Blogs

Report says ChatGpt Atlas is Vulnerable for Users: Understanding Open-AI Agent Mode

Atlas’s autofill and form interaction capabilities present potential attack points

As per reports ChatGpt Atlas browser is vulnerable to attacks and is laced with inherent weakness in comparison to other browser like Google Chrome. As per ‘LayerX ‘who discovered the weakness in ChatGpt Atlas, described threat actors have the ability to inject malicious instructions into ChatGPT’s ‘memory’ and execute remote code and this works by way of cross-site request forgery requests.

These exploit can allow attackers to infect systems with malicious code, grant themselves access privileges or deploy malware. “Understanding “Agent Mode” is most important and core of Atlas which is not same for any traditional browsers. In traditional browser where users manually move from site to site, agent mode allows ChatGPT to semi-autonomously operate your browser.

For e.g. any user wanting to use ChatGPT for work related purposes, the malicious code planted earlier mostly tainted will be invoked automatically to execute remote code, allowing attackers to gain control of the user account .This may include their browser, code they are writing or systems they have access to.

Rate of Vulnerability is 90% A Warning for Users

The rate of vulnerability is 90% then other browsers as when an attacker wish they can push or inject malicious instructions into ChatGPT’s Atlas ‘memory’ and later execute via remote code.

There is a more basic warning as well. “Atlas does not include meaningful anti-phishing protections, meaning that users of this browser are “up to 90% more vulnerable to phishing attacks than users of traditional browsers,” LayerX says.

Key pointers from research

ChatGPT’s Atlas is not resilient to Phishing attacks

Out of 103 in-the-wild attacks that LayerX tested 97 to go through, a whopping 94.2% failure rate

Compared to Edge (which stopped 53% of attacks in LayerX’s test) and Chrome (which stopped 47% of attacks),

ChatGPT Atlas was able to successfully stop only 5.8% of malicious web pages

Unlike traditional web browsers where you manually navigate the internet, agent mode allows ChatGPT to operate your browser semi-autonomously.

The technology works by giving ChatGPT access to your browsing context. It can see every open tab, interact with forms, click buttons and navigate between pages just as you would.

Importance of Security by Design for web browsing & How AI is intricately involved

The sandboxing approach which is security by design is to keep websites isolated from attacks and prevent malicious code from accessing data from other tabs is crucial to modern web architecture. This is the basis of modern web that depends on separation. But if its not implemented what can be the impact.

But in Atlas, the AI agent isn’t malicious code – it’s a trusted user with permission to see and act across all sites. In this browser isolation is not required. Here AI is not directly connected to the threat but what AI does is AI following a hostile command hidden in the environment. This opens doors to security and privacy risks many users are ill-equipped to handle.

Let me put an example : If you search for air tickets and visit a site , the Atlas ChatGpt will prompt and try to book a ticket or you search for movies in near by theater ,it attempts to book a ticket ”, it will explore options and try to book reservation. Atlas autofill’s and form interaction capabilities present potential attack points, especially when AI is making rapid decisions about information entry and submission.

This is possible when access is granted to ChatGPT for any browsing requirement or context that allows it to view and open tabs, interact with forms and navigate between pages like humans do.

Is User’s security getting compromised

The above example gives users warning that any AI powered browser may be convenient but not without security risks and those who are ChatGpt Atlas, should give extreme cautious before choices are made . Do not share browsing history with any AI mode, instead adopt incognito mode. Any malicious code can influence the AI’s behavior if browsing and this can happen across multiple tabs.

In case of Atlas, the condition is more vulnerable as Atlas provides inputs like humans doing and AI in disguise executing harmful commands within the environment.

Will AI Agent or Open AI make browsing safe for users or what it means to have safe browsing.

(Source: https://www.bbc.com/news/articles/c20pdy1exxvo)

Copilot Studio SupplyChain Attack Steals OAuth Tokens via CoPhishing

Summary

The CoPhish attack is a sophisticated phishing technique exploiting Microsoft Copilot Studio to steal OAuth tokens by tricking users into granting attackers unauthorized access to their Microsoft Entra ID accounts.

By Copilot Studio’s customizable AI agents, attackers create chatbots hosted on legitimate Microsoft domains that wrap traditional OAuth consent attacks in an authentic-looking interface, increasing the likelihood of successful deception.

Technical Details

The attackers often use a trial license or compromised tenant to create the agent, backdooring the authentication workflow so that, post-consent, OAuth tokens are exfiltrated via HTTP to attacker infrastructure.

Few Demo links like copilotstudio.microsoft.com add credibility, closely mimicking official Microsoft Copilot services, and victims see familiar branding and login flows.

While Microsoft has implemented consent policy updates including blocking risky permissions by default for most users significant gaps remain: unprivileged users can still approve internal apps and privileged admins retain broad consent authority.

