Cyber security

Blogs Security Advisory

Kaspersky reveals SharePoint ToolShell vulnerabilities stem from incomplete 2020 fix.

Kaspersky’s Global Research and Analysis Team (GReAT) discovered that the recently exploited ToolShell vulnerabilities in Microsoft SharePoint originate from an incomplete fix for CVE-2020-1147, first reported in 2020.

IntruceptLabs have published the security advisory https://intruceptlabs.com/2025/07/toolshell-zero-day-exploits-in-microsoft-sharepoint-enable-full-remote-takeover/ on 21st July 2025.

The SharePoint vulnerabilities have emerged as a major cybersecurity threat this year amid active exploitation. Kaspersky Security Network showed exploitation attempts worldwide, including in Egypt, Jordan, Russia, Vietnam and Zambia.

The attacks target organizations across government, finance, manufacturing, forestry and agriculture sectors. 

Two newly discovered zero-day vulnerabilities (CVE-2025-53770 and CVE-2025-53771) in Microsoft SharePoint Server are being actively exploited in the wild.

There is currently no patch available to plug this security hole, but Microsoft says that customers running on-premises SharePoint Servers can stop attackers from exploiting the vulnerability by configuring Antimalware Scan Interface (AMSI) integration in SharePoint and deploying Defender AV on all SharePoint servers.

Share point Vulnerabilities a major cyber threat

The SharePoint vulnerabilities have emerged as a major cybersecurity threat this year amid
active exploitation. Kaspersky Security Network showed exploitation attempts worldwide,
including in Egypt, Jordan, Russia, Vietnam and Zambia.

The attacks target organizations across government, finance, manufacturing, forestry and agriculture sectors. Kaspersky solutions proactively detected and blocked ToolShell attacks before the vulnerabilities were publicly disclosed.

Kaspersky GReAT researchers analyzed the published ToolShell exploit and found it alarmingly similar to the 2020 CVE-2020-1147 exploit.

This suggests that the CVE-2025- 53770 patch is, in fact, an effective fix for the vulnerability that CVE-2020-1147 attempted to address five years ago.
The connection to CVE-2020-1147 became evident following the discovery of CVE-2025- 49704 and CVE-2025-49706, patched on July 8. However, these fixes could be bypassed by adding a single forward slash to the exploit payload.

Once Microsoft learned of active exploitation of these vulnerabilities, they responded with comprehensive patches that addressed potential bypass methods, designating the vulnerabilities as CVE-2025-53770 and CVE-2025-53771.

The surge in attacks against SharePoint servers worldwide occurred during the window between initial exploitation and full patch deployment. Despite patches now being available for the ToolShell vulnerabilities, Kaspersky expects attackers will continue exploiting this chain for years to come.

“Many high-profile vulnerabilities remain actively exploited years after discovery —
ProxyLogon, PrintNightmare and EternalBlue still compromise unpatched systems today.

We expect ToolShell to follow the same pattern: its ease of exploitation means the public exploit
will soon appear in popular penetration testing tools, ensuring prolonged use by attackers,”
said Boris Larin, principal security researcher at Kaspersky GReAT.

Do connect with us for any queries https://intruceptlabs.com/contact/

(Source: Read full report on Read the full report on Securelist.com)

Security Advisory

Critical Vulnerability identified in tj-actions/branch-names’ GitHub Action workflow

Security advisory:  Patch Now! Critical Command Injection in GitHub Action tj-actions/branch-names Affects 5,000+ public repositories. 

Summary:

A critical vulnerability has been identified in the tj-actions/branch-names’ GitHub Action workflow which allows arbitrary command execution in downstream workflows. This issue arises due to inconsistent input sanitization and unescaped output, enabling malicious actors to exploit specially crafted branch names or tags.

Severity Critical 
CVSS Score 9.1 
CVEs CVE-2025-54416 
POC Available Yes 
Actively Exploited No 
Exploited in Wild No
Advisory Version 1.0 

Overview 
This issue arises due to inconsistent input sanitization and unescaped output, enabling malicious actors to exploit specially crafted branch names or tags. While internal sanitization mechanisms have been implemented, the action outputs remain vulnerable, exposing consuming workflows to significant security risks. This is fixed in version 9.0.0

The flaw allows attackers to run any command during GitHub Actions workflows by creating specially crafted branch names or tags.  

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
Command Injection in branch-names GitHub Action  CVE-2025-54416   tj-actions/branch-names GitHub Action <v8.2.1 9.1  v9.0.0 or later 

Technical Summary 

This Vulnerability puts many CI/CD pipelines at serious risk, including the possibility of stealing secrets or injecting malicious code into releases.

The vulnerability exists due to unsafe usage of the eval command in the action’s script. Although some escaping was done using printf “%q”, developers later used eval printf “%s” to unescaped values, which reintroduced command injection risks.

Any branch name containing malicious shell code can trigger execution during workflows. 

The vulnerability affects GitHub Action workflows that use tj-actions/branch-names. It allows attackers to inject and execute arbitrary shell commands by creating a branch with malicious content. The issue is caused by the unsafe use of eval when handling branch names and tags in output generation. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-54416 GitHub repositories using tj-actions/branch-names < v8.2.1 Unsafe use of eval leads to command injection Attacker can run arbitrary commands, steal secrets, alter source code, or compromise workflows 

Proof of Concept (POC) 


 
Remediation

  • Update immediately to tj-actions/branch-names version v9.0.0 or higher
  • The vulnerable eval code has been replaced with safe printf usage. 
  • Review your workflows to ensure no malicious activity has occurred. 
  • Check logs for strange branch names or unexpected shell activity. 

Conclusion: 
This command injection flaw is extremely dangerous due to its simplicity and the number of projects it affects. GitHub Actions workflows that use branch names or tags from pull requests are especially at risk. Attackers don’t need access to the code just the ability to open a pull request.

