Tuesday, July 7, 2026

Rogue Agent Flaw Could Have Let Attackers Hijack Google Dialogflow CX Chatbots

A critical flaw in Google's Dialogflow CX could have let an attacker with edit rights on one chatbot take over every chatbot in the same Google Cloud project.

From there, they could read live conversations, steal the data users shared, and make the bots send attacker-written messages, including requests to re-enter a password.

Security firm Varonis found it and named it Rogue Agent. The flaw affected only organizations that built agents with Dialogflow's Playbooks and custom Code Blocks, which let developers add their own Python. And it was not a remote, unauthenticated attack.

Pulling it off needed the dialogflow.playbooks.update permission on one such agent, which limits the realistic attacker to a malicious insider or a compromised developer account, not a stranger on the internet. From that one foothold, though, the reach extended to every agent in the project.

Google has fixed it, and both Varonis and Google say there is no sign the flaw was ever used in a real attack.

One writable file ran every agent's Code Blocks

Dialogflow's Code Blocks let developers add custom Python to a chatbot's conversation flow, to check user input or call an API. That code runs in a Google-managed Cloud Run environment, and every agent that uses Code Blocks in the same Google Cloud project shares one instance of it.

Google runs that environment, the customer cannot see or control it, and Varonis found no real isolation between the agents inside it.

When an agent runs a Code Block, the developer's code is appended to internal setup code and passed to Python's exec() function. That setup code defines the variables and functions the block can touch. Variables include history for the full conversation and state for session details like the session ID. Functions include respond(), which makes the bot reply with a given string.

Varonis found the file that does this wrapping, code_execution_env.py, sitting in the shared environment with write access.

Because that file was writable, a single Code Block could replace it. That block downloads a modified code_execution_env.py from an attacker-controlled server and overwrites the original inside the running container.

From then on, the attacker's version runs for every Code Block execution across every agent sharing that environment. It sits in the same scope as legitimate code, with the same access to history, state, and respond().

That lets it read each conversation, quietly send it to the attacker's server, and make the bot post attacker-written messages. One example is phishing: the bot asks the user to re-verify a login, and the attacker collects whatever they type.

To cover the tracks, the attacker restores the original Code Block in the Dialogflow console. That changes only what the console displays; the overwritten file is already running in the container and keeps executing underneath.

The sandbox leaked two more ways

Varonis reported two related issues, and neither needed the file overwrite. First, the Code Block environment had unrestricted outbound internet access. Using the built-in urllib library, the researchers sent data straight to an external server and could receive commands back.

Varonis says this bypasses VPC Service Controls, the Google Cloud perimeter meant to stop data from leaving protected services. The environment sits outside that perimeter and can reach the open internet, which turns it into a channel for both data theft and remote control.

Second, and less serious, the environment exposed the Instance Metadata Service (IMDS), a normally internal endpoint that hands out cloud credentials. Querying it returned a token for a Google-managed service account.

That account was low-privilege, so the direct risk was limited; the real point is that a code-execution sandbox should not be able to reach IMDS at all.

Almost nothing reached the logs

The overwrite happened inside Google's environment, where customers have no visibility, and Cloud Logging did not record the file change or the injected code.

That makes it hard, though not impossible, to catch from the customer side. The setup actions still leave traces, which the checks below rely on.

Varonis disclosed the flaw through Google's Vulnerability Reward Program in November 2025. Google shipped an initial fix in April 2026 and fully resolved it in June 2026, about seven months from report to resolution. No CVE was assigned.

What to check if you used Code Blocks

If you ran Dialogflow CX agents with Code Block Playbooks before the fix and want to confirm you were not targeted, start with access.

The dialogflow.playbooks.update permission is the whole entry point, so audit which roles and accounts hold it.

Then:

  • Review your DATA_WRITE audit logs for the Dialogflow API for unexpected playbook updates, and correlate them with unusual users, IP addresses, or access times.
  • Run a Cloud Logging query for failed user requests, where the error messages can reveal exceptions thrown by malicious Code Blocks.
  • In the Dialogflow console, open Playbooks for each agent and confirm every Code Block is one you approved.

A different kind of AI flaw

Many recent AI security flaws have worked by fooling the model.

Varonis's own Reprompt and SearchLeak turned a single click into data theft in Microsoft's Copilot. Noma Security's ForcedLeak hid instructions in a Salesforce web form to pull out CRM data.

Microsoft's researchers showed prompt injection turning into code execution in the Semantic Kernel framework. Rogue Agent did not touch the model at all. It abused a normal developer feature and a shared, invisible runtime, reachable with one ordinary edit permission.

In a setup like this, a permission that looks like a content-edit right is actually a code-execution right. Anyone who can add a Code Block can run arbitrary Python inside a shared environment that the customer cannot inspect.

Treat agent-edit permissions as the runtime controls they are. Even when the provider says nothing needs fixing, customers still have no way to look inside that runtime themselves.



from The Hacker News https://ift.tt/JRFQK93
via IFTTT

The ‘Ghost’ in the Database: Recovering Active ADFS Signing Keys via Machine DPAPI

Written by: Shebin Mathew


Introduction 

The "Golden SAML" technique, first described by CyberArk researchers in 2017, and further detailed by Mandiant researchers in 2021, remains one of the most effective methods for threat actors to forge identity assertions in the Microsoft ecosystem. By obtaining the private key of an ADFS token-signing certificate, an attacker can authenticate as any user to any SAML-federated application, bypassing multifactor authentication (MFA), conditional access, and all identity-based controls.

However, during a recent red team engagement, Mandiant discovered that when ADFS certificates are manually rotated, configuration drift can silently leave active signing keys exposed in Machine DPAPI. Specifically, Mandiant discovered that in environments where AutoCertificateRollover is disabled and certificates are manually rotated, the database often becomes a 'ghost'—a record that still exists, still decrypts successfully, but references a certificate no longer used for token signing by the ADFS service. This attack vector warrants attention because the underlying configuration is commonly deployed in enterprise environments. The technique avoids direct interaction with components such as LSASS and the live ADFS service process, which are often subject to enhanced monitoring in enterprise environments, and may therefore result in lower visibility depending on the organization’s telemetry coverage. This post details how adversaries may exploit this TTP to forge high-privilege SAML tokens and provides the blueprint to defend against it.

Technical Insight: Encountering the ‘Ghost Certificate’

Analysts followed the standard DKM extraction path, retrieving the encrypted blob from the WID database and decrypting it using the DKM material stored in Active Directory. The extraction succeeded, but the recovered certificate was no longer valid for token signing, and Entra ID rejected the resulting tokens with AADSTS500172 due to invalid signing material. Although structurally correct, the artifact is not usable for authentication, as the active signing key resides in the system’s machine-scoped cryptographic store, protected by Windows Machine DPAPI and managed through the operating system’s cryptographic subsystem. Successfully obtaining this active key allows an attacker to forge valid SAML assertions for any user, bypassing the need for user credentials and multi-factor authentication, and granting unauthorized access to any SAML-federated application including Microsoft 365 and Entra ID within the organization's environment.

Analysis revealed that AutoCertificateRollover had been disabled and a manual rotation had been performed. Confirmation was obtained directly via Get-AdfsProperties, which returned AutoCertificateRollover: False, indicating that certificate lifecycle management had been delegated to manual administrative processes. While the ADFS service used a new valid key for signing, the WID configuration database was never updated to reflect the new certificate—leaving an expired "ghost" entry as the only record. This drift condition surfaces via Microsoft Event ID 385, which indicates certificate validity warnings in the ADFS service. Notably, this event self-resolves when AutoCertificateRollover is re-enabled and a subsequent certificate rollover is performed; in environments where it is disabled and manual rotation is performed without a corresponding database update, it is the observable symptom of this drift condition.

ADFS certificate enumeration output showing configuration drift between the WID database and the active host certificate

Figure 1: ADFS certificate enumeration output showing configuration drift between the WID database and the active host certificate

ADFS maintains private keys in two protection contexts. In Location 1 (User DPAPI), encrypted key blobs may exist on disk, but the DPAPI protection is tied to the service account's SID and associated DPAPI masterkey material. In the assessed environment, the domain DPAPI backup key approach successfully decrypted masterkey material for interactive user profiles, but returned no decryptable material associated with the ADFS service account profile. All subsequent offline decryption attempts similarly failed, consistent with the masterkey not being recoverable through the evaluated on-disk recovery approach in this environment—though this observation is bounded to the assessed environment and does not represent a universal architectural property of all ADFS deployments.

