Application security

Security Advisory

Apache Parquet Java Vulnerability Enables Remote Code Execution via Avro Schema 

Summary Security Advisory:

A high-severity remote code execution (RCE) has been identified in Apache Parquet Java, specifically within the parquet-avro module. Discovered by Apache contributor Gang Wu, this vulnerability affects all versions up to and including 1.15.1 and can allow attackers to execute arbitrary code when a system processes a specially crafted Parquet file. The issue is fixed in version 1.15.2. 

OEM Apache 
Severity High 
CVSS Score Not Available 
CVEs CVE-2025-46762 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

Apache Parquet is an open-source, columnar storage format designed for efficient data processing, widely used by big data platforms and organizations engaged in data engineering and analytics.

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
Remote Code Execution vulnerability  CVE-2025-46762 Apache Parquet Java  High  1.15.2 

Technical Summary 

CVE-2025-46762 arises from insecure schema parsing logic in the parquet-avro module of Apache Parquet Java. When the application uses the “specific” or “reflect” Avro data models to read a Parquet file, malicious actors can inject specially crafted metadata into the Avro schema portion of the file.

Upon deserialization, the system may inadvertently execute code from Java classes listed in the default trusted packages (e.g., java.util), resulting in remote code execution. The vulnerability is not present when using the safer “generic” Avro model. 

CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-46762  Apache Parquet Java ≤1.15.1 Insecure deserialization in the parquet-avro module allows execution of arbitrary Java classes when processing Parquet files with embedded malicious Avro schemas. The issue is exploitable only when using the “specific” or “reflect” data models, and relies on the presence of pre-approved trusted packages like java.util.  Remote Code Execution (RCE), potential supply chain compromise, unauthorized code execution. 

Conditions for Exploitation: 

  • Applications must use parquet-avro to read Parquet files. 
  • The Avro “specific” or “reflect” deserialization models are used (not “generic”). 
  • Attacker-supplied or untrusted Parquet files are processed by the system. 

This creates significant risk in data processing environments such as Apache Spark, Flink, and Hadoop, where external Parquet files are commonly ingested. 

Remediation

  • Upgrade to Apache Parquet Java version 1.15.2: This version addresses the vulnerability by tightening controls around trusted packages and blocking unsafe deserialization. 
  • For users unable to upgrade immediately: apply the following JVM system property to disable trusted package deserialization: 

-Dorg.apache.parquet.avro.SERIALIZABLE_PACKAGES=”” 

Conclusion: 
CVE-2025-46762 presents a significant RCE threat within big data ecosystems that use Apache Parquet Java with the parquet-avro module. Systems relying on unsafe deserialization patterns are especially at risk. Prompt patching or configuration hardening is strongly recommended to safeguard against exploitation. 

References

Blogs

Frequency & Sophistication of DDoS Attack rise to198% in 1stQ 2025

Ways to protect enterprise assets and infrastructure is not only a CISO’s responsibility but a cause of worry for CXO, CTO ‘s as a powerful DDoS attack can cause havoc on revenues, productivity and reputation.

Threat mitigation from any DDoS attack, requires services from secured and trusted partners who can offer expertise and scale whenever required to mitigate the threats that emerge from DDoS attack.

This is also important from cost point of view as large enterprise bear the burnout and it requires expertise to constantly monitor and clean the traffic that get routed to customer network.

It is important organization find service oriented partners who have skilled networking capacity and processing power so that in face of attack, they can automatically respond to DDoS attacks, detect and mitigate.

According to MazeBolt research, even the best DDoS protections leave enterprises highly exposed. Typically, large-scale, global organizations are only 60% protected – leaving the door wide open for cybercriminals to exploit the gaps.

Statistics show from past DDoS attacks have taken down large services like Spotify, GitHub, Microsoft services like Outlook and OneDrive.

According to new data released by Netscout, distributed denial of service (DDoS) attacks are on the rise. There were 17 million such attacks in 2024 – up from 13 million the year before. It’s an astonishing rise that has big implications for your business.

Defining DDoS attack

When a cyber criminal or malicious actor push for a service with additional requests than it can handle, making the resources unavailable and non-functional subsequently bringing it down.

In cases DDoS attack forcefully shuts a website, network, or computer offline by overloading it with requests. We often hear Black Friday sales out in big giant displays, these often drive a lot of internet traffic towards the brand or one destination at once.

