Specops 2025 Breached Password Report reveals over 1 billion passwords stolen by malware in the past year, exposing…

Specops 2025 Breached Password Report reveals over 1 billion passwords stolen by malware in the past year, exposing weak practices, malware trends, and security gaps.

Cybersecurity researchers at Specops are delivering a global wake-up call over a major password-related issue: over 1 billion **passwords** were stolen by malware in the past year. According to Specops Software’s 2025 Specops Breached Password Report shared with Hackread.com ahead of its publishing on Tuesday, millions of stolen passwords met standard complexity requirements. The report also highlights the prevalence of malware stolen credentials, with over a billion found in the last 12 months.

The Report’s Key Findings:

*   Despite meeting common complexity requirements (length, uppercase, numbers, symbols), 230 million stolen passwords were still compromised.

*   Common weak passwords like “123456” and “admin” continue to plague systems, revealing a significant gap in user awareness and education.

*   Common base terms like “qwerty,” “guest,” and “student” are frequently used as password foundations.

*   **Redline, Vidar, and Raccoon Stealer** emerged as the top three credential-stealing malware, demonstrating the sophistication and persistence of these threats. These sophisticated malware strains actively target and steal credentials from various sources, including web browsers, email clients, and even VPN clients. Check out Hackread.com’s detailed analysis of these malware **here**.

*   The “malware-as-a-service” model, where cybercriminals rent out these tools, has increased the accessibility and availability of these powerful attack vector.

The **report** highlights the ongoing struggle which unsuspecting users and organizations face in addressing weak password practices, with end users still creating short, weak passwords despite knowing the risks.

Via Specops

Users often employ the same or slightly modified passwords across multiple accounts, including work, personal, and online services, which is a risky practice as reusing work passwords on personal devices and less secure platforms significantly increases the potential for compromise. A single breach on a less secure platform can compromise access to sensitive corporate systems, including Active Directory and **VPNs**.

Moreover, **stolen credentials** provide attackers with direct access to valuable data, including personal information, financial records, and corporate secrets. These credentials can be used to launch further attacks, such as phishing campaigns and more sophisticated breaches, enabling attackers to gain deeper access to organizational systems.  

> _“The amount of passwords being stolen by malware should be a concern for organizations. Even if your organization’s password policy is strong and meets compliance standards, this won’t protect passwords from being stolen by malware.”_
> 
> Darren James, Senior Product Manager – Specops Software.

Considering these dangerous implications, security experts recommend organizations implement stronger password policies and regularly scan Active Directory for compromised passwords for immediate remediation. Educating users about weak passwords, and staying updated on threats and vulnerabilities to defend against emerging attacks is essential. Lastly, implement Multi-Factor Authentication (MFA) to add an extra layer of security beyond passwords.

1.  **Google Makes Passkeys Default for All Users**
2.  **Why Browser Security Matters More Than You Think**
3.  **Are We on the Brink of Saying Goodbye to Passwords?**
4.  **Pop Culture Passwords Most Likely to Get You Hacked**
5.  **Nissan source code leaked, it used “admin” as username, password**

Redline, Vidar and Raccoon Malware Stole 1 Billion Passwords in 2024

## Summary
HashiCorp’s go-slug library is vulnerable to a zip-slip style attack when a non-existing user-provided path is extracted from the tar entry. This vulnerability, identified as CVE-2025-0377, is fixed in go-slug 0.16.3.

## Background
HashiCorp’s go-slug shared library offers functions for packing and unpacking Terraform Enterprise compatible slugs. Slugs are gzip compressed tar files containing Terraform configuration files.

## Details
When go-slug performs an extraction, the filename/extraction path is taken from the tar entry via the header.Name. It was discovered that the unpacking step improperly validated paths, potentially leading to path traversal, allowing an attacker to write an arbitrary file during extraction.

## Remediation
Consumers of the go-slug shared library should evaluate the risk associated with this issue in the context of their go-slug usage and upgrade go-slug to 0.16.3 or later.

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2025-0377

**HashiCorp go-slug Vulnerable to Zip Slip Attack**

High severity GitHub Reviewed Published Jan 21, 2025 to the GitHub Advisory Database • Updated Jan 21, 2025

**Package**

gomod github.com/hashicorp/go-slug (Go)

**Affected versions**

< 0.16.3

**Summary**

HashiCorp’s go-slug library is vulnerable to a zip-slip style attack when a non-existing user-provided path is extracted from the tar entry. This vulnerability, identified as CVE-2025-0377, is fixed in go-slug 0.16.3.

