<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>FHN &#8211; First Hackers News</title>
	<atom:link href="https://firsthackersnews.com/author/fhn/feed/" rel="self" type="application/rss+xml" />
	<link>https://firsthackersnews.com</link>
	<description>Latest cybersecurity news, real attacks, and practical IOCs—made simple and actionable.</description>
	<lastBuildDate>Mon, 06 Jul 2026 22:19:54 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.9.4</generator>

<image>
	<url>https://firsthackersnews.com/wp-content/uploads/2026/03/cropped-FHN_512x512-32x32.png</url>
	<title>FHN &#8211; First Hackers News</title>
	<link>https://firsthackersnews.com</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Malicious AI Skills Threaten Enterprise Security</title>
		<link>https://firsthackersnews.com/malicious-ai-skills/</link>
					<comments>https://firsthackersnews.com/malicious-ai-skills/#respond</comments>
		
		<dc:creator><![CDATA[FHN]]></dc:creator>
		<pubDate>Mon, 06 Jul 2026 22:13:01 +0000</pubDate>
				<category><![CDATA[Application Security]]></category>
		<category><![CDATA[Cyber threat]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[malicious cyber actors]]></category>
		<category><![CDATA[Malicious extension]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Secuirty Update]]></category>
		<category><![CDATA[Security Advisory]]></category>
		<category><![CDATA[AI Agents]]></category>
		<category><![CDATA[AI security]]></category>
		<category><![CDATA[AI Threats]]></category>
		<category><![CDATA[artificial intelligence]]></category>
		<category><![CDATA[Backdoors]]></category>
		<category><![CDATA[credential theft]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[Developer Security]]></category>
		<category><![CDATA[infosec]]></category>
		<category><![CDATA[Malicious AI Skills]]></category>
		<category><![CDATA[Secure Coding]]></category>
		<category><![CDATA[security research]]></category>
		<category><![CDATA[source code]]></category>
		<category><![CDATA[threat intelligence]]></category>
		<guid isPermaLink="false">https://firsthackersnews.com/?p=11986</guid>

					<description><![CDATA[<p>Security researchers have discovered that malicious AI agent skills can be designed to steal credentials, extract source code,</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/malicious-ai-skills/">Malicious AI Skills Threaten Enterprise Security</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>Security researchers have discovered that <strong>malicious AI agent skills</strong> can be designed to steal credentials, extract source code, and install backdoors while avoiding detection by many existing security scanning tools.</p>



<p>The research highlights a growing risk for AI-powered coding assistants, where seemingly harmless third-party skills can perform malicious actions once executed.</p>



<h2 class="wp-block-heading">How the Attack Works</h2>



<p>Unlike simple text prompts, AI agent skills can contain instructions, scripts, and additional resources that an AI agent may execute automatically.</p>



<p>Researchers developed an evasion technique called <strong>SKILLCLOAK</strong>, which hides malicious behavior using code obfuscation and self-extracting payloads. This allows harmful skills to appear legitimate during security checks while preserving their original functionality.</p>



<p>Tests showed that many cloaked skills successfully bypassed existing scanning tools and continued to work normally in AI coding platforms such as <strong>Claude Code</strong> and <strong>Codex</strong>.</p>



<h2 class="wp-block-heading">Runtime Detection Offers Better Protection</h2>



<p>To address this issue, researchers introduced <strong>SKILLDETONATE</strong>, a runtime security system that analyzes what a skill does while it is running instead of relying only on static code inspection.</p>



<p>The system monitors activities such as:</p>



<ul class="wp-block-list">
<li>File access</li>



<li>Credential usage</li>



<li>Network connections</li>



<li>Data transfers</li>



<li>Process execution</li>
</ul>



<p>By focusing on runtime behavior rather than code appearance, the approach detected most malicious skills, including obfuscated and packed variants, with a high level of accuracy.</p>



<p>The findings suggest that organizations using AI coding assistants should carefully review third-party agent skills and adopt runtime monitoring solutions, as traditional install-time security checks may no longer be sufficient to detect increasingly sophisticated AI-based threats.</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p><strong>&#x200d;Follow Us on:<strong><a href="https://www.linkedin.com/in/firsthackers-news/" target="_blank" rel="noopener">Linkedin</a>,<a href="https://www.instagram.com/firsthackersnews/" target="_blank" rel="noreferrer noopener"> Instagram</a>, <a href="https://www.facebook.com/FirsthackerNews" target="_blank" rel="noreferrer noopener">Facebook</a></strong> to get the latest security news!</strong></p>
</blockquote>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/malicious-ai-skills/">Malicious AI Skills Threaten Enterprise Security</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://firsthackersnews.com/malicious-ai-skills/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Opera GX Flaw Allows CSS Injection</title>
		<link>https://firsthackersnews.com/opera-gx-security-flaw/</link>
					<comments>https://firsthackersnews.com/opera-gx-security-flaw/#respond</comments>
		
		<dc:creator><![CDATA[FHN]]></dc:creator>
		<pubDate>Mon, 06 Jul 2026 21:29:00 +0000</pubDate>
				<category><![CDATA[Application Security]]></category>
		<category><![CDATA[Cyber threat]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[Vulnerability Research]]></category>
		<category><![CDATA[Browser Security]]></category>
		<category><![CDATA[browser vulnerability]]></category>
		<category><![CDATA[CSS Injection]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[GX Mods]]></category>
		<category><![CDATA[infosec]]></category>
		<category><![CDATA[Opera Browser]]></category>
		<category><![CDATA[Opera GX]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[security update]]></category>
		<category><![CDATA[security vulnerability]]></category>
		<category><![CDATA[threat intelligence]]></category>
		<category><![CDATA[Web Browsers]]></category>
		<category><![CDATA[Web Security]]></category>
		<category><![CDATA[XS-Leaks]]></category>
		<guid isPermaLink="false">https://firsthackersnews.com/?p=11982</guid>

					<description><![CDATA[<p>Security researchers have uncovered a critical vulnerability in Opera GX that could allow attackers to inject malicious CSS</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/opera-gx-security-flaw/">Opera GX Flaw Allows CSS Injection</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>Security researchers have uncovered a critical vulnerability in <strong>Opera GX</strong> that could allow attackers to inject malicious CSS across every webpage a victim visits.</p>



<p>The issue affects the browser&#8217;s <strong>GX Mods</strong> feature and could be exploited to leak sensitive information from websites without requiring the victim to install a traditional browser extension.</p>



<p>Researchers demonstrated a <strong>zero-click attack</strong> where simply visiting a malicious webpage could trigger the installation of a harmful browser mod.</p>



<h2 class="wp-block-heading"><strong>How the Attack Works</strong></h2>



<p>GX Mods are designed to let users personalize Opera GX by adding themes, sounds, wallpapers, and CSS-based customizations.</p>



<p>Unlike browser extensions, GX Mods do not require special permissions or JavaScript.</p>



