SQL injection vulnerability in Beijing Guoju Information Technology Co., Ltd JeecgBoot v.3.7.2 allows a remote attacker to obtain sensitive information via the getTotalData component.

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.

Attack complexity: More severe for the least complex attacks.

Privileges required: More severe if no privileges are required.

User interaction: More severe when no user interaction is required.

Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.

Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.

Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.

Availability: More severe when the loss of impacted component availability is highest.

GHSA-wfpm-qchc-6cf9: SQL injection in JeecgBoot

The ABB Cylon FLXeon BACnet controller is vulnerable to an authenticated JSON flooding attack, leading to uncontrolled resource consumption and a denial-of-service (DoS) condition. The /api/serialConfig endpoint allows an authenticated attacker to abuse an unrestricted loop to create a large number of JSON objects by sending specially crafted requests through the ports JSON array. This results in excessive memory and CPU usage, causing resource exhaustion and potential service failure.

Title: ABB Cylon FLXeon 9.3.4 (serialConfig.js) JSON Object Flooding DoS  
Advisory ID: ZSL-2025-5915  
Type: Local/Remote  
Impact: DoS  
Risk: (4/5)  
Release Date: 08.02.2025

**Summary**

BACnet® Smart Building Controllers. ABB's BACnet portfolio features a series of BACnet® IP and BACnet MS/TP field controllers for ASPECT® and INTEGRA™ building management solutions. ABB BACnet controllers are designed for intelligent control of HVAC equipment such as central plant, boilers, chillers, cooling towers, heat pump systems, air handling units (constant volume, variable air volume, and multi-zone), rooftop units, electrical systems such as lighting control, variable frequency drives and metering.

The FLXeon Controller Series uses BACnet/IP standards to deliver unprecedented connectivity and open integration for your building automation systems. It's scalable, and modular, allowing you to control a diverse range of HVAC functions.

**Description**

The ABB Cylon FLXeon BACnet controller is vulnerable to an authenticated JSON flooding attack, leading to uncontrolled resource consumption and a denial-of-service (DoS) condition. The /api/serialConfig endpoint allows an authenticated attacker to abuse an unrestricted loop to create a large number of JSON objects by sending specially crafted requests through the ports JSON array. This results in excessive memory and CPU usage, causing resource exhaustion and potential service failure.

**Vendor**

ABB Ltd. - https://www.global.abb

**Affected Version**

FLXeon Series (FBXi Series, FBTi Series, FBVi Series)  
CBX Series (FLX Series)  
CBT Series  
CBV Series  
Firmware: <=9.3.4

**Tested On**

Linux Kernel 5.4.27  
Linux Kernel 4.15.13  
NodeJS/8.4.0  
Express

**Vendor Status**

\[21.04.2024\] Vulnerability discovered.  
\[22.04.2024\] Vendor contacted.  
\[22.04.2024\] Vendor responds.  
\[02.05.2024\] Working with the vendor.  
\[20.01.2025\] Vendor releases version 9.3.5 to address this issue.  
\[08.02.2025\] Public security advisory released.

**PoC**

jdos.py

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

N/A

**Changelog**

\[08.02.2025\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

ABB Cylon FLXeon 9.3.4 (serialConfig.js) JSON Object Flooding DoS

Microsoft cybersecurity experts have identified a vulnerability flaw affecting ASP.NET applications, putting thousands of web servers at risk.…

Microsoft cybersecurity experts have identified a vulnerability flaw affecting ASP.NET applications, putting thousands of web servers at risk. The issue originates from developers using publicly available ASP.NET machine keys in their configurations; keys that hackers are now exploiting to execute ViewState code injection attacks.

A recent attack in December 2024 used this vulnerability to deliver Godzilla, a dangerous post-exploitation framework capable of executing commands, injecting shellcode, and maintaining persistent access to compromised servers. Microsoft warns that over 3,000 publicly disclosed machine keys could be weaponized for similar attacks.

****Why This Matters****

ASP.NET machine keys are meant to protect web applications by encrypting and validating ViewState data, ensuring that attackers cannot tamper with it. However, some developers have mistakenly copied these keys from online resources, unknowingly allowing hackers to generate and inject malicious ViewState data into their servers.

Once a hacker has access to the right machine key, they can craft a malicious payload and send it to a vulnerable website. The server, trusting the key, decrypts and executes the attacker’s code—leading to full remote code execution.

