1010.cx

  • Google Gemini Vulnerabilities Let Attackers Exfiltrate User’s Saved Data and Location

    ·

    , , ,

    Three new vulnerabilities in Google’s Gemini AI assistant suite could have allowed attackers to exfiltrate users’ saved information and location data.

    The vulnerabilities uncovered by Tenable, dubbed the “Gemini Trifecta,” highlight how AI systems can be turned into attack vehicles, not just targets. The research exposed significant privacy risks across different components of the Gemini ecosystem.

    While Google has since patched the issues, the discovery serves as a critical reminder of the security challenges inherent in highly personalized, AI-driven platforms. The three distinct vulnerabilities targeted separate functions within Gemini.

    Gemini Trifecta

    Gemini Cloud Assist: A prompt-injection vulnerability in the Google Cloud tool could have enabled attackers to compromise cloud resources or execute phishing attempts. Researchers found that log entries, which Gemini can summarize, could be poisoned with malicious prompts. This represents a new attack class where log injections can manipulate AI inputs.

    Gemini Search Personalization Model: This search-injection flaw gave attackers the ability to control Gemini’s behavior by manipulating a user’s Chrome search history. By injecting malicious search queries, an attacker could trick Gemini into leaking a user’s saved information and location data.

    Gemini Browsing Tool: A vulnerability in this tool allowed for the direct exfiltration of a user’s saved information. Attackers could abuse the tool’s functionality to send sensitive data to an external server.

    The core of the attack methodology involved a two-step process: infiltration and exfiltration. Attackers first needed to inject a malicious prompt that Gemini would process as a legitimate command.

    Tenable discovered stealthy methods for this “indirect prompt injection,” such as embedding instructions within a log entry’s User-Agent header or using JavaScript to add malicious queries to a victim’s browser history silently.

    Once the prompt was injected, the next challenge was to extract the data, bypassing Google’s security measures that filter outputs like hyperlinks and image markdowns.

    The researchers discovered they could exploit the Gemini Browsing Tool as a side channel. They crafted a prompt that instructed Gemini to use its browsing tool to fetch a URL, embedding the user’s private data directly into the URL request sent to an attacker-controlled server.

    This exfiltration occurred through tool execution rather than response rendering, circumventing many of Google’s defenses.

    Google has successfully remediated all three vulnerabilities. The fixes include stopping hyperlinks from rendering in log summaries, rolling back the vulnerable search personalization model, and preventing data exfiltration through the browsing tool during indirect prompt injections.

    Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

    The post Google Gemini Vulnerabilities Let Attackers Exfiltrate User’s Saved Data and Location appeared first on Cyber Security News.

    ¶¶¶¶¶

    ¶¶¶¶¶

    ¶¶¶¶¶

    ¶¶¶¶¶

    ¶¶¶¶¶

  • Patchwork APT: Leveraging PowerShell to Create Scheduled Tasks and Deploy Final Payload

    ·

    , , ,

    Patchwork, the advanced persistent threat (APT) actor also known as Dropping Elephant, Monsoon, and Hangover Group, has been observed deploying a new PowerShell-based loader that abuses Windows Scheduled Tasks to execute its final payload. Active since at least 2015 and focused on political and military intelligence across South and Southeast Asia, Patchwork is renowned for […]

    The post Patchwork APT: Leveraging PowerShell to Create Scheduled Tasks and Deploy Final Payload appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

    ¶¶¶¶¶

    ¶¶¶¶¶

    ¶¶¶¶¶

    ¶¶¶¶¶

    ¶¶¶¶¶

  • Threat Actors Allegedly Listed Veeam RCE Exploit for Sale on Dark Web

    ·

    , ,

    Veeam Backup & Replication, a cornerstone of many enterprises’ data protection strategy, has reportedly become the focus of a new exploit being offered on a clandestine marketplace.

    According to a recent listing, a seller operating under the handle “SebastianPereiro” claims to possess a remote-code-execution (RCE) exploit targeting specific Veeam 12.x builds.

    Dubbed the “Bug of June 2025,” the exploit allegedly bypasses standard authentication mechanisms and grants full server control. Early signs point to a vulnerability with CVE-2025-23121, though no formal proof-of-concept has been released publicly.