All developers and security teams should act now by updating to the latest version and reviewing usage of GitHub Actions in their workflows. 

References

Blogs

Surge in Ransomware attack reveal sophistication of Threat actors that strategically focuses on industries to incentivizes Ransom payment

  • The United States remains the primary target for Ransomware attacks
  • UK is preparing to ban any Ransomware payments  for critical infrastructure companies
  • Manufacturing, Technology and Healthcare top targeted sectors, with the Oil & Gas industry experiencing a remarkable 935% increase in attacks as per Zscaler report
  • RaaS market growth drivers

There has been improvement in cyber resilience but it has been observed when too many entities pay ransom, each payment provides gateway for next attack as the payment incentivise.

Ransomware attack target pattern reveals how threat actors are strategically focusing on industries where operational disruption, data sensitivity, and regulatory concerns create maximum leverage.

In the beginning of July 2025, Federal authorities, including the FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA), have issued a high-priority advisory warning about the escalating threat posed by the Medusa ransomware group.

Medusa ransomware group ramped up its attacks, increasingly targeting users of major email service providers like Gmail and Outlook. Medusa’s reach extends across multiple industries, with healthcare, education, legal services, insurance, technology, and manufacturing among the hardest hit.

Now UK is preparing to ban any Ransomware payments  for critical infrastructure companies, local governments, schools and publicly funded entities like the NHS. The new ransomware payment proposal is just one part of a package of new regulations slated to soon go into effect in the UK, mostly centered on the Cyber Resilience Bill.

The new UK rules would additionally require all business types that are not impacted to notify the government when they intend to make a ransomware payment and may be required to seek guidance on the possibility of the payment violating sanctions on cybercriminal groups.

Surge in ransomware attacks

Zscaler  released its annual ThreatLabz 2025 Ransomware Report, revealing a dramatic 146% surge in ransomware attacks blocked by their cloud platform

The report highlights a significant shift in attack strategies, with threat actors increasingly focusing on data extortion over encryption.

Key findings show that ransomware groups stole 238 TB of data, representing a 92% increase year-over-year.

The report identifies Manufacturing, Technology, and Healthcare as the most targeted sectors, with the Oil & Gas industry experiencing a remarkable 935% increase in attacks.

The United States remains the primary target, accounting for 50% of all attacks with 3,671 incidents. RansomHub emerged as the most active group with 833 publicly named victims, followed by Akira (520) and Clop (488).

Ransomware and Crypto market

Well ransomware technique might have changed its pattern but not tactics, with crytpcurrencies it marked a major change and turning point in the world of cyber security.

How can we forget WannaCry (2017), it was perhaps the most infamous ransomware attack in history, caused global disruption by exploiting a Windows vulnerability.

The demand was Bitcoin, but its scale and method were more advanced but not the first.

BlackSuit ransomware extortion sites seized in Operation Checkmate

Law enforcement has seized the dark web extortion sites of the BlackSuit ransomware operation, which has targeted and breached the networks of hundreds of organizations worldwide over the past several years.

Yesterday 28 july,  the websites on the BlackSuit .onion domains were replaced with seizure banners announcing that the ransomware gang’s sites were taken down by the U.S. Homeland Security Investigations federal law enforcement agency as part of a joint international action codenamed Operation Checkmate.

Key trends Key driving the Ransomware Protection Market


The demand for ransomware protection solutions is further fuelled by the growing number of cyber-attacks targeting businesses, particularly in the BFSI sector, which remains the largest revenue generator in the market.

The demand for RaaS based products growing due to corporate digitization, and the advent of crypto currency like Bitcoin are the key market drivers enhancing the market demand and growth.

This  include technological advancements and increasing cyber threats.

  • Market size in 2024: USD 32.24 billion; projected to reach USD 93.35 billion by 2032.
  • End-point security segment accounted for 35% of market revenue.
  • BFSI sector generated the most income, with significant ransomware attacks reported.
  • Managed services segment dominated the market, catering to SMEs for enhanced cyber security.

Of all the reasons, cyber attacks now focus on any vulnerability as many businesses are switching to cloud services. In response to the ransom, distributed denial-of-service (DDoS) attacks are launched, which continue until the ransom is paid or the data risks being permanently lost.

Cybercriminals may breach into sites for trading cryptocurrencies and steal money. Crypto currency is currently the most widely used payment method in the event of a ransomware attack

Email remained the primary entry point in 96% of the reviewed breaches, accounting for 93%.

Social attacks are roughly three times more likely to cause breaches in businesses than physical vulnerabilities, highlighting the importance of regular staff cybersecurity training.

It has caused business to start researching ransomware defenses and has significantly increased demand for these defenses in the market under investigation.

Around the world, there are more data leaks and other security breaches. Phishing attacks have been used against numerous businesses from various industries at some point.

APEC market for Ransomware expected to grow

The Asia-Pacific Ransomware Protection Market is expected to grow at the fastest CAGR from 2023 to 2032.

This is due to the growing economies of China, India, and Australia spending extensively on cyber security solutions; Asia Pacific is also predicted to have growth potential in the ransomware prevention market.

Moreover, China’s Ransomware Protection market held the largest market share, and The Asia-Pacific region’s fastest-growing market for ransomware protection was India.

The market for Ransomware Protection industry has recently provided some of the most important benefits. Major players in the Ransomware Protection market, are attempting to increase market demand by investing in research and development operations.

Ransomware Protection Industry Developments

Intrucept has launched Intru360 gives security analysts and SOC managers a clear view across the organization, helping them fully understand the extent and context of an attack. It also simplifies workflows by automatically handling alerts, allowing for faster detection of both known and unknown threats.

Identify latest threats without having to purchase, implement, and oversee several solutions or find, hire, and manage a team security analyst.