A DDoS attack works when several different IP addresses target the same platform at same time that can overwhelm the server in question and bring it down.

Often, this attack is carried botnets which are a collection of devices when infected with malware, they can controlled remotely by cyber criminals. DDoS attack is executed by several different actors at the same time.

Increase in DDoS Attack in 2025

DDoS attacks increased by 198% compared to the last quarter of 2024 and by 358% compared to the same quarter last year.

On April 3 attack targeted an unnamed online betting organization, lasting around 90 minutes, starting at 11:15 with a surge of 67Gbps, before escalating sharply to 217Gbps by 11:23, and peaked just short of 1Tbps at 965Gbps by 11:36.

Research shows A total of 20.5 million DDoS attacks were stopped during the period, of which 6.6 million attacks were directly targeted at Cloudflare’s infrastructure. Gaming servers were the most popular target for DDoS attacks. Attack patterns remains spotted during the 2024 UEFA European Football Championship, held in Germany, where spikes in DDoS activity also targeted online betting sites.

In Geopolitics DDoS has emerged as a tool that is often and can be abused to target attacks.

According to research by NETSCOUT, the second half of 2024 saw almost 9 million DDoS attacks, a 12.75% increase from the first six months. Israel in particular saw a 2,844% increase in attacks, seeing a high of 519 in one day.

The above mentioned Russian hacking group, NoName057(16), focused primarily on government services in the UK, Belgium, and Spain. Georgia also saw a 1,489% increase in attacks in the lead up to the “Russia Bill”, highlighting its use as a political weapon.

Network-layer DDoS attacks were the primary driver of the overall surge. In Q1 2025, 16.8 million of these attacks were blocked, representing a 509% year-over-year rise and a 397% increase from the prior quarter.

Hyper-volumetric attacks, defined as those exceeding 1 terabit per second (Tbps) or one billion packets per second (Bpps), have become increasingly common. Cloudflare reported approximately 700 such attacks during the quarter, averaging about eight per day.

Major targets of DDoS attack

Globally, there have been notable changes in the most-targeted locations. Germany moved up four spots to become the most attacked country in Q1 2025.

Turkey made an 11-place jump to secure second position, while China dropped to third. Hong Kong, India, and Brazil also appeared among the top most-attacked countries, with movements seen across several regions in the rankings. Australia, for its part, remained outside the global top ten.

Industries facing the most pressure have shifted this quarter as well. The Gambling & Casinos sector moved to the top position as the most targeted industry, after climbing four places.

Telecommunications dropped to second, and Information Technology & Services followed in third.

Other industries experiencing notable increases in attacks included Cyber Security, which jumped 37 places, and Airlines, Aviation & Aerospace. In Australia, the industries facing the most attacks were Telecommunications, Information Technology and Services, Human Resources, and Consumer Services.

The report detailed attack vectors and trends, showing that the most common technique at the network layer remains SYN flood attacks, followed by DNS flood and Mirai-launched attacks.

Among HTTP DDoS attacks, more than 60% were identified and blocked as known botnets, with others attributed to suspicious attributes, browser impersonation, and cache busting techniques.

Cloudflare observed significant surges in two emerging attack methods. CLDAP reflection/amplification attacks grew by 3,488% quarter-over-quarter, exploiting the connectionless nature of the protocol to overwhelm victims with reflected traffic.

Similarly, ESP reflection/amplification attacks rose 2,301%, underscoring vulnerabilities in systems using the Encapsulating Security Payload protocol.

Despite the increase in the volume and size of attacks, the report noted that 99% of network-layer DDoS attacks in Q1 2025 were below 1 Gbps and one million packets per second.

Likewise, 94% of HTTP attacks fell below one million requests per second. Most attacks were short-lived, with 89% of network-layer and 75% of HTTP attacks ending within 10 minutes, but the impact can persist much longer due to the resulting service disruptions.

Addressing the rise of DDoS attack & Mitigation solution

DDoS attack intends to disrupt some or all of its target’s services there are variety of DDoS attacks. They are all uniquely different. There are three common types of DDoS attacks:

  • Volumetric (Gbps)
  • Protocol (pps)
  • Application layer (rps) attacks.

An effective DDoS attack is launched when near by network detects easily the cheap IoT devices like toys, small appliances, thermostats, security camera and Wi-Fi routers. These devices makes it easy to launch an effective attack that can have massive impact.

