As we look at the remainder of 2025 and beyond, the pace and sophistication of cyber attacks targeting the financial sector show no signs of slowing. In fact, based on research from Check Point’s Q2 Ransomware Report, the financial cybersecurity threat landscape is only intensifying. Gone are the days when the average hacker was a..

The post How Financial Institutions Can Future-Proof Their Security Against a New Breed of Cyber Attackers appeared first on Security Boulevard.

According to the Thales Consumer Digital Trust Index 2025, global confidence in digital services is slipping fast. After surveying more than 14,000 consumers across 15 countries, the findings are clear: no sector earned high trust ratings from even half its users. Most industries are seeing trust erode — or, at best, stagnate. In an era..

The post The Trust Crisis: Why Digital Services Are Losing Consumer Confidence appeared first on Security Boulevard.

Alan reflects on a turbulent year in DevSecOps, highlighting the rise of AI-driven security, the maturing of hybrid work culture, the growing influence of platform engineering, and the incredible strength of the DevSecOps community — while calling out the talent crunch, tool sprawl and security theater the industry must still overcome.

The post What I’m Thankful for in DevSecOps This Year: Living Through Interesting Times appeared first on Security Boulevard.

Security is reaching a breaking point as growing technical complexity becomes a major risk vector. Learn why modern systems amplify threats—and how to stay ahead.

The post Security is at a Tipping Point: Why Complexity is the New Risk Vector  appeared first on Security Boulevard.

You may have noticed that large pieces of the Internet were down on Tuesday. It was a problem at Cloudflare, and for once, it wasn’t DNS. This time it was database management, combined with a safety limit that failed unsafe when exceeded.

Cloudflare’s blog post on the matter has the gritty details. It started with an update to how Cloudflare’s ClickHouse distributed database was responding to queries. A query of system columns was previously only returning data from the default database. As a part of related work, that system was changed so that this query now returned all the databases the given user had access to. In retrospect it seems obvious that this could cause problems, but it wasn’t predicted to cause problems. The result was that a database query to look up bot-management features returned the same features multiple times.

That featurelist is used to feed the Cloudflare bot classification system. That system uses some AI smarts, and runs in the core proxy system. There are actually two versions of the core proxy, and they behaved a bit differently when the featurelist exceeded the 200 item limit. When the older version failed, it classified all traffic as a bot. The real trouble was the newer Rust code. That version of the core proxy threw an error in response, leading to 5XX HTTP errors, and the Internet-wide fallout.

Dangling Azure

There’s a weird pitfall with cloud storage when a storage name is used and then abandoned. It’s very much like what happens when a domain name is used and then allowed to expire: Someone else can come along and register it. Microsoft Azure has its own variation on this, in the form of Azure blob storage. And the folks at Eye Security’s research team found one of these floating blobs in an unexpected place: In Microsoft’s own Update Health Service.

The 1.0 version of this tool was indeed exploitable. A simple payload hosted on one of these claimed blob endpoints could trigger an explorer.exe execution with an arbitrary parameter, meaning trivial code execution. The 1.1 version of the Update Health Service isn’t vulnerable by default, requiring a registry change before reaching out to the vulnerable blob locations. That said, there are thousands of machines looking to these endpoints that would be vulnerable to takeover. After the problem was reported, Microsoft took over the blob names to prevent any future misuse.

BADAUDIO

There’s a new malware strain from APT24, going by the name BADAUDIO. Though “new” is a bit of a misnomer here, as the first signs of this particular malware were seen back in 2022. What is new is that Google Threat Intelligence reporting on it. The campaign uses multiple techniques, like compromising existing websites to serve the malware in “watering hole” attacks, to spam and spearphishing.

Notable here is how obfuscated the BADAUDIO malware loader is, using control flow flattening to resist analysis. First consider how good code uses functions to group code into logical blocks. This technique does the opposite, putting code into blocks randomly. The primary mechanism for execution is DLL sideloading, where a legitimate application is run with a malicious DLL in its search path, again primarily to avoid detection. It’s an extraordinarily sneaky bit of malware.

Don’t Leave The Defaults

There’s an RCE (Remote Code Execution) in the W3 Total Cache WordPress plugin. The vulnerability is an eval() that can be reached by putting code in a page to be cached. So if a WordPress site allows untrusted comments, and has caching enabled, there’s just one more hurdle to clear. And that is the W3TC_DYNAMIC_SECURITY value, which seems to be intended to stave off exactly this sort of weakness. So here’s the lesson, don’t leave this sort of security feature default.

