Two significant vulnerabilities have been uncovered in the Sudo command-line tool, widely used across Linux and Unix-like operating systems, that could allow local users to escalate privileges and gain root access on affected systems.

Here’s a summary of the issues:

• CVE-2025-32462 (CVSS score: 2.8) — A flaw in Sudo versions before 1.9.17p1 allows users listed in a sudoers file referencing a specific host (other than the current host or “ALL”) to run commands on unintended machines. This primarily impacts setups where a common sudoers file is shared across multiple systems.

• CVE-2025-32463 (CVSS score: 9.3) — A critical vulnerability in Sudo versions before 1.9.17p1 that lets any local user gain root access. This is due to improper handling of /etc/nsswitch.conf from a user-controlled directory when using Sudo’s --chroot option. The flaw allows attackers to load arbitrary shared libraries and execute malicious commands with elevated privileges.

Sudo is designed to let low-privileged users execute commands as another user, typically the superuser, while enforcing least-privilege principles. It’s configured via the /etc/sudoers file, which defines who can run what commands, as which users, and on which systems.

The first flaw (CVE-2025-32462) arises from the -h (host) option introduced in 2013. The bug allows commands authorized for a remote host to be mistakenly executed locally, affecting environments that share sudoers files across machines, including those using LDAP-based configurations.

The second flaw (CVE-2025-32463) is especially severe because it impacts default Sudo configurations. It requires no special sudoers rules and can be exploited by any unprivileged local user to achieve root access. The maintainers of Sudo plan to remove the --chroot option in future releases due to its complexity and risk.

Both issues were responsibly disclosed in April 2025 and have been patched in Sudo version 1.9.17p1. Major Linux distributions, including AlmaLinux, Alpine Linux, Amazon Linux, Debian, Gentoo, Oracle Linux, Red Hat, SUSE, and Ubuntu, have issued advisories. All users are urged to update to the latest Sudo packages to mitigate these risks.

The post Severe Sudo Security Flaws Let Local Users Gain Root Privileges on Linux Systems appeared first on Owlysec - Cyber Security News.

Cyber attackers are increasingly abusing exposed Java Debug Wire Protocol (JDWP) interfaces to gain remote code execution and deploy cryptocurrency miners on vulnerable systems. By leveraging a customized version of XMRig with hardcoded settings, these campaigns avoid suspicious command-line arguments that defenders typically monitor. The miners also utilize proxy servers to hide the actual wallet addresses, complicating forensic analysis.

Recent activity observed on honeypot systems running popular CI/CD tools like TeamCity highlights how JDWP exposure can serve as a gateway for attackers. JDWP, commonly used for debugging Java applications locally or remotely, lacks built-in authentication. This makes improperly secured deployments an attractive target, enabling attackers to execute arbitrary commands and plant persistent malicious payloads.

Common software that may launch JDWP servers in debug mode includes Jenkins, Selenium Grid, Elasticsearch, Quarkus, Spring Boot, Apache Tomcat, and TeamCity. Misconfigurations can easily arise, as developers may not be aware of the associated risks.

Recent scans revealed over 2,600 IP addresses searching for JDWP endpoints, with significant activity originating from China, the U.S., Germany, Singapore, and Hong Kong. Once JDWP services are identified, attackers typically download and execute a shell script that terminates competing miners, installs their mining payload, establishes cron jobs for persistence, and cleans up traces.

Emerging Threat: Hpingbot Botnet Targets Weak SSH Setups for DDoS

A new malware strain, dubbed Hpingbot, is assembling botnets capable of launching distributed denial-of-service (DDoS) attacks against systems running both Windows and Linux. Unlike botnets derived from known families like Mirai, Hpingbot appears to be built from scratch and uses legitimate tools like hping3 to generate malicious traffic, making detection harder and reducing development costs.

The botnet spreads through weak SSH configurations by conducting password spraying attacks. Once access is gained, a shell script is downloaded, which identifies system architecture, terminates previous malware instances, and retrieves the main DDoS payload. Persistence mechanisms and history-clearing tactics help the malware remain hidden.

