Aggregator
Ketch Data Sentry uncovers hidden privacy risks
Ketch launched Data Sentry, a frontend data map for detecting website privacy risks. Designed for privacy and security teams, Data Sentry provides real-time visibility into website data flows—pinpointing hidden vulnerabilities before they lead to lawsuits or regulatory action. Most businesses lack visibility into the total scope of data collection happening on their websites and digital properties. Hundreds of demand letters are sent each month by plaintiffs’ attorneys, alleging violations of laws such as the California … More →
The post Ketch Data Sentry uncovers hidden privacy risks appeared first on Help Net Security.
Hackers Attacking Network Edge Devices to Compromise SMB Organizations
Small and medium-sized businesses (SMBs) are increasingly falling victim to cyberattacks that specifically target network edge devices, according to recent findings. These critical devices—including firewalls, virtual private network appliances, and other remote access systems—have become the initial point of compromise in over a quarter of confirmed business breaches, with the actual number likely much higher. […]
The post Hackers Attacking Network Edge Devices to Compromise SMB Organizations appeared first on Cyber Security News.
Lumma Stealer Exploits Fake CAPTCHA Pages to Harvest Sensitive Data
A sophisticated malware campaign is utilizing fake CAPTCHA verification pages to distribute Lumma Stealer, an advanced information-stealing malware that has gained significant traction in underground markets since its 2022 debut. As of March 2025, this malware-as-a-service (MaaS) operation maintains over a thousand active subscribers, with subscription prices starting at $250. The Fake CAPTCHA Attack Kaspersky […]
The post Lumma Stealer Exploits Fake CAPTCHA Pages to Harvest Sensitive Data appeared first on Cyber Security News.
Augmented, Not Replaced – Humans Outpace AI in Simbian’s SOC Hackathon Championship – Results and Winners Announced!
Simbian's industry-first AI SOC Hackathon Championship has concluded, bringing with it an exciting glimpse into the future of cybersecurity operations.
The post Augmented, Not Replaced – Humans Outpace AI in Simbian’s SOC Hackathon Championship – Results and Winners Announced! appeared first on Security Boulevard.
TP-Link Router Vulnerabilities Allow Attackers to Execute Malicious SQL Commands
Cybersecurity researchers have uncovered critical SQL injection vulnerabilities in four TP-Link router models, enabling attackers to execute malicious commands, bypass authentication, and potentially hijack devices. The flaws, discovered by researcher The Veteran between February and March 2025, highlight ongoing security risks in widely used networking hardware. The vulnerabilities impact both enterprise and consumer routers, including mobile Wi-Fi […]
The post TP-Link Router Vulnerabilities Allow Attackers to Execute Malicious SQL Commands appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
Hacker Tricked SSL.com To Get Certificate Issued for Alibaba Cloud Domain
A prominent certificate authority (SSL.com) has disclosed a significant security vulnerability in its domain validation system that could allow attackers to obtain fraudulent SSL certificates for domains they don’t own. The flaw was reported by David Zhao, a senior researcher from the CitadelCore Cyber Security Team, who demonstrated how the system could be manipulated to […]
The post Hacker Tricked SSL.com To Get Certificate Issued for Alibaba Cloud Domain appeared first on Cyber Security News.
Information Security Vulnerability Weekly Report (2025, Issue 16)
Hackers Abuse Cloudflare Tunnel Infrastructure to Spread Multiple Remote Access Trojans
Faster Vulnerability Patching Reduces Risk and Lowers Cyber Risk Index
Trend Micro’s Cyber Risk Exposure Management (CREM) solution has highlighted the critical role that timely patching plays in reducing an organization’s cyber risk exposure. The report, which scrutinizes the Cyber Risk Index (CRI), a metric quantifying an organization’s security risk based on the aggregation of individual asset and risk factor scores, underscores a direct link […]
The post Faster Vulnerability Patching Reduces Risk and Lowers Cyber Risk Index appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
More From Our Main Blog: SentinelOne Sets a New Standard | Truly AI-Driven & Unified Cloud Security
SentinelOne introduces the next evolution of SentinelOne Singularity™ Cloud Security: a complete CNAPP powered by generative and agentic AI.
The post SentinelOne Sets a New Standard | Truly AI-Driven & Unified Cloud Security appeared first on SentinelOne.
New year, no shutdowns: the Q1 2025 Internet disruption summary
ConfusedComposer: A Privilege Escalation Vulnerability Impacting GCP Composer
Tenable Research discovered a privilege-escalation vulnerability in Google Cloud Platform (GCP) that is now fixed and which we dubbed ConfusedComposer. The vulnerability could have allowed an identity with permission (composer.environments.update) to edit a Cloud Composer environment to escalate privileges to the default Cloud Build service account. The default Cloud Build service account includes permissions to Cloud Build itself, as well as to Cloud Storage, Artifact Registry, and more.
What are Cloud Composer and Cloud Build?
Cloud Composer is a fully managed workflow-orchestration service in GCP based on Apache Airflow that is used for scheduling and automating data pipelines.
Cloud Build is a fully managed continuous integration and delivery (CI/CD) service in GCP that builds, tests and deploys applications and containers at scale.
Cloud Composer uses Cloud Build to build packages, and that is exactly where attackers could have abused the process to escalate privileges.
ConfusedComposer vulnerability details
Cloud Composer allows users to install custom PyPI packages in their environments. However, this functionality introduced a privilege escalation vulnerability due to how Composer interacts with Cloud Build. When a user specifies a custom PyPI package, Composer initiates a behind-the-scenes build process, and the Cloud Composer service account automatically provisions a Cloud Build instance in the user's project. This instance is attached to the default Cloud Build service account, a highly privileged identity with broad permissions to GCP services, including Cloud Build itself, Cloud Storage, Artifact Registry or Container Registry, and more.
An attacker with the composer.environments.update permission could have abused the Cloud Composer service orchestration process to escalate privileges. The attack would have been executed by injecting an attacker-controlled malicious PyPI package into the victim’s Composer custom-package configuration:
When Cloud Build installs this package in an attempt to build the environment, it uses Pip.
But how would one have executed remote code by adding a package to the Composer service? Turns out that Pip automatically runs pre- and post-package installation scripts. This would have allowed an attacker to execute arbitrary code within the correlated Cloud Build environment by using installation scripts inside their malicious package, despite lacking direct control over Composer’s underlying service account.
The privilege escalation would have occurred when an attacker injected code that accessed the Cloud Build’s metadata API. Because the build instance runs with the default Cloud Build service account, an attacker could have extracted and exfiltrated its token. With this token, the attacker would have gained control over a privileged service account, allowing further escalation across the victim’s GCP project. This attack was particularly dangerous because the attacker did not need direct access to the Composer’s service account or to Cloud Build’s service account—only the ability to update a Composer environment. By simply adding a PyPI package to Composer, they could have manipulated the trusted automation pipeline to escalate privileges beyond their original access level. To clarify the impact of the now-fixed vulnerability: gaining full ownership of the project from the default Cloud Build service account was well within reach.
The vulnerability fix and extra steps taken by GCP to enhance overall security
Previously, during update operations to perform PyPI module installations, Composer used the Cloud Build service account, which might have had broader permissions than the user performing the operation. After implementing the fix, Composer stopped using the Cloud Build service account and instead will use the Composer environment service account for performing PyPI module installations.
The fix has been rolled out to new Composer instances already (rel. notes), and existing instances should be updated to exhibit this behavior by April 2025 (rel. notes).
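Because the fix changes which identity Composer-triggered builds run under, a defender will want a way to confirm it on their own project. The following audit check is an added example, not Tenable's or Google's code: it takes build records in the JSON shape `gcloud builds list --format=json` emits (the `serviceAccount` field of the Cloud Build v1 Build resource) and flags every build that still ran as the default Cloud Build service account, the identity this escalation targeted. The three build records are constructed for illustration; the treatment of a missing `serviceAccount` as the legacy default is an assumption stated in the code.

```python
"""Audit: which Cloud Build runs executed under the default Cloud Build
service account? (Added example; not Tenable's or Google Cloud's own code.)

Input assumed: a JSON list of Build resources as printed by
`gcloud builds list --format=json`, each carrying `id`, `createTime` and
(optionally) `serviceAccount`. The sample below is constructed.
"""
import json
import re
from typing import List, Optional

# The default Cloud Build service account is named
# <PROJECT_NUMBER>@cloudbuild.gserviceaccount.com. A Build resource may carry
# it bare or as projects/<PROJECT_ID>/serviceAccounts/<EMAIL>; accept both.
_DEFAULT_CB_SA = re.compile(
    r"^(?:projects/[^/]+/serviceAccounts/)?\d+@cloudbuild\.gserviceaccount\.com$"
)


def classify_service_account(sa: Optional[str]) -> str:
    """'default' for the default Cloud Build SA, 'unset' when the record has
    none (assumption: the legacy default then applied), otherwise 'custom'."""
    if not sa:
        return "unset"
    if _DEFAULT_CB_SA.match(sa):
        return "default"
    return "custom"


def audit_builds(builds: List[dict]) -> List[dict]:
    """Return one finding per build that did not run under an explicitly
    chosen, non-default service account. After the Composer fix, builds
    started for PyPI installs should show the environment SA, i.e. 'custom'."""
    findings = []
    for b in builds:
        kind = classify_service_account(b.get("serviceAccount"))
        if kind == "custom":
            continue
        findings.append({
            "id": b.get("id"),
            "createTime": b.get("createTime"),
            "serviceAccount": b.get("serviceAccount"),
            "reason": ("runs as the default Cloud Build service account"
                       if kind == "default"
                       else "no serviceAccount set; legacy default assumed"),
        })
    return findings


def load_builds(text: str) -> List[dict]:
    """Parse the JSON document produced by `gcloud builds list --format=json`."""
    return json.loads(text)


# Constructed sample: a pre-fix style build (default SA), a build under a
# dedicated environment SA (what the fix should produce), and a legacy record.
SAMPLE_BUILDS_JSON = """[
  {"id": "b-001", "createTime": "2025-03-01T10:00:00Z",
   "serviceAccount": "projects/demo-project/serviceAccounts/123456789012@cloudbuild.gserviceaccount.com"},
  {"id": "b-002", "createTime": "2025-04-02T11:00:00Z",
   "serviceAccount": "projects/demo-project/serviceAccounts/composer-env@demo-project.iam.gserviceaccount.com"},
  {"id": "b-003", "createTime": "2024-12-15T09:30:00Z"}
]"""

if __name__ == "__main__":
    for f in audit_builds(load_builds(SAMPLE_BUILDS_JSON)):
        print(f"{f['id']} ({f['createTime']}): {f['reason']} [{f['serviceAccount']}]")
```

Run it against real output by replacing `SAMPLE_BUILDS_JSON` with the file `gcloud builds list --format=json > builds.json` produces; any finding dated after the fix was expected to reach your instances is worth a closer look at what started that build.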
In addition, our findings led GCP to update parts of Composer’s documentation, such as the sections on Access Control, Installing Python Dependencies and Accessing the Airflow CLI.
A new attack class: Following the ConfusedFunction vulnerability
The ConfusedComposer privilege-escalation vulnerability in GCP builds upon a broader attack class of vulnerabilities in cloud services that we call "Jenga®". This attack vector is a variant of ConfusedFunction, another GCP privilege-escalation vulnerability we discovered last year, and exploits the somewhat-hidden cloud provider misconfigurations related to cloud services permissions to escalate privileges beyond intended access levels. This variant highlights how attackers can abuse interconnected services the cloud provider automatically deploys behind the scenes, as part of a service-orchestration process.
(JENGA® is a registered trademark owned by Pokonobe Associates.)
Lynx
Hackers Leverage Windows MS Utility Tool to Inject Malicious DLL Payload
Threat actors are increasingly exploiting mavinject.exe, a legitimate Microsoft utility, to bypass security controls and compromise systems. This sophisticated attack technique allows hackers to hide malicious activity behind trusted Windows processes. Mavinject.exe is the Microsoft Application Virtualization Injector, designed to inject code into external processes as part of Microsoft’s App-V environment. Included by default since […]
The post Hackers Leverage Windows MS Utility Tool to Inject Malicious DLL Payload appeared first on Cyber Security News.
SVG Images Become a New Phishing Vector, with Hidden HTML/JS Stealing User Credentials
Researchers Uncovered Latest Version of Lumma InfoStealer with Code Flow Obfuscation
Cybersecurity researchers have recently uncovered a sophisticated new variant of the notorious Lumma InfoStealer malware, featuring advanced code flow obfuscation techniques designed to evade detection by security solutions. This latest iteration represents a significant evolution in the malware’s capabilities, with threat actors implementing multiple layers of obfuscation to conceal the malicious code’s true purpose and […]
The post Researchers Uncovered Latest Version of Lumma InfoStealer with Code Flow Obfuscation appeared first on Cyber Security News.