**According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?**

The word **Remote** in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally.

For example, when the score indicates that the **Attack Vector** is **Local** and **User Interaction** is **Required**, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer.

CVE-2025-49698: Microsoft Word Remote Code Execution Vulnerability

Researchers observed North Korean threat actors targeting cryptocurrency and Web3 platforms on Telegram using malicious Zoom meeting requests.

DPRK macOS 'NimDoor' Malware Targets Web3, Crypto Platforms

AT&T's $177M data breach settlement. Check eligibility for payouts from 2019 and 2024 incidents. Get claim details here.

Telecom giant AT&T has agreed to a $177 million settlement to resolve two major lawsuits stemming from widespread data breaches that impacted millions of its current and former customers in 2019 and 2024.

A US District Judge, Ada Brown, granted preliminary approval for the settlement terms on Friday, June 20 . While the company denies responsibility for these “criminal acts,” it opted for the settlement to avoid lengthy legal battles.

AT&T confirmed these two data security incidents last year. The first breach, which began in 2019, exposed personal information for about 7.6 million current and 65.4 million former account holders. This data, including names, Social Security numbers, dates of birth, and passcodes, was found on the dark web, a hidden part of the internet. Hackread.com previously covered AT&T’s eventual confirmation of this breach affecting roughly 73 million users after initial speculation.

The second incident, confirmed in July last year, began in April 2024. A hacker accessed call and text records from 2022 for nearly all of AT&T’s 109 million US customers through its cloud storage provider, Snowflake. AT&T clarified that no names were linked to these stolen call records, and two individuals have been arrested in connection with this breach.

Both incidents led to multiple class-action lawsuits (legal actions brought by a group of people) alleging corporate neglect on AT&T’s part in failing to properly protect customer data. The settlement funds are split into two parts: $149 million for one breach and $28 million for the other.

****How to Qualify for Payments****

Current or former AT&T customers whose data was exposed in either breach may be eligible for a payout. Higher payments will go to those who can show clear proof of losses directly caused by the data leaks.

For the 2019 breach, affected individuals with documented damages could receive up to $5,000, while the maximum for the 2024 Snowflake breach is $2,500. After these prioritized payments, any remaining funds from the $177 million will be shared among other impacted customers, even those without specific proof of harm.

Notifications about eligibility are expected to be sent via email or mail between August 4 and October 17, 2025. The official process for submitting claims is set to begin on August 4, 2025, with a deadline of November 18, 2025, to submit a claim. A final court hearing for the settlement is scheduled for December 3, 2025. If approved, AT&T anticipates that payments to customers will start in early 2026.

AT&T Reaches $177M Deal Over 2019 and 2024 Data Breaches

Cybersecurity researchers have disclosed a malicious campaign that leverages search engine optimization (SEO) poisoning techniques to deliver a known malware loader called Oyster (aka Broomstick or CleanUpLoader).
The malvertising activity, per Arctic Wolf, promotes fake websites hosting trojanized versions of legitimate tools like PuTTY and WinSCP, aiming to trick software professionals

SEO Poisoning Campaign Targets 8,500+ SMB Users with Malware Disguised as AI Tools

Directory Traversal vulnerability in dagster-webserver Dagster thru 1.5.10 allows remote attackers to obtain sensitive information via crafted request to the /logs endpoint. This may be restricted to certain file names that start with a dot ('.').

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-q93c-p2mw-p23f: Dagster vulnerable to Path Traversal attack through its /logs endpoint

A color picker for Google's browser with more than 100,000 downloads hijacks sessions every time a user navigates to a new webpage and also redirects them to malicious sites.

Chrome Store Features Extension Poisoned With Sophisticated Spyware

SatanLock ransomware gang shuts down after weeks of attacks and plans to leak stolen victim data. Group linked to Babuk-Bjorka and GD Lockersec families.

The newly formed SatanLock ransomware group has announced it is shutting down. Before disappearing, however, the group says it will leak all the data stolen from its victims later today. The announcement was made on the gang’s official Telegram channel and dark web leak site.

It’s also worth noting that the group has deleted all victim listings that were visible just hours ago. Now, anyone visiting their .onion site sees a message reading, “SatanLock project will be shut down – The files will all be leaked today.”

