Microsoft has revealed that a threat actor it tracks as Storm-1977 has conducted password spraying attacks against cloud tenants in the education sector over the past year.
"The attack involves the use of AzureChecker.exe, a Command Line Interface (CLI) tool that is being used by a wide range of threat actors," the Microsoft Threat Intelligence team said in an analysis.
The tech giant noted that

Storm-1977 Hits Education Clouds with AzureChecker, Deploys 200+ Crypto Mining Containers

A critical vulnerability (CVE-2025-31324) in SAP NetWeaver Visual Composer puts systems at risk of full compromise. Learn how…

A critical vulnerability (CVE-2025-31324) in SAP NetWeaver Visual Composer puts systems at risk of full compromise. Learn how to check if your SAP Java systems are affected and the immediate steps to take.

A serious security vulnerability, identified as CVE-2025-31324, was discovered in SAP NetWeaver’s Visual Composer development server. This critical issue, scoring a perfect 10.0 in severity, stems from a missing check that should verify if a user has the correct permissions and is being actively exploited, reveals a report from Onapsis Threat Intelligence. 

Research reveals that the flaw is active on between 50% and 70% of existing SAP NetWeaver Application Server Java systems, even though it’s not automatically installed.

Reportedly, the vulnerability, first documented by ReliaQuest, exists in the “developmentserver” part of the SAP Visual Composer, a component of SAP NetWeaver 7.xx, designed to create business tools without writing code.

The problem occurs because the system doesn’t properly check if someone accessing the Metadata Uploader feature is actually allowed to do so. This lack of proper authentication and authorization allows unlogged users to access powerful functions.

On April 22nd, ReliaQuest observed suspicious activity on patched SAP NetWeaver servers, suggesting attackers might have been using a different, unknown vulnerability. On the same day, SAP acknowledged unusual files being found on SAP NetWeaver Java systems, as described in their knowledge base article SAP KBA 3593336. On April 24th, SAP released a FAQ document (SAP Note 3596125) confirming that files with extensions like ‘.jsp’, ‘.java’, or ‘.class’ found in specific folders like …\\irj\\root, …\\irj\\work, and …\\irj\\work\\sync are likely malicious. 

Finally, on April 24th, SAP officially announced CVE-2025-31324, clearly stating it was due to a “Missing Authorization check in SAP NetWeaver (Visual Composer development server)”. They confirmed that the root cause is a lack of proper permission checks, allowing unauthorized individuals to upload dangerous executable files and an out-of-band emergency NetWeaver update has been released.

This flaw, classified as a Missing Authorization issue (CWE-862) or Missing Authentication for Critical Function (CWE-306), poses a significant risk of system takeover if exploited, which is why it has earned the highest severity score.

It can be remotely exploited using standard web communication methods (HTTP/HTTPS). Security experts have observed that attackers are targeting a specific web address: /developmentserver/metadatauploader, by sending specially crafted requests and since no login or authentication is needed to carry out an attack, anyone, even without an account, could interact with the system’s vulnerable part and upload any file.

According to Onapsis’s blog post, malicious code files called webshells titled “helper.jsp” or “cache.jsp” are already being uploaded, allowing attackers to execute commands with high-level permissions as software administrators (<sid>adm) and obtaining full control over SAP resources.

> _“Threat actors have been observed uploading web shells to vulnerable systems. These webshells allow the threat actor to execute arbitrary commands in the system context, with the privileges of the adm Operating System user, giving them full access to all SAP Resources.”_
> 
> Juan Perez-Etchegoyen – CTO at Onapsis

SAP urges customers to promptly assess their risk by checking for Java systems, the presence and version of the VCFRAMEWORK component (especially if older than 7.5 or specifically 7.0 with a support package below 16), as the vulnerable component might not be present in basic Java stack or default Solution Manager installations. Implementing the official fix is the only solution to mitigate this risk.

Benjamin Harris, CEO of Attack Surface Management firm watchTowr, warned that unauthenticated attackers are actively exploiting a vulnerability in SAP NetWeaver to upload arbitrary files, leading to full system compromise.

“This isn’t theoretical, it’s happening now,” Harris said, noting that attackers are planting web shell backdoors to deepen their access. He urged immediate patching via SAP Security Note 3594142, emphasizing, “If you thought you had time, you don’t.” Harris added that watchTowr clients were alerted to exposures within 12 hours, thanks to the platform’s rapid detection capabilities.

SAP NetWeaver Flaw Scores 10.0 Severity as Hackers Deploy Web Shells

Software development is about to undergo a generative change. What this means is that AI (Artificial Intelligence) has…

Software development is about to undergo a generative change. What this means is that AI (Artificial Intelligence) has the potential to make developers more productive, as three systems on the market already provide this: GitHub Copilot, Anthropic’s Claude and OpenAI’s ChatGPT.

Hence, every developer, no matter if he or she specializes in AI or not, needs to understand and realize that as this technology is advancing so rapidly, any of us needs to know what it is, why it is relevant, and how to use it.

