The cyber security world moved fast this week, with major discussions around phishing, incident response, malware campaigns, data breaches, cloud forensics, insider threats, and government-led cyber directives. Alongside technical explainers, several important news stories highlighted how attackers are evolving their methods and how defenders need to respond faster than ever.

This week’s updates cover both practical learning topics and important cyber news, making it useful for students, researchers, SOC analysts, and anyone building a career in cyber security.

Training Recommendation

If you are looking for cyber security training with AI-powered learning and AI security-focused concepts at an affordable price, you can check out:

Techonquer Diploma Program
https://techonquer.org/diploma

1. QR Code Hijacking and Quishing

QR-code-based attacks are becoming more common because they feel harmless to users. In quishing attacks, the victim scans a malicious QR code that redirects them to phishing pages, fake payment portals, or credential-harvesting websites. Since people often trust QR codes more than suspicious emails, this method is proving highly effective.

Read more:
https://hacklido.com/blog/1457-qr-code-hijacking-quishing

2. Smart Contract Hacking: Reentrancy Attacks Explained

Reentrancy remains one of the most dangerous smart contract vulnerabilities. This attack happens when a malicious contract repeatedly calls back into a vulnerable contract before the original transaction is completed. The result can be unauthorized fund withdrawals or contract manipulation.

Read more:
https://hacklido.com/blog/1458-smart-contract-hacking-reentrancy-attacks-explained

3. Incident Response: The First Hour After a Cyber Attack

The first hour after a cyber attack is often the most critical. Decisions taken during this phase can impact evidence preservation, containment, communication, and recovery. A good incident response process focuses on identifying the scope of compromise quickly while avoiding panic-driven mistakes.

Read more:
https://hacklido.com/blog/1459-incident-response-what-happens-in-the-first-hour-after-a-cyber-attack

4. Breaking Base64: Understanding the Encoding Logic

A deep technical breakdown explored how Base64 works from the ground up. Rather than treating it as a simple encoding method, the article walks through the 3-to-4 encoding mechanism and highlights hidden implementation pitfalls that many learners overlook.

Read more:
https://hacklido.com/blog/1460-breaking-base64-rebuilding-the-3-to-4-encoding-logic-from-scratch-and-the-hidden-trap-i-found

5. Logs in Cyber Security: Reading Digital Evidence

Logs are one of the most important sources of digital evidence during investigations. Whether it is system logs, application logs, authentication records, or network events, investigators rely on logs to reconstruct attacker behavior and identify suspicious activity timelines.

Read more:
https://hacklido.com/blog/1462-logs-in-cybersecurity-how-investigators-read-digital-evidence

6. Becoming Better at Forensics Challenges

Forensics challenges help build practical investigation skills. They train analysts to examine files, metadata, memory artifacts, deleted records, and hidden traces. The featured guide gives a starting point for anyone who wants to improve in solving digital forensics problems.

Read more:
https://hacklido.com/blog/1461-how-to-become-a-pro-in-solving-forensics-challenges-part-1

7. Brute Force Attacks and How They Are Detected

Brute force attacks remain simple but effective when weak passwords or poor account protections exist. Attackers try repeated credential combinations until they find a match. Investigators usually detect these attacks through abnormal login volumes, repeated failures, source IP patterns, and authentication log anomalies.

Read more:
https://hacklido.com/blog/1463-brute-force-attacks-how-attackers-break-passwords-and-how-investigators-detect-them

8. Insider Threats: Risk from Within

Not all threats come from outside the organization. Insider threats involve employees, contractors, or trusted users misusing access either intentionally or accidentally. These incidents are dangerous because insiders often already have the permissions needed to access sensitive systems and data.

Read more:
https://hacklido.com/blog/1464-insider-threats-when-the-danger-comes-from-within

9. CISA’s SharePoint Deadline for CVE-2026-20963

A major update this week involved CISA’s March 21 directive regarding SharePoint vulnerability CVE-2026-20963. Such orders highlight the urgency with which organizations are expected to patch or mitigate serious flaws, especially when the affected software is widely used in enterprise environments.

Read more:
https://hacklido.com/news/deadline-day-cisa-s-march-21-order-for-sharepoint-cve-2026-20963

10. India’s “3-Hour Rule” for Platforms

India’s digital ecosystem saw attention around the so-called “3-hour rule,” which reportedly places strict expectations on platforms in responding to certain government or compliance-related actions. This reflects the growing intersection between cyber security, digital governance, and platform accountability.

Read more:
https://hacklido.com/news/the-3-hour-rule-india-s-digital-blitz-mandatory-for-platforms

11. Data Breaches: How Investigators Find What Was Stolen

When a breach happens, one of the first major questions is: what exactly was taken? Investigators examine exfiltration paths, logs, cloud activity, endpoint traces, archive files, and attacker tools to determine what data was accessed or stolen. This process is essential for impact assessment and regulatory reporting.

Read more:
https://hacklido.com/blog/1465-data-breaches-how-investigators-find-out-what-was-stolen

12. AstraZeneca Data Breach Claim

Reports surfaced claiming that the LAPSUS$ group may have gained access to internal AstraZeneca data. Incidents like this remind organizations that reputation damage, data theft, and supply-chain concerns can quickly follow public breach allegations, even before all claims are fully verified.

Read more:
https://hacklido.com/news/astrazeneca-data-breach-lapsus-group-allegedly-claims-access-to-internal-data

13. Crunchyroll Data Breach Reported

Another notable report involved Crunchyroll, where cyber security sources claimed a leak of around 100GB of data. Large-scale leaks of this kind can include internal documents, user-related information, operational data, or development assets, depending on the nature of the compromise.

Read more:
https://hacklido.com/news/crunchyroll-data-breach-cybersecurity-sources-report-100gb-leak

14. IDOR Vulnerability: Adding an Attacker into a Victim Team

IDOR, or Insecure Direct Object Reference, remains a common but impactful web security issue. The discussed case shows how an attacker could exploit weak authorization controls to add themselves into another user’s team, demonstrating why access control validation must happen on the server side every time.

Read more:
https://hacklido.com/blog/1466-idor-allow-the-attacker-to-add-the-user-in-the-victim-team

15. Cloud Forensics in Modern Investigations

As organizations shift workloads to cloud environments, investigations also need to adapt. Cloud forensics involves reviewing cloud logs, access records, virtual assets, IAM activity, storage usage, and provider-specific telemetry. It is very different from traditional endpoint-only investigation models.

Read more:
https://hacklido.com/blog/1468-cloud-forensics-how-investigators-analyze-data-in-cloud-environments

16. Digital Evidence Collection and Preservation

Collecting digital evidence is not just about finding files. It is about preserving integrity, maintaining chain of custody, and ensuring the evidence remains admissible and trustworthy. This update focused on how investigators gather and protect digital evidence during cyber investigations.

Read more:
https://hacklido.com/blog/1467-digital-evidence-how-its-collected-and-preserved-in-cyber-investigations

17. North Korean Hackers and VS Code Auto-Run Abuse

A concerning malware development showed how North Korean threat actors reportedly abused VS Code auto-run tasks to deploy malware known as StoatWaffle. This is a reminder that developer environments are increasingly being targeted, especially where trust in tooling and automation is high.

Read more:
https://hacklido.com/news/north-korean-hackers-abuse-vs-code-auto-run-tasks-to-deploy-stoatwaffle-malware

18. Trivy Hack Spreads Infostealer Through Docker

Another major story involved a malicious campaign using a compromised Trivy-related vector to spread an infostealer via Docker, while also triggering worm-like behavior and a Kubernetes wiper. This shows how attacks on cloud-native and DevOps ecosystems are becoming more advanced and destructive.

Read more:
https://hacklido.com/news/trivy-hack-spreads-infostealer-via-docker-triggers-worm-and-kubernetes-wiper

This week’s cyber security updates show a clear pattern: attackers are becoming more creative, while defenders need stronger visibility, faster response, and deeper technical understanding. From quishing and smart contract flaws to malware delivery through developer tools and cloud-native attack chains, the landscape keeps expanding.

At the same time, core fundamentals still matter a lot — proper logging, evidence preservation, access control, incident response, and breach analysis remain the backbone of effective cyber defense.

Staying updated is not optional anymore. In cyber security, awareness is often the first layer of protection.

Writers who contribute more blogs will have higher chances of winning exciting rewards, including cash rewards, TryHackMe vouchers, Hack The Box vouchers, and Techonquer’s OSCP Recorded Course.
All writers are encouraged to start publishing their blogs on Hacklido. Share your cybersecurity knowledge, learning experiences, and research to participate in the WRAP program and increase your chances of winning rewards.
More info :https://hacklido.com/blog/411-writers-reward-program-wrap

If you love writing about cybersecurity, networking, ethical hacking, blue teaming, red teaming, CTFs, or real-world attack & defense scenarios this is your stage.