SatanLock Ransomware’s announcement (Image credit: Hackread.com)

SatanLock has been active since early April 2025 and is known for its aggressive tactics. The group quickly gained attention, posting details of 67 victims on its dark web leak site within just a few weeks.

Interestingly, as highlighted in a **May 2025 report**, by Check Point, more than 65% of these victims had already appeared on leak sites run by other ransomware gangs. This suggests the group may have used shared infrastructure or deliberately tried to “re-claim” already compromised networks.

According to an **analysis** by Lockbit Decryptor, a cybersecurity firm that helps victims remove Lockbit ransomware, SatanLock is linked to several other notorious ransomware families, including Babuk-Bjorka and GD Lockersec. These connections suggest the group is part of a much larger cybercriminal network.

SatanLock Ransomware’s victims by countries and industries (Image via Lockbit Decryptor)

The exact reason for SatanLock’s shutdown remains unclear. Just last week, news broke that Hunters International, another ransomware group, was shutting down too. However, it was later clarified that the group is only rebranding, moving its focus to data breaches and leaks instead of ransom demands.

Hunters International now operates under the name **WORLD LEAKS**. Is the SatanLock ransomware gang following the same modus operandi? Maybe we’ll never know, or maybe we will.

Even so, the shutdown of the SatanLock group is good news for victims. It’s one less cybercriminal gang out there extorting unsuspecting individuals and businesses with ransom demands.

SatanLock Ransomware Ends Operations, Says Stolen Data Will Be Leaked

Let's Encrypt has started rolling out certificates for IP addresses. Although it's a security solution it also offers cybercriminals opportunities.

Let’s Encrypt has announced its issued its first certificate for an IP address. Why that’s significant deserves a little explanation.

You may have run into Let’s Encrypt certificates many times without realizing it. When you see a padlock icon in your browser’s address bar, it means the site is using a certificate to secure your connection. These certificates are “digital passports” that websites use to prove their identity and to encrypt the data sent between your browser and the website.

Traditionally, these certificates have only been issued for domain names (like malwarebytes.com). Now, Let’s Encrypt has started issuing certificates for IP addresses, which are the numerical labels (like 192.0.66.233) that computers use to find each other on the internet.

Let’s Encrypt is a very popular provider of certificates, and you can find its certificates on hundreds of millions of websites. That’s because:

*   Let’s Encrypt certificates are free.
*   Hosting companies and content delivery networks often provide Let’s Encrypt by default as a service to their customers.
*   Let’s Encrypt is a mission-driven nonprofit aiming to make the web safer and more private for everyone.

The advantages of providing certificates for IP addresses are clear. Since some browsers will refuse to open sites without a certificate, it provides a safer way to access your website if you don’t have a domain name at all. It also allows you to use your browser to remotely access home devices like network-attached storage (NAS) servers and Internet-of-things (IoT) devices.

But most home users are unlikely to access a site by using the IP address. Domain names are much easier to remember (most of them anyway) and Domain Name System (DNS) translates domain names to IP addresses for us without a lot of problems.

And while IP addresses can change, DNS will make sure that our browser can still find the domain we want to visit. This is one reason why Let’s Encrypt will only issue short-term certificates for IP addresses: The certificates will be valid for just six days, a move designed to minimize the risk window in the event of a key compromise and to encourage automated certificate renewal practices.

Domain certificates can be compromised and abused. For example, in 2011, DigiNotar, a Dutch certificate authority, was breached, resulting in the issue of at least 500 fraudulent certificates for high-profile domains such as Gmail, Facebook, and the CIA.

And while you may have never heard of this breach, it spurred some much-needed improvements in the security of our online trust infrastructure.

**Here’s the problem**

If I post a URL online or send it by email, there is a visible part and a part that’s actually where you will be taken. For example <a href="https://malwarebytes.com/blog">example.com</a> will not take you to the displayed example.com, but to our blog’s landing page.

But let’s say that a cybercriminal can get a free certificate for the IP address of a server under their control, they could construct links that look like this <a href=”the server IP address”>payment provider X</a>. Should you click that link, you could end up on a specially crafted copy of the payment provider’s site set up by the cybercriminal which asks for your login credentials. Those credentials would then fall in the hands of the criminals if you entered them.

