An anonymous reader quotes a report from Ars Technica: Researchers have discovered a never-before-seen framework that infects Linux machines with a wide assortment of modules that are notable for the range of advanced capabilities they provide to attackers. The framework, referred to as VoidLink by its source code, features more than 30 modules that can be used to customize capabilities to meet attackers' needs for each infected machine. These modules can provide additional stealth and specific tools for reconnaissance, privilege escalation, and lateral movement inside a compromised network. The components can be easily added or removed as objectives change over the course of a campaign. VoidLink can target machines within popular cloud services by detecting if an infected machine is hosted inside AWS, GCP, Azure, Alibaba, and Tencent, and there are indications that developers plan to add detections for Huawei, DigitalOcean, and Vultr in future releases. To detect which cloud service hosts the machine, VoidLink examines metadata using the respective vendor's API. Similar frameworks targeting Windows servers have flourished for years. They are less common on Linux machines. The feature set is unusually broad and is "far more advanced than typical Linux malware," said researchers from Checkpoint, the security firm that discovered VoidLink. Its creation may indicate that the attacker's focus is increasingly expanding to include Linux systems, cloud infrastructure, and application deployment environments, as organizations increasingly move workloads to these environments. "VoidLink is a comprehensive ecosystem designed to maintain long-term, stealthy access to compromised Linux systems, particularly those running on public cloud platforms and in containerized environments," the researchers said in a separate post. "Its design reflects a level of planning and investment typically associated with professional threat actors rather than opportunistic attackers, raising the stakes for defenders who may never realize their infrastructure has been quietly taken over." The researchers note that VoidLink poses no immediate threat or required action since it's not actively targeting systems. However, defenders should remain vigilant.

Read more of this story at Slashdot.

An anonymous reader quotes a report from The Verge: Betterment, a financial app, sent a sketchy-looking notification on Friday asking users to send $10,000 to Bitcoin and Ethereum crypto wallets and promising to "triple your crypto," according to a thread on Reddit. The Betterment account says in an X thread that this was an "unauthorized message" that was sent via a "third-party system." TechCrunch has since confirmed that an undisclosed number of Betterment's customers have had their personal information accessed. "The company said customer names, email and postal addresses, phone numbers, and dates of birth were compromised in the attack," reports TechCrunch. Betterment said it detected the attack on the same day and "immediately revoked the unauthorized access and launched a comprehensive investigation, which is ongoing." The fintech firm also said it has reached out to the customers targeted by the hackers and "advised them to disregard the message." "Our ongoing investigation has continued to demonstrate that no customer accounts were accessed and that no passwords or other log-in credentials were compromised," Betterment wrote in the email.

Read more of this story at Slashdot.

The European Space Agency has acknowledged yet another security incident after a cybercriminal posted an offer on BreachForums the day after Christmas claiming to have stolen over 20GB of data including source code, confidential documents, API tokens and credentials. The attacker claims they gained access to ESA-linked external servers on December 18 and remained connected for about a week, during which they allegedly exfiltrated private Bitbucket repositories, CI/CD pipelines, Terraform files and hardcoded credentials. ESA said that the breach may have affected only "a very small number of external servers" used for unclassified engineering and scientific collaboration, and that it has initiated a forensic security analysis.

Read more of this story at Slashdot.

