Infosec News

cyclone

Citrix Netscaler Hit with Critical Actively Exploited CVEs

A newly discovered critical vulnerability in Citrix NetScaler, CVE-2025-5777, is raising serious alarms. The flaw stems from insufficient input validation when NetScaler is configured as a Gateway (VPN, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. This vulnerability carries a CVSS score of 9.3 and may allow memory overread, potentially exposing sensitive data such as session tokens.

In parallel, Google researchers confirmed a second critical flaw, CVE-2025-6543, is actively being exploited as a zero-day. This is a memory overflow vulnerability (CVSS 9.2) that can lead to unintended control flow and denial of service. Like CVE-2025-5777, it affects NetScaler appliances configured as a Gateway or AAA vServer.

Both vulnerabilities impact the following NetScaler ADC and Gateway builds:

NetScaler ADC and NetScaler Gateway 14.1 BEFORE 14.1-43.56
NetScaler ADC and NetScaler Gateway 13.1 BEFORE 13.1-58.32
NetScaler ADC 13.1-FIPS and NDcPP BEFORE 13.1-37.235-FIPS and NDcPP
NetScaler ADC 12.1-FIPS BEFORE 12.1-55.328-FIPS
Note: 12.1 and 13.0 are End-of-Life (EOL) and are vulnerable

Citrix warns that Secure Private Access on-prem and hybrid deployments using vulnerable NetScaler instances are also at risk.

Cloud Software Group, alongside multiple national security agencies, are urging all customers to immediately patch or upgrade to supported builds. For EOL versions (12.1, 13.0), upgrades are mandatory to eliminate exposure.

Sources:

cyclone

Fake SonicWall NetExtender Targets VPN Credentials

A new remote access malware campaign is distributing a trojanized version of SonicWall’s NetExtender VPN client, named SilentRoute, to harvest VPN credentials and other sensitive configuration data from unsuspecting users.

SonicWall NetExtender Trojan (SilentRoute):

The trojan impersonates NetExtender v10.3.2.27, hosted on a spoofed website (now taken down).
It was digitally signed by CITYLIGHT MEDIA PRIVATE LIMITED, possibly a compromised certificate authority or abuse of a legitimate cert.
The threat targets users searching for VPN downloads via:
- SEO poisoning
- Phishing
- Malvertising
- Social engineering on platforms like Facebook

Technical Behavior:

Modifies NeService.exe and NetExtender.exe
Bypasses normal digital signature validation checks.
Exfiltrates VPN config data including username, password, and domain to 132.196.198.163 using port 8080.
Malicious behavior triggered upon clicking "Connect" inside the fake VPN client.

Sources:

cyclone

CISA & NSA Double Down on Memory-Safe Languages for Secure-by-Design Software

The latest joint guidance from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA) elevates memory-safe languages (MSLs) such as Rust, Go, Java, Python, and C# from “best practice” to a national-security baseline. The agencies cite fresh data showing that 70–75 percent of exploited CVEs in the wild are rooted in memory bugs; Google’s Android team, for example, slashed that figure from 76 percent in 2019 to 24 percent in 2024 after mandating Rust/Java for all new code.

CISA and NSA stress that C and C++ can never be fully secured against buffer overflows, use-after-free, data races, and similar flaws because developers, not the compiler, must enforce safety. MSLs collapse whole vulnerability classes by enforcing bounds checking, lifetime/ownership rules, or automatic garbage collection at compile or run time.

Recommended first steps:

Inventory legacy C/C++ components handling untrusted input.
Mandate MSLs for all new repositories and features.
Add Rust clippy, Go govulncheck, or equivalent linters to CI/CD.
Track % unsafe code (Rust) or % legacy LOC to measure progress.
Provide developers a focused “borrow-checker / GC” bootcamp to shorten the learning curve.

