Category: Cybersecurity

Jul 10, 2025Ravie LakshmananCybercrime / Ransomware

The U.K. National Crime Agency (NCA) on Thursday announced that four people have been arrested in connection with cyber attacks targeting major retailers Marks & Spencer, Co-op, and Harrods.

The arrested individuals include two men aged 19, a third aged 17, and a 20-year-old woman. They were apprehended in the West Midlands and London on suspicion of Computer Misuse Act offenses, blackmail, money laundering, and participating in the activities of an organized crime group.

All four suspects were arrested from their homes and their electronic devices have been seized for further forensic analysis. Their names were not disclosed.

“Since these attacks took place, specialist NCA cybercrime investigators have been working at pace and the investigation remains one of the Agency’s highest priorities,” Deputy Director Paul Foster, head of the NCA’s National Cyber Crime Unit, said in a statement.

“Today’s arrests are a significant step in that investigation but our work continues, alongside partners in the U.K. and overseas, to ensure those responsible are identified and brought to justice.”

According to the Cyber Monitoring Centre (CMC), the April 2025 cyber attacks targeting Marks & Spencer and Co-op have been classified as a “single combined cyber event” with a financial impact of anywhere between £270 million ($363 million) and £440 million ($592 million).

The NCA did not name the “organized crime group” the individuals are part of, but it’s believed that some of these attacks have been perpetrated by a decentralized cybercrime group called Scattered Spider, which is notorious for its advanced social engineering ploys to breach organizations and deploy ransomware.

“While ransomware is an ever-present threat, Scattered Spider represents a persistent and capable adversary whose operations have been historically effective even against organizations with mature security programs,” Grayson North, Senior Security Consultant at GuidePoint Security, told The Hacker News.

“The success of Scattered Spider is not exactly the result of any new or novel tactics, but rather their expertise in social engineering and willingness to be extremely persistent in attempting to gain initial access to their targets.”

The majority of individuals associated with the financially driven group are young, native English speakers which gives them an edge when attempting to gain trust with their targets by making fake calls to IT help desks posing as employees.

Scattered Spider is part of The Com, a larger loose-knit collective that’s responsible for a wide range of crimes, including social engineering, phishing, SIM swapping, extortion, sextortion, swatting, kidnapping, and murder.

“Scattered Spider demonstrates a calculated and opportunistic targeting strategy, rotating across industries and geographies based on visibility, payout potential, and operational heat,” Halcyon pointed out.

Google-owned Mandiant said Scattered Spider has a habit of focusing on a single sector at a time, while keeping their core tactics, techniques, and procedures (TTPs) consistent. This includes setting up phishing domains that closely mimic legitimate corporate login portals and are designed to trick employees into revealing their credentials.

“This means that organizations can take proactive steps like training their help desk staff to enforce robust identity verification processes and deploying phishing-resistant MFA to defend against these intrusions,” said Charles Carmakal, CTO, Mandiant Consulting at Google Cloud.

Jul 10, 2025Ravie LakshmananVulnerability / Hardware Security

Semiconductor company AMD is warning of a new set of vulnerabilities affecting a broad range of chipsets that could lead to information disclosure.

The attacks, called Transient Scheduler Attacks (TSA), manifests in the form of a speculative side channel in its CPUs that leverages execution timing of instructions under specific microarchitectural conditions.

“In some cases, an attacker may be able to use this timing information to infer data from other contexts, resulting in information leakage,” AMD said in an advisory.

The company said issues were uncovered as part of a study published by Microsoft and ETH Zurich researchers about testing modern CPUs against speculative execution attacks like Meltdown and Foreshadow by stress testing isolation between security domains such as virtual machines, kernel, and processes.

Following responsible disclosure in June 2024, the issues have been assigned the below CVE identifiers –

• CVE-2024-36350 (CVSS score: 5.6) – A transient execution vulnerability in some AMD processors may allow an attacker to infer data from previous stores, potentially resulting in the leakage of privileged information
• CVE-2024-36357 (CVSS score: 5.6) – A transient execution vulnerability in some AMD processors may allow an attacker to infer data in the L1D cache, potentially resulting in the leakage of sensitive information across privileged boundaries
• CVE-2024-36348 (CVSS score: 3.8) – A transient execution vulnerability in some AMD processors may allow a user process to infer the control registers speculatively even if UMIP[3] feature is enabled, potentially resulting in information leakage
• CVE-2024-36349 (CVSS score: 3.8) – A transient execution vulnerability in some AMD processors may allow a user process to infer TSC_AUX even when such a read is disabled, potentially resulting in information leakage

AMD has described TSA as a “new class of speculative side channels” affecting its CPUs, stating it has released microcode updates for impacted processors –

• 3rd Gen AMD EPYC Processors
• 4th Gen AMD EPYC Processors
• AMD Instinct MI300A
• AMD Ryzen 5000 Series Desktop Processors
• AMD Ryzen 5000 Series Desktop Processors with Radeon Graphics
• AMD Ryzen 7000 Series Desktop Processors
• AMD Ryzen 8000 Series Processors with Radeon Graphics
• AMD Ryzen Threadripper PRO 7000 WX-Series Processors
• AMD Ryzen 6000 Series Processors with Radeon Graphics
• AMD Ryzen 7035 Series Processors with Radeon Graphics
• AMD Ryzen 5000 Series Processors with Radeon Graphics
• AMD Ryzen 7000 Series Processors with Radeon Graphics
• AMD Ryzen 7040 Series Processors with Radeon Graphics
• AMD Ryzen 8040 Series Mobile Processors with Radeon Graphics
• AMD Ryzen 7000 Series Mobile Processors
• AMD EPYC Embedded 7003
• AMD EPYC Embedded 8004
• AMD EPYC Embedded 9004
• AMD EPYC Embedded 97X4
• AMD Ryzen Embedded 5000
• AMD Ryzen Embedded 7000
• AMD Ryzen Embedded V3000

