2025-08-22 AI创业新闻

Pre-Auth Exploit Chains Found in Commvault Could Enable Remote Code Execution Attacks

Commvault has released updates to address four security gaps that could be exploited to achieve remote code execution on susceptible instances. The list of vulnerabilities, identified in Commvault versions before 11.36.60, is as follows - CVE-2025-57788 (CVSS score: 6.9) - A vulnerability in a known login mechanism allows unauthenticated attackers to execute API calls without requiring user credentials CVE-2025-57789 (CVSS score: 5.3) - A vulnerability during the setup phase between installation and the first administrator login that allows remote attackers to exploit the default credentials to gain admin control CVE-2025-57790 (CVSS score: 8.7) - A path traversal vulnerability that allows remote attackers to perform unauthorized file system access through a path traversal issue, resulting in remote code execution CVE-2025-57791 (CVSS score: 6.9) - A vulnerability that allows remote attackers to inject or manipulate command-line arguments passed to internal components due to insufficient input validation, resulting in a valid user session for a low-privilege role watchTowr Labs researchers Sonny Macdonald and Piotr Bazydlo have been credited with discovering and reporting the four security defects in April 2025. All the flagged vulnerabilities have been resolved in versions 11.32.102 and 11.36.60. Commvault SaaS solution is not affected.

In an analysis published Wednesday, the cybersecurity company said threat actors could fashion these vulnerabilities into two pre-authenticated exploit chains to achieve code execution on susceptible instances: One that combines CVE-2025-57791 and CVE-2025-57790, and the other that strings CVE-2025-57788, CVE-2025-57789, and CVE-2025-57790. It’s worth noting that the second pre-auth remote code execution chain becomes successful only if the built-in admin password hasn’t been changed since installation. The disclosure comes nearly four months after watchTowr Labs reported a critical Commvault Command Center flaw ( CVE-2025-34028 , CVSS score: 10.0) that could allow arbitrary code execution on affected installations. A month later, the U.S.

Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Cybercriminals Deploy CORNFLAKE.V3 Backdoor via ClickFix Tactic and Fake CAPTCHA Pages

Threat actors have been observed leveraging the deceptive social engineering tactic known as ClickFix to deploy a versatile backdoor codenamed CORNFLAKE.V3. Google-owned Mandiant described the activity, which it tracks as UNC5518, as part of an access-as-a-service scheme that employs fake CAPTCHA pages as lures to trick users into providing initial access to their systems, which is then monetized by other threat groups. “The initial infection vector, dubbed ClickFix, involves luring users on compromised websites to copy a malicious PowerShell script and execute it via the Windows Run dialog box,” Google said in a report published today. The access provided by UNC5518 is assessed to be leveraged by at least two different hacking groups, UNC5774 and UNC4108, to initiate a multi-stage infection process and drop additional payloads - UNC5774, another financially motivated group that delivers CORNFLAKE as a way to deploy various subsequent payloads UNC4108, a threat actor with unknown motivation that uses PowerShell to deploy tools like VOLTMARKER and NetSupport RAT The attack chain likely begins with the victim landing a fake CAPTCHA verification page after interacting with search results that employ search engine optimization (SEO) poisoning or malicious ads.

The user is then tricked into running a malicious PowerShell command by launching the Windows Run dialog, which then executes the next-stage dropper payload from a remote server. The newly downloaded script checks if it’s running within a virtualized environment and ultimately launches CORNFLAKE.V3. Observed in both JavaScript and PHP versions, CORNFLAKE.V3 is a backdoor that supports the execution of payloads via HTTP, including executables, dynamic-link libraries (DLLs), JavaScript files, batch scripts, and PowerShell commands. It can also collect basic system information and transmit it to an external server.

The traffic is proxied through Cloudflare tunnels in an attempt to avoid detection. “CORNFLAKE.V3 is an updated version of CORNFLAKE.V2, sharing a significant portion of its codebase,” Mandiant researcher Marco Galli said. “Unlike V2, which functioned solely as a downloader, V3 features host persistence via a registry Run key, and supports additional payload types.” Both generations are markedly different from their progenitor, a C-based downloader that uses TCP sockets for command-and-control (C2) communications and only has the ability to run DLL payloads. Persistence on the host is achieved by means of Windows Registry changes.

At least three different payloads are delivered via CORNFLAKE.V3. This comprises an Active Directory reconnaissance utility, a script to harvest credentials via Kerberoasting, and another backdoor referred to as WINDYTWIST.SEA, a C version of WINDYTWIST that supports relaying TCP traffic, providing a reverse shell, executing commands, and removing itself. Select versions of WINDYTWIST.SEA have also been observed attempting to move laterally in the network of the infected machine. “To mitigate malware execution through ClickFix, organizations should disable the Windows Run dialog box where possible,” Galli said.

“Regular simulation exercises are crucial to counter this and other social engineering tactics. Furthermore, robust logging and monitoring systems are essential for detecting the execution of subsequent payloads, such as those associated with CORNFLAKE.V3.” USB Infection Drops XMRig Miner The disclosure comes as the threat intelligence firm detailed an ongoing campaign that employs USB drives to infect other hosts and deploy cryptocurrency miners since September 2024. “This demonstrates the continued effectiveness of initial access via infected USB drives,” Mandiant said . “The low cost and ability to bypass network security make this technique a compelling option for attackers.” The attack chain starts when a victim is tricked into executing a Windows shortcut (LNK) in the compromised USB drive.