Of note, attackers have recently expanded Hpingbot’s capabilities, introducing a variant that forgoes Pastebin-based configuration and external tools in favor of built-in TCP and UDP flood functions. While Windows versions can’t leverage hping3, their activity suggests a shift towards broader malicious payload distribution beyond mere service disruption.

The post Alert: Misconfigured JDWP Interfaces Fuel Crypto Mining Attacks, New Hpingbot Botnet Exploits SSH for DDoS appeared first on Owlysec - Cyber Security News.

A recent cyber espionage operation has been linked to Mustang Panda, a threat group associated with China, as it intensifies efforts to spy on the Tibetan community. The campaign, observed in June 2025, employs spear-phishing emails themed around Tibetan issues to deliver custom malware strains designed to provide covert access to targeted systems.

The attack lures make use of subjects tied to Tibet, including the 9th World Parliamentarians’ Convention on Tibet, discussions on China’s education policy in the Tibet Autonomous Region, and publications related to the 14th Dalai Lama. These tailored messages are crafted to appeal directly to individuals with ties to Tibetan affairs, increasing the likelihood of success.

Victims are enticed to open malicious archives that contain both harmless-looking Word documents and content sourced from legitimate Tibetan websites. Hidden among these files is an executable disguised as a document, which initiates the infection process.

Technical Details of the Attack Chain

Once executed, the malware leverages DLL side-loading to deploy Claimloader, a stager responsible for launching the first-stage downloader known as PUBLOAD. PUBLOAD contacts an attacker-controlled server to retrieve the next payload: Pubshell. Pubshell is a lightweight backdoor that establishes a reverse shell, allowing adversaries direct access to the compromised system for command execution.

Analysts note that Pubshell bears similarities to another Mustang Panda tool, TONESHELL. While both malware types are used to create reverse shells, Pubshell features a simplified design and requires specific commands to return results from executed tasks.

Broader Campaign Patterns

This activity is consistent with Mustang Panda’s known tactics, techniques, and procedures (TTPs). Similar operations have been observed targeting government, diplomatic, and military entities in regions including Taiwan, the United States, the Philippines, and Pakistan. These campaigns often rely on spear-phishing emails with links to Google Drive-hosted malicious archives (ZIP or RAR files), which ultimately deliver payloads like TONESHELL or PUBLOAD.

One variant of the campaign aimed at Taiwan included the use of a USB worm called HIUPAN, which spreads the malware components via removable drives, further aiding lateral movement and persistence within target environments.

Ongoing Threat

Security researchers emphasize that Mustang Panda, and specifically the sub-group referred to as Hive0154, continues to evolve its malware arsenal and operational techniques. The group’s focus remains heavily concentrated on East Asia, targeting both private and public sector organizations. Their sophisticated tooling, rapid development cycles, and use of USB worms highlight the ongoing threat they pose in the cyber espionage arena.

Organizations operating in the region, particularly those linked to sensitive political or diplomatic matters, are urged to maintain heightened vigilance, implement advanced phishing defenses, and monitor for indicators of compromise related to PUBLOAD, Pubshell, and associated tooling.

The post Mustang Panda Targets Tibetan Community with PUBLOAD and Pubshell Malware in Espionage Campaign appeared first on Owlysec - Cyber Security News.

Continuous Threat Exposure Management (CTEM) has emerged as a critical focus for organizations aiming to stay ahead of today’s dynamic cyber risks. While the concept promises enhanced resilience and reduced breach likelihood, the path from theory to execution is filled with challenges that security leaders must navigate.

In a recent expert discussion at Xposure Summit 2025, cybersecurity leaders from diverse industries came together to share their real-world experiences in operationalizing CTEM. The panel featured security executives representing banking, healthcare, and hospitality sectors—each offering unique perspectives on how to apply CTEM in production environments.

The Reality Behind the CTEM Promise

CTEM became a major topic after predictions that organizations adopting it effectively could see a threefold reduction in breach risk by 2026. But as practitioners emphasized, achieving that benefit depends entirely on the ability to operationalize CTEM, not just adopt it as a concept.

