CISA warns of five-year-old GitLab flaw exploited in attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered government agencies to patch their systems against a five-year-old GitLab vulnerability that is actively being exploited in attacks.

GitLab patched this server-side request forgery (SSRF) flaw (tracked as CVE-2021-39935) in December 2021, saying it could allow unauthenticated attackers with no privileges to access the CI Lint API, which is used to simulate pipelines and validate CI/CD configurations.

“When user registration is limited, external users that aren’t developers shouldn’t have access to the CI Lint API,” the company said at the time.

New Amaranth Dragon cyberespionage group exploits WinRAR flaw

A new threat actor called Amaranth Dragon, linked to APT41 state-sponsored Chinese operations, exploited the CVE-2025-8088 vulnerability in WinRAR in espionage attacks on government and law enforcement agencies.

The hackers combined legitimate tools with the custom Amaranth Loader to deliver encrypted payloads from command-and-control (C2) servers behind Cloudflare infrastructure, for more accurate targeting and increased stealth.

According to researchers at cybersecurity company Check Point, Amaranth Dragon targeted organizations in Singapore, Thailand, Indonesia, Cambodia, Laos, and the Philippines.

Pushback Works: Adobe Animate Is Not Shutting Down

According to the company’s new announcement, the earlier warning that March 1, 2027, would be the application’s final day should be disregarded: Adobe is neither discontinuing nor removing access to Adobe Animate, and there is no longer any deadline or date set for when Animate will stop being available.

Going forward, the software will remain accessible to both new and existing users, although Adobe has confirmed that users shouldn’t expect the addition of any new features. Instead, the program will remain in a perpetual “maintenance mode,” meaning Adobe will continue supporting the application and providing regular security updates and bug fixes.

Microsoft to disable NTLM by default in future Windows releases

Microsoft announced that it will disable the 30-year-old NTLM authentication protocol by default in upcoming Windows releases due to security vulnerabilities that expose organizations to cyberattacks.

NTLM (short for New Technology LAN Manager) is a challenge-response authentication protocol introduced in 1993 with Windows NT 3.1 and is the successor to the LAN Manager (LM) protocol.

Kerberos has superseded NTLM and is now the current default protocol for domain-connected devices running Windows 2000 or later. While it was the default protocol in older Windows versions, NTLM is still used today as a fallback authentication method when Kerberos is unavailable, even though it uses weak cryptography and is vulnerable to attacks.

Microsoft: January update shutdown bug affects more Windows PCs

Microsoft has confirmed that a known issue preventing some Windows 11 devices from shutting down also affects Windows 10 systems with Virtual Secure Mode (VSM) enabled.

VSM is a Windows security feature that uses hardware virtualization to create an isolated, protected memory region (known as the “secure kernel”) separate from the normal operating system, a region that is extremely difficult for malware to access, even after a system compromise.

It protects sensitive credentials, encryption keys, and security tokens from kernel-level malware and pass-the-hash attacks, and it enables security features such as Credential Guard, Device Guard, and Hypervisor-Protected Code Integrity in Windows 10/11 Enterprise editions.

New GlassWorm attack targets macOS via compromised OpenVSX extensions

A new GlassWorm malware attack through compromised OpenVSX extensions focuses on stealing passwords, crypto-wallet data, and developer credentials and configurations from macOS systems.

The threat actor gained access to the account of a legitimate developer (oorzc) and pushed malicious updates with the GlassWorm payload to four extensions that had been downloaded 22,000 times.

GlassWorm attacks first appeared in late October, hiding the malicious code using “invisible” Unicode characters to steal cryptocurrency wallet and developer account details. The malware also supports VNC-based remote access and SOCKS proxying.
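The “invisible” Unicode trick described above can be caught with a plain source scan before an extension update is accepted or installed. The following is an added example written for this digest, not code from the article, from the researchers, or from any extension project: it flags zero-width, bidirectional-control and Unicode “tag” characters in a source file, and recovers any ASCII that was smuggled in tag characters so an analyst can see what the hidden text says. The sample JavaScript it scans is constructed inline; the function names and the set of flagged ranges are this example’s own choices.

```python
import unicodedata
from typing import List, Tuple

# Code point ranges that render as nothing (or reorder text) and have no
# legitimate use inside program source. Ranges chosen for this example.
SUSPICIOUS_RANGES = [
    (0x200B, 0x200F),    # zero-width space/joiners, LRM/RLM marks
    (0x202A, 0x202E),    # bidi embedding/override controls ("Trojan Source")
    (0x2060, 0x2064),    # word joiner, invisible math operators
    (0x2066, 0x2069),    # bidi isolate controls
    (0xE0000, 0xE007F),  # Unicode tag characters: invisible ASCII carrier
]


def is_suspicious(ch: str, offset: int) -> bool:
    """True if `ch` is an invisible/format character that should not be in source.

    A byte-order mark (U+FEFF) is tolerated only at offset 0 of the file.
    """
    cp = ord(ch)
    if cp == 0xFEFF:
        return offset != 0
    for lo, hi in SUSPICIOUS_RANGES:
        if lo <= cp <= hi:
            return True
    # Any other "format" (Cf) character is rare in real code; flag it too.
    return unicodedata.category(ch) == "Cf"


def scan_source(text: str) -> List[Tuple[int, int, str, str]]:
    """Return (line, column, 'U+XXXX', unicode name) for every hit in `text`."""
    findings = []
    offset = 0
    for lineno, line in enumerate(text.splitlines(keepends=True), start=1):
        for col, ch in enumerate(line, start=1):
            if is_suspicious(ch, offset):
                findings.append(
                    (lineno, col, f"U+{ord(ch):04X}", unicodedata.name(ch, "<unnamed>"))
                )
            offset += 1
    return findings


def decode_tag_payload(text: str) -> str:
    """Recover ASCII hidden as Unicode tag characters (U+E0020..U+E007E).

    Each tag character is the ASCII code point plus 0xE0000, so subtracting
    the base gives back the original printable character.
    """
    return "".join(
        chr(ord(ch) - 0xE0000) for ch in text if 0xE0020 <= ord(ch) <= 0xE007E
    )


# Constructed sample: a harmless-looking file with a zero-width space on
# line 2 and the word "hidden" smuggled as tag characters on line 3.
SAMPLE_JS = (
    "const x = 1;\n"
    "// config\u200b\n"
    "const payload = '" + "".join(chr(0xE0000 + ord(c)) for c in "hidden") + "';\n"
)

if __name__ == "__main__":
    for line, col, cp, name in scan_source(SAMPLE_JS):
        print(f"line {line} col {col}: {cp} {name}")
    print("hidden tag payload:", repr(decode_tag_payload(SAMPLE_JS)))
```

Run it over every file in an extension package (including minified bundles) rather than only the entry point; a clean scan does not prove an update is benign, but any hit in a “text-only” commit is reason to hold the release and read the diff with the invisible characters rendered visibly.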