Tokens exfiltrated by CoPhish can be used for impersonation, data theft or sending further phishing emails, often going undetected as the traffic is routed through Microsoft infrastructure.

malicious CopilotStudio page Source: securitylabs.datadoghq.com

Attack Flow

Step	Description
1. Build Malicious Copilot Agent	Attackers create a customized Copilot Studio chatbot, usually on a trial license within their own or a compromised Microsoft tenant, configuring it to appear as a legitimate assistant.
2. Backdoor Authentication Workflow	The agent’s “Login” topic is modified to include an HTTP request that will exfiltrate any OAuth tokens granted by users during authentication.
3. Share Demo Link	Attackers generate and distribute demo website URL (like, copilotstudio.microsoft.com) pointing to the malicious chatbot, mimicking official Copilot Studio services and passing basic domain trust checks.
4. Victim and Trigger Consent	Victims access the link, interact with the familiar interface, and are prompted to login, beginning an OAuth consent flow that requests broad Microsoft Graph permissions.
5. Token Exfiltration	After the victim consents, the agent collects the issued OAuth token and sends it via HTTP to an attacker-controlled server, often relaying through Microsoft IP addresses to avoid detection in standard traffic logs.
6. Abuse Granted Permissions	Attackers use the stolen token to impersonate the victim, accessing emails, calendars, and files or conducting further malicious actions such as sending phishing emails or stealing sensitive data.
7. Persist and Retarget	Due to policy gaps, attackers can repeat the process targeting both internal and privileged users, tailoring requested app permissions and adapting to Microsoft’s evolving security measures.

Source: securitylabs.datadoghq.com

Why It’s Effective

Leverages trusted Microsoft domains and branding with realistic AI chatbot flows, bypassing phishing detection and user suspicion.

Bypasses multi-factor authentication by stealing fully privileged OAuth tokens that persist until revoked.

Targets both regular users and privileged admins by adapting requested permissions, making it scalable and versatile.

Recommendations

Here are some recommendations below

Enforce strict Microsoft Entra ID consent policies to limit user approval of app permissions, especially high-risk scopes.

Restrict or disable user creation and publishing of Copilot Studio agents unless explicitly authorized by admins.

Monitor Entra ID audit logs and Microsoft Purview for suspicious app consent, agent creation or modifications in Copilot workflows.

Apply Azure AD Conditional Access requiring MFA and device compliance for accessing Copilot Studio and related AI services.

Implement tenant-level Data Loss Prevention (DLP) and sensitivity labeling

Educate users on phishing risks and regularly reviewing/revoking app permissions and tokens.

Conclusion:
CoPhish highlights how AI-powered low-code platforms like Microsoft Copilot Studio can be exploited for advanced phishing attacks targeting identity systems.

Despite Microsoft’s improvements to consent policies, significant risks remain, requiring organizations to enforce strict consent controls, limit app creation, and monitor Entra ID logs vigilantly. As AI-driven tools grow, proactive security measures are essential to defend against these evolving hybrid threats leveraging trusted cloud services.

References:

https://securitylabs.datadoghq.com/articles/cophish-using-microsoft-copilot-studio-as-a-wrapper/

https://cybersecuritynews.com/cophish-attack-exploits-copilot-studio/

Hashtags

#Infosec #CyberSecurity #Microsoft #Copilot #Vulnerabilitymanagement # Patch Management #ThreatIntel CISO #CXO #Intrucept

Samsung Galaxy S25 Zero-Day Exploit Exposes Camera & Location

Summary

At Pwn2Own Ireland 2025, researchers Ben R. and Georgi G. from Interrupt Labs successfully exploited a zero-day vulnerability in the Samsung Galaxy S25. The flaw allowed them to gain remote control of the device, activate the camera, and track the user’s real-time location without interaction.

This achievement, earning them $50,000 and 5 Master of Pwn points, highlighted ongoing security weaknesses even in flagship smartphones with extensive testing. The exploit’s discovery underlined broader concerns about the pace of Android feature development outstripping security hardening efforts across system and multimedia libraries.

The Galaxy S25 zero-day exploit underscores the persistent threat of critical security flaws even in top-tier consumer devices. Although discovered in a controlled, ethical hacking event, such vulnerabilities pose substantial risks if leveraged by malicious actors.

Vulnerability Details

The vulnerability originated from an improper input validation issue within the Galaxy S25’s software stack. Through carefully crafted malicious inputs, the researchers bypassed Samsung’s built-in security safeguards and executed arbitrary code remotely.

The exploit provided persistent access, enabling control over cameras, GPS, and potentially other sensitive device components, effectively transforming the smartphone into a covert surveillance tool. Because the issue existed at a deep system level, it required no user interaction, making it particularly severe. The vulnerability had not been previously disclosed, meaning Samsung and the public were both unaware until the competition’s revelation.

Key characteristics:

The key characteristics of the Samsung Galaxy S25 zero-day vulnerability are as follows:

Type of Vulnerability: Improper input validation bug within the device’s software stack, allowing remote code execution without user interaction.

Impact: Enables attackers to take full control of the device, activate the camera, and track real-time GPS location, effectively turning the device into a surveillance tool.

Discovery and Exploit: Uncovered during Pwn2Own Ireland 2025 by researchers Ben R. and Georgi G., showcasing a sophisticated exploit chain that bypassed Samsung’s security measures.

Persistence: Vulnerability allows persistent access, which can be exploited silently without user awareness or interaction.

Disclosure and Remediation: The flaw was previously undisclosed, with responsible disclosure leading to Samsung preparing a security patch. No official statement has been issued yet, but a fix is anticipated.

Severity and Potential Damage: The exploit can compromise sensitive personal data, private communications, and location, highlighting significant privacy and security risks.

