Aggregator
CVE-2024-13879 | xwp Stream Plugin up to 4.0.2 on WordPress server-side request forgery
[Meachines] [Easy] Codify Express-Nodejs-Vm2-Bypass-RCE+SH == * Bypass权限提升
Project Waterworth: самая масштабная подводная сеть в истории
G.O.S.S.I.P 阅读推荐 2025-02-17 IllusionCAPTCHA: 基于视觉错觉的验证码
ChatGPT Operator: Prompt Injection Exploits & Defenses
Ransomware Gangs Encrypt Systems After 17hrs From Initial Infection
New research reveals ransomware gangs are accelerating encryption timelines while adopting advanced evasion techniques and data extortion strategies. A 2025 threat report by cybersecurity firm Huntress reveals ransomware gangs now take just 17 hours on average to encrypt systems after initial network intrusion, with some groups like Akira and RansomHub operating in as little as […]
The post Ransomware Gangs Encrypt Systems After 17hrs From Initial Infection appeared first on Cyber Security News.
How Slashing the SAT Budget Is Appreciated By Hackers
The Growing Need for Cybersecurity Awareness Training (SAT) In today’s rapidly evolving cyber threat landscape, organizations are increasingly recognizing the critical importance of Cyber Security Awareness Training (SAT) as a fundamental defense strategy. Regulatory changes like NIS2 and DORA further emphasize this need for robust cybersecurity initiatives. However, despite this acknowledgment, many organizations are still […]
The post How Slashing the SAT Budget Is Appreciated By Hackers appeared first on CybeReady.
The post How Slashing the SAT Budget Is Appreciated By Hackers appeared first on Security Boulevard.
Privacy Roundup: Week 7 of Year 2025
This is a news item roundup of privacy or privacy-related news items for 9 FEB 2025 - 15 FEB 2025. Information and summaries provided here are as-is for warranty purposes.
Note: You may see some traditional "security" content mixed-in here due to the close relationship between online privacy and cybersecurity - many things may overlap; for example, major vulnerabilities in popular software, which may compromise the security of user's devices (and therefore pose a threat to their privacy) and large data breaches where significant personal information is exposed.
Items presented here are typically curated with the end user and small groups (such as families and small/micro businesses) in mind. Due to this focus, items primarily affecting enterprises or large organizations may not be included, even if they are widespread or "popular" stories.
TABLE OF CONTENTS
- Privacy Tip of the Week
- Surveillance Tech in the News
- Privacy Tools and Services
- Vulnerabilities and Malware
- Phishing and Scams
- Service Providers' Privacy Practices
- Legislation/Regulations/Lawsuits
- Data Breaches and Leaks
Try to remember deleting accounts you no longer need or use. The more accounts you have, the bigger your attack surface and potential exposure to data breaches. Tips for finding old accounts.
Surveillance Tech in the NewsThis section covers surveillance technology and methods in the news. Specifically, stories and news items where public and/or private organizations have leveraged their capabilities to encroach on user privacy; for example, data brokers using underhanded means to harvest user location data without user knowledge or public organizations using technology without regard for user privacy.
Google's reCAPTCHA is not only useless, it's also basically spyware
Techspot
This study demonstrates Google's reCAPTCHA v2 and v3 are flawed and don't actually keep out bots. The research also shows that reCAPTCHA relies on fingerprinting (collecting "user agent data and other identifying information") and shares this data with advertisers.
The Murky Ad-Tech World Powering Surveillance of US Military Personnel
WIRED
This is mostly a continuation of another WIRED article where they detailed how Ad-Tech got the personal information and location data of US military members stationed in Germany. This article reveals that a Lithuania-based business acquired this information but would not disclose how they obtained it specifically.
Revealed: gambling firms secretly sharing users’ data with Facebook without permission
The Guardian
The Meta Pixel strikes again. Gambling sites - that users visit - have the Meta Pixel embedded in their code, sending data on users to Meta, who then displays targeted ads to users. The users claimed to have never opted into tracking; but the Meta Pixel automatically captured their information and pushed it to Meta.
This primarily centers on the UK. However, given the prevalence of the Meta Pixel on many of the world's most popular websites, it's relevant enough to include here.
Privacy Tools and ServicesPrimarily covers tools and services with a focus on maintaining/improving/respecting user privacy. Generally includes recommended services/tools found on avoidthehack, but also may feature upcoming/other privacy services not necessarily recommended or promoted by avoidthehack.com
Privacy ToolsProton Wallet brings safe Bitcoin self-custody to everyone
Proton
Proton has publicly released its self-custody Bitcoin wallet.
Introducing Bitwarden Cupid Vault to securely share (and unshare) passwords with loved ones
Bitwarden
Bitwarden has already had the ability to securely share passwords. The Cupid Vault Configuration follows a similar approach.
Privacy ServicesMullvad has partnered with Obscura VPN
Mullvad
Mullvad announces its partnership with ObscuraVPN; Mullvad WireGuard VPN servers can be used as the exit hop for the two-party VPN service offered by ObscuraVPN.
Single sign-on (SSO) and password generator rules are now available for Proton Pass
Proton
Proton Pass now supports single sign-on and allows setting of password generator rules.