The company also noted that instructions that read data from memory may experience what’s referred to as “false completion,” which occurs when CPU hardware expects the load instructions to complete quickly, but there exists a condition that prevents it from happening –

In this case, dependent operations may be scheduled for execution before the false completion is detected. As the load did not actually complete, data associated with that load is considered invalid. The load will be re-executed later in order to complete successfully, and any dependent operations will re-execute with the valid data when it is ready.

Unlike other speculative behavior such as Predictive Store Forwarding, loads that experience a false completion do not result in an eventual pipeline flush. While the invalid data associated with a false completion may be forwarded to dependent operations, load and store instructions which consume this data will not attempt to fetch data or update any cache or TLB state. As such, the value of this invalid data cannot be inferred using standard transient side channel methods.

In processors affected by TSA, the invalid data may however affect the timing of other instructions being executed by the CPU in a way that may be detectable by an attacker.

The chipmaker said it has identified two variants of TSA, TSA-L1 and TSA-SQ, based on the source of the invalid data associated with a false completion: either the L1 data cache or the CPU store queue.

In a worst-case scenario, successful attacks carried out using TSA-L1 or TSA-SQ flaws could lead to information leakage from the operating system kernel to a user application, from a hypervisor to a guest virtual machine, or between two user applications.

While TSA-L1 is caused by an error in the way the L1 cache uses microtags for data-cache lookups, TSA-SQ vulnerabilities arise when a load instruction erroneously retrieves data from the CPU store queue when the necessary data isn’t yet available. In both cases, an attacker could infer any data that is present within the L1 cache or used by an older store, even if they were executed in a different context.

That said, exploiting these flaws requires an attacker to obtain malicious access to a machine and possess the ability to run arbitrary code. It’s not exploitable through malicious websites.

“The conditions required to exploit TSA are typically transitory as both the microtag and store queue will be updated after the CPU detects the false completion,” AMD said.

“Consequently, to reliably exfiltrate data, an attacker must typically be able to invoke the victim many times to repeatedly create the conditions for the false completion. This is most likely possible when the attacker and victim have an existing communication path, such as between an application and the OS kernel.”

Jul 10, 2025Ravie LakshmananEndpoint Security / Vulnerability

Cybersecurity researchers have discovered new artifacts associated with an Apple macOS malware called ZuRu, which is known to propagate via trojanized versions of legitimate software.

SentinelOne, in a new report shared with The Hacker News, said the malware has been observed masquerading as the cross‑platform SSH client and server‑management tool Termius in late May 2025.

“ZuRu malware continues to prey on macOS users seeking legitimate business tools, adapting its loader and C2 techniques to backdoor its targets,” researchers Phil Stokes and Dinesh Devadoss said.

ZuRu was first documented in September 2021 by a user on Chinese question-and-answer website Zhihu as part of a malicious campaign that hijacked searches for iTerm2, a legitimate macOS Terminal app, to direct users to fake sites that tricked unsuspecting users into downloading the malware.

Then in January 2024, Jamf Threat Labs said it discovered a piece of malware distributed via pirated macOS apps that shared similarities with ZuRu. Some of the other popular software that has been trojanized to deliver the malware include Microsoft’s Remote Desktop for Mac, along with SecureCRT and Navicat.

The fact that ZuRu primarily relies on sponsored web searches for distribution indicates the threat actors behind the malware are more opportunistic than targeted in their attacks, while also ensuring that only those looking for remote connections and database management are compromised.

Like the samples detailed by Jamf, the newly discovered ZuRu artifacts employ a modified version of the open-source post-exploitation toolkit known as Khepri to enable attackers to gain remote control of infected hosts.

“The malware is delivered via a .dmg disk image and contains a hacked version of the genuine Termius.app,” the researchers said. “Since the application bundle inside the disk image has been modified, the attackers have replaced the developer’s code signature with their own ad hoc signature in order to pass macOS code signing rules.”

The altered app packs in two extra executables within Termius Helper.app, a loader named “.localized” that’s designed to download and launch a Khepri command-and-control (C2) beacon from an external server (“download.termius[.]info”) and “.Termius Helper1,” which is a renamed version of the actual Termius Helper app.

“While the use of Khepri was seen in earlier versions of ZuRu, this means of trojanizing a legitimate application varies from the threat actor’s previous technique,” the researchers explained.

“In older versions of ZuRu, the malware authors modified the main bundle’s executable by adding an additional load command referencing an external .dylib, with the dynamic library functioning as the loader for the Khepri backdoor and persistence modules.”

Besides downloading the Khepri beacon, the loader is designed to set up persistence on the host and checks if the malware is already present at a pre-defined path in the system and employs(“/tmp/.fseventsd”) and if so, compares the MD5 hash value of the payload against the one that’s hosted on the server.

