cybersecurity

An umbrella community for all things cybersecurity / infosec. News, research, questions, are all welcome!

cross-posted from: https://lemmy.sdf.org/post/38794024

The U.S. Federal Communications Commission said on Wednesday it plans to adopt rules to bar companies from connecting undersea submarine communication cables to the United States that include Chinese technology or equipment.

"We have seen submarine cable infrastructure threatened in recent years by foreign adversaries, like China," FCC Chair Brendan Carr said in a statement. "We are therefore taking action here to guard our submarine cables against foreign adversary ownership, and access as well as cyber and physical threats."

[...]

The FCC will also seek comment on additional measures to protect submarine cable security against foreign adversary equipment. The cutting of two fiber-optic undersea telecommunication cables in the Baltic Sea prompted investigations of possible sabotage.

In 2023, Taiwan accused two Chinese vessels of cutting the only two cables that support internet access on the Matsu Islands, and Houthi attacks in the Red Sea may have been responsible for the cutting of three cables providing internet service to Europe and Asia.

cross-posted from: https://scribe.disroot.org/post/3613886

Executive Summary

Events over the last eighteen months indicate that the risk environment for submarine cables has very likely escalated, and the threat of state-sponsored malicious activity targeting submarine cable infrastructure is likely to rise further amid heightened geopolitical tensions. Insikt Group’s assessment of the current risk environment for submarine cables aligns with the findings of our 2023 assessment, which highlighted the convergence of geopolitical, physical, and cyber threats. Based on an analysis of 44 publicly reported cable damages occurring in 32 distinct groupings in 2024 and 2025 (Appendix A), Insikt Group assesses that three factors in the submarine cable ecosystem –– lack of redundancy in cable networks, lack of diversity of cable routes, and limited global repair capacity –– very likely increase the likelihood of significant outages from damages. Regions with low redundancy, such as parts of West and Central Africa, isolated Pacific islands, and certain secondary European routes, are more likely to suffer disproportionate impact from cable damage, especially when geopolitical tensions coincide with infrastructure constraints.

While accidents will very likely continue to cause the majority of day-to-day interruptions, recent incidents in the Baltic Sea and around Taiwan indicate that submarine cable systems remain vulnerable to threats such as anchor dragging, which states can use as a low-sophistication tactic to target adversaries’ critical infrastructure while maintaining plausible deniability. Insikt Group identified four incidents involving eight distinct cable damages in the Baltic Sea and five incidents involving five distinct cable damages around Taiwan in 2024 and 2025. At least five of these nine incidents were attributed to ships dragging their anchors, including four Russia- or China-linked vessels operating under suspicious circumstances or with opaque ownership structures, although the resulting investigations have highlighted the difficulty of attributing cable cuts to state-sponsored sabotage. Such campaigns attributed to Russia in the North Atlantic–Baltic region and China in the western Pacific are likely to increase in frequency as tensions rise, leveraging deniable tactics in both shallow and deep water to apply political pressure without overt escalation.

Without a significant expansion of dedicated repair vessels, repair capacity is very likely to lag behind demand, pushing median restoration times beyond the current 40‑day benchmark. National permitting delays and conflict zone access restrictions will likely extend repair times further, making streamlined diplomatic clearance processes an increasingly critical element of submarine cable resilience. Satellite and microwave links will almost certainly remain partial stop‑gaps, restoring only a fraction of lost bandwidth during major outages. To mitigate these challenges, joint public-private partnerships investing in repair and maintenance capabilities, improving real-time monitoring and security measures around submarine cable infrastructure, and conducting comprehensive stress tests are critical to improving resilience and guarding against a low-probability but high-impact event in which damages to multiple cables cause prolonged connectivity issues.

Key Findings

  • Insikt Group identified a total of 44 publicly reported cable damages in 2024 and 2025 occurring in 32 distinct groupings. Unknown causes accounted for the largest number of damages (31%), followed by anchor dragging (25%) and seismic activity or other natural phenomena (16%).
  • Of the identified cable damages, three caused significant and prolonged outages. These cases indicate that three factors –– lack of redundancy, lack of diversity of cable routes, and limited repair capacity –– very likely raise the risk of severe impact from damages to submarine cables.
  • Insikt Group identified four incidents in the Baltic Sea involving eight distinct submarine cable damages and five incidents around Taiwan involving five distinct submarine cable damages in 2024 and 2025, four of which involved China- or Russia-linked vessels with opaque ownership or suspicious maneuvers near the damaged cables.
  • Geopolitical tensions –– namely, Russia’s war against Ukraine and China’s coercive actions toward Taiwan –– very likely remain the primary drivers of state-linked sabotage activity targeting submarine cables.
  • Joint public-private partnerships promoting investment in cable repair and maintenance capabilities, enhancing security and surveillance of critical submarine infrastructure, and improving resilience in current and future cable networks will be critical to addressing rising threats to cable infrastructure.

...

cross-posted from: https://lemmy.sdf.org/post/38773576

A DoD report warns that China-nexus hacking group Salt Typhoon breached a U.S. state’s Army National Guard network from March to December 2024. The APT stole network configs, admin credentials, and data exchanged with units across all U.S. states and several territories. This info could help future hacks and weaken state-level defenses against Chinese cyberattacks during crises, posing serious risks to U.S. critical infrastructure.

“A recent compromise of a US state’s Army National Guard network by People’s Republic of China (PRC)-associated cyber actors—publicly tracked as Salt Typhoon—likely provided Beijing with data that could facilitate the hacking of other states’ Army National Guard units, and possibly many of their state-level cybersecurity partners. If the PRC-associated cyber actors that conducted the hack succeeded in the latter, it could hamstring state-level cybersecurity partners’ ability to defend US critical infrastructure against PRC cyber campaigns in the event of a crisis or conflict.” reads a report first seen by NBC News.

The report includes details on the tactics, techniques and procedures (TTPs) used by Salt Typhoon, along with guidance to help National Guard and state governments detect, prevent, and mitigate this threat.

cross-posted from: https://lemmy.sdf.org/post/38743139

Op-ed by Dr Ausma Bernot, Lecturer in Criminology at the School of Criminology and Criminal Justice at Griffith University.

[...]

Although security cameras make up only 5 percent of Enterprise Internet of Things (IoT) devices, they account for 33 percent of all security issues. Two Chinese suppliers – Hikvision and Dahua – dominate international markets.

[...]

The geopolitical misalignment between China and European countries adds urgency to the need to address these national security risks. This is because large Chinese manufacturers are supported by the Chinese government, and emergent evidence shows that 80 percent of sanctions circumventions against Russia are facilitated by China, with 80 percent of dual-use goods routed through China.

These vulnerabilities are a concern for individuals, enterprises, and government entities alike. Evidence of illegal camera hacking that we have available indicates that individuals are often targeted for personal or for-profit streaming of camera footage. Moreover, when surveillance cameras are installed in critical locations, such as federal or state government buildings, the likelihood of that location becoming a surveillance target increases.

[...]

There are three types of risks associated with surveillance cameras: targeted surveillance of individuals, national security risks, and exploitation of network security vulnerabilities. Unwanted individual surveillance most often occurs in the form of covert or overt hacking of individual cameras. Hacked cameras have been used to record and sell child exploitation material, as well as video recordings from gynecologists’ offices and locker rooms. Individual users should connect cameras to their own private networks and monitor the number of connected devices.

[...]

Numerous cases of surveillance camera exploitation have made it clear that these risks are well-documented. A few particularly alarming incidents highlight how these devices can be weaponized for foreign interference and surveillance of vulnerable populations.

[...]

Although cameras are devices that were created to enhance environmental security, they have now introduced new security concerns due to their technical shortcomings and social applications. Establishing robust security standards is essential for IP cameras used in government buildings, business premises, and individual homes. Against this background, the EU’s Cyber Resilience Act, which will place greater responsibility on manufacturers and distributors to produce and supply more secure devices, is a step in the right direction.

Hackers are exploiting DNS records as a covert channel to deliver and control malware while evading security defenses[^1]. In a recent discovery, attackers converted malware into hexadecimal code and split it across hundreds of DNS TXT records, allowing retrieval through seemingly innocent DNS queries[^2].

This technique transforms DNS into an unconventional file storage system, taking advantage of the fact that DNS traffic is rarely monitored closely by security tools[^3]. The malware is broken into chunks and stored in TXT records of subdomains, which are traditionally used for domain verification[^1].

Three key ways attackers abuse DNS:

  1. DNS Tunneling - Packaging malware and commands inside DNS queries to bypass firewalls[^4]
  2. Command & Control - Using DNS to establish covert communication channels with infected systems[^5]
  3. Data Exfiltration - Stealing sensitive data by encoding it in DNS requests[^4]

The threat is growing more sophisticated with encrypted DNS protocols like DoH (DNS over HTTPS) and DoT (DNS over TLS), which make detection even harder[^1]. According to Ian Campbell of DomainTools, "Even sophisticated organizations with their own in-network DNS resolvers have a hard time delineating authentic DNS traffic from anomalous requests"[^6].

Protection requires:

  • DNS traffic inspection and filtering
  • Monitoring for suspicious domain patterns
  • Analysis of DNS query volumes and behaviors
  • Implementation of DNS security extensions (DNSSEC)[^7]

[^1]: Ars Technica - Hackers exploit a blind spot by hiding malware inside DNS records

[^2]: Tom's Hardware - Malware found embedded in DNS

[^3]: Forward Technologies - Hackers Hide Malware in DNS Records

[^4]: APNIC Blog - DNS malware misuse and current countermeasures

[^5]: Palo Alto Networks - Real-world Examples Of Emerging DNS Attacks

[^6]: Techzine - Hackers misuse DNS for malware

[^7]: Control D - What Is DNS in Cybersecurity?
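
The post above describes hex-encoded chunks spread across TXT records and retrieved through ordinary-looking queries. The following is an added Python example, not code from the cited articles: it stages a constructed payload that way, reassembles it as a victim-side stager would, and runs a resolver-log heuristic that flags the retrieval pattern. The zone drop.example, the payload bytes, the client addresses and the log lines are all constructed; the thresholds (20 TXT queries, 80% counter/hex labels, entropy above 3.5 bits) are starting points, not tuned values.

```python
"""Added example (not code from the cited articles): stage a payload as hex
chunks in TXT records the way the articles describe, pull it back down by
querying those records in order, and run a simple heuristic over a resolver
query log to flag that retrieval pattern. The zone drop.example, the payload
bytes and the log lines are all constructed for this example."""
import math
import re
from collections import defaultdict

CHUNK_BYTES = 8                      # bytes of payload per TXT record (tiny, for illustration)
HEX_LABEL = re.compile(r"^[0-9a-f]{16,}$")


def stage_in_txt_records(payload: bytes, zone: str, chunk_bytes: int = CHUNK_BYTES) -> dict[str, str]:
    """Attacker side: hex-encode the payload and spread it over numbered TXT records
    (0.zone, 1.zone, ...) so each piece is fetched by an ordinary-looking TXT lookup."""
    hexed = payload.hex()
    step = chunk_bytes * 2           # two hex characters per payload byte
    return {f"{i}.{zone}": hexed[j:j + step] for i, j in enumerate(range(0, len(hexed), step))}


def reassemble_from_txt(records: dict[str, str], zone: str) -> bytes:
    """Victim side: resolve the numbered records in order and decode the joined hex.
    `records` stands in for the answers a real stager would get from the resolver."""
    names = sorted((n for n in records if n.endswith("." + zone)),
                   key=lambda n: int(n.split(".", 1)[0]))
    return bytes.fromhex("".join(records[n] for n in names))


def shannon_entropy(label: str) -> float:
    """Bits per character; hex or base32 blobs score high, words and short counters score low."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Crude zone grouping on the last two labels; production code would use a public-suffix list."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def flag_chunk_retrieval(log_lines, min_txt_queries: int = 20, min_chunky_ratio: float = 0.8) -> list[str]:
    """Resolver-log heuristic. Each line is constructed as 'timestamp client qname qtype'.
    A zone is flagged when it receives many TXT queries and most of them carry a leftmost
    label that is a counter or a hex/high-entropy blob: that is what sequential chunk
    retrieval looks like, and what SPF/DKIM/DMARC verification lookups do not."""
    per_zone = defaultdict(lambda: {"txt": 0, "chunky": 0})
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4 or parts[3] != "TXT":
            continue
        qname = parts[2]
        first = qname.rstrip(".").split(".")[0].lower()
        stats = per_zone[registered_domain(qname)]
        stats["txt"] += 1
        if first.isdigit() or HEX_LABEL.match(first) or shannon_entropy(first) > 3.5:
            stats["chunky"] += 1
    return sorted(zone for zone, s in per_zone.items()
                  if s["txt"] >= min_txt_queries and s["chunky"] / s["txt"] >= min_chunky_ratio)


# Constructed sample: a stager fetching 40 chunks, mixed with ordinary mail-related TXT lookups.
PAYLOAD = b"MZ\x90\x00" + b"constructed stand-in for a payload body"
RECORDS = stage_in_txt_records(PAYLOAD, "drop.example")
SAMPLE_LOG = [f"2025-07-15T10:00:{i:02d} 10.0.0.7 {i}.drop.example TXT" for i in range(40)] + [
    "2025-07-15T10:01:00 10.0.0.8 _dmarc.example.org TXT",
    "2025-07-15T10:01:01 10.0.0.8 example.org TXT",
    "2025-07-15T10:01:02 10.0.0.8 selector1._domainkey.example.org TXT",
    "2025-07-15T10:01:03 10.0.0.9 www.example.org A",
]

if __name__ == "__main__":
    assert reassemble_from_txt(RECORDS, "drop.example") == PAYLOAD
    print("records staged:", len(RECORDS))
    print("flagged zones:", flag_chunk_retrieval(SAMPLE_LOG))
```

The heuristic only works if the resolver log exists, which is the point of the DomainTools comment quoted above: once endpoints resolve over DoH or DoT to an external resolver, there is nothing to inspect. Forcing clients through an internal resolver and blocking direct DoH/DoT egress is the precondition for every item in the protection list.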

VLAI Hugging Face Set (discourse.ossbase.org)
submitted 3 months ago by cm0002@lemmy.world to c/cybersecurity

cross-posted from: https://lemmy.sdf.org/post/38677119

Indeed it was stupid for someone to send a large sensitive dataset over email. But what I find annoying is the lack of chatter about which email servers were compromised.

Was it Microsoft, considering probably 90+% of all gov agencies use it?

cross-posted from: https://lemmy.sdf.org/post/38660341

Microsoft is using engineers in China to help maintain the Defense Department’s computer systems — with minimal supervision by U.S. personnel — leaving some of the nation’s most sensitive data vulnerable to hacking from its leading cyber adversary, a ProPublica investigation has found.

The arrangement, which was critical to Microsoft winning the federal government’s cloud computing business a decade ago, relies on U.S. citizens with security clearances to oversee the work and serve as a barrier against espionage and sabotage.

But these workers, known as “digital escorts,” often lack the technical expertise to police foreign engineers with far more advanced skills, ProPublica found. Some are former military personnel with little coding experience who are paid barely more than minimum wage for the work.

[...]

“If I were an operative, I would look at that as an avenue for extremely valuable access. We need to be very concerned about that,” said Harry Coker, who was a senior executive at the CIA and the National Security Agency. Coker, who also was national cyber director during the Biden administration, added that he and his former intelligence community colleagues “would love to have had access like that.”

[...]

Over the years, various people involved in the work, including a Microsoft cybersecurity leader, warned the company that the arrangement is inherently risky, those people told ProPublica. Despite the presence of an escort, foreign engineers are privy to granular details about the federal cloud — the kind of information hackers could exploit. Moreover, the U.S. escorts overseeing these workers are ill equipped to spot suspicious activity, two of the people said.

[...]

Vulnerability-Lookup 2.13.0 (discourse.ossbase.org)
submitted 3 months ago by cm0002@lemmy.cafe to c/cybersecurity

cross-posted from: https://lemmy.sdf.org/post/38295658

The Czech Republic has banned the use of any products by the Chinese AI startup DeepSeek in state administration over cybersecurity concerns, authorities said Wednesday.

Czech Prime Minister Petr Fiala said the government acted after receiving a warning from the national cybersecurity watchdog, which noted a threat of unauthorized access to users’ data because the firm is obliged to cooperate with Chinese state authorities.

The move follows similar steps made by some other countries that aimed to protect users’ data, including Italy, which in January blocked access to the chatbot, and also Australia.

The Czech government in 2018 stopped using the hardware and software made by Chinese telecoms company Huawei and another Chinese telecommunications company, ZTE, after a warning they posed a security threat.

DeepSeek was founded in 2023 in Hangzhou, China, and released its first AI large language model later that year.

Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.

Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!

Vulnerability Report - June 2025 (www.vulnerability-lookup.org)
submitted 4 months ago by cm0002@lemmy.world to c/cybersecurity

Introduction

This vulnerability report has been generated using data aggregated on Vulnerability-Lookup, with contributions from the platform’s community.

It highlights the most frequently mentioned vulnerabilities for June 2025, based on sightings collected from various sources, including MISP, Exploit-DB, Bluesky, Mastodon, GitHub Gists, The Shadowserver Foundation, Nuclei, and more. For further details, please visit this page.

The final section focuses on exploitations observed through The Shadowserver Foundation's honeypot network.

The Month at a Glance

The June 2025 report highlights a mix of long-standing and newly identified high-risk vulnerabilities. Notably, Citrix disclosed a critical NetScaler ADC/Gateway flaw (CVE-2025-5777), dubbed “CitrixBleed 2,” which can expose session tokens and bypass multi-factor authentication — echoing last year’s infamous CitrixBleed. Other urgent issues include a PayU India WordPress plugin vulnerability (CVE-2025-31022) that allows full account takeover across thousands of sites, and a Python “tarfile” library bug (CVE-2025-4517) that enables attackers to write files outside intended directories. Among the most sighted vulnerabilities are multiple Microsoft Windows 10 and Google Chrome flaws, as well as several Citrix ADC bugs, many rated “High” or “Critical.” Common web weaknesses like cross-site scripting and SQL injection (CWE-79, CWE-89) remain widespread, highlighting the ongoing need for strong patching hygiene. Some older vulnerabilities — such as the 2015 D-Link DIR-645 flaw and known Confluence or Cisco RCE bugs — also continue to see active exploitation. Organizations should prioritize remediation of these critical and actively targeted vulnerabilities, while reinforcing application security against injection and XSS attacks.

Top 10 vulnerabilities of the Month

| Vulnerability | Vendor | Product | VLAI Severity |
| --- | --- | --- | --- |
| CVE-2025-33053 | Microsoft | Windows 10 Version 1809 | High |
| CVE-2025-49113 | Roundcube | Webmail | High |
| CVE-2025-5777 | NetScaler | ADC | Critical |
| CVE-2025-5419 | Google | Chrome | High |
| CVE-2025-2783 | Google | Chrome | High |
| CVE-2025-6019 | Red Hat | Red Hat Enterprise Linux 10 | Medium |
| CVE-2025-33073 | Microsoft | Windows 10 Version 1809 | High |
| CVE-2025-6543 | NetScaler | ADC | Critical |
| CVE-2015-2051 | D-Link | DIR-645 | Critical |
| CVE-2017-18368 | ZyXEL | P660HN-T1A | Critical |

Evolution of sightings per week

Top 10 Weaknesses of the Month

| CWE | Number of vulnerabilities |
| --- | --- |
| CWE-79 | 659 |
| CWE-89 | 411 |
| CWE-74 | 342 |
| CWE-119 | 190 |
| CWE-862 | 157 |
| CWE-352 | 157 |
| CWE-120 | 105 |
| CWE-94 | 94 |
| CWE-22 | 86 |
| CWE-98 | 74 |

Insights from Contributors

CitrixBleed 2
Citrix patched a critical vulnerability in its NetScaler ADC and NetScaler Gateway products that is already being compared to the infamous CitrixBleed flaw exploited by ransomware gangs and other cyber scum, although there haven't been any reports of active exploitation. Yet.

Security analyst Kevin Beaumont dubbed the vulnerability "CitrixBleed 2." As The Register's readers likely remember, that earlier flaw (CVE-2023-4966) allowed attackers to access a device's memory, find session tokens, and then use those to impersonate an authenticated user while bypassing multi-factor authentication — which is also possible with this new bug.

GCVE-1-2025-0002: Cl0p Ransomware Data Exfiltration Vulnerable to RCE Attacks
A newly identified security vulnerability in the Cl0p ransomware group’s data exfiltration utility has exposed a critical remote code execution (RCE) flaw that security researchers and rival threat actors could potentially exploit.

The vulnerability, designated as GCVE-1-2025-0002, was published on July 1, 2025, and carries a high severity rating of 8.9 on the CVSS:4.0 scale.

Stuxnet-related CVEs

CVE-2025-31022: More details about PayU wordpress extension
"This can be abused by a malicious actor to perform action which normally should only be able to be executed by higher privileged users. These actions might allow the malicious actor to gain admin access to the website."

CVE-2025-4517: Additional information
RISK: Multiple vulnerabilities affect the standard TarFile library for CPython. Currently, there is no indication that the vulnerability is actively exploited, but because it is a zero-day with a substantial install base, attackers can exploit it at any moment. An attacker could exploit flaws to bypass safety checks when extracting compressed files, allowing them to write files outside intended directories, create malicious links, or tamper with system files even when protections are supposedly enabled. Successful exploitation could lead to unauthorised access, data corruption, or malware installation, especially if your systems or third-party tools handle untrusted file uploads or archives.
RECOMMENDED ACTION: Patch
Source: ccb.be

Continuous Exploitation

Thank you

Thank you to all the contributors and our diverse sources!

If you want to contribute to the next report, you can create your account.

Feedback and Support

If you have suggestions, please feel free to open a ticket on our GitHub repository. Your feedback is invaluable to us!
https://github.com/vulnerability-lookup/vulnerability-lookup/issues/
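
The CVE-2025-4517 entry above describes extraction paths that escape the destination and malicious links. The block below is an added Python example, not code from the report, from ccb.be or from CPython: an independent audit of tar members before extraction that catches escaping paths, symlinks and hard links pointing outside the destination, and a file written through a directory that an earlier member turned into a symlink. The archive, its member names and the destination /srv/extract are constructed for the example; nothing touches the filesystem.

```python
"""Added example, not code from the report or from CPython: an independent
pre-extraction audit of tar members for the conditions CVE-2025-4517 is about,
paths that land outside the destination and links that point outside it,
including a file written through a directory that an earlier member turned into
a symlink. The archive is built in memory from constructed members; nothing is
written to disk, and the destination directory does not need to exist."""
import io
import os
import tarfile
from pathlib import PurePosixPath


def regular_member(name: str, data: bytes) -> tarfile.TarInfo:
    info = tarfile.TarInfo(name)
    info.size = len(data)
    return info


def link_member(name: str, target: str, kind: bytes) -> tarfile.TarInfo:
    info = tarfile.TarInfo(name)
    info.type = kind            # tarfile.SYMTYPE or tarfile.LNKTYPE
    info.linkname = target
    return info


def build_constructed_archive() -> bytes:
    """One benign file plus the member shapes an attacker plants. Constructed sample."""
    data = b"hello\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        tar.addfile(regular_member("docs/readme.txt", data), io.BytesIO(data))
        tar.addfile(regular_member("../outside.txt", data), io.BytesIO(data))        # traversal
        tar.addfile(regular_member("/etc/cron.d/planted", data), io.BytesIO(data))   # absolute path
        tar.addfile(link_member("docs/passwd", "/etc/passwd", tarfile.SYMTYPE))      # symlink out
        tar.addfile(link_member("docs/shadow", "../../etc/shadow", tarfile.LNKTYPE)) # hard link out
        tar.addfile(link_member("docs/link", "/tmp", tarfile.SYMTYPE))               # symlinked dir...
        tar.addfile(regular_member("docs/link/planted", data), io.BytesIO(data))     # ...then a write through it
    return buf.getvalue()


def path_inside(dest_abs: str, candidate: str) -> bool:
    """True if `candidate` (relative to dest, or absolute) normalises to a path under dest.
    Pure string logic: no filesystem access, so what is already on disk cannot fool it."""
    full = os.path.normpath(os.path.join(dest_abs, candidate))
    return os.path.commonpath([dest_abs, full]) == dest_abs


def unsafe_members(archive: bytes, dest: str) -> list[tuple[str, str]]:
    """Return (member name, reason) for every member that must not be extracted into dest."""
    dest_abs = os.path.abspath(dest)
    symlinks: set[str] = set()      # normalised names of symlink members seen so far
    problems: list[tuple[str, str]] = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for m in tar.getmembers():
            norm = os.path.normpath(m.name)
            if not path_inside(dest_abs, m.name):
                problems.append((m.name, "path escapes destination"))
                continue
            if any(str(p) in symlinks for p in PurePosixPath(norm).parents):
                problems.append((m.name, "path passes through a symlinked directory"))
                continue
            if m.issym():
                # A symlink target is relative to the link's own directory, not the archive root.
                target = m.linkname if os.path.isabs(m.linkname) else os.path.join(
                    os.path.dirname(m.name), m.linkname)
                symlinks.add(norm)
                if not path_inside(dest_abs, target):
                    problems.append((m.name, "symlink points outside destination"))
            elif m.islnk():
                # A hard link target is a path relative to the archive root.
                if not path_inside(dest_abs, m.linkname):
                    problems.append((m.name, "hard link targets outside destination"))
    return problems


def safe_extract(archive: bytes, dest: str) -> None:
    """Refuse the whole archive if any member fails the audit, then extract with the stdlib
    'data' filter as a second layer (filter= exists in 3.12 and in the security backports)."""
    problems = unsafe_members(archive, dest)
    if problems:
        raise ValueError(f"refusing to extract into {dest}: {problems}")
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        tar.extractall(dest, filter="data")


if __name__ == "__main__":
    for name, reason in unsafe_members(build_constructed_archive(), "/srv/extract"):
        print(f"{name!r}: {reason}")
```

This is defence in depth, not a substitute for the patch. The stdlib's own mitigation is the `filter="data"` argument to `extractall` (Python 3.12, backported to 3.8.17, 3.9.17, 3.10.12 and 3.11.4), and the entry above is about that kind of protection being bypassed, so update the interpreter and keep an audit like this one in front of any code path that extracts untrusted archives.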

cross-posted from: https://lemmy.sdf.org/post/37950350

  • [Security firm] Silent Push Threat Analysts followed a tip from Mexican journalist Ignacio Gómez Villaseñor about a threat actor targeting “Hot Sale 2025,” an annual sales event similar to “Black Friday” in the U.S.
  • The team pivoted from that Mexico-centric campaign into thousands of websites that broadly targeted a more global audience with abundant waves of fake marketplace scams.
  • We identified a private technical fingerprint associated with this infrastructure, which contains Chinese words and characters to strongly indicate that the developers of this network are from China.
  • Our analysts observed this threat actor group building multiple phishing websites with pages spoofing well-known retailers, including Apple, Harbor Freight Tools, Michael Kors, REI, Wayfair, and Wrangler Jeans.
  • The threat actor has also been caught abusing online payment services, including MasterCard, PayPal, and Visa, as well as payment security techniques such as Google Pay, across the campaign’s network of scam websites.

[...]
