Category: Cybersecurity

INTERPOL on Wednesday announced the dismantling of more than 20,000 malicious IP addresses or domains that have been linked to 69 information-stealing malware variants.

The joint action, codenamed Operation Secure, took place between January and April 2025, and involved law enforcement agencies from 26 countries to identify servers, map physical networks, and execute targeted takedowns.

“These coordinated efforts resulted in the takedown of 79 percent of identified suspicious IP addresses,” INTERPOL said in a statement. “Participating countries reported the seizure of 41 servers and over 100 GB of data, as well as the arrest of 32 suspects linked to illegal cyber activities.”

Vietnamese authorities arrested 18 suspects, and confiscated devices, SIM cards, business registration documents, and money worth $11,500. Further house raids have led to the arrest of another 12 people in Sri Lanka and two individuals in Nauru.

The Hong Kong Police, per INTERPOL, identified 117 command-and-control servers hosted across 89 internet service providers. These servers were designed to act as a hub to launch and manage malicious campaigns, such as phishing, online fraud, and social media scams.

Countries involved in Operation Secure include Brunei, Cambodia, Fiji, Hong Kong (China), India, Indonesia, Japan, Kazakhstan, Kiribati, Laos, Macau (China), Malaysia, Maldives, Nauru, Nepal, Papua New Guinea, Philippines, Samoa, Singapore, Solomon Islands, South Korea, Sri Lanka, Thailand, Timor-Leste, Tonga, Vanuatu, and Vietnam.

The development comes weeks after a global operation led to the seizure of 2,300 domains associated with the Lumma Stealer malware. In a separate operation last October 2024, police also disrupted infrastructure and seized data associated with RedLine and MetaStealer families.

Information stealers, often sold on the cybercrime underground on a subscription basis, are seen as a stepping stone for threat actors to gain unauthorized access to target networks. These malicious programs make it possible to siphon browser credentials, passwords, cookies, credit card details, and cryptocurrency wallet data from infected machines.

The stolen information is then monetized in the form of logs on various forums, enabling other actors to conduct follow-on attacks, including ransomware, data breaches, and business email compromise (BEC).

Singapore-headquartered Group-IB, which was one of the private sector companies that participated in the operation, said it provided mission-critical intelligence related to user accounts compromised by stealer malware like Lumma, RisePro, and MetaStealer.

“The compromised credentials and sensitive data acquired by cybercriminals through infostealer malware often serve as initial vectors for financial fraud and ransomware attacks,” said Dmitry Volkov, CEO of Group-IB.

Trend Micro said its investigation uncovered Vidar, Lumma Stealer, and Rhadamanthys as some of the most prominent infostealer families detected over the course of the multi-country initiative. Kaspersky, another private partner, said it shared data on malicious infrastructures that were involved in controlling and distributing the stealer malware.

In today’s cybersecurity landscape, much of the focus is placed on firewalls, antivirus software, and endpoint detection. While these tools are essential, one critical layer often goes overlooked: the Domain Name System (DNS). As the starting point of nearly every online interaction, DNS is not only foundational – it’s increasingly a target. When left unsecured, it becomes a single point of failure that can disrupt services, redirect users, or expose sensitive data. Securing it isn’t just good practice – it’s a necessity.

Why DNS Is a Core Part of Internet Infrastructure

The Domain Name System, or DNS, functions like the internet’s address book. It translates easy-to-remember domain names (like example.com) into the numerical IP addresses (like 1.2.3.4) that computers use to identify each other across networks. Every time a user visits a website, opens an app, or sends an email, a DNS query is triggered in the background to connect that request to the correct server. Without DNS, users would need to memorize complex strings of numbers for every online destination. While it operates quietly and efficiently, DNS is essential to how we navigate the internet – and when it’s disrupted or attacked, the entire digital experience can break down.

DNS: A Prime Target for Cyber Attackers

DNS might seem like just another background process – quietly resolving domain names so users can browse the internet without typing IP addresses. But beneath that simplicity lies a critical system that cyber attackers love to exploit. Why? Because DNS touches everything. It’s involved in almost every click, connection, and request made online.

The problem is, that DNS wasn’t built with security in mind. Most DNS traffic is unencrypted, unauthenticated, and largely invisible to traditional security tools. That makes it the perfect channel for attackers to launch stealthy, high-impact attacks – from silent redirections to full-scale service outages.

Some of the most common DNS-based attacks include:

• DNS Spoofing – Trick the resolver into sending users to fake websites that look real.
• DNS Hijacking – Change DNS records or settings to reroute traffic through malicious servers.
• DNS Tunneling – Hide stolen data inside DNS traffic to sneak it past firewalls.
• DDoS on DNS Servers – Overwhelm DNS infrastructure, making websites and apps unreachable.

These aren’t just technical tricks – they’re methods that can take entire businesses offline, compromise sensitive data, or silently spy on users. That’s why securing DNS is no longer optional – it’s a frontline defense.

