There is no excerpt because this is a protected post.

February 19, 2025 - Malwarebytes now protects ARM-based Windows devices, such as Microsoft’s Surface Pro X and Lenovo’s Yoga laptops.

February 19, 2025 - Google is allowing its advertizing customers to fingerprint website visitors. Can you stop it?

February 19, 2025 - Info stealers are thriving on Mac, with one specific variant accounting for 70% of all info stealer detections at the end of 2024.

February 18, 2025 - A flea market buyer found medical information about hundreds of patients on second hand decommissioned hard drives.

February 17, 2025 - A list of topics we covered in the week of February 10 to February 16 of 2025

 Protected: zQA Content Editing Styles 

### Summary
If there are two overlapping policies for the `update` action that allow access to different fields, instead of correctly checking access permissions against the item they apply for the user is allowed to update the superset of fields allowed by any of the policies. 

E.g. have one policy allowing update access to `field_a` if the `id == 1` and one policy allowing update access to `field_b` if the `id == 2`. The user with both these policies is allowed to update both `field_a` and `field_b` for the items with ids `1` and `2`. 

### Details
Before v11, if a user was allowed to update an item they were allowed to update the fields that the single permission, that applied to that item, listed. With overlapping permissions this isn't as clear cut anymore and the union of fields might not be the fields the user is allowed to update for that specific item.

The solution that this PR introduces is to evaluate the permissions for each field that the user tries to update in the validateItemAccess DB query, instead of only verifying access to the item as a whole. This is done by, instead of returning the actual field value, returning a flag that indicates if the user has access to that field. This uses the same case/when mechanism that is used for stripping out non permitted field that is at the core of the permissions engine.

As a result, for every item that the access is validated for, the expected result is an item that has either 1 or null for all the "requested" fields instead of any of the actual field values. These results are not useful for anything other than verifying the field level access permissions.

The final check in validateItemAccess can either fail if the number of items does not match the number of items the access is checked for (ie. the user does not have access to the item at all) or if not all of the passed in fields have access permissions for any of the returned items.

### Impact
This is a vulnerability that allows update access to unintended fields, potentially impacting the password field for user accounts.

**Summary**

If there are two overlapping policies for the update action that allow access to different fields, instead of correctly checking access permissions against the item they apply for the user is allowed to update the superset of fields allowed by any of the policies.

E.g. have one policy allowing update access to field_a if the id == 1 and one policy allowing update access to field_b if the id == 2. The user with both these policies is allowed to update both field_a and field_b for the items with ids 1 and 2.

**Details**

Before v11, if a user was allowed to update an item they were allowed to update the fields that the single permission, that applied to that item, listed. With overlapping permissions this isn't as clear cut anymore and the union of fields might not be the fields the user is allowed to update for that specific item.

The solution that this PR introduces is to evaluate the permissions for each field that the user tries to update in the validateItemAccess DB query, instead of only verifying access to the item as a whole. This is done by, instead of returning the actual field value, returning a flag that indicates if the user has access to that field. This uses the same case/when mechanism that is used for stripping out non permitted field that is at the core of the permissions engine.

As a result, for every item that the access is validated for, the expected result is an item that has either 1 or null for all the "requested" fields instead of any of the actual field values. These results are not useful for anything other than verifying the field level access permissions.

The final check in validateItemAccess can either fail if the number of items does not match the number of items the access is checked for (ie. the user does not have access to the item at all) or if not all of the passed in fields have access permissions for any of the returned items.

**Impact**

This is a vulnerability that allows update access to unintended fields, potentially impacting the password field for user accounts.

**References**

*   GHSA-99vm-5v2h-h6r6
*   directus/directus@a7ea677

GHSA-99vm-5v2h-h6r6: Directus allows updates to non-allowed fields due to overlapping policies

Cary, North Carolina, 19th February 2025, CyberNewsWire

**Cary, North Carolina, February 19th, 2025, CyberNewsWire**

2025 marks a time of unprecedented volatility in the technology job market. On one hand, dependence on technology is soaring. The growth of AI and machine learning is propelling a surge in new technologies, tactics, and ideas.

