lemmydev2

ANY.RUN research identified a large-scale data leak event triggered by a false positive in Microsoft Defender XDR. The security platform incorrectly flagged benign files as malicious, leading to their automatic submission to ANY.RUN’s public sandbox for analysis. As a result, over 1,700 sensitive documents were uploaded and indexed publicly. The leak, which involved corporate data […] The post Microsoft Defender XDR False Positive Leads to Massive Data Leak of 1,700+ Sensitive Documents appeared first on Cyber Security News.

 

Interesting: The company has released a working rootkit called “Curing” that uses io_uring, a feature built into the Linux kernel, to stealthily perform malicious activities without being caught by many of the detection solutions currently on the market. At the heart of the issue is the heavy reliance on monitoring system calls, which has become the go-to method for many cybersecurity vendors. The problem? Attackers can completely sidestep these monitored calls by leaning on io_uring instead. This clever method could let bad actors quietly make network connections or tamper with files without triggering the usual alarms...

 

Crooks exploit the death of Pope Francis, using public curiosity and emotion to launch scams and spread malware, an old tactic during global events. On April 24, 2025, after Pope Francis’ death, cybercriminals launched scams and malware attacks, exploiting public curiosity, grief, and confusion. Cybercriminals are ready to exploit any event of global interest, it […]

 

A new government illuminates the environmental impact of generative AI.

 

arXiv:2504.16836v1 Announce Type: new Abstract: The Onion Router (Tor) is a controversial network whose utility is constantly under scrutiny. On the one hand, it allows for anonymous interaction and cooperation of users seeking untraceable navigation on the Internet. This freedom also attracts criminals who aim to thwart law enforcement investigations, e.g., by trading illegal products or services such as drugs or weapons. Tor allows delivering content without revealing the actual hosting address, by means of .onion (or hidden) services. Unlike regular domains, these services cannot be resolved by traditional name services, are not indexed by regular search engines, and they frequently change. This generates uncertainty about the extent and size of the Tor network and the type of content offered. In this work, we present a large-scale analysis of the Tor Network. We leverage our crawler, dubbed Mimir, which automatically collects and visits content linked within the pages, to collect a dataset of pages from more than 25k sites. We analyze the topology of the Tor Network, including its depth and reachability from the surface web. We define a set of heuristics to detect the presence of replicated content (mirrors) and show that most of the analyzed content in the Dark Web (82% approx.) is a replica of other content. Also, we train a custom Machine Learning classifier to understand the type of content the hidden services offer. Overall, our study provides new[...]

 

arXiv:2504.16550v1 Announce Type: new Abstract: Intrusion Detection Systems (IDSs) are integral to safeguarding networks by detecting and responding to threats from malicious traffic or compromised devices. However, standalone IDS deployments often fall short when addressing the increasing complexity and scale of modern cyberattacks. This paper proposes a Collaborative Intrusion Detection System (CIDS) that leverages Snort, an open-source network intrusion detection system, to enhance detection accuracy and reduce false positives. The proposed architecture connects multiple Snort IDS nodes to a centralised node and integrates with a Security Information and Event Management (SIEM) platform to facilitate real-time data sharing, correlation, and analysis. The CIDS design includes a scalable configuration of Snort sensors, a centralised database for log storage, and LogScale SIEM for advanced analytics and visualisation. By aggregating and analysing intrusion data from multiple nodes, the system enables improved detection of distributed and sophisticated attack patterns that standalone IDSs may miss. Performance evaluation against simulated attacks, including Nmap port scans and ICMP flood attacks, demonstrates our CIDS's ability to efficiently process large-scale network traffic, detect threats with higher accuracy, and reduce alert fatigue. This paper highlights the potential of CIDS in modern network environments and explores future enhancements, such as integrating[...]

 

While AI adoption is widespread, its impact on productivity, trust, and team structure varies sharply by role and region, according to Exabeam. The findings confirm a critical divide: 71% of executives believe AI has significantly improved productivity across their security teams, yet only 22% of analysts — those closest to the tools — agree. This perception gap reveals more than a difference in opinion; it underscores a deeper issue with operational effectiveness and trust. Executives … More → The post One in three security teams trust AI to act autonomously appeared first on Help Net Security.

 

MITRE has released the latest version of its ATT&CK framework, which now also includes a new section (“matrix”) to cover the tactics, techniques and procedures (TTPs) used to target VMware ESXi hypervisors. About MITRE ATT&CK MITRE ATT&CK is a regularly updated public knowledge base that charts how real-world threat actors behave. It also lists known/documented threat actor groups, malware, and (some) past high-profile campaigns. It’s used by cyber defenders and vendors for threat modeling and … More → The post Released: MITRE ATT&CK v17.0, now with ESXi attack TTPs appeared first on Help Net Security.

 

Blue Shield of California disclosed it suffered a data breach after exposing protected health information of 4.7 million members to Google's analytics and advertisement platforms. [...]

 

arXiv:2504.15395v1 Announce Type: new Abstract: In cybersecurity, risk is commonly measured by impact and probability. The former is objectively measured based on the consequences of using technology to obtain business gains or to achieve business objectives. The latter has been measured, in sectors such as finance or insurance, based on historical data because vast information is available, and many other fields have applied the same approach. In cybersecurity, however, as a new discipline, there is not always historical data to support an objective measure of probability; the data that is available is not public, and there is no consistent format to store and share it, so a new approach is required to measure the incidence of cybersecurity events. Through a comprehensive analysis of the state of the art, including current methodologies, frameworks, and incident data, and considering tactics, techniques, and procedures (TTP) used by attackers, indicators of compromise (IOC), and defence controls, this work proposes a data model that describes a cyber exposure profile and provides an indirect but objective measure of likelihood, including different sources and metrics to update the model if needed. We further propose a set of practical, quantifiable metrics for risk assessment, enabling cybersecurity practitioners to measure likelihood without relying solely on historical incident data. By combining these metrics with our data model, organizations gain an actionable framework[...]

 

Cybercriminals continued to shift to stealthier tactics, with lower-profile credential theft spiking, while ransomware attacks on enterprises declined, according to IBM. Researchers observed an 84% increase in emails delivering infostealers in 2024 compared to the prior year, a method threat actors relied heavily on to scale identity attacks. 70% of attacks in 2024 involved critical infrastructure. In this subset, the use of valid accounts made up 31% of initial access vectors, followed by phishing and … More → The post Phishing emails delivering infostealers surge 84% appeared first on Help Net Security.

 

There are now several public proof-of-concept (PoC) exploits for a maximum-severity vulnerability in the Erlang/OTP SSH server (CVE-2025-32433) unveiled last week. “All users running an SSH server based on the Erlang/OTP SSH library are likely to be affected by this vulnerability. If your application uses Erlang/OTP SSH to provide remote access, assume you are affected,” Ruhr University Bochum researchers, who discovered and reported the flaw, said. About CVE-2025-32433 Erlang/OTP SSH is a set of libraries … More → The post PoC exploit for critical Erlang/OTP SSH bug is public (CVE-2025-32433) appeared first on Help Net Security.
