Splunk has disclosed six security vulnerabilities, rated medium to high, affecting multiple versions of both Splunk Enterprise and Splunk Cloud Platform. Together they point to weaknesses in Splunk's web components that could let attackers run unauthorized JavaScript in other users' browsers, access sensitive information, and perform server-side request forgery (SSRF).

Key Cross-Site Scripting (XSS) Splunk Vulnerabilities

Two of the flaws are cross-site scripting (XSS) bugs that allow malicious JavaScript to execute in users' browsers. CVE-2025-20367 is a reflected XSS in the /app/search/table endpoint, scored CVSS 5.7. A low-privileged user (one without the admin or power role) can exploit it by crafting a malicious payload in the dataset.command parameter; a victim who opens the crafted link runs the script inside their own session, so the attacker can act on their behalf and read data they can see. CVE-2025-20368 is a related stored XSS delivered through "missing field" warning messages in the Saved Search and Job Inspector features. It can likewise be planted by a low-privileged user and, being stored rather than reflected, fires for any user who later views the affected warning.

Server-Side Request Forgery and Other Flaws

The most severe issue is CVE-2025-20371, an unauthenticated blind SSRF affecting Splunk Enterprise versions below 10.0.1, 9.4.4, 9.3.6 and 9.2.8, as well as several Splunk Cloud Platform versions. Scored CVSS 7.5, it lets an attacker coerce Splunk into making REST API calls on behalf of an authenticated high-privilege user. Exploitation requires the enableSplunkWebClientNetloc setting to be true in web.conf (the shipped default is false) and typically requires phishing to get the victim to initiate the request.

A denial-of-service flaw, CVE-2025-20370 (CVSS 4.9), lets a user holding the change_authentication capability send repeated LDAP bind requests that saturate the server's CPU and force a restart of the instance.

Further vulnerabilities:
CVE-2025-20369: XML External Entity (XXE) injection through the dashboard label field, which can be used for denial of service.
CVE-2025-20366: Improper access control in background job submissions lets low-privileged users read sensitive search results by guessing search job IDs.

Third-Party Package Security Updates

Splunk also addressed vulnerabilities in third-party packages bundled with Splunk Enterprise. Released the same day, these updates apply to versions 10.0.1, 9.4.4, 9.3.6, 9.2.8 and above. Key changes: removal of the vulnerable protobuf-java and webpack packages; upgrades of mongod to 7.0.14 and curl to 8.14.1 to address multiple high-severity CVEs; patching of libxml2 against CVE-2025-32415; and upgrades of jackson-core to 2.15.0 and mongotools to 100.12.1. Several of the replaced packages carried issues that could be exploited for remote code execution or other attacks.

Mitigation and Patch Recommendations

Splunk recommends upgrading affected instances to a fixed version: Splunk Enterprise 10.0.1, 9.4.4, 9.3.6, 9.2.8 or later. Splunk Cloud Platform patching is managed by Splunk. Where an immediate upgrade is not feasible:
Disable Splunk Web on instances that do not need it (indexers and forwarders typically do not), which removes the attack surface for the flaws that depend on web components.
Keep enableSplunkWebClientNetloc set to false in web.conf to close the SSRF precondition.
Remove the change_authentication capability from roles that do not need it to limit the DoS.

No specific detection signatures currently exist for these vulnerabilities.
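A quick way to check an instance against this advisory, as an added example and not Splunk's own tooling: the version logic reproduces the fixed-version table above branch by branch (an upgrade from 9.4.3 to 9.4.4 is fixed, while 9.4.3 compared against 10.0.1 alone would be wrongly flagged or missed), and the web.conf check parses the [settings] stanza for the two settings named in the mitigations. The sample web.conf texts are constructed for the example; how branches not listed in the advisory are treated (older than 9.2 presumed affected, newer than 10.0 presumed fixed) is an assumption, not something the advisory states.

```python
import configparser

# Fixed versions per release branch, taken from the advisory text above.
FIXED_VERSIONS = {
    (10, 0): (10, 0, 1),
    (9, 4): (9, 4, 4),
    (9, 3): (9, 3, 6),
    (9, 2): (9, 2, 8),
}


def parse_version(text):
    """'9.4.3' -> (9, 4, 3); four-part builds such as '9.2.8.1' also work."""
    return tuple(int(part) for part in text.strip().split("."))


def is_affected(version):
    """True if this Splunk Enterprise version is below the fixed release of its own branch."""
    v = parse_version(version)
    branch = v[:2]
    if branch not in FIXED_VERSIONS:
        # Assumption (not from the advisory): branches older than 9.2 are presumed
        # unfixed, branches newer than 10.0 are presumed to already contain the fix.
        return branch < (9, 2)
    return v < FIXED_VERSIONS[branch]


def web_conf_findings(conf_text):
    """Report risky values in a web.conf [settings] stanza; Splunk defaults are assumed when a key is absent."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # Splunk setting names are case-sensitive; do not lowercase them
    cp.read_string(conf_text)
    settings = cp["settings"] if cp.has_section("settings") else {}
    findings = []
    # Precondition for the CVE-2025-20371 SSRF; the shipped default is false.
    if settings.get("enableSplunkWebClientNetloc", "false").strip().lower() in ("true", "1"):
        findings.append("enableSplunkWebClientNetloc=true: CVE-2025-20371 SSRF precondition is met")
    # Splunk Web enabled means the XSS/XXE web-component flaws are reachable on this host.
    if settings.get("startwebserver", "1").strip().lower() in ("1", "true"):
        findings.append("startwebserver=1: Splunk Web is exposed; XSS/XXE issues reachable")
    return findings


# Constructed sample configs for the example: an exposed instance and a hardened one.
EXPOSED_WEB_CONF = """\
[settings]
startwebserver = 1
enableSplunkWebClientNetloc = true
"""

HARDENED_WEB_CONF = """\
[settings]
startwebserver = 0
enableSplunkWebClientNetloc = false
"""

if __name__ == "__main__":
    for ver in ("9.2.7", "9.2.8", "9.4.3", "10.0.0", "10.0.1"):
        print(f"{ver:>8}: {'AFFECTED' if is_affected(ver) else 'fixed'}")
    for name, text in (("exposed", EXPOSED_WEB_CONF), ("hardened", HARDENED_WEB_CONF)):
        print(name, web_conf_findings(text) or ["no findings"])
```

On a real host the effective value should be read from the merged configuration (for example the output of the btool utility) rather than a single file, because a web.conf in an app directory can override the one under system/local.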
The Scattered LAPSUS$ Hunters threat collective has launched a new dark web data leak site in an attempt to extort victims of the group's breaches of Salesloft and Salesforce environments. Scattered LAPSUS$ Hunters, which includes members of the threat groups ShinyHunters, LAPSUS$ and Scattered Spider, published details and sample data on roughly 40 companies, many of them well known, and threatened to release the full data sets if a ransom isn't paid by October 10.

The data appears to stem from previously reported breaches of Salesloft and from social engineering attacks on Salesforce instances. Salesforce said as much in a statement on October 2, saying the company is "aware of recent extortion attempts by threat actors, which we have investigated in partnership with external experts and authorities. Our findings indicate these attempts relate to past or unsubstantiated incidents, and we remain engaged with affected customers to provide support.

"At this time, there is no indication that the Salesforce platform has been compromised, nor is this activity related to any known vulnerability in our technology. We understand how concerning these situations can be. Protecting customer environments and data remains our top priority, and our security teams are fully engaged to provide guidance and support."

Salesforce encouraged customers to "remain vigilant against phishing and social engineering attempts, which remain common tactics for threat actors."

Salesforce Targeted by Scattered LAPSUS$ Hunters Too

Scattered LAPSUS$ Hunters also targeted Salesforce itself in its postings, claiming that "Near 1 billion records containing sensitive Personally Identifiable Information (PII) has been exfiltrated from your systems." "Unless you comply with our demand, as of 10/10/25 (deadline), we will be openly complying with the many law firms that are pursuing civil and commercial litigation against you." The collective specifically mentioned the Berger Montague law firm, and also threatened to cooperate with regulators. "We will also be submitting a full document, with clear outlines of how your company as a data controller under European GDPR and many other similar laws such as CCPA, HIPAA, etc. could have, over our year long campaign, prevented such intrusions and data-thefts," the group wrote. "This document will contain technical details regarding how our attacks were conducted, the fingerprint of our requests and how this clear defined pattern of networking traffic could have easily been blocked." The group also threatened to work with legal authorities in any criminal proceedings, adding that "all of this can be avoided. Very easily and swiftly." It said Salesforce could settle the matter for all the affected companies at once: "Should you comply, we will withdraw from any active or pending negotiation individually from your customers."

Scattered LAPSUS$ Hunters Answers Questions from The Cyber Express

Asked by The Cyber Express what "clear defined pattern of networking traffic could have easily been blocked," a Scattered LAPSUS$ Hunters spokesperson replied that "Salesforce itself is not vulnerable but it certainly could've done a much better job in protecting its customers." The group told The Cyber Express that "our IoCs listed by Mandiant and the FBI clearly state we used multiple Mullvad VPN IP addresses and TOR IP addresses which could have easily been detected via YARA rules and immediately blocked. In fact, Salesforce could've applied this customer-wide as a whole so individual customers would not have to do this themselves, if they really cared about their customers and committed to stopping us." Salesforce places too much of the security burden on its customers, the group said, a not uncommon complaint about the "shared responsibility" model of cloud security in general. "Essentially, Salesforce is saying 'yeah you can use our services but when it comes to security you have to deal with most of it yourself,'" the group told The Cyber Express. "Throughout this entire time Salesforce has done nothing but say 'We are not in the wrong here, please follow our guide to protect yourself... etc.'"

Data Leak Site Shows Threat Group Tactics

The Scattered LAPSUS$ Hunters leak site illustrates the pressure tactics threat groups use to push victim organizations toward paying, and highlights how hard SaaS environments are to secure. While the group's claims remain unverified, the list of claimed victims on its leak site includes such well-known brands as Toyota, FedEx, Disney/Hulu, UPS, Home Depot, Marriott, Walgreens, Stellantis, McDonalds, KFC, ASICS, GAP Inc, Houghton Mifflin Harcourt (HMH), Fujifilm, Albertsons, HBO MAX, Instacart, Petco, Puma, Cartier, Adidas, Qantas Airways, CarMax, Saks Fifth Avenue, Air France & KLM, Google AdSense, Cisco, TransUnion, Chanel, IKEA, and Salesforce.
October is here, and with it Cybersecurity Awareness Month 2025. The Department of Homeland Security (DHS) and CISA have launched this year's campaign under the theme "Building our cyber safe culture". The goal is to make cybersecurity an everyday concern for governments, businesses and individuals alike. The call goes out not only to agencies and organizations but to each of us, because we all depend on the digital systems that underpin water, power, food, finance and communications.

One of the simplest, yet most often overlooked, elements of that mission is the password. With AI mimicking voices, writing convincing emails and automating attacks, some people ask whether passwords still matter. They do. The password remains the first barrier that keeps criminals out of your most sensitive information.

Why Passwords Still Matter

In 2025 we have fingerprint scans, face recognition and multi-factor apps, yet passwords remain the first line of defense for most accounts. Reports show they were still the most common authentication method in 2023, and the password management market is projected to exceed $7 billion by 2030. They are not disappearing any time soon. The problem is not that passwords don't work; it is how people use them. Many still rely on weak choices such as 12345 or personal details like birthdays and pet names. That is the digital equivalent of locking your door and leaving the key in the lock. For modern cracking tools, such shortcuts take no effort to break.

So why do we keep doing it? Because we are human. Between banking, email, social media, shopping and work apps, most of us manage dozens of accounts. Creating and remembering a unique 16-character password for each one feels impossible, so people recycle the same password across accounts. The risk is obvious: if one site is breached, the attackers suddenly hold the key to everything. It isn't laziness, it's psychology. Our brains are not built to memorize random strings of letters, digits and symbols, and without help, falling back on bad habits is almost guaranteed.

Password Managers Come to the Rescue

The good news is that technology already offers a way out of this memory trap. A password manager generates a long, complex, unique password for every account and stores them for you; all you need to remember is one master password. Think of it as a digital bodyguard that never forgets, never tires, and never writes your secrets on sticky notes. It is one of the simplest steps anyone can take to reduce the risk of being hacked.

As author Abhijit Naskar writes in Sonnets from The Mountaintop: "The purpose of a strong password is not to keep your accounts safe, but to keep your accounts moderately secure against common scammers, however, if you become a target of actual hackers, or a person of interest to the government, have no doubt, your internet activities are already monitored." The point stands: passwords are not a silver bullet. They are a first line of defense. They may not stop a determined, well-resourced attacker or state surveillance, but they do stop the everyday criminals trying to get into your bank, email or social media accounts.

What Makes a Strong Password

For Cybersecurity Awareness Month 2025, CISA reminds us of three golden rules for stronger passwords:
Make them long. At least 16 characters; longer is always better.
Make them random. Mix letters, numbers and symbols, or use a passphrase of several unrelated words. HorsePurpleHatRunBay is far better than Password123.
Make them unique. Never reuse a password across accounts.

Yes, those strings look messy, but that is exactly the point. Random gibberish is far harder to guess than your dog's name followed by the year you were born.

The Psychology Behind Bad Passwords

So why do we resist strong passwords even when we know better?
Convenience bias. People take the easy route, even when it is risky.
Optimism bias. We believe "it won't happen to me."
Memory limits. Our brains dislike random strings.

For example, someone might set Summer2024! as their go-to password. At first glance it looks decent: letters, digits and a symbol. But it follows a pattern (a common word, a year, a trailing symbol) that cracking tools try first, so it falls in seconds. People don't lack concern for security; they underestimate the risk while overestimating the strength of their "clever" password.

Why AI Makes Password Security More Urgent

Artificial intelligence adds a new twist. Attackers can use AI tools to automate cracking attempts, model human habits, and predict likely passwords from personal information found online. If your Instagram bio says "Dog mom to Bella" and your password is Bella2018, an attacker's tooling can guess it in moments. The smarter the attack tools get, the less forgiving they are of human shortcuts. That does not make passwords useless; it means they have to evolve. Strong, unique passwords combined with extra layers such as multi-factor authentication give us the defense we need in an AI-driven threat landscape.

Cybersecurity Awareness Month 2025: Building a Culture of Cyber Safety

This brings us to the theme for Cybersecurity Awareness Month 2025: Building our cyber safe culture. A culture is made of habits. Like washing your hands without thinking about it, good digital habits should come naturally. Using a password manager, enabling multi-factor authentication, and being careful about what we post online are not high-tech feats. They are everyday habits that compound over time. So, as we mark Cybersecurity Awareness Month 2025, let's commit to better digital hygiene: make passwords long, random and unique; use a password manager; and don't be seduced by convenience.

Because at the end of the day, passwords don't just protect accounts. They protect our identity, our money, and our trust in the online world. And even as AI transforms both innovation and crime, passwords, small as they are, remain one pillar of the fortress that each of us can control, and a powerful one.
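As an added example (not from CISA or this article), the Python below does what the three rules above describe: it generates passwords from a cryptographic random source, puts numbers on "longer is better" with an entropy calculation, and flags the predictable patterns behind Summer2024! and Bella2018. The sixteen-word list is constructed for the example and deliberately tiny; a real passphrase generator needs a published list of thousands of words, and the entropy function shows why (five words from 16 give 20 bits, five from a 7776-word diceware list give about 65).

```python
import math
import re
import secrets
import string

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 characters

# Constructed mini word list for the example only; far too small for real use.
WORDS = ("horse", "purple", "hat", "run", "bay", "lamp", "river", "quiet",
         "stone", "cloud", "maple", "ember", "glass", "wolf", "sugar", "ocean")


def entropy_bits(choices, length):
    """Bits of entropy when each of `length` symbols is drawn uniformly from `choices` options."""
    return length * math.log2(choices)


def generate_password(length=16, alphabet=PRINTABLE):
    """Uniformly random password from the OS CSPRNG (secrets), never from random.choice."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words=5, wordlist=WORDS):
    """Passphrase in the HorsePurpleHatRunBay style: unrelated words, capitalised and joined."""
    return "".join(secrets.choice(wordlist).capitalize() for _ in range(words))


# Shapes that guessing tools try first; these mirror the article's own examples.
_WORD_YEAR_SYMBOL = re.compile(r"^[A-Za-z]{2,16}(19|20)\d{2}[!@#$%^&*.?]*$")
_DIGITS_ONLY = re.compile(r"^\d+$")
_KEYBOARD_SEQUENCE = "1234567890"


def weaknesses(password):
    """Return the reasons a password is predictable; an empty list means none of these checks fired."""
    reasons = []
    if len(password) < 16:
        reasons.append("shorter than 16 characters")
    if _DIGITS_ONLY.match(password) or (password and password in _KEYBOARD_SEQUENCE):
        reasons.append("digits only or a keyboard sequence")
    if _WORD_YEAR_SYMBOL.match(password):
        reasons.append("word + year (+ symbol) pattern, e.g. Summer2024! or Bella2018")
    if password.lower().startswith("password"):
        reasons.append("based on the word 'password'")
    return reasons


if __name__ == "__main__":
    print("random 16 chars:", generate_password(), f"~{entropy_bits(94, 16):.0f} bits")
    print("5 words, 16-word list:", generate_passphrase(), f"~{entropy_bits(16, 5):.0f} bits")
    print("5 words, 7776-word list would give", f"~{entropy_bits(7776, 5):.0f} bits")
    for candidate in ("12345", "Summer2024!", "Bella2018", "Password123", "HorsePurpleHatRunBay"):
        print(f"{candidate:>22}: {weaknesses(candidate) or 'no obvious pattern'}")
```

The pattern check is a sanity filter, not a strength meter: a password that passes every check can still be weak, which is exactly why the rules say to generate, not invent.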
On Yom Kippur, one of the holiest days in the Jewish calendar, Shamir Medical Center (also known as Assaf Harofeh Medical Center) was hit by a cyberattack that exposed email communications containing sensitive patient information. While the hospital's core medical record system was not compromised, the attack has reignited concern over the growing number of cyberattacks on hospitals across Israel.

According to a joint statement from the Israeli Health Ministry and the National Cyber Directorate issued on Friday, the attack resulted in unauthorized access to, and the leak of, hospital emails dated September 25, some of which reportedly contained confidential patient data. The hospital's central medical data platform, Chameleon, which holds complete patient records, was not breached; authorities say the intrusion was stopped before it reached that core system. Hospital officials have assured the public that clinical operations were unaffected and patient care continued as usual.

Cyberattack on Shamir Medical Center and Ongoing Investigation

The attack began as an attempted infiltration of the hospital's servers on Yom Kippur, which was initially blocked. The Health Ministry and the National Cyber Directorate say the threat has been contained but are still investigating whether data was exfiltrated by hostile actors. Cybersecurity experts, law enforcement and government agencies are working with the hospital to establish the full scope of the breach. In the meantime the hospital has been directed to tighten its security controls, limit access to sensitive systems, and stay alert for further intrusion attempts.

Russian Cybercrime Group Claims Responsibility

The Ynet news outlet reported that Qilin, a Russian-speaking cybercrime group believed to operate out of Eastern Europe, is behind the attack. According to Ynet, Qilin briefly disrupted a medical records system shared among Israeli hospitals, although critical operations at Shamir remained intact and have since returned to normal. In a message reportedly posted by the group, Qilin claimed full access to the hospital's internal systems and the theft of roughly 8 terabytes of data, allegedly including patient records, internal communications and operational information. The attackers demanded a $700,000 ransom and warned that refusal would lead to publication of the stolen data. The ransom note stated: "We have successfully infiltrated and gained full access to your systems at Shamir Hospital, the largest medical facility in Israel... Failure to comply with our demands will result in the immediate publication of all stolen data, causing irreparable damage to your institution and compromising patient privacy." Ynet also said the note contained a direct message to Prime Minister Benjamin Netanyahu and his wife, although that portion was not visible in the screenshots released.

Pattern of Cyberattacks on Israeli Hospitals

The attack on Shamir Medical Center is not an isolated incident. In recent years Israel's healthcare system has been the target of multiple cyberattacks on hospitals. In one of the most disruptive cases, Hillel Yaffe Medical Center in Hadera suffered a severe ransomware attack that forced staff to revert to manual operations and divert patients to other facilities. These attacks underscore the vulnerability of critical infrastructure and the urgent need for stronger defenses. The Health Ministry, in cooperation with the National Cyber Directorate, has been working with hospitals and healthcare providers on stricter access controls, network segmentation, secure backups and real-time monitoring. Training medical staff in basic cybersecurity hygiene has also become a priority.
Japan's largest brewer, Asahi Group Holdings, is racing to recover from a cyberattack that has severely disrupted its operations. The attack, first reported last week, halted production at most of the company's 30 factories across the country. As a result, Japan is days away from running out of its most popular beer, Asahi Super Dry, unless the company can quickly restore its systems and resume production.

The attack has triggered a widespread crisis, with retailers, wholesalers and pubs bracing for empty shelves and a shortage of the mass-market lager. Asahi Super Dry, a cornerstone of Japan's drinking culture, sells over 73 million cases a year and is a fixture in bars, restaurants and supermarkets nationwide. The system outage has crippled its supply chain, and the company has warned that its remaining stock could run out in two or three days.

Decoding the Cyberattack on Asahi Group

The attack hit Asahi's ordering and delivery systems, rendering them inoperable and forcing the brewer to stop production and deliveries at its domestic plants. Asahi has not given a timeline for restarting the factories. Meanwhile the lack of fresh stock is squeezing retailers, especially those that rely heavily on the flagship brand. Supermarkets, izakayas (traditional Japanese pubs) and convenience stores are already feeling the impact, with some outlets suspending sales of Asahi products. The Financial Times reported that the company faced the imminent risk of running out of its best-selling beer, while other products such as soft drinks and protein bars have been delayed indefinitely. The company has not said whether planned product launches will go ahead, adding to the uncertainty.

Supply Chain and Retail Impact

The attack has disrupted not just beer production but the broader supply chain for the company's beverage and food products. Retailers such as Lawson Inc., FamilyMart Co. and 7-Eleven have warned customers that Asahi products, including beverages and private-label items such as Mitsuya Cider and Seven Premium Clear Cooler, may become scarce in the coming days. Some 7-Eleven stores have already posted notices that shipments of Asahi Super Dry are suspended. E-commerce has not been spared: Aeon supermarket's online store has temporarily halted sales of Asahi beer and soft drinks. The disruption is so widespread that restaurant chains such as Monogatari Corp., which operates the Marugen Ramen chain, are considering switching beer suppliers, and if the crisis persists Kisoji Co., a popular shabu-shabu chain, may also have to source beer from brands such as Suntory or Kirin.

No Customer Data Compromised

Asahi has said that no customer data was compromised and that its overseas operations are unaffected. Its internal communications and customer service have, however, been severely disrupted: with email systems offline, employees are taking orders by phone and processing them manually. The brewer has reported the incident to the Tokyo Metropolitan Police and is cooperating with the investigation into what is suspected to be a ransomware attack. Asahi has not identified the perpetrators, but the attack comes amid a rise in ransomware incidents in Japan. According to the National Police Agency, there were 116 reported ransomware cases in the first half of 2025, matching the highest number ever recorded in a six-month period.

Beer Shortage on the Horizon

In Japan, beer is a significant part of the cultural fabric, and Asahi Super Dry dominates the market. A shortage of the beloved beer will hit both consumers and businesses: pubs and restaurants may need to line up alternative suppliers, while wholesalers and retailers manage dwindling stock in the face of steady demand. The attack has cast a shadow over Japan's beer market, with the country on the brink of running out of its most popular beer. How quickly Asahi recovers will determine how long the shortage lasts and how far it reaches into the broader food and beverage industry.

The Cyber Express has reached out to Asahi Group to learn more about the incident. This is an ongoing story, and The Cyber Express will be closely monitoring the situation. We'll update this post once we have more information on the attack or any additional information from the organization.
In September 2025, researchers at ETH Zurich (the Swiss Federal Institute of Technology) published a paper introducing Phoenix, a variant of the Rowhammer attack that works on DDR5 memory modules. The authors not only demonstrated the new attack against 15 tested modules, but also showed three practical uses: arbitrary reading and writing of memory, stealing a private encryption key from memory, and bypassing the protections of Linux's sudo utility to escalate privileges.

The Rowhammer attack: a brief history

To understand this rather involved study, we first need to revisit the history of Rowhammer briefly. The attack was first described in a 2014 paper by researchers from Carnegie Mellon University and Intel, who showed that repeatedly accessing rows of memory cells could cause bits in adjacent rows to change value. Those neighbouring cells may hold critical data, and altering it can have serious consequences, such as privilege escalation.

The effect exists because each DRAM cell is essentially a tiny capacitor that holds a charge for only a short time. That is why such memory is volatile: cut the power and the data is gone. For the same reason the charge in every cell must be refreshed periodically, even when nothing is accessing that region of memory. Cells are not isolated either: they are organised in rows and columns close enough to interfere with one another electrically. Repeatedly activating (opening) one row disturbs the charge in the physically adjacent rows, and if that happens often enough between two refreshes, a bit in a neighbouring row flips.

For years this was known only to memory manufacturers, who worked to suppress it for reliability reasons. But as cells shrank and were packed more tightly, the "row hammering" effect became exploitable in real-world attacks. After Rowhammer was demonstrated, memory vendors introduced a hardware defence, Target Row Refresh (TRR). In theory TRR is simple: it watches for rows being hammered and, when it detects one, forcibly refreshes the adjacent rows. In practice it was not that effective. In 2021 researchers described the Blacksmith attack, which bypassed TRR with more sophisticated access patterns. Vendors adapted again, adding more advanced Rowhammer defences to DDR5 modules and raising the mandatory refresh rate. To make new attacks harder, manufacturers also stopped disclosing which countermeasures were in place. Many came to believe that DDR5 had effectively solved the Rowhammer problem. Yet just last year researchers from the same ETH Zurich group managed to flip bits in DDR5 as well, albeit under narrow conditions: only on an AMD Zen 4 platform, and even then only one of the tested modules was affected.

Features of the new attack

To develop Phoenix, the researchers reverse-engineered the TRR mechanism: they analysed its behaviour under various row access patterns and checked whether the protection triggered a refresh of the adjacent rows. TRR turned out to have become considerably more complex, and previously known access patterns no longer work; the protection now correctly flags them as dangerous and refreshes the neighbouring rows. However, the researchers found that within a tracking period of 128 refresh intervals there is a "window of opportunity" of 64 intervals during which the defence is weaker. It does not fail entirely, but its response is insufficient to prevent a bit flip in a targeted cell. A second window opens in a much longer pattern spanning 2608 refresh intervals. The researchers then studied these weak points in detail so as to time a precisely targeted hammering while the defence is blind. Put simply, the attack works like this: the malicious code first performs a series of dummy accesses that lull the TRR mechanism, then switches to the active phase that hammers the rows adjacent to the target until its value changes. Using this approach the team confirmed that the attack works reliably against all 15 DDR5 modules tested, all manufactured by SK Hynix, one of the market leaders.

Three real-world attack scenarios

A realistic attack must change a value in a precisely chosen memory location, which is hard. The attacker needs detailed knowledge of the target software, must get past several conventional security controls, and missing the target by a bit or two can crash the system instead of compromising it. The Swiss researchers set out to prove that Phoenix can cause real damage and evaluated three scenarios. The first (PTE) corrupts a page table entry to obtain arbitrary read/write access to physical memory. The second (RSA) steals an RSA-2048 private key from memory. The third (sudo) bypasses the protections of the standard Linux sudo utility to escalate privileges.

[Figure: Phoenix attack effectiveness per module, from the paper's results table.]

For some modules the first attack variant (the 128-refresh-interval pattern) worked, while for others only the second (2608 intervals) did. In some runs the RSA key theft and the sudo exploit did not succeed. But an arbitrary memory read/write primitive was obtained on every module, and in a short time for this class of attack: from about five seconds to seven minutes. That is enough to show that Rowhammer poses a real risk, even if only in a narrow set of scenarios.

Relevance and countermeasures

Phoenix shows that Rowhammer-style attacks can be carried out against DDR5 just as effectively as against DDR4 and DDR3. Although modules from a single vendor were tested, and the weakness found in that vendor's TRR algorithm is fairly simple and will most likely be easy to fix, this is a significant step forward in memory security research.

The authors proposed several countermeasures against Rowhammer-type attacks. First, shortening the mandatory refresh interval for all cells significantly impedes the attack; it costs power and raises chip temperature, but it is straightforward. Second, memory with an error correcting code (ECC) can be used. ECC complicates Rowhammer attacks, although, somewhat paradoxically, it does not make them impossible: the usual single-error-correcting code repairs one flip per word, but two flips are only detected, and three can be silently miscorrected into a wrong value.

Beyond these obvious measures the authors mention two more. One is Fine Granularity Refresh, which is already being deployed; built into the processor's memory controller, it changes how cells are refreshed so as to resist Rowhammer. The other is a plea: the researchers urge memory-module and chip makers to stop relying on proprietary, undisclosed defences ("security through obscurity") and adopt the approach standard in cryptography, where algorithms are public and open to independent testing.
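To make the ECC caveat concrete, here is an added example in Python that is not from the paper or the article: a toy extended Hamming (8,4) SECDED code, the same single-error-correct, double-error-detect scheme that server DIMMs implement at (72,64) width. Rowhammer flips are modelled as an XOR mask applied to the stored codeword, which is an abstraction for illustration. Running it shows the three outcomes the text describes: one flip is repaired, two flips are detected but not repaired (on real hardware a fatal machine check), and three flips come back labelled "corrected" with the wrong data.

```python
# Codeword bit positions: 1,2,4 hold Hamming parity, 3,5,6,7 hold data bits d0..d3,
# and position 0 holds the overall parity that turns Hamming(7,4) into SECDED.
DATA_POSITIONS = (3, 5, 6, 7)


def _parity(x):
    """1 if x has an odd number of set bits, else 0."""
    return bin(x).count("1") & 1


def _extract(cw):
    """Pull the 4 data bits back out of a codeword."""
    return sum(((cw >> pos) & 1) << i for i, pos in enumerate(DATA_POSITIONS))


def secded_encode(nibble):
    """Encode a 4-bit value into an 8-bit SECDED codeword."""
    cw = 0
    for i, pos in enumerate(DATA_POSITIONS):
        cw |= ((nibble >> i) & 1) << pos
    # Parity bit p covers every position whose index has bit p set (1: 1,3,5,7; 2: 2,3,6,7; 4: 4..7).
    for p in (1, 2, 4):
        covered = sum((cw >> pos) & 1 for pos in range(1, 8) if pos & p)
        cw |= (covered & 1) << p
    cw |= _parity(cw)  # bit 0: overall parity over positions 1..7
    return cw


def secded_decode(cw):
    """Return (status, data); status is 'ok', 'corrected' or 'uncorrectable'."""
    syndrome = 0
    for pos in range(1, 8):
        if (cw >> pos) & 1:
            syndrome ^= pos  # XOR of set positions points at a single flipped position
    overall = _parity(cw)    # parity of all 8 bits: 0 for an even number of flips
    if overall == 1:
        # Odd number of flips. The decoder assumes exactly one and "repairs" it,
        # which is right for one flip and silently wrong for three.
        cw ^= (1 << syndrome) if syndrome else 1
        return "corrected", _extract(cw)
    if syndrome:
        return "uncorrectable", _extract(cw)  # even flips with a nonzero syndrome: two errors
    return "ok", _extract(cw)


def rowhammer_outcome(nibble, flip_mask):
    """Encode, apply Rowhammer-style bit flips (modelled as XOR), and decode."""
    return secded_decode(secded_encode(nibble) ^ flip_mask)


if __name__ == "__main__":
    value = 0x9
    print(f"stored 0x{value:x} as codeword 0x{secded_encode(value):02x}")
    for flips, mask in (("1 flip", 0x20), ("2 flips", 0x60), ("3 flips", 0x68)):
        status, data = rowhammer_outcome(value, mask)
        print(f"{flips:>7}: {status:13s} data=0x{data:x}{'  <- silently wrong' if status == 'corrected' and data != value else ''}")
```

The third case is the paradox in the text: an attacker who can land three flips in one ECC word (harder than one flip, but the same kind of work) gets a changed value that the memory controller reports as successfully corrected.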
An attacker's dream: Windows Speak for Me could integrate into apps, creating perfect voice replicas for Teams calls and AI agent interactions across multiple SaaS platforms.
A Chinese-language threat actor uses every part of the kill: infecting Web servers with malware, poisoning sites with SEO spam, and stealing organizational data for follow-on attacks.
After claiming it would shut down, the cybercriminal collective reemerged and threatened to publish the stolen data of Salesforce customers by Oct. 10 if its demands are not met.
ProAPIs, a software company, and its CEO Rahmat Alam allegedly run an operation which LinkedIn says charges customers up to $15,000 per month for scraped user data taken from the social media platform.
The Scattered Spider cybercriminal group published a new leak site on Thursday evening with dozens of large companies listed, claiming to have stolen data from the organizations through Salesforce. The group attached a lengthy extortion note threatening Salesforce and offering to rescind the extortion demands if Salesforce itself paid a ransom.
Police in El Cajon, California, searched their Flock Safety database of license plate activity on behalf of multiple out-of-state entities — in violation of California law — according to Attorney General Rob Bonta.
Incident responders at Mandiant and Google Threat Intelligence Group (GTIG) released a warning about the incident on Wednesday evening, telling Recorded Future News in an email that they are tracking a campaign launched by a threat actor potentially linked to Clop.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a high-severity security flaw impacting Smartbedded Meteobridge to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerability, CVE-2025-4008 (CVSS score: 8.7), is a case of command injection in the Meteobridge web interface that could result in code execution. "
Brazilian users have emerged as the target of a new self-propagating malware that spreads via the popular messaging app WhatsApp. The campaign, codenamed SORVEPOTEL by Trend Micro, weaponizes trust in the platform to extend its reach across Windows systems; the attack is "engineered for speed and propagation" rather than data theft or ransomware. "SORVEPOTEL has been observed to
Passwork is positioned as an on-premises unified platform for both password and secrets management, aiming to address the increasing complexity of credential storage and sharing in modern organizations. The platform recently received a major update that reworks all the core mechanics. Passwork 7 introduces significant changes to how credentials are organized, accessed, and managed, reflecting
A threat actor that's known to share overlaps with a hacking group called YoroTrooper has been observed targeting the Russian public sector with malware families such as FoalShell and StallionRAT. Cybersecurity vendor BI.ZONE is tracking the activity under the moniker Cavalry Werewolf. It's also assessed to have commonalities with clusters tracked as SturgeonPhisher, Silent Lynx, Comrade Saiga,
A threat actor named Detour Dog has been outed as powering campaigns distributing an information stealer known as Strela Stealer. That's according to findings from Infoblox, which found the threat actor to maintain control of domains hosting the first stage of the stealer, a backdoor called StarFish. The DNS threat intelligence firm said it has been tracking Detour Dog since August 2023, when
The threat actor behind Rhadamanthys has also advertised two other tools called Elysium Proxy Bot and Crypt Service on their website, even as the flagship information stealer has been updated to support the ability to collect device and web browser fingerprints, among others. "Rhadamanthys was initially promoted through posts on cybercrime forums, but soon it became clear that the author had a
Beer lovers will be sobbing into their pints at the news that a ransomware attack has brought Japan's largest brewer to its knees and left the country days away from running out of its most popular beverage. Read more in my article on the Hot for Security blog.