In this article, we will explain what generative AI exactly is, what functionality current systems bring, why it is going to be ubiquitous for developers, and tips on how to start working with it. Additionally, we’ll bust some of the generative AI replacement of developers altogether. Acquiring this new tool and doing so while not becoming too attached to it will give technology an advantage over other forms of technology.

****What is Generative AI?****

Machine learning systems that generate digital content, novel and of high-quality on-demand are generative AI. It includes anything from images, audio, and video to text as well as computer code and companies are increasingly turning to generative AI development services to harness their full potential.

In contrast to the analysis most AI has been focused on to date (categorizing existing data), generative models create brand-new artefacts. Advances in deep learning have enabled them to take in enormous datasets and to build an understanding to generate outputs that have never been seen before.

Prominent examples include DALL-E 3 for images, Jasper for audio, and GitHub Copilot for code. These models can take in a text prompt and return a relevant, realistic output in seconds without manual programming.

****Current Capabilities for Developers****

For programmers specifically, generative AI promises to boost their productivity. Modern systems can suggest entire code functions or applications based on English descriptions to save developers time and reduce bugs.

GitHub Copilot, for example, is a plugin for code editors like VS Code. As a developer writes a function, Copilot can suggest full implementations by analyzing existing code and understanding the English context. It can complete boilerplate code, debug issues, integrate APIs, and more.

Claude 3.7, Anthropic’s writing assistant, offers interactions that fall into the same category as writing assistants. Conversing with an AI in plain English to translate ideas into code in code. You can give an application what to do, walk through examples, ask questions to clarify, and Claude gives you runnable programs.

Such early examples show how generative AI accepts natural language rather than rigid, fixed rules as older technologies were; it is based on accepting natural language as input. With this, it is more intuitive and even accessible.

****Why Every Developer Should Care****

Even if you don’t specialize in AI, there are compelling reasons all technologists should closely monitor advancements in generative models:

It will become ubiquitous whether you like it or not

There is too much momentum and progress for generative AI not to infiltrate software workflows. OpenAI alone recently received nearly $750 million from Microsoft, plus more from other tech giants using its systems. With so much investment, expect rapid improvements.

It will make you more productive

Studies on Copilot show it can boost developer velocity by at least 30% once accustomed to the workflow. You don’t want competitors leveraging generative AI to build faster while you code manually.

It reduces simple but time-consuming tasks

No developer enjoys manually writing boilerplate code, documentation, tests, etc. But these tasks still take up a lot of time. Generative AI can autogenerate these routine but necessary functions to focus human efforts on complex problem-solving.

It handles legacy systems, so you don’t have to

Generative models are great for working with legacy systems. They integrate easily with outdated codebases, protocols and architectures that human engineers don’t want to work with. This allows you to build new solutions as opposed to keeping old ones.

It makes you a 2x engineer

Conceptual breakthroughs are created by outstanding developers and used to have an impact across the board. Generative AI’s power is that any engineer can create any logic in reality at least 2x faster (PDF). This technology enables world-changing applications to be brought to market today instead of months or years from now.

****How To Prepare as a Developer****

Generative AI will soon be a basic skill for professional engineers, like using IDEs or version control. Here are key ways to get ahead of the curve:

*   Experiment with GitHub Copilot, Claude, and related playgrounds. Get firsthand experience prompts that can spark whole applications.

*   Don’t fear; these tools will “take your job.” Enhance your human creativity with AI as a force multiplier. Find gaps in existing models where humans still shine over pure automation.

*   Advocate for adopting these tools at your company early, before the competition does. Pitch how it benefits users and customers, alongside developers.

*   Develop feedback loops, sharing why certain generated outputs are valuable or inadequate. The more humans train models, the better they become for everyone.

*   Get to understand the latest research from the company and its efforts. To keep up to date with anthropic frontiers, sign up for newsletters and updates from pioneers: Anthropic, Cohere, Google and others.

AI will never have the capacity to master all tasks, whether those are too unique, dynamic or complex for AI to do on its own. However, use models for what they do well and augment your human skills. This will be the future path of development: combining minds with machines.

****Busting Myths that Generative AI Replaces Developers****

With any disruptive technology, fears and misconceptions often arise around impacts on jobs. Rest assured, human developers will remain essential even as generative AI becomes widespread.

Here are common myths about generative models replacing engineers rather than augmenting them:

*   **Myth.** AI can build full-stack consumer web apps today with no human involvement.

*   **Reality.** Modern systems only generate code, not deploy full-stack apps. You still need developers to integrate outputs, train models, and handle infrastructure.

*   **Myth.** These models understand user needs and product requirements without human input.

*   **Reality.** AI has no sense of end-user behaviour or product thinking. Humans must provide a creative vision and real-world grounding.

*   **Myth.** Generated code is highly reliable and secure.

*   **Reality.** Raw model outputs still contain bugs and vulnerabilities. Humans provide QA, testing, auditing and oversight where AI falls short.