Location 2 (Machine RSA) does not rely on a user-specific logon session. Instead, the key material is protected using Machine DPAPI, leveraging the DPAPI_SYSTEM LSA secret together with machine masterkeys available to sufficiently privileged SYSTEM-level contexts.

Why the WID Path Misses This Key

In ADFS environments experiencing configuration drift—commonly arising during manual certificate rotations where AutoCertificateRollover is disabled—the ADFS service host can successfully bind to a newly provisioned signing certificate at the operating-system level, ensuring continued service operation. However, the WID configuration database may not reflect the current signing certificate, resulting in stale certificate metadata.

This divergence between configuration and runtime state is the condition that ADFS Event ID 385 is designed to flag. As a consequence, extraction techniques that rely solely on the WID database and DKM material may return certificates that are no longer used for active signing, leading to rejected assertions in downstream federation scenarios.

Understanding How the Machine DPAPI Store Becomes Populated

Understanding how the Machine DPAPI store becomes populated requires examining how ADFS persists its token-signing key material. During initial deployment, automatic certificate rollover, or manual certificate rotation, ADFS persists its RSA private key material in the machine-scoped CAPI key store at C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\, protected using machine DPAPI context rather than a user-bound DPAPI context. SharpDPAPI /machine enumeration in the assessed environment confirmed that the active machine key material resided under this path, while the CNG Crypto\Keys store was not observed in use in the assessed environment.

The protection chain relies on the DPAPI_SYSTEM LSA secret together with machine masterkeys associated with the S-1-5-18 security context, stored in C:\Windows\System32\Microsoft\Protect\S-1-5-18\ as DPAPI-protected key material—both components ultimately resolvable only within highly privileged SYSTEM-level contexts on the host. The corresponding certificate is enrolled into the LocalMachine\My certificate store, from which ADFS retrieves the associated private key during token-signing operations.

The architectural rationale for machine-scoped key storage is operational resilience. A machine-scoped key remains usable across service account password changes, gMSA rotations, system reboots, and service restarts without requiring key reprovisioning or dependency on a specific interactive logon session. This design ensures that the ADFS service can consistently access the signing key regardless of changes to the underlying service account credentials.

However, this same design choice has important security implications. Because the private key is protected using Machine DPAPI rather than a user-bound DPAPI context, a sufficiently privileged local process capable of accessing the machine key store and associated DPAPI artifacts may be able to recover the key material independently of the original service logon session. As a result, under certain conditions, recovery of the active ADFS token-signing private key may be achievable without direct interaction with LSASS memory or the live ADFS service process itself, potentially reducing visibility to defenses primarily focused on credential dumping or process-memory access behaviors.

KEY DESIGN IMPLICATION

ADFS persists its token-signing private key material in the machine-scoped key store, protected using Machine DPAPI semantics. This is a documented behavior enabling machine-scoped key persistence that survives service account changes, credential rotations, and service restarts.

However, this design introduces an operational security implication that is not commonly emphasized in standard ADFS hardening guidance: private keys stored within the machine key store are protected using this protection model and may be recoverable by a sufficiently privileged SYSTEM-level context through access to the DPAPI_SYSTEM LSA secret and machine masterkeys available locally on the host.

As a result, recovery of the active ADFS token-signing private key may be achievable without direct interaction with LSASS memory or the live ADFS service process itself, potentially reducing visibility to security controls primarily focused on credential dumping or process-memory access behaviors.

Attack Flow: Machine DPAPI Key Recovery to SAML Forgery

Machine DPAPI extraction flow—five-step process from SYSTEM execution to SAML assertion

Figure 2: Machine DPAPI extraction flow—five-step process from SYSTEM execution to SAML assertion

‘SharpDPAPI /machine’ output confirming successful recovery of the active ADFS token-signing private key from the machine DPAPI store

Figure 3: ‘SharpDPAPI /machine’ output confirming successful recovery of the active ADFS token-signing private key from the machine DPAPI store

The recovered key was used to forge a SAML assertion impersonating a Global Administrator identity, which Entra ID accepted as a valid authentication assertion, resulting in authenticated access at Global Administrator privilege level within the federated Microsoft 365 tenant.

Detection and Hunting

Defenders should prioritize visibility into operating system-level cryptographic operations and identity issuance behavior, rather than relying solely on application-layer configuration stores.

  • SACL-Based Object Access Monitoring: Configure object access auditing via SACLs on C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\ and C:\Windows\System32\Microsoft\Protect\S-1-5-18\. When configured correctly, this generates Security Event ID 4663 for file access attempts. Coverage depends on SACL configuration and access paths; treat this as supporting evidence in correlation-based detection rather than a stand-alone signal.

  • ADFS Token Issuance Consistency: Monitor for inconsistencies between primary authentication events and token issuance events in ADFS audit logs. Relevant events include token issuance and claims processing records (Event IDs 299, 1200-series, depending on ADFS version and audit configuration). The objective is to identify token issuance that cannot be clearly correlated to a preceding authentication context. This is most effective when normal authentication patterns per relying party trust are baselined.

  • Federated Identity Monitoring in Entra ID: Entra ID sign-in logs will record an accepted forged assertion as a standard federated sign-in event. Detection requires cross-correlating Entra ID sign-in records against ADFS-side issuance logs—neither source in isolation is sufficient. For privileged accounts, focus on unexpected Internet Protocol (IP) ranges, claim set deviations,and user-agent inconsistencies.

Mitigation and Remediation

ADFS infrastructure should be treated as Tier 0 identity infrastructure, equivalent in criticality to Domain Controllers. If SYSTEM access is achieved on an ADFS host, the signing key must be considered compromised.

  • Hardware-Backed Key Protection: Migrate token-signing certificates to a Hardware Security Module (HSM). HSM-backed keys ensure private key material does not exist in software-accessible storage on the host, eliminating the Machine DPAPI extraction path entirely.

  • gMSA Service Identity: Run ADFS services using Group Managed Service Accounts to automate credential rotation and reduce operational drift in service identity management. While this does not directly address machine-scoped key protection, it eliminates manual credential management as a contributing factor to configuration drift.

  • Tier 0 Administrative Controls: Govern ADFS servers with strict Tier 0 controls: restricted administrative access pathways, dedicated Privileged Access Workstations (PAWs), separation from general server administration domains, and enhanced privileged access monitoring.

  • Certificate Rotation and Configuration Validation: If compromise is suspected, rotate the token-signing certificate and validate consistency across ADFS configuration, the  LocalMachine\My store, and federation metadata. Do not rely on a single source of truth. For environments with AutoCertificateRollover disabled, manual rotation must include updating ADFS via Set-AdfsCertificate—installing the certificate alone is insufficient. Validate using Get-AdfsCertificate after rotation. If Event ID 385 appears afterward, investigate for configuration inconsistency. 

  • Multicloud Scope Awareness: A compromised ADFS token-signing key affects all SAML relying party trusts, not just Microsoft services. Organizations using ADFS for identity federation across other software-as-a-service (SaaS) platforms should treat ADFS as Tier 0 infrastructure and audit all relying party trusts. Migrating away from ADFS-based federation (e.g., to native OIDC federation) removes this specific attack path.



from Threat Intelligence https://ift.tt/W5Q8PYb
via IFTTT

DEBULL Tooling Abuses Microsoft Device-Code Flow to Target M365 Accounts

A Microsoft 365 device code phishing campaign has been observed leveraging collaboration-themed lures to take control of victim accounts between the last week of June 2026 and into early July, per findings from ZeroBEC.

"The campaign did not depend on a fake Microsoft password page. It used a malicious collaboration-style lure to push users into the legitimate Microsoft device login experience, while a backend broker generated and polled Microsoft Authentication Broker device-code tokens," the email security company said in a report shared with The Hacker News.

The activity is assessed to share "strong" overlaps with a campaign documented by Microsoft in February 2025 under the moniker Storm-2372, including the use of messaging or Teams-style lures to trick unsuspecting victims into entering an attacker-provided device code, along with their credentials, effectively allowing the threat actor to recover the token and hijack their account.

Despite these similarities, it's assessed that the threat actors are employing Storm-2372-style tradecraft through what has been described as a reusable tooling layer called DEBULL.

