Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Zero Day. Show all posts
Zero Day
CVE exploits LNKs Microsoft Vulnerabilities and Exploits Windows Zero Day

Microsoft Quietly Changes Windows Shortcut Handling After Dangerous Zero-day Abuse

 



Microsoft has changed how Windows displays information inside shortcut files after researchers confirmed that multiple hacking groups were exploiting a long-standing weakness in Windows Shell Link (.lnk) files to spread malware in real attacks.

The vulnerability, CVE-2025-9491, pertains to how Windows accesses and displays the "Target" field of a shortcut file. The attackers found that they could fill the Target field with big sets of blank spaces, followed by malicious commands. When a user looks at a file's properties, Windows only displays the first part of that field. The malicious command remains hidden behind whitespace, making the shortcut seem innocuous.

These types of shortcuts are usually distributed inside ZIP folders or other similar archives, since many email services block .lnk files outright. The attack relies on persuasion: Victims must willingly open the shortcut for the malware to gain an entry point on the system. When opened, the hidden command can install additional tools or create persistence.


Active Exploitation by Multiple Threat Groups

Trend Micro researchers documented in early 2025 that this trick was already being used broadly. Several state-backed groups and financially motivated actors had adopted the method to deliver a range of malware families, from remote access trojans to banking trojans. Later, Arctic Wolf Labs also observed attempts to use the same technique against diplomats in parts of Europe, where attackers used the disguised shortcut files to drop remote access malware.

The campaigns followed a familiar pattern. Victims received a compressed folder containing what looked like a legitimate document or utility. Inside sat a shortcut that looked ordinary but actually executed a concealed command once it was opened.


Microsoft introduces a quiet mitigation

Although Microsoft first said the bug did not meet the criteria for out-of-band servicing because it required user interaction, the company nonetheless issued a silent fix via standard Windows patching. With the patches in place, Windows now displays the full Target field in a shortcut's properties window instead of truncating the display after about 260 characters.

This adjustment does not automatically remove malicious arguments inside a shortcut, nor does it pop up with a special warning when an unusually long command is present. It merely provides full visibility to users, which may make suspicious content more easily identifiable for the more cautious users.

When questioned about the reason for the change, Microsoft repeated its long-held guidance: users shouldn't open files from unknown sources and should pay attention to its built-in security warnings.


Independent patch offers stricter safeguards

Because Microsoft's update is more a matter of visibility than enforcement, ACROS Security has issued an unofficial micropatch via its 0patch service. The update its team released limits the length of Target fields and pops up a warning before allowing a potentially suspicious shortcut to open. This more strict treatment, according to the group, would block the vast majority of malicious shortcuts seen in the wild.

This unofficial patch is now available to 0patch customers using various versions of Windows, including editions that are no longer officially supported.


How users can protect themselves

Users and organizations can minimize the risk by refraining from taking shortcuts coming from unfamiliar sources, especially those that are wrapped inside compressed folders. Security teams are encouraged to ensure Windows systems are fully updated, apply endpoint protection tools, and treat unsolicited attachments with care. Training users to inspect file properties and avoid launching unexpected shortcut files is also a top priority.

However, as the exploitation of CVE-2025-9491 continues to manifest in targeted attacks, the updated Windows behavior, user awareness, and security controls are layered together for the best defense for now. 

Read more »
Zero Day
Cyber Security EDR elastic PoC Software Zero Day

Elastic Denies Serious Security Flaw in Its Defend Software

 



Elastic, the company known for its enterprise search and security products, has pushed back against recent claims of a serious vulnerability in its Defend endpoint detection and response (EDR) tool.

The controversy began after a small cybersecurity group, AshES Cybersecurity, published a blog post on August 16. In their write-up, they said they had discovered a “zero-day” bug, a term used to describe flaws that are unknown to the software maker and therefore left unpatched. According to AshES, the issue was a remote code execution (RCE) vulnerability in Elastic Defend’s kernel driver called elastic-endpoint-driver.sys. They suggested that an attacker could exploit this flaw to avoid being monitored by the EDR system, run malicious code, and even maintain long-term access to a computer.

To support their claims, the researcher from AshES described using a custom-built driver in a controlled test to trigger the flaw. However, the group did not provide Elastic with a full proof-of-concept (PoC) — the technical demonstration usually required to verify a security bug.

Elastic quickly responded with a detailed statement. Its internal Security Engineering team said they carried out a “thorough investigation” but were unable to find any evidence that the vulnerability exists. They also noted that AshES had sent in multiple reports but that none contained sufficient detail to recreate the alleged exploit. Elastic stressed that without reproducible proof, such claims cannot be confirmed.

The company also pointed out that AshES declined to share the PoC directly with Elastic or its bug bounty team. Instead, the researchers chose to publish their findings publicly, which runs counter to the practice of coordinated disclosure: a process where researchers privately alert a company first, allowing time to investigate and fix issues before public release.