At the same time, organizations are trying to adapt to the changing dynamic. This has led to more job uncertainty, which the technology sector usually avoids. This year alone, roughly 7,000 jobs have been cut across dozens of tech giants, fueling growing concerns among industry professionals. 

As the technology job market weathers this volatility, INE Security, a global leader in networking and cybersecurity training, is highlighting its commitment to equipping IT professionals with the skills they need to thrive. INE focuses on practical training, certifications, and preparation. This helps networking and cybersecurity professionals succeed in a changing job market.

> “Continuous learning and adaptation are more important than ever for individuals hoping to succeed in their networking and cybersecurity career,” said Dara Warn, CEO of INE Security. “It is vital that professionals maintain a continuous cycle of learning. Training gives learners the knowledge and skills they need to succeed. Hands-on practice helps them understand tasks better. Certifications show that they have learned well and prove their skill mastery.”

**Key Benefits of INE’s Training and Certification Programs:**

*   **Enhanced Employability:** Executives, supervisors, and HR professionals are completely aligned in considering industry or professional certifications the most compelling during the hiring process, according to the Society for Human Resource Management (SHRM). 
*   **Practical Experience:** The human element was involved in 68% of cybersecurity breaches in 2023 (Verizon’s 2024 Data Breach Investigations Report). Practical, hands-on experience and industry-recognized certifications validate the skills needed to minimize this risk. 
*   **Flexible Learning Paths:** From foundational courses to advanced certifications, learners can tailor their education to career goals and market needs.

> “With every technological advancement, the skill sets required to manage, secure, and innovate within these systems evolve,” added Warn. “INE Security’s commitment to updating our course materials and labs ensures that our students are always at the forefront of the industry. Our focus is on making them indispensable in their current roles and highly attractive to prospective employers. INE’s training programs are more than just skill-building—they are career lifelines for professionals affected by market disruptions. ”

For more information about how INE can help you stabilize your cybersecurity and networking career goals, users can visit www.ine.com.

For a limited time, access INE Security training and certifications for up to 50% off, including eJPT, eMAPT, eCTHP, eCIR, eCDFP, and ICCA. Bundle certifications with Premium training and save even more. 

**About INE Security**

INE Security is the premier provider of online networking and cybersecurity training and certification.

Harnessing a powerful hands-on lab platform, cutting-edge technology, a global video distribution network, and world-class instructors, INE Security is the top training choice for Fortune 500 companies worldwide for red-team and blue-team security training in business and for IT professionals looking to advance their careers. INE Security’s suite of learning paths offers an incomparable depth of expertise across cybersecurity and is committed to delivering advanced technical training while also lowering the barriers worldwide for those looking to enter and excel in an IT career.

**Contact**

**Kathryn Brown**  
**INE Security**  
**\[email protected\]**

INE Security’s Cybersecurity and IT Training Enhances Career Stability in Tech

Malwarebytes now protects ARM-based Windows devices, such as Microsoft’s Surface Pro X and Lenovo’s Yoga laptops.

For the last four years, Malwarebytes has been protecting ARM-based machines running on Apple’s M-series processors. Now, we’ve expanded our protection range to include ARM-based Windows machines such as Copilot+ PCs, including Microsoft Surface Pro, Lenovo Yoga Slim and ThinkPad, and Dell Inspiron, among others. 

ARM-based chips offer advantages such as improved performance, longer battery life, lower costs, and advanced features like on-device AI processing. 

And with ARM processors gaining popularity in the PC market—projections suggest that they could have 25% market share by 2027—there is no doubt that malware creators will expand their reach into this area. 

Malwarebytes helps you get ahead of these threats. With active protection layers that defend against system vulnerabilities, malicious links, and more, Malwarebytes has you covered across your devices. 

**Where can I get it?** 

Go to the Malwarebytes website and hit the Free Download button to try it yourself, or click the button below. Our installer will automatically detect if you have an ARM device.

We recommend Windows 11 or higher for this installation, because Windows 11 has been optimized to run on ARM processors.

 Malwarebytes introduces native ARM support for Windows devices  

Info stealers are thriving on Mac, with one specific variant accounting for 70% of all info stealer detections at the end of 2024.