**Background**

HashiCorp’s go-slug shared library offers functions for packing and unpacking Terraform Enterprise compatible slugs. Slugs are gzip compressed tar files containing Terraform configuration files.

**Details**

When go-slug performs an extraction, the filename/extraction path is taken from the tar entry via the header.Name. It was discovered that the unpacking step improperly validated paths, potentially leading to path traversal, allowing an attacker to write an arbitrary file during extraction.

**Remediation**

Consumers of the go-slug shared library should evaluate the risk associated with this issue in the context of their go-slug usage and upgrade go-slug to 0.16.3 or later.

**References**

*   https://nvd.nist.gov/vuln/detail/CVE-2025-0377
*   https://discuss.hashicorp.com/t/hcsec-2025-01-hashicorp-go-slug-vulnerable-to-zip-slip-attack

Published to the GitHub Advisory Database

Jan 21, 2025

Last updated

Jan 21, 2025

GHSA-wpfp-cm49-9m9q: HashiCorp go-slug Vulnerable to Zip Slip Attack

Two separate campaigns are targeting flaws in various IoT devices globally, with the goal of compromising them and propagating malware worldwide.

Source: Aleksey Funtap via Alamy Stock Photo

Separate spinoffs of the infamous Mirai botnet are responsible for a fresh wave of distributed denial-of-service (DDoS) attacks globally. One is exploiting specific vulnerabilities in Internet of Things (IoT) devices to establish "expansive" botnet networks, while the other has been targeting organizations in North America, Europe, and Asia with DDoS attacks since the end of 2024, researchers have found.

An ongoing operation within Mirai dubbed "Murdoc\_Botnet" (which began in July and has more than 1,300 active IPs) is targeting Avtech cameras and Huawei HG532 routers, researchers from Qualys revealed in a report posted today.

The researchers uncovered more than 100 distinct sets of servers associated with the Murdoc botnet, "each tasked with deciphering its activities and establishing communication with one of the compromised IPs implicated in this ongoing campaign," Qualys lead security researcher Shilpesh Trivedi wrote in the post.

Meanwhile, a botnet that comprises malware variants derived from both Mirai and Bashlite is exploiting security flaws and weak credentials in IoT devices in DDoS attacks spanning the globe, according to separate research from Trend Micro. "The malware infiltrates the device by exploiting RCE vulnerabilities or weak passwords, then executes a download script on the infected host," the researchers said.

Related:Email Bombing, 'Vishing' Tactics Abound in Microsoft 365 Attacks

The two campaigns demonstrate the ongoing impact of Mirai, a botnet that has spawned myriad variants since its source code was leaked in 2016 and which remains a significant security threat 10+ years after first appearing on the cyberattack scene.

**Murdoc Botnet Exploits Specific Flaws**

The Murdoc botnet delivering Mirai malware uses existing exploits, including CVE-2024-7029 and CVE-2017-17215, to download next-stage payloads. The former is an Avtech camera flaw that allows for commands to be injected over the network and executed without authentication, while the latter is a remote code execution (RCE) flaw found in Huawei routers.

Most of the IP addresses associated with the Murdoc botnet campaign are found in Malaysia, followed by Thailand, Mexico, and Indonesia.

Qualys researchers discovered more than 500 samples containing ELF files and shell script files associated with the Murdoc botnet. Each shell script "is loaded onto devices such as IP cameras, Network devices, and IoT devices, and, in turn, the C2 server loads the new variant of Mirai botnet, i.e., Murdoc\_Botnet, into the devices," Trivedi wrote in the post.

**An Expansive DDoS Campaign Targets US**

Related:DONOT Group Deploys Malicious Android Apps in India

Meanwhile, researchers at Trend Micro initially detected "large-scale" DDoS botnet attacks against Japanese organizations, including major corporations and banks, starting at the end of 2024, but then tracked the activity to a larger global campaign. Organizations in the US were most affected by the attacks, followed by companies in Bahrain, Poland, and Spain, among various other countries.

The primary devices targeted in the attacks have been wireless routers and IP cameras from well-known brands, including TP-Link and Zyxel routers, and Hikvision IP cameras. As with the Murdoc botnet activity, cyberattackers here targeted flaws in the devices to compromise them, but they also used weak passwords to gain access.

