise the environment.

“A low-privileged attacker with access to an authenticated account, for example, as a data scientist using a standard Jupyter notebook, can escalate their privileges to a full cluster administrator,” Red Hat said in an advisory earlier this week.

“This allows for the complete compromise of the cluster’s confidentiality, integrity, and availability. The attacker can steal sensitive data, disrupt all services, and take control of the underlying infrastructure, leading to a total breach of the platform and all applications hosted on it.”

The following versions are affected by the flaw –

• Red Hat OpenShift AI 2.19
• Red Hat OpenShift AI 2.21
• Red Hat OpenShift AI (RHOAI)

As mitigations, Red Hat is recommending that users avoid granting broad permissions to system-level groups, and “the ClusterRoleBinding that associates the kueue-batch-user-role with the system:authenticated group.”

“The permission to create jobs should be granted on a more granular, as-needed basis to specific users or groups, adhering to the principle of least privilege,” it added.

Oct 01, 2025The Hacker NewsAutomation / IT Operations

AI is changing automation—but not always for the better. That’s why we’re hosting a new webinar, “Workflow Clarity: Where AI Fits in Modern Automation,” with Thomas Kinsella, Co-founder & Chief Customer Officer at Tines, to explore how leading teams are cutting through the hype and building workflows that actually deliver.

The rise of AI has changed how organizations think about automation. But here’s the reality many teams are quietly wrestling with: AI isn’t a silver bullet. Purely human-led workflows buckle under pressure, rigid rules-based automations break the moment reality shifts, and fully autonomous AI agents risk introducing black-box decision-making that’s impossible to audit.

For cybersecurity and operations leaders, the stakes are even higher. You need workflows that are fast but reliable, powerful but secure, and—above all—explainable.

So where does AI really fit in?

The Hidden Problem with “All-In” Automation

The push to automate everything has left many teams with fragile systems:

• Too much human intervention: slows down response time and eats up valuable analyst hours.
• Too many rigid rules: can’t adapt to new threats or business realities, leading to constant rework.
• Too much AI: risks shadow processes that no one fully understands, undermining trust and compliance.

The truth? The strongest workflows aren’t found at the extremes—they emerge when human judgment, traditional automation, and AI are blended intentionally.

A Webinar for Teams Who Want More Than AI Hype

Join Thomas Kinsella for a candid look at how top security and operations teams are blending people, rules, and AI agents to build workflows that deliver real outcomes—without over-engineering or sacrificing control.

In this session, you’ll learn:

• Where AI belongs (and where it doesn’t): practical guidance on mapping human, rules-based, and AI-driven tasks.
• How to avoid AI overreach: spotting when automation is adding complexity instead of clarity.
• Building for security and auditability: ensuring workflows stand up to compliance and scrutiny.
• Proven patterns from the field: real-world examples of how top security teams are scaling AI automation thoughtfully.

This session is designed for security leaders who are tired of the AI hype and want to cut through the noise. If you’re looking for practical strategies to deploy automation that strengthens defenses—without creating new risks—this is for you.

Watch this Webinar Now

It’s equally valuable for Ops and IT teams working to free up their human talent while avoiding brittle, opaque systems that collapse under real-world pressure. And if you’re an innovation-minded professional exploring how to balance people, rules, and AI agents in the workplace, you’ll walk away with a clear framework for making those choices.

AI is already transforming workflows, but the winners won’t be those who chase complexity—they’ll be the teams who embrace clarity, security, and control. This webinar will give you the tools to identify the right mix of human, rules-based, and AI automation for your environment, and show you how to implement it in ways that are secure, auditable, and built to scale with confidence.

Don’t just “add AI.” Learn how to make it work for you—at scale, with control. Register now to save your spot.

A group of academics from KU Leuven and the University of Birmingham has demonstrated a new vulnerability called Battering RAM to bypass the latest defenses on Intel and AMD cloud processors.

“We built a simple, $50 interposer that sits quietly in the memory path, behaving transparently during startup and passing all trust checks,” researchers Jesse De Meulemeester, David Oswald, Ingrid Verbauwhede, and Jo Van Bulck said on a website publicizing the findings. “Later, with just a flip of a switch, our interposer turns malicious and silently redirects protected addresses to attacker-controlled locations, allowing corruption or replay of encrypted memory.”

Battering RAM compromises Intel’s Software Guard Extensions (SGX) and AMD’s Secure Encrypted Virtualization with Secure Nested Paging (SEV-SNP) hardware security features, which ensure that customer data remains encrypted in memory and protected during use.

It affects all systems using DDR4 memory, specifically those relying on confidential computing workloads running in public cloud environments to secure data from the cloud service provider using hardware-level access control and memory encryption.

