Tag: Cyber Threats

Jun 17, 2025Ravie LakshmananMalware / Cyber Espionage

A now-patched security flaw in Google Chrome was exploited as a zero-day by a threat actor known as TaxOff to deploy a backdoor codenamed Trinper.

The attack, observed in mid-March 2025 by Positive Technologies, involved the use of a sandbox escape vulnerability tracked as CVE-2025-2783 (CVSS score: 8.3).

Google addressed the flaw later that month after Kaspersky reported in-the-wild exploitation in a campaign dubbed Operation ForumTroll targeting various Russian organizations.

“The initial attack vector was a phishing email containing a malicious link,” security researchers Stanislav Pyzhov and Vladislav Lunin said. “When the victim clicked the link, it triggered a one-click exploit (CVE-2025-2783), leading to the installation of the Trinper backdoor employed by TaxOff.”

The phishing email is said to have been disguised as an invitation to the Primakov Readings forum – the same lure detailed by Kaspersky – urging users to click on a link that led to a fake website hosting the exploit.

TaxOff is the name assigned to a hacking group that was first documented by the Russian cybersecurity company in late November 2024 as targeting domestic government agencies using legal and finance-related phishing emails to deliver Trinper.

Written in C++, the backdoor makes use of multithreading to capture victim host information, record keystrokes, gather files matching specific extensions (.doc, .xls, .ppt, .rtf, and .pdf), and establish a connection with a remote server to receive commands and exfiltrate the results of the execution.

The instructions sent from the command-and-control (C2) server extend the implant’s functionality, allowing it to read/write files, run commands using cmd.exe, launch a reverse shell, change directory, and shutdown itself.

“Multithreading provides a high degree of parallelism to hide the backdoor while retaining the ability to collect and exfiltrate data, install additional modules, and maintain communications with C2,” Lunin noted at the time.

Positive Technologies said its investigation into the mid-March 2025 intrusion led to the discovery of another attack dating back to October 2024 that also commenced with a phishing email, which purported to be an invitation to an international conference called “Security of the Union State in the modern world.”

The email message also contained a link, which downloaded a ZIP archive file containing a Windows shortcut that, in turn, launched a PowerShell command to ultimately serve a decoy document while also dropping a loader responsible for launching the Trinper backdoor by means of the open-source Donut loader. A variation of the attack has been found to swap out the Donut loader in favor of Cobalt Strike.

This attack chain, per the company, shares several tactical similarities with that of another hacking group tracked as Team46, raising the possibility that the two threat activity clusters are one and the same.

Interestingly, another set of phishing emails sent by the Team46 attackers a month before claimed to be from Moscow-based telecom operator Rostelecom, alerting recipients of supposed maintenance outages last year.

These emails included a ZIP archive, which embedded a shortcut that launched a PowerShell command to deploy a loader that had been previously used to deliver another backdoor in an attack targeting an unnamed Russian company in the rail freight industry.

The March 2024 intrusion, detailed by Doctor Web, is notable for the fact that one of the payloads weaponized a DLL hijacking vulnerability in the Yandex Browser (CVE-2024-6473, CVSS score: 8.4) as a zero-day to download and execute unspecified malware. It was resolved in version 24.7.1.380 released in September 2024.

“This group leverages zero-day exploits, which enables it to penetrate secure infrastructures more effectively,” the researchers said. “The group also creates and uses sophisticated malware, implying that it has a long-term strategy and intends to maintain persistence on the compromised systems for an extended period.”

Jun 17, 2025Ravie LakshmananVulnerability / LLM Security

Cybersecurity researchers have disclosed a now-patched security flaw in LangChain’s LangSmith platform that could be exploited to capture sensitive data, including API keys and user prompts.

The vulnerability, which carries a CVSS score of 8.8 out of a maximum of 10.0, has been codenamed AgentSmith by Noma Security.

LangSmith is an observability and evaluation platform that allows users to develop, test, and monitor large language model (LLM) applications, including those built using LangChain. The service also offers what’s called a LangChain Hub, which acts as a repository for all publicly listed prompts, agents, and models.

“This newly identified vulnerability exploited unsuspecting users who adopt an agent containing a pre-configured malicious proxy server uploaded to ‘Prompt Hub,’” researchers Sasi Levi and Gal Moyal said in a report shared with The Hacker News.

“Once adopted, the malicious proxy discreetly intercepted all user communications – including sensitive data such as API keys (including OpenAI API Keys), user prompts, documents, images, and voice inputs – without the victim’s knowledge.”