Device code phishing refers to an identity theft technique where attackers exploit a legitimate OAuth 2.0 authentication mechanism, specifically the Device Authorization Grant flow, to bypass multi-factor authentication (MFA) and gain persistent account access without having to steal user passwords.

Unlike traditional phishing attacks that require the operators to set up bogus adversary-in-the-middle (AitM) login pages, device code phishing relies on manipulating a user into completing a real, trusted authentication prompt.

Device code authentication, per Microsoft, is a legitimate OAuth flow designed for devices with limited interfaces, such as smart TVs or printers, that cannot support a traditional interactive login. In this scenario, a user is presented with a short code on the device they are trying to sign in from and is prompted to input that code into a web browser on a separate device to complete the authentication.

Threat actors have abused this separation to insert themselves and initiate the authentication flow. Then, they share that code with the target through a phishing lure. Thus, when the user enters the code, they authorize the threat actor's session without their knowledge, granting them access to the account.

"Device code phishing doesn't hack its way in," Huntress notes. "It uses a legitimate authentication flow to walk right through the front door, with no password required, MFA bypassed, and session tokens handed straight to the attacker."

Successful device code phishing attacks can facilitate full account takeover, theft of valuable information, fraud, business email compromise (BEC), lateral movement within a compromised environment, and even disruptive attacks like ransomware.

"In most current device code phishing attacks, the code is generated dynamically when a user clicks on the initial phishing link. This seemingly small change allows the user to view the email at any time to kickstart the attack chain," Proofpoint said in an analysis published in May 2026. "These new implementations of the device code attack chains can be purchased via phishing-as-a-service (PhaaS) offerings, like EvilTokens or Tycoon, or created and owned by the threat actor conducting the campaigns. "

These campaigns are also known to leverage account takeover (ATO) jumping, a technique where an attacker compromises an initial email account and then abuses it to send phishing links to a broader set of contacts in the form of a button, hyperlinked text, embedded within a document, or a QR code. The links, when visited by the recipient, initiate an attack sequence that employs the Microsoft device authorization process.

ZeroBEC said the campaign it observed involves using payment and shared-folder pretexts in phishing emails to deceive victims into clicking on a URL that takes them to a legitimate-but-compromised Croatian rental website, which, in turn, acts as a device code orchestrator used to initiate the Microsoft device code challenge chain.

The workflow is characterized by the presence of Turkish-language developer markers, although the clues aren't enough to definitively attribute the campaign's provenance. Further analysis of the infrastructure has revealed that DEBULL is likely a phishing-as-a-service (PhaaS) platform that uses GraphSpy or a GraphSpy-derived workflow for Microsoft 365 and Entra post-exploitation.

"Operators can define a page name and slug, edit HTML, CSS, and JavaScript directly, then choose how the lure is published," ZeroBEC said. "The embedded templates included a Microsoft 365 device-code authentication page, an OAuth callback page, and a modern landing page. The Microsoft 365 template is especially important because it exposes the exact building block used by the campaign: a user-code display, copy-code behavior, and a link to Microsoft device login."

"The more useful conclusion is that Storm-2372-style identity tradecraft is now being packaged into reusable broker infrastructure. DEBULL provides the campaign-facing and operator-facing layer. GraphSpy or GraphSpy-derived code likely handles the post-authentication layer. The lure can be changed without changing the backend identity stack."

The disclosure comes as Cisco Talos said it identified a fully-featured PhaaS operator panel branded ARToken that shares infrastructure, API contracts, and operational patterns with the EvilTokens device code phishing platform and is made available to affiliates.

"The ARToken panel exposes 80+ API endpoints for device code phishing, Primary Refresh Token (PRT) persistence, email access, business email compromise (BEC) operations, and SharePoint exfiltration - all accessible to operators through a React-based dashboard," Talos said.

EvilTokens, like DEBULL, enable attackers to weaponise harvested tokens to exfiltrate emails, files, and other sensitive data from compromised Microsoft accounts, carry out reconnaissance via Microsoft Graph API, and establish persistence access. In addition, it incorporates artificial intelligence (AI)-powered features to automate and scale BEC workflows, such as sifting through thousands of harvested emails, identifying finance-related email threads, and drafting BEC emails.

ARToken functions as a complete post-compromise toolkit that allows operators to leverage the captured access token recovered following successful device code authentication to maintain access, perform email operations, access OneDrive and SharePoint, and browse victim Microsoft 365 sessions outside the panel using a dedicated tool known as ARTBrowser.

"These features indicate the platform is more mature than a simple device code phishing kit - it is a complete BEC operations environment," Talos researcher Michael Kelley said.

The surge in device code phishing attacks has also led to other PhaaS kits like Tycoon 2FA to adopt the technique to hijack Microsoft 365 accounts in its rebound following a law enforcement operation, signaling a broader shift within the threat landscape.

"Tycoon 2FA operators have repurposed their existing PhaaS kit as the delivery framework for OAuth device code grant phishing," eSentire noted in May 2026. "The attack begins when a victim clicks a Trustifi click-tracking URL in a lure email and culminates in the victim unknowingly granting OAuth tokens to an attacker-controlled device through Microsoft's legitimate device-login flow at microsoft.com/devicelogin."



from The Hacker News https://ift.tt/Jlsfmw2
via IFTTT

CERT/CC Warns of Hidden Admin Backdoor in Tenda Router Firmware

Several versions of firmware released by Chinese network device manufacturer Tenda have been found to embed an undocumented authentication backdoor that enables administrative access to the devices' web management interfaces, the CERT Coordination Center (CERT/CC) warned Monday.

"An attacker can exploit this vulnerability, tracked as CVE-2026-11405, to bypass the password verification process and obtain full administrative control without valid credentials," the CERT/CC said in an alert.

The vulnerability impacts multiple versions of the firmware -

  • US_FH1201V1.0BR_V1.2.0.14(408)_EN_TD
  • US_W15EV1.0br_V15.11.0.5(1068_1567_841)_EN_TDE
  • US_AC10V1.0re_V15.03.06.46_multi_TDE01
  • US_AC5V1.0RTL_V15.03.06.48_multi_TDE01
  • US_AC6V2.0RTL_V15.03.06.51_multi_T

The backdoor functionality is present within the "login()" function of the "/bin/httpd" web server binary. While the method initially follows a normal authentication path using MD5-based password verification, it activates an alternate code path if the authentication fails.

Specifically, this involves calling "GetValue("sys.rzadmin.password")" to fetch an alternate password value from the device configuration, and performing a direct plaintext comparison between the user-supplied password and the configuration-stored value. Should these values match, the application grants admin-level access (role=2) and creates a valid session with elevated privileges.

"The associated ["rzadmin"] username is not validated, so any provided username will succeed when paired with the backdoor password," the CERT/CC said. "This backdoor authentication mechanism is not documented or visible through any administrative interface."

Successful exploitation of this standard username validation override allows full administrative access to the device's web interface regardless of the administrator account credentials. It can permit an attacker to make unauthorized remote modification of settings, disable security features, or reconfigure the device, potentially leading to a complete device takeover.

The vulnerability, reported by an anonymous researcher, remains unpatched as of writing. The Hacker News has contacted Tenda for comment, and we will update the story if we hear back.

In the interim, users are advised to disable remote management on the device and change the default LAN IP address to prevent bad actors from reaching it and reduce opportunistic discovery by automated scanners that target known default IP ranges.



from The Hacker News https://ift.tt/cr3K8qL
via IFTTT

BeyondTrust Patches Critical Auth Bypass Flaws in Remote Support and PRA

BeyondTrust has released updates to address two critical security flaws affecting Remote Support (RS) and Privileged Remote Access (PRA) products that, if successfully exploited, could allow unauthenticated attackers to take control of susceptible devices.

The vulnerabilities are listed below -

  • CVE-2026-40138 (CVSS score: 9.2) - A pre-authentication vulnerability exists in the authentication subsystem of BeyondTrust Remote Support and Privileged Remote Access stemming from improper validation of authentication data that could allow a network-positioned attacker to bypass access controls and gain unauthorized access to the appliance, including accounts with elevated privileges.
  • CVE-2026-40139 (CVSS score: 9.2) - A pre-authentication vulnerability exists in the authentication subsystem of BeyondTrust Remote Support stemming from improper processing of authentication requests that could allow an unauthenticated remote attacker to bypass access controls and gain unauthorized access to the appliance, including accounts with elevated privileges.
  • CVE-2026-40140 (CVSS score: 8.7) - A pre-authentication vulnerability in the network communication subsystem stemming from insufficient validation of client-supplied input that could allow an unauthenticated remote attacker to trigger a denial-of-service condition, affecting appliance availability.
  • CVE-2026-40141 (CVSS score: 8.5) - A vulnerability exists in a web application component of BeyondTrust Remote Support and Privileged Remote Access stemming from insufficient validation of user-supplied input that could allow an authenticated attacker with limited privileges to access unintended resources or data beyond their authorization scope.

