Tag: Cyber Threats

Aug 12, 2025Ravie LakshmananMalware / Container Security

New research has uncovered Docker images on Docker Hub that contain the infamous XZ Utils backdoor, more than a year after the discovery of the incident.

More troubling is the fact that other images have been built on top of these infected base images, effectively propagating the infection further in a transitive manner, Binarly REsearch said in a report shared with The Hacker News.

The firmware security company said it discovered a total of 35 images that ship with the backdoor. The incident once again highlights the risks faced by the software supply chain.

The XZ Utils supply chain event (CVE-2024-3094, CVSS score: 10.0) came to light in late March 2024, when Andres Freund sounded the alarm on a backdoor embedded within XZ Utils versions 5.6.0 and 5.6.1.

Further analysis of the malicious code and the broader compromise led to several startling discoveries, the first and foremost being that the backdoor could lead to unauthorized remote access and enable the execution of arbitrary payloads through SSH.

Specifically, the backdoor — placed in the liblzma.so library and used by the OpenSSH server — was designed such that it triggered when a client interacts with the infected SSH server.

By hijacking the RSA_public_decrypt function using the glibc’s IFUNC mechanism, the malicious code allowed an attacker possessing a specific private key to bypass authentication and execute root commands remotely,” Binarly explained.

The second finding was that the changes were pushed by a developer named “Jia Tan” (JiaT75), who spent almost two years contributing to the open-source project to build trust until they were given maintainer responsibilities, signaling the meticulous nature of the attack.

“This is clearly a very complex state-sponsored operation with impressive sophistication and multi-year planning,” Binary noted at the time. “Such a complex and professionally designed comprehensive implantation framework is not developed for a one-shot operation.”

The latest research from the company shows that the impact of the incident continues to send aftershocks through the open-source ecosystem even after all these months.

This includes the discovery of 12 Debian Docker images that contain one of the XZ Utils backdoor, and another set of second-order images that include the compromised Debian images.

Binarly said it reported the base images to the Debian maintainers, who said they have “made an intentional choice to leave these artifacts available as a historical curiosity, especially given the following extremely unlikely (in containers/container image use cases) factors required for exploitation.”

However, the company pointed out that leaving publicly available Docker images that contain a potential network-reachable backdoor carries a significant security risk, despite the criteria required for successful exploitation – the need for network access to the infected device with the SSH service running.

“The xz-utils backdoor incident demonstrates that even short-lived malicious code can remain unnoticed in official container images for a long time, and that can propagate in the Docker ecosystem,” it added.

“The delay underscores how these artifacts may silently persist and propagate through CI pipelines and container ecosystems, reinforcing the critical need for continuous binary-level monitoring beyond simple version tracking.”

Aug 12, 2025Ravie LakshmananThreat Intelligence / Enterprise Security

Cybersecurity researchers are warning of a “significant spike” in brute-force traffic aimed at Fortinet SSL VPN devices.

The coordinated activity, per threat intelligence firm GreyNoise, was observed on August 3, 2025, with over 780 unique IP addresses participating in the effort.

As many as 56 unique IP addresses have been detected over the past 24 hours. All the IP addresses have been classified as malicious, with the IPs originating from the United States, Canada, Russia, and the Netherlands. Targets of the brute-force activity include the United States, Hong Kong, Brazil, Spain, and Japan.

“Critically, the observed traffic was also targeting our FortiOS profile, suggesting deliberate and precise targeting of Fortinet’s SSL VPNs,” GreyNoise said. “This was not opportunistic — it was focused activity.”

The company also pointed out that it identified two distinct assault waves spotted before and after August 5: One, a long-running, brute-force activity tied to a single TCP signature that remained relatively steady over time, and Two, which involved a sudden and concentrated burst of traffic with a different TCP signature.

“While the August 3 traffic has targeted the FortiOS profile, traffic fingerprinted with TCP and client signatures – a meta signature – from August 5 onward was not hitting FortiOS,” the company noted. “Instead, it was consistently targeting our FortiManager.”

“This indicated a shift in attacker behavior – potentially the same infrastructure or toolset pivoting to a new Fortinet-facing service.”

On top of that, a deeper examination of the historical data associated with the post-August 5 TCP fingerprint has uncovered an earlier spike in June featuring a unique client signature that resolved to a FortiGate device in a residential ISP block managed by Pilot Fiber Inc.

This has raised the possibility that the brute-force tooling was either initially tested or launched from a home network. An alternative hypothesis is the use of a residential proxy.

The development comes against the backdrop of findings that spikes in malicious activity are often followed by the disclosure of a new CVE affecting the same technology within six weeks.

“These patterns were exclusive to enterprise edge technologies like VPNs, firewalls, and remote access tools – the same kinds of systems increasingly targeted by advanced threat actors,” the company noted in its Early Warning Signals report published late last month.

The Hacker News has reached out to Fortinet for further comment, and we will update if we hear back.

Aug 12, 2025Ravie LakshmananCybercrime / Financial Security

An ongoing data extortion campaign targeting Salesforce customers may soon turn its attention to financial services and technology service providers, as ShinyHunters and Scattered Spider appear to be working hand in hand, new findings show.

“This latest wave of ShinyHunters-attributed attacks reveals a dramatic shift in tactics, moving beyond the group’s previous credential theft and database exploitation,” ReliaQuest said in a report shared with The Hacker News.

These include the use of adoption of tactics that mirror those of Scattered Spider, such as highly-targeted vishing (aka voice phishing) and social engineering attacks, leveraging apps that masquerade as legitimate tools, employing Okta-themed phishing pages to trick victims into entering credentials during vishing, and VPN obfuscation for data exfiltration.

ShinyHunters, which first emerged in 2020, is a financially motivated threat group that has orchestrated a series of data breaches targeting major corporations and monetizing them on cybercrime forums like RaidForums and BreachForums. Interestingly, the ShinyHunters persona has been a key participant in these platforms both as a contributor and administrator.

“The ShinyHunters persona partnered with Baphomet to relaunch the second instance of BreachForums (v2) in June 2023 and later launched the June 2025 instance (v4) alone,” Sophos noted in a recent report. “The interim version (v3) abruptly disappeared in April 2025, and the cause is unclear.”

While the relaunch of the forum was short-lived and the bulletin board went offline around June 9, the threat actor has since been linked to attacks targeting Salesforce instances globally, a cluster of extortion-related activity that Google is tracking under the moniker UNC6240.

Coinciding with these developments was the arrest of four individuals suspected of running BreachForums, including ShinyHunters, by French law enforcement authorities. However, the threat actor told DataBreaches.Net that “France rushed to make FALSE, INACCURATE arrests,” raising the possibility that an “associate” member may have been caught.

And that’s not all. On August 8, a new Telegram channel conflating ShinyHunters, Scattered Spider, and LAPSUS$ called “scattered lapsu$ hunters” emerged, with the channel members also claiming to be developing a ransomware-as-a-service solution called ShinySp1d3r that they said will rival LockBit and DragonForce. Three days later, the channel disappeared.

Both Scattered Spider and LAPSUS$ have ties to a broader, nebulous collective dubbed The Com, a notorious network of experienced English-speaking cybercriminals that’s known to engage in a wide range of malicious activities, including SIM swapping, extortion, and physical crime.

ReliaQuest said it has identified a coordinated set of ticket-themed phishing domains and Salesforce credential harvesting pages that are likely created for similar campaigns targeting Salesforce that are aimed at high-profile companies across various industry verticals.

These domains, the company said, were registered using infrastructure typically associated with phishing kits commonly used to host single sign-on (SSO) login pages — a hallmark of Scattered Spider’s attacks impersonating Okta sign-in pages.

