Tag: Cyber Security

  • Simple Steps for Attack Surface Reduction


    Aug 14, 2025 | The Hacker News | Endpoint Security / Application Security


    Cybersecurity leaders face mounting pressure to stop attacks before they start, and the best defense may come down to the settings you choose on day one. In this piece, Yuriy Tsibere explores how default policies like deny-by-default, MFA enforcement, and application Ringfencing™ can eliminate entire categories of risk. From disabling Office macros to blocking outbound server traffic, these simple but strategic moves create a hardened environment that attackers can’t easily penetrate. Whether you’re securing endpoints or overseeing policy rollouts, adopting a security-by-default mindset can reduce complexity, shrink your attack surface, and help you stay ahead of evolving threats.

    Cybersecurity has changed dramatically since the days of the “Love Bug” (ILOVEYOU) worm in 2000. What was once a nuisance is now a profit-driven criminal enterprise worth billions. This shift demands proactive defense strategies that don’t just respond to threats but prevent them from ever reaching your network. CISOs, IT admins, and MSPs need controls that block attacks by default, not just detect them after the fact. Frameworks and regulations like NIST, ISO 27001, the CIS Controls, and HIPAA provide guidance, but they often lack the clear, actionable steps needed to implement effective security.

    For anyone starting a new security leadership role, the mission is clear: Stop as many attacks as possible, frustrate threat actors, and do it without alienating the IT team. That’s where a security-by-default mindset comes in—configuring systems to block risks out of the gate. As I’ve often said, the attackers only have to be right once. We have to be right 100% of the time.

    Here’s how setting the right defaults can eliminate entire categories of risk.

    Require multi-factor authentication (MFA) on all remote accounts

    Enabling MFA across all remote services, including SaaS platforms like Microsoft 365 (formerly Office 365) and Google Workspace (formerly G Suite), as well as domain registrars and remote access tools, is a foundational security default. Even if a password is compromised, MFA can prevent unauthorized access. Avoid SMS-based MFA where you can: text messages can be intercepted or redirected (for example through SIM swapping), so prefer an authenticator app or, better, a phishing-resistant method such as FIDO2 security keys.

    While it may introduce some friction, the security benefits far outweigh the risk of data theft or financial loss.

    Deny-by-default

    One of the most effective security measures today is application allowlisting (also called whitelisting). This approach blocks everything by default and only allows known, approved software to run. The result: Ransomware and other malicious applications are stopped before they can execute. It also blocks legitimate-but-unauthorized remote tools like AnyDesk or similar, which attackers often try to sneak in through social engineering.

    Users can still access what they need via a pre-approved store of safe applications, and visibility tools make it easy to track everything that runs—including portable apps.

    Quick wins through secure configuration

    Small changes to default settings can close major security gaps on Windows and other platforms:

    • Turn off Office macros: It takes five minutes and blocks one of the most common ransomware delivery vectors. At minimum, block macros in files that came from the internet; where no one needs macros, disable them entirely.
    • Use password-protected screensavers: Auto-lock your screen after a short break to stop anyone from snooping around.
    • Disable SMBv1: This old-school protocol is outdated and has been used in big attacks like WannaCry. Most systems don’t need it anymore.
    • Turn off Windows typing and inking data collection: This telemetry setting, often described as the Windows keylogger, sends samples of typing and handwriting input to Microsoft to improve suggestions. It is rarely useful in a managed environment and is a data exposure risk if left on.

    Control network and application behavior for organizations

    • Remove local admin rights: Most malware doesn’t need admin access to run, but taking it away stops users from messing with security settings or even installing malicious software.
    • Block unused ports and limit outbound traffic:
      • Shut down SMB and RDP ports unless absolutely necessary—and only allow trusted sources.
      • Stop servers from reaching the internet unless they need to. Most implants, including the SolarWinds SUNBURST backdoor, have to call out to a command-and-control server; if the server cannot reach the internet, that stage fails.
    • Control application behaviors: Tools like ThreatLocker Ringfencing™ can stop apps from doing things they should never do, such as Word launching PowerShell (yes, that is a real and common attack technique).
    • Secure your VPN: If you don’t need it, turn it off. If you do, limit access to specific IPs and restrict what users can access.

    Strengthen data and web controls

    • Block USB drives by default: They are a common way for malware to get in and for data to leave. Only allow managed, encrypted devices where there is a genuine need.
    • Limit file access: Apps shouldn’t be able to poke around in user files unless they really need to.
    • Filter out unapproved tools: Block random SaaS or cloud apps that haven’t been vetted. Let users request access if they need something.
    • Track file activity: Keep an eye on who’s doing what with files—both on devices and in the cloud. It’s key for spotting shady behavior.
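    As an added example (not from the original article, and not ThreatLocker’s tooling or the author’s own code), here is how the Windows-side defaults from the lists above can be applied and then read back with built-in PowerShell cmdlets and policy registry keys. Assumptions, all placeholders to change for your estate: Office 2016/Microsoft 365 (policy path 16.0), Microsoft Defender is the active antivirus, and 10.10.0.0/24 is the trusted admin subnet. The ASR rule GUID is Microsoft’s published ID for “Block all Office applications from creating child processes”, and the removable-storage class GUID is Windows’ “Removable Disks” class.

```powershell
#Requires -RunAsAdministrator
# Example baseline for the defaults listed in the article. Not ThreatLocker code.
# Assumptions (placeholders): Office policy path 16.0, Defender is active,
# 10.10.0.0/24 is the trusted management subnet.
$ErrorActionPreference = 'Stop'
$TrustedAdminSubnet  = '10.10.0.0/24'                            # placeholder: your jump hosts
$OfficeChildProcRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'    # Defender ASR: Office apps may not spawn children

function Set-PolicyDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# 1. Office macros. These are user-scope policies, so they land in the hive of the account
#    running the script; push the same values via GPO (User Configuration) for the fleet.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    Set-PolicyDword -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1  # block macros in Mark-of-the-Web files
    Set-PolicyDword -Path $key -Name 'VBAWarnings' -Value 4                         # disable all macros, no notification
}

# 2. SMBv1: remove the optional feature and keep the server side disabled.
Disable-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol' -NoRestart | Out-Null
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# 3. Firewall: default-deny inbound, disable the broad built-in SMB/RDP allow groups, then
#    allow 445/3389 only from the trusted subnet. Block rules beat allow rules in Windows
#    Firewall, so a scoped allow plus the default action is the reliable pattern.
Set-NetFirewallProfile -All -DefaultInboundAction Block
Disable-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
foreach ($svc in @(@{ Name = 'Harden-SMB-In-Trusted'; Port = 445 }, @{ Name = 'Harden-RDP-In-Trusted'; Port = 3389 })) {
    Get-NetFirewallRule -DisplayName $svc.Name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $svc.Name -Direction Inbound -Protocol TCP -LocalPort $svc.Port `
        -RemoteAddress $TrustedAdminSubnet -Action Allow -Profile Any | Out-Null
}

# 4. Application behaviour: stop Word/Excel/etc. from launching PowerShell or anything else.
Add-MpPreference -AttackSurfaceReductionRules_Ids $OfficeChildProcRule -AttackSurfaceReductionRules_Actions Enabled

# 5. Removable disks: deny read and write by machine policy.
$usbKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
Set-PolicyDword -Path $usbKey -Name 'Deny_Read'  -Value 1
Set-PolicyDword -Path $usbKey -Name 'Deny_Write' -Value 1

# 6. Read the state back so the change is verifiable (and loggable by your RMM).
function Get-HardeningStatus {
    $mp = Get-MpPreference
    $asrState = 'NotSet'
    for ($i = 0; $i -lt @($mp.AttackSurfaceReductionRules_Ids).Count; $i++) {
        if ($mp.AttackSurfaceReductionRules_Ids[$i] -eq $OfficeChildProcRule) { $asrState = $mp.AttackSurfaceReductionRules_Actions[$i] }
    }
    [pscustomobject]@{
        Smb1ServerEnabled   = (Get-SmbServerConfiguration).EnableSMB1Protocol
        OfficeChildProcRule = $asrState        # 1 = Block
        DefaultInbound      = (Get-NetFirewallProfile -Name Domain).DefaultInboundAction
        RdpScopedRuleExists = [bool](Get-NetFirewallRule -DisplayName 'Harden-RDP-In-Trusted' -ErrorAction SilentlyContinue)
        UsbReadDenied       = (Get-ItemProperty -Path $usbKey -Name Deny_Read -ErrorAction SilentlyContinue).Deny_Read -eq 1
    }
}
Get-HardeningStatus | Format-List
```

    Stage this on a pilot group first: switching the default inbound action to Block and disabling the File and Printer Sharing group will also cut off anything else that relied on those built-in rules, and the ASR rule can be run with the action set to AuditMode before Enabled to see what it would have blocked.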

    Go beyond defaults with monitoring and patching

    Strong defaults are just the beginning. Ongoing vigilance is critical:

    • Regular patching: Most attacks use known bugs. Keep everything updated—including portable apps.
    • Automated threat detection: EDR tools are great, but if no one’s watching alerts 24/7, threats can slip through. MDR services can jump in fast, even after hours.

    Security by default isn’t just smart, it’s non-negotiable. Blocking unknown apps, using strong authentication, locking down networks and app behavior can wipe out a ton of risk. Attackers only need one shot, but solid default settings keep your defenses ready all the time. The payoff? Fewer breaches, less hassle, and a stronger, more resilient setup.

    Note: This article is expertly written and contributed by Yuriy Tsibere, Product Manager and Business Analyst at ThreatLocker.



    Source: thehackernews.com…

  • Google Requires Crypto App Licenses in 15 Regions as FBI Warns of $9.9M Scam Losses


    Aug 14, 2025 | Ravie Lakshmanan | Cryptocurrency / Financial Crime


    Google said it’s implementing a new policy requiring developers of cryptocurrency exchanges and wallets to obtain government licenses before publishing apps in 15 jurisdictions in order to “ensure a safe and compliant ecosystem for users.”

    The policy applies to markets like Bahrain, Canada, Hong Kong, Indonesia, Israel, Japan, the Philippines, South Africa, South Korea, Switzerland, Thailand, the United Arab Emirates, the United Kingdom, the United States, and the European Union. The changes do not apply to non-custodial wallets.

    This means developers publishing cryptocurrency exchange and wallet apps have to hold appropriate licenses or be registered with relevant authorities like the Financial Conduct Authority (FCA) or Financial Crimes Enforcement Network (FinCEN), or be authorized as a crypto-asset service provider (CASP) under the Markets in Crypto-Assets (MiCA) regulation, before distribution.

    “If your targeted location is not on the list, you may continue to publish cryptocurrency exchanges and software wallets. However, due to the rapidly evolving regulatory landscape worldwide, developers are expected to obtain any additional licensure requirements per local laws,” the tech giant said.


    Google noted that developers have to declare under the App Content section that their app is a cryptocurrency exchange and/or software wallet in the Financial Features Declaration. In addition, the company said it may request developers to provide more information regarding their compliance in a given jurisdiction that’s not covered in the aforementioned list.

    Developers who don’t have the required registration or licensing for a listed location are being urged to stop distributing their apps to those countries/regions.

    The disclosure comes as the U.S. Federal Bureau of Investigation (FBI) issued an updated alert warning of cryptocurrency scams in which companies falsely claim to help victims recover their stolen funds to further defraud them.

    Fraudsters have been observed posing as lawyers representing fictitious law firms, approaching scam victims on social media and other messaging platforms to assist with fund recovery, only to dupe them a second time under the pretext of receiving their information from the FBI, Consumer Financial Protection Bureau (CFPB), or other government agency.

    “Between February 2023 and February 2024, cryptocurrency scam victims who were further exploited by fictitious law firms reported losses totaling over $9.9 million,” the FBI said in an alert last June.

    The FBI also listed a number of potential red flags that users are advised to look for that could indicate a potential scam –

    • Impersonation of government entities or actual lawyers
    • References to fictitious government or regulatory entities
    • Requesting payment in cryptocurrency or prepaid gift cards (the U.S. government does not request payment for law enforcement services provided)
    • Having knowledge of the exact amounts and dates of previous wire transfers and the third-party company where the victim previously sent scammed funds
    • Stating the victim was on a government-affiliated list of scam victims
    • Referring victims to a “crypto recovery law firm”
    • Stating the victims’ funds are in an account held at a foreign bank and instructing them to register an account at that bank
    • Placing victims into a group chat on WhatsApp, or other messaging applications, for supposed client safety
    • Requesting victims send payment to a third-party trading company for maintaining secrecy and safety
    • Inability to provide credentials or a license

    “Be cautious of law firms contacting you unexpectedly, especially if you have not reported the crime to any law enforcement or civil protection agencies,” the FBI said, urging citizens to exercise due diligence and adopt a zero-trust model.

    “Request video verification or documentation or a photo of their law license. Request verification of employment for anyone claiming to work for the US Government or law enforcement.”


    Source: thehackernews.com…

  • CISA Adds Two N-able N-central Flaws to Known Exploited Vulnerabilities Catalog


    Aug 14, 2025 | Ravie Lakshmanan | Vulnerability / Network Security


    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added two security flaws impacting N-able N-central to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

    N-able N-central is a Remote Monitoring and Management (RMM) platform designed for Managed Service Providers (MSPs), allowing customers to efficiently manage and secure their clients’ Windows, Apple, and Linux endpoints from a single, unified platform.

    The vulnerabilities in question are listed below –

    • CVE-2025-8875 (CVSS score: N/A) – An insecure deserialization vulnerability that could lead to command execution
    • CVE-2025-8876 (CVSS score: N/A) – A command injection vulnerability via improper sanitization of user input

    Both shortcomings have been addressed in N-central versions 2025.3.1 and 2024.6 HF2 released on August 13, 2025. N-able is also urging customers to make sure that multi-factor authentication (MFA) is enabled, particularly for admin accounts.


    “These vulnerabilities require authentication to exploit,” N-able said in an alert. “However, there is a potential risk to the security of your N-central environment, if unpatched. You must upgrade your on-premises N-central to 2025.3.1.”

    It’s currently not known how the vulnerabilities are being exploited in real-world attacks, in what context, or at what scale. The Hacker News has reached out to N-able for comment, and we will update the story if we hear back.

    In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are recommended to apply the necessary fixes by August 20, 2025, to secure their networks.

    The development comes a day after CISA placed two old security flaws affecting Microsoft Internet Explorer and Office in the KEV catalog, one dating to 2013 and the other to 2007 –

    • CVE-2013-3893 (CVSS score: 8.8) – A memory corruption vulnerability in Microsoft Internet Explorer that allows for remote code execution
    • CVE-2007-0671 (CVSS score: 8.8) – A remote code execution vulnerability in Microsoft Office Excel that is triggered when a specially crafted Excel file is opened

    FCEB agencies have time till September 9, 2025, to update to the latest versions, or discontinue their use if the product has reached end-of-life (EoL) status, as is the case with Internet Explorer.
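    As an added example (not CISA’s code or part of the original report), the following PowerShell helper cross-checks KEV entries against an asset inventory and works out how many days remain before each remediation due date. It runs offline against a constructed sample written in the shape of the real feed (the entries are the ones named in this article, but the vulnerabilityName strings and the inventory are placeholders); the feed URL is CISA’s published JSON location and is used only when `$Live` is set.

```powershell
# Example KEV triage helper written for this article (not CISA tooling).
$KevUrl = 'https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json'

# Constructed sample in the feed's schema. CVE IDs, dates and due dates follow the article;
# vulnerabilityName and product strings are placeholders, so verify against the live feed.
$SampleFeed = @'
{ "vulnerabilities": [
  { "cveID": "CVE-2025-8875", "vendorProject": "N-able", "product": "N-central",
    "vulnerabilityName": "N-able N-central Insecure Deserialization Vulnerability",
    "dateAdded": "2025-08-13", "dueDate": "2025-08-20", "knownRansomwareCampaignUse": "Unknown" },
  { "cveID": "CVE-2025-8876", "vendorProject": "N-able", "product": "N-central",
    "vulnerabilityName": "N-able N-central Command Injection Vulnerability",
    "dateAdded": "2025-08-13", "dueDate": "2025-08-20", "knownRansomwareCampaignUse": "Unknown" },
  { "cveID": "CVE-2013-3893", "vendorProject": "Microsoft", "product": "Internet Explorer",
    "vulnerabilityName": "Microsoft Internet Explorer Memory Corruption Vulnerability",
    "dateAdded": "2025-08-12", "dueDate": "2025-09-09", "knownRansomwareCampaignUse": "Unknown" },
  { "cveID": "CVE-2007-0671", "vendorProject": "Microsoft", "product": "Office Excel",
    "vulnerabilityName": "Microsoft Office Excel Remote Code Execution Vulnerability",
    "dateAdded": "2025-08-12", "dueDate": "2025-09-09", "knownRansomwareCampaignUse": "Unknown" }
] }
'@

# Constructed inventory: vendor/product pairs as they might come from an asset register.
$Inventory = @(
    @{ Vendor = 'N-able';    Product = 'N-central' },
    @{ Vendor = 'Microsoft'; Product = 'Internet Explorer' }
)

function Get-KevActionItems {
    param(
        [Parameter(Mandatory)] $Feed,                 # object produced by ConvertFrom-Json
        [Parameter(Mandatory)] [array]$Inventory,
        [datetime]$AsOf = (Get-Date)
    )
    foreach ($v in $Feed.vulnerabilities) {
        # Match on exact vendor and a substring of the product name (CISA's product strings vary).
        $hit = $Inventory | Where-Object { $_.Vendor -eq $v.vendorProject -and $v.product -like "*$($_.Product)*" }
        if (-not $hit) { continue }
        $due  = [datetime]::ParseExact($v.dueDate, 'yyyy-MM-dd', $null)
        $days = [int]($due.Date - $AsOf.Date).TotalDays
        $status = if ($days -lt 0) { 'OVERDUE' } elseif ($days -le 7) { 'URGENT' } else { 'Scheduled' }
        [pscustomobject]@{
            CVE        = $v.cveID
            Product    = "$($v.vendorProject) $($v.product)"
            DueDate    = $v.dueDate
            DaysLeft   = $days
            Status     = $status
            Ransomware = $v.knownRansomwareCampaignUse
        }
    }
}

$Live = $false   # set to $true to query CISA's feed instead of the constructed sample
$feed = if ($Live) { Invoke-RestMethod -Uri $KevUrl } else { $SampleFeed | ConvertFrom-Json }
Get-KevActionItems -Feed $feed -Inventory $Inventory -AsOf ([datetime]'2025-08-14') |
    Sort-Object DaysLeft | Format-Table -AutoSize
```

    Run against the sample with an as-of date of August 14, the two N-central entries come back URGENT with six days left and the Internet Explorer entry Scheduled with 26, while the Excel entry is skipped because nothing in the inventory matches it. The KEV due dates bind FCEB agencies; for everyone else they are still a useful forcing function, which is why the inventory match matters more than the raw feed.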


    Source: thehackernews.com…

  • New PS1Bot Malware Campaign Uses Malvertising to Deploy Multi-Stage In-Memory Attacks


    Aug 13, 2025 | Ravie Lakshmanan | Malvertising / Cryptocurrency

    Cybersecurity researchers have discovered a new malvertising campaign that’s designed to infect victims with a multi-stage malware framework called PS1Bot.

    “PS1Bot features a modular design, with several modules delivered to perform a variety of malicious activities on infected systems, including information theft, keylogging, reconnaissance, and the establishment of persistent system access,” Cisco Talos researchers Edmund Brumaghin and Jordyn Dunk said.

    “PS1Bot has been designed with stealth in mind, minimizing persistent artifacts left on infected systems and incorporating in-memory execution techniques to facilitate execution of follow-on modules without requiring them to be written to disk.”

    Campaigns distributing the PowerShell and C# malware have been found to be active since early 2025, leveraging malvertising as a propagation vector, with the infection chains executing modules in memory to minimize the forensic trail. PS1Bot is assessed to share technical overlaps with AHK Bot, an AutoHotkey-based malware previously put to use by the threat actors Asylum Ambuscade and TA866.


    Furthermore, the activity cluster has been identified as overlapping with previous ransomware-related campaigns utilizing a malware named Skitnet (aka Bossnet) with an aim to steal data and establish remote control over compromised hosts.

    The starting point of the attack is a compressed archive that’s delivered to victims via malvertising or search engine optimization (SEO) poisoning. Present within the ZIP file is a JavaScript payload that serves as a downloader to retrieve a scriptlet from an external server, which then writes a PowerShell script to a file on disk and executes it.

    The PowerShell script is responsible for contacting a command-and-control (C2) server and fetching next-stage PowerShell commands that allow the operators to augment the malware’s functionality in a modular fashion and carry out a wide range of actions on the compromised host –

    • Antivirus detection, which obtains and reports the list of antivirus programs present on the infected system
    • Screen capture, which captures screenshots on infected systems and transmits the resulting images to the C2 server
    • Wallet grabber, which steals data from web browsers (and wallet extensions), application data for cryptocurrency wallet applications, and files containing passwords, sensitive strings, or wallet seed phrases
    • Keylogger, which logs keystrokes and gathers clipboard content
    • Information collection, which harvests and transmits information about the infected system and environment to the attacker
    • Persistence, which creates a PowerShell script such that it’s automatically launched when the system restarts, incorporating the same logic used to establish the C2 polling process to fetch the modules

    “The information stealer module implementation leverages wordlists embedded into the stealer to enumerate files containing passwords and seed phrases that can be used to access cryptocurrency wallets, which the stealer also attempts to exfiltrate from infected systems,” Talos noted.


    “The modular nature of the implementation of this malware provides flexibility and enables the rapid deployment of updates or new functionality as needed.”
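    The chain described above leaves little on disk, but the persistence module still has to register something that runs PowerShell at boot. As an added example (not Talos code and not a PS1Bot indicator list), the following PowerShell hunt scores autorun entries for the traits that pattern produces: a PowerShell or script host launched from Run/RunOnce keys or a Startup folder, hidden or encoded invocations, and scripts living under user-writable paths. The patterns are generic, so legitimate logon scripts can also score; treat the output as a review queue. The sample entries are constructed for the demonstration.

```powershell
# Example autorun hunt written for this article; not Talos tooling, not a PS1Bot IoC list.
$Patterns = @(
    'powershell(\.exe)?\s', 'pwsh(\.exe)?\s',                  # PowerShell host
    'wscript(\.exe)?\s', 'cscript(\.exe)?\s',                  # script host (the first stage was a .js in a ZIP)
    '-(enc|encodedcommand|e)\s', '-w(indowstyle)?\s+hidden',   # encoded / hidden window
    '-(ep|executionpolicy)\s+bypass', '-nop(rofile)?\b',
    '\.(ps1|js|vbs)\b',                                        # script files
    'iex\b|invoke-expression|downloadstring|invoke-webrequest|\birm\s',
    '\\appdata\\(local|roaming)\\|\\temp\\'                    # user-writable drop locations
)

function Test-SuspiciousAutorun {
    param([Parameter(Mandatory)][string]$Command)
    $hits   = @(foreach ($p in $Patterns) { if ($Command -imatch $p) { $p } })
    $runsPs = [bool]($hits | Where-Object { $_ -like 'powershell*' -or $_ -like 'pwsh*' })
    # A PowerShell host alone is weak evidence; host plus hidden/encoded/script-in-AppData is strong.
    $verdict = if ($runsPs -and $hits.Count -ge 3) { 'HIGH' }
               elseif ($runsPs -or $hits.Count -ge 2) { 'MEDIUM' }
               else { 'Clean' }
    [pscustomobject]@{ Verdict = $verdict; Hits = $hits.Count; Command = $Command }
}

function Get-AutorunCommands {
    # Live collector: HKLM/HKCU Run and RunOnce keys plus the per-user and all-users Startup folders.
    $keys = foreach ($hive in 'HKLM', 'HKCU') {
        foreach ($k in 'Run', 'RunOnce') { "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\$k" }
    }
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($prop in (Get-ItemProperty -Path $k).PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip provider metadata (PSPath, PSDrive, ...)
            [pscustomobject]@{ Source = $k; Name = $prop.Name; Command = [string]$prop.Value }
        }
    }
    foreach ($folder in 'Startup', 'CommonStartup') {
        $dir = [Environment]::GetFolderPath($folder)
        foreach ($f in (Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue)) {
            $cmd = switch ($f.Extension.ToLower()) {
                '.lnk' { $sc = (New-Object -ComObject WScript.Shell).CreateShortcut($f.FullName); "$($sc.TargetPath) $($sc.Arguments)" }
                { $_ -in '.ps1', '.bat', '.cmd', '.vbs', '.js' } { "$($f.FullName) " + (Get-Content -Path $f.FullName -Raw -ErrorAction SilentlyContinue) }
                default { $f.FullName }
            }
            [pscustomobject]@{ Source = $dir; Name = $f.Name; Command = $cmd }
        }
    }
}

# Constructed sample entries (not real PS1Bot artefacts) so the scoring can be seen offline.
$Sample = @(
    'C:\Program Files\Vendor\Updater.exe /background',
    'powershell.exe -w hidden -nop -ep bypass -File C:\Users\jdoe\AppData\Roaming\sync\update.ps1',
    'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA',
    'wscript.exe C:\Users\jdoe\AppData\Local\Temp\invoice.js'
)
$Sample | ForEach-Object { Test-SuspiciousAutorun -Command $_ } | Format-Table -AutoSize

# Against the live host, keeping the source location for each hit:
# Get-AutorunCommands |
#     ForEach-Object { Test-SuspiciousAutorun -Command $_.Command | Add-Member -NotePropertyName Source -NotePropertyValue $_.Source -PassThru } |
#     Where-Object Verdict -ne 'Clean' | Format-Table Verdict, Source, Command -AutoSize
```

    On the sample, the vendor updater scores Clean, the hidden `-ep bypass` launch of a script under AppData scores HIGH, the bare encoded command scores MEDIUM, and the wscript launch of a .js from Temp scores MEDIUM. Scheduled tasks and WMI event subscriptions are other places the same pattern can hide; the scorer takes any command string, so those sources can be fed to it as well.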

    The disclosure comes as Google said it’s leveraging artificial intelligence (AI) systems powered by large language models (LLMs) to fight invalid traffic (IVT) and more precisely identify ad placements generating invalid behaviors.

    “Our new applications provide faster and stronger protections by analyzing app and web content, ad placements and user interactions,” Google said. “For example, they’ve significantly improved our content review capabilities, leading to a 40% reduction in IVT stemming from deceptive or disruptive ad serving practices.”


    Source: thehackernews.com…

  • Zoom and Xerox Release Critical Security Updates Fixing Privilege Escalation and RCE Flaws


    Aug 13, 2025 | Ravie Lakshmanan | Vulnerability / Software Security

    Zoom and Xerox have addressed critical security flaws in Zoom Clients for Windows and FreeFlow Core that could allow privilege escalation and remote code execution.

    The vulnerability impacting Zoom Clients for Windows, tracked as CVE-2025-49457 (CVSS score: 9.6), relates to a case of an untrusted search path that could pave the way for privilege escalation.

    “Untrusted search path in certain Zoom Clients for Windows may allow an unauthenticated user to conduct an escalation of privilege via network access,” Zoom said in a security bulletin on Tuesday.

    The issue, reported by its own Offensive Security team, affects the following products –

    • Zoom Workplace for Windows before version 6.3.10
    • Zoom Workplace VDI for Windows before version 6.3.10 (except 6.1.16 and 6.2.12)
    • Zoom Rooms for Windows before version 6.3.10
    • Zoom Rooms Controller for Windows before version 6.3.10
    • Zoom Meeting SDK for Windows before version 6.3.10

    The disclosure comes as multiple vulnerabilities have been disclosed in Xerox FreeFlow Core, the most severe of which could result in remote code execution. The issues, which have been addressed in version 8.0.4, include –

    • CVE-2025-8355 (CVSS score: 7.5) – XML External Entity (XXE) injection vulnerability leading to server-side request forgery (SSRF)
    • CVE-2025-8356 (CVSS score: 9.8) – Path traversal vulnerability leading to remote code execution

    “These vulnerabilities are rudimentary to exploit and if exploited, could allow an attacker to execute arbitrary commands on the affected system, steal sensitive data, or attempt to move laterally into a given corporate environment to further their attack,” Horizon3.ai said.


    Source: thehackernews.com…

  • AI SOC 101: Key Capabilities Security Leaders Need to Know


    Aug 13, 2025 | The Hacker News | Artificial Intelligence / Threat Hunting

    Security operations have never been a 9-to-5 job. For SOC analysts, the day often starts and ends deep in a queue of alerts, chasing down what turns out to be false positives, or switching between half a dozen tools to piece together context. The work is repetitive, time-consuming, and high-stakes, leaving SOCs under constant pressure to keep up, yet often struggling to stay ahead of emerging threats. That combination of inefficiency, elevated risk, and a reactive operating model is exactly where AI-powered SOC capabilities are starting to make a difference.

    Why AI SOC is gaining traction now

    The recent Gartner Hype Cycle for Security Operations 2025 (download a complimentary copy) recognizes AI SOC Agents as an innovation trigger, reflecting a broader shift in how teams approach automation. Instead of relying solely on static playbooks or manual investigation workflows, AI SOC capabilities bring reasoning, adaptability, and context-aware decision-making into the mix.

    SOC teams report that their most pressing challenges are inefficient investigations, siloed tools, and a lack of effective automation. These issues slow response and increase risk. The latest SANS SOC Survey underscores this, showing these operational hurdles consistently outpace other concerns. AI-driven triage, investigation, and detection coverage analysis are well-positioned to address these gaps head-on.

    AI’s biggest wins in the SOC

    An AI SOC brings together a range of capabilities that strengthen and scale the core functions of a security operations center. These capabilities work alongside human expertise to improve how teams triage alerts, investigate threats, respond to incidents, and refine detections over time.

    Triage at speed and scale

    AI systems can review and prioritize every incoming alert within minutes, pulling telemetry from across the environment. True threats rise to the top quickly, while false positives are resolved without draining analyst time.

    Faster, deeper investigations and response

    By correlating data from SIEM, EDR, identity, email, and cloud platforms, AI SOC tools reduce mean time to investigate (MTTI) and mean time to respond (MTTR). This shortens dwell time and limits the opportunity for threats to spread.

    Detection engineering insights

    AI can pinpoint coverage gaps against frameworks such as MITRE ATT&CK, identify rules that need tuning, and recommend adjustments based on real investigation data. This gives detection engineers a clear view of where changes will make the most impact.

    Enabling more threat hunting

    With less time spent working alert queues, analysts can shift to proactive threat hunting. AI SOC platforms with natural language query support make it easier to explore data, run complex hunts, and surface hidden threats.

    Separating hype from reality

    The AI SOC market is filled with sweeping claims about fully autonomous SOCs and instant results. While AI can automate large portions of tier 1 and tier 2 investigations and even support tier 3 work, it is not a replacement for experienced analysts. Complex, high-impact cases still require human judgment, contextual understanding, and decision making.

    The real value lies in shifting the balance of work. By removing repetitive triage and speeding up investigations, AI frees analysts to focus on higher-impact activities like advanced threat hunting, tuning detections, and investigating sophisticated threats. This is the work that improves both security outcomes and analyst retention.

    Guiding principles for evaluating AI SOC capabilities

    When assessing AI SOC solutions, focus on principles that determine whether they can deliver sustainable improvements to security operations:

    • Transparency and explainability – The system should provide clear, detailed reasoning for its findings, allowing analysts to trace conclusions back to the underlying data and logic. This builds trust and enables informed decision making.
    • Data privacy and security – Understand exactly where data is processed and stored, how it is protected in transit and at rest, and whether the deployment model meets your compliance requirements.
    • Integration depth – The solution should integrate seamlessly with your existing SOC stack and workflows. This includes preserving the familiar user experience of tools like SIEM, EDR, and case management systems to avoid introducing friction.
    • Adaptability and learning – AI should improve over time by incorporating analyst feedback, adapting to changes in your environment, and staying effective against evolving threats.
    • Accuracy and trust – Evaluate not just the volume of work automated, but the precision and reliability of results. A tool that closes false positives at scale but misses real threats creates more risk than it solves.
    • Time to value – Favor solutions that deliver measurable gains in investigation speed, accuracy, or coverage within weeks rather than months, without heavy customization or lengthy deployments.

    The human and AI hybrid SOC

    The most effective SOCs combine the speed and scale of AI with the contextual understanding and judgment of human analysts. This model gives people the capacity to focus on the work that matters most.

    How Prophet Security aligns with this vision

    Prophet Security helps organizations move beyond manual investigations and alert fatigue with an agentic AI SOC platform that automates triage, accelerates investigations, and ensures every alert gets the attention it deserves. By integrating across the existing stack, Prophet AI improves analyst efficiency, reduces incident dwell time, and delivers more consistent security outcomes. Security leaders use Prophet AI to maximize the value of their people and tools, strengthen their security posture, and turn daily SOC operations into measurable business results. Visit Prophet Security to request a demo and see how Prophet AI can elevate your SOC operations.



    Source: thehackernews.com…

  • Fortinet Warns About FortiSIEM Vulnerability (CVE-2025-25256) With In-the-Wild Exploit Code


    Aug 13, 2025 | Ravie Lakshmanan | Vulnerability / Network Security


    Fortinet is alerting customers of a critical security flaw in FortiSIEM for which it said there exists an exploit in the wild.

    The vulnerability, tracked as CVE-2025-25256, carries a CVSS score of 9.8 out of a maximum of 10.0.

    “An improper neutralization of special elements used in an OS command (‘OS Command Injection’) vulnerability [CWE-78] in FortiSIEM may allow an unauthenticated attacker to execute unauthorized code or commands via crafted CLI requests,” the company said in a Tuesday advisory.

    The following versions are impacted by the flaw –

    • FortiSIEM 6.1, 6.2, 6.3, 6.4, 6.5, 6.6 (Migrate to a fixed release)
    • FortiSIEM 6.7.0 through 6.7.9 (Upgrade to 6.7.10 or above)
    • FortiSIEM 7.0.0 through 7.0.3 (Upgrade to 7.0.4 or above)
    • FortiSIEM 7.1.0 through 7.1.7 (Upgrade to 7.1.8 or above)
    • FortiSIEM 7.2.0 through 7.2.5 (Upgrade to 7.2.6 or above)
    • FortiSIEM 7.3.0 through 7.3.1 (Upgrade to 7.3.2 or above)
    • FortiSIEM 7.4 (Not affected)

    Fortinet acknowledged in its advisory that “practical exploit code for this vulnerability was found in the wild,” but did not share any additional specifics about the nature of the exploit or where it was found. It also noted that the exploit code does not appear to produce distinctive indicators of compromise (IoCs).

    As workarounds, the network security company is recommending that organizations limit access to the phMonitor port (7900).

    The disclosure comes a day after GreyNoise warned of a “significant spike” in brute-force traffic aimed at Fortinet SSL VPN devices, with dozens of IP addresses from the United States, Canada, Russia, and the Netherlands probing devices located across the world.


    Source: thehackernews.com…

  • Webinar: What the Next Wave of AI Cyberattacks Will Look Like — And How to Survive


    Aug 13, 2025 | The Hacker News | Artificial Intelligence / Identity Security

    The AI revolution isn’t coming. It’s already here. From copilots that write our emails to autonomous agents that can take action without us lifting a finger, AI is transforming how we work.

    But here’s the uncomfortable truth: Attackers are evolving just as fast.

    Every leap forward in AI gives bad actors new tools — deepfake scams so real they trick your CFO, bots that can bypass human review, and synthetic identities that slip quietly into your systems. The fight is no longer at your network’s edge. It’s at your login screen.

    And that’s why identity has become the last line of defense.

    Why This Matters Now

    Legacy security can’t keep up. Traditional models were built for slower threats and predictable patterns. AI doesn’t play by those rules.

    Today’s attackers:

    • Scale at machine speed.
    • Use deepfakes to impersonate trusted people.
    • Exploit APIs through autonomous agents.
    • Create fake “non-human” identities that look perfectly legitimate.

    The only security control that can adapt and scale as fast as AI? Identity. If you can’t verify who — or what — is accessing your systems, you’ve already lost.

    The Webinar That Connects the Dots

    In AI’s New Attack Surface: Why Identity Is the Last Line of Defense, Okta’s Karl Henrik Smith will show you:

    • Where AI is creating hidden vulnerabilities — and how to find them before attackers do.
    • How “synthetic identities” work (and why they’re scarier than you think).
    • The blueprint for an “identity security fabric” that protects humans and non-human actors.
    • How to build secure-by-design AI apps without slowing innovation.

    Whether you’re a developer, security architect, or tech leader, you’ll leave with a clear, practical plan for staying ahead of AI-powered threats.

    Watch this Webinar Now

    The next wave of cyberattacks won’t be about if someone can get past your defenses — it’ll be about how fast they can.

    Put identity where it belongs: at the center of your security strategy. Reserve your spot now



    Source: thehackernews.com…

  • Microsoft August 2025 Patch Tuesday Fixes Kerberos Zero-Day Among 111 Total New Flaws



    Microsoft on Tuesday rolled out fixes for a massive set of 111 security flaws across its software portfolio, including one flaw that has been disclosed as publicly known at the time of the release.

    Of the 111 vulnerabilities, 16 are rated Critical, 92 are rated Important, two are rated Moderate, and one is rated Low in severity. Forty-four of the vulnerabilities relate to privilege escalation, followed by remote code execution (35), information disclosure (18), spoofing (8), and denial-of-service (4) defects.

    This is in addition to 16 vulnerabilities addressed in Microsoft’s Chromium-based Edge browser since the release of last month’s Patch Tuesday update, including two spoofing bugs affecting Edge for Android.

    Included among the vulnerabilities is a privilege escalation vulnerability impacting Microsoft Exchange Server hybrid deployments (CVE-2025-53786, CVSS score: 8.0) that Microsoft disclosed last week.

    The publicly disclosed zero-day is CVE-2025-53779 (CVSS score: 7.2), another privilege escalation flaw in Windows Kerberos that stems from a case of relative path traversal. Akamai researcher Yuval Gordon has been credited with discovering and reporting the bug.

    It’s worth mentioning here that the issue was publicly detailed back in May 2025 by Akamai, which gave it the codename BadSuccessor. The novel technique essentially allows a threat actor with sufficient privileges to compromise an Active Directory (AD) domain by misusing delegated Managed Service Account (dMSA) objects.

    “The good news here is that successful exploitation of CVE-2025-53779 requires an attacker to have pre-existing control of two attributes of the hopefully well protected dMSA: msds-groupMSAMembership, which determines which users may use credentials for the managed service account, and msds-ManagedAccountPrecededByLink, which contains a list of users on whose behalf the dMSA can act,” Adam Barnett, lead software engineer at Rapid7, told The Hacker News.

    “However, abuse of CVE-2025-53779 is certainly plausible as the final link of a multi-exploit chain which stretches from no access to total pwnage.”

    Action1’s Mike Walters noted that the path traversal flaw can be abused by an attacker to create improper delegation relationships, enabling them to impersonate privileged accounts, escalate to a domain administrator, and potentially gain full control of the Active Directory domain.

    “An attacker who already has a compromised privileged account can use it to move from limited administrative rights to full domain control,” Walters added. “It can also be paired with methods such as Kerberoasting or Silver Ticket attacks to maintain persistence.”

    “With domain administrator privileges, attackers can disable security monitoring, modify Group Policy, and tamper with audit logs to hide their activity. In multi-forest environments or organizations with partner connections, this flaw could even be leveraged to move from one compromised domain to others in a supply chain attack.”

    Satnam Narang, senior staff research engineer at Tenable, said the immediate impact of BadSuccessor is limited, as only 0.7% of Active Directory domains had met the prerequisite at the time of disclosure. “To exploit BadSuccessor, an attacker must have at least one domain controller in a domain running Windows Server 2025 in order to achieve domain compromise,” Narang pointed out.
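    The quotes above reduce the risk to two dMSA attributes, msDS-ManagedAccountPrecededByLink and msDS-GroupMSAMembership, so a useful defender-side control is to alert on any write to them. The following is an added example, not code from the article, Akamai, Rapid7 or Microsoft. It audits records shaped like Windows Security Event ID 5136 ("A directory service object was modified"); the sample events, the expected provisioning account `svc-prov` and the privileged DN list are all constructed for the example.

```python
"""Audit Event ID 5136 records for writes to the two dMSA attributes that the
BadSuccessor (CVE-2025-53779) discussion identifies as the ones an attacker
must control.

Added example; not code from the article, Akamai or Microsoft. The events
below are constructed in the shape of Event ID 5136 fields, not real log data.
"""
from __future__ import annotations

# The two attributes the article says an attacker must control to abuse a dMSA.
WATCHED_ATTRIBUTES = {
    "msds-managedaccountprecededbylink",  # accounts the dMSA may act on behalf of
    "msds-groupmsamembership",            # principals allowed to use the dMSA credential
}

# Event 5136 reports the operation as a resource-string id.
OPERATION_NAMES = {"%%14674": "value added", "%%14675": "value deleted"}

# Assumed (constructed) environment knowledge: the account expected to write
# these attributes, and DNs whose linkage would be most severe.
EXPECTED_WRITERS = ("svc-prov",)
PRIVILEGED_DNS = ("CN=Administrator,CN=Users,DC=corp,DC=example",)

DMSA_OU = "CN=Managed Service Accounts,DC=corp,DC=example"

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 5136, "SubjectUserName": "svc-prov", "ObjectDN": f"CN=app01,{DMSA_OU}",
     "ObjectClass": "msDS-DelegatedManagedServiceAccount",
     "AttributeLDAPDisplayName": "description", "AttributeValue": "build agent",
     "OperationType": "%%14674"},
    {"EventID": 5136, "SubjectUserName": "svc-prov", "ObjectDN": f"CN=app01,{DMSA_OU}",
     "ObjectClass": "msDS-DelegatedManagedServiceAccount",
     "AttributeLDAPDisplayName": "msDS-ManagedAccountPrecededByLink",
     "AttributeValue": "CN=svc-legacy,CN=Users,DC=corp,DC=example",
     "OperationType": "%%14674"},
    {"EventID": 5136, "SubjectUserName": "jdoe", "ObjectDN": f"CN=app02,{DMSA_OU}",
     "ObjectClass": "msDS-DelegatedManagedServiceAccount",
     "AttributeLDAPDisplayName": "msDS-ManagedAccountPrecededByLink",
     "AttributeValue": "CN=Administrator,CN=Users,DC=corp,DC=example",
     "OperationType": "%%14674"},
    {"EventID": 5136, "SubjectUserName": "jdoe", "ObjectDN": f"CN=app02,{DMSA_OU}",
     "ObjectClass": "msDS-DelegatedManagedServiceAccount",
     "AttributeLDAPDisplayName": "msDS-GroupMSAMembership",
     "AttributeValue": "<security descriptor>", "OperationType": "%%14674"},
    # A different event id is ignored by the analysis.
    {"EventID": 4662, "SubjectUserName": "jdoe", "ObjectDN": "CN=jdoe,CN=Users,DC=corp,DC=example",
     "ObjectClass": "user", "AttributeLDAPDisplayName": "", "AttributeValue": "",
     "OperationType": ""},
]


def analyze_events(events, expected_writers=EXPECTED_WRITERS, privileged_dns=PRIVILEGED_DNS):
    """Return one finding per Event 5136 record that writes a watched dMSA attribute."""
    expected = {w.lower() for w in expected_writers}
    privileged = {d.lower() for d in privileged_dns}
    findings = []
    for ev in events:
        if ev.get("EventID") != 5136:
            continue
        attr = ev.get("AttributeLDAPDisplayName", "")
        if attr.lower() not in WATCHED_ATTRIBUTES:
            continue
        op = OPERATION_NAMES.get(ev.get("OperationType", ""), "unknown operation")
        reasons = [f"{op} on {attr}"]
        severity = "medium"  # every write to these attributes deserves review
        writer = ev.get("SubjectUserName", "")
        if writer.lower() not in expected:
            reasons.append(f"writer {writer!r} is not an expected provisioning account")
            severity = "high"
        if (attr.lower() == "msds-managedaccountprecededbylink"
                and ev.get("AttributeValue", "").lower() in privileged):
            reasons.append("link target is a privileged account")
            severity = "critical"
        findings.append({"severity": severity, "object": ev.get("ObjectDN"),
                         "writer": writer, "reasons": reasons})
    return findings


def run_sample():
    """Analyse the constructed events; returns three findings (medium, critical, high)."""
    return analyze_events(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f["severity"].upper(), f["object"], "|", "; ".join(f["reasons"]))
```

    Writes by the provisioning account to non-privileged targets still surface as medium findings on purpose: the attribute itself is the thing to watch, and the writer and target only adjust priority. Auditing of Event 5136 must be enabled on the domain controllers (Directory Service Changes audit subcategory and a SACL on the managed service account container) before any of these records exist.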

    Some of the notable Critical-rated vulnerabilities patched by Redmond this month are listed below –

    • CVE-2025-53767 (CVSS score: 10.0) – Azure OpenAI Elevation of Privilege Vulnerability
    • CVE-2025-53766 (CVSS score: 9.8) – GDI+ Remote Code Execution Vulnerability
    • CVE-2025-50165 (CVSS score: 9.8) – Windows Graphics Component Remote Code Execution Vulnerability
    • CVE-2025-53792 (CVSS score: 9.1) – Azure Portal Elevation of Privilege Vulnerability
    • CVE-2025-53787 (CVSS score: 8.2) – Microsoft 365 Copilot BizChat Information Disclosure Vulnerability
    • CVE-2025-50177 (CVSS score: 8.1) – Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability
    • CVE-2025-50176 (CVSS score: 7.8) – DirectX Graphics Kernel Remote Code Execution Vulnerability

    Microsoft noted that the three cloud service CVEs impacting Azure OpenAI, Azure Portal, and Microsoft 365 Copilot BizChat have already been remediated, and that they require no customer action.

    Check Point, which disclosed CVE-2025-53766 alongside CVE-2025-30388, said the vulnerabilities allow attackers to execute arbitrary code on the affected system, leading to a full system compromise.

    “The attack vector involves interacting with a specially crafted file. When a user opens or processes this file, the vulnerability is triggered, allowing the attacker to take control,” the cybersecurity company said.

    The Israeli firm revealed that it also uncovered a vulnerability in a Rust-based component of the Windows kernel that can result in a system crash that, in turn, triggers a hard reboot.

    “For organizations with large or remote workforces, the risk is significant: attackers could exploit this flaw to simultaneously crash numerous computers across an enterprise, resulting in widespread disruption and costly downtime,” Check Point said. “This discovery highlights that even with advanced security technologies like Rust, continuous vigilance and proactive patching are essential to maintaining system integrity in a complex software environment.”

    Another vulnerability of importance is CVE-2025-50154 (CVSS score: 6.5), an NTLM hash disclosure spoofing vulnerability that’s actually a bypass for a similar bug (CVE-2025-24054, CVSS score: 6.5) that was plugged by Microsoft in March 2025.

    “The original vulnerability demonstrated how specially crafted requests could trigger NTLM authentication and expose sensitive credentials,” Cymulate researcher Ruben Enkaoua said. “This new vulnerability […] allows an attacker to extract NTLM hashes without any user interaction, even on fully patched systems. By exploiting a subtle gap left in the mitigation, an attacker can trigger NTLM authentication requests automatically, enabling offline cracking or relay attacks to gain unauthorized access.”


    Source: thehackernews.com…

  • Charon Ransomware Hits Middle East Sectors Using APT-Level Evasion Tactics

    Aug 13, 2025 | Ravie Lakshmanan | Endpoint Security / Cybercrime

    Cybersecurity researchers have discovered a new campaign that employs a previously undocumented ransomware family called Charon to target the Middle East’s public sector and aviation industry.

    The threat actor behind the activity, according to Trend Micro, exhibited tactics mirroring those of advanced persistent threat (APT) groups, such as DLL side-loading, process injection, and the ability to evade endpoint detection and response (EDR) software.

    The DLL side-loading techniques resemble those previously documented as part of attacks orchestrated by a China-linked hacking group called Earth Baxia, which was flagged by the cybersecurity company as targeting government entities in Taiwan and the Asia-Pacific region to deliver a backdoor known as EAGLEDOOR following the exploitation of a now-patched security flaw affecting OSGeo GeoServer GeoTools.

    “The attack chain leveraged a legitimate browser-related file, Edge.exe (originally named cookie_exporter.exe), to sideload a malicious msedge.dll (SWORDLDR), which subsequently deployed the Charon ransomware payload,” researchers Jacob Santos, Ted Lee, Ahmed Kamal, and Don Ovid Ladore said.

    Like other ransomware binaries, Charon is capable of disruptive actions that terminate security-related services and running processes, as well as delete shadow copies and backups, thereby minimizing the chances of recovery. It also employs multithreading and partial encryption techniques to make the file-locking routine faster and more efficient.

    Another notable aspect of the ransomware is the use of a driver compiled from the open-source Dark-Kill project to disable EDR solutions by means of what’s called a bring your own vulnerable driver (BYOVD) attack. However, this functionality is never triggered during the execution, suggesting that the feature is likely under development.

    There is evidence to suggest that the campaign was targeted rather than opportunistic. This stems from the use of a customized ransom note that specifically calls out the victim organization by name, a tactic not observed in traditional ransomware attacks. It’s currently not known how the initial access was obtained.
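    The attack chain above has a recognisable telemetry shape: a renamed executable (Edge.exe whose original file name is cookie_exporter.exe) loading a DLL with a vendor-looking name from its own, untrusted directory. The following is an added example, not code from the article or Trend Micro, that scores image-load records for that pattern. It assumes records in the shape of Sysmon "Image loaded" (Event ID 7) fields with the process's OriginalFileName joined in from the matching process-creation event; the sample records and the staging path under `C:\Users\Public\Stage` are constructed.

```python
"""Score image-load records for the DLL side-loading pattern described in the
Charon write-up: a renamed host executable loading a same-directory DLL that
carries a vendor name but no valid signature.

Added example; not code from the article or Trend Micro. Records are
constructed in the shape of Sysmon Event ID 7 fields, with the process's
OriginalFileName assumed to have been joined in from Event ID 1 by ProcessGuid.
"""
from __future__ import annotations
from pathlib import PureWindowsPath

# Directories from which a signed vendor DLL is normally expected to load.
TRUSTED_DIR_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Constructed sample records (not real telemetry).
SAMPLE_LOADS = [
    {"Image": r"C:\Windows\System32\notepad.exe", "ProcessOriginalFileName": "NOTEPAD.EXE",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll", "Signed": True, "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
     "ProcessOriginalFileName": "msedge.exe",
     "ImageLoaded": r"C:\Program Files\Microsoft\Edge\Application\msedge.dll",
     "Signed": True, "SignatureStatus": "Valid"},
    # The article's chain: Edge.exe built as cookie_exporter.exe, side-loading msedge.dll.
    {"Image": r"C:\Users\Public\Stage\Edge.exe", "ProcessOriginalFileName": "cookie_exporter.exe",
     "ImageLoaded": r"C:\Users\Public\Stage\msedge.dll", "Signed": False, "SignatureStatus": "Unavailable"},
    # A user-installed tool with an unsigned helper: two indicators, worth a look but weaker.
    {"Image": r"C:\Users\alice\AppData\Local\Tool\tool.exe", "ProcessOriginalFileName": "tool.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Tool\helper.dll", "Signed": False,
     "SignatureStatus": "Unavailable"},
]


def evaluate(rec: dict) -> list[str]:
    """Return the side-loading indicators present in one image-load record."""
    reasons = []
    image = PureWindowsPath(rec["Image"])
    loaded = PureWindowsPath(rec["ImageLoaded"])
    original = rec.get("ProcessOriginalFileName", "")

    # 1. The host binary was renamed (PE OriginalFileName differs from the on-disk name).
    if original and original.lower() != image.name.lower():
        reasons.append(f"process {image.name} renamed from {original}")

    # 2. The DLL comes from the process's own directory, outside trusted install locations.
    loaded_dir = str(loaded.parent).lower() + "\\"
    same_dir = image.parent == loaded.parent  # PureWindowsPath compares case-insensitively
    if same_dir and not loaded_dir.startswith(TRUSTED_DIR_PREFIXES):
        reasons.append(f"{loaded.name} loaded from untrusted process directory {loaded.parent}")

    # 3. The DLL is unsigned or its signature did not validate.
    if not rec.get("Signed", False) or rec.get("SignatureStatus", "").lower() != "valid":
        reasons.append(f"{loaded.name} is unsigned or has an invalid signature")
    return reasons


def scan(records, threshold: int = 2) -> list[dict]:
    """Return records with at least `threshold` indicators, strongest first in input order."""
    flagged = []
    for rec in records:
        indicators = evaluate(rec)
        if len(indicators) >= threshold:
            flagged.append({"process": PureWindowsPath(rec["Image"]).name,
                            "dll": PureWindowsPath(rec["ImageLoaded"]).name,
                            "indicators": indicators})
    return flagged


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOADS):
        print(f"{hit['process']} -> {hit['dll']}: " + "; ".join(hit["indicators"]))
```

    The threshold of two indicators is a tuning choice: the renamed-binary check on its own is the highest-value signal here, so an environment with few self-updating user tools may prefer to alert on it alone and keep the signature and directory checks as context.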

    Despite the technical overlaps with Earth Baxia, Trend Micro has emphasized that this could mean one of three things –

    • Direct involvement of Earth Baxia
    • A false flag operation designed to deliberately imitate Earth Baxia’s tradecraft, or
    • A new threat actor that has independently developed similar tactics

    “Without corroborating evidence such as shared infrastructure or consistent targeting patterns, we assess this attack demonstrates limited but notable technical convergence with known Earth Baxia operations,” Trend Micro pointed out.

    Regardless of the attribution, the findings exemplify the ongoing trend of ransomware operators increasingly adopting sophisticated methods for malware deployment and defense evasion, further blurring the lines between cybercrime and nation-state activity.

    “This convergence of APT tactics with ransomware operations poses an elevated risk to organizations, combining sophisticated evasion techniques with the immediate business impact of ransomware encryption,” the researchers concluded.

    The disclosure comes as eSentire detailed an Interlock ransomware campaign that leveraged ClickFix lures to drop a PHP-based backdoor that, in turn, deploys NodeSnake (aka Interlock RAT) for credential theft and a C-based implant that supports attacker-supplied commands for further reconnaissance and ransomware deployment.

    “Interlock Group employs a complex multi-stage process involving PowerShell scripts, PHP/NodeJS/C backdoors, highlighting the importance of monitoring suspicious process activity, LOLBins, and other TTPs,” the Canadian company said.

    The findings show that ransomware continues to be an evolving threat, even as victims continue to pay ransoms to quickly recover access to systems. Cybercriminals, on the other hand, have begun resorting to physical threats and DDoS attacks as a way of putting pressure on victims.

    Statistics shared by Barracuda show that 57% of organizations experienced a successful ransomware attack in the last 12 months, and that 71% of those that had experienced an email breach were also hit with ransomware. What’s more, 32% paid a ransom, but only 41% of the victims got all their data back.


    Source: thehackernews.com…