<p>Researchers discovered that malicious GX Mods packaged as <strong>.crx</strong> files can be installed automatically when downloaded through an embedded webpage, requiring little or no user interaction.</p>



<p>After installation, the malicious CSS is applied across every browser tab, allowing attackers to target multiple websites.</p>



<h2 class="wp-block-heading"><strong>Potential Security Risks</strong></h2>



<p>Once the malicious CSS is active, attackers can use <strong>CSS-based XS-Leaks</strong> techniques to infer sensitive information from webpages.</p>



<p>Although CSS cannot directly read confidential data, it can trigger network requests based on specific webpage elements, allowing attackers to gradually leak information.</p>



<p>Researchers demonstrated that attackers could reconstruct data such as email addresses by analyzing small pieces of information collected from the browser.</p>



<p>Possible risks include:</p>



<ul class="wp-block-list">
<li>Cross-site data leakage</li>



<li>Exposure of sensitive account information</li>



<li>Privacy violations</li>



<li>Universal CSS injection across browser tabs</li>
</ul>



<h2 class="wp-block-heading"><strong>Browser Crash Issue</strong></h2>



<p>Researchers also identified a separate <strong>denial-of-service (DoS)</strong> issue affecting both Opera GX and the standard Opera browser.</p>



<p>Triggering a malicious <strong>.crx</strong> download while browsing in <strong>Incognito Mode</strong> could cause the browser to crash and restart, resulting in the loss of the current browsing session.</p>



<h2 class="wp-block-heading"><strong>Patch Available</strong></h2>



<p>The vulnerabilities were responsibly disclosed through Opera&#8217;s bug bounty program.</p>



<p>Opera has released fixes to address the reported issues, reducing the risk of automatic mod installation and improving the browser&#8217;s handling of GX Mods.</p>



<p>Users are encouraged to update to the latest version of Opera GX to ensure they are protected against these vulnerabilities.</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/opera-gx-security-flaw/">Opera GX Flaw Allows CSS Injection</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://firsthackersnews.com/opera-gx-security-flaw/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Critical Veeam Backup Flaw Discovered</title>
		<link>https://firsthackersnews.com/veeam-backup-flaw/</link>
					<comments>https://firsthackersnews.com/veeam-backup-flaw/#respond</comments>
		
		<dc:creator><![CDATA[FHN]]></dc:creator>
		<pubDate>Mon, 06 Jul 2026 17:10:00 +0000</pubDate>
				<category><![CDATA[Cyber threat]]></category>
		<category><![CDATA[cyberattack]]></category>
		<category><![CDATA[Cybercriminals]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[malicious cyber actors]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[Backup Security]]></category>
		<category><![CDATA[BinaryFormatter]]></category>
		<category><![CDATA[CVE-2026-44963]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[deserialization]]></category>
		<category><![CDATA[Enterprise Security]]></category>
		<category><![CDATA[infosec]]></category>
		<category><![CDATA[rce]]></category>
		<category><![CDATA[remote code execution]]></category>
		<category><![CDATA[security update]]></category>
		<category><![CDATA[threat intelligence]]></category>
		<category><![CDATA[Veeam]]></category>
		<category><![CDATA[Veeam Backup]]></category>
		<guid isPermaLink="false">https://firsthackersnews.com/?p=11978</guid>

					<description><![CDATA[<p>Security researchers have discovered a high-severity vulnerability in Veeam Backup &#38; Replication, tracked as CVE-2026-44963, that could allow</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/veeam-backup-flaw/">Critical Veeam Backup Flaw Discovered</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>Security researchers have discovered a high-severity vulnerability in <strong>Veeam Backup &amp; Replication</strong>, tracked as <strong>CVE-2026-44963</strong>, that could allow authenticated domain users to execute remote code on backup servers.</p>



<p>The flaw is caused by insecure <strong>BinaryFormatter deserialization</strong>, a long-known security risk in .NET applications. According to researchers, the issue continues a pattern of similar vulnerabilities affecting Veeam&#8217;s .NET Remoting components.</p>



<h2 class="wp-block-heading">How the Vulnerability Works</h2>



<p>Veeam Backup &amp; Replication is widely used by organizations to manage backup, disaster recovery, and replication across virtual, physical, and cloud environments.</p>



<p>The vulnerability affects the <strong>Veeam Backup Service</strong>, which exposes a .NET Remoting HTTP endpoint on <strong>TCP port 8000</strong>.</p>



<p>Instead of allowing only trusted object types, the service relies on a <strong>blacklist-based filtering mechanism</strong>. While known dangerous classes are blocked, any unlisted serializable class is still accepted, creating an opportunity for attackers to bypass the protection.</p>



<h2 class="wp-block-heading">Low-Privilege Users Can Exploit the Flaw</h2>



<p>Researchers found that the vulnerability can be exploited by any <strong>authenticated domain user</strong>.</p>



<p>The application only verifies whether a user belongs to the standard Windows <strong>User</strong> group, meaning administrative privileges are not required to reach the vulnerable component.</p>



<p>An attacker can abuse this weakness to execute malicious serialized objects and ultimately run arbitrary commands on the backup server.</p>



<h2 class="wp-block-heading">Exploitation Process</h2>



<p>The attack follows a sequence of interactions with the Veeam service before delivering the malicious payload.</p>



<p>During exploitation, the attacker:</p>



<ul class="wp-block-list">
<li>Creates a restore session.</li>



<li>Initializes the backup session.</li>



<li>Sends a malicious BinaryFormatter payload.</li>



<li>Triggers insecure deserialization.</li>



<li>Executes arbitrary commands on the server.</li>
</ul>



<p>Researchers demonstrated that the exploit abuses <strong>System.Data.DataSet</strong> deserialization to instantiate <strong>ObjectDataProvider</strong>, which can invoke <strong>Process.Start()</strong> and execute attacker-controlled commands.</p>



<p>Because the <strong>Veeam Backup Service</strong> typically runs with <strong>SYSTEM</strong> privileges, successful exploitation can result in full control of the backup server.</p>



<h2 class="wp-block-heading">Why This Vulnerability Exists</h2>



<p>The root cause is Veeam&#8217;s continued use of <strong>BinaryFormatter</strong>, a serialization technology that Microsoft has considered unsafe and deprecated since .NET 5.</p>



<p>Researchers explain that relying on blocklists is not a long-term solution because attackers can continue discovering new classes capable of bypassing the restrictions.</p>



<p>Previous vulnerabilities, including <strong>CVE-2024-40711</strong> and <strong>CVE-2025-23120</strong>, were based on the same underlying weakness.</p>



<h2 class="wp-block-heading">Patch and Mitigation</h2>



<p>Veeam addressed the issue in <strong>version 12.3.2.4854 (KB4696)</strong> by adding the newly discovered gadget class to its BinaryFormatter blacklist.</p>



