SE
Security Harvester
https://t.me/secharvester
Channel age
Created
Language
English
0.65%
ER (week)
1.89%
ERR (week)

On X too! X.com/secharvesterx

Harvesting news about cyber security. Any questions? Ping @sergeybelove

Found 765 results
SE
Security Harvester
6 597 subscribers
1
Comprehensive 2025 Report: Software Security Market Trends and User Pain Points in China
https://medium.com/@insbug/software-security-market-demand-research-report-2025-edition-eed16c6eda3f:

1. This research project was initiated with the goal of systematically assessing the current demand landscape for software security among enterprise users, investigating tool usage patterns, identifying core pain points, and understanding future expectations.
2. Among these “blank slate” companies: This underscores a major opportunity for vendors: there remains a large group of potential first-time users who could be converted through basic education, simpler entry-level products, and affordability-focused solutions.
3. Operations engineers focused on: Executive decision-makers (CSO, CISO, CTO) displayed sensitivity toward: Implication: Sales and pre-sales strategies must be tailored to different audiences: The survey asked companies to estimate th...

@secharvester
27.04.2025, 21:00
t.me/secharvester/18860
Why App Stores Exist And Many Developers Never Welcome Them
https://programmers.fyi/why-app-stores-exist-and-many-developers-never-welcome-them:

1. The term sideloading is relatively new, but the approach was the standard way of installing software just before 20 years ago.
2. Those of you, who are as old as I am or even older, will remember the way we installed apps on Windows 3.1 or… -- -- I love technology, programming, computers, mobile devices and the world of tomorrow.
3. Check out kammerath.com and follow me on github.com/jankammerath Help Status About Careers Press Blog Privacy Rules Terms Text to speech

@secharvester
27.04.2025, 18:00
t.me/secharvester/18859
Research Findings: Leaked AWS & Stripe Keys Common in SPAs Hosted on Vercel?
https://www.cremit.io/blog/a-study-on-secret-exposure-cases-within-vercel-environment-frontend-code-aws-stripe-github-keys-were-exposed:

1. ), and depending on the IAM permission scope of the leaked key, possibilities range from simple S3 access to hijacking of entire cloud account management privileges, which can cause significant financial loss (e.g., cryptocurrency mining abuse) and data leakage or destruction.
2. The fact that mistakes occur despite service providers like AWS, Stripe clearly warning against including sensitive keys in client-side code in official documentation suggests the possible existence of structural problems such as a speed-first culture, lack of education and awareness, poor review processes, absence of automated safeguards, the paradox of developer experience (DX), etc.
3. Attackers can use the stolen key to call the Stripe API to ...

@secharvester
27.04.2025, 15:00
t.me/secharvester/18858
RomHack 2025 Call for Papers
https://cfp.romhack.io/romhack-2025/:

1. RomHack is an initiative by the non-profit association Cyber Saiyan, consisting of: The Conference features international speakers and attracts a global audience, with 800 attendees from 32 countries in 2024, making it one of Italy’s leading cybersecurity conferences.
2. - A live hacking event during the conference day (more details).
3. - A Training session in the days leading up to the event (details here).

@secharvester
27.04.2025, 12:00
t.me/secharvester/18857
Lazarus Group Breached Semiconductor and Software Firms in South Korea
https://cyberinsider.com/lazarus-group-breached-semiconductor-and-software-firms-in-south-korea/:

1. The attackers used a custom payload to exploit version 9.2.18.496 of the software, delivering malware across internal hosts without validation checks, and employing DLL sideloading to activate additional components like ThreatNeedle and LPEClient.
2. The Lazarus Group deployed several well-known malware strains, each updated with new capabilities: Additionally, the Agamemnon downloader introduced Tartarus-TpAllocInject-based reflective loading, a method derived from a lineage of open-source evasion tools, highlighting the attackers' deep understanding of anti-EDR tactics.
3. Both Cross EX and Innorix Agent are commonly mandated in sectors that value high-assurance security features, making them ideal vectors for nation-state attackers seeking to blend in with legitim...

@secharvester
27.04.2025, 06:00
t.me/secharvester/18856
Policy Puppetry Prompt Injection Technique
https://hiddenlayer.com/innovation-hub/novel-universal-bypass-for-all-major-llms/:

1. This includes models from OpenAI (ChatGPT 4o, 4o-mini, 4.1, 4.5, o3-mini, and o1), Google (Gemini 1.5, 2.0, and 2.5), Microsoft (Copilot), Anthropic (Claude 3.5 and 3.7), Meta (Llama 3 and 4 families), DeepSeek (V3 and R1), Qwen (2.5 72B) and Mistral (Mixtral 8x22B).
2. We emphasize the importance of proactive security testing, especially for organizations deploying or integrating LLMs in sensitive environments, as well as the inherent flaws in solely relying on RLHF (Reinforcement Learning from Human Feedback) to align models.
3. This threat shows that LLMs are incapable of truly self-monitoring for dangerous content and reinforces the need for additional security tools such as the HiddenLayer AISec Platform, that provide monitoring to detect and respond to malicious prompt injection attacks in real-time.

@secharvester
27.04.2025, 03:00
t.me/secharvester/18855
Chatter: Fake TLS, Real Chaos
https://xer0x.in/chatter-01/:

1. I’m back with another project that’s been eating up my coding hours: Chatter, a kinda-sorta stealthy server-client chat system designed to keep your communications secure and under the radar (that is the vision at least).
2. NGFWs are just glorified packet filters with extra marketing —-> layer 7 snake oil won’t save you if your rules are a dumpster fire and you do not have serious micro-segmentation.
3. These are the kinds of things you discover when you get breach attack simulation done by real hackers and not GRC human robots who barely understand what they are talking about.

@secharvester
26.04.2025, 21:00
t.me/secharvester/18854
End to End Encrypted Messaging in the News: An Editorial Usability Case Study
https://articles.59.ca/doku.php?id=em:sg:

1. From a place slightly to the side of the more popular path Recently (2025 March) a reporter was added to a Signal Messenger group intended for members of the United States of America (USA) government, apparently by accident.
2. Politics in the USA are incredibly partisan these days, so I run a significant risk of having readers from that country assume that this article is intended to support one of the factions.
3. It unfortunately prevents a regular key signing party where everyone just checks their number on a list and then proclaims that the mapping is correct, allowing everyone in the room to verify your identity at once.

@secharvester
26.04.2025, 18:00
t.me/secharvester/18853
The first publically shamed individual for leaking IDA Pro is now a Senior Security Engineer @ Apple
https://web.archive.org/web/20110903042133/https://hex-rays.com/idapro/hallofshame.html:

1. The link allowed anyone to download a complete version of IDA Pro 5.0 advanced, our main product, licensed to Paul Ashton, of BlueLane.
2. A simple "whois" request revealed that the "randorisecurity" web site belonged to Andre Derek Protas, a self-proclaimed IT security "expert".
3. Andre Protas' web site was basically freely accessible and it contained a full pirate copy of the most advanced version of our software.

@secharvester
26.04.2025, 15:01
t.me/secharvester/18852
The Cyberspace Force: A Bellwether for Conflict
https://jamestown.org/program/the-cyberspace-force-a-bellwether-for-conflict/:

1. The SSF abolished the bureau shortly after the reforms and transferred its assets to form a significant part of the newly-established Eastern TRB, despite Wuhan technically falling within the Southern Theater Command area of responsibility.
2. Composed of at least ten subordinate offices (处), this TRB maintains sites across the Southern Theater Command area of responsibility, including in Shenzhen, Shantou, Nanning, Kunming, Zhanjiang, Sanya, and Haikou (NJUers Employment Enlightening Development System, 2019; Peking University Student Careers Center, March 15, 2024).
3. The Central TRB is overwhelmingly concentrated in the Beijing area, maintaining at least six units across Haidian and Daxing districts, with additional sites in Xi’an, Jinan, Hohhot, Langfang, and Hanzhong (Haitou Net, March 10, 2023).

@secharvester
26.04.2025, 15:00
t.me/secharvester/18851
End to End Encrypted Messaging in the News: An Editorial Usability Case Study
https://articles.59.ca/doku.php?id=em:sg:

1. From a place slightly to the side of the more popular path Recently (2025 March) a reporter was added to a Signal Messenger group intended for members of the United States of America (USA) government, apparently by accident.
2. Politics in the USA are incredibly partisan these days, so I run a significant risk of having readers from that country assume that this article is intended to support one of the factions.
3. It unfortunately prevents a regular key signing party where everyone just checks their number on a list and then proclaims that the mapping is correct, allowing everyone in the room to verify your identity at once.

