Pycel through 1.0b30, when operating on an untrusted spreadsheet, allows code execution via a crafted formula in a cell, such as one beginning with the `=IF(A1=200, eval("__import__('os').system(` substring.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-pw67-xjhq-389w: Pycel allows code injection via a crafted formula

Security researchers report CVE-2025-32433, a CVSS 10.0 RCE vulnerability in Erlang/OTP SSH, allowing unauthenticated code execution on exposed…

Security researchers report CVE-2025-32433, a CVSS 10.0 RCE vulnerability in Erlang/OTP SSH, allowing unauthenticated code execution on exposed systems.

A newly disclosed vulnerability in the Erlang/OTP SSH implementation could allow attackers to run code on affected systems without logging in. The flaw, tracked as CVE-2025-32433, was reported by researchers at Ruhr University Bochum and has been rated with a maximum CVSSv3 score of 10.0 due to its potential impact on systems using the widely deployed library.

Disclosed by researchers via the oss-security mailing list, the issue affects the SSH protocol message handling within Erlang/OTP, allowing attackers to send specially crafted messages before authentication takes place. If exploited, the vulnerability could lead to arbitrary code execution. In cases where the SSH daemon is running with root privileges, this could result in a complete system compromise.

****Who Is Affected?****

Any application or service running an SSH server built on the Erlang/OTP SSH library is likely exposed. This includes a range of environments, particularly those relying on Erlang for high-availability systems such as telecommunications equipment, industrial control systems, and connected devices.

“If your application uses Erlang/OTP SSH for remote access, you should assume it is affected,” the researchers stated.

The vulnerability is caused by the way the SSH server handles certain messages during the initial connection, before authentication takes place. An attacker with network access to the server can exploit this flaw by sending connection protocol messages before the authentication step, slipping past normal checks and triggering remote code execution.

According to the advisory, the flaw could allow unauthorised users to gain the same privileges as the SSH daemon. This means if the daemon is running as root, the attacker would have unrestricted access.

****What to Do Now****

The official advisory is available on Erlang’s GitHub security page. For those unable to upgrade immediately, firewall rules should be used to block access to the SSH server from untrusted sources.

This flaw is particularly serious not just because of how it works, but where it lives. Erlang/OTP is quietly embedded in many production systems, often overlooked in routine audits. That makes widespread exposure a real concern.

When a widely used library like Erlang/OTP is affected, the impact can quickly spread. CVE-2025-32433 is a clear example, especially for systems that depend on remote access and automation. Therefore, administrators and vendors are urged to assess their systems, verify if Erlang/OTP SSH is in use, and patch or isolate as soon as possible.

****Expert Insight****

Mayuresh Dani, Manager of Security Research at Qualys, described the flaw as “extremely critical.”

“Due to improper handling of pre-authentication SSH protocol messages, a remote threat actor can bypass security checks to execute code on a system. If the SSH daemon runs with root privileges, which is common in many deployments, the threat actor will gain complete control,” Dani said.

He added that Erlang is frequently used in high-availability systems due to its reliable support for concurrent processing. “Many Cisco and Ericsson devices run Erlang. Any service using the Erlang/OTP SSH library for remote access, such as those in OT or IoT setups, is at risk.”

Dani recommends updating to the latest patched versions of Erlang/OTP. These include OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. For organisations that need more time to implement upgrades, he advises limiting SSH port access to trusted IPs only.

Researchers Find CVSS 10.0 Severity RCE Vulnerability in Erlang/OTP SSH

In this week’s newsletter, Thorsten muses on how search engines and AI quietly gather your data while trying to influence your buying choices. Explore privacy-friendly alternatives and get the scoop on why it's important to question the platforms you interact with online.

Thursday, April 17, 2025 14:01

Welcome to this week’s edition of the Threat Source newsletter. 