In terms of attack vector, the researchers found two different types of DDoS attacks related to the activity, they said. One type overloads the network by sending a large number of packets, while the other exhausts server resources by establishing a large number of sessions.

"In addition, we observed two or more commands used in combination, making it possible that both network overload attacks and server resource exhaustion attacks occur simultaneously," according to the post.

**How to Defend Against DDoS Cyberattacks**

Related:Russian APT Phishes Kazakh Gov't for Strategic Intel

With Mirai variants continuing to spawn new botnets for mounting new and widespread DDoS attacks, it's important that organizations can identify and protect their networks from floods of unwanted traffic, the researchers said.

Qualys researchers recommended that organizations regularly monitor the suspicious processes, events, and network traffic spawned by the execution of any untrusted binary/scripts, as well as exercise caution in executing shell scripts from unknown and untrusted sources.

Meanwhile, Trend Micro analysts recommended different mitigation efforts for the two types of DDoS attacks that they observed. For attacks that flood the network with packets, the researchers recommended organizations use a firewall or router to block specific IP addresses or protocols and restrict traffic; collaborate with communication service providers to filter DDoS traffic at the backbone or edge of the network; and strengthen router hardware to increase the number of packets that can be processed.

For attacks that exhaust resources by establishing a large number of sessions, Trend Micro recommended that organizations limit the number of requests that can be sent by a specific IP address within a certain period of time; use third-party services to separate attack traffic and process clean traffic; and perform real-time monitoring and block IP addresses with a high number of connections, among other mitigations and preventions.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Mirai Botnet Spinoffs Unleash Global Wave of DDoS Attacks

Over the past few years, decentralised finance (DeFi) has revolutionised the financial sector. DeFi introduced transparent, permissionless and…

Over the past few years, decentralised finance (DeFi) has revolutionised the financial sector. DeFi introduced transparent, permissionless and efficient payment systems, streamlining international transactions. However, this growth has been accompanied by a rise in security challenges and there have been several notable incidents over the years.

DeFi exchanges have become prime targets for hackers, leading to billions of dollars in losses in recent years. Amidst this turbulent landscape, PARSIQ’s Reactive Network emerges as a promising solution to safeguard DeFi ecosystems. With its innovative cross-chain capability, upcoming mainnet launch and the introduction of the REACT token, Reactive Network is setting the stage for a more secure DeFi future.

****The Escalating Threat of DeFi Exchange Hacks****

The frequency of DeFi hacks has increased tremendously in recent years. This poses a significant threat to the industry. According to Immunify, security breaches in DeFi exchanges accounted for $1.2 billion in financial losses in 2024 alone. Alarmingly, breaches in centralised finance (CeFi) platforms saw a staggering 984% increase in 2024, as reported by BeInCrypto. This trend highlights the vulnerabilities that exist across both centralised and decentralised financial platforms.

High-profile attacks illustrate the scale and sophistication of these exploits. For example, the $625 million Ronin Network hack from 2022 is a stark reminder of the risks associated with weak security protocols. Similarly, the $100 million breach of Atomic Wallet just a year later highlights the vulnerabilities in wallet services. These incidents underscore the urgent need for advanced security measures to protect user funds, maintain trust in DeFi and promote growth in the coming days.

****Introducing Reactive Network: The Future of DeFi Security****

PARSIQ’s Reactive Network is a groundbreaking innovation and the platform has achieved significant milestones in its mission to revolutionise blockchain security. Last year, the platform launched its testnet, providing developers with tools to build more secure and efficient decentralised applications (dApps). In the coming months, PARSIQ plans to launch the Reactive Network mainnet along with the REACT token.

At the core of the Reactive Network lies the concept of Inversion of Control (IoC). This technology empowers smart contracts to operate autonomously, responding dynamically to events across connected blockchains. With Reactive Smart Contracts (RSCs), users can experience seamless and secure cross-chain transactions without manual intervention. This innovation not only simplifies workflow but also enhances overall network security. 

****Enhanced Security Protocols****

Reactive Network’s architecture addresses common vulnerabilities that have traditionally plagued DeFi exchanges. By tackling issues like reentrancy attacks and oracle manipulation, the platform offers robust protection against sophisticated hacking techniques. Automated incident response strategies further strengthen the network’s defence, ensuring timely threat detection and mitigation.

