admin

admin

  • Joined: September 10, 2024
  • Articles: 4778

9% of Microsoft Entra SaaS Apps Still Vulnerable to nOAuth Exploits Two Years Post-Discovery

June 25, 2025
SaaS Security / Vulnerability

Recent findings highlight ongoing risks associated with a known security flaw in Microsoft Entra ID, which may allow malicious actors to execute account takeovers in certain software-as-a-service (SaaS) applications. Identity security firm Semperis analyzed 104 SaaS applications and discovered that nine remain vulnerable to Entra ID cross-tenant nOAuth abuse. Initially revealed by Descope in June 2023, nOAuth pertains to a flaw in the implementation of OpenID Connect (OIDC) by SaaS applications, which is an authentication layer built on OAuth for verifying user identities. This implementation flaw allows attackers to alter the mail attribute in an Entra ID account to that of a target, leveraging the app’s “Log in with Microsoft” feature to hijack the account. The attack is straightforward, exacerbated by Entra ID’s allowance for unverified email addresses, paving the way for user impersonation.

nOAuth Vulnerability Persists in 9% of Microsoft Entra SaaS Applications Two Years After Initial Identification June 25, 2025 Recent findings have revealed that a previously identified security vulnerability within Microsoft Entra ID continues to pose risks for certain software-as-a-service (SaaS)…

North Korean Hackers Unleash New KLogEXE and FPSpy Malware in Targeted Assaults

Date: Sep 26, 2024
Category: Cyber Attack / Malware

Cybercriminals linked to North Korea have been detected deploying two new malware variants, KLogEXE and FPSpy. These activities have been connected to the threat group known as Kimsuky, also referred to as APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (formerly Thallium), Sparkling Pisces, Springtail, and Velvet Chollima. “These new samples expand Sparkling Pisces’ already extensive toolkit and highlight the group’s ongoing evolution and enhanced capabilities,” stated Palo Alto Networks Unit 42 researchers Daniel Frank and Lior Rochberger. Active since at least 2012, this group has earned the moniker “king of spear-phishing” for its skill in deceiving victims into downloading malware via emails that appear to originate from trusted sources. Unit 42’s investigation into Sparkling Pisces’ infrastructure has revealed the emergence of two new portable executables, KLogEXE and FPSpy. “These malware strains are known to be…

N. Korean Hackers Unleash New KLogEXE and FPSpy Malware in Targeted Campaigns On September 26, 2024, cybersecurity experts revealed that threat actors associated with North Korea have introduced two new malware strains, KLogEXE and FPSpy, into their cyber offensive toolkit.…

Czech Republic Accuses China-Linked APT31 Hackers in 2022 Cyberattack on Foreign Ministry

May 28, 2025
Cybersecurity / Cyber Espionage

On Wednesday, the Czech Republic officially charged a threat actor connected to the People’s Republic of China (PRC) with a cyber intrusion targeting its Ministry of Foreign Affairs. In a public announcement, the government revealed that it identified China as responsible for a malicious campaign affecting one of the Ministry’s unclassified networks. The full scope of the breach remains unclear. “The malicious activity […] began in 2022 and impacted an institution designated as critical infrastructure in the Czech Republic,” the statement said. The attack has been linked to the state-sponsored group APT31, which overlaps with threat clusters known as Altaire, Bronze Vinewood, Judgement Panda, PerplexedGoblin, RedBravo, Red Keres, and Violet Typhoon (formerly Zirconium). This hacking group, publicly associated with the Ministry of State Security (MSS) and the Hubei State Security Department, has been active since at least 2010, according to the U.S. Department of…

Czech Republic Accuses China-Linked APT31 of 2022 Cyberattack On May 28, 2025, the Czech Republic’s government officially attributed a cyberattack that took place in 2022 to a state-sponsored actor linked to the People’s Republic of China (PRC). The targeted entity…

CISA Updates KEV Catalog with 3 New Vulnerabilities Affecting AMI MegaRAC, D-Link, and Fortinet

On June 26, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added three security vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, all of which are subject to active exploitation. These vulnerabilities affect AMI MegaRAC, D-Link DIR-859 routers, and Fortinet FortiOS. The details of the vulnerabilities are as follows:

  • CVE-2024-54085 (CVSS score: 10.0): An authentication bypass vulnerability in the Redfish Host Interface of AMI MegaRAC SPx, which could enable a remote attacker to gain control.
  • CVE-2024-0769 (CVSS score: 5.3): A path traversal vulnerability in D-Link DIR-859 routers that facilitates privilege escalation and unauthorized control (currently unpatched).
  • CVE-2019-6693 (CVSS score: 4.2): A hard-coded cryptographic key issue in FortiOS, FortiManager, and FortiAnalyzer used for encrypting password data in CLI configurations, potentially allowing an attacker with access to the CLI configuration or backup file to decrypt sensitive information.

CISA Updates KEV Catalog with Three Critical Vulnerabilities Affecting AMI MegaRAC, D-Link, and Fortinet On June 26, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) expanded its Known Exploited Vulnerabilities (KEV) catalog to include three significant security flaws. These…

New HTML Smuggling Scheme Distributes DCRat Malware to Russian-Speaking Users

On September 27, 2024

GenAI / Cybercrime

A recent campaign is specifically targeting Russian-speaking users by spreading the DCRat malware (also known as DarkCrystal RAT) through a method known as HTML smuggling. This marks the first instance of this malware being delivered via this technique, shifting away from traditional methods such as compromised websites or phishing emails that included malicious PDF attachments or Excel documents with macros. “HTML smuggling serves primarily as a means of delivering the payload,” explained Netskope researcher Nikhil Hegde in an analysis released Thursday. “The payload can either be embedded directly within the HTML or fetched from an external source.” The HTML files can be distributed via fake websites or malicious spam emails. When victims open the file in their web browser, the hidden payload is decoded and downloaded to their system. The success of this attack relies significantly on social engineering tactics to persuade the victim to execute the file.

New HTML Smuggling Campaign Targets Russian-Speaking Users with DCRat Malware September 27, 2024 GenAI / Cybercrime A recent cybersecurity development highlights a targeted campaign aimed at Russian-speaking users, delivering the commodity trojan known as DCRat, also referred to as DarkCrystal…