Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Security Breach. Show all posts
unauthorised access
Data Breach MTA Ransomware attack Security Breach unauthorised access

Maryland’s Paratransit Service Hit by Ransomware Attack

 

The Maryland Transit Administration (MTA), operator of one of the largest multi-modal transit systems in the United States, is currently investigating a ransomware attack that has disrupted its Mobility paratransit service for disabled travelers. 

While the agency’s core transit services—including Local Bus, Metro Subway, Light Rail, MARC, Call-A-Ride, and Commuter Bus—remain operational, the ransomware incident has left the MTA unable to accept new ride requests for its Mobility service, which is critical for individuals with disabilities who rely on specialized transportation. 

According to the MTA, the cybersecurity breach involved unauthorized access to certain internal systems. The agency is working closely with the Maryland Department of Information Technology to assess and mitigate the impact. Riders who had already scheduled Mobility trips prior to the attack will still receive their services as planned. However, until the issue is resolved, new bookings cannot be processed through the standard Mobility system.

In response to the disruption, the MTA is directing eligible customers to its Call-A-Ride program as an alternative. This service can be accessed online or by phone, providing a temporary solution for those in need of transportation while the Mobility system remains unavailable for new requests.

The agency has emphasized its commitment to resolving the incident quickly and securely, promising regular updates as more information becomes available. 

This incident is not isolated. Over the past two years, similar ransomware attacks have targeted paratransit and public transit services in multiple states, including Missouri and Virginia, often leaving municipalities to scramble for alternative solutions for disabled residents.

The MTA has stated that its primary focus is on ensuring the safety and security of both customers and employees. It is collaborating with government partners and media outlets to keep the public informed and to support affected communities throughout the recovery process. 

The MTA’s experience underscores the growing risk that ransomware poses to critical public infrastructure, particularly services that support vulnerable populations. As investigations continue, the agency urges customers to stay informed through official channels and to utilize available alternatives like Call-A-Ride until normal operations can resume.
Read more »
Security Breach
Customer Data CyberCrime Cyberhackers Cybersecurity Data Breach Jewellery Pandora Security Breach

Pandora Admits Customer Data Compromised in Security Breach


 

A major player in the global fashion jewellery market for many years, Pandora has long been positioned as a dominant force in this field as the world's largest jewellery brand. However, the luxury retailer is now one of a growing number of companies that have been targeted by cybercriminals. 

Pandora confirmed on August 5, 2025, that a cyberattack had been launched on the platform used to store customer data by a third party. A Forbes report indicates that the breach was caused by unauthorised access to basic personal information, including customer name and email address. As a result, no passwords, credit card numbers, or any other sensitive financial information were compromised, the company stressed. 

In response to the incident, Pandora has taken steps to contain it, improved its security measures, and stated that at the present time, no evidence has been found that suggests that the stolen information has been leaked or misused. There is no doubt that supply chain dependencies can be a vulnerability for attackers due to the recent breach at Danish jewellery giant Pandora, as evidenced by this breach. 

The incident, rather than being the result of a direct intrusion into Pandora's core infrastructure, has been traced back to a third-party vendor platform — a reminder of the vulnerability of external services, including customer relationship management tools and marketing automation systems, which can be used by hackers as gateways. 

Using this tactic, cybercriminals were able to gain unauthorised access to customer data. Cybercriminals often employ this tactic to facilitate secondary crimes such as phishing, identity theft, and targeted scams. This incident is part of a broader industry challenge, with organisations increasingly outsourcing critical functions while ignoring the security risks associated with these outsourcing agreements. 

However, Pandora has not revealed who the third-party platform is; however, it has confirmed that some of Pandora's customer information was accessed through it, so the company's core internal systems remained unaffected by the intrusion. According to the jewellery retailer, the intrusion has been swiftly contained, and additional security measures have been put in place in order to ensure that future attacks do not occur again. 

According to the investigation, only the most common types of data - the names, dates, and email addresses of customers - were copied, and there was no compromise of passwords, identity documents or financial information. Several researchers have noted that cybercriminals have been orchestrating social engineering campaigns on behalf of companies and help desks for as long as January 2025, often to obtain Salesforce credentials or trick the staff into authorising malicious OAuth applications. 

It is not the only issue that is concerning the retail sector, as Chanel, a French fashion and cosmetics giant, also confirmed earlier this month a cyberattack perpetrated by the ShinyHunter extortion group, reportedly targeting Salesforce applications on August 1 through a social media-based intrusion, causing a significant amount of disruption in the industry. 

In the last year, the UK retail sector has been experiencing challenges as a result of cyberattacks that have affected major brands such as M&S, Harrods, and The Co-op. This latest incident comes at a time when the retail sector has been facing an increasing number of cyberattacks. A breach earlier this year resulting in the theft of customer data led M&S to declare a loss of around £300 million for its annual profit. 

It has been noted that in recent years, retailers have become prime targets for sophisticated hackers due to the vast amounts of consumer information they collect for marketing purposes and the outdated security infrastructure they use. Many retailers have underinvested in cybersecurity resilience in their pursuit of speed, scale, and convenience, which is something well-organised threat actors, such as Scattered Spider, are exploiting by taking advantage of this gap. 

Cybersecurity expert Christoph Cemper advised Pandora customers to remain vigilant against potential phishing emails, warning that such attacks can lead to the theft of sensitive information or financial losses if recipients click malicious links or download harmful attachments. Pandora reaffirmed its commitment to data protection, stating, Cemper, however, emphasised that retailers must adopt more proactive measures to safeguard customer information. 

Despite this incident, Pandora stressed the importance of not compromising passwords, payment information, or other sensitive details of customers. Specifically, the incident only involved “very common types of customer data”, including names and e-mail addresses, with no compromises to passwords, payment information, or other sensitive information. 

As a result of its investigation, the company stated that no evidence of misuse of the stolen data was found, but it advised customers to remain vigilant, especially in situations where they receive unsolicited emails or ask for personal information online. In its warning to customers, Pandora advised them not to click on unfamiliar links or download attachments from unverified sources. 

Pandora did not specify who was responsible for the intrusion, how the hack was executed, or how many people had been affected. Nonetheless, security researchers have been able to link the incident to the ShinyHunters group, which is said to have targeted corporate Salesforce databases with various social engineering and phishing techniques since January 2025. 

Several of the members of this group claim that they will "perform a mass sale or leak" of data from companies unwilling to comply with ransom demands. As far as Salesforce is concerned, the company has not been compromised. Its statement attributed these breaches instead to sophisticated phishing attacks and social engineering attacks that have become increasingly sophisticated over the years, reiterating that customers are responsible for safeguarding their data on their own. 

Today's interconnected retail environment serves as a reminder that cyber risks are no longer confined to a company's own network perimeter but are now a part of a company's wider digital footprint. It has become increasingly apparent that the lines between internal and external security responsibilities are blurring in light of the increasing use of vulnerability in third-party platforms, social engineering tactics, and overlooked digital entry points. 