As we navigate our daily routines, certain tasks become second nature to us, especially if they are integral to our professions. However, what feels instinctive to one person might be foreign to another. This disparity is akin to a skilled musician effortlessly playing a complex melody, while someone without musical training might appreciate the beauty of the music in a different way. Both may enjoy music, but they experience it from different perspectives. 

Lately, I've found myself thinking about these differences in the context of online interactions, particularly with search engines. I've become increasingly frustrated with how they try to influence my buying behavior or try to “enhance” search results with AI. It's often unsuccessful, as many of you have experienced. I once looked up something for my father-in-law and got swamped for weeks after with advertisements absolutely irrelevant to me. 

It's easy to overlook that when using a search engine, the exchange of knowledge is not one-sided. It's not only users who gain knowledge from indexed content, but search engines also acquire detailed insights into user behavior and preferences. You may unknowingly share sensitive information that could be stored for extended periods or shared with third parties for advertising or other purposes. I tried to get around this by shifting to privacy-focused search engines but wasn’t happy with the experience, either because of smaller or different indexes, or I was missing results in my native language. 

Luckily, I came across an open-source project called SearXNG, a “free internet metasearch engine which aggregates results from up to 229 search services. Users are neither tracked nor profiled.” 

I like it for three reasons: 

1.  You can try one of the public instances and check if you like it before you go all-in.
2.  You can self-host it on bare metal, in Docker or LXC, giving you even more control over your data. 
3.  With Opensearch it seamlessly integrates with your existing browser. 

It took me a couple of days to get used to it, but I do really like it now. It’s not perfect, but it is a real timesaver. As a bonus, the search syntax for advanced use is easy to memorize: 

*   “:en”, “:de” or “:fr” to search in a given language 
*   “!social\_media” or “!news” to search just a given category 

The same principle applies to the increasing number of AI and large language models (LLMs) that process your queries — they also gather information about you. There are initiatives like Perplexica on GitHub that aim to bridge the gap for AI-assisted searches, although I haven't explored them in detail. Additionally, if your interactions extend beyond simple searches to more profound inquiries, such as asking an LLM about the meaning of life, it's wise to first assess the trustworthiness of the engine or the company behind it. Care what you share.

**The one big thing **

We are continuing our discussion of Talos' 2024 Year in Review report, looking at each section in detail. This week, let’s examine ransomware.

**Why do I care? **

Ransomware actors overwhelmingly leveraged valid accounts for initial access in 2024, with this tactic appearing in almost 70% of related cases.  

Ransomware actors exploited public-facing applications nearly 20% of the time. The Known Exploited Vulnerabilities Catalog for 2024 lists 28 out of 186 Vulnerabilities as “Known to be used in Ransomware Campaigns” with CVE ID’s all the way from 2012-2024 (except for 2015).

**So now what? **

These are major risks which can be mitigated by applying basic cyber hygiene principles. Please update and patch your software, and protect your credentials. Tune in next week to learn about multi-factor authentication (MFA) and identity threats, and why you need to do more than just enable MFA.

**Top security headlines of the week **

*   **OpenAI cuts safety tests in “reckless” AI push.** According to the article, testing has gone down from six months to just days. We all know that even with six months of testing any model, it’ll never be quite perfect. (MSN) Further compounding this: 
*   **AI-hallucinated code dependencies become new supply chain risk.** “Slopsquatting” (as a spin on typosquatting) has become a thing. Threat actors can check with one or more AI models what packages they hallucinate and upload their malicious ones to PyPI or npm. (BleepingComputer)
*   **Windows Recall seems to be back again.** More privacy-related news. If I recall (pun intended) correctly, in May last year Microsoft introduced Recall — a feature which constantly takes screenshots, indexes them, and makes them searchable for you. After huge backslashes in the community, and the creation of tools like TotalRecall, Microsoft paused the launch last June. (BleepingComputer)
*   **The 25-year-old CVE program seemed to be at risk.** MITRE warned on April 15 that its contract to maintain the Common Vulnerabilities and Exposures (CVE) program expired on April 16. This was big. Just in Q1 about 11,781 vulnerabilities were added (with 415 rejected) to the Database. Stopping this would have caused a lot of trouble. (Krebs on Security) However, the Cybersecurity and Infrastructure Security Agency (CISA) announced that it had exercised an option to extend MITRE’s contract—reportedly for another 11 months, according to multiple sources.