Furthermore, an analysis of over 700 domains registered in 2025 that matched Scattered Spider phishing patterns has revealed that domain registrations targeting financial companies have increased by 12% since July 2025, while targeting of technology firms has decreased by 5%, suggesting that banks, insurance companies and financial services could be next in line.

The tactical overlaps aside, that the two groups may be collaborating is borne out by the fact that they have targeted the same sectors (i.e., retail, insurance, and aviation) around the same time.

“Supporting this theory is evidence such as the appearance of a BreachForums’ user with the alias ‘Sp1d3rHunters,’ who was linked to a past ShinyHunters breach, as well as overlapping domain registration patterns,” researchers Kimberley Bromley and Ivan Righi said, adding the account was created in May 2024.

“If these connections are legitimate, they suggest that collaboration or overlap between ShinyHunters and Scattered Spider may have been ongoing for more than a year. The synchronized timing and similar targeting of these previous attacks strongly support the likelihood of coordinated efforts between the two groups.”

Aug 12, 2025Ravie LakshmananCyber Espionage / Windows Security

A previously undocumented threat actor dubbed Curly COMrades has been observed targeting entities in Georgia and Moldova as part of a cyber espionage campaign designed to facilitate long-term access to target networks.

“They repeatedly tried to extract the NTDS database from domain controllers — the primary repository for user password hashes and authentication data in a Windows network,” Bitdefender said in a report shared with The Hacker News. “Additionally, they attempted to dump LSASS memory from specific systems to recover active user credentials, potentially plain-text passwords, from machines where users were logged on.”

The activity, tracked by the Romanian cybersecurity company since mid-2024, has singled out judicial and government bodies in Georgia, as well as an energy distribution company in Moldova.

Curly COMrades are assessed to be operating with goals that are aligned with Russia’s geopolitical strategy. It gets its name from the heavy reliance on the curl utility for command-and-control (C2) and data transfer, and the hijacking of the component object model (COM) objects.

The end goal of the attacks is to enable long-term access to carry out reconnaissance and credential theft, and leverage that information to burrow deeper into the network, collect data using custom tools, and exfiltrate to attacker-controlled infrastructure.

“The overall behavior indicates a methodical approach in which the attackers combined standard attack techniques with tailored implementations to blend into legitimate system activity,” the company pointed out. “Their operations were characterized by repeated trial-and-error, use of redundant methods, and incremental setup steps – all aimed at maintaining a resilient and low-noise foothold across multiple systems.”

A notable aspect of the attacks is the use of legitimate tools like Resocks, SSH, and Stunnel to create multiple conduits into internal networks and remotely execute commands using the stolen credentials. Another proxy tool deployed besides Resocks is SOCKS5. The exact initial access vector employed by the threat actor is currently not known.

Persistent access to the infected endpoints is accomplished by means of a bespoke backdoor called MucorAgent, which hijacks class identifiers (CLSIDs) – globally unique identifiers that identify a COM class object – to target Native Image Generator (Ngen), an ahead-of-time compilation service that’s part of the .NET Framework.

“Ngen, a default Windows .NET Framework component that pre-compiles assemblies, provides a mechanism for persistence via a disabled scheduled task,” Bitdefender noted. “This task appears inactive, yet the operating system occasionally enables and executes it at unpredictable intervals (such as during system idle times or new application deployments), making it a great mechanism for restoring access covertly.”

Abusing the CLSID linked to Ngen underscores the adversary’s technical prowess, while granting them the ability to execute malicious commands under the highly privileged SYSTEM account. It’s suspected that there likely exists a more reliable mechanism for executing the specific task given the overall unpredictability associated with Ngen.

A modular .NET implant, MucorAgent is launched via a three-stage process and is capable of executing an encrypted PowerShell script and uploading the output to a designated server. Bitdefender said it did not recover any other PowerShell payloads.

“The design of the MucorAgent suggests that it was likely intended to function as a backdoor capable of executing payloads on a periodic basis,” the company explained. “Each encrypted payload is deleted after being loaded into memory, and no additional mechanism for regularly delivering new payloads was identified.”

Also weaponized by Curly COMrades are legitimate-but-compromised websites for use as relays during C2 communications and data exfiltration in a bid to fly under the radar by blending malicious traffic with normal network activity. Some of the other tools observed in the attacks are listed below –

• CurlCat, which is used to facilitate bidirectional data transfer between standard input and output streams (STDIN and STDOUT) and C2 server over HTTPS by routing the traffic through a compromised site
• RuRat, a legitimate Remote Monitoring and Management (RMM) program for persistent access
• Mimikatz, which is used to extract credentials from memory
• Various built-in commands like netstat, tasklist, systeminfo, ipconfig, and ping to conduct discovery
• Powershell scripts that use curl to exfiltrate stolen data (e.g., credentials, domain information, and internal application data)

“The campaign analyzed revealed a highly persistent and adaptable threat actor employing a wide range of known and customized techniques to establish and maintain long-term access within targeted environments,” Bitdefender said.

“The attackers relied heavily on publicly available tools, open-source projects, and LOLBins, showing a preference for stealth, flexibility, and minimal detection rather than exploiting novel vulnerabilities.”

Aug 12, 2025The Hacker NewsBrowser Security / Zero Trust

Most security tools can’t see what happens inside the browser, but that’s where the majority of work, and risk, now lives. Security leaders deciding how to close that gap often face a choice: deploy a dedicated Enterprise Browser or add an enterprise-grade control layer to the browsers employees already use and trust.

The Ultimate Battle: Enterprise Browsers vs. Enterprise Browser Extensions examines this choice across nine “rounds”: adoption, data protection, BYOD, productivity, management overhead, remote access, Zero Trust alignment, supply-chain security, and future-readiness, to show where each approach excels, and where trade-offs emerge.

Each round uses practical, enterprise scenarios to compare the two models, making it easier to see not just what they can do, but how they perform at scale.

The Browser Is Now the Workspace

The browser has become the primary workspace for enterprise users. It is where sensitive data is created, accessed, and moved through copy/paste actions, form submissions, uploads, downloads, and increasingly through GenAI prompts.

Default-browser habits are deeply ingrained. Forcing a switch can slow adoption, especially in hybrid environments where unmanaged devices and contractors play a role.

Extension ecosystems are both valuable and risky. They expand functionality but also widen the potential attack surface. The guide makes clear that neither Enterprise Browsers nor Enterprise Browser Extensions replace the rest of the security stack, instead, each addresses the in-session gap in a different way. One of the clearest examples of that gap is how GenAI usage plays out in the browser.

GenAI: The Use Case That Tests Both Models

Enterprise adoption of GenAI tools has introduced high-impact, in-session risks for browser security:

• Proprietary code, business plans, and sensitive records can be pasted into prompts with no audit trail.
• Identity context matters, controls must distinguish work from personal accounts in real time.
• Coverage must extend to unmanaged devices, third parties, and temporary access users.
• Extension governance must balance productivity with the ability to detect and restrict risky behavior.

The guide uses scenarios like these to stress-test both approaches in multiple rounds, revealing where coverage, control depth, and operational overhead diverge.

Enterprise Browser vs. Secure Browser Extension: Side-by-Side Comparison in Nine Rounds

The Ultimate Battle organizes the comparison into nine operationally relevant rounds. Rather than listing features, it tests how each model responds to real conditions, from enabling BYOD access without weakening data-in-use controls to managing risky extensions without disrupting workflows.