The stakes for global brands are not limited to immediate disruption to operations. In addition to consumer trust, brand reputation, and regulatory scrutiny, cybersecurity experts agree that a holistic approach is now needed in order to mitigate cyberattacks. In addition to rigorous vendor risk assessments, continuous employee training, advanced threat detection, and resilient incident response frameworks, these strategies are all important. 

In an industry like luxury retail that is vulnerable to cyberattacks, Pandora's experience demonstrates what is becoming an increasingly common industry imperative: proactive defences are becoming not just an option but an essential tool for safeguarding the online relationships of customers and protecting their digital assets.
Read more »
Vulnerabilities and Exploits
Akira Ransomware Arctic Wolf Security Breach SonicWall Vulnerabilities and Exploits

Akira Ransomware Wave Targets SonicWall Firewall Devices

 

Cybersecurity firms report a late-July surge of Akira ransomware intrusions against SonicWall firewall devices, with evidence pointing to attackers entering via SonicWall SSL VPN connections and rapidly moving to encrypt data shortly after gaining access. 

While a previously unknown vulnerability is considered highly plausible, researchers have not ruled out credential-based entry methods such as brute force, dictionary attacks, or credential stuffing. Given the uncertainty, defenders are advised to temporarily disable SonicWall SSL VPN, enhance logging and endpoint monitoring, and block VPN authentications from hosting providers until patches or clearer guidance are available. 

Arctic Wolf detected these SonicWall-linked VPN intrusions beginning July 15, noting that malicious logins have a history dating back to at least October 2024, and that attackers often authenticate from virtual private server infrastructure rather than consumer ISPs. Huntress corroborated Arctic Wolf’s findings and shared indicators of compromise, while additional community discussion appeared on Reddit. The campaign highlights a rapid transition from initial VPN access to encryption, consistent with recent Akira activity patterns. 

Additionally, SonicWall urged customers to patch SMA 100 appliances for a separate critical flaw (CVE-2025-40599) that could allow remote code execution if an attacker already has admin rights. Although there was no evidence that CVE-2025-40599 was being exploited, Google’s Threat Intelligence Group reported adversaries using compromised credentials to deploy a new OVERSTEP rootkit on these devices. SonicWall advised SMA 100 customers to check GTIG’s IOCs, scrutinize logs for suspicious access, and contact support if compromise is suspected. 

Akira, active since March 2023, has claimed more than 300 victims on its leak site, including high-profile organizations, and the FBI estimated over $42 million in ransom payments from more than 250 victims as of April 2024. With the current SonicWall-focused wave still under investigation, security teams are urged to harden remote access, enable detailed monitoring, and be prepared for rapid containment if suspicious VPN activity is detected.
Read more »
Technology
AI Cloud Data Google Internet Security Breach Technology

Security Breach Reveals "Catwatchful" Spyware is Snooping on Users

Security Breach Reveals "Catwatchful" Spyware is Snooping on Users

A security bug in a stealthy Android spyware operation, “Catwatchful,” has exposed full user databases affecting its 62,000 customers and also its app admin. The vulnerability was found by cybersecurity expert Eric Daigle reported about the spyware app’s full database of email IDs and plaintext passwords used by Catwatchful customers to access stolen data from the devices of their victims. 

Most of the victims were based in India, Argentina, Peru, Mexico, Colombia, Bolivia, and Ecuador. A few records date back to 2018. The leaked database also revealed the identity of the Catwatchful admin called Omar Soca Char.

The Catwatchful database also revealed the identity of the spyware operation’s administrator, Omar Soca Charcov, a developer based in Uruguay.

About Catwatchful

Catwatchful is a spyware that pretends to be a child monitoring app, claiming to be “invisible and can not be detected,” while it uploads the victim’s data to a dashboard accessible to the person who planted the app. The stolen data includes real-time location data, victims’ photos, and messages.  The app can also track live ambient audio from the device’s mic and access the phone camera (both front and rear).

Catwatchful and similar apps are banned on app stores, and depend on being downloaded and deployed by someone having physical access to a victim’s phone. These apps are famous as “stalkerware” or “spouseware” as they are capable of unauthorized and illegal non-consensual surveillance of romantic partners and spouses. 

Rise of spyware apps

The Catwatchful incident is the fifth and latest in this year’s growing list of stalkerware scams that have been breached, hacked, or had their data exposed. 

How was the spyware found?

Daigle has previously discovered stalkerware exploits. Catwatchful uses a custom-made API, which the planted app uses to communicate to send data back to Catwatchful servers. The stalkerware also uses Google Firebase to host and store stolen data. 

According to Techradar, the “data was stored on Google Firebase, sent via a custom API that was unauthenticated, resulting in open access to user and victim data. The report also confirms that, although hosting had initially been suspended by HostGator, it had been restored via another temporary domain."

Read more »
Security Breach
Cyber Privacy Cyberhackers Cybersecurity CyberThreat malware messages Security Breach

Recognizing the Messages That Signal a Security Breach

 


Increasingly, cybersecurity experts warn that using traditional antimalware tools can lead to a false sense of security if used in conjunction with a system of prevention. In today's rapidly evolving threat environment, this software remains a staple of personal and enterprise protection strategies. However, its limitations have become painfully obvious as the threat environment rapidly evolves. 

There is no doubt in my mind that signature-based scanners, in particular, are notoriously unreliable, particularly when faced with newly released exploits and malware variants—especially when they have just been released. One way to see the impact of this problem is to submit a suspicious file to Google's VirusTotal service, which aggregates results from 60 of the most trusted anti-malware engines in the world, but the detection rates are sometimes inconsistent and shockingly low even there. 

A major issue facing cybercriminals is the fact that they no longer have to rewrite malicious code in order to evade detection. In many cases, they are only necessary to rearrange a few bytes or make minor adjustments to render the threat completely invisible to traditional scanners, thus enhancing the accuracy of the scan. 

In order to increase accuracy, security vendors have added new layers of defence to their systems. The majority of antimalware solutions are now based on heuristic algorithms, which use analysis of program behaviour in order to identify suspicious activity rather than solely on known signatures in order to identify malicious software. 

Other companies also use virtualised sandboxes to observe files in isolation, monitor system processes in real-time, and analyse network traffic to detect threats. Although there have been significant advances in defending against cyber attacks, attackers continue to develop new techniques faster than defences can respond. The reality is that no single security product matter how advanced-can detect or block every cyber threat with total reliability. 

As malware is constantly mutating and adversaries are constantly refining their techniques at unprecedented speeds, organizations and individuals alike will need to adopt a more comprehensive approach to security. It will go well beyond simply installing antimalware software to ensure security goes well. 

The term security breach is generally understood as any incident in which sensitive data, networks, computer systems, or devices are accessed, disclosed, or tampered with without the authorization of the party involved. Such breaches do much more than simply cause inconveniences; they threaten data integrity, personal privacy, and organizational confidentiality in a way that goes far beyond mere inconveniences. 

