Tag: malicious
-
‘Grafana Ghost’ XSS flaw exposes 47,000 servers to account takeover
From open-redirect to plugin-powered takeover: Based on the PoC shared by OX Security, the exploit leverages a clever combo of client-side path traversal and open-redirect mechanics in Grafana’s staticHandler, the component responsible for serving static files like HTML, CSS, JavaScript, and images from the server to the user’s browser.A potential attack can have a crafted…
-
Hackers Compromise Discord Invite to Inject Malicious Links Delivering AsyncRAT
Threat actors have exploited Discord’s invite system to distribute malicious links, ultimately delivering AsyncRAT and other harmful payloads. Discord, a widely trusted platform for gamers, developers, and communities, has become a target for cybercriminals who abuse its infrastructure particularly the invite link and content delivery features to orchestrate phishing schemes and malware infections. This campaign,…
-
Over 20 Malicious Google Play Apps Steal Users’ Login Credentials
Tags: android, credentials, crypto, cyber, cybersecurity, google, intelligence, login, malicious, phishingA major security alert has been issued for Android users after cybersecurity researchers uncovered more than 20 malicious applications on the Google Play Store designed to steal users’ login credentials, specifically targeting cryptocurrency wallet holders. The campaign, identified by Cyble Research and Intelligence Labs (CRIL), reveals a sophisticated phishing operation that has already compromised the…
-
Malicious PyPI Package Masquerades as Chimera Module to Steal AWS, CI/CD, and macOS Data
Cybersecurity researchers have discovered a malicious package on the Python Package Index (PyPI) repository that’s capable of harvesting sensitive developer-related information, such as credentials, configuration data, and environment variables, among others.The package, named chimera-sandbox-extensions, attracted 143 downloads and likely targets users of a service called Chimera Sandbox, First seen on thehackernews.com Jump to article: thehackernews.com/2025/06/malicious-pypi-package-masquerades-as.html
-
Protecting Against Origin Server DDoS Attacks
An origin server DDoS attack (sometimes referred to as direct-to-origin attack) is a technique used to bypass cloud-based DDoS protections such as CDNs and WAFs by targeting the origin server environment directly. Because the malicious traffic avoids the protective proxy layer, it hits the origin server unfiltered, potentially overwhelming systems that are not… First seen…
-
Over 46,000 Grafana instances exposed to account takeover bug
More than 46,000 internet-facing Grafana instances remain unpatched and exposed to a client-side open redirect vulnerability that allows executing a malicious plugin and account takeover. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/over-46-000-grafana-instances-exposed-to-account-takeover-bug/
-
Discord Invite Link Hijacking Delivers AsyncRAT and Skuld Stealer Targeting Crypto Wallets
A new malware campaign is exploiting a weakness in Discord’s invitation system to deliver an information stealer called Skuld and the AsyncRAT remote access trojan.”Attackers hijacked the links through vanity link registration, allowing them to silently redirect users from trusted sources to malicious servers,” Check Point said in a technical report. “The attackers combined the…
-
‘Dangerous’ vulnerability in GitLab Ultimate Enterprise Edition
Tags: access, ai, attack, authentication, best-practice, ceo, communications, control, cve, cvss, data, flaw, github, gitlab, incident response, injection, malicious, mfa, password, risk, service, vulnerabilityCVE-2025-2254, a cross-site scripting issue, which, under certain conditions, could allow an attacker to act like a legitimate user by injecting a malicious script into the snippet viewer.All GitLab CE/EE versions from 17.9 before 17.10.8, 17.11 before 17.11.4, and 18.0 before 18.0.2 are impacted;CVE-2025-0673, a vulnerability that can cause a denial of service by triggering…
-
Discord flaw lets hackers reuse expired invites in malware campaign
Hackers are hijacking expired or deleted Discord invite links to redirect users to malicious sites that deliver remote access trojans and information-stealing malware. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/discord-flaw-lets-hackers-reuse-expired-invites-in-malware-campaign/
-
Over 269,000 Websites Infected with JSFireTruck JavaScript Malware in One Month
Cybersecurity researchers are calling attention to a “large-scale campaign” that has been observed compromising legitimate websites with malicious JavaScript injections.According to Palo Alto Networks Unit 42, these malicious injects are obfuscated using JSFuck, which refers to an “esoteric and educational programming style” that uses only a limited set of characters to write and execute code.…