Where the differences show most clearly:

Coverage

• Enterprise Browser: Strong control inside its own environment, but adoption depends on users switching defaults and keeping sensitive activity within the EB.
• Secure Browser Extension: Runs in mainstream browsers (Chrome/Edge) to cover managed, unmanaged, and contractor devices without changing the user’s primary workflow.

Control & Enforcement

• Enterprise Browser: Deep guardrails within the EB, including session isolation and strict separation of work and personal contexts.
• Enterprise Browser Extension: DOM-level visibility to apply warnings, redactions, or blocks on copy/paste, form fills, uploads, downloads, and GenAI prompts; policies can be identity-bound to differentiate corporate and personal activity.

Integration & Operations

• Enterprise Browser: Integrates cleanly while usage stays inside the EB, but requires parallel browser management and related support.
• Enterprise Browser Extension: Streams browser-layer telemetry to SIEM/XDR, influences IAM/ZTNA decisions, and updates centrally without retraining users on a new browser.

Making the Enterprise Browser vs. Secure Browser Extension Decision

The guide is designed to help security teams turn abstract pros and cons into a decision that fits their environment and risk profile. The choice between an Enterprise Browser and an Enterprise Browser Extension is not purely technical, it’s about balancing depth of control with breadth of coverage, while factoring in adoption patterns and long-term manageability.

The comparison document presents these trade-offs in a structured, scenario-driven format, enabling teams to map them to their own environments and make an informed call. Download the full comparison to see how each approach performs where it matters most for your organization.

Aug 12, 2025Ravie LakshmananVulnerability / Threat Intelligence

The Dutch National Cyber Security Centre (NCSC-NL) has warned of cyber attacks exploiting a recently disclosed critical security flaw impacting Citrix NetScaler ADC products to breach organizations in the country.

The NCSC-NL said it discovered the exploitation of CVE-2025-6543 targeting several critical organizations within the Netherlands, and that investigations are ongoing to determine the extent of the impact.

CVE-2025-6543 (CVSS score: 9.2) is a critical security vulnerability in NetScaler ADC that results in unintended control flow and denial-of-service (DoS) when the devices are configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server.

The vulnerability was first disclosed in late June 2025, with patches released in the following versions –

• NetScaler ADC and NetScaler Gateway 14.1 prior to 14.1-47.46
• NetScaler ADC and NetScaler Gateway 13.1 prior to 13.1-59.19
• NetScaler ADC 13.1-FIPS and NDcPP prior to 13.1-37.236-FIPS and NDcPP

As of June 30, 2025, CVE-2025-6543 has been added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog. Another flaw in the same product (CVE-2025-5777, CVSS score: 9.3) was also placed on the list last month.

NCSC-NL described the activity as likely the work of a sophisticated threat actor, adding the vulnerability has been exploited as a zero-day since early May 2025 – almost two months before it was publicly disclosed – and the attackers took steps to erase traces in an effort to conceal the compromise. The exploitation was discovered on July 16, 2025.

“During the investigation, malicious web shells were found on Citrix devices,” the agency said. “A web shell is a piece of rogue code that gives an attacker remote access to the system. The attacker can place a web shell by abusing a vulnerability.”

To mitigate the risk arising from CVE-2025-6543, organizations are advised to apply the latest updates, and terminate permanent and active sessions by running the following commands –

• kill icaconnection -all
• kill pcoipConnection -all
• kill aaa session -all
• kill rdp connection -all
• clear lb persistentSessions

Organizations can also run a shell script made available by NCSC-NL to hunt for indicators of compromise associated with the exploitation of CVE-2025-6543.

“Files with a different .php extension in Citrix NetScaler system folders may be an indication of abuse,” NCSC-NL said. “Check for newly created accounts on the NetScaler, and specifically for accounts with increased rights.”

Aug 11, 2025Ravie LakshmananEncryption / Network Security

Cybersecurity researchers have discovered a fresh set of security issues in the Terrestrial Trunked Radio (TETRA) communications protocol, including in its proprietary end-to-end encryption (E2EE) mechanism that exposes the system to replay and brute-force attacks, and even decrypt encrypted traffic.

Details of the vulnerabilities – dubbed 2TETRA:2BURST – were presented at the Black Hat USA security conference last week by Midnight Blue researchers Carlo Meijer, Wouter Bokslag, and Jos Wetzels.

TETRA is a European mobile radio standard that’s widely used by law enforcement, military, transportation, utilities, and critical infrastructure operators. It was developed by the European Telecommunications Standards Institute (ETSI). It encompasses four encryption algorithms: TEA1, TEA2, TEA3, and TEA4.

The disclosure comes a little over two years after the Netherlands-based cybersecurity company discovered a set of security vulnerabilities in TETRA standard called TETRA:BURST, counting what was described as an “intentional backdoor” that could be exploited to leak sensitive information.

The newly discovered issues relate to a case of packet injection in TETRA, as well as an insufficient fix for CVE-2022-24401, one of the five TETRA:BURST issues, to prevent keystream recovery attacks. The identified issues are listed below –

• CVE-2025-52940 – TETRA end-to-end encrypted voice streams are vulnerable to replay attack. Furthermore, an attacker with no knowledge of the key may inject arbitrary voice streams, that are played back indistinguishably from authentic traffic by legitimate call recipients.
• CVE-2025-52941 – TETRA end-to-end encryption algorithm ID 135 refers to an intentionally weakened AES-128 implementation which has its effective traffic key entropy reduced from 128 to 56 bits, rendering it vulnerable to brute-force attacks.
• CVE-2025-52942 – End-to-end encrypted TETRA SDS messages feature no replay protection, allowing for arbitrary replay of messages towards either humans or machines.
• CVE-2025-52943 – TETRA networks that support multiple Air Interface Encryption algorithms are vulnerable to key recovery attacks since the SCK/CCK network key is identical for all supported algorithms. When TEA1 is supported, an easily recovered TEA1 key (CVE-2022-24402) can be used to decrypt or inject TEA2 or TEA3 traffic on the network.
• CVE-2025-52944 – The TETRA protocol lacks message authentication and therefore allows for the injection of arbitrary messages such as voice and data.
• ETSI’s fix for CVE-2022-24401 is ineffective in the prevention of keystream recovery attacks (No CVE, assigned a placeholder identifier MBPH-2025-001)

In a statement shared with WIRED, ETSI said the E2EE mechanism used in TETRA-based radios is not part of the ETSI standard, adding it was produced by The Critical Communications Association’s (TCCA) security and fraud prevention group (SFPG). ETSI also noted that purchasers of TETRA-based radios are free to deploy other solutions for E2EE on their radios.

The findings also coincide with the discovery of three flaws in the Sepura SC20 series of mobile TETRA radios that allow attackers with physical access to the device to achieve unauthorized code execution –

• CVE-2025-52945 – Defective file management restrictions
• CVE-2025-8458 – Insufficient key entropy for SD card encryption
• Exfiltration of all TETRA and TETRA E2EE key materials with the exception of the device-specific key K (no CVE, assigned a placeholder identifier MBPH-2025-003)

Patches for CVE-2025-52945 and CVE-2025-8458 are expected to be made available in the third quarter of 2025, necessitating that users are advised to implement enhanced TETRA key management policies. MBPH-2025-003, on the other hand, cannot be remediated due to architectural limitations.

“The vulnerabilities enable an attacker to gain code execution on a Sepura Gen 3 device,” the company said. “Attack scenarios featuring CVE-2025-8458 involve persistent code execution through access to a device’s SD card. Abuse of CVE-2025-52945 is even more straightforward as it requires only brief access to the device’s PEI connector.”