<p>However, researchers note that the update does <strong>not</strong> remove BinaryFormatter or redesign the underlying deserialization process.</p>



<p>In contrast, <strong>Veeam Backup &amp; Replication 13.x</strong> removes the BinaryFormatter-based implementation entirely, eliminating this class of vulnerabilities.</p>



<h2 class="wp-block-heading">Security Recommendations</h2>



<p>Organizations using <strong>Veeam Backup &amp; Replication 12.x</strong> should take immediate action to reduce the risk of exploitation.</p>



<p>Recommended security measures include:</p>



<ul class="wp-block-list">
<li>Apply the latest Veeam security updates.</li>



<li>Restrict access to <strong>TCP port 8000</strong>.</li>



<li>Limit network exposure of backup servers.</li>



<li>Consider deploying backup servers in <strong>workgroup mode</strong> instead of domain-joined environments where appropriate.</li>



<li>Monitor backup servers for suspicious deserialization or remote execution activity.</li>
</ul>



<p>Because backup infrastructure is frequently targeted by ransomware groups, organizations should prioritize patching this vulnerability to prevent attackers from gaining control over critical backup systems.</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/veeam-backup-flaw/">Critical Veeam Backup Flaw Discovered</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://firsthackersnews.com/veeam-backup-flaw/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Parrot 7.3 Launches with New Features</title>
		<link>https://firsthackersnews.com/parrot-7-3/</link>
					<comments>https://firsthackersnews.com/parrot-7-3/#respond</comments>
		
		<dc:creator><![CDATA[FHN]]></dc:creator>
		<pubDate>Sun, 05 Jul 2026 17:42:17 +0000</pubDate>
				<category><![CDATA[Application Security]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Internet Security]]></category>
		<category><![CDATA[Security Advisory]]></category>
		<category><![CDATA[Security Update]]></category>
		<category><![CDATA[Bettercap]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[Ethical Hacking]]></category>
		<category><![CDATA[Ghidra]]></category>
		<category><![CDATA[infosec]]></category>
		<category><![CDATA[Linux]]></category>
		<category><![CDATA[Linux Update]]></category>
		<category><![CDATA[Metasploit]]></category>
		<category><![CDATA[open source]]></category>
		<category><![CDATA[Parrot 7.3]]></category>
		<category><![CDATA[Parrot OS]]></category>
		<category><![CDATA[penetration testing]]></category>
		<category><![CDATA[Security Tools]]></category>
		<category><![CDATA[SQLMap]]></category>
		<category><![CDATA[Vagrant]]></category>
		<guid isPermaLink="false">https://firsthackersnews.com/?p=11974</guid>

					<description><![CDATA[<p>The Parrot Security team has released Parrot 7.3, focusing on performance, usability, and overall system improvements instead of</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/parrot-7-3/">Parrot 7.3 Launches with New Features</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>The <strong>Parrot Security</strong> team has released <strong>Parrot 7.3</strong>, focusing on performance, usability, and overall system improvements instead of adding a large number of new security tools.</p>



<p>The update introduces a redesigned menu system, faster package handling, optimized builds for modern processors, official Vagrant support, and several quality-of-life improvements aimed at making Parrot OS easier to use for both security professionals and everyday users.</p>



<h2 class="wp-block-heading"><strong>Parrot 7.3 -Performance Improvements</strong></h2>



<p>One of the biggest highlights of Parrot 7.3 is improved performance on newer hardware.</p>



<p>The release includes optional packages optimized for modern <strong>x86-64-v3</strong> and <strong>ARMv8.2-A</strong> processors, allowing supported systems to achieve noticeable performance gains during resource-intensive tasks.</p>



<p>These optimizations benefit applications such as:</p>



<ul class="wp-block-list">
<li>FFmpeg</li>



<li>Inkscape</li>



<li>NumPy</li>



<li>Shared libraries</li>



<li>Programming language runtimes</li>
</ul>



<p>To maintain compatibility, core system components continue using standard builds, while hardware compatibility checks ensure optimized packages are installed only on supported processors.</p>



<h2 class="wp-block-heading"><strong>Redesigned Menu System</strong></h2>



<p>Parrot 7.3 replaces its previous shell-based launcher with a new menu system written in <strong>Go</strong>.</p>



<p>The updated launcher simplifies application management and allows users to install supported tools directly from the desktop menu without opening the terminal.</p>



<p>The new menu also offers:</p>



<ul class="wp-block-list">
<li>Faster application launching</li>



<li>Automatic menu updates</li>



<li>Removal of duplicate launcher entries</li>



<li>Cleaner navigation across installed and available tools</li>
</ul>



<p>The goal is to provide a smoother experience for both new users and experienced penetration testers.</p>



<h2 class="wp-block-heading"><strong>Official Vagrant Support</strong></h2>



<p>Another major addition is official <strong>Vagrant</strong> support for the Home and Security editions.</p>



<p>The preconfigured Vagrant boxes allow users to quickly deploy consistent Parrot environments for:</p>



<ul class="wp-block-list">
<li>Security testing</li>



<li>Training labs</li>



<li>Development</li>



<li>CI/CD environments</li>



<li>Team collaboration</li>
</ul>



<p>This makes it easier to reproduce testing environments across different systems.</p>



<h2 class="wp-block-heading"><strong>Improved Privacy and Smaller Images</strong></h2>



<p>Parrot 7.3 also introduces a redesigned Firefox start page that respects user privacy.</p>



<p>Users can choose their preferred search engine, including:</p>



<ul class="wp-block-list">
<li>DuckDuckGo</li>



<li>Qwant</li>



<li>Google</li>
</ul>



<p>According to the Parrot team, the new page does not collect user data, reflecting the project&#8217;s privacy-focused approach.</p>



<p>The release also reduces the number of preinstalled packages in the Home and Security editions, resulting in smaller installation images and a lighter operating system.</p>



<h2 class="wp-block-heading"><strong>Updated Security Tools</strong></h2>



<p>Parrot 7.3 ships with updated software packages to keep security professionals working with the latest tools.</p>



<p>Some notable updates include:</p>



<ul class="wp-block-list">
<li>Linux Kernel 7.0.9</li>



<li>Metasploit 6.4.136</li>



<li>Ghidra 12.0.4</li>



<li>SQLMap 1.10.4</li>



<li>Bettercap 2.41.5</li>
</ul>



<p>Rather than introducing dozens of new tools, <strong>Parrot 7.3</strong> focuses on refining the overall user experience. With improved performance, a redesigned menu system, official Vagrant support, updated security tools, and a lighter installation, the release delivers meaningful improvements for penetration testers, security researchers, and Linux enthusiasts alike.<audio autoplay=""></audio></p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/parrot-7-3/">Parrot 7.3 Launches with New Features</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://firsthackersnews.com/parrot-7-3/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>India Bans Apps Used to Stop E-Rickshaws Remotely</title>
		<link>https://firsthackersnews.com/e-rickshaw-apps/</link>
					<comments>https://firsthackersnews.com/e-rickshaw-apps/#respond</comments>
		