*   **Myth.** Anyone can prompt an AI to build an app without programming skills.

*   **Reality.** You still need engineers to validate code quality, connect components, identify limitations, and guide iterative improvement.

The key is viewing AI as a supportive tool rather than a wholesale replacement. Developers themselves utilize generative models just as they do compilers, debuggers, and clouds. But human creativity, judgment, and oversight remain indispensable.

**Augmenting Developers for the Future**

Hopefully, this breakdown demystifies generative AI and why it matters. These technologies aim to free engineers from drudgery so they can focus on more fulfilling, impactful work only humans can perform.

However, development will transform in the next five to ten years. Those who embrace this shift will have the most dynamic, stimulating, and rewarding careers. Others who deny how software creation is changing risk frustrating obsolescence.

Increasing general coding and automated task democratization means more people can make more ambitious projects than ever before possible. The future of AI-assisted inventions is something developers should cheer about rather than fear, with things remaining the same.

An open-minded attitude towards human and AI coexistence allows engineers to dream bigger, and faster and to make those dreams real. Complex problems in the world are desperate for innovative applications. Shortcuts are provided to that long timeline imposed by traditional code: generative models.

So while modern AI does have clear limits, its rapid pace of progress makes anticipating its potential more prudent than downplaying its capabilities. Get hands-on experience today rather than dismissing models as toys. Help drive breakthroughs by training them ethically. Then code the future you wish to see.

Why Developers Should Care About Generative AI (Even They Aren’t AI Expert)

After hearing about ChatGPT o3 ability at geo-guessing we decided to run some tests and the tested AIs didn't fail to amaze us

If you are worried about revealing your exact location—or if you maybe even fib about it at times—there are some good reasons to worry about what is visible in background photos, because Artificial Intelligence (AI) is getting very good at guessing where you are based on the smallest of clues. And that might even include audio clues, if given the right data.

Our curiosity was triggered by this article in TechRadar claiming that ChatGPT o3 can geo-guess your location from almost any photo. So, we decided to do some tests and removed the metadata from a few selected photographs that I took myself and never published anywhere (for quality reasons, obviously).

Metadata can include technical details like camera settings, date and time, location, and descriptive information like captions or keywords. And we wanted to test the AI’s capability on the picture itself—not on additional data included in the file. I also used a VPN so I didn’t give away my current location.

We started with an easy one. A landmark in a relatively large city, but from a strange perspective. The picture was part of a selfie taken through a window of an office building in Cork.

view over Cork, Ireland

It was no real surprise that ChatGPT got this right.

> “Alright, let’s break this one down — this does have some standout features that make it easier to geo-locate. Here’s the reasoning step by step:”

> **🧱 Architectural Clues:**
> 
> *   The old stone building in the foreground has **Georgian-style windows and masonry**, which are common in parts of the British Isles, especially in **Ireland** and **the UK**.
> *   The clock tower in the back-left with the **green copper dome** is particularly distinctive and often used in civic buildings in Ireland.
> *   The **mix of historical and modern buildings**, with the newer glass-fronted offices across a small river or canal, suggests urban regeneration in a historically rich city.

> **🌉 Infrastructure and Environment:**
> 
> *   The modern bridge with a **blue banner advertisement** and the **tree-lined waterfront** hints at a city that integrates riverways into its urban design.
> *   The road signs and general driving direction suggest **left-hand traffic**, supporting a guess of **Ireland or the UK**.

> **🏛** **Key Landmark:**
> 
> The building with the green dome in the background looks **very much like the clock tower of Cork City Hall in Ireland**. The angle of the shot shows the old Custom House building in front, and the modern offices across the **River Lee**, which runs through Cork.

This was spot on. But surely ChatGPT is not the only AI good at geo-guessing, so we used the same picture to test Perplexity as well.

> “This image provides several strong clues for geo-guessing:
> 
> The architecture of the foreground building is classic Georgian or early Victorian, with grey stone and sash windows—styles common in the British Isles, especially Ireland and the UK.
> 
> The river, modern glass buildings, and the steel bridge suggest a city that blends historical and contemporary elements.
> 
> The most distinctive feature is the clock tower with a green dome in the background. This is a well-known landmark: the Cork Courthouse clock tower in Cork, Ireland.
> 
> The bridge over the river and the combination of old and new buildings align with the area around the River Lee in Cork city centre.
> 
> **Conclusion**
> 
> This photo was taken in Cork, Ireland, looking out over the River Lee. The stone building in the foreground is part of the historic courthouse complex, and the green-domed clock tower is a prominent feature of Cork’s skyline. The modern glass buildings and bridge further confirm this as central Cork, a city known for its mix of heritage and modern development.”

Perplexity provided almost the same level of accuracy, so we decided to raise the difficulty level. A lot.

Landscaping in progress around Dutch holiday home

You’ll have to agree that this photo doesn’t give away a lot. But the AI tools took some unexpected clues from the picture.