****What Happened in December 2024?****

An unidentified hacker took advantage of a publicly known ASP.NET machine key to deploy Godzilla, a post-exploitation tool that provides remote access to compromised servers. The attack began with injection, where the attacker sent a malicious ViewState payload using a leaked machine key.

Once received, the server decrypted and executed the code, unknowingly running the attacker’s instructions. This led to Godzilla deployment, where the payload triggered the execution of _assembly.dll_, loading the framework and allowing further exploitation.

Injection chain shows ViewState code leading to Godzilla. (Via Microsoft)

****Microsoft’s Response****

According to Microsoft’s **blog post**, the company has removed machine key samples from public documentation to discourage bad security practices. The company has also issued new detection alerts via Microsoft Defender for Endpoint to flag any usage of publicly disclosed machine keys.

If your system is compromised, simply rotating the machine keys may not be enough. Microsoft advises a full forensic investigation, as attackers may have installed backdoors or additional malware.

**Tim Mackey**, Head of Software Supply Chain Risk Strategy at Black Duck commented on the new development stating, _“_This misconfiguration allows attacks by using ViewState payloads encrypted with publicly available keys, often from demo code. Developers should replace sample keys, but some copy them without understanding the risk. Hardcoded keys in production signal poor configuration. Checking against Microsoft’s public key list helps, but DevOps teams should also use tools to detect and remove hardcoded secrets.”

****Protecting Yourself****

To protect your web servers from attacks, start by replacing any publicly available machine keys if they were copied from online sources. Next, rotate and secure your keys by generating new ones and applying them consistently across all servers in your web farm.

Additionally, encrypting machine keys in the web.config file will help prevent exposure. Monitoring for suspicious activity is also essential. Microsoft Defender now detects publicly disclosed ASP.NET machine keys, and enabling attack surface reduction rules can help block web shell attacks.

Upgrading to ASP.NET 4.8 enhances security by incorporating Antimalware Scan Interface (AMSI) support. Finally, conducting a security audit is important. If a machine key has been exposed, assume a breach, investigate thoroughly, and check for unauthorized access.

ASP.NET Vulnerability Lets Hackers Hijack Servers, Inject Malicious Code

### Impact
 - Information that is restricted from viewing in the search results of site searches (※) can still be viewed via the main text (a feature added in v1.8.0).
     - Impact by version
         - v1.8.0 ~ v1.8.3: It will be displayed in the text.
         - v1.8.0 and earlier: It will not be displayed in the body of the text, but the title (frame name) will be displayed with a link.
     - Target viewing restriction function
         - Frame publishing function (private, limited publishing)
         - IP Restriction Page
         - Password setting page

### Patches (fixed version)
 - Apply v1.8.4.

### Workarounds
 - Remove the site search (e.g. hide frames).。

### References
none

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-2237-5r9w-vm8j: Connect-CMS information that is restricted to viewing is visible

### Impact（影響）

There is an Access control vulnerability on the management system of Connect-CMS.
Affected Version : Connect-CMS v1.8.6, 2.4.6 and earlier

### Patches（修正バージョン）

version v1.8.7, v2.4.7

### Workarounds（運用回避手段）

Upgrade Connect-CMS to latest version

Skip to content

**Navigation Menu**

*   *   GitHub Copilot
        
        Write better code with AI
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Actions
        
        Automate any workflow
        
    *   Codespaces
        
        Instant dev environments
        
    *   Issues
        
        Plan and track work
        
    *   Code Review
        
        Manage code changes
        
    *   Discussions
        
        Collaborate outside of code
        
    *   Code Search
        
        Find more, search less
        
    

*   Explore
    
    *   Learning Pathways
    *   White papers, Ebooks, Webinars
    *   Customer Stories
    *   Partners
    *   Executive Insights
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   *   Enterprise platform
        
        AI-powered developer platform
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  GHSA-5rjc-jc28-cwgg

**Connect-CMS Access control vulnerability**

**Package**

composer opensource-workshop/connect-cms (Composer)

**Affected versions**

< 1.8.7

\>= 2.0.0, < 2.4.7

**Patched versions**

1.8.7

2.4.7

**Description**

**Impact（影響）**

There is an Access control vulnerability on the management system of Connect-CMS.  
Affected Version : Connect-CMS v1.8.6, 2.4.6 and earlier

**Patches（修正バージョン）**

version v1.8.7, v2.4.7

**Workarounds（運用回避手段）**

Upgrade Connect-CMS to latest version

**References**

*   GHSA-5rjc-jc28-cwgg

Published to the GitHub Advisory Database

Feb 7, 2025

**EPSS score**

GHSA-5rjc-jc28-cwgg: Connect-CMS Access control vulnerability

Security questionnaires serve as essential tools for building connections and trust in the digital realm. They help in…

Security questionnaires serve as essential tools for building connections and trust in the digital realm. They help in identifying potential vulnerabilities to protect data privacy and meet cybersecurity standards. In this article, we will see what is a **security questionnaire** and what is the proper method to create an automated security questionnaire.

