Today, every unpatched system, leaked password, and overlooked plugin is a doorway for attackers. Supply chains stretch deep into the code we trust, and malware hides not just in shady apps — but in job offers, hardware, and cloud services we rely on every day.
Hackers don’t need sophisticated exploits anymore. Sometimes, your credentials and a little social engineering are enough.
This week,
from The Hacker News https://ift.tt/uiReNYF
via IFTTT
Ivanti customers are confronting another string of attacks linked to an actively exploited vulnerability in the company’s VPN products. Mandiant said a nation-state backed espionage group linked to China has been exploiting the critical vulnerability, CVE-2025-22457, since mid-March.
The threat group, which Google Threat Intelligence Group tracks as UNC5221, has a knack for exploiting Ivanti products and has successfully — and repeatedly — attacked the vendor’s customers since 2023. UNC5221 previously exploited a trio of zero-day vulnerabilities, including CVE-2025-0282, CVE-2023-46805 and CVE-2024-21887.
Actively exploited software defects in Ivanti products are a consistent and recurring problem for the vendor’s customers, which have been subject to multiple attack sprees from various threat groups. Ivanti has made 15 appearances in the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities catalog since early 2024, not including CVE-2025-22457.
“This latest activity from UNC5221 underscores the ongoing targeting of edge devices globally by China-nexus espionage groups,” Mandiant Consulting CTO Charles Carmakal said in a statement. “The velocity of cyber intrusion activity by China-nexus espionage actors continues to increase and these actors are better than ever.”
The latest attacks involve a vulnerability in Ivanti Connect Secure that the vendor released a patch for Feb. 11, but the company didn’t disclose the vulnerability until Thursday.
The software defect was considered low risk at the time, but UNC5221 studied the patch and found a way to exploit CVE-2025-22457 in earlier versions of the product, Mandiant said in a blog post Thursday.
“Ivanti and our security partners have now learned the vulnerability is exploitable through sophisticated means and have identified evidence of active exploitation in the wild,” Ivanti said in a security advisory. “We encourage all customers to ensure they are running Ivanti Connect Secure 22.7R2.6 as soon as possible, which remediates the vulnerability.”
A “limited number of customers” using Ivanti Connect Secure 22.7R2.5 or earlier versions and Pulse Connect Secure 9.1x appliances, which are no longer supported or receiving code changes, have been exploited, Ivanti said. The stack-based overflow vulnerability allows attackers to achieve remote code execution.
The vulnerability also affects Ivanti Policy Secure and Ivanti ZTA Gateways, though the vendor said it’s not aware of any exploitation in those products. Ivanti said patches for those products are in development and expected to be released later this month.
“Network security devices and edge devices are a focus of sophisticated and highly persistent threat actors,” an Ivanti spokesperson said in an email.
“We seek to go above and beyond in providing detailed information to defenders to ensure they can take every possible step to secure their environments,” the spokesperson added. “We have continued to meaningfully expand and enhance the Ivanti Security team with highly skilled security specialists to meet the evolving needs of this landscape.”
During its investigation of post-exploitation activity, Mandiant observed UNC5221 deploying two newly identified malware families: the Trailblaze in-memory only dropper and the Brushfire passive backdoor. Researchers also observed various Spawn malware and UNC5221’s use of a modified version of Ivanti’s Integrity Checker Tool, which allowed the group to evade detection.
“China-nexus espionage actors regularly surge their exploitation activity once they are discovered and publicly outed,” Carmakal said in a LinkedIn post. “We expect they will likely try to compromise more victims in the coming days before organizations have the opportunity to patch.”
The post China-backed espionage group hits Ivanti customers again appeared first on CyberScoop.
from CyberScoop https://ift.tt/Y3ULqMV
via IFTTT
International intelligence and cybersecurity agencies jointly issued a warning Thursday about “fast flux,” an advanced technique used by cybercriminals and state-sponsored actors to evade detection and maintain resilient command and control infrastructure.
