All news with #disclosure tag

Fraudulent Account Created in Google's LERS Portal

🔒 Google has confirmed that a fraudulent account was created in its Law Enforcement Request System (LERS) and has been disabled. The company says no requests were made and no data was accessed. The claim was posted by a group calling itself Scattered Lapsus$ Hunters, which also alleged access to the FBI's eCheck system; the FBI declined to comment. The group has a history of high-profile Salesforce-related thefts and has publicly taunted law enforcement and security researchers.

Google: Fraudulent Account Created in Law Enforcement Portal

🔒 Google confirmed that a fraudulent account was created in its Law Enforcement Request System (LERS) portal and has been disabled. The company said no requests were made with the account and no data was accessed. The claim follows posts by a group calling itself "Scattered Lapsus$ Hunters", which also asserted access to the FBI's eCheck system. The actors have previously targeted Salesforce-related infrastructure and taunted security teams.

Supporting Rowhammer Research to Strengthen DDR5 Mitigations

🔬 Google funded and collaborated on open-source DDR5 Rowhammer test platforms and academic research to evaluate current in-DRAM mitigations. Working with Antmicro and ETH Zurich, the team produced FPGA-based RDIMM and SO‑DIMM testers and used them to discover the Phoenix attack family, which includes a self-correcting refresh synchronization technique that can bypass enhanced TRR on some DDR5 modules. Google also led JEDEC standardization work on PRAC to enable deterministic row-activation counting and continues to share tools and findings to improve defenses.

HybridPetya Resembles NotPetya and Adds UEFI Bootkit

🔒 ESET Research identified HybridPetya on VirusTotal in February 2025, with filenames implying a connection to the destructive NotPetya outbreak. The strain encrypts the NTFS Master File Table using Salsa20 and deploys a UEFI bootkit on the EFI System Partition to ensure firmware‑level persistence. One variant exploits CVE-2024-7344 to bypass UEFI Secure Boot via a signed but vulnerable Microsoft component, yet retains a working decryption mechanism for victims. Analysts found no signs of self-propagation like NotPetya, but the combination of pre-boot compromise and MFT encryption raises significant concern.

OIG: CISA Wasted Millions and Mismanaged Incentives

🔍 The DHS Office of Inspector General (OIG) audit found that CISA misused federal funds and undermined its mission by broadly administering the Cyber Incentive program. The review identified 240 recipients in non-cyber support roles, poor record-keeping in OCHCO, and $1.4m in undocumented back pay among more than $138m disbursed since 2020. Payments typically ranged from $21,000 to $25,000 annually per person, more than 40% of staff received incentives, and the OIG issued eight recommendations to tighten eligibility, tracking, governance and recovery procedures; CISA has concurred with all recommendations.

HybridPetya: Petya-like Ransomware Targets UEFI Secure Boot

🛡️ ESET researchers identified HybridPetya in late July 2025 after suspicious samples were uploaded to VirusTotal. The malware resembles Petya/NotPetya and encrypts the NTFS Master File Table (MFT), while also capable of installing a malicious EFI application on the EFI System Partition to persist on UEFI systems. One analyzed variant exploits CVE-2024-7344 using a crafted cloak.dat to bypass UEFI Secure Boot on outdated systems. ESET telemetry shows no evidence of active, widespread deployments.

Cursor Code Editor Flaw Enables Silent Code Execution

⚠ Cursor, an AI-powered fork of Visual Studio Code, ships with Workspace Trust disabled by default, enabling VS Code-style tasks configured with runOptions.runOn: 'folderOpen' to auto-execute when a folder is opened. Oasis Security showed a malicious .vscode/tasks.json can convert a casual repository browse into silent arbitrary code execution with the user's privileges. Users should enable Workspace Trust, audit untrusted projects, or open suspicious repos in other editors to mitigate risk.

VMScape: Spectre-like VM-to-host data leak on CPUs

🔓 Researchers at ETH Zurich disclosed VMScape, a Spectre-like speculative-execution attack that lets a malicious VM extract secrets from an unmodified QEMU hypervisor running on many modern AMD and some Intel CPUs. The exploit abuses shared branch-prediction structures and a FLUSH+RELOAD side channel to induce speculative disclosure. It works without host compromise and bypasses default mitigations; vendors and Linux developers released advisories and kernel patches to mitigate the issue.

Siemens Apogee PXC/Talon TC Sensitive Data Exposure

🔒 Siemens reported a vulnerability in Apogee PXC and Talon TC devices that allows unauthorized actors to download device database files via BACnet. Affected devices permit unauthenticated access to encrypted .db files that can contain passwords; the issue is tracked as CVE-2025-40757 with a CVSS v4 base score of 6.3. Siemens and CISA recommend changing default passwords, hardening network access, and isolating control networks. Exploitation is remotely feasible with low complexity; no public exploitation has been reported to CISA.

CISA Adds One Vulnerability to KEV Catalog (2025-09-11)

🔔 CISA added CVE-2025-5086 — a Dassault Systèmes DELMIA Apriso deserialization of untrusted data vulnerability — to its Known Exploited Vulnerabilities (KEV) Catalog on September 11, 2025, based on evidence of active exploitation. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV-listed issues by required due dates. CISA urges all organizations to prioritize timely remediation as part of vulnerability management and will continue updating the catalog with vulnerabilities that meet its criteria.

