Aggregator

You must login to view this content

Leveraging a native IIS module named BadIIS, attackers manipulated search engine crawler traffic to poison search results and redirect legitimate users to scam or adult-oriented websites. Infrastructure overlaps link this activity to ESET’s “Group 9” cluster and share functional similarities with Cisco Talos’s “DragonRank” campaign. In March 2025, Unit 42 researchers uncovered an advanced SEO […]

The post Hackers Hijacking IIS Servers Using Malicious BadIIS Module to Serve Malicious Content appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

Systems Engineer shares how Cloud Monitor streamlines investigations, secures PII, and provides peace of mind without increasing his budget Webb City School District in Missouri serves approximately 4,500 students and employs around 500 staff members. The district primarily uses Google Workspace for communication, collaboration, and data storage with students and staff.  “Before Cloud Monitor, we ...

The post How Webb City School District Improved Google Security and Safety Without Adding Costs appeared first on ManagedMethods Cybersecurity, Safety & Compliance for K-12.

The post How Webb City School District Improved Google Security and Safety Without Adding Costs appeared first on Security Boulevard.

SolarWinds has released an urgent security advisory for a critical vulnerability in its Web Help Desk software that could allow an unauthenticated attacker to achieve remote code execution (RCE). The flaw, tracked as CVE-2025-26399, carries a critical severity rating of 9.8 out of 10, highlighting the severe risk it poses to affected systems. The vulnerability […]

The post SolarWinds Web Help Desk Vulnerability Enables Unauthenticated RCE appeared first on Cyber Security News.

You must login to view this content

Microsoft has released comprehensive guidance for implementing certificate-based authentication in Windows Admin Center (WAC), providing administrators with enhanced security through smart card integration and Active Directory Certificate Services. This authentication method significantly strengthens access controls by requiring administrators to present valid certificates before accessing the management gateway, effectively adding a strong second authentication factor beyond […]

The post Microsoft Publishes Guide for Certificate-Based Authentication in Windows Admin Center appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

Dragos released Dragos Platform 3.0, providing capabilities that enable industrial defenders to act faster and more confidently against intensifying cyber threats. The Dragos Platform’s new Insights Hub consolidates risk-based vulnerability, asset, and threat alerts into a single prioritized view, while streamlined workflows, AI-enhanced vulnerability processes, and smaller footprint deployment options reduce time-to-value for industrial organizations. A number of additional capabilities are included in 3.0 to simplify management and lower cost of operation. According to the … More →

The post Dragos Platform 3.0 consolidates risk alerts and streamlines industrial cybersecurity appeared first on Help Net Security.

Austin, Texas, USA, 23rd September 2025, CyberNewsWire

The post SpyCloud Report: 2/3 Orgs Extremely Concerned About Identity Attacks Yet Major Blind Spots Persist appeared first on Security Boulevard.

CISA is releasing this Alert to provide guidance in response to a widespread software supply chain compromise involving the world’s largest JavaScript registry, npmjs.com. A self-replicating worm—publicly known as “Shai-Hulud”—has compromised over 500 packages.[i]

After gaining initial access, the malicious cyber actor deployed malware that scanned the environment for sensitive credentials. The cyber actor then targeted GitHub Personal Access Tokens (PATs) and application programming interface (API) keys for cloud services, including Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure.[ii]

The malware then:

• Exfiltrated the harvested credentials to an endpoint controlled by the actor.
• Uploaded the credentials to a public repository named Shai-Hulud via the GitHub/user/repos API.
• Leveraged an automated process to rapidly spread by authenticating to the npm registry as the compromised developer, injecting code into other packages, and publishing compromised versions to the registry.[iii]

CISA urges organizations to implement the following recommendations to detect and remediate this compromise:

• Conduct a dependency review of all software leveraging the npm package ecosystem.
  • Check for package-lock.json or yarn.lock files to identify affected packages, including those nested in dependency trees.
• Search for cached versions of affected dependencies in artifact repositories and dependency management tools.
• Pin npm package dependency versions to known safe releases produced prior to Sept. 16, 2025.
• Immediately rotate all developer credentials.
• Mandate phishing-resistant multifactor authentication (MFA) on all developer accounts, especially for critical platforms like GitHub and npm.
• Monitor for anomalous network behavior.
  • Block outbound connections to webhook.site domains.
  • Monitor firewall logs for connections to suspicious domains.
• Harden GitHub security by removing unnecessary GitHub Apps and OAuth applications, and auditing repository webhooks and secrets.
• Enable branch protection rules, GitHub Secret Scanning alerts, and Dependabot security updates.