In today's digital society where every aspect of life, including financial transactions, shopping, social interaction, and entertainment, is facilitated through online platforms, the stakes are much higher than ever. In many cases, individuals entrust their most private information with digital services and presume they will be protected by robust safeguards, which is why they trust digital services so much with their sensitive information. 

However, the reality is that as the volume and value of stored data increase, the incentive for malicious actors to exploit vulnerabilities will also increase. It is no secret that cybercriminals have been relentlessly targeting databases and applications to harvest data, such as personal information, payment information, and login credentials, all of which can then be exploited in order to commit identity thefts, financial frauds, and other sophisticated forms of cybercrime. 

For organizations, the impact of a security breach will be even greater. A compromised system does not only disrupt operations immediately, but it can also cause significant financial losses, regulatory penalties, and costly legal actions. Perhaps the most damaging of these effects, however, is the erosion of customer trust and corporate reputation, which can take years to restore. 

There is a growing awareness that security and data breach risks are not abstract threats but are in fact pressing realities that require vigilant prevention, prompt detection, and effective response measures for both businesses and individuals alike. It has been reported recently by cybersecurity company ESET that the frequency of such threats has been on the rise in recent years as a result of the escalation of these threats. 

According to the company's latest Threat Report, this has now occurred in greater numbers. There have been numerous warnings issued over the past few months regarding the increase in spam and viral outbreaks, but one of the most alarming aspects of these campaigns is that they continue to ensnare unsuspecting users despite their obvious simplicity and ease of recognition in theory. 

The ESET report demonstrates the fact that the ClickFix attacks have evolved into a highly adaptable and formidable threat, employing a wide array of malicious payloads, from info stealers to ransomware to sophisticated nation-state malware. While these attack methodologies can be applied to a variety of operating systems, Windows PCs remain the most susceptible and effective targets due to the prevalence and effectiveness of these techniques. 

A key component of ClickFix is a deceptively simple yet remarkably effective method of getting victims to fix their problems. Victims are typically instructed to open the Windows Run dialogue by pressing the Windows key plus "R," paste a string of text using Ctrl + V and press "Enter" – often under the pretext of resolving an urgent issue. 

However, while the initial script may seem harmless, it is often just a way of obtaining and silently executing a much more dangerous payload without the knowledge of the user. Performing this single action can be a gateway to a wide variety of malicious programs, including the Lumma Stealer, VidarStealer, StealC, Danabot, and many more information theft programs; remote access Trojans like VenomRAT, AsyncRAT, and NetSupport RAT; and several other tools designed to attack the user. 

There are crypto miners, clipboard hijackers, post-exploitation frameworks like Havoc and Cobalt Strike, and other specialised attack tools in this category. Security professionals have given unequivocal advice: Users should treat any unsolicited prompt urging them to perform this sequence of commands as an immediate red flag that indicates a deliberate attempt to compromise their system. 

Under any circumstances, users should be cautious of following such instructions, as they can result in a significant compromise. In order to avoid any potential problems with the application in question, users should immediately close, or force-quit, restart their computers, and then run a thorough antivirus scan. Furthermore, it is necessary to change all of the key account passwords and monitor financial statements for signs of suspicious activity. 

While ClickFix attacks are most commonly associated with Windows environments, ESET's findings serve as a timely reminder that Macs are not immune to these attacks either. It has been reported that similar social engineering tactics can be used to entice macOS users to run scripts that appear benign but, in reality, facilitate unauthorized access to their devices. 

It demonstrates how important it is to remain cautious when dealing with uninvited technical instructions, regardless of the platform that users are using. ESET, a cybersecurity company that issued a recent alert regarding the increase in these threats, has indicated in its latest Threat Report that these attacks have now risen dramatically in frequency, which is in line with other previous warnings that have been issued over the past few months. 

However, what is even more alarming about these campaigns is the persistent manner in which they continue to ensnare unsuspecting users, even though these campaigns, in theory, should be easily recognised and avoided. The ESET report demonstrates the fact that the ClickFix attacks have evolved into a highly adaptable and formidable threat, employing a wide array of malicious payloads, from info stealers to ransomware to sophisticated nation-state malware.

While these attack methodologies can be applied to a variety of operating systems, Windows PCs remain the most susceptible and effective targets due to the prevalence and effectiveness of these techniques. Despite its deceptive simplicity, ClickFix's core tactic is remarkably effective as well. When victims are contacted to resolve an urgent issue, they are typically instructed to open the Windows Run dialogue by pressing the Windows key plus the "R" and then to paste a string of text using "Ctrl + V" before pressing "Enter." 

Although it may initially seem harmless or routine, the script usually serves as a conduit for retrieving and silently executing a far more dangerous payload, without the user being aware of it. By taking this action, users will be allowing themselves to be infected by a wide variety of malicious programs, such as Lumma Stealers, Vidar Stealers, StealC, Danabots, and many more. Remote Access Trojans, such as VenomRAT, AsyncRAT, and NetSupport RA, are some of the most prominent ones, along with cryptominers, clipboard hijackers, post-exploitation frameworks like Havoc and Cobalt Strike, and a variety of other specialised tools. 

Security professionals have given unequivocal advice: Users should treat any unsolicited prompt urging them to perform this sequence of commands as an immediate red flag that indicates a deliberate attempt to compromise their system. Under any circumstances, users should be cautious of following such instructions, as they can result in a significant compromise. As a matter of fact, they should close or force-quit the application in question, reboot the system, and carry out a thorough antivirus scan immediately. 

Additionally, it is essential that all critical account passwords be changed and that all financial statements be monitored closely for signs of suspicious activity. It has been found that ClickFix attacks are most common on Windows-based operating systems, but ESET's findings serve as a timely reminder that Mac users are not entirely immune to these attacks. 

The same social engineering techniques are used to trick Mac users into running scripts ostensibly benign by guiding them in a way that facilitates unauthorized access to their devices. This reinforces the crucial need to be vigilant and sceptical when dealing with any unsolicited technical instructions, regardless of the platform. For security breaches to be minimized and an effective response mounted promptly, it is important to recognize early signs of a breach. 

Several warning signs often point towards unauthorized activity within a system or network. Unusual network behaviour, such as sudden spikes in data traffic, irregular transfers, or sudden surges in bandwidth, can be a sign of an intentional data exfiltration or malicious probing of the network. In addition to unexplained system problems, including unexplained slowdowns, frequent crashes, or prolonged downtime, it is possible for malware to exploit these vulnerabilities. 

Suspicious account activity can also raise concerns. It is usually a sign of active compromise or credential theft when a user account appears unfamiliar, logins are made at odd hours, or repeated attempts are made to log in at odd hours. As a last point to note, data anomalies can be an indication that there has been a security breach. Missing, altered, or corrupted files are evidence that there has been an attack, as are access logs that indicate the entry of unauthorized individuals into sensitive databases.

By recognizing these signs and responding swiftly, organizations can better protect their data, operations, and reputation against the increasing threats of cyber-attacks. The threat landscape is becoming increasingly complex, and as a result, individuals and organisations are faced with a need to take an increasingly proactive and layered approach to cybersecurity. It has never been more important. 

