cybersecurity


An umbrella community for all things cybersecurity / infosec. News, research and questions are all welcome!


Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!


We’re delighted to announce the release of Vulnerability-Lookup 2.16.0 — packed with exciting new features!

Screenshots (not reproduced here): Screencast, Statistics page, Search page

What's New

Backend

  • Introduced source-scoped kvrocks counters and source-scoped sorted indexes for vulnerability advisories by state (published, updated, reserved). (#211, PR #215)
    Examples of newly available queries:

    • GET published:count:github:2025-09
    • ZREVRANGE index:csaf_certbund:published 0 9 WITHSCORES
    • ZREVRANGE vendors:ranking:2025-08 0 9 WITHSCORES
  • Added feeders for CERT-FR Avis and CERT-FR Alerte. (b99291f)

API

The Stats API endpoint now delivers statistics on CVE publications, with filters available by source, date, and advisory state. These new endpoints leverage the new indexes provided by the kvrocks backend. The result can be returned as JSON (default) or Markdown table. (0d153ed)

Frontend

  • Added a new public statistics page displaying various insights on CVE publications. This new page features several interactive charts powered by the new Stats API endpoints. (0d153ed, c842876)

  • Added XSLT support for various RSS/Atom feeds. The XSLT is injected immediately after feed generation, before delivery to the user. (241c6ca)

Migration Notes

  • To reset the indexes, you can execute bin/index_vulnerabilities.py, which uses various reindexing utilities. Note that this deletes the existing indexes and counters. Alternatively, you can rerun the appropriate feeder with the --reimport parameter.

Changes

  • Improved search page: (82b9f95, f9f5c58)

    • Filtering on sources, vendors, and products.
    • Sorting based on advisory state (reserved, published, updated) and order (ascending/descending).
    • Displaying all vulnerabilities related to a vendor with pagination (without specifying a product).
  • Improved recent page: vulnerabilities from multiple sources can now be sorted by publication or update date. (df1e472c)

  • Improved admin dashboard for user management. (#221)

  • Improved Vulnerability API endpoint: The GET List endpoint now provides more advanced filtering by source and advisory state. (0d153ed)

  • Various improvements related to the vulnerability description pages.

Fixes

  • NDJSON data dumps: fixed an issue where dumps did not actually contain newlines. (#218)
  • Prevent reimport of already ingested vulnerabilities from flaky CSAF sources. (#1848619)

Changelog

📂 For the full list of changes, check the GitHub release:
https://github.com/vulnerability-lookup/vulnerability-lookup/releases/tag/v2.16.0

🙏 A big thank you to all contributors and testers!

Feedback and Support

If you find any issues or have suggestions, please open a ticket on our GitHub repository:
https://github.com/vulnerability-lookup/vulnerability-lookup/issues/
We appreciate your feedback!

Follow Us on Fediverse/Mastodon

Stay updated on security advisories in real-time by following us on Mastodon:
https://social.circl.lu/@vulnerability_lookup/


cross-posted from: https://lemmy.sdf.org/post/42496551

Original report (pdf, only in German language available)

  • Damage caused by data theft, industrial espionage and sabotage increased to 289.2 billion euros in Germany over the last 12 months; 9 in 10 companies (87%) were affected
  • The largest part of the 289.2 billion euros in damages reported by the 1,002 companies polled came from concrete production losses or theft, but legal and remediation costs were also substantial
  • Cyberattacks: Almost three out of four companies register increase in attacks

[...]

The survey by German industry group Bitkom found that almost half of all companies that could identify the sources of attacks had traced them to Russia and China, while about a quarter traced them to other European Union countries or the United States.

In detail, of the companies affected, 46 percent detected at least one attack from Russia (2024: 39 percent), and as many from China (2024: 45 percent). Attacks were also traced to Eastern Europe outside the EU (31 percent, 2024: 32 percent), the USA (24 percent, 2024: 25 percent), EU countries (22 percent, 2024: 21 percent) and Germany (21 percent, 2024: 20 percent).

