-
Generative AI platforms like ChatGPT, Gemini, Copilot, and Claude are increasingly common in organizations. While these solutions improve efficiency across tasks, they also present new data leak prevention challenges. Sensitive information may be shared through chat prompts, files uploaded for AI-driven summarization, or browser plugins that bypass familiar security controls.
-
Security researchers have uncovered significant vulnerabilities in code generated by Large Language Models (LLMs), demonstrating how “vibe coding” with AI assistants can introduce critical security flaws into production applications.
A new study reveals that LLM-generated code often prioritizes functionality over security, creating attack vectors that can be exploited with simple curl commands.
Key Takeaways
1. LLM-generated code inherits insecure patterns, trading security for functionality.
2. Exposed endpoints enable easy exploits via simple curl commands.
3. Human oversight (threat modeling, reviews, and scans) is essential.
Insecure Training Data
Himanshu Anand reports that the fundamental issue stems from LLMs being trained on internet-scraped data, where most code examples are designed to demonstrate functionality rather than security best practices.
When developers rely heavily on AI-generated code without proper security review, these insecure patterns proliferate into production systems at scale.
Research shows that LLMs do not understand business risk and lack the contextual awareness needed for proper threat modeling.
The training data inherently contains vulnerable code patterns from online tutorials, Stack Overflow answers, and documentation examples that prioritize quick implementation over secure design.
A particularly concerning case involved a JavaScript application hosted on Railway[.]com, where the entire email API infrastructure was exposed client-side. The vulnerable code included:
Proof-of-concept Attack
The research includes a proof-of-concept attack showing how exposed client-side APIs can be exploited:
This simple command demonstrates three critical attack vectors:
- Email spam campaigns targeting arbitrary addresses
- Customer impersonation using convincing organizational messaging
- Internal system abuse through spoofed trusted sender addresses
The vulnerability allows attackers to bypass the intended web interface entirely, sending unlimited requests directly to backend services without authentication or rate limiting.
The research emphasizes that while LLMs serve as powerful coding assistants, they require human oversight for security considerations.
Organizations must implement proper threat modeling, security reviews, and defense-in-depth strategies rather than shipping AI-generated code directly to production.
Security teams should focus on establishing secure coding guidelines, implementing automated security scanning for LLM-generated code, and maintaining human expertise in the security review process to prevent these vulnerabilities from being systematically introduced.
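The missing controls named above (authentication, rate limiting, a sender the client cannot choose) can be enforced in the server-side handler. The following sketch is an added example, not code from the research or the affected application; the template set, field names, limits and the verified-address rule are all assumptions.

```python
import re
import time
from collections import defaultdict, deque

# Every name here is hypothetical; the article does not show the application's code.
FIXED_SENDER = "no-reply@example.test"  # set server-side, never taken from the client
TEMPLATES = {"welcome": ("Welcome", "Thanks for signing up.")}
_EMAIL_RE = re.compile(r"^[^@\s,;<>]+@[^@\s,;<>]+\.[^@\s,;<>]+$")


class SendLimiter:
    """Sliding-window send counter keyed by authenticated account."""

    def __init__(self, max_sends=3, window=3600):
        self.max_sends, self.window = max_sends, window
        self._sent = defaultdict(deque)

    def allow(self, account, now):
        sent = self._sent[account]
        while sent and now - sent[0] >= self.window:
            sent.popleft()  # forget sends that left the window
        if len(sent) >= self.max_sends:
            return False
        sent.append(now)
        return True


def handle_send(body, session, limiter, now=None):
    """Decide what the mail endpoint does with one POST.

    body    -- parsed JSON from the client (untrusted)
    session -- server-side session record, or None when no valid session exists
    Returns (http_status, outgoing_message_or_error_text).
    """
    now = time.time() if now is None else now
    if not session or not session.get("account"):
        return 401, "authentication required"
    # The client picks a server-defined template and a recipient, nothing else.
    # Free-form sender, subject or body is what enables spoofing and impersonation.
    unexpected = set(body) - {"template", "to"}
    if unexpected:
        return 400, "unexpected fields: " + ", ".join(sorted(unexpected))
    if body.get("template") not in TEMPLATES:
        return 400, "unknown template"
    to = body.get("to", "")
    if not isinstance(to, str) or not _EMAIL_RE.match(to):
        return 400, "invalid recipient"
    # Assumed rule: mail only goes to addresses this account has verified.
    if to.lower() not in session.get("verified_addresses", ()):
        return 403, "recipient not allowed"
    if not limiter.allow(session["account"], now):
        return 429, "rate limit exceeded"
    subject, text = TEMPLATES[body["template"]]
    return 202, {"from": FIXED_SENDER, "to": to, "subject": subject, "text": text}
```

Because every check runs on the server, a request sent directly to the endpoint is held to the same rules as one made through the web interface.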
The post New Research With PoC Explains Security Nightmares On Coding Using LLMs appeared first on Cyber Security News.
-
In a concerning development for enterprise security, cybercriminals have begun exploiting Microsoft Teams—long trusted as an internal messaging and collaboration tool—to deliver PowerShell-based malware and gain unauthorized remote access to Windows systems. By impersonating IT support personnel and leveraging social engineering, these threat actors bypass traditional email filters and network defenses, striking directly at deep-seated […]
The post Microsoft Teams Abused in Cyberattack Delivering PowerShell-Based Remote Access Malware appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
-
Click Studios, the developer of enterprise-focused password management solution Passwordstate, said it has released security updates to address an authentication bypass vulnerability in its software. The issue, which is yet to be assigned a CVE identifier, has been addressed in Passwordstate 9.9 (Build 9972), released August 28, 2025. The Australian company said it fixed a “potential
-
The Sangoma FreePBX Security Team has issued an advisory warning about an actively exploited FreePBX zero-day vulnerability that impacts systems with an administrator control panel (ACP) exposed to the public internet. FreePBX is an open-source private branch exchange (PBX) platform widely used by businesses, call centers, and service providers to manage voice communications. It’s built on top
-
In a significant data breach disclosed by TransUnion LLC, more than 4.4 million consumers had sensitive personal information compromised in late July 2025. The credit reporting agency, headquartered at 555 W. Adams Street in Chicago, Illinois, revealed the incident on August 26, following its discovery on July 30. TransUnion’s Senior Privacy Counsel, Sanjana Palla, reported […]
The post TransUnion Data Breach Compromises Over 4 Million Customers appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
-
Adversary-in-the-Middle (AiTM) attacks are among the most sophisticated and dangerous phishing techniques in the modern cybersecurity landscape.
Unlike traditional phishing attacks that merely collect static credentials, AiTM attacks actively intercept and manipulate communications between users and legitimate services in real-time, enabling attackers to bypass multi-factor authentication (MFA) and evade endpoint detection and response (EDR) systems.
These attacks have surged in popularity as organizations increasingly adopt MFA protections, with Microsoft reporting that AiTM phishing campaigns have targeted over 10,000 organizations globally.
The emergence of phishing-as-a-service (PhaaS) platforms like Tycoon 2FA and Evilginx2 has industrialized these attacks, lowering the technical barrier for cybercriminals and making sophisticated AiTM capabilities accessible through subscription models starting at just $120.

[Figure: AiTM Attack Flow Process]
Introduction to AiTM Attacks
Adversary-in-the-Middle attacks fundamentally differ from traditional man-in-the-middle (MitM) attacks through their active manipulation and sophisticated orchestration of authentication processes.
While traditional MitM attacks often focus on passive eavesdropping, AiTM attacks involve attackers positioning themselves as active intermediaries between victims and legitimate services, using reverse proxy servers to create seamless, real-time communication channels.
The technical foundation of AiTM attacks relies on reverse proxy architecture, where attackers deploy servers that act as intermediaries between victims and legitimate authentication portals.
This approach allows attackers to present users with authentic-looking login pages that are actually legitimate pages served through the malicious proxy, making detection extremely difficult.
Modern AiTM toolkits leverage sophisticated technologies, including WebSocket connections for real-time bidirectional communication, automated SSL certificate generation through services like Let’s Encrypt, and advanced cloaking mechanisms using tokenized URLs to evade detection.
When a victim attempts to access a service like Microsoft 365 or Gmail, the AiTM proxy intercepts the request, forwards it to the legitimate service, captures the response, and relays it back to the victim while simultaneously harvesting all authentication data in transit.
The most prominent open-source AiTM frameworks include Evilginx2, Muraena, and Modlishka, each offering unique capabilities for credential harvesting and session hijacking.
These tools have evolved to include features such as multi-domain hosting, custom branding integration, and advanced evasion techniques that make them particularly effective against modern security measures.

[Figure: AiTM Attack Architecture]
The Role of MFA in Modern Security
Multi-factor authentication has become the cornerstone of modern cybersecurity strategies, with Microsoft blocking over 7,000 password attacks per second, representing a 75% year-over-year increase.
MFA implementations typically require users to provide something they know (password), something they have (mobile device or hardware token), or something they are (biometric data).
Traditional MFA methods include SMS codes, push notifications, authenticator apps generating time-based one-time passwords (TOTP), and hardware security keys.
| MFA Method | Authentication Factor | Adoption Rate | AiTM Vulnerability | Traditional Security Level | Common Bypass Methods |
| --- | --- | --- | --- | --- | --- |
| SMS Codes (SMS OTP) | Something you have | High (60%+) | High – Easily intercepted | Low | SIM swapping, SS7 attacks |
| Push Notifications | Something you have | High (50%+) | High – Tokens stolen post-auth | Medium-High | Push fatigue, device compromise |
| Authenticator Apps (TOTP) | Something you have | Medium (35%+) | High – Codes relayed in real-time | High | Device compromise, phishing |
| Hardware Security Keys (FIDO2) | Something you have | Low (15%+) | Medium – Session tokens still stolen | Very High | Session token theft (AiTM only) |
| Voice Calls | Something you have | Medium (25%+) | High – Codes intercepted | Low | Voice phishing, call forwarding |
| Email OTP | Something you have | Medium (30%+) | High – Easily intercepted | Low-Medium | Email compromise, phishing |
| Biometric Authentication | Something you are | Growing (20%+) | Medium – Session tokens stolen | Very High | Session token theft |
| Certificate-based Authentication | Something you have | Low (10%+) | Medium – Certificates bypassed | Very High | Session token theft, cert theft |

The security model of MFA relies on the assumption that compromising multiple authentication factors simultaneously is significantly more difficult than bypassing a single password.
However, this assumption breaks down in the face of AiTM attacks, which don’t need to compromise individual factors but instead exploit the trust relationship established after successful authentication.
When users complete the MFA challenge through an AiTM proxy, they unknowingly provide attackers with both their credentials and the session tokens issued by the legitimate service.
How AiTM Attack Bypasses MFA and EDR
The MFA bypass mechanism in AiTM attacks operates through session token theft rather than authentication factor compromise. When victims interact with an AiTM phishing page, they complete the entire authentication process, including MFA challenges, but all communications pass through the attacker’s proxy server.
The proxy forwards the user’s credentials and MFA responses to the legitimate service, which then issues session cookies and authentication tokens back through the proxy.
The attacker captures these tokens while allowing the authentication to complete successfully, creating a scenario where the victim believes they’ve securely logged in while the attacker has gained persistent access to their account.
Session tokens, particularly Primary Refresh Tokens (PRTs) in Microsoft environments, can provide extended access lasting 30 days or more if kept active.
These tokens contain cryptographic proof of successful authentication and can be replayed by attackers to access accounts without triggering additional MFA challenges.
The sophistication of modern AiTM kits like Tycoon 2FA includes features for session token management, automatic token refresh, and persistence mechanisms that allow attackers to maintain access even after password changes.
EDR evasion in AiTM attacks occurs through several mechanisms that exploit fundamental limitations in endpoint monitoring. Traditional EDR solutions focus on detecting malicious processes, file modifications, and network connections originating from the endpoint itself.
However, AiTM attacks primarily occur server-side, where the malicious proxy operates independently of the victim’s endpoint. The victim’s device only interacts with what appears to be legitimate web traffic to authentic domains, making the malicious activity invisible to endpoint-based detection systems.
Advanced AiTM campaigns employ sophisticated evasion techniques, including code obfuscation using Base64 encoding, dynamic code generation that alters signatures with each execution, and anti-debugging mechanisms designed to frustrate automated analysis.
These techniques specifically target the static and behavioral analysis capabilities of EDR systems. Additionally, attackers abuse legitimate services like CodeSandbox, Glitch, and Notion as redirect mechanisms, leveraging the trust these domains have with security systems to bypass URL filtering and reputation-based blocking.
The use of living-off-the-land techniques further complicates EDR detection, as AiTM attacks often rely on standard web protocols and legitimate authentication flows.
Attackers may also implement EDR communication blocking techniques, using tools like Windows Filtering Platform (WFP) to prevent EDR agents from communicating with their cloud infrastructure, effectively blinding the security solution to ongoing malicious activities.
Indicators of AiTM Attacks
Authentication log analysis reveals several key indicators of AiTM activity, with impossible travel being among the most reliable signals. When attackers use stolen session tokens, they often authenticate from geographic locations that would be impossible for the legitimate user to reach within the observed timeframe.
Microsoft’s delayed logging can complicate this analysis, as some authentication events may take up to 20 hours to appear in audit logs, making real-time detection challenging.
Multiple rapid sign-ins from different locations within short timeframes, particularly when accompanied by successful MFA completion, often indicate session token replay attacks.
| Category | Indicator | Description | MITRE ATT&CK |
| --- | --- | --- | --- |
| Authentication Logs | Impossible Travel | User authentication from geographically impossible locations within short timeframes | T1078.004 |
| Authentication Logs | Multiple Rapid Sign-ins | Multiple successful authentications from different locations in rapid succession | T1078.004 |
| Authentication Logs | Session Token Anomalies | Authentication without password entry or MFA prompts in logs | T1078.004 |
| Network Indicators | Unknown IP Addresses | Sign-ins from previously unseen IP addresses or suspicious ASNs | T1557 |
| Network Indicators | Suspicious Domains | Connections to domains mimicking legitimate services or suspicious TLDs | T1557 |
| User Behavior | Mailbox Rule Creation | Creation of inbox rules to hide or redirect emails, especially with random names | T1564.008 |
| User Behavior | Email Forwarding Rules | New forwarding rules redirecting emails to external addresses | T1114.003 |
| Email Indicators | Phishing Email Patterns | Emails from trusted senders with suspicious links or urgent language | T1566.002 |
| Email Indicators | Legitimate Service Abuse | Abuse of legitimate services like CodeSandbox, Glitch, or Notion for redirection | T1566.002 |
| Technical Artifacts | Reverse Proxy Artifacts | WebSocket connections, specific HTTP headers, or proxy-related network signatures | T1557 |

The evolution of AiTM attacks from simple credential harvesting to sophisticated, service-oriented attack platforms represents a fundamental shift in the threat landscape that requires equally sophisticated defense strategies.
Organizations must recognize that traditional perimeter defenses and even MFA are insufficient against these advanced persistent threats, necessitating comprehensive security architectures that include behavioral analytics, session token protection, and continuous authentication mechanisms to counter this growing menace effectively.
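The impossible-travel and rapid multi-location sign-in indicators described above can be computed directly from sign-in records. This is an added example, not taken from the article or any vendor tooling; the record fields, the 900 km/h threshold and the sample events are constructed assumptions. Events are ordered by their own timestamp rather than arrival order, since audit records can show up late.

```python
import math
from datetime import datetime, timezone

MAX_KMH = 900.0  # assumed threshold, roughly airliner cruise speed

# Constructed sign-in events (illustrative field names, not a vendor schema),
# deliberately out of order as late-arriving audit records would be.
EVENTS = [
    {"user": "alice", "ts": "2025-08-28T09:40:00Z", "ip": "203.0.113.50",
     "lat": 1.35, "lon": 103.82, "session": "s-1"},
    {"user": "alice", "ts": "2025-08-28T09:00:00Z", "ip": "198.51.100.7",
     "lat": 52.37, "lon": 4.90, "session": "s-1"},
    {"user": "bob", "ts": "2025-08-28T08:00:00Z", "ip": "198.51.100.9",
     "lat": 48.86, "lon": 2.35, "session": "s-2"},
    {"user": "bob", "ts": "2025-08-28T12:00:00Z", "ip": "192.0.2.44",
     "lat": 51.51, "lon": -0.13, "session": "s-3"},
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat, dlon = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def find_anomalies(events, max_kmh=MAX_KMH):
    """Compare each sign-in with the same user's previous one, in event-time order."""
    findings, last_by_user = [], {}
    for ev in sorted(events, key=lambda e: (e["user"], parse_ts(e["ts"]))):
        prev = last_by_user.get(ev["user"])
        last_by_user[ev["user"]] = ev
        if prev is None or prev["ip"] == ev["ip"]:
            continue
        hours = (parse_ts(ev["ts"]) - parse_ts(prev["ts"])).total_seconds() / 3600
        km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
        speed = km / hours if hours > 0 else math.inf
        reasons = []
        # Ignore short hops: IP geolocation is too coarse to judge them.
        if km > 50 and speed > max_kmh:
            reasons.append("impossible_travel")
        # The same session identifier appearing from a new address is consistent
        # with token replay; roaming clients also cause it, so treat as a lead.
        if prev["session"] == ev["session"]:
            reasons.append("session_reuse_new_ip")
        if reasons:
            findings.append({"user": ev["user"], "from_ip": prev["ip"],
                             "to_ip": ev["ip"], "km": round(km), "reasons": reasons})
    return findings
```

On the constructed data only alice is flagged; bob's two sign-ins four hours apart stay well below the speed threshold and use different sessions.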
The post How Adversary-In-The-Middle (AiTM) Attack Bypasses MFA and EDR? appeared first on Cyber Security News.
-
Authorities from the Netherlands and the United States have announced the dismantling of an illicit marketplace called VerifTools that peddled fraudulent identity documents to cybercriminals across the world. To that end, two marketplace domains (verif[.]tools and veriftools[.]net) and one blog have been taken down, redirecting site visitors to a splash page stating the action was undertaken by
-
A high-severity Server-Side Request Forgery (SSRF) vulnerability has been identified in the widely used PhpSpreadsheet library, potentially allowing attackers to exploit internal network resources and compromise server security.
The vulnerability, tracked as CVE-2025-54370, affects multiple versions of the phpoffice/phpspreadsheet package and carries a CVSS v4.0 score of 8.7.
Key Takeaways
1. SSRF in PhpSpreadsheet’s Worksheet\Drawing::setPath via malicious HTML image tags.
2. Affects < 1.30.0, 2.0.0–2.1.11, 2.2.0–2.3.x, 3.0.0–3.9.x, 4.x < 5.0.0
3. Update immediately and validate inputs.
High-Severity SSRF Vulnerability
The vulnerability resides in the setPath method of the PhpOffice\PhpSpreadsheet\Worksheet\Drawing class, where malicious HTML input can trigger unauthorized server-side requests.
Security researcher Aleksey Solovev from Positive Technologies discovered this zero-day flaw while analyzing version 3.8.0 of the library.
The exploitation occurs when attackers craft malicious HTML documents containing image tags with src attributes pointing to internal network resources.
When the PhpSpreadsheet HTML reader processes these documents, the library inadvertently makes requests to the specified URLs, potentially exposing sensitive internal services.
Proof-of-concept code demonstrates the attack vector:
The malicious HTML file contains:
| Risk Factors | Details |
| --- | --- |
| Affected Products | Versions < 1.30.0; 2.0.0–2.1.11; 2.2.0–2.3.x; 3.0.0–3.9.x; 4.x < 5.0.0 |
| Impact | High confidentiality impact via SSRF |
| Exploit Prerequisites | Untrusted HTML input passed to the HTML reader |
| CVSS 3.1 Score | 7.5 (High) |

Affected Versions and Security Patches
The vulnerability impacts multiple version ranges across the PhpSpreadsheet ecosystem:
- Legacy versions: All versions prior to 1.30.0
- Version 2.x series: 2.0.0 through 2.1.11 and 2.2.0 through 2.3.x
- Version 3.x series: 3.0.0 through 3.9.x
- Version 4.x series: All 4.x versions prior to 5.0.0
Patched versions include 1.30.0, 2.1.12, 2.4.0, 3.10.0, and 5.0.0. Organizations using affected versions should prioritize immediate updates to prevent potential exploitation.
The vulnerability classification follows CWE-918: Server-Side Request Forgery, with attack vectors requiring no authentication or user interaction (AV:N/AC:L/PR:N/UI:N).
This enables remote attackers to exploit the flaw through network-accessible applications processing user-supplied HTML content.
Additional security concerns include potential phar deserialization attacks through the file_exists method of the vulnerable code, creating multiple attack surfaces within the same component.
Organizations utilizing PhpSpreadsheet for HTML document processing should implement input validation and network segmentation as additional protective measures while deploying the security updates.
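One form the input validation can take is to inspect untrusted HTML for image sources before it is handed to the HTML reader. The sketch below is an added example, not PhpSpreadsheet code or the vendor's patch; it is written as a standalone pre-processing check, and the policy of accepting only inline base64 images, along with the sample document, is an assumption.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed policy for this sketch: only inline base64 images are accepted.
ALLOWED_DATA_PREFIXES = (
    "data:image/png;base64,",
    "data:image/jpeg;base64,",
    "data:image/gif;base64,",
)

# Constructed sample document for the check below.
SAMPLE = """<table><tr><td>Q3 report</td>
<td><img src="data:image/png;base64,iVBORw0KGgo="></td>
<td><img src="http://10.0.0.5/status.png"></td>
<td><IMG SRC="phar:///tmp/upload.bin/a.png"></td>
<td><img src="../../etc/logo.png"></td></tr></table>"""


class _ImgCollector(HTMLParser):
    """Collects the src attribute of every <img>, case-insensitively."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.sources.extend(v or "" for k, v in attrs if k == "src")


def classify_src(src):
    """Return None when src is acceptable, otherwise a short reason string."""
    value = src.strip()
    if value.lower().startswith(ALLOWED_DATA_PREFIXES):
        return None
    try:
        parts = urlsplit(value)
        host = parts.hostname or ""
    except ValueError:
        return "unparseable-url"
    if not parts.scheme and not value.startswith("//"):
        return "local-path"  # would be resolved against the server's filesystem
    try:
        ip = ipaddress.ip_address(host)
        if ip.is_private or ip.is_loopback or ip.is_link_local:
            return "internal-address"
    except ValueError:
        pass  # host is a name or absent, not an IP literal
    if host.lower() == "localhost":
        return "internal-address"
    # Any remaining scheme is a remote fetch or a stream wrapper such as phar.
    return "remote-or-wrapper:" + (parts.scheme or "protocol-relative")


def unsafe_image_sources(html_text):
    """List (src, reason) for every image source that violates the policy."""
    collector = _ImgCollector()
    collector.feed(html_text)
    collector.close()
    return [(s, r) for s in collector.sources if (r := classify_src(s))]
```

A document with any finding should be rejected rather than repaired; a hostname that resolves to an internal address is not caught by the literal-IP test, which is why network segmentation and the patched release are still needed.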
The post PhpSpreadsheet Library Vulnerability Enables Attackers to Feed Malicious HTML Input appeared first on Cyber Security News.
-
Nagios XI, a widely-deployed network monitoring solution, has addressed a critical cross-site scripting (XSS) vulnerability in its Graph Explorer feature that could enable remote attackers to execute malicious JavaScript code within users’ browsers.
The security flaw was patched in version 2024R2.1, released on August 12, 2025, following responsible disclosure by security researcher Marius Lihet.
Key Takeaways
1. Critical XSS in Nagios XI Graph Explorer allows remote JS execution.
2. Can enable session hijack, data theft, or config tampering.
3. Upgrade and enforce WAF XSS protections.
The vulnerability specifically affects certain parameters within the Graph Explorer component, a key feature used by administrators to visualize network performance metrics and historical data trends.
XSS vulnerabilities of this nature typically occur when user-supplied input is not properly sanitized before being rendered in web pages, allowing malicious scripts to be injected and executed in the context of legitimate users’ sessions.
Cross-Site Scripting (XSS) Vulnerability
Cross-site scripting attacks through the Graph Explorer feature could potentially allow threat actors to perform session hijacking, steal authentication cookies, or execute unauthorized administrative actions within the Nagios XI interface.
Attackers could craft malicious URLs containing JavaScript payloads that, when accessed by authenticated users, would execute within their browser context with the privileges of their Nagios session.
The vulnerability’s exploitation requires social engineering tactics to trick legitimate users into clicking specially crafted links or visiting compromised pages that trigger the XSS payload.
Once executed, the malicious JavaScript could access sensitive monitoring data, modify system configurations, or serve as a pivot point for further lateral movement within the network infrastructure.
Beyond addressing the XSS vulnerability, the 2024R2.1 release introduces several significant security and functionality improvements.
The update includes enhanced Nagios Mod-Gearman integration (GL:XI#1242), which provides distributed monitoring capabilities and improved scalability for large enterprise environments.
Critical fixes address authentication and dashboard management issues, including resolving problems with null dashboard entries for users without home dashboards (GL:XI#1975) and improving the SSO user import functionality when handling large user directories (GL:XI#1966).
The release also implements updated logrotate configuration logic (GL:XI#333) to ensure proper log management across system upgrades.
Network administrators should immediately update to version 2024R2.1 to mitigate the XSS vulnerability and benefit from enhanced security controls.
Organizations should also review their Nagios XI access logs for any suspicious Graph Explorer activity and implement additional web application firewall (WAF) rules to detect and block potential XSS attempts targeting monitoring infrastructure.
The post Nagios XSS Vulnerability Let Remote Attackers to Execute Arbitrary JavaScript appeared first on Cyber Security News.


