cybersecurity

An umbrella community for all things cybersecurity / infosec. News, research, questions are all welcome!

Just in time for the end of the year, we’re happy to share our final release before the holidays: Vulnerability-Lookup 2.20.0 🎄

What's New

GCVE (Global CVE Allocation System): Relationships

We’ve updated the bundled Vulnogram interface to better support the GCVE ecosystem. Vulnerability-Lookup now allows you to define and manage relationships between vulnerabilities, in line with the GCVE BCP-05 specification.

Commit: 2f39bf8

This is a first step toward implementing full GCVE BCP-05 compliance.

Displaying relationships of a vulnerability

https://vulnerability.circl.lu/vuln/GCVE-1-2025-0032

In this case, opposes indicates that the GNA does not agree with the status or validity of the referenced vulnerability. This can be used when a GCVE published by another GNA is considered not to be a vulnerability for the product in question (e.g., the behavior is expected, or the scenario describes a discouraged or unsupported configuration).

Editing relationships with the Vulnogram UI


Sightings Visualization

Understanding how vulnerabilities are observed in the wild just got easier. We’ve added a new Heat Map to visualize vulnerability sightings over time, featuring built-in filters for dates and sighting types.

Commit: 56a66e0

Examples

https://vulnerability.circl.lu/vuln/CVE-2025-61757#sightings

https://vulnerability.circl.lu/vuln/CVE-2018-13379#sightings

Sighting correlations

https://vulnerability.circl.lu/vuln/CVE-2025-59718#sightingsCorrelations


Changes

  • Authentication: Allowed password recovery triggers based on case-insensitive usernames. #290
  • Vulnerability Disclosure: A guidance message is now displayed to unauthenticated users when attempting to submit a new disclosure. (90787db)
  • Product API: product.find_vulnerabilities now returns more comprehensive results. (a31f6c3)

https://vulnerability.circl.lu/vuln/GCVE-1-2025-0041


Fixes

  • Data Ingestion: Fixed an issue to ignore temporary files in ossf/malicious-packages. (6bc93b1)
  • Website: Fixed the routing path used to delete vulnerability disclosures. (e2ecb2a)
  • Website: Updated vulnerability ID requirements to be optional for disclosures. (5bd5353)

Changelog

For the full list of changes, check the GitHub release:
v2.20.0 Release Notes

Thank you to all our contributors and testers!


Feedback and Support

If you encounter any issues or have suggestions, please open a ticket on our GitHub repository:
GitHub Issues

Follow Us on the Fediverse

Stay updated on security advisories in real-time by following us on Mastodon:
@vulnerability_lookup

Spectre V1 mitigations in the Linux kernel are coming for RISC-V with newer RISC-V core designs being vulnerable to Spectre Variant One style attacks.

Spectre V1, as a reminder, is the variant for Bounds Check Bypass with CPU speculative execution in conditional branches. The Linux kernel RISC-V code hasn't seen Spectre V1 protections since earlier, more basic RISC-V core designs have been immune to Variant One and other Spectre vulnerabilities. But newer, more complex RISC-V core designs are bringing some of the same challenges exhibited on x86_64 and AArch64 architectures.

cross-posted from: https://mander.xyz/post/43813312

Chinese espionage crew 'Ink Dragon' expands its snooping activities into European government servers

In the last few months, the China-linked threat Ink Dragon's activities show increased focus on government targets in Europe in addition to continued activities in Southeast Asia and South America.

Web archive link

Here is the original (technical) report: Inside Ink Dragon: Revealing the Relay Network and Inner Workings of a Stealthy Offensive Operation

...

These attacks begin with Ink Dragon probing security weaknesses, such as misconfigured Microsoft IIS and SharePoint servers, to gain access to victims' environments. This tactic, as opposed to abusing zero-days or other high-profile vulnerabilities, helps attackers fly under the radar and reduces their chances of being caught.

Ink Dragon then scoops up credentials and uses existing accounts to infiltrate targets, tactics that help the gang blend in with normal network traffic.

"This stage is typically characterized by low noise and spreads through infrastructure that shares the same credentials or management patterns," Check Point's researchers said in a Tuesday blog.

Once Ink Dragon finds an account with domain-level access, the spies set to work establishing long-term access across high-value systems, installing backdoors and implants that store credentials and other sensitive data.

...

In addition to their new targets and relay node activity, Check Point says the cyber spies have also updated their FinalDraft backdoor so that it blends in with common Microsoft cloud activity, hiding its command traffic inside mailbox drafts.

The new version also lets the malware check in during business hours - so as not to draw unwanted after-hour attention - and can more efficiently transfer large files with minimal noise.

...

The threat hunters' investigation into Ink Dragon also uncovered similar stealthy activity by another China-linked espionage crew, RudePanda, which "had quietly entered several of the same government networks," they wrote.

While the two groups are unrelated, they both abused the same server vulnerability to gain access to the same IT environments. This also illustrates the changing tactics among other government-sponsored cyber squads, including not only Beijing-backed crews, but also those from Russia.

...