****What are Security Questionnaires?****

Security questionnaires are sets of questions designed to assess the ability of an organization to protect data against cybersecurity threats. They help in the evaluation of risks and vulnerabilities to protect their organization’s sensitive information. 

****What is Covered in a Security Questionnaire?****

A Security Questionnaire covers different elements of cybersecurity, including network security, data protection measures, access controls, **incident response**, and compliance requirements. 

Other areas covered include: 

*   Datacenter Security
*   Infrastructure Security
*   Hiring and personnel policies
*   Security Incident Management
*   Application & Interface Security
*   Audit Assurance and Compliance
*   Encryption and Key Management 
*   Identity and Access Management
*   Governance and Risk Management
*   Threat and Vulnerability Management
*   Business Continuity Management & Operational Resilience
*   The program addresses Supply Chain Management and its focus on Transparency and Accountability.

****Best Practices for Security Questionnaire****

The security questionnaire’s difficulties can be controlled using various methods that eliminate these challenges. Below are some of the best practices for preparing security questionnaires:

****Remove irrelevancies:** **

You should eliminate those questions that do not apply to your specific circumstances. The process requires gathering supporting data to prove the non-applicability of those specific questions. You should get clarification about confusing questions before you give full responses to everything. Companies that do not answer all parts of the questionnaire questions put customer business relationships at risk.

****Keep it short and sweet:** **

Text responses should be brief and transparent in their evaluation of weaknesses and strengths. Involve subject matter experts, communicate openly with partners, and ask for clarification to produce accurate assessment data for assessors.

****Have a remediation plan on deck:** **

A detailed remediation strategy should be prepared to address security issues that emerge from questionnaires. Demonstrate ongoing efforts to align security posture with customer expectations. Discuss the potential for another assessment questionnaire after implementing new controls. Taking responsibility for control gaps and providing a remediation plan shows honesty, accountability, and a proactive approach to earning customer trust.

****Limitations of Security Questionnaires** **

While security questionnaires provide valuable insights, they have inherent limitations:

**Self-reported data:** The responses that rely on accuracy may not reflect reality. 

**Point-in-time assessment:** The questionnaires provide static security data that fails to track real-time changes and threats that emerge between assessments.

**Outdated information:** Responses can quickly become obsolete in fast-evolving technology systems.

**Lack of context:** Questionnaire-based data sometimes fails to uncover specific details about an organization’s security situation and its particular risks.

****Conclusion****

Companies understand that security questionnaires have become indispensable for protecting their valuable assets and data against emerging digital threats in the modern digital era. The questionnaires serve their purpose as **essential assessment tools** that allow stakeholders to determine how well threats are guarded and where security holes might exist. The answers to security questions become complicated when businesses operate without established plans.

This article has recommended practices for security questionnaire development and automation approaches that help businesses improve security protection and shorten compliance time

Image via Freepik

Best Practices for Preparing and Automating Security Questionnaires

PRESS RELEASE

A five-count criminal indictment was unsealed today in federal court in New York charging a Canadian man with exploiting vulnerabilities in two decentralized finance protocols to fraudulently obtain about $65 million from the protocols’ investors.

According to court documents, from 2021 to 2023, Andean Medjedovic, 22, allegedly exploited vulnerabilities in the automated smart contracts used by the KyberSwap and Indexed Finance decentralized finance protocols. Medjedovic borrowed hundreds of millions of dollars in digital tokens, which he used to engage in deceptive trading that he knew would cause the protocols’ smart contracts to falsely calculate key variables. Through his deceptive trades, Medjedovic was able to, and ultimately did, withdraw millions of dollars of investor funds from the protocols at artificial prices, rendering the victims’ investments essentially worthless.

