cybersecurity

An umbrella community for all things cybersecurity / infosec. News, research, questions, are all welcome!

Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.

We are excited to announce the release of Vulnerability-Lookup 2.15.0!
This version brings new features, performance improvements, and several bug fixes.

What's New

Detecting vulnerabilities known only through sightings

The dashboard now highlights vulnerabilities discovered via our sighting tools, including scraping social networks, MISP, Nuclei templates, Shadowserver, Gist, and more. This gives you better visibility of unpublished advisories.

Unpublished advisory - table

Unpublished advisory - list

Unpublished advisory - sightings

Batch user deletion for admins

Admins can now delete multiple users at once using checkboxes and a confirmation modal. CSRF protection is included to ensure safe operations.

Changes

  • Better logging
    We improved logging for access, warnings, and errors in the web app, including the HTTP status codes returned in unexpected situations.
    Issue #199
    Commits: a6b99bf, 9c37e7e, d2e826f

  • Faster vendor/product vulnerability searches
    The search page is now faster thanks to pipelines and pagination. A Bootstrap pagination component has been added when vendor and product are specified.
    Commit aeb6ae0

Search by vendor and product

  • New API option
    Added advisory_status parameter to the /sighting endpoint.
    Commit de5873c

  • Faster Organization/Product search
    The find_vulnerabilities function now finds matching vulnerabilities for all vendor/product combinations much faster.
    Commit 67d2516

  • Search page improvements
    We made several graphical and functional enhancements to the search page.
    Commits: 82c6f2d, 0f249d1, 94e53c0

  • About page improvements
    Better handling of GNAs and a link to the recent activity page.
    Commits: 70308f5, 168fcff

  • Dashboard updates
    Various improvements related to recently imported vulnerabilities and new filters in the "Evolution for the last month" table.

Recent - AHA!

Changelog

📂 For the full list of changes, check the GitHub release:
https://github.com/vulnerability-lookup/vulnerability-lookup/releases/tag/v2.15.0

🙏 A big thank you to all contributors and testers!

Feedback and Support

If you find any issues or have suggestions, please open a ticket on our GitHub repository:
https://github.com/vulnerability-lookup/vulnerability-lookup/issues/
We appreciate your feedback!

Follow Us on Fediverse/Mastodon

Stay updated on security advisories in real-time by following us on Mastodon:
https://social.circl.lu/@vulnerability_lookup/

cross-posted from: https://programming.dev/post/36206744

Currently, when selecting English as the language of the post and trying to cross-post here, it shows that the language is not allowed.

cross-posted from: https://lemmy.sdf.org/post/40764285

Archived

[...]

Anxiety is growing among Chief Information Security Officers (CISOs) in security operation centres, particularly around Chinese AI giant DeepSeek.

AI was heralded as a new dawn for business efficiency and innovation, but for the people on the front lines of corporate defence, it’s casting some very long and dark shadows.

Four in five (81%) UK CISOs believe the Chinese AI chatbot requires urgent regulation from the government. They fear that without swift intervention, the tool could become the catalyst for a full-scale national cyber crisis.

This isn’t speculative unease; it’s a direct response to a technology whose data handling practices and potential for misuse are raising alarm bells at the highest levels of enterprise security.

The findings, commissioned by Absolute Security for its UK Resilience Risk Index Report, are based on a poll of 250 CISOs at large UK organisations. The data suggests that the theoretical threat of AI has now landed firmly on the CISO’s desk, and their reactions have been decisive.

In what would have been almost unthinkable a couple of years ago, over a third (34%) of these security leaders have already implemented outright bans on AI tools due to cybersecurity concerns. A similar number, 30 percent, have already pulled the plug on specific AI deployments within their organisations.

[...]

Three out of five (60%) CISOs predict a direct increase in cyberattacks as a result of DeepSeek’s proliferation. An identical proportion reports that the technology is already tangling their privacy and governance frameworks, making an already difficult job almost impossible.

[...]

Businesses recognise the immense potential of AI and are actively investing to adopt it safely. In fact, 84 percent of organisations are making the hiring of AI specialists a priority for 2025.

This investment extends to the very top of the corporate ladder. 80 percent of companies have committed to AI training at the C-suite level. The strategy appears to be a dual-pronged approach: upskill the workforce to understand and manage the technology, and bring in the specialised talent needed to navigate its complexities.

The hope – and it is a hope, if not a prayer – is that building a strong internal foundation of AI expertise can act as a counterbalance to the escalating external threats.

The message from the UK’s security leadership is clear: they do not want to block AI innovation, but to enable it to proceed safely. To do that, they require a stronger partnership with the government.