Threat Mitigation of DDoS attack

Application Layer attacks can be detected early with solutions by monitoring visitor behavior, blocking known bad bots and constant testing.

To do this more effectively Intrucept recently launched Cyber Analytics platform

Cyber Analytics platform 𝘀𝗲𝗮𝗺𝗹𝗲𝘀𝘀𝗹𝘆 𝗯𝗿𝗶𝗻𝗴𝘀 𝘁𝗼𝗴𝗲𝘁𝗵𝗲𝗿 𝘁𝗵𝗲 𝗽𝗶𝗹𝗹𝗮𝗿𝘀 𝗼𝗳 𝗺𝗼𝗱𝗲𝗿𝗻 𝗰𝘆𝗯𝗲𝗿 𝘀𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗶𝗻𝘁𝗼 𝗼𝗻𝗲 𝘂𝗻𝗶𝗳𝗶𝗲𝗱 𝗲𝗰𝗼𝘀𝘆𝘀𝘁𝗲𝗺 𝗶.𝗲. 𝗯𝗲𝘀𝘁-𝗶𝗻-𝗰𝗹𝗮𝘀𝘀 𝗮𝘀 𝘀𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗽𝗿𝗼𝗱𝘂𝗰𝘁𝘀.

✅ XDR (Extended Detection & Response)
✅ Next-Gen SIEM (Security Information & Event Management)
✅ SOAR (Security Orchestration, Automation & Response)
✅ Threat Intelligence
✅ AI-Powered Security Analytics
𝗖𝘆𝗯𝗲𝗿 𝗔𝗻𝗮𝗹𝘆𝘁𝗶𝗰𝘀 𝗱𝗲𝗹𝗶𝘃𝗲𝗿𝘀:
Real-time threat detection across endpoints, cloud, networks, and apps
Automated incident response to reduce MTTR & human fatigue
AI-driven insights to power proactive, risk-based decision-making
Built for agility, scalability & actionable intelligence; our platform gives security teams the edge required to move from playing catch-up to staying ahead.
𝗖𝘆𝗯𝗲𝗿 𝗔𝗻𝗮𝗹𝘆𝘁𝗶𝗰𝘀 𝗿𝗲𝗽𝗿𝗲𝘀𝗲𝗻𝘁𝘀 𝗮 𝘀𝘁𝗲𝗽 𝗳𝗼𝗿𝘄𝗮𝗿𝗱 𝗶𝗻 𝗮𝗰𝗵𝗶𝗲𝘃𝗶𝗻𝗴 𝗯𝗲𝘁𝘁𝗲𝗿 𝘀𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗼𝘂𝘁𝗰𝗼𝗺𝗲𝘀.

Sources; Targeted by 20.5 million DDoS attacks, up 358% year-over-year: Cloudflare’s 2025 Q1 DDoS Threat Report

DDoS attacks have skyrocketed 358% year-over-year, report says

Security Advisory

Spoofing Vulnerability in WhatsApp Desktop for Windows

Summary 

Be careful when you open that file in whatapp, it might have that spoofing flaw allowing Arbitrary Code Execution (CVE-2025-30401) and affects all versions of WhatsApp Desktop for Windows prior to 2.2450.6, and stems from a bug .

Overview 

The vulnerability has been fixed in version 2.2450.6. WhatsApp has and will always be an attractive field for attackers and this particular bug does require user interaction – the victim has to manually open the malicious attachment for the payload to run.

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
 Spoofing Vulnerability  CVE-2025-30401  WhatsApp Desktop for Windows  Medium  2.2450.6 

Technical Summary 

The vulnerability results from WhatsApp for Windows’s different handling of attachments. It opens files depending on their filename extension while displaying files based on their MIME type. This mismatch allows attackers to spoof file types and trick users into launching malicious executables. 

Example Scenario: 

An attacker sends a file named cat.jpg.exe with a MIME type of image/jpeg. WhatsApp displays the file as an image (because of the MIME type), misleading the user. If the user manually opens the attachment from within WhatsApp, Windows uses the .exe extension to execute the file — potentially launching malicious code. 

This form of UI spoofing can be especially effective in group chats, where malicious attachments may be distributed widely and appear harmless. 

CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-30401   WhatsApp Desktop for Windows (<2.2450.6)  MIME type used for display, but file extension used for execution.