Not a Vulnerability

We have a trio of stories that aren’t technically vulnerabilities. The first two are in the mPDF library, that takes HTML code and generates PDFs — great for packaging documentation. The first item of interest in mPDF is the handling of @import css rules. Interestingly, these statements seem to be evaluated even outside of valid CSS, and are handled by passing the URL off to curl to actually fetch the remote content. Those URLs must end in .css, but there’s no checking whether that is in a parameter or not. So evil.org/?.css is totally valid. The use of curl is interesting for another reason, that the Gopher protocol allows for essentially unrestricted TCP connections.

The next quirk in mPDF is in how .svg files are handled. Specifically, how an image xlink inside an svg behaves, when it uses the phar:// or php:// prefixes. These are PHP Archive links, or a raw php link, and the mPDF codebase already guards against such shenanigans, matching links starting with either prefix. The problem here is that there’s path mangling that happens after that guard code. To skip straight to the punchline, :/phar:// and :/php:// will bypass that filter, and potentially run code or leak information.

Now the big question: Why are neither of those vulnerabilities? Even when one is a bypass for a CVE fix from 2019? Because mPDF is only to be used with sanitized input, and does not do that sanitization as part of its processing. And that does check out. It’s probably the majority of tools and libraries that will do something malicious if fed malicious input.

There’s one more “vulnerable” library, esbuild, that has an XSS (Cross Site Scripting) potential. It comes down to the use of escapeForHTML(), and the fact that function doesn’t sanitize quotation marks. Feed that malicious text, and the unescaped quotation mark allows for plenty of havoc. So why isn’t this one a vulnerability? Because the text strings getting parsed are folder names. And if you can upload an arbitrary folder to the server where esbuild runs, you already have plenty of other ways to run code.

Bits and Bytes

There’s another Fortinet bug being exploited in the wild, though this one was patched with FortiWeb 8.0.2. This one gets the WatchTowr treatment. It’s a path traversal that bypasses any real authentication. There are a couple of validation checks that are straightforward to meet, and then the cgi_process() API can be manipulated as any user without authentication. Ouch.

The Lite XL text editor seems pretty nifty, running on Windows, Linux, and macOS, and supporting lua plugins for extensibility. That Lua code support was quite a problem, as opening a project would automatically run the .lua configuration files, allowing direct use of os.execute(). Open a malicious project, run malicious code.

And finally, sometimes it’s the easy approach that works the best. [Eaton] discovered A Cracker Barrel administrative panel built in React JS, and all it took to bypass authentication was to set isAuthenticated = true in the local browser. [Eaton] started a disclosure process, and noticed the bug had already been fixed, apparently discovered independently.

Dogfooding is usually a good thing: That’s when a company uses their own code internally. It’s not so great when it’s a cloud company, and that code has problems. Oracle had this exact problem, running the Oracle Identity Governance Suite. It had a few authentication bypasses, like the presence of ?WSDL or ;.wadl at the end of a URL. Ah, Java is magical.

Venture funds have longer timelines than anyone planned for, compelling LPs to rip up and rebuild their allocation models.

Let’s talk about LANDFALL. That was an Android spyware campaign specifically targeted at Samsung devices. The discovery story is interesting, and possibly an important clue to understanding this particular bit of commercial malware. Earlier this year Apple’s iOS was patched for a flaw in the handling of DNG (Digital NeGative) images, and WhatsApp issued an advisory with a second iOS vulnerability, that together may have been used in attacks in the wild.

Researchers at Unit 42 went looking for real-world examples of this iOS threat campaign, and instead found DNG images that exploited a similar-yet-distinct vulnerability in a Samsung image handling library. These images had a zip file appended to the end of these malicious DNG files. The attack seems to be launched via WhatsApp messaging, just like the iOS attack. That .zip contains a pair of .so shared object files, that are loaded to manipulate the system’s SELinux protections and install the long term spyware payload.

The earliest known sample of this spyware dates to July of 2024, and Samsung patched the DNG handling vulnerability in April 2025. Apple patched the similar DNG problem in August of 2025. The timing and similarities do suggest that these two spyware campaigns may have been related. Unit 42 has a brief accounting of the known threat actors that could have been behind LANDFALL, and concludes that there just isn’t enough solid evidence to make a determination.