As a result, we must go beyond conventional security tools and take deliberate steps to harden systems, train users, and prepare for contingencies besides conventional tools. When users create robust incident response procedures, conduct regular security audits, and invest in employee training, they can significantly reduce the chance that simple social engineering techniques or undetected malware will succeed, thereby reducing the likelihood that they will succeed. 

It is equally important for the organisation to utilise threat intelligence feeds, maintain current software, and enforce strong access controls to remain on top of an adversary that is continually refining its methods. A culture of security awareness is crucial for organizations to create where all users are aware that vigilance is not optional but rather a shared responsibility, which is why organizations should cultivate it. 

The businesses, as well as the individuals, can strengthen their defenses, and make sure that when the next attempt comes—and it will—they will be ready to detect, contain, and recover quickly, as the next attempt will be a result of the combination of modern technologies, disciplined operational practices, and a mindset that emphasizes continuous improvement.
Read more »
United States
Data Breach Military Operations National Security Security Breach Signal app United States

Experts Warn Trump Officials Using Signal for War Plans Risk Massive Leaks

 

Reports that senior Trump administration officials discussed classified military operations using the encrypted texting app Signal have raised serious security concerns. Although Signal provides encryption, lawmakers and cybersecurity specialists have warned that it is still susceptible to hacking and should never be used for private government communications. 

When journalist Jeffrey Goldberg of The Atlantic was accidentally included in a Signal group discussion where senior Trump officials were discussing military operations in Yemen, the issue became apparent. Goldberg called the conversation an act of "shocking recklessness" and said it included "precise information about weapons packages, targets, and timing.” 

Mark Montgomery, senior director of the Foundation for Defence of Democracies, criticised the decision, saying, "I guess Signal is a few steps above leaving a copy of your war plan at the Chinese Embassy—but it's far below the standards required for discussing any elements of a war plan.” 

Signal has become increasingly popular in Washington despite cybersecurity concerns after Chinese-affiliated hackers significantly compromised U.S. telecommunications networks. To safeguard against spying, officials recommend using encrypted services such as Signal. Experts warn that even while the app has robust encryption and deletes messages automatically, it is not approved for use in government-level sensitive communications. 

Lawmakers call for investigation

Top Democrats have slammed the use of Signal for military discussions, describing it as a significant security breach. Bennie Thompson (D-Miss.), the ranking member of the House Homeland Security Committee, criticised the Trump administration for failing to vet group chat users. “It should go without saying that administration officials should not be using Signal for discussing intelligence matters,” Thompson noted. 

House Foreign Affairs Committee Ranking Member Gregory Meeks (D-N.Y.) has requested a hearing, calling the episode "the most astonishing breach of our national security in recent history." Ranking member of the House Intelligence Committee, Jim Himes (D-Conn.), said he was "horrified" by the usage of an insecure app. He cautioned that lower-level officials might risk criminal charges for such a failure. 

Michael Waltz, Trump's National Security Adviser, admits to organising the Signal group chat, which inadvertently included writer Jeffrey Goldberg. Waltz first blamed a staff member, but later admitted that he founded the group himself. "It is embarrassing, definitely. We're going to get to the bottom of it," he added, adding that he was engaging Elon Musk on technical matters. 

In support of Waltz, Trump described him as a "good man" who had only "learnt a lesson." "The leak was the only glitch in two months, and it turned out not to be a serious one," he said, downplaying the breach as a small mistake. But there has been a quick pushback, with lawmakers and security experts voicing serious concerns.
Read more »
Vulnerabiliies
Cyber Security Cyberattacks GitHub Security Breach Supply Chain. CI/CD Vulnerabiliies

GitHub Action Security Breach Raises Concerns Over Supply Chain Risks

 


An attack of a cascading supply chain was recently triggered by the compromise of the GitHub action "reviewdog/action-setup@v1", which ultimately led to the security breach of the "tj-actions/changed-files" repository. As a result of this breach, unintended secrets about continuous integration and delivery were exposed, raising concerns about the integrity of software supply chains. 

There was a malicious code in the tj-actions/changed-files application last week, which introduced malicious code that was capable of extracting CI/CD secrets from the workflow logs and logging them within the log files. This incident affected approximately 23,000 repositories. Even though these logs were not accessible to the public, this exposure highlights significant security risks. In the case that the logs had become public, the attacker would have been able to gain unauthorized access to vital credentials.

Even though there has been an ongoing investigation into tj-actions/changed files, its developers have been unable to determine exactly how the attackers compromised GitHub's Personal Access Token (PAT) to gain access to critical data. For the unauthorized changes to be made, this token, which was used by an automated bot to modify code, appears to have played a pivotal role in the process. GitHub Actions and CI/CD pipelines need to be enhanced to prevent the spread of software supply chain vulnerabilities. This incident underscores the increasing threat of software supply chain vulnerabilities. 

A critical security breach has been identified in the widely used third-party GitHub Action, tj-actions/changed-files, that has been assigned the CVE-2025-30066 vulnerability. When a supply chain attack compromises the action that tracks file changes in pull requests and commits, it results in unauthorized disclosure of sensitive credentials since this action tracks file modifications. Among the secrets that were exposed were valid access keys, GitHub Personal Access Tokens (PATs), npm tokens, and private RSA keys. 

A security patch was implemented in version 46.0.1 as a response to the incident to mitigate the risk associated with it. As a result of an updated analysis from March 19, 2025, security researchers have suggested that this breach may have been the result of a similar compromise of another GitHub action, reviewdog/action-setup@v1, identified as CVE-2025-30154 by security researchers. Considering the timing of both incidents and the growing threat landscape surrounding software supply chains, there is a strong likelihood that there is a connection between them. 

The developments highlighted in this article underscore the importance of conducting rigorous security audits and maintaining enhanced monitoring practices within the GitHub ecosystem to prevent future threats. In the recent past, there was a security breach affecting GitHub Action tj-actions/changed-files that exposed critical security vulnerabilities in software supply chains, emphasizing the risks associated with third-party dependencies in continuous integration/continuous delivery. 

Through GitHub Actions, a widely used automation platform, developers can optimize their workflows through reusable components, allowing them to save time and money. However, due to the compromise of tj-actions/changed-files—a tool that detects changes in files in pull requests and commits—over 23,000 repositories were accessed unauthorized, resulting in the theft of sensitive workflow secrets. A security researcher first noticed unusual activity related to the repository on March 14, 2025, which led to the discovery of the breach. 

A malicious payload has been injected into CI/CD runners in an attempt to extract CI/CD runner memory, which exposed critical environment variables and workflow secrets within logs, which were discovered to have been injected by the attackers. An exploit like this could result in unauthorized access to confidential credentials, thereby posing a significant security risk to the organization. Having been provided with a critical lead by security researcher Adnan Khan, it has been confirmed that the root cause of this compromise stems from another GitHub Action called reviewdog/action-setup, which an independent organization maintains. 