A new version is subsequently downloaded if the hash values don’t match. It’s believed that the feature likely serves as an update mechanism to fetch new versions of the malware as they become available. But SentinelOne also theorized it could be a way to ensure that the payload has not been corrupted or modified after it was dropped.

The modified Khepri tool is a feature-packed C2 implant that allows file transfer, system reconnaissance, process execution and control, and command execution with output capture. The C2 server used to communicate with the beacon is “ctl01.termius[.]fun.”

“The latest variant of macOS.ZuRu continues the threat actor’s pattern of trojanizing legitimate macOS applications used by developers and IT professionals,” the researchers said.

“The shift in technique from Dylib injection to trojanizing an embedded helper application is likely an attempt to circumvent certain kinds of detection logic. Even so, the actor’s continued use of certain TTPs – from choice of target applications and domain name patterns to the reuse of file names, persistence and beaconing methods – suggest these are offering continued success in environments lacking sufficient endpoint protection.”

Generative AI is not arriving with a bang, it’s slowly creeping into the software that companies already use on a daily basis. Whether it is video conferencing or CRM, vendors are scrambling to integrate AI copilots and assistants into their SaaS applications. Slack can now provide AI summaries of chat threads, Zoom can provide meeting summaries, and office suites such as Microsoft 365 contain AI assistance in writing and analysis. This trend of AI usage implies that the majority of businesses are awakening to a new reality: AI capabilities have spread across their SaaS stack overnight, with no centralized control.

A recent survey found 95% of U.S. companies are now using generative AI, up massively in just one year. Yet this unprecedented usage comes tempered by growing anxiety. Business leaders have begun to worry about where all this unseen AI activity might lead. Data security and privacy have quickly emerged as top concerns, with many fearing that sensitive information could leak or be misused if AI usage remains unchecked. We’ve already seen some cautionary examples: global banks and tech firms have banned or restricted tools like ChatGPT internally after incidents of confidential data being shared inadvertently.

Why SaaS AI Governance Matters

With AI woven into everything from messaging apps to customer databases, governance is the only way to harness the benefits without inviting new risks.

What do we mean by AI governance?

In simple terms, it basically refers to the policies, processes, and controls that ensure AI is used responsibly and securely within an organization. Done right, AI governance keeps these tools from becoming a free-for-all and instead aligns them with a company’s security requirements, compliance obligations, and ethical standards.

This is especially important in the SaaS context, where data is constantly flowing to third-party cloud services.

1. Data exposure is the most immediate worry. AI features often need access to large swaths of information – think of a sales AI that reads through customer records, or an AI assistant that combs your calendar and call transcripts. Without oversight, an unsanctioned AI integration could tap into confidential customer data or intellectual property and send it off to an external model. In one survey, over 27% of organizations said they banned generative AI tools outright after privacy scares. Clearly, nobody wants to be the next company in the headlines because an employee fed sensitive data to a chatbot.

2. Compliance violations are another concern. When employees use AI tools without approval, it creates blind spots that can lead to breaches of laws like GDPR or HIPAA. For example, uploading a client’s personal information into an AI translation service might violate privacy regulations – but if it’s done without IT’s knowledge, the company may have no idea it happened until an audit or breach occurs. Regulators worldwide are expanding laws around AI use, from the EU’s new AI Act to sector-specific guidance. Companies need governance to ensure they can prove what AI is doing with their data, or face penalties down the line.

3. Operational reasons are another reason to rein in AI sprawl. AI systems can introduce biases or make poor decisions (hallucinations) that impact real people. A hiring algorithm might inadvertently discriminate, or a finance AI might give inconsistent results over time as its model changes. Without guidelines, these issues go unchecked. Business leaders recognize that managing AI risks isn’t just about avoiding harm, it can also be a competitive advantage. Those who start to use AI ethically and transparently can generally build greater trust with customers and regulators.

The Challenges of Managing AI in the SaaS World

Unfortunately, the very nature of AI adoption in companies today makes it hard to pin down. One big challenge is visibility. Often, IT and security teams simply don’t know how many AI tools or features are in use across the organization. Employees eager to boost productivity can enable a new AI-based feature or sign up for a clever AI app in seconds, without any approval. These shadow AI instances fly under the radar, creating pockets of unchecked data usage. It’s the classic shadow IT problem amplified: you can’t secure what you don’t even realize is there.

Compounding the problem is the fragmented ownership of AI tools. Different departments might each introduce their own AI solutions to solve local problems – Marketing tries an AI copywriter, engineering experiments with an AI code assistant, customer support integrates an AI chatbot – all without coordinating with each other. With no real centralized strategy, each of these tools might apply different (or nonexistent) security controls. There’s no single point of accountability, and important questions start to fall through the cracks:

1. Who vetted the AI vendor’s security?

2. Where is the data going?

3. Did anyone set usage boundaries?

The end result is an organization using AI in a dozen different ways, with loads of gaps that an attacker could potentially exploit.

Perhaps the most serious problem is the lack of data provenance with AI interactions. An employee could copy proprietary text and paste it into an AI writing assistant, get a polished result back, and use that in a client presentation – all outside normal IT monitoring. From the company’s perspective, that sensitive data just left their environment without a trace. Traditional security tools might not catch it because no firewall was breached and no abnormal download occurred; the data was voluntarily given away to an AI service. This black box effect, where prompts and outputs aren’t logged, makes it extremely hard for organizations to ensure compliance or investigate incidents.

Despite these hurdles, companies can’t afford to throw up their hands.