****Autonomous Smart Contract Functionality****

One of Reactive Network’s standout features is its ability to autonomously monitor and respond to suspicious activities. This reduces reliance on manual intervention, minimising human error, which is a major contributing factor in security breaches.

****Cross-Chain Interoperability****

In a DeFi landscape where interoperability is essential, the Reactive Network ensures secure and efficient cross-chain transactions. This minimises the risks associated with bridge exploits, which is a common entry point for attackers. This empowers users to transact across multiple blockchains with confidence, knowing that their assets are protected 24/7.

****The Future of Secure DeFi Exchanges****

As DeFi continues to grow, the need for robust security solutions becomes increasingly critical. Reactive Network stands at the forefront of this evolution, offering advanced tools and technologies to protect users and platforms alike.

The highly anticipated Reactive Network mainnet launch promises enhanced features and capabilities over the testnet. Developers and businesses are preparing to leverage the platform’s tools to create secure, scalable and efficient dApps. The introduction of the REACT token alongside the mainnet launch will further enrich the Reactive Network ecosystem.

The token will play a crucial role in transaction processing and network governance, incentivising participation and fostering a vibrant community. With its carefully designed tokenomics, REACT aims to align the interests of all stakeholders, ensuring long-term growth and sustainability. Additionally, existing PRQ token holders can seamlessly 1:1 swap them for the REACT tokens.

By addressing the common challenges and vulnerabilities plaguing the industry, Reactive Network is paving the way for a safer and more reliable DeFi ecosystem. Developers, businesses and investors can consider exploring the capabilities of Reactive Network by engaging with the testnet and preparing for the mainnet launch.

With the REACT token set to revolutionise transaction and governance processes, now is the time to join this innovative ecosystem. Stay tuned to the official Reactive Network blog and developer documentation to learn more and take the first step toward a more secure DeFi future.

1.  **6 of the Best Crypto Bug Bounty Programs**
2.  **We Need Smarter Smart Contracts To Prevent DeFi Hacks**
3.  **Top 5 Platforms for Identifying Smart Contract Vulnerabilities** 
4.  **Enhancing Blockchain Randomness To Eliminate Trust Issues**
5.  **5 Ways Smart Contracts Are Making A Real-World Difference**

PARSIQ’s Reactive Network Provides Solution for DeFi Exchange Vulnerabilities

This article explores the recent campaign of Murdoc_Botnet, a malware variant of Mirai targeting vulnerable AVTECH and Huawei…

This article explores the recent campaign of Murdoc\_Botnet, a malware variant of Mirai targeting vulnerable AVTECH and Huawei devices. The Qualys Threat Research team discovered this ongoing campaign in July 2024.

The Qualys Threat Research Unit has discovered a live campaign for the Mirai botnet, which began in July 2024 and deploys a new botnet called Murdoc\_Botnet. It is a large-scale operation within the Mirai campaign, exploiting vulnerabilities targeting AVTECH Cameras and Huawei HG532 routers. 

The attackers utilized ELF and shell script execution to deploy the Murdoc\_Botnet botnet sample. This technique leverages existing vulnerabilities (CVE-2024-7029, CVE-2017-17215) to download the next-stage payloads. The research began with the discovery and analysis of Murdoc\_Botnet binaries used for DDOS activities. Using Qualys EDR, threat intelligence data, and open-source intelligence (OSINT), the researchers were able to attribute Murdoc\_Botnet as a Mirai variant.

The researchers discovered around 1300+ active IPs and 100+ distinct servers, each tasked with deciphering its activities and establishing communication with compromised IPs/servers. These servers facilitated the distribution of Mirai malware. These servers played a role in distributing the Mirai malware.

Further analysis revealed the presence of over 100 command-and-control servers tasked with establishing communication with infected devices. These servers also facilitated the distribution of Mirai malware.

As per Qualys Threat Research’s technical blog post, shared exclusively with Hackread.com ahead of its publishing, Murdoc\_Botnet targets \*nix systems, particularly vulnerable AVTECH and Huawei devices. The malware primarily uses bash scripts that leverage GTFOBins to fetch payloads, grant them execution permission using chmod, and then execute and remove them.

Moreover, it fetches the next-stage payloads using existing exploits. The infection process involves exploiting vulnerabilities to download shell scripts. These scripts are then executed on the compromised devices, which in turn download the new variant of Mirai botnet (Murdoc\_Botnet).

