Karen Evans has been appointed as the new Executive Assistant Director (EAD) for Cybersecurity at the Cybersecurity and Infrastructure Security Agency (CISA). In this new role, Evans brings an extensive portfolio of experience spanning decades in federal cyber policy, critical infrastructure protection, and government IT modernization.

Before stepping into her current role at CISA, Evans had an illustrious career, holding several key leadership positions across both the public and private sectors. Most recently, she served as a senior advisor within CISA’s cybersecurity division, contributing to the agency’s mission of enhancing the cybersecurity posture of federal civilian networks and critical infrastructure. Her work in this capacity involved advising on cybersecurity strategies and providing insights into new threats and best practices for federal agencies.

Karen Evans as the New Executive Assistant Director (EAD)

Karen Evans’ experience also includes her tenure as the Managing Director at the Cyber Readiness Institute (CRI), a non-profit dedicated to improving the cybersecurity resilience of small and medium-sized businesses (SMBs). At CRI, she focused on empowering businesses with the tools and resources necessary to defend against cyber threats, demonstrating her deep understanding of the intersection between private sector cybersecurity and national security.

(Image source: Center for Cybersecurity Policy and Law)

Evans co-founded SafeGov, an advisory firm that helped U.S. government agencies navigate secure cloud computing strategies. This experience was instrumental in shaping her understanding of cybersecurity challenges and solutions in the cloud era, an area of growing importance as government agencies and businesses increasingly move to cloud environments.

Distinguished Federal Service

Throughout her distinguished federal career, Karen Evans has held multiple senior roles at the Department of Homeland Security (DHS) and the Department of Energy (DOE).
Between June 2020 and January 2021, she served as the Chief Information Officer (CIO) at DHS, where she played a critical role in overseeing IT modernization efforts, crafting cybersecurity strategies, and driving technology investments across the department’s various components. As the Assistant Secretary for Cybersecurity, Energy Security, and Emergency Response, Evans was at the forefront of securing the nation’s energy infrastructure and mitigating cyber threats to the nation’s power grid. In this capacity, she helped lead efforts to ensure the resilience and security of one of the most critical sectors in the country.

Evans’ early federal work dates to the George W. Bush administration, where she served as Administrator of the Office of Electronic Government and Information Technology at the Office of Management and Budget (OMB). In this role, she oversaw a staggering $71 billion in annual IT investments, highlighting her expertise in managing large-scale IT projects and understanding the intersection between technology, policy, and national security.

A Vision for CISA’s Future

Karen Evans’ appointment comes at a time of transition for CISA. The agency is undergoing a leadership shift, with key positions still awaiting confirmation, including the role of the CISA Director. Former DOE cybersecurity officials Sean Plankey and Nick Andersen have been identified as potential candidates for this role, according to sources familiar with the situation.

Evans’ appointment as Executive Assistant Director for Cybersecurity is a vital piece of this larger transformation. CISA’s mission, which originally extended to combatting misinformation and disinformation, is being redefined. In January, DHS Secretary Kristi Noem expressed the need for a “refocus” on CISA’s core mission, urging the agency to concentrate more on cybersecurity efforts rather than areas outside its primary remit, like disinformation campaigns.
“No one intended for CISA’s resources to be used in ways they were never meant to,” Noem said during her confirmation hearing. “CISA needs to be much more effective, smaller, and more nimble to fulfill its cybersecurity mission.”

Evans is expected to play a crucial role in this strategic shift, ensuring that CISA is better positioned to defend against cyber threats and provide enhanced cybersecurity support to federal agencies and critical infrastructure sectors.

Educational and Professional Credentials

Karen Evans holds a Ph.D. in Business Administration, a Master of Arts in Public History, and a Bachelor of Science in Chemistry from West Virginia University. She is also an elected fellow of the National Academy of Public Administration, further highlighting her leadership and contributions to the public sector. Her diverse background in both the public and private sectors, coupled with her deep understanding of cybersecurity and technology, positions her as an ideal candidate to lead CISA’s efforts to protect the nation from cyber actors.

As Karen Evans takes on her new role as Executive Assistant Director for Cybersecurity at CISA, the agency looks forward to leveraging her expertise to strengthen the nation’s cybersecurity posture and protect critical infrastructure from increasingly sophisticated cyber adversaries. With Evans at the helm, CISA is poised to play a central role in securing federal networks and supporting the broader mission of defending the nation’s cyber ecosystem. Karen Evans' leadership is widely recognized within the cybersecurity community.
Ari Schwartz, Coordinator of the Center for Cybersecurity Policy and Law, praised her appointment, stating, “Throughout her work at OMB, DOE, and CRI, Karen Evans has shown her knowledge and commitment to cybersecurity and is well-positioned to help guide CISA's core cybersecurity efforts, particularly in defending federal civilian networks and protecting critical infrastructure from attacks by adversaries.”
A new cybersecurity breach has put over 3.2 million Google Chrome users at risk after hackers hijacked popular browser extensions, injecting malicious scripts and redirecting web traffic for fraud. This Google Chrome extensions cyberattack, which researchers believe was executed through a supply chain compromise, allowed cybercriminals to exploit trusted extensions and distribute harmful updates without users realizing it.

The Google Chrome Extensions Cyberattack: What Happened?

A total of 16 widely used Google Chrome extensions, including ad blockers, emoji keyboards, and screen capture tools, were identified as compromised. These extensions, which initially appeared legitimate, were later updated with obfuscated scripts designed to steal data, modify HTTP requests, and inject unauthorized advertisements. This meant that millions of unsuspecting users had already granted permissions that enabled attackers to manipulate web activity in real time.

List of Affected Chrome Extensions:

Blipshot (One-Click Full Page Screenshots)
Emojis - Emoji Keyboard
WAToolkit
Color Changer for YouTube
Video Effects for YouTube and Audio Enhancer
Themes for Chrome and YouTube™ Picture in Picture
Mike Adblock für Chrome | Chrome-Werbeblocker
Page Refresh
Wistia Video Downloader
Super Dark Mode
Emoji Keyboard Emojis for Chrome
Adblocker for Chrome - NoAds
Adblock for You
Adblock for Chrome
Nimble Capture
KProxy

How Did This Happen?

Cybersecurity researchers traced the attack back to compromised developer accounts, where hackers either obtained access through phishing schemes or tricked developers into transferring control of their extensions. Once in control, the attackers pushed malicious updates through the Chrome Web Store, bypassing traditional security checks.

This cyberattack on Google Chrome extensions is reminiscent of past supply chain breaches, where cybercriminals exploit trusted software to distribute malware. Because browser extension updates happen automatically, users had no indication that their trusted tools had been weaponized against them.
How the Malicious Extensions Worked

Security experts found that these extensions contained hidden service worker functionality that performed the following actions:

Checked in with a remote server on installation, transmitting extension details and a unique identifier.
Stored configuration data in local storage, with updates periodically pushed by the attackers.
Injected malicious scripts into websites to steal data and manipulate browser activity.
Stripped security protections from visited websites by removing Content Security Policy headers, increasing the risk of further malware infections.
Monitored browser sessions to reload tabs and maintain persistence.

Risks to Users

The compromised extensions could:

Steal sensitive data such as login credentials, browsing history, and personal information.
Modify search engine results to redirect users to malicious or affiliate-linked pages for monetary gain.
Inject harmful advertisements into websites, further exposing users to scams and potential phishing attacks.
Bypass browser security settings, making it easier for attackers to install additional malware on a user’s device.

What Google Chrome Users Should Do

While Google has removed these extensions from the Chrome Web Store, they will not be automatically uninstalled from users' browsers. If you have installed any of the affected extensions, follow these steps immediately:

1. Remove Suspicious Extensions
Open Google Chrome and go to Settings > Extensions or type chrome://extensions/ in the address bar. Look for any of the affected extensions listed above. Click Remove and confirm the action.

2. Reset Browser Settings
To ensure no residual malware remains in your browser: open Chrome settings and go to Reset settings under Advanced. Click Restore settings to their original defaults and confirm.

3. Check for Unauthorized Activity
Review your saved passwords and accounts for any unauthorized access. Change passwords for critical accounts, especially if you used autofill while using the compromised extensions. Enable two-factor authentication (2FA) for additional security.

4. Install Trusted Security Software
Use a reliable antivirus or anti-malware solution to scan your system for any remaining threats. Consider using a password manager to avoid storing credentials in your browser.

Lessons Learned: How to Stay Safe from Malicious Extensions

Browser extensions can enhance your online experience, but they can also pose significant risks. Here are some best practices to stay safe:

Regularly Audit Installed Extensions – Periodically review which extensions you have installed and remove any that you no longer use.
Check Permissions Before Installing – Only install extensions that request minimal permissions. Be wary of those asking for extensive access to your browsing data.
Research Before Downloading – Don’t rely solely on high ratings. Read recent reviews and search for security reports on any extension before installation.
Enable Browser Security Features – Use Chrome’s built-in security tools to limit extension permissions and prevent unauthorized activity.
Keep Your Browser Updated – Ensure that Chrome is always up to date to benefit from the latest security patches.

This large-scale cyberattack highlights the growing risks associated with browser extensions and the ease with which attackers can exploit them. With cybercriminals targeting even well-known and trusted extensions, users must remain vigilant and proactive in protecting their online security. By following best practices and staying informed about cybersecurity threats, you can minimize risks and maintain a safer browsing experience.
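The manual audit in steps 1 and the "Regularly Audit Installed Extensions" advice can be scripted. The following is an added example, not code from the article or from Google: it reads the manifests Chrome keeps under a profile's Extensions directory, flags names from the list above, and flags the capabilities the malicious updates relied on (response-header rewriting, which is how CSP headers were stripped, and script injection into every site). The profile path is a common Linux default and is an assumption; the article gives names rather than extension IDs, so name matching is a heuristic.

```python
"""Audit installed Chrome extensions against the names reported in this
incident and flag traffic-rewriting permissions.

Added example, not code from the article or from Google. The profile path
is a common Linux default and is an assumption; Chrome stores each unpacked
extension under <profile>/Extensions/<id>/<version>/manifest.json.
"""
import json
import re
from pathlib import Path
from typing import Dict, List, Optional, Set

# The 16 extension names listed in the article, matched after normalization.
AFFECTED_NAMES = {
    "Blipshot (One-Click Full Page Screenshots)", "Emojis - Emoji Keyboard",
    "WAToolkit", "Color Changer for YouTube",
    "Video Effects for YouTube and Audio Enhancer",
    "Themes for Chrome and YouTube™ Picture in Picture",
    "Mike Adblock für Chrome | Chrome-Werbeblocker", "Page Refresh",
    "Wistia Video Downloader", "Super Dark Mode",
    "Emoji Keyboard Emojis for Chrome", "Adblocker for Chrome - NoAds",
    "Adblock for You", "Adblock for Chrome", "Nimble Capture", "KProxy",
}

# Capabilities that let an extension rewrite responses (e.g. strip CSP
# headers) or inject scripts into pages: normal for a real ad blocker, but
# exactly what the malicious updates needed.
TRAFFIC_PERMISSIONS = {
    "webRequest", "webRequestBlocking", "declarativeNetRequest",
    "declarativeNetRequestWithHostAccess", "scripting",
}
ALL_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
DEFAULT_PROFILE = Path.home() / ".config/google-chrome/Default"  # assumption


def normalize(name: str) -> str:
    """Case-fold and collapse whitespace so minor formatting differences still match."""
    return re.sub(r"\s+", " ", name).strip().casefold()


_NORMALIZED_AFFECTED = {normalize(n) for n in AFFECTED_NAMES}


def resolve_name(manifest: dict, ext_dir: Optional[Path]) -> str:
    """Resolve a localized "__MSG_key__" name via _locales/<default_locale>/messages.json."""
    name = manifest.get("name", "")
    m = re.fullmatch(r"__MSG_(\w+)__", name)
    if not m or ext_dir is None:
        return name
    messages_file = ext_dir / "_locales" / manifest.get("default_locale", "en") / "messages.json"
    try:
        return json.loads(messages_file.read_text(encoding="utf-8"))[m.group(1)]["message"]
    except (OSError, KeyError, ValueError):
        return name


def host_patterns(manifest: dict) -> Set[str]:
    """Collect host patterns from MV2 permissions, MV3 host_permissions and content scripts."""
    hosts: Set[str] = set()
    for p in manifest.get("permissions", []) + manifest.get("host_permissions", []):
        if "://" in p or p == "<all_urls>":
            hosts.add(p)
    for cs in manifest.get("content_scripts", []):
        hosts.update(cs.get("matches", []))
    return hosts


def audit_manifest(manifest: dict, ext_dir: Optional[Path] = None) -> Dict[str, object]:
    """Findings for one manifest: known-bad name, traffic permissions, all-host access."""
    name = resolve_name(manifest, ext_dir)
    perms = set(manifest.get("permissions", []))
    return {
        "name": name,
        "known_affected": normalize(name) in _NORMALIZED_AFFECTED,
        "traffic_permissions": sorted(perms & TRAFFIC_PERMISSIONS),
        "all_hosts": bool(host_patterns(manifest) & ALL_HOSTS),
    }


def audit_profile(profile_dir: Path = DEFAULT_PROFILE) -> List[Dict[str, object]]:
    """Audit every installed extension version under a Chrome profile (empty if none found)."""
    findings = []
    for manifest_path in sorted(profile_dir.glob("Extensions/*/*/manifest.json")):
        manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        result = audit_manifest(manifest, manifest_path.parent)
        result["extension_id"] = manifest_path.parent.parent.name
        findings.append(result)
    return findings


if __name__ == "__main__":
    # Constructed sample manifest standing in for an installed extension.
    sample = {
        "name": "Adblock for Chrome", "manifest_version": 3,
        "permissions": ["declarativeNetRequest", "scripting", "storage"],
        "host_permissions": ["<all_urls>"],
    }
    print(audit_manifest(sample))
    for f in audit_profile():
        if f["known_affected"] or (f["traffic_permissions"] and f["all_hosts"]):
            print("REVIEW:", f)
```

A match on `known_affected` is grounds for removal; a match on broad permissions alone is a prompt to check the extension's recent reviews and update history, as the article advises.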
The dawn of AI and advanced technological tools has rendered previous security measures vulnerable to high-level cyberattacks. However, cybersecurity specialists have successfully provided next-generation tools to prevent these breaches.

Understanding E-Wallets and Crypto Wallet Threats

Financial account owners are constantly at risk of exposure to online fraud, ranging from Wi-Fi snooping, where fraudsters hack users' internet connection to steal sensitive financial information, to phishing, which involves creating fake websites or links to trick unsuspecting individuals into a scam. For context, new reports show that scam victims lost over $1 trillion in 2024.

Due to cryptocurrencies' unique blockchain operational model, crypto users are exposed to different levels of threats. A crypto trading platform may offer a higher level of security than blockchain wallets due to the built-in security protocols on the platform. On the other hand, blockchain wallets allow users to control their assets completely but expose them to more cyber threats.

Tools To Safeguard Against Unauthorized Access to E-Wallets and Crypto Wallets

Most e-wallets and blockchain wallets are built with security protocols to prevent breaches, but some of these features must be activated manually to work. Here are the top security tools to safeguard your funds:

1. Passwords
Passwords for e-wallets should not be birth dates or phone numbers, which is common among the older and less-technology-inclined population. A good rule of thumb is to ensure the password is at least 12 characters long and contains letters, symbols, and numbers. Avoid using the same passwords for website signups for digital wallet protection. Most of the time, strong passwords may be hard to memorize, so storing them in a password manager can be handy. However, sharing passwords through email, instant messaging, social media, or any other platform can expose users to data breaches.

2. Alerts
Many e-wallet issuers and crypto exchanges allow users to turn on real-time alerts on their accounts. These instant notifications alert users to all transactions or login attempts on their accounts. Some work primarily using email, while others provide fraud alerts via text. Users can avoid such fraud attempts by subscribing to such alert services.
However, users must also ensure that they take extra measures to prevent their email addresses and phone numbers from being compromised. The risks that can compromise them include phishing attacks, weak passwords, and other forms of carelessness from the user, such as reusing passwords across multiple sites or failing to enable two-factor authentication.

3. Authentication Tools
Authentication security tools were previously limited to 2-factor authentication systems. However, next-generation tools feature multi-factor authentication protocols and dedicated authentication software like Google Authenticator. Users with multi-factor authentication must validate their sign-in with alternative methods like SMS, email, or passkey.

4. Biometrics
Most e-wallet and crypto wallet apps now support biometrics for both login and payment initiation, providing an additional layer of security to online transactions. While fingerprint ID is still the most used biometric, facial recognition is fast becoming popular. Fintechs that integrate facial recognition usually program it to be activated when large amounts of money are about to be transferred. Users may have to turn on biometrics manually to benefit from these services.

5. Anti-Malware Software
According to data from Statista, over 6 billion malware attacks were detected worldwide in 2023. Malware attacks expose individuals to data breaches, financial theft, and considerable financial loss in the event of ransomware. Modern anti-malware software prevents malware such as viruses, Trojan horses, worms, and ransomware from accessing users' sensitive information, corrupting systems, or encrypting files and locking the system. This ensures individuals can open their e-wallets and crypto wallets on their devices without falling victim to malware attacks.

6. Cryptojacking Blocker Browser Extension
Individuals active in the crypto space are exposed to cryptojacking, a new type of threat. In this attack, malicious actors use a victim's computing power to mine for cryptocurrency. Exposure to crypto hackers can indirectly place owners' crypto wallets at risk. Browser add-on marketplaces have cryptojacking blocker extensions that can help prevent such occurrences.

7. Cold Storage Solutions
The internet's threats to crypto holders are unlimited as cyber attackers continue to develop new strategies to hack crypto wallets. Cold storage wallets are one of the next-gen technologies used to ensure high-level asset security. Cold wallets allow crypto users to keep their cryptocurrencies offline. The only time the cold wallet is connected to the internet is when assets are transferred from an exchange or blockchain wallet to the offline wallet. This reduces the possibility of users encountering data breaches or other cyber frauds.

Improved Security Measures for Safer Transactions

With the advent of AI, we’ve also seen a new wave of more advanced cyber threats. However, e-wallet and crypto wallet users have more advanced tools to prevent data breaches and financial theft. AI-powered next-gen technologies like multi-factor authentication systems and biometrics, combined with old-school password protocols, make up a strong security setup that limits the possibility of falling victim to cyberattacks.
CVE-2025-27364, a critical Remote Code Execution (RCE) flaw, has been discovered in MITRE Caldera, an open-source adversary emulation platform used by security professionals. This flaw could allow attackers to execute arbitrary code on the server running Caldera, leading to the compromise of sensitive systems.

MITRE Caldera is a powerful open-source platform designed for simulating cyberattacks in a controlled environment. Its core functionality revolves around emulating advanced persistent threats (APTs) by deploying agents, or implants, to carry out operations such as reconnaissance, exploitation, and post-exploitation activities. These agents, including Sandcat and Manx, are used to simulate adversarial tactics by executing commands remotely. The Caldera platform provides a command-and-control (C2) server API that handles requests to compile and deploy these agents to target systems.

What is CVE-2025-27364?

CVE-2025-27364 is a vulnerability in MITRE Caldera's dynamic agent compilation functionality, present in versions 4.2.0 and earlier (up to commit 35bc06e) of the platform. This flaw specifically affects the process by which Caldera compiles and downloads its Sandcat or Manx agents. In the absence of proper input sanitization, attackers can manipulate this process to execute arbitrary code on the server via specially crafted web requests directed at the Caldera server API. This type of attack is classified as a Remote Code Execution (RCE) vulnerability.

The Technical Breakdown of CVE-2025-27364

The vulnerability stems from the Caldera server’s use of dynamic compilation for its Sandcat and Manx agents. These agents are small reverse shells designed to communicate with the Caldera server, carrying out tasks as assigned during a simulated cyberattack operation. The compilation endpoint, which is a critical part of the Caldera platform, is particularly susceptible because it lacks proper authentication mechanisms. This absence of authentication allows unauthorized actors to exploit the system without needing any valid credentials.

The core of the issue lies in the Caldera server’s handling of certain linker flags, specifically the -extldflags option, used when compiling agents. These linker flags are passed to the gcc (GNU Compiler Collection) tool, which processes them during the agent compilation process. By manipulating these flags, attackers can inject malicious commands into the compilation process, potentially leading to the execution of arbitrary code on the server.

How the Vulnerability Works

To better understand how this vulnerability works, it's essential to trace the execution flow within Caldera's codebase. According to a MITRE Caldera Medium post by Dawid Kulikowski, when an attacker submits a crafted request to the Caldera server API, the server processes this request to compile the desired agent. One of the steps in this process involves passing user-controlled data (the agent parameters) to a function responsible for compiling the agent on the fly.

In particular, the vulnerability is triggered by the interaction with the gcc tool during compilation. By using the -extldflags linker flag, an attacker can control certain execution aspects, such as specifying which external linker to use and the flags that are appended to the invocation. These actions can be exploited to execute arbitrary binaries, like Python or Bash scripts, under the control of the attacker. While a simple command injection might not be immediately possible due to the way subprocess calls are structured in Caldera, attackers can still exploit the vulnerability by controlling the parameters passed to the linker. This makes it possible for an attacker to execute arbitrary binaries with the permissions of the Caldera server process, which could be disastrous if the server is running with elevated privileges.

Severity and Risk Assessment

The vulnerability has been assigned a critical severity rating by the MITRE Caldera team, with a CVSS (Common Vulnerability Scoring System) score of 10.0, indicating a high level of risk. The severity of this vulnerability is exacerbated by its widespread availability; any default configuration of Caldera, with the required dependencies (Go, Python, and GCC), is vulnerable to exploitation. Since GCC is a common dependency on many systems, including those running Caldera, this makes the vulnerability highly likely to be exploitable.

The MITRE Caldera team has urged all users to patch their systems immediately by upgrading to version 5.1.0 or later, as these versions contain fixes for the vulnerability. As always, the MITRE Caldera team has emphasized the importance of securing such tools and recommends that users do not expose Caldera instances to the internet unless absolutely necessary.

Impact and Exploitation

If left unpatched, CVE-2025-27364 could have serious consequences. An attacker who successfully exploits this vulnerability could gain full control over the Caldera server, potentially compromising sensitive data or using the server as a launchpad for further attacks on the network. The attacker could execute arbitrary code, install backdoors, or deploy additional agents that could be used for more advanced exploitation.

The vulnerability’s remote nature also means that attackers do not need direct access to the internal network, making it easier for them to exploit vulnerable instances exposed to the internet. This increases the attack surface and makes timely patching even more crucial.

Conclusion

In response to CVE-2025-27364, the MITRE Caldera team acted quickly to patch the vulnerability, incorporating changes to sanitize user-controlled data and prevent malicious exploitation via linker flags. They also acknowledged the contribution of Dawid Kulikowski, who reported the issue and supported the patching process. Users are urged to upgrade to version 5.1.0 or later and to avoid exposing Caldera instances to the internet unless necessary.

This incident highlights the risks associated with open-source security tools like MITRE Caldera, underscoring the importance of input validation and security best practices to protect against cyber threats.
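The fix the article describes, sanitizing user-controlled data before it reaches the linker, is best done as an allowlist rather than by filtering out known-bad options. The following is an added example of that pattern; it is not MITRE Caldera's own code and does not mirror its internals. Only `-s`, `-w` and `-X importpath.name=value` (the flags a build service typically needs to strip symbols and bake in settings) are accepted, so anything else, `-extldflags` included, is refused before `go build` is ever invoked.

```python
"""Allowlist user-supplied Go linker flags before they reach `go build`.

Added example of the hardening pattern the article describes (sanitizing
user-controlled data before it reaches the linker); it is not MITRE Caldera's
own code. Only `-s`, `-w` and `-X importpath.name=value` are accepted, so
options such as -extldflags, which select the external linker and its
arguments, never reach the toolchain.
"""
import re
import shlex
from typing import List

ALLOWED_BARE_FLAGS = {"-s", "-w"}  # strip symbol table / DWARF only

# importpath.Name=value with a tight value charset: enough for hostnames,
# ports and URLs; no quotes, spaces, `$`, backticks or shell separators.
_X_ASSIGNMENT = re.compile(
    r"^[A-Za-z0-9_./-]+\.[A-Za-z_][A-Za-z0-9_]*=[A-Za-z0-9_.:/@-]*$"
)


class LinkerFlagError(ValueError):
    """Raised when a user-supplied ldflags string contains anything off the allowlist."""


def validate_ldflags(user_ldflags: str) -> List[str]:
    """Return the validated token list, or raise LinkerFlagError."""
    try:
        tokens = shlex.split(user_ldflags)  # tokenizing only, no expansion
    except ValueError as exc:  # unbalanced quotes
        raise LinkerFlagError(f"unparsable ldflags: {exc}") from exc
    accepted: List[str] = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ALLOWED_BARE_FLAGS:
            accepted.append(tok)
            i += 1
        elif tok == "-X" and i + 1 < len(tokens) and _X_ASSIGNMENT.match(tokens[i + 1]):
            accepted.extend(tokens[i:i + 2])
            i += 2
        elif tok.startswith("-X=") and _X_ASSIGNMENT.match(tok[3:]):
            accepted.append(tok)
            i += 1
        else:
            # Anything not explicitly allowed is rejected, including -extldflags.
            raise LinkerFlagError(f"linker option not allowed: {tok!r}")
    return accepted


def build_command(source_dir: str, output: str, user_ldflags: str) -> List[str]:
    """Assemble argv for `go build`; hand it to subprocess.run as a list, never via a shell."""
    ldflags = " ".join(validate_ldflags(user_ldflags))
    return ["go", "build", "-o", output, "-ldflags", ldflags, source_dir]


if __name__ == "__main__":
    # Constructed agent parameters: one benign request, one carrying -extldflags.
    print(build_command("./agent", "/tmp/agent.bin", "-s -w -X main.server=http://10.0.0.5:8888"))
    try:
        build_command("./agent", "/tmp/agent.bin", "-s -extldflags=-v")
    except LinkerFlagError as exc:
        print("rejected:", exc)
```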
Cleveland Municipal Court has been closed for three consecutive days following a cybersecurity incident that has disrupted its internal systems. The court announced the closure on Monday and has since issued identical statements daily, emphasizing that the nature and scope of the incident remain unclear. Officials have taken precautionary measures by shutting down all affected systems to ensure the security and safe restoration of services.

“As a precautionary measure, the Court has shut down the affected systems while we focus on securing and restoring services safely,” the statement read. “These systems will remain offline until we have a better understanding of the situation.”

The municipal court has not provided further details on whether the disruption was caused by ransomware, data breaches, or another type of cyberattack. The Cyber Express Team reached out to the Court's spokesperson; however, no one responded to requests for comment.

(Image source: Facebook)

Growing Trend of Cyberattacks on Municipal Governments

This incident is part of a broader trend of cyberattacks targeting municipal governments across the United States. Just this week, Anne Arundel County in Maryland was also affected by a cyberattack, leading to the closure of several municipal offices. While these offices reopened on Tuesday, officials continue to exercise caution to protect their systems.

Cybercriminals have increasingly targeted local governments, which often operate on limited cybersecurity budgets. Last month, the Qilin ransomware group claimed responsibility for an attack on West Haven, Connecticut, forcing the city to shut down its IT infrastructure. Similarly, Columbus, Ohio, suffered a ransomware attack in July 2024 that exposed personal information of more than 500,000 current and former residents.

Court Operations on Hold

As of Thursday, February 27, 2025, the Cleveland Municipal Court remains closed to the public, except for essential staff. Officials have not provided a timeline for when normal operations will resume, stating only that they are working “expeditiously” to resolve the issue. All internal systems and software platforms will remain offline until further notice.

Residents relying on court services have been advised to monitor official channels for updates. In similar past incidents, municipalities have taken days or even weeks to fully restore their systems, depending on the severity of the attack.

Potential Impact and Concerns

Cybersecurity experts warn that disruptions like this can have significant consequences, including delays in legal proceedings, potential exposure of sensitive data, and financial losses. While no ransomware group has yet claimed responsibility for the Cleveland Municipal Court incident, similar attacks in other cities have involved demands for ransom payments in exchange for restored access to systems.

Local governments are being urged to strengthen their cybersecurity defenses by implementing regular security audits, employee training programs, and incident response plans. Given the rise in attacks, experts stress the importance of proactive measures to protect critical public services.

Cleveland Municipal Court: Ongoing Investigation

County officials have assured the public that they are taking necessary precautions to safeguard their systems. Residents are encouraged to check with individual departments before visiting municipal offices, as some services may remain limited.

In the meantime, Cleveland officials have not provided details on whether law enforcement or federal cybersecurity agencies are involved in the investigation. However, similar incidents have often required the assistance of the FBI and the Cybersecurity and Infrastructure Security Agency (CISA).

As Cleveland Municipal Court continues to assess the impact of this cyber incident, local residents and legal professionals are left in limbo, awaiting further updates on when normal operations will resume.
Just over a year ago, in our post entitled Google OAuth and phantom accounts, we discussed how using the Sign in with Google option for corporate services allows employees to create phantom Google accounts that aren't controlled by the corporate Google Workspace admin, and continue to function after offboarding.

Recently, it was discovered that this isn't the only issue with OAuth. Due to weaknesses in this authentication mechanism, anyone can gain access to data of many defunct organizations by re-registering domains they abandoned. In this article, we explore this attack in more detail.

How authentication works with Sign in with Google

Some organizations may believe that Sign in with Google provides a reliable authentication mechanism backed by Google's advanced technology and vast user monitoring capabilities. However, in reality, the Google OAuth authentication check is quite basic. It generally comes down to verifying that a user has access to an email address linked to an organization's Google Workspace.

Moreover, as mentioned in our previous article on Google OAuth, this doesn't necessarily have to be a Gmail address — Google accounts can be linked to any email address. Therefore, the security of accessing a corporate service via Sign in with Google is only as strong as the security of the email linked to the Google account.

Now let's get into the details

When authenticating a user in a corporate service, Google OAuth sends the following information to that service:

In theory, the Google OAuth ID token includes a unique parameter called sub for each Google account. However, in practice, due to issues with its usage, services often only check the domain and email address.

Google recommends that services use the sub parameter, claiming that this identifier is unique and constant for the user account — unlike an email address. But in reality, the sub parameter isn't always constant; for a small number of users, it changes over time, which can cause authentication failures. As a result, services tend not to use it, and instead verify only the domain and email address — contrary to Google's recommendations.
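The difference between the two checks described above, as an added example that is not code from this post, from Google or from any of the services named: a service that locates the account by domain and email alone hands over an existing account to whoever can present that address, while a service that binds the account to `sub` on first login refuses a known email arriving with a different subject. Token verification (signature, issuer, audience, expiry) is assumed to have passed already; the domain, user store and claim values are constructed, and the refusal path also covers the rare `sub` change the post mentions by escalating rather than silently re-linking.

```python
"""Bind service accounts to the Google ID token's `sub` claim instead of the
e-mail address alone.

Added example, not code from the post, from Google or from any named
service. Signature, issuer, audience and expiry checks on the ID token are
assumed to have passed; `claims` is the decoded payload (hd, email,
email_verified, sub). Domain, store and all claim values are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

ALLOWED_WORKSPACE_DOMAIN = "example-startup.test"  # constructed


class LoginError(Exception):
    """Raised when a login must be refused or escalated to manual review."""


@dataclass
class User:
    email: str
    google_sub: Optional[str] = None  # stable Google account identifier


@dataclass
class AccountStore:
    by_email: Dict[str, User] = field(default_factory=dict)
    by_sub: Dict[str, User] = field(default_factory=dict)

    def add(self, user: User) -> User:
        self.by_email[user.email] = user
        if user.google_sub:
            self.by_sub[user.google_sub] = user
        return user


def check_domain(claims: dict) -> None:
    """Both variants verify the hosted-domain claim; on its own it proves only domain control."""
    if claims.get("hd") != ALLOWED_WORKSPACE_DOMAIN:
        raise LoginError("token is not from the expected Google Workspace domain")


def weak_login(claims: dict, store: AccountStore) -> User:
    """The pattern the post describes: the account is located by e-mail only.

    Whoever controls mail for the domain can mint a former employee's address
    and is handed that employee's account.
    """
    check_domain(claims)
    email = claims["email"].casefold()
    return store.by_email.get(email) or store.add(User(email=email))


def hardened_login(claims: dict, store: AccountStore) -> User:
    """Locate the account by `sub`; e-mail only seeds the first binding.

    A known e-mail that arrives with a different `sub` is never re-linked
    silently: it is either a re-registered domain (the attack) or one of the
    rare `sub` changes Google mentions, and both need an out-of-band check.
    """
    check_domain(claims)
    if not claims.get("email_verified"):
        raise LoginError("identity provider has not verified this e-mail")
    sub, email = claims["sub"], claims["email"].casefold()
    user = store.by_sub.get(sub)
    if user is not None:
        return user
    user = store.by_email.get(email)
    if user is None:
        return store.add(User(email=email, google_sub=sub))
    if user.google_sub is None:
        raise LoginError("account predates subject binding; link it through a verified recovery flow")
    raise LoginError("subject mismatch for a known e-mail; manual re-verification required")


def demo() -> Dict[str, object]:
    """Constructed scenario: Alice's original account, then a login from a
    re-registered domain presenting her address with a different `sub`."""
    store = AccountStore()
    alice = store.add(User(email="alice@example-startup.test", google_sub="sub-alice-original"))
    attacker_claims = {
        "hd": ALLOWED_WORKSPACE_DOMAIN, "email": "alice@example-startup.test",
        "email_verified": True, "sub": "sub-new-workspace-owner",
    }
    weak_grants_alice = weak_login(attacker_claims, store) is alice
    try:
        hardened_login(attacker_claims, store)
        hardened_result = "allowed"
    except LoginError as exc:
        hardened_result = str(exc)
    return {"weak_login_grants_alice": weak_grants_alice, "hardened_login": hardened_result}


if __name__ == "__main__":
    print(demo())
```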
Sign in with Google using an abandoned domain

Thus, an attacker can gain unauthorized access to a company's services by simply having access to an email within that company's domain. This is particularly easy to do if the company has ceased operations and abandoned its domain: anyone can register it for themselves.

The attacker can then create any email address under this domain, and use it to log into one of the services the company likely used. Some of these services may display a list of real users linked to the organization's workspace — even if the address entered by the attacker was never actually used. With this list — and complete control over all email addresses within the abandoned domain — the attacker can reconstruct the original Google Workspace of the defunct company. In this way, attackers can gain access to the profiles of former employees in services that used Google OAuth for authentication.

How serious a problem is this?

Dylan Ayrey, the researcher who discovered this Google OAuth vulnerability (and the previous issue with phantom accounts), aimed to demonstrate the severity of potential consequences. Using data from Crunchbase, Ayrey compiled a list of over 100,000 terminated startups whose domains are now up for sale.

Ayrey purchased one of these abandoned domains and tested the feasibility of the attack. Among the corporate services he managed to access using this vulnerability were Slack, Zoom, Notion, ChatGPT, and HR systems. Thus, with this relatively simple attack requiring minimal resources, an attacker can gain access to a wealth of confidential information, ranging from employee correspondence and notes to personal data from HR systems.

According to Ayrey's estimates, around 50% of startups use Google Workspace. If we suppose that the average defunct startup had about 10 employees, we could be talking about hundreds of thousands of people and millions of vulnerable accounts.

Who's responsible, and what can be done?
Ayrey dutifully notified Google of this vulnerability through its bug bounty program. He also suggested a long-term solution: creating truly permanent and unique identifiers for Google accounts and Google Workspace. However, his report was initially rejected, with the comment “no fix needed”, and labeled as “fraud or abuse”! However, a few months after Ayrey presented his findings at a hacker conference (!) the report was reopened, and he was awarded $1337. Notably, he received the same minimal reward for his previous discovery of the phantom Google accounts vulnerability.

According to Ayrey, Google promised to fix the vulnerability in Google OAuth, but didn't specify when or how exactly they plan to do this. Therefore, the problem with the Sign in with Google mechanism remains an unresolved issue, for which no one is willing to take responsibility.

Potential victims of this attack include former employees of defunct companies who no longer have control over their accounts. Worse still, there's no one to hold accountable for the security of these accounts anymore. The wise move here would be for companies to take preventive measures in advance. However, very few startups seriously plan for their own demise — let alone what will happen afterward.

Fortunately, defending against this Google OAuth vulnerability is relatively straightforward. There are two non-mutually exclusive options:

Use a traditional login-and-password combo instead of Sign in with Google, and always enable two-factor authentication.
If your company ceases operations, don't abandon workspaces in corporate services; delete them instead. This is quite easy to do; for example, here are the instructions for Slack and Notion.
One of the most notorious providers of abuse-friendly “bulletproof” web hosting for cybercriminals has started routing its operations through networks run by the Russian antivirus and security firm Kaspersky Lab, KrebsOnSecurity has learned. Security experts say the Russia-based service provider Prospero OOO (the triple O is the Russian version of “LLC”) has long been a persistent source of malicious software, botnet controllers, and a torrent of phishing websites. Last year, the French security firm Intrinsec detailed Prospero’s connections to bulletproof services advertised on Russian cybercrime forums under the names Securehost and BEARHOST.

Image: The bulletproof hosting provider BEARHOST. This screenshot has been machine-translated from Russian. Image: Ke-la.com.

Bulletproof hosts are so named when they earn or cultivate a reputation for ignoring legal demands and abuse complaints. And BEARHOST has been cultivating its reputation since at least 2019. “If you need a server for a botnet, for malware, brute, scan, phishing, fakes and any other tasks, please contact us,” BEARHOST’s ad on one forum advises. “We completely ignore all abuses without exception, including SPAMHAUS and other organizations.”

Intrinsec found Prospero has courted some of Russia’s nastiest cybercrime groups, hosting control servers for multiple ransomware gangs over the past two years. Intrinsec said its analysis showed Prospero frequently hosts malware operations such as SocGholish and GootLoader, which are spread primarily via fake browser updates on hacked websites and often lay the groundwork for more serious cyber intrusions — including ransomware.

Image: A fake browser update page pushing mobile malware. Image: Intrinsec.

BEARHOST prides itself on the ability to evade blocking by Spamhaus, an organization that many Internet service providers around the world rely on to help identify and block sources of malware and spam. Earlier this week, Spamhaus said it noticed that Prospero was suddenly connecting to the Internet by routing through networks operated by Kaspersky Lab in Moscow. Kaspersky did not respond to repeated requests for comment.
Kaspersky began selling antivirus and security software in the United States in 2005, and the company’s malware researchers have earned accolades from the security community for many important discoveries over the years. But in September 2017, the Department of Homeland Security (DHS) barred U.S. federal agencies from using Kaspersky software, mandating its removal within 90 days. Cybersecurity reporter Kim Zetter notes that DHS didn’t cite any specific justification for its ban in 2017, but media reports quoting anonymous government officials referenced two incidents. Zetter wrote:

“According to one story, an NSA contractor developing offensive hacking tools for the spy agency had Kaspersky software installed on his home computer where he was developing the tools, and the software detected the source code as malicious code and extracted it from his computer, as antivirus software is designed to do. A second story claimed that Israeli spies caught Russian government hackers using Kaspersky software to search customer systems for files containing U.S. secrets. Kaspersky denied that anyone used its software to search for secret information on customer machines and said that the tools on the NSA worker’s machine were detected in the same way that all antivirus software detects files it deems suspicious and then quarantines or extracts them for analysis. Once Kaspersky discovered that the code its antivirus software detected on the NSA worker’s machine was not malicious programs but source code in development by the U.S. government for its hacking operations, CEO Eugene Kaspersky says he ordered workers to delete the code.”

Last year, the U.S. Commerce Department banned the sale of Kaspersky software in the U.S. effective July 20, 2024. U.S. officials argued the ban was needed because Russian law requires domestic companies to cooperate in all official investigations, and thus the Russian government could force Kaspersky to secretly gather intelligence on its behalf.
Phishing data gathered last year by the Interisle Consulting Group ranked hosting networks by their size and concentration of spambot hosts, and found Prospero had a higher spam score than any other provider by far.

Image: AS209030, owned by Kaspersky Lab, is providing connectivity to the bulletproof host Prospero (AS200593). Image: cidr-report.org.

It remains unclear why Kaspersky is providing transit to Prospero. Doug Madory, director of Internet analysis at Kentik, said routing records show the relationship between Prospero and Kaspersky started at the beginning of December 2024. Madory said Kaspersky’s network appears to be hosting several financial institutions, including Russia’s largest — Alfa-Bank. Kaspersky sells services to help protect customers from distributed denial-of-service (DDoS) attacks, and Madory said it could be that Prospero is simply purchasing that protection from Kaspersky. But if that is the case, it doesn’t make the situation any better, said Zach Edwards, a senior threat researcher at the security firm Silent Push. “In some ways, providing DDoS protection to a well-known bulletproof hosting provider may be even worse than just allowing them to connect to the rest of the Internet over your infrastructure,” Edwards said.
The federal government views the defendant as a flight risk and danger to the community due to his ability to access sensitive and private information.
Data collected by cyber-insurers show that ransomware accounts for the majority of insurance claims, but that much of the losses stem from third-party breaches affecting policyholders.
LLMjacking operation leveraged illicit access GenAI services to produce explicit celebrity images and other harmful content, Microsoft's digital crimes unit says.
As the UAE financial sector finished up its annual cyberattack exercise, its worries about ransomware compromises and geopolitical attacks are on the rise.
The recent federal election in Germany “was not manipulated by foreign actors,” a government spokesperson said, following comments by a Bundestag member.
“Operation Cumberland,” led by Danish law enforcement, included the arrests of more than two dozen suspected members of a group distributing sexual images of minors generated by artificial intelligence.
The Click Here podcast caught up with Anne Neuberger, the former White House deputy national security advisor for cyber and emerging technologies on the sidelines of this year’s Munich Security Conference.
Britain's government risks its domestic and international standing as it refuses to either confirm or deny any details about a legal notice targeting Apple’s cryptographic protections for iCloud accounts, experts tell Recorded Future News.
The secretary of Defense has ordered U.S. Cyber Command to stand down from all planning against Russia, including offensive digital actions, sources tell Recorded Future News.
The California Privacy Protection Agency (CPPA) on Thursday announced that a data broker must shut down its business for three years for failing to comply with the state’s Delete Act, which requires certain brokers to register with the state.
A dataset used to train large language models (LLMs) has been found to contain nearly 12,000 live secrets, which allow for successful authentication. The findings once again highlight how hard-coded credentials pose a severe security risk to users and organizations alike, not to mention compounding the problem when LLMs end up suggesting insecure coding practices to their users. Truffle
The threat actor known as Sticky Werewolf has been linked to targeted attacks primarily in Russia and Belarus with the aim of delivering the Lumma Stealer malware by means of a previously undocumented implant. Cybersecurity company Kaspersky is tracking the activity under the name Angry Likho, which it said bears a "strong resemblance" to Awaken Likho (aka Core Werewolf, GamaCopy, and
Remote Desktop Protocol (RDP) is an amazing technology developed by Microsoft that lets you access and control another computer over a network. It’s like having your office computer with you wherever you go. For businesses, this means IT staff can manage systems remotely, and employees can work from home or anywhere, making RDP a true game-changer in today’s work environment. But here’s the
Cybersecurity researchers have uncovered a widespread phishing campaign that uses fake CAPTCHA images shared via PDF documents hosted on Webflow's content delivery network (CDN) to deliver the Lumma stealer malware. Netskope Threat Labs said it discovered 260 unique domains hosting 5,000 phishing PDF files that redirect victims to malicious websites. "The attacker uses SEO to trick victims into
Microsoft on Thursday unmasked four of the individuals that it said were behind an Azure Abuse Enterprise scheme that involves leveraging unauthorized access to generative artificial intelligence (GenAI) services in order to produce offensive and harmful content. The campaign, called LLMjacking, has targeted various AI offerings, including Microsoft's Azure OpenAI Service. The tech giant is
A 23-year-old Serbian youth activist had their Android phone targeted by a zero-day exploit developed by Cellebrite to unlock the device, according to a new report from Amnesty International. "The Android phone of one student protester was exploited and unlocked by a sophisticated zero-day exploit chain targeting Android USB drivers, developed by Cellebrite," the international non-governmental
Source: hackread.com – Author: Waqas. A coordinated effort between law enforcement in Thailand, Singapore, and cybersecurity firm Group-IB has led to the arrest of a prolific hacker tied to more than 90 data breaches worldwide. The individual, operating under multiple online identities such as GHOSTR, ALTDOS, DESORDEN, and 0mid16B, reportedly stole and sold over 13 […] The entry “GHOSTR Hacker Linked to 90+ Data Breaches Arrested – Source:hackread.com” was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: hackread.com – Author: Owais Sultan. Great online customer support starts with the fundamentals that make shoppers feel valued and understood when they can’t see your face or walk into your store. The basics include responding quickly across multiple channels, writing in a friendly human tone (not corporate-speak), and making it super easy for customers […] The entry “eCommerce Customer Service Tips For Online Support: The Basics – Source:hackread.com” was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: hackread.com – Author: Owais Sultan. Do you want to have the best communication system at your workplace? Learn how to maximize the benefits of Slack for business. This guide walks you through setting up your workspace and explores how its features can enhance team collaboration. Setting Up Your Slack Workspace: The initial task to solve […] The entry “How to Use Slack for Business: Workplace Communication – Source:hackread.com” was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: hackread.com – Author: Deeba Ahmed. Auto-color: New Linux backdoor malware targeting the US and Asia. Learn about its advanced evasion, persistence, and detection methods. A newly discovered Linux malware, dubbed Auto-color, is targeting educational institutions and government entities in North America and Asia, employing advanced stealth techniques to avoid detection and removal. Researchers at […] The entry “New Backdoor Auto-color Linux Targets Systems in US and Asia – Source:hackread.com” was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: hackread.com – Author: Deeba Ahmed. FortiGuard Labs discovers Winos 4.0 malware targeting Taiwan via phishing. Learn how this advanced threat steals data and how to protect your Windows system. Fortinet’s FortiGuard Labs has disclosed details of a new malware campaign targeting Taiwanese businesses. Reaching out to Hackread.com on this discovery, prior to its publishing […] The entry “Hackers Impersonate Taiwan’s Tax Authority to Deploy Winos 4.0 Malware – Source:hackread.com” was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: hackread.com – Author: Waqas. Cybersecurity researchers at Kaspersky’s Securelist have found that a cyber espionage group known as Angry Likho APT (also referred to as Sticky Werewolf by some security vendors) has reemerged with a new wave of cyberattacks, primarily targeting organizations in Russia and Belarus. This group, which has been active since 2023, shares similarities with the previously […] The entry “Angry Likho APT Resurfaces with Lumma Stealer Attacks Against Russia – Source:hackread.com” was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.darkreading.com – Author: Kristina Beek, Associate Editor, Dark Reading. The entry “Cleveland Municipal Court Remains Closed After Cyber Incident – Source: www.darkreading.com” was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.darkreading.com – Author: Jai Vijayan, Contributing Writer. The entry “Nakivo Fixes Critical Flaw in Backup & Replication Tool – Source: www.darkreading.com” was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.darkreading.com – Author: Kristina Beek, Associate Editor, Dark Reading. The entry “Microsoft Rolls Out Fresh Outlook Fix After Faulty Windows Update – Source: www.darkreading.com” was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.darkreading.com – Author: Arvind Nithrakashyap. The entry “3 Things to Know About AI Data Poisoning – Source: www.darkreading.com” was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
View some of our Women’s History Month resources from 2024, including some of our magazine features and blog posts, and tune in to a few episodes from our Diverse podcast as well. The entry “Celebrate Women’s History Month With SWE” was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Theresa Sigillito Hollema (she/her) shares a real-world case study of how an international team improved its psychological safety. Plus, join her upcoming free live event, “Managing Global Teams: Ideas to Improve Collaboration and Impact,” in SWE’s Advance Learning Center on April 17! The entry “5 Steps to Improve Psychological Safety in a Virtual Team” was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Hear the stories of Nora Stanton Blatch Barney and Elsie Eaves and learn how their experiences connect to today’s women engineers on this episode of Diverse: a SWE podcast! The entry “SWE Diverse Podcast Ep 253: How Two Trailblazers Cleared the Path for Today’s Women Engineers” was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Learn more about the session featuring Affinity Group leaders Ophelia Fernandes and Abosede Adewole. The entry “Global Women Engineers AG Leaders Mark International Day for Women and Girls in Science” was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Linda Thomas, F.SWE, reflects on her career journey in this interview with Hang Loi. The entry “Living Without Limits With Linda Thomas, F. SWE” was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Calling all high school seniors! Scholarship application season is here. The entry “SWENext Tips: How to Apply for SWE Scholarships” was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
This new exhibit, located in Alexandria, Va., highlights the achievements of six women leaders in STEM who are breaking boundaries in engineering and beyond. The entry “SWE and NIHF Museum Partner on Women’s History Month Exhibit” was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
SWE is bringing together a virtual panel of educators on April 10 to inspire the next generation of female scientists, engineers and astronauts! The entry “From the Classroom to the Cosmos: How Educators Can Help Girls Succeed in Space” was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.troyhunt.com – Author: Troy Hunt. Sponsored by: Processing data breaches (especially big ones) can be extremely laborious. And, of course, everyone commenting on them is an expert, so there’s a heap of opinions out there. And so it was with the latest stealer logs, a corpus of data that took the better part of […] The entry “Weekly Update 441 – Source: www.troyhunt.com” was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.tripwire.com – Author: Graham Cluley. Companies are being warned that malicious hackers are using a novel technique to break into businesses – by pretending to offer audits of the company’s cybersecurity. With ransomware and other cybersecurity threats high in the minds of many business owners, it is all too easy to imagine how many […] The entry “Warning issued as hackers offer firms fake cybersecurity audits to break into their systems – Source: www.tripwire.com” was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: go.theregister.com – Author: Jessica Lyons. Microsoft has named four of the ten people it is suing for allegedly snatching Azure cloud credentials and developing tools to bypass safety guardrails in its generative AI services – ultimately to generate deepfake smut videos of celebrities and others. Redmond filed a civil lawsuit in Virginia in December […] The entry “Microsoft names alleged credential-snatching ‘Azure Abuse Enterprise’ operators – Source: go.theregister.com” was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: go.theregister.com – Author: Jessica Lyons. The US Army soldier suspected of compromising AT&T and bragging about getting his hands on President Trump’s call logs allegedly tried to sell stolen information to a foreign intel agent. The military man even Google searched for “can hacking be treason,” and “US military personnel defecting to Russia,” according […] The entry “Feds: Army soldier suspected of AT&T heist Googled ‘can hacking be treason,’ ‘defecting to Russia’ – Source: go.theregister.com” was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: go.theregister.com – Author: Iain Thomson. The FBI has officially accused North Korea’s Lazarus Group of stealing $1.5 billion in Ethereum from crypto-exchange Bybit earlier this month, and asked for help tracking down the stolen funds. In an alert Wednesday, the bureau said Pyongyang’s cyber-crime gang, dubbed TraderTraitor by the Feds, was responsible for the […] The entry “FBI officially fingers North Korea for $1.5B Bybit crypto-burglary – Source: go.theregister.com” was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: heimdalsecurity.com – Author: Andrei Minca. Phishing scams are no longer just poorly written emails full of typos. The era of messages from long-lost, wealthy relatives leaving fortunes to unknown heirs has passed its peak. Today’s sophisticated back-end technologies take phishing and social engineering to the next level. Hackers are now able to create not […] The entry “Next-Gen Phishing Techniques – How Back-End Tech Made Scams More Effective – Source: heimdalsecurity.com” was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: heimdalsecurity.com – Author: Livia Gyongyoși. In January 2025, the European Union’s new Digital Operational Resilience Act (DORA) came into effect. If you’re an MSP and you have clients in the financial services sector, they will likely be turning to you for help with DORA compliance. So, where should you begin? In this article, we […] The entry “DORA Compliance for MSPs – How to Help Your Clients – Source: heimdalsecurity.com” was first published on CISO2CISO.COM & CYBER SECURITY GROUP.