The answer is to bring the same rigor to AI that’s applied to other technology – without stifling innovation. It’s a delicate balance: security teams don’t want to become the department of no that bans every useful AI tool. The goal of SaaS AI governance is to enable safe adoption. That means putting protection in place so employees can leverage AI’s benefits while minimizing the downsides.

5 Best Practices for AI Governance in SaaS

Establishing AI governance might sound daunting, but it becomes manageable by breaking it into a few concrete steps. Here are some best practices that leading organizations are using to get control of AI in their SaaS environment:

1. Inventory Your AI Usage

Start by shining a light on the shadow. You can’t govern what you don’t know exists. Take an audit of all AI-related tools, features, and integrations in use. This includes obvious standalone AI apps and less obvious things like AI features within standard software (for example, that new AI meeting notes feature in your video platform). Don’t forget browser extensions or unofficial tools employees might be using. A lot of companies are surprised by how long the list is once they look. Create a centralized registry of these AI assets noting what they do, which business units use them, and what data they touch. This living inventory becomes the foundation for all other governance efforts.

2. Define Clear AI Usage Policies

Just as you likely have an acceptable use policy for IT, make one specifically for AI. Employees need to know what’s allowed and what’s off-limits when it comes to AI tools. For instance, you might permit using an AI coding assistant on open-source projects but forbid feeding any customer data into an external AI service. Specify guidelines for handling data (e.g. “no sensitive personal info in any generative AI app unless approved by security”) and require that new AI solutions be vetted before use. Educate your staff on these rules and the reasons behind them. A little clarity up front can prevent a lot of risky experimentation.

3. Monitor and Limit Access

Once AI tools are in play, keep tabs on their behavior and access. Principle of least privilege applies here: if an AI integration only needs read access to a calendar, don’t give it permission to modify or delete events. Regularly review what data each AI tool can reach. Many SaaS platforms provide admin consoles or logs – use them to see how often an AI integration is being invoked and whether it’s pulling unusually large amounts of data. If something looks off or outside policy, be ready to intervene. It’s also wise to set up alerts for certain triggers, like an employee attempting to connect a corporate app to a new external AI service.

4. Continuous Risk Assessment

AI governance is not a set and forget task. AI changes too quickly. Establish a process to re-evaluate risks on a regular schedule – say monthly or quarterly. This could involve rescanning the environment for any newly introduced AI tools, reviewing updates or new features released by your SaaS vendors, and staying up to date on AI vulnerabilities. Make adjustments to your policies as needed (for example, if research exposes a new vulnerability like a prompt injection attack, update your controls to address it). Some organizations form an AI governance committee with stakeholders from security, IT, legal, and compliance to review AI use cases and approvals on an ongoing basis.

5. Cross-Functional Collaboration

Finally, governance isn’t solely an IT or security responsibility. Make AI a team sport. Bring in legal and compliance officers to help interpret new regulations and ensure your policies meet them. Include business unit leaders so that governance measures align with business needs (and so they act as champions for responsible AI use in their teams). Involve data privacy experts to assess how data is being used by AI. When everyone understands the shared goal – to use AI in ways that are innovative and safe – it creates a culture where following the governance process is seen as enabling success, not hindering it.

To translate theory into practice, use this checklist to track your progress:

By taking these foundational steps, organizations can use AI to increase productivity while ensuring security, privacy, and compliance are protected.

How Reco Simplifies AI Governance

While establishing AI governance frameworks is critical, the manual effort required to track, monitor, and manage AI across hundreds of SaaS applications can quickly overwhelm security teams. This is where specialized platforms like Reco’s Dynamic SaaS Security solution can make the difference between theoretical policies and practical protection.

👉 Get a demo of Reco to assess the AI-related risks in your SaaS apps.

A high-severity security flaw has been disclosed in ServiceNow’s platform that, if successfully exploited, could result in data exposure and exfiltration.

The vulnerability, tracked as CVE-2025-3648 (CVSS score: 8.2), has been described as a case of data inference in Now Platform through conditional access control list (ACL) rules. It has been codenamed Count(er) Strike.

“A vulnerability has been identified in the Now Platform that could result in data being inferred without authorization,” ServiceNow said in a bulletin. “Under certain conditional access control list (ACL) configurations, this vulnerability could enable unauthenticated and authenticated users to use range query requests to infer instance data that is not intended to be accessible to them.”

Cybersecurity company Varonis, which discovered and reported the flaw in February 2024, said it could have been exploited by malicious actors to obtain unauthorized access to sensitive information, including personally identifiable information (PII) and credentials.

At its core, the shortcoming impacts the record count UI element on list pages, which could be trivially abused to infer and expose confidential data from various tables within ServiceNow.

“This vulnerability could have potentially affected all ServiceNow instances, impacting hundreds of tables,” Varonis researcher Neta Armon said in Wednesday’s analysis.

“Most concerning, this vulnerability was relatively simple to exploit and required only minimal table access, such as a weak user account within the instance or even a self-registered anonymous user, which could bypass the need for privilege elevation and resulted in sensitive data exposure.”

Specifically, the company found that access to ServiceNow tables, while governed by ACL configurations, could be used to glean information, even in scenarios where access is denied due to a failed “Data Condition” or “Script Condition” — which makes it possible to conditionally provide access based on an evaluation of certain data-related criteria or custom logic.

