Category: Cybersecurity

  • CISA Adds Two N-able N-central Flaws to Known Exploited Vulnerabilities Catalog


    Aug 14, 2025 | Ravie Lakshmanan | Vulnerability / Network Security


    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added two security flaws impacting N-able N-central to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

    N-able N-central is a Remote Monitoring and Management (RMM) platform designed for Managed Service Providers (MSPs), allowing customers to efficiently manage and secure their clients’ Windows, Apple, and Linux endpoints from a single, unified platform.

    The vulnerabilities in question are listed below –

    • CVE-2025-8875 (CVSS score: N/A) – An insecure deserialization vulnerability that could lead to command execution
    • CVE-2025-8876 (CVSS score: N/A) – A command injection vulnerability via improper sanitization of user input

    Both shortcomings have been addressed in N-central versions 2025.3.1 and 2024.6 HF2 released on August 13, 2025. N-able is also urging customers to make sure that multi-factor authentication (MFA) is enabled, particularly for admin accounts.


    “These vulnerabilities require authentication to exploit,” N-able said in an alert. “However, there is a potential risk to the security of your N-central environment, if unpatched. You must upgrade your on-premises N-central to 2025.3.1.”

    It’s currently not known how the vulnerabilities are being exploited in real-world attacks, in what context, or at what scale. The Hacker News has reached out to N-able for comment, and we will update the story if we hear back.

    In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are recommended to apply the necessary fixes by August 20, 2025, to secure their networks.

    The development comes a day after CISA placed two long-standing security flaws affecting Microsoft Internet Explorer and Office in the KEV catalog –

    • CVE-2013-3893 (CVSS score: 8.8) – A memory corruption vulnerability in Microsoft Internet Explorer that allows for remote code execution
    • CVE-2007-0671 (CVSS score: 8.8) – A remote code execution vulnerability in Microsoft Office Excel that is triggered when a specially crafted Excel file is opened

    FCEB agencies have until September 9, 2025, to update to the latest versions, or to discontinue use of the product if it has reached end-of-life (EoL) status, as is the case with Internet Explorer.


    Source: thehackernews.com…

  • New PS1Bot Malware Campaign Uses Malvertising to Deploy Multi-Stage In-Memory Attacks


    Aug 13, 2025 | Ravie Lakshmanan | Malvertising / Cryptocurrency

    Cybersecurity researchers have discovered a new malvertising campaign that’s designed to infect victims with a multi-stage malware framework called PS1Bot.

    “PS1Bot features a modular design, with several modules delivered and used to perform a variety of malicious activities on infected systems, including information theft, keylogging, reconnaissance, and the establishment of persistent system access,” Cisco Talos researchers Edmund Brumaghin and Jordyn Dunk said.

    “PS1Bot has been designed with stealth in mind, minimizing persistent artifacts left on infected systems and incorporating in-memory execution techniques to facilitate execution of follow-on modules without requiring them to be written to disk.”

    Campaigns distributing the PowerShell and C# malware have been found to be active since early 2025, leveraging malvertising as a propagation vector, with the infection chains executing modules in memory to minimize the forensic trail. PS1Bot is assessed to share technical overlaps with AHK Bot, an AutoHotkey-based malware previously put to use by the threat actors Asylum Ambuscade and TA866.


    Furthermore, the activity cluster has been identified as overlapping with previous ransomware-related campaigns utilizing a malware named Skitnet (aka Bossnet) with an aim to steal data and establish remote control over compromised hosts.

    The starting point of the attack is a compressed archive that’s delivered to victims via malvertising or search engine optimization (SEO) poisoning. Present within the ZIP file is a JavaScript payload that serves as a downloader to retrieve a scriptlet from an external server, which then writes a PowerShell script to a file on disk and executes it.

    The PowerShell script is responsible for contacting a command-and-control (C2) server and fetching next-stage PowerShell commands that allow the operators to augment the malware’s functionality in a modular fashion and carry out a wide range of actions on the compromised host –

    • Antivirus detection, which obtains and reports the list of antivirus programs present on the infected system
    • Screen capture, which captures screenshots on infected systems and transmits the resulting images to the C2 server
    • Wallet grabber, which steals data from web browsers (and wallet extensions), application data for cryptocurrency wallet applications, and files containing passwords, sensitive strings, or wallet seed phrases
    • Keylogger, which logs keystrokes and gathers clipboard content
    • Information collection, which harvests and transmits information about the infected system and environment to the attacker
    • Persistence, which creates a PowerShell script such that it’s automatically launched when the system restarts, incorporating the same logic used to establish the C2 polling process to fetch the modules
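    As an added example (not Talos’ code), the chain described above expressed as detection logic over constructed Sysmon-style process-creation and file-creation events: a script host launching PowerShell, PowerShell running a dropped .ps1 from a user-writable path, hidden or encoded PowerShell, and a .ps1 written to the Startup folder. The field names, paths, regexes and the two-stage threshold are assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Assumption: dropped scripts land in user-writable locations such as these.
USER_WRITABLE = re.compile(r"\\(?:Temp|AppData\\(?:Local|Roaming)|Downloads)\\", re.I)
STARTUP_PS1 = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.ps1$", re.I)
HIDDEN_OR_ENCODED = re.compile(
    r"(?:-w(?:indowstyle)?\s+hidden|-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,})", re.I
)


@dataclass(frozen=True)
class Event:
    """Minimal Sysmon-like record (constructed field names, not Sysmon's own)."""
    host: str
    kind: str            # "process" (like EID 1) or "file" (like EID 11)
    pid: int
    ppid: int
    image: str           # process image, or the process that created the file
    cmdline: str = ""
    target: str = ""     # created file path, for "file" events


def _name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def stages_per_host(events: list[Event]) -> dict[str, set[str]]:
    """Map host -> the set of PS1Bot-like stages observed in its events."""
    procs = {(e.host, e.pid): e for e in events if e.kind == "process"}
    found: dict[str, set[str]] = {}
    for e in events:
        stages = found.setdefault(e.host, set())
        img = _name(e.image)
        if e.kind == "process":
            parent = procs.get((e.host, e.ppid))
            # JS downloader (wscript/cscript) handing off to PowerShell
            if parent and _name(parent.image) in SCRIPT_HOSTS and img in POWERSHELL:
                stages.add("js-downloader->powershell")
            # PowerShell executing a script written to a user-writable path
            if img in POWERSHELL and ".ps1" in e.cmdline.lower() and USER_WRITABLE.search(e.cmdline):
                stages.add("dropped-ps1-executed")
            if img in POWERSHELL and HIDDEN_OR_ENCODED.search(e.cmdline):
                stages.add("hidden-or-encoded-powershell")
        elif e.kind == "file":
            # Persistence: PowerShell writing a .ps1 that runs at logon
            if img in POWERSHELL and STARTUP_PS1.search(e.target):
                stages.add("startup-folder-persistence")
    return found


def suspicious_hosts(events: list[Event], min_stages: int = 2) -> list[str]:
    """Hosts showing at least `min_stages` distinct stages (sorted for stable output)."""
    return sorted(h for h, s in stages_per_host(events).items() if len(s) >= min_stages)


# Constructed sample telemetry: one infected workstation, one benign admin host.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE = [
    Event("ws01", "process", 100, 50, r"C:\Windows\explorer.exe"),
    Event("ws01", "process", 200, 100, r"C:\Windows\System32\wscript.exe",
          r'wscript.exe "C:\Users\jo\Downloads\invoice\setup.js"'),
    Event("ws01", "process", 300, 200, PS,
          r"powershell.exe -w hidden -ep bypass -f C:\Users\jo\AppData\Local\Temp\upd.ps1"),
    Event("ws01", "file", 300, 200, PS,
          target=r"C:\Users\jo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upd.ps1"),
    Event("admin02", "process", 400, 50, PS, r"powershell.exe -File C:\Scripts\inventory.ps1"),
]

if __name__ == "__main__":
    for host, stages in sorted(stages_per_host(SAMPLE).items()):
        print(host, sorted(stages))
    print("suspicious:", suspicious_hosts(SAMPLE))
```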

    “The information stealer module implementation leverages wordlists embedded into the stealer to enumerate files containing passwords and seed phrases that can be used to access cryptocurrency wallets, which the stealer also attempts to exfiltrate from infected systems,” Talos noted.


    “The modular nature of the implementation of this malware provides flexibility and enables the rapid deployment of updates or new functionality as needed.”

    The disclosure comes as Google said it’s leveraging artificial intelligence (AI) systems powered by large language models (LLMs) to fight invalid traffic (IVT) and more precisely identify ad placements generating invalid behaviors.

    “Our new applications provide faster and stronger protections by analyzing app and web content, ad placements and user interactions,” Google said. “For example, they’ve significantly improved our content review capabilities, leading to a 40% reduction in IVT stemming from deceptive or disruptive ad serving practices.”


    Source: thehackernews.com…

  • Zoom and Xerox Release Critical Security Updates Fixing Privilege Escalation and RCE Flaws


    Aug 13, 2025 | Ravie Lakshmanan | Vulnerability / Software Security

    Zoom and Xerox have addressed critical security flaws in Zoom Clients for Windows and FreeFlow Core that could allow privilege escalation and remote code execution.

    The vulnerability impacting Zoom Clients for Windows, tracked as CVE-2025-49457 (CVSS score: 9.6), relates to a case of an untrusted search path that could pave the way for privilege escalation.

    “Untrusted search path in certain Zoom Clients for Windows may allow an unauthenticated user to conduct an escalation of privilege via network access,” Zoom said in a security bulletin on Tuesday.

    The issue, reported by its own Offensive Security team, affects the following products –

    • Zoom Workplace for Windows before version 6.3.10
    • Zoom Workplace VDI for Windows before version 6.3.10 (except 6.1.16 and 6.2.12)
    • Zoom Rooms for Windows before version 6.3.10
    • Zoom Rooms Controller for Windows before version 6.3.10
    • Zoom Meeting SDK for Windows before version 6.3.10

    The disclosure comes as multiple vulnerabilities have been disclosed in Xerox FreeFlow Core, the most severe of which could result in remote code execution. The issues, which have been addressed in version 8.0.4, include –

    • CVE-2025-8355 (CVSS score: 7.5) – XML External Entity (XXE) injection vulnerability leading to server-side request forgery (SSRF)
    • CVE-2025-8356 (CVSS score: 9.8) – Path traversal vulnerability leading to remote code execution

    “These vulnerabilities are rudimentary to exploit and if exploited, could allow an attacker to execute arbitrary commands on the affected system, steal sensitive data, or attempt to move laterally into a given corporate environment to further their attack,” Horizon3.ai said.


    Source: thehackernews.com…

  • AI SOC 101: Key Capabilities Security Leaders Need to Know


    Aug 13, 2025 | The Hacker News | Artificial Intelligence / Threat Hunting

    Security operations have never been a 9-to-5 job. For SOC analysts, the day often starts and ends deep in a queue of alerts, chasing down what turns out to be false positives, or switching between half a dozen tools to piece together context. The work is repetitive, time-consuming, and high-stakes, leaving SOCs under constant pressure to keep up, yet often struggling to stay ahead of emerging threats. That combination of inefficiency, elevated risk, and a reactive operating model is exactly where AI-powered SOC capabilities are starting to make a difference.

    Why AI SOC is gaining traction now

    The recent Gartner Hype Cycle for Security Operations 2025 (download a complimentary copy) recognizes AI SOC Agents as an innovation trigger, reflecting a broader shift in how teams approach automation. Instead of relying solely on static playbooks or manual investigation workflows, AI SOC capabilities bring reasoning, adaptability, and context-aware decision-making into the mix.

    SOC teams report that their most pressing challenges are inefficient investigations, siloed tools, and a lack of effective automation. These issues slow response and increase risk. The latest SANS SOC Survey underscores this, showing these operational hurdles consistently outpace other concerns. AI-driven triage, investigation, and detection coverage analysis are well-positioned to address these gaps head-on.

    AI’s biggest wins in the SOC

    An AI SOC brings together a range of capabilities that strengthen and scale the core functions of a security operations center. These capabilities work alongside human expertise to improve how teams triage alerts, investigate threats, respond to incidents, and refine detections over time.

    Triage at speed and scale

    AI systems can review and prioritize every incoming alert within minutes, pulling telemetry from across the environment. True threats rise to the top quickly, while false positives are resolved without draining analyst time.

    Faster, deeper investigations and response

    By correlating data from SIEM, EDR, identity, email, and cloud platforms, AI SOC tools reduce mean time to investigate (MTTI) and mean time to respond (MTTR). This shortens dwell time and limits the opportunity for threats to spread.

    Detection engineering insights

    AI can pinpoint coverage gaps against frameworks such as MITRE ATT&CK, identify rules that need tuning, and recommend adjustments based on real investigation data. This gives detection engineers a clear view of where changes will make the most impact.

    Enabling more threat hunting

    With less time spent working alert queues, analysts can shift to proactive threat hunting. AI SOC platforms with natural language query support make it easier to explore data, run complex hunts, and surface hidden threats.

    Separating hype from reality

    The AI SOC market is filled with sweeping claims about fully autonomous SOCs and instant results. While AI can automate large portions of tier 1 and tier 2 investigations and even support tier 3 work, it is not a replacement for experienced analysts. Complex, high-impact cases still require human judgment, contextual understanding, and decision-making.

    The real value lies in shifting the balance of work. By removing repetitive triage and speeding up investigations, AI frees analysts to focus on higher-impact activities like advanced threat hunting, tuning detections, and investigating sophisticated threats. This is the work that improves both security outcomes and analyst retention.

    Guiding principles for evaluating AI SOC capabilities

    When assessing AI SOC solutions, focus on principles that determine whether they can deliver sustainable improvements to security operations:

    • Transparency and explainability – The system should provide clear, detailed reasoning for its findings, allowing analysts to trace conclusions back to the underlying data and logic. This builds trust and enables informed decision making.
    • Data privacy and security – Understand exactly where data is processed and stored, how it is protected in transit and at rest, and whether the deployment model meets your compliance requirements.
    • Integration depth – The solution should integrate seamlessly with your existing SOC stack and workflows. This includes preserving the familiar user experience of tools like SIEM, EDR, and case management systems to avoid introducing friction.
    • Adaptability and learning – AI should improve over time by incorporating analyst feedback, adapting to changes in your environment, and staying effective against evolving threats.
    • Accuracy and trust – Evaluate not just the volume of work automated, but the precision and reliability of results. A tool that closes false positives at scale but misses real threats creates more risk than it solves.
    • Time to value – Favor solutions that deliver measurable gains in investigation speed, accuracy, or coverage within weeks rather than months, without heavy customization or lengthy deployments.

    The human and AI hybrid SOC

    The most effective SOCs combine the speed and scale of AI with the contextual understanding and judgment of human analysts. This model gives people the capacity to focus on the work that matters most.

    How Prophet Security aligns with this vision

    Prophet Security helps organizations move beyond manual investigations and alert fatigue with an agentic AI SOC platform that automates triage, accelerates investigations, and ensures every alert gets the attention it deserves. By integrating across the existing stack, Prophet AI improves analyst efficiency, reduces incident dwell time, and delivers more consistent security outcomes. Security leaders use Prophet AI to maximize the value of their people and tools, strengthen their security posture, and turn daily SOC operations into measurable business results. Visit Prophet Security to request a demo and see how Prophet AI can elevate your SOC operations.

    This article is a contributed piece from one of our valued partners.


    Source: thehackernews.com…

  • Fortinet Warns About FortiSIEM Vulnerability (CVE-2025-25256) With In-the-Wild Exploit Code


    Aug 13, 2025 | Ravie Lakshmanan | Vulnerability / Network Security


    Fortinet is alerting customers to a critical security flaw in FortiSIEM for which, it said, an exploit exists in the wild.

    The vulnerability, tracked as CVE-2025-25256, carries a CVSS score of 9.8 out of a maximum of 10.0.

    “An improper neutralization of special elements used in an OS command (‘OS Command Injection’) vulnerability [CWE-78] in FortiSIEM may allow an unauthenticated attacker to execute unauthorized code or commands via crafted CLI requests,” the company said in a Tuesday advisory.

    The following versions are impacted by the flaw –

    • FortiSIEM 6.1, 6.2, 6.3, 6.4, 6.5, 6.6 (Migrate to a fixed release)
    • FortiSIEM 6.7.0 through 6.7.9 (Upgrade to 6.7.10 or above)
    • FortiSIEM 7.0.0 through 7.0.3 (Upgrade to 7.0.4 or above)
    • FortiSIEM 7.1.0 through 7.1.7 (Upgrade to 7.1.8 or above)
    • FortiSIEM 7.2.0 through 7.2.5 (Upgrade to 7.2.6 or above)
    • FortiSIEM 7.3.0 through 7.3.1 (Upgrade to 7.3.2 or above)
    • FortiSIEM 7.4 (Not affected)

    Fortinet acknowledged in its advisory that “practical exploit code for this vulnerability was found in the wild,” but did not share any additional specifics about the nature of the exploit or where it was found. It also noted that the exploit code does not appear to produce distinctive indicators of compromise (IoCs).

    As workarounds, the network security company is recommending that organizations limit access to the phMonitor port (7900).

    The disclosure comes a day after GreyNoise warned of a “significant spike” in brute-force traffic aimed at Fortinet SSL VPN devices, with dozens of IP addresses from the United States, Canada, Russia, and the Netherlands probing devices located across the world.


    Source: thehackernews.com…

  • Webinar: What the Next Wave of AI Cyberattacks Will Look Like — And How to Survive


    Aug 13, 2025 | The Hacker News | Artificial Intelligence / Identity Security

    The AI revolution isn’t coming. It’s already here. From copilots that write our emails to autonomous agents that can take action without us lifting a finger, AI is transforming how we work.

    But here’s the uncomfortable truth: Attackers are evolving just as fast.

    Every leap forward in AI gives bad actors new tools — deepfake scams so real they trick your CFO, bots that can bypass human review, and synthetic identities that slip quietly into your systems. The fight is no longer at your network’s edge. It’s at your login screen.

    And that’s why identity has become the last line of defense.

    Why This Matters Now

    Legacy security can’t keep up. Traditional models were built for slower threats and predictable patterns. AI doesn’t play by those rules.

    Today’s attackers:

    • Scale at machine speed.
    • Use deepfakes to impersonate trusted people.
    • Exploit APIs through autonomous agents.
    • Create fake “non-human” identities that look perfectly legitimate.

    The only security control that can adapt and scale as fast as AI? Identity. If you can’t verify who — or what — is accessing your systems, you’ve already lost.

    The Webinar That Connects the Dots

    In AI’s New Attack Surface: Why Identity Is the Last Line of Defense, Okta’s Karl Henrik Smith will show you:

    • Where AI is creating hidden vulnerabilities — and how to find them before attackers do.
    • How “synthetic identities” work (and why they’re scarier than you think).
    • The blueprint for an “identity security fabric” that protects humans and non-human actors.
    • How to build secure-by-design AI apps without slowing innovation.

    Whether you’re a developer, security architect, or tech leader, you’ll leave with a clear, practical plan for staying ahead of AI-powered threats.

    Watch this Webinar Now

    The next wave of cyberattacks won’t be about if someone can get past your defenses — it’ll be about how fast they can.

    Put identity where it belongs: at the center of your security strategy. Reserve your spot now

    This article is a contributed piece from one of our valued partners.


    Source: thehackernews.com…

  • Microsoft August 2025 Patch Tuesday Fixes Kerberos Zero-Day Among 111 Total New Flaws



    Microsoft on Tuesday rolled out fixes for a massive set of 111 security flaws across its software portfolio, including one flaw that has been disclosed as publicly known at the time of the release.

    Of the 111 vulnerabilities, 16 are rated Critical, 92 are rated Important, two are rated Moderate, and one is rated Low in severity. Forty-four of the vulnerabilities relate to privilege escalation, followed by remote code execution (35), information disclosure (18), spoofing (8), and denial-of-service (4) defects.

    This is in addition to 16 vulnerabilities addressed in Microsoft’s Chromium-based Edge browser since the release of last month’s Patch Tuesday update, including two spoofing bugs affecting Edge for Android.

    Included among the vulnerabilities is a privilege escalation vulnerability impacting Microsoft Exchange Server hybrid deployments (CVE-2025-53786, CVSS score: 8.0) that Microsoft disclosed last week.

    The publicly disclosed zero-day is CVE-2025-53779 (CVSS score: 7.2), another privilege escalation flaw in Windows Kerberos that stems from a case of relative path traversal. Akamai researcher Yuval Gordon has been credited with discovering and reporting the bug.


    It’s worth mentioning here that the issue was publicly detailed back in May 2025 by the web infrastructure and security company, giving it the codename BadSuccessor. The novel technique essentially allows a threat actor with sufficient privileges to compromise an Active Directory (AD) domain by misusing delegated Managed Service Account (dMSA) objects.

    “The good news here is that successful exploitation of CVE-2025-53779 requires an attacker to have pre-existing control of two attributes of the hopefully well protected dMSA: msds-groupMSAMembership, which determines which users may use credentials for the managed service account, and msds-ManagedAccountPrecededByLink, which contains a list of users on whose behalf the dMSA can act,” Adam Barnett, lead software engineer at Rapid7, told The Hacker News.

    “However, abuse of CVE-2025-53779 is certainly plausible as the final link of a multi-exploit chain which stretches from no access to total pwnage.”

    Action1’s Mike Walters noted that the path traversal flaw can be abused by an attacker to create improper delegation relationships, enabling them to impersonate privileged accounts, escalate to a domain administrator, and potentially gain full control of the Active Directory domain.

    “An attacker who already has a compromised privileged account can use it to move from limited administrative rights to full domain control,” Walters added. “It can also be paired with methods such as Kerberoasting or Silver Ticket attacks to maintain persistence.”

    “With domain administrator privileges, attackers can disable security monitoring, modify Group Policy, and tamper with audit logs to hide their activity. In multi-forest environments or organizations with partner connections, this flaw could even be leveraged to move from one compromised domain to others in a supply chain attack.”

    Satnam Narang, senior staff research engineer at Tenable, said the immediate impact of BadSuccessor is limited, as only 0.7% of Active Directory domains had met the prerequisite at the time of disclosure. “To exploit BadSuccessor, an attacker must have at least one domain controller in a domain running Windows Server 2025 in order to achieve domain compromise,” Narang pointed out.

    Some of the notable Critical-rated vulnerabilities patched by Redmond this month are listed below –

    • CVE-2025-53767 (CVSS score: 10.0) – Azure OpenAI Elevation of Privilege Vulnerability
    • CVE-2025-53766 (CVSS score: 9.8) – GDI+ Remote Code Execution Vulnerability
    • CVE-2025-50165 (CVSS score: 9.8) – Windows Graphics Component Remote Code Execution Vulnerability
    • CVE-2025-53792 (CVSS score: 9.1) – Azure Portal Elevation of Privilege Vulnerability
    • CVE-2025-53787 (CVSS score: 8.2) – Microsoft 365 Copilot BizChat Information Disclosure Vulnerability
    • CVE-2025-50177 (CVSS score: 8.1) – Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability
    • CVE-2025-50176 (CVSS score: 7.8) – DirectX Graphics Kernel Remote Code Execution Vulnerability

    Microsoft noted that the three cloud service CVEs impacting Azure OpenAI, Azure Portal, and Microsoft 365 Copilot BizChat have already been remediated, and that they require no customer action.


    Check Point, which disclosed CVE-2025-53766 alongside CVE-2025-30388, said the vulnerabilities allow attackers to execute arbitrary code on the affected system, leading to a full system compromise.

    “The attack vector involves interacting with a specially crafted file. When a user opens or processes this file, the vulnerability is triggered, allowing the attacker to take control,” the cybersecurity company said.

    The Israeli firm revealed that it also uncovered a vulnerability in a Rust-based component of the Windows kernel that can result in a system crash that, in turn, triggers a hard reboot.

    “For organizations with large or remote workforces, the risk is significant: attackers could exploit this flaw to simultaneously crash numerous computers across an enterprise, resulting in widespread disruption and costly downtime,” Check Point said. “This discovery highlights that even with advanced security technologies like Rust, continuous vigilance and proactive patching are essential to maintaining system integrity in a complex software environment.”

    Another vulnerability of importance is CVE-2025-50154 (CVSS score: 6.5), an NTLM hash disclosure spoofing vulnerability that’s actually a bypass for a similar bug (CVE-2025-24054, CVSS score: 6.5) that was plugged by Microsoft in March 2025.

    “The original vulnerability demonstrated how specially crafted requests could trigger NTLM authentication and expose sensitive credentials,” Cymulate researcher Ruben Enkaoua said. “This new vulnerability […] allows an attacker to extract NTLM hashes without any user interaction, even on fully patched systems. By exploiting a subtle gap left in the mitigation, an attacker can trigger NTLM authentication requests automatically, enabling offline cracking or relay attacks to gain unauthorized access.”


    Source: thehackernews.com…

  • Charon Ransomware Hits Middle East Sectors Using APT-Level Evasion Tactics


    Aug 13, 2025 | Ravie Lakshmanan | Endpoint Security / Cybercrime


    Cybersecurity researchers have discovered a new campaign that employs a previously undocumented ransomware family called Charon to target the Middle East’s public sector and aviation industry.

    The threat actor behind the activity, according to Trend Micro, exhibited tactics mirroring those of advanced persistent threat (APT) groups, such as DLL side-loading, process injection, and the ability to evade endpoint detection and response (EDR) software.

    The DLL side-loading techniques resemble those previously documented as part of attacks orchestrated by a China-linked hacking group called Earth Baxia, which was flagged by the cybersecurity company as targeting government entities in Taiwan and the Asia-Pacific region to deliver a backdoor known as EAGLEDOOR following the exploitation of a now-patched security flaw affecting OSGeo GeoServer GeoTools.

    “The attack chain leveraged a legitimate browser-related file, Edge.exe (originally named cookie_exporter.exe), to sideload a malicious msedge.dll (SWORDLDR), which subsequently deployed the Charon ransomware payload,” researchers Jacob Santos, Ted Lee, Ahmed Kamal, and Don Ovid Ladore said.


    Like other ransomware binaries, Charon is capable of disruptive actions that terminate security-related services and running processes, as well as delete shadow copies and backups, thereby minimizing the chances of recovery. It also employs multithreading and partial encryption techniques to make the file-locking routine faster and more efficient.

    Another notable aspect of the ransomware is the use of a driver compiled from the open-source Dark-Kill project to disable EDR solutions by means of what’s called a bring your own vulnerable driver (BYOVD) attack. However, this functionality is never triggered during the execution, suggesting that the feature is likely under development.
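    The Edge.exe/msedge.dll side-loading step described above, as an added detection example that is not Trend Micro’s code: it scores an image-load record on the three signals that chain exhibits (a host binary whose on-disk name differs from its PE OriginalFileName, a well-known DLL name loaded from outside its install directory, and an unsigned DLL sitting next to the process). The field names, the install-directory baseline and the two sample records are constructed assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass

# Assumption (constructed baseline): DLLs that a healthy host loads only from
# the product's own install directory. Seed this from your software inventory.
EXPECTED_DLL_DIRS = {
    "msedge.dll": (
        r"c:\program files (x86)\microsoft\edge\application",
        r"c:\program files\microsoft\edge\application",
    ),
}


@dataclass(frozen=True)
class ImageLoad:
    """Constructed image-load record (fields loosely follow Sysmon EID 7 and EID 1)."""
    process: str             # full path of the process doing the load
    original_file_name: str  # PE OriginalFileName of that process
    dll: str                 # full path of the DLL being loaded
    dll_signed: bool         # True if the DLL carries a valid signature


def _dir(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower()


def _name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def sideload_indicators(ev: ImageLoad) -> list[str]:
    """Independent signals; the Charon chain as described trips all three."""
    reasons: list[str] = []
    # Edge.exe on disk but cookie_exporter.exe in the PE header: renamed host binary.
    if _name(ev.process) != ev.original_file_name.lower():
        reasons.append("renamed host binary")
    # msedge.dll resolved from somewhere other than the Edge install tree.
    expected = EXPECTED_DLL_DIRS.get(_name(ev.dll))
    if expected and not _dir(ev.dll).startswith(expected):
        reasons.append("well-known dll name loaded from unexpected directory")
    # Search-order hijack shape: unsigned DLL in the same directory as the EXE.
    if _dir(ev.dll) == _dir(ev.process) and not ev.dll_signed:
        reasons.append("unsigned dll loaded from the process's own directory")
    return reasons


def is_sideload(ev: ImageLoad, min_signals: int = 2) -> bool:
    return len(sideload_indicators(ev)) >= min_signals


# Constructed samples: one mirroring the Charon chain, one normal Edge start.
CHARON_LIKE = ImageLoad(
    process=r"C:\Users\Public\Edge.exe",
    original_file_name="cookie_exporter.exe",
    dll=r"C:\Users\Public\msedge.dll",
    dll_signed=False,
)
BENIGN_EDGE = ImageLoad(
    process=r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
    original_file_name="msedge.exe",
    # "0.0.0.0" is a placeholder for the versioned subdirectory, not a real build.
    dll=r"C:\Program Files (x86)\Microsoft\Edge\Application\0.0.0.0\msedge.dll",
    dll_signed=True,
)

if __name__ == "__main__":
    for ev in (CHARON_LIKE, BENIGN_EDGE):
        print(_name(ev.process), is_sideload(ev), sideload_indicators(ev))
```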

    There is evidence to suggest that the campaign was targeted rather than opportunistic. This stems from the use of a customized ransom note that specifically calls out the victim organization by name, a tactic not observed in traditional ransomware attacks. It’s currently not known how the initial access was obtained.


    Despite the technical overlaps with Earth Baxia, Trend Micro has emphasized that this could mean one of three things –

    • Direct involvement of Earth Baxia
    • A false flag operation designed to deliberately imitate Earth Baxia’s tradecraft, or
    • A new threat actor that has independently developed similar tactics

    “Without corroborating evidence such as shared infrastructure or consistent targeting patterns, we assess this attack demonstrates limited but notable technical convergence with known Earth Baxia operations,” Trend Micro pointed out.

    Regardless of the attribution, the findings exemplify the ongoing trend of ransomware operators increasingly adopting sophisticated methods for malware deployment and defense evasion, further blurring the lines between cybercrime and nation-state activity.


    “This convergence of APT tactics with ransomware operations poses an elevated risk to organizations, combining sophisticated evasion techniques with the immediate business impact of ransomware encryption,” the researchers concluded.

    The disclosure comes as eSentire detailed an Interlock ransomware campaign that leveraged ClickFix lures to drop a PHP-based backdoor that, in turn, deploys NodeSnake (aka Interlock RAT) for credential theft and a C-based implant that supports attacker-supplied commands for further reconnaissance and ransomware deployment.

    “Interlock Group employs a complex multi-stage process involving PowerShell scripts, PHP/NodeJS/C backdoors, highlighting the importance of monitoring suspicious process activity, LOLBins, and other TTPs,” the Canadian company said.

    The findings show that ransomware continues to be an evolving threat, even as victims continue to pay ransoms to quickly recover access to systems. Cybercriminals, on the other hand, have begun resorting to physical threats and DDoS attacks as a way of putting pressure on victims.

    Statistics shared by Barracuda show that 57% of organizations experienced a successful ransomware attack in the last 12 months, and that 71% of those that had experienced an email breach were also hit with ransomware. What’s more, 32% paid a ransom, but only 41% of the victims got all their data back.


    Source: thehackernews.com…

  • Researchers Spot XZ Utils Backdoor in Dozens of Docker Hub Images, Fueling Supply Chain Risks


    Aug 12, 2025 | Ravie Lakshmanan | Malware / Container Security

    New research has uncovered Docker images on Docker Hub that contain the infamous XZ Utils backdoor, more than a year after the discovery of the incident.

    More troubling is the fact that other images have been built on top of these infected base images, effectively propagating the infection further in a transitive manner, Binarly REsearch said in a report shared with The Hacker News.

    The firmware security company said it discovered a total of 35 images that ship with the backdoor. The incident once again highlights the risks faced by the software supply chain.

    The XZ Utils supply chain event (CVE-2024-3094, CVSS score: 10.0) came to light in late March 2024, when Andres Freund sounded the alarm on a backdoor embedded within XZ Utils versions 5.6.0 and 5.6.1.

    Further analysis of the malicious code and the broader compromise led to several startling discoveries, the first and foremost being that the backdoor could lead to unauthorized remote access and enable the execution of arbitrary payloads through SSH.

    Specifically, the backdoor — placed in the liblzma.so library and used by the OpenSSH server — was designed such that it triggered when a client interacts with the infected SSH server.

    “By hijacking the RSA_public_decrypt function using the glibc’s IFUNC mechanism, the malicious code allowed an attacker possessing a specific private key to bypass authentication and execute root commands remotely,” Binarly explained.

    The second finding was that the changes were pushed by a developer named “Jia Tan” (JiaT75), who spent almost two years contributing to the open-source project to build trust until they were given maintainer responsibilities, signaling the meticulous nature of the attack.

    “This is clearly a very complex state-sponsored operation with impressive sophistication and multi-year planning,” Binarly noted at the time. “Such a complex and professionally designed comprehensive implantation framework is not developed for a one-shot operation.”

    The latest research from the company shows that the impact of the incident continues to send aftershocks through the open-source ecosystem even after all these months.

    This includes the discovery of 12 Debian Docker images that contain one of the backdoored XZ Utils versions, and another set of second-order images that are built on top of the compromised Debian images.

    Binarly said it reported the base images to the Debian maintainers, who said they have “made an intentional choice to leave these artifacts available as a historical curiosity, especially given the following extremely unlikely (in containers/container image use cases) factors required for exploitation.”

    However, the company pointed out that leaving publicly available Docker images that contain a potentially network-reachable backdoor carries a significant security risk, despite the precondition for successful exploitation, namely network access to the infected device with the SSH service running.

    “The xz-utils backdoor incident demonstrates that even short-lived malicious code can remain unnoticed in official container images for a long time, and that it can propagate in the Docker ecosystem,” it added.

    “The delay underscores how these artifacts may silently persist and propagate through CI pipelines and container ecosystems, reinforcing the critical need for continuous binary-level monitoring beyond simple version tracking.”
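    A first-pass triage check for the situation described above, added here as an example and not Binarly’s or Debian’s tooling: it flags the two backdoored upstream XZ Utils releases (5.6.0 and 5.6.1, CVE-2024-3094) from package version strings of the kind dpkg-query prints inside a container image. The sample listings are constructed, and IMAGE in the comment is a placeholder. Note that this is exactly the “simple version tracking” the report calls insufficient: a rebuilt or relabelled liblzma would not be caught, so a clean result means “not obviously affected”, not proof of absence.

```shell
#!/bin/sh
# Added example (not Binarly's or Debian's code): flag backdoored XZ Utils
# versions 5.6.0 / 5.6.1 (CVE-2024-3094) from dpkg-style version strings.

tab=$(printf '\t')

# Return 0 (true) when the upstream part of a version string is 5.6.0 or
# 5.6.1. Debian versions may carry an epoch ("1:") and a revision ("-1"),
# e.g. "5.6.1-1"; both are stripped before comparison.
xz_is_backdoored() {
    v=$1
    v=${v#*:}     # drop "epoch:" prefix, if present
    v=${v%%-*}    # drop "-revision" suffix, if present
    case "$v" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Read "package<TAB>version" lines on stdin (the shape produced by
#   dpkg-query -W -f='${Package}\t${Version}\n'
# ) and print every liblzma5 / xz-utils line at a backdoored version.
# Exit status: 0 when nothing was flagged, 1 when at least one line was.
scan_dpkg_lines() {
    hits=0
    while IFS=$tab read -r pkg ver; do
        case "$pkg" in
            liblzma5|xz-utils)
                if xz_is_backdoored "$ver"; then
                    printf 'FLAGGED: %s %s (CVE-2024-3094)\n' "$pkg" "$ver"
                    hits=$((hits + 1))
                fi
                ;;
        esac
    done
    [ "$hits" -eq 0 ]
}

# Constructed sample listings, not taken from any real image: one that
# ships the backdoored liblzma and one that does not.
sample_infected=$(printf 'libc6\t2.37-15\nliblzma5\t5.6.1-1\nxz-utils\t5.6.1-1\n')
sample_clean=$(printf 'libc6\t2.37-15\nliblzma5\t5.4.5-0.3\nxz-utils\t5.4.5-0.3\n')

# Demo run. Against a real image you would instead feed it
#   docker run --rm IMAGE dpkg-query -W -f='${Package}\t${Version}\n' | scan_dpkg_lines
# where IMAGE is a placeholder for the image under review.
for sample in "$sample_infected" "$sample_clean"; do
    if printf '%s\n' "$sample" | scan_dpkg_lines; then
        echo "no backdoored xz version found in listing"
    fi
done
```

The exit status of scan_dpkg_lines makes it usable as a CI gate, but for the transitive case the report describes (images built on top of an affected base) the version string of the final image is what matters, so run it against every layer's package database or, better, pair it with a binary-level check of liblzma.so itself.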


    Source: thehackernews.com…

  • Fortinet SSL VPNs Hit by Global Brute-Force Wave Before Attackers Shift to FortiManager

    Aug 12, 2025 | Ravie Lakshmanan | Threat Intelligence / Enterprise Security

    Cybersecurity researchers are warning of a “significant spike” in brute-force traffic aimed at Fortinet SSL VPN devices.

    The coordinated activity, per threat intelligence firm GreyNoise, was observed on August 3, 2025, with over 780 unique IP addresses participating in the effort.

    As many as 56 unique IP addresses have been detected over the past 24 hours. All the IP addresses have been classified as malicious, with the IPs originating from the United States, Canada, Russia, and the Netherlands. Targets of the brute-force activity include the United States, Hong Kong, Brazil, Spain, and Japan.

    “Critically, the observed traffic was also targeting our FortiOS profile, suggesting deliberate and precise targeting of Fortinet’s SSL VPNs,” GreyNoise said. “This was not opportunistic — it was focused activity.”

    The company also pointed out that it identified two distinct assault waves, spotted before and after August 5: the first, a long-running brute-force activity tied to a single TCP signature that remained relatively steady over time, and the second, a sudden and concentrated burst of traffic with a different TCP signature.

    “While the August 3 traffic has targeted the FortiOS profile, traffic fingerprinted with TCP and client signatures – a meta signature – from August 5 onward was not hitting FortiOS,” the company noted. “Instead, it was consistently targeting our FortiManager.”

    “This indicated a shift in attacker behavior – potentially the same infrastructure or toolset pivoting to a new Fortinet-facing service.”

    On top of that, a deeper examination of the historical data associated with the post-August 5 TCP fingerprint has uncovered an earlier spike in June featuring a unique client signature that resolved to a FortiGate device in a residential ISP block managed by Pilot Fiber Inc.

    This has raised the possibility that the brute-force tooling was either initially tested or launched from a home network. An alternative hypothesis is the use of a residential proxy.

    The development comes against the backdrop of findings that spikes in malicious activity are often followed by the disclosure of a new CVE affecting the same technology within six weeks.

    “These patterns were exclusive to enterprise edge technologies like VPNs, firewalls, and remote access tools – the same kinds of systems increasingly targeted by advanced threat actors,” the company noted in its Early Warning Signals report published late last month.

    The Hacker News has reached out to Fortinet for further comment, and we will update if we hear back.
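    The defensive point in the activity above is that a wave spread over hundreds of source addresses defeats per-source lockout thresholds, because each IP makes only a few attempts. The check below, added here as an example and not GreyNoise’s or Fortinet’s tooling, counts distinct failing source addresses per minute instead. The log lines are constructed for the example and only loosely modelled on a key=value VPN login log; the field names “remip”, “action” and “time” are assumptions to be adapted to the log format actually collected.

```shell
#!/bin/sh
# Added example (not GreyNoise's or Fortinet's code): detect a distributed
# SSL VPN brute-force wave by counting DISTINCT failing source IPs per minute.

# Read key=value log lines on stdin. For every line whose action field is
# ssl-login-fail, record the source IP under its minute bucket (the hh:mm
# prefix of the time field). Print one "bucket<TAB>distinct_sources" line per
# bucket; exit 1 if any bucket reaches $1 distinct sources, else exit 0.
distinct_failed_sources() {
    threshold=$1
    awk -v thr="$threshold" '
        {
            ip = ""; act = ""; t = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "remip")  ip  = kv[2]
                if (kv[1] == "action") act = kv[2]
                if (kv[1] == "time")   t   = substr(kv[2], 1, 5)
            }
            # only failed logins count; successes and other events are ignored
            if (act == "ssl-login-fail" && ip != "" && t != "")
                seen[t, ip] = 1
        }
        END {
            alarm = 0
            for (k in seen) {            # collapse (bucket, ip) pairs to per-bucket counts
                split(k, parts, SUBSEP)
                n[parts[1]]++
            }
            for (b in n) {
                printf "%s\t%d\n", b, n[b]
                if (n[b] >= thr) alarm = 1
            }
            exit alarm
        }'
}

# Constructed sample (TEST-NET addresses, not real traffic): eight different
# sources each fail once in minute 10:02 (the distributed pattern), one source
# fails four times in 10:05 (the classic pattern), and one successful login
# that must not be counted.
sample_logs=$(cat <<'EOF'
date=2025-08-03 time=10:02:01 action=ssl-login-fail remip=203.0.113.10 user=alice
date=2025-08-03 time=10:02:03 action=ssl-login-fail remip=203.0.113.11 user=alice
date=2025-08-03 time=10:02:05 action=ssl-login-fail remip=203.0.113.12 user=bob
date=2025-08-03 time=10:02:09 action=ssl-login-fail remip=203.0.113.13 user=bob
date=2025-08-03 time=10:02:14 action=ssl-login-fail remip=203.0.113.14 user=carol
date=2025-08-03 time=10:02:20 action=ssl-login-fail remip=203.0.113.15 user=carol
date=2025-08-03 time=10:02:31 action=ssl-login-fail remip=203.0.113.16 user=dave
date=2025-08-03 time=10:02:44 action=ssl-login-fail remip=203.0.113.17 user=dave
date=2025-08-03 time=10:02:50 action=ssl-login-ok remip=203.0.113.99 user=erin
date=2025-08-03 time=10:05:02 action=ssl-login-fail remip=198.51.100.7 user=admin
date=2025-08-03 time=10:05:04 action=ssl-login-fail remip=198.51.100.7 user=admin
date=2025-08-03 time=10:05:06 action=ssl-login-fail remip=198.51.100.7 user=admin
date=2025-08-03 time=10:05:08 action=ssl-login-fail remip=198.51.100.7 user=admin
EOF
)

# Demo run with a threshold of 5 distinct failing sources per minute.
if printf '%s\n' "$sample_logs" | distinct_failed_sources 5; then
    echo "no minute reached 5 distinct failing sources"
else
    echo "ALERT: distributed brute-force pattern detected"
fi
```

A per-source rule (say, five failures from one IP) would fire only on 198.51.100.7 here and miss the 10:02 minute entirely, even though that minute is the more concerning one; in production the threshold should be set from a baseline of normal distinct-failure counts for the VPN concentrator, and the bucket widened (5 or 15 minutes) for lower-rate waves.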


    Source: thehackernews.com…