**Can’t get enough Talos? **

*   **Unmasking the new XorDDoS controller and infrastructure.** Cisco Talos observed the ongoing global spread of the XorDDoS malware, predominantly targeting the United States, with evidence suggesting Chinese-speaking operators are using sophisticated tools to orchestrate widespread attacks. 
*   **Talos Takes: Year in Review Special (Pt. 2).** Azim Khodjibaev and Lexi DiScola join Hazel to discuss some of the most prolific ransomware groups (and why LockBit may end this year very differently to how they ended 2024).

**Upcoming events where you can find Talos **

*   RSA (April 28 – May 1) San Francisco, CA    
*   PIVOTcon (May 7 – 9) Malaga, Spain    
*   CTA TIPS 2025 (May 14 – 15) Arlington, VA    
*   Cisco Connect UK & Ireland (May 20) London, UK  
*   Cisco Live U.S. (June 8 – 12) San Diego, CA 

**Most prevalent malware files from Talos telemetry over the past week  **

**SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**   
MD5: 2915b3f8b703eb744fc54c81f4a9c67f     
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507     
Typical Filename: VID001.exe     
Detection Name: Win.Worm.Bitmin-9847045-0 

**SHA256: 2e964c017df8b7d56600a5d68018f9f810a1c7dd3da800b5b5dfe85e9ce6b385**   
MD5: 01b521c78f5bbdaba0cc221bc893e2b8   
VirusTotal: https://www.virustotal.com/gui/file/2e964c017df8b7d56600a5d68018f9f810a1c7dd3da800b5b5dfe85e9ce6b385   
Typical Filename: toyboy.exe     
Detection Name: Gen:Variant.Tedy.758566 

**SHA256: 2462569cf24a5a1e313390fa3c52ed05c7f36ef759c4c8f5194348deca022277**   
MD5: 42c016ce22ab7360fb7bc7def3a17b04   
VirusTotal: https://www.virustotal.com/gui/file/2462569cf24a5a1e313390fa3c52ed05c7f36ef759c4c8f5194348deca022277   
Typical Filename: Rainmeter-4.5.22.exe    
Detection Name: Artemis!Trojan 

**SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**     
MD5: 7bdbd180c081fa63ca94f9c22c457376     
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
Typical Filename: IMG001.exe    
Detection Name: Win.Trojan.Miner-9835871-0

Care what you share

Apple has released a security update for iOS and iPadOS to patch two zero-day vulnerabilities which are reported to already have been exploited...

Apple has released a security update for iOS and iPadOS to patch two zero-day vulnerabilities which are reported to already have been exploited in an extremely sophisticated attack against specific targeted individuals on iOS.

Both vulnerabilities allowed an attacker to bypass the memory protections that would normally stop someone from running malicious code. Reportedly, attackers used them with another unpatched vulnerability or malicious app, and the combination could be used to give them complete control over targeted iPhones.

The update is available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 13.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later

To check if you’re using the latest software version, go to **Settings** > **General** > **Software Update**. You want to be on iOS 18.4.1 or iPadOS 18.4.1, so update now if you’re not. It’s also worth turning on Automatic Updates if you haven’t already. You can do that on the same screen.

Update available

**Technical details**

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The zero-day CVEs patched in these updates are:

*   CVE-2025-31200: Processing an audio stream in a maliciously crafted media file may result in code execution due to a memory corruption issue which was addressed with improved bounds checking.
*   CVE-2025-31201: An attacker with arbitrary read and write capability may be able to bypass Pointer Authentication. This issue was addressed by removing the vulnerable code.