Panelists agreed on the essentials of building a strong CTEM program: begin with mastering asset inventory and identity management. Weak service accounts, excessive user permissions, and outdated logins represent significant security gaps. Addressing these exposures requires continuous vigilance—weekly checks for internal assets and daily scrutiny of external-facing systems.

A key distinction highlighted was that CTEM is not vulnerability management. Instead of just patching software flaws, CTEM is about validating whether existing controls effectively block real-world attack techniques. Threat intelligence, therefore, becomes central to CTEM efforts, enabling security teams to simulate adversary behavior and test defenses under realistic conditions.

Translating Security Efforts Into Risk Language

Panelists shared how CTEM practices are reshaping how security leaders communicate with boards and regulators. The focus is shifting away from technical jargon, like CVSS scores, toward meaningful discussions about business risk. Boards want to know: Is the company’s exposure increasing or decreasing? Where is the risk concentrated? What mitigation steps are underway?

Especially in regulated industries, leaders emphasized the importance of being prepared to provide clear answers on exposure, remediation timelines, and risk treatments—turning regulatory scrutiny into an opportunity for accountability and clarity.

Measuring What Truly Matters

CTEM success is not measured by the number of vulnerabilities patched. Instead, it’s about closing exploited attack paths and reducing exploitable risk in the environment. Security leaders shared how attack path validation has uncovered hidden risks, such as forgotten assets and over-permissioned accounts, making risk visible and actionable.

Others described the value of conducting tabletop exercises that walk executives through simulated attack scenarios. The goal is to shift from focusing on technical metrics to enabling informed decisions about real risk and its potential business impact.

From Strategy to Action

The conversation concluded with practical advice on implementing CTEM without getting lost in alert noise. The key takeaways: stay focused on what’s exploitable, use threat intelligence to guide testing, and continuously align security priorities with business risk.

Organizations adopting CTEM are finding that the journey requires more than technology—it demands cultural change, clear communication, and relentless focus on what matters most: reducing exposure to real threats.

The post CTEM in Practice: Turning Continuous Threat Exposure Management From Concept to Operational Reality appeared first on Owlysec - Cyber Security News.

Security operations centers (SOCs) today face a dual challenge: the threat landscape is becoming increasingly complex and relentless, while budget constraints and workforce shortages make scaling defenses harder than ever. Security leaders are tasked with reducing risk, improving response times, and safeguarding business continuity—often without the luxury of growing their teams or investing in costly new tools.

At the same time, inefficiencies within many SOCs are draining valuable resources. Studies indicate that a significant portion of security alerts are false positives, with some reports estimating false positive rates as high as 99%. This flood of irrelevant alerts consumes analyst time, fuels burnout, and increases the risk of overlooking genuine threats that could harm the business.

In this environment, security teams need solutions that enable them to do more with what they already have—enhancing productivity, improving precision, and aligning security efforts with core business goals.

Agentic AI SOC Analysts: A New Model for Security Operations

Agentic AI SOC Analysts represent a transformative shift in how organizations can approach security operations. By introducing intelligent automation that mimics the decision-making processes of skilled analysts, these AI-driven systems allow teams to focus human expertise on what matters most. The result is faster, smarter, and more effective security without increasing headcount or budget.

Addressing the Talent Shortage

The global shortage of cybersecurity professionals is well-documented, with estimates of a gap exceeding 4 million skilled workers worldwide. More critically, organizations struggle to find experienced analysts capable of managing complex investigations, responding to modern threats, and fine-tuning security processes.

Agentic AI offers a solution by automating repetitive Tier 1 tasks—triage, initial investigations, data gathering—and by filtering out noise. This means that experienced analysts can direct their attention to high-impact threats and strategic initiatives, rather than getting bogged down by false positives or low-priority alerts. This approach not only improves efficiency but also helps retain top talent by reducing fatigue and enabling more meaningful work.

Reducing Noise and Enhancing Focus

Agentic AI applies contextual analysis, behavioral insights, and advanced correlation techniques to evaluate the true risk behind an alert. By suppressing low-value or redundant signals and prioritizing high-risk activity, these AI systems help SOC teams reduce alert fatigue and focus on genuine threats. Organizations that implement such solutions often see a reduction in false positives requiring analyst review by as much as 90%.

