In today’s cybersecurity news…
150,000 sites compromised by JavaScript injection
According to researchers at website security company c/side, this campaign infiltrates legitimate websites with malicious JavaScript, using an iframe injection to display a full-screen overlay in a visitor’s browser via CSS. The overlay takes visitors to sites promoting Chinese gambling platforms. The current campaign largely affects compromised WordPress sites, but the researchers say the technique demonstrates how threat actors continually adapt and increase their sophistication.
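The signature described above, an injected iframe styled to cover the whole viewport, is something a site owner can check for in their own served HTML. The following is an added example written for this summary, not code from c/side or from the campaign; it uses only the Python standard library, and the two sample pages and the `ALLOWED_HOSTS` allow-list are constructed for illustration.

```python
"""Flag <iframe> elements that look like full-screen overlays or point off-site.

Added example (not c/side's tooling). Scans static HTML only: an iframe that a
script builds at runtime in the DOM will not appear here, so pair this with a
headless-browser crawl or a Content Security Policy that restricts frame-src.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Inline-style properties that, in combination, make an element cover the
# viewport: a fixed/absolute position plus 100% width and height. A very high
# z-index is a supporting indicator (the overlay must sit above the real page).
STYLE_RULES = {
    "position": re.compile(r"position\s*:\s*(fixed|absolute)", re.I),
    "full_width": re.compile(r"(?<![\w-])width\s*:\s*100\s*(%|vw)", re.I),
    "full_height": re.compile(r"(?<![\w-])height\s*:\s*100\s*(%|vh)", re.I),
    "high_z": re.compile(r"z-index\s*:\s*\d{4,}", re.I),
}

# Hosts this (constructed) site legitimately embeds; anything else is suspect.
ALLOWED_HOSTS = ("www.youtube.com",)


class _IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # Valueless attributes arrive as None; normalise to empty strings.
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def find_overlay_iframes(html, allowed_hosts=ALLOWED_HOSTS):
    """Return a finding per iframe that is styled as an overlay or is off-site."""
    parser = _IframeCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for attrs in parser.iframes:
        style = attrs.get("style", "")
        hits = [name for name, rx in STYLE_RULES.items() if rx.search(style)]
        # Position plus both dimensions at 100% is the overlay signature.
        is_overlay = {"position", "full_width", "full_height"} <= set(hits)
        host = urlparse(attrs.get("src", "")).hostname or ""
        off_site = bool(host) and host not in allowed_hosts
        if is_overlay or off_site:
            findings.append({
                "src": attrs.get("src", ""),
                "host": host,
                "overlay": is_overlay,
                "off_site": off_site,
                "style_hits": hits,
            })
    return findings


# Constructed sample pages: one benign embed, one injected full-screen overlay.
CLEAN_PAGE = """<html><body>
<h1>Store</h1>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
</body></html>"""

INJECTED_PAGE = """<html><body>
<h1>Store</h1>
<iframe src="https://redirector.example/land"
 style="position:fixed;top:0;left:0;width:100vw;height:100vh;z-index:99999;border:0"></iframe>
</body></html>"""


if __name__ == "__main__":
    for label, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(label, find_overlay_iframes(page))
```

Run it over HTML fetched from the site as an anonymous visitor rather than from the filesystem: injections of this kind are often served only to browsers, and some are conditional on referrer or user agent, so what the origin server returns to an admin session may be clean.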
Vulnerabilities found in numerous solar power systems
Researchers at cybersecurity firm Forescout are warning of “dozens of vulnerabilities” in solar power system products from Sungrow, Growatt and SMA. They say some of these flaws can pose a serious threat to electrical grids. The flaws exist within components such as one that “connects a solar power system to the internet, another in a cloud service where data is sent for monitoring and control, and a mobile application that enables the user to interact with the cloud service,” some of which will allow an attacker to upload files to enable arbitrary code execution on the cloud platform server, steal information, or vandalize the power grid itself.
T-Mobile pays $33 million in SIM swap lawsuit
The law firm Greenberg Glusker has secured a $33 million arbitration award against T-Mobile over a SIM swap attack that led to a massive cryptocurrency theft. The case involved an investor whose phone number was hijacked on February 21, 2020, leading to the theft of Bitcoin valued at $38 million. T-Mobile “revealed that the incident occurred after a threat actor accessed T-Mobile’s systems and abused them for SIM swapping.” The law firm argued that T-Mobile’s security failures enabled the breach, potentially through a system backdoor, [and that] T-Mobile “attempted to keep details of its security failures sealed.”
NHS software supplier gets discount on fine for good behavior
This story follows up on an event from August 2022, in which the LockBit ransomware gang attacked Advanced Health and Care Limited, an IT company that provided services to the UK’s National Health Service (NHS) and other healthcare organizations. The fine of £3.07 million being levied on the company by the UK’s data protection regulator, the Information Commissioner’s Office (ICO), is just half of what was originally proposed. The ICO said Advanced Health and Care Limited “settled for the reduced fine after acknowledging the watchdog’s decision; agreeing to pay up without appealing; playing nicely with the NHS and related regulatory bodies following the attack; as well as taking ‘other steps’ to mitigate related risk.”
Huge thanks to our sponsor, ThreatLocker

Defects in Kubernetes component put 40% of cloud environments at risk
Researchers at Wiz state that this number, 40%, is due to five recently discovered vulnerabilities, one rated critical with a CVSS score of 9.8, in the Ingress Nginx Controller for Kubernetes. The researchers state that “they aren’t aware of any active exploitation, but the risk for publicly exposed and unpatched Ingress Nginx controllers is extremely high.” Stephen Fewer, principal security researcher at Rapid7, stated separately, “with exploit code [for this vulnerability] starting to be published online, Kubernetes administrators should remediate publicly exposed instances on an urgent basis.” He added, “successful exploitation could allow attackers to access cluster-wide secrets, including passwords or tokens, or completely take over a cluster.”
The top three Microsoft Office exploits to watch for
The Hacker News is out with its summary of the most popular Office exploits, and they are, in brief: phishing, using email attachments that now include fake Captcha, Cloudflare and other “prove you’re a human” steps, as well as QR codes; zero-click exploits embedded in Microsoft Word files that target the Microsoft Equation Editor, which still exists on many machines; and thirdly, another Microsoft Word zero-click, Follina, which “abuses the Microsoft Support Diagnostic Tool (MSDT) and special URLs embedded in Office documents to execute remote code.” More details and mitigation tips are available in the linked article.
Windows Server 2025 updates cause remote desktop freezes
Microsoft has acknowledged a known issue causing Remote Desktop freezes on Windows Server 2025 after installing security updates released since the February 2025 Patch Tuesday. Users experience unresponsive mouse and keyboard input shortly after connecting, requiring them to reconnect. The issue also affected Windows 11 24H2 but was resolved there with the February 25 update. Microsoft has yet to release a fix for Windows Server 2025 but plans to address it in a future update.
Mozilla warns Windows users of critical Firefox sandbox escape flaw
Mozilla has released Firefox 136.0.4 to patch a critical security flaw that allows attackers to escape the browser’s sandbox on Windows. The issue affects both the standard and the extended support release (ESR). While details are limited, the flaw is similar to a Chrome zero-day recently patched by Google. Mozilla noted that attackers exploited a related vulnerability in the wild, allowing them to confuse processes and leak handles, leading to a sandbox escape. Other operating systems are unaffected.