“From the premise of code execution, multiple attack scenarios are viable, such as exfiltration of TETRA key materials (MBPH-2025-003) or the implantation of a persistent backdoor into the radio firmware. This leads to the loss of confidentiality and integrity of TETRA communications.”

Aug 11, 2025Ravie LakshmananVulnerability / Network Security

Malicious actors have been observed exploiting a now-patched critical security flaw impacting Erlang/Open Telecom Platform (OTP) SSH as early as beginning of May 2025, with about 70% of detections originating from firewalls protecting operational technology (OT) networks.

The vulnerability in question is CVE-2025-32433 (CVSS score: 10.0), a missing authentication issue that could be abused by an attacker with network access to an Erlang/OTP SSH server to execute arbitrary code. It was patched in April 2025 with versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20.

Then in June 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

“At the heart of Erlang/OTP’s secure communication capabilities lies its native SSH implementation — responsible for encrypted connections, file transfers and most importantly, command execution,” Palo Alto Networks Unit 42 researchers Adam Robbie, Yiheng An, Malav Vyas, Cecilia Hu, Matthew Tennis, and Zhanhao Chen said.

“A flaw in this implementation would allow an attacker with network access to execute arbitrary code on vulnerable systems without requiring credentials, presenting a direct and severe risk to exposed assets.”

The cybersecurity company’s analysis of telemetry data has revealed that over 85% of exploit attempts have primarily singled out healthcare, agriculture, media and entertainment, and high technology sectors in the U.S., Canada, Brazil, India, and Australia, among others.

In the attacks observed, the successful exploitation of CVE-2025-32433 is followed by the threat actors using reverse shells to gain unauthorized remote access to target networks. It’s currently not known who is behind the efforts.

“This widespread exposure on industrial-specific ports indicates a significant global attack surface across OT networks,” Unit 42 said. “Analysis of affected industries demonstrates variance in the attacks.”

“Attackers are attempting to exploit the vulnerability in short, high-intensity bursts. These are disproportionately targeting OT networks and attempting to access exposed services over both IT and industrial ports.”

Aug 11, 2025Ravie Lakshmanan

This week, cyber attackers are moving quickly, and businesses need to stay alert. They’re finding new weaknesses in popular software and coming up with clever ways to get around security. Even one unpatched flaw could let attackers in, leading to data theft or even taking control of your systems. The clock is ticking—if defenses aren’t updated regularly, it could lead to serious damage. The message is clear: don’t wait for an attack to happen. Take action now to protect your business.

Here’s a look at some of the biggest stories in cybersecurity this week: from new flaws in WinRAR and NVIDIA Triton to advanced attack techniques you should know about. Let’s get into the details.

⚡ Threat of the Week

Trend Micro Warns of Actively Exploited 0-Day — Trend Micro has released temporary mitigations to address critical security flaws in on-premise versions of Apex One Management Console that it said have been exploited in the wild. The vulnerabilities (CVE-2025-54948 and CVE-2025-54987), both rated 9.4 on the CVSS scoring system, have been described as management console command injection and remote code execution flaws. There are currently no details on how the issues are being exploited in real-world attacks. Trend Micro said it “observed at least one instance of an attempt to actively exploit one of these vulnerabilities in the wild.”

• WinRAR 0-Day Under Active Exploitation — The maintainers of the WinRAR file archiving utility have released an update to address an actively exploited zero-day vulnerability. Tracked as CVE-2025-8088 (CVSS score: 8.8), the issue has been described as a case of path traversal affecting the Windows version of the tool that could be exploited to obtain arbitrary code execution by crafting malicious archive files. Russian cybersecurity vendor BI.ZONE, in a report published last week, said there are indications that the hacking group tracked as Paper Werewolf (aka GOFFEE) may have leveraged CVE-2025-8088 alongside CVE-2025-6218, a directory traversal bug in the Windows version of WinRAR that was patched in June 2025.
• New Windows EPM Poisoning Exploit Chain Detailed — New findings presented at the DEF CON 33 security conference showed that a now-patched security issue in Microsoft’s Windows Remote Procedure Call (RPC) communication protocol (CVE-2025-49760, CVSS score: 3.5) could be abused by an attacker to conduct spoofing attacks and impersonate a known server. The vulnerability essentially makes it possible to manipulate a core component of the RPC protocol and stage what’s called an EPM poisoning attack that allows unprivileged users to pose as a legitimate, built-in service with the goal of coercing a protected process to authenticate against an arbitrary server of an attacker’s choosing.
• BadCam Attack Targets Linux Webcams From Lenovo — Linux-based webcams from Lenovo, Lenovo 510 FHD and Lenovo Performance FHD, which are powered by a System on a Chip (SoC) and firmware made by the Chinese company SigmaStar, can be weaponized and turned into BadUSB vectors, allowing attackers to tamper with the firmware of the devices to execute malicious commands when connected to a computer. “This allows remote attackers to inject keystrokes covertly and launch attacks independent of the host operating system,” Eclypsium researchers Paul Asadoorian, Mickey Shkatov, and Jesse Michael said.
• The Far-Reaching Scale of VexTrio Revealed — A new analysis of VexTrio has unmasked it as a “cybercriminal organization with tendrils that are far-reaching,” operating dozens of businesses and front companies across Europe, while posing as a legitimate ad tech firm to conduct various types of fraud. The cyber fraud network is assessed to be active in its present form since at least 2017. That said, suspected key figures behind the scheme have been linked to scam reports and sketchy domains since 2004. VexTrio’s nerve center is Lugano, melding scam operations and traffic distribution schemes to maximize illicit revenue. It’s also the result of two businesses, Tekka Group and AdsPro Group, joining forces in 2020. “The merger created a formidable suite of commercial entities that touch every part of the ad tech industry,” Infoblox said. VexTrio is known for using traffic distribution systems (TDSes) to filter and redirect web traffic based on specific criteria, as well as relying on sophisticated DNS manipulation techniques like fast-fluxing, DNS tunneling, and domain generation algorithms (DGAs) to rapidly change the IP addresses associated with their domains, establish covert command-and-control (C2) communication, and maintain persistent access with infected systems. Campaigns orchestrated the threat actor to leverage TDSes to hijack web users from compromised websites and redirect them to a variety of malicious destinations, from tech support scams and fake updates to phishing domains and exploit kits. The use of commercial entities to run the traffic distribution schemes offers several advantages to threat actors, both from an operational perspective as well as avoiding scrutiny from the infosec community and law enforcement by maintaining a veneer of legitimacy. The system works like any other ad tech network, only it’s malicious in nature. The threat actors pay VexTrio-controlled firms as if they were legitimate customers, receiving a steady supply of hijacked traffic and unsuspecting victims through TDSes for a variety of threats, from cryptocurrency scams and fake captcha schemes. “VexTrio employs a few hundred people globally. It’s unclear how much the average VexTrio employee knows about the true business model,” Infoblox said. The arrangement has proven to be extremely lucrative for VexTrio operators, who have been found leading a lavish lifestyle, sharing on social media about expensive cars and other luxuries.
• Multiple Flaws Patched in NVIDIA Triton Patched — Nvidia has patched a trio of vulnerabilities in its Triton inference server that could give unauthenticated remote attackers a way to take full control of susceptible servers. The new Triton vulnerabilities underscore a broader and rapidly growing category of AI-related threats that organizations must now factor into their security postures. With AI and ML tools becoming deeply embedded in critical business workflows, the attack surface has expanded in ways that traditional security frameworks aren’t always equipped to handle. The emergence of new threats like AI supply chain integrity, model poisoning, prompt injection, and data leakage signals the need for securing the underlying infrastructure and practicing defense-in-depth.

