2025-10-02 AI创业新闻
New WireTap Attack Extracts Intel SGX ECDSA Key via DDR4 Memory-Bus Interposer
In yet another piece of research, academics from Georgia Institute of Technology and Purdue University have demonstrated that the security guarantees offered by Intel’s Software Guard eXtensions (SGX) can be bypassed on DDR4 systems to passively decrypt sensitive data. SGX is designed as a hardware feature in Intel server processors that allows applications to be run in a Trusted Execution Environment (TEE). It essentially isolates trusted code and resources within what’s called enclaves, preventing attackers from viewing their memory or CPU state. In doing so, the mechanism ensures that the data stays confidential even when the underlying operating system has been tampered with or compromised by other means.
However, the latest findings show the limitations of SGX. “We show how one can build a device to physically inspect all memory traffic inside a computer cheaply and easily, in environments with only basic electrical tools, and using equipment easily purchased on the internet,” the researchers said . “Using our interposer device against SGX’s attestation mechanism, we are able to extract an SGX secret attestation key from a machine in fully trusted status, thereby breaching SGX’s security.” Like the Battering RAM attack recently disclosed by KU Leuven and the University of Birmingham researchers, the newly devised method – codenamed WireTap – relies on an interposer that sits between the CPU and the memory module to observe the data that flows between them. The interposer can be installed by a threat actor either through a supply chain attack or physical compromise.
At its core, the physical attack exploits Intel’s use of deterministic encryption to stage a full key recovery against Intel SGX’s Quoting Enclave (QE), effectively making it possible to extract an ECDSA signing key that can be used to sign arbitrary SGX enclave reports. Put differently, an attacker can weaponize the deterministic nature of memory encryption to build an oracle of sorts to break the security of constant-time cryptographic code. “We have successfully extracted attestation keys, which are the primary mechanism used to determine whether code is running under SGX,” the researchers said. “This allows any hacker to masquerade as genuine SGX hardware, while in fact running code in an exposed manner and peeking into your data.” “Like two sides of the same coin, WireTap and Battering RAM look at complementary properties of deterministic encryption.
While WireTap focuses mainly on breaching confidentiality, BatteringRAM focuses mostly on integrity. The bottom line is the same; however, both SGX and SEV are easy to break using memory interposition.” However, while Battering RAM is a low-cost attack that can be pulled off using equipment costing less than $50, the WireTap setup costs about $1,000, including the logic analyzer. In a hypothetical attack scenario targeting SGX-backed blockchain deployments such as Phala Network, Secret Network, Crust Network, and IntegriTEE, the study found that WireTap can be leveraged to undermine confidentiality and integrity guarantees and allow attackers to disclose confidential transactions or illegitimately obtain transaction rewards. In response to the findings, Intel said the exploit is outside the scope of its threat model since it assumes a physical adversary that has direct access to the hardware with a memory bus interposer.
In the absence of a “patch,” it’s recommended that the servers be run in secure physical environments and use cloud providers that provide independent physical security. “Such attacks are outside the scope of the boundary of protection offered by Advanced Encryption Standard-XEX-based Tweaked Codebook Mode with Ciphertext Stealing (AES-XTS) based memory encryption,” the chipmaker said . “As it provides limited confidentiality protection, and no integrity or anti-replay protection against attackers with physical capabilities, Intel does not plan to issue a CVE.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
OneLogin Bug Let Attackers Use API Keys to Steal OIDC Secrets and Impersonate Apps
A high-severity security flaw has been disclosed in the One Identity OneLogin Identity and Access Management (IAM) solution that, if successfully exploited, could expose sensitive OpenID Connect ( OIDC ) application client secrets under certain circumstances. The vulnerability, tracked as CVE-2025-59363 , has been assigned a CVSS score of 7.7 out of 10.0. It has been described as a case of incorrect resource transfer between spheres ( CWE-669 ), which causes a program to cross security boundaries and obtain unauthorized access to confidential data or functions. CVE-2025-59363 “allowed attackers with valid API credentials to enumerate and retrieve client secrets for all OIDC applications within an organization’s OneLogin tenant,” Clutch Security said in a report shared with The Hacker News.
The identity security said the problem stems from the fact that the application listing endpoint – /api/2/apps – was configured to return more data than expected, including the client_secret values in the API response alongside metadata related to the apps in a OneLogin account. The steps to pull off the attack are listed below - Attacker uses valid OneLogin API credentials (client ID and secret) to authenticate Request access token Call the /api/2/apps endpoint to list all applications Parse the response to retrieve client secrets for all OIDC applications Use extracted client secrets to impersonate applications and access integrated services Successful exploitation of the flaw could allow an attacker with valid OneLogin API credentials to retrieve client secrets for all OIDC applications configured within a OneLogin tenant. Armed with this access, the threat actor could leverage the exposed secret to impersonate users and gain access to other applications, offering opportunities for lateral movement. OneLogin’s role-based access control (RBAC) grants API keys broad endpoint access, meaning the compromised credentials could be used to access sensitive endpoints across the entire platform.