Malaysia, Thailand, Mexico, and Indonesia have been identified as the most affected countries in this campaign. To protect against Murdoc\_Botnet attacks, organizations should monitor suspicious processes, avoid executing shell scripts from untrusted sources, and keep systems and firmware updated with the latest patches. These measures can significantly reduce the risk of infection from Murdoc\_Botnet and Mirai variants.

1.  **Mirai botnet exploiting Azure OMIGOD vulnerabilities**
2.  **Mirai-like Botnet Targets Zyxel NAS Devices in Europe**
3.  **Mirai-Inspired Gorilla Botnet Hits Devices in 100 Countries**
4.  **Androxgh0st Botnet Hits IoT Devices with 27 Vulnerabilities**
5.  **Tiny Mantis Launch More Powerful DDoS Attacks Than Mirai**

New Mirai Variant Murdoc_Botnet Launches DDoS Attacks via IoT Exploits

Set for release in March, Cisco AI Defense will provide algorithmic red teaming of large language models with technology that came over as part of the Robust Intelligence acquisition last year.

Source: Andriy Popov via Alamy Stock Photo

Cisco is expanding its cloud security platform with new technology that will let developers detect and mitigate vulnerabilities in artificial intelligence (AI) applications and their underlying models.

The new Cisco AI Defense offering, introduced Jan. 15, is also designed to prevent data leakage by employees who use services like ChatGPT, Anthropic, and Copilot. The networking giant already offers AI Defense to early-access customers and plans to release it for general availability in March.

AI Defense is integrated with Cisco Secure Access, the revamped secure service edge (SSE) cloud security portfolio that Cisco launched last year. The software-as-a-service offering includes zero-trust network access, VPN-as-a-service, a secure Web gateway, cloud access security broker, firewall-as-a-service, and digital experience monitoring.

Administrators can view the AI Defense dashboard in the Cisco Cloud Control interface, which hosts all of Cisco's cloud security offerings.

**Gaps in AI Capabilities**

AI Defense is intended to help organizations that are concerned about the security risks associated with AI but are under pressure to implement the technology into their business processes, said Jeetu Patel, Cisco's chief product officer and executive VP, at the launch event.

"You need to have the right level of speed and velocity to keep innovating in this world, but you also need to make sure that you have safety," Patel said. "These are not trade-offs that you want to have. You want to make sure that you have both."

According to Cisco's 2024 AI Readiness Survey, 71% of respondents don't believe they are fully equipped to prevent unauthorized tampering of AI within their organizations. Further, 67% said they have a limited understanding of the threats specific to machine learning. Patel said AI Defense addresses these issues.

"Cisco AI Defense is a product which is a common substrate of safety and security that can be applied across any model, that can be applied across any agent, any application, in any cloud," he said.

**Model Validation at Scale**

Cisco AI Defense is primarily targeted at enterprise AppSecOps organizations. It allows developers to validate AI models before applications and agents are deployed into production.

Patel noted that the challenge with AI models is that they are constantly changing with new data added to them, which changes the behavior of the applications and agents.

"If models are changing continuously, your validation process also has to be continuous," he said.

Seeking a way to offer the equivalent of red teaming, Cisco last year acquired Robust Intelligence, a startup founded in 2019 by Harvard researchers Yaron Singer and Kojin Oshiba, and the core component of AI Defense. The Robust Intelligence Platform uses algorithmic red teaming to scan for vulnerabilities, along with a mechanism Robust Intelligence created called Tree of Attacks with Pruning, an AI-based method of using automation to systematically jailbreak large language models (LLMs).

According to Patel, Cisco AI Defense uses detection models from generative AI (GenAI) platform provider Scale AI and threat intelligence telemetry from Cisco's Talos and its recently acquired Splunk to continuously validate the models and automatically recommend guardrails. Further, he noted that Cisco designed AI Defense to distribute those guardrails through the network fabric.

"This essentially allows us to deliver a purpose-built model and data for going out, allowing us to validate if a model is going to work as per expectations or if it's going to surprise us," said Patel, adding that it typically takes most organizations seven to 10 weeks to validate a model. "We can do it within 30 seconds because this is completely automated," he said.

**An Industry-First?**

Analysts believe Cisco is the first major player to launch technology that can address automated model verification at that scale.

"I don't know anyone else who's done anything close to this," says Frank Dickson, group VP for IDC's security and trust research practice. "I've heard people doing what we might call an LLM firewall, but it's not as intricate and complex as this. The ability to do this kind of automated pen testing in 30 seconds looks pretty slick."

