Tag: Cyber Threats

  • New HTTP/2 'MadeYouReset' Vulnerability Enables Large-Scale DoS Attacks

    Aug 14, 2025 | Ravie Lakshmanan | Server Security / Vulnerability

    Multiple HTTP/2 implementations have been found susceptible to a new attack technique called MadeYouReset that could be exploited to conduct powerful denial-of-service (DoS) attacks.

    “MadeYouReset bypasses the typical server-imposed limit of 100 concurrent HTTP/2 requests per TCP connection from a client. This limit is intended to mitigate DoS attacks by restricting the number of simultaneous requests a client can send,” researchers Gal Bar Nahum, Anat Bremler-Barr, and Yaniv Harel said.

    “With MadeYouReset, an attacker can send many thousands of requests, creating a denial-of-service condition for legitimate users and, in some vendor implementations, escalating into out-of-memory crashes.”

    The vulnerability has been assigned the generic CVE identifier CVE-2025-8671, although the issue impacts several products, including Apache Tomcat (CVE-2025-48989), F5 BIG-IP (CVE-2025-54500), and Netty (CVE-2025-55163).

    MadeYouReset is the latest flaw in HTTP/2 after Rapid Reset (CVE-2023-44487) and HTTP/2 CONTINUATION Flood that can be potentially weaponized to stage large-scale DoS attacks.

    Where the other two attacks leverage the RST_STREAM frame and CONTINUATION frames, respectively, MadeYouReset builds upon Rapid Reset and its mitigation, which limits the number of streams a client can cancel using RST_STREAM.

    Specifically, it takes advantage of the fact that the RST_STREAM frame is used for both client‑initiated cancellation and to signal stream errors. This is achieved by sending carefully crafted frames that trigger protocol violations in unexpected ways, prompting the server to reset the stream by issuing an RST_STREAM.

    “For MadeYouReset to work, the stream must begin with a valid request that the server begins working on, then trigger a stream error so the server emits RST_STREAM while the backend continues computing the response,” Bar Nahum explained.

    “By crafting certain invalid control frames or violating protocol sequencing at just the right moment, we can make the server send RST_STREAM for a stream that already carried a valid request.”

    The six primitives that make the server send RST_STREAM frames include:

    • WINDOW_UPDATE frame with an increment of 0
    • PRIORITY frame whose length is not 5 (the only valid length for it)
    • PRIORITY frame that makes a stream dependent on itself
    • WINDOW_UPDATE frame with an increment that makes the window exceed 2^31 − 1 (which is the largest window size allowed)
    • HEADERS frame sent after the client has closed the stream (via the END_STREAM flag)
    • DATA frame sent after the client has closed the stream (via the END_STREAM flag)
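    The six primitives above can be checked on the server side. As an added example (not code from the researchers or from any of the named vendors), the Python below parses raw HTTP/2 frames, classifies each one against those primitives, and puts server-triggered stream resets under the same per-connection budget that Rapid Reset mitigations apply to client-sent RST_STREAM frames. Frame layout follows RFC 9113; the budget value, the ConnState fields and the sample frames are constructed assumptions.

```python
"""Defensive HTTP/2 stream-error budget (added example).

Models the six MadeYouReset primitives as server-side stream errors and
counts them per connection, so that server-emitted RST_STREAM frames are
rate-limited the same way Rapid Reset mitigations limit client-sent ones.
Stream-level accounting only; connection-level (stream 0) errors are out of scope.
"""
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Frame type codes and flag bit from RFC 9113
DATA, HEADERS, PRIORITY, RST_STREAM, WINDOW_UPDATE = 0x0, 0x1, 0x2, 0x3, 0x8
END_STREAM = 0x1
MAX_WINDOW = 2**31 - 1      # largest flow-control window the spec allows
INITIAL_WINDOW = 65535      # default per-stream window (SETTINGS_INITIAL_WINDOW_SIZE)


@dataclass
class Frame:
    ftype: int
    flags: int
    stream_id: int
    payload: bytes


def parse_frame(buf: bytes) -> Frame:
    """Parse one frame: 9-byte header (24-bit length, type, flags, R bit + 31-bit stream id), then payload."""
    length = int.from_bytes(buf[:3], "big")
    stream_id = struct.unpack(">I", buf[5:9])[0] & 0x7FFFFFFF
    return Frame(buf[3], buf[4], stream_id, buf[9:9 + length])


def build_frame(ftype: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """Serialise a frame; used here only to construct sample input."""
    return len(payload).to_bytes(3, "big") + bytes([ftype, flags]) + struct.pack(">I", stream_id) + payload


@dataclass
class ConnState:
    reset_budget: int = 100                                  # assumed: mirror the 100-stream limit
    server_resets: int = 0                                   # RST_STREAMs this server has had to emit
    window: Dict[int, int] = field(default_factory=dict)     # stream id -> current send window
    half_closed: Set[int] = field(default_factory=set)       # streams the client ended with END_STREAM


def stream_error_reason(frame: Frame, conn: ConnState) -> Optional[str]:
    """Return which MadeYouReset primitive the frame matches, or None if it is well-formed."""
    sid = frame.stream_id
    if frame.ftype == WINDOW_UPDATE:
        increment = struct.unpack(">I", frame.payload[:4])[0] & 0x7FFFFFFF
        if increment == 0:
            return "WINDOW_UPDATE increment 0"
        current = conn.window.get(sid, INITIAL_WINDOW)
        if current + increment > MAX_WINDOW:
            return "WINDOW_UPDATE overflows 2^31-1"
        conn.window[sid] = current + increment
    elif frame.ftype == PRIORITY:
        if len(frame.payload) != 5:
            return "PRIORITY length != 5"
        dependency = struct.unpack(">I", frame.payload[:4])[0] & 0x7FFFFFFF
        if dependency == sid:
            return "PRIORITY self-dependency"
    elif frame.ftype in (HEADERS, DATA):
        name = "HEADERS" if frame.ftype == HEADERS else "DATA"
        if sid in conn.half_closed:
            return f"{name} after END_STREAM"
        if frame.flags & END_STREAM:
            conn.half_closed.add(sid)
    return None


def handle_frame(buf: bytes, conn: ConnState) -> Tuple[str, Optional[str]]:
    """Per-frame decision: ("ok", None), ("rst_stream", reason) or, once the budget is spent, ("goaway", reason)."""
    frame = parse_frame(buf)
    reason = stream_error_reason(frame, conn)
    if reason is None:
        return "ok", None
    conn.server_resets += 1
    if conn.server_resets > conn.reset_budget:
        return "goaway", reason     # too many server-triggered resets: drop the connection
    return "rst_stream", reason


def simulate(frames, reset_budget: int):
    """Run a constructed frame sequence through one connection and return the decisions."""
    conn = ConnState(reset_budget=reset_budget)
    return [handle_frame(f, conn) for f in frames]


if __name__ == "__main__":
    # Constructed sample: one clean request, then frames matching three of the listed primitives.
    sample = [
        build_frame(HEADERS, END_STREAM, 1, b""),                       # valid request, client done
        build_frame(WINDOW_UPDATE, 0, 1, (0).to_bytes(4, "big")),       # increment 0
        build_frame(PRIORITY, 0, 3, (3).to_bytes(4, "big") + b"\x10"),  # stream depends on itself
        build_frame(DATA, 0, 1, b"late"),                               # DATA after END_STREAM
    ]
    for decision in simulate(sample, reset_budget=2):
        print(decision)
```

With a budget of 2 the sample ends in a GOAWAY decision on the third error, which is the point: a client that never sends RST_STREAM itself still cannot make the server reset streams without limit.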

    This attack is notable not least because it removes the need for an attacker to send an RST_STREAM frame at all, thereby completely bypassing Rapid Reset mitigations while achieving the same impact as Rapid Reset.

    In an advisory, the CERT Coordination Center (CERT/CC) said MadeYouReset exploits a mismatch caused by stream resets between HTTP/2 specifications and the internal architectures of many real-world web servers, resulting in resource exhaustion — something an attacker can exploit to induce a DoS attack.

    “The discovery of server-triggered Rapid Reset vulnerabilities highlights the evolving complexity of modern protocol abuse,” Imperva said. “As HTTP/2 remains a foundation of web infrastructure, protecting it against subtle, spec-compliant attacks like MadeYouReset is more critical than ever.”

    HTTP/1.1 Must Die

    The disclosure of MadeYouReset comes as application security firm PortSwigger detailed novel HTTP/1.1 desync attacks (aka HTTP request smuggling), including a variant of CL.0 called 0.CL, exposing millions of websites to hostile takeover. Akamai (CVE-2025-32094) and Cloudflare (CVE-2025-4366) have addressed the issues.

    HTTP request smuggling is a security exploit affecting the application layer protocol that abuses the inconsistency in parsing non-RFC-compliant HTTP requests by front-end and back-end servers, permitting an attacker to “smuggle” a request and sidestep security measures.

    “HTTP/1.1 has a fatal flaw: Attackers can create extreme ambiguity about where one request ends, and the next request starts,” PortSwigger’s James Kettle said. “HTTP/2+ eliminates this ambiguity, making desync attacks virtually impossible. However, simply enabling HTTP/2 on your edge server is insufficient — it must be used for the upstream connection between your reverse proxy and origin server.”


    Source: thehackernews.com…

  • Hackers Found Using CrossC2 to Expand Cobalt Strike Beacon’s Reach to Linux and macOS

    Aug 14, 2025 | Ravie Lakshmanan | Threat Intelligence / Linux

    Japan’s CERT coordination center (JPCERT/CC) on Thursday revealed it observed incidents that involved the use of a command-and-control (C2) framework called CrossC2, which is designed to extend the functionality of Cobalt Strike to other platforms like Linux and Apple macOS for cross-platform system control.

    The agency said the activity was detected between September and December 2024, targeting multiple countries, including Japan, based on an analysis of VirusTotal artifacts.

    “The attacker employed CrossC2 as well as other tools such as PsExec, Plink, and Cobalt Strike in attempts to penetrate AD. Further investigation revealed that the attacker used custom malware as a loader for Cobalt Strike,” JPCERT/CC researcher Yuma Masubuchi said in a report published today.

    The bespoke Cobalt Strike Beacon loader has been codenamed ReadNimeLoader. CrossC2, an unofficial Beacon and builder, is capable of executing various Cobalt Strike commands after establishing communication with a remote server specified in the configuration.

    In the attacks documented by JPCERT/CC, a scheduled task set up by the threat actor on the compromised machine is used to launch the legitimate java.exe binary, which is then abused to sideload ReadNimeLoader (“jli.dll”).

    Written in the Nim programming language, the loader extracts the content of a text file and executes it directly in memory so as to avoid leaving traces on disk. This loaded content is an open-source shellcode loader dubbed OdinLdr, which ultimately decodes the embedded Cobalt Strike Beacon and runs it, also in memory.

    ReadNimeLoader also incorporates various anti-debugging and anti-analysis techniques that prevent OdinLdr from being decoded if a debugger or analysis environment is detected.

    JPCERT/CC said the attack campaign shares some level of overlap with BlackSuit/Black Basta ransomware activity reported by Rapid7 back in June 2025, citing overlaps in the command-and-control (C2) domain used and similarly named files.

    Another notable aspect is the presence of several ELF versions of SystemBC, a backdoor that often acts as a precursor to the deployment of Cobalt Strike and ransomware.

    “While there are numerous incidents involving Cobalt Strike, this article focused on the particular case in which CrossC2, a tool that extends Cobalt Strike Beacon functionality to multiple platforms, was used in attacks, compromising Linux servers within an internal network,” Masubuchi said.

    “Many Linux servers do not have EDR or similar systems installed, making them potential entry points for further compromise, and thus, more attention is required.”


    Source: thehackernews.com…

  • New Android Malware Wave Hits Banking via NFC Relay Fraud, Call Hijacking, and Root Exploits

    Cybersecurity researchers have disclosed a new Android trojan called PhantomCard that abuses near-field communication (NFC) to conduct relay attacks for facilitating fraudulent transactions in attacks targeting banking customers in Brazil.

    “PhantomCard relays NFC data from a victim’s banking card to the fraudster’s device,” ThreatFabric said in a report. “PhantomCard is based on Chinese-originating NFC relay malware-as-a-service.”

    The Android malware, distributed via fake Google Play web pages mimicking apps for card protection, goes by the name “Proteção Cartões” (package name “com.nfupay.s145” or “com.rc888.baxi.English”).

    The bogus pages also feature deceptive positive reviews to persuade victims into installing the app. It’s currently not known how links to these pages are distributed, but it likely involves smishing or a similar social engineering technique.

    Once the app is installed and opened, it requests victims to place their credit/debit card on the back of the phone to begin the verification process, at which point the user interface displays the message: “Card Detected! Keep the card nearby until authentication is complete.”

    In reality, the card data is relayed to an attacker-controlled NFC relay server by taking advantage of the NFC reader built into modern devices. The PhantomCard-laced app then asks the victim to enter the card PIN so that it, too, can be transmitted to the cybercriminal to authenticate the transaction.

    “As a result, PhantomCard establishes a channel between the victim’s physical card and the PoS terminal / ATM that the cybercriminal is next to,” ThreatFabric explained. “It allows the cybercriminal to use the victim’s card as if it was in their hands.”

    Similar to SuperCard X, there exists an equivalent app on the mule side that is installed on the mule's device to receive the stolen card information and ensure seamless communication between the PoS terminal and the victim's card.

    The Dutch security company said the actor behind the malware, Go1ano developer, is a “serial” reseller of Android threats in Brazil, and that PhantomCard is actually the handiwork of a Chinese malware-as-a-service offering known as NFU Pay that’s advertised on Telegram.

    Go1ano developer, in their own Telegram channel, claims PhantomCard works globally, stating it is 100% undetectable and is compatible with all NFC-enabled point-of-sale (PoS) terminal devices. They also claim to be a “trusted partner” for other malware families like BTMOB and GhostSpy in the country.

    It’s worth noting that NFU Pay is one of the many illicit services peddled on the underground that offer similar NFC relay capabilities, such as SuperCard X, KingNFC, and X/Z/TX-NFC.

    “Such threat actors pose additional risks to local financial organizations as they open the doors for a wider variety of threats from all over the world, which could have potentially stayed away from certain regions due to language and cultural barriers, specifics of financial system, lack of cash-out ways,” ThreatFabric said.

    “This, consequently, complicates the threat landscape for local financial organizations and calls out for proper monitoring of the global threats and actors behind it targeting the organization.”

    In a report published last month warning of a spike in NFC-enabled fraud in the Philippines, Resecurity said Southeast Asia has become a testing ground for NFC fraud, with bad actors targeting regional banks and financial service providers.

    “With tools such as Z-NFC, X-NFC, SuperCard X, and Track2NFC, attackers can clone stolen card data and perform unauthorized transactions using NFC-enabled devices,” Resecurity said.

    “These tools are widely available in underground forums and private messaging groups. The resulting fraud is difficult to detect, as the transactions appear to originate from trusted, authenticated devices. In markets like the Philippines, where contactless payment usage is rising and low-value transactions often bypass PIN verification, such attacks are harder to trace and stop in real time.”

    The disclosure comes as K7 Security uncovered an Android malware campaign dubbed SpyBanker aimed at Indian banking users that’s likely distributed to users via WhatsApp under the guise of a customer help service app.

    “Interestingly, this Android SpyBanker malware edits the ‘Call Forward Number’ to a hard-coded mobile number, controlled by the attacker, by registering a service called ‘CallForwardingService’ and redirects the user’s calls,” the company said. “Incoming calls to the victims when left unattended are diverted to the call forwarded number to carry out any desired malicious activity.”

    Furthermore, the malware comes fitted with capabilities to collect victims’ SIM details, sensitive banking information, SMS messages, and notification data.

    Indian banking users have also been targeted by Android malware that’s designed to siphon financial information, while simultaneously dropping the XMRig cryptocurrency miner on compromised devices. The malicious credit card apps are distributed via convincing phishing pages that use real assets taken from official banking websites.

    The list of malicious apps is as follows:

    • Axis Bank Credit Card (com.NWilfxj.FxKDr)
    • ICICI Bank Credit Card (com.NWilfxj.FxKDr)
    • IndusInd Credit Card (com.NWilfxj.FxKDr)
    • State Bank of India Credit Card (com.NWilfxj.FxKDr)

    The malware is designed to display a bogus user interface that prompts victims to enter their personal information, including names, card numbers, CVV codes, expiry dates, and mobile numbers. A notable aspect of the app is its ability to listen to specific messages sent via Firebase Cloud Messaging (FCM) to trigger the mining process.

    “The app delivered through these phishing sites functions as a dropper, meaning it initially appears harmless but later dynamically loads and executes the actual malicious payload,” McAfee researcher Dexter Shin said. “This technique helps evade static detection and complicates analysis.”

    “These phishing pages load images, JavaScript, and other web resources directly from the official websites to appear legitimate. However, they include additional elements such as ‘Get App’ or ‘Download’ buttons, which prompt users to install the malicious APK file.”

    The findings also follow a report from Zimperium zLabs detailing how rooting frameworks like KernelSU, APatch, and SKRoot can be used to gain root access and escalate privileges, allowing an attacker to gain full control of Android devices.

    The mobile security company said it discovered in mid-2023 a security flaw in KernelSU (version 0.5.7) that it said could allow attackers to authenticate as the KernelSU manager and completely compromise a rooted Android device via a malicious application already installed on it that also bundles the official KernelSU manager APK.

    However, an important caveat is that the attack only works if the threat actor's application is executed before the legitimate KernelSU manager application.

    “Because system calls can be triggered by any app on the device, strong authentication and access controls are essential,” security researcher Marcel Bathke said. “Unfortunately, this layer is often poorly implemented – or entirely neglected – which opens the door to serious security risks. Improper authentication can allow malicious apps to gain root access and fully compromise the device.”


    Source: thehackernews.com…

  • Have You Turned Off Your Virtual Oven?

    You check that the windows are shut before leaving home. You return to the kitchen to verify that the oven and stove were definitely turned off. Maybe you even circle back again to confirm the front door was properly closed. These automatic safety checks give you peace of mind because you know the unlikely but potentially dangerous consequences of forgetting – a break-in, fire, or worse.

    Your external-facing IT infrastructure deserves the same methodical attention. External Attack Surface Management (EASM) and Digital Risk Protection (DRP) tools provide that same peace of mind for your digital “home,” automating the everyday safety checks that prevent costly incidents.

    Why does the external-facing IT infrastructure need the same care?

    Just as you secure your physical home prior to leaving, your assets that are exposed to the internet require consistent safety protocols. Think about it this way:

    • Locking doors = locking down exposed assets, ensuring only authorized access points remain open.
    • Turning off the oven = de-provisioning unused assets and orphaned services that continue consuming resources while expanding your attack surface.

    But there is one major difference: your home has physical limits, but your organization's attack surface can span multiple providers, regions, and development teams, making manual verification nearly impossible. A forgotten cloud instance, a misconfigured storage bucket, an abandoned server, or a stray development environment can expose sensitive data for months before discovery.

    The hidden assets that keep security teams awake at night

    Development teams spin up test servers, DevOps engineers create temporary endpoints, and shadow IT proliferates across departments. Without automated discovery, these assets become invisible until attackers find them first. This makes CMDB-based monitoring of your vulnerabilities and attack surface difficult, as one can never be sure that all exposed assets are accounted for. EASM solutions continuously map your internet-facing assets, discovering resources you may have forgotten existed.

    Consider the typical scenario: a developer creates a staging environment for testing new features, complete with a snapshot of production data. They complete the project and move on to other priorities, but the staging server remains online. EASM uses automated reconnaissance to identify this orphaned asset before it becomes a security incident – scanning your entire external footprint to find forgotten development servers, open ports that should have been closed after testing, and subdomains pointing to decommissioned services.

    The threats lurking beyond your firewall

    While EASM focuses on asset discovery, DRP tackles a different but equally important challenge: monitoring external threats to your organization, whether on Facebook or the dark web. Finding all your assets is only half the battle; knowing when criminals are posting leaked credentials for sale, discussing planned attacks against your infrastructure, or impersonating your brand online is the other half.

    DRP platforms continuously scan external channels like social media sites, underground forums, and data leak sites for mentions of your organization, providing immediate alerts when threats are detected.

    Figure 1: Example View of data leakage overview within Outpost24’s CompassDRP platform.

    These external threats develop gradually but can explode quickly. For example, a disgruntled employee may intentionally leak sensitive documents to file-sharing sites, or a hacker may start selling access to your systems on dark web forums. Without ongoing monitoring, threats can continue to grow and gain momentum before you realize they exist.

    Early detection tools work like a smoke alarm for your organization's reputation and cybersecurity posture. They give you a heads-up that something is wrong – hopefully before damage is caused or the threat can no longer be contained. DRP platforms help detect when cybercriminals discuss your company in attack forums or create fake social media profiles using your branding for phishing campaigns. These early warnings let you respond immediately, protecting your customers and mitigating the threat.

    Figure 2: Example details of a ransomware group operating on the dark web with Outpost24’s CompassDRP platform.

    Building a “Did I leave anything on?” security ritual

    Just like you develop a routine for checking your home before leaving, you need to build operational habits around EASM and DRP. Set up daily or weekly scan summaries based on the continuous scans of the tools that answer that nagging question: “Did I leave anything on?” Regularly generating these reports ensures you can surface newly discovered assets, configuration changes, and potential risks that need your attention.

    The beauty lies in making your security systematic rather than reactive. You review high-risk items, quickly approving legitimate resources or shutting down unnecessary ones. Instead of scrambling to find forgotten infrastructure after an incident or patch alert, you prevent the accumulation of risk before it becomes a problem.

    Better yet, you can integrate these insights both into your existing Cybersecurity tech-stack as well as any change management workflows. When you make infrastructure changes, EASM validates your external footprint while DRP ensures configurations stay within acceptable parameters. And keep in mind that the tool should automatically create audit trails so that you can demonstrate due diligence without extra paperwork.

    Keeping track of changes

    Additionally, use easy-to-manage dashboards and customized reports to quantify your security improvements and justify continued investment. Track metrics like the number of "virtual ovens" you've turned off, your time to detect and react to orphaned services, and your time to remediate critical vulnerabilities. These measurements will help you demonstrate program effectiveness while identifying areas for improvement.

    Figure 3: Keep track of your threat and vulnerability landscape within one dashboard.

    You’ll also appreciate how automated alerts and customizable workflows prioritize your attention on the most critical issues. Rather than overwhelming you with every discovered asset, intelligent, AI-powered filtering and summaries highlight genuine risks that require your immediate action. The system learns from your responses, reducing false positives while maintaining sensitivity to legitimate threats.

    Attack Surface Management for peace of mind

    The comfort of knowing nothing’s left unmonitored – whether a physical oven or a misconfigured cloud service – comes from verification, not just hoping for the best. EASM and DRP tools help automate the essential proactive safety monitoring steps that prevent costly security incidents.

    Solutions like Outpost24’s CompassDRP combine EASM capabilities with comprehensive Digital Risk Protection and Threat Intelligence, giving you continuous visibility across your entire digital footprint and the risks associated with it. You get automated asset discovery and threat intelligence-based risk prioritization in a single platform, letting you focus on addressing business-critical risks.

    Start building a continuous external attack surface and digital risk management today – book your CompassDRP demo.


    Source: thehackernews.com…

  • Simple Steps for Attack Surface Reduction

    Aug 14, 2025 | The Hacker News | Endpoint Security / Application Security

    Cybersecurity leaders face mounting pressure to stop attacks before they start, and the best defense may come down to the settings you choose on day one. In this piece, Yuriy Tsibere explores how default policies like deny-by-default, MFA enforcement, and application Ringfencing™ can eliminate entire categories of risk. From disabling Office macros to blocking outbound server traffic, these simple but strategic moves create a hardened environment that attackers can't easily penetrate. Whether you're securing endpoints or overseeing policy rollouts, adopting a security-by-default mindset can reduce complexity, shrink your attack surface, and help you stay ahead of evolving threats.

    Cybersecurity has changed dramatically since the days of the “Love Bug” virus in 2001. What was once an annoyance is now a profit-driven criminal enterprise worth billions. This shift demands proactive defense strategies that don’t just respond to threats—they prevent them from ever reaching your network. CISOs, IT admins, and MSPs need solutions that block attacks by default, not just detect them after the fact. Industry frameworks like NIST, ISO, CIS, and HIPAA provide guidance, but they often lack the clear, actionable steps needed to implement effective security.

    For anyone starting a new security leadership role, the mission is clear: Stop as many attacks as possible, frustrate threat actors, and do it without alienating the IT team. That’s where a security-by-default mindset comes in—configuring systems to block risks out of the gate. As I’ve often said, the attackers only have to be right once. We have to be right 100% of the time.

    Here’s how setting the right defaults can eliminate entire categories of risk.

    Require multi-factor authentication (MFA) on all remote accounts

    Enabling MFA across all remote services—including SaaS platforms like Office 365 and G Suite, as well as domain registrars and remote access tools—is a foundational security default. Even if a password is compromised, MFA can prevent unauthorized access. Avoid using text messages for MFA where possible, as they can be intercepted.

    While it may introduce some friction, the security benefits far outweigh the risk of data theft or financial loss.

    Deny-by-default

    One of the most effective security measures nowadays is application whitelisting or allowlisting. This approach blocks everything by default and only allows known, approved software to run. The result: Ransomware and other malicious applications are stopped before they can execute. It also blocks legitimate-but-unauthorized remote tools like AnyDesk or similar, which attackers often try to sneak in through social engineering.

    Users can still access what they need via a pre-approved store of safe applications, and visibility tools make it easy to track everything that runs—including portable apps.

    Quick wins through secure configuration

    Small changes to default settings can close major security gaps on Windows and other platforms:

    • Turn off Office macros: It takes five minutes and blocks one of the most common attack vectors for ransomware.
    • Use password-protected screensavers: Auto-lock your screen after a short break to stop anyone from snooping around.
    • Disable SMBv1: This old-school protocol is outdated and has been used in big attacks like WannaCry. Most systems don’t need it anymore.
    • Turn off the Windows keylogger: It’s rarely useful and could be a security risk if left on.

    Control network and application behavior for organizations

    • Remove local admin rights: Most malware doesn’t need admin access to run, but taking it away stops users from messing with security settings or even installing malicious software.
    • Block unused ports and limit outbound traffic:
      • Shut down SMB and RDP ports unless absolutely necessary—and only allow trusted sources.
      • Stop servers from reaching the internet unless they need to. This helps avoid attacks like SolarWinds.
    • Control application behaviors: Tools like ThreatLocker Ringfencing™ can stop apps from doing sketchy things—like Word launching PowerShell (yes, that's a real attack method).
    • Secure your VPN: If you don’t need it, turn it off. If you do, limit access to specific IPs and restrict what users can access.

    Strengthen data and web controls

    • Block USB drives by default: They’re a common way for malware to spread. Only allow secure managed, encrypted ones if needed.
    • Limit file access: Apps shouldn’t be able to poke around in user files unless they really need to.
    • Filter out unapproved tools: Block random SaaS or cloud apps that haven’t been vetted. Let users request access if they need something.
    • Track file activity: Keep an eye on who’s doing what with files—both on devices and in the cloud. It’s key for spotting shady behavior.

    Go beyond defaults with monitoring and patching

    Strong defaults are just the beginning. Ongoing vigilance is critical:

    • Regular patching: Most attacks use known bugs. Keep everything updated—including portable apps.
    • Automated threat detection: EDR tools are great, but if no one’s watching alerts 24/7, threats can slip through. MDR services can jump in fast, even after hours.

    Security by default isn’t just smart, it’s non-negotiable. Blocking unknown apps, using strong authentication, locking down networks and app behavior can wipe out a ton of risk. Attackers only need one shot, but solid default settings keep your defenses ready all the time. The payoff? Fewer breaches, less hassle, and a stronger, more resilient setup.

    Note: This article is expertly written and contributed by Yuriy Tsibere, Product Manager and Business Analyst at ThreatLocker.


    Source: thehackernews.com…

  • Google Requires Crypto App Licenses in 15 Regions as FBI Warns of $9.9M Scam Losses

    Aug 14, 2025 | Ravie Lakshmanan | Cryptocurrency / Financial Crime

    Google said it’s implementing a new policy requiring developers of cryptocurrency exchanges and wallets to obtain government licenses before publishing apps in 15 jurisdictions in order to “ensure a safe and compliant ecosystem for users.”

    The policy applies to markets like Bahrain, Canada, Hong Kong, Indonesia, Israel, Japan, the Philippines, South Africa, South Korea, Switzerland, Thailand, the United Arab Emirates, the United Kingdom, the United States, and the European Union. The changes do not apply to non-custodial wallets.

    This means developers publishing cryptocurrency exchange and wallet apps have to hold appropriate licences or be registered with relevant authorities like the Financial Conduct Authority (FCA) or Financial Crimes Enforcement Network (FinCEN), or authorized as a crypto-asset service provider (CASP) under the Markets in Crypto-Assets (MiCA) regulation before distribution.

    “If your targeted location is not on the list, you may continue to publish cryptocurrency exchanges and software wallets. However, due to the rapidly evolving regulatory landscape worldwide, developers are expected to obtain any additional licensure requirements per local laws,” the tech giant said.

    Google noted that developers have to declare under the App Content section that their app is a cryptocurrency exchange and/or software wallet in the Financial Features Declaration. In addition, the company said it may request developers to provide more information regarding their compliance in a given jurisdiction that’s not covered in the aforementioned list.

    Developers who don’t have the required registration or licensing information for certain locations are being urged to remove the apps from those targeting countries/regions.

    The disclosure comes as the U.S. Federal Bureau of Investigation (FBI) issued an updated alert warning of cryptocurrency scams in which companies falsely claim to help victims recover their stolen funds to further defraud them.

    Fraudsters have been observed posing as lawyers representing fictitious law firms, approaching scam victims on social media and other messaging platforms to assist with fund recovery, only to dupe them a second time under the pretext of receiving their information from the FBI, Consumer Financial Protection Bureau (CFPB), or other government agency.

    “Between February 2023 and February 2024, cryptocurrency scam victims who were further exploited by fictitious law firms reported losses totaling over $9.9 million,” the FBI said in an alert last June.

    The FBI also listed a number of red flags that users are advised to look for that could indicate a potential scam –

    • Impersonation of government entities or actual lawyers
    • References to fictitious government or regulatory entities
    • Requesting payment in cryptocurrency or prepaid gift cards (the U.S. government does not request payment for law enforcement services provided)
    • Having knowledge of the exact amounts and dates of previous wire transfers and the third-party company where the victim previously sent scammed funds
    • Stating the victim was on a government-affiliated list of scam victims
    • Referring victims to a “crypto recovery law firm”
    • Stating the victims’ funds are in an account held at a foreign bank and instructing them to register an account at that bank
    • Placing victims into a group chat on WhatsApp, or other messaging applications, for supposed client safety
    • Requesting victims send payment to a third-party trading company for maintaining secrecy and safety
    • Inability to provide credentials or a license

    “Be cautious of law firms contacting you unexpectedly, especially if you have not reported the crime to any law enforcement or civil protection agencies,” the FBI said, urging citizens to exercise due diligence and adopt a zero-trust model.

    “Request video verification or documentation or a photo of their law license. Request verification of employment for anyone claiming to work for the US Government or law enforcement.”


    Source: thehackernews.com…

  • CISA Adds Two N-able N-central Flaws to Known Exploited Vulnerabilities Catalog


    Aug 14, 2025Ravie LakshmananVulnerability / Network Security


    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added two security flaws impacting N-able N-central to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

    N-able N-central is a Remote Monitoring and Management (RMM) platform designed for Managed Service Providers (MSPs), allowing customers to efficiently manage and secure their clients’ Windows, Apple, and Linux endpoints from a single, unified platform.

    The vulnerabilities in question are listed below –

    • CVE-2025-8875 (CVSS score: N/A) – An insecure deserialization vulnerability that could lead to command execution
    • CVE-2025-8876 (CVSS score: N/A) – A command injection vulnerability via improper sanitization of user input

    Both shortcomings have been addressed in N-central versions 2025.3.1 and 2024.6 HF2 released on August 13, 2025. N-able is also urging customers to make sure that multi-factor authentication (MFA) is enabled, particularly for admin accounts.


    “These vulnerabilities require authentication to exploit,” N-able said in an alert. “However, there is a potential risk to the security of your N-central environment, if unpatched. You must upgrade your on-premises N-central to 2025.3.1.”

    It’s currently not known how the vulnerabilities are being exploited in real-world attacks, in what context, and at what scale. The Hacker News has reached out to N-able for comment, and we will update the story if we hear back.

    In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are recommended to apply the necessary fixes by August 20, 2025, to secure their networks.

    The development comes a day after CISA placed two-year-old security flaws affecting Microsoft Internet Explorer and Office in the KEV catalog –

    • CVE-2013-3893 (CVSS score: 8.8) – A memory corruption vulnerability in Microsoft Internet Explorer that allows for remote code execution
    • CVE-2007-0671 (CVSS score: 8.8) – A remote code execution vulnerability in Microsoft Office Excel that can be exploited when a specially crafted Excel file is opened

    FCEB agencies have until September 9, 2025, to update to the latest versions, or discontinue their use if the product has reached end-of-life (EoL) status, as is the case with Internet Explorer.


    Source: thehackernews.com…

  • New PS1Bot Malware Campaign Uses Malvertising to Deploy Multi-Stage In-Memory Attacks


    Aug 13, 2025Ravie LakshmananMalvertising / Cryptocurrency

    Cybersecurity researchers have discovered a new malvertising campaign that’s designed to infect victims with a multi-stage malware framework called PS1Bot.

    “PS1Bot features a modular design, with several modules delivered and used to perform a variety of malicious activities on infected systems, including information theft, keylogging, reconnaissance, and the establishment of persistent system access,” Cisco Talos researchers Edmund Brumaghin and Jordyn Dunk said.

    “PS1Bot has been designed with stealth in mind, minimizing persistent artifacts left on infected systems and incorporating in-memory execution techniques to facilitate execution of follow-on modules without requiring them to be written to disk.”

    Campaigns distributing the PowerShell and C# malware have been found to be active since early 2025, leveraging malvertising as a propagation vector, with the infection chains executing modules in memory to minimize the forensic trail. PS1Bot is assessed to share technical overlaps with AHK Bot, an AutoHotkey-based malware previously put to use by the threat actors Asylum Ambuscade and TA866.


    Furthermore, the activity cluster has been identified as overlapping with previous ransomware-related campaigns utilizing a malware named Skitnet (aka Bossnet) with an aim to steal data and establish remote control over compromised hosts.

    The starting point of the attack is a compressed archive that’s delivered to victims via malvertising or search engine optimization (SEO) poisoning. Present within the ZIP file is a JavaScript payload that serves as a downloader to retrieve a scriptlet from an external server, which then writes a PowerShell script to a file on disk and executes it.

    The PowerShell script is responsible for contacting a command-and-control (C2) server and fetching next-stage PowerShell commands that allow the operators to augment the malware’s functionality in a modular fashion and carry out a wide range of actions on the compromised host –

    • Antivirus detection, which obtains and reports the list of antivirus programs present on the infected system
    • Screen capture, which captures screenshots on infected systems and transmits the resulting images to the C2 server
    • Wallet grabber, which steals data from web browsers (and wallet extensions), application data for cryptocurrency wallet applications, and files containing passwords, sensitive strings, or wallet seed phrases
    • Keylogger, which logs keystrokes and gathers clipboard content
    • Information collection, which harvests and transmits information about the infected system and environment to the attacker
    • Persistence, which creates a PowerShell script such that it’s automatically launched when the system restarts, incorporating the same logic used to establish the C2 polling process to fetch the modules
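    The delivery chain described above (ZIP-dropped JavaScript run by a Windows script host, a PowerShell script written to disk, then executed), turned into a detection check over process-creation and file-write telemetry. This is an added example, not Talos's code; the event schema, paths and PIDs are constructed for illustration.

```python
"""Detection logic for the PS1Bot delivery chain described above: a JavaScript
file run by a Windows script host writes a PowerShell script to disk and then
launches powershell.exe to execute it.  The event schema, file paths and PIDs
below are constructed for this example, not taken from Talos telemetry."""
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable file name, lower-case
    cmdline: str    # full command line as logged


@dataclass
class FileEvent:
    pid: int        # process that created the file
    path: str       # path of the file written


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def find_ps1bot_chain(procs, files):
    """Return (script_host_pid, powershell_pid, ps1_path) for every PowerShell
    process whose parent is a script host running a .js file, where a .ps1
    written by that parent (or by PowerShell itself) appears on the PowerShell
    command line."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for ps in procs:
        if ps.image != "powershell.exe":
            continue
        parent = by_pid.get(ps.ppid)
        if parent is None or parent.image not in SCRIPT_HOSTS:
            continue
        if ".js" not in parent.cmdline.lower():
            continue
        written = [f.path for f in files
                   if f.pid in (parent.pid, ps.pid)
                   and f.path.lower().endswith(".ps1")]
        for path in written:
            if path.lower() in ps.cmdline.lower():
                hits.append((parent.pid, ps.pid, path))
    return hits


# Constructed sample telemetry: one benign PowerShell launch from Explorer and
# one instance of the JS -> .ps1 -> powershell.exe chain.
SAMPLE_PROCS = [
    ProcEvent(50, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(60, 50, "powershell.exe", "powershell.exe -NoProfile"),
    ProcEvent(100, 50, "wscript.exe",
              r'wscript.exe "C:\Users\u\Downloads\Invoice\invoice.js"'),
    ProcEvent(120, 100, "powershell.exe",
              r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\u\AppData\Local\Temp\upd.ps1"),
]
SAMPLE_FILES = [
    FileEvent(100, r"C:\Users\u\AppData\Local\Temp\upd.ps1"),
    FileEvent(60, r"C:\Users\u\notes.txt"),
]

if __name__ == "__main__":
    for host_pid, ps_pid, path in find_ps1bot_chain(SAMPLE_PROCS, SAMPLE_FILES):
        print(f"script host {host_pid} -> powershell {ps_pid} executing {path}")
```

The check only flags the chain when the .ps1 on the PowerShell command line was written by the script host or by PowerShell itself, so an administrator's own scripts launched from Explorer are not matched.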

    “The information stealer module implementation leverages wordlists embedded into the stealer to enumerate files containing passwords and seed phrases that can be used to access cryptocurrency wallets, which the stealer also attempts to exfiltrate from infected systems,” Talos noted.


    “The modular nature of the implementation of this malware provides flexibility and enables the rapid deployment of updates or new functionality as needed.”

    The disclosure comes as Google said it’s leveraging artificial intelligence (AI) systems powered by large language models (LLMs) to fight invalid traffic (IVT) and more precisely identify ad placements generating invalid behaviors.

    “Our new applications provide faster and stronger protections by analyzing app and web content, ad placements and user interactions,” Google said. “For example, they’ve significantly improved our content review capabilities, leading to a 40% reduction in IVT stemming from deceptive or disruptive ad serving practices.”


    Source: thehackernews.com…

  • Zoom and Xerox Release Critical Security Updates Fixing Privilege Escalation and RCE Flaws


    Aug 13, 2025Ravie LakshmananVulnerability / Software Security

    Zoom and Xerox have addressed critical security flaws in Zoom Clients for Windows and FreeFlow Core that could allow privilege escalation and remote code execution.

    The vulnerability impacting Zoom Clients for Windows, tracked as CVE-2025-49457 (CVSS score: 9.6), relates to a case of an untrusted search path that could pave the way for privilege escalation.

    “Untrusted search path in certain Zoom Clients for Windows may allow an unauthenticated user to conduct an escalation of privilege via network access,” Zoom said in a security bulletin on Tuesday.

    The issue, reported by its own Offensive Security team, affects the following products –

    • Zoom Workplace for Windows before version 6.3.10
    • Zoom Workplace VDI for Windows before version 6.3.10 (except 6.1.16 and 6.2.12)
    • Zoom Rooms for Windows before version 6.3.10
    • Zoom Rooms Controller for Windows before version 6.3.10
    • Zoom Meeting SDK for Windows before version 6.3.10

    The disclosure comes as multiple vulnerabilities have been disclosed in Xerox FreeFlow Core, the most severe of which could result in remote code execution. The issues, which have been addressed in version 8.0.4, include –

    • CVE-2025-8355 (CVSS score: 7.5) – XML External Entity (XXE) injection vulnerability leading to server-side request forgery (SSRF)
    • CVE-2025-8356 (CVSS score: 9.8) – Path traversal vulnerability leading to remote code execution

    “These vulnerabilities are rudimentary to exploit and if exploited, could allow an attacker to execute arbitrary commands on the affected system, steal sensitive data, or attempt to move laterally into a given corporate environment to further their attack,” Horizon3.ai said.


    Source: thehackernews.com…

  • AI SOC 101: Key Capabilities Security Leaders Need to Know


    Aug 13, 2025The Hacker NewsArtificial Intelligence / Threat Hunting

    Security operations have never been a 9-to-5 job. For SOC analysts, the day often starts and ends deep in a queue of alerts, chasing down what turns out to be false positives, or switching between half a dozen tools to piece together context. The work is repetitive, time-consuming, and high-stakes, leaving SOCs under constant pressure to keep up, yet often struggling to stay ahead of emerging threats. That combination of inefficiency, elevated risk, and a reactive operating model is exactly where AI-powered SOC capabilities are starting to make a difference.

    Why AI SOC is gaining traction now

    The recent Gartner Hype Cycle for Security Operations 2025 recognizes AI SOC Agents as an innovation trigger, reflecting a broader shift in how teams approach automation. Instead of relying solely on static playbooks or manual investigation workflows, AI SOC capabilities bring reasoning, adaptability, and context-aware decision-making into the mix.

    SOC teams report that their most pressing challenges are inefficient investigations, siloed tools, and a lack of effective automation. These issues slow response and increase risk. The latest SANS SOC Survey underscores this, showing these operational hurdles consistently outpace other concerns. AI-driven triage, investigation, and detection coverage analysis are well-positioned to address these gaps head-on.

    AI’s biggest wins in the SOC

    An AI SOC brings together a range of capabilities that strengthen and scale the core functions of a security operations center. These capabilities work alongside human expertise to improve how teams triage alerts, investigate threats, respond to incidents, and refine detections over time.

    Triage at speed and scale

    AI systems can review and prioritize every incoming alert within minutes, pulling telemetry from across the environment. True threats rise to the top quickly, while false positives are resolved without draining analyst time.

    Faster, deeper investigations and response

    By correlating data from SIEM, EDR, identity, email, and cloud platforms, AI SOC tools reduce mean time to investigate (MTTI) and mean time to respond (MTTR). This shortens dwell time and limits the opportunity for threats to spread.

    Detection engineering insights

    AI can pinpoint coverage gaps against frameworks such as MITRE ATT&CK, identify rules that need tuning, and recommend adjustments based on real investigation data. This gives detection engineers a clear view of where changes will make the most impact.

    Enabling more threat hunting

    With less time spent working alert queues, analysts can shift to proactive threat hunting. AI SOC platforms with natural language query support make it easier to explore data, run complex hunts, and surface hidden threats.

    Separating hype from reality

    The AI SOC market is filled with sweeping claims about fully autonomous SOC and instant results. While AI can automate large portions of tier 1 and tier 2 investigations and even support tier 3 work, it is not a replacement for experienced analysts. Complex, high impact cases still require human judgment, contextual understanding, and decision making.

    The real value lies in shifting the balance of work. By removing repetitive triage and speeding investigations, AI frees analysts to focus on higher impact activities like advanced threat hunting, tuning detections, and investigating sophisticated threats. This is the work that improves both security outcomes and analyst retention.

    Guiding principles for evaluating AI SOC capabilities

    When assessing AI SOC solutions, focus on principles that determine whether they can deliver sustainable improvements to security operations:

    • Transparency and explainability – The system should provide clear, detailed reasoning for its findings, allowing analysts to trace conclusions back to the underlying data and logic. This builds trust and enables informed decision making.
    • Data privacy and security – Understand exactly where data is processed and stored, how it is protected in transit and at rest, and whether the deployment model meets your compliance requirements.
    • Integration depth – The solution should integrate seamlessly with your existing SOC stack and workflows. This includes preserving the familiar user experience of tools like SIEM, EDR, and case management systems to avoid introducing friction.
    • Adaptability and learning – AI should improve over time by incorporating analyst feedback, adapting to changes in your environment, and staying effective against evolving threats.
    • Accuracy and trust – Evaluate not just the volume of work automated, but the precision and reliability of results. A tool that closes false positives at scale but misses real threats creates more risk than it solves.
    • Time to value – Favor solutions that deliver measurable gains in investigation speed, accuracy, or coverage within weeks rather than months, without heavy customization or lengthy deployments.

    The human and AI hybrid SOC

    The most effective SOCs combine the speed and scale of AI with the contextual understanding and judgment of human analysts. This model gives people the capacity to focus on the work that matters most.

    How Prophet Security aligns with this vision

    Prophet Security helps organizations move beyond manual investigations and alert fatigue with an agentic AI SOC platform that automates triage, accelerates investigations, and ensures every alert gets the attention it deserves. By integrating across the existing stack, Prophet AI improves analyst efficiency, reduces incident dwell time, and delivers more consistent security outcomes. Security leaders use Prophet AI to maximize the value of their people and tools, strengthen their security posture, and turn daily SOC operations into measurable business results. Visit Prophet Security to request a demo and see how Prophet AI can elevate your SOC operations.



    Source: thehackernews.com…