Cyber security aggregate rss news

Cyber security aggregator - feeds history


 Firewall Daily

Scattered Spider has shifted its operational strategy, moving away from chaotic data leaks toward a more structured and professional model of cybercrime. Now functioning as a hybrid of Ransomware-as-a-Service (RaaS) and insider threat operations, the group is building a network of internal collaborators within some of the world’s largest tech and telecom companies, including Microsoft and Apple.

Scattered Spider Shifts from Loud Hacks to Quiet Access Deals

Once known for their high-profile breaches and attention-grabbing leaks, Scattered Spider and its affiliated groups, LAPSUS$, ShinyHunters, and the umbrella Scattered LAPSUS$ Hunters, have turned toward access brokerage. Instead of simply exfiltrating data, they’re actively buying and selling privileged access to corporate systems.

The group is now recruiting insiders across key industries: telecommunications, cloud software, gaming, server hosting, and business process outsourcing. Target companies include names like Microsoft, Apple, IBM, EA, Claro, Telefónica, OVH, and others in the US, UK, Australia, Canada, and France.

According to recent posts from the group, they are offering 25% of profits for insider access to Active Directory (AD) systems, and 10% for access to identity platforms like Okta, Azure, or AWS IAM root credentials. This represents a move toward a more profit-sharing, affiliate-based model, where insiders are treated as partners in crime rather than simple data sources.

"We Already Have the Data. We Need Access."

A public statement by the group reads:

“We already have the data. We need access.”

This illustrates their transition from opportunistic hacking to a more calculated form of cyber extortion, aimed at gaining continuous footholds within high-value environments.

They also offered to purchase remote access tools like VPN credentials, Citrix sessions, and AnyDesk installations, which they then resell to ransomware affiliates for further exploitation.

One of their more detailed dark web posts, titled “SLSH 6.0 part 3 - lapsus$hiny$scattere…”, called for insiders to submit evidence of access, including SSH keys, OpenLDAP logs, and system network configurations. The group sets clear rules for participation: no companies under $500 million in revenue, and no targets from countries like Russia, China, North Korea, or Belarus.

Salesforce, Microsoft, Apple Among Targeted Firms

The Scattered LAPSUS$ Hunters have recently launched a new dark web leak site as part of their extortion efforts, following breaches at Salesloft and Salesforce. As of early October 2025, they claim to have compromised approximately 40 companies, with threats to release full datasets unless ransoms are paid by October 10.

Salesforce responded publicly on October 2, stating:

“There is no indication that the Salesforce platform has been compromised... Our findings indicate these attempts relate to past or unsubstantiated incidents.”

Still, the group continues to threaten legal consequences, claiming to have stolen nearly 1 billion records containing sensitive personally identifiable information (PII). They’ve named Berger Montague, a law firm known for data privacy litigation, as a potential partner in civil action against Salesforce if demands are not met.

They also threatened to expose regulatory violations under GDPR, CCPA, HIPAA, and other privacy laws. In one statement, the group said:

“We will be submitting a full document... how your company as a data controller... could have prevented such intrusions.”

Criticism of the Cloud Security Model

In comments to The Cyber Express, the group criticized the "shared responsibility" model of cloud security. They argued that Salesforce, like other platforms, shifts too much of the security burden onto customers.

“Salesforce is saying ‘yeah you can use our services but when it comes to security you have to deal with most of it yourself.’”

They further claimed that the use of known threat indicators, such as Mullvad VPN and TOR IPs, could have been blocked using basic YARA rules yet weren’t.

The leak site showcases the group’s aggressive tactics, listing household names like Microsoft, Apple, Google AdSense, Cisco, Toyota, FedEx, Disney/Hulu, UPS, McDonald’s, KFC, Instacart, Chanel, Adidas, Air France/KLM, and more.


 Vulnerabilities

Researchers have uncovered a 13-year-old critical remote-code-execution flaw in Redis that let attackers escape the product’s Lua sandbox and execute native code on the host, creating a straight line from a malicious script to complete system compromise. The bug, tracked as CVE-2025-49844 and nicknamed RediShell, carried a top severity score, 10.0 on the CVSS scale, and affected every Redis release the researchers tested.

The vulnerability originated in a use-after-free defect that had lived in Redis source for roughly 13 years, researchers at Wiz said. An attacker with the ability to submit a Lua script, a capability that Redis supports by default, could trigger the flaw, break out of the embedded Lua interpreter and run arbitrary native code on the host. That sequence let attackers steal credentials, deploy malware or pivot to other cloud services by using stolen IAM tokens.

Wiz quantified the exposure for cloud operators. The researchers found roughly 330,000 Redis instances exposed to the internet, about 60,000 without any authentication enabled, and a majority of cloud deployments running Redis as container images without security hardening. Those defaults, combined with the ubiquity of Redis for caching and session storage, meant defenders face a rapidly escalating attack surface.

The attack flow mapped by the researchers followed a familiar but dangerous pattern. An attacker could send a crafted Lua payload, exploit the use-after-free to escape the sandbox, establish a reverse shell, then harvest SSH keys, IAM tokens and certificates before moving laterally. The post-exploit phase could include installing cryptominers, exfiltrating sensitive keys or encrypting data for extortion. Because the exploit requires no prior authentication on many default installs, defenders cannot rely on account controls to blunt initial access.

Redis developers moved quickly after responsible disclosure. The Redis project published a security advisory and released patched builds on Oct. 3; Wiz credited the Redis team for collaborating during the disclosure. Still, researchers urged organizations to treat any Redis instance that faces the internet, and many internal, unauthenticated instances, as high priority for patching given the exploitability and reach.

Also read: New Malware ‘Redigo’ Detected, Exploits Redis Servers

Mitigations followed three practical threads. First, upgrade Redis to the vendor’s patched version immediately and prioritize internet-facing hosts. Second, harden configurations: enable authentication, remove or restrict Lua scripting where operations do not need it, run Redis under a non-root account and lock down container images. Third, apply network controls and monitoring: place Redis behind firewalls or private VPCs, log and alert on unusual Lua execution, and hunt for newly written binaries or reverse-shell indicators on hosts that run Redis.

The discovery also raised broader supply-chain and cloud governance questions. Wiz argued the root cause traced to an aging code path in a dependency that many cloud services implicitly trust; in practice that made Redis a risk multiplier across modern infrastructure. The research reinforced a recurring theme: infrastructure components that handle high-value data and run with broad privileges represent attractive, high-impact targets for attackers.

For CISOs and security operations teams, the immediate calculus will hinge on exposure and posture. Teams that ran Redis in default container images without ACLs or put instances on public subnets faced the shortest window for action. Those with Redis isolated in private networks or wrapped behind robust WAF and network policy controls could buy time to stage careful patching and verification. Researchers also recommended rotating any credentials or tokens that Redis instances might have stored or exposed prior to patching.

Wiz researchers said they would publish deeper technical analysis later and intentionally withheld exploit specifics to give defenders time to act. Meanwhile, the company invited organizations to use its threat-center queries to inventory and triage Redis instances.

The discovery reminded cloud operators that decades-old code paths can still yield modern, high-severity breakouts, and that rapid, deterministic patching remains a first-line defense.
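The second of the three mitigation threads above (authentication on, Lua reachable only where needed, no wide-open listener) can be checked mechanically against a redis.conf. The following is an added example, not code from Wiz, the Redis project or this article: it parses a config in Python and reports the weak settings. The directive names (bind, protected-mode, requirepass, user, rename-command) and the @scripting ACL category are real Redis configuration; the two sample configs and the placeholder password are constructed for illustration.

```python
"""Audit a redis.conf for the weak defaults called out in the article (added example).

Checks, following the article's hardening advice:
  1. network exposure   -> 'bind' / 'protected-mode'
  2. authentication     -> 'requirepass' or an ACL 'user' with a password
  3. Lua reachability   -> EVAL renamed away (legacy) or '@scripting' denied via ACL
"""
import shlex

PUBLIC_BIND_ADDRS = {"0.0.0.0", "::", "*", "-::*"}


def parse_redis_conf(text):
    """Return (directive, args) pairs; comments and blank lines are skipped.
    Directives such as 'user' may repeat, so a list is kept rather than a dict."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        entries.append((parts[0].lower(), parts[1:]))
    return entries


def audit_redis_conf(text):
    """Return human-readable findings; an empty list means no weak setting was found."""
    entries = parse_redis_conf(text)

    def args_of(directive):
        return [args for name, args in entries if name == directive]

    findings = []

    # 1. Network exposure: no 'bind' at all, or a wildcard bind, listens on every interface.
    binds = [addr for args in args_of("bind") for addr in args]
    if not binds or PUBLIC_BIND_ADDRS & set(binds):
        findings.append("listens on all interfaces: set 'bind 127.0.0.1 -::1' or a private address")
    if any(args[:1] == ["no"] for args in args_of("protected-mode")):
        findings.append("protected-mode is off: set 'protected-mode yes'")

    # 2. Authentication: a global requirepass, or at least one enabled ACL user with a password
    #    ('>' sets a clear-text password, '#' a pre-hashed one; 'nopass' removes the requirement).
    users = args_of("user")
    acl_with_password = [
        u for u in users
        if "on" in u and "nopass" not in u and any(a.startswith((">", "#")) for a in u)
    ]
    if not args_of("requirepass") and not acl_with_password:
        findings.append("no authentication: set 'requirepass' or define ACL users with passwords")

    # 3. Lua reachability: EVAL renamed to nothing (older deployments), or every enabled
    #    ACL user denied the @scripting category (the Redis 6+ way).
    eval_disabled = any(
        len(args) == 2 and args[0].upper() == "EVAL" and args[1] == ""
        for args in args_of("rename-command")
    )
    enabled_users = [u for u in users if "on" in u]
    acl_denies_scripting = bool(enabled_users) and all("-@scripting" in u for u in enabled_users)
    if not (eval_disabled or acl_denies_scripting):
        findings.append("Lua scripting reachable: deny '@scripting' via ACL where EVAL is not needed")

    return findings


# Constructed sample: the kind of stock container defaults the article describes.
WEAK_CONF = """
port 6379
protected-mode no
"""

# Constructed sample: the same instance after the hardening steps.
HARDENED_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
# placeholder secret for illustration only
user default on >replace-me-with-a-long-secret ~* &* +@all -@scripting
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit_redis_conf(conf) or ['no findings']}")
```

Run it against each host's live config (`CONFIG GET` output can be fed in the same `directive value` shape) as part of the inventory step the article recommends; the ACL check is deliberately strict and requires every enabled user to lose @scripting, because a single permissive user is enough to reach EVAL.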


 Ransomware News

Cybercriminals exploited a critical deserialization flaw in Fortra’s GoAnywhere Managed File Transfer (MFT) tool, tracked as CVE-2025-10035, to drop Medusa ransomware, Microsoft disclosed Monday. The campaign, attributed to a group Microsoft tracks as Storm-1175, illustrates how file-transfer infrastructure once again becomes a staging ground for high-impact attacks.

According to Microsoft, Storm-1175 used the vulnerability to gain initial access into target networks. Once inside, attackers deployed remote administration tools like SimpleHelp and MeshAgent before escalating privileges and spreading laterally. The impact was severe. After exploitation, adversaries conducted system and user discovery, maintained long-term access, and prepared the environment to deploy ransomware.

How the Vulnerability Worked

CVE-2025-10035 resides in GoAnywhere MFT’s License Servlet and stems from unsafe deserialization logic. Attackers forge a “valid license response signature” and cause the servlet to deserialize attacker-controlled objects, triggering command injection. Fortra confirmed the flaw in its advisory and published patches for version 7.8.4 (and updated sustain release 7.6.3) to remediate it.

Security researchers say the vulnerability isn’t stand-alone. Rapid7 flagged a multi-step chain combining an access control bypass (dating from 2023) with the unsafe deserialization flaw and a yet-unconfirmed mechanism related to the license key structure. Exploitation requires that the GoAnywhere Admin Console or the license endpoint be externally accessible.

In 2023, the GoAnywhere platform had already been subject to compromise via CVE-2023-0669, which was weaponized by ransomware operators, illustrating that attackers have considered GoAnywhere a valuable target.

From File Transfer to Medusa Ransomware Deployment

Once attackers breached a GoAnywhere instance, they typically uploaded webshells disguised within the MFT environment to establish a foothold. Microsoft observed lateral movement beginning with remote monitoring tools, followed by reconnaissance and staging of Medusa payloads. The attack chain indicates that the vulnerability did not directly encrypt files; instead, it served as a pivot into the network where Medusa victims were selected and encrypted later.

Storm-1175 has been active in the ransomware ecosystem and is known for targeting public-facing applications for initial access. The group’s use of GoAnywhere demonstrates how criminals reuse known tools in new exploitation vectors. Medusa itself has targeted more than 300 critical infrastructure organizations to date, employing double-extortion tactics and public leak sites to pressure victims. According to Cyble, a cybersecurity threat intelligence firm, the group has seen a 45% increase in its operations in 2025 compared to the previous year.

Also read: Medusa Ransomware Surge: 60 Victims in 3 Months—Are You Next?

Detection tips in Microsoft’s advisory focused on both network and host artifacts. Incident responders were told to search for anomalous HTTP POSTs to admin endpoints, newly created JSP/WAR files in webapp paths, unexplained scheduled tasks and unusual Java process invocations. Microsoft published IOCs and suggested hunting for the specific webshell file names and hashes it observed, while recommending telemetry collection for process command lines and file-write events tied to the MFT server user.
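The detection tips above name three artifact classes that can be hunted with ordinary telemetry. The following Python is an added example, not from Microsoft's advisory or Fortra: it runs each of the three checks over constructed sample records. The endpoint prefixes, the webapp root, the process image names and every log line are assumptions built for illustration, not the advisory's IOCs; substitute your own install paths and the published webshell names and hashes.

```python
"""Hunt over constructed telemetry for the artifact classes the detection tips name (added example)."""
import re

# Assumptions for illustration: adjust to the real install layout and the published IOCs.
SENSITIVE_PATH_PREFIXES = ("/goanywhere/admin", "/goanywhere/lic")   # admin console + license servlet
WEBAPP_ROOT = "/opt/goanywhere/tomcat/webapps/"                        # assumed webapp tree
JAVA_IMAGES = {"java", "java.exe", "javaw.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "sh", "bash"}
SCRIPT_SUFFIXES = (".jsp", ".jspx", ".war")

# Combined-format access log: client, timestamp, request line, status.
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def image_name(path):
    """Final path component, accepting either separator so Windows telemetry parses on any host."""
    return re.split(r"[\\/]", path)[-1].lower()


def admin_posts(access_lines):
    """Artifact 1: POSTs to admin/licensing endpoints, as (source, path, status)."""
    hits = []
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if m and m["method"] == "POST" and m["path"].lower().startswith(SENSITIVE_PATH_PREFIXES):
            hits.append((m["src"], m["path"], int(m["status"])))
    return hits


def new_webapp_scripts(file_writes):
    """Artifact 2: new JSP/WAR files under the webapp tree; file_writes are (path, writer_image)."""
    return [
        (path, writer) for path, writer in file_writes
        if path.startswith(WEBAPP_ROOT) and path.lower().endswith(SCRIPT_SUFFIXES)
    ]


def java_spawned_shells(process_events):
    """Artifact 3: shells whose parent is the Java process; events are (parent, child, cmdline)."""
    return [
        (parent, child, cmdline) for parent, child, cmdline in process_events
        if image_name(parent) in JAVA_IMAGES and image_name(child) in SHELL_IMAGES
    ]


# Constructed telemetry: benign records mixed with one suspicious pattern per class.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [06/Oct/2025:09:58:01 +0000] "GET /goanywhere/web/login HTTP/1.1" 200 1523',
    '198.51.100.23 - - [06/Oct/2025:10:02:40 +0000] "POST /goanywhere/lic/accept HTTP/1.1" 500 0',
    '198.51.100.23 - - [06/Oct/2025:10:02:41 +0000] "POST /goanywhere/lic/accept HTTP/1.1" 200 84',
    '10.0.0.9 - - [06/Oct/2025:10:03:00 +0000] "POST /goanywhere/web/upload HTTP/1.1" 200 12',
]
SAMPLE_FILE_WRITES = [
    ("/opt/goanywhere/tomcat/webapps/ROOT/help/.cache.jsp", "java"),
    ("/opt/goanywhere/tomcat/webapps/ROOT/css/site.css", "java"),
    ("/opt/goanywhere/userdata/uploads/report.pdf", "java"),
]
SAMPLE_PROCESS_EVENTS = [
    ("C:\\Program Files\\GoAnywhere\\jre\\bin\\java.exe", "C:\\Windows\\System32\\cmd.exe", "cmd.exe /c whoami"),
    ("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\cmd.exe", "cmd.exe"),
]


def run_sample_hunt():
    """Run all three checks over the constructed telemetry and return the hits per class."""
    return {
        "admin_posts": admin_posts(SAMPLE_ACCESS_LOG),
        "webapp_scripts": new_webapp_scripts(SAMPLE_FILE_WRITES),
        "java_shells": java_spawned_shells(SAMPLE_PROCESS_EVENTS),
    }


if __name__ == "__main__":
    for key, hits in run_sample_hunt().items():
        print(f"{key}: {len(hits)} hit(s)")
        for hit in hits:
            print("   ", hit)
```

Each check is independent, so the three can be wired to whichever source holds that telemetry (reverse-proxy logs, file-integrity monitoring, EDR process events); a POST to the license endpoint from outside the management network, a script dropped under the webapp root by the Java process, and a shell with Java as its parent are each worth a ticket on their own, and together they match the chain the advisory describes.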


 Firewall Daily

A security vulnerability has been identified in Zabbix Agent and Agent2 for Windows, potentially allowing local users to escalate their privileges to the SYSTEM level. Tracked as CVE-2025-27237, the flaw originates from the way these agents handle the OpenSSL configuration file on Windows systems.

Zabbix, a widely used open-source network monitoring platform, deploys its agents with elevated privileges to collect system-level performance data. However, in certain versions of its Windows agents, the OpenSSL configuration file is loaded from a file path that can be modified by users without administrative permissions. This misconfiguration opens the door to local privilege escalation attacks.

Technical Overview of CVE-2025-27237

According to the official security advisory, versions 6.0.0 through 6.0.40, 7.0.0 through 7.0.17, 7.2.0 through 7.2.11, and 7.4.0 through 7.4.1 of Zabbix Agent and Agent2 for Windows are affected by this flaw. In these versions, the agent loads the OpenSSL configuration from a directory where low-privileged users can write or alter files. By tampering with this file, a malicious user could inject a malicious DLL, which gets executed the next time the Zabbix service or system is restarted.

When successfully exploited, the malicious code executes with SYSTEM privileges, effectively granting the attacker full control over the machine.

The issue, categorized under CVE-2025-27237, has been assigned a CVSS 4.0 score of 7.3, reflecting a high severity level. The scoring vector provided is:

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Discovery and Response

The vulnerability was responsibly disclosed by security researcher himbeer. The Zabbix Support Team acknowledged the issue under internal reference ZBX-27061 and confirmed the vulnerability as a security defect. The resolution was classified as major and has been marked as fixed in subsequent updates.

The affected component, specifically tied to the OpenSSL configuration file handling, was reported under the Zabbix internal project "ZABBIX BUGS AND ISSUES."

Patched Versions and Mitigation

Zabbix users running affected versions on Windows are strongly encouraged to upgrade to the fixed releases immediately. The patched versions that address CVE-2025-27237 are 6.0.41, 7.0.18, 7.2.12 and 7.4.2.

These updates correct the insecure file path behavior, ensuring that the OpenSSL configuration can no longer be modified by low-privilege users. After applying the update, it is crucial to restart the Zabbix Agent or Agent2 service to complete the remediation process.

Currently, no known workarounds exist for this vulnerability aside from applying the official patch.

Implications

While the flaw requires local access to exploit, its impact is considerable. By executing malicious code with SYSTEM-level privileges, an attacker could bypass user-level restrictions, install software, access sensitive data, and potentially use the compromised machine as a launchpad for lateral movement within a network.

Given Zabbix's popularity in enterprise and infrastructure monitoring, systems relying on Windows-based agents are especially urged to take swift action. The widespread deployment of these agents with elevated privileges makes them high-value targets in environments where strict privilege separation is critical.

The vulnerability in Zabbix Agent and Agent2 for Windows stresses the importance of regularly auditing software configurations, especially when external dependencies like OpenSSL are involved. Administrators should review their systems for affected versions, apply the latest patches without delay, and follow best practices to prevent unauthorized file access and modification.

For full technical details, affected version breakdowns, and update instructions, refer to the official Zabbix security advisory.


 Threats

In early October, Unity announced that game developers have a lot of work to do. The popular game engine, used for PC, console and mobile games, has a software vulnerability in it that requires all published games to be updated. The vulnerability was added eight years ago, in engine version 2017.01, so it affects all modern Unity games and applications on Android, Linux, macOS, and Windows platforms.

It wasn’t only developers who reacted to the announcement. Valve announced that it would block Steam from launching games with unsafe settings, and Microsoft went further and recommended temporarily uninstalling vulnerable games until they can be patched. So what is the threat from this vulnerability, and how to fix it without uninstalling games?

How the Unity vulnerability works

Exploitation of the CVE-2025-59489 vulnerability can cause a game to run malicious code, or give an attacker access to information on the given device. An attacker can pass startup parameters to the game, and vulnerable versions of Unity Runtime will process several commands intended for debugging: -xrsdk-pre-init-library, -dataFolder, -overrideMonoSearchPath, and -monoProfiler, among others. With these commands, the Unity engine loads any libraries specified in the startup parameters, including malicious ones. It can load .dll files on Windows, .so libraries on Android and Linux, and .dylib libraries on macOS.

This way, a malicious application with low privileges can launch a game with modified startup parameters, and make it download and run the malicious library. Thus it will have the same privileges and access as the game itself.

Another type of attack that can exploit this vulnerability can be carried out remotely. If a game can be launched by clicking on certain hyperlinks in the browser (the game must be registered as a URI scheme handler), the malicious site can first convince the user to download the malicious library file, and then launch the vulnerable game along with this library.

The danger of exploitation of this vulnerability depends largely on the game’s settings, version and OS settings, but Unity, Valve and Microsoft unanimously recommend updating all games on the system.

What’s the danger of a vulnerability in a game?

Exploitation of this vulnerability serves to escalate privileges and bypass defenses. An unknown application in modern operating systems is usually isolated from others and deprived of access to sensitive information. But it can still launch already installed applications. So when the game is launched with parameters crafted by an attacker, it loads a malicious library, and this library is considered by the system and its defense mechanisms to be part of the game. It has the same rights and access as the game itself, and can also slip under the radar of some antiviruses. Games sometimes require relatively high privileges in the system, so this is a way for an attacker to become, if not the administrator of the device, at least a “respected user”.

Is this vulnerability being exploited in real-world attacks?

Unity emphasizes that the flaw was discovered by ethical hackers and there is no evidence to date that the vulnerability is being used in real attacks. But given the widespread publicity of the issue and the ease of exploitation, any willing attacker could arm themselves with CVE-2025-59489 in just a couple of days. So taking precautionary measures won’t be unreasonable.

How to fix the vulnerability

The main work should be done by game developers. Having updated Unity Editor, they should recompile the game with the patched version of Unity Runtime, and publish it on the website or in app stores. Users need to keep track of updates to their Unity-based games, and update them promptly.

Valve has updated the Steam client and fixed this issue for those games that run via the client. Now it blocks the launch of games with the aforementioned dangerous parameters. Microsoft has confirmed that the vulnerability doesn’t affect Xbox versions of games, but provides an extensive list of vulnerable games available in its app stores for other platforms. Until the vulnerabilities in the specified games are fixed, Microsoft recommends uninstalling them.

In addition to updating your games, be sure your computers and smartphones are protected by a comprehensive cyberthreat prevention system such as Kaspersky Premium. It not only prevents many vulnerabilities from being exploited, but also prevents first-stage malware from running.

How to fix a vulnerability if the game is no longer updated

For developers who don’t have access to the Unity editor or don’t support the game anymore, Unity offers the Unity Application Patcher app. It detects which version of Unity the game is using, and downloads an updated library (libunity.so for Android, UnityPlayer.dll for Windows, UnityPlayer.dylib for macOS), fixing the flaw. The patched game still needs to be republished on the website or app stores. For gamers, only the Windows version of the patcher will be useful, since it’s very problematic to change the game component for macOS or Android while keeping the game functional.
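Valve's fix, as described above, is a launcher-side block on the dangerous startup parameters. The following Python is an added example, not Valve's, Unity's or Kaspersky's code, of the same kind of guard for a custom launcher or a local hardening wrapper: it flags the four switches the article names in their common spellings and can strip them, with their values, before the game starts. The switch list is taken from the article, which says there are others, so it is a starting point rather than a complete list; the sample argument vectors are constructed.

```python
"""Launcher-side guard against the CVE-2025-59489 startup parameters (added example)."""
import re

# The debug switches named in the article, compared case-insensitively. The article
# notes there are others, so extend this set from the vendor's advisory.
BLOCKED_UNITY_SWITCHES = {
    "xrsdk-pre-init-library",
    "datafolder",
    "overridemonosearchpath",
    "monoprofiler",
}

# Accepts '-flag', '--flag', '-flag=value' and '-flag:value'; the '-flag value' form
# carries its value in the following token and is handled in sanitized_args().
SWITCH_RE = re.compile(r"^-{1,2}([A-Za-z][\w-]*)(?:[=:].*)?$")


def _blocked_switch(token):
    """Return True when the token names one of the blocked switches."""
    m = SWITCH_RE.match(token)
    return bool(m) and m.group(1).lower() in BLOCKED_UNITY_SWITCHES


def flagged_unity_args(argv):
    """Return every argv token that names a blocked switch, in order."""
    return [token for token in argv if _blocked_switch(token)]


def launch_allowed(argv):
    """Mirror of the block-the-launch behaviour: refuse if any blocked switch is present."""
    return not flagged_unity_args(argv)


def sanitized_args(argv):
    """Drop each blocked switch together with its value, so a launcher that prefers to
    degrade gracefully can still start the game with the remaining arguments."""
    out, i = [], 0
    while i < len(argv):
        token = argv[i]
        if _blocked_switch(token):
            i += 1
            # '-flag value': the value is the next token unless that token is itself a switch.
            if "=" not in token and ":" not in token and i < len(argv) and not argv[i].startswith("-"):
                i += 1
            continue
        out.append(token)
        i += 1
    return out


if __name__ == "__main__":
    # Constructed argument vector: harmless screen flags plus two injected debug switches.
    sample = ["Game.exe", "-screen-fullscreen", "0", "-dataFolder", "C:\\Users\\Public\\untrusted", "-monoProfiler=hook"]
    print("flagged:", flagged_unity_args(sample))
    print("launch allowed:", launch_allowed(sample))
    print("sanitized:", sanitized_args(sample))
```

Whether to refuse the launch or to strip the switches is a policy choice: refusing is the safer default, since an argument vector carrying these switches was almost certainly not typed by the player, while stripping is useful for launchers that must keep working with legitimate, non-debug flags that arrive in the same vector. Note that this guards only launches that pass through the wrapper; games started directly, or via a URI handler that bypasses it, still need the patched runtime.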

 Feed

CrowdStrike on Monday said it's attributing the exploitation of a recently disclosed security flaw in Oracle E-Business Suite with moderate confidence to a threat actor it tracks as Graceful Spider (aka Cl0p), and that the first known exploitation occurred on August 9, 2025. The exploitation involves the exploitation of CVE-2025-61882 (CVSS score: 9.8), a critical vulnerability that facilitates

 Feed

Redis has disclosed details of a maximum-severity security flaw in its in-memory database software that could result in remote code execution under certain circumstances. The vulnerability, tracked as CVE-2025-49844 (aka RediShell), has been assigned a CVSS score of 10.0. "An authenticated user may use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free,

 Feed

Microsoft on Monday attributed a threat actor it tracks as Storm-1175 to the exploitation of a critical security flaw in Fortra GoAnywhere software to facilitate the deployment of Medusa ransomware. The vulnerability is CVE-2025-10035 (CVSS score: 10.0), a critical deserialization bug that could result in command injection without authentication. It was addressed in version 7.8.4, or the Sustain

 Feed

For years, security leaders have treated artificial intelligence as an “emerging” technology, something to keep an eye on but not yet mission-critical. A new Enterprise AI and SaaS Data Security Report by AI & Browser Security company LayerX proves just how outdated that mindset has become. Far from a future concern, AI is already the single largest uncontrolled channel for corporate data

 Feed

Cybersecurity researchers have charted the evolution of XWorm malware, turning it into a versatile tool for supporting a wide range of malicious actions on compromised hosts. "XWorm's modular design is built around a core client and an array of specialized components known as plugins," Trellix researchers Niranjan Hegde and Sijo Jacob said in an analysis published last week. "These plugins are

 Feed

A Vietnamese threat actor named BatShadow has been attributed to a new campaign that leverages social engineering tactics to deceive job seekers and digital marketing professionals to deliver a previously undocumented malware called Vampire Bot. "The attackers pose as recruiters, distributing malicious files disguised as job descriptions and corporate documents," Aryaka Threat Research Labs

 Feed

Google's DeepMind division on Monday announced an artificial intelligence (AI)-powered agent called CodeMender that automatically detects, patches, and rewrites vulnerable code to prevent future exploits. The efforts add to the company's ongoing efforts to improve AI-powered vulnerability discovery, such as Big Sleep and OSS-Fuzz. DeepMind said the AI agent is designed to be both reactive and

 AI

In episode 71 of The AI Fix, a giant robot spider goes backpacking for a year before starting its job in lunar construction, DoorDash builds a delivery Minion, and a TikToker punishes an AI by making it talk to condiments. GPT-5 crushes the humans at the ICPC World Finals, Claude Sonnet 4.5 codes for 30 hours straight, and someone builds a 5-million-parameter transformer entirely inside Minecraft. Plus: Graham investigates how a simple security flaw left fleets of Unitree robots wide open to hackers, and Mark learns that we’re going to need five nuclear power plants to train just one frontier model by 2028. All this and much more is discussed in the latest edition of "The AI Fix" podcast by Graham Cluley and Mark Stockley.

Aggregator history: Tuesday, October 07, 2025