Author: Mark

Jul 02, 2025The Hacker NewsNetwork Security / Threat Detection

With nearly 80% of cyber threats now mimicking legitimate user behavior, how are top SOCs determining what’s legitimate traffic and what is potentially dangerous?

Where do you turn when firewalls and endpoint detection and response (EDR) fall short at detecting the most important threats to your organization? Breaches at edge devices and VPN gateways have risen from 3% to 22%, according to Verizon’s latest Data Breach Investigations report. EDR solutions are struggling to catch zero-day exploits, living-off-the-land techniques, and malware-free attacks. Nearly 80% of detected threats use malware-free techniques that mimic normal user behavior, as highlighted in CrowdStrike’s 2025 Global Threat Report. The stark reality is that conventional detection methods are no longer sufficient as threat actors adapt their strategies, using clever techniques like credential theft or DLL hijacking to avoid discovery.

In response, security operations centers (SOCs) are turning to a multi-layered detection approach that uses network data to expose activity adversaries can’t conceal.

Technologies like network detection and response (NDR) are being adopted to provide visibility that complements EDR by exposing behaviors that are more likely to be missed by endpoint-based solutions. Unlike EDR, NDR operates without agent deployment, so it effectively identifies threats that use common techniques and legitimate tools maliciously. The bottom line is evasive techniques that work against edge devices and EDR are less likely to succeed when NDR is also on the lookout.

Layering up: The faster threat detection strategy

Much like layering for unpredictable weather, elite SOCs boost resilience through a multi-layered detection strategy centered on network insights. By consolidating detections into a single system, NDR streamlines management and empowers teams to focus on high-priority risks and use cases.

Teams can adapt quickly to evolving attack conditions, detect threats faster, and minimize damage. Now, let’s gear up and take a closer look at the layers that make up this dynamic stack:

THE BASE LAYER

Lightweight and quick to apply, these easily catch known threats to form the basis for defense:

• Signature-based network detection serves as the first layer of protection due to its lightweight nature and quick response times. Industry-leading signatures, such as those from Proofpoint ET Pro running on Suricata engines, can rapidly identify known threats and attack patterns.
• Threat intelligence, often composed of indicators of compromise (IOCs), looks for known network entities (e.g., IP addresses, domain names, hashes) observed in actual attacks. As with signatures, IOCs are easy to share, light-weight, and quick to deploy, offering quicker detection.

THE MALWARE LAYER

Think of malware detection as a waterproof barrier, protecting against “drops” of malware payloads by identifying malware families. Detections such as YARA rules — a standard for static file analysis in the malware analysis community — can identify malware families sharing common code structures. It’s crucial for detecting polymorphic malware that alters its signature while retaining core behavioral characteristics.

THE ADAPTIVE LAYER

Built to weather evolving conditions, the most sophisticated layers use behavioral detection and machine learning algorithms that identify known, unknown, and evasive threats:

• Behavioral detection identifies dangerous activities like domain generation algorithms (DGAs), command and control communications, and unusual data exfiltration patterns. It remains effective even when attackers change their IOCs (or even components of the attack), since the underlying behaviors don’t change, enabling quicker detection of unknown threats.
• ML models, both supervised and unsupervised, can detect both known attack patterns and anomalous behaviors that might indicate novel threats. They can target attacks that span greater lengths of time and complexity than behavioral detections.
• Anomaly detection uses unsupervised machine learning to spot deviations from baseline network behavior. This alerts SOCs to anomalies like unexpected services, unusual client software, suspicious logins, and malicious management traffic. It helps organizations uncover threats hiding in normal network activity and minimize attacker dwell time.

THE QUERY LAYER

Finally, in some situations, there is simply no faster way to generate an alert than to query the existing network data. Search-based detection — log search queries that generate alerts and detections — functions like a snap-on layer that’s at the ready for short-term, rapid response.

Unifying threat detection layers with NDR

The true strength in multi-layered detections is how they work together. Top SOCs are deploying Network Detection and Response (NDR) to provide a unified view of threats across the network. NDR correlates detections from multiple engines to deliver a complete threat view, centralized network visibility, and the context that powers real-time incident response.

Beyond layered detections, advanced NDR solutions can also offer several key advantages that enhance overall threat response capabilities:

• Detecting emerging attack vectors and novel techniques that haven’t yet been incorporated into traditional EDR signature-based detection systems.
• Reducing false positive rates by ~25%, according to a 2022 FireEye report
• Cutting incident response times with AI-driven triage and automated workflows
• Comprehensive coverage of MITRE ATT&CK network-based tools, techniques and procedures (TTPs)
• Leveraging shared intelligence and community-driven detections (open-source solutions)

The path forward for modern SOCs

The combination of increasingly sophisticated attacks, expanding attack surfaces, and added resource constraints requires a shift toward multi-layered detection strategies. In an environment where attacks succeed in seconds, the window for maintaining effective cybersecurity without an NDR solution is rapidly closing. Elite SOC teams get this and have already layered up. The question isn’t whether to implement multi-layered detection, it’s how quickly organizations can make this transition.