The LNK file results in the execution of a Visual Basic script also located in the same folder. The script, for its part, launches a batch script to initiate the infection - DIRTYBULK , a C++ DLL launcher to initiate the execution of other malicious components, such as CUTFAIL CUTFAIL , a C++ malware dropper responsible for decrypting and installing malware onto a system, such as HIGHREPS and PUMPBENCH, as well as third-libraries like OpenSSL, libcurl, and WinPthreadGC HIGHREPS , a downloader that retrieves additional files to ensure persistence of PUMPBENCH PUMPBENCH , a C++ backdoor that facilitates reconnaissance, provides remote access by communicating with a PostgreSQL database server, and download XMRig XMRig , an an open-source software for mining cryptocurrencies such as Monero, Dero, and Ravencoin “PUMPBENCH spreads by infecting USB drives,” Mandiant said. “It scans the system for available drives and then creates a batch file, a VBScript file, a shortcut file, and a DAT file.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Weak Passwords and Compromised Accounts: Key Findings from the Blue Report 2025

As security professionals, it’s easy to get caught up in a race to counter the latest advanced adversary techniques. Yet the most impactful attacks often aren’t from cutting-edge exploits, but from cracked credentials and compromised accounts . Despite widespread awareness of this threat vector, Picus Security’s Blue Report 2025 shows that organizations continue to struggle with preventing password cracking attacks and detecting the malicious use of compromised accounts . With the first half of 2025 behind us, compromised valid accounts remain the most underprevented attack vector , highlighting the urgent need for a proactive approach focused on the threats that are evading organizations’ defenses.

A Wake-Up Call: The Alarming Rise in Password Cracking Success The Picus Blue Report is an annual research publication that analyzes how well organizations are preventing and detecting real-world cyber threats. Unlike traditional reports that focus solely on threat trends or survey data, the Blue Report is based on empirical findings from over 160 million attack simulations conducted within organizations’ networks around the world, using the Picus Security Validation Platform . In the Blue Report 2025 , Picus Labs found that password cracking attempts succeeded in 46% of tested environments , nearly doubling the success rate from last year. This sharp increase highlights a fundamental weakness in how organizations are managing – or mismanaging – their password policies.

Weak passwords and outdated hashing algorithms continue to leave critical systems vulnerable to attackers using brute-force or rainbow table attacks to crack passwords and gain unauthorized access. Given that password cracking is one of the oldest and most reliably effective attack methods , this finding points to a serious issue: in their race to combat the latest, most sophisticated new breed of threats, many organizations are failing to enforce strong basic password hygiene policies while failing to adopt and integrate modern authentication practices into their defenses . Why Organizations Are Failing to Prevent Password Cracking Attacks So, why are organizations still failing to prevent password cracking attacks? The root cause lies in the continued use of weak passwords and outdated credential storage methods .

Many organizations still rely on easily guessable passwords and weak hashing algorithms, often without using proper salting techniques or multi-factor authentication (MFA). In fact, our survey results showed that 46% of environments had at least one password hash cracked and converted to cleartext, highlighting the inadequacy of many password policies, particularly for internal accounts , where controls are often more lax than they are for their external counterparts. To combat this, organizations must enforce stronger password policies , implement multi-factor authentication (MFA) for all users , and regularly validate their credential defenses . Without these improvements, attackers will continue to compromise valid accounts, obtaining easy access to critical systems.

Credential-Based Attacks: A Silent but Devastating Threat The threat of credential abuse is both pervasive and dangerous, yet as the Blue Report 2025 highlights, organizations are still underprepared for this form of attack. And once attackers obtain valid credentials, they can easily move laterally , escalate privileges , and compromise critical systems . Infostealers and ransomware groups frequently rely on stolen credentials to spread across networks , burrowing deeper and deeper, often without triggering detection . This stealthy movement within the network allows attackers to maintain long dwell times , undetected, while they exfiltrate data at will .

Despite this ongoing and well-known issue, organizations continue to prioritize perimeter defenses, often leaving identity and credential protection overlooked and under-funded as a result. This year’s Blue Report clearly shows that valid account abuse is at the core of modern cyberattacks, reinforcing the urgent need for a stronger focus on identity security and credential validation . Valid Accounts (T1078): The Most Exploited Path to Compromise One of the key findings in the Blue Report 2025 is that Valid Accounts (MITRE ATT&CK T1078) remains the most exploited attack technique , with a truly concerning 98% success rate . This means that once attackers gain access to valid credentials, whether through password cracking or initial access brokers , they can swiftly move through an organization’s network, often bypassing traditional defenses.

The use of compromised credentials is particularly effective because it allows attackers to operate under the radar , making it harder for security teams to detect malicious activity. Once inside, they can access sensitive data , deploy malware , or create new attack paths , all while seamlessly blending in with legitimate user activity. How to Strengthen Your Defenses Against Credential Abuse and Password Cracking To protect against increasingly effective attacks, organizations should implement stronger password policies and enforce complexity requirements , while eliminating outdated hashing algorithms in favor of more secure alternatives. It is also essential to adopt multi-factor authentication (MFA) for all sensitive accounts, ensuring that even if credentials do become compromised, attackers can’t just use them to access the network without an additional verification step.

Regularly validating credential defenses through simulated attacks is crucial to identifying vulnerabilities and ensuring that your controls are performing as expected. Organizations also need to enhance their behavioral detection capabilities to catch anomalous activities tied to credential abuse and lateral movement. Additionally, monitoring and inspecting outbound traffic for signs of data exfiltration and ensuring that data loss prevention (DLP) measures are both in place and operating effectively are critical to protecting your sensitive information. Closing the Gaps in Credential and Password Management The findings in the Blue Report 2025 show that, unfortunately, many organizations are still vulnerable to the silent threat of password cracking and compromised accounts .

And while strengthening perimeter defenses continues to be a priority, it’s also clear that core weaknesses lie in credential management and internal controls . The report also highlighted the fact that infostealers and ransomware groups are leveraging these gaps effectively. If you’re ready to take proactive steps to harden your security posture , reduce your exposure , and prioritize your critical vulnerabilities , the Blue Report 2025 offers invaluable insights to show you where to focus. And at Picus Security , we’re always happy to talk about helping your organization meet its specific security needs..