Compounding matters further is the lack of IP address allowlisting, as a result of which it’s possible for attackers to exploit the flaw from anywhere in the world, Clutch noted. Following responsible disclosure on July 18, 2025, the vulnerability was addressed in OneLogin 2025.3.0 , which was released last month by making OIDC client_secret values no longer visible. There is no evidence that the issue was ever exploited in the wild. “Protecting our customers is our top priority, and we appreciate the responsible disclosure by Clutch Security,” Stuart Sharp, VP of Product at One Identity for OneLogin, told The Hacker News.
“The reported vulnerability was resolved within a reasonable timeframe with the OneLogin 2025.3.0 release. To our knowledge, no customers were impacted by this vulnerability.” “Identity providers serve as the backbone of enterprise security architecture,” Clutch Security said. “Vulnerabilities in these systems can have cascading effects across entire technology stacks, making rigorous API security essential.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Learn How Leading Security Teams Blend AI + Human Workflows (Free Webinar)
AI is changing automation—but not always for the better. That’s why we’re hosting a new webinar, “ Workflow Clarity: Where AI Fits in Modern Automation ,” with Thomas Kinsella, Co-founder & Chief Customer Officer at Tines, to explore how leading teams are cutting through the hype and building workflows that actually deliver. The rise of AI has changed how organizations think about automation. But here’s the reality many teams are quietly wrestling with: AI isn’t a silver bullet.
Purely human-led workflows buckle under pressure, rigid rules-based automations break the moment reality shifts, and fully autonomous AI agents risk introducing black-box decision-making that’s impossible to audit. For cybersecurity and operations leaders, the stakes are even higher. You need workflows that are fast but reliable, powerful but secure, and—above all—explainable. So where does AI really fit in?
The Hidden Problem with “All-In” Automation The push to automate everything has left many teams with fragile systems: Too much human intervention: slows down response time and eats up valuable analyst hours. Too many rigid rules: can’t adapt to new threats or business realities, leading to constant rework. Too much AI: risks shadow processes that no one fully understands, undermining trust and compliance. The truth?
The strongest workflows aren’t found at the extremes—they emerge when human judgment, traditional automation, and AI are blended intentionally. A Webinar for Teams Who Want More Than AI Hype Join Thomas Kinsella for a candid look at how top security and operations teams are blending people, rules, and AI agents to build workflows that deliver real outcomes—without over-engineering or sacrificing control. In this session, you’ll learn: Where AI belongs (and where it doesn’t): practical guidance on mapping human, rules-based, and AI-driven tasks. How to avoid AI overreach: spotting when automation is adding complexity instead of clarity.
Building for security and auditability: ensuring workflows stand up to compliance and scrutiny. Proven patterns from the field: real-world examples of how top security teams are scaling AI automation thoughtfully. This session is designed for security leaders who are tired of the AI hype and want to cut through the noise. If you’re looking for practical strategies to deploy automation that strengthens defenses—without creating new risks—this is for you.
Watch this Webinar Now It’s equally valuable for Ops and IT teams working to free up their human talent while avoiding brittle, opaque systems that collapse under real-world pressure. And if you’re an innovation-minded professional exploring how to balance people, rules, and AI agents in the workplace, you’ll walk away with a clear framework for making those choices. AI is already transforming workflows, but the winners won’t be those who chase complexity—they’ll be the teams who embrace clarity, security, and control. This webinar will give you the tools to identify the right mix of human, rules-based, and AI automation for your environment, and show you how to implement it in ways that are secure, auditable, and built to scale with confidence.
Don’t just “add AI.” Learn how to make it work for you—at scale, with control. Register now to save your spot . Found this article interesting? This article is a contributed piece from one of our valued partners.
Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
How to Discover Shadow AI [Free Guide]
Red Hat OpenShift AI Flaw Exposes Hybrid Cloud Infrastructure to Full Takeover
A severe security flaw has been disclosed in the Red Hat OpenShift AI service that could allow attackers to escalate privileges and take control of the complete infrastructure under certain conditions. OpenShift AI is a platform for managing the lifecycle of predictive and generative artificial intelligence (GenAI) models at scale and across hybrid cloud environments. It also facilitates data acquisition and preparation, model training and fine-tuning, model serving and model monitoring, and hardware acceleration. The vulnerability, tracked as CVE-2025-10725 , carries a CVSS score of 9.9 out of a maximum of 10.0.
