The modern workplace has undergone a seismic transformation over recent years, with hybrid work becoming the norm and businesses rapidly adopting cloud-based Software-as-a-Service (SaaS) applications to facilitate it. SaaS applications like Microsoft 365 and Google Workspace have now become the backbone of business operations, enabling seamless collaboration and productivity. However, this

2025 State of SaaS Backup and Recovery Report

Google has launched a new feature called Identity Check for supported Android devices that locks sensitive settings behind biometric authentication when outside of trusted locations.
"When you turn on Identity Check, your device will require explicit biometric authentication to access certain sensitive resources when you're outside of trusted locations," Google said in a post announcing the

Android's New Identity Check Feature Locks Device Settings Outside Trusted Locations

PRESS RELEASE

LONDON, Jan. 20, 2025 /PRNewswire/ -- A new survey from Omdia reveals that phishing scams are the leading security threat for smartphone users, with 24% of respondents reporting they have fallen victim to these attacks. Phishing, which includes fraudulent texts, emails, or calls designed to trick individuals into revealing sensitive personal information, remains a significant concern as cybercriminals continue to exploit unsuspecting consumers.

Omdia surveyed 1,572 consumers across the Americas, Asia & Oceania, and Europe in October 2024 for the fourth annual Omdia Mobile Device Security Scorecard. The survey found that the next most common security issue was malware and viruses, followed by physical theft, such as pickpocketing, mugging, or snatching.

In Omdia's recent assessment of leading premium smartphones, Google's Pixel 9 Pro and Samsung's Galaxy S24 outperformed Apple's iPhone 16 Pro and other Android-based devices, including the OnePlus 12, Xiaomi 14, and Honor Magic 6 Pro. Anti-phishing protection proved to be a weak spot across all devices, as none successfully intercepted all phishing texts, calls and emails.  

Simulated spam calls revealed that all Android devices from Google, Xiaomi, OnePlus, Honor, and Samsung successfully flagged suspected spam calls before users answered, while the iPhone 16 Pro lacked similar voice call protection. 

None of the tested devices fully No device flagged simulated phishing emails from Gmail as phishing, only identifying them as spam when sent from Google's SMTP. 

Despite gaps in detecting phishing texts and emails, devices with Google Safe Browsing protections successfully blocked the link from opening, displaying a warning screen and requiring user confirmation to proceed. Performance across browsers varied significantly: Samsung Internet effectively blocked most links, including advanced custom URLs, while Xiaomi Mii and OnePlus Internet browsers failed to warn users about known malicious links, underscoring inconsistencies in Android device's security.

"The lack of security protection, particularly against the growing threat of phishing attacks, is eroding consumer trust," said Omdia Senior Analyst, Aaron West. "When consumers were asked if their trust following a security issue increased (due to how well the issue was handled) or decreased, 73% reported they had reduced trust in the smartphone brand and operating system developer."  

"Despite the latest protections in place by some manufacturers, it is difficult to protect 100% against phishing attempts, highlighting the severity of the issue and potential impact to consumers. That said, smartphone manufacturers can (demonstrated by the more advanced phishing protection capabilities available) and should have a better baseline of phishing protection – such as voice call protection, and all Android devices making use of Google's Safe Browsing protections," said Hollie Hennessy, Principal Analyst, Omdia. "This needs to be paired with awareness activity from manufacturers and the wider industry to help consumers be vigilant and prepared".

ABOUT OMDIA

Omdia, part of Informa TechTarget, Inc. (Nasdaq: TTGT), is a technology research and advisory group. Our deep knowledge of tech markets combined with our actionable insights empower organizations to make smart growth decisions.

Omdia Finds Phishing Attacks Top Smartphone Security Concern for Consumers

iPhones are being offered for sale with TikTok installed after the US ban caused the app to disappear from the app stores.

After TikTok was briefly banned in the US last weekend, an unusual phenomenon unearthed. Reportedly, people are selling iPhones that have TikTok installed for up to $25,000.