The latest, major threats to Mac computers can steal passwords and credit card details with delicate precision, targeting victims across the internet based on their device, location, and operating system.

These are the dangers of “infostealers,” which have long plagued Windows devices but, in the past two years, have become a serious threat for Mac owners. And in 2024, one malicious program in particular is responsible for the lion’s share of infostealer activity—racking up 70% of known infostealer detections on Mac.

These findings come from the 2025 State of Malware report. While many of the threats detailed in the report target companies and businesses, this latest wave of infostealers makes no distinction between Mac computers in an office and Mac computers at home. Unlike ransomware, which is deployed against large businesses that cybercriminals hope can pay hefty ransoms, infostealers can deliver illicit gains no matter the target.

With the right cybersecurity practices, everyday Mac users can stay safe from these emerging threats.

****The threat of infostealers****

“Infostealers” are a type of malware that do exactly as they say—they steal information from people’s devices. But the variety of information that these pieces of malware can steal makes them particularly dangerous.

With stolen credit card details, hackers can attempt fraudulent purchases online. With stolen passwords, the impact is even broader; hackers could wire funds from a breached online banking account into their own, or masquerade as someone on social media to ask friends and family for money. Some infostealers don’t even require an additional step—they can take cryptocurrency directly from a victim’s online accounts. 

But there is another threat to infostealers that comes from their recent history. They are wildly adaptable.

In 2016, Malwarebytes first discovered an infostealer called TrickBot that, when implanted on a person’s device, would steal online banking credentials. But over time, the developers behind TrickBot began adding alarming new features, including the capabilities to steal Outlook credentials, disable Windows Defender, and even to download and deliver additional, separate malware onto infected devices.

By 2018, TrickBot was the largest threat to businesses.

Now, in 2025, another infostealer is raising red flags all across cyberspace, and this time, it isn’t interested in Windows devices.

****The next Mac malware****

Malware is “malicious software,” and just like legitimate software, malware has to be developed for specific operating systems. That means that, for instance, ransomware that works on a Windows laptop doesn’t automatically work on a Mac laptop, and likewise, a phishing app developed for Android devices doesn’t work on iPhones.

For years, then, a great deal of malware activity has focused on Windows devices. The common cybercriminal calculus was that, if there were more Windows users in the world, there was more reason to target those users with cyberattacks.

During this time, most Mac threats were bothersome pieces of malware that would hijack a victim’s web browser to deliver annoying ads and wayward links. But as Mac computers have become standard within businesses—and as demand for Windows computers has waned—cybercriminals have readjusted their thinking.

In 2023, a new infostealer on Mac called Atomic Stealer (AMOS) made its debut, and since its launch, it has not only showcased new features—much like TrickBot—it has also been gussied up with some of the markings of a legitimate business.  

For instance, AMOS can be “licensed” out to other cybercriminals, much like how genuine companies offer their own software for a monthly subscription price. For AMOS, that price was initially $1,000 a month, and with that access, cybercriminals didn’t just buy a productivity tool or communications app, they bought access to an information stealer that can crack into Mac computers to steal a variety of sensitive information.

By January 2024, AMOS had increased its price to $3,000 a month. The developers ran a holiday promotion—seriously—and even released an AMOS update that would better obfuscate the infostealer from being detected by cybersecurity software.

But in the world of cybercrime, malware _features_ only mean so much. Another important piece of cybercrime is getting malware _onto_ a device to begin with. And in 2023, malware delivery evolved hand-in-hand with Mac infostealers.

Rather than trying to deliver malware through clumsy email attachments, cybercriminals have recently turned to “malicious advertising” or “malvertising.” This means that cybercriminals will create bogus versions of websites that will rank highly during regular Google searches, tempting victims into clicking the first, ad-supported link they see online, and unknowingly reaching a website controlled entirely by cybercriminals.

On these websites, cybercriminals advertise a piece of high-demand software and trick users into a download. But instead of receiving the desired software, victims receive, in these cases, infostealers.

This one-two punch of malvertising and advanced infostealers paved the way last year for the next, big Mac threat, called Poseidon.