𝗪𝗵𝗮𝘁’𝘀 𝗶𝗻 𝗶𝘁 𝗳𝗼𝗿 𝘆𝗼𝘂?

𝗧𝗼𝗽 𝘄𝗿𝗶𝘁𝗲𝗿𝘀 𝘄𝗶𝗹𝗹 𝗿𝗲𝗰𝗲𝗶𝘃𝗲:
• 𝗖𝗮𝘀𝗵 𝗥𝗲𝘄𝗮𝗿𝗱𝘀
• 𝗩𝗼𝘂𝗰𝗵𝗲𝗿𝘀 𝗳𝗼𝗿 𝗧𝗿𝘆𝗛𝗮𝗰𝗸𝗠𝗲
• 𝗩𝗼𝘂𝗰𝗵𝗲𝗿𝘀 𝗳𝗼𝗿 𝗛𝗮𝗰𝗸 𝗧𝗵𝗲 𝗕𝗼𝘅
• 𝗧𝗲𝗰𝗵𝗼𝗻𝗾𝘂𝗲𝗿’𝘀 𝗢𝗦𝗖𝗣 𝗥𝗲𝗰𝗼𝗿𝗱𝗲𝗱 𝗖𝗼𝘂𝗿𝘀𝗲

𝗙𝗼𝗿 𝗺𝗼𝗿𝗲 𝗶𝗻𝗳𝗼 : https://hacklido.com/blog/411-writers-reward-program-wrap

𝗪𝗵𝗲𝘁𝗵𝗲𝗿 𝘆𝗼𝘂’𝗿𝗲 𝗮 𝗯𝗲𝗴𝗶𝗻𝗻𝗲𝗿 𝘀𝗵𝗮𝗿𝗶𝗻𝗴 𝗹𝗲𝗮𝗿𝗻𝗶𝗻𝗴 𝗻𝗼𝘁𝗲𝘀 𝗼𝗿 𝗮 𝗽𝗿𝗼𝗳𝗲𝘀𝘀𝗶𝗼𝗻𝗮𝗹 𝗯𝗿𝗲𝗮𝗸𝗶𝗻𝗴 𝗱𝗼𝘄𝗻 𝗮𝗱𝘃𝗮𝗻𝗰𝗲𝗱 𝗮𝘁𝘁𝗮𝗰𝗸 𝗰𝗵𝗮𝗶𝗻𝘀,
𝗬𝗢𝗨𝗥 𝗞𝗡𝗢𝗪𝗟𝗘𝗗𝗚𝗘 𝗠𝗔𝗧𝗧𝗘𝗥𝗦..

𝗦𝘁𝗮𝗿𝘁 𝘄𝗿𝗶𝘁𝗶𝗻𝗴. 𝗦𝘁𝗮𝗿𝘁 𝘀𝗵𝗮𝗿𝗶𝗻𝗴. 𝗦𝘁𝗮𝗿𝘁 𝗲𝗮𝗿𝗻𝗶𝗻𝗴.

#Hacklido #WRAP #CyberSecurity #EthicalHacking #Blogging #Infosec #WriteToWin

1. Critical DockerDash Vulnerability Discovered

A severe security flaw in DockerDash could allow attackers to compromise containerized environments, raising serious risks for DevOps and cloud infrastructures.
🔗 https://hacklido.com/news/security-alert-critical-flaw-discovered-in-dockerdash

2. MoltBot Malware Escalates Globally

What began as a stealth malware campaign has evolved into a widespread infection, targeting systems with persistence and command-and-control capabilities.
🔗 https://hacklido.com/news/the-rise-and-breach-of-moltbot

3. Qilin Ransomware Targets Tulsa International Airport

The Qilin ransomware group attacked airport infrastructure, highlighting growing ransomware threats against critical aviation and OT environments.
🔗 https://hacklido.com/news/qilin-ransomware-group-targets-tulsa-international-airport-tait

4. Shadow AI & the $670K “Innovation Tax”

Unapproved AI tools inside enterprises are creating silent breaches, compliance failures, and unexpected financial losses.
🔗 https://hacklido.com/news/the-silent-breach-shadow-ai-and-the-670k-innovation-tax

5. Alibaba’s Qwen3-Max-Thinking Challenges GPT-5.2

Alibaba introduced a powerful reasoning-focused AI model, intensifying competition in advanced AI capabilities.
🔗 https://hacklido.com/news/alibaba-s-qwen3-max-thinking-challenges-gpt-5-2-dominance

6. Dutch Telecom Odido Suffers Mega Breach

A massive data breach exposed 6.2 million customer records, once again stressing the need for stronger telecom security controls.
🔗 https://hacklido.com/news/dutch-telecom-giant-odido-hit-by-mega-breach-6-2-million-records-exposed

7. Chrome Zero-Day (CVE-2026-2441) Actively Exploited

CISA issued emergency directives as attackers exploited a Chrome zero-day in the wild. Immediate patching is critical.
🔗 https://hacklido.com/news/0-day-season-begins-chrome-patches-first-actively-exploited-flaw-of-2026-cve-2026-2441

8. OT Infrastructure Under Coordinated Attacks

New threat groups are mapping industrial systems to cause real-world physical effects, putting power grids and factories at risk.
🔗 https://hacklido.com/news/ot-infrastructure-under-fire-new-threat-groups-mapping-physical-effects

9. ShinyHunters’ 2026 Breach Campaign

The notorious hacking group continues leaking data and executing large-scale vishing operations across multiple sectors.
🔗 https://hacklido.com/news/shinyhunters-strikes-again-a-trail-of-high-profile-leaks-and-vishing-chaos-in-2026

10. Fintech Giant Figure Hit by SSO Vishing

Nearly 967,000 accounts were leaked after attackers abused Single Sign-On through social engineering.
🔗 https://hacklido.com/news/fintech-giant-figure-hit-by-shinyhunters-967k-accounts-leaked-after-sso-vishing-attack-2

11. Microsoft Patch Tuesday Aftermath

Microsoft addressed six actively exploited zero-days, including the dangerous “silent click” attack vector.
🔗 https://hacklido.com/news/microsoft-patch-tuesday-aftermath-6-zero-days-under-fire-and-the-silent-click-threat

12. Roundcube Webmail Exploited by State Actors

Emergency patch orders were issued after state-sponsored groups weaponized Roundcube vulnerabilities.
🔗 https://hacklido.com/news/roundcube-under-fire-cisa-issues-emergency-patch-order-for-state-sponsored-exploits

13. Grandstream VoIP Phones Vulnerability

A no-authentication flaw allowed attackers to gain root access on enterprise desk phones (CVE-2026-2329).
🔗 https://hacklido.com/news/the-desk-phone-is-listening-grandstream-voip-no-auth-root-takeover-cve-2026-2329-

14. IDMerit Mega-Leak: 3 Billion Records Exposed

One of the largest identity leaks ever questions the future of centralized digital identity trust models.
🔗 https://hacklido.com/news/3-billion-records-exposed-the-idmerit-mega-leak-and-the-death-of-identity-trust-

15. PayPal Data Exposure Incidents

Multiple disclosures revealed long-term data exposure caused by internal software issues and logging failures.
🔗 https://hacklido.com/news/paypal-discloses-six-month-data-exposure-linked-to-software-glitch
🔗 https://hacklido.com/news/the-ghost-in-the-ledger-paypal-s-165-day-data-leak-exposed

📚 Featured Hacklido Blogs – This Week

1. Cyber Security for Middle-Class Indian Homes

Practical guidance on securing home networks, devices, and digital identities on a budget.
🔗 https://hacklido.com/blog/1410-cyber-security-for-middle-class-indian-homes

2. Complete Guide on Financial Projections

A beginner-friendly breakdown of financial forecasting for startups and professionals.
🔗 https://hacklido.com/blog/1412-a-complete-guide-on-financial-projections

3. Amazon AIF-C01 Career & Job Role Guide

A roadmap for professionals preparing for the Amazon AI Foundational certification exam.
🔗 https://hacklido.com/blog/1411-job-roles-career-path-guide-amazon-aif-c01-exam

4. Broken Link Hijacking Explained

How attackers monetize forgotten URLs — and why this overlooked bug still pays.
🔗 https://hacklido.com/blog/1413-broken-link-hijacking-that-one-bug-everyone-ignores-until-it-pays

5. Blue Teaming Without Illusions

A realistic approach to building cyber defense from infrastructure to threat intelligence.
🔗 https://hacklido.com/blog/1414-blue-teaming-without-illusions-defense-built-from-infrastructure-to-intelligence

6. WordPress XML-RPC: Hidden Power & Risk

Why /xmlrpc.php remains both powerful and dangerous in modern WordPress environments.
🔗 https://share.google/XKvahNTz0rBpUCwaE

7. Evil Twin Attacks Explained

A deep dive into rogue Wi-Fi attacks and how attackers silently hijack users.
🔗 https://hacklido.com/blog/1416-the-phantom-in-the-air-a-guide-to-evil-twin-attacks

