Tag: Cyber Security

  • Why Your Security Culture is Critical to Mitigating Cyber Risk

    After two decades of developing increasingly mature security architectures, organizations are running up against a hard truth: tools and technologies alone are not enough to mitigate cyber risk. As tech stacks have grown more sophisticated and capable, attackers have shifted their focus. They are no longer focusing on infrastructure vulnerabilities alone. Instead, they are increasingly exploiting human behavior. In most modern breaches, the initial attack vector is not a zero-day technology exploit. It’s exploiting vulnerabilities in people.

    The data is well-documented. For five years running, Verizon’s Data Breach Investigations Report has shown that human risk represents the greatest driver of breaches globally. The latest version of the report found that nearly 60% of all breaches in 2024 involved a human element. However, in that context, it’s important to address a common misconception. The phrase “people are the weakest link” implies that employees are at fault when breaches arise. In most cases, that isn’t the issue. Users aren’t failing at security; their security environment is failing them. Too often, security is made unnecessarily complex. Concepts are communicated in confusing, overwhelming technical language, while policies are designed for auditors and lawyers, not the average employee.

    In turn, effectively mitigating human risk isn’t a matter of just more technology adoption or policy enforcement. It’s about cultivating a strong organizational security culture that simplifies and supports secure human behavior. Until security culture is treated with the same prioritization and investment as your security technology, human risk will continue to undermine even the best-designed technical programs.

    Defining Security Culture

    Every organization already has a security culture in place. The key question is whether it’s the security culture they actually want.

    Security culture, by definition, is the shared perceptions, beliefs, and attitudes about cybersecurity across the organization. Do people believe security is important? Do they feel responsible? Do they see themselves as a target? When that belief structure is strong, behavior follows. But when it’s missing, like when security is seen as someone else’s job or an obstacle to productivity, your degree of risk grows exponentially.

    The problem isn’t that people don’t care about protecting their organization. It’s that security isn’t embedded into how they work, but is instead layered on top as something they’re expected to navigate around. If we want people to behave securely, we need to create conditions that support those behaviors. Employees adjust their behavior based on what the environment rewards, enables, and expects. Security is no different. To strengthen security culture, the focus should be on designing a day-to-day environment that shapes people’s perceptions and decisions.

    In practice, this means evaluating the four biggest drivers of your security culture: leadership signals, security team engagement, policy design, and security training.

    1. Leadership signals: Culture starts at the top. If leaders treat security as a priority by budgeting for it, tying it to bonuses, or elevating the CISO in the org chart, it sends a clear message. If they don’t, no amount of lip service will change that perception.
    2. Security team engagement: It’s not just executives who shape culture. The day-to-day experience people have with security often depends on the security team itself. Is the security team helpful or hostile? Are they clear or confusing? Are they enablers or blockers? All of that matters.
    3. Policy design: Policies are a constant point of interaction. If they’re overly technical, hard to follow, or full of friction, they erode trust. If they’re simple and intuitive, they reinforce the idea that security is achievable.
    4. Security training: This is often the most visible part of a program, but also the most misunderstood. If your training is boring, outdated, or irrelevant, it signals that security doesn’t really matter. When it is engaging and applicable, it builds the belief that drives behavior.

    These four areas also provide a framework for measuring your culture. Ask your employees what they think and feel about leadership, the security team, policies, and training. Their answers will tell you whether your culture is working for you or against you.

    Aligning the Four Levers of Security Culture

    Executive support may set the tone, but security culture is defined by what employees encounter day to day. If those lived experiences are inconsistent with leadership’s message, belief breaks down. People may hear that security is a priority, but if policies are unclear, training feels disconnected, or security teams are rigid and unapproachable, trust erodes quickly.

    This is why alignment across all four cultural levers – leadership, security team engagement, policy, and training – is essential. When leadership visibly prioritizes security, through resourcing and accountability, it signals strategic importance. But that message needs to be reinforced by how the security team interacts with the workforce. If employees feel punished for mistakes or stonewalled when they ask for support, they are less inclined to be active participants in defending the organization.

    Policy design plays an equally important role. When policies are long, technical, or impractical, employees will default to convenience even if it introduces risk. Simpler, more intuitive guidance makes it easier to act securely without slowing down business outcomes. The same principle applies to training. If it’s outdated or generic, it becomes a check-the-box exercise. But when it’s relevant and role-specific, it helps reinforce that security is part of the job—not an add-on to it.

    Ready to Operationalize Your Security Culture?

    Join me this fall at SANS Orlando Fall 2025, where I’ll be teaching the newly updated LDR521: Security Culture for Leaders. This course offers a step-by-step framework to assess your current culture, identify the top opportunities for change, and build an environment where secure behavior is the norm. You’ll leave with practical tools, real-world case studies, and a leadership-ready playbook you can take back to your team.

    Note: This article was contributed by Lance Spitzner, Senior Instructor with the SANS Institute.


    Source: thehackernews.com…

  • U.K. Government Drops Apple Encryption Backdoor Order After U.S. Civil Liberties Pushback

    Aug 19, 2025 | Ravie Lakshmanan | Encryption / Cloud Security

    The U.K. government has apparently abandoned its plans to force Apple to weaken encryption protections and include a backdoor that would have enabled access to the protected data of U.S. citizens.

    U.S. Director of National Intelligence (DNI) Tulsi Gabbard, in a statement posted on X, said the U.S. government had been working with its partners in the U.K. over the past few months to ensure that Americans’ civil liberties are protected.

    “As a result, the UK has agreed to drop its mandate for Apple to provide a ‘backdoor’ that would have enabled access to the protected encrypted data of American citizens and encroached on our civil liberties,” Gabbard said.

    The development comes after Apple switched off its Advanced Data Protection (ADP) feature for iCloud in the U.K. earlier this February, following government demands for backdoor access to encrypted user data.

    “We are gravely disappointed that the protections provided by ADP will not be available to our customers in the U.K., given the continuing rise of data breaches and other threats to customer privacy,” the company was quoted as saying to Bloomberg at the time.

    “As we have said many times before, we have never built a backdoor or master key to any of our products or services, and we never will.”

    The secret order to require Apple to implement a “backdoor” came in the form of a technical capability notice (TCN) issued by the U.K. Home Office under the Investigatory Powers Act (IPA) to enable blanket access to end-to-end encrypted cloud data, even for users outside the country. The order was issued in January 2025.

    Critics have argued that enabling access to encrypted cloud data, including backups, essentially amounts to building a backdoor that could be exploited by cybercriminals and authoritarian governments.

    Apple has since appealed the legality of the order, with the Investigatory Powers Tribunal (IPT) denying the Home Office’s attempts to keep the case a secret.

    Late last month, Google told TechCrunch that, unlike Apple, it did not receive any request from the U.K. to weaken encryption protections and allow authorities access to customer data.

    In a new letter sent to Gabbard, Senator Ron Wyden said Meta “offered an unequivocal denial […] stating that ‘we have not received an order to backdoor our encrypted services, like that reported about Apple.’”


    Source: thehackernews.com…

  • PyPI Blocks 1,800 Expired-Domain Emails to Prevent Account Takeovers and Supply Chain Attacks

    Aug 19, 2025 | Ravie Lakshmanan | Supply Chain Security

    The maintainers of the Python Package Index (PyPI) repository have announced that the package manager now checks for expired domains to prevent supply chain attacks.

    “These changes improve PyPI’s overall account security posture, making it harder for attackers to exploit expired domain names to gain unauthorized access to accounts,” Mike Fiedler, PyPI safety and security engineer at the Python Software Foundation (PSF), said.

    With the latest update, the intention is to tackle domain resurrection attacks, which occur when bad actors purchase an expired domain and use it to take control of PyPI accounts through password resets.

    PyPI said it has unverified over 1,800 email addresses since early June 2025, as soon as their associated domains entered expiration phases. While this is not a foolproof solution, it helps plug a significant supply chain attack vector that would otherwise appear legitimate and hard to detect, it added.

    Email addresses are tied to domain names that, in turn, can lapse, if left unpaid – a critical risk for packages distributed via open-source registries. The threat is magnified if those packages have long been abandoned by their respective maintainers, but are still in a fair amount of use by downstream developers.

    PyPI users are required to verify their email addresses during the account registration phase, thus ensuring that the provided addresses are valid and accessible to them. But this layer of defense is effectively neutralized should the domain expire, thus allowing an attacker to purchase the same domain and initiate a password reset request, which would land in their inbox (as opposed to the actual owner of the package).

    From there, all the threat actor has to do is follow through the steps to gain access to the account with that domain name. The threat posed by expired domains arose in 2022, when an unknown attacker acquired the domain used by the maintainer of the ctx PyPI package to gain access to the account and publish rogue versions to the repository.

    The latest safeguard added by PyPI aims to prevent this kind of account takeover (ATO) scenario and “minimize potential exposure if an email domain does expire and change hands, regardless of whether the account has 2FA enabled.” It’s worth noting that the attacks are only applicable to accounts that have registered using email addresses with a custom domain name.

    PyPI said it’s making use of Fastly’s Status API to query the status of a domain every 30 days and mark the corresponding email address as unverified if it has expired.

    Users of the Python package manager are being advised to enable two-factor authentication (2FA) and add a second verified email address from another notable domain, such as Gmail or Outlook, if the accounts only have a single verified email address from a custom domain name.
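The periodic check and the single-custom-domain advice described above, sketched as an added example (not PyPI's or Fastly's code). The status labels, account names and domains are constructed, and `domain_status` is a hypothetical lookup standing in for whatever registry-status source is used.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

CHECK_INTERVAL = timedelta(days=30)               # cadence stated in the article
PUBLIC_PROVIDERS = {"gmail.com", "outlook.com"}   # providers named in the article
LAPSING = {"expiring", "expired"}                 # constructed labels, not Fastly's values


@dataclass
class Email:
    address: str
    verified: bool = True
    last_checked: Optional[date] = None

    @property
    def domain(self) -> str:
        return self.address.rsplit("@", 1)[1].lower()


@dataclass
class Account:
    name: str
    emails: list = field(default_factory=list)


def sweep(accounts, domain_status, today):
    """Unverify addresses on lapsing domains.

    Returns (unverified_addresses, at_risk_accounts), where an account is
    at risk if its only verified address sits on a custom domain.
    """
    unverified, at_risk = [], []
    for acct in accounts:
        for em in acct.emails:
            if not em.verified or em.domain in PUBLIC_PROVIDERS:
                continue
            # Skip addresses checked within the last 30 days.
            if em.last_checked and today - em.last_checked < CHECK_INTERVAL:
                continue
            em.last_checked = today
            if domain_status(em.domain) in LAPSING:
                em.verified = False          # password resets can no longer go here
                unverified.append(em.address)
        good = [e for e in acct.emails if e.verified]
        if len(good) == 1 and good[0].domain not in PUBLIC_PROVIDERS:
            at_risk.append(acct.name)
    return unverified, at_risk


# Constructed sample data.
STATUS = {
    "alice-tools.example": "expiring",
    "bobcorp.example": "active",
    "carol-dev.example": "active",
    "old-project.example": "expiring",
}


def sample_accounts():
    return [
        Account("alice", [Email("alice@alice-tools.example")]),
        Account("bob", [Email("bob@bobcorp.example"), Email("bob@gmail.com")]),
        Account("carol", [Email("carol@carol-dev.example")]),
        # Checked 10 days ago, so the lapse is not seen until the next cycle.
        Account("dave", [Email("dave@old-project.example",
                               last_checked=date(2025, 8, 9))]),
    ]


if __name__ == "__main__":
    print(sweep(sample_accounts(), STATUS.get, date(2025, 8, 19)))
```

The `dave` record shows why the article calls the measure not foolproof: a domain that lapses between two checks stays verified until the next cycle, which is the window a second address on an unrelated domain and 2FA are meant to cover.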


    Source: thehackernews.com…

  • Noodlophile Malware Campaign Expands Global Reach with Copyright Phishing Lures

    Aug 18, 2025 | Ravie Lakshmanan | Malware / Enterprise Security

    The threat actors behind the Noodlophile malware are leveraging spear-phishing emails and updated delivery mechanisms to deploy the information stealer in attacks aimed at enterprises located in the U.S., Europe, Baltic countries, and the Asia-Pacific (APAC) region.

    “The Noodlophile campaign, active for over a year, now leverages advanced spear-phishing emails posing as copyright infringement notices, tailored with reconnaissance-derived details like specific Facebook Page IDs and company ownership information,” Morphisec researcher Shmuel Uzan said in a report shared with The Hacker News.

    Noodlophile was previously detailed by the cybersecurity vendor in May 2025, uncovering the attackers’ use of fake artificial intelligence (AI)-powered tools as lures to propagate the malware. These counterfeit programs were found to be advertised on social media platforms like Facebook.

    That said, the adoption of copyright infringement lures is not a new development. Back in November 2024, Check Point uncovered a large-scale phishing operation that targeted individuals and organizations under the false premise of copyright infringement violations to drop the Rhadamanthys Stealer.

    But the latest iteration of the Noodlophile attacks exhibits notable deviation, particularly when it comes to the use of legitimate software vulnerabilities, obfuscated staging via Telegram, and dynamic payload execution.

    It all starts with a phishing email that seeks to trick employees into downloading and running malicious payloads by inducing a false sense of urgency, claiming copyright violations on specific Facebook Pages. The messages originate from Gmail accounts in an effort to evade suspicion.

    Present within the message is a Dropbox link that drops a ZIP or MSI installer, which, in turn, sideloads a malicious DLL using legitimate binaries associated with Haihaisoft PDF Reader to ultimately launch the obfuscated Noodlophile stealer, but not before running batch scripts to establish persistence using Windows Registry.

    What’s notable about the attack chain is that it leverages Telegram group descriptions as a dead drop resolver to fetch the actual server (“paste[.]rs”) that hosts the stealer payload to challenge detection and takedown efforts.

    “This approach builds on the previous campaign’s techniques (e.g., Base64-encoded archives, LOLBin abuse like certutil.exe), but adds layers of evasion through Telegram-based command-and-control and in-memory execution to avoid disk-based detection,” Uzan said.

    Noodlophile is a full-fledged stealer that can capture data from web browsers and gather system information. Analysis of the stealer source code indicates ongoing development efforts to expand on its capabilities to facilitate screenshot capture, keylogging, file exfiltration, process monitoring, network information gathering, file encryption, and browser history extraction.

    “The extensive targeting of browser data underscores the campaign’s focus on enterprises with significant social media footprints, particularly on platforms like Facebook,” Morphisec said. “These unimplemented functions indicate that the stealer’s developers are actively working to expand its capabilities, potentially transforming it into a more versatile and dangerous threat.”


    Source: thehackernews.com…

  • Microsoft Windows Vulnerability Exploited to Deploy PipeMagic RansomExx Malware

    Aug 18, 2025 | Ravie Lakshmanan | Vulnerability / Cloud Security

    Cybersecurity researchers have lifted the lid on the threat actors’ exploitation of a now-patched security flaw in Microsoft Windows to deploy the PipeMagic malware in RansomExx ransomware attacks.

    The attacks involve the exploitation of CVE-2025-29824, a privilege escalation vulnerability impacting the Windows Common Log File System (CLFS) that was addressed by Microsoft in April 2025, Kaspersky and BI.ZONE said in a joint report published today.

    PipeMagic was first documented in 2022 as part of RansomExx ransomware attacks targeting industrial companies in Southeast Asia, capable of acting as a full-fledged backdoor providing remote access and executing a wide range of commands on compromised hosts.

    In those attacks, the threat actors have been found to exploit CVE-2017-0144, a remote code execution flaw in Windows SMB, to infiltrate victim infrastructure. Subsequent infection chains observed in October 2024 in Saudi Arabia were spotted leveraging a fake OpenAI ChatGPT app as bait to deliver the malware.

    Earlier this April, Microsoft attributed the exploitation of CVE-2025-29824 and the deployment of PipeMagic to a threat actor it tracks as Storm-2460.

    “One unique feature of PipeMagic is that it generates a random 16-byte array used to create a named pipe formatted as: \\.\pipe\1.<hex string>,” researchers Sergey Lozhkin, Leonid Bezvershenko, Kirill Korchemny, and Ilya Savelyev said. “After that, a thread is launched that continuously creates this pipe, attempts to read data from it, and then destroys it. This communication method is necessary for the backdoor to transmit encrypted payloads and notifications.”

    PipeMagic is a plugin-based modular malware that uses a domain hosted on the Microsoft Azure cloud provider to stage the additional components, with 2025 attacks aimed at Saudi Arabia and Brazil relying on a Microsoft Help Index file (“metafile.mshi”) as a loader. The loader, in turn, unpacks C# code that decrypts and executes embedded shellcode.

    “The injected shellcode is executable code for 32-bit Windows systems,” the researchers said. “It loads an unencrypted executable embedded inside the shellcode itself.”

    Kaspersky said it also uncovered PipeMagic loader artifacts masquerading as a ChatGPT client in 2025 that are similar to those previously seen in October 2024. The samples have been observed leveraging DLL hijacking techniques to run a malicious DLL that mimics a Google Chrome update file (“googleupdate.dll”).

    Irrespective of the loading method used, it all leads to the deployment of the PipeMagic backdoor that supports various modules –

    • Asynchronous communication module that supports five commands to terminate the plugin, read/write files, terminate a file operation, or terminate all file operations
    • Loader module to inject additional payloads into memory and execute them
    • Injector module to launch a C# executable

    “The repeated detection of PipeMagic in attacks on organizations in Saudi Arabia and its appearance in Brazil indicate that the malware remains active and that the attackers continue to develop its functionality,” the researchers said.

    “The versions detected in 2025 show improvements over the 2024 version, aimed at persisting in victim systems and moving laterally within internal networks. In the 2025 attacks, the attackers used the ProcDump tool, renamed to dllhost.exe, to extract memory from the LSASS process.”
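Two behaviours reported above lend themselves to host-telemetry checks: the repeatedly re-created pipe named `1.<hex string>` and a binary called dllhost.exe that is really ProcDump. The following is an added detection sketch, not code from the Kaspersky/BI.ZONE report. It assumes Sysmon-style records (event 1 process creation with `OriginalFileName`, event 17 pipe created with `PipeName`), assumes the 16 bytes render as 32 hex digits, and uses constructed sample events and an arbitrary repeat threshold.

```python
import re
from collections import Counter
from ntpath import basename

# "\1." followed by 16 random bytes rendered as hex (assumed two digits per byte).
PIPE_RE = re.compile(r"^\\1\.[0-9a-f]{32}$", re.IGNORECASE)
REPEAT_THRESHOLD = 3   # assumed tuning value for "continuously creates this pipe"

HEX_A = "0123456789abcdef0123456789abcdef"   # constructed
HEX_B = "a1b2c3d4e5f60718293a4b5c6d7e8f90"   # constructed

# Constructed records shaped like Sysmon events (1 = process, 17 = pipe created).
SAMPLE_EVENTS = (
    # Same process re-creating the same pipe: the loop the researchers describe.
    [{"EventID": 17,
      "Image": r"C:\Users\demo\AppData\Local\Temp\chatgpt.exe",
      "PipeName": "\\1." + HEX_A}] * 3
    + [
        # Ordinary system pipe.
        {"EventID": 17, "Image": r"C:\Windows\System32\svchost.exe",
         "PipeName": r"\wkssvc"},
        # Name matches the format but is created once: below the threshold.
        {"EventID": 17, "Image": r"C:\Program Files\App\app.exe",
         "PipeName": "\\1." + HEX_B},
        # Genuine dllhost.exe: name on disk agrees with the PE version resource.
        {"EventID": 1, "Image": r"C:\Windows\System32\dllhost.exe",
         "OriginalFileName": "dllhost.exe"},
        # ProcDump renamed to dllhost.exe, as reported for the 2025 attacks.
        {"EventID": 1, "Image": r"C:\ProgramData\dllhost.exe",
         "OriginalFileName": "procdump"},
    ]
)


def pipe_findings(events, threshold=REPEAT_THRESHOLD):
    """(image, pipe, count) for pipes in the 1.<hex> format that one
    process created at least `threshold` times."""
    counts = Counter(
        (e["Image"], e["PipeName"])
        for e in events
        if e.get("EventID") == 17 and PIPE_RE.match(e.get("PipeName", ""))
    )
    return [(img, pipe, n) for (img, pipe), n in counts.items() if n >= threshold]


def renamed_binary_findings(events, claimed_name="dllhost.exe"):
    """(image, original_name) for processes whose file name is `claimed_name`
    but whose embedded original file name says otherwise."""
    hits = []
    for e in events:
        if e.get("EventID") != 1:
            continue
        original = e.get("OriginalFileName", "")
        if (basename(e["Image"]).lower() == claimed_name
                and original.lower() != claimed_name):
            hits.append((e["Image"], original))
    return hits


if __name__ == "__main__":
    for finding in pipe_findings(SAMPLE_EVENTS):
        print("looping pipe:", finding)
    for finding in renamed_binary_findings(SAMPLE_EVENTS):
        print("renamed binary:", finding)
```

Matching on the name format alone is noisy, which is why the pipe check also requires the same process to re-create the same name several times.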


    Source: thehackernews.com…

  • ⚡ Weekly Recap: NFC Fraud, Curly COMrades, N-able Exploits, Docker Backdoors & More

    Aug 18, 2025 | Ravie Lakshmanan | Cybersecurity / Hacking News

    Power doesn’t just disappear in one big breach. It slips away in the small stuff—a patch that’s missed, a setting that’s wrong, a system no one is watching. Security usually doesn’t fail all at once; it breaks slowly, then suddenly. Staying safe isn’t about knowing everything—it’s about acting fast and clear before problems pile up. Clarity keeps control. Hesitation creates risk.

    Here are this week’s signals—each one pointing to where action matters most.

    ⚡ Threat of the Week

    Ghost Tap NFC-Based Mobile Fraud Takes Off — A new Android trojan called PhantomCard has become the latest malware to abuse near-field communication (NFC) to conduct relay attacks for facilitating fraudulent transactions in attacks targeting banking customers in Brazil. In these attacks, users who end up installing the malicious apps are instructed to place their credit/debit card on the back of the phone to begin the verification process, only for the card data to be sent to an attacker-controlled NFC relay server. The stolen card details are passed on to money mules who link the information to contactless payment systems like Apple Pay or Google Pay in person to obtain physical goods.

    🔔 Top News

    • Two N-able N-central Flaws Exploited in the Wild — Two security flaws impacting N-able N-central have come under active exploitation in the wild. The flaws, CVE-2025-8875 and CVE-2025-8876, allow command execution and command injection, respectively. The issues have been addressed in N-central versions 2025.3.1 and 2024.6 HF2 released on August 13, 2025. N-able is also urging customers to make sure that multi-factor authentication (MFA) is enabled, particularly for admin accounts.
    • New ‘Curly COMrades’ APT Targets Georgia and Moldova — A previously undocumented threat actor dubbed Curly COMrades has been observed targeting entities in Georgia and Moldova as part of a cyber espionage campaign designed to facilitate long-term access to target networks. The activity, tracked by the Romanian cybersecurity company since mid-2024, has singled out judicial and government bodies in Georgia, as well as an energy distribution company in Moldova. Curly COMrades are assessed to be operating with goals that are aligned with Russia’s geopolitical strategy. It gets its name from the heavy reliance on the curl utility for command-and-control (C2) and data transfer, and the hijacking of the component object model (COM) objects. Persistent access to the infected endpoints is accomplished by means of a bespoke backdoor called MucorAgent.
    • XZ Utils Backdoor Found in Dozens of Docker Hub Images — Several Docker images built around the time of the XZ Utils compromise contain the backdoor, some of which are still available via the container image library Docker Hub. Binarly said it identified 35 Debian images on Docker Hub that embedded the backdoor. That includes 12 Docker images and 23 second-order images. The main takeaway is that users should only rely on up-to-date images. The findings are a sign that traces of the supply chain threat have remained after more than a year since the incident came to light.
    • U.S. Expands Sanctions on Garantex — The U.S. Treasury Department sanctioned Russian cryptocurrency exchange Garantex, its successor Grinex, and related affiliates as part of continued efforts by the government to halt the flow of ransomware proceeds facilitated by the platforms. Garantex is estimated to have processed more than $100 million in transactions linked to illicit activities since 2019. “Digital assets play a crucial role in global innovation and economic development, and the United States will not tolerate abuse of this industry to support cybercrime and sanctions evasion,” the Treasury Department said.
    • EncryptHub Continues to Exploit Windows Flaw for Stealer Attacks — The Russia-aligned threat actor known as EncryptHub is continuing to exploit a now-patched security flaw impacting Microsoft Windows to deliver malicious payloads, including a stealer called Fickle Stealer. The campaign combines social engineering and the exploitation of a vulnerability in the Microsoft Management Console (MMC) framework (CVE-2025-26633, aka MSC EvilTwin) to trigger the infection routine via a rogue Microsoft Console (MSC) file.
    • ShinyHunters and Scattered Spider Join Forces — ShinyHunters and Scattered Spider appear to be working together to carry out financially motivated attacks, including those targeting Salesforce customers. These include the adoption of tactics that mirror those of Scattered Spider, such as highly-targeted vishing (aka voice phishing) and social engineering attacks, leveraging apps that masquerade as legitimate tools, employing Okta-themed phishing pages to trick victims into entering credentials during vishing, and VPN obfuscation for data exfiltration.

    🔥 Trending CVEs

    Hackers don’t wait—they strike within hours of a flaw being exposed. A missed patch, a hidden bug, or even a single overlooked CVE is enough to hand them the keys. What starts as “just one gap” can escalate into disruption, theft, or compromise before defenders even realize it’s happening. Below are this week’s high-risk vulnerabilities. Review them, patch quickly, and stay ahead before someone else makes the first move.

    This week’s list includes — CVE-2025-20265 (Cisco Secure Firewall Management Center), CVE-2025-8671 (HTTP/2), CVE-2025-8875, CVE-2025-8876 (N-able N-central), CVE-2025-25256 (Fortinet FortiSIEM), CVE-2025-53779 (Microsoft Windows), CVE-2025-49457 (Zoom Clients for Windows), CVE-2025-8355, CVE-2025-8356 (Xerox FreeFlow Core), CVE-2024-42512, CVE-2024-42513, CVE-2025-1468 (OPC UA .NET Standard Stack), CVE-2025-42950, CVE-2025-42957 (SAP), CVE-2025-54472 (Apache bRPC), CVE-2025-5456, CVE-2025-5462 (Ivanti Connect Secure), CVE-2025-53652 (Jenkins), CVE-2025-49090, CVE-2025-54315 (Matrix), CVE-2025-52970 (Fortinet FortiWeb), CVE-2025-7384 (Database for Contact Form 7, WPforms, Elementor forms plugin), CVE-2025-53773 (GitHub Copilot), CVE-2025-6186, CVE-2025-7739, CVE-2025-7734 (GitLab), CVE-2025-8341 (Grafana Infinity Datasource Plugin), CVE-2025-47227, CVE-2025-47228 (ScriptCase), CVE-2025-30404, CVE-2025-30405, CVE-2025-54949, CVE-2025-54950, CVE-2025-54951, CVE-2025-54952 (Meta ExecuTorch), CVE-2025-55154, and CVE-2025-55004 (ImageMagick).

    📰 Around the Cyber World

    • Flaws in ZTNA Software — Cybersecurity researchers have discovered multiple security flaws impacting Zero Trust Network Access (ZTNA) solutions from Zscaler (CVE-2025-54982), Netskope and Check Point Perimeter 81 that could be abused by attackers to escalate privileges on end user devices and to completely bypass authentication, granting access to internal resources as any user. The findings follow the discovery of critical weaknesses in Cato Networks’ Cato client, including one that could allow an attacker to gain full administrative control of a user’s device simply by having the user visit a malicious web page.
    • Google Addresses Promptware Attack — Google has remediated a serious security issue that allowed maliciously crafted Google Calendar invites to remotely take over Gemini agents running on the target’s device, leak sensitive user data, and hijack control of smart home systems. The targeted promptware attack is initiated simply by an attacker sending a victim a Google Calendar invite whose name contains an indirect prompt injection. When Google’s flagship AI chatbot is asked to summarize its upcoming calendar events, those dormant instructions are triggered, causing havoc in the physical environment, such as remotely controlling a victim’s home appliances. The attacks employ an approach called delayed automatic tool invocation to get around Google’s existing safety measures. They also demonstrate a potential side effect of Gemini’s broad permissions to take actions across the Google ecosystem. “As a result, we were able to hijack the application context, invoke its integrated agents, and exploit their permissions to perform a shocking range of malicious activities — including identifying the victim’s location, recording the victim, and even making changes within the victim’s physical environment.” The approach shows that Promptware, a variant of EchoLeak, is capable of performing both inter-agent lateral movement, by triggering malicious activity between different Gemini agents, and inter-app lateral movement, by escaping the boundaries of Gemini and leveraging applications installed on a victim’s smartphone, to perform malicious activities with real-world consequences. The promptware attacks further show that Gemini can be made to send spam links, generate vulgar content, open up the Zoom app and start a call, steal email and meeting details from a web browser, and download a file from a smartphone’s web browser. Google has since rolled out fixes like security thought reinforcement to address the issues. Indirect prompt injections are a more serious AI threat, as the malicious prompt is inserted by an outside source, either embedded within a web page or as text in a white font in an email that’s invisible to the naked eye, but can be parsed by AI systems. Addressing prompt injections is a hard problem since the methods by which LLMs can be tricked are continually evolving, and the attack surface is simultaneously getting more complex.
    • Matter Adds New Security Features — Matter, a unifying, IP-based connectivity protocol and technical standard for smart home and IoT devices, has received numerous security enhancements in version 1.4.2, including (1) Wi-Fi Only Commissioning, which enables devices to be onboarded to Matter ecosystems over Wi-Fi without requiring Bluetooth Low Energy (LE) radios, (2) Vendor ID (VID) Verification, which allows controllers to cryptographically verify that the Admins installed on a device are genuinely from the vendors they claim, (3) Access Restriction Lists (ARLs), which provide a mechanism to restrict access to sensitive settings and data to only trusted, verified Controllers, and (4) Certificate Revocation Lists (CRLs), which offer support for revoking unused or compromised Device Attestation Certificates.
    • Smart Buses Can Be Remotely Hacked — Cybersecurity researchers have discovered that Taiwanese smart buses that incorporate various systems to improve safety, efficiency, and passenger experience, such as Advanced Public Transportation Services (APTS) and Advanced Driver Assistance Systems (ADAS), can be remotely hacked. The research showed that it’s possible to easily bypass the on-board router’s authentication and gain unauthorized access to its administration interface, and then take over the APTS and ADAS functionality due to a lack of network segmentation. This enables an attacker to leverage the remote access to track the vehicle’s movements, manipulate controls, or access the camera. The vulnerabilities impact routers from BEC Technologies, which are commonly installed on smart buses in Taiwan.
    • Cmimai Stealer Spotted in the Wild — A new Visual Basic Script (VBS) stealer malware called Cmimai Stealer has been observed in the wild since June 2025, employing capabilities to harvest a wide range of information from infected hosts and exfiltrating the data using a Discord webhook. “It is lightweight and lacks advanced features like persistence on system restart, encrypted communication, and credential theft; perhaps by design,” K7 Security said. “Although it is collecting browser data and screenshots, making us classify it as an Infostealer, it can be used for the dual purpose as a Stealer and also as a second-stage reconnaissance tool used for strategizing further future attacks.”
    • Windows Hello or Windows Hell No? — Cybersecurity researchers have presented a novel attack targeting Windows Hello for Business (WHfB) that leverages the storage subsystem of the biometric unit in order to conduct bypass attacks. Essentially, the attack can facilitate biometric injection from another computer that would compromise biometric authentication, granting access to any face or fingerprint submitted. ERNW Research demonstrated that a local admin, or someone who has access to their credentials via malware or other means, can inject biometric information into a computer that would allow it to recognize any face or fingerprint. While the biometric templates are “encrypted,” a local administrator can exchange biometric features in the database, allowing authentication as any user already enrolled in the targeted system, including the possibility to make a lateral movement by usurping a domain administrator. Microsoft’s Enhanced Sign-in Security (ESS), which operates at a higher hypervisor virtual trust level (VTL1), blocks this line of attack.
    • Securam Prologic Lock Flaws Disclosed — Researchers James Rowley and Mark Omo managed to discover a “backdoor” intended to let authorized locksmiths open Securam Prologic locks used in Liberty Safe and seven other brands. In addition, they discovered a way for a hacker to exploit that backdoor—intended to be accessible only with the manufacturer’s help—to open a safe on their own in seconds, as well as found another security vulnerability in many newer versions of Securam’s locks that would allow a bad actor to insert a tool into a hidden port in the lock and instantly obtain a safe’s unlock code, WIRED reported. Securam is expected to fix the issues in future models of the ProLogic lock.
    • UAC Bypass via eudcedit.exe — An inventive User Account Control (UAC) bypass method exploits Windows’ built-in Private Character Editor (“eudcedit.exe”), allowing attackers to gain elevated privileges without user consent. The technique once again highlights how legitimate Windows utilities can be weaponized to circumvent critical security mechanisms. “If eudcedit.exe is executed under a user context that already belongs to the Administrators group, and UAC is configured permissively (e.g., ‘Elevate without prompting’), Windows will launch it immediately with high integrity, without showing a UAC dialog,” security researcher Matan Bahar said.
    • Information Leak in Multi-User Linux Environments — New research has demonstrated how basic Linux commands like “ps auxww” can be weaponized to extract database credentials, API keys, and administrative passwords in multi-user Linux environments, “without ever escalating privileges or exploiting a single bug,” according to Ionut Cernica.
    • Privacy Leaks Via Siri — Privacy issues have been uncovered in Apple Siri, finding the chat assistant transmits metadata about installed and active open apps, as well as audio playback metadata (e.g., recording names) without the user’s ability to control these privacy settings or their consent. What’s more, messages dictated via Siri to apps like iMessage and WhatsApp are sent to Apple’s servers, along with the recipient phone number and other identifiers. The issues have been codenamed AppleStorm by Lumia Security. Apple said the behavior stemmed from third-party services’ use of SiriKit, its extension system for integrating external apps with Siri.
    • OAuth Apps as a Privilege Escalation Tool — Malicious OAuth applications could be used to escalate privileges or move laterally within a target environment. That’s according to findings from Praetorian, which has open-sourced a red teaming tool called OAuthSeeker that performs phishing attacks using malicious OAuth applications to compromise user identities within Microsoft Azure and Office365. “It is possible for external verified or internal unverified applications to request user_impersonation privileges within Microsoft Azure, which then allows the attacker to impersonate the user to cloud computing resources within Microsoft Azure, such as accessing compute infrastructure, such as virtual machines,” Praetorian said. “Operators can leverage OAuthSeeker for both gaining initial access into an environment, for lateral movement after obtaining initial access, and for persistence purposes after compromising an account leveraging other methods.”
    • Fake Minecraft Setup Leads to NjRAT — A new malware campaign has been observed using fake Minecraft installers or mods to distribute a remote access trojan called NjRAT. “It is written in .NET and allows attackers to fully control infected machines remotely, making it one of the most popular and persistent malware families used in cyber espionage, cybercrime, and surveillance operations,” Point Wild said. The disclosure comes as the cybersecurity company detailed the inner workings of another RAT called Sakula RAT that has been employed in targeted intrusions since at least 2012. Besides harvesting sensitive data, the malware can connect to a command-and-control (C2) server to receive instructions from the attacker to run arbitrary commands and download additional payloads.
    • Israel Targeted by PowerShell RAT Using ClickFix — Speaking of RATs, multiple Israeli organizations have been targeted by spear-phishing attacks that direct users to fake landing pages mimicking Microsoft Teams invites, while using ClickFix-like lures to trick recipients into launching PowerShell commands under the guise of joining the conversation. The command initiates the retrieval and execution of a secondary PowerShell script from the attacker’s server, which, in turn, acts as a loader for a PowerShell remote access trojan that can run PowerShell commands from the C2 and run more malware. “The adversary leveraged compromised internal email infrastructure to distribute phishing messages across the regional business landscape,” Fortinet said. “The attacker systematically compromised multiple Israeli companies over several consecutive days, using each breached environment as a launchpad to target additional organizations in the region. This tactic closely mirrors MuddyWater’s typical approach to lateral expansion.” The absence of remote management tools (RMMs), a hallmark of MuddyWater’s attacks, indicates a tactical deviation. The disclosure came as Profero said it cracked the encryption of the DarkBit (aka Storm-1084) ransomware gang’s encryptors, allowing victims to recover files for free without paying a ransom. DarkBit is assessed to share overlaps with MuddyWater. The decrypter exploits a weak key generation algorithm used by the DarkBit group to brute-force the decryption key.
    • Kimsuky Allegedly Suffers Data Breach — The North Korean state-sponsored hackers known as Kimsuky have reportedly suffered a data breach after a pair of hackers, named Saber and cyb0rg, stole the group’s data and leaked it publicly online. “Kimsuky, you are not a hacker. You are driven by financial greed, to enrich your leaders, and to fulfill their political agenda,” the hackers remarked in an analysis published in the latest issue of Phrack magazine. “You steal from others and favour your own. You value yourself above the others: You are morally perverted.” Among the leaked data are Kimsuky’s backend, exposing hacking tools, email addresses, internal manuals, and passwords that could provide insight into unknown campaigns and undocumented compromises. Saber and cyb0rg claim to have found evidence of Kimsuky compromising several South Korean government networks and companies. The files also include the group’s Android Toybox modifications and use of exploits like Bushfire. Another program is a Loadable Kernel Module (LKM) style rootkit with the ability to hide from detection and operate on any network port. “The main purpose of the rootkit is to create a persistent and stealthy backdoor,” Sandfly Security said. “The backdoor is activated when a special magic packet is received, combined with a correct password to initiate an SSL connection. The backdoor can be activated on any port. This is important to understand because a firewall alone may not protect the target system. If the magic packet is able to hit the victim, then the backdoor may be activated.” The tranche of data is said to have originated from a virtual workstation and virtual private server (VPS) used by the threat actor. That said, indications are that the dumps may have originated from a likely Chinese actor who has knowledge of Kimsuky’s tradecraft.
    • 2 Founders of Samourai Wallet Plead Guilty to Money Laundering — Two senior executives and founders of the Samourai Wallet cryptocurrency mixer have pleaded guilty to charges involving washing more than $200 million worth of crypto assets from criminal proceeds and concealing the nature of illicit transactions using services like Whirlpool and Ricochet. Samourai CEO Keonne Rodriguez and CTO William Lonergan Hill were arrested last year after the U.S. Federal Bureau of Investigation (FBI) took down their service. As part of their plea agreements, Rodriguez and Hill have also agreed to forfeit $237,832,360.55. “The defendants created and operated a cryptocurrency mixing service that they knew enabled criminals to wash millions in dirty money, including proceeds from cryptocurrency thefts, drug trafficking operations, and fraud schemes,” the U.S. Department of Justice (DoJ) said. “They did not just facilitate this illicit movement of money, but also encouraged it.”
    • Tornado Cash Founder Convicted of Operating a Money Transmitting Business — Roman Storm, a co-founder of the cryptocurrency mixing service Tornado Cash, was found guilty of conspiring to operate an unlicensed money-transmitting business. However, the jury failed to reach a ruling on the more significant charges of conspiracy to commit money laundering and to violate sanctions. “Roman Storm and Tornado Cash provided a service for North Korean hackers and other criminals to move and hide more than $1 billion of dirty money,” the DoJ said. Storm is set to be sentenced later this year and faces a maximum prison sentence of five years. The development came as the U.S. Treasury Department dropped its appeal against a court ruling that forced it to lift sanctions against Tornado Cash last month. Tornado Cash was delisted from the Specially Designated Nationals and Blocked Persons (SDN) list earlier this March. The service was sanctioned in 2022 for its alleged links to cybercriminals and for having “repeatedly failed to impose effective controls” to prevent money laundering.
    • India’s UPI to Stop P2P Money Requests to Tackle Fraud — The National Payments Corporation of India (NPCI) announced it will discontinue the person-to-person (P2P) Collect Request feature from the country’s instant payment system, Unified Payments Interface (UPI), starting October 1, 2025, aiming to strengthen security and prevent payment-related fraud. The feature allows users to request money from another individual via UPI, but has been misused by fraudsters by sending fake money transfer requests that can be inadvertently approved by a simple tap, thereby tricking unwitting users into authorizing payments. The change, however, does not apply to merchants.
    • Microsoft Plans to Block Dangerous File Types in Teams — Microsoft revealed it’s planning to block dangerous file types and malicious URLs in Teams chats and channels. “Microsoft Teams now blocks messages containing weaponizable file types, such as executables, in chats and channels, increasing protection against malware and other file-based attacks,” the company said. “Microsoft Teams can now detect and warn users on malicious URLs sent in Teams chat and channels, increasing protection against malware attacks.” Separately, the tech giant said it’s also integrating Teams with Defender for Office 365 Tenant Allow/Block List to allow administrators to centrally manage blocked external domains in Teams.
    • USB Worm Delivers Crypto Miner — A USB-based worm is being used to deliver the XMRig cryptocurrency miner as part of a global campaign targeting financial, education, healthcare, manufacturing, telecom, and oil and gas sectors in Australia, India, the U.S., and other countries. “The infection starts with execution of a VB script file from a USB drive (using a file name that starts with x and random 6 digits) from a folder named ‘rootdir,’” CyberProof said. The attack chain subsequently leverages DLL side-loading techniques to launch a malicious DLL that’s responsible for starting the mining process. In a related development, Russian companies have become the target of the Kinsing (aka H2Miner and Resourceful Wolf) cryptojacking group as part of large-scale attacks that brute-force SSH instances or scan internet-exposed servers for known vulnerabilities (e.g., CVE-2017-9841) in order to drop the Monero cryptocurrency miner.
    • SMM Flaws in AMI Aptio UEFI Firmware — System Management Mode (SMM) memory corruption vulnerabilities (CVE-2025-33043) have been identified in UEFI modules present in AMI Aptio UEFI firmware that could be exploited by an attacker to elevate privileges and execute arbitrary code in the highly privileged SMM environment. “This could bypass certain firmware-level protections, such as those protecting the SPI flash memory, and enable persistent modifications to the firmware that operate independently of the OS,” CERT Coordination Center (CERT/CC) said.
    • Former Intel Engineer Sentenced to 2 Years of Probation for Stealing Trade Secrets — An engineer who stole trade secrets from Intel and shared them with his new employer, Microsoft, was sentenced to two years of probation and ordered to pay a fine of more than $34,000. Varun Gupta was employed at Intel from July 2010 to January 2020, when he secured his new job at Microsoft. Gupta pleaded guilty to possessing trade secrets back in February 2025. “Between February and July 2020, while employed by the company in Washington, Gupta possessed and accessed his previous employer’s trade secrets and proprietary information without authorization,” the Justice Department noted at the time. “Gupta accessed information related to customized product design and pricing for significant purchases of computer processors, which Gupta used, as a representative of the Washington company, during head-to-head negotiations with his previous employer.” He was sued by Intel in early 2021.
    • GitHub Repositories Deliver Stealer Malware — GitHub repositories disguised as legitimate projects, including game cheats, software cracks, and automation tools, have been used to distribute a malware loader called SmartLoader. It’s believed that users searching for such tools on search engines are the target of the campaign. The loader acts as a conduit for the Rhadamanthys information stealer malware, which is retrieved from a remote server. Users who search for tools to download YouTube videos for free have also been found to be served fake sites like YTMP4, where those who enter a video URL are displayed a “Download Now” button that drops DigitalPulse proxyware on the victim’s host by means of an executable hosted on GitHub. In a separate campaign, Facebook ads are being used to redirect users to fake landing pages that aim to deceive users into installing phony versions of cryptocurrency exchange apps like Binance that contain malware. The activity overlaps with a threat cluster dubbed WEEVILPROXY.
    • Phishing Attacks Use Personalized Subject Lines and Links — Phishing attacks have been observed crafting personalized subject lines, attachment names, and embedded links to create a sense of familiarity or urgency, and increase the likelihood that the recipients engage with the email messages. “This strategy is not limited to the subject line; it is often extended to the email attachments, links, and message body,” Cofense said. “By including customized elements, attackers aim to increase the likelihood of a successful compromise.” These subject customization campaigns bearing Travel Assistance, Response, Finance, Taxes, and Notification-themed emails have been found to deliver remote access trojans and information stealers. Finance-themed campaigns predominantly deliver jRAT, a cross-platform Remote Access Trojan written in Java that enables multi-operating system compatibility, whereas response-themed emails frequently serve PikaBot malware.
    • Google pKVM Achieves SESIP Level 5 Certification — Google announced that its protected Kernel-based Virtual Machine (pKVM) for Android has achieved SESIP Level 5 certification, the highest security assurance level for IoT and mobile platforms. “This makes pKVM the first software security system designed for large-scale deployment in consumer electronics to meet this assurance bar,” Google said. “This includes vital features, such as on-device AI workloads that can operate on ultra-personalized data, with the highest assurances of privacy and integrity.”
    • 81% of Organizations Knowingly Ship Vulnerable Code — While 98% of organizations experienced breaches due to vulnerable code, 81% knowingly shipped that code, often to meet business goals. “Under pressure to deliver, teams are treating patch-later practices as acceptable risk, embedding insecurity into the SDLC,” Checkmarx said in its Future of AppSec report. The report is based on a survey of 1,500 application security leaders. Half of the respondents already use AI security code assistants, and 34% admitted that more than 60% of their code is generated using artificial intelligence (AI) tools.
    • Pak Entities Targeted by Blue Locker Ransomware — Pakistan’s National Cyber Emergency Response Team (NCERT) issued an alert warning of Blue Locker ransomware attacks targeting the oil and gas sector. The ransomware, believed to be connected to the Shinra malware family, is distributed via a PowerShell-based loader that attempts to disable security defenses, escalate privileges, and launch its main payload. Phishing emails, malicious attachments, drive-by downloads, and insecure remote access are some of the initial access routes used by the threat actors behind the operation. “The motive behind these events may vary, but it is unlikely that a traditional cybercriminal organization is responsible; instead, it is more probable that a nation-state group is attacking critical infrastructure,” Resecurity said. “Very often, advanced actors operate under the guise of cybercrime to blur attribution and avoid geopolitical context.” The disclosure came as Huntress detailed a KawaLocker (aka KAWA4096) ransomware incident that involved the attackers accessing a victim’s endpoint via Remote Desktop Protocol (RDP) using a compromised account, followed by disabling security tools using kernel drivers and then dropping the locker.
    • Phishing Campaign Uses “ん” as a URL Forward Slash — A Booking.com-themed phishing campaign has been observed using the Unicode character “ん” in URLs as a substitute for forward slashes when rendered in a web browser to trick unsuspecting users into running malicious MSI installers that are likely capable of delivering additional malware.
    • Threat Actors Sell Access to Compromised Law Enforcement Accounts — A flourishing underground economy is enabling unauthorized access to hacked government and law enforcement accounts. These accounts are either compromised through phishing or through information-stealing infections. A single account is available for as little as $40.
    • Chrome Tests Blocking Fingerprinting in Incognito Mode — Google’s Chrome team said it’s testing a Script Blocking feature that’s aimed at thwarting scripts engaging in known, prevalent techniques for browser re-identification using browser APIs to extract additional information about the user’s browser or device characteristics. The feature is expected to be shipped in version 140.
    • Norway Says Russian Hackers Sabotaged Dam — The Norwegian Police Security Service said pro-Russian hackers likely sabotaged a dam in the country’s southwest in April 2025. This is the first time officials have publicly linked the incident to Russia. “The aim of this type of operation is to influence and to cause fear and chaos among the general population,” PST said. Exactly who is behind it is presently unknown.
    • NIST Finalizes Lightweight Cryptography Standard to Secure IoT Devices — The U.S. National Institute of Standards and Technology (NIST) has completed work on the Ascon cryptographic standard. The standard contains four cryptographic algorithms (ASCON-128 AEAD, ASCON-Hash 256, ASCON-XOF 128, and ASCON-CXOF 128) designed to be used on low-memory IoT devices, as well as RFID tags and medical implants. The agency has been working on the standard since 2023.
    • Chinese AI Firm Runs Propaganda Campaigns — The Chinese government is enlisting the help of domestic AI companies to monitor and manipulate public opinion on social media through sophisticated propaganda campaigns. One such company, named GoLaxy, has run influence operations targeting Hong Kong and Taiwan with the help of AI tools. Founded in 2010, it has also used a tool named GoPro to build psychological profiles and build data profiles for at least 117 sitting U.S. lawmakers and more than 2,000 other American political and thought leaders. Furthermore, GoLaxy is believed to be tracking thousands of right-wing influencers and journalists. The company has since attempted to scrub its digital footprint, albeit unsuccessfully. In a statement to The New York Times, GoLaxy said its products are mainly based on open-source data.

    🎥 Cybersecurity Webinars

    • 5 Hidden Risks in Your Code-to-Cloud Pipeline—And How to Fix Them Fast: Security gaps don’t start in the cloud—they begin in your code. Join us to discover how code-to-cloud visibility unites developers, DevOps, and security teams with one shared map of risk. Learn how to cut noise, speed remediation, and protect your business-critical applications before attackers find the weak link.
    • How to Detect the Silent AI Threats Hiding in Your Systems: AI is no longer just a tool—it can act like a rogue insider hiding in plain sight. Join our webinar, Shadow Agents and Silent Threats, to uncover how AI is reshaping identity risks, why traditional defenses aren’t enough, and what you can do now to stay ahead of invisible threats.
    • How to Stop Rogue AI Agents Before They Hijack Your Identities and Data: AI Agents are multiplying inside your business faster than most teams can track—slipping into workflows, cloud platforms, and identities without warning. In this exclusive panel, security experts will uncover where Shadow AI hides, the risks they pose, and the practical steps you can take right now to regain control—without slowing innovation.

    🔧 Cybersecurity Tools

    • Buttercup: It is a Cyber Reasoning System (CRS) built to automatically find and fix vulnerabilities in open-source software. Developed by Trail of Bits for DARPA’s AIxCC program, it combines fuzzing, program analysis, and AI-driven patching to discover security flaws and generate repairs. Designed to work with OSS-Fuzz compatible C and Java projects, Buttercup integrates multiple components—like an orchestrator, fuzzer, and patcher—into a workflow that can test, monitor, and secure code at scale.
    • Beelzebub: It is an open-source honeypot framework that provides a controlled environment for studying cyber attacks. It combines low-code configuration with AI-driven simulation to mimic high-interaction systems while maintaining a safer, low-interaction core. Supporting multiple protocols like SSH, HTTP, and TCP, as well as monitoring through Prometheus and ELK integration, Beelzebub helps researchers and defenders observe attacker behavior, test defenses, and analyze emerging threats.
    • ExtensionHound: It is a forensic analysis tool designed to trace Chrome extensions’ DNS activity. By correlating network requests with specific extensions, it overcomes Chrome’s default process-level attribution barrier, making it possible to identify which extension generated suspicious queries. With optional integrations for domain reputation (VirusTotal), extension details (Secure Annex), and YARA-based signature detection, ExtensionHound provides investigators with clearer visibility into extension behavior across Windows, macOS, and Linux environments.

    Disclaimer: These newly released tools are for educational use only and haven’t been fully audited. Use at your own risk—review the code, test safely, and apply proper safeguards.

    🔒 Tip of the Week

    Clipboard Permissions — A Hidden Data Leak Waiting to Happen — Most people think of their clipboard as a harmless convenience — copy some text, paste it where you need it, done. But in modern browsers like Chrome, the clipboard is a shared space between your computer and any website you grant permission to. Once allowed, a site can read whatever is currently in your clipboard — not just what you copied from that site, but from anywhere: your password manager, a PDF, a corporate document, or even secure notes.

    The danger isn’t just “technical paranoia” — clipboard access is a known target for attackers because it bypasses a lot of security boundaries. If you’ve allowed a site to read your clipboard:

    • It can read sensitive data from other apps — (e.g., passwords, personal IDs, bank info) if that data is in your clipboard while the site is open.
    • It can read more than what you paste — Once permission is granted, a site can read your clipboard when you interact with it (e.g., clicking a button). It can see data copied from anywhere, not just from that site.
    • It’s silent — there’s no pop-up or alert for each read. You won’t know it’s happening.

    For example, you allow design-tool[.]com to read your clipboard because you want to paste an image directly into the site. Later in the day, you copy:

    • A password from your password manager,
    • A confidential client email snippet,
    • Or a crypto wallet address.

    While you’re still working in design-tool[.]com, its code could (maliciously or due to a compromise) send each clipboard read to a remote server — without you ever pressing “paste.”

    Unlike file downloads or microphone access, Chrome’s clipboard permission is “all or nothing” for that site. Once allowed, the site can read at will until you manually revoke the permission.

    What You Can Do

    1. Grant Access Only When Needed: Go to chrome://settings/content/clipboard and set permissions to “Ask before accessing.”
    2. Revoke Access After Use: Click the lock icon next to the address bar → Site settings → Block clipboard access.
    3. Use Separate Profiles: Keep clipboard-trusted sites in a dedicated Chrome profile; close it when not in use.
    4. Avoid Copying Sensitive Data While a Site is Open: If you must copy sensitive info, close the tab for any site with clipboard permissions first.

    Clipboard access is like giving a stranger a window into your desk — you may only want them to look once, but if you leave the window open, they can keep peeking without asking. Treat clipboard permissions as carefully as camera or microphone access.
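
To find sites that still hold the permission before revoking it, the grants can be read from the Chrome profile's Preferences file. This is an added example, not part of the original newsletter; it assumes the on-disk layout `profile.content_settings.exceptions.clipboard` with setting 1 = allow and 2 = block, which is internal to Chrome and may change, and the sample data is constructed.

```javascript
// Added example: list sites that hold Chrome's clipboard permission by
// inspecting a parsed profile "Preferences" JSON object.
// Assumption: Chrome's internal (undocumented) layout described in the lead-in.

// Chrome ContentSetting values as stored in Preferences.
const SETTING_NAMES = { 1: "allow", 2: "block", 3: "ask" };

// Chrome stores timestamps as microseconds since 1601-01-01 UTC.
// Offset between 1601-01-01 and 1970-01-01 is 11644473600 seconds.
function chromeTimeToIso(us) {
  if (!/^\d+$/.test(String(us))) return null;
  const unixMs = Number(BigInt(us) / 1000n) - 11644473600000;
  return new Date(unixMs).toISOString();
}

function auditClipboardPermissions(prefs) {
  const profile = prefs.profile || {};
  const exceptions =
    (profile.content_settings &&
      profile.content_settings.exceptions &&
      profile.content_settings.exceptions.clipboard) || {};
  const defaults = profile.default_content_setting_values || {};

  const report = {
    // With no stored default, Chrome asks before granting access.
    defaultSetting: SETTING_NAMES[defaults.clipboard] || "ask",
    allowed: [],
    blocked: [],
  };

  for (const [pattern, entry] of Object.entries(exceptions)) {
    // Keys are "primaryPattern,secondaryPattern"; the site is the first part.
    const origin = pattern.split(",")[0];
    const row = { origin, changedAt: chromeTimeToIso(entry.last_modified) };
    if (entry.setting === 1) report.allowed.push(row);
    else if (entry.setting === 2) report.blocked.push(row);
  }
  return report;
}

// Constructed sample, shaped like the relevant part of a Preferences file.
const SAMPLE_PREFS = {
  profile: {
    content_settings: {
      exceptions: {
        clipboard: {
          "https://design-tool.example:443,*": {
            last_modified: "13399948800000000",
            setting: 1,
          },
          "https://ads.example:443,*": {
            last_modified: "13399948800000000",
            setting: 2,
          },
        },
      },
    },
  },
};

const sampleReport = auditClipboardPermissions(SAMPLE_PREFS);
console.log(JSON.stringify(sampleReport, null, 2));
```

Every origin under `allowed` can read the clipboard until its permission is revoked in Site settings.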

    Conclusion

    The pace isn’t slowing down, and the risks aren’t waiting. Every delay, every blind spot, becomes an opening someone else is ready to use. What’s urgent isn’t just patching or reacting—it’s staying one step ahead.


    Source: thehackernews.com…

  • Malicious PyPI and npm Packages Discovered Exploiting Dependencies in Supply Chain Attacks

    Cybersecurity researchers have discovered a malicious package in the Python Package Index (PyPI) repository that introduces malicious behavior through a dependency that allows it to establish persistence and achieve code execution.

    The package, named termncolor, realizes its nefarious functionality through a dependency package called colorinal by means of a multi-stage malware operation, Zscaler ThreatLabz said. While termncolor was downloaded 355 times, colorinal attracted 529 downloads. Both libraries are no longer available on PyPI.

    “This attack could leverage DLL side-loading to facilitate decryption, establish persistence, and conduct command-and-control (C2) communication, ending in remote code execution,” according to researchers Manisha Ramcharan Prajapati and Satyam Singh.

    Once installed and executed, termncolor is designed to import colorinal, which, in turn, loads a rogue DLL that’s responsible for decrypting and running the next-stage payload.

    Specifically, the payload deploys a legitimate binary “vcpktsvr.exe” and a DLL called “libcef.dll” that’s launched using DLL side-loading. The DLL, for its part, is capable of harvesting system information and communicating with the C2 server using Zulip, an open-source chat application, to conceal the activity.

    “Persistence is achieved by creating a registry entry under the Windows Run key to ensure automatic execution of the malware at system startup,” Zscaler said.

    The malware is also capable of infecting Linux systems, with the Python libraries dropping a shared object file called “terminate.so” to unleash the same functionality.

    Further analysis of the threat actor’s Zulip activity has revealed three active users within the created organization, with a total of 90,692 messages exchanged within the platform. It’s believed that the malware author has been active since July 10, 2025.

    “The termncolor package and its malicious dependency colorinal highlight the importance of monitoring open-source ecosystems for potential supply chain attacks,” the company said.

    The disclosure comes as SlowMist revealed that threat actors are targeting developers under the guise of a job assessment to trick them into cloning a GitHub repository containing a booby-trapped npm package that’s capable of harvesting iCloud Keychain, web browser, and cryptocurrency wallet data, and exfiltrating the details to an external server.

    The npm packages are also engineered to download and run Python scripts, capture system information, scan the file system for sensitive files, steal credentials, log keystrokes, take screenshots, and monitor clipboard content.

    The list of identified packages, now removed from npm, is below –

    • redux-ace (163 Downloads)
    • rtk-logger (394 Downloads)

    In recent months, malicious npm packages have been spotted targeting the cybersecurity community to facilitate data theft and cryptocurrency mining through a dependent package, using legitimate services like Dropbox to exfiltrate the information from infected systems.

    These packages, Datadog researchers Christophe Tafani-Dereeper and Matt Muir noted, are distributed to targets under the guise of malicious proof-of-concept (PoC) code for security flaws, or a kernel patch that supposedly offers performance improvements. The activity has been attributed to a threat actor it tracks as MUT-1244.

    The development also follows a report from ReversingLabs that has revealed the risks associated with automated dependency upgrades, particularly when a compromised project is used by thousands of other projects, amplifying risks to the software supply chain.

    This is exemplified by the recent compromise of the eslint-config-prettier npm package by means of a phishing attack that allowed unnamed attackers to push poisoned versions directly to the npm registry without any source code commits or pull requests on its corresponding GitHub repository.

    The software supply chain security company found that more than 14,000 packages have declared eslint-config-prettier as a direct dependency, instead of declaring it as a devDependency, causing automated actions like GitHub Actions to automatically merge the dependency update alerts issued by Dependabot without scrutinizing them.

    “Since this is a configuration for a development tool used for code formatting, it can be expected that it should be declared as a devDependency across packages in which it is used, and, as such, it shouldn’t be automatically installed when the npm install command is executed like with regular dependencies,” security researcher Karlo Zanki said.

    “Automated version management tools like Dependabot are designed to remove the risk of having dependencies with security issues in your code base, but […] ironically they can end up introducing even bigger security issues like malicious compromise.”
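    The misdeclaration described above can be checked for directly in a code base. The following is an added example, not code from the article or from ReversingLabs: it flags lint and formatting tooling listed under `dependencies` and notes whether the version range floats. The pattern list, function names and sample manifests are assumptions constructed for illustration.

```javascript
// Added example (not from the article): find development tooling that a package
// declares under "dependencies", where it is installed for every consumer.

// Assumed, illustrative patterns for lint/format tooling; extend for your estate.
const DEV_TOOL_PATTERNS = [
  /^eslint($|-)/,
  /^@typescript-eslint\//,
  /^prettier($|-)/,
  /^stylelint($|-)/,
];

function isDevTool(name) {
  return DEV_TOOL_PATTERNS.some((re) => re.test(name));
}

// Only an exact version counts as pinned; ^, ~, *, x-ranges, tags and
// comparators all let a newly published release satisfy the manifest.
function isPinned(range) {
  return /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/.test(String(range).trim());
}

function auditManifest(manifest) {
  const deps = manifest.dependencies || {};
  return Object.keys(deps)
    .filter(isDevTool)
    .map((name) => ({
      pkg: manifest.name,
      dependency: name,
      range: deps[name],
      floating: !isPinned(deps[name]),
    }));
}

function auditAll(manifests) {
  return manifests.flatMap(auditManifest);
}

// Constructed package.json contents (names and version ranges are made up).
const SAMPLE_MANIFESTS = [
  { name: "constructed-lib-a",
    dependencies: { "eslint-config-prettier": "^9.1.0", lodash: "^4.17.21" } },
  { name: "constructed-app-b",
    dependencies: { express: "4.19.2" },
    devDependencies: { "eslint-config-prettier": "9.1.0" } },
  { name: "constructed-lib-c", dependencies: { prettier: "3.3.3" } },
];

for (const f of auditAll(SAMPLE_MANIFESTS)) {
  const note = f.floating ? " (floating range)" : "";
  console.log(`${f.pkg}: move ${f.dependency}@${f.range} to devDependencies${note}`);
}
```

    A finding with a floating range is the case the report highlights: a newly published version satisfies the manifest, so an update bot can propose it and an auto-merge rule can accept it without review.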


    Source: thehackernews.com…

  • Wazuh for Regulatory Compliance

    Aug 18, 2025 | The Hacker News | Data Breach / Regulatory Compliance

    Organizations handling various forms of sensitive data or personally identifiable information (PII) require adherence to regulatory compliance standards and frameworks. These compliance standards also apply to organizations operating in regulated sectors such as healthcare, finance, government contracting, or education. Some of these standards and frameworks include, but are not limited to:

    • Payment Card Industry Data Security Standard (PCI DSS)
    • General Data Protection Regulation (GDPR)
    • Health Insurance Portability and Accountability Act (HIPAA)
    • National Institute of Standards and Technology Special Publication framework (NIST SP 800-53)
    • Trust Services Criteria (TSC)
    • Cybersecurity Maturity Model Certification (CMMC)

    Reasons for meeting compliance requirements

    Below are some reasons for meeting compliance requirements:

    • To protect businesses and organizations from cybersecurity risks, threats, and data breaches.
    • To develop efficient organizational processes that aid in attaining business licensing.
    • To avoid financial risk, losses, and fines due to data breaches or non-compliance with regulatory requirements.

    How to meet regulatory compliance requirements

    Regulatory compliance standards and frameworks can be implemented by adhering to the following points:

    • Regular review of current regulatory compliance standards and frameworks applicable to your organization.
    • Designating a specialist to be in charge of the compliance process. This specialist may be the organization’s compliance officer.
    • Sensitizing employees and relevant third parties to compliance standards and the need to stay compliant. This sensitization may include training and tabletop exercises on the applicable compliance frameworks.
    • Performing regular internal audits of systems and processes to ensure compliance with the relevant regulatory requirements.
    • Using platforms to monitor and enforce compliance. An example of such a platform is Wazuh.

    Wazuh SIEM/XDR

    Wazuh is an open source security platform that provides unified Extended Detection and Response (XDR) and Security Information and Event Management (SIEM) protection for endpoints and cloud workloads. It unifies historically separate functions into a single agent and platform architecture. Wazuh offers various capabilities, including threat detection and response, vulnerability detection, file integrity monitoring, container security, system inventory, and security configuration assessment. These capabilities are aided by visualizations that show various metrics and your organization’s compliance with specific standards.

    Wazuh can help you track and implement regulatory compliance standards and frameworks by providing the following:

    • Out-of-the-box modules that support compliance frameworks and standards.
    • Compliance events visualization.
    • Alerts classification by compliance requirements.
    • Updated regulatory compliance documentation.

    Out-of-the-box modules that support compliance frameworks and standards

    Wazuh includes default dashboards, modules, and rulesets associated with specific compliance standards and regulatory frameworks. These include dashboards for PCI DSS, GDPR, HIPAA, NIST SP 800-53, and TSC frameworks.

    The section below shows examples of such applications of these modules.

    Log analysis

    You can configure Wazuh to suit your organization’s particular requirements, such as monitoring for sensitive information. This is achievable using the Wazuh log data analysis and File Integrity Monitoring (FIM) modules. An example can be seen in the post “Conducting primary account number scan with Wazuh”, which shows how to detect exposed primary account numbers (PAN) within a monitored endpoint.

    You can utilize such capabilities to identify sensitive information and improve your organization’s security posture.
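    To make the PAN detection idea concrete, here is an added example that is independent of Wazuh and of the referenced post: it scans log lines for 13 to 19 digit candidates, keeps only those that pass the Luhn checksum, and reports them masked. The function names and the sample log lines are constructed for illustration; the card numbers are well-known test values.

```javascript
// Added example (not Wazuh code): locate Luhn-valid primary account numbers
// in text lines and report them masked.

// Candidate: 13 to 19 digits, optionally separated by single spaces or hyphens.
const PAN_CANDIDATE = /\b\d(?:[ -]?\d){12,18}\b/g;

// Luhn checksum: double every second digit from the right, sum, test mod 10.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = digits.charCodeAt(digits.length - 1 - i) - 48;
    if (i % 2 === 1) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
  }
  return sum % 10 === 0;
}

// Keep only the first six and last four digits so the finding itself
// does not become another copy of the PAN.
function maskPan(digits) {
  return digits.slice(0, 6) + "*".repeat(digits.length - 10) + digits.slice(-4);
}

function scanLines(lines) {
  const hits = [];
  lines.forEach((line, idx) => {
    for (const m of line.matchAll(PAN_CANDIDATE)) {
      const digits = m[0].replace(/[ -]/g, "");
      if (luhnValid(digits)) {
        hits.push({ line: idx + 1, masked: maskPan(digits) });
      }
    }
  });
  return hits;
}

// Constructed log lines; line 2 holds a 16-digit order id that fails Luhn.
const SAMPLE_LINES = [
  '2025-08-18T10:02:11Z app=checkout msg="card=4111 1111 1111 1111 declined"',
  "2025-08-18T10:02:15Z app=checkout order_id=1234567890123456 status=ok",
  '2025-08-18T10:03:40Z app=crm note="customer read out 5555-5555-5555-4444"',
];

for (const h of scanLines(SAMPLE_LINES)) {
  console.log(`line ${h.line}: possible PAN ${h.masked}`);
}
```

    The checksum step is what keeps order numbers and other long identifiers from flooding the results, which a digit-count pattern alone cannot do.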

    Active response for incident handling

    Wazuh includes the Active Response module for automating incident responses. This module allows you to set a preferred response when an alert is triggered. You can also develop custom active response scripts tailored to your environment’s use cases. The example below shows an active response that disables a user account upon detecting multiple failed user login attempts.

    Compliance events visualization

    Wazuh provides dedicated dashboards to monitor and track events relevant to compliance requirements. These dashboards offer a quick view of recent compliance events, the timeline of alerts generated, the agents on which the alerts occur, and the alert volumes by agents. The image below shows the visualization dashboard for NIST SP 800-53 requirements:

    Alerts classification by compliance requirements

    The Wazuh compliance dashboard offers a “Controls” section that shows applicable compliance requirements. This dashboard also shows alerts generated for each requirement and the event details that generated the alert.

    This dashboard provides visibility into the requirements and helps direct the efforts of the compliance specialist and internal auditors to stay current with regulatory compliance standards.

    Updated regulatory compliance documentation

    One way to stay compliant is to regularly review and stay updated with the regulatory compliance frameworks applicable to your organization. Wazuh supports this by providing an information section for each requirement. This section contains a description of the requirement and related alerts.

    The information on the Wazuh dashboard is updated with the latest versions of the compliance standards and frameworks. This information gives the compliance team a quick overview of the impact of the alerts being generated.

    Conclusion

    Adherence to regulatory compliance is key for businesses and organizations. These compliance standards and frameworks guide companies in protecting and securing themselves.

    Various supporting platforms can be used to ensure compliance with regulatory standards and frameworks. Wazuh is one such platform. It provides threat detection, response, and visibility on the compliance status of your endpoints.

    This article is a contributed piece from one of our valued partners.


    Source: thehackernews.com…

  • ERMAC V3.0 Banking Trojan Source Code Leak Exposes Full Malware Infrastructure

    Aug 16, 2025 | Ravie Lakshmanan | Android / Malware

    Cybersecurity researchers have detailed the inner workings of an Android banking trojan called ERMAC 3.0, uncovering serious shortcomings in the operators’ infrastructure.

    “The newly uncovered version 3.0 reveals a significant evolution of the malware, expanding its form injection and data theft capabilities to target more than 700 banking, shopping, and cryptocurrency applications,” Hunt.io said in a report.

    ERMAC was first documented by ThreatFabric in September 2021, detailing its ability to conduct overlay attacks against hundreds of banking and cryptocurrency apps across the world. Attributed to a threat actor named DukeEugene, it’s assessed to be an evolution of Cerberus and BlackRock.

    Other commonly observed malware families – including Hook (ERMAC 2.0), Pegasus, and Loot – possess a shared lineage: An ancestor in the form of ERMAC from which source code components have been passed down and modified through generations.

    Hunt.io said it managed to obtain the complete source code associated with the malware-as-a-service (MaaS) offering from an open directory on 141.164.62[.]236:443, right down to its PHP and Laravel backend, React-based frontend, Golang exfiltration server, and Android builder panel.

    The functions of each of the components are listed below –

    • Backend C2 server – Provides operators the ability to manage victim devices and access compromised data, such as SMS logs, stolen accounts, and device data
    • Frontend panel – Allows operators to interact with connected devices by issuing commands, managing overlays, and accessing stolen data
    • Exfiltration server – A Golang server used for exfiltrating stolen data and managing information related to compromised devices
    • ERMAC backdoor – An Android implant written in Kotlin that offers the ability to control the compromised device and collect sensitive data based on incoming commands from the C2 server, while ensuring that the infections don’t touch devices located in the Commonwealth of Independent States (CIS) nations
    • ERMAC builder – A tool to help customers configure and create builds for their malware campaigns by providing the application name, server URL, and other settings for the Android backdoor

    Besides an expanded set of app targets, ERMAC 3.0 adds new form injection methods, an overhauled command-and-control (C2) panel, a new Android backdoor, and AES-CBC encrypted communications.

    “The leak revealed critical weaknesses, such as a hardcoded JWT secret and a static admin bearer token, default root credentials, and open account registration on the admin panel,” the company said. “By correlating these flaws with live ERMAC infrastructure, we provide defenders with concrete ways to track, detect, and disrupt active operations.”


    Source: thehackernews.com…

  • Russian Group EncryptHub Exploits MSC EvilTwin Vulnerability to Deploy Fickle Stealer Malware

    Aug 16, 2025 | Ravie Lakshmanan | Malware / Vulnerability

    The threat actor known as EncryptHub is continuing to exploit a now-patched security flaw impacting Microsoft Windows to deliver malicious payloads.

    Trustwave SpiderLabs said it recently observed an EncryptHub campaign that brings together social engineering and the exploitation of a vulnerability in the Microsoft Management Console (MMC) framework (CVE-2025-26633, aka MSC EvilTwin) to trigger the infection routine via a rogue Microsoft Console (MSC) file.

    “These activities are part of a broad, ongoing wave of malicious activity that blends social engineering with technical exploitation to bypass security defenses and gain control over internal environments,” Trustwave researchers Nathaniel Morales and Nikita Kazymirskyi said.

    EncryptHub, also tracked as LARVA-208 and Water Gamayun, is a Russian hacking group that first gained prominence in mid-2024. Operating at a high tempo, the financially motivated crew is known for leveraging several methods, including fake job offers, portfolio review, and even compromising Steam games, to infect targets with stealer malware.

    The threat actor’s abuse of CVE-2025-26633 was previously documented by Trend Micro in March 2025, uncovering attacks that deliver two backdoors called SilentPrism and DarkWisp.

    The latest attack sequence involves the threat actor claiming to be from the IT department and sending a Microsoft Teams request to the target with the goal of initiating a remote connection and deploying secondary payloads by means of PowerShell commands.

    Among the files dropped are two MSC files with the same name, one benign and the other malicious, the latter of which is used to trigger CVE-2025-26633, ultimately resulting in the execution of the rogue MSC file when its innocuous counterpart is launched.

    The MSC file, for its part, fetches and executes from an external server another PowerShell script that collects system information, establishes persistence on the host, and communicates with an EncryptHub command-and-control (C2) server to receive and run malicious payloads, including a stealer called Fickle Stealer.

    “The script receives AES-encrypted commands from the attacker, decrypts them, and runs the payloads directly on the infected machine,” the researchers said.

    Also deployed by the threat actor over the course of the attack is a Go-based loader codenamed SilentCrystal, which abuses Brave Support, a legitimate platform associated with the Brave web browser, to host next-stage malware – a ZIP archive containing the two MSC files to weaponize CVE-2025-26633.

    What makes this significant is that uploading file attachments on the Brave Support platform is restricted for new users, indicating that the attackers somehow managed to obtain unauthorized access to an account with upload permissions to pull off the scheme.

    Some of the other tools deployed include a Golang backdoor that operates in both client and server mode to send system metadata to the C2 server, as well as set up C2 infrastructure by making use of the SOCKS5 proxy tunneling protocol.

    There is also evidence that the threat actors are continuing to rely on videoconferencing lures, this time setting up phony platforms like RivaTalk to deceive victims into downloading an MSI installer.

    Running the installer leads to the delivery of several files: the legitimate Early Launch Anti-Malware (ELAM) installer binary from Symantec that’s used to sideload a malicious DLL that, in turn, launches a PowerShell command to download and run another PowerShell script.

    It’s engineered to gather system information and exfiltrate it to the C2 server, and await encrypted PowerShell instructions that are decoded and executed to give attackers full control of the system. The malware also displays a fake “System Configuration” pop-up message as a ruse, while launching a background job to generate fake browser traffic by making HTTP requests to popular websites so as to blend C2 communications with normal network activity.

    “The EncryptHub threat actor represents a well-resourced and adaptive adversary, combining social engineering, abuse of trusted platforms, and the exploitation of system vulnerabilities to maintain persistence and control,” Trustwave said.

    “Their use of fake video conferencing platforms, encrypted command structures, and evolving malware toolsets underscores the importance of layered defense strategies, ongoing threat intelligence, and user awareness training.”


    Source: thehackernews.com…