Search This Blog

Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Latest News

Initial Access Brokers Now Central to Cyberattacks: Report

  The market for initial access brokers has expanded rapidly over the past two years, creating a system that allows advanced threat actors t...

All the recent news you need to know

New SVG-Based Clickjacking Technique Exposes Cross-Origin Data Through CSS Filters

 

Security researcher Lyra Rebane has developed a new type of clickjacking attack that cleverly exploits Scalable Vector Graphics (SVG) and Cascading Style Sheets (CSS) to bypass traditional web protections.

Rebane first showcased this discovery during BSides Tallinn in October and has since released a technical breakdown of the method. The attack takes advantage of a little-known behavior where SVG filters can inadvertently expose cross-origin information—directly undermining the web’s same-origin policy.

Clickjacking, also known as a user interface redress attack, involves deceiving users into performing unintended actions by visually manipulating interface elements. The concept, introduced in 2008 by security researchers Jeremiah Grossman and Robert Hansen, was originally described as a technique for redirecting mouse clicks to malicious targets such as hidden buttons or form inputs.

Over the years, browsers have implemented numerous defenses to prevent such attacks. OWASP highlights common safeguards such as blocking page rendering within frames via X-Frame-Options or CSP frame-ancestors, limiting cookie access inside frames, and using JavaScript frame-busting scripts. Even with these protections, new variants continue to appear—most recently, last year’s cross-window forgery technique.

Rebane’s discovery began while she was experimenting with recreating Apple’s Liquid Glass distortion effect using SVG filters and CSS. Once she successfully replicated the effect, she noticed that when embedded inside an iframe, her SVG/CSS implementation could detect pixel data from the page beneath it—effectively accessing information from another origin.

She told The Register that previous attempts using SVG for cross-origin attacks exist, citing Paul Stone’s “Perfect Pixel Timing Attacks With HTML” and Ron Masas’s “The Human Side Channel”. But, as Rebane stated, "I don't think anyone else has run logic on cross-origin data the way I have."

Her write-up details how she used SVG filters to construct logic gates capable of processing webpage pixels using arbitrary computation—enabling a clickjacking method that would be extremely difficult to achieve with other tools.

According to Rebane, "By using feBlend and feComposite, we can recreate all logic gates and make SVG filters functionally complete. This means that we can program anything we want, as long as it is not timing-based and doesn't take up too many resources."

To demonstrate the risks, Rebane created a proof-of-concept that extracts text from Google Docs. Her attack overlays a “Generate Document” button on a popup. When clicked, the underlying script identifies the popup and shows a CAPTCHA-style textbox. Once submitted, the attacker-controlled interface secretly feeds a suggested Google Docs file name into a hidden textbox. While typical framing restrictions would prevent this, Google Docs allows itself to be embedded, making the attack viable.

Rebane noted that this is common among services intended for embedding—such as YouTube videos, social widgets, maps, payment systems, comment modules, and advertisements. Some services also unintentionally permit framing by failing to include protective headers, which is frequently seen in API endpoints.

Beyond iframe scenarios, Rebane explained that the technique can also be adapted for sites vulnerable to HTML injection.

She said, "There's a vulnerability class known as XSS which involves injecting HTML on websites through various means to execute malicious JavaScript." With CSP now blocking many forms of unsafe JavaScript, attackers look for alternatives. In such cases, "CSS is the next best thing to use, and it can be used for many kinds of interesting attacks," she added, arguing that CSS itself behaves like a programming language. "SVG clickjacking is one of the many attacks that could be used there."

Although the method does not fundamentally overhaul existing web security principles, it significantly lowers the complexity required to execute advanced attack chains.

Google awarded Rebane a $3,133.70 bug bounty for reporting the flaw. She noted that the issue remains unresolved and may not even be classified as a browser bug, adding that Firefox and other browsers are affected as well.

Rebane also pointed out potential mitigations—highlighting the Intersection Observer v2 API, which can detect when an SVG filter is positioned above an iframe.

Google has yet to comment on the matter. A related Chromium bug originating from earlier timing attacks has been closed with a “won’t fix” status.

