
During a week that exposed the weaknesses in digital trust, cybersecurity news was dominated by prominent breaches, zero-day vulnerabilities, and audacious nation-state espionage.

ShinyHunters claimed to have obtained analytics data tied to Pornhub Premium users by breaching the third-party analytics provider Mixpanel rather than Pornhub itself, underscoring how lucrative adult platforms remain as targets for extortion and phishing. As investigators work to confirm the scope, the incident reignites discussion of third-party risk management and of how long vendors retain behavioral data: the exposed records appear to predate Pornhub's 2021 move off Mixpanel.

Simultaneously, Cisco warned of an actively exploited zero-day vulnerability (CVE-2025-20393) in AsyncOS, the operating system behind its Secure Email Gateway and Secure Email and Web Manager appliances. The flaw permits unauthenticated remote command execution at the system level, and attackers are using it to plant the AquaShell backdoor on exposed email security appliances.

No patch was available at the time of writing, so Cisco has published hardening guidance instead, and preliminary reports suggest compromised appliances across North America and Europe. Security teams are urged to prioritize scanning and remediation, as this vulnerability again shows how exposed network-perimeter appliances have become in the face of state-sponsored and other advanced attackers.

Adding a geopolitical twist, Amazon uncovered a North Korean operative posing as a U.S.-based systems administrator employed through one of its contractors. The tell was subtle: the laptop issued to the worker sat in Arizona, but its keystroke timing showed a consistent extra delay that pointed to someone driving it remotely from abroad.

Amazon's telemetry-based location checks ended the operation. The case mirrors the wider DPRK "remote IT worker" scheme, which funds the regime through fraudulent corporate employment, and adds to calls for stricter vetting of remote hires.



Beyond these headline incidents, our recap covers the Gentlemen and Qilin ransomware ecosystems, Storm-0249's pivot to initial access brokering, mass exploitation of the React2Shell vulnerabilities against Next.js servers, actively exploited FortiGate SSO bypasses, Google's Chrome update for a WebGPU use-after-free, new CISA/NSA guidance on UEFI Secure Boot, and Windows updates that broke MSMQ and WSL networking. For each item we summarize the exploitation pattern, the affected versions, and the mitigation a defender should act on first.

Cyber Threats

Gentlemen Ransomware Targets Enterprise Networks

Gentlemen ransomware, first observed in August 2025, is quickly becoming one of the most prolific emerging ransomware families, hitting medium to large enterprises in at least 17 countries across sectors including healthcare, manufacturing, and insurance. The group runs a double-extortion model, stealing sensitive data before encrypting it, and relies on Go-based cross-platform payloads, abuse of Group Policy Objects for deployment, and BYOVD (bring your own vulnerable driver) techniques to disable defenses and move laterally. The encryptor refuses to run without a valid --password argument (so a recovered sample cannot simply be detonated for analysis), uses X25519 for key exchange and XChaCha20 for file encryption, encrypts only segments of large files for speed, and drops README-GENTLEMEN.txt ransom notes in affected folders.

Read more: https://cybersecuritynews.com/new-gentlemen-ransomware-breaching-corporate-networks/

Storm-0249: From Mass Phishing to Stealth IAB

Storm-0249 has shifted from a noisy mass-phishing operation into a quieter initial access broker that sells ransomware-ready footholds, following the broader cybercrime-as-a-service trend. The group now abuses trusted EDR executables such as SentinelOne's SentinelAgentWorker.exe for DLL sideloading, using the signed binary to load a malicious library so that its code persists inside a whitelisted, high-trust process. The chain typically starts with ClickFix-style social engineering and malicious MSI packages, after which Storm-0249 performs reconnaissance, ties its payload encryption to machine identifiers so a sample only runs on the intended host, and avoids command-line-based detection.

Read more: https://cybersecuritynews.com/storm-0249-abusing-edr-process/

ClickFix Campaign Abuses finger.exe and Fake CAPTCHAs

A social engineering technique known as ClickFix now abuses the legacy Windows finger.exe client together with fake CAPTCHA pages to deploy multi-stage malware. Victims are talked into pasting and running a finger command (for example, finger gcaptcha@captchaver[.]top) that pulls text from an attacker-controlled server over TCP port 79; that text is a PowerShell command which decodes and runs Base64-encoded payloads to establish a foothold. Campaigns such as KongTuke and SmartApeSG depend on outbound port-79 traffic, which many environments neither monitor nor block, turning a largely forgotten protocol into an effective initial access channel.

Read more: https://cybersecuritynews.com/new-clickfix-attack-exploits-finger-exe-tool/

PCPcat React2Shell Exploitation Hits 59,000+ Next.js Servers

The PCPcat malware operation compromised more than 59,000 servers in under 48 hours by exploiting critical unauthenticated remote code execution flaws in Next.js and React (CVE-2025-29927 and CVE-2025-66478). The attacks deliver specially crafted JSON payloads that abuse prototype pollution and command injection to hijack Node.js child-process execution, then exfiltrate environment files, cloud keys, SSH credentials, and shell histories before deploying GOST and FRP for persistent tunneling. PCPcat's command-and-control, centered on 67.217.57.240 over ports 666, 888, and 5656, drives high-frequency scanning batches and installs redundant systemd services to keep compromised servers inside the botnet.

Read more: https://cybersecuritynews.com/new-pcpcat-exploiting-react2shell-vulnerability/

Weaponized SVGs, Office Docs, and Multi-Stage Loaders

Researchers have outlined a complex phishing campaign targeting manufacturing and governmental entities in Italy, Finland, and Saudi Arabia, utilizing weaponized Office documents, malicious SVGs, and ZIP/LNK chains to deliver a shared commodity loader. This multi-stage pipeline relies on obfuscated JavaScript, WMI-launched PowerShell, PNG-based steganography for .NET assemblies, trojanized TaskScheduler libraries, and process hollowing into RegAsm.exe, eventually deploying stealers and RATs such as PureLog, Katz Stealer, DC Rat, Async Rat, and Remcos. Defensive guidance stresses disabling the outdated Equation Editor (CVE-2017-11882), tightening email filters, examining image attachments, and monitoring suspicious PowerShell execution trends.

Read more: https://cybersecuritynews.com/hackers-weaponize-svg-files-and-office-documents/

BlueDelta Targets Ukrainian UKR.NET Users

Russian state-sponsored faction BlueDelta (APT28/Fancy Bear/Forest Blizzard) is conducting a credential-harvesting operation aimed at users of the widely-used Ukrainian webmail and news platform UKR.NET. The adversaries disseminate PDFs that direct to counterfeit login portals hosted on platforms like Mocky and DNS EXIT, subsequently linking shorteners, ngrok/Serveo tunnels, and multi-tier infrastructures to capture usernames, passwords, 2FA tokens, and IP addresses while concealing the actual C2 locations. Updated JavaScript even circumvents ngrok’s browser alerts by embedding the ngrok-skip-browser-warning header, accommodating at least 42 unique credential-harvesting chains noted throughout the operation phase.

Read more: https://cybersecuritynews.com/bluedelta-hackers-attacking-users/

Solar Panel Systems at Risk of Remote Manipulation

Recent studies indicate that Internet-connected solar and energy management systems can be remotely manipulated, allowing attackers to disturb power production, modify reported metrics, or exploit access for lateral movement into operational settings. Misconfigurations, default credentials, and publicly accessible management interfaces create a vulnerability surface where adversaries could potentially orchestrate large-scale grid-impacting maneuvers or monetize control via extortion. Operators are advised to secure remote access, segregate OT from IT networks, and enforce rigorous authentication on all cloud and web interfaces associated with power infrastructure.

Read more: https://cybersecuritynews.com/hackers-can-manipulate-internet-based-solar-panel-systems/

Qilin–Allied Operations and RaaS Ecosystem Shifts

New findings regarding the Qilin ransomware ecosystem illuminate a growing alliance framework that incorporates access brokers, infrastructure suppliers, and data-leak facilitators around the core RaaS operation. These collaborations streamline end-to-end attack workflows—from initial compromise and privilege escalation to data theft, extortion site hosting, and negotiation facilitation—lowering barriers for less experienced affiliates while amplifying campaign volume. Organizations are recommended to concentrate on upstream controls such as brokered access detection, surveillance of emerging leak domains, and enhanced visibility into interconnected infrastructure reuse.

Read more: https://cybersecuritynews.com/new-research-uncovers-the-alliance-between-qilin/

Vulnerability

CISA Flags Legacy Sierra Wireless Routers

CISA has listed a legacy Sierra Wireless AirLink ALEOS vulnerability (CVE-2018-4063) in its catalog of Known Exploited Vulnerabilities after discovering evidence of active exploitation. This vulnerability is an unrestricted file upload issue within the web interface that enables authenticated attackers (often using default or weak credentials) to upload harmful files and achieve remote code execution on the router, facilitating persistent access and lateral movement into internal networks. As the affected hardware is End-of-Life without any security patches available, CISA encourages federal agencies and enterprises to completely decommission and eliminate these devices rather than attempting to secure them in place.

Read more: https://cybersecuritynews.com/cisa-adds-sierra-router-vulnerability/

Critical Plesk Bug Gives Users Root Access

A critical local privilege escalation flaw in Plesk for Linux (CVE-2025-66430) allows any authenticated Plesk user with access to the “Password-Protected Directories” feature to escalate privileges to root on affected servers. The vulnerability arises from improper handling of user input, allowing attackers to inject arbitrary data into the Apache configuration and execute commands with root permissions, leading to complete server takeover, data exfiltration, malware installation, and lateral movement. Plesk has issued patches and micro-updates for versions 18.0.70 through 18.0.74 (including Onyx), and administrators are advised to implement the fixes without delay, restrict access to the feature, and monitor logs for any suspicious configuration alterations.

Read more: https://cybersecuritynews.com/plesk-vulnerability/

NVIDIA Merlin Deserialization Flaws Threaten AI Workloads

Two high-severity deserialization vulnerabilities in NVIDIA’s Merlin framework (CVE-2025-33213 and CVE-2025-33214) affect NVTabular’s Workflow and Transformers4Rec’s Trainer components on Linux. Insecure deserialization (CWE-502) may permit remote attackers with network access and minimal user interaction to execute malicious code, generate denial-of-service conditions, extract sensitive data, and manipulate recommendation system workflows used in extensive AI deployments. NVIDIA has deployed security updates through the official Merlin and NVTabular repositories, and organizations operating Merlin in production environments should promptly download the latest versions, review deserialization practices, and restrict untrusted data pathways in ML workflows.

Read more: https://cybersecuritynews.com/nvidia-merlin-vulnerabilities/

JumpCloud Remote Assist Vulnerability Enables SYSTEM-Level Takeover

A high-severity local privilege escalation flaw in JumpCloud Remote Assist for Windows (CVE-2025-34352) lets low-privileged users obtain NT AUTHORITY\SYSTEM privileges or crash endpoints. The agent's uninstaller, which runs as SYSTEM, creates, writes, deletes, and executes files inside the user-controlled %TEMP% directory without adequate validation, which opens the door to race-condition and file-redirect (symlink/junction) attacks that end in full endpoint compromise. JumpCloud fixed the flaw in Remote Assist agent version 0.317.0 and later; organizations should confirm all Windows endpoints are updated, audit for privileged operations in user-writable paths, and watch for unusual uninstall triggers or DoS attempts.

Read more: https://cybersecuritynews.com/jumpcloud-remote-assist-for-windows-agent-flaw/

FortiGate SSO Flaws Under Active Exploitation

Threat actors are actively taking advantage of two critical Fortinet authentication bypass flaws (CVE-2025-59718 and CVE-2025-59719) found in FortiGate firewalls and associated products’ FortiCloud SSO login. Manipulated SAML messages allow unauthenticated attackers to circumvent FortiCloud SSO and gain administrative access to FortiGate, FortiWeb, FortiProxy, and FortiSwitchManager appliances when the feature is enabled, creating a direct pathway to configuration theft and network compromise. Fortinet has issued patches and urges customers to promptly update, temporarily disable FortiCloud SSO where practical, restrict management interfaces to trusted networks, and reset stored credentials as well as review logs if any signs of malicious SSO logins are detected.

Read more: https://cybersecuritynews.com/fortigate-devices-sso-vulnerabilities/

ScreenConnect Server Bug Exposes Config Data and Extensions

ConnectWise ScreenConnect server is affected by a serious vulnerability (CVE-2025-14265) that can let attackers read sensitive configuration data and install untrusted extensions. The flaw stems from missing or inadequate code integrity checks during extension installation (CWE-494) and affects ScreenConnect server versions before 25.8; host and guest clients are not affected. ConnectWise's 25.8 release tightens server-side validation and integrity verification for extensions. On-prem administrators should update without delay, review the list of installed extensions, and check logs for unusual extension activity; cloud-hosted instances have already been patched automatically.

Read more: https://cybersecuritynews.com/screenconnect-vulnerability/

Windows Admin Center LPE through Writable ProgramData Paths

A recently disclosed local privilege escalation vulnerability in Windows Admin Center (CVE-2025-64669) affects versions up to 2.4.2.1 and environments still running WAC 2411 and older. Weak permissions on folders such as C:\ProgramData\WindowsAdminCenter and C:\ProgramData\WindowsAdminCenterUpdater, which ordinary users can modify but elevated services consume, let attackers hijack the uninstall and updater flows, plant malicious DLLs, and have them loaded as SYSTEM. Microsoft rated the issue Important and shipped fixes in the December Patch Tuesday cycle; defenders should update WAC gateways promptly, verify the directory ACLs, and run the vendor-supplied validation scenarios to confirm the mitigations hold.

Read more: https://cybersecuritynews.com/windows-admin-center-vulnerability/
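The underlying weakness in both this Windows Admin Center flaw and the JumpCloud Remote Assist issue above is a privileged process trusting a directory that ordinary users can write to. The following added example (not Microsoft's, JumpCloud's, or the article's code) parses the output of icacls and flags directories where low-privilege principals hold write-capable rights; the sample output, the directory names, and the set of "low-privilege" principals are constructed assumptions.

```python
"""Audit icacls output for low-privilege write access on directories used by privileged services.

Added example, not from the article, Microsoft or JumpCloud. It parses the text that
`icacls <dir>` prints; the sample output below is constructed, including the directory
names under ProgramData, and the set of low-privilege principals is an assumption.
"""
import re
import sys
from collections import defaultdict

# Constructed sample of icacls output for three directories (not real system output).
SAMPLE_ICACLS = r"""C:\ProgramData\WindowsAdminCenter BUILTIN\Users:(OI)(CI)(M)
                                  NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                  BUILTIN\Administrators:(OI)(CI)(F)

C:\ProgramData\WindowsAdminCenterUpdater NT AUTHORITY\Authenticated Users:(OI)(CI)(W)
                                         NT AUTHORITY\SYSTEM:(OI)(CI)(F)

C:\ProgramData\ExampleVendor\Agent NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                   BUILTIN\Administrators:(OI)(CI)(F)
                                   BUILTIN\Users:(OI)(CI)(RX)

Successfully processed 3 files; Failed processing 0 files
"""

# One ACE per line: "<principal>:(<right>)(<right>)...". Principals may contain spaces
# (NT AUTHORITY\...), so the known authorities are listed explicitly; SIDs match [\w.-]+.
ACE_RE = re.compile(
    r"((?:NT AUTHORITY|NT SERVICE|CREATOR OWNER|BUILTIN|APPLICATION PACKAGE AUTHORITY"
    r"|Everyone|[\w.-]+)(?:\\[\w .$-]+)?):((?:\([A-Z,]*\))+)\s*$"
)

# Rights that let a principal create, replace or delete files (generic and specific tokens).
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WA", "WEA", "DC", "DE", "WDAC", "WO"}

LOW_PRIV_PRINCIPALS = {  # assumption: what this estate treats as "any user"
    r"builtin\users", "everyone", r"nt authority\authenticated users",
    r"nt authority\interactive", "s-1-1-0", "s-1-5-11", "s-1-5-32-545",
}


def parse_icacls(text):
    """Return a list of (path, principal, rights_string) for every ACE in icacls output."""
    entries, path = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ACE_RE.search(line)
        if not m:
            continue  # summary lines such as "Successfully processed ..."
        if not line[0].isspace():  # the first ACE of a directory shares its line with the path
            path = line[:m.start()].rstrip()
        if path is not None:
            entries.append((path, m.group(1), m.group(2)))
    return entries


def rights_tokens(rights):
    """'(OI)(CI)(DE,WDAC)' -> {'OI', 'CI', 'DE', 'WDAC'}"""
    return {tok for grp in re.findall(r"\(([^)]*)\)", rights) for tok in grp.split(",") if tok}


def audit_icacls(text):
    """Map each path to the ACEs that grant write-capable rights to low-privilege principals."""
    findings = defaultdict(list)
    for path, principal, rights in parse_icacls(text):
        if principal.lower() in LOW_PRIV_PRINCIPALS and rights_tokens(rights) & WRITE_RIGHTS:
            findings[path].append((principal, rights))
    return dict(findings)


if __name__ == "__main__":
    # Pass a saved icacls listing as the first argument, or run against the sample.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_ICACLS
    for path, aces in audit_icacls(text).items():
        for principal, rights in aces:
            print(f"WRITABLE BY LOW-PRIV: {path}  {principal}:{rights}")
```

On a real gateway, run icacls against each directory the elevated components use (for example icacls C:\ProgramData\WindowsAdminCenter /T, redirected to a file) and hand the file to the script; every path it prints is one where a standard user could plant or replace a file that a SYSTEM process will later execute or load. The third sample directory, where Users hold only RX, is the shape you want to see.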

Chrome December Security Update Resolves Critical RCE Vulnerabilities

Google has released Chrome 143.0.7499.146/.147 for Windows and Mac and 143.0.7499.146 for Linux to fix flaws that could enable remote code execution. The update includes at least two high-severity fixes, among them CVE-2025-14765, a use-after-free in WebGPU that exposes users to drive-by attacks via malicious web content. Enterprises should accelerate browser patch rollout, enforce automatic updates, and consider tightening policy around WebGPU and other high-risk web APIs, while remaining alert to Chrome zero-days, which remain particularly attractive to sophisticated threat actors.

Read more: https://cybersecuritynews.com/chrome-security-update-dec/

Cisco AsyncOS Zero-Day Exploited via AquaShell Backdoor

Cisco is monitoring active exploitation of an unpatched zero-day vulnerability (CVE-2025-20393) in AsyncOS which powers Cisco Secure Email Gateway and Secure Email and Web Manager appliances. Attackers exploit inadequate input validation to execute system-level commands from afar and deploy “AquaShell,” a Python-based backdoor embedded within AsyncOS web components that listens for unauthenticated HTTP POST requests and executes encoded payloads. With no official patch available yet, organizations must urgently implement Cisco’s hardening recommendations, including configuration alterations, network segmentation of email security devices, stringent access controls, and utilizing detection tools to identify AquaShell indicators of compromise.

Read more: https://cybersecuritynews.com/cisco-asyncos-0-day-vulnerability/

Apache Commons Text RCE via Unsafe Text Interpolation

A severe remote code execution vulnerability in Apache Commons Text (CVE-2025-46295) affects versions earlier than 1.10.0 and stems from the library's string interpolation feature. When an application passes untrusted input through Commons Text's StringSubstitutor interpolation, an attacker can craft strings such as ${script:...}, ${dns:...}, or ${url:...} that invoke the built-in lookups to execute arbitrary code or trigger outbound connections, affecting the wide range of Java applications that use the library for string processing. Organizations should inventory applications that use Commons Text, upgrade to at least 1.10.0 (or 1.14.0 where a vendor recommends it), validate any data that reaches interpolation, and add dependency scanning so vulnerable versions are caught early in the lifecycle.

Read more: https://cybersecuritynews.com/apache-commons-text-vulnerability/

Cyberattack

Android Banking Trojan “Frogblight”

A novel Android banking Trojan named Frogblight is targeting Turkish users by disguising itself as official government and popular applications (including court portals and Chrome) to extract banking credentials and personal data. Victims are enticed via SMS about fictitious court cases that redirect to cloned government websites, from where they download the harmful APK.

Once installed, Frogblight abuses broad permissions (SMS read/write, storage, device information) and renders genuine government pages in an embedded WebView to look authentic. The malware injects JavaScript into the WebView to capture what the user types, forces victims through fake banking login flows, talks to its C2 first over Retrofit/REST and then over WebSockets, and persists through multiple Android services, while evading analysis with emulator checks and geofencing.

Read more: https://cybersecuritynews.com/new-android-malware-frogblight-mimics-as-official-government-websites/

GhostPairing WhatsApp Account Takeover

GhostPairing is an account-takeover campaign that abuses WhatsApp's legitimate linked-device flow and needs neither a stolen password nor a software exploit. Attackers send lures from compromised or spoofed contacts with a "photo" link that leads to a fake Facebook-themed verification page.

When the victim enters a phone number, the backend requests a real WhatsApp pairing code for it and shows the code with instructions to enter it in the genuine app, tricking the user into approving the attacker's browser as a linked device. The result is persistent, invisible access to all chats and media, and compromised accounts are then used to spread the lure further. Mitigation comes down to reviewing linked devices, distrusting unsolicited pairing requests, and enabling WhatsApp's Two-Step Verification.

Read more: https://cybersecuritynews.com/new-ghostpairing-attack-let-attackers-gain-full-access/

Russian GRU Hackers Targeting Network Edge

A Russian state-sponsored entity associated with the GRU’s Sandworm/APT44 cluster is executing a prolonged campaign against Western essential infrastructure by exploiting improperly configured network edge devices rather than concentrating on zero-day exploits. The operators aim at exposed management interfaces on user-managed appliances hosted on cloud platforms like AWS EC2, thereby sustaining persistent interactive access.

Once they seize control of an edge device, they capture passing authentication traffic to extract credentials for cloud consoles, collaboration tools, and source repositories, later replaying them against victim services across the energy, telecom, and managed security sectors. The campaign highlights that poor configuration and monitoring of routers, VPNs, and virtual appliances now rival patchable vulnerabilities as primary initial-access vectors.

Read more: https://cybersecuritynews.com/russian-hackers-attacking-network-edge-devices/


BlindEagle is exploiting internal email trust

The BlindEagle threat actor has initiated a new wave of cyber-espionage targeting Colombian government organizations, this time by infiltrating an internal email account to circumvent SPF, DKIM, and DMARC protections. Leveraging this access, the attackers dispatched phishing emails that appeared as authentic internal alerts regarding a fabricated labor lawsuit, armed with SVG attachments.

Engagement with the SVG guides victims through a convoluted, multi-step infection pathway that employs extensive obfuscation and legitimate online services to obscure payload delivery and C2 communication. By transitioning from external to internal trust exploitation, BlindEagle greatly enhances email deliverability and user engagement rates, posing challenges for organizations that depend exclusively on perimeter email safeguards.

Read more: https://cybersecuritynews.com/blindeagle-hackers-attacking-organization/

Chinese ShadowPad IIS Listener C2 mesh

A Chinese state-aligned collective (tracked as Earth Alux/REF7707) is utilizing a tailored ShadowPad IIS Listener module to convert compromised web servers into a decentralized relay network. The operation initiates with the exploitation of ASP.NET ViewState deserialization and SharePoint vulnerabilities (often via exposed machine keys or unpatched endpoints) to achieve remote code execution and complete system takeover.

The custom IIS module sets up dynamic URL listeners through the HttpAddUrl API, decrypts specifically crafted HTTP requests, and discreetly manages C2 communication, forwarding all other requests to the standard IIS worker, thereby blending into legitimate web traffic. This architecture transforms victim infrastructure into resilient C2 nodes, prioritizing long-term stealth and operational redundancy over disruptive implants or standalone C2 servers.

Read more: https://cybersecuritynews.com/chinese-hackers-using-custom-shadowpad-iis-listener-module/

Data Breach

Jaguar Land Rover Employee Data Breach

Jaguar Land Rover has confirmed that an August cyberattack exposed sensitive information about current and former employees and contractors, including data used for payroll, benefits, and employee programs that may also cover dependents. While JLR has not specified the attack method, the incident halted UK manufacturing for over a month, with costs reported to exceed $890 million and a quarterly loss that widened to £342 million ($442 million).

Regulatory bodies such as the UK ICO have been informed, and JLR is contacting affected individuals and offering a dedicated helpline and complimentary credit and identity monitoring. The company says no customer or vehicle data was compromised; however, experts caution that the exposed employee PII, likely including names, addresses, salaries, and National Insurance numbers, could enable identity theft, targeted fraud, and extortion.

Read more: https://cybersecuritynews.com/jaguar-land-rover-employee-data-stolen/

Pornhub Premium Data Exposed via Mixpanel

ShinyHunters has claimed responsibility for breaching Mixpanel, which exposed a limited array of analytics events linked to Pornhub Premium users rather than Pornhub's core infrastructure. The compromised information seems to involve legacy session and behavioral analytics events from before Pornhub ceased using Mixpanel in 2021, with no passwords, payment data, or government IDs reported as compromised.

Pornhub has initiated an internal investigation, engaged cybersecurity specialists, and advised users to be cautious of phishing, enable MFA, and refrain from engaging with unsolicited communications claiming to be from the platform. Security experts highlight that if claims of extensive exposure of detailed viewing histories are substantiated, the consequences could rival or surpass the 2016 Adult Friend Finder incident, particularly due to the potential for triple extortion and misuse of sensitive data to "poison" AI models.

Read more: https://cybersecuritynews.com/pornhub-breached/

Windows & Linux

MSMQ Patch Disrupts IIS Queues (KB5071546)

Microsoft's December 2025 security update KB5071546 (OS Build 19045.6691) is breaking Message Queuing (MSMQ) on Windows 10 22H2 and Windows Server 2016/2019, particularly in high-load clustered setups. Affected systems see MSMQ queues go inactive and IIS sites fail with "Insufficient resources to perform operation" despite ample RAM and storage.

The cause is tightened NTFS permissions on the MSMQ storage path C:\Windows\System32\msmq\storage, which removed write access for non-administrator MSMQ users and so causes message file creation to fail. Until Microsoft provides a fix, administrators are advised to hold KB5071546 back in MSMQ-heavy environments, or to test it carefully in staging, while watching Microsoft's advisories for updates.

Read more: https://cybersecuritynews.com/message-queuing-functionality-iis-sites/

WSL Update Disrupts Enterprise VPS Access (KB5067036)

The October 28, 2025 non-security update KB5067036 (builds 26200.7019 and 26100.7019 preview) is causing VPS access issues for Windows Subsystem for Linux users who depend on enterprise VPNs in mirrored networking mode. Users encounter "No route to host" errors within WSL, even though connectivity from the Windows host remains established, interrupting access to corporate VPS resources and remote systems.

The underlying issue is linked to third-party VPN virtual interfaces failing to respond to ARP requests, impacting clients like Cisco Secure Client (AnyConnect) and OpenVPN in enterprise environments. Microsoft is currently investigating without a patch ETA yet, and administrators are temporarily circumventing the issue by disabling mirrored networking or switching WSL to bridged networking while testing updates in staging.

Read more: https://cybersecuritynews.com/windows-update-breaks-vps-access/

Global Microsoft Teams Messaging Outage

Microsoft Teams experienced a significant global outage on Friday, leading to widespread messaging delays, undelivered messages, and reduced functionality across numerous regions during business hours. Reports surged around 2:30 PM ET (7:30 PM GMT), with users in the US, Europe, Australia, and Asia facing considerable latency, issues with file sharing, and service instability.

Microsoft confirmed the incident via its official status channels, directing administrators to incident ID TM1200517 in the Microsoft 365 admin center, and indicated that telemetry suggested signs of recovery as root cause analysis continued. The outage aligned with reported impacts on other Microsoft 365 services such as Outlook and OneDrive in certain regions, emphasizing the necessity for robust continuity plans when core collaboration platforms fail.

Read more: https://cybersecuritynews.com/microsoft-teams-down/

Microsoft 365 Baseline Security Mode Rolls Out

Microsoft has begun rolling out Baseline Security Mode across Microsoft 365 tenants, adding a unified dashboard in the M365 Admin Center that applies Microsoft-recommended security settings for Office, SharePoint, Exchange, Teams, and Entra. Announced at Ignite 2025, the opt-in feature lives under Org Settings → Security & Privacy and is expected to reach most tenants worldwide by late January 2026, with government clouds following by March 2026.

Baseline Security Mode consolidates 18–20 policies into three fundamental areas, including 12 authentication measures that deactivate outdated protocols such as basic authentication and EWS while mandating phishing-resistant MFA for administrators via FIDO2 or passkeys. Additional file-protection measures limit hazardous practices like accessing documents over unsecured HTTP/FTP, utilizing ActiveX or DDE, and ensure that vulnerable applications like Publisher remain disabled prior to deprecation, all accompanied by simulation and reporting features so that administrators can evaluate impact prior to enforcement.

Read more: https://cybersecuritynews.com/microsoft-baseline-security-mode/

Others

CISA & NSA Encourage UEFI Secure Boot Audits

CISA and NSA have issued a new Cybersecurity Information Sheet urging organizations to verify and actively manage their UEFI Secure Boot configuration to defend against bootkits such as BlackLotus (CVE-2023-24932) and against the key-handling failures exposed by PKFail and BootHole. The guidance stresses that misconfigured keys, leftover test certificates, or a Secure Boot that is silently disabled or left in setup mode can let attackers bypass boot-time verification and install stealthy firmware-level malware.

Administrators are advised to confirm that Secure Boot is actually enforced (for example with Confirm-SecureBootUEFI on Windows or mokutil --sb-state on Linux), export the PK, KEK, db and dbx variables, and compare them against a known-good baseline using the NSA-published tooling. The recommended end state is a vendor-issued PK and KEK, the Microsoft 2011 and 2023 CAs in db, and a dbx that holds only revocation hashes rather than test keys or permissive entries, with remediation via firmware resets, capsule updates, and closer scrutiny of the hardware supply chain.

Read more: https://cybersecuritynews.com/cisa-guidance-uefi-secure-boot/
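To make the export-and-compare step concrete, here is an added example (not CISA's, NSA's, or the article's tooling) that parses the EFI_SIGNATURE_LIST structures efivarfs exposes for db and dbx, checks the SecureBoot/SetupMode flags, and flags entries that deviate from the recommended state. The variable blobs, certificate bytes, owner GUID and known-good fingerprint set are constructed; on a real Linux host the inputs would be the files under /sys/firmware/efi/efivars/.

```python
"""Parse and audit UEFI Secure Boot signature databases (db/dbx) and the SecureBoot/SetupMode flags.

Added example, not from CISA, NSA or the article. It understands the EFI_SIGNATURE_LIST
layout as efivarfs exposes it (4 attribute bytes, then one or more lists). The variable
contents, the certificate bytes and the "known-good" fingerprint set are all constructed.
"""
import hashlib
import struct
import uuid

EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFIVARS_ATTR_LEN = 4                     # efivarfs prefixes every variable with 4 attribute bytes
SIGLIST_HDR = struct.Struct("<16sIII")   # SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize


def build_siglist(sig_type, owner, entries):
    """Constructed helper that emits one EFI_SIGNATURE_LIST (all entries must share a size)."""
    sig_size = 16 + len(entries[0])
    body = b"".join(owner.bytes_le + e for e in entries)
    return SIGLIST_HDR.pack(sig_type.bytes_le, SIGLIST_HDR.size + len(body), 0, sig_size) + body


def parse_siglists(blob):
    """Return [(sig_type, owner, data)] for every signature in a concatenation of lists."""
    out, off = [], 0
    while off < len(blob):
        if len(blob) - off < SIGLIST_HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        type_raw, list_size, hdr_size, sig_size = SIGLIST_HDR.unpack_from(blob, off)
        end = off + list_size
        if list_size < SIGLIST_HDR.size or end > len(blob) or sig_size <= 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        sig_type = uuid.UUID(bytes_le=type_raw)
        pos = off + SIGLIST_HDR.size + hdr_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            out.append((sig_type, owner, blob[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return out


def efivar_payload(raw):
    """Strip the efivarfs attribute prefix from a raw variable file."""
    return raw[EFIVARS_ATTR_LEN:]


def secure_boot_enforced(secureboot_raw, setupmode_raw):
    """Enforced only when SecureBoot == 1 and SetupMode == 0 (what mokutil/Confirm-SecureBootUEFI report)."""
    return efivar_payload(secureboot_raw)[:1] == b"\x01" and efivar_payload(setupmode_raw)[:1] == b"\x00"


def audit_dbx(entries):
    """The guidance expects only revocation hashes in dbx; flag anything else for review."""
    return [(i, str(t)) for i, (t, _o, _d) in enumerate(entries) if t != EFI_CERT_SHA256_GUID]


def audit_db(entries, known_good_fingerprints):
    """Flag certificates outside the operator's golden set and any unexpected signature type."""
    findings = []
    for i, (sig_type, owner, data) in enumerate(entries):
        if sig_type == EFI_CERT_X509_GUID:
            fp = hashlib.sha256(data).hexdigest()
            if fp not in known_good_fingerprints:
                findings.append((i, "unexpected-cert", f"owner={owner} sha256={fp}"))
        elif sig_type != EFI_CERT_SHA256_GUID:
            findings.append((i, "unknown-signature-type", str(sig_type)))
    return findings


# ---- Constructed sample data (not real firmware variables or certificates) ----
OEM_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")   # placeholder owner GUID
GOLDEN_CERT_DER = b"\x30\x82\x05\xa0" + b"G" * 60   # stands in for a CA you expect in db
TEST_CERT_DER = b"\x30\x82\x03\x10" + b"T" * 40     # stands in for a leftover test cert
KNOWN_GOOD = {hashlib.sha256(GOLDEN_CERT_DER).hexdigest()}

SAMPLE_DB = b"\x27\x00\x00\x00" + (                  # 0x27 = NV | BS | RT | TIME_BASED_AUTH
    build_siglist(EFI_CERT_X509_GUID, OEM_OWNER, [GOLDEN_CERT_DER])
    + build_siglist(EFI_CERT_X509_GUID, OEM_OWNER, [TEST_CERT_DER])
)
SAMPLE_DBX = b"\x27\x00\x00\x00" + (
    build_siglist(EFI_CERT_SHA256_GUID, OEM_OWNER,
                  [hashlib.sha256(b"revoked-bootloader-1").digest(),
                   hashlib.sha256(b"revoked-bootloader-2").digest()])
    + build_siglist(EFI_CERT_X509_GUID, OEM_OWNER, [TEST_CERT_DER])   # a cert in dbx: review
)
SAMPLE_SECUREBOOT = b"\x06\x00\x00\x00\x01"          # 0x06 = BS | RT, value 1
SAMPLE_SETUPMODE = b"\x06\x00\x00\x00\x00"

if __name__ == "__main__":
    print("enforced:", secure_boot_enforced(SAMPLE_SECUREBOOT, SAMPLE_SETUPMODE))
    print("db findings:", audit_db(parse_siglists(efivar_payload(SAMPLE_DB)), KNOWN_GOOD))
    print("dbx findings:", audit_dbx(parse_siglists(efivar_payload(SAMPLE_DBX))))
```

On a real host the db and dbx files are db-d719b2cb-3d3a-4596-a3bc-dad00e67656f and dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f under efivarfs, and SecureBoot/SetupMode carry the global variable GUID 8be4df61-93ca-11d2-aa0d-00e098032b8c; populate KNOWN_GOOD from the SHA-256 of the DER certificates your golden image is supposed to carry (the Microsoft 2011 and 2023 CAs plus whatever the OEM legitimately adds), and anything else the audit prints is a candidate for the firmware reset or capsule update the guidance describes.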

Let’s Encrypt’s “Generation Y” Roots & 45-Day Certificates

Let's Encrypt has unveiled a new "Generation Y" root hierarchy, alongside a multi-year plan to shorten certificate lifetimes and drop TLS client authentication from its public issuance profiles. The new hierarchy introduces two root CAs and six intermediates cross-signed by the current X1 and X2 roots, preserving broad trust while removing the TLS Client Authentication EKU in line with upcoming browser and root-program requirements.

Rollout is profile-driven: subscribers on the classic profile move to Generation Y by May 13, 2026, while the tlsserver and short-lived profiles switch to Gen Y earlier and gain short-lived certificates with IP address support. Let's Encrypt plans an opt-in 45-day validity for early adopters in 2026, with default lifetimes falling to 64 days in 2027 and 45 days in 2028 to shrink the window of exposure after key compromise and to align with CA/Browser Forum Baseline Requirements.

Read more: https://cybersecuritynews.com/lets-encrypt-unveils-new-generation-y-root/

Amazon Captures North Korean IT Intruder through Keystroke Delay

Amazon recently detected a North Korean operative posing as a U.S.-based systems administrator for a contractor after its security tooling flagged a small but consistent lag in keystroke transmission. Commands that should have crossed the network in under 100 milliseconds consistently arrived after more than 110, indicating that the laptop, physically in Arizona, was being driven remotely from abroad.

Further analysis linked the activity to the broader DPRK "remote IT worker" operations, which use false identities, templated resumes, and U.S.-based proxies ("laptop farms") to evade sanctions and channel income into weapons programs. Amazon's CSO said that since April 2024 the company has blocked more than 1,800 suspected North Korean job attempts, with such attempts growing about 27% quarter over quarter, underscoring the need for stronger vetting and telemetry-based location checks that go beyond IP address validation.

Read more: https://cybersecuritynews.com/amazon-catches-north-korean-it-worker/
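An added example (not Amazon's detection logic) of what such a telemetry-based location check can look like: per-session command round-trip times are compared both against the physical minimum for the claimed location and against the historical latency floor for that site, since a remote-control hop adds a fixed delay to every command rather than occasional jitter. The coordinates, latency samples, propagation constants and the threshold are constructed assumptions.

```python
"""Keystroke-latency plausibility check for remote workers who claim a fixed location.

Added example, not Amazon's detection logic. Each interactive session is a series of
command round-trip times (ms). Two questions are asked: could the fastest commands have
come from the claimed location at all, and is the session's latency floor consistently
higher than the historical floor for that site (the signature of a laptop being driven
through a remote-control hop)? Coordinates, samples and thresholds are constructed.
"""
import math

EARTH_RADIUS_KM = 6371.0
SPEED_OF_LIGHT_KM_S = 299_792.0
FIBER_VELOCITY_FACTOR = 0.67   # assumption: signal speed in fibre is roughly 2/3 c
ROUTE_INFLATION = 1.5          # assumption: real paths run ~1.5x the great-circle distance
EXCESS_FLOOR_THRESHOLD_MS = 8  # assumption: tolerated upward shift of the latency floor


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def physical_rtt_floor_ms(distance_km):
    """Lowest round trip physics allows over that distance under the model above."""
    one_way_s = distance_km * ROUTE_INFLATION / (SPEED_OF_LIGHT_KM_S * FIBER_VELOCITY_FACTOR)
    return 2 * one_way_s * 1000


def p10(samples):
    """10th percentile by nearest rank: the floor is the signal, jitter only lifts the median."""
    s = sorted(samples)
    return s[int(0.1 * (len(s) - 1))]


def assess_session(session_ms, baseline_ms, claimed_loc, service_loc):
    """Verdict for one session against the claimed location and that site's historical floor."""
    floor = physical_rtt_floor_ms(haversine_km(*claimed_loc, *service_loc))
    session_floor, baseline_floor = p10(session_ms), p10(baseline_ms)
    if session_floor < floor:
        verdict = "impossible-location"      # faster than light allows from where they claim to be
    elif session_floor - baseline_floor > EXCESS_FLOOR_THRESHOLD_MS:
        verdict = "extra-hop-suspected"      # every command pays an added fixed delay
    else:
        verdict = "consistent"
    return {"verdict": verdict, "physical_floor_ms": round(floor, 1),
            "session_p10_ms": session_floor, "baseline_p10_ms": baseline_floor}


# Constructed data: a claimed location in Phoenix, AZ, a service endpoint in Northern
# Virginia, historical RTTs for that site, and two sessions to classify.
PHOENIX = (33.45, -112.07)
N_VIRGINIA = (38.95, -77.45)
BASELINE_MS = [84, 86, 88, 89, 90, 91, 93, 95, 97, 99]
SESSION_OK_MS = [85, 87, 87, 90, 92, 94, 95, 96, 98, 100]
SESSION_SUSPECT_MS = [108, 110, 112, 113, 115, 116, 118, 119, 121, 124]

if __name__ == "__main__":
    for name, s in (("ok", SESSION_OK_MS), ("suspect", SESSION_SUSPECT_MS)):
        print(name, assess_session(s, BASELINE_MS, PHOENIX, N_VIRGINIA))
```

The check deliberately compares low percentiles rather than means: a congested home link raises the median and the tail, but it cannot raise the fastest commands by a constant amount, whereas an extra network leg does exactly that. A reported location that the physics floor rules out is the mirror image of the same reasoning.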