The investigation revealed that the tj-actions/changed-files action was compromised because it was dependent on the tj-actions/eslint-changed-files action, which was itself dependent on the reviewdog/action-setup action. In addition to the attack on the review dog organization, multiple activities were also affected within that organization, indicating that the attack was more widespread than that. Maintainers of TJ-actions and Review Dog quickly mitigated this incident by implementing security patches and reducing further risks. 

To counteract growing threats within software supply chains, continuous security monitoring, dependency validation, and rapid mitigation strategies must be implemented to protect continuous integration/continuous delivery pipelines from future attacks. Wiz, one of the leading security firms, recommended that developers evaluate their potential exposure by performing a GitHub query to determine if any references to reviewdog/action-setup@v1 were found in their repositories. 

As part of this process, it is important to determine if any of the projects might have been compromised by the recent supply chain compromise. It would be prudent to treat the detection of double-encoded base64 payloads within workflow logs as a confirmation of the leakage of sensitive information. If this happens, immediate remediation measures are required to prevent further security incidents. 

To reduce the risks associated with compromised actions, developers are advised to remove all references to these actions across branches, remove workflow logs that might contain exposed credentials, and rotate any potentially compromised secrets so that unauthorized access cannot occur. There is a need to take proactive security measures, such as pin GitHub Actions to specific commit hashes rather than version tags to reduce the probability that similar breaches will occur in the future. Furthermore, by utilizing GitHub's allow-listing feature, we can restrict unauthorized actions and enhance the security of our repositories. 

One must respond quickly to supply chain attacks, which may have far-reaching consequences as well as leak CI/CD secrets. Immediately following the breach, organizations must take steps to contain the breach, and they must develop long-term security strategies to protect themselves against future threats as well. The companies that are potentially impacted by this GitHub Actions supply chain attack should take immediate measures to protect their systems from further harm. To effectively counteract unauthorized access and further exploitation, all exposed secrets must be rotated. This is especially true for those secrets that were used between March 14 and March 15, 2025. 

Failure to replace compromised credentials could result in further exploitation. Further, security teams need to thoroughly review CI/CD workflows, paying close attention to unexpected outputs, particularly within the section on "changed files". There is a good chance that any anomalies may indicate an unauthorized modification or possible data leak. All workflow references should be updated to point to specific commit hashes rather than mutable tags so that they can be used to enhance security and mitigate the risk of a similar incident in the future. This will reduce the risk that attackers may inject malicious code into widely used GitHub Actions in the future. 

A robust security policy is also crucial for organizations. For this reason, organizations must utilize GitHub's allow-listing feature to restrict access to unauthorized actions, and they should conduct regular security audits of their third-party dependencies before integrating them into workflows. This kind of prevention measure can greatly reduce the chances of an attack on the supply chain or an unauthorized change in the source code. As a result of the recent breach, it has been highlighted how widely used automation tools are prone to vulnerabilities, which emphasizes the need to maintain continuous security monitoring and develop proactive defence strategies. 

Although some organizations, like Coinbase, successfully mitigated the impact of this incident, it serves as a reaffirmation that all organizations should continue strengthening their security postures and remain vigilant when it comes to evolving threats in the software industry. Recent information about a security breach with GitHub Actions confirms that the threats associated with supply chain attacks are continuing to grow in the modern software development industry. It has become increasingly important for organizations to enforce strong security frameworks for the sake of preventing cyber threats by implementing continuous monitoring mechanisms, thorough dependency audits, and enhanced access controls as cyber threats become more sophisticated. 

CI/CD pipelines need to be protected against unauthorized intrusions at all costs, and this incident highlights the urgency for proactive defense strategies to prevent this type of activity. Teams can mitigate vulnerabilities and ensure their workflows are protected by adopting secure coding best practices, enforcing strict authentication policies, and utilizing GitHub's security features, if they implement secure coding practices and enforce strict authentication policies. As software supply chain security has become a world-wide concern, maintaining vigilance and immediate response to incidents is crucial to ensuring operational integrity and resilience against evolving threats in an era when it has become paramount.
Read more »
Security Breach
Clothing Firm Cyber Attacks IT Breach Raymond Security Breach

Raymond Cyberattack: IT Teams, Authorities Investigate Massive Breach

 

Raymond Limited, a leading textile and apparel firm, acknowledged a cyberattack on its IT infrastructure on February 19. The company quickly segregated affected systems to protect essential business operations and avoid disruptions to customer-facing platforms or shop networks.

Rakesh Darji, Raymond's Company Secretary and Compliance Officer, stated in a regulatory filing that its retail and physical store operations will continue unchanged. While the filing provided no details on the attackers or confirmed any ransomware involvement, the company noted that "necessary precautions and protocols" were implemented to mitigate the impact. 

Raymond reassured stakeholders that its critical manufacturing and retail systems are safe despite the security intrusion, and that there haven't been any notable service interruptions. To determine the attack's entry points, length, and any threats of data exposure, the company's cybersecurity specialists and internal IT teams are performing forensic investigation. An inquiry is also in progress after notification was sent to India's cybersecurity organisation, CERT-In. 

The incident highlights the growing significance of strong cybersecurity measures for multinational organisations, especially those with complicated supply networks. It serves as a warning to firms to always improve their cyber defences against evolving threats. 

Raymond's disclosure is aligned with India's new cybersecurity standards, which demand the timely notification of major IT issues to regulatory bodies and investors. Shortly after discovering the breach, the company followed compliance measures and notified stock markets under the scrip codes BSE:500330 and NSE:RAYMOND. 

While the full scope of the assault is unknown, Raymond's proactive response and transparency demonstrate its commitment to ensuring company continuity and consumer trust.
Read more »
Threat Intelligence
Online Security Quantum Computers Security Breach Technology Threat Intelligence

Quantum Computers Threaten to Breach Online Security in Minutes

 

A perfect quantum computer could decrypt RSA-2048, our current strongest encryption, in 10 seconds. Quantum computing employs the principle of quantum physics to process information using quantum bits (qubits) rather than standard computer bits. Qubits can represent both states at the same time, unlike traditional computers, which employ bits that are either 0 or 1. This capacity makes quantum computers extremely effective in solving complicated problems, particularly in cryptography, artificial intelligence, and materials research. 

While this computational leap opens up incredible opportunities across businesses, it also raises serious security concerns. When quantum computers achieve their full capacity, they will be able to break through standard encryption methods used to safeguard our most sensitive data. While the timescale for commercial availability of fully working quantum computers is still uncertain, projections vary widely.

The Boston Consulting Group predicts a significant quantum advantage between 2030 and 2040, although Gartner believes that developments in quantum computing could begin to undermine present encryption approaches as early as 2029, with complete vulnerability by 2034. Regardless of the precise timetable, the conclusion is unanimous: the era of quantum computing is quickly approaching. 

Building quantum resilience 

To address this impending threat, organisations must: 

  • Adopt new cryptographic algorithms that are resistant against impending quantum attacks, such as post-quantum cryptography (PQC). The National Institute of Standards and Technology (NIST) recently published its first set of PQC algorithm standards (FIPS 203, FIPS 204, and FIPS 205) to assist organisations in safeguarding their data from quantum attacks. 
  • Upgrades will be required across the infrastructure. Develop crypto agility to adapt to new cryptographic methods without requiring massive system overhauls as threats continue to evolve. 