A mismatch between the two could allow a file to appear harmless (e.g., image), while actually being executable (e.g., .exe). 		 Remote Arbitrary code execution 

Remediation

  • Official Patch Available: The vulnerability has been resolved by Meta (formerly Facebook). Users should update WhatsApp for Windows to version 2.2450.6 or latest version. 

Conclusion: 

CVE-2025-30401 is a key example of how inconsistent file processing in the user interface can result in serious security threats. Attackers can create misleading payloads that can run arbitrary code by taking advantage of users’ faith in how apps display attachments.

Due to the possibility of remote exploitation, users should update to the latest WhatsApp version 2.2450.6 or later. Patching should be done right away to avoid any compromise. 

Be careful when you click attachments.

References: 

Security Advisory

3 Zero-Day Vulnerabilities backported & fixed in Apple Devices

Summary 

3 Zero-Day Vulnerabilities backported & fixed in Apple Devices

Apple backported fixes for three vulnerabilities that have come under active exploitation in the wild to older models and previous versions of the operating systems.

OEM Apple 
Severity High 
CVSS Score 8.8 
CVEs CVE-2025-24201, CVE-2025-24085, and CVE-2025-24200. 
No. of Vulnerabilities Patched 03 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

Apple has released an urgent security advisory concerning three zero-day vulnerabilities currently being actively exploited: CVE-2025-24200, CVE-2025-24201, and CVE-2025-24085. These vulnerabilities affect a range of Apple devices, such as iPhones, iPads, Macs, and other platforms. Users are strongly urged to update to the latest patched versions to reduce security risks. 

Vulnerability Name CVE ID Product Affected Severity CVSS Score 
WebKit Out-of-Bounds Write Vulnerability  CVE-2025-24201 iOS, macOS, visionOS, Safari  High  8.8 
Use-After-Free Vulnerability  CVE-2025-24085 iOS, iPasOS, macOS, watchOS, tvOS  High  7.8 
Incorrect Authorization Vulnerability  CVE-2025-24200  iOS, iPadOS  Medium  6.1 

Technical Summary 

Apple’s latest security update patches three Zero-Day vulnerabilities that hackers were actively exploiting. These vulnerabilities could allow attackers to bypass security protections, making devices more vulnerable. One of the vulnerabilities enables remote code execution, letting attackers run malicious programs. Another flaw allows privilege escalation, giving attackers higher-level access to system functions. 

CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-24201  iOS 18.3.2, iPadOS 18.3.2, macOS Sequoia 15.3.2, visionOS 2.3.2, Safari 18.3  Out-of-bounds write issue allowing malicious websites to escape the Web Content sandbox   Remote Code Execution 
 CVE-2025-24085 iOS 18.3, iPadOS 18.3, macOS Sequoia 15.3, watchOS 11.3, tvOS 18.3, visionOS 2.3 Use-after-free vulnerability in CoreMedia allowing privilege escalation via malicious apps.  Privilege escalation via CoreMedia 
 CVE-2025-24200  iOS 18.3.1, iPadOS 18.3.1, iPadOS 17.7.5 (iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch, etc.) Authorization bypass vulnerability allowing attackers to disable USB Restricted Mode on locked devices.  Security Bypass USB Restricted Mode 

Remediation

Apply Patches Promptly: Apple has released security updates to address these vulnerabilities. Users should update their devices immediately to mitigate risks 

  • iPhones and iPads: Update to iOS 18.3/iPadOS 18.3 or later. 
  • Macs: Install macOS Sequoia 15.3 or later. 
  • Apple Watch: Upgrade to watchOS 11.3. 
  • Apple TV: Apply tvOS 18.3 updates. 
  • Vision Pro: Install visionOS 2.3 updates. 

General Recommendations: 

  • Prioritize Zero-Day Fixes: Focus on patching actively exploited vulnerabilities, especially those affecting USB Restricted Mode, WebKit, and CoreMedia.  
  • Enable Lockdown Mode: On supported devices, Lockdown Mode can provide additional security against targeted attacks.  
  • Be Cautious with USB Devices: Avoid connecting untrusted accessories to Apple devices to mitigate USB-based attack vectors. 
  • Stay Alert for Malicious Websites: Since WebKit vulnerabilities are actively exploited, avoid suspicious links and untrusted web content. 
  • Monitor for Exploitation: Continuously monitor systems for any signs of exploitation or suspicious activity. 

Conclusion: 

The discovery and active exploitation of these zero-day vulnerabilities underscore the increasing sophistication of cyberattacks targeting Apple’s ecosystem.

