Introducing ToyMaker, an initial access broker working in cahoots with double extortion gangs
https://blog.talosintelligence.com/introducing-toymaker-an-initial-access-broker
https://blog.talosintelligence.com/introducing-toymaker-an-initial-access-broker
Cisco Talos Blog
Introducing ToyMaker, an initial access broker working in cahoots with double extortion gangs
Cisco Talos discovered a sophisticated attack on critical infrastructure by ToyMaker and Cactus, using the LAGTOY backdoor to orchestrate a relentless double extortion scheme.
Fotinet zero day RCE - Stack-based buffer overflow vulnerability in AP
Status - Critical
https://fortiguard.fortinet.com/psirt/FG-IR-25-254
Status - Critical
https://fortiguard.fortinet.com/psirt/FG-IR-25-254
FortiGuard Labs
PSIRT | FortiGuard Labs
None
Bypassing BitLocker Encryption: Bitpixie PoC and WinPE Edition
https://blog.compass-security.com/2025/05/bypassing-bitlocker-encryption-bitpixie-poc-and-winpe-edition/
https://blog.compass-security.com/2025/05/bypassing-bitlocker-encryption-bitpixie-poc-and-winpe-edition/
Valve Probes 89 Million Steam Data Leak
https://observervoice.com/valve-probes-89-million-steam-data-leak-117641/
A note about the security of your Steam account
https://steamcommunity.com/games/593110/announcements/detail/533224478739530146
https://observervoice.com/valve-probes-89-million-steam-data-leak-117641/
A note about the security of your Steam account
https://steamcommunity.com/games/593110/announcements/detail/533224478739530146
Observer Voice
Valve Probes 89 Million Steam Data Leak
Valve Probes 89 Million Steam Data Leak
VMware Cloud Foundation updates address multiple vulnerabilities
HIGH
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25733
VMware ESXi, vCenter Server, Workstation, and Fusion updates address multiple vulnerabilities
HIGH
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25717
HIGH
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25733
VMware ESXi, vCenter Server, Workstation, and Fusion updates address multiple vulnerabilities
HIGH
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25717
BadSuccessor: Abusing dMSA to Escalate Privileges in Active Directory
https://www.akamai.com/blog/security-research/abusing-dmsa-for-privilege-escalation-in-active-directory
https://www.akamai.com/blog/security-research/abusing-dmsa-for-privilege-escalation-in-active-directory
Akamai
BadSuccessor: Abusing dMSA to Escalate Privileges in Active Directory
Akamai researchers found a privilege escalation vulnerability in Windows Server 2025 that allows attackers to compromise any user in Active Directory.
CVE-2025-37899, a remote zeroday vulnerability in the Linux kernel’s SMB implementation
https://sean.heelan.io/2025/05/22/how-i-used-o3-to-find-cve-2025-37899-a-remote-zeroday-vulnerability-in-the-linux-kernels-smb-implementation/
https://sean.heelan.io/2025/05/22/how-i-used-o3-to-find-cve-2025-37899-a-remote-zeroday-vulnerability-in-the-linux-kernels-smb-implementation/
Sean Heelan's Blog
How I used o3 to find CVE-2025-37899, a remote zeroday vulnerability in the Linux kernel’s SMB implementation
In this post I’ll show you how I found a zeroday vulnerability in the Linux kernel using OpenAI’s o3 model. I found the vulnerability with nothing more complicated than the o3 API ̵…
Mark Your Calendar: APT41 Innovative Tactics
https://cloud.google.com/blog/topics/threat-intelligence/apt41-innovative-tactics
https://cloud.google.com/blog/topics/threat-intelligence/apt41-innovative-tactics
Google Cloud Blog
Mark Your Calendar: APT41 Innovative Tactics | Google Cloud Blog
When OpenBLD.net is next to Wazuh, Elastic, Palo Alto - abuse.ch launches API access by keys.