For an unsuspecting user, who potentially might have noticed the wrong domain in the address bar, an IP address might not raise any red flags, especially since they’ll see the padlock and assume it’s legitimate. But encrypted traffic doesn’t make it trustworthy. It is encrypted between the user and the website, so the receiver can read the credentials the visitor sent them.

At the same time, Let’s Encrypt’s move supports legitimate technical needs for IP-based certificates, so the challenge will be balancing security with accessibility. Defenders should monitor certificate transparency logs for suspicious IP certificates and combine this with other threat intelligence to identify abuse.

In essence, this new capability is a double-edged sword, both offering convenience and security benefits, but also new opportunities for cybercriminals.

**Tips for users**

The tips are basically the same as for any unsolicited link you encounter. The difference is that you should keep in mind that these URLs can now include IP addresses.

*   Don’t click on links in unsolicited emails, messages or on social media.
*   Hover over the link. A mismatch between the displayed domain and the target URL is a red flag.
*   The padlock does not mean the website is safe. It just means the traffic between you and the site is encrypted, so nobody in between can eavesdrop.
*   Enable multi-factor authentication (MFA) so criminals will not have access to your accounts with the credentials alone.
*   Keep your device and the software on it up to date, especially your security software and your browser.
*   Use a security solution that provides active protection, including against malicious domains and IPs.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Free certificates for IP addresses: security problem or solution? 

Dr.Web reports Android malware surge in Q2 with adware, banking trojans and crypto theft hidden in fake apps, firmware and spyware targeting users.

A series of malicious apps and stealthy spyware is targeting Android users worldwide, with new data showing how cybercriminals keep finding ways to slip threats onto devices and even official app stores.

According to new findings from Dr.Web Security Space, adware is still the most common threat on mobile devices, but what is noticeable this time is how attackers keep finding new tricks to spread it.

****Adware Still Tops the Charts****

Adware Trojans continued to dominate, led by the Android.HiddenAds family. Although detections dropped by just over 80%, HiddenAds variants are still the most active group, often masquerading as harmless apps and vanishing from home screens once installed. Android.MobiDash adware trojans saw a jump of over 11%, proving that intrusive ads are still a reliable money maker for threat actors, revealed Dr.Web’s **report**.

****Fake Apps Fraud****

Android.FakeApp malware ranked third on the threat list, with activity dropping by a quarter. These malicious apps frequently pose as **finance tools, games or utilities** but instead, redirect users to gambling or phishing sites. Fake finance apps tricked Turkish and French-speaking users, promising easy income control or investment advice while silently pushing them to fraudulent sites.

****Banking Trojans Make a Comeback****

While some banking trojans like Android.BankBot and Android.SpyMax declined, Android.Banker surged by over 70% compared to the previous quarter. This spike highlights how cybercriminals keep targeting financial data with new variants, despite global awareness campaigns urging users to stick to official app stores.

****Crypto Theft Hidden in Firmware****

One of the most alarming revelations is a large-scale crypto theft campaign discovered in April. Attackers slipped a trojan named Android.Clipper.31 into a modified version of WhatsApp and even embedded it in the firmware of low-cost Android phones.

This trojan secretly **swaps legitimate crypto wallet addresses** for the attackers’ own and sends user images to a remote server, hunting for wallet seed phrases hidden in screenshots or photos.

****Spyware Targets Military Personnel****

Another concerning discovery made by Dr.Web and **reported by Hackread.com** in April 2025, was spyware hidden inside a fake version of Alpine Quest, a mapping app. Distributed through a bogus Telegram channel and a local app catalogue, Android.Spy.1292.origin was designed to gather sensitive data from Russian military personnel, including location files, messages and phone book contacts.

****Threats Found on Google Play****

Despite tighter controls, Dr.Web’s researchers continue to find dozens of **malicious or unwanted apps on Google Play** (Apple App Store is **not** a secure place either). Recent finds include adware modules disguised in cryptocurrency news apps and finance-themed fake apps that redirect users to shady sites instead of offering any real service.

This new wave of cybersecurity threats simply goes on to show that Android’s open nature still makes it a favourite target for criminals pushing ads, spyware and banking malware. Even official app stores are not completely safe, therefore, users must keep their devices protected with up-to-date security software and stay cautious with any new app, no matter how harmless it appears.

