Security


A community for discussion about cybersecurity, hacking, cybersecurity news, exploits, bounties etc.

Rules:

  1. All instance-wide rules apply.
  2. Keep it totally legal.
  3. Remember the human, be civil.
  4. Be helpful, don't be rude.


This joint cybersecurity advisory (CSA) highlights a Russian state-sponsored cyber campaign targeting Western logistics entities and technology companies. This includes those involved in the coordination, transport, and delivery of foreign assistance to Ukraine. Since 2022, Western logistics entities and IT companies have faced an elevated risk of targeting by the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (85th GTsSS), military unit 26165—tracked in the cybersecurity community under several names (see “Cybersecurity Industry Tracking”). The actors’ cyber espionage-oriented campaign, targeting technology companies and logistics entities, uses a mix of previously disclosed tactics, techniques, and procedures (TTPs). The authoring agencies expect similar targeting and TTP use to continue.

Executives and network defenders at logistics entities and technology companies should recognize the elevated threat of unit 26165 targeting, increase monitoring and threat hunting for known TTPs and indicators of compromise (IOCs), and posture network defenses with a presumption of targeting.

This cyber espionage-oriented campaign targeting logistics entities and technology companies uses a mix of previously disclosed TTPs and is likely connected to these actors’ wide scale targeting of IP cameras in Ukraine and bordering NATO nations.

  • AI media generation is a significant trend in how we use the Internet in 2025. Kling AI is a widely used platform, with 6 million users since its launch in June 2024.
  • A threat actor mimicked Kling AI and drove traffic to a convincing fake website via counterfeit Facebook pages and paid ads.
  • User submissions of a text prompt or image on this fake site produce a seemingly innocent media file whose filename uses Hangul Filler characters to conceal an executable.
  • In some cases, the executable’s loader used .NET Native AOT compilation for stealth. Executing it installs an infostealer with monitoring capabilities.
  • This campaign has a global reach, with victims reported across multiple regions, most notably in Asia.

Check Point Research uncovered a sophisticated phishing campaign that abuses Discord and targets crypto users. Attackers redirect users from a legitimate Web3 website to a fake Collab.Land bot and then to a phishing site, tricking them into signing malicious transactions. The drainer script deployed on that site was directly linked to Inferno Drainer. Despite publicly shutting down in late 2023, Inferno Drainer remained fully operational. Smart contracts deployed in 2023 continued to be used into 2025. Recent campaigns show notable technical upgrades and infrastructure improvements. Inferno Drainer employs advanced anti-detection tactics — including single-use and short-lived smart contracts, on-chain encrypted configurations, and proxy-based communication — successfully bypassing wallet security mechanisms and anti-phishing blacklists. In just the last six months, more than 30,000 wallets were victimized by Inferno Drainer, resulting in at least $9 million in losses. The combination of evolving technical sophistication and convincing social engineering continues to drive the success of these attacks.


Even after users change their account password, however, it remains valid for RDP logins indefinitely. In some cases, Wade reported, multiple older passwords will work while newer ones won’t. The result: persistent RDP access that bypasses cloud verification, multifactor authentication, and Conditional Access policies.


Abstract:

When a website is accessed, a connection is made using HTTPS to ensure that it ends with the website owner and that subsequent data traffic is secured. However, no further assurances can be given to a user. It is therefore a matter of trust that the site is secure and treats the information exchanged faithfully. This puts users at risk of interacting with insecure or even fraudulent systems. With the availability of confidential computing, which makes execution contexts secure from external access and remotely attestable, this situation can be fundamentally improved.

In this paper, we propose browser-based site attestation that allows users to validate advanced security properties when accessing a website secured by confidential computing. This includes data handling policies such as the data provided being processed only during the visit and not stored or forwarded. It can also inform the user that the accessed site has been audited by a security company and that the audited state is still intact. This is achieved by integrating remote attestation capabilities directly into a commodity browser and enforcing user-managed attestation rules.

Some excerpts:

Such a secured context is encrypted at all times, but is decrypted within the CPU only when the context is about to be executed. Thus, code and data are now also protected from unwanted access during execution. In order to validate that confidential computing applies to a secured context, remote attestation must be performed. During this process, a request is sent to a secured context, which in turn requests an attestation report from a Hardware Root of Trust (HRoT) local to the platform.

We argue that end users could also benefit greatly from the extended guarantees of confidential computing when accessing a secured website. However, there are two main obstacles: First, there is no standardized way for users to detect a secured context and perform remote attestation. Second, if remote attestation is enabled, users must be able to interpret an attestation result to decide whether the remote site is trustworthy.

In this paper, we present site attestation, which takes advantage of confidential computing to improve trust and security when surfing the Web.

7 CONCLUSION

Today, when accessing websites, users have to trust that the remote system is secure, respects data protection laws, and is benevolent. With the availability of confidential computing, remote execution contexts can be secured from external access and become attestable. Site attestation proposes to secure websites through confidential computing and perform remote attestation with trustworthiness policies while surfing the Web, reducing the need to blindly rely on the website’s reputation.

GitHub repo with Nginx, httperf, and Firefox code


"Traumatized Mr. Incredible" meme format, beneath screenshot of The Register's headline "Uncle Sam abruptly turns off funding for CVE program. Yes, that CVE program". Left panel: "Countering Violent Extremism Task Force?", right panel: "Common Vulnerabilities and Exposures database"


Long live Julian Assange.


Microsoft is creating new capabilities that will let security vendors operate outside of the root of Windows operating systems.


Researchers still don’t know the cause of a recently discovered malware infection affecting almost 1.3 million streaming devices running an open source version of Android in almost 200 countries.

DroidFS v2.2.0 (forge.chapril.org)
submitted 10 months ago by cipherd@lemmy.ml to c/security@programming.dev

cross-posted from: https://lemmy.ml/post/18512730

DroidFS is an Android application providing rootless support for gocryptfs and CryFS encrypted file systems. It features an encrypted camera, biometric unlocking, integrated secure file viewers and allows decrypted files to be exposed to other applications. It is 100% FLOSS and developed voluntarily.

This new version...

  • aims to improve the user interface
  • implements a foreground service to keep volumes open in the background
  • allows tweaking the file export method used for sharing content with other apps
  • adds new Turkish, Simplified Chinese and Hebrew translations
  • and of course, fixes a few bugs

Official APKs are available for download now. It should land on F-Droid very soon, with a new per-ABI APK split, which will reduce the download size as well as the installed app size quite a bit.

Feel free to give some feedback, open bug reports, ask for help, contribute, or just discuss the project!


Hey Community, I figured that I could strengthen existing automated unit test generation quality by integrating mutation testing results as a metric to determine the quality of my unit tests. Figured everyone should be unit testing their code now especially after the recent Crowdstrike fiasco.

Check it out here https://github.com/codeintegrity-ai/mutahunter

Please star if you like it :)


Caused by security firm CrowdStrike, which issued an update.


Regression in signal handler.

This vulnerability is exploitable remotely on glibc-based Linux systems, where syslog() itself calls async-signal-unsafe functions (for example, malloc() and free()): an unauthenticated remote code execution as root, because it affects sshd's privileged code, which is not sandboxed and runs with full privileges.