@secharvester
26.04.2025, 15:00
t.me/secharvester/18850
Major companies' online services crash in Ukraine over reported technical failures
https://kyivindependent.com/major-companies-online-services-crash-in-ukraine-due-to-technical-failures/:

1. During log-in to Diia, the message "Unfortunately, an error occurred" appears, which prevents Ukrainians from accessing services like digitized versions of various official documents, including their passport, driver's license, vehicle registration, or tax ID, registering a business or the birth of one's child on the app, and online marriages.
2. According to Kyiv City Administration, contactless fare payment at metro turnstiles is temporarily unavailable due to a technical failure at Oschadbank.
3. Last December, a massive Russian hacker attack on government databases containing sensitive personal information, including tax records and biometric data, temporarily restricted access to some of them.

@secharvester
26.04.2025, 12:00
t.me/secharvester/18849
Free Course: Cybersecurity for Everyone By University of Maryland
https://www.linkedin.com/pulse/free-course-cybersecurity-everyone-university-maryland-g3vjc:

1. Your instructor, Dr. Charles Harry, has served on the front lines with the NSA (National Security Agency) and as an expert advising corporate and institutional leaders on managing cybersecurity risk.
2. Cybersecurity for Everyone lays the groundwork to understand and explore the key issues facing policy makers attempting to manage the problem of cybersecurity, from its technical foundations to the domestic and international policy considerations surrounding governance, privacy, and risk management, to applications for achieving the goals of an enterprise, an institution, or a nation.
3. This course is designed for students with some or no background in information technology, whether a novice or active in the cybersecurity field (engineers and computer scientists will learn th...

@secharvester
26.04.2025, 12:00
t.me/secharvester/18848
CTO at NCSC Summary: week ending April 27th
https://ctoatncsc.substack.com/p/cto-at-ncsc-summary-week-ending-april-252:

1. In extreme cases they can be exploited by criminals and other harmful actors to track the physical location of individuals anywhere in the world.” - UK leading the globe here.. Ofcom closes technical loophole used by criminals to intercept mobile calls and texts - Guardian reports CyberAv3ngers: The Iranian Saboteurs Hacking Water and Gas Systems Worldwide - Wired reports - “Despite their hacktivist front, CyberAv3ngers is a rare state-sponsored hacker group bent on putting industrial infrastructure at risk—and has already caused global disruption.” Statement from Matt Hartman on the CVE Program - CISA states - ”To set the record straight, there was no funding issue, but rather a contract administration issue that was resolved prior to a contract lapse.
2. No single discipline can fully resolve AI governance chal...

@secharvester
26.04.2025, 09:00
t.me/secharvester/18847
Exploiting Undefined Behavior in C/C++ Programs for Optimization: A Study on the Performance Impact
https://web.ist.utl.pt/nuno.lopes/pubs.php?id=ub-pldi25:

1. Lucian Popescu and Nuno P. Lopes © The Authors, 2025.
2. Licensed under the Creative Commons Attribution 4.0 International License.
3. <-- Return

@secharvester
26.04.2025, 03:00
t.me/secharvester/18846
The Pains of Hardware Security: An Assessment Model of Real-World Hardware Security Attacks
https://ieeexplore.ieee.org/abstract/document/10966222:

1. A not-for-profit organization, IEEE is the world's largest technical professional organization dedicated to advancing technology for the benefit of humanity.© Copyright 2025 IEEE - All rights reserved.
2. Use of this web site signifies your agreement to the terms and conditions.

@secharvester
26.04.2025, 03:00
t.me/secharvester/18845
Ghosting AMSI: Cutting RPC to disarm AV
https://medium.com/@andreabocchetti88/ghosting-amsi-cutting-rpc-to-disarm-av-04c26d67bb80:

1. Unlike traditional AMSI bypass techniques — which typically involve patching functions like AmsiScanBuffer or setting internal flags such as amsiInitFailed—this approach operates at a lower level, evading detection by avoiding any modification to amsi.dll itself.
2. From the WinDbg traces, we observed: When AMSI encounters these specific error codes, it switches to ScanStatus=2 (fallback path) and automatically sets the result to AMSI_RESULT_NOT_DETECTED without performing actual security scanning.
3. The fallback mechanism — originally intended to gracefully handle situations where antimalware providers are unavailable — becomes exploited by the AMSI Ghosting technique through strategic patching of RPC functions.

@secharvester
25.04.2025, 21:00
t.me/secharvester/18844
Cookie-Bite: How Your Digital Crumbs Let Threat Actors Bypass MFA and Maintain Access to Cloud Environments
https://www.varonis.com/blog/cookie-bite#how-info-stealers:

1. These extensions, often disguised as legitimate tools, request excessive permissions that allow them to interact with web sessions, modify page content, and extract stored authentication data.
2. The method varies depending on the operating system and browser security model, with Windows relying on DPAPI encryption, while Linux and macOS use system-specific keychain mechanisms.
3. CAP evaluates factors such as user location, device compliance, OS versions, or client applications to dynamically enforce security controls, significantly reducing the risk of unauthorized access, even when credentials or sessions are compromised.

@secharvester
25.04.2025, 21:00
t.me/secharvester/18843
My TTP was published in the MITRE ATT&CK Framework. Let's goooooo
https://attack.mitre.org/techniques/T1564/014/:

1. Adversaries may abuse extended attributes (xattrs) on macOS and Linux to hide their malicious data in order to evade detection.
2. They are not visible through standard tools like Finder, ls, or cat and require utilities such as xattr (macOS) or getfattr (Linux) for inspection.
3. Monitor for execution of xattr or getfattr used to read extended attributes, immediately followed by interpreters or loaders (e.g., bash, python, perl, sh, base64) that appear to consume the output.

@secharvester
25.04.2025, 18:01
t.me/secharvester/18842
Austria Plans to Become Europe's Favourite Playground for Hackers
https://tim.kicker.dev/2025/04/25/austria-surveillance/:

1. Austria is discussing the idea of requiring messenger services to install backdoors to “improve security” and help fight crime.
2. Even a single backdoor dramatically lowers the bar for state-sponsored hackers, criminals, or bored teenagers to wreak havoc.
3. Instead of being known for Mozart, skiing, or schnitzel, we’ll soon join other unfortunate European countries in becoming famous as digital weak spots.

@secharvester
25.04.2025, 18:00
t.me/secharvester/18840
Remote Code Execution on Viasat Modems (CVE-2024-6198)
https://www.onekey.com/resource/security-advisory-rce-on-viasat-modems-cve-2024-6198:

1. They already had uploaded Viasat firmware to the platform, and when the daily monitoring run results came back, a few stack buffer overflows were identified in different binaries.
2. The full timeline follows: ONEKEY is the leading European specialist in Product Cybersecurity & Compliance Management and part of the investment portfolio of PricewaterhouseCoopers Germany (PwC).
3. CONTACT:Sara FortmannSenior Marketing Managersara.fortmann@onekey.com euromarcom public relations GmbHteam@euromarcom.de Explore ONEKEY Research Lab's security advisory detailing a critical vulnerability in Viasat modems.

@secharvester
25.04.2025, 18:00
t.me/secharvester/18841
Three new vulnerabilities found related to IXON VPN client resulting in Local Privilege Escalation (LPE) and [REDACTED] | Shelltrail - Swedish offensive security experts
https://www.shelltrail.com/research/three-new-cves-related-to-ixon-vpn-client-resulting-in-local-privilege-escalation/:

1. The following steps are shown in the upcoming image: Things to highlight here is that the OpenVPN conf need to successfully connect in order for the tls-verify script to execute.
2. Wouldn’t it be cool to use the arbitrary file delete privilege escalation technique trough Windows installer rollback as described in https://www.zerodayinitiative.com/blog/2022/3/16/abusing-arbitrary-file-deletes-to-escalate-privilege-and-other-great-tricks.
3. Sometimes, not every idea has to be sophisticated… Maybe a while loop in Powershell as a low privileged user which continuously copies our malicious OpenVPN conf to the predictable file location will result in ...

@secharvester
25.04.2025, 15:00
t.me/secharvester/18839
Black Basta Ransomware Leak: Key Findings and Insights
https://www.first.org/blog/20250321-black-basta-ransomware-leak:

1. The set of Russian-language messages was leaked on February 11 by a Telegram user known as "ExploitWhispers," who claimed the release was a response to the ransomware group targeting Russian banks.
2. In essence, using uncommon ports helps hackers evade detection, reduce the likelihood of triggering security alerts, and increase the chances of a successful exploitation.
3. Threat actors use platforms like Google and social media sites (such as LinkedIn, Zoominfo, and RocketReach) to identify a potential victim's annual revenue and employees.