The first phase of the attack essentially unfolds thus: A bad actor crafts an artificial intelligence (AI) agent and configures it with a model server under their control via the Proxy Provider feature, which allows the prompts to be tested against any model that is compliant with the OpenAI API. The attacker then shares the agent on LangChain Hub.

The next stage kicks in when a user finds this malicious agent via LangChain Hub and proceeds to “Try It” by providing a prompt as input. In doing so, all of their communications with the agent are stealthily routed through the attacker’s proxy server, causing the data to be exfiltrated without the user’s knowledge.

The captured data could include OpenAI API keys, prompt data, and any uploaded attachments. The threat actor could weaponize the OpenAI API key to gain unauthorized access to the victim’s OpenAI environment, leading to more severe consequences, such as model theft and system prompt leakage.

What’s more, the attacker could use up all of the organization’s API quota, driving up billing costs or temporarily restricting access to OpenAI services.

It doesn’t end there. Should the victim opt to clone the agent into their enterprise environment, along with the embedded malicious proxy configuration, it risks continuously leaking valuable data to the attackers without giving any indication to them that their traffic is being intercepted.

Following responsible disclosure on October 29, 2024, the vulnerability was addressed in the backend by LangChain as part of a fix deployed on November 6. In addition, the patch implements a warning prompt about data exposure when users attempt to clone an agent containing a custom proxy configuration.

“Beyond the immediate risk of unexpected financial losses from unauthorized API usage, malicious actors could gain persistent access to internal datasets uploaded to OpenAI, proprietary models, trade secrets and other intellectual property, resulting in legal liabilities and reputational damage,” the researchers said.

New WormGPT Variants Detailed

The disclosure comes as Cato Networks revealed that threat actors have released two previously unreported WormGPT variants that are powered by xAI Grok and Mistral AI Mixtral.

WormGPT launched in mid-2023 as an uncensored generative AI tool designed to expressly facilitate malicious activities for threat actors, such as creating tailored phishing emails and writing snippets of malware. The project shut down not long after the tool’s author was outed as a 23-year-old Portuguese programmer.

Since then several new “WormGPT” variants have been advertised on cybercrime forums like BreachForums, including xzin0vich-WormGPT and keanu-WormGPT, that are designed to provide “uncensored responses to a wide range of topics” even if they are “unethical or illegal.”

“‘WormGPT’ now serves as a recognizable brand for a new class of uncensored LLMs,” security researcher Vitaly Simonovich said.

“These new iterations of WormGPT are not bespoke models built from the ground up, but rather the result of threat actors skillfully adapting existing LLMs. By manipulating system prompts and potentially employing fine-tuning on illicit data, the creators offer potent AI-driven tools for cybercriminal operations under the WormGPT brand.”

Jun 17, 2025Ravie LakshmananMalware / Email Security

Cybersecurity researchers are warning of a new phishing campaign that’s targeting users in Taiwan with malware families such as HoldingHands RAT and Gh0stCringe.

The activity is part of a broader campaign that delivered the Winos 4.0 malware framework earlier this January by sending phishing messages impersonating Taiwan’s National Taxation Bureau, Fortinet FortiGuard Labs said in a report shared with The Hacker News.

The cybersecurity company said it identified additional malware samples through continuous monitoring and that it observed the same threat actor, referred to as Silver Fox APT, using malware-laced PDF documents or ZIP files distributed via phishing emails to deliver Gh0stCringe and a malware strain based on HoldingHands RAT.

It’s worth noting that both HoldingHands RAT (aka Gh0stBins) and Gh0stCringe are variants of a known remote access trojan called Gh0st RAT, which is widely used by Chinese hacking groups.

The starting point of the attack is a phishing email that masquerades as messages from the government or business partners, employing lures related to taxes, invoices, and pensions to persuade recipients into opening the attachment. Alternate attack chains have been found to leverage an embedded image that, when clicked, downloads the malware.

The PDF files, in turn, contain a link that redirects prospective targets to a download page hosting a ZIP archive. Present within the file are several legitimate executables, shellcode loaders, and encrypted shellcode.

The multi-stage infection sequence entails the use of the shellcode loader to decrypt and execute the shellcode, which is nothing but DLL files sideloaded by the legitimate binaries using DLL side-loading techniques. Intermediate payloads deployed as part of the attack incorporate anti-VM and privilege escalation so as to ensure that the malware runs unimpeded on the compromised host.