In these cases, users are displayed a message, stating “Number of rows removed from this list by Security constraints” along with the count. However, when access to a resource is blocked due to “Required Roles” or “Security Attribute Condition,” users are displayed a blank page with the message “Security constraints prevent access to the requested page.”

It’s worth mentioning that the four ACL conditions are evaluated in a particular order, starting with roles, followed by security attributes, data condition, and lastly, script condition. For a user to gain access to a resource, all of these conditions must be satisfied. Any condition that’s left empty is considered as not having any kind of restriction.

To make matters worse, a threat actor could expand the blast radius of the flaw using techniques like dot-walking and self-registration to access additional data from referenced tables, create accounts and gain access to an instance without requiring prior approval from an administrator.

ServiceNow, in response to the findings, has introduced new security mechanisms, such as Query ACLs, Security Data Filters, and Deny-Unless ACLs, to counter the risk posed by the data inference blind query attack. While there is no evidence that the issue was ever exploited in the wild, all ServiceNow customers are urged to apply the necessary guardrails on sensitive tables.

“ServiceNow customers should also be aware that query range Query ACLs will soon be set to default deny, so they should create exclusions to maintain authorized user ability to perform such actions,” Armon said.

DLL Hijacking Flaw in Lenovo’s TrackPoint Quick Menu Software

The development comes as TrustedSec detailed a privilege escalation flaw (CVE-2025-1729) in TrackPoint Quick Menu software (“TPQMAssistant.exe”) present in Lenovo computers that could permit a local attacker to escalate privileges by means of a DLL hijacking vulnerability.

The flaw has been addressed in version 1.12.54.0 released on July 8, 2025, following responsible disclosure earlier this January.

“The directory housing ‘TPQMAssistant.exe’ is writable by standard users, which is already a red flag,” security researcher Oddvar Moe said. “The folder’s permission allows the CREATOR OWNER to write files, meaning any local user can drop files into this location.”

“When the scheduled task (or the binary itself) is triggered, it attempts to load ‘hostfxr.dll’ from its working directory but fails, resulting in a NAME NOT FOUND event. This tells us the binary is looking for a dependency that doesn’t exist in its own directory – a perfect opportunity for sideloading.”

As a result, an attacker can place a malicious version of ‘hostfxr.dll’ in the directory “C: ProgramDatalLenovolTPQMAssistant” to hijack control flow when the binary is launched, resulting in the execution of arbitrary code.

Microsoft Addresses Kerberos DoS Bug

The findings also follow the public disclosure of an out-of-bounds read flaw in Windows Kerberos’ Netlogon protocol (CVE-2025-47978, CVSS score: 6.5) that could permit an authorized attacker to deny service over a network. The vulnerability was addressed by Microsoft as part of its Patch Tuesday updates for July 2025.

Silverfort, which has assigned the name NOTLogon to CVE-2025-47978, said it permits any “domain-joined machine with minimal privileges to send a specially-crafted authentication request that will crash a domain controller and cause a full reboot.”

“This vulnerability does not require elevated privileges — only standard network access and a weak machine account are needed. In typical enterprise environments, any low-privileged user can create such accounts by default,” security researcher Dor Segal said.

The cybersecurity company also noted that the crash primarily affected Local Security Authority Subsystem Service (LSASS), a critical security process in Windows that’s responsible for enforcing security policies and handling user authentication. Successful exploitation of CVE-2025-47978 could therefore destabilize or disrupt Active Directory services.

“With only a valid machine account and a crafted RPC message, an attacker can remotely crash a domain controller – a system responsible for the core functionalities of Active Directory, including authentication, authorization, Group Policy enforcement, and service ticket issuance,” Segal said.

Jul 09, 2025Ravie LakshmananCyber Threat / Malware

The Initial Access Broker (IAB) known as Gold Melody has been attributed to a campaign that exploits leaked ASP.NET machine keys to obtain unauthorized access to organizations and peddle that access to other threat actors.

The activity is being tracked by Palo Alto Networks Unit 42 under the moniker TGR-CRI-0045, where “TGR” stands for “temporary group” and “CRI” refers to criminal motivation. The hacking group is also known as Prophet Spider and UNC961, with one of its tools also used by an initial access broker called ToyMaker.

“The group seems to follow an opportunistic approach but has attacked organizations in Europe and the U.S. in the following industries: financial services, manufacturing, wholesale and retail, high technology, and transportation and logistics,” researchers Tom Marsden and Chema Garcia said.

The abuse of ASP.NET machine keys in the wild was first documented by Microsoft in February 2025, with the company noting that it had identified over 3,000 such publicly disclosed keys that could be weaponized for ViewState code injection attacks, ultimately leading to arbitrary code execution.

The first sign of these attacks was detected by the Windows maker in December 2024, when an unknown adversary leveraged a publicly available, static ASP.NET machine key to inject malicious code and deliver the Godzilla post-exploitation framework.

Unit 42’s analysis shows that the TGR-CRI-0045 is following a similar modus operandi, employing the leaked keys to sign malicious payloads that provide unauthorized access to targeted servers, a technique known as ASP.NET ViewState deserialization.

“This technique enabled the IAB to execute malicious payloads directly in server memory, minimizing their on-disk presence and leaving few forensic artifacts, making detection more challenging,” the cybersecurity company said, adding it found evidence of earliest exploitation in October 2024.

