The Breach News

Severe Sudo Vulnerabilities Allow Local Users to Escalate to Root Access on Major Linux Distributions

July 4, 2025
By Cybersecurity Insights

Cybersecurity researchers have identified two critical vulnerabilities in the Sudo command-line utility for Linux and Unix-like systems, enabling local attackers to elevate their privileges to root on affected machines. Here’s a summary of the vulnerabilities:

  • CVE-2025-32462 (CVSS Score: 2.8): In versions prior to 1.9.17p1, Sudo, when configured with a sudoers file specifying a host that is neither the current host nor ALL, permits listed users to execute commands on unintended machines.

  • CVE-2025-32463 (CVSS Score: 9.3): In Sudo versions before 1.9.17p1, local users can gain root access as a result of the /etc/nsswitch.conf file being utilized from a user-controlled directory in conjunction with the --chroot option.

Sudo is a command-line tool designed to allow low-privileged users to execute commands as another user, typically the superuser, thereby implementing the principle of least privilege for administrative tasks.

Critical Sudo Vulnerabilities Expose Linux Systems to Root Access Risks

On July 4, 2025, cybersecurity experts identified two significant vulnerabilities in the Sudo command-line utility widely used across Linux and Unix-like operating systems. These issues pose a serious threat, allowing local attackers to gain root access on affected systems, heightening…


CERT-UA Discovers Malicious RDP Files in Recent Attack on Ukrainian Entities

Oct 26, 2024
Cyber Attack / Threat Intelligence

The Computer Emergency Response Team of Ukraine (CERT-UA) has revealed a new malicious email campaign targeting government agencies, businesses, and military organizations. CERT-UA noted, “The emails leverage the allure of integrating popular services like Amazon or Microsoft while promoting a zero-trust architecture.” These messages include attachments that are Remote Desktop Protocol (‘.rdp’) configuration files. When executed, these RDP files connect to a remote server, allowing threat actors to access compromised systems, steal data, and deploy additional malware for subsequent attacks. The preparation for this infrastructure is believed to have started as early as August 2024, and the agency warns that the campaign may extend beyond Ukraine to other countries. CERT-UA has linked the campaign to a threat actor identified as UAC-0215. Amazon Web Services (AWS) also issued a related advisory…

CERT-UA Uncovers Malicious RDP Files Targeting Ukrainian Entities

October 26, 2024
Cyber Attack / Threat Intelligence

The Computer Emergency Response Team of Ukraine (CERT-UA) has reported a newly identified malicious email campaign directed at various governmental agencies, private enterprises, and military organizations within the country. This campaign seeks to exploit…


“Deceptively Normal Network Traffic: Unmasking Hidden Threats”

Jul 02, 2025
Network Security / Threat Detection

With nearly 80% of cyber threats now imitating legitimate user actions, how can leading Security Operations Centers (SOCs) distinguish between authentic traffic and potential hazards? What options remain when traditional firewalls and endpoint detection and response (EDR) systems fail to identify critical threats facing your organization? Verizon’s latest Data Breach Investigations Report reveals a troubling increase in breaches at edge devices and VPN gateways, rising from 3% to 22%. EDR tools are increasingly challenged by zero-day exploits, living-off-the-land tactics, and malware-free attacks. According to CrowdStrike’s 2025 Global Threat Report, almost 80% of identified threats employ malware-free techniques that closely resemble typical user behavior. Conventional detection methods are no longer adequate as threat actors evolve, frequently utilizing sophisticated methods like credential theft or DLL hijacking to evade detection. In light of this, SOCs are adopting a multi-layered…

Network Traffic May Seem Innocuous, Yet It Could Conceal Significant Threats

July 02, 2025
Network Security / Threat Detection

As cyber threats increasingly adopt tactics that mimic legitimate user behavior, discerning between legitimate traffic and potentially harmful activity poses a substantial challenge for Security Operations Centers (SOCs). With the rise…


Kimsuky Hackers from North Korea Face Data Breach After Insider Leaks Information Online

A notable breach has emerged from North Korea’s Kimsuky espionage group, with insiders leaking hundreds of gigabytes of sensitive internal files and tools to the public. This incident, which surfaced in early June 2025, reveals critical backdoors, phishing mechanisms, and reconnaissance strategies employed by the state-sponsored threat actor—marking an unusual…


Warning: Exposed JDWP Interfaces are Being Exploited for Crypto Mining; Hpingbot Targets SSH for DDoS

Date: July 5, 2025
Category: Vulnerability / Botnet

Cybercriminals are exploiting exposed Java Debug Wire Protocol (JDWP) interfaces to gain code execution and deploy cryptocurrency miners on compromised systems. According to Wiz researchers Yaara Shriki and Gili Tikochinski, “The attacker utilized a modified version of XMRig with a hard-coded configuration, allowing them to evade detection from suspicious command-line arguments that security measures often flag.” They added that the mining payload employed proxies to obscure the cryptocurrency wallet address, complicating investigations. The cloud security firm, recently acquired by Google Cloud, reported observing this activity on its honeypot servers running TeamCity, a well-known continuous integration and delivery (CI/CD) tool. JDWP, a debugging communication protocol for Java, enables users to manage Java applications running in separate processes.

Alert: Exposed JDWP Interfaces Facilitate Cryptocurrency Mining Attacks; Hpingbot Targets SSH for DDoS

July 5, 2025

In a troubling development within the cybersecurity landscape, threat actors are exploiting exposed Java Debug Wire Protocol (JDWP) interfaces to gain unauthorized code execution capabilities, subsequently deploying cryptocurrency miners on affected systems. Researchers from…


Chinese Hackers Utilize CloudScout Toolset to Harvest Session Cookies from Cloud Services

Oct 28, 2024
Cloud Security / Cyber Attack

A Taiwan-based government entity and a religious organization have fallen victim to the China-linked threat actor known as Evasive Panda. This group employed an undocumented post-compromise toolset called CloudScout. According to ESET security researcher Anh Ho, “The CloudScout toolset can extract data from various cloud services by exploiting stolen web session cookies.” Integrated through a plugin, CloudScout operates in conjunction with MgBot, Evasive Panda’s primary malware framework. The .NET-based malware was detected between May 2022 and February 2023 and comprises 10 C# modules, three of which are specifically designed to steal data from Google Drive, Gmail, and Outlook, while the functions of the remaining modules are still unknown. Evasive Panda, also referred to as Bronze Highland, Daggerfly, and StormBamboo, is a cyber espionage group with a history of targeting various entities.

Chinese Hackers Exploit CloudScout Toolset to Steal Session Cookies from Cloud Services

On October 28, 2024, reports surfaced highlighting the cyber operations of a China-linked threat actor known as Evasive Panda. This group targeted a governmental entity and a religious organization in Taiwan, deploying a previously undocumented post-compromise toolset identified…


Unsolved Crime Wave Hits National Guard Equipment Locations

A series of previously unreported break-ins at Tennessee National Guard armories last fall highlights escalating security vulnerabilities across U.S. military facilities, igniting serious concerns over the susceptibility of these sites to theft and unauthorized access. Confidential information obtained from the Tennessee Fusion Center reveals that four break-ins occurred at various…