Medjedovic also allegedly laundered the proceeds of his fraudulent schemes through a series of transactions designed to conceal the source and ownership of the funds, including through swap transactions, “bridging transactions,” and the use of a digital assets “mixer.” With others, Medjedovic also allegedly schemed to open accounts with digital assets exchanges using false and borrowed identifying information to conceal the source and true ownership of the proceeds. In around November 2023, after executing the KyberSwap exploit, Medjedovic also allegedly attempted to extort the victims of the KyberSwap exploit through a sham settlement proposal, in which he demanded complete control of the KyberSwap protocol and the decentralized autonomous organization that oversaw the KyberSwap protocol in exchange for returning 50 percent of the digital assets that he fraudulently obtained through his scheme.

Medjedovic is charged with one count of wire fraud, one count of unauthorized damage to a protected computer, one count of attempted Hobbs Act extortion, one count of money laundering conspiracy, and one count of money laundering. If convicted, he faces a maximum penalty of 10 years in prison on the unauthorized damage to a protected computer count and 20 years in prison on each of the other counts. A federal district court judge will determine any sentence after considering the U.S. Sentencing Guidelines and other statutory factors.

Supervisory Official Antoinette T. Bacon of the Justice Department’s Criminal Division, U.S. Attorney John J. Durham for the Eastern District of New York, Chief Guy Ficco of IRS Criminal Investigation (IRS-CI), Special Agent in Charge William S. Walker of Homeland Security Investigations (HSI) New York, and Assistant Director in Charge James E. Dennehy of the FBI New York Field Office made the announcement.

IRS-CI, HSI, and the FBI New York Field Office are investigating the case, with valuable assistance provided by U.S. Customs and Border Protection’s New York Field Office and the Justice Department’s Office of International Affairs. The Justice Department also thanks the Netherlands’ Public Prosecution Service and Cybercrime Unit — the Hague of the Dutch National Police for their significant assistance with the investigation.

Trial Attorney Tian Huang of the Criminal Division’s Fraud Section, who is a member of the National Cryptocurrency Enforcement Team (NCET), and Assistant U.S. Attorneys Nicholas Axelrod and Andrew Reich for the Eastern District of New York are prosecuting the case. SEC Enforcement Attorney Daphna A. Waxman, formerly a member of the NCET, provided significant assistance.

An indictment is merely an allegation. All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.

Canadian Man Charged in $65M Cryptocurrency Hacking Schemes

PRESS RELEASE

With a staggering 5263 attacks, 2024 saw the highest volume of ransomware attacks observed since 2021, according to a new report from cybersecurity consulting firm, NCC Group.

In a turbulent year for the cyber landscape, with high-impact attacks on sophisticated nation-state espionage campaigns, attack volume continued to rise. 

LockBit remains top threat actor despite takedown

The infamous threat group LockBit was the top actor of 2024, accounting for 10% (526) of all attacks. However, it’s overall activity declined compared to 2023, with LockBit’s takedown earlier in 2024.

RansomHub followed closely behind. Accountable for 501 attacks, it became the most dominant threat actor in the second half of the year.

Uptick in most regions

North America experienced over half of all attacks in 2024 (55%). Overall, most regions witnessed a rise in attacks, including Asia, South America, and Oceania. Rising global geopolitical tensions and high payouts for ransomware attacks are likely to have attributed to increase across regions. 

Industrials remains a top target

With its crucial role in the global economy, Industrials experienced 27% (1424) of all ransomware attacks in 2024, increasing 15% from 2023. Attacks in the sector have caused mass disruption, affecting critical infrastructure and services and causing material downtime.

Law enforcement whack-a-mole 

There are some encouraging signs that the international community has stepped up efforts to recognise and address the threats posed by cyber adversaries. Notable examples include coordinated law enforcement actions against cybercriminal networks such as Operations Cronos, Magnus, Destabilise, and Serengeti.

Despite short term law enforcement crack downs, threat actors continued to emerge quickly after intervention - LockBit was operating again only five days after its takedown. And with warnings from the group that it will be back in full force by February 2025, it’s evident that governments and law enforcement need to do more to prevent the reemergence of these groups.

Matt Hull, global head of Threat Intelligence at NCC Group said: “The cyber security landscape in 2024 presented unprecedented challenges. The scale and complexity of cyber incidents tested the resilience of businesses and institutions globally. Looking ahead, these challenges are set to escalate as cyber criminals and nation-state actors increasingly exploit the growing integration of technology into all aspects of life.

