-
The comfort zone in cybersecurity is gone. Attackers are scaling down, focusing tighter, and squeezing more value from fewer, high-impact targets. At the same time, defenders face growing blind spots — from spoofed messages to large-scale social engineering. This week’s findings show how that shrinking margin of safety is redrawing the threat landscape. Here’s what’s
-
A critical security vulnerability in Redis’s Lua scripting engine has left thousands of database instances vulnerable to remote code execution attacks. The RediShell RCE vulnerability, tracked as CVE-2025-49844, was publicly disclosed in early October 2025 by cloud security firm Wiz, revealing a use-after-free memory corruption issue that enables attackers to escape the Lua sandbox and […]
The post Critical RediShell RCE Vulnerability Threatens 8,500+ Redis Deployments Worldwide appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
-
Cybersecurity researchers have uncovered yet another active software supply chain attack campaign targeting the npm registry with over 100 malicious packages that can steal authentication tokens, CI/CD secrets, and GitHub credentials from developers’ machines. The campaign has been codenamed PhantomRaven by Koi Security. The activity is assessed to have begun in August 2025, when the first
-
A sophisticated botnet campaign has compromised more than 25,000 IoT devices across 40 countries while establishing 140 command-and-control servers to facilitate cybercrime operations.
The PolarEdge botnet, first disclosed in February 2025, exploits vulnerable IoT and edge devices to construct an Operational Relay Box network that provides infrastructure-as-a-service for advanced persistent threat actors.
The malware operates through a client-server architecture, with RPX_Client components installed on compromised devices and RPX_Server nodes managing proxy services across multiple cloud platforms.
The botnet’s infection campaign began gaining momentum in May 2025 when security monitoring systems detected suspicious activity from IP address 111.119.223.196 distributing an ELF file flagged as PolarEdge-related.
Through correlation analysis, researchers uncovered the RPX_Client component, which onboards compromised devices into designated C2 node proxy pools while enabling remote command execution.
Qianxin researchers identified the malware after conducting targeted investigation following detection by XLab’s Cyber Threat Insight and Analysis System.
The successive discoveries of RPX_Server and RPX_Client components enabled deeper understanding of the botnet’s relay operations and infrastructure scale.
Figure: Multi-hop design (Source – Qianxin)
Geographic distribution analysis reveals infection concentration in Southeast Asia and North America, with South Korea accounting for 41.97 percent of compromised devices, followed by China at 20.35 percent and Thailand at 8.37 percent.
Primary targets include KT CCTV systems, Shenzhen TVT DVRs, Cyberoam UTM appliances, and various router models from manufacturers including Asus, DrayTek, Cisco, and D-Link.
The botnet infrastructure operates across VPS nodes concentrated in autonomous system numbers 45102, 37963, and 132203, predominantly hosted on Alibaba Cloud and Tencent Cloud platforms.
Technical Architecture and Infection Mechanism
The RPX system implements a multi-hop proxy architecture designed for source concealment and attribution complexity. When attackers utilize the network, connections traverse from local proxy through RPX_Server to RPX_Client on compromised devices before reaching final destinations.
This layered approach effectively obscures attack origins while providing operational flexibility. The malware achieves persistence by appending a launcher to the device’s initialization script with the command:
echo "/bin/sh /mnt/mtd/rpx.sh &" >> /etc/init.d/rcS
Upon execution, RPX_Client disguises its process name as connect_server and enforces single-instance execution using the PID file /tmp/.msc to prevent duplicate startups.
The malware attempts to read the global configuration file .fccq to obtain parameters including the C2 server address, communication port, device UUID, and brand information.
Configuration data undergoes single-byte XOR encryption with 0x25 before storage. Network operations utilize two independent connections: port 55555 for node registration and traffic proxying, and port 55560 for remote command execution through go-admin service.
The command structure enables flexible control through magic field values 0x11, 0x12, and 0x16 that define bot functions. Special built-in commands include change_pub_ip for updating C2 server addresses and update_vps for sample self-upgrade capabilities.
Server logs confirm execution of infrastructure migration commands, demonstrating operators’ ability to rapidly relocate proxy pools when nodes face exposure.
Traffic analysis reveals non-targeted operations primarily directed toward mainstream platforms including QQ, WeChat, Google, and Cloudflare services.
The post PolarEdge Botnet Infected 25,000+ Devices and 140 C2 Servers Exploiting IoT Vulnerabilities appeared first on Cyber Security News.
-
Microsoft has addressed a critical privilege escalation vulnerability affecting Windows environments worldwide. Attackers can exploit misconfigured Service Principal Names (SPNs) combined with Kerberos reflection attacks to gain SYSTEM-level access on domain-joined machines, even when previous Kerberos mitigations are in place.
CVE ID: CVE-2025-58726
Vulnerability Type: SMB Server Elevation of Privilege
CVSS 3.1 Score: […]
The post New Attack Chains Ghost SPNs and Kerberos Reflection to Elevate SMB Privileges appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
-
A sophisticated privilege escalation vulnerability in Windows SMB servers leverages Ghost Service Principal Names (SPNs) and Kerberos authentication reflection to achieve remote SYSTEM-level access.
Microsoft designated this as CVE-2025-58726, an “SMB Server Elevation of Privilege” flaw impacting all Windows versions absent enforced SMB signing.
According to Semperis, the issue persists in environments with default Active Directory (AD) configurations, underscoring Kerberos’ susceptibility to reflection despite mitigations for related flaws like CVE-2025-33073.
Disclosed to the Microsoft Security Response Center (MSRC) on June 25, 2025, and confirmed as “Important” severity by July 22, CVE-2025-58726 exploits the interplay between unresolved SPNs and permissive DNS registration.
Domain users, by default, hold write access to DNS zones, enabling attackers to hijack ghost SPN entries that reference non-resolvable hostnames left behind by legacy systems, deployment errors, or hybrid setups.
This facilitates Kerberos ticket relaying, bypassing credential requirements and granting administrative control, with escalation to domain dominance if Tier 0 assets like AD Certificate Services are compromised.
Kerberos Reflection Mechanics And Ghost SPN Exploitation
Kerberos authentication, integral to Windows domains, employs asymmetric tickets for secure service access but lacks inherent reflection safeguards, unlike NTLM’s channel-binding mitigations.
Authentication reflection entails capturing a victim’s Kerberos AP-REQ (Application Request) and replaying it to the victim’s own endpoint, coercing self-authentication.

In CVE-2025-58726, ghost SPNs (prefixed with HOST/ or CIFS/) on target computer accounts serve as the pivot.
Prerequisites include low-privilege domain access, a domain-joined target without SMB signing (allowing unsigned Negotiate/Kerberos blobs), and a ghost SPN, Semperis added.
Attackers query AD for SPNs via LDAP, identify unresolved ones (e.g., via nslookup failures), and register a DNS A-record mapping the ghost hostname to their controlled IP, exploiting domain users’ default dnsHost permissions.

Coercion follows: tools like PrinterBug (MS-RPRN coercion) or PetitPotam (MS-EFSRPC) trigger the target’s machine account to request a TGS (Ticket Granting Service) ticket for the ghost SPN cifs/ghost@domain.
The KDC issues this ticket, bound to the target’s computer account (mapped to SYSTEM in LSASS).
A relay tool, such as KrbRelayEx, intercepts the AP-REQ during SMB session setup (SMB2 Negotiate and Session Setup phases), extracts the Kerberos token via SSPI, and relays it to the target’s SMB server.
The relayed token impersonates the machine account, enabling SMB commands like Tree Connect and NTCreateAndX for arbitrary execution.
Network traces reveal the TGS-REQ for cifs/ghost, with the target computer as the sname, confirming reflection.
This vector evades CVE-2025-33073’s SMB client fix, which addressed CredMarshal-based relaying; here, the flaw resides in Kerberos’ failure to validate SPN-to-hostname binding against DNS resolution, extending to protocols like WMI (RPC/DCOM) or RDP if SPNs permit.
Mitigations
Microsoft’s remediation targets the srv2.sys driver, governing SMB 2.0+ server logic.
In Smb2ExecuteSessionSetupReal(), the update integrates Feature_3857492281__private_IsEnabledDeviceUsage(), invoking SrvAdminValidateSpn_Old() to verify SPN legitimacy against local security contexts.
For valid local SPNs, Smb2ValidateLoopbackAddress() assesses the source IP; remote (non-127.0.0.1) connections yield a negative return, terminating the session pre-token impersonation.
This blocks the reflection loop without altering core Kerberos flows. However, residual risks linger for unpatched or multi-protocol setups.
Mitigate by enforcing SMB signing via Group Policy (RequireSecuritySignature=1 on clients/servers), auditing SPNs with tools like TestComputerSpnDNS to enumerate and purge ghosts (setspn -D), and revoking domain users’ DNS write ACLs (via dnscmd /config).
Deploy Kerberos monitoring for anomalous TGS-REQs (e.g., via ETW or Wireshark filters on port 88), and neutralize coercion via RPC restrictions (e.g., DisableUnencryptedRpc=1) and service hardening.
The October 14 patch rollout emphasizes proactive AD hygiene: ghost SPNs proliferate in 70% of audited environments per industry reports.
As attackers refine relay chains, integrating these controls fortifies against evolving Kerberos abuses.
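The SPN audit described above (enumerate SPNs from AD, check whether their hostnames resolve, purge the ghosts) as an added PowerShell example; this is not code from Semperis, Microsoft or the article. It assumes the ActiveDirectory RSAT module and the built-in DnsClient module, and the function and property names are my own.

```powershell
# Added example: find HOST/ and CIFS/ SPNs on computer accounts whose host part
# no longer resolves in DNS, i.e. the "ghost" SPNs this attack pivots on.
# Assumptions: ActiveDirectory module (Get-ADComputer) and DnsClient
# (Resolve-DnsName) are available; default domain-user read rights suffice.
#Requires -Modules ActiveDirectory

function Get-SpnHostName {
    # Strip the service class and any port/instance suffix from an SPN:
    # "cifs/host.corp.example:445" -> "host.corp.example"
    param([Parameter(Mandatory)][string]$Spn)
    $parts = $Spn.Split('/', 3)
    if ($parts.Count -lt 2) { return $null }
    return ($parts[1] -split ':')[0]
}

function Test-GhostSpn {
    # Emits one record per HOST/ or CIFS/ SPN that fails to resolve, with the
    # owning computer account and the setspn -D command that would remove it.
    param([string]$SearchBase)

    $params = @{ Filter = '*'; Properties = 'servicePrincipalName' }
    if ($SearchBase) { $params.SearchBase = $SearchBase }

    $resolved = @{}   # hostname -> $true/$false, so each name is looked up once
    foreach ($computer in Get-ADComputer @params) {
        foreach ($spn in $computer.servicePrincipalName) {
            if ($spn -notmatch '^(HOST|CIFS)/') { continue }
            $hostName = Get-SpnHostName -Spn $spn
            if (-not $hostName) { continue }

            if (-not $resolved.ContainsKey($hostName)) {
                # -DnsOnly skips LLMNR/NetBIOS so only a real DNS answer counts;
                # an NXDOMAIN surfaces as a non-terminating error -> $null -> $false
                $answer = Resolve-DnsName -Name $hostName -Type A -DnsOnly `
                              -ErrorAction SilentlyContinue
                $resolved[$hostName] = [bool]$answer
            }
            if ($resolved[$hostName]) { continue }

            [pscustomobject]@{
                Computer  = $computer.Name
                Spn       = $spn
                HostName  = $hostName
                Remediate = "setspn -D `"$spn`" `"$($computer.Name)`""
            }
        }
    }
}

# Review the list, then run the Remediate commands for entries confirmed stale.
Test-GhostSpn | Format-Table -AutoSize
```

Re-run after revoking domain users’ DNS write ACLs: a name on this list that later starts resolving to an address outside your ranges is exactly the hijack the article describes.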
The post New Attack Combines Ghost SPNs and Kerberos Reflection to Elevate Privileges on SMB Servers appeared first on Cyber Security News.
-
Microsoft addressed a critical race condition vulnerability affecting its Windows Cloud Files Minifilter driver in October 2025. The flaw, assigned CVE-2025-55680, was originally discovered in March 2024 and represents a significant security concern for systems utilising OneDrive and similar cloud synchronisation services.
CVE Identifier: CVE-2025-55680
Vulnerability Type: Race Condition (TOCTOU)
Affected Component: cldflt.sys […]
The post Privilege Escalation Exploit Targets Windows Cloud Files Minifilter appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
-
Canadian authorities have issued an urgent alert following multiple confirmed incidents where cybercriminals compromised internet-accessible Industrial Control Systems (ICS) devices protecting critical infrastructure across the nation.
The Canadian Centre for Cyber Security and the Royal Canadian Mounted Police report that water treatment facilities, energy companies, and agricultural operations have fallen victim to coordinated attacks, raising serious concerns about the vulnerability of Canada’s essential services.
The scope of these attacks extends beyond isolated incidents. Hackers have successfully manipulated programmable logic controllers and automated systems at water facilities, deliberately tampering with pressure values that degraded service for entire communities.
In another case, attackers targeted a major Canadian oil and gas company, compromising an Automated Tank Gauge system that triggered false alarms.
A third incident involved a grain drying silo on a Canadian farm, where unauthorized actors manipulated temperature and humidity readings, potentially creating dangerous conditions if security teams had not detected the breach promptly.
Hacktivism Attacks Growing Rapidly
While sophisticated state-sponsored actors typically target specific organizations, Canadian authorities warn that hacktivists increasingly exploit vulnerable ICS devices as targets of opportunity.
These threat actors gain media attention, discredit organizations, and undermine Canada’s broader reputation by compromising systems that control essential services.
The Canadian public remains unaware of how close these attacks come to causing cascading failures across critical infrastructure.
Exposed components including Programmable Logic Controllers (PLCs), Remote Terminal Units (RTUs), Human-Machine Interfaces (HMIs), SCADA systems, and Building Management Systems (BMS) create substantial risks not only to individual organizations but to their clients and the wider Canadian population.
The interconnected nature of modern infrastructure means that a single compromised device can trigger failures affecting thousands of citizens.
Canadian authorities emphasize that unclear roles and responsibilities between organizations, municipalities, and provincial governments create dangerous security gaps.
Organizations must immediately conduct thorough inventories of all internet-accessible ICS devices and evaluate their necessity.
Where feasible, implementing Virtual Private Networks (VPNs) with two-factor authentication should replace direct internet exposure.
For systems that cannot be isolated, enhanced monitoring through Intrusion Prevention Systems and regular penetration testing becomes essential. Continuous vulnerability management throughout the device lifecycle is mandatory.
Provincial and territorial governments should coordinate with municipalities to ensure all critical infrastructure receives proper documentation and protection, particularly in sectors like water, food, and manufacturing that lack comprehensive regulatory cyber oversight.
Beyond technical measures, organizations must conduct regular tabletop exercises to evaluate incident response capabilities and clearly define roles during cyber emergencies.
Early reporting to both the Cyber Centre and local law enforcement enables coordinated investigations and mitigation efforts.
The post Canada Warns of Hackers Breached ICS Devices Controlling Water and Energy Facilities appeared first on Cyber Security News.
-
Global advertising and marketing giant Dentsu has confirmed that its U.S.-based subsidiary Merkle experienced a cyberattack, prompting immediate incident response measures and system shutdowns to contain the breach.
The company detected abnormal activity within Merkle’s network infrastructure, which led to proactive security protocols being deployed to minimize operational impact.
Merkle, recognized as a leader in Customer Experience Management for Dentsu’s international operations, was targeted in the cyber incident that affected portions of its network systems.
Upon discovering the suspicious activity, Dentsu’s security teams immediately activated incident response procedures and made the strategic decision to shut down certain systems as a precautionary measure.
Investigation and Regulatory Compliance
The incident underscores the growing threat landscape facing major marketing and customer data management firms that handle sensitive client information across multiple industries.
Merkle serves numerous Fortune 500 companies and manages vast amounts of customer data, making it an attractive target for cybercriminals seeking valuable corporate and consumer information.
Dentsu has engaged an external cybersecurity firm with extensive experience handling similar breach investigations to assist with forensic analysis and remediation efforts.
The company emphasized its commitment to transparency by reporting the incident to relevant authorities in compliance with data protection regulations across different jurisdictions where it operates.
The ongoing investigation aims to determine the full extent of the breach, including what data may have been accessed or compromised, the attack vector used by threat actors, and whether any client information was exposed.
As organizations increasingly face sophisticated cyber threats, rapid detection and response have become critical components of enterprise security strategies. Dentsu has clarified that the cyberattack was isolated to Merkle’s U.S. operations and did not impact the company’s network systems in Japan.
This geographic containment suggests that Dentsu maintains segmented network infrastructure across its global operations, which helped prevent the incident from spreading to other regional divisions. However, the company acknowledged that financial repercussions are anticipated as a result of the breach.
Dentsu stated it is continuing to assess both the magnitude and timeline of the expected financial impact, which could include incident response costs, potential regulatory fines, customer notification expenses, and possible remediation investments to strengthen security controls.
The disclosure comes amid heightened scrutiny of cybersecurity practices across the marketing technology sector, where companies process massive volumes of consumer data for targeted advertising and personalized customer experiences.
As investigations continue, Dentsu remains focused on restoring full operational capabilities while implementing enhanced security measures to prevent future incidents.
The post Dentsu has Disclosed that its U.S.-based Subsidiary Merkle Suffers Cyberattack appeared first on Cyber Security News.
-
A sophisticated malware campaign is actively targeting WordPress e-commerce websites using the WooCommerce plugin, according to recent findings from the Wordfence Threat Intelligence Team. The malware campaign, which employs advanced evasion techniques and multi-layered attack strategies, disguises itself as a legitimate WordPress plugin while secretly stealing credit card information from unsuspecting online shoppers. The malicious […]
The post New Malware Infects WooCommerce Sites Through Fake Plugins to Steal Credit Card Data appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.