It's worth noting that the successful exploitation of CVE-2026-40138 and CVE-2026-40139 hinges on a specific authentication configuration being enabled. In the case of CVE-2026-40141, exploitation, should it occur, is restricted to accounts with specific permissions.

BeyondTrust said all the identified internally as part of ongoing security assessments, with assistance using publicly available artificial intelligence (AI) models like Anthropic Claude Opus 4.8 and its own proprietary research tooling.

"The most severe vulnerabilities may allow an unauthenticated remote attacker to bypass access controls and gain unauthorized access to the appliance under specific configurations," it said. "Additional vulnerabilities may allow service disruption, unintended data access, and, under distinct configurations, elevated access by an authenticated user that may impact system integrity."

The issues have been addressed in the following versions -

  • Remote Support RS 25.3.2 or lower (Fixed in RS 25.3.3 and above)
  • Privileged Remote Access PRA 25.3.2 or lower (Fixed in PRA 25.3.3 and above)

BeyondTrust makes no mention of the vulnerabilities being exploited in the wild. However, security flaws in RS and PRA products (CVE-2024-12356 and CVE-2026-1731) have come under repeated exploitation in the past to deploy web shells and backdoors, making it essential that users move quickly to apply the fixes.



from The Hacker News https://ift.tt/CY8mZ3d
via IFTTT

Monday, July 6, 2026

Possible Software RAID Issue With Recent mdadm Package

We identified an issue with mdadm version "mdadm - v4.4 - 2024-11-07 - 4" that can cause software RAID issues after a reboot. We have removed this version and pushed a downgraded version "mdadm - v4.4 - 2024-11-07 - 2" to the Security Onion repo.


If you are not running software RAID, then you should not be affected at all.


If you are running software RAID, then you should check to see what version of the mdadm package is installed on all of your grid members to see if they need to be downgraded.


Please note that the following instructions assume that you installed using our official Security Onion ISO image. If you are using some other unsupported installation method, then your mileage may vary.


Check the existing mdadm version on all grid nodes:

sudo salt \* cmd.run 'mdadm --version'


If all grid nodes show version "mdadm - v4.4 - 2024-11-07 - 2", then you are running the correct version.


If one or more grid nodes have version "mdadm - v4.4 - 2024-11-07 - 4" then you need to downgrade mdadm:

sudo salt \* cmd.run 'echo y | dnf downgrade mdadm'


Once that completes, then verify the downgraded version on all nodes:

sudo salt \* cmd.run 'mdadm --version'




from Security Onion https://ift.tt/Oy4Yxk9
via IFTTT

Iran-Linked Hackers Use New Cavern C2 Framework to Target Israeli Organizations

An Iranian hacking group affiliated with Iran's Ministry of Intelligence and Security (MOIS) has been wielding a previously undocumented modular command-and-control (C2) framework dubbed Cavern (aka Cav3rn) targeting Israeli organizations.

The activity, which has primarily singled out IT providers and government sectors, has been attributed to a threat cluster tracked by Check Point Research under the moniker Cavern Manticore, which it said shares some level of tactical overlaps with MuddyWater and Lyceum, the latter of which is assessed to be a subgroup within OilRig.

"The framework reflects a mature and adaptable toolset built around a shared .NET foundation, while using multiple compilation formats across different components, including .NET Framework, .NET Mixed-Mode C++/CLI, and .NET Native AOT," the cybersecurity company said.

"The compilation format itself becomes the anti-analysis layer that forces reverse engineers into multiple toolsets and metadata-reconstruction workflows."

The components of the C2 framework are used as Cavern Agent and Cavern modules, demonstrating a clear division of responsibilities between core communication capabilities and mission-specific post-exploitation functionality. This architecture has inherent advantages as it allows the operators to tailor deployments based on the victim profile, reduce forensic visibility, and ensure persistent access through bespoke modules for reconnaissance, data theft, tunneling, and lateral movement.

The attack chain documented by Check Point Research commences with SysAid's software update feature, which is leveraged by the adversary to initiate a DLL side-loading chain that leads to the execution of a trojanized DLL ("uxtheme.dll") containing the Cavern Agent. The agent, for its part, loads a standalone communication DLL module ("n-HTCommp.dll") to contact the C2 server ("hospitalinstallation[.]com") and fetch additional post-exploitation modules on the fly over HTTPS or WebSocket.

As many as five DLL modules have been uncovered -

  • mhm.dll, for file operations, enumeration, recursive file search, archive handling, and bidirectional file transfer
  • db.dll, for SQL database enumeration, query, export, and manipulation
  • ode.dll, for Active Directory reconnaissance, user/group enumeration, and LDAP brute-force attempts
  • n-ten.dll, for network reconnaissance, port scanning, share enumeration, and SMB brute-force attempts
  • n-sws.dll, for SOCKS5 proxy and WebSocket tunneling

A defining trait of the framework is its use of three different .NET compilation targets spanning its components: while mhm.dll, db.dll, and ode.dll are pure .NET Framework modules, n-HTCommp.dll, n-ten.dll, and n-sws.dll make use of Native AOT (Ahead-of-Time) compilation. The main agent, uxtheme.dll, combines managed .NET code with native C++ in a single portable executable.

Embedded within the agent is a unified module dispatcher that treats components whose names start with n- as native DLLs and loaded via the LoadLibraryA Windows API, while the rest is interpreted as managed .NET assemblies and loaded through a mechanism known as AppDomain isolation.

"The framework's anti-analysis posture relies on uncommon .NET compilation formats (Mixed-Mode C++/CLI and Native AOT) that force reverse engineers into multiple toolsets and metadata-reconstruction workflows, together with per-module AppDomain isolation as an anti-forensics measure," Check Point explained.

Attacks orchestrated by Cavern Manticore have involved the threat actor moving from an initial compromised IT provider to a second-hop provider before ultimately reaching the intended target organization, indicating their ability to weaponize trusted relationships in the software supply chain to their advantage.

"This activity highlights the operational value of trusted service-provider relationships, particularly where Remote Monitoring and Management (RMM) solutions are deployed," the company noted.

"By abusing these tools, the actor can move laterally between victims and deliver malicious software disguised as legitimate updates. The actor also appears to leverage browser-based remote desktop technologies to access targets of interest and, in some cases, abuse built-in features such as remote printing to exfiltrate data when clipboard-based copy-paste or file-transfer capabilities are restricted."

The development unfolds against the backdrop of the ongoing joint military operation launched by Israel and the U.S. against Iran. In recent months, the Iranian state-sponsored threat actor tracked as MuddyWater has been observed conducting a broad reconnaissance campaign across more than 12,000 internet-exposed systems by exploiting known security flaws in internet-exposed SmarterMail, n8n, N-central, Langflow, and Laravel Livewire systems.

The list of exploited vulnerabilities is as follows -

The operation is said to have pivoted from broad reconnaissance to targeted credential harvesting and data exfiltration attacks against aviation, energy, and government sectors in the Middle East, including aviation, energy, and public sector entities in Egypt, Israel, and the United Arab Emirates.

"The operation leveraged a combination of vulnerability exploitation, Outlook Web Access (OWA) brute-force attacks, and newly identified command-and-control (C2) controllers supporting multi-protocol communication," Oasis Security said. "The activity progressed beyond reconnaissance and access attempts, resulting in confirmed exfiltration of sensitive data from compromised environments."



from The Hacker News https://ift.tt/QNgabpH
via IFTTT

16-Year-Old Linux KVM Flaw Lets Guest VMs Escape to Host on Intel and AMD x86 Systems

A use-after-free bug in Linux's KVM hypervisor can be triggered from a guest virtual machine to corrupt the shadow-page state of the host kernel that runs it.

Dubbed 'Januscape' and tracked as CVE-2026-53359, the flaw sits in the shadow MMU code that KVM shares across both Intel and AMD. The public proof-of-concept panics the host; the researcher claims that a separate, unreleased exploit turns the same bug into full host code execution.

