Rendershock: Weaponizing Trust In File Rendering Pipelines
RenderShock is a comprehensive zero-click attack strategy that targets passive file preview, indexing, and automation behaviours in modern operating systems and enterprise environments.
Unlike traditional phishing or malware campaigns requiring a user’s active participation, RenderShock uses standard system behaviours and trusted automation features to perform malicious actions ranging from reconnaissance and data exfiltration to credential theft and remote code execution. By embedding malicious logic in metadata, preview triggers, and document formats, RenderShock capitalizes on system convenience as an unguarded attack vector..:
https://www.cyfirma.com/research/rendershock-weaponizing-trust-in-file-rendering-pipelines/
RenderShock is a comprehensive zero-click attack strategy that targets passive file preview, indexing, and automation behaviours in modern operating systems and enterprise environments.
Unlike traditional phishing or malware campaigns requiring a user’s active participation, RenderShock uses standard system behaviours and trusted automation features to perform malicious actions ranging from reconnaissance and data exfiltration to credential theft and remote code execution. By embedding malicious logic in metadata, preview triggers, and document formats, RenderShock capitalizes on system convenience as an unguarded attack vector..:
https://www.cyfirma.com/research/rendershock-weaponizing-trust-in-file-rendering-pipelines/
CYFIRMA
RENDERSHOCK: WEAPONIZING TRUST IN FILE RENDERING PIPELINES - CYFIRMA
EXECUTIVE SUMMARY RenderShock is a comprehensive zero-click attack strategy that targets passive file preview, indexing, and automation behaviours in modern...
VMware ESXi, Workstation, Fusion, and Tools Multiple Vulnerabilities
Affected Products
VMware Cloud Foundation
VMware vSphere Foundation
VMware ESXi
VMware Workstation Pro
VMware Fusion
VMware Tools
VMware Telco Cloud Platform
VMware Telco Cloud Infrastructure
https://threatprotect.qualys.com/2025/07/16/vmware-esxi-workstation-fusion-and-tools-multiple-vulnerabilities-cve-2025-41236-cve-2025-41237-cve-2025-41238-cve-2025-41239/
Affected Products
VMware Cloud Foundation
VMware vSphere Foundation
VMware ESXi
VMware Workstation Pro
VMware Fusion
VMware Tools
VMware Telco Cloud Platform
VMware Telco Cloud Infrastructure
https://threatprotect.qualys.com/2025/07/16/vmware-esxi-workstation-fusion-and-tools-multiple-vulnerabilities-cve-2025-41236-cve-2025-41237-cve-2025-41238-cve-2025-41239/
Popular fitness app Fitify exposes 138K user photos
Fitify’s publicly accessible Google cloud storage bucket has exposed hundreds of thousands of files. Some of the files were user-uploaded progress pictures that individuals upload to track their body changes over time...
https://cybernews.com/security/fitify-app-data-leak-user-photos-exposed/
Fitify’s publicly accessible Google cloud storage bucket has exposed hundreds of thousands of files. Some of the files were user-uploaded progress pictures that individuals upload to track their body changes over time...
https://cybernews.com/security/fitify-app-data-leak-user-photos-exposed/
Cybernews
Popular fitness app Fitify exposes 138K user progress photos
Fitify fitness app exposed 138K user progress photos through unsecured Google cloud storage. Some of the photos include barely dressed people.
Coyote in the Wild: First-Ever Malware That Abuses UI Automation
https://www.akamai.com/blog/security-research/active-exploitation-coyote-malware-first-ui-automation-abuse-in-the-wild
https://www.akamai.com/blog/security-research/active-exploitation-coyote-malware-first-ui-automation-abuse-in-the-wild
Akamai
Coyote in the Wild: First-Ever Malware That Abuses UI Automation | Akamai
Learn about the latest Coyote malware variant: The first malware that abuses UI Automation.
🎉 Open SysConf’25 — с Днём системного администратора!
Сегодня благодарность тем, кто держит цифровой мир на плаву:
серверы работают, сети не падают, почта ходит, а баги чинятся ещё до того, как мы их заметим.
Open SysConf’25 — конференция для таких людей: инженеров, девопсов, исследователей, безопасников.
Тех, кто делает ИТ лучше каждый день. 💪
4 октября мы собираемся в Алматы, чтобы снова поговорить о хаках, ресерчах, опыте и… немного о жизни.