How Retailers Should Harden Accounts Before the Holiday Rush




Retailers rely heavily on the year-end shopping season, but it also happens to be the period when online threats rise faster than most organizations can respond. During the rush, digital systems handle far more traffic than usual, and internal teams operate under tighter timelines. This combination creates a perfect opening for attackers who intentionally prepare their campaigns weeks in advance and deploy automated tools when stores are at their busiest.

Security analysts consistently report that fraudulent bot traffic, password-testing attempts, and customer account intrusions grow sharply during the weeks surrounding Black Friday, festive sales, and year-end shopping events. Attackers time their operations carefully because the chance of slipping through undetected is higher when systems are strained and retailers are focused on maintaining performance rather than investigating anomalies.

A critical reason criminals favor this season is the widespread reuse of passwords. Large collections of leaked usernames and passwords circulate on criminal forums, and attackers use automated software to test these combinations across retail login pages. These tools can attempt thousands of logins per minute. When one match succeeds, the attacker gains access to stored payment information, saved addresses, shopping histories, loyalty points, and in some cases stored tokenized payment methods. All of these can be exploited immediately, which makes the attack both low-effort and highly profitable.

Another layer of risk arises from the credentials of external partners. Many retailers depend on vendors for services ranging from maintenance to inventory support, which means third-party accounts often hold access to internal systems. Past retail breaches have shown that attackers frequently begin their intrusion not through the company itself but through a partner whose login rights were not secured with strong authentication or strict access controls. This amplifies the impact far beyond a single compromised account, highlighting the need for retailers to treat vendor and contractor credentials with the same seriousness as internal workforce accounts.

Balancing security with customer experience becomes especially challenging during peak seasons. Retailers cannot introduce so much friction that shoppers abandon their carts, yet they also cannot ignore the fact that most account takeovers begin with weak, reused, or compromised passwords.

Modern authentication frameworks recommend focusing on password length, screening new passwords against known breach data, and reducing reliance on outdated complexity rules that frustrate users without meaningfully improving security. Adaptive multi-factor authentication is viewed as the most practical solution. It triggers an additional verification step only when something unusual is detected, such as a login from an unfamiliar device, a significant change to account settings, or a suspicious location. This approach strengthens security without slowing down legitimate customers.

Internal systems require equal attention. Administrative dashboards, point-of-sale backends, vendor portals, and remote-access platforms usually hold higher levels of authority, which means they must follow a stricter standard. Mandatory MFA, centralized identity management, unique employee credentials, and secure vaulting of privileged passwords significantly reduce the blast radius of any single compromised account.

Holiday preparedness also requires a layered approach to blocking automated abuse. Retailers can deploy tools that differentiate real human activity from bots by studying device behavior, interaction patterns, and risk signals. Rate limits, behavioral monitoring for credential stuffing, and intelligence-based blocking of known malicious sources help limit abuse without overwhelming the customer experience. Invisible or background challenge mechanisms are often more effective than traditional CAPTCHAs, which can hinder sales during peak traffic.

A final but critical aspect of resilience is operational continuity. Authentication providers, SMS delivery routes, and verification systems can fail under heavy demand, and outages during peak shopping hours can have direct financial consequences. Retailers should run rehearsals before the season begins, including testing failover paths for sign-in systems, defining emergency access methods that are short-lived and fully auditable, and ensuring there is a manual verification process that stores can rely on if digital systems lag or fail. Running load tests and tabletop exercises helps confirm that backup procedures will hold under real stress.

Strengthening password policies and monitoring for compromised credentials also plays a vital role. Tools that enforce password screenings against known breach databases, encourage passphrases, restrict predictable patterns, and integrate directly with directory services allow retailers to apply consistent controls across both customer-facing and internal systems. Telemetry from these tools can reveal early signs of suspicious behavior, providing opportunities to intervene before attackers escalate their actions.