Unify latest threat intelligence and security technologies to prioritize the threats that pose the greatest risk to your company.

Here are some features we offer:

  • Over 400 third-party and cloud integrations.
  • More than 1,100 preconfigured correlation rules.
  • Ready-to-use threat analytics, threat intelligence service feeds, and prioritization based on risk.
  • Prebuilt playbooks and automated response capabilities.

Source:

 BlackSuit ransomware extortion sites seized in Operation Checkmate

Ransomware attacks surge despite international enforcement effort | Cybersecurity Dive

Ransomware Protection Market Size, Growth Analysis – 2032

Blogs

Hackers Weaponizing AI Extension to steal Crypto Assets Through Malicious Packages

The amount of crypto  malware has doubled in the first quarter of 2025 as per research.

Kaspersky GReAT (Global Research and Analysis Team) experts have discovered open-source packages that download the Quasar backdoor and a stealer designed to exfiltrate cryptocurrency. The malicious packages are intended for the Cursor AI development environment, which is based on Visual Studio Code — a tool used for AI-assisted coding.

The fake extension, published under the name “Solidity Language,” had accumulated 54,000 downloads before being detected and removed.

What makes this attack particularly insidious is its exploitation of search ranking algorithms to position the malicious extension above legitimate alternatives.

How the Threat actors deceive the developers

During an incident response, a blockchain developer from Russia reached out to Kaspersky after installing one of these fake extensions on his computer, which allowed attackers to steal approximately $500,000 worth of crypto assets.

The threat actor behind these packages managed to deceive the developer by making the malicious package rank higher than the legitimate one. The attacker achieved this by artificially inflating the malicious package’s downloads count to 54,000.

After the malicious extension downloaded by the developer was discovered and removed from the repository, the threat actor republished it and artificially inflated its installation count to a higher number – 2 million, compared to 61,000 for the legitimate package.

The extension was removed from the platform following a request from Kaspersky.

The attackers leveraged the Open VSX registry’s relevance-based ranking system, which considers factors including recency of updates, download counts, and ratings. The attack infrastructure reveals a well-organized operation extending beyond this single incident.

In 2025, threat actors are actively publishing clones of legitimate software packages that, once installed, execute harmful payloads ranging from cryptocurrency theft to full codebase deletion.

The discovery leads us to think how cyber criminals take advantage of the trust inherent in open-source environments by embedding harmful code. All third-party code should be treated as untrusted until proven.

The threat actor behind these packages managed to deceive the developer by making the malicious package rank higher than the legitimate one. The attacker achieved this by artificially inflating the malicious package’s downloads count to 54,000.

After installation, the victim gained no actual functionality from the extension. Instead, malicious ScreenConnect software was installed on the computer, granting threat actors remote access to the infected device.

Using this access, they deployed the open-source Quasar backdoor along with a stealer that collects data from browsers, email clients, and crypto wallets. With these tools, the threat actors were able to obtain the developer’s wallet seed phrases and subsequently steal cryptocurrency from the accounts.

Mitigation Strategies from Intruceptlabs

GaarudNode is an all-in-one  solution designed to empower development teams with the tools they need to secure their applications throughout the development lifecycle. By combining the power of SAST, DAST, SCA, API security, and CSPM, GaarudNode provides a comprehensive security framework that ensures your applications are built, tested, and deployed with confidence.

Source: https://www.kaspersky.com/about/press-releases/kaspersky-uncovers-500k-crypto-heist-through-malicious-packages-targeting-cursor-developers

Blogs

Cyber-Breach on Qantas Airliner re-echo’s Cyber Risk associated with Third Party

Third-party vendors are critical to and business or industry – but they confirm to significant amount of cyber risk. Qanatas airline confirmed of cyber attack where nearly  six million customers data may have been compromised. The airliner issued statement that said credit card details, financial information, and passport details were not part of the breach.

Qantas said in a statement: “We are continuing to investigate the proportion of the data that has been stolen, though we expect it will be significant. An initial review has confirmed the data includes some customers’ names, email addresses, phone numbers, birth dates and frequent flyer numbers.”

The alarming aspect of a third-party data breach is the sheer scale of impact. Hackers have the potential to attack thousands of organizations in one fell swoop.

KPMG, study showed how 73% of organizations have experienced at least one significant disruption from a third-party cyber incident within the last three years. 

Qantas Group chief executive Vanessa Hudson said the company was working closely with the National Cyber Security Coordinator and the Australian Cyber Security Centre.

We sincerely apologies to our customers and we recognize the uncertainty this will cause. Our customers trust us with their personal information, and we take that responsibility seriously,” she said.

In the breach that affected Qantas airliner which is one of the oldest, did not point to any hackers group. This data breach is one of Australia’s biggest breach in years which caused major setback and reputation damage to an airliner.

Last week, FBI said Scattered Spider group  was targeting airlines and that Hawaiian Airlines (HAII.UL) and Canada’s WestJet had already reported breaches. Read more on our blogs:

Key pointer of the Qantas Breach

The Cyber hacker broke into a database containing the personal information of millions of customer.

The breach was executed by hackers who targeted a call center and gained access to a third-party customer service platform containing six million names, email addresses, phone numbers, birth dates and frequent flyer numbers.

Third party risk management is complex but neglecting can be fatal for organizations whose data volume is huge such as airliners.

The airline is emailing affected customers and has set up a dedicated support line at 1800 971 541 (or +61 2 8028 0534 from overseas).

If we observe in recent past 2020, the solar Winds attack that happened where Solar winds confirmed that its network had been penetrated by a malicious actor and a complex malware program inserted into software updates of its technology platform – SolarWinds OrionⓇ.