This requires four essential steps: 

Discover and assess: Map out where your organisation utilises cryptography and evaluate the quantum threats to its assets. Identify the crown jewels and potential business consequences. 

Strategise: Determine the current cryptography inventory, asset lives against quantum threat timelines, quantum risk levels for essential business assets, and create an extensive PQC migration path. 

Modernise: Implement quantum-resilient algorithms while remaining consistent with overall company strategy.

Enhance: Maintain crypto agility by providing regular updates, asset assessments, modular procedures, continual education, and compliance monitoring. 

The urgency to act 

In the past, cryptographic migrations often took more than ten years to finish. Quantum-resistant encryption early adopters have noticed wide-ranging effects, such as interoperability issues, infrastructure rewrites, and other upgrading challenges, which have resulted in multi-year modernisation program delays. 

The lengthy implementation period makes getting started immediately crucial, even though the shift to PQC may be a practical challenge given its extensive and dispersed distribution throughout the digital infrastructure. Prioritising crypto agility will help organisations safeguard critical details before quantum threats materialise.
Read more »
Security Breach
Crypto Exchange Crypto Hack cryptocurrency Cyber Attacks Digital Assets Lazarus Group Security Breach

Bybit Crypto Exchange Hacked for $1.5 Billion in Largest Crypto Heist

 

Bybit, one of the world’s largest cryptocurrency exchanges, has suffered a massive security breach, resulting in the loss of $1.5 billion in digital assets. The hack, now considered the largest in crypto history, compromised the exchange’s cold wallet—an offline storage system designed to provide enhanced security against cyber threats. 

Despite the breach, Bybit CEO Ben Zhou assured users that other cold wallets remain secure and that withdrawals continue as normal. Blockchain analysis firms, including Elliptic and Arkham Intelligence, traced the stolen funds as they were quickly moved across multiple wallets and laundered through various platforms. Most of the stolen assets were in ether, which were liquidated swiftly to avoid detection. 

The scale of the attack far exceeds previous high-profile crypto thefts, including the $611 million Poly Network hack in 2021 and the $570 million stolen from Binance’s BNB token in 2022. Investigators later linked the attack to North Korea’s Lazarus Group, a state-sponsored hacking organization known for targeting cryptocurrency platforms. The group has a history of siphoning billions from the digital asset industry to fund the North Korean regime. 

Experts say Lazarus employs advanced laundering techniques to hide the stolen funds, making recovery difficult. Elliptic’s chief scientist, Tom Robinson, confirmed that the hacker’s addresses have been flagged in an attempt to prevent further transactions or cash-outs on other exchanges. However, the sheer speed and sophistication of the operation suggest that a significant portion of the funds may already be out of reach. The news of the breach sent shockwaves through the crypto community, triggering a surge in withdrawals as users feared the worst. 

While Bybit has managed to stabilize outflows, concerns remain over the platform’s ability to recover from such a massive loss. To reassure customers, Bybit announced that it had secured a bridge loan from undisclosed partners to cover any unrecoverable losses and maintain operations. The Lazarus Group’s involvement highlights the persistent security risks in the cryptocurrency industry. Since 2017, the group has orchestrated multiple cyberattacks, including the theft of $200 million in bitcoin from South Korean exchanges. 

Their methods have become increasingly sophisticated, exploiting vulnerabilities in crypto platforms to fund North Korea’s financial needs. Industry experts warn that large-scale thefts like this will continue unless exchanges implement stronger security measures. Robinson emphasized that making it harder for criminals to profit from these attacks is the best deterrent against future incidents. 

Meanwhile, law enforcement agencies and crypto-tracking firms are working to trace the stolen assets in hopes of recovering a portion of the funds. While exchanges have made strides in improving security, cybercriminals continue to find ways to exploit weaknesses, making robust protections more crucial than ever.
Read more »
Security Breach
browser hijacking Chrome Extension Cyber Security Cybersecurity Data Theft Google Workspace Hacking phishing Security Breach

New 'Browser Syncjacking' Attack Exploits Chrome Extensions for Full Device Takeover

 

'Browser Syncjacking,' which allows threat actors to hijack Google profiles, compromise browsers, and eventually gain full control over a victim's device—all through a seemingly harmless Chrome extension.

This stealthy multi-stage attack requires minimal permissions and almost no user interaction beyond installing a malicious Chrome extension. The attack begins with:

1. Fake Google Workspace Setup – Attackers create a fraudulent Google Workspace domain with pre-configured user profiles where security features like multi-factor authentication are disabled.

2. Publishing a Malicious Extension – A Chrome extension, disguised as a useful tool, is uploaded to the Chrome Web Store.

3. Social Engineering Trap – Victims are tricked into installing the extension, which then secretly logs them into an attacker's managed Google Workspace profile via a hidden browser session.

4. Sync Activation – The extension opens a legitimate Google support page and injects content instructing users to enable Chrome Sync. Once activated, attackers gain access to stored credentials, browsing history, and other sensitive data.

5. Full Browser Takeover – Using deceptive tactics, such as a fake Zoom update prompt, the extension delivers an executable file containing an enrollment token. This grants attackers full control over the browser.

"Once enrolled, the attacker gains full control over the victim's browser, allowing them to silently access all web apps, install additional malicious extensions, redirect users to phishing sites, monitor/modify file downloads, and many more," explains SquareX researchers.

By leveraging Chrome's Native Messaging API, attackers establish a direct communication channel between the malicious extension and the victim's operating system. This enables them to:
  • Browse directories
  • Modify files
  • Install malware
  • Execute commands
  • Capture keystrokes
  • Extract sensitive data
  • Activate the webcam and microphone
The Browser Syncjacking attack is difficult to detect. Unlike traditional extension-based threats that require extensive social engineering, this method operates with minimal user interaction.

"Unless the victim is extremely security paranoid and is technically savvy enough to constantly navigate the Chrome settings to look for managed browser labels, there is no real visual indication that a browser has been hijacked," the report warns.

Recent incidents, including hijacks of legitimate Chrome extensions, have demonstrated that browser extensions pose significant cybersecurity risks.

BleepingComputer has reached out to Google for comments on this new attack and will provide updates as soon as a response is received.
Read more »
Security Breach
CNI Email malware phishing Security Breach

Email Attacks Target 80% of Key Infrastructure Firms, Study Reveals

 


Strong security for emails is one of the top concerns of CNI dealing companies. According to a recent OPSWAT report, 80% of CNI companies reported an email-related security breach in the past year. Malicious emails are being exploited to target essential services, and email-based attacks are increasingly used as a key strategy for gaining unauthorised access.

CNI organisations, such as utilities, transportation, telecommunications, and data centres, are prime targets for cybercriminals. The appeal lies in the widespread disruption a successful attack can cause. For example, a report from Malwarebytes highlighted that the services industry, which includes many CNI sectors, has been heavily impacted by ransomware, accounting for nearly a quarter of global attacks.

