Tag: Cyber Security

  • CBI Shuts Down £390K U.K. Tech Support Scam, Arrests Key Operatives in Noida Call Center

    Jul 14, 2025 | Ravie Lakshmanan | Cybercrime / Law Enforcement

    India’s Central Bureau of Investigation (CBI) has announced that it has taken steps to dismantle what it said was a transnational cybercrime syndicate that carried out “sophisticated” tech support scams targeting citizens of Australia and the United Kingdom.

    The fraudulent scheme is estimated to have led to losses worth more than £390,000 ($525,000) in the United Kingdom alone.

    The law enforcement effort, which was carried out on July 7, 2025, as part of Operation Chakra V, involved searches at three locations in Noida, one of which was a fully functional fraudulent call center operating from the Noida Special Economic Zone.

    Evidence gathered by the CBI revealed that the call center, named FirstIdea, made use of advanced calling infrastructure and malicious scripts to facilitate cross-border anonymity and victim targeting at scale. A total of two arrests have been made, including a key operative partner of FirstIdea.

    “The operation was meticulously timed with the time zones of the victims, resulting in the detection of live scam calls in progress during the raids,” the CBI said in a press statement.

    The syndicate, the agency added, masqueraded as technical support staff of reputed multinational companies, including Microsoft, with the intent of cheating foreign nationals by falsely claiming that their devices were compromised and extorting money from them to address non-existent technical problems.

    The U.K. National Crime Agency (NCA) said the arrests and disruption were the result of 18 months of “groundbreaking collaboration” between the CBI, the NCA, the U.S. Federal Bureau of Investigation (FBI), and Microsoft to identify the organized crime group and target the IT infrastructure it used.

    More than 100 people in the United Kingdom are said to have fallen prey to the tech support scam, which involved the threat actors using spoofed phone numbers and Voice Over Internet Protocol (VoIP) to route calls through multiple servers in several countries.

    “More than 100 U.K. victims had been contacted by a group offering to fix their computers for a fee, following a screen pop up that suggested their device was infected or had been hacked,” the NCA noted. “In reality, the fraudsters were posing as employees of Microsoft, offering software solutions to an attack that had never taken place.”

    The development comes as Nikkei Asia revealed that the number of scam centers used to pull off crypto scams in eastern Myanmar is continuing to expand at a rapid pace despite a crackdown earlier this February, with at least 16 suspected scam sites being documented and construction ongoing at eight of them.

    Source: thehackernews.com…

  • eSIM Vulnerability in Kigen's eUICC Cards Exposes Billions of IoT Devices to Malicious Attacks

    Jul 14, 2025 | Ravie Lakshmanan | Mobile Security / Vulnerability

    Cybersecurity researchers have discovered a new hacking technique that exploits weaknesses in the eSIM technology used in modern smartphones, exposing users to severe risks.

    The issues impact the Kigen eUICC card. According to the Irish company’s website, more than two billion SIMs in IoT devices have been enabled as of December 2020.

    The findings come from Security Explorations, a research lab of AG Security Research company. Kigen awarded the company a $30,000 bounty for their report.

    An eSIM, or embedded SIM, is a digital SIM card that’s embedded directly into a device as software installed onto an Embedded Universal Integrated Circuit Card (eUICC) chip.

    eSIMs allow users to activate a cellular plan from a carrier without the need for a physical SIM card. eUICC software offers the ability to change operator profiles, remote provisioning, and management of SIM profiles.

    “The eUICC card makes it possible to install the so-called eSIM profiles into the target chip,” Security Explorations said. “eSIM profiles are software representations of mobile subscriptions.”

    According to an advisory released by Kigen, the vulnerability is rooted in the GSMA TS.48 Generic Test Profile, versions 6.0 and earlier, which is said to be used in eSIM products for radio compliance testing.

    Specifically, the shortcoming allows for the installation of non-verified, and potentially malicious applets. GSMA TS.48 v7.0, released last month, mitigates the problem by restricting the use of the test profile. All other versions of the TS.48 specification have been deprecated.

    “Successful exploitation requires a combination of specific conditions. An attacker must first gain physical access to a target eUICC and use publicly known keys,” Kigen said. “This enables the attacker to install a malicious JavaCard applet.”

    Furthermore, the vulnerability could facilitate the extraction of the Kigen eUICC identity certificate, thereby making it possible to download arbitrary profiles from mobile network operators (MNOs) in cleartext, access MNO secrets, tamper with profiles, and load them onto an arbitrary eUICC without being flagged by the MNO.

    Security Explorations said the findings build upon its own prior research from 2019, which found multiple security vulnerabilities in Oracle Java Card that could pave the way for the deployment of a persistent backdoor in the card. One of the flaws also impacted Gemalto SIM, which relies on the Java Card technology.

    These security defects can be exploited to “break memory safety of the underlying Java Card VM” and gain full access to the card’s memory, break the applet firewall, and potentially even achieve native code execution.

    However, Oracle downplayed the potential impact and indicated that the “security concerns” did not affect its production Java Card VM. Security Explorations said these “concerns” have now been proven to be “real bugs.”

    The attacks might sound prohibitive to execute, but, to the contrary, they are well within the reach of capable nation-state groups. They could allow the attackers to compromise an eSIM card and deploy a stealthy backdoor, effectively intercepting all communications.

    “The downloaded profile can be potentially modified in such a way, so that the operator loses control over the profile (no ability for remote control / no ability to disable/invalidate it, etc.), the operator can be provided with a completely false view of the profile state or all of its activity can be subject to monitoring,” the company added.

    “In our opinion, the ability for a single broken eUICC / single eUICC GSMA cert theft to peek into (download in plaintext) eSIMs of arbitrary MNO constitutes a significant eSIM architecture weak point.”

    Source: thehackernews.com…

  • GPUHammer: New RowHammer Attack Variant Degrades AI Models on NVIDIA GPUs

    Jul 12, 2025 | Ravie Lakshmanan | AI Security / Vulnerability

    NVIDIA is urging customers to enable System-level Error Correction Codes (ECC) as a defense against a variant of a RowHammer attack demonstrated against its graphics processing units (GPUs).

    “Risk of successful exploitation from RowHammer attacks varies based on DRAM device, platform, design specification, and system settings,” the GPU maker said in an advisory released this week.

    Dubbed GPUHammer, the attacks mark the first-ever RowHammer exploit demonstrated against NVIDIA’s GPUs (e.g., the NVIDIA A6000 GPU with GDDR6 memory), allowing malicious GPU users to tamper with other users’ data by triggering bit flips in GPU memory.

    The most concerning consequence of this behavior, University of Toronto researchers found, is the degradation of an artificial intelligence (AI) model’s accuracy from 80% to less than 1%.

    RowHammer is to modern DRAM what Spectre and Meltdown are to contemporary CPUs. While both are hardware-level security vulnerabilities, RowHammer targets the physical behavior of DRAM memory, whereas Spectre exploits speculative execution in CPUs.

    RowHammer causes bit flips in nearby memory cells due to electrical interference in DRAM stemming from repeated memory access, while Spectre and Meltdown allow attackers to obtain privileged information from memory via a side-channel attack, potentially leaking sensitive data.

    In 2022, academics from the University of Michigan and Georgia Tech described a technique called SpecHammer that combines RowHammer and Spectre to launch speculative attacks. The approach essentially entails triggering a Spectre v1 attack by using Rowhammer bit-flips to insert malicious values into victim gadgets.

    GPUHammer is the latest variant of RowHammer, but one that’s capable of inducing bit flips in NVIDIA GPUs despite the presence of mitigations like target refresh rate (TRR).

    In a proof-of-concept developed by the researchers, using a single-bit flip to tamper with a victim’s ImageNet deep neural network (DNN) models can degrade model accuracy from 80% to 0.1%.

    Exploits like GPUHammer threaten the integrity of AI models, which are increasingly reliant on GPUs to perform parallel processing and carry out computationally demanding tasks, not to mention open up a new attack surface for cloud platforms.

    To mitigate the risk posed by GPUHammer, it’s advised to enable ECC through “nvidia-smi -e 1.” Newer NVIDIA GPUs like the H100 or RTX 5090 are not affected because they feature on-die ECC, which helps detect and correct errors arising from the voltage fluctuations associated with smaller, denser memory chips.

    “Enabling Error Correction Codes (ECC) can mitigate this risk, but ECC can introduce up to a 10% slowdown for [machine learning] inference workloads on an A6000 GPU,” Chris (Shaopeng) Lin, Joyce Qu, and Gururaj Saileshwar, the lead authors of the study, said, adding it also reduces memory capacity by 6.25%.

    The disclosure comes as researchers from NTT Social Informatics Laboratories and CentraleSupelec presented CrowHammer, a type of RowHammer attack that enables a key recovery attack against the FALCON (FIPS 206) post-quantum signature scheme, which has been selected by NIST for standardization.

    “Using RowHammer, we target Falcon’s RCDT [reverse cumulative distribution table] to trigger a very small number of targeted bit flips, and prove that the resulting distribution is sufficiently skewed to perform a key recovery attack,” the study said.

    “We show that a single targeted bit flip suffices to fully recover the signing key, given a few hundred million signatures, with more bit flips enabling key recovery with fewer signatures.”

    Source: thehackernews.com…

  • Over 600 Laravel Apps Exposed to Remote Code Execution Due to Leaked APP_KEYs on GitHub

    Cybersecurity researchers have discovered a serious security issue that allows leaked Laravel APP_KEYs to be weaponized to gain remote code execution capabilities on hundreds of applications.

    “Laravel’s APP_KEY, essential for encrypting sensitive data, is often leaked publicly (e.g., on GitHub),” GitGuardian said. “If attackers get access to this key, they can exploit a deserialization flaw to execute arbitrary code on the server – putting data and infrastructure at risk.”

    The company, in collaboration with Synacktiv, said it was able to extract more than 260,000 APP_KEYs from GitHub from 2018 to May 30, 2025, identifying over 600 vulnerable Laravel applications in the process. GitGuardian said it observed over 10,000 unique APP_KEYs across GitHub, of which 400 APP_KEYs were validated as functional.

    APP_KEY is a random 32-byte encryption key that’s generated during the installation of Laravel. Stored in the .env file of the application, it’s used to encrypt and decrypt data, generate secure random strings, sign and verify data, and create unique authentication tokens, making it a crucial security component.

    GitGuardian noted that Laravel’s current implementation of the decrypt() function introduces a security issue wherein it automatically deserializes decrypted data, thereby opening the door to possible remote code execution.

    “Specifically in Laravel applications, if attackers obtain the APP_KEY and can invoke the decrypt() function with a maliciously crafted payload, they can achieve remote code execution on the Laravel web server,” security researcher Guillaume Valadon said.

    “This vulnerability was first documented with CVE-2018-15133, which affected Laravel versions prior to 5.6.30. However, this attack vector persists in newer Laravel versions when developers explicitly configure session serialization in cookies using the SESSION_DRIVER=cookie setting, as demonstrated by CVE-2024-55556.”

    It’s worth noting that CVE-2018-15133 has been exploited in the wild by threat actors associated with the AndroxGh0st malware, after scanning the internet for Laravel applications with misconfigured .env files.

    Further analysis has found that 63% of APP_KEY exposures originate from .env files (or their variants) that typically contain other valuable secrets, such as cloud storage tokens, database credentials, and secrets associated with e-commerce platforms, customer support tools, and artificial intelligence (AI) services.

    More importantly, approximately 28,000 APP_KEY and APP_URL pairs have been concurrently exposed on GitHub. Of these, approximately 10% have been found to be valid, rendering 120 applications vulnerable to trivial remote code execution attacks.

    Given that the APP_URL configuration specifies the application’s base URL, exposing both APP_URL and APP_KEY creates a potent attack vector that threat actors can leverage to directly access the app, retrieve session cookies, and attempt to decrypt them using the exposed key.

    Simply scrubbing secrets from repositories isn’t enough—especially when they’ve already been cloned or cached by third-party tools. What developers need is a clear rotation path, backed by monitoring that flags every future reappearance of sensitive strings across CI logs, image builds, and container layers.

    “Developers should never simply delete exposed APP_KEYs from repositories without proper rotation,” GitGuardian said. “The proper response involves: immediately rotating the compromised APP_KEY, updating all production systems with the new key, and implementing continuous secret monitoring to prevent future exposures.”
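    The monitoring step above is the part teams most often skip. The following is an added example, not GitGuardian’s or Laravel’s own code: a small scanner that flags APP_KEY exposures in text such as a .env file, a diff or a CI log, checks whether the key decodes to a length Laravel actually uses, and ranks a key found next to its APP_URL as the worst case, as the article does. The key format (base64: prefix, 16 or 32 raw bytes) is assumed from Laravel’s default .env layout, and the sample .env is constructed.

```python
"""Flag Laravel APP_KEY (and APP_URL) exposures in text such as .env files,
git diffs or CI logs.  Added example, not GitGuardian's or Laravel's code."""
import base64
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional

# Laravel stores the key as "base64:" + base64 of the raw key bytes: 16 bytes for
# AES-128-CBC, 32 bytes for the default AES-256-CBC (assumed from the framework's
# default .env layout).  Anything else is a placeholder or a corrupted copy.
VALID_KEY_LENGTHS = {16, 32}
APP_KEY_RE = re.compile(
    r'^[ \t]*(?:export[ \t]+)?APP_KEY[ \t]*=[ \t]*["\']?(base64:[A-Za-z0-9+/=]+)["\']?[ \t]*$',
    re.M)
APP_URL_RE = re.compile(
    r'^[ \t]*(?:export[ \t]+)?APP_URL[ \t]*=[ \t]*["\']?(\S+?)["\']?[ \t]*$', re.M)


@dataclass
class Finding:
    line_no: int
    fingerprint: str        # short hash so reports never carry the key itself
    key_bytes: int
    well_formed: bool       # decodes to a length Laravel actually uses
    app_url: Optional[str]  # set when the same text also names the target app


def fingerprint(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def decoded_key_length(value: str) -> int:
    """Length of the raw key, or 0 if the base64 part does not decode."""
    try:
        return len(base64.b64decode(value[len("base64:"):], validate=True))
    except ValueError:          # binascii.Error is a ValueError subclass
        return 0


def scan(text: str) -> List[Finding]:
    """Return one Finding per APP_KEY line; APP_URL, if present, is attached."""
    url = APP_URL_RE.search(text)
    app_url = url.group(1) if url else None
    findings = []
    for m in APP_KEY_RE.finditer(text):
        value = m.group(1)
        n = decoded_key_length(value)
        line_no = text.count("\n", 0, m.start()) + 1
        findings.append(Finding(line_no, fingerprint(value), n,
                                n in VALID_KEY_LENGTHS, app_url))
    return findings


def risk(f: Finding) -> str:
    """Triage the way the article ranks exposures: a usable key next to its
    APP_URL is the worst case; a usable key alone still needs rotation."""
    if not f.well_formed:
        return "low"        # placeholder or truncated; verify, but not a live key
    return "critical" if f.app_url else "high"


# Constructed sample: a committed .env with a well-formed 32-byte key, its URL,
# and a stale pasted key that decodes to only 10 bytes.
CONSTRUCTED_KEY = "base64:" + base64.b64encode(b"A" * 32).decode()
SAMPLE_ENV = (
    "APP_NAME=Shop\n"
    "APP_ENV=production\n"
    f"APP_KEY={CONSTRUCTED_KEY}\n"
    "APP_URL=https://shop.example\n"
    "DB_PASSWORD=not-a-real-password\n"
    "# staging copy someone pasted below\n"
    'APP_KEY="base64:QUFBQUFBQUFBQQ=="\n'
)

if __name__ == "__main__":
    for f in scan(SAMPLE_ENV):
        print(f"line {f.line_no}: key {f.fingerprint} ({f.key_bytes} bytes) "
              f"risk={risk(f)} app_url={f.app_url}")
```

    Pointing scan() at CI output or container layers catches the reappearances the article warns about, and the fingerprint lets two teams confirm they are looking at the same leaked key without re-sharing it.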

    These types of incidents also align with a broader class of PHP deserialization vulnerabilities, where tools like phpggc help attackers craft gadget chains that trigger unintended behaviors during object loading. When used in Laravel environments with leaked keys, such gadgets can achieve full RCE without needing to breach the app’s logic or routes.

    The disclosure comes after GitGuardian revealed that it discovered a “staggering 100,000 valid secrets” in Docker images publicly accessible on the DockerHub registry. This includes secrets associated with Amazon Web Services (AWS), Google Cloud, and GitHub tokens.

    A new Binarly analysis of over 80,000 unique Docker images spanning 54 organizations and 3,539 repositories has likewise uncovered 644 unique secrets, encompassing generic credentials, JSON Web Tokens, HTTP Basic Authorization headers, Google Cloud API keys, AWS access tokens, and CircleCI API tokens, among others.

    “Secrets appear in a wide variety of file types, including source code, configuration files, and even large binary files, areas where many existing scanners fall short,” the company said. “Moreover, the presence of entire Git repositories inside container images represents a serious and often overlooked security risk.”

    But that’s not all. The rapid adoption of Model Context Protocol (MCP) to enable agentic workflows in enterprise-driven AI applications has opened up brand new attack vectors – a concerning one being the leakage of secrets from MCP servers published to GitHub repositories.

    Specifically, GitGuardian found that 202 of these MCP server repositories leaked at least one secret, accounting for 5.2% of all the repositories – a number that the company said is “slightly higher than the 4.6% occurrence rate observed on all public repositories,” making MCP servers a “new source of secret leaks.”

    While this research focuses on Laravel, the same root problem—unguarded secrets in public repositories—applies to other stacks. Organizations should explore centralized secret scanning, Laravel-specific hardening guides, and secure-by-design patterns for managing .env files and container secrets across frameworks.

    Source: thehackernews.com…

  • Taiwan NSB Alerts Public on Data Risks from Douyin, Weibo, and RedNote Over China Ties

    Jul 05, 2025 | Ravie Lakshmanan | National Security / Privacy

    Taiwan’s National Security Bureau (NSB) has warned that China-developed applications like RedNote (aka Xiaohongshu), Weibo, Douyin, WeChat, and Baidu Cloud pose security risks due to excessive data collection and data transfer to China.

    The alert comes following an inspection of these apps carried out in coordination with the Ministry of Justice Investigation Bureau (MJIB) and the Criminal Investigation Bureau (CIB) under the National Police Agency.

    “The results indicate the existence of security issues, including excessive data collection and privacy infringement,” the NSB said. “The public is advised to exercise caution when choosing mobile apps.”

    The agency said it evaluated the apps against 15 indicators spanning five broad categories: Personal data collection, excessive permission usage, data transmission and sharing, system information extraction, and biometric data access.

    According to the analysis, RedNote violated all 15 indicators, followed by Weibo and Douyin that were found to breach 13 indicators. WeChat and Baidu Cloud violated 10 and 9 of the 15 indicators, respectively.

    These issues encompassed extensive collection of personal data, including facial recognition information, screenshots, clipboard contents, contact lists, and location information. All the apps have also been flagged for harvesting the list of installed apps and device parameters.

    “With regard to data transmission and sharing, the said five apps were found to send packets back to servers located in China,” the NSB said. “This type of transmission has raised serious concerns over the potential misuse of personal data by third-parties.”

    NSB also pointed out that companies operating in China are obligated to turn over user data under domestic laws for national security, public security, and intelligence purposes, and that using these apps can breach the privacy of Taiwanese users.

    The development comes as countries like India have enacted bans against Chinese-made apps, citing security concerns. In November 2024, Canada ordered TikTok to dissolve its operations in the country, although its fate in the U.S. still remains in limbo, as the ban – which was supposed to take effect in January 2025 – has been extended for a third time.

    Last week, one of Germany’s data protection authorities urged Apple and Google to remove Chinese artificial intelligence (AI) chatbot DeepSeek from their respective app stores due to unlawful user data transfers to China. Similar restrictions have also been imposed by other nations.

    “The NSB strongly advises the public to remain vigilant regarding mobile device security and avoid downloading China-made apps that pose cybersecurity risks, so as to protect personal data privacy and corporate business secrets,” it added.

    (The story was updated after publication to emphasize that the NSB referred to Douyin, TikTok’s China-focused app, and not TikTok itself.)

    Source: thehackernews.com…

  • Fortinet Releases Patch for Critical SQL Injection Flaw in FortiWeb (CVE-2025-25257)

    Jul 11, 2025 | Ravie Lakshmanan | United States

    Fortinet has released fixes for a critical security flaw impacting FortiWeb that could enable an unauthenticated attacker to run arbitrary database commands on susceptible instances.

    Tracked as CVE-2025-25257, the vulnerability carries a CVSS score of 9.6 out of a maximum of 10.0.

    “An improper neutralization of special elements used in an SQL command (‘SQL Injection’) vulnerability [CWE-89] in FortiWeb may allow an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPs requests,” Fortinet said in an advisory released this week.

    The shortcoming impacts the following versions –

    • FortiWeb 7.6.0 through 7.6.3 (Upgrade to 7.6.4 or above)
    • FortiWeb 7.4.0 through 7.4.7 (Upgrade to 7.4.8 or above)
    • FortiWeb 7.2.0 through 7.2.10 (Upgrade to 7.2.11 or above)
    • FortiWeb 7.0.0 through 7.0.10 (Upgrade to 7.0.11 or above)

    Kentaro Kawane from GMO Cybersecurity, who was recently credited with reporting a set of critical flaws in Cisco Identity Services and ISE Passive Identity Connector (CVE-2025-20286, CVE-2025-20281, and CVE-2025-20282), has been credited with discovering the issue.

    In an analysis published today, watchTowr Labs said the problem is rooted in a function called “get_fabric_user_by_token” that’s associated with the Fabric Connector component, which acts as a bridge between FortiWeb and other Fortinet products.

    The function, in turn, is invoked from another function named “fabric_access_check,” that’s called from three different API endpoints: “/api/fabric/device/status,” “/api/v[0-9]/fabric/widget/[a-z]+,” and “/api/v[0-9]/fabric/widget.”

    The issue is that attacker-controlled input – passed via a Bearer token in the Authorization header of a specially crafted HTTP request – is placed directly into an SQL database query without adequate sanitization, so the database receives whatever syntax the attacker chooses.

    The attack can be extended further by embedding a SELECT … INTO OUTFILE statement to write the results of command execution to a file in the underlying operating system by taking advantage of the fact that the query is run as the “mysql” user.

    “The new version of the function replaces the previous format-string query with prepared statements – a reasonable attempt to prevent straightforward SQL injection,” security researcher Sina Kheirkhah said.
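    To make the contrast between a format-string query and a prepared statement concrete, here is an added example, not FortiWeb’s or watchTowr’s code: a token lookup written both ways against an in-memory SQLite table, plus a hardened access check that also rejects tokens outside an expected character set before the database is consulted. The table, column names, token format and tokens are all constructed for this demo and do not reflect FortiWeb internals.

```python
"""A token lookup done the two ways the FortiWeb write-up contrasts: the token
from the Authorization header formatted straight into the SQL text, and the
same query with a bound parameter.  Added example, not FortiWeb's code; the
table, column names and tokens are constructed for this demo."""
import re
import sqlite3
from typing import Dict, List, Optional

# Defence in depth: tokens are expected to be short and alphanumeric, so anything
# else is rejected before the database is consulted (the format is an assumption).
TOKEN_RE = re.compile(r"^[A-Za-z0-9._-]{8,128}$")


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the fabric user table (constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE fabric_user (id INTEGER PRIMARY KEY, name TEXT, token TEXT)")
    conn.executemany("INSERT INTO fabric_user (name, token) VALUES (?, ?)",
                     [("fabric-admin", "tok-a1b2c3d4"), ("fabric-readonly", "tok-e5f6a7b8")])
    return conn


def parse_bearer(authorization: str) -> Optional[str]:
    """Extract the token from 'Bearer <token>'; None for any other shape."""
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def lookup_user_unsafe(conn: sqlite3.Connection, token: str) -> List[str]:
    """Vulnerable form: the token becomes part of the SQL text, so a token
    containing quotes or keywords changes what the database is asked."""
    sql = f"SELECT name FROM fabric_user WHERE token = '{token}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_user_safe(conn: sqlite3.Connection, token: str) -> List[str]:
    """Fixed form: the token is bound as a value and can only ever be compared."""
    rows = conn.execute("SELECT name FROM fabric_user WHERE token = ?", (token,))
    return [row[0] for row in rows]


def fabric_access_check(conn: sqlite3.Connection, headers: Dict[str, str]) -> Optional[str]:
    """Hardened entry point: strict header parsing, token allow-list, bound
    query, and exactly one matching user or no access at all."""
    token = parse_bearer(headers.get("Authorization", ""))
    if token is None or not TOKEN_RE.fullmatch(token):
        return None
    users = lookup_user_safe(conn, token)
    return users[0] if len(users) == 1 else None


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"   # textbook tautology, used only to contrast the two lookups
    print("unsafe:", lookup_user_unsafe(db, crafted))   # matches every row
    print("safe:  ", lookup_user_safe(db, crafted))     # matches nothing
    print("check: ", fabric_access_check(db, {"Authorization": "Bearer tok-e5f6a7b8"}))
```

    The allow-list check is not a substitute for the bound parameter; it exists so that a malformed header is logged and refused before it ever reaches the query layer.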

    As a temporary workaround until the necessary patches can be applied, users are recommended to disable the HTTP/HTTPS administrative interface.

    With flaws in Fortinet devices having been exploited by threat actors in the past, it’s essential that users move quickly to update to the latest version to mitigate potential risks.

    Source: thehackernews.com…

  • PerfektBlue Bluetooth Vulnerabilities Expose Millions of Vehicles to Remote Code Execution

    Cybersecurity researchers have discovered a set of four security flaws in OpenSynergy’s BlueSDK Bluetooth stack that, if successfully exploited, could allow remote code execution on millions of transport vehicles from different vendors.

    The vulnerabilities, dubbed PerfektBlue, can be chained together into an exploit chain to run arbitrary code on cars from at least three major automakers, Mercedes-Benz, Volkswagen, and Skoda, according to PCA Cyber Security (formerly PCAutomotive). Outside of these three, a fourth unnamed original equipment manufacturer (OEM) has been confirmed to be affected as well.

    “PerfektBlue exploitation attack is a set of critical memory corruption and logical vulnerabilities found in OpenSynergy BlueSDK Bluetooth stack that can be chained together to obtain Remote Code Execution (RCE),” the cybersecurity company said.

    While infotainment systems are often seen as isolated from critical vehicle controls, in practice, this separation depends heavily on how each automaker designs internal network segmentation. In some cases, weak isolation allows attackers to use IVI access as a springboard into more sensitive zones—especially if the system lacks gateway-level enforcement or secure communication protocols.

    The only requirement to pull off the attack is that the bad actor needs to be within range and be able to pair their setup with the target vehicle’s infotainment system over Bluetooth. It essentially amounts to a one-click attack to trigger over-the-air exploitation.

    “However, this limitation is implementation-specific due to the framework nature of BlueSDK,” PCA Cyber Security added. “Thus, the pairing process might look different between various devices: limited/unlimited number of pairing requests, presence/absence of user interaction, or pairing might be disabled completely.”

    The list of identified vulnerabilities is as follows –

    • CVE-2024-45434 (CVSS score: 8.0) – Use-After-Free in AVRCP service
    • CVE-2024-45431 (CVSS score: 3.5) – Improper validation of an L2CAP channel’s remote CID
    • CVE-2024-45433 (CVSS score: 5.7) – Incorrect function termination in RFCOMM
    • CVE-2024-45432 (CVSS score: 5.7) – Function call with incorrect parameter in RFCOMM

    Successfully obtaining code execution on the In-Vehicle Infotainment (IVI) system enables an attacker to track GPS coordinates, record audio, access contact lists, and even perform lateral movement to other systems and potentially take control of critical software functions of the car, such as the engine.

    Following responsible disclosure in May 2024, patches were rolled out in September 2024.

    “PerfektBlue allows an attacker to achieve remote code execution on a vulnerable device,” PCA Cyber Security said. “Consider it as an entrypoint to the targeted system which is critical. Speaking about vehicles, it’s an IVI system. Further lateral movement within a vehicle depends on its architecture and might involve additional vulnerabilities.”

    Earlier this April, the company presented a series of vulnerabilities that could be exploited to remotely break into a Nissan Leaf electric vehicle and take control of critical functions. The findings were presented at the Black Hat Asia conference held in Singapore.

    “Our approach began by exploiting weaknesses in Bluetooth to infiltrate the internal network, followed by bypassing the secure boot process to escalate access,” it said.

    “Establishing a command-and-control (C2) channel over DNS allowed us to maintain a covert, persistent link with the vehicle, enabling full remote control. By compromising an independent communication CPU, we could interface directly with the CAN bus, which governs critical body elements, including mirrors, wipers, door locks, and even the steering.”

    CAN, short for Controller Area Network, is a communication protocol mainly used in vehicles and industrial systems to facilitate communication between multiple electronic control units (ECUs). Should an attacker with physical access to the car be able to tap into it, the scenario opens the door for injection attacks and impersonation of trusted devices.

    “One notorious example involves a small electronic device hidden inside an innocuous object (like a portable speaker),” the Hungarian company said. “Thieves covertly plug this device into an exposed CAN wiring junction on the car.”

    “Once connected to the car’s CAN bus, the rogue device mimics the messages of an authorized ECU. It floods the bus with a burst of CAN messages declaring ‘a valid key is present’ or instructing specific actions like unlocking the doors.”

    In a report published late last month, Pen Test Partners revealed it turned a 2016 Renault Clio into a Mario Kart controller by intercepting CAN bus data to gain control of the car and mapping its steering, brake, and throttle signals to a Python-based game controller.

    Source: thehackernews.com…

  • Iranian-Backed Pay2Key Ransomware Resurfaces with 80% Profit Share for Cybercriminals

    An Iranian-backed ransomware-as-a-service (RaaS) named Pay2Key has resurfaced in the wake of the Israel-Iran-U.S. conflict last month, offering bigger payouts to cybercriminals who launch attacks against Israel and the U.S.

    The financially motivated scheme, now operating under the moniker Pay2Key.I2P, is assessed to be linked to a hacking group tracked as Fox Kitten (aka Lemon Sandstorm).

    “Linked to the notorious Fox Kitten APT group and closely tied to the well-known Mimic ransomware, […] Pay2Key.I2P appears to partner with or incorporate Mimic’s capabilities,” Morphisec security researcher Ilia Kulmin said.

    “Officially, the group offers an 80% profit share (up from 70%) to affiliates supporting Iran or participating in attacks against the enemies of Iran, signaling their ideological commitment.”

    Last year, the U.S. government revealed the advanced persistent threat’s (APT) modus operandi of carrying out ransomware attacks by covertly partnering with NoEscape, RansomHouse, and BlackCat (aka ALPHV) crews.

    The use of Pay2Key by Iranian threat actors goes back to October 2020, with the attacks targeting Israeli companies by exploiting known security vulnerabilities.

    Pay2Key.I2P, per Morphisec, emerged on the scene in February 2025, claiming over 51 successful ransom payouts in four months, netting it more than $4 million in ransom payments and $100,000 in profits for individual operators.

    While their financial motives are apparent and doubtless effective, there is also an underlying ideological agenda behind them: the campaign appears to be a case of cyber warfare waged against targets in Israel and the U.S.

    A notable aspect of the latest variant of Pay2Key.I2P is that it’s the first known RaaS platform to be hosted on the Invisible Internet Project (I2P).

    “While some malware families have used I2P for [command-and-control] communication, this is a step further – a Ransomware-as-a-Service operation running its infrastructure directly on I2P,” Swiss cybersecurity company PRODAFT said in a post shared on X in March 2025. The post was subsequently reposted by Pay2Key.I2P’s own X account.

    What’s more, Pay2Key.I2P has been observed posting on a Russian darknet forum an offer that allowed anyone to deploy the ransomware binary for a $20,000 payout per successful attack, marking a shift in RaaS operations. The post was made by a user named “Isreactive” on February 20, 2025.

    “Unlike traditional Ransomware-as-a-Service (RaaS) models, where developers take a cut only from selling the ransomware, this model allows them to capture the full ransom from successful attacks, only sharing a portion with the attackers who deploy it,” Kulmin noted at the time.

    “This shift moves away from a simple tool-sale model, creating a more decentralized ecosystem, where ransomware developers earn from attack success rather than just from selling the tool.”

    As of June 2025, the ransomware builder includes an option to target Linux systems, indicating that the threat actors are actively refining and improving the locker’s functionality. The Windows counterpart, on the other hand, is delivered as a Windows executable within a self-extracting (SFX) archive.

    It also incorporates various evasion techniques that allow it to run unimpeded, disabling Microsoft Defender Antivirus and deleting the malicious artifacts deployed during the attack to minimize its forensic trail.


    “Pay2Key.I2P represents a dangerous convergence of Iranian state-sponsored cyber warfare and global cybercrime,” Morphisec said. “With ties to Fox Kitten and Mimic, an 80% profit incentive for Iran’s supporters, and over $4 million in ransoms, this RaaS operation threatens Western organizations with advanced, evasive ransomware.”

    The findings come as the U.S. cybersecurity and intelligence agencies have warned of retaliatory attacks by Iran after American airstrikes on three nuclear facilities in the country.

    Operational technology (OT) security company Nozomi Networks said it has observed Iranian hacking groups like MuddyWater, APT33, OilRig, Cyber Av3ngers, Fox Kitten, and Homeland Justice targeting transportation and manufacturing organizations in the U.S.

    “Industrial and critical infrastructure organizations in the U.S. and abroad are urged to be vigilant and review their security posture,” the company said, adding it detected 28 cyber attacks related to Iranian threat actors between May and June 2025.



    Source: thehackernews.com…

  • Critical Wing FTP Server Vulnerability (CVE-2025-47812) Actively Being Exploited in the Wild


    Jul 11, 2025 | Ravie Lakshmanan | Cyber Attack / Vulnerability


    A recently disclosed maximum-severity security flaw impacting the Wing FTP Server has come under active exploitation in the wild, according to Huntress.

    The vulnerability, tracked as CVE-2025-47812 (CVSS score: 10.0), is a case of improper handling of null (‘\0’) bytes in the server’s web interface, which allows for remote code execution. It has been addressed in version 7.4.4.

    “The user and admin web interfaces mishandle ‘\0’ bytes, ultimately allowing injection of arbitrary Lua code into user session files,” according to an advisory for the flaw on CVE.org. “This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default).”


    What makes it even more concerning is that the flaw can be exploited via anonymous FTP accounts. A comprehensive breakdown of the vulnerability entered the public domain towards the end of June 2025, courtesy of RCE Security researcher Julien Ahrens.

    Cybersecurity company Huntress said it observed threat actors exploiting the flaw to download and execute malicious Lua files, conduct reconnaissance, and install remote monitoring and management software.

    “CVE-2025-47812 stems from how null bytes are handled in the username parameter (specifically related to the loginok.html file, which handles the authentication process),” Huntress researchers said. “This can allow remote attackers to perform Lua injection after using the null byte in the username parameter.”

    “By taking advantage of the null-byte injection, the adversary disrupts the anticipated input in the Lua file which stores these session characteristics.”
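    Two checks a defender can run from the details above: a patch-status test against the fixed version 7.4.4, and a scan of web access logs for login requests whose username parameter decodes to a null byte. This is an added example, not code from Huntress or Wing FTP; the log format and the query-string placement of the username parameter are assumptions, so adapt the regex to the logs you actually have.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (hypothetical format, not from the article).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jul/2025:10:12:01 +0000] "POST /loginok.html?username=alice&password=x HTTP/1.1" 302 0
203.0.113.9 - - [01/Jul/2025:10:12:05 +0000] "POST /loginok.html?username=anonymous%00junk&password=x HTTP/1.1" 302 0
198.51.100.4 - - [01/Jul/2025:10:13:10 +0000] "GET /index.html HTTP/1.1" 200 1204
"""

# Request line inside a combined-log style entry: method, target, HTTP version.
LINE_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def username_has_null_byte(request_target: str) -> bool:
    """True if the decoded 'username' parameter contains a 0x00 byte.

    parse_qsl percent-decodes, so '%00' in the raw target becomes '\\x00'.
    """
    query = urlsplit(request_target).query
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key == "username" and "\x00" in value:
            return True
    return False


def find_suspicious_logins(log_text: str) -> list[str]:
    """Return source IPs of loginok.html requests carrying a null byte in username."""
    hits = []
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if not match:
            continue
        target = match.group("target")
        if urlsplit(target).path.endswith("/loginok.html") and username_has_null_byte(target):
            hits.append(line.split(" ", 1)[0])  # first field is the client IP
    return hits


def is_patched(version: str, fixed: tuple[int, ...] = (7, 4, 4)) -> bool:
    """True if a dotted Wing FTP version string is 7.4.4 or later."""
    parts = tuple(int(p) for p in version.strip().split("."))
    return parts >= fixed


if __name__ == "__main__":
    print("suspicious sources:", find_suspicious_logins(SAMPLE_LOG))
    print("7.4.3 patched?", is_patched("7.4.3"), "| 7.4.4 patched?", is_patched("7.4.4"))
```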

    Evidence of active exploitation was first observed against a single customer on July 1, 2025, merely a day after details of the exploit were disclosed. Upon gaining access, the threat actors are said to have run enumeration and reconnaissance commands, created new users as a form of persistence, and dropped Lua files to drop an installer for ScreenConnect.


    There is no evidence that the remote desktop software was actually installed, as the attack was detected and stopped before it could progress any further. It’s currently not clear who is behind the activity.

    Data from Censys shows that there are 8,103 publicly-accessible devices running Wing FTP Server, out of which 5,004 have their web interface exposed. The majority of the instances are located in the U.S., China, Germany, the U.K., and India.

    In light of active exploitation, it’s essential that users move quickly to apply the latest patches and update Wing FTP Server to version 7.4.4 or later.



    Source: thehackernews.com…

  • Securing Data in the AI Era


    Jul 11, 2025 | The Hacker News | Data Security / Enterprise Security

    The 2025 Data Risk Report: Enterprises face potentially serious data loss risks from AI-fueled tools. Adopting a unified, AI-driven approach to data security can help.

    As businesses increasingly rely on cloud-driven platforms and AI-powered tools to accelerate digital transformation, the stakes for safeguarding sensitive enterprise data have reached unprecedented levels. The Zscaler ThreatLabz 2025 Data Risk Report reveals how evolving technology landscapes are amplifying vulnerabilities, highlighting the critical need for a proactive and unified approach to data protection.

    Drawing on insights from more than 1.2 billion blocked transactions recorded by the Zscaler Zero Trust Exchange between February and December 2024, this year’s report paints a clear picture of the data security challenges that enterprises face. From the rise of data leakage through generative AI tools to the undiminished risks stemming from email, SaaS applications, and file-sharing services, the findings are both eye-opening and urgent.

    The 2025 Data Risk Report sheds light on the multifaceted data security risks enterprises face in today’s digitally enabled world. Some of the most noteworthy trends include:

    • AI apps are a major data loss vector: AI tools like ChatGPT and Microsoft Copilot contributed to millions of data loss incidents in 2024, with social security numbers among the most frequently leaked data.
    • SaaS data loss is surging: Spanning 3,000+ SaaS apps, enterprises saw more than 872 million data loss violations.
    • Email remains a leading source of data loss: Nearly 104 million transactions leaked billions of instances of sensitive data.
    • File-sharing data loss spikes: Among the most popular file-sharing apps, 212 million transactions saw data loss incidents.

    There has never been a more critical time to rethink your enterprise’s approach to data security. The 2025 ThreatLabz Data Risk Report offers a comprehensive look at where risks lie, what drives them, and how organizations can respond effectively to secure their sensitive data in today’s rapidly evolving, AI-driven ecosystem.

    To learn more about Zscaler Zero Trust Architecture and Zero Trust + AI, visit zscaler.com/security

    This article is a contributed piece from one of our valued partners.


    Source: thehackernews.com…