It has been classified by Red Hat as “Important” and not “Critical” in severity owing to the need for a remote attacker to be authenticated in order to compromise the environment. “A low-privileged attacker with access to an authenticated account, for example, as a data scientist using a standard Jupyter notebook, can escalate their privileges to a full cluster administrator,” Red Hat said in an advisory earlier this week. “This allows for the complete compromise of the cluster’s confidentiality, integrity, and availability. The attacker can steal sensitive data, disrupt all services, and take control of the underlying infrastructure, leading to a total breach of the platform and all applications hosted on it.” The following versions are affected by the flaw - Red Hat OpenShift AI 2.19 Red Hat OpenShift AI 2.21 Red Hat OpenShift AI (RHOAI) As mitigations, Red Hat is recommending that users avoid granting broad permissions to system-level groups, and “the ClusterRoleBinding that associates the kueue-batch-user-role with the system:authenticated group.” “The permission to create jobs should be granted on a more granular, as-needed basis to specific users or groups, adhering to the principle of least privilege,” it added.
Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
2025 Cybersecurity Reality Check: Breaches Hidden, Attack Surfaces Growing, and AI Misperceptions Rising
Bitdefender’s 2025 Cybersecurity Assessment Report paints a sobering picture of today’s cyber defense landscape: mounting pressure to remain silent after breaches, a gap between leadership and frontline teams, and a growing urgency to shrink the enterprise attack surface. The annual research combines insights from over 1,200 IT and security professionals across six countries, along with an analysis of 700,000 cyber incidents by Bitdefender Labs. The results reveal hard truths about how organizations are grappling with threats in an increasingly complex environment. Breaches Swept Under the Rug This year’s findings spotlight a disturbing trend: 58% of security professionals were told to keep a breach confidential , even when they believed disclosure was necessary.
That’s a 38% jump since 2023 , suggesting more organizations may be prioritizing optics over transparency. The pressure is especially acute for CISOs and CIOs , who report higher levels of expectation to remain quiet compared to frontline staff. Such secrecy risks undermining stakeholder trust, compliance obligations, and long-term resilience . Living-Off-the-Land Attacks Drive Attack Surface Focus Bitdefender analyzed 700,000 high-severity attacks and found that 84% of high-severity attacks now now leverage legitimate tools already present inside environments — so-called Living Off the Land (LOTL) techniques .
These tactics bypass traditional defenses, operate invisibly, and are increasingly used in targeted intrusions. In response, 68% of surveyed organizations list attack surface reduction as a top priority , with the U.S. (75%) and Singapore (71%) leading adoption. Proactive hardening steps — disabling unnecessary services, eliminating unused applications, and reducing lateral movement paths — are quickly shifting from best practices to business imperatives.
AI: Perception vs. Reality AI looms large in the minds of defenders, but perceptions don’t always align with on-the-ground reality. 67% believe AI-driven attacks are increasing 58% cite AI-powered malware as their top concern Yet, the report shows that while AI-enhanced attacks are growing, fears may be outpacing actual prevalence. This gap underscores the need for a balanced approach: prepare for AI threats without losing sight of today’s highlights the need for a balanced approach: prepare for AI threats without losing sight of prevalent adversary tactics.
Leadership Disconnect Risks Slowdowns Perhaps most concerning is the misalignment between executives and operational teams : 45% of C-level executives report being “very confident” in managing cyber risk Only 19% of mid-level managers agree Strategic focus areas also diverge: executives prioritize AI adoption, while frontline managers place more urgency on cloud security and identity management . These disconnects can slow progress, dilute resources, and create blind spots that attackers exploit. The Road Ahead The findings converge on one message: cyber resilience demands preemptive strategies . That means: Actively reducing attack surfaces Streamlining security tools and complexity Addressing team burnout and the skills gap Closing the perception differences between leadership and the front-line To explore additional findings, read the Bitdefender 2025 Cybersecurity Assessment report.
Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
The ROI of AI in the SOC: What Security Teams Are Seeing
Hackers Exploit Milesight Routers to Send Phishing SMS to European Users
Unknown threat actors are abusing Milesight industrial cellular routers to send SMS messages as part of a smishing campaign targeting users in European countries since at least February 2022. French cybersecurity company SEKOIA said the attackers are exploiting the cellular router’s API to send malicious SMS messages containing phishing URLs, with the campaigns primarily targeting Sweden, Italy, and Belgium using typosquatted URLs that impersonate government platforms like CSAM and eBox, as well as banking, postal, and telecom providers. Of the 18,000 routers of this type accessible on the public internet, no less than 572 are assessed to be potentially vulnerable due to their exposing the inbox/outbox APIs. About half of the identified vulnerable routers are located in Europe.