“Key concerns such as third-party compromises, cloud vulnerabilities, and insecure APIs remain critical. We also can’t ignore the rapid advances in artificial intelligence (AI) that are giving rise to new cybercriminal tactics. And the geopolitical dimension of cyber security adds to the ever-changing threat landscape, with nation-states posing significant risks to critical infrastructure.

“In the face of these challenges, businesses, governments, and individuals must stay vigilant and proactive. By understanding the risks and acting today, we can collectively work towards a more secure digital future.”

2024 Breaks Records With Highest Ever Ransomware Attacks

A year after Google and Yahoo started requiring DMARC, the adoption rate of the email authentication specification has doubled; and yet, 87% of domains remain unprotected.

Source: Tapati Rinchumrus via Shutterstock

A year after Google and Yahoo forced bulk email senders to implement the Domain-based Message Authentication, Reporting, and Conformance (DMARC) standard, the rate of the adoption of DMARC among domains has doubled, although many of the same email threats continue to successfully deliver payloads or redirect unwary users to phishing sites.

The increase in adoption started in February 2024, when Google and Yahoo started requiring bulk email senders — defined as any company sending more than 5,000 email messages daily — to use DMARC. The email authentication standard uses two authentication specifications — Sender Policy Framework (SPF) and DomainsKeys Identified Mail (DKIM) — to confirm that an email comes from an authorized email server and on behalf of the purported sender. The technology makes it much more difficult to spoof email from a legitimate company or brand.

In the past year, adoption has increased by about 2.3 million domains, but that still leaves about 87% of domains without a DMARC record, according to data published by cyber-resilience firm Red Sift on Feb 5. Adoption is also uneven, with organizations in Austria, Japan, and Indonesia seeing some of the highest growth and publicly traded companies making the most significant gains.

Related:Microsoft: Thousands of Public ASP.NET Keys Allow Web Server RCE

While doubling the adoption rate of DMARC is a significant success, the private sector needs to do better, says Sean Costigan, managing director of resilience strategy at Red Sift.

"DMARC is considered an indicator of cyber maturity in many sectors, and we are still in the early days — healthcare, for example, is struggling to surpass 40% to 50% adoption," he says, adding that "widely, properly managed DMARC adoption will reduce spoofing, phishing and other forms of cybercrime."

Source: Red Sift

Google, for example, has seen a significant reduction in questionable email. In 2024, Gmail users saw 265 billion fewer unauthenticated emails, or about 65% less. During the 2024 holidays, a season that typically sees a massive spike in phishing attacks, users encountered 35% fewer scams, says Neil Kumaran, group product manager at Google.

"We think these improvements represent a huge boost in the health of the email ecosystem overall," he says. "We are actually seeing the industry embrace these requirements, seeing how important they are to increase the healthy ecosystem for everybody."

**DMARC Adoption Likely to Accelerate**

Large email senders are not the only groups quickening the pace of DMARC adoption. The latest Payment Card Industry Data Security Standard (PCI DSS) version 4.0 requires DMARC for all organizations that handle credit card information, while the European Union's Digital Operational Resilience Act (DORA) makes DMARC a necessity for its ability to report on and block email impersonation, Red Sift's Costigan says.

Related:Abandoned AWS Cloud Storage: A Major Cyberattack Vector

"Mandatory regulations and legislation often serve as the tipping point for most organizations," he says. "Failures to do reasonable, proactive cybersecurity — of which email security and DMARC is obviously a part — are likely to meet with costly regulatory actions and the prospect of class action lawsuits."

Overall, the authentication specification is working as intended, which explains its arguably rapid adoption, says Roger Grimes, a data-driven-defense evangelist at security awareness and training firm KnowBe4. Other cybersecurity standards, such as DNSSEC and IPSEC, have been around longer, but DMARC adoption has outpaced them, he maintains.

"DMARC stands alone as the singular success as the most widely implemented cybersecurity standard introduced in the last decade," Grimes says.

**Subdomain Attacks Exploit Gaps**

Yet that does not mean that threats have diminished. Attackers have adapted, Grimes says. Typically, attackers will just use lookalike domains — or use creative punctuation to create confusion — and fool the end user while still sending messages from an authenticated domain.

Related:Name That Toon: Incentives

"Since the creation and wide-scale adoption of DMARC, the percentage and number of phishing emails claiming to be from a particular legitimate domain are significantly less, perhaps just a few percent of what they used to be," Grimes says. "Unfortunately, phishers just created new illegitimate domains, often with lookalike names, that they then applied DMARC on so that the new, illegitimate domains passed DMARC inspection."