With attackers preparing earlier each year and using highly automated methods, retailers must enter the holiday season with defenses that are both proactive and adaptable. By tightening access controls, reinforcing authentication, preparing for system failures, and using layered detection methods, retailers can significantly reduce the likelihood of account takeovers and fraud, all while maintaining smooth and reliable shopping experiences for their customers.


Critical CVE-2025-66516 Exposes Apache Tika to XXE Attacks Across Core and Parser Modules

 

A newly disclosed vulnerability in Apache Tika has had the cybersecurity community seriously concerned because researchers have confirmed that it holds a maximum CVSS severity score of 10.0. Labeled as CVE-2025-66516, the vulnerability facilitates XXE attacks and may allow attackers to gain access to internal systems along with sensitive data by taking advantage of how Tika processes certain PDF files. 

Apache Tika is an open-source, highly-used framework for extracting text, metadata, and structured content from a wide array of file formats. It is commonly used within enterprise workflows including compliance systems, document ingestion pipelines, Elasticsearch and Apache Solr indexing, search engines, and automated content scanning processes. Because of its broad use, any severe issue within the platform has wide-ranging consequences.  

According to the advisory for the project, the vulnerability exists in several modules, such as tika-core, tika-parsers, and the tika-pdf-module, on different versions, from 1.13 to 3.2.1. The issue allows an attacker to embed malicious XFA -- a technology that enables XML Forms Architecture -- content inside PDF files. Upon processing, Tika may execute unwanted calls to embedded external XML entities, thus providing a way to fetch restricted files or gain access to internal resources.  

The advisory points out that CVE-2025-66516 concerns an issue that was previously disclosed as CVE-2025-54988, but its scope is considerably broader. Whereas the initial advisory indicated the bug was limited to the PDF parser, subsequent analysis indicated that the root cause of the bug-and therefore the fix-represented in tika-core, not solely its parser component. Consequently, any organization that has patched only the parser without updating tika-core to version 3.2.2 or newer remains vulnerable. 

Researchers also provided some clarification to note that earlier 1.x releases contained the vulnerable PDF parser in the tika-parsers module, so the number of affected systems is higher than initial reporting indicated. 

XXE vulnerabilities arise when software processes XML input without required restrictions, permitting an attacker to use external entities (these are references that can point to either remote URLs or local files). Successfully exploited, this can lead to unauthorized access, SSRF, disclosure of confidential files, or even an escalation of this attack chain into broader compromise. 

Project maintainers strongly recommend immediate updates for all deployments. As no temporary configuration workaround has been confirmed, one can only install patched versions.

FinCEN: Ransomware Gangs Extorted Over $2.1B from 2022 to 2024

 

FinCEN’s most recent report has revealed that ransomware activity reached a new peak in 2023, accumulating over $1.1 billion in payments before a decline in 2024, as law enforcement pursued major gangs such as ALPHV/BlackCat, LockBit. In general, FinCEN data reveals $2.1 billion in ransoms paid from 2022 through 2024, and about $4.5 billion from 2013 to 2024. 

FinCEN’s findings draw on thousands of Bank Secrecy Act reports, that registered 4,194 ransomware incidents between January 2022 and December 2024. Ransomware earnings peaked 2023 with 1,512 incidents and a 77% increase in payouts from 2022, but dropped to nearly $734 million in 1,476 incidents during 2024, decrease attributed to the global disruption of the BlackCat and LockBit operations. These takedowns left affiliates to either transition to other ransomware brands or try to rebuild. 

The report does note that most single ransom amounts were under $250,000, although some sectors consistently took the biggest hits. By number of incidents, manufacturing, financial services, healthcare, retail, and legal services were the most frequently targeted industries from 2022 to 2024. By total losses, financial services led with about $365.6 million paid, followed by healthcare, manufacturing, science and technology, and retail, each suffering hundreds of millions in extorted funds.

Over the period under review, FinCEN counted 267 unique ransomware families; however, a handful caused the majority of distraught. Akira accounted for the most reports (376), followed by ALPHV/BlackCat with the highest earnings at close to $395 million, and LockBit with $252.4 million. As for the top 10 most active groups, they were a combined $1.5 billion between 2022 and 2024, featuring Black Basta, Royal, BianLian, Hive, Medusa, and Phobos. 