The attack culminates with the execution of “msgDb.dat,” which implements command-and-control (C2) functions to collect user information and download additional modules to facilitate file management and remote desktop capabilities.

Fortinet said it also discovered the threat actor propagating Gh0stCringe via PDF attachments in phishing emails that take users to document download HTM pages.

“The attack chain comprises numerous snippets of shellcode and loaders, making the attack flow complex,” the company said. “Across winos, HoldingHands, and Gh0stCringe, this threat group continuously evolves its malware and distribution strategies.”

Jun 17, 2025Ravie LakshmananThreat Intelligence / Identity Security

The notorious cybercrime group known as Scattered Spider (aka UNC3944) that recently targeted various U.K. and U.S. retailers has begun to target major insurance companies, according to Google Threat Intelligence Group (GTIG).

“Google Threat Intelligence Group is now aware of multiple intrusions in the U.S. which bear all the hallmarks of Scattered Spider activity,” John Hultquist, chief analyst at GTIG, said in an email Monday.

“We are now seeing incidents in the insurance industry. Given this actor’s history of focusing on a sector at a time, the insurance industry should be on high alert, especially for social engineering schemes which target their help desks and call centers.”

Scattered Spider is the name assigned to an amorphous collective that’s known for its use of advanced social engineering tactics to breach organizations. In recent months, the threat actors are believed to have forged an alliance with the DragonForce ransomware cartel in the wake of the latter’s supposed takeover of RansomHub‘s infrastructure.

“The group has repeatedly demonstrated its ability to impersonate employees, deceive IT support teams, and bypass multi-factor authentication (MFA) through cunning psychological tactics,” SOS Intelligence said.

“Often described as ‘native English speakers,’ they are suspected to operate in or have ties to Western countries, bringing a cultural fluency that makes their phishing and phone-based attacks alarmingly effective.”

Earlier this month, ReliaQuest revealed that Scattered Spider and DragonForce are increasingly targeting managed service providers (MSPs) and IT contractors to obtain access to several downstream customers through a single compromise.

Google-owned Mandiant said the threat actors often single out large enterprise organizations, likely hoping to land a bigger payday.

Particularly targeted are enterprises with large help desks and outsourced IT functions that are susceptible to social engineering attacks.

To mitigate against tactics utilized by the e-crime group, it’s recommended to enhance authentication, enforce rigorous identity controls, implement access restrictions and boundaries to prevent privilege escalation and lateral movement, and train help desk personnel to positively identify employees before resetting their accounts.

Ransomware has become a highly coordinated and pervasive threat, and traditional defenses are increasingly struggling to neutralize it. Today’s ransomware attacks initially target your last line of defense — your backup infrastructure. Before locking up your production environment, cybercriminals go after your backups to cripple your ability to recover, increasing the odds of a ransom payout.

Notably, these attacks are carefully engineered takedowns of your defenses. The threat actors disable backup agents, delete snapshots, modify retention policies, encrypt backup volumes (especially those that are network accessible) and exploit vulnerabilities in integrated backup platforms. They are no longer trying just to deny your access but erase the very means of recovery. If your backup environment isn’t built with this evolving threat landscape in mind, it’s at high risk of getting compromised.

How can IT pros defend against this? In this guide, we’ll uncover the weak strategies that leave backups exposed and explore actionable steps to harden both on-site and cloud-based backups against ransomware. Let’s see how to build a resilient backup strategy, one that you can trust 100% even in the face of sophisticated ransomware attacks.

Common pitfalls that leave backups exposed

Inadequate separation and the lack of offsite or immutable copies are among the most common weaknesses in backup strategies. Snapshots or local backups alone aren’t enough; if they reside in the same on-site environment as production systems, they can be easily discovered, encrypted or deleted by attackers. Without proper isolation, backup environments are highly susceptible to lateral movement, allowing ransomware to spread from compromised systems to backup infrastructure.

Here are some of the most common lateral attack techniques used to compromise backups:

• Active Directory (AD) attacks: Attackers exploit AD to escalate privileges and gain access to backup systems.
• Virtual host takeover: Malicious actors utilize a misconfiguration or vulnerability in the guest tools or hypervisor code to control the hypervisor and virtual machines (VMs), including those hosting backups.
• Windows-based software attacks: Threat actors exploit built-in Windows services and known behaviors across versions for entry points into backup software and backup repositories.
• Common vulnerabilities and exposures (CVE) exploit: High-severity CVEs are routinely targeted to breach backup hosts before patches are applied.