А пока — регистрируйся, подавай заявку на доклад, делись своей историей:
👉 https://sysconf.io/2025
#sysconf25 #деньсисадмина #devops #conference #cfp #community #opensysconf #sysadminday
Сегодня благодарность тем, кто держит цифровой мир на плаву:
серверы работают, сети не падают, почта ходит, а баги чинятся ещё до того, как мы их заметим.
Open SysConf’25 — конференция для таких людей: инженеров, девопсов, исследователей, безопасников.
Тех, кто делает ИТ лучше каждый день. 💪
4 октября мы собираемся в Алматы, чтобы снова поговорить о хаках, ресерчах, опыте и… немного о жизни.
А пока — регистрируйся, подавай заявку на доклад, делись своей историей:
👉 https://sysconf.io/2025
#sysconf25 #деньсисадмина #devops #conference #cfp #community #opensysconf #sysadminday
Sploitlight: Analyzing a Spotlight-based macOS TCC vulnerability
https://www.microsoft.com/en-us/security/blog/2025/07/28/sploitlight-analyzing-a-spotlight-based-macos-tcc-vulnerability/
https://www.microsoft.com/en-us/security/blog/2025/07/28/sploitlight-analyzing-a-spotlight-based-macos-tcc-vulnerability/
Microsoft News
Sploitlight: Analyzing a Spotlight-based macOS TCC vulnerability
Microsoft Threat Intelligence has discovered a macOS vulnerability, tracked as CVE-2025-31199, that could allow attackers to steal private data of files normally protected by Transparency, Consent, and Control (TCC), including the ability to extract and leak…
Malvertising Campaign Delivers Oyster/Broomstick Backdoor via SEO Poisoning and Trojanized Tools
trojanized PuTTY and WinSCP trgets to users...
https://arcticwolf.com/resources/blog/malvertising-campaign-delivers-oyster-broomstick-backdoor-via-seo-poisoning-trojanized-tools/
trojanized PuTTY and WinSCP trgets to users...
https://arcticwolf.com/resources/blog/malvertising-campaign-delivers-oyster-broomstick-backdoor-via-seo-poisoning-trojanized-tools/
Forwarded from Sys-Admin Up (Yevgeniy Goncharov)
PyPi Incident Report: Phishing Attack
- 4 user accounts were successfully phished
- 2 API Tokens were generated by the attackers
- 2 releases of the num2words project were uploaded by the attacker
https://blog.pypi.org/posts/2025-07-31-incident-report-phishing-attack/
- 4 user accounts were successfully phished
- 2 API Tokens were generated by the attackers
- 2 releases of the num2words project were uploaded by the attacker
https://blog.pypi.org/posts/2025-07-31-incident-report-phishing-attack/
blog.pypi.org
PyPI Phishing Attack: Incident Report - The Python Package Index Blog
Follow-up on the recent phishing attack targeting PyPI users.
Forwarded from Sys-Admin Up (Yevgeniy Goncharov)
Arch Infected AUR packages - firefox, zen-browser, chrome
Just ten days after a previous incident, malware with a Remote Access Trojan has once again been discovered in Arch Linux AUR packages.
https://linuxiac.com/arch-aur-under-fire-once-more-as-malware-resurfaces/
Just ten days after a previous incident, malware with a Remote Access Trojan has once again been discovered in Arch Linux AUR packages.
https://linuxiac.com/arch-aur-under-fire-once-more-as-malware-resurfaces/
Linuxiac
Arch AUR Under Fire Once More as Malware Resurfaces
Just ten days after a previous incident, malware with a Remote Access Trojan has once again been discovered in Arch Linux AUR packages.
RoKRAT Shellcode and Steganographic Threats: Analysis and EDR Response Strategies
https://www.genians.co.kr/en/blog/threat_intelligence/rokrat_shellcode_steganographic
https://www.genians.co.kr/en/blog/threat_intelligence/rokrat_shellcode_steganographic
www.genians.co.kr
RoKRAT Shellcode and Steganographic Threats: Analysis and EDR Response Strategies
A new RoKRAT variant used by APT37 was found hiding malware in image files via steganography and using two-layer encrypted shellcode to evade analysis.