[...]


cross-posted from: https://lemmy.blahaj.zone/post/31922513

cross-posted from: https://lemmy.blahaj.zone/post/31922512

I recently picked up an older but perfectly adequate HP Z Book Firefly with a built-in smart card reader and I'm wondering what possible use is this little bit of tech? Can I, like, auth with my credit card or whatever? (mostly joking, I briefly looked at the PAM config for that and prefer my current hobbies lol)


Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.


HUMAN Security's Satori team has uncovered "SlopAds," a sophisticated ad fraud operation involving 224 Android apps downloaded over 38 million times across 228 countries[^1]. The apps use steganography to hide malicious code within PNG files and create hidden WebViews to generate fraudulent ad impressions and clicks[^1].

Key findings:

  • Generated 2.3 billion daily bid requests at peak
  • Heaviest traffic from US (30%), India (10%), and Brazil (7%)
  • Only activated fraud for downloads traced to threat actor ad campaigns
  • Used attribution tools and multiple layers of obfuscation to avoid detection
  • Operated through extensive network of command-and-control servers

Google has removed the identified apps and enabled Google Play Protect warnings to block future installations[^1]. HUMAN's Ad Fraud Defense and Ad Click Defense customers are protected from SlopAds' impact[^1].

[^1]: HUMAN Security - Satori Threat Intelligence Alert: SlopAds Covers Fraud with Layers of Obfuscation

App list Domain list


cross-posted from: https://lemmy.sdf.org/post/42362500

Archived

  • Poland is increasing its cyber security budget to a record €1bn this year, after Russian sabotage attempts targeted hospitals and urban water supplies

  • Dariusz Standerski, deputy minister for digital affairs, told the Financial Times that #Poland was facing between 20 and 50 attempts to damage critical infrastructure every day, most of which are thwarted

  • In those cases, attackers reportedly managed to breach digital records and gain access to sensitive medical data. Analysts warned that even short-term disruptions in healthcare could have dangerous consequences for patient safety, while data theft raised questions about long-term privacy risks.


cross-posted from: https://lemmy.sdf.org/post/42301965

Archived

A Chinese APT group compromised a Philippine military company using a new, fileless malware framework called EggStreme. This multi-stage toolset achieves persistent, low-profile espionage by injecting malicious code directly into memory and leveraging DLL sideloading to execute payloads. The core component, EggStremeAgent, is a full-featured backdoor that enables extensive system reconnaissance, lateral movement, and data theft via an injected keylogger.

[Edit typo.]


Introduction

This vulnerability report has been generated using data aggregated on Vulnerability-Lookup, with contributions from the platform’s community.

It highlights the most frequently mentioned vulnerabilities for August 2025, based on sightings collected from various sources, including MISP, Exploit-DB, Bluesky, Mastodon, GitHub Gists, The Shadowserver Foundation, Nuclei, and more. For further details, please visit this page.

The Month at a Glance

August 2025 saw continued activity across a range of products and vendors, with WinRAR, Microsoft Exchange (the previous month highlighted Microsoft SharePoint), and NetScaler ADC leading the sightings. Notably, several critical vulnerabilities were actively exploited, including NetScaler ADC (CVE-2025-6543 and CVE-2025-5777) and FortiSIEM (CVE-2025-25256).

Web applications remain a frequent target, with cross-site scripting (CWE-79) and SQL injection (CWE-89) dominating the weakness landscape. The report also highlights unpublished vulnerabilities that attracted attention, suggesting ongoing targeted exploitation and zero-day activity.

Overall, the month emphasizes the importance of timely patching, monitoring for continuous exploitation, and vigilance against both well-known and emerging threats.