Don’t forget to get your copy of The Blue Report 2025 and take proactive steps today to improve your security posture. Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Hackers Using New QuirkyLoader Malware to Spread Agent Tesla, AsyncRAT and Snake Keylogger

Cybersecurity researchers have disclosed details of a new malware loader called QuirkyLoader that’s being used to deliver via email spam campaigns an array of next-stage payloads ranging from information stealers to remote access trojans since November 2024. Some of the notable malware families distributed using QuirkyLoader include Agent Tesla , AsyncRAT , Formbook , Masslogger , Remcos RAT , Rhadamanthys Stealer , and Snake Keylogger . IBM X-Force, which detailed the malware, said the attacks involve sending spam emails from both legitimate email service providers and a self-hosted email server. These emails feature a malicious archive, which contains a DLL, an encrypted payload, and a real executable.

“The actor uses DLL side-loading, a technique where launching the legitimate executable also loads the malicious DLL,” security researcher Raymond Joseph Alfonso said . “This DLL, in turn, loads, decrypts, and injects the final payload into its target process.” This is achieved by using process hollowing to inject the malware into one of the three processes: AddInProcess32.exe, InstallUtil.exe, or aspnet_wp.exe. The DLL loader, per IBM, has been used in limited campaigns for the past few months, with two campaigns observed in July 2025 targeting Taiwan and Mexico. The campaign targeting Taiwan is said to have specifically singled out employees of Nusoft Taiwan, a network and internet security research company based in New Taipei City, with the goal of infecting them with Snake Keylogger, which is capable of stealing sensitive information from popular web browsers, keystrokes, and clipboard content.

The Mexico-related campaign, on the other hand, is assessed to be random, with the infection chains delivering Remcos RAT and AsyncRAT. “The threat actor consistently writes the DLL loader module in .NET languages and uses ahead-of-time (AOT) compilation,” Alfonso said. “This process compiles the code into native machine code before execution, making the resulting binary appear as though it were written in C or C++.” New Phishing Trends The development comes as threat actors are using new QR code phishing (aka quishing) tactics like splitting malicious QR codes into two parts or embedding them within legitimate ones in email messages propagated via phishing kits like Gabagool and Tycoon, respectively, to evade detection, demonstrating ongoing evolution. “Malicious QR codes are popular with attackers for several reasons,” Barracuda researcher Rohit Suresh Kanase said .

“They cannot be read by humans so don’t raise any red flags, and they can often bypass traditional security measures such as email filters and link scanners.” “Furthermore, since recipients often have to switch to a mobile device to scan the code, it can take users out of the company security perimeter and away from protection.” The findings also follow the emergence of a phishing kit used by the PoisonSeed threat actor to acquire credentials and two-factor authentication (2FA) codes from individuals and organizations to gain access to victims’ accounts and use them to send emails for carrying out cryptocurrency scams. “The domains hosting this phishing kit impersonate login services from prominent CRM and bulk email companies like Google, SendGrid, Mailchimp, and likely others, targeting individuals’ credentials,” NVISO Labs said . “PoisonSeed employs spear-phishing emails embedding malicious links, which redirect victims to their phishing kit.” A noteworthy aspect of the kit is the use of a technique known as precision-validated phishing in which the attacker validates an email address in real-time in the background, while a fake Cloudflare Turnstile challenge is served to the user. Once the checks are passed, a login form impersonating the legitimate online platform appears, allowing the threat actors to capture submitted credentials and then relay them to the service.

Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Scattered Spider Hacker Gets 10 Years, $13M Restitution for SIM Swapping Crypto Theft

A 20-year-old member of the notorious cybercrime gang known as Scattered Spider has been sentenced to ten years in prison in the U.S. in connection with a series of major hacks and cryptocurrency thefts. Noah Michael Urban pleaded guilty to charges related to wire fraud and aggravated identity theft back in April 2025. News of Urban’s sentencing was reported by Bloomberg and Jacksonville news outlet News4JAX .

In addition, 120 months in federal prison, Urban faces an additional three years of supervised release and has been ordered to pay $13 million in restitution to victims. In a statement shared with security journalist Brian Krebs, Urban called the sentence unjust. Urban, who also went by the aliases Sosa, Elijah, King Bob, Gustavo Fring, and Anthony Ramirez, was arrested by U.S. authorities in Florida in January 2024 for committing wire fraud and aggravated identity theft between August 2022 and March 2023.

These incidents led to the theft of at least $800,000 from at least five different victims, per the U.S. Department of Justice (DoJ). Prosecutors said Urban and his co-conspirators engaged in SIM swapping attacks to hijack victims’ cryptocurrency accounts and plunder the digital assets. Later that November, the DoJ unsealed criminal charges against Urban and four other members of Scattered Spider for using social engineering techniques to target employees of companies across the U.S.

and to break into corporate networks and steal proprietary data and to siphon millions of dollars in cryptocurrency. Tyler Robert Buchanan, who is among those indicted, was extradited from Spain to the U.S. in April following his arrest in the European nation last June. The development comes as Scattered Spider has joined forces with other threat groups ShinyHunters and LAPSUS$ to form a new cybercrime alliance.

The group, associated with a broader English-speaking cybercriminal collective called The Com, has a history of conducting social engineering, credential theft, and SIM swapping, initial access, ransomware deployment, data theft, and extortion attacks. “Scattered Spider has historically leaned on tactics that generate urgency, drive media and industry attention, create fear of exposure, and help force victims to payout quicker,” Adam Darrah, vice president of intelligence at ZeroFox, told The Hacker News in a statement. “Timed leaks, countdown threats, and taunts directed at security firms are all part of their playbook. They have ties to a wider network of like-minded actors, which has given them access to more tools, data, and infrastructure, multiplying their effectiveness.

We regularly see groups team up when there is an increase in external pressures, like law enforcement crackdowns. To survive, these groups need to consolidate. And the result is often a more versatile and potentially dangerous combined operation.” Cybersecurity firm Flashpoint, which published a profile of Scattered Spider last week, said the financially-motivated hacking group adopts a wave-like approach by choosing a specific sector and attacking as many organizations within that vertical over a short span of time. “The tactics employed by Scattered Spider demonstrate their ability to exploit weaknesses in security programs by targeting people rather than strictly systems or technical vulnerabilities,” it said .