“Moreover, the API enables retrieval of both incoming and outgoing SMS messages, which indicates that the vulnerability has been actively exploited to disseminate malicious SMS campaigns since at least February 2022,” the company said . “There is no evidence of any attempt to install backdoors or exploit other vulnerabilities on the device. This suggests a targeted approach, aligned specifically with the attacker’s smishing operations.” It’s believed the attackers are exploiting a now-patched information disclosure flaw impacting Milesight routers (CVE-2023-43261, CVSS score: 7.5), which was disclosed by security researcher Bipin Jitiya exactly two years ago. Weeks later, VulnCheck revealed that the vulnerability may have been weaponized in the wild shortly following public disclosure.
Further investigation has revealed that some of the industrial routers expose SMS-related features, including sending messages or viewing SMS history, without requiring any form of authentication. The attacks likely involve an initial validation phase where the threat actors attempt to verify whether a given router can send SMS messages by targeting a phone number under their control. SEKOIA further noted that the API could also be publicly accessible due to misconfigurations, given that a couple of routers have been found running more recent firmware versions that are not susceptible to CVE-2023-43261. The phishing URLs distributed using this method include JavaScript that checks whether the page is being accessed from a mobile device before serving the malicious content, which, in turn, urges users to update their banking information for purported reimbursement.
What’s more, one of the domains used in the campaigns between January and April 2025 – jnsi[.]xyz – feature JavaScript code to disable right-click actions and browser debugging tools in an attempt to hinder analysis efforts. Some of the pages have also been found to log visitor connections to a Telegram bot named GroozaBot, which is operated by an actor named “Gro_oza,” who appears to speak both Arabic and French. “The smishing campaigns appear to have been conducted through the exploitation of vulnerable cellular routers – a relatively unsophisticated, yet effective, delivery vector,” SEKOIA said. “These devices are particularly appealing to threat actors as they enable decentralised SMS distribution across multiple countries, complicating both detection and takedown efforts.” Found this article interesting?
Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
New Android Banking Trojan “Klopatra” Uses Hidden VNC to Control Infected Smartphones
A previously undocumented Android banking trojan called Klopatra has compromised over 3,000 devices, with a majority of the infections reported in Spain and Italy. Italian fraud prevention firm Cleafy, which discovered the sophisticated malware and remote access trojan (RAT) in late August 2025, said it leverages Hidden Virtual Network Computing (VNC) for remote control of infected devices and dynamic overlays for facilitating credential theft, ultimately enabling fraudulent transactions. “Klopatra represents a significant evolution in mobile malware sophistication,” security researchers Federico Valentini, Alessandro Strino, Simone Mattia, and Michele Roviello said . “It combines extensive use of native libraries with the integration of Virbox, a commercial-grade code protection suite, making it exceptionally difficult to detect and analyze.” Evidence gathered from the malware’s command-and-control (C2) infrastructure and linguistic clues in the associated artifacts suggests that it is being operated by a Turkish-speaking criminal group as a private botnet, given the absence of a public malware-as-a-service (MaaS) offering.
As many as 40 distinct builds have been discovered since March 2025. Attack chains distributing Klopatra employ social engineering lures to trick victims into downloading dropper apps that masquerade as seemingly harmless tools, such as IPTV applications, allowing the threat actors to bypass security defences and completely take control of their mobile devices. Offering the ability to access high-quality TV channels as a lure is a deliberate choice, as pirated streaming applications are popular among users, who are often willing to install such apps from untrusted sources, thus unwittingly infecting their phones in the process. The dropper app, once installed, requests the user to grant it permissions to install packages from unknown sources.
Upon obtaining this permission, the dropper extracts and installs the main Klopatra payload from a JSON Packer embedded within it. The banking trojan is no different from other malware of its kind, seeking permission to Android’s accessibility services to realize its goals. While accessibility services is a legitimate framework designed to assist users with disabilities to interact with the Android device, it can be a potent weapon in the hands of bad actors, who can abuse it to read contents of the screen, record keystrokes, and perform actions on behalf of the user to conduct fraudulent transactions in an autonomous manner. “What elevates Klopatra above the typical mobile threat is its advanced architecture, built for stealth and resilience,” Cleafy said.
“The malware authors have integrated Virbox, a commercial-grade code protection tool rarely seen in the Android threat landscape. This, combined with a strategic shift of core functionalities from Java to native libraries, creates a formidable defensive layer.” “This design choice drastically reduces its visibility to traditional analysis frameworks and security solutions, applying extensive code obfuscation, anti-debugging mechanisms, and runtime integrity checks to hinder analysis.” Besides incorporating features to maximize evasion, resilience, and operational effectiveness, the malware provides operators with granular, real-time control over the infected device using VNC features that are capable of serving a black screen to conceal the malicious activity, such as executing banking transactions without their knowledge. Klopatra also uses the accessibility services to grant itself additional permissions as required to prevent the malware from being terminated, and attempts to uninstall any hard-coded antivirus apps already installed on the device. Furthermore, it can launch fake overlay login screens atop financial and cryptocurrency apps to siphon credentials.
