threats

Winsage
August 13, 2025
A second hole in AI systems has been discovered, raising concerns among cybersecurity experts about command injection vulnerabilities. Multiple AI-related vulnerabilities have emerged, including those linked to GitHub Copilot and Azure OpenAI, prompting organizations to reassess their AI strategies. It is important for organizations to understand their AI usage, the specific services they employ, and their responses to vulnerabilities. Discussions often focus on data residency, retention, and ownership, but security measures and policies of AI service providers are also crucial. Chief Security Officers are encouraged to reevaluate risk assessment methods, as vulnerabilities are categorized by severity, leading to questions about the reliability of these ratings. Organizations are urged to establish an internal framework for effective risk measurement.
Winsage
August 13, 2025
Check Point Research identified six new vulnerabilities in Microsoft Windows, including one classified as critical. These vulnerabilities could lead to system crashes, arbitrary code execution, or expose sensitive data. Check Point reported these issues to Microsoft, resulting in patches released on August 12th. One significant vulnerability is in a Rust-based Windows kernel component, which can cause total system crashes. Two other vulnerabilities, CVE-2025-30388 and CVE-2025-53766, allow for arbitrary code execution when users interact with specially crafted files. Additionally, CVE-2025-47984 can leak memory contents over the network, posing risks of sensitive information exposure. Check Point's security solutions already protect its customers from these threats, and users are encouraged to apply the August Patch Tuesday updates promptly.
AppWizard
August 12, 2025
LunaSpy is an Android spyware that has been circulating since February 2025, primarily infiltrating devices through messaging platforms like Telegram. It disguises itself as a legitimate antivirus or banking protection app, tricking users into granting extensive permissions by initiating a fake virus scan and presenting false notifications of threats. Once installed, LunaSpy can steal passwords from browsers and messaging apps, record audio and video, access text messages, track geographical location, and execute commands on the device. The spyware also contains dormant code that may allow it to steal photos in future updates. Data collected by LunaSpy is sent to attackers via around 150 servers. Users are advised against downloading APKs from links shared through messaging apps and should uninstall any unfamiliar antivirus applications that request extensive access to their devices.
Tech Optimizer
August 12, 2025
Small and medium-sized enterprises (SMEs) are crucial to the Indian economy and are increasingly adopting digital tools for growth. However, they face significant cybersecurity risks due to misconceptions about their vulnerability. SMEs often have limited IT resources, outdated systems, and poor security practices, making them attractive targets for cybercriminals. The World Economic Forum's Global Cybersecurity Outlook 2025 indicates that 60% of organizations consider geopolitical tensions in their security strategies, highlighting the risks for digitizing economies like India. Cyber incidents can have severe consequences for SMEs, including operational disruptions and damage to customer trust. Cybersecurity should be viewed as a strategic investment rather than a discretionary expense, with practical measures such as firewalls, antivirus software, strong password policies, and employee training recommended. Additionally, having recovery plans and incident response procedures in place is essential for minimizing downtime and protecting business reputation. As India aims for Viksit Bharat 2047, robust cybersecurity measures are critical for sustainable growth.
Winsage
August 11, 2025
SafeBreach researchers have identified several vulnerabilities in Windows environments that could lead to denial of service (DoS) attacks. These include:
1. CVE-2025-26673: A flaw in the Netlogon service that allows remote crashes via crafted Remote Procedure Call (RPC) requests without authentication, potentially locking users out of domain resources until a reboot.
2. CVE-2025-49716: A vulnerability in the Windows Local Security Authority Subsystem Service (LSASS) that enables remote attackers to destabilize the service through specially crafted Lightweight Directory Access Protocol (LDAP) queries, causing immediate DoS.
3. CVE-2025-49722: A DoS vulnerability in the Windows Print Spooler that can be triggered by malformed RPC requests, disrupting printing operations and system stability.
Microsoft has addressed some vulnerabilities but has not yet resolved the three identified by SafeBreach, and there has been no response to inquiries about these issues. SafeBreach recommends organizations apply the latest patches, limit exposure of Domain Controller services, segment critical systems, and monitor for unusual LDAP or RPC traffic for early attack detection.
AppWizard
August 11, 2025
A wave of mobile malware is targeting Android users in India, posing as legitimate banking applications. This malware can fully compromise infected devices, stealing sensitive data, intercepting communications, and conducting unauthorized financial transactions. It typically spreads through deceptive "dropper" apps via phishing messages on platforms like WhatsApp, SMS, or email, often disguised as system updates or official banking apps. The malware requests extensive Android permissions, allowing it to read and send SMS messages and intercept two-factor authentication codes. It operates stealthily, bypassing Android’s battery optimization features, and can manipulate notification content. All captured data is transmitted to attackers, enabling potential financial fraud and identity theft. Users are advised to install apps only from trusted sources, be skeptical of unexpected installation prompts, and review permission requests carefully.
Tech Optimizer
August 8, 2025
A cyberattack on a Brazilian enterprise involved the use of legitimate, digitally signed drivers to disable antivirus solutions and deploy MedusaLocker ransomware. The attackers executed a Bring Your Own Vulnerable Driver (BYOVD) attack by exploiting the ThrottleStop.sys driver, which has a critical vulnerability (CVE-2025-7771) allowing unauthorized memory access. They compromised an SMTP server using valid RDP credentials, extracted user credentials with Mimikatz, and moved laterally across the network. The attackers uploaded and executed an AV killer program and a renamed version of the driver, terminating antivirus processes to facilitate ransomware deployment. The malware targeted major antivirus vendors and employed kernel-level commands to eliminate security processes. Recommendations for defense include multi-factor authentication, hardening RDP access, and implementing layered security measures.
Tech Optimizer
August 8, 2025
Polymorphic malware is a type of malicious software that can change its code structure while maintaining its core functionality, making it difficult for traditional signature-based antivirus solutions to detect. It uses a mutation engine to create new variants by altering its code through techniques like code obfuscation, encryption, and junk code insertion. There are several categories of polymorphic malware, including polymorphic viruses, trojans, rootkits, and ransomware, each with unique characteristics. Detection of polymorphic malware is challenging due to its ability to evade conventional methods, prompting the use of behavioral analysis and machine learning for identification. To protect against such threats, a multi-layered security approach is recommended, including regular software updates, network segmentation, and employee training. Real-world examples like the Storm Worm and Conficker worm illustrate the significant impact of polymorphic malware, which has caused substantial financial losses. As cybersecurity measures advance, polymorphic malware continues to evolve, incorporating artificial intelligence and machine learning, leading to new challenges for security professionals. Cloud-based security solutions are emerging as effective tools to combat these threats.