8. IDOR to Arbitrary File Access (Critical)

A real-world exploitation guide showing how IDOR can lead to full file compromise.
🔗 https://hacklido.com/blog/1417-idor-to-arbitrary-file-access-copy-any-users-files-critical

👉 Join our Telegram channel: https://t.me/hacklido
👉 Follow us: @hacklido
👉 Hack News Portal: https://hacklido.com/news

This Week’s Key Updates

1. iOS Pentesting Introduction

A beginner-friendly guide covering fundamentals of iOS pentesting, tools, and attack surface.
🔗 https://hacklido.com/blog/1405-ios-pentesting-introduction

2. Ultimate Cybersecurity Roadmap for 2026

Complete roadmap covering skills, certifications, career paths, and future trends in cybersecurity.
🔗 https://hacklido.com/blog/1408-ultimate-cybersecurity-roadmap-for-2026

3. Directory Traversal via Source Code Review

Deep dive into how a directory traversal vulnerability was discovered through source code analysis.
🔗 https://hacklido.com/blog/1409-breaking-file-security-a-directory-traversal-found-through-source-code-review

4. Cyber Security for Middle-Class Indian Homes

Practical cybersecurity guidance tailored for Indian households and everyday users.
🔗 https://hacklido.com/blog/1410-cyber-security-for-middle-class-indian-homes

Hack News Highlights

5. Critical Flaw Discovered in DockerDash

A serious vulnerability exposed in DockerDash that could put systems at risk.
🔗 https://hacklido.com/news/security-alert-critical-flaw-discovered-in-dockerdash

6. The Rise and Breach of MoltBot Malware

Analysis of MoltBot malware and how it’s rapidly spreading across systems.
🔗 https://hacklido.com/news/the-rise-and-breach-of-moltbot

7. Hack News Launch Special

• Microsoft Zero-Day Playbook (Feb 2026)

• India–Israel collaboration on next-gen security tech

• AI security race and what lies ahead

🔗 https://hacklido.com/news

Stay updated with weekly insights, real-world vulnerabilities, and practical security knowledge.
Join the community and never miss an update.

Hacklido | Learn • Break • Secure

Subscribe now

🎉 Milestone Update:
We’ve crossed 11,000+ followers on our X (Twitter) platform — thank you for the amazing support!

👉 Follow us on X (Twitter):
https://x.com/hacklido

👉 Join our Telegram channel for fastest updates:
https://t.me/hacklido

📚 This Week’s Published Blogs

1️⃣ IDOR Allow the Attacker to Add Our User in Any One Organization as Admin

🔗 https://hacklido.com/blog/1376-idor-allow-the-attacker-to-add-our-user-in-any-one-organzaition-as-admin-and-takoever-any-one-organization

2️⃣ Malware Categories in Android | Malware Analysis Series – Day 3

🔗 https://hacklido.com/blog/1378-malware-categories-in-android-malware-analysis-series-day-3

3️⃣ HAR Files – What They Are and How They’re Used

🔗 https://hacklido.com/blog/1380-har-files

4️⃣ Android Phases Throughout the Years | Malware Analysis Series – Day 4

🔗 https://hacklido.com/blog/1381-android-phas-throughout-the-years-malware-analysis-series-day-4

5️⃣ Critical IDOR: Attacker Can Take Over All Users’ Organizations

🔗 https://hacklido.com/blog/1384-critical-idor-allow-the-attacker-to-takeover-all-users-organizations

6️⃣ Steganography: How Malware Hides Inside Images

🔗 https://hacklido.com/blog/1387-steganography-how-malware-hides-inside-images

7️⃣ Android Ransomwares | Malware Analysis Series – Day 4

🔗 https://hacklido.com/blog/1390-android-ransomwares-malware-analysis-series-day-4

8️⃣ Critical IDOR: Attacker Can Add Collaborator in Victim Jobs

🔗 https://hacklido.com/blog/1391-critical-idor-allow-the-attacker-to-add-the-collabrator-in-the-victim-jobs

9️⃣ Android Trojans | Malware Analysis Series – Day 5

🔗 https://hacklido.com/blog/1392-android-trojans-malware-analysis-series-day-5

🔟 IDOR: Fixed Terminal Creation in Another Organization

🔗 https://hacklido.com/blog/1394-idor-fixed-terminal-creation-in-another-organization

1️⃣1️⃣ Phishing | Malware Analysis Series – Day 6

🔗 https://hacklido.com/blog/1395-phishing-malware-analysis-series-day-6

1️⃣2️⃣ Android Reverse Engineering: Android Internals & Environment Setup

🔗 https://hacklido.com/blog/1396-android-reverse-engineering-android-internals-review-setup-environments

1️⃣3️⃣ WebView Abuses, Hybrid Malware & Cloaking | Malware Analysis Series – Day 7

🔗 https://hacklido.com/blog/1397-webview-abuses-hybrid-malwares-cloaking-malware-analysis-series-day-7

1️⃣4️⃣ Android Reverse Engineering: Developer Options & Android Debug Bridge (ADB)

🔗 https://hacklido.com/blog/1398-android-reverse-engineering-developer-options-android-debug-bridge

A deep dive into how agent-based AI is reshaping SOC workflows, decision-making, and autonomous threat response.
👉

🧠 Complete Agentic SOC Roadmap (Beginner → Advanced)

Structured roadmap covering tools, architectures, and skills needed to build and run an Agentic SOC.
👉 https://hacklido.com/blog/1355-agentic-soc-roadmap-from-beginner-to-advanced

🐧 Package Management & Repositories – Advanced Linux Mastery (Day 9)

Level up your Linux skills with package management and repository workflows.
👉 https://hacklido.com/blog/1356-package-management-and-repositories-system-administration-advanced-linux-mastery-from-zero-to-hero-day-9

📺 How I Hacked My Smart TV

A real IoT hacking story showing practical device exploitation paths.
👉 https://hacklido.com/blog/1357-how-i-hacked-my-smart-tv

🕵️ My Complete Recon Workflow for Bug Bounty (2025 Edition)

Updated reconnaissance methodology combining automation and manual discovery.
👉 https://hacklido.com/blog/1359-my-complete-recon-workflow-for-bug-bounty-hunting-2025-edition

🐙 GitHub Recon – Where the Real Bugs Quietly Begin

How exposure on GitHub leads to vulnerability discoveries.
👉 https://hacklido.com/blog/1361-github-recon-where-the-real-bugs-quietly-begin

🔓 IDOR: Access Any Server Through Broken Authorization

Explains IDOR vulnerabilities enabling unauthorized backend access.
👉 https://hacklido.com/blog/1362-idor-allow-the-attacker-to-get-the-access-of-any-one-server

🎥 Real-World Security Exploit Walkthrough

Detailed video walkthrough demonstrating active exploitation techniques.
👉

🚨 Critical IDOR – Demoting All Users on the Platform

Case study of a severe IDOR that allowed demotion of every user.
👉 https://hacklido.com/blog/1364-critical-idor-allow-the-attacker-to-demote-the-all-users-exist-on-the-platform

🥪 Check Out Today’s Sandwich 🙌🏻

Light-heart break; fun food content from the creator’s day.
👉

🦠 The Invisible Virus: Understanding OAuth Worms

Explores OAuth misconfigurations and self-propagating compromise attacks.
👉 https://hacklido.com/blog/1366-the-invisible-virus-understanding-oauth-worms

🔑 Privilege Escalation: Admin Can Delete the Owner

Shows how a privilege escalation flaw lets admin delete the platform owner.
👉 https://hacklido.com/blog/1367-privilege-escalation-allow-the-admin-to-delete-the-owner

🧪 Malware Analysis Series – Environment Setup (Day 1)

Guide to creating a safe malware analysis environment from scratch.
👉 https://hacklido.com/blog/1369-setup-environment-for-malware-analysis-malware-analysis-series-day-1

Subscribe now

🔗 https://hacklido.com/blog/1312-letsdefend-walkthrough-password-management
This walkthrough explains how to investigate and analyze password-related security alerts using the LetsDefend platform. It covers practical incident response steps, account compromise detection, and password security best practices for SOC analysts.

2. IDOR – Allow the Attacker to Swap the Victim File Content

🔗 https://hacklido.com/blog/1311-idor-allow-the-attacker-swap-the-victim-file-content
A practical demonstration of an insecure direct object reference (IDOR) vulnerability that allows an attacker to modify another user’s file content. The blog explains how the vulnerability occurs, exploitation steps, and methods to mitigate such attacks.

3. Email Analysis / Phishing Investigation

🔗 https://hacklido.com/blog/1310-email-analysis-phishing-investigation
Learn how to perform real-world phishing email analysis including header inspection, URL verification, attachment examination, and threat hunting techniques to identify malicious emails.

4. How to Find XSS and Its Types – Complete Guide

🔗 https://hacklido.com/blog/1314-how-to-find-xss-and-its-types-complete-guide
A complete guide to Cross-Site Scripting (XSS) vulnerabilities, including stored, reflected, and DOM-based attacks. It also includes payload examples, detection methods, and how to prevent XSS in applications.

