
Magento Stores Attacked 🧲, Transitioning Static Secrets 🤫, Canada Fines Cryptomus $176M 💰


TLDR

Together With Sublime Security

TLDR Information Security 2025-10-24

On the hunt for a new job? Scammers have you in their sights. (Sponsor)

Scammers increase their odds by going after people when they are at their most vulnerable. This makes job seekers a perfect target for offers that are too good to be true. The easiest way to keep yourself safe is by knowing the signs of a scam and having an email security solution – like Sublime – that keeps them out of your inbox. You can't be fooled by a message you never see. Learn about a recent Google Careers scam with convincing brand imitation and indications of attack iteration, both signals of cutting-edge attacks.

Read more on the Sublime Security blog

🔓

Attacks & Vulnerabilities

Over 250 Magento Stores Hit Overnight as Hackers Exploit New Adobe Commerce Flaw (2 minute read)

Threat actors are actively exploiting CVE-2025-54236 (SessionReaper, CVSS 9.1), a critical nested deserialization vulnerability in Adobe Commerce and Magento that enables remote code execution and customer account takeover via the Commerce REST API, with over 250 attacks recorded in 24 hours. Attackers from five known IP addresses are deploying PHP webshells through '/customer/address_file/upload' and probing phpinfo, while 62% of Magento stores remain unpatched six weeks after Adobe's fix was released. Security teams must immediately patch all Adobe Commerce and Magento instances, block the listed attacker IPs (34.227.25.4, 44.212.43.34, 54.205.171.35, 155.117.84.134, and 159.89.12.166), and monitor for unauthorized file uploads, as this is the second critical deserialization flaw in these platforms within two years following CosmicSting (CVE-2024-34102).

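
As an added example (not code from the article or from the researchers it cites), the Python snippet below turns the indicators listed above into a simple detection pass over web-server access logs: it flags the five attacker IPs, POST requests to the '/customer/address_file/upload' endpoint, and phpinfo probes, and groups the hits by reason so each can be counted or alerted on. The log lines are constructed samples in common log format; the documentation addresses 203.0.113.10 and 198.51.100.7 stand in for ordinary clients.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Indicators taken from the write-up above: five attacker IPs and the
# endpoint used to drop PHP webshells.
ATTACKER_IPS = {
    "34.227.25.4", "44.212.43.34", "54.205.171.35",
    "155.117.84.134", "159.89.12.166",
}
UPLOAD_PATH = "/customer/address_file/upload"

# Common log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


@dataclass(frozen=True)
class Finding:
    ip: str
    reason: str
    line: str


def analyze(line: str) -> list[Finding]:
    """Return every indicator a single access-log line matches (possibly none)."""
    m = LOG_RE.match(line)
    if not m:
        return []  # unparseable line: skip it rather than crash the pipeline
    ip, method = m["ip"], m["method"]
    path = m["path"].split("?", 1)[0]  # ignore the query string when matching paths
    findings: list[Finding] = []
    if ip in ATTACKER_IPS:
        findings.append(Finding(ip, "known attacker IP", line))
    if method == "POST" and path.startswith(UPLOAD_PATH):
        findings.append(Finding(ip, "upload to address_file endpoint", line))
    if "phpinfo" in path.lower():
        findings.append(Finding(ip, "phpinfo probe", line))
    return findings


def scan(log_text: str) -> dict[str, list[Finding]]:
    """Group findings by reason so each indicator can be counted and alerted on."""
    grouped: dict[str, list[Finding]] = {}
    for line in log_text.splitlines():
        for f in analyze(line):
            grouped.setdefault(f.reason, []).append(f)
    return grouped


# Constructed sample log: two benign requests, one attacker upload, one probe.
SAMPLE_LOG = """\
203.0.113.10 - - [23/Oct/2025:10:01:02 +0000] "GET /catalog/product/view/id/42 HTTP/1.1" 200 5120
34.227.25.4 - - [23/Oct/2025:10:02:15 +0000] "POST /customer/address_file/upload HTTP/1.1" 200 312
198.51.100.7 - - [23/Oct/2025:10:03:40 +0000] "GET /phpinfo.php HTTP/1.1" 404 210
203.0.113.10 - - [23/Oct/2025:10:04:01 +0000] "POST /rest/V1/guest-carts HTTP/1.1" 200 88
"""

if __name__ == "__main__":
    for reason, hits in scan(SAMPLE_LOG).items():
        print(f"{reason}: {len(hits)} hit(s)")
        for hit in hits:
            print("   ", hit.line)
```

The upload-endpoint rule fires on the request regardless of source address, which is the point: once the attacker IP list goes stale, the endpoint and phpinfo rules still catch the behaviour the article describes.
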
Critical MCP Server Flaw Exposes Over 3K Servers and Thousands of API Keys (2 minute read)

Security researchers discovered a critical path traversal vulnerability in Smithery.ai, a popular MCP server hosting service: the dockerBuildPath configuration value could be manipulated to read files outside of their own project. Using this vulnerability, the researchers found a fly.io API token that granted root access to more than 3k applications.

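
The root cause described above, a configuration value used as a filesystem path without checking where it ends up, has a standard defensive fix: canonicalise the path and require that it stays under the project directory. The function below is an added example, not Smithery.ai's code; the project root it uses is a hypothetical path, and the check is generic to any user-controlled path setting, not only dockerBuildPath.

```python
import os


class PathTraversalError(ValueError):
    """Raised when a configured path would escape the project directory."""


def safe_build_path(project_root: str, build_path: str) -> str:
    """Resolve a user-supplied path and refuse it unless it stays inside project_root.

    Both sides are canonicalised with realpath so '..' segments and symlinks are
    collapsed before the comparison. os.path.join discards the root entirely when
    build_path is absolute, which is exactly why the containment check is needed.
    """
    root = os.path.realpath(project_root)
    candidate = os.path.realpath(os.path.join(root, build_path))
    # commonpath returns the shared directory prefix; a sibling such as
    # /srv/projects/demo-evil shares only /srv/projects with the root, so a
    # plain string-prefix test would not be enough.
    if os.path.commonpath([root, candidate]) != root:
        raise PathTraversalError(f"{build_path!r} resolves outside {root}")
    return candidate


def is_contained(project_root: str, build_path: str) -> bool:
    """Boolean form of the same check, convenient in a config validation layer."""
    try:
        safe_build_path(project_root, build_path)
    except PathTraversalError:
        return False
    return True


if __name__ == "__main__":
    root = "/srv/projects/demo"  # hypothetical project directory
    for value in ["docker", "sub/../docker", "../other/Dockerfile",
                  "/etc/passwd", "docker/../../..", "../demo-evil/x"]:
        verdict = "ok" if is_contained(root, value) else "rejected"
        print(f"{value!r:24} -> {verdict}")
```

Run the check at the point where the configuration is read, before the value reaches anything that opens files or is handed to a build tool; validating later, after a build context has already been assembled, is too late.
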
LG Uplus Reports Suspected Data Breach, Claims Active Response to "Hacking" (1 minute read)

LG Uplus, one of South Korea's major mobile carriers, reported a data breach. The announcement follows a report from Phrack that a threat actor infiltrated LG Uplus' internal network and seized data from nearly 9k servers, including data of 42,256 accounts and 167 employees.

🧠

Strategies & Tactics

Why Organizations Are Abandoning Static Secrets for Managed Identities (3 minute read)

Organizations are transitioning from static secrets (API keys, passwords, and tokens) to managed identities, achieving a 95% reduction in credential management time and a 75% reduction in learning platform-specific authentication. Major cloud providers (AWS IAM Roles, Azure Managed Identities, and GCP Service Accounts) now offer automated, short-lived credential provisioning that eliminates manual rotation and leakage risks. However, legacy systems and third-party APIs still require traditional secret management. Security teams should prioritize discovering existing credentials using NHI (Non-Human Identity) platforms before migration, aiming to reduce their secret footprint by 70-80% while maintaining robust secret management for remaining use cases.

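
The discovery step the article recommends, inventorying static credentials before migrating to managed identities, can start with a scanner over configuration files. The snippet below is an added example rather than code from the article or from any NHI platform: it flags AWS access key IDs and generic key/secret/password/token assignments, skips values that are environment or vault references, and leaves identity-based settings such as a role ARN alone, so the resulting report separates what still needs migrating from what already uses an identity. The config text is constructed; the AKIA... key is AWS's published example value, not a live credential.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# AWS access key IDs have a fixed, recognisable shape: 'AKIA' + 16 characters.
AWS_KEY_ID_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# Generic "<anything>secret/password/token/api_key = value" assignments.
GENERIC_RE = re.compile(
    r"^\s*(?P<key>[A-Za-z0-9_.-]*(?:api[_-]?key|secret|password|passwd|token)"
    r"[A-Za-z0-9_.-]*)\s*[:=]\s*['\"]?(?P<value>[^\s'\"]{8,})",
    re.IGNORECASE,
)
KEY_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*[:=]")
# Values that are references to a secret store, not the secret itself.
REFERENCE_PREFIXES = ("${", "<", "vault:", "secretsmanager:")


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    key: str
    preview: str  # redacted: never echo the full secret into a report


def _redact(value: str) -> str:
    return f"{value[:4]}...({len(value)} chars)"


def scan_config(text: str) -> list[Finding]:
    """Return one Finding per line that carries a static credential."""
    findings: list[Finding] = []
    for n, line in enumerate(text.splitlines(), start=1):
        km = KEY_RE.match(line)
        key = km.group(1) if km else ""
        m = AWS_KEY_ID_RE.search(line)
        if m:
            findings.append(Finding(n, "aws_access_key_id", key, _redact(m.group(0))))
            continue  # one finding per line is enough for an inventory
        m = GENERIC_RE.match(line)
        if m and not m["value"].startswith(REFERENCE_PREFIXES):
            findings.append(Finding(n, "generic_secret", m["key"], _redact(m["value"])))
    return findings


def footprint_report(findings: list[Finding]) -> dict[str, int]:
    """Count static secrets by kind; this is the 'secret footprint' to shrink."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample config mixing static secrets, a vault reference and a role.
SAMPLE_CONFIG = """\
[service-a]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
[service-b]
role_arn = arn:aws:iam::123456789012:role/service-b-runtime
[service-c]
api_key = ${VAULT_API_KEY}
db_password: hunter2hunter2
"""

if __name__ == "__main__":
    found = scan_config(SAMPLE_CONFIG)
    for f in found:
        print(f"line {f.line_no}: {f.kind:18} {f.key} = {f.preview}")
    print("footprint:", footprint_report(found))
```

Service-b produces no finding because a role ARN is an identity, not a secret; service-c's api_key is skipped because the value is a reference resolved at runtime. Those two are the target state; the three remaining findings are the migration backlog.
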
Modding And Distributing Mobile Apps with Frida (6 minute read)

Frida enables powerful mobile app modifications by injecting custom agents into running processes. However, distributing these modifications for use by others—especially on non-rooted Android devices—requires embedding Frida's gadget library directly inside the APK. Using a demo app, this post walks through preparing an agent script that always rolls a 'one' in a dice app, compiling it, and patching the APK to include Frida's gadget for autonomous script execution.

Collecting iPhone Unified Logs Via MacOS (4 minute read)

Unified logs are a forensic resource for iOS that include granular background activity that can't be obtained from any other forensic artifact. The logs can be collected manually on a Mac via libimobiledevice or automatically using a script written by the author. The author provides suggestions for commercial and open-source tools to read the resulting .logarchive, a structured bundle containing binary .tracev3 files.

🧑‍💻

Launches & Tools

Save $345 on Gartner IAM Summit 2025 (Sponsor)

Join IAM and cyber experts at Gartner IAM Summit 2025. With 80+ expert-led sessions on everything from agentic AI to IAM data management, this is your chance to make career-building connections with global pros. Plus, secure a 1:1 with a Gartner expert to get guidance tailored to your challenges. >> Use code IAM20P3 to save $345 on the standard rate.

ssh-audit (GitHub Repo)

ssh-audit is an open-source Python tool that audits SSH server and client configurations by analyzing cryptographic algorithms, key exchanges, host keys, ciphers, and MACs against security best practices, with support for policy compliance testing and vulnerability detection, including Terrapin (CVE-2023-48795) and DHEat (CVE-2002-20001). The tool provides comprehensive analysis, including RSA/DH key length testing, algorithm recommendations, multi-threaded scanning, and built-in hardening guides for OpenSSH, Ubuntu, Debian, and Rocky Linux platforms. It now flags SHA-1 algorithms as failures, warns about quantum computing resistance, and includes built-in policies accessible via -L/--list-policies with custom policy creation via -M/--make-policy.

Keycard (Product Launch)

Keycard provides an identity and access management platform for AI agents, enabling organizations to assign, track, and control AI agent permissions using cryptography, dynamic tokens, and runtime contextual access policies for secure, scalable agent deployment and visibility.

SafeLine (GitHub Repo)

SafeLine is a self-hosted Web Application Firewall (WAF)/reverse proxy that protects web apps from attacks and exploits.

🎁

Miscellaneous

Meta boosts scam protection on WhatsApp and Messenger (2 minute read)

Meta introduced enhanced scam protections for WhatsApp and Messenger, including screen-sharing warnings during video calls with unknown contacts and on-device behavioral analysis to flag suspicious messages, with optional cloud-based AI review that breaks end-to-end encryption. The company removed over 21,000 fake customer support Facebook pages targeting users through comment monitoring on legitimate airline, travel agency, and bank accounts, part of broader scam trends targeting seniors with fake home remodeling and government debt relief schemes. Security teams should educate users, especially vulnerable populations, about enabling these protections, including Passkeys and Security Checkup features, while noting that cloud-based AI analysis compromises message encryption.

Google and Check Point nuke massive YouTube malware network (4 minute read)

A coordinated malware campaign on YouTube, known as the Ghost Network, exploited hijacked accounts to post fake tutorials promising cracked software and gaming cheats. These videos lured users into downloading infostealers, which stole credentials and crypto wallets. The operation relied on fake engagement and resilient tactics, leading Google and Check Point to remove over 3,000 malicious videos in a major crackdown.

Vibe Coding's Real Problem Isn't Bugs—It's Judgment (3 minute read)

AI code generation enables rapid, large-scale software creation, but speed and flawed judgment are the real risks. While AI-made code has vulnerability rates similar to human work, issues like ineffective coding practices and skipped reviews mean more exposure to breaches, so experts urge integrating security directly into AI workflows and cultivating best usage practices.

Quick Links

What DoD subcontractors need to know about the CMMC final rule (Sponsor)

You can think of CMMC as the DoD's new standard cybersecurity background check for its supply chain. The new rule will require stricter verification for contractor security standards.

Read the Huntress blog

Microsoft builds on Recall with Gaming Copilot — fails basic privacy tests (3 minute read)

Microsoft's new Gaming Copilot, built on Recall-like Copilot Vision technology, is being silently deployed to Windows 11 PCs without user consent or onboarding.

Canada Fines Cybercrime Friendly Cryptomus $176M (2 minute read)

Canada's FINTRAC imposed an unprecedented $176 million penalty on cryptocurrency payments platform Cryptomus (Xeltox Enterprises Ltd.) for failing to report suspicious transactions connected to child sexual abuse material trafficking, fraud, ransomware payments, and sanctions evasion.


Want to advertise in TLDR? 📰

If your company is interested in reaching an audience of cybersecurity professionals and decision makers, you may want to advertise with us.

Want to work at TLDR? 💼

Apply here or send a friend's resume to jobs@tldr.tech and get $1k if we hire them!

If you have any comments or feedback, just respond to this email!

Thanks for reading,
Prasanna Gautam, Eric Fernandez & Sammy Tbeile