Another major pitfall is relying on a single cloud provider for cloud backups, which creates a single point of failure and increases the risk of total data loss. For instance, if you’re backing up Microsoft 365 data in the Microsoft environment, your backup infrastructure and source systems share the same ecosystem, making them easy to discover. With stolen credentials or application programming interface (API) access, attackers can compromise both at once.

Build backup resilience with the 3-2-1-1-0 strategy

The 3-2-1 backup rule has long been the gold standard in data protection. However, as ransomware increasingly targets backup infrastructure, it’s no longer enough. Today’s threat landscape calls for a more resilient approach, one that assumes attackers will try to destroy your ability to recover.

That’s where the 3-2-1-1-0 strategy comes in. This approach aims to keep three copies of your data and store them on two different media, with one copy offsite, one immutable copy and zero backup errors.

Fig 1: The 3-2-1-1-0 backup strategy

Here’s how it works:

3 copies of data: 1 production + 2 backups

When backing up, it’s critical not to rely solely on file-level backups. Use image-based backups that capture the full system — the operating system (OS), applications, settings and data — for more complete recovery. Look for capabilities, such as bare metal recovery and instant virtualization.

Use a dedicated backup appliance (physical or virtual) instead of standard backup software for greater isolation and control. When looking for appliances, consider ones built on hardened Linux to reduce the attack surface and avoid Windows-based vulnerabilities and commonly targeted file types.

2 different media formats

Store backups on two distinct media types — local disk and cloud storage — to diversify risk and prevent simultaneous compromise.

1 offsite copy

Ensure one backup copy is stored offsite and geographically separated to protect against natural disasters or site-wide attacks. Use a physical or logical airgap wherever possible.

1 immutable copy

Maintain at least one backup copy in an immutable cloud storage so that it cannot be altered, encrypted or deleted by ransomware or rogue users.

0 errors

Backups must be regularly verified, tested and monitored to ensure they’re error-free and recoverable when needed. Your strategy isn’t complete until you have full confidence in recovery.

To make the 3-2-1-1-0 strategy truly effective, it’s critical to harden the environment where your backups live. Consider the following best practices:

• Deploy the backup server in a secure local area network (LAN) environment to limit accessibility.
• Restrict access using the principle of least privilege. Use role-based access control (RBAC) to ensure no local domain accounts have admin rights over the backup systems.
• Segment backup networks with no inbound traffic from the internet. Only allow outbound. Also, only protected systems should be able to communicate with the backup server.
• Employ a firewall to enforce network access controls and use port-based access control lists (ACLs) on network switch ports.
• Deploy agent-level encryption so data written to the backup server is encrypted using a unique key that only you can generate with your own passphrase.
• Disable unused services and ports to reduce the number of potential attack vectors.
• Enable multifactor authentication (MFA) — preferably biometric rather than time-based one-time password (TOTP) — for all access to the backup environment.
• Keep backup systems patched and up to date to avoid exposure to known vulnerabilities.
• Physically secure all backup devices with locked enclosures, access logs and surveillance measures.

Best practices for securing cloud-based backups

Ransomware can just as easily target cloud platforms, especially when backups live in the same ecosystem. That’s why segmentation and isolation are critical.

Data segmentation and isolation

To build a true air gap in the cloud, backup data must reside in a separate cloud infrastructure with its own authentication system. Avoid any reliance on production-stored secrets or credentials. This separation reduces the risk of a compromised production environment impacting your backups.

Use private cloud backup architecture

Choose services that move backup data out of the source environment and into an alternative cloud environment, such as a private cloud. This creates a logically isolated environment that’s shielded from original access vectors, delivering the air-gapped protection needed to withstand modern ransomware. Shared environments make it easier for attackers to discover, access or destroy both source and backup assets in a single campaign.

Authentication and access control

Cloud-based backups should use a completely separate identity system. Implement MFA (preferably biometric), RBAC and alerting for unauthorized changes, such as agent removal or retention policy modifications. Credentials must never be stored in the same ecosystem being backed up. Keeping access tokens and secrets outside of the production environment (like Azure or Microsoft 365) eliminates any dependency on them for backup recovery.

How Datto BCDR secures your backups for 100% recovery confidence

Even with the right strategy, resilience ultimately depends on the tools you choose. That’s where Datto’s business continuity and disaster recovery (BCDR) platform stands out. Datto BCDR offers seamless local and cloud continuity powered by its SIRIS and ALTO appliances and immutable Datto BCDR Cloud. It ensures your backups are always recoverable, even in worst-case scenarios.