@secharvester
25.04.2025, 12:00
t.me/secharvester/18838
SSL.com DCV Flaw Added Hostname of Approver's email Address to Verified Domains
https://bugzilla.mozilla.org/show_bug.cgi?id=1961406:

1. User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36 Edg/135.0.0.0 Steps to reproduce: SSL.com failed to conduct accurate domain validation control when utilizing the BR 3.2.2.4.14 DCV method (Email to DNS TXT Contact).
2. The Random Value MUST be sent to a DNS TXT Record Email Contact for the Authorization Domain Name selected to validate the FQDN.
3. For these two options, the DNS records must be properly configured as follows: Seo Suchan, You can register an account from here https://secure.SSL.com/account, and initialize a new evaluation session, they have free ssl to test.

@secharvester
25.04.2025, 09:00
t.me/secharvester/18837
CVE: The Big Vote of No Confidence
https://jericho.blog/2025/04/24/cve-the-big-vote-of-no-confidence/:

1. Rants of a Deranged Squirrel Yesterday, Matt Harman, CISA Acting Executive Assistant Director for Cybersecurity, issued a statement on the CVE program.
2. There is already a fair amount of commentary on LinkedIn, as well as blogs from Jen Easterly, Josh Bressers, the OpenSSF, and the newly created CVE Foundation.
3. We stand in alignment with CISA and this commitment to working together to ensure a resilient, trusted, and innovative CVE Program, which has a 25-year legacy of bringing some order to the chaos of cyber-security vulnerabilities.

@secharvester
25.04.2025, 06:00
t.me/secharvester/18836
Binary Ninja 5.0 (Gallifrey) is here with Union Support, Dyld Share Cache & Kernel Cache, Firmware Ninja, Auto Stack Arrays, Stack Structure Type Propagation, and so much more!
https://binary.ninja/2025/04/23/5.0-gallifrey.html:

1. We recently wrote up a detailed blog post covering these features, but here is a quick summary: Previously a plugin, we’ve re-implemented and integrated support for these various text-encodings commonly seen when dealing with firmware.
2. Name suggestions for data variables and functions are now generated more reliably and persist correctly across sessions, including compatibility fixes for BNDBs saved with older versions of Sidekick.
3. The example is built and shipped with paid editions of Binary Ninja and can be accessed in the Render Layers submenu in the hamburger menu in the upper-right corner of any graph or linear view.

@secharvester
25.04.2025, 03:01
t.me/secharvester/18835
io_uring Is Back, This Time as a Rootkit
https://www.armosec.io/blog/io_uring-rootkit-bypasses-linux-security/:

1. Luca Guerra quickly acknowledged the issue and informed us that they are working on delivering a plugin that will allow Falco users to create LSM hooks with eBPF.
2. We enabled endpoint protection and tried a range of techniques—including reading sensitive files, dropping the EICAR test malware, executing the XMRig crypto miner, and reaching out to a low-reputation network endpoint—but none of these actions were detected, regardless of whether io_uring was used.
3. The key advantage is that these LSM hooks are part of the kernel’s internal enforcement logic, meaning they are much harder to bypass through creative syscall avoidance techniques, like those employed by io_uring.

@secharvester
25.04.2025, 03:01
t.me/secharvester/18834
Safeguarding Seminar in London (Free) next week with Ryan Montgomery (Pentester) & UK Police (TOEX)
https://lu.ma/o8l0czf3:

1. This is part of the UK OSINT Community Seminar Series, hosted in partnership with Centre for Online-Safety, Safeguarding, Privacy and Identity (COSPI) at City University of London.
2. You'll hear from: Ryan Montgomery, Dark Web investigator & CTO of the Sentinel Foundation, an organisation that targets child traffickers, protects children and provides crisis response.
3. She's an experienced specialist intelligence analyst dedicated to identifying and analyzing online threats related to child safety, sex trafficking, and illegal immigration.

@secharvester
25.04.2025, 03:00
t.me/secharvester/18833
CVE: The Big Vote of No Confidence
https://jericho.blog/2025/04/24/cve-the-big-vote-of-no-confidence/:

1. Rants of a Deranged Squirrel Yesterday, Matt Harman, CISA Acting Executive Assistant Director for Cybersecurity, issued a statement on the CVE program.
2. There is already a fair amount of commentary on LinkedIn, as well as blogs from Jen Easterly, Josh Bressers, the OpenSSF, and the newly created CVE Foundation.
3. We stand in alignment with CISA and this commitment to working together to ensure a resilient, trusted, and innovative CVE Program, which has a 25-year legacy of bringing some order to the chaos of cyber-security vulnerabilities.

@secharvester
25.04.2025, 03:00
t.me/secharvester/18832
Spring Security CVE-2025-22234 Introduces Username Enumeration Vector
https://www.herodevs.com/vulnerability-directory/cve-2025-22234:

1. An Information Exposure vulnerability (CVE-2025-22234) has been identified in spring-security-crypto from Spring Security, which broke the timing attack mitigation.
2. Spring Security mitigates this issue by always performing a password check, regardless of whether the user exists in the system or not.
3. This change could potentially be exploited to reveal information about the service, such as the password encoder in use or measuring user lookup time.

@secharvester
24.04.2025, 21:00
t.me/secharvester/18831
How Hackers Use NMAP to Analyze Network Vulnerabilities
https://darkmarc.substack.com/p/mapping-the-cyber-battlefield-how:

1. Understanding the devices present on the network is essential for strategizing subsequent actions—whether that involves executing further attacks, moving laterally within the system, escalating privileges, or identifying pathways to high-value targets that hold sensitive data.
2. Severity of Alerts: Depending on the configuration of the IDS/IPS, a proactive network monitoring system may detect this behavior as potential reconnaissance or scanning activity, especially if it deviates significantly from normal traffic patterns.
3. Unlike stealth scans, this approach generates more noticeable traffic, increasing the chance of triggering alerts in intrusion detection systems if the activity is perceived as anomalous or excessively verbose.

@secharvester
24.04.2025, 21:00
t.me/secharvester/18830
M&S takes systems offline as 'cyber incident' lingers
https://www.theregister.com/2025/04/24/marks_spencer_outage_ongoing/:

1. The clothing, homeware, and produce purveyor told customers in an update on Wednesday evening that Click & Collect orders were also suspended until further notice, and that they should expect delays to home deliveries too.
2. M&S hasn't confirmed either way whether ransomware was involved, despite The Register's inquiries, but the detail aligns with the company's initial disclosure that stated it was taking actions to protect its network.
3. Though it may not live long in the memory of the non-technical folks, the British Library's response to its ransomware attack is routinely lauded by those in the security industry as an example of effective crisis communication.

@secharvester
24.04.2025, 21:00
t.me/secharvester/18829
GitHub potential leaking of private emails and Hacker One
https://omarabid.com/hacker-one:

1. @omarabid|Thursday, April 24, 2025 A bit over a month ago, I was crawling GitHub’s API while working on code input (—it is still in beta).
2. I was compiling a list of repositories and pull requests to identify those with merge conflicts.
3. The API still leaks emails for select profiles, and HackerOne’s dismissal—despite documented evidence—leaves the issue unresolved.

@secharvester
24.04.2025, 18:01
t.me/secharvester/18828
2 New UAF Vulnerabilities in Chrome
https://ssd-disclosure.com/ssd-advisory-miracleptr-sandbox/:

1. In the wild exploit targeting Chrome, UAF within the Browser process have frequently been a key vector for sandbox escapes.
2. MiraclePtr is a protection mechanism designed to prevent UAF in the Browser process and is now widely deployed across key components.
3. BRP is a reference counting based mitigation technique that leverages Chrome’s custom heap allocator, PartitionAlloc.