Given that both vulnerabilities were flagged as used in extremely sophisticated attacks and are patched simultaneously, it stands to reason that they were chained for a successful exploitation.

This deserves a bit of an explanation. Apple’s Pointer Authentication (PA) is a hardware security feature designed to detect and prevent tampering with critical pointers (like function addresses or return addresses) in memory. Computers use memory to store and provide information that software programs use as they run.

When creating a pointer (like a return address), the system adds a cryptographic signature (PAC) using secret keys. Before using the pointer, the system checks if the signature still matches.

A memory corruption issue can give an attacker the option to make a change in the device’s memory, but it’s often limited to a very small portion of the memory.

What could have happened here is that the attacker was able to use that ample space to create a pointer that was able to bypass the Pointer Authentication and use this ability to point from a legitimate application to their malicious code.

In the past researchers have already found bypass scenarios for attackers that already have full memory control.

What exactly happened is unknown, because, as a protection against attackers reverse engineering updates to find the vulnerabilities, Apple doesn’t disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available.

Which is also why it’s important to update before other criminals are using the same exploits in less targeted and more widespread attacks. To help with this, the Malwarebytes iOS app will guide you through “how to fix” and assist with similar cases in the future.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Apple patches security vulnerabilities in iOS and iPadOS. Update now! 

After threatening to slash support for the CVE program, CISA threw MITRE a lifeline at the last minute — extending its government contract for another 11 months. After that, it looks like it's up to the private sector to find the cash to keep it going.

CVE Program Cuts Send the Cyber Sector Into Panic Mode

A stored cross-site scripting (XSS) vulnerability exists with radio button type custom fields in Liferay Portal 7.2.0 through 7.4.3.129, and Liferay DXP 2024.Q4.1 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.9, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, 7.3 GA through update 36, and 7.2 GA through fix pack 20 allows remote authenticated attackers to inject malicious JavaScript into a page.

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2025-3760

**Liferay Cross-site Scripting vulnerability**

Moderate severity GitHub Reviewed Published Apr 17, 2025 to the GitHub Advisory Database • Updated Apr 17, 2025

**Package**

maven com.liferay.portal:release.dxp.bom (Maven)

**Affected versions**

\>= 7.2.10.fp1, <= 7.2.10.fp20

\>= 7.3.10.ep1, <= 7.3.10.u36

\>= 7.4.13.u1, <= 7.4.13.u92

\>= 2023.Q3.1, <= 2023.Q3.10

\>= 2023.Q4.0, <= 2023.Q4.10

\>= 2024.Q1.1, <= 2024.Q1.12

\>= 2024.Q2.0, <= 2024.Q2.13

\>= 2024.Q3.1, <= 2024.Q3.9

\>= 2024.Q4.1, <= 2024.Q4.7

\>= 7.2.10, <= 7.2.10.8

\>= 7.3.10.0, <= 7.3.10.3

\= 7.4.13

**Patched versions**

2024.Q1.13

2024.Q3.10

2025.Q1.0

maven com.liferay.portal:release.portal.bom (Maven)

Published to the GitHub Advisory Database

Apr 17, 2025

Last updated

Apr 17, 2025

GHSA-qhp6-vp7c-g7xp: Liferay Cross-site Scripting vulnerability

The China-linked threat actor known as Mustang Panda has been attributed to a cyber attack targeting an unspecified organization in Myanmar with previously unreported tooling, highlighting continued effort by the threat actors to increase the sophistication and effectiveness of their malware.
This includes updated versions of a known backdoor called TONESHELL, as well as a new lateral movement

Mustang Panda Targets Myanmar With StarProxy, EDR Bypass, and TONESHELL Updates

The New Jersey attorney general claims Discord’s features to keep children under 13 safe from sexual predators and harmful content are inadequate.

Discord is facing a new lawsuit from the state of New Jersey, which claims that the chat app is engaged in “deceptive and unconscionable business practices” that put its younger users in danger.

