Forwarded from Sys-Admin Up (Yevgeniy Goncharov)
Typosquatted Go Packages Deliver Malware Loader Targeting Linux and macOS Systems
https://socket.dev/blog/typosquatted-go-packages-deliver-malware-loader
https://socket.dev/blog/typosquatted-go-packages-deliver-malware-loader
Socket
Typosquatted Go Packages Deliver Malware Loader Targeting Li...
Malicious Go packages are impersonating popular libraries to install hidden loader malware on Linux and macOS, targeting developers with obfuscated pa...
Mass Exploitation of Critical PHP-CGI Vulnerability (CVE-2024-4577), Signaling Broad Campaign
Analysys:
https://blog.talosintelligence.com/new-persistent-attacks-japan/
Analysys:
https://blog.talosintelligence.com/new-persistent-attacks-japan/
Cisco Talos Blog
Unmasking the new persistent attacks on Japan
Cisco Talos has discovered an active exploitation of CVE-2024-4577 by an attacker in order to gain access to the victim's machines and carry out post-exploitation activities.
StopRansomware: Medusa Ransomware
https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-071a
https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-071a
Cybersecurity and Infrastructure Security Agency CISA
#StopRansomware: Medusa Ransomware | CISA
Medusa is a ransomware-as-a-service (RaaS) variant first identified in June 2021. As of February 2025, Medusa developers and affiliates have impacted over 300 victims from a variety of critical infrastructure sectors.
GitHub Actions - tj-actions/changed-files action is compromised
The tj-actions/changed-files GitHub Action, which is currently used in over 23,000 repositories, has been compromised. In this attack, the attackers modified the action’s code and retroactively updated multiple version tags to reference the malicious commit...
https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised
The tj-actions/changed-files GitHub Action, which is currently used in over 23,000 repositories, has been compromised. In this attack, the attackers modified the action’s code and retroactively updated multiple version tags to reference the malicious commit...
https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised
www.stepsecurity.io
Harden-Runner detection: tj-actions/changed-files action is compromised - StepSecurity
Windows Shortcut Exploit Abused as Zero-Day in Widespread APT Campaigns
https://www.trendmicro.com/en_us/research/25/c/windows-shortcut-zero-day-exploit.html
https://www.trendmicro.com/en_us/research/25/c/windows-shortcut-zero-day-exploit.html
Trend Micro
ZDI-CAN-25373 Windows Shortcut Exploit Abused as Zero-Day in Widespread APT Campaigns
Trend Zero Day Initiative™ (ZDI) uncovered both state-sponsored and cybercriminal groups extensively exploiting ZDI-CAN-25373 (aka ZDI-25-148), a Windows .lnk file vulnerability that enables hidden command execution.
Technical Explanation of NTLM Hash Leak via RAR/ZIP Extraction and .library-ms File
https://cti.monster/blog/2025/03/18/CVE-2025-24071.html
https://cti.monster/blog/2025/03/18/CVE-2025-24071.html
0x6rss
CVE-2025-24071: NTLM Hash Leak
Technical explanation of NTLM Hash Leak via RAR/ZIP Extraction and .library-ms File
Melting Pot of macOS Malware Adds Go to Crystal, Nim and Rust Variants
https://www.sentinelone.com/blog/readerupdate-reforged-melting-pot-of-macos-malware-adds-go-to-crystal-nim-and-rust-variants/
https://www.sentinelone.com/blog/readerupdate-reforged-melting-pot-of-macos-malware-adds-go-to-crystal-nim-and-rust-variants/
SentinelOne
ReaderUpdate Reforged | Melting Pot of macOS Malware Adds Go to Crystal, Nim and Rust Variants
A widespread campaign with binaries written in different source languages, ReaderUpdate presents unique challenges for detection and analysis.
Have I Been Pwned owner Troy Hunt’s mailing list compromised in phishing attack
https://www.itpro.com/security/phishing/have-i-been-pwned-owner-troy-hunts-mailing-list-compromised-in-phishing-attack
https://www.itpro.com/security/phishing/have-i-been-pwned-owner-troy-hunts-mailing-list-compromised-in-phishing-attack
IT Pro
Have I Been Pwned owner Troy Hunt’s mailing list compromised in phishing attack
Industry experts say the incident shows even seasoned professionals can fall victim
Exposing Crocodilus: New Device Takeover Malware Targeting Android Devices
Crocodilus enters the scene not as a simple clone, but as a fully-fledged threat from the outset, equipped with modern techniques such as remote control, black screen overlays, and advanced data harvesting via accessibility logging. This report explores the features of Crocodilus, its links to known threat actors, and how it lures victims into helping the malware steal their own credentials:
https://www.threatfabric.com/blogs/exposing-crocodilus-new-device-takeover-malware-targeting-android-devices
Crocodilus enters the scene not as a simple clone, but as a fully-fledged threat from the outset, equipped with modern techniques such as remote control, black screen overlays, and advanced data harvesting via accessibility logging. This report explores the features of Crocodilus, its links to known threat actors, and how it lures victims into helping the malware steal their own credentials:
https://www.threatfabric.com/blogs/exposing-crocodilus-new-device-takeover-malware-targeting-android-devices
ThreatFabric
Exposing Crocodilus: New Device Takeover Malware Targeting Android Devices
ThreatFabric analysts discovered a new Device-Takeover Android banking Trojan equipped with remote access, black screen overlays, and advanced credential theft capabilities.