An anonymous reader quotes a report from Cyber Press: A newly uncovered Chinese threat group, DarkSpectre, has been linked to one of the most widespread browser-extension malware operations to date, compromising more than 8.8 million users of Chrome, Edge, Firefox, and Opera over the past seven years. According to research by Koi.ai, the group operates three interconnected campaigns: ShadyPanda, GhostPoster, and a newly identified one named The Zoom Stealer, forming a single, strategically organized operation. DarkSpectre's structure differs from that of ordinary cybercrime operations. The group runs separate but interconnected malware clusters, each with distinct goals. The ShadyPanda campaign, responsible for 5.6 million infections, focuses on long-term user surveillance and e-commerce affiliate fraud. Its extensions have appeared legitimate for years, offering new tab pages and translation utilities, before secretly downloading malicious configurations from command-and-control servers such as jt2x.com and infinitynewtab.com. Once activated, they inject remote scripts, hijack search results, and track browsing activity. The second campaign, GhostPoster, spreads via Firefox and Opera extensions that conceal malicious payloads in PNG images via steganography. After lying dormant for several days, the extensions extract and execute JavaScript hidden within images, enabling stealthy remote code execution. This campaign has affected over one million users and relies on domains like gmzdaily.com and mitarchive.info for payload delivery. The most recent discovery, The Zoom Stealer, exposes around 2.2 million users to corporate espionage. These extensions masquerade as productivity tools or video downloaders while secretly harvesting corporate meeting links, credentials, and speaker profiles from more than 28 video conferencing platforms, including Zoom, Microsoft Teams, and Google Meet. The extensions use real-time WebSocket connections to exfiltrate data to Firebase databases, such as zoocorder.firebaseio.com, and to Google Cloud functions, such as webinarstvus.cloudfunctions.net.

Read more of this story at Slashdot.

An anonymous reader quotes a report from SecurityWeek: Insurance giant Aflac is notifying roughly 22.65 million people that their personal information was stolen from its systems in June 2025. The company disclosed the intrusion on June 20, saying it had identified suspicious activity on its network in the US on June 12 and blaming it on a sophisticated cybercrime group. The company said it immediately contained the attack and engaged with third-party cybersecurity experts to help with incident response. Aflac's operations were not affected, as file-encrypting ransomware was not deployed. [...] The compromised information, the insurance giant says, includes names, addresses, Social Security numbers, dates of birth, driver's license numbers, government ID numbers, medical and health insurance information, and other data. "The review of the potentially impacted files determined personal information associated with customers, beneficiaries, employees, agents, and other individuals related to Aflac was involved," Aflac said in a notification (PDF) on its website. The company is providing the affected individuals with 24 months of free credit monitoring, identity theft protection, and medical fraud protection services.

Read more of this story at Slashdot.

An anonymous reader shares a report: A typosquatted domain impersonating the Microsoft Activation Scripts (MAS) tool was used to distribute malicious PowerShell scripts that infect Windows systems with the 'Cosmali Loader'. BleepingComputer has found that multiple MAS users began reporting on Reddit yesterday that they received pop-up warnings on their systems about a Cosmali Loader infection. Based on the reports, attackers have set up a look-alike domain, "get[dot]activate[dot]win," which closely resembles the legitimate one listed in the official MAS activation instructions, "get[dot]activated[dot]win." Given that the difference between the two is a single character ("d"), the attackers bet on users mistyping the domain.

Read more of this story at Slashdot.

An anonymous reader quotes a report from the Associated Press: With just three days to go before Christmas, a cyberattack knocked France's national postal service offline Monday, blocking and delaying package deliveries and online payments. The timing was miserable for millions of people at the height of the Christmas season, as frazzled postal workers fended off frustrated customers. No one immediately claimed responsibility, but suspicions abounded. What the postal service La Poste called a ''major network incident'' remained unresolved by Monday evening, more than eight hours after it was first reported. For a company that delivered 2.6 billion packages last year and employs more than 200,000 people, that's a big hit. La Poste said in a statement that a distributed denial of service incident, or DDoS, "rendered its online services inaccessible." It said the incident had no impact on customer data, but disrupted package delivery. Letters, including holiday greeting cards, could still be mailed and delivered. But transactions requiring tracking or access to the postal service internal computer systems were impossible. The cyberattack also hurt online banking. Customers of the company's banking arm, La Banque Postale, were blocked from using the application to approve payments or conduct other banking services. The bank redirected approvals to text messages instead. "Our teams are mobilized to resolve the situation quickly," the bank said in messages posted on social networks. The disruption came a week after France's government was targeted by a cyberattack that targeted the Interior Ministry, in charge of national security.

