Tag: Cyber Threats

  • New Linux Flaws Enable Full Root Access via PAM and Udisks Across Major Distributions

    New Linux Flaws Enable Full Root Access via PAM and Udisks Across Major Distributions

    Jun 19, 2025 | Ravie Lakshmanan | Linux / Vulnerability

    Cybersecurity researchers have uncovered two local privilege escalation (LPE) flaws that could be exploited to gain root privileges on machines running major Linux distributions.

    The vulnerabilities, discovered by Qualys, are listed below –

    • CVE-2025-6018 – LPE from unprivileged to allow_active in SUSE 15’s Pluggable Authentication Modules (PAM)
    • CVE-2025-6019 – LPE from allow_active to root in libblockdev via the udisks daemon

    “These modern ‘local-to-root’ exploits have collapsed the gap between an ordinary logged-in user and a full system takeover,” Saeed Abbasi, Senior Manager at Qualys Threat Research Unit (TRU), said.


    “By chaining legitimate services such as udisks loop-mounts and PAM/environment quirks, attackers who own any active GUI or SSH session can vault across polkit’s allow_active trust zone and emerge as root in seconds.”

    The cybersecurity company said CVE-2025-6018 is present in the PAM configuration of openSUSE Leap 15 and SUSE Linux Enterprise 15, enabling an unprivileged local attacker to elevate to the “allow_active” user and call Polkit actions that are otherwise reserved for a physically present user.

    CVE-2025-6019, on the other hand, affects libblockdev and is exploitable via the udisks daemon included by default on most Linux distributions. It essentially permits an “allow_active” user to gain full root privileges by chaining it with CVE-2025-6018.

    “Although it nominally requires ‘allow_active’ privileges, udisks ships by default on almost all Linux distributions, so nearly any system is vulnerable,” Abbasi added. “Techniques to gain ‘allow_active,’ including the PAM issue disclosed here, further negate that barrier.”

    Once root privileges are obtained, an attacker has carte blanche access to the system, allowing them to use it as a springboard for broader post-compromise actions, such as altering security controls and implanting backdoors for covert access.

    Qualys said it has developed proof-of-concept (PoC) exploits to confirm the presence of these vulnerabilities on various operating systems, including Ubuntu, Debian, Fedora, and openSUSE Leap 15.

    To mitigate the risk posed by these flaws, it’s essential to apply patches provided by the Linux distribution vendors. As temporary workarounds, users can modify the Polkit rule for “org.freedesktop.udisks2.modify-device” to require administrator authentication (“auth_admin”).
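    The workaround above written out as a polkit rule, as an added example that is not code from the article or from Qualys. polkit rules files are JavaScript; the rules file name and the implicit-defaults table are constructed for illustration, and a small stand-in for polkit's rule dispatch is included so the decision can be exercised outside a running daemon.

```javascript
// Added example (not from the article or from Qualys): the temporary
// workaround from the text as a polkit rule, plus a small stand-in for
// polkit's rule dispatch so the resulting decision can be checked here.

// polkit's JavaScript authority exposes a global `polkit` object to
// /etc/polkit-1/rules.d/*.rules. This shim mirrors the two parts a rule
// needs: the polkit.Result constants and polkit.addRule().
const registeredRules = [];
const polkit = {
  Result: {
    NO: "no",
    YES: "yes",
    AUTH_SELF: "auth_self",
    AUTH_SELF_KEEP: "auth_self_keep",
    AUTH_ADMIN: "auth_admin",
    AUTH_ADMIN_KEEP: "auth_admin_keep",
    NOT_HANDLED: null,
  },
  addRule(fn) { registeredRules.push(fn); },
};

// Action id named in the article.
const UDISKS_MODIFY = "org.freedesktop.udisks2.modify-device";

// ---- Contents of the rules file (constructed name:
//      /etc/polkit-1/rules.d/10-udisks-modify-device.rules) ----
// Returning AUTH_ADMIN makes even an active, local session authenticate as
// an administrator before udisks will modify a device.
polkit.addRule(function (action, subject) {
  if (action.id == "org.freedesktop.udisks2.modify-device") {
    return polkit.Result.AUTH_ADMIN;
  }
  // Returning nothing leaves other actions to later rules and to the
  // implicit defaults declared in the action's .policy file.
});
// ---- end of rules file ----

// Illustrative .policy implicit defaults (constructed for this example).
// The allow_active entry is the trust zone the article describes: with no
// rule in place, an active local session gets "yes" without any prompt.
const implicitDefaults = {
  [UDISKS_MODIFY]: { allow_any: "auth_admin", allow_inactive: "auth_admin", allow_active: "yes" },
};

// Stand-in for the authority's evaluation: rules run in order and the first
// one that returns a value wins; otherwise the implicit default matching the
// subject's session state applies. `subject.local` and `subject.active` are
// the attributes real polkit exposes on Subject objects.
function decide(actionId, subject, rules = registeredRules, defaults = implicitDefaults) {
  const action = { id: actionId };
  for (const rule of rules) {
    const result = rule(action, subject);
    if (result !== undefined && result !== null) return result;
  }
  const d = defaults[actionId];
  if (!d) return polkit.Result.NO;
  if (subject.local && subject.active) return d.allow_active;
  if (subject.local) return d.allow_inactive;
  return d.allow_any;
}

// Quick demonstration: the same active session before and after the rule.
const activeSession = { local: true, active: true };
console.log("without rule:", decide(UDISKS_MODIFY, activeSession, [])); // yes
console.log("with rule:   ", decide(UDISKS_MODIFY, activeSession));     // auth_admin
```

Passing an empty rules array to `decide` models a host with no rules.d override, which is the state the article says leaves allow_active users able to call the action unprompted.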

    Flaw Disclosed in Linux PAM

    The disclosure comes as maintainers of Linux PAM resolved a high-severity path traversal flaw (CVE-2025-6020, CVSS score: 7.8) that could also allow a local user to escalate to root privileges. The issue has been fixed in version 1.7.1.


    “The module pam_namespace in linux-pam <= 1.7.0 may access user-controlled paths without proper protections, which allows a local user to elevate their privileges to root via multiple symlink attacks and race conditions,” Linux PAM maintainer Dmitry V. Levin said.

    Linux systems are vulnerable if they use pam_namespace to set up polyinstantiated directories for which the path to either the polyinstantiated directory or the instance directory is under user control. As workarounds for CVE-2025-6020, users can disable pam_namespace or ensure it does not operate on user-controlled paths.

    ANSSI’s Olivier Bal-Petre, who reported the flaw to the maintainer on January 29, 2025, said users who do not use the namespace.init script provided by their distribution should also update their own script to ensure that either of the two paths is safe to operate on as root.

    Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.


    Source: thehackernews.com…

  • New Malware Campaign Uses Cloudflare Tunnels to Deliver RATs via Phishing Chains

    New Malware Campaign Uses Cloudflare Tunnels to Deliver RATs via Phishing Chains

    A new campaign is making use of Cloudflare Tunnel subdomains to host malicious payloads and deliver them via malicious attachments embedded in phishing emails.

    The ongoing campaign has been codenamed SERPENTINE#CLOUD by Securonix.

    It leverages “the Cloudflare Tunnel infrastructure and Python-based loaders to deliver memory-injected payloads through a chain of shortcut files and obfuscated scripts,” security researcher Tim Peck said in a report shared with The Hacker News.

    The attack starts with sending payment- or invoice-themed phishing emails bearing a link to a zipped document that contains a Windows shortcut (LNK) file. These shortcuts are disguised as documents to trick victims into opening them, effectively activating the infection sequence.

    The elaborate multi-step process culminates in the execution of a Python-based shellcode loader that executes payloads packed with the open-source Donut loader entirely in memory.

    Securonix said the campaign has targeted the United States, United Kingdom, Germany, and other regions across Europe and Asia. The identity of the threat actor(s) behind the campaign is presently unknown, although the cybersecurity company pointed out their English fluency.

    The threat activity cluster is also notable for its shifting initial access methods, pivoting from internet shortcut (URL) files to using LNK shortcut files masquerading as PDF documents. These payloads are then used to retrieve additional stages over WebDAV via the Cloudflare Tunnel subdomains.

    It’s worth noting that a variation of this campaign was previously documented by eSentire and Proofpoint last year, with the attacks paving the way for AsyncRAT, GuLoader, PureLogs Stealer, Remcos RAT, Venom RAT, and XWorm.


    The abuse of TryCloudflare offers manifold advantages. For starters, malicious actors have long made their operations harder to detect by using legitimate cloud service providers as a front, including for payload delivery and command-and-control (C2) communication.

    Using a reputable subdomain (“*.trycloudflare[.]com”) for nefarious ends makes it exceedingly tough for defenders to distinguish harmful from benign activity, allowing the campaign to evade URL- or domain-based blocking mechanisms.

    The initial infection occurs when the LNK file is launched, causing it to download a next-stage payload, a Windows Script File (WSF), from a remote WebDAV share hosted on a Cloudflare Tunnel subdomain. The WSF file is subsequently executed using cscript.exe without arousing the victim’s suspicion.

    “This WSF file functions as a lightweight VBScript-based loader, designed to execute an external batch file from a second Cloudflare domain,” Peck said. “The ‘kiki.bat’ file serves as the main payload delivery script next in the series of stagers. Overall, it’s designed for stealth and persistence.”

    The primary responsibility of the batch script is to display a decoy PDF document, check for antivirus software, and download and execute Python payloads, which are then used to run Donut-packed payloads like AsyncRAT or Revenge RAT in memory.

    Securonix said there is a possibility that the script may have been vibe-coded using a large language model owing to the presence of well-defined comments in the source code.

    “The SERPENTINE#CLOUD campaign is a complex and layered infection chain that blends a bit of social engineering, living-off-the-land techniques, and evasive in-memory code execution,” the company concluded. “The abuse of Cloudflare Tunnel infrastructure further complicates network visibility by giving the actor a disposable and encrypted transport layer for staging malicious files without maintaining traditional infrastructure.”

    Shadow Vector Targets Colombian Users via SVG Smuggling

    The disclosure comes as Acronis identified an active malware campaign dubbed Shadow Vector targeting users in Colombia using booby-trapped scalable vector graphics (SVG) files as the malware delivery vector in phishing emails that impersonate court notifications.

    “Attackers distributed spear-phishing emails impersonating trusted institutions in Colombia, delivering SVG decoys with embedded links to JS / VBS stagers hosted on public platforms, or password-protected ZIP files containing the payloads directly,” Acronis researchers Santiago Pontiroli, Jozsef Gegeny, and Ilia Dafchev said.

    The attacks led to the deployment of remote access trojans like AsyncRAT and Remcos RAT, with recent campaigns also utilizing a .NET loader associated with Katz Stealer. These attack chains involve hiding the payloads within Base64-encoded text of image files hosted on the Internet Archive.

    A noteworthy aspect of the campaign is the use of SVG smuggling techniques to deliver malicious ZIP archives. These payloads are hosted on file-sharing services such as Bitbucket, Dropbox, Discord, and YDRAY. The downloaded archives contain both legitimate executables and malicious DLLs, the latter of which are sideloaded to ultimately serve the trojans.


    “A natural evolution from its earlier SVG smuggling techniques, this threat actor has adopted a modular, memory-resident loader that can execute payloads dynamically and entirely in memory, leaving minimal traces behind,” the researchers said.

    “The presence of Portuguese-language strings and method parameters within the loader mirrors TTPs commonly observed in Brazilian banking malware, suggesting potential code reuse, shared development resources or even cross-regional actor collaboration.”

    ClickFix Surge Propels Drive-By Compromises

    The findings also coincide with a rise in social engineering attacks that employ the ClickFix tactic to deploy stealers and remote access trojans like Lumma Stealer and SectopRAT under the guise of fixing an issue or completing a CAPTCHA verification.

    According to statistics shared by ReliaQuest, drive-by compromises accounted for 23% of all phishing-based tactics observed between March and May 2025. “Techniques like ClickFix were central to drive-by downloads,” the cybersecurity company said.

    ClickFix is effective primarily because it deceives targets into carrying out seemingly harmless, everyday actions that are unlikely to raise any red flags; users are so accustomed to CAPTCHA screening pages and similar notifications that the prompts go unquestioned. What makes it compelling is that it gets users to do the main work of infecting their own machines, instead of the attacker having to resort to more sophisticated methods like exploiting software flaws.

    “External remote resources dropped from third to fourth place as attackers increasingly exploit user mistakes rather than technical vulnerabilities,” ReliaQuest said. “This shift is likely driven by the simplicity, success rate, and universal applicability of social engineering campaigns like ClickFix.”



    Source: thehackernews.com…

  • 1,500+ Minecraft Players Infected by Java Malware Masquerading as Game Mods on GitHub

    1,500+ Minecraft Players Infected by Java Malware Masquerading as Game Mods on GitHub


    A new multi-stage malware campaign is targeting Minecraft users with Java-based malware distributed through a distribution-as-a-service (DaaS) offering called Stargazers Ghost Network.

    “The campaigns resulted in a multi-stage attack chain targeting Minecraft users specifically,” Check Point researchers Jaromír Hořejší and Antonis Terefos said in a report shared with The Hacker News.

    “The malware was impersonating Oringo and Taunahi, which are ‘Scripts and macros tools’ (aka cheats). Both the first and second stages are developed in Java and can only be executed if the Minecraft runtime is installed on the host machine.”

    The end goal of the attack is to trick players into downloading a Minecraft mod from GitHub and deliver a .NET information stealer with comprehensive data theft capabilities. The campaign was first detected by the cybersecurity company in March 2025.

    What makes the activity notable is its use of an illicit offering called the Stargazers Ghost Network, which makes use of thousands of GitHub accounts to set up tainted repositories that masquerade as cracked software and game cheats.


    These malicious repositories, masquerading as Minecraft mods, serve as a conduit for infecting users of the popular video game with a Java loader (e.g., “Oringo-1.8.9.jar”) that remains undetected by all antivirus engines as of writing.

    The Java archive (JAR) files implement simple anti-VM and anti-analysis techniques to sidestep detection efforts. Their main objective is to download and run another JAR file, a second-stage stealer that fetches and executes a .NET stealer as the final payload when the game is started by the victim.

    The second-stage component is retrieved from an IP address (“147.45.79.104”) that is stored in Base64-encoded form on Pastebin, essentially turning the paste tool into a dead drop resolver.

    “To add mods to a Minecraft game, the user must copy the malicious JAR archive into the Minecraft mods folder. After starting the game, the Minecraft process will load all mods from the folder, including the malicious mod, which will download and execute the second stage,” the researchers said.

    Besides downloading the .NET stealer, the second-stage stealer is equipped to steal Discord and Minecraft tokens, as well as Telegram-related data. The .NET stealer, on the other hand, is capable of harvesting credentials from various web browsers, gathering files, and collecting information from cryptocurrency wallets and other apps like Steam and FileZilla.

    It can also take screenshots and amass information related to running processes, the system’s external IP address, and clipboard contents. The captured information is eventually bundled and transmitted back to the attacker via a Discord webhook.

    The campaign is suspected to be the work of a Russian-speaking threat actor owing to the presence of several artifacts written in the Russian language and the timezone of the attacker’s commits (UTC+03:00). It’s estimated that more than 1,500 devices may have fallen prey to the scheme.

    “This case highlights how popular gaming communities can be exploited as effective vectors for malware distribution, emphasizing the importance of caution when downloading third-party content,” the researchers said.

    “The Stargazers Ghost Network has been actively distributing this malware, targeting Minecraft players seeking mods to enhance their gameplay. What appeared to be harmless downloads were, in fact, Java-based loaders that deployed two additional stealers, capable of exfiltrating credentials and other sensitive data.”

    New Variants of KimJongRAT Stealer Detected

    The development comes as Palo Alto Networks Unit 42 detailed two new variants of an information stealer codenamed KimJongRAT that’s likely connected to the same North Korean threat actor behind BabyShark and Stolen Pencil. KimJongRAT has been detected in the wild as far back as May 2013, delivered as a secondary payload in BabyShark attacks.


    “One of the new variants uses a Portable Executable (PE) file and the other uses a PowerShell implementation,” security researcher Dominik Reichel said. “The PE and PowerShell variants are both initiated by clicking a Windows shortcut (LNK) file that downloads a dropper file from an attacker-controlled content delivery network (CDN) account.”

    While the PE variant’s dropper deploys a loader, a decoy PDF and a text file, the dropper in the PowerShell variant deploys a decoy PDF file along with a ZIP archive. The loader, in turn, downloads auxiliary payloads, including the stealer component for KimJongRAT.

    The ZIP archive delivered by the PowerShell variant’s dropper contains scripts that embed the KimJongRAT PowerShell-based stealer and keylogger components.

    Both the new incarnations are capable of gathering and transferring victim information, files matching specific extensions, and browser data, such as credentials and details from cryptocurrency wallet extensions. The PE variant of KimJongRAT is also designed to harvest FTP and email client information.

    “The continued development and deployment of KimJongRAT, featuring changing techniques such as using a legitimate CDN server to disguise its distribution, demonstrates a clear and ongoing threat,” Unit 42 said. “This adaptability not only showcases the persistent threat posed by such malware but also underscores its developers’ commitment to updating and expanding its capabilities.”



    Source: thehackernews.com…

  • Water Curse Employs 76 GitHub Accounts to Deliver Multi-Stage Malware Campaign

    Water Curse Employs 76 GitHub Accounts to Deliver Multi-Stage Malware Campaign


    Cybersecurity researchers have exposed a previously unknown threat actor known as Water Curse that relies on weaponized GitHub repositories to deliver multi-stage malware.

    “The malware enables data exfiltration (including credentials, browser data, and session tokens), remote access, and long-term persistence on infected systems,” Trend Micro researchers Jovit Samaniego, Aira Marcelo, Mohamed Fahmy, and Gabriel Nicoleta said in an analysis published this week.

    The “broad and sustained” campaign, first spotted last month, set up repositories offering seemingly innocuous penetration testing utilities but harbored malicious payloads, such as an SMTP email bomber and Sakura-RAT, within their Visual Studio project configuration files.

    Water Curse’s arsenal incorporates a wide range of tools and programming languages, underscoring their cross-functional development capabilities to target the supply chain with “developer-oriented information stealers that blur the line between red team tooling and active malware distribution.”

    “Upon execution, the malicious payloads initiated complex multistage infection chains utilizing obfuscated scripts written in Visual Basic Script (VBS) and PowerShell,” the researchers said. “These scripts downloaded encrypted archives, extracted Electron-based applications, and performed extensive system reconnaissance.”


    The attacks are also characterized by the use of anti-debugging techniques, privilege escalation methods, and persistence mechanisms to maintain a long-term foothold on the affected hosts. Also employed are PowerShell scripts to weaken host defenses and inhibit system recovery.

    Water Curse has been described as a financially motivated threat actor that’s driven by credential theft, session hijacking, and resale of illicit access. As many as 76 GitHub accounts have been linked to the campaign. There is evidence to suggest related activity may have been ongoing all the way back to March 2023.

    The emergence of Water Curse is the latest example of how threat actors are abusing the trust associated with legitimate platforms like GitHub to deliver malware and stage software supply chain attacks.


    “Their repositories include malware, evasion utilities, game cheats, aimbots, cryptocurrency wallet tools, OSINT scrapers, spamming bots, and credential stealers,” Trend Micro said. “This reflects a multi-vertical targeting strategy that blends cybercrime with opportunistic monetization.”

    “Their infrastructure and behavior indicate a focus on stealth, automation, and scalability, with active exfiltration via Telegram and public file-sharing services.”

    The disclosure comes as multiple campaigns have been observed leveraging the prevalent ClickFix strategy to deploy various malware families such as AsyncRAT, DeerStealer (via a loader named Hijack Loader), Filch Stealer, LightPerlGirl, and SectopRAT (also via Hijack Loader).


    AsyncRAT is one of the many readily available remote access trojans (RATs) that has been put to use by unidentified threat actors to indiscriminately target thousands of organizations spanning multiple sectors since early 2024. Some aspects of the campaign were documented by Forcepoint in August 2024 and January 2025.

    “This tradecraft allows the malware to bypass traditional perimeter defenses, particularly by using Cloudflare’s temporary tunnels to serve payloads from seemingly legitimate infrastructure,” Halcyon said. “These tunnels provide attackers with ephemeral and unregistered subdomains that appear trustworthy to perimeter controls, making it difficult to pre-block or blacklist.”

    “Because the infrastructure is spun up dynamically via legitimate services, defenders face challenges in distinguishing malicious use from authorized DevOps or IT maintenance workflows. This tactic enables threat actors to deliver payloads without relying on compromised servers or bulletproof hosting, increasing both the scale and stealth of the campaign.”

    The findings also follow the discovery of an ongoing malicious campaign that has targeted various European organizations located in Spain, Portugal, Italy, France, Belgium, and the Netherlands with invoice-themed phishing lures to deliver a remote access trojan named Sorillus RAT (aka Ratty RAT).


    Previous campaigns distributing the malware have singled out accounting and tax professionals using income tax return decoys, some of which have leveraged HTML smuggling techniques to conceal the malicious payloads.

    The attack chain detailed by Orange Cyberdefense employs similar phishing emails that aim to trick recipients into opening PDF attachments containing a OneDrive link that points to a PDF file directly hosted on the cloud storage service while prompting the user to click an “Open the document” button.

    Doing so redirects the victim to a malicious web server that acts as a traffic distribution system (TDS), evaluating the incoming request to determine whether it should proceed to the next stage of the infection. If the victim’s machine meets the necessary criteria, the victim is shown a benign PDF while a JAR file is stealthily downloaded to drop and execute Sorillus RAT.


    A Java-based RAT that first surfaced in 2019, Sorillus is a cross-platform malware that can harvest sensitive information, download/upload files, take screenshots, record audio, log keystrokes, run arbitrary commands, and even uninstall itself. It also doesn’t help that numerous cracked versions of the trojan are available online.

    The attacks are assessed to be part of a broader campaign that has been observed delivering SambaSpy to users in Italy. SambaSpy, per Orange Cyberdefense, belongs to the Sorillus malware family.

    “The operation showcases a strategic blend of legitimate services – such as OneDrive, MediaFire, and tunneling platforms like Ngrok and LocaltoNet – to evade detection,” the cybersecurity company said. “The repeated use of Brazilian Portuguese in payloads supports a likely attribution to Brazilian-speaking threat actors.”



    Source: thehackernews.com…


  • FedRAMP at Startup Speed: Lessons Learned

    FedRAMP at Startup Speed: Lessons Learned

    Jun 18, 2025 | The Hacker News | DevSecOps / Security Architecture

    For organizations eyeing the federal market, FedRAMP can feel like a gated fortress. With strict compliance requirements and a notoriously long runway, many companies assume the path to authorization is reserved for the well-resourced enterprise. But that’s changing.

    In this post, we break down how fast-moving startups can realistically achieve FedRAMP Moderate authorization without derailing product velocity, drawing from real-world lessons, technical insights, and the bruises earned along the way from a cybersecurity startup that just went through the process.

    Why It Matters

    Winning in the federal space starts with trust—and that trust begins with FedRAMP. But pursuing authorization is not a simple compliance checkbox. It’s a company-wide shift that requires intentional strategy, deep security investment, and a willingness to move differently than most startups.

    Let’s get into what that actually looks like.

    Keys to a Successful FedRAMP Authorization

    1. Align to NIST 800-53 from Day One

    Startups that bolt on compliance late in the game usually end up rewriting their infrastructure to fit. The better path? Build directly against the NIST 800-53 Rev. 5 Moderate baseline as your internal security framework—even before FedRAMP is on the roadmap.

    This early commitment reduces rework, accelerates ATO prep, and fosters a security-first mindset that scales. Additionally, compliance is often a must-have for organizations that want to do business with mid-to-large enterprises, so it is more than a checkbox: it is a business enabler. Here at Beyond Identity, when we say “secure-by-design” platform, a foundational component is alignment to strict compliance frameworks from the start.

    2. Build an Integrated Security Team

    FedRAMP isn’t just an InfoSec problem—it’s a team sport. Success requires tight integration across:

    • Compliance-focused InfoSec leads who understand the nuances of FedRAMP controls
    • Application security engineers who can embed guardrails without bottlenecking delivery
    • DevSecOps teams to operationalize security across pipelines
    • Platform engineers responsible for both cloud posture and deployment parity

    Cross-functional collaboration isn’t a nice-to-have—it’s how you survive the inevitable curveballs.

    3. Mirror Your Commercial and Federal Architectures

    Attempting to run a separate product for the federal market? Don’t.

    Winning startups keep a single software release chain, with identical configurations and infrastructure across both environments. That means:

    • No federal-only forks
    • No custom hardening outside the mainline
    • One platform, one set of controls

    This approach dramatically reduces technical drift, simplifies audits, and ensures your engineers aren’t context-switching between two worlds.

    Scrutinize the Business Case

    FedRAMP isn’t cheap. Initial investments often exceed $1 million, and timelines can stretch beyond 12 months. Before you start:

    • Validate the market opportunity—can you actually win federal deals?
    • Confirm executive sponsorship—FedRAMP requires top-down alignment
    • Look for 10x return potential—not just for the cost, but for the time and energy involved

    This isn’t a growth experiment. It’s a long play that demands conviction.

    Pick the Right Partners

    Navigating FedRAMP alone is a losing strategy. Choose external vendors carefully:

    • Ask for customer references with successful FedRAMP delivery
    • Watch for predatory pricing—especially from Third Party Assessment Organizations and automation tools
    • Prioritize collaboration and transparency—your partner becomes an extension of your team

    Cut corners here and you’ll pay for it later—in both delays and trust.

    Build Internal Muscle

    No external vendor can replace internal readiness. You’ll need:

    • Security architecture skills with depth in cryptography, PKI, and TPMs
    • Ops maturity to manage change control, evidence collection, and ticketing rigor
    • Strong program management to coordinate vendors, auditors, and internal stakeholders
    • Team training—FedRAMP has a steep learning curve. Invest early.

    FedRAMP reshapes how you ship, with slower velocity, higher overhead, and the need for tight cross-functional alignment. While the impact is real, the long-term payoff is disciplined security and process maturity that goes well beyond compliance.

    The Toughest Challenges

    Every FedRAMP journey hits turbulence. Some of the hardest problems include:

    • Interpreting FedRAMP Moderate controls without clear guidance
    • Defining authorization boundaries across microservices and shared components
    • Operationalizing DevSecOps gates that enforce security without stalling builds
    • Choosing the right tools for SAST, DAST, SBOM, and SCA—and integrating them

    Don’t underestimate these. They can become critical blockers without careful planning.

    Achieving FedRAMP at startup speed is possible—but only with ruthless prioritization, integrated security culture, and a deep understanding of what you’re signing up for.

    If you’re considering the journey: start small, move deliberately, and commit fully. The federal market rewards trust—but only for those who earn it.

    Beyond Identity is a FedRAMP Moderate identity and access management platform that eliminates identity-based attacks. Learn more at beyondidentity.com.


    This article is a contributed piece from one of our valued partners.

  • CISA Warns of Active Exploitation of Linux Kernel Privilege Escalation Vulnerability

    Jun 18, 2025 | Ravie Lakshmanan | Linux / Vulnerability

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday placed a security flaw impacting the Linux kernel in its Known Exploited Vulnerabilities (KEV) catalog, stating it has been actively exploited in the wild.

    The vulnerability, CVE-2023-0386 (CVSS score: 7.8), is an improper ownership bug in the Linux kernel that could be exploited to escalate privileges on susceptible systems. It was patched in early 2023.

    “Linux kernel contains an improper ownership management vulnerability, where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel’s OverlayFS subsystem in how a user copies a capable file from a nosuid mount into another mount,” the agency said.

    “This uid mapping bug allows a local user to escalate their privileges on the system.”

    It’s currently not known how the security flaw is being exploited in the wild. In a report published in May 2023, Datadog said the vulnerability is trivial to exploit and that it works by tricking the kernel into creating a SUID binary owned by root in a folder like “/tmp” and executing it.

    “CVE-2023-0386 lies in the fact that when the kernel copied a file from the overlay file system to the ‘upper’ directory, it did not check if the user/group owning this file was mapped in the current user namespace,” the company said.

    “This allows an unprivileged user to smuggle an SUID binary from a ‘lower’ directory to the ‘upper’ directory, by using OverlayFS as an intermediary.”
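    As an added defender-side check (not Datadog's or CISA's code), the following Python script audits the scratch directories where the exploitation pattern described above leaves its artefact: a root-owned setuid binary, or a file carrying Linux file capabilities, sitting in a location any local user can write to. The directory list and the `privileged_uid` parameter are assumptions, the latter added only so the check can be exercised without root.

```python
import os
import stat
import tempfile

# Scratch locations any local user can write to; a root-owned setuid binary
# here is anomalous. Assumed defaults: adjust to the host being audited.
DEFAULT_SCRATCH_DIRS = ("/tmp", "/var/tmp", "/dev/shm")

def has_file_capabilities(path):
    """True if the file carries a security.capability xattr (Linux only; False elsewhere)."""
    listxattr = getattr(os, "listxattr", None)
    if listxattr is None:
        return False
    try:
        return "security.capability" in listxattr(path, follow_symlinks=False)
    except OSError:
        return False

def scan_scratch_dirs(dirs=DEFAULT_SCRATCH_DIRS, privileged_uid=0):
    """Walk dirs without following symlinks; return [(path, reason)] for regular
    files that are setuid and owned by privileged_uid, or that carry file
    capabilities. privileged_uid is a test hook: in production leave it at 0 (root)."""
    findings = []
    for top in dirs:
        for dirpath, _dirnames, filenames in os.walk(top):  # missing dir: no entries
            for name in filenames:
                full = os.path.join(dirpath, name)
                try:
                    st = os.lstat(full)  # lstat: never follow a planted symlink
                except OSError:
                    continue
                if not stat.S_ISREG(st.st_mode):
                    continue
                if st.st_mode & stat.S_ISUID and st.st_uid == privileged_uid:
                    findings.append((full, "setuid file owned by uid %d" % privileged_uid))
                elif has_file_capabilities(full):
                    findings.append((full, "file capabilities set"))
    return findings

def build_sample_tree():
    """Constructed fixture: a scratch dir with one setuid file and one plain file,
    both owned by the current user. Returns (dir, setuid_path)."""
    base = tempfile.mkdtemp(prefix="suid-audit-")
    for name, mode in (("smuggled", 0o4755), ("plain", 0o755)):
        path = os.path.join(base, name)
        with open(path, "wb") as fh:
            fh.write(b"#!/bin/sh\n")  # constructed placeholder content
        os.chmod(path, mode)
    return base, os.path.join(base, "smuggled")

if __name__ == "__main__":
    for path, reason in scan_scratch_dirs():
        print("SUSPICIOUS: %s (%s)" % (path, reason))
```

    Run periodically or from a host-based agent; any hit in these directories warrants a look at the process that created it, since ordinary software has no reason to drop a privileged binary there.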

    Later that year, cloud security firm Wiz detailed two security vulnerabilities dubbed GameOver(lay) (CVE-2023-32629 and CVE-2023-2640) affecting Unix systems that led to similar consequences as CVE-2023-0386.

    “These flaws allow the creation of specialized executables, which, upon execution, grant the ability to escalate privileges to root on the affected machine,” Wiz researchers said.

    Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary patches by July 8, 2025, to secure their networks against active threats.


  • Ex-CIA Analyst Sentenced to 37 Months for Leaking Top Secret National Defense Documents

    Jun 18, 2025 | Ravie Lakshmanan | Espionage / National Security

    A former U.S. Central Intelligence Agency (CIA) analyst has been sentenced to a little more than three years in prison for unlawfully retaining top secret National Defense Information (NDI), transmitting it to people who were not entitled to receive it, and attempting to cover up the malicious activity.

    Asif William Rahman, 34, of Vienna, was sentenced today to 37 months on charges of stealing and divulging classified information. He had been a CIA employee since 2016 and held a Top Secret security clearance with access to Sensitive Compartmented Information (SCI) until he was fired following his arrest last November in Cambodia.

    Earlier this January, Rahman pleaded guilty to two counts of willful retention and transmission of classified information related to the national defense.

    As previously reported by The Hacker News, Rahman retained multiple Secret and Top Secret documents without authorization on October 17, 2024, took them to his place of residence in a backpack, and willfully sent them to several individuals who did not have the necessary clearance to receive them.

    “The defendant photographed the documents and transferred those images to a computer program that allowed him to edit the images to attempt to conceal their source and delete his activity,” according to court documents. “The defendant also took steps to conceal his identity while unlawfully sharing classified information with others.”

    Some of these documents were related to Israel’s plans to attack Iran around that time. They eventually began circulating online after they were posted on Telegram by an account called Middle East Spectator.

    To cover up these acts, Rahman engaged in what the U.S. Department of Justice (DoJ) described as a “deletion campaign of work product” on his computer, wiping roughly 1.5 GB of data from his email and personal folder on his system. He also deleted and edited certain journal entries to conceal his personal opinions on U.S. policy.

    “Asif Rahman violated his position of trust by illegally accessing, removing, and transmitting Top Secret documents vital to the national security of the United States and its allies,” said Erik S. Siebert, U.S. Attorney for the Eastern District of Virginia.

    “The urgency with which Mr. Rahman was identified, arrested, charged, and prosecuted is a testament to the commitment and professionalism of the investigators and prosecutors who brought him to justice. This case should serve as a stern warning to those who choose to place their own goals over their allegiance to our nation.”


  • Iran Slows Internet to Prevent Cyber Attacks Amid Escalating Regional Conflict

    Jun 18, 2025 | Ravie Lakshmanan | Hacktivism / Cyber Warfare

    Iran has throttled internet access in the country in a purported attempt to hamper Israel’s ability to conduct covert cyber operations, days after the latter launched an unprecedented attack on the country, escalating geopolitical tensions in the region.

    Fatemeh Mohajerani, the spokesperson of the Iranian Government, and the Iranian Cyber Police, FATA, said the internet slowdown was designed to maintain internet stability and that the move is “temporary, targeted, and controlled, to ward off cyber attacks.” Data shared by NetBlocks shows a “significant reduction in internet traffic” around 5:30 p.m. local time.

    The development comes amid deepening conflict, with Israel and Iran trading missile attacks since Friday. These attacks have spilled over into cyberspace, as security experts warned of retaliatory cyber operations by Iranian state actors and hacktivist groups.

    The digital conflict unfolding behind the scenes goes two ways. Earlier this week, a pro-Israeli group known as Predatory Sparrow claimed responsibility for a cyber attack on Iran’s Bank Sepah, crippling access to its website and ATMs.

    “‘Bank Sepah’ was an institution that circumvented international sanctions and used the people of Iran’s money to finance the regime’s terrorist proxies, its ballistic missile program, and its military nuclear program,” the group said in a public statement posted on X.

    Predatory Sparrow also said it sabotaged the bank’s infrastructure with help from “brave Iranians,” adding “This is what happens to institutions dedicated to maintaining the dictator’s terrorist fantasies.” Israel has a storied history of sophisticated cyber operations, most notably the Stuxnet attack targeting Iran’s nuclear program.

    Tel Aviv-based cybersecurity firm Radware said it has observed heightened activity from threat actors affiliated with Iran across public and private Telegram channels.

    Some of the groups, including Mysterious Team Bangladesh and Arabian Ghost, have warned neighboring countries Jordan and Saudi Arabia against supporting Israel and claimed to have shut down Israeli radio stations.

    The Iranian government has also urged citizens to delete WhatsApp, one of the country’s most popular messaging platforms, claiming without providing any evidence that the Meta-owned app has been weaponized by Israel to spy on its users.

    WhatsApp has denied the allegations. In a statement to the Associated Press, the company said it does not track users nor does it provide “bulk information to any government.”

    The cyber conflict also follows an announcement from the U.S. Department of State that it is seeking information on Iranian hackers accused of targeting critical infrastructure in the U.S., Israel, and other countries with the IOCONTROL (aka OrpaCrab) malware to breach Industrial Control Systems (ICS).

    “Cyber Av3ngers, which is associated with the online persona Mr. Soul, has launched a series of malicious cyber activities against U.S. critical infrastructure on behalf of Iran’s Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC),” the department’s Rewards for Justice (RFJ) program said.

    “Cyber Av3ngers actors have utilized malware known as IOCONTROL to target ICS/SCADA devices used by critical infrastructure sectors in the United States and worldwide.”


  • Veeam Patches CVE-2025-23121: Critical RCE Bug Rated 9.9 CVSS in Backup & Replication

    Jun 18, 2025 | Ravie Lakshmanan | Vulnerability / Data Protection

    Veeam has rolled out patches to contain a critical security flaw impacting its Backup & Replication software that could result in remote code execution under certain conditions.

    The security defect, tracked as CVE-2025-23121, carries a CVSS score of 9.9 out of a maximum of 10.0.

    “A vulnerability allowing remote code execution (RCE) on the Backup Server by an authenticated domain user,” the company said in an advisory.

    CVE-2025-23121 impacts all earlier version 12 builds, including 12.3.1.1139. It has been addressed in version 12.3.2 (build 12.3.2.3617). Security researchers at CODE WHITE GmbH and watchTowr have been credited with discovering and reporting the vulnerability.

    Cybersecurity company Rapid7 noted that the update likely addresses concerns shared by CODE WHITE in late March 2025 that the patch put in place to plug a similar hole (CVE-2025-23120, CVSS score: 9.9) could be bypassed.

    Also addressed by Veeam is another flaw in the same product (CVE-2025-24286, CVSS score: 7.2) that allows an authenticated user with the Backup Operator role to modify backup jobs, which could result in arbitrary code execution.

    The American company separately patched a vulnerability that affected Veeam Agent for Microsoft Windows (CVE-2025-24287, CVSS score: 6.1) that permits local system users to modify directory contents, leading to code execution with elevated permissions. The issue has been patched in version 6.3.2 (build 6.3.2.1205).

    According to Rapid7, more than 20% of its incident response cases in 2024 involved access to or exploitation of Veeam after a threat actor had already established a foothold in the target environment.

    With security flaws in Veeam backup software becoming a prime target for attackers in recent years, it’s crucial that customers update to the latest version of the software with immediate effect.