While Apple has responded swiftly with patches, users must remain vigilant by keeping their devices updated and adhering to cybersecurity best practices, such as avoiding untrusted applications and enabling Lockdown Mode where applicable. 

Apple fixed all the vulnerability with improved state management.

References


 

Security Advisory

Phishing Crusade Targeted approx 12,000 GitHub Repositories; Victims directed to “gitsecurityapp”

A large-scale phishing campaign has targeted nearly 12,000 GitHub repositories with phony security alerts, reported BleepingComputers.

The alerts, opened as issues on the repositories, inform users of unauthorized login attempts and provide links to change their passwords, review active sessions, or set up MFA.

If a user clicks any of these links, they’ll be taken to a GitHub authorization page for an OAuth app that will grant the attacker control of the account.

The campaign is ongoing, though GitHub appears to be responding to the attacks.

Users were directed to all links within the message to a GitHub authorization page for a malicious OAuth application called “gitsecurityapp.” If authorized, the app grants attackers full control over the user’s account and repositories, including the ability to delete repositories, modify workflows, and read or write organization data.

This consistent messaging across all affected repositories aims to create a sense of urgency and panic, prompting developers to take immediate action.

The fraudulent alert directs users to update their passwords, review active sessions, and enable two-factor authentication. However, these links lead to a GitHub authorization page for a malicious OAuth app named “gitsecurityapp.”

Upon authorization, an access token is generated and sent to various web pages hosted on onrender.com, granting the attacker full control.

(Image courtesy: Bleeping Computers)

The attack, which was first detected on March 16, remains active, though GitHub appears to be removing affected repositories.

Pointers Developers to take key inputs from this incident.

Last week, a supply chain attack on the tj-actions/changed-files GitHub Action caused malicious code to write CI/CD secrets to the workflow logs for 23,000 repositories.

If those logs had been public, then the attacker would have been able to steal the secrets.

The tj-actions developers cannot pinpoint exactly how the attackers compromised a GitHub personal access token (PAT) used by a bot to perform malicious code changes as per threat researchers.

Key pointers for User saftey:

  • For users who have mistakenly authorized the malicious OAuth app revoking access to suspicious OAuth apps through GitHub’s settings.
  • Affected users should review their repository workflows, check for unauthorized private gists, and rotate their credentials to prevent further damage.
  • This attack highlights the increasing threat of phishing campaigns targeting GitHub users.
  • As GitHub continues to investigate and respond, developers must remain vigilant and verify any security alerts before taking action.
  • Rotate your credentials and authorization tokens.

 Wiz suggests that potentially impacted projects run this GitHub query to check for references to reviewdog/action-setup@v1 in repositories.

If double-encoded base64 payloads are found in workflow logs, this should be taken as a confirmation their secrets were leaked.

Developers should immediately remove all references to affected actions across branches, delete workflow logs, and rotate any potentially exposed secrets.

(Sourece: Bleeping computers)

Security Advisory

Multiple High-Severity Vulnerabilities Patched in Zoom  

Summary 

Multiple high-severity vulnerabilities have been identified in Zoom applications, including Zoom Workplace, Rooms Controller, Rooms Client, and Meeting SDK, causing exposure of Sensitive Data.

The most critical flaws, patched in Zoom’s March 11, 2025, security bulletin, include CVE-2025-27440 (heap-based buffer overflow), CVE-2025-27439 (buffer underflow), CVE-2025-0151 (use-after-free) CVE-2025-0150 (incorrect behavior order in iOS Workplace Apps).

All rated high severity with CVSS scores ranging from 7.1 to 8.5. 

OEM Zoom 
Severity High 
CVSS 8.5  
CVEs CVE-2025-27440, CVE-2025-27439, CVE-2025-0151,  CVE-2025-0150, CVE-2025-0149 
Publicly POC Available No 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview 

These vulnerabilities could allow attackers to escalate privileges, execute arbitrary code, or cause denial-of-service (DoS) attacks. Zoom has released patches addressing these issues in version 6.3.0. 