Attack Flow

Step	Description
1. Craft Malicious Input	Attackers develop specially crafted malicious inputs targeting the vulnerable components within the Samsung Galaxy S25’s software stack, particularly exploiting the improper input validation flaw.
2. Deliver Payload	The malicious payload is delivered via crafted multimedia or system input, such as manipulated images or software commands, that bypass Samsung’s existing safeguards.
3. Bypass Security Measures	The input validation flaw allows the malicious data to bypass security checks, executing remote code without requiring user interaction or consent, gaining initial access to the device’s system.
4. Gain Persistent Control	Once the malicious code executes, attackers establish persistent control over the device, enabling continuous access to core functionalities like camera activation and GPS tracking silently and covertly.
5. Exploit Device Capabilities	Attackers leverage control to activate the device’s camera and GPS in real-time, turning the device into a surveillance tool capable of capturing photos, videos, and tracking location discreetly.
6. Maintain Stealth & Avoid Detection	The exploit chain is designed to evade detection by Samsung’s defenses during the attack window, allowing attackers to operate covertly without triggering security alerts or user notifications.
7. Exploit and Monetize	The compromised device becomes a tool for espionage, data theft, or targeted surveillance, which can be exploited for malicious purposes or sold on criminal markets if attacker exploits are monetized.

Proof-of-Concept

The proof-of-concept for the Samsung Galaxy S25 zero-day vulnerability (CVE-2025-21043) demonstrates how specially crafted malicious images can exploit an out-of-bounds write flaw in Samsung’s closed-source image parsing library libimagecodec.quram.so. This flaw allows remote code execution with elevated privileges without requiring user interaction.

The exploit involves delivering a malicious payload embedded in an image file that, when processed by the vulnerable library, triggers memory corruption leading to arbitrary code execution and persistent control over the device.

This has been confirmed in cybersecurity forums and independent analyses, with active exploitation observed in the wild primarily via social engineering through messaging platforms like WhatsApp. The PoC confirms that attackers can bypass conventional security mechanisms and gain deep system control, enabling surveillance actions such as camera activation and location tracking. This underscores the critical need for applying the latest security patches released by Samsung.

Source: https://x.com/thezdi/status/1981316237897396298

Why It’s Effective

Code Execution via Input Validation Flaw: Exploits improper input validation within the Galaxy S25’s software stack, allowing malicious payloads to bypass safeguards and execute remote code seamlessly alongside legitimate system processes.

Zero-Click Capability: Operates without requiring any user interaction, enabling silent compromise through automated payloads that trigger upon data processing or system-level input handling.

Persistent Access: Establishes continuous control after initial compromise, granting long-term ability to activate hardware components like camera and GPS without detection by standard security mechanisms.

Stealth Operations: Exploit chain hides within multimedia and system library processes, avoiding visible alerts or performance anomalies that might indicate compromise to the user.

Advanced Evasion: Utilizes legitimate system libraries and resource calls, reducing the likelihood of being flagged by mobile antivirus or Samsung Knox runtime protections.

High Impact Vector: Enables complete device surveillance, capturing photos, videos, and location data covertly, illustrating real-world severity when attackers weaponize such system-level access.

Remediation:

Update Samsung Galaxy devices immediately with the latest September 2025 Security Maintenance Release (SMR) patch that fixes CVE-2025-21043.

Manually check for software updates via Settings > Software Update > Download and Install to ensure the fix is applied promptly.

Enable automatic security updates on Samsung devices for timely future patching without delay.

For enterprises, enforce patch deployment policies through Mobile Device Management (MDM) or Enterprise Mobility Management (EMM) tools to cover all mobile endpoints.

Restrict app permissions, especially camera and location access, to minimize exposure in case of compromise.

Avoid opening images from untrusted sources or suspicious messaging apps, as the vulnerability exploits image parsing.

Implement continuous mobile threat detection to identify abnormal device behavior indicative of compromise.

Educate users and IT teams about the critical nature of this vulnerability and the importance of timely patching.

This ensures comprehensive mitigation of vulnerability while reducing risk and exposure to active exploits.

Conclusion:

This incident reinforces the value of responsible disclosure mechanisms like Pwn2Own, where manufacturers receive detailed technical reports to develop patches before public release. Samsung has yet to issue a formal statement but is expected to roll out a security update imminently.

In the meantime, users are advised to enable automatic updates, remain cautious with app permissions and untrusted networks, and monitor official channels for patches to mitigate potential exploitation risks.

References:

https://cybersecuritynews.com/samsung-galaxy-s25-0-day-vulnerability/

https://cyberpress.org/samsung-galaxy-s25-0-day/

https://gbhackers.com/hackers-exploit-galaxy-s25-0-day/amp/

AWS Recent Outage, Effects What we need to know

The recent disruption that sparked world wide impact and effect is the AWS outage. The AWS (Amazon web services) disruption happened on October 20, 2025, centered on its “US‑EAST‑1” cloud region . The disruption triggered a series of failures and disrupted normal working of number of consumer apps, finance, government portals and parts of Amazon’s own services.

The AWS outage a case of internet outage, impacted over disruptions at over 3,500 companies across more than 60 countries, placing this among the largest internet outages on record for Downdetector.