Such is the magnitude of the attack that the malware program comprised a multistage process, scanning downstream customer networks to detect security tools it could avoid or disable, and stealthily connecting to the attacker’s command and control servers. The malware persisted for months before initial detection.

The solar winds attack cost to the company amounted to significant loss with Incident response and forensic services cost companies 11% of their annual revenue (an average of $12 million). 

How to make sure your vendor don’t create unnecessary risk that pose challenge for organization at large

First ensure your third party vendor’s meet the required robust security posture

Vendor risk assessment must be done holistically by streamlining due diligence

Upon discovery of any vulnerabilities, it is important that customizing and updating security requirements of the newly discovered threats and patch.

As a part of better threat mitigation strategy it is important that to automate vendors onboarding this will provide agility.

Managing Third party risk with Intru360

A research with KPMG found that found 61% of businesses underestimate third party risk management and often also struggle to have a healthy operation model and scale it same time.

KPMG research further found that Third-party/nth-party risk management that covers all third-party relationships over the entire life cycle; subjects vendors that support critical activities or are heavily relied upon to more comprehensive and rigorous oversight; and considers transition, contingency, recovery, and duplicity alternatives.

With most of the technology investments fail to provide visibility into third-party risk, we at Intercept help you to expand the scope and cover third parties related risk areas by identifying.

Intru360 gives security analysts and SOC managers a clear view across the organization, helping them fully understand the extent and context of an attack. It also simplifies workflows by automatically handling alerts, allowing for faster detection of both known and unknown threats.

In vendor security and management here are some of the features we offer to make sure cyber health of each and every supplier is checked and alerts are placed to get notification.

Prebuilt playbooks and automated response capabilities.

Over 400 third-party and cloud integrations.

More than 1,100 preconfigured correlation rules.

Ready-to-use threat analytics, threat intelligence service feeds, and prioritization based on risk.

Sources: https://www.techtarget.com/whatis/feature/SolarWinds-hack-explained-Everything-you-need-to-know

https://kpmg.com/us/en/articles/2022/ten-key-regulatory-challenges-2023-risk-governance.html
https://www.sbs.com.au/news/article/qantas-data-breach-everything-we-know-so-far-about-stolen-customer-details/49iggxre0

Blogs

Fintech Cybersecurity; Best Practices to Navigate Risk & Challenges

Fintech apps have gained momentum as Paypal, Mint, Gpay and Stash have transformed the way payment is made in financial service industries in the last few years. Fintech platforms are mostly subject to varying security standards striving the threat landscapes across different regions of geography.

In this blog we will discover how Fintech’s are growing at a pace and scaling up along with rising user base making it difficult for security teams to detect at the same pace and understand the attack surface vastness. As Fintech companies grow at pace, its impossible to keep growing with smaller infrastructure and security practices that may not be sufficient for smaller operations. Also growth in user base, makes it difficult with security teams to have proper visibility over an ever-expanding attack surface. 

IntruceptLabs has a team of certified security experts who conduct manual penetration testing, identifying different business-centric vulnerabilities that an automated scan may not identify. GaarudNode from Intrucept provides a comprehensive security framework that ensures your applications are built, tested, and deployed with confidence.

The global aspect of operation in Fintech based organizations gives rise to data sovereignty issues, where some data must be within specific geographic limits. 

The Fintech Service (FaaS) market from past few yrs is experiencing substantial growth and the global market is projected to increase by USD 806.9 billion by 2029. This growth is fueled by increasing demand for digital financial solutions and the adoption of FaaS among businesses of all sizes.FaaS provides agility, flexibility, and seamless integration, making it attractive for businesses. 

Fintech’s mining Ground for cybercriminals

Apart from consumers and legitimate users across the globe, for cyber criminals Fintech’s are mining treasures as they can quiet probably gather or steal valuable personal and financial data.

Money is constantly flowing through various associated apps and we don’t know when and how bad actors will launch clever tactics and spill of money through various associated apps .This is making cyber security posture for fintech’s difficult.

Yes, Organizations can take up cyber skilling and training seriously and help staff to use phishing-resistant multifactor authentication and robust identity-verification measures. Organisation can take up security strategies and devise it keeping uniformity in enforcement practices and incident reporting requirements.

The past decade gave a consistent rise in the number and sophistication of cyberattacks targeting financial institutions as observed.

Now that is posing significant threats to the stability and trust within the financial ecosystem as financial losses increase due to cyber breaches or data hack and causing operational disruptions including reputational damage.

Navigating the risk & challenges affecting Fintech service (FaaS)

Fintech security is directly related to API security as API’s are responsible for smooth functioning of ‘Fintech as a platform’.

It is the same API’s that are prime target of cyber criminals as there has been increase in Cloud computing, mobile apps usage and Internet of Things (IoT) all have accelerated the adoption of APIs. 

API’s are used by developers to integrate third party services ,also increase the functionable features and create solutions that are innovative in nature. Any flaw in API security could substantially damage the endpoints and is a common vulnerabilities. API ‘s can become insecure when endpoints finds failure to validate input, leading to injection attacks.

User identity Theft

Authentication vulnerabilities are issues that affect authentication processes and make websites and applications susceptible to security attacks in which an attacker can masquerade as a legitimate user.

Any flaw in authentication and authorization will give way to account compromises with insecure password that are crackable or single-factor authentication in systems lacking additional verification step. Authentication is a vital part of any website or application since it is simply the process of recognizing user identities.

Having authentication vulnerabilities have serious repercussions — whether it’s because of weak passwords or poor authentication design and implementation.

Threat actors use these vulnerabilities to get access into systems and user accounts to:

  • Steal sensitive information
  • Masquerade as a legitimate user
  • Gain control of the application
  • Destroy the system completely

Supply chain risk or third party integration

Often fintech applications interact with external services or providers. Any weaknesses arising in Supply chain from backdoors are embedded within financial apps via compromised third-party code. So many Vendor fail the risk assessments as they are unable to identify risks well before integration. 

