Security
Headlines
HeadlinesLatestCVEs

Tag

#mac

Scammers Are Creating Fake News Videos to Blackmail Victims

“Yahoo Boy” scammers are impersonating CNN and other news organizations to create videos that pressure victims into making blackmail payments.

Wired
#web#mac#sap
GamaCopy Mimics Gamaredon Tactics in Cyber Espionage Targeting Russian Entities

A previously unknown threat actor has been observed copying the tradecraft associated with the Kremlin-aligned Gamaredon hacking group in its cyber attacks targeting Russian-speaking entities. The campaign has been attributed to a threat cluster dubbed GamaCopy, which is assessed to share overlaps with another hacking group named Core Werewolf, also tracked as Awaken Likho and PseudoGamaredon.

Three privacy rules for 2025 (Lock and Code S06E02)

This week on the Lock and Code podcast, host David Ruiz shares three privacy rules for 2025, and they're all about taking back control.

MITRE's Latest ATT&CK Simulations Tackle Cloud Defenses

The MITRE framework's applied exercise provides defenders with critical feedback about how to detect and defend against common, but sophisticated, attacks.

GHSA-3wwr-3g9f-9gc7: ASTEVAL Allows Maliciously Crafted Format Strings Lead to Sandbox Escape

### Summary If an attacker can control the input to the `asteval` library, they can bypass asteval's restrictions and execute arbitrary Python code in the context of the application using the library. ### Details The vulnerability is rooted in how `asteval` performs handling of `FormattedValue` AST nodes. In particular, the [`on_formattedvalue`](https://github.com/lmfit/asteval/blob/cfb57f0beebe0dc0520a1fbabc35e66060c7ea71/asteval/asteval.py#L507) value uses the [dangerous format method of the str class](https://lucumr.pocoo.org/2016/12/29/careful-with-str-format/), as shown in the vulnerable code snippet below: ```py def on_formattedvalue(self, node): # ('value', 'conversion', 'format_spec') "formatting used in f-strings" val = self.run(node.value) fstring_converters = {115: str, 114: repr, 97: ascii} if node.conversion in fstring_converters: val = fstring_converters[node.conversion](val) fmt = '{__fstring__}' if node.f...

US Charges Five in North Korean IT Worker Hiring Scam

US prosecutors charged five, including North Koreans, for tricking firms into hiring fake IT workers, sending $866K+ to…

Hackers Use XWorm RAT to Exploit Script Kiddies, Pwning 18,000 Devices

Crooks pwning crooks – Hackers exploit script kiddies with XWorm RAT, compromising 18,000+ devices globally and stealing sensitive…

Seasoning email threats with hidden text salting

Hidden text salting is a simple yet effective technique for bypassing email parsers, confusing spam filters, and evading detection engines that rely on keywords. Cisco Talos has observed an increase in the number of email threats leveraging hidden text salting.

GHSA-vp47-9734-prjw: ASTEVAL Allows Malicious Tampering of Exposed AST Nodes Leads to Sandbox Escape

### Summary If an attacker can control the input to the asteval library, they can bypass its safety restrictions and execute arbitrary Python code within the application's context. ### Details The vulnerability is rooted in how `asteval` performs attribute access verification. In particular, the [`on_attribute`](https://github.com/lmfit/asteval/blob/8d7326df8015cf6a57506b1c2c167a1c3763e090/asteval/asteval.py#L565) node handler prevents access to attributes that are either present in the `UNSAFE_ATTRS` list or are formed by names starting and ending with `__`, as shown in the code snippet below: ```py def on_attribute(self, node): # ('value', 'attr', 'ctx') """Extract attribute.""" ctx = node.ctx.__class__ if ctx == ast.Store: msg = "attribute for storage: shouldn't be here!" self.raise_exception(node, exc=RuntimeError, msg=msg) sym = self.run(node.value) if ctx == ast.Del: return delattr(sym, node.at...