Security researcher Hyunwoo Kim (@v4bel) found and reported the bug. He described Januscape as the first guest-to-host exploit triggerable on both Intel and AMD, to the best of public knowledge. The flaw went unnoticed for roughly 16 years.

According to Kim, the exploit was used as a zero-day submission in Google's kvmCTF, the controlled KVM vulnerability reward program that offers up to $250,000 for full guest-to-host escapes.

How It Works

To run a virtual machine, KVM keeps its own private set of page tables that mirror the guest's memory layout. When it needs one of these tracking pages, it looks for an existing one to reuse.

The problem: it matched them by memory address alone and ignored what type of tracking page it was grabbing. Two different types can share the same address but do completely different jobs, so KVM would sometimes reuse the wrong kind.

That mix-up scrambles KVM's internal records of which page belongs where, and once those records are wrong, something has to give.

Most of the time, the kernel notices the mess and shuts itself down on the spot to avoid doing damage. That crash is what the public demonstration triggers: a guest can knock over the whole host, taking every other VM on that machine down with it.

The rarer, worse case happens when the freed tracking page gets handed out for another use before the kernel cleans up. The cleanup then scribbles a value into memory it no longer owns. An attacker only controls where that write lands, not what gets written, but even that limited foothold can be worked up into running code on the host.

The flaw behaves the same on Intel and AMD chips; only the final, hardest step of turning it into full control takes different work on each.

Who Is Affected

The vulnerable code has been present since commit 2032a93d66fa in August 2010 (kernel 2.6.36 era) and was fixed by commit 81ccda30b4e8, merged into mainline on June 19, 2026.

The attack requires two things from the guest side: root inside the VM, a common condition on rented cloud instances, and nested virtualization exposed by the host. Even on hosts that run hardware EPT or NPT by default, nested virtualization forces KVM back through the legacy shadow MMU, which is where the bug sits.

The exploit needs no cooperation from QEMU or any userspace VMM. It is purely an in-kernel KVM bug.

The practical concern is any x86 environment that hosts untrusted guests with nested virtualization enabled. An attacker who rents a single such instance can panic the host, taking down every other tenant VM on the same physical machine.

Kim said the withheld full exploit runs code as root on the host, which would expose other guests on the same machine to that root access. On distributions like RHEL, where /dev/kvm is world-writable (0666), Kim noted the same bug could also serve as a local privilege escalation to root, though the guest-to-host path is the higher-impact use.

A Busy Few Months for One Researcher

Januscape is Kim's third Linux kernel exploit disclosure in roughly two months. In May 2026, he disclosed Dirty Frag (CVE-2026-43284 / CVE-2026-43500), a page-cache write vulnerability chain that delivers deterministic root on most major distributions, extending the same bug class as Dirty Pipe and Copy Fail.

In June, he published ITScape (CVE-2026-46316), the first publicly demonstrated guest-to-host escape on KVM/arm64, exploiting a race condition in the virtual interrupt controller. Januscape now adds the x86 side; the same trigger fires on both Intel and AMD, with the PoC carrying a separate code path for each vendor.

Google launched kvmCTF in 2024 specifically because KVM underpins both Android and Google Cloud. A separate KVM x86 shadow paging use-after-free (CVE-2026-46113) involving a related but distinct rmap mismatch was fixed in May 2026.

That makes two shadow MMU use-after-frees in the same legacy code path within two months.

What to Do

The fix is a one-line addition to kvm_mmu_get_child_sp(): the reuse condition now checks role.word alongside the gfn, so a shadow page is only reused when both the frame number and the role match. KVM maintainer Paolo Bonzini wrote the patch.

Fixed stable versions shipped on July 4, 2026: 7.1.3, 6.18.38, 6.12.95, 6.6.144, 6.1.177, 5.15.211, and 5.10.260. NVD has not yet assigned a CVSS score; do not wait for one.

If you operate an x86 KVM host that accepts multi-tenant guests with nested virtualization, confirm that your kernel includes commit 81ccda30b4e8. Distribution backports may carry the fix under a different version number, so check the package changelog rather than relying on uname -r alone.

If you cannot patch immediately, disabling nested virtualization (kvm_intel.nested=0 or kvm_amd.nested=0) removes the attack path for untrusted guests. ARM64 hosts are not affected by Januscape; ITScape (CVE-2026-46316) is a separate KVM/arm64 issue.

The public PoC demonstrates a reliable host panic from a guest with a loadable kernel module and seconds to minutes of racing. Treat exposed x86 KVM hosts with nested virtualization as high-priority patch targets.



from The Hacker News https://ift.tt/KAXIgqo
via IFTTT

5 insights from Frost & Sullivan’s 2025 Frost Radar™ for Cloud Security Posture Management

Cloud security posture management (CSPM) is being redefined as two forces collide: Cloud environments are becoming more interconnected—spanning workloads, identities, data, APIs, and development pipelines—while security teams must reduce risk faster with fewer tools and less time.

Frost & Sullivan’s 2025 Frost Radar™ for Cloud Security Posture Management points to a structural shift: CSPM is no longer a periodic compliance exercise. It’s a continuous, risk‑based governance layer inside modern cloud native application protection platforms (CNAPPs). Frost & Sullivan projects the CSPM market will grow from $2.82 billion in 2025 to $6.96 billion by 2030 at a 19.8% compound annual growth rate (CAGR)—reflecting the growing shift from standalone posture tools to integrated, platform‑based approaches.

A cloud native application protection platform (CNAPP) brings together posture, workload protection, identity and entitlement management, and related controls to secure applications across the full lifecycle—from development through runtime operations.

Frost & Sullivan’s analysis also reinforces Microsoft’s position among leading CSPM providers, with strong performance across innovation and growth. This reflects Microsoft’s approach to unifying posture management with workload protection, identity, and data security as part of a broader CNAPP platform—aligning directly with how CSPM is evolving from point-in-time compliance to continuous risk management.

Below are five key insights from the Frost Radar and what they mean for security leaders navigating today’s cloud threat landscape.

1. CSPM is becoming the governance layer for CNAPP 

Frost & Sullivan research suggests CSPM is evolving beyond a standalone tool focused on configuration hygiene. Instead, it increasingly serves as the entry point and governance backbone for CNAPP—integrating posture signals with workload protection, identity, data security, and security operations center (SOC) workflows.

Modern CSPM solutions are expected to:

  • Provide continuous visibility across infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS).
  • Correlate misconfigurations, identities, vulnerabilities, and data exposure.
  • Feed high‑fidelity posture context into runtime protection and incident response workflows.

What to look for

Unified visibility that connects posture findings with workload, identity, and data signals—so investigations don’t begin from scratch when posture risk turns into an incident.

Frost notes that by 2030, CSPM is expected to become less a standalone market and more a foundational governance layer inside CNAPP platforms—unifying code‑to‑cloud policy and feeding posture context into runtime and SOC workflows

2. The market is moving beyond compliance to riskbased prioritization

Compliance coverage is now table stakes. Frost highlights that for organizations to differentiate they need solutions that continuously assess risk, reduce noise, and guide remediation—helping teams focus on the “toxic combinations” that create real exposure.

Leading solutions need to:

  • Continuously assess risk rather than rely on point‑in‑time scans.
  • Reduce alert fatigue through contextual correlation.
  • Prioritize remediation based on exploitability and business impact.

Organizations are increasingly using CSPM to drive ongoing risk reduction—with compliance reporting treated as an outcome of stronger controls.

What to look for

Prioritization that highlights likely cyberattack paths—not just severity scores—so teams can fix what’s exploitable first and minimize false positives.

Security leaders are adjusting how they evaluate CSPM vendors in response to these shifts. Rather than asking how many compliance frameworks a solution supports, they’re looking at whether posture insights can be correlated with identity, workload, and runtime signals to expose exploitable attack paths and guide remediation across developer and SOC workflows. Frost & Sullivan’s evaluation framework reflects this transition—placing greater emphasis on integrated, code to cloud risk management capabilities inside broader CNAPP platforms.

3. Codetocloud visibility is now required

Another major theme in the Frost Radar report is how organizations can embed posture management earlier in the application lifecycle to prevent misconfigurations before deployment—and continuously detect drift as environments change.

