Cyber Security Trends 2026; Cloud Environments, Identity systems & Third-Party Tools Key Area’s of Threat
Cyber Security Trends 2026; Cloud Environments, Identity systems & Third-Party Tools Key Area’s of Threat
Continue ReadingCloud security
Critical Vulnerabilities Identified in React Server Components & Next.js; Due to the high severity Patching is Required
Critical React & Next.js RCE Vulnerabilities identified; Patches released .Attackers can craft malicious requests to trigger arbitrary server-side code execution in unpatched environments using default configurations.
Continue Reading
Critical Fluent Bit Vulnerabilities Allow RCE & Cloud Infrastructure at Risk
Summary : Fluent Bit is a widely used opensource tool for collecting and forwarding logs in cloud and containers like Kubernetes environments. A chain of 5 critical vulnerabilities discovered by Oligo Security team and findings reveal that attackers can misuse via Remote code execution putting cloud and container at risk.
| Severity | Critical |
| CVSS Score | 9.1 |
| CVEs | CVE-2025-12969, CVE-2025-12970, CVE-2025-12972, CVE-2025-12977, CVE-2025-12978 |
| POC Available | No |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
These vulnerabilities are CVE-2025-12977 CVE-2025-12970, CVE-2025-12969, CVE-2025-12978 , CVE-2025-12972. The vulnerabilities allow attackers to bypass authentication, manipulate log routing, achieve remote code execution, potentially leading to full compromise of cloud and Kubernetes environments using Fluent Bit for logging and observability.
Organizations relying on Fluent Bit must upgrade to the fixed versions and harden configurations to prevent remote takeover and log tampering.
| Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score | Fixed Version |
| Fluent Bit Tag_Key Input Validation Bypass | CVE-2025-12977 | Fluent Bit | Critical | 9.1 | v4.0.12+ , v4.1.1+ , v4.2.0+ |
| Fluent Bit Docker Input Stack Buffer Overflow | CVE-2025-12970 | Fluent Bit | High | 8.8 | v4.0.12+ , v4.1.1+ , v4.2.0+ |
| Fluent Bit Forward Input Authentication Bypass | CVE-2025-12969 | Fluent Bit | Medium | 6.5 | v4.0.12+ , v4.1.1+ , v4.2.0+ |
| Fluent Bit Tag Spoofing via Partial Tag_Key Match | CVE-2025-12978 | Fluent Bit | Medium | 5.4 | v4.0.12+ , v4.1.1+ , v4.2.0+ |
| Fluent Bit File Output Path Traversal | CVE-2025-12972 | Fluent Bit | Medium | 5.3 | v4.0.12+ , v4.1.1+ , v4.2.0+ |
Technical Summary
Fluent Bit vulnerabilities center around unsafe handling of tags and inputs, enabling attackers to manipulate routing, file paths and memory in ways that directly impact host systems and downstream security tooling.
These flaws can allow path traversal and arbitrary file writes, which in many real-world setups may escalate to remote code execution and persistent node compromise.
Additional vulnerabilities include stack buffer overflows and missing authentication checks that let attackers crash agents, execute code and inject false telemetry into trusted logging pipelines.
Source: Oligo.security
| CVE ID | Vulnerability Details | Impact |
| CVE-2025-12977 | Improper input validation allows injection of control chars, newlines, and path traversal sequences in tag values. | Log corruption and output injection. |
| CVE-2025-12970 | Stack buffer overflow on container name copy due to lack of length check. | Crash or RCE. |
| CVE-2025-12969 | Authentication bypass disables user-based auth, allowing unauthenticated log injection. | Unauthorized log injection. |
| CVE-2025-12978 | Partial string comparison on Tag_Key lets attacker spoof tags by guessing first char. | Manipulation of log routing and filtering. |
| CVE-2025-12972 | Path traversal via unsanitized tags causes arbitrary file write and possible remote code execution. | Arbitrary file write and RCE. |
Remediation:
- Upgrade all Fluent Bit deployments to v4.2.0 / v4.1.1 / v4.0.12 or latest version.
Here are some recommendations below
- Avoid using dynamic or untrusted tags in configuration for routing or file naming.
- Always set explicit fixed Path or File parameters in out_file outputs to prevent path traversal.
- Ensure forward inputs use both Shared_Key and Security.Users for proper authentication enforcement.
- Limit network access to Fluent Bit instances to trusted sources only.
- Run Fluent Bit with least privilege and restrict filesystem and configuration file write permissions.
- Monitor logs and telemetry for abnormal tag values or unexpected log routing changes.
Conclusion:
The Fluent Bit vulnerabilities enable attackers to hide activity, corrupt evidence and even gain direct control of cloud workloads.
This puts cloud systems at risk because security teams may not see the real activity happening inside their environment.
