FileFix, HTA, and MotW Bypass—The Alarming Evolution of HTML-Based Attacks

Daily Security Review

Player FM - Internet Radio Done Right

הוסף לפני twenty-five שבועות

תוכן מסופק על ידי Daily Security Review. כל תוכן הפודקאסטים כולל פרקים, גרפיקה ותיאורי פודקאסטים מועלים ומסופקים ישירות על ידי Daily Security Review או שותף פלטפורמת הפודקאסט שלהם. אם אתה מאמין שמישהו משתמש ביצירה שלך המוגנת בזכויות יוצרים ללא רשותך, אתה יכול לעקוב אחר התהליך המתואר כאן https://he.player.fm/legal.

Squid Game: The Official Podcast

1
Keys and Knives - S3 Ep 1 26:28

לפני 4 weeks26:28

הפעל מאוחר יותר

רשימות

לייק

אהבתי

26:28

Squid Game is back—and this time, the knives are out. In the thrilling Season 3 premiere, Player 456 is spiraling and a brutal round of hide-and-seek forces players to kill or be killed. Hosts Phil Yu and Kiera Please break down Gi-hun’s descent into vengeance, Guard 011’s daring betrayal of the Game, and the shocking moment players are forced to choose between murdering their friends… or dying. Then, Carlos Juico and Gavin Ruta from the Jumpers Jump podcast join us to unpack their wild theories for the season. Plus, Phil and Kiera face off in a high-stakes round of “Hot Sweet Potato.” SPOILER ALERT! Make sure you watch Squid Game Season 3 Episode 1 before listening on. Play one last time. IG - @SquidGameNetflix X (f.k.a. Twitter) - @SquidGame Check out more from Phil Yu @angryasianman , Kiera Please @kieraplease and the Jumpers Jump podcast Listen to more from Netflix Podcasts . Squid Game: The Official Podcast is produced by Netflix and The Mash-Up Americans.…

לפני 26 ימים 46:04

MP3•בית הפרקים

A newly disclosed exploit dubbed FileFix is redefining how attackers bypass Microsoft Windows' built-in security protections—specifically the Mark-of-the-Web (MotW) mechanism. Developed and detailed by security researcher mr.d0x, this attack takes advantage of how browsers save HTML files and how Windows handles HTA (HTML Application) files. The result? Malicious scripts can execute without warning, bypassing the very safeguards designed to flag untrusted code.

In this episode, we break down how FileFix works, why it’s effective, and what makes it uniquely dangerous. Unlike many malware campaigns, FileFix doesn’t rely on zero-day exploits or complex payloads—instead, it exploits the weakest link in the chain: human behavior.

Key topics include:

Understanding FileFix Mechanics: How a simple rename from .html to .hta can convert a saved webpage into a launchpad for malicious code execution—without triggering MotW protections.
Social Engineering at the Core: FileFix depends on user interaction. By designing convincing phishing lures, attackers guide users to unknowingly bypass their own defenses—a modern twist on old tricks.
The Role of mshta.exe: This deprecated Windows binary remains powerful and dangerous. We examine how attackers use it to execute scripts and why defenders should consider disabling or removing it entirely.
MotW Bypass Techniques: Beyond FileFix, we dive into container-based bypasses (.iso, .img), and how utilities and encoding tricks (e.g., RLO, double extensions, invisible Unicode) help malware evade detection.
Masquerading and Human Blind Spots: From fake filenames like Invoice.pdf.exe to Unicode manipulation, attackers exploit user assumptions and default system behaviors to hide malware in plain sight.
Detection and Mitigation Strategies: We offer a practical set of defenses:
- Disable or restrict mshta.exe through AppLocker or WDAC
- Block or quarantine .html, .htm, and .hta email attachments
- Enable file extension visibility across endpoints
- Train users to recognize suspicious file behaviors and social engineering lures
- Implement behavioral detection—e.g., alert when mshta.exe spawns powershell.exe
Why FileFix Matters Now: With the rise of AI-generated content and increasingly polished phishing infrastructure, low-tech, high-impact attacks like FileFix are gaining new relevance. The simpler the technique, the broader its reach.

As Windows continues to harden its systems, attackers are shifting focus to user-driven execution paths. FileFix exemplifies this shift—blending psychological manipulation with deep technical understanding of system behaviors. For defenders, the challenge is clear: technical controls must be matched by human-aware defenses.

This is a must-listen for enterprise defenders, SOC analysts, and red teamers tracking the latest in Windows exploitation tactics. If your security strategy still assumes technical exploitation is the biggest threat, FileFix is your wake-up call.

237 פרקים

#Tech #News #Tech News #Daily Security Review

FileFix, HTA, and MotW Bypass—The Alarming Evolution of HTML-Based Attacks

Daily Security Review

published לפני 26 ימים

שתפו

MP3•בית הפרקים

Key topics include:

Understanding FileFix Mechanics: How a simple rename from .html to .hta can convert a saved webpage into a launchpad for malicious code execution—without triggering MotW protections.
Social Engineering at the Core: FileFix depends on user interaction. By designing convincing phishing lures, attackers guide users to unknowingly bypass their own defenses—a modern twist on old tricks.
The Role of mshta.exe: This deprecated Windows binary remains powerful and dangerous. We examine how attackers use it to execute scripts and why defenders should consider disabling or removing it entirely.
MotW Bypass Techniques: Beyond FileFix, we dive into container-based bypasses (.iso, .img), and how utilities and encoding tricks (e.g., RLO, double extensions, invisible Unicode) help malware evade detection.
Masquerading and Human Blind Spots: From fake filenames like Invoice.pdf.exe to Unicode manipulation, attackers exploit user assumptions and default system behaviors to hide malware in plain sight.
Detection and Mitigation Strategies: We offer a practical set of defenses:
- Disable or restrict mshta.exe through AppLocker or WDAC
- Block or quarantine .html, .htm, and .hta email attachments
- Enable file extension visibility across endpoints
- Train users to recognize suspicious file behaviors and social engineering lures
- Implement behavioral detection—e.g., alert when mshta.exe spawns powershell.exe
Why FileFix Matters Now: With the rise of AI-generated content and increasingly polished phishing infrastructure, low-tech, high-impact attacks like FileFix are gaining new relevance. The simpler the technique, the broader its reach.