5. How to Find Information Using a Mobile Number – Complete Guide (2025)

🔗 https://hacklido.com/blog/1313-how-to-find-information-using-a-mobile-number-complete-guide-2025
This OSINT tutorial teaches how to collect publicly available information using a phone number. It includes legal investigation techniques, tools, lookup methods, and cyber investigation tips.

6. What is Blockchain Technology?

🔗 https://hacklido.com/blog/1315-what-is-blockchain-technology
A beginner-friendly explanation of blockchain, decentralization, smart contracts, consensus mechanisms, and how blockchain is transforming cybersecurity and digital systems.

7. User and Process Management – Linux Mastery Day 5

🔗 https://hacklido.com/blog/1320-user-and-process-management-linux-mastery-from-zero-to-hero-day-5
A detailed guide on Linux user and process management including user creation, privileges, process control, signals, and system monitoring—ideal for beginners and administrators.

8. OSINT: Open Source Intelligence and OSINT Life Cycle

🔗 https://hacklido.com/blog/1321-osint-open-source-intelligence-and-osint-life-cycle
Learn the fundamentals of OSINT, data collection phases, analysis workflow, and real-world intelligence gathering techniques used by investigators, cybersecurity professionals, and ethical hackers.

9. Continuous Pentesting in 2026

🔗 https://hacklido.com/blog/1325-continuous-pentesting-in-2026-why-on-demand-ai-driven-testing-is-a-must
An insight into the future of penetration testing, focusing on automation, AI-based security testing, real-time threat detection, and how companies are shifting from traditional pentesting to continuous security cycles.

10. Free VAPT Learning Resources (With Certificates)

🔗 https://hacklido.com/blog/1326-free-vapt-penetration-testing-learning-resources-with-certificates
A curated list of high-quality free courses, labs, platforms, and certifications for learning vulnerability assessment & penetration testing.

11. Bash Scripting Fundamentals – Linux Mastery Day 6

🔗 https://hacklido.com/blog/1328-bash-scripting-fundamentals-linux-mastery-from-zero-to-hero-day-6
Covers Bash scripting basics, variables, loops, automation, and practical examples to improve technical troubleshooting and system automation skills.

12. Remote Code Execution – Full Server Takeover via Web Cron Jobs

🔗 https://hacklido.com/blog/1327-remote-code-execution-full-server-takeover-viaweb-cron-jobs
Explains how insecure cron job configurations can lead to remote code execution and complete server compromise. Includes exploitation flow and mitigation strategies.

13. Azure Arsenal – Fundamentals Track: Cloud Basics

🔗 https://hacklido.com/blog/1329-azure-arsenal-fundamentals-track-cloud-basics
Introduction to Azure Cloud services for cybersecurity and cloud engineers. Covers core concepts, infrastructure components, and security management fundamentals.

Subscribe now

HACKLIDO | Cyber Security:
Linux Mastery: From Zero to Hero || Day 1

https://hacklido.com/blog/1287-linux-mastery-from-zero-to-hero-day-1

Linux filesystem hierarchy standard (FHS) Linux Mastery: From Zero to Hero Day 2

https://hacklido.com/blog/1287-linux-mastery-from-zero-to-hero-day-1

AD Pentest Blog 1 - Foundation & Basic Enumeration Through DNS and SMB

https://hacklido.com/blog/1293-ad-pentest-blog-1-foundation-basic-enumeration-through-dns-and-smb#1-Introduc

https://hacklido.com/blog/1294-ernst-young-ey-exposes-4tb-database-online-what-went-wrong

Onion.run: Bridging the Surface Web and the Dark Web

https://hacklido.com/blog/1296-onionrun-bridging-the-surface-web-and-the-dark-web

https://hacklido.com/blog/1295-aspnet-core-kestrel-vulnerability

*ASP.NET Core Kestrel Vulnerability
No voters*

https://hacklido.com/blog/1298-idor-allow-the-attacker-to-restrict-the-victim-access-on-the-editorsite

Idor allow the attacker to restrict the victim site access

Hands-On SIEM Alert Triage with LetsDefend

https://hacklido.com/blog/1300-hands-on-siem-alert-triage-with-letsdefend

🚨 Hacklido × LetsDefend: The Ultimate Writers Challenge is Live! 💥

Are you passionate about cybersecurity, DFIR, or ethical hacking?
This is your chance to showcase your skills, share your knowledge, and get rewarded for it!

📝 Write in-depth walkthroughs, insightful blogs, or practical guides that help the community learn — and stand a chance to win exciting cash prizes and VIP vouchers!

Whether you’re a beginner trying to build your name or a pro looking to inspire others, this is your stage. 🌍

📅 Challenge Duration: November 1 – 30
🔗 Register Now: https://forms.gle/hwGRxFgKercFp17z7

🔥 Don’t just read about cybersecurity — become the one others learn from.
Join the #HacklidoWritersChallenge and let your words make an impact!

Kickstart your Linux journey from scratch! Learn what Linux is, its history, key features, and the best beginner-friendly distributions in our Linux Mastery: From Zero to Hero series.
📖 Read more: https://hacklido.com/blog/1287-linux-mastery-from-zero-to-hero-day-1
🌐 Visit us: https://hacklido.com

TL;DR

Another day, another set of cyber shenanigans. From fake CAPTCHAs tricking people into compromising their own machines to a decade-old Windows shortcut exploit still being used by state-sponsored hackers, it’s clear that cybercriminals don’t take a day off. And in the world of software development, GitHub just got another wake-up call about the fragility of supply chains. Let’s dive in.

Attackers Use Fake CAPTCHA to Lure Victims

CAPTCHAs are supposed to keep bots out, but attackers have found a way to use them as bait. Researchers at HP Wolf Security have uncovered a new phishing technique called "ClickFix," which lures users into copying and running a malicious PowerShell script. The trick? A fake CAPTCHA that exploits user complacency.

Here’s how it works: A victim lands on a phishing site that looks convincingly real, often impersonating trusted brands like Booking.com. Before proceeding, they are presented with what appears to be a standard CAPTCHA verification — something most users complete without a second thought. But unlike a real CAPTCHA, this one doesn’t just verify human presence — it tricks users into copying and pasting a malicious PowerShell command into the Windows "Run" prompt.

Once executed, the script downloads malware directly onto the system, often from a legitimate cloud hosting service. This clever move helps attackers bypass traditional security defenses, as many security tools trust traffic coming from reputable cloud providers.

The scam has already hit major platforms, with Microsoft spotting a fake CAPTCHA overlay on a counterfeit Booking.com site. Sekoia’s research found similar attacks using Google reCAPTCHA and Cloudflare Turnstile as disguises, while Arctic Wolf warned that a widely used physical therapy site, HEP2go, was compromised to target the healthcare sector.

The malware, often downloaded from legitimate cloud hosting services, bypasses security alerts by leveraging trusted IP addresses. Suggested defenses? User awareness training, restricting clipboard access, and locking down the Windows "Run" command. Because if a CAPTCHA asks you to copy and paste something into your terminal, it’s not security — it’s a trap.

The 8-Year-Old Windows Shortcut Vulnerability That Won’t Die

A vulnerability in Windows shortcut (.LNK) files has been silently exploited for nearly a decade by hacking groups tied to North Korea, Russia, Iran, and China. Trend Micro’s Zero Day Initiative (ZDI) found that this flaw, tracked as ZDI-CAN-25373, allows attackers to hide malicious commands inside .LNK files, making them appear harmless.

The exploit has been used to target governments, financial institutions, telecom providers, and defense agencies, with nearly 70% of attacks focused on espionage. The catch? Microsoft doesn’t see it as a security issue, so don’t expect an emergency patch anytime soon.

Defenders are advised to scan for indicators of compromise (IOCs) and be wary of unexpected shortcut files. Meanwhile, security researchers are left shaking their heads, as this is just another example of an old technique being repurposed for modern attacks.

Supply Chain Attack through GitHub Actions

Developers relying on GitHub Actions may want to double-check their security settings. Security firm Wiz has uncovered a second attack on GitHub’s CI/CD workflows, potentially part of a cascading supply chain compromise. The attack impacted the popular tj-actions/changed-files action, leaking CI/CD secrets from up to 23,000 repositories.

It all started with the compromise of reviewdog/action-setup, which was then used as a stepping stone to infect other repositories. The attack was severe enough to catch the attention of the US Cybersecurity and Infrastructure Security Agency (CISA), which added the flaw (CVE-2025-30066) to its Known Exploited Vulnerabilities catalog.

Developers are urged to pin GitHub Actions to specific commit hashes, rotate exposed credentials, and audit logs for any suspicious activity. The attack highlights just how vulnerable the modern software supply chain can be — and why organizations need to treat third-party integrations as potential security risks.