Organizations using Fluent Bit should patch immediately, restrict network access and enforcing strong authentication and least‑privilege deployment as urgent priorities to reduce the risk of remote takeover and systemic observability compromise.
References:
Advanced eBPF Rootkit LinkPro Evade Detection in Linux Systems via Magic TCP Packets
Overview: LinkPro rootkit targets GNU/Linux systems: LinkPro is a newly discovered Linux rootkit that leverages eBPF (extended Berkeley Packet Filter) technology to stealthily hide its presence on infected systems. The sophisticated Linux rootkit linkpro was uncovered by Synacktiv CSIRT during an investigation of a compromised AWS infrastructure and evade detection in Linux Systems.
This threat was deployed in an AWS environment after attackers exploited a vulnerable Jenkins server to distribute a malicious Docker image containing a Rust downloader that fetched a memory-resident vShell backdoor. This rootkit’s use of eBPF, a legitimate kernel feature, makes detection challenging in Linux as it operates at a low level within the Linux kernel.
Leveraging extended Berkeley Packet Filter (eBPF) technology, where linkpro backdoor evades detection by hiding its processes and network activity, activating remotely via a “magic packet.”
Source: www.synacktiv.com
Issues Details: The attack, originating from a vulnerable Jenkins server, deployed a malicious Docker image across AWS EKS clusters, enabling credential theft and lateral movement. This highlights the misuse of ebpf for advanced persistent threats (apts) in cloud environments.
The LinkPro rootkit targets GNU/Linux systems, exploiting eBPF kernel capabilities to achieve stealth and remote activation.
It embeds multiple ELF modules, including two eBPF programs that hook into critical kernel system calls like getdents and sys_bpf to hide files, processes, and its own presence from detection tools.
If kernel support for these hooks is unavailable, LinkPro falls back to user-space concealment by loading a malicious shared library via /etc/ld.so.preload. This sophisticated rootkit deploys an advanced network packet filtering mechanism, activating only upon receiving a specific “magic packet” (a TCP SYN with a window size of 54321), allowing the attacker to control the system covertly.
LinkPro masquerades as the legitimate systemd-resolved service for persistence and uses encrypted channels such as HTTP, DNS tunneling, and raw TCP/UDP for command and control. Its design enables attackers to execute arbitrary commands, perform file operations, and establish proxy tunnels, making it a highly adaptable and stealthy tool for persistent intrusions targeting cloud-native Linux systems.
Attack Flow
IOCs
| IOC Type | Indicator | Description |
| Network | /api/client/file/download?Path=… | URL used to download tools/payloads onto the compromised host. |
| /reverse/handshake /reverse/heartbeat /reverse/operation | Endpoints the implant calls in reverse mode to receive operator commands. | |
| 18.199.101.111 | Destination IP used by LinkPro in forward (active) mode. | |
| File | /etc/systemd/system/systemd-resolveld.service | Malicious systemd service file named to look like systemd-resolved. |
| /root/.tmp~data.ok | Location/name of the LinkPro binary, disguised as a system file. | |
| /usr/lib/.system/.tmp~data.resolveld | Alternate disguised location for the LinkPro binary. | |
| /etc/libld.so | Malicious library loaded via /etc/ld.so.preload as a fallback concealment method. | |
| Host | Systemd-resolveld | Fake service name intended to be mistaken for systemd-resolved. |
| Conf_map | eBPF map holding the internal port used by the Knock module. | |
| Knock_map | eBPF map containing authorized IP addresses for the Knock module. | |
| Main_ebpf_progs | eBPF map listing programs that the Hide module manages. | |
| Pids_to_hide_map | eBPF map listing process IDs the rootkit hides. | |
| Hashes | D5b2202b7308b25bda8e106552dafb8b6e739ca62287ee33ec77abe4016e698b | Passive linkpro backdoor |
| 1368f3a8a8254feea14af7dc928af6847cab8fcceec4f21e0166843a75e81964 | Active linkpro backdoor | |
| B11a1aa2809708101b0e2067bd40549fac4880522f7086eb15b71bfb322ff5e7 | Ld_Preload module (libld.so) | |
| B8c8f9888a8764df73442ea78393fe12464e160d840c0e7e573f5d9ea226e164 | Hide ebpf module | |
| 364c680f0cab651bb119aa1cd82fefda9384853b1e8f467bcad91c9bdef097d3 | Knock ebpf module | |
| 0da5a7d302ca5bc15341f9350a130ce46e18b7f06ca0ecf4a1c37b4029667dbb | Vget downloader |
Recommendations:
Here are some recommendations below
- Patch the vulnerable Jenkins server (CVE-2024-23897) to prevent initial access.
- Restrict public exposure of CI/CD tools and enforce strict network segmentation.