237 פרקים

#Tech #News #Tech News #Daily Security Review

כל הפרקים

Daily Security Review

1
Koske Malware Hides in Panda Images, Weaponizes AI to Target Linux 44:03

לפני 3 ימים44:03

44:03

A new and highly sophisticated malware strain named Koske is redefining the threat landscape for Linux environments. Suspected to be partially developed using artificial intelligence, Koske introduces novel and highly evasive techniques, blending image files, rootkits, and adaptive cryptomining logic to create a stealthy and persistent backdoor into systems worldwide. What sets Koske apart is its ingenious use of polyglot files—specifically, JPEG images of panda bears that look harmless to the user but contain embedded shell scripts and C code. These files not only display a cute picture but simultaneously execute malicious commands to deploy CPU- and GPU-optimized cryptominers targeting 18 different cryptocurrencies. When one mining pool goes offline, Koske switches dynamically to another, demonstrating AI-assisted adaptability. But the deception doesn't stop there. Koske uses stealth rootkits to hide its files, processes, and even its own presence from system monitoring tools. It establishes persistence through cron jobs, modifications to .bashrc and .bash_logout, and even creates custom systemd services. Its connectivity module is capable of proxy discovery and failover, giving it resilience in varied network conditions—a hallmark of AI-generated logic. Security researchers have flagged verbose, modular code structures, well-commented logic, and defensive programming patterns as signs that large language models (LLMs) played a role in writing Koske. This points to a disturbing new frontier: the rise of AI-generated malware that can learn, adapt, and hide better than anything seen before. With 70% of web servers running on Linux, and many enterprises relying on misconfigured or poorly secured systems, the danger posed by malware like Koske is immense. Traditional antivirus tools fall short, especially against polyglot-based file delivery, making runtime protection, network anomaly detection, and strict access controls more essential than ever. In this episode, we break down how Koske operates, what makes it so hard to detect, and why it represents a paradigm shift in malware evolution. We also cover defensive strategies, including Linux-specific hardening, container protection, AI-powered defense tools, and why user awareness is still one of the most powerful safeguards. This isn’t just a story about malware. It’s a case study in the cyber arms race between AI-powered offense and AI-powered defense—and why the stakes have never been higher. #KoskeMalware #LinuxSecurity #AIThreats #PolyglotFiles #CryptominingMalware #Rootkits #Cybersecurity #PandaJPEGAttack #ShellScriptMalware #GPUCryptoMiner #AIinCybercrime #CyberThreats #LLMGeneratedCode #StealthMalware #LinuxCryptojacking #AdaptiveMalware #CyberHygiene #ContainerSecurity #AIvsAI #MalwareEvasion #InfosecPodcast #APT #CyberDefense #PersistentMalware #DynamicMalware…

Daily Security Review

1
Operation Checkmate: BlackSuit Ransomware’s Dark Web Sites Seized 39:19

לפני 3 ימים39:19

39:19

BlackSuit, the ransomware strain known for crippling critical sectors and demanding multi-million dollar payouts, has just suffered a devastating blow. In a coordinated international law enforcement operation codenamed "Operation Checkmate," authorities—including the U.S. Department of Justice, Homeland Security Investigations, FBI, Europol, the UK’s NCA, Dutch and German police, and more—have seized BlackSuit’s dark web extortion platforms. These takedowns included the gang’s negotiation and data leak sites, effectively severing their means to pressure and extort victims. BlackSuit is no small player. A direct descendant of Royal ransomware, and before that Quantum and Conti, this group has orchestrated attacks against hundreds of organizations worldwide, demanding ransoms ranging from $1 million to $60 million, with total demands exceeding $500 million USD. Their tactics—ranging from phishing, RDP exploitation, to malware-assisted lateral movement and data exfiltration—showcase a sophisticated playbook powered by open-source tools like Chisel, RClone, Gootloader, Cobalt Strike, and even SystemBC. Known for double extortion, BlackSuit steals data before encrypting it, then threatens to release sensitive information on the dark web. Victims across sectors like education, healthcare, manufacturing, and construction have been affected, with the United States as the primary target. “Operation Checkmate” goes beyond disruption: a decryptor tool has now been released to help victims recover encrypted files. This move mirrors past successes against ransomware groups like HIVE and LockBit, reflecting a growing trend of international cybercrime enforcement unity. But while the infrastructure has been seized, experts warn that BlackSuit’s members—many with ties to Conti and Royal—may resurface under a new alias. The takedown is a critical win, but not the end of the game. This episode explores the technical depths of BlackSuit’s operations, their evolution from Conti-linked origins, and what this takedown means for the broader ransomware threat landscape. We also examine key defense strategies, including multi-factor authentication, network segmentation, secure logging, and real-time monitoring, to defend against future attacks. #BlackSuitRansomware #OperationCheckmate #RoyalRansomware #RansomwareTakedown #Cybercrime #DoubleExtortion #DecryptorReleased #DarkWebSeizure #FBI #CISA #HomelandSecurity #Europol #NCA #ContiRansomware #DataExfiltration #Cybersecurity #CyberThreat #BigGameHunting #RDPExploit #MalwarePersistence #Infosec #PhishingAttacks #DecryptorTool #StopRansomware…

