r/pwnhub
CISA adds Linux kernel zero-day CVE-2026-43456 to KEV after active exploitation
CISA has added CVE-2026-43456, a Linux kernel local privilege escalation vulnerability, to its Known Exploited Vulnerabilities (KEV) catalog following confirmed in-the-wild exploitation. Here's everything covering the affected kernel versions, the vulnerability itself, which distributions have shipped fixes, and the available mitigations. If you're maintaining Linux systems, it may be worth checking whether your kernel has already been updated by your distro. Patch Now.
GoDaddy Warns of Major Threat to Internet Privacy from New Indian Law
A new ruling by the Delhi High Court in India could dismantle established internet privacy norms, prompting warnings from domain registrar GoDaddy.
Key Points:
- Delhi High Court ruling mandates domain registrars to disclose owner information, ending privacy by default.
- Fraudulent domains have surged in India, leading to increased scrutiny from major companies and the government.
- GoDaddy raises concerns that this law could undermine privacy protections for domain owners globally.
The recent ruling by the Delhi High Court is designed to combat the rising issue of fraudulent domains in India, especially as internet access surges among its vast population. With an increase in connectivity, the volume of phishing and scam sites has escalated dramatically, prompting calls for more stringent measures from major companies concerned about trademark infringement and consumer protection. As a response, the court has mandated that domain registrars can no longer provide privacy options by default. Instead, customers will need to actively opt in for privacy services, which may also come with additional fees.
This ruling has significant implications beyond India, as GoDaddy emphasizes that it could lead to a global shift in internet privacy standards. The new regulations require registrars to adhere to stringent Know Your Customer (KYC) protocols, involving the collection and verification of government-issued identification. If authorities request information regarding a domain owner, registrars must comply within a strict 72-hour timeframe. This alters the landscape of domain registration, making it easier to track and expose personal information; details like names, addresses, and contact numbers could be made publicly available through tools designed to access WHOIS data. As GoDaddy appeals the ruling, the consequences of this case may redefine privacy norms on the internet.
How do you think this ruling will impact online privacy and security for internet users worldwide?
Learn More: Gizmodo
Want to stay updated on the latest cyber threats?
How one GSM-R failure brought Germany's entire rail network to a standstill
Germany's nationwide rail network was temporarily brought to a halt after a failure in Deutsche Bahn's GSM-R railway communications system, which is used for operational and safety-critical communication between trains and control centers. Initial concerns about possible sabotage or a cyberattack were investigated, but Deutsche Bahn later said the outage appears to have been triggered by a software error during a scheduled technical update
SeekYou, unified host intelligence across 15 sources
SeekYou – unified host intelligence across 15 sources, runs free on Cloudflare.
- Built a tool that takes any IP, domain, or ASN and queries 15 sources in parallel: open ports, CVEs, BGP, RDAP, cert history, passive DNS, 5 threat feeds, exposed buckets, Wayback snapshots — all in one report.
- 4-layer parallel execution (total time ≈ slowest source, not sum of all).
- KV caching per source, circuit breakers, per-IP rate limiting.
- Typed diff engine — get alerted when ports open, CVEs appear, or certs expire on monitored hosts.
- Runs entirely on Cloudflare free tier (~5k lookups/day).
Source: https://github.com/Teycir/SeekYou (https://github.com/Teycir/SeekYou)
U.S. Government Pays $1 Million to Extortion Group in Data Theft Case
A U.S. government entity reportedly paid nearly $1 million to the hacking group Kairos to prevent the public release of stolen files.
Key Points:
- A U.S. entity paid around $1 million to Kairos in a data theft case.
- The negotiation initiated at $3 million, but ultimately decreased to $1 million.
- Kairos reportedly stole sensitive files without using traditional ransomware techniques like encryption.
- The victim, linked to Union County, Ohio, faced significant data theft affecting nearly 70,000 individuals.
- Kairos’ operations highlight a shift toward data theft extortion that avoids encryption.