Now the crucial question that hovers the mind is how the disruption affected digital services and what does this means to organizations relying on third party cloud service providers, to developers and other who are in the ecosystem and rely on AWS service that run uptime.

AWS covers 30% of the global cloud infrastructure market and such a kind of disruption is hard for the world relying on AWS infra. Many global apps and websites rely heavily on AWS for cloud hosting and data processing, which means the disruption can rapidly become widespread and create a knock out effect to many services and businesses to return to normal may witness challenege.

Origin of the AWS incident:

The incident originated in the US-EAST-1 (Northern Virginia) region one of AWS’s oldest and most heavily utilized hubs — and impacted key services such as DynamoDB, EC2, Lambda, and SQS.

As services in all these started failing the spread was wide and impacted AWS’s internal infrastructure and external applications, affecting end-user experiences who were on Snapchat, Pinterest, Fortnite, Signal etc.
Earlier it happened in the same region US-East-1. If we go by history (2017, 2021 & 2023).

The outage echoes shed light on the most crucial point, i.e. over reliance on single point of cloud infrastructure. AWS pointed on DNS issues and admitted global services or features that rely on US-EAST-1 endpoints, such as IAM updates and DynamoDB Global tables, “may also be experiencing issues.”

DNS Issue resolved as per AWS:

After the disruption and AWS says the DNS issue has “been fully mitigated”, and most AWS Service operations are succeeding normally now. However, it added that some requests may be throttled “while we work toward full resolution.”

Technical Analysis AWS Disruption:

The investigation revealed how a control plane failure in the US-EAST-1 region, triggered by an unexpected behavior within AWS’s internal load balancing and routing layer. So a configuration change happened in the service responsible for metadata and service discovery propagated inconsistently.

This lead to authentication and routing failures for dependent instances and services which further expanded and caused choke and resource exhaustion across interdependent services like EC2, Lambda, and S3, all of which rely on low-latency internal communication.

The largest hit services

The heaviest‑hit services by report count included Snapchat (~3M), AWS itself (~2.5M), Roblox (~716k), Amazon retail (~698k), Reddit (~397k), Ring (~357k) and Instructure (~265k). The UK alone generated more than 1.5M reports, far exceeding a typical day’s ~1M global baseline across all markets, highlighting both the unique intensity and breadth of this event.

Country wise bifurcation on AWS outage & results

(Image sources: Revealing the Cascading Impacts of the AWS Outage | Ookla®)

What amplified the disruption of AWS

All apps we are using are mostly chain together managed services like storage, queues, and serverless functions. If DNS cannot reliably resolve a critical endpoint (for example, the DynamoDB API involved here), errors cascade through upstream APIs and cause visible failures in apps users do not associate with AWS. That is precisely what Downdetector recorded across Snapchat, Roblox, Signal, Ring, HMRC, and others.

Cloud infrastructure should be of national importance

The AWS outage/ disruption highlighted how cloud infrastructures are not risk free and over dependence eon single point. Any fault in the infrastructure stack on which everything else depends and from which failures can trigger and subsequent redundancy.

The need of the hour is to recognize that Cloud infrastructure should be of national importance and any failure on the entire stack can be overcome with systematic approach. This will require by pulling down or dismantling each part and diversify the route so that on event of outage , the rest of the part of can be recovered by not depending on single point of the platform.

Organizations relying solely on a single AWS region or without robust multi-region, multi-cloud, or hybrid failover mechanisms faced significant downtime and operational risk, a wake up call for governments.

Various government across Europe recognized the risk associated with cloud infrastructure introduced policy’s for e.g., EU’s flagship Digital Operational Resilience Act (DORA) introduces EU-level oversight of critical ICT third-party providers, while the UK’s Critical Third Parties act for finance. These tool kits will act as balancers when it comes to reporting, stress management, incident reporting and adhering to transparency that is required as mandate.

Why Network resilience is important ?

The AWS disruption highlighted importance of network resilience. The reason being network resilience prevents single points of failure with backup systems and alternative pathways. Further this helps to adapt to sudden increases in demand without degrading performance. At the same time efficiently reallocates resources and adapts to changing conditions.

Vulnerability Tracked in Oracle is being Exploited; CISA

CISA, the cyber security agency from US has added a serious vulnerability in Oracle E-Business Suite.As per CISA the flaw tracked in an Oracle E-Business Suite flaw tracked as CVE-2025-61884 is being exploited in attacks, adding it to its Known Exploited Vulnerabilities catalog.

Vulnerability CVE-2025-61884

Oracle published CVE-2025-61884, a server-side request forgery (SSRF) vulnerability in the Oracle Configurator runtime component, on October 11.

The bug received a CVSS score of 7.5 and does not require authentication to exploit. According to the company, attackers can use this vulnerability to gain “unauthorized access to critical data or full access to all Oracle Configurator data.”

Government organizations in the US must install patches before November 10. However, Oracle itself has not yet confirmed the exploitation.

In early October, Mandiant revealed that the Clop ransomware gang had begun sending extortion emails to companies, claiming that they had stolen data from Oracle E-Business Suite instances using zero-day flaws.

Oracle responded to this news by stating that the threat actors had exploited previously patched flaws disclosed in July.

As per Bleeping computers CVE-2025-61884 addresses the flaw by validating an attacker-supplied “return_url” using a regular expression. If the validation fails, the request is blocked.