For those who have been following along, check my post from April 2025 concerning "Systems Programming: Memory Safety":

https://forum.hashpwn.net/post/549

Sources:

cyclone

Canada Orders Hikvision Canada to Shut Down Over National Security Concerns

On June 28, 2025, Canada’s Industry Minister Mélanie Joly publicly announced that Hikvision Canada Inc. must cease all operations across the country, citing a comprehensive national security review under the Investment Canada Act. The government determined that “continued operations in Canada would be injurious to Canada’s national security,” following a “multi-step review” relying on information from Canada’s security and intelligence services.

Key aspects of the decision include:

A complete ban on Hikvision Canada’s operations and device use within federal departments and Crown corporations; officials are auditing legacy systems to ensure removal.
The move reflects a growing trend of Western governments including the U.S., U.K., Australia, Denmark, and EU institutions restricting Hikvision over concerns relating to surveillance technologies, cyber vulnerabilities, and its ties to the Chinese state.
Hikvision responded sharply, denouncing the ruling as politically motivated and lacking transparency or evidence, arguing the decision unfairly hinges on their Chinese origin rather than cybersecurity assessments.
Beijing reacted defensively with China’s commerce ministry urging Canada to reverse the action, branding it as “misuse” of national security, and warned it could harm Sino–Canadian trade relations.

While the ban applies exclusively to Hikvision’s Canadian subsidiary and government usage, the federal government strongly advises Canadian businesses and citizens to reconsider using any Hikvision equipment.

Sources:

cyclone

Xfinity’s Wi‑Fi Motion: Turning Your Router Into a Living Room Spy

Comcast's Xfinity has launched Wi‑Fi Motion, a feature that transforms xFi Gateway routers into motion detectors using only signatures from Wi‑Fi signal interference, no cameras or motion sensors needed. If enabled, the router senses movement (even minor gestures such as a raised arm) between connected devices and can send alerts via the Xfinity app. Users can adjust sensitivity, exclude pets, and link up to three devices for monitoring.

However, buried in the terms of service, Comcast reserves the right to collect, log, and sell this motion data to advertisers once you opt in. More alarmingly, Comcast also states that logs may be shared with law enforcement, in legal disputes, or under subpoena, without further consent or notification.

Critics point out this isn’t just passive data collection, it’s a detailed log of when and where people or pets are moving in your home, tied directly to your account.

Sources:

cyclone

Malicious "Solidity" VSCode Extension Steals Over $500K in Crypto

A polished VSCode-compatible extension targeting Cursor AI users named “Solidity Language” sneaked into Open VSX, masquerading as a legit Solidity syntax helper. Instead, it executed a PowerShell payload, installed ScreenConnect for remote access, and rolled out VBScript-based downloaders that deployed Quasar RAT and PureLogs stealer. The result: capture of crypto wallet seed phrases and a $500,000 loss for one Russian Ethereum dev.

Key attack highlights:

Fake vs. real: The malicious plugin (54,000+ downloads) was ranked higher than the official “solidity” (61,000) by gaming Open VSX’s ranking with inflated download counts.
Quick re-upload: Removed on July 2, but republished the next day as “solidity” with around 2 million fake installs, using near-identical naming (“juanbIanco” vs “juanblanco”).
Supply-chain risk hub: This campaign isn’t an isolated case; variants like “solaibot”, “among-eth” and malicious npm package “solsafe” have similarly used Open VSX or VS Code as vectors.

Sources:

cyclone

Abacus Market: Darknet Domination Turns Into Disappearing Act

Abacus Market, once the largest Western darknet marketplace accepting Bitcoin (and Monero), abruptly shut down in early July 2025 in what analysts believe is a classic exit scam, likely funded by hundreds of millions in cryptocurrency.

Launched in September 2021 (originally as Alphabet Market), Abacus surged holding about 70% of the Bitcoin-enabled darknet market in 2024. In June 2025 it peaked at $6.3 million/month in brokered sales, with daily deposits about $230K across 1,400 transactions. Over the 4+ years, Abacus processed around $100 million in Bitcoin, adding Monero brings estimated total sales to $300–$400 million.

