A proof-of-concept exploit has been published for a critical flaw in the secure boot process of the Nothing Phone (2a) and CMF Phone 1. This exploit can break the chain of trust and allow full code execution at the highest privilege level, posing a severe risk to device security. Vulnerability Overview A logic flaw in […]
The post PoC Released for Nothing Phone Code-Execution Vulnerability appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
A seemingly legitimate Zoom document share from “HR” redirected victims through a fake bot-protection gate into a Gmail login phish. User credentials are exfiltrated live via WebSocket and validated in real time. This report breaks down the social engineering, the malicious infrastructure, proof-of-concept exfiltration code, and indicators of compromise to watch for. Job seekers and […]
The post Cybercriminals Impersonate HR Departments to Harvest Your Gmail Login Details appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
A major service outage is affecting Microsoft 365, preventing users from accessing the admin center and other services that rely on Microsoft Entra ID for authentication.
The disruption, which began on Thursday, October 9, 2025, is causing widespread access issues for organizations that depend on Microsoft’s cloud-based productivity suite.
The scope of the impact is broad, affecting any user attempting to access the Microsoft 365 admin center or authenticate through Microsoft Entra ID.
This core dependency means that numerous Microsoft 365 services, including Outlook, Teams, and SharePoint, may be inaccessible to end-users.
Microsoft confirmed it is investigating reports from users who are unable to access these critical services. The initial phase of the investigation involved a review of dependent service pathways to identify the source of the failure and determine the first course of action.
For IT administrators, the inability to access the admin center presents a significant challenge, as it prevents them from managing their environment or troubleshooting user-facing issues.
Microsoft’s investigation has identified an issue within the Azure Front Door (AFD) service as the primary cause of the outage.
This service is responsible for managing and routing traffic to Microsoft’s global web applications, and its malfunction is leading to intermittent access problems for the Microsoft 365 admin portals.
The failure within AFD is believed to be having a cascading effect, contributing to the wider impact on services that use Entra ID.
In response, Microsoft’s engineering teams are reviewing recent changes made to the AFD environment that may have inadvertently triggered the disruption.
The company is analyzing extensive diagnostic data to isolate the exact cause of the issue and understand the mechanics of the failure.
As the investigation progresses, Microsoft’s efforts are now concentrated on the load-balancing infrastructure within its environment.
Load balancers play a critical role in distributing incoming network traffic efficiently across multiple servers, and a fault in this system could explain the intermittent connectivity issues and access failures being reported.
The company has stated that it is actively working on mitigation strategies to resolve the underlying problem and restore service as quickly as possible.
Microsoft has committed to providing an update on the situation on Thursday, October 9, 2025, at 5:30 PM GMT+5:30, as engineers continue to work toward a resolution.
Cyber Awareness Month Offer: Upskill With 100+ Premium Cybersecurity Courses From EHA's Diamond Membership: Join Today
The post Microsoft 365 Outage Disrupts Access to Admin Center, Services, and Entra ID appeared first on Cyber Security News.
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
A significant security flaw has been discovered within the Microsoft Events platform, which could have allowed attackers to access the personal information of users from two separate databases: the event registration list and the waitlist.
The vulnerability, uncovered by a 15-year-old bug bounty hunter known as Faav, exposed sensitive user data, including full names, email addresses, phone numbers, and in some cases, physical addresses. The flaw was responsibly disclosed to Microsoft and has since been patched.
The investigation began when the researcher started examining the events.microsoft.com subdomain, which led to the discovery of several API endpoints on the msevents.microsoft.com domain.
Initial tests for vulnerabilities on various endpoints returned no sensitive data. The first breakthrough came when an OData injection flaw was identified in the /api/GetEvents endpoint.
However, this initial entry point proved to be a dead end, as it only returned non-sensitive, public event information and threw errors when attempts were made to access other data tables like accounts or contacts.