“Their use of social engineering, via vishing, smishing, and MFA fatigue attacks, proves that even the most advanced technical defenses can be circumvented through human deception.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Apple Patches CVE-2025-43300 Zero-Day in iOS, iPadOS, and macOS Exploited in Targeted Attacks

Apple has released security updates to address a security flaw impacting iOS, iPadOS, and macOS that it said has come under active exploitation in the wild. The zero-day out-of-bounds write vulnerability, tracked as CVE-2025-43300, resides in the ImageIO framework that could result in memory corruption when processing a malicious image. “Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals,” the company said in an advisory. The iPhone maker said the bug was internally discovered and that it was addressed with improved bounds checking.

The following versions address the security defect - iOS 18.6.2 and iPadOS 18.6.2

iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later iPadOS 17.7.10
iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch, and iPad 6th generation macOS Ventura 13.7.8
Macs running macOS Ventura macOS Sonoma 14.7.8
Macs running macOS Sonoma macOS Sequoia 15.6.1
Macs running macOS Sequoia It’s currently not known who is behind the attacks and who may have been targeted, but it’s likely that the vulnerability has been weaponised as part of highly targeted attacks. With the latest update, Apple has so far fixed a total of seven zero-days that have been abused in real-world attacks since the start of the year: CVE-2025-24085 , CVE-2025-24200 , CVE-2025-24201 , CVE-2025-31200, CVE-2025-31201 , and CVE-2025-43200 . Last month, the company also issued patches for a Safari vulnerability residing in an open-source component ( CVE-2025-6558 ) that Google reported as having been exploited as a zero-day in the Chrome web browser. Found this article interesting?

DOM-Based Extension Clickjacking Exposes Popular Password Managers to Credential and Data Theft

Popular password manager plugins for web browsers have been found susceptible to clickjacking security vulnerabilities that could be exploited to steal account credentials, two-factor authentication (2FA) codes, and credit card details under certain conditions. The technique has been dubbed Document Object Model ( DOM )-based extension clickjacking by independent security researcher Marek Tóth, who presented the findings at the DEF CON 33 security conference earlier this month. “A single click anywhere on an attacker-controlled website could allow attackers to steal users’ data (credit card details, personal data, login credentials, including TOTP),” Tóth said . “The new technique is general and can be applied to other types of extensions.” Clickjacking , also called UI redressing, refers to a type of attack in which users are tricked into performing a series of actions on a website that appear ostensibly harmless, such as clicking on buttons, when, in reality, they are inadvertently carrying out the attacker’s bidding.

The new technique detailed by Tóth essentially involves using a malicious script to manipulate UI elements in a web page that browser extensions inject into the DOM – for example, auto-fill prompts, by making them invisible by setting their opacity to zero. The research specifically focused on 11 popular password manager browser add-ons, ranging from 1Password to iCloud Passwords, all of which have been found to be susceptible to DOM-based extension clickjacking. Collectively, these extensions have millions of users. To pull off the attack, all a bad actor has to do is create a fake site with an intrusive pop-up, such as a login screen or a cookie consent banner, while embedding an invisible login form such that clicking on the site to close the pop-up causes the credential information to be auto-filled by the password manager and exfiltrated to a remote server.

“All password managers filled credentials not only to the ‘main’ domain, but also to all subdomains,” Tóth explained. “An attacker could easily find XSS or other vulnerabilities and steal the user’s stored credentials with a single click (10 out of 11), including TOTP (9 out of 11). In some scenarios, passkey authentication could also be exploited (8 out of 11).” Following responsible disclosure, six of the vendors have yet to release fixes for the defect - 1Password Password Manager 8.11.4.27 Apple iCloud Passwords 3.1.25 Bitwarden Password Manager 2025.7.0 Enpass 6.11.6 LastPass 4.146.3 LogMeOnce 7.12.4 Software supply chain security firm Socket, which independently reviewed the research, said Bitwarden, Enpass, and iCloud Passwords are actively working on fixes, while 1Password and LastPass marked them as informative. It has also reached out to US-CERT to assign CVE identifiers for the identified issues.

Until fixes are available, it’s advised that users disable the auto-fill function in their password managers and only use copy/paste. “For Chromium-based browser users, it is recommended to configure site access to ‘on click’ in extension settings,” Tóth said. “This configuration allows users to manually control auto-fill functionality.” Update Bitwarden has released version 2025.8.0 of the password manager to address the clickjacking vulnerabilities. It is also advising users to pay close attention to website URLs and stay alert for phishing campaigns to avoid malicious websites.

Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

🕵️ Webinar: Discover and Control Shadow AI Agents in Your Enterprise Before Hackers Do

Do you know how many AI agents are running inside your business right now? If the answer is “not sure,” you’re not alone—and that’s exactly the concern. Across industries, AI agents are being set up every day. Sometimes by IT, but often by business units moving fast to get results.

That means agents are running quietly in the background—without proper IDs, without owners, and without logs of what they’re doing. In short: they’re invisible. 👉 Register now for Shadow Agents and Silent Threats: Securing AI’s New Identity Frontier and learn how to get ahead of this growing challenge. The Hidden Risk of Shadow AI Agents Shadow agents aren’t harmless helpers.

Once compromised, they can move through systems, grab sensitive data, or escalate privileges at machine speed. Unlike humans, they don’t pause to think—they just execute 24/7. The truth is, most security programs weren’t built for this. They manage people, not autonomous software agents.

And as adoption grows, these shadow agents multiply—scaling risk just as fast as innovation. This session isn’t theory—it’s about what’s happening now. You’ll learn: How shadow AI agents appear in real environments The kinds of attacks already being used against them Practical steps to bring them under control Our expert guest, Steve Toole, Principal Solutions Consultant at SailPoint , has seen firsthand how enterprises are grappling with AI-driven identities. Steve will share proven strategies to give AI agents proper identities, assign accountability, and enforce the right guardrails—so innovation remains safe instead of risky.