See the following resources for additional guidance on this compromise:

• GitHub: Our plan for a more secure npm supply chain
• StepSecurity: Shai-Hulud: Self Replicating Work Compromises 500+ NPM Packages
• Palo Alto Networks Unit 42: "Shai-Hulud" Worm Compromises npm Ecosystem in Supply Chain Attack (Updated September 18)
• Socket: Updated and Ongoing Supply Chain Attack Targets CrowdStrike npm Packages
• ReversingLabs: Shai-hulud supply chain attack spreads token-stealing malware on npm

Disclaimer

The information in this report is being provided “as is” for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.

[i] Ashish Kurmi, “Shai-Hulud: Self Replicating Work Compromises 500+ NPM Packages,” StepSecurity, (September 15, 2025), https://www.stepsecurity.io/blog/ctrl-tinycolor-and-40-npm-packages-compromised; 
Kush Pandya, Peter van der Zee, and Olivia Brown, “Updated and Ongoing Supply Chain Attack Targets CrowdStrike npm Packages,” Socket, (September 16, 2025), https://socket.dev/blog/ongoing-supply-chain-attack-targets-crowdstrike-npm-packages.

[ii] Palo Alto Networks Unit 42, “‘Shai-Hulud’ Worm Compromises npm Ecosystem in Supply Chain Attack (Updated September 19),” Unit 42, Palo Alto Networks, (September 17, 2025), https://unit42.paloaltonetworks.com/npm-supply-chain-attack/.

[iii] Palo Alto Networks Unit 42, “Shai-Hulud" Worm Compromises npm Ecosystem in Supply Chain Attack (Updated September 19).”

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

• CVE-2025-10585 Google Chromium V8 Type Confusion Vulnerability

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise. 

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

Today, CISA released a cybersecurity advisory detailing lessons learned from an incident response engagement following the detection of potential malicious activity identified through security alerts generated by the agency’s endpoint detection and response tool. 

This advisory, CISA Shares Lessons Learned from an Incident Response Engagement, highlights takeaways that illuminate the urgent need for timely patching, comprehensive incident response planning, and proactive threat monitoring to mitigate risks from similar vulnerabilities.

The advisory also outlines the tactics, techniques, and procedures (TTPs) employed by cyber threat actors, including exploitation of GeoServer Vulnerability CVE-2024-36401 for initial access. By understanding these TTPs, organizations can enhance their defenses against similar threats.

CISA recommends organizations take the following actions:

• Prioritize Patch Management: Expedite patching of critical vulnerabilities, particularly those listed in CISA’s Known Exploited Vulnerabilities catalog, with a focus on public-facing systems.
• Strengthen Incident Response Plans: Regularly update, test, and maintain incident response plans, ensuring they include procedures for engaging third-party responders and deploying security tools without delay.
• Enhance Threat Monitoring: Implement centralized, out-of-band logging and ensure security operations centers continuously monitor and investigate abnormal network activity to detect and respond to malicious activity effectively.

CISA urges organizations to apply these lessons learned to bolster their security posture, improve preparedness, and reduce the risk of future compromises. For additional details, review the full cybersecurity advisory.

CISA released six Industrial Control Systems (ICS) advisories on September 23, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

• ICSA-25-266-01 AutomationDirect CLICK PLUS
• ICSA-25-266-02 Mitsubishi Electric MELSEC-Q Series CPU Module
• ICSA-25-266-03 Schneider Electric SESU
• ICSA-25-266-04 Viessmann Vitogate 300
• ICSA-25-023-02 Hitachi Energy RTU500 Series Product (Update A)
• ICSA-25-093-01 Hitachi Energy RTU500 Series (Update B)

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.