company logo

Product

Our Product

We are Reshaping the way Developers find and fix vulnerabilities before they get exploited.

Bulk IP/Domain Lookup

Threatspy

Solutions

By Industry

BFSI

Healthcare

Education

IT & Telecom

Government

By Role

CISO

Application Security Engineer

DevsecOps Engineer

IT Manager

Resources

Resource Library

Get actionable insight straight from our threat Intel lab to keep you informed about the ever-changing Threat landscape.

Subscribe to Our Weekly Threat Digest

Company

Contact Us

Have queries, feedback or prospects? Get in touch and we shall be with you shortly.

loading..
loading..
loading..
Loading...

Vulnerability

Cloud Security

loading..
loading..
loading..

ownCloud Alert: Severe Vulnerabilities Exposing Admin Credentials

Dive into the code risks of ownCloud's critical vulnerabilities, exposing admin credentials. Learn urgent fixes for robust defense.

25-Nov-2023
4 min read

No content available.

Related Articles

loading..

Debian

Backdoor

Over a year later, 35 Docker Hub images still hide the critical XZ backdoor, ris...

A highly sophisticated backdoor (CVE‑2024‑3094) was discovered in the Linux XZ‑Utils compression library—specifically in the `liblzma.so` component of versions 5.6.0 and 5.6.1. The compromised code was carefully introduced by a contributor known as “Jia Tan,” exploiting the glibc IFUNC mechanism to hijack OpenSSH's `RSA_public_decrypt` function. If triggered—via having the right Ed448 private key—this flaw could grant remote root access over SSH to affected systems. Debian, Fedora, OpenSUSE, Red Hat, and others shipped packages containing this backdoor, though thankfully—due to its early detection—it largely avoided widespread deployment into production systems. ## Discovery of the Compromise ### How the Backdoor Was Detected Andres Freund—a developer at Microsoft and contributor to PostgreSQL—first noticed anomalous SSH behavior on Debian Sid. SSH sessions were triggering unusually high CPU consumption and Valgrind errors, prompting deeper investigation. Freund traced the issue back to `liblzma`, revealing the malicious injection. He promptly reported the issue to the oss‑security mailing list on March 29, 2024. ### How the Injection Unfolded Over roughly two years, a contributor using multiple pseudonyms—including “Jia Tan” and “JiaT75”—slowly gained trust in the XZ‑Utils project. Once granted maintainer privileges, this actor published version 5.6.0 containing the backdoor, followed by 5.6.1, which attempted to conceal test anomalies. The malicious payload resided in specially crafted test files and a manipulated `build-to-host.m4` script, packaged with release tarballs but not present in the source repository, ensuring stealth during builds for x86-64 via dpkg or RPM. Security experts have noted the operation’s sophistication and speculate a possible state‑sponsored effort given its duration, obfuscation tactics, and high operational security, citing parallels to APT29/[Cosy Bear](https://www.secureblink.com/cyber-security-news/how-russian-hackers-leveraged-spyware-exploits-from-nso-group-and-intellexa-in-watering-hole-attacks). ## Docker Hub's Backdoor Persistence ### Transitive Infection in Container Ecosystems Fast forward to August 2025, and the backdoor problem has resurfaced in a new form: Docker Hub images. Binarly researchers uncovered at least 35 publicly accessible Docker images—including Debian base images—that still embed the compromised XZ‑Utils libraries. Even more concerning, derivative images built on these bases are transitively infected. A recent issue raised on GitHub further confirmed this: 10 official Debian base image tags were identified as still containing the backdoor, urging their removal. ### Debian’s Controversial Decision: Retain Rather Than Remove Rather than removing these compromised images, Debian claimed they serve as historical artefacts and advised users to avoid using outdated image tags. Binary criticised this decision, noting that such photos could be unknowingly pulled or used in CI/CD pipelines, continuing the risk. ### A Vulnerability Concealed in Trust and Transparency This incident highlights vulnerabilities that arise when open-source maintenance ecosystems trust contributors implicitly. The backdoor’s insertion relied on a long game: gaining commit and release rights, then hiding malicious code in build artefacts. This strategy eluded typical code review and repository audit mechanisms. ### Container Systems Amplifying the Risk Docker’s popularity and convenience—especially using base images from trusted sources—can inadvertently propagate deep‑rooted supply chain threats. Once an infected base is published, every descendant container becomes compromised, often without scrutiny. ### Immediate Mitigation Steps Security agencies like CISA swiftly recommended downgrading to safe XZ‑Utils versions. Red Hat, SUSE, Debian, and others reverted to pre‑backdoor builds. Canonical delayed Ubuntu 24.04 LTS beta to conduct a full binary rebuild, ensuring no compromised packages slipped through. Scanners from Binarly, Kaspersky, and others were made available to help detect the backdoor in systems and container images.

loading..   13-Aug-2025
loading..   4 min read
loading..