The lawsuit, filed on Thursday, comes after a multiyear investigation by the New Jersey Office of Attorney General. The AG’s office claims it has uncovered evidence that, despite Discord’s policies to protect children and teens, the popular messaging app is putting youth “at risk.”

“We’re the first state in the country to sue Discord,” Attorney General Matthew Platkin tells WIRED.

Platkin says there were two catalysts for the investigation. One is personal: A few years ago, a family friend came to Platkin, astonished that his 10-year-old son was able to sign up for Discord, despite the platform forbidding children under 13 from registering.

The second was the mass-shooting in Buffalo, in neighboring New York. The perpetrator used Discord as his personal diary in the lead-up to the attack and livestreamed the carnage directly to the chat and video app. (The footage was quickly removed.)

“These companies have consistently, knowingly, put profit ahead of the interest and well-being of our children,” Platkin says.

The AG’s office claims in the lawsuit that Discord violated the state’s Consumer Fraud Act. The allegations, which were filed on Thursday morning, turn on a set of policies adopted by Discord to keep children younger than 13 off the platform and to keep teenagers safe from sexual exploitation and violent content. The lawsuit is just the latest in a growing list of litigation from states against major social media firms—litigation that has, thus far, proven fairly ineffective.

Discord’s child and teen safety policies are clear: Children under 13 are forbidden from the messaging app, while it more broadly forbids any sexual interaction with minors, including youth “self-endangerment.” It further has algorithmic filters operating to stop unwanted sexual direct messages. The California-based company’s safety policy, published in 2023, states, “We built Discord to be different and work relentlessly to make it a fun and safe space for teens.”

But New Jersey says “Discord’s promises fell, and continue to fall, flat.”

The attorney general points out that Discord has three levels of safety to prevent youth from unwanted and exploitative messages from adults: “Keep me safe,” where the platform scans all messages into a user’s inbox; “my friends are nice,” where it does not scan messages from friends; and “do not scan,” where it scans no messages.

Even for teenage users, the lawsuit alleges, the platform defaults to “my friends are nice.” The attorney general claims this is an intentional design that represents a threat to younger users. The lawsuit also alleges that Discord is failing by not conducting age verification to prevent children under 13 from signing up for the service.

In 2023, Discord added new filters to detect and block unwanted sexual content, but the AG’s office says the company should have enabled the “keep my safe” option by default.

“Consider me unimpressed by their PR campaign,” Platkin says. He contends that the new features are insufficient and easy to get around, and they are less than what the company has made available to users in other countries. “If you put lipstick on a pig,” he says, “it’s still a pig.”

Discord responded to WIRED's requests for comment after this story was published, writing that the company is “proud” of their efforts to protect children on their platform, and insists that they dispute the claims made in the lawsuit. “Given our engagement with the Attorney General's office, we are surprised by the announcement that New Jersey has filed an action against Discord today,” the statement reads.

“Together, these open design features and default settings make it so that anyone can gain direct, private access to a child user with just a few clicks,” the filings allege. Later, the AG goes further, writing that “Discord promised parents safety but made deliberate choices to design its Application and establish default settings that rendered those promises utterly meaningless.”

The lawsuit lists a half-dozen criminal cases where adults allegedly used Discord to lure and exploited children, including the case of 764, a digital far-right pedophile ring.

The lawsuit proposes several different remedies, including a court injunction requiring that Discord improve its safety features and possible financial penalties if it’s found to be failing to keep its users safe.

While this appears to be the first state-level lawsuit against Discord, a number of private law firms have taken aim at the company on similar grounds. In 2022, the family of a then-11-year-old girl filed a class action lawsuit against Discord, alleging that the platform failed to implement enough safeguards to prevent her exploitation by other users. A similar case was filed in California earlier this year. Both cases are ongoing.

But these lawsuits are growing more and more common: Meta, in particular, is facing two massive lawsuits, led by dozens of states, claiming it harmed its teenage users. A similar lawsuit was filed by a coalition of school boards in the Canadian province of Ontario. The European Union, meanwhile, has crafted a suite of regulations meant to tackle these externalities—but, thus far, it is having trouble getting the American tech giants to comply.