Unlike traditional web shell implants or file-based payloads, this memory-resident approach bypasses many legacy EDR solutions that rely on file system or process tree artifacts. Organizations relying solely on file integrity monitoring or antivirus signatures may completely miss the intrusion, making it critical to implement behavioral detections based on anomalous IIS request patterns, child processes spawned by w3wp.exe, or sudden changes in .NET application behavior.

A significant spike in activity is said to have been detected between late January and March 2025, during which period the attacks led to the deployment of post-exploitation tools such as open-source port scanners and bespoke C# programs like updf for local privilege escalation.

In at least two incidents observed by Unit 42, the attacks are characterized by command shell execution originating from Internet Information Services (IIS) web servers. Another notable aspect is the likely use of an open-source .NET deserialization payload generator called ysoserial.net and ViewState plugin to build the payloads.

These payloads bypass ViewState protections and trigger the execution of a .NET assembly in memory. Five different IIS modules have been identified as loaded into memory so far –

• Cmd /c, which is used to passing a command to be executed to the system’s command shell and execute arbitrary instructions on the server
• File upload, which allows for uploading files to the server by specifying a target file path and a byte buffer containing the file’s contents
• Winner, which is likely a check for successful exploitation
• File download (not recovered), which appears to be a downloader that allows an attacker to retrieve sensitive data from the compromised server
• Reflective loader (not recovered), which seemingly acts as a reflective loader to dynamically load and execute additional .NET assemblies in memory without leaving a trail

“Between October 2024 and January 2025, the threat actor’s activity primarily focused on exploiting systems, deploying modules — like the exploit checker — and performing basic shell reconnaissance,” Unit 42 said. “Post-exploitation activity has primarily involved reconnaissance of the compromised host and surrounding network.”

Some of the other tools downloaded onto the systems include an ELF binary named atm from an external server (“195.123.240[.]233:443”) and a Golang port scanner called TXPortMap to map out the internal network and identify potential exploitation targets.

“TGR-CRI-0045 uses a simplistic approach to ViewState exploitation, loading a single, stateless assembly directly,” the researchers noted. “Each command execution requires re-exploitation and re-uploading the assembly (e.g., running the file upload assembly multiple times).”

“Exploiting ASP.NET View State deserialization vulnerabilities via exposed Machine Keys allows minimal on-disk presence and enables long-term access. The group’s opportunistic targeting and ongoing tool development highlight the need for organizations to prioritize identifying and remediating compromised Machine Keys.”

This campaign also highlights a broader category of cryptographic key exposure threats, including weak machineKey generation policies, missing MAC validation, and insecure defaults in older ASP.NET applications. Expanding internal threat models to include cryptographic integrity risks, ViewState MAC tampering, and IIS middleware abuse can help organizations build more resilient AppSec and identity protection strategies.

Jul 09, 2025Ravie LakshmananMalware / Cyber Espionage

A threat actor with suspected ties to India has been observed targeting a European foreign affairs ministry with malware capable of harvesting sensitive data from compromised hosts.

The activity has been attributed by Trellix Advanced Research Center to an advanced persistent threat (APT) group called DoNot Team, which is also known as APT-C-35, Mint Tempest, Origami Elephant, SECTOR02, and Viceroy Tiger. It’s been assessed to be active since 2016.

“DoNot APT is known for using custom-built Windows malware, including backdoors like YTY and GEdit, often delivered through spear-phishing emails or malicious documents,” Trellix researchers Aniket Choukde, Aparna Aripirala, Alisha Kadam, Akhil Reddy, Pham Duy Phuc, and Alex Lanstein said.

“This threat group typically targets government entities, foreign ministries, defense organizations, and NGOs especially those in South Asia and Europe.”

The attack chain commences with phishing emails that aim to trick recipients into clicking on a Google Drive link to trigger the download of a RAR archive, which then paves the way for the deployment of a malware dubbed LoptikMod, which is exclusively put to use by the group as far back as 2018.

The messages, per Trellix, originate from a Gmail address and impersonate defense officials, with a subject line that references an Italian Defense Attaché’s visit to Dhaka, Bangladesh.

“The email used HTML formatting with UTF-8 encoding to properly display special characters like ‘é’ in ‘Attaché,’ demonstrating attention to detail to increase legitimacy,” Trellix noted in its deconstruction of the infection sequence.

The RAR archive distributed via the emails contains a malicious executable that mimics a PDF document, opening which causes the execution of the LoptikMod remote access trojan that can establish persistence on the host via scheduled tasks and connect to a remote server to send system information, receive further commands, download additional modules, and exfiltrate data.

It also employs anti-VM techniques and ASCII obfuscation to hinder execution in virtual environments and evade analysis, thereby making it a lot more challenging to determine the tool’s purpose. Furthermore, the attack makes sure that only one instance of the malware is actively running on the compromised system to avoid potential interference.

Trellix said the command-and-control (C2) server used in the campaign is currently inactive, meaning the infrastructure has been either temporarily disabled or no longer functional, or that the threat actors have moved to a completely different server.

The inactive state of the C2 server also means that it’s currently not feasible to determine the exact set of commands that are transmitted to infected endpoints and the kinds of data that are sent back as responses.

“Their operations are marked by persistent surveillance, data exfiltration, and long-term access, suggesting a strong cyber espionage motive,” the researchers said. “While historically focused on South Asia, this incident targeting South Asian embassies in Europe, indicates a clear expansion of their interests towards European diplomatic communications and intelligence.”

