The new red team post-exploitation framework "Specula," released by the cybersecurity company TrustedSec, uses Microsoft Outlook as a Command-and-Control (C2) beacon for Remote Code Execution (RCE). The C2 framework creates a custom Outlook Home Page using WebView by exploiting an Outlook security feature bypass vulnerability patched in October 2017. This article continues to discuss the new Specula tool.

According to Microsoft's threat intelligence team, ransomware groups are exploiting a critical vulnerability in ESXi hypervisors to gain full administrative access on domain-joined systems less than a week after VMware shipped patches for the flaw. Multiple ransomware groups have exploited the vulnerability, tracked as CVE-2024-37085 with a CVSS severity score of 6.8, to deploy data-extortion malware on enterprise networks. This article continues to discuss the exploitation of a recently patched VMware ESXi flaw by ransomware groups.

IBM released its annual "Cost of a Data Breach Report," which revealed that the global average cost of a data breach hit $4.88 million in 2024, as breaches become more disruptive and place additional demands on cyber teams. Breach costs increased 10 percent over the previous year, the largest annual increase since the pandemic, with 70 percent of breached organizations reporting significant or very significant disruption. This article continues to discuss key findings from IBM's report regarding data breach costs.

Cybercriminals are selling stolen Generative Artificial Intelligence (GenAI) platform account credentials on underground markets. According to eSentire's Threat Response Unit (TRU), about 400 GenAI account credentials are sold on dark web platforms, including GPT, Quillbot, Notion, HuggingFace and Replit credentials. These credentials often come from corporate users' computers infected with infostealer malware. This article continues to discuss cybercriminals capitalizing on the growing use of GenAI platforms by selling stolen account credentials on underground markets.

In a massive scam campaign dubbed "EchoSpoofing" by Guardio Labs, an unknown threat actor has sent millions of messages spoofing Best Buy, IBM, Nike, Walt Disney, and other popular companies by exploiting an email routing misconfiguration in email security vendor Proofpoint's defenses. According to Guardio Labs researcher Nati Tal, the emails were echoed from official Proofpoint email relays with authenticated SPF and DKIM signatures, dodging security protections. This article continues to discuss findings regarding the EchoSpoofing campaign.

On the 270th day after President Biden's Executive Order (EO) on the Safe, Secure, and Trustworthy Development of Artificial Intelligence (AI), the US Department of Commerce announced the release of new guidance and software to help improve the safety, security, and trustworthiness of AI systems. The department's National Institute of Standards and Technology (NIST) has released three final guidance documents that were first made available for public comment in April, along with a draft guidance document from the US AI Safety Institute to help mitigate risks.

Phishing campaigns involving Microsoft Forms have increased to steal Microsoft 365 login credentials. Threat actors use breached business partners' and vendors' email accounts to send phishing emails. The latest campaigns use emails in the form of fake mail error notifications from Microsoft and bid invitations. This article continues to discuss findings regarding the phishing campaigns leveraging Microsoft Forms to trick targets into sharing their Microsoft 365 login credentials.

Researchers at Salt Labs have discovered and published details of a Cross-Site Scripting (XSS) attack that could affect millions of websites worldwide. It is not a product vulnerability that can be patched centrally, as it is more of an implementation issue between web code and OAuth, a popular app for social logins. This article continues to discuss the vulnerability of millions of websites to an XSS attack due to an OAuth implementation flaw.

Threat actors are abusing a Selenium Grid misconfiguration to deploy a modified XMRig tool for Monero cryptocurrency mining. Selenium Grid is a popular web app testing framework used by developers to automate testing across multiple machines and browsers. Researchers at Wiz discovered that the malicious activity, which they are tracking as "SeleniumGreed," has been running for over a year, exploiting the service's lack of authentication in the default configuration.

According to Binarly, there is a Secure Boot issue affecting hundreds of computer models. The vulnerability, called "PKfail," enables attackers to run malicious code during the device's boot process. It stems from an exposed American Megatrends International (AMI) Platform Key (PK), a Secure Boot private key. The exposed PK was a default key provided by AMI and was not meant for use in production. However, several major computer manufacturers shipped many devices with the untrusted key as they did not change the PK.