The platform went completely offline without any legal takedown notification, pointing to disappearance with funds. TRM Labs and analysts lean toward an exit scam, though a covert law enforcement operation can't be entirely ruled out.

Sources:

freeroute

Cloudflare 1.1.1.1 incident on July 14, 2025
On 14 July 2025, Cloudflare made a change to our service topologies that caused an outage for 1.1.1.1 on the edge, resulting in downtime for 62 minutes for customers using the 1.1.1.1 public DNS Resolver as well as intermittent degradation of service for Gateway DNS.

Cloudflare's 1.1.1.1 Resolver service became unavailable to the Internet starting at 21:52 UTC and ending at 22:54 UTC. The majority of 1.1.1.1 users globally were affected. For many users, not being able to resolve names using the 1.1.1.1 Resolver meant that basically all Internet services were unavailable. This outage can be observed on Cloudflare Radar.

The outage occurred because of a misconfiguration of legacy systems used to maintain the infrastructure that advertises Cloudflare’s IP addresses to the Internet.

This was a global outage. During the outage, Cloudflare's 1.1.1.1 Resolver was unavailable worldwide.

We’re very sorry for this outage. The root cause was an internal configuration error and not the result of an attack or a BGP hijack. In this blog, we’re going to talk about what the failure was, why it occurred, and what we’re doing to make sure this doesn’t happen again.

Source: https://blog.cloudflare.com/cloudflare-1-1-1-1-incident-on-july-14-2025/

cyclone

Salt Typhoon Hackers Breaches U.S. National Guard

Chinese state-sponsored APT Salt Typhoon pulled off a major breach, infiltrating a U.S. Army National Guard network for 9 months throughout 2024. They quietly exfiltrated network configs, admin creds, and inter-state comms data, potentially laying groundwork for lateral movement across other government networks.

Exploited vulnerabilities:
- CVE-2018-0171 – Cisco Smart Install RCE
- CVE-2023-20198 + 20273 – Cisco IOS XE chain
- CVE-2024-3400 – PAN-OS GlobalProtect injection
Stolen data:
- Network diagrams
- Admin credentials
- Interconnected traffic logs with other U.S. states & 4 territories
- PII of service members

Source:

https://www.bleepingcomputer.com/news/security/chinese-hackers-breached-national-guard-to-steal-network-configurations/

cyclone

Global SharePoint Zero-Day Attack Hits Thousands: Microsoft Warns of Ongoing Exploitation

A critical zero-day vulnerability in Microsoft SharePoint Server is being actively exploited by unknown threat actors, prompting urgent alerts from Microsoft, U.S. federal agencies, and international cybersecurity experts. The vulnerability affects only on-premises SharePoint servers. SharePoint Online (cloud) is not impacted.

This is one of the most significant post-SolarWinds-era attacks on enterprise infrastructure. Analysts warn that patching alone may not fully secure already compromised environments. Forensic investigation and credential auditing are essential.

Details:

Exploit Type: Zero-day vulnerability allowing spoofing and remote exploitation.
Affected Systems: Only on-prem SharePoint 2016/2019 installations; Microsoft 365 SharePoint Online is unaffected.
Threat Actor: Likely a single coordinated actor, based on identical payloads and attack patterns across victims.
Initial Exploits Detected: July 19–20, 2025, rapidly expanding globally.
Targets: U.S. federal and state agencies, banks, energy companies, telecom, and universities. Over 8,000 vulnerable servers detected online (via Shodan).

Response:

Microsoft released emergency security updates.
FBI and CISA are involved in mitigation and investigation.
Customers are urged to patch immediately or disconnect unpatched servers from the internet.
Experts recommend an “assume breach” posture and full incident response.

Sources:

cyclone

Starlink Suffers Global Outage on July 24, 2025

On July 24, 2025, at approximately 19:13 UTC, SpaceX’s Starlink network experienced a worldwide outage, resulting in a complete service blackout for thousands of users. By 20:54 UTC, platforms like Downdetector recorded 36k+ incident reports.

