A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.15, 2025.Q2.0 through 2025.Q2.2 and 2024.Q1.13 through 2024.Q1.19 allows a remote authenticated user to inject JavaScript code via snippet parameter.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-q2gv-w583-f2vq: Liferay Portal Reflected Cross-Site Scripting Vulnerability via snippet Parameter

A flaw was found in org.keycloak/keycloak-model-storage-service. The KeycloakRealmImport custom resource substitutes placeholders within imported realm documents, potentially referencing environment variables. This substitution process
allows for injection attacks when crafted realm documents are processed. An attacker can leverage this to inject malicious content during the realm import procedure. This can lead to unintended consequences within the Keycloak environment.

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.

Attack complexity: More severe for the least complex attacks.

Privileges required: More severe if no privileges are required.

User interaction: More severe when no user interaction is required.

Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.

Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.

Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.

Availability: More severe when the loss of impacted component availability is highest.

GHSA-w2wj-hw98-233h: Keycloak Potential Variable Reference in Model Storage Services

Qilin ransomware claims a 4TB data breach at Nissan CBI, leaking car design files, financial data, 3D models,…

Qilin ransomware claims a 4TB data breach at Nissan CBI, leaking car design files, financial data, 3D models, and VR design images as proof.

The Qilin ransomware group says it has compromised Nissan’s Creative Box Inc. (CBI), a Tokyo-based design subsidiary of Nissan Motor Co., Ltd, and is threatening to release sensitive files unless its demands are met.

On its dark web leak site, the group claimed it had copied more than 4 terabytes of data, including 405882 files, from Nissan CBI. The post alleged that the stolen material includes 3D design data, reports, photos, videos, and various internal documents linked to Nissan automobile projects.

In its message, Qilin wrote: “The 4TB of data we copied includes 3D design data, reports, photos, videos and various documents of Nissan automobiles. While we have no intention of releasing all of this data yet, if Nissan refuses to acknowledge or ignore, it will. At that point, everyone, including competitors, will have access to detailed data of all Nissan CBI projects.”

Screenshot from the Qilin ransomware group’s dark web leak site. Images are blurred for product protection. (Image credit: Hackread.com)

****What the Leaked Images Show****

As proof of its claims, Qilin published four sample files. One shows 3D CAD-style renderings of a Nissan vehicle, with both low and high-polygon models labeled with triangle counts. This suggests the group accessed advanced design data used in prototyping and visualization.

Another file is a spreadsheet written in Japanese, which appears to contain financial or operational data, including figures, project timelines, and cost estimates. Highlighted sections and color-coded blocks indicate internal planning and budgeting work.

The third leaked file is a photorealistic render of a Nissan car interior, showing the dashboard, steering wheel, and seating design in high detail. The fourth leaked image shows staff using virtual reality headsets to review and manipulate 3D vehicle designs on-screen, highlighting how Nissan CBI integrates VR into its design workflow.

If authentic, this type of file could be valuable to competitors or counterfeiters seeking insight into Nissan’s design processes.

****Qilin Ransomware, A Serious Threat!****

Qilin, also known as Agenda, has been active since 2022 and is known for targeting high-profile organizations through a ransomware-as-a-service (SaaS) model. The group gained international attention after a 2024 attack on NHS supplier Synnovis in London, which disrupted thousands of medical appointments, procedures and also caused the death of a patient due to the cyberattack.

If Nissan CBI’s data is genuine, the exposure of proprietary vehicle designs and internal documents could create long-term competitive and reputational risks for the company. Automotive design files are often closely guarded trade secrets, and the threat of competitors gaining access to them adds another layer of pressure in such incidents.

Hackread.com has reached out to Nissan for comment regarding the claims made by Qilin. At the time of writing, no official statement has been released.

Qilin Ransomware Gang Claims 4TB Data Breach at Nissan CBI

Amy (ahem, Special Agent Dale Cooper) shares lessons from their trip to the Olympic Peninsula and cybersecurity travel tips for your last-minute adventures.

Thursday, August 21, 2025 14:00

(Welcome to this week’s edition of the Threat Source newsletter.) 

Diane, 

2:01 p.m., August 21st. I’ve just returned from a remarkable journey through Seattle and the misty roads of the Olympic Peninsula. If you ever find yourself driving beneath those towering Douglas firs or dragged by your partner through the Twilight Museum in Forks, I recommend stopping for a cup of hot, black coffee and a slice of cherry pie at any roadside diner. It’s nothing short of extraordinary.  