Early Detection, Early Defense

Securing DNS means protecting the very first step in an attacker’s chain. By inspecting and controlling DNS traffic, organizations can block threats before they reach internal systems. This doesn’t just reduce the chance of compromise – it buys time. Time to react, time to investigate, and time to mitigate before damage is done.

In this way, DNS becomes more than just a directory service – it transforms into a sensor and a shield. Through careful monitoring of DNS queries and patterns, it’s possible to detect anomalies that suggest early-stage intrusions, like malware trying to call home or users unknowingly accessing a spoofed domain.

What makes this even more compelling is the fact that DNS traffic is relatively lightweight and ubiquitous. It offers a rich stream of security-relevant data without adding intrusive layers to user devices or degrading performance.

The Role of ClouDNS in Securing DNS

Fast DNS resolution is a critical foundation, but without integrated security, it leaves your infrastructure exposed. This is where advanced DNS providers bring critical capabilities to the table – features that ensure both resilience and security.

One such provider is ClouDNS, a global DNS hosting provider that combines speed, reliability, and built-in security to help organizations stay online and protected. Their infrastructure includes DDoS-protected DNS, a necessity in today’s environment where DDoS attacks can take down entire domains in minutes. By absorbing and deflecting malicious traffic, such systems ensure uninterrupted access for legitimate users even under active attack.

Another crucial advancement is DNSSEC (Domain Name System Security Extensions). DNSSEC adds cryptographic signatures to DNS records, ensuring that the responses users receive are authentic and unaltered. Without it, attackers can spoof legitimate-looking domains and redirect users to malicious destinations with alarming ease. With DNSSEC enabled, that risk is drastically reduced.

As threats grow more sophisticated, encrypting DNS queries is now a critical layer of defense. ClouDNS supports DNS over HTTPS (DoH) and DNS over TLS (DoT), which help prevent man-in-the-middle attacks by encrypting DNS queries between the client and the resolver. This matters especially in environments like public Wi-Fi, where unencrypted traffic can be intercepted or tampered with.

And because DNS isn’t just about websites, but also plays a crucial role in email delivery, ClouDNS helps secure this process as well. From its user-friendly platform, users can easily create and manage SPF, DKIM, and DMARC records – essential DNS configurations that help prevent phishing and spoofing by specifying which mail servers are authorized to send emails on behalf of a domain. ClouDNS simplifies even more complex setups, enabling organizations to strengthen their domain reputation and improve email deliverability.

DNS Security Is Not Optional, It’s Fundamental

As digital infrastructure grows more complex, DNS is no longer just a background service – it’s a critical control point in every online interaction. From loading websites and processing transactions to sending emails and accessing cloud-based tools, DNS is the silent engine behind it all. Its reach is vast, and so is its potential impact if left unsecured.

Because DNS touches every corner of an organization’s digital footprint, it offers a unique vantage point – and an opportunity. When properly secured and monitored, DNS becomes more than just a resolver; it acts as an early detection layer, revealing suspicious patterns, malicious queries, and signs of compromise before threats escalate.

That’s why working with a DNS provider that understands both performance and security – like ClouDNS – is not just a technical decision; it’s a business-critical one. It’s about ensuring uptime, trust, and protection in a digital world that leaves no room for blind spots.

Final Thoughts

As cyber threats grow more advanced, relying solely on internal defenses is no longer enough. DNS, as the first step in nearly every online interaction, plays a critical role in stopping threats before they reach the network. When properly secured, DNS becomes more than infrastructure – it becomes a frontline defense. Prioritizing DNS security is not just smart; it’s essential for building a resilient digital foundation.

Jun 12, 2025Ravie LakshmananEnterprise Security / Active Directory

Cybersecurity researchers have uncovered a new account takeover (ATO) campaign that leverages an open-source penetration testing framework called TeamFiltration to breach Microsoft Entra ID (formerly Azure Active Directory) user accounts.

The activity, codenamed UNK_SneakyStrike by Proofpoint, has targeted over 80,000 user accounts across hundreds of organizations’ cloud tenants since a surge in login attempts was observed in December 2024, leading to successful account takeovers.

“Attackers leverage Microsoft Teams API and Amazon Web Services (AWS) servers located in various geographical regions to launch user-enumeration and password-spraying attempts,” the enterprise security company said. “Attackers exploited access to specific resources and native applications, such as Microsoft Teams, OneDrive, Outlook, and others.”

TeamFiltration, publicly released by researcher Melvin “Flangvik” Langvik in August 2022 at the DEF CON security conference, is described as a cross-platform framework for “enumerating, spraying, exfiltrating, and backdooring” Entra ID accounts.

The tool offers extensive capabilities to facilitate account takeover using password spraying attacks, data exfiltration, and persistent access by uploading malicious files to the target’s Microsoft OneDrive account.

While the tool requires an Amazon Web Services (AWS) account and a disposable Microsoft 365 account to facilitate password spraying and account enumeration functions, Proofpoint said it observed evidence of malicious activity leveraging TeamFiltration to conduct these activities such that each password spraying wave originates from a different server in a new geographic location.

At its peak, the campaign targeted 16,500 accounts in a single day in early January 2025. The three primary source geographies linked to malicious activity based on the number of IP addresses include the United States (42%), Ireland (11%), and Great Britain (8%).

