• A sophisticated cybercriminal campaign has emerged, exploiting Amazon’s Simple Email Service (SES) to orchestrate large-scale phishing operations capable of delivering over 50,000 malicious emails daily.

    The attack represents a significant evolution in cloud service abuse, transforming AWS’s legitimate bulk email platform into a weapon for credential theft and financial fraud.

    The campaign begins with compromised AWS access keys, obtained through common attack vectors including accidental public exposure in code repositories, misconfigured cloud assets, or theft from developer workstations.

    Once adversaries secure these credentials, they immediately probe the environment using GetCallerIdentity requests to assess available permissions, specifically targeting accounts with SES-related naming conventions that indicate email service access.

    Wiz.io researchers identified this May 2025 campaign after detecting unusual patterns in AWS API activity across multiple regions.

    The attackers demonstrated remarkable sophistication by implementing a multi-regional approach, simultaneously issuing PutAccountDetails requests across all AWS regions within seconds to escape SES’s default “sandbox” restrictions.

    This technique, previously undocumented in security literature, allows threat actors to bypass the standard 200-email daily limit and unlock production mode capabilities.

    The phishing infrastructure targets victims with convincing tax-related content, employing subject lines such as “Your 2024 Tax Form(s) Are Now Ready to View and Print” to maximize engagement rates.

    Attack chain (Source – Wiz.io)

    These messages redirect users to credential harvesting sites hosted at domains like irss.securesusa.com, utilizing commercial traffic analysis services to obfuscate malicious infrastructure and evade traditional security scanners.

    Technical Infrastructure and Evasion Mechanisms

    The attackers establish their email infrastructure through systematic domain verification using the CreateEmailIdentity API.

    They register attacker-controlled domains including managed7.com, street7news.org, and docfilessa.com, alongside legitimate domains whose weak DMARC configurations make them easy to spoof.

    Each verified domain supports multiple email addresses using standard prefixes like admin@, billing@, and noreply@ to appear legitimate in recipient inboxes.

    The campaign’s technical sophistication extends to automated privilege escalation attempts.

    When standard production quotas proved insufficient, attackers programmatically created support tickets through the CreateCase API and attempted to establish IAM policies named “ses-support-policy” to gain enhanced permissions.

    Although these elevation attempts failed due to insufficient privileges, the 50,000-email daily quota remained adequate for their operational requirements.

    This SES abuse campaign demonstrates how cloud services designed for legitimate business purposes can be weaponized at scale, highlighting the critical need for enhanced monitoring of dormant access keys and unusual cross-regional API activity patterns in cloud environments.
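    As an added illustration (not code from Wiz or the article), a small detector over constructed CloudTrail-style records for the two signals the article calls out: one access key issuing PutAccountDetails across several regions within seconds, and a long-dormant key suddenly becoming active. The record field names (eventTime, eventName, awsRegion, userIdentity.accessKeyId) follow CloudTrail's schema; the key ids, timestamps and the last-used inventory are invented for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real logs): key ...0001 probes with
# GetCallerIdentity, then fires PutAccountDetails in four regions within
# seconds; key ...0002 makes one ordinary request in one region.
SAMPLE_EVENTS = [
    {"eventTime": "2025-05-12T10:15:30Z", "eventName": "GetCallerIdentity",
     "awsRegion": "us-east-1", "userIdentity": {"accessKeyId": "AKIAEXAMPLE0000001"}},
    {"eventTime": "2025-05-12T10:15:41Z", "eventName": "PutAccountDetails",
     "awsRegion": "us-east-1", "userIdentity": {"accessKeyId": "AKIAEXAMPLE0000001"}},
    {"eventTime": "2025-05-12T10:15:42Z", "eventName": "PutAccountDetails",
     "awsRegion": "eu-west-1", "userIdentity": {"accessKeyId": "AKIAEXAMPLE0000001"}},
    {"eventTime": "2025-05-12T10:15:43Z", "eventName": "PutAccountDetails",
     "awsRegion": "ap-southeast-2", "userIdentity": {"accessKeyId": "AKIAEXAMPLE0000001"}},
    {"eventTime": "2025-05-12T10:15:44Z", "eventName": "PutAccountDetails",
     "awsRegion": "sa-east-1", "userIdentity": {"accessKeyId": "AKIAEXAMPLE0000001"}},
    {"eventTime": "2025-05-12T11:00:00Z", "eventName": "PutAccountDetails",
     "awsRegion": "us-west-2", "userIdentity": {"accessKeyId": "AKIAEXAMPLE0000002"}},
]

# Constructed "last used" inventory, standing in for IAM access-key
# last-used data (values invented for the example).
LAST_USED = {"AKIAEXAMPLE0000001": "2025-01-03T08:00:00Z",
             "AKIAEXAMPLE0000002": "2025-05-11T09:30:00Z"}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_multi_region_bursts(events, event_name="PutAccountDetails",
                             window=timedelta(seconds=60), min_regions=3):
    """Map accessKeyId -> sorted regions for keys that issued `event_name`
    in at least `min_regions` distinct regions inside one sliding window."""
    by_key = defaultdict(list)
    for e in events:
        if e["eventName"] == event_name:
            by_key[e["userIdentity"]["accessKeyId"]].append(
                (_ts(e["eventTime"]), e["awsRegion"]))
    hits = {}
    for key, calls in by_key.items():
        calls.sort()
        for i, (t0, _) in enumerate(calls):
            regions = {r for t, r in calls[i:] if t - t0 <= window}
            if len(regions) >= min_regions:
                hits[key] = sorted(regions)
                break
    return hits


def dormant_keys_reactivated(events, last_used, min_idle=timedelta(days=30)):
    """Keys whose first activity in `events` follows at least `min_idle`
    of silence according to the last-used inventory."""
    first_seen = {}
    for e in sorted(events, key=lambda e: e["eventTime"]):
        first_seen.setdefault(e["userIdentity"]["accessKeyId"], _ts(e["eventTime"]))
    return sorted(k for k, t in first_seen.items()
                  if k in last_used and t - _ts(last_used[k]) >= min_idle)
```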

    The post Hackers Weaponize Amazon Simple Email Service to Send 50,000+ Malicious Emails Per Day appeared first on Cyber Security News.

  • Qualys has confirmed it was impacted by a widespread supply chain attack that targeted the Salesloft Drift marketing platform, resulting in unauthorized access to a portion of its Salesforce data.

    The breach originated from a sophisticated cyberattack campaign targeting Salesloft Drift, a third-party Software-as-a-Service (SaaS) application used by Qualys to automate sales workflows and manage marketing leads.

    According to the company, the attackers successfully stole OAuth authentication tokens that connected the Drift application to Qualys’s Salesforce instance. The malicious actors then used these tokens to gain unauthorized access.

    Qualys specified that the access was limited to some information within its Salesforce environment, which is primarily used for managing leads and contact information.

    The company confirmed in its statement that the attack did not compromise its foundational security infrastructure. There was no impact on the Qualys production environments, including its shared and private platforms, codebase, or any customer data hosted on the Qualys Cloud Platform. Furthermore, all Qualys platforms, agents, and scanners remained fully functional with no operational disruptions.

    Upon becoming aware of the incident, Qualys immediately activated its incident response plan. The company’s security team took swift action to contain the threat by disabling all Drift integrations with its Salesforce data, effectively cutting off the attackers’ access.

    To support its internal investigation efforts, Qualys has engaged the prominent cybersecurity firm Mandiant. Mandiant is reportedly assisting many of the other organizations that were also impacted by this widespread campaign against Salesloft Drift.

    Confirmed victims of this supply chain attack include:

    • Palo Alto Networks: The cybersecurity firm confirmed the exposure of business contact information and internal sales data from its CRM platform.
    • Zscaler: The cloud security company reported that customer information, including names, contact details, and some support case content, was accessed.
    • Google: In addition to being an investigator, Google confirmed a “very small number” of its Workspace accounts were accessed through the compromised tokens.
    • Cloudflare: Cloudflare has confirmed a data breach where a sophisticated threat actor accessed and stole customer data from the company’s Salesforce instance.
    • PagerDuty: The company has confirmed a security incident that resulted in unauthorized access to some of its data stored in Salesforce.
    • Tenable: The company has confirmed a data breach that exposed the contact details and support case information of some of its customers.

    The post Qualys Confirms Data Breach – Hackers Accessed Salesforce Data in Supply Chain Attack appeared first on Cyber Security News.

  • A rare breach attributed to a North Korean–affiliated actor, named “Kim” by the leakers, has unveiled unprecedented insight into Kimsuky (APT43) operations. Dubbed the “Kim” dump, the 9 GB dataset includes active bash histories, phishing domains, OCR workflows, custom stagers, and Linux rootkit evidence, revealing a hybrid campaign that leverages Chinese-language tooling and infrastructure to target […]

    The post Kimsuky Hackers’ Playbook Uncovered in Exposed ‘Kim’ Data Dump appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • Cybersecurity researchers have demonstrated a sophisticated technique for bypassing Web Application Firewalls (WAFs) using JavaScript injection combined with HTTP parameter pollution, exposing critical vulnerabilities in modern web security infrastructure.

    The research, conducted during an autonomous penetration test, revealed how attackers can exploit parsing differences between WAF engines and web application frameworks to execute malicious code despite strict security configurations.

    The vulnerability emerged during testing of an ASP.NET application protected by a highly restrictive WAF.

    While the underlying Cross-Site Scripting (XSS) vulnerability was straightforward, involving breaking out of a JavaScript string delimited by single quotes, conventional XSS payloads were effectively blocked by the security system.

    This scenario presented researchers with a classic challenge: demonstrating exploitability when defensive mechanisms actively prevent traditional exploitation methods.

    The breakthrough came through understanding ASP.NET’s unique parameter handling behavior. When multiple HTTP parameters share the same name, ASP.NET concatenates their values using commas through the HttpUtility.ParseQueryString() method.

    This documented Microsoft behavior states that “multiple occurrences of the same query string parameter are listed as a single entry with a comma separating each value.”

    Ethiack analysts identified this parsing discrepancy as the key to bypassing WAF detection while maintaining valid JavaScript execution.

    The attack leverages JavaScript’s comma operator, which allows multiple expressions to execute sequentially within a single statement.

    By distributing malicious code across multiple parameters, researchers could construct payloads that appear benign individually but combine to form executable JavaScript.

    For instance, the query string /?q=1'&q=alert(1)&q='2 becomes 1',alert(1),'2 after ASP.NET processing, creating syntactically valid JavaScript that executes the alert function when inserted into vulnerable contexts.

    Technical Analysis and WAF Evasion Mechanisms

    The research methodology involved testing 17 different WAF configurations across major cloud providers and security vendors, revealing significant disparities in detection capabilities.

    Azure WAF (Source – Ethiack)

    The testing employed three distinct payload types, each demonstrating increasing sophistication in evasion techniques.

    Framework parameter pollution behavior:

    Framework         Input Example            Output Result
    ASP.NET           param=val1&param=val2    param=val1,val2
    ASP               param=val1&param=val2    param=val1,val2
    Golang net/http   param=val1&param=val2    param=['val1','val2']
    Python – Zope     param=val1&param=val2    param=['val1','val2']
    Node.js           param=val1&param=val2    param=val1,val2

    The most revealing finding emerged from payload complexity analysis. Simple injection attempts achieved only a 17.6% bypass rate against tested WAFs, while sophisticated parameter pollution techniques reached 70.6% success rates.

    The research identified three primary reasons for WAF vulnerability: individual parameter analysis without relationship understanding, lack of framework-specific parsing simulation, and reliance on traditional XSS signatures that miss functionally equivalent but structurally different payloads.

    Google Cloud Armor (Source – Ethiack)

    Payload effectiveness analysis:

    Payload Type              Example                                     Success Rate
    Simple Injection          q=';alert(1),'                              17.6%
    Pollution + Semicolon     q=1'+1;let+asd=window&q=def='al'+'ert'      52.9%
    Pollution + Line Breaks   q=1'%0aasd=window&q=def="al"+"ert"          70.6%

    Autonomous testing systems demonstrated remarkable adaptability, discovering previously unknown bypasses for supposedly secure configurations.

    Notably, Azure WAF was defeated using the payload test\\';alert(1);//, which exploits parsing discrepancies in escaped character handling between WAF pattern matching and JavaScript interpretation.

    The research underscores the critical need for WAFs to implement framework-specific parsing logic and context-aware analysis capabilities, though such enhancements would significantly impact performance in production environments.
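    Added example, not Ethiack's code: a Python model of the framework-specific parsing simulation the research says WAFs lack. The two parser functions mirror the ASP.NET and Go rows of the table above, SIG is a deliberately simple stand-in for a per-parameter XSS rule, and the payloads are the ones quoted in the article; it shows that the comma-joined payload only trips the rule once the backend's merged view is inspected, and that the line-break variant slips past this signature either way.

```python
import re
from urllib.parse import parse_qs


def parse_query_aspnet(qs):
    """Model of HttpUtility.ParseQueryString: repeated names are
    collapsed into one entry with the values joined by commas."""
    multi = parse_qs(qs, keep_blank_values=True)
    return {k: ",".join(v) for k, v in multi.items()}


def parse_query_go(qs):
    """Model of Go net/http url.Values: repeated names become a list,
    which is also what a WAF inspecting each value separately sees."""
    return parse_qs(qs, keep_blank_values=True)


# Toy stand-in for a WAF XSS rule (constructed for this example): a quote or
# line break that could terminate a JS string, followed by a call expression.
SIG = re.compile(r"""['"\n][^'"]*?\b\w+\s*\(""")


def per_parameter_verdict(qs):
    """The behaviour the article attributes to most WAFs: every value is
    inspected on its own, with no knowledge of sibling parameters."""
    return any(SIG.search(v)
               for values in parse_query_go(qs).values()
               for v in values)


def framework_aware_verdict(qs, parser=parse_query_aspnet):
    """Inspect what the backend framework will actually see after it
    merges duplicate parameters, instead of the raw individual values."""
    return any(SIG.search(v) for v in parser(qs).values())


# Payloads quoted in the article, for comparison of the two views.
SIMPLE = "q=';alert(1),'"
COMMA_POLLUTION = "q=1'&q=alert(1)&q='2"
LINE_BREAK_POLLUTION = 'q=1\'%0aasd=window&q=def="al"+"ert"'


def compare(qs):
    """Return (per-parameter verdict, framework-aware verdict)."""
    return per_parameter_verdict(qs), framework_aware_verdict(qs)
```

    The last payload shows the other side of the article's finding: merging parameters the way the framework does is necessary, but a signature that keys on a call expression still misses code assembled later from string fragments.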

    The post Researchers Bypassed Web Application Firewall With JS Injection with Parameter Pollution appeared first on Cyber Security News.

  • Threat actors exploited compromised AWS credentials to hijack Amazon’s Simple Email Service (SES) in a sophisticated cyberattack campaign, launching large-scale phishing operations capable of sending over 50,000 malicious emails daily. The Wiz Research team identified this alarming SES abuse campaign in May 2025, highlighting a concerning trend where cybercriminals are weaponizing legitimate cloud services to […]

    The post Hackers Exploit Amazon SES to Blast Over 50,000 Malicious Emails Daily appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • A significant security flaw has been discovered in pgAdmin, the widely used open-source administration and development platform for PostgreSQL databases.

    The vulnerability, tracked as CVE-2025-9636, affects all pgAdmin versions up to and including 9.7, potentially allowing remote attackers to gain unauthorized access to user accounts and the sensitive data they manage.

    The core of the issue lies in an improperly configured Cross-Origin Opener Policy (COOP). This security feature is designed to isolate a web application’s window from other windows, preventing malicious pages from interacting with it.

    In affected pgAdmin versions, this policy was not enforced correctly, creating an opening for attackers to manipulate the OAuth authentication flow.

    OAuth is a standard protocol used for secure authorization, often seen in “Log in with Google” or “Log in with GitHub” functionalities.

    PgAdmin Vulnerability Exploited

    An attacker could exploit this vulnerability by tricking a user into clicking a specially crafted link. This link would open the pgAdmin login page in a new browser window while the attacker’s malicious page remains active in the original window.

    Due to the COOP misconfiguration, the attacker’s page can maintain a reference to the pgAdmin window and interfere with the authentication process.

    If the user then proceeds to log in using an OAuth provider, the attacker can intercept the authentication token, effectively hijacking the session.

    The successful exploitation of this flaw carries severe risks for organizations and their data. The primary consequences include:

    • Unauthorised Account Access: An attacker can gain control of a legitimate user’s pgAdmin session, granting them the same level of access as the victim.
    • Data Breaches: Once inside, an attacker can view, modify, or exfiltrate sensitive information from any PostgreSQL databases connected to the compromised pgAdmin instance.
    • Account Takeover: The vulnerability could be leveraged to perform a full account takeover, locking the legitimate user out.
    • Privilege Escalation: If the hijacked account has administrative privileges, the attacker could potentially escalate their access within the database or even the underlying server infrastructure.

    Mitigations

    The pgAdmin development team has swiftly responded to the issue. A patch has been released that corrects the COOP header configuration, closing the security gap.

    The fix is detailed in a commit on the project’s official GitHub repository. All users of pgAdmin versions 9.7 and earlier are strongly urged to update to the latest version immediately to protect their systems from potential attacks.

    Administrators should prioritize applying this update to all pgAdmin instances within their environments to prevent unauthorized access and safeguard their database assets.

    The post PgAdmin Vulnerability Lets Attackers Gain Unauthorised Account Access appeared first on Cyber Security News.

  • A proof-of-concept (PoC) exploit has been released for a critical remote code execution (RCE) vulnerability in ImageMagick 7’s MagickCore subsystem, specifically affecting the blob I/O (BlobStream) implementation.

    Security researchers and the ImageMagick team urge all users and organizations to update immediately to prevent exploitation.

    ImageMagick, a widely used image processing library, was found to contain a heap out-of-bounds write flaw in its SeekBlob() and WriteBlob() functions within the MagickCore/blob.c component.

    This vulnerability, tracked as CVE-2025-57807 and rated CVSS 9.8 (Critical), allows attackers to corrupt memory and reliably execute arbitrary code under certain conditions.

    The flaw lies in the handling of forward seeks in memory-backed blobs: seeking beyond the end of the buffer allows the subsequent write to overrun the buffer and corrupt the heap, with attacker-controlled data written at attacker-chosen offsets.

    Exploit and Impact

    • The root cause is a contract mismatch between SeekBlob() (which advances the offset) and WriteBlob() (which fails to allocate sufficient memory for later writes far from the buffer’s end). This makes exploits reliable when a forward seek is performed prior to writing data.
    • The issue affects ImageMagick 7.1.2-0 and 7.1.2-1 (and possibly other versions with similar logic), and is architecture-agnostic on LP64 systems.
    • Easy reachability of the bug means even third-party or custom encode-to-memory workflows may inadvertently introduce exploit paths.

    Security researcher Lumina Mescuwa released a working proof-of-concept exploit demonstrating memory corruption following a forward seek well past the buffer’s end, followed by a write.

    This provides an attacker a strong primitive for remote code execution, as heap corruption can be leveraged for process takeover or denial of service. The exploit does not require special delegates, policy changes, or arithmetic wraparounds.

    Given ImageMagick’s use in web services and cloud pipelines, unsanitized workloads may allow attackers to run code remotely by simply uploading a crafted image.

    Organizations using ImageMagick for image handling are at high risk if external images are processed without strict isolation.

    Mitigations

    The ImageMagick project has released patches closing this vulnerability, with 7.1.2-3 (7.x) and 6.9.13-29 (6.x) as the first safe releases.

    The fix ensures that all writes are preceded by buffer expansion to meet the actual offset plus length, eliminating the out-of-bounds write. All users should:

    • Upgrade ImageMagick immediately to the patched versions.
    • Audit deployments and ensure no legacy builds remain in production.
    • Consider hardening downstream processing to detect suspicious seeks and file writes.

    Security teams worldwide are monitoring for exploit attempts. With the release of a public PoC, prompt action is essential for all environments relying on ImageMagick.

    The post PoC Exploit Released for ImageMagick RCE Vulnerability – Update Now appeared first on Cyber Security News.

  • A newly disclosed security flaw in pgAdmin4, the widely used open-source tool for managing PostgreSQL databases, has raised serious concerns among developers and database administrators across the world. The vulnerability, tracked as CVE-2025-9636, was recently highlighted in the GitHub Advisory Database and classified as High severity. The issue lies in a Cross-Origin Opener Policy (COOP) vulnerability that affects versions of […]

    The post PgAdmin Vulnerability Allows Attackers to Gain Unauthorized Account Access appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • A recent autonomous penetration test uncovered a novel cross-site scripting (XSS) bypass that sidesteps even highly restrictive Web Application Firewalls (WAFs). Security researchers encountered an ASP.NET application protected by a rigorously configured WAF. Conventional XSS payloads (breaking out of single-quoted JavaScript strings) were promptly blocked. Yet by abusing HTTP parameter pollution, the team managed to split malicious […]

    The post Web Application Firewall Bypassed via JS Injection with Parameter Pollution appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • Cybersecurity never slows down. Every week brings new threats, new vulnerabilities, and new lessons for defenders. For security and IT teams, the challenge is not just keeping up with the news—it’s knowing which risks matter most right now. That’s what this digest is here for: a clear, simple briefing to help you focus where it counts. This week, one story stands out above the rest: the