@secharvester
24.04.2025, 18:01
t.me/secharvester/18827
Heading to RSA? We collected 140+ events to make it easy to find the best events!
http://hackerparties.com:

1. HACKER PARTIES APR 25 - MAY 01 2025 HACKER PARTIES APR 25 - MAY 01 2025 HACKER PARTIES APR 25 - MAY 01 2025 Submit your event Submit your event 25 April 27 April 28 April 29 April 30 April 1 May 25 27 28 29 30 1 // Friday // Friday // Friday // SUNDAY // SUNDAY // SUNDAY // MONDAY // MONDAY // MONDAY // TUESDAY // TUESDAY // TUESDAY // WEDNESDAY // WEDNESDAY // WEDNESDAY // THURSDAY // THURSDAY // THURSDAY Send us a link to your event and we will add it!
2. Submit Submit MADE WITH 💙 BY Collaborate With Us MADE WITH 💙 BY Collaborate With Us MADE WITH 💙 BY Collaborate With Us

@secharvester
24.04.2025, 18:00
t.me/secharvester/18826
Fire In The Hole, We’re Breaching The Vault - Commvault Remote Code Execution (CVE-2025-34028) - watchTowr Labs
https://labs.watchtowr.com/fire-in-the-hole-were-breaching-the-vault-commvault-remote-code-execution-cve-2025-34028/:

1. As we pack our bags and prepare for the adult-er version of BlackHat (that apparently doesn’t require us to print out stolen mailspoolz to hand to people at their talks), we want to tell you about a recent adventure - a heist, if you will.
2. No heist story is ever complete without a 10-metre thick steel door vault, silent pressure sensors beneath marble floors and laser grids slicing the air like spiderwebs — befitting of a crew reckless enough to think they can beat it all.
3. We've previously, publicly and privately, analysed vulnerabilities in various ‘Backup and Replication’ platforms, including those offered by Veeam and NAKIVO - both of which have struggled to avoid scrutiny and in some cases, even o...

@secharvester
24.04.2025, 15:00
t.me/secharvester/18825
GitHub potential leaking of private emails and Hacker One
https://omarabid.com/hacker-one:

1. @omarabid|Thursday, April 24, 2025 A bit over a month ago, I was crawling GitHub’s API while working on code input (—it is still in beta).
2. I was compiling a list of repositories and pull requests to identify those with merge conflicts.
3. The API still leaks emails for select profiles, and HackerOne’s dismissal—despite documented evidence—leaves the issue unresolved.

@secharvester
24.04.2025, 15:00
t.me/secharvester/18824
The Most Dangerous Hackers You’ve Never Heard Of [Wired Feature]
https://www.wired.com/story/most-dangerous-hackers-youve-never-heard-of/:

1. From crypto kingpins to sophisticated scammers, these are the lesser-known hacking groups that should be on your radar.
2. WIRED may earn a portion of sales from products that are purchased through our site as part of our Affiliate Partnerships with retailers.
3. The material on this site may not be reproduced, distributed, transmitted, cached or otherwise used, except with the prior written permission of Condé Nast.

@secharvester
24.04.2025, 12:00
t.me/secharvester/18823
FBI: US lost record $16.6 billion to cybercrime in 2024
https://www.bleepingcomputer.com/news/security/fbi-us-lost-record-166-billion-to-cybercrime-in-2024/:

1. "Fraud represented the bulk of reported losses in 2024, and ransomware was again the most pervasive threat to critical infrastructure, with complaints rising 9% from 2023," said B. Chad Yarbrough, the FBI's Operations Director for Criminal and Cyber.
2. "Regarding ransomware adjusted losses, this number does not include estimates of lost business, time, wages, files, or equipment, or any third-party remediation services acquired by an entity," the IC3 report warns.
3. Register now for CTM360's Community Edition Learn why identity attacks were the #1 threat facing organizations in 2024 Enhancing your DevSecOps with Wazuh, the open source XDR platform Rethinking Automated Penetration Testing: Why Validation Changes Everything Terms of Use - Privacy Policy - Ethics Statement - Af...

@secharvester
24.04.2025, 06:00
t.me/secharvester/18822
Verizon's 2025 DBIR is out!
https://www.verizon.com/business/resources/reports/dbir/:

1. Read the complete report for an in-depth, authoritative analysis of the latest cyber threats and data breaches.
2. of breaches were linked to third-party involvement, twice as much as last year, and driven in part by vulnerability exploitation and business interruptions increase in attackers exploiting vulnerabilities to gain initial access and cause security breaches compared to last year's report of perimeter-device vulnerabilities were fully remediated by organizations in the past year, while almost half remained unresolved of all breaches analyzed showed ransomware was present, marking a notable rise from last year’s report Learn from renowned cybersecurity experts as they reveal the latest threats uncovered in the 2025 DBIR, along with innovative strategies to help combat them.
3. Learn from our expert panelists as they share proactive defense...

@secharvester
24.04.2025, 03:00
t.me/secharvester/18821
How a 20 year old bug in GTA San Andreas surfaced in Windows 11 24H2
https://cookieplmonster.github.io/2025/04/23/gta-san-andreas-win11-24h2-bug/:

1. Funny enough, you can still kind of make out the shape of the plane even though the animations give up completely to the inaccuracies of the floating point values: But, enough messing around; now I knew it was a real bug and I needed to figure out the root cause.
2. Upon entering the seaplane, the game froze in a very small loop in CPlane::PreRender, attempting to normalize the rotor blade angle to the 0-360 degree range: In the debugged session, this->m_fBladeSpeed was 3.73340132e+29.
3. I set up an experiment where I broke into a debugger before a sscanf call when parsing Skimmer’s line (vehicle ID 460) specifically, and the observed variable values supported that claim.

@secharvester
23.04.2025, 21:00
t.me/secharvester/18820
Released: MITRE ATT&CK v17.0, now with ESXi attack TTPs
https://www.helpnetsecurity.com/2025/04/23/released-mitre-attck-v17-0-now-with-esxi-attack-ttps/:

1. MITRE has released the latest version of its ATT&CK framework, which now also includes a new section (“matrix”) to cover the tactics, techniques and procedures (TTPs) used to target VMware ESXi hypervisors.
2. “While we initially considered creating a broader type-1 hypervisor platform, in the wild reporting on adversaries has been heavily focused on ESXi,” explained Amy L. Robertson, principal cyber threat intelligence engineer at MITRE.
3. “The virtualization landscape will continue to change, and while ESXi’s role may shift, attackers have been actively leveraging its capabilities, especially in ransomware and persistent access campaigns.

@secharvester
23.04.2025, 21:00
t.me/secharvester/18819
Stealing the Future: Infostealers Power Cybercrime in 2025
https://www.infostealers.com/article/private-stealing-the-future-infostealers-power-cybercrime-in-2025/:

1. This article for Infostealers.com synthesizes insights from Verizon’s 2025 Data Breach Investigations Report (DBIR), IBM’s X-Force Threat Intelligence Index 2025, and perspectives from cybersecurity leaders like Check Point, Hudson Rock, Huntress, Recorded Future, CrowdStrike, SpyCloud, Sophos, and Mandiant.
2. IBM notes, “Threat actors have shifted to using cloud hosting services to facilitate mass phishing campaigns,” exploiting trusted platforms like Microsoft Azure Blob Storage to evade detection.
3. The Verizon 2025 DBIR, IBM X-Force Threat Intelligence Index 2025, and insights from Check Point, Huntress, Recorded Future, CrowdStrike, SpyCloud, Sophos, and Mandiant reveal their surging volume and sophistication, targeting SMBs, healthcare, and technology sectors.

@secharvester
23.04.2025, 18:00
t.me/secharvester/18817
Malicious npm Package Impersonating Popular Express Cookie Parser
https://safedep.io/malicious-npm-package-express-cookie-parser/:

1. This is a unique malicious npm sample that does not depend on pre- or post-install hooks.
2. However, it was minified and obfuscated to make it harder to read and analyze by humans or static analysis tools.
3. This talk highlights a case study of using policy as code for setting up guardrails This is a '#buildinpublic' update for SafeDep Cloud Development.

@secharvester
23.04.2025, 18:00
t.me/secharvester/18816
The State of Authorization - 2025
https://www.permit.io/blog/state-of-authorization-2025:

1. The high number of custom implementations points to another common reality: Most teams aren't building their own auth layers because they want to—they're doing it because existing tools don’t fit cleanly into their architecture or workflow.
2. While RBAC still dominates, the survey data shows growing interest in more expressive and flexible models, particularly relationship and attribute-based access control.
3. Implementing premium features like secure collaboration, scoped access, or approval workflows often requires a level of flexibility that most in-house solutions can’t easily support.

@secharvester
23.04.2025, 12:00
t.me/secharvester/18813
Does your phone eavesdrop to target ads? A Samsung engineer and Korean regulators weigh in
https://www.koreaherald.com/article/10471900:

1. “But doing that in secret would be a massive legal risk — and likely detected quickly in markets with strict privacy laws, like Korea or the EU.” But again, professor Park emphasized that the real concern might not be hidden microphones — it’s invisible modeling.
2. The real privacy problem That’s why the phone-listening myth, while mostly inaccurate, distracts from a more pressing reality: tech companies can infer a disturbing amount of personal information about you through legal, behind-the-scenes data analysis — and you might never know how or why it was done.
3. South Korea seeks tariff relief in high-level trade talks with US Flexible work schedules for S. Korean parents only 1/3 of EU levels, study warns Is Yongsan's brief time as seat of presidency coming to an end?