When reached for comment, an AWS spokesperson told The Hacker News that customers are required to abide by its terms and that it takes steps to block prohibited content.

“AWS has clear terms that require our customers to use our services in compliance with applicable law,” the spokesperson said. “When we receive reports of potential violations of our terms, we act quickly to review and take steps to disable prohibited content. We value collaboration with the security research community and encourage researchers to report suspected abuse to AWS Trust & Safety through our dedicated abuse reporting process.”

The UNK_SneakyStrike activity has been described as “large-scale user enumeration and password spraying attempts,” with the unauthorized access efforts occurring in “highly concentrated bursts” targeting several users within a single cloud environment. This is followed by a lull that lasts for four to five days.

The findings once again highlight how tools designed to assist cybersecurity professionals can be misused by threat actors to carry out a wide range of nefarious actions that allow them to breach user accounts, harvest sensitive data, and establish persistent footholds.

“UNK_SneakyStrike’s targeting strategy suggests they attempt to access all user accounts within smaller cloud tenants while focusing only on a subset of users in larger tenants,” Proofpoint said. “This behaviour matches the tool’s advanced target acquisition features, designed to filter out less desirable accounts.”

Jun 11, 2025Ravie LakshmananRansomware / Cybercrime

Former members tied to the Black Basta ransomware operation have been observed sticking to their tried-and-tested approach of email bombing and Microsoft Teams phishing to establish persistent access to target networks.

“Recently, attackers have introduced Python script execution alongside these techniques, using cURL requests to fetch and deploy malicious payloads,” ReliaQuest said in a report shared with The Hacker News.

The development is a sign that the threat actors are continuing to pivot and regroup, despite the Black Basta brand suffering a huge blow and a decline after the public leak of its internal chat logs earlier this February.

The cybersecurity company said half of the Teams phishing attacks that were observed between February and May 2025 originated from onmicrosoft[.]com domains, and that breached domains accounted for 42% of the attacks during the same period. The latter is a lot more stealthy and allows threat actors to impersonate legitimate traffic in their attacks.

As recently as last month, ReliaQuest’s customers in the finance and insurance sector and the construction sector have been targeted using Teams phishing by masquerading as help desk personnel to trick unsuspecting users.

“The shutdown of Black Basta’s data-leak site, despite the continued use of its tactics, indicates that former affiliates have likely either migrated to another RaaS group or formed a new one,” the company added. “The most probable scenario is that former members have joined the CACTUS RaaS group, which is evidenced by Black Basta leader Trump referencing a $500–600K payment to CACTUS in the leaked chats.”

That said, it’s worth noting that CACTUS hasn’t named any organizations on its data leak site since March 2025, indicating that the group has either disbanded or is deliberately trying to avoid drawing attention to itself. Another possibility is that the affiliates have moved to BlackLock, which, in turn, is believed to have started collaborating with a ransomware cartel named DragonForce.

The threat actors have also been spotted leveraging the access obtained via the Teams phishing technique to initial remote desktop sessions via Quick Assist and AnyDesk, and then downloading a malicious Python script from a remote address and executing it to establish command-and-control (C2) communications.

“The use of Python scripts in this attack highlights an evolving tactic that’s likely to become more prevalent in future Teams phishing campaigns in the immediate future,” ReliaQuest said.

The Black Basta-style social engineering strategy of using a combination of email spamming, Teams phishing, and Quick Assist has since also found takers among the BlackSuit ransomware group, raising the possibility that BlackSuit affiliates have either embraced the approach or absorbed members of the group.

According to Rapid7, the initial access serves as a pathway to download and execute updated variants of a Java-based RAT that was previously deployed to act as a credential harvester in Black Basta attacks.

“The Java malware now abuses cloud-based file hosting services provided by both Google and Microsoft to proxy commands through the respective cloud service provider’s (CSP) servers,” the company said. “Over time, the malware developer has shifted away from direct proxy connections (i.e., the config option is left blank or not present), towards OneDrive and Google Sheets, and most recently, towards simply using Google Drive.”

The new iteration of the malware packs in more features to transfer files between the infected host and a remote server, initiate a SOCKS5 proxy tunnel, steal credentials stored in web browsers, present a fake Windows login window, and download a Java class from a supplied URL and run it in memory.

Like the 3AM ransomware attacks detailed by Sophos a couple of weeks ago, the intrusions are also characterized by the use of a tunneling backdoor called QDoor, a malware previously attributed to BlackSuit, and a Rust payload that’s likely a custom loader for the SSH utility, and a Python RAT referred to as Anubis.