This may require some explanation, so bear with me.

TikTok has had a rough time in the US the last weeks. The ban we mentioned originates from back in March, when the House of Representatives passed a bill that would effectively ban TikTok from the US unless Chinese owner ByteDance agreed to give up its share of the immensely popular app.

Despite an overruled emergency injunction to stop or postpone the planned ban on the platform in the US, the ban took effect on January 19.

But TikTok’s messaging was clear, they were coming back.

> “Sorry TikTok isn’t available right now
> 
> A law banning TikTok has been enacted in the U.S. Unfortunately that means you can’t Use TikTok for now.
> 
> We are fortunate that President Trump has indicated that he will work with us on a solution to reinstate TikTok once he takes office. Please stay tuned!

And it was indeed back for millions of US users as of January 19 and 20. That is to say, for those that had the app installed.

Update 3

> Welcome back!
> 
> Thanks for your patience and support. As a result of President Trump’s efforts, TikTok is back in the U.S.!
> 
> You can continue to create, share, and discover all the thing you love on TikTok.

However, anyone that deleted or never had the app installed are unable to download it as the Apple and Google app stores in the US still don’t have it available. And despite an executive order to delay enforcing the ban, it is unclear when it will be available for download again.

**Second hand iPhones for sale**

Some people have seized on this as a money-making opportunity, selling their iPhones for thousands of dollars on eBay. But is that a smart thing to do?

According to Apple’s Support pages, there is a recommended procedure to follow before you sell, give away, or trade in your iPhone or iPad. One of those steps is to **Erase All Content and Settings**. From that page:

> “When you tap **Erase All Content and Settings**, it completely erases your device, including any credit or debit cards you added for Apple Pay and any photos, contacts, music, or apps. It will also turn off iCloud, iMessage, FaceTime, Game Center, and other services. Your content won’t be deleted from iCloud when you erase your device.”

If you want to leave an app like TikTok behind, you will have to manually erase all the other items on that list to make sure the buyer will not get hold of other private information about you. This is tough to do and is highly likely you would leave some of your data behind.

If you’re considering buying a second hand iPhone so you can use TikTok, how can you be sure that TikTok is the only thing that’s left behind? I wouldn’t put it past cybercriminals to sell devices they can still access, or even malware.

Another bad idea is to roam the internet for unofficial TikTok apps (in the form of IPA or APK files). Installing an unsigned app requires a jailbreak and it can pose significant risks to your device and personal data. Files from unreliable sources may contain malware, spyware, or information stealers and, once installed, these malicious programs can compromise your device’s security.

My advice would be to exercise some patience. TikTok may well reappear in app stores or it’ll be completely removed from access, so everyone will be in the same boat.

**We don’t just report on threats – we help protect your social media**

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Malwarebytes Identity Theft Protection.

 Warning: Don&#8217;t sell or buy a second hand iPhone with TikTok already installed 

Now-fixed web bugs allowed hackers to remotely unlock and start any of millions of Subarus. More disturbingly, they could also access at least a year of cars’ location histories—and Subaru employees still can.

About a year ago, security researcher Sam Curry bought his mother a Subaru, on the condition that, at some point in the near future, she let him hack it.

It took Curry until last November, when he was home for Thanksgiving, to begin examining the 2023 Impreza's internet-connected features and start looking for ways to exploit them. Sure enough, he and a researcher working with him online, Shubham Shah, soon discovered vulnerabilities in a Subaru web portal that let them hijack the ability to unlock the car, honk its horn, and start its ignition, reassigning control of those features to any phone or computer they chose.

Most disturbing for Curry, though, was that they found they could also track the Subaru's location—not merely where it was at the moment but also where it had been for the entire year that his mother had owned it. The map of the car’s whereabouts was so accurate and detailed, Curry says, that he was able to see her doctor visits, the homes of the friends she visited, even which exact parking space his mother parked in every time she went to church.