Fast flux involves rapidly changing or swapping out IP addresses linked to a particular domain. These quick changes render malicious activity nearly invisible to defensive measures. When fast flux is used, the domain names associated with these ever-changing IP addresses act as proxies, facilitating a wide array of cybercriminal activities.
The advisory was issued by the NSA along with the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), the Canadian Centre for Cyber Security (CCCS), and the New Zealand National Cyber Security Centre (NCSC-NZ).
“Fast flux is an ongoing, serious threat to national security, and this guidance shares important insight we’ve gathered about the threat,” said NSA Cybersecurity Director Dave Luber.
The sheer number of IP addresses used in fast flux operations makes it a formidable challenge for cybersecurity professionals. Often reaching into the hundreds of thousands, these IP addresses are connected to a DNS record for minutes before being swapped out for another. This rapid turnover creates a scenario akin to searching for needles in a constantly shifting haystack, where both human observers and automated systems struggle to keep up with the changes.
Furthermore, malicious actors make it harder to detect by using legitimate cloud service providers as a front to their operations. By blending malicious traffic with legitimate-looking data, these actors make it exceedingly tough for defenders to distinguish between harmful and benign activities.
While the speed and sophistication of fast flux tactics make real-time interception nearly impossible, certain behavioral indicators can serve as warnings of malicious intent. These include the bulk procurement of domain names, the use of fake registration details for nameservers, and the rapid alteration of IP addresses associated with these domains.
Intelligence agencies have observed fast flux being used across multiple threat vectors. Bulletproof hosting services, which disregard law enforcement requests and abuse notices, often offer fast flux as a service differentiator to help clients evade blocking.
The technique has been documented in ransomware attacks, including those by Hive and Nefilim. Nation-state actors such as Gamaredon have employed fast flux to limit the effectiveness of IP blocking during their operations.
The advisory advocates for the implementation of a multi-layered detection and mitigation approach among protective DNS (PDNS) providers to close network defense gaps.
“Service providers, especially Protective DNS providers, should track, share information about, and block fast flux as part of their provided cybersecurity services,” an advisory from CISA reads. “Government and critical infrastructure organizations should close this ongoing gap in network defenses by using cybersecurity and PDNS services that block malicious fast flux activity.”
You can read the full advisory here.
The post International intelligence agencies raise the alarm on fast flux appeared first on CyberScoop.
from CyberScoop https://ift.tt/3HARNpo
via IFTTT
Cybersecurity researchers have disclosed details of a now-patched privilege escalation vulnerability in Google Cloud Platform (GCP) Cloud Run that could have allowed a malicious actor to access container images and even inject malicious code.
“The vulnerability could have allowed such an identity to abuse its Google Cloud Run revision edit permissions in order to pull private Google Artifact
from The Hacker News https://ift.tt/VXluFZh
via IFTTT
Businesses don’t always get what they pay for in cybersecurity. Some of the most expensive cloud network firewall vendors are among the worst performers against exploits and evasions, according to the most comprehensive, independent testing CyberRatings.org has conducted to date.
Cisco, by far the most expensive cloud network firewall offering across the top 10 vendors on price per megabits per second, ranked seventh with an overall security effectiveness score of 53.5%, according to CyberRatings.org research released Wednesday.
The trio of big cloud providers — Amazon Web Services, Microsoft Azure and Google Cloud Platform — fared even worse, each landing at the bottom of the pack with a 0% security effectiveness score.
“We’ve been told to use cloud-native technologies, that they’re better suited than using bolt-ons. Well, that’s clearly not the case here,” CyberRatings.org CEO Vikram Phatak told CyberScoop.
“Any of the third-party firewalls you pick are going to be better at protecting you than what you have today with the AWS firewall, but also frankly Azure and GCP today as well,” he said.
Fortinet and Check Point earned the highest rating of 100%, followed by Versa Networks, Palo Alto Networks and Juniper Networks — each landing in the upper end of the 99th percentile, according to CyberRatings.org’s tests. Forcepoint’s security effectiveness score was 96.6%.