Boosting Productivity and Speed

AI SOC Analysts automate many of the repetitive steps involved in security investigations, including gathering evidence, pulling logs, correlating data, and drafting reports. This mirrors the workflows of experienced human analysts, allowing teams to resolve more incidents in less time. In turn, this frees up resources for proactive tasks like threat hunting and detection tuning.

Continuous Learning and Improvement

Unlike static automation playbooks, agentic AI evolves over time. These systems learn from analyst feedback, historical incident data, and new threat intelligence, continuously refining their accuracy and decision-making. This means your SOC gets smarter with use, turning automation into a long-term strategic asset.

Driving Business-Aligned Metrics

By deploying agentic AI SOC Analysts, organizations can improve key operational metrics, such as:

• Mean time to investigate (MTTI) and mean time to respond (MTTR) – Faster triage and automation-driven investigations help reduce exposure time.

• Dwell time – Quicker detection and response shrink the window available to attackers.

• Analyst productivity – Reduced manual work allows analysts to deliver higher value without expanding team size.

• Alert closure rates – A higher percentage of alerts are fully resolved, strengthening the organization’s overall security posture.

Maximizing Value from Existing Investments

Agentic AI solutions enhance the return on investment (ROI) from existing security infrastructure, integrating with tools like SIEM, EDR, cloud platforms, and identity systems. By ensuring every alert is investigated and no signal is ignored, organizations can get more from their current technology stack while closing coverage gaps.

Moreover, AI-driven investigations act as a valuable training tool for junior analysts, helping them build skills more quickly and cost-effectively.

The post Building a Business Case for Agentic AI SOC Analysts: Transforming Security Operations for Efficiency and Impact appeared first on Owlysec - Cyber Security News.

Organizations using Progress MOVEit Transfer are facing renewed security concerns as threat actors ramp up scanning efforts in search of vulnerable systems. Recent data shows a significant and sustained increase in reconnaissance activity targeting MOVEit Transfer deployments, raising fears of an impending wave of exploitation attempts.

MOVEit Transfer is widely adopted by businesses and government agencies as a secure managed file transfer solution for sharing sensitive data. Its popularity and role in handling high-value information make it a prime target for cybercriminals seeking to breach enterprise environments.

According to recent threat intelligence reports, scanning activity targeting MOVEit Transfer systems began surging on May 27, 2025, with over 100 unique IP addresses recorded in a single day—up from fewer than 10 per day prior to that date. The trend escalated further, reaching 319 unique IPs the following day. Since then, scanning has continued at elevated levels, fluctuating between 200 and 300 unique IPs daily.

In total, 682 unique IP addresses have been linked to these scanning activities over the past 90 days. Alarmingly, 449 of these IPs were recorded within the past 24 hours alone. Among them, 344 IPs were deemed suspicious, while 77 were classified as malicious based on observed behavior. The majority of the scanning activity originates from the United States, with other hotspots including Germany, Japan, Singapore, Brazil, the Netherlands, South Korea, Hong Kong, and Indonesia.

In addition to increased reconnaissance, there have been low-volume attempts to exploit two previously disclosed critical MOVEit Transfer vulnerabilities: CVE-2023-34362 and CVE-2023-36934. The former was infamously leveraged by Cl0p ransomware affiliates in 2023 as part of a widespread campaign that compromised over 2,700 organizations worldwide.

Security experts warn that this surge in scanning could precede new mass exploitation efforts, as attackers search for unpatched systems to compromise. Administrators are strongly advised to:

• Ensure MOVEit Transfer systems are updated to the latest patched versions.

• Remove public exposure of MOVEit servers where not strictly necessary.

• Block suspicious IPs engaging in reconnaissance activity.

• Closely monitor network traffic for signs of exploitation attempts.

The renewed attention on MOVEit Transfer highlights the persistent risk of supply chain and third-party software exploitation. Organizations are urged to adopt a proactive security posture to protect sensitive data and critical operations.

The post Spike in MOVEit Transfer Scanning Signals Renewed Threat of Mass Exploitation Campaigns appeared first on Owlysec - Cyber Security News.