The report emphasizes:

  • Infrastructure‑as‑code (IaC) scanning and policy‑as‑code enforcement
  • Continuous integration and continuous delivery (CI/CD) pipeline integration
  • Ownership mapping so issues are routed to the right developer or team

By extending posture management into DevSecOps workflows, organizations can reduce remediation costs and prevent risk from reaching production.

What to look for

Security guardrails embedded in CI/CD pipelines—with clear ownership routing—so remediation happens earlier and doesn’t bounce between teams.

4. Multicloud complexity is driving platform consolidation

Fragmented tools and siloed data continue to create blind spots across posture, identity, and workload risk—overwhelming SOC teams and reducing operational effectiveness.

As a result, buyers are consolidating point products into integrated CNAPP platforms that correlate posture, workload, identity, and runtime signals.

Platform convergence is reshaping CSPM investment and deployment models:

  • A growing share of CSPM capability is delivered as part of a broader platform.
  • Shared dashboards improve visibility across hybrid and multicloud environments.

Consolidation reduces tool sprawl and improves SecOps efficiency.

What to look for

A platform approach that standardizes policies across clouds and carries posture insights into security operations (SecOps) workflows—improving both signal quality and remediation speed.

5. AI is reshaping CSPM—from operations to new workloads

Frost highlights AI as both an operational enabler and a new security domain for CSPM.

AI is being used to:

  • Reduce alert fatigue through contextual prioritization.
  • Generate compliance evidence.
  • Deliver guided remediation for developers and security teams.

At the same time, CSPM capabilities are expanding into AI workload posture management—covering models, pipelines, and related infrastructure.

What to look for

AI assisted prioritization and guided remediation—plus posture coverage for AI workloads—so emerging risks such as prompt injection or data leakage are managed alongside traditional cloud risk.

What this means for security leaders

Frost & Sullivan’s analysis underscores that CSPM is no longer about checking compliance boxes—it’s becoming a strategic control layer for managing cloud risk across the entire application lifecycle.

If you’re evaluating CSPM capabilities in 2025–2026, ask:

  • Can posture findings be correlated with identity, workload, and data context to expose exploitable cyberattack paths?
  • Can security guardrails be embedded earlier in CI/CD pipelines through IaC and policy‑as‑code?
  • Can posture insights flow into SOC workflows for faster investigation and response?
  • Can risk be continuously prioritized across multicloud environments—not just reported periodically?

How Microsoft aligns with CSPM’s next phase

Frost & Sullivan attributes Microsoft’s leadership in CSPM to its ability to operationalize posture management as part of a broader cloud security platform—aligning with the report’s emphasis on integrating posture with runtime protection, identity, data security, and SecOps workflows across the application lifecycle. These capabilities align with the same governance, prioritization, DevSecOps integration, and lifecycle visibility themes highlighted across the Frost Radar insights above.

Rather than operating as a standalone compliance layer, Microsoft correlates posture data with runtime telemetry and identity signals—integrating findings into developer pipelines and SOC workflows through GitHub, Azure DevOps, and Microsoft Defender XDR. Frost highlights Microsoft’s multicloud visibility across Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP); policy‑as‑code enforcement and CI/CD integration to strengthen shift‑left security; and unified dashboards that carry posture context into investigations and response.

The Frost report also notes Microsoft’s expansion into emerging posture domains—including AI and API posture management—to continuously manage cloud and AI workload risk across the application lifecycle.

Learn more

  • Explore Microsoft cloud security solutions to see how unified posture management, risk prioritization, and protection across the application lifecycle can help reduce cloud risk.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post 5 insights from Frost & Sullivan’s 2025 Frost Radar™ for Cloud Security Posture Management appeared first on Microsoft Security Blog.



from Microsoft Security Blog https://ift.tt/Ma0dnIG
via IFTTT

Open banking opened the door. Here’s how you control who walks through it—with NetScaler.

Open banking has steadily increased competition, accelerated innovation, and given consumers more control over their financial data. But for most banks and financial institutions, the reason to participate isn’t the regulation — it’s the customer. People now expect account aggregation dashboards that pull every account into one view, the ability to pay directly from their bank, loan decisions in minutes instead of days, and savings tools that move money on autopilot. The institutions that can’t deliver these experiences lose customers to the ones that can.

For risk and technology executives, that customer mandate creates a tension that doesn’t resolve itself: delivering these experiences means opening your most sensitive systems to a growing ecosystem of third parties (such as fintechs, aggregators, payment processors, and developers); and the more connected your institution becomes, the more exposure you carry. The regulatory environment only intensifies the pressure created by rising customer expectations. In the EU, PSD2 has formalized open banking as a compliance requirement. In the US, the CFPB’s Section 1033 rule was intended to create a similar federal framework for consumer-permissioned data sharing, including recognition of Financial Data Exchange (FDX) as a standard-setting body. But that framework is now effectively on hold: the rule is enjoined and under reconsideration, leaving institutions to advance open banking programs without a settled federal compliance baseline. What hasn’t paused is the threat landscape: API attack vectors keep evolving, and adversaries are increasingly using AI to find and exploit them faster than defenders can close the gaps.

In mature markets, this isn’t a new problem. First-generation deployments were often stitched together under time pressure, and years later they’ve hardened into fragmented, costly estates: multiple point products, per-instance licensing that penalizes broad coverage, and forced upgrade cycles that keep the bill climbing. The opportunity now is to reassess that approach and the cost that came with it.

That API security gap, between what open banking requires you to expose and what you can actually defend, is where institutions are most vulnerable, and where the decisions you make about infrastructure matter most.

The attack surface you’re required to have

In traditional application security, reducing the attack surface is a primary objective. In open banking, you cannot reduce it; you can only manage it. PSD2 mandates that qualifying Third-Party Providers (TPPs) be granted API access to customer account data. FDX defines how those APIs should be structured. Neither tells you how to prevent that access from being exploited.

The most common exploit patterns in open finance APIs are instructive. Broken Object Level Authorization (BOLA)—where an authenticated but unauthorized party manipulates an API request to access data belonging to another account holder—is consistently ranked as the top API security risk by OWASP. It is particularly dangerous in open banking because the APIs are purpose-built to return sensitive financial data. The question is not whether an attacker can reach the API. They can, and in many cases, they are supposed to be able to. The question is whether your infrastructure can tell the difference between a legitimate TPP request and a malicious one.

Injection attacks, improper authentication, and over-permissioned TPP access round out the top risk categories. That last one deserves particular attention. Institutions frequently grant third-party developers broader access than their use case requires. That is because scoping access is operationally difficult, onboarding timelines are compressed, or the initial integration was designed before the full risk implications were understood. That over-permissioning compounds across dozens or hundreds of TPP relationships, creating an exposure profile that grows quietly alongside your open banking program — especially as deprecated zombie APIs and undocumented shadow APIs accumulate outside the company’s known and governed API estate.

Why infrastructure is the right place to solve this

Open banking security is sometimes framed as an API governance problem, or a vendor management problem, or a compliance program problem. It is all of those things. But at the transaction level—where an API call is made, authenticated, routed, and responded to—the control point is infrastructure.

The institutions that manage open banking risk most effectively are not the ones with the most security tools. They are the ones that have consolidated security enforcement into the layer where traffic actually flows. That starts with API discovery that surfaces every endpoint actually receiving traffic—including the undocumented shadow and zombie APIs—so nothing operates unseen. From there: WAF and injection protection at the API layer. OAuth 2.0 and mutual TLS (mTLS) enforcement at the authentication boundary. Rate limiting to detect and contain abuse before it escalates. And granular access controls that allow institutions to define, enforce, and audit exactly what each TPP integration is permitted to access without relying on the TPP to self-limit.

When these controls are distributed across multiple point products, they create seams. Policies defined in one tool don’t automatically apply in another. Visibility is fragmented. Audit trails are incomplete. In a regulatory environment where you may be asked to demonstrate exactly what data was accessed, by whom, and under what authorization, fragmented visibility is a compliance liability, not just an operational inconvenience.

The case for a unified control plane

Citrix NetScaler’s position in open banking security starts with the same architecture that has made it the application delivery infrastructure of choice for major financial institutions for decades: a single platform, a single codebase, and a single control plane that spans on-premises data centers and multi-cloud environments.

For open banking specifically, this means that WAF, API protection, OAuth 2.0/mTLS enforcement, rate limiting, and access control policies are all defined once and enforced consistently across every API endpoint, in every environment, for every TPP integration. There is no synchronization problem between security tools because there is only one security layer. There is no visibility gap between environments because observability runs through a single control plane.