Watch this Webinar Now Act Before It’s Too Late Shadow AI agents aren’t going away. They’re already active inside organizations today. The real choice is whether they’ll become trusted assets —or dangerous liabilities . That decision depends on the steps you take right now.

Reserve your spot today for Shadow Agents and Silent Threats: Securing AI’s New Identity Frontier and learn how to take back control before attackers exploit the gap. Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

FBI Warns FSB-Linked Hackers Exploiting Unpatched Cisco Devices for Cyber Espionage

A Russian state-sponsored cyber espionage group known as Static Tundra has been observed actively exploiting a seven-year-old security flaw in Cisco IOS and Cisco IOS XE software as a means to establish persistent access to target networks. Cisco Talos, which disclosed details of the activity, said the attacks single out organizations in telecommunications, higher education and manufacturing sectors across North America, Asia, Africa and Europe. Prospective victims are chosen based on their “strategic interest” to Russia, it added, with recent efforts directed against Ukraine and its allies following the onset of the Russo-Ukrainian war in 2022. The vulnerability in question is CVE-2018-0171 (CVSS score: 9.8), a critical flaw in the Smart Install feature of Cisco IOS Software and Cisco IOS XE software that could allow an unauthenticated, remote attacker to trigger a denial-of-service (DoS) condition or execute arbitrary code.

It’s worth noting that the security defect has also been likely weaponized by the China-aligned Salt Typhoon (aka Operator Panda) actors as part of attacks targeting U.S. telecommunication providers in late 2024. Static Tundra, per Talos, is assessed to be linked to the Federal Security Service’s (FSB) Center 16 unit and operational for over a decade, with a focus on long-term intelligence gathering operations. It’s believed to be a sub-cluster of another group that’s tracked as Berserk Bear, Blue Kraken, Crouching Yeti, Dragonfly, Energetic Bear, Ghost Blizzard (formerly Bromine), and Havex.

The U.S. Federal Bureau of Investigation (FBI), in a concurrent advisory , said it has observed FSB cyber actors “exploiting Simple Network Management Protocol (SNMP) and end-of-life networking devices running an unpatched vulnerability (CVE-2018-0171) in Cisco Smart Install (SMI) to broadly target entities in the United States and globally.” In these attacks observed over the past year, the threat actors have been found collecting configuration files for thousands of networking devices associated with U.S. entities across critical infrastructure sectors. The activity is also characterized by the attackers modifying configuration files on susceptible devices to facilitate unauthorized access.

The foothold is then abused to conduct reconnaissance within the victim networks, while simultaneously deploying custom tools like SYNful Knock , a router implant first reported by Mandiant in September 2015. “SYNful Knock is a stealthy modification of the router’s firmware image that can be used to maintain persistence within a victim’s network,” the threat intelligence firm said at the time. “It is customizable and modular in nature and thus can be updated once implanted.” Another noteworthy aspect of the attacks concerns the use of SNMP to send instructions to download a text file from a remote server and append it to the current running configuration so as to allow for additional means of access to the network devices. Defense evasion is achieved by modifying TACACS+ configuration on infected appliances to interfere with remote logging functions.

“Static Tundra likely uses publicly-available scan data from services such as Shodan or Censys to identify systems of interest,” Talos researchers Sara McBroom and Brandon White said. “One of Static Tundra’s primary actions on objectives is to capture network traffic that would be of value from an intelligence perspective.” This is accomplished by setting up Generic Routing Encapsulation (GRE) tunnels that redirect traffic of interest to attacker-controlled infrastructure. The adversary has also been spotted collecting and exfiltrating NetFlow data on compromised systems. The harvested data is exfiltrated via outbound TFTP or FTP connections.

Static Tundra’s activities are primarily focused on unpatched, and often end-of-life, network devices with the goal of establishing access on primary targets and facilitating secondary operations against related targets of interest. Upon gaining initial access, the threat actors burrow deeper into the environment and hack into additional network devices for long-term access and information gathering. To mitigate the risk posed by the threat, Cisco is advising customers to apply the patch for CVE-2018-0171 or disable Smart Install if patching is not an option. “The purpose of this campaign is to compromise and extract device configuration information en masse, which can later be leveraged as needed based on then-current strategic goals and interests of the Russian government,” Talos said.

“This is demonstrated by Static Tundra’s adaptation and shifts in operational focus as Russia’s priorities have changed over time.” Update Cisco has also updated its advisory for CVE-2018-0171, warning of ongoing exploitation of the vulnerability and urging customers to apply the necessary fixes as soon as possible. “Cisco is aware of continued exploitation activity of the vulnerability that is described in this advisory and strongly recommends that customers assess their systems and upgrade to a fixed software release as soon as possible,” the company said . Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Experts Find AI Browsers Can Be Tricked by PromptFix Exploit to Run Malicious Hidden Prompts

Cybersecurity researchers have demonstrated a new prompt injection technique called PromptFix that tricks a generative artificial intelligence (GenAI) model into carrying out intended actions by embedding the malicious instruction inside a fake CAPTCHA check on a web page. Described by Guardio Labs an “AI-era take on the ClickFix scam,” the attack technique demonstrates how AI-driven browsers, such as Perplexity’s Comet , that promise to automate mundane tasks like shopping for items online or handling emails on behalf of users can be deceived into interacting with phishing landing pages or fraudulent lookalike storefronts without the human user’s knowledge or intervention. “With PromptFix, the approach is different: We don’t try to glitch the model into obedience,” Guardio researchers Nati Tal and Shaked Chen said . “Instead, we mislead it using techniques borrowed from the human social engineering playbook – appealing directly to its core design goal: to help its human quickly, completely, and without hesitation.” This leads to a new reality that the company calls Scamlexity , a portmanteau of the terms “scam” and “complexity,” where agentic AI – systems that can autonomously pursue goals, make decisions, and take actions with minimal human supervision – takes scams to a whole new level.

