Attacks & Vulnerabilities

Kubernetes Remote Code Execution Via Nodes/Proxy GET Permission (11 minute read)
An authorization bypass in Kubernetes allows service accounts with nodes/proxy GET permissions to execute commands in any Pod across the cluster, potentially leading to full cluster compromise. The vulnerability stems from the Kubelet authorizing WebSocket connections based on the initial HTTP GET handshake rather than verifying CREATE permissions for the /exec endpoint, affecting 69 Helm charts, including Prometheus, Datadog, Grafana, and Cilium. Kubernetes Security Team closed this as "Won't Fix (Working as Intended)," recommending migration to KEP-2862's fine-grained authorization when it reaches GA in April.

NetSupport Manager 0-Day Vulnerabilities Enable Remote Code Execution (3 minute read)
Two critical vulnerabilities in NetSupport Manager (CVE-2025-34164 and CVE-2025-34165) can be chained to achieve unauthenticated remote code execution through the software's undocumented broadcast feature, which operates on TCP port 5405 without requiring authentication. The flaws—a heap-based out-of-bounds write and a stack-based out-of-bounds read—enable attackers to bypass ASLR, perform arbitrary memory writes, and gain remote shell access, posing a significant risk to Operational Technology (OT) environments where the software is commonly deployed. Organizations should upgrade to version 14.12.0000 or later and restrict access to port 5405 as an interim mitigation.

Canva among ~100 targets of ShinyHunters Okta identity-theft campaign (3 minute read)
ShinyHunters is running an Okta single sign-on credential-stealing campaign against roughly 100 high-value organizations, including Canva, Atlassian, RingCentral, and others. The group uses evolved voice phishing to capture SSO logins, enroll its own devices in MFA, pivot into SaaS apps, exfiltrate data, and then extort victims. There is no confirmation of which named firms were successfully breached.

Who Operates the Badbox 2.0 Botnet? (8 minute read)
A leaked screenshot from Kimwolf botnet operators revealed they had compromised the Badbox 2.0 control panel, exposing seven authorized user email addresses that OSINT investigation traced to Chen Daihai and Zhu Zhiyu of Beijing Astrolink Wireless Digital Technology—individuals whose domains were previously flagged in HUMAN Security's Badbox 2.0 report. The investigation used password reuse across breach databases, domain registration records, and social media pivots to connect qq.com email addresses to multiple Chinese technology companies distributing pre-infected Android TV boxes. This unauthorized access allows Kimwolf to bypass residential proxy mitigations by loading malware directly onto Badbox 2.0's 10+ million compromised devices.

How to encrypt your PC's disk without giving the keys to Microsoft (8 minute read)
BitLocker encrypts Windows PCs to protect data, but many systems automatically store recovery keys with Microsoft when users sign in with a Microsoft account, creating a potential privacy risk if authorities obtain those keys. By upgrading to Windows 11 Pro, users can fully control BitLocker, decrypt any existing Microsoft-managed setup, and re-encrypt the drive while saving the recovery key locally, such as on paper or an external drive, rather than in the cloud.

LLM Key Server: Providing Secure and Convenient Access to Internal LLM APIs (5 minute read)
Mercari's AI Security team developed a key server to address the challenge of managing API key-based access to LLMs. The key server uses Google Workspace and Google Cloud for OIDC authentication to LiteLLM, which provides time-limited API access to various models through a unified API. The team also developed an internal CLI, GitHub Action, and Google Apps Script template to support adoption of the LLM key server.

Agent OS (GitHub Repo)
Agent OS applies operating system concepts to AI agent governance, providing kernel-level policy enforcement that intercepts and blocks actions before execution rather than relying on prompt-based safety. The framework includes POSIX-inspired primitives such as signals, a virtual filesystem for agent memory, cross-model verification, inter-agent trust protocols with cryptographic signing, and integrations with LangChain, CrewAI, and OpenAI Assistants. An MCP server enables integration between Claude Desktop and tools for verification and kernel execution.

Awesome hacking (GitHub Repo)
Awesome hacking is a curated list of hacking tools for hackers, pentesters, and security researchers. Its goal is to collect, classify, and make awesome tools easy to find by humans, creating a toolset you can check out and update with one command.

ZeroPulse (GitHub Repo)
ZeroPulse is a comprehensive C2 platform that utilizes Cloudflare Tunnel technology. It is designed for secure remote management and monitoring.

Why has Microsoft been routing example.com traffic to a company in Japan? (3 minute read)
Microsoft's autodiscover service was found routing email traffic for example.com—a domain reserved for testing under RFC2606—to subdomains belonging to Sumitomo Electric in Japan, potentially causing test credentials to be sent outside Microsoft's network. The misconfiguration, which may have persisted for five years, has been suppressed, but Microsoft has not explained how the Japanese company's servers were added to its network configuration. The incident raises concerns about other potential misconfigurations following Microsoft's 2024 breach, where forgotten test account privileges enabled Russian state hackers to monitor executive emails.

Browser-based attacks hit 95% of enterprises — and traditional security tools never saw them coming (8 minute read)
95% of organizations experienced browser-based attacks last year that evaded traditional security tools. Attackers operated inside trusted sessions where web gateways, cloud access brokers, and endpoint protection lose visibility after login. Recent incidents, including ShadyPanda's weaponized extensions and Cyberhaven's supply chain compromise, demonstrate how attackers exploit browser auto-updates and session tokens rather than zero-days. Security leaders recommend inventorying extensions, implementing 48-72 hour auto-update delays, and moving data protection to the browser layer, where 64% of encrypted traffic currently goes uninspected.

noyb win: Microsoft ordered to stop tracking school children (2 minute read)
Austria's data protection authority ruled that Microsoft illegally placed tracking cookies on a pupil's device through Microsoft 365 Education, using them to analyse behaviour, collect browser data, and support advertising. The authority ordered Microsoft to stop tracking the child within four weeks and rejected Microsoft's attempt to shift responsibility to its Irish subsidiary.