The flow of money is still largely in cryptocurrency, with around 97% of ransom payments in Bitcoin and the remainder in Monero, Ether, Litecoin and Tether. Notification of Ransomware Incident to FBI FinCEN stressed that routine, detailed reporting of ransomware incidents to the FBI and ransom payments to FinCEN continues to be critical to enable tracking of funds, further disrupting them, and sustaining the pressure that resulted in the decline noted in 2024.

New Android Malware SeedSnatcher and FvncBot Found By Experts


New Android malware found

Researchers have revealed details of two Android malware strains called SeedSnatcher and FvncBot. Upgraded version of ClayRat was also found in the wild. 

About the malware 

FvncBot works as a security app built by mBank and attacks mobile banking users in Poland. The malware is written from scratch and is different from other banking trojans such as ERMAC whose source codes have been leaked.

According to Intel 471, the malware "implemented multiple features including keylogging by abusing Android's accessibility services, web-inject attacks, screen streaming and hidden virtual network computing (HVNC) to perform successful financial fraud."

Like the Albiriox banking malware, this trojan is shielded by a service called apk0day that Golden Crypt offers.

Attack tactic 

After the dropper app is launched, users are asked to download a Google Play component for security of the app. But in reality, it deploys the malware via session-based approach which other actors adopt to escape accessibility restrictions on Android devices version 13 and above.

According to Intel 471, "During the malware runtime, the log events were sent to the remote server at the naleymilva.it.com domain to track the current status of the bot." After this, the malware asks victims for accessibility services permission, it then gets privileges and connects to an external server. 

Malware capabilities 

FvncBot also triggers a text mode to analyze the device screen layout and content even in cases where an app doesn't allow screenshots by setting the FLAG_SECURE option. 

Experts don't yet know how FvncBot is getting widespread, but Android banking trojans leverage third-party app stores and SMS phishing as a distribution vector. 

According to Intel 471, "Android's accessibility service is intended to aid users with disabilities, but it also can give attackers the ability to know when certain apps are launched and overwrite the screen's display." 

The firm added that the sample was built to "target Polish-speaking users, it is plausible we will observe this theme shifting to target other regions or to impersonate other Polish institutions."


Beyond the immediate threat to banking and cryptocurrency users, the emergence of FvncBot, SeedSnatcher, and the upgraded ClayRat underscores a troubling evolution in mobile-malware design: an increasing shift toward “full-device takeover” rather than mere credential theft. By exploiting legitimate features, such as Android’s accessibility services, screen-streaming APIs, and overlay permissions, these trojans can invisibly hijack almost every function of a smartphone: logging keystrokes, intercepting SMS-delivered 2FA codes, capturing screen contents even when apps try to block screenshots, and executing arbitrary commands as though the real user were interacting with the device. 

This marks a new class of threat in which a compromised phone becomes a proxy tool for remote attackers: they don’t just steal data, they can impersonate the user, conduct fraudulent transactions, or monitor every digital activity. Hence, users worldwide, not only in Poland or crypto-heavy regions, must remain vigilant: the architecture these threats use is platform-wide, not region-specific, and could easily be repurposed for broader global campaigns.

ShadowV2 Botnet Activity Quietly Intensified During AWS Outage

 


The recently discovered wave of malicious activity has raised fresh concerns for cybersecurity analysts, who claim that ShadowV2 - a fast-evolving strain of malware that is quietly assembling a global network of compromised devices - is quietly causing alarm. It appears that the operation is based heavily upon Mirai's source code and is much more deliberate and calculated than previous variants. The operation is spread across more than 20 countries. 

Moreover, ShadowV2 has been determined to have been created by actors exploiting widespread misconfigurations in everyday Internet of Things hardware. This is an increasingly common weakness in modern digital ecosystems and it is aimed at building a resilient, stealthy, and scaleable botnet. The campaign was discovered by FortiGuard Labs during the Amazon Web Services disruption in late October, which the operators appeared to have been using to cover up their activity. 