Mostly fintech functions are mobile transfers require Apps interacting with traditional banks having legacy infrastructure to support. Integrating the modern high-tech apps with the legacy systems often used by established financial institutions is a difficult technical challenge. 

Regulatory Compliance

Fintech firms operate under regulatory landscape that is complex and changing and must comply with various frameworks, including GDPR,PCI etc, and few local financial regulations based on geographical points or country wise .

These regulations add up to lot of over head expenses and if something overlaps

The regulations adds massive, unnecessary overhead, as requirements often overlaps creating chaos. Complying with local regulations, requires resources that can be diverted away from other security efforts.

Moreover, if a Fintech platform ventures into multiple markets, it must comply with local regulations, which often requires a race against time and diverts resources away from other security efforts.

Enterprise security can prevent cyber attacks by enforcing account lockouts, rate limiting, IP-based monitoring, application firewalls, and CAPTCHAs.

AI Soft Spot by Cyber criminals

Now cyber criminals are using AI and machine learning to automate the testing process and find zero-day vulnerabilities—especially in APIs. Perhaps the most observed impact AI has had on cybercrime has been an increase in scams, particularly those leveraging deepfake technology. In certain dark web forums where experimentation takes place, few threat actors are claiming to employ AI to bypass facial recognition technology, create deepfake videos and adopt techniques to summaries large amount of data.

Cyber security best practices for Faas

The outputs derived from assessment of security testing must encompass the entire attack surface, including APIs, mobile applications and other interfaces to develop roadmaps to improve security. In any event of security breach any incident response planning by organizations will help to identify, mitigate threat and recover. 

GaarudNode from IntruceptLabs

GaarudNode is an all-in-one  solution designed to empower development teams with the tools they need to secure their applications throughout the development lifecycle. By combining the power of SAST, DAST, SCA, API security, and CSPM, GaarudNode provides a comprehensive security framework that ensures your applications are built, tested, and deployed with confidence.

The dashboard presents findings with ratings and remediation steps, allowing developers to easily address critical issues.

What else you get from GaarudNode?

  • Identifies security flaws early in the development process by scanning source code, helping developers detect issues like insecure coding practices or logic errors.
  • Tests running applications in real-time to identify vulnerabilities such as SQL injection, Cross-Site Scripting (XSS), and other runtime threats.
  • Detects vulnerabilities in third-party libraries and open-source components, ensuring that your dependencies don’t introduce risks.
  • Continuously tests and monitors your APIs for vulnerabilities such as authentication flaws, data exposure, and insecure endpoints.

Sources: https:www.apisec.ai

Blogs

NCSC UK, released set of 6 principles to build Cyber Security culture & Boost Resilience for Orgs

In recent times we witnessed many organizations who are facing numerous cyber attacks hold confidential customer, employee and supplier personal data. Such data is attractive to attackers, as they can steal it and demand ransom payments to stop them revealing it out in public. There is a constant fear against threat actors looming and that actually demands organizations to be cyber resilient.

What is the way out to create a cyber resilience culture that are meaningful both for employees and leaders ?

The U.K. National Cyber Security Centre on Wednesday published six cybersecurity culture principles developed through extensive research with industry and government partners.

The principles define the cultural foundations essential for building a cyber-resilient organization and offer guidance on how to cultivate that environment.

The principles are based on many factors on what leads to weak or misaligned cultures leading to poor security outcomes so that organizations understand how outcomes have deeper cultural issues and require urgent attention.

Cyber attack on Retail sector

This was followed by multiple cyber-attacks on the retail sector have gathered media attention over the first half of 2025. This included breaches on Co-op, Harrods, Adidas, The North Face, and Cartier.

Notably, a long-term disruption for UK brand Marks and Spencer, whose online sales are still paused seven weeks after the initial attack, was caused by phishing on a third-party supplier.

Over the Easter weekend, customers in M&S stores were unable to make contactless payments, click and collect services were unavailable. M&S has been quick to respond to cyber attacks faced and been applauded for its response to the attack, particularly its handling of external communications. 

The newly released Operational Resilience Report 2025 has found organizations are taking a more integrated approach to resilience. Recognizing that people are vital to cybersecurity,

Cyber security culture The 6 principles laid by  National Cyber Security Centre (NCSC) to build a cyber security culture within an organization.

  • Frame cybersecurity as an enabler, supporting the organization to achieve its goals
  • Build the safety, trust, and processes to encourage openness around security
  • Embrace change to manage new threats and use new opportunities to improve resilience
  • The organization’s social norms promote secure behaviours
  • Leaders take responsibility for the impact they have on security culture
  • Provide well-maintained cybersecurity rules and guidelines, which are accessible and easy to understand.

The first principle identifies that cybersecurity exists to protect the technology and information that keep an organization running.

But when it operates in isolation, its role as an enabler of every other function is often overlooked. This disconnect creates tension. Security may be seen as a blocker, its policies misunderstood or ignored, and controls bypassed, opening the door to further risk.

A shared purpose across the organization changes this dynamic. When everyone understands and works toward common goals, decisions reflect what supports the whole rather than just individual departments. Cybersecurity becomes part of how work gets done, not an obstacle in the way.

An effective culture recognises that secure behaviour is essential to meeting shared goals. Staff understand the value of cybersecurity in protecting systems and information. Controls are designed with an awareness of how people work, and security teams engage directly to reduce friction.

Clarity around purpose, consistent internal messaging, and strong leadership support all help integrate cybersecurity into the wider mission.

When people no longer see security as a separate concern, but as part of their contribution to organizational success, stronger and more resilient practices follow.