‎️‍🔥 Trending CVEs

Hackers are quick to jump on newly discovered software flaws – sometimes within hours. Whether it’s a missed update or a hidden bug, even one unpatched CVE can open the door to serious damage. Below are this week’s high-risk vulnerabilities making waves. Review the list, patch fast, and stay a step ahead.

This week’s list includes — CVE-2025-8088 (WinRAR), CVE-2025-55188 (7-Zip), CVE-2025-4371 (Lenovo 510 FHD and Performance FHD web cameras), CVE-2025-25050, CVE-2025-25215, CVE-2025-24922, CVE-2025-24311, CVE-2025-24919 (Dell ControlVault3), CVE-2025-49827, CVE-2025-49831 (CyberArk Secrets Manager), CVE-2025-6000 (HashiCorp Vault), CVE-2025-53786 (Microsoft Exchange Server), CVE-2025-30023 (Axis Communications), CVE-2025-54948, CVE-2025-54987 (Trend Micro Apex One Management Console), CVE-2025-23310, CVE-2025-23311, CVE-2025-23319 (NVIDIA Triton), CVE-2025-54574 (Squid Web Proxy), CVE-2025-7025, CVE-2025-7032, and CVE-2025-7033 (Rockwell Automation Arena Simulation), CVE-2025-54253, CVE-2025-54254 (Adobe Experience Manager Forms), CVE-2025-24285 (Ubiquiti UniFi Connect EV Station), CVE-2025-38236 (Linux Kernel), CVE-2025-2771, CVE-2025-2773 (BEC Technologies routers), CVE-2025-25214, CVE-2025-48732 (WWBN AVideo), CVE-2025-26469, and CVE-2025-27724 (MedDream PACS Premium).

📰 Around the Cyber World

• NVIDIA Rejects Backdoor Claims — GPU maker NVIDIA has rejected accusations that it has built backdoors or kill switches in its chips. “There are no back doors in NVIDIA chips. No kill switches. No spyware. That’s not how trustworthy systems are built—and never will be,” Nvidia Chief Security Officer David Reber Jr. said. The development came after the Cyberspace Administration of China (CAC) said it held a meeting with NVIDIA over “serious security issues” in the company’s chips and claimed that U.S. artificial intelligence (AI) experts “revealed that NVIDIA’s computing chips have location tracking and can remotely shut down the technology.” A kill switch in a chip would be “a permanent flaw beyond user control, and an open invitation for disaster,” Reber Jr. added.
• Attackers Compromise Target Within 5 Minutes — Threat actors successfully compromised corporate systems within just five minutes using a combination of social engineering tactics and rapid PowerShell execution. The incident demonstrates how cybercriminals are weaponizing trusted business applications to bypass traditional security measures. “The Threat Actor targeted around twenty users, impersonating IT support personnel, and successfully convinced two users to grant remote access to their system using the Windows native Quick Assist remote support tool,” NCC Group said. “In less than five minutes, the Threat Actor executed PowerShell commands that led to the download of offensive tooling, malware execution and the creation of persistence mechanisms.” The attack was detected and stopped before it could have led to a bigger infection.
• Companies Drowning in Threat Intel — A new study commissioned by Google Cloud found that an “overwhelming volume of threats and data combined with the shortage of skilled threat analysts” are making companies more vulnerable to cyber attacks and keeping them stuck in a reactive state. “Rather than aiding efficiency, myriad [threat intelligence] feeds inundate security teams with data, making it hard to extract useful insights or prioritize and respond to threats. Security teams need visibility into relevant threats, AI-powered correlation at scale, and skilled defenders to use actionable insights, enabling a shift from a reactive to a proactive security posture,” the study found. The survey was conducted with 1,541 senior IT and cybersecurity leaders at enterprise organizations in North America, Europe, and Asia Pacific.

• New EDR Killer Spotted — Malware capable of terminating antivirus software and obfuscated using commercial packers like HeartCrypt are being used in ransomware attacks involving BlackSuit, RansomHub, Medusa, Qilin, DragonForce, Crytox, Lynx, and INC. Posing as a legitimate utility, the EDR killer looks for a driver with a five-letter random name that’s signed with a compromised certificate to achieve its goals. If found, the malicious driver is loaded into the kernel, as required to perform a bring your own vulnerable driver (BYOVD) attack and achieve kernel privileges required to turn off security products. The exact list of antivirus software to be terminated varies among samples. It’s believed to be an evolution of EDRKillShifter, developed by RansomHub. “Multiple new variants of a malicious driver that first surfaced in 2022 are circulating in the wild,” Symantec warned earlier this January. “The driver is used by attackers to attempt to disable security solutions.” The fact that multiple ransomware actors are relying on variants of the same EDR killer tool alludes to the possibility of a common seller or some sort of an “information/tool leakage between them.”
• Ransomware Continues to Evolve — Threat intel firm Analyst1 has published a profile of Yaroslav Vasinskyi, a Ukrainian national and member of the REvil gang that broke into Kaseya in 2021. Meanwhile, the ransomware landscape continues to be volatile as ever, replete with rebrands and abrupt cessation of activities amid continued law enforcement takedowns: BlackNevas (aka Trial Recovery) is assessed to be a derivative of Trigona, while one affiliate named “hastalamuerte” alleged that the Qilin group had conducted an exit scam, defrauding them of $48,000. Another user, operating under the handle “Nova,” publicly leaked the Qilin affiliate panel, including login credentials, further exposing the group’s operational security weaknesses. RansomHub, Babuk-Bjorka, FunkSec, BianLian, 8Base, CACTUS, Hunters International, and LockBit are among the groups that have stopped publishing new victims, indicating an increasingly fragmented ransomware ecosystem. “The rapid succession of events following the disappearance of RansomHub and the subsequent rise – and apparent turbulence – within Qilin’s operations underscore the dynamic volatility of today’s ransomware ecosystem,” Dark Atlas said. “The internal chaos and alleged exit scam within Qilin […] reveal deep fissures in trust and operational security among ransomware collectives, further compounded by active interference from law enforcement and rival groups.”
• Turkish Organizations Targeted by SoupDealer — Banks, ISPs, and mid-level organizations in Türkiye are being targeted by phishing campaigns that deliver a new Java-based loader called SoupDealer. “When this malware is executed, it uses advanced persistence mechanisms – including downloading TOR to establish communication with the C2 panel and scheduling tasks for automatic execution – to ensure the device is located in Türkiye and being used in Turkish,” Malwation said. “It then sends various information based on signals from the command-and-control server and gains full control over the device.”
• Spark RAT Detailed — Cybersecurity researchers have detailed the inner workings of an open-source RAT called Spark RAT that’s capable of targeting Windows, Linux, and macOS systems. It allows an attacker to remotely commandeer a compromised endpoint by establishing communications with C2 infrastructure and awaiting further instructions from an operator. “All the desirable RAT features are present, with the perhaps notable absence of Remote Desktop-like functionality,” F5 Labs said. “These factors have combined to make SparkRAT an attractive offensive tool choice, as is evidenced by the documented instances of its use in threat campaigns.”
• Threat Actors’ Use of SVG Files Increase — Cybercriminals are turning Scalable Vector Graphics (SVG) files into potent weapons by embedding malicious JavaScript payloads that can bypass traditional security measures. Phishing attacks adopting the technique have revolved around convincing targets to open an SVG file, triggering the execution of the JavaScript code in the web browser, which then redirects them to a phishing site designed to steal credentials. “Instead of storing pixel data, SVGs use XML-based code to define vector paths, shapes, and text,” Seqrite said. “This makes them ideal for responsive design, as they scale without losing quality. However, this same structure allows SVGs to contain embedded JavaScript, which can execute when the file is opened in a browser – something that happens by default on many Windows systems.” SVG image files are also being used as a malware delivery vector in campaigns where adult sites have been found seeding obscured SVG payloads that leverage JSFuck to covertly endorse Facebook posts promoting the sites, ThreatDown found.
• Scams Targeting Elderly Led to $700 million Losses in 2024 — Americans aged 60 and older lost a staggering $700 million to online scams in 2024, signaling a steep rise in fraud targeting older adults. “Most notably, combined losses reported by older adults who lost more than $100,000 increased eight-fold, from $55 million in 2020 to $445 million in 2024,” the U.S. Federal Trade Commission (FTC) said. “While younger consumers also have reported these scams, older adults were much more likely to report these extraordinarily high losses.” The development came as authorities from the Philippines detained 20 Chinese nationals who were operating a crypto scam center in Pasay City. Thai police have also apprehended 18 Chinese nationals who were operating a scam call center in the city of Chiang Mai that targeted other Chinese speakers and operated for three months from a rented house.

