Security Boulevard

The question is no longer whether AI-driven scams will target your business, but how prepared you are to counter them.

The post Online Scams in the Age of AI appeared first on Security Boulevard.

IntroductionHijackLoader (also known as IDAT Loader and GHOSTPULSE) is a malware loader initially discovered in 2023. The loader is not only capable of delivering second-stage payloads, but also offers a variety of modules to expand the malware’s capabilities. The modules are mainly used for configuration information and to evade security software, as well as inject and execute code. Recently, Zscaler ThreatLabz uncovered new HijackLoader modules with additional evasion techniques. In this blog, we analyze these modules that implement features including call stack spoofing to mask the origin of function calls from endpoint detection, virtual machine detection to identify analysis environments, and another module that establishes persistence via scheduled tasks.Key TakeawaysHijackLoader is malware downloader dating back to 2023 that has received continuous updates via new modules.HijackLoader released a new module that implements call stack spoofing to hide the origin of function calls (e.g., API and system calls).HijackLoader added a new module to perform anti-VM checks to detect malware analysis environments and sandboxes.Another new module is designed to establish persistence via scheduled tasks.Technical AnalysisIn the following sections, we examine HijackLoader’s new modules and changes in evasion tactics. The module names added since our last analysis are the following: ANTIVM, MUTEX, CUSTOMINJECT, CUSTOMINJECTPATH, modTask, modTask64, PERSDATA, and SM.First stageHijackLoader’s first stage has undergone two changes. The first change involves the blocklist processes check, where a new process name, avastsvc.exe, was added to the list. If any of the processes in the table below are running, HijackLoader delays execution by 5 seconds. SDBM Hash ValueProcess NameDescription5C7024B2avgsvc.exeThe avgsvc.exe process is a component of AVG Internet Security.6CEA4537avastsvc.exeThe avastsvc.exe process is a component of Avast Antivirus.Table 1: Processes blocklisted by HijackLoader.The second change pertains to the decryption of modules. While most HijackLoader samples still use IDAT headers in a PNG file to store encrypted modules, a few samples are embedding them in the PNG’s pixel structure.Second stage (ti module)As mentioned in our previous blog, HijackLoader uses the Heaven's Gate technique to execute x64 direct syscalls. We have now observed that call stack spoofing has been added to the list of evasion tactics used by HijackLoader. This technique uses a chain of EBP pointers to traverse the stack and conceal the presence of a malicious call in the stack by replacing actual stack frames with fabricated ones.The ti module only uses call stack spoofing for the following native system APIs:ZwCreateSectionZwMapViewOfSectionZwUnmapViewOfSectionZwProtectVirtualMemoryZwReadVirtualMemoyZwWriteVirtualMemoryZwWriteFileZwResumeThreadZwGetContextThreadZwSetContextThreadZwRollbackTransaction ZwClose ZwTerminateProcess HijackLoader API callsHijackLoader collects the API hash, system call number, function name, and function address of all API names that start with Zw in ntdll.dll. This information is stored as an array of elements, with each element being a structure of size 16, which we will refer to as a DIRECTSYSCALL_STRUCT, as shown below.struct DIRECTSYSCALL_STRUCT {
uint32_t APIHash; // CRC32 hash of the API function name
uint32_t ssn; // System service number (SSN)
char *APIName; // API function name
void *APIFunctionAddress; // API function address