A year of location data for Sam Curry’s mother’s 2023 Subaru Impreza that Curry and Shah were able to access in Subaru’s employee admin portal thanks to its security vulnerabilities.

Screenshot Courtesy of Sam Curry

“You can retrieve at least a year's worth of location history for the car, where it's pinged precisely, sometimes multiple times a day,” Curry says. “Whether somebody's cheating on their wife or getting an abortion or part of some political group, there are a million scenarios where you could weaponize this against someone.”

Curry and Shah today revealed in a blog post their method for hacking and tracking millions of Subarus, which they believe would have allowed hackers to target any of the company's vehicles equipped with its digital features known as Starlink in the US, Canada, or Japan. Vulnerabilities they found in a Subaru website intended for the company's staff allowed them to hijack an employee's account to both reassign control of cars’ Starlink features and also access all the vehicle location data available to employees, including the car’s location every time its engine started, as shown in their video below.

Curry and Shah reported their findings to Subaru in late November, and Subaru quickly patched its Starlink security flaws. But the researchers warn that the Subaru web vulnerabilities are just the latest in a long series of similar web-based flaws they and other security researchers working with them have found that have affected well over a dozen carmakers, including Acura, Genesis, Honda, Hyundai, Infiniti, Kia, Toyota, and many others. There’s little doubt, they say, that similarly serious hackable bugs exist in other auto companies' web tools that have yet to be discovered.

In Subaru's case, in particular, they also point out that their discovery hints at how pervasively those with access to Subaru's portal can track its customers' movements, a privacy issue that will last far longer than the web vulnerabilities that exposed it. “The thing is, even though this is patched, this functionality is still going to exist for Subaru employees,” Curry says. “It's just normal functionality that an employee can pull up a year's worth of your location history.”

When WIRED reached out to Subaru for comment on Curry and Shah's findings, a spokesperson responded in a statement that “after being notified by independent security researchers, \[Subaru\] discovered a vulnerability in its Starlink service that could potentially allow a third party to access Starlink accounts. The vulnerability was immediately closed and no customer information was ever accessed without authorization.”

The Subaru spokesperson also confirmed to WIRED that “there are employees at Subaru of America, based on their job relevancy, who can access location data." The company offered as an example that employees have that access to share a vehicle's location with first responders in the case when a collision is detected. “All these individuals receive proper training and are required to sign appropriate privacy, security, and NDA agreements as needed,” Subaru's statement added. “These systems have security monitoring solutions in place which are continually evolving to meet modern cyber threats.”

Responding to Subaru's example of notifying first responders about a collision, Curry notes that would hardly require a year's worth of location history. The company didn't respond to WIRED asking how far back it keeps customers' location histories and makes them available to employees.

Shah and Curry's research that led them to the discovery of Subaru's vulnerabilities began when they found that Curry's mother's Starlink app connected to the domain SubaruCS.com, which they realized was an administrative domain for employees. Scouring that site for security flaws, they found that they could reset employees' passwords simply by guessing their email address, which gave them the ability to take over any employee's account whose email they could find. The password reset functionality did ask for answers to two security questions, but they found that those answers were checked with code that ran locally in a user's browser, not on Subaru's server, allowing the safeguard to be easily bypassed. “There were really multiple systemic failures that led to this,” Shah says.

The two researchers say they found the email address for a Subaru Starlink developer on LinkedIn, took over the employee's account, and immediately found that they could use that staffer's access to look up any Subaru owner by last name, zip code, email address, phone number, or license plate to access their Starlink configurations. In seconds, they could then reassign control of the Starlink features of that user's vehicle, including the ability to remotely unlock the car, honk its horn, start its ignition, or locate it, as shown in the video below.

Those vulnerabilities alone, for drivers, present serious theft and safety risks. Curry and Shah point out that a hacker could have targeted a victim for stalking or theft, looked up someone's vehicle's location, then unlocked their car at any time—though a thief would have to somehow also use a separate technique to disable the car's immobilizer, the component that prevents it from being driven away without a key.

