Attackers Adapt CyberstrikeAI 👊, Anthropic Hardens Firefox 🌐, FBI Wiretap Systems Breached 🕵️


TLDR

TLDR Information Security 2026-03-09

🔓 Attacks & Vulnerabilities

Trizetto Notifying 3.4M of 2024 Hack Detected in 2025 (3 minute read)

TriZetto Provider Solutions discovered in October that attackers had been abusing a client web portal since November 2024 to access insurance eligibility data for over 3.4 million individuals, exposing extensive identifiers and health information, but no financial data.

CyberStrikeAI Tool Adapted By Attackers for AI-Powered Attacks (2 minute read)

Security researchers are warning that attackers are using AI-powered tools to hunt for and exploit vulnerable Fortinet FortiGate firewalls. The researchers note that the attackers are using the security orchestration tool CyberStrikeAI, which features a full security platform with over 100 tools that AI agents can use for hunting. The developer behind the tool is believed to have ties to China and possibly other Chinese security organizations.

A Race Within A Race: Exploiting CVE-2025-38617 in Linux Packet Sockets (21 minute read)

CVE-2025-38617 is a 20-year-old use-after-free in the Linux kernel's AF_PACKET subsystem (net/packet/af_packet.c), present since Linux 2.6.12 and fixed in 6.16, exploitable by any unprivileged user with CAP_NET_RAW (obtainable via user namespaces) to achieve full privilege escalation and container escape. The root cause is a conditional WRITE_ONCE(po->num, 0) that only zeroes the protocol number when the socket was already running, leaving a window where a NETDEV_UP event can re-register the protocol hook while packet_set_ring() is mid-free. The exploit stretches this nanosecond race to a deterministic one-second window by pre-acquiring pg_vec_lock via a sleeping tpacket_snd() call, then uses a BPF filter delay and a 720,000-entry timerfd wait queue interrupt to win the second race. The resulting five-stage exploit chains a page overflow into simple_xattr corruption, heap read/write via pgv array overlap, arbitrary page read/write through a master-puppet ring buffer pair, KASLR bypass via anon_pipe_buf_ops pointer recovery, and final privilege escalation via syscall patching, defeating both CONFIG_RANDOM_KMALLOC_CACHES and CONFIG_SLAB_VIRTUAL mitigations.
🧠 Strategies & Tactics

Malicious Packagist Packages Disguised as Laravel Utilities Deploy Encrypted RAT (9 minute read)

Three Packagist packages published by the threat actor nhattuanbl were found to be malicious. Two deliver a fully functional PHP RAT via src/helper.php, encrypted with AES-128-CTR and sent to a C2 at helper[.]leuleu[.]net:2096, with commands supporting remote shell execution, file upload/download, and screen capture across Windows, macOS, and Linux. The third, lara-swagger, carries no malicious code itself but pulls in the RAT as a hard Composer dependency pinned to dev-master, allowing the operator to update the payload at any time without modifying the clean-looking package. Laravel teams should audit transitive Composer dependencies, treat dev-master constraints as high-risk in production, rotate all secrets accessible from affected application environments, and block outbound traffic to the C2 host.
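The audit the item recommends, as an added example that is not from the report or from the packages involved: a Python script that walks a composer.lock dependency graph from the root composer.json and flags any direct or transitive package pinned to a branch alias such as dev-master, reporting the chain that pulls it in. The package names and lock contents are constructed placeholders, not the real packages.

```python
"""Flag Composer dependencies, direct or transitive, pinned to an unstable
branch alias such as dev-master. Added example with constructed placeholder
composer.json / composer.lock contents, not real packages."""
import json
from typing import Dict, List, Tuple

COMPOSER_JSON = json.dumps({"require": {"php": ">=8.1", "acme/clean-facade": "^1.0"}})
COMPOSER_LOCK = json.dumps({
    "packages": [
        # Looks clean itself, but hard-pins a helper to a movable branch.
        {"name": "acme/clean-facade", "version": "1.2.0",
         "require": {"php": ">=8.1", "acme/hidden-helper": "dev-master"}},
        {"name": "acme/hidden-helper", "version": "dev-master", "require": {"php": ">=8.1"}},
        {"name": "acme/stable-lib", "version": "2.0.1", "require": {}},
    ],
    "packages-dev": [],
})


def is_unstable(constraint: str) -> bool:
    """Branch references (dev-master, 1.x-dev, foo@dev) let the publisher
    change the shipped code without ever tagging a new release."""
    c = constraint.strip().lower()
    return c.startswith("dev-") or c.endswith("-dev") or c.endswith("@dev")


def audit(composer_json: str, composer_lock: str) -> List[Tuple[str, str, str]]:
    """Walk the lock graph from the root requirements; return (chain, package,
    constraint + locked version) for every reachable unstable pin."""
    root = json.loads(composer_json).get("require", {})
    lock = json.loads(composer_lock)
    by_name: Dict[str, dict] = {p["name"]: p for p in
                                lock.get("packages", []) + lock.get("packages-dev", [])}
    findings, seen = [], set()
    stack = [(n, c, ["<root>"]) for n, c in root.items()]
    while stack:
        name, constraint, chain = stack.pop()
        if name not in by_name:  # platform packages (php, ext-*) have no lock entry
            continue
        locked = by_name[name].get("version", "")
        if is_unstable(constraint) or is_unstable(locked):
            findings.append((" -> ".join(chain + [name]), name,
                             f"{constraint} (locked: {locked})"))
        if name in seen:  # already expanded; also guards against cycles
            continue
        seen.add(name)
        for dep, dep_constraint in by_name[name].get("require", {}).items():
            stack.append((dep, dep_constraint, chain + [name]))
    return sorted(findings)
```

Run it against a real project by reading composer.json and composer.lock from disk in place of the constructed strings; any finding whose chain starts at a package you did not knowingly choose deserves the same scrutiny the article gives lara-swagger.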
How to Avoid Confidentiality Gaps in Early-Stage Startups (5 minute read)

Early-stage startups routinely expose proprietary information during funding, hiring, and partnership discussions by delaying legal protections until sensitive details have already been shared, a pattern that contributes to the 61% breach rate cited in the 2025 Panaseer Security Leaders Report. Startups should deploy NDAs and confidentiality agreements selectively but proactively: before contractor access to code or design assets, during deep technical diligence with non-standard investors, and via a two-deck pitch strategy that gates the confidential technical appendix behind a signed NDA. Lightweight tooling with e-signature audit trails, a single document owner, and quarterly reviews is sufficient for pre-seed teams. Complexity should scale with contract volume, not be front-loaded.

Carelessness vs Craftsmanship in Cryptography (6 minute read)

Trail of Bits researchers discovered that the widely used pyaes and aes-js packages used default IVs in their documentation, which can lead to vulnerable applications. The team contacted both projects and received no response, but found that the maintainers behind pyaes had dismissed a ticket raised about the vulnerability in 2022. The team contrasted this with StrongMan VPN's response to the team contacting them about their use of the vulnerable pyaes library. The maintainer fully replaced the library and migrated to the more secure GCM-SIV mode of AES.
🧑‍💻 Launches & Tools

IRFlow Timeline (GitHub Repo)

IRFlow Timeline is a native macOS DFIR timeline analysis app built on Electron and SQLite designed to ingest large forensic artifacts, including CSV, TSV, XLSX, EVTX, and Plaso output, without performance degradation. Inspired by Eric Zimmerman's Timeline Explorer for Windows, it fills the gap for macOS-native incident responders.

SonarQube CLI (GitHub Repo)

SonarQube CLI is a beta command-line tool for interacting with SonarQube Cloud and self-hosted SonarQube instances. It supports secrets scanning, issue querying, project listing, and Claude Code integration via MCP server hooks installable globally or per-project.

Evervault (Product Launch)

Evervault provides a developer-first platform to encrypt and orchestrate sensitive data - especially payment card data - so companies can process, share, and route it end-to-end without handling it in plaintext, simplifying PCI compliance and reducing breach risk.
🎁 Miscellaneous

Seedworm: Iranian APT on Networks of US Bank, Airport, Software Company (12 minute read)

Symantec's Threat Hunter Team has detected Seedworm (MuddyWater) activity on networks of a US bank, airport, defense-adjacent software company, and NGOs in the US and Canada since February, deploying two newly identified backdoors: Dindoor, a Deno-based JavaScript/TypeScript backdoor, and Fakeset, a Python backdoor, both signed with certificates previously linked to the group. The intrusions follow US and Israeli military strikes on Iran and coincide with escalating activity from aligned hacktivist groups, including Handala and DieNet, raising the threat of destructive wiper attacks, DDoS campaigns, and hack-and-leak operations against critical infrastructure. Defenders should prioritize MFA enforcement, Rclone/cloud-exfiltration monitoring, DDoS protection for public-facing services, and immutable offline backups, given Iran's demonstrated history of deploying destructive payloads, such as Shamoon, during geopolitical escalation windows.

Hardening Firefox with Anthropic's Red Team (3 minute read)

Anthropic's Frontier Red Team applied AI-assisted vulnerability detection to the Firefox codebase, surfacing 14 high-severity bugs and 22 CVEs, plus 90 additional lower-severity issues, all shipped with reproducible test cases that allowed Mozilla engineers to validate and patch the findings within hours ahead of Firefox 148. Notably, the model identified distinct classes of logic errors that decades of fuzzing and static analysis had not previously uncovered, suggesting a significant backlog of latent bugs across mature, well-audited codebases. As a result, Mozilla has begun integrating AI-assisted analysis into its internal security workflows.

OpenAI Codex Security Scanned 1.2 Million Commits and Found 10,561 High-Severity Issues (3 minute read)

OpenAI's Codex Security is an AI agent that builds project context and threat models, then verifies vulnerabilities to reduce false positives and suggests ready-to-review fixes. In beta, it analyzed 1.2 million commits, identifying thousands of critical and high-severity issues across major open-source projects.

Quick Links

Transport for London says 2024 breach affected 7M customers, not 5,000 (2 minute read)

TfL has disclosed that attackers accessed systems containing data on over 7 million customers, far beyond the 5,000 high-risk users first flagged with exposed bank details.

FBI investigating hack on its wiretap and surveillance systems: Report (1 minute read)

Hackers breached an FBI network used to manage wiretaps and foreign intelligence surveillance warrants, prompting an internal investigation and technical incident response by the bureau.

Mississippi medical center reopens clinics hit by ransomware attack (2 minute read)

The University of Mississippi Medical Center resumed normal operations nine days after a ransomware attack blocked access to electronic medical records and forced the cancellation of outpatient procedures, ambulatory surgeries, and imaging appointments across its seven hospitals and 35 clinics.


Thanks for reading,
Prasanna Gautam, Eric Fernandez & Sammy Tbeile

