Daily Security Review

Daily Security Review

Daily Security Review, the premier source for news and information on security threats, Ransomware and vulnerabilities

  1. Palo Alto Networks Uncovers 194,000-Domain Smishing Campaign Linked to “Smishing Triad”

    29 OCT.

    Palo Alto Networks Uncovers 194,000-Domain Smishing Campaign Linked to “Smishing Triad”

    A global smishing campaign of unprecedented scale has been uncovered by Palo Alto Networks, revealing the vast operations of a Chinese-speaking threat actor known as the Smishing Triad. Since January 2024, the group has deployed more than 194,000 malicious domains, impersonating legitimate organizations ranging from toll and postal services to banks, cryptocurrency exchanges, and delivery companies. This campaign, active across the U.S., Europe, Asia, and the Middle East, leverages personalized SMS messages designed to trick recipients into divulging sensitive personal or financial information. Palo Alto Networks’ threat intelligence analysis describes the Smishing Triad as operating under a Phishing-as-a-Service (PhaaS) model—a decentralized criminal ecosystem in which specialized actors handle everything from domain registration and hosting to SMS distribution and phishing kit development. The infrastructure churns through thousands of new domains weekly, with most lasting less than two weeks, making detection and takedown efforts nearly impossible to sustain. Impersonating legitimate entities such as the U.S. Postal Service, India Post, and major financial institutions, the attackers craft highly convincing lures that exploit urgency and trust. Victims are redirected to counterfeit login portals where they unknowingly hand over credentials, Social Security numbers, or banking information. According to Palo Alto Networks, this high-volume, low-lifespan domain model allows the Smishing Triad to evade signature-based defenses and continuously scale their attacks. Beyond its scale, what distinguishes this campaign is its professionalization—an industrialized cybercrime model where phishing capabilities are outsourced and sold as services. As a result, even novice criminals can launch large-scale smishing attacks with minimal technical skill. The report warns that this trend marks a dangerous evolution of the cybercrime economy, merging automation, deception, and distributed infrastructure to sustain a global fraud operation. Palo Alto Networks recommends heightened vigilance, staff awareness training, and strict verification protocols for unsolicited messages, particularly those claiming to be from official entities demanding immediate action. As the Smishing Triad continues to evolve, it stands as a clear reminder that the boundaries between state-linked actors and organized cybercriminal enterprises are increasingly blurred—and that mobile-based phishing remains one of the fastest-growing global threats to individual and enterprise security alike. #SmishingTriad #PaloAltoNetworks #Smishing #PhishingAsAService #Cybercrime #MobileSecurity #SMSPhishing #PhishingCampaign #OpenSourceIntelligence #ThreatIntelligence #Cybersecurity #InformationSecurity #GlobalThreats #PhishingAttack #Infosec #PhaaS #CyberDefense #DarkWeb

    27 min
  2. Operation ForumTroll: Chrome Zero-Day Tied to Italian Spyware Developer Memento Labs

    29 OCT.

    Operation ForumTroll: Chrome Zero-Day Tied to Italian Spyware Developer Memento Labs