Those car hacking and tracking techniques alone are far from unique. Last summer, Curry and another researcher, Neiko Rivera, demonstrated to WIRED that they could pull off a similar trick with any of millions of vehicles sold by Kia. Over the prior two years, a larger group of researchers, of which Curry and Shah are a part, discovered web-based security vulnerabilities that affected cars sold by Acura, BMW, Ferrari, Genesis, Honda, Hyundai, Infiniti, Mercedes-Benz, Nissan, Rolls Royce, and Toyota.

More unusual in Subaru's case, Curry and Shah say, is that they were able to access fine-grained, historical location data for Subarus going back at least a year. Subaru may in fact collect multiple years of location data, but Curry and Shah tested their technique only on Curry's mother, who had owned her Subaru for about a year.

Curry argues that Subaru's extensive location tracking is a particularly disturbing demonstration of the car industry's lack of privacy safeguards around its growing collection of personal data on drivers. “It's kind of bonkers,” he says. “There's an expectation that a Google employee isn't going to be able to just go through your emails in Gmail, but there's literally a button on Subaru's admin panel that lets an employee view location history.”

The two researchers’ work contributes to a growing sense of concern over the enormous amount of location data that car companies collect. In December, information a whistleblower provided to the German hacker collective the Chaos Computer Computer and Der Spiegel revealed that Cariad, a software company that partners with Volkswagen, had left detailed location data for 800,000 electric vehicles publicly exposed online. Privacy researchers at the Mozilla Foundation in September warned in a report that “modern cars are a privacy nightmare,” noting that 92 percent give car owners little to no control over the data they collect, and 84 percent reserve the right to sell or share your information. (Subaru tells WIRED that it “does not sell location data.”)

“While we worried that our doorbells and watches that connect to the internet might be spying on us, car brands quietly entered the data business by turning their vehicles into powerful data-gobbling machines,” Mozilla's report reads.

Curry and Shah's discovery of Subaru's security vulnerabilities in its tracking demonstrate a particularly egregious exposure of that data—but also a privacy problem that's hardly less disturbing now that the vulnerabilities are patched, says Robert Herrell, the executive director of the Consumer Federation of California, which has sought to create legislation for limiting car's data tracking.

“It seems like there are a bunch of employees at Subaru that have a scary amount of detailed information,” Herrell says. “People are being tracked in ways that they have no idea are happening.”

_Update 4:23 pm EST, January 23, 2025: The article's subheadline has been updated to clarify the scope of the researcher's work._

Subaru Security Flaws Exposed Its System for Tracking Millions of Cars

Google on Wednesday shed light on a financially motivated threat actor named TRIPLESTRENGTH for its opportunistic targeting of cloud environments for cryptojacking and on-premise ransomware attacks.
"This actor engaged in a variety of threat activity, including cryptocurrency mining operations on hijacked cloud resources and ransomware activity," the tech giant's cloud division said in its 11th

TRIPLESTRENGTH Hits Cloud for Cryptojacking, On-Premises Systems for Ransomware

The payment card giant MasterCard just fixed a glaring error in its domain name server settings that could have allowed anyone to intercept or divert Internet traffic for the company by registering an unused domain name. The misconfiguration persisted for nearly five years until a security researcher spent $300 to register the domain and prevent it from being grabbed by cybercriminals.

The payment card giant **MasterCard** just fixed a glaring error in its domain name server settings that could have allowed anyone to intercept or divert Internet traffic for the company by registering an unused domain name. The misconfiguration persisted for nearly five years until a security researcher spent $300 to register the domain and prevent it from being grabbed by cybercriminals.

A DNS lookup on the domain az.mastercard.com on Jan. 14, 2025 shows the mistyped domain name a22-65.akam.ne.