These overlays are delivered dynamically from the C2 server when the victim opens one of the targeted apps. It’s said the human operator actively engages in fraud attempts over what’s described as a “carefully orchestrated sequence” that involves first checking if the device is charging, the screen is off, and is currently not being actively used. If these conditions are met, a command is issued to reduce the screen brightness to zero and display a black overlay, giving the impression to the victim that the device is inactive and off. In the background, however, the threat actors use the device PIN or pattern previously stolen to gain unauthorized access, launch the targeted banking app, and drain the funds through multiple instant bank transfers.
The findings show that although Klopatra doesn’t try to reinvent the wheel, it poses a serious threat to the financial sector owing to a technically advanced assemblage of features to obfuscate its true nature. “Klopatra marks a significant step in the professionalization of mobile malware, demonstrating a clear trend of threat actors adopting commercial-grade protections to maximize the lifespan and profitability of their operations,” the company said. “The operators show a clear preference for conducting their attacks during the night. This timing is strategic: the victim is likely asleep, and their device is often left charging, ensuring it remains powered on and connected.
This provides the perfect window for the attacker to operate undetected.” The development comes a day after ThreatFabric flagged a previously undocumented Android banking trojan called Datzbro that can conduct device takeover (DTO) attacks and perform fraudulent transactions by preying on the elderly. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Ukraine Warns of CABINETRAT Backdoor + XLL Add-ins Spread via Signal ZIPs
The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of new targeted cyber attacks in the country using a backdoor called CABINETRAT. The activity, observed in September 2025, has been attributed to a threat cluster it tracks as UAC-0245 . The agency said it spotted the attack following the discovery of software tools taking the form of XLL files , which refer to Microsoft Excel add-ins that are typically used to extend the functionality of Excel with custom functions. Further investigation has uncovered that the XLL files are distributed within ZIP archives shared on the Signal messaging app, disguised as a document concerning the detention of individuals who had attempted to cross the Ukrainian border.
The XLL, once launched, is designed to create a number of executables on the compromised host, namely an EXE file in the Startup folder, an XLL file named “BasicExcelMath.xll” in the “%APPDATA%\Microsoft\Excel\XLSTART" directory, and a PNG image named “Office.png.” Windows Registry modifications are done to ensure persistence of the executable, after which it launches the Excel application (“excel.exe”) with the “/e” (“/embed”) parameter in hidden mode in order to ultimately run the XLL add-in. The main purpose of the XLL is to parse and extract from the PNG file shellcode that’s classified as CABINETRAT. Both the XLL payload and the shellcode come with a number of anti-VM and anti-analysis procedures to evade detection, including checking for at least two processor cores and at least 3GB of RAM, and the presence of tools like VMware, VirtualBox, Xen, QEMU, Parallels, and Hyper-V. A full-fledged backdoor written in the C programming language, CABINETRAT is mainly designed to gather system information, a list of installed programs, screenshots, as well as enumerate directory contents, deleting specific files or directories, running commands, and carrying out file uploads/downloads.
It communicates with a remote server over a TCP connection. The disclosure comes days after Fortinet FortiGuard Labs warned of attacks targeting Ukraine by impersonating the National Police of Ukraine in a fileless phishing campaign that delivers Amatera Stealer and PureMiner for harvesting sensitive data and mining cryptocurrency from targeted systems. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
New $50 Battering RAM Attack Breaks Intel and AMD Cloud Security Protections
A group of academics from KU Leuven and the University of Birmingham has demonstrated a new vulnerability called Battering RAM to bypass the latest defenses on Intel and AMD cloud processors. “We built a simple, $50 interposer that sits quietly in the memory path, behaving transparently during startup and passing all trust checks,” researchers Jesse De Meulemeester, David Oswald, Ingrid Verbauwhede, and Jo Van Bulck said on a website publicizing the findings. “Later, with just a flip of a switch, our interposer turns malicious and silently redirects protected addresses to attacker-controlled locations, allowing corruption or replay of encrypted memory.” Battering RAM compromises Intel’s Software Guard Extensions ( SGX ) and AMD’s Secure Encrypted Virtualization with Secure Nested Paging ( SEV-SNP ) hardware security features, which ensure that customer data remains encrypted in memory and protected during use. It affects all systems using DDR4 memory, specifically those relying on confidential computing workloads running in public cloud environments to secure data from the cloud service provider using hardware-level access control and memory encryption.