-
Spring Framework Flaw Enables Remote File Disclosure via “Content”‘Disposition” Header
A medium-severity reflected file download (RFD) vulnerability (CVE-2025-41234) in VMware’s Spring Framework has been patched, affecting multiple versions of the widely used Java framework. The flaw enables attackers to execute malicious code by exploiting improperly configured Content-Disposition headers in a web application. Technical Breakdown The vulnerability arises when applications use Spring’s org.springframework.http.ContentDisposition class to set…
-
Acer Control Center Flaw Lets Attackers Run Malicious Code as Elevated User
A critical security flaw (CVE-2025-5491) in Acer ControlCenter allows remote attackers to execute arbitrary code with NT AUTHORITY\SYSTEM privileges via a misconfigured Windows Named Pipe. The vulnerability, rated 8.8 on the CVSS scale, stems from insecure permissions on a custom protocol pipe exposed by the ACCSvc.exe service. Acer has released patched versions (4.00.3058+) to address…
-
JSFireTruck Obfuscation Helps Cybercriminals Hijack Trusted Sites with Malicious JavaScript
A sophisticated and extensive cyber attack campaign has been uncovered, in which threat actors are compromising legitimate websites to inject highly obfuscated JavaScript code. Dubbed “JSFireTruck,” this obfuscation technique enables cybercriminals to quietly redirect unsuspecting visitors to malicious sites capable of delivering malware, executing exploits, and serving unwanted advertisements. The campaign, detected across over 200,000…
-
PoC Exploit Unveiled for Windows Disk Cleanup Elevation Vulnerability
Microsoft addressed a high-severity elevation of privilege vulnerability (CVE-2025-21420) in its Windows Disk Cleanup Utility (cleanmgr.exe) during February 2025’s Patch Tuesday. The flaw, scoring 7.8 on the CVSS scale, enabled attackers to execute malicious code with SYSTEM privileges through DLL sideloading and a directory traversal technique. Technical Analysis of CVE-2025-21420 The vulnerability stems from cleanmgr.exe’s…
-
How to log and monitor PowerShell activity for suspicious scripts and commands
Block executable content from email client and webmailBlock executable files from running unless they meet a prevalence, age, or trusted list criterionBlock execution of potentially obfuscated scriptsBlock JavaScript or VBScript from launching downloaded executable contentBlock process creations originating from PSExec and WMI commands Log workstation PowerShell commands: Even without Microsoft Defender resources you need to…
-
TokenBreak Exploit Tricks AI Models Using Minimal Input Changes
HiddenLayer’s security research team has uncovered TokenBreak, a novel attack technique that bypasses AI text classification models by exploiting tokenization strategies. This vulnerability affects models designed to detect malicious inputs like prompt injection, spam, and toxic content, leaving protected systems exposed to attacks they were meant to prevent. Technical Breakdown of TokenBreak According to the…
-
Cybercriminals Exploiting Expired Discord Invite Links to Deploy Multi-Stage Malware
Security researchers have uncovered a sophisticated malware campaign exploiting a little-known flaw in Discord’s invitation system, enabling cybercriminals to hijack expired or deleted invite links and redirect unsuspecting users to malicious servers. This attack chain, discovered by Check Point Research, leverages trusted cloud services and advanced evasion techniques to deliver powerful malware, with a particular…
-
WordPress Sites Turned Weapon: How VexTrio and Affiliates Run a Global Scam Network
The threat actors behind the VexTrio Viper Traffic Distribution Service (TDS) have been linked to other TDS services like Help TDS and Disposable TDS, indicating that the sophisticated cybercriminal operation is a sprawling enterprise of its own that’s designed to distribute malicious content.”VexTrio is a group of malicious adtech companies that distribute scams and harmful…
-
Unpatched holes could allow takeover of GitLab accounts
Tags: access, attack, authentication, best-practice, ceo, communications, control, cve, cvss, data, github, gitlab, incident response, malicious, mfa, password, risk, service, vulnerabilityCVE-2025-2254, a cross-site scripting issue, which, under certain conditions, could allow an attacker to act like a legitimate user by injecting a malicious script into the snippet viewer.All GitLab CE/EE versions from 17.9 before 17.10.8, 17.11 before 17.11.4, and 18.0 before 18.0.2 are impacted;CVE-2025-0673, a vulnerability that can cause a denial of service by triggering…