Elastic reaffirmed that it takes all security reports seriously and highlighted its long-standing bug bounty program, which has been in place since 2017. Through this program, the company has paid more than $600,000 to independent researchers who responsibly report real, verifiable vulnerabilities.

At this stage, the alleged zero-day flaw remains unconfirmed, and Elastic maintains that no evidence supports the existence of the supposed bug.


Read more »
Zero Day
Amnesty International Android Google Qualcomm Vulnerabilities and Exploits Zero Day

Millions of Android Devices at Risk, New Chip Bug Exploited in Targeted Attacks

 



Overview of the Exploit

Hackers recently leveraged a serious security weakness, said to be a "zero-day," that exists within the Qualcomm chipsets used in many popular Android devices. Qualcomm confirmed that at the time they were first exploited by hackers, they were unaware of the bug, which was tracked under CVE-2024-43047. This flaw actually existed in real-world cyberattacks where it could have impacted millions of Android users globally.

Vulnerability Details

This zero-day flaw was uncovered in 64 different Qualcomm chipsets, including the highly sought-after flagship Snapdragon 8 (Gen 1), a chipset used by many Android devices from reputable brands such as Motorola, Samsung, OnePlus, Oppo, Xiaomi, and ZTE. In their advisory, Qualcomm states that attackers have been able to exploit the flaw, but the company does not elaborate on who the attackers are or what their motive might be or who they specifically targeted. In light of both Google's Threat Analysis Group (TAG) and the Amnesty International Security Lab investigating the incidents, Qualcomm believes these instances constitute "limited, targeted exploitation," rather than widespread attacks.

Response to Attack

The vulnerability was apparently noticed by the CISA US, who have listed it on their known exploited vulnerabilities list. Qualcomm has issued appreciation to Google Project Zero and Amnesty International's Security Lab for coordinated disclosure of this vulnerability. Through such coordination, Qualcomm has been able to develop its fixes starting from September 2024 that it has since issued to customers, which includes Android device manufacturers operating its own chipsets.

Patch Distribution and User Security

So far, patch development is the task of Android device manufacturers. As Qualcomm has publicly released the fix, users need to ensure that their devices are up to date with respect to security patches from their device manufacturer.

Investigation Continues

The broader investigation into the hack is still going on with Google and Amnesty International digging deeper into the details of the targeted attack. Google TAG didn't have anything further to say, but an Amnesty spokesperson confirmed that it would soon publish more research findings on this vulnerability.

The necessity for security research and collaboration from technology entities and organisations to prevent new threats from happening is highlighted in this case. Android users of devices that use Qualcomm should thus remain vigilant and roll out whichever system updates for now.


Read more »
Zero Day
Browser Data Google Chrome Vulnerability and Exploits Zero Day

Google Issues Emergency Update for New Chrome Vulnerability

 



Google has announced an urgent security update for its Chrome browser to fix a newly discovered vulnerability that is actively being exploited. This recent flaw, identified as CVE-2024-5274, is the eighth zero-day vulnerability that Google has patched in Chrome this year.

Details of the Vulnerability

The CVE-2024-5274 vulnerability, classified as high severity, involves a 'type confusion' error in Chrome's V8 JavaScript engine. This type of error occurs when the software mistakenly treats a piece of data as a different type than it is, potentially leading to crashes, data corruption, or allowing attackers to execute arbitrary code. The vulnerability was discovered by Google security researcher Clément Lecigne.

Google has acknowledged that the flaw is being exploited in the wild, which means that malicious actors are already using it to target users. To protect against further attacks, Google has not yet disclosed detailed technical information about the flaw.

To address the issue, Google has released a fix that is being rolled out via the Chrome Stable channel. Users on Windows and Mac will receive the update in versions 125.0.6422.112/.113, while Linux users will get the update in version 125.0.6422.112. Chrome typically updates automatically, but users need to relaunch the browser for the updates to take effect. To ensure the update is installed, users can check their Chrome version in the About section of the Settings menu.

Ongoing Security Efforts

This marks the third actively exploited zero-day vulnerability in Chrome that Google has fixed in May alone. Earlier this year, Google adjusted its security update schedule, reducing it from twice weekly to once weekly. This change aims to close the patch gap and reduce the time attackers have to exploit known vulnerabilities before a fix is released.

Previous Zero-Day Vulnerabilities Fixed This Year

Google has been actively addressing several critical vulnerabilities in Chrome throughout 2024. Notable fixes include:

1. CVE-2024-0519: An out-of-bounds memory access issue in the V8 engine, which could lead to heap corruption and unauthorised data access.

2. CVE-2024-2887: A type confusion vulnerability in the WebAssembly standard, which could be exploited for remote code execution.

