Author: Mark

  • Senator Wyden Urges FTC to Probe Microsoft for Ransomware-Linked Cybersecurity Negligence

    U.S. Senator Ron Wyden has called on the Federal Trade Commission (FTC) to probe Microsoft and hold it responsible for what he called “gross cybersecurity negligence” that enabled ransomware attacks on U.S. critical infrastructure, including against healthcare networks.

    “Without timely action, Microsoft’s culture of negligent cybersecurity, combined with its de facto monopolization of the enterprise operating system market, poses a serious national security threat and makes additional hacks inevitable,” Wyden wrote in a four-page letter to FTC Chairman Andrew Ferguson, likening Redmond to an “arsonist selling firefighting services to their victims.”

    The development comes after Wyden’s office obtained new information from healthcare system Ascension, which suffered a crippling ransomware attack last year, resulting in the theft of personal and medical information associated with nearly 5.6 million individuals.

    The ransomware attack, which also disrupted access to electronic health records, was attributed to a ransomware group known as Black Basta. According to the U.S. Department of Health and Human Services, the breach has been ranked as the third-largest healthcare-related incident over the past year.

    According to the senator’s office, the breach occurred when a contractor clicked on a malicious link after conducting a web search on Microsoft’s Bing search engine, causing their system to be infected with malware. Subsequently, the attackers leveraged “dangerously insecure default settings” on Microsoft software to obtain elevated access to the most sensitive parts of Ascension’s network.

    This involved the use of a technique called Kerberoasting that targets the Kerberos authentication protocol to extract encrypted service account credentials from Active Directory.

    Kerberoasting “exploits an insecure encryption technology from the 1980s known as ‘RC4’ that is still supported by Microsoft software in its default configuration,” Wyden’s office said, adding that it urged Microsoft to warn customers about the threat on July 29, 2024.

    RC4, short for Rivest Cipher 4, is a stream cipher that was first developed in 1987. Originally intended to be a trade secret, it was leaked in a public forum in 1994. As of 2015, the Internet Engineering Task Force (IETF) has prohibited the use of RC4 in TLS, citing a “variety of cryptographic weaknesses” that allow plaintext recovery.

    Eventually, Microsoft did publish an alert in October 2024 outlining the steps users can take to stay protected, in addition to stating its plans to deprecate support for RC4 as a future update to Windows 11 24H2 and Windows Server 2025 –

    The accounts most vulnerable to Kerberoasting are those with weak passwords and those that use weaker encryption algorithms, especially RC4. RC4 is more susceptible to the cyberattack because it uses no salt or iterated hash when converting a password to an encryption key, allowing the cyberthreat actor to guess more passwords quickly.

    However, other encryption algorithms are still vulnerable when weak passwords are used. While AD will not try to use RC4 by default, RC4 is currently enabled by default, meaning a cyberthreat actor can attempt to request tickets encrypted using RC4. RC4 will be deprecated, and we intend to disable it by default in a future update to Windows 11 24H2 and Windows Server 2025.

    Microsoft, which removed support for the Data Encryption Standard (DES) in Kerberos for Windows Server 2025 and Windows 11, version 24H2 earlier this February, said it has also introduced security improvements in Server 2025 that prevent the Kerberos Key Distribution Center (KDC) from issuing Ticket Granting Tickets using RC4 encryption, such as RC4-HMAC(NT).

    Some of Microsoft’s recommended mitigations to harden environments against Kerberoasting include –

    • Using Group Managed Service Accounts (gMSA) or Delegated Managed Service Accounts (dMSA) wherever possible
    • Securing service accounts by setting randomly generated, long passwords that are at least 14 characters long
    • Making sure all service accounts are configured to use AES (128 and 256 bit) for Kerberos service ticket encryption
    • Auditing user accounts with Service Principal Names (SPNs)
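    As an added defender-side example (not code from the article, from Microsoft, or from Wyden’s office), the Python below triages the two things these mitigations point at: Kerberos service-ticket requests (Windows Security event 4769) that were issued with RC4, which is the signal a Kerberoasting attempt leaves behind, and the msDS-SupportedEncryptionTypes bitmask on service accounts, which decides whether an account can still be handed RC4 tickets. The event records and account values are constructed for the example; the encryption-type codes and attribute bit flags are the standard Windows ones.

```python
"""Kerberoasting exposure triage (added example; sample data is constructed).

 1. rc4_ticket_requests / kerberoast_suspects: scan event 4769 records and
    flag a requester pulling RC4-encrypted service tickets for many SPNs.
 2. decode_supported_enc / account_allows_rc4: decode an account's
    msDS-SupportedEncryptionTypes value to check whether RC4 is still allowed.
"""
import re

# Kerberos encryption-type codes as they appear in the 4769 TicketEncryptionType field.
ENC_TYPES = {
    0x01: "DES-CBC-CRC",
    0x03: "DES-CBC-MD5",
    0x11: "AES128-CTS-HMAC-SHA1-96",
    0x12: "AES256-CTS-HMAC-SHA1-96",
    0x17: "RC4-HMAC",
    0x18: "RC4-HMAC-EXP",
}
RC4_CODES = {0x17, 0x18}

# Bit flags of the msDS-SupportedEncryptionTypes attribute.
SUPPORTED_ENC_FLAGS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}

# Constructed, flattened 4769 records (one per line) in key=value form.
SAMPLE_4769 = """\
EventID=4769 AccountName=jdoe@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 TicketOptions=0x40810000 ClientAddress=10.0.5.20
EventID=4769 AccountName=jdoe@CORP.LOCAL ServiceName=svc_web TicketEncryptionType=0x17 TicketOptions=0x40810000 ClientAddress=10.0.5.20
EventID=4769 AccountName=jdoe@CORP.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17 TicketOptions=0x40810000 ClientAddress=10.0.5.20
EventID=4769 AccountName=asmith@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x12 TicketOptions=0x40810000 ClientAddress=10.0.7.31
EventID=4769 AccountName=WS01$@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x12 TicketOptions=0x40810000 ClientAddress=10.0.7.32
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one flattened record into a dict; the hex encryption type becomes an int."""
    fields = dict(KV_RE.findall(line))
    fields["TicketEncryptionType"] = int(fields["TicketEncryptionType"], 16)
    return fields


def rc4_ticket_requests(log_text):
    """Return the 4769 events whose service ticket was encrypted with RC4.

    Tickets for machine accounts (names ending in $) and for krbtgt are
    skipped: the interesting case is a user requesting tickets for SPNs
    that belong to user accounts, whose passwords can be guessed offline.
    """
    hits = []
    for line in log_text.splitlines():
        if "EventID=4769" not in line:
            continue
        ev = parse_event(line)
        if ev["TicketEncryptionType"] not in RC4_CODES:
            continue
        if ev["ServiceName"].endswith("$") or ev["ServiceName"] == "krbtgt":
            continue
        hits.append(ev)
    return hits


def kerberoast_suspects(log_text, threshold=3):
    """Map requester -> number of distinct services requested with RC4.

    One client pulling RC4 tickets for many SPNs in a short burst is the
    classic Kerberoasting signature; the threshold is a tunable.
    """
    per_user = {}
    for ev in rc4_ticket_requests(log_text):
        per_user.setdefault(ev["AccountName"], set()).add(ev["ServiceName"])
    return {u: len(s) for u, s in per_user.items() if len(s) >= threshold}


def decode_supported_enc(value):
    """Decode msDS-SupportedEncryptionTypes into algorithm names.

    A value of 0 / not set means the attribute was never configured, and
    such accounts are still treated as RC4-capable by default.
    """
    if not value:
        return ["(not set: RC4 still allowed by default)"]
    return [name for bit, name in SUPPORTED_ENC_FLAGS.items() if value & bit]


def account_allows_rc4(value):
    """True when the account can still be issued RC4 tickets."""
    return not value or bool(value & 0x04)


if __name__ == "__main__":
    for user, n in kerberoast_suspects(SAMPLE_4769).items():
        print(f"possible Kerberoasting: {user} requested {n} RC4 service tickets")
    # Constructed attribute values: 0x1C = RC4+AES128+AES256, 0x18 = AES only, 0 = unset.
    for acct, v in {"svc_sql": 0x1C, "svc_web": 0x18, "svc_old": 0}.items():
        state = "RC4 allowed" if account_allows_rc4(v) else "AES only"
        print(acct, decode_supported_enc(v), state)
```

    The two halves complement each other: the 4769 scan shows whether anyone is harvesting RC4 tickets right now, and the attribute decode shows which SPN-bearing accounts still make that possible, which is the list to move to AES (or to gMSA/dMSA) first.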

    However, Wyden wrote that Microsoft’s software does not enforce a 14-character password length for privileged accounts, and that the company’s continued support for the insecure RC4 encryption technology “needlessly exposes” its customers to ransomware and other cyber threats by allowing attackers to crack the passwords of privileged accounts.

    The Hacker News has reached out to Microsoft for comment, and we will update the story if we hear back. This is not the first time the Windows maker has been blasted for its cybersecurity practices.

    In a report released last year, the U.S. Cyber Safety Review Board (CSRB) lambasted the company for a series of avoidable errors that could have prevented Chinese threat actors known as Storm-0558 from compromising the Microsoft Exchange Online mailboxes of 22 organizations and over 500 individuals around the world.

    “Ultimately, Microsoft’s abysmal cybersecurity track record has had no impact on its lucrative federal contracts thanks to its dominant market position and inaction by government agencies in the face of the company’s string of security failures,” Wyden’s office argued.

    “The letter underscores a long-standing tension in enterprise cybersecurity, the balance between legacy system support and secure-by-default design,” Ensar Seker, CISO at SOCRadar, said. “It’s about systemic risk inherited from default configurations and the architectural complexity of widely adopted software ecosystems like Microsoft’s. When a single vendor becomes foundational to national infrastructure, their security design decisions, or lack thereof, can have cascading consequences.”

    “Ultimately, this isn’t about blaming one company. It’s about recognizing that national security is now tightly coupled with the configuration defaults of dominant IT platforms. Enterprises and public sector agencies alike need to demand more secure-by-design defaults and be ready to adapt when they’re offered.”


    Source: thehackernews.com…

  • Google Pixel 10 Adds C2PA Support to Verify AI-Generated Media Authenticity

    Sep 11, 2025 | Ravie Lakshmanan | Artificial Intelligence / Mobile Security

    Google on Tuesday announced that its new Google Pixel 10 phones support the Coalition for Content Provenance and Authenticity (C2PA) standard out of the box to verify the origin and history of digital content.

    To that end, support for C2PA’s Content Credentials has been added to Pixel Camera and Google Photos apps for Android. The move, Google said, is designed to further digital media transparency.

    C2PA’s Content Credentials are a tamper-evident, cryptographically signed digital manifest providing verifiable provenance for digital content such as images, videos, or audio files. The metadata type, according to Adobe, serves as a “digital nutrition label,” giving information about the creator, how it was made, and if it was generated using artificial intelligence (AI).

    “The Pixel Camera app achieved Assurance Level 2, the highest security rating currently defined by the C2PA Conformance Program,” Google’s Android Security and C2PA Core teams said. “Assurance Level 2 for a mobile app is currently only possible on the Android platform.”

    “Pixel 10 phones support on-device trusted time-stamps, which ensures images captured with your native camera app can be trusted after the certificate expires, even if they were captured when your device was offline.”

    The capability is made possible using a combination of Google Tensor G5, Titan M2 security chip, and hardware-backed security features built into the Android operating system.

    Google said it has implemented C2PA to be secure, verifiable, and usable offline, thereby ensuring that provenance data is trustworthy, the process is not personally identifiable, and works even when the device is not connected to the internet.

    This is achieved using –

    • Android Key Attestation to allow Google C2PA Certification Authorities (CAs) to verify that they are communicating with a genuine physical device
    • Hardware-backed Android Key Attestation certificates that include the package name and signing certificates associated with the app that requested the generation of the C2PA signing key to verify the request originated from a trusted, registered app
    • Generating and storing C2PA claim signing keys using Android StrongBox in the Titan M2 security chip for tamper-resistance
    • Anonymous, hardware-backed attestation to certify new cryptographic keys generated on-device without knowing who is using it
    • Unique certificates to sign each image, making it “cryptographically impossible” to deanonymize the creator
    • On-device, offline Time-Stamping Authority (TSA) component within the Tensor chip to generate cryptographically-signed time-stamps when the camera’s shutter is pressed

    “C2PA Content Credentials are not the sole solution for identifying the provenance of digital media,” Google said. “They are, however, a tangible step toward more media transparency and trust as we continue to unlock more human creativity with AI.”


    Source: thehackernews.com…

  • SonicWall SSL VPN Flaw and Misconfigurations Actively Exploited by Akira Ransomware Hackers

    Threat actors affiliated with the Akira ransomware group have continued to target SonicWall devices for initial access.

    Cybersecurity firm Rapid7 said it observed a spike in intrusions involving SonicWall appliances over the past month, particularly following reports about renewed Akira ransomware activity since late July 2025.

    SonicWall subsequently revealed the SSL VPN activity aimed at its firewalls involved a year-old security flaw (CVE-2024-40766, CVSS score: 9.3) where local user passwords were carried over during the migration and not reset.

    “We are observing increased threat activity from actors attempting to brute-force user credentials,” the company noted. “To mitigate risk, customers should enable Botnet Filtering to block known threat actors and ensure Account Lockout policies are enabled.”

    SonicWall has also urged users to review LDAP SSL VPN Default User Groups, describing it as a “critical weak point” if misconfigured in the context of an Akira ransomware attack —

    This setting automatically adds every successfully authenticated LDAP user to a predefined local group, regardless of their actual membership in Active Directory. If that default group has access to sensitive services – such as SSL VPN, administrative interfaces, or unrestricted network zones – then any compromised AD account, even one with no legitimate need for those services, will instantly inherit those permissions.

    This effectively bypasses intended AD group-based access controls, giving attackers a direct path into the network perimeter as soon as they obtain valid credentials.
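    To make the inheritance problem concrete, here is an added model of the authorization decision SonicWall describes. It is not SonicOS code and uses no SonicOS setting names: the directory, the local group policy and the user names are all constructed. In the weak configuration every authenticated LDAP user lands in a catch-all local group, so any compromised AD account that is allowed to use that group’s services gets SSL VPN; in the corrected configuration the VPN decision depends only on the user’s real AD group membership.

```python
"""Model of the 'LDAP default user group' weakness (added example, not SonicOS code).

authorize_sslvpn() evaluates one login; audit() lists every account whose
VPN access exists only because of the catch-all default group.
"""

# Constructed directory: user -> AD groups they actually belong to.
AD_GROUPS = {
    "alice": {"Domain Users", "VPN-Users"},
    "bob": {"Domain Users"},                        # no VPN entitlement in AD
    "svc_print": {"Domain Users", "Service Accounts"},  # service account, no VPN need
}

# Constructed local groups on the appliance and the services each may use.
LOCAL_GROUP_SERVICES = {
    "SSLVPN Services": {"sslvpn"},
    "Everyone": set(),
}

# The AD group the appliance maps to SSL VPN in the corrected configuration.
VPN_AD_GROUP = "VPN-Users"


def authorize_sslvpn(user, password_ok, default_group=None):
    """Return (allowed, reason) for an SSL VPN login attempt.

    default_group: name of the local group every successfully authenticated
    LDAP user is added to, or None when that automatic mapping is disabled.
    """
    if not password_ok:
        return False, "authentication failed"
    # Intended path: VPN is granted only through the mapped AD group.
    if VPN_AD_GROUP in AD_GROUPS.get(user, set()):
        return True, f"member of AD group {VPN_AD_GROUP}"
    # Weak path: the user inherits whatever the catch-all default group may do.
    if default_group and "sslvpn" in LOCAL_GROUP_SERVICES.get(default_group, set()):
        return True, f"inherited via default group '{default_group}'"
    return False, "no VPN entitlement"


def audit(default_group):
    """Users who would get VPN access solely because of the default group."""
    return sorted(
        u for u in AD_GROUPS
        if authorize_sslvpn(u, True, default_group)[0]
        and not authorize_sslvpn(u, True, None)[0]
    )


if __name__ == "__main__":
    print("over-entitled with default group:", audit("SSLVPN Services"))  # bob, svc_print
    print("over-entitled with mapping disabled:", audit(None))             # none
```

    The audit function is the useful part for a defender: run against the real directory it yields exactly the set of accounts for which a single credential compromise would turn into perimeter access, which is the population the advisory’s mitigations (password rotation, removing unused accounts, MFA/TOTP) need to cover first.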

    Rapid7, in its alert, said it has also observed threat actors accessing the Virtual Office Portal hosted by SonicWall appliances, which, in certain default configurations, can facilitate public access and enable attackers to configure MFA/TOTP with valid accounts, assuming there is a prior credential exposure.

    “The Akira group is potentially utilizing a combination of all three of these security risks to gain unauthorized access and conduct ransomware operations,” it said.

    To mitigate the risk, organizations are advised to rotate passwords on all SonicWall local accounts, remove any unused or inactive SonicWall local accounts, ensure MFA/TOTP policies are configured, and restrict Virtual Office Portal access to the internal network.

    Akira’s targeting of SonicWall SSL VPNs has also been echoed by the Australian Cyber Security Centre (ACSC), which acknowledged it’s aware of the ransomware gang striking vulnerable Australian organizations through the devices.

    Since its debut in March 2023, Akira has been a persistent threat in the ransomware threat landscape, claiming 967 victims to date, as per information from Ransomware.Live. According to statistics shared by CYFIRMA, Akira accounted for 40 attacks in the month of July 2025, making it the third most active group after Qilin and INC Ransom.

    Of the 657 ransomware attacks impacting industrial entities worldwide flagged in Q2 2025, the Qilin, Akira, and Play ransomware families took the top three slots, with 101, 79, and 75 incidents, respectively.

    Akira maintained “substantial activity with consistent targeting of manufacturing and transportation sectors through sophisticated phishing and multi-platform ransomware deployments,” industrial cybersecurity company Dragos said in a report published last month.

    Recent Akira ransomware infections have also leveraged search engine optimization (SEO) poisoning techniques to deliver trojanized installers for popular IT management tools, which are then used to drop the Bumblebee malware loader.

    The attacks then utilize Bumblebee as a conduit to distribute the AdaptixC2 post-exploitation and adversarial emulation framework, install RustDesk for persistent remote access, exfiltrate data, and deploy the ransomware.

    According to Palo Alto Networks Unit 42, the versatile and modular nature of AdaptixC2 can allow threat actors to execute commands, transfer files, and perform data exfiltration on infected systems. The fact that it’s also open-source means it can be customized by adversaries to fit their needs.

    Other campaigns propagating AdaptixC2, the cybersecurity company said, have used Microsoft Teams calls mimicking an IT help desk to trick unsuspecting users into granting them remote access via Quick Assist and drop a PowerShell script that decrypts and loads the shellcode payload into memory.

    “The Akira ransomware group follows a standard attack flow: obtaining initial access via the SSLVPN component, escalating privileges to an elevated account or service account, locating and stealing sensitive files from network shares or file servers, deleting or stopping backups, and deploying ransomware encryption at the hypervisor level,” Rapid7 said.


    Source: thehackernews.com…

  • Fake Madgicx Plus and SocialMetrics Extensions Are Hijacking Meta Business Accounts

    Sep 11, 2025 | Ravie Lakshmanan | Malvertising / Browser Security

    Cybersecurity researchers have disclosed two new campaigns that are serving fake browser extensions using malicious ads and fake websites to steal sensitive data.

    The malvertising campaign, per Bitdefender, is designed to push fake “Meta Verified” browser extensions named SocialMetrics Pro that claim to unlock the blue check badge for Facebook and Instagram profiles. At least 37 malicious ads have been observed serving the extension in question.

    “The malicious ads are bundled with a video tutorial that guides viewers through the process of downloading and installing a so-called browser extension, which claims to unlock the blue verification tick on Facebook or other special features,” the Romanian cybersecurity vendor said.

    But, in reality, the extension – which is hosted on a legitimate cloud service called Box — is capable of collecting session cookies from Facebook and sending them to a Telegram bot controlled by the attackers. It’s also equipped to obtain the victim’s IP address by sending a query to ipinfo[.]io/json.

    Select variants of the rogue browser add-on have been observed using the stolen cookies to interact with the Facebook Graph API to likely fetch additional information related to the accounts. In the past, malware like NodeStealer has leveraged the Facebook Graph API to collect budget details of the account.

    The end goal of these efforts is to sell valuable Facebook Business and Ads accounts on underground forums for profit to other fraudsters, or repurpose them to fuel more malvertising campaigns, which, in turn, leads to more hijacked accounts – effectively creating a self-perpetuating cycle.

    The campaign exhibits all the “fingerprints” typically associated with Vietnamese-speaking threat actors, who are known to adopt various stealer families to target and gain unauthorized access to Facebook accounts. This hypothesis is also bolstered by the use of Vietnamese to narrate the tutorial and add source code comments.

    “By using a trusted platform, attackers can mass-generate links, automatically embed them into tutorials, and continuously refresh their campaigns,” Bitdefender said. “This fits a larger pattern of attackers industrializing malvertising, where everything from ad images to tutorials is created en masse.”

    The disclosure coincides with another campaign that’s targeting Meta advertisers with rogue Chrome extensions distributed via counterfeit websites posing as artificial intelligence (AI)-powered ad optimization tools for Facebook and Instagram. At the heart of the operation is a fake platform named Madgicx Plus.

    “Promoted as a tool to streamline campaign management and boost ROI using artificial intelligence, the extension instead delivers potentially malicious functionalities capable of hijacking business sessions, stealing credentials, and compromising Meta Business accounts,” Cybereason said.

    “The extensions are promoted as productivity or ad performance enhancers, but they operate as dual-purpose malware capable of stealing credentials, accessing session tokens, or enabling account takeover.”

    The extensions, the first of which is still available for download from the Chrome Web Store as of writing, are listed below –

    Once installed, the extension gains full access to all websites the user visits, enabling the threat actors to inject arbitrary scripts, as well as intercept and modify network traffic, monitor browsing activity, capture form inputs, and harvest sensitive data.

    It also prompts users to link their Facebook and Google accounts to access the service, while their identity information is covertly harvested in the background. Furthermore, the add-ons function similarly to the aforementioned fake Meta Verified extension in that they use victims’ stolen Facebook credentials to interact with the Facebook Graph API.
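    The capabilities described above (access to every site visited, reading session cookies, intercepting traffic, injecting scripts) are all declared up front in an extension’s manifest, which makes the manifest a cheap place for a defender to triage an add-on before it is allowed onto managed browsers. The Python below is an added example, not Bitdefender’s or Cybereason’s tooling; the manifest it examines is constructed to resemble the described extensions, and the permission names and host patterns are the standard Chrome ones.

```python
"""Triage a browser extension manifest for session-theft capabilities
(added example; SAMPLE_MANIFEST is constructed, not a real extension)."""
import json

SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Ads Optimizer Plus (constructed sample)",
    "version": "1.4.2",
    "permissions": ["cookies", "scripting", "webRequest", "storage", "tabs"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
    "background": {"service_worker": "bg.js"},
})

# Permission -> why it matters for session/credential theft (defender view).
RISKY_PERMISSIONS = {
    "cookies": "can read session cookies for any granted host",
    "webRequest": "can observe and modify network traffic",
    "webRequestBlocking": "can modify network traffic synchronously",
    "scripting": "can inject scripts into pages",
    "declarativeNetRequest": "can rewrite requests",
    "tabs": "can monitor browsing activity",
}
BROAD_HOST_PATTERNS = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")


def host_patterns(manifest):
    """Collect every host match pattern the extension declares (MV2 and MV3)."""
    patterns = list(manifest.get("host_permissions", []))
    # MV2 manifests put host patterns in "permissions" alongside API permissions.
    patterns += [p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"]
    for cs in manifest.get("content_scripts", []):
        patterns += cs.get("matches", [])
    return patterns


def has_broad_host_access(manifest):
    return any(p in BROAD_HOST_PATTERNS for p in host_patterns(manifest))


def assess_manifest(manifest_json):
    """Return a list of findings; an empty list means nothing notable."""
    m = json.loads(manifest_json)
    findings = []
    broad = has_broad_host_access(m)
    if broad:
        findings.append("broad host access: extension can read and modify every site visited")
    for perm in m.get("permissions", []):
        if perm in RISKY_PERMISSIONS:
            findings.append(f"permission {perm}: {RISKY_PERMISSIONS[perm]}")
    if broad and "cookies" in m.get("permissions", []):
        findings.append("cookies + broad hosts: session cookies of any site can be read")
    return findings


def risk_score(manifest_json):
    """Crude score: one point per finding, two extra for the cookie/broad-host combination."""
    findings = assess_manifest(manifest_json)
    combo = any(f.startswith("cookies + broad hosts") for f in findings)
    return len(findings) + (2 if combo else 0)


if __name__ == "__main__":
    for finding in assess_manifest(SAMPLE_MANIFEST):
        print("-", finding)
    print("score:", risk_score(SAMPLE_MANIFEST))
```

    The combination check is the one worth keeping even if the rest is trimmed: `cookies` on its own is common in legitimate extensions, and broad host access is common too, but the pair together is precisely what lets an add-on lift a Facebook session the way the fake Meta Verified extension does.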

    “This staged approach reveals a clear threat-actor strategy: first capturing Google identity data, then pivoting to Facebook to broaden access and increase the chances of hijacking valuable business or advertising assets,” Cybereason said.


    Source: thehackernews.com…

  • Cracking the Boardroom Code: Helping CISOs Speak the Language of Business

    Sep 11, 2025 | The Hacker News | Continuous Threat Exposure Management

    CISOs know their field. They understand the threat landscape. They understand how to build a strong and cost-effective security stack. They understand how to staff out their organization. They understand the intricacies of compliance. They understand what it takes to reduce risk. Yet one question comes up again and again in our conversations with these security leaders: how do I make the impact of risk clear to business decision-makers?

    Boards want to hear how risk affects revenue, governance, and growth. They have a limited attention span for lists of vulnerabilities or technical details. When the story gets too technical, even urgent initiatives lose traction and fail to get funded.

    CISOs need to translate technical issues into terms the board understands. Doing so builds trust, garners support and shows how security decisions connect directly to long-term growth. It was the urgent need to bridge the CISO-Board communication gap that led us to create a new paradigm in CISO continuing education: Risk Reporting to the Board for Modern CISOs.

    The Disconnect Between Boards and CISOs

    Boards are increasingly held accountable for cyber risk. SEC rules require public companies to disclose cyber incidents within four business days and to describe board cyber oversight in annual reports. In the EU, NIS2 holds management bodies directly responsible for cybersecurity measures, with penalties up to €10 million or 2% of global turnover.

    Boards track governance, liability, and enterprise value. CISOs present threats, vulnerabilities, and controls. Surveys confirm this gap: Gartner’s 2024 Board of Directors Survey reports that 84% of directors classify cybersecurity as a business risk, yet research finds that only about half of boards rate their understanding as strong enough for effective oversight.

    CISO-Board alignment has never been more important, but the two sides still speak different languages. This challenge surfaced so often in our conversations with security leaders that it led us to a simple conclusion: if so many experienced professionals need this skill, it should be taught.

    Teaching How to Close the Boardroom Gap

    The goal was clear: boards need insights that connect cyber risk to business outcomes. Risk Reporting to the Board for Modern CISOs was built from scratch to help security leaders meet that need.

    The course teaches CISOs how to reframe their message in ways that resonate with directors. It focuses on practical skills: moving beyond vanity metrics to dashboards that answer the “So what?” question, building concise presentations that boards can act on, anticipating and managing difficult questions, and framing budget requests in financial and strategic terms. The course also introduces Continuous Threat Exposure Management as a model for presenting risk in a structured, forward-looking way.

    Each of the five lessons is designed to be practical and easy to apply. Participants leave with methods and templates they can use in their next board meeting. The key areas of focus include:

    • The Board’s View of Risk: What directors focus on and how to frame security as an enabler of safe innovation and competitive advantage.
    • Clear Risk Communication: Moving past vanity metrics by building dashboards that tell a risk story that ties technical findings to business impact.
    • High-Impact Presentations: Creating concise, effective board presentations, aligning with key executives in advance, and handling difficult questions with confidence.
    • Stronger Business Cases: Translating security needs into financial and strategic language. Building requests around risk reduction value, total cost of ownership, and alignment with company objectives.
    • Operationalizing CTEM: Applying the five stages of Continuous Threat Exposure Management to strengthen security posture and structure reporting in a forward-looking way.

    The course is led by Dr. Gerald Auger, whose career spans more than twenty years in both industry and academia. He served as cybersecurity architect for a major medical center and has taught tens of thousands of students through his Simply Cyber platform. His mix of practical and teaching experience makes the course grounded, relevant, and directly useful for CISOs in the boardroom.

    The Bottom Line

    Cybersecurity is at the center of business oversight. Boards expect insight that is clear and actionable, and CISOs need to present risk in terms that connect directly to governance, finance, and strategy. Risk Reporting to the Board for Modern CISOs was designed with these challenges in mind. The course gives security leaders practical tools to translate their expertise into language the board can act on.

    When CISOs build these skills, they move from talking about technical metrics to explaining risk in terms that link to business goals and show how security drives long-term growth. That leads to clearer conversations with directors, steadier support for security programs, and a stronger role for cybersecurity in the company’s overall strategy.

    Want to learn more about Risk Reporting to the Board for Modern CISOs?

    Note: This article was expertly written by Tobi Trabing, VP Global Sales Engineering at XMCyber.


    Source: thehackernews.com…

  • AsyncRAT Exploits ConnectWise ScreenConnect to Steal Credentials and Crypto

    Sep 11, 2025 | Ravie Lakshmanan | Malware / Credential Theft

    Cybersecurity researchers have disclosed details of a new campaign that leverages ConnectWise ScreenConnect, a legitimate Remote Monitoring and Management (RMM) software, to deliver a fileless loader that drops a remote access trojan (RAT) called AsyncRAT to steal sensitive data from compromised hosts.

    “The attacker used ScreenConnect to gain remote access, then executed a layered VBScript and PowerShell loader that fetched and ran obfuscated components from external URLs,” LevelBlue said in a report shared with The Hacker News. “These components included encoded .NET assemblies ultimately unpacking into AsyncRAT while maintaining persistence via a fake ‘Skype Updater’ scheduled task.”

    In the infection chain documented by the cybersecurity company, the threat actors have been found to leverage a ScreenConnect deployment to initiate a remote session and launch a Visual Basic Script payload via hands-on-keyboard activity.

    “We saw trojanized ScreenConnect installers masquerading as financial and other business documents being sent via phishing emails,” Sean Shirley, LevelBlue MDR SOC Analyst, told The Hacker News.

    The script, for its part, is designed to retrieve two external payloads (“logs.ldk” and “logs.ldr”) from an attacker-controlled server by means of a PowerShell script. The first of the two files, “logs.ldk,” is a DLL that’s responsible for writing a secondary Visual Basic Script to disk, using it to establish persistence using a scheduled task by passing it off as “Skype Updater” to evade detection.

    This Visual Basic Script contains the same PowerShell logic observed at the start of the attack. The scheduled task ensures that the payload is automatically executed after every login.

    The PowerShell script, besides loading “logs.ldk” as a .NET assembly, passes “logs.ldr” as input to the loaded assembly, leading to the execution of a binary (“AsyncClient.exe”), which is the AsyncRAT payload with capabilities to log keystrokes, steal browser credentials, fingerprint the system, and scan for installed cryptocurrency wallet desktop apps and browser extensions in Google Chrome, Brave, Microsoft Edge, Opera, and Mozilla Firefox.

    All this collected information is eventually exfiltrated to a command-and-control (C2) server (“3osch20.duckdns[.]org”) over a TCP socket, to which the malware beacons in order to execute payloads and receive post-exploitation commands. The C2 connection settings are either hard-coded or pulled from a remote Pastebin URL.
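    The persistence step in this chain, a logon-triggered scheduled task with a vendor-sounding name that runs a script host on a VBScript dropped to disk, is one of the more durable artifacts a responder can hunt for. The Python below is an added example (not LevelBlue’s code) that parses exported task definitions in the standard Windows task XML schema and scores the pattern: script-host command, script argument in a user-writable location, name that claims to be an updater while the command does not live under Program Files, and a logon or boot trigger. Both task definitions are constructed for the example; the file path and task name are placeholders, not indicators from the reported intrusion.

```python
"""Scheduled-task triage for script-based persistence (added example;
the task XML below is constructed and is not from the reported intrusion)."""
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\", "%appdata%", "%temp%")
PROGRAM_DIRS = ("c:\\program files", "c:\\program files (x86)")

# Constructed: looks like a vendor updater but launches wscript.exe on a script in a public folder.
SUSPICIOUS_TASK = """\
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Skype Updater</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>wscript.exe</Command>
      <Arguments>//B "C:\\Users\\Public\\Libraries\\updater.vbs"</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed: a real-looking updater task whose binary lives under Program Files.
BENIGN_TASK = """\
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Vendor\\Vendor Update</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><Enabled>true</Enabled></CalendarTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>"C:\\Program Files\\Vendor\\updater.exe"</Command><Arguments>/silent</Arguments></Exec>
  </Actions>
</Task>"""


def parse_task(xml_text):
    """Extract the task name, trigger kinds and Exec actions from task XML."""
    root = ET.fromstring(xml_text)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    triggers_el = root.find("t:Triggers", NS)
    triggers = [] if triggers_el is None else [t.tag.split("}")[1] for t in triggers_el]
    actions = [
        (e.findtext("t:Command", default="", namespaces=NS),
         e.findtext("t:Arguments", default="", namespaces=NS))
        for e in root.findall("t:Actions/t:Exec", NS)
    ]
    return {"name": uri, "triggers": triggers, "actions": actions}


def _executable_name(command):
    return command.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _under_program_dir(command):
    return command.strip('"').lower().startswith(PROGRAM_DIRS)


def _in_user_writable(text):
    low = text.lower()
    return any(p in low for p in USER_WRITABLE)


def triage_task(xml_text):
    """Return the reasons a task looks like script-based persistence (empty if none)."""
    task = parse_task(xml_text)
    reasons = []
    for command, args in task["actions"]:
        if _executable_name(command) in SCRIPT_HOSTS:
            reasons.append(f"action runs a script host: {_executable_name(command)}")
            if _in_user_writable(args):
                reasons.append("script argument lives in a user-writable path")
    claims_updater = any(w in task["name"].lower() for w in ("update", "updater"))
    if claims_updater and not any(_under_program_dir(c) for c, _ in task["actions"]):
        reasons.append("name suggests a vendor updater but the command is not under Program Files")
    if reasons and any(t in ("LogonTrigger", "BootTrigger") for t in task["triggers"]):
        reasons.append("re-executes at every logon/boot")
    return reasons


if __name__ == "__main__":
    for label, xml_text in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(label, "->", triage_task(xml_text) or "nothing notable")
```

    On a live system the same XML is what `schtasks /query /xml` or the task files under the Windows Tasks directory contain, so the parser can be pointed at an export from many hosts; the “updater name but not under Program Files” rule is the one that singles out the masquerade this campaign relies on.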

    “Fileless malware continues to pose a significant challenge to modern cybersecurity defenses due to its stealthy nature and reliance on legitimate system tools for execution,” LevelBlue said. “Unlike traditional malware that writes payloads to disk, fileless threats operate in memory, making them harder to detect, analyze, and eradicate.”


    Source: thehackernews.com…

  • Chinese APT Deploys EggStreme Fileless Malware to Breach Philippine Military Systems

    Sep 10, 2025 | Ravie Lakshmanan | Cybersecurity / Malware

    An advanced persistent threat (APT) group from China has been attributed to the compromise of a Philippines-based military company using a previously undocumented fileless malware framework called EggStreme.

    “This multi-stage toolset achieves persistent, low-profile espionage by injecting malicious code directly into memory and leveraging DLL sideloading to execute payloads,” Bitdefender researcher Bogdan Zavadovschi said in a report shared with The Hacker News.

    “The core component, EggStremeAgent, is a full-featured backdoor that enables extensive system reconnaissance, lateral movement, and data theft via an injected keylogger.”

    The targeting of the Philippines is something of a recurring pattern for Chinese state-sponsored hacking groups, particularly in light of geopolitical tensions fueled by territorial disputes in the South China Sea between China, Vietnam, the Philippines, Taiwan, Malaysia, and Brunei.

    The Romanian cybersecurity vendor, which first detected signs of malicious activity in early 2024, described EggStreme as a tightly integrated set of malicious components that’s engineered to establish a “resilient foothold” on infected machines.

    The starting point of the multi-stage operation is a payload called EggStremeFuel (“mscorsvc.dll”) that conducts system profiling and deploys EggStremeLoader to set up persistence and then executes EggStremeReflectiveLoader, which, in turn, triggers EggStremeAgent.

    EggStremeFuel’s functions are realized by opening an active communication channel with a command-and-control (C2), enabling it to –

    • Get drive information
    • Start cmd.exe and establish communication via pipes
    • Gracefully close all connections and shutdown
    • Read a file from server and save it to disk
    • Read a local file from a given path and transmit its content
    • Send the external IP address by making a request to myexternalip[.]com/raw
    • Dump the in-memory configuration to disk

    Calling EggStremeAgent the “central nervous system” of the framework, the backdoor works by monitoring new user sessions and injecting a keylogger component dubbed EggStremeKeylogger into each session to harvest keystrokes and other sensitive data. It communicates with a C2 server using the Google Remote Procedure Call (gRPC) protocol.

    It supports an impressive 58 commands that enable a broad range of capabilities to facilitate local and network discovery, system enumeration, arbitrary shellcode execution, privilege escalation, lateral movement, data exfiltration, and payload injection, including an auxiliary implant codenamed EggStremeWizard (“xwizards.dll”).

    “The attackers use this to launch a legitimate binary that sideloads the malicious DLL, a technique they consistently abuse throughout the attack chain,” Zavadovschi noted.

    “This secondary backdoor provides reverse shell access and file upload/download capabilities. Its design also incorporates a list of multiple C2 servers, enhancing its resilience and ensuring that communication with the attacker can be maintained even if one C2 server is taken offline.”

    The activity is also characterized by the use of the Stowaway proxy utility to establish an internal network foothold. Complicating detection further is the fileless nature of the framework, causing malicious code to be loaded and executed directly in memory without leaving any traces on disk.

    “This, coupled with the heavy use of DLL side-loading and the sophisticated, multi-stage execution flow, allows the framework to operate with a low profile, making it a significant and persistent threat,” Bitdefender said.

    “The EggStreme malware family is a highly sophisticated and multi-component threat designed to achieve persistent access, lateral movement, and data exfiltration. The threat actor demonstrates an advanced understanding of modern defensive techniques by employing a variety of tactics to evade detection.”


    Source: thehackernews.com…

  • CHILLYHELL macOS Backdoor and ZynorRAT RAT Threaten macOS, Windows, and Linux Systems

    CHILLYHELL macOS Backdoor and ZynorRAT RAT Threaten macOS, Windows, and Linux Systems

    Cybersecurity researchers have discovered two new malware families, including a modular Apple macOS backdoor called CHILLYHELL and a Go-based remote access trojan (RAT) named ZynorRAT that can target both Windows and Linux systems.

    According to an analysis from Jamf Threat Labs, ChillyHell is written in C++ and is developed for Intel architectures.

    CHILLYHELL is the name assigned to a malware that’s attributed to an uncategorized threat cluster dubbed UNC4487. The hacking group is assessed to have been active since at least October 2022.

    According to threat intelligence shared by Google Mandiant, UNC4487 is a suspected espionage actor that has been observed compromising the websites of Ukrainian government entities to redirect and socially engineer targets to execute Matanbuchus or CHILLYHELL malware.

    The Apple device management company said it discovered a new CHILLYHELL sample uploaded to the VirusTotal malware scanning platform on May 2, 2025. The artifact, notarized by Apple back in 2021, is said to have been publicly hosted on Dropbox since then. Apple has since revoked the developer certificates linked to the malware.

    Once executed, the malware extensively profiles the compromised host and establishes persistence using three different methods, following which it initializes command-and-control (C2) communication with a hard-coded server (93.88.75[.]252 or 148.72.172[.]53) over HTTP or DNS, and enters into a command loop to receive further instructions from its operators.

    To set up persistence, CHILLYHELL either installs itself as a LaunchAgent or a system LaunchDaemon. As a backup mechanism, it alters the user’s shell profile (.zshrc, .bash_profile, or .profile) to inject a launch command into the configuration file.

    A noteworthy tactic adopted by the malware is its use of timestomping to modify the timestamps of created artifacts to avoid raising red flags.

    “If it does not have sufficient permission to update the timestamps by means of a direct system call, it will fall back to using shell commands touch -c -a -t and touch -c -m -t respectively, each with a formatted string representing a date from the past as an argument included at the end of the command,” Jamf researchers Ferdous Saljooki and Maggie Zirnhelt said.
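    A defender-side check for this fallback, added here as an illustration in C and not Jamf's code: `touch -a -t` and `touch -m -t` rewrite atime and mtime, but the kernel sets ctime to the current time on every inode change, so a file whose mtime is far older than its ctime is worth a closer look. The `mtime_ctime_gap_suspicious`, `looks_timestomped` and `make_backdated_file` names and the `/tmp/stomp` temp-file prefix are constructed for the demo.

```c
/* Heuristic timestomping check (added example, not Jamf's code): touch -a -t and
 * touch -m -t rewrite atime/mtime, but ctime is set by the kernel on every inode
 * change, so an mtime far older than ctime is a triage signal. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <utime.h>
#include <sys/stat.h>

/* Pure check: mtime predates ctime by more than `slack` seconds.
   Caveat: cp -p, archive extraction and chmod also produce this gap, so a hit
   means "look closer", not "proven timestomped". */
bool mtime_ctime_gap_suspicious(time_t mt, time_t ct, time_t slack) {
    return ct > mt && ct - mt > slack;
}

bool looks_timestomped(const char *path, time_t slack) {
    struct stat st;
    if (stat(path, &st) != 0) return false;   /* unreadable: report nothing */
    return mtime_ctime_gap_suspicious(st.st_mtime, st.st_ctime, slack);
}

/* Demo helper (constructed): create a temp file and back-date its mtime by `age`
   seconds, the same effect as the `touch -c -m -t <past date>` fallback.
   `path` must hold at least 17 bytes. */
bool make_backdated_file(char *path, time_t age) {
    strcpy(path, "/tmp/stompXXXXXX");
    int fd = mkstemp(path);
    if (fd < 0) return false;
    close(fd);
    if (age <= 0) return true;
    time_t past = time(NULL) - age;
    struct utimbuf ut = { .actime = past, .modtime = past };
    return utime(path, &ut) == 0;              /* ctime still advances to now */
}

int main(int argc, char **argv) {
    char tmp[32];
    if (argc > 1) {                             /* scan paths given on the command line */
        for (int i = 1; i < argc; i++)
            printf("%s: %s\n", argv[i],
                   looks_timestomped(argv[i], 3600) ? "SUSPICIOUS" : "ok");
        return 0;
    }
    if (!make_backdated_file(tmp, 365 * 86400)) return 1;
    printf("%s: %s\n", tmp, looks_timestomped(tmp, 3600) ? "SUSPICIOUS" : "ok");
    unlink(tmp);
    return 0;
}
```

Run with no arguments to see the constructed back-dated file flagged, or pass LaunchAgent plists and shell profiles as arguments to scan them.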

    CHILLYHELL supports a wide range of commands that allow it to launch a reverse shell to the C2 IP address, download a new version of the malware, fetch additional payloads, run a module named ModuleSUBF to enumerate user accounts from “/etc/passwd” and conduct brute-force attacks using a pre-defined password list retrieved from the C2 server.

    “Between its multiple persistence mechanisms, ability to communicate over different protocols and modular structure, ChillyHell is extraordinarily flexible,” Jamf said. “Capabilities such as timestomping and password cracking make this sample an unusual find in the current macOS threat landscape.”

    “Notably, ChillyHell was notarized and serves as an important reminder that not all malicious code comes unsigned.”

    The findings dovetail with the discovery of ZynorRAT, a RAT that uses a Telegram bot called @lraterrorsbot (aka lrat) to commandeer infected Windows and Linux hosts. Evidence shows that the malware was first submitted to VirusTotal on July 8, 2025. It does not share any overlaps with other known malware families.

    Compiled with Go, the Linux version supports a wide range of functions to enable file exfiltration, system enumeration, screenshot capture, persistence through systemd services, and arbitrary command execution –

    • /fs_list, to enumerate directories
    • /fs_get, to exfiltrate files from the host
    • /metrics, to perform system profiling
    • /proc_list, to run the “ps” Linux command
    • /proc_kill, to kill a specific process by passing the PID as input
    • /capture_display, to take screenshots
    • /persist, to establish persistence

    ZynorRAT’s Windows version is near-identical to its Linux counterpart, while still resorting to Linux-based persistence mechanisms. This likely indicates that development of the Windows variant is a work in progress.

    “Its main purpose is to serve as a collection, exfiltration, and remote access tool, which is centrally managed through a Telegram bot,” Sysdig researcher Alessandra Rizzo said. “Telegram serves as the main C2 infrastructure through which the malware receives further commands once deployed on a victim machine.”

    Further analysis of screenshots leaked via the Telegram bot has revealed that the payloads are distributed via a file-sharing service known as Dosya.co, and that the malware author may have “infected” their own machines to test out the functionality.

    ZynorRAT is believed to be the work of a lone actor possibly of Turkish origin, given the language used in Telegram chats.

    “Although the malware ecosystem has no shortage of RATs, malware developers are still dedicating their time to creating them from scratch,” Rizzo said. “ZynorRAT’s customization and automated controls underline the evolving sophistication of modern malware, even within their earliest stages.”


    Source: thehackernews.com…

  • Apple iPhone Air and iPhone 17 Feature A19 Chips With Spyware-Resistant Memory Safety

    Apple iPhone Air and iPhone 17 Feature A19 Chips With Spyware-Resistant Memory Safety

    Sep 10, 2025 · Ravie Lakshmanan · Spyware / Vulnerability

    Apple on Tuesday revealed a new security feature called Memory Integrity Enforcement (MIE) that’s built into its newly introduced iPhone models, including iPhone 17 and iPhone Air.

    MIE, per the tech giant, offers “always-on memory safety protection” across critical attack surfaces such as the kernel and over 70 userland processes without sacrificing device performance, a goal Apple says it met by designing its A19 and A19 Pro chips with this feature in mind.

    “Memory Integrity Enforcement is built on the robust foundation provided by our secure memory allocators, coupled with Enhanced Memory Tagging Extension (EMTE) in synchronous mode, and supported by extensive Tag Confidentiality Enforcement policies,” the company noted.

    The effort aims to improve memory safety and prevent bad actors, specifically those leveraging mercenary spyware, from weaponizing such flaws in the first place to break into devices as part of highly targeted attacks.

    The technology that underpins MIE is EMTE, an improved version of the Memory Tagging Extension (MTE) specification released by chipmaker Arm in 2019 to flag memory corruption bugs either synchronously or asynchronously.

    It’s worth noting that Google’s Pixel devices already have support for MTE as a developer option starting with Android 13. Similar memory integrity features have also been introduced by Microsoft in Windows 11.

    “The ability of MTE to detect memory corruption exploitation at the first dangerous access is a significant improvement in diagnostic and potential security effectiveness,” Google Project Zero researcher Mark Brand said in October 2023, coinciding with the release of Pixel 8 and Pixel 8 Pro.

    “The availability of MTE on a production handset for the first time is a big step forward, and I think there’s real potential to use this technology to make 0-day harder.”

    Apple said MIE transforms MTE from a “helpful debugging tool” into a groundbreaking new security feature, offering security protection against two common vulnerability classes – buffer overflows and use-after-free bugs – that could result in memory corruption.

    This essentially involves blocking out-of-bounds requests to access adjacent memory that has a different tag, and retagging memory as it gets reused for other purposes after it has been freed and reallocated by the system. As a result, requests to access retagged memory with an older tag (indicating use-after-free scenarios) also get blocked.
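    A software model of the two checks just described, added here as an illustration and not Apple's or Arm's code: each 16-byte granule carries a 4-bit tag, every pointer carries the tag it was issued with, and a store is allowed only when the two match, so an overflow into a differently tagged neighbour and a write through a stale pointer after free-time retagging both fault. The `tag_malloc`, `tag_free` and `tag_store` names and the tiny heap are constructed; the model covers the original MTE checks on tagged memory, not EMTE's rule for non-tagged memory.

```c
/* Software model of MTE-style tag checking (added example, not Apple's or Arm's code):
 * tagged granules, tagged pointers, and a synchronous check on every store. */
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#define GRANULE 16
#define HEAP_GRANULES 64
#define TAG_SHIFT 56
#define OFFSET_MASK ((1ULL << TAG_SHIFT) - 1)
typedef uint64_t tptr;                        /* offset in low bits, tag in top byte */
static uint8_t heap[HEAP_GRANULES * GRANULE]; /* constructed backing store */
static uint8_t tags[HEAP_GRANULES];           /* one tag per granule, 0 = untagged */
static uint8_t next_tag = 1;
static size_t next_free = 0;

/* Cycle through tags 1..15, never handing out the one we must differ from. */
static uint8_t fresh_tag(uint8_t avoid) {
    uint8_t t;
    do { t = next_tag; next_tag = (uint8_t)(next_tag % 15 + 1); } while (t == avoid);
    return t;
}

/* Allocate: tag granules unlike the left neighbour so an overflow crosses a tag edge. */
tptr tag_malloc(size_t size) {
    size_t n = (size + GRANULE - 1) / GRANULE;
    if (n == 0 || next_free + n > HEAP_GRANULES) return 0;
    uint8_t t = fresh_tag(next_free ? tags[next_free - 1] : 0);
    for (size_t i = 0; i < n; i++) tags[next_free + i] = t;
    next_free += n;
    return ((tptr)t << TAG_SHIFT) | (tptr)((next_free - n) * GRANULE);
}

/* Free: retag the granules, so a stale pointer no longer matches (use-after-free). */
void tag_free(tptr p, size_t size) {
    size_t g = (size_t)(p & OFFSET_MASK) / GRANULE;
    size_t n = (size + GRANULE - 1) / GRANULE;
    uint8_t t = fresh_tag(tags[g]);
    for (size_t i = 0; i < n && g + i < HEAP_GRANULES; i++) tags[g + i] = t;
}

/* Checked store: returning false models a synchronous tag-check fault. */
bool tag_store(tptr p, size_t idx, uint8_t value) {
    uint8_t ptag = (uint8_t)(p >> TAG_SHIFT);
    size_t off = (size_t)(p & OFFSET_MASK) + idx;
    if (off >= sizeof heap || tags[off / GRANULE] != ptag) return false;
    heap[off] = value;
    return true;
}

/* Buffer overflow: byte 16 of a 16-byte buffer lies in the neighbour's granule. */
bool overflow_is_blocked(void) {
    tptr a = tag_malloc(16);
    tptr b = tag_malloc(16);
    return b != 0 && tag_store(a, 15, 1) && !tag_store(a, 16, 1);
}

/* Use-after-free: the freed granules were retagged, so the old pointer faults. */
bool uaf_is_blocked(void) {
    tptr a = tag_malloc(32);
    bool before = tag_store(a, 0, 1);
    tag_free(a, 32);
    return before && !tag_store(a, 0, 2);
}
```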

    “A key weakness of the original MTE specification is that access to non-tagged memory, such as global variables, is not checked by the hardware,” Apple explained. “This means attackers don’t have to face as many defensive constraints when attempting to control core application configuration and state.”

    “With Enhanced MTE, we instead specify that accessing non-tagged memory from a tagged memory region requires knowing that region’s tag, making it significantly harder for attackers to turn out-of-bounds bugs in dynamic tagged memory into a way to sidestep EMTE by directly modifying non-tagged allocations.”

    Cupertino said it has also developed what it calls Tag Confidentiality Enforcement (TCE) to secure the implementation of memory allocators against side-channel and speculative execution attacks like TikTag that MTE was found susceptible to last year, resulting in the leak of an MTE tag associated with an arbitrary memory address by exploiting the fact that tag checks generate cache state differences during speculative execution.

    “The meticulous planning and implementation of Memory Integrity Enforcement made it possible to maintain synchronous tag checking for all the demanding workloads of our platforms, delivering groundbreaking security with minimal performance impact, while remaining completely invisible to users,” it added.


    Source: thehackernews.com…

  • Microsoft Fixes 80 Flaws — Including SMB PrivEsc and Azure CVSS 10.0 Bugs

    Microsoft Fixes 80 Flaws — Including SMB PrivEsc and Azure CVSS 10.0 Bugs

    Microsoft on Tuesday addressed a set of 80 security flaws in its software, including one vulnerability that has been disclosed as publicly known at the time of release.

    Of the 80 vulnerabilities, eight are rated Critical and 72 are rated Important in severity. None of the shortcomings has been exploited in the wild as a zero-day. Like last month, 38 of the disclosed flaws are related to privilege escalation, followed by remote code execution (22), information disclosure (14), and denial-of-service (3).

    “For the third time this year, Microsoft patched more elevation of privilege vulnerabilities than remote code execution flaws,” Satnam Narang, senior staff research engineer at Tenable, said. “Nearly 50% (47.5%) of all bugs this month are privilege escalation vulnerabilities.”

    The patches are in addition to 12 vulnerabilities addressed in Microsoft’s Chromium-based Edge browser since the release of August 2025’s Patch Tuesday update, including a security bypass bug (CVE-2025-53791, CVSS score: 4.7) that has been patched in version 140.0.3485.54 of the browser.

    The vulnerability that has been flagged as publicly known is CVE-2025-55234 (CVSS score: 8.8), a case of privilege escalation in Windows SMB.

    “SMB Server might be susceptible to relay attacks depending on the configuration,” Microsoft said. “An attacker who successfully exploited these vulnerabilities could perform relay attacks and make the users subject to elevation of privilege attacks.”

    The Windows maker said the update enables support for auditing SMB client compatibility for SMB Server signing as well as SMB Server EPA, allowing customers to assess their environment and detect any potential device or software incompatibility issues before deploying appropriate hardening measures.

    “The key takeaway from the CVE-2025-55234 advisory, other than the explanation of the well-known attack surface around SMB authentication, is that this is one of those times where simply patching isn’t enough; in fact, the patches provide administrators with more auditing options to determine whether their SMB Server is interacting with clients that won’t support the recommended hardening options,” Adam Barnett, lead software engineer at Rapid7, said.

    Mike Walters, president and co-founder of Action, said the vulnerability stems from the fact that SMB sessions can be established without properly validating the authentication context when key hardening measures, such as SMB signing and Extended Protection for Authentication, are not in place.

    “This gap opens the door to man-in-the-middle relay attacks, where attackers can capture and forward authentication material to gain unauthorized access,” Walters added. “It can easily become part of a larger campaign, moving from phishing to SMB relay, credential theft, lateral movement, and eventually data exfiltration.”

    The CVE with the highest CVSS score for this month is CVE-2025-54914 (CVSS score: 10.0), a critical flaw impacting Azure Networking that could result in privilege escalation. It requires no customer action, given that it’s a cloud-related vulnerability.

    Two other shortcomings that merit attention include a remote code execution flaw in Microsoft High Performance Compute (HPC) Pack (CVE-2025-55232, CVSS score: 9.8) and an elevation of privilege issue affecting Windows NTLM (CVE-2025-54918, CVSS score: 8.8) that could allow an attacker to gain SYSTEM privileges.

    “From Microsoft’s limited description, it appears that if an attacker is able to send specially crafted packets over the network to the target device, they would have the ability to gain SYSTEM-level privileges on the target machine,” Kev Breen, senior director of threat research at Immersive, said.

    “The patch notes for this vulnerability state that ‘Improper authentication in Windows NTLM allows an authorized attacker to elevate privileges over a network,’ suggesting an attacker may already need to have access to the NTLM hash or the user’s credentials.”

    Lastly, the update also remediates a security flaw (CVE-2024-21907, CVSS score: 7.5) in Newtonsoft.Json, a third-party component used in SQL Server, that could be exploited to trigger a denial-of-service condition, as well as two privilege escalation vulnerabilities in Windows BitLocker (CVE-2025-54911, CVSS score: 7.3, and CVE-2025-54912, CVSS score: 7.8).

    Microsoft’s Hussein Alrubaye has been credited with discovering and reporting both the BitLocker flaws. The two flaws add to four other vulnerabilities (collectively called BitUnlocker) in the full-disk encryption feature that were patched by Microsoft in July 2025 –

    • CVE-2025-48003 (CVSS score: 6.8) – BitLocker Security Feature Bypass Vulnerability via WinRE Apps Scheduled Operation
    • CVE-2025-48800 (CVSS score: 6.8) – BitLocker Security Feature Bypass Vulnerability by Targeting ReAgent.xml Parsing
    • CVE-2025-48804 (CVSS score: 6.8) – BitLocker Security Feature Bypass Vulnerability by Targeting Boot.sdi Parsing
    • CVE-2025-48818 (CVSS score: 6.8) – BitLocker Security Feature Bypass Vulnerability by Targeting Boot Configuration Data (BCD) Parsing

    Successful exploitation of any of the above four flaws could allow an attacker with physical access to the target to bypass BitLocker protections and gain access to encrypted data.

    “To further enhance the security of BitLocker, we recommend enabling TPM+PIN for pre-boot authentication,” Security Testing and Offensive Research at Microsoft (STORM) researchers Netanel Ben Simon and Alon Leviev said in a report last month. “This significantly reduces the BitLocker attack surfaces by limiting exposure to only the TPM.”

    “To mitigate BitLocker downgrade attacks, we advise enabling the REVISE mitigation. This mechanism enforces secure versioning across critical boot components, preventing downgrades that could reintroduce known vulnerabilities in BitLocker and Secure Boot.”

    The disclosure comes as Purple Team detailed a new lateral movement technique dubbed BitLockMove that involves the remote manipulation of BitLocker registry keys via Windows Management Instrumentation (WMI) to hijack specific COM objects of BitLocker.

    BitLockMove, developed by security researcher Fabian Mosch, works by initiating a remote connection to the target host through WMI and copying a malicious DLL to the target over SMB. In the next phase, the attacker writes a new registry key that specifies the DLL path, ultimately causing BitLocker to load the copied DLL by hijacking its COM objects.

    “The purpose of the BitLocker COM Hijacking is to execute code under the context of the interactive user on a target host,” Purple Team said. “In the event that the interactive user has excessive privileges (i.e., domain administrator), this could also lead to domain escalation.”

    Software Patches from Other Vendors

    In addition to Microsoft, security updates have also been released by other vendors over the past several weeks to rectify several vulnerabilities, including —


    Source: thehackernews.com…