NetScaler

Netherlands’ NCSC: active CVE-2025-6543 exploits on NetScaler—zero-day since May...

The Netherlands’ National Cyber Security Centre (NCSC-NL) confirmed that a critical Citrix NetScaler flaw, **CVE-2025-6543**, is being exploited to break into multiple Dutch critical-sector organizations. The agency’s investigation found **malicious web shells on compromised NetScaler appliances** and evidence that attackers **deliberately erased traces** to hinder forensics. ## How the attacks work * **The bug:** CVE-2025-6543 is a **memory overflow** leading to **unintended control flow** and potential **DoS** when NetScaler ADC/Gateway is configured as a **Gateway or AAA virtual server**. In practice, steering execution flow enables post-exploitation actions on the device. * **Zero-day window:** NCSC-NL assesses exploitation **began in early May 2025**—weeks **before public disclosure (June 25)**—making it a true **zero-day**. * **Post-exploitation:** Investigators found **web shells** placed on NetScaler systems—lightweight backdoors that give remote command execution—consistent with attackers first gaining a foothold via the flaw and then **establishing persistence** while **wiping logs/artifacts** to evade detection. ## Why it’s happening * **Edge exposure:** NetScaler ADC/Gateway often sits **internet-facing** to broker VPN/remote access; compromise can become an **enterprise entry point**. * **High impact, high reward:** A CVSS 9.2 gateway-context flaw is attractive to capable actors; NCSC-NL characterizes the activity as **sophisticated** with **operational security** * **Patch/response gaps:** Appliances may be **slow to patch** and, critically, **patching alone does not evict intruders** if sessions/backdoors persist—hence the emphasis on **session invalidation** and **IOC hunting**. ## How it surfaced * **May 2025:** Earliest attacker activity inferred from forensics at victim orgs. ([ncsc.nl][2]) * **June 25, 2025:** Vendor advisory published for CVE-2025-6543. ([support.citrix.com][4]) * **June 30, 2025:** CISA adds CVE-2025-6543 to the **Known Exploited Vulnerabilities (KEV)** catalog, confirming in-the-wild exploitation. ([cisa.gov][5]) * **July 16, 2025:** NCSC-NL **detects exploitation** at Dutch organizations; multiple entities later confirm compromise indicators. ([ncsc.nl][2]) * **Aug 11, 2025:** NCSC-NL issues an updated case report; **Aug 12** reporting underscores active exploitation and sectoral impact. ## Current status & what defenders must do now **Investigations are ongoing; scope and impact are still being mapped.** Meanwhile, both NCSC-NL and Citrix/NetScaler urge immediate remediation and compromise checks: **1) Patch to fixed builds (or later):** * **14.1-47.46** (ADC/Gateway) * **13.1-59.19** (ADC/Gateway) * **13.1-37.236** (**FIPS** / **NDcPP**) > Note: 12.1 and 13.0 are EOL; upgrade to supported releases. ([support.citrix.com][4]) **2) Invalidate potentially hijacked sessions after patching:** Run on the appliance to wipe live/”sticky” sessions: * `kill icaconnection -all` * `kill pcoipConnection -all` * `kill aaa session -all` * `kill rdp connection -all` * `clear lb persistentSessions` ([The Hacker News][1]) **3) Hunt for persistence/IOCs:** * Look for **anomalous `.php` files** in NetScaler system folders, **new/high-privilege accounts**, and other tampering. ([ncsc.nl][2]) * Use the **NCSC-NL detection script** (`TLPCLEAR_check_script_cve-2025-6543`); export and review `/var/log/custom_checks.log`. ([GitHub][6]) **4) Assume breach; go layered:** NCSC-NL stresses **defense-in-depth**, robust **logging/forensic readiness**, and **network segmentation** so a single edge device bypass doesn’t become a full network compromise. ## The bottom line This is a **live, stealthy campaign** against widely deployed edge gateways. Treat patched devices as **potentially compromised until proven otherwise**: upgrade, **kill sessions**, comb for IOCs, and harden your edge. ([The Hacker News][1], [ncsc.nl][2])

loading..   12-Aug-2025
loading..   3 min read
loading..

