Category: Cybersecurity

  • Chinese Hackers RedNovember Target Global Governments Using Pantegana and Cobalt Strike

    Sep 24, 2025 | Ravie Lakshmanan | Vulnerability / Network Security

    A suspected cyber espionage activity cluster that was previously found targeting global government and private sector organizations spanning Africa, Asia, North America, South America, and Oceania has been assessed to be a Chinese state-sponsored threat actor.

    Recorded Future, which was tracking the activity under the moniker TAG-100, has now graduated it to a hacking group dubbed RedNovember. It’s also tracked by Microsoft as Storm-2077.

    “Between June 2024 and July 2025, RedNovember (which overlaps with Storm-2077) targeted perimeter appliances of high-profile organizations globally and used the Go-based backdoor Pantegana and Cobalt Strike as part of its intrusions,” the Mastercard-owned company said in a report shared with The Hacker News.

    “The group has expanded its targeting remit across government and private sector organizations, including defense and aerospace organizations, space organizations, and law firms.”

    Some of the likely new victims of the threat actor include a ministry of foreign affairs in central Asia, a state security organization in Africa, a European government directorate, and a Southeast Asian government. The group is also believed to have breached at least two United States (US) defense contractors, a European engine manufacturer, and a trade-focused intergovernmental cooperation body in Southeast Asia.

    RedNovember was first documented by Recorded Future over a year ago, detailing its use of the Pantegana post-exploitation framework and Spark RAT following the weaponization of known security flaws in several internet-facing perimeter appliances from Check Point (CVE-2024-24919), Cisco, Citrix, F5, Fortinet, Ivanti, Palo Alto Networks (CVE-2024-3400), and SonicWall for initial access.

    The focus on targeting security solutions such as VPNs, firewalls, load balancers, virtualization infrastructure, and email servers mirrors a trend that has been increasingly adopted by other Chinese state-sponsored hacking groups to break into networks of interest and maintain persistence for extended periods of time.

    A noteworthy aspect of the threat actor’s tradecraft is the use of Pantegana and Spark RAT, both of which are open-source tools. The adoption is likely an attempt to repurpose existing programs to their advantage and confuse attribution efforts, a hallmark of espionage actors.

    The attacks also involve the use of a variant of the publicly available Go-based loader LESLIELOADER to launch Spark RAT or Cobalt Strike Beacons on compromised devices.

    RedNovember is said to make use of VPN services like ExpressVPN and Warp VPN to administer and connect to two sets of servers that are used for exploitation of internet-facing devices and communicate with Pantegana, Spark RAT, and Cobalt Strike, another legitimate program that has been widely abused by bad actors.

    Between June 2024 and May 2025, much of the hacking group’s targeting efforts have been focused on Panama, the U.S., Taiwan, and South Korea. As recently as April 2025, it has been found to target Ivanti Connect Secure appliances associated with a newspaper and an engineering and military contractor, both based in the U.S.

    Recorded Future said it also identified the adversary likely targeting the Microsoft Outlook Web Access (OWA) portals belonging to a South American country before that country’s state visit to China.

    “RedNovember has historically targeted a diverse range of countries and sectors, suggesting broad and changing intelligence requirements,” the company noted. “RedNovember’s activity to date has primarily focused on several key geographies, including the US, Southeast Asia, the Pacific region, and South America.”


    Source: thehackernews.com…

  • UNC5221 Uses BRICKSTORM Backdoor to Infiltrate U.S. Legal and Technology Sectors

    Companies in the legal services, software-as-a-service (SaaS) providers, Business Process Outsourcers (BPOs), and technology sectors in the U.S. have been targeted by a suspected China-nexus cyber espionage group to deliver a known backdoor referred to as BRICKSTORM.

    The activity, attributed to UNC5221 and closely related, suspected China-nexus threat clusters, is designed to facilitate persistent access to victim organizations for over a year, Mandiant and Google Threat Intelligence Group (GTIG) said in a new report shared with The Hacker News.

    It’s assessed that the objective of BRICKSTORM targeting SaaS providers is to gain access to downstream customer environments or the data SaaS providers host on their customers’ behalf, while the targeting of the U.S. legal and technological spheres is likely an attempt to gather information related to national security and international trade, as well as steal intellectual property to advance the development of zero-day exploits.

    BRICKSTORM was first documented by the tech giant last year in connection with the exploitation of two Ivanti Connect Secure zero-day vulnerabilities (CVE-2023-46805 and CVE-2024-21887). It has also been used to target Windows environments in Europe since at least November 2022.

    A Go-based backdoor, BRICKSTORM comes fitted with capabilities to set itself up as a web server, perform file system and directory manipulation, carry out file operations such as upload/download, execute shell commands, and act as a SOCKS relay. It communicates with a command-and-control (C2) server using WebSockets.

    Earlier this year, the U.S. government noted that the China-aligned threat cluster tracked as APT27 (aka Emissary Panda) overlaps with that of Silk Typhoon, UNC5221, and UTA0178. However, GTIG told The Hacker News at the time that it does not have enough evidence on its own to confirm the link and that it’s treating them as two clusters.

    “These intrusions are conducted with a particular focus on maintaining long term stealthy access by deploying backdoors on appliances that do not support traditional endpoint detection and response (EDR) tools,” GTIG said, adding it has responded to several intrusions since March 2025.

    “The actor employs methods for lateral movement and data theft that generate minimal to no security telemetry. This, coupled with modifications to the BRICKSTORM backdoor, has enabled them to remain undetected in victim environments for 393 days, on average.”

    In at least one case, the threat actors are said to have exploited the aforementioned security flaws in Ivanti Connect Secure edge devices to obtain initial access and drop BRICKSTORM on Linux and BSD-based appliances from multiple manufacturers.

    There is evidence to suggest that the malware is under active development, with one sample featuring a “delay” timer that waits for a hard-coded date months in the future before initiating contact with its C2 server. The BRICKSTORM variant, Google said, was deployed on an internal VMware vCenter server after the targeted organization had commenced its incident response efforts, indicating the agility of the hacking group to maintain persistence.

    The attacks are also characterized by the use of a malicious Java Servlet filter for the Apache Tomcat server dubbed BRICKSTEAL to capture vCenter credentials for privilege escalation, subsequently using it to clone Windows Server VMs for key systems such as Domain Controllers, SSO Identity Providers, and secret vaults.

    “Normally, installing a filter requires modifying a configuration file and restarting or reloading the application; however, the actor used a custom dropper that made the modifications entirely in memory, making it very stealthy and negating the need for a restart,” Google said.

    Furthermore, the threat actors have been found to leverage valid credentials for lateral movement to pivot to the VMware infrastructure and establish persistence by modifying init.d, rc.local, or systemd files to ensure that the backdoor is automatically started on appliance reboot.

    The primary goal of the campaign is to access the emails of key individuals within the victim entities, including developers, system administrators, and individuals involved in matters that align with China’s economic and espionage interests. BRICKSTORM’s SOCKS proxy feature is used to create a tunnel and directly access the applications deemed of interest to the attackers.

    Google has also developed a shell script scanner for potential victims to figure out if they’ve been impacted by BRICKSTORM activity on Linux and BSD-based appliances and systems by flagging files that match known signatures of the malware.

    “The BRICKSTORM campaign represents a significant threat due to its sophistication, evasion of advanced enterprise security defenses, and focus on high-value targets,” Charles Carmakal, CTO of Mandiant Consulting at Google Cloud, said in a statement shared with The Hacker News.

    “The access obtained by UNC5221 enables them to pivot to downstream customers of compromised SaaS providers or discover zero-day vulnerabilities in enterprise technologies, which can be used for future attacks. We encourage organizations to hunt for BRICKSTORM and other backdoors that may reside on their systems that do not have endpoint detection and response (EDR) coverage.”


    Source: thehackernews.com…

  • Two Critical Flaws Uncovered in Wondershare RepairIt Exposing User Data and AI Models

    Cybersecurity researchers have disclosed two security flaws in Wondershare RepairIt that exposed private user data and potentially exposed the system to artificial intelligence (AI) model tampering and supply chain risks.

    The critical-rated vulnerabilities in question, discovered by Trend Micro, are listed below –

    • CVE-2025-10643 (CVSS score: 9.1) – An authentication bypass vulnerability that exists within the permissions granted to a storage account token
    • CVE-2025-10644 (CVSS score: 9.4) – An authentication bypass vulnerability that exists within the permissions granted to an SAS token

    Successful exploitation of the two flaws can allow an attacker to circumvent authentication protection on the system and launch a supply chain attack, ultimately resulting in the execution of arbitrary code on customers’ endpoints.

    Trend Micro researchers Alfredo Oliveira and David Fiser said the AI-powered data repair and photo editing application “contradicted its privacy policy by collecting, storing, and, due to weak Development, Security, and Operations (DevSecOps) practices, inadvertently leaking private user data.”

    The poor development practices include embedding overly permissive cloud access tokens directly in the application’s code that enables read and write access to sensitive cloud storage. Furthermore, the data is said to have been stored without encryption, potentially opening the door to wider abuse of users’ uploaded images and videos.

    To make matters worse, the exposed cloud storage contains not only user data but also AI models, software binaries for various products developed by Wondershare, container images, scripts, and company source code, enabling an attacker to tamper with AI models or the executables, paving the way for supply chain attacks targeting its downstream customers.

    “Because the binary automatically retrieves and executes AI models from the unsecure cloud storage, attackers could modify these models or their configurations and infect users unknowingly,” the researchers said. “Such an attack could distribute malicious payloads to legitimate users through vendor-signed software updates or AI model downloads.”

    Beyond customer data exposure and AI model manipulation, the issues can also pose grave consequences, ranging from intellectual property theft and regulatory penalties to erosion of consumer trust.

    The cybersecurity company said it responsibly disclosed the two issues through its Zero Day Initiative (ZDI) in April 2025, but noted that it has yet to receive a response from the vendor despite repeated attempts. In the absence of a fix, users are recommended to “restrict interaction with the product.”

    “The need for constant innovations fuels an organization’s rush to get new features to market and maintain competitiveness, but they might not foresee the new, unknown ways these features could be used or how their functionality may change in the future,” Trend Micro said.

    “This explains how important security implications may be overlooked. That is why it is crucial to implement a strong security process throughout one’s organization, including the CD/CI pipeline.”

    The Need for AI and Security to Go Hand in Hand

    The development comes as Trend Micro previously warned against exposing Model Context Protocol (MCP) servers without authentication or storing sensitive credentials such as MCP configurations in plaintext, which threat actors can exploit to gain access to cloud resources, databases, or inject malicious code.

    “Each MCP server acts as an open door to its data source: databases, cloud services, internal APIs, or project management systems,” the researchers said. “Without authentication, sensitive data such as trade secrets and customer records becomes accessible to everyone.”

    In December 2024, the company also found that exposed container registries could be abused to gain unauthorized access and pull target Docker images to extract the AI model within it, modify the model’s parameters to influence its predictions, and push the tampered image back to the exposed registry.

    “The tampered model could behave normally under typical conditions, only displaying its malicious alterations when triggered by specific inputs,” Trend Micro said. “This makes the attack particularly dangerous, as it could bypass basic testing and security checks.”

    The supply chain risk posed by MCP servers has also been highlighted by Kaspersky, which devised a proof-of-concept (PoC) exploit to highlight how MCP servers installed from untrusted sources can conceal reconnaissance and data exfiltration activities under the guise of an AI-powered productivity tool.

    “Installing an MCP server basically gives it permission to run code on a user machine with the user’s privileges,” security researcher Mohamed Ghobashy said. “Unless it is sandboxed, third-party code can read the same files the user has access to and make outbound network calls – just like any other program.”

    The findings show that the rapid adoption of MCP and AI tools in enterprise settings to enable agentic capabilities, particularly without clear policies or security guardrails, can open brand new attack vectors, including tool poisoning, rug pulls, shadowing, prompt injection, and unauthorized privilege escalation.

    In a report published last week, Palo Alto Networks Unit 42 revealed that the context attachment feature used in AI code assistants to bridge an AI model’s knowledge gap can be susceptible to indirect prompt injection, where adversaries embed harmful prompts within external data sources to trigger unintended behavior in large language models (LLMs).

    Indirect prompt injection hinges on the assistant’s inability to differentiate between instructions issued by the user and those surreptitiously embedded by the attacker in external data sources.

    Thus, when a user inadvertently supplies to the coding assistant third-party data (e.g., a file, repository, or URL) that has already been tainted by an attacker, the hidden malicious prompt could be weaponized to trick the tool into executing a backdoor, injecting arbitrary code into an existing codebase, and even leaking sensitive information.

    “Adding this context to prompts enables the code assistant to provide more accurate and specific output,” Unit 42 researcher Osher Jacob said. “However, this feature could also create an opportunity for indirect prompt injection attacks if users unintentionally provide context sources that threat actors have contaminated.”

    AI coding agents have also been found vulnerable to what’s called a “lies-in-the-loop” (LitL) attack that aims to convince the LLM that the instructions it’s been fed are much safer than they really are, effectively overriding human-in-the-loop (HitL) defenses put in place when performing high-risk operations.

    “LitL abuses the trust between a human and the agent,” Checkmarx researcher Ori Ron said. “After all, the human can only respond to what the agent prompts them with, and what the agent prompts the user is inferred from the context the agent is given. It’s easy to lie to the agent, causing it to provide fake, seemingly safe context via commanding and explicit language in something like a GitHub issue.”

    “And the agent is happy to repeat the lie to the user, obscuring the malicious actions the prompt is meant to guard against, resulting in an attacker essentially making the agent an accomplice in getting the keys to the kingdom.”


    Source: thehackernews.com…

  • iframe Security Exposed: The Blind Spot Fueling Payment Skimmer Attacks

    Think payment iframes are secure by design? Think again. Sophisticated attackers have quietly evolved malicious overlay techniques to exploit checkout pages and steal credit card data by bypassing the very security policies designed to stop them.

    TL;DR: iframe Security Exposed

    Payment iframes are being actively exploited by attackers using malicious overlays to skim credit card data. These pixel-perfect fake forms bypass traditional security, as proven by a recent Stripe campaign that has already compromised dozens of merchants.

    This article explores:

    • Anatomy of the 2024 Stripe skimmer attack.
    • Why old defenses like CSP and X-Frame-Options are failing.
    • Modern attack vectors: overlays, postMessage spoofing, and CSS exfiltration.
    • How third-party scripts in payment iframes create new risks.
    • How the new PCI DSS 4.0.1 rules are forcing merchants to secure the entire page.
    • A six-step defense strategy focusing on real-time monitoring and CSP.

    Bottom line: An iframe is only as secure as its host page. Attackers aren’t breaking iframes anymore; they’re exploiting the blind spots around them. Active monitoring is now mandatory, not optional.

    A Wake-up Call: The Stripe iframe Skimmer Campaign

    Payment iframes are designed to be secure sandboxes, isolating credit card data from the merchant’s site. However, attackers are bypassing this protection by targeting the host page itself.

    The Stripe iframe skimmer campaign (August 2024) is a prime example. It injects malicious JavaScript through vulnerable platforms like WordPress to hide the legitimate Stripe iframe and replace it with a pixel-perfect malicious overlay.

    Having already compromised 49 merchants, this sophisticated attack uses a deprecated Stripe API to validate stolen cards in real time, making the theft invisible to the customer.

    This isn’t an isolated threat. The attack surface is alarmingly wide, with 18% of websites running tools like Google Tag Manager directly within their payment iframes, creating massive security blind spots.

    The Rapidly Expanding Attack Surface

    Modern frameworks conquered many legacy threats but introduced new iframe vulnerabilities. Today’s attackers leverage:

    • Supply chain compromises targeting trusted iframe-loaded payment processors
    • DOM-based iframe injection in SPAs that bypass server-side protections
    • CSS-based data exfiltration through clever styling manipulation
    • AI prompt injection to trick LLMs into generating insecure iframe code

    This means a simple frame-src 'none' directive just isn’t enough. Overall, CVE reports jumped 30% in the past year, according to Qualys research, and with XSS attacks comprising over 30% of web application attacks, many involving iframe exploitation, this corner of the attack surface has never been more volatile and vulnerable.

    Why Current Defenses Fall Short

    Most security guides still focus on decade-old X-Frame-Options headers. But these offer little protection when dealing with:

    • CSP frame-src limitations: Even with frame-src 'self', attackers can compromise allowed domains or exploit postMessage vulnerabilities to exfiltrate data from within approved iframes.
    • Sandbox bypass techniques: Overly permissive settings like allow-same-origin + allow-scripts negate protections
    • Same-Origin Policy gaps: Bypassed through postMessage wildcards and CORS misconfigurations

    The Framework Reality Check

    Even modern frameworks don’t save you out of the box. Consider this common React pattern:

    This seemingly innocent React pattern has been exploited in over 200 documented attacks in 2024 alone:

    Using dangerouslySetInnerHTML near a payment iframe creates opportunities for attackers to inject hidden iframes that harvest payment data through event listeners or manipulate communication between the payment iframe and parent window.

    Modern Injection Techniques Unmasked

    Event Handler iframe Injection: Attackers inject invisible iframes via onerror attributes on image tags. These iframes load scripts that attach listeners to payment fields on the parent page, exfiltrating data as users type.

    PostMessage iframe Spoofing: Applications use postMessage for legitimate iframe communication. Attackers inject malicious iframes that send fraudulent “payment complete” messages, tricking applications into confirming orders without real payments being received.

    CSS-Based Data Exfiltration: Even with strict CSP, attackers inject CSS that leaks data. Using attribute selectors on input fields, they make browsers request unique URLs for each character typed, effectively sending credit card numbers one digit at a time to attacker-controlled servers.

    iframe Overlay Attacks: As demonstrated in the Stripe campaign, attackers hide legitimate payment iframes and overlay them with malicious replicas that perfectly mimic the original appearance while capturing all entered data.

    Risk-Based Implementation Priority

    Not all iframe threats are equal. Security teams should prioritize defenses based on this risk matrix:

    Start with iframe monitoring and strict CSP; these two controls prevent the majority of documented iframe attacks while requiring minimal development effort.

    While advanced monitoring requires more development effort than basic CSP policies, organizations should assess their technical readiness before implementation. Teams with limited JavaScript expertise should start with CSP policies and external monitoring tools, while organizations with dedicated security engineering resources can implement the full 10-hour monitoring solution that prevents attacks costing an average of $2M in breach remediation. Consider partnering with your payment processor’s security team during initial deployment to validate monitoring effectiveness against their test environments.

    A Defense-in-Depth Approach for iframes

    Effective iframe security requires layered defenses tailored for sensitive data contexts:

    1. Strict CSP with iframe Focus

    Content-Security-Policy:
      frame-src https://payments.stripe.com https://checkout.paypal.com;
      script-src 'nonce-abc123' 'strict-dynamic';
      object-src 'none';
      base-uri 'self';
      frame-ancestors 'none';

    2. Advanced iframe Monitoring

    Use a MutationObserver to monitor the DOM for unexpected iframe creation in real-time. If an iframe from a non-whitelisted source appears, remove it and trigger security alerts.

    Performance Impact: Event-driven monitoring adds <0.1ms per DOM change vs. 5-50ms for polling approaches.

    False Positive Management: Legitimate iframes may occasionally trigger alerts during normal operations (browser extensions, A/B testing tools). Implement a whitelist review process where security teams can quickly approve known-good sources, and log all alerts with context (user session, timestamp, iframe source) to identify patterns and reduce noise over time.

    3. Secure PostMessage Handling

    Never trust iframe messages without verification. Always validate event origin and message structure:
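    The following is an added example, not code from the article or from any payment provider's SDK. It shows the three checks a postMessage handler on the host page should make before it believes a message from the payment frame: the event origin is on the allowlist, the event source is the very frame the page embedded (an injected second frame from the same origin fails this), and the payload matches a tight schema. The provider origins reuse the hosts from the article's CSP; the message shape, the payment-frame element id and the /api/orders/confirm endpoint are constructed assumptions.

```javascript
// Added example, not code from the article: validating postMessage events from a
// payment iframe before acting on them. Provider origins come from the article's CSP;
// the message shape, the #payment-frame id and the /api/orders/confirm endpoint are
// constructed assumptions for illustration.

const ALLOWED_PAYMENT_ORIGINS = new Set([
  'https://payments.stripe.com',
  'https://checkout.paypal.com',
]);

const ALLOWED_MESSAGE_TYPES = new Set(['payment_complete', 'payment_failed']);

// Returns { ok: true, msg } for a message that passed every check, otherwise
// { ok: false, reason }. `expectedSource` is the contentWindow of the iframe the
// page itself created; pass null to skip that comparison (e.g. when testing).
function validatePaymentMessage(event, expectedSource) {
  // 1. Origin check: a spoofed frame injected into the page has a different origin.
  if (!ALLOWED_PAYMENT_ORIGINS.has(event.origin)) {
    return { ok: false, reason: 'untrusted origin ' + String(event.origin) };
  }
  // 2. Source check: even a frame from the real provider origin is rejected
  //    unless it is the one frame this page embedded.
  if (expectedSource && event.source !== expectedSource) {
    return { ok: false, reason: 'message did not come from the embedded payment frame' };
  }
  // 3. Schema check: only the fields we expect, with tight formats.
  const data = event.data;
  if (typeof data !== 'object' || data === null) {
    return { ok: false, reason: 'payload is not an object' };
  }
  if (!ALLOWED_MESSAGE_TYPES.has(data.type)) {
    return { ok: false, reason: 'unknown message type ' + String(data.type) };
  }
  if (typeof data.paymentIntentId !== 'string' ||
      !/^[A-Za-z0-9_]{8,64}$/.test(data.paymentIntentId)) {
    return { ok: false, reason: 'malformed paymentIntentId' };
  }
  return { ok: true, msg: { type: data.type, paymentIntentId: data.paymentIntentId } };
}

// Browser wiring; skipped when the file runs under Node.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const frame = document.getElementById('payment-frame'); // assumed element id
  window.addEventListener('message', (event) => {
    const result = validatePaymentMessage(event, frame ? frame.contentWindow : null);
    if (!result.ok) {
      console.warn('dropped payment message:', result.reason);
      return;
    }
    // A client-side "payment_complete" is never proof of payment: the server must
    // confirm the intent with the provider's API before the order is fulfilled.
    fetch('/api/orders/confirm', {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify(result.msg),
    });
  });
  // When the page talks to the frame, name the target origin instead of '*'.
  if (frame) {
    frame.contentWindow.postMessage({ type: 'init' }, 'https://payments.stripe.com');
  }
}
```

    The server-side confirmation is the part that defeats the fraudulent “payment complete” messages described above: even a message that passes all three client checks only triggers a lookup against the provider, never an order confirmation on its own.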

    4. Subresource Integrity for External Scripts

    5. Context-Aware Encoding

    Store raw data and apply encoding specifically for each context, HTML entities for content near iframes, JavaScript escaping for iframe communication scripts, and URL encoding when passed to iframe src parameters.
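    As an added example (not from the article), here is one encoder per output context, applied at the point of use while the stored value stays raw: HTML entity encoding for text near the iframe, JavaScript string escaping for values embedded in an iframe communication script, and URL building with URLSearchParams for values passed in an iframe src. The checkout URL and parameter names are constructed.

```javascript
// Added example, not from the article: one encoder per output context.
// Function names and the checkout URL are constructed for illustration.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// For text or attribute values placed in HTML near the payment iframe.
function encodeForHtml(value) {
  return String(value).replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}

// For a value embedded inside a JavaScript string literal, e.g. in the script that
// talks to the payment frame. Escapes quotes, backslashes, line terminators and the
// angle brackets that could otherwise close a <script> block early.
function encodeForJsString(value) {
  return String(value).replace(/[\\'"<>\u2028\u2029\n\r\t]/g,
    ch => '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// For values passed as query parameters of an iframe src: URLSearchParams percent-encodes
// every parameter, so a value cannot add parameters or change the frame's origin.
function buildPaymentFrameSrc(base, params) {
  const url = new URL(base);
  for (const [key, value] of Object.entries(params)) {
    url.searchParams.set(key, String(value));
  }
  return url.toString();
}
```

    The recurring mistake these replace is a single “sanitize on input” pass: a value that is safe inside an HTML text node is not safe inside a script string or a URL, so the encoding has to be chosen by where the value is about to land.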

    6. Real-time iframe Validation (Performance-Optimized)

    Implement checks to ensure iframe sources match expected payment processors and haven’t been tampered with:

    Performance Impact: Reduces validation overhead while maintaining security effectiveness by triggering only on user interaction with payment elements.
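    Steps 2 and 6 describe the same mechanism from two angles, so here is one added example (my own code, not the article's) that covers both: an audit of each iframe against an allowlist of payment origins plus the sandbox and overlay conditions the article describes, a MutationObserver that runs the audit on every iframe added or re-pointed in the DOM, and a re-sweep triggered only when a user focuses a payment field. The audit logic is plain functions so it runs under Node; the observer wiring only runs in a browser. The allowed origins reuse the hosts from the article's CSP; the #checkout container id and the /security/iframe-alert endpoint are assumptions.

```javascript
// Added example, not from the article: allowlist audit of iframes plus MutationObserver
// monitoring (sections 2 and 6). Origins come from the article's CSP; the #checkout
// container id and /security/iframe-alert endpoint are constructed assumptions.

const ALLOWED_FRAME_ORIGINS = new Set([
  'https://payments.stripe.com',
  'https://checkout.paypal.com',
]);

// True only for an absolute https URL whose origin is on the allowlist. Relative URLs,
// javascript:, data:, about:blank and look-alike hosts all fail.
function isAllowedFrameSrc(src) {
  if (typeof src !== 'string' || src === '') return false;
  let url;
  try { url = new URL(src); } catch (e) { return false; }
  if (url.protocol !== 'https:') return false;
  return ALLOWED_FRAME_ORIGINS.has(url.origin);
}

// Audit a plain description of an iframe ({ src, srcdoc, sandbox, hidden }).
// Returns a list of problems; an empty list means the frame looks as expected.
function auditFrame(desc) {
  const problems = [];
  if (!isAllowedFrameSrc(desc.src)) {
    problems.push('src not on the payment allowlist: ' + String(desc.src));
  }
  if (desc.srcdoc) {
    problems.push('srcdoc iframe is never expected on a payment page');
  }
  const sandbox = String(desc.sandbox || '');
  if (sandbox.includes('allow-same-origin') && sandbox.includes('allow-scripts')) {
    problems.push('sandbox grants allow-same-origin together with allow-scripts');
  }
  if (desc.hidden) {
    problems.push('iframe is hidden; a concealed payment frame is the overlay pattern');
  }
  return problems;
}

// Run the audit over a list of descriptions (from document.querySelectorAll('iframe')
// via describeFrame, or constructed for tests) and keep only the offenders.
function findRogueFrames(descs) {
  return descs
    .map(desc => ({ frame: desc, problems: auditFrame(desc) }))
    .filter(r => r.problems.length > 0);
}

// Browser-only: turn a real <iframe> element into a description for auditFrame.
function describeFrame(el) {
  const cs = window.getComputedStyle(el);
  return {
    src: el.getAttribute('src') || '',
    srcdoc: el.hasAttribute('srcdoc'),
    sandbox: el.getAttribute('sandbox') || '',
    hidden: cs.display === 'none' || cs.visibility === 'hidden' || Number(cs.opacity) === 0,
  };
}

if (typeof MutationObserver !== 'undefined' && typeof document !== 'undefined') {
  const handle = (el) => {
    const desc = describeFrame(el);
    const problems = auditFrame(desc);
    if (problems.length === 0) return;
    // Remove frames that should not exist at all; a hidden or mis-sandboxed frame from an
    // allowed origin is only reported, so a legitimate checkout is not torn down by mistake.
    if (!isAllowedFrameSrc(desc.src) || desc.srcdoc) el.remove();
    navigator.sendBeacon('/security/iframe-alert', JSON.stringify({
      problems, src: desc.src, page: location.href, ts: Date.now(),
    }));
  };
  const observer = new MutationObserver((records) => {
    for (const r of records) {
      if (r.type === 'attributes' && r.target.tagName === 'IFRAME') handle(r.target);
      for (const node of r.addedNodes) {
        if (node.nodeType !== 1) continue;
        if (node.tagName === 'IFRAME') handle(node);
        else if (node.querySelectorAll) node.querySelectorAll('iframe').forEach(handle);
      }
    }
  });
  observer.observe(document.documentElement, {
    childList: true, subtree: true, attributes: true,
    attributeFilter: ['src', 'srcdoc', 'sandbox'],
  });
  document.querySelectorAll('iframe').forEach(handle); // frames present before we started
  // Section 6: re-sweep only when the user touches the payment area (assumed #checkout).
  document.addEventListener('focusin', (e) => {
    if (e.target.closest && e.target.closest('#checkout')) {
      document.querySelectorAll('iframe').forEach(handle);
    }
  });
}
```

    The observer fires per DOM change, which is where the event-driven cost figure in step 2 comes from; the focus-triggered sweep is the cheap re-validation step 6 asks for. Alerts carry the source, page and timestamp so the allowlist review process described under false positives has the context it needs.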

    PCI DSS 4.0.1 Compliance Reality

    The Payment Card Industry Data Security Standard now places greater emphasis on securing pages that host payment iframes. Key requirements include:

    • Requirement 6.4.3: All scripts on payment pages hosting iframes must be managed and authorized
    • Requirement 11.6.1: Change detection mechanisms must monitor payment pages for unauthorized iframe modifications

    The shared responsibility model means merchants must secure the iframe hosting environment, closing gaps that iframe injection attacks exploit.

    The Bottom Line

    • The Paradigm Has Shifted: An iframe’s security is irrelevant if the host page is compromised. Attackers are no longer breaking the iframe; they are exploiting the blind spots around it.
    • The Proof is in the Wild: The Stripe skimmer campaign uses pixel-perfect overlays to make theft invisible, proving that traditional, static security policies are now obsolete.
    • Active Defense is Mandatory: A layered, zero-trust strategy is the only viable solution. This requires combining a strict CSP with proactive, real-time monitoring for unauthorized DOM changes.
    • This is Not a Theoretical Threat: These vulnerabilities are being actively exploited now. In this environment, passive security is guaranteed to fail.

    The critical question for any organization with a web presence: Will you implement these six defense strategies this quarter, or wait until you become another statistic in a data breach report? Start with iframe monitoring today—it can be implemented in under an hour and will immediately reveal your exposure.


    Source: thehackernews.com…

  • New YiBackdoor Malware Shares Major Code Overlaps with IcedID and Latrodectus

    Sep 24, 2025 | Ravie Lakshmanan | Malware / Windows Security

    Cybersecurity researchers have disclosed details of a new malware family dubbed YiBackdoor that has been found to share “significant” source code overlaps with IcedID and Latrodectus.

    “The exact connection to YiBackdoor is not yet clear, but it may be used in conjunction with Latrodectus and IcedID during attacks,” Zscaler ThreatLabz said in a Tuesday report. “YiBackdoor is able to execute arbitrary commands, collect system information, capture screenshots, and deploy plugins that dynamically expand the malware’s functionality.”

    The cybersecurity company said it first identified the malware in June 2025, adding it may be serving as a precursor to follow-on exploitation, such as facilitating initial access for ransomware attacks. Only limited deployments of YiBackdoor have been detected to date, indicating it’s currently either under development or being tested.

    Given the similarities between YiBackdoor, IcedID, and Latrodectus, it’s being assessed with medium to high confidence that the new malware is the work of the same developers who are behind the other two loaders. It’s also worth noting that Latrodectus, in itself, is believed to be a successor of IcedID.

    YiBackdoor features rudimentary anti-analysis techniques to evade virtualized and sandboxed environments, while incorporating capabilities to inject the core functionality into the “svchost.exe” process. Persistence on the host is achieved by using the Windows Run registry key.

    “YiBackdoor first copies itself (the malware DLL) into a newly created directory under a random name,” the company said. “Next, YiBackdoor adds regsvr32.exe malicious_path in the registry value name (derived using a pseudo-random algorithm) and self-deletes to hinder forensic analysis.”

    An embedded encrypted configuration within the malware is used to extract the command-and-control (C2) server, after which it establishes a connection to receive commands in HTTP responses –

    • Systeminfo, to collect system metadata
    • screen, to take a screenshot
    • CMD, to execute a system shell command using cmd.exe
    • PWS, to execute a system shell command using PowerShell
    • plugin, to pass a command to an existing plugin and transmit the results back to the server
    • task, to initialize and execute a new plugin that’s Base64-encoded and encrypted

    Zscaler’s analysis of YiBackdoor has uncovered a number of code overlaps between YiBackdoor, IcedID, and Latrodectus, including the code injection method, the format and length of the configuration decryption key, and the decryption routines for the configuration blob and the plugins.

    “YiBackdoor by default has somewhat limited functionality, however, threat actors can deploy additional plugins that expand the malware’s capabilities,” Zscaler said. “Given the limited deployment to date, it is likely that threat actors are still developing or testing YiBackdoor.”

    New Versions of ZLoader Spotted

    The development comes as the cybersecurity firm examined two new versions of ZLoader (aka DELoader, Terdot, or Silent Night) – 2.11.6.0 and 2.13.7.0 – that incorporate further improvements to its code obfuscation, network communications, anti-analysis techniques, and evasion capabilities.

    Notable among the changes are LDAP-based network discovery commands that can be leveraged for network discovery and lateral movement, as well as an enhanced DNS-based network protocol that utilizes custom encryption with the option of using WebSockets.

    Attacks distributing the malware loader are said to be more precise and targeted, being deployed only against a small number of entities rather than in an indiscriminate fashion.

    “ZLoader 2.13.7.0 includes improvements and updates to the custom DNS tunnel protocol for command-and-control (C2) communications, along with added support for WebSockets,” Zscaler said. “ZLoader continues to evolve its anti-analysis strategies, leveraging innovative methods to evade detection.”


    Source: thehackernews.com…

  • How One Bad Password Ended a 158-Year-Old Business

    Most businesses don’t make it past their fifth birthday – studies show that roughly 50% of small businesses fail within the first five years. So when KNP Logistics Group (formerly Knights of Old) celebrated more than a century and a half of operations, it had mastered the art of survival. For 158 years, KNP adapted and endured, building a transport business that operated 500 trucks across the UK. But in June 2025, one easily guessed password brought down the company in a matter of days.

    The Northamptonshire-based firm fell victim to the Akira ransomware group after hackers gained access by guessing an employee’s weak password. Attackers didn’t need a sophisticated phishing campaign or a zero-day exploit – all they needed was a password so simple that cybercriminals could guess it correctly.

    When basic security fails, everything falls

    No matter what advanced security mechanisms your organization has in place, everything falls if basic security measures fail. In the KNP attack, Akira targeted the company’s internet-facing systems, found an employee credential without multi-factor authentication, and guessed the password. Once inside, they deployed their ransomware payload across the company’s entire digital infrastructure.

    But the hackers didn’t stop at encrypting critical business data. They also destroyed KNP’s backups and disaster recovery systems, ensuring that the company had no path to recovery without paying their ransom. The criminals demanded an estimated £5 million – money the transport company didn’t have.

    KNP had industry-standard IT compliance and cyber-attack insurance, but none of these protections were enough to keep the organization going. Operations came to a standstill. Every truck was sidelined. All business data remained locked away. The cyber crisis team brought in by insurers described it as “the worst-case scenario” for any organization. Within weeks, KNP entered administration, and 700 employees lost their jobs.

    The password problem persists

    KNP’s story illustrates a weakness that continues to plague organizations across the globe. Research from Kaspersky analyzing 193 million compromised passwords found that 45% could be cracked by hackers within a minute. And when attackers can simply guess or quickly crack credentials, even the most established businesses become vulnerable. Individual security lapses can have organization-wide consequences that extend far beyond the person who chose “Password123” or left their birthday as their login credential.

    Interested to know how many weak passwords are currently being used in your Active Directory? Run a free, read-only scan with Specops Password Auditor: Download here.

    Beyond financial damage

    KNP’s collapse demonstrates that ransomware attacks create consequences far beyond an immediate financial loss. Seven hundred families lost their primary income source. A company with nearly two centuries of history disappeared overnight. And Northamptonshire’s economy lost a significant employer and service provider.

    For companies that survive ransomware attacks, reputational damage often compounds the initial blow. Organizations face ongoing scrutiny from customers, partners, and regulators who question their security practices. Stakeholders seek accountability for data breaches and operational failures, leading to legal liabilities.

    The UK’s growing ransomware crisis

    KNP joins an estimated 19,000 UK businesses that suffered ransomware attacks last year, according to government surveys. High-profile victims have included major retailers like M&S, Co-op, and Harrods, demonstrating that no organization is too large or established to be targeted.

    It’s only getting easier. Criminal gangs have lowered the barrier to entry by offering ransomware-as-a-service platforms and social engineering tactics that don’t require advanced technical skills. Attackers now routinely call IT helpdesks to trick their way into corporate systems, exploiting human psychology rather than software vulnerabilities.

    Industry research suggests the typical UK ransom demand reaches approximately £4 million, with about one-third of companies choosing to pay rather than risk total business loss. But payment doesn’t guarantee data recovery or prevent future attacks – it simply funds criminal operations that target other organizations.

    Building resilient defenses

    The KNP incident highlights that security controls are your organization’s most critical defense against ransomware. When a single weak credential can destroy decades (or centuries) of business operations, you can’t afford to treat password security as an afterthought. To build resilient defenses, you should:

    Implement strong password policies: Your first defense is strong password policies, backed by breached password detection. You can significantly reduce the risk of successful credential attacks by blocking weak and commonly compromised passwords while enforcing the creation of long, complex passphrases.

    For the greatest level of protection, consider implementing an automated solution like Specops Password Policy. It continuously scans Active Directory credentials against billions of known breached passwords, helping your organization enforce strong password policies while preventing easily guessable credentials like the one that brought down KNP.

    Enable multi-factor authentication: Even when passwords are compromised, additional authentication factors can prevent unauthorized access to critical systems. KNP’s lack of MFA on internet-facing systems allowed attackers to walk through an open door once they guessed the initial credentials.

    To increase your security, add a second layer of protection to your systems using a multi-factor authentication solution like Specops Secure Access. Not only does Secure Access help better protect your organization against password attacks, but it can also help you fulfill compliance and cybersecurity insurance requirements.

    Implement zero-trust architecture and least privilege access controls: Beyond password and authentication protections, you need to limit what attackers can do if they get inside your network. Zero-trust architectures assume compromise and verify every access request, regardless of the user’s location or previous authentication status. Least privilege access controls work hand-in-hand with this approach, limiting lateral movement within networks and ensuring that a single breached account cannot unlock every organizational resource.

    Perform regular backup testing and recovery: Your organization must ensure its backup systems remain isolated from primary networks and regularly test restoration procedures. When ransomware strikes, functional backups often determine whether a company survives or follows KNP into administration.

    If the destruction of a 158-year-old company by a single guessed password gives you an awful feeling in the pit of your stomach, it should: cybersecurity failures have real-world consequences. Investing in security controls today costs far less than rebuilding a business from scratch – if rebuilding is an option.

    Ready to strengthen your password security? Learn more about Specops Password Policy and Specops Secure Access to protect your organization from credential-based attacks. Book a live demo today.

    This article is a contributed piece from one of our valued partners.


    Source: thehackernews.com…

  • Hackers Exploit Pandoc CVE-2025-51591 to Target AWS IMDS and Steal EC2 IAM Credentials

    Cloud security company Wiz has revealed that it uncovered in-the-wild exploitation of a security flaw in a Linux utility called Pandoc as part of attacks designed to infiltrate Amazon Web Services (AWS) Instance Metadata Service (IMDS).

    The vulnerability in question is CVE-2025-51591 (CVSS score: 6.5), which refers to a case of Server-Side Request Forgery (SSRF) that allows attackers to compromise a target system by injecting a specially crafted HTML iframe element.

    The EC2 IMDS is a crucial component of the AWS cloud environment, offering information about running instances, as well as temporary, short-lived credentials if an identity and access management (IAM) role is associated with the instance. The instance metadata is accessible to any application running on an EC2 instance via a link-local address (169.254.169[.]254).

    These credentials can then be used to securely interact with other AWS services like S3, RDS, or DynamoDB, permitting applications to authenticate without the need for storing credentials on the machine, thereby reducing the risk of accidental exposure.

    One of the common methods that attackers can use to steal IAM credentials from IMDS is via SSRF flaws in web applications. This essentially involves tricking the app running on an EC2 instance to send a request seeking IAM credentials from the IMDS service on its behalf.

    “If the application can reach the IMDS endpoint and is susceptible to SSRF, the attacker can harvest temporary credentials without needing any direct host access (such as RCE or path traversal),” Wiz researchers Hila Ramati and Gili Tikochinski said.

    An adversary looking to target AWS infrastructure can therefore search for SSRF vulnerabilities in web applications running on EC2 instances and, when found, access the instance metadata and steal IAM credentials. This is not a theoretical threat.

    As far back as early 2022, Google-owned Mandiant found that a threat actor it tracks as UNC2903 had attacked AWS environments by abusing credentials obtained using IMDS since July 2021, exploiting an SSRF flaw (CVE-2021-21311, CVSS score: 7.2) in Adminer, an open-source database management tool, to facilitate data theft.

    The issue, at its core, stems from the fact that IMDS, or more specifically IMDSv1, is a request and response protocol, making it an attractive target for bad actors who target exploitable web applications that also run IMDSv1.

    In a report published last month, Resecurity warned that when SSRF is exploited against cloud infrastructure like AWS, it can have “severe and far-reaching” consequences, resulting in cloud credential theft, network reconnaissance, and unauthorized access to internal services.

    “Since SSRF originates from within the server, it can reach endpoints protected by perimeter firewalls. This effectively turns the vulnerable application into a proxy, allowing the attacker to: Bypass IP whitelists [and] reach otherwise unreachable internal assets,” it said.

    The latest findings from Wiz demonstrate that attacks targeting the IMDS service are continuing to take place, with adversaries leveraging SSRF vulnerabilities in little-known applications like Pandoc to enable them.

    “The vulnerability, tracked as CVE-2025-51591, stems from Pandoc rendering <iframe> tags in HTML documents,” Wiz researchers said. “This would allow an attacker to craft an <iframe> that points to the IMDS server, or other private resources.”

    “The attacker submitted crafted HTML documents containing <iframe> elements whose src attributes targeted the AWS IMDS endpoint at 169.254.169[.]254. The objective was to render and exfiltrate the content of sensitive paths, specifically /latest/meta-data/iam/info and /latest/meta-data/iam.”

    Wiz said the attack was ultimately unsuccessful because of the enforcement of IMDSv2, which is session-oriented and mitigates the SSRF attack by first requiring a user to get a token and use that token in all requests to the IMDS via a special header (X-aws-ec2-metadata-token).

    The company told The Hacker News that it observed in-the-wild exploitation attempts “dating back to August and continuing for a few weeks,” adding it also found continued efforts on the part of unknown threat actors to abuse another SSRF flaw in ClickHouse to unsuccessfully breach a target’s Google Cloud Platform.

    To mitigate the risk posed by CVE-2025-51591 in cloud environments, it’s advised to use the “-f html+raw_html” option or the “--sandbox” option to prevent Pandoc from including the contents of iframe elements through the src attribute.

    “[Pandoc maintainers] decided that rendering iframes is the intended behavior and that the user is responsible to either sanitize the input or use the sandbox flags when handling user inputs,” Wiz said.
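    Two defender-side checks for the points above, as an added example that is not part of the article or of Wiz’s, AWS’s or Pandoc’s code: a simplified model of IMDSv1 versus IMDSv2 request handling, showing why an iframe fetch (a bare GET) cannot obtain credentials once a session token is required, and a pre-check that flags iframe src values aimed at the metadata address before untrusted HTML is handed to pandoc. The model omits IMDSv2’s hop-limit and forwarded-header checks; FAKE_METADATA and SAMPLE_HTML are constructed.

```python
"""Added example (not Wiz's, AWS's or Pandoc's code). imds_handle() is a
simplified model of the metadata service (no hop-limit or X-Forwarded-For
handling); FAKE_METADATA and SAMPLE_HTML are constructed test data."""
import ipaddress
import secrets
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Addresses the metadata service answers on: the IPv4 link-local one named in
# the article and the IPv6 endpoint.
IMDS_HOSTS = {"169.254.169.254", "fd00:ec2::254"}
# Constructed stand-in; the real service returns role credentials under /iam/.
FAKE_METADATA = {"/latest/meta-data/iam/info": '{"InstanceProfileArn": "arn:aws:iam::000000000000:instance-profile/demo"}'}
_session_tokens = set()


def imds_handle(method, path, headers, version):
    """Answer one request as IMDSv1 (version=1) or IMDSv2 (version=2) would.
    Returns (status, body)."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if version == 2:
        # Session start: a PUT with a TTL header yields a token. An <iframe src=...>
        # fetch is a bare GET, so it can never complete this step.
        if method == "PUT" and path == "/latest/api/token":
            if "x-aws-ec2-metadata-token-ttl-seconds" not in hdrs:
                return 400, ""
            token = secrets.token_urlsafe(32)
            _session_tokens.add(token)
            return 200, token
        # Every other request must present a token issued above.
        if hdrs.get("x-aws-ec2-metadata-token") not in _session_tokens:
            return 401, ""
    if method != "GET":
        return 405, ""
    body = FAKE_METADATA.get(path)
    return (200, body) if body is not None else (404, "")


class _IframeSrcCollector(HTMLParser):
    # Collects src attributes of <iframe> elements (HTMLParser lowercases names).
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.srcs.extend(v for k, v in attrs if k == "src" and v)


def _points_at_metadata(src):
    host = urlsplit(src.strip()).hostname  # None for relative or malformed values
    if not host:
        return False
    if host in IMDS_HOSTS:
        return True
    try:  # any other link-local IPv4 target is treated the same way
        return ipaddress.ip_address(host).is_link_local
    except ValueError:
        return False


def find_metadata_iframes(html):
    """Return iframe src values in untrusted HTML that target the metadata service.
    A screen for rejecting or logging documents; pandoc's --sandbox or
    -f html+raw_html options remain the actual mitigation."""
    collector = _IframeSrcCollector()
    collector.feed(html)
    return [s for s in collector.srcs if _points_at_metadata(s)]


# Constructed document: one benign iframe and one aimed at the metadata service.
SAMPLE_HTML = (
    "<html><body><p>report</p>"
    '<iframe src="https://example.org/embed"></iframe>'
    '<iframe src="http://169.254.169.254/latest/meta-data/iam/info"></iframe>'
    "</body></html>"
)
```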

    “Although Amazon recommends implementing the IMDSv2 with GuardDuty enhancements, EC2 instances created by Amazon customers that instead use IMDSv1 may be at risk when combined with also running unpatched vulnerable third party software,” Mandiant researchers warned at the time.

    Organizations are recommended to enforce IMDSv2 across all EC2 instances and ensure that instances are assigned roles that follow the principle of least privilege (PoLP) to contain the blast radius in the event of an IMDS compromise.


    Source: thehackernews.com…

  • State-Sponsored Hackers Exploiting Libraesva Email Security Gateway Vulnerability

    Sep 24, 2025Ravie LakshmananVulnerability / Email Security

    Libraesva Email Security Gateway Vulnerability

    Libraesva has released a security update to address a vulnerability in its Email Security Gateway (ESG) solution that it said has been exploited by state-sponsored threat actors.

    The vulnerability, tracked as CVE-2025-59689, carries a CVSS score of 6.1, indicating medium severity.

    “Libraesva ESG is affected by a command injection flaw that can be triggered by a malicious email containing a specially crafted compressed attachment, allowing potential execution of arbitrary commands as a non-privileged user,” Libraesva said in an advisory.

    “This occurs due to an improper sanitization during the removal of active code from files contained in some compressed archive formats.”

    In a hypothetical attack scenario, an attacker could exploit the flaw by sending an email containing a specially crafted compressed archive, allowing a threat actor to leverage the application’s improper sanitization logic to ultimately execute arbitrary shell commands.

    The shortcoming affects Libraesva ESG versions 4.5 through 5.5.x before 5.5.7, with fixes released in 5.0.31, 5.1.20, 5.2.31, 5.3.16, 5.4.8, and 5.5.7. Libraesva noted in the alert that versions below 5.0 have reached end-of-support and must be manually upgraded to a supported release.

    The Italian email security company also acknowledged that it has identified one confirmed incident of abuse, and that the threat actor is “believed to be a foreign hostile state entity.” It did not share any further details on the nature of the activity, or who may be behind it.

    “The single‑appliance focus underscores the precision of the threat actor (believed to be a foreign hostile state) and highlights the importance of rapid, comprehensive patch deployment,” Libraesva said, adding it deployed a fix within 17 hours of flagging the abuse.

    In light of active exploitation, it’s essential that users of the ESG software update their instances to the latest version as soon as possible to mitigate potential threats.


    Source: thehackernews.com…

  • Two New Supermicro BMC Bugs Allow Malicious Firmware to Evade Root of Trust Security

    Sep 23, 2025Ravie LakshmananFirmware Security / Vulnerability

    Cybersecurity researchers have disclosed details of two security vulnerabilities impacting Supermicro Baseboard Management Controller (BMC) firmware that could potentially allow attackers to bypass crucial verification steps and update the system with a specially crafted image.

    The medium-severity vulnerabilities, both of which stem from improper verification of a cryptographic signature, are listed below –

    • CVE-2025-7937 (CVSS score: 6.6) – A crafted firmware image can bypass the Supermicro BMC firmware verification logic of Root of Trust (RoT) 1.0 to update the system firmware by redirecting the program to a fake “fwmap” table in the unsigned region
    • CVE-2025-6198 (CVSS score: 6.4) – A crafted firmware image can bypass the Supermicro BMC firmware verification logic of the Signing Table to update the system firmware by redirecting the program to a fake signing table (“sig_table”) in the unsigned region

    The image validation process carried out during a firmware update takes place over three steps: retrieve the public key from the BMC SPI flash chip; process the “fwmap” or “sig_table” table embedded in the uploaded image; and compute a cryptographic hash digest of all “signed” firmware regions and verify the signature value against that digest.

    Firmware security company Binarly, which has been credited with discovering and reporting the two shortcomings, said CVE-2025-7937 is a bypass for CVE-2024-10237, which was disclosed by Supermicro in January 2025. The vulnerability was originally discovered by NVIDIA, alongside CVE-2024-10238 and CVE-2024-10239.

    CVE-2024-10237 is a “logical flaw in the validation process of the uploaded firmware, which could ultimately result in the BMC SPI chip being reflashed with a malicious image,” Binarly researcher Anton Ivanov said in a report shared with The Hacker News. “This security issue could allow potential attackers to gain complete and persistent control of both the BMC system and the main server OS.”

    “This vulnerability demonstrated that the validation process could be manipulated by adding custom entries to the ‘fwmap’ table and relocating the original signed content of the image to unreserved firmware space, which ensures that the calculated digest still matches the signed value.”

    On the other hand, CVE-2024-10238 and CVE-2024-10239 are two stack overflow flaws in the firmware’s image verification function, allowing an attacker to execute arbitrary code in the BMC context.

    Binarly’s analysis found the fix for CVE-2024-10237 to be insufficient, identifying a potential attack pathway by which a custom “fwmap” table can be inserted before the original one, which is then used during the validation process. This essentially enables the threat actor to run custom code in the context of the BMC system.

    Further investigation into the implementation of the firmware validation logic in the X13SEM-F motherboard determined a flaw within the “auth_bmc_sig” function that could permit an attacker to load a malicious image without modifying the hash digest value.

    “Once again, as all the regions used for the digest calculation are defined in the uploaded image itself (in the ‘sig_table’), it is possible to modify it, along with some other parts of the image – for example, the kernel – and move the original data to unused space in the firmware,” Ivanov said. “This means that the signed data digest will still match the original value.”

    Successful exploitation of CVE-2025-6198 can not only update the BMC system with a specially crafted image, but also get around the BMC RoT security feature.
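    As an added toy model of the design flaw common to both bugs (not Binarly’s or Supermicro’s code), the table-driven verifier below lets the image’s own table decide which regions are digested, so an image whose table has been rewritten to point at relocated original bytes still verifies, while a verifier that does not take the region map from unsigned data rejects it. The image layout, the use of HMAC-SHA256 in place of the real public-key signature, and SIGNING_KEY are all assumptions made for the demonstration.

```python
"""Added toy model (not Binarly's or Supermicro's code). Image layout, the
HMAC-SHA256 stand-in for the real public-key signature and SIGNING_KEY are
all constructed for the demonstration."""
import hashlib
import hmac
import struct

SIGNING_KEY = b"constructed-demo-key"   # stand-in for the vendor's private key
SIG_LEN = 32
TABLE_OFF = SIG_LEN + 4                  # image = signature | uint32 table offset | body
# Region map the hardened verifier trusts: a 2-entry table (4-byte count plus two
# 8-byte (offset, length) pairs = 20 bytes) followed by two 16-byte signed regions.
FIXED_REGIONS = [(TABLE_OFF + 20, 16), (TABLE_OFF + 36, 16)]


def _pack_table(regions):
    return struct.pack("<I", len(regions)) + b"".join(struct.pack("<II", o, n) for o, n in regions)


def _parse_table(image):
    (table_off,) = struct.unpack_from("<I", image, SIG_LEN)
    (count,) = struct.unpack_from("<I", image, table_off)
    return [struct.unpack_from("<II", image, table_off + 4 + 8 * i) for i in range(count)]


def _digest(image, regions):
    h = hashlib.sha256()
    for off, length in regions:
        h.update(image[off:off + length])
    return h.digest()


def _signature(digest):
    return hmac.new(SIGNING_KEY, digest, hashlib.sha256).digest()


def build_signed_image(region_a, region_b):
    """Vendor side: lay out the table and two regions, sign the digest of the regions."""
    assert len(region_a) == len(region_b) == 16
    body = _pack_table(FIXED_REGIONS) + region_a + region_b
    unsigned = b"\0" * SIG_LEN + struct.pack("<I", TABLE_OFF) + body
    return _signature(_digest(unsigned, FIXED_REGIONS)) + unsigned[SIG_LEN:]


def verify_table_driven(image):
    """Flawed design: the unsigned table inside the image decides which bytes are hashed."""
    expected = _signature(_digest(image, _parse_table(image)))
    return hmac.compare_digest(image[:SIG_LEN], expected)


def verify_fixed_layout(image):
    """Hardened design: the region map is not taken from unsigned data."""
    expected = _signature(_digest(image, FIXED_REGIONS))
    return hmac.compare_digest(image[:SIG_LEN], expected)


def rearranged_image(signed, new_region_a):
    """Negative test fixture modelling the article's description: region A is
    replaced in place, the original bytes are appended to unused space, and the
    table is rewritten to point at them. The signature is left untouched."""
    a_off, b_off = FIXED_REGIONS[0][0], FIXED_REGIONS[1][0]
    orig_a, orig_b = signed[a_off:a_off + 16], signed[b_off:b_off + 16]
    tail = len(signed)
    table = _pack_table([(tail, 16), (tail + 16, 16)])
    return signed[:TABLE_OFF] + table + new_region_a + orig_b + orig_a + orig_b
```

The table-driven check accepts the rearranged image because the digest of the bytes its table points at is unchanged, while the fixed-layout check sees the replaced region and fails.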

    “Previously, we reported the discovery of the test key on Supermicro devices, and their PSIRT doubled down that the hardware RoT (Root of Trust) authenticates the key and has no impact on this discovery,” Alex Matrosov, CEO and Head of Research at Binarly, told The Hacker News.

    “However, new research shows that the previous statement from Supermicro is not accurate, and CVE-2025-6198 bypasses the BMC RoT. In this case, any leak of the signing key will impact the entire ecosystem. Reusing the signing key is not the best approach, and we recommend at least rotating the signing keys per product line. Based on previous incidents like PKfail and the Intel Boot Guard key leakage, the reuse of cryptographic signing keys could cause an industry-wide impact.”


    Source: thehackernews.com…

  • Eurojust Arrests 5 in €100M Cryptocurrency Investment Fraud Spanning 23 Countries

    Sep 23, 2025Ravie LakshmananFinancial Crime / Cryptocurrency

    Law enforcement authorities in Europe have arrested five suspects in connection with an “elaborate” online investment fraud scheme that stole more than €100 million ($118 million) from over 100 victims in France, Germany, Italy, and Spain.

    According to Eurojust, the coordinated action saw searches in five places across Spain and Portugal, as well as in Italy, Romania and Bulgaria. Bank accounts and other financial assets associated with the cybercrime ring were frozen.

    The main perpetrator behind the operation has been accused of large-scale fraud and money laundering by running an online investment platform for several years, tricking unsuspecting individuals into parting with their funds by promising them high returns on investments in various cryptocurrencies.

    Once the deposits were made, the funds were transferred to bank accounts in Lithuania to launder them. Victims who attempted to withdraw their assets from the platform were asked to pay additional fees, after which the website used to conduct the scam vanished.

    A number of judicial and law enforcement agencies from Bulgaria, Italy, Lithuania, Portugal, Romania, and Spain participated in the fraud scheme investigation.

    “This fraud had been running since at least 2018, and covered 23 different countries, for instance, either as areas used to divert proceeds of the scam or as locations where victims were based,” Eurojust, which coordinated the effort along with support from Europol, said.

    According to the U.S. Federal Trade Commission (FTC), Americans lost a record $12.5 billion to fraud in 2024, a 25% increase from the previous year, with investment scams resulting in the highest losses, touching $5.7 billion, up from $4.6 billion in 2023 and $3.8 billion in 2022.

    “A majority (79%) of people who reported an investment-related scam lost money, with a median loss of over $9,000,” the FTC said. “People lost over $3 billion to scams that started online, compared to approximately $1.9 billion lost to more ‘traditional’ contact methods like calls, texts, or emails.”

    The disclosure comes as Chainalysis revealed how a Venus Protocol user was targeted on September 2, 2025, in a social engineering attack, and how early detection and swift action enabled the recovery of stolen funds worth approximately $13 million.

    “The attack was rooted in social engineering: malicious actors used a compromised Zoom client to gain system access,” Chainalysis said.

    Image Source: Chainalysis

    “After infiltrating the victim’s machine, the attackers manipulated the user into submitting a blockchain transaction, which granted them delegate status over the account. This gave them direct control to borrow and redeem assets on behalf of the victim, effectively draining funds.”

    The blockchain analytics company said Venus paused its protocol within 20 minutes of the malicious transaction taking place, effectively preventing the attacker from moving the funds further. Over the next 12 hours, Venus force-liquidated the attacker’s wallet, recovered the stolen funds, and resumed full service.

    “Venus passed a governance proposal to freeze $3 million in assets still controlled by the attacker,” Chainalysis noted. “Not only did the attacker fail to profit; they actually lost $3 million as a result of the community’s decisive action.”

    The Eurojust crackdown also coincides with a similar effort undertaken by the Seoul Metropolitan Police Agency (SMPA) earlier this month that disrupted a cybercrime operation, which is estimated to have stolen about $30 million from 258 high-profile victims, including corporate executives.

    “The operation was sophisticated: after successfully hacking victims’ personal information and stealing funds, the criminals would impersonate agency employees and approach victims’ family members to gather even more personal data, preparing for additional thefts,” Chainalysis noted.


    Source: thehackernews.com…