The findings come amid a number of developments in the ransomware landscape –

• The financially motivated group known as Scattered Spider has targeted managed service providers (MSPs) and IT vendors as part of a “one-to-many” approach to infiltrate multiple organizations through a single compromise, in some cases exploiting compromised accounts from the global IT contractor Tata Consultancy Services (TCS) to gain initial access.
• Scattered Spider has created bogus login pages using the Evilginx phishing kit to bypass multi-factor authentication (MFA) and forged strategic alliances with major ransomware operators like ALPHV (aka BlackCat), RansomHub, and, most recently, DragonForce, to conduct sophisticated attacks targeting MSPs by exploiting vulnerabilities in SimpleHelp remote desktop software.
• Qilin (aka Agenda and Phantom Mantis) ransomware operators have launched a coordinated intrusion campaign targeting several organizations between May and June 2025 by weaponizing Fortinet FortiGate vulnerabilities (e.g., CVE-2024-21762 and CVE-2024-55591) for initial access.
• The Play (aka Balloonfly and PlayCrypt) ransomware group is estimated to have compromised 900 entities as of May 2025 since its emergence in mid-2022. Some of the attacks have leveraged SimpleHelp flaws (CVE-2024-57727) to target many U.S.-based entities following public disclosure of the vulnerability.
• The administrator of the VanHelsing ransomware group has leaked the entire source code on the RAMP forum, citing internal conflicts between developers and leadership. The leaked details include the TOR keys, ransomware source code, admin web panel, chat system, file server, and the blog with its full database, per PRODAFT.
• The Interlock ransomware group has deployed a previously undocumented JavaScript remote access trojan called NodeSnake as part of attacks targeting local government and higher education organizations in the United Kingdom in January and March 2025. The malware, distributed via phishing emails, offers persistent access, system reconnaissance, and remote command execution capabilities.

“RATs enable attackers to gain remote control over infected systems, allowing them to access files, monitor activities, and manipulate system settings,” Quorum Cyber said. “Threat actors can use a RAT to maintain persistence within an organization as well as to introduce additional tooling or malware to the environment. They can also access, manipulate, destroy, or exfiltrate data.”

Jun 11, 2025Ravie LakshmananNetwork Security / Threat Intelligence

Threat intelligence firm GreyNoise has warned of a “coordinated brute-force activity” targeting Apache Tomcat Manager interfaces.

The company said it observed a surge in brute-force and login attempts on June 5, 2025, an indication that they could be deliberate efforts to “identify and access exposed Tomcat services at scale.”

To that end, 295 unique IP addresses have been found to be engaged in brute-force attempts against Tomcat Manager on that date, with all of them classified as malicious. Over the past 24 hours, 188 unique IPs have been recorded, a majority of them located in the United States, the United Kingdom, Germany, the Netherlands, and Singapore.

In a similar vein, 298 unique IPs were observed conducting login attempts against Tomcat Manager instances. Of the 246 IP addresses flagged in the last 24 hours, all of them are categorized as malicious and originate from the same locations.

Targets of these attempts include the United States, the United Kingdom, Spain, Germany, India, and Brazil for the same time period. GreyNoise noted that a significant chunk of the activity came from infrastructure hosted by DigitalOcean (ASN 14061).

“While not tied to a specific vulnerability, this behavior highlights ongoing interest in exposed Tomcat services,” the company added. “Broad, opportunistic activity like this often serves as an early warning of future exploitation.”

To mitigate any potential risks, organizations with exposed Tomcat Manager interfaces are recommended to implement strong authentication and access restrictions, and monitor for any signs of suspicious activity.

The disclosure comes as Bitsight revealed that it found more than 40,000 security cameras openly accessible on the internet, potentially enabling anyone to access live video feeds captured by these devices over HTTP or Real-Time Streaming Protocol (RTSP). The exposures are concentrated in the United States, Japan, Austria, Czechia, and South Korea.

The telecommunications sector accounts for 79% of the exposed cameras, followed by technology (6%), media (4.1%), utilities (2.5%), education (2.2%), business services (2.2%), and government (1.2%).

The installations range from those installed in residences, offices, public transportation systems, and factory settings, inadvertently leaking sensitive information that could then be exploited for espionage, stalking, and extortion.

Users are advised to change default usernames and passwords, disable remote access if not required (or restrict access with firewalls and VPNs), and keep firmware up-to-date.

“These cameras – intended for security or convenience – have inadvertently become public windows into sensitive spaces, often without their owners’ knowledge,” security researcher João Cruz said in a report shared with The Hacker News.

“No matter the reason why one individual or organization needs this kind of device, the fact that anyone can buy one, plug it in, and start streaming with minimal setup is likely why this is still an ongoing threat.”

A novel attack technique named EchoLeak has been characterized as a “zero-click” artificial intelligence (AI) vulnerability that allows bad actors to exfiltrate sensitive data from Microsoft 365 (M365) Copilot’s context sans any user interaction.

The critical-rated vulnerability has been assigned the CVE identifier CVE-2025-32711 (CVSS score: 9.3). It requires no customer action and has been already addressed by Microsoft. There is no evidence that the shortcoming was exploited maliciously in the wild.

“AI command injection in M365 Copilot allows an unauthorized attacker to disclose information over a network,” the company said in an advisory released Wednesday. It has since been added to Microsoft’s Patch Tuesday list for June 2025, taking the total number of fixed flaws to 68.

Aim Security, which discovered and reported the issue, said it’s an instance of a large language model (LLM) Scope Violation that paves the way for indirect prompt injection, leading to unintended behavior.