Email attacks prove to be particularly effective, according to a report by OPSWAT, which polled 250 IT and security leaders of CNI firms. For instance, CNI organisations experienced 5.7 phishing incidents, 5.6 account compromises, and 4.4 instances of data leakage per year for every 1,000 employees. Yet still, more than half of the respondents assumed that email messages and attachments were safe by default.

Why Cybercriminals Target Emails

Emails are a straightforward way for attackers to deliver phishing scams, malicious links, and harmful attachments. Once opened, these can give hackers access to critical systems. More than 80% of CNI organisations believe that email threats will increase or stay the same over the next year, with phishing, data theft, and zero-day malware attacks being the most likely.

As operational technology (OT) and IT systems become more connected, the risk grows. The report warns that fewer OT networks are isolated from the internet today. This interconnection means a single email attack could spread from IT to OT systems, causing further damage and enabling attackers to launch new attacks from within the network.

UK Steps up Data Center Security End

Data centres have just been designated by the UK government as critical national infrastructure, thus putting them in a category qualifying for further protection from growing cyber threats. This is the first new CNI designation since 2015. The measure aims to enhance the security of these critical facilities that guarantee the running of all services across the country pretty slickly.

This change also means that data centres will receive more government support in the event of cyber incidents, including access to the National Cyber Security Centre and emergency services when necessary. However, the increased designation also comes with tighter regulations, including the need for physical security measures, audits, and updated contingency plans.

Despite the serious threat email attacks pose, most CNI companies struggle with compliance. As revealed in the OPSWAT report, 65% of leaders admit that their organisations do not meet regulatory standards. However, for EMEA companies, this number goes down to 28%. Poor compliance leaves these organisations more vulnerable to attack.

Recent data shows that cyber attacks on CNI organisations are on the rise. The NCC Group’s latest Threat Pulse found that in July alone, 34% of ransomware attacks targeted CNI, up from 32% in June. Experts suggest that cybercriminals may now feel less concerned about consequences from law enforcement. Initially, ransomware groups avoided high-profile targets like hospitals to avoid severe crackdowns. However, recent attacks on CNI suggest they are no longer holding back.

Legacy Technology: The Soft Underbelly 

One of the biggest issues facing CNI companies is their reliance on outdated technology. The National Cyber Security Centre’s 2023 Annual Review noted that many critical infrastructure organisations still use legacy systems that are not regularly updated, making them easy targets for cyber attacks. These systems are often decades old and lack basic security features, making it easier for attackers to exploit them. A Microsoft report from May supported these findings, showing that security measures for OT systems are often inadequate, making attacks on water and other key infrastructure systems both attractive and easy for hackers. As cyber threats continue to rise, the need for CNI companies to update their technology and strengthen their security protocols becomes increasingly urgent. 

As email attacks continue to plague critical infrastructure organisations, it’s clear that a stronger approach to email security is needed. OPSWAT’s report stresses the importance of prevention, urging CNI companies to prioritise email security measures to protect their networks. With cybercriminals targeting these vital systems more than ever before, improving defences against email-borne threats is essential for ensuring the security and stability of national infrastructure.

CNI companies are facing a growing threat from email-based cyber attacks. As technology develops and attackers become more sophisticated, it’s crucial for organisations to update their security measures and comply with regulations to safeguard their operations. Email remains a key entry point for cybercriminals, and without the necessary precautions, the consequences could be severe.



Read more »
Security Breach
Cyber Attacks Gas Industry Oil Firm SEC Security Breach

Oil Giant Halliburton Hit by Cyberattack, Certain Systems Affected

 

On Friday, oil firm Halliburton revealed further details to regulators regarding a recent attack that forced the shutdown of critical systems. The company told news outlets that it was struck by a cyberattack on Wednesday, which disrupted operations at its Houston headquarters. 

In an 8-K filing filed Thursday with the Securities and Exchange Commission (SEC), the firm stated that attackers "gained access to certain of its systems." The firm is currently investigating the matter with the assistance of contractors. 

“The Company’s response efforts included proactively taking certain systems offline to help protect them and notifying law enforcement. The Company’s ongoing investigation and response include restoration of its systems and assessment of materiality,” Halliburton vice president Charles Geer noted in the report. 

Geer also stated that they are in contact with users and other stakeholders as they try "to identify any effects of the incident." According to Reuters, following the cyberattack, some employees were instructed not to access the company's internal network. No group claimed responsibility for the incident as of Friday afternoon. 

Halliburton, known for its controversial role in the Iraq War, is one of the world's major oil field service businesses, with almost 48,000 employees. The firm generated $5.8 billion in revenue in the first quarter of 2024. Businesses in the oil and gas industry continue to be targeted by hackers and ransomware gangs because they have a history for paying ransoms. 

While no cases have been confirmed, ransomware gangs have discovered at least five oil and gas businesses on their leak sites since June. For the past three years, oil and gas firms have been impacted by a number of cyber incidents, however the attacks on Colonial Pipeline and Shell have garnered the most media attention. 

It has become a major issue that G7 members in June have "committed to taking critical action to strengthen the cybersecurity of the global supply chain of key technologies used to manage and operate electricity, oil, and natural gas systems across the world." 

In May, the Transportation Security Administration (TSA) updated cybersecurity standards for operators of potentially dangerous liquid and natural gas pipelines, as well as liquefied natural gas installations. 

The regulations, which have been in place since the Colonial Pipeline attack, require operators to confirm to TSA that they have implemented a variety of cybersecurity policies, including an incident response plan, the establishment of a cybersecurity coordinator position, vulnerability inspections, network segmentation, and more.
Read more »
VPN security
CISA Cyber Attacks Ivanti Ivanti security flaws Ivanti VPN Exploitation Security Breach VPN VPN security

Lessons from the Ivanti VPN Cyberattack: Security Breaches and Mitigation Strategies

 

The recent cyberattack on Ivanti’s VPN software has prompted swift action from the Cybersecurity and Infrastructure Security Agency (CISA). This incident not only highlights the need for stronger cybersecurity measures but also raises important questions about exploit techniques, organizational responses to security breaches, and the escalating costs associated with downtime. 

The vulnerabilities in Ivanti’s VPN gateway allowed threat actors to bypass authentication and gain unauthorized access. Attackers could send maliciously crafted packets to infiltrate the system without needing to steal credentials, giving them access to user credentials, including domain administrator credentials. A second vulnerability enabled the injection of malicious code into the Ivanti appliance, allowing attackers to maintain persistent access, even after reboots or patches. Security researchers, including Mandiant, identified that Ivanti’s initial mitigations were insufficient. 

CISA warned that Ivanti’s interim containment measures were not adequate to detect compromises, leaving systems vulnerable to persistent threats. This uncertainty about the effectiveness of proposed mitigations necessitated CISA’s prompt intervention. The ability of attackers to gain persistent access to a VPN gateway poses significant risks. From this trusted position, attackers can move laterally within the network, accessing critical credentials and data. The compromise of the VPN allowed attackers to take over stored privileged administrative account credentials, a much more severe threat than the initial breach. In response to the breach, CISA advised organizations to assume that critical credentials had been stolen. 

