Information Security News | AI Aggregator

A major vulnerability in the End-of-Train (EoT) protocol, identified as CVE-2025-1727, allows attackers to send commands that can abruptly engage train brakes across North America. Discovered by Neil Smith in 2012, the issue involves weak authentication using a BCH checksum. The Association of American Railroads plans to replace over 75,000 EoT devices with a more secure protocol, expected to take 5-7 years and cost $7-10 billion. CISA has issued an advisory on the vulnerability.

A vulnerability in Google Gemini for Workspace allows attackers to exploit email summaries, generating seemingly legitimate content that includes malicious instructions directing users to phishing sites. This prompt-injection technique, disclosed by researcher Marco Figueroa through Mozilla's bug bounty program, utilizes hidden directives in emails. Recommendations for mitigation include removing hidden content and implementing filters for urgent messages. Google stated they are enhancing defenses against such attacks but reported no incidents exploiting this flaw.

NVIDIA warns users to enable System Level Error-Correcting Code (ECC) to protect GDDR6 GPUs against Rowhammer attacks, following research demonstrating such an attack on the A6000 GPU. Rowhammer can cause data corruption or privilege escalation by flipping adjacent memory bits. ECC is crucial for data integrity in GPUs handling large datasets. Affected products include various models from Ampere, Ada, Hopper, Blackwell, Turing, and Volta series. Newer GPUs have built-in ECC protection.

A critical vulnerability in Wing FTP Server, tracked as CVE-2025-47812 (CVSS score: 10.0), allows remote code execution due to improper handling of null bytes in the web interface. Exploited via anonymous FTP accounts, attackers can inject arbitrary Lua code, enabling them to execute system commands with high privileges. Active exploitation was first observed on July 1, 2025. Users are urged to update to version 7.4.4 or later to mitigate risks.

Security updates are being distributed to mobile operators globally to address vulnerabilities in over two billion eSIMs, specifically affecting Kigen's eUICC software. Discovered by Security Explorations, these vulnerabilities allow attackers with physical access to extract a default secret key, enabling malicious applet deployment and potential data interception. Kigen issued a patch with two mitigations, while Oracle has not addressed a related 2019 vulnerability. Kigen rewarded Security Explorations with $30,000 for their findings.

Four vulnerabilities, named PerfektBlue, in the OpenSynergy BlueSDK Bluetooth stack can lead to remote code execution in vehicles from Mercedes-Benz, Volkswagen, and Skoda. Discovered by PCA Cyber Security, the flaws allow attackers to exploit infotainment systems, potentially accessing sensitive data. OpenSynergy issued patches in September 2024, but many automakers have not yet implemented them. The vulnerabilities require user interaction for exploitation, with specific conditions for successful attacks.

French police arrested Russian basketball player Daniil Kasatkin in Paris at the request of the U.S. over allegations of involvement in a ransomware ring that targeted 900 institutions, including two U.S. federal entities, from 2020 to 2022. He reportedly negotiated ransomware payments for the group. His lawyer claims he is innocent, stating he is not skilled with computers and may have unknowingly purchased a compromised device. Kasatkin has been in extradition custody since June 21.

Four individuals have been arrested in connection with cyber-attacks on M&S and the Co-op, which began in mid-April. The arrests, made by the National Crime Agency, include a 20-year-old woman and three males aged 17 to 19, suspected of offences under the Computer Misuse Act, blackmail, and money laundering. The attacks caused significant operational disruptions, with M&S estimating £300 million in lost profits. Electronic devices were seized during the arrests.

An AI hiring bot used by McDonald's, developed by Paradox.ai, exposed personal data of up to 64 million applicants due to basic security flaws, including the use of the password "123456." Security researchers Ian Carroll and Sam Curry accessed the backend of the chatbot platform, revealing vulnerabilities that allowed them to query sensitive data. Paradox.ai confirmed the findings and announced a bug bounty program to enhance security. McDonald's expressed disappointment in Paradox.ai's oversight and mandated immediate remediation.

AMD has identified a new side-channel attack, the Transient Scheduler Attack (TSA), affecting various AMD processors, including 3rd and 4th gen EPYC chips. The TSA comprises four vulnerabilities, with two rated medium-severity and two low-severity. Successful exploitation requires local access and arbitrary code execution. The vulnerabilities could lead to information leakage from the OS kernel and other applications. AMD recommends updating to the latest Windows builds for mitigation, though performance may be impacted.

A new vulnerability in ServiceNow, identified as CVE-2025-3648, allows low-privileged users to extract sensitive data due to misconfigured Access Control Lists (ACLs). Discovered by Varonis Threat Labs in February 2025, the flaw enables users to enumerate restricted data by manipulating URL filters. ServiceNow has introduced 'Deny Unless' ACLs and Query ACLs to mitigate the issue. Customers are advised to review their ACL configurations to prevent exploitation. No evidence of active exploitation has been reported.