Daily Security Review

1
Coyote Malware Exploits Microsoft UI Automation in First-Ever Wild Attack 34:14

לפני 3 ימים34:14

34:14

A new banking trojan called Coyote has emerged as a groundbreaking cyber threat, becoming the first known malware in the wild to exploit Microsoft’s User Interface Automation (UIA) framework—an accessibility tool originally designed to help users interact with Windows interfaces. But in the hands of attackers, UIA becomes a weapon of stealth and precision. Primarily targeting Brazilian banking and crypto users, Coyote uses sophisticated techniques to extract credentials from over 60 financial institutions by reading UI elements in active windows and phishing through subtle interface manipulation. Leveraging tools like GetForegroundWindow() and UIAutomation COM objects, Coyote identifies sensitive browser elements such as tabs and address bars—without ever requiring prior knowledge of the application’s structure. What makes this threat even more dangerous is its stealth. Traditional endpoint detection and response (EDR) tools struggle to detect UIA-based intrusions, allowing Coyote to operate quietly in the background—whether online or offline. Beyond keylogging and phishing, it can take screenshots, kill processes, mimic system updates, and even freeze entire systems. Even more alarming is the technical novelty: Coyote's final payload is written in Nim, a lesser-known programming language that helps it avoid signature-based detection. This Trojan spreads using the Squirrel installer, masquerading as a legitimate updater to gain initial access. Researchers warn this technique could be the beginning of a wave of UIA-based attacks, which will be much harder to detect and stop. Detection strategies now include monitoring the loading of UIAutomationCore.dll, and inspecting named pipes like UIA_PIPE_* to catch inter-process communication anomalies. In this episode, we also explore Cryptika’s role as a leading cybersecurity provider in the Middle East. From penetration testing and DFIR to GRC consulting and threat hunting, Cryptika is equipping organizations with the tools to detect and prevent threats like Coyote before they cause damage. Coyote is a harbinger of a future where even accessibility features can be turned against us—highlighting the urgent need for proactive monitoring, multi-layered defenses, and vigilant detection of abused system components. #CoyoteMalware #MicrosoftUIAutomation #UIAExploit #BankingTrojan #CredentialTheft #WindowsAccessibilityAbuse #NimMalware #CyberThreat #BrazilianTrojan #CryptocurrencySecurity #Cybersecurity #EDREvasion #NamedPipes #UIAutomationCore #InfoStealer #C2Infrastructure #BankingMalware #Phishing #CommandAndControl #AdvancedThreats #Cryptika #CyberDefense #ThreatDetection #DFIR #GRC #RedTeaming #InfosecPodcast…

Daily Security Review

1
No Fix Coming: Remote Code Execution Flaw in 1,300 LG Security Cameras 31:12

לפני 3 ימים31:12

31:12

A newly disclosed critical vulnerability, CVE-2025-7742, is putting hundreds of LG Innotek LNV5110R security cameras at risk around the world—including within critical infrastructure. This high-severity authentication bypass flaw allows remote attackers to gain full administrative control without credentials, giving them access to live camera feeds, the ability to disable or disrupt device functionality, and the opportunity to pivot deeper into internal networks. The most alarming detail? LG Innotek has confirmed it will not release a patch, as the affected camera model has officially reached its end-of-life (EOL) status. Security researcher Souvik Kandar uncovered the vulnerability, which is now being highlighted by major security bodies like CISA. With over 1,300 internet-exposed devices still active, the risk of exploitation is very real—and immediate. This episode unpacks the technical details of the vulnerability, the wider dangers of unpatched EOL devices, and the pressing need for network segmentation, Zero Trust access controls, and proactive EOL management policies. We examine how remote code execution (RCE) enables threat actors to escalate privileges, maintain persistence, and launch further attacks—all starting with an unpatched IoT device. From the failure to patch, to poor lifecycle management, to the broader lessons in infrastructure security, this is more than just a flaw in one device—it’s a case study in how old tech becomes a new threat. #CVE20257742 #LGInnotek #SecurityCameras #RemoteCodeExecution #RCE #CriticalInfrastructure #IoTSecurity #Cybersecurity #UnpatchedDevices #EndOfLife #NetworkSegmentation #ZeroTrust #VulnerabilityDisclosure #CISAwarning #PivotAttack #ReverseShell #AdminAccess #CyberThreats #Infosec #ThreatHunting…

