All news with #disclosure tag

Mozilla Ends Partnership with Onerep After Investigation

🛡️ Mozilla announced it will end its partnership with Onerep and discontinue Monitor Plus on Dec. 17, 2025. Current subscribers will retain access through the wind-down period and receive prorated refunds for any unused portion of their subscriptions. Mozilla said it will continue to offer its free Monitor breach service integrated with Firefox’s credential manager and is focusing on integrating more privacy and security features, including its VPN. The company cited high vendor standards and the realities of the data broker ecosystem as reasons for ending the collaboration after reporting revealed Onerep’s founder maintained ties to other people-search services.

Google Says Chinese Group Sells Phishing 'Lighthouse' Kits

🔍 Google filed a court complaint alleging a "cybercriminal group in China" sold branded "Lighthouse" phishing kits that let unsophisticated fraudsters run large-scale SMS and e-commerce scams. The kits bundle hundreds of fake-website templates, domain setup tools, and subscription licenses offered weekly, monthly, seasonal, annual, or permanent. Campaigns often begin with texts about overdue tolls or package redelivery and sometimes appear as ads (including ads that persisted until Google suspended accounts). Victims who click are redirected to fraudulent sites that solicit passwords, credit card numbers, or payments purportedly accepted via wallets such as Google Pay.

Festo MSE6 Devices: Hidden Test-Mode Vulnerability

⚠️ Festo disclosed a hidden test‑mode vulnerability in the MSE6 product family that could be abused by a remote, authenticated low‑privileged attacker. The issue, tracked as CVE-2023-3634, carries a CVSS v3.1 score of 8.8 and may permit complete loss of confidentiality, integrity, and availability. Festo plans documentation updates in the next product release; CISA recommends isolating devices, minimizing network exposure, and using firewalls and secured VPNs as mitigations.

Legal Limits on Vulnerability Disclosure and Research Rights

🔒 Kendra Albert's USENIX talk, highlighted by Bruce Schneier, argues that modern managed bug bounty programs often impose contractual confidentiality that prevents researchers from publicly sharing vulnerabilities. These restrictions can flip the original bargain of coordinated vulnerability disclosure, silencing researchers while allowing vendors to delay or avoid fixes. Schneier urges platforms and companies to prohibit mandatory non‑disclosure terms and restore the balance between researcher reporting and vendor remediation.

Checkout.com Apologizes After Breach, Donates Ransom

🔒 Checkout.com publicly disclosed a breach after the ShinyHunters group accessed data from a legacy third‑party cloud storage system used prior to 2020, and issued an apology taking responsibility for the error. The company said fewer than 25% of current merchants were affected, confirmed no payment card data was taken, and refused the ransom demand. Instead of paying, it donated the ransom amount to Carnegie Mellon University and the University of Oxford Security Center to support research into cybercrime.

DoorDash Email Spoofing Bug and Disclosure Dispute

✉️ A vulnerability in DoorDash's DoorDash for Business platform allowed an attacker to create a free account, add an 'Employee' entry containing arbitrary HTML in a budget name field, and send emails that appeared to originate from no-reply@doordash.com using official templates. The researcher known as doublezero7 supplied a proof-of-concept showing stored HTML rendered in outgoing messages, enabling persuasive phishing. DoorDash patched the flaw after public pressure, and a dispute over disclosure and alleged extortion followed.

Android Memory Bugs Drop as Google Expands Rust Use

🛡️ Google reports that adopting Rust across Android has reduced memory-safety vulnerabilities to under 20% for the first time and claims a 1000x lower vulnerability density versus legacy C and C++ code. The company says Rust changes have a 4x lower rollback rate, require about 20% fewer revisions, and cut code review time by roughly 25%, improving overall delivery speed. Google plans to extend Rust to kernel, firmware and critical first-party apps while maintaining layered defenses.

IndonesianFoods Worm Floods npm with 100,000 Packages

🪲 A self-replicating campaign named IndonesianFoods is spamming the npm registry by creating new packages roughly every seven seconds, with Sonatype reporting more than 100,000 published components. The packages use random Indonesian names and food terms and currently contain no known data-stealing payloads, but researchers warn a future update could introduce malware. Some packages appear to exploit the TEA Protocol to inflate contribution scores and earn tokens, pointing to a financial motive. Developers are urged to lock dependencies, monitor unusual publishing patterns, and enforce strict signature validation.

AVEVA Edge cryptographic weakness enables password recovery

🔒 AVEVA has released advisory ICSA-25-317-03 addressing a cryptographic weakness in AVEVA Edge (formerly InduSoft Web Studio) that could allow a local actor with read access to project or offline cache files to brute-force user or Active Directory passwords. The issue is tracked as CVE-2025-9317 and carries a CVSS v4 base score of 8.3. AVEVA provides a 2023 R2 P01 Security Update and recommends project migration, password resets, and tightened file access controls. This vulnerability is not remotely exploitable according to CISA.

65% of Top Private AI Firms Exposed Secrets on GitHub

🔒 A Wiz analysis of 50 private companies from the Forbes AI 50 found that 65% had exposed verified secrets such as API keys, tokens and credentials across GitHub and related repositories. Researchers employed a Depth, Perimeter and Coverage approach to examine commit histories, deleted forks, gists and contributors' personal repos, revealing secrets standard scanners often miss. Affected firms are collectively valued at over $400bn.