Scott Crawford, research director for the 451 Research Information Security channel with S&P Global Market Intelligence, agrees, noting that a variety of large vendors are approaching security for GenAI in different ways.

"But in Cisco's case, it made the first acquisition of a startup with this focus with its pickup of Robust Intelligence, which is at the heart of this initiative," Crawford says. "There are a range of other startups in this space, any of which could be an acquisition target in this emerging field, but this was the first such acquisition by a major enterprise IT vendor."

Addressing AI security will be a major concern this year, given the rise in attacks against vulnerable models, Crawford says.

"We have already seen examples of LLM exploits, and experts have considered the ways in which it can be manipulated and attacked," he says.

Such incidents, often described as LLMjacking, are waged by exploiting vulnerabilities with prompt injections, supply chain attacks, and data and model poisoning. One notable LLMjacking attack was discovered last year by the Sysdig Threat Research Team, which observed stolen cloud credentials targeting 10 cloud-hosted LLMs. In that incident, the attackers accessed credentials from a system running a vulnerable version of Laravel (CVE-2021-3129).

**About the Author**

Contributing Writer

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

Cisco Previews AI Defenses to Cloud Security Platform

Even as the rule book changes, the profession of the CISO remains unchanged: protecting the organization in a world of constant, continually evolving threats.

Source: filmfoto via Alamy Stock Photo

COMMENTARY  
In the high-stakes world of cybersecurity, the ground is shifting beneath the feet of those charged with protecting our digital infrastructure. First came the new Securities and Exchange Commission (SEC) rules and lawsuits related to cybersecurity. More recently, a US Supreme Court ruling promises to reshape the regulatory landscape, compelling federal officials to rethink their approach to cyber governance.  

Yet amid this whirlwind of change that has descended on the industry, it's critical for chief information security officers (CISOs) to remain steadfast and not be deterred — or discouraged — by this shift.  

Therefore, my message, drawn from decades in the security field, resonates with the stiff-upper-lip slogan of Britain in the run-up to World War II: Keep calm and carry on.  

**A Regulatory Tsunami**

The SEC's rules went into effect last December. Under the new rules, public companies must report any cyber incidents within four business days of determining that it was a material event. The SEC also requires that public companies disclose their strategies for handling cybersecurity risks.  

Those in the security world apprehensive about these anticipated changes became downright frightened when the SEC — even before its new rules went into effect — sued a company, SolarWinds, that had been going so far as to single out its CISO in its filings. Just weeks before its new cybersecurity laws were set to go into effect, the agency was sending a clear message to the country's CISOs: Complacency is no longer an option.  

When in July a federal judge dismissed most of the SEC's case against SolarWinds and its CISO, you could almost hear the sigh of relief among security professionals across the land.

But the judge simply confirmed what those of us in the cybersecurity field already understood: Holding a CISO personally liable for a cyberattack won't make systems more secure. While security professionals play a critical role in protecting a company, they cannot do so effectively without the collaboration and support of others. CISOs often have only partial visibility into an organization's attack surface. That, of course, is a serious impediment to conducting a complete risk assessment.  

To be clear, legislation can play a role in helping CISOs enhance an organization's defenses. The Food and Drug Administration's (FDA's) implementation of cybersecurity requirements for medical devices illustrates this well. Those regulations empowered CISOs to join the conversation and secure the resources needed to safeguard additional areas of their organizations. 

The SEC's newest ruling provides a similar opportunity — and long overdue change — for today's CISOs to be more involved in an organization's fuller set of technology decisions. 

**A Collective Responsibility **

At their core, CISOs are truth sayers — akin to an internal audit committee that assesses risks and makes recommendations to improve an organization's defenses and internal controls.  

Ultimately, though, it's the board and a company's top executives who set policy and decide what to disclose in public filings. CISOs can and should be a counselor for this group effort because they have the understanding of security risk. And yet, the advice they can offer is limited if they don't have full visibility into an organization's technology stack. 

"Many oversee a company's IT system, but not the products the company sells. That's crucial when it comes to data-dependent systems and devices that can provide network-access targets to cyber criminals. Those might include medical devices, or sensors and other Internet of Things endpoints used in manufacturing lines, electric grids, and other critical physical infrastructure.  

In short: A company's defenses are only as strong as the board and its top executives allow it to be. 