A similar injection vulnerability was found in another endpoint /api/GetEventCustomRegistrationFields, which allowed the enumeration of all Microsoft events but still did not leak any user data.
The crucial discovery was made within a POST endpoint named /api/CheckEventRegistration. This feature was designed to check if a user’s email was already registered for a specific event.
The researcher found that by injecting malicious payloads into the email and eventId fields, it was possible to trick the system.
A specific OData injection technique revealed that the endpoint was making two separate requests to two different databases. By carefully crafting the input, Faav was able to target each database individually.
One injection allowed the enumeration of the entire Waitlist database, which contained fields such as fullname, telephone1, address1_line1, company, and email addresses, including many from government and corporate domains.
By reversing the injection technique, the researcher was able to access the second database, the Event Registration list.
This database contained personal details like first name, last name, phone number, company name, and country. Some events even included custom fields for Partner IDs and Tenant IDs.
The researcher noted that there were no rate limits in place, meaning an attacker could have scripted the extraction of all data from both databases.
After successfully demonstrating the ability to leak this information, Faav stopped further testing and reported the findings to the Microsoft Security Response Center (MSRC) on July 23, 2025.
According to the timeline provided, Microsoft acknowledged the issue and completed a fix by August 26, 2025.
Cyber Awareness Month Offer: Upskill With 100+ Premium Cybersecurity Courses From EHA's Diamond Membership: Join Today
The post Microsoft Events Vulnerability Exposes Users Personal Data From Registration And Waitlist Databases appeared first on Cyber Security News.
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
Shuyal Stealer has rapidly ascended as one of the most versatile credential theft tools observed in recent months.
First detected in early August 2025, its modular architecture allows it to target an expansive range of web browsers, including Chromium-based, Gecko-based, and legacy engines alike.
Initial indicators of compromise emerged as anomalous network traffic from compromised hosts, where users reported unexplained browser crashes followed by surges in outbound connections to unfamiliar command-and-control (C2) servers.
Point Wild researchers noted that within days of its emergence, Shuyal Stealer had already compromised hundreds of endpoints across multiple industry sectors, including finance, healthcare, and manufacturing.
The malware’s attack vectors are rooted in traditional social engineering techniques, primarily masquerading as software updates or utility installers.
Delivered through phishing emails or malicious advertisements, the installer payload employs a self-extracting archive that unpacks and executes a legitimate system binary alongside an obfuscated DLL loader.
.webp)
This side-loading mechanism allows Shuyal Stealer to evade common application whitelist solutions.
As the loader executes, it injects the core stealer module into running browser processes, granting it full access to stored cookies, saved passwords, and form-autofill data.
Point Wild analysts identified the use of encrypted strings and API hashing to conceal calls to key Windows functions such as LoadLibrary and GetProcAddress, complicating static analysis by security researchers.
Upon successful injection, Shuyal Stealer begins its payload routines, harvesting credentials from browser SQLite databases and memory.
It supports 19 different browsers, including Chrome, Edge, Firefox, Opera, Vivaldi, Brave, and several lesser-known forks popular in certain regions.
The stealer can also extract banking session tokens and two-factor authentication approvals stored in local cache.
Once collected, data is compressed using a custom ZIP implementation and encrypted with AES-256 in CBC mode before exfiltration.
Traffic analysis shows the malware batching stolen credentials into 512 KB chunks, which are sent over HTTPS to a dynamically generated subdomain for each victim, complicating takedown efforts.
Shuyal Stealer’s infection mechanism hinges on DLL side-loading and unhooked API calls to maintain stealth.
After decompressing the archive, the loader writes a benign system executable (for example, svchost.exe) into the Windows directory and drops an accompanying malicious DLL in the same location.
The executable is then launched with a crafted registry entry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, ensuring persistence across reboots.
Once the legitimate executable loads, Windows automatically resolves and loads the malicious DLL due to its naming convention match.