In a troubling development for cybersecurity, a U.S. government entity has allegedly paid nearly $1 million to the group Kairos to prevent the release of sensitive stolen data. This case, detailed in a recent study by Rakesh Krishnan for Ransom-ISAC, indicates a shift in how cybercriminals operate. Instead of using traditional ransomware tactics like encrypting files, Kairos took a straightforward approach by stealing sensitive files and extorting the victim for a payment to avoid public disclosure. The negotiation revealed an alarming escalation, with the initial demand starting at $3 million, dwindling through back-and-forth discussions to a final payment of $1 million, made for the release of over 1.6 million files, including sensitive personal data of local residents. The group leveraged psychological tactics such as countdowns and threats of releasing vital information to maximize pressure during negotiations.
Union County, Ohio, thought to be the victim in this case, reported detecting ransomware earlier but did not recover data through traditional means. Their experience demonstrates the evolving landscape of cyber threats, where extortion can take the form of direct data theft rather than locking files. The move towards extortion based on data alone is echoed in reports indicating that many ransomware attacks no longer involve encryption. As cybersecurity experts note, this trend aligns with findings that encryption use in ransomware has dropped, revealing a pattern in which attackers exploit the threat of data exposure itself to extort victims, leading to hefty payments without any guarantee of data deletion.
How can organizations better prepare themselves to defend against data theft extortion tactics?
Learn More: The Hacker News
Want to stay updated on the latest cyber threats?
Anthropic accuses Alibaba of the largest known Claude AI distillation attack
Anthropic has accused Alibaba and its Qwen AI lab of orchestrating what it describes as the largest known AI model distillation campaign to date. According to the company, operators allegedly used nearly 25,000 fake accounts to generate 28.8 million interactions with Claude between April and June 2026, with the goal of extracting the model's capabilities to train competing systems. Alibaba has not publicly responded to the allegations, and they have not been independently verified
LLMNR Poisoning Threat Demonstrated in Active Directory Environment
A demonstration of LLMNR poisoning highlights the risks of NTLM password hash exposure in Active Directory networks.
Key Points:
- LLMNR acts as a fallback for DNS lookups, resolving hostnames on a local network.
- An attacker can exploit LLMNR by impersonating resources, capturing user authentication attempts.
- The captured NTLM password hashes can be cracked using tools like Hashcat, leading to credential exposure.
- This type of attack is categorized as a Man-in-the-Middle (MITM) attack where the attacker has initial network access.
Link Local Multicast Name Resolution (LLMNR) is a protocol that allows devices to resolve hostnames when DNS queries fail. However, this protocol poses a significant security risk by enabling attackers within the network to impersonate legitimate resources. If a user attempts to access a nonexistent hostname, LLMNR broadcasts a request across the subnet. An attacker receiving this request can respond as if they are the actual resource, prompting the user to authenticate, which in turn reveals the NTLM password hash.
Once the attacker captures the NTLM password hash, they can utilize cracking tools such as Hashcat or John The Ripper. The complexity of the user's password influences the time required for the attack to succeed. Successfully cracking the password allows the attacker to access sensitive resources and may facilitate further unauthorized actions within the domain. This method of attack can be particularly damaging because it exploits the trust users place in their network, creating a deceptive and dangerous environment for sensitive data.
What strategies can organizations implement to mitigate the risks associated with LLMNR poisoning?
Learn More: InfoSec Write-ups
Want to stay updated on the latest cyber threats?
Klue OAuth supply-chain breach hits LastPass, Huntress, Recorded Future, and others
The Icarus threat group exploited a compromise of Klue's Salesforce integration, stealing OAuth tokens that were then used to access customer Salesforce environments. Victims disclosed so far include LastPass, Huntress, Recorded Future, Tanium, Jamf, and others. Exposed data primarily consists of CRM information, customer contacts, support records, and sales communications—not passwords or production systems. The incident is another reminder that OAuth tokens and third-party SaaS integrations are high-value attack paths that often outlive the integrations they're meant to support.
CVE Daily Brief — 2026-07-04
This post contains content not supported on old Reddit. Click here to view the full post
The AI Information War: Navigating Fake News, Deepfakes, and Competing Narratives
realnarrativenews.comHackers shoveled snow for company, were rewarded with network admin access
theregister.comGoogle and FBI disrupt NetNut, the 2-million-node residential proxy network used by APTs
Google Threat Intelligence Group (GTIG) has coordinated with the FBI and Lumen to dismantle the infrastructure behind NetNut (Popa), a massive commercial residential proxy botnet controlling over 2 million compromised devices.