Not as Bad as it Looks

Watchtowr is back with a couple more of their unique vulnerability write-ups. The first is a real tease, as they found a way to leak a healthy chunk of memory from Citrix NetScaler machines. The catch is that the memory leak is a part of an error message, complaining that user authentication is disabled. This configuration is already not appropriate for deployment, and the memory leak wasn’t assigned a CVE.

There was a second issue in the NetScaler system, an open redirect in the login system. This is where an attacker can craft a malicious link that points to a trusted NetScaler machine, and if a user follows the link, the NetScaler will redirect the user to a location specified in the malicious link. It’s not a high severity vulnerability, but still got a CVE and a fix.

Worse than it Looks

And then there’s the other WatchTowr write-up, on Monsta FTP. Here, old vulnerabilities continue to work in versions released after the fix. The worst one here is an unauthenticated RCE (Remote Code Execution) that can be pulled off by asking the server nicely to connect to a remote SFTP server and download a file. In this case, the specified path for saving that file isn’t validated, and can be written anywhere to the Monsta FTP filesystem. Instant webshell. This time it did get fixed, within a couple weeks of WatchTowr sending in the vulnerability disclosure.

Imunify AV

Antivirus software Imunify just fixed an issue that threatened a few million servers. Imunify is an antivirus product that scans for malicious code. It sounds great. The problem is that it worked to deobfuscate PHP code, by calling an executeWrapper helper function. The short explanation is that this approach wasn’t as safe as had been hoped, and this deobfuscation step can be manipulated into running malicious code itself. Whoops.

Patchstack reported on this issue, and indicated that it had been publicly known since November 4th. Patches have since been issued, and a simple message has been published that a critical security vulnerability has been fixed. There is a PoC (Proof of Concept) for this vulnerability, that would be trivial to develop into a full webshell. The only challenge is actually getting the file on a server to be scanned. Either way, if your servers run Imunify, be sure to update!

IndonesianFoods

There’s another NPM worm on the loose, and this one has quietly been around for a couple years. This one is a bit different, and the “malicious” packages aren’t doing anything malicious, at least not by default.

[Paul McCarty] first spotted this campaign, and gave it the name “IndonesianFoods”, inspired by the unique names the fake packages were using. It appears that a handful of malicious accounts have spent time running a script that generates these fake packages with unique names, and uploads them to NPM. Downloading one of these packages doesn’t run the script on the victim machine, and in fact doesn’t seem to do anything malicious. So what’s the point?

Endor Labs picked up this thread and continued to pull. The point seems to be TEA theft. That’s the Blockchain tech that’s intended to reward Open Source project and contributions. It’s yet another abuse of NPM, which has had a rough year.

Rusty Sudo

Canonical made a bold decision with Ubuntu 25.04, shipping the uutils Rust rewrite of coreutils and sudo-rs. That decision was controversial, and has proven to be a cause of a few issues. Most recently, the sudo-rs utility has made news due to security vulnerabilities. We know the details on a few of the issues fixed in this update of those, CVE-2025-64170. It’s a quirk when a user types a password into the prompt, but never presses return. The prompt times out, and the typed characters are echoed back to the terminal.

Another issue doesn’t have a CVE assigned yet, but is available as a GitHub Security Advisory, and the patch is published. This one has the potential to be an authentication bypass. Sudo has the feature that tracks how long it has been since the user has last authenticated. The flaw was that this state was leaking between different users, allowing a login by one user to count as a login for other users, allowing that password skip.

Bits and Bytes

And finally, there’s a bit of good news, even if it is temporary. Google has taken action against one of the larger SMS scam providers. The group operates under the name Lighthouse, and seems to use normal cloud infrastructure to run the scams, simply flying under the radar for now. Google has combined legal action with technical, and with any luck, law enforcement can join in on the fun.

Cyber adversaries aren’t standing still, and our defenses can’t either. In an environment where government networks face relentless, increasingly sophisticated attacks, it’s evident that perimeter-based security models belong in the past. A zero trust framework redefines the approach: Every user, device, and connection is treated as unverified until proven otherwise, or “trust but verify.” By assuming breach, zero trust delivers what today’s government missions demand: speed, resilience and the ability to contain damage before it spreads.