Here is what ChatGPT determined:

> **🧩 Visual Clues:**
> 
> 1.  **Architecture:**
>     *   The buildings are modular and prefabricated in appearance, with light-colored paneling and dark window/door frames.
>     *   This type of house is common in northern Europe, especially in the Netherlands, Germany, Denmark, or parts of the UK.
> 2.  **Landscape:**
>     *   Very flat terrain with closely trimmed hedges and grassy areas.
>     *   This suggests low-lying regions—again pointing to places like the Netherlands or Belgium.
> 3.  **Infrastructure & Construction Tools:**
>     *   The pavers being laid and the wheelbarrows used (particularly the yellow color and shape) are very common in northern and western European construction.
> 4.  **Weather and Lighting:**
>     *   Overcast sky and soft, diffused lighting typical of northern Europe in autumn or early spring.
> 5.  **Small Details:**
>     *   The small shed in the back, the organization of tools, and cleanliness/horticulture are consistent with Dutch/German design sensibilities.
>     *   The wheelbarrow has the brand name “Fort”, which is a Dutch manufacturer—this is a **very strong clue**.
> 
> **🌍** **Likely Guess:**
> 
> **The Netherlands** 🇳🇱
> 
> **📍****Narrowing it Down:**
> 
> Given the modular housing, flat landscape, and Fort-brand wheelbarrow, this could be a holiday park, construction site, or suburban area in the Dutch countryside. Possibly in a province like **North Holland**, **South Holland**, or **Friesland** where such structures and environments are typical.

I must admit I was amazed that it mentioned South Holland which is where this photograph was taken.

Perplexity did not come as close as ChatGPT, but the tool did reach this conclusion:

> “Based on architectural style, landscaping, and contextual clues, this scene is almost certainly from the Netherlands. It showcases the country’s embrace of modular housing and practical, tidy outdoor spaces, reflecting broader trends in Dutch residential design and sustainable living.”

Which is still a lot better than I expected when I selected that picture.

**Bird songs**

So, modern AI tools can pick up visible clues. But then I had another idea—call it an epiphany if you will—which deserves a brief explanation. I use an app called Merlin Bird ID which is able to identify birds based on their singing.

Some bird species are a lot more local than others, so I asked Perplexity:

> “Would it be possible to do geo-guessing based on bird songs? And how many species do you think it would take to make a good guess?”

The answer:

> “How Many Species Are Needed?
> 
> One Species: Sometimes, a single species is enough if it’s highly range-restricted (e.g., endemic to an island or a small region). However, this is rare.
> 
> A Few Species (3–5): In most cases, hearing three to five distinct species can allow for a strong guess, especially if their ranges only overlap in a limited area.
> 
> More Species, More Precision: The more species you can identify, the more precisely you can geo-locate. With about 10–15 species, especially if some are local specialties, you can often narrow it down to a specific region, habitat, or even a particular park or reserve.”

So, I tried an experiment and offered both AI tools (ChatGPT and Perplexity) a list of bird song matches made from my Merlin Bird ID app. Here is the bird list, and what they tell us about where those birds are located:

**Latin Name**

**Common Name**

**Clue**

**Fringilla coelebs**

Chaffinch

Common across Europe

**Turdus merula**

Eurasian Blackbird

Also common across Europe

**Parus major**

Great Tit

Ubiquitous, widespread

**Grus grus**

Common Crane

Migratory — breeds in Scandinavia, Baltics, parts of Central Europe; passage bird elsewhere

**Carduelis carduelis**

European Goldfinch

Europe and western Asia

**Turdus viscivorus**

Mistle Thrush

Forests, open woodland — common in Europe

**Certhia brachydactyla**

Short-toed Treecreeper

Tells us something — this species avoids northern/colder parts of Europe (rare in the UK, absent in Scandinavia)

**Ardea alba**

Great Egret

Formerly rare in Europe, but now expanding — increasingly common in wetlands and rivers of Central and Southern Europe

**Sylvia atricapilla**

Eurasian Blackcap

Woodland; migratory in north, resident in south

**Anthus trivialis**

Tree Pipit

Breeds in open woodlands across Europe; migratory

**Vanellus vanellus**

Northern Lapwing

Farmland, wet grasslands; declining in the west but still widespread

In analyzing this list, Perplexity was the “winner,” able to more accurately guess my location:

> “Given all of these factors, my best guess is that you were somewhere in Northern Europe, likely Germany, Denmark, the Netherlands, or the UK. Without more information about habitat (e.g., forest, farmland, coast), it’s difficult to narrow it down further.”

Here was ChatGPT’s response to the same bird song list:

> **🗺️** **My Final Geo-Guess:**
> 
> You were likely in **Germany** — possibly in **northern or eastern Germany** (e.g., Brandenburg or Mecklenburg-Vorpommern), which is:
> 
> *   On the **Grus grus migration route**
> *   Rich in mixed forests and wetlands
> *   Within the range of **Certhia brachydactyla**
> *   Likely to host **all the species** you heard, in late April

In reality, the birds were recorded near the Dutch-German border, which put ChatGPT off by almost 400 miles, whereas Perplexity mentioned both countries I was in or close to, but covered a large area with its geo-guess.