The path forward involves establishing clear rules of engagement, government oversight, a pipeline of skilled AI professionals, and a coherent national strategy for managing the potential security risks posed by DeepSeek and the next generation of powerful AI tools that will inevitably follow.

[...]

cross-posted from: https://lemmy.sdf.org/post/40763938

Archived

A new research paper published by the Citizen Lab - “Hidden Links: Analyzing Secret Families of VPN Apps” (opens pdf) - has exposed how some popular Virtual Private Network (VPN) providers intentionally hide their true ownership and share security flaws.

The paper was co-authored by Benjamin Mixon-Baca, Jeffrey Knockel, and Jedidiah Crandall and published by Citizen Lab. Their study involved a deep analysis of apps from the Google Play Store, looking at everything from code similarities and network communications to business filings.

The companies distribute apps such as Turbo VPN, VPN Monster, and Snap VPN, and are linked to a Chinese national security firm, Qihoo 360 and have gone to great lengths to hide this fact from their 700+ million combined user bases.

Turbo VPN and Snap VPN were also named in the Tech Transparency Project’s June 2025 report, which cited national security concerns related to the possibility of these VPNs transferring data to China.

[...]

In short:

Australian internet provider iiNet has compromised the email addresses or phone numbers of hundreds of thousands of customers.

A third party gained access to its system after stealing account credentials from an employee, early investigations suggest.

What's next?

The telco has hired external IT and cybersecurity experts to assist its response.

cross-posted from: https://lemmy.sdf.org/post/40704783

Archived

In a concerning development on the cyber-espionage front, China-linked threat actor APT41 has been attributed to a new targeted campaign that infiltrates government IT infrastructure across Africa. The attackers used advanced techniques including command execution, credential harvesting, DLL side-loading, and covert command-and-control (C2) communication through internal systems like SharePoint servers.

While APT41 has a long-standing history of cyberattacks against global organizations across sectors such as energy, healthcare, telecom, and education, this is one of the few known large-scale campaigns that focuses on African targets—an area traditionally considered outside their operational focus.

[...]

This espionage campaign [...] represents a sophisticated intrusion that combines both custom-built and publicly available tools. It involves multiple attack stages: from initial access using Impacket modules, to privilege escalation via credential theft, to command execution using a compromised internal SharePoint server.

APT41’s strategy showcases a blend of traditional malware deployment and living-off-the-land (LotL) techniques, where trusted system tools and internal services are repurposed for malicious activities—making detection far more difficult.

The attackers demonstrated advanced knowledge of the victim’s infrastructure by embedding hardcoded IP addresses, internal service names, and proxy servers within their malware. The use of SharePoint as a C2 server is particularly unique, allowing the attackers to remain under the radar within internal network traffic.

[...]

A real estate developer fell victim to a cruise line scam after calling a phone number provided by Google's AI Overview feature. The scammer, impersonating Royal Caribbean customer service, obtained his credit card details by demonstrating knowledge of shuttle costs and pickup locations in Venice[^1].

The Washington Post found the same fraudulent number appearing across multiple cruise lines including Disney and Carnival's Princess line. "Bad guys write on online review sites, message boards and other websites claiming that a number they control belongs to a company's customer service center," the Post reports[^1].

Google and OpenAI's ChatGPT have become new vectors for this classic impostor scam. When these AI systems scan the web for information, they may surface fraudulent numbers that scammers have planted across multiple sites[^1].

"I've seen so many versions of similar trickery targeting Google users that I largely blame the company for not doing enough to safeguard its essential gateway to information," said the Post's reporter[^1].

Google stated they had "taken action" on several impostor numbers and were working on "broader improvements." OpenAI noted that many webpages referencing the bogus cruise number were removed, though their systems take time to update[^1].

[^1]: Slashdot - Google's 'AI Overview' Pointed Him to a Customer Service Number. It Was a Scam

MadeYouReset: A New HTTP/2 Vulnerability

Security researchers from Tel Aviv University have discovered a critical vulnerability in HTTP/2 implementations that allows attackers to trigger denial-of-service conditions by making servers reset their own connections[^1].

Unlike the 2023 HTTP/2 Rapid Reset attack that relied on clients spamming RST_STREAM frames, MadeYouReset tricks servers into performing the resets themselves through carefully crafted protocol-compliant frames[^1]. The attack exploits four key mechanisms:

  • Window-Overflow: Sending WINDOW_UPDATE frames that exceed protocol limits
  • Zero-Increment: Using invalid zero-value WINDOW_UPDATE frames
  • Half-Closed Stream Abuse: Sending illegal frames on half-closed streams
  • Priority-Length Mismatch: Creating malformed PRIORITY frames

The vulnerability (CVE-2025-8671) affects major HTTP/2 implementations including Netty, Jetty, Apache Tomcat, IBM WebSphere, and BIG-IP[^1]. Over 100 vendors required notification during the coordinated disclosure process[^8].