From June 30, 2020 until January 14, 2025, one of the core Internet servers that MasterCard uses to direct traffic for portions of the mastercard.com network was misnamed. MasterCard.com relies on five shared Domain Name System (DNS) servers at the Internet infrastructure provider **Akamai** \[DNS acts as a kind of Internet phone book, by translating website names to numeric Internet addresses that are easier for computers to manage\].

All of the Akamai DNS server names that MasterCard uses are supposed to end in “akam.net” but one of them was misconfigured to rely on the domain “**akam.ne**.”

This tiny but potentially critical typo was discovered recently by **Philippe Caturegli**, founder of the security consultancy Seralys. Caturegli said he guessed that nobody had yet registered the domain akam.ne, which is under the purview of the top-level domain authority for the West Africa nation of Niger.

Caturegli said it took $300 and nearly three months of waiting to secure the domain with the registry in Niger. After enabling a DNS server on akam.ne, he noticed hundreds of thousands of DNS requests hitting his server each day from locations around the globe. Apparently, MasterCard wasn’t the only organization that had fat-fingered a DNS entry to include “akam.ne,” but they were by far the largest.

Had he enabled an email server on his new domain akam.ne, Caturegli likely would have received wayward emails directed toward mastercard.com or other affected domains. If he’d abused his access, he probably could have obtained website encryption certificates (SSL/TLS certs) that were authorized to accept and relay web traffic for affected websites. He may even have been able to passively receive Microsoft Windows authentication credentials from employee computers at affected companies.

But the researcher said he didn’t attempt to do any of that. Instead, he alerted MasterCard that the domain was theirs if they wanted it, copying this author on his notifications. A few hours later, MasterCard acknowledged the mistake, but said there was never any real threat to the security of its operations.

“We have looked into the matter and there was not a risk to our systems,” a MasterCard spokesperson wrote. “This typo has now been corrected.”

Meanwhile, Caturegli received a request submitted through **Bugcrowd**, a program that offers financial rewards and recognition to security researchers who find flaws and work privately with the affected vendor to fix them. The message suggested his public disclosure of the MasterCard DNS error via a post on LinkedIn (after he’d secured the akam.ne domain) was not aligned with ethical security practices, and passed on a request from MasterCard to have the post removed.

MasterCard’s request to Caturegli, a.k.a. “Titon” on infosec.exchange.

Caturegli said while he does have an account on Bugcrowd, he has never submitted anything through the Bugcrowd program, and that he reported this issue directly to MasterCard.

“I did not disclose this issue through Bugcrowd,” Caturegli wrote in reply. “Before making any public disclosure, I ensured that the affected domain was registered to prevent exploitation, mitigating any risk to MasterCard or its customers. This action, which we took at our own expense, demonstrates our commitment to ethical security practices and responsible disclosure.”

Most organizations have at least two authoritative domain name servers, but some handle so many DNS requests that they need to spread the load over additional DNS server domains. In MasterCard’s case, that number is five, so it stands to reason that if an attacker managed to seize control over just one of those domains they would only be able to see about one-fifth of the overall DNS requests coming in.

But Caturegli said the reality is that many Internet users are relying at least to some degree on public traffic forwarders or DNS resolvers like **Cloudflare** and **Google**.

“So all we need is for one of these resolvers to query our name server and cache the result,” Caturegli said. By setting their DNS server records with a long TTL or “Time To Live” — a setting that can adjust the lifespan of data packets on a network — an attacker’s poisoned instructions for the target domain can be propagated by large cloud providers.

“With a long TTL, we may reroute a LOT more than just 1/5 of the traffic,” he said.

The researcher said he’d hoped that the credit card giant might thank him, or at least offer to cover the cost of buying the domain.

“We obviously disagree with this assessment,” Caturegli wrote in a follow-up post on LinkedIn regarding MasterCard’s public statement. “But we’ll let you judge— here are some of the DNS lookups we recorded before reporting the issue.”

Caturegli posted this screenshot of MasterCard domains that were potentially at risk from the misconfigured domain.