Daily Security Review

1
ToolShell Exploited: China-Linked Hackers Breach NNSA and U.S. Government Networks 1:14:36

לפני 4 ימים1:14:36

1:14:36

In one of the most concerning state-sponsored cyber incidents of the year, Chinese hackers exploited zero-day vulnerabilities in Microsoft SharePoint to breach the networks of the National Nuclear Security Administration (NNSA)—the U.S. agency responsible for managing the nation's nuclear arsenal. The attackers, part of a suspected Chinese state-sponsored group, used a sophisticated chain of vulnerabilities dubbed ToolShell, targeting not only the NNSA but also other high-profile U.S. and global entities, including the National Institutes of Health (NIH). While the U.S. Department of Energy reports no classified data was compromised, cybersecurity experts are sounding the alarm. The campaign, active since at least July 7, 2025, has compromised hundreds of servers and affected more than 148 organizations worldwide, making it one of the broadest cyber-espionage campaigns in recent history. This episode unpacks: How Chinese state-sponsored actors exploited SharePoint vulnerabilities CVE-2025-53770 and CVE-2025-49706 to deploy malware and maintain persistence The TTPs (Tactics, Techniques, and Procedures) these actors used, including web shells, lateral movement, credential harvesting, and even disabling Microsoft Defender protections Why the NNSA’s use of cloud-based infrastructure and rapid detection minimized the breach’s impact The growing sophistication of China’s cyber espionage campaigns, from economic and political spying to targeting critical U.S. defense infrastructure The broader implications for international cybersecurity, attribution, and the increasingly blurred lines between cybercrime and cyberwarfare We also explore the cybersecurity gaps that persist across the U.S. public sector, the urgency of "security by design," and the need for immediate patching, endpoint protection, and coordinated threat intelligence sharing. As geopolitical tensions rise and cyberspace becomes the newest front in international conflict, this incident offers a chilling reminder: even the most sensitive government systems are not immune from sophisticated, well-funded nation-state actors. #NNSA #CyberEspionage #ChineseHackers #SharePointZeroDay #ToolShell #MicrosoftVulnerability #CVE202553770 #StateSponsoredHacking #USNationalSecurity #CriticalInfrastructure #ZeroDayExploit #CyberAttack #DOE #Storm2603 #WebShell #Cybersecurity #InfoSec #CloudSecurity #TTPs #GovernmentCyberDefense #CyberWarfare #MicrosoftDefender #PersistentAccess #NuclearSecurity #APT #ChinaCyberOps #CyberThreats #NationalSecurity #CISA #CyberStrategicPlan #CyberResilience…

Daily Security Review

1
Massive NPM Breach: Malicious Packages Spread via Compromised Maintainer Accounts 41:44

לפני 4 ימים41:44

41:44

In this episode, we expose the alarming supply chain attack that compromised millions of JavaScript projects across the globe. This sophisticated breach targeted the NPM ecosystem, infecting widely-used packages like eslint-config-prettier and is, through a coordinated phishing campaign and the exploitation of non-expiring legacy access tokens. Attackers began by impersonating the official npm registry with a typosquatted domain (npnjs[.]com), stealing credentials from developers via fake login prompts. Once inside, they bypassed GitHub commit histories and published rogue versions of key packages directly to the registry, effectively weaponizing trusted developer pipelines. The real payload? Scavenger malware—a stealthy, cross-platform info-stealer designed to harvest sensitive data from Chromium-based browsers. It ran entirely in JavaScript or injected malicious DLLs, evading detection with anti-VM and antivirus checks, and even capable of disabling browser security alerts. We break down: The timeline and tactics of the attack Why NPM’s legacy access tokens became the attackers’ golden ticket The vulnerabilities in Chromium’s local security model that allowed malware like Scavenger to thrive How human error and overlooked MFA practices amplified the threat Lessons on securing software supply chains and managing third-party risks With over 180 million weekly downloads potentially affected, this breach wasn’t just a security failure—it was a wake-up call for the entire developer community. We also explore the assigned CVE-2025-54313, and what this means for NPM and open source governance going forward. You'll hear what security professionals, maintainers, and platforms must do now to prevent another incident of this scale—from granular access token enforcement to phishing-resistant MFA and proactive malware scanning. This is more than a breach—it’s a blueprint for future attacks if safeguards don’t evolve. #NPM #ScavengerMalware #SupplyChainAttack #CVE202554313 #JavaScriptSecurity #OpenSourceSecurity #eslint #Prettier #InfoStealer #LegacyTokens #TokenSecurity #Chromium #Typosquatting #SoftwareSupplyChain #Cybersecurity #Phishing #2FA #Nodejs #Malware #DeveloperSecurity #DevSecOps #npmEcosystem #MaliciousPackages #CrossPlatformMalware #CredentialTheft…

Daily Security Review

1
Clorox Sues Cognizant Over $356M Cyberattack: Who's Really to Blame? 44:38

לפני 4 ימים44:38

44:38

In one of the most dramatic cybersecurity legal battles of the past year, Clorox has filed a lawsuit against IT services giant Cognizant, accusing the company of gross negligence that allegedly enabled a catastrophic 2023 cyberattack. The breach wreaked havoc on Clorox's operations—causing widespread product shortages, a multibillion-dollar hit to its market cap, and an estimated $356 million in damages. At the center of the controversy? A series of alleged failures by Cognizant's help desk staff, who Clorox claims repeatedly reset passwords and multi-factor authentication (MFA) credentials without verifying identities. Hackers, believed to be part of the Scattered Spider group, reportedly exploited these lapses to gain system access via social engineering—highlighting a growing trend of attacks bypassing technical safeguards by targeting human weaknesses. But Cognizant is pushing back hard, arguing that its role was limited to narrow help desk services and that Clorox's own cybersecurity defenses were inadequate. The dispute raises urgent questions about third-party risk, contractual clarity, and the fine line between support roles and security responsibilities in IT outsourcing relationships. This episode dives deep into: The timeline and tactics behind the Clorox breach What the lawsuit reveals about gaps in MFA implementation and help desk protocols The contractual gray areas now under legal scrutiny Why even companies hailed for cybersecurity investments—Clorox spent over $500 million on IT upgrades—can fall victim to poor vendor oversight Lessons for organizations on drafting better IT service contracts, vetting MSPs, and strengthening protections against social engineering attacks We also examine how this case underscores the broader industry shift: Organizations may outsource IT functions, but they can never outsource accountability. Whether you’re in legal, IT, procurement, or the C-suite, this is a must-listen episode on how a help desk misstep became a case study in enterprise risk, and what every company can learn from it. #Clorox #Cognizant #Cybersecurity #CyberAttack #DataBreach #Lawsuit #MFA #SocialEngineering #ITContracts #ThirdPartyRisk #ScatteredSpider #CyberLiability #OutsourcedIT #HelpDeskBreach #InfoSec #SupplyChainDisruption #CISO #TechLaw #DigitalRisk #EnterpriseSecurity #SecurityAwareness #BusinessContinuity #DataProtection #SecurityCompliance #CyberInsurance…