Read more of this story at Slashdot.

An anonymous reader quotes a report from KrebsOnSecurity: Direct navigation -- the act of visiting a website by manually typing a domain name in a web browser -- has never been riskier: A new study finds the vast majority of "parked" domains -- mostly expired or dormant domain names, or common misspellings of popular websites -- are now configured to redirect visitors to sites that foist scams and malware. When Internet users try to visit expired domain names or accidentally navigate to a lookalike "typosquatting" domain, they are typically brought to a placeholder page at a domain parking company that tries to monetize the wayward traffic by displaying links to a number of third-party websites that have paid to have their links shown. A decade ago, ending up at one of these parked domains came with a relatively small chance of being redirected to a malicious destination: In 2014, researchers found (PDF) that parked domains redirected users to malicious sites less than five percent of the time -- regardless of whether the visitor clicked on any links at the parked page. But in a series of experiments over the past few months, researchers at the security firm Infoblox say they discovered the situation is now reversed, and that malicious content is by far the norm now for parked websites. "In large scale experiments, we found that over 90% of the time, visitors to a parked domain would be directed to illegal content, scams, scareware and anti-virus software subscriptions, or malware, as the 'click' was sold from the parking company to advertisers, who often resold that traffic to yet another party," Infoblox researchers wrote in a paper published today.

Read more of this story at Slashdot.

Longtime Linux developer Greg Kroah-Hartman announced that the Linux kernel has received its first CVE tied to Rust code. Phoronix reports: This first CVE (CVE-2025-68260) for Rust code in the Linux kernel pertains to the Android Binder rewrite in Rust. There is a race condition that can occur due to some noted unsafe Rust code. That code can lead to memory corruption of the previous/next pointers and in turn cause a crash. This CVE for the possible system crash is for Linux 6.18 and newer since the introduction of the Rust Binder driver. At least though it's just a possible system crash and not any more serious system compromise with remote code execution or other more severe issues.

Read more of this story at Slashdot.

An anonymous reader quotes a report from BleepingComputer: Audio streaming platform SoundCloud has confirmed that outages and VPN connection issues over the past few days were caused by a security breach in which threat actors stole a database containing user information. The disclosure follows widespread reports over the past four days from users who were unable to access SoundCloud when connecting via VPN, with attempts resulting in the site displaying 403 "forbidden" errors. In a statement shared with BleepingComputer, SoundCloud said it recently detected unauthorized activity involving an ancillary service dashboard and activated its incident response procedures. SoundCloud acknowledged that a threat actor accessed some of its data but said the exposure was limited in scope. [...] BleepingComputer has learned that the breach affects 20% of SoundCloud's users, which, based on publicly reported user figures, could impact roughly 28 million accounts. The company said it is confident that all unauthorized access to SoundCloud systems has been blocked and that there is no ongoing risk to the platform. "We understand that a purported threat actor group accessed certain limited data that we hold," SoundCloud told BleepingComputer. "We have completed an investigation into the data that was impacted, and no sensitive data (such as financial or password data) has been accessed. The data involved consisted only of email addresses and information already visible on public SoundCloud profiles."

Read more of this story at Slashdot.

A critical React vulnerability (CVE-2025-55182) is being actively exploited at scale by Chinese, Iranian, North Korean, and criminal groups to gain remote code execution, deploy backdoors, and mine crypto. The Register reports: React maintainers disclosed the critical bug on December 3, and exploitation began almost immediately. According to Amazon's threat intel team, Chinese government crews, including Earth Lamia and Jackpot Panda, started battering the security hole within hours of its disclosure. Palo Alto Networks' Unit 42 responders have put the victim count at more than 50 organizations across multiple sectors, with attackers from North Korea also abusing the flaw. Google, in a late Friday report, said at least five other suspected PRC spy groups also exploited React2Shell, along with criminals who deployed XMRig for illicit cryptocurrency mining, and "Iran-nexus actors," although the report doesn't provide any additional details about who the Iran-linked groups are and what they are doing after exploitation. "GTIG has also observed numerous discussions regarding CVE-2025-55182 in underground forums, including threads in which threat actors have shared links to scanning tools, proof-of-concept (PoC) code, and their experiences using these tools," the researchers wrote.