The operational implications are significant. As open banking API estates grow—more TPP integrations, more endpoints, more environments—the complexity of managing security across a fragmented toolset grows with it. A unified platform scales without adding operational overhead proportionally.

Unlike per-instance or per-application licensing models that make comprehensive coverage progressively more expensive, NetScaler’s enterprise licensing carries no per-instance limits, so institutions can extend consistent security across their full estate without the cost structure that typically discourages thorough deployment or the forced upgrade cycles that turn a security requirement into a recurring negotiation.

There is also a performance dimension that risk executives sometimes underestimate. Security controls that introduce latency into API transactions create pressure to reduce coverage (fewer inspection rules, lighter enforcement) in the interest of maintaining the transaction speeds that open banking users expect. NetScaler’s one-pass architecture processes security and delivery functions simultaneously, minimizing the latency impact of comprehensive API protection. You do not have to choose between thorough security, acceptable performance, and the operations cost of scaling both.

What governance actually requires

The JPMorganChase CISO’s public letter to third-party suppliers—calling on vendors to treat security as equal to or above launching new products—reflects a shift that is underway across the industry. Major institutions are raising their expectations for TPP security posture, and regulators are raising theirs for the institutions themselves.

Meeting those expectations requires more than policy. It requires infrastructure that enforces policy consistently, generates audit-ready records automatically, and gives security and compliance teams a single place to review, adjust, and demonstrate their controls. The institutions that will manage open banking risk most effectively over the next several years are those that treat their API security infrastructure as a strategic asset—not a collection of point solutions assembled to meet last year’s requirements.

Open banking opened the door. The question is not whether to let people through it. The question is whether you can see everyone who’s walking through, verify they are who they say they are, and make sure they only go where they’re supposed to go.

That is an infrastructure problem. And it has an infrastructure answer.

Learn more about how NetScaler secures financial services application delivery and open banking API infrastructure here.



from Citrix Blogs https://ift.tt/roESkvV
via IFTTT

Suspected China-Nexus Hackers Use Fake Indian Tax Filing Utility to Deploy DcRAT

A suspected China-nexus threat activity cluster has been observed targeting Indian taxpayers, tax professionals, and corporate finance teams to deliver a remote access trojan designed to steal sensitive data from compromised hosts.

The multi-stage campaign, codenamed Operation DragonReturn by Seqrite Labs, involves sending spear-phishing emails impersonating the Income Tax Department of India. It was first observed on May 18, 2026. The activity, per the cybersecurity company, coincides with the annual income tax filing season in the country.

"It is not opportunistic – the precision of the lure document, the use of real legal citations, bilingual content, and active payload rotation indicate a deliberate, resourced, and sustained threat operation focused exclusively on the Indian taxpayer ecosystem," security researchers Dixit Panchal and Soumen Burma said.

The end goal of the campaign is assessed to be the deployment of malware for financial gain or sensitive data theft.

The attack chains begin with phishing messages masquerading as India's income tax department, using tax violations and penalty lures to induce a false sense of urgency and trick users into clicking on a malicious link ("govtop[.]one/incometax") embedded within PDF attachments.

The bogus landing page, for its part, instructs users to download a ZIP archive containing what appears to be a common offline utility provided by the department to file tax returns, but, in reality, is engineered to sideload a malicious DLL ("nvdaHelperRemote.dll"), which, in turn, injects another payload into memory.

This payload ensures it's running with administrative privileges, and if not, triggers a User Account Control (UAC) prompt to get the user to run it with elevated permissions. Once launched, it performs checks to avoid executing within analysis and sandboxed environments, and then retrieves a JPG image ("lllyd.jpg") from a hard-coded server ("204.194.48[.]250") and stores it as "C:\Windows\background.jpg."

"This image file is used as a container for a secondary payload, from which a 504 KB DLL is extracted and written to 'C:\Program Files\Windows Media Player\nvdaHelperRemote.dll,'" Seqrite Labs explained. "After extracting the payload, the malware copies itself as 'Mixed Reality.exe' and establishes persistence by creating a Windows service named MixedSvc, configured to start automatically on system boot."

"This behaviour confirms that the sample functions as a downloader and installer, using image-based payload concealment and Windows service persistence to maintain long-term access to the infected system."

The "Mixed Reality.exe" binary is responsible for deploying two different payloads, one of which is a .NET malware loader that carries out anti-analysis checks, establishes persistence, disables Windows AMSI scanning, and decrypts and loads DCRat on the infected machine. The second payload features capabilities to take screenshots and exfiltrate data to a remote server ("kkxqbh[.]top").

Exactly who is behind the activity is unclear, but infrastructure analysis indicates the use of IP addresses belonging to ChinaNet, as well as a Chinese-language web management panel exposed by the DCRat command-and-control (C2) server ("223.26.63[.]40"). In addition, Seqrite said it identified infrastructure and tactical overlaps with Silver Fox, a Chinese cybercrime group previously attributed to tax-themed phishing campaigns that deliver ValleyRAT.

Based on these similarities, it's suspected that the campaign is the work of a China-aligned threat actor conducted with an aim to establish covert access for intelligence collection, credential theft, and systematic data exfiltration, Seqrite concluded.

The disclosure comes as LevelBlue said it detected two distinct campaigns that employ fake installers for LINE and phishing emails with salary adjustment lures to distribute ValleyRAT targeting Chinese- and Japanese-speaking users.

The email-driven campaign begins with a malicious email containing a URL link that, when accessed by the recipient, triggers the download of a ZIP archive. The archive acts as a foundation for a DLL side-loading chain, with the DLL ultimately downloading and executing ValleyRAT, a remote access trojan that allows operators to seize control of an infected system.

The fake installer attack chain, in contrast, employs bogus installers for popular software to deliver the malware using techniques like PoolParty Variant 7, while simultaneously focusing on anti-analysis and detection evasion, per Cybereason.

Interestingly, the use of PoolParty Variant 7 to inject shellcode into "explorer.exe" has been previously observed in connection with a custom malware loader dubbed SADBRIDGE, which is designed to deploy a Golang-based reimplementation of Quasar RAT known as GOSAR. The intrusion set, which targeted Chinese-speaking regions with malicious installers for Telegram and Opera, was attributed by Elastic Security Labs to REF3864.

"While we don't have conclusive proof, these commonalities suggest they may have been created by the same threat actor," Cybereason researcher Hajime Takai noted back in February 2026.



from The Hacker News https://ift.tt/PR3v1ne
via IFTTT

New Java-Based QuimaRAT MaaS Built to Run on Windows, Linux, and macOS

Cybersecurity researchers have flagged a novel Java-based remote access trojan (RAT) called QuimaRAT that's capable of targeting Windows, Linux, and macOS environments.

According to LevelBlue, the cross-platform malware is advertised under a malware-as-a-service (MaaS) model, costing anywhere between $150 for one month to $1,200 for lifetime access. Other subscription tiers include $300 for three months, $500 for six months, and $700 for twelve months.

"Built around a modular architecture, the RAT supports dynamic capability expansion through encrypted plugins that can be delivered, loaded, unloaded, and updated directly from its command-and-control (C2) infrastructure," the cybersecurity company said in an analysis of the malware.

The malware author also advertises a builder capable of generating multiple output formats, including JAR, EXE, APP, SH, BAT, and VBS, indicating an attempt to help prospective customers package the client tailored for different environments and delivery scenarios.

The seller's post guarantees complete stealth on Windows and Linux, noting there are no visible user interface elements or desktop entries. On macOS, however, the threat actor includes a caveat that certain features like screen capture and input control require "user-granted admin permissions."

Visiting their website, users are greeted by a pop-up message that states the platform "provides offensive security tooling intended exclusively for professional security research, authorized penetration testing, and controlled educational environments," warning them against using it for "malicious, unauthorized, or illegal purposes."