		<dc:creator><![CDATA[FHN]]></dc:creator>
		<pubDate>Sun, 05 Jul 2026 17:32:53 +0000</pubDate>
				<category><![CDATA[Application Security]]></category>
		<category><![CDATA[Cyber threat]]></category>
		<category><![CDATA[cyberattack]]></category>
		<category><![CDATA[Cybercriminals]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[malicious cyber actors]]></category>
		<category><![CDATA[Security Advisory]]></category>
		<category><![CDATA[Security Update]]></category>
		<category><![CDATA[App Ban]]></category>
		<category><![CDATA[Battery Management System]]></category>
		<category><![CDATA[BMS]]></category>
		<category><![CDATA[Connected Vehicles]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[E-Rickshaw]]></category>
		<category><![CDATA[Electric Vehicles]]></category>
		<category><![CDATA[government]]></category>
		<category><![CDATA[India]]></category>
		<category><![CDATA[IoT Security]]></category>
		<category><![CDATA[mobile apps]]></category>
		<category><![CDATA[Passenger Safety]]></category>
		<category><![CDATA[Transportation Security]]></category>
		<category><![CDATA[Vehicle Security]]></category>
		<guid isPermaLink="false">https://firsthackersnews.com/?p=11970</guid>

					<description><![CDATA[<p>The Indian government has directed Google and Apple to remove three mobile applications—BAT-BMS, Lossigy, and Epoch-i-ion—after they were</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/e-rickshaw-apps/">India Bans Apps Used to Stop E-Rickshaws Remotely</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>The Indian government has directed <strong>Google</strong> and <strong>Apple</strong> to remove three mobile applications—<strong>BAT-BMS</strong>, <strong>Lossigy</strong>, and <strong>Epoch-i-ion</strong>—after they were allegedly misused to remotely disable e-rickshaws while they were carrying passengers.</p>



<p>The decision comes after videos circulated online showing users remotely shutting down battery-powered three-wheelers, raising serious concerns about passenger and road safety.</p>



<p>Authorities have also warned that any other apps offering similar unsafe remote-control capabilities could face similar action.</p>



<h2 class="wp-block-heading"><strong>Why Were These Apps Removed?</strong></h2>



<p>The apps were originally developed as <strong>Battery Management System (BMS)</strong> tools for electric vehicles.</p>



<p>Their intended purpose was to help:</p>



<ul class="wp-block-list">
<li>Monitor battery health and charging status</li>



<li>Track vehicle location</li>



<li>Manage fleet operations</li>



<li>Disable vehicles in cases of theft or loan default</li>
</ul>



<p>However, authorities found that the remote shutdown feature was allegedly being misused to stop vehicles without the driver&#8217;s permission.</p>



<h2 class="wp-block-heading"><strong>How the Apps Were Misused</strong></h2>



<p>According to reports, some users were able to remotely disable nearby e-rickshaws using the connected battery management system.</p>



<p>Researchers believe the issue was caused by weak access controls, allowing unauthorized users with access credentials to send remote shutdown commands.</p>



<p>This meant that features designed for fleet management could potentially be misused by:</p>



<ul class="wp-block-list">
<li>Unauthorized individuals</li>



<li>Rival financiers</li>



<li>Disgruntled employees</li>



<li>Malicious actors</li>



<li>Pranksters</li>
</ul>



<p>Such actions could interrupt journeys and create serious safety risks for both drivers and passengers.</p>



<h2 class="wp-block-heading"><strong>Security Concerns</strong></h2>



<p>The incident highlights growing security challenges within Internet of Things (IoT)-enabled electric vehicles.</p>



<p>Researchers note that many low-cost electric vehicle platforms prioritize functionality over security, leaving connected systems vulnerable to misuse.</p>



<p>Some of the reported concerns include:</p>



<ul class="wp-block-list">
<li>Weak authentication mechanisms</li>



<li>Shared or leaked login credentials</li>



<li>Insufficient access controls</li>



<li>Lack of driver authorization</li>



<li>Remote shutdown without safety checks</li>
</ul>



<p>Without proper safeguards, features intended to improve vehicle management can become potential security risks.</p>



<h2 class="wp-block-heading"><strong>Government Response</strong></h2>



<p>Following reports of misuse, the government instructed Google and Apple to remove the affected applications from their respective app stores.</p>



<p>Officials also indicated that additional apps found enabling similar remote vehicle shutdown capabilities could face the same action.</p>



<p>The move reflects increasing efforts to improve the security of connected transportation technologies and protect public safety.</p>



<h2 class="wp-block-heading"><strong>Recommendations for Fleet Operators</strong></h2>



<p>Organizations using connected Battery Management Systems should strengthen their security by:</p>



<ul class="wp-block-list">
<li>Enabling multi-factor authentication (MFA)</li>



<li>Restricting access to authorized users only</li>



<li>Preventing remote shutdown while vehicles are moving</li>



<li>Maintaining audit logs for remote commands</li>



<li>Conducting regular security assessments of BMS platforms</li>



<li>Securing backend APIs and user credentials</li>
</ul>



<p>As connected electric vehicles become more common, securing remote management features will be essential to prevent misuse and ensure passenger safety.</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/e-rickshaw-apps/">India Bans Apps Used to Stop E-Rickshaws Remotely</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://firsthackersnews.com/e-rickshaw-apps/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Claude Cowork Sandbox Flaw Allows Root Access</title>
		<link>https://firsthackersnews.com/claude-cowork-sandbox/</link>
					<comments>https://firsthackersnews.com/claude-cowork-sandbox/#respond</comments>
		
		<dc:creator><![CDATA[FHN]]></dc:creator>
		<pubDate>Thu, 02 Jul 2026 20:36:41 +0000</pubDate>
				<category><![CDATA[Application Security]]></category>
		<category><![CDATA[Cyber threat]]></category>
		<category><![CDATA[cyberattack]]></category>
		<category><![CDATA[Cybercriminals]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Internet Security]]></category>
		<category><![CDATA[malicious cyber actors]]></category>
		<category><![CDATA[Secuirty Update]]></category>
		<category><![CDATA[Security Advisory]]></category>
		<category><![CDATA[vulnerability]]></category>
		<guid isPermaLink="false">https://firsthackersnews.com/?p=11966</guid>

					<description><![CDATA[<p>Security researchers have uncovered a vulnerability chain in Anthropic&#8217;s Claude Cowork Sandbox that allows a local attacker to</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/claude-cowork-sandbox/">Claude Cowork Sandbox Flaw Allows Root Access</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>Security researchers have uncovered a vulnerability chain in <strong>Anthropic&#8217;s Claude Cowork Sandbox</strong> that allows a local attacker to bypass multiple security protections and execute arbitrary commands as <strong>root</strong> inside the product&#8217;s isolated Linux sandbox.</p>