    The listing specifies that successful exploitation requires only any valid Active Directory account, significantly lowering the bar for threat actors who have gained domain credentials through phishing or other lateral-movement techniques.

    Payment is set at $7,000 in cryptocurrency, with interested buyers directed to private message the seller.

    While the absence of a publicly shared proof-of-concept limits independent verification, the potential impact on backup infrastructure is profound; compromised systems could be leveraged to exfiltrate, encrypt, or permanently destroy backups.

    ThreatMon analysts noted that enterprises running Veeam Backup & Replication in mixed Windows-Linux environments might be especially vulnerable due to differences in logging and patch-management workflows.

    Organizations delaying patches for test or compliance reasons could inadvertently extend their exposure window, increasing the risk of a successful breach.

    In response, security teams are advised to prioritize audit of Active Directory accounts with elevated privileges, verify patch levels on all Veeam servers, and monitor for anomalous service-account usage.

    Infection Mechanism

    The exploit appears to leverage improper input validation in Veeam’s REST API endpoint. An attacker authenticates with any AD account and submits a specially crafted JSON payload to the /api/sessions/startBackup endpoint, injecting shell commands directly into the backup session creation logic.

    A simplified proof-of-concept in PowerShell might resemble:-

    $uri = "https://veeam-server:4443/api/sessions/startBackup"
$payload = @{
    jobName = "WeeklyBackup";
    preScript = "powershell -Enc SQBuAG..."  # Base64-encoded malicious command
} | ConvertTo-Json
Invoke-RestMethod -Uri $uri -Method Post -Body $payload -Credential (Get-Credential) -UseBasicParsing

    This payload instructs the service to execute arbitrary PowerShell code under the context of the Veeam service account, granting the attacker elevated privileges and full control over backup jobs and repository contents.

    Continuous monitoring of API traffic and strict AD account hygiene are critical to detecting and disrupting this attack vector.

    Follow us on Google NewsLinkedIn, and X to Get More Instant UpdatesSet CSN as a Preferred Source in Google.

    The post Threat Actors Allegedly Listed Veeam RCE Exploit for Sale on Dark Web appeared first on Cyber Security News.

    ¶¶¶¶¶

    ¶¶¶¶¶

    ¶¶¶¶¶

    ¶¶¶¶¶

    ¶¶¶¶¶

  • New Chinese Nexus APT Group Targeting Organizations to Deploy NET-STAR Malware Suite

    ·

    , , ,

    China-linked advanced persistent threat (APT) group Phantom Taurus has intensified espionage operations against government and telecommunications targets across Africa, the Middle East, and Asia, deploying a newly discovered .NET malware suite called NET-STAR. First tracked by Unit 42 in June 2023 as cluster CL-STA-0043 and temporarily designated TGR-STA-0043 (Operation Diplomatic Specter) in May 2024, the […]

    The post New Chinese Nexus APT Group Targeting Organizations to Deploy NET-STAR Malware Suite appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

    ¶¶¶¶¶

    ¶¶¶¶¶

    ¶¶¶¶¶

    ¶¶¶¶¶

    ¶¶¶¶¶

  • Hackers Posing as Google Careers Recruiter to Steal Gmail Login Details

    ·

    , ,

    An emerging phishing campaign is targeting job seekers by masquerading as Google Careers recruiters, delivering seemingly legitimate emails that lead victims to malicious sites designed to harvest Gmail credentials. Security researchers have uncovered a sophisticated multi-stage attack that leverages Salesforce infrastructure, Cloudflare protection and WebSocket command-and-control to manipulate victims into surrendering sensitive information. The phishing […]

    The post Hackers Posing as Google Careers Recruiter to Steal Gmail Login Details appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

    ¶¶¶¶¶

    ¶¶¶¶¶

    ¶¶¶¶¶

    ¶¶¶¶¶

    ¶¶¶¶¶

  • Hackers Actively Scanning to Exploit Palo Alto Networks PAN-OS Global Protect Vulnerability

    ·

    , , ,

    Security researchers are observing a significant increase in internet-wide scans targeting the critical PAN-OS GlobalProtect vulnerability (CVE-2024-3400). 