@secharvester
23.04.2025, 12:00
t.me/secharvester/18812
Local privilege escalation on Zyxel USG FLEX H Series (CVE-2025-1731)
https://security.humanativaspa.it/local-privilege-escalation-on-zyxel-usg-flex-h-series-cve-2025-1731/:

1. See also his advisory at: Because of my previous research on Zyxel appliances, after discovering a remote command execution vulnerability in the latest USG FLEX H Series (CVE-2025-1731), Alessandro Sgreccia contacted me to ask for help with finding local privilege escalation vectors.
2. Since USG FLEX H Series devices are based on a new AArch64 hardware and ship with a completely revamped Linux-based operating system (Zyxel uOS) that is supposed to be “secure by default” (a claim reminiscent of Oracle’s “unbreakable” marketing campaign in the days of yore), I couldn’t resist giving it a try… I quickly identified a viable privilege escalation vector related to the Recovery Manager functionality (CVE-2025-1732) that was reported to the vendor by Alessandro togethe...

@secharvester
23.04.2025, 09:00
t.me/secharvester/18811
ATT&CK v17: New Platform (ESXi), Collection Optimization, & More Countermeasures
https://medium.com/mitre-attack/attack-v17-dfb59eae2204:

1. This release continues our focus on capturing impactful intrusions, from cybercriminal campaigns to state-directed espionage, showcasing how adversaries combine social engineering alongside custom implants, share and reuse infrastructure, and constantly improve their encryption and evasion techniques.
2. We included two other PRC-linked groups, G1042: RedEcho, who reuses S0596: ShadowPad and shares infrastructure with G0096: APT41 to persist in India’s critical sectors, and G1047: Velvet Ant, who exploits zero-days in devices like Cisco Nexus switches to implant custom backdoors and maintain long-term access.
3. In Australia and Southeast Asia, C0049: Leviathan and C0047: RedDelta used credential theft and lateral movement to quietly extract sensitive data in long-running intrusions, and in espion...

@secharvester
23.04.2025, 06:00
t.me/secharvester/18809
Analyzing Dark Web Malware
https://blas.me/analyzing-dark-web-malware:

1. Despite this, we have enough to get started with a report since the VT sandboxes did find Network Based Indicators, and we know the sample loads something in memory, but now we want to validate our hunches and have absolute concrete proof to explain why we feel this is an in-memory dropper.
2. Copying snippets of code and running them in isolation is a common strategy when analyzing .NET samples since it can spare you having to debug the entire program from the beginning to trigger the right conditions for decryption.
3. We would know for sure with either more time or through dynamic analysis, but from experience we can tell that an embedded resource that looks like a bunch of noise in a sample that is an in-memory dropper strongly suggests it is a second stage payload, in this case likely encrypted with BabelVm.

@secharvester
23.04.2025, 03:00
t.me/secharvester/18808
Glitching STM32 Read Out Protection - Anvil Secure
https://www.anvilsecure.com/blog/glitching-stm32-read-out-protection-with-voltage-fault-injection.html:

1. However, when RDP is activated, this operation is effectively blocked, ensuring the confidentiality of the device's memory contents. To gain insights into this feature’s underlying implementation on the target, a reverse-engineering approach was applied to the system bootloader.
2. This direct connection makes them ideal candidates for precise VFI. As previously mentioned, VFI is recognized as a particularly powerful technique that is widely employed by testers during security assessments of devices.
3. Subsequently, the firmware can be read, obtaining all the secrets in it: Glitching is inherently unpredictable and non-deterministic, with variables such as temperature, wire length, and environmental conditions significantly affecting the outcome.

@secharvester
23.04.2025, 03:00
t.me/secharvester/18807
New Pacu Module: Secret Enumeration in Elastic Beanstalk
https://rhinosecuritylabs.com/tools/new-pacu-module-enumerating-elastic-beanstalk/:

1. Environment properties allow developers to pass configuration details like database credentials or API keys directly into applications at runtime.
2. Similarly, the application’s source code (which Elastic Beanstalk bundles and stores in an S3 Bucket) may contain hardcoded secrets like API tokens or even AWS access keys.
3. In the scenario, you are provided with low-privileged AWS credentials, tasked with enumerating and exploiting the Elastic Beanstalk environment, and elevating your privileges to capture the final flag.

@secharvester
22.04.2025, 21:00
t.me/secharvester/18805
Why RAG is Crucial For LLM Analysis Workflows
https://peytoninthefog.substack.com/p/ai-agents-why-rag-is-crucial-for:

1. For many industry verticals Large Language Models (“LLMs”) have replaced the need for Google by directly providing the answer versus the previous status quo of “you figure it out with these 10 blue links”.
2. An LLM’s training set is often several months old at a minimum, meaning it lacks recent cybersecurity information and insights, frequently leading to hallucinations and inaccurate responses.
3. While this cadence will likely improve over time as compute becomes cheaper, for the foreseeable future foundational LLMs will not have up to date cybersecurity information, resulting in hallucinations and incorrect answers.

@secharvester
22.04.2025, 21:00
t.me/secharvester/18804
Hack Your Way In - Web CTF Challenge
https://openprocessing.org/sketch/2620681:

1. This sketch is created with an older version of Processing, and doesn't work on browsers anymore.
2. Since 2008, OpenProcessing has provided tools for creative coders to learn, create, and share over a million open source projects in a friendly environment.
3. Niche websites like ours need your continued support for future development and maintenance, while keeping it an ad-free platform that respects your data and privacy!

@secharvester
22.04.2025, 18:00
t.me/secharvester/18803
Zoom's Remote Control Feature Exploited in ELUSIVE COMET Attacks
https://cyberinsider.com/zooms-remote-control-feature-exploited-in-elusive-comet-attacks/:

1. In addition to news, we also publish in-depth guides and resources.See our Mission > A new campaign by ELUSIVE COMET, a threat actor responsible for large-scale cryptocurrency thefts, exploits Zoom's remote control feature through social engineering.
2. The request, routed through unofficial Calendly links and Gmail addresses, exhibited suspicious traits — such as avoiding email communication and mimicking legitimate business workflows — that raised red flags for the security-conscious executive.
3. The firm traced the origin to ELUSIVE COMET, a threat actor previously linked to the $1.5 billion Bybit breach earlier this year, which similarly relied on human error over code flaws.

@secharvester
22.04.2025, 18:00
t.me/secharvester/18802
Deceptive Browser Extensions within the Google Store - AI Slop
https://dti.domaintools.com/deceptive-browser-extensions-google-store-ai-slop/?utm_source=Reddit&utm_medium=Social&utm_campaign=BrowserExtensions-AISlop:

1. Risk, then, is the shadow cast by these deceptive extensions, a reminder of the potential cost of their transient existence – the loss of privacy, the compromise of personal information, the erosion of trust in the digital tools we rely upon.
2. This story is a reminder that the digital world, like the natural one, is in constant flux, and our experience within it is shaped by this delicate and ever-shifting balance between aspiration and risk, between the fleeting beauty of innovation and the enduring need for security.
3. The generic stock imagery, boilerplate text, and superficial explanations of extension functionality, align with the definition, indicating a potential reliance on automated AI generation rather than...

@secharvester
22.04.2025, 18:00
t.me/secharvester/18801
Windows Defender antivirus bypass in 2025 - Part 2
https://www.hackmosphere.fr/bypass-windows-defender-antivirus-2025-part-2/:

1. It is up to you to make it work again by adding (often minor) modifications to it (hint: look into threatcheck.exe) 😊 Our approach relies on several pillars: Now that the lab is ready and the first injection done, let’s get started with evasion!
2. Some people use more advanced encryption methods such as AES, which works great but is not really needed as long as the shellcode’s original form is completely altered, using a unique key.
3. Antivirus software often looks at it for static detection because it provides crucial insights into how a potentially malicious program interacts with system libraries and other code.

@secharvester
22.04.2025, 12:00
t.me/secharvester/18799
UN warns of massive cyberscams spreading across the world
https://www.dw.com/en/un-warns-of-massive-cyberscams-spreading-across-the-world/a-72304457:

1. Asian crime networks behind the multi-billion-dollar cyberscam industry are expanding their operations globally, the UN warned in a report released on Monday, adding that the official clampdown in Southeast Asia is failing to contain them.
2. According to the United Nations Office on Drugs and Crime (UNODC), cyberscams are now a sophisticated global industry, featuring sprawling compounds housing tens of thousands of mostly trafficked workers who are forced to con other people online.
3. While the activity had largely been focused on the border areas in Myanmar, a country torn by civil war, and dubious "special economic zones" set up in Cambodia and Laos, UNODC reported networks are expanding their operations to South America, Africa, the Middle East, Europe and some Pacific islands.