- Monitor for suspicious Docker container deployments and unexpected host filesystem mounts.
- Watch for unusual or unauthorized eBPF program activity using kernel auditing tools.
- Regularly update Linux kernels and apply available security patches.
Conclusion:
The LinkPro rootkit is anadvanced Linux malware that uses eBPF at the kernel level to stay hidden and persist on systems.
It spreads through Jenkins vulnerabilities, container escapes and remote activation, highlighting the critical vigilance organizations must maintain to continuously monitor and secure their environments.
To protect against it, companies should focus on timely patching and monitoring suspicious activities.
References:
Scattered Spider Group Target Aviation Sector; Third Party Providers to Vendors at Risk. Solutions to Improve Security Posture
Recently the Scattered Spider Hacker group or cybercriminals are targeting the airline industry at large and keen interest on aviation sector.
The Scattered Spider group relies mostly on social engineering techniques that can impersonate employees or contractors to deceive IT help desks into granting access” and frequently involves methods to bypass multifactor authentication (MFA), as per observation by FBI.
Earlier the group breached at least two major US airlines in June, bypassed security protocols by exploiting remote access tools and manipulating support staff as reported by CNN .
There is a growing cyber risk on aviation sector and how the air traffic control is managed during attack which makes subsequent aviation systems vulnerable to cyberattacks due to outdated technology in many cases.
And cyber criminals are resorting to advanced techniques by which they can halt operations via cyberattacks that have the ability to take over or invade technology systems which in turn disrupt information flow from the aircraft to pilots to the airlines’ operations center resulting in chaos and delay in flight operations.
Every operation and service delivered by airlines is supported by technology and once that is not responding ,subsequent operations are halted i.e. flight management software, air traffic control communications, baggage handling systems and in-flight entertainment platforms will fail inevitability.
Recently the Scattered Spider group was behind a big data breach potentially exposing Social Security numbers, insurance claims and health information of tens of millions of customers.
Repercussions of Data Breaches Impacting Third parties
Cybercriminals often take advantage of fragile cyber security posture linked to smaller third parties that provide services to larger, well-established enterprises or industry. In-fact many vendors dont have cybersecurity protection and proper cybersecurity awareness in place to mitigate against attacks.
Cyber attacks have evolved to become increasingly complex, making vendor risk management critical. With rise in digital transformation, cloud services and AI technology has given cyber criminals greater potential to penetrate unsecured networks and systems more then ever.
Address the Threat Landscape with Best Practices
Data breaches that originate from third-party vendors cause big fines and legal consequences are huge and affect primary organization. Along with these challenges, organizations often rely on third parties for critical services and cyber criminals take advantage of these vulnerability.
Organizations can still take steps to mitigate and defend against these attacks even as they onboard new vendors or service providers.
Let us see the emerging threats across third-party vendors:
- Supply chain attacks by cybercriminals often target companies that supply services to many different companies (e.g. MSPs, IT) they cause great impact as IoT and other hardware devices manufactured by third parties can be infected malicious firmware .These malware can steal sensitive data.
- Ransomware-as-a-Service (RaaS)The dark web often sells kits (RaaS) and now it is combined with generative AI making attractive for cyber criminals to launch attacks. RaaS can disrupt critical services of organizations.
- Threat from third parties Unintentional human error occur where providers misconfigure not so accurate data or data deletion happens or poor cybersecurity practices of easy passwords circulating among users. There could also be vendors with financial motives who don’t go through the same security process known as insider threat and don’t pass security test laid for regular employees.
- Software supply chain attacks As we witnessed outsourcing third-party SaaS services and cloud technology makes it easy to target vulnerabilities in software code. This impacting hundreds of well-established organizations using the same software and same chain of malware flows.
- Cloud vulnerabilities The provider or cloud service is responsible for securing the cloud infrastructure while the customer or vendor is responsible for securing their data and applications. A lack of proper security measures by the customer or third party can result in data breaches, data loss or supply chain attacks. Since cloud service or data center is all outsources so security lapse may happen
- Advanced Persistent Threats (APTs) is linked to State-sponsored attacks who generally target third parties to penetrate into systems over an extended period of time. For example, they might compromise a third-party network to gain lateral access to the main organization’s IT infrastructure, making it difficult to detect in time.
- Deepfake and social engineering attacks. Emerging AI-technology can manipulate employee or C-level executives to trick users into divulging information to execute identity fraud, phishing attacks, sign fraudulent contracts, or gain unauthorized access to restricted systems and networks.
- Zero-day exploits exploited by cyber criminals before they are identified by developers and third-party providers and patched. At times if patch is slow process attackers launch attacks during this delay.
Solutions that will improve Security Posture with Intru360 from Intruceptlabs
The new business environment demands IT support for a wider range of monitoring, security and compliance requirements. This creates significant burdens on network performance and network security as more appliances need access to incoming data.