Daily Security Review

1
HeroDevs Secures $125M to Extend Life of Critical Open Source Software 35:36

לפני 4 ימים35:36

35:36

In this episode, we dive deep into HeroDevs' recent $125 million strategic growth investment, a move that signals a major expansion in the fight against the vulnerabilities of end-of-life (EOL) open source software. Based in Salt Lake City, HeroDevs has carved out a critical niche—providing "Never-Ending Support" (NES) to ensure security, compliance, and functionality for deprecated OSS widely used across enterprise systems. With this latest round, HeroDevs has raised a total of $133 million, and they’re putting it to strategic use. The funding will enhance their NES offerings, reinforce proactive defense against AI-driven vulnerabilities, and expand compatibility across more frameworks like Drupal 7, Bootstrap, jQuery, and even CentOS. Perhaps most significantly, $20 million of the raise is earmarked for their Open Source Sustainability Fund, a powerful initiative supporting creators and maintainers of OSS projects that follow best practices when entering end-of-life. HeroDevs already supports over 900 organizations, including nearly a third of the Fortune 100. Their NES model allows companies to avoid the costly burden of migrating away from deprecated tools while maintaining security and regulatory compliance with standards like HIPAA, PCI-DSS, and FedRAMP. As the adoption of AI accelerates and increases security surface area, the need for long-term, secure OSS support becomes more urgent. We explore how HeroDevs plans to meet that demand, the risks of unmanaged EOL software, and how their NES services are already mitigating threats before they’re disclosed publicly. This is not just about patching old code. It’s about sustaining the backbone of modern digital infrastructure, supporting the developers who maintain it, and giving companies a viable path forward in a rapidly evolving threat landscape. #HeroDevs #OpenSourceSecurity #NeverEndingSupport #OSS #EndOfLifeSoftware #CyberSecurity #Compliance #VulnerabilityManagement #SustainabilityFund #AIThreats #CentOS #Drupal7 #Bootstrap #jQuery #OpenSourceFunding #SoftwareMaintenance #DevSecOps #EnterpriseSecurity #LegacySoftware #AaronFrost #PSGInvestments…

Daily Security Review

1
UK Moves to Ban Ransomware Payments for Public Sector and Critical Infrastructure 48:22

לפני 5 ימים48:22

48:22

In a landmark move to disrupt the financial engine powering ransomware attacks, the United Kingdom is pushing forward with legislation that would ban ransom payments across the public sector and critical national infrastructure (CNI). This sweeping proposal covers everything from local councils and schools to healthcare providers like the NHS, aiming to make essential public services less attractive to cybercriminals. The government is also introducing a mandatory ransomware incident reporting regime , requiring organizations to notify authorities within 72 hours of a suspected attack and submit a detailed report within 28 days. For private sector businesses, a new Ransomware Payment Prevention Regime would require prior government notification before any ransom can be paid — a measure designed to ensure sanctions compliance and transparency. While ransomware groups increasingly target vulnerable and underfunded public services, the UK’s targeted ban seeks to remove the core incentive: money. The plan enjoys overwhelming support from the public sector and critical infrastructure organizations, though debate continues over exemptions for essential services and how to support victims during live incidents. This episode breaks down what these legislative proposals mean, how they fit into the larger fight against ransomware, and why the timing couldn’t be more urgent. With ransomware attacks surging to record levels — fueled by leaked credentials, infostealers, and ransomware-as-a-service — the UK aims to shift the risk-reward calculus for threat actors. We’ll also explore how attackers are adapting post-macro disablement, turning to container payloads and social engineering to gain access, and how nation-state groups from Russia, China, Iran, and North Korea are blending financial and political motives in their cyber operations. As ransomware groups continue to evolve, the UK is trying to stay one step ahead — not just by catching criminals, but by cutting off their funding altogether. #RansomwareBan #UKCyberSecurity #NHS #CriticalInfrastructure #NoMoreRansoms #RansomwareReporting #Infostealers #CNI #CyberCrime #UKGov #CyberLegislation #RansomwareEconomics #MandatoryReporting #CyberResilience #MFA #ZeroTrust #CredentialTheft #PublicSectorSecurity #SecureWorks #RansomwareAsAService #Clop #LaceTempest #StateSponsoredCyber #CyberPolicy…