@secharvester
22.04.2025, 03:00
t.me/secharvester/18797
Urgent alert issued to 1.8 billion Gmail users over a sophisticated attack targeting personal data.
https://www.dailymail.co.uk/sciencetech/article-14631849/warning-google-gmail-users-attack-personal-information.html:

1. In a statement to DailyMail.com, a Google spokesperson said: 'We're aware of this class of targeted attack from this threat actor and have rolled out protections to shut down this avenue for abuse.
2. The company added that it has shut down the mechanism that allowed this method of attack to work, and recently shared guidance on spotting and avoiding email scams.
3. Phishing messages typically use a generic greeting, inform you that there is an urgent issue that cannot be resolved without your action, and invite you to click on a link.

@secharvester
21.04.2025, 21:00
t.me/secharvester/18796
Wrote a blog explaining V8 parser workflow with a CVE as a case study.
https://w1redch4d.github.io/post/parser-workflow/:

1. Here is the video of the callstack for a better understanding: Now, the core issue arises from the misuse of lexical tracking mechanisms during the parsing and scope resolution of the this keyword within certain special constructs—specifically, class static blocks.
2. When the this keyword is encountered during the parsing of code inside an arrow function, and prior to the actual allocation of its lexical scope, a mechanism is employed where references to this are deferred via the ExpressionScope chain.
3. Yet, since the static block is not currently being treated as a boundary or terminator in the ExpressionScope chain (i.e., not being recognized as a scope that should stop the upward propagation of this usage), any this reference within it is mistakenly marked as an access to an outer lexical this.

@secharvester
21.04.2025, 18:00
t.me/secharvester/18795
IoT Network Security: Analyzing Decrypted Zigbee Traffic Data
https://rackenzik.com/enhancing-iot-network-security-and-performance-insights-from-decrypted-zigbee-traffic-data/:

1. IoT networks facilitate automation by allowing devices to communicate, monitor, and execute tasks autonomously, improving energy efficiency, security, and convenience.
2. Zigbee is a widely adopted low-power wireless communication protocol designed for IoT networks, particularly in smart homes, industrial automation, and medical applications.
3. Some of its key advantages include: The study highlights Zigbee’s ability to maintain network integrity through mesh connectivity, ensuring consistent data transmission across smart homes and industrial environments.

@secharvester
21.04.2025, 15:00
t.me/secharvester/18794
APKTool MCP Server
https://github.com/zinja-coder/apktool-mcp-server:

1. )” “Get metadata about the project dvac from its apktool.yml.” “Check which APKTool version is currently installed on the server.” Make sure Claude Desktop is running with MCP enabled.
2. This project is an MCP Server for Apktool, an amazing open-source Android reverse engineering tool created and maintained by @iBotPeaches.
3. Any misuse of these tools for unauthorized reverse engineering, infringement of intellectual property rights, or malicious activity is strictly prohibited.

@secharvester
21.04.2025, 12:00
t.me/secharvester/18793
Suspicious Cisco-like binary found in AppData – likely stealth malware, dumped to GitHub
https://github.com/fourfive6/voldemort-cisco-implant:

1. In-the-wild malware sample masquerading as Cisco Webex – April 2025. All files are renamed to prevent accidental execution.
2. Whether this sample is a fork, evolution, or unreported sibling remains unclear — but its stealth, impersonation, and delivery method are consistent with state-grade implants historically linked to Langley-based interests.
3. If you're a researcher, analyst, or journalist interested in further context or forensic logs, feel free to open an issue or email anonymously.

@secharvester
21.04.2025, 09:00
t.me/secharvester/18792
Emulate hash functions in IDA with Unicorn — hash-resolver (x86/x64, CLI + GUI)
https://github.com/moreveal/hash-resolver:

1. Resolve hashed API names by emulating the hashing function in-place using Unicorn Engine + IDA integration.
2. Designed for reverse engineers dealing with obfuscated malware, shellcode, or custom loaders.
3. Make sure you're using the same Python version as IDA (e.g. Python 3.10) Use from CLI: Integrate with IDA: Then open a binary in IDA → right click a hash function → Resolve hash for this function CLI tests run in subprocesses to validate emulation MIT, do what you want.

@secharvester
21.04.2025, 03:00
t.me/secharvester/18791
XSerum - Web Attack Payload Generator
https://github.com/gh0st359/xserum:

1. It supports a wide range of attack types including XSS, CSRF, HTML Injection, CSP Bypass, and more — with advanced obfuscation techniques and customizable output formats.
2. It enables rapid creation of web attack payloads including XSS, CSRF, HTML Injection, DOM-based exploits, and more — with advanced obfuscation layers and output options.
3. It supports a wide range of attack types including XSS, CSRF, HTML Injection, CSP Bypass, and more — with advanced obfuscation techniques and customizable output formats.

@secharvester
21.04.2025, 03:00
t.me/secharvester/18790
CTO at NCSC Summary: week ending April 20th
https://ctoatncsc.substack.com/p/cto-at-ncsc-summary-week-ending-april-c57:

1. While the scope and impact remains unconfirmed, the nature of the reported activity presents potential risk to organizations and individuals, particularly where credential material may be exposed, reused across separate, unaffiliated systems, or embedded (i.e., hardcoded into scripts, applications, infrastructure templates, or automation tools).” Peters and Rounds Introduce Bipartisan Bill to Extend Information Sharing Provisions that Help Address Cybersecurity Threats - U.S.
2. But that's precisely why responsible disclosure and collaborative security practices matter more than ever.” CaMeL offers a promising new direction for mitigating prompt injection attacks - Simon Willison analyses - “The new DeepMind paper introduces a system called CaMeL (short for CApabilities for MachinE Learning) … It works by taking a ...

@secharvester
20.04.2025, 21:00
t.me/secharvester/18789
Built an AI-powered OSINT tool that simulates automated HUMINT on Reddit. Would love input from anyone in cyber, policy, or natsec.
https://v.redd.it/obct27xphkve1:

1. Hey folks, I'm in college rn and recently built a prototype OSINT system that blends AI, behavioral analytics, and automated human intelligence (HUMINT) on Reddit.
2. Generates structured intelligence reports that include behavioral archetypes, potential ideological affiliations, trigger maps, and next-step recommendations.
3. PRISMx also explores the ethical edge: The same architecture used to detect and de-escalate radicalization can theoretically escalate it — by mirroring belief, reinforcing grievance, or subtly introducing polarizing frames.

@secharvester
20.04.2025, 18:00
t.me/secharvester/18788
TikTok Virtual Machine Reverse Engineering
https://github.com/LukasOgunfeitimi/TikTok-ReverseEngineering:

1. We can make this readable by: We can do this by using the AST form of the script via bapel as seen here Which gives us ems2 When debugging the Virtual Machine later and seeing which function it uses I was able to tell what it's doing and changed some of the var names.
2. The Virtual Machine part of the script, specifically when executing the bytecode, is a massively nested if-else statement as seen here It is actually just a normal switch case but has been disguised pretty well.
3. NOTE: The string was gZip-ed and each value was leb128 encoded, both for compression. TikTok is using a full-fledged bytecode VM; if you browse through it, it supports scopes, nested functions and exception handling.

@secharvester
20.04.2025, 15:00
t.me/secharvester/18787
How A Hacker Used My Staging Environment for Phishing
https://blog.abdu.dev/how-a-hacker-used-my-staging-environment-for-phishing-839daf6dd05c?source=friends_link&sk=cdd18c34f9d09cd2e90551a1fa57cbbc:

1. Not because it was brilliant or something but because the hacker found my staging server which has a very weird long name including random numbers like this one: “http://editor-1733357790454.wpmt.test/” Note: This article is ONLY for educational purposes.
2. I have been working for the past months with a client building an advanced self-hosted WordPress multi-tenancy solution.
3. Each tenant can have a domain but it gets an immediate sub-domain with the following format: But I wanted to deploy my solution on a staging server so that the client can test and try it out.