To this day, it remains unclear why Oracle listed the ShinyHunters exploit as an IOC for CVE-2025-61882, when it is actually intended for CVE-2025-61884.
Oracle EBS under attack

Orcale E-Business Suit is under targeted atatck by threat actors and investigations by various research teams from Mandiant and Crowdstrike revealed that Oracle EBS had been targeted in two different campaigns.

July campaign: Used an exploit that targeted an SSRF flaw in the “/configurator/UiServlet” endpoint, which is now confirmed as CVE-2025-61884.
August campaign: Used a different exploit against the “/OA_HTML/SyncServlet” endpoint, and was fixed under CVE-2025-61882 through mod_security rules to block the endpoint and by stubbing out the SYNCSERVLET class. This flaw is attributed to Clop.

Oracle disclosed CVE-2025-61884 on October 11 but did not confirm whether it had been exploited, despite having fixed the exploit used in the July attacks. Earlier when the vulnerability CVE-2025-61884 was discovered concerns an information disclosure flaw in the Runtime UI component.

Last week Oracle released an emergency patch this weekend for a critical vulnerability in E-Business Suite. This software flaw can be exploited by attackers without authentication to steal sensitive data.Oracle has assigned the vulnerability a CVSS score of 7.5, which underscores the severity of the problem.

CISA also confirmed that five new vulnerabilities are actually being used to attack systems in the real world. These 5 new CVE’s hit everything from business apps to CMS platforms to core Windows components.

These are

Oracle EBS bugs give attackers an unauthenticated RCE path and data access through SSRF.
The SMB flaw enables lateral movement inside networks.
The Kentico pair lets attackers take over CMS environments used for staging and publishing.
The Apple vulnerability shows the ongoing risk of legacy systems that missed critical patches.

Threat Mitigation by Oracle E Business Suit when hunting for Threat indicators

• Look for weird patterns in Oracle EBS requests – could be a SSRF issue

• See if there are any spikes in SMB share privileges & check Kentico logs for anything fishy

• Browser logs are the place to look for JavaScriptCore crashes or just weird execution

Oracle released critical patch for a wide range of products and this include

The Critical Patch Update provides security updates for a wide range of product families: Oracle Database Server, Oracle Application Express, Oracle Blockchain Platform, Oracle GoldenGate, Oracle NoSQL Database, Oracle REST Data Services, Oracle Commerce, Oracle Communications Applications, Oracle Communications, Oracle Construction and Engineering, Oracle E-Business Suite, Oracle Enterprise Manager, Oracle Financial Services Applications, Oracle Fusion Middleware, Oracle Analytics, Oracle Health Sciences Applications, Oracle HealthCare Applications, Oracle Hospitality Applications, Oracle Hyperion, Oracle Insurance Applications, Oracle Java SE, Oracle JD Edwards, Oracle MySQL, Oracle PeopleSoft, Oracle Retail Applications, Oracle Siebel CRM, Oracle Supply Chain, Oracle Systems, Oracle Utilities Applications, and Oracle Virtualization.

Sources: CISA confirms hackers exploited Oracle E-Business Suite SSRF flaw

October 2025 Critical Patch Update Released | security

Unpatched Systems, Software’s Exposes Business to Cyber Threats

Remember when Qantas, Australia’s flagship airline confirmed a cyberattack exposing data from its frequent flyer program and customer accounts. The data was upto 6 million, which is staggering in number. This means any kind of exploits are malicious programs designed to take advantage of bugs or vulnerabilities in unpatched software or operating systems to gain unauthorised access. When left unpatched, these weak points act as open doors for cybercriminals.

Kaspersky research shows that the share of exploits targeting critical vulnerabilities in operating systems reached 64% in Q2 2025 (up from 48% in Q1 2025), with third-party apps (29%) and browsers (7%) following.

Unpatched Systems, Software’s exposes Business to Cyber Threats

The breach originated from a third-party customer service platform, proving that even indirect systems can expose millions of records we all knew. This was a clear case how unpatched software’s but Qantas denied any of its service platform was vulnerable and there was no sign the platform was compromised.

Similarly 1.5 billion records across 760 global companies record exposed to data breach when Salesforce was hit and the hacking group claimed to have breached Salesforce through compromised integrations with third-party tools like Drift and SalesLoft, stealing huge amounts of CRM data. And as recent Salesloft Drift cyberattack may have also compromised some Google Workspace accounts.

The above case are all about software vulnerabilities when left unpatched. Latest data from cybersecurity and privacy company Kaspersky revealed that existing vulnerabilities in business networks continue to leave Malaysian enterprises exposed to cyberattacks.

Globally, in Q2 2025, the most common exploits targeted vulnerable Microsoft Office products with unpatched security flaws, according to Kaspersky’s findings. Its solutions detected the most exploits on the Windows platform for the following vulnerabilities:

CVE-2018-0802: Remote code execution vulnerability in the Equation Editor component
CVE-2017-11882: Another remote code execution vulnerability in Equation Editor
CVE-2017-0199: Vulnerability in Microsoft Office and WordPad allowing attackers to gain control of the system

(Source: Kaspersky: Unpatched Systems Expose Malaysian Businesses To Exploits – TechTRP)

The report also revealed that the top 10 most exploited vulnerabilities included both new zero-day flaws and older unpatched issues that organisations continue to overlook. A zero-day vulnerability is a software flaw discovered by attackers before the vendor is aware of it. As no patch exists at the time, zero-day attacks often succeed.