And if there is a breach, as in the case of SolarWinds? CISOs do not determine the materiality of a cybersecurity incident; a company's top executives and its board make that call. The CISO's responsibilities in that scenario involves responding to the incident and conducting the follow-up forensics required to help minimize or avoid future incidents.  

Even before the SEC got involved, though, liability was an underlying concern among security officers. Those whose job it is to protect our data systems invariably feel responsible when something goes wrong, whatever a federal agency might say.  

Ours is a business in which thwarting a bad actor 99 times will not make any difference if an intruder manages to breach defenses on the 100th try. That's the burden that comes with the CISO title, and that's why I've always recommended — long before the SEC's new transparency rules — that a CISO understand the complex threat landscape as well as the evolving regulatory environment.  

**The Chevron Decision: A New Layer of Complexity**

For cybersecurity professionals, the legal move potentially more significant than the dismissal of the SolarWinds suit was the Supreme Court's decision in June to reverse the so-called Chevron doctrine. The Chevron doctrine, established by a previous case in 1984, required the courts to defer to a federal agency's reasonable interpretation of ambiguous statutes.  

Now, the wisdom of agencies — whether the SEC or other bodies — is no longer assumed. The overturning of this decades-old Chevron precedent has created uncertainty around the enforcement of cybersecurity regulations, making it even potentially harder for CISOs to navigate the regulatory landscape.  

Even as the rule book may be in flux, though, the professional mission of the CISO remains unchanged: protecting their organization in a world of constant, continually evolving threats. That requires clear thinking and the ability to keep one's head amid chaos. 

In other words: Keep calm and carry on. 

**About the Author**

Nozomi Networks Advisory Board Member

Marene Allison is the former vice president and chief information security officer (CISO) for Johnson & Johnson, where she was responsible for protecting the company’s IT and OT systems worldwide. She is a member of the Cybersecurity and Infrastructure Security Agency (CISA) Cybersecurity Advisory Committee and is a founding member of West Point Women, currently serving on its board of directors. In addition to serving as an adviser for Nozomi Networks, she served on the board of directors for H-ISAC (Health Information Sharing and Analysis Center) and ASIS International. Allison has received numerous awards, including being inducted into the CSO Hall of Fame in 2022 and named a 2023 Distinguished Graduate by the West Point Association of Graduates.

Why CISOs Must Think Clearly Amid Regulatory Chaos

Forget OSINT, AI-supported tool GeoSpy can determine a person's location based on their surroundings in a picture.

It’s just become even more important to be conscious about the pictures we post online.

GeoSpy is an Artificial Intelligence (AI) supported tool that can derive a person’s location by analyzing features in a photo like vegetation, buildings, and other landmarks. And it can do so in seconds based on one picture.

Graylark Technologies who makes GeoSpy says it’s been developed for government and law enforcement. But the investigative journalists from 404 Media report that the tool has also been used for months by members of the public, with many making videos marveling at the technology, and some asking for help with stalking specific women.

404 Media says the company trained GeoSpy on millions of images from around the world and can recognize distinct geographical markers such as architectural styles, soil characteristics, and their spatial relationships.

Using the tool to determine anyone’s location requires virtually no training, so anybody can do it. Normally, it would take open source intelligence (OSINT) professionals quite some time of training and experience to reach the level of speed and accuracy that GeoSpy delivers to an untrained individual.

This means that even the most non tech-savvy individual could find a person of interest based on pictures posted on social media, despite the fact that social media strips the metadata—which could include GPS coordinates or other useful information—from these pictures.

Based on its testing and conversations with users, 404 Media concluded:

> “GeoSpy could radically change what information can be learned from photos posted online, and by whom.”

Even if the tool is unable to narrow down the location to an exact street address or block, based on vegetation it can bring down the search area to a few square miles.

The company’s founder says he has pushed back against requests from people asking to track particular women. Now GeoSpy has closed off public access to the tool, after 404 Media asked him for a comment.

Aside from the contribution towards a surveillance society, the risks of such a tool are obvious. It poses several significant dangers, particularly concerning privacy, security, and potential abuse if a stalker can access it. Another worry concerns the security of the storage for the data that is used and found by this tool. When involved in a breach, a host of information could become available to cybercriminals.

**We don’t just report on threats – we help protect your social media**

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Malwarebytes Identity Theft Protection.

