Category: Cybersecurity

  • The Hidden Threat in Your Stack: Why Non-Human Identity Management is the Next Cybersecurity Frontier


    Modern enterprise networks are highly complex environments that rely on hundreds of apps and infrastructure services. These systems need to interact securely and efficiently without constant human oversight, which is where non-human identities (NHIs) come in. NHIs — including application secrets, API keys, service accounts, and OAuth tokens — have exploded in recent years, thanks to an ever-expanding array of apps and services that must work together and identify one another on the fly. In some enterprises, NHIs now outnumber human identities by as much as 50-to-1.

    However, NHIs introduce unique risks and management challenges that have security leaders on high alert. Forty-six percent of organizations have experienced compromises of NHI accounts or credentials over the past year, and another 26% suspect they have, according to a recent report from Enterprise Strategy Group.

    It’s no wonder NHIs — and the difficulties they present with oversight, risk reduction, and governance — have been a recurring topic at Okta’s CISO Forum. Here, we’ll explore their rise, risks, and how CISOs and security leaders are managing them today.

    The spectacular rise of NHIs

    The rise in NHIs can be traced to the increasing use of cloud services, AI and automation, and digital workflows. It’s a trend that’s likely to continue, as more and more tasks are automated and humans are less of a part of the equation.

    NHIs allow apps to authenticate to one another, both inside a specific domain and with third-party applications like cloud services. Those secrets, keys, and tokens are just as sensitive as the credentials used by humans, and in some cases, even more so, as they can provide adversaries with powerful access to specific applications and services if they’re leaked.

    CISOs are taking notice. In fact, over 80% of organizations expect to increase spending on non-human identity security.

    According to Mark Sutton, CISO at Bain Capital, “Non-human identities have become a focus for teams based on the maturity of their identity and access management programs. It’s quickly becoming the next hottest fire because people have somewhat solved user identities. The natural progression is then to start looking at service accounts and machine-to-machine non-human identities, including APIs.”

    Simply put, once organizations establish strong protocols for securing human identities, the logical next step is tackling NHIs. “That, and non-human identities are a part of the threat landscape, and it’s where attackers are going next,” Sutton added.

    Secret leakage and other risks of NHIs

    Like any other set of credentials, NHIs are sensitive and need to be protected. But while humans can employ robust security measures such as MFA or biometrics to protect sensitive credentials, NHIs often rely on less secure measures for authentication. That can make them easy targets for attackers.

    Leakage of NHI secrets can also be a serious concern. This can happen in a number of ways, whether it’s through hard-coding them into an application’s source code or accidentally copying and pasting them into a public document. Secret leakage is a significant problem, and secrets often show up in public GitHub repositories. In fact, security firm GitGuardian found more than 27 million new secrets in public repositories last year. This poses an even larger problem when you consider that NHI secrets are not rotated very often in most environments, so the useful life of a leaked secret could be quite long.
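    The hard-coding problem described above is something a team can check for itself before a secret ever reaches a public repository. The scanner below is an added example for this page, not Okta’s or GitGuardian’s tooling: it combines two detection rules, the publicly documented token prefixes (AWS access key IDs begin with AKIA, GitHub personal access tokens with ghp_, Slack tokens with xox followed by a type letter) and a generic rule that flags any assignment to a secret-looking variable whose value has high Shannon entropy. The entropy threshold and the sample file are choices made here for illustration; none of the values are real credentials.

```python
"""Hardcoded-secret scanner: flags likely NHI credentials committed to source.

Added example for this page (not Okta's or GitGuardian's tooling).  The token
prefixes are the publicly documented ones; the generic-assignment rule and the
entropy threshold are tuning choices, not a published standard.
"""
import math
import re
from collections import Counter

# Known-prefix formats: high confidence regardless of surrounding context.
KNOWN_FORMATS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "slack_token": re.compile(r"\bxox[baprs]-[A-Za-z0-9-]{10,}\b"),
}

# Generic rule: an assignment whose variable name smells like a secret and whose
# value is a long literal.  The entropy check (below) keeps placeholders such as
# password = "changeme_changeme" from being reported.
ASSIGNMENT = re.compile(
    r"(?i)\b[\w-]*(?:api[_-]?key|secret|token|passw(?:or)?d)[\w-]*"
    r"\s*[:=]\s*['\"]([^'\"]{16,})['\"]"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; tuning choice (assumption)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for a single repeated char)."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep just enough of the value to locate it; never print the secret."""
    return value[:4] + "…" + value[-2:]


def scan_lines(lines):
    """Return (line_no, rule, redacted_value) for each suspected secret."""
    findings = []
    for no, line in enumerate(lines, start=1):
        known = [(no, rule, redact(m.group(0)))
                 for rule, pat in KNOWN_FORMATS.items()
                 for m in pat.finditer(line)]
        if known:                       # a known format beats the generic rule
            findings.extend(known)
            continue
        m = ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
            findings.append((no, "high_entropy_assignment", redact(m.group(1))))
    return findings


# Constructed sample file: documented token formats with made-up bodies;
# nothing here is a real credential.
SAMPLE = """\
# settings.py committed to a public repository
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
db_password = "changeme_changeme"
GITHUB_TOKEN = "ghp_16C7e42F292c6912E7710c838347Ae178B4a"
client_secret = "q9Zt3vL8pX1mR4sW7yB2nK5dH6jF0aC3"
log_level = "debug"
""".splitlines()

if __name__ == "__main__":
    for finding in scan_lines(SAMPLE):
        print(finding)
```

    Run as a pre-commit hook over staged files, this catches the two most common leak paths the article names (a key pasted into config, a token left in a script) while ignoring the low-entropy placeholder on line 3; anything it reports should be rotated, not just deleted from history.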

    And, because they often require broad and persistent permissions to perform tasks, NHIs can accumulate excessive permissions, further increasing the attack surface. All of this makes NHIs a prime target for attackers and a major challenge for CISOs and their security teams.

    Three challenges CISOs face in securing NHIs

    While NHIs are now on CISOs’ radar, securing them is another story. Here are three challenges we’re hearing from CISOs, and how they’re managing them:

    1. Gaining visibility. The biggest hurdle in trying to secure and manage NHIs is actually finding them. Visibility into where NHIs lie in an environment can be limited, and discovering all or even most of them is a difficult task. Many organizations have thousands of NHIs that they didn’t even know existed. The old adage “you can’t secure what you don’t know about” holds true here. That means discovering and inventorying NHIs is critical. Implementing an identity security posture management solution can help admins and security professionals identify NHIs across their organization.
    2. Risk prioritization and reduction. The next challenge is prioritizing the risks associated with the NHIs in the environment. Not all NHIs are created equal. Finding the most powerful NHIs and identifying over-privileged NHIs is a key step in securing these identities. Many service accounts and other NHIs have far more privileges than they actually need, which can create risks for the organization. Identifying high-value NHIs and adjusting privileges and permissions can help reduce that risk. “It’s about understanding the blast radius associated with each non-human identity and asking ‘what’s the risk?’ Not all NHIs carry the same threat,” Sutton stressed.
    3. Establishing governance. With so many NHIs being created today, governance has become a real thorn in the side for CISOs. But when they’re not properly governed, bad things can happen — take, for instance, the series of Internet Archive breaches tied to unrotated tokens in October 2024. Often, NHIs are created by developers to serve short-term needs, but they’re rarely tracked or decommissioned properly. Understanding who’s creating NHIs, how they’re creating them, and for what purpose is a good first step. Then, security teams must establish a clear process for managing them so non-human identities can’t be created arbitrarily. “We have to think about what our authentication and password policies are,” says Sutton. “For instance, there are likely many service accounts with weak, static passwords that haven’t been rotated for years. How do we make sure we’re managing those?”
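    The three steps above (inventory, blast-radius prioritization, governance of rotation and ownership) can be turned into a repeatable triage. The script below is an added example for this page, not Okta’s product logic or any vendor’s scoring model: it takes an inventory of the kind an identity posture tool or a cloud IAM export would produce, weights each identity’s permission scopes into a blast-radius figure, and then multiplies by the number of governance failures (stale credential, dormant, no owner, wildcard scope) so that a powerful but well-managed identity ranks below a powerful, stale, orphaned one. The inventory, scope weights and 90-day rotation threshold are assumptions chosen for illustration.

```python
"""Triage of a non-human identity inventory: visibility, blast radius, governance.

Added example for this page, not Okta's product or any vendor's scoring model.
The inventory format, the scope weights and the thresholds are assumptions.
"""
from datetime import date, timedelta

ROTATION_MAX_AGE = timedelta(days=90)   # assumed policy: rotate at least quarterly
UNUSED_AFTER = timedelta(days=60)       # assumed: dormant if unused this long
TODAY = date(2025, 6, 10)               # fixed so the example is reproducible

# Assumed weight per permission scope; '*' (admin/wildcard) dominates.
SCOPE_WEIGHT = {"*": 100, "iam:*": 80, "secrets:read": 40, "db:write": 30,
                "db:read": 10, "storage:read": 5}


def blast_radius(scopes):
    """Sum of scope weights; scopes not in the table get a default weight."""
    return sum(SCOPE_WEIGHT.get(s, 15) for s in scopes)


def triage(inventory, today):
    """Return (risk_score, identity_id, [issues]) sorted highest risk first."""
    results = []
    for nhi in inventory:
        issues = []
        age = today - nhi["last_rotated"]
        if age > ROTATION_MAX_AGE:
            issues.append(f"credential not rotated for {age.days} days")
        if nhi["last_used"] is None or today - nhi["last_used"] > UNUSED_AFTER:
            issues.append(f"dormant: not used in the last {UNUSED_AFTER.days} days")
        if not nhi.get("owner"):
            issues.append("no accountable owner")
        if "*" in nhi["scopes"]:
            issues.append("wildcard/admin scope")
        # Risk = blast radius scaled by the number of governance failures.
        score = blast_radius(nhi["scopes"]) * (1 + len(issues))
        results.append((score, nhi["id"], issues))
    return sorted(results, reverse=True)


# Constructed inventory (not real accounts).
INVENTORY = [
    {"id": "svc-ci-deploy", "type": "service_account", "owner": "platform-team",
     "scopes": ["db:write", "storage:read"],
     "last_rotated": date(2025, 5, 20), "last_used": date(2025, 6, 9)},
    {"id": "api-key-legacy-etl", "type": "api_key", "owner": "",
     "scopes": ["*"],
     "last_rotated": date(2022, 11, 3), "last_used": None},
    {"id": "oauth-crm-sync", "type": "oauth_client", "owner": "sales-eng",
     "scopes": ["secrets:read", "db:read"],
     "last_rotated": date(2025, 1, 15), "last_used": date(2025, 6, 8)},
]

if __name__ == "__main__":
    for score, ident, issues in triage(INVENTORY, TODAY):
        print(f"{score:5d}  {ident:22s} {'; '.join(issues) or 'ok'}")
```

    The orphaned, never-used wildcard API key lands at the top of the list with four findings; the CI deployer, rotated three weeks ago and used yesterday, scores only its blast radius. Feeding the output into a ticketing queue ordered by score is the practical form of the “what’s the risk?” question quoted above.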

    Final thoughts

    Non-human identities are essential to businesses today, helping them automate processes, enable integrations, and ensure smooth operations. The challenge: They’re difficult to secure and are an enticing target for threat actors because they’re often non-federated, lack MFA, use static credentials, and have excessive privileges.

    At the end of the day, non-human identities and human identities may have different characteristics and needs, but both require an end-to-end approach that protects them before, during, and after authentication. NHIs may not be people, but they’re increasingly powerful actors in your environment. That makes securing them not optional, but urgent.

    Join our webcast on August 18th to learn how organizations are reducing risk and complexity by managing all identities — human or not — under one unified system.

    Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.


    Source: thehackernews.com…

  • Researcher Found Flaw to Discover Phone Numbers Linked to Any Google Account

    Jun 10, 2025 | Ravie Lakshmanan | Vulnerability / API Security

    Google has stepped in to address a security flaw that could have made it possible to brute-force an account’s recovery phone number, potentially exposing account holders to privacy and security risks.

    The issue, according to Singaporean security researcher “brutecat,” stems from a weakness in the company’s account recovery feature.

    Exploiting the vulnerability, however, hinged on several moving parts, specifically a now-deprecated JavaScript-disabled version of the Google username recovery form (“accounts.google[.]com/signin/usernamerecovery”) that lacked the anti-abuse protections designed to block high-volume automated requests.

    The page in question is designed to help users check if a recovery email or phone number is associated with a specific display name (e.g., “John Smith”).


    But circumventing the CAPTCHA-based rate limit ultimately made it possible to try every combination of the hidden digits of a Google account’s phone number in a short space of time and arrive at the correct number in seconds or minutes, depending on the length of the phone number (which varies from country to country).

    An attacker could also take advantage of Google’s Forgot Password flow to figure out the country code associated with a victim’s phone number, as well as obtain their display name by creating a Looker Studio document and transferring ownership to the victim, effectively causing their full name to be leaked on the home page.

    In all, the exploit requires performing the following steps –

    • Leak the Google account display name via Looker Studio
    • Run the forgot password flow for a target email address to get the masked phone number with the last 2 digits displayed to the attacker (e.g., •• ••••••03)
    • Brute-force the phone number against the username recovery endpoint to obtain the phone number

    Brutecat said a Singapore-based number could be leaked using the aforementioned technique in a span of 5 seconds, while a U.S. number could be unmasked in about 20 minutes.
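    The country-dependent timings above follow directly from how many digits the masked hint leaves hidden. The model below is an added example, not brutecat’s proof of concept and not Google’s endpoint: it parses a masked hint of the form shown in step 2, computes the candidate space, and runs the enumeration against a constructed stand-in for the “is this number linked?” check, once with no throttling (the deprecated no-JavaScript form) and once with a per-source attempt cap of the kind the fix restores. The target number, the oracle and the cap of 100 attempts are assumptions; nothing contacts a real service.

```python
"""Why a CAPTCHA-free recovery endpoint is an enumeration oracle.

Added example, not brutecat's exploit code or Google's endpoint.  Everything
here is constructed: the masked hint, the linked number and the rate limit.
"""
from itertools import product


def parse_mask(mask: str):
    """Return the hint as a list: a digit where known, None where hidden.

    Formatting spaces are dropped; '•' marks a hidden digit."""
    return [None if ch == "•" else ch for ch in mask if ch != " "]


def search_space(mask: str) -> int:
    """Number of national numbers consistent with the hint."""
    return 10 ** parse_mask(mask).count(None)


def candidates(mask: str):
    """Yield every national number consistent with the hint, in order."""
    slots = parse_mask(mask)
    for fill in product("0123456789", repeat=slots.count(None)):
        it = iter(fill)
        yield "".join(next(it) if d is None else d for d in slots)


class RateLimited(Exception):
    pass


class RecoveryOracle:
    """Stand-in for the username-recovery check: True iff the number is linked.

    max_attempts=None reproduces the unprotected JS-disabled form; a finite
    per-source cap is the kind of control a CAPTCHA or rate limit provides."""

    def __init__(self, linked_number: str, max_attempts=None):
        self._linked = linked_number
        self._max = max_attempts
        self.attempts = 0

    def is_linked(self, number: str) -> bool:
        self.attempts += 1
        if self._max is not None and self.attempts > self._max:
            raise RateLimited(f"blocked after {self._max} attempts")
        return number == self._linked


def brute_force(mask: str, oracle: RecoveryOracle):
    """Return the linked number, or None if the oracle shut us out."""
    try:
        for number in candidates(mask):
            if oracle.is_linked(number):
                return number
    except RateLimited:
        return None
    return None


if __name__ == "__main__":
    # Full-size hints: an 8-digit Singapore number vs a 10-digit US number.
    print("SG candidates:", search_space("•••• ••03"))     # 1000000
    print("US candidates:", search_space("•• ••••••03"))   # 100000000
    # Toy-sized hint (4 hidden digits) so the demo finishes instantly.
    target = "123403"                                      # constructed
    print(brute_force("••••03", RecoveryOracle(target)))                   # 123403
    print(brute_force("••••03", RecoveryOracle(target, max_attempts=100)))  # None
```

    With the two known trailing digits, a Singapore number leaves 10^6 candidates and a US number 10^8, which is why the same technique takes seconds in one country and minutes in another. The defensive point is in the second run: the enumeration needs every one of those guesses answered, so any per-source or per-target cap that is small relative to the candidate space makes the oracle useless, and a hint that reveals fewer digits shrinks the attacker’s advantage further.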

    Armed with the knowledge of a phone number associated with a Google account, a bad actor could take control of it through a SIM-swapping attack and ultimately reset the password of any account associated with that phone number.

    Following responsible disclosure on April 14, 2025, Google awarded the researcher a $5,000 bug bounty and plugged the vulnerability by completely getting rid of the non-JavaScript username recovery form as of June 6, 2025.

    The findings come months after the same researcher detailed another $10,000 exploit that an attacker could have weaponized to expose the email address of any YouTube channel owner by chaining a flaw in the YouTube API and an outdated web API associated with Pixel Recorder.


    Then in March, brutecat also revealed that it’s possible to glean email addresses belonging to creators who are part of the YouTube Partner Program (YPP) by leveraging an access control issue in the “/get_creator_channels” endpoint, earning them a reward of $20,000.

    “[An] access control issue in /get_creator_channels leaks channel contentOwnerAssociation, which leads to channel email address disclosure via Content ID API,” Google said.

    “An attacker with access to a Google account that had a channel that joined the YouTube Partner Program (over 3 million channels) can obtain the email address as well as monetization details of any other channel in the YouTube Partner Program. The attacker can use this to de-anonymize a YouTuber (as there is an expectation of pseudo-anonymity in YouTube), or phish them.”



    Source: thehackernews.com…

  • Rare Werewolf APT Uses Legitimate Software in Attacks on Hundreds of Russian Enterprises

    Jun 10, 2025 | Ravie Lakshmanan | Cryptocurrency / Malware


    The threat actor known as Rare Werewolf (formerly Rare Wolf) has been linked to a series of cyber attacks targeting Russia and the Commonwealth of Independent States (CIS) countries.

    “A distinctive feature of this threat is that the attackers favor using legitimate third-party software over developing their own malicious binaries,” Kaspersky said. “The malicious functionality of the campaign described in this article is implemented through command files and PowerShell scripts.”

    The intent of the attacks is to establish remote access to compromised hosts, siphon credentials, and deploy the XMRig cryptocurrency miner. The activity impacted hundreds of Russian users spanning industrial enterprises and engineering schools, with a smaller number of infections also recorded in Belarus and Kazakhstan.

    Rare Werewolf, also known by the names Librarian Ghouls and Rezet, is the moniker assigned to an advanced persistent threat (APT) group that has a track record of striking organizations in Russia and Ukraine. It’s believed to be active at least since 2019.


    According to BI.ZONE, the threat actor obtains initial access using phishing emails, leveraging the foothold to steal documents, Telegram messenger data, and drop tools like Mipko Employee Monitor, WebBrowserPassView, and Defender Control to interact with the infected system, harvest passwords, and disable antivirus software.

    The latest set of attacks documented by Kaspersky reveals the use of phishing emails as a malware delivery vehicle, using password-protected archives containing executable files as a starting point to activate the infection.

    Present within the archive is an installer that’s used to deploy a legitimate tool called 4t Tray Minimizer, as well as other payloads, including a decoy PDF document that mimics a payment order.

    “This software can minimize running applications to the system tray, allowing attackers to obscure their presence on the compromised system,” Kaspersky said.

    These intermediate payloads are then used to fetch additional files from a remote server, including Defender Control and Blat, a legitimate utility for sending stolen data to an attacker-controlled email address over SMTP. The attacks are also characterized by the use of the AnyDesk remote desktop software, and a Windows batch script to facilitate data theft and the deployment of the miner.

    A salient aspect of the batch script is that it launches a PowerShell script that automatically wakes the victim system at 1 a.m. local time and gives the attackers remote access to it via AnyDesk for a four-hour window. The machine is then shut down at 5 a.m. by means of a scheduled task.
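    The wake-at-night, run-a-script, shut-down-before-dawn pattern is visible in the scheduled task definitions themselves, which makes it a cheap hunt. The script below is an added example, not Kaspersky’s detection logic: it parses Task Scheduler XML (the format produced by `schtasks /query /xml /tn "<name>"` or found in the Tasks folder under System32) and flags a task only when several signals line up, namely WakeToRun, a trigger inside the night window, and an action that runs a scripting host, a remote-access or mailing tool, or a shutdown. The three task documents are constructed to mirror the behaviour described above and are not samples from the campaign; the keyword list and the 00:00 to 06:00 window are assumptions.

```python
"""Hunt exported Task Scheduler XML for wake-and-run tasks with hostile actions.

Added example (not Kaspersky's detection logic).  The task documents below are
constructed; the suspicious-keyword list and the night window are assumptions.
"""
import re
import xml.etree.ElementTree as ET
from datetime import time

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Assumed: binaries and arguments worth flagging when paired with a wake-up.
SUSPICIOUS = re.compile(r"(?i)(shutdown(\.exe)?|powershell|anydesk|blat|"
                        r"-enc(odedcommand)?|-ep\s+bypass|-w(indowstyle)?\s+hidden)")
NIGHT = (time(0, 0), time(6, 0))   # assumed "nobody is watching" window


def _text(el, path):
    node = el.find(path, NS)
    return (node.text or "").strip() if node is not None else ""


def _start_time(trigger):
    m = re.search(r"T(\d{2}):(\d{2})", _text(trigger, "t:StartBoundary"))
    return time(int(m.group(1)), int(m.group(2))) if m else None


def analyse_task(xml_text: str):
    """Return the reasons a task matches the wake/run/shutdown pattern ([] if not)."""
    root = ET.fromstring(xml_text)
    reasons = []
    if _text(root, "t:Settings/t:WakeToRun").lower() == "true":
        reasons.append("WakeToRun enabled")
    for trig in root.findall("t:Triggers/*", NS):
        t = _start_time(trig)
        if t and NIGHT[0] <= t < NIGHT[1]:
            reasons.append(f"trigger fires at {t.strftime('%H:%M')}")
    for ex in root.findall("t:Actions/t:Exec", NS):
        cmd = f"{_text(ex, 't:Command')} {_text(ex, 't:Arguments')}".strip()
        hit = SUSPICIOUS.search(cmd)
        if hit:
            reasons.append(f"action runs {hit.group(1)}: {cmd}")
    # Only the combination is interesting: plenty of benign tasks wake the box.
    return reasons if len(reasons) >= 2 else []


def hunt(tasks):
    """Map task name -> reasons for every task that matches."""
    flagged = {}
    for name, xml_text in tasks.items():
        reasons = analyse_task(xml_text)
        if reasons:
            flagged[name] = reasons
    return flagged


# Constructed task definitions (namespace and layout as Task Scheduler exports).
_HDR = '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
TASKS = {
    "MicrosoftEdgeUpdateTaskMachineUA": _HDR + """
  <Triggers><CalendarTrigger><StartBoundary>2025-06-01T14:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Settings><WakeToRun>false</WakeToRun></Settings>
  <Actions><Exec><Command>C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe</Command>
    <Arguments>/ua /installsource scheduler</Arguments></Exec></Actions></Task>""",
    "SystemHealthWake": _HDR + """
  <Triggers><CalendarTrigger><StartBoundary>2025-06-01T01:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Settings><WakeToRun>true</WakeToRun></Settings>
  <Actions><Exec><Command>powershell.exe</Command>
    <Arguments>-ep bypass -w hidden -File C:\\Users\\Public\\upd.ps1</Arguments></Exec></Actions></Task>""",
    "SystemHealthSleep": _HDR + """
  <Triggers><CalendarTrigger><StartBoundary>2025-06-01T05:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Settings><WakeToRun>false</WakeToRun></Settings>
  <Actions><Exec><Command>shutdown.exe</Command><Arguments>/s /f /t 0</Arguments></Exec></Actions></Task>""",
}

if __name__ == "__main__":
    for name, reasons in hunt(TASKS).items():
        print(name, "->", "; ".join(reasons))
```

    The updater task wakes nothing and runs at 14:00, so it is ignored; the 1 a.m. wake-and-PowerShell task and the 5 a.m. forced shutdown are both reported, and seeing the pair on one host is the strongest signal in this campaign. The “two or more reasons” gate is deliberate: WakeToRun alone is common on laptops with backup or update tasks.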

    “It is a common technique to leverage third-party legitimate software for malicious purposes, which makes detecting and attributing APT activity more difficult,” Kaspersky said. “All of the malicious functionality still relies on the installer, command, and PowerShell scripts.”


    The disclosure comes as Positive Technologies revealed that a financially motivated cybercrime group dubbed DarkGaboon has been targeting Russian entities using LockBit 3.0 ransomware. DarkGaboon, first discovered in January 2025, is believed to have been operational since May 2023.

    The attacks, the company said, employ phishing emails bearing archive files containing RTF bait documents and Windows screensaver files to drop the LockBit encryptor and trojans like XWorm and Revenge RAT. The use of readily available tooling is seen as an attempt on the part of the attackers to blend in with broader cybercriminal activity and challenge attribution efforts.

    “DarkGaboon is not a client of the LockBit RaaS service and acts independently, as indicated by the use of a publicly available version of the LockBit ransomware, the absence of traces of data exfiltration in the attacked companies, and the traditional threats to publish stolen information on the [data leak site] portal,” Positive Technologies researcher Victor Kazakov said.



    Source: thehackernews.com…

  • Researchers Uncover 20+ Configuration Risks, Including Five CVEs, in Salesforce Industry Cloud

    Jun 10, 2025 | Ravie Lakshmanan | Vulnerability / SaaS Security


    Cybersecurity researchers have uncovered over 20 configuration-related risks affecting Salesforce Industry Cloud (aka Salesforce Industries), exposing sensitive data to unauthorized internal and external parties.

    The weaknesses affect various components like FlexCards, Data Mappers, Integration Procedures (IProcs), Data Packs, OmniOut, and OmniScript Saved Sessions.

    “Low-code platforms such as Salesforce Industry Cloud make building applications easier, but that convenience can come at a cost if security isn’t prioritized,” Aaron Costello, chief of SaaS Security Research at AppOmni, said in a statement shared with The Hacker News.

    These misconfigurations, if left unaddressed, could allow cybercriminals and other unauthorized parties to access encrypted confidential data on employees and customers, session data detailing how users have interacted with Salesforce Industry Cloud, credentials for Salesforce and other company systems, and business logic.


    Following responsible disclosure, Salesforce has addressed the shortcomings and issued configuration guidance for the remaining misconfigurations. The defects that have been assigned CVE identifiers are listed below –

    • CVE-2025-43697 (CVSS score: N/A) – If ‘Check Field Level Security’ is not enabled for ‘Extract’ and ‘Turbo Extract’ Data Mappers, the ‘View Encrypted Data’ permission check is not enforced, exposing cleartext values for the encrypted fields to users with access to a given record
    • CVE-2025-43698 (CVSS score: N/A) – The SOQL data source bypasses any Field-Level Security when fetching data from Salesforce objects
    • CVE-2025-43699 (CVSS score: 5.3) – FlexCard does not enforce the ‘Required Permissions’ field for the OmniUiCard object
    • CVE-2025-43700 (CVSS score: 7.5) – FlexCard does not enforce the ‘View Encrypted Data’ permission, returning plaintext values for data that uses Classic Encryption
    • CVE-2025-43701 (CVSS score: 7.5) – FlexCard allows Guest Users to access values for Custom Settings

    Put simply, attackers can weaponize these issues to bypass security controls and extract sensitive customer or employee information.

    AppOmni said CVE-2025-43697 and CVE-2025-43698 have been tackled through a new security setting called “EnforceDMFLSAndDataEncryption” that customers will have to enable to ensure that only users with the “View Encrypted Data” permission may see the plaintext value of fields returned by the Data Mapper.

    “For organizations subject to compliance mandates such as HIPAA, GDPR, SOX, or PCI-DSS, these gaps can represent real regulatory exposure,” the company said. “And because it is the customer’s responsibility to securely configure these settings, a single missed setting could lead to the breach of thousands of records, with no vendor accountability.”

    When reached for comment, a Salesforce spokesperson told The Hacker News that a vast majority of the issues “stem from customer configuration issues” and are not vulnerabilities inherent to the application.

    “All issues identified in this research have been resolved, with patches made available to customers, and official documentation updated to reflect complete configuration functionality,” the company said. “We have not observed any evidence of exploitation in customer environments as a result of these issues.”

    The findings come as security researcher Tobia Righi, who goes by the handle MasterSplinter, disclosed a Salesforce Object Query Language (SOQL) injection vulnerability that could be exploited to access sensitive user data.


    The zero-day vulnerability (no CVE) exists in a default aura controller present in all Salesforce deployments, arising as a result of a user-controlled “contentDocumentId” parameter that’s unsafely embedded into “aura://CsvDataImportResourceFamilyController/ACTION$getCsvAutoMap” that creates a pathway for SOQL injection.

    Successful exploitation of the flaw could have enabled attackers to insert additional queries through the parameter and extract database contents. The exploit could be further augmented by passing a list of IDs correlated to ContentDocument objects that are not public so as to gather information about uploaded documents.

    The IDs, Righi said, can be generated with a publicly available brute-force script that produces the likely previous or next Salesforce IDs from a valid input ID. This works because Salesforce IDs are somewhat predictable and were never meant to serve as a security boundary.
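    The bug class above, a record ID taken from the request and dropped into a SOQL WHERE clause, is easiest to understand side by side with its fix. The snippet below is an added example for this page, not Righi’s proof of concept and not Salesforce’s patched controller, and it is written in Python to show the query-building logic rather than Apex. The query text, the made-up ID and the injection payload are constructed; the only Salesforce facts relied on are that record IDs are 15 case-sensitive characters optionally followed by a 3-character suffix, and that the ContentDocument key prefix is 069. The hardened version allow-lists the parameter against that format, which is the right control for an identifier; the escaping helper is what free-text values need instead.

```python
"""SOQL built from a request parameter: the injectable form and a hardened one.

Added example for this page, not Tobia Righi's PoC and not Salesforce's
patched controller.  The IDs and payload are constructed.
"""
import re

# Salesforce record IDs: 15 case-sensitive alphanumerics, optionally followed
# by a 3-character suffix; the first three characters are the object key
# prefix (069 = ContentDocument).
CONTENT_DOCUMENT_ID = re.compile(r"\A069[A-Za-z0-9]{12}(?:[A-Za-z0-9]{3})?\Z")


def query_vulnerable(content_document_id: str) -> str:
    """String concatenation: whatever the caller sends becomes query syntax."""
    return ("SELECT Id, Title, OwnerId FROM ContentDocument "
            f"WHERE Id = '{content_document_id}'")


def query_hardened(content_document_id: str) -> str:
    """Reject anything that is not a syntactically valid ContentDocument ID.

    No legitimate ID contains quotes, spaces or operators, so an allow-list on
    the parameter is the right control here; escaping is for free text."""
    if not CONTENT_DOCUMENT_ID.match(content_document_id):
        raise ValueError("contentDocumentId is not a valid ContentDocument ID")
    return query_vulnerable(content_document_id)   # safe only because validated


def soql_quote(value: str) -> str:
    """Escape a free-text value for use inside a single-quoted SOQL literal."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def query_by_title(title: str) -> str:
    """Free-text parameter: the value is escaped, not interpolated raw."""
    return "SELECT Id, Title FROM ContentDocument WHERE Title = " + soql_quote(title)


# Constructed inputs: a well-formed (made-up) ID and an injection payload that
# closes the literal and widens the predicate to every record.
GOOD_ID = "069Hx00000A1b2c"
PAYLOAD = "069Hx00000A1b2c' OR Title != '"

if __name__ == "__main__":
    print(query_vulnerable(PAYLOAD))   # ... WHERE Id = '069Hx00000A1b2c' OR Title != ''
    print(query_hardened(GOOD_ID))
    try:
        query_hardened(PAYLOAD)
    except ValueError as e:
        print("rejected:", e)
    print(query_by_title("x' OR Title != '"))
```

    The vulnerable builder turns the payload into `WHERE Id = '…' OR Title != ''`, a predicate every record satisfies; the hardened builder never lets the payload reach the query. Note that the ID format check does nothing about the predictability problem the research also raises: a caller can still present a valid-looking ID for a document they do not own, so the controller must additionally enforce record-level sharing on the result.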

    “As noted in the research, after receiving the report, our security team promptly investigated and resolved the issue. We have not observed any evidence of exploitation in customer environments,” the Salesforce spokesperson said. “We appreciate Tobia’s efforts to responsibly disclose this issue to Salesforce, and we continue to encourage the security research community to report potential issues through our established channels.”



    Source: thehackernews.com…

  • FIN6 Uses AWS-Hosted Fake Resumes on LinkedIn to Deliver More_eggs Malware

    Jun 10, 2025 | Ravie Lakshmanan | Phishing / Cybercrime

    The financially motivated threat actor known as FIN6 has been observed leveraging fake resumes hosted on Amazon Web Services (AWS) infrastructure to deliver a malware family called More_eggs.

    “By posing as job seekers and initiating conversations through platforms like LinkedIn and Indeed, the group builds rapport with recruiters before delivering phishing messages that lead to malware,” the DomainTools Investigations (DTI) team said in a report shared with The Hacker News.

    More_eggs is the work of another cybercrime group called Golden Chickens (aka Venom Spider), which was most recently attributed to new malware families like TerraStealerV2 and TerraLogger. A JavaScript-based backdoor, it’s capable of enabling credential theft, system access, and follow-on attacks, including ransomware.

    One of the malware’s known customers is FIN6 (aka Camouflage Tempest, Gold Franklin, ITG08, Skeleton Spider, and TA4557), an e-crime crew that originally targeted point-of-sale (PoS) systems in the hospitality and retail sectors to steal payment card details and profit off them. It has been operational since 2012.


    The hacking group also has a history of using Magecart JavaScript skimmers to target e-commerce sites to harvest financial information.

    According to payment card services company Visa, FIN6 has leveraged More_eggs as a first-stage payload as far back as 2018 to infiltrate several e-commerce merchants and inject malicious JavaScript code into the checkout pages with the ultimate goal of stealing card data.

    “Stolen payment card data is later monetized by the group, sold to intermediaries, or sold openly on marketplaces such as JokerStash, prior to it shutting down in early 2021,” Secureworks notes in a profile of the threat actor.

    The latest activity from FIN6 involves the use of social engineering to initiate contact with recruiters on professional job platforms like LinkedIn and Indeed, posing as job seekers to distribute a link (e.g., bobbyweisman[.]com, ryanberardi[.]com) that purports to host their resume.

    DomainTools said the bogus domains, which masquerade as personal portfolios, are registered anonymously through GoDaddy for an extra layer of obfuscation that makes attribution and takedown efforts more difficult.

    “By exploiting GoDaddy’s domain privacy services, FIN6 further shields the true registrant details from public view and takedown teams,” the company said. “Although GoDaddy is a reputable and widely used domain registrar, its built-in privacy features make it easy for threat actors to hide their identities.”

    Another noteworthy aspect is the use of trusted cloud services, such as AWS Elastic Compute Cloud (EC2) or S3, to host phishing sites. What’s more, the sites come with built-in traffic filtering logic to ensure that only prospective victims are served a link to download the supposed resume after completing a CAPTCHA check.


    “Only users appearing to be on residential IP addresses and using common Windows-based browsers are allowed to download the malicious document,” DomainTools said. “If the visitor originates from a known VPN service, cloud infrastructure like AWS, or corporate security scanners, the site instead delivers a harmless plain-text version of the resume.”

    The downloaded resume takes the form of a ZIP archive that, when opened, triggers an infection sequence to deploy the More_eggs malware.

    “FIN6’s Skeleton Spider campaign shows how effective low-complexity phishing campaigns can be when paired with cloud infrastructure and advanced evasion,” the researchers concluded. “By using realistic job lures, bypassing scanners, and hiding malware behind CAPTCHA walls, they stay ahead of many detection tools.”

    Update

    Following the publication of the story, an AWS spokesperson shared the below statement with The Hacker News –

    AWS has clear terms that require our customers to use our services in compliance with applicable laws. When we receive reports of potential violations of our terms, we act quickly to review and take steps to disable prohibited content. We value collaboration with the security research community and encourage researchers to report suspected abuse to AWS Trust & Safety through our dedicated abuse reporting process.

    (The story was updated after publication to include a response from AWS.)



    Source: thehackernews.com…

  • Rust-based Myth Stealer Malware Spread via Fake Gaming Sites Targets Chrome, Firefox Users


    Cybersecurity researchers have shed light on a previously undocumented Rust-based information stealer called Myth Stealer that’s being propagated via fraudulent gaming websites.

    “Upon execution, the malware displays a fake window to appear legitimate while simultaneously decrypting and executing malicious code in the background,” Trellix security researchers Niranjan Hegde, Vasantha Lakshmanan Ambasankar, and Adarsh S said in an analysis.

    The stealer, initially marketed on Telegram for free under beta in late December 2024, has since transitioned to a malware-as-a-service (MaaS) model. It’s equipped to steal passwords, cookies, and autofill information from both Chromium- and Gecko-based browsers, such as Google Chrome, Microsoft Edge, Brave, Opera, Vivaldi, and Mozilla Firefox.

    The operators of the malware have been found maintaining a number of Telegram channels to advertise the sale of compromised accounts as well as provide testimonials of their service. These channels have been shut down by Telegram.

    Evidence shows that Myth Stealer is distributed through fake websites, including one hosted on Google’s Blogger, offering various video games under the pretext of testing them. It’s worth noting that a near-identical Blogger page has been used to deliver another stealer malware known as AgeoStealer, as disclosed by Flashpoint in April 2025.

    “As per our investigation, there is no correlation between Myth Stealer and AgeoStealer,” the company told The Hacker News. “AgeoStealer is written in JavaScript which is packaged as an Electron application whereas Myth Stealer is written in Rust. Other than the use of visually similar webpages, there is no relation between the two.”

    Trellix said it also discovered the malware being distributed as a cracked version of a game cheating software called DDrace in an online forum, highlighting the myriad distribution vehicles.


    Regardless of the initial access vector, the downloaded loader displays a fake setup window to the user to deceive them into thinking that a legitimate application is executed. In the background, the loader decrypts and launches the stealer component.

    The stealer, a 64-bit DLL file, attempts to terminate running processes associated with various web browsers before stealing the data and exfiltrating it to a remote server or, in some cases, to a Discord webhook.
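    Exfiltration to a Discord webhook is worth a dedicated detection because the destination is a domain most organizations cannot block outright. The script below is an added example, not Trellix’s detection content: it reads a proxy or EDR network log that records the originating process, matches Discord’s public webhook URL shape, and reports POSTs that come from something other than a Discord or browser client or that carry an unusually large body. The log format, the sample records and the list of expected client processes are constructed for illustration; the stealer process name is made up. Because the stealer kills the browsers before it exfiltrates, the “wrong process” signal is the one that fires on this family.

```python
"""Flag stealer exfiltration to Discord webhooks in proxy or EDR network logs.

Added example, not Trellix's detection content.  The log format, the sample
records and the known-client list are constructed; the webhook URL shape is
Discord's public API path.
"""
import re
from collections import namedtuple

WEBHOOK = re.compile(
    r"https://(?:[\w-]+\.)?discord(?:app)?\.com/api/(?:v\d+/)?webhooks/(\d+)/([\w-]+)")
# Assumed: process names that legitimately talk to Discord from a workstation.
KNOWN_CLIENTS = {"discord.exe", "chrome.exe", "msedge.exe", "firefox.exe",
                 "brave.exe", "opera.exe", "vivaldi.exe"}
LARGE_UPLOAD = 100_000   # bytes; assumed threshold for "that is a database, not a message"

Record = namedtuple("Record", "ts host process method url bytes_out")


def parse(line: str) -> Record:
    """One tab-separated record per request (constructed format)."""
    ts, host, process, method, url, bytes_out = line.rstrip("\n").split("\t")
    return Record(ts, host, process.lower(), method, url, int(bytes_out))


def detect(lines):
    """Return (record_with_redacted_url, reason) for each suspicious webhook post."""
    hits = []
    for rec in map(parse, lines):
        m = WEBHOOK.search(rec.url)
        if not m or rec.method != "POST":
            continue
        reasons = []
        if rec.process not in KNOWN_CLIENTS:
            reasons.append(f"non-client process {rec.process}")
        if rec.bytes_out > LARGE_UPLOAD:
            reasons.append(f"large upload ({rec.bytes_out} bytes)")
        if reasons:
            # Never copy the webhook token into an alert: anyone holding it can post.
            redacted = rec._replace(url=f"discord webhook id={m.group(1)} token=<redacted>")
            hits.append((redacted, "; ".join(reasons)))
    return hits


# Constructed log: a normal Discord client, a browser, and a stealer that has
# just posted the browser databases after killing the browsers.
SAMPLE_LOG = """\
2025-06-09T21:14:02Z\tws-17\tDiscord.exe\tPOST\thttps://discord.com/api/v9/channels/123/messages\t412
2025-06-09T21:15:30Z\tws-17\tchrome.exe\tGET\thttps://discord.com/api/webhooks/111/abc-DEF\t0
2025-06-09T21:16:05Z\tws-17\tdlaunch.exe\tPOST\thttps://discord.com/api/webhooks/9876543210/aBcD-EfGh_12\t2387410
2025-06-09T21:16:06Z\tws-17\tdlaunch.exe\tPOST\thttps://discord.com/api/webhooks/9876543210/aBcD-EfGh_12\t1024
""".splitlines()

if __name__ == "__main__":
    for rec, why in detect(SAMPLE_LOG):
        print(rec.ts, rec.host, rec.process, rec.url, "->", why)
```

    The webhook ID survives in the alert so the abuse report to Discord can name it, while the token is dropped; the first hit also records the 2.3 MB body, which on a workstation is the size of a browser profile, not a chat message.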

    “It also contains anti-analysis techniques such as string obfuscation and system checks using filenames and usernames,” the researchers said. “The malware authors regularly update stealer code to evade AV detection and introduce additional functionality such as screen capture capability and clipboard hijacking.”

    Myth Stealer is by no means alone when it comes to using game cheat lures to distribute malware. Last week, Palo Alto Networks Unit 42 shed light on another Windows malware referred to as Blitz that’s spread through backdoored game cheats and cracked installers for legitimate programs.

    Primarily propagated via an attacker-controlled Telegram channel, Blitz consists of two stages: a downloader that retrieves a bot payload, and the bot itself, which is designed to log keystrokes, take screenshots, download/upload files, and inject code. It also comes fitted with a denial-of-service (DoS) function against web servers and drops an XMRig miner.

    The backdoored cheat performs anti-sandbox checks before retrieving the malware’s next stage, with the downloader only running when the victim logs in again after logging out or a reboot. The downloader is also configured to run the same anti-sandbox checks prior to dropping the bot payload.

    What’s notable about the attack chain is that the Blitz bot and XMR cryptocurrency miner payloads, along with components of its command-and-control (C2) infrastructure, are hosted in a Hugging Face Space. Hugging Face has locked the user account following responsible disclosure.

    As of late April 2025, Blitz is estimated to have amassed 289 infections in 26 countries, led by Russia, Ukraine, Belarus, and Kazakhstan. Last month, the threat actor behind Blitz claimed on their Telegram channel that they are hanging up the boots after they apparently found that the cheat had a trojan embedded in it. They also provided a removal tool to wipe the malware from victim systems.

    “The person behind Blitz malware appears to be a Russian speaker who uses the moniker sw1zzx on social media platforms,” Unit 42 said. “This malware operator is likely the developer of Blitz.”

    The development comes as CYFIRMA detailed a new C#-based remote access trojan (RAT) named DuplexSpy RAT that comes with extensive capabilities for surveillance, persistence, and system control. It was published on GitHub in April 2025, claiming it’s intended for “educational and ethical demonstration only.”

    Blitz infection chain

    “It establishes persistence via startup folder replication and Windows registry modifications while employing fileless execution and privilege escalation techniques for stealth,” the company said. “Key features include keylogging, screen capture, webcam/audio spying, remote shell, and anti-analysis functions.”

    Besides featuring the ability to remotely play audio or system sounds on the victim’s machine, DuplexSpy RAT incorporates a power control module that makes it possible for the attacker to remotely execute system-level commands on the compromised host, such as shutdown, restart, logout, and sleep.


    “[The malware] enforces a fake lock screen by displaying an attacker-supplied image (Base64-encoded) in full screen while disabling user interaction,” CYFIRMA added. “It prevents closure unless explicitly permitted, simulating a system freeze or ransom notice to manipulate or extort the victim.”

    The findings also follow a report from Positive Technologies that multiple threat actors, including TA558, Blind Eagle, Aggah (aka Hagga), PhaseShifters (aka Angry Likho, Sticky Werewolf, and UAC-0050), UAC-0050, and PhantomControl, are using a crypter-as-a-service offering called Crypters And Tools to obfuscate files like Ande Loader.

    Attack chains using Crypters And Tools have targeted the United States, Eastern Europe (including Russia), and Latin America. One platform where the crypter is sold is nitrosoftwares[.]com, which also offers various tools, including exploits, crypters, loggers, and cryptocurrency clippers, among others.

    Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.


    Source: thehackernews.com…

  • Microsoft Patches 67 Vulnerabilities Including WEBDAV Zero-Day Exploited in the Wild

    WEBDAV Zero-Day Exploited in the Wild

    Microsoft has released patches to fix 67 security flaws, including one zero-day bug in Web Distributed Authoring and Versioning (WebDAV) that it said has come under active exploitation in the wild.

    Of the 67 vulnerabilities, 11 are rated Critical and 56 are rated Important in severity. This includes 26 remote code execution flaws, 17 information disclosure flaws, and 14 privilege escalation flaws.

    The patches are in addition to 13 shortcomings addressed by the company in its Chromium-based Edge browser since the release of last month’s Patch Tuesday update.

    The vulnerability that has been weaponized in real-world attacks concerns a remote code execution in WebDAV (CVE-2025-33053, CVSS score: 8.8) that can be triggered by deceiving users into clicking on a specially crafted URL.

    The tech giant credited Check Point researchers Alexandra Gofman and David Driker for discovering and reporting the bug. It’s worth mentioning that CVE-2025-33053 is the first zero-day vulnerability to be disclosed in the WebDAV standard.

    In a separate report, the cybersecurity company attributed the abuse of CVE-2025-33053 to a threat actor known as Stealth Falcon (aka FruityArmor), which has a history of leveraging Windows zero-days in its attacks. In September 2023, the hacking group was observed using a backdoor dubbed Deadglyph as part of an espionage campaign aimed at entities in Qatar and Saudi Arabia.

    While Stealth Falcon operations have been identified as likely tied to the United Arab Emirates by the Citizen Lab in the past, Eli Smadja, research group manager at Check Point Research, told The Hacker News they are “unable to confirm any country affiliations” given their focus on the groups and their tactics.

    “The activity appears to be highly targeted, affecting specific victims rather than being widespread,” Smadja said of the latest campaign.

    The threat sequence, in a nutshell, involves the use of an internet shortcut (URL) file that exploits CVE-2025-33053 to execute malware from an actor-controlled WebDAV server. Check Point said CVE-2025-33053 allows for remote code execution through manipulation of the working directory.

    In the attack chain observed against an unnamed defense company in Turkey, the threat actor is said to have employed CVE-2025-33053 to deliver Horus Agent, a custom implant built for the Mythic command-and-control (C2) framework. It’s believed that the malicious payload used to initiate the attack, a URL shortcut file, was sent as an archived attachment in a phishing email.


    The URL file is used to launch iediagcmd.exe, a legitimate diagnostics utility for Internet Explorer, leveraging it to launch another payload called Horus Loader, which is responsible for serving a decoy PDF document and executing Horus Agent.
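    The chain above hinges on an Internet Shortcut whose working directory is steered to a remote WebDAV share. As an added example (not code from the article, Check Point or Microsoft), the following Python triage helper parses the INI-style .url format and flags shortcuts whose WorkingDirectory or URL resolves to a UNC/WebDAV location; the sample shortcuts and the 198.51.100.10 host are constructed for illustration.

```python
"""Triage of Internet Shortcut (.url) files for remote working directories.

Added example: parse the INI-style .url format and flag shortcuts whose
WorkingDirectory (or URL) references a remote UNC/WebDAV location, which
is the pattern the CVE-2025-33053 chain described above relies on.
"""
import configparser
import re
from dataclasses import dataclass, field

# \\host\share style paths, and the WebDAV mini-redirector syntax (\\host@SSL\DavWWWRoot)
UNC_RE = re.compile(r"^\\\\[^\\]+")
WEBDAV_RE = re.compile(r"DavWWWRoot|@SSL\b", re.IGNORECASE)
# file://<authority>/... where the authority is a host rather than the empty local marker
FILE_AUTHORITY_RE = re.compile(r"^file://([^/\\]+)", re.IGNORECASE)


@dataclass
class UrlFileFinding:
    target: str
    working_dir: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_url_file(text: str) -> dict:
    """Return the key/value pairs of the [InternetShortcut] section."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep the original key case (URL, WorkingDirectory)
    parser.read_string(text)
    if not parser.has_section("InternetShortcut"):
        raise ValueError("missing [InternetShortcut] section")
    return dict(parser.items("InternetShortcut"))


def is_remote_path(value: str) -> bool:
    """True when a path or file: URI resolves to a network location."""
    v = value.strip()
    if UNC_RE.match(v) or WEBDAV_RE.search(v):
        return True
    m = FILE_AUTHORITY_RE.match(v)
    return bool(m) and m.group(1).lower() != "localhost"


def triage_url_file(text: str) -> UrlFileFinding:
    """Flag shortcuts that make a program resolve files from a remote share."""
    fields = parse_url_file(text)
    target = fields.get("URL", "")
    wd = fields.get("WorkingDirectory", "")
    finding = UrlFileFinding(target, wd)
    remote_wd = bool(wd) and is_remote_path(wd)
    local_file_target = target.lower().startswith("file:") and not is_remote_path(target)
    if remote_wd:
        finding.reasons.append("WorkingDirectory is a remote UNC/WebDAV path")
    if target.lower().startswith("file:") and is_remote_path(target):
        finding.reasons.append("URL target lives on a remote share")
    if remote_wd and local_file_target:
        finding.reasons.append("local executable paired with remote working directory")
    return finding


# Constructed samples (not real artefacts); 198.51.100.10 is a documentation address.
BENIGN_WEB = "[InternetShortcut]\nURL=https://example.com/\nIconIndex=0\n"
BENIGN_LOCAL = ("[InternetShortcut]\nURL=file:///C:/Users/Public/readme.txt\n"
                "WorkingDirectory=C:\\Users\\Public\n")
SUSPICIOUS = ("[InternetShortcut]\nURL=file:///C:/Windows/System32/notepad.exe\n"
              "WorkingDirectory=\\\\198.51.100.10@SSL\\DavWWWRoot\\\n")

if __name__ == "__main__":
    for name, text in [("web", BENIGN_WEB), ("local", BENIGN_LOCAL), ("webdav", SUSPICIOUS)]:
        f = triage_url_file(text)
        print(f"{name}: suspicious={f.suspicious} {f.reasons}")
```

    Run over shortcut files found in mail attachments or user profiles, the same heuristic can be fed into an alert for any .url whose working directory leaves the local machine.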

    “Written in C++, the implant shows no significant overlap with known C-based Mythic agents, aside from commonalities in the generic logic related to Mythic C2 communications,” Check Point said. “While the loader makes sure to implement some measures to protect the payload, the threat actors placed additional precautions within the backdoor itself.”

    This includes the use of techniques like string encryption and control flow flattening to complicate analysis efforts. The backdoor then connects to a remote server to fetch tasks that allow it to collect system information, enumerate files and folders, download files from the server, inject shellcode into running processes, and exit the program.

    CVE-2025-33053 infection chain

    Horus Agent is assessed to be an evolution of the customized Apollo implant, an open-source .NET agent for Mythic framework, that was previously put to use by Stealth Falcon between 2022 and 2023.

    “Horus is a more advanced version of the threat groups’ custom Apollo implant, rewritten in C++, improved, and refactored,” Check Point said.

    “Similar to the Horus version, the Apollo version introduces extensive victim fingerprinting capabilities while limiting the number of supported commands. This allows the threat actors to focus on stealthy identification of the infected machine and next stage payload delivery, while also keeping the implant size significantly smaller (only 120Kb) than the full agent.”

    The company said it also observed the threat actor leveraging several previously undocumented tools such as the following –

    • Credential Dumper, which targets an already-compromised Domain Controller to steal Active Directory and Domain Controller credential-related files
    • Passive backdoor, which listens for incoming requests and executes shellcode payloads
    • Keylogger, a custom C++ tool that records all keystrokes and writes them to a file under “C:/windows/temp/~TN%LogName%.tmp”

    The keylogger notably lacks any C2 mechanism, meaning that it likely works in conjunction with another component that can exfiltrate the file to the attackers.

    “Stealth Falcon employs commercial code obfuscation and protection tools, as well as custom-modified versions tailored for different payload types,” the Check Point research team said. “This makes their tools more difficult to reverse-engineer and complicates tracking technical changes over time.”

    The active exploitation of CVE-2025-33053 has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add it to the Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fix by July 1, 2025.

    “What makes this flaw particularly concerning is the widespread use of WebDAV in enterprise environments for remote file sharing and collaboration,” Mike Walters, President and Co-Founder of Action1, said. “Many organizations enable WebDAV for legitimate business needs — often without fully understanding the security risks it introduces.”

    The most severe vulnerability resolved by Microsoft is a privilege escalation flaw in Power Automate (CVE-2025-47966, CVSS score: 9.8) that could permit an attacker to elevate privileges over a network. However, there is no customer action required to mitigate the bug.

    Other vulnerabilities of note include elevation of privilege flaws in Common Log File System Driver (CVE-2025-32713, CVSS score: 7.8), Windows Netlogon (CVE-2025-33070, CVSS score: 8.1), and Windows SMB Client (CVE-2025-33073, CVSS score: 8.8), as well as a critical unauthenticated RCE vulnerability in the Windows KDC Proxy Service (CVE-2025-33071, CVSS score: 8.1).

    “Over the past several months, the CLFS driver has become a consistent focus for both threat actors and security researchers due to its exploitation in multiple ransomware operations,” Ben McCarthy, lead cyber security engineer at Immersive said.

    “It is categorized as a heap-based buffer overflow — a type of memory corruption vulnerability. The attack complexity is considered low, and successful exploitation allows an attacker to escalate privileges.”

    CVE-2025-33073 is the only vulnerability to be listed as publicly known at the time of release, with CrowdStrike, Synacktiv, SySS GmbH, RedTeam Pentesting, and Google Project Zero acknowledged for reporting the bug.

    “Even though CVE-2025-33073 is referred to by Microsoft as an elevation of privilege, it is actually an authenticated remote command execution as SYSTEM on any machine which does not enforce SMB signing,” Synacktiv researchers Wilfried Bécard and Guillaume André said.

    Reflective Kerberos relay attack (CVE-2025-33073)

    The path to exploitation requires a victim to connect to a malicious SMB server controlled by the attacker, ultimately leading to privilege escalation by means of a reflective Kerberos relay attack.

    “The principle behind the attack is that we coerced a Windows host to connect to our attack system via SMB and authenticate via Kerberos,” RedTeam Pentesting said in a technical analysis. “The Kerberos ticket is then relayed back to the same host again via SMB. The resulting SMB session had high-privileged NT AUTHORITY\SYSTEM privileges that are sufficient to execute arbitrary commands.”

    Adam Barnett, lead software engineer at Rapid7, said the exploitation of CVE-2025-33071 requires the attacker to exploit a cryptographic flaw and win a race condition.

    “The bad news is that Microsoft considers exploitation more likely regardless, and since a KDC proxy helps Kerberos requests from untrusted networks more easily access trusted assets without any need for a direct TCP connection from the client to the domain controller, the trade-off here is that the KDC proxy itself is quite likely to be exposed to an untrusted network,” Barnett added.

    Last but not least, Microsoft has also rolled out patches to remediate a secure boot bypass bug (CVE-2025-3052, CVSS score: 6.7) discovered by Binarly that enables the execution of untrusted software.


    “A vulnerability exists in a UEFI application signed with a Microsoft third-party UEFI certificate, which allows an attacker to bypass UEFI Secure Boot,” Redmond said in an alert. “An attacker who successfully exploited this vulnerability could bypass Secure Boot.”

    CERT Coordination Center (CERT/CC), in an advisory released Tuesday, said the vulnerability is rooted in Unified Extensible Firmware Interface (UEFI) applications DTBios and BiosFlashShell from DT Research, allowing Secure Boot bypass using a specially crafted NVRAM variable.

    “The vulnerability stems from improper handling of a runtime NVRAM variable that enables an arbitrary write primitive, capable of modifying critical firmware structures, including the global Security2 Architectural Protocol used for Secure Boot verification,” CERT/CC said.

    “Because the affected applications are signed by the Microsoft UEFI Certificate Authority, this vulnerability can be exploited on any UEFI-compliant system, allowing unsigned code to run during the boot process.”

    Successful exploitation of the vulnerability could permit the execution of unsigned or malicious code even before the operating system loads, potentially enabling attackers to drop persistent malware that can survive reboots and even disable security software.

    Microsoft, however, is not affected by CVE-2025-4275 (aka Hydroph0bia), another Secure Boot bypass vulnerability present in an InsydeH2O UEFI application that allows digital certificate injection through an unprotected NVRAM variable (“SecureFlashCertData”), resulting in arbitrary code execution at the firmware level.

    “This issue arises from the unsafe use of an NVRAM variable, which is used as trusted storage for a digital certificate in the trust validation chain,” CERT/CC said. “An attacker can store their own certificate in this variable and subsequently run arbitrary firmware (signed by the injected certificate) during the early boot process within the UEFI environment.”

    Software Patches from Other Vendors

    In addition to Microsoft, security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including —



    Source: thehackernews.com…

  • Adobe Releases Patch Fixing 254 Vulnerabilities, Closing High-Severity Security Gaps

    Jun 10, 2025 | Ravie Lakshmanan | Vulnerability / Cloud Security

    Adobe on Tuesday pushed security updates to address a total of 254 security flaws impacting its software products, a majority of which affect Experience Manager (AEM).

    Of the 254 flaws, 225 reside in AEM, impacting AEM Cloud Service (CS) as well as all versions prior to and including 6.5.22. The issues have been resolved in AEM Cloud Service Release 2025.5 and version 6.5.23.

    “Successful exploitation of these vulnerabilities could result in arbitrary code execution, privilege escalation, and security feature bypass,” Adobe said in an advisory.

    Almost all of the 225 vulnerabilities have been classified as cross-site scripting (XSS) vulnerabilities, specifically a mix of stored XSS and DOM-based XSS, that could be exploited to achieve arbitrary code execution.

    Adobe has credited security researchers Jim Green (green-jam), Akshay Sharma (anonymous_blackzero), and lpi for discovering and reporting the XSS flaws.

    The most severe of the flaws patched by the company as part of this month’s update concerns a code execution flaw in Adobe Commerce and Magento Open Source.


    The critical-rated vulnerability, CVE-2025-47110 (CVSS score: 9.1), is a reflected XSS flaw that could result in arbitrary code execution. Also addressed is an improper authorization flaw (CVE-2025-43585, CVSS score: 8.2) that could lead to a security feature bypass.

    The following versions are impacted –

    • Adobe Commerce (2.4.8, 2.4.7-p5 and earlier, 2.4.6-p10 and earlier, 2.4.5-p12 and earlier, and 2.4.4-p13 and earlier)
    • Adobe Commerce B2B (1.5.2 and earlier, 1.4.2-p5 and earlier, 1.3.5-p10 and earlier, 1.3.4-p12 and earlier, and 1.3.3-p13 and earlier)
    • Magento Open Source (2.4.8, 2.4.7-p5 and earlier, 2.4.6-p10 and earlier, 2.4.5-p12 and earlier)

    Of the remaining updates, four relate to code execution flaws in Adobe InCopy (CVE-2025-30327, CVE-2025-47107, CVSS scores: 7.8) and Substance 3D Sampler (CVE-2025-43581, CVE-2025-43588, CVSS scores: 7.8).

    While none of the bugs have been listed as publicly known or exploited in the wild, users are advised to update their instances to the latest version to safeguard against potential threats.



    Source: thehackernews.com…

  • SinoTrack GPS Devices Vulnerable to Remote Vehicle Control via Default Passwords

    Jun 11, 2025 | Ravie Lakshmanan | IoT Security / Vulnerability

    Two security vulnerabilities have been disclosed in SinoTrack GPS devices that could be exploited to control certain remote functions on connected vehicles and even track their locations.

    “Successful exploitation of these vulnerabilities could allow an attacker to access device profiles without authorization through the common web management interface,” the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in an advisory.

    “Access to the device profile may allow an attacker to perform some remote functions on connected vehicles such as tracking the vehicle location and disconnecting power to the fuel pump where supported.”


    The vulnerabilities, per the agency, affect all versions of the SinoTrack IoT PC Platform. A brief description of the flaws is below –

    • CVE-2025-5484 (CVSS score: 8.3) – Weak authentication to the central SinoTrack device management interface stems from the use of a default password and a username that’s an identifier printed on the receiver.
    • CVE-2025-5485 (CVSS score: 8.6) – The username used to authenticate to the web management interface, i.e., the identifier, is a numerical value of no more than 10 digits.

    An attacker could retrieve device identifiers with either physical access or by capturing identifiers from pictures of the devices posted on publicly accessible websites such as eBay. Furthermore, the adversary could enumerate potential targets by incrementing or decrementing from known identifiers or through enumerating random digit sequences.

    “Due to its lack of security, this device allows remote execution and control of the vehicles to which it is connected and also steals sensitive information about you and your vehicles,” security researcher Raúl Ignacio Cruz Jiménez, who reported the flaws to CISA, told The Hacker News in a statement.


    There are currently no fixes that address the vulnerabilities. The Hacker News has reached out to SinoTrack for comment, and we will update the story if we hear back.

    In the absence of a patch, users are advised to change the default password as soon as possible and take steps to conceal the identifier. “If the sticker is visible on publicly accessible photographs, consider deleting or replacing the pictures to protect the identifier,” CISA said.



    Source: thehackernews.com…

  • How to Build a Lean Security Model: 5 Lessons from River Island

    In today’s security landscape, budgets are tight, attack surfaces are sprawling, and new threats emerge daily. Maintaining a strong security posture under these circumstances without a large team or budget can be a real challenge. Yet lean security models are not only possible – they can be highly effective.

    River Island, one of the UK’s leading fashion retailers, offers a powerful case study on how to do more with less. Sunil Patel, River Island’s InfoSec Officer, and his small team of three are responsible for securing over 200 stores, an e-commerce platform, a major distribution center, and head offices. With no headcount growth on the horizon, Sunil had to rethink how security could scale effectively.

    By adopting a lean security model, powered by Intruder’s exposure management platform, the team was able to improve visibility, respond faster to threats, and empower others across the business to fix what matters most.

    Here are five key lessons from their approach that any security team can apply.

    1. Automate Attack Surface Visibility

    A lean security model relies on the ability to quickly and clearly understand your external attack surface. River Island’s team lacked a central way to track what was exposed to the internet. Without a single, up-to-date view of their internet-facing assets, they relied on spreadsheets and manual checks and struggled to keep up with new risks stemming from a constantly changing infrastructure.

    By adopting continuous network monitoring as part of their exposure management process, the team now detects attack surface changes automatically. When a new or unexpected service – like a login page, admin panel, or database – becomes accessible from the internet, they’re notified in real time. This gives Sunil and his team a live, accurate view of what’s exposed and makes it easy to start automatically scanning these exposed assets for vulnerabilities.

    2. Select the Right Tools for the Job

    The last thing a lean team needs is a stack of overlapping tools – each doing little, none doing enough.

    River Island had a range of security solutions in place, but many were underutilized. Sunil estimated they were “only getting about 5-6% of the possible value” from some products.

    Rather than adding more to the mix, the team consolidated. This means less time spent context-switching and more time acting on clear, unified insights. With a smaller toolkit, it is easier to build the integrations and automation that are an essential part of being lean.

    3. Automate Emerging Threat Detection

    High-profile vulnerabilities like Log4j put lean teams under immense pressure. When critical vulnerabilities emerge, your ability to stay secure depends on how quickly you can assess exposure. But with limited resources, scrambling to do this manually is inefficient and unsustainable.

    Unified exposure management platforms like Intruder take the pressure off by automatically scanning for newly disclosed critical vulnerabilities so that you’re not left waiting for your next weekly or monthly scan to find out whether you have an issue.

    Speaking to the impact of this, Sunil said, “When Log4j hit, our CIO asked if we were affected. I could tell him straight away: ‘We’re good – Intruder’s scanned for it and we’re in the clear.’”

    This level of assurance builds trust with leadership, avoids unnecessary fire drills, and frees up the team to focus on remediation rather than investigation.

    4. Enable Asset Owners to Fix Issues Fast

    In adopting a lean security model, the goal isn’t to fix everything yourself – it’s to make sure the right people are equipped to fix the right things, fast. That means removing the security team as a bottleneck and empowering others to remediate weaknesses.

    “One of my goals was to take the security team out of the equation completely from a process perspective,” said Sunil.

    Previously, the InfoSec team was responsible for chasing down asset owners and translating technical recommendations for non-security experts. Now, by integrating their exposure management platform with Jira, vulnerabilities are routed directly to the relevant teams – along with easy-to-follow instructions needed to take action.

    This shift has freed up InfoSec to focus on higher priorities, while service delivery managers handle day-to-day remediation.

    Sunil said, “We’re not the nagging manager anymore. We just monitor and make sure things are progressing.”

    5. Report on Cyber Hygiene

    When you’re running a lean security team, the last thing you want is to spend your limited time manually pulling reports or communicating updates to stakeholders. But visibility still matters – especially at the leadership level.

    At River Island, that trust was built by shifting away from ad-hoc reporting towards automated dashboards that clearly show what’s exposed, what’s been fixed, and what still needs attention.

    Sunil said, “I told my CIO, ‘You don’t have many one-to-ones with me,’ and he laughed and said, ‘That’s a good thing – it means nothing’s broken.’ Intruder gives him the confidence that we’ve got it covered, so he doesn’t need to check in. That’s how I know things are working.”

    Small Teams, Big Impact

    Being lean doesn’t mean being underpowered. With the right tools, processes, and mindset, security teams of any size can build scalable, resilient, and efficient operations. River Island’s experience shows that doing more with less isn’t just possible – it can be a smarter, more sustainable approach to security.

    Under pressure to do more with less? Try Intruder for free with a 14-day trial.

    This article is a contributed piece from one of our valued partners.


    Source: thehackernews.com…