Corelight Network Detection and Response

Corelight’s integrated Open NDR Platform combines all seven of the network detection types mentioned above and is built on a foundation of open-source software like Zeek®, allowing you to tap into the power of community-driven detection intelligence. For more information: Corelight.

Jul 02, 2025Ravie LakshmananCybercrime / Dark Web

The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has levied sanctions against Russia-based bulletproof hosting (BPH) service provider Aeza Group to assist threat actors in their malicious activities and targeting victims in the country and across the world.

The sanctions also extend to its subsidiaries Aeza International Ltd., the U.K. branch of Aeza Group, as well as Aeza Logistic LLC, Cloud Solutions LLC, and four individuals linked to the company –

• Arsenii Aleksandrovich Penzev, CEO and 33% owner of Aeza Group
• Yurii Meruzhanovich Bozoyan, general director and 33% owner of Aeza Group
• Vladimir Vyacheslavovich Gast, technical director who works closely with Penzev and Bozoyan
• Igor Anatolyevich Knyazev, 33% owner of Aeza Group who manages the operations in the absence of Penzev and Bozoyan

It’s worth noting that Penzev was arrested in early April 2025 on charges of leading a criminal organization and enabling large-scale drug trafficking by hosting BlackSprut, an illicit drugs marketplace on the dark web. Bozoyan and two other Aeza employees, Maxim Orel and Tatyana Zubova, were also detained.

“Cybercriminals continue to rely heavily on BPH service providers like Aeza Group to facilitate disruptive ransomware attacks, steal U.S. technology, and sell black-market drugs,” said Acting Under Secretary of the Treasury for Terrorism and Financial Intelligence Bradley T. Smith.

“Treasury, in close coordination with the U.K. and our other international partners, remains resolved to expose the critical nodes, infrastructure, and individuals that underpin this criminal ecosystem.”

BPH services have been godsend for threat actors as they are known to deliberately ignore abuse reports and law enforcement takedown requests, often operating in countries with weak enforcement or intentionally vague legal standards. This makes them a resilient option for attackers to host their malicious infrastructure, including phishing sites, command-and-control (C2) servers, without disruption or consequences.

Headquartered in St. Petersburg, Aeza Group is accused of leasing its services to various ransomware and information stealer families, such as BianLian, RedLine, Meduza, and Lumma, some of which have been used to target U.S. defense industrial base and technology companies and other victims worldwide.

What’s more, a report published by Correctiv and Qurium last July detailed the use of Aeza’s infrastructure by the pro-Russian influence operation dubbed Doppelganger. Another threat actor that has availed the services of Aeza is Void Rabisu, the Russia-aligned threat actor behind RomCom RAT.

The development comes nearly five months after the Treasury sanctioned another Russia-based BPH service provider named Zservers for facilitating ransomware attacks, such as those orchestrated by the LockBit group.

Last week, Qurium also linked a Russian web hosting and proxy provider named Biterika to distributed denial-of-service (DDoS) attacks against two Russian independent media outlets IStories and Verstka.

These sanctions form part of a broader effort to dismantle the ransomware supply chain by targeting critical enablers like malicious hosting, command-and-control servers, and dark web infrastructure. As threat actors shift tactics, monitoring sanctioned entities, IP reputation scores, and abuse-resilient networks is becoming central to modern threat intelligence operations.

Jul 02, 2025Ravie LakshmananAI Security / Phishing

Unknown threat actors have been observed weaponizing v0, a generative artificial intelligence (AI) tool from Vercel, to design fake sign-in pages that impersonate their legitimate counterparts.

“This observation signals a new evolution in the weaponization of Generative AI by threat actors who have demonstrated an ability to generate a functional phishing site from simple text prompts,” Okta Threat Intelligence researchers Houssem Eddine Bordjiba and Paula De la Hoz said.

v0 is an AI-powered offering from Vercel that allows users to create basic landing pages and full-stack apps using natural language prompts.

The identity services provider said it has observed scammers using the technology to develop convincing replicas of login pages associated with multiple brands, including an unnamed customer of its own. Following responsible disclosure, Vercel has blocked access to these phishing sites.

The threat actors behind the campaign have also been found to host other resources such as the impersonated company logos on Vercel’s infrastructure, likely in an effort to abuse the trust associated with the developer platform and evade detection.

Unlike traditional phishing kits that require some amount of effort to set, tools like v0 — and its open-source clones on GitHub — allows attackers spin up fake pages just by typing a prompt. It’s faster, easier, and doesn’t require coding skills. This makes it simple for even low-skilled threat actors to build convincing phishing sites at scale.

“The observed activity confirms that today’s threat actors are actively experimenting with and weaponizing leading GenAI tools to streamline and enhance their phishing capabilities,” the researchers said.

“The use of a platform like Vercel’s v0.dev allows emerging threat actors to rapidly produce high-quality, deceptive phishing pages, increasing the speed and scale of their operations.”

The development comes as bad actors continue to leverage large language models (LLMs) to aid in their criminal activities, building uncensored versions of these models that are explicitly designed for illicit purposes. One such LLM that has gained popularity in the cybercrime landscape is WhiteRabbitNeo, which advertises itself as an “Uncensored AI model for (Dev) SecOps teams.”