• Embargo Ransomware Made About $34.2 million — Embargo ransomware is associated with about $34.2 million in cryptocurrency transactions since popping up around April 2024, with the majority of the victims located in the United States in the healthcare, business services, and manufacturing sectors. Unlike other traditional ransomware-as-a-service (RaaS) groups, Embargo retains control over infrastructure and payment negotiations and tends to avoid tactics like triple extortion and victim harassment that draw attention to itself. The attacks involve using phishing emails and drive-by downloads delivered via malicious websites as initial access vectors to disable security tools, turn off recovery options, and encrypt files. “Embargo may be a rebranded or successor operation to BlackCat (ALPHV) based on multiple technical and behavioral similarities – including using the Rust programming language, a similarly designed data leak site, and on-chain overlaps via shared wallet infrastructure,” TRM Labs said. “Embargo launders ransom proceeds through intermediary wallets, high-risk exchanges, and sanctioned platforms such as Cryptex.net. Approximately $18.8 million remains dormant in unattributed wallets — a pattern that likely reflects deliberate evasion tactics.” The links to BlackCat stem from on-chain overlaps, with historical BlackCat-linked addresses funneling funds to wallet clusters associated with Embargo victims. Technical similarities include the use of the Rust programming language, similar encryption toolkits, and the design of their data leak sites.
• Microsoft to Block File Access via FPRPC — Microsoft has announced that the Microsoft 365 apps for Windows will start blocking access to files via the insecure FPRPC legacy authentication protocol by default starting late August. “Microsoft 365 apps will block insecure file open protocols like FPRPC by default starting version 2508, with new Trust Center settings to manage these protocols,” the company said. “These changes enhance security by reducing exposure to outdated technologies like FrontPage Remote Procedure Call (FPRPC), FTP, and HTTP.” Separately, Microsoft has also announced that it intends to retire support for inline SVG images in Outlook for Web and new Outlook for Windows starting September 2025. “This change enhances security and aligns with current email client behavior, which already restricts inline SVG rendering,” the company said.
• Nearly 30K Exchange Server Instances Vulnerable to CVE-2025-53786 — A little over 29,000 Microsoft Exchange email servers are missing an April 2025 hotfix for a recently disclosed security vulnerability (CVE-2025-53786) that allows attackers to escalate access from on-prem servers to online cloud environments. As of August 10, 2025, the countries with the most exposures are the U.S., Germany, Russia, France, the U.K., and Austria, per the Shadowserver Foundation.
• ScarCruft Linked to Ransomware Attack for the First Time — The North Korean threat actor known as ScarCruft (aka APT37), which has a history of deploying RokRAT, has been linked to an attack chain that has leveraged a malicious LNK file embedded in a RAR archive to deliver a stealer (LightPeek and FadeStealer), backdoor (NubSpy and CHILLYCHINO), and ransomware (VCD Ransomware). “It further underscores the group’s persistent reliance on real-time messaging infrastructure, exemplified by NubSpy’s use of PubNub as its command-and-control (C2) channel,” S2W said. The attack has been attributed to ChinopuNK, a sub-cluster within ScarCruft known for deploying the Chinotto malware. The activity is a “notable deviation” from the group’s historical focus on espionage. “This suggests a potential shift toward financially motivated operations, or an expansion of operational goals that now include disruptive or extortion-driven tactics,” the company added.
• EDR-on-EDR Violence to Disable EDR Software — Cybersecurity researchers have uncovered a troubling new attack vector where threat actors are weaponizing free trials of endpoint detection and response (EDR) software to disable existing security tools – a phenomenon dubbed EDR-on-EDR violence, or bring your own EDR aka BYOEDR. “It turns out that one of the ways to disable EDR is with a free trial of EDR,” researchers Ezra Woods and Mike Manrod said. “This is accomplished by removing exclusions and then adding the hash of the existing AV/EDR as a blocked application.” Making matters worse, the research found that it’s possible to abuse the RMM-like features of EDR products to facilitate command shell access.
• 2 Founder of Samourai Wallet Plead Guilty to Money Laundering — Two senior executives and founders of the Samourai Wallet cryptocurrency mixer have pleaded guilty to charges involving washing more than $200 million worth of crypto assets from criminal proceeds and concealing the nature of illicit transactions using services like Whirlpool and Ricochet. Samourai CEO Keonne Rodriguez and CTO William Lonergan Hill were arrested last year after the U.S. Federal Bureau of Investigation (FBI) took down their service. As part of their plea agreements, Rodriguez and Hill have also agreed to forfeit $237,832,360.55. “The defendants created and operated a cryptocurrency mixing service that they knew enabled criminals to wash millions in dirty money, including proceeds from cryptocurrency thefts, drug trafficking operations, and fraud schemes,” the U.S. Department of Justice (DoJ) said. “They did not just facilitate this illicit movement of money, but also encouraged it.”
• Tornado Cash Founder Convicted of Operating a Money Transmitting Business — Roman Storm, a co-founder of the cryptocurrency mixing service Tornado Cash, was found guilty of conspiring to operate an unlicensed money-transmitting business. However, the jury failed to reach a ruling on the more significant charges of conspiracy to commit money laundering and to violate sanctions. “Roman Storm and Tornado Cash provided a service for North Korean hackers and other criminals to move and hide more than $1 billion of dirty money,” the DoJ said. Storm is set to be sentenced later this year and faces a maximum prison sentence of five years. The development came as the U.S. Treasury Department dropped its appeal against a court ruling that forced it to lift sanctions against Tornado Cash last month. Tornado Cash was delisted from the Specially Designated National and Blocked Persons (SDN) list earlier this March. The service was sanctioned in 2022 for its alleged links to cybercriminals and for having “repeatedly failed to impose effective controls” to prevent money laundering.
• Microsoft SharePoint Flaws Exploited to Drop China Chopper and ANTSWORD — Microsoft revealed that Chinese state-sponsored hackers had exploited new vulnerabilities in SharePoint to breach the computer systems of hundreds of companies and government agencies, including the National Nuclear Security Administration and the Department of Homeland Security. According to ProPublica, support for SharePoint is handled by a China-based engineering team that has been responsible for maintaining the software for years. Microsoft said the China-based team “is supervised by a US-based engineer and subject to all security requirements and manager code review. Work is already underway to shift this work to another location.” It’s unclear if Microsoft’s China-based staff had any role in the SharePoint hack. Attacks exploiting the SharePoint flaws (CVE-2025-49706 and CVE-2025-53770) have been observed performing unauthenticated code execution, extracting cryptographic keys, and deploying web shells like China Chopper and ANTSWORD. “The use of AntSword and China Chopper in the mid-2025 SharePoint exploitation campaigns aligns with tooling observed in prior incidents,” Trustwave said. “Notably, in 2022, the same ANTSWORD and China Chopper were also observed to be deployed in an incident related to ProxyNotShell RCE vulnerabilities.
• E.U. Law Protecting Journalists from Spyware Goes into Effect — A new law in the European Union, called the European Media Freedom Act (EMFA), has taken effect starting August 8, 2025, seeking to promote independence, safeguard media against unjustified online content removal by very large online platforms, and protect journalistic sources, including against the use of spyware. However, the European Centre for Press and Media Freedom (ECPMF) said it’s “deeply concerned that many national governments are neither prepared nor politically willing to make the required legislative changes,” adding “this lack of commitment poses a serious risk to the EMFA’s effectiveness.”
• Israel Created Azure-Backed System to Store Palestinian Communications — Israel’s elite military surveillance agency, Unit 8200, stored vast volumes of intercepted Palestinian phone calls on Microsoft’s Azure cloud servers, according to a joint investigation by The Guardian, +972 Magazine, and Local Call. The massive phone surveillance operation intercepted and tracked all phone calls and messages sent across Palestine and was hosted in a segregated part of Azure. The cloud-based system is believed to have become operational in 2022. “Thanks to the control it exerts over Palestinian telecommunications infrastructure, Israel has long intercepted phone calls in the occupied territories,” The Guardian reported. “But the indiscriminate new system allows intelligence officers to play back the content of cellular calls made by Palestinians, capturing the conversations of a much larger pool of ordinary civilians.”
• South Korea Targeted by Makop Ransomware — Users in South Korea have been targeted by Makop ransomware attacks that leverage remote desktop protocol (RDP) as an entry point, shifting from its previous distribution strategy of relying on fake resumes or emails related to copyrights. “It is worth noting that the use of RDP in the initial access phase and the installation of various tools from NirSoft and Mimikatz with an installation path of ‘mimik’ are the same as what the Crysis ransomware threat actor did when installing the Venus ransomware,” AhnLab said. “This suggests the possibility that the same threat actor is behind the Crysis, Venus, and recent Makop ransomware attacks.”
• WhatsApp Rolls Out New Feature to Tackle Scams — WhatsApp is introducing a new security feature that will help users spot potential scams when they are being added to a group chat by someone who is not in their contact list by serving additional information and options to exit the group. The messaging platform said it’s also exploring ways to caution people when they are individually contacted by people not in their contacts. This includes showing more context about who has messaged, so users can make an informed decision. The Meta-owned company said it also took down over 6.8 million WhatsApp accounts linked to criminal scam centers based in Southeast Asia targeting people across the internet and around the world. “These scam centers typically run many scam campaigns at once – from cryptocurrency investments to pyramid schemes,” the company said. “The scammers used ChatGPT to generate the initial text message containing a link to a WhatsApp chat, and then quickly directed the target to Telegram, where they were assigned a task of liking videos on TikTok. The scammers attempted to build trust in their scheme by sharing how much the target has already ‘earned’ in theory, before asking them to deposit money into a crypto account as the next task.”
• Praetorian Releases ChromeAlone — Cybersecurity company Praetorian has released a tool called ChromeAlone that transforms Chromium browsers into a C2 framework and can be implanted and used in place of conventional tools like Cobalt Strike. The program offers the ability to steal browser credentials and session cookies, launch executables on the host from Chrome, phish for WebAuthn requests for physical security tokens like YubiKeys or Titan Security Keys, and offer EDR resistance. Separately, Praetorian also found that it’s possible to abuse Traversal Using Relays around NAT (TURN) servers used by conferencing apps like Zoom and Microsoft Teams as a new C2 evasion method called ‘Ghost Calls’ to tunnel traffic through trusted infrastructure. This is accomplished by means of a tool called TURNt. “This approach allows operators to blend interactive C2 sessions into normal enterprise traffic patterns, appearing as nothing more than a temporarily joined online meeting,” Praetorian noted, stating the approach uses legitimate credentials, WebRTC, and custom tooling to get around existing defenses.
• New Jailbreak Against AI Chatbots Employs Information Overload — AI chatbots like OpenAI ChatGPT and Google Gemini can be derived into generating illicit instructions for making a bomb or hacking an ATM if the prompt is made complicated, full of academic jargon, and cites non-existent sources. That’s according to a new paper authored by a team of researchers from Intel, Boise State University, and the University of Illinois at Urbana-Champaign. The LLM jailbreaking technique called InfoFlood “transforms malicious queries into complex, information-overloaded queries capable of bypassing built-in safety mechanisms,” the paper explained. “Specifically, InfoFlood: (1) uses linguistic transformations to rephrase malicious queries, (2) identifies the root cause of failure when an attempt is unsuccessful, and (3) refines the prompt’s linguistic structure to address the failure while preserving its malicious intent.”
• Israeli spyware vendor Candiru is still active — Cybersecurity firm Recorded Future has discovered new infrastructure for managing and delivering Candiru’s DevilsTongue spyware. “Eight distinct clusters were identified, with five being likely still active, including those linked to Hungary and Saudi Arabia,” it said. “One cluster tied to Indonesia was active until November 2024, and two associated with Azerbaijan have uncertain status due to a lack of identified victim-facing infrastructure.”