<p>Although the attack requires local code execution on the host system, the research demonstrates that several built-in security mechanisms can be bypassed, ultimately leading to full administrative control within the sandbox.</p>



<h2 class="wp-block-heading"><strong>How Claude Cowork Protects Its Sandbox</strong></h2>



<p>Claude Cowork Sandbox is designed to help users build applications and automate tasks using Claude Code within an isolated environment.</p>



<p>On Windows, the platform runs workloads inside a <strong>Hyper-V-based Ubuntu virtual machine</strong> protected by several security layers, including:</p>



<ul class="wp-block-list">
<li>Hyper-V isolated Ubuntu VM</li>



<li>Authenticode-based named pipe authentication</li>



<li>Bubblewrap sandbox namespaces</li>



<li>Per-session unprivileged Linux users</li>



<li>Seccomp filtering</li>



<li>Domain-restricted outbound network access</li>
</ul>



<p>These protections are intended to isolate workloads and prevent unauthorized access to the underlying environment.</p>



<h2 class="wp-block-heading"><strong>Researchers Found a Way Around the Protections</strong></h2>



<p>According to research published by <strong>Armadin</strong>, the attack targeted the <strong>CoworkVMService</strong>, a Local System service responsible for managing communication between Windows and the Ubuntu virtual machine.</p>



<p>The service uses a named pipe and validates that only applications digitally signed by <strong>Anthropic</strong> can communicate with it.</p>



<p>Researchers attempted to bypass the signature validation but found that the authentication checks correctly rejected forged signatures and invalid trust chains.</p>



<p>Instead, they identified another attack path.</p>



<h2 class="wp-block-heading"><strong>DLL Sideloading Enabled Code Execution</strong></h2>



<p>Researchers discovered that <strong>claude.exe</strong> loads <strong>USERENV.dll</strong> from its application directory before loading the legitimate Windows system library.</p>



<p>By placing a malicious <strong>USERENV.dll</strong> alongside the application, they successfully performed <strong>DLL sideloading</strong>, allowing arbitrary code to execute inside the trusted Anthropic process.</p>



<p>Because the malicious code was running within the signed application, it successfully passed the service&#8217;s identity verification.</p>



<h2 class="wp-block-heading"><strong>Root Access Achieved Through RPC Manipulation</strong></h2>



<p>After gaining code execution, researchers analyzed the application&#8217;s JSON-based RPC protocol used to communicate with the virtual machine.</p>



<p>The protocol exposed several methods, including:</p>



<ul class="wp-block-list">
<li>configure</li>



<li>startVM</li>



<li>isGuestConnected</li>



<li>spawn</li>
</ul>



<p>While most security controls continued to function correctly, researchers discovered that two parameters—<strong>isResume</strong> and <strong>allowedDomains</strong>—were forwarded directly to the sandbox daemon without sufficient validation.</p>



<p>By fuzzing the RPC interface, they reconstructed the parameter structure and identified a logic flaw.</p>



<p>Normally, setting <strong>isResume</strong> to <strong>false</strong> creates a new unprivileged Linux user.</p>



<p>However, when <strong>isResume</strong> was set to <strong>true</strong>, the existing user validation was skipped entirely.</p>



<p>This allowed researchers to specify any username, including <strong>root</strong>, and execute commands with root privileges inside the sandbox.</p>



<h2 class="wp-block-heading"><strong>Security Impact</strong></h2>



<p>The vulnerability demonstrates that multiple security boundaries can be bypassed once an attacker gains local code execution.</p>



<p>Although Anthropic&#8217;s threat model assumes local access is already required, the research highlights how privilege escalation can occur even inside heavily sandboxed AI environments.</p>



<p>Successful exploitation could allow an attacker to:</p>



<ul class="wp-block-list">
<li>Execute commands as root inside the Linux sandbox.</li>



<li>Bypass intended privilege restrictions.</li>



<li>Gain unrestricted administrative access within the virtual machine.</li>



<li>Circumvent multiple sandbox security controls.</li>
</ul>



<p>The issue was successfully demonstrated against <strong>Claude Desktop for Windows version 1.9255.2.0</strong>.</p>



<p>As AI-powered development environments continue to evolve, this research serves as a reminder that sandbox implementations should be regularly reviewed to ensure privilege boundaries cannot be bypassed through chained vulnerabilities.</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/claude-cowork-sandbox/">Claude Cowork Sandbox Flaw Allows Root Access</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://firsthackersnews.com/claude-cowork-sandbox/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Fake Installers Spread AsyncRAT Using ScreenConnect</title>
		<link>https://firsthackersnews.com/asyncrat-screenconnect/</link>
					<comments>https://firsthackersnews.com/asyncrat-screenconnect/#respond</comments>
		
		<dc:creator><![CDATA[FHN]]></dc:creator>
		<pubDate>Thu, 02 Jul 2026 20:21:57 +0000</pubDate>
				<category><![CDATA[Android malware]]></category>
		<category><![CDATA[Cyber threat]]></category>
		<category><![CDATA[cyberattack]]></category>
		<category><![CDATA[Cybercriminals]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[malicious cyber actors]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[AsyncRAT]]></category>
		<category><![CDATA[cyber attack]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[DLL Sideloading]]></category>
		<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[Fake Installers]]></category>
		<category><![CDATA[kaspersky]]></category>
		<category><![CDATA[malware analysis]]></category>
		<category><![CDATA[malware campaign]]></category>
		<category><![CDATA[powershell]]></category>
		<category><![CDATA[Process Hollowing]]></category>
		<category><![CDATA[RAT]]></category>
		<category><![CDATA[Reflective Loading]]></category>
		<category><![CDATA[remote access]]></category>
		<category><![CDATA[remote access tool]]></category>
		<category><![CDATA[screenconnect]]></category>
		<category><![CDATA[threat intelligence]]></category>
		<category><![CDATA[windows security]]></category>
		<guid isPermaLink="false">https://firsthackersnews.com/?p=11962</guid>

					<description><![CDATA[<p>Cybersecurity researchers have uncovered a large-scale malware campaign in which threat actors are abusing the legitimate ScreenConnect remote</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/asyncrat-screenconnect/">Fake Installers Spread AsyncRAT Using ScreenConnect</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>Cybersecurity researchers have uncovered a large-scale malware campaign in which threat actors are abusing the legitimate <strong>ScreenConnect</strong> remote access software to deliver <strong>AsyncRAT</strong> through fake software installers.</p>



<p>Instead of relying on traditional malware downloaders, the attackers combine trusted applications, DLL sideloading, reflective loading, and process hollowing to quietly install remote access malware while avoiding detection.</p>



<h2 class="wp-block-heading"><strong>Fake Software Websites Used as Lures</strong></h2>