Fig 2: How Datto BCDR delivers business continuity

Here’s how Datto BCDR delivers guaranteed recovery:

• Local and cloud redundancy: Datto BCDR provides robust backup appliances that double as local recovery targets. You can run workloads and applications directly on the device during a failure. If on-prem systems are compromised, recovery shifts seamlessly to the Datto BCDR Cloud for virtualized operations, ensuring business continuity without disruption.
• The power of immutable Datto BCDR Cloud: Purpose-built for backup and disaster recovery, the Datto BCDR Cloud delivers unmatched flexibility, security and performance. It goes beyond basic offsite storage to offer multilayered protection, making critical data both safe and instantly recoverable.
• Effective ransomware defense: Datto appliances run on a hardened Linux architecture to mitigate vulnerabilities commonly targeted in Windows systems. They also include built-in ransomware detection that actively scans for threats before any recovery is initiated.
• Automated, verified backup testing: Datto’s automated screenshot verification confirms that VMs can boot from backups. It also performs application-level checks to ensure workloads function correctly after restore, helping IT teams validate recovery without guesswork.
• Lightning-fast recovery options to make recovery seamless include:
  • Features like 1-Click Disaster Recovery (1-Click DR) that make disaster recovery near instant.
  • Secure, image-based backups for full-system restoration.
  • Cloud Deletion Defense™ to instantly recover deleted cloud snapshots, whether accidental or malicious.

Is it time to rethink your backup strategy?

Cyber resilience starts with backup security. Before ransomware strikes, ask yourself: Are your backups truly separated from your production systems? Can they be deleted or encrypted by compromised accounts? When was the last time you tested them?

Now is the time to evaluate your backup strategy through a risk-based lens. Identify the gaps, fortify the weak points and make recovery a certainty — not a question.

Explore how Datto BCDR can help you implement a secure, resilient backup architecture that’s built for real-world threats. Get pricing today.

Jun 17, 2025Ravie LakshmananVulnerability / Enterprise Software

Cybersecurity researchers have disclosed three security flaws in the popular Sitecore Experience Platform (XP) that could be chained to achieve pre-authenticated remote code execution.

Sitecore Experience Platform is an enterprise-oriented software that provides users with tools for content management, digital marketing, and analytics and reports.

The list of vulnerabilities, which are yet to be assigned CVE identifiers, is as follows –

• Use of hard-coded credentials
• Post-authenticated remote code execution via path traversal
• Post-authenticated remote code execution via Sitecore PowerShell Extension

watchTowr Labs researcher Piotr Bazydlo said the default user account “sitecoreServicesAPI” has a single-character password that’s hard-coded to “b.”

While the user has no roles and permissions assigned in Sitecore, the attack surface management firm found that the credentials could be alternately used against the “/sitecore/admin” API endpoint to sign in as “sitecoreServicesAPI” and obtain a valid session cookie for the user.

“While we can’t access ‘Sitecore Applications’ (where a significant portion of functionality is defined) as the ServicesAPI has no roles assigned, we can still: (1) Access a number of APIs, and (2) Pass through IIS authorization rules and directly access some endpoints,” Bazydlo explained.

This, in turn, opens the door to remote code execution via a zip slip vulnerability that makes it possible to upload a specially crafted ZIP file via the “/sitecore/shell/Applications/Dialogs/Upload/Upload2.aspx” endpoint and causes the archive’s contents (e.g., a web shell) to be written to the webroot directory.

The entire sequence of actions is listed below –

• Authenticate as the “sitecoreServicesAPI” user
• Access Upload2.aspx
• Upload a ZIP file, which contains a web shell called //../<web_shell>
• When prompted, check the Unzip option and complete the upload
• Access the web shell

The third vulnerability has to do with an unrestricted file upload flaw in PowerShell Extensions that can also be exploited as the “sitecoreServicesAPI” user to achieve remote code execution through the “/sitecore%20modules/Shell/PowerShell/UploadFile/PowerShellUploadFile2.aspx” endpoint.

watchTowr pointed out that the hard-coded password originates from within the Sitecore installer that imports a pre-configured user database with the ServicesAPI password set to “b.” This change, the company said, went into effect starting version 10.1.

This also means that the exploit chain only works if users have installed Sitecore using installers for versions ≥ 10.1. Users are likely not impacted if they were previously running a version prior to 10.1 and then upgraded to a newer vulnerable version, assuming the old database is being migrated, and not the database embedded within the installation package.