-
OneLogin AD Connector Vulnerabilities Expose Authentication Credentials
Tags: access, authentication, credentials, cyber, data-breach, flaw, identity, malicious, risk, service, vulnerabilityA critical security vulnerability in OneLogin’s Active Directory (AD) Connector service has exposed enterprise authentication systems to significant risk The flaw, now reportedly fixed, uncovered by SpecterOps allowed malicious actors to obtain authentication credentials, impersonate users, and access sensitive applications through OneLogin’s platform. OneLogin, a prominent identity and access management (IAM) solution, integrates with popular…
-
Multiple GitLab Vulnerabilities Expose Users to Complete Account Takeover Risks
GitLab, the widely used DevSecOps platform, has released urgent security updates addressing multiple high-severity vulnerabilities that could allow attackers to take over user accounts, inject malicious code, and disrupt services. The new versions”, 18.0.2, 17.11.4, and 17.10.8 for both Community Edition (CE) and Enterprise Edition (EE)”, contain critical fixes, and administrators are strongly advised to…
-
Infostealer Malware Targeted by Police in Operation Secure
32 Suspects Arrested Across Asia-Pacific During Interpol-Coordinated Crackdown. Interpol on Wednesday unveiled Operation Secure, an information-stealing malware crackdown that it coordinated, resulting in the arrest of 32 suspects and the seizure of over 20,000 malicious IP addresses and 41 servers tied to infostealer-fueled crime. First seen on govinfosecurity.com Jump to article: www.govinfosecurity.com/infostealer-malware-targeted-by-police-in-operation-secure-a-28655
-
Infostealer crackdown: Operation Secure takes down 20,000 malicious IPs and domains
More than 20,000 malicious IP addresses and domains used by information-stealing malware were taken down during an international cybercrime crackdown led by INTERPOL. Called … First seen on helpnetsecurity.com Jump to article: www.helpnetsecurity.com/2025/06/11/operation-secure-cybercrime-infostealer-crackdown/
-
Insyde UEFI Application Vulnerability Enables Digital Certificate Injection Through NVRAM Variable
A critical vulnerability in Insyde H2O UEFI firmware (tracked as CVE-2025-XXXX) allows attackers to bypass Secure Boot protections by injecting malicious digital certificates via an unprotected NVRAM variable. This flaw exposes millions of devices to pre-boot malware and kernel-level rootkits that evade traditional security monitoring. How SecureFlashCertData Undermines Secure Boot The vulnerability centers on improper…
-
Former Black Basta Members Use Microsoft Teams and Python Scripts in 2025 Attacks
Former members tied to the Black Basta ransomware operation have been observed sticking to their tried-and-tested approach of email bombing and Microsoft Teams phishing to establish persistent access to target networks.”Recently, attackers have introduced Python script execution alongside these techniques, using cURL requests to fetch and deploy malicious payloads,” ReliaQuest said in a report First…
-
Asia dismantles 20,000 malicious domains in infostealer crackdown
Interpol coordinates operation, nabs 32 across Vietnam, Sri Lanka, and Nauru First seen on theregister.com Jump to article: www.theregister.com/2025/06/11/asia_cracks_down_on_infostealers/
-
295 Malicious IPs Launch Coordinated Brute-Force Attacks on Apache Tomcat Manager
Threat intelligence firm GreyNoise has warned of a “coordinated brute-force activity” targeting Apache Tomcat Manager interfaces.The company said it observed a surge in brute-force and login attempts on June 5, 2025, an indication that they could be deliberate efforts to “identify and access exposed Tomcat services at scale.”To that end, 295 unique IP addresses have…
-
Dozens arrested across Asia in global infostealer malware crackdown
A global law enforcement crackdown on information-stealing malware led to the arrest of 32 suspects and the dismantling of more than 20,000 malicious IP addresses and domains linked to cybercrime. First seen on therecord.media Jump to article: therecord.media/dozens-arrested-infostealer-interpol-crackdown
-
Apache Kafka Arbitrary File Read and SSRF Vulnerability (CVE-2025-27817)
Overview Recently, NSFOCUS CERT detected that Apache issued a security bulletin to fix the arbitrary file read and SSRF vulnerabilities in Apache Kafka (CVE-2025-27817); Because the Apache Kafka client does not strictly validate and restrict user input, an unauthenticated attacker can elevate the file system/environment/URL access rights of the REST API by constructing malicious configurations…The…