The attack, in a nutshell, involves leveraging a custom-built, low-cost DDR4 interposer hardware hack to stealthily redirect physical addresses and gain unauthorized access to protected memory regions. The interposer makes use of simple analog switches to actively manipulate signals between the processor and memory, and can be built for less than $50. On Intel platforms, Battering RAM achieves arbitrary read access to victim plaintext or write plaintext into victim enclaves, whereas on AMD systems, the attack can be used to sidestep recent firmware mitigations against BadRAM , which was documented by the researchers back in December 2024, and introduce arbitrary backdoors into the virtual machine without raising any suspicion. Successful exploitation of the vulnerability can allow a rogue cloud infrastructure provider or insider with limited physical access to compromise remote attestation and enable the insertion of arbitrary backdoors into protected workloads.
Battering RAM was reported to the vendors earlier this year, following which Intel , AMD , and Arm have responded that physical attacks are currently considered out of scope of their product’s threat model. However, defending against Battering RAM would require a fundamental redesign of memory encryption itself, the researchers noted. “Battering RAM exposes the fundamental limits of the scalable memory encryption designs currently used by Intel and AMD, which omit cryptographic freshness checks in favor of larger protected memory sizes,” they added. “Battering RAM […] is capable of introducing memory aliases dynamically at runtime.
As a result, Battering RAM can circumvent Intel’s and AMD’s boot-time alias checks.” The disclosure comes as AMD released mitigations for attacks dubbed Heracles and Relocate-Vote disclosed by the University of Toronto and ETH Zürich, respectively, that can leak sensitive data from cloud environments and confidential virtual machines that rely on AMD’s SEV-SNP technology by means of a malicious hypervisor. “The system lets the hypervisor move data around to manage memory efficiently,” David Lie, director of the Schwartz Reisman Institute (SRI) at the University of Toronto, said . “So when data is relocated, AMD’s hardware decrypts it from the old location and re-encrypts it for the new location. But, what we found was that by doing this over and over again, a malicious hypervisor can learn recurring patterns from within the data, which could lead to privacy breaches.” Last month, ETH Zürich researchers also demonstrated that a CPU optimization known as the stack engine can be abused as a side channel for attacks that lead to information leakage.
A proof-of-concept (PoC) has been developed for AMD Zen 5 machines, although it’s believed that all models have this “abusable hardware feature.” The discovery of Battering RAM also follows a report from Vrije Universiteit Amsterdam researchers about a new, realistic attack technique referred to as L1TF Reloaded that combines L1 Terminal Fault (aka Foreshadow ) and Half-Spectre gadgets (aka incomplete Spectre -like code patterns) to leak memory from virtual machines running on public cloud services. “L1TF is a CPU vulnerability that allows an (attacker) VM to speculatively read any data residing in the (core-local) L1 data cache – including data the VM shouldn’t have access to,” VUSec researchers said . “At a high level, L1TF Reloaded abuses this to obtain an arbitrary RAM read primitive.” Google, which provided the researchers with a sole-tenant node in order to conduct the research safely without potentially affecting any other customers, awarded a $151,515 bug bounty and “ applied fixes to the affected assets .” Amazon said the L1TF Reloaded vulnerability does not impact the guest data of AWS customers running on the AWS Nitro System or Nitro Hypervisor. Spectre, which first came to light in early 2018, continues to haunt modern CPUs, albeit in the form of different variants.
As recently as two weeks ago, academics from ETH Zürich devised a new attack known as VMScape ( CVE-2025-40300 , CVSS score: 6.5) that breaks virtualization boundaries in AMD Zen CPUs and Intel Coffee Lake processors. Described as a Spectre branch target injection (Spectre-BTI) attack targeting the cloud, it exploits isolation gaps across host and guest in user and supervisor modes to leak arbitrary memory from an unmodified QEMU process. A software fix has been introduced in the Linux kernel to counter the cross-virtualization BTI (vBTI) attack primitive. “VMScape can leak the memory of the QEMU process at the rate of 32 B/s on AMD Zen 4,” the authors said in a study.
“We use VMScape to find the location of secret data and leak the secret data, all within 772 s, extracting the cryptographic key used for disk encryption/decryption as an example.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Phantom Taurus: New China-Linked Hacker Group Hits Governments With Stealth Malware
Government and telecommunications organizations across Africa, the Middle East, and Asia have emerged as the target of a previously undocumented China-aligned nation-state actor dubbed Phantom Taurus over the past two-and-a-half years. “Phantom Taurus’ main focus areas include ministries of foreign affairs, embassies, geopolitical events, and military operations,” Palo Alto Networks Unit 42 researcher Lior Rochberger said . “The group’s primary objective is espionage. Its attacks demonstrate stealth, persistence, and an ability to quickly adapt their tactics, techniques, and procedures (TTPs).” It’s worth pointing out that the hacking group was first detailed by the cybersecurity company back in June 2023 under the moniker CL-STA-0043 .