CyberRatings.org tested cloud network firewalls against more than 2,000 widely exploited vulnerabilities. The nonprofit, which paid for the tests and research in Q1 2025 without any vendor involvement, then applied 2,500 attacks spanning 27 evasion techniques across multiple network layers to bypass firewall defenses.
“This is what I consider to be the equivalent of an open-book test. It’s not super hard stuff,” Phatak said.
“We want to know what a buyer, purchaser of the technology can count on in an adversarial situation where things are not always going their way,” he said. “This is not a Category 5 hurricane, and it’s also not a sunny day on the beach.”
CyberRatings.org’s tests showed wide disparities in cloud network firewalls’ ability to defend against publicly available exploits. Protecting organizations against exploits is the first line of defense, a core selling point and purpose of firewalls.
AWS performed the worst on this front, blocking only 0.59% of exploits. The big problem for AWS is that its signature set for exploits is mismatched, Phatak said.
“If you put all your eggs in the AWS basket, you’re going to end up regretting it from a cybersecurity perspective at least,” Phatak said.
Rounding out the bottom of the field, Microsoft Azure blocked 55.28%, Cisco blocked 90.68%, GCP blocked 96.6% and Forecepoint blocked 97.63% of exploits. Fortinet and Check Point blocked all of the exploits CyberRatings.org threw at their cloud network firewalls. Versa Networks, Juniper Networks and Palo Alto Networks each scored in the high 99th percentile on exploit prevention.
The overall results and rankings diverged further when CyberRatings.org measured cloud network firewalls’ performance against evasions.
Cisco, AWS, GCP and Microsoft Azure each failed to defend against evasion tactics between layer 3 and layer 7, network traffic originating from IP addresses and the content of application data.
Ultimately, the 0% security effectiveness score applied to AWS and GCP was due to the ease with which CyberRatings.org bypassed their firewalls with evasions. Both vendors earned a 0% score in preventing evasions.
Microsoft performed better than its cloud counterparts on evasions, scoring 78%. Yet, Microsoft’s “big issue is that if anything comes across encrypted with HTTPS, they’re blind. [It’s] the only firewall that doesn’t have HTTPS decryption built in,” Phatak said.
Microsoft’s lack of transport layer security (TLS) and secure sockets layer (SSL) support resulted in its overall 0% security effectiveness score, according to CyberRatings.org’s benchmarks. Cisco prevented 59% of CyberRatings.org’s evasion tests.
Forcepoint blocked 99% of evasions while Palo Alto Networks, Check Point, Juniper Networks and Versa Networks all blocked 100%, according to CyberRatings.org’s tests.
CyberRatings.org explained its testing framework, including why and the extent to which it deducted points from firewall vendors’ score across all categories tested. In many cases, it was the combination of exploit and evasion prevention tests, and other factors unique to specific factors that resulted in low security effectiveness scores.
In the case of AWS, its firewall didn’t block any live attacks, so CyberRatings.org couldn’t test it against evasions. With Microsoft’s firewall, CyberRatings.org evaded defenses by encrypting traffic or targeting a web server that’s encrypted.
Phatak directed his harshest criticism at AWS, which has consistently performed poorly in CyberRatings.org exploit prevention tests since 2014. “Amazon’s lack of improvement was shocking to us,” he said. “It just says that it’s not taking this seriously.”
The post Independent tests show why orgs should use third-party cloud security services appeared first on CyberScoop.
from CyberScoop https://ift.tt/v3tXHLj
via IFTTT
Now that Jeff Barr has retired from the AWS News Blog as of December last year, the AWS News Blog team will keep sharing the most important and impactful AWS product launches the moment they become available. I want to quote Jeff’s last comment on the future of the News Blog again:
Going forward, the team will continue to grow and the goal remains the same: to provide our customers with carefully chosen, high-quality information about the latest and most meaningful AWS launches. The blog is in great hands and this team will continue to keep you informed even as the AWS pace of innovation continues to accelerate.