“Cybercriminals are increasingly gravitating towards uncensored LLMs, cybercriminal-designed LLMs, and jailbreaking legitimate LLMs,” Cisco Talos researcher Jaeson Schultz said.

“Uncensored LLMs are unaligned models that operate without the constraints of guardrails. These systems happily generate sensitive, controversial, or potentially harmful output in response to user prompts. As a result, uncensored LLMs are perfectly suited for cybercriminal usage.”

This fits a bigger shift we’re seeing: Phishing is being powered by AI in more ways than before. Fake emails, cloned voices, even deepfake videos are showing up in social engineering attacks. These tools help attackers scale up fast, turning small scams into large, automated campaigns. It’s no longer just about tricking users—it’s about building whole systems of deception.

Cybersecurity researchers have discovered a critical security vulnerability in artificial intelligence (AI) company Anthropic’s Model Context Protocol (MCP) Inspector project that could result in remote code execution (RCE) and allow an attacker to gain complete access to the hosts.

The vulnerability, tracked as CVE-2025-49596, carries a CVSS score of 9.4 out of a maximum of 10.0.

“This is one of the first critical RCEs in Anthropic’s MCP ecosystem, exposing a new class of browser-based attacks against AI developer tools,” Oligo Security’s Avi Lumelsky said in a report published last week.

“With code execution on a developer’s machine, attackers can steal data, install backdoors, and move laterally across networks – highlighting serious risks for AI teams, open-source projects, and enterprise adopters relying on MCP.”

MCP, introduced by Anthropic in November 2024, is an open protocol that standardizes the way large language model (LLM) applications integrate and share data with external data sources and tools.

The MCP Inspector is a developer tool for testing and debugging MCP servers, which expose specific capabilities through the protocol and allow an AI system to access and interact with information beyond its training data.

It contains two components, a client that provides an interactive interface for testing and debugging, and a proxy server that bridges the web UI to different MCP servers.

That said, a key security consideration to keep in mind is that the server should not be exposed to any untrusted network as it has permission to spawn local processes and can connect to any specified MCP server.

This aspect, coupled with the fact that the default settings developers use to spin up a local version of the tool come with “significant” security risks, such as missing authentication and encryption, opens up a new attack pathway, per Oligo.

“This misconfiguration creates a significant attack surface, as anyone with access to the local network or public internet can potentially interact with and exploit these servers,” Lumelsky said.

The attack plays out by chaining a known security flaw affecting modern web browsers, dubbed 0.0.0.0 Day, with a cross-site request forgery (CSRF) vulnerability in Inspector (CVE-2025-49596) to run arbitrary code on the host simply upon visiting a malicious website.

“Versions of MCP Inspector below 0.14.1 are vulnerable to remote code execution due to lack of authentication between the Inspector client and proxy, allowing unauthenticated requests to launch MCP commands over stdio,” the developers of MCP Inspector said in an advisory for CVE-2025-49596.

0.0.0.0 Day is a 19-year-old vulnerability in modern web browsers that could enable malicious websites to breach local networks. It takes advantage of the browsers’ inability to securely handle the IP address 0.0.0.0, leading to code execution.

“Attackers can exploit this flaw by crafting a malicious website that sends requests to localhost services running on an MCP server, thereby gaining the ability to execute arbitrary commands on a developer’s machine,” Lumelsky explained.

“The fact that the default configurations expose MCP servers to these kinds of attacks means that many developers may be inadvertently opening a backdoor to their machine.”

Specifically, the proof-of-concept (PoC) makes use of the Server-Sent Events (SSE) endpoint to dispatch a malicious request from an attacker-controlled website to achieve RCE on the machine running the tool even if it’s listening on localhost (127.0.0.1).

This works because the IP address 0.0.0.0 tells the operating system to listen on all IP addresses assigned to the machine, including the local loopback interface (i.e., localhost).

In a hypothetical attack scenario, an attacker could set up a fake web page and trick a developer into visiting it, at which point, the malicious JavaScript embedded in the page would send a request to 0.0.0.0:6277 (the default port on which the proxy runs), instructing the MCP Inspector proxy server to execute arbitrary commands.

The attack can also leverage DNS rebinding techniques to create a forged DNS record that points to 0.0.0.0:6277 or 127.0.0.1:6277 in order to bypass security controls and gain RCE privileges.

Following responsible disclosure in April 2025, the vulnerability was addressed by the project maintainers on June 13 with the release of version 0.14.1. The fixes add a session token to the proxy server and incorporate origin validation to completely plug the attack vector.

“Localhost services may appear safe but are often exposed to the public internet due to network routing capabilities in browsers and MCP clients,” Oligo said.

“The mitigation adds Authorization which was missing in the default prior to the fix, as well as verifying the Host and Origin headers in HTTP, making sure the client is really visiting from a known, trusted domain. Now, by default, the server blocks DNS rebinding and CSRF attacks.”

Cybersecurity researchers have flagged the tactical similarities between the threat actors behind the RomCom RAT and a cluster that has been observed delivering a loader dubbed TransferLoader.