As we warned in the State of Malware report:

> “Poseidon boasts that it can steal cryptocurrency from over 160 different wallets, and passwords from web browsers, the Bitwarden and KeePassXC password managers, the FileZilla file transfer app, and VPN configurations including Fortinet and OpenVPN.”

Poseidon is the most active infostealer on Mac today, and it accounted for 70% of all infostealer detections on Mac in the final months of 2024, an impressive feat considering the malware barely launched last summer.

Interestingly, Poseidon is just another “fork” of AMOS, meaning that another hacker took AMOS, built upon it, and released it in the wild. Already, Malwarebytes has uncovered consumer-targeted campaigns to infect Mac owners with Poseidon, including a malvertising website disguising Poseidon behind a download for a buzzy new web browser called Arc.

Poseidon represents a sea change in Mac malware, and with the type of advanced targeting that cybercriminals can achieve through malvertising—hackers can target malicious ads based on a potential victim’s location, operating system, software, and search terms—Mac users must be on watch.

****How to stay safe****

In 2025, Mac users don’t need to just watch out for infostealers. They also have to watch out for malvertising in general, as cybercriminals use the malware delivery method for all sorts of threats online.

Here’s how you can stay safe:

*   Use cybersecurity software that offers always-on protection against Mac malware including infostealers, adware, and the rare instances of ransomware.
*   Use Malwarebytes Browser Guard to securely browse the web and to be notified when visiting known, malicious websites that are in control of cybercriminals.
*   Beware the first, ad-supported result on Google searches and other search engines. Cybercriminals have successfully placed their own, malicious ads in these top rankings to trick victims into downloading malware.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Macs targeted by infostealers in new era of cyberthreats 

The campaign heavily uses Dropbox folders and PowerShell scripts to evade detection and quickly scrapped infrastructure components after researchers began poking around.

North Korea-linked threat groups are increasingly using living-off-the-land (LotL) techniques and trusted services to evade detection, with a recent Kimsuky campaign showcasing the use of PowerShell scripts and storing data in Dropbox folders, along with improved operational security.

In the campaign, dubbed "DEEP#DRIVE" by security firm Securonix, the threat group used fake work logs, insurance documents, and crypto-related files to convince users to download and run a zipped shortcut file that gathers system configuration information and then executes PowerShell and .NET scripts. The attack tools upload the system data to Dropbox folders and then download additional commands and capabilities for further compromise.

While the attackers showed some interest in quick financial wins — such as targeting cryptocurrency users — for the most part, the threat group focused on stealing sensitive data from South Korean government agencies and businesses, says Tim Peck, a senior threat researcher at Securonix.

"We observed evidence of both espionage and financial motivation, though leaning more toward espionage," he says. "This aligns with Kimsuky's historical targeting of South Korean government agencies, enterprises, and strategic industries."

North Korean cyber-operations groups have consistently targeted South Korea and the US, with South Korean government agencies and companies among the most popular targets. In September 2024, the FBI warned that North Korean groups planned to launch a surge of attacks against organizations with significant cryptocurrency reserves, and Kimsuky launched a similar multistage attack against South Korean targets last year.

**A Prolific Group**

Kimsuky isn't monolithic, but has five threat groups that have overlap with what other companies consider to be the same group, says threat intelligence firm Recorded Future. One group tends to focus on the healthcare and hospitality sectors, for example, while another focuses on cryptocurrency markets.

By mid-2023, Kimsuky became the most prolific North Korean group. (More recent data not available.) Source: Recorded Future's "North Korea's Cyber Strategy" report

The Kimsuky groups accounted for the most attacks identified as North Korean in origin between 2021 and 2023, according to Recorded Future's "North Korea Cyber Strategy" report. In 2024, the groups continued to account for a high volume of attacks, says Mitch Haszard, senior threat intelligence analyst with Recorded Future.

"These groups conduct high volume phishing campaigns, primarily targeting individuals and organizations in South Korea, while occasionally targeting entities in other countries," he says. "In the activity we see, these groups appear to be going for volume, rather than more time-consuming, tailored spear-phishing operations."

Other well known North Korean groups, such as Lazarus and Andariel, are not as prolific as the Kimsuky threat actors. While some of those groups are more focused on gathering sensitive information, nearly all also have a financial motivation.