Fileless cryptominer targeting exposed PostgreSQL with over 1.5K victims
https://www.wiz.io/blog/postgresql-cryptomining
https://www.wiz.io/blog/postgresql-cryptomining
wiz.io
Fileless XMRig-C3 Cryptominer Targets PostgreSQL Servers | Wiz Blog
Wiz Threat Research uncovers a stealthy cryptomining campaign exploiting weak PostgreSQL credentials
Forwarded from Sys-Admin Up (Yevgeniy Goncharov)
wsrp4echo - 0day Chain Vulnerability
Web Services for Remote Portlets (WSRP) is an OASIS-approved network protocol standard designed for communications with remote portlets. Uses in:
- Oracle WebCenter
- IBM WebSphere
- Microsoft SharePoint
https://medium.com/@aryanchehreghani/wsrp4echo-0day-chain-vulnerability-fd2c395dc45b
P.S. Thx
Web Services for Remote Portlets (WSRP) is an OASIS-approved network protocol standard designed for communications with remote portlets. Uses in:
- Oracle WebCenter
- IBM WebSphere
- Microsoft SharePoint
https://medium.com/@aryanchehreghani/wsrp4echo-0day-chain-vulnerability-fd2c395dc45b
P.S. Thx
Reaza for the link 🤝Medium
wsrp4echo - 0day Chain Vulnerability
Message From wsrp4echo :
Hello. I’m wsrp4echo. I’m not just a vulnerability — I’m a chain reaction.
Born not from a bug, but from trust…
Hello. I’m wsrp4echo. I’m not just a vulnerability — I’m a chain reaction.
Born not from a bug, but from trust…
ImageRunner: A Privilege Escalation Vulnerability Impacting GCP Cloud Run
https://www.tenable.com/blog/imagerunner-a-privilege-escalation-vulnerability-impacting-gcp-cloud-run
https://www.tenable.com/blog/imagerunner-a-privilege-escalation-vulnerability-impacting-gcp-cloud-run
Tenable®
ImageRunner: A Privilege Escalation Vulnerability Impacting GCP Cloud Run
Tenable Research discovered a privilege escalation vulnerability in Google Cloud Platform (GCP) that is now fixed and which we dubbed ImageRunner. At issue are identities that lack registry permissions but that have edit permissions on Google Cloud Run revisions.…
Forwarded from Sys-Admin Up (Yevgeniy Goncharov)
Threat actors leverage tax season to deploy tax-themed phishing campaigns
https://www.microsoft.com/en-us/security/blog/2025/04/03/threat-actors-leverage-tax-season-to-deploy-tax-themed-phishing-campaigns/
https://www.microsoft.com/en-us/security/blog/2025/04/03/threat-actors-leverage-tax-season-to-deploy-tax-themed-phishing-campaigns/
Microsoft News
Threat actors leverage tax season to deploy tax-themed phishing campaigns
As Tax Day approaches in the United States on April 15, Microsoft has detected several tax-themed phishing campaigns employing various tactics. These campaigns use malicious hyperlinks and attachments to deliver credential phishing and malware including RaccoonO365…
Incomplete NVIDIA Patch to CVE-2024-0132 Exposes AI Infrastructure and Data to Critical Risks
https://www.trendmicro.com/en_us/research/25/d/incomplete-nvidia-patch.html
https://www.trendmicro.com/en_us/research/25/d/incomplete-nvidia-patch.html
Trend Micro
Incomplete NVIDIA Patch to CVE-2024-0132 Exposes AI Infrastructure and Data to Critical Risks
A previously disclosed vulnerability in NVIDIA Container Toolkit has an incomplete patch, which, if exploited, could put a wide range of AI infrastructure and sensitive data at risk.
🎉 OpenBLD.net на AppSecFest 2025!
25 апреля встречаемся на AppSecFest 2025 — крупнейшем событии года в мире прикладной безопасности.
В этом году организаторы второй год подряд поддерживают OpenBLD.net — и это чертовски приятно!
У нас будет собственная стилизованная стойка, экран для демонстрации технологий, а логотип OpenBLD.net появится на официальном сайте фестиваля. Это действительное признание того, что мы делаем действительно важное дело 💪
Что будет на нашем стенде:
• Футболки и стикеры
• Живые демки технологий OpenBLD.net
• А самое главное — возможность пообщаться, обсудить идеи, задать вопросы и вдохновиться
Если вы интересуетесь DNS-безопасностью, фильтрацией вредоносных доменов, приватностью и киберзащитой — обязательно загляните к нам. Увидимся на AppSecFest 2025!