To truly operationalize zero trust, agencies must look beyond theory and embrace emerging technologies. Many federal organizations are already turning to artificial intelligence and digital twins to get there. A digital twin — a software-based replica of a real-world network — creates an invaluable proving ground. Rather than waiting for an adversary to strike live systems, agencies can safely simulate cyberattacks, test and refine policies, and validate updates before deployment. In my view, this marks a fundamental shift: Digital twins aren’t just a tool, they represent the future of proactive cyber defense, where learning, adaptation and resilience happen before a crisis, not after.

This approach doesn’t just strengthen agency defenses; it also streamlines operations. Instead of maintaining expensive, outdated physical labs, agencies can rely on digital twins to keep pace with evolving cyber threats. Most recently, a large government agency demonstrated the power of this approach by overcoming years of technical debt, rapidly reconfiguring critical systems, and building a testing environment that delivered greater speed, precision and efficiency that advanced their mission and operational goals.

Strategies for anticipating compromise while ensuring operational resilience

Digital twins offer significant potential for enhancing cybersecurity, yet their widespread adoption remains nascent due to several challenges, including budget constraints and agency inertia. Agencies can reference established frameworks such as the National Institute of Standards and Technology SP 800-207 and the Cybersecurity Infrastructure and Security Agency Zero Trust Maturity Model, to guide their zero trust journeys. However, with various legacy systems, cloud services and devices, agencies require zero trust capabilities for their specific needs. The core challenge for government then becomes how to proactively implement effective zero trust strategies that anticipate compromises while ensuring continued operations.

To address these challenges and effectively implement zero trust, here are key actions for agency leaders to consider that include people, process and tools:

• People

Embrace change management

Zero trust implementation is as much about people and process as it is about technology. To foster cross-team buy-in, agencies must clearly articulate the “why” behind zero trust. Instead of just a technical mandate, zero trust should be framed as a strategy to improve security and efficiency. This involves creating a shared understanding of the framework’s benefits and how it impacts each team member.

Quantify and communicate value

Measuring the ROI of zero trust is complex, as preventing incidents yields invisible benefits. How will you define success: reduced risk, faster compliance, operational consistency? Agencies should set milestones for measuring security posture improvements and regulatory progress while recognizing the limitations of conventional ROI calculations.

• Process

Adopt zero trust as a damage-limitation strategy

Rather than asking, “How do we stop every breach?” agencies should take steps to shift from prevention-only thinking to dynamic containment and defense, such as:

• Developing an incident response plan that outlines roles, responsibilities and communication protocols for cyberattack stages.
• Conducting regular tabletop exercises and simulations to test the plan’s effectiveness and find improvement areas.
• Automating security workflows to accelerate response times and reduce human error.

Be thorough with zero trust planning

According to public sector best practices, projects with 90% planning and 10% execution are far more likely to succeed. Agency technology and information leaders should take an active role in driving zero trust transformation, ensuring comprehensive planning, stakeholder engagement, and organizational buy-in are prioritized from the outset.

• Tools

Leverage digital twins

Agencies are turning to emerging technology, including AI and digital twins, to keep pace with threat actors. Government IT and SecOps teams can deploy digital twins to simulate attacks, validate controls and reduce costly physical testing environments. Digital twins should also be considered a safe space for agencies to experiment, identify vulnerabilities, and optimize policies before deployment — an invaluable asset for agencies navigating mixed legacy and cloud ecosystems. Moreover, model-based systems engineering and agile approaches, paired with digital twins, can empower agencies to “rehearse” security incidents and fine-tune architectures.

Tackle tool sprawl using informed consolidation

The sheer volume of disparate vendors and tools can undermine even the best zero trust architecture. Utilizing digital twins to map and simulate your IT environment allows for thoughtful consolidation without sacrificing security or compliance. Lastly, agencies should identify where they are duplicating capabilities and envision a streamlined, mission-focused toolset.

Accelerating zero trust at scale

To address the pace and complexity of future threats, government agencies must act boldly by embracing zero trust not only as a framework but also as a fundamental mindset for continual adaptation and resilience.

By harnessing the power of technologies like AI and digital twins, modernizing planning and response strategies, and committing to cross-team collaboration, agencies can outmaneuver adversaries and protect their most critical missions.

The path forward is clear: Operational resilience is achieved by investing today in future-ready strategies that anticipate compromise, ensure continuity and empower every stakeholder to play a proactive role in defense.

 

 

John Fair is vice president of Air Force sales and account management at Akima.

The post Merging zero trust with digital twins: The next frontier in government cyber resilience first appeared on Federal News Network.