But as I navigated the Rialto Beach tidepools (at 5:30 a.m., no less) and moss-laden trees of the Hoh Rainforest, I made a classic misstep: I forgot to connect to Wi-Fi the entire trip. By the time I returned, my high-speed data allowance had vanished into the mist, leaving me puzzled and restarting my cell phone for days — a humbling reminder that even seasoned agents can overlook the basics. 

Travel is a curious thing, Diane. When you’re on the road, it’s easy to let your guard down, become enchanted by the scenery and forget that digital dangers can lurk behind every public WiFi signal or seemingly harmless USB charging station. 

As the summer draws to a close and more people venture out of Twin Peaks for those last-minute adventures, I’ve compiled a list of field-tested precautions for the journey ahead, because even professionals need a reminder sometimes: 

1.  Update your devices and back up important data before you leave. If a device is lost, stolen or infected with malware, you’ll still have access to your files. 
2.  Turn off auto-connect features to reduce the risk of connecting to rogue networks or devices. 
3.  Only take what you need. The fewer devices you take, the fewer you have to keep track of and worry about. 
4.  Limit the use of location services on your devices and apps unless necessary. This protects your privacy and reduces the risk of targeted attacks while traveling. 
5.  Steer clear of public computers in hotel lobbies and libraries, especially for accessing sensitive accounts. If you must use them — or if you log in to any streaming services during your stay —  don't forget to log out of your accounts. 
6.  Public WiFi is convenient, but we know its security can be questionable. Use a VPN or your phone’s hotspot for a more secure connection. 
7.  Set up device tracking (like Find My iPhone or Find My Device) and know how to remotely wipe your device in case it’s lost or stolen. 
8.  Take a power bank with you to avoid using USB charging stations, which could result in malware being downloaded to your device. 

Diane, the woods are lovely, dark and deep, and so are the digital trails we leave behind. Stay vigilant, stay caffeinated and remember that the best protection is awareness. 

Special Agent Dale Cooper

**The one big thing **

Static Tundra, a Russian state-backed group, is exploiting end-of-life and unpatched Cisco network devices using a seven-year-old patched vulnerability (CVE-2018-0171) to steal data and maintain long-term hidden access in organizations worldwide. Their tactics include persistent implants and bespoke SNMP tools to exfiltrate data and maintain undetected access, with a focus on entities of strategic interest to the Russian government. We urge immediate patching or disabling of at-risk features to prevent compromise. 

**Why do I care? **

If your organization uses Cisco devices that haven’t been patched or replaced, you could be vulnerable to undetected cyberattacks and data breaches—even if the vulnerability is years old. This risk affects organizations of all sizes and industries, putting sensitive data and business operations in jeopardy. 

**So now what? **

Immediately review your network infrastructure for unpatched or end-of-life Cisco devices and apply available patches or disable vulnerable features as recommended. Ongoing security hardening, regular updates and vigilant monitoring are critical to defend against this and similar state-sponsored threats.

**Top security headlines of the week **

**Workday Data Breach Bears Signs of Widespread Salesforce Hack**   
Workday said threat actors gained access to a third-party customer relationship management (CRM) system and obtained “commonly available business contact information” such as names, phone numbers, and email addresses. (SecurityWeek) 

**Novel 5G Attack Bypasses Need for Malicious Base Station**   
A team of researchers from the Singapore University of Technology and Design released a framework named Sni5Gect that can be used to sniff messages and perform message injection in 5G communications. (SecurityWeek) 

**Internet-wide Vulnerability Enables Giant DDoS Attacks**   
Researchers from Tel Aviv University have identified a way around the Rapid Reset fix called "MadeYouReset," and it's raising the possibility that attackers could enact cyberattacks against up to one-third of all websites globally. (Dark Reading) 

**Threat Actors Allegedly Listed Windows Zero-Day RCE Exploit For Sale on Dark Web**   
The threat actor claims it targets fully updated Windows 10, Windows 11, and Windows Server 2022 systems. The sale conditions emphasize exclusivity, prohibiting resale unless explicitly negotiated, which is typical for premium exploits. (Cybersecurity News) 

**XenoRAT malware campaign hits multiple embassies in South Korea**    
The targets were generally European embassies in Seoul and the themes included fake meeting invites, official letters, and event invitations, often sent from impersonated diplomats. (BleepingComputer)

**Can’t get enough Talos? **

**The art of controlling information**   
JJ Cummings leads Talos' Threat Intelligence and Interdiction team on nation-state security and intelligence. He shares his story, thoughts on burnout and motivation, and advice for anyone looking to join Talos.