As the screenshot above shows, the misconfigured DNS server Caturegli found involved the MasterCard subdomain **az.mastercard.com**. It is not clear exactly how this subdomain is used by MasterCard, however their naming conventions suggest the domains correspond to production servers at Microsoft’s **Azure** cloud service. Caturegli said the domains all resolve to Internet addresses at Microsoft.

“Don’t be like Mastercard,” Caturegli concluded in his LinkedIn post. “Don’t dismiss risk, and don’t let your marketing team handle security disclosures.”

One final note: The domain akam.ne has been registered previously — in December 2016 by someone using the email address um-i-delo@yandex.ru. The Russian search giant Yandex reports this user account belongs to an “Ivan I.” from Moscow. Passive DNS records from DomainTools.com show that between 2016 and 2018 the domain was connected to an Internet server in Germany, and that the domain was left to expire in 2018.

This is interesting given a comment on Caturegli’s LinkedIn post from an ex-Cloudflare employee who linked to a report he co-authored on a similar typo domain apparently registered in 2017 for organizations that may have mistyped their AWS DNS server as “**awsdns-06.ne**” instead of “**awsdns-06.net**.” DomainTools reports that this typo domain also was registered to a Yandex user (playlotto@yandex.ru), and was hosted at the same German ISP — Team Internet (AS61969).

MasterCard DNS Error Went Unnoticed for Years

The advanced persistent threat (APT) group is likely India-based and targeting individuals with connections to the country's intelligence community.

Source: SROOLOVE via Shutterstock

Advanced persistent threat group "DONOT Team" is leveraging two nearly identical Android applications to conduct intelligence-gathering operations targeting individuals and groups in India who appear to be of national security interest to the country.

The "Tanzeem" and "Tanzeem Update" apps purport to be chat apps but do not work as advertised. Instead, once installed on a system they prompt the user to turn on the device's accessibility feature and grant access to several easily misused permissions. The apps then shut down and proceed to stealthily harvest information from the compromised device, according to researchers at Cyfirma, who recently spotted the new DONOT campaign.

**Intelligence Gathering and Beyond**

"The ongoing efforts by the notorious DONOT APT extend beyond gathering intelligence on internal threats; they have also targeted various organizations in South Asia," Cyfirma noted in a blog post on Jan. 17. The goal appears to be to collect intelligence of strategic importance to India, the security vendor said.

Cyfirma's analysis of Tanzeem and Tanzeem Update showed the apps using OneSignal, a popular customer engagement platform, to send push notifications to users who install either app on their devices. OneSignal basically allows developers and businesses to send in-app messages, emails, and SMS messages to users across mobile devices, Web browsers, desktop apps, and other platforms.

When a user installs Tanzeem or Tanzeem Update on their device, they receive a push notification via OneSignal that prompts them to start a fake chat. Users tricked into clicking on the "Start Chat" prompt receive a subsequent prompt asking them to enable Android accessibility services to use the app. The victim is then directed to the accessibility settings page from which the app accesses several dangerous permissions. These include permissions that allow the two malicious Android apps to read and fetch call logs from the compromised device; to read and fetch contact information; and to search for and fetch data from the file manager.

Researchers at Cyfirma also found the apps to access several other permissions such as those that allow the threat actor to delete and read both incoming and outgoing text messages. They also can access the Android device's internal storage to extract its exact location and monitor its movement on a real-time basis.

Significantly, Cyfirma found the malicious apps using push notifications to try and get victims to install additional malicious payloads on compromised devices to ensure persistence. "This tactic enhances the malware's ability to remain active on the targeted device, indicating the threat group's evolving intentions to continue participating in intelligence gathering for national interests," Cyfirma noted.

**A Persistent South Asian Threat**

DONOT Team, which some vendors track as APT-C-35, SectorE02, and Viceroy Tiger, is a threat group with a likely nexus to India that has been operational since at least 2016. Several vendors have associated the group with attacks and data theft campaigns targeting entities in South Asia. In November 2024, Cyble linked DONOT Team to a campaign targeting manufacturing companies in Pakistan associated with the country's defense and maritime industries.