Daily Security Review

1
New SysAid Vulnerabilities Added to CISA’s KEV List: XXE Flaws Could Enable RCE 26:10

לפני 5 ימים26:10

26:10

Two newly added vulnerabilities in SysAid’s On-Prem IT support software — CVE-2025-2775 and CVE-2025-2776 — have officially joined the Cybersecurity and Infrastructure Security Agency (CISA)’s Known Exploited Vulnerabilities (KEV) catalog, signaling increased concern around their potential abuse. While there are no confirmed reports of public exploitation or ransomware involvement to date, history suggests that SysAid products remain a viable target for threat actors. These flaws, discovered by watchTowr Labs in late 2024 and patched in early 2025, are XML External Entity (XXE) injection vulnerabilities that allow attackers to extract sensitive files and administrator credentials from vulnerable servers. When chained with a separate post-authentication command injection bug (CVE-2024-36394), they can lead to full remote code execution (RCE) as SYSTEM — an extremely dangerous scenario that effectively gives attackers unrestricted access to compromised servers. Though no active ransomware campaigns have yet exploited these specific flaws, CISA’s KEV designation highlights the need for urgent remediation — particularly given that SysAid products have been targeted before. In 2023, the Cl0p ransomware gang exploited a separate zero-day (CVE-2023-47246), using it to deploy malware across enterprise networks. That precedent, combined with the stealthy nature of XXE and RCE attacks, underscores why organizations must treat these vulnerabilities as critical. This episode explores how the vulnerabilities work, what makes them exploitable in real-world attack chains, and why CISA’s inclusion in the KEV catalog should be taken seriously — especially under Binding Operational Directive 22-01, which mandates federal agencies to patch affected systems by strict deadlines. We also dive into broader threat trends from CrowdStrike’s 2025 Global Threat Report: how attackers are increasingly going malware-free, leveraging AI, and moving at unprecedented speeds. With 79% of breaches no longer relying on malware and a 442% rise in vishing attacks, defenders must prepare for identity-based intrusions and rapidly evolving social engineering. We wrap with actionable guidance: patch to SysAid version 24.4.60 or higher, conduct compromise assessments, disable external XML entity parsing, and strengthen access controls and monitoring to reduce lateral movement risk. Even if these vulnerabilities haven’t yet been publicly exploited, waiting for proof-of-exploit is no longer an option in today’s threat landscape. #SysAid #CVE20252775 #CVE20252776 #CISAKEV #XXEVulnerability #RemoteCodeExecution #RCE #KEVCatalog #WatchTowrLabs #CISAWarning #Cybersecurity #PatchNow #CommandInjection #Infosec #ITSupportSecurity #Cl0pRansomware #SysAidSecurity #XMLInjection #CrowdStrike2025 #CyberThreats #BindingDirective #IdentitySecurity #AdminTakeover #ThreatIntelligence…

Daily Security Review

1
Lumma Stealer Returns: Malware-as-a-Service Resurges After Global Takedown 44:16

לפני 5 ימים44:16

44:16

In this episode, we unpack the rapid and concerning resurgence of Lumma Stealer , a sophisticated Malware-as-a-Service (MaaS) platform, just months after a major international takedown. Despite Microsoft, the FBI, Europol, and global partners dismantling over 2,500 malicious domains and seizing critical infrastructure in May 2025, Lumma Stealer has come roaring back. The cybercriminal group behind the malware — tracked as Water Kurita by Trend Micro and Storm-2477 by Microsoft — adapted quickly, hardening their operations and adopting stealthier tactics to evade future disruptions. We delve into how Lumma’s developers responded by shifting away from public cybercrime forums and deploying infrastructure across Russian data centers like Selectel. Their latest strategies include abusing cloud services, fake software websites, and social media platforms like YouTube and Facebook to spread the infostealer — often disguised as cracked tools, Photoshop downloads, or game cheats. Even GitHub is being weaponized with AI-generated lures targeting unsuspecting users. Lumma Stealer’s capabilities are dangerous and comprehensive: it steals credentials, financial data, crypto wallets, and even hijacks session cookies — effectively bypassing multi-factor authentication (MFA). Its code can run directly in memory, avoiding detection by traditional antivirus. The consequences are real — the malware has already been tied to breaches of Jaguar Land Rover and customer data leaks from Royal Mail. This episode also highlights the larger trend of information stealers enabling modern cybercrime. With generative AI accelerating phishing, malware coding, and even infrastructure building, the bar to entry for cybercriminals has never been lower. We explore actionable defense strategies including DNS filtering, browser hardening, dark web monitoring, and the critical role of behavioral endpoint detection. Listeners will also learn how companies can adjust security policies, implement segmentation, and improve staff awareness to defend against this evolving threat landscape. Lumma’s comeback isn’t just a case study in cyber resilience — it’s a wake-up call. Cybercrime doesn’t disappear when servers go offline. It morphs, rebuilds, and strikes again — smarter, faster, and harder to detect. #LummaStealer #MalwareAsAService #MaaS #InformationStealer #MicrosoftDCU #WaterKurita #Storm2477 #Cybercrime #FakeSoftware #Phishing #SessionHijacking #MFABypass #AIInCybercrime #DarkWeb #CredentialTheft #Infostealer #GitHubAbuse #CyberThreats #RansomwareEcosystem #BYODSecurity #DNSFiltering #CyberSecurity #TrendMicro #TakedownFail #PersistenceOfMalware…