    A newly uncovered cyber-espionage operation known as Operation ForumTroll has revealed the resurgence of commercial spyware in state-sponsored surveillance campaigns. According to new research from Kaspersky, the campaign exploited a Google Chrome zero-day vulnerability (CVE-2025-2783) and targeted Russian and Belarusian organizations in government, research, and media sectors. The attacks were traced to tools developed by Memento Labs, the Italian surveillance vendor formerly known as the Hacking Team, whose legacy spyware once sparked global controversy for being sold to authoritarian regimes. The operation began with highly tailored phishing emails disguised as invitations to the “Primakov Readings” — a major international policy forum — luring recipients into visiting short-lived malicious links. Once clicked, victims were redirected to a drive-by exploit that leveraged the Chrome sandbox escape vulnerability, allowing attackers to execute code on the underlying operating system. Kaspersky’s researchers later identified a similar flaw in Firefox (CVE-2025-2857), broadening the attack surface for the same threat actors. Once inside, the attackers deployed a dual-implant structure: a custom spyware loader named LeetAgent, and a far more advanced commercial implant called Dante, developed by Memento Labs. Both tools shared identical persistence mechanisms, specifically COM hijacking, a telltale indicator linking the two. While LeetAgent operated as a modular espionage platform capable of keylogging, code injection, and document theft, the Dante implant exhibited industrial-grade sophistication. Protected by VMProtect obfuscation, Dante was found to contain a central orchestrator module that decrypts and loads AES-encrypted payloads, all bound cryptographically to a specific victim machine—ensuring the spyware could not run elsewhere. Forensic analysis uncovered unmistakable evidence connecting Dante to Hacking Team’s legacy Remote Control Systems (RCS) spyware. Once researchers removed the VMProtect layer, the name “Dante” appeared directly in the code, confirming its lineage. This finding completes a technological chain linking Memento Labs’ “rebooted” surveillance suite to the same underlying codebase once used by Hacking Team—a company whose previous exposure in 2015 caused international uproar. The technical core of Operation ForumTroll rested on CVE-2025-2783, a flaw in Chrome’s Inter-Process Communication (IPC) framework that mishandled Windows pseudo-handles. This allowed attackers to exploit a logic error and execute arbitrary code outside the browser’s sandbox, achieving full system compromise. Before triggering the exploit, the attackers ran an intricate validation process using WebGPU-based hardware checks and ECDH encryption to ensure the victim was a genuine human target, not a researcher or sandbox system—a sophisticated evasion method rarely seen in commercial spyware delivery. Kaspersky’s attribution of Operation ForumTroll to Memento Labs represents one of the clearest connections yet between a commercial surveillance vendor and a state-backed cyber operation. The exposure carries significant implications for the spyware industry, signaling that tools developed under the guise of “lawful interception” continue to reappear in covert geopolitical campaigns. Analysts believe this revelation may force Memento Labs to re-engineer its flagship Dante suite, much as it did when rebranding from Hacking Team years earlier. This operation serves as a powerful reminder of the blurred boundaries between private surveillance companies and state cyber operations—and how vulnerabilities in everyday software can be weaponized through the global spyware market. A full list of Indicators of Compromise (IoCs) from the campaign has been released by Kaspersky to help defenders detect and mitigate related threats. #OperationForumTroll #MementoLabs #HackingTeam #DanteSpyware #LeetAgent #CVE20252783 #ChromeZeroDay #CyberEspionage #Kaspersky #CommercialSpyware #CVE20252857 #Cybersecurity #SpywareMarket #ThreatIntelligence #ZeroDayExploit #APT #SurveillanceTechnology #CyberDefense #Infosec

    37 min
  3. Coveware Reports Historic Drop in Ransomware Payments: Only 23% of Victims Paid in Q3 2025

    28 OCT.

    Coveware Reports Historic Drop in Ransomware Payments: Only 23% of Victims Paid in Q3 2025

    The global ransomware economy is collapsing under growing resistance from its targets. According to new data from cybersecurity firm Coveware, the third quarter of 2025 saw ransomware payments drop to a historic low, with just 23% of victims paying attackers—a continuation of a six-year downward trend. Even when ransoms were paid, the average payment plunged by 66%, marking one of the most dramatic contractions in cyber extortion profitability to date. This shift is not coincidental. Companies have learned that paying the ransom rarely prevents data leaks, and law enforcement guidance increasingly supports a strict no-payment stance. Privacy attorneys are also advising organizations to refuse payment, particularly in cases of data exfiltration-only attacks, where victims gain little to nothing by complying. As a result, the ransomware “business model” is faltering, with fewer payouts starving the criminal ecosystem that depends on steady Bitcoin inflows. Facing these headwinds, threat groups like Akira and Qilin have pivoted to a high-volume, low-demand strategy. Rather than chasing multi-million-dollar payouts from major enterprises, these gangs are now flooding mid-sized companies with smaller ransom demands—an approach that exploits limited budgets and weaker security postures. The data shows that the median victim size rose to 362 employees, suggesting that attackers are deliberately targeting organizations large enough to pay something, but small enough to lack enterprise-level defenses. Despite these strategic shifts, attackers continue to rely on basic entry points rather than sophisticated exploits. Over half of all ransomware incidents still begin with compromised remote access services, weak passwords, and misconfigured systems. Meanwhile, phishing campaigns and unpatched software vulnerabilities—most of them years old—remain the easiest paths for compromise. This underscores that ransomware operations thrive on poor hygiene, not innovation. Experts view this decline in ransom payments as an encouraging milestone. With fewer victims paying, the economics of ransomware are becoming unsustainable, forcing groups to fragment or lower their demands to stay operational. The Coveware report concludes that this trend represents meaningful progress: the more organizations refuse to pay, the less incentive attackers have to continue. However, the industry must remain vigilant—especially mid-sized companies, which now face a rising tide of smaller but more frequent attacks. As the ransomware economy contracts, the message is clear: resilience and refusal work. By focusing on foundational defenses—multi-factor authentication, strict patching, and secure remote access—organizations can help starve the cyber extortion ecosystem and push ransomware further toward collapse. #Ransomware #Coveware #CyberExtortion #AkiraRansomware #QilinRansomware #Cybersecurity #ThreatIntelligence #RansomwarePayments #Phishing #RemoteAccessSecurity #VulnerabilityManagement #InfoSec #DataBreach #CyberCrime #NoRansomPolicy #CyberDefense #IncidentResponse #Q32025 #CyberThreatReport

