Can You Really Trust That Permission Pop-Up On macOS? (CVE-2025-31250)

macOS vulnerability CVE-2025-31250 allows apps to spoof permission prompts, misleading users into granting access to the wrong application. It is patched in macOS Sequoia 15.5, but earlier versions such as Ventura and Sonoma remain unaddressed. The flaw arises from incorrect handling in the TCC framework's request logic: a consent response can be recorded for one app while the prompt displayed names another. Exploiting it requires user interaction, but it still poses significant risk, particularly for high-value permissions such as Microphone and Camera access. Apple responded slowly to the report, but recent updates appear to address the vulnerability.

https://wts.dev/posts/tcc-who/

Google Chrome to Block Admin-level Browser Launches for Better Security

Google Chrome will prevent admin-level launches to enhance security, similar to a feature Microsoft implemented in Edge. This change ensures that the browser doesn't run with elevated permissions, reducing risks like unauthorized access through malicious downloads. A command-line switch will be added to manage this behavior in automation mode.

https://www.bleepingcomputer.com/news/google/google-chrome-to-block-admin-level-browser-launches-for-better-security/

What Are BYOVD Attacks?

BYOVD (Bring Your Own Vulnerable Driver) attacks exploit vulnerabilities in legitimate drivers to bypass security measures, allowing attackers to manipulate kernel-level resources directly. These attacks can disable security systems and enable encryption or data theft, notably used by the Cuba ransomware group, which has caused significant financial damage. Effective mitigation strategies include updating old operating systems, auditing kernel drivers, implementing strict permissions for driver loading, and using behavioral monitoring tools. Regular simulations of such attacks can help organizations validate their defenses.

https://cymulate.com/blog/defending-against-bring-your-own-vulnerable-driver-byovd-attacks/

Phishing Attack Uses Blob URIs to Show Fake Login Pages in Your Browser

Cofense Intelligence reports a phishing technique using blob URIs to create fake login pages in browsers, evading email security and stealing credentials. Blob URIs, which store data temporarily on local machines, make it difficult for security systems to detect malicious activity since external checks cannot see them. Attackers often redirect users from trustworthy sites to fake pages, posing a serious challenge for email security systems.

https://hackread.com/phishing-attack-blob-uri-fake-login-pages-browser/

How Signal, WhatsApp, Apple, and Google Handle Encrypted Chat Backups

Comparing encrypted chat apps, Signal has no cloud backup, prioritizing privacy; WhatsApp allows backups with optional end-to-end encryption; Apple's iMessages are encrypted but not in backups by default, unless users enable Advanced Data Protection; Google Messages provides encrypted backups with passcodes. Users must ensure all chat participants enable encryption for maximal security, and weigh the necessity of saving conversations against potential privacy risks.

https://www.eff.org/deeplinks/2025/05/back-it-back-it-let-us-begin-explain-encrypted-chat-backups

Catching a Phish With Many Faces

Phishing attacks are evolving, with phishing-as-a-service toolkits generating dynamic, customizable fake login pages in real time. These pages appear legitimate by pulling logos and branding from legitimate sources, making detection difficult. Attackers use urgency-inducing messages to entice victims to click links, and the pages often exfiltrate entered credentials directly via AJAX requests. To protect against these threats, users should verify link authenticity, use strong passwords, enable two-factor authentication, and employ robust security measures. Cybercriminals continue to adapt their tactics, making awareness and technological defenses crucial.

https://www.welivesecurity.com/en/scams/spotting-phish-many-faces/

Multilayered Email Attack: How a PDF Invoice and Geo-Fencing Led to RAT Malware

An email campaign distributing the Ratty RAT abuses legitimate-looking invoices and geofencing to bypass security. Attackers use a trusted email service and file-sharing platforms, manipulate recipients through social engineering, and employ Ngrok for covert links. Targeting mainly Italy, the campaign exemplifies advanced evasion strategies and challenges conventional detection systems. Fortinet provides protections and urges users to stay vigilant against such phishing threats.

https://www.fortinet.com/blog/threat-research/multilayered-email-attack-how-a-pdf-invoice-and-geofencing-led-to-rat-malware

LockBit Ransomware Gang Hacked, Victim Negotiations Exposed

The LockBit ransomware gang was hacked: its admin panels were defaced, revealing a database containing over 59,000 bitcoin addresses and 4,442 victim negotiation messages. Plaintext passwords for 75 affiliates were also exposed. The breach occurred on April 29, 2025, and the perpetrators are unknown. This incident follows previous law enforcement disruptions, further damaging LockBit's reputation.

https://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-hacked-victim-negotiations-exposed/

Backdoor Found in Popular Ecommerce Components

A backdoor was discovered in 21 ecommerce applications from the breached vendors Tigren, Magesolution (MGS), and Meetanshi. The malware has been active since Apr 20 and affects 500-1000 stores; fake license checks enable unauthorized access. Users, especially those running packages from these vendors, are advised to scan for the backdoor. Vendor responses vary, and backdoored packages are still available for download. Recommendations include using eComscan for detection and removing infected files.

https://sansec.io/research/license-backdoor

Why MFA Is Getting Easier to Bypass and What to Do About It

MFA is increasingly bypassed due to phishing attacks using “adversary-in-the-middle” techniques. Criminals utilize phishing-as-a-service toolkits that allow anyone, even non-technical users, to create fake login pages that capture credentials and MFA codes. Traditional MFA, relying on one-time passwords or push notifications, can still be compromised since attackers can capture these codes. WebAuthn offers better security as it ties credentials to specific URLs and devices, making it resistant to such attacks. Organizations are encouraged to adopt WebAuthn to enhance security against phishing threats.

https://arstechnica.com/security/2025/05/phishing-attacks-that-defeat-mfa-are-easier-than-ever-so-what-are-we-to-do/

Hackers Ramp up Scans for Leaked Git Tokens and Secrets

Hackers are increasing scans for leaked Git configuration files, which can expose sensitive data like tokens and credentials. A report by GreyNoise highlighted a surge in scans from April 20-21, 2025, with nearly 4,800 unique IPs detected, predominantly from Singapore, the U.S., and Germany. These exposed Git files often lead to significant security breaches, allowing unauthorized access to cloud services and repositories. To mitigate risks, experts recommend blocking access to .git/ directories and monitoring logs for suspicious activity.

https://www.bleepingcomputer.com/news/security/hackers-ramp-up-scans-for-leaked-git-tokens-and-secrets/
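As a worked defender-side example (added here, not from the GreyNoise report or the article above), the following Python script scans web-server access-log lines for requests to .git/ paths, groups the probes by source IP, and flags any source whose probe was actually served with HTTP 200, which is the case that indicates an exposed repository. The log lines, IPs and paths are constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Apr/2025:10:01:02 +0000] "GET /.git/config HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Apr/2025:10:01:03 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "Mozilla/5.0"
198.51.100.9 - - [20/Apr/2025:10:02:11 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [20/Apr/2025:10:02:12 +0000] "GET /.git/config HTTP/1.1" 403 162 "-" "curl/8.4.0"
192.0.2.33 - - [21/Apr/2025:03:14:15 +0000] "GET /app/.git/index HTTP/1.1" 404 153 "-" "python-requests/2.31"
"""

# Minimal parser for the combined log format: ip, timestamp, method, path, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Matches a ".git" path component anywhere in the URL (/.git/config, /app/.git/index),
# but not unrelated names such as /.gitignore.
GIT_PATH_RE = re.compile(r'(^|/)\.git(/|$)')


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_git_probes(log_text):
    """Group requests for .git paths by source IP.

    Returns {ip: {"paths": [(path, status), ...], "exposed": bool}}; "exposed" is True
    when any probe from that IP received a 200, i.e. repository metadata was served.
    """
    findings = defaultdict(lambda: {"paths": [], "exposed": False})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not GIT_PATH_RE.search(rec["path"]):
            continue
        entry = findings[rec["ip"]]
        entry["paths"].append((rec["path"], rec["status"]))
        if rec["status"] == 200:
            entry["exposed"] = True
    return dict(findings)


if __name__ == "__main__":
    for ip, entry in find_git_probes(SAMPLE_LOG).items():
        state = "EXPOSED" if entry["exposed"] else "blocked or absent"
        print(f"{ip}: {len(entry['paths'])} .git probe(s), {state}")
```

A 403 or 404 on these paths shows the block is working; a 200 on /.git/config means the repository metadata, and any tokens in it, has already left the server.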

Hello 0-Days, My Old Friend: a 2024 Zero-Day Exploitation Analysis

Google's Threat Intelligence Group reported 75 zero-day vulnerabilities exploited in 2024, down from 98 in 2023 but up from 63 in 2022. This year's exploitation continued a trend towards targeting enterprise technologies over end-user products. Key findings included:

  1. Trends in Exploitation: 44% of vulnerabilities targeted enterprise software, up from 37% in 2023. Vendors are improving security, reducing exploits on popular targets like browsers.
  2. Notable Targets: Security and networking products saw increased exploitation, with a significant focus on Ivanti and Palo Alto. Attackers' focus is shifting from end-user devices to critical enterprise infrastructures.
  3. Actor Analysis: State-sponsored espionage actors, particularly from China and North Korea, accounted for the majority of attributable exploitation, often blending espionage with financial motives.
  4. Exploited Vulnerability Types: The most common were remote code execution and privilege escalation vulnerabilities, often resulting from software coding errors.

Overall, while detection and vendor defenses improve, zero-day vulnerabilities remain appealing to threat actors, necessitating stronger vendor security practices.

https://cloud.google.com/blog/topics/threat-intelligence/2024-zero-day-trends/

Cybersecurity Vendors Are Themselves Under Attack by Hackers, SentinelOne Says

Cybersecurity firms like SentinelOne face significant threats from hackers, including ransomware and state-sponsored attacks from China and North Korea. Despite their role in protecting clients, they are prime targets due to their access and insights into many systems. A recent report highlighted the taboo around discussing such attacks within the industry, as companies feel uncomfortable admitting vulnerabilities.

https://cyberscoop.com/cybersecurity-vendors-are-under-attack-sentinelone-says/

Three Ways AI Can Weaken Your Cybersecurity

AI can weaken cybersecurity through three main methods:

  1. Slopsquatting – Spreading malware via hallucinated software libraries recommended by AI, often targeting users who mistype URLs.
  2. Prompt Injection – Attackers inject malicious prompts into AI applications, potentially leading to unauthorized information access or code execution.
  3. Data Poisoning – Manipulating training data to skew AI model outputs, which poses risks for various industries.

These tactics exploit the vulnerabilities of AI systems, emphasizing the need for increased vigilance and adapted security measures.

https://www.bigdatawire.com/2025/04/25/three-ways-ai-can-weaken-your-cybersecurity/

DragonForce Expands Ransomware Model With White-label Branding Scheme

DragonForce expands ransomware model by forming a cartel structure, allowing affiliates to use its malware and branding without managing infrastructure. Affiliates pay a 20% fee on ransoms and must adhere to specific rules. The group, claiming to avoid targeting certain healthcare entities, aims to attract less technical actors and increase profits through flexibility in deploying ransomware under various brands.

https://www.bleepingcomputer.com/news/security/dragonforce-expands-ransomware-model-with-white-label-branding-scheme/