Intrucept platform (Intru360) cover overall risk, detection, prevention, correlation, investigation, and response across endpoints, users, networks, and SaaS applications, offering end-to-end visibility.
Intru360 gives security analysts and SOC managers a clear view across the organization, helping them fully understand the extent and context of an attack. It also simplifies workflows by automatically handling alerts, allowing for faster detection of both known and unknown threats.
Identify latest threats without having to purchase, implement, and oversee several solutions or find, hire, and manage a team security analyst.
Sources: https://www.darkreading.com/cyberattacks-data-breaches/scattered-spider-hacking-spree-airline-sector
Identity Based Attacks, the Growing Risk; How do Orgs’ Navigate
In 2025 identity based attacks have surged up and research reveals how identity based attacks have affected identities, endpoints and cloud assets over 4 million past year as reported by threat detection report 2025 by Red Canary.
As organizations grow and continue to harness technology, identity based attacks grow to and risk associated with them. And this brings us to understand he urgent need for strong identity protection as adversaries explore new techniques.
The Threat landscape is vast and have variety to support the attack includes evolving ransomware tactics, supply chain weaponization and attacks on non-human identities.
In this blog we take a look at what rate identity based attacks are growing and what is required to strengthen organizational strategies for resilience.
Of late the type of attacks that are taking center stage are Social engineering based attacks that has gained popularity as per CrowdStrike report.
Voice phishing (vishing) attacks surged by 442% between the first and second half of 2024 as groups like CURLY SPIDER trick employees into handing over login details.
Those who don’t steal credentials can buy them — access broker activity was up nearly 50% in 2024, reflecting the growing market for illicit access.
Further, more than half (52%) of observed vulnerabilities in 2024 were tied to initial access.
The weakest link in Identity threats
With the usage of cloud most of the enterprises are shifting workload to cloud or hybrid cloud environment and now cloud infrastructure remains one of the points where frequency of attack has increased to achieve initial access.
This also includes increases in macOS threats, info stealers and business email compromise. VPN based abuse is hard to detect so a easy gateway for criminals to launch ransomware based attacks and these products are actually leveraging identity based attacks including insider threats.
Threat researchers from Sygnia have noticed misconfigured Identity and Access Management (IAM) policies are one of the biggest culprits in creating openings for lateral movement and privilege escalation by attackers.
Popular social media websites and apps are breeding grounds for identity based attack that started from social engineering tactics being deployed by state sponsored threat groups to deliver their harmful intentions.
Example: Hackers gained access to Microsoft 365 tenant and authenticated against Entra ID using captured session tokens. This technique not only bypassed multi-factor authentication (MFA), but also circumvented other security controls that were in place.
AWS access keys were discovered on the compromised devices as well, giving the attackers two ways into the AWS environment—through direct API access and the web console via compromised Entra ID users.
Now business are looking to move beyond passwords and weak MFA. Passkeys, Biometric authentication, Risk-based access, and Continuous identity verification will become non-negotiable.
Bolstering organizations identity governance, adopting zero trust principles and participating in identity-focused red team assessments will be the need of the hour.
What can security leaders do to Stay Ahead of Identity-Based Attacks in 2025?
Passwords aren’t enough these day nor are MFA as attackers are advanced in techniques and wont wait to break authentication when they can bypass, manipulate, or socially engineer their way in.
- Go passwordless: FIDO2, Passkeys, Biometrics are not required or eliminate them
- Enforce phishing-resistant authentication: No SMS, no email-based resets, no security questions.
- Implement real-time identity monitoring: Spot privilege escalations before attackers use them.
- Require device trust: If a device isn’t secure you are not secured.
Organizations can stay ahead of this growing threat by leveraging GaarudNode which seamlessly integrate to detect and mitigate exposed credentials in real time.
GaarudNode is an all-in-one solution designed to empower development teams with the tools they need to secure their applications throughout the development lifecycle. By combining the power of SAST, DAST, SCA, API security, and CSPM, GaarudNode provides a comprehensive security framework that ensures your applications are built, tested, and deployed with confidence.
GaarudNode Identifies security flaws early in the development process by scanning source code, helping developers detect issues like insecure coding practices or logic errors.
Tests running applications in real-time to identify vulnerabilities such as SQL injection, Cross-Site Scripting (XSS), and other runtime threats.
Detects third-party libraries and open-source components, ensuring that your dependencies don’t introduce risks.
Continuously tests and monitors your APIs for vulnerabilities such as authentication flaws, data exposure, and insecure endpoints.
Do connect or DM for queries
Source: https://www.crowdstrike.com/en-us/blog/how-to-navigate-2025-identity-threat-landscape/
Recent Comments