**Conclusion**

If you’re making selfies or vlogging and you don’t want to give away your location, you’ll need to be very aware of your visual and auditory surroundings. A wheelbarrow of a specific brand or the sound of a bird with a limited habitat are enough to provide hints about your location. With enough hints, AI can deduce your exact location.

With social media being used for AI training, it is likely that these results will rapidly gain even more in accuracy.

**We don’t just report on threats – we help protect your social media**

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Malwarebytes Identity Theft Protection.

 AI is getting “creepy good” at geo-guessing 

Silent Push reveals a complex scheme where North Korean hackers posed as crypto companies, using AI and fake…

Silent Push reveals a complex scheme where North Korean hackers posed as crypto companies, using AI and fake job interviews to distribute malware. Protect yourself from these deceptive tactics. 

Cybersecurity firm Silent Push has uncovered a clever operation run by a North Korean hacker group, known as Contagious Interview, which has a link to the notorious Lazarus Group.

Reportedly, Contagious Interview has been tricking people looking for jobs in the crypto world through three different fake cryptocurrency companies: BlockNovas LLC, Angeloper Agency, and SoftGlide LLC. Their goal? To lure job aspirants into downloading harmful software onto their computers.

Fake Companies Profiles (Source: Silent Push)

According to Silent Push’s investigation, shared exclusively with Hackread.com, these fake companies use job postings on various websites, including well-known platforms like CryptoJobsList, CryptoTask, and Upwork, to attract applicants.

Once someone applies, the hackers send them what looks like legitimate interview-related files. However, these files contain malware. Researchers have observed several types of malware being used in this campaign, including BeaverTail, InvisibleFerret, and OtterCookie.

To make the scam seem real, Contagious Interview uses images created by artificial intelligence (AI) tools for employee profiles. Specifically, they used Remaker AI to generate some of these fake faces. Also, they use real online platforms like GitHub and job websites to appear more trustworthy.

Remaker AI Tool (Source: Silent Push)

Silent Push’s investigation revealed that Contagious Interview has a history of carrying out complex cyberattacks. In this new scheme, they use fake job offers and these three front companies to spread their malware. Once a victim’s computer is infected, the hackers can potentially access it remotely and steal sensitive data. They even try to hide their online activity using tools like VPNs.

The analysts successfully tracked the malware back to specific websites and internet addresses used by the hackers, including lianxinxiaocom, and even found a hidden online “dashboard” on a BlockNovas subdomain (mailblocknovascom) where the hackers were monitoring their fake websites and other tools. This “significant OPSEC failure” helped them identify the different fake companies and the malware being used.

Further investigation revealed many red flags. For example, the profile picture of a Backend Developer named Mehmet Demir linked to all three fake companies is AI-generated. This person is linked to three fake companies and has a history of suspicious online activity under the alias Bigrocks918. Another user, thegoodearth918, shared the same numerical suffix ‘918,’ used the same email and was linked to SoftGlide.

One user, “hades255,” identified as CTO of BlockNovas Gabriel Lima has an AI-generated photo and suspicious resume.  Other employee profiles also show signs of being fake, with AI-generated photos and other inconsistencies in their digital footprints. Even the recruiter for BlockNovas, Alexander Nolan, is using the image of a real person who has no connection to the company.

Analysis of files from the fake job application websites revealed hidden links leading to more malicious software, including FrostyFerret, and an unusual control panel named Kryptoneer, likely targeting the relatively newer crypto technology, Sui blockchain.

Silent Push researchers warn job seekers to be wary of unusual interview processes, requests to run unfamiliar code, and employee profiles that seem too good to be true or use generic-looking photos. These North Korean hackers are using increasingly sophisticated methods to trick unsuspecting individuals, and awareness is the best defence, researchers concluded.

North Korean Hackers Use Fake Crypto Firms in Job Malware Scam

In this episode of Uncanny Valley, our hosts explain how to prepare for travel to and from the United States—and how to stay safe.

Protecting Your Phone—and Your Privacy—at the US Border

XRP Ledger SDK hit by supply chain attack: Malicious NPM versions stole private keys; users urged to update…

XRP Ledger SDK hit by supply chain attack: Malicious NPM versions stole private keys; users urged to update xrpl package to 4.2.5 or 2.14.3 immediately.

A serious security breach targeting users of the XRP Ledger has been uncovered by the Aikido Intel threat detection system. Aikido’s research reveals that it was a sophisticated supply chain attack that compromised the official xrpl Node Package Manager (NPM) package, a widely utilized software development kit (SDK) for interacting with the XRP Ledger.