During the outage, the malware spiked in activity, an activity investigators interpret to be the result of a controlled test run rather than an opportunistic attack, according to the report. During its analysis of devices from DDWRT (CVE-2009-2765), D-Link (CVE-2020-25506, CVE-2022-37055, CVE-2024-10914, CVE-2024-10915), DigiEver (CVE-2023-52163), TBK (CVE-2024-3721), TP-Link (CVE-2024-53375), and DigiEver (CVE-2024-53375), ShadowV2 was observed exploiting a wide range of CVE-2024-53375. 

A campaign’s ability to reach out across industries and geographies, coupled with its precise use of IoT flaws, is indicative of a maturing cybercriminal ecosystem, according to experts. This ecosystem is becoming increasingly adept at leveraging consumer-grade technology to stage sophisticated and coordinated attacks in the future. 

ShadowV2 exploited a variety of vulnerabilities that have been identified for a long time in IoT security, particularly in devices that have already been retired by manufacturers. This report, which is based on a research project conducted by NetSecFish, identified a number of vulnerabilities that could be affecting D-Link products that are at the end of their life cycle. 

The most concerning issue is CVE-2024-10914, which is a command-injection flaw affecting end-of-life D-Link products. In November 2024, a related issue, CVE-2024-10915, was found by researchers in a report published by NetSecFish. However, after finding no advisory, D-Link later confirmed that the affected devices had reached end of support and were unpatched. 

The vendor responded to inquiries by updating an existing bulletin to include the newly assigned CVE and issuing a further announcement that has directly related to the ShadowV2 campaign, reminding customers that outdated hardware will no longer receive security updates or maintenance, and that security updates will not be provided on them anymore. 

During the same period, a vulnerability exploited by the botnet, CVE-2024-53375, was revealed. This vulnerability has been reported to have been resolved through a beta firmware update. Considering that all of these lapses are occurring together, they serve as an excellent illustration of the fact that aging consumer devices continue to serve as a fertile ground for large-scale malicious operations long after support has ended, as many of these devices are left running even after support has ended. 

Based on the analysis of the campaign, it seems as though ShadowV2's operators use a familiar yet effective distribution chain to spread its popularity and reach as widely as possible. By exploiting a range of vulnerable IoT vulnerabilities, the attackers are able to download a software program known as binary.sh, which is located at 81[.]88[.]18[.]108, which is the command server's location. As soon as the script is executed, it fetches the ShadowV2 payload - every sample is identified by the Shadow prefix - which is similar to the well-known Mirai offshoot LZRD in many ways.

A recent study examining the x86-64 build of the malware, shadow.x86_64, has found that the malware initializes its configuration and attack routines by encoding them using a light-weight XOR-encoding algorithm, encrypting them with one byte (0x22) to protect file system paths, HTTP headers, and User-Agent strings using a single byte key. 

As soon as these parameters are decoded, the bot connects with its command-and-control server, where it waits for instructions on how to launch distributed denial-of-service attacks. While aesthetically modest in nature, this streamlined design is a reflection of a disciplined and purpose-built approach which makes it easy for deployment across diverse hardware systems without attracting attention right away. 

According to Fortinet, a deeper analysis of the malware—which uses XOR capabilities to encrypt configuration data and compact binaries—underscores that ShadowV2 shares many of the same features as the LZRD strain derived from Mirai. This allows ShadowV2 to minimize its visibility on compromised systems in a similar fashion. 

An infection sequence that has been observed across multiple incidents follows a consistent pattern: attackers are the ones who break into a vulnerable device, then they download the ShadowV2 payload via 81[.]88[.]18[.]108, and then they proceed to install it. The malware connects to its command server at silverpath[.]shadowstresser[.]info immediately after it has been installed, allowing it to be part of a distributed network geared towards coordinated attacks. 

Once installed, the malware immediately resides on the compromised device. In addition to supporting a wide range of DDoS techniques, including UDP, TCP, and HTTP, the botnet is well suited for high-volume denial-of-service operations, including those associated with for-hire DDoS services, criminal extortion, and targeted disruption campaigns. 