TL;DR

Microsoft warns that US rural hospitals need at least $75 million to meet basic cybersecurity standards, as cyberattacks on these facilities have been linked to increased patient mortality. Apple is taking the UK government to court over a reported order demanding encryption backdoors, arguing that such a move would weaken global digital security. Meanwhile, US financial organizations are pushing back against CISA’s proposed cyber incident reporting rule, claiming it would place undue burdens on companies without improving security. Across industries, the battle between regulation, security, and financial constraints is heating up.

Microsoft Sounds the Alarm on Rural Hospital Cybersecurity

Microsoft has revealed a stark cybersecurity gap in US rural hospitals, estimating that at least $75 million is needed to bring these facilities up to basic security standards. Of the 2,100 rural hospitals nationwide, nearly 1,000 operate independently, without the financial support of larger networks. These hospitals struggle to implement even the most fundamental cybersecurity measures, such as multi-factor authentication (MFA) and unified identity management, leaving them vulnerable to attacks.

Last year, Microsoft launched its Cybersecurity for Rural Hospitals Program, offering free security assessments, training, and discounts on Microsoft security products. A recent report from the company highlights a dire consequence of cyberattacks: a 20% increase in patient mortality rates when hospitals experience system disruptions. Beyond the immediate dangers of ransomware and data breaches, these attacks force patients to travel farther for care, increasing risks for those in critical condition. While Microsoft’s initiative is a step forward, the funding gap remains staggering. The proposed $75 million investment amounts to less than three hours of Microsoft’s annual revenue, raising questions about whether major tech firms and policymakers will step up to protect these vital healthcare institutions before another crisis hits.

Apple Challenges UK’s Encryption Backdoor Order

Apple is taking the UK government to court over a reported demand that would force the company to weaken its end-to-end encryption protections. The case, filed with the UK’s Investigatory Powers Tribunal (IPT), follows Apple’s recent decision to withdraw its Advanced Data Protection (ADP) feature from the UK market. While the UK government has not officially acknowledged the existence of such an order, it is widely suspected to be a Technical Capability Notice (TCN) issued under the Investigatory Powers Act of 2016—often called the “Snooper’s Charter.”

Apple’s legal battle highlights a broader concern over digital privacy. If forced to comply, Apple would not only have to provide UK authorities with access to encrypted iCloud data but could also set a precedent that other governments might follow. Critics argue that any encryption backdoor—regardless of intent—creates a systemic weakness that could be exploited by malicious actors. Security experts warn that such a move would break encryption in a fundamental way, as no government can guarantee exclusive access to these vulnerabilities. Apple’s fight isn’t just about the UK; it’s about defending encryption standards worldwide. Whether the IPT will rule in Apple’s favor remains uncertain, but the case is shaping up to be a critical test for global digital security.

US Financial Sector Pushes Back on CISA Cyber Incident Rule

Leading financial organizations are urging the Cybersecurity and Infrastructure Security Agency (CISA) to rethink its proposed cyber incident reporting rule, arguing that it could create unnecessary burdens without improving security. The rule, part of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), would require financial institutions to report significant cyber incidents within 72 hours and ransomware payments within 24. With CIRCIA set to take effect in October 2025, industry leaders warn that the regulation could force companies to divert critical resources away from responding to attacks and toward compliance paperwork.

While regulators argue that real-time reporting will improve national cybersecurity resilience, financial institutions see it differently. Some claim the rule exceeds its intended scope, creating overlapping obligations with existing SEC regulations. Others suggest that the 24-hour ransomware payment reporting requirement could inadvertently expose companies to scrutiny under the Treasury Department’s Office of Foreign Assets Control (OFAC), which prohibits payments to sanctioned entities. At its core, this debate pits regulatory oversight against corporate autonomy, with financial firms seeking to minimize government intervention while CISA pushes for greater transparency. With time running out before the rule takes effect, negotiations between industry and regulators could determine whether CISA adjusts its approach or doubles down on enforcement.

Without the community partners, hacklido wouldn't be where it is now, So we would like to thank them.

• Cyber Security News

• Sysxplore

If you wish to Sponsor / Partner with hacklido and get benefitted? Reach out to us via maalolan@hacklido.com / discord / telegram group / Author’s LinkedIn to discuss with us!

TL;DR

Sweden is pushing for an encryption backdoor law, but Signal refuses to comply and may exit the country rather than compromise user privacy. Meanwhile, a critical vulnerability in MITRE Caldera—a widely used cybersecurity tool—has been exposed, allowing remote code execution with a severity score of 10.0. And in Maryland, a cyberattack forced Anne Arundel County offices to shut down for a day, highlighting the ongoing threats facing local governments.

Signal vs. Sweden – A Battle Over Privacy

Sweden is pushing forward with a legislative proposal that has sent shockwaves through the cybersecurity and privacy communities. The proposed law would require messaging services using end-to-end encryption (E2EE), including Signal and WhatsApp, to store user messages for up to two years and make them accessible to law enforcement upon request. The reaction from Signal has been swift and unequivocal: it will leave the Swedish market before complying with any regulation that undermines its core mission of providing secure and private communication.

Meredith Whittaker, president of the Signal Foundation, has been a vocal advocate for privacy and strongly opposed to any form of encryption backdoor. Speaking to Swedish media outlet SVT Nyheter, she characterized the proposed legislation as a “catastrophic” attack on fundamental rights. Her concerns are well-founded. The essence of E2EE is that only the sender and recipient can access a message—service providers themselves do not hold the keys. Any attempt to create an exception, even for law enforcement, inherently weakens encryption for all users and opens the door to exploitation by malicious actors.

Interestingly, the Swedish military has also raised alarms about the proposal, warning the government that weakening encrypted communication would pose national security risks. This highlights a paradox: governments seek access to encrypted messages for investigative purposes, yet their own security agencies rely on the same encryption to protect sensitive information. If Signal follows through on its threat to exit Sweden, it won’t be the first company to take such a stand. Apple recently withdrew key services from the UK rather than comply with similar legal demands.

The larger concern is that this isn’t an isolated case. Governments around the world are increasingly demanding backdoor access to encrypted communications, often citing crime prevention and national security as justifications. But history has shown that such measures don’t deter criminals—they adapt. If mainstream platforms like Signal and WhatsApp are forced to compromise their encryption, sophisticated threat actors will simply migrate to private, decentralized alternatives, leaving ordinary users exposed to government surveillance and cybercriminal threats alike.

The coming months will determine whether Sweden backs down in the face of mounting resistance or pushes forward, potentially setting a precedent that other nations might follow. If the law is passed, Sweden may not only lose access to Signal but could also trigger a wider exodus of secure communication providers—leaving citizens and even government agencies with fewer reliable options for privacy-focused messaging.

MITRE Caldera’s Critical Vulnerability

In an unsettling turn of events, a critical vulnerability has been discovered in MITRE Caldera, an open-source adversary emulation platform widely used by security teams to test defenses and simulate cyberattacks. This isn’t just another routine bug—it’s a command injection vulnerability with a CVSS score of 10.0, the highest possible severity rating.

The issue, identified by security researcher Dawid Kulikowski, allows remote code execution under default configurations. This means an attacker can gain full control over the system running Caldera, executing arbitrary commands with potentially devastating consequences. The vulnerability affects all versions of the software and is particularly dangerous because its exploitation requires no special conditions—just the presence of Go, Python, and GCC, which are already required for Caldera’s normal operation.

The discovery raises serious concerns about security practices even within organizations dedicated to cybersecurity research. How did such a severe flaw go undetected before release? Was it a failure of automated security testing, a gap in manual code reviews, or an oversight in QA processes? These are the kinds of questions the cybersecurity community is asking. While a patch has been released, the incident highlights a troubling reality: even the tools designed to strengthen security can themselves become attack vectors if vulnerabilities are not properly managed.

The fact that proof-of-concept exploits have already been made public only adds urgency to the situation. Organizations using Caldera must immediately update their installations and ensure their instances are not exposed to the internet. While the overall impact may seem limited—after all, Caldera is not a mainstream consumer product—it serves as a stark reminder that security teams must continuously scrutinize their own tools just as they would any other potential attack surface. The irony here is undeniable: in the process of simulating threats, security professionals may have unwittingly introduced an actual threat into their own environments.

Cyberattack Shuts Down Maryland County Offices

Anne Arundel County, Maryland, was forced to temporarily shut down its government offices after a cyberattack disrupted its systems. While officials have provided few details, early reports suggest that internet access was deliberately restricted as a precautionary measure—an indication that the county may have been dealing with ransomware or another form of malicious intrusion.

County buildings reopened the next day, but online services remained partially limited, and employees were encouraged to work remotely if possible. This highlights a crucial issue: even as some organizations scale back remote work policies, the ability to shift quickly to secure telework remains vital during unexpected disruptions. Whether due to cyberattacks, natural disasters, or other emergencies, organizations must maintain reliable and resilient IT infrastructure that allows for operational continuity.