    26 min
  4. Firefox Add-Ons Must Declare Data Collection—or Be Rejected

    28 OCT.

    Firefox Add-Ons Must Declare Data Collection—or Be Rejected

    Mozilla is taking a decisive step toward transparency and user control by requiring all Firefox extensions to disclose how they collect and handle personal data. The new mandate introduces a dedicated key—browser_specific_settings.gecko.data_collection_permissions—that every extension must include in its manifest file. Whether or not an extension collects data, developers must explicitly declare their practices, ensuring there is no room for ambiguity. This policy introduces what many are calling a “privacy nutrition label” for browser add-ons, allowing users to see data collection details before installation. The information will be prominently displayed both on the addons.mozilla.org extension listing pages and within Firefox’s about:addons management interface. By placing this information front and center, Mozilla is giving users the ability to make more informed decisions about which extensions they trust with their data. For developers, compliance isn’t optional. Any extension that fails to properly declare its data collection policies will be rejected during the signing process, blocking it from distribution through Mozilla’s add-on store. Even extensions that support older Firefox versions must still offer an immediate, built-in method for users to control data collection after installation. This ensures that all users, regardless of which version they run, retain meaningful privacy controls. Mozilla’s phased rollout begins immediately for new extension submissions and will expand to include all existing extensions by next year. The initiative represents one of the most significant shifts in browser extension policy since Mozilla first opened its add-on ecosystem. By enforcing these clear, structured disclosures, Firefox is setting a new precedent in digital transparency—one that could pressure other browser vendors to follow suit. As privacy concerns continue to grow across the web, this move underscores Mozilla’s longstanding commitment to open, user-first design. For everyday users, it means fewer hidden data practices. For developers, it establishes a clear framework for ethical software distribution. And for the broader tech landscape, it signals a new era where trust and transparency are not optional, but expected. #Mozilla #Firefox #PrivacyUpdate #BrowserExtensions #DataTransparency #UserPrivacy #ManifestV3 #FirefoxAddons #Cybersecurity #OnlinePrivacy #ExtensionPolicy #DataCollection #AppTransparency #TechNews

    29 min
  5. Chainguard’s $3.5 Billion Valuation Signals Massive Investor Confidence in Secure-by-Default Software

    28 OCT.

    Chainguard’s $3.5 Billion Valuation Signals Massive Investor Confidence in Secure-by-Default Software

    Chainguard, the Kirkland, Washington-based cybersecurity company, has announced a landmark $280 million growth funding round led by General Catalyst’s Customer Value Fund (CVF), pushing its total capital raised to nearly $900 million and valuing the firm at $3.5 billion. This new round marks a pivotal phase for Chainguard as it shifts from product-focused development to large-scale go-to-market execution, all while maintaining an ironclad focus on product innovation and security. Founded on the mission to secure the open source software supply chain, Chainguard provides over 1,700 secure-by-default container images, curated language libraries, and purpose-built VM images designed to eliminate known vulnerabilities before they reach production environments. The company’s “secure-by-default” approach has become its defining market differentiator, drastically reducing security and compliance risks for developers and enterprises worldwide. According to CFO Eyal Bar, the funding model is designed to “scale go-to-market investment without diluting ownership or slowing innovation.” This strategic partnership with General Catalyst’s CVF enables Chainguard’s commercial operations to fund their own growth, while preserving capital for research, product engineering, and the next wave of secure software infrastructure development. The infusion of capital also reflects unprecedented investor confidence in Chainguard’s disciplined financial model, rapid scaling capabilities, and unique position within the cybersecurity ecosystem. As enterprise dependence on open source continues to expand, Chainguard’s mission to secure foundational components of modern software development is more critical than ever. With a strong capital structure, a mature go-to-market plan, and a product suite trusted by developers globally, Chainguard is now poised to cement its leadership in the secure software supply chain sector. #Chainguard #OpenSourceSecurity #SoftwareSupplyChain #Cybersecurity #GrowthFunding #GeneralCatalyst #SecureByDefault #DevSecOps #VulnerabilityManagement #InvestmentNews #CloudSecurity #SoftwareEngineering #TechFunding #ContainerSecurity