Since 2016, Jeff has been building the AWS News Blog as a team. Currently, we’re a group of 11 bloggers working in North America, South America, Asia, Europe, and Africa. We co-work with AWS product teams, testing new features firsthand on behalf of customers, and delivering key details in the News Blog the way Jeff has always done.
The Leadership Principles for AWS News Bloggers that Jeff shared on LinkedIn are a textbook for anyone writing for customers in tech companies. They’re the fundamentals that can help you understand and get started blogging quickly, and we’ll continue to stick to these principles with our team. This is why the AWS News Blog is different from other tech companies’ product news channels.
Voices from blog writers
You may be familiar with the names of News Blog writers, but you may not have had the chance to hear about them. Let us introduce ourselves!
I’m honored to continue Jeff’s legacy as a new lead blogger of the News Blog team; he is my role model. When I joined AWS in 2014, the first thing I did was to create the AWS Korea Blog and I started translating Jeff’s blog posts into the Korean language. During the journey, I learned how to write accurate, honest, and powerful guides to help customers get started with new AWS products and features.
Since my first News Blog post in 2018, I have learned so much by being part of this team. Working with product managers and service teams is always an amazing experience. I am interested in serverless, event-driven architectures, and AI/ML. It’s incredible how technologies like generative AI are becoming part of software development implicitly (through AI-enabled development tools) and explicitly (by using models in code).
I’m fortunate to have been a part of this team since 2019. When I don’t write posts, I produce episodes of the AWS Developers Podcast and le podcast AWS en français. I also work with the teams for Amazon EC2 Mac, AWS SDK for Swift, and the CodeBuild and CodeArtifact teams trying to make the AWS Cloud easier to use for Apple developers. My pet project is the Swift Runtime for AWS Lambda.
The Amazon Leadership Principles (LPs) guide all that we do here at AWS, including the work we do as authors of the News Blog. As a developer advocate, I’ve taken the guidance of the LPs and used it to guide members of the AWS community who are looking to create technical content, especially those new in their technical content creation journey.
Just like brewing coffee, being a blog author has been a mix of fun, challenge, and reward. I’ve been particularly fortunate to observe how customer obsession is built into AWS teams. I’ve seen how they work backwards, transforming your feedback into services or features. I genuinely hope that you enjoy reading our articles and look forward to the next chapter of the News Blog team.
As an author, I’m committed to delivering timely information about the latest AWS innovations and launches to our global audience of builders, developers, and technology enthusiasts. I understand the importance of providing clear, accurate, and actionable content that helps you use AWS services effectively. Happy reading everyone!
My specialties are .NET development and microservices, but I’ve always been a jack-of-all-trades and writing for this blog helps me to keep my knife sharp across all corners of modern technology, while also helping others do the same. Thousands of people read the AWS News Blog and use it as a go-to source to keep up with what’s new and to help them make decisions, so I know that what we are doing is meaningful work with huge impact.
Through my blogs, I strive to highlight not just the “what” of new services, but also the “why” and “how” they can transform businesses and user experiences. As a solutions architect specializing in Microsoft Workloads on AWS, I help customers migrate and modernize their workloads and build scalable architecture on AWS. I also mentor diverse people to excel in their cloud careers.
Every time I start writing a new blog, I feel honored to be part of this team, to be able to experiment with something new before it’s released, and to be able to share my experience with the reader. This team is made up of specialists of all levels and from multiple countries and together, we are a multicultural and multi-specialty team. Thank you, reader, for being here.
Joining the News Blog team has transformed how I communicate about technology. With an ever-curious mindset, I approach each new announcement aiming to make innovative services accessible and engaging. By bringing my unique and diverse perspective to technical content, I strive to help developers truly enjoy exploring our latest technologies.
Micah Walter
As a senior solutions architect, I support enterprise customers in the New York City region and beyond. I advise executives, engineers, and architects at every step along their journey to the cloud, with a deep focus on sustainability and practical design.
I also want to give credit to our behind-the-scenes editor-in-chief, Jane Watson, and program manager, Jane Scolieri, who play an essential role in helping us get product launch news to you as soon as it happens, including the 60 launches we announced in one week at re:Invent 2024!