<p>The attackers created numerous fake download websites designed to imitate popular software applications.</p>



<p>Some of the impersonated software includes:</p>



<ul class="wp-block-list">
<li>OBS Studio</li>



<li>DNS Jumper</li>



<li>DS4Windows</li>



<li>Bandicam</li>



<li>Other widely used freeware applications</li>
</ul>



<p>Many of these websites were translated into more than ten languages, allowing the campaign to target users across multiple regions.</p>



<p>Researchers also found that search engine optimization (SEO) techniques helped these malicious websites appear higher in search results, increasing the likelihood that users would download the infected installers.</p>



<h2 class="wp-block-heading"><strong>How the Infection Works</strong></h2>



<p>Each downloaded archive contains a mix of legitimate and malicious files.</p>



<p>The package typically includes:</p>



<ul class="wp-block-list">
<li>A legitimate Microsoft-signed <strong>install.exe</strong></li>



<li>A malicious <strong>install.res.1033.dll</strong></li>



<li>An <strong>Assets</strong> folder containing the legitimate software</li>



<li>A renamed ScreenConnect MSI installer disguised as a trusted file, such as <strong>vcredist_x64.dll</strong></li>
</ul>



<p>When the user launches the installer, the signed executable automatically loads the malicious DLL through <strong>DLL sideloading</strong>.</p>



<p>The DLL silently installs the ScreenConnect service and registers it under names that appear legitimate, such as <strong>Microsoft Update Service</strong>, before connecting the infected system to attacker-controlled servers.</p>



<h2 class="wp-block-heading"><strong>Multiple Techniques Used to Evade Detection</strong></h2>



<p>Once ScreenConnect is installed, attackers execute PowerShell and VBScript commands to strengthen their foothold on the system.</p>



<p>The scripts perform several actions, including:</p>



<ul class="wp-block-list">
<li>Adding Microsoft Defender exclusions for entire drives and important processes.</li>



<li>Disabling User Account Control (UAC) prompts.</li>



<li>Dropping additional malware components into the <strong>C:\Users\Public</strong> directory.</li>
</ul>



<p>The malware then decrypts an encrypted payload stored in <strong>secret_bytes.txt</strong>. A PowerShell script named <strong>cap.ps1</strong> reconstructs the payload by decoding hexadecimal data, applying XOR decryption, and rebuilding the executable entirely in memory.</p>



<p>The recovered .NET assembly is loaded directly into memory using <strong>reflective loading</strong>, avoiding the need to write the malware to disk.</p>



<h2 class="wp-block-heading"><strong>AsyncRAT Deployed Through Process Hollowing</strong></h2>



<p>To further reduce detection, the malware launches <strong>RegAsm.exe</strong> in a suspended state before replacing its memory with the AsyncRAT payload using <strong>process hollowing</strong>.</p>



<p>Running the malware inside a legitimate Windows process helps it blend in with normal system activity and bypass some security tools that rely on process reputation.</p>



<h2 class="wp-block-heading"><strong>Persistence and Infrastructure</strong></h2>



<p>To maintain long-term access, the attackers create a scheduled task named <strong>MasterPackager.Updater</strong>.</p>



<p>The task runs every <strong>two minutes</strong>, allowing the malware to restart automatically after reboots or if its processes are terminated.</p>



<p>Kaspersky researchers also identified two major infrastructure clusters supporting the campaign.</p>



<p>The operation used:</p>



<ul class="wp-block-list">
<li>Multiple command-and-control (C2) servers</li>



<li>Numerous spoofed domains</li>



<li>Separate download servers for malware archives</li>



<li>ScreenConnect configuration files pointing to attacker infrastructure</li>
</ul>



<p>Based on domain registration data, researchers believe the campaign has been active since <strong>October 2025</strong> and continued operating through <strong>March 2026</strong>, with several fake download websites still accessible online.</p>



<h2 class="wp-block-heading"><strong>Security Recommendations</strong></h2>



<p>Because this campaign abuses trusted software and legitimate administrative tools, organizations should strengthen their defenses against both malware and software supply chain attacks.</p>



<p>Security teams should consider the following measures:</p>



<ul class="wp-block-list">
<li>Download software only from official vendor websites.</li>



<li>Block MSI installers from untrusted locations.</li>



<li>Monitor for newly created Windows services and scheduled tasks.</li>



<li>Detect unusual DLL sideloading activity.</li>



<li>Watch for suspicious use of PowerShell, VBScript, and signed Windows binaries.</li>



<li>Monitor outbound connections to unknown remote management servers.</li>



<li>Keep endpoint protection enabled and regularly updated.</li>



<li>Educate users to verify download sources before installing software.</li>
</ul>



<p>This campaign demonstrates how attackers continue to blend legitimate administration tools with advanced malware techniques. By combining trusted software, stealthy execution methods, and fake software distribution sites, threat actors can significantly increase the chances of compromising both individual users and enterprise environments.</p>



<h2 class="wp-block-heading" id="h-iocs"><strong>IOCs</strong></h2>



<figure class="wp-block-table"><table class="has-fixed-layout"><thead><tr><th class="has-text-align-left" data-align="left">Type</th><th class="has-text-align-left" data-align="left">Indicator</th><th class="has-text-align-left" data-align="left">Description</th></tr></thead><tbody><tr><td>Domain</td><td>mora1987[.]work[.]gd</td><td>AsyncRAT C2 server domain</td></tr><tr><td>URL</td><td>hxxps[:]//fileget.loseyourip[.]com/obs-studio-windows-full/gVOMs5VZ9BtlcaM</td><td>Malicious OBS Studio installer download link</td></tr><tr><td>URL</td><td>hxxps[:]//direct-download.giize[.]com/dns-jumper/iopbsr4hymbo7nfa1q7j</td><td>Malicious DNS Jumper installer download link</td></tr></tbody></table></figure>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/asyncrat-screenconnect/">Fake Installers Spread AsyncRAT Using ScreenConnect</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://firsthackersnews.com/asyncrat-screenconnect/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Attackers Target Oracle E-Business Suite Flaw</title>
		<link>https://firsthackersnews.com/oracle-ebs-flaw/</link>
					<comments>https://firsthackersnews.com/oracle-ebs-flaw/#respond</comments>
		
		<dc:creator><![CDATA[FHN]]></dc:creator>
		<pubDate>Thu, 02 Jul 2026 17:23:48 +0000</pubDate>
				<category><![CDATA[Application Security]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Internet Security]]></category>
		<category><![CDATA[Secuirty Update]]></category>
		<category><![CDATA[Security Advisory]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[Vulnerability Research]]></category>
		<category><![CDATA[Active Exploitation]]></category>
		<category><![CDATA[CVE-2026-46817]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[Enterprise Security]]></category>
		<category><![CDATA[oracle]]></category>
		<category><![CDATA[Oracle EBS]]></category>
		<category><![CDATA[Oracle Security]]></category>
		<category><![CDATA[security update]]></category>
		<category><![CDATA[threat intelligence]]></category>
		<guid isPermaLink="false">https://firsthackersnews.com/?p=11958</guid>

