Attacks & Vulnerabilities

This severe and international iPhone hack is the best reason to update to iOS 26.3 yet (2 minute read)
The "DarkSword" exploit chain, active since at least November 2025, chained six flaws across JavaScriptCore (CVE-2025-31277, CVE-2025-43529), dyld PAC bypass (CVE-2026-20700), WebContent sandbox escape (CVE-2025-14174), GPU sandbox escape (CVE-2025-43810), and a local privilege escalation (CVE-2025-43520) to achieve full kernel control on iOS 18.4 through 18.7 via a malicious Safari webpage. Multiple threat actors reused the same core chain across separate campaigns in Saudi Arabia, Turkey, Malaysia, and Ukraine, with delivery methods ranging from Snapchat-themed lures to compromised watering-hole sites, with PARS Defense linked to the Turkey and Malaysia activity. Apple patched all underlying flaws in stages through iOS 26.3 by February 11. Users should update immediately to close the fully patched chain.

Aura Statement on Exposure of Limited Customer Information (2 minute read)
Aura, an identity theft protection company, announced that one of its employees was targeted in a vishing attack. The attacker accessed 900,000 records, mostly containing only names and email addresses, with contact details like home addresses and phone numbers also accessed for up to 20,000 active customers and 15,000 former customers. Aura confirmed that no sensitive information such as SSNs or financial details was compromised.

Millions of Anonymous Crime Tips Exposed in Massive Crime Stoppers Hack (3 minute read)
A hacker going by the alias "THE INTERNET YIFF MACHINE" leaked more than 8.3M highly sensitive records from the tip and intelligence management company P3 Global Intel. The leak contains extensive personal data on those accused by tipsters, including names, email addresses, dates of birth, phone numbers, home addresses, license plate numbers, SSNs, and criminal histories. The hacker also disclosed that the company enables clients to collect a wealth of tracking data on "anonymous" tipsters.

Daisy-Chaining Rogue RMM Tools: How Threat Actors Abuse Remote Management Software for Initial Access (10 minute read)
Huntress documented a 277% surge in RMM abuse, with threat actors daisy-chaining tools like Action1 and ScreenConnect via MSI installers, wscript, and LLM-generated infostealer scripts to fragment telemetry, distribute persistence, and complicate attribution across campaigns targeting financial accounts and SSA-themed lures. Post-access tradecraft included pin.exe masquerading as Windows Security to harvest login PINs to ScreenConnect\Temp\output.txt, Sordum's HideUL.exe to conceal RMM installs from Add/Remove Programs, and WebBrowserPassView to harvest credentials, with C2 notifications routed through Telegram bots. Defenders should allowlist approved RMM tools explicitly, treat unrecognized RMM activity as suspicious by default, monitor for unexpected MSI installations from user-writable paths, and reference lolrmm.io for visibility into commonly abused platforms.

New Malware Highlights Increased Systematic Targeting of Network Infrastructure (5 minute read)
Eclypsium captured two previously undocumented malware variants on March 6: CondiBot, a Mirai-derived multi-architecture DDoS botnet (arm, mips, x86) with 32 registered attack handlers, competitive botnet killing, and C2 beaconing via port 20480 (0x5000) to 65.222.202.53; and Monaco, a Go 1.24.0 SSH scanner and XMRig-based Monero cryptominer attributed to a likely Chinese-speaking actor hosted on Alibaba Cloud (8.222.206.6), brute-forcing ~3.6 billion IPs with 50+ hardcoded credentials and reporting stolen creds back over raw TCP. Both variants exploit the EDR/XDR visibility gap on network appliances by operating below the OS layer. Defenders should monitor for /tmp/monaco, unauthorized chmod 777 operations, unexpected XMRig processes, and apply YARA rules from Eclypsium's full report to detect CondiBot artifacts including the "QTXBOT" string identifier.

AWS Security Agent - Penetration Testing Overview (6 minute read)
AWS Security Agent allows customers to launch automated, agentic penetration tests on sites that they own. This post walks through the process of setting it up to scan DVWA running on an EC2 instance. The author was impressed by the presentation of the findings, such as including PoCs and verification, and felt that it can definitely augment penetration tests and reduce time to test, but felt that improvements are still needed, such as the ability to export results as a PDF.

Pompelmi (GitHub Repo)
Pompelmi is an open-source Node.js upload security library that performs local, in-process scanning for spoofed files, archive bombs (ZIP traversal and nesting), polyglots, and script-bearing document structures without requiring a cloud API or daemon. It exposes typed verdicts with structured reasons for allow, quarantine, and reject flows, and ships framework adapters for Express, Next.js, NestJS, Koa, and Fastify with optional YARA and ClamAV integration.

ics-phishing-toolkit (GitHub Repo)
ics-phishing-toolkit is a toolkit for remediating malicious calendar invites for teams using email solutions that don't natively remediate these issues.

tuxid (GitHub Repo)
tuxid is a lightweight, POSIX-compliant shell script that collects hardware, system, and network signals to generate a unique, reproducible fingerprint for a Linux machine.

OFAC Sanctions DPRK IT Worker Network Funding WMD Programs Through Fake Remote Jobs (4 minute read)
OFAC sanctioned six individuals and two entities tied to the DPRK IT worker scheme (Coral Sleet/Jasper Sleet/Wagemole), which uses stolen identities, AI-generated personas, and Faceswap-altered documents to place North Korean operatives at Western companies, funneling salaries back to fund WMD programs. The operation runs through a multi-tiered structure of recruiters, facilitators, and western collaborators sourced via LinkedIn and GitHub, with operators tunneling traffic through Astrill VPN's US exit nodes from China-based infrastructure to masquerade as domestic employees. Post-access activity included proprietary data theft, extortion, and the use of agentic AI to generate and refine malware components. Microsoft has advised defenders to treat these intrusions as insider-risk scenarios and to monitor for abnormal credential use and low-and-slow access patterns.

Federal cyber experts called Microsoft's cloud a "pile of shit," approved it anyway (7 minute read)
FedRAMP spent nearly five years, 480 hours of review time, and 18 technical deep-dive sessions attempting to obtain basic data flow diagrams from Microsoft for its Government Community Cloud High (GCC High) offering, used by the Justice and Energy departments to protect information whose exposure "could be expected to have a severe or catastrophic adverse effect" on government operations. Microsoft's third-party assessors, Coalfire and Kratos, privately back-channeled to FedRAMP that it was "difficult to impossible" to obtain sufficient documentation, while a 2024 review team found fundamental issues with vulnerability remediation and scanning in Exchange Online and Teams alone, yet FedRAMP authorized GCC High on December 26, 2024, solely because widespread federal and defense-sector deployment made rejection impractical. DOGE has since gutted FedRAMP to a $10M annual budget with a skeleton staff, effectively reducing the program to a rubber stamp. At the same time, agencies are being pushed to adopt cloud-based AI tools handling reams of sensitive government data.

Meta is Having Trouble with Rogue AI Agents (2 minute read)
After a Meta employee posted a question on an internal forum, another engineer asked an AI agent to analyze the question, and the agent posted a response without the engineer's approval. The original poster took action on this advice and inadvertently exposed massive amounts of company and user data to engineers who were not authorized to have access to it. This follows a post last month by a safety and alignment director at Meta Superintelligence that an OpenClaw agent deleted her entire inbox despite being instructed to request confirmation before acting.