};When HijackLoader calls a Windows API function, the malware first locates the corresponding structure (DIRECTSYSCALL_STRUCT) for the specified API. HijackLoader then invokes the Windows API function either by directly calling its address (if not running under WOW64) or by utilizing a combination of call stack spoofing, Heaven's Gate, and direct syscalls (if running under WOW64).Call stack spoofingCall stack spoofing is used to mask the origin of function calls such as API and system calls. The figure below shows a high-level view of how HijackLoader leverages call stack spoofing:Figure 1: Diagram showing how HijackLoader uses call stack spoofing to mask the origin of function calls. HijackLoader uses the base pointer register (EBP) to navigate the stack by following the chain of EBP pointers. The malware retrieves the return address pointer (EBP+4) from the stack frames. If the return address is not located in the text section of NTDLL or kernelbase, HijackLoader collects both the return address pointer and the return address of the stack frame. The return address pointer is then patched with a random address from the text section of a legitimate system DLL. This activity is repeated until the stack limit is reached or when three adjacent stack frames have the return address in the text section of NTDLL or kernelbase. The process is illustrated in the diagram below:Figure 2: Diagram depicting how HijackLoader traverses the stack to retrieve and patch the return addresses to spoof stack frames.The name of this legitimate system DLL is specified in the HijackLoader SM module. After this, HijackLoader employs the Heaven’s Gate technique, which allows it to switch from executing 32-bit (x86) code to executing 64-bit (x64) code. Once in 64-bit mode, HijackLoader performs the direct syscall. HijackLoader uses the syscall number (ssn) and the necessary parameters for the native system service API to execute the direct syscall. Following the syscall, HijackLoader transitions back to x86 and patches the return address pointers with the actual return addresses.Previously, HijackLoader utilized direct syscalls for process injection and to remap the .text section of the x64 ntdll.dll in memory with the .text section of the x64 ntdll.dll from disk. In addition to remapping ntdll.dll, HijackLoader now also remaps the .text section of the x64 wow64cpu.dll from disk to memory to remove user-mode hooks.Other than the ti module, the modules modCreateProcess, modUAC, and modTask also use call stack spoofing. However, these modules do not use Heaven's Gate or make direct syscalls, but instead invoke Windows API functions directly.The figure below shows the call stack for a call to CreateProcessW after the return addresses have been patched by the modCreateProcess module. In the call stack, the return addresses outside of the text section of NTDLL and kernelbase are patched with addresses from the text section of a legitimate system DLL (shdocvw.dll) until three adjacent stack frames have the return address in the text section of NTDLL or kernelbase.Figure 3: Example of HijackLoader spoofing the call stack with the fake frames enclosed in a red square.Recent HijackLoader modulesThe table below lists information about the more recent HijackLoader modules.CRC32Module NameDescription0x4dad7707ANTIVMContains the configurations HijackLoader uses for anti-VM checks (explained in detail in the following section).0x1999709fMUTEXContains a mutex name. If a mutex with this name exists, HijackLoader will exit.0x6703f815CUSTOMINJECTContains a legitimate executable file which is used for injecting code into its process memory. The process is created in a custom path specified by the CUSTOMINJECTPATH module.0x192a4446CUSTOMINJECTPATHContains a file path used to create the legitimate file in the CUSTOMINJECT module. 0x3115355emodTaskCreates a scheduled task for persistence (explained in detail in the next section).0x9bfaf2d3modTask64A 64-bit version of the modTask module.0xa2e0ab5dPERSDATAContains the configuration used by the modTask module to create scheduled tasks.0xd8222145SMContains the name of the system DLL used in call stack spoofing to patch the return addresses. TinycallProxy module is also copied to this system DLL.0x455cbbc3TinycallProxyActs as a proxy to execute API calls. The call to the TinycallProxy module will have the address of the API function, number of parameters for the API call, and parameters for the API call as its arguments.0x5515dceaTinycallProxy64This module is a 64-bit version of the TinycallProxy module.Table 2: Description of more recent HijackLoader modules.Virtual machine detection moduleThe virtual machine detection module ANTIVM contains a configuration used by HijackLoader to identify virtual machines and analysis environments. This configuration is stored in a structure which we will refer to as the ANTIVM_STRUCT, as shown below.struct ANTIVM_STRUCT {