Read more of this story at Slashdot.

The Black Hat Europe hacker conference in London included a session titled "Don't Judge an Audiobook by Its Cover" about a two critical (and now fixed) flaws in Amazon's Kindle. The Times reports both flaws were discovered by engineering analyst Valentino Ricotta (from the cybersecurity research division of Thales), who was awarded a "bug bounty" of $20,000 (£15,000 ). He said: "What especially struck me with this device, that's been sitting on my bedside table for years, is that it's connected to the internet. It's constantly running because the battery lasts a long time and it has access to my Amazon account. It can even pay for books from the store with my credit card in a single click. Once an attacker gets a foothold inside a Kindle, it could access personal data, your credit card information, pivot to your local network or even to other devices that are registered with your Amazon account." Ricotta discovered flaws in the Kindle software that scans and extracts information from audiobooks... He also identified a vulnerability in the onscreen keyboard. Through both of these, he tricked the Kindle into loading malicious code, which enabled him to take the user's Amazon session cookies — tokens that give access to the account. Ricotta said that people could be exposed to this type of hack if they "side-load" books on to the Kindle through non-Amazon stores. Ricotta donated his bug bounties to charity...

Read more of this story at Slashdot.

Stanford researchers spent much of the past year building an AI bot called Artemis that scans networks for software vulnerabilities, and when they pitted it against ten professional penetration testers on the university's own engineering network, the bot outperformed nine of them. The experiment offers a window into how rapidly AI hacking tools have improved after years of underwhelming performance. "We thought it would probably be below average," said Justin Lin, a Stanford cybersecurity researcher. Artemis found bugs at a fraction of human cost -- just under $60 per hour compared to the $2,000 to $2,500 per day that professional pen testers typically charge. But its performance wasn't flawless. About 18% of its bug reports were false positives, and it completely missed an obvious vulnerability on a webpage that most human testers caught. In one case, Artemis found a bug on an outdated page that didn't render in standard browsers; it used a command-line tool called Curl instead of Chrome or Firefox. Dan Boneh, a Stanford computer science professor who advised the researchers, noted that vast amounts of software shipped without being vetted by LLMs could now be at risk. "We're in this moment of time where many actors can increase their productivity to find bugs at an extreme scale," said Jacob Klein, head of threat intelligence at Anthropic.

Read more of this story at Slashdot.

An anonymous reader quotes a report from Axios: OpenAI says the cyber capabilities of its frontier AI models are accelerating and warns Wednesday that upcoming models are likely to pose a "high" risk, according to a report shared first with Axios. The models' growing capabilities could significantly expand the number of people able to carry out cyberattacks. OpenAI said it has already seen a significant increase in capabilities in recent releases, particularly as models are able to operate longer autonomously, paving the way for brute force attacks. The company notes that GPT-5 scored a 27% on a capture-the-flag exercise in August, GPT-5.1-Codex-Max was able to score 76% last month. "We expect that upcoming AI models will continue on this trajectory," the company says in the report. "In preparation, we are planning and evaluating as though each new model could reach 'high' levels of cybersecurity capability as measured by our Preparedness Framework." "High" is the second-highest level, below the "critical" level at which models are unsafe to be released publicly. "What I would explicitly call out as the forcing function for this is the model's ability to work for extended periods of time," said OpenAI's Fouad Matin.