**Thousands of Victims?**

In the DEEP#DRIVE campaign, following the compromise of a system, the Kimsuky group's attack scripts upload data on the system configuration to one of several Dropbox folders. While the Securonix researchers were not able to gather intelligence from all the suspected Dropbox locations, they uncovered signs of more than 8,000 configuration files, although some appear to be duplicates, Peck says.

While that means they likely came from the same victim organizations, the campaign appears to be quite successful, he says.

"There were two factors which contributed to the 'uniqueness' of the configuration file, the username, and IP address," Peck says. "Some usernames were associated with dozens of similar IP addresses, which could indicate lateral movement by the attacker — \[that is\], infecting dozens of machines from the same entity."

The data from a compromised system includes the host IP address, the system uptime, details about the OS type and version, any installed security software, and a list of running processes.

**Kimsuky Improves Its OpSec**

The campaign also highlighted North Korean cyber-operations groups' improvements to operational security. The group used OAuth-based authentication on its Dropbox folders, preventing traditional URL-blocking or network-based defenses from following the links. The threat actors also quickly took down components of their infrastructure soon after the Securonix researchers began investigating, Securonix's Peck says.

"This level of operational awareness is not always present in phishing-driven malware campaigns," he says.

For companies, the threat group's tactics underscore that the hidden file extensions should be disabled, shortcut files should be blocked from executing in user folders, and only signed PowerShell scripts be allowed to execute. Those three countermeasures make the attackers' activity much easier to detect, Peck says.

In addition, companies in targeted industries — such as cryptocurrency exchanges and government agencies — should bolster their email security and regularly train employees on how to spot phishing threats, says Recorded Future's Haszard.

"Most North Korean cyberattacks still start with social engineering and a phish," he says. "Companies should ensure that they have an email security solution in place and regularly train employees on phishing threats, as well as conduct simulated phishing tests."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

North Korea's Kimsuky Taps Trusted Platforms to Attack South Korea

A flea market buyer found medical information about hundreds of patients on second hand decommissioned hard drives.

Somebody bought a batch of 15 GB hard drives from a flea market, and during a routine check of the contents they found medical data about hundreds of patients.

After some more investigation in the Netherlands, it turned out the data came from a software provider in the medical industry which had gone bankrupt.

Under Dutch law, storage media with medical data must be professionally erased with certification. The normal procedure is to have them destroyed by a professional company, but that costs money and by selling the hard drives off the company would have brought in a small amount of cash.

This incident reminded me of two important security measures that we sometimes overlook.

The first is obvious. Computers are very bad at “forgetting” things. When you delete a file, the system doesn’t actually remove the file from your hard drive. Only the location of the file is set to “unused” so it may be overwritten at some point, but it often can be recovered. So you need to be careful how you decommission your old hard drives or any devices that have data on them.

One method is to overwrite the present data with zeroes or random numbers. There are several levels of overwriting hard drives:

*   **Single-pass overwrite**: Writing zeros or random data once across the entire disk is often sufficient for traditional hard drives.
*   **Multi-pass overwriting**: More secure methods involve multiple passes (e.g., 3-pass or 7-pass), which can further reduce the chance of data recovery.
*   **NIST 800-88 method**: A recognized standard that includes overwriting with random data followed by zeros and verification. This is the type of method we would like to see when it comes to sensitive data like medical information.

Some modern drives come with a **secure erase** command embedded in the firmware, but you need special software to execute the command, and it may require several rounds of overwrite.

Users that have a Windows computer with UEFI can use the secure erase option in their computer’s BIOS or UEFI settings. The exact steps depend on your computer’s manufacturer and model. Unless you’re afraid of law enforcement or a very skilled attacker that should be enough. For computers pre-dating UEFI you will need specialized software. To find out whether your computer has UEFI:

*   Right-click the Start button
*   Select Run
*   Type msinfo32 and press OK
*   Click System Summary
*   Scroll down to the BIOS Mode value to check whether it says UEFI  
      
    

Non-SSD drives can be degaussed, a method which uses a strong magnetic field to disrupt the magnetic storage on traditional hard drives. However, it is ineffective for SSDs and flash storage.