uint32_t antiVMType;
uint32_t timeThreshold;
uint32_t minPhysicalMemory;
uint32_t minProcessorCount;
uint32_t antiVMType2;
wchar_t username[20]; // Hardcoded to "george" (may change between samples)
byte PhysicalMemory;
byte ProcessorCount;
};The first member, antiVMType determines the type of anti-VM check to be performed. These checks employ common anti-VM techniques. The antiVMType can include multiple values combined using bitwise OR operations. The values supported are listed in the table below.ValueCheck Performed0x1Calculates the average time taken to execute the CPUID instruction using the RDTSC instruction and compares it against the timeThreshold member of the ANTIVM_STRUCT. If the measured time equals or exceeds the timeThreshold, HijackLoader exits.0x4Calls the CPUID instruction with EAX set to 1 and checks if the 31st bit of the ECX register (the hypervisor present bit) is set. If the bit is set, HijackLoader terminates.0x8Retrieves the maximum input value for hypervisor CPUID information by calling the CPUID instruction with EAX set to 0x40000000. If this value is greater than or equal to 0x40000000, HijackLoader exits. For instance, on Microsoft hypervisors, this value will be at least 0x40000005.0x10Retrieves the total physical memory of the system in gigabytes and compares it to the minPhysicalMemory member of the ANTIVM_STRUCT. If the total physical memory is less than or equal to minPhysicalMemory, HijackLoader exits.0x20Retrieves the number of processors on the system and compares it to the minProcessorCount member of the ANTIVM_STRUCT. If the processor count is less than or equal to minProcessorCount, HijackLoader exits.0x40Encompasses multiple checks, determined by the antiVMType2 member of the ANTIVM_STRUCT. The supported checks are:0x1 - Verifies if the computer name consists only of numbers. 0x2 - Verifies if the username matches the username member of the ANTIVM_STRUCT. 0x4 - Verifies if HijackLoader is executed from the Desktop folder or any of its subfolders. ANALYST NOTE: These three checks appear to be in development, as HijackLoader does not exit even if the conditions are met. Additionally, irrespective of the antiVMType2 value, HijackLoader compares the system's total physical memory in gigabytes with the PhysicalMemory member of the ANTIVM_STRUCT and the number of processors with the ProcessorCount member of the ANTIVM_STRUCT. If both of these checks are equal (which may be a specific configuration for a malware sandbox), HijackLoader exits.Table 3: Description of values supported by the HijackLoader virtual machine detection module.Persistence moduleBefore transferring control to the modTask persistence module, the ti module copies itself to a new address and the ti module copy is XOR’ed with the performance counter value obtained by calling the QueryPerformanceCounter API. The new address of the XOR’ed ti module and the XOR key are stored for restoration purposes.When control is transferred to the modTask module, HijackLoader begins by overwriting the entire plaintext ti module with zeros. HijackLoader then performs call stack spoofing as previously described. Next, the modTask module copies the TinycallProxy module into the text section of the system DLL specified in the SM module and uses this copied TinycallProxy module to call APIs. Then, HijackLoader creates a scheduled task for persistence using the configuration in the PERSDATA configuration module. The configuration is stored in a structure which we will refer to as the PERSDATA_STRUCT, with the definition shown below.struct PERSDATA_STRUCT {
uint32_t triggerTaskOnLogon; // If set, the task will be triggered when the
// user logs in, otherwise the task will execute
// at regular intervals.
uint32_t TaskFlag; // Flag used in ITask::SetFlags method
uin32_t MinutesInterval; // Task execution interval in minutes
uin32_t wRandMinutesInterval;// Unused by the TASK_TRIGGER structure
wchar_t taskName[50]; // Name of the task
