As the summer event season kicks off, venue managers and security firms aim to make AI part of the solution for keeping control of crowds and protecting against cyber-physical threats.
darkreading – Read More
Russian national Rustam Gallyamov was indicted in the US for his leading role in the development and distribution of Qakbot malware.
The post Russian Qakbot Gang Leader Indicted in US appeared first on SecurityWeek.
SecurityWeek – Read More
A Chrome zero-day bug, CVE-2025-4664, exposes login tokens on Windows and Linux. Google has issued a fix, users should update immediately.
Hackread – Latest Cybersecurity, Hacking News, Tech, AI & Crypto – Read More
From zero-day exploits to large-scale bot attacks — the demand for a powerful, self-hosted, and user-friendly web application security solution has never been greater.
SafeLine is currently the most starred open-source Web Application Firewall (WAF) on GitHub, with over 16.4K stars and a rapidly growing global user base.
This walkthrough covers what SafeLine is, how it works, and why it’s
The Hacker News – Read More
CISA warns companies of a widespread campaign targeting a Commvault vulnerability to hack Azure environments.
The post Companies Warned of Commvault Vulnerability Exploitation appeared first on SecurityWeek.
SecurityWeek – Read More
ESET Research shares its findings on the workings of Danabot, an infostealer recently disrupted in a multinational law enforcement operation
WeLiveSecurity – Read More
A Chinese threat actor exploited a zero-day vulnerability in Trimble Cityworks to hack local government entities in the US.
The post Cityworks Zero-Day Exploited by Chinese Hackers in US Local Government Attacks appeared first on SecurityWeek.
SecurityWeek – Read More
The elusive hacking group Careto was never publicly linked to a specific government, but TechCrunch has learned researchers concluded privately that the Spanish government was behind the group.
Security News | TechCrunch – Read More
By Darin Smith and John Arneson
At a sufficiently high volume of telemetry, domain names that PowerShell rarely connects to are more likely to be malicious than domains that are frequently connected to, regardless of PowerShell module.
Talos queried telemetry for PowerShell network connection logs from a time period of June 1, 2024 to Dec. 31, 2024. This dataset included the following processes: ‘powershell.exe’, ‘powershell studio.exe’, ‘powershell_ise.exe’, ‘powershelltools.exe’, ‘powershelltoolsx64.exe’, ‘pwsh’, and ‘pwsh.exe’. All of these processes are different versions of PowerShell. Talos excluded non-public top-level domains (TLDs), such as internal domains, to focus on external connections.
Using the tldextract library, Talos extracted base domains (e.g., ‘automox.com’ from ‘api.automox.com’), resulting in 742 unique base domains. Rarity was defined as an average of ≤5 average contacts per full domain, calculated by dividing the total contacts by the number of unique full domains per base domain. This threshold identified 550 rare domains (74.1% of the total).
Talos assessed domain reputation using ReversingLabs (RL), which flagged a domain as malicious if any third-party source indicated so. To mitigate false positives (e.g., ‘adobe.com’), 29 domains were manually reviewed and overridden as benign, and their process arguments were documented. For subdomains such as ‘raw.githubusercontent.com’ under ‘githubusercontent.com’, the process arguments in those logs were manually reviewed, flagging 5 out of 10 connections as malicious based on commands like downloading PowerSploit or executing Invoke-Mimikatz, ensuring comprehensive threat detection.
The distribution of contacts was heavily skewed:
The non-rare domain ‘githubusercontent.com’ (38 contacts, 2 full domains: ‘raw.githubusercontent.com’ and ‘objects.githubusercontent.com’, average 19.00 contacts per full domain) was flagged as malicious due to 5 manually identified malicious contacts from ‘raw.githubusercontent.com’. These contacts involved potentially malicious PowerShell commands, such as downloading and executing scripts like PowerSploit or Invoke-Mimikatz. The other subdomain, ‘objects.githubusercontent.com’ (28 contacts), showed no malicious activity. This finding illustrates that even frequently contacted domains can host malicious subdomains, emphasizing the need for subdomain-level analysis in threat detection.
Another research question investigated was how the domains contacted by other similar processes would compare to those contacted by PowerShell. For the purposes of this research, Talos chose the following processes for analysis:
These processes are primarily other command line or script interpreters, as well as ‘rundll32.exe’, which allows executing Dynamically Linked Libraries (DLLs) from the command line.
When the same heuristics as were utilized for PowerShell were applied to the domains contacted by these processes, the results varied somewhat. Across 156,203 total connection records for ‘rundll32.exe’, 940 unique domains were contacted. Of these, 722 of these domains were “rare,” using the same heuristic applied to PowerShell (i.e., they were contacted at most five times). Only one of the domains contacted was found to be malicious, either among the rare domains or the non-rare domains.