No amount of training can replace the value of open dialogue, especially when facing unfamiliar or fast-moving threats. When people are comfortable reporting mistakes, raising concerns, or suggesting improvements, the organization becomes more adaptive and resilient.

The second principle  depends on a culture where people feel safe to speak up.

Without psychological safety, self-protection takes over. People stay silent, avoid reporting errors or tolerate behaviour that undermines security. Fear of blame or punishment blocks the flow of vital information and ideas.

To counter this, organizations need trusted, accessible channels for communication. Whether through help desks, portals, or local experts, these paths must be easy to use and free from friction. When people do reach out, their efforts should be acknowledged and, where possible, acted upon.

Security incidents should be investigated to understand what happened and how to improve, not to assign fault. Fair treatment and transparent processes build trust and make it more likely that people will engage in the future. Psychological safety is not a soft extra. It is a core condition for real-time responsiveness and continuous learning in security. When people trust the system and those behind it, they help protect it.

The third principle On cyber resilient organizations treat change as a constant and improvement as a shared responsibility. In cybersecurity, this mindset is critical.

As threats evolve and technologies shift, staying still is not neutral, it increases exposure and limits growth. Rather than viewing incidents or disruptions as setbacks, forward-looking organizations treat them as signals for refinement. Ignoring these moments in favour of maintaining the status quo leads to blind spots and missed opportunities.

Change must be coordinated across the organization. If one area races ahead or stalls without alignment, the imbalance can cause harm. Cybersecurity teams have a key role in guiding this process. They help ensure that risks are managed by those equipped to handle them, instead of being pushed onto teams lacking the resources or context to respond effectively.

Strong cultures embrace change as a path to better outcomes. They are measured in how and when they implement changes, mindful of fatigue and disruption. People feel supported during transitions and trust that new risks are handled responsibly. To sustain this, organizations need systems in place to identify emerging challenges and bring the right voices into decision-making. Clear roles, timely choices, and shared accountability allow security and resilience to move forward together.

The fourth principle identifies that workplace behaviour is shaped not just by formal rules but by unwritten ones picked up through observation.

These social norms often influence how people approach cybersecurity. When aligned with security goals, they help reinforce good habits and guide new staff toward secure practices.

But not all norms work in favour of security. Some, like cutting corners to be helpful or following senior examples, can quietly encourage risky behaviour. These norms are hard to change if they help people get their work done more easily than formal processes allow. Addressing this requires understanding the values behind these norms. Without doing so, even well-designed policies will be ignored, increasing risk and weakening trust in security measures.

A strong security culture identifies both helpful and harmful social norms and finds ways to align them with formal policies.

This may involve redesigning controls to support productivity or shifting behaviors through influence, incentives, and role models.

The fifth principle recognizes that cybersecurity culture depends on leadership that leads by example.

When leaders align with a shared purpose, model secure behaviors, and foster trust, they help embed security into daily work. Their influence shapes norms and drives change.

Leaders who engage openly and share lessons from past challenges build confidence and inspire action. Those who ignore this responsibility risk undermining progress, as teams often follow their lead. Strong leadership means linking security to business goals, promoting learning, and removing incentives for risky behaviour.

Supporting leaders with the right knowledge and encouraging honest dialogue strengthens a culture where security becomes a collective effort.

The sixth principle calls for creating a cyber-secure workplace that depends on finding the right balance between clear expectations and practical flexibility.

Rules must support people in solving problems locally while setting consistent standards across the organization. When done well, this balance builds trust between staff and leadership.

Overly rigid rules risk becoming outdated and burdensome, while vague guidance leaves teams confused and vulnerable. Both extremes can lead to frustration and disengagement from cybersecurity efforts. A better approach involves understanding where different teams struggle, inviting their input, and refining the rules based on real-world use and ongoing feedback.

Security rules should be integrated into daily workflows and onboarding. They must be easy to find, clearly written, and regularly updated, with changes communicated. Where gaps exist or the rules do not apply, teams must have quick access to experts who can help manage risk at the moment.

In practice, effective cybersecurity guidance is inclusive, tested for usability, and aligned with organizational goals. People should know what is mandatory and what is advisory. Feedback is actively used to improve the rules, and outdated material is removed to prevent confusion.

IntruceptLabs products are influencing cyber culture by promoting proactive security measures, automation, and a focus on user behavior and training.

IntruceptLabs enable organizations to improve their security posture by providing tools for patching vulnerabilities, managing access, and responding to threats, ultimately contributing to a more secure and resilient cyber environment. 

GaarudNode is an all-in-one  solution designed to empower development teams with the tools they need to secure their applications throughout the development lifecycle. By combining the power of SAST, DAST, SCA, API security, and CSPM, GaarudNode provides a comprehensive security framework that ensures your applications are built, tested, and deployed with confidence.

The platform offers:

  • Identifies security flaws early in the development process by scanning source code, helping developers detect issues like insecure coding practices or logic errors.
  • Tests running applications in real-time to identify vulnerabilities such as SQL injection, Cross-Site Scripting (XSS), and other runtime threats.
  • Detects vulnerabilities in third-party libraries and open-source components, ensuring that your dependencies don’t introduce risks.
  • Continuously tests and monitors your APIs for vulnerabilities such as authentication flaws, data exposure, and insecure endpoints.

Conclusion:

The importance of cyber resilience helps set businesses who have a solid response plan and test it regularly so that the organization is prepared for any cyber incidents.

The cyber-security incident plan should be part of a wider business continuity plan, considering the impact of a cyber incident on the business and defining steps to recover and respond.

NCSC emphasized that creating the culture takes time and is not a one-off exercise, but needs a focused and sustained effort from cyber security professionals, innovators and culture specialists, and organisations’ leaders.