Forwarded from OpenBLD.net (Yevgeniy Goncharov)
CVE-2025-33053, Stealth Falcon And Horus: A Saga Of Middle Eastern Cyber Espionage
The threat actors used a previously undisclosed technique to execute files hosted on a WebDAV server they controlled, by manipulating the working directory of a legitimate built-in Windows tool. Microsoft assigned the vulnerability CVE-2025-33053 and released a patch on June 10, 2025, as part of their June Patch Tuesday updates.
https://research.checkpoint.com/2025/stealth-falcon-zero-day/
The threat actors used a previously undisclosed technique to execute files hosted on a WebDAV server they controlled, by manipulating the working directory of a legitimate built-in Windows tool. Microsoft assigned the vulnerability CVE-2025-33053 and released a patch on June 10, 2025, as part of their June Patch Tuesday updates.
https://research.checkpoint.com/2025/stealth-falcon-zero-day/
Check Point Research
Stealth Falcon's Exploit of Microsoft Zero Day Vulnerability - Check Point Research
Check Point Research uncovers Stealth Falcon's cyber espionage campaign exploiting a Microsoft Zero Day Vulnerability
Forwarded from Sys-Admin Up (Yevgeniy Goncharov)
Another Crack in the Chain of Trust: Uncovering (Yet Another) Secure Boot Bypass
https://www.binarly.io/blog/another-crack-in-the-chain-of-trust
https://www.binarly.io/blog/another-crack-in-the-chain-of-trust
www.binarly.io
Another Crack in the Chain of Trust: Uncovering (Yet Another) Secure Boot Bypass
Binarly uncovers CVE-2025-3052: a Secure Boot bypass affecting most UEFI devices, enabling attackers to run unsigned code before OS load.
Forwarded from OpenBLD.net (Yevgeniy Goncharov)
OpenBLD.net - Phishing Preveting - Toxic trend: Another malware threat targets DeepSeek
DeepSeek-R1 is one of the most popular LLMs right now. Users of all experience levels look for chatbot websites on search engines, and threat actors have started abusing the popularity of LLMs...
Phishing lure, Malicious installer, Loaded implant and more:
https://securelist.com/browservenom-mimicks-deepseek-to-use-malicious-proxy/115728
DeepSeek-R1 is one of the most popular LLMs right now. Users of all experience levels look for chatbot websites on search engines, and threat actors have started abusing the popularity of LLMs...
Phishing lure, Malicious installer, Loaded implant and more:
https://securelist.com/browservenom-mimicks-deepseek-to-use-malicious-proxy/115728
Red / Blue team, багбаунти, пентесты - ключевой навык в инфобезе.
Самое время прокачать навык веб-пентеста.
Курс от Яндекс Практикума в Казахстане.
Освоить веб-пентест за 6 месяцев, научиться искать уязвимости и защищать веб-приложения, что может быть проще?)
Что внутри:
• Учат и атаковать, и защищать
• Практика в облаке в формате CTF
• Наставники — практикующие специалисты
• Есть модули по безопасному коду и DevSecOps
Подходит опытным айтишникам и студентам техвузов.
Можно протестировать себя - пройдя бесплатный тест на вход.
🎁 Промокод KZ2025 — скидка 12%. Детали → Здесь.
Партнёрский материал
Самое время прокачать навык веб-пентеста.
Курс от Яндекс Практикума в Казахстане.
Освоить веб-пентест за 6 месяцев, научиться искать уязвимости и защищать веб-приложения, что может быть проще?)
Что внутри:
• Учат и атаковать, и защищать
• Практика в облаке в формате CTF
• Наставники — практикующие специалисты
• Есть модули по безопасному коду и DevSecOps
Подходит опытным айтишникам и студентам техвузов.
Можно протестировать себя - пройдя бесплатный тест на вход.
🎁 Промокод KZ2025 — скидка 12%. Детали → Здесь.
Партнёрский материал
GreyNoise - Observes Exploit Attempts Targeting Zyxel CVE-2023-28771
https://www.greynoise.io/blog/exploit-attempts-targeting-zyxel-cve-2023-28771
https://www.greynoise.io/blog/exploit-attempts-targeting-zyxel-cve-2023-28771
www.greynoise.io
GreyNoise Observes Exploit Attempts Targeting Zyxel CVE-2023-28771
On June 16, GreyNoise observed exploit attempts targeting CVE-2023-28771 — a remote code execution vulnerability affecting Zyxel Internet Key Exchange (IKE) packet decoders over UDP port 500.