• Подробнее о проекте: openbld.net
• О фестивале: appsecfest.kz
P.S. И да, дорогой друг — у тебя есть шанс попасть на мероприятие вместе с нашей командой 😉
25 апреля встречаемся на AppSecFest 2025 — крупнейшем событии года в мире прикладной безопасности.
В этом году организаторы второй год подряд поддерживают OpenBLD.net — и это чертовски приятно!
У нас будет собственная стилизованная стойка, экран для демонстрации технологий, а логотип OpenBLD.net появится на официальном сайте фестиваля. Это действительное признание того, что мы делаем действительно важное дело 💪
Что будет на нашем стенде:
• Футболки и стикеры
• Живые демки технологий OpenBLD.net
• А самое главное — возможность пообщаться, обсудить идеи, задать вопросы и вдохновиться
Если вы интересуетесь DNS-безопасностью, фильтрацией вредоносных доменов, приватностью и киберзащитой — обязательно загляните к нам. Увидимся на AppSecFest 2025!
• Подробнее о проекте: openbld.net
• О фестивале: appsecfest.kz
P.S. И да, дорогой друг — у тебя есть шанс попасть на мероприятие вместе с нашей командой 😉
Forwarded from Sys-Admin Up (Yevgeniy Goncharov)
MITRE Ends? US Geoverment ends support MITRE. CVE released emergency article about it:
https://www.thecvefoundation.org/home
Letter:
https://www.linkedin.com/posts/tib3rius_breaking-from-a-reliable-source-mitre-activity-7317960862332293120-t6yt
https://www.thecvefoundation.org/home
Letter:
https://www.linkedin.com/posts/tib3rius_breaking-from-a-reliable-source-mitre-activity-7317960862332293120-t6yt
CVE-2025-24054, NTLM Exploit in the Wild
CVE-2025-24054 is a vulnerability related to NTLM hash disclosure via spoofing, which can be exploited using a maliciously crafted
CVE-2025-24054, which also allows NTLM hash disclosure with very little user interaction. For CVE-2025-24054, users can trigger the attack simply by right-clicking or navigating to the folder that holds the maliciously crafted .library-ms file...
Research:
https://research.checkpoint.com/2025/cve-2025-24054-ntlm-exploit-in-the-wild/
CVE-2025-24054 is a vulnerability related to NTLM hash disclosure via spoofing, which can be exploited using a maliciously crafted
.library-msCVE-2025-24054, which also allows NTLM hash disclosure with very little user interaction. For CVE-2025-24054, users can trigger the attack simply by right-clicking or navigating to the folder that holds the maliciously crafted .library-ms file...
Research:
https://research.checkpoint.com/2025/cve-2025-24054-ntlm-exploit-in-the-wild/
Check Point Research
CVE-2025-24054, NTLM Exploit in the Wild - Check Point Research
Key Points Introduction NTLM (New Technology LAN Manager) is a suite of authentication protocols developed by Microsoft to verify user identities and protect the integrity and confidentiality of network communications. NTLM operates through a direct client…
Introducing ToyMaker, an initial access broker working in cahoots with double extortion gangs
https://blog.talosintelligence.com/introducing-toymaker-an-initial-access-broker
https://blog.talosintelligence.com/introducing-toymaker-an-initial-access-broker
Cisco Talos Blog
Introducing ToyMaker, an initial access broker working in cahoots with double extortion gangs
Cisco Talos discovered a sophisticated attack on critical infrastructure by ToyMaker and Cactus, using the LAGTOY backdoor to orchestrate a relentless double extortion scheme.
Fotinet zero day RCE - Stack-based buffer overflow vulnerability in AP
Status - Critical
https://fortiguard.fortinet.com/psirt/FG-IR-25-254
Status - Critical
https://fortiguard.fortinet.com/psirt/FG-IR-25-254
FortiGuard Labs
PSIRT | FortiGuard Labs
None
Bypassing BitLocker Encryption: Bitpixie PoC and WinPE Edition
https://blog.compass-security.com/2025/05/bypassing-bitlocker-encryption-bitpixie-poc-and-winpe-edition/
https://blog.compass-security.com/2025/05/bypassing-bitlocker-encryption-bitpixie-poc-and-winpe-edition/
Valve Probes 89 Million Steam Data Leak
https://observervoice.com/valve-probes-89-million-steam-data-leak-117641/
A note about the security of your Steam account
https://steamcommunity.com/games/593110/announcements/detail/533224478739530146
https://observervoice.com/valve-probes-89-million-steam-data-leak-117641/
A note about the security of your Steam account
https://steamcommunity.com/games/593110/announcements/detail/533224478739530146
Observer Voice
Valve Probes 89 Million Steam Data Leak
Valve Probes 89 Million Steam Data Leak