🎥 Cybersecurity Webinars

• AI Threats Are Real—Learn How to Secure Every Agent Now: AI-powered shadow agents are becoming a serious security threat. Deployed without oversight, these invisible entities have access to sensitive data, making them prime targets for attackers. In this session, we’ll explore how these agents emerge, why they’re risky, and how to take control before they cause harm.
• How AI-Fueled Attacks are Targeting Identity—Learn to Stop Them: AI is changing the way cyberattacks happen, making traditional defenses obsolete. In this webinar, Karl Henrik Smith from Okta explains how AI is targeting identity security and how you can protect your organization from these new threats. Learn how to adapt your defenses for the AI-driven future.
• What You’re Missing in Python Security: 2025’s Must-Know Threats: In 2025, securing your Python supply chain is more critical than ever. With increasing threats like repojacking, typosquatting, and known vulnerabilities in core Python infrastructure, simply relying on “pip install and pray” won’t cut it. Join our webinar to learn how to protect your Python projects, tackle current supply chain risks, and explore practical solutions to safeguard your code with industry-leading tools like Sigstore and Chainguard. Take action now to secure your Python environment and stay ahead of emerging threats.

🔧 Cybersecurity Tools

• DoomArena is a modular, plug-in framework for testing AI agents against evolving security threats. It works with platforms like τ-Bench, BrowserGym, and OSWorld, allowing realistic simulations of attacks such as prompt injections or malicious data sources. Its design separates attack logic from environments, making tests reusable across tasks, and supports detailed threat models, multiple attack types, and custom success checks to help identify vulnerabilities and evaluate defenses.
• Yamato Security, a volunteer-led group in Japan, has released a suite of open-source tools aimed at strengthening digital forensics and threat hunting. The lineup includes Hayabusa for Sigma-based Windows log analysis, Takajo for parsing Hayabusa results, Suzaku for cloud log forensics, and WELA for auditing Windows Event Logs, supported by detailed configuration guides. Also in the toolkit is SigmaOptimizer-UI, a user-friendly interface that streamlines the creation, testing, and refinement of Sigma rules from real-world logs, incorporating automated checks and optional LLM-powered enhancements.

