Tag: Cyber Threats

  • Three PCIe Encryption Weaknesses Expose PCIe 5.0+ Systems to Faulty Data Handling

    Dec 10, 2025 | Ravie Lakshmanan | Hardware Security / Vulnerability

    Three security vulnerabilities have been disclosed in the Peripheral Component Interconnect Express (PCIe) Integrity and Data Encryption (IDE) protocol specification that could expose affected systems to serious risks from a local attacker.

    The flaws impact PCIe Base Specification Revision 5.0 and onwards in the protocol mechanism introduced by the IDE Engineering Change Notice (ECN), according to the PCI Special Interest Group (PCI-SIG).

    “This could potentially result in security exposure, including but not limited to, one or more of the following with the affected PCIe component(s), depending on the implementation: (i) information disclosure, (ii) escalation of privilege, or (iii) denial of service,” the consortium noted.

    PCIe is a widely used high-speed standard to connect hardware peripherals and components, including graphics cards, sound cards, Wi-Fi and Ethernet adapters, and storage devices, inside computers and servers. Introduced in PCIe 6.0, PCIe IDE is designed to secure data transfers through encryption and integrity protections.

    The three IDE vulnerabilities, discovered by Intel employees Arie Aharon, Makaram Raghunandan, Scott Constable, and Shalini Sharma, are listed below –

    • CVE-2025-9612 (Forbidden IDE Reordering) – A missing integrity check on a receiving port may allow re-ordering of PCIe traffic, leading the receiver to process stale data.
    • CVE-2025-9613 (Completion Timeout Redirection) – Incomplete flushing of a completion timeout may allow a receiver to accept incorrect data when an attacker injects a packet with a matching tag.
    • CVE-2025-9614 (Delayed Posted Redirection) – Incomplete flushing or re-keying of an IDE stream may result in the receiver consuming stale, incorrect data packets.

    PCI-SIG said that successful exploitation of the aforementioned vulnerabilities could undermine the confidentiality, integrity, and security objectives of IDE. However, the attacks hinge on obtaining physical or low-level access to the targeted computer’s PCIe IDE interface, making them low-severity bugs (CVSS v3.1 score: 3.0; CVSS v4 score: 1.8).

    “All three vulnerabilities potentially expose systems implementing IDE and Trusted Domain Interface Security Protocol (TDISP) to an adversary that can breach isolation between trusted execution environments,” it said.

    In an advisory released Tuesday, the CERT Coordination Center (CERT/CC) urged manufacturers to follow the updated PCIe 6.0 standard and apply the Erratum #1 guidance to their IDE implementations. Intel and AMD have published their own alerts, stating the issues impact the following products –

    • Intel Xeon 6 Processors with P-cores
    • Intel Xeon 6700P-B/6500P-B series SoC with P-cores
    • AMD EPYC 9005 Series Processors
    • AMD EPYC Embedded 9005 Series Processors

    “End users should apply firmware updates provided by their system or component suppliers, especially in environments that rely on IDE to protect sensitive data,” CERT/CC said.


    Source: thehackernews.com…

  • .NET SOAPwn Flaw Opens Door for File Writes and Remote Code Execution via Rogue WSDL

    Dec 10, 2025 | Ravie Lakshmanan | Enterprise Security / Web Services

    New research has uncovered exploitation primitives in the .NET Framework that could be leveraged against enterprise-grade applications to achieve remote code execution.

    watchTowr Labs, which has codenamed the “invalid cast vulnerability” SOAPwn, said the issue impacts Barracuda Service Center RMM, Ivanti Endpoint Manager (EPM), and Umbraco 8. But the list of affected vendors is likely to be longer given the widespread use of .NET.

    The findings were presented today by watchTowr security researcher Piotr Bazydlo at the Black Hat Europe security conference, which is being held in London.

    SOAPwn essentially allows attackers to abuse Web Services Description Language (WSDL) imports and HTTP client proxies to execute arbitrary code in products built on the foundations of .NET due to errors in the way they handle Simple Object Access Protocol (SOAP) messages.

    “It is usually abusable through SOAP clients, especially if they are dynamically created from the attacker-controlled WSDL,” Bazydlo said.

    As a result, .NET Framework HTTP client proxies can be manipulated into using file system handlers: passing a URL such as “file://<attacker-controlled input>” into a SOAP client proxy yields an arbitrary file write, which ultimately leads to code execution. To make matters worse, it can be used to overwrite existing files, since the attacker controls the full write path.

    In a hypothetical attack scenario, a threat actor could leverage this behavior to supply a Universal Naming Convention (UNC) path (e.g., “file://attacker.server/poc/poc”) and cause the SOAP request to be written to an SMB share under their control. This, in turn, can allow an attacker to capture the NTLM challenge and crack it.

    That’s not all. The research also found that a more powerful exploitation vector can be weaponized in applications that generate HTTP client proxies from WSDL files using the ServiceDescriptionImporter class by taking advantage of the fact that it does not validate the URL used by the generated HTTP client proxy.

    In this technique, an attacker can provide a URL that points to a WSDL file they control to vulnerable applications, and obtain remote code execution by dropping a fully functional ASPX web shell or additional payloads like CSHTML web shells or PowerShell scripts.

    Following responsible disclosure in March 2024 and July 2025, Microsoft has opted not to fix the vulnerability, stating the issue stems from either an application issue or behavior, and that “users should not consume untrusted input that can generate and run code.”

    The findings illustrate how expected behavior in a popular framework can become a potential exploit path that leads to NTLM relaying or arbitrary file writes. The issue has since been addressed in Barracuda Service Center RMM version 2025.1.1 (CVE-2025-34392, CVSS score: 9.8) and Ivanti EPM version 2024 SU4 SR1 (CVE-2025-13659, CVSS score: 8.8).

    “It is possible to make SOAP proxies write SOAP requests into files rather than sending them over HTTP,” Bazydlo said. “In many cases, this leads to remote code execution through webshell uploads or PowerShell script uploads. The exact impact depends on the application using the proxy classes.”


    Source: thehackernews.com…

  • React2Shell Exploitation Delivers Crypto Miners and New Malware Across Multiple Sectors

    React2Shell continues to witness heavy exploitation, with threat actors leveraging the maximum-severity security flaw in React Server Components (RSC) to deliver cryptocurrency miners and an array of previously undocumented malware families, according to new findings from Huntress.

    This includes a Linux backdoor called PeerBlight, a reverse proxy tunnel named CowTunnel, and a Go-based post-exploitation implant referred to as ZinFoq.

    The cybersecurity company said it has observed attackers targeting numerous organizations via CVE-2025-55182, a critical security vulnerability in RSC that allows unauthenticated remote code execution. As of December 8, 2025, these efforts have been aimed at a wide range of sectors, but prominently the construction and entertainment industries.

    The first recorded exploitation attempt on a Windows endpoint by Huntress dates back to December 4, 2025, when an unknown threat actor exploited a vulnerable instance of Next.js to drop a shell script, followed by commands to drop a cryptocurrency miner and a Linux backdoor.

    In two other cases, attackers were observed launching discovery commands and attempting to download several payloads from a command-and-control (C2) server. Some of the notable intrusions also singled out Linux hosts to drop the XMRig cryptocurrency miner, and leveraged a publicly available GitHub tool to identify vulnerable Next.js instances before commencing the attack.

    “Based on the consistent pattern observed across multiple endpoints, including identical vulnerability probes, shell code tests, and C2 infrastructure, we assess that the threat actor is likely leveraging automated exploitation tooling,” Huntress researchers said. “This is further supported by the attempts to deploy Linux-specific payloads on Windows endpoints, indicating the automation does not differentiate between target operating systems.”

    A brief description of some of the payloads downloaded in these attacks is as follows –

    • sex.sh, a bash script that retrieves XMRig 6.24.0 directly from GitHub
    • PeerBlight, a Linux backdoor that shares some code with two malware families, RotaJakiro and Pink, that came to light in 2021, installs a systemd service to ensure persistence, and masquerades as a “ksoftirqd” daemon process to evade detection
    • CowTunnel, a reverse proxy that initiates an outbound connection to attacker-controlled Fast Reverse Proxy (FRP) servers, effectively bypassing firewalls that are configured to only monitor inbound connections
    • ZinFoq, a Linux ELF binary that implements a post-exploitation framework with interactive shell, file operations, network pivoting, and timestomping capabilities
    • d5.sh, a dropper script responsible for deploying the Sliver C2 framework
    • fn22.sh, a “d5.sh” variant with an added self-update mechanism to fetch a new version of the malware and restart it
    • wocaosinm.sh, a variant of the Kaiji DDoS malware that incorporates remote administration, persistence, and evasion capabilities

    PeerBlight supports capabilities to establish communications with a hard-coded C2 server (“185.247.224[.]41:8443”), allowing it to upload/download/delete files, spawn a reverse shell, modify file permissions, run arbitrary binaries, and update itself. The backdoor also makes use of a domain generation algorithm (DGA) and BitTorrent Distributed Hash Table (DHT) network as fallback C2 mechanisms.

    “Upon joining the DHT network, the backdoor registers itself with a node ID beginning with the hardcoded prefix LOLlolLOL,” the researchers explained. “This 9-byte prefix serves as an identifier for the botnet, with the remaining 11 bytes of the 20-byte DHT node ID randomized.”

    “When the backdoor receives DHT responses containing node lists, it scans for other nodes whose IDs start with LOLlolLOL. When it finds a matching node, it knows this is either another infected machine or an attacker-controlled node that can provide C2 configuration.”

    Huntress said it identified over 60 unique nodes with the LOLlolLOL prefix, adding that multiple conditions have to be met in order for an infected bot to share its C2 configuration with another node: a valid client version, configuration availability on the responding bot’s side, and the correct transaction ID.

    Even when all the necessary conditions are satisfied, the bots are designed such that they only share the configuration about one-third of the time based on a random check, possibly in a bid to reduce network noise and avoid detection.
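The DHT-based discovery described above can be turned into a detection check. The following is an added example, not code from Huntress or from the malware: it parses the compact node-info format that BitTorrent DHT responses carry (BEP 5: a 20-byte node ID followed by a 4-byte IPv4 address and a 2-byte port per node) and flags nodes whose ID starts with the 9-byte LOLlolLOL prefix. The node list is constructed sample data; the addresses are documentation-range placeholders.

```python
import struct

# 9-byte node ID prefix that Huntress reports PeerBlight bots register with.
BOTNET_PREFIX = b"LOLlolLOL"


def make_node(node_id: bytes, ip: str, port: int) -> bytes:
    """Build one 26-byte compact node-info entry (constructed sample helper)."""
    assert len(node_id) == 20, "DHT node IDs are 20 bytes"
    return node_id + bytes(int(o) for o in ip.split(".")) + struct.pack(">H", port)


# Constructed sample: what the "nodes" value of a find_node/get_peers
# response might contain. Two ordinary nodes, two with the botnet prefix.
SAMPLE_NODES = b"".join([
    make_node(b"\x11" * 20, "198.51.100.7", 6881),
    make_node(BOTNET_PREFIX + b"\xaa" * 11, "203.0.113.9", 8443),
    make_node(b"\x22" * 20, "192.0.2.33", 51413),
    make_node(BOTNET_PREFIX + bytes(range(1, 12)), "203.0.113.77", 6881),
])


def parse_compact_nodes(blob: bytes):
    """Split a compact node-info blob into (node_id, ip, port) tuples."""
    if len(blob) % 26:
        raise ValueError("compact node info must be a multiple of 26 bytes")
    nodes = []
    for off in range(0, len(blob), 26):
        node_id = blob[off:off + 20]
        ip = ".".join(str(b) for b in blob[off + 20:off + 24])
        (port,) = struct.unpack(">H", blob[off + 24:off + 26])
        nodes.append((node_id, ip, port))
    return nodes


def find_botnet_nodes(blob: bytes, prefix: bytes = BOTNET_PREFIX):
    """Return (hex node ID, ip, port) for every node whose ID carries the prefix.

    The remaining 11 bytes are random per bot, so only the prefix is matched.
    """
    return [
        (node_id.hex(), ip, port)
        for node_id, ip, port in parse_compact_nodes(blob)
        if node_id.startswith(prefix)
    ]


if __name__ == "__main__":
    for node_id_hex, ip, port in find_botnet_nodes(SAMPLE_NODES):
        print(f"suspect DHT node {ip}:{port} id={node_id_hex}")
```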

    ZinFoq, in a similar manner, beacons out to its C2 server and is equipped to parse incoming instructions to run commands using “/bin/bash,” enumerate directories, read or delete files, download more payloads from a specified URL, exfiltrate files and system information, start/stop a SOCKS5 proxy, enable/disable TCP port forwarding, alter file access and modification times, and establish a reverse pseudo terminal (PTY) shell connection.

    ZinFoq also takes steps to clear bash history and disguises itself as one of 44 legitimate Linux system services (e.g., “/sbin/audispd,” “/usr/sbin/ModemManager,” “/usr/libexec/colord,” or “/usr/sbin/cron -f”) to conceal its presence.

    Organizations relying on react-server-dom-webpack, react-server-dom-parcel, or react-server-dom-turbopack are advised to update immediately, given the “potential ease of exploitation and the severity of the vulnerability,” Huntress said.

    The development comes as the Shadowserver Foundation said it detected over 165,000 IP addresses and 644,000 domains with vulnerable code as of December 8, 2025, after “scan targeting improvements.” More than 99,200 instances are located in the U.S., followed by Germany (14,100), France (6,400), and India (4,500).


    Source: thehackernews.com…

  • Fortinet, Ivanti, and SAP Issue Urgent Patches for Authentication and Code Execution Flaws

    Fortinet, Ivanti, and SAP have moved to address critical security flaws in their products that, if successfully exploited, could result in an authentication bypass and code execution.

    The Fortinet vulnerabilities affect FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager and relate to a case of improper verification of a cryptographic signature. They are tracked as CVE-2025-59718 and CVE-2025-59719 (CVSS scores: 9.8).

    “An Improper Verification of Cryptographic Signature vulnerability [CWE-347] in FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML message, if that feature is enabled on the device,” Fortinet said in an advisory.

    The company, however, noted that the FortiCloud SSO login feature is not enabled in the default factory settings. FortiCloud SSO login is enabled when an administrator registers the device to FortiCare and has not disabled the toggle “Allow administrative login using FortiCloud SSO” in the registration page.

    To temporarily protect their systems against attacks exploiting these vulnerabilities, organizations are advised to disable the FortiCloud login feature (if enabled) until it can be updated. This can be done in two ways –

    • Go to System -> Settings -> Switch “Allow administrative login using FortiCloud SSO” to Off
    • Run the below command in the CLI –
    config system global
    set admin-forticloud-sso-login disable
    end

    Ivanti Releases Fix for Critical EPM Flaw

    Ivanti has also shipped updates to address four security flaws in Endpoint Manager (EPM), one of which is a critical severity bug in the EPM core and remote consoles. The vulnerability, assigned the CVE identifier CVE-2025-10573, carries a CVSS score of 9.6.

    “Stored XSS in Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote unauthenticated attacker to execute arbitrary JavaScript in the context of an administrator session,” Ivanti said.

    Rapid7 security researcher Ryan Emmons, who discovered and reported the shortcoming on August 15, 2025, said it allows an attacker with unauthenticated access to the primary EPM web service to join fake managed endpoints to the EPM server so as to poison the administrator web dashboard with malicious JavaScript.

    “When an Ivanti EPM administrator views one of the poisoned dashboard interfaces during normal usage, that passive user interaction will trigger client-side JavaScript execution, resulting in the attacker gaining control of the administrator’s session,” Emmons said.

    Douglas McKee, director of vulnerability intelligence at Rapid7, said in a statement that CVE-2025-10573 represents a serious risk as it’s trivial to exploit: it can be done by sending a fake device report to the server using a basic file format.

    “While the attack only fully executes when an administrator views the dashboard, this is a routine and necessary task for IT staff; consequently, the likelihood of triggering the exploit during normal operations is high, ultimately allowing the attacker to take control of the administrator’s session,” McKee added.

    Ensar Seker, CISO at threat intelligence company SOCRadar, also emphasized that the user interaction requirement doesn’t reduce the vulnerability’s threat level and that it has a “significant” exploitation potential when combined with social engineering.

    “Remote code execution via JavaScript injection is no longer theoretical in supply chain attacks; it’s become operationally viable,” Seker said. “Organizations must act swiftly to patch, and more importantly, implement rigorous user interface sanitization and privilege segmentation.”

    The company noted that user interaction is required to exploit the flaw and that it’s not aware of any attacks in the wild. It has been patched in EPM version 2024 SU4 SR1.

    Also patched in the same version are three other high-severity vulnerabilities (CVE-2025-13659, CVE-2025-13661, and CVE-2025-13662) that could allow a remote, unauthenticated attacker to achieve arbitrary code execution. CVE-2025-13662, like CVE-2025-59718 and CVE-2025-59719, stems from improper verification of cryptographic signatures, in this case in the patch management component.

    SAP Fixes Three Critical Flaws

    Lastly, SAP has pushed December security updates to address 14 vulnerabilities across multiple products, including three critical-severity flaws. They are listed below –

    • CVE-2025-42880 (CVSS score: 9.9) – A code injection vulnerability in SAP Solution Manager
    • CVE-2025-55754 (CVSS score: 9.6) – Multiple vulnerabilities in Apache Tomcat within SAP Commerce Cloud
    • CVE-2025-42928 (CVSS score: 9.1) – A deserialization vulnerability in SAP jConnect SDK for Sybase Adaptive Server Enterprise (ASE)

    Boston-based SAP security platform Onapsis has been credited with reporting CVE-2025-42880 and CVE-2025-42928. The company said it identified a remote-enabled function module in SAP Solution Manager that enables an authenticated attacker to inject arbitrary code.

    “Given the central role of SAP Solution Manager in the SAP system landscape, we strongly recommend a timely patch,” Onapsis security researcher Thomas Fritsch said.

    CVE-2025-42928, on the other hand, allows for remote code execution by providing specially crafted input to the SAP jConnect SDK component. However, a successful exploitation requires elevated privileges.

    With security vulnerabilities in Fortinet, Ivanti, and SAP’s software frequently exploited by bad actors, it’s essential that users move quickly to apply the fixes.


    Source: thehackernews.com…

  • Microsoft Issues Security Fixes for 56 Flaws, Including Active Exploit and Two Zero-Days

    Microsoft closed out 2025 with patches for 56 security flaws in various products across the Windows platform, including one vulnerability that has been actively exploited in the wild.

    Of the 56 flaws, three are rated Critical, and 53 are rated Important in severity. Two other defects are listed as publicly known at the time of the release. These include 29 privilege escalation, 18 remote code execution, four information disclosure, three denial-of-service, and two spoofing vulnerabilities.

    In total, Microsoft has addressed 1,275 CVEs in 2025, according to data compiled by Fortra. Tenable’s Satnam Narang said 2025 also marks the second consecutive year in which the Windows maker has patched over 1,000 CVEs, and the third time it has done so since Patch Tuesday’s inception.

    The update is in addition to 17 shortcomings the tech giant patched in its Chromium-based Edge browser since the release of the November 2025 Patch Tuesday update. This also consists of a spoofing vulnerability in Edge for iOS (CVE-2025-62223, CVSS score: 4.3).

    The vulnerability that has come under active exploitation is CVE-2025-62221 (CVSS score: 7.8), a use-after-free in Windows Cloud Files Mini Filter Driver that could allow an authorized attacker to elevate privileges locally and obtain SYSTEM permissions.

    “File system filter drivers, aka minifilters, attach to the system software stack, and intercept requests targeted at a file system, and extend or replace the functionality provided by the original target,” Adam Barnett, lead software engineer at Rapid7, said in a statement. “Typical use cases include data encryption, automated backup, on-the-fly compression, and cloud storage.”

    “The Cloud Files minifilter is used by OneDrive, Google Drive, iCloud, and others, although as a core Windows component, it would still be present on a system where none of those apps were installed.”

    It’s currently not known how the vulnerability is being abused in the wild and in what context, but successful exploitation requires an attacker to obtain access to a susceptible system through some other means. Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) have been credited with discovering and reporting the flaw.

    According to Mike Walters, president and co-founder of Action1, a threat actor could gain low-privileged access through methods like phishing, web browser exploits, or another known remote code execution flaw, and then chain it with CVE-2025-62221 to seize control of the host.

    Armed with this access, the attacker could deploy kernel components or abuse signed drivers to evade defenses and maintain persistence, and the foothold can be weaponized to achieve a domain-wide compromise when coupled with credential theft scenarios.

    The exploitation of CVE-2025-62221 has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add it to the Known Exploited Vulnerabilities (KEV) catalog, mandating Federal Civilian Executive Branch (FCEB) agencies to apply the patch by December 30, 2025.

    The remaining two zero-days are listed below –

    • CVE-2025-54100 (CVSS score: 7.8) – A command injection vulnerability in Windows PowerShell that allows an unauthorized attacker to execute code locally
    • CVE-2025-64671 (CVSS score: 8.4) – A command injection vulnerability in GitHub Copilot for JetBrains that allows an unauthorized attacker to execute code locally

    “This is a command injection flaw in how Windows PowerShell processes web content,” Action1’s Alex Vovk said about CVE-2025-54100. “It lets an unauthenticated attacker execute arbitrary code in the security context of a user who runs a crafted PowerShell command, such as Invoke-WebRequest.”

    “The threat becomes significant when this vulnerability is combined with common attack patterns. For example, an attacker can use social engineering to persuade a user or admin to run a PowerShell snippet using Invoke-WebRequest, allowing a remote server to return crafted content that triggers the parsing flaw and leads to code execution and implant deployment.”

    It’s worth noting that CVE-2025-64671 comes in the wake of a broader set of security vulnerabilities, collectively named IDEsaster, that were recently disclosed by security researcher Ari Marzouk. The issues arise as a result of adding agentic capabilities to an integrated development environment (IDE), exposing new security risks in the process.

    These attacks leverage prompt injections against the artificial intelligence (AI) agents embedded into IDEs and combine them with the base IDE layer to result in information disclosure or command execution.

    “This uses an ‘old’ attack chain of using a vulnerable tool, so not exactly part of the IDEsaster novel attack chain,” Marzouk, who is credited with discovering and reporting the flaw, told The Hacker News. “Specifically, a vulnerable ‘execute command’ tool where you can bypass the user-configured allow list.”

    Marzouk also said multiple IDEs were found vulnerable to the same attack, including Kiro.dev, Cursor (CVE-2025-54131), JetBrains Junie (CVE-2025-59458), Gemini CLI, Windsurf, and Roo Code (CVE-2025-54377, CVE-2025-57771, and CVE-2025-65946). Furthermore, GitHub Copilot for Visual Studio Code has been found to be susceptible to the vulnerability, although, in this case, Microsoft assigned it a “Medium” severity rating with no CVE.

    “The vulnerability states that it’s possible to gain code execution on affected hosts by tricking the LLM into running commands that bypass the guardrails and appending instructions in the user’s ‘auto-approve’ settings,” Kev Breen, senior director of cyber threat research at Immersive, said.

    “This can be achieved through ‘Cross Prompt Injection,’ which is where the prompt is modified not by the user but by the LLM agents as they craft their own prompts based on the content of files or data retrieved from a Model Context Protocol (MCP) server that has risen in popularity with agent-based LLMs.”

    Software Patches from Other Vendors

    In addition to Microsoft, security updates have also been released by other vendors over the past several weeks to rectify multiple vulnerabilities, including —


    Source: thehackernews.com…

  • Google Adds Layered Defenses to Chrome to Block Indirect Prompt Injection Threats

    Google on Monday announced a set of new security features in Chrome, following the company’s addition of agentic artificial intelligence (AI) capabilities to the web browser.

    To that end, the tech giant said it has implemented layered defenses to make it harder for bad actors to exploit indirect prompt injections that arise as a result of exposure to untrusted web content and inflict harm.

    Chief among the features is a User Alignment Critic, which uses a second model to independently evaluate the agent’s actions in a manner that’s isolated from malicious prompts. This approach complements Google’s existing techniques, like spotlighting, which instructs the model to stick to user and system instructions rather than abiding by what’s embedded in a web page.

    “The User Alignment Critic runs after the planning is complete to double-check each proposed action,” Google said. “Its primary focus is task alignment: determining whether the proposed action serves the user’s stated goal. If the action is misaligned, the Alignment Critic will veto it.”

    The component is designed to view only metadata about the proposed action and is prevented from accessing any untrustworthy web content, thereby ensuring that it is not poisoned through malicious prompts that may be included in a website. With the User Alignment Critic, the idea is to provide safeguards against any malicious attempts to exfiltrate data or hijack the intended goals to carry out the attacker’s bidding.

    “When an action is rejected, the Critic provides feedback to the planning model to re-formulate its plan, and the planner can return control to the user if there are repeated failures,” Nathan Parker from the Chrome security team said.

    Google is also enforcing what’s called Agent Origin Sets to ensure that the agent only has access to data from origins that are relevant to the task at hand or data sources the user has opted to share with the agent. This aims to address site isolation bypasses in which a compromised agent interacts with arbitrary sites and is thereby able to exfiltrate data from sites the user is logged in to.

    This is implemented by means of a gating function that determines which origins are related to the task and categorizes them into two sets –

    • Read-only origins, from which Google’s Gemini AI model is permitted to consume content
    • Read-writable origins, on which the agent can type or click in addition to reading from them

    “This delineation enforces that only data from a limited set of origins is available to the agent, and this data can only be passed on to the writable origins,” Google explained. “This bounds the threat vector of cross-origin data leaks.”

    Similar to the User Alignment Critic, the gating function is not exposed to untrusted web content. The planner is also required to obtain the gating function’s approval before adding new origins, although it can use context from the web pages a user has explicitly shared in a session.

    Another key pillar underpinning the new security architecture relates to transparency and user control, allowing the agent to create a work log for user observability and request their explicit approval before navigating to sensitive sites, such as banking and healthcare portals, permitting sign-ins via Google Password Manager, or completing web actions like purchases, payments, or sending messages.

    Lastly, the agent also checks each page for indirect prompt injections and operates alongside Safe Browsing and on-device scam detection to block potentially suspicious content.

    “This prompt-injection classifier runs in parallel to the planning model’s inference, and will prevent actions from being taken based on content that the classifier determined has intentionally targeted the model to do something unaligned with the user’s goal,” Google said.

    To further incentivize research and poke holes in the system, the company said it will pay up to $20,000 for demonstrations that result in a breach of the security boundaries. These include indirect prompt injections that allow an attacker to –

    • Carry out rogue actions without confirmation
    • Exfiltrate sensitive data without an effective opportunity for user approval
    • Bypass a mitigation that should have ideally prevented the attack from succeeding in the first place

    “By extending some core principles like origin-isolation and layered defenses, and introducing a trusted-model architecture, we’re building a secure foundation for Gemini’s agentic experiences in Chrome,” Google said. “We remain committed to continuous innovation and collaboration with the security community to ensure Chrome users can explore this new era of the web safely.”

    The announcement follows research from Gartner that called on enterprises to block the use of agentic AI browsers until the associated risks, such as indirect prompt injections, erroneous agent actions, and data loss, can be appropriately managed.

    The research also warns of a possible scenario where employees “might be tempted to use AI browsers and automate certain tasks that are mandatory, repetitive, and less interesting.” This could cover cases where an individual dodges mandatory cybersecurity training by instructing the AI browser to complete it on their behalf.

    “Agentic browsers, or what many call AI browsers, have the potential to transform how users interact with websites and automate transactions while introducing critical cybersecurity risks,” the advisory firm said. “CISOs must block all AI browsers in the foreseeable future to minimize risk exposure.”

    The development comes as the U.S. National Cyber Security Centre (NCSC) said that large language models (LLMs) may suffer from a persistent class of vulnerability known as prompt injection and that the problem can never be resolved in its entirety.

    “Current large language models (LLMs) simply do not enforce a security boundary between instructions and data inside a prompt,” said David C, NCSC technical director for Platforms Research. “Design protections need to therefore focus more on deterministic (non-LLM) safeguards that constrain the actions of the system, rather than just attempting to prevent malicious content reaching the LLM.”


    Source: thehackernews.com…

  • How to Streamline Zero Trust Using the Shared Signals Framework

    How to Streamline Zero Trust Using the Shared Signals Framework

    Zero Trust helps organizations shrink their attack surface and respond to threats faster, but many still struggle to implement it because their security tools don’t share signals reliably. 88% of organizations admit they’ve suffered significant challenges in trying to implement such approaches, according to Accenture. When products can’t communicate, real-time access decisions break down.

    The Shared Signals Framework (SSF) aims to fix this with a standardized way to exchange security events. Yet adoption is uneven. For example, Kolide Device Trust doesn’t currently support SSF.

    Scott Bean, Senior IAM and Security Engineer at MongoDB, proposed a way to solve the problem, giving teams an easy and intuitive way to operationalize SSF across their environment.

    In this guide, we’ll share an overview of the workflow, plus step-by-step instructions for getting it up and running.

    The problem – IAM tools don’t support SSF

    A core requirement of Zero Trust is continuous, reliable signals about user and device posture. But many tools don’t support SSF or the Continuous Access Evaluation Profile (CAEP) built on it, making it hard to share or act on these signals.

    Teams often face three challenges:

    • Tools lack native SSF support
    • Signals require enrichment or correlation
    • Managing SSF endpoints and token handling adds overhead

    Without this interoperability, organizations struggle to apply consistent policies — and in cases like Kolide Device Trust, critical device events never reach systems like Okta.

    The solution – an SSF transmitter that turns Kolide issues into CAEP events

    Because SSF is built on ordinary HTTPS requests, the OpenID standard can be implemented with Tines’ HTTP Action.

    Scott developed a new workflow integrating Kolide Device Trust with Tines, enabling it to send SSF signals to Okta. If a device is non-compliant, Kolide sends a message to the workflow via webhook. Tines enriches the signal, makes sure it can be linked to a user, builds a Security Event Token (SET), and then sends it to Okta.

    In this way, Tines acts as the connective tissue that makes SSF work across the distributed IT environment, even if individual tools don’t natively support the standard.

    Tines can:

    • Receive signals from Kolide (and tools like it) via webhook when a device becomes non-compliant
    • Enrich and correlate those signals (e.g., map device to user)
    • Generate and sign SETs that meet the SSF specification
    • Deliver them to Okta (and other identity providers) to enforce Zero Trust
    • Host the required SSF metadata endpoints using API path prefixes, giving consuming systems a standards-compliant place to fetch the public keys used to verify SET signatures

    All of this makes Zero Trust enforcement faster, more reliable, and much easier to operationalize. IT teams get continuous, real-time risk assessment of devices, faster response to threats, and more flexible policy orchestration, and end users get automated remediation that keeps them productive with less IT intervention.

    If you want to go deeper into identity modernization, the Tines IAM guide explores how teams are unifying device trust, access decisions, and least-privilege enforcement with automation. Scott’s workflow is one of several real-world patterns inside.

    Workflow overview

    Required tools:

    • Tines – workflow orchestration and AI platform
    • Kolide – device trust and posture monitoring
    • Okta – identity platform receiving CAEP events

    Required credentials:

    • Tines API Key – `Team` Scoped with the `Editor` role
    • Kolide API Key – Read Only
    • Kolide Webhook Signing Secret

    Required resources:

    Okta domain, such as example.okta.com, example.oktapreview.com, or a branded domain.

    How it works:

    The workflow creates a proof-of-concept SSF transmitter that can be registered with Okta and sends device compliance change CAEP events (sent as SETs), based on issues generated in Kolide. There are three elements:

    1. Generate and store SET signing keys (SETs are signed JSON Web Tokens):

    • Creates an RSA key pair and converts it to JWK format.
    • Publishes the public key for SSF receivers to validate SET signatures.
    • Stores the private JWK keyset as a Tines secret.

    2. Expose the SSF transmitter API

    SSF receivers (like Okta) need:

    • a .well-known/sse-configuration endpoint describing the transmitter (the current SSF specification names this document ssf-configuration; sse-configuration is the older name, so check which one your receiver expects)
    • a JWKS endpoint exposing the public key used to verify SET signatures

    In the workflow:

    • a webhook trigger acts as the SSF API surface
    • one branch returns the .well-known configuration
    • another branch returns the JWKS

    Once this is live, teams can register a new SSF receiver in Okta under:

    • Security → Device Integrations → Receive shared signals

    And create a new stream using the API’s URL and the new `.well-known` endpoint.

    3. Create, sign, and send SETs from Kolide events

    • Receives Kolide issue events via webhook and validates them using the signing secret.
    • Fetches device and user metadata from Kolide.
    • Builds a SET for a Device Compliance Change CAEP event.
    • Signs the SET with the stored private key using the JWT_SIGN formula.
    • Sends the signed token to Okta’s security-events endpoint.

    This delivers real-time device-compliance updates to Okta so access policies can respond immediately.

    Configuring the workflow — a step-by-step guide

    You can build and run this entire workflow using Tines Community Edition.

    1. Log into Tines or create a new account.

    2. Navigate to the pre-built workflow in the library. Select import. This should take you straight to your new pre-built workflow.

    3. Gather the required credentials

    • Tines API Key (team-scoped with Editor role)
    • Kolide API Key (read-only)
    • Kolide Webhook Signing Secret

    These ensure authenticated calls to Kolide and secure webhook validation.

    4. Collect your required resources

    You’ll need an Okta tenant domain, such as:

    • example.oktapreview.com
    • example.okta.com
    • or your custom Okta brand domain

    This domain is used when sending signed SETs to Okta’s security-events endpoint.

    Note: In the example provided, Scott set the transmitter up as a push rather than a poll provider: tokens are sent in response to inbound webhooks, so there is no need to store state.

    5. Generate your SET signing keys

    • Use the Generate JWK keyset action to create RSA keys
    • Convert both public and private keys to JWK format (two event transforms)
    • Store the resulting keyset using a Tines secret

    This is required before Okta will accept and verify your SETs.

    6. Publish the SSF transmitter API

    The SSF API webhook contains two branches:

    • .well-known endpoint
      • Trigger: well-known
      • Event transform: returns the SSF configuration declaring the transmitter’s capabilities
    • JWKS endpoint
      • Trigger: JWKs
      • Event transform: returns the public JWKs so Okta can verify signatures

    Once live, Okta can register this transmitter as a shared signals sender.

    7. Connect Kolide and process device issues

    The Kolide integration flow follows these steps:

    • Webhook: Kolide webhook – receives issue opened/resolved events
    • Get device details – fetches metadata for the device involved
    • Device has a user – branching logic to confirm a user is associated
    • Get user details – look up user metadata for the CAEP payload

    Depending on whether the issue is new or resolved:

    • Build SET – construct the CAEP device_compliance_change event
    • Sign SET – use the RSA private key stored earlier to produce an SSF-compliant SET
    • Send SET – send the final signed token to Okta’s security-events endpoint

    As soon as Okta receives and verifies the SET, the associated user risk level updates.

    Bringing it all together

    SSF exists to help security tools speak the same language, delivering continuous insight into risk and device posture. But when key tools don’t support the standard, gaps open up, and access policies lag behind real-world changes.

    Tines bridges these gaps by enabling new intelligent workflows. They ensure that even tools that don’t support SSF can send information in the same standardized way. By using Tines to generate, sign, and deliver compliance signals in real time, you get the benefits of SSF even when the source tool wasn’t built for it.

    If you’d like to try this workflow yourself, you can spin it up in minutes with a free Tines account. And if you want to see how device posture fits into a broader identity strategy, this guide to modern IAM workflows offers practical patterns and real-world workflows like Scott’s you can start building on today.

    This article is a contributed piece from one of The Hacker News’ partners.


    Source: thehackernews.com…

  • Storm-0249 Escalates Ransomware Attacks with ClickFix, Fileless PowerShell, and DLL Sideloading

    Storm-0249 Escalates Ransomware Attacks with ClickFix, Fileless PowerShell, and DLL Sideloading

    Dec 09, 2025Ravie LakshmananRansomware / Endpoint Security

    The threat actor known as Storm-0249 is likely shifting from its role as an initial access broker to adopt a combination of more advanced tactics like domain spoofing, DLL side-loading, and fileless PowerShell execution to facilitate ransomware attacks.

    “These methods allow them to bypass defenses, infiltrate networks, maintain persistence, and operate undetected, raising serious concerns for security teams,” ReliaQuest said in a report shared with The Hacker News.

    Storm-0249 is the moniker assigned by Microsoft to an initial access broker that has sold footholds into organizations to other cybercrime groups, including ransomware and extortion actors like Storm-0501. It was first highlighted by the tech giant in September 2024.


    Then, earlier this year, Microsoft also revealed details of a phishing campaign mounted by the threat actor that used tax-related themes to target users in the U.S. ahead of the tax filing season and infect them with Latrodectus and the BruteRatel C4 (BRc4) post-exploitation framework.

    The end goal of these infections is to obtain persistent access to various enterprise networks and monetize them by selling them to ransomware gangs, providing them with a ready supply of targets, and accelerating the pace of such attacks.

    The latest findings from ReliaQuest demonstrate a tactical shift, where Storm-0249 has resorted to using the infamous ClickFix social engineering tactic to trick prospective targets into running malicious commands via the Windows Run dialog under the pretext of resolving a technical issue.

    In this case, the command copied and executed leverages the legitimate “curl.exe” to fetch a PowerShell script from a URL that mimics a Microsoft domain to give victims a false sense of trust (“sgcipl[.]com/us.microsoft.com/bdo/”) and execute it in a fileless manner via PowerShell.

    This, in turn, results in the execution of a malicious MSI package with SYSTEM privileges, which drops a trojanized DLL associated with SentinelOne’s endpoint security solution (“SentinelAgentCore.dll”) into the user’s AppData folder along with the legitimate “SentinelAgentWorker.exe” executable.

    In doing so, the idea is to sideload the rogue DLL when the “SentinelAgentWorker.exe” process is launched, thereby allowing the activity to stay undetected. The DLL then establishes encrypted communication with a command-and-control (C2) server.

    Storm-0249 has also been observed making use of legitimate Windows administrative utilities like reg.exe and findstr.exe to extract unique system identifiers like MachineGuid to lay the groundwork for follow-on ransomware attacks. The use of living-off-the-land (LotL) tactics, coupled with the fact that these commands are run under the trusted “SentinelAgentWorker.exe” process, means the activity is unlikely to raise any red flags.


    The findings indicate a departure from mass phishing campaigns to precision attacks that weaponize the trust associated with signed processes for added stealth.

    “This isn’t just generic reconnaissance – it’s preparation for ransomware affiliates,” ReliaQuest said. “Ransomware groups like LockBit and ALPHV use MachineGuid to bind encryption keys to individual victim systems.”

    “By tying encryption keys to MachineGuid, attackers ensure that even if defenders capture the ransomware binary or attempt to reverse-engineer the encryption algorithm, they cannot decrypt files without the attacker-controlled key.”


    Source: thehackernews.com…

  • Four Threat Clusters Using CastleLoader as GrayBravo Expands Its Malware Service Infrastructure

    Four Threat Clusters Using CastleLoader as GrayBravo Expands Its Malware Service Infrastructure

    Dec 09, 2025Ravie LakshmananCybersecurity / Malware

    Four distinct threat activity clusters have been observed leveraging a malware loader known as CastleLoader, strengthening the previous assessment that the tool is offered to other threat actors under a malware-as-a-service (MaaS) model.

    The threat actor behind CastleLoader has been assigned the name GrayBravo by Recorded Future’s Insikt Group, which was previously tracking it as TAG-150.

    GrayBravo is “characterized by rapid development cycles, technical sophistication, responsiveness to public reporting, and an expansive, evolving infrastructure,” the Mastercard-owned company said in an analysis published today.


    Some of the notable tools in the threat actor’s toolset include a remote access trojan called CastleRAT and a malware framework referred to as CastleBot, which comprises three components: a shellcode stager/downloader, a loader, and a core backdoor.

    The CastleBot loader is responsible for injecting the core module, which is equipped to contact its command-and-control (C2) server to retrieve tasks that enable it to download and execute DLL, EXE, and PE (portable executable) payloads. Some of the malware families distributed via this framework are DeerStealer, RedLine Stealer, StealC Stealer, NetSupport RAT, SectopRAT, MonsterV2, WARMCOOKIE, and even other loaders like Hijack Loader.

    Recorded Future’s latest analysis has uncovered four clusters of activity, each operating with distinct tactics –

    • Cluster 1 (TAG-160), which targets the logistics sector using phishing and ClickFix techniques to distribute CastleLoader (Active since at least March 2025)
    • Cluster 2 (TAG-161), which uses Booking.com-themed ClickFix campaigns to distribute CastleLoader and Matanbuchus 3.0 (Active since at least June 2025)
    • Cluster 3, which uses infrastructure impersonating Booking.com in conjunction with ClickFix and Steam Community pages as a dead drop resolver to deliver CastleRAT via CastleLoader (Active since at least March 2025)
    • Cluster 4, which uses malvertising and fake software update lures masquerading as Zabbix and RVTools to distribute CastleLoader and NetSupport RAT (Active since at least April 2025)

    GrayBravo has been found to leverage a multi-tiered infrastructure to support its operations. This includes Tier 1 victim-facing C2 servers associated with malware families like CastleLoader, CastleRAT, SectopRAT, and WARMCOOKIE, as well as multiple VPS servers that likely operate as backups.


    The attacks mounted by TAG-160 are also notable for using fraudulent or compromised accounts created on freight-matching platforms like DAT Freight & Analytics and Loadlink Technologies to enhance the credibility of its phishing campaigns. The activity, Recorded Future added, illustrates a deep understanding of industry operations, impersonating legitimate logistics firms, exploiting freight-matching platforms, and mirroring authentic communications to enhance its deception and impact.

    It’s been assessed with low confidence that the activity could be related to another unattributed cluster that targeted transportation and logistics companies in North America last year to distribute various malware families.

    “GrayBravo has significantly expanded its user base, evidenced by the growing number of threat actors and operational clusters leveraging its CastleLoader malware,” Recorded Future said. “This trend highlights how technically advanced and adaptive tooling, particularly from a threat actor with GrayBravo’s reputation, can rapidly proliferate within the cybercriminal ecosystem once proven effective.”


    Source: thehackernews.com…

  • North Korea-linked Actors Exploit React2Shell to Deploy New EtherRAT Malware

    North Korea-linked Actors Exploit React2Shell to Deploy New EtherRAT Malware

    Threat actors with ties to North Korea have likely become the latest to exploit the recently disclosed critical React2Shell security flaw in React Server Components (RSC) to deliver a previously undocumented remote access trojan dubbed EtherRAT.

    “EtherRAT leverages Ethereum smart contracts for command-and-control (C2) resolution, deploys five independent Linux persistence mechanisms, and downloads its own Node.js runtime from nodejs.org,” Sysdig said in a report published Monday.

    The cloud security firm said the activity exhibits significant overlap with a long-running campaign codenamed Contagious Interview, which has been observed leveraging the EtherHiding technique to distribute malware since February 2025.

    Contagious Interview is the name given to a series of attacks in which blockchain and Web3 developers, among others, are targeted through fake job interviews, coding assignments, and video assessments, leading to the deployment of malware. These efforts typically begin with a ruse that lures victims via platforms like LinkedIn, Upwork, or Fiverr, where the threat actors pose as recruiters offering lucrative job opportunities.

    According to software supply chain security company Socket, it’s one of the most prolific campaigns exploiting the npm ecosystem, highlighting the threat actors’ ability to adapt to JavaScript and cryptocurrency-centric workflows.


    The attack chain commences with the exploitation of CVE-2025-55182 (CVSS score: 10.0), a maximum-severity security vulnerability in RSC, to execute a Base64-encoded shell command that downloads and runs a shell script responsible for deploying the main JavaScript implant.

    The shell script is retrieved using a curl command, with wget and python3 used as fallbacks. It is also designed to prepare the environment by downloading Node.js v20.10.0 from nodejs.org, following which it writes to disk an encrypted blob and an obfuscated JavaScript dropper. Once all these steps are complete, it proceeds to delete the shell script to minimize the forensic trail and runs the dropper.

    The primary goal of the dropper is to decrypt the EtherRAT payload with a hard-coded key and spawn it using the downloaded Node.js binary. The malware is notable for using EtherHiding to fetch the C2 server URL from an Ethereum smart contract every five minutes, allowing the operators to update the URL easily, even if it’s taken down.

    “What makes this implementation unique is its use of consensus voting across nine public Ethereum remote procedure call (RPC) endpoints,” Sysdig said. “EtherRAT queries all nine endpoints in parallel, collects responses, and selects the URL returned by the majority.”

    “This consensus mechanism protects against several attack scenarios: a single compromised RPC endpoint cannot redirect bots to a sinkhole, and researchers cannot poison C2 resolution by operating a rogue RPC node.”

    It’s worth noting that a similar implementation was previously observed in two npm packages named colortoolsv2 and mimelib2 that were found to deliver downloader malware on developer systems.

    Once EtherRAT establishes contact with the C2 server, it enters a polling loop that executes every 500 milliseconds, interpreting any response that’s longer than 10 characters as JavaScript code to be run on the infected machine. Persistence is accomplished by using five different methods –

    • Systemd user service
    • XDG autostart entry
    • Cron jobs
    • .bashrc injection
    • Profile injection

    By using multiple mechanisms, the threat actors can ensure the malware runs even after a system reboot and grants them continued access to the infected systems. Another sign that points to the malware’s sophistication is the self-update ability that overwrites itself with the new code received from the C2 server after sending its own source code to an API endpoint.

    It then launches a new process with the updated payload. What’s notable here is that the C2 returns a functionally identical but differently obfuscated version, thereby possibly allowing it to bypass static signature-based detection.

    In addition to the use of EtherHiding, the links to Contagious Interview stem from overlaps between the encrypted loader pattern used in EtherRAT and a known JavaScript information stealer and downloader named BeaverTail.


    “EtherRAT represents a significant evolution in React2Shell exploitation, moving beyond opportunistic cryptomining and credential theft toward persistent, stealthy access designed for long-term operations,” Sysdig said.

    “Whether this represents North Korean actors pivoting to new exploitation vectors or sophisticated technique borrowing by another actor, the result is the same: defenders face a challenging new implant that resists traditional detection and takedown methods.”

    Contagious Interview Shifts from npm to VS Code

    The disclosure comes as OpenSourceMalware revealed details of a new Contagious Interview variant that urges victims to clone a malicious repository on GitHub, GitLab, or Bitbucket as part of a programming assignment, and launch the project in Microsoft Visual Studio Code (VS Code).

    This results in the execution of a VS Code tasks.json file configured with `runOptions.runOn` set to `folderOpen`, which causes the task to run automatically as soon as the project is opened in a trusted workspace (VS Code’s Workspace Trust blocks automatic tasks in Restricted Mode, so the lure depends on the victim trusting the folder). The file is engineered to download a loader script using curl or wget, depending on the operating system of the compromised host.

    In the case of Linux, the next stage is a shell script that downloads and runs another shell script named “vscode-bootstrap.sh,” which then fetches two more files, “package.json” and “env-setup.js,” the latter of which serves as a launchpad for BeaverTail and InvisibleFerret.

    OpenSourceMalware said it identified 13 different versions of this campaign spread across 27 different GitHub users and 11 different versions of BeaverTail. The earliest repository (“github[.]com/MentarisHub121/TokenPresaleApp”) dates back to April 22, 2025, and the most recent version (“github[.]com/eferos93/test4”) was created on December 1, 2025.

    “DPRK threat actors have flocked to Vercel, and are now using it almost exclusively,” the OpenSourceMalware team said. “We don’t know why, but Contagious Interview has stopped using Fly.io, Platform.sh, Render and other hosting providers.”


    Source: thehackernews.com…