The incident also underscores the ongoing vulnerability of local governments to cyber threats. Municipalities often lack the robust cybersecurity budgets of large corporations, making them attractive targets for ransomware groups and other attackers. While Anne Arundel County appears to have mitigated the immediate impact, the attack serves as a reminder that proactive defense strategies—including strong network segmentation, regular security audits, and comprehensive incident response plans—are non-negotiable in today’s threat landscape.

One question that remains unanswered is the scope of the attack. Was this a targeted effort, or part of a larger campaign affecting multiple local governments? In recent years, we’ve seen cybercriminal groups increasingly targeting state and municipal agencies, knowing that they provide essential services and may feel pressured to pay ransoms quickly.

For now, county officials have promised updates as they assess the damage and restore full functionality. But the bigger lesson here is clear: preparedness isn’t optional. Cyber resilience must be built into every organization’s DNA, because the next attack is only a matter of time.

Without the community partners, hacklido wouldn't be where it is now, So we would like to thank them.

• Cyber Security News

• Sysxplore

If you wish to Sponsor / Partner with hacklido and get benefitted? Reach out to us via maalolan@hacklido.com / discord / telegram group / Author’s LinkedIn to discuss with us!

TL;DR

Microsoft has unveiled Majorana 1, a breakthrough quantum processor leveraging topoconductors to create scalable, error-resistant qubits, pushing quantum computing closer to real-world applications. Meanwhile, Russian hackers are exploiting Signal’s "Linked Devices" feature through phishing attacks, prompting Signal to introduce new security measures. Lastly, OpenSSH has patched two critical vulnerabilities that could enable Man-in-the-Middle (MitM) and Denial-of-Service (DoS) attacks, urging users to update immediately.

Microsoft’s Quantum Leap - Majorana 1 Chip Breakthrough

Microsoft has just made a bold move in the quantum computing race with the unveiling of its Majorana 1 chip, a potential game-changer that could bring quantum computing out of the lab and into real-world applications. The key to this breakthrough? Topoconductors—a new class of materials that form the foundation for Microsoft’s topological qubits, which aim to be more stable and scalable than existing quantum bits.

At the heart of the challenge with quantum computing lies error correction. Qubits, unlike classical bits, are highly sensitive to environmental noise, leading to computational errors. Microsoft’s new design, leveraging tetrons as logical qubits for error correction, claims to drastically reduce these errors—bringing the error rate down to a manageable 1%. If successful, this would make quantum computing truly viable for real-world applications, from cryptography to AI and complex simulations.

Perhaps most impressive is the scale Microsoft is aiming for: a million-qubit quantum processor—all within a chip roughly the size of a standard CPU. That’s a staggering leap from today’s state-of-the-art quantum machines, which operate with only a few hundred qubits. If realized, this could put Microsoft ahead in the race toward practical, large-scale quantum computing.

The implications? Enormous. The U.S. government’s "Quantum Crypto Deadline" of 2035 suddenly seems much more realistic. Organizations must start preparing for a post-quantum world, ensuring cryptographic agility and adopting flexible security measures that can adapt to quantum-resistant algorithms.

While Majorana 1 is still in development and requires absolute zero temperatures to function, the roadmap for scalable quantum computing has never looked clearer. Keep your eyes on this space—because when this tech matures, the computing world as we know it will change forever.

Signal’s Linked Devices Feature Hijacked by Russian Hackers

Encrypted messaging apps like Signal are often hailed as the last bastion of privacy—but even the best security measures can be undermined by social engineering. Google’s Threat Intelligence Group (GTIG) has flagged a Russian state-backed phishing campaign exploiting Signal’s "Linked Devices" feature, allowing attackers to silently eavesdrop on messages in real-time.

Here’s how it works: Victims are tricked into scanning a malicious QR code or clicking a phishing link, believing it to be a legitimate security alert or group invite. Instead, they unknowingly grant attackers access to their Signal account, syncing their conversations across devices controlled by the threat actor. This means every message sent and received is intercepted without the user realizing it.

In response, Signal has rolled out new security measures, requiring additional authentication when linking devices and implementing real-time warnings for suspicious connections. But the attack underscores a deeper issue: user interface vulnerabilities can be just as dangerous as traditional software exploits. Many users struggle to distinguish between benign QR codes and phishing traps, making them easy targets for sophisticated cyberattacks.

Security experts warn that these tactics aren’t limited to Signal—other messaging platforms like WhatsApp and Telegram are also in the crosshairs. The best defenses? Use complex passwords, enable Lockdown Mode on iPhones, check your "linked devices" list regularly, and never scan QR codes from untrusted sources. As threats against encrypted communication intensify, vigilance is key.

OpenSSH Patches Flaws That Could Expose Millions to MitM and DoS Attacks

If your systems rely on OpenSSH, it’s time to patch—now. Researchers at Qualys Threat Research Unit (TRU) have uncovered two critical vulnerabilities that could put millions of SSH servers at risk, including those used by tech giants like Facebook, Netflix, and Morgan Stanley.

The first flaw, CVE-2025-26465, allows attackers to launch Man-in-the-Middle (MitM) attacks by exploiting OpenSSH’s VerifyHostKeysDNS option. Ironically, this setting—designed to verify a server’s authenticity—has been found to actually compromise security, leaving connections vulnerable to interception. What’s worse? This flaw has been present in OpenSSH since 2014 and was enabled by default in FreeBSD until 2023.

The second flaw, CVE-2025-26466, enables pre-authentication Denial-of-Service (DoS) attacks, which could allow malicious actors to crash OpenSSH servers before authentication even takes place.

Both issues have been patched in OpenSSH 9.9p2, and if your organization uses OpenSSH, updating immediately is non-negotiable. Beyond patching, tighten access controls—exposing SSH services unnecessarily can lead to massive security headaches. And if you’re still relying on DNS-based host key verification, it’s time to rethink your security strategy.

The bigger picture? OpenSSH underpins secure remote access for millions of systems worldwide. These flaws, while now patched, serve as a stark reminder that even foundational security tools can harbor vulnerabilities for years before they’re discovered. Regular updates and proactive security measures aren’t optional—they’re essential.

Without the community partners, hacklido wouldn't be where it is now, So we would like to thank them.

• Cyber Security News

• Sysxplore

If you wish to Sponsor / Partner with hacklido and get benefitted? Reach out to us via maalolan@hacklido.com / discord / telegram group / Author’s LinkedIn to discuss with us!

TL;DR

Cybersecurity never takes a break, and neither should your defenses. This week, Microsoft’s Patch Tuesday reveals actively exploited vulnerabilities, a global law enforcement effort takes down a major ransomware gang, and China-linked hackers target unpatched Cisco devices. Let’s break it all down.

Microsoft Patch Tuesday: Two Zero-Days Actively Exploited

Microsoft’s February 2025 Patch Tuesday fixes 63 vulnerabilities, including four critical flaws and four zero-days, two of which are already being exploited in the wild.

The Actively Exploited Zero-Days

🚨 CVE-2025-21418 (CVSS 7.8) – WinSock Elevation of Privilege Vulnerability

• Affects the Windows Ancillary Function Driver for WinSock - primarily responsible for handling network-related functions..

• Allows an attacker to gain SYSTEM-level privileges—giving them full control over the affected machine via heap-based buffer overflow.

• No user interaction required, making exploitation relatively simple.

• Context: This is the ninth WinSock-related privilege escalation vulnerability since 2022. A similar flaw (CVE-2024-38193) was previously exploited by North Korea’s Lazarus Group to deploy rootkits.

🚨 CVE-2025-21391 (CVSS 7.1) – Windows Storage Elevation of Privilege Vulnerability - Lets attackers delete specific files, which could be used to disrupt services or erase evidence of other malicious activity.

The Other Zero-Days (Not Yet Exploited)

🔸 CVE-2025-21194 (CVSS 7.1) – Microsoft Surface Security Feature Bypass

• A high-complexity attack targeting Microsoft Surface devices.

• Could allow an attacker to circumvent security controls, though details remain scarce.

🔸 CVE-2025-21377 (CVSS 6.5) – NTLM Hash Disclosure Spoofing Vulnerability

• Could result in a total loss of confidentiality with minimal user interaction.

• NTLM-related vulnerabilities are especially concerning because they enable credential theft, which can be used for lateral movement within networks.

8Base Ransomware Takedown: Four Russian Nationals Arrested

A massive international law enforcement operation has led to the arrest of four Russian nationals in Thailand, suspected of running the 8Base ransomware gang. The operation spanned 14 countries, and authorities seized the group’s dark web leak site, replacing it with a law enforcement notice.

Who is 8Base?

• 8Base specializes in double extortion ransomware, encrypting victims’ data and threatening to publish it unless a ransom is paid.

• The group uses a variant of Phobos ransomware, a Ransomware-as-a-Service (RaaS) model.

• Victims: Over 1,000 organizations worldwide.