MCP Horror Stories: The Security Issues Threatening AI Infrastructure
https://www.docker.com/blog/mcp-security-issues-threatening-ai-infrastructure/
https://www.docker.com/blog/mcp-security-issues-threatening-ai-infrastructure/
Docker
MCP Security Issues Threatening AI Infrastructure | Docker
Learn about critical MCP security issues, their real-world horror stories, and how to best mitigate these rising vulnerabilities.
AWS deleted 10-year account and all data without warning
https://www.seuros.com/blog/aws-deleted-my-10-year-account-without-warning/
History of restoring:
https://www.seuros.com/blog/aws-restored-account-plot-twist/
https://www.seuros.com/blog/aws-deleted-my-10-year-account-without-warning/
History of restoring:
https://www.seuros.com/blog/aws-restored-account-plot-twist/
Seuros Blog
AWS deleted my 10-year account and all data without warning
After 10 years as an AWS customer and open-source contributor, they deleted my account and all data with zero warning. Here's how AWS's 'verification' process became a digital execution, and why you should never trust cloud providers with your only copy of…
New Streamlit Vulnerability Enables Cloud Account Takeover Attack and Stock Market Dashboard Tampering
https://www.catonetworks.com/blog/cato-ctrl-new-streamlit-vulnerability/
https://www.catonetworks.com/blog/cato-ctrl-new-streamlit-vulnerability/
Cato Networks
Cato CTRL™ Threat Research: New Streamlit Vulnerability Enables Cloud Account Takeover Attack and Stock Market Dashboard Tampering
Cato CTRL found a Streamlit flaw allowing attackers to bypass file checks, take over cloud instances, and access or alter stock data.
AWS Community Day 2025 Алматы — Доклады
Собраны в кучу темы первой части докладов:
• Building AI Agent on the AWS Bedrock Platform. Тельман И. (Tele2/Altel)
• Building Production GenAI: MCP and Multi-Agent Systems — Виктор В. (AWS)
• MVP with AWS Serverless by a Real Example — Виталий К. (ITS, Signify)
• Building production ready agents with Amazon Bedrock — Дазик А. (AWS)
• Гибридное облако + AI-инфраструктура - платформа для ML/GenAI-сервисов — Максим Г. (БЦК)
• Improve auction house search with vector capabilities: Bedrock or SageMaker Serverless — Михаил Ч. (ACTUM Digital)
📍 22-23 августа, Алматы, детали: community-day.awsug.kz
Собраны в кучу темы первой части докладов:
• Building AI Agent on the AWS Bedrock Platform. Тельман И. (Tele2/Altel)
• Building Production GenAI: MCP and Multi-Agent Systems — Виктор В. (AWS)
• MVP with AWS Serverless by a Real Example — Виталий К. (ITS, Signify)
• Building production ready agents with Amazon Bedrock — Дазик А. (AWS)
• Гибридное облако + AI-инфраструктура - платформа для ML/GenAI-сервисов — Максим Г. (БЦК)
• Improve auction house search with vector capabilities: Bedrock or SageMaker Serverless — Михаил Ч. (ACTUM Digital)
📍 22-23 августа, Алматы, детали: community-day.awsug.kz
ECScape: Understanding IAM Privilege Boundaries in Amazon ECS
A way to abuse an undocumented ECS internal protocol to grab AWS credentials belonging to other ECS tasks on the same EC2 instance. A malicious container with a low‑privileged IAM role can obtain the permissions of a higher‑privileged container running on the same host.
https://www.sweet.security/blog/ecscape-understanding-iam-privilege-boundaries-in-amazon-ecs
A way to abuse an undocumented ECS internal protocol to grab AWS credentials belonging to other ECS tasks on the same EC2 instance. A malicious container with a low‑privileged IAM role can obtain the permissions of a higher‑privileged container running on the same host.
https://www.sweet.security/blog/ecscape-understanding-iam-privilege-boundaries-in-amazon-ecs
www.sweet.security
ECScape: Understanding IAM Privilege Boundaries in Amazon ECS
The Cost of a Call: From Voice Phishing to Data Extortion
Google Data Breach
https://cloud.google.com/blog/topics/threat-intelligence/voice-phishing-data-extortion
Google Data Breach
https://cloud.google.com/blog/topics/threat-intelligence/voice-phishing-data-extortion
Google Cloud Blog
The Cost of a Call: From Voice Phishing to Data Extortion | Google Cloud Blog
UNC6040 uses vishing to impersonate IT support, deceiving victims into granting access to their Salesforce instances.