This malicious infiltration resulted in the introduction of a backdoor designed to steal users’ private keys, granting attackers complete control over their cryptocurrency wallets. Suspicion was raised on April 21st at 20:53 GMT+0 when five newly released versions of the xrpl package on NPM, which has over 140,000 weekly downloads, contained malicious code that did not align with the official releases on GitHub.

The compromised versions were 4.2.4, 4.2.3, 4.2.2, 4.2.1, and 2.14.2 whereas the latest legitimate version on GitHub was 4.2.0 at the time of the attack. This discrepancy raised concerns.

“The fact that these packages showed up without a matching release on GitHub is very suspicious,” Aikido’s malware researcher Charlie Eriksen revealed in the blog post shared exclusively with Hackread.com.

Further probing revealed unusual code in the src/index.ts file of version 4.2.4 of rogue packages (tagged as the latest version), which had a harmless-looking function named checkValidityOfSeed, but it led to an HTTP POST request to an unfamiliar domain, 0x9cxyz. The domain’s registration information analysis indicated it was newly created, fuelling concerns about its legitimacy.

Source: Aikido

Digging deeper, researchers discovered that checkValidityOfSeed was being called within critical functions, including the constructor of the Wallet class in src/Wallet/index.ts. This allowed the malicious code to execute when a Wallet object was instantiated within an application using the compromised xrpl package, attempting to send the user’s private key (needed to access and manage a user’s XRP funds) to the attacker’s server.

This allowed the backdoor to steal private keys “as soon as a Wallet object is instantiated.”

Researchers also noted that attackers’ methods evolved. Initial malicious versions (4.2.1 and 4.2.2) showed different modifications compared to later compromised versions. The first versions introduced malicious code into built JavaScript files, removing scripts and prettier configurations (the settings and rules that govern how the Prettier code formatter automatically formats your code) from the package.json file. Versions 4.2.3 and 4.2.4 integrated the malicious code directly into the TypeScript source code, indicating a refinement in their approach to remain undetected.

Following the disclosure of this supply chain attack, the official xrpl team released two new, clean versions of the package: 4.2.5 and 2.14.3. Users are strongly encouraged to update to these secure versions immediately to mitigate any potential risk.

Researchers also highlighted that “any seed or private key that was processed by the code has been compromised,” and hence should be considered unusable. Any cryptocurrency assets associated with them should be immediately transferred to a new, secure wallet with a newly generated private key.

Backdoor Found in Official XRP Ledger NPM Package

In this edition, Bill explores how intellectual curiosity drives success in cybersecurity, shares insights on the IAB ToyMaker’s tactics, and covers the top security headlines you need to know.

Thursday, April 24, 2025 14:00

Welcome to this week’s edition of the Threat Source newsletter. 

"Be curious, not judgmental," Ted Lasso says, misattributing Walt Whitman. We forgive Ted because... well, he's Ted Lasso. 

If you’ve not watched the first season of Ted Lasso, there is a defining moment where Ted confronts a nefarious bully. While putting him in his place with kindness and skill, Ted refers to this quote. It’s a defining moment not only for Ted but for the secondary and tertiary characters in the scene. One of the questions that I'm asked most when public speaking is “How do I get into Talos?” For people considering a new career, it’s “How do I get into cybersecurity?” To all those questions, my answer is "Be curious, not judgmental." 

I think there is no greater skill necessary in security than intellectual curiosity. If you have that, you can learn the rest. The hiring process to get in the door at Talos is extremely challenging and the candidates are incredible. That's why when I interview candidates for various roles in Talos I rarely, if ever, fixate on a niche skillset, instead focusing on the prospective employee’s intellectual curiosity. I ask weird questions that don’t seem related to the specific job role, not in an effort to throw them off but simply because I am curious and hope that they are as well.  

_Do you like to read? Do you ever read books outside of your normal wheelhouse? What are some favorite fiction and non-fiction books? Do you have a favorite craft or hobby? How many different Linux distributions have you installed? What are your 5 favorite board games? Do you play video games, and if so, what are a few favorites from each platform and decade?_   

These kinds of questions help me identify what kind of innate curiosity that the prospective candidate possesses and from their answers we will invariably fall down a rabbit hole while my co-workers shake their heads at me in disdain.  

Beyond that, I always listen for my favorite answer: “I don’t know, but...” There’s no better answer to a very difficult question than “I don’t know, but I’d probably try X,” or “I don’t know, but I’d love to learn...” 

Barbecue sauce.

**The one big thing **

Cisco Talos has released a blog post on the initial access broker (IAB) we call “ToyMaker” — a financially-motivated threat actor. They deploy their custom-made backdoor we call “LAGTOY” and extract credentials from the victim enterprise. LAGTOY can be used to create reverse shells and execute commands on infected endpoints. 

**Why do I care? **

A compromise by LAGTOY may result in access handover to a secondary threat actor. Specifically, we’ve observed ToyMaker hand over access to Cactus, a double extortion gang who employed their own tactics, techniques and procedures (TTPs) to carry out malicious actions across the victim’s network. Our blog details a timeline with turnaround time from ToyMaker to Cactus. 