Enterprise security firm Proofpoint is tracking the activity associated with TransferLoader to a group dubbed UNK_GreenSec and the RomCom RAT actors under the moniker TA829. The latter is also known by the names CIGAR, Nebulous Mantis, Storm-0978, Tropical Scorpius, UAC-0180, UAT-5647, UNC2596, and Void Rabisu.

The company said it discovered UNK_GreenSec as part of its investigation into TA829, describing it as using an “unusual amount of similar infrastructure, delivery tactics, landing pages, and email lure themes.”

TA829 is something of an unusual hacking group in the threat landscape given its ability to conduct both espionage as well as financially motivated attacks. The Russia-aligned hybrid group has also been linked to the zero-day exploitation of security flaws in Mozilla Firefox and Microsoft Windows to deliver RomCom RAT in attacks aimed at global targets.

Earlier this year, PRODAFT detailed the threat actors’ use of bulletproof hosting providers, living-off-the-land (LOTL) tactics, and encrypted command-and-control (C2) communications to sidestep detection.

TransferLoader, on the other hand, was first documented by Zscaler ThreatLabz in connection with a February 2025 campaign that delivered the Morpheus ransomware against an unnamed American law firm.

Proofpoint noted that campaigns undertaken by both TA829 and UNK_GreenSec rely on REM Proxy services that are deployed on compromised MikroTik routers for their upstream infrastructure. That said, the exact method used to breach these devices is not known.

“REM Proxy devices are likely rented to users to relay traffic,” the Proofpoint threat research team said. “In observed campaigns, both TA829 and UNK_GreenSec use the service to relay traffic to new accounts at freemail providers to then send to targets. REM Proxy services have also been used by TA829 to initiate similar campaigns via compromised email accounts.”

Given that the format of the sender addresses are similar — e.g., ximajazehox333@gmail.com and hannahsilva1978@ukr.net — it’s believed that the threat actors are likely using some sort of an email builder utility that facilitates the en masse creation and sending of phishing emails via REM Proxy nodes.

The messages act as a conduit to deliver a link, which is either directly embedded in the body or within a PDF attachment. Clicking on the link initiates a series of redirections via Rebrandly that ultimately take the victim to a fake Google Drive or Microsoft OneDrive page, while filtering out machines that have been flagged as sandboxes or deemed not of interest to the attackers.

It’s at this stage that the attack chains splinter into two, as the adversary infrastructure to which the targets are redirected is different, ultimately paving the way for TransferLoader in the case of UNK_GreenSec and a malware strain called SlipScreen in the case of TA829.

“TA829 and UNK_GreenSec have both deployed Putty’s PLINK utility to set up SSH tunnels, and both used IPFS services to host those utilities in follow-on activity,” Proofpoint noted.

SlipScreen is a first-stage loader that’s designed to decrypt and load shellcode directly into memory and initiate communications with a remote server, but only after a Windows Registry check to ensure the targeted computer has at least 55 recent documents based on the “HKCUSOFTWAREMicrosoftWindowsCurrentVersionExplorerRecentDocs” key.

The infection sequence is then used to deploy a downloader named MeltingClaw (aka DAMASCENED PEACOCK) or RustyClaw, which is then used to drop backdoors like ShadyHammock or DustyHammock, with the former being used to launch SingleCamper (aka SnipBot), an updated version of RomCom RAT.

DustyHammock, besides running reconnaissance commands on an infected system, comes fitted with the ability to download additional payloads hosted on the InterPlanetary File System (IPFS) network.

Campaigns propagating TransferLoader have been found to leverage job opportunity-themed messages to trick victims into clicking on a link that ostensibly leads to a PDF resume, but, in reality, results in the download of TransferLoader from an IPFS webshare.

TransferLoader’s primary objective is to fly under the radar and serve more malware, such as Metasploit and Morpheus ransomware, a rebranded version of HellCat ransomware.

“Unlike the TA829 campaigns, the TransferLoader campaigns’ JavaScript components redirected users to a different PHP endpoint on the same server, which allows the operator to conduct further server-side filtering,” Proofpoint said. “UNK_GreenSec used a dynamic landing page, often irrelevant to the OneDrive spoof, and redirected users to the final payload that was stored on an IPFS webshare.”

The overlapping tradecraft between TA829 and UNK_GreenSec raises one of the four possibilities –

• The threat actors are procuring distribution and infrastructure from the same third-party provider
• TA829 acquires and distributes infrastructure on its own, and has provided these services to UNK_GreenSec
• UNK_GreenSec is the infrastructure provider that typically offers its warez to TA829, but decided to temporarily use it to deliver its own malware, TransferLoader
• TA829 and UNK_GreenSec are one and the same, and TransferLoader is a new addition to their malware arsenal

“In the current threat landscape, the points at which cybercrime and espionage activity overlap continue to increase, removing the distinctive barriers that separate criminal and state actors,” Proofpoint said. “Campaigns, indicators, and threat actor behaviors have converged, making attribution and clustering within the ecosystem more challenging.”