Vulnerability Name CVE ID Product Affected Severity CVSS Score 
Heap-Based Buffer Overflow Vulnerability  CVE-2025-27440  ZOOM High 8.5 
Buffer Underflow Vulnerability  CVE-2025-27439  ZOOM High 8.5 
Use-After-Free Vulnerability CVE-2025-0151 ZOOM High  8.5 
Incorrect Behavior Order Vulnerability CVE-2025-0150 ZOOM High 7.1 
Insufficient Data Verification Vulnerability  CVE-2025-0149 ZOOM Medium 6.5 

Technical Summary 

These vulnerabilities could be exploited to gain unauthorized access, execute arbitrary code, or disrupt services through privilege escalation and memory corruption techniques. Exploitation requires authentication and network access, posing a risk to enterprise users. 

CVE ID System Affected Vulnerability Details Impact 
 CVE-2025-27440  Zoom Workplace Apps ( Windows, macOS, and Linux, as well as mobile apps for iOS and Android.)  Heap-based buffer overflow, allowing attackers to inject malicious code   Privilege Escalation 
 CVE-2025-27439  Zoom Workplace Apps Buffer underflow, leading to unexpected crashes or data leakage   Denial of Service, Data Exposure 
CVE-2025-0151    Zoom Workplace Apps  Use-after-free issue leading to memory corruption and arbitrary code execution   Privilege Escalation 
CVE-2025-0150  Zoom Workplace Apps (iOS) Incorrect behavior order allowing unauthorized access to authentication tokens   Information Disclosure 
CVE-2025-0149 Zoom Workplace Apps  Insufficient verification of data authenticity, allowing malformed network packets to bypass security checks Denial of Service 

Remediation

  • Apply Patches Promptly: Ensure all Zoom applications are updated to version 6.3.0 or later, which includes fixes for 12 vulnerabilities disclosed in March 2025 alone.

Conclusion: 

The recent vulnerabilities in Zoom highlight the ongoing challenges in securing widely used communication platforms. While Zoom has acted swiftly in providing patches, the recurrence of memory corruption and input validation flaws suggests architectural challenges.

Organizations should maintain a proactive security stance, ensuring timely updates and implementing stringent controls to safeguard sensitive data. 

Organizations must treat Zoom not as a neutral utility but as a high-risk vector requiring stringent controls.

References

Blogs

AI Reshaping Roadmap for Cyber security

Can Gen AI Transform Organizations Cyber Posture

Continue Reading
Blogs

Users of WhatsApp Exposed to Sophisticated Spyware Attack

The recent Spyware attack on WhatsApp users is linked to Israeli surveillance firm Paragon Solutions that targets journalists, activists, and civil society members using sophisticated “zero-click” hacking methods that require no user interaction.

Attack Confirmed By Meta

Meta, the parent company of WhatsApp, has officially acknowledged the attack, stating that the messaging platform was compromised by hackers deploying spyware. Following multiple reports of breaches, Meta informed Italy’s National Cybersecurity Agency, confirming that about 90 users across 24 countries were targeted.

The spyware attack came to light when Luca Casarini, a migrant rescue activist and co-founder of Mediterranea Saving Humans, and investigative journalist Francesco Cancellato, received an alert from WhatsApp, notifying their device had been infiltrated by spyware.

What is Spyware and what makes Spyware attack special?

Spyware is one of the most commonly used cyberattack methods used by hackers and makes it difficult to trace and identify by users and does some serious harm to networks. These data are used to track, steal, and sell user data, such as internet usage, credit card, and bank account details, or steal user credentials to spoof their identities.

As per Fortinet, Spyware is malicious software that enters a user’s computer, gathers data from the device and user, and sends it to third parties without their consent. A commonly accepted spyware definition is a strand of malware designed to access and damage a device without the user’s consent. 

How Zero-Click Hacking affect our Online Digital device

The Zero click hacking techniques was stunning for users which is not traceable

Unlike any other phishing attacks that require users to click on malicious links. In this method attackers infect a device without any action from the user. Such advanced tactics enable surveillance on a large scale, posing severe risks to privacy and security worldwide.

The revelation has reignited global concerns over digital espionage and unauthorized surveillance. Cybersecurity experts warn that the attack on WhatsApp underscores the vulnerabilities present in even the most widely used communication platforms. As investigations continue, users are urged to update their software regularly and remain vigilant against potential cyber threats.

Mobile spyware typically attacks mobile devices through three methods:

  • Flaws in operating systems: Attackers can exploit flaws in mobile operating systems that are typically opened up by holes in updates. 
  • Malicious applications: These typically lurk within legitimate applications that users download from websites rather than app stores.
  • Unsecured free Wi-Fi networks: Wi-Fi networks in public places like airports and cafes are often free and simple to sign in to, which makes them a serious security risk. Attackers can use these networks to spy on what connected users are doing.