Then last May, the threat cluster was graduated to a temporary group, TGR-STA-0043 , following revelations about its sustained cyber espionage efforts aimed at governmental entities since at least late 2022 as part of a campaign codenamed Operation Diplomatic Specter. Unit 42 said its continued observation of the group yielded enough evidence to classify it as a new threat actor whose primary goal is to enable long-term intelligence collection and obtain confidential data from targets that are of strategic interest to China, both economically and geopolitically. “The group takes an interest in diplomatic communications, defense-related intelligence and the operations of critical governmental ministries,” the company said. “The timing and scope of the group’s operations frequently coincide with major global events and regional security affairs.” This aspect is particularly revealing, not least because other Chinese hacking groups have also embraced a similar approach.
For instance, a new adversary tracked by Recorded Future as RedNovember is assessed to have targeted entities in Taiwan and Panama in close proximity to “geopolitical and military events of key strategic interest to China.” Phantom Taurus’ modus operandi also stands out due to the use of custom-developed tools and techniques rarely observed in the threat landscape. This includes a never-before-seen bespoke malware suite dubbed NET-STAR. Developed in .NET, the program is designed to target Internet Information Services (IIS) web servers. That said, the hacking crew has relied on shared operational infrastructure that has been previously employed by groups like AT27 (aka Iron Taurus), APT41 (aka Starchy Taurus or Winnti), and Mustang Panda (aka Stately Taurus).
Conversely, the infrastructure components used by the threat actor have not been detected in operations carried out by others, indicating some sort of “operational compartmentalization” within the shared ecosystem. The exact initial access vector is not clear, but prior intrusions have weaponized vulnerable on-premises Internet Information Services (IIS) and Microsoft Exchange servers, abusing flaws like ProxyLogon and ProxyShell, to infiltrate target networks. “So far we have seen them exploiting known vulnerabilities for IIS and Microsoft Exchange servers (such as ProxyLogon and ProxyShell), but that doesn’t mean it won’t change in the future,” Assaf Dahan, director of threat research at Unit 42, told The Hacker News. “The group is very resourceful and motivated – they will find a way in one way or another.” Another significant facet of the attacks is the shift from gathering emails to the direct targeting of databases using a batch script that makes it possible to connect to an SQL Server database, export the results in the form of a CSV file, and terminate the connection.
The script is executed using the Windows Management Instrumentation ( WMI ) infrastructure. Unit 42 said the threat actor used this method to methodically search for documents of interest and information related to specific countries such as Afghanistan and Pakistan. Recent attacks mounted by Phantom Taurus have also leveraged NET-STAR, which consists of three web-based backdoors, each of which performs a specific function while maintaining access to the compromised IIS environment - IIServerCore , a fileless modular backdoor loaded by means of an ASPX web shell that supports in-memory execution of command-line arguments, arbitrary commands, and payloads, and transmits the results in an encrypted command-and-control (C2) communication channel AssemblyExecuter V1 , which loads and executes additional .NET payloads in memory AssemblyExecuter V2 , an enhanced version of AssemblyExecuter V1 that also comes fitted with the ability to bypass Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW) “The NET-STAR malware suite demonstrates Phantom Taurus’ advanced evasion techniques and a deep understanding of .NET architecture, representing a significant threat to internet-facing servers,” Unit 42 said. “IIServerCore also supports a command called changeLastModified.