3. CVE-2024-2886: A use-after-free bug in the WebCodecs API, allowing arbitrary reads and writes, leading to remote code execution.

4. CVE-2024-3159: An out-of-bounds read in the V8 engine, enabling attackers to access sensitive information.

5. CVE-2024-4671: A use-after-free flaw in the Visuals component, affecting how content is rendered in the browser.

6. CVE-2024-4761: An out-of-bounds write issue in the V8 engine.

7. CVE-2024-4947: Another type confusion vulnerability in the V8 engine, risking arbitrary code execution.

Importance of Keeping Chrome Updated

The continuous discovery and exploitation of vulnerabilities surfaces that it's imperative to keep our softwares up to date. Chrome’s automatic update feature helps ensure users receive the latest security patches without delay. Users should regularly check for updates and restart their browsers to apply them promptly.

Overall, Google’s quick response to these vulnerabilities highlights the critical need for robust security measures and careful practices in maintaining up-to-date software to protect against potential cyber threats.


Read more »
Zero Day
Antivirus Detection Honeypot honeypot system malware Zero Day

Empowering Global Cybersecurity: The Future with Dianoea Darwis Honeypot

 

The digital world, vast and interconnected, demands robust cybersecurity measures that can keep pace with rapidly evolving threats. The Dianoea Darwis Honeypot and the initiatives of the Cyber Security and Privacy Foundation are pivotal in shaping this future. This final section explores the broader impact of these efforts and the global call to action for enhanced cybersecurity. 
 
A Global Network in Need of Protection In our digitally interconnected world, a threat to one is a threat to all. The Dianoea Darwis Honeypot isn't just a tool for individual organizations; it's a guardian for the global digital network. Its ability to identify and analyze cyber threats has far-reaching implications, helping to safeguard not just individual systems but entire infrastructures. 
 
The Significance of Collaboration in Cybersecurity 
 
The challenges posed by cyber threats are too vast for any single entity to tackle alone. The Foundation's initiative highlights the importance of collaboration in cybersecurity. By providing tools like the Dianoea Darwis Honeypot and its analysis API, they are fostering a community-oriented approach where shared knowledge leads to stronger defenses for everyone. 
 

Preparing for the Future 

 
As we look towards the future, the role of technologies like the Dianoea Darwis Honeypot becomes increasingly significant. Cybersecurity is an ever-evolving field, and staying ahead requires tools that are not only advanced but also adaptable. The Foundation's ongoing efforts to enhance and update the honeypot ensure that it remains a potent weapon against cyber threats. 
 

Join the Cybersecurity Revolution 

 
The journey to a safer digital world is a collective effort. The Dianoea Darwis Honeypot and the Foundation's free analysis API are open to use, inviting everyone to play a role in this revolution. Whether you're a cybersecurity expert, part of an organization, or an individual with an interest in the field, your involvement can make a difference. 
 

A Unified Stand Against Cyber Threats 

 
The Cyber Security and Privacy Foundation's initiative, highlighted by the Dianoea Darwis Honeypot, is more than just a technological advancement; it's a call to arms in the digital realm. As we embrace these tools and join forces in the fight against cybercrime, we forge a path towards a more secure and resilient digital future for all. 

Written by Founder, Cyber Security And Privacy Foundation
Read more »
Zero Day
API security Artificial Intelligence Chat Bot Chat GPT Cyber Security Encryption Malicious Codes Sensitive data Unauthorized access Zero Day

Adopting ChatGPT Securely: Best Practices for Enterprises

As businesses continue to embrace the power of artificial intelligence (AI), chatbots are becoming increasingly popular. One of the most advanced chatbots available today is ChatGPT, a language model developed by OpenAI that uses deep learning to generate human-like responses to text-based queries. While ChatGPT can be a powerful tool for businesses, it is important to adopt it securely to avoid any potential risks to sensitive data.

Here are some tips for enterprises looking to adopt ChatGPT securely:
  • Conduct a risk assessment: Before implementing ChatGPT, it is important to conduct a comprehensive risk assessment to identify any potential vulnerabilities that could be exploited by attackers. This will help organizations to develop a plan to mitigate risks and ensure that their data is protected.
  • Use secure channels: To prevent unauthorized access to ChatGPT, it is important to use secure channels to communicate with the chatbot. This includes using encrypted communication channels and secure APIs.
  • Monitor access: It is important to monitor who has access to ChatGPT and ensure that access is granted only to authorized individuals. This can be done by implementing strong access controls and monitoring access logs.
  • Train employees: Employees should be trained on the proper use of ChatGPT and the potential risks associated with its use. This includes ensuring that employees do not share sensitive data with the chatbot and that they are aware of the potential for social engineering attacks.
  • Implement zero-trust security: Zero-trust security is an approach that assumes that every user and device on a network is a potential threat. This means that access to resources should be granted only on a need-to-know basis and after proper authentication.
By adopting these best practices, enterprises can ensure that ChatGPT is used securely and that their data is protected. However, it is important to note that AI technology is constantly evolving, and businesses must stay up-to-date with the latest security trends to stay ahead of potential threats.
Read more »
Zero Day
Atlassian CISA Critical Flaw Exploits Flaws Microsoft Exchange Microsoft Exchange Server Vulnerabilities and Exploits Zero Day