LLM Scope Violation occurs when an attacker’s instructions embedded in untrusted content, e.g., an email sent from outside an organization, successfully tricks the AI system into accessing and processing privileged internal data without explicit user intent or interaction.

“The chains allow attackers to automatically exfiltrate sensitive and proprietary information from M365 Copilot context, without the user’s awareness, or relying on any specific victim behavior,” the Israeli cybersecurity company said. “The result is achieved despite M365 Copilot’s interface being open only to organization employees.”

In EchoLeak’s case, the attacker embeds a malicious prompt payload inside markdown-formatted content, like an email, which is then parsed by the AI system’s retrieval-augmented generation (RAG) engine. The payload silently triggers the LLM to extract and return private information from the user’s current context.

The attack sequence unfolds as follows –

• Injection: Attacker sends an innocuous-looking email to an employee’s Outlook inbox, which includes the LLM scope violation exploit
• User asks Microsoft 365 Copilot a business-related question (e.g., summarize and analyze their earnings report)
• Scope Violation: Copilot mixes untrusted attacked input with sensitive data to LLM context by the Retrieval-Augmented Generation (RAG) engine
• Retrieval: Copilot leaks the sensitive data to the attacker via Microsoft Teams and SharePoint URLs

Importantly, no user clicks are required to trigger EchoLeak. The attacker relies on Copilot’s default behavior to combine and process content from Outlook and SharePoint without isolating trust boundaries – turning helpful automation into a silent leak vector.

“As a zero-click AI vulnerability, EchoLeak opens up extensive opportunities for data exfiltration and extortion attacks for motivated threat actors,” Aim Security said. “In an ever-evolving agentic world, it showcases the potential risks that are inherent in the design of agents and chatbots.”

“The attack results in allowing the attacker to exfiltrate the most sensitive data from the current LLM context – and the LLM is being used against itself in making sure that the MOST sensitive data from the LLM context is being leaked, does not rely on specific user behavior, and can be executed both in single-turn conversations and multi-turn conversations.”

EchoLeak is especially dangerous because it exploits how Copilot retrieves and ranks data – using internal document access privileges – which attackers can influence indirectly via payload prompts embedded in seemingly benign sources like meeting notes or email chains.

MCP and Advanced Tool Poisoning

The disclosure comes as CyberArk disclosed a tool poisoning attack (TPA) that affects the Model Context Protocol (MCP) standard and goes beyond the tool description to extend it across the entire tool schema. The attack technique has been codenamed Full-Schema Poisoning (FSP).

“While most of the attention around tool poisoning attacks has focused on the description field, this vastly underestimates the other potential attack surface,” security researcher Simcha Kosman said. “Every part of the tool schema is a potential injection point, not just the description.”

MCP tool poisoning attacks (Credit: Invariant Labs)

The cybersecurity company said the problem is rooted in MCP’s “fundamentally optimistic trust model” that equates syntactic correctness to semantic safety and assumes that LLMs only reason over explicitly documented behaviors.

What’s more, TPA and FSP could be weaponized to stage advanced tool poisoning attacks (ATPA), wherein the attacker designs a tool with a benign description but displays a fake error message that tricks the LLM into accessing sensitive data (e.g., SSH keys) in order to address the purported issue.

“As LLM agents become more capable and autonomous, their interaction with external tools through protocols like MCP will define how safely and reliably they operate,” Kosman said. “Tool poisoning attacks — especially advanced forms like ATPA — expose critical blind spots in current implementations.”

That’s not all. Given that MCP enables AI agents (or assistants) to interact with various tools, services, and data sources in a consistent manner, any vulnerability in the MCP client-server architecture could pose serious security risks, including manipulating an agent into leaking data or executing malicious code.

This is evidenced in a recently disclosed critical security flaw in the popular GitHub MCP integration, which, if successfully exploited, could allow an attacker to hijack a user’s agent via a malicious GitHub issue, and coerce it into leaking data from private repositories when the user prompts the model to “take a look at the issues.”

“The issue contains a payload that will be executed by the agent as soon as it queries the public repository’s list of issues,” Invariant Labs researchers Marco Milanta and Luca Beurer-Kellner said, categorizing it as a case of a toxic agent flow.

That said, the vulnerability cannot be addressed by GitHub alone through server-side patches, as it’s more of a “fundamental architectural issue,” necessitating that users implement granular permission controls to ensure that the agent has access to only those repositories it needs to interact with and continuously audit interactions between agents and MCP systems.

Make Way for the MCP Rebinding Attack

The rapid ascent of MCP as the “connective tissue for enterprise automation and agentic applications” has also opened up new attack avenues, such as Domain Name System (DNS) rebinding, to access sensitive data by exploiting Server-Sent Events (SSE), a protocol used by MCP servers for real-time streaming communication to the MCP clients.

DNS rebinding attacks entail tricking a victim’s browser into treating an external domain as if it belongs to the internal network (i.e., localhost). These attacks, which are engineered to circumvent same-origin policy (SOP) restrictions, are triggered when a user visits a malicious site set up by the attacker via phishing or social engineering.

