Aggregator
Critical Argo CD Flaw Exposes Kubernetes Clusters to Full Resource Manipulation
A critical cross-site scripting (XSS) vulnerability, officially tracked as CVE-2025-47933 and GHSA-2hj5-g64g-fp6p, has been identified in Argo CD, a widely used open-source GitOps tool for Kubernetes. This flaw affects the repository URL handling mechanism in the Argo CD user interface, specifically due to improper validation of URL protocols in the ui/src/app/shared/components/urls.ts file. Attackers can exploit […]
The post Critical Argo CD Flaw Exposes Kubernetes Clusters to Full Resource Manipulation appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
Hackers Exploit Cloudflare Tunnels to Launch Stealthy Cyberattacks
In the cybersecurity landscape, malicious actors, including notorious ransomware groups like BlackSuit, Royal, Akira, Scattered Spider, Medusa, and Hunters International, have been exploiting Cloudflared, a legitimate tunneling tool by Cloudflare, to orchestrate stealthy cyberattacks. Originally known as “Argo,” Cloudflared is designed to enable secure communication between remote endpoints over untrusted networks by encapsulating data in proprietary […]
The post Hackers Exploit Cloudflare Tunnels to Launch Stealthy Cyberattacks appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
Fake Bitdefender website used to spread infostealer malware
Unmasking ECH: Why DNS-at-the-Root-of-Trust Holds the Key to Secure Connectivity
Encrypted Client Hello (ECH) has been in the news a lot lately. For some background and relevant and recent content, see:
- IETF Proposed Standard
- Cloudflare Blog from 2023 announcing ECH support
- RSA 2025 talk: ECH: Hello to Enhanced Privacy or Goodbye to Visibility?
- Corrata White Paper “Living with ECH”
- Security Now podcast coverage of the above in Episode 1027
The push for ECH is primarily of interest to privacy-seeking end users on an untrusted transit. Those dynamics are at odds with the needs of security professionals responsible for their users and endpoints, regardless of transit. This blog article is written for the latter group.
There are enough motivations for ECH adoption that it is bound to happen, since ECH client support is already present in modern browsers. In my own lab network, I just checked my ECH logs over the last few hours. These domains have been contacted, all via ECH:
api.ecomsend.com
app.backinstock.org
cdn.discordapp.com
discordapp.com
oidc.iam.cfapi.net
textify-cdn.com
ublockorigin.pages.dev
vector.im
As articulated in Corrata’s White Paper titled “Living with ECH”, the following statement caught our attention:
“A rapid increase in the use of Encrypted Client Hello would mean that it would no longer be possible to directly detect the destination of much internet traffic. Security tools designed to keep enterprises safe would lose some of the visibility they rely on.”
In a world where security operators have good reasons to be concerned about the destination of any connection made over the internet, this is a legitimate concern, especially considering these two trends that the paper points out:
- Phishing use:
“Our analysis of phishing detections shows that over 90% use Cloudflare infrastructure”
- Spike in ECH adoption:
“The spike in detections of the cloudflare-ech.com domain observed in the latter part of 2024 was the catalyst for this research.”
How SNI has traditionally been used for lightweight target domain detection
Even encrypted traffic still offers the Server Name Indication (SNI) in clear text. This can be seen with a simple packet capture on any gateway, for example:
gateway#: tcpdump -i eth1 port 443 -w capture.pcap
(where eth1 is the LAN interface)
Any device on the LAN of such a gateway can attempt a browser connection to www.google.com, and the packet capture will contain the domain, which can be extracted like this:
% tshark -r capture.pcap -Y "tls.handshake.type == 1" -T fields -e tls.handshake.extensions_server_name
www.google.com
The visited domain is available in plain text. At this point, it is trivial for the gateway security appliance to map the destination FQDN and allow (or deny) it by policy. Most security appliances rely on this mechanism for detection, with or without a protective DNS resolver in play.
How SNI fails when ECH is used
If we repeat the same exercise for a domain where ECH is enabled, the packet capture does not include the actual visited domain. Let’s use one of my visited domains from above, vector.im; we see the ech= parameter in the response when making a TYPE65 query:
endpoint$ kdig @1.1.1.1 +https TYPE65 vector.im +short
1 . alpn=h3,h2 ipv4hint=172.64.80.1 ech=AEX+DQBB3gAgACCtcqyZIqDPl/JQduQQfIk5c+oiXxPWNUECS9qO7zLoIwAEAAEAAQASY2xvdWRmbGFyZS1lY2guY29tAAA= ipv6hint=2606:4700:130:436c:6f75:6466:6c61:7265
gateway#: tcpdump -i eth1 port 443 -w captureECH.pcap
endpoint$ curl -v -k --ech true --doh-url https://cloudflare-doh/dns-query https://vector.im
% tshark -r captureECH.pcap -Y "tls.handshake.type == 1" -T fields -e tls.handshake.extensions_server_name
cloudflare-ech.com
Note that vector.im does not show up anywhere in cleartext. Only cloudflare-ech.com is visible. This is the loss of visibility that concerns the security community.
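The two captures above can be reproduced without a gateway. The following Python is an added example, not code from the original post or from adam:ONE: it decodes the ech= value shown in the TYPE65 answer above as an ECHConfigList (version 0xfe0d, per draft-ietf-tls-esni) to recover the public_name, which is exactly the name that ends up as the outer, cleartext SNI, and it parses a TLS ClientHello record to report the cleartext SNI and whether the ECH extension (same 0xfe0d codepoint) is present. The ClientHello records are constructed by `build_client_hello` for the demonstration, not taken from a capture, and their ECH payload is a placeholder rather than real HPKE ciphertext.

```python
import base64
import struct

# Codepoint used both for the ECH extension and the ECHConfig version in draft-ietf-tls-esni.
ECH_EXT_TYPE = 0xFE0D
SNI_EXT_TYPE = 0x0000  # server_name extension, RFC 6066

# The ech= value from the TYPE65 answer for vector.im quoted in the post.
VECTOR_IM_ECH_B64 = ("AEX+DQBB3gAgACCtcqyZIqDPl/JQduQQfIk5c+oiXxPWNUECS9qO7zLoIw"
                     "AEAAEAAQASY2xvdWRmbGFyZS1lY2guY29tAAA=")


def parse_ech_config_list(blob: bytes) -> list:
    """Parse an ECHConfigList; return one dict per version-0xfe0d ECHConfig.

    public_name is what the client puts in the *outer* ClientHello SNI, so it
    is the only hostname a passive observer on the path will see.
    """
    configs = []
    (total,) = struct.unpack("!H", blob[:2])
    pos, end = 2, 2 + total
    while pos < end:
        version, length = struct.unpack("!HH", blob[pos:pos + 4])
        body = blob[pos + 4:pos + 4 + length]
        pos += 4 + length
        if version != ECH_EXT_TYPE:
            continue  # unknown version: body is opaque, skip it
        config_id = body[0]
        kem_id, pk_len = struct.unpack("!HH", body[1:5])
        p = 5 + pk_len                         # skip the HPKE public key
        (cs_len,) = struct.unpack("!H", body[p:p + 2])
        p += 2 + cs_len                        # skip cipher_suites
        p += 1                                 # maximum_name_length
        name_len = body[p]
        p += 1
        public_name = body[p:p + name_len].decode("ascii")
        configs.append({"config_id": config_id, "kem_id": kem_id,
                        "public_name": public_name})
    return configs


def decode_ech_param(ech_b64: str) -> list:
    """Decode the base64 ech= SvcParam value and parse it."""
    return parse_ech_config_list(base64.b64decode(ech_b64))


def parse_client_hello(record: bytes) -> dict:
    """Return {'sni': str|None, 'ech': bool} for a TLS record carrying a ClientHello."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = 4 + 2 + 32                              # handshake header, legacy_version, random
    p += 1 + hs[p]                              # legacy_session_id
    (cs_len,) = struct.unpack("!H", hs[p:p + 2])
    p += 2 + cs_len                             # cipher_suites
    p += 1 + hs[p]                              # legacy_compression_methods
    (ext_len,) = struct.unpack("!H", hs[p:p + 2])
    p += 2
    end = p + ext_len
    result = {"sni": None, "ech": False}
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[p:p + 4])
        edata = hs[p + 4:p + 4 + elen]
        p += 4 + elen
        if etype == SNI_EXT_TYPE:
            q = 2                               # skip ServerNameList length
            while q + 3 <= len(edata):
                name_type = edata[q]
                (n_len,) = struct.unpack("!H", edata[q + 1:q + 3])
                if name_type == 0:              # host_name
                    result["sni"] = edata[q + 3:q + 3 + n_len].decode("ascii")
                q += 3 + n_len
        elif etype == ECH_EXT_TYPE:
            result["ech"] = True
    return result


def build_client_hello(sni: str, with_ech: bool) -> bytes:
    """Build a minimal ClientHello record (constructed sample input, not a capture)."""
    name = sni.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni_data = struct.pack("!H", len(entry)) + entry
    exts = struct.pack("!HH", SNI_EXT_TYPE, len(sni_data)) + sni_data
    if with_ech:
        ech_data = bytes(16)                    # placeholder body, enough for detection
        exts += struct.pack("!HH", ECH_EXT_TYPE, len(ech_data)) + ech_data
    body = (b"\x03\x03" + bytes(32)             # legacy_version, random (zeros: constructed)
            + b"\x00"                           # empty session id
            + b"\x00\x02\x13\x01"               # one suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                       # null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    print(decode_ech_param(VECTOR_IM_ECH_B64))
    print(parse_client_hello(build_client_hello("www.google.com", with_ech=False)))
    print(parse_client_hello(build_client_hello("cloudflare-ech.com", with_ech=True)))
```

Decoding the page's ech= value yields a single config with public_name cloudflare-ech.com, which is why the second tshark run shows only that name: the gateway sees the outer SNI, while the real hostname lives in the HPKE-encrypted inner ClientHello. A middlebox can still tell that ECH is in use (the 0xfe0d extension is visible), but cannot recover the destination from the handshake, which is the visibility gap the rest of the post addresses with DNS-based policy.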
Protective DNS to the rescue (partially)
Any available Protective DNS resolver can block by policy on a per-FQDN basis, whether the name is known-bad or untrusted by another assessment. However, it is only a partial solution because the endpoint can easily use an alternate DNS resolver, including widely available DoH providers such as 1.1.1.1. This is a common circumvention strategy used by browsers/applications as well as by malware. In such a case, the designated Protective DNS server isn’t even in use, so it offers no protection.
The complete FIX: DNS at the root of trust
The way this is accomplished is with Don’t Talk To Strangers (DTTS), a default-deny-all approach for every connection unless it is first permitted by policy and subsequently looked up by adam:ONE’s caching resolver. Each destination allow-rule permits a single source and a single destination for the period of the Time To Live (TTL) offered to the query source. This includes well-known as well as unknown DoH servers; note that it is not a list of known DoH servers to block. Here’s a logical flow of the DTTS approach:
When DNS is treated as the root of trust for all network connections, every destination IP network connection is necessarily mapped back to a fully qualified domain name. The only exception to this would be for IPs that are not discovered by DNS, and are explicitly trusted.
Closing other DNS vulnerabilities
- Hijack Do53 traffic destined anywhere except as authorized - this approach allows simultaneous convenience for any legacy endpoints using another DNS server (such as operational devices with a commonly hard-coded 8.8.8.8), while still offering answers by policy
- Offer DNS encryption internally as well as upstream via DDR and DNR standards - this approach makes the DNS environment immediately compliant with CISA DNS Security standards
The biggest gains with this approach can be summarized as:
- ECH adoption no longer a security risk
- Security-focused: from before the connection begins, security is the proactive model, not a reactive one
- Lightweight - replacing the middlebox now requires less horsepower and offers a faster experience with lower latency
- Future-proofed, when DNS is treated as the root of network trust
The post Unmasking ECH: Why DNS-at-the-Root-of-Trust Holds the Key to Secure Connectivity appeared first on Security Boulevard.
GPT-4o convinced itself that it likes Putin. Now it is having a cognitive crisis
UserGate showcased the Russian cybersecurity ecosystem at PHDays 2025
Hack analysis | Cork Protocol attacked, losses exceed ten million US dollars
Thousands of ASUS Routers Hijacked in Stealthy Backdoor Campaign
20250529 | Gold 3,500-point correction wave pattern
Nvidia CEO Huang Warns Export Bans Empower Chinese AI Firms
CEO Jensen Huang says new U.S. chip restrictions on China forced Nvidia to write down $4.5 billion in AI inventory and will hurt American leadership in global infrastructure as Chinese firms gain momentum. The rules fuel China’s rise and jeopardize U.S. infrastructure dominance, according to Huang.
CISA Releases Five Industrial Control Systems Advisories
CISA released five Industrial Control Systems (ICS) advisories on May 29, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.
- ICSA-25-148-01 Siemens SiPass
- ICSA-25-148-02 Siemens SiPass Integrated
- ICSA-25-148-03 Consilium Safety CS5000 Fire Panel
- ICSA-25-148-04 Instantel Micromate
- ICSMA-25-148-01 Santesoft Sante DICOM Viewer Pro
CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.
UK military to establish new Cyber and Electromagnetic Command
Microsoft unveils “centralized” software update tool for Windows
Microsoft is looking to streamline the software updating process for IT admins and users by providing a Windows-native update orchestration platform, and to help organizations upgrade their computer fleet to Windows 11 with the help of Windows Backup for Organizations.
The software update orchestration platform
“Today, line-of-business apps, Windows components, Visual Studio, and other products are updated independently,” says Microsoft Product Manager Angie Chen. “Updates across the Windows ecosystem can feel like a fragmented experience …
The post Microsoft unveils “centralized” software update tool for Windows appeared first on Help Net Security.
Your IT Infrastructure is Hybrid. So Why Not Your Security Model?
A hybrid security model provides the ability to deploy a variety of rule sets for specific applications while providing a single, centralized way to manage it all.
The post Your IT Infrastructure is Hybrid. So Why Not Your Security Model? appeared first on Security Boulevard.
Medusa Locker