• Estimated ransom profits: At least $16 million.

Legal Consequences for the Arrested Individuals

📌 U.S. extradition request - They face charges of wire fraud and conspiracy to commit cybercrime.
📌 Swiss extradition request - They allegedly attacked 17 Swiss companies, laundering ransom payments through cryptocurrency mixing services.

Why This Matters

✅ Tactical win for law enforcement - Cybercriminals can no longer travel freely without fearing arrest.
✅ Will this stop 8Base? The Phobos ransomware family is still active, meaning new operators could step in.
✅ 8Base victims may still be at risk - Stolen data may be resurfacing on other leak sites.

Chinese Hackers Exploiting Unpatched Cisco Devices

A Chinese state-sponsored hacking group, Salt Typhoon (aka RedMike), has been exploiting unpatched Cisco routers belonging to telecommunications providers and universities worldwide.

How the Attack Worked

• Target: Internet-facing Cisco network devices.

• Vulnerability: Allowed attackers to gain elevated privileges and alter device configurations.

• Goal: Likely cyber-espionage and persistent access for long-term surveillance.

The Bigger Problem is Unpatched Critical Infrastructure

🚨 Unpatched, internet-facing network devices are a prime target for hackers.
🚨 Telnet-enabled Cisco routers remain shockingly common, making remote exploitation easier.

Who’s Responsible?

📌 Many of the affected organizations failed to patch their routers, despite known vulnerabilities.
📌 This represents a “standard duty of care” failure—large enterprises must prioritize security updates.

How to Protect Your Network

✔ Patch immediately: Keeping Cisco devices up to date is non-negotiable.
✔ Lock down remote access: Disable Telnet and enable SSH-only administration.
✔ Deploy network monitoring: Watch for unauthorized configuration changes.

Why It Matters

📌 This isn’t just about Cisco—every organization with internet-facing network appliances should take this as a warning.
📌 Nation-state actors are getting more aggressive, and defenders need to step up their game.

Without the community partners, hacklido wouldn't be where it is now, So we would like to thank them.

• Cyber Security News

• Sysxplore

If you wish to Sponsor / Partner with hacklido and get benefitted? Reach out to us via maalolan@hacklido.com / discord / telegram group / Author’s LinkedIn to discuss with us!

TL;DR

This week, tech security took some major hits. Researchers discovered that abandoned AWS storage buckets could’ve led to one of the biggest cyberattacks ever, Microsoft had to fix a huge facial recognition flaw, and the EU officially banned AI practices that cross ethical lines (think social scoring and real-time biometric tracking). The takeaway? Tech is advancing fast, but security and regulation are still playing catch-up.

Hackers Could’ve Stolen the Internet for $420

Imagine waking up to find out that some random person has taken control of your entire software update system. Your network is now downloading fake updates, your security has been completely bypassed, and worst of all—you don’t even know it’s happening. That’s exactly the kind of catastrophe that nearly unfolded in the cloud.

Cybersecurity researchers at Watchtowr Labs discovered that over 150 abandoned AWS S3 buckets—essentially cloud storage lockers used by companies, software providers, and government agencies—were still actively receiving update requests. These buckets were once critical for deploying software updates, distributing security patches, and managing cloud infrastructure, but when the original owners stopped using them, nobody shut down the pipelines still feeding into them.

So what did the researchers do? They bought these abandoned buckets for just $420.85 and sat back as 8 million requests flooded in over two months. These weren’t just random pings—requests were coming from:

• Government agencies (yep, state secrets could’ve been at risk)

• Military networks (national security, anyone?)

• Financial institutions (nothing to worry about—just your bank’s security updates!)

• Fortune 500 companies (hello, corporate espionage)

• Universities, casinos, and cybersecurity firms (basically, the entire internet)

If cybercriminals had gotten there first, they could’ve hijacked these requests to send out malicious updates—installing malware, stealing sensitive data, or launching large-scale cyberattacks. Experts say this could’ve been worse than SolarWinds, the 2020 attack that compromised U.S. government agencies and major companies.

AWS has since sinkholed the affected buckets to prevent attacks, but there’s still one major problem: Amazon allows old bucket names to be reused. That means this isn’t just a one-time fluke—it’s an ongoing risk.

🔍 The takeaway: If your company ever shuts down an AWS bucket, make sure its name can’t be reused—otherwise, someone else might pick it up, along with all your sensitive traffic.

The EU Just Declared War on Creepy AI

Artificial intelligence has been advancing at breakneck speed, but who’s keeping it in check? In Europe, the answer is now the law.

The EU AI Act, which officially took effect in August 2024, just reached its first major enforcement milestone: banning AI practices deemed “unacceptably risky.” The goal? To prevent AI from crossing ethical and societal red lines.

What’s now 100% illegal in the EU?
🚫 Social scoring—No, governments can’t rate you based on your behavior like in a Black Mirror episode.
🚫 Predicting crime based on appearance—Because profiling people before they commit a crime is some real dystopian nonsense.
🚫 Emotion detection in workplaces and schools—Your boss won’t be able to track how “engaged” you look during meetings.
🚫 Real-time biometric tracking in public spaces—Law enforcement can’t just scan crowds and build facial recognition databases without consent.
🚫 Manipulating people subliminally—AI ads can be creepy, but they can’t hijack your subconscious.

Companies that break these rules? They’re looking at fines of up to €35 million or 7% of global revenue (whichever hurts more).

The law is already making waves. Some companies are rethinking their AI strategies, while others argue the regulations are too broad and will be difficult to enforce. Tech leaders are also watching closely—if this law influences regulations in the U.S. or elsewhere, it could change the way AI is developed globally.

📌 What this means for you: The AI industry just hit a regulatory speed bump, but for consumers, this could be a win—especially if you’re tired of AI being used in ways that feel more like sci-fi horror than progress.

Microsoft’s Facial Recognition Flaw Could’ve Been a Hacker’s Dream

Facial recognition technology is supposed to be the gold standard for security—after all, your face is unique, right? Well, Microsoft just learned the hard way that uniqueness doesn’t mean invincibility.

The company recently patched a CVSS 9.9 vulnerability (for context, 10 is the worst possible score) in its Azure AI Face Service, a tool used for:
✔️ Verifying identity (think airport check-ins or secure logins)
✔️ Detecting “liveness” (making sure a real person is present, not a photo or deepfake)
✔️ Redacting faces in media (for privacy protection)

The flaw allowed attackers to bypass authentication and gain unauthorized access to sensitive data. That’s the cybersecurity equivalent of finding out that your house’s high-tech fingerprint lock opens for literally anyone.

Microsoft insists there’s no evidence that hackers exploited the flaw before it was patched, but security experts aren’t convinced. Given how valuable facial recognition data is, this kind of vulnerability could have been a gold mine for cybercriminals.

🔍 The lesson here? AI-powered security isn’t foolproof—and if your company relies on facial recognition, you should be asking:
❓ How is my provider handling deepfake threats?
❓ What security measures are in place to prevent future exploits?
❓ What happens if facial recognition gets bypassed?

With AI-driven authentication becoming the norm, these aren’t just theoretical questions—they’re the difference between security and disaster.

Without the community partners, hacklido wouldn't be where it is now, So we would like to thank them.

• Cyber Security News

• Sysxplore

If you wish to Sponsor / Partner with hacklido and get benefitted? Reach out to us via maalolan@hacklido.com / discord / telegram group / Author’s LinkedIn to discuss with us!

TL;DR

China’s DeepSeek R1 AI model launched with strong reasoning abilities but zero security guardrails, letting researchers easily jailbreak it for ransomware development and misinformation, all while sending user data to Chinese servers. Meanwhile, Texas-based ENGlobal suffered a ransomware attack that shut down critical systems for six weeks, highlighting the growing impact of prolonged cyber incidents. Over in the UK, the National Cyber Security Centre (NCSC) is cracking down on “unforgivable” software vulnerabilities, calling for vendors to eliminate preventable security flaws. AI risks, ransomware resilience, and software accountability—the cybersecurity landscape is heating up fast.

DeepSeek R1: The Open-Source AI That Talks... Maybe Too Much

When DeepSeek R1 launched on January 20, it was supposed to be China’s answer to OpenAI’s models—an affordable, powerful, and open-source chatbot with enhanced reasoning capabilities. But while the model is impressive in its ability to "think out loud" (aka time test scaling), it’s proving just as impressive at leaking sensitive information and generating illegal content.

Security researchers wasted no time jailbreaking DeepSeek R1, finding that it eagerly offered instructions on making explosives, creating ransomware, and even dishing out personal details of OpenAI employees—though the info turned out to be false. Still, the fact that it even attempted such a response is a major red flag. If that wasn’t enough, DeepSeek’s data collection policies reveal that anything typed into the chatbot is stored and processed on servers in China, making it a potential goldmine for state surveillance under China’s National Intelligence Law.