“There is a disconnect between the browser security mechanism and networking protocols,” GitHub’s Jaroslav Lobacevski said in an explainer on DNS rebinding published this week. “If the resolved IP address of the web page host changes, the browser doesn’t take it into account and treats the webpage as if its origin didn’t change. This can be abused by attackers.”

This behavior essentially allows client-side JavaScript from a malicious site to bypass security controls and target other devices on the victim’s private network that are not exposed to the public internet.

MCP rebinding attack

The MCP rebinding attack takes advantage of an adversary-controlled website’s ability to access internal resources on the victim’s local network so as to interact with the MCP server running on localhost over SSE and ultimately exfiltrate confidential data.

“By abusing SSE’s long-lived connections, attackers can pivot from an external phishing domain to target internal MCP servers,” the Straiker AI Research (STAR) team said in an analysis published last month.

It’s worth noting that SSE has been deprecated as of November 2024 in favor of Streamable HTTP owing to the risks posed by DNS rebinding attacks. To mitigate the threat of such attacks, it’s advised to enforce authentication on MCP Servers and validate the “Origin” header on all incoming connections to the MCP server to ensure that the requests are coming from trusted sources.

Human identities management and control is pretty well done with its set of dedicated tools, frameworks, and best practices. This is a very different world when it comes to Non-human identities also referred to as machine identities. GitGuardian’s end-to-end NHI security platform is here to close the gap.

Enterprises are Losing Track of Their Machine Identities

Machine identities–service accounts, API keys, bots, automation, and workload identities–that now outnumber humans by up to 100:1 are in fact a massive blind spot in companies’ security landscape:

Without robust governance, NHIs become a prime target for attackers. Orphaned credentials, over-privileged accounts, and “zombie” secrets are proliferating—especially as organizations accelerate cloud adoption, integrate AI-powered agents, and automate their infrastructure.

Secrets Sprawl: The New Attack Surface

GitGuardian’s research shows that 70% of valid secrets detected in public repositories in 2022 remained active in 2025—a three-year window of vulnerability. These aren’t just theoretical risks. Breaches at organizations like the U.S. Department of the Treasury, Toyota, and The New York Times all began with a leaked or unmanaged machine identity.

The problem isn’t just about volume. Secrets and credentials are scattered across code, CI/CD pipelines, cloud environments, and ticketing systems— environments outside traditional security perimeters.

This proliferation of unmanaged secrets has caught the attention of security frameworks worldwide. The newly released OWASP Top 10 Non-Human Identity Risks for 2025 specifically calls out ‘Secret Leakage’ as the #2 risk, noting that compromised credentials are implicated in over 80% of breaches.

Why Secrets Managers Alone Aren’t Enough

Traditional secrets managers (like HashiCorp Vault, CyberArk, AWS Secrets Manager, and Azure Key Vault) are essential for secure storage—but they don’t address the full lifecycle of NHI governance. They can’t discover secrets outside the vault, lack context around permissions, and don’t automate remediation when secrets are leaked or misused.

GitGuardian’s own analysis found that organizations using secrets managers are in fact more prone to secrets leakage. The secrets leakage incidence of repositories leveraging secrets managers is 5.1% compared with 4.6% for public repositories without secrets managers in place. And to add to this point, repositories with secret managers are more likely to handle sensitive information, increasing the risk of exposure.

The Platform Filling the NHI Security Gap

To address these challenges, organizations must adopt a unified IAM strategy that

empowers DevOps and SRE teams to effectively govern and secure NHIs, on top of the deployment of secrets management solutions (vaults and or secrets managers). This requires investing in solutions that provide comprehensive secrets discovery, centralized visibility, and automated governance capabilities. By leveraging tools that can map relationships between secrets, enforce consistent policies, and streamline rotation and remediation processes, DevOps and SRE teams can reduce the burden of secrets lifecycle management and focus on delivering value to the business.

GitGuardian’s NHI Security Platform is designed to address these exact blind spots and risks. Here’s how:

1. Discovery and Inventory: Finding the Invisible

Manual discovery of machine identities is a lost battle. Secrets exist across repositories, CI/CD pipelines, ticketing systems, messengers, and cloud environments—often in places security teams don’t monitor. Traditional approaches can’t keep pace with the dynamic nature of modern infrastructure, leading to incomplete inventories.

GitGuardian’s automated discovery continuously scans these environments, maintaining a real-time inventory enriched with contextual metadata. This centralized view serves as the foundation for effective governance.

2. Onboarding and Provisioning: Securing from Day One

Inconsistent provisioning processes create immediate risks—misconfigurations, over-permissioned identities, and manual errors. Organizations need standardized workflows that enforce the least privilege access and integrate with centralized secrets management.

A unified platform ensures consistency across teams and provides real-time visibility into permissions, maintaining a secure and compliant ecosystem from the start.