Top 10 Vulnerabilities of the Month

| Vulnerability | Sighting Count | Vendor | Product | VLAI Severity |
| --- | --- | --- | --- | --- |
| CVE-2025-8088 | 193 | win.rar GmbH | WinRAR | High (confidence: 0.9824) |
| CVE-2025-53786 | 175 | Microsoft | Microsoft Exchange Server Subscription Edition RTM | High (confidence: 0.8193) |
| CVE-2025-43300 | 128 | Apple | macOS | Medium (confidence: 0.4233) |
| CVE-2025-6543 | 111 | | NetScaler ADC | Critical (confidence: 0.9614) |
| CVE-2025-25256 | 79 | Fortinet | FortiSIEM | Critical (confidence: 0.6508) |
| CVE-2025-9074 | 65 | Docker | Docker Desktop | Critical (confidence: 0.8172) |
| CVE-2015-2051 | 62 | dlink | dir-645 | Critical (confidence: 0.54) |
| CVE-2017-18368 | 61 | zyxel | p660hn-t1a_v2 | Critical (confidence: 0.9298) |
| CVE-2025-31324 | 59 | SAP_SE | SAP NetWeaver (Visual Composer development server) | Critical (confidence: 0.9607) |
| CVE-2025-5777 | 52 | | NetScaler ADC | Critical (confidence: 0.964) |

Top 10 Weaknesses of the Month

| CWE | Count |
| --- | --- |
| CWE-79 | 639 |
| CWE-89 | 374 |
| CWE-74 | 282 |
| CWE-94 | 236 |
| CWE-121 | 206 |
| CWE-78 | 165 |
| CWE-416 | 157 |
| CWE-122 | 157 |
| CWE-119 | 150 |
| CWE-22 | 140 |

Most wanted vulnerabilities

Sightings detected between 2025-08-01 and 2025-08-31 that are associated with unpublished vulnerabilities.

| Vulnerability ID | Occurrences | Comment |
| --- | --- | --- |
| CVE-2023-42344 | 8 | OpenCMS |
| CVE-2024-28080 | 4 | Gitblit |
| GHSA-42m8-jxr4-976p | 2 | Wildermyth |
| CVE-2025-9040 | 2 | Workhorse - bundle |
| CVE-2025-9037 | 2 | Workhorse - bundle |

Unpublished vulnerabilities with limited sightings:

| Vulnerability ID | Occurrences |
| --- | --- |
| CVE-2023-34918 | 1 |
| CVE-2025-55117 | 1 |
| CVE-2025-14553 | 1 |
| CVE-2024-55177 | 1 |
| GHSA-5pm9-r2m8-rcmj | 1 |
| GHSA-m42g-xg4c-5f3h | 1 |
| GHSA-64qc-9x89-rx5j | 1 |
| CVE-2025-7719 | 1 |
| GHSA-c2gv-xgf5-5cc2 | 1 |
| CVE-2025-55616 | 1 |
| CVE-2025-57497 | 1 |
| CVE-2025-25964 | 1 |
| CVE-2024-545078 | 1 |
| CVE-2025-25987 | 1 |
| CVE-2025-1272 | 1 |
| CVE-2025-21589 | 1 |
| CVE-2025-26517 | 1 |
| CVE-2025-9141 | 1 |
| GHSA-wrh9-463x-7wvv | 1 |
| CVE-2024-46507 | 1 |
| CVE-2025-54321 | 1 |
| CVE-2025-31143 | 1 |
| CVE-2025-31646 | 1 |
| CVE-2025-27564 | 1 |
| GHSA-r4mf-mr9h-f27m | 1 |

Continuous Exploitation

  • CVE-2023-42344 - OpenCMS (also in the "Most wanted vulnerabilities" section)
  • CVE-2015-2051 - D-Link DIR-645 - Sightings from MISP and Shadowserver
  • CVE-2025-5777 - NetScaler ADC - Sightings from Shadowserver and many more.

Insights from Contributors

NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2025-7775, CVE-2025-7776 and CVE-2025-8424

Multiple vulnerabilities have been discovered in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). Refer below for further details.

More information

Citrix forgot to tell you CVE-2025-6543 has been used as a zero day since May 2025

Back in late June, Citrix posted a patch for CVE-2025-6543, which they described as “Memory overflow vulnerability leading to unintended control flow and Denial of Service”. Denial of service? Piff the magic dragon, who cares.

No technical details were ever published about the vulnerability. That changes today.

What they forgot to tell you: it allows remote code execution, it was used to widely compromise NetScaler remote access systems and maintain network access even after patching, webshells have been deployed, and Citrix knew this and just didn’t mention it.