Read more of this story at Slashdot.

joshuark shares a report from BleepingComputer: Microsoft has silently "mitigated" a high-severity Windows LNK vulnerability exploited by multiple state-backed and cybercrime hacking groups in zero-day attacks. Tracked as CVE-2025-9491, this security flaw allows attackers to hide malicious commands within Windows LNK files, which can be used to deploy malware and gain persistence on compromised devices. However, the attacks require user interaction to succeed, as they involve tricking potential victims into opening malicious Windows Shell Link (.lnk) files. Thus some element of social engineering, and user technically naive and gullibility such as thinking Windows is secure is required. [...] As Trend Micro threat analysts discovered in March 2025, the CVE-2025-9491 was already being widely exploited by 11 state-sponsored groups and cybercrime gangs, including Evil Corp, Bitter, APT37, APT43 (also known as Kimsuky), Mustang Panda, SideWinder, RedHotel, Konni, and others. Microsoft told BleepingComputer in March that it would "consider addressing" this zero-day flaw, even though it didn't "meet the bar for immediate servicing." ACROS Security CEO and 0patch co-founder Mitja Kolsek found, Microsoft has silently changed LNK files in the November updates in an apparent effort to mitigate the CVE-2025-9491 flaw. After installing last month's updates, users can now see all characters in the Target field when opening the Properties of LNK files, not just the first 260. As the movie the Ninth Gate stated: "silentium est aurum"

Read more of this story at Slashdot.

An anonymous reader shares a report: India's telecoms ministry has privately asked all smartphone makers to preload all new devices with a state-owned cyber security app, a government order showed, a move set to spark a tussle with Apple, which typically dislikes such directives. [...] The November 28 order, seen by Reuters, gives major smartphone companies 90 days to ensure that the government's Sanchar Saathi app is pre-installed on new mobile phones, with a provision that users cannot disable it. [...] In the order, the government said the app was essential to combat "serious endangerment" of telecom cyber security from duplicate or spoofed IMEI numbers, which enable scams and network misuse.

Read more of this story at Slashdot.

Apple's Podcasts app on both iOS and Mac has been exhibiting strange behavior for months, spontaneously launching and presenting users with obscure religion, spirituality and education podcasts they never subscribed to -- and at least one of these podcasts contains a link attempting a cross-site scripting attack, 404 Media reports. Joseph Cox, a journalist at the outlet, documented the issue after repeatedly finding his Mac had launched the Podcasts app on its own, presenting bizarre podcasts with titles containing garbled code, external URLs to Spotify and Google Play, and in one case, what appears to be XSS attack code embedded directly in the podcast title itself. Patrick Wardle, a macOS security expert and creator of Objective-See, confirmed he could replicate similar behavior: simply visiting a website can trigger the Podcasts app to open and load an attacker-chosen podcast without any user prompt or approval. Wardle said this creates "a very effective delivery mechanism" if a vulnerability exists in the Podcasts app, and the level of probing suggests adversaries are actively evaluating it as a potential target. The XSS-attempting podcast dates from around 2019. A recent review in the app asked "How does Apple allow this attempted XSS attack?" Asked for comment five times by 404 Media, Apple did not respond.

Read more of this story at Slashdot.

An anonymous reader quotes a report from TechCrunch: Several U.S. banking giants and mortgage lenders are reportedly scrambling to assess how much of their customers' data was stolen during a cyberattack on a New York financial technology company earlier this month. SitusAMC, which provides technology for over a thousand commercial and real estate financiers, confirmed in a statement over the weekend that it had identified a data breach on November 12. The company said that unspecified hackers had stolen corporate data associated with its banking customers' relationship with SitusAMC, as well as "accounting records and legal agreements" during the cyberattack. The statement added that the scope and nature of the cyberattack "remains under investigation." SitusAMC said that the incident is "now contained," and that its systems are operational. The company said that no encrypting malware was used, suggesting that the hackers were focused on exfiltrating data from the company's systems rather than causing destruction. According to Bloomberg and CNN, citing sources, SitusAMC sent data breach notifications to several financial giants, including JPMorgan Chase, Citigroup, and Morgan Stanley. SitusAMC also counts pension funds and state governments as customers, according to its website. It's unclear how much data was taken, or how many U.S. banking consumers may be affected by the breach. Companies like SitusAMC may not be widely known outside of the financial world, but provide the mechanisms and technologies for its banking and real estate customers to comply with state and federal rules and regulations. In its role as a middleman for financial clients, the company handles vast amounts of non-public banking information on behalf of its customers. According to SitusAMC's website, the company processes billions of documents related to loans annually.