3. Continuous Monitoring: Staying Ahead of Threats

Modern enterprises face a monitoring nightmare: machine identities interact across dozens of systems, each with separate logging mechanisms. With organizations averaging six different secret management instances (according to “Voice of Practitioners: The State of Secrets in AppSec”), maintaining consistent policies becomes nearly impossible.

GitGuardian aggregates and normalizes usage data from multiple sources, providing centralized visibility. Advanced analytics and anomaly detection enable rapid response to high-risk events and policy violations.

4. Rotation and Remediation: Keeping Credentials Fresh

The stakes are high: CyberArk reports that 72% of organizations experienced certificate-related outages in the past year, with 34% suffering multiple incidents. Managing rotation at scale is complex, especially with system dependencies and inconsistent schedules.

GitGuardian integrates with popular secrets managers, providing contextual insights to identify owners and streamline remediation, minimizing security incident impact.

5. Decommissioning: Eliminating Zombie Credentials

Unused or stale identities accumulate as “zombie” credentials—prime targets for attackers. Fragmented tooling and inconsistent processes make proper offboarding difficult, leading to persistent security gaps.

GitGuardian’s continuous monitoring identifies candidates for decommissioning.

See GitGuardian’s NHI Security Platform in action with our interactive demo. Discover key features that security teams and IAM leaders love ⬇️

Compliance and Zero Trust: A Modern Mandate

Frameworks like PCI DSS 4.0 and NIST now explicitly demand strong controls for machine identities—enforcing least privilege, secure onboarding, and continuous monitoring. GitGuardian’s platform is built with these requirements in mind, helping organizations stay compliant as regulations evolve.

Conclusion: Don’t Wait for a Breach

The stakes are high: financial loss, reputational damage, compliance failure, and—most critically—loss of control over the digital infrastructure that powers your business.

Forward-thinking CISOs are bringing NHIs into their IAM strategy now. GitGuardian’s platform is the comprehensive, automated solution for discovering, managing, and securing all your machine identities—before attackers do.

Join us on June 25 for a 20-minute live demo of GitGuardian NHI Security to see how GitGuardian can help you:

• Get visibility over all NHI secrets across your infrastructure
• Improve your security hygiene
• Reduce breaches resulting from mismanaged identities

Jun 12, 2025Ravie LakshmananVulnerability / Software Security

ConnectWise has disclosed that it’s planning to rotate the digital code signing certificates used to sign ScreenConnect, ConnectWise Automate, and ConnectWise remote monitoring and management (RMM) executables due to security concerns.

The company said it’s doing so “due to concerns raised by a third-party researcher about how ScreenConnect handled certain configuration data in earlier versions.”

While the company did not publicly elaborate on the nature of the problem, it has shed more light in a non-public FAQ accessible only to its customers (and later shared on Reddit) –

The concern stems from ScreenConnect using the ability to store configuration data in an available area of the installer that is not signed but is part of the installer. We are using this ability to pass down configuration information for the connection (between the agent and server) such as the URL where the agent should call back without invalidating the signature. The unsigned area is used by our software and others for customization, however, when coupled with the capabilities of a remote control solution, it could create an insecure design pattern by today’s security standards.

Besides issuing new certificates, the company said it’s releasing an update that’s designed to improve how the aforementioned configuration data is managed in ScreenConnect.

The revocation of digital certificates is expected to take place by June 13 at 8 p.m. ET (June 14, 12 a.m. UTC). ConnectWise has emphasized that the issue does not involve a compromise of its systems or certificates.

It’s worth noting that automatically ConnectWise is already in the process of updating certificates and agents across all its cloud instances of Automate and RMM.

However, those using on-premise versions of ScreenConnect or Automate are required to update to the latest build and validate that all agents are updated before the cutoff date to avoid any possible service disruptions.

“We had already planned enhancements to certificate management and product hardening, but these efforts are now being implemented on an accelerated timeline,” ConnectWise said. “We understand this may create challenges and are committed to supporting you through the transition.”

The development comes merely days after the company disclosed that a suspected nation-state threat actor breached its systems and affected a small number of its customers by exploiting CVE-2025-3935 to conduct ViewState code injection attacks.

It also comes as attackers are increasingly relying on legitimate RMM software like ScreenConnect and others to obtain stealthy, persistent remote access, effectively allowing them to blend in with normal activity and fly under the radar.

This attack methodology, called living-off-the-land (LotL), makes it possible to hijack the software’s inherent capabilities for remote access, file transfer, and command execution.

Jun 12, 2025The Hacker NewsArtificial Intelligence / SaaS Security

AI is changing everything — from how we code, to how we sell, to how we secure. But while most conversations focus on what AI can do, this one focuses on what AI can break — if you’re not paying attention.

Behind every AI agent, chatbot, or automation script lies a growing number of non-human identities — API keys, service accounts, OAuth tokens — silently operating in the background.

And here’s the problem:

🔐 They’re invisible

🧠 They’re powerful

🚨 They’re unsecured

In traditional identity security, we protect users. With AI, we’ve quietly handed over control to software that impersonates users — often with more access, fewer guardrails, and no oversight.