“While there is not sufficient evidence to substantiate the exact nature of the relationship between TA829 and UNK_GreenSec, there is very likely a link between the groups.”

Jul 01, 2025Ravie LakshmananDeveloper Security / Software Development

A new study of integrated development environments (IDEs) like Microsoft Visual Studio Code, Visual Studio, IntelliJ IDEA, and Cursor has revealed weaknesses in how they handle the extension verification process, ultimately enabling attackers to execute malicious code on developer machines.

“We discovered that flawed verification checks in Visual Studio Code allow publishers to add functionality to extensions while maintaining the verified icon,” OX Security researchers Nir Zadok and Moshe Siman Tov Bustan said in a report shared with The Hacker News. “This results in the potential for malicious extensions to appear verified and approved, creating a false sense of trust.”

Specifically, the analysis found that Visual Studio Code sends an HTTP POST request to the domain “marketplace.visualstudio[.]com” to determine if an extension is verified or otherwise.

The exploitation method essentially involves creating a malicious extension with the same verifiable values as an already verified extension, such as that of Microsoft, and bypassing trust checks.

As a result, it allows rogue extensions to appear verified to unsuspecting developers, while also containing code capable of executing operating system commands.

From a security standpoint, this is a classic case of extension sideloading abuse, where bad actors distribute plugins outside the official marketplace. Without proper code signing enforcement or trusted publisher verification, even legitimate-looking extensions can hide dangerous scripts.

For attackers, this opens up a low-barrier entry point to achieve remote code execution—a risk that’s especially serious in development environments where sensitive credentials and source code are often accessible.

In a proof-of-concept (PoC) demonstrated by the cybersecurity company, the extension was configured to open the Calculator app on a Windows machine, thereby highlighting its ability to execute commands on the underlying host.

By identifying the values used in verification requests and modifying them, it was found that it’s possible to create a VSIX package file such that it causes the malicious extension to appear legitimate.

OX Security said it was able to reproduce the flaw across other IDEs like IntelliJ IDEA and Cursor by modifying the values used for verification without making them lose their verified status.

In response to responsible disclosures, Microsoft said the behavior is by design and that the changes will prevent the VSIX extension from being published to the Marketplace owing to extension signature verification that’s enabled by default across all platforms.

However, the cybersecurity company found the flaw to be exploitable as recently as June 29, 2025. The Hacker News has reached out to Microsoft for comment, and we will update the story if we hear back.

The findings once again show that relying solely on the verified symbol of extensions can be risky, as attackers can trick developers into running malicious code without their knowledge. To mitigate such risks, it’s advised to install extensions directly from official marketplaces as opposed to using VSIX extension files shared online.

“The ability to inject malicious code into extensions, package them as VSIX/ZIP files, and install them while maintaining the verified symbols across multiple major development platforms poses a serious risk,” the researchers said. “This vulnerability particularly impacts developers who install extensions from online resources such as GitHub.”

U.S. cybersecurity and intelligence agencies have issued a joint advisory warning of potential cyber attacks from Iranian state-sponsored or affiliated threat actors.

“Over the past several months, there has been increasing activity from hacktivists and Iranian government-affiliated actors, which is expected to escalate due to recent events,” the agencies said.

“These cyber actors often exploit targets of opportunity based on the use of unpatched or outdated software with known Common Vulnerabilities and Exposures or the use of default or common passwords on internet-connected accounts and devices.”

There is currently no evidence of a coordinated campaign of malicious cyber activity in the U.S. that can be attributed to Iran, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Department of Defense Cyber Crime Center (DC3), and the National Security Agency (NSA) noted.

Emphasizing the need for “increased vigilance,” the agencies singled out Defense Industrial Base (DIB) companies, specifically those with ties to Israeli research and defense firms, as being at an elevated risk. U.S. and Israeli entities may also be exposed to distributed denial-of-service (DDoS) attacks and ransomware campaigns, they added.

Attackers often start with reconnaissance tools like Shodan to find vulnerable internet-facing devices, especially in industrial control system (ICS) environments. Once inside, they can exploit weak segmentation or misconfigured firewalls to move laterally across networks. Iranian groups have previously used remote access tools (RATs), keyloggers, and even legitimate admin utilities like PsExec or Mimikatz to escalate access—all while evading basic endpoint defenses.

Based on prior campaigns, attacks mounted by Iranian threat actors leverage techniques like automated password guessing, password hash cracking, and default manufacturer passwords to gain access to internet-exposed devices. They have also been found to employ system engineering and diagnostic tools to breach operational technology (OT) networks.

The development comes days after the Department of Homeland Security (DHS) released a bulletin, urging U.S. organizations to be on the lookout for possible “low-level cyber attacks” by pro-Iranian hacktivists amid the ongoing geopolitical tensions between Iran and Israel.

Last week, Check Point revealed that the Iranian nation-state hacking group tracked as APT35 targeted journalists, high-profile cyber security experts, and computer science professors in Israel as part of a spear-phishing campaign designed to capture their Google account credentials using bogus Gmail login pages or Google Meet invitations.

