
13.06.2025

Unpatched holes could allow takeover of GitLab accounts

CSO Online 12.06.2025 20:27

A new vulnerability in GitLab’s Ultimate Enterprise Edition used for managing source code is “dangerous” and needs to be quickly patched, says an expert.

The vulnerability, CVE-2025-5121, is one of 10 described Wednesday by GitLab as it released bug and security fixes for self-managed installations.

“We strongly recommend that all self-managed GitLab installations be upgraded to one of these [patched] versions [18.0.2, 17.11.4, 17.10.8] immediately,” the platform said. GitLab.com is already running the patched version, so GitLab Dedicated customers do not need to take action.

Four of the vulnerabilities are rated as High severity.

Johannes Ullrich, dean of research at the SANS Institute, was particularly worried about CVE-2025-5121, a missing authorization issue. He described it as “dangerous.” If not patched, under certain conditions it can allow a successful attacker with authenticated access to a GitLab instance with a GitLab Ultimate license applied (paid customer or trial) to inject a malicious CI/CD job into all future CI/CD pipelines of any project.

“By injecting a malicious job, an attacker would be able to compromise how software is built,” Ullrich told CSO. “This could likely include adding backdoors to the software or skipping certain validation steps. The code will likely also have access to secrets used during the build process.”

Impacted versions are GitLab Ultimate EE 17.11 prior to 17.11.4, and 18.0 before 18.0.2. This vulnerability has been given a CVSS score of 8.5.

The other vulnerability Ullrich drew attention to is CVE-2025-4278, an HTML injection hole. He described it as essentially a cross site scripting vulnerability, but with more limited impact. GitLab gives it a CVSS score of 8.7.

“The impact of these vulnerabilities is often difficult to assess,” Ullrich said, “but creative attackers are often able to leverage them to trick users into performing dangerous actions on behalf of the attacker.”

GitLab says that, unless patched, under certain conditions the flaw would allow a successful attacker to take over an account by injecting code into the search page. 

All version 18.0 instances prior to 18.0.2 of Community and Enterprise editions are impacted.
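To turn the version ranges quoted above into something an operator can run against an inventory, here is an added example (it is not GitLab's code and not from the article). It encodes only the two CVEs whose affected ranges the article states, CVE-2025-5121 (Ultimate EE 17.11 before 17.11.4 and 18.0 before 18.0.2) and CVE-2025-4278 (CE and EE 18.0 before 18.0.2). A series that is not listed is simply not reported, which is not the same as being safe; the shape of the `instance` object (`version`, `edition`, `ultimate`) and the sample inventory are assumptions made for this example.

```javascript
// Added example, not GitLab's code or the article's: an offline check that
// reports which of the article's two CVEs apply to an installed self-managed
// GitLab version. Only the ranges the article states are encoded; a series
// that is not listed is not reported, which does not mean it is safe.
// The `instance` shape (version, edition, ultimate) is an assumption.

function parseVersion(v) {
  // Accepts "18.0.1", "18.0.1-ee", "v17.11.3" and similar; keeps major.minor.patch.
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised GitLab version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

function lessThan(a, b) {
  for (let i = 0; i < 3; i += 1) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

function sameSeries(a, b) {
  return a[0] === b[0] && a[1] === b[1];
}

// Affected ranges exactly as the article states them. For each CVE: which
// instances it applies to at all, and the first fixed release in each
// affected minor series (every earlier release of that series is affected).
const ADVISORIES = {
  'CVE-2025-5121': {
    // Ultimate EE 17.11 < 17.11.4 and 18.0 < 18.0.2; needs an Ultimate licence
    applies: (inst) => inst.edition === 'ee' && inst.ultimate === true,
    fixedIn: ['17.11.4', '18.0.2'],
  },
  'CVE-2025-4278': {
    // CE and EE 18.0 < 18.0.2
    applies: () => true,
    fixedIn: ['18.0.2'],
  },
};

// Returns the CVE ids from ADVISORIES that apply to the given instance.
function affectedBy(instance) {
  const installed = parseVersion(instance.version);
  const hits = [];
  for (const [cve, adv] of Object.entries(ADVISORIES)) {
    if (!adv.applies(instance)) continue;
    for (const fixed of adv.fixedIn) {
      const f = parseVersion(fixed);
      if (sameSeries(installed, f) && lessThan(installed, f)) {
        hits.push(cve);
        break;
      }
    }
  }
  return hits;
}

// Constructed sample inventory (not real hosts) to show the output shape.
const SAMPLE_INVENTORY = [
  { host: 'git-a.example.internal', version: '18.0.1-ee', edition: 'ee', ultimate: true },
  { host: 'git-b.example.internal', version: '18.0.1', edition: 'ce', ultimate: false },
  { host: 'git-c.example.internal', version: '17.11.4-ee', edition: 'ee', ultimate: true },
];

for (const inst of SAMPLE_INVENTORY) {
  const cves = affectedBy(inst);
  console.log(`${inst.host} ${inst.version}: ${cves.length ? cves.join(', ') : 'not in a listed affected range'}`);
}
```

The check deliberately compares only within the same major.minor series, because the article gives a separate first-fixed release per series (17.11.4 and 18.0.2); a 17.10 instance is therefore not flagged for CVE-2025-5121 even though GitLab also shipped 17.10.8, since the article lists 17.10 as patched but not as affected by that CVE.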

The other two vulnerabilities rated as High are:

CVE-2025-2254, a cross-site scripting issue, which, under certain conditions, could allow an attacker to act like a legitimate user by injectin

Major infostealer network taken down in Interpol raid

CSO Online 12.06.2025 19:13

Interpol, together with 26 countries and several cybersecurity companies, has carried out a major international operation against so-called infostealers — malicious code that can steal sensitive information such as passwords, credit card details, and crypto keys.

The operation, which went by the name Secure, ran between January and April 2025 and resulted in over 20,000 malicious IP addresses and domains being taken down.

A total of 32 suspects were arrested, the majority in Vietnam and Sri Lanka. In Vietnam, police found large amounts of cash, SIM cards and documents linked to corporate fraud. Operations were also carried out in Nauru and Hong Kong, where over 100 servers used for phishing and other types of cyber fraud were identified.

Over 216,000 people suspected of having their information stolen were informed and urged to take security measures, such as changing passwords and monitoring unauthorized account activity.

Infostealer malware continues to pose a significant threat despite an increase in takedowns of late.

Information-stealing malware accounted for 75% of stolen credentials in 2024, according to a report from Flashpoint. Threat intel firm ReliaQuest reported more than a 50% year-on-year increase in infostealer logs posted on the dark web this year.

Password managers in particular are experiencing significant targeting from infostealers this year.

Zero-Click AI Vulnerability Exposes Microsoft 365 Copilot Data Without User Interaction

The Hacker News 12.06.2025 13:11
A novel attack technique named EchoLeak has been characterized as a "zero-click" artificial intelligence (AI) vulnerability that allows bad actors to exfiltrate sensitive data from Microsoft 365 Copilot’s context without any user interaction.
The critical-rated vulnerability has been assigned the CVE identifier CVE-