© Getty Images/Alexander Sikov

Bitcoin Magazine

Btrust Names Bitcoin Core Contributor Abubakar Nur Khalil as New CEO

Bitcoin development nonprofit Btrust has named Nigerian Bitcoin Core contributor Abubakar Nur Khalil as its new chief executive officer, the organization announced today. 

Khalil had previously served as interim CEO while sitting on the board as a non-voting member. Khalil will step down from his board position and report directly to the organization’s directors in the full-time role. 

His three-year term is renewable once.

Founded to support open-source Bitcoin development in the Global South, Btrust has expanded its footprint across Africa, Latin America, and India over the past year. The non-profit received initial funding from Jay-Z and Jack Dorsey.

During his interim leadership, the group increased partnerships with organizations including Bitshala, Vinteum and 2140, and reported record grant distribution. 

Since mid-2024, Btrust says it has issued more than $1.7 million in funding, with over half going directly to developers.

Khalil co-founded Btrust Builders, an initiative focused on growing the open-source developer pipeline in emerging markets. He is recognized as a prominent advocate for Bitcoin development in Africa.

“I’m honored to have led Btrust as interim CEO over the past year,” Khalil said in a statement, adding that he aims to strengthen the organization’s systems and scale its impact in 2026 and beyond. “Ensuring that Bitcoin continues to be a money that works for everyone worldwide.”

Board member Obi Nwosu said Khalil is well-positioned to guide Btrust through its next phase as it builds out long-term programs and developer support infrastructure. 

The organization said continuity will be a major focus as it transitions from early-stage growth to broader execution.

Btrust’s board launched the CEO search in July, citing the need for dedicated leadership as its programming expands globally. The organization said the appointment marks “a meaningful next chapter” in its mission to strengthen decentralized Bitcoin development.

Abubakar Nur Khalil will also be speaking at Bitcoin MENA, happening December 8–9, 2025, at the ADNEC Center in Abu Dhabi.

"BITCOIN IS MONEY."

We're thrilled to announce Btrust CEO, Abubakar Nur Khalil, to speak at Bitcoin MENA! pic.twitter.com/1ozbQyNBoK

— Bitcoin MENA Conference (@bitcoinmenaconf) October 30, 2025

This post Btrust Names Bitcoin Core Contributor Abubakar Nur Khalil as New CEO first appeared on Bitcoin Magazine and is written by Micah Zimmerman.

Serverless architectures have fundamentally altered the cybersecurity landscape, creating attack vectors that traditional security models cannot address. After…

Discover why lateral movement is a key tactic in cyber breaches and how defenders can strengthen security by focusing on this critical threat vector.

Varun Uppal, founder and CEO of Shinobi Security Over the weekend, airports across Europe were thrown into chaos after a cyber-attack on one of their technology suppliers rippled through airline...

The post When Airports Go Dark: What The Weekend’s Cyber-attacks Tell Us About Business Risk appeared first on Cyber Defense Magazine.

Reinventing Browser Security for the Enterprise The Browser: Enterprise’s Biggest Blind Spot On any given day, the humble web browser is where business happens – email, SaaS apps, file sharing,...

The post Innovator Spotlight: Seraphic appeared first on Cyber Defense Magazine.

AI agents use the same networking infrastructure as users and apps. So security solutions like zero trust should evolve to protect agentic AI communications.

Zero Trust: The Unsung Hero of Cybersecurity Cybersecurity professionals are drowning in complexity. Acronyms fly like digital confetti, vendors promise silver bullets, and CISOs find themselves perpetually playing catch-up with...

The post Innovator Spotlight: OPSWAT appeared first on Cyber Defense Magazine.

The Silent Threat: Why Your AI Could Be Your Biggest Security Vulnerability Imagine a digital Trojan horse sitting right in the heart of your organization’s most valuable asset – your...

The post Innovator Spotlight: DataKrypto appeared first on Cyber Defense Magazine.

Cisco Secure Workload is foundational for organizations seeking to implement an effective microsegmentation strategy. It empowers orgs to safeguard assets.

Phishing isn’t what it used to be. It’s no longer fake emails with bad grammar and sketchy links. With AI, modern phishing attacks have become slicker, more convincing, and dangerously...

The post Why Enterprises Need Preemptive Cybersecurity to Combat Modern Phishing appeared first on Cyber Defense Magazine.