Which leaves physical destruction as the last option. The usual method to do this, called shredding, involves cutting up hard drives into small pieces and then burning them in an incinerator or shredding machine to destroy their magnetic properties.

The second security measure that is important is to have your data removed from publicly available records. In the Dutch case it’s remarkable and painful that such a company would have this type of information stored on their drives. First of all, the software provider had no right to store this information. Secondly, even with a legitimate reason to store them, the date should have been encrypted, and of course the hard drives should have been decommissioned responsibly.

Depending on the type of information and the origin it seems unlikely that someone would consider to ask for removal of the data. After all, often it’s important that medical information is shared among care providers.

On the other hand, there is a ton of information about everyone in publicly accessible places that we can keep under control by using data removal services. Using a data removal service increases online anonymity, which makes it harder for stalkers, phishers, other attackers, or advertisers to find personal details.

 Hard drives containing sensitive medical data found in flea market 

Microsoft is warning the modular and potentially wormable Apple-focused infostealer boasts new capabilities for obfuscation, persistence, and infection, and could lead to a supply chain attack.

Source: Africa Studio via Alamy Stock Photo

Attackers are wielding a new variant of one of the biggest threats to the macOS platform, malware called XCSSET, Microsoft is warning. The fresh version has so far been seen in a handful of attacks targeting Apple developers, but its reach could grow much longer in the coming weeks.

XCSSET can read and dump data from Safari browsers; inject JavaScript backdoors into websites; steal information from the victim's Skype, Telegram, WeChat, Notes, and other apps; take screenshots; encrypt files; and exfiltrate data to attacker-controlled systems. The new variant — which features enhanced obfuscation methods, updated persistence mechanisms, and new infection strategies — is the first known update to the malware since 2022, Microsoft Threat Intelligence revealed in a post on X this week.

"These enhanced features add to this malware family's previously known capabilities, like targeting digital wallets, collecting data from the Notes app, and exfiltrating system information and files," according to the post.

Researchers at Trend Micro first discovered XCSSET in 2020 when investigating a security incident related to Xcode developer projects; the malware in the past has targeted software developers by exploiting vulnerabilities and then infecting their projects, using this as a means to spread. If one of the infected projects is downloaded and built by another developer, XCSSET also infects their projects, which could in turn be downloaded by others. This gives the malware wormable capability, and the potential for a broader supply chain attack.

**Significant Enhancements to macOS Malware**

The variant appears to be a significant update to the modular malware, with various new features that make it easier for attackers to spread XCSSET and also obscure their malicious activities.

Enhanced obfuscation methods present in XCSSET use "a significantly more randomized approach for generating payloads to infect Xcode projects," randomizing both its encoding technique and a number of encoding iterations, according to Microsoft.

And while older XCSSET variants only used xxd (hexdump) for encoding, the latest one also incorporates Base64 and obfuscates module names. This makes it more challenging to determine the intent of the malware's modules, Microsoft said.

Its operators also have outfitted the variant with two distinct new persistence mechanisms: the "zshrc" method and the "dock" method. In the former method, the malware creates a file named ~/.zshrc\_aliases that contains the payload, according to Microsoft. "It then appends a command in the ~/.zshrc file to ensure that the created file is launched every time a new shell session is initiated, guaranteeing the malware's persistence across shell sessions," according to the post.

The dock method involves downloading a signed dockutil tool from a command-and-control (C2) server to manage the dock items, and then creating a fake Launchpad application, replacing the legitimate Launchpad's path entry in the dock with this fake one.

"This ensures that every time the Launchpad is started from the dock, both the legitimate Launchpad and the malicious payload are executed," according to Microsoft.

The variant also employs new infection methods that determine where the payload is placed in Xcode projects. The method is chosen from one of the following options: TARGET, RULE, or FORCED\_STRATEGY, while an additional method involves placing the payload inside the TARGET\_DEVICE\_FAMILY key under build settings and running it at a later phase.

**Advice for macOS Cyber Defenders**

Though traditionally not a target for threat actors, the macOS platform has become increasingly more at risk to malware and other security threats in recent years, mainly due to Apple's growing market share in a shrinking PC market.