Key findings from Kaspersky reports to secure your unpatched systems

Increased Exploitation: In the first half of 2025, more Windows and Linux users encountered vulnerability exploits compared to the previous year.
Targeted Vulnerabilities: Common exploits in Q2 2025 targeted Microsoft Office products with unpatched security flaws, such as those in the Equation Editor (CVE-2018-0802 and CVE-2017-11882).
End of Support: The end of free support for Windows 10 means millions of users will no longer receive critical security patches, leaving their systems vulnerable to new threats.
High volume of attacks: Kaspersky solutions blocked over 700,000 exploits targeting Indian organizations in the first half of 2025, averaging more than 4,000 per day

“Attackers increasingly use methods to escalate privileges and exploit weaknesses in digital systems. As the number of vulnerabilities continues to grow, it is very important to constantly prioritize patching known vulnerabilities and use software that can mitigate post-exploitation actions. CISOs should counter the consequences of exploitation by searching for and neutralizing command and control implants that can be used by attackers on a compromised system,” says Alexander Kolesnikov, a security expert at Kaspersky.

What Businesses can do to remain Secure from Cyber threats when systems are unpatched?

For legacy systems and applications there is a lack ongoing vendor support, leaving remote code execution vulnerabilities open for exploitation. These attacks enable full system control with little user interaction.

How to Fix:

Apply host-based intrusion prevention and patch virtualization and replace or containerize legacy apps. It is important to isolate critical workloads in secure enclaves as being in legacy catagory they are prone to any kind of cyber threats and intrusion.

Follow more below recommendations

Conduct 24/7 monitoring of your infrastructure, focusing on perimeter defenses and using tools that can detect and block malicious software.

Utilize solutions for vulnerability assessment, patch management
Prioritize defense strategies & threat detection like phishing emails and web threats
Deploy comprehensive cybersecurity solutions that include incident response, employee training, and access to updated threat intelligence.
Implement a robust patch management process

Cyber Threats in Maritime Domain; National Security in Focus at Delhi Seminar

Seminar Titled ‘Impact of Cyber Attacks on Maritime Sector and its Effects on National Security and International Relations’

The event in Delhi organized by Indian Navy and address cyber threat on the Maritime domain and how the threats are aligned to national security and their impact.

The event organized at a time when geo -politics is evolving and the seminar aims to deepen understanding of cyber threats in the maritime domain and foster collaboration amongst key stakeholders to enhance cybersecurity and strengthen the national cybersecurity posture.

Cyber threats evolving and looming above the maritime sector as the Maritime industry steps into the world of cyber risk. The cyber risk is vast and includes array of ransomware capable of shutting down port operations to GPS, halting steering vessels as hackers are get more creative.

Any cyberthreat on maritime sector also involves national security and is not isolated and target of cyber criminals. Maritime security involves trade, global logistics, oil and gas, defense which are major reasons to map maritime cyber threat to national security.

With an aim to deepen understanding of cyber threats in the maritime domain, the Indian Navy is organized the seminar.

The seminar, titled ‘Impact of Cyber Attacks on Maritime Sector and Its Effects on National Security and International Relations’, aims to foster collaboration among key stakeholders to enhance cybersecurity and strengthen the national cybersecurity posture.

Minister of State for IT Ministry, Jitin Prasada, deliver the keynote address during the inaugural session. The seminar will feature panel discussions each led by distinguished experts from the ministries and organizations.

The seminar aims to advance Hon’ble PM’s vision of MAHASAGAR (Mutual and Holistic Advancement for Security and Growth Across the Regions) by reinforcing a safe, secure cyberspace, and echoes the call for ‘Aatmanirbhar Bharat’ through indigenous, secure-by-design digital systems and robust public-private partnership.

Aligned with Maritime India Vision 2030 and the Amrit Kaal Vision 2047, the seminar positions cybersecurity as a core enabler of port-led growth, smart logistics, offshore energy security, and mission critical naval operations.

These include the Ministry of Ports, Shipping and Waterways, the Ministry of Petroleum and Natural Gas (MoPNG), the National Security Council Secretariat (NSCS), the Gas Authority of India Limited (GAIL), the Directorate General of Hydrocarbons (DGH), the Indian Computer Emergency Response Team (CERT-In), the National Critical Information Infrastructure Protection Centre (NCIIPC), and the National Maritime Foundation (NMF) as well as leaders from private organisations.

The topics for panel discussions are ‘Global Cyber Threats to Maritime Infrastructure,’ ‘Civil and Military Partnership,’ and ‘Maritime Sector as Critical Information Infrastructure’.

New Stealit Malware Campaign Leveraged VPN installers to Exploit Node.js as per Fortinet

Cyber criminals are installing Stealit malware campaign that leverages VPN installers to exploit Node.js’ Single Executable Application (SEA) features and distribute its payloads. In the past Stealit campaigns were built using Electron, an open-source framework that packages Node.js scripts as NSIS installers for distribution.

As per Fortinet cyber criminals deployed a new active Stealit malware campaign deploying via disguised applications.