With previously disclosed flaws in Sitecore XP coming under active exploitation in the wild (CVE-2019-9874 and CVE-2019-9875), it’s essential that users apply the latest patches, if not already, to safeguard against potential cyber threats.

“By default, recent versions of Sitecore shipped with a user that had a hard-coded password of ‘b.’ It’s 2025, and we can’t believe we still have to say this, but that’s very bad,” Benjamin Harris, CEO and founder of watchTowr, told The Hacker News in a statement.

“Sitecore is deployed across thousands of environments, including banks, airlines, and global enterprises – so the blast radius here is massive. And no, this isn’t theoretical: we’ve run the full chain, end-to-end. If you’re running Sitecore, it doesn’t get worse than this – rotate creds and patch immediately before attackers inevitably reverse engineer the fix.”

For many organizations, Active Directory (AD) service accounts are quiet afterthoughts, persisting in the background long after their original purpose has been forgotten. To make matters worse, these orphaned service accounts (created for legacy applications, scheduled tasks, automation scripts, or test environments) are often left active with non-expiring or stale passwords.

It’s no surprise that AD service accounts often evade routine security oversight. Security teams, overwhelmed by daily demands and lingering technical debt, often overlook service accounts (unlinked to individual users and rarely scrutinized) allowing them to quietly fade into the background. However, this obscurity makes them prime targets for attackers seeking stealthy ways into the network. And left unchecked, forgotten service accounts can serve as silent gateways for attack paths and lateral movement across enterprise environments. In this article, we’ll examine the risks that forgotten AD service accounts pose and how you can reduce your exposure.

Uncover and inventory the forgotten

As the old cybersecurity adage goes, you can’t protect what you can’t see. This holds especially true for AD service accounts. Gaining visibility is the first step to securing them, but orphaned or unmonitored service accounts often operate silently in the background, escaping notice and oversight. These forgotten service accounts are especially problematic, as they’ve played a central role in some of the most damaging breaches in recent years. In the case of the 2020 SolarWinds attack, compromised service accounts were instrumental in helping threat actors navigate targeted environments and access sensitive systems.

Once attackers gain a foothold through phishing or social engineering, their next move typically involves hunting for service accounts to exploit and using them to elevate privileges and move laterally through the network. Fortunately, administrators have a variety of techniques available to identify and uncover forgotten or unmonitored AD service accounts:

• Query AD for service principal name (SPN)-enabled accounts, which are typically used by services to authenticate with other systems.
• Filter for accounts with non-expiring passwords, or those that haven’t logged in for an extended period.
• Scan scheduled tasks and scripts for hard-coded or embedded credentials that reference unused accounts.
• Review group membership anomalies, where service accounts may have inherited elevated privileges over time.
• Audit your Active Directory. You can run a read-only scan today with Specops’ free AD auditing tool: Specops Password Auditor

A real-world example: Botnet exploits forgotten accounts

In early 2024, security researchers discovered a botnet of over 130,000 devices targeting Microsoft 365 service accounts in a massive password-spraying campaign. The attackers bypassed multi-factor authentication (MFA) by abusing basic authentication, an outdated authentication scheme still enabled in many environments. Because these attacks didn’t trigger typical security alerts, many organizations were unaware they were compromised. This example is just one of many that highlight the importance of securing service accounts and eliminating legacy authentication mechanisms.

Privilege creep leads to silent escalation

Even service accounts that were initially created with minimal permissions can become dangerous over time. This scenario, known as privilege creep, occurs when accounts accumulate permissions due to system upgrades, role changes, or nested group memberships. What starts as a low-risk utility account can quietly evolve into a high-impact threat, capable of accessing critical systems without anyone realizing it.

Security teams should therefore review service account roles and permissions on a regular basis; if access isn’t actively managed, even well-intentioned configurations can drift into risky territory.

Key practices for securing AD service accounts

Effective AD service account management requires a deliberate, disciplined approach, as these logins are high-value targets that require proper handling. Here are some best practices that form the backbone of a strong AD service account security strategy:

Enforce least privilege

Grant only the permissions absolutely necessary for each account to function. Avoid placing service accounts in broad or powerful groups like Domain Admins.

Use managed service accounts and group managed service accounts

Managed service accounts (MSAs) and group managed service accounts (gMSAs) provide automatic password rotation and cannot be used for interactive logins—this makes them safer than traditional user accounts and easier to maintain securely.

Audit regularly

Use built-in AD auditing or third-party tools to track account usage, logins, and permission changes. Watch for signs of misuse or misconfiguration.