Others, such as ESET have reported on DONOT Team using sophisticated Windows and Android malware in espionage campaigns targeting organizations in Sri Lanka, Bangladesh, Pakistan, and Nepal. In 2023, Cyfirma reported finding three malicious Android apps on Google's Play store that the threat actor used against targeted individuals in Kashmir and Pakistan.

DONOT Team is one of several APT groups believed to be operating out of India that is engaged in a range of malicious activities, including online extortion scams, hacktivism, and increasingly, cyber espionage and surveillance. Security experts believe that at least some of the activity is tied to geopolitical tensions in the region and to a broader growth in all kinds of cybercrime in South Asia in recent years.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

DONOT Group Deploys Malicious Android Apps in India

Specops 2025 Breached Password Report reveals over 1 billion passwords stolen by malware in the past year, exposing…

Specops 2025 Breached Password Report reveals over 1 billion passwords stolen by malware in the past year, exposing weak practices, malware trends, and security gaps.

Cybersecurity researchers at Specops are delivering a global wake-up call over a major password-related issue: over 1 billion **passwords** were stolen by malware in the past year. According to Specops Software’s 2025 Specops Breached Password Report shared with Hackread.com ahead of its publishing on Tuesday, millions of stolen passwords met standard complexity requirements. The report also highlights the prevalence of malware stolen credentials, with over a billion found in the last 12 months.

The Report’s Key Findings:

*   Despite meeting common complexity requirements (length, uppercase, numbers, symbols), 230 million stolen passwords were still compromised.

*   Common weak passwords like “123456” and “admin” continue to plague systems, revealing a significant gap in user awareness and education.

*   Common base terms like “qwerty,” “guest,” and “student” are frequently used as password foundations.

*   **Redline, Vidar, and Raccoon Stealer** emerged as the top three credential-stealing malware, demonstrating the sophistication and persistence of these threats. These sophisticated malware strains actively target and steal credentials from various sources, including web browsers, email clients, and even VPN clients. Check out Hackread.com’s detailed analysis of these malware **here**.

*   The “malware-as-a-service” model, where cybercriminals rent out these tools, has increased the accessibility and availability of these powerful attack vector.

The **report** highlights the ongoing struggle which unsuspecting users and organizations face in addressing weak password practices, with end users still creating short, weak passwords despite knowing the risks.

Via Specops

Users often employ the same or slightly modified passwords across multiple accounts, including work, personal, and online services, which is a risky practice as reusing work passwords on personal devices and less secure platforms significantly increases the potential for compromise. A single breach on a less secure platform can compromise access to sensitive corporate systems, including Active Directory and **VPNs**.

Moreover, **stolen credentials** provide attackers with direct access to valuable data, including personal information, financial records, and corporate secrets. These credentials can be used to launch further attacks, such as phishing campaigns and more sophisticated breaches, enabling attackers to gain deeper access to organizational systems.  

> _“The amount of passwords being stolen by malware should be a concern for organizations. Even if your organization’s password policy is strong and meets compliance standards, this won’t protect passwords from being stolen by malware.”_
> 
> Darren James, Senior Product Manager – Specops Software.

Considering these dangerous implications, security experts recommend organizations implement stronger password policies and regularly scan Active Directory for compromised passwords for immediate remediation. Educating users about weak passwords, and staying updated on threats and vulnerabilities to defend against emerging attacks is essential. Lastly, implement Multi-Factor Authentication (MFA) to add an extra layer of security beyond passwords.

1.  **Google Makes Passkeys Default for All Users**
2.  **Why Browser Security Matters More Than You Think**
3.  **Are We on the Brink of Saying Goodbye to Passwords?**
4.  **Pop Culture Passwords Most Likely to Get You Hacked**
5.  **Nissan source code leaked, it used “admin” as username, password**

Redline, Vidar and Raccoon Malware Stole 1 Billion Passwords in 2024

Millions of devices, including home routers, VPN servers, and CDNs are vulnerable to exploitation due to critical flaws…

Millions of devices, including home routers, VPN servers, and CDNs are vulnerable to exploitation due to critical flaws in common tunnelling protocols like IPIP, GRE, and 6in4/4in6. Learn how these vulnerabilities can be exploited for malicious attacks and how to protect your devices.