Technical Highlights:
- The Scale: Over 300 distinct cybercriminal and cyberespionage threat clusters were caught routing malicious payloads, credential stuffing attacks, and Mirai DDoS variants through NetNut exit nodes in a single week.
- The Mechanism: NetNut populated its network by covertly embedding malicious Software Development Kits (SDKs) into third-party Android apps, targeting smart TVs, streaming setups, and IoT devices to quietly hijack their residential ISP bandwidth.
- The Infrastructure: The botnet acted as a massive white-label engine, leasing its proxy pool out to other prominent proxy reseller brands.
Google has blocked the associated backend C2 accounts and updated Play Protect to flag the hidden SDKs, striking a major blow against one of the largest automated traffic-obfuscation networks currently operating on the web.
European Parliament Member Investigated for Spyware Hacked with Pegasus
A former European Parliament member, Stelios Kouloglou, was hacked using Pegasus spyware while serving on a committee investigating such surveillance tools.
Key Points:
- Kouloglou's device was compromised multiple times during his term on the PEGA Committee.
- The hacking incidents raise concerns about surveillance misuse against journalists and lawmakers.
- Analysis indicates a connection between the spyware and a campaign targeting exiled journalists in Europe.
The Citizen Lab's report disclosed that Stelios Kouloglou, while a member of the European Parliament's Committee of Inquiry into Pegasus surveillance, was repeatedly hacked by the notorious spyware. Forensic analysis of his device revealed that the spyware allowed potential access to confidential deliberations within the committee tasked with investigating such surveillance abuses in the European Union. Notably, the first infection was estimated to have occurred around October 21, 2022, coinciding with significant discussions that could have implications for both political processes and privacy rights within the region.
While no direct attribution to the Greek government has been established, the overlapping timeline of Kouloglou's infections with broader campaigns targeting Russian-speaking exiled journalists suggests that a Pegasus customer wielding authorization to operate across multiple European jurisdictions may be responsible. These findings spotlight troubling aspects of government surveillance, particularly how tools meant to combat serious crimes like terrorism can easily pivot to undermine the rights of citizens, including journalists and lawmakers. As the investigation into the misuse of surveillance technologies continues, this incident marks a pivotal moment, highlighting the urgent need for regulatory scrutiny over such practices.
What measures should be taken to protect lawmakers and journalists from invasive surveillance tactics?
Learn More: The Hacker News
Want to stay updated on the latest cyber threats?
Sandhills Medical Foundation reveals a ransomware breach impacting nearly 170,000 individuals, with significant personal information compromised.
Key Points:
- Ransomware attack discovered on May 8, 2025.
- Nearly 170,000 individuals have had their data compromised.
- Compromised data includes personal health information and social security numbers.
- The Inc Ransom group has publicly listed Sandhills Medical on its leak website.
- The healthcare provider is cooperating with law enforcement and cybersecurity experts.
Sandhills Medical Foundation, located in South Carolina, has announced a significant data breach stemming from a ransomware attack identified on May 8, 2025. This incident has resulted in almost 170,000 individuals being affected, as the healthcare organization has acknowledged that hackers accessed sensitive personal information belonging to select patients. The breach has raised alarms, as the compromised data includes crucial information such as names, dates of birth, social security numbers, and personal health details, putting the affected individuals at heightened risk for identity theft and fraud.
The situation has been compounded by the involvement of the Inc Ransom ransomware group, which has indicated that it possesses the files stolen from Sandhills Medical and has made them available for public download on its leak site as of early June 2025. In response to this incident, Sandhills Medical is currently collaborating with law enforcement, cybersecurity experts, and forensic investigators to assess the full extent of the breach and implement measures to protect affected individuals. The disclosure of this breach nearly a year after its occurrence underscores the persistent vulnerability of healthcare organizations and the critical importance of robust cybersecurity practices.
What steps should healthcare organizations take to prevent ransomware attacks in the future?
Learn More: Security Week
Want to stay updated on the latest cyber threats?