**Ransomware incidents in Japan during the first half of 2025**   
In the first half of 2025, the number of ransomware attacks in Japan increased by approximately 1.4 times compared to the previous year. Read our blog to learn the most recent trends.

**Cyber Analyst Series: Cybersecurity overview and the role of the cybersecurity analyst**   
A series of videos on the profession of cybersecurity analysts made in conjunction with the Ministry of Digital Transformation of Ukraine for Diia.Education (available in English and Ukrainian languages).

**Upcoming events where you can find Talos **

*   BlueTeamCon (Sept. 4 – 7) Chicago, IL 
*   LABScon (Sept. 17 – 20) Scottsdale, AZ 
*   VB2025 (Sept. 24 – 26) Berlin, Germany 

**Most prevalent malware files from Talos telemetry over the past week**

**SHA256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca**     
MD5: 71fea034b422e4a17ebb06022532fdde      
VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca/details  
Typical Filename: VID001.exe      
Claimed Product: N/A      
Detection Name: Coinminer:MBT.26mw.in14.Talos  

**SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**    
MD5: 2915b3f8b703eb744fc54c81f4a9c67f    
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507     
Typical Filename: VID001.exe    
Claimed Product: N/A    
Detection Name: Win.Worm.Coinminer::1201 

**SHA 256: 41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610**    
MD5: 85bbddc502f7b10871621fd460243fbc     
VirusTotal: https://www.virustotal.com/gui/file/41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610/details    
Typical Filename: N/A    
Claimed Product: Self-extracting archive    
Detection Name: Win.Worm.Bitmin-9847045-0 

**SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**      
MD5: 7bdbd180c081fa63ca94f9c22c457376    
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details    
Typical Filename: IMG001.exe    
Detection Name: Simple\_Custom\_Detection    

**SHA 256: 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa**    
MD5: df11b3105df8d7c70e7b501e210e3cc3    
VirusTotal: https://www.virustotal.com/gui/file/59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa/details    
Typical Filename: DOC001.exe    
Claimed Product: N/A    
Detection Name: Win.Worm.Coinminer::1201

Cherry pie, Douglas firs and the last trip of the summer

New research highlights how threat actors abuse legitimate virtual private server offerings in order to spin up infrastructure cheaply, quietly, and fast.

Hackers Abuse VPS Infrastructure for Stealth, Speed

Europol has confirmed that a widely reported $50,000 reward for information on the Qilin ransomware group is a…

Europol has confirmed that a widely reported $50,000 reward for information on the Qilin ransomware group is a “scam.” The fake announcement is believed to be a tactic used by rival gangs.

A $50,000 reward from Europol for information on two top members of the Qilin ransomware group has been exposed as fake. According to Europol, the announcement, which was shared on a Telegram channel and later reported by several news outlets, is a scam and did not come from the official law enforcement agency.

The organisation confirmed that it does not use Telegram for official announcements. The agency maintains accounts on other platforms like Instagram, LinkedIn, and Facebook.

The fraudulent message claimed that Europol was offering a reward for two cybercriminals known by the online names Haise and XORacle, who allegedly oversee the Qilin ransomware operation. Here is the fake message:

“During the course of ongoing international investigations, we have confirmed that the cybercriminal group Qilin has carried out ransomware attacks worldwide, severely disrupting critical infrastructure and causing significant financial losses,” Europol said in a post to one of its Telegram channels.”

“We have identified two primary administrators operating under the aliases Haise and XORacle, who coordinate affiliates and oversee extortion activities.”

“We are actively pursuing all available leads in cooperation with international partners. A reward of up to US$50,000 is offered for information that directly leads to the identification or location of these administrators.”

The fake reward announcement

****Qilin: A Highly Active Threat****

Qilin, aka Agenda, is a very active ransomware group operating since 2022. It made headlines with a high-profile cyberattack in mid-2024 against Synnovis, a key NHS lab provider in London. The attack caused widespread disruption, delaying over 10,000 outpatient appointments, forcing the postponement of 1,710 operations, and stalling 1,100 cancer treatments.

After demanding a $50 million ransom, the gang eventually leaked nearly 400GB of sensitive patient data, including names and NHS numbers. A review conducted by the NHS in June 2025 revealed that a patient’s death was also caused by the incident.