Within the DLL’s DllMain, the loader invokes a staged unpacker:-
// Simplified unpack routine
void UnpackAndInject() {
BYTE* encryptedPayload = LoadResource(MAKEINTRESOURCE(101));
BYTE* payload = DecryptAES256(encryptedPayload, payloadSize, key, iv);
HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, targetPid);
LPVOID remoteMem = VirtualAllocEx(hProc, NULL, payloadSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
WriteProcessMemory(hProc, remoteMem, payload, payloadSize, NULL);
CreateRemoteThread(hProc, NULL, 0, (LPTHREAD_START_ROUTINE)remoteMem, NULL, 0, NULL);
}This unpacker decrypts the core stealer module in memory and injects it into the target browser process.
By avoiding writing the primary payload to disk and leveraging legitimate binaries, Shuyal Stealer bypasses many endpoint detection solutions.
The use of API hashing further thwarts heuristic detection, as function names never appear in string tables.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
The post Shuyal Stealer Attacking 19 Browsers to Steal Login Credentials appeared first on Cyber Security News.
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
A critical authentication bypass in the Service Finder Bookings plugin has enabled unauthenticated attackers to assume administrator privileges on thousands of WordPress sites. Exploitation began within 24 hours of public disclosure, and over 13,800 exploit attempts have been blocked by the Wordfence Firewall to date. On June 8, 2025, a submission to the Wordfence Bug […]
The post Hackers Targeting WordPress Plugin Vulnerability to Seize Admin Access appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
A proof-of-concept (PoC) exploit has been released for a critical vulnerability in the secure boot chain of the Nothing Phone (2a) and CMF Phone 1, potentially affecting other devices using MediaTek systems-on-a-chip (SoCs).
The exploit, named Fenrir and published by researcher R0rt1z2, allows for arbitrary code execution at the highest privilege level, effectively breaking the secure boot process.
The vulnerability stems from a logical flaw in the MediaTek boot chain, where a key component is not properly verified when the bootloader is in an unlocked state.
The vulnerability resides in the Preloader stage of the MediaTek boot process. When a device’s bootloader is unlocked (seccfg is set to unlocked), the Preloader fails to verify the cryptographic signature of the bl2_ext partition.
This oversight is critical because bl2_ext is responsible for verifying all subsequent components in the boot chain.
The Preloader transfers execution to bl2_ext while still operating at Exception Level 3 (EL3), the highest privilege level in ARM architecture.
An attacker can therefore patch bl2_ext to bypass all further signature checks, causing a total collapse of the chain of trust and allowing the loading of unverified and malicious code.
By exploiting this flaw, an attacker can achieve code execution at EL3, granting them deep control over the device before the main operating system even begins to load.
The PoC demonstrates this by patching a single function, sec_get_vfy_policy(), to always return a value of 0, tricking the bootloader into believing that all subsequent images are verified.
The released exploit includes a payload that can register custom fastboot commands, control the device’s boot mode, and dynamically call native bootloader functions.
Additionally, the PoC can spoof the device’s lock state, making it appear as “locked” to pass strong integrity checks even when the bootloader is unlocked.
The researcher notes that while the current payload cannot modify memory at runtime due to MMU faults, the exploit provides a powerful foundation for further development.
The exploit has been confirmed to work on the Nothing Phone (2a) (codenamed “Pacman”) and the CMF Phone 1 (codenamed “Tetris”).
The developer of the exploit also notes that the Vivo X80 Pro is affected by a similar, and potentially more severe, vulnerability where bl2_ext is not verified even with a locked bootloader.
The issue is believed to be present in other MediaTek devices that use “lk2” as their secondary bootloader.
The researcher has issued a strong warning, stating that any attempt to use the exploit can permanently damage or “brick” a device if not performed correctly.
Users are advised to exercise extreme caution, as the process involves flashing a modified bootloader image that can lead to irreversible hardware failure.
