Infosec News
-
Windows 11 Trick Bypasses Microsoft Account Requirement
Microsoft continues pushing users toward Microsoft Accounts in Windows 11 by removing workarounds like the BypassNRO.cmd script. However, a newly discovered method makes bypassing this restriction easier than ever — and it still works as of April 2025.
Discovered by user Wither OrNot and confirmed by BleepingComputer, this method lets you create a local account during installation without modifying the registry or using external scripts.
Here’s how it works:
During setup, when Windows 11 prompts “Let’s connect you to a network,” press Shift+F10 to open Command Prompt.
Run the following command:
start ms-cxh:localonly
This opens a hidden local user setup screen, allowing you to bypass Microsoft Account requirements entirely.
Complete setup as normal — the system will continue using your new local account.
After setup, you can verify this under the Start menu → account icon — it’ll show a local user, not a connected MS account.
-
ChatGPT Outage: Service Down Worldwide with “Something Went Wrong” Error
Bleeping Computer is reporting that ChatGPT is currently experiencing a global outage, affecting users across the U.S., Europe, Asia, and beyond. Users are reporting repeated "Something went wrong" errors when trying to interact with the AI. The issue persists despite retries and refresh attempts. OpenAI has not yet issued an official statement. This is a developing story — check the source link below for updates.
Downdetector:
https://downdetector.com/status/openai/
OpenAI Status Page:
https://status.openai.com/
-
State Bar of Texas Confirms Data Breach Following INC Ransomware Claim
The State Bar of Texas has confirmed a data breach after the INC ransomware gang claimed responsibility and began leaking stolen data. The breach, which occurred between January 28 and February 9, 2025, involved unauthorized access to internal systems and the theft of unspecified personal and professional information.
The Bar, which serves over 100,000 licensed attorneys, issued notification letters to affected members and is offering free credit monitoring and identity protection through Experian. The INC gang listed the organization on its dark web leak site on March 9, publishing legal case documents as alleged proof.
While it remains unverified if the leaked data came directly from the Bar's systems, recipients are being urged to remain vigilant, consider a credit freeze or fraud alert, and enroll in protection services before July 31, 2025. The State Bar has yet to comment publicly on the extent of the damage or respond to inquiries about the legitimacy of the leaked documents.
-
Critical RCE Vulnerability Found in Apache Parquet – CVE-2025-30065
A maximum severity remote code execution (RCE) vulnerability has been discovered in Apache Parquet, impacting all versions up to 1.15.0. Tracked as CVE-2025-30065, the flaw has received a CVSS v4 score of 10.0, the highest possible.
The issue stems from unsafe deserialization in the Parquet-Avro module, allowing attackers to execute arbitrary code when a crafted Parquet file is imported into a vulnerable system. While exploitation requires a user to process a malicious file, the widespread use of Parquet across big data platforms like Hadoop, AWS, Azure, and GCP increases the attack surface significantly.
Apache has patched the issue in version 1.15.1, and all users are urged to upgrade immediately. Organizations unable to upgrade should avoid untrusted files, validate inputs rigorously, and increase monitoring around systems processing Parquet data.
This vulnerability was responsibly disclosed by Amazon researcher Keyi Li and highlights the ongoing risks posed by untrusted data ingestion in analytics and data engineering environments.
No active exploitation has been observed yet, but the potential impact is severe. Admins and developers using Parquet in any form should treat this as a high-priority fix.
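The item above locates the flaw in the parquet-avro module's handling of the Avro schema embedded in a file. As an added example that is not Apache's code and not part of the original item, the Python below reads a Parquet file's trailer to find the footer and searches the embedded Avro schema for the class-naming properties `java-class`, `java-key-class` and `java-element-class`. That these properties are the instantiation trigger, and that parquet-avro stores the writer schema as JSON under the footer key `parquet.avro.schema`, are this example's assumptions from my reading of the fix, not statements the page makes. The file images it scans are constructed inline.

```python
import re
import struct

MAGIC = b"PAR1"

# Avro schema properties that carry Java class names. That parquet-avro
# <= 1.15.0 resolves and instantiates these while parsing the stored schema
# is an assumption of this example (stated in the lead-in), not the page's claim.
CLASS_PROPERTY_RE = re.compile(
    rb'"(java-class|java-key-class|java-element-class)"\s*:\s*"([^"]*)"'
)


def read_footer(data: bytes) -> bytes:
    """Return the raw footer bytes of a Parquet file image.

    Layout: 'PAR1' | row groups | footer | 4-byte little-endian footer
    length | 'PAR1'. Only the trailer is parsed; the thrift body is not
    decoded, which is enough for a byte-level triage scan.
    """
    if len(data) < 12 or not data.startswith(MAGIC) or not data.endswith(MAGIC):
        raise ValueError("not a Parquet file: magic bytes missing")
    (footer_len,) = struct.unpack("<I", data[-8:-4])
    if footer_len > len(data) - 12:
        raise ValueError("footer length exceeds file size")
    return data[-8 - footer_len:-8]


def find_class_properties(data: bytes) -> list[tuple[str, str]]:
    """Return (property, class name) pairs found in the embedded Avro schema.

    parquet-avro keeps the writer's Avro schema as a JSON string in the
    footer key/value metadata (assumed key: 'parquet.avro.schema'). Thrift's
    compact protocol stores string payloads as plain UTF-8, so the JSON is
    searchable without a full thrift decoder. An empty result only means this
    one indicator is absent; it is not proof the file is safe.
    """
    footer = read_footer(data)
    return [(p.decode(), c.decode()) for p, c in CLASS_PROPERTY_RE.findall(footer)]


def build_sample(schema_json: str) -> bytes:
    """Constructed file image with the given schema text in the footer.

    It is not a valid Parquet file (no real thrift structures); it only
    reproduces the trailer layout that read_footer() relies on."""
    footer = b"parquet.avro.schema" + schema_json.encode()
    return MAGIC + b"\x00" * 16 + footer + struct.pack("<I", len(footer)) + MAGIC


# Constructed schemas: a plain record, and one whose string field names a
# Java class through "java-class" (placeholder class name, not a real gadget).
BENIGN_SCHEMA = (
    '{"type":"record","name":"Row","fields":['
    '{"name":"id","type":"long"},{"name":"note","type":"string"}]}'
)
SUSPICIOUS_SCHEMA = (
    '{"type":"record","name":"Row","fields":['
    '{"name":"id","type":"long"},'
    '{"name":"note","type":{"type":"string","java-class":"example.PlaceholderClass"}}]}'
)


def triage(path: str) -> list[tuple[str, str]]:
    """Scan a file on disk before it reaches a consumer still on <= 1.15.0."""
    with open(path, "rb") as fh:
        return find_class_properties(fh.read())


if __name__ == "__main__":
    for label, schema in (("benign", BENIGN_SCHEMA), ("suspicious", SUSPICIOUS_SCHEMA)):
        print(label, find_class_properties(build_sample(schema)))
```

Run `triage(path)` over files staged for ingestion on hosts that cannot yet move to 1.15.1 and quarantine anything that reports a class-naming property; a clean result covers only this indicator, since the script neither decodes the thrift footer nor examines any other deserialization path, so upgrading remains the fix.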
-
Gmail Is Not a Secure Way to Send Sensitive Comms: A Friendly Reminder
New end-to-end Gmail encryption alone isn't secure enough for an enterprise's most sensitive and prized data, experts say.
On April 1, The Washington Post reported that US National Security advisers were using Gmail for official communications, including "highly technical conversations with colleagues at other government agencies involving sensitive military positions and powerful weapons systems relating to an ongoing conflict." The National Security Council pushed back, stressing Gmail was never used to send any classified materials. However, the news drew scrutiny in light of the recent revelations of the team's Signal leak of classified military information.
The same day, Google announced its email service would implement a new Google Workspace feature and provide end-to-end encryption in Gmail.
-
Coinbase to Fix Confusing 2FA Error Message Causing Security Panic
Coinbase is addressing a misleading error in its account activity logs that has alarmed users into thinking their accounts were under attack. The message — “2-step verification failed” — appears even when someone simply enters an incorrect password, leading many to believe their credentials were compromised.
The confusion escalated after phishing attempts, with users logging in to find failed 2FA entries from unknown locations. This triggered a wave of password resets, malware scans, and concern over a potential breach.
Coinbase has confirmed the message is misleading and is working on a fix, though no timeline has been provided. The issue is also being exploited in social engineering scams, reinforcing the need for vigilance. Coinbase reminds users: they will never contact you via call or text about account issues.
-
Hack The Box “Ghost” Challenge Cracked: Technical Walkthrough by 0xdf
Cybersecurity researcher 0xdf has successfully solved the “Ghost” challenge on Hack The Box and published a highly detailed exploit write-up. The post covers each phase of the attack — from initial reconnaissance using Nmap, to exploiting a directory traversal vulnerability, discovering hardcoded credentials, and escalating to root via a misconfigured cron job.
This real-world style scenario highlights serious security missteps like insecure input validation and writable root-level tasks. The challenge and exploit offer practical insights for both pentesters and sysadmins, showcasing how minor oversights can lead to full system compromise. A must-read for anyone interested in offensive security or infrastructure hardening.
Source:
https://gbhackers.com/hack-the-box-ghost-challenge-cracked-a-detailed-technical-exploit/
Walkthrough:
https://0xdf.gitlab.io/2025/04/05/htb-ghost.html
-
Google Launches "Sec-Gemini" AI to Supercharge Threat Intel and Incident Response
Google has unveiled Sec-Gemini v1, an experimental AI model that blends the power of its Gemini LLM with real-time security intelligence from Mandiant, GTI, and OSV. Designed to elevate threat detection and incident analysis workflows, Sec-Gemini outperforms rivals in benchmarks like CTI-MCQ and CWE mapping by over 10%.
The model can identify threat actors, assess vulnerabilities, and analyze root causes with high accuracy — and it’s being made available to vetted researchers and institutions for testing. A promising leap forward in AI-driven cybersecurity operations.
Source:
https://www.securityweek.com/google-pushing-sec-gemini-ai-model-for-threat-intel-workflows/
-
US OCC Alerts Congress to Major Email Breach Exposing Sensitive Financial Oversight Data
On April 8, 2025, the US Office of the Comptroller of the Currency (OCC) reported a major security incident to Congress involving unauthorized access to internal emails and attachments. Discovered in February, the breach exposed sensitive data used in financial institution oversight. Over 100 OCC employees’ inboxes were compromised, affecting more than 150,000 emails. The OCC is collaborating with the Treasury and third-party cybersecurity experts to assess the impact and remediate security weaknesses. No financial sector impact has been reported so far.
-
Fake Microsoft Office Add-in Tools Distribute Cryptocurrency-Stealing Malware via SourceForge
Threat actors are exploiting SourceForge to distribute counterfeit Microsoft Office add-in tools that install malware on victims' computers. This malware is designed to mine and steal cryptocurrency. The malicious project, named "officepackage," mimics legitimate Microsoft development tools, deceiving users into downloading and executing harmful files. The campaign has affected over 4,600 systems, primarily in Russia. Users are advised to download software only from verified sources and to scan all files with up-to-date antivirus tools before execution.
-
Gamaredon Hackers Target Western Military Mission in Ukraine Using Malicious USB Drives
The Russian state-linked APT group Gamaredon (aka Shuckworm) has been attributed to a February–March 2025 cyber attack targeting a foreign military mission based in Ukraine. According to Symantec researchers, initial access was gained via an infected removable drive containing a malicious shortcut file. Once inserted, the attack chain used mshta.exe to launch multiple payloads, including an info-stealing PowerShell malware known as GammaSteel.
The malware established C2 communications through legitimate services (e.g., Teletype, Telegram), propagated to other drives using malicious .lnk files, and executed reconnaissance scripts that collected screenshots, system details, antivirus status, and user documents. The final stage involved a more obfuscated GammaSteel variant that exfiltrated files with specific extensions from the Desktop and Documents folders.
Symantec noted an increase in Gamaredon’s sophistication—while still less advanced than other Russian actors, the group shows persistent improvement in evasion techniques, code obfuscation, and operational focus on Ukrainian targets.
Source:
https://thehackernews.com/2025/04/gamaredon-uses-infected-removable.html
-
CISA Flags Actively Exploited Linux Kernel Zero-Days Linked to Cellebrite Android Unlock Exploit Chain
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert on two actively exploited Linux kernel vulnerabilities—CVE-2024-53197 and CVE-2024-53150—used in a zero-day exploit chain reportedly developed by Cellebrite and deployed by Serbian authorities to unlock Android devices. CVE-2024-53197 targets ALSA USB-audio drivers for local privilege escalation, while CVE-2024-53150 enables kernel memory leaks. Both are now in CISA’s Known Exploited Vulnerabilities (KEV) catalog, with mandatory federal patching required by April 30, 2025.
-
Fortinet Reveals Persistent Post-Patch Access via SSL-VPN Symlink Exploit
Fortinet has disclosed that attackers are maintaining read-only access to FortiGate devices even after patching, by abusing symbolic links (symlinks) in SSL-VPN language file directories. The exploit, tied to previously patched CVEs (CVE-2022-42475, CVE-2023-27997, CVE-2024-21762), enables stealthy persistence across firmware updates. Fortinet has updated FortiOS (versions 6.4.16 to 7.6.2) to detect and remove the symlinks and prevent further abuse. CISA and CERT-FR have issued alerts, with recommendations to patch, review configurations, reset credentials, and consider disabling SSL-VPN temporarily. The compromise dates back to early 2023 and has impacted critical infrastructure targets.
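FortiOS is an appliance, so the detect-and-remove step the item mentions ships inside the firmware update rather than as something an operator scripts. As a generic illustration of that detection logic (added here; not Fortinet's code and not taken from the item), the Python below walks a directory that a web service serves files from and reports every symbolic link whose resolved target lies outside that tree, which is the shape of the persistence the item describes. The directory layout is constructed in a temporary folder and the file names are invented.

```python
import os
import tempfile


def find_escaping_symlinks(root: str) -> list[tuple[str, str]]:
    """Return (link, resolved target) for every symlink under root whose
    target resolves outside root. The walk does not follow links, so a
    symlinked directory is reported once rather than descended into."""
    root_real = os.path.realpath(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            link = os.path.join(dirpath, name)
            if not os.path.islink(link):
                continue
            target = os.path.realpath(link)
            # commonpath() equals root only when the target sits inside root.
            # A dangling link still resolves to a path and is judged by it.
            if os.path.commonpath([root_real, target]) != root_real:
                findings.append((link, target))
    return findings


def build_demo_tree(base: str) -> str:
    """Constructed layout imitating a served language-file directory:
    base/www/lang holds one real file, one link that stays inside the tree
    and one link that escapes to base/private."""
    www = os.path.join(base, "www")
    lang = os.path.join(www, "lang")
    private = os.path.join(base, "private")
    os.makedirs(lang)
    os.makedirs(private)
    with open(os.path.join(lang, "en.json"), "w") as fh:
        fh.write("{}")
    with open(os.path.join(private, "config.txt"), "w") as fh:
        fh.write("secret=placeholder\n")
    os.symlink("en.json", os.path.join(lang, "default.json"))                    # stays inside
    os.symlink(os.path.join("..", "..", "private"), os.path.join(lang, "fr"))  # escapes
    return www


def demo() -> list[tuple[str, str]]:
    """Build the constructed tree and return findings relative to it."""
    with tempfile.TemporaryDirectory() as base:
        base_real = os.path.realpath(base)
        www = build_demo_tree(base)
        return [
            (os.path.relpath(link, www), os.path.relpath(target, base_real))
            for link, target in find_escaping_symlinks(www)
        ]


if __name__ == "__main__":
    for link, target in demo():
        print(f"symlink escapes served tree: {link} -> {target}")
```

On a general-purpose host the same function can be pointed at any document root; a link that resolves outside the served tree is worth treating as a finding even when its target is harmless, because the pattern only has to be created once to survive later file-level updates.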
Source:
https://thehackernews.com/2025/04/fortinet-warns-attackers-retain.html
-
Windows CLFS Kernel Driver Zero-Day Exploited by Storm-2460 in Ransomware Attacks
On April 9, 2025, Microsoft reported that a zero-day vulnerability in the Windows Common Log File System (CLFS), identified as CVE-2025-29824, is being actively exploited by the threat actor Storm-2460. The group utilizes the PipeMagic malware to escalate privileges and deploy ransomware, primarily targeting IT and real estate sectors in the U.S., as well as organizations in Venezuela, Saudi Arabia, and Spain. PipeMagic, initially discovered in 2022, functions as both a backdoor and a gateway, and has been linked to previous attacks involving fake ChatGPT applications. Microsoft has released security updates to address this vulnerability, and the Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-29824 to its Known Exploited Vulnerabilities catalog.
Source:
https://www.cybersecuritydive.com/news/windows-clfs-zero-day-exploited-ransomware/744878/
-
China-Linked UNC5174 Targets Linux and macOS Systems Using SNOWLIGHT Malware and VShell RAT
Threat actor UNC5174 (aka Uteus), linked to the Chinese government, has launched a new cyber campaign targeting Linux and macOS systems. The group uses an updated version of the SNOWLIGHT malware and the open-source VShell RAT to establish persistent, fileless remote access. Initial access is achieved via an unknown vector, followed by a malicious bash script that deploys SNOWLIGHT and Sliver implants. These tools leverage WebSockets-based C2 channels and memory-resident payloads for stealth. The campaign echoes tactics seen in previous exploits against Ivanti and F5 products, and aligns with broader Chinese cyber-espionage operations across nearly 20 countries.
Related CVEs:
CVE-2024-8963
CVE-2024-9380
CVE-2024-8190
CVE-2025-0282
CVE-2025-22457
Source:
https://thehackernews.com/2025/04/chinese-hackers-target-linux-systems.html
-
EU's "ProtectEU" Plan Threatens End-to-End Encryption Across VPNs, Messaging Apps, and Secure Email Services
The EU Commission has launched ProtectEU, a broad internal security strategy aimed at giving law enforcement lawful access to encrypted communications. While still in its early stages, the proposal is already raising red flags across the cybersecurity industry for potentially undermining end-to-end encryption.
ProtectEU is part of a growing global trend where governments push for backdoors under the guise of national security. While aimed at combating crime, these proposals risk eroding digital privacy, weakening cybersecurity, and potentially driving privacy-focused services out of EU jurisdictions altogether.
Key Affected Services:
- VPN Providers: Proton, Mullvad, Surfshark, NordVPN, and others have expressed concern. Backdoors and data retention laws could force no-log VPNs to exit the EU market.
- Encrypted Messaging Apps: Platforms like Signal, WhatsApp, and Threema are primary targets for surveillance, as they use strong E2EE to protect user privacy.
- Secure Email Providers: Proton Mail and similar services could also be impacted due to their encrypted architecture.
- Secure File Sharing & VoIP Tools: Any service enabling private, encrypted communications or file transfers may be at risk if required to implement surveillance capabilities.
Industry Response:
- Proton: Warns weakening encryption would "make European security worse", not better.
- Mullvad: Criticizes ProtectEU as a rebrand of prior mass surveillance proposals ("Chat Control").
- NordVPN & Surfshark: Express cautious optimism but emphasize that privacy and security are inseparable.
- AdGuard VPN: Warns that enforced data retention would make no-log services "untenable".
European Commission Press Release:
https://ec.europa.eu/commission/presscorner/detail/en/ip_25_920
-
4chan Hit by Major Breach: Alleged Hacker Leaks Source Code, Moderator Identities, and Disrupts Site
In mid-April 2025, the notorious imageboard 4chan suffered a significant cybersecurity incident that has left the site offline and raised serious concerns over its internal security. Multiple sources report that a hacker, allegedly with long-term access to the platform's backend, exfiltrated and leaked sensitive data including source code, moderation tools, and a full list of site moderators and janitors.
The breach was first hinted at when a previously defunct board on 4chan unexpectedly came back online, displaying the message “U GOT HACKED.” Following this, screenshots began circulating on social media and cybercrime forums, purportedly showing access to backend infrastructure, admin panels, and internal templates. Cybersecurity analyst Alon Gal noted that these materials appear legitimate, and at least one 4chan moderator, speaking anonymously, did not dispute their authenticity.
Further reporting claims the attacker had access to 4chan’s systems for over a year before initiating the leak. The incident not only exposed internal systems and personnel data but also disrupted the platform’s availability, with 4chan remaining inaccessible at the time of writing.
TechRadar and TechCrunch both received confirmation from individuals tied to 4chan’s moderation team, expressing concern that this breach may be worse than previous DDoS attacks or takedowns, given that the attacker may have had — or still has — full control over the platform’s infrastructure.
The incident has prompted a wave of reaction across rival forums and social platforms. Some users, particularly from historically antagonistic communities like 8chan and remnants of eBaum’s World, have openly celebrated what they’ve labeled as 4chan’s “downfall.”
4chan, known for minimal moderation and a culture steeped in anonymity and chaos, has long served as a hub for internet subcultures, memes, and coordinated online raids. However, it has also faced widespread criticism for hosting extreme content, including harassment, disinformation campaigns, and more recently, AI-generated explicit material.
-
CISA Warns: 2021 SonicWall SMA 100 VPN Bug (CVE‑2021‑20035) Now Weaponized for Remote Code Execution
A four‑year‑old command‑injection bug in SonicWall’s SMA 100 series VPN gateways (CVE‑2021‑20035) has moved from “theoretical DoS” to confirmed remote‑code‑execution and is now actively exploited in the wild. CISA added the flaw to its Known Exploited Vulnerabilities (KEV) list on 16 April 2025 and gave U.S. federal agencies until 7 May 2025 to patch. SonicWall updated its original 2021 advisory the same day, raising the CVSS score from 6.5 (Medium) to 7.2 (High) and warning customers that exploitation allows code execution as the low‑privilege nobody user.
Affected models – SMA 200, 210, 400, 410 and virtual SMA 500v on ESX, KVM, AWS & Azure.
Sources:
https://thehackernews.com/2025/04/cisa-flags-actively-exploited.html
-
Sophisticated Multi-Stage Malware Campaign Uses .JSE and PowerShell to Deploy Agent Tesla, XLoader, and Remcos RAT
A recently uncovered malware campaign observed by Palo Alto Networks Unit 42 reveals a complex, multi-stage attack chain using deceptive emails and layered execution tactics to evade detection and deploy potent remote access trojans (RATs), including Agent Tesla, XLoader, and Remcos RAT.
The infection begins with a phishing email masquerading as a legitimate payment confirmation, urging recipients to open an attached 7-zip archive containing a .JSE (JavaScript Encoded) file. When executed, this script fetches a PowerShell command from an external server. This script contains a Base64-encoded payload, which is decoded, dropped into the temp directory, and executed.
Depending on the variant, the next-stage payload is either:
- A .NET binary: containing an encrypted Agent Tesla payload, injected into RegAsm.exe, often linked with Snake Keylogger or XLoader.
- An AutoIt-compiled binary: designed to obscure analysis, which decrypts and loads shellcode that injects a .NET payload into RegSvcs.exe, again delivering Agent Tesla.
Key traits of the attack:
- Multi-layered execution paths increase resilience and hinder static or dynamic detection.
- Minimal obfuscation is used; instead, the attackers favor simple but chained techniques to achieve stealth and modular delivery.
- Execution via legitimate system processes (like RegAsm.exe and RegSvcs.exe) is employed for evasion and persistence.
The discovery highlights a trend toward stacked execution stages as a means of defense evasion rather than using heavily obfuscated or exotic malware techniques.
The report also coincides with new activity from the IronHusky APT group, targeting Mongolian and Russian government entities using a new version of MysterySnail RAT, further reflecting a broader increase in multi-stage, phishing-driven malware campaigns.
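Both the Gamaredon item above (mshta.exe launching content carried on removable media) and this Unit 42 chain (a .JSE file under a script host, an encoded PowerShell stage, payloads injected into RegAsm.exe or RegSvcs.exe) leave the same kind of trace in process-creation telemetry. The Python below is an added example, not code from either report, that runs four simple rules over constructed events. The event field names, the set of fixed drive letters and the allowlist of expected RegAsm/RegSvcs parents are assumptions of the example, and the sample events are invented.

```python
import re

# Constructed process-creation events (not real telemetry). The image /
# parent / command-line fields follow the Sysmon Event ID 1 idea, but this
# layout is the example's own assumption.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'mshta.exe "E:\docs\report.hta"'},
    {"image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Program Files\7-Zip\7zFM.exe",
     "cmdline": r'wscript.exe "C:\Users\u\AppData\Local\Temp\7zO1\payment.jse"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc QQBCAEMA"},
    {"image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "RegAsm.exe"},
    {"image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "parent": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmdline": "RegAsm.exe /codebase MyLib.dll"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "notepad.exe"},
]

FIXED_DRIVES = {"c"}                                     # assumption: C: is the only fixed disk
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
DOTNET_UTILITIES = {"regasm.exe", "regsvcs.exe"}
EXPECTED_DOTNET_PARENTS = {"msbuild.exe", "devenv.exe"}  # assumption: build tooling only
DRIVE_RE = re.compile(r"\b([A-Za-z]):\\")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_mshta_other_drive(ev: dict) -> bool:
    """Gamaredon item: mshta.exe launching content from a drive letter that
    is not a fixed disk (removable media mounts as another letter)."""
    if basename(ev["image"]) != "mshta.exe":
        return False
    letters = {m.lower() for m in DRIVE_RE.findall(ev["cmdline"])}
    return bool(letters - FIXED_DRIVES)


def rule_script_host_runs_jse(ev: dict) -> bool:
    """Unit 42 item: a Windows script host executing an encoded JScript (.jse) file."""
    return (basename(ev["image"]) in {"wscript.exe", "cscript.exe"}
            and re.search(r"\.jse\b", ev["cmdline"], re.I) is not None)


def rule_encoded_powershell_from_script(ev: dict) -> bool:
    """Unit 42 item: PowerShell spawned by a script host with an encoded command."""
    return (basename(ev["image"]) == "powershell.exe"
            and basename(ev["parent"]) in SCRIPT_HOSTS
            and re.search(r"(?i)\s-(enc|encodedcommand|e)\b", ev["cmdline"]) is not None)


def rule_dotnet_utility_unusual_parent(ev: dict) -> bool:
    """Injection stage from the Unit 42 item: RegAsm/RegSvcs started by
    anything other than the build tooling that legitimately uses them."""
    return (basename(ev["image"]) in DOTNET_UTILITIES
            and basename(ev["parent"]) not in EXPECTED_DOTNET_PARENTS)


RULES = [rule_mshta_other_drive, rule_script_host_runs_jse,
         rule_encoded_powershell_from_script, rule_dotnet_utility_unusual_parent]


def detect(events: list[dict]) -> list[tuple[int, str]]:
    """Return (event index, rule name) for every rule that fires."""
    hits = []
    for idx, ev in enumerate(events):
        for rule in RULES:
            if rule(ev):
                hits.append((idx, rule.__name__))
    return hits


if __name__ == "__main__":
    for idx, name in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {name}: {SAMPLE_EVENTS[idx]['cmdline']}")
```

The RegAsm/RegSvcs rule is deliberately an allowlist on the parent rather than a search for a known-bad parent, because the item's second variant reaches the same host process through an AutoIt-compiled binary whose name is not predictable; tune `EXPECTED_DOTNET_PARENTS` to the build tools actually present in the environment before relying on it.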
Sources:
https://thehackernews.com/2025/04/multi-stage-malware-attack-uses-jse-and.html
https://unit42.paloaltonetworks.com/phishing-campaign-with-complex-attack-chain
-
Infostealer Surge: Phishing Emails Delivering Credential-Theft Malware Soar 84% Year-over-Year
According to IBM Security’s 2025 X-Force Threat Intelligence Index, phishing emails containing infostealers rose by 84% in 2024, signaling a shift toward stealthier cyberattack methods focused on data theft rather than encryption. Early 2025 data shows this trend accelerating, with a staggering 180% increase already recorded. The report highlights that credential theft now outpaces ransomware, with stolen data involved in nearly half of all cyberattacks. The underground market for infostealers remains robust, with 8 million listings for just the top five tools, contributing to the theft of 1.6 billion credentials. Critical infrastructure is increasingly targeted, often through vulnerabilities linked to nation-state actors.