Share your feedback
At AWS, we are customer obsessed. We’re always focused on improving and providing a better customer experience, and we need your feedback to do so. Take our survey to share insights about your experience with the AWS News Blog and suggestion for how we can serve you even better.
This survey is hosted by an external company. AWS handles your information as described in the AWS Privacy Notice. AWS will own the data gathered via this survey and will not share the information collected with survey respondents.
— Channy
from AWS News Blog https://ift.tt/OnRFCgz
via IFTTT
Exposed PostgreSQL instances are the target of an ongoing campaign designed to gain unauthorized access and deploy cryptocurrency miners.
Cloud security firm Wiz said the activity is a variant of an intrusion set that was first flagged by Aqua Security in August 2024 that involved the use of a malware strain dubbed PG_MEM. The campaign has been attributed to a threat actor Wiz tracks as
from The Hacker News https://ift.tt/RY7wOtE
via IFTTT
The cybersecurity artificial intelligence (AI) model and agent will help organizations improve threat detection and incident response.
from darkreading https://ift.tt/TF4z9Cd
via IFTTT
Today, I’m happy to announce Amazon Q Developer support for Amazon OpenSearch Service, providing AI-assisted capabilities to help you investigate and visualize operational data. Amazon Q Developer enhances the OpenSearch Service experience by reducing the learning curve for query languages, visualization tools, and alerting features. The new capabilities complement existing dashboards and visualizations by enabling natural language exploration and pattern detection. After incidents, you can rapidly create additional visualizations to strengthen your monitoring infrastructure. This enhanced workflow accelerates incident resolution and optimizes engineering resource usage, helping you focus more time on innovation rather than troubleshooting.
Amazon Q Developer in Amazon OpenSearch Service improves operational analytics by integrating natural language exploration and generative AI capabilities directly into OpenSearch workflows. During incident response, you can now quickly gain context on alerts and log data, leading to faster analysis and resolution times. When alert monitors trigger, Amazon Q Developer provides summaries and insights directly in the alerts interface, helping you understand the situation quickly without waiting for specialists or consulting documentation. From there, you can use Amazon Q Developer to explore the underlying data, build visualizations using natural language, and identify patterns to determine root causes. For example, you can create visualizations that break down errors by dimensions such as Region, data center, or endpoint. Additionally, Amazon Q Developer assists with dashboard configuration and recommends anomaly detectors for proactive alerting, improving both initial monitoring setup and troubleshooting efficiency.
Get started with Amazon Q Developer in OpenSearch Service
To get started, I go to my OpenSearch user interface and sign in. From the home page, I choose a workspace to test Amazon Q Developer in OpenSearch Service. For this demonstration, I use a preconfigured environment with the sample logs dataset available on the user interface.
This feature is on by default through the Amazon Q Developer Free tier, which is also on by default. You can disable the feature by unselecting the Enable natural language query generation checkbox under the Artificial Intelligence (AI) and Machine Learning (ML) section during domain creation or by editing the cluster configuration in console.
In OpenSearch Dashboards, I navigate to Discover from the left navigation pane. To use natural language to explore the data, I switch to PPL language in order to show the prompt box.
I choose the Amazon Q icon in the main navigation bar to open the Amazon Q panel. You can use this panel to create recommended anomaly detectors to drive alerting and use natural language to generate visualization.
I enter the following prompt in the Ask a natural language question text box:
Show me a breakdown of HTTP response codes for the last 24 hours
When results appear, Amazon Q automatically generates a summary of these results. You can control the summary display using the Show result summarization option under the Amazon Q panel to hide or show the summary. You can use the thumbs up or thumbs down buttons to provide feedback, and you can copy the summary to your clipboard using the copy button.
Other capabilities of Amazon Q Developer in OpenSearch Service are generating visualizations directly from natural language descriptions, providing conversational assistance for OpenSearch related queries, providing AI-generated summaries and insights for your OpenSearch alerts, and analyzing your data, and suggesting appropriate anomaly detectors.
