Tag: Cyber Security

  • Apple Warns French Users of Fourth Spyware Campaign in 2025, CERT-FR Confirms

    Sep 12, 2025 | Ravie Lakshmanan

    Apple has notified users in France of a spyware campaign targeting their devices, according to the Computer Emergency Response Team of France (CERT-FR).

    The agency said the alerts were sent out on September 3, 2025, making it the fourth time this year that Apple has notified citizens in the country that at least one of the devices linked to their iCloud accounts may have been compromised as part of highly-targeted attacks.

    The agency did not share further details on what triggered these alerts. Previous threat notifications were sent on March 5, April 29, and June 25. Apple has been sending these notices since November 2021.

    “These complex attacks target individuals for their status or function: journalists, lawyers, activists, politicians, senior officials, members of steering committees of strategic sectors, etc,” CERT-FR said.

    The development comes less than a month after it emerged that a security flaw in WhatsApp (CVE-2025-55177, CVSS score: 5.4) was chained with an Apple iOS bug (CVE-2025-43300, CVSS score: 8.8) as part of zero-click attacks.

    WhatsApp subsequently told The Hacker News that it had sent in-app threat notifications to fewer than 200 users who may have been targeted as part of the campaign. It’s not known who, and which commercial spyware vendor, is behind the activity.

    The disclosure comes as Apple has introduced a security feature in the latest iPhone models called Memory Integrity Enforcement (MIE) to combat memory corruption vulnerabilities and make exploitation harder for surveillance vendors, who typically rely on such zero-days for planting spyware on a target’s phone.

    In a report published this week, the Atlantic Council said the number of United States investors in spyware and surveillance technologies jumped from 11 in 2023 to 31 last year, surpassing other major investing countries such as Israel, Italy, and the United Kingdom.

    Altogether, the study has flagged two holding companies, 55 individuals, 34 investors, eighteen partners, seven subsidiaries, 10 suppliers, and four vendors that established themselves in the last year in the spyware marketplace. This includes new spyware entities in Japan, Malaysia, and Panama, as well as vendors like Israel’s Bindecy and Italy’s SIO.

    “The quantity of U.S.-based entities investing in the spyware market is three times greater than in the next three highest countries with the most investors,” the report said, adding “56% of investors are incorporated in Israel, the United States, Italy, and the United Kingdom.”

    “Resellers and brokers now are key actors in the spyware market – comprising more sample market share than previously demonstrated – and oftentimes are under-observed and not readily addressed in current policy deliberations.”


    Source: thehackernews.com…

  • Samsung Fixes Critical Zero-Day CVE-2025-21043 Exploited in Android Attacks

    Sep 12, 2025 | Ravie Lakshmanan | Vulnerability / Mobile Security

    Samsung has released its monthly security updates for Android, including a fix for a security vulnerability that it said has been exploited in zero-day attacks.

    The vulnerability, CVE-2025-21043 (CVSS score: 8.8), concerns an out-of-bounds write that could result in arbitrary code execution.

    “Out-of-bounds Write in libimagecodec.quram.so prior to SMR Sep-2025 Release 1 allows remote attackers to execute arbitrary code,” Samsung said in an advisory. “The patch fixed the incorrect implementation.”

    According to a 2020 report from Google Project Zero, libimagecodec.quram.so is a closed-source image parsing library developed by Quramsoft that implements support for various image formats.

    The critical-rated issue, per the South Korean electronics giant, affects Android versions 13, 14, 15, and 16. The vulnerability was privately disclosed to the company on August 13, 2025.

    Samsung did not share any specifics on how the vulnerability is being exploited in attacks and who may be behind these efforts. However, it acknowledged that “an exploit for this issue has existed in the wild.”

    The development comes shortly after Google said it resolved two security flaws in Android (CVE-2025-38352 and CVE-2025-48543) that it said have been exploited in targeted attacks.


    Source: thehackernews.com…

  • Critical CVE-2025-5086 in DELMIA Apriso Actively Exploited, CISA Issues Warning

    Sep 12, 2025 | Ravie Lakshmanan | Vulnerability / Cyber Espionage

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a critical security flaw impacting Dassault Systèmes DELMIA Apriso Manufacturing Operations Management (MOM) software to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

    The vulnerability, tracked as CVE-2025-5086, carries a CVSS score of 9.0 out of 10.0. According to Dassault, the issue impacts versions from Release 2020 through Release 2025.

    “Dassault Systèmes DELMIA Apriso contains a deserialization of untrusted data vulnerability that could lead to a remote code execution,” the agency said in an advisory.

    The addition of CVE-2025-5086 to the KEV catalog comes after the SANS Internet Storm Center reported seeing exploitation attempts targeting the flaw that originate from the IP address 156.244.33[.]162, which geolocates to Mexico.

    The attacks involve sending an HTTP request to the “/apriso/WebServices/FlexNetOperationsService.svc/Invoke” endpoint with a Base64-encoded payload that decodes to a GZIP-compressed Windows executable (“fwitxz01.dll”), Johannes B. Ullrich, the dean of research at the SANS Technology Institute, said.

    Kaspersky has flagged the DLL as “Trojan.MSIL.Zapchast.gen,” which the company describes as a malicious program designed to electronically spy on a user’s activities, including capturing keyboard input, taking screenshots, and gathering a list of active applications, among others.

    “The collected information is sent to the cybercriminal by various means, including email, FTP, and HTTP (by sending data in a request),” the Russian cybersecurity vendor added.

    Zapchast variants, according to Bitdefender and Trend Micro, have been distributed via phishing emails bearing malicious attachments for over a decade. It’s currently not clear if “Trojan.MSIL.Zapchast.gen” is an improved version of the same malware.

    In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are advised to apply the necessary updates by October 2, 2025, to secure their networks.


    Source: thehackernews.com…

  • New HybridPetya Ransomware Bypasses UEFI Secure Boot With CVE-2024-7344 Exploit

    Cybersecurity researchers have discovered a new ransomware strain dubbed HybridPetya that resembles the notorious Petya/NotPetya malware, while also incorporating the ability to bypass the Secure Boot mechanism in Unified Extensible Firmware Interface (UEFI) systems using a now-patched vulnerability disclosed earlier this year.

    Slovakian cybersecurity company ESET said the samples were uploaded to the VirusTotal platform in February 2025.

    “HybridPetya encrypts the Master File Table, which contains important metadata about all the files on NTFS-formatted partitions,” security researcher Martin Smolár said. “Unlike the original Petya/NotPetya, HybridPetya can compromise modern UEFI-based systems by installing a malicious EFI application onto the EFI System Partition.”

    In other words, the deployed UEFI application is the central component that takes care of encrypting the Master File Table (MFT) file, which contains metadata related to all the files on the NTFS-formatted partition.

    HybridPetya comes with two main components: a bootkit and an installer, with the former appearing in two distinct versions. The bootkit, which is deployed by the installer, is chiefly responsible for loading its configuration and checking its encryption status. The encryption flag can have three different values –

    • 0 – ready for encryption
    • 1 – already encrypted, and
    • 2 – ransom paid, disk decrypted

    Should the value be set to 0, it proceeds to set the flag to 1 and encrypts the “\EFI\Microsoft\Boot\verify” file with the Salsa20 encryption algorithm using the key and nonce specified in the configuration. It also creates a file called “\EFI\Microsoft\Boot\counter” on the EFI System Partition prior to launching the disk encryption process of all NTFS-formatted partitions. The file is used to keep track of the already encrypted disk clusters.

    Furthermore, the bootkit updates the fake CHKDSK message displayed on the victim’s screen with information about the current encryption status, while the victim is deceived into thinking that the system is repairing disk errors.

    If the bootkit detects that the disk is already encrypted (i.e., the flag is set to 1), it serves a ransom note to the victim, demanding them to send $1,000 in Bitcoin to the specified wallet address (34UNkKSGZZvf5AYbjkUa2yYYzw89ZLWxu2). The wallet is currently empty, although it has received $183.32 between February and May 2025.

    The ransom note screen also provides an option for the victim to enter the decryption key purchased from the operator after making the payment, following which the bootkit verifies the key and attempts to decrypt the “\EFI\Microsoft\Boot\verify” file. In the event the correct key is entered, the bootkit sets the flag value to 2 and kicks off the decryption step by reading the contents of the “\EFI\Microsoft\Boot\counter” file.

    “The decryption stops when the number of decrypted clusters is equal to the value from the counter file,” Smolár said. “During the process of MFT decryption, the bootkit shows the current decryption process status.”

    The decryption phase also involves the bootkit recovering the legitimate bootloaders — “\EFI\Boot\bootx64.efi” and “\EFI\Microsoft\Boot\bootmgfw.efi” — from the backups previously created during the installation process. Once this step is complete, the victim is prompted to reboot their Windows machine.

    It’s worth noting that bootloader changes initiated by the installer during the deployment of the UEFI bootkit component trigger a system crash (aka Blue Screen of Death or BSoD) and ensure that the bootkit binary is executed once the device is turned on.

    Select variants of HybridPetya, ESET added, have been found to exploit CVE‑2024‑7344 (CVSS score: 6.7), a remote code execution vulnerability in the Howyar Reloader UEFI application (“reloader.efi”, renamed in the artifact as “\EFI\Microsoft\Boot\bootmgfw.efi”) that could result in a Secure Boot bypass.

    The variant also packs in a specially crafted file named “cloak.dat,” which is loadable through reloader.efi and contains the XORed bootkit binary. Microsoft has since revoked the old, vulnerable binary as part of its Patch Tuesday update for January 2025.

    “When the reloader.efi binary (deployed as bootmgfw.efi) is executed during boot, it searches for the presence of the cloak.dat file on the EFI System Partition, and loads the embedded UEFI application from the file in a very unsafe way, completely ignoring any integrity checks, thus bypassing UEFI Secure Boot,” ESET said.

    Another aspect where HybridPetya and NotPetya differ is that, unlike the latter’s destructive capabilities, the newly identified artifact allows the threat actors to reconstruct the decryption key from the victim’s personal installation keys.

    Telemetry data from ESET indicates no evidence of HybridPetya being used in the wild. The cybersecurity company also pointed out the recent discovery of a UEFI Petya Proof-of-Concept (PoC) by security researcher Aleksandra “Hasherezade” Doniec, adding it’s possible there could be “some relationship between the two cases.” However, it doesn’t rule out the possibility that HybridPetya may also be a PoC.

    “HybridPetya is now at least the fourth publicly known example of a real or proof-of-concept UEFI bootkit with UEFI Secure Boot bypass functionality, joining BlackLotus (exploiting CVE‑2022‑21894), BootKitty (exploiting LogoFail), and the Hyper-V Backdoor PoC (exploiting CVE‑2020‑26200),” ESET said.

    “This shows that Secure Boot bypasses are not just possible – they’re becoming more common and attractive to both researchers and attackers.”


    Source: thehackernews.com…

  • Cloud-Native Security in 2025: Why Runtime Visibility Must Take Center Stage

    The security landscape for cloud-native applications is undergoing a profound transformation. Containers, Kubernetes, and serverless technologies are now the default for modern enterprises, accelerating delivery but also expanding the attack surface in ways traditional security models can’t keep up with.

    As adoption grows, so does complexity. Security teams are asked to monitor sprawling hybrid environments, sift through thousands of alerts, and protect dynamic applications that evolve multiple times per day. The question isn’t just how to detect risks earlier — it’s how to prioritize and respond to what really matters in real time.

    That’s where cloud-native application protection platforms (CNAPPs) come into play. These platforms consolidate visibility, compliance, detection, and response into a unified system. But in 2025, one capability is proving indispensable: runtime visibility.

    The New Center of Gravity: Runtime

    For years, cloud security has leaned heavily on preventative controls like code scanning, configuration checks, and compliance enforcement. While essential, these measures provide only part of the picture. They identify theoretical risks, but not whether those risks are active and exploitable in production.

    Runtime visibility fills that gap. By observing what workloads are actually running — and how they behave — security teams gain the highest fidelity signal for prioritizing threats. Runtime context answers critical questions:

    • Is this vulnerability reachable in a live workload?
    • Is this misconfiguration creating a real attack path?
    • Is this workload being exploited right now?

    Without runtime, organizations risk chasing false positives while attackers exploit real weaknesses. With runtime, teams can focus on fixing the issues that matter most, reducing both noise and exposure.

    From Prevention to Prioritization

    Modern enterprises face an avalanche of alerts across vulnerability scanners, cloud posture tools, and application security platforms. The volume isn’t just overwhelming — it’s unsustainable. Analysts often spend more time triaging alerts than actually fixing problems. To be effective, organizations must map vulnerabilities and misconfigurations to:

    • The workloads that are actively running.
    • The business applications they support.
    • The teams responsible for fixing them.

    This alignment is critical for bridging the gap between security and development. Developers often see security findings as disruptive, low-context interruptions. Security teams, meanwhile, lack the visibility into ownership and accountability that’s needed to drive remediation.

    By grounding prioritization in runtime insights, enterprises can ensure that the right teams fix the right problems at the right time.

    The Role of AI in Cloud Security

    Even with better prioritization, the sheer scale and complexity of cloud environments challenge human teams. This is where artificial intelligence is beginning to reshape the CNAPP landscape.

    AI can help by:

    • Correlating signals across domains. Seemingly unrelated events in logs, network traffic, and workload behavior can reveal emerging attack campaigns.
    • Reducing false positives. Pattern recognition and large language models can identify which alerts are truly actionable.
    • Accelerating response. Automated reasoning can suggest remediation steps or even take action in low-risk scenarios.

    At Sysdig, we’ve seen how AI can serve as a force multiplier for security teams. Our own AI security analyst, Sysdig Sage™, uses multi-step reasoning to analyze complex attack patterns and surface insights that traditional tools miss. For overburdened security operations centers (SOCs), this means faster detection and shorter mean time to resolution (MTTR).

    The takeaway: AI isn’t replacing security teams, but it is reshaping how they operate — by filtering noise, enriching context, and enabling smarter, faster decisions.

    Accountability and Collaboration

    Another challenge enterprises face is accountability. Security findings are only valuable if they reach the right owner with the right context. Yet in many organizations, vulnerabilities are reported without clarity about which team should fix them.

    This is why mapping findings back to code artifacts, ownership, and deployment context is critical. It ensures that vulnerabilities discovered in production can be traced back to the team that introduced them. Security becomes a shared responsibility, not a siloed burden.

    Partnerships and integrations play a key role here. For example, Sysdig’s collaboration with Semgrep enables organizations to connect runtime vulnerabilities to their originating source code, reducing the back-and-forth between teams and streamlining remediation.

    Why Consolidation Is Inevitable

    Enterprises have long relied on best-of-breed security tools. But in the cloud, fragmentation becomes a liability. Multiple point products generate duplicate findings, lack shared context, and increase operational overhead.

    CNAPP represents the next stage of consolidation. By unifying vulnerability management, posture assessment, threat detection, and incident response into a single platform, organizations can:

    • Eliminate silos.
    • Reduce tool sprawl.
    • Gain a single source of truth for cloud risk.

    And most importantly, they can tie everything back to runtime, ensuring that real-world threats are never lost in the noise.

    Preparing for What’s Next

    The rise of containers and cloud-native applications shows no sign of slowing. In fact, by the end of the decade, containers are expected to power half of all enterprise applications. With this growth comes pressure for security teams to adopt strategies that scale, simplify, and automate.

    The future of cloud security will be defined by three priorities:

    1. Runtime-powered visibility to cut through noise and focus on real risk.
    2. AI-driven assistance to help teams triage, prioritize, and respond at machine speed.
    3. Unified platforms that consolidate fragmented tools into a single, contextual view of cloud risk.

    Enterprises that embrace this model will be positioned to move faster, reduce exposure, and stay ahead of attackers. Those who cling to disconnected tools and reactive processes will find themselves increasingly outpaced.

    Secure What Matters, When It Matters

    The cloud has redefined how businesses build and run applications. It’s now redefining how they must secure them. Runtime visibility, AI-driven prioritization, and unified platforms are no longer optional — they’re essential.

    At Sysdig, we believe the future of cloud security is rooted in real-time context and collaboration. By focusing on what’s actively happening in production, organizations can align security and development, reduce false positives, and respond to threats with confidence.

    The message is clear: stop chasing every alert and start focusing on what matters most.

    To explore these trends in greater depth, download the full 2025 Gartner® Market Guide for Cloud-Native Application Protection Platforms.

    This article is a contributed piece from one of our valued partners.


    Source: thehackernews.com…

  • Cursor AI Code Editor Flaw Enables Silent Code Execution via Malicious Repositories

    A security weakness has been disclosed in the artificial intelligence (AI)-powered code editor Cursor that could trigger code execution when a maliciously crafted repository is opened using the program.

    The issue stems from the fact that an out-of-the-box security setting is disabled by default, opening the door for attackers to run arbitrary code on users’ computers with their privileges.

    “Cursor ships with Workspace Trust disabled by default, so VS Code-style tasks configured with runOptions.runOn: ‘folderOpen’ auto-execute the moment a developer browses a project,” Oasis Security said in an analysis. “A malicious .vscode/tasks.json turns a casual ‘open folder’ into silent code execution in the user’s context.”

    Cursor is an AI-powered fork of Visual Studio Code, which supports a feature called Workspace Trust to allow developers to safely browse and edit code regardless of where it came from or who wrote it.

    With this option disabled, an attacker can make available a project in GitHub (or any platform) and include a hidden “autorun” instruction that instructs the IDE to execute a task as soon as a folder is opened, causing malicious code to be executed when the victim attempts to browse the booby-trapped repository in Cursor.

    “This has the potential to leak sensitive credentials, modify files, or serve as a vector for broader system compromise, placing Cursor users at significant risk from supply chain attacks,” Oasis Security researcher Erez Schwartz said.

    To counter this threat, users are advised to enable Workspace Trust in Cursor, open untrusted repositories in a different code editor, and audit them before opening them in the tool.
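One way to carry out the audit step above before a repository is opened in the editor, as an added example that is not from the article, Oasis Security or Cursor: it walks a checkout, parses every `.vscode/tasks.json` (tolerating the comments and trailing commas VS Code accepts) and reports tasks whose `runOptions.runOn` is `folderOpen`. The function names and the sample file are constructed for illustration.

```python
import json
import os
import sys

# Constructed sample of a .vscode/tasks.json; the command is a harmless placeholder.
SAMPLE_TASKS_JSON = """
{
  // VS Code accepts comments and trailing commas in this file
  "version": "2.0.0",
  "tasks": [
    { "label": "build", "type": "shell", "command": "make", "args": ["all"], },
    {
      "label": "prepare",
      "type": "shell",
      "command": "sh",
      "args": ["-c", "echo constructed-sample // not a comment"],
      "runOptions": { "runOn": "folderOpen" }, /* the autorun switch */
    },
  ],
}
"""


def strip_jsonc(text):
    """Drop // and /* */ comments and trailing commas, leaving strings untouched."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:      # keep escaped character as-is
                out.append(text[i + 1])
                i += 1
            elif c == '"':
                in_str = False
            i += 1
        elif c == '"':
            in_str = True
            out.append(c)
            i += 1
        elif text.startswith("//", i):
            while i < n and text[i] != "\n":
                i += 1
        elif text.startswith("/*", i):
            end = text.find("*/", i + 2)
            i = n if end == -1 else end + 2
        else:
            if c in "}]":                     # remove a comma left dangling before it
                j = len(out) - 1
                while j >= 0 and out[j].isspace():
                    j -= 1
                if j >= 0 and out[j] == ",":
                    del out[j]
            out.append(c)
            i += 1
    return "".join(out)


def describe(task):
    """Join command and args, including per-OS overrides, for the report."""
    parts = []
    for scope in (task, task.get("windows"), task.get("linux"), task.get("osx")):
        if isinstance(scope, dict) and "command" in scope:
            args = scope.get("args") or []
            parts.append(" ".join([str(scope["command"]), *map(str, args)]))
    return " | ".join(parts) or "<no command>"


def autorun_tasks(tasks_json_text):
    """Return (label, command) for every task configured to run on folder open."""
    try:
        doc = json.loads(strip_jsonc(tasks_json_text))
    except ValueError:
        # Fail closed: a file the audit cannot parse needs a manual look.
        return [("<unparseable tasks.json>", "review manually")]
    tasks = doc.get("tasks") if isinstance(doc, dict) else None
    hits = []
    for task in tasks if isinstance(tasks, list) else []:
        run_opts = task.get("runOptions") if isinstance(task, dict) else None
        if isinstance(run_opts, dict) and run_opts.get("runOn") == "folderOpen":
            hits.append((task.get("label", "<unlabelled>"), describe(task)))
    return hits


def scan_repo(root):
    """Map each .vscode/tasks.json under root to its folder-open tasks."""
    report = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        if os.path.basename(dirpath) == ".vscode" and "tasks.json" in filenames:
            path = os.path.join(dirpath, "tasks.json")
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = autorun_tasks(fh.read())
            if hits:
                report[os.path.relpath(path, root)] = hits
    return report


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, hits in scan_repo(target).items():
        for label, cmd in hits:
            print(f"{path}: task {label!r} runs on folder open: {cmd}")
```

Run it against a fresh clone from a terminal, not from inside the editor, so nothing in the repository is executed during the check.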

    The development comes as prompt injections and jailbreaks have emerged as a stealthy and systemic threat plaguing AI-powered coding and reasoning agents like Claude Code, Cline, K2 Think, and Windsurf, allowing threat actors to embed malicious instructions in sneaky ways to trick the systems into performing malicious actions or leaking data from software development environments.

    Software supply chain security outfit Checkmarx, in a report last week, revealed how Anthropic’s newly introduced automated security reviews in Claude Code could inadvertently expose projects to security risks, including instructing it to ignore vulnerable code through prompt injections, causing developers to push malicious or insecure code past security reviews.

    “In this case, a carefully written comment can convince Claude that even plainly dangerous code is completely safe,” the company said. “The end result: a developer – whether malicious or just trying to shut Claude up – can easily trick Claude into thinking a vulnerability is safe.”

    Another problem is that the AI inspection process also generates and executes test cases, which could lead to a scenario where malicious code is run against production databases if Claude Code isn’t properly sandboxed.

    The AI company, which also recently launched a new file creation and editing feature in Claude, has warned that the feature carries prompt injection risks due to it running in a “sandboxed computing environment with limited internet access.”

    Specifically, it’s possible for a bad actor to “inconspicuously” add instructions via external files or websites – aka indirect prompt injection – that trick the chatbot into downloading and running untrusted code or reading sensitive data from a knowledge source connected via the Model Context Protocol (MCP).

    “This means Claude can be tricked into sending information from its context (e.g., prompts, projects, data via MCP, Google integrations) to malicious third parties,” Anthropic said. “To mitigate these risks, we recommend you monitor Claude while using the feature and stop it if you see it using or accessing data unexpectedly.”

    That’s not all. Late last month, the company also revealed browser-using AI models like Claude for Chrome can face prompt injection attacks, and that it has implemented several defenses to address the threat and reduce the attack success rate from 23.6% to 11.2%.

    “New forms of prompt injection attacks are also constantly being developed by malicious actors,” it added. “By uncovering real-world examples of unsafe behavior and new attack patterns that aren’t present in controlled tests, we’ll teach our models to recognize the attacks and account for the related behaviors, and ensure that safety classifiers will pick up anything that the model itself misses.”

    At the same time, these tools have also been found susceptible to traditional security vulnerabilities, broadening the attack surface with potential real-world impact –

    • A WebSocket authentication bypass in Claude Code IDE extensions (CVE-2025-52882, CVSS score: 8.8) that could have allowed an attacker to connect to a victim’s unauthenticated local WebSocket server simply by luring them to visit a website under their control, enabling remote command execution
    • An SQL injection vulnerability in the Postgres MCP server that could have allowed an attacker to bypass the read-only restriction and execute arbitrary SQL statements
    • A path traversal vulnerability in Microsoft NLWeb that could have allowed a remote attacker to read sensitive files, including system configurations (“/etc/passwd”) and cloud credentials (.env files), using a specially crafted URL
    • An incorrect authorization vulnerability in Lovable (CVE-2025-48757, CVSS score: 9.3) that could have allowed remote unauthenticated attackers to read or write to arbitrary database tables of generated sites
    • Open redirect, stored cross-site scripting (XSS), and sensitive data leakage vulnerabilities in Base44 that could have allowed attackers to access the victim’s apps and development workspace, harvest API keys, inject malicious logic into user-generated applications, and exfiltrate data
    • A vulnerability in Ollama Desktop arising as a result of incomplete cross-origin controls that could have allowed an attacker to stage a drive-by attack, where visiting a malicious website can reconfigure the application’s settings to intercept chats and even alter responses using poisoned models

    “As AI-driven development accelerates, the most pressing threats are often not exotic AI attacks but failures in classical security controls,” Imperva said. “To protect the growing ecosystem of ‘vibe coding’ platforms, security must be treated as a foundation, not an afterthought.”


    Source: thehackernews.com…

  • Senator Wyden Urges FTC to Probe Microsoft for Ransomware-Linked Cybersecurity Negligence

    U.S. Senator Ron Wyden has called on the Federal Trade Commission (FTC) to probe Microsoft and hold it responsible for what he called “gross cybersecurity negligence” that enabled ransomware attacks on U.S. critical infrastructure, including against healthcare networks.

    “Without timely action, Microsoft’s culture of negligent cybersecurity, combined with its de facto monopolization of the enterprise operating system market, poses a serious national security threat and makes additional hacks inevitable,” Wyden wrote in a four-page letter to FTC Chairman Andrew Ferguson, likening Redmond to an “arsonist selling firefighting services to their victims.”

    The development comes after Wyden’s office obtained new information from healthcare system Ascension, which suffered a crippling ransomware attack last year, resulting in the theft of personal and medical information associated with nearly 5.6 million individuals.

    The ransomware attack, which also disrupted access to electronic health records, was attributed to a ransomware group known as Black Basta. According to the U.S. Department of Health and Human Services, the breach has been ranked as the third-largest healthcare-related incident over the past year.

    According to the senator’s office, the breach occurred when a contractor clicked on a malicious link after conducting a web search on Microsoft’s Bing search engine, causing their system to be infected with malware. Subsequently, the attackers leveraged “dangerously insecure default settings” on Microsoft software to obtain elevated access to the most sensitive parts of Ascension’s network.

    This involved the use of a technique called Kerberoasting that targets the Kerberos authentication protocol to extract encrypted service account credentials from Active Directory.

    Kerberoasting “exploits an insecure encryption technology from the 1980s known as ‘RC4’ that is still supported by Microsoft software in its default configuration,” Wyden’s office said, adding it urged Microsoft to warn customers about the threat posed by the technique on July 29, 2024.

    RC4, short for Rivest Cipher 4, is a stream cipher that was first developed in 1987. Originally intended to be a trade secret, it was leaked in a public forum in 1994. As of 2015, the Internet Engineering Task Force (IETF) has prohibited the use of RC4 in TLS, citing a “variety of cryptographic weaknesses” that allow plaintext recovery.

    Eventually, Microsoft did publish an alert in October 2024 outlining the steps users can take to stay protected, in addition to stating its plans to deprecate support for RC4 as a future update to Windows 11 24H2 and Windows Server 2025 –

    “The accounts most vulnerable to Kerberoasting are those with weak passwords and those that use weaker encryption algorithms, especially RC4. RC4 is more susceptible to the cyberattack because it uses no salt or iterated hash when converting a password to an encryption key, allowing the cyberthreat actor to guess more passwords quickly.

    “However, other encryption algorithms are still vulnerable when weak passwords are used. While AD will not try to use RC4 by default, RC4 is currently enabled by default, meaning a cyberthreat actor can attempt to request tickets encrypted using RC4. RC4 will be deprecated, and we intend to disable it by default in a future update to Windows 11 24H2 and Windows Server 2025.”

    Microsoft, which removed support for the Data Encryption Standard (DES) in Kerberos for Windows Server 2025 and Windows 11, version 24H2 earlier this February, said it has also introduced security improvements in Server 2025 that prevent the Kerberos Distribution Center from issuing Ticket Granting Tickets using RC4 encryption, such as RC4-HMAC(NT).

    Some of Microsoft’s recommended mitigations to harden environments against Kerberoasting include –

    • Using Group Managed Service Accounts (gMSA) or Delegated Managed Service Accounts (dMSA) wherever possible
    • Securing service accounts by setting randomly generated, long passwords that are at least 14 characters long
    • Making sure all service accounts are configured to use AES (128 and 256 bit) for Kerberos service ticket encryption
    • Auditing user accounts with Service Principal Names (SPNs)
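The SPN audit and AES checks in the list above can be scripted over a directory export. The following is an added example, not Microsoft's or the article's code: it decodes the Active Directory `msDS-SupportedEncryptionTypes` bitmask for each account that has a Service Principal Name and ranks what to fix first. The account records, host names and function names are constructed, and the treatment of an unset attribute as RC4-capable is an assumption based on the statement above that RC4 is enabled by default.

```python
# Bit values of the msDS-SupportedEncryptionTypes attribute.
ENC_BITS = {0x01: "DES-CBC-CRC", 0x02: "DES-CBC-MD5", 0x04: "RC4-HMAC",
            0x08: "AES128", 0x10: "AES256"}
DES, RC4 = 0x03, 0x04

# Object classes whose passwords are generated and rotated by the directory.
MANAGED_CLASSES = {"msDS-GroupManagedServiceAccount",
                   "msDS-DelegatedManagedServiceAccount"}

# Constructed records, shaped like rows from an LDAP export.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc-sql", "objectClass": "user",
     "servicePrincipalName": ["MSSQLSvc/db01.example.test:1433"],
     "msDS-SupportedEncryptionTypes": None},
    {"sAMAccountName": "svc-backup", "objectClass": "user",
     "servicePrincipalName": ["backup/bk01.example.test"],
     "msDS-SupportedEncryptionTypes": 0x18},
    {"sAMAccountName": "svc-web", "objectClass": "user",
     "servicePrincipalName": ["HTTP/app.example.test"],
     "msDS-SupportedEncryptionTypes": "28"},  # exports often give strings
    {"sAMAccountName": "gmsa-iis$", "objectClass": "msDS-GroupManagedServiceAccount",
     "servicePrincipalName": ["HTTP/iis.example.test"],
     "msDS-SupportedEncryptionTypes": 0x1C},
    {"sAMAccountName": "alice", "objectClass": "user",
     "servicePrincipalName": [], "msDS-SupportedEncryptionTypes": None},
]


def decode_enctypes(mask):
    """Names of the encryption types enabled in the bitmask."""
    return [name for bit, name in sorted(ENC_BITS.items()) if mask & bit]


def audit_spn_accounts(accounts):
    """Rank SPN-bearing accounts by how urgently they need hardening."""
    rank = {"high": 0, "medium": 1, "low": 2}
    findings = []
    for acct in accounts:
        if not acct.get("servicePrincipalName"):
            continue  # no SPN, so no service ticket can be requested for it
        raw = acct.get("msDS-SupportedEncryptionTypes")
        enc = int(raw) if raw not in (None, "") else 0
        managed = acct.get("objectClass") in MANAGED_CLASSES
        reasons = []
        if enc == 0:
            # Assumption: an unset attribute falls back to the domain default,
            # which still permits RC4 per the Microsoft statement quoted above.
            reasons.append("encryption types unset; default permits RC4")
        if enc & RC4:
            reasons.append("RC4-HMAC tickets allowed")
        if enc & DES:
            reasons.append("DES tickets allowed")
        legacy = enc == 0 or bool(enc & (RC4 | DES))
        if not managed:
            reasons.append("user-managed password; use gMSA/dMSA or a long random one")
        if managed and not legacy:
            continue  # managed password and AES only: nothing to report
        priority = "low" if managed else ("high" if legacy else "medium")
        findings.append({"account": acct["sAMAccountName"], "priority": priority,
                         "enabled": decode_enctypes(enc), "reasons": reasons})
    return sorted(findings, key=lambda f: rank[f["priority"]])


if __name__ == "__main__":
    for f in audit_spn_accounts(SAMPLE_ACCOUNTS):
        print(f'{f["priority"]:<6} {f["account"]:<12} {"; ".join(f["reasons"])}')
```

AES-only accounts with user-managed passwords are still reported at medium priority because, as the statement above notes, other encryption algorithms remain vulnerable when weak passwords are used.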

    However, Wyden wrote that Microsoft’s software does not enforce a 14-character password length for privileged accounts, and that the company’s continued support for the insecure RC4 encryption technology “needlessly exposes” its customers to ransomware and other cyber threats by allowing attackers to crack the passwords of privileged accounts.


    The Hacker News has reached out to Microsoft for comment, and we will update the story if we hear back. This is not the first time the Windows maker has been blasted for its cybersecurity practices.

    In a report released last year, the U.S. Cyber Safety Review Board (CSRB) lambasted the company for a series of avoidable errors that could have prevented Chinese threat actors known as Storm-0558 from compromising the Microsoft Exchange Online mailboxes of 22 organizations and over 500 individuals around the world.

    “Ultimately, Microsoft’s abysmal cybersecurity track record has had no impact on its lucrative federal contracts thanks to its dominant market position and inaction by government agencies in the face of the company’s string of security failures,” Wyden’s office argued.

    “The letter underscores a long-standing tension in enterprise cybersecurity, the balance between legacy system support and secure-by-default design,” Ensar Seker, CISO at SOCRadar, said. “It’s about systemic risk inherited from default configurations and the architectural complexity of widely adopted software ecosystems like Microsoft’s. When a single vendor becomes foundational to national infrastructure, their security design decisions, or lack thereof, can have cascading consequences.”

    “Ultimately, this isn’t about blaming one company. It’s about recognizing that national security is now tightly coupled with the configuration defaults of dominant IT platforms. Enterprises and public sector agencies alike need to demand more secure-by-design defaults and be ready to adapt when they’re offered.”


    Source: thehackernews.com…

  • Google Pixel 10 Adds C2PA Support to Verify AI-Generated Media Authenticity


    Sep 11, 2025 | Ravie Lakshmanan | Artificial Intelligence / Mobile Security

    Google on Tuesday announced that its new Google Pixel 10 phones support the Coalition for Content Provenance and Authenticity (C2PA) standard out of the box to verify the origin and history of digital content.

    To that end, support for C2PA’s Content Credentials has been added to Pixel Camera and Google Photos apps for Android. The move, Google said, is designed to further digital media transparency.

    C2PA’s Content Credentials are a tamper-evident, cryptographically signed digital manifest providing verifiable provenance for digital content such as images, videos, or audio files. The metadata type, according to Adobe, serves as a “digital nutrition label,” giving information about the creator, how it was made, and if it was generated using artificial intelligence (AI).

    “The Pixel Camera app achieved Assurance Level 2, the highest security rating currently defined by the C2PA Conformance Program,” Google’s Android Security and C2PA Core teams said. “Assurance Level 2 for a mobile app is currently only possible on the Android platform.”

    “Pixel 10 phones support on-device trusted time-stamps, which ensures images captured with your native camera app can be trusted after the certificate expires, even if they were captured when your device was offline.”

    The capability is made possible using a combination of Google Tensor G5, Titan M2 security chip, and hardware-backed security features built into the Android operating system.


    Google said it has implemented C2PA to be secure, verifiable, and usable offline, thereby ensuring that provenance data is trustworthy, that the process is not personally identifiable, and that it works even when the device is not connected to the internet.

    This is achieved using –

    • Android Key Attestation to allow Google C2PA Certification Authorities (CAs) to verify that they are communicating with a genuine physical device
    • Hardware-backed Android Key Attestation certificates that include the package name and signing certificates associated with the app that requested the generation of the C2PA signing key to verify the request originated from a trusted, registered app
    • Generating and storing C2PA claim signing keys using Android StrongBox in the Titan M2 security chip for tamper-resistance
    • Anonymous, hardware-backed attestation to certify new cryptographic keys generated on-device without knowing who is using it
    • Unique certificates to sign each image, making it “cryptographically impossible” to deanonymize the creator
    • On-device, offline Time-Stamping Authority (TSA) component within the Tensor chip to generate cryptographically-signed time-stamps when the camera’s shutter is pressed

    “C2PA Content Credentials are not the sole solution for identifying the provenance of digital media,” Google said. “They are, however, a tangible step toward more media transparency and trust as we continue to unlock more human creativity with AI.”


    Source: thehackernews.com…

  • SonicWall SSL VPN Flaw and Misconfigurations Actively Exploited by Akira Ransomware Hackers


    Threat actors affiliated with the Akira ransomware group have continued to target SonicWall devices for initial access.

    Cybersecurity firm Rapid7 said it observed a spike in intrusions involving SonicWall appliances over the past month, particularly following reports about renewed Akira ransomware activity since late July 2025.

    SonicWall subsequently revealed the SSL VPN activity aimed at its firewalls involved a year-old security flaw (CVE-2024-40766, CVSS score: 9.3) where local user passwords were carried over during the migration and not reset.

    “We are observing increased threat activity from actors attempting to brute-force user credentials,” the company noted. “To mitigate risk, customers should enable Botnet Filtering to block known threat actors and ensure Account Lockout policies are enabled.”


    SonicWall has also urged users to review LDAP SSL VPN Default User Groups, describing it as a “critical weak point” if misconfigured in the context of an Akira ransomware attack —

    This setting automatically adds every successfully authenticated LDAP user to a predefined local group, regardless of their actual membership in Active Directory. If that default group has access to sensitive services – such as SSL VPN, administrative interfaces, or unrestricted network zones – then any compromised AD account, even one with no legitimate need for those services, will instantly inherit those permissions.

    This effectively bypasses intended AD group-based access controls, giving attackers a direct path into the network perimeter as soon as they obtain valid credentials.

    Rapid7, in its alert, said it has also observed threat actors accessing the Virtual Office Portal hosted by SonicWall appliances, which, in certain default configurations, can facilitate public access and enable attackers to configure MFA/TOTP with valid accounts, assuming there is a prior credential exposure.

    “The Akira group is potentially utilizing a combination of all three of these security risks to gain unauthorized access and conduct ransomware operations,” it said.

    To mitigate the risk, organizations are advised to rotate passwords on all SonicWall local accounts, remove any unused or inactive SonicWall local accounts, ensure MFA/TOTP policies are configured, and restrict Virtual Office Portal access to the internal network.

    Akira’s targeting of SonicWall SSL VPNs has also been echoed by the Australian Cyber Security Centre (ACSC), which acknowledged it’s aware of the ransomware gang striking vulnerable Australian organizations through the devices.

    Since its debut in March 2023, Akira has been a persistent threat in the ransomware threat landscape, claiming 967 victims to date, as per information from Ransomware.Live. According to statistics shared by CYFIRMA, Akira accounted for 40 attacks in the month of July 2025, making it the third most active group after Qilin and INC Ransom.

    Of the 657 ransomware attacks impacting industrial entities worldwide flagged in Q2 2025, Qilin, Akira, and Play ransomware families took the top three slots, each reporting 101, 79, and 75 incidents, respectively.

    Akira maintained “substantial activity with consistent targeting of manufacturing and transportation sectors through sophisticated phishing and multi-platform ransomware deployments,” industrial cybersecurity company Dragos said in a report published last month.

    Recent Akira ransomware infections have also leveraged search engine optimization (SEO) poisoning techniques to deliver trojanized installers for popular IT management tools, which are then used to drop the Bumblebee malware loader.


    The attacks then utilize Bumblebee as a conduit to distribute the AdaptixC2 post-exploitation and adversarial emulation framework, install RustDesk for persistent remote access, exfiltrate data, and deploy the ransomware.

    According to Palo Alto Networks Unit 42, the versatile and modular nature of AdaptixC2 can allow threat actors to execute commands, transfer files, and perform data exfiltration on infected systems. The fact that it’s also open-source means it can be customized by adversaries to fit their needs.

    Other campaigns propagating AdaptixC2, the cybersecurity company said, have used Microsoft Teams calls mimicking the IT help desk to trick unsuspecting users into granting them remote access via Quick Assist and drop a PowerShell script that decrypts the shellcode payload and loads it into memory.

    “The Akira ransomware group follows a standard attack flow: obtaining initial access via the SSLVPN component, escalating privileges to an elevated account or service account, locating and stealing sensitive files from network shares or file servers, deleting or stopping backups, and deploying ransomware encryption at the hypervisor level,” Rapid7 said.


    Source: thehackernews.com…

  • Fake Madgicx Plus and SocialMetrics Extensions Are Hijacking Meta Business Accounts


    Sep 11, 2025 | Ravie Lakshmanan | Malvertising / Browser Security

    Cybersecurity researchers have disclosed two new campaigns that are serving fake browser extensions using malicious ads and fake websites to steal sensitive data.

    The malvertising campaign, per Bitdefender, is designed to push fake “Meta Verified” browser extensions named SocialMetrics Pro that claim to unlock the blue check badge for Facebook and Instagram profiles. At least 37 malicious ads have been observed serving the extension in question.

    “The malicious ads are bundled with a video tutorial that guides viewers through the process of downloading and installing a so-called browser extension, which claims to unlock the blue verification tick on Facebook or other special features,” the Romanian cybersecurity vendor said.

    But, in reality, the extension – which is hosted on a legitimate cloud service called Box — is capable of collecting session cookies from Facebook and sending them to a Telegram bot controlled by the attackers. It’s also equipped to obtain the victim’s IP address by sending a query to ipinfo[.]io/json.

    Select variants of the rogue browser add-on have been observed using the stolen cookies to interact with the Facebook Graph API to likely fetch additional information related to the accounts. In the past, malware like NodeStealer has leveraged the Facebook Graph API to collect budget details of the account.

    The end goal of these efforts is to sell valuable Facebook Business and Ads accounts on underground forums for profit to other fraudsters, or repurpose them to fuel more malvertising campaigns, which, in turn, leads to more hijacked accounts – effectively creating a self-perpetuating cycle.


    The campaign exhibits all the “fingerprints” typically associated with Vietnamese-speaking threat actors, who are known to adopt various stealer families to target and gain unauthorized access to Facebook accounts. This hypothesis is also bolstered by the use of Vietnamese to narrate the tutorial and add source code comments.

    “By using a trusted platform, attackers can mass-generate links, automatically embed them into tutorials, and continuously refresh their campaigns,” Bitdefender said. “This fits a larger pattern of attackers industrializing malvertising, where everything from ad images to tutorials is created en masse.”

    The disclosure coincides with another campaign that’s targeting Meta advertisers with rogue Chrome extensions distributed via counterfeit websites posing as artificial intelligence (AI)-powered ad optimization tools for Facebook and Instagram. At the heart of the operation is a fake platform named Madgicx Plus.

    “Promoted as a tool to streamline campaign management and boost ROI using artificial intelligence, the extension instead delivers potentially malicious functionalities capable of hijacking business sessions, stealing credentials, and compromising Meta Business accounts,” Cybereason said.

    “The extensions are promoted as productivity or ad performance enhancers, but they operate as dual-purpose malware capable of stealing credentials, accessing session tokens, or enabling account takeover.”

    The extensions, the first of which is still available for download from the Chrome Web Store as of writing, are listed below –


    Once installed, the extension gains full access to all websites the user visits, enabling the threat actors to inject arbitrary scripts, as well as intercept and modify network traffic, monitor browsing activity, capture form inputs, and harvest sensitive data.

    It also prompts users to link their Facebook and Google accounts to access the service, while their identity information is covertly harvested in the background. Furthermore, the add-ons function similarly to the aforementioned fake Meta Verified extension in that they use victims’ stolen Facebook credentials to interact with the Facebook Graph API.

    “This staged approach reveals a clear threat-actor strategy: first capturing Google identity data, then pivoting to Facebook to broaden access and increase the chances of hijacking valuable business or advertising assets,” Cybereason said.


    Source: thehackernews.com…