#intel

Plus: A mysterious hacking group’s secret client is exposed, Signal takes a swipe at Microsoft Recall, Russian hackers target security cameras to spy on aid to Ukraine, and more.

Cofense Intelligence's May 2025 report exposes how cybercriminals are abusing legitimate Remote Access Tools (RATs) like ConnectWise and Splashtop to deliver malware and steal data. Learn about this growing threat.

Operation Endgame takes down DanaBot malware network; 300 servers neutralized, €21.2M in crypto seized, 16 charged, 20 international warrants.

Talos analyzed six months of PowerShell network telemetry and found that rare domains are over three times more likely to be malicious compared to frequently contacted ones.

Cybersecurity researchers have discovered an indirect prompt injection flaw in GitLab's artificial intelligence (AI) assistant Duo that could have allowed attackers to steal source code and inject untrusted HTML into its responses, which could then be used to direct victims to malicious websites. GitLab Duo is an artificial intelligence (AI)-powered coding assistant that enables users to write,

A buffer overflow vulnerability exists in the mstp.ko kernel module, responsible for processing BACnet MS/TP frames over serial (RS485). The SendFrame() function writes directly into a statically sized kernel buffer (alloc_entry(0x1f5)) without validating the length of attacker-controlled data (param_5). If an MS/TP frame contains a crafted payload exceeding 492 bytes, the function performs out-of-bounds writes beyond the allocated 501-byte buffer, corrupting kernel memory. This flaw allows local or physically connected attackers to trigger denial-of-service or achieve remote code execution in kernel space. Tested against version 3.08.03 with a custom BACnet frame over /dev/ttyS0.

ABB Cylon Aspect MIX's IPConfigServlet allows unauthenticated network config changes via the Host: 127.0.0.1 bypass, writing to /etc/hosts and config files. Attackers can redirect traffic (e.g. localhost to 1.2.3.4) or disrupt connectivity, amplifying impact with network restarts.

ABB Cylon Aspect MIX's NTPServlet allows NTP config changes via the Host: 127.0.0.1 bypass, writing attacker-controlled hosts to NTPTickers and syncing the system clock. A malicious NTP server can manipulate time, enabling DoS or time-based attacks.

ABB Cylon Aspect BMS/BAS is vulnerable to a critical flaw in the AuthenticatedHttpServlet within its application server, enabling remote attackers to bypass authentication by setting the Host: 127.0.0.1 header. This deceives the server into processing requests as if they originate from localhost, granting unauthorized access to privileged operations. This bypass grants access to privileged functionality, including the HTTPDownloadServlet, which is vulnerable to directory traversal. By leveraging this, an attacker can delete arbitrary PHP files outside the intended directory scope.

Multiple PHP and Java components across the system fail to properly sanitize user-supplied input before including it in application logs. In PHP, files like supervisorProxy.php directly embed values such as $_SERVER['REQUEST_URI'] and raw POST bodies into log messages without filtering, enabling attackers to inject arbitrary log entries using encoded newline characters. Similarly, Java classes using LoggerUtil.logger.* methods concatenate user-controlled strings like usernames and cookie keys into logs without validation. This systemic flaw allows for log forging, manipulating log content to obfuscate activity, insert misleading entries, or facilitate follow-up attacks.