This isn’t theoretical. Attackers are already exploiting these identities to:

• Move laterally through cloud infrastructure
• Deploy malware via automation pipelines
• Exfiltrate data — without triggering a single alert

Once compromised, these identities can silently unlock critical systems. You don’t get a second chance to fix what you can’t see.

If you’re building AI tools, deploying LLMs, or integrating automation into your SaaS stack — you’re already depending on NHIs. And chances are, they’re not secured. Traditional IAM tools aren’t built for this. You need new strategies — fast.

This upcoming webinar, “Uncovering the Invisible Identities Behind AI Agents — and Securing Them,” led by Jonathan Sander, Field CTO at Astrix Security, is not another “AI hype” talk. It’s a wake-up call — and a roadmap.

What You’ll Learn (and Actually Use)

• How AI agents create unseen identity sprawl
• Real-world attack stories that never made the news
• Why traditional IAM tools can’t protect NHIs
• Simple, scalable ways to see, secure, and monitor these identities

Most organizations don’t realize how exposed they are — until it’s too late.

Watch this Webinar

This session is essential for security leaders, CTOs, DevOps leads, and AI teams who can’t afford silent failure.

The sooner you recognize the risk, the faster you can fix it.

Seats are limited. And attackers aren’t waiting. Reserve Your Spot Now

Cybersecurity researchers have discovered a novel attack technique called TokenBreak that can be used to bypass a large language model’s (LLM) safety and content moderation guardrails with just a single character change.

“The TokenBreak attack targets a text classification model’s tokenization strategy to induce false negatives, leaving end targets vulnerable to attacks that the implemented protection model was put in place to prevent,” Kieran Evans, Kasimir Schulz, and Kenneth Yeung said in a report shared with The Hacker News.

Tokenization is a fundamental step that LLMs use to break down raw text into their atomic units – i.e., tokens – which are common sequences of characters found in a set of text. To that end, the text input is converted into their numerical representation and fed to the model.

LLMs work by understanding the statistical relationships between these tokens, and produce the next token in a sequence of tokens. The output tokens are detokenized to human-readable text by mapping them to their corresponding words using the tokenizer’s vocabulary.

The attack technique devised by HiddenLayer targets the tokenization strategy to bypass a text classification model’s ability to detect malicious input and flag safety, spam, or content moderation-related issues in the textual input.

Specifically, the artificial intelligence (AI) security firm found that altering input words by adding letters in certain ways caused a text classification model to break.

Examples include changing “instructions” to “finstructions,” “announcement” to “aannouncement,” or “idiot” to “hidiot.” These subtle changes cause different tokenizers to split the text in different ways, while still preserving their meaning for the intended target.

What makes the attack notable is that the manipulated text remains fully understandable to both the LLM and the human reader, causing the model to elicit the same response as what would have been the case if the unmodified text had been passed as input.

By introducing the manipulations in a way without affecting the model’s ability to comprehend it, TokenBreak increases its potential for prompt injection attacks.

“This attack technique manipulates input text in such a way that certain models give an incorrect classification,” the researchers said in an accompanying paper. “Importantly, the end target (LLM or email recipient) can still understand and respond to the manipulated text and therefore be vulnerable to the very attack the protection model was put in place to prevent.”

The attack has been found to be successful against text classification models using BPE (Byte Pair Encoding) or WordPiece tokenization strategies, but not against those using Unigram.

“The TokenBreak attack technique demonstrates that these protection models can be bypassed by manipulating the input text, leaving production systems vulnerable,” the researchers said. “Knowing the family of the underlying protection model and its tokenization strategy is critical for understanding your susceptibility to this attack.”

“Because tokenization strategy typically correlates with model family, a straightforward mitigation exists: Select models that use Unigram tokenizers.”

To defend against TokenBreak, the researchers suggest using Unigram tokenizers when possible, training models with examples of bypass tricks, and checking that tokenization and model logic stays aligned. It also helps to log misclassifications and look for patterns that hint at manipulation.

The study comes less than a month after HiddenLayer revealed how it’s possible to exploit Model Context Protocol (MCP) tools to extract sensitive data: “By inserting specific parameter names within a tool’s function, sensitive data, including the full system prompt, can be extracted and exfiltrated,” the company said.

The finding also comes as the Straiker AI Research (STAR) team found that backronyms can be used to jailbreak AI chatbots and trick them into generating an undesirable response, including swearing, promoting violence, and producing sexually explicit content.

The technique, called the Yearbook Attack, has proven to be effective against various models from Anthropic, DeepSeek, Google, Meta, Microsoft, Mistral AI, and OpenAI.

“They blend in with the noise of everyday prompts — a quirky riddle here, a motivational acronym there – and because of that, they often bypass the blunt heuristics that models use to spot dangerous intent,” security researcher Aarushi Banerjee said.

“A phrase like ‘Friendship, unity, care, kindness’ doesn’t raise any flags. But by the time the model has completed the pattern, it has already served the payload, which is the key to successfully executing this trick.”

“These methods succeed not by overpowering the model’s filters, but by slipping beneath them. They exploit completion bias and pattern continuation, as well as the way models weigh contextual coherence over intent analysis.”