As mitigations, organizations are advised to follow the below steps –

• Identify and disconnect OT and ICS assets from the public internet
• Ensure devices and accounts are protected with strong, unique passwords, replace weak or default passwords, and enforce multi-factor authentication (MFA)
• Implement phishing-resistant MFA for accessing OT networks from any other network
• Ensure systems are running the latest software patches to protect against known security vulnerabilities
• Monitor user access logs for remote access to the OT network
• Establish OT processes that prevent unauthorized changes, loss of view, or loss of control
• Adopt full system and data backups to facilitate recovery

“Despite a declared ceasefire and ongoing negotiations towards a permanent solution, Iranian-affiliated cyber actors and hacktivist groups may still conduct malicious cyber activity,” the agencies said.

Update

In a new report, Censys said it uncovered 43,167 internet-exposed devices from Tridium Niagara, 2,639 from Red Lion, 1,697 from Unitronics, and 123 from Orpak SiteOmat as of June 2025. A majority of the increased exposures associated with Tridium Niagara appear to be in Germany, Sweden, and Japan.

It also noted that default passwords continue to provide an easy pathway for threat actors to access critical systems, urging manufacturers to avoid shipping devices or software with default credentials, and instead require strong, unique passwords as well as offer ways to prevent exposing their systems directly to the internet.

“Apart from Unitronics, which is most commonly observed in Australia, the highest numbers of these devices are observed in the U.S.,” the company said. “Though Tridium Niagara boasts the highest exposure numbers, it’s building automation software. Depending on a threat actor’s objective, these systems, though plentiful, may not be the most valuable targets.”

SOCRadar said the Iran-Israel conflict of 2025 has led to a spike in cyber activity, with more than 600 cyber attack claims reported across more than 100 Telegram channels between June 12 and 27, 2025. Israel emerged as the most targeted country with 441 attack claims, followed by the U.S. (69), India (34), and Middle Eastern nations like Jordan (33) and Saudi Arabia (13).

The top hacktivist groups during the time period included Mr Hamza, Keymous, Mysterious Team, Team Fearless, GARUDA_ERROR_SYSTEM, Dark Storm Team, Arabian Ghosts, Cyber Fattah, CYBER U.N.I.T.Y, and NoName057(16). Governments, defense, telecom, financial services, and technology sectors were among the most targeted industries.

“Since the war began, state-sponsored hackers, hacktivists from both countries, and cyber actors from non-participant nations ranging from South Asia to Russia to across the Middle East have become active,” the threat intelligence firm said. “Israel was the main target of DDoS attacks, with 357 claims, making up 74% of all DDoS activity.”

Jul 01, 2025Ravie LakshmananVulnerability / Browser Security

Google has released security updates to address a vulnerability in its Chrome browser for which an exploit exists in the wild.

The zero-day vulnerability, tracked as CVE-2025-6554 (CVSS score: N/A), has been described as a type confusing flaw in the V8 JavaScript and WebAssembly engine.

“Type confusion in V8 in Google Chrome prior to 138.0.7204.96 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page,” according to a description of the bug on the NIST’s National Vulnerability Database (NVD).

Type confusion vulnerabilities can have severe consequences as they can be exploited to trigger unexpected software behavior, resulting in the execution of arbitrary code and program crashes.

Zero-day bugs like this are especially risky because attackers often start using them before a fix is available. In real-world attacks, these flaws can let hackers install spyware, launch drive-by downloads, or quietly run harmful code — sometimes just by getting someone to open a malicious website.

Clément Lecigne of Google’s Threat Analysis Group (TAG) has been credited with discovering and reporting the flaw on June 25, 2025, signaling that it may have been weaponized in highly targeted attacks — possibly involving nation-state actors or surveillance operations. TAG typically detects and investigates serious threats like government-backed attacks.

The tech giant also noted that the issue was mitigated the next day by means of a configuration change that was pushed out to the Stable channel across all platforms. For everyday users, that means the threat may not be widespread yet, but it’s still urgent to patch — especially if you’re in roles handling sensitive or high-value data.

Google has not released any additional details about the vulnerability and who may have exploited it, but acknowledged that “an exploit for CVE-2025-6554 exists in the wild.”

CVE-2025-6554 is the fourth zero-day vulnerability in Chrome to be addressed by Google since the start of the year after CVE-2025-2783, CVE-2025-4664, and CVE-2025-5419. However, it bears noting that there is no clarity on whether CVE-2025-4664 has been abused in a malicious context.

To safeguard against potential threats, it’s advised to update their Chrome browser to versions 138.0.7204.96/.97 for Windows, 138.0.7204.92/.93 for macOS, and 138.0.7204.96 for Linux.

If you’re unsure whether your browser is up to date, go to Settings > Help > About Google Chrome — it should trigger the latest update automatically. For businesses and IT teams managing multiple endpoints, enabling automatic patch management and monitoring browser version compliance is critical.

Users of other Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.

Despite years of investment in Zero Trust, SSE, and endpoint protection, many enterprises are still leaving one critical layer exposed: the browser.