};More information about HijackLoader’s modules are available in our previous blog.ConclusionHijackLoader is a highly modular malware loader that shows no signs of slowing down. HijackLoader's new modules demonstrate the malware’s evolving evasion tactics that increasingly focus on enhancing its anti-detection capabilities. Thus, we anticipate that HijackLoader will continue to introduce new modules that are further designed to complicate analysis and detection.Zscaler CoverageZscaler’s multilayered cloud security platform detects indicators related to HijackLoader at various levels. The figure below depicts the Zscaler Cloud Sandbox, showing detection details for HijackLoader.Figure 4: Zscaler Cloud Sandbox report for HijackLoader.In addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators related to HijackLoader at various levels with the following threat names:Win64.Downloader.HijackLoaderWin32.Downloader.HijackLoaderIndicators Of Compromise (IOCs) SHA256 HashDescription67173036149718a3a06847d20d0f30616e5b9d6796e050dc520259a15588ddc8HijackLoader sample7b399ccced1048d15198aeb67d6bcc49ebd88c7ac484811a7000b9e79a5aac90HijackLoader sample6cfbffa4e0327969aeb955921333f5a635a9b2103e05989b80bb690f376e4404HijackLoader sampleb2b5c6a6a3e050dfe2aa13db6f9b02ce578dd224926f270ea0a433195ac1ba26HijackLoader sampled75d545269b0393bed9fd28340ff42cc51d5a1bd7d5d43694dac28f6ca61df03HijackLoader sample9218c8607323d7667f69ef26faea57cb861f9b3888a457ed9093c1b65eefa42bHijackLoader sampleb8f1341ade1fe50c4936b8f7bec7a8e47ad753465f716a1ec2f8220a18bf34a5HijackLoader sample35dca05612aede9c1db55a868b1cd314b5d05bac00bed577fd0d437103c2a4a4HijackLoader sample08f1ca6071cb206f53c2e81568b73d4bee7ac6a019d93d3ceaac7637b6dc891aHijackLoader sampleb480fec95b84980e88e0e5958873b7194029ffbaa78369cfe5c0e4d64849fb32HijackLoader sample273bc7700e9153f7063b689f57ece3090c79e6b1038a9bc7865f61452c7377b0HijackLoader encrypted modules.28eb6ce005d34e22f6805a132e7080b96f236d627078bcc1bedee1a3a209bd1fHijackLoader encrypted modules.2be2c90c725c2a03d2bd68e39d52c0e16e7678d1d42fa7fdf75797806e0eb036HijackLoader encrypted modules.2e5cf739a84c726dfe3cfa3ddf47893357713240e77adf929ef30d87b1ccb52eHijackLoader encrypted modules.307c1756c21ee8f4f866ff8327823b55d597fecca379f98bcd45581e2e33adeeHijackLoader encrypted modules.3142e4b40d27f63bcf7c787e96811e9a801224ce368624d75e88fa6408af896eHijackLoader encrypted modules.3500426eb9bb67fa91d4848cabeab2fe8e8a614768ed1e389e1f42a2428f64a8HijackLoader encrypted modules.3aa32545a2f53138d5f816d002b00d45c581cd56b1cfa66a2f72a03d604f1346HijackLoader encrypted modules.3ca78fbfbb46722af5f8acac511e77ec0382439f84c78c5710496fe1c377893dHijackLoader encrypted modules.MITRE ATT&CK TechniquesIDTechnique NameDescriptionT1574.002Hijack Execution Flow: DLL Side-LoadingHijackLoader samples mostly use DLL sideloading for execution.T1027.007Dynamic API ResolutionHijackLoader uses the SDBM hashing algorithm and CRC32 hashing algorithm for API resolution.T1027.003SteganographyHijackLoader uses steganography to hide its modules in a PNG image.T1140Deobfuscate/Decode Files or InformationHijackLoader uses XOR to decode its modules and final payload.T1057Process DiscoveryHijackLoader checks for process names and compares them against antivirus security software.T1620Reflective Code LoadingThe ti module is reflectively loaded by stomping it to a legitimate DLL using LoadLibrary and VirtualProtect.T1547.001Registry Run Keys / Startup FolderHijackLoader creates a shortcut file (LNK) in the Windows Startup folder as one of its methods for persistence.T1197BITS JobsHijackLoader uses BITS Jobs to achieve persistence.T1053Scheduled Task/JobHijackLoader’s modTask module uses Windows Task Scheduler for persistence.T1548.001Abuse Elevation Control MechanismHijackLoader’s modUAC modules use CMSTPLUA COM interface for UAC bypass.T1055Process InjectionHijackLoader uses process injection techniques to inject its final payload.T1497Virtualization/Sandbox EvasionHijackLoader’s ANTIVM modules contain multiple virtualization evasion techniques.T1562.001Impair Defenses: Disable or Modify ToolsHijackLoader’s WDDATA module contains the PowerShell (PS) command for Windows Defender exclusion.