@secharvester
20.04.2025, 12:00
t.me/secharvester/18786
One Tech Tip: Locking down your device when crossing borders
https://apnews.com/article/internet-privacy-smartphones-travel-e0a3146ae7966ea0e4157dbfae1f6a81:

1. “While 100% privacy may be impossible in these situations, there are a few things you can easily do that make it much harder for someone to see your private data even with physical access to your device,” said Patricia Egger, head of security at encrypted service Proton Mail.
2. Most modern phones and some laptops encrypt their data using strong cryptographic keys only accessible when the user unlocks it with the passcode, said Will Greenberg, the EFF’s senior staff technologist.
3. Even though content is mainly stored on a social media company’s servers, Cope says some posts or images might remain on your phone’s memory cache and therefore viewable even in airplane mode.

@secharvester
20.04.2025, 06:00
t.me/secharvester/18785
b3rito/b3acon: b3acon - a mail-based C2 that communicates via an in-memory C# IMAP client dynamically compiled in memory using PowerShell.
https://meterpreter.org/b3acon-in-memory-c-imap-c2-over-email/:

1. Published April 19, 2025 · Updated April 19, 2025. b3acon is a mail-based C2 that uses an in-memory, dynamically compiled C# IMAP client via PowerShell.
2. You (the operator) create a draft email: The script runs on the target system and: Output delivery: To issue new commands: The project includes a self-contained HTML file that lets you generate scripts via browser.

@secharvester
20.04.2025, 03:00
t.me/secharvester/18784
Hacking US crosswalks to talk like Zuck is as easy as 1234
https://www.theregister.com/2025/04/19/us_crosswalk_button_hacking/:

1. Crosswalk buttons in various US cities were hijacked over the past week or so to – rather than robotically tell people it's safe to walk or wait – instead emit the AI-spoofed voices of Jeff Bezos, Elon Musk, and Mark Zuckerberg.
2. Similar hacks were spotted, or rather heard, in Silicon Valley, where crosswalk buttons have been made to spout AI-generated voices impersonating Mark Zuckerberg, Elon Musk, and Donald Trump telling the SpaceX oligarch to "come back to bed."
3. "Polara presumably made for an appealing target because they have a wireless management interface by Bluetooth, they have a huge market share, and the results are hilariously public in the form of spoken voices on every corner," Ollam told The Register.

@secharvester
20.04.2025, 03:00
t.me/secharvester/18783
Need a little help reverse engineering a steam game (non unity/unreal)
https://store.steampowered.com/app/618080/Martial_Arts_Brutality/:


@secharvester
19.04.2025, 21:00
t.me/secharvester/18782
Chainalysis Successful Deanonymization Attack on Monero
https://darkwebinformer.com/chainalysis-successful-deanonymization-attack-on-monero-2/:

1. Chainalysis: Countermeasures. From what we have mentioned above, let's break the same points down to the potential, currently available and easily applicable countermeasures: An example of the combined deanonymization attack against the Monero users – who is Joe: Joe sits at home and connects to Tor from his home router.
2. Chainalysis contacted the US and German ISPs and they sent them their required data from April 1st 2024, 12:00AM, and they focus on Tor users, which is nicely visible.
3. So if you were using the public remote nodes, or even plus you were sending the transactions from the IP linked to your RL identity, consider yourself potentially compromised down to your home address.

@secharvester
19.04.2025, 12:00
t.me/secharvester/18781
15,000 lines of verified cryptography now in Python
https://jonathan.protzenko.fr/2025/04/18/python.html:

1. The presence of option types in the source compiles to tagged unions in the generated C; this is a little verbose, and we may change our definition of a piece of state to feature a has_failed run-time function that can assess whether a memory allocation failed, at the expense of more complexity and verification effort.
2. Later on, once it became clear that the upstream code was maintainable and pretty stable, that pile of seds was eliminated, on the basis that it’s not the end of the world if a header contains a few extra definitions, and it all makes maintenance easier.
3. Now, anyone who wishes to refresh HACL* can run the shell script in their checkout of Python, and provided they tweak the expected hash in Python’s SBOM (software bill of materials), they are good to go and can integrate the latest improvements.

@secharvester
19.04.2025, 09:00
t.me/secharvester/18780
A Battlefield Named Isfahan: Targeted Use of IMSI-Catchers and Surveillance Cameras to Enforce the Chastity and Hijab Law
https://filter.watch/english/2025/04/17/investigated-report-isfahan-targeted-with-imsi-catchers-and-surveillance-cameras/:

1. The combined use of IMSI-Catchers, contactless card readers, and surveillance cameras—along with access to government databases and the cooperation of telecom operators—has created a powerful, multilayered tool to systematically violate women’s rights through identification, tracking, and intimidation of those who choose voluntary dress.
2. The history of state control over Iran’s telecommunications and systems like “SIAM,” a web program for remotely manipulating cellular connections, developed by the Communications Regulatory Authority, has the technical ability to force network downgrades from 3G/4G/5G to 2G, which is required for such attacks.
3. One recipient told Filterwatch that during ...

@secharvester
19.04.2025, 06:00
t.me/secharvester/18779
CVE-2025-25364: Speedify VPN macOS Privilege Escalation
https://blog.securelayer7.net/cve-2025-25364-speedify-vpn-macos-escalation/:

1. March 21, 2025. SecureLayer7 discovered CVE-2025-25364, a critical command injection vulnerability in the me.connectify.SMJobBlessHelper XPC service, a privileged helper tool used by Speedify VPN on macOS.
2. On the website the current version is 15.4.1, which patched the vulnerability by rewriting the whole helper tool and not using the XPC API written in C without any verification.
3. For expert guidance on vulnerability management and/or penetration testing services contact SecureLayer7 to leverage tailored solutions and stay ahead of evolving security risks.

@secharvester
19.04.2025, 03:00
t.me/secharvester/18778
b3rito/b3acon: b3acon - a mail-based C2 that communicates via an in-memory C# IMAP client dynamically compiled in memory using PowerShell.
https://github.com/b3rito/b3acon:

1. b3acon - a mail-based C2 that communicates via an in-memory C# IMAP client dynamically compiled in memory using PowerShell.
2. You (the operator) create a draft email: The script runs on the target system and: Output delivery: To issue new commands: The project includes a self-contained HTML file that lets you generate scripts via browser.
3. Created by b3rito at mes3hacklab and GioPpeTto b3acon - a mail-based C2 that communicates via an in-memory C# IMAP client dynamically compiled in memory using PowerShell.

@secharvester
19.04.2025, 03:00
t.me/secharvester/18777
Community colleges have in recent years been plagued by AI-powered fraudsters posing as students to swindle financial aid money. They've gotten away with tens of millions in California alone. Here’s how it works.
https://voiceofsandiego.org/2025/04/16/how-fraudsters-swindle-community-college-financial-aid/:

1. They’re essentially sock puppet accounts made by fraudsters to enroll in online classes and bilk federal financial aid dollars – and they’ve been wreaking havoc.
2. The fraudsters have engaged in large-scale identity theft, swindled millions in financial aid, and filled up classes, making it difficult for real students to get a seat.
3. When students fill out those FAFSA applications, community colleges are notified whether the social security number they submit matches the name and date of bir...

@secharvester
18.04.2025, 21:00
t.me/secharvester/18776
The Zoom attack you didn’t see coming
https://www.helpnetsecurity.com/2025/04/18/zoom-remote-control-attack/:

1. While this feature may come in handy when dealing with trusted family, friends and colleagues, threat actors have started abusing it to install malware on targets’ computers.
2. “Two separate Twitter accounts approached our CEO with invitations to participate in a ‘Bloomberg Crypto’ series—a scenario that immediately raised red flags,” shared Andrew Mills, security engineer at Trail of Bits.
3. “As we’ve entered the era of operational security failures, organizations must evolve their defensive posture to address these human-centric attack vectors,” Mills concluded.

@secharvester
18.04.2025, 18:00
t.me/secharvester/18775
SuperCard X: exposing a Chinese-speaker MaaS for NFC Relay fraud operation | Cleafy
https://www.cleafy.com/cleafy-labs/supercardx-exposing-chinese-speaker-maas-for-nfc-relay-fraud-operation:

1. This campaign employs a novel NFC-relay technique, enabling Threat Actors (TAs) to fraudulently authorize Point-of-Sale (POS) payments and Automated Teller Machine (ATM) withdrawals by intercepting and relaying NFC communications from compromised devices.
2. The malware is distributed through Social Engineering tactics, deceiving victims into installing the malicious application and subsequently “tapping” their payment cards on their infected phones. Preliminary analysis suggests that TAs are leveraging a Chinese-speaking Malware-as-a-Service (MaaS) platform promoted as SuperCard X.
3. During our Threat Intelligence investigations into the SuperCard X campaign targeting Italy, our team identified several malware samples exhibiting characte...