More information

Cache Me If You Can (Sitecore Experience Platform Cache Poisoning to RCE)

The vulnerability affects Sitecore Experience Platform, a widely used Content Management System (CMS). The issue is a cache poisoning attack, which means an attacker can trick the system into storing malicious data in its cache. Later, when the system serves cached content, it unknowingly executes this malicious content.

In this specific case, the cache poisoning can escalate to remote code execution (RCE), meaning the attacker could run arbitrary code on the server, potentially taking full control of the website and the underlying system.

More information

Thank you

Thank you to all the contributors and our diverse sources!

If you want to contribute to the next report, you can create your account.

Feedback and Support

If you have suggestions, please feel free to open a ticket on our GitHub repository. Your feedback is invaluable to us!
https://github.com/vulnerability-lookup/vulnerability-lookup/issues/


cross-posted from: https://scribe.disroot.org/post/4501921

China has exported its village surveillance model to the Solomon Islands in the Pacific, where Chinese police are piloting fingerprint and data collection to curb social unrest, officials and locals confirmed.

...

China's "Fengqiao" monitoring model -- started under Mao Zedong in the 1960s to help communities mobilise against reactionary "class enemies" -- has been reinvigorated by Chinese President Xi Jinping to ensure stability in local communities.

In the Solomon Islands, a security partner of Beijing, Chinese police have visited several villages this year promoting the Fengqiao concept, familiarising children with surveillance drones by playing games, pictures posted to social media by Solomon Islands police show.

...

A community leader in the Solomon Islands, Andrew Nihopara, confirmed to Reuters that the village of Fighter 1 on the fringe of the capital Honiara had begun working with the Chinese police on a Fengqiao pilot, but declined to comment further.

The Royal Solomon Islands Police Force said in a statement this month the Fengqiao model of "grassroots governance" in Fighter 1 would collect population data to improve security.

Chinese police had introduced residents to population management, household registration, community mapping, and the collection of fingerprints and palm prints, the statement said.

“The Fighter One community is the first attempt, and it will be expanded to a larger area across the country in the future,” the statement quoted Chinese police inspector Lin Jiamu as saying, explaining the initiative would enhance safety.

The move has stirred human rights concerns.

...


cross-posted from: https://lemmy.sdf.org/post/42077068

  • Nokia CEO urges Europe to consider banning Huawei and ZTE over security concerns and European vendors' shrinking market share in China
  • Nokia, along with Ericsson, has faced significant barriers in China, where authorities have reportedly told Nordic vendors that they will be excluded on national security grounds
  • European operators still rely heavily on Huawei, raising geopolitical and security concerns
  • Huawei has already been banned or restricted from supplying 5G equipment to 10 European Union (EU) countries, as well as the U.K.
  • Most recently, both Huawei and ZTE components were barred from 5G networks in Germany

Archived

“Why do we [Europeans] allow high-risk vendors in Europe when we have less than 3% of the market share in China?” Hotard questioned. “European operators should provide European vendors with the same opportunities that Chinese companies receive at home,” said Nokia CEO Justin Hotard.

[...]

The CEO’s remarks come amid mounting geopolitical tensions and growing scrutiny of Chinese telecom equipment in Europe, where several countries have already imposed partial or full bans on Huawei and ZTE products.

[...]


Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.


We have recently experienced a security incident that may potentially involve your Plex account information. We believe the actual impact of this incident is limited; however, action is required from you to ensure your account remains secure.


At least 18 popular JavaScript code packages that are collectively downloaded more than two billion times each week were briefly compromised with malicious software today, after a developer involved in maintaining the projects was phished. The attack appears to have been quickly contained and was narrowly focused on stealing cryptocurrency. But experts warn that a similar attack with a slightly more nefarious payload could quickly lead to a disruptive malware outbreak that is far more difficult to detect and restrain.

https://krebsonsecurity.com/2025/09/18-popular-code-packages-hacked-rigged-to-steal-crypto/

The story includes perspectives from @GossiTheDog, who has been following this saga all day today with updates here:

https://cyberplace.social/@GossiTheDog/115169881407789957

Also comment and information from Josh Junon, who quickly replied that he was aware of having just been phished:

https://news.ycombinator.com/item?id=45169794

For an impact assessment, consider that 2 billion downloads per week translates to 24 million downloads in two hours.
