Infosec News
-
IngressNightmare: 9.8 Critical RCE in Ingress NGINX Affects 40%+ of Cloud Environments
Wiz Research has disclosed a set of unauthenticated Remote Code Execution (RCE) vulnerabilities in Ingress NGINX Controller for Kubernetes, dubbed #IngressNightmare. These flaws (CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, CVE-2025-1974) allow attackers to inject arbitrary NGINX configuration via malicious admission requests, leading to code execution, cluster takeover, and full access to Kubernetes secrets across namespaces.
The vulnerable admission controller runs with high privileges and is often exposed without authentication. Exploits combine config injection, shared library tricks, and NGINX client-body buffer abuse to gain persistent RCE on pods, affecting over 6,500 clusters, including those from Fortune 500s.
Patch immediately:
- Upgrade to Ingress NGINX v1.12.1 or v1.11.5
- Lock down admission webhooks
- Apply Wiz or Nuclei-based scans for exposure
- Disable admissionWebhooks if patching isn't yet possible
This is a cluster-critical issue for Kubernetes users relying on Ingress-NGINX, especially those exposing controllers to the public internet.
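A triage helper for the upgrade step above, added here as an example (it is not Wiz's or the ingress-nginx project's code): it flags controller pods whose image tag predates the fixed releases named in the advisory. It assumes input lines of the form `namespace pod image`, as kubectl prints with custom columns, and the sample lines are constructed.

```python
"""IngressNightmare triage: flag ingress-nginx controller pods whose image
tag predates the fixed releases the advisory names (v1.12.1 on the 1.12
line, v1.11.5 on the 1.11 line); anything older is treated as unpatched.
Added example, not Wiz's or the ingress-nginx project's code."""
import re
from typing import List, Optional, Tuple

FIXED = {(1, 12): (1, 12, 1), (1, 11): (1, 11, 5)}  # fixed versions from the advisory
TAG_RE = re.compile(r":v?(\d+)\.(\d+)\.(\d+)(?:[-@]|$)")


def parse_version(image: str) -> Optional[Tuple[int, int, int]]:
    """major.minor.patch from a ref like .../controller:v1.12.0@sha256:...;
    None for digest-only or untagged references."""
    m = TAG_RE.search(image)
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable(version: Tuple[int, int, int]) -> bool:
    """True when the version predates the fixed release on its line."""
    line = version[:2]
    if line in FIXED:
        return version < FIXED[line]
    # Other lines: below the 1.11 fix is unpatched; 1.13+ assumed to carry the fix.
    return version < (1, 11, 5)


def triage(kubectl_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Each line is 'namespace pod image' (assumed kubectl custom-columns shape).
    Returns (namespace, pod, status) for ingress-nginx controller pods only."""
    results = []
    for line in kubectl_lines:
        ns, pod, image = line.split()
        if "ingress-nginx/controller" not in image:
            continue  # not an ingress-nginx controller image
        ver = parse_version(image)
        if ver is None:
            status = "UNKNOWN (digest-only tag; resolve the version manually)"
        elif is_vulnerable(ver):
            status = "VULNERABLE"
        else:
            status = "patched"
        results.append((ns, pod, status))
    return results


# Constructed sample output; not from any real cluster.
SAMPLE = [
    "ingress-nginx ingress-nginx-controller-abc registry.k8s.io/ingress-nginx/controller:v1.12.0@sha256:0000",
    "edge nginx-ctl-def registry.k8s.io/ingress-nginx/controller:v1.11.5",
    "legacy nginx-ctl-ghi registry.k8s.io/ingress-nginx/controller:v1.9.4",
    "kube-system coredns-xyz registry.k8s.io/coredns/coredns:v1.11.1",
]
```

Pods reported UNKNOWN pin a digest rather than a tag, so the running version must be confirmed from the image manifest before they are cleared.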
Source:
https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabilities
-
Rhysida Ransomware Hits PA Education Union – 500K+ Impacted
The Pennsylvania State Education Association (PSEA), representing over 178,000 public-sector education professionals, confirmed a major data breach affecting 517,487 individuals. Attackers exfiltrated sensitive data including SSNs, financial info, driver’s licenses, passports, health data, and login credentials during a July 2024 intrusion, later attributed to the Rhysida ransomware gang.
Rhysida demanded 20 BTC in ransom and briefly listed the stolen data on its dark web leak site. Though the listing has since been removed, it's unclear if PSEA paid. Victims are being offered free IDX credit monitoring and are urged to monitor for identity fraud.
Rhysida continues its aggressive ransomware campaigns, having also hit major healthcare, government, and corporate targets globally, including Lurie Children’s Hospital, Insomniac Games, and the City of Columbus.
-
New StilachiRAT Malware Surfaces with Crypto Theft & RDP Monitoring Capabilities
Microsoft researchers have identified a new Remote Access Trojan (RAT) in the wild dubbed StilachiRAT — a stealthy malware tool capable of system reconnaissance, credential and crypto wallet theft, RDP session monitoring, clipboard scraping, and more. Though not yet tied to a specific threat group, the RAT shows signs of being built for persistent, multi-stage intrusions.
StilachiRAT includes watchdog persistence, anti-forensics features, and the ability to reinstall itself as a Windows service via SCM and registry manipulation. While currently not widespread, its advanced capabilities suggest it may become more common in targeted recon and exfiltration campaigns.
Microsoft has released IoCs and mitigation guidance, urging defenders to update signatures and monitor for anomalous DLL/service behavior.
Source:
https://www.bitdefender.com/en-us/blog/hotforsecurity/researchers-discover-new-stilachirat-malware
-
CVE-2025-24813 – Apache Tomcat PUT Flaw Enables RCE, Data Corruption
A critical Apache Tomcat vulnerability (CVE-2025-24813) allows Remote Code Execution (RCE), data corruption, and information disclosure via improper handling of partial HTTP PUT requests. Affected versions include:
- Tomcat 11.0.0-M1 to 11.0.2
- Tomcat 10.1.0-M1 to 10.1.34
- Tomcat 9.0.0-M1 to 9.0.98
Exploitation requires non-default write-enabled servlets, partial PUT support (enabled by default), and deserialization-vulnerable libraries. Attackers can upload malicious JSPs, overwrite session files, or read server configs.
Mitigations:
- Upgrade to Tomcat 11.0.3, 10.1.35, or 9.0.98
- Disable allowPartialPut or ensure readonly="true" in DefaultServlet
- Remove unsafe deserialization libraries
- For Java 17, set -Dsun.io.useCanonCaches=false
Delaying the patch carries a high risk of full server compromise.
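The two DefaultServlet settings from the mitigation list, checked programmatically; this is an added example, not Apache Tomcat's code. It assumes conf/web.xml is the file being audited, uses Tomcat's own init-param names `readonly` and `allowPartialPut`, and the sample web.xml strings are constructed.

```python
"""Audit a Tomcat conf/web.xml for the DefaultServlet settings in the
CVE-2025-24813 mitigations: readonly must be true and allowPartialPut
should be false. Added example, not Apache Tomcat's code; the two
init-param names are Tomcat's, the sample web.xml files are constructed."""
import xml.etree.ElementTree as ET
from typing import Dict, List

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"


def _local(tag: str) -> str:
    """Strip the XML namespace so Tomcat 9/10/11 web.xml all parse alike."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_params(web_xml: str) -> Dict[str, str]:
    """init-params of the servlet whose class is DefaultServlet ({} if none)."""
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = next((c.text for c in servlet if _local(c.tag) == "servlet-class"), "")
        if (cls or "").strip() != DEFAULT_SERVLET:
            continue
        params = {}
        for ip in (c for c in servlet if _local(c.tag) == "init-param"):
            kv = {_local(c.tag): (c.text or "").strip() for c in ip}
            params[kv.get("param-name", "")] = kv.get("param-value", "")
        return params
    return {}


def audit(web_xml: str) -> List[str]:
    """Findings matching the advisory's two DefaultServlet mitigations.
    Tomcat's defaults are readonly=true and allowPartialPut=true, so a
    missing param is evaluated as its default."""
    p = default_servlet_params(web_xml)
    findings = []
    if p.get("readonly", "true").strip().lower() != "true":
        findings.append("readonly is not true: HTTP PUT/DELETE can write into the webapp")
    if p.get("allowPartialPut", "true").strip().lower() != "false":
        findings.append("allowPartialPut is enabled: partial PUT handling stays exposed")
    return findings


def make_web_xml(params: Dict[str, str]) -> str:
    """Constructed minimal web.xml with the given DefaultServlet init-params."""
    ip = "".join(f"<init-param><param-name>{k}</param-name>"
                 f"<param-value>{v}</param-value></init-param>" for k, v in params.items())
    return (f'<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee"><servlet>'
            f"<servlet-name>default</servlet-name><servlet-class>{DEFAULT_SERVLET}"
            f"</servlet-class>{ip}</servlet></web-app>")

WEAK = make_web_xml({"readonly": "false"})  # write-enabled, allowPartialPut at default
HARDENED = make_web_xml({"readonly": "true", "allowPartialPut": "false"})
```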
Source:
https://cybersecuritynews.com/apache-tomcat-vulnerability-rce-attacks/
-
Google confirms cyber "espionage" attacks on Chrome users from "highly sophisticated malware"
Google has confirmed a zero-click vulnerability in Chrome (CVE-2025-2783) actively exploited in the wild. Discovered by Kaspersky, the flaw was leveraged in a targeted cyber espionage campaign called Operation ForumTroll, infecting victims via phishing emails with malicious links — no user interaction required beyond viewing the message.
The exploit bypassed Chrome's sandbox protections entirely and infected systems upon launch. Targets included media, education, and government sectors. A security patch has been released, and all users are urged to update Chrome immediately and remain vigilant with email hygiene.
-
CVE-2024-4577 Still Actively Exploited in the Wild: PHP RCE Vulnerability Targets Windows Servers
Security researchers at Bitdefender have observed widespread exploitation of a critical PHP vulnerability (CVE-2024-4577), which affects Windows systems running PHP in CGI mode. The flaw allows remote code execution via argument injection, and attackers are using it to deploy cryptocurrency miners (like XMRig) and remote access tools such as Quasar RAT. Attack patterns include system reconnaissance, use of native Windows tools, and even cryptojacking rivalries, with attackers blocking each other’s IPs to maintain control. While Taiwan and Hong Kong are hit hardest, systems worldwide are at risk.
The PHP team has released patches in versions 8.3.8, 8.2.20, and 8.1.29. Organizations using older or unsupported PHP versions are urged to upgrade immediately and move away from CGI configurations to safer alternatives like PHP-FPM or FastCGI.
Source:
https://cybersecuritynews.com/php-rce-vulnerability-actively-exploited-in-wild/
-
Windows 11 Trick Bypasses Microsoft Account Requirement
Microsoft continues pushing users toward Microsoft Accounts in Windows 11 by removing workarounds like the BypassNRO.cmd script. However, a newly discovered method makes bypassing this restriction easier than ever — and it still works as of April 2025.
Discovered by user Wither OrNot and confirmed by BleepingComputer, this method lets you create a local account during installation without modifying the registry or using external scripts.
Here’s how it works:
During setup, when Windows 11 prompts “Let’s connect you to a network,” press Shift+F10 to open Command Prompt.
Run the following command:
start ms-cxh:localonly
This opens a hidden local user setup screen, allowing you to bypass Microsoft Account requirements entirely.
Complete setup as normal — the system will continue using your new local account.
After setup, you can verify this under the Start menu → account icon — it’ll show a local user, not a connected MS account.
-
ChatGPT Outage: Service Down Worldwide with “Something Went Wrong” Error
Bleeping Computer is reporting that ChatGPT is currently experiencing a global outage, affecting users across the U.S., Europe, Asia, and beyond. Users are reporting repeated "Something went wrong" errors when trying to interact with the AI. The issue persists despite retries and refresh attempts. OpenAI has not yet issued an official statement. This is a developing story — check the source link below for updates.
Downdetector:
https://downdetector.com/status/openai/
OpenAI Status Page:
https://status.openai.com/
-
State Bar of Texas Confirms Data Breach Following INC Ransomware Claim
The State Bar of Texas has confirmed a data breach after the INC ransomware gang claimed responsibility and began leaking stolen data. The breach, which occurred between January 28 and February 9, 2025, involved unauthorized access to internal systems and the theft of unspecified personal and professional information.
The Bar, which serves over 100,000 licensed attorneys, issued notification letters to affected members and is offering free credit monitoring and identity protection through Experian. The INC gang listed the organization on its dark web leak site on March 9, publishing legal case documents as alleged proof.
While it remains unverified if the leaked data came directly from the Bar's systems, recipients are being urged to remain vigilant, consider a credit freeze or fraud alert, and enroll in protection services before July 31, 2025. The State Bar has yet to comment publicly on the extent of the damage or respond to inquiries about the legitimacy of the leaked documents.
-
Critical RCE Vulnerability Found in Apache Parquet – CVE-2025-30065
A maximum severity remote code execution (RCE) vulnerability has been discovered in Apache Parquet, impacting all versions up to 1.15.0. Tracked as CVE-2025-30065, the flaw has received a CVSS v4 score of 10.0, the highest possible.
The issue stems from unsafe deserialization in the Parquet-Avro module, allowing attackers to execute arbitrary code when a crafted Parquet file is imported into a vulnerable system. While exploitation requires a user to process a malicious file, the widespread use of Parquet across big data platforms like Hadoop, AWS, Azure, and GCP increases the attack surface significantly.
Apache has patched the issue in version 1.15.1, and all users are urged to upgrade immediately. Organizations unable to upgrade should avoid untrusted files, validate inputs rigorously, and increase monitoring around systems processing Parquet data.
This vulnerability was responsibly disclosed by Amazon researcher Keyi Li and highlights the ongoing risks posed by untrusted data ingestion in analytics and data engineering environments.
No active exploitation has been observed yet, but the potential impact is severe. Admins and developers using Parquet in any form should treat this as a high-priority fix.
-
Gmail Is Not a Secure Way to Send Sensitive Comms: A Friendly Reminder
New end-to-end Gmail encryption alone isn't secure enough for an enterprise's most sensitive and prized data, experts say.
On April 1, The Washington Post reported that US National Security advisers were using Gmail for official communications, including "highly technical conversations with colleagues at other government agencies involving sensitive military positions and powerful weapons systems relating to an ongoing conflict." The National Security Council pushed back, stressing Gmail was never used to send any classified materials. However, the news drew scrutiny in light of the recent revelations of the team's Signal leak of classified military information.
The same day, Google announced its email service would implement a new Google Workspace feature and provide end-to-end encryption in Gmail.
-
Coinbase to Fix Confusing 2FA Error Message Causing Security Panic
Coinbase is addressing a misleading error in its account activity logs that has alarmed users into thinking their accounts were under attack. The message — “2-step verification failed” — appears even when someone simply enters an incorrect password, leading many to believe their credentials were compromised.
The confusion escalated after phishing attempts, with users logging in to find failed 2FA entries from unknown locations. This triggered a wave of password resets, malware scans, and concern over a potential breach.
Coinbase has confirmed the message is misleading and is working on a fix, though no timeline has been provided. The issue is also being exploited in social engineering scams, reinforcing the need for vigilance. Coinbase reminds users: they will never contact you via call or text about account issues.
-
Hack The Box “Ghost” Challenge Cracked: Technical Walkthrough by 0xdf
Cybersecurity researcher 0xdf has successfully solved the “Ghost” challenge on Hack The Box and published a highly detailed exploit write-up. The post covers each phase of the attack — from initial reconnaissance using Nmap, to exploiting a directory traversal vulnerability, discovering hardcoded credentials, and escalating to root via a misconfigured cron job.
This real-world style scenario highlights serious security missteps like insecure input validation and writable root-level tasks. The challenge and exploit offer practical insights for both pentesters and sysadmins, showcasing how minor oversights can lead to full system compromise. A must-read for anyone interested in offensive security or infrastructure hardening.
Source:
https://gbhackers.com/hack-the-box-ghost-challenge-cracked-a-detailed-technical-exploit/
Walkthrough:
https://0xdf.gitlab.io/2025/04/05/htb-ghost.html
-
Google Launches "Sec-Gemini" AI to Supercharge Threat Intel and Incident Response
Google has unveiled Sec-Gemini v1, an experimental AI model that blends the power of its Gemini LLM with real-time security intelligence from Mandiant, GTI, and OSV. Designed to elevate threat detection and incident analysis workflows, Sec-Gemini outperforms rivals in benchmarks like CTI-MCQ and CWE mapping by over 10%.
The model can identify threat actors, assess vulnerabilities, and analyze root causes with high accuracy — and it’s being made available to vetted researchers and institutions for testing. A promising leap forward in AI-driven cybersecurity operations.
Source:
https://www.securityweek.com/google-pushing-sec-gemini-ai-model-for-threat-intel-workflows/
-
US OCC Alerts Congress to Major Email Breach Exposing Sensitive Financial Oversight Data
On April 8, 2025, the US Office of the Comptroller of the Currency (OCC) reported a major security incident to Congress involving unauthorized access to internal emails and attachments. Discovered in February, the breach exposed sensitive data used in financial institution oversight. Over 100 OCC employees’ inboxes were compromised, affecting more than 150,000 emails. The OCC is collaborating with the Treasury and third-party cybersecurity experts to assess the impact and remediate security weaknesses. No financial sector impact has been reported so far.
-
Fake Microsoft Office Add-in Tools Distribute Cryptocurrency-Stealing Malware via SourceForge
Threat actors are exploiting SourceForge to distribute counterfeit Microsoft Office add-in tools that install malware on victims' computers. This malware is designed to mine and steal cryptocurrency. The malicious project, named "officepackage," mimics legitimate Microsoft development tools, deceiving users into downloading and executing harmful files. The campaign has affected over 4,600 systems, primarily in Russia. Users are advised to download software only from verified sources and to scan all files with up-to-date antivirus tools before execution.
-
Gamaredon Hackers Target Western Military Mission in Ukraine Using Malicious USB Drives
A February–March 2025 cyber attack targeting a foreign military mission based in Ukraine has been attributed to the Russian state-linked APT group Gamaredon (aka Shuckworm). According to Symantec researchers, initial access was gained via an infected removable drive containing a malicious shortcut file. Once inserted, the attack chain used mshta.exe to launch multiple payloads, including an info-stealing PowerShell malware known as GammaSteel.
The malware established C2 communications through legitimate services (e.g., Teletype, Telegram), propagated to other drives using malicious .lnk files, and executed reconnaissance scripts that collected screenshots, system details, antivirus status, and user documents. The final stage involved a more obfuscated GammaSteel variant that exfiltrated files with specific extensions from the Desktop and Documents folders.
Symantec noted an increase in Gamaredon’s sophistication: while still less advanced than other Russian actors, the group shows persistent improvement in evasion techniques, code obfuscation, and operational focus on Ukrainian targets.
Source:
https://thehackernews.com/2025/04/gamaredon-uses-infected-removable.html
-
CISA Flags Actively Exploited Linux Kernel Zero-Days Linked to Cellebrite Android Unlock Exploit Chain
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert on two actively exploited Linux kernel vulnerabilities—CVE-2024-53197 and CVE-2024-53150—used in a zero-day exploit chain reportedly developed by Cellebrite and deployed by Serbian authorities to unlock Android devices. CVE-2024-53197 targets ALSA USB-audio drivers for local privilege escalation, while CVE-2024-53150 enables kernel memory leaks. Both are now in CISA’s Known Exploited Vulnerabilities (KEV) catalog, with mandatory federal patching required by April 30, 2025.
-
Fortinet Reveals Persistent Post-Patch Access via SSL-VPN Symlink Exploit
Fortinet has disclosed that attackers are maintaining read-only access to FortiGate devices even after patching, by abusing symbolic links (symlinks) in SSL-VPN language file directories. The exploit, tied to previously patched CVEs (CVE-2022-42475, CVE-2023-27997, CVE-2024-21762), enables stealthy persistence across firmware updates. Fortinet has updated FortiOS (versions 6.4.16 to 7.6.2) to detect and remove the symlinks and prevent further abuse. CISA and CERT-FR have issued alerts, with recommendations to patch, review configurations, reset credentials, and consider disabling SSL-VPN temporarily. The compromise dates back to early 2023 and has impacted critical infrastructure targets.
Source:
https://thehackernews.com/2025/04/fortinet-warns-attackers-retain.html
-
Windows CLFS Kernel Driver Zero-Day Exploited by Storm-2460 in Ransomware Attacks
On April 9, 2025, Microsoft reported that a zero-day vulnerability in the Windows Common Log File System (CLFS), identified as CVE-2025-29824, is being actively exploited by the threat actor Storm-2460. The group utilizes the PipeMagic malware to escalate privileges and deploy ransomware, primarily targeting IT and real estate sectors in the U.S., as well as organizations in Venezuela, Saudi Arabia, and Spain. PipeMagic, initially discovered in 2022, functions as both a backdoor and a gateway, and has been linked to previous attacks involving fake ChatGPT applications. Microsoft has released security updates to address this vulnerability, and the Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-29824 to its Known Exploited Vulnerabilities catalog.
Source:
https://www.cybersecuritydive.com/news/windows-clfs-zero-day-exploited-ransomware/744878/