The attack, in a nutshell, involves leveraging a custom-built, low-cost DDR4 interposer hardware hack to stealthily redirect physical addresses and gain unauthorized access to protected memory regions. The interposer makes use of simple analog switches to actively manipulate signals between the processor and memory, and can be built for less than $50.

On Intel platforms, Battering RAM achieves arbitrary read access to victim plaintext or write plaintext into victim enclaves, whereas on AMD systems, the attack can be used to sidestep recent firmware mitigations against BadRAM, which was documented by the researchers back in December 2024, and introduce arbitrary backdoors into the virtual machine without raising any suspicion.

Successful exploitation of the vulnerability can allow a rogue cloud infrastructure provider or insider with limited physical access to compromise remote attestation and enable the insertion of arbitrary backdoors into protected workloads.

Battering RAM was reported to the vendors earlier this year, following which Intel, AMD, and Arm have responded that physical attacks are currently considered out of scope of their product’s threat model. However, defending against Battering RAM would require a fundamental redesign of memory encryption itself, the researchers noted.

“Battering RAM exposes the fundamental limits of the scalable memory encryption designs currently used by Intel and AMD, which omit cryptographic freshness checks in favor of larger protected memory sizes,” they added. “Battering RAM […] is capable of introducing memory aliases dynamically at runtime. As a result, Battering RAM can circumvent Intel’s and AMD’s boot-time alias checks.”

The disclosure comes as AMD released mitigations for attacks dubbed Heracles and Relocate-Vote disclosed by the University of Toronto and ETH Zürich, respectively, that can leak sensitive data from cloud environments and confidential virtual machines that rely on AMD’s SEV-SNP technology by means of a malicious hypervisor.

“The system lets the hypervisor move data around to manage memory efficiently,” David Lie, director of the Schwartz Reisman Institute (SRI) at the University of Toronto, said. “So when data is relocated, AMD’s hardware decrypts it from the old location and re-encrypts it for the new location. But, what we found was that by doing this over and over again, a malicious hypervisor can learn recurring patterns from within the data, which could lead to privacy breaches.”

Last month, ETH Zürich researchers also demonstrated that a CPU optimization known as the stack engine can be abused as a side channel for attacks that lead to information leakage. A proof-of-concept (PoC) has been developed for AMD Zen 5 machines, although it’s believed that all models have this “abusable hardware feature.”

The discovery of Battering RAM also follows a report from Vrije Universiteit Amsterdam researchers about a new, realistic attack technique referred to as L1TF Reloaded that combines L1 Terminal Fault (aka Foreshadow) and Half-Spectre gadgets (aka incomplete Spectre-like code patterns) to leak memory from virtual machines running on public cloud services.

“L1TF is a CPU vulnerability that allows an (attacker) VM to speculatively read any data residing in the (core-local) L1 data cache – including data the VM shouldn’t have access to,” VUSec researchers said. “At a high level, L1TF Reloaded abuses this to obtain an arbitrary RAM read primitive.”

Google, which provided the researchers with a sole-tenant node in order to conduct the research safely without potentially affecting any other customers, awarded a $151,515 bug bounty and “applied fixes to the affected assets.” Amazon said the L1TF Reloaded vulnerability does not impact the guest data of AWS customers running on the AWS Nitro System or Nitro Hypervisor.

Spectre, which first came to light in early 2018, continues to haunt modern CPUs, albeit in the form of different variants. As recently as two weeks ago, academics from ETH Zürich devised a new attack known as VMScape (CVE-2025-40300, CVSS score: 6.5) that breaks virtualization boundaries in AMD Zen CPUs and Intel Coffee Lake processors.

Described as a Spectre branch target injection (Spectre-BTI) attack targeting the cloud, it exploits isolation gaps across host and guest in user and supervisor modes to leak arbitrary memory from an unmodified QEMU process. A software fix has been introduced in the Linux kernel to counter the cross-virtualization BTI (vBTI) attack primitive.

“VMScape can leak the memory of the QEMU process at the rate of 32 B/s on AMD Zen 4,” the authors said in a study. “We use VMScape to find the location of secret data and leak the secret data, all within 772 s, extracting the cryptographic key used for disk encryption/decryption as an example.”

Oct 01, 2025The Hacker NewsAttack Surface / Artificial Intelligence

Bitdefender’s 2025 Cybersecurity Assessment Report paints a sobering picture of today’s cyber defense landscape: mounting pressure to remain silent after breaches, a gap between leadership and frontline teams, and a growing urgency to shrink the enterprise attack surface.

The annual research combines insights from over 1,200 IT and security professionals across six countries, along with an analysis of 700,000 cyber incidents by Bitdefender Labs. The results reveal hard truths about how organizations are grappling with threats in an increasingly complex environment.

Breaches Swept Under the Rug

This year’s findings spotlight a disturbing trend: 58% of security professionals were told to keep a breach confidential, even when they believed disclosure was necessary. That’s a 38% jump since 2023, suggesting more organizations may be prioritizing optics over transparency.