    Exploit attempts have surged as attackers seek to leverage an arbitrary file creation flaw to achieve OS command injection and ultimately full root code execution on vulnerable firewalls.

    Exploitation of Critical PAN-OS SSL VPN Flaw (CVE-2024-3400)

    Since late September 2025, honeypots deployed globally have logged thousands of TCP connections probing PAN-OS SSL VPN portals. 

    SANS Technology Institute observed that one prominent source IP, 141.98.82.26, has repeatedly issued malicious POST requests to the /ssl-vpn/hipreport.esp endpoint, exploiting the lack of session ID validation. The attacker supplies a crafted Cookie header:

    Exploit Palo Alto Networks PAN-OS Global Protect Vulnerability

    If the upload succeeds, a follow-up GET request for /global-protect/portal/images/evil.txt will return HTTP/403, confirming file presence. 

    Attackers then pivot file placement to directories, allowing command execution. These automated scans reflect the high CVSS 10.0 severity and network-accessible, unauthenticated attack vector of CVE-2024-3400.

    Risk FactorsDetails
    Affected ProductsPAN-OS 10.2 versions before 10.2.9-h1, 11.0 versions before 11.0.4-h1, 11.1 versions before 11.1.2-h3  (with GlobalProtect gateway or portal enabled)
    ImpactArbitrary file creation leading to OS command injection and root code execution
    Exploit PrerequisitesNone (network-accessible, unauthenticated)
    CVSS 3.1 Score10. 0 (Critical)

    Mitigations

    Palo Alto Networks has released fixed PAN-OS versions—10.2.9-h1, 11.0.4-h1, 11.1.2-h3—and new hotfixes for affected branches. 

    An immediate upgrade is strongly advised to thwart ongoing exploitation. Administrators can also deploy Threat Prevention signatures 95187, 95189, and 95191 to block the initial arbitrary file creation interaction at the GlobalProtect interface.

    For detection, operators should grep GPSvc logs for anomalous session ID strings:

    Exploit Palo Alto Networks PAN-OS Global Protect Vulnerability

    Legitimate GUID patterns appear as hex-digit groups; any file-system path or shell snippet between sessions ( and ) indicates exploitation attempts. 

    A timeline of updates shows that enhanced factory reset (EFR) procedures and CLI commands for evidence collection were published between April and May 2024, underscoring the ongoing remediation efforts.

    Cloud NGFW and Prisma Access customers are not affected; only on-premises PAN-OS 10.2–11.1 devices with GlobalProtect gateway or portal enabled are at risk. 

    Organizations should verify configuration via the firewall GUI under Network > GlobalProtect > Gateways/Portals and audit for unauthorized files in /var/appweb/sslvpndocs.

    As threat actors continue to weaponize CVE-2024-3400, vigilant patch management, proactive log inspection, and robust Threat Prevention enforcement remain critical to defend against unauthorized root-level access.

    Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

    The post Hackers Actively Scanning to Exploit Palo Alto Networks PAN-OS Global Protect Vulnerability appeared first on Cyber Security News.

    ¶¶¶¶¶

    ¶¶¶¶¶

    ¶¶¶¶¶

    ¶¶¶¶¶

    ¶¶¶¶¶

  • Researchers Disclose Google Gemini AI Flaws Allowing Prompt Injection and Cloud Exploits

    ·

    Cybersecurity researchers have disclosed three now-patched security vulnerabilities impacting Google’s Gemini artificial intelligence (AI) assistant that, if successfully exploited, could have exposed users to major privacy risks and data theft. “They made Gemini vulnerable to search-injection attacks on its Search Personalization Model; log-to-prompt injection attacks against Gemini Cloud

    ¶¶¶¶¶

    ¶¶¶¶¶

    ¶¶¶¶¶

    ¶¶¶¶¶

    ¶¶¶¶¶

  • Linux 6.17 Released With Fix for use-after-free Vulnerabilities

    ·

    ,

    Linux Torvalds has announced the release of Linux Kernel 6.17, a new version focused on stability and incremental improvements rather than groundbreaking features. The update brings a host of bug fixes, security enhancements, and driver updates across various subsystems.