The outage extended across every major region including the US, Europe, Asia, Africa, and Australia, and severely impacted critical users, such as Ukrainian military terminals and T-Mobile’s newly launched satellite messaging service.

Starlink acknowledged the disruption via a website banner and posts on X, stating they were “actively implementing a solution”. CEO Elon Musk apologized, promising to rectify the underlying issue and restore service “shortly”.

Sources:

cyclone

Announced on 8/1/2025 by jsteube:

hashcat v7.0.0

Repository: hashcat/hashcat · Tag: v7.0.0 · Commit: 483efe2 · Released by: jsteube

Welcome to hashcat v7.0.0!

We're proud to announce the release of hashcat v7.0.0, the result of over two years of development, hundreds of features and fixes, and a complete refactor of several key components. This version also includes all accumulated changes from the v6.2.x minor releases.

This release is huge. The full write-up is nearly 10 000 words, which exceeds what MyBB supports in a single post.

If you have 30 minutes, here's the write-up (PDF):
https://github.com/hashcat/hashcat/blob/master/docs/release_notes_v7.0.0.pdf

Quick summary

Over 900 000 lines of code changed
Contributions from 105 developers, including 74 first-time contributors
Merged and documented all previously unannounced 6.2.x features

This release has 2 assets:

Source code (zip)
Source code (tar.gz)

Visit the release page to download them.

cyclone

WinRAR Zero-Day Exploit (CVE-2025-8088)

A critical zero‑day vulnerability, CVE‑2025‑8088, affecting Windows versions of WinRAR (and related tools such as UnRAR.dll and portable UnRAR) has been actively exploited in targeted spear‑phishing attacks by the Russian‑linked threat group RomCom (also known as Storm‑0978, Tropical Scorpius, UNC2596).

A path traversal flaw using alternate data streams (ADSes) allows attackers to embed malicious files in RAR archives, which WinRAR may extract to sensitive system locations such as the Startup folder, enabling automatic code execution on system boot.

Between July 18–21, 2025, spear‑phishing emails carrying booby‑trapped RAR attachments disguised as job applications or CVs were sent to financial, manufacturing, defense, and logistics organizations across Europe and Canada. The payloads included stealth delivery of backdoors such as Mythic Agent, SnipBot, and RustyClaw.

BI.ZONE reports that another group, Paper Werewolf, also exploited this same vulnerability in separate phishing campaigns targeting Russian organizations. Evidence suggests the exploit may have been sold on dark‑web forums for approximately $80,000.

WinRAR acknowledged the vulnerability following ESET’s disclosure on July 24, 2025, releasing a patched version (7.13) by July 30, 2025. Users must manually update, as WinRAR lacks an auto‑update feature.

Sources:

cyclone

OpenAI GPT-5 - Mixed User Reception

GPT-5 is now the default in ChatGPT with selectable “thinking” modes and an auto-router. After user backlash, OpenAI restored legacy 4 models behind a toggle and promised better deprecation hygiene. “Thinking” usage now has a 3,000 per week cap for paid Plus users.

Early writeups and reporting show jailbreakability remains (narrative/multi-turn attacks still work).

Backlash on removals/personality: Users complained about 4o being pulled and GPT-5 feeling “colder.” OpenAI rolled 4o back (opt-in) and pledged advance notice before removing models next time; personality tweaks inbound.

Media/dev takes: Coverage spans “smarter coding/agents, messier lineup.” BleepingComputer called the new menu “a mess (again)” after OpenAI added options while saying GPT-5 would simplify things.

OpenAI’s claims: Fewer hallucinations, better instruction-following, less sycophancy; strongest coding model to date.

Sources:

cyclone

Storm0501 Ransomware Gang Wipes Data and Backups in Azure

A financially motivated threat group known as Storm0501 has executed one of the most destructive cloud ransomware attacks seen to date. According to Microsoft Threat Intelligence, the group infiltrated a large enterprise operating multiple subsidiaries and successfully pivoted from on premises systems into Microsoft Azure.