Significant Cyber threat of Spyware

The Spyware attack left users fall prey to online digital attack and question on govt. surveillance which was taken seriously by Italy.Over the years Spyware  infected millions of devices, stealing sensitive information.

Some of the most devastating spyware cases helps us understand how serious this threat can be.

  • Pegasus — Spyware Behind Global Surveillance Scandals

Pegasus — developed by Israeli tech firm NSO Group — is the most high-profile spyware ever created. While it was originally marketed as a tool for governments to combat terrorism and criminal activities, it has become infamous for its misuse.

Reports have revealed that Pegasus has been used to monitor journalists, activists, and political figures, raising serious concerns about privacy and human rights violations. Its ability to infect devices without any user interaction makes it especially dangerous and difficult to detect.

  • FinSpy (FinFisher) — Government Tool for Full Device Control

FinSpy, also known as FinFisher, is a spyware tool developed by Gamma Group, a company based in Germany. Initially marketed to governments and law enforcement agencies as a way to combat crime and terrorism, FinSpy has been linked to unauthorized surveillance and there is concern about its use by oppressive regimes. The spyware is capable of targeting multiple platforms, including Windows, macOS, and Linux, making it versatile and difficult to escape.

  • GravityRAT — Cross-Border Espionage Targeting India

GravityRAT spyware was initially designed to target individuals in India. It’s believed to be linked to cyber espionage efforts originating from Pakistan. Its primary goal is to steal sensitive information, including files, contact lists, and user data.

GravityRAT typically spreads through phishing emails that trick users into downloading malicious attachments. Once the victim opens the file, the spyware silently installs itself, granting attackers control over the infected device.

  • DarkHotel — Targeting Business Travelers Through Hotel Wi-Fi

DarkHotel is a sophisticated spyware campaign that’s been active for over a decade, primarily targeting business travelers staying in luxury hotels. Discovered in 2007, this Advanced Persistent Threat (APT) has affected high-profile executives, government officials, and corporate leaders. The attackers aim to steal sensitive business information, like trade secrets and confidential documents, while victims are connected to hotel Wi-Fi networks.

  • Agent Tesla — Password and Keystroke Thief for Hire

Agent Tesla is technically classified as a Remote Access Trojan (RAT) and keylogger, though it has spyware-like functionalities. First discovered in 2014, Agent Tesla has gained notoriety for its ability to steal sensitive information, such as login credentials, keystrokes, and clipboard data. It can also take screenshots and extract information from email clients, web browsers, and other applications, making it a powerful tool for cybercriminals.

Security Advisory

Zero-Day Vulnerability in Microsoft Sysinternals Tools  

Summary 

A critical 0-Day vulnerability has been identified in nearly all Microsoft Sysinternals tools, allowing attackers to exploit DLL injection techniques to execute arbitrary code. This presents a significant risk to IT administrators and developers who rely on these utilities for system analysis and troubleshooting.

OEM Microsoft 
Severity High 
Date of Announcement 2025-02-05 
CVEs Not Yet Assigned 
Exploited in Wild No 
Patch/Remediation Available No 
Advisory Version 1.0 
Vulnerability Name Zero-Day  

Overview 

Despite being reported to Microsoft over 90 days ago, the vulnerability remains unpatched, as Microsoft considers it a “defense-in-depth” issue rather than a critical security flaw. 

Vulnerability Name CVE ID Product Affected Severity Impact 
            zero-day  Not Yet Assigned Microsoft Sysinternals Tools (Process Explorer, Autoruns, Bginfo, and potentially others)          High Arbitrary Code Execution, Privilege Escalation, Malware Deployment 

Technical Summary 

The vulnerability is caused by improper handling of DLL loading paths in affected Sysinternals utilities. When these tools search for required DLLs, they follow a specific search order, which may include untrusted locations such as network shares or user-writable directories. 

The issue arises from how Sysinternals tools prioritize DLL search paths, favoring untrusted directories such as: 

  • The Current Working Directory (CWD) 
  • Network locations (e.g., shared drives) 
  • User-writable paths over secure system directories 

This flaw allows attackers to place a malicious DLL in the same directory as a Sysinternals executable, tricking the application into loading the rogue DLL instead of the legitimate system DLL. 