@secharvester
18.04.2025, 15:00
t.me/secharvester/18774
Global Telecom Networks Host Hidden Chinese Surveillance Nodes
https://cyberinsider.com/global-telecom-networks-host-hidden-chinese-surveillance-nodes/:

1. A new report from iVerify has revealed a far-reaching global surveillance threat enabled by China’s state-owned telecom interconnect providers.
2. Notably, mobile operators in countries such as New Zealand, South Korea, Japan, and several Southeast Asian nations — including Taiwan — use China-based networks like CMI and CITIC Telecom International.
3. Some of these operators simultaneously deploy Huawei or ZTE core network equipment, creating an end-to-end surveillance surface that combines hardware-level access with unencrypted data transport.

@secharvester
18.04.2025, 15:00
t.me/secharvester/18773
AES & ChaCha — A Case for Simplicity in Cryptography
https://phase.dev/blog/chacha-and-aes-simplicity-in-cryptography/:

1. A full understanding of this operation involves finite-field arithmetic, which is beyond the scope of this blog — but worth exploring if you're curious about how AES achieves both performance and cryptographic strength at such a low level.
2. ChaCha20, derived from its predecessor Salsa, is a stream cipher that is designed as a pseudorandom function that uses a combination of Add, Rotate and XOR operations, commonly referred to as ARX.
3. By measuring how long AES takes to encrypt different inputs, an attacker can statistically infer which parts of the lookup tables were accessed—and by extension, reconstruct portions of the secret key.

@secharvester
18.04.2025, 12:00
t.me/secharvester/18772
GitHub - sterrasec/anti-disassembly-poc: A collection of Proof-of-Concept implementations of various anti-disassembly techniques for ARM32 and ARM64 architectures.
https://github.com/sterrasec/anti-disassembly-poc:

1. Similar to the above but with an offset from PC, making it more complex for disassemblers to handle.
2. Combines the PLD instruction with a NOP sled, creating a more sophisticated anti-disassembly pattern.
3. The condition is designed to always evaluate to false, but disassemblers may still try to analyze the dead code path.

@secharvester
18.04.2025, 06:00
t.me/secharvester/18771
Binance Captcha Solver
https://github.com/xKiian/binance-captcha-solver:

1. We read every piece of feedback, and take your input very seriously.
2. Binance Captcha solver fully implemented in 100% python.

@secharvester
18.04.2025, 03:00
t.me/secharvester/18770
Cross-Site WebSocket Hijacking Exploitation in 2025 - Include Security Research Blog
https://blog.includesecurity.com/2025/04/cross-site-websocket-hijacking-exploitation-in-2025/:

1. Some of my favorite findings discovered during our client assessments at Include Security have exploited Cross-Site Websocket Hijacking (CSWSH) vulnerabilities.
2. Due to breakage of SSO logins during rollout, back in 2020 Chrome rolled out a temporary measure making default SameSite=Lax work slightly differently to a cookie that has explicitly been set to SameSite=Lax by the backend application.
3. Now, malicious websites on the Internet could stream video from the devices and configure them, through the medium of a targeted user’s browser who was connected to the private network.

@secharvester
18.04.2025, 03:00
t.me/secharvester/18769
Understanding the X-Forwarded-For HTTP Header – Security Risks and Best Practices
https://devsec-blog.com/2025/04/understanding-the-x-forwarded-for-http-header-security-risks-and-best-practices/:

1. Cloudflare acts as a reverse proxy that protects backend applications from DDoS attacks, malicious bots and other threats, while also accelerating traffic through caching and network optimizations.
2. Unlike X-Forwarded-For, which may contain multiple comma-separated IPs representing the full proxy chain, CF-Connecting-IP provides a single, unambiguous value — assuming the traffic has passed through Cloudflare.
3. This can lead to IP spoofing vulnerabilities, especially if your application uses IP-based logic (e.g., rate limiting, access control, audit logging) and trusts these headers blindly.

@secharvester
18.04.2025, 03:00
t.me/secharvester/18768
Computer Networking Basics Every Business Owner Must Know for Cybersecurity
https://darkmarc.substack.com/p/computer-networking-basics-every:

1. Data theft, ransomware attacks, and other threats can lead to severe consequences such as lawsuits, hefty fines, loss of trade secrets and intellectual property, and significant disruptions to your operations.
2. The image above shows a sample implementation of the concepts we'll explore—from basic building blocks like hosts and switches to more advanced security components such as firewalls, VPN gateways, and monitoring systems.
3. Utilizing tools such as Security Information and Event Management (SIEM) systems enhances these audits by aggregating and analyzing log data from various network components, providing insights into suspicious activity or potential threats.

@secharvester
17.04.2025, 21:00
t.me/secharvester/18767
Windows NTLM vulnerability exploited in multiple attack campaigns
https://www.helpnetsecurity.com/2025/04/17/windows-ntlm-vulnerability-exploited-in-multiple-attack-campaigns-cve-2025-24054/:

1. CVE-2025-24054, a Windows NTLM hash disclosure vulnerability for which Microsoft issued patches last month, has been leveraged by threat actors in campaigns targeting government and private institutions in Poland and Romania.
2. “Active exploitation in the wild has been observed since March 19, 2025, potentially allowing attackers to leak NTLM hashes or user passwords and compromise systems,” Check Point researchers have shared.
3. Until March 25, Check Point has observed approximately 10 additional campaigns with the end goal of retrieving NTLMv2-SSP hashes from the targeted victims.

@secharvester
17.04.2025, 18:00
t.me/secharvester/18766
🕹️ apk.sh v1.1 is out. Now it supports direct DEX bytecode manipulation, this avoids decompilation/recompilation issues and preserves original obfuscation and optimizations when injecting frida-gadget.so.
http://github.com/ax/apk.sh:

1. Makes reverse engineering Android apps easier, automating repetitive tasks like pulling, decoding, rebuilding and patching an APK.
2. apk.sh is a Bash script that makes reverse engineering Android apps easier, automating some repetitive tasks like pulling, decoding, rebuilding and patching an APK.
3. If you don’t want this blocking behavior and want to let the program boot right up, or you’d prefer it listening on a different interface or port, you can customize this through a json configuration file.

@secharvester
17.04.2025, 15:00
t.me/secharvester/18765
Google blocked over 5 billion ads in 2024 amid rise in AI-powered scams
https://www.bleepingcomputer.com/news/google/google-blocked-over-5-billion-ads-in-2024-amid-rise-in-ai-powered-scams/:

1. The company says the increasing enforcement activity is caused by the growing threat of AI-generated content, impersonation scams, and abuse of its ad platform.

@secharvester
17.04.2025, 15:00
t.me/secharvester/18764
Over 16,000 Fortinet devices compromised with symlink backdoor
https://www.bleepingcomputer.com/news/security/over-16-000-fortinet-devices-compromised-with-symlink-backdoor/:

1. Last week, Fortinet warned customers that they had discovered a new persistence mechanism used by a threat actor to retain read-only remote access to files in the root filesystem of previously compromised but now patched FortiGate devices.

@secharvester
17.04.2025, 12:00
t.me/secharvester/18763
How a vulnerability in PHP's extract() function allows attackers to trigger a double-free in version 5.x or a use-after-free in versions 7.x, 8.x, which in turn allows arbitrary code execution (native code)
https://ssd-disclosure.com/ssd-advisory-extract-double-free5-x-use-after-free7-x-8-x/:

1. cachex used below is a gdb script to view the current cache entries for a specific index.
2. The zend_mm_heap.cache directly after calling extract() and hitting the double free: Correlating the cache with the allocations from the exploit.
3. Arbitrary Read is achieved by setting the type to string (0x6) and modifying the zval's zvalue_value.str.val and zvalue_value.str.len; as the str is a char *, this allows us to provide a pointer to read/write from/to.

@secharvester
17.04.2025, 12:00
t.me/secharvester/18762
Krebs: Today I announced that I am stepping away from my position at SentinelOne.
https://www.linkedin.com/posts/christopherckrebs_krebs-organizational-announcement-activity-7318394838817599489-9n62:

1. I'm so sorry, and really hope it all works out in the end Marketing Director at UW Carbone Cancer Center Chris Krebs - we will unlikely never meet but you're a class act through and through.
2. If you’re a 3–25 person MSP struggling to package, price, or deliver GRC, you’re not alone. ComplianceScorecard.com Grace and dignity Chris Krebs you are on the right side of history here.
3. You are a fearless leader, and there’s no doubt you’ll continue doing great things to make the world a safer place 💜 Head of Revenue Go get them Chris and you're a true Patriot!

@secharvester
17.04.2025, 03:00
t.me/secharvester/18761