Let’s look into how to generate visualizations directly from natural language descriptions. I choose Generate visualization from Amazon Q panel. I enter Create a bar chart showing the number of requests by HTTP status code in the input field and choose generate.
To refine the visualization, you can choose Edit visual and add style instructions such as Show me a pie chart or Use a light gray background with a white grid.
Now available
You can now use Amazon Q Developer in OpenSearch Service to reduce mean time to resolution, enable more self-service troubleshooting, and help teams extract greater value from your observability data.
The service is available today in US East (N. Virginia), US West (Oregon), Asia Pacific (Mumbai), Asia Pacific (Sydney), Asia Pacific (Tokyo), Canada (Central), Europe (Frankfurt), Europe (London), Europe (Paris), and South America (São Paulo) AWS Regions.
To learn more, visit the Amazon Q Developer documentation and start using Amazon Q Developer in your OpenSearch Service domain today.
How is the News Blog doing? Take this 1 minute survey!
(This survey is hosted by an external company. AWS handles your information as described in the AWS Privacy Notice. AWS will own the data gathered via this survey and will not share the information collected with survey respondents.)
from AWS News Blog https://ift.tt/05vuw1Z
via IFTTT
Today, we are launching IPv6 support for Amazon API Gateway across all endpoint types, custom domains, and management APIs, in all commercial and AWS GovCloud (US) Regions. You can now configure REST, HTTP, and WebSocket APIs, and custom domains, to accept calls from IPv6 clients alongside the existing IPv4 support. You can also call API Gateway management APIs from dual-stack (IPv6 and IPv4) clients. As organizations globally confront growing IPv4 address scarcity and increasing costs, implementing IPv6 becomes critical for future-proofing network infrastructure. This dual-stack approach helps organizations maintain future network compatibility and expand global reach. To learn more about dualstack in the Amazon Web Services (AWS) environment, see the IPv6 on AWS documentation.
Creating new dual-stack resources
This post focuses on two ways to create an API or a domain name with a dualstack IP address type: AWS Management Console and AWS Cloud Development Kit (CDK).
AWS Console
When creating a new API or domain name in the console, select IPv4 only or dualstack (IPv4 and IPv6) for the IP address type.
As shown in the following image, you can select the dualstack option when creating a new REST API.
For custom domain names, you can similarly configure dualstack as shown in the next image.
If you need to revert to IPv4-only for any reason, you can modify the IP address type setting, with no need to redeploy your API for the update to take effect.
REST APIs of all endpoint types (EDGE, REGIONAL and PRIVATE) support dualstack. Private REST APIs only support dualstack configuration.
AWS CDK
With AWS CDK, start by configuring a dual-stack REST API and domain name.
IPv6 Source IP and authorization
When your API begins receiving IPv6 traffic, client source IPs will be in IPv6 format. If you use resource policies, Lambda authorizers, or AWS Identity and Access Management (IAM) policies that reference source IP addresses, make sure they’re updated to accommodate IPv6 address formats.
For example, to permit traffic from a specific IPv6 range in a resource policy.
Summary
API Gateway dual-stack support helps manage IPv4 address scarcity and costs, comply with government and industry mandates, and prepare for the future of networking. The dualstack implementation provides a smooth transition path by supporting both IPv4 and IPv6 clients simultaneously.
To get started with API Gateway dual-stack support, visit the Amazon API Gateway documentation. You can configure dualstack for new APIs or update existing APIs with minimal configuration changes.
Special thanks to Ellie Frank (elliesf), Anjali Gola (anjaligl), and Pranika Kakkar (pranika) for providing resources, answering questions, and offering valuable feedback during the writing process. This blog post was made possible through the collaborative support of the service and product management teams.
How is the News Blog doing? Take this 1 minute survey!
(This survey is hosted by an external company. AWS handles your information as described in the AWS Privacy Notice. AWS will own the data gathered via this survey and will not share the information collected with survey respondents.)
from AWS News Blog https://ift.tt/FaSB19N
via IFTTT