The post Analyzing New HijackLoader Evasion Tactics appeared first on Security Boulevard.

Secrets aren't just in code. GitGuardian’s 2025 report shows major leaks in collaboration tools like Slack, Jira, and Confluence. Here’s what security teams need to know.

The post The Hidden Breach: Secrets Leaked Outside the Codebase Pose a Serious Threat appeared first on Security Boulevard.

New research from F5 Labs examined over 200 billion web and API traffic requests from businesses with bot controls in place.

The post The Unseen Battle: How Bots and Automation Threaten the Web  appeared first on Security Boulevard.

Each Monday, the Tenable Exposure Management Academy provides the practical, real-world guidance you need to shift from vulnerability management to exposure management. In this blog, we share three challenges cybersecurity leaders say exposure management helps them solve. You can read the entire Exposure Management Academy series here.  

Traditional vulnerability management is undergoing a transformation. The core cybersecurity discipline is evolving into exposure management, which is built on a broader, more strategic approach to identifying, prioritizing and mitigating risk. 

Modern IT environments have long been evolving beyond the on-premises data center to include cloud infrastructure, mobile devices, internet-of-things (IoT) systems and operational technology (OT). 

To get a close look at this shift, the Tenable Exposure Management Academy regularly interviews cybersecurity leaders around the world. Our goal is to gain insights into their real-world experiences making the shift from traditional vulnerability management to exposure management. We conduct these discussions on the condition of anonymity. This blog reveals the three key challenges they're solving with cyber exposure management.

The three challenges exposure management addresses

The leaders we spoke with want to do more than just track vulnerabilities. They want to understand and reduce real-world cyber risk across their expanding attack surfaces. Exposure management empowers them to tackle these three challenges:

1. Lack of attack surface visibility

For effective risk management, the leaders we spoke with are seeking a complete, unified view of all assets and their associated threat exposures across diverse environments. Visibility is essential because security teams can’t protect what they can’t see. In our discussion, a security leader working at a distributor noted that many organizations struggle with asset ownership and accountability in expansive environments. 

"Sometimes, if you have a vulnerability happening, you just need to know who owns it,” the leader pointed out. “But no matter who owns it, we need to track it. We didn’t have a lot of visibility on that and we needed to know in order to effectively manage vulnerabilities.”

Security exposure management provides visibility beyond traditional siloed IT assets, including:

• Cloud environments (including public, private, multi-cloud and hybrid) 
• Mobile and remote endpoints 
• Containers and microservices 
• OT and industrial control systems 
• Third-party and supply-chain integrations

The key: With the right exposure management strategy, you can consolidate and standardize security data from multiple tools and environments, ensuring every detail is correct (including asset ownership), while reducing blind spots and improving response times.

2. Difficulty prioritizing remediation 

An important point to remember: Not all vulnerabilities pose the same level of risk. But determining how much risk any vulnerability presents requires context specific to your environment. You need to understand who or what has access to that asset, their privileges and how critical the asset is to business functions. Traditional vulnerability management can’t help you connect these dots for effective risk prioritization. 

When your security teams are overwhelmed by thousands of potential issues, they can’t effectively guide their IT counterparts tasked with remediation.

Exposure management in cybersecurity provides the additional context needed to practice risk-based vulnerability management, focusing remediation on the vulnerabilities with greatest potential impact in your unique environment.

Exposure management helps you understand whether bad actors are actively using a vulnerability in attacks (we call this “exploitability”), how important the affected system is to your organization (we call this “asset criticality rating”) and how an attacker could exploit a vulnerability in real-world scenarios (also known as “potential attack pathways”).

As a security leader for an industrial real estate firm explained, the challenge is not just fixing vulnerabilities but also measuring security progress in a meaningful way. 

"We're trying to move to a risk-type of reporting instead of ‘You fixed a thousand exposures,’” this security leader told us. “Say you have 10,000 exposures and the team knocks out 2,000 in a month. But Microsoft releases 3,000 more. Now you have 11,000. What did you actually accomplish? We have to shift to a risk approach."

The key: Risk-based exposure management ensures security teams focus on what matters most, rather than being buried under an ever-growing vulnerability backlog.

3. Staying stuck in reactive mode

Exposure management introduces a new way of thinking about cybersecurity. Instead of staying in reactive mode, responding to each new incident as it arises, continuous exposure management enables your teams to practice proactive security. You can anticipate potential attack scenarios and implement security controls to mitigate threats before attackers exploit them.

What does proactive cybersecurity look like? Here are three requirements:

• Attack path analysis to identify potential ways attackers could move laterally through your network
• Automated threat modeling to simulate potential breach scenarios
• Pre-emptive security controls such as segmentation, access restrictions and zero-trust architectures

One leader emphasized an important point: Cyber risk requires a shift in mindset and organizational culture.

"We’re quite reactive,” the security leader said. “And because we’ve been very manual, we needed a tool to help us get to the next stage. That means more automation to ease our workload so we can focus on more value-added work — like educating stakeholders to prevent repeat mistakes."

The key: By embedding best practices for cyber exposure management into daily operations, you can minimize risk before attackers can take advantage of vulnerabilities.

Takeaways

Making the shift and practicing exposure management vs vulnerability management reflects a broader evolution in cybersecurity that aims to move from reactive security posture management to proactive risk management. 