Exploit Workflow 

  1. Attacker crafts a malicious DLL (e.g., cryptbase.dll or TextShaping.dll) containing a payload such as a reverse shell, ransomware, or trojan. 
  1. The DLL is placed in the same directory as a vulnerable Sysinternals tool. 
  1. The user unknowingly executes the tool (e.g., Bginfo.exe or procexp.exe) from that directory. 
  1. The malicious DLL is loaded instead of the legitimate system DLL. 
  1. Attackers gains code execution with the privileges of the running process (potentially SYSTEM privileges if run with admin rights). 

Recommendations 

  1. Avoid Running Sysinternals Tools from Network Locations 
  • Always copy tools to a local trusted directory before execution. 
  • Disable execution of .exe files from network drives if feasible. 
  1. Restrict DLL Search Paths 
  • Use SafeDLLSearchMode to prioritize secure directories. 
  • Implement DLL redirection to force tools to load DLLs from trusted paths. 
  1. Implement Application Control Policies 
  • Use AppLocker or Windows Defender Application Control (WDAC) to block unauthorized DLLs from loading. 
  • Restrict execution of Sysinternals tools to trusted admin-only directories. 
  1. Verify DLL Integrity Before Execution 
  • Use SigCheck (Sysinternals) to ensure all loaded DLLs are digitally signed. 
  • Block execution of unsigned or suspicious DLLs in sensitive directories. 
  1. Monitor for Suspicious DLL Loading Behavior 
  • Enable Sysmon logging to detect anomalous DLL loads (Event ID 7). 
  • Monitor for executions of Sysinternals tools from network shares (Event ID 4688). 

Conclusion 

Despite being responsibly disclosed to Microsoft in October 2024, the vulnerability in Sysinternals tools remains unpatched as of February 2025. Microsoft classifies it as a “defense-in-depth” issue, dismissing it as non-critical, while security researchers highlight its severe impact on enterprises, especially those running tools from network shares. This leaves users reliant on manual mitigations to avoid exploitation.

The Sysinternals tools, developed by Microsoft, are a widely-utilized suite of utilities designed to provide in-depth insights into the processes, services, and configurations of Windows systems. 

References

Blogs Cybersecurity News

Codefinger Ransomware attack encrypts Amazon S3 buckets

  • Ransomware crew dubbed Codefinger targets AWS S3 buckets
  • Sets data-destruct timer for 7 days
  • Threat actors demand for Ransom payment made for the symmetric AES-256 keys required to decrypt it

Amazon S3 buckets encrypted using AWS’s Server-Side Encryption with Customer Provided Keys (SSE-C) and somehow the threat actors knew details of the keys. And this made them demand ransoms to demand the decryption key.

The campaign was discovered by Halcyon , and according to them the threat actors after exploiting the compromised keys, they called the “x-amz-server-side-encryption-customer-algorithm” header and use a locally stored AES-256 encryption key they generate to lock up the victims’ files. There is great chance that more cyber criminal groups can adopt the tactic and use.

The threat actor looks for keys with permissions to write and read S3 objects (s3:GetObject and s3:PutObject requests), and then launches the encryption process by calling the SSE-C algorithm, utilizing a locally generated and stored AES-256 encryption key.

“It is important to note that this attack does not require the exploitation of any AWS vulnerability but instead relies on the threat actor first obtaining an AWS customer’s account credentials,” Halcyon notes.

According to Halcyon, because the attack relies on AWS’s infrastructure for encryption, it is impossible to recover the encrypted data without the symmetric AES-256 keys required to decrypt it. Halcyon reported its findings to Amazon, and the cloud services provider told them that they do their best to promptly notify customers who have had their keys exposed so they can take immediate action.

In recent month hackers and cyber criminal have gained traction In recent months and have begun targeting their product gateways and find ways to extort customers using it. 

Unlike traditional ransomware that encrypts files locally, this attack operates directly within the AWS environment, exploiting the inherent security of SSE-C to render data irretrievable without the attacker’s decryption keys says Halcyon team.

Ransomware capabilities gain new tactics where the threat actor first obtains an AWS customer’s account credentials and there is no know method that data can be recovered without paying the ransom.

As per AWS they encourage customers to utilize their security tools, such as IAM roles, Identity Center and Secrets Manager, to minimize credential exposure and improve defense postures.

Sources:

https://www.theregister.com/2025/01/13/ransomware_crew_abuses_compromised_aws/

www.Bleeping computers.com

Scroll to top