    In his release message, Torvalds described the final week of development as having “no huge surprises,” which he considers a positive indicator of a smooth release cycle.

    A notable fix for the Bluetooth subsystem is the most significant change in the last week. This patch addresses locking issues that could lead to race conditions and use-after-free (UAF) vulnerabilities, which are critical memory safety flaws.

    Linux 6.17 Security and Stability Fixes

    While the overall release was quiet, version 6.17 includes several important fixes that bolster the kernel’s security and reliability.

    • Bluetooth Vulnerabilities: Multiple patches were merged to resolve UAF bugs in the Bluetooth stack, including in the HCI (Host Controller Interface) and MGMT (Management) layers. These fixes prevent potential system crashes or security exploits related to device connections and advertising.
    • Virtualization and I/O: The vhost-net driver, essential for high-performance virtualized networking, received fixes to correct busy-polling behavior. Additionally, the iommufd subsystem, which provides userspace access to I/O Memory Management Units, was patched to fix race conditions during memory mapping.
    • Core Kernel: Fixes were applied to the futex (Fast Userspace Mutex) implementation to prevent a use-after-free condition during requeue operations, improving the robustness of a core synchronization mechanism.
    • Networking: The xfrm subsystem, which handles IPsec configurations, was updated to prevent the allocation of a zero-value Security Parameter Index (SPI) and to fix offloading for certain tunnels.

    As with any kernel release, version 6.17 incorporates a broad range of updates for hardware drivers and core subsystems. The shortlog reveals contributions affecting numerous components.

    • Graphics Drivers: Updates were made to the Direct Rendering Manager (DRM) drivers for AMD, Intel (Xe), and Panthor GPUs.
    • Networking: Various networking drivers saw improvements, including those for Mellanox, Intel (i40e), and Broadcom hardware. Multiple CAN (Controller Area Network) bus drivers were also updated to prevent potential buffer overflows.
    • Filesystems and Storage: The Btrfs filesystem received a fix for zoned devices, and the core block layer was improved to handle devices with zero sectors correctly.
    • Platform Support: Patches were added to improve support for various ARM-based SoCs from Rockchip, Marvell, and Allwinner, as well as for x86 platforms from Dell and LG.

    With this release finalized, the merge window for Linux 6.18 is now open. Torvalds noted that he has already received dozens of pull requests, indicating that the development community is already hard at work on the next version of the kernel.

    Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

    The post Linux 6.17 Released With Fix for use-after-free Vulnerabilities appeared first on Cyber Security News.

    ¶¶¶¶¶

    ¶¶¶¶¶

    ¶¶¶¶¶

    ¶¶¶¶¶

    ¶¶¶¶¶

  • Hackers Use Cellular Router API to Send Malicious SMS with Weaponized Links

    ·

    , ,

    The monitoring and analysis of vulnerability exploitations are among the primary responsibilities of Sekoia.io’s Threat Detection & Research (TDR) team. Using honeypots, the team monitors traffic targeting edge devices and internet-facing applications. On 22 July 2025, suspicious network traces appeared in our honeypots, reveals that a cellular router’s API was exploited to deliver smishing campaigns […]

    The post Hackers Use Cellular Router API to Send Malicious SMS with Weaponized Links appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

    ¶¶¶¶¶

    ¶¶¶¶¶

    ¶¶¶¶¶

    ¶¶¶¶¶

    ¶¶¶¶¶

  • Microsoft Expands Sentinel Into Agentic Security Platform With Unified Data Lake

    ·

    Microsoft on Tuesday unveiled the expansion of its Sentinel Security Incidents and Event Management solution (SIEM) as a unified agentic platform with the general availability of the Sentinel data lake. In addition, the tech giant said it’s also releasing a public preview of Sentinel Graph and Sentinel Model Context Protocol (MCP) server. “With graph-based context, semantic access, and agentic

    ¶¶¶¶¶

    ¶¶¶¶¶

    ¶¶¶¶¶

    ¶¶¶¶¶

    ¶¶¶¶¶