Enforce strong password policies

Long, complex passphrases should be the standard. Avoid reused or hard-coded credentials. Passwords should be rotated regularly or managed through automated tooling.

Restrict usage

Service accounts should not allow interactive logins. Assign a unique account to each service or application to contain any potential compromise.

Actively disable unused accounts

If an account is no longer in use, it should be disabled immediately. Periodic PowerShell queries can help identify stale or inactive accounts.

Separate roles

Create distinct service accounts for different functions like application services, database access, network tasks. This compartmentalization reduces the impact radius of any one compromise.

Apply MFA where necessary

Although service accounts should not support interactive logins, some instances may require exceptions. For these edge cases, enable MFA to increase security.

Use dedicated organizational units

Grouping service accounts in specific organizational units (OUs) simplifies policy enforcement and auditing. It also makes it easier to spot anomalies and maintain consistency.

Review dependencies and access

As environments evolve, revisit what each service account is used for and whether it still needs the same level of access. Adjust or retire accounts accordingly.

Automation and tools streamline AD service account security

Specops Password Auditor performs read-only scans of Active Directory to identify weak passwords, unused accounts, and other vulnerabilities, all without changing any AD settings. With built-in reports and alerts, security teams can proactively address AD service account risks instead of waiting for a breach to happen. Automating password management, policy enforcement, and auditing both strengthens security and reduces administrative overhead. Download for free.

Finding issues is one thing, but we also need to focus on prevention. Implementing the other best practices listed in this article manually is no small feat. Fortunately, tools like Specops Password Policy can help automate many of these processes, enforcing these best practices in a manageable and scalable way across your entire Active Directory environment. Book a Specops Password Policy demo today.

Jun 17, 2025Ravie LakshmananBotnet / Vulnerability

Cybersecurity researchers have called attention to a new campaign that’s actively exploiting a recently disclosed critical security flaw in Langflow to deliver the Flodrix botnet malware.

“Attackers use the vulnerability to execute downloader scripts on compromised Langflow servers, which in turn fetch and install the Flodrix malware,” Trend Micro researchers Aliakbar Zahravi, Ahmed Mohamed Ibrahim, Sunil Bharti, and Shubham Singh said in a technical report published today.

The activity entails the exploitation of CVE-2025-3248 (CVSS score: 9.8), a missing authentication vulnerability in Langflow, a Python-based “visual framework” for building artificial intelligence (AI) applications.

Successful exploitation of the flaw could enable unauthenticated attackers to execute arbitrary code via crafted HTTP requests. It was patched by Langflow in March 2025 with version 1.3.0.

Last month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) flagged the active exploitation of CVE-2025-3248 in the wild, with the SANS Technology Institute revealing that it detected exploit attempts against its honeypot servers.

The latest findings from Trend Micro show that threat actors are targeting unpatched internet-exposed Langflow instances leveraging a publicly-available proof-of-concept (PoC) code to conduct reconnaissance and drop a shell script downloader responsible for retrieving and executing the Flodrix botnet malware from “80.66.75[.]121:25565.”

Once installed, Flodrix sets up communications with a remote server to receive commands over TCP in order to launch distributed denial-of-service (DDoS) attacks against target IP addresses of interest. The botnet also supports connections over the TOR anonymity network.

“Since Langflow does not enforce input validation or sandboxing, these payloads are compiled and executed within the server’s context, leading to [remote code execution],” the researchers said. “Based on these steps, the attacker is likely profiling all vulnerable servers and uses the collected data to identify high-value targets for future infections.”

Trend Micro said it identified the unknown threat actors to be hosting different downloader scripts on the same host used to fetch Flodrix, suggesting that the campaign is undergoing active development.

Flodrix is assessed to be an evolution of another botnet called LeetHozer that’s linked to the Moobot group. The improved variant incorporates the ability to discreetly remove itself, minimize forensic traces, and complicate analysis efforts by obfuscating command-and-control (C2) server addresses and other important indicators.

“Another significant change is the introduction of new DDoS attack types, which are now also encrypted, adding a further layer of obfuscation,” Trend Micro said. “The new sample also notably enumerates the running processes by opening /proc directory to access all running processes.”

Jun 17, 2025Ravie LakshmananNetwork Security / IoT Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a high-severity security flaw in TP-Link wireless routers to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

The vulnerability in question is CVE-2023-33538 (CVSS score: 8.8), a command injection bug that could result in the execution of arbitrary system commands when processing the ssid1 parameter in a specially crafted HTTP GET request.