					<description><![CDATA[<p>Security researchers have identified around 950 internet-facing Oracle EBS Flaw instances following expanded internet scanning, while attackers have</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/oracle-ebs-flaw/">Attackers Target Oracle E-Business Suite Flaw</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>Security researchers have identified around <strong>950 internet-facing Oracle EBS Flaw</strong> instances following expanded internet scanning, while attackers have already begun exploiting <strong>CVE-2026-46817</strong> in real-world attacks.</p>



<p>The findings were shared by <strong>The Shadowserver Foundation</strong>, which recently enhanced its scanning capabilities through domain-based fingerprinting in collaboration with <strong>Validin</strong>. Although the scan did not verify whether every exposed system is vulnerable, it highlights a large number of publicly accessible Oracle EBS deployments that could become potential targets.</p>



<h2 class="wp-block-heading"><strong>Active Exploitation Detected</strong></h2>



<p>Researchers at <strong>DefusedCyber</strong> have observed active exploitation attempts targeting <strong>CVE-2026-46817</strong>, indicating that threat actors are already scanning for vulnerable Oracle E-Business Suite servers.</p>



<p>The vulnerability was addressed in Oracle&#8217;s <strong>May 2026 Critical Patch Update (CPU)</strong>. While Oracle has released limited technical details, the flaw is considered serious because Oracle EBS often manages sensitive business information, including financial, HR, and operational data.</p>



<p>Compromising these systems could allow attackers to gain unauthorized access, steal sensitive information, or move laterally across enterprise networks.</p>



<h2 class="wp-block-heading"><strong>Exposure and Security Recommendations</strong></h2>



<p>Shadowserver&#8217;s public dashboard provides visibility into exposed Oracle EBS systems worldwide, while its <strong>Device ID</strong> reporting service helps organizations identify internet-facing Oracle E-Business Suite instances within their environments.</p>



<p>To reduce the risk of compromise, organizations should:</p>



<ul class="wp-block-list">
<li>Apply Oracle&#8217;s latest security patches immediately.</li>



<li>Restrict public access to Oracle EBS servers.</li>



<li>Enable strong authentication and access controls.</li>



<li>Monitor logs for suspicious activity.</li>



<li>Deploy Web Application Firewall (WAF) protections.</li>



<li>Segment Oracle EBS servers from critical internal networks.</li>
</ul>



<p>With hundreds of Oracle E-Business Suite instances exposed and attackers actively exploiting <strong>CVE-2026-46817</strong>, organizations should prioritize patching and review externally accessible systems before they become targets of compromise.</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/oracle-ebs-flaw/">Attackers Target Oracle E-Business Suite Flaw</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://firsthackersnews.com/oracle-ebs-flaw/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>New ARToken Panel Targets Microsoft 365 Tokens</title>
		<link>https://firsthackersnews.com/artoken-panel-microsoft-365-tokens/</link>
					<comments>https://firsthackersnews.com/artoken-panel-microsoft-365-tokens/#respond</comments>
		
		<dc:creator><![CDATA[FHN]]></dc:creator>
		<pubDate>Thu, 02 Jul 2026 16:32:22 +0000</pubDate>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Secuirty Update]]></category>
		<category><![CDATA[Security Advisory]]></category>
		<category><![CDATA[ARToken]]></category>
		<category><![CDATA[business email compromise]]></category>
		<category><![CDATA[Cisco Talos]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[Device Code Phishing]]></category>
		<category><![CDATA[EvilTokens]]></category>
		<category><![CDATA[microsoft 365]]></category>
		<category><![CDATA[PhaaS]]></category>
		<category><![CDATA[threat intelligence]]></category>
		<category><![CDATA[Token Theft]]></category>
		<guid isPermaLink="false">https://firsthackersnews.com/?p=11954</guid>

					<description><![CDATA[<p>Security researchers at Cisco Talos have uncovered a phishing-as-a-service (PhaaS) platform called ARToken that appears to be closely</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/artoken-panel-microsoft-365-tokens/">New ARToken Panel Targets Microsoft 365 Tokens</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>Security researchers at <strong>Cisco Talos</strong> have uncovered a phishing-as-a-service (PhaaS) platform called <strong>ARToken</strong> that appears to be closely linked to the previously identified <strong>EvilTokens</strong> infrastructure.</p>



<p>The platform provides cybercriminals with an advanced web-based dashboard that simplifies Microsoft 365 account compromise. It supports device code phishing, Primary Refresh Token (PRT) persistence, mailbox takeover, Business Email Compromise (BEC), and SharePoint data theft through an easy-to-use interface.</p>



<p>Researchers found that ARToken contains more than <strong>80 API endpoints</strong>, giving attackers a wide range of tools to manage phishing campaigns and compromised accounts.</p>



<h2 class="wp-block-heading"><strong>What Makes ARToken Dangerous?</strong></h2>



<p>ARToken offers a complete post-compromise toolkit that allows attackers to maintain access to Microsoft 365 accounts even after credentials have been changed.</p>



<p>Some of its key capabilities include:</p>



<ul class="wp-block-list">
<li>Device code phishing attacks</li>



<li>Primary Refresh Token (PRT) setup and renewal</li>



<li>Token import and export</li>



<li>Mailbox takeover</li>



<li>Business Email Compromise (BEC) operations</li>



<li>SharePoint and OneDrive file access</li>



<li>Cloudflare Workers integration for phishing pages</li>



<li>Automated inbox rule creation</li>



<li>Mass BCC email campaigns</li>
</ul>



<p>Researchers discovered these features after analyzing the platform&#8217;s <strong>1.7 MB React JavaScript bundle</strong>, which exposed the application&#8217;s client-side logic and API endpoints without requiring authentication.</p>



<h2 class="wp-block-heading"><strong>Similarities to EvilTokens</strong></h2>



<p>Cisco Talos found multiple technical similarities between ARToken and the EvilTokens platform.</p>



<p>Both platforms:</p>



<ul class="wp-block-list">
<li>Use Microsoft device code authentication phishing.</li>



<li>Return similar device authentication parameters such as <strong>device_code</strong>, <strong>user_code</strong>, <strong>verification_uri</strong>, and <strong>expires_in</strong>.</li>



<li>Support the <strong>clientMode: &#8220;broker&#8221;</strong> parameter, which uses Microsoft&#8217;s Windows Authentication Manager (WAM) to obtain Primary Refresh Tokens (PRTs).</li>



<li>Follow similar deployment methods using Cloudflare Workers.</li>



<li>Operate as multi-tenant phishing-as-a-service platforms with subscription-based access and affiliate dashboards.</li>
</ul>



