cybersecurity

An umbrella community for all things cybersecurity / infosec. News, research, questions are all welcome!

Koi Security researchers warned that the NPM package ‘Lotusbail’, a WhatsApp Web API library and fork of ‘Baileys’, has been stealing users’ credentials and data.

The package has been available for six months and has had over 56,000 downloads. Lotusbail supports sending and receiving WhatsApp messages, wrapping the legitimate WebSocket client so all messages pass through it first, enabling the malicious capture of information.

The Lotusbail npm package works as a fully functional WhatsApp API, making it hard to detect because it is based on the legitimate Baileys library. It wraps WhatsApp’s WebSocket client, intercepting credentials, messages, contacts, and media while continuing normal operations.

cross-posted from: https://lemmy.radio/post/10939156

Dear colleagues,

In short, the atomic ensemble time scale at our Boulder campus has failed due to a prolonged utility power outage. One impact is that the Boulder Internet Time Services no longer have an accurate time reference. At time of writing the Boulder servers are still available due to a standby power generator, but I will attempt to disable them to avoid disseminating incorrect time.

The affected servers are:

  • time-a-b.nist.gov
  • time-b-b.nist.gov
  • time-c-b.nist.gov
  • time-d-b.nist.gov
  • time-e-b.nist.gov
  • ntp-b.nist.gov (authenticated NTP)

No time-to-repair estimate is available until we regain staff access and power. Efforts are currently focused on obtaining an alternate source of power so the hydrogen maser clocks survive beyond their battery backups.

More details follow.

Due to prolonged high wind gusts there have been a combination of utility power line damage and preemptive utility shutdowns (in the interest of wildfire prevention) in the Boulder, CO area. NIST's campus lost utility power Wednesday (Dec. 17 2025) around 22:23 UTC. At time of writing utility power is still off to the campus. Facility operators anticipated needing to shut down the heat-exchange infrastructure providing air cooling to many parts of the building, including some internal networking closets. As a result, many of these too were preemptively shut down, with the result that our group lacks much of the monitoring and control capabilities we ordinarily have. Also, the site has been closed to all but emergency personnel Thursday and Friday, and at time of writing remains closed.

At initial power loss, there was no immediate impact to the NIST atomic time scale or distribution services because the projects are afforded standby power generators. However, we now have strong evidence one of the crucial generators has failed. In the downstream path is the primary signal distribution chain, including to the Boulder Internet Time Service. Another campus building houses additional clocks backed up by a different power generator; if these survive it will allow us to re-align the primary time scale when site stability returns without making use of external clocks or reference signals.

Best wishes, -Jeff Sherman
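The note above describes one reference failing behind several public servers. The client-side defence is to take time from several independent sources and discard the one that disagrees, which is what the clock selection step in NTP does. As an added example (not from the post, and not NIST or ntpd code), the C program below runs Marzullo's agreement algorithm, the ancestor of the RFC 5905 intersection algorithm, over constructed offsets from five hypothetical servers and flags the outlier as a falseticker. The server names, offsets and root distances are made up for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>

/* One measured source: offset of its clock from ours, and the half-width
 * of the interval believed to contain its true time (NTP's root
 * distance). Both in seconds. */
typedef struct {
    const char *name;
    double offset;
    double dist;
} time_source;

/* Constructed sample: four sources that agree to within a few
 * milliseconds and one whose reference has failed and drifted. Names are
 * placeholders, not measurements of the servers in the note above. */
static const time_source sample[] = {
    { "a.example.net",       0.0012, 0.008 },
    { "b.example.net",       0.0025, 0.010 },
    { "c.example.net",      -0.0008, 0.006 },
    { "d.example.net",       0.0031, 0.012 },
    { "drifted.example.net", 0.8500, 0.005 },  /* the constructed falseticker */
};
#define SAMPLE_COUNT ((int)(sizeof sample / sizeof sample[0]))

typedef struct { double t; int type; } endpoint;  /* type: -1 start, +1 end */

static int cmp_endpoint(const void *a, const void *b)
{
    const endpoint *x = a, *y = b;
    if (x->t < y->t) return -1;
    if (x->t > y->t) return 1;
    return x->type - y->type;  /* at equal t, starts sort before ends */
}

/* Marzullo's algorithm: find the interval covered by the most sources.
 * Returns that count (-1 on allocation failure) and writes [lo, hi]. */
int marzullo(const time_source *src, int n, double *lo, double *hi)
{
    endpoint *ep = malloc(2 * (size_t)n * sizeof *ep);
    if (!ep) return -1;
    for (int i = 0; i < n; i++) {
        ep[2 * i]     = (endpoint){ src[i].offset - src[i].dist, -1 };
        ep[2 * i + 1] = (endpoint){ src[i].offset + src[i].dist, +1 };
    }
    qsort(ep, 2 * (size_t)n, sizeof *ep, cmp_endpoint);
    int best = 0, cnt = 0;
    for (int i = 0; i < 2 * n; i++) {
        cnt -= ep[i].type;        /* a start raises the count */
        if (cnt > best) {         /* only at a start, so ep[i + 1] exists */
            best = cnt;
            *lo = ep[i].t;
            *hi = ep[i + 1].t;
        }
    }
    free(ep);
    return best;
}

/* A source is a truechimer if its interval overlaps the majority interval,
 * otherwise a falseticker. Returns the truechimer count, or -1 when fewer
 * than n/2 + 1 sources agree, in which case nothing should be trusted. */
int classify_sources(const time_source *src, int n, int *truechimer)
{
    double lo = 0, hi = 0;
    if (marzullo(src, n, &lo, &hi) < n / 2 + 1) return -1;
    int ok = 0;
    for (int i = 0; i < n; i++) {
        double slo = src[i].offset - src[i].dist;
        double shi = src[i].offset + src[i].dist;
        truechimer[i] = (slo <= hi && shi >= lo);
        ok += truechimer[i];
    }
    return ok;
}

/* Accessors over the constructed sample. */
int sample_truechimers(void)
{
    int tc[SAMPLE_COUNT];
    return classify_sources(sample, SAMPLE_COUNT, tc);
}
int sample_is_truechimer(int i)
{
    int tc[SAMPLE_COUNT];
    return classify_sources(sample, SAMPLE_COUNT, tc) < 0 ? 0 : tc[i];
}
double sample_majority_offset(void)
{
    double lo = 0, hi = 0;
    marzullo(sample, SAMPLE_COUNT, &lo, &hi);
    return (lo + hi) / 2;   /* midpoint of the agreed interval */
}

int main(void)
{
    printf("majority offset %+.4f s, %d of %d sources agree\n",
           sample_majority_offset(), sample_truechimers(), SAMPLE_COUNT);
    for (int i = 0; i < SAMPLE_COUNT; i++)
        printf("  %-20s %+.4f s  %s\n", sample[i].name, sample[i].offset,
               sample_is_truechimer(i) ? "truechimer" : "FALSETICKER");
    return 0;
}
```

The majority condition is the point to take away: if most of a client's configured sources sit behind the same failed reference (for example, only the time-*-b.nist.gov hosts above), no selection algorithm can tell which side is wrong. The defence is diversity of independent sources, not more servers from one site.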

cross-posted from: https://scribe.disroot.org/post/6219559

Archived link

China-linked hackers have been using misconfigured Cisco security products to deploy backdoors on target networks for at least the past several weeks.

The hacker group, which Cisco tracks as UAT-9686, has been taking advantage of an insecure setting in Cisco’s AsyncOS software, which powers the company’s email and web security devices and virtual platforms, Cisco said in a ... security advisory.

...

Just in time for the end of the year, we’re happy to share our final release before the holidays: Vulnerability-Lookup 2.20.0 🎄

What's New

GCVE (Global CVE Allocation System): Relationships

We’ve updated the bundled Vulnogram interface to better support the GCVE ecosystem. Vulnerability-Lookup now allows you to define and manage relationships between vulnerabilities, in line with the GCVE BCP-05 specification.

Commit: 2f39bf8

This is a first step toward implementing full GCVE BCP-05 compliance.

Displaying relationships of a vulnerability

https://vulnerability.circl.lu/vuln/GCVE-1-2025-0032

In this case, opposes indicates that the GNA does not agree with the status or validity of the referenced vulnerability. This can be used when a GCVE published by another GNA is considered not to be a vulnerability for the product in question (e.g., the behavior is expected, or the scenario describes a discouraged or unsupported configuration).

Editing relationships with the Vulnogram UI


Sightings Visualization

Understanding how vulnerabilities are observed in the wild just got easier. We’ve added a new Heat Map to visualize vulnerability sightings over time, featuring built-in filters for dates and sighting types.

Commit: 56a66e0

Examples

https://vulnerability.circl.lu/vuln/CVE-2025-61757#sightings

https://vulnerability.circl.lu/vuln/CVE-2018-13379#sightings

Sighting correlations

https://vulnerability.circl.lu/vuln/CVE-2025-59718#sightingsCorrelations


Changes

  • Authentication: Allowed password recovery triggers based on case-insensitive usernames. #290
  • Vulnerability Disclosure: A guidance message is now displayed to unauthenticated users when attempting to submit a new disclosure. (90787db)
  • Product API: product.find_vulnerabilities now returns more comprehensive results. (a31f6c3)

https://vulnerability.circl.lu/vuln/GCVE-1-2025-0041


Fixes

  • Data Ingestion: Fixed an issue to ignore temporary files in ossf/malicious-packages. (6bc93b1)
  • Website: Fixed the routing path used to delete vulnerability disclosures. (e2ecb2a)
  • Website: Updated vulnerability ID requirements to be optional for disclosures. (5bd5353)

Changelog

For the full list of changes, check the GitHub release:
v2.20.0 Release Notes

Thank you to all our contributors and testers!


Feedback and Support

If you encounter any issues or have suggestions, please open a ticket on our GitHub repository:
GitHub Issues

Follow Us on the Fediverse

Stay updated on security advisories in real-time by following us on Mastodon:
@vulnerability_lookup

Spectre V1 mitigations in the Linux kernel are coming for RISC-V with newer RISC-V core designs being vulnerable to Spectre Variant One style attacks.

Spectre V1, as a reminder, is the variant for Bounds Check Bypass with CPU speculative execution in conditional branches. The Linux kernel RISC-V code hasn't seen Spectre V1 protections since earlier, more basic RISC-V core designs have been immune to Variant One and other Spectre vulnerabilities. But newer, more complex RISC-V core designs are bringing some of the same challenges exhibited on x86_64 and AArch64 architectures.
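The mitigation the kernel applies for Variant One on other architectures is to clamp the array index with a branch-free mask rather than rely on the bounds-check branch alone, since the branch is exactly what speculation ignores. As an added example, not taken from the Linux source or the RISC-V patches, here is the vulnerable lookup shape beside a hardened one that follows the same idea as the generic array_index_mask_nospec() / array_index_nospec() helpers in Linux. The table contents are constructed, and the mask is written with a plain unsigned shift instead of the kernel's signed arithmetic shift.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TABLE_SIZE ((size_t)16)

/* Constructed sample data: a small lookup table. In a real gadget the
 * bytes that follow it in memory are what the attacker wants to read. */
static const uint8_t table[TABLE_SIZE] = {
    10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25
};

/* Vulnerable shape (Spectre V1, bounds check bypass). Architecturally the
 * check holds, but while the branch condition is unresolved a speculating
 * core may execute table[idx] with an attacker-chosen out-of-range idx,
 * and a dependent access keyed on the loaded byte leaves a cache
 * footprint that survives when the speculation is squashed. */
uint8_t lookup_unsafe(size_t idx)
{
    if (idx < TABLE_SIZE)
        return table[idx];
    return 0;
}

/* Branch-free mask: all ones when idx < size, zero otherwise. Same idea as
 * the generic array_index_mask_nospec() in Linux: for idx < size both idx
 * and (size - 1 - idx) have a clear top bit; for idx >= size the
 * subtraction wraps and sets it. The unsigned shift avoids relying on
 * arithmetic right shift of a negative signed value.
 * Valid for 1 <= size <= SIZE_MAX / 2 + 1. */
static inline size_t index_mask_nospec(size_t idx, size_t size)
{
    size_t top = (idx | (size - 1 - idx)) >> (sizeof(size_t) * CHAR_BIT - 1);
    return (size_t)0 - (top ^ (size_t)1);
}

/* Clamp: unchanged for an in-bounds idx, 0 for anything else. */
size_t clamp_index_nospec(size_t idx, size_t size)
{
    return idx & index_mask_nospec(idx, size);
}

/* Hardened lookup. The early return handles the architectural path; the
 * clamp handles the speculative one, so the only slot that can ever be
 * loaded with idx >= TABLE_SIZE, speculatively or not, is table[0]. */
uint8_t lookup_safe(size_t idx)
{
    if (idx >= TABLE_SIZE)
        return 0;
    idx = clamp_index_nospec(idx, TABLE_SIZE);
    return table[idx];
}

int main(void)
{
    size_t probes[] = { 4, 15, 16, 1000, SIZE_MAX };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("idx=%zu mask=%#zx clamped=%zu safe=%u\n",
               probes[i], index_mask_nospec(probes[i], TABLE_SIZE),
               clamp_index_nospec(probes[i], TABLE_SIZE),
               lookup_safe(probes[i]));
    return 0;
}
```

The clamp does not stop the core from speculating past the branch; it makes the speculative load harmless by forcing the index to 0, which is why it has to be a data dependency (a mask) and not another comparison the compiler might lower to a branch. In the kernel the per-architecture versions are written in assembly for the same reason, and only code paths that index with untrusted values (syscall arguments, user-controlled offsets) need the clamp.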

cross-posted from: https://mander.xyz/post/43813312

Chinese espionage crew 'Ink Dragon' expands its snooping activities into European government servers

In the last few months, the China-linked threat actor Ink Dragon's activities show an increased focus on government targets in Europe in addition to continued activities in Southeast Asia and South America.

Web archive link

Here is the original (technical) report: Inside Ink Dragon: Revealing the Relay Network and Inner Workings of a Stealthy Offensive Operation

...

These attacks begin with Ink Dragon probing security weaknesses, such as misconfigured Microsoft IIS and SharePoint servers, to gain access to victims' environments. This tactic, as opposed to abusing zero-days or other high-profile vulnerabilities, helps attackers fly under the radar and reduces their chances of being caught.

Ink Dragon then scoops up credentials and uses existing accounts to infiltrate targets, tactics that help the gang blend in with normal network traffic.

"This stage is typically characterized by low noise and spreads through infrastructure that shares the same credentials or management patterns," Check Point's researchers said in a Tuesday blog.

Once Ink Dragon finds an account with domain-level access, the spies set to work establishing long-term access across high-value systems, installing backdoors and implants that store credentials and other sensitive data.

...

In addition to their new targets and relay node activity, Check Point says the cyber spies have also updated their FinalDraft backdoor so that it blends in with common Microsoft cloud activity, hiding its command traffic inside mailbox drafts.

The new version also lets the malware check in during business hours - so as not to draw unwanted after-hour attention - and can more efficiently transfer large files with minimal noise.

...

The threat hunters' investigation into Ink Dragon also uncovered similar stealthy activity by another China-linked espionage crew, RudePanda, which "had quietly entered several of the same government networks," they wrote.

While the two groups are unrelated, they both abused the same server vulnerability to gain access to the same IT environments. This also illustrates the changing tactics among other government-sponsored cyber squads, including not only Beijing-backed crews, but also those from Russia.

...

Wanna chat about something non-infosec amongst those of us who frequent /c/cybersecurity? Here’s your chance! (Keep things civil & respectful please)

Dozens of government and university websites belonging to cities, towns, and public agencies across the country are hosting PDFs promoting AI porn apps, porn sites, and cryptocurrency scams; dozens more have been hit with website redirection attacks that lead to animal vagina sex toy ecommerce pages, penis enlargement treatments, automatically-downloading Windows program files, and porn.

“Sex xxx video sexy Xvideo bf porn XXX xnxx Sex XXX porn XXX blue film Sex Video xxx sex videos Porn Hub XVideos XXX sexy bf videos blue film Videos Oficial on Instagram New Viral Video The latest original video has taken the internet by storm and left viewers in on various social media platforms ex Videos Hot Sex Video Hot Porn viral video,” reads the beginning of a three-page PDF uploaded to the Irvington, New Jersey city government’s website.

Archive: http://archive.today/tgD57

Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.

Wanna chat about something non-infosec amongst those of us who frequent /c/cybersecurity? Here’s your chance! (Keep things civil & respectful please)

cross-posted from: https://scribe.disroot.org/post/5953090

Archived version

Here is the original Cisa report: BRICKSTORM Backdoor

...

Chinese hackers are using a strain of malware to attack governments in several countries and maintain long-term access, according to U.S. and Canadian cybersecurity officials.

The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA) and Canadian Centre for Cyber Security published an advisory on Thursday outlining the BRICKSTORM malware based on an analysis of eight samples taken from victim organizations.

...

“BRICKSTORM is a sophisticated and stealthy backdoor malware linked to PRC state-sponsored cyber actors,” said CISA Executive Assistant Director for Cybersecurity Nick Andersen.

The advisory includes indicators of compromise and detections organizations can use to tell if they have been impacted by the campaign involving the malware. The malware is used “for long-term persistence on victim systems,” according to U.S. agencies.

...

The goal of the campaign is to steal valuable intellectual property and sensitive data — with a particular focus on the email inboxes of senior company leaders, according to Mandiant. The company attributed the campaign to a threat actor they previously accused of abusing vulnerabilities in firewall products from tech company Ivanti.

...