The pressure is especially acute for CISOs and CIOs, who report higher levels of expectation to remain quiet compared to frontline staff. Such secrecy risks undermining stakeholder trust, compliance obligations, and long-term resilience.

Living-Off-the-Land Attacks Drive Attack Surface Focus

Bitdefender analyzed 700,000 high-severity attacks and found that 84% of high-severity attacks now now leverage legitimate tools already present inside environments — so-called Living Off the Land (LOTL) techniques. These tactics bypass traditional defenses, operate invisibly, and are increasingly used in targeted intrusions.

In response, 68% of surveyed organizations list attack surface reduction as a top priority, with the U.S. (75%) and Singapore (71%) leading adoption. Proactive hardening steps — disabling unnecessary services, eliminating unused applications, and reducing lateral movement paths — are quickly shifting from best practices to business imperatives.

AI: Perception vs. Reality

AI looms large in the minds of defenders, but perceptions don’t always align with on-the-ground reality.

• 67% believe AI-driven attacks are increasing
• 58% cite AI-powered malware as their top concern

Yet, the report shows that while AI-enhanced attacks are growing, fears may be outpacing actual prevalence. This gap underscores the need for a balanced approach: prepare for AI threats without losing sight of today’s highlights the need for a balanced approach: prepare for AI threats without losing sight of prevalent adversary tactics.

Leadership Disconnect Risks Slowdowns

Perhaps most concerning is the misalignment between executives and operational teams:

• 45% of C-level executives report being “very confident” in managing cyber risk
• Only 19% of mid-level managers agree

Strategic focus areas also diverge: executives prioritize AI adoption, while frontline managers place more urgency on cloud security and identity management. These disconnects can slow progress, dilute resources, and create blind spots that attackers exploit.

The Road Ahead

The findings converge on one message: cyber resilience demands preemptive strategies. That means:

• Actively reducing attack surfaces
• Streamlining security tools and complexity
• Addressing team burnout and the skills gap
• Closing the perception differences between leadership and the front-line

To explore additional findings, read the Bitdefender 2025 Cybersecurity Assessment report.

Oct 01, 2025Ravie LakshmananVulnerability / Malware

Unknown threat actors are abusing Milesight industrial cellular routers to send SMS messages as part of a smishing campaign targeting users in European countries since at least February 2022.

French cybersecurity company SEKOIA said the attackers are exploiting the cellular router’s API to send malicious SMS messages containing phishing URLs, with the campaigns primarily targeting Sweden, Italy, and Belgium using typosquatted URLs that impersonate government platforms like CSAM and eBox, as well as banking, postal, and telecom providers.

Of the 18,000 routers of this type accessible on the public internet, no less than 572 are assessed to be potentially vulnerable due to their exposing the inbox/outbox APIs. About half of the identified vulnerable routers are located in Europe.

“Moreover, the API enables retrieval of both incoming and outgoing SMS messages, which indicates that the vulnerability has been actively exploited to disseminate malicious SMS campaigns since at least February 2022,” the company said. “There is no evidence of any attempt to install backdoors or exploit other vulnerabilities on the device. This suggests a targeted approach, aligned specifically with the attacker’s smishing operations.”

It’s believed the attackers are exploiting a now-patched information disclosure flaw impacting Milesight routers (CVE-2023-43261, CVSS score: 7.5), which was disclosed by security researcher Bipin Jitiya exactly two years ago. Weeks later, VulnCheck revealed that the vulnerability may have been weaponized in the wild shortly following public disclosure.

Further investigation has revealed that some of the industrial routers expose SMS-related features, including sending messages or viewing SMS history, without requiring any form of authentication.

The attacks likely involve an initial validation phase where the threat actors attempt to verify whether a given router can send SMS messages by targeting a phone number under their control. SEKOIA further noted that the API could also be publicly accessible due to misconfigurations, given that a couple of routers have been found running more recent firmware versions that are not susceptible to CVE-2023-43261.

The phishing URLs distributed using this method include JavaScript that checks whether the page is being accessed from a mobile device before serving the malicious content, which, in turn, urges users to update their banking information for purported reimbursement.

What’s more, one of the domains used in the campaigns between January and April 2025 – jnsi[.]xyz – feature JavaScript code to disable right-click actions and browser debugging tools in an attempt to hinder analysis efforts. Some of the pages have also been found to log visitor connections to a Telegram bot named GroozaBot, which is operated by an actor named “Gro_oza,” who appears to speak both Arabic and French.

“The smishing campaigns appear to have been conducted through the exploitation of vulnerable cellular routers – a relatively unsophisticated, yet effective, delivery vector,” SEKOIA said. “These devices are particularly appealing to threat actors as they enable decentralised SMS distribution across multiple countries, complicating both detection and takedown efforts.”