New vulnerabilities in multiple tunnelling protocols (IPIP/IP6IP6, GRE/GRE6, 4in6, 6in4) have been discovered by Top10VPN in collaboration with security researcher Mathy Vanhoef. These vulnerabilities allow attackers to hijack affected internet hosts to perform anonymous attacks and gain unauthorized network access. 

A large-scale internet scan identified 4.2 million open tunnelling hosts. This includes critical infrastructure such as VPN servers, home routers, core internet routers, mobile network gateways, and even content delivery networks (CDNs) operated by major players like Facebook and Tencent. Vulnerable hosts can enable a range of attacks, including new DoS techniques and DNS spoofing. The identified vulnerabilities include CVE-2024-7595, CVE-2025-23018/23019, and CVE-2024-7596.

The most affected countries are China, France, Japan, the U.S., and Brazil. Over 11,000 autonomous systems (AS) have been impacted, with Softbank, Eircom, Telmex, and China Mobile being the most affected.

The vulnerabilities stem from many internet hosts accepting tunneling traffic without verifying the sender’s identity. This lack of authentication allows attackers to exploit these hosts as proxies for malicious activities. 

“These hosts accept unauthenticated tunneling traffic from any source. This means they can be abused as one-way proxies to perform a range of anonymous attacks. Vulnerable hosts can also potentially be abused to gain access to victims’ private networks,” Top10VPN’s researcher and report author Simon Migliano noted.

Specifically, attackers can manipulate these hosts to send traffic on their behalf, concealing their true origin and making it difficult to trace attacks back to them. In some cases, attackers might be able to exploit these vulnerabilities to gain access to private networks connected to the hijacked host.

Tunneling protocols, such as IPIP, GRE, and 6in4/4in6, play a crucial role in modern networking, enabling seamless communication across diverse networks. However, many devices utilizing these protocols lack proper authentication and encryption, leaving them vulnerable to exploitation. 

According to Top10VPN’s report, at least 1,365 vulnerable VPN servers were identified, including consumer VPNs, routers with remote access features, and business VPNs. AoxVPN, a service with over a million users, was among those with vulnerabilities.

Additionally, around 1,200 vulnerable dynamic DNS routers, primarily Synology models offering remote access via VPN Plus Server, were detected. And, 171 company VPN servers were exposed, mainly using the GRE protocol, belonging to businesses and organizations in 33 countries, with the United States, China, and Hong Kong being the most affected. Over 17% of vulnerable devices were Free ISP’s home routers in France, which accepted unauthenticated traffic.

Furthermore, researchers discovered novel attack methods, such as “Ping-pong Amplification” and “Tunneled-Temporal Lensing,” which leverage these vulnerabilities to launch powerful Denial-of-Service (DoS) attacks. These vulnerabilities can also amplify the impact of existing attacks, such as DNS spoofing, traditional amplification DoS attacks, off-path TCP hijacking, SYN floods, and certain WiFi attacks.

The research highlights the need for enhanced security measures in these protocols to mitigate risks and ensure the reliability of our interconnected world. Proactive measures, including regular security audits, software updates, and increased awareness among system administrators and end-users, are also important for identifying and patching vulnerable devices.

1.  **Millions of websites using CDNs at risk of CPDoS attack**
2.  **DNS Tunneling Used for Stealthy Scans and Email Tracking**
3.  **GoogleUserContent CDN Hosting Images Infected with Malware**
4.  **Fake GlobalProtect VPN Downloads Spread WikiLoader Malware**
5.  **Millions of Email Servers Exposed Due to Missing TLS Encryption**

Tag

#google