To avoid downloading Xcode projects infected with XCSSET, Microsoft recommends that developers and users "always inspect and verify any Xcode projects downloaded or cloned from repositories" that potentially will spread the malware.

"They should also only install apps from trusted sources, such as a software platform’s official app store," according to Microsoft.

Users of Microsoft Defender for Endpoint on Mac should be protected against XCSSET, including its new variant, the company added, because it can detect all currently known versions of the malware.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Microsoft: New Variant of macOS Threat XCSSET Spotted in the Wild

Two critical OpenSSH vulnerabilities discovered! Qualys TRU finds client and server flaws (CVE-2025-26465 & CVE-2025-26466) enabling MITM and…

Two critical OpenSSH vulnerabilities discovered! Qualys TRU finds client and server flaws (CVE-2025-26465 & CVE-2025-26466) enabling MITM and DoS. Upgrade to 9.9p2 now to protect your systems.

Qualys Threat Research Unit (TRU) has discovered two security weaknesses in OpenSSH, a widely used tool across various operating systems for secure remote login, file transfers, and other critical functions. 

The first vulnerability, identified as CVE-2025-26465, exposes the OpenSSH client to machine-in-the-middle attacks. This flaw “allows an active machine-in-the-middle attack on the OpenSSH client when the VerifyHostKeyDNS option is enabled” and set or ‘yes’ or ‘ask,’ the blog post read.

Further probing revealed that this vulnerability exists regardless of the VerifyHostKeyDNS setting and does not require any user interaction or specific DNS records. It was introduced in OpenSSH version 6.8p1 and affects versions up to 9.9p1.

Moreover, this flaw allows an attacker to impersonate a legitimate server, potentially compromising the integrity of the SSH connection and enabling data interception or manipulation. This can lead to compromised SSH sessions, allowing hackers to view or manipulate sensitive data, move across critical servers, and exfiltrate valuable information. It is worth noting that while VerifyHostKeyDNS is typically disabled, it was enabled by default on FreeBSD systems for nearly a decade, increasing the potential impact of this flaw.

The second vulnerability, tracked as CVE-2025-26466, affects both the OpenSSH client and server. This flaw allows a pre-authentication denial-of-service attack, consuming excessive memory and CPU resources.  This can lead to system outages and prevent legitimate users, including administrators, from accessing critical servers. Repeated exploitation can lead to prolonged outages and server management issues, potentially affecting an enterprise’s operations and maintenance tasks.  

This vulnerability was introduced more recently, in OpenSSH version 9.5p1, and also affects versions up to 9.9p1. Fortunately, several existing OpenSSH server configurations, such as LoginGraceTime, MaxStartups, and PerSourcePenalties, can mitigate this denial-of-service attack.

The Qualys TRU responsibly disclosed these vulnerabilities to the OpenSSH developers, and a fix is available in OpenSSH version 9.9p2. Users and administrators must immediately upgrade to this latest version to protect their systems from these newly identified threats. Any delay could leave systems vulnerable to data breaches, unauthorized access, and denial-of-service attacks, potentially disrupting operations and leading to dangerous consequences.

It must be noted that OpenSSH has faced security challenges in the past, such as Hackread.com reporting the regreSSHion vulnerability (CVE-2024-6387) also discovered by Qualys in 2024. This flaw could have allowed unauthenticated remote code execution with root privileges on Linux systems using glibc, emphasizing the need for thorough testing and potential regressions in security-sensitive software. 

These flaws in OpenSSH highlight that even widely trusted and well-maintained software like OpenSSH can be susceptible to vulnerabilities, making regular software updates, monitoring for suspicious activity, and implementing security best practices essential to protect systems.

Critical OpenSSH Vulnerabilities Expose Users to MITM and DoS Attacks

Two security vulnerabilities have been discovered in the OpenSSH secure networking utility suite that, if successfully exploited, could result in an active machine-in-the-middle (MitM) and a denial-of-service (DoS) attack, respectively, under certain conditions.
The vulnerabilities, detailed by the Qualys Threat Research Unit (TRU), are listed below -

CVE-2025-26465 - The OpenSSH client

Tag

#mac