Random in Security is a digest of recent cybersecurity news.
Vulnerabilities
IngressNightmare
Wiz Research disclosed a set of vulnerabilities in the Ingress NGINX Controller for Kubernetes, collectively dubbed “IngressNightmare” (CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, and CVE-2025-1974); the most severe, CVE-2025-1974, carries a CVSS v3.1 base score of 9.8. The root cause is the controller’s admission webhook, which validates incoming Ingress objects and was reachable over the pod network without authentication. An attacker who can reach it can inject arbitrary NGINX directives into the generated configuration, which the controller then tests with nginx -t, giving unauthenticated remote code execution inside the controller pod. Because that pod runs with a service account able to read Secrets across all namespaces, the result is a realistic path to complete cluster takeover. Wiz estimated that about 43% of cloud environments were affected, with over 6,500 clusters, including those of Fortune 500 companies, exposing the admission controller to the public internet. The Kubernetes project published guidance on CVE-2025-1974 (fixed in ingress-nginx 1.11.5 and 1.12.1; removing the admission webhook is the stop-gap when an upgrade has to wait), and security researchers shared detection templates and additional analysis.
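A quick triage script for the two questions above, which controllers are still on an affected release and whether their admission webhook is still registered, is shown below. It is an added example, not Wiz’s scanner or anything from the Kubernetes project. It parses the JSON that kubectl get deploy -A -o json and kubectl get validatingwebhookconfigurations -o json produce; the embedded dumps are constructed for the demo, and the assumption that the admission Service name ends in -admission follows the default ingress-nginx manifests.

```python
"""Flag ingress-nginx controllers still running IngressNightmare-affected versions.

Added example, not Wiz's or the Kubernetes project's tooling. Works offline on two
JSON dumps of the kind `kubectl get deploy -A -o json` and
`kubectl get validatingwebhookconfigurations -o json` produce; the samples below
are constructed.
"""
import json
import re
from typing import Optional

# Fixed releases named in the Kubernetes announcement: 1.11.5 and 1.12.1.
FIXED_BY_MINOR = {11: (1, 11, 5), 12: (1, 12, 1)}

# Matches the official controller image (plain or -chroot flavour) and its tag.
_VERSION_RE = re.compile(r"ingress-nginx/controller(?:-chroot)?:v(\d+)\.(\d+)\.(\d+)")


def controller_version(image: str) -> Optional[tuple]:
    """Return (major, minor, patch) for an ingress-nginx controller image, else None."""
    m = _VERSION_RE.search(image)
    return tuple(int(g) for g in m.groups()) if m else None


def is_vulnerable(version: tuple) -> bool:
    """True if `version` predates the fixed release for its minor line.

    Minor lines older than 1.11 received no fix at all, so they count as
    vulnerable; lines newer than 1.12 shipped after the fix.
    """
    major, minor, _ = version
    if major != 1:
        return False
    if minor < 11:
        return True
    fixed = FIXED_BY_MINOR.get(minor)
    return fixed is not None and version < fixed


def admission_webhook_namespaces(webhooks_json: str) -> set:
    """Namespaces whose ValidatingWebhookConfiguration targets an *-admission Service
    (assumption: the ingress-nginx default is ingress-nginx-controller-admission).
    Deleting that configuration is the documented stop-gap if you cannot upgrade."""
    namespaces = set()
    for cfg in json.loads(webhooks_json)["items"]:
        for hook in cfg.get("webhooks", []):
            svc = hook.get("clientConfig", {}).get("service") or {}
            if svc.get("name", "").endswith("-admission"):
                namespaces.add(svc.get("namespace"))
    return namespaces


def assess(deployments_json: str, webhooks_json: str) -> dict:
    """Map 'namespace/deployment' -> finding for every controller container found."""
    hooked = admission_webhook_namespaces(webhooks_json)
    findings = {}
    for d in json.loads(deployments_json)["items"]:
        ns, name = d["metadata"]["namespace"], d["metadata"]["name"]
        for c in d["spec"]["template"]["spec"]["containers"]:
            v = controller_version(c["image"])
            if v is None:
                continue  # not an ingress-nginx controller container
            findings[f"{ns}/{name}"] = {
                "version": ".".join(map(str, v)),
                "vulnerable": is_vulnerable(v),
                # The RCE is only reachable while the admission webhook is registered.
                "admission_webhook_registered": ns in hooked,
            }
    return findings


def _deploy(ns, name, image):
    return {"metadata": {"namespace": ns, "name": name},
            "spec": {"template": {"spec": {"containers": [{"name": "controller", "image": image}]}}}}


# Constructed sample input (not real cluster data).
SAMPLE_DEPLOYMENTS = json.dumps({"items": [
    _deploy("ingress-nginx", "ingress-nginx-controller",
            "registry.k8s.io/ingress-nginx/controller:v1.11.4@sha256:d2fb"),
    _deploy("edge", "ingress-nginx-controller",
            "registry.k8s.io/ingress-nginx/controller:v1.12.1"),
    _deploy("web", "frontend", "nginx:1.27"),
]})
SAMPLE_WEBHOOKS = json.dumps({"items": [{
    "metadata": {"name": "ingress-nginx-admission"},
    "webhooks": [{"name": "validate.nginx.ingress.kubernetes.io",
                  "clientConfig": {"service": {"namespace": "ingress-nginx",
                                               "name": "ingress-nginx-controller-admission",
                                               "path": "/networking/v1/ingresses"}}}],
}]})

if __name__ == "__main__":
    for key, finding in assess(SAMPLE_DEPLOYMENTS, SAMPLE_WEBHOOKS).items():
        print(key, finding)
```

Run it against real dumps by replacing the two sample strings with the output of the kubectl commands above. A controller that is both vulnerable and still has its webhook registered is the one to fix first; a vulnerable controller whose webhook has been removed is mitigated but still needs the upgrade.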
Interesting Reads
Typosquatted Go Packages
Cybercriminals have been targeting Go developers with typosquatting campaigns that deliver malware loaders and ransomware. The packages carry names a character or two away from popular Go modules and are backed by copies of the legitimate repositories whose credibility is padded with fake stars and engagement. The malicious code is typically obfuscated and fetches its payload at runtime, so the module builds cleanly and compromises the developer’s machine, and potentially the downstream supply chain, only when it executes. The campaigns have added social engineering on top, with fake GitHub profiles and manipulated repository metrics to look trustworthy to a developer skimming search results. Note that go.sum and the checksum database only prove that a module’s contents match what the proxy recorded; they say nothing about whether the module path is the one you meant, so the defence is checking the path itself against the upstream you intended. Security researchers documented additional ransomware campaigns, and developers shared accounts of repository impersonation attacks along with extensive lists of affected repositories.
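Because the checksum database cannot catch a faithfully-recorded lookalike, the check has to be on the module path. Below is an added example of such a check, not code from any of the reports above: it parses a go.mod, normalises each required path (stripping the -go / go- style decorations typosquatters add to an owner or repository name, which is this example’s own heuristic), and flags anything within one edit of a module on an allowlist without being that module. The allowlist and the go.mod are constructed for the demo.

```python
"""Flag go.mod requirements that look like typosquats of well-known modules.

Added example, not from Socket or any of the linked reports. The known-module list
and the sample go.mod are constructed; in practice the list would come from your
own dependency inventory or an allowlist.
"""
import re

# Constructed allowlist of modules the team actually depends on.
KNOWN_MODULES = {
    "github.com/boltdb/bolt",
    "github.com/gorilla/mux",
    "github.com/spf13/cobra",
    "golang.org/x/crypto",
}

# Decorations commonly bolted onto a real owner or repo name (heuristic chosen for
# this example); stripped before comparison so "boltdb-go" collapses to "boltdb".
_DECORATION_RE = re.compile(r"^(?:go-|golang-)|(?:-go|-golang)$")
# A requirement line: module path followed by a version. Handles both the
# `require x v1.2.3` form and lines inside a `require ( ... )` block.
_REQUIRE_RE = re.compile(r"^\s*(?:require\s+)?([a-zA-Z0-9][\w.\-~]*(?:/[\w.\-~]+)+)\s+v\d")


def normalize(module_path: str) -> str:
    """Lower-case the path and strip -go/go- style decorations from each segment."""
    return "/".join(_DECORATION_RE.sub("", seg) for seg in module_path.lower().split("/"))


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def required_modules(go_mod: str) -> list:
    """Module paths required by a go.mod, in file order."""
    mods = []
    for line in go_mod.splitlines():
        m = _REQUIRE_RE.match(line)
        if m:
            mods.append(m.group(1))
    return mods


def find_lookalikes(go_mod: str, known=KNOWN_MODULES, max_distance: int = 1) -> list:
    """Return [(required_path, known_path, reason)] for paths that are not in `known`
    but sit within `max_distance` edits of one after normalisation."""
    normalized_known = {normalize(k): k for k in known}
    findings = []
    for mod in required_modules(go_mod):
        if mod in known:
            continue  # exact, intended dependency
        norm = normalize(mod)
        for nk, original in normalized_known.items():
            d = levenshtein(norm, nk)
            if d == 0:
                findings.append((mod, original, "identical after stripping decoration"))
            elif d <= max_distance:
                findings.append((mod, original, f"{d} edit(s) away"))
    return findings


# Constructed go.mod: two lookalikes among two legitimate requirements.
SAMPLE_GO_MOD = """\
module example.com/app

go 1.22

require (
\tgithub.com/boltdb-go/bolt v1.3.1
\tgithub.com/gorilla/mux v1.8.1
\tgithub.com/spf13/cobra v1.8.0 // indirect
\tgolang.org/x/cryto v0.31.0
)
"""

if __name__ == "__main__":
    for mod, known, reason in find_lookalikes(SAMPLE_GO_MOD):
        print(f"{mod} looks like {known}: {reason}")
```

The distance threshold of one edit is deliberately tight; raising it catches more squats but starts matching legitimately short, similar names, so tune it against your own allowlist rather than a global one.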
A Technical Deep Dive into Modern Phishing Methodologies
Modern phishing has moved well past a static HTML copy of a login page. Browser-in-the-Browser (BITB) kits draw a fake browser window, complete with a convincing address bar and realistic animations, inside the attacker’s page, so the usual “check the URL bar” advice fails; Attacker-in-the-Middle (AITM) kits reverse-proxy the real login flow and capture the session cookie issued after the victim completes MFA, which is why one-time codes and push approvals do not stop them; WebRTC-based techniques are covered as well. These campaigns lean on cloud-provider domains and layered infrastructure to look legitimate, on open redirects on trusted domains so that the first link a victim sees really does point at a brand they know, and on psychological pressure that exploits ordinary human biases. Only origin-bound, phishing-resistant MFA such as FIDO2/WebAuthn breaks the AITM pattern, because the credential is tied to the genuine site’s origin rather than to whatever page the user happens to be looking at.
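The open-redirect piece is the one defenders can fix in their own code, so here is an added example (not from the deep dive above) showing the usual vulnerable check beside a hardened one. trusted.example is a placeholder host and the test cases are constructed; the interesting ones are the scheme-relative //evil.example and the backslash variant /\evil.example, which the naive “starts with a slash” check waves through and browsers then treat as an external host.

```python
"""Open-redirect handling: the naive check beside a hardened one.

Added example, not taken from the linked deep dive. `trusted.example` is a
placeholder host; the cases are constructed.
"""
from urllib.parse import urljoin, urlsplit

ALLOWED_HOST = "trusted.example"
BASE = f"https://{ALLOWED_HOST}/"
FALLBACK = "/"


def redirect_naive(target: str) -> str:
    """Typical vulnerable logic: 'relative paths start with /, so they are safe'.
    Accepts //evil.example (scheme-relative URL) and /\\evil.example (browsers
    normalise the backslash to a slash), both of which leave the site."""
    return target if target.startswith("/") else FALLBACK


def redirect_hardened(target: str) -> str:
    """Resolve `target` against our own origin and accept it only if the result
    still points at ALLOWED_HOST over https, with no userinfo trickery."""
    if not target or any(ch in target for ch in "\\\r\n\t\x00"):
        return FALLBACK                 # backslash / control-char variants are never legitimate
    absolute = urljoin(BASE, target)    # '/x' -> https://trusted.example/x, '//h/x' -> https://h/x
    parts = urlsplit(absolute)
    if parts.scheme != "https":
        return FALLBACK                 # javascript:, data:, or an http: downgrade
    if parts.username is not None or parts.password is not None:
        return FALLBACK                 # https://trusted.example@evil.example/
    if (parts.hostname or "") != ALLOWED_HOST:
        return FALLBACK                 # evil.example, trusted.example.evil.example
    return absolute


# Constructed cases: (target, should the hardened check keep it?)
CASES = [
    ("/account/settings", True),
    ("/account?next=%2Fbilling", True),
    ("https://trusted.example/dashboard", True),
    ("//evil.example/login", False),
    ("/\\evil.example", False),
    ("https://trusted.example.evil.example/", False),
    ("https://trusted.example@evil.example/", False),
    ("javascript:alert(1)", False),
    ("http://trusted.example/", False),
]


def evaluate() -> dict:
    """For each case: did the naive and hardened versions let the redirect through?"""
    return {
        target: {
            "naive_allows": redirect_naive(target) != FALLBACK,
            "hardened_allows": redirect_hardened(target) != FALLBACK,
            "expected": expected,
        }
        for target, expected in CASES
    }


if __name__ == "__main__":
    for target, verdict in evaluate().items():
        print(f"{target!r:45} naive={verdict['naive_allows']!s:5} hardened={verdict['hardened_allows']}")
```

The hardened version deliberately rebuilds an absolute URL and compares the parsed hostname, rather than pattern-matching the raw string; string prefix checks are exactly what the lookalike and userinfo cases are designed to defeat.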
Password reuse is rampant: nearly half of observed user logins are compromised
Cloudflare analysed authentication traffic to sites behind its network between September and November 2024 and found that 41% of successful human logins used a password already present in a known breach. Bots drove 95% of all login attempts made with leaked credentials, which is what credential stuffing looks like at scale: attackers replay stolen username and password pairs across unrelated services and succeed wherever the user reused them. Content management systems, WordPress in particular, were the favourite target. The practical takeaway is that a correct password is no longer proof of a legitimate user; login flows need a leaked-credential check and a step-up or forced reset when it fires.
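A leaked-credential check does not require shipping passwords, or even full hashes, to a third party. The added example below (not Cloudflare’s implementation) reproduces the k-anonymity range lookup popularised by Have I Been Pwned’s Pwned Passwords API: the client sends only the first five hex characters of SHA-1(password), the server returns every suffix it knows under that prefix, and the comparison happens client-side. The breach corpus is a tiny constructed set so the demo runs offline, and login_decision is this example’s own policy hook for the “valid but leaked” case the Cloudflare numbers describe.

```python
"""Check a login password against a breach corpus without revealing the password.

Added example, not Cloudflare's implementation. Mirrors the k-anonymity range
lookup used by Have I Been Pwned's Pwned Passwords API. The corpus is constructed.
"""
import hashlib
from collections import Counter

# Constructed "leaked" corpus: plaintext -> how many breaches it appeared in.
_LEAKED_PASSWORDS = Counter({"password": 9_000_000, "123456": 40_000_000,
                             "qwerty": 4_000_000, "letmein": 300_000})
# What the server actually stores: upper-case SHA-1 hex digest -> count.
BREACH_CORPUS = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper(): n
                 for p, n in _LEAKED_PASSWORDS.items()}

PREFIX_LEN = 5  # the same split HIBP uses: 5 hex chars = 20 bits of the digest


def range_lookup(prefix: str) -> dict:
    """Server side: all suffixes in the corpus whose digest starts with `prefix`.
    The server learns only 20 bits of the hash, never the password or the full digest."""
    prefix = prefix.upper()
    if len(prefix) != PREFIX_LEN:
        raise ValueError("prefix must be exactly 5 hex characters")
    return {h[PREFIX_LEN:]: n for h, n in BREACH_CORPUS.items() if h.startswith(prefix)}


def leaked_count(password: str, lookup=range_lookup) -> int:
    """Client side: hash locally, query by prefix, compare suffixes locally.
    Returns the breach count (0 when the password is not in the corpus)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    return lookup(prefix).get(suffix, 0)


def login_decision(password: str, credentials_valid: bool) -> str:
    """Policy hook at the point the Cloudflare numbers describe. A correct password
    that is also a leaked one is a successful login you should not let stand:
    'deny' for a wrong password, 'reset_required' for a valid but leaked one,
    'allow' otherwise."""
    if not credentials_valid:
        return "deny"
    return "reset_required" if leaked_count(password) else "allow"


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: seen in {leaked_count(pw)} breaches -> {login_decision(pw, True)}")
```

Against the real API the client would issue an HTTPS GET for the prefix and parse the returned suffix:count lines, but the privacy property is the same as in the local mock: the service only ever sees a 20-bit prefix, so a match or a miss is indistinguishable to it.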
Bounty Hunter: A Hacker Origin Story
The Bounty Hunter is a new plugin for MITRE Caldera that makes adversary emulation less predictable: instead of walking a predefined playbook, it chooses each next action by weighted random selection among the abilities whose prerequisites are currently satisfied, and it extends Caldera to cover initial access and privilege escalation rather than only post-compromise activity. The authors demonstrate it reproducing a multi-step APT29-style chain, gathering the facts each later step needs as it goes. Its contributions are the deliberate uncertainty in attack planning, the broader kill-chain coverage, and configurable options for tuning how the emulated attacker behaves.
Operation AkaiRyū: MirrorFace invites Europe to Expo 2025 and revives ANEL backdoor
In Operation AkaiRyū, the China-aligned MirrorFace APT group expanded its targeting beyond Japan and attacked a Central European diplomatic institute with a spearphishing campaign themed around Expo 2025, the first known European target for this actor. The group revived the ANEL backdoor, previously thought abandoned, and deployed a customised AsyncRAT. Its tradecraft leans on legitimate Windows features rather than bespoke tooling: malware was run inside Windows Sandbox to keep it out of sight of host-based security products, and Visual Studio Code remote tunnels provided persistent, stealthy remote access that blends in with developer traffic. Both deserve a detection rule on hosts where neither feature has a business reason to run.
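As an added example (not from the report above), the detection logic below covers both living-off-the-land behaviours over a few constructed process-creation events in a simplified Sysmon-style format (timestamp|parent image|image|command line). The process names are assumptions from how the features ship rather than indicators from the report: WindowsSandbox.exe consumes .wsb configuration files, and the VS Code CLI starts a tunnel with the tunnel subcommand of code.exe or code-tunnel.exe. The third sample line, a normal editor launch with “tunnel” in a folder name, is there to show the rule matches the subcommand and not a substring.

```python
"""Detect two living-off-the-land behaviours attributed to MirrorFace: running
malware inside Windows Sandbox, and keeping access via a VS Code remote tunnel.

Added example, not from the report. Events are a simplified Sysmon-style
process-creation record (timestamp|parent image|image|command line); every line
below is constructed. Process names are assumptions about how the features ship.
"""
import re
from typing import List

# Constructed sample telemetry.
SAMPLE_EVENTS = """\
2025-03-18T09:12:03Z|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\WindowsSandbox.exe|WindowsSandbox.exe C:\\Users\\u\\AppData\\Local\\Temp\\run.wsb
2025-03-18T09:12:40Z|C:\\Windows\\System32\\cmd.exe|C:\\Users\\u\\AppData\\Local\\Programs\\Microsoft VS Code\\bin\\code-tunnel.exe|"code-tunnel.exe" tunnel --accept-server-license-terms --name dev-01
2025-03-18T09:13:00Z|C:\\Windows\\explorer.exe|C:\\Users\\u\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe|"Code.exe" C:\\proj\\tunnel-tests
2025-03-18T09:14:11Z|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe C:\\Users\\u\\notes.txt
"""

# `tunnel` must be the first argument after the executable, not a substring of a path.
_VSCODE_TUNNEL_RE = re.compile(r'^\s*"?[^"|]*?code(?:-tunnel)?(?:\.exe|\.cmd)?"?\s+tunnel\b', re.I)
# .wsb files are Windows Sandbox configurations; one that maps a host folder and
# sets a LogonCommand is how a payload gets executed inside the sandbox.
_WSB_RE = re.compile(r"\.wsb\b", re.I)
_VSCODE_IMAGES = {"code.exe", "code-tunnel.exe"}


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events_text: str) -> List[dict]:
    """Run both rules over pipe-delimited events; return one alert per hit."""
    alerts = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ts, parent, image, cmdline = line.split("|", 3)
        image_name = _basename(image)
        base = {"ts": ts, "image": image_name, "parent": _basename(parent), "cmdline": cmdline}
        if image_name == "windowssandbox.exe":
            alerts.append({**base, "rule": "windows_sandbox_launch",
                           "wsb_config": bool(_WSB_RE.search(cmdline))})
        if image_name in _VSCODE_IMAGES and _VSCODE_TUNNEL_RE.match(cmdline):
            alerts.append({**base, "rule": "vscode_remote_tunnel"})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["ts"], alert["rule"], alert["parent"], "->", alert["cmdline"])
```

In production these rules are noisy on developer workstations, where both features are legitimate; scope them to fleets where Windows Sandbox and VS Code tunnels are not expected, or pair the tunnel rule with outbound connections to the tunnel relay from non-developer hosts.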