    25 min
  6. $1 Million WhatsApp Exploit Withdrawn—Researcher Silent, Meta Calls It “Low-Risk”

    28 OCT.

    $1 Million WhatsApp Exploit Withdrawn—Researcher Silent, Meta Calls It “Low-Risk”

    The Pwn2Own Ireland 2025 hacking competition was set to feature one of its most anticipated moments — a $1 million zero-click remote code execution exploit against WhatsApp — but the demonstration never happened. Scheduled to be showcased by researcher Eugene of Team Z3, the exploit’s abrupt withdrawal stunned attendees and quickly became the most controversial event of the competition. Organized by Trend Micro’s Zero Day Initiative (ZDI), Pwn2Own had validated the exploit’s entry, fueling expectations that WhatsApp would face a serious zero-day challenge in front of a live audience. Yet when the researcher pulled out hours before the demo, official explanations shifted, and a clash of narratives began to unfold between ZDI, the researcher, and WhatsApp’s parent company, Meta. ZDI initially cited travel issues as the reason for the cancellation, later updating its statement to say the exploit was “not sufficiently prepared for public demonstration.” By evening, ZDI announced that Team Z3 had agreed to a private disclosure, promising to share details confidentially with Meta. Researcher Eugene confirmed the arrangement the following day, explaining that a signed non-disclosure agreement (NDA) prevented him from revealing more and that he wished to maintain anonymity. That silence created a vacuum—one that Meta quickly filled. In a pointed public statement, WhatsApp claimed the researcher’s submission was not viable, describing it instead as two “low-risk bugs” and expressing disappointment that the team withdrew. The language was notably firm, designed to reassure users and minimize perception of risk. Yet, to many in the cybersecurity community, this reframing directly contradicted the exploit’s prior $1 million valuation and ZDI’s validation, raising doubts about whether the exploit had been downplayed for public-relations reasons. Analysts observed that ZDI’s evolving messaging — from travel delays to incomplete preparation — suggested an effort to contain reputational fallout while preserving its credibility as an impartial coordinator. Meanwhile, Meta’s decisive tone allowed it to reclaim control of the narrative, portraying its platform as secure and the withdrawn exploit as exaggerated. For researchers, however, the episode highlighted the power imbalance between independent security experts and major tech vendors, where NDAs and corporate messaging can quickly shape public understanding of an exploit’s true impact. This controversy underscores the fragile relationship between vendors, event organizers, and security researchers. WhatsApp’s choice to publicly downplay the exploit may have protected its image in the short term but risks alienating researchers wary of being discredited after disclosure. The incident serves as a cautionary tale for both sides: that in today’s vulnerability economy, the battle for truth is often fought not in code, but in public communication. #Pwn2Own #WhatsApp #ZeroDay #ZDI #Meta #ExploitWithdrawal #BugBounty #SecurityResearch #CyberSecurity #RCE #Eugene #TeamZ3 #TrendMicro #VulnerabilityDisclosure #HackerCommunity #WhiteHat #InfoSec #Pwn2OwnIreland2025 #NDAs #CyberEvent