With AI-powered coding assistants like Lovable proven to be susceptible to techniques like VibeScamming , an attacker can effectively trick the AI model into handing over sensitive information or carrying out purchases on lookalike websites masquerading as Walmart. All of this can be accomplished by issuing an instruction as simple as “Buy me an Apple Watch” after the human lands on the bogus website in question through one of the several methods, like social media ads, spam messages, or search engine optimization (SEO) poisoning. Scamlexity is “a complex new era of scams, where AI convenience collides with a new, invisible scam surface and humans become the collateral damage,” Guardio said. The cybersecurity company said it ran the test several times on Comet, with the browser only stopping occasionally and asking the human user to complete the checkout process manually.

But in several instances, the browser went all in, adding the product to the cart and auto-filling the user’s saved address and credit card details without asking for their confirmation on a fake shopping site. In a similar vein, it has been found that asking Comet to check their email messages for any action items is enough to parse spam emails purporting to be from their bank, automatically click on an embedded link in the message, and enter the login credentials on the phony login page. “The result: a perfect trust chain gone rogue. By handling the entire interaction from email to website, Comet effectively vouched for the phishing page,” Guardio said.

“The human never saw the suspicious sender address, never hovered over the link, and never had the chance to question the domain.” That’s not all. As prompt injections continue to plague AI systems in ways direct and indirect, AI Browsers will also have to deal with hidden prompts concealed within a web page that’s invisible to the human user, but can be parsed by the AI model to trigger unintended actions. This so-called PromptFix attack is designed to convince the AI model to click on invisible buttons in a web page to bypass CAPTCHA checks and download malicious payloads without any involvement on the part of the human user, resulting in a drive-by download attack. “PromptFix works only on Comet (which truly functions as an AI Agent) and, for that matter, also on ChatGPT’s Agent Mode , where we successfully got it to click the button or carry out actions as instructed,” Guardio told The Hacker News.

“The difference is that in ChatGPT’s case, the downloaded file lands inside its virtual environment, not directly on your computer, since everything still runs in a sandboxed setup.” The findings show the need for AI systems to go beyond reactive defenses to anticipate, detect, and neutralize these attacks by building robust guardrails for phishing detection, URL reputation checks, domain spoofing, and malicious files. The development also comes as adversaries are increasingly leaning on GenAI platforms like website builders and writing assistants to craft realistic phishing content, clone trusted brands, and automate large-scale deployment using services like low-code site builders, per Palo Alto Networks Unit 42 . What’s more, AI coding assistants can inadvertently expose proprietary code or sensitive intellectual property, creating potential entry points for targeted attacks, the company added. Enterprise security firm Proofpoint said it has observed “numerous campaigns leveraging Lovable services to distribute multi-factor authentication (MFA) phishing kits like Tycoon , malware such as cryptocurrency wallet drainers or malware loaders, and phishing kits targeting credit card and personal information.” The counterfeit websites created using Lovable lead to CAPTCHA checks that, when solved, redirect to a Microsoft-branded credential phishing page.

Other websites have been found to impersonate shipping and logistics services like UPS to dupe victims into entering their personal and financial information, or lead them to pages that download remote access trojans like zgRAT . Lovable URLs have also been abused for investment scams and banking credential phishing, significantly lowering the barrier to entry for cybercrime. Lovable has since taken down the sites and implemented AI-driven security protections to prevent the creation of malicious websites. Other campaigns have capitalized on deceptive deepfaked content distributed on YouTube and social media platforms to redirect users to fraudulent investment sites.

These AI trading scams also rely on fake blogs and review sites, often hosted on platforms like Medium, Blogger, and Pinterest, to create a false sense of legitimacy. Once users land on these bogus platforms, they are asked to sign up for a trading account and instructed via email by their “account manager” to make a small initial deposit anywhere between $100 and $250 in order to supposedly activate the accounts. The trading platform also urges them to provide proof of identity for verification and enter their cryptocurrency wallet, credit card, or internet banking details as payment methods. These campaigns, per Group-IB, have targeted users in several countries, including India, the U.K., Germany, France, Spain, Belgium, Mexico, Canada, Australia, the Czech Republic, Argentina, Japan, and Turkey.

However, the fraudulent platforms are inaccessible from IP addresses originating in the U.S. and Israel. “GenAI enhances threat actors’ operations rather than replacing existing attack methodologies,” CrowdStrike said in its Threat Hunting Report for 2025. “Threat actors of all motivations and skill levels will almost certainly increase their use of GenAI tools for social engineering in the near-to mid-term, particularly as these tools become more available, user-friendly, and sophisticated.” Found this article interesting?

From Impact to Action: Turning BIA Insights Into Resilient Recovery

Modern businesses face a rapidly evolving and expanding threat landscape, but what does this mean for your business? It means a growing number of risks, along with an increase in their frequency, variety, complexity, severity, and potential business impact. The real question is, “How do you tackle these rising threats?” The answer lies in having a robust BCDR strategy. However, to build a rock-solid BCDR plan, you must first conduct a business impact analysis (BIA).

Read on to learn what BIA is and how it forms the foundation of an effective BCDR strategy. What Is a BIA? A BIA is a structured approach to identifying and evaluating the operational impact of disruptions across departments. Disruptive incidents or emergencies can occur due to several factors, such as cyberattacks, natural disasters or supply chain issues.

Conducting a BIA helps identify critical functions for a business’s operations and survival. Businesses can use insights from BIA to develop strategies to resume those functions first to maintain core services in the event of a crisis. It informs key priorities, such as RTO/RPO SLAs, and aligns technological capabilities proportionally with the level of threat and risk, which are critical for continuity and recovery planning. The IT Leader’s Role in Enabling an Effective BIA While business continuity, risk, or compliance teams often lead business impact analysis, IT leaders play a crucial role in making it work.

