A new Cisco Talos report reveals critical flaws in Dell Latitude and Precision laptops. Find out how hackers can exploit the ControlVault chip to steal sensitive data.
Over 100 Dell Laptop Models Plagued by Vulnerabilities Impacting Millions (admin, 2025-08-05 17:07)
Just recently, within days of each other, Mozilla (the organization behind the Firefox browser) and the team that maintains the Python Package Index (a catalog of software written in Python) published very similar warnings about phishing attacks. Unknown attackers are trying to lure both Python developers with accounts on pypi.org and Firefox plugin creators with addons.mozilla.org accounts to fake sites in order to trick them into giving up their credentials. For this reason, we recommend that open-source developers (not just PyPI and AMO users) be especially careful when clicking on links from emails.
These two attacks are not necessarily related (after all, the phishers’ methods are slightly different). However, taken together, they demonstrate an increased cybercriminal interest in code repositories and app stores. Most likely, their ultimate goal is to organize supply chain attacks, or resell credentials to other criminals who can organize such an attack. After all, having gained access to a developer’s account, attackers can inject malicious code into packages or plugins.
Details of a phishing attack on PyPi developers
Phishing emails addressed to users of the Python Package Index are sent to addresses specified in the metadata of packages published on the site. The subject line contains the phrase “[PyPI] Email verification”. The emails are sent from addresses on the @pypj.org domain, which differs by only one letter from the real directory domain — @pypi.org — that is, they use a lowercase j instead of a lowercase i.
The email states that developers need to verify their email address by clicking on a link to a site that imitates the design of the legitimate PyPI. Interestingly, the phishing site not only collects the victims’ credentials, but also relays them to the real site, so that after the “verification” is complete, the victim ends up logged in on the legitimate site, and often doesn’t even realize that their credentials have just been stolen.
The team that maintains the Python Package Index recommends that anyone who clicks on the link in the email immediately change their password, and also check the “Security History” section in their account.
Details of a phishing attack on addons.mozilla.org accounts
The phishing sent to Firefox add-on developers imitates emails from Mozilla or directly from AMO. The gist of the message boils down to a need to update account data in order to continue using the developer features.
Judging by the example uploaded by one of the recipients of the email, the attackers don’t bother to disguise the sender’s address — the email was sent from a standard Gmail account. It also follows from the comments that the phishers sometimes misspell the name Mozilla, dropping one of the l letters.
How to stay safe?
Developers should be extremely careful with emails containing links to such sites. They should check the domains from which the emails are sent, as well as the links that they’re asked to follow. Even if the email seems legitimate, they should log in to the account by manually entering the site’s address, or by following a previously saved bookmark. In addition, we recommend equipping all devices used for work with security solutions that will block the opening of a phishing site even if the link was clicked on.
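The advice above (check the sender domain and the link targets, and treat one-letter variants such as pypj.org or a misspelled Mozilla as suspicious) can be automated as a simple lookalike check. The following is an added example, not code from Kaspersky, PyPI or Mozilla; the trusted-domain list and the sample headers are constructed for illustration, and the edit-distance threshold of 1 is an assumption that catches the single-character swaps described in the article.

```python
"""Lookalike-domain check for sender addresses and link targets (added example)."""
from urllib.parse import urlparse

# Constructed allow-list of legitimate domains for this example.
TRUSTED_DOMAINS = ("pypi.org", "mozilla.org", "addons.mozilla.org")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; a distance of 1 covers pypj.org vs pypi.org."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 1):
    """Return (verdict, matched_domain).

    verdict is one of: "trusted" (exact or subdomain of a trusted domain),
    "lookalike" (within max_distance edits of a trusted domain), "untrusted".
    """
    domain = domain.lower().strip(".")
    if not domain:
        return ("invalid", domain)
    for t in trusted:
        # Suffix match must include the dot, so pypi.org.evil.example is NOT trusted.
        if domain == t or domain.endswith("." + t):
            return ("trusted", t)
    for t in trusted:
        if levenshtein(domain, t) <= max_distance:
            return ("lookalike", t)
    return ("untrusted", domain)


def sender_domain(from_header: str) -> str:
    """Extract the domain from 'Name <user@domain>' or a bare address."""
    addr = from_header.rsplit("<", 1)[-1].rstrip(">").strip()
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1]


def classify_sender(from_header: str):
    return classify_domain(sender_domain(from_header))


def classify_link(url: str):
    """Classify the host a link actually points at, not its display text."""
    host = urlparse(url).hostname or ""
    return classify_domain(host)


if __name__ == "__main__":
    # Constructed sample headers and links modelled on the article's description.
    for hdr in ("PyPI <noreply@pypj.org>", "Mozilla Add-ons <someone@gmail.com>",
                "support@mozila.org", "noreply@mail.pypi.org"):
        print(hdr, "->", classify_sender(hdr))
    print(classify_link("https://pypi.org.example.test/verify"))
```

Run it against parsed message headers and every href in the body; a "lookalike" verdict is exactly the pypj.org pattern the PyPI team described, while "untrusted" on a sender claiming to be Mozilla matches the Gmail-sender case.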
Phishing attack on PyPi and AMO developers | Kaspersky official blog (admin, 2025-08-05 17:06)
Hacker used a voice phishing attack to steal Cisco customers’ personal information (admin, 2025-08-05 15:07)
While the cybercrime underground has professionalized and become more organized in recent years, threat actors are, to a great extent, still using the same attack methods today as they were in 2020.
Why the Old Ways Are Still the Best for Most Cybercriminals (admin, 2025-08-05 14:07)
A combination of phishing lures, a previously spotted infostealer and Telegram bots are fueling a campaign by apparent Vietnamese-speaking hackers to capture and sell sensitive data globally.
Vietnamese-speaking hackers appear to be running global data theft operation through Telegram (admin, 2025-08-05 14:07)
Looking for an alternative to Google Authenticator? Here’s our comprehensive list covering the top competitors and alternatives to help you find your best fit.
Talos reported 5 vulnerabilities to Broadcom and Dell affecting both the ControlVault3 Firmware and its associated Windows APIs that we are calling “ReVault”.
100+ models of Dell Laptops are affected by this vulnerability if left unpatched.
The ReVault attack can be used as a post-compromise persistence technique that can remain even across Windows reinstalls.
The ReVault attack can also be used as a physical compromise to bypass Windows Login and/or for any local user to gain Admin/System privileges.
Dell ControlVault overview
Dell ControlVault is “a hardware-based security solution that provides a secure bank that stores your passwords, biometric templates, and security codes within the firmware.” A daughter board provides this functionality and performs these security features in firmware. Dell refers to the daughter board as a Unified Security Hub (USH), as it is used as a hub to run ControlVault (CV), connecting various security peripherals such as a fingerprint reader, smart card reader and NFC reader.
Here is a photographic example of a USH board:
Picture of a USH Board running CV.
This is the board in its natural environment:
USH board (highlighted in orange) inside a Dell Latitude laptop.
The current iterations of the product are called ControlVault3 and ControlVault3+, and can be found in more than 100 different models of actively-supported Dell laptops (see DSA-2025-053), mostly from the business-centric Latitude and Precision series. These laptop models are widely used in the cybersecurity industry, in government settings and, in their Rugged version, in challenging environments. Sensitive industries that require heightened security when logging in (via smart card or NFC) are more likely to find ControlVault devices in their environment, as they are necessary to enable these security features.
Findings
Today, Talos is publishing five CVEs and their associated reports. The vulnerabilities include multiple out-of-bounds vulnerabilities (CVE-2025-24311, CVE-2025-25050), an arbitrary free (CVE-2025-25215) and a stack overflow (CVE-2025-24922), all affecting the CV firmware. We also reported an unsafe deserialization (CVE-2025-24919) that affects ControlVault’s Windows APIs.
Impact
With a lack of common security mitigations and the combination of some of the vulnerabilities mentioned above, the impact of these findings is significant. Let’s highlight two of the most critical attack scenarios we have uncovered.
Post-compromise pivot
On the Windows side, a non-administrative user can interact with the CV firmware using its associated APIs and trigger an Arbitrary Code Execution on the CV firmware. From this vantage point, it becomes possible to leak key material essential to the security of the device, thus gaining the ability to permanently modify its firmware. This creates the risk of a so-called implant that could stay unnoticed in a laptop’s CV firmware and eventually be used as a pivot back onto the system in the case of a Threat Actor’s post-compromise strategy. The following video shows how a tampered CV firmware can be used to “hack Windows” by leveraging the unsafe deserialization bug mentioned previously.
(Video, 0:22: a tampered CV firmware used to compromise Windows via the unsafe deserialization bug.)
Physical attack
A local attacker with physical access to a user’s laptop can pry it open and directly access the USH board over USB with a custom connector. From there, all the vulnerabilities described previously become in-scope for the attacker without requiring the ability to log in to the system or knowledge of a full-disk encryption password. While chassis intrusion can be detected, this is a feature that needs to be enabled beforehand to be effective at warning of potential tampering.
Another interesting consequence of this scenario is that if a system is configured to be unlocked with the user’s fingerprint, it is also possible to tamper with the CV firmware to accept any fingerprint rather than only allowing a legitimate user’s.
(Video, 0:07: tampered CV firmware accepting an arbitrary fingerprint.)
Remediation
Mitigation
To mitigate these attacks, Talos recommends the following:
Keep your system up to date to ensure the latest firmware is installed. CV firmware can be automatically deployed via Windows Update, but new firmware usually gets released on the Dell website a few weeks prior.
If not using any of the security peripherals (fingerprint reader, smart card reader and NFC reader) it is possible to disable the CV services (using the Service Manager) and/or the CV device (via the Device Manager).
It is also worth considering disabling fingerprint login when risks are heightened (e.g., leaving one’s laptop unattended in a hotel room). Windows also provides Enhanced Sign-in Security (ESS), which may help mitigate some of the physical attacks and detect inappropriate CV firmware.
Detection
To detect an attack, consider the following:
Depending on your laptop model, chassis intrusion detection can be enabled in the computer’s BIOS. This would flag physical tampering and may require entering a password to clear the alert and restart the computer.
In the Windows logs, unexpected crashes of the Windows Biometric Service or the various Credential Vault services could be a sign of compromise.
Cisco customers using Cisco Secure Endpoint can be made aware of potential risks with the signature definition “bcmbipdll.dll Loaded by Abnormal Process”.
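The log-based indicator above (unexpected crashes of the Windows Biometric Service or the ControlVault-related services) can be checked over an exported System event log. The following is an added example, not Talos or Dell code: it parses a constructed text export of Service Control Manager events, keeps only the real "service terminated unexpectedly" event IDs 7031 and 7034, and flags a service that crashed repeatedly inside a time window. "Windows Biometric Service" is the real display name of WbioSrvc; the "ControlVault" substring and the 24-hour/2-crash thresholds are assumptions, and the exact Dell service names should be taken from the Services console on an affected laptop.

```python
"""Flag repeated crashes of biometric/ControlVault services in a System log export (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Service Control Manager event IDs for unexpected service termination (real IDs).
CRASH_EVENT_IDS = {7031, 7034}
# Display-name substrings to watch. "ControlVault" is an assumed substring match;
# confirm the real Dell service names locally.
WATCHED_SERVICES = ("Windows Biometric Service", "ControlVault")

# One line per event: "<ISO timestamp> <level> <event id> Service Control Manager: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<level>\w+)\s+(?P<id>\d+)\s+Service Control Manager:\s+"
    r"The (?P<svc>.+?) service terminated unexpectedly"
)

# Constructed sample export; the "ControlVault-example" name is a placeholder.
SAMPLE_LOG = """\
2025-08-05T08:12:01 Information 7036 Service Control Manager: The Windows Biometric Service service entered the running state.
2025-08-05T09:03:44 Error 7034 Service Control Manager: The Windows Biometric Service service terminated unexpectedly. It has done this 1 time(s).
2025-08-05T09:04:10 Error 7031 Service Control Manager: The Windows Biometric Service service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
2025-08-05T09:05:02 Error 7034 Service Control Manager: The Print Spooler service terminated unexpectedly. It has done this 1 time(s).
2025-08-05T21:40:19 Error 7034 Service Control Manager: The ControlVault-example service terminated unexpectedly. It has done this 1 time(s).
"""


def parse_crash_events(lines):
    """Return (timestamp, service, event_id) for crash events of watched services."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        event_id = int(m.group("id"))
        if event_id not in CRASH_EVENT_IDS:
            continue
        svc = m.group("svc")
        if not any(w.lower() in svc.lower() for w in WATCHED_SERVICES):
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S")
        events.append((ts, svc, event_id))
    return events


def find_crash_bursts(lines, window=timedelta(hours=24), threshold=2):
    """Map service -> max number of crashes seen inside any `window`, if >= threshold."""
    by_svc = defaultdict(list)
    for ts, svc, _ in parse_crash_events(lines):
        by_svc[svc].append(ts)
    findings = {}
    for svc, stamps in by_svc.items():
        stamps.sort()
        best, j = 0, 0
        for i, t in enumerate(stamps):
            # Slide the window start forward until it is within `window` of event i.
            while stamps[j] < t - window:
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            findings[svc] = best
    return findings


if __name__ == "__main__":
    for svc, count in find_crash_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"investigate: {svc} crashed {count}x within 24h")
```

A single crash of a watched service is not proof of anything, which is why the default threshold is two; lower it to one when triaging a laptop that was left unattended, and correlate any hit with the chassis-intrusion BIOS alert mentioned above.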
Conclusion
These findings highlight the importance of evaluating the security posture of all hardware components within your devices, not just the operating system or software. As Talos demonstrated, vulnerabilities in widely-used firmware such as Dell ControlVault can have far-reaching implications, potentially compromising even advanced security features like biometric authentication. Staying vigilant, patching your systems and proactively assessing risk are essential to safeguard your systems against evolving threats.
ReVault! When your SoC turns against you… (admin, 2025-08-05 13:06)
Black Hat USA 2025 – Summary of Vendor Announcements (Part 1) (admin, 2025-08-05 12:06)