Bouygues

Bouygues Telecom confirms a massive cyberattack affecting 6.4 million customers,...

Bouygues Telecom announced that on **August 4, 2025**, its cybersecurity team detected **unauthorized access to a customer database**. An internal review revealed **6.4 million customer accounts** were compromised — a scale that **eclipses the 2020 Orange Spain breach** (5.1M) and is comparable to **[T-Mobile’s](https://www.secureblink.com/cyber-security-news/25-million-illegal-scheme-pulled-off-compromising-t-mobile-employees) 2021 incident** (7.8M). ### What Was Stolen? * **Personal Identifiers:** Names, phone numbers, emails, postal addresses * **Contractual Data:** Plan types, subscription dates, and service terms * **Business Client Data:** Company names, registration details * **Financial Info:** **IBANs** — a key risk factor for targeted fraud > 💡 *No payment card numbers, passwords, or direct debit authorizations were accessed.* #### Summary * **Date Detected:** August 4, 2025 * **Operator:** Bouygues Telecom, France’s third-largest telecom provider * **Impact:** 6.4M customer accounts — largest French telecom breach in the last 10 years * **Data Exposed:** Names, contact info, contractual details, IBANs (no card numbers/passwords) * **Risk:** High for phishing, invoice scams, and identity fraud * **Authorities Involved:** CNIL & ANSSI * **Global Context:** Second major French telecom attack in 30 days; follows an incident at Orange in July ## How Did This Happen? *Official details are limited, but cybersecurity analysts outline possible scenarios.* * **Third-Party Vendor Breach:** Common in telecom due to outsourced billing & CRM systems * **Credential Compromise:** Phishing or brute force targeting employee admin accounts * **API Vulnerability:** Unpatched APIs exposing customer data endpoints * **Insider Threat:** Disgruntled employees with privileged access Jean-Luc Moreau, a Paris-based cybersecurity consultant, warns: > “In 80% of telecom breaches, attackers exploit human error or third-party weaknesses. Bouygues will need to prove they closed those gaps.” ## Official Statements **Bouygues Telecom Spokesperson:** > “We immediately blocked the intrusion, notified all affected customers, and strengthened our system monitoring. We are cooperating fully with CNIL and ANSSI to ensure transparency.” **CNIL Representative:** > “Our role is to determine whether adequate security measures were in place under GDPR Article 32. The presence of financial identifiers like IBANs raises compliance concerns.” ## Why This Breach Is a Big Deal for France & the EU This is **the largest telecom breach in France in a decade** and **the second in a month** after Orange’s July incident. The timing and sector targeting raise concerns about: * **Coordinated Cyber Campaigns:** Possible state-linked or organized crime operations * **GDPR Enforcement Risks:** Fines up to 4% of annual turnover * **EU-Wide Telecom Vulnerability:** Could trigger NIS2 Directive-driven reforms in telecom cybersecurity Marie Dubois, telecom risk analyst, notes: > “The EU’s NIS2 Directive, coming into force in 2025, mandates higher resilience standards. This breach will accelerate compliance pressure on operators.” **Global telecom breaches (last 5 years):** * T-Mobile (2021, USA): 7.8M accounts * Optus (2022, Australia): 9.8M accounts * Orange Spain (2020): 5.1M accounts * Bouygues Telecom (2025, France): 6.4M accounts This shows **telecoms are prime targets** due to: * Massive customer datasets * Financial and identity information * Critical infrastructure importance The Bouygues breach is more than a corporate crisis — it’s a **wake-up call for France’s telecom sector** and a **case study for EU-wide cyber resilience**. With regulators already engaged, the fallout will likely influence policy, corporate governance, and consumer trust for years to come.

loading..   09-Aug-2025
loading..   3 min read
Company Logo
logo

Secure Blink automates the web application and API security for developers and security teams, helping them to rapidly identify and mitigate vulnerabilities more effectively than they can today.

Find Us Online

LinkedIn Logo
Twitter Logo
Discord Logo
Telegram Logo
YouTube Logo
contact@secureblink.com

contact@secureblink.com

@ Copyright 2025 Secure Blink. All rights reserved.