    20 min
  7. OpenAI Atlas Omnibox Jailbreak Exposes New AI Security Flaw

    27 OCT.

    OpenAI Atlas Omnibox Jailbreak Exposes New AI Security Flaw

    A serious vulnerability has been discovered in the OpenAI Atlas omnibox, a hybrid interface designed to handle both URLs and user prompts. Researchers at NeuralTrust revealed that attackers can disguise malicious instructions as URLs to jailbreak the omnibox, taking advantage of how Atlas interprets malformed input. Unlike traditional browsers, Atlas sometimes misclassifies malformed URLs as trusted instructions after a failed inspection, leading the system to execute the embedded commands with elevated trust and fewer safety checks. This parsing flaw allows attackers to effectively hijack the agent’s behavior, transforming a simple navigation request into an opportunity for exploitation. Through this vulnerability, threat actors can use a so-called copy-link trap — embedding the malicious string behind a “Copy Link” button or message. When a user pastes the disguised input into the omnibox, Atlas treats it as a legitimate prompt rather than a web address, potentially directing the user to a phishing site or executing commands within their authenticated session. The exploit could even be used to instruct the AI to delete files from connected cloud accounts, leveraging the user’s session tokens and bypassing normal confirmation checks. The underlying issue is not just a coding oversight but a logical failure in trust boundaries — a design-level problem where the system cannot reliably distinguish between a URL to visit and a command to obey. The result is a dangerous breakdown in user control, allowing a malicious prompt to override user intent, perform cross-domain actions, and sidestep the very safety layers meant to protect against prompt injection. Experts warn that this flaw represents a new class of process-based exploit for agentic AI systems. Because it abuses the underlying methodology of how the omnibox interprets input, the vulnerability could be adapted for countless malicious purposes beyond phishing or file deletion. Defending against it will require architectural changes, including stricter input validation, stronger provenance tracking, and clearer separation of trusted and untrusted instructions. The Atlas omnibox jailbreak shows that as AI interfaces evolve, attackers are learning to weaponize ambiguity — turning text meant to navigate into text that commands, and exploiting the blurred line between user input and system execution. #OpenAI #Atlas #OmniboxJailbreak #NeuralTrust #AIJailbreak #CyberSecurity #PromptInjection #URLExploit #CrossDomainAttack #AgentSecurity #Phishing #ClipboardAttack #AITrust #SafetyByDesign #InfoSec #AIThreats #InputValidation #OmniboxVulnerability #AtlasExploit #AIIntegrity

    35 min
  8. Microsoft Rushes Emergency Fix for WSUS Remote Code Execution Flaw (CVE-2025-59287)

    27 OCT.

    Microsoft Rushes Emergency Fix for WSUS Remote Code Execution Flaw (CVE-2025-59287)

    A critical remote code execution (RCE) flaw, tracked as CVE-2025-59287, has put thousands of enterprise networks at risk by exposing the Windows Server Update Service (WSUS) to active exploitation. The vulnerability, rooted in unsafe object deserialization, allows unauthenticated remote attackers to execute arbitrary code with System-level privileges — effectively granting full administrative control over targeted Windows servers. Because WSUS manages how updates are distributed across enterprise networks, a compromised instance can give attackers the ability to manipulate software updates, deploy malware, or hijack patch pipelines at scale. Following the discovery of in-the-wild attacks, Microsoft released out-of-band security updates, emphasizing the urgency of immediate patch deployment. Despite this, researchers from Eye Security and the Dutch National Cyber Security Centre (NCSC) have confirmed active exploitation shortly after a Proof-of-Concept (PoC) exploit was made public. The vulnerability impacts multiple Windows Server versions — including 2012, 2016, 2019, 2022, and 2025 — and requires only that the WSUS Server Role be enabled for successful compromise. Security firm HawkTrace was the first to publish detailed technical analysis and a working PoC, demonstrating how attackers can trigger the deserialization flaw by sending a crafted event to a vulnerable WSUS instance. Within hours of these details going public, threat actors began leveraging the exploit in real-world attacks, highlighting the alarming speed of vulnerability weaponization in modern threat landscapes. As of Eye Security’s latest findings, more than 2,500 WSUS servers worldwide remain exposed and unpatched. Microsoft’s official guidance urges immediate installation of both the initial and follow-up out-of-band patches, while administrators unable to patch immediately are advised to disable the WSUS Server Role as a temporary mitigation to close the attack vector. This incident underscores the critical importance of rapid patch management, proactive monitoring, and layered defenses for infrastructure components that underpin enterprise security ecosystems. The exploitation of CVE-2025-59287 is a stark reminder that attackers move faster than ever — and that every hour between disclosure and patching can mean the difference between defense and disaster. #Microsoft #CVE202559287 #WSUS #WindowsServer #RemoteCodeExecution #PatchNow #CyberSecurity #RCE #Exploit #Vulnerability #HawkTrace #EyeSecurity #DutchNCSC #ZeroDay #MicrosoftPatch #CriticalFlaw #InfoSec #EnterpriseSecurity #SystemPrivileges #WindowsExploit

    20 min
Tout afficher (410)

À propos

Daily Security Review, the premier source for news and information on security threats, Ransomware and vulnerabilities

Informations

  • Créateur
    Daily Security Review
  • Années d’activité
    2 k
  • Épisodes
    410
  • Classement
    Tout public
  • Copyright
    © 2025 Daily Security Review
  • Site Web de l’émission
    Daily Security Review

Vous aimerez peut-être aussi