Clone, Compile, Compromise: Water Curse’s Open-Source Malware Trap on GitHub
...The malware enables data exfiltration (including credentials, browser data, and session tokens), remote access, and long-term persistence on infected systems ... a supply chain risk, especially to cybersecurity professionals, game developers, and DevOps teams relying on open-source tooling..:
https://www.trendmicro.com/en_us/research/25/f/water-curse.html
...The malware enables data exfiltration (including credentials, browser data, and session tokens), remote access, and long-term persistence on infected systems ... a supply chain risk, especially to cybersecurity professionals, game developers, and DevOps teams relying on open-source tooling..:
https://www.trendmicro.com/en_us/research/25/f/water-curse.html
Trend Micro
Clone, Compile, Compromise: Water Curse’s Open-Source Malware Trap on GitHub
The Trend Micro™ Managed Detection and Response team uncovered a threat campaign orchestrated by an active group, Water Curse. The threat actor exploits GitHub, one of the most trusted platforms for open-source software, as a delivery channel for weaponized…
ConnectUnwise: Threat actors abuse ConnectWise as builder for signed malware
Since March 2025 there has been a noticeable increase in infections and fake applications using validly signed ConnectWise samples. Article reveal how bad signing practices allow threat actors to abuse this legitimate software to build and distribute their own signed malware and what security vendors can do to detect them:
https://www.gdatasoftware.com/blog/2025/06/38218-connectwise-abuse-malware
Since March 2025 there has been a noticeable increase in infections and fake applications using validly signed ConnectWise samples. Article reveal how bad signing practices allow threat actors to abuse this legitimate software to build and distribute their own signed malware and what security vendors can do to detect them:
https://www.gdatasoftware.com/blog/2025/06/38218-connectwise-abuse-malware
Gdatasoftware
Threat Actors abuse signed ConnectWise application as malware builder
Since March 2025, there has been a noticeable increase in infections and fake applications using validly signed ConnectWise samples. We reveal how bad signing practices allow threat actors to abuse this legitimate software to build and distribute their own…
Anatomy of a HexEval Loader
https://socket.dev/blog/north-korean-contagious-interview-campaign-drops-35-new-malicious-npm-packages
https://socket.dev/blog/north-korean-contagious-interview-campaign-drops-35-new-malicious-npm-packages
Socket
Another Wave: North Korean Contagious Interview Campaign Dro...
North Korean threat actors linked to the Contagious Interview campaign return with 35 new malicious npm packages using a stealthy multi-stage malware ...
Ongoing Campaign Abuses Microsoft 365’s Direct Send to Deliver Phishing Emails
https://www.varonis.com/blog/direct-send-exploit
https://www.varonis.com/blog/direct-send-exploit
Varonis
Ongoing Campaign Abuses Microsoft 365’s Direct Send to Deliver Phishing Emails
Varonis Threat Labs uncovered a phishing campaign with M365's Direct Send feature that spoofs internal users without ever needing to compromise an account.
Forwarded from Sys-Admin Up (Yevgeniy Goncharov)
Local Privilege Escalation via chroot option
An attacker can leverage sudo’s -R (--chroot) option to run arbitrary commands as root, even if they are not listed in the sudoers file:
https://www.sudo.ws/security/advisories/chroot_bug/
An attacker can leverage sudo’s -R (--chroot) option to run arbitrary commands as root, even if they are not listed in the sudoers file:
https://www.sudo.ws/security/advisories/chroot_bug/
Sudo
Local Privilege Escalation via chroot option
An attacker can leverage sudo’s -R (--chroot) option to run arbitrary commands as root, even if they are not listed in the sudoers file.
Sudo versions affected: Sudo versions 1.9.14 to 1.9.17 inclusive are affected.
CVE ID: This vulnerability has been assigned…
Sudo versions affected: Sudo versions 1.9.14 to 1.9.17 inclusive are affected.
CVE ID: This vulnerability has been assigned…