Google has released its Cybersecurity Forecast 2026 report, providing a comprehensive analysis of emerging threats and security trends anticipated throughout the coming year. Rather than relying on speculation, the report is grounded in real-world data and insights gathered from Google Cloud security leaders, dozens of experts, analysts, researchers, and frontline security responders. The forecast reveals […]
Raise your hand if you’ve heard the myth, “Android isn’t secure.”
Android phones, such as the Samsung Galaxy, unlock new ways of working. But, as an IT admin, you may worry about the security—after all, work data is critical.
However, outdated concerns can hold your business back from unlocking its full potential. The truth is, with work happening everywhere, every device connected to your
NGate represents a sophisticated Android-based threat that exploits NFC technology to enable unauthorized ATM cash withdrawals without physically stealing payment cards. Rather than stealing cards outright, threat actors use an ingenious relay attack that intercepts the card’s NFC communications from a victim’s Android phone and transmits them to an attacker-controlled device positioned at an ATM, […]
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical warning regarding a dangerous OS command injection vulnerability affecting Control Web Panel (CWP), formerly known as CentOS Web Panel.
The vulnerability, tracked as CVE-2025-48703, enables unauthenticated remote attackers to execute arbitrary commands on vulnerable systems with minimal prerequisites.
CVE-2025-48703 represents a significant security risk because it allows attackers to bypass authentication requirements entirely.
The flaw resides in the file manager changePerm request functionality, where malicious shell metacharacters are injected into the t_total parameter, triggering remote code execution.
What makes this vulnerability particularly concerning is that attackers need only knowledge of a valid non-root username to exploit it successfully.
This relatively low barrier to entry means threat actors can systematically target exposed CWP installations without specialized access or credentials.
CWP OS Command Injection Vulnerability
The vulnerability is classified under CWE-78, which covers improper neutralization of special elements used in an OS command.
This categorization reflects the fundamental input validation failure that allows attackers to break out of intended command contexts and execute arbitrary system commands with the privileges of the web application process.
CISA added CVE-2025-48703 to its Known Exploited Vulnerabilities catalog on November 4, 2025, indicating active exploitation in the wild.
The agency has established a mitigation deadline of November 25, 2025, giving organizations roughly three weeks to secure their systems.
CISA’s advisory emphasizes the urgent need for immediate action, particularly for organizations operating cloud services that must support Binding Operational Directive 22-01 (BOD 22-01) compliance requirements.
Organizations running vulnerable CWP installations face three primary remediation pathways. First, apply vendor-provided security patches and mitigations immediately.
Second, organizations relying on cloud service providers should ensure BOD 22-01 guidance is implemented.
Third, if patches prove unavailable or insufficient, organizations should consider discontinuing use of the product entirely to eliminate exposure.
CVE ID: CVE-2025-48703
Vulnerability: OS Command Injection
Affected Component: Control Web Panel (CWP) – filemanager changePerm
System administrators managing Control Web Panel deployments should prioritize this vulnerability in their patching schedules.
Immediate network segmentation, access control reviews, and monitoring for suspicious activity on CWP systems are essential temporary measures.
Additionally, administrators should verify whether their installations have been compromised by checking logs for irregular filemanager changePerm requests containing shell metacharacters or unusual parameter values.
Organizations unfamiliar with their CWP deployment status should conduct urgent infrastructure audits to identify all instances.
The combination of unauthenticated access requirements and minimal exploitation prerequisites makes this vulnerability exceptionally dangerous for exposed systems.
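One way to run the log check described above, as an added example that is not from the advisory or from CWP itself: it scans web access-log lines for changePerm requests and flags any t_total value that carries shell metacharacters (after decoding, including a double-encoded layer) or is not a plain numeric permission value. The `/filemanager/changePerm` path, the log format and the log lines are constructed for illustration; the page does not give CWP's actual filemanager URL, and the numeric-value expectation is an assumption.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Characters that let a value escape its intended argument in a shell command.
# Any of them inside a permission-mode parameter is a strong indicator.
SHELL_METACHARS = re.compile(r"[;|&`$<>(){}\n]")

# Common access-log request field: "METHOD target HTTP/x.y".
REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')


def is_suspicious_changeperm(log_line):
    """Return (flagged, decoded_t_total) for one access-log line.

    Only changePerm requests are inspected (the request the advisory names).
    t_total is flagged when it contains shell metacharacters or, as an
    assumption here, when it is not a plain numeric permission value."""
    m = REQUEST_RE.search(log_line)
    if not m or "changePerm" not in m.group("target"):
        return False, None
    params = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
    for raw in params.get("t_total", []):
        value = unquote(raw)  # parse_qs decoded once; this catches a second layer
        if SHELL_METACHARS.search(value) or not re.fullmatch(r"\d+", value):
            return True, value
    return False, None


def scan(lines):
    """Return [(line, decoded_t_total)] for every suspicious changePerm request."""
    hits = []
    for line in lines:
        flagged, value = is_suspicious_changeperm(line)
        if flagged:
            hits.append((line, value))
    return hits


# Constructed sample lines (hypothetical path and harmless values, not real CWP logs).
SAMPLE_LOG = [
    '203.0.113.10 - - [05/Nov/2025:10:00:01 +0000] "GET /filemanager/changePerm?t_total=755&f=a.txt HTTP/1.1" 200 512',
    '203.0.113.10 - - [05/Nov/2025:10:00:02 +0000] "GET /filemanager/changePerm?t_total=755%3Becho+probe HTTP/1.1" 200 512',
    '203.0.113.10 - - [05/Nov/2025:10:00:03 +0000] "GET /filemanager/changePerm?t_total=755%2526%2526true HTTP/1.1" 200 512',
    '203.0.113.10 - - [05/Nov/2025:10:00:04 +0000] "GET /filemanager/changePerm?t_total=abc HTTP/1.1" 200 512',
    '203.0.113.10 - - [05/Nov/2025:10:00:05 +0000] "GET /login?username=a%3Bb HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for line, value in scan(SAMPLE_LOG):
        print(f"suspicious t_total={value!r}: {line}")
```

If the panel submits changePerm via POST, the parameters sit in the request body and a standard access log will not show them; the same check then needs a body-logging source or a web application firewall log.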
JPCERT/CC has issued an urgent warning about ongoing attacks by the advanced persistent threat group APT-C-60, which continues to target recruitment professionals in Japan through sophisticated spear-phishing campaigns. The attack campaign specifically impersonates job seekers contacting recruitment staff, exploiting the natural workflow of human resources professionals who regularly review candidate submissions. Between June and August […]
DragonForce, a ransomware-as-a-service operation active since 2023, has dramatically evolved into what researchers now describe as a structured cybercriminal cartel, leveraging the publicly leaked Conti v3 source code to establish a formidable threat infrastructure.
The group initially relied on the LockBit 3.0 builder for developing encryptors before transitioning to a customized Conti v3 codebase, giving it significant operational advantages and technical capabilities that rival established ransomware operations.
The transition marked a turning point in DragonForce’s evolution. Rather than operating as a traditional ransomware group, the organization rebranded itself as a cartel in early 2025, fundamentally changing how it conducts business.
This shift enables affiliates to white-label payloads and create their own branded variants while maintaining operational independence under DragonForce’s infrastructure umbrella.
By offering affiliates 80 percent of profits, the cartel structure removes technical barriers to entry and incentivizes recruitment of new operators.
The group now provides comprehensive tools including automated deployment systems, customizable encryptors, reliable infrastructure with 24/7 monitoring, and support for multiple platforms spanning Windows, ESXi, Linux, BSD, and NAS systems.
Acronis researchers and threat analysts identified that DragonForce employs sophisticated attack methodologies alongside Scattered Spider, a financially motivated initial access broker specializing in social engineering and multi-factor authentication bypass tactics.
Execution chain (Source – Acronis)
Scattered Spider conducts reconnaissance on target employees through social media and open-source intelligence, crafting convincing pretexts to orchestrate phishing campaigns and voice phishing attacks.
Once credentials are compromised, the group deploys remote monitoring tools like ScreenConnect and AnyDesk to establish persistence, then conducts extensive network reconnaissance focusing on backup infrastructure, credential repositories, and VMware environments.
Advanced Encryption Mechanisms and Technical Refinement
DragonForce’s technical sophistication distinguishes it from competing operations.
The malware employs ChaCha20 encryption for configuration files and generates unique encryption keys for each targeted file.
Notably, after security researchers disclosed encryption weaknesses in Akira ransomware through a Habr article, DragonForce promptly reinforced its own cipher implementation, demonstrating active threat intelligence monitoring and rapid technical adaptation.
The group implements multiple encryption modes including full, header, and partial encryption, with configurable thresholds determining encryption strategies for individual files.
A particularly concerning technique involves BYOVD attacks utilizing vulnerable drivers like truesight.sys and rentdrv2.sys to terminate security software and protected processes.
The malware communicates with these drivers through the Windows DeviceIoControl API using specific control codes, effectively bypassing endpoint detection and response solutions.
Configuration parameters reveal sophisticated operational planning, with targeted process termination lists including SQL Server instances, Oracle databases, and Microsoft productivity applications to maximize encryption success rates.
Since late 2023, DragonForce has exposed more than 200 victims across retail, airlines, insurance, managed service providers, and enterprise sectors.
The Marks & Spencer attack, attributed to Scattered Spider and DragonForce collaboration, exemplifies the operational effectiveness of their partnership.
As DragonForce continues recruiting affiliates and establishing market dominance through infrastructure takeovers targeting rival groups, the cartel model represents a concerning evolution in ransomware operations.
A never-before-seen threat activity cluster codenamed UNK_SmudgedSerpent has been attributed as behind a set of cyber attacks targeting academics and foreign policy experts between June and August 2025, coinciding with heightened geopolitical tensions between Iran and Israel.
“UNK_SmudgedSerpent leveraged domestic political lures, including societal change in Iran and investigation into the
The U.S. Treasury Department on Tuesday imposed sanctions against eight individuals and two entities within North Korea’s global financial network for laundering money for various illicit schemes, including cybercrime and information technology (IT) worker fraud.
“North Korean state-sponsored hackers steal and launder money to fund the regime’s nuclear weapons program,” said Under Secretary of
The Cybersecurity and Infrastructure Security Agency has issued an urgent alert about a critical command-injection vulnerability in Control Web Panel that is currently being actively exploited in the wild. Tracked as CVE-2025-48703, this flaw poses a significant threat to organizations running the popular server management platform and demands immediate attention from system administrators worldwide. Control […]
Behind every alert is an analyst: tired eyes scanning dashboards, long nights spent on false positives, and the constant fear of missing something big. It’s no surprise that many SOCs face burnout before they face their next breach. But this doesn’t have to be the norm. The path out isn’t through working harder, but through working smarter, together.
Here are three practical steps every SOC can