**So now what?**

Cisco Talos has released information to help ensure protection including techniques and related IOCs. Check out the blog post for full details.

**Top security headlines of the week **

**Apple says zero-day bugs exploited against ‘specific targeted individuals’ using iOS.** Apple has released new software updates across its product line to fix two security vulnerabilities, which the company said may have been actively used to hack customers running its mobile software, iOS. (TechCrunch)

**Microsoft purges millions of cloud tenants in the wake of Storm-0558.** In an effort to thwart state-sponsored activity stemming from preventable security issues, Microsoft is making significant efforts to purge inactive Azure cloud tenants and take comprehensive inventory of cloud and network assets. (DarkReading) 

**Researchers warn of critical flaw found in Erlang OTP SSH.** The vulnerability could allow unauthenticated attackers to gain full access to a device. Many of these devices are widely used in IoT and telecom platforms. (cybersecuritydrive) 

**CISA flags actively exploited vulnerability in SonicWall SMA devices.** The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a security flaw impacting SonicWall Secure Mobile Access 100 Series gateways to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. (The Hacker News)

**Can’t get enough Talos? **

*   Talos Takes: Year in Review Special: Part 3 
*   TL,DR: Attacks on identity, and Multi Factor Authentication 
*   Unmasking the new XorDDoS controller and infrastructure

**Upcoming events where you can find Talos **

*   RSA (Apr. 28 – May 1) San Francisco, CA 
*   PIVOTcon (May 7 – 9) Malaga, Spain 
*   CTA TIPS 2025 (May 14 – 15)  Arlington, VA 
*   Cisco Connect UK & Ireland (May 20) London, UK 
*   BotConf (May 20 – 23) Angers, France 
*   Cisco Live U.S. (June 8 – 12) San Diego, CA

**Most prevalent malware files from Talos telemetry over the past week  **

**SHA256: 2462569cf24a5a1e313390fa3c52ed05c7f36ef759c4c8f5194348deca022277**    
MD5: 42c016ce22ab7360fb7bc7def3a17b04    
VirusTotal: https://www.virustotal.com/gui/file/2462569cf24a5a1e313390fa3c52ed05c7f36ef759c4c8f5194348deca022277    
Typical Filename: Rainmeter-4.5.22.exe     
Detection Name: Artemis!Trojan  

**SHA 256:7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5**      
MD5: ff1b6bb151cf9f671c929a4cbdb64d86      
VirusTotal : https://www.virustotal.com/gui/file/7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5    
Typical Filename: endpoint.query        
Detection Name: W32.File.MalParent    

**SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**    
MD5: 2915b3f8b703eb744fc54c81f4a9c67f      
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507      
Typical Filename: VID001.exe      
Detection Name: Win.Worm.Bitmin-9847045-0  

**SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**      
MD5: 7bdbd180c081fa63ca94f9c22c457376      
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91     
Typical Filename: IMG001.exe     
Detection Name: Win.Trojan.Miner-9835871-0

Lessons from Ted Lasso for cybersecurity success

Google is rolling out an end-to-end encrypted email feature for business customers, but it could spawn phishing attacks, particularly in non-Gmail inboxes.

Google announced at the beginning of April that it is launching a streamlined tool that will allow business users to easily send “end-to-end encrypted” emails—an effort to address the longstanding challenge of adding additional security protections to email messages. The feature is currently in beta for enterprise users to try out within their own organization. It will then expand to allow Google Workspace users to send end-to-end encrypted emails to any Gmail user. By the end of the year, the feature will allow Workspace users to send the more secure emails to any inbox. Email spam and digital fraud researchers warn, though, that while the feature will provide a new option for email privacy and security, it will also inevitably spawn new phishing attacks.

End-to-end encryption is a protection that keeps data scrambled at all times except on the sender and recipient's devices, and it is difficult to add to the historic email protocol. Mechanisms to do it are typically very complicated and costly to implement and only make sense for large organizations trying to meet specific compliance requirements. In contrast, Google's end-to-end encrypted email tool is simple to use and doesn't require significant IT overhead. The scenario that digital fraud researchers are most concerned about, though, relates to the case where a Workspace user sends an end-to-end encrypted email to a non-Gmail user.

“When the recipient is not a Gmail user, Gmail sends them an invitation to view the E2EE email in a restricted version of Gmail,” Google wrote in a blog post. “The recipient can then use a guest Google Workspace account to securely view and reply to the email.”

The fear is that scammers will take advantage of this new and more secure communication mechanism by creating fake copies of these invitations that contain malicious links, and prompt targets to enter their login credentials for their email, single sign-on services, or other accounts.

“Looking at Google's implementation, we can see it introduces a new workflow for non-Gmail users—receiving a link to view an email,” says Jérôme Segura, senior director of threat intelligence at Malwarebytes. “Users might not yet be familiar with exactly what a legitimate invitation looks like, making them more susceptible to clicking on a fake one.”