“TP-Link TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2 contain a command injection vulnerability via the component /userRpm/WlanNetworkRpm,” the agency said.

CISA has also warned that there is a possibility that affected products could be end-of-life (EoL) and/or end-of-service (EoS), urging users to discontinue their use if no mitigations are available.

There is currently no public information about how the shortcoming may be exploited in the wild.

In December 2024, Palo Alto Networks Unit 42 revealed that it had identified additional samples of an operational technology (OT)-centric malware called FrostyGoop (aka BUSTLEBERM) and that one of the IP addresses corresponding to an ENCO control device also acted as a router web server using TP-Link WR740N to access the ENCO device from a web browser.

However, it further pointed out that “there is no hard evidence to indicate that the attackers exploited [CVE-2023-33538] in the July 2024 FrostyGoop attack.”

The Hacker News has reached out to TP-Link for further details, and we will update the story if we hear back. In light of active exploitation, federal agencies are required to remediate the flaw by July 7, 2025.

New Activity Targets CVE-2023-28771

The disclosure comes as GreyNoise has warned of exploit attempts targeting a critical security flaw impacting Zyxel firewalls (CVE-2023-28771, CVSS score: 9.8).

CVE-2023-28771 refers to another operating system command injection vulnerability that could permit an unauthenticated attacker to execute commands by sending crafted requests to a susceptible device. It was patched by Zyxel in April 2023.

While the vulnerability was weaponized to build distributed denial-of-service (DDoS) botnets such as Mirai shortly after public disclosure, the threat intelligence firm said it spotted heightened attempts to exploit it as recently as June 16, 2025.

As many as 244 unique IP addresses are said to have participated in the efforts over a short timespan, with the activity targeting the United States, United Kingdom, Spain, Germany, and India.

“Historical analysis indicates that in the two weeks preceding June 16, these IPs were not observed engaging in any other scanning or exploit behavior — only targeting CVE-2023-28771,” GreyNoise said, adding it identified “indicators consistent with Mirai botnet variants.”

To mitigate the threat, users are recommended to update their Zyxel devices to the latest version, monitor for any anomalous activity, and limit exposure where applicable.

Jun 17, 2025Ravie LakshmananPrivacy / Data Protection

Meta Platforms on Monday announced that it’s bringing advertising to WhatsApp, but emphasized that the ads are “built with privacy in mind.”

The ads are expected to be displayed on the Updates tab through its Stories-like Status feature, which allows ephemeral sharing of photos, videos, voice notes, and text for 24 hours. These efforts are “rolling out gradually,” per the company.

The media giant, which acquired WhatsApp for a record $19.3 billion in February 2014, first announced its plans for ads in Status way back in November 2018.

Meta also claimed that the ads implementation was developed in the “most privacy-oriented way possible” and that it only uses limited information to serve ads.

“Your personal messages, calls, and statuses remain end-to-end encrypted, meaning no one can see or hear them,” the company said.

It’s worth noting that Meta will use ad preferences from across a user’s accounts, including Facebook and Instagram, should they have added WhatsApp to the Accounts Center. Adding WhatsApp to Accounts Center is an optional setting, and is off by default.

The exact nature of the information collected includes –

• Country code and age (where applicable)
• Device information, such as language settings
• General location, like city or country
• Activity information on Status and Channels such as channels people follow, content people engage with in channels and how people interact with the ads they see
• Activity on Meta’s other apps

Furthermore, Meta said it will neither sell or share users’ phone numbers with marketers, nor will it tap into users’ personal messages, calls, and groups for ad targeting.

“By default, WhatsApp removes or alters personal information (like phone numbers) before sharing it with Meta so that Meta cannot identify individuals and is only able to suggest ads that may appeal to people who share broad characteristics, such as people in the same general area,” WhatsApp said.

WhatsApp has long been marketed as a more private and secure messaging platform. However, its foray into advertisements could color its reputation as the company tries to balance user features vis-à-vis monetizing the service.

The development comes as Meta has added a warning prompt to its Meta AI chatbot app before letting users share their artificial intelligence (AI) prompts to the public Discover feed, following reports of users accidentally sharing chats with sensitive personal information.

Privacy and security experts criticized the feature, with the Mozilla Foundation stating that the app does not make it clear that the prompts users share are accessible to anyone across the world.

“Prompts you post are public and visible to everyone. Your prompts may be suggested by Meta on other Meta apps. Avoid sharing personal or sensitive information,” a message now reads. The change was first reported by Business Insider.