Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.

cross-posted from: https://lemmy.sdf.org/post/41271046

Archived

Dutch intelligence agencies have revealed that the Chinese hacking group Salt Typhoon targeted organizations in the Netherlands.

In a joint statement published August 28 on the Dutch Ministry of Defence’s website, the Military Intelligence and Security Service (MIVD) and the General Intelligence and Security Service (AIVD) said they have now “independently confirmed parts of the US findings with their own intelligence.”

[...]

While Dutch organizations “most likely were not as heavily targeted as those in the US,” the MIVD and AIVD have identified victims in the Netherlands.

They stated that they observed evidence indicating Salt Typhoon gained access to the routers of Dutch targets, primarily small internet service providers (ISPs) and hosting providers.

However, their probe concluded that there is no evidence that the hackers penetrated deeper into those companies’ internal networks.

[...]

“Chinese cyber operations […] have become so advanced that constant vigilance and proactive measures are required to detect and mitigate threats against Dutch interests,” the statement on the Dutch Ministry of Defence website said.

In this paper, we present a method to identify compromised SSH servers at scale. For this, we use SSH's behavior to only send a challenge during public key authentication, to check if the key is present on the system. Our technique neither allows us to access compromised systems (unlike, e.g., testing known attacker passwords), nor does it require access for auditing.

cross-posted from: https://lemmy.sdf.org/post/41203833

• GCHQ’s [the UK Government Communications Headquarters'] National Cyber Security Centre and international partners link three China-based companies to campaign targeting foreign governments and critical networks.
• Commercial cyber ecosystem with links to the Chinese intelligence services has enabled global malicious activity.
• New advisory supports UK organisations in critical sectors bolster their security against China state-sponsored cyber activity
• Network defenders urged to proactively hunt for activity and take steps to mitigate threat from attackers exploiting avoidable weaknesses

Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.

We are excited to announce the release of Vulnerability-Lookup 2.15.0!
This version brings new features, performance improvements, and several bug fixes.

What's New

Detecting vulnerabilities known only through sightings

The dashboard now highlights vulnerabilities discovered via our sighting tools, including scraping social networks, MISP, Nuclei templates, Shadowserver, Gist, and more. This gives you better visibility of unpublished advisories.

Batch user deletion for admins

Admins can now delete multiple users at once using checkboxes and a confirmation modal. CSRF protection is included to ensure safe operations.

Changes

• Better logging
  We improved logging for access, warnings, and errors in the web app, including the HTTP status codes returned in unexpected situations.
  Issue #199
  Commits: a6b99bf, 9c37e7e, d2e826f

• Faster vendor/product vulnerability searches
  The search page is now faster thanks to pipelines and pagination. A Bootstrap pagination component has been added when vendor and product are specified.
  Commit aeb6ae0

• New API option
  Added advisory_status parameter to the /sighting endpoint.
  Commit de5873c

• Faster Organization/Product search
  The find_vulnerabilities function now finds matching vulnerabilities for all vendor/product combinations much faster.
  Commit 67d2516

• Search page improvements
  We made several graphical and functional enhancements to the search page.
  Commits: 82c6f2d, 0f249d1, 94e53c0

• About page improvements
  Better handling of GNAs and a link to the recent activity page.
  Commits: 70308f5, 168fcff

• Dashboard updates
  Various improvements related to recently imported vulnerabilities and new filters in the "Evolution for the last month" table.

Changelog

📂 For the full list of changes, check the GitHub release:
https://github.com/vulnerability-lookup/vulnerability-lookup/releases/tag/v2.15.0

🙏 A big thank you to all contributors and testers!

Feedback and Support

If you find any issues or have suggestions, please open a ticket on our GitHub repository:
https://github.com/vulnerability-lookup/vulnerability-lookup/issues/
We appreciate your feedback!

Follow Us on Fediverse/Mastodon

Stay updated on security advisories in real-time by following us on Mastodon:
https://social.circl.lu/@vulnerability_lookup/

cross-posted from: https://lemmy.sdf.org/post/40764285

Archived

[...]

Anxiety is growing among Chief Information Security Officers (CISOs) in security operation centres, particularly around Chinese AI giant DeepSeek.

AI was heralded as a new dawn for business efficiency and innovation, but for the people on the front lines of corporate defence, it’s casting some very long and dark shadows.

Four in five (81%) UK CISOs believe the Chinese AI chatbot requires urgent regulation from the government. They fear that without swift intervention, the tool could become the catalyst for a full-scale national cyber crisis.

This isn’t speculative unease; it’s a direct response to a technology whose data handling practices and potential for misuse are raising alarm bells at the highest levels of enterprise security.

The findings, commissioned by Absolute Security for its UK Resilience Risk Index Report, are based on a poll of 250 CISOs at large UK organisations. The data suggests that the theoretical threat of AI has now landed firmly on the CISO’s desk, and their reactions have been decisive.

