Aggregator
CVE-2025-21704 | Linux Kernel up to 6.1.128/6.6.78/6.12.15/6.13.3/6.14-rc2 USB /dev/ttyACM* acm_ctrl_irq memory corruption (Nessus ID 233595)
CVE-2025-21707 | Linux Kernel up to 6.1.128/6.6.75/6.12.12/6.13.1 __mptcp_expand_seq initialization (Nessus ID 233595)
CVE-2025-21684 | Linux Kernel up to 6.6.73/6.12.10 xilinx gpio_lock stack-based overflow (Nessus ID 233595)
CVE-2025-21701 | Linux Kernel up to 6.6.75/6.12.12/6.13.1 kernel/locking/mutex.c information disclosure (Nessus ID 233595)
CVE-2024-58016 | Linux Kernel up to 6.1.128/6.6.77/6.12.13/6.13.2 safesetid handle_policy_update buffer overflow (Nessus ID 233595)
CVE-2024-58020 | Linux Kernel up to 6.1.128/6.6.78/6.12.15/6.13.3/6.14-rc2 multitouch devm_kasprintf null pointer dereference (Nessus ID 233595)
CVE-2024-58034 | Linux Kernel up to 6.1.128/6.6.75/6.12.12/6.13.1 tegra20-emc tegra_emc_find_node_by_ram_code device use after free (Nessus ID 233595)
CVE-2024-58009 | Linux Kernel up to 6.1.128/6.6.77/6.12.13/6.13.2 l2cap_sock_alloc initialization (Nessus ID 233595)
CVE-2024-58010 | Linux Kernel up to 6.1.128/6.6.77/6.12.13/6.13.2 binfmt_flat full_data integer overflow (Nessus ID 233595)
Capture Point 5353 3.0
Date: March 30, 2025, 6 p.m. — 01 April 2025, 08:10 UTC
Format: Jeopardy
On-line
Official URL: https://iiitv.capturepoint5353.tech/
Rating weight: 22.20
Event organizers: HORIZON_03
DPRK IT Workers Expanding in Scope and Scale
Written by: Jamie Collier
Since our September 2024 report outlining the Democratic People's Republic of Korea (DPRK) IT worker threat, the scope and scale of their operations have continued to expand. These individuals pose as legitimate remote workers to infiltrate companies and generate revenue for the regime. This places organizations that hire DPRK IT workers at risk of espionage, data theft, and disruption.
In collaboration with partners, Google Threat Intelligence Group (GTIG) has identified an increase in active operations in Europe, confirming the threat's expansion beyond the United States. This growth is coupled with evolving tactics, such as intensified extortion campaigns and the move to conduct operations within corporate virtualized infrastructure.
On The March: IT Workers Expand Globally with a Focus on Europe
DPRK IT workers' activity across multiple countries now establishes them as a global threat. While the United States remains a key target, over the past months, DPRK IT workers have encountered challenges in seeking and maintaining employment in the country. This is likely due to increased awareness of the threat through public reporting, United States Department of Justice indictments, and right-to-work verification challenges. These factors have instigated a global expansion of IT worker operations, with a notable focus on Europe.
Figure 1: List of countries impacted by DPRK IT workers
IT Worker Activity in Europe
In late 2024, one DPRK IT worker operated at least 12 personas across Europe and the United States. The IT worker actively sought employment with multiple organizations within Europe, particularly those within the defense industrial base and government sectors. This individual demonstrated a pattern of providing fabricated references, building a rapport with job recruiters, and using additional personas they controlled to vouch for their credibility.
Separately, additional investigations uncovered other IT worker personas seeking employment in Germany and Portugal, alongside login credentials for user accounts of European job websites and human capital management platforms.
GTIG has also observed a diverse portfolio of projects in the United Kingdom undertaken by DPRK IT workers. These projects included web development, bot development, content management system (CMS) development, and blockchain technology, indicating a broad range of technical expertise, spanning traditional web development to advanced blockchain and AI applications.
Specific projects identified include:
- Development of a Nodexa token hosting plan platform using Next.js, React, CosmosSDK, and Golang, as well as the creation of a job marketplace using Next.js, Tailwind CSS, MongoDB, and Node.js.
- Further blockchain-related projects involved Solana and Anchor/Rust smart contract development, and a blockchain job marketplace built using the MERN stack and Solana.
- Contributions to existing websites by adding pages using Next.js and Tailwind CSS.
- Development of an artificial intelligence (AI) web application leveraging Electron, Next.js, AI, and blockchain technologies.
In their efforts to secure these positions, DPRK IT workers employed deceptive tactics, falsely claiming nationalities from a diverse set of countries, including Italy, Japan, Malaysia, Singapore, Ukraine, the United States, and Vietnam. The identities used were a combination of real and fabricated personas.
IT workers in Europe were recruited through various online platforms, including Upwork, Telegram, and Freelancer. Payment for their services was facilitated through cryptocurrency, the TransferWise service, and Payoneer, highlighting the use of methods that obfuscate the origin and destination of funds.
Facilitators Support European Operations
The facilitators used by IT workers to help them get jobs, defeat identity verification, and receive funds fraudulently have also been found in Europe. One incident involved a DPRK IT worker using facilitators located in both the United States and the United Kingdom. Notably, a corporate laptop, ostensibly intended for use in New York, was found to be operational in London, indicating a complex logistical chain.
An investigation into infrastructure used by a suspected facilitator also highlighted heightened interest in Europe. Resources discovered contained fabricated personas, including resumes listing degrees from Belgrade University in Serbia and residences in Slovakia, as well as instructions for navigating European job sites. Additionally, contact information for a broker specializing in false passports was discovered, indicating a coordinated effort to acquire fraudulent identification documents. One document provided specific guidance on seeking employment in Serbia, including the use of a Serbian time zone during communications.
Extortion Heating Up
Alongside global expansion, DPRK IT workers are also evolving their tactics. Based on data from multiple sources, GTIG assesses that since late October 2024, IT workers have increased the volume of extortion attempts and gone after larger organizations.
In these incidents, recently fired IT workers threatened to release their former employers’ sensitive data or to provide it to a competitor. This data included proprietary data and source code for internal projects.
The increase in extortion campaigns coincided with heightened United States law enforcement actions against DPRK IT workers, including disruptions and indictments. This suggests a potential link, where pressure on these workers may be driving them to adopt more aggressive measures to maintain their revenue stream.
Previously, workers terminated from their places of employment might attempt to provide references for their other personas so that they could be rehired by the company. It is possible that the workers suspected they were terminated due to discovery of their true identities, which would preclude attempts to be rehired.
The Virtual Workspace: BYOD Brings IT Worker Risks
To avoid distributing corporate laptops, some companies operate a bring your own device (BYOD) policy, allowing employees to access company systems through virtual machines. Unlike corporate laptops that can be monitored, personal devices operating under a BYOD policy may lack traditional security and logging tools, making it difficult to track activities and identify potential threats. This absence of conventional security measures means that typical evidence trails linked to IT workers, such as those derived from corporate laptop shipping addresses and endpoint software inventories, are unavailable. All of this increases the risk of undetected malicious activity.
GTIG believes that IT workers have identified BYOD environments as potentially ripe for their schemes, and as of January 2025, IT workers are conducting operations against their employers in these environments.
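When the endpoint itself is unmanaged, the remaining evidence trail is the VDI or VPN access log. The script below is an added example (not GTIG's tooling or code from the report) showing how to correlate those sign-ins against HR-declared residence to surface the patterns described above: source country that contradicts the claimed nationality, several "employees" signing in from one source address (one operator running multiple personas, as with the 12-persona case), and sign-ins at odd hours in the declared time zone. All records are constructed sample data; the HR field names and the GeoIP country column are assumptions for the example, and the time-zone check is deliberately scored as a weak signal because the facilitator guidance described above tells workers to mimic the target time zone.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed HR records: declared country of residence and UTC offset (hours).
# Field names are assumptions for this example, not any HR system's schema.
HR_RECORDS = {
    "a.rossi":  {"country": "IT", "utc_offset": 1},
    "j.tanaka": {"country": "JP", "utc_offset": 9},
    "m.lee":    {"country": "SG", "utc_offset": 8},
    "b.clark":  {"country": "GB", "utc_offset": 0},
}

# Constructed VDI/VPN sign-in events: (user, UTC timestamp, source IP,
# GeoIP country of that IP). GeoIP enrichment normally happens in the log
# pipeline; the countries here are hard-coded sample values.
SIGNIN_EVENTS = [
    ("a.rossi",  "2025-03-31T01:05:00Z", "203.0.113.10", "RS"),
    ("a.rossi",  "2025-03-31T02:40:00Z", "203.0.113.10", "RS"),
    ("j.tanaka", "2025-03-31T01:15:00Z", "203.0.113.10", "RS"),
    ("m.lee",    "2025-03-31T03:00:00Z", "203.0.113.10", "RS"),
    ("b.clark",  "2025-03-31T09:00:00Z", "198.51.100.7", "GB"),
]


def parse_ts(ts):
    """Parse an ISO-8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def geo_mismatches(events, hr):
    """Accounts whose sign-in source country differs from the declared residence.
    Returns a sorted, de-duplicated list of (user, ip, geo_country, declared)."""
    hits = set()
    for user, _ts, ip, geo in events:
        declared = hr.get(user, {}).get("country")
        if declared and geo != declared:
            hits.add((user, ip, geo, declared))
    return sorted(hits)


def shared_sources(events, min_accounts=2):
    """Source IPs used by several distinct accounts: the trace a single operator
    running multiple personas (or a laptop farm) leaves behind.
    Returns {ip: [users]} for IPs with at least min_accounts users."""
    users_by_ip = defaultdict(set)
    for user, _ts, ip, _geo in events:
        users_by_ip[ip].add(user)
    return {ip: sorted(users) for ip, users in users_by_ip.items()
            if len(users) >= min_accounts}


def off_hours(events, hr, start_hour=6, end_hour=22):
    """Sign-ins outside [start_hour, end_hour) in the account's *declared* local
    time. Weak on its own, since workers are coached to mimic the target time
    zone, so it only supports the other two signals."""
    hits = []
    for user, ts, _ip, _geo in events:
        offset = hr.get(user, {}).get("utc_offset")
        if offset is None:
            continue
        local_hour = (parse_ts(ts) + timedelta(hours=offset)).hour
        if not start_hour <= local_hour < end_hour:
            hits.append((user, local_hour))
    return hits


def triage(events, hr):
    """Score each account once per distinct signal it triggers (max 3).
    Returns {user: score} sorted by score descending, then name."""
    signals = {
        "geo_mismatch": {u for u, *_ in geo_mismatches(events, hr)},
        "shared_source": {u for users in shared_sources(events).values()
                          for u in users},
        "off_hours": {u for u, _hour in off_hours(events, hr)},
    }
    score = defaultdict(int)
    for users in signals.values():
        for user in users:
            score[user] += 1
    return dict(sorted(score.items(), key=lambda kv: (-kv[1], kv[0])))


if __name__ == "__main__":
    for user, points in triage(SIGNIN_EVENTS, HR_RECORDS).items():
        print(f"{user}: {points} signal(s)")
```

On the sample data the three accounts sharing 203.0.113.10 each trigger the shared-source and geo-mismatch signals, and a.rossi also signs in at 02:00 and 03:00 Italian time, so it scores highest. In a real pipeline the geo and shared-source checks should exclude known corporate egress and commercial VPN ranges before alerting, otherwise a shared office NAT will look like a persona cluster.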
Conclusion
Global expansion, extortion tactics, and the use of virtualized infrastructure all highlight the adaptable strategies employed by DPRK IT workers. In response to heightened awareness of the threat within the United States, they've established a global ecosystem of fraudulent personas to enhance operational agility. Coupled with the discovery of facilitators in the UK, this suggests the rapid formation of a global infrastructure and support network that empowers their continued operations.
For detailed mitigation and detection strategies, please read our previous report on DPRK IT workers. For even more details, read our IT worker Transform post.
CISA Adds One Known Exploited Vulnerability to Catalog
CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
- CVE-2025-24813 Apache Tomcat Path Equivalence Vulnerability
These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.
CISA Releases Two Industrial Control Systems Advisories
CISA released two Industrial Control Systems (ICS) advisories on April 1, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.
- ICSA-25-091-01 Rockwell Automation Lifecycle Services with Veeam Backup and Replication
- ICSA-24-331-04 Hitachi Energy MicroSCADA Pro/X SYS600 (Update A)
CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.
OpenSSF guidelines encourage OSS developers to build securely
Developers have always had a conflicted relationship with security. While they don't want to produce software with security flaws, they don't want to be security experts either. With that in mind, the Open Source Security Foundation (OpenSSF) has released the Open Source Project Security Baseline.
The post OpenSSF guidelines encourage OSS developers to build securely appeared first on Security Boulevard.
Check Point breached? CoreInjection asks $420,000 for confidential data
Anatomy of a SYN-ACK Attack
Kentico Xperience CMS XSS Vulnerability Allows Remote Code Execution
Kentico Xperience CMS, a widely used platform designed for enterprises and organizations, is under scrutiny after a vulnerability chain was discovered that exploits Cross-Site Scripting (XSS) to enable Remote Code Execution (RCE). This vulnerability was disclosed by researchers who demonstrated its potential harm through a detailed proof of concept. CVE-2025-2748: Cross-Site Scripting Vulnerability According to […]
The post Kentico Xperience CMS XSS Vulnerability Allows Remote Code Execution appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
Product Update: Automate alerts to your social media
Escape has created the first ever push-to-post automation to revolutionize vulnerability management by giving you the recognition you deserve.
The post Product Update: Automate alerts to your social media appeared first on Security Boulevard.