Jul 09, 2025The Hacker NewsSecurity Operations / Automation

Run by the team at workflow orchestration and AI platform Tines, the Tines library features over 1,000 pre-built workflows shared by security practitioners from across the community – all free to import and deploy through the platform’s Community Edition.

A recent standout is a workflow that handles malware alerts with CrowdStrike, Oomnitza, GitHub, and PagerDuty. Developed by Lucas Cantor at Intercom, the creators of fin.ai, the workflow makes it easier to determine the severity of a security alert and escalate it seamlessly, depending on the device owner’s response. “It’s a great way to reduce noise and add context to security issues that are added on our endpoints as well,” Lucas explains.

In this guide, we’ll share an overview of the workflow, plus step-by-step instructions for getting it up and running.

The problem – lack of integration between security tools

For security teams, responding to malware threats, analyzing their severity, and identifying the device owner so they can be contacted to resolve the threat, can take up a lot of time.

From a workflow perspective, teams often have to:

• Manually respond to CrowdStrike events
• Enrich the alert with additional metadata
• Document and alert the device owner in Slack
• Notify on call teams via PagerDuty

Going through this process manually can result in delays and increase the chances of human error.

The solution – automated ticket creation, device identification, and threat triage

Lucas’s prebuilt workflow automates the process of taking the malware alert and creating the case – while crucially notifying the device owner and the on-call team. This workflow helps security teams accurately identify the level of threat faster by:

• Detecting new alerts from Crowdstrike
• Identifying and notifying the device owner
• Escalating critical issues

The result is streamlined response to malware security alerts that ensures they are dealt with quickly, no matter what the severity.

Key benefits of this workflow:

• Reduced remediation time
• Device owner is kept informed
• Clear remediation and escalation pathways
• Centralized management system

Workflow overview

Tools used:

• Tines – workflow orchestration and AI platform (free Community Edition available)
• Crowdstrike – threat intelligence and EDR platform
• Oomnitza – IT asset management platform
• Github – developer platform
• PagerDuty – incident management platform
• Slack – team collaboration platform

How it works

Part 1

• Get a security alert from CrowdStrike
• Find the device that the alert was triggered and look up its details
• Create a ticket in GitHub for the alert and raise the issue in a Slack message
• If the device is owned by a user and it is a low priority,
  • Send the owner a message requesting escalation
• If the device is owned by a user and it is a high priority,
  • Create a PagerDuty Event to notify the on-call analyst
  • Informing the owner of the ongoing issue

Part 2

• Get a user interaction with the Slack message
• Enrich the GitHub issue with the users response
• If the owner escalates the issue
  • Create a PagerDuty Event to notify the on-call analyst

Configuring the workflow – step-by-step guide

1. Log into Tines or create a new account.

2. Navigate to the pre-built workflow in the library. Select import. This should take you straight to your new pre-built workflow.

3. Set up your credentials

You’ll need five credentials added to your Tines tenant:

• CrowdStrike
• Oomnitza
• Github
• PagerDuty
• Slack

Note that similar services to the ones listed above can also be used, with some adjustments to the workflow.

From the credentials page, select New credential, scroll down to the relevant credential and complete the required fields. Follow the CrowdStrike, Oomnitza, Github, PagerDuty, and Slack credential guides at explained.tines.com if you need help.

4. Configure your actions.

• Set your environment variables. This includes your:
  • Slack IT channel alerting webhook (`slack_channel_webhook_urls_prod`)
  • CrowdStrike/GitHub severity priority mapping (`crowdstrike_to_github_priority_map`)
• Configure CrowdStrike to alert the New CrowdStrike Detection webhook when a detection is created
• Configure your SlackBot interactivity URL to the Receive Slack Button Push webhook

5. Test the workflow.

6. Publish and operationalize

Once tested, publish the workflow.

If you’d like to test this workflow, you can sign up for a free Tines account.

Jul 09, 2025Ravie LakshmananMalware / Cyber Crime

The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) on Tuesday sanctioned a member of a North Korean hacking group called Andariel for their role in the infamous remote information technology (IT) worker scheme.

The Treasury said Song Kum Hyok, a 38-year-old North Korean national with an address in the Chinese province of Jilin, enabled the fraudulent operation by using foreign-hired IT workers to seek remote employment with U.S. companies and planning to split income with them.

Between 2022 and 2023, Song is alleged to have used the identities of U.S. people, including their names, addresses, and Social Security numbers, to craft aliases for the hired workers, who then used these personas to pose as U.S. nationals looking for remote jobs in the country.

The development comes days after the U.S. Department of Justice (DoJ) announced sweeping actions targeting the North Korean information technology (IT) worker scheme, leading to the arrest of one individual and the seizure of 29 financial accounts, 21 fraudulent websites, and nearly 200 computers.

Sanctions have also been levied against a Russian national and four entities involved in a Russia-based IT worker scheme that contracted and hosted North Koreans to pull off the malicious operation. This includes –

• Gayk Asatryan, who used his Russia-based companies Asatryan LLC and Fortuna LLC to employ North Korean IT workers
• Korea Songkwang Trading General Corporation, which signed a deal with Asatryan to dispatch up to 30 IT workers to work in Russia for Asatryan LLC
• Korea Saenal Trading Corporation, which signed a deal with Asatryan to dispatch up to 50 IT workers to work in Russia for Fortuna LLC

The sanctions mark the first time a threat actor linked to Andariel, a sub-cluster within the Lazarus Group, has been tied to the IT worker scheme, which has become a crucial illicit revenue stream for the sanctions-hit nation. The Lazarus Group is assessed to be affiliated with the Democratic People’s Republic of Korea (DPRK) Reconnaissance General Bureau (RGB).