Ludwigshafen City Administration Faces Extended IT Outage

🚨 Ludwigshafen's city administration shut down its IT systems on 6 November after monitoring tools flagged serious anomalies, leaving online services and phone and email communications unavailable. A specialist internet-forensics firm was engaged overnight and reported a cyberattack could not be ruled out; officials say indicators have since intensified. There is currently no evidence of citizen data exfiltration, and backups and emergency plans operated as intended while investigations continue.

New hardware attack (TEE.fail) breaks modern secure enclaves

🔒 A new low-cost hardware-assisted attack called TEE.fail undermines current trusted execution environments from major chipmakers. The method inserts a tiny device between a memory module and the motherboard and requires a compromised OS kernel to extract secrets, defeating protections in Confidential Compute, SEV-SNP, and TDX/SDX. The attack completes in roughly three minutes and works against DDR5 memory, meaning the physical-access threats TEEs are designed to defend against are no longer reliably mitigated.

DOJ Indicts 31 in High-Tech Rigging of Poker Games

🃏 The Department of Justice has indicted 31 people for using altered shuffling machines and other covert devices to rig high-stakes poker games. The modified shuffling machines read every card and relayed which player would win to off-site conspirators, who then communicated via cellphone to a table “Quarterback” who signaled accomplices. Victims lost tens to hundreds of thousands of dollars, and conspirators also used a chip-tray analyzer, an x-ray table, and special contact lenses or eyeglasses to read cards.

Microsoft Teams Vulnerabilities Expose Trust Abuse Today

🔒 Check Point Research identified multiple vulnerabilities in Microsoft Teams that could let attackers impersonate executives, manipulate message content, and spoof in-app notifications. The flaws exploit trust mechanisms built into real-time collaboration features used by more than 320 million monthly active users, turning expectations of authenticity into an attack vector. Researchers emphasize that trust alone isn’t a security strategy and urge rapid remediation by vendors and mitigations by organizations. Administrators should prioritize updates, review messaging policies, and increase user awareness to reduce exposure.

Radiometrics VizAir: Critical Authentication Flaws

⚠️ CISA warns that Radiometrics VizAir systems (versions prior to 08/2025) contain multiple critical vulnerabilities — including missing authentication for admin functions and an exposed REST API key — assigned CVE-2025-61945, CVE-2025-54863, and CVE-2025-61956 and rated CVSS v4 10.0. Remote attackers could alter weather parameters, disable alerts, manipulate runway settings, and extract sensitive meteorological data, potentially disrupting airport operations. Radiometrics has deployed updates to affected systems; CISA recommends minimizing network exposure, isolating control networks, and using secure remote access methods.

Google AI 'Big Sleep' Finds Five WebKit Flaws in Safari

🔒 Google’s AI agent Big Sleep reported five vulnerabilities in Apple’s WebKit used by Safari, including a buffer overflow, two memory-corruption issues, an unspecified crash flaw, and a use-after-free (CVE-2025-43429 through CVE-2025-43434). Apple issued patches across iOS 26.1, iPadOS 26.1, macOS Tahoe 26.1, tvOS 26.1, watchOS 26.1, visionOS 26.1 and Safari 26.1. Users are advised to install the updates promptly to mitigate crash and memory-corruption risks.

GDI Vulnerabilities in Windows Enable RCE and Data Leak

🔒 Microsoft has issued updates to address three previously unknown flaws in the Windows Graphics Device Interface (GDI) that could permit remote code execution and information disclosure. The issues, rooted in malformed EMF/EMF+ records, cause out-of-bounds memory access in GdiPlus.dll and gdi32full.dll during image rendering, thumbnailing and print initialization. Patches were released across the May, July and August 2025 Patch Tuesdays (KB5058411, KB5062553, KB5063878); administrators should apply updates promptly and avoid opening untrusted EMF files.

HttpTroy Backdoor Poses as VPN Invoice in Kimsuky Attack

🔒 Security researchers at Gen Digital disclosed a targeted Kimsuky campaign that delivered a previously undocumented backdoor called HttpTroy, hidden inside a ZIP attachment masquerading as a VPN invoice. The multi-stage chain used a Golang dropper, a loader dubbed MemLoad and a DLL backdoor executed via a scheduled task named "AhnlabUpdate" to achieve persistence. HttpTroy provides extensive remote-control capabilities and communicates with a C2 server over HTTP, while employing layered obfuscation to hinder analysis and detection.

OpenAI Aardvark: GPT-5 Agent to Find and Fix Code Bugs

🛡️ OpenAI has introduced Aardvark, a GPT-5-powered autonomous agent designed to scan, reason about, and patch code with the judgment of a human security researcher. Announced in private beta, Aardvark maps repositories, builds contextual threat models, continuously monitors commits, and validates exploitability in sandboxed environments before reporting findings. When vulnerabilities are confirmed, it proposes fixes via Codex and re-analyzes patches to avoid regressions. OpenAI reports a 92% detection rate in benchmark tests and has already identified real-world flaws in open-source projects, including ten issues assigned CVE identifiers.

Russian Ransomware Gangs Adopt Open-Source AdaptixC2

🔒 AdaptixC2, an open-source command-and-control framework, has been adopted by multiple threat actors, including groups tied to Russian ransomware operations, prompting warnings about its dual-use nature. The tool offers encrypted communications, credential and screenshot managers, remote terminal capabilities, a Golang server, and a cross-platform C++ QT GUI client. Security firms Palo Alto Networks Unit 42 and Silent Push have analyzed its modular capabilities and traced marketing activity to a developer using the handle RalfHacker. Observed abuse includes fake Microsoft Teams help-desk scams and an AI-generated PowerShell loader used to deliver post-exploitation payloads.