They bring critical visibility into system dependencies and infrastructure across the organization. They provide valuable insights into what’s technically feasible when disaster strikes. IT leaders also play a key part in validating recovery commitments, whether the set RTO and RPO goals can be achieved within the current infrastructure, or if upgrades are needed. IT leaders operationalize the recovery strategy with appropriate tooling, from selecting and configuring DR tools to automating failover processes.

This helps ensure the recovery plan is executable, integrated into everyday operations, tested and ready to scale with the business. In SMBs or IT-led orgs, IT often leads the BIA by necessity. Because of their cross-functional view of operations, infrastructure and business continuity, IT leaders are uniquely positioned to drive the BIA. Pro Tip: IT’s involvement ensures the BIA isn’t just a business document; it becomes an actionable recovery plan.

Identifying Threat Vectors Before you can protect what matters, you must understand what threatens it. Assess the threat landscape facing your organization and tailor your response plan based on industry, geographic risk and operational profile. Here are the key threat vectors to consider: Cyberthreats: From ransomware to insider threats and credential compromise, cyberattacks are growing in complexity, frequency and severity. One weak point in your defense systems can lead to massive data loss and operational downtime.

Natural Disasters: Events like hurricanes, wildfires, floods and earthquakes strike fast and hard. The effects of these events can ripple across regions, disrupting supply chains, data centers and physical offices. Operational Disruptions: Unexpected outages due to power failure, software bugs or network downtime can bring daily operations to a grinding halt if you aren’t prepared. Human Error: Anyone, including your best employees, can make mistakes.

Accidental deletions or misconfigurations can lead to costly downtime. Regulatory and Compliance Risks: Data breaches and data loss can not only hurt your business financially but also lead to legal issues and compliance violations. Fig 1: Impact analysis of different threats Industry-specific risks Every sector operates in its own unique way and relies on different systems to stay up and running. Certain threats can hinder those systems and core functions more than others.

Here are a few examples to guide you in identifying and prioritizing threats based on industry. Healthcare If you operate in the healthcare sector, ransomware and system availability must be your top priorities since any disruption or downtime can directly impact patient care and safety. As regulations like HIPAA get more stringent, data protection and privacy become critical to meet compliance requirements. Education Phishing and account compromise attacks targeting staff and students are common in the education sector.

Additionally, the rise of hybrid learning environments has expanded the threat surface, stretching across student endpoints, SaaS platforms and on-premises servers. To make matters more challenging, many institutions operate with limited IT staff and resources, making them more vulnerable to human error, slower threat detection and delayed response times. Manufacturing and Logistics In manufacturing and logistics, operational technology (OT) uptime is mission-critical as downtime caused by power failures, network outages or system disruptions can halt production lines and delay deliveries. Unlike traditional IT environments, many OT systems aren’t easily backed up or virtualized, requiring specific DR considerations.

Moreover, any disruption to just-in-time (JIT) supply chains can delay inventory, increase costs and jeopardize vendor relationships. As you build your BIA threat matrix, score each threat by likelihood and impact: What’s the chance this will occur in the next one to three years? If it happens, what systems, people and business functions will it affect? Can this threat create a cascading failure?

Prioritization helps you focus recovery resources where the risk is highest and the cost of downtime is greatest. Running the BIA Follow these steps to conduct a BIA to strengthen your recovery strategy:

Identify and List Critical Business Functions Knowing what matters most for your business’s survival is critical for designing effective BCDR plans that align with your business requirements. Work with department heads to identify critical business functions and associate them with the IT assets, apps and services that support them.
Assess the Impact of Downtime Downtime, depending on the duration, can severely or mildly impact business operations. It’s important to evaluate the consequences across revenue, compliance, productivity and reputation. Categorize business functions by impact severity (e.g., high, medium, low).
Define RTOs and RPOs RTOs and RPOs are critical benchmarks that define how quickly your systems must be restored and how much data loss your organization can endure. Work with business and technical teams to establish: RTO: Maximum acceptable downtime. RPO: Maximum acceptable data loss.
Prioritize Systems and Data When the unexpected occurs, being able to recover quickly can help maintain business continuity and minimize downtime risks. Create a backup and recovery plan by linking impact tiers with IT assets and applications they rely on. 5.

Document Dependencies Documenting dependencies between business functions and IT systems is important to understand the critical links between them, ensure accurate impact assessments and drive effective recovery planning. Include infrastructure, SaaS tools, third-party integrations and interdependent apps. Turn Insights Into Action With Datto BCDR A well-executed BIA lays the foundation for a resilient, recovery-ready organization. It provides the essential data to make risk-based, cost-effective decisions.

While BIA offers valuable insights into recovery objectives, dependencies and risks, Datto turns those insights into automated, repeatable recovery actions. Datto provides a unified platform for backup, disaster recovery, ransomware detection, business continuity and disaster recovery orchestration. It offers policy-based backups, allowing you to use RTO and RPO findings to assign backup frequency and retention. You can create tiered backup schedules based on criticality to strengthen data protection, optimize resources and costs, and ensure fast, targeted recovery.

Datto’s Inverse Chain Technology and image-based backups reduce storage footprint while maximizing recovery performance by storing every previous recovery point in an independent, fully constructed state on the Datto device or the Datto cloud. They simplify backup chain management and speed up recovery. Datto 1-Click Disaster Recovery lets you test and define DR runbooks in the Datto Cloud that are executable with just a single click. Whether you are protecting data stored on endpoints, SaaS platforms or on-premises servers, Datto has you covered.

It regularly validates recovery configurations with screenshots and test results, and uses test automation to verify that you meet RTOs under real conditions. Datto detects abnormal file change behavior to protect your backups and prevent them from being corrupted by ransomware. It seamlessly integrates with BCDR workflows to support rapid recovery to the pre-attack state. In a fast-changing business environment where threats loom large and operational downtime isn’t an option, resilience is your competitive advantage.