Leaders are tackling the three key challenges — lack of attack surface visibility, difficulty prioritizing remediation and staying stuck in reactive mode — by embracing exposure management to build a more resilient security posture that aligns with business priorities. 

The post Cybersecurity Leaders Share Three Challenges Exposure Management Helps Them Solve appeared first on Security Boulevard.

Despite advancements in API security, access control vulnerabilities, such as broken object-level authentication (BOLA) and broken function-level authentication (BFLA), remain almost impossible to detect.  This blog will explore why these vulnerabilities are so difficult to detect, the limitations of current security tools, and the implications for businesses relying on API-driven applications. It will also discuss [...]

The post Unsolved Challenge: Why API Access Control Vulnerabilities Remain a Major Security Risk appeared first on Wallarm.

The post Unsolved Challenge: Why API Access Control Vulnerabilities Remain a Major Security Risk appeared first on Security Boulevard.

People pick weak passwords or reuse them over devices, tokens are lost, compromised or bypassed, and biometrics can be forced or spoofed.

The post The PIN is Mightier Than the Face appeared first on Security Boulevard.

Articles related to cyber risk quantification, cyber risk management, and cyber resilience.

The post CRQ & CTEM: Prioritizing Cyber Threats Effectively | Kovrr appeared first on Security Boulevard.

Proper secrets management could have prevented or reduced the impact of the Oracle Cloud & Coinbase breaches-- learn what steps you can take.

The post Lessons from the Oracle and Coinbase Breaches appeared first on Akeyless.

The post Lessons from the Oracle and Coinbase Breaches appeared first on Security Boulevard.

Learn what CCPA penalties look like and how your business can avoid costly fines with the right compliance strategy.

The post What are CCPA Penalties for Violating Compliance Requirements? appeared first on Scytale.

The post What are CCPA Penalties for Violating Compliance Requirements? appeared first on Security Boulevard.

What is HECVAT 4.0? HECVAT 4.0 (Higher Education Community Vendor Assessment Toolkit) is a standardized framework designed to help higher education institutions evaluate the cybersecurity, privacy, and compliance practices of their third-party vendors. This toolkit is particularly relevant to colleges, universities, and other educational institutions that rely on external vendors for various services, especially those […]

The post HECVAT 4.0 appeared first on Centraleyes.

The post HECVAT 4.0 appeared first on Security Boulevard.

In this episode, host Tom Eston discusses recent privacy changes on eBay related to AI training and the implications for user data. He highlights the hidden opt-out feature for AI data usage and questions the transparency of such policies, especially in regions without strict privacy laws like the United States. The host also explores how […]

The post Understanding Privacy Changes: eBay’s AI Policy and The Future of Data Privacy appeared first on Shared Security Podcast.

The post Understanding Privacy Changes: eBay’s AI Policy and The Future of Data Privacy appeared first on Security Boulevard.

UK Cybersecurity Weekly News Roundup - 31 March 2025

Welcome to this week's edition of our cybersecurity news roundup, bringing you the latest developments and insights from the UK and beyond.

UK Warned of Inadequate Readiness Against State-Backed Cyberattacks

Cybersecurity experts have sounded the alarm over the UK's growing vulnerability to state-sponsored cyber threats. A recent report by the National Cyber Security Centre (NCSC) shows a 16% increase in severe cyber incidents affecting national infrastructure in 2024. A worrying 64% of public sector IT leaders said they are unsure about best practices, with legacy systems worsening the risk. As digital transformation accelerates, public infrastructure like energy and healthcare face increasing exposure to ransomware and espionage.
Read more

NCSC Publishes Roadmap for Post-Quantum Cryptography Migration

The NCSC has published official guidance on migrating to post-quantum cryptography (PQC) to protect against future quantum computing threats. The document urges critical infrastructure operators to begin preparations now, with system discovery and risk assessments expected by 2028. Full migration should be completed by 2035. The roadmap highlights the need for cryptographic agility and risk-based planning in anticipation of quantum threats.
Read more

UK Government to Update Software Vendor Security Code of Practice

Following a public consultation, the UK government will publish a revised voluntary code of practice for software vendors later this year. The updated framework will include clearer technical requirements and a new attestation mechanism for vendors to demonstrate compliance. The initiative aims to raise the standard of cybersecurity in commercial software used by UK businesses and public services.
Read more