Read more of this story at Slashdot.

An anonymous reader quotes a report from Wired: Hacker conferences -- like all conventions -- are notorious for giving attendees a parting gift of mystery illness. To combat "con crud," New Zealand's premier hacker conference, Kawaiicon, quietly launched a real-time, room-by-room carbon dioxide monitoring system for attendees. To get the system up and running, event organizers installed DIY CO2 monitors throughout the Michael Fowler Centre venue before conference doors opened on November 6. Attendees were able to check a public online dashboard for clean air readings for session rooms, kids' areas, the front desk, and more, all before even showing up. "It's ALMOST like we are all nerds in a risk-based industry," the organizers wrote on the convention's website. "What they did is fantastic," Jeff Moss, founder of the Defcon and Black Hat security conferences, told WIRED. "CO2 is being used as an approximation for so many things, but there are no easy, inexpensive network monitoring solutions available. Kawaiicon building something to do this is the true spirit of hacking." [...] Kawaiicon's work began one month before the conference. In early October, organizers deployed a small fleet of 13 RGB Matrix Portal Room CO2 Monitors, an ambient carbon dioxide monitor DIY project adapted from US electronics and kit company Adafruit Industries. The monitors were connected to an Internet-accessible dashboard with live readings, daily highs and lows, and data history that showed attendees in-room CO2 trends. Kawaiicon tested its CO2 monitors in collaboration with researchers from the University of Otago's public health department. The Michael Fowler Centre is a spectacular blend of Scandinavian brutalism and interior woodwork designed to enhance sound and air, including two grand pou -- carved Mori totems -- next to the main entrance that rise through to the upper foyers. Its cathedral-like acoustics posed a challenge to Kawaiicon's air-hacking crew, which they solved by placing the RGB monitors in stereo. There were two on each level of the Main Auditorium (four total), two in the Renouf session space on level 1, plus monitors in the daycare and Kuracon (kids' hacker conference) areas. To top it off, monitors were placed in the Quiet Room, at the Registration Desk, and in the Green Room. Kawaiicon's attendees could quickly check the conditions before they arrived and decide how to protect themselves accordingly. At the event, WIRED observed attendees checking CO2 levels on their phones, masking and unmasking in different conference areas, and watching a display of all room readings on a dashboard at the registration desk. In each conference session room, small wall-mounted monitors displayed stoplight colors showing immediate conditions: green for safe, orange for risky, and red to show the room had high CO2 levels, the top level for risk. Colorful custom-made Kawaiicon posters by New Zealand artist Pepper Raccoon placed throughout the Michael Fowler Centre displayed a QR code, making the CO2 dashboard a tap away, no matter where they were at the conference. Resources, parts lists, and assembly guides can be found here.

Read more of this story at Slashdot.

Google confirmed in a statement Friday that hackers have stolen the Salesforce-stored data of more than 200 companies in a large-scale supply chain hack. TechCrunch reports: On Thursday, Salesforce disclosed a breach of "certain customers' Salesforce data" -- without naming affected companies -- that was stolen via apps published by Gainsight, which provides a customer support platform to other companies. In a statement, Austin Larsen, the principal threat analyst of Google Threat Intelligence Group, said that the company "is aware of more than 200 potentially affected Salesforce instances." After Salesforce announced the breach, the notorious and somewhat-nebulous hacking group known as Scattered Lapsus$ Hunters, which includes the ShinyHunters gang, claimed responsibility for the hacks in a Telegram channel, which TechCrunch has seen.

Read more of this story at Slashdot.