The group’s members are believed to be based in Eastern Europe and are known to speak Russian. The organization runs on a ransomware-as-a-service (RaaS) model, where it allows other criminals to use its tools in exchange for a share of the profits. This year alone, Qilin has claimed over 400 victims on its leak website, including large companies and organizations.

Source: Bitdefender

****Why The Fake Announcement?****

The fake reward announcement is a strange but familiar tactic in the world of cybercrime. Experts suggest that such fraudulent claims can be used by rival criminal groups to damage the reputation of their competitors, sow distrust, and even lure away their members.

By creating confusion and paranoia within a rival group, a competing gang can try to gain a competitive edge in the illegal market. In this case, the fake Europol reward may serve as a strategic move in an ongoing battle between cybercriminal organizations.

Europol Denies $50K Reward for Qilin Ransomware, Calls It a Scam

Quick recovery relies on three security measures.

K-12 School Incident Response Plans Fall Short

Commvault has released updates to address four security gaps that could be exploited to achieve remote code execution on susceptible instances.
The list of vulnerabilities, identified in Commvault versions before 11.36.60, is as follows -

CVE-2025-57788 (CVSS score: 6.9) - A vulnerability in a known login mechanism allows unauthenticated attackers to execute API calls without requiring user

Pre-Auth Exploit Chains Found in Commvault Could Enable Remote Code Execution Attacks

The PromptFix attack tricks AI browsers with fake CAPTCHAs, leading them to phishing sites and fake stores where…

The PromptFix attack tricks AI browsers with fake CAPTCHAs, leading them to phishing sites and fake stores where they auto-complete purchases.

Cybersecurity experts at Guardio Labs have revealed how artificial intelligence (AI) designed to assist users online can be tricked into falling for scams, calling it a “new era of digital threats they call Scamlexity.”

The findings, shared with Hackread.com, detail a unique attack method named PromptFix. This technique uses a fake CAPTCHA, a security check meant to prove a user isn’t a robot, to hide malicious instructions. While a human might easily spot the fake check and ignore it, the AI sees it as a legitimate command to follow.

Source: Guardio Labs

The report highlights that these AI helpers, called agentic AIs, can be deceived into giving away sensitive information or even making purchases without the user’s knowledge. Researchers demonstrated how these AI browsers, like Perplexity‘s Comet, could be fooled by scams that have been around for years through different tests.

In one test, they created a fake online store that looked just like Walmart. When the AI was asked to buy an item, it didn’t hesitate. It checked the fake website and, without asking for permission, automatically entered saved payment information to complete the purchase.

The researchers emphasize that the AI was so focused on completing its task that it ignored obvious red flags obvious red flags a human would have noticed, such as a suspicious website address and other missing security signals, which a human would have noticed.

Source: Guardio Labs

In another scenario, the AI browser was given a phishing email that looked like it was from a bank. The AI confidently clicked on the malicious link and, without any warnings, took the user to a fake login page, asking them to enter their personal information. The researchers call this a “perfect trust chain gone rogue,” because the user relies on the AI, never sees the warning signs, and is led directly into a trap.

Source: Guardio Labs

The report warns that in the future, scammers won’t need to trick millions of people. Instead, they can simply break one AI model and use that same trick to compromise millions of users at the same time. It is highly crucial to make these AI systems safe and secure from the very beginning, rather than adding them later, because the consequences could be detrimental.

“The trust we place in Agentic AI is going to be absolute, and when that trust is misplaced, the cost is immediate,” researchers conclude in their report.

Therefore, AI is going to handle our emails and finances; it needs the same level of protection we use for ourselves. Otherwise, our trusted AI could become an invisible accomplice for hackers.

_“_As adversaries double down on the use and optimization of autonomous agents for attacks, human defenders will become increasingly reliant on and trusting of autonomous agents for defense,_“_ said Nicole Carignan, Senior Vice President, Security & AI Strategy, and Field CISO at Darktrace.

_“_Specific types of AI can perform thousands of calculations in real time to detect suspicious behavior and perform the micro decision-making necessary to respond to and contain malicious behavior in seconds. Transparency and explainability in the AI outcomes are critical to foster a productive human-AI partnership,_“_ she added.

AI Browsers Can Be Tricked Into Paying Fake Stores in PromptFix Attack

Threat actors have been observed leveraging the deceptive social engineering tactic known as ClickFix to deploy a versatile backdoor codenamed CORNFLAKE.V3.
Google-owned Mandiant described the activity, which it tracks as UNC5518, as part of an access-as-a-service scheme that employs fake CAPTCHA pages as lures to trick users into providing initial access to their systems, which is then

Latest News