It’s where 85% of modern work now happens. It’s also where copy/paste actions, unsanctioned GenAI usage, rogue extensions, and personal devices create a risk surface that most security stacks weren’t designed to handle. For security leaders who know this blind spot exists but lack a roadmap to fix it, a new framework may help.

The Secure Enterprise Browser Maturity Guide: Safeguarding the Last Mile of Enterprise Risk, authored by cybersecurity researcher Francis Odum, offers a pragmatic model to help CISOs and security teams assess, prioritize, and operationalize browser-layer security. It introduces a clear progression from basic visibility to real-time enforcement and ecosystem integration, built around real-world threats, organizational realities, and evolving user behavior.

Why the Browser Has Become the Security Blind Spot

Over the past three years, the browser has quietly evolved into the new endpoint of the enterprise. Cloud-first architectures, hybrid work, and the explosive growth of SaaS apps have made it the primary interface between users and data.

• 85% of the workday now happens inside the browser
• 90% of companies allow access to corporate apps from BYOD devices
• 95% report experiencing browser-based cyber incidents
• 98% have seen BYOD policy violations

And while most security programs have hardened identity layers, firewalls, and email defenses, the browser remains largely ungoverned. It’s where sensitive data is copied, uploaded, pasted, and sometimes leaked, with little or no monitoring.

Traditional Tools Weren’t Built for This Layer

The guide breaks down why existing controls struggle to close the gap:

• DLP scans files and email, but misses in-browser copy/paste and form inputs.
• CASB protects sanctioned apps, but not unsanctioned GenAI tools or personal cloud drives.
• SWGs block known bad domains, but not dynamic, legitimate sites running malicious scripts.
• EDR watches the OS, not the browser’s DOM.

This reflects what is described as the “last mile” of enterprise IT, the final stretch of the data path where users interact with content and attackers exploit the seams.

GenAI Changed the Game

A core theme of the guide is how browser-based GenAI usage has exposed a new class of invisible risk. Users routinely paste proprietary code, business plans, and customer records into LLMs with no audit trail.

• 65% of enterprises admit they have no control over what data goes into GenAI tools
• Prompts are effectively unsanctioned API calls
• Traditional DLP, CASB, and EDR tools offer no insight into these flows

The browser is often the only enforcement point that sees the prompt before it leaves the user’s screen.

The Secure Enterprise Browser Maturity Model

To move from reactive response to structured control, the guide introduces a three-stage maturity model for browser-layer security:

Stage 1: Visibility

“You can’t protect what you can’t see.”

Organizations at this stage begin by illuminating browser usage across devices, especially unmanaged ones.

• Inventory browsers and versions across endpoints
• Capture telemetry: uploads, downloads, extension installs, session times
• Detect anomalies (e.g., off-hours SharePoint access, unusual copy/paste behavior)
• Identify shadow SaaS and GenAI usage without blocking it yet

Quick wins here include audit-mode browser extensions, logging from SWGs, and flagging outdated or unmanaged browsers.

Stage 2: Control & Enforcement

Once visibility is in place, teams begin actively managing risk within the browser:

• Enforce identity-bound sessions (e.g., block personal Gmail login from corp session)
• Control uploads/downloads to/from sanctioned apps
• Block or restrict unvetted browser extensions
• Inspect browser copy/paste actions using DLP classifiers
• Display just-in-time warnings (e.g., “You’re about to paste PII into ChatGPT”)

This stage is about precision: applying the right policies in real-time, without breaking user workflows.

Stage 3: Integration & Usability

At full maturity, browser-layer telemetry becomes part of the larger security ecosystem:

• Events stream into SIEM/XDR alongside network and endpoint data
• Risk scores influence IAM and ZTNA decisions
• Browser posture is integrated with DLP classifications and compliance workflows
• Dual browsing modes (work vs. personal) preserve privacy while enforcing policy
• Controls extend to contractors, third parties, and BYOD—at scale

In this phase, security becomes invisible but impactful, reducing friction for users and mean-time-to-response for the SOC.

A Strategic Roadmap, Not Just a Diagnosis

The guide doesn’t just diagnose the problem, it helps security leaders build an actionable plan:

• Use the browser security checklist to benchmark current maturity
• Identify fast, low-friction wins in Stage 1 (e.g., telemetry, extension audits)
• Define a control policy roadmap (start with GenAI usage and risky extensions)
• Align telemetry and risk scoring with existing detection and response pipelines
• Educate users with inline guidance instead of blanket blocks

It also includes practical insights on governance, change management, and rollout sequencing for global teams.

Why This Guide Matters

What makes this model especially timely is that it doesn’t call for a rip-and-replace of existing tools. Instead, it complements Zero Trust and SSE strategies by closing the final gap where humans interact with data.

Security architecture has evolved to protect where data lives. But to protect where data moves, copy, paste, prompt, upload, we need to rethink the last mile.

The Secure Enterprise Browser Maturity Guide is available now for security leaders ready to take structured, actionable steps to protect their most overlooked layer. Download the full guide and benchmark your browser-layer maturity.

Cybersecurity researchers have detailed a new campaign dubbed OneClik that leverages Microsoft’s ClickOnce software deployment technology and bespoke Golang backdoors to compromise organizations within the energy, oil, and gas sectors.