Ivanti’s failure to detect the compromise allowed attackers to operate within a trusted zone, bypassing zero-trust principles and exposing sensitive data to heightened risks. The severity of the vulnerabilities led CISA to take the unusual step of taking two of Ivanti’s systems offline, a decision made to protect the most sensitive credentials. Despite later clarifications from Ivanti that patches could have been applied more discreetly, the miscommunications highlight the importance of clear, open channels during a crisis. Mixed messages can lead to unnecessary chaos and confusion. System-level downtime is costly, both in terms of IT resources required for shutdown and recovery and the losses incurred from service outages. 

The exact cost of Ivanti’s downtime remains uncertain, but for mission-critical systems, such interruptions are extremely expensive. This incident serves as a warning about the costs of addressing the aftermath of a cyberattack. CISA’s decision to shut down the systems was based on the potential blast radius of the attack. The trusted position of the VPN gateway and the ability to export stored credentials made lateral movement easier for attackers. 

Building systems based on the principle of least privilege can help minimize the blast radius of attacks, reducing the need for broad shutdowns. The Ivanti VPN cyberattack underscores the pressing need for robust cybersecurity measures. Organizations must adopt proactive infrastructure design and response strategies to mitigate risks and protect critical assets. Reducing the number of high-value targets in IT infrastructure is crucial. Privileged account credentials and stored keys are among the highest value targets, and IT leaders should prioritize strategies and technologies that minimize or eliminate such targets. 
Read more »
Vulnerabilities and Exploits
CVE-2024-29510 Cybersecurity Ghostscript flaw Ghostscript security Ghostscript vulnerability infosec PDF interpreter security Remote Code Execution Security Breach Vulnerabilities and Exploits

New Ghostscript Vulnerability Alarms Experts as Major Breach Threat

 

The information security community is buzzing with discussions about a vulnerability in Ghostscript, which some experts believe could lead to significant breaches in the coming months.

Ghostscript, a Postscript and Adobe PDF interpreter, allows users on various platforms including *nix, Windows, macOS, and several embedded operating systems to view, print, and convert PDFs and image files. It is commonly installed by default in many distributions and is also utilized by other packages for printing or conversion tasks.

This vulnerability, identified as CVE-2024-29510 and given a CVSS score of 5.5 (medium) by Tenable, was first reported to the Ghostscript team in March and was addressed in the April release of version 10.03.1. However, the researcher's blog post that uncovered this flaw has recently sparked widespread interest.

Thomas Rinsma, the lead security analyst at Codean Labs in the Netherlands, discovered a method to achieve remote code execution (RCE) on systems running Ghostscript by bypassing the -dSAFER sandbox. Rinsma highlighted the potential impact on web applications and services that use Ghostscript for document conversion and preview functionalities.

Ghostscript's extensive use in various applications, such as cloud storage preview images, chat programs, PDF conversion, printing, and optical character recognition (OCR) workflows, underscores its importance. Stephen Robinson, a senior threat intelligence analyst at WithSecure, noted that Ghostscript's integral role in many solutions often goes unnoticed.

To enhance security, the Ghostscript development team has implemented increasingly robust sandboxing capabilities, with the -dSAFER sandbox enabled by default to prevent dangerous operations like command execution. Detailed technical information and a proof of concept (PoC) exploit for Linux (x86-64) can be found on the researcher's blog. The PoC demonstrates the ability to read and write files arbitrarily and achieve RCE on affected systems.

Rinsma confirmed that the PoC may not work universally due to assumptions about stack and structure offsets that vary by system. The PoC, shared by Codean Labs, is an EPS file, and any image conversion service or workflow compatible with EPS could be exploited for RCE, according to Robinson.

Tenable's assessment of the CVE as a local vulnerability requiring user interaction has been questioned by experts like Bob Rudis, VP of data science at GreyNoise. Rudis and others believe that no user interaction is needed for the exploit to succeed, which could mean the severity score is underestimated.

Accurate severity assessments are crucial for the infosec industry, as they guide organizations on the urgency of applying patches and mitigations. The delayed recognition of this vulnerability's severity highlights the importance of precise evaluations.

Rudis expects several notifications from organizations about breaches related to this vulnerability in the next six months. Bill Mill, a full-stack developer at ReadMe, reported seeing attacks in the wild and emphasized the need for organizations to prioritize applying patches.

This is the second notable RCE vulnerability in Ghostscript within 12 months. Last July, CVE-2023-36664, rated 9.8 on the severity scale, made headlines after Kroll's investigation. Ghostscript's widespread use in modern software, including 131 packages in Debian 12 and applications like LibreOffice, underscores the critical need for security measures.


Read more »
Technology
Artifcial Intelligence ChatGPT OpenAI Security Breach Technology

Breaking the Silence: The OpenAI Security Breach Unveiled

Breaking the Silence: The OpenAI Security Breach Unveiled

In April 2023, OpenAI, a leading artificial intelligence research organization, faced a significant security breach. A hacker gained unauthorized access to the company’s internal messaging system, raising concerns about data security, transparency, and the protection of intellectual property. 

In this blog, we delve into the incident, its implications, and the steps taken by OpenAI to prevent such breaches in the future.

The OpenAI Breach

The breach targeted an online forum where OpenAI employees discussed upcoming technologies, including features for the popular chatbot. While the actual GPT code and user data remained secure, the hacker obtained sensitive information related to AI designs and research. 

While Open AI shared the information with its staff and board members last year, it did not tell the public or the FBI about the breach, stating that doing so was unnecessary because no user data was stolen. 

OpenAI does not regard the attack as a national security issue and believes the attacker was a single individual with no links to foreign powers. OpenAI’s decision not to disclose the breach publicly sparked debate within the tech community.

Breach Impact

Leopold Aschenbrenner, a former OpenAI employee, had expressed worries about the company's security infrastructure and warned that its systems could be accessible to hostile intelligence services such as China. The company abruptly fired Aschenbrenner, although OpenAI spokesperson Liz Bourgeois told the New York Times that his dismissal had nothing to do with the document.

Similar Attacks and Open AI’s Response

This is not the first time OpenAI has had a security lapse. Since its launch in November 2022, ChatGPT has been continuously attacked by malicious actors, frequently resulting in data leaks. A separate attack exposed user names and passwords in February of this year. 

In March of last year, OpenAI had to take ChatGPT completely down to fix a fault that exposed customers' payment information to other active users, including their first and last names, email IDs, payment addresses, credit card info, and the last four digits of their card number. 

Last December, security experts found that they could convince ChatGPT to release pieces of its training data by prompting the system to endlessly repeat the word "poem."

OpenAI has taken steps to enhance security since then, including additional safety measures and a Safety and Security Committee.

Read more »
Subscribe to: Posts (Atom)