Sources: https://www.thebci.org/news/retail-under-attack-the-growing-movement-towards-operational-resilience.html

Security Advisory

Critical 0-Day Vulnerabilities in Qualcomm Adreno GPU Drivers Actively Exploited  

Summary 

OEM Qualcomm 
Severity HIGH 
CVSS Score 8.6 
CVEs CVE-2025-21479, CVE-2025-21480, CVE-2025-27038 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

Three actively exploited zero-day vulnerabilities in Qualcomm’s Adreno GPU drivers (CVE-2025-21479, CVE-2025-21480, CVE-2025-27038) have been disclosed and patched.

These flaws impact billions of Android devices across vendors such as Samsung, Google, Xiaomi, and OnePlus. Qualcomm released patches to OEMs in May 2025, urging immediate integration to mitigate severe memory corruption and code execution threats. 

Vulnerability Name CVE ID Product Affected CVSS Score Severity 
​Incorrect Authorization Vulnerability  CVE-2025-21479 Qualcomm Adreno GPU Driver  8.6  High 
Incorrect Authorization Vulnerability  CVE-2025-21480 Qualcomm Adreno GPU Driver  8.6  High 
Use-After-Free Vulnerability  CVE-2025-27038 Qualcomm Adreno GPU Driver  7.5  High 

Technical Summary 

These vulnerabilities reside within Qualcomm’s Adreno GPU driver, specifically in the Graphics component. The flaws allow attackers to corrupt memory, escalate privileges or execute arbitrary code. Two issues (CVE-2025-21479, CVE-2025-21480) result from incorrect authorization mechanisms in GPU microcode and the third (CVE-2025-27038) is a use-after-free flaw that can be exploited via malicious content rendered through Chrome. 

CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-21479   Android (Adreno GPU) Unauthorized command execution during specific GPU microcode sequences causes memory corruption.   Privilege escalation, system compromise. 
   CVE-2025-21480    Android (Adreno GPU) Similar unauthorized GPU command flaw allowing memory corruption via improper authorization checks.   Memory corruption, remote code execution. 
  CVE-2025-27038   Android (Chrome/Adreno) Use-after-free condition in graphics rendering pipeline (via Chrome) allows attacker control over freed memory space.   Arbitrary code execution. 

Recommendations

  • Apply OEM Patches Immediately: Qualcomm released fixes in May 2025 to all OEMs; users should install the latest firmware updates from their device manufacturers. 
  • Check for Updates: Go to Settings → System → Software Update and apply the latest security patches as soon as available. 
  • Apply Security Updates: Users should ensure their Android devices receive the latest security updates. 
  • Monitor Manufacturer Communications: Stay informed about patch availability specific to your device model via official OEM channels. 

Conclusion: 
These zero-day vulnerabilities in Qualcomm’s Adreno GPU drivers highlight ongoing security risks in mobile hardware components.

Exploited in limited, targeted attacks potentially by spyware vendors or state-sponsored actors these flaws pose significant threats to Android devices worldwide. 

In response to confirmed exploitation, CISA has added all three CVEs (CVE-2025-21479, CVE-2025-21480, CVE-2025-27038) to its Known Exploited Vulnerabilities (KEV) catalog, mandating swift action for federal systems.

Timely patching by OEMs and proactive updates by users are critical to mitigating these risks and preventing further exploitation. 

References

 

Blogs

Ways to combat Cyber Threats; Strengthen your SOC’s readiness involves 3 key strategies

Cyber threats are no longer limited to human attackers, with AI-driven “bad bot” attacks now accounting for 1/3 as per research. These attacks can be automated, allowing attackers to launch more extensive and efficient campaigns

Organizations are now exposed new risks, providing cybercriminals with more entry points and potential “surface areas” to exploit as they go digital and adopt to innovations and wider use of digital technologies.

Some of the types of bad bots are DDoS bots, which disrupt a website or online service by overwhelming it with traffic from multiple sources.

Cybercriminals are using Gen-AI tools to improve the efficiency and yield of their campaigns – with Check Point Research’s recent AI Security Report 2025 flagging the use of the technology for malicious activities like AI-enhanced impersonation and social engineering.

Account takeover bots, which use stolen credentials to access users’ online accounts; web content scraping bots, which copy and reuse website content without permission; and social media bots, which spread fake news and propaganda on social media platforms.

The purpose of Bad Bot is expose critical flaws and vulnerabilities within the security frameworks that IT leaders have established in their architectures and operations.

Unfortunately, traditional security operations centers (SOCs) are built to detect threats based on predefined rules and human-driven logic or characteristics.

 AI-powered bots use automation and adaptive methods to execute more sophisticated and dynamic attacks that can bypass these existing defences.

Vulnerabilities are evolving so SOC team have more responsibilities then before as BOTs are AI powered.

Here we outlined three strategies to strengthen your SOC readiness

1.SOC team an essential or important component of business are in Fatigue Zone:

SOCs continuously monitor your organization’s network, systems, and applications to identify potential vulnerabilities and detect any signs of malicious activity.

SOC team quickly takes action to contain the threat and minimize damage, ultimately reducing the overall impact on your business.

Ponemon institute research say SOC teams are fatigued and one research pointed that 65% has fatigue and burn out issues.

That means Cyber security need to support the SOC teams and research found highlight that a lack of visibility and having to perform repetitive tasks are major contributors to analyst burnout.

Threat hunting teams have a difficult time identifying threats because they have too many IOCs to track, too much internal traffic to compare against IOCs.

Sometimes organizations have lack internal resources and expertise and too many false positives. 

Bringing out SOC team from fatigue issue is as important as investing on training, upskilling on cyber skills and development to keep your team’s spirit high.

Establish Key Performance Indicators (KPIs) to measure the effectiveness of your SOC. Monitor these KPIs closely and use them to identify areas for improvement.

2. How do Organization harness Nex-gen technology to combat cyber Threats

Staying abreast of industry trends and best practices to ensure your SOC teams remains at the forefront of cyber security or ahead of the curve with Nex-gen technologies.