📌 AWS Community Day Almaty — Известны Доклады (вторая часть)
Доклады на 22 августа 2025:
• Гибридное облако+AI-инфраструктура: защищённая платформа для ML/GenAI-сервисов
• Гибридное облако по-казахски: опыт Freedom Cloud и AWS Outposts
• Centras Rankings: аналитика и ML на базе AWS: от сырых данных к бизнес-инсайтам
• Building AI Agent on the AWS Bedrock Platform
• 23 августа будет GameDay - командная симуляция реальных проблем в продакшне, когда "что-то пошло не так” и нужно принять решение и восстановить систему
📍 22-23 августа, Алматы, детали: community-day.awsug.kz
Доклады на 22 августа 2025:
• Гибридное облако+AI-инфраструктура: защищённая платформа для ML/GenAI-сервисов
• Гибридное облако по-казахски: опыт Freedom Cloud и AWS Outposts
• Centras Rankings: аналитика и ML на базе AWS: от сырых данных к бизнес-инсайтам
• Building AI Agent on the AWS Bedrock Platform
• 23 августа будет GameDay - командная симуляция реальных проблем в продакшне, когда "что-то пошло не так” и нужно принять решение и восстановить систему
📍 22-23 августа, Алматы, детали: community-day.awsug.kz
Adult sites trick users into Liking Facebook posts using a clickjack Trojan
https://www.malwarebytes.com/blog/news/2025/08/adult-sites-trick-users-into-liking-facebook-posts-using-a-clickjack-trojan
https://www.malwarebytes.com/blog/news/2025/08/adult-sites-trick-users-into-liking-facebook-posts-using-a-clickjack-trojan
Malwarebytes
Adult sites trick users into Liking Facebook posts using a clickjack Trojan
We found a host of blogspot pages involved in a malware campaign to promote their own content by using a LikeJack Trojan.
Keys to the Kingdom: Erlang/OTP SSH Vulnerability Analysis and Exploits Observed in the Wild
https://unit42.paloaltonetworks.com/erlang-otp-cve-2025-32433/
https://unit42.paloaltonetworks.com/erlang-otp-cve-2025-32433/
Unit 42
Keys to the Kingdom: Erlang/OTP SSH Vulnerability Analysis and Exploits Observed in the Wild
CVE-2025-32433 allows for remote code execution in sshd for certain versions of Erlang programming language’s OTP. We reproduced this CVE and share our findings.
A Comprehensive Analysis of HijackLoader and Its Infection Chain
Software repacks - bypass uBlock, Windows Defender...
https://www.trellix.com/blogs/research/analysis-of-hijackloader-and-its-infection-chain/
Software repacks - bypass uBlock, Windows Defender...
https://www.trellix.com/blogs/research/analysis-of-hijackloader-and-its-infection-chain/
Trellix
A Comprehensive Analysis of HijackLoader and its Infection Chain
HijackLoader, a stealthy loader which delivers a wide variety of payloads, has been found to be spreading using fake download links on various piracy websites as well as SEO poisoning using legitimate websites. In some cases, the malicious domains were not…
Dissecting PipeMagic: Inside the architecture of a modular backdoor framework
Among the plethora of advanced attacker tools that exemplify how threat actors continuously evolve their tactics, techniques, and procedures (TTPs) to evade detection and maximize impact, PipeMagic, a highly modular backdoor used by Storm-2460 masquerading as a legitimate open-source ChatGPT Desktop Application, stands out as particularly advanced..:
https://www.microsoft.com/en-us/security/blog/2025/08/18/dissecting-pipemagic-inside-the-architecture-of-a-modular-backdoor-framework/
Among the plethora of advanced attacker tools that exemplify how threat actors continuously evolve their tactics, techniques, and procedures (TTPs) to evade detection and maximize impact, PipeMagic, a highly modular backdoor used by Storm-2460 masquerading as a legitimate open-source ChatGPT Desktop Application, stands out as particularly advanced..:
https://www.microsoft.com/en-us/security/blog/2025/08/18/dissecting-pipemagic-inside-the-architecture-of-a-modular-backdoor-framework/