The action “underscores the importance of vigilance on the DPRK’s continued efforts to clandestinely fund its WMD and ballistic missile programs,” said Deputy Secretary of the Treasury Michael Faulkender.

“Treasury remains committed to using all available tools to disrupt the Kim [Jong Un] regime’s efforts to circumvent sanctions through its digital asset theft, attempted impersonation of Americans, and malicious cyber attacks”

The IT worker scheme, also tracked as Nickel Tapestry, Wagemole, and UNC5267, involves North Korean actors using a mix of stolen and fictitious identities to gain employment with U.S. companies as remote IT workers with the goal of drawing a regular salary that’s then funneled back to the regime through intricate cryptocurrency transactions.

Data compiled by TRM Labs shows that North Korea is behind approximately $1.6 billion out of the total $2.1 billion stolen as a result of 75 cryptocurrency hacks and exploits in the first half of 2025 alone — mainly driven by the blockbuster heist of Bybit earlier this year.

A majority of steps taken to counter the threat has ostensibly come from U.S. authorities, but Michael “Barni” Barnhart, Principal i3 Insider Risk Investigator at DTEX, told The Hacker News that other countries are also stepping up and taking similar actions and driving awareness to a broader audience.

“This is a complex, transnational issue with many moving parts, so international collaboration and open communication are extremely useful,” Barnhart said.

“For an example of some of the complexities with this issue, a North Korean IT worker may be physically located in China, employed by a front company posing as a Singapore-based firm, contracted to a European vendor delivering services to clients in the United States. That level of operational layering highlights just how important joint investigations and intelligence sharing are in effectively countering this activity.”

“The good news is that awareness has grown significantly in recent years, and we’re now seeing the fruits of that labor. These initial awareness steps are part of a broader global shift toward recognizing and actively disrupting these threats.”

News of the sanctions dovetail with reports that the North Korea-aligned group tracked as Kimsuky (aka APT-C-55) is using a backdoor called HappyDoor in attacks targeting South Korean entities. HappyDoor, according to AhnLab, has been put to use as far back as 2021.

Typically distributed via spear-phishing email attacks, the malware has witnessed steady improvements over the years, allowing it to harvest sensitive information; execute commands, PowerShell code, and batch scripts; and upload files of interest.

“Mainly taking on the disguise of a professor or an academic institution, the threat actor has been using social engineering techniques like spear-phishing to distribute emails with attachments that, once run, install a backdoor and may also install additional malware,” AhnLab noted.

Jul 09, 2025Ravie LakshmananCyber Espionage / Threat Intelligence

A Chinese national has been arrested in Milan, Italy, for his alleged links to a state-sponsored hacking group known as Silk Typhoon and for carrying out cyber attacks against American organizations and government agencies.

The 33-year-old, Xu Zewei, has been charged with nine counts of wire fraud and conspiracy to cause damage to and obtain information by unauthorized access to protected computers, as well as committing aggravated identity theft. Details of the arrest were first reported by Italian media.

Xu is alleged to have been involved in the U.S. computer intrusions between February 2020 and June 2021, including a mass attack spree that leveraged then-zero-day flaws in Microsoft Exchange Server, a cluster of activity the Windows maker designed as Hafnium.

The suspect is also accused of participating in China’s espionage efforts during the COVID-19 pandemic, attempting to gain access to vaccine research at various U.S. universities, including the University of Texas.

Xu, alongside co-defendant and Chinese national Zhang Yu, are believed to have undertaken the attacks based on directions given by the Ministry of State Security’s (MSS) Shanghai State Security Bureau (SSSB).

“Beginning in late 2020, Xu and his co-conspirators exploited certain vulnerabilities in Microsoft Exchange Server, a widely used Microsoft product for sending, receiving and storing email messages,” the Justice Department said. “Their exploitation of Microsoft Exchange Server was allegedly at the forefront of a massive campaign targeting thousands of computers worldwide and known publicly as ‘Hafnium.’”

Silk Typhoon, which overlaps with UNC5221, is known for its use of zero-day vulnerabilities and successful compromises of technology firms in supply chain attacks. The group is said to have targeted over 60,000 U.S. entities, successfully victimizing more than 12,700 in order to steal sensitive information through the Hafnium campaign.

The Justice Department has also claimed that Zewei worked for a company named Shanghai Powerock Network Co. Ltd. when the attacks were carried out, lending further credence to other reports that China is leveraging an array of contractors and private firms to launch state-sponsored espionage campaigns in an effort to obscure the government’s involvement.

According to a report from Reuters, Xu has opposed the extradition request, claiming a case of mistaken identity. Xu’s lawyer added his surname is quite common in China and that his mobile phone had been stolen from him in 2020.

“Unfortunately, the impact of this arrest won’t be felt immediately. There are several teams composed of dozens of operators who are going to continue to carry out cyber espionage,” John Hultquist, Chief Analyst, Google Threat Intelligence Group (GTIG), said in a statement shared with The Hacker News.

“Government sponsors are not going to be deterred. The arrest is unlikely to bring operations to a halt or even significantly slow them, but it may give some of these talented young hackers a reason to think twice before getting involved in this work.”