Cyber Awareness Month Offer: Upskill With 100+ Premium Cybersecurity Courses From EHA's Diamond Membership: Join Today
The post PoC Exploit Released For Nothing Phone Code Execution Vulnerability appeared first on Cyber Security News.
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
Security researcher Norbert Szetei published the final installment of his deep-dive into the ksmbd filesystem module, culminating in a working proof-of-concept exploit targeting CVE-2025-37947. Unlike earlier use-after-free candidates that required complex race conditions or depended on external factors, this vulnerability offers a deterministic out-of-bounds (OOB) write primitive. Szetei’s PoC was tested on Ubuntu 22.04.5 LTS […]
The post PoC Released for Linux Kernel ksmbd Filesystem Vulnerability appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
Corporate data security faces an unprecedented crisis as new research reveals widespread employee misuse of generative AI platforms.
A comprehensive study examining enterprise browsing behavior has uncovered alarming patterns of sensitive data exposure across organizations worldwide.
The research, based on real-world telemetry from enterprise browsers, demonstrates that artificial intelligence tools have become the primary vector for unauthorized data transfer from corporate environments.
The study exposes how rapidly generative AI has integrated into workplace routines, with 45% of enterprise users now actively engaging with AI platforms.
ChatGPT dominates this landscape, capturing 43% of overall employee usage and representing 92% of all generative AI activity within organizations.
This remarkable adoption rate places AI tools alongside established enterprise categories like email and file sharing in terms of daily utilization.
Most concerning is the scale of sensitive information exposure through these platforms. The research reveals that 77% of employees regularly paste data into generative AI tools, with 82% of this activity occurring through unmanaged personal accounts that bypass corporate oversight.
This behavior has positioned generative AI as the leading channel for corporate-to-personal data exfiltration, accounting for 32% of all unauthorized data movement outside sanctioned environments.
LayerX Security analysts identified these patterns through comprehensive monitoring of enterprise browser activity, providing unprecedented visibility into employee interactions with AI platforms.
Their research methodology involved deploying security solutions directly within user browsers across multiple large-scale enterprises, capturing complete visibility into data flows between corporate systems and external AI services.
The financial and compliance implications are staggering, with 40% of files uploaded to generative AI platforms containing personally identifiable information (PII) or payment card industry (PCI) data.
Similarly, 22% of data pasted into these tools includes sensitive regulatory information. This exposure creates substantial risks for organizations subject to data protection regulations like GDPR, HIPAA, or SOX compliance requirements.
The research reveals a critical identity management crisis within enterprise environments, where traditional access controls have failed to contain employee behavior.
Personal account usage dominates high-risk categories, with 67% of generative AI access occurring through unmanaged accounts that exist outside corporate identity systems.
This pattern extends beyond AI tools, affecting business-critical applications including Salesforce (77% non-corporate access), Microsoft Online (68% non-corporate), and Zoom (64% non-corporate).
Even when employees use corporate credentials, authentication weaknesses persist across enterprise systems. The study found that 83% of ERP logins and 71% of CRM access occurs without single sign-on (SSO) federation, effectively treating corporate accounts like personal ones.
This creates massive visibility gaps where sensitive business workflows operate outside IT oversight and security controls.
The copy-paste behavior represents the most dangerous data transfer method, as it bypasses traditional data loss prevention (DLP) systems entirely.
Employees average 46 paste operations daily, with personal accounts generating an average of 15 pastes per day, including at least 4 containing sensitive data.
Popular destinations include ChatGPT, Google services, Databricks, LinkedIn, Snowflake, and Slack, demonstrating how corporate information flows into diverse external platforms through routine productivity activities.
Chat and instant messaging applications compound these risks, with 87% of activity occurring through unmanaged accounts while 62% of users paste PII/PCI data into these platforms.
This combination of high personal account usage and frequent sensitive data exposure makes messaging apps among the most dangerous channels for unauthorized information transfer.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
The post 77% of Employees Share Company Secrets on ChatGPT Compromising Enterprise Policies appeared first on Cyber Security News.
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