The BIA is your map, and Datto is your vehicle. Get customized Datto BCDR pricing today . Discover how our solutions help you stay operational and secure, regardless of the circumstances. Found this article interesting?

North Korea Uses GitHub in Diplomat Cyber Attacks as IT Worker Scheme Hits 320+ Firms

North Korean threat actors have been attributed to a coordinated cyber espionage campaign targeting diplomatic missions in their southern counterpart between March and July 2025. The activity manifested in the form of at least 19 spear-phishing emails that impersonated trusted diplomatic contacts with the goal of luring embassy staff and foreign ministry personnel with convincing meeting invites, official letters, and event invitations. “The attackers leveraged GitHub, typically known as a legitimate developer platform, as a covert command-and-control channel,” Trellix researchers Pham Duy Phuc and Alex Lanstein said . The infection chains have been observed to rely on trusted cloud storage solutions like Dropbox and Daum Cloud, an online service from South Korean internet conglomerate Kakao Corporation, in order to deliver a variant of an open-source remote access trojan called Xeno RAT that grants the threat actors to take control of compromised systems.

The campaign is assessed to be the work of a North Korean hacking group called Kimsuky, which was recently linked to phishing attacks that employ GitHub as a stager for an Xeno RAT known as MoonPeak. Despite the infrastructure and tactical overlaps, there are indications that the phishing attacks match China-based operatives. The email messages, per Trellix, are carefully crafted to appear legitimate, often spoofing real diplomats or officials so as to entice recipients into opening password-protected malicious ZIP files hosted on Dropbox, Google Drive, or Daum. The messages are written in Korean, English, Persian, Arabic, French, and Russian.

“The spear-phishing content was carefully crafted to mimic legitimate diplomatic correspondence,” Trellix said. “Many emails included official signature, diplomatic terminology, and references to real events (e.g., summits, forums, or meetings).” “The attackers impersonated trusted entities (embassies, ministries, international organizations), a long-running Kimsuky tactic. By strategically timing lures alongside real diplomatic happenings, they enhanced the credibility.” Present within the ZIP archive is a Windows shortcut (LNK) masquerading as a PDF document, launching which results in the execution of PowerShell code that, in turn, runs an embedded payload, which reaches out to GitHub for fetching next-stage malware and establishes persistence through scheduled tasks. In parallel, a decoy document is displayed to the victims.

The script is also designed to harvest system information and exfiltrate the details to an attacker-controlled private GitHub repository, while simultaneously retrieving additional payloads by parsing the contents of a text file (“onf.txt”) in the repository to extract the Dropbox URL hosting the MoonPeak trojan. “By simply updating onf.txt in the repository (pointing to a new Dropbox file), the operators could rotate payloads to infected machines,” Trellix explained. “They also practiced ‘rapid’ infrastructure rotation: log data suggests that the ofx.txt payload was updated multiple times in an hour to deploy malware and to remove traces after use. This rapid update cycle, combined with the use of cloud infrastructure, helped the malicious activities fly under the radar.” Interestingly, the cybersecurity company’s time-based analysis of the attackers’ activity has found it to be largely originating from a timezone that’s consistent with China, with a smaller proportion aligning with that of the Koreas.

To add to the intrigue, a “perfect 3-day pause” was observed coinciding with Chinese national holidays in early April 2025, but not during North or South Korean holidays. This has raised the possibility that the campaign, mirroring Chinese operational cadence while operating with motives that align with North Korea, is likely the result of - North Korean operatives working from Chinese territory A Chinese APT operation mimicking Kimsuky techniques, or A collaborative effort leveraging Chinese resources for North Korean intelligence gathering efforts With North Korean cyber actors frequently stationed in China and Russia , as observed in the case of the remote information technology (IT) worker fraud scheme , Trellix said with medium-confidence that the operators are operating from China or are culturally Chinese. “The use of Korean services and infrastructure was likely intentional to blend into the South Korean network,” Trellix said. “It’s a known Kimsuky trait to operate out of Chinese and Russian IP space while targeting South Korea, often using Korean services to mask their traffic as legitimate.” N.

Korea IT Worker Scheme Infiltrates 100s of Companies The disclosure comes as CrowdStrike revealed that it has identified more than 320 incidents over the past 12 months where North Koreans posing as remote IT workers have infiltrated companies to generate illicit revenue for the regime, a 220% jump from last year. The IT worker scheme , tracked as Famous Chollima and Jasper Sleet , is believed to use generative artificial intelligence (GenAI) coding assistants like Microsoft Copilot or VSCodium and translation tools to help assist with their daily tasks and respond to instant messages and emails. They are also likely to work three or four jobs simultaneously. A crucial component of these operations encompasses recruiting people to run laptop farms, which include racks of corporate laptops used by the North Koreans to remotely do their work using tools like AnyDesk as if they were physically located in the country where the companies are based.

“Famous Chollima IT workers use GenAI to create attractive résumés for companies, reportedly use real-time deepfake technology to mask their true identities in video interviews, and leverage AI code tools to assist in their job duties, all of which pose a substantial challenge to traditional security defenses,” the company said . Famous Chollima’s use of GenAI in insider threat operations | Image Source: CrowdStrike What’s more, a leak of 1,389 email addresses linked to the IT workers has uncovered that 29 of the 63 unique email service providers are online tools that allow users to create temporary or disposable email addresses, while another six are related to privacy-focused services like Skiff, Proton Mail, and SimpleLogin. Nearly 89% of the email addresses are Gmail accounts. “All the Gmail accounts are guarded using Google Authenticator, 2FA, and Recovery BackUp Email,” security researcher Rakesh Krishnan said .

“Many usernames include terms like developer, code, coder, tech, software, indicating a tech or programming focus.” Some of these email addresses are present in a user database leak of the AI photo editing tool Cutout.Pro, suggesting potential use of the software to alter images for social media profiles or identification documents. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.