Once inside, Storm0501 exfiltrated large volumes of data using the AzCopy CLI tool before deleting backups and encrypting what remained. The attackers exploited weaknesses in Microsoft Entra ID by compromising synchronization servers and abusing a non human global administrator account that lacked multifactor authentication. With full global admin access, the group granted itself ownership of Azure subscriptions, stole storage account keys, and ultimately wiped or encrypted critical resources.

This tactic prevented the victim from restoring operations, forcing them into a difficult recovery scenario. The incident shows how ransomware actors are evolving beyond traditional malware and now weaponizing cloud features to maximize damage.

Microsoft has warned that other threat groups are likely to adopt these same methods and recommends several defensive measures. Organizations should enforce least privilege across Azure environments, enable blob and VM backups, log activity in Key Vault, and harden hybrid cloud attack paths.

Storm0501 has previously targeted schools and healthcare organizations, and with this latest pivot to cloud only operations the group has raised the stakes for enterprises everywhere.

Sources:

cyclone

RAID Failure Causes Matrix.org Outage - Sep 2–3, 2025

What happened: On Sep 2, a RAID failure took out Matrix.org’s DB secondary (11:17 UTC), and later the primary failed (17:26 UTC). Engineers abandoned an unsafe filesystem recovery and instead restored a full 55 TB PostgreSQL snapshot from the previous night, rebuilt the DB, and replayed queued traffic. The homeserver came back online around 17:00 UTC on Sep 3 and was then monitored as it caught up.

Who was affected: Users on the matrix.org homeserver (e.g., @user:matrix.org) lost service during the restore/catch-up window. Folks running their own homeservers were not impacted.

Timeline (UTC):

Sep 2, 11:17 — DB secondary lost its filesystem due to a RAID failure.
Sep 2, 17:26 — DB primary failed.
Sep 2, 17:39 — Incident acknowledged on the status page (“identified an issue with the matrix.org database”).
Sep 2, 19:02 — Public post confirms RAID failure + plan (point-in-time restore).
Sep 2, 19:42 — Begin restoring from backup; matrix.org homeserver kept offline.
Sep 2, 21:41 — “Bad news”: switching to full 55 TB snapshot restore.
Sep 3, 07:13 — Progress: 47 TB/55 TB restored; still need DB rebuild + ~17 h traffic replay.
Sep 3, 08:49 — Status page: restoration ongoing; live-updates link shared.
Sep 3, 10:56 — “Snapshot + incrementals restored; about to replay remaining traffic” (ETA 3–4 h if all goes well).
Sep 3, 17:00 — matrix.org back online (reported).
Sep 3, 17:03 — Status: “Database restored; verification complete; Synapse started” — monitoring.
Sep 3, 17:37 — Continued monitoring.

Sources:

Incident history timestamps: https://status.matrix.org/incidents/mm9hdm78svgv
Matrix.org Mastodon updates (Sep 2–3, 2025):
- https://mastodon.matrix.org/@matrix/115136866878237078
- https://mastodon.matrix.org/@matrix
Live update link shared by Matrix.org: https://bsky.app/profile/matrix.org/post/3lxuslbzjuc2t

cyclone

Plex Breached... Again - Reset Your Passwords Now

Plex breached again, change your password and sign out everywhere.

Plex says an attacker got into one of its databases and pulled a limited set of user data, email, username, hashed passwords, authentication data. No payment info was stored. Plex is telling all users to reset their password, tick “Sign out connected devices” during the reset, then re-enable 2FA. If you use SSO, sign out of all devices from your account security page. Expect phishing around this, Plex won’t ask for your password or card details by email.

This mirrors the 2022 incident, so treat it seriously.

Sources:

hashpwn

Infosec News

hashcat v7.0.0

Quick summary

Who's Online [Full List]

Board Statistics