Given email's technical limitations, Google created a way for an organization's Workspace to automatically manage keys—used to descramble encrypted messages. Key management is what makes end-to-end encrypting email so difficult, so offering a solution that is easy for customers is a departure from what's currently available. The fact that the organization's Workspace controls the keys rather than storing them locally on a sender and recipient's devices does mean that the feature doesn't quite qualify as end-to-end encryption in the strictest sense of the term. But researchers say that for use cases like business compliance, the tool could still be extremely useful. And individuals who want end-to-end encrypted communications should just use a purpose-built app like Signal.

When Gmail users receive one of the new encrypted emails from a Google Workspace user, Google's extensive array of dynamic spam filters and fraud detection mechanisms will be in play to protect against spam, phishing, and rogue imposters broadly. But email users outside the Google ecosystem will also be able to receive encrypted email invitations, which makes the service available to anyone, but also will leave non-Google users to their own devices.

Scammers will prey on anything topical to generate new scams, and this threat certainly isn't unique to Google's new encrypted email feature. The invitations to view end-to-end encrypted emails will come with a warning that says, “Be careful when signing in to view this encrypted message. This message is from an external sender and is encrypted. Make sure you trust the sender and their identity provider before entering your username and password.”

“While it’s absolutely true that scammers are always looking for new ways to abuse any product, we built this particular technology with this risk in mind,” Google spokesperson Ross Richendrfer said in a statement. “The notifications users will receive in this case are very similar to Drive file sharing notifications that go out whenever someone shares a doc or file. All the protections we employ to keep scammers from capitalizing on these messages will help us protect this new class of notifications as well.”

Generations of Google Drive and Google Docs scams show, though, that it is particularly difficult to combat imposter invitations outside of Google's ecosystem. But when it comes to the new end-to-end encrypted email feature, “it was either adding a warning or not allowing this feature for non-Gmail users,” Malwarebytes's Segura says.

In fact, the new tool may offer particularly good fodder for scammers, given that Google is such a trusted organization, and targets may have heard about how end-to-end encryption is a special, gold-standard security feature.

“It's almost as if someone at Google knew this was a bad idea and asked for a warning to be added,” Malwarebytes’ Segura says. “It's quite likely fraudsters will jump on the opportunity to craft phishing emails using this exact same template, even including the original warning that will be overlooked.”

Gmail’s New Encrypted Messages Feature Opens a Door for Scams

SessionShark phishing kit bypasses Office 365 MFA by stealing session tokens. Experts warn of real-time attacks via fake…

SessionShark phishing kit bypasses Office 365 MFA by stealing session tokens. Experts warn of real-time attacks via fake login pages and Telegram alerts.

SlashNext security experts have discovered a new tool called “SessionShark” used by cyber criminals to steal login information for Microsoft Office 365. This tool can bypass multi-factor authentication (MFA), a security feature that requires a phone code in addition to a password to add another layer of security.

SlashNext’s research, shared exclusively with Hackread.com, revealed that online advertisements for SessionShark were found on secret cybercrime networks, indicating the tool was designed to steal session tokens, which are special keys that allow users to stay logged in without having to enter their password every time. Once a criminal has this token, they can get into your Office 365 account even if you have MFA turned on, because the key proves you’ve logged in.

Researchers explained that by stealing this session cookie” attackers can bypass MFA controls and access the account without needing the one-time passcode.” This makes the extra security of MFA useless in this type of attack.

The creators of SessionShark are trying to sell it to other criminals by saying it’s “for educational purposes,” but security experts say this is just a way to hide what it’s really for. It is designed to aid criminals’ success.

Source: SlashNext

For example, it can pretend to be a real Office 365 login page fooling users easily. It operates as an “adversary-in-the-middle” (AiTM) phishing kit. This means that when a victim tries to log in to Office 365 through a fake website created by SessionShark. It offers a logging panel for operators and integrates with a Telegram bot for real-time “Instant Session Capturing.” This allows threat actors to receive real-time alerts with the victim’s email, password, and session cookie the attacker secretly intercepts their username, password, and importantly, the session token, in real time.

Moreover, it works well with Cloudflare, a service that hides the real location of a website, making it harder for security teams to track down and shut down criminal operations. The tool also tries to avoid being noticed by threat intelligence systems, which are databases of known malicious websites and activities. SessionShark also allows criminals to quickly send stolen data directly to the attacker’s phone using Telegram allowing instant access.

According to SlashNext’s blog post, the way SessionShark is being sold shows a growing trend in cybercrime. Instead of just creating and using these tools themselves, criminals are now selling them to others as a service, complete with support and updates. This makes it easier for more people to carry out these kinds of attacks.

Security teams are now working to find ways to detect and block tools like SessionShark to protect users. Meanwhile, it is crucial to be very careful online, especially when entering your login information. Even with extra security like MFA, make sure you are on the real website before typing in your username and password.

Tag

#intel