“The campaign exhibits characteristics aligned with Chinese-affiliated threat actors, though attribution remains cautious,” Trellix researchers Nico Paulo Yturriaga and Pham Duy Phuc said in a technical write-up.

“Its methods reflect a broader shift toward ‘living-off-the-land’ tactics, blending malicious operations within cloud and enterprise tooling to evade traditional detection mechanisms.”

The phishing attacks, in a nutshell, make use of a .NET-based loader called OneClikNet to deploy a sophisticated Go-based backdoor codenamed RunnerBeacon that’s designed to communicate with attacker-controlled infrastructure that’s obscured using Amazon Web Services (AWS) cloud services.

ClickOnce is offered by Microsoft as a way to install and update Windows-based applications with minimal user interaction. It was introduced in .NET Framework 2.0. However, the technology can be an attractive means for threat actors looking to execute their malicious payloads without raising any red flags.

As noted in the MITRE ATT&CK framework, ClickOnce applications can be used to run malicious code through a trusted Windows binary, “dfsvc.exe,” that’s responsible for installing, launching, and updating the apps. The apps are launched as a child process of “dfsvc.exe.”

“Because ClickOnce applications receive only limited permissions, they do not require administrative permissions to install,” MITRE explains. “As such, adversaries may abuse ClickOnce to proxy execution of malicious code without needing to escalate privileges.”

Trellix said the attack chains begin with phishing emails containing a link to a fake hardware analysis website that serves as a conduit for delivering a ClickOnce application, which, in turn, runs an executable using dfsvc.exe.

The binary is a ClickOnce loader that’s launched by injecting the malicious code via another technique known as AppDomainManager injection, ultimately resulting in the execution of an encrypted shellcode in memory to load the RunnerBeacon backdoor.

The Golang implant can communicate with a command-and-control (C2) server over HTTP(s), WebSockets, raw TCP, and SMB named pipes, allowing it to perform file operations, enumerate and terminate running processes, execute shell commands, escalate privileges using token theft and impersonation, and achieve lateral movement.

Additionally, the backdoor incorporates anti-analysis features to evade detection, and supports network operations like port scanning, port forwarding, and SOCKS5 protocol to facilitate proxy and routing features.

“RunnerBeacon’s design closely parallels known Go-based Cobalt Strike beacons (e.g. the Geacon/Geacon plus/Geacon Pro family),” the researchers said.

“Like Geacon, the set of commands (shell, process enumeration, file I/O, proxying, etc.) and use of cross-protocol C2 are very similar. These structural and functional similarities suggest RunnerBeacon may be an evolved fork or a privately modified variant of Geacon, tailored for stealthier, and cloud-friendly operations.”

Three different variants of OneClick have been observed in March 2025 alone: v1a, BPI-MDM, and v1d, with each iteration demonstrating progressively improved capabilities to fly under the radar. That said, a variant of RunnerBeacon was identified in September 2023 at a company in the Middle East in the oil and gas sector.

Although techniques like AppDomainManager injection have been used by China– and North Korea-linked threat actors in the past, the activity has not been formally attributed to any known threat actor or group. Trellix told The Hacker News that it did not have any more details to share on the scale of these attacks and the regions that have been targeted.

The development comes as QiAnXin detailed a campaign mounted by a threat actor it tracks as APT-Q-14 that has also employed ClickOnce apps to propagate malware by exploiting a zero-day cross-site scripting (XSS) flaw in the web version of an unnamed email platform. The vulnerability, it said, has since been patched.

The XSS flaw is automatically triggered when a victim opens a phishing email, causing the download of the ClickOne app. “The body of the phishing email comes from Yahoo News, which coincides with the victim industry,” QiAnXin noted.

The intrusion sequence serves a mailbox instruction manual as a decoy, while a malicious trojan is stealthily installed on the Windows host to collect and exfiltrate system information to a C2 server and receive unknown next-stage payloads.

The Chinese cybersecurity company said APT-Q-14 also focuses on zero-day vulnerabilities in email software for the Android platform.

APT-Q-14 has been described by QiAnXin as originating from Northeast Asia and having overlaps with other clusters dubbed APT-Q-12 (aka Pseudo Hunter) and APT-Q-15, which are assessed to be sub-groups within a South Korea-aligned threat group known as DarkHotel (aka APT-C-06).

Earlier this week, Beijing-based 360 Threat Intelligence Center disclosed DarkHotel’s use of the Bring Your Own Vulnerable Driver (BYOVD) technique to terminate Microsoft Defender Antivirus and deploy malware as part of a phishing attack that delivered fake MSI installation packages in February 2025.

The malware is engineered to establish communication with a remote server to download, decrypt, and execute unspecified shellcode.

“In general, the [hacking group’s] tactics have tended to be ‘simple’ in recent years: Different from the previous use of heavy-weight vulnerabilities, it has adopted flexible and novel delivery methods and attack techniques,” the company said. “In terms of attack targets, APT-C-06 still focuses on North Korean-related traders, and the number of targets attacked in the same period is greater.”