GPU Efficiency in VLAI Model Training (www.vulnerability-lookup.org)
submitted 2 days ago by cm0002@lemy.lol to c/cybersecurity
Off-Topic Friday (self.cybersecurity)
submitted 1 week ago by shellsharks to c/cybersecurity

Wanna chat about something non-infosec amongst those of us who frequent /c/cybersecurity? Here’s your chance! (Keep things civil & respectful please)

Dozens of government and university websites belonging to cities, towns, and public agencies across the country are hosting PDFs promoting AI porn apps, porn sites, and cryptocurrency scams; dozens more have been hit with website redirection attacks which lead to animal vagina sex toy ecommerce pages, penis enlargement treatments, automatically-downloading Windows program files, and porn.

“Sex xxx video sexy Xvideo bf porn XXX xnxx Sex XXX porn XXX blue film Sex Video xxx sex videos Porn Hub XVideos XXX sexy bf videos blue film Videos Oficial on Instagram New Viral Video The latest original video has taken the internet by storm and left viewers in on various social media platforms ex Videos Hot Sex Video Hot Porn viral video,” reads the beginning of a three-page PDF uploaded to the website of the Irvington, New Jersey city government’s website.

Archive: http://archive.today/tgD57

Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.

Off-Topic Friday (self.cybersecurity)
submitted 2 weeks ago by shellsharks to c/cybersecurity

Wanna chat about something non-infosec amongst those of us who frequent /c/cybersecurity? Here’s your chance! (Keep things civil & respectful please)

cross-posted from: https://scribe.disroot.org/post/5953090

Archived version

Here is the original Cisa report: BRICKSTORM Backdoor

...

Chinese hackers are using a strain of malware to attack governments in several countries and maintain long-term access, according to U.S. and Canadian cybersecurity officials.

The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA) and Canadian Centre for Cyber Security published an advisory on Thursday outlining the BRICKSTORM malware based on an analysis of eight samples taken from victim organizations.

...

“BRICKSTORM is a sophisticated and stealthy backdoor malware linked to PRC state-sponsored cyber actors,” said CISA Executive Assistant Director for Cybersecurity Nick Andersen.

The advisory includes indicators of compromise and detections organizations can use to tell if they have been impacted by the campaign involving the malware. The malware is used “for long-term persistence on victim systems,” according to U.S. agencies.

...

The goal of the campaign is to steal valuable intellectual property and sensitive data — with a particular focus on the email inboxes of senior company leaders, according to Mandiant. The company attributed the campaign to a threat actor they previously accused of abusing vulnerabilities in firewall products from tech company Ivanti.

...

Record-Breaking DDoS Attacks Mark 2025 Q3 as Aisuru Botnet Emerges

The Aisuru botnet dominated the DDoS threat landscape in Q3 2025, commanding an army of 1-4 million infected devices and launching unprecedented attacks that peaked at 29.7 Tbps and 14.1 billion packets per second[^1]. Cloudflare's autonomous systems blocked 8.3 million DDoS attacks during the quarter, averaging 3,780 attacks per hour - a 15% increase from Q2 and 40% year-over-year[^1].

The Rise of Aisuru

The botnet targeted telecommunications providers, gaming companies, hosting providers, and financial services, causing widespread Internet disruption even when organizations weren't direct targets[^1]. Parts of Aisuru are now offered as botnets-for-hire, enabling attackers to "inflict chaos on entire nations" for just hundreds to thousands of dollars[^1].

Attack Statistics

  • 1,304 hyper-volumetric attacks in Q3 alone (54% increase from Q2)
  • Attacks over 100 million packets per second up 189%
  • Attacks exceeding 1 Tbps increased 227%
  • 4% of HTTP attacks exceeded 1 million requests per second[^15]

Industry Impacts

DDoS attacks against AI companies surged 347% month-over-month in September 2025, coinciding with increased public concern over AI risks[^1]. The Mining, Minerals & Metals industry jumped 24 spots in target rankings amid EU-China tensions over rare earth minerals and EV tariffs[^1].

Geographic Trends

Indonesia maintained its position as the leading source of DDoS attacks globally, holding the top spot for a full year. The country's share of HTTP DDoS attack traffic has grown by 31,900% since 2021[^1].

Attack Types

UDP floods led network-layer attacks with a 231% quarterly increase, followed by DNS floods, SYN floods, and ICMP floods[^1]. Nearly 70% of HTTP DDoS attacks came from known botnets, with 20% originating from fake or headless browsers[^1].

[^1]: Cloudflare - Cloudflare's 2025 Q3 DDoS threat report
[^15]: Security Affairs - Cloudflare mitigates record 29.7 Tbps DDoS attack by the AISURU botnet

cross-posted from: https://lemmy.zip/post/54305624

Open source React executes malicious code with malformed HTML—no authentication needed.

Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.

Over the past week, we've identified and tracked an unprecedented 23 extensions which copy other popular extensions, update after publishing with malware, manipulate download counts, and use KNOWN attack signatures which have been in use for months. Many of these relate to Glassworm malware, but there could be multiple campaigns at work also.