One technique used to dodge DMARC is "subdomail," where attackers seek out SPF records that include unregistered domains, and then take control of the orphaned domains as a way to conduct massive spamming campaigns. In one case, an SPF record for msnmarthastewartsweeps.com "included" two domains, allowing any authorized mail servers listed in those domain records to send authenticated email. In the Sender Policy Framework, the "include" keyword allows on domain to specify that those domains' lists of authenticated email servers should be trusted. For msnmarthastewartsweeps.com, that resulted in nearly 18,000 domains being authorized to send email on behalf of the domain.

Because the email messages make it past DMARC checks, they are more likely to successfully impersonate other companies, says Red Sift's Costigan.

"SubdoMailing exploits gaps in DMARC safeguards, allowing attackers to send emails from subdomains that pass both SPF and DMARC checks," he says. "These messages appear legitimate and are incredibly deceptive."

**BIMI on Deck for Email Security**

Still, companies gain much more visibility into their email by using DMARC, as the standard includes a reporting function that allows companies — or service providers on their behalf — to track email failures. Thus, companies should rapidly move from "none" to "quarantine" to "reject" as their policy, experts say.

In addition, companies should also look to take the next step, moving to Brand Indicators for Message Identification or BIMI, which allows companies to present a logo to email recipients. BIMI requires strict DMARC, however, and only about a third of domains currently comply, according to Red Sift's data.

While none of these technologies solve the problem of malicious emails, they all give companies and their email service providers more reliable signals to use to filter out unwanted messages and potential attacks, says Google's Kumaran. DMARC adoption does not boil down to "authenticated mail is good, and unauthenticated email is bad," he says.

"The idea is that authentication gives you confidence of the source of the message, and then you can start to do a better job of classification and actually providing protections to users," Kumaran says. "So I think it's a very desirable behavior if 100% of attacks are actually authenticated, because it makes the job of protecting people — and gives those the folks working in defending — stronger signals on which to operate."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Google's DMARC Push Pays Off, but Email Security Challenges Remain

A cybercriminal calling themselves emirking is offering 20 million OpenAI accounts for sale on a Dark Web forum

A cybercriminal acting under the monicker “emirking” offered 20 million OpenAI user login credentials this week, sharing what appeared to be samples of the stolen data itself.

Post by emirking

A translation of the Russian statement by the poster says:

> “When I realized that OpenAI might have to verify accounts in bulk, I understood that my password wouldn’t stay hidden. I have more than 20 million access codes to OpenAI accounts. If you want, you can contact me—this is a treasure.”

The statement suggests that the cybercriminal found access codes which could be used to bypass the platform’s authentication systems. It seems unlikely that such a large amount of credentials could be harvested in phishing operations against users, so if the claim is true, emirking may have found a way to compromise the _auth0.openai.com_ subdomain by exploiting a vulnerability or by obtaining administrator credentials.

While emirking looks like a relatively new user of the forums (they joined in January 2025), that doesn’t necessarily mean anything. They could have posted under another handle previously and switched because of security reasons.

Millions of users around the world rely on OpenAI platforms like ChatGPT and other GPT integrations.

With the allegedly stolen credentials, cybercriminals could possibly access sensitive information provided during conversations and queries with OpenAI. This stolen data could prove useful in targeted phishing campaigns and financial fraud. But the stolen credentials could also be used to abuse the OpenAI API and have the victims pay for their usage of OpenAI’s “Plus” or “Pro” features. However, other users of the same dark web forum claimed that the posted credentials did not provide access to the ChatGPT conversations of the leaked accounts.

True or not, this comes at a bad time for OpenAI after Microsoft recently investigated accusations that DeepSeek used OpenAI’s ChatGPT model to train DeepSeek’s AI chatbot.

**What can users do?**

If you fear that this breach might include your credentials you should:

*   Change your password.
*   Enable multi-factor authentication (MFA).
*   Monitor your account for any unusual activity or unauthorized usage.
*   Beware of phishing attempts using the information that might be stolen as part of this breach.

BreachForums, the Dark Web forum where the accounts were offered for sale was offline at the time of writing, so we were unable to verify any claims ourselves. We will do so when the opportunity arises and keep you posted, so stay tuned.

Tag

#vulnerability