Malware campaign are now designed and placed in such a way are mostly AI-generated, legitimate-looking code to infiltrate systems. These malwares can evade detection and gain persistent access to maximize disruption worldwide.

Researchers observed that filenames this malware is used and distributed as disguised installers for games and VPN applications. This was same as observed in previous campaigns.

How the campaign was devised?

First the cyber criminals gained initial access is gained via fake game and VPN installers bundled in PyInstaller and common compressed archives. Then uploaded to file-sharing sites such as Mediafire and Discord.

The threat actor then employed heavy obfuscation and numerous anti-analysis techniques to evade detection and complicate analysis.

Purpose of Stealit Campaign

The present situation are making attackers more desperate try to integrate these malware in games, demo s to make them appear legitimate. In some situations, the game might be real but one cannot deny presence of malware.

These files look safe, but they are designed to run code that steals credentials, drains cryptocurrency wallets, or takes over accounts.

In some cases, attackers slip the malware into an update after release so it’s not suspicious from the get-go. Other times, they redirect players off a storefront to an external download that evades platform checks.

When the malware binary was updated, Stealit has relocated its panel website to new domains. When reserachers first observed this campaign, the panel—also functioning as the Command-and-Control (C2) server—was hosted at stealituptaded[.]lol. As per researchers the domain quickly became inaccessible as the C2 server was moved to iloveanimals[.]shop.

Accessing the panel leads to a commercial website for Stealit, which promotes itself as offering “professional data extraction solutions” through various subscription plans.

A dedicated features page outlines its capabilities, highlighting typical remote access trojan (RAT) functionalities such as file extraction, webcam control, live screen monitoring, and ransomware deployment targeting both Android and Microsoft Windows systems. The site also features instructional videos that demonstrate how the service operates on each platform.

The website offers payment plans for the Windows and Android versions of the stealer, with lifetime subscriptions available for approximately $ 500 and $ 2,000, respectively.

The service also has a Telegram channel named StealitPublic, where they post updates and promotions to possible clients. The main contact person is a Telegram user with the handle @deceptacle.

Operators of the malware have also imbued the latest Stealit variant with heavily obfuscated code and comprehensive anti-analysis checks. Such findings were regarded by Bugcrowd Chief Strategy and Trust Officer Trey Ford as indicative of an evolving focused cyber campaign.

At the end we should remember that threat actors can time their campaigns for maximum effect and any time new content could appear and any hype paves way for “early access” invites much more believable.

We often or might encounter weather On Discord or Telegram, attackers rely on social engineering and compromise accounts by sending messages as ‘try our game” and subsequently that messages also reach friends.

Victims often trust the sender and install the file this extends the scam’s reach.

(Reference: https://www.fortinet.com/blog/threat-research/stealit-campaign-abuses-nodejs-single-executable-application)

Cyber Campaign by Hacker’s on Microsoft teams invites to execute “device code phishing” attacks

Microsoft Teams have been on top of prime targets by threat actors and this time a Cyber campaign by Storm-2372 a hacking group targeted Microsoft Teams, a platform where collaboration and meeting is most sought after while inviting for meeting and executing “device code phishing” attacks.

The cyber campaign targets governments, NGOs, IT services, defense, telecommunications, health, education, and energy sectors across Europe, North America, Africa, and the Middle East. Microsoft Threat Intelligence team has rounded up and hardened the Teams environment, with countermeasures and controls across identity, endpoints, and network layers.

“It should come as no surprise that if they can build a persona for social engineering, they will take advantage of the same resources as legitimate organizations, including custom domains and branding, especially if it can lend credibility to impersonating internal help desk, admin, or IT support,” Microsoft explains.

Prime Target of Hackers

The attack pattern reveal type of social engineering campaign, which often combines a traditional email spam campaign with Microsoft Teams-based manipulation.

The primary target of hackers is to use convincing pretexts to compromise targets through chat messaging or phone calls. But for actual compromise and initial access on Teams, hackers will need to deliver information-stealing malware, which leads to credential theft, extortion, and ransomware.

As Microsoft Team is popular it is also a carrier of Malware which are mostly information stealing. Microsoft noted the rise in email bombing (sending large volumes of emails) to create a sense of urgency.

Not one but many hacking groups have previously targeted Microsoft teams of which Russian hackers from Midnight Blizzard have been imitating security and tech support teams. The hackers urging targets to “verify their identities under the pretext of protecting their accounts by entering authentication codes.”

Microsoft noted the rise in email bombing (sending large volumes of emails) to create a sense of urgency. These emails prompt recipients to authenticate using the provided device code on Microsoft’s legitimate login page.

The threat actor targets the victim, allows him to complete authentication then intercepts the access and refresh tokens generated during the process.

(Image courtesy: Cybersecuritynews.com)

Threat Mitigation strategies:

Any suspicious activity if detected, revoke user refresh tokens using revokeSignInSessions.
Important to Enforce MFA and block risky sign-ins based on user behavior.
FIDO tokens or passkeys instead of SMS-based MFA must be adopted
Integrate streamlined monitoring and response with on-premises directories .

The attackers’ intent was to convince users to download the remote monitoring and management (RMM) tool, AnyDesk, which would give them initial access to the target environment with the ultimate aim of deploying ransomware.