"Most servers are susceptible to a complete DoS, with a significant number also susceptible to an out-of-memory crash," said researcher Gal Bar Nahum[^8].

Recommended mitigations include:

  • Stricter protocol validation
  • Enhanced stream state tracking
  • Connection-level rate controls
  • Behavioral monitoring for protocol violations[^1]

[^1]: Imperva - MadeYouReset: Turning HTTP/2 Server Against Itself
[^8]: The Register - 'MadeYouReset' HTTP/2 flaw lets attackers DoS servers

cross-posted from: https://scribe.disroot.org/post/4016991

Archived

...

Confidential documents ... reveal that Serbia is procuring equipment to expand China's eLTE network system, increasing the capacity of the "Safe City" by another 3.500 cameras, despite domestic public opposition and criticism from the EU.

...

[New] documents contain details of the purchase of components to expand the protected eLTE network, which is based on Chinese Huawei technology and connects video surveillance cameras, police terminals and command centers of the Ministry of Internal Affairs (MUP).

It is the first written clue about the development of the network on which the "Safe City" project relies, a program that was launched back in 2017, when the Ministry of Interior of Serbia and the Chinese company Huawei signed the "Strategic Partnership Agreement for the introduction of eLTE technologies and solutions for the Safe City in the field of public security".

While the core of the Safe City project is the introduction of an intelligent video surveillance system, the eLTE network represents a platform for protected communication and data transfer within such a system.

The procurement of equipment, software and services for the expansion of the eLTE communication network was carried out in March 2024, marked as confidential.

Among the order items is a significant increase in the dispatch system using the eLTE network, including GIS software for resource access that expands the ability to view footage from cameras at specific locations.

...

cross-posted from: https://lemmy.sdf.org/post/40359316

Archived

Taiwan’s approach is also notable for its emphasis on transparency and civil society involvement.

[...]

Rather than adopting censorship-heavy models, Taiwan relies on openness, public trust and participatory defences to combat cognitive warfare.

[...]

China’s cyber activities against Taiwan are extensive and strategically coordinated. Prominent Chinese intruder groups capable of lurking in networks have conducted long-term cyber operations against Taiwanese government agencies, critical infrastructure and private sector entities. These campaigns are not solely intelligence-gathering exercises; many implant malware and establish persistent access that could be exploited in the event of a military contingency.

Taiwan’s National Security Bureau reported more than 2.4 million intrusion attempts per day targeting government networks in 2024—more than double the previous year. Many of these are attributed to Chinese actors seeking to exfiltrate sensitive data and prepare for potential sabotage of communications, energy systems and military infrastructure. US officials have described this activity as the ‘preparation of the battlefield’, whereby China positions itself to disrupt Taiwan’s command-and-control, logistics and public services at the outset of any conflict.

[...]

The XZ-Utils backdoor, first discovered in March 2024, is still present in at least 35 Linux images on Docker Hub, potentially putting users, organizations, and their data at risk.

[...]

Many CI/CD pipelines, developers, and production systems pull images directly from Docker Hub as base layers for their own containers, and if those images are compromised, the new build inherits the flaw or malicious code.

A new malware campaign discovered in August 2025 uses adult websites to spread a clickjack Trojan that secretly makes users "Like" Facebook posts without their knowledge[^1]. The scheme works by having users download what appears to be an SVG image file while browsing adult content sites, but the file contains malicious JavaScript code that executes a "LikeJack Trojan"[^1].

The campaign specifically targets users seeking adult content, taking advantage of increased restrictions around age verification on legitimate adult websites. When users click through links on these malicious sites, some visitors receive a downloaded SVG file that opens an empty Edge browser tab titled "Process Monitor"[^1].

The SVG file uses an obfuscation technique called "hybrid JSFuck" to hide its true purpose - downloading additional malicious code from crhammerstein[.]de that automatically clicks Facebook Like buttons on adult content posts. This artificially inflates the Like counts, helping the posts appear more prominently in Facebook feeds[^1].

Malwarebytes researchers found "a huge amount" of blogspot[.]com pages participating in this campaign. The criminals appear to be exploiting recent government age verification requirements that are pushing users away from legitimate adult sites toward shadier alternatives[^1].

[^1]: Malwarebytes - Adult sites trick users into Liking Facebook posts using a clickjack Trojan