On Tuesday, the Treasury Department sanctioned North Korean national Song Kum Hyok, linked to the hacking group Andariel, for facilitating an IT worker scheme that generates revenue for the DPRK. This scheme involved recruiting DPRK nationals with falsified identities to work at companies, sometimes introducing malware into networks. Sanctions were also placed on Russian national Gayk Asatryan and four companies involved in employing these workers. This action highlights ongoing efforts to counter DPRK's funding for WMD programs.

Microsoft's July 2025 Patch Tuesday addressed 130 CVEs, including 41 Remote Code Execution (RCE) vulnerabilities. Key critical vulnerabilities include CVE-2025-47981 (CVSS 9.8) affecting Windows SPNEGO and CVE-2025-49717 (CVSS 8.5) for SQL Server. Other affected products include Windows Kernel, Microsoft Office, and Azure services. No zero-day or actively exploited vulnerabilities were reported. Recommendations include applying patches promptly to mitigate risks associated with these vulnerabilities.

The Anatsa banking trojan infiltrated Google Play via a PDF viewer app, accumulating over 50,000 downloads. It activates upon installation, tracking users of North American banking apps and displaying a fake maintenance message to obscure its activities. Threat Fabric reported this campaign, noting previous infiltrations with significant downloads. The malicious app was removed by Google, and users are advised to uninstall it, run a full system scan, and reset banking credentials. Caution is urged when downloading apps.

Marks & Spencer's chairman, Archie Norman, did not confirm whether the company paid a ransom to the hacking group DragonForce following a ransomware attack earlier this year. The attack resulted in the theft of customer data, including names, addresses, and order histories, and disrupted operations for weeks. Recovery efforts are ongoing and expected to continue until October or November. Norman emphasized that discussing ransom details is not in the public interest due to law enforcement considerations.

Researchers at Koi Security identified nearly a dozen malicious Chrome extensions with 1.7 million downloads that can track users and redirect them to unsafe sites. Many extensions masquerade as legitimate tools and were found to have malicious code introduced via updates. Users are advised to remove specific extensions, clear browsing data, check for malware, and monitor accounts for suspicious activity. Similar malicious extensions were also found in the Microsoft Edge store, affecting over 2.3 million users combined.

A Chinese national, Xu Zewei, was arrested in Milan on July 3rd, linked to the state-sponsored Silk Typhoon hacking group, also known as Hafnium. He is accused of involvement in cyberespionage attacks against U.S. organizations, particularly targeting COVID-19 vaccine research in 2020. The group has also been linked to attacks on the U.S. Treasury's OFAC. Xu is currently held in prison as the U.S. seeks his extradition for trial.

The PC version of Call of Duty: World War 2 was taken offline following reports of a remote code execution (RCE) vulnerability allowing hackers to take control of players' computers during multiplayer matches. The game was removed from the Microsoft Store on July 5 for investigation. Players reported incidents of their PCs being compromised, including unauthorized command executions and system disruptions. The issue is linked to the transition from dedicated servers to peer-to-peer networking in older games.

A new version of the Atomic macOS info-stealer (AMOS) has been discovered, featuring a backdoor that allows attackers persistent access to compromised systems. Analyzed by Moonlock, this malware can execute remote commands, survive reboots, and maintain control indefinitely. It targets macOS files and user passwords, with campaigns affecting over 120 countries. The backdoor uses LaunchDaemons for persistence and can log keystrokes or introduce additional payloads, indicating a shift towards more sophisticated attacks on macOS users.

A spyware campaign named 'Batavia' is targeting numerous Russian industrial organizations through phishing emails disguised as contract attachments. Active since at least July 2022, the campaign intensified in early 2025. The attack begins with a malicious Visual Basic Encoded script that profiles the system and downloads further payloads, including a Delphi-based malware for data collection and a C++ data stealer. The operation may indicate espionage focused on Russia's industrial sector.

Hackers have exploited a leaked copy of Shellter Elite, a commercial AV/EDR evasion loader, to deploy infostealer malware. The misuse began in April 2023, with threat actors using YouTube comments and phishing emails for distribution. Shellter confirmed the leak originated from a customer who purchased licenses. An update (version 11.1) has been released for vetted customers, while Elastic Security Labs developed detections for the exploited version. Shellter criticized Elastic for not notifying them earlier about the abuse.

On June 17 and 25, 2025, Citrix disclosed three critical vulnerabilities in NetScaler ADC and Gateway: CVE-2025-5349 (Improper Access Control, CVSS 8.7), CVE-2025-5777 (Memory Overread, CVSS 9.3), and CVE-2025-6543 (Memory Overflow, CVSS 9.2). CVE-2025-5777 has been exploited in the wild, with a proof-of-concept available. Affected versions include 12.1, 13.1, and 14.1. Organizations are urged to upgrade to patched versions and terminate active sessions post-upgrade.

Cybercriminals accessed Qantas' systems via an offshore IT call center, compromising personal data of up to 6 million customers. This breach highlights vulnerabilities in human factors, particularly through social engineering techniques like vishing. The Australian Information Commissioner reported a rise in breaches from social engineering, with finance and health sectors most affected. The Australian Prudential Regulation Authority warned of increasing cyber threats to superannuation funds, emphasizing the need for improved cybersecurity measures.