Daily Security Review

1
Cisco ISE Critical Flaws Now Actively Exploited: No Workarounds, Just Root Access 37:32

לפני 5 ימים37:32

37:32

Hackers are actively exploiting a trio of critical zero-day vulnerabilities in Cisco’s Identity Services Engine (ISE) and Passive Identity Connector (ISE-PIC), prompting urgent patching directives from the company. The flaws — CVE-2025-20281, CVE-2025-20282, and CVE-2025-20337 — each carry a maximum CVSS severity score of 10.0, indicating the highest possible risk. These vulnerabilities allow remote, unauthenticated attackers to execute arbitrary code with root-level access, completely compromising the underlying system. Cisco has confirmed active exploitation attempts as of July 2025, making this not a theoretical threat but a real and present danger to enterprise networks. Each vulnerability is distinct and does not require chaining, yet all enable full system compromise. CVE-2025-20281 and CVE-2025-20337 exploit poor input validation on exposed APIs, while CVE-2025-20282 takes advantage of insecure file handling to write malicious files into privileged directories. None of these attacks require credentials or user interaction, making exploitation trivial for attackers once systems are exposed to the internet or internal threat actors. Cisco has urgently advised customers running ISE or ISE-PIC version 3.3 to upgrade to Patch 7, and version 3.4 to Patch 2. Importantly, earlier hot patches released by Cisco do not address CVE-2025-20337, leading to a patching gap for many organizations. There are no workarounds available — the only protection is to patch immediately. This episode breaks down how the vulnerabilities work, what makes them so dangerous, and why attackers are targeting Cisco’s identity infrastructure right now. We also cover who discovered these bugs, Cisco's delayed but critical patch guidance, and how privilege escalation to root on Linux opens the door for complete system takeover. If your network uses Cisco ISE or ISE-PIC, this episode could be the difference between resilience and root-level compromise. #CiscoISE #ZeroDay #CVE202520281 #CVE202520282 #CVE202520337 #PrivilegeEscalation #RemoteCodeExecution #RootAccess #CVSS10 #PatchNow #CyberSecurity #Cisco #ISEPIC #ThreatIntel #ExploitInTheWild #VulnerabilityManagement #LinuxSecurity #NetworkSecurity #RCE #ZeroDayExploit #CiscoPatch #TrendMicroZDI…

Daily Security Review

1
ToolShell: SharePoint Zero-Day Chain Gives Hackers Full Remote Access 58:23

לפני 6 ימים58:23

58:23

A new wave of zero-day attacks—collectively known as ToolShell—is actively targeting Microsoft SharePoint servers, with two vulnerabilities (CVE-2025-53770 and CVE-2025-53771) allowing unauthenticated remote code execution and identity control bypass. First observed in high-value targets across government, critical infrastructure, and manufacturing sectors, the ToolShell exploit chain has since expanded into opportunistic attacks, with early attribution pointing to China-linked threat actors. The attack chain begins by exploiting a deserialization flaw and a spoofing/path traversal bug to gain unauthenticated access to SharePoint’s ToolPane functionality. Once inside, attackers deploy stealthy ASPX webshells like xxx.aspx and spinstall0.aspx to exfiltrate cryptographic secrets—including ASP.NET MachineKey values—without triggering alerts. In more advanced cases, attackers avoid persistent shell artifacts altogether, using in-memory modules for fileless exploitation and credential theft. This episode dives into the full lifecycle of the ToolShell attacks: How attackers rapidly evolved their tactics after initial Microsoft patches were released Why SharePoint 2016 users remain at elevated risk due to the absence of a patch Evidence of AMSI evasion, SSO and MFA bypasses, and credential harvesting across victim networks Best practices for mitigation: patching, enabling AMSI "Full Mode", deploying antivirus with EDR, and rotating cryptographic keys Why machine key rotation is essential even post-patching to revoke compromised credentials and prevent persistent access We’ll also discuss the role of SharePoint's layout endpoints, how logging POST requests to /_layouts/15/ToolPane.aspx can reveal exploitation attempts, and why incident response planning and forensic readiness are now non-negotiable for organizations running on-prem SharePoint. The ToolShell campaign is a sobering example of how quickly adversaries can pivot in response to public disclosures—and why organizations must treat patching as a race against weaponization. If your infrastructure still relies on SharePoint Server, this is a must-listen breakdown of one of the most sophisticated exploit chains of 2025. #ToolShell #SharePointZeroDay #CVE202553770 #CVE202553771 #MicrosoftSharePoint #RemoteCodeExecution #ZeroDayExploit #Webshell #MachineKey #CryptographicTheft #AMSI #PatchNow #AdvancedPersistentThreat #Cyberattack #Infosec #ChinaAPT #EDR #SSOBreach #MFABypass #EnterpriseSecurity #ThreatIntel #OnPremSecurity #CyberThreats…