<p>These similarities strongly suggest that ARToken is built on, or heavily inspired by, the EvilTokens infrastructure.</p>



<h2 class="wp-block-heading"><strong>Advanced Anti-Analysis Techniques</strong></h2>



<p>ARToken also includes several techniques designed to prevent automated analysis and security research.</p>



<p>These include:</p>



<ul class="wp-block-list">
<li>User-Agent verification</li>



<li>Detection of browser automation tools</li>



<li>Browser feature fingerprinting</li>



<li>Screen size and window validation</li>



<li>Mouse and touch interaction checks</li>



<li>Runtime payload decryption using XOR encryption</li>
</ul>



<p>These protections make the platform more difficult for automated security tools and sandboxes to analyze.</p>



<h2 class="wp-block-heading"><strong>How the Phishing Campaign Works</strong></h2>



<p>Researchers observed phishing emails impersonating a legitimate contractor to target accounts payable employees.</p>



<p>The emails contained SharePoint links that appeared legitimate but redirected victims to attacker-controlled Microsoft 365 environments.</p>



<p>Other characteristics of the campaign included:</p>



<ul class="wp-block-list">
<li>Cloudflare Workers hosting phishing pages</li>



<li>Reply-chain hijacking techniques</li>



<li>Unique email variations to bypass detection</li>



<li>Failed SPF, DKIM, and DMARC authentication</li>



<li>Victims directed to <strong>microsoft.com/devicelogin</strong> and instructed to enter a device code supplied by the attacker</li>
</ul>



<p>Once the device code is entered, attackers obtain access tokens without requiring the victim&#8217;s password.</p>



<h2 class="wp-block-heading"><strong>Additional Post-Compromise Features</strong></h2>



<p>Beyond stealing tokens, ARToken provides attackers with several tools to manage compromised accounts.</p>



<p>These include:</p>



<ul class="wp-block-list">
<li>Continuous mailbox monitoring</li>



<li>Automated inbox rule creation</li>



<li>Bulk token import and export</li>



<li>Shared token management with role-based permissions</li>



<li>Dynamic phishing lure customization</li>



<li>SharePoint site management</li>



<li>Cloudflare Workers deployment directly from the dashboard</li>
</ul>



<p>These features allow attackers to maintain long-term access and streamline Business Email Compromise operations.</p>



<h2 class="wp-block-heading"><strong>Security Recommendations</strong></h2>



<p>Organizations using Microsoft 365 should take immediate steps to reduce the risk of device code phishing attacks.</p>



<p>Recommended security measures include:</p>



<ul class="wp-block-list">
<li>Monitor for unusual device registration activity.</li>



<li>Audit Primary Refresh Token (PRT) creation and renewal.</li>



<li>Revoke active sessions if compromise is suspected.</li>



<li>Enforce Conditional Access policies.</li>



<li>Monitor mailbox rule creation and suspicious email forwarding.</li>



<li>Be cautious of unexpected SharePoint links, even if they appear legitimate.</li>



<li>Train users to recognize device code phishing attempts.</li>
</ul>



<p>Because <strong>Primary Refresh Tokens (PRTs)</strong> can remain valid even after a password change, organizations should immediately revoke active sessions and tokens whenever a compromise is detected to prevent attackers from maintaining persistent access.</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/artoken-panel-microsoft-365-tokens/">New ARToken Panel Targets Microsoft 365 Tokens</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://firsthackersnews.com/artoken-panel-microsoft-365-tokens/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>CISA Flags SimpleHelp Flaw as Actively Exploited</title>
		<link>https://firsthackersnews.com/simplehelp-vulnerability/</link>
					<comments>https://firsthackersnews.com/simplehelp-vulnerability/#respond</comments>
		
		<dc:creator><![CDATA[FHN]]></dc:creator>
		<pubDate>Wed, 01 Jul 2026 18:02:20 +0000</pubDate>
				<category><![CDATA[CISA]]></category>
		<category><![CDATA[cyberattack]]></category>
		<category><![CDATA[Cybercriminals]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Exploitation]]></category>
		<category><![CDATA[malicious cyber actors]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[security advisory]]></category>
		<category><![CDATA[security fix]]></category>
		<category><![CDATA[security flaw]]></category>
		<category><![CDATA[security update]]></category>
		<category><![CDATA[security vulnerability]]></category>
		<category><![CDATA[vulnerability impact]]></category>
		<guid isPermaLink="false">https://firsthackersnews.com/?p=11950</guid>

					<description><![CDATA[<p>The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-48558, a critical vulnerability affecting SimpleHelp remote support</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/simplehelp-vulnerability/">CISA Flags SimpleHelp Flaw as Actively Exploited</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added <strong>CVE-2026-48558</strong>, a critical vulnerability affecting <strong>SimpleHelp</strong> remote support software, to its <strong>Known Exploited Vulnerabilities (KEV)</strong> catalog. The listing confirms that the flaw is being actively exploited, and organizations are urged to apply security updates without delay.</p>



<p>The vulnerability affects environments where <strong>OpenID Connect (OIDC)</strong> authentication is enabled. Due to improper verification of cryptographic signatures, attackers can bypass authentication and gain unauthorized access to affected systems.</p>



<h2 class="wp-block-heading"><strong>How the Vulnerability Works</strong></h2>



<p>According to CISA, the issue occurs because SimpleHelp does not properly validate identity tokens during the OIDC authentication process. As a result, a remote attacker can create forged identity tokens and have them accepted as legitimate.</p>



<p>This allows attackers to impersonate authorized users without valid credentials and gain technician-level access to the application. In some environments, the vulnerability may also allow attackers to bypass multi-factor authentication (MFA), significantly increasing the risk of unauthorized access.</p>



<p>Because SimpleHelp is widely used for remote IT support, successful exploitation could provide attackers with direct access to managed devices, creating opportunities for privilege escalation and lateral movement across enterprise networks.</p>



<h2 class="wp-block-heading"><strong>Immediate Action Required</strong></h2>



<p>CISA has instructed federal agencies to remediate the vulnerability under <strong>Binding Operational Directive (BOD) 26-04</strong>, with a deadline of <strong>July 2, 2026</strong>. The agency also recommends that organizations follow vendor guidance, prioritize patching internet-facing systems, and review affected environments for signs of compromise.</p>



<p>If patches cannot be applied immediately, organizations should consider temporarily removing vulnerable SimpleHelp servers from public access until security updates are in place.</p>



<p>Although CISA has not linked the vulnerability to ransomware attacks, its inclusion in the KEV catalog confirms that threat actors are actively exploiting the flaw. Organizations using SimpleHelp should treat this issue as a high priority and apply the latest security updates as soon as possible to reduce the risk of unauthorized access.</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/simplehelp-vulnerability/">CISA Flags SimpleHelp Flaw as Actively Exploited</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://firsthackersnews.com/simplehelp-vulnerability/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