Researchers claim that ShadowV2's initial activity window may have been purposefully chosen to be the right time to conduct its initial operations. It is perfectly possible to test botnets at an early stage in the early stages of their development during major outages, such as the AWS disruption of late October, as sudden traffic irregularities are easily blended into the broader instability of the service. 

By targeting both consumer-grade and enterprise-grade IoT systems, operators seem to be building an attack fabric that is flexible and geographically diffuse, and capable of scaling rapidly, even in times of overwhelming defensive measures. While the observation was brief, analysts believe that it served as a controlled proof-of-concept that could be used to determine if a more expansive or destructive return could occur as a result of future widespread outages or high-profile international events. 

Fortinet has issued a warning for consumers and organizations to strengthen their defenses before similar operations occur in the future, in light of the implications of the campaign. In addition to installing the latest firmware on all supported IoT and networking devices, the company emphasizes the importance of decommissioning any end-of-life D-Link or other vendor devices, as well as preventing unnecessary internet-exposed features such as remote management and UPnP, to name just a few. 

Additionally, IoT hardware should be isolated within segmented networks, outbound traffic and DNS queries are monitored for anomalies, and strong, unique passwords should be enforced across all interfaces of all connected devices. As a whole, these measures aim to reduce the attack surface that has enabled the rapid emergence of IoT-driven botnets such as ShadowV2 to flourish. 

As for ShadowV2's activity, it has only been limited to the short window of the Amazon Web Services outage, but researchers stress that it should act as a timely reminder of the fragile state of global IoT security at the moment. During the campaign, it is stressed that the continued importance of protecting internet-connected devices, updating firmware regularly, and monitoring network activity for unfamiliar or high-volume traffic patterns that may signal an early compromise of those devices has been underscored. 

Defendants will benefit from an extensive set of indicators of compromise that Fortinet has released in order to assist them with proactive threat hunting, further supporting what researcher Li has described as an ongoing reality in cybersecurity: IoT hardware remains one of the most vulnerable entry points for cybercriminals. When ShadowV2 emerged, there was an even greater sense of concern when Microsoft disclosed just days later, days after its suspected test run, that Azure had been able to defend against what they called the largest cloud-based DDoS attack ever recorded. 

As a result of this attack, attributed to the Aisuru botnet, an unprecedented 15.72 Tbps was reached, resulting in nearly 3.64 billion packets per second being delivered. Despite the attack, Microsoft reported that it had successfully been absorbed by its cloud DDoS protection systems on October 24, thus preventing any disruptions to customer workflows. 

Analysts suggest that the timing of the two incidents indicates a rapidly intensifying threat landscape in which adversaries are increasingly preparing to launch large-scale attacks, often without much advance notice. Analysts are pointing out that the ShadowV2 incident is not merely an isolated event, but should also be considered a preview of what a more volatile era of botnet-driven disruption might look like once the dust settles on these consecutive warning shots. 

Due to the convergence of aging consumer hardware and incomplete patch ecosystems, as well as the increasing sophistication of adversaries, an overlooked device can become a launchpad for global-scale attacks as a result of this emergence. According to experts, real resilience will require more than reactive patching: settings that embed sustained visibility into their networks, enforcing strict asset lifecycle management, and incorporating architectures that limit the blast radius of inevitable compromises are all priorities that need to be addressed. 

Consumers also play a crucial role in preventing botnets from spreading by replacing unsupported devices, enabling automatic updates, and regularly reviewing router and Internet-of-Things configurations, which collectively help to reduce the number of vulnerable nodes available to botnets. 

In the face of attacks that demonstrate a clear willingness to demonstrate their capabilities during times of widespread disruption, cybersecurity experts warn that proactive preparedness must replace event-based preparedness as soon as possible. As they argue, the ShadowV2 incident serves as a timely reminder that strengthening the foundations of IoT security today is crucial to preventing much more disruptive campaigns from unfolding tomorrow.

Featured