Kagi Search introduces Privacy Pass and Tor onion service for enhanced privacy & anonymity
AlternativeTo
Kagi launched a Tor onion service. Kagi also introduces Privacy Pass, which allows users to authenticate to servers (like Kagi's) without revealing their identity; this should ensure searches are unlinkable to accounts.
Vulnerabilities and MalwarePrimarily includes severe and exploited vulnerabilities in devices or software used by end users (ex: a major router firmware flaw). Malware campaigns covered generally target/affect the end user.
This section will not contain every vulnerability/CVE or malware campaign reported, but will focus on those with the largest potential impact on a wide range of end users.
VulnerabilitiesMicrosoft’s February 2025 Patch Tuesday Addresses 55 CVEs (CVE-2025-21418, CVE-2025-21391)
Tenable
This week was a Patch Tuesday (11 FEB) from Microsoft. According to Tenable, Microsoft patched 55 CVEs.
CVE-2025-21418. Escalation of privilege in the Ancillary Function Driver for WinSock on Windows. When exploited, an authenticated attacker could elevate to SYSTEM level privileges. This has been exploited in the wild as a zero-day.
CVE-2025-21391. Another privilege escalation vulnerability, but in Windows Storage. When exploited, a local authenticated attacker could delete (but not necessarily read) files from a system, which could result in data loss. This has been exploited in the wild as a zero-day.
CVE-2025-21194. Publicly disclosed security feature bypass affecting the Microsoft Surface. Successful exploitation requires an attacker getting access to the same network as the device and convincing the user to reboot their device.
Apple Patches 'Extremely Sophisticated Attack' That Can Hit iPhones
PCMag
Apple released an emergency update (18.3.1) to iOS. This patch fixes a vulnerability where USB Restricted Mode can be disabled on iPhones; this vulnerability has reportedly been exploited by law enforcement to access a locked iPhone. Tracked as CVE-2025-24200.
Apple describes the zero-day as a highly sophisticated attack against a targeted individual.
New Exploitation Surge: Attackers Target ThinkPHP and ownCloud Flaws at Scale
GreyNoise
Threat actors are attempting to exploit a local file inclusion vulnerability (tracked as CVE-2022-47945) in ThinkPHP and an information disclosure vulnerability (tracked as CVE-2023-49103) in ownCloud. While these are "old" vulnerabilities, there has been a recent notable wave of active exploitation looking to exploit vulnerable instances.
Google fixes flaw that could unmask YouTube users' email addresses
Bleeping Computer
A vulnerability in internal APIs; specifically, the API leaked a user's "Gaia ID," which is meant for internal-to-Google use only for identification between Google's services and sites. This could be use to identify users on YouTube.
MalwareValve removes Steam game that contained malware
TechCrunch
A game (PirateFi) on Steam was actually malware in disguise. It was removed by Valve; Valve sent a message to users who downloaded the game, telling them to "consider fully reformatting your operating system" and to "run a full-system scan using an antivirus product..."
The post Privacy Roundup: Week 7 of Year 2025 appeared first on Security Boulevard.
揭秘 “Astaroth”:复杂网络钓鱼工具如何绕过 2FA,危及在线账户安全
Microsoft Detects New XCSSET MacOS Malware Variant
CISA 与 FBI 联合警告:缓冲区溢出漏洞威胁严重,制造商需践行安全设计
CVE-2025-21103 | Dell NetWorker Management Console up to 19.10.0.6/19.11.0.3 neutralization of directives (dsa-2025-095)
CVE-2025-21103 | Dell NetWorker Management Console up to 19.10.0.6/19.11.0.3 neutralization of directives (dsa-2025-095)
Meta 是如何做数据安全的:PAI 隐私意识基础设施
Fintech giant Finastra notifies victims of October data breach
PostgreSQL security advisory (AV25-084)
Helping civil society monitor cyber attacks with the CyberPeaceTracer and Cloudflare Email Security
Ransomware Gangs Encrypt Systems 17 Hours After Initial Infection
Ransomware gangs are accelerating their operations, with the average time-to-ransom (TTR), the period between initial system compromise and the deployment of encryption, now standing at just 17 hours, according to recent cybersecurity analyses. This marks a significant shift from earlier tactics, where attackers often lurked in networks for days or weeks to maximize reconnaissance and […]
The post Ransomware Gangs Encrypt Systems 17 Hours After Initial Infection appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
A PostgreSQL zero-day was also exploited in US Treasury hack (CVE-2025-1094)
The suspected Chinese state-sponsored hackers who breached workstations of several US Treasury employees in December 2024 did so by leveraging not one, but two zero-days, according to Rapid7 researchers. It was initially reported that the attackers compromised the Treasury’s BeyondTrust Remote Support SaaS instances via CVE-2024-12356, a previously unknown unauthenticated command injection vulnerability. But, as Rapid7 researchers discovered (and confirmed by testing), “a successful exploit for CVE-2024-12356 had to include exploitation of CVE-2025-1094 in order … More →
The post A PostgreSQL zero-day was also exploited in US Treasury hack (CVE-2025-1094) appeared first on Help Net Security.