This suggests that the malware has active timestomping capabilities, designed to confuse security analysts and digital forensics tools.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Researchers Disclose Google Gemini AI Flaws Allowing Prompt Injection and Cloud Exploits
Cybersecurity researchers have disclosed three now-patched security vulnerabilities impacting Google’s Gemini artificial intelligence (AI) assistant that, if successfully exploited, could have exposed users to major privacy risks and data theft. “They made Gemini vulnerable to search-injection attacks on its Search Personalization Model; log-to-prompt injection attacks against Gemini Cloud Assist; and exfiltration of the user’s saved information and location data via the Gemini Browsing Tool,” Tenable security researcher Liv Matan said in a report shared with The Hacker News. The vulnerabilities have been collectively codenamed the Gemini Trifecta by the cybersecurity company. They reside in three distinct components of the Gemini suite - A prompt injection flaw in Gemini Cloud Assist that could allow attackers to exploit cloud-based services and compromise cloud resources by taking advantage of the fact that the tool is capable of summarizing logs pulled directly from raw logs, enabling the threat actor to conceal a prompt within a User-Agent header as part of an HTTP request to a Cloud Function and other services like Cloud Run, App Engine, Compute Engine, Cloud Endpoints, Cloud Asset API, Cloud Monitoring API, and Recommender API A search-injection flaw in the Gemini Search Personalization model that could allow attackers to inject prompts and control the AI chatbot’s behavior to leak a user’s saved information and location data by manipulating their Chrome search history using JavaScript and leveraging the model’s inability to differentiate between legitimate user queries and injected prompts from external sources An indirect prompt injection flaw in Gemini Browsing Tool that could allow attackers to exfiltrate a user’s saved information and location data to an external server by taking advantage of the internal call Gemini makes to summarize the content of a web page Tenable said the vulnerabilities could have been abused to embed the user’s private data inside a request to a malicious server controlled by the attacker without the need for Gemini to render links or images.
“One impactful attack scenario would be an attacker who injects a prompt that instructs Gemini to query all public assets, or to query for IAM misconfigurations, and then creates a hyperlink that contains this sensitive data,” Matan said of the Cloud Assist flaw. “This should be possible since Gemini has the permission to query assets through the Cloud Asset API.” In the case of the second attack, the threat actor would first need to persuade a user to visit a website that they had set up to inject malicious search queries containing prompt injections into the victim’s browsing history and poison it. Thus, when the victim later interacts with Gemini’s search personalization model, the attacker’s instructions are processed to steal sensitive data. Following responsible disclosure, Google has since stopped rendering hyperlinks in the responses for all log summarization responses, and has added more hardening measures to safeguard against prompt injections.
“The Gemini Trifecta shows that AI itself can be turned into the attack vehicle, not just the target. As organizations adopt AI, they cannot overlook security,” Matan said. “Protecting AI tools requires visibility into where they exist across the environment and strict enforcement of policies to maintain control.” The development comes as agentic security platform CodeIntegrity detailed a new attack that abuses Notion’s AI agent for data exfiltration by hiding prompt instructions in a PDF file using white text on a white background that instructs the model to collect confidential data and then send it to the attackers. “An agent with broad workspace access can chain tasks across documents, databases, and external connectors in ways RBAC never anticipated,” the company said .
“This creates a vastly expanded threat surface where sensitive data or actions can be exfiltrated or misused through multi step, automated workflows.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Microsoft Expands Sentinel Into Agentic Security Platform With Unified Data Lake
Microsoft on Tuesday unveiled the expansion of its Sentinel Security Incidents and Event Management solution (SIEM) as a unified agentic platform with the general availability of the Sentinel data lake. In addition, the tech giant said it’s also releasing a public preview of Sentinel Graph and Sentinel Model Context Protocol ( MCP ) server to turn telemetry into a security graph and allow AI agents access an organization’s security context in a standardized manner. “With graph-based context, semantic access, and agentic orchestration, Sentinel gives defenders a single platform to ingest signals, correlate across domains, and empower AI agents built in Security Copilot, VS Code using GitHub Copilot, or other developer platforms,” Vasu Jakkal, corporate vice president at Microsoft Security, said in a post shared with The Hacker News. Microsoft released Sentinel data lake in public preview earlier this July as a purpose-built, cloud-native tool to ingest, manage, and analyze security data to provide better visibility and advanced analytics.
With the data lake , the idea is to lay the foundation for an agentic defense by bringing data from diverse sources and enabling artificial intelligence (AI) models like Security Copilot to have the full context necessary to detect subtle patterns, correlate signals, and surface high-fidelity alerts. The shift, Redmond added, allows security teams to uncover attacker behavior, retroactively hunt over historical data, and trigger detections automatically based on the latest tradecraft. “Sentinel ingests signals, either structured or semi-structured, and builds a rich, contextual understanding of your digital estate through vectorized security data and graph-based relationships,” Jakkal said. “By integrating these insights with Defender and Purview, Sentinel brings graph-powered context to the tools security teams already use, helping defenders trace attack paths, understand impact, and prioritize response – all within familiar workflows.” Microsoft further noted that Sentinel organizes and enriches security data so as to detect issues faster and better respond to events at scale, shifting cybersecurity from “reactive to predictive.” In addition, the company said users can build Security Copilot agents in a Sentinel MCP server-enabled coding platform, such as VS Code, using GitHub Copilot, that are tailored to their organizational workflows .
The Windows maker has also emphasized the need for securing AI platforms and implementing guardrails to detect (cross-)prompt injection attacks, stating it intends to roll out new enhancements to Azure AI Foundry that incorporate more protection for AI agents against such risks. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.