All news with #disclosure tag

Smashing Security 437: ForcedLeak in Salesforce AgentForce

🔐 Researchers uncovered a security flaw in Salesforce’s new AgentForce platform called ForcedLeak, which let attackers smuggle AI-readable instructions through a Web-to-Lead form and exfiltrate data for as little as five dollars. The hosts discuss the broader implications for AI integration, input validation, and the surprising ease of exploiting customer-facing forms. Episode 437 also critiques typical breach communications and covers ITV’s phone‑hacking drama and the Rosetta Stone story, with Graham Cluley joined by Paul Ducklin.

WireTap Attack Extracts Intel SGX ECDSA Key via DDR4

🔬 Researchers from Georgia Institute of Technology and Purdue University describe WireTap, a physical memory-bus interposer attack that passively inspects DDR4 traffic to recover secrets from Intel SGX enclaves. By exploiting deterministic memory encryption, the team built an oracle enabling a full key-recovery of an SGX ECDSA attestation key from the Quoting Enclave. The prototype uses inexpensive, off-the-shelf equipment (roughly $1,000) and can be introduced via supply-chain compromise or local physical access. Intel says the scenario requires physical access and falls outside its memory-encryption threat model.

OneLogin API Bug Exposed OIDC Client Secrets in 2025

🔒Clutch Security disclosed a high-severity flaw in the One Identity OneLogin IAM platform that could leak OpenID Connect (OIDC) application client_secret values when queried with valid API credentials. The issue, tracked as CVE-2025-59363 with a CVSS score of 7.7, stemmed from the /api/2/apps endpoint returning secrets alongside app metadata. OneLogin remedied the behavior in OneLogin 2025.3.0 after responsible disclosure; administrators should apply the update, rotate exposed API and OIDC credentials, tighten RBAC scopes, and enable network-level protections such as IP allowlisting where available.

Critical WD My Cloud Bug Allows Remote Command Injection

🔒 Western Digital issued firmware 5.31.108 to fix a critical OS command injection (CVE-2025-30247) in the My Cloud web UI that allows remote execution via crafted HTTP POST requests. The update addresses multiple consumer and small-business NAS models, though My Cloud DL2100 and DL4100 have reached end of support and may not receive fixes. WD urges immediate patching; affected owners should apply the firmware or disconnect devices from the internet until updated.

Asahi Suspends Japan Operations After Cyber Attack

🔒 Asahi has halted order, shipment and call center operations across its Japanese group companies after reporting a system failure caused by a cyber-attack in a September 29 press release. The company said the outage is confined to Japan, offered no estimated recovery timeline and apologized to customers and business partners. It also stated there has been no confirmed leakage of personal or customer data at this time, while security experts caution that positions on compromised data may change as investigations continue.

Datzbro Android Trojan Targets Seniors for DTO Fraud

🛡️ThreatFabric disclosed a newly observed Android banking trojan named Datzbro that targets elderly users via Facebook groups promoting senior activities. Attackers lure victims to install purported community apps (Android APKs and placeholder iOS TestFlight links) via Messenger or WhatsApp; payloads either install Datzbro directly or use a Zombinder dropper to bypass Android 13+ protections. Datzbro abuses Android Accessibility services to perform device takeover, overlay attacks, keylogging and remote control, enabling credential theft and fraudulent transactions. The malware is tied to a Chinese-language desktop C2 and contains Chinese debug strings, suggesting origin and potential wider distribution.

New Supermicro BMC Flaws Enable Persistent Backdoors

🔐 Researchers from Binarly disclosed multiple firmware vulnerabilities in Supermicro Baseboard Management Controllers (BMCs) that allow attackers to load unofficial images and install persistent backdoors. A bypass for a previously patched issue (CVE-2024-10237) and a new flaw (CVE-2025-6198) let adversaries manipulate signed regions so digests and signatures still validate. A related confirmed issue is tracked as CVE-2025-7937. Supermicro has released firmware updates; administrators must identify affected models and apply fixes promptly.

Boyd Gaming Reports Cyber Incident Exposing Employee Data

🔒 Boyd Gaming Corporation disclosed a cybersecurity incident in an SEC 8-K filing, saying an unauthorized third party accessed its internal IT systems and removed certain data. The company said the breach involved employee information and a limited number of other individuals, though it did not specify the data types or number affected. Boyd said operations were not impacted and it is working with cybersecurity experts and federal law enforcement while notifying regulators.

Boyd Gaming Reports Data Breach After Cyberattack, SEC Filing

🔒 Boyd Gaming Corporation disclosed it suffered a cyberattack that resulted in unauthorized access to its IT systems and the removal of certain data, including employee information and data for a limited number of other individuals. The company said it engaged external cybersecurity experts and notified law enforcement, and that it is notifying impacted individuals and regulators as required. Boyd Gaming reported operations were not affected, does not expect a material adverse financial impact, and expects its cybersecurity insurance to cover related costs.

Mitsubishi MELSEC-Q CPU Module Denial-of-Service Risk

⚠️ CISA advises that a denial-of-service vulnerability (CVE-2025-8531) affects Mitsubishi Electric MELSEC-Q Series CPU modules when the user authentication function is enabled, due to improper handling of a length parameter (CWE-130). The issue has a CVSS v3.1 base score of 6.8 (AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H) and is exploitable remotely but characterized by high attack complexity. Mitsubishi has identified fixed units with serial ranges beginning '27082' or later and recommends migrating to the successor MELSEC iQ-R Series where updates are unavailable; organizations should apply network-access restrictions and defense-in-depth mitigations.