Disclaimer: These newly released tools are for educational use only and haven’t been fully audited. Use at your own risk—review the code, test safely, and apply proper safeguards.

🔒 Tip of the Week

Boost Your Threat Detection with Easy, Free Tools — Cybersecurity isn’t just about defending against attacks—it’s also about detecting them early. One of the most effective ways to stay ahead of threats is by setting up real-time monitoring. Free tools like UptimeRobot allow you to monitor your website or systems for unexpected downtime, a common sign of an attack. By receiving instant alerts, you can act quickly if something goes wrong.

Another simple yet powerful step is running regular vulnerability scans. Qualys Community Edition is a free tool that helps you identify weak spots in your network or website. Regular scans will help you spot problems before attackers can exploit them, keeping your defenses strong.

Endpoint protection is equally important. While Windows Defender provides solid security, you can take it a step further with OSSEC, an open-source intrusion detection system. OSSEC monitors your devices for unusual behavior, helping catch threats that traditional antivirus software might miss.

Lastly, staying aware of malicious actors is key. Use resources like AlienVault Open Threat Exchange (OTX) to track known harmful IP addresses and domains. These free databases keep you informed about the latest threats targeting your network, allowing you to block risky traffic before it causes harm.

By integrating these free tools into your routine, you’ll significantly enhance your ability to detect and respond to cyber threats quickly and effectively.

Conclusion

As we wrap up this week’s cybersecurity update, remember that staying informed is your best defense. The threats are real, and the stakes are high—but with the right steps, your organization can stay ahead of attackers. Regular updates, timely patches, and continuous monitoring are your first line of defense. Keep working to build a culture of security, and always be ready to adapt to the changing landscape.

We’ll be back next week with more insights, so keep those systems secure and stay vigilant. Until then, stay proactive, stay safe, and don’t let your guard down. Cyber threats wait for no one.

The Evolution of Exposure Management

Most security teams have a good sense of what’s critical in their environment. What’s harder to pin down is what’s business-critical. These are the assets that support the processes the business can’t function without. They’re not always the loudest or most exposed. They’re the ones tied to revenue, operations, and delivery. If one goes down, it’s more than a security issue – It’s a business problem.

Over the past year since publishing our 4-step approach to mapping and securing business-critical assets, my team and I have had the opportunity to engage deeply with dozens of customer workshops across multiple industry verticals, including finance, manufacturing, energy, and more. These sessions have revealed valuable insights into how organizations are evolving their security posture.

This article takes an updated look at that approach, incorporating what we have learned along the way, helping organizations align exposure management strategy with business priorities. What began as a theoretical 4-step approach has matured into a proven methodology with measurable results. Organizations implementing this framework have reported remarkable efficiency gains—some reducing remediation efforts by up to 96% while simultaneously strengthening their security posture where it matters most.

Our engagement with CISOs, security directors, and increasingly, CFOs and business executives, has revealed consistent patterns across industries. Security teams struggle not with identifying vulnerabilities but with determining which ones pose genuine business risk. Meanwhile, business leaders want assurance that security investments protect what matters most—but often lack a framework to communicate these priorities effectively to technical teams.

The methodology we’ve refined bridges this gap, creating a common language between security practitioners and business stakeholders. The lessons that follow distill what we’ve learned through implementing this approach across diverse organizational contexts. They represent not just theoretical best practices, but practical insights gained through successful real-world applications.

Lesson 1: Not All Assets Are Created Equal

What We Discovered: Most security teams can identify what’s technically critical, but struggle to determine what’s business-critical. The difference is significant – business-critical assets directly support revenue generation, operations, and service delivery.

Key Takeaway: Focus your security resources on systems that, if compromised, would create actual business disruption rather than just technical issues. Organizations that implemented this targeted approach reduced remediation efforts by up to 96%.

Lesson 2: Business Context Changes Everything

What We Discovered: Security teams are drowning in signals – vulnerability scans, CVSS scores, and alerts from across the technology stack. Without business context, these signals lack meaning. A “critical” vulnerability on an unused system is less important than a “moderate” one on a revenue-generating platform.

Key Takeaway: Integrate business context into your security prioritization. When you know which systems support core business functions, you can make decisions based on actual impact rather than technical severity alone.

Lesson 3: The Four-Step Method Works

What We Discovered: Organizations need a structured approach to connect security efforts with business priorities. Our four-step methodology has proven effective across diverse industries:

• Identify Critical Business Processes

Takeaway: Start with how your company makes and spends money. You don’t need to map everything – just the processes that would cause significant disruption if interrupted.

• Map Processes to Technology

Takeaway: Determine which systems, databases, credentials, and infrastructure support those critical processes. Perfect mapping isn’t necessary – aim for “good enough” to guide decisions.

• Prioritize Based on Business Risk

Takeaway: Focus on choke points – the systems attackers would likely pass through to reach business-critical assets. These aren’t always the most severe vulnerabilities but fixing them delivers the highest return on effort.

• Act Where It Matters

Takeaway: Remediate exposures that create paths to business-critical systems first. This targeted approach makes security work more efficient and easier to justify to leadership.

Lesson 4: CFOs Are Becoming Security Stakeholders

What We Discovered: Financial leaders are increasingly involved in cybersecurity decisions. As one director of cybersecurity told us, “Our CFO wants to know how we see cybersecurity risks from a business perspective.”

Key Takeaway: Frame security in terms of business risk management to gain support from financial leadership. This approach has proven essential for promoting initiatives and securing necessary budgets.

The journey to effective security isn’t about securing everything, but about protecting what truly drives your business forward. By aligning security efforts with business priorities, organizations can achieve both stronger protection and more efficient operations—transforming security from a technical function into a strategic business enabler. Want to learn more about this methodology? Check out my recent webinar here and learn how to start protecting what matters most.

Bonus checklist:

Getting Started – How to Secure Your Business Critical Assets

STEP 1: IDENTIFY CRITICAL BUSINESS PROCESSES

□ Schedule focused discussions with business unit leaders to identify core revenue-generating processes

□ Review how the company makes and spends money to surface high-value operations

□ Create a short list of business processes that would cause significant disruption if interrupted

□ Document these processes with clear descriptions of their business importance

STEP 2: MAP BUSINESS PROCESSES TO TECHNOLOGY

□ For each critical process, identify the supporting systems, databases, and infrastructure

□ Document which admin credentials and access points protect these systems

□ Consult with system owners about dependencies and recovery requirements

□ Compile findings from CMDBs, architecture documents, or direct interviews

STEP 3: PRIORITIZE BASED ON BUSINESS RISK

□ Identify the choke points attackers would likely pass through to reach critical assets

□ Evaluate which exposures create direct paths to business-critical systems

□ Determine which systems have the tightest SLAs or recovery windows

□ Create a prioritized list of exposures based on business impact, not just technical severity

STEP 4: TURN INSIGHTS INTO ACTION

□ Focus remediation efforts on exposures that directly impact business-critical systems

□ Develop clear communication about why these priorities matter in business terms

□ Track progress based on reduction of risk to core business functions

□ Present results to leadership in terms of business protection, not just technical metrics

Bridging the gap between technical findings and executive leadership, as highlighted in lessons 4 and 5, is one of the most critical skills for a modern CISO. To help you master this essential dialogue, we are now offering our practical course, “Risk Reporting to the Board,” completely free of charge. This program is designed to equip you with the frameworks and language needed to transform your conversations with the board and confidently present security as a strategic business function. Access the free course today and start building a stronger relationship with your leadership team.

Note: This article was expertly written by Yaron Mazor, Principal Customer Advisor at XM Cyber.