DoW Announced Implementation of CSRMC to Deliver Real Time Cyber Defense, Address Legacy Shortcomming’s

Managing cyber risk across the cyber security set up of an enterprise is harder than ever and keeping architectures and systems secure also compliant can be challenging and over whelming.

DoW (Deprtament of war) recently announced implementing of a groundbreaking Cybersecurity Risk Management Construct (CSRMC).

This is a transformative framework to deliver real-time cyber defense at operational speed and its five-phase construct that ensures a hardened, verifiable, continuously monitored and actively defended environment to ensure that U.S. warfighters maintain technological superiority against rapidly evolving cyber threats.

In comparison the previous Risk management framework dependent on static checklists and manual processes . The framework failed to account for operational needs and cyber survivability requirements.

How (CSRMC) is going to address legacy infrastructure shortcoming?

CSRMC addresses these gaps by shifting from “snapshot in time” assessments to dynamic, automated, and continuous risk management, enabling cyber defense at the speed of relevance required for modern warfare.

The construct is composed of a five-phase lifecycle and ten foundational tenets.

The Five-Phase Lifecycle

The new construct organizes cybersecurity into five phases aligned to system development and operations:

Design Phase – Security is embedded at the outset, ensuring resilience is built into system architecture.
Build Phase – Secure designs are implemented as systems achieve Initial Operating Capability (IOC).
Test Phase – Comprehensive validation and stress testing are performed prior to Full Operating Capability (FOC).
Onboard Phase – Automated continuous monitoring is activated at deployment to sustain system visibility.
Operations Phase – Real-time dashboards and alerting mechanisms provide immediate threat detection and rapid response.

Ten Foundational Tenets

The CSRMC has 10 core principal

Automation – driving efficiency and scale
Critical Controls – identifying and tracking the controls that matter most to cybersecurity
Continuous Monitoring and ATO – enabling real-time situational awareness to achieve constant ATO posture
DevSecOps – supporting secure, agile development and deployment
Cyber Survivability – enabling operations in contested environments
Training – upskilling personnel to meet evolving challenges
Enterprise Services & Inheritance – reducing duplication and compliance burdens
Operationalization – ensuring stakeholders near real-time visibility of cybersecurity risk posture
Reciprocity – reuse assessments across systems
Cybersecurity Assessments – integrating threat-informed testing to validate security

“This construct represents a cultural fundamental shift in how the Department approaches cybersecurity,” said Kattie Arrington, performing the duties of the DoW CIO. “With automation, continuous monitoring, and resilience at its core, the CSRMC empowers the DoW to defend against today’s adversaries while preparing for tomorrow’s challenges.”

With the above tenants DoW is ensuring cyber survivability and mission assurance in every domain,air, land, sea, space, and cyberspace.

Addressing Cyber security risk management

Cybersecurity risk management isn’t simply the job of the security team; everyone in the organization has a role to play. Often siloed, employees and business unit leaders view risk management from their business function.

Intru360 gives security analysts and SOC managers a clear view across the organization, helping them fully understand the extent and context of an attack. It also simplifies workflows by automatically handling alerts, allowing for faster detection of both known and unknown threats.

Identify latest threats without having to purchase, implement, and oversee several solutions or find, hire, and manage a team security analyst. Unify latest threat intelligence and security technologies to prioritize the threats that pose the greatest risk to your company.

GaarudNode is an all-in-one solution designed to empower development teams with the tools they need to secure their applications throughout the development lifecycle. By combining the power of SAST, DAST, SCA, API security, and CSPM, GaarudNode provides a comprehensive security framework that ensures your applications are built, tested, and deployed with confidence.

Mirage Cloak offers various deception methods to detect and stop threats before they cause damage. These methods include adding decoys to the network, deploying breadcrumbs on current enterprise assets, using baits as tripwires on endpoints, and setting up lures with intentionally misconfigured or vulnerable services or applications. The flexible framework also lets customers add new deception methods as needed.

BISO Analytics stands out as the pioneering security analytics platform designed to assist enterprises in effectively handling their first-party, third-party, and emerging risks, all within a single platform. This comprehensive solution facilitates a quicker and safer progression for your business.

By adopting a groundbreaking approach, BISO Analytics integrates open, data-centric cyber risk management practices, offering organizations a consolidated view of their cyber risk landscape across the entire attack surface.

BISO Analytics empowers CXO, mid-management, and operational teams with real-time, reliable, and defensible data that not only complies with regulatory standards but also aligns with the expectations of the board regarding safeguarding shareholder value and fortifying the business.

Why it is important to implement cybersecurity risk management at organisational level

Having an effective cybersecurity risk management program can only be implemented in an organization through a structured process. This requires careful planning, resource allocation and commitment to improving security framework.

Registering documents that assess risk related activities include high asset inventories like all systems and data. When risk are registered it contain records of determined risk, data theft or results of assessment and planned treatments.

Organizations that possess all documentation involving controls and their implementation level. In this scenario organizations actually understands what exactly is risk assessment and identifying what can go wrong in an organization’s system either anything that is via threats, vulnerabilities and their possible impact.

As the saying goes we can’t protect what you don’t understand and one can’t manage what they don’t assess.

Visit our website for more informed details on our products.

(Source: www.miragenews.com/war-dept-unveils-new-cybersecurity-risk-1540279/)