Google Patches Actively Exploited Chrome Zero-Day (CVE-2025-2783)

Google has released an emergency update for Chrome to patch CVE-2025-2783, a high-severity zero-day vulnerability that was being actively exploited in the wild. The flaw allowed attackers to bypass sandbox protections. All users are urged to update their browsers immediately. This marks the second major Chrome zero-day reported in 2025.
Read more

UK Considers Ransomware Payment Ban for Public Sector

A proposal to ban ransomware payments by UK public sector and critical infrastructure organizations is under review. While the policy aims to discourage threat actors, experts warn that it may increase the pressure on under-prepared organizations and push attacks toward entities with no ability to recover quickly

The post UK Cybersecurity Weekly News Roundup – 31 March 2025 appeared first on Security Boulevard.

Authors/Presenters: David Batz, Josh Corman

Our sincere appreciation to BSidesLV, and the Presenters/Authors for publishing their erudite Security BSidesLV24 content. Originating from the conference’s events located at the Tuscany Suites & Casino; and via the organizations YouTube channel.

Permalink

The post BSidesLV24 – IATC – Introduction To I Am The Cavalry – Day Two – Preparing for 2027 appeared first on Security Boulevard.

Veriti research recently analyzed stolen data that was published in a telegram group named “Daisy Cloud” (potentially associated with the RedLine Stealer), exposing the inner workings of a cybercrime marketplace. This group offers thousands of stolen credentials in an ongoing basis across a wide range of services, from crypto exchanges to government portals, at disturbingly […]

The post Inside Daisy Cloud: 30K Stolen Credentials Exposed  appeared first on VERITI.

The post Inside Daisy Cloud: 30K Stolen Credentials Exposed  appeared first on Security Boulevard.

“We passed the audit. No idea how, but we passed.” If that sentence sounds familiar – or worse, relatable – it’s time for a serious look in the mirror. Every year, companies across industries breathe a collective sigh of relief when the auditors give the thumbs-up. The SOC 2, ISO 27001, PCI DSS – pick […]

The post From checkbox to confidence: Why passing the audit isn’t the endgame first appeared on TrustCloud.

The post From checkbox to confidence: Why passing the audit isn’t the endgame appeared first on Security Boulevard.

In 2023, a massive data breach at 23andMe shook the foundation of the consumer genomics industry. Fast forward to today, the company has filed for bankruptcy. From Veriti’s perspective, this incident highlights the devastating consequences of failing to secure deeply sensitive personal data, especially when that data reaches beyond individuals and into family legacies.  Veriti […]

The post Genetic Breach Fallout: 23andMe’s Collapse Raises Security Alarms  appeared first on VERITI.

The post Genetic Breach Fallout: 23andMe’s Collapse Raises Security Alarms  appeared first on Security Boulevard.

Does Non-Human Identities Compliance Come with a Hefty Price Tag? Foremost among these challenges is securing a cloud environment from potential threats. One of the most significant components of this effort is the effective management of Non-Human Identities (NHIs) and their associated secrets. With the financial sector already witnessing the impact of KYC-AML compliance, NHIs […]

The post What are the cost implications of maintaining NHI compliance? appeared first on Entro.

The post What are the cost implications of maintaining NHI compliance? appeared first on Security Boulevard.

What Are the Essential Considerations for Long-Term Compliance of Non-Human Identities? The importance of Non-Human Identities (NHIs) in cybersecurity cannot be overstated. But how do organizations ensure the long-term compliance of these NHIs? In a nutshell, it requires a conscientious approach that integrates both strategy and technology. The Strategic Importance of NHIs Non-Human Identities are […]

The post What best practices ensure long-term compliance for NHIs? appeared first on Entro.

The post What best practices ensure long-term compliance for NHIs? appeared first on Security Boulevard.

How is Technology Revolutionizing Non-Human Identities (NHI) Compliance? How can the integration of advanced technology streamline the process of NHI compliance? A robust cybersecurity strategy is indispensable, especially regarding the management of non-human identities (NHIs) and secrets for comprehensive cloud security. The critical importance of NHI and its intricacies lies in its ability to bridge […]

The post How can technology simplify the process of NHI compliance? appeared first on Entro.

The post How can technology simplify the process of NHI compliance? appeared first on Security Boulevard.