Daily Security Review

1
CVE-2025-54309: CrushFTP Zero-Day Exploited in Global Admin Access Attacks 22:13

לפני 6 ימים22:13

22:13

A critical zero-day vulnerability in CrushFTP (CVE-2025-54309) is being actively exploited, giving attackers administrative access to over a thousand unpatched servers globally. This severe security flaw—caused by improper validation in the AS2 protocol—has exposed enterprise-managed file transfer (MFT) systems across the US, Europe, and Canada. Security experts are sounding the alarm, and organizations relying on CrushFTP are urged to patch immediately. Discovered in mid-July 2025, the bug has been traced to reverse-engineering of recent CrushFTP patches. The vulnerability grants unauthenticated attackers complete control via exposed web interfaces, making it a high-value exploit for data theft, surveillance, and potential ransomware staging. While patched versions (10.8.5 and 11.3.4_23 or later) and properly configured DMZ instances are immune, over 1,000 servers remain vulnerable, according to Shadowserver. This is not CrushFTP’s first brush with exploitation. A similar zero-day (CVE-2024-4040) was weaponized in April 2024 by espionage-linked actors. A separate authentication bypass (CVE-2025-31161) was publicly exploited just two months ago. The rapid cadence of these exploits underscores the high-stakes environment surrounding MFT tools, which are increasingly targeted by ransomware gangs like Clop and advanced persistent threat (APT) groups. This episode dives deep into: The technical root of CVE-2025-54309 and how attackers exploit AS2 mishandling Indicators of compromise, including rogue admin accounts and fake version numbers How CrushFTP users can mitigate risk through patching, DMZ deployment, and backup restoration Why MFT tools have become a goldmine for threat actors—and how to defend them Best practices: zero trust policies, IP whitelisting, SFTP isolation, and automated encryption The CrushFTP zero-day is a case study in how unmanaged MFT exposure can lead to catastrophic administrative compromise. If you’re in IT, DevOps, or cybersecurity, this episode is a must-listen to understand the evolving risks in file transfer infrastructure and how to respond effectively before attackers strike. #CrushFTP #CVE202554309 #ZeroDay #MFTSecurity #ManagedFileTransfer #DataBreach #Cyberattack #AS2Protocol #PatchNow #FileTransferVulnerability #Shadowserver #Infosec #AdminTakeover #Exploit #Cybersecurity #ITSecurity #ClopGang #DataTheft #SFTP #DMZ #EnterpriseSecurity #CyberThreats #ZeroTrust #CVEAlert #CrushFTPExploit…

Daily Security Review

1
Dell Breach by World Leaks: Extortion Attempt Hits Demo Platform 23:49

לפני 6 ימים23:49

23:49

Dell Technologies is the latest target in a growing trend of data extortion attacks as threat actors pivot away from traditional ransomware. The cybercrime group known as World Leaks—a rebrand of the former Hunters International gang—has claimed responsibility for breaching Dell’s Customer Solution Centers (CSC), a sandbox environment used primarily for product demonstrations and proofs of concept. Although World Leaks claims to have exfiltrated 1.3 TB of data, Dell has confirmed that the vast majority of it consists of synthetic, publicly available, or demonstration data, with the only legitimate information being an outdated internal contact list. Despite limited direct risk to customers, this breach underscores a dangerous and evolving trend in cybercrime: data extortion without encryption. In this episode, we analyze how World Leaks has shifted away from ransomware’s traditional encrypt-and-demand model in favor of stealthy data theft paired with psychological extortion tactics. The group has built out a data brokerage platform with open-source intelligence (OSINT) capabilities designed to contact, harass, and pressure victims across channels, making non-production systems like Dell’s CSC a prime target for leverage rather than disruption. We break down how synthetic data helps mitigate some risks, but also explore why “safe” environments aren’t really safe anymore—and why developers, security teams, and enterprise leaders must now treat demonstration and development platforms as attack surfaces. As the industry sees rising costs in cybersecurity investments and cyber insurance, organizations must now prepare for extortion scenarios with no encryption, no downtime—but serious reputational stakes. Join us for a deep dive into: The anatomy of the Dell breach The rise of extortion-as-a-service Best practices for securing non-production environments How organizations should update incident response plans to account for silent breaches Why consumer trust is on the line, even in “low-risk” attacks This breach may not be catastrophic in data terms—but its implications are loud and clear: data is the new weapon, and extortion is its delivery mechanism. #DellBreach #WorldLeaks #CyberExtortion #DataLeak #Cybersecurity #RansomwareEvolved #NonProductionSecurity #SyntheticData #CustomerSolutionCenters #Infosec #CyberAttack #HuntersInternational #DataBreach #DevOpsSecurity #SandboxBreach #DataPrivacy #NetworkSegmentation #ExtortionAsAService #CorporateCyberRisk #TechNews…

ברוכים הבאים אל Player FM!

Player FM סורק את האינטרנט עבור פודקאסטים באיכות גבוהה בשבילכם כדי שתהנו מהם כרגע. זה יישום הפודקאסט הטוב ביותר והוא עובד על אנדרואיד, iPhone ואינטרנט. הירשמו לסנכרון מנויים במכשירים שונים.

תקשיבו ל-500+ נושאים

דומה לDaily Security Review

Bounty Quick Size Paper Towels, White, 8 Family Rolls = 20 Regular Rolls (Packaging May Vary)

Amazon eGift Card - Bright Balloons (Animated)

Zevo Flying Insect Trap & Cartridge - Plug in Fly Trap & Indoor Bug Catcher for Gnats, House & Fruit Flies - Mess-Free - Use in Any Room - Uses Blue & UV Light (1 Plug in Device & 1 Cartridge)

פודקאסטים ששווה להאזין

Daily Security Review « » FileFix, HTA, and MotW Bypass—The Alarming Evolution of HTML-Based Attacks

FileFix, HTA, and MotW Bypass—The Alarming Evolution of HTML-Based Attacks

פודקאסטים ששווה להאזין

ברוכים הבאים אל Player FM!

The Let Them Theory: A Life-Changing Tool That Millions of People Can't Stop Talking About

The Let Them Theory: A Life-Changing Tool That Millions of People Can't Stop Talking About

Dr. Elsey's Ultra UnScented Clumping Clay Cat Litter 40 lb. Bag

Crayola Broad Line Markers (12 Count), Washable Markers for Kids, Assorted, Back to School Essentials, Teacher Classrooms Must Have, School Supplies, 3+

The Let Them Theory: A Life-Changing Tool That Millions of People Can't Stop Talking About

דומה לDaily Security Review

מדריך עזר מהיר

Daily Security Review « »
FileFix, HTA, and MotW Bypass—The Alarming Evolution of HTML-Based Attacks