Platkin has filed a number of other lawsuits—most recently against TikTok—in an attempt to force social media giants to improve their child protection measures.

“They can’t knowingly put out a product that’s unsafe for kids,” Platkin says. “I don’t care if you’re a social media company, or an opioid manufacturer or any other company that’s telling the public your product is safe when it’s not. We’re going to hold the company accountable.”

Platkin says he’s hopeful that the Trump administration, which has indicated some willingness to go after major social media companies, is interested in keeping children safe—not just targeting supposed conservative censorship. “Hope springs eternal for me,” Platkin says.

_Updated at 3:05 pm ET: Added comment from Discord._

New Jersey Sues Discord for Allegedly Failing to Protect Children

Researchers reveal a large-scale ransomware campaign leveraging over 1,200 stolen AWS access keys to encrypt S3 buckets. Learn…

Researchers reveal a large-scale ransomware campaign leveraging over 1,200 stolen AWS access keys to encrypt S3 buckets. Learn how attackers used SSE-C silently and the key takeaways for cloud security.

Researchers have uncovered a security incident concerning Amazon Web Services (AWS). According to Cybernews’ report, shared with Hackread.com, ransomware attacks are being launched using 1,200 unique AWS access keys. Administrators using AWS S3 buckets (a type of cloud storage offered by AWS) find their files locked with a ransom note left behind.

Researchers reportedly discovered a database with over 158 million AWS secret key records, including 1,229 unique login credentials with “an Access Key ID and corresponding Secret Access Key” after removing duplicate entries. Some were no longer active, but allowed attackers to view S3 bucket contents and demand a ransom of 0.3 BTC (approximately $25,000).

What’s worse, data owners were not aware of the encryption incident because attackers used AWS S3’s feature called Server-Side Encryption with Customer-Provided Keys (SSE-C). This method allows users to provide their own encryption keys to encrypt data at rest.  In this case, the attackers generated their own strong encryption keys using a standard called AES-256 to lock the data.

This “silent compromise” technique, documented by the Halcyon RISE Team, did not trigger typical warnings or file deletion logs, and the storage bucket structure remained unchanged. Unlike double extortion attacks, the attackers did not steal data, but they may have set automatic deletion schedules within AWS to pressure victims to pay quickly. Some affected accounts were found to be running normally, suggesting some victims may not realise their data has been encrypted, researchers assessed.

According to the Cybernews report, cybersecurity researcher Bob Diachenko identified a coordinated extortion campaign that is both unprecedented and dangerous, as it relies solely on stolen keys rather than complex hacking techniques. This means that even newly created, empty backups could be at risk in future projects.

So, how could attackers gather such a large number of AWS keys?

Researchers believe that certain mistakes like putting secret login details into public code storage sites like GitHub, weaknesses in CI/CD tools like Jenkins, misconfigured private files in web applications, data breaches of developer tools or password managers, and old and unmonitored IAM user accounts with outdated credentials could be responsible or attackers possibly found hardcoded secrets in mobile applications.

Nevertheless, attackers’ identities are still unclear, and the entire operation appears to be automated. The ransom notes are found in a file titled “warning.txt.” Interestingly, each affected S3 bucket has its own unique note with a specific Bitcoin address for payment and an email address, awsdecrypttechie.com, for victims to contact them.

Cybernews has reported this security issue to AWS and is awaiting their response for further information. Meanwhile, to secure AWS storage, researchers advise that organisations immediately audit and update IAM credentials, implement AWS security services, scan for exposed secrets, enforce short-lived tokens and least privilege, and restrict SSE-C usage with detailed logging.

Mass Ransomware Campaign Hits S3 Buckets Using Stolen AWS Keys

If security tools are challenging to use, people will look for workarounds to get around the restrictions.

Latest News