Adding to the chaos, on January 27, DeepSeek announced a “large-scale malicious attack” had forced them to limit new signups. While it sounds like a DDoS attack, some speculate it could just be an overwhelming flood of users rushing to test the controversial AI. After all, OpenAI experienced similar outages when ChatGPT first launched. Either way, the platform is struggling to keep up with demand—and security concerns are mounting.

What This Means for You:

• If you care about privacy, know that DeepSeek R1 collects a lot more than just your prompts. Your chat history, device info, and even keystroke patterns could be stored indefinitely.

• If you're using AI models in your company, make sure they align with your organization’s data security policies—especially when the servers are in a country with strict government oversight.

• Open-source AI models are great for transparency—but also great for attackers looking to exploit vulnerabilities. DeepSeek is proof that security needs to be a top priority, not an afterthought.

Would you trust an AI model that accidentally doxes people and gives out bomb-making tips? Yeah, me neither.

ENGlobal’s Ransomware Nightmare: Six Weeks of Silence

Imagine your company gets hit with ransomware. Your critical systems are locked down for six weeks. Your financial and operational reporting tools are useless. And worst of all? You have no idea who has access to sensitive personal data.

That’s exactly what happened to ENGlobal, a Texas-based engineering and automation company that provides services to major U.S. federal agencies and private firms. On January 28, the company revealed in an SEC filing that a ransomware attack in November 2024 had crippled their operations. For a month and a half, they had no access to key systems—and yet, they claim the attack will have “no material impact” on their business.

Really? Because security experts aren’t buying it.

Why This Attack Matters:

• Ransomware recovery is taking longer than ever. A recent study found that the average recovery time is 132 hours (over 17 workdays)—and that 58% of companies hit by ransomware are forced to shut down some or all of their operations.

• Reputation damage > regulatory fines. Even if ENGlobal avoids hefty penalties, trust is harder to repair than a compromised server.

• Delayed breach notifications help the attackers, not the victims. The company still hasn’t disclosed who was affected or the full extent of the data breach—leaving potential victims in the dark.

One cybersecurity expert put it bluntly: If your systems can be offline for six weeks without "material impact," maybe they weren’t essential to begin with.

Lesson learned? Ransomware attacks aren’t just about data theft anymore—they’re about business survival. If your organization still doesn’t have a tested recovery plan, now’s the time to make one.

The UK Declares War on "Unforgivable" Software Bugs

Software developers, take note: The UK’s National Cyber Security Centre (NCSC) is officially done with vendors who ship insecure-by-design products.

In a new report, the agency proposes a system to classify security flaws as "forgivable" or "unforgivable", depending on how easy they are to prevent. The idea is simple: Some vulnerabilities should never make it into production—ever.

These “unforgivable” bugs include things like:

• Lack of input validation (which allows hackers to inject malicious code)

• Poor privilege separation (making it easier for attackers to escalate access)

• Not sandboxing risky processes (letting a simple breach become catastrophic)

The key takeaway? If a security flaw is well-known, easy to fix, and still present in a product, it's not an accident—it's negligence.

Why This Matters:

• Software vulnerabilities are getting worse, not better. Despite decades of warnings, many developers still prioritize speed and features over security.

• Companies that buy insecure software are just as responsible. If businesses keep purchasing products with major security flaws, vendors will never feel pressured to change.

• Regulations may be next. If the tech industry won’t clean up its act, expect governments to step in with legal consequences—just like we do for defective consumer products.

If we can ban TikTok over national security concerns, maybe it’s time to ban software with "unforgivable" security holes. Just a thought.

Without the community partners, hacklido wouldn't be where it is now, So we would like to thank them.

• Cyber Security News

• Sysxplore

If you wish to Sponsor / Partner with hacklido and get benefitted? Reach out to us via maalolan@hacklido.com / discord / telegram group / Author’s LinkedIn to discuss with us!

TL;DR

Microsoft’s AI Red Team shared insights on securing generative AI systems, emphasizing the need for technical expertise and human insight, while raising questions about evolving practices, cultural diversity, and standardization. Meanwhile, the Department of Homeland Security disbanded the Cyber Safety Review Board (CSRB), halting investigations like the Salt Typhoon breach, sparking concerns about weakened cybersecurity oversight. CISA and the FBI updated their "Product Security Bad Practices" guide, focusing on addressing hardcoded credentials, SQL injection, memory safety, and phishing-resistant MFA. Additionally, a cd00r malware variant targeting Juniper routers uses memory-resident tactics and “magic packets,” while a vulnerability in 7-Zip’s handling of nested archives bypasses the Mark of the Web (MotW), necessitating immediate updates to version 24.09.

Microsoft AI Red Teamers Share Takeaways

Microsoft’s AI Red Team (AIRT) has shared insights from their extensive testing of generative AI products. Their findings emphasize that securing AI systems is an ongoing challenge, necessitating a blend of technical expertise and human insight. The team highlighted that while some attack techniques may appear straightforward, they require a nuanced understanding of both technology and human behavior. This reveals a broader truth about cybersecurity: as systems grow more complex, so too must our approaches to securing them.

AIRT looks ahead to three "open questions":

1. How will operators keep practices current and probe for new dangers as LLM purposes and capabilities continue to evolve?

2. How can AI red teamers apply and incorporate multilingual and culturally-diverse expertise?

3. How can AI red teaming practices and communication move toward standardization?

DHS Fires Advisory Committees, Including Cyber Safety Board (CSRB)

The Department of Homeland Security (DHS) issued an internal memo on January 20, 2025, terminating all advisory committee positions, including the Cyber Safety Review Board (CSRB). This decision has halted CSRB’s investigation into critical incidents such as the Salt Typhoon breach in 2024, where a Chinese state-sponsored hacking group targeted US telecommunications networks. Since its establishment in 2022 by President Biden’s executive order, the CSRB has studied incidents like the Log4Shell vulnerability, the Lapsus$ group attacks, and the Microsoft Exchange breach.

The CSRB's role mirrored the National Transportation Safety Board (NTSB) in aviation, aiming to investigate major cyber incidents and recommend preventive measures. Critics argue that dissolving the board compromises national cybersecurity efforts, as the CSRB provided actionable insights into systemic vulnerabilities. However, others suggest its tangible impact on policy and security improvements has been limited. Moving forward, the challenge will be ensuring such investigations are continued effectively by Congress or other entities.

Revisions to Product Security Bad Practices

CISA and the FBI have released an updated version (2.0) of the "Product Security Bad Practices" guide. This revision incorporates feedback from 78 public comments collected since October 2024. The updated document addresses security gaps in software development and operational environments. Key technical updates include:

• Expanded Examples: Highlighting risks of hardcoded credentials and outdated or insecure cryptographic functions.

• Injection Prevention: Enhanced guidance for mitigating SQL injection and command injection vulnerabilities.

• Known Exploited Vulnerabilities (KEVs): Stricter recommendations for prioritizing KEV patching.

• Phishing-Resistant MFA: Mandates for manufacturers to adopt phishing-resistant multi-factor authentication in both IT and operational technology (OT) environments.

• Memory Safety: Greater emphasis on using memory-safe programming languages to prevent common vulnerabilities like buffer overflows.

cd00r Variant Targets Juniper Enterprise Routers

A sophisticated variant of the cd00r backdoor malware is targeting Juniper enterprise routers, exploiting their high uptime and critical network positioning. This attack uses a "magic packet" in TCP traffic to trigger a response from the infected device. After receiving the packet, the backdoor initiates a secondary challenge before establishing a reverse shell connection to the attacker's specified IP and port.

Key observations from Black Lotus Labs include:

• Memory-Resident Malware: The backdoor exclusively resides in memory, reducing the likelihood of detection.

• Targets: The campaign impacted sectors such as manufacturing, energy, and IT, where routers often serve as VPN gateways or network edge devices.

• Recommendations: Organizations should review logs, monitor for unusual TCP traffic, and apply software updates to affected devices. Periodic rebooting of routers is advised to disrupt memory-resident malware.

Patch 7-Zip Archiver Against MotW Bypass

The open-source 7-Zip archive software has been found vulnerable to a Mark of the Web (MotW) bypass. MotW is a Windows security feature that flags files downloaded from the internet as untrusted, prompting additional security checks. In 7-Zip versions prior to 24.09, this mechanism fails when processing nested archive files. Specifically:

• Files extracted from a nested archive lose the Zone.Identifier data stream, bypassing MotW safeguards.

• Exploitation can enable attackers to execute arbitrary code in the context of the current user.

Technical mitigation includes:

• Update Software: Users must manually update to 7-Zip version 24.09 or later, as the software does not update automatically.

• Fake Installers: Users should verify downloads from official sources to avoid malware disguised as legitimate updates.

Without the community partners, hacklido wouldn't be where it is now, So we would like to thank them.

• Cyber Security News

• Sysxplore

If you wish to Sponsor / Partner with hacklido and get benefitted? Reach out to us via email@hacklido.com / discord / telegram group / Author’s LinkedIn to discuss with us!