In what would have been almost unthinkable a couple of years ago, over a third (34%) of these security leaders have already implemented outright bans on AI tools due to cybersecurity concerns. A similar number, 30 percent, have already pulled the plug on specific AI deployments within their organisations.

[...]

Three out of five (60%) CISOs predict a direct increase in cyberattacks as a result of DeepSeek’s proliferation. An identical proportion reports that the technology is already tangling their privacy and governance frameworks, making an already difficult job almost impossible.

[...]

Businesses recognise the immense potential of AI and are actively investing to adopt it safely. In fact, 84 percent of organisations are making the hiring of AI specialists a priority for 2025.

This investment extends to the very top of the corporate ladder. 80 percent of companies have committed to AI training at the C-suite level. The strategy appears to be a dual-pronged approach: upskill the workforce to understand and manage the technology, and bring in the specialised talent needed to navigate its complexities.

The hope – and it is a hope, if not a prayer – is that building a strong internal foundation of AI expertise can act as a counterbalance to the escalating external threats.

The message from the UK’s security leadership is clear: they do not want to block AI innovation, but to enable it to proceed safely. To do that, they require a stronger partnership with the government.

The path forward involves establishing clear rules of engagement, government oversight, a pipeline of skilled AI professionals, and a coherent national strategy for managing the potential security risks posed by DeepSeek and the next generation of powerful AI tools that will inevitably follow.

[...]

cross-posted from: https://lemmy.sdf.org/post/40763938

Archived

A new research paper published by the Citizen Lab - “Hidden Links: Analyzing Secret Families of VPN Apps” (opens pdf) - has exposed how some popular Virtual Private Network (VPN) providers intentionally hide their true ownership and share security flaws.

The paper was co-authored by Benjamin Mixon-Baca, Jeffrey Knockel, and Jedidiah Crandall and published by Citizen Lab. Their study involved a deep analysis of apps from the Google Play Store, looking at everything from code similarities and network communications to business filings.

The companies distribute apps such as Turbo VPN, VPN Monster, and Snap VPN, and are linked to a Chinese national security firm, Qihoo 360 and have gone to great lengths to hide this fact from their 700+ million combined user bases.

Turbo VPN and Snap VPN were also named in the Tech Transparency Project’s June 2025 report, which cited national security concerns related to the possibility of these VPNs transferring data to China.

[...]

In short:

Australian internet provider iiNet has compromised the email addresses or phone numbers of hundreds of thousands of customers.

A third party gained access to its system after stealing account credentials from an employee, early investigations suggest.

What's next?

The telco has hired external IT and cybersecurity experts to assist its response.

cross-posted from: https://lemmy.sdf.org/post/40704783

Archived

In a concerning development on the cyber-espionage front, China-linked threat actor APT41 has been attributed to a new targeted campaign that infiltrates government IT infrastructure across Africa. The attackers used advanced techniques including command execution, credential harvesting, DLL side-loading, and covert command-and-control (C2) communication through internal systems like SharePoint servers.

While APT41 has a long-standing history of cyberattacks against global organizations across sectors such as energy, healthcare, telecom, and education, this is one of the few known large-scale campaigns that focuses on African targets—an area traditionally considered outside their operational focus.

[...]

This espionage campaign [...] represents a sophisticated intrusion that combines both custom-built and publicly available tools. It involves multiple attack stages: from initial access using Impacket modules, to privilege escalation via credential theft, to command execution using a compromised internal SharePoint server.

APT41’s strategy showcases a blend of traditional malware deployment and living-off-the-land (LotL) techniques, where trusted system tools and internal services are repurposed for malicious activities—making detection far more difficult.

The attackers demonstrated advanced knowledge of the victim’s infrastructure by embedding hardcoded IP addresses, internal service names, and proxy servers within their malware. The use of SharePoint as a C2 server is particularly unique, allowing the attackers to remain under the radar within internal network traffic.

[...]

A real estate developer fell victim to a cruise line scam after calling a phone number provided by Google's AI Overview feature. The scammer, impersonating Royal Caribbean customer service, obtained his credit card details by demonstrating knowledge of shuttle costs and pickup locations in Venice[^1].

The Washington Post found the same fraudulent number appearing across multiple cruise lines including Disney and Carnival's Princess line. "Bad guys write on online review sites, message boards and other websites claiming that a number they control belongs to a company's customer service center," the Post reports[^1].

Google and OpenAI's ChatGPT have become new vectors for this classic impostor scam. When these AI systems scan the web for information, they may surface fraudulent numbers that scammers have planted across multiple sites[^1].

"I've seen so many versions of similar trickery targeting Google users that I largely blame the company for not doing enough to safeguard its essential gateway to information," said the Post's reporter[^1].

Google stated they had "taken action" on several impostor numbers and were working on "broader improvements." OpenAI noted that many webpages referencing the bogus cruise number were removed, though their systems take time to update[^1].

[^1]: Slashdot - Google's 'AI Overview' Pointed Him to a Customer Service Number. It Was a Scam