Similarly, among 795,346 total connection records for Python, 825 unique domains were contacted and 616 were rare using the same criteria. None of the rare domains were malicious, while 1 of the non-rare domains was. The processes cscript, cmd, zsh and csh had similar results, with no or single digit numbers of malicious domains contacted. However, wscript was much more interesting. It had a much smaller amount of total utilization in the dataset investigated, with just 6,936 connection events and 82 unique domains contacted. Of these, 58 domains were rare (or roughly 71%), and 5 were found to be malicious.
This research presents several opportunities for future research. One opportunity is temporal analysis to determine if there were time-based patterns for contacting domains, and if so, determining if these patterns could be used to identify malicious activity. This could potentially include seeing increased contacts of malicious domains during weekends or off-hours. Time-series analysis could be applied to the data to test this hypothesis.
Another opportunity is the behavioral analysis of process arguments, focusing on identifying recurring patterns tied to malicious activity, such as downloading PowerShell scripts from a remote host, or exfiltration of data. This could be used to refine the current rarity to malicious correlation of 1.64% for rare domains versus 0.52% for non-rare domains. This may spotlight behavioral red flags and give actionable insights for more precision detection logic.
Finally, future research can develop a risk scoring system that integrates multiple factors such as contact frequency, malicious rate, TLDs and even ReversingLabs’ network threat intelligence. This can provide a scalable and practical tool for security teams to prioritize high-risk domains, whether rare or non-rare like ‘githubusercontent.com’. This builds on the current analysis but also paves the way for more robust, data-driven strategies to combat threats, ensuring this research delivers lasting value to the security community.
Cisco Talos Blog – Read More
Smart homes today are nothing like the science fiction in late-90s movies. They’re a reality for almost everyone living in a major city. You’d be hard-pressed to find a modern apartment without smart electricity outlets, speaker, or TV. In new construction, you’ll sometimes see homes built smart right from the get-go, which results in entire smart residential complexes. Residents can manage not just their in-apartment devices, but also external systems like intercoms, cameras, gates, utility meters, and fire alarms – all through a single app.
But what happens if there’s a security hole in an app like that? Our experts in the Global Research and Analysis Team (GReAT) know the answer. They’ve uncovered a vulnerability in the Rubetek Home app and explored the potential security risks for smart-home owners, which, thankfully, didn’t materialize.
This vulnerability stemmed from the app sending sensitive data during its logging process. The developers used the Telegram Bot API to collect analytics and send debug information files from users to a private development-team chat via a Telegram bot.
The problem was that these files, in addition to system information, contained users’ personal data and, more critically, refresh tokens needed to authorize access to the user’s account. Potential attackers could have forwarded all these files to themselves using the same Telegram bot. To do this, they could obtain its Telegram token and the chat ID from the app code, and then iterate through the sequential numbers of messages containing the files.
Recently, logging events via Telegram has become increasingly popular. It’s convenient and fast to receive important notifications in messenger. However, this approach requires caution: we recommend not to forward sensitive data in the application logs, and, in addition, to prohibit copying and forwarding content from the group in Telegram settings or use the protect_content parameter when sending a message through a Telegram bot.
Important note: we contacted Rubetek immediately upon discovering the vulnerability. At the time of this post, the issue had been fixed.
Potential attackers could have gained access to data that all of the user’s apps were sending to the developer. The list of this data is mind-boggling:
Users of both Android and iOS apps were at risk.
This wide range of data could have allowed for comprehensive surveillance – permitting knowing who lives where and on which days they aren’t home. Criminals could have learned someone’s schedule and, during those empty hours, enter any apartment after remotely disabling cameras and other security systems through the app.
While such a blatant break-in would certainly have been noticed, there are other, more subtle possibilities. For example, by exploiting the vulnerability, attackers could have remotely changed the colors of smart lightbulbs and floor temperatures, endlessly turning lights on and off, causing the homeowners a noticeable financial loss.
What’s even more unsettling was the potential for an attacker to target not just one apartment or house, but thousands of residents in an entire complex. Of course, simultaneously disabling access-control systems wouldn’t have gone unnoticed by the building management, but how quickly would they work out what was happening, and what damage could residents suffer in the meantime?
Keep in mind that the type of vulnerabilities we’re discussing could be present in other smart-home apps as well. Being one of millions of customers, you have virtually no way of knowing if an app has been compromised. Therefore, if you notice even the slightest kinds of suspicious activity, such as new people on your guest list, unauthorized opening and closing of gates and doors, and so on, we recommend contacting the app administrator and vendor as soon as possible.
Back in a more common scenario, like using smart devices within your own apartment with no network administrator to turn to, we recommend following these rules:
Check out these links to explore other potential risks of a hacked smart home and ways to protect your property.
Kaspersky official blog – Read More