Malware Surge Hits Android: Adware, Trojans and Crypto Theft Lead Q2 Threats

Cybersecurity threats have emerged so quickly that most companies struggle to keep up and executives are often the…

Cybersecurity threats have emerged so quickly that most companies struggle to keep up and executives are often the first targets. These individuals are known to the public and hold access to sensitive company data with valuable personal and financial information.

Keeping them safe from cyber attacks takes more than standard security measures. That is why Digital Executive Protection (DEP) is becoming an important part of how companies handle cybersecurity today

This article explores how Digital Executive Protection works, why it matters, and how platforms are setting the standard in safeguarding organizational leadership from online threats.

****Why Executives Are High-Value Targets****

Executives are ideal targets for cybercriminals for several reasons:

*   **Access to Sensitive Information:** C-level executives often have the highest level of access to proprietary corporate data, including strategic plans, customer databases, and financial records.

*   **Public Visibility:** Their names and roles are publicly known, making it easy for attackers to impersonate them in phishing and business email compromise (BEC) attacks.

*   **Insufficient Personal Cyber Hygiene:** Despite high professional stakes, many executives do not practice strong personal cybersecurity, leaving their personal devices and social media vulnerable.

These factors make executives not just victims but potential attack vectors that can lead to broader organizational breaches.

****What Is Digital Executive Protection?****

Digital Executive Protection (DEP) refers to the practice of securing executives’ digital identities across both personal and professional spheres. Unlike traditional cybersecurity measures that focus on networks or endpoints, DEP concentrates on the individual’s entire digital footprint, including:

*   Dark web monitoring

*   Social media impersonation

*   Public and private data exposure

*   Data broker tracking and removals DEP is both proactive and continuous, often delivered as a managed service that includes automated scans, real-time alerts, and expert remediation.

****Modern Threat Landscape for Executives****

The range of threats facing executives today includes:

*   **Social Media Impersonation:** Fake profiles are used to scam followers or damage reputations.

*   **Data Broker Exposure:** Personal information such as home addresses, phone numbers, and family data are sold online, increasing risk.

*   **Credential Stuffing and Account Takeovers**: Breached credentials reused across accounts can grant access to sensitive platforms.

*   **Ransomware Targeting:** Some ransomware groups target specific high-profile individuals.

*   **Location Tracking:** Publicly available metadata or broker data can expose executives’ real-time locations, creating safety concerns.

****Key Components of Effective DEP****

A robust Digital Executive Protection strategy should include:

1.  **Automated Monitoring:** Continuous scanning of the web, social platforms, and dark web for threats.
2.  **Data Broker Remediation:** Regular removal of PII from broker sites.
3.  **Dark Web Intelligence:** Alerts on credential leaks and sensitive information.
4.  **Impersonation Takedowns**: Rapid response to social media and web impersonations.
5.  **Concierge Support:** A human team for white-glove onboarding and threat remediation.

****How Digital Executive Protection Works in Practice****

According to VanishID, an effective DEP program should combine automation with expert support. Their approach includes features like:

*   Regular privacy reports with actionable insights

*   The option to extend protection to spouses and children

*   Proactive removal of personal data from brokers and exposed sources

*   Quick response to impersonation threats on social media or fake websites

*   Personal privacy monitoring that tracks exposure across data broker sites, breached databases and search engines

Rather than reacting after an incident, VanishID says its focus is on minimizing the attack surface before it can be exploited.

****Why Digital Executive Protection Matters for Businesses****

Strong executive protection can help companies maintain brand integrity by preventing damage from impersonation or breaches. It can also align with requirements from some cyber insurance providers that expect proactive risk management.

Reducing risks like BEC scams or ransomware targeting high-profile individuals supports overall security. Finally, showing top leaders that their privacy and safety are priorities can help build trust and confidence at the highest levels.

****In Conclusion****

Executives play a critical role in an organization’s security and reputation, making their personal online safety impossible to overlook. Digital Executive Protection adds an extra layer to cybersecurity by reducing risks that traditional tools often miss.

If companies prioritise this protection, they can protect their and customer data, leadership, and long-term stability in an environment where cybersecurity threats continue to grow.

Tag

#web