• Cybersecurity researchers are calling attention to a new campaign that’s leveraging a combination of ClickFix lures and fake adult websites to deceive users into running malicious commands under the guise of a “critical” Windows security update. “Campaign leverages fake adult websites (xHamster, PornHub clones) as its phishing mechanism, likely distributed via malvertising,” Acronis said in a

  • A new chain of five critical vulnerabilities discovered in Fluent Bit has exposed billions of containerized environments to remote compromise.

    Fluent Bit, an open-source logging and telemetry agent deployed over 15 billion times globally, sits at the core of modern cloud infrastructure.

    The tool collects, processes, and forwards logs across banking systems, cloud platforms like AWS and Microsoft Azure, and Kubernetes environments.

    When failures occur at this scale, they do not just affect individual systems but ripple across the entire cloud ecosystem.

    These newly disclosed flaws allow attackers to bypass authentication, perform unauthorized file operations, achieve remote code execution, and cause denial-of-service conditions through unsanitized tag manipulation.

    The attack surface extends across multiple critical functionalities. Attackers exploiting these vulnerabilities could disrupt cloud services, tamper with data, and execute malicious code while hiding their tracks.

    By controlling logging service behavior, adversaries gain the ability to inject fake telemetry, reroute logs to unauthorized destinations, and alter which events get recorded.

    Some vulnerabilities have remained unpatched for over eight years, leaving cloud environments exposed to determined attackers. Security researchers at Oligo Security identified these flaws in collaboration with AWS through coordinated vulnerability disclosure.

    The research demonstrates how weaknesses in foundational infrastructure components can enable sophisticated attack chains affecting millions of deployments worldwide.

    Oligo Security analysts identified the vulnerabilities after conducting thorough security assessments of Fluent Bit’s input and output plugins.

    The research team discovered that authentication mechanisms, input validation, and buffer handling contained critical security gaps.

    Their findings prompted immediate coordination with AWS and the Fluent Bit maintainers, resulting in fixes released in version 4.1.1.

    Technical Breakdown of Path Traversal and File Write Vulnerabilities

    CVE-2025-12972 represents one of the most dangerous flaws in the chain. The File output plugin in Fluent Bit writes logs directly to the filesystem using two configuration parameters: Path and File.

    Many common configurations use only the Path option and derive filenames from record tags. However, the plugin fails to sanitize these tags before constructing file paths. Attackers can inject path traversal sequences like “../” within tag values to escape the intended directory and write files anywhere on the system.

    Flaw chain (Source – Oligo)

    Since attackers maintain partial control over data written to these files through log content manipulation, they can create malicious configuration files, scripts, or executables in critical system locations.

    When Fluent Bit runs with elevated privileges, this leads to remote code execution. The vulnerability becomes trivially exploitable when HTTP input is configured with Tag_Key settings and File output lacks an explicit File parameter.

    Configurations using the forward input combined with file output are equally vulnerable, enabling unauthenticated attackers to inject malicious tags and write arbitrary files.

    | CVE ID | Vulnerability Type | Affected Component | CVSS Severity | Impact |
    |---|---|---|---|---|
    | CVE-2025-12972 | Path Traversal File Write | out_file plugin | Critical | RCE, Log Tampering |
    | CVE-2025-12970 | Stack Buffer Overflow | in_docker plugin | Critical | DoS, RCE |
    | CVE-2025-12978 | Partial String Comparison | HTTP/Splunk/Elasticsearch inputs | Critical | Tag Spoofing |
    | CVE-2025-12977 | Improper Input Validation | HTTP/Splunk/Elasticsearch inputs | Critical | Injection Attacks |
    | CVE-2025-12969 | Missing Authentication | in_forward plugin | Critical | Unauthorized Access |

    Immediate patching to version 4.1.1 or 4.0.12 is critical for all organizations running Fluent Bit. Organizations should prioritize updating production deployments and implement configuration changes to limit attack exposure.

    Static, predefined tags prevent untrusted input from influencing routing and file operations. Setting explicit Path and File parameters in output configurations prevents dynamic tag-based path construction.

    Running Fluent Bit with non-root privileges and read-only mounted configuration files significantly reduces the impact of successful exploitation. AWS has already secured its internal systems and recommends all customers upgrade immediately.
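    To make the configuration guidance concrete, here is an added example (my own code, not Fluent Bit's or Oligo's) that parses a classic-format Fluent Bit config, flags a file output with no explicit File parameter when an input can supply tags (a forward input, or an http input using Tag_Key), and contrasts the unchecked tag-to-path join with a containment check; the section and key names follow Fluent Bit's classic config format, while the severity labels and sample configs are constructed for this example.

```python
"""Added example (not Fluent Bit's own code): audit a classic-format config
for the out_file pattern above and contrast unchecked vs. contained paths."""
import os
import re
# Constructed sample: untrusted tags (Tag_Key) feed a file output with Path only.
VULNERABLE_CONF = """
[INPUT]
    Name     http
    Tag_Key  tag
[OUTPUT]
    Name     file
    Match    *
    Path     /var/log/flb
"""
# Constructed sample: same pipeline with a static tag and an explicit File.
FIXED_CONF = VULNERABLE_CONF.replace("Tag_Key  tag", "Tag      app").replace(
    "Path     /var/log/flb", "Path     /var/log/flb\n    File     app.log")

def parse_classic(text):
    """Return [(SECTION, {key: value}), ...] from a classic-format config."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            current = (m.group(1).upper(), {})
            sections.append(current)
        elif current is not None:
            key, _, value = line.partition(" ")
            current[1][key.lower()] = value.strip()
    return sections

def audit(text):
    """Flag file outputs whose filename is derived from the record tag."""
    secs = parse_classic(text)
    untrusted_tag = any(s == "INPUT" and (kv.get("name") == "forward"
                        or "tag_key" in kv) for s, kv in secs)
    return [("HIGH" if untrusted_tag else "MEDIUM")
            + ": out_file without File: filename derives from the tag"
            for s, kv in secs
            if s == "OUTPUT" and kv.get("name") == "file" and "file" not in kv]

def naive_tag_path(base, tag):
    """Unchecked join: a '../' sequence in the tag walks out of base."""
    return os.path.normpath(os.path.join(base, tag))

def safe_tag_path(base, tag):
    """Containment check: allow only simple names that resolve inside base."""
    if tag in (".", "..") or not re.fullmatch(r"[A-Za-z0-9_.-]+", tag):
        return None
    full = os.path.realpath(os.path.join(base, tag))
    return full if os.path.dirname(full) == os.path.realpath(base) else None
```

    Running `audit` over a real config only needs the text of the file; the path helpers show why an explicit File parameter or a static tag removes the traversal risk entirely.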

    The security community views these vulnerabilities as evidence of systemic challenges in open-source security reporting, where critical infrastructure components often rely on volunteer maintainers with limited resources to address coordinated security disclosures.

    The post Critical FluentBit Vulnerabilities Let Attackers to Cloud Environments Remotely appeared first on Cyber Security News.

  • Cybersecurity authorities have raised fresh alarms over the spread of advanced commercial spyware targeting secure messaging apps like Signal and WhatsApp.

    According to a recent CISA advisory, multiple cyber threat actors actively deploy this sophisticated malware to compromise users’ smartphones, using methods designed to bypass established security protections.

    These threats first emerged in 2025, with attackers exploiting vulnerabilities and social engineering tactics to infect mobile devices, often focusing on high-value individuals.

    Attackers have used deceptive techniques, such as malicious device-linking QR codes and phishing schemes, to spread spyware, sometimes integrating zero-click exploits that allow infection even if users take no direct action.

    Once inside a victim’s device, the spyware can evade detection for long periods and deploy hidden payloads to fully compromise private messaging communications.

    The impact is profound—victims may unknowingly lose control of sensitive material, risking exposure of confidential conversations and data.

    CISA security analysts identified this malware after analyzing a surge in infections reported by U.S., Middle Eastern, and European organizations.

    Their investigation revealed that adversaries increasingly target high-ranking government, military, and civil society officials, exploiting technical loopholes and user behavior to infiltrate protected messaging channels quietly.

    The persistent nature of the threat prompted CISA to urge all messaging app users to review best-practice guidance on mobile security and malware mitigation.

    Infection Mechanism: How the Spyware Operates

    A deeper technical breakdown shows that once installed, the malware leverages Android’s service and broadcast receiver components to maintain control and persist after reboot.

    The infection sequence typically begins with a disguised download—either through a phishing link or device-link QR code.

    The malicious app requests excessive permissions, such as SMS access and device administrator rights, enabling silent data exfiltration, contact extraction, and message interception.

    Code Snippet Example:

    ```java
    // Main spyware service initializing after install
    public void onStart(Intent intent, int startId) {
        exfiltrateMessages();
        extractContacts();
        hideFromLauncher();
    }
    ```

    As noted by CISA, the combination of stealthy entry, exploitation of core Android features, and aggressive privilege escalation makes this spyware an ongoing risk to secure communications apps worldwide.

    The post CISA Warns of Threat Actors Leveraging Commercial Spyware to Target Users of Signal and WhatsApp appeared first on Cyber Security News.

  • Fortra has officially released Cobalt Strike 4.12, introducing a comprehensive suite of new features designed to enhance red team operations and offensive security research. The update delivers a modernized GUI, a groundbreaking REST API, User Defined Command and Control (UDC2), advanced process injection techniques, new UAC bypasses, and enhanced evasion capabilities via drip-loading Malleable C2 options. […]

    The post Cobalt Strike 4.12 Adds New Injection, UAC Bypasses & C2 Features appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • A recently discovered malicious Visual Studio Code (VSCode) extension masquerading as the well-known “Prettier” formatter briefly infiltrated the official VSCode Marketplace, delivering a variant of the Anivia Stealer malware in a targeted attack to steal sensitive login credentials and private data from developers’ systems. Thanks to the vigilance of the Checkmarx Zero research team specifically […]

    The post VSCode Marketplace Hit by Rogue Prettier Extension Delivering Anivia Stealer appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • Cybercriminals have discovered a new attack vector targeting the creative design community by exploiting Blender, a widely used open-source 3D modeling application.

    Threat actors are uploading malicious files to popular asset platforms like CGTrader, containing embedded Python scripts that execute automatically when users open the files in Blender.

    This sophisticated campaign, uncovered through ongoing threat investigations, demonstrates how attackers continue to adapt their tactics to compromise unsuspecting users across Windows, macOS, and Linux systems.

    The operation has been active for at least six months and connects to previously identified Russian-linked campaigns that used similar evasion techniques and decoy documentation methods.

    These malicious .blend files are weaponized to steal sensitive information from victim machines, including passwords, cryptocurrency wallets, and authentication credentials from multiple browsers and applications.

    The threat represents a significant risk to the creative industry, where Blender’s free and powerful capabilities make it an essential tool for professionals and hobbyists alike.

    Morphisec security researchers identified and tracked this campaign after analyzing the infection chain and command and control infrastructure.

    The research revealed direct connections to StealC V2, a dangerous information-stealing malware that has become increasingly popular in underground criminal markets since its emergence in April 2025.

    Understanding the Infection Mechanism

    When users open a compromised .blend file with Blender’s Auto Run Python Scripts setting enabled, the embedded Rig_Ui.py script executes automatically.

    The malware then fetches a PowerShell loader from remote servers controlled by the attackers. This loader downloads multiple archive files containing a fully functional Python environment preloaded with StealC V2 and additional stealing components.

    Attack Chain (Source – Morphisec)

    The extracted files create hidden shortcut files (LNK) that are copied to the Windows Startup folder, ensuring the malware persists across system reboots.

    The attack chain involves multiple stages of obfuscation and uses encrypted communication channels.

    Python scripts download encrypted payloads using ChaCha20 encryption through the Pyramid command and control infrastructure, making detection and analysis significantly more challenging.

    StealC V2 itself targets over 23 web browsers, more than 100 browser extensions, 15 desktop cryptocurrency wallets, messaging applications like Telegram and Discord, and VPN clients.

    The malware includes updated privilege escalation techniques and maintains low detection rates on security analysis platforms, allowing it to evade traditional security solutions.

    Users should disable Blender’s Auto Run feature for untrusted file sources and exercise caution when downloading 3D models from community platforms.

    The post Threat Actors Leverage Blender Foundation Files to Deliver Notorious StealC V2 Infostealer appeared first on Cyber Security News.

  • Microsoft is sounding the alarm on critical security considerations as it introduces agentic AI capabilities to Windows through experimental features like Copilot Actions. The company is rolling out a new agent workspace feature in private preview that establishes isolated environments for AI agents to operate, but the tech giant is being transparent about the novel […]

    The post Microsoft Warns of Security Risks in New Agentic AI Feature appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • The 2025 Black Friday shopping season has become a prime hunting ground for cybercriminals, with over 2 million phishing attacks recorded against online gamers and shoppers worldwide.

    As global e-commerce continues to grow at 7-9% annually, attackers have adapted their tactics to exploit the seasonal rush, reduced user vigilance, and high-demand retail periods.

    This year, the gaming industry emerged as a particularly lucrative target, with attackers launching campaigns disguised as popular platforms like Discord and Steam. The attack landscape in 2025 reveals a significant shift in targeting priorities.

    From January through October, nearly 6.4 million phishing attempts were blocked across online stores, payment systems, and banks. Among all these, 48.2% targeted online shoppers directly, a sharp increase from 37.5% in 2024.

    The first two weeks of November alone saw over 146,000 Black Friday-themed spam messages detected, with attackers impersonating major brands including Amazon, which accounted for 606,369 blocked phishing attempts.

    Securelist security analysts identified that gaming platforms experienced an unprecedented surge in malicious activity, with over 20 million attack attempts recorded in 2025.

    Discord-related attacks skyrocketed more than 14 times compared to the previous year, reaching 18.5 million attempted attacks.

    This dramatic increase correlates with platform restrictions introduced in late 2024, which pushed users toward unofficial clients and proxy tools, thereby expanding the attack surface for threat actors distributing fake installers and malicious updates.

    Gaming Platform Exploitation Tactics

    The technical analysis of these campaigns reveals sophisticated delivery mechanisms. Attackers primarily distributed RiskTool variants, accounting for 17.8 million detections.

    These tools hide files and mask processes, enabling persistent abuse, including covert crypto-mining operations.

    Downloaders ranked second with 1.3 million detections, often embedded in unofficial patches or cracked game clients.

    Banking Trojans also remained active throughout the season, with over 1.09 million attacks recorded globally.

    These trojans employ web injection and form-grabbing techniques to capture login credentials when users visit targeted checkout pages during transactions.

    Black Friday scam using a popular shooter as a lure (Source – Securelist)

    The scam pages follow consistent patterns, featuring countdown timers, urgency messaging, and polished layouts that mimic official promotions.

    Once victims submit credentials or payment details, attackers gain full account access and can steal in-game assets or execute fraudulent transactions against unsuspecting users.

    The post Threat Actors Exploiting Black Friday Shopping Hype – 2+ Million Attacks Recorded appeared first on Cyber Security News.

  • The threat actor known as ToddyCat has been observed adopting new methods to obtain access to corporate email data belonging to target companies, including using a custom tool dubbed TCSectorCopy. “This attack allows them to obtain tokens for the OAuth 2.0 authorization protocol using the user’s browser, which can be used outside the perimeter of the compromised infrastructure to access

  • 2026 will mark a pivotal shift in cybersecurity. Threat actors are moving from experimenting with AI to making it their primary weapon, using it to scale attacks, automate reconnaissance, and craft hyper-realistic social engineering campaigns.

    The Storm on the Horizon

    Global world instability, coupled with rapid technological advancement, will force security teams to adapt not just their