Schneider Electric Modicon M340: Files Accessible Issue

🔒 Schneider Electric disclosed a Files or Directories Accessible to External Parties vulnerability affecting Modicon M340 devices and the BMXNOE0100/BMXNOE0110 Ethernet modules that could allow remote actors to remove files, block firmware updates, and disrupt the device webserver. The issue is tracked as CVE-2024-5056 with a CVSS v4 base score of 6.9. Schneider released firmware fixes for BMXNOE0100 (SV3.60) and BMXNOE0110 (SV6.80) and recommends immediate mitigations including network segmentation, disabling FTP when not required, and configuring Access Control Lists per the device manual. CISA also advises isolating control networks, minimizing internet exposure, and using VPNs for remote access.

Siemens RUGGEDCOM RST2428P: Security Advisory and Mitigations

🛡️ CISA republished information from Siemens ProductCERT regarding two vulnerabilities affecting the RUGGEDCOM RST2428P (6GK6242-6PA00). The issues — uncontrolled resource consumption (CVE-2025-40802) and exposure of sensitive information (CVE-2025-40803) — are exploitable from an adjacent network and have low CVSS scores (v3.1=3.1; v4=2.3). Siemens recommends firewalling UDP discovery ports and following industrial security guidance; CISA advises minimizing network exposure and isolating control networks.

Adobe Patches Critical 'SessionReaper' Flaw in Magento

🔒 Adobe warns of a critical unauthenticated vulnerability, CVE-2025-54236 (SessionReaper), affecting Commerce and Magento Open Source. A patch has been released to remediate a flaw that can allow account takeover via the Commerce REST API without authentication. Adobe deployed a temporary WAF rule for Commerce on Cloud customers and says it is unaware of in-the-wild exploitation, though a leaked hotfix may accelerate attacks. Administrators are urged to test and apply the update immediately; the fix may disable some internal Magento functionality and break custom or external integrations.

CISA Releases Fourteen ICS Advisories — September 9, 2025

🔔 CISA released fourteen Industrial Control Systems (ICS) advisories on September 9, 2025, providing timely information on security issues, vulnerabilities, and potential exploits affecting critical industrial products. The set includes advisories for Rockwell Automation (ThinManager, Stratix IOS, FactoryTalk families, CompactLogix, ControlLogix, Analytics LogixAI, 1783-NATR), Mitsubishi Electric, Schneider Electric, ABB, and others. Administrators are urged to review the advisories for technical details, CVE references, and recommended mitigations, and to prioritize patching, configuration changes, and compensating controls to reduce operational risk.

Experts: AI-Orchestrated Autonomous Ransomware Looms

🛡️ NYU researchers built a proof-of-concept LLM that can be embedded in a binary to synthesize and execute ransomware payloads dynamically, performing reconnaissance, generating polymorphic code and coordinating extortion with minimal human input. ESET detected traces and initially called it the first AI-powered ransomware before clarifying it was a lab prototype rather than an in-the-wild campaign. Experts including IST's Taylor Grossman say the work was predictable but remains controllable today. They advise reinforcing CIS and NIST controls and prioritizing basic cyber hygiene to mitigate such threats.

Bridgestone Confirms Limited Cyber Incident at Plants

⚠️ Bridgestone has confirmed a limited cyber incident affecting several North American manufacturing facilities, including plants in Aiken County, South Carolina, and Joliette, Quebec. Some sites remained operational while others halted or adjusted shifts, and employees were given differing pay options depending on local decisions. Bridgestone Americas says forensic analysis is ongoing and that containment measures were implemented quickly. The company stated it does not believe any customer data or interfaces were compromised.

Critical SAP S/4HANA Command Injection (CVE-2025-42957)

⚠️ SAP patched a critical command injection in SAP S/4HANA tracked as CVE-2025-42957 (CVSS 9.9) that allows low-privileged users to inject arbitrary ABAP via an RFC-exposed function module, bypassing authorization checks. SecurityBridge and NVD report active exploitation affecting both on-premise and Private Cloud editions, with potential for full system compromise. Organizations are urged to apply SAP's monthly fixes immediately, monitor for suspicious RFC calls or new admin accounts, implement network segmentation and backups, adopt SAP UCON to restrict RFC usage, and review access to authorization object S_DMIS activity 02.

Unauthorized TLS Certificates Issued for 1.1.1.1 by Fina CA

🔒 Cloudflare reported that Fina CA issued twelve unauthorized TLS certificates for the public DNS IP 1.1.1.1 between February 2024 and August 2025. All certificates have been revoked and Cloudflare found no evidence they were used maliciously, noting that successful impersonation would also require client trust in Fina and interception of traffic. The misissuance was detected via Certificate Transparency logs, and Cloudflare is improving alerts, monitoring, and triage to prevent similar lapses.

SNI5GECT: 5G Downgrade Attack Enables 4G Tracking Now

🔒 Researchers demonstrated SNI5GECT, an over‑the‑air injection attack targeting unencrypted initial exchanges in 5G that can crash device modems or force a fallback to 4G. By observing the plain‑text handshake and injecting a crafted information block at precise timing, an attacker within roughly 20 meters can trigger a reboot or downgrade. The technique enabled 4G‑based tracking and spoofing on multiple handsets across different modem vendors, and arises from protocol characteristics rather than a single vendor implementation.

Pressure Grows on CISOs to Conceal Security Incidents

🔒 A growing majority of CISOs report being pressured to hide breaches, with a Bitdefender survey finding 69% instructed to keep incidents confidential, up from 42% two years earlier. Security leaders say attackers increasingly prioritize stealthy data theft rather than disruptive encryption, making breaches less visible to the public. Regulatory regimes such as GDPR, NIS2 and DORA complicate disclosure decisions, while experts warn that concealment multiplies legal, financial and reputational risk and recommend robust, transparent incident response plans.