CISA: Atlassian Bitbucket Server Flaws added to KEV Catalog List

 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added three recently disclosed security flaws to its list of Known Exploited Vulnerabilities (KEV ) Catalog, including critical vulnerability in Atlassian’s Bitbucket Server and Data Center, and two Microsoft Exchange zero-days.

At the end of August, Atlassian rectified a security flaw, tracked as CVE-2002-36804 (CVSS score 9.9) in Bitbucket Server and Data Center. The flaw is a critical severity and is related to a command injection vulnerability that enables malicious actors access to arbitrary code execution, by exploiting the flaw through malicious HTTP requests.

"All versions of Bitbucket Server and Datacenter released after 6.10.17 including 7.0.0 and newer are affected, this means that all instances that are running any versions between 7.0.0 and 8.3.0 inclusive are affected by this vulnerability," Atlassain states in an advisory released in late August.

Although CISA did not provide further details on how the security flaw is being exploited or how widespread the exploitation efforts are, researchers at GreyNoise, on September 20 and 23 confirms to have detected evidence of in-the-wild abuse.

The other two KEV flaws, Microsoft Exchange zero-days (tracked as CVE-2022-41040 and CVE-2022-41082) exploited in limited, targeted attacks according to Microsoft.

"Microsoft is also monitoring these already deployed detections for malicious activity and will take necessary response actions to protect customers. [..] We are working on an accelerated timeline to release a fix," states Microsoft.

The Federal Civilian Executive Branch Agencies (FCEB) have applied patches or mitigation measures for these three security vulnerabilities after being added to CISA’s KEV catalog as required by the binding operational directive (BOD 22-01) from November.

Since the directive was issued last year, CISA has added more than 800 security vulnerabilities to its KEV catalog, while requiring federal agencies to direct them on a tighter schedule.

Although BOD 22-01 only applies to U.S. FCEB agencies, CISA has suggested to all the private and public sector organizations worldwide to put forward these security flaws, as applying mitigation measures will assist in containing potential attacks and breach attempts. In the same regard, CISA furthermore stated, “These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise”
Read more »
Zero Day
Exchange Server Microsoft Vulnerabilities and Exploits Zero Day

Microsoft Accepts Breach of Two Zero Day Vulnerabilties

Exchange Server Vulnerabilities

Microsoft accepted that it knows about the two Exchange Server zero-day vulnerabilities that have been compromised in targeted cyberattacks. GSTC, a cybersecurity agency from Vietnam, reports finding attacks comprising two latest Microsoft Exchange zero-day vulnerabilities. It thinks that the attacks, which first surfaced in August and aimed at crucial infrastructure, were orchestrated by Chinese threat actors. 

Technical details about the vulnerabilities have not been disclosed publicly yet, however, GSTC says that the attacker's exploitation activities following the attack include the installation of backdoors, deployment of Malware, and lateral movement. 

Details about zero-day vulnerabilities

Microsoft was informed about vulnerabilities through the Zero Day Initiative (ZDI), by Trend Micro. Microsoft posted a blog telling its customers that the company is looking into two reported zero-day vulnerabilities. As per Microsoft, one flaw is a server-side request forgery (SSRF) issue, identified as CVE-2022-41040 and the second flaw is an RCE (remote code execution) flaw identified as CVE-2022-41082. The security loopholes seem to affect Exchange Server 2013, 2016, and 2019. 

According to Microsoft, it is aware of limited targeted attacks using the two vulnerabilities to get into users’ systems. In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either of the two vulnerabilities. 

Microsoft fixing the issue

Microsoft is currently working on an accelerated timeline to fix the vulnerabilities. For the time being, it has given detailed guidelines to protect against the vulnerability. It believes that its products should identify post-exploitation malware and any malicious activities related to it. Microsoft Online Exchange users don't have to do anything. 

"Security researcher Kevin Beaumont has named the vulnerabilities ProxyNotShell due to similarities with the old ProxyShell flaw, which has been exploited in the wild for more than a year. In fact, before Microsoft confirmed the zero-days, Beaumont believed it might just be a new and more effective variant of the ProxyShell exploit, rather than an actual new vulnerability," reports Security Week.

Read more »
Subscribe to: Comments (Atom)