AAPB Fixes IDOR Bug That Exposed Restricted Media Files

🔒 A vulnerability in the American Archive of Public Broadcasting allowed protected and private media to be downloaded for years by abusing an IDOR flaw. A simple Tampermonkey script could alter media ID parameters in background fetch/XHR calls and bypass access controls, returning content instead of a '403 Forbidden'. The issue was reported to AAPB, confirmed by a spokesperson, and patched within 48 hours, but the full scope of prior access remains unknown.

EDR-Freeze: WER-based Tool Suspends Windows Security

🔒 A new proof-of-concept named EDR-Freeze shows that Windows Error Reporting can be abused from user mode to suspend antivirus and EDR processes. The method leverages WerFaultSecure and the MiniDumpWriteDump API so the dumper pauses a target process and then the dumper itself is frozen, leaving the security agent inoperative without a kernel driver. Researcher TwoSevenOneThree validated the technique on Windows 11 24H2, describing it as a design weakness rather than a classic vulnerability, and defenders can monitor WER invocations or harden reporting components to mitigate the risk.

Leaked Documents Reveal Business of Chinese Surveillance

🔍 Leaked documents reveal how Chinese companies build and sell censorship, surveillance, and propaganda systems, showing that firms such as Geedge work with universities, tailor offerings to different government clients, and even reuse competitors’ infrastructure. The account draws clear parallels with Western vendors that began as academic projects and commercialized via government contracts. These disclosures complicate the image of a purely top-down Great Firewall, highlighting corporate incentives and market dynamics behind tools of control.

FBI Warns of Threat Actors Spoofing IC3 Reporting Website

⚠️ The FBI has issued a public service announcement warning that threat actors are creating spoofed versions of the IC3 cybercrime reporting site to steal personally identifiable information and facilitate fraud. The agency advises typing www.ic3.gov directly, avoiding sponsored search results and mismatched URLs, and never paying anyone claiming to be IC3 staff. Victims should report impersonation attempts to the legitimate IC3 portal and provide full details.

New Phoenix Rowhammer Bypass Elevates DDR5 Privilege Risk

⚠ The new Phoenix Rowhammer technique reverse-engineers TRR in SK Hynix DDR5 DIMMs to induce controlled bit flips previously believed mitigated. Researchers from ETH Zurich and Google report Phoenix reliably triggers flips across all 15 tested modules, enabling practical exploits such as forged Page Table Entries, RSA-2048 key leakage from co-located VMs, and a sudo-based root escalation. The issue is tracked as CVE-2025-6202.

Smashing Security 435: Casting Lures and School Hacks

🎭 In episode 435 of Smashing Security, host Graham Cluley and guest Jenny Radcliffe discuss a sophisticated phishing campaign that used fake casting calls to lure Israeli performers, illustrating how flattering, opportunity-based lures can be as persuasive as fear-based tactics. They also cover Check Point’s findings on Iran-linked activity, the UK ICO’s warning about students hacking schools, and lighter cultural items including Endeavour and a local “Catman” story. The episode blends practical security analysis with humour and sponsored segments.

Vulnerabilities Found in Securam Prologic Electronic Safes

🔓 Two security researchers, Omo and Rowley, disclosed critical vulnerabilities in Securam Prologic electronic safe locks that can be abused to open many devices without specialized tools. One flaw exploits a legitimate locksmith unlock feature and, according to the researchers, can expose codes remotely or with trivial access. The pair delayed public disclosure after receiving legal threats from Securam and only proceeded after securing pro bono counsel from the EFF’s Coders’ Rights Project. Securam says it will update its locks by year’s end but will not patch units already sold.

Fifteen Ransomware Groups Announce Retirement Plans

🔒 Fifteen prominent ransomware groups, including Scattered Spider, ShinyHunters and Lapsus$, posted a collective statement on BreachForums announcing they are ceasing operations and entering a period of “silence.” The announcement framed their activity as exposing systemic vulnerabilities rather than pure extortion and said some members intend to retire on accumulated funds while others will continue studying systems quietly. Analysts and threat intelligence experts cautioned this could be a temporary PR move, noting past groups have rebranded or spawned successors rather than vanishing permanently.

HybridPetya: Petya/NotPetya Copycat Adds UEFI Bypass Threat

🔒 ESET researchers have identified a new ransomware strain named HybridPetya that mimics the Petya/NotPetya family while adding UEFI-targeting capabilities. The malware weaponizes CVE-2024-7344 to bypass UEFI Secure Boot on unpatched systems, enabling persistent bootkit-style compromise. HybridPetya is not currently observed spreading in the wild but represents at least the fourth known bootkit with Secure Boot bypass functionality.

HybridPetya Bootkit Bypasses Secure Boot to Encrypt MFT

🔒 Researchers at ESET have identified HybridPetya, a bootkit-style ransomware that mimics Petya/NotPetya by targeting the NTFS Master File Table (MFT). Unlike destructive predecessors, HybridPetya functions as true ransomware and can reconstruct victim decryption keys from an installation key, with an analyzed sample demanding €850 in Bitcoin. The threat bypasses UEFI Secure Boot by exploiting CVE-2024-7344 in a Microsoft-signed EFI component to load an unsigned cloak.dat, replace the Windows bootloader, crash the system to force a reboot, and run prior to OS startup to encrypt the disk with Salsa20 while displaying a fake CHKDSK message.