 AI tool GeoSpy analyzes images and identifies locations in seconds 

Cybersecurity researchers have warned of a new large-scale campaign that exploits security flaws in AVTECH IP cameras and Huawei HG532 routers to rope the devices into a Mirai botnet variant dubbed Murdoc_Botnet.
The ongoing activity "demonstrates enhanced capabilities, exploiting vulnerabilities to compromise devices and establish expansive botnet networks," Qualys security researcher Shilpesh

Mirai Variant Murdoc_Botnet Exploits AVTECH IP Cameras and Huawei Routers

Millions of devices, including home routers, VPN servers, and CDNs are vulnerable to exploitation due to critical flaws…

Millions of devices, including home routers, VPN servers, and CDNs are vulnerable to exploitation due to critical flaws in common tunnelling protocols like IPIP, GRE, and 6in4/4in6. Learn how these vulnerabilities can be exploited for malicious attacks and how to protect your devices.

New vulnerabilities in multiple tunnelling protocols (IPIP/IP6IP6, GRE/GRE6, 4in6, 6in4) have been discovered by Top10VPN in collaboration with security researcher Mathy Vanhoef. These vulnerabilities allow attackers to hijack affected internet hosts to perform anonymous attacks and gain unauthorized network access. 

A large-scale internet scan identified 4.2 million open tunnelling hosts. This includes critical infrastructure such as VPN servers, home routers, core internet routers, mobile network gateways, and even content delivery networks (CDNs) operated by major players like Facebook and Tencent. Vulnerable hosts can enable a range of attacks, including new DoS techniques and DNS spoofing. The identified vulnerabilities include CVE-2024-7595, CVE-2025-23018/23019, and CVE-2024-7596.

The most affected countries are China, France, Japan, the U.S., and Brazil. Over 11,000 autonomous systems (AS) have been impacted, with Softbank, Eircom, Telmex, and China Mobile being the most affected.

The vulnerabilities stem from many internet hosts accepting tunneling traffic without verifying the sender’s identity. This lack of authentication allows attackers to exploit these hosts as proxies for malicious activities. 

“These hosts accept unauthenticated tunneling traffic from any source. This means they can be abused as one-way proxies to perform a range of anonymous attacks. Vulnerable hosts can also potentially be abused to gain access to victims’ private networks,” Top10VPN’s researcher and report author Simon Migliano noted.

Specifically, attackers can manipulate these hosts to send traffic on their behalf, concealing their true origin and making it difficult to trace attacks back to them. In some cases, attackers might be able to exploit these vulnerabilities to gain access to private networks connected to the hijacked host.

Tunneling protocols, such as IPIP, GRE, and 6in4/4in6, play a crucial role in modern networking, enabling seamless communication across diverse networks. However, many devices utilizing these protocols lack proper authentication and encryption, leaving them vulnerable to exploitation. 

According to Top10VPN’s report, at least 1,365 vulnerable VPN servers were identified, including consumer VPNs, routers with remote access features, and business VPNs. AoxVPN, a service with over a million users, was among those with vulnerabilities.

Additionally, around 1,200 vulnerable dynamic DNS routers, primarily Synology models offering remote access via VPN Plus Server, were detected. And, 171 company VPN servers were exposed, mainly using the GRE protocol, belonging to businesses and organizations in 33 countries, with the United States, China, and Hong Kong being the most affected. Over 17% of vulnerable devices were Free ISP’s home routers in France, which accepted unauthenticated traffic.

Furthermore, researchers discovered novel attack methods, such as “Ping-pong Amplification” and “Tunneled-Temporal Lensing,” which leverage these vulnerabilities to launch powerful Denial-of-Service (DoS) attacks. These vulnerabilities can also amplify the impact of existing attacks, such as DNS spoofing, traditional amplification DoS attacks, off-path TCP hijacking, SYN floods, and certain WiFi attacks.

The research highlights the need for enhanced security measures in these protocols to mitigate risks and ensure the reliability of our interconnected world. Proactive measures, including regular security audits, software updates, and increased awareness among system administrators and end-users, are also important for identifying and patching vulnerable devices.

1.  **Millions of websites using CDNs at risk of CPDoS attack**
2.  **DNS Tunneling Used for Stealthy Scans and Email Tracking**
3.  **GoogleUserContent CDN Hosting Images Infected with Malware**
4.  **Fake GlobalProtect VPN Downloads Spread WikiLoader Malware**
5.  **Millions of Email Servers Exposed Due to Missing TLS Encryption**

Latest News