In all, the threat actor offers four tools -

  • Quima Control (aka QuimaRAT), a remote administration tool with 74 Windows and 46 macOS and Linux modules
  • Quima Builder, a modular builder and launcher toolkit with support for XLL, LNK, VBS, JS, BAT, DOCM, XLSM, MSC, CPL, and CHM file formats
  • Quima Loader, a browser-cache payload delivery service to stage and deliver the malware payload
  • Quima Dropper, an HTML/SVG payload generator

Quima Loader, particularly, is noteworthy, as it allows an operator to upload an EXE file through a dedicated panel and select a delivery format (e.g., HTA or LNK) and a landing page template (e.g., fake CAPTCHA check or software update alerts), after which the tool generates a stager link that, when opened by the victim in the browser, initiates the following sequence of actions, per the malware developer -

  • The landing page is loaded, and the payload is fetched and held in the browser cache.
  • A Download button appears on the page.
  • Clicking it saves a "small, clean loader file" that's trusted by the browser.
  • Target runs the loader, which reads the cached payload.
  • The main payload gets executed on the system, while bypassing SmartScreen protections on Windows.

"A RAT, a builder suite, a web loader, and an HTML dropper — each built around what Windows already trusts," the author behind the Quima suite claims on their website. "Native execution paths, system-owned resources, clean outputs. AV [antivirus] sees nothing unusual. Neither does the user."

LevelBlue's analysis suggests that QuimaRAT is organized as a modular Java project built using Apache Maven, while containing embedded Java Native Access (JNA) native libraries for Windows, Linux, and macOS across various architectures. It also decodes and parses an internal configuration file necessary for environment validation, persistence installation, and C2 initialisation.

"These native components allow the RAT to interact directly with low-level operating system APIs through C/C++ code, indicating intentional support for broad multi-platform deployment," researchers Chen Aviani and Nikita Kazymirskyi said.

Before execution, the malware ensures only one instance of the trojan is running on the infected machine at any given point in time. It achieves this by creating a lock file within the operating system's temporary directory and preventing other processes from using it simultaneously. If it detects that another RAT instance is already holding the lock to the file, it terminates execution.

QuimaRAT is designed to determine the current operating system name, using it to dictate the next course of action, including evading sandboxed and virtual environments, establishing persistence, and serving the main payload. Furthermore, it supports the ability to execute an additional embedded payload or decoy application along with the main RAT process if the functionality, named Binder, is enabled through the configuration.

The malware sets up persistence using a variety of operating system-specific methods: Registry Run keys, Scheduled tasks, and the Startup folder for Windows, .desktop autostart entries and crontab reboot tasks for Linux, and a LaunchAgent plist file for macOS.

What's more, the Trojan incorporates an optional Pastebin-based C2 host update mechanism that is controlled via the configuration. This approach allows the operator to dynamically rotate or replace the C2 infrastructure without having to rebuild and redistribute the payload.

The end goal of the QuimaRAT is to establish communication with the C2 server over TCP (or alternately via WebSocket, TLS, and HTTPS) to receive and execute commands. A watchdog component built into the malware ensures that the channel remains active and reconnects to it, if contact is lost with the C2 server.

"QuimaRAT maintains an internal shutdown state flag used to control whether the RAT should continue performing networking, reconnect, watchdog, and recovery operations," the researchers said. "This mechanism allows QuimaRAT to stop reconnecting, watchdog, and communication recovery operations after shutdown mode is activated."

The malware supports a wide range of capabilities, including remote command execution, remote payload and plugin delivery, credential theft, persistence, file transfer, clipboard manipulation, and webcam surveillance, granting the attacker comprehensive control over an infected system.

Besides these conventional features present in most RAT malware, QuimaRAT facilitates fileless shellcode execution on Windows hosts and a resilient communication framework that enables persistent access to compromised hosts.

"QuimaRAT should be viewed as a modular Java RAT platform rather than a single static implant," LevelBlue said. "ProGuard-class obfuscation indicators, Maven Shade relocation, preserved runtime symbols, and synthetic string decryptors further support the assessment that QuimaRAT is designed to rotate static fingerprints without changing its core behavior."



from The Hacker News https://ift.tt/7dK3Oi8
via IFTTT

Opera GX Flaw Let Malicious Sites Auto-Install Mods to Steal Data From Visited Pages

Researchers found a flaw in Opera GX, the gaming-focused version of the Opera browser, that let a malicious website silently install a browser add-on and use it to lift specific data from the pages a victim visits.

In a proof of concept, they reconstructed a signed-in user's full Gmail address from a single visit, with no click. Opera has patched the flaw and says it found no evidence that it was ever used in the wild.

The fix shipped in Opera GX version 130.0.5847.89, so anyone on a current build is already covered; you can confirm yours at opera://about. There is no CVE.

Because the attack needed no clicks or approvals, there was no workaround short of the patch. Opera's bug bounty team rated the issue P1, its top severity, and paid the maximum $5,000 award for a critical bug.

How the attack works

GX Mods let you reskin Opera GX with custom sounds, themes, wallpapers, and CSS that restyles the sites you visit. They ship as .crx files, like browser extensions, but they cannot run JavaScript and hold no permissions.

The weakness is in how they install: Opera's mod pipeline downloads and enables a mod automatically, with no approval prompt. So a malicious page can install one silently, for instance by loading a hidden iframe pointed at a .crx file.

The only sign is a notification bar below the address bar telling you a mod was added, with a Remove button.

This auto-install behavior is not new. The researcher Renwa identified it back in 2023 and, by escalating an installed mod into a full extension, used it to spoof the browser's address bar. Opera patched that specific attack in March 2023 but left the underlying auto-install in place, which is what this new research builds on.

A silent look-and-feel mod sounds harmless on its own. But a mod's CSS is applied to every page you visit, not just one. Ordinary CSS injection is confined to the page it lands on; here, the attacker's styling reaches every site the browser opens, a technique the researchers call a universal CSS injection.

CSS cannot read a page and send it off on its own. But it can be coaxed into leaking a value one piece at a time. The trick relies on attribute selectors: a rule can test whether an element's attribute value, like an email tucked into a hidden field, begins with a given letter, and fetch a background image from the attacker's server only when it does. Fire enough of these, and you learn the value character by character.

Researchers call this an XS-Leak, short for cross-site leak. To pull a Gmail address, the researchers aimed this at a Google account page, myaccount.google.com/contactemail, that carries the address inside three of its HTML attributes.

They packed a mod with roughly 150,000 CSS rules, one set for every possible three-letter piece of the address, and let a reconstruction script stitch the matches back together. They first tried four-letter pieces, which needed 5.6 million rules and about 880 MB of CSS. The browser choked, so they scaled down to three-letter chunks that overlap just enough to reassemble.

Chaining it together took only a nudge. The victim lands on the attacker's page, the mod installs within seconds, and a few lines of JavaScript then redirect the browser to the Google account page. The mod's CSS is already loaded there, so it fires the requests and leaks the address as the page renders, before the victim can reach the notice's Remove button.

The Gmail address was just the proof of concept; the same approach can lift other values a page exposes in its markup, like a username.

The same auto-install path has a second, cruder use the researchers documented: loading a .crx while in private (Incognito) mode crashes the browser and dumps every open tab. This one hits regular Opera too, not just Opera GX, since any .crx trips the extension-install pipeline, whatever it contains. Opera's advisory addresses the data-theft fix and does not mention the crash.

Severity and the bigger picture

The report almost did not get its due. Opera runs its bounty program on Bugcrowd, and the triage analysts struggled to grasp what the bug did, first rating it a middling P3.

The researchers made their case in an unusually direct way: while an analyst was reproducing the attack, they caught the analyst's own trigrams, rebuilt the analyst's Gmail address, and pasted it into the report. Opera's team then raised the severity to P1 and paid the $5,000 critical-tier maximum.

Opera's own account is more measured. In its advisory, the company says it is "quite confident" the flaw was never exploited in the wild, and frames the attack as complicated to pull off: the victim had to land on a malicious site, end up with a fresh mod, and ignore the removal notice long enough for the redirect to fire.

The researchers' demo is the counterweight. Their redirect runs in the seconds before a user can even read the notice, let alone click Remove. It was a narrow, fiddly attack that Opera found no trace of in the wild, and it still worked with zero clicks once it was set up.

The risk here was never the cosmetic feature by itself. It was reach. Once a mod's CSS could follow you from one site to the next, "just styling" turned out to be plenty.

That is the twist on a familiar idea: CSS-only theft usually stays trapped on the page where it is injected, as in PortSwigger's Blind CSS Exfiltration research, but here it rode along on every site the victim opened.

It is also not the first Opera feature turned against its users; The Hacker News covered the 2024 MyFlaw bug in Opera's My Flow, and Opera had been warned about this very auto-install behavior since 2023.



from The Hacker News https://ift.tt/BHZiWjY
via IFTTT