So that SOC teams can detect and respond to threats more quickly and efficiently, get holistic view of organizations security posture, AI and ML can augment the SOC team by automating routine task.

Many organizations are adopting hybrid cloud infrastructure and SaaS applications for productivity and cost efficiency reasons. But organizations face difficulty of managing and securing the data on those platforms, which is again leading to higher breach costs.

Darktrace report says 78% of the more than 1,500 security executives responding to a recent survey said that AI-powered threats are having a significant impact on their organizations – with many admitting they lack the knowledge, skills, and personnel to successfully defend against those threats.

Many organizations are already leveraging AI as a cyber-security tool.

Now more IT leaders say they are integrating AI into their cloud strategies for use in advanced security and threat detection.

Organizations can encounter several challenges when integrating AI into their cloud strategies.

Along with SOC team who seamlessly integrate across the organization, same is for AI. Seamless integrations of AI will make it easier for AI-assisted threat detection, notification, enrichment and remediation.

The purpose is AI should focus on tuning models that is organization specific environment. Once done AI will integrate threat intelligence and filtering will be done based on specific context.  This will help reinforcing trust with customers and stakeholders.

3. Investing in Predictive Threat Modelling priority  for Nex-gen SOC Teams

In this era where AI is being leveraged by organisation to derive accuracy, SOC teams who are evolving will prefer investing in intelligence predictive threat models that are proactive in nature to anticipate risks and refine their response strategies.

When organizations have a Threat Intelligence-Driven SOC  it is easier to transform security operations from reactive to proactive defence. Most of the organization builds and operates its own SOC. That is done by employing a dedicated team of cyber security professionals who offers to take complete control over security operations but can be resource-intensive.

AI makes the process easier, as having AI-driven analytics will assist detect anomalous behaviours and zero-day threats.

Further with implementing predictive threat modelling to anticipate emerging attack patterns and leveraging the right frameworks, tools and best practices will help organizations build an intelligence-driven SOC. And with an intelligence-driven SOC team, anticipating any cyber threats can be dealt with efficiency.

IntruceptLabs now offers Mirage Cloak and to summarise Mirage Cloak offers various deception methods to detect and stop threats before they cause damage.

These methods include adding decoys to the network, deploying breadcrumbs on current enterprise assets, using baits as tripwires on endpoints.

 This is executed by setting up lures with intentionally misconfigured or vulnerable services or applications.

The flexible framework also lets customers add new deception methods as needed.

Conclusion: Organizations can better protect their digital assets and ensure business continuity by understanding the key components and best practices for building a successful SOC.

At the end  we must accept that to defend against any sort of AI attack, SOC teams must evolve with right collaborations and effective communication between partners seamlessly to evaluate information to stay ahead of attackers.

Sources: What is SOC (Security Operations Center)?

Security Advisory

RCE Risk in D-Link Routers due to Hardcoded Telnet Credentials

Summary A significant security flaw (CVE-2025-46176) has exposed thousands of D-Link routers to remote code execution attacks through hardcoded Telnet credentials embedded in firmware. This is affecting its DIR-605L and DIR-816L routers.

If successful exploitation happens this will enables attackers to modify router configurations, deploy malware, or pivot into internal networks.

OEMD-link
SeverityMedium
CVSS Score6.5
CVEsCVE-2025-46176
Actively ExploitedNo
Exploited in WildNo
Advisory Version1.0

Overview

The flaw exposes devices to remote command execution (RCE) through hardcoded Telnet credentials.

The vulnerability has been rated medium in severity (CVSS 6.5), with no official firmware patch available as of May 2025.

Vulnerability NameCVE IDProduct AffectedSeverityFixed Version
Hardcoded Telnet Credentials vulnerability  CVE-2025-46176D-Link Router  MediumNo official fix available

Technical Summary

The vulnerability arises from hardcoded Telnet credentials in the router firmware, which allows unauthenticated remote attackers to execute arbitrary commands.

Firmware analysis revealed embedded credentials in configuration files used during Telnet service initialization.

Security experts recommended retiring these EOL devices due to absence of security support and the impossibility of removing hardcoded credentials through configuration changes.

CVE IDSystem AffectedVulnerability DetailsImpact
    CVE-2025-46176D-Link DIR-605L v2.13B01, DIR-816L v2.06B01Telnet service (/usr/sbin/telnetd -l /bin/sh -u Alphanetworks:$image_sign) uses hardcoded credentials from image_sign file, exposing plaintext passwords.      RCE

Recommendations:

As of May 2025, no firmware updates are available to fix the vulnerability. Recommended temporary mitigations include :

  • Disable Telnet access via the router’s web interface.
  • Block Telnet port (23) using firewall rules:

“iptables -A INPUT -p tcp –dport 23 -j DROP”

  • Restrict WAN access to management interfaces.
  • Monitor D-Link’s official support page for firmware updates.

Conclusion:
Security researchers discovered the flaw through firmware analysis, revealing that both router models contain default Telnet credentials that cannot be changed by users. 

While exploitation likelihood is currently assessed as low, vulnerability enables unauthenticated attackers to gain control of the routers, affecting confidentiality, integrity and availability.

Immediate mitigation is advised, especially for publicly exposed devices and Security experts strongly recommend retiring these EOL devices due to the absence of security support and the impossibility of removing hardcoded credentials through configuration changes.

Threat from Legacy Devices:

The vulnerability in Telnet revealed security risks that legacy networking equipment carry with them and is embedded hardcoded credentials in IoT devices.

Inadequate security, harboring multiple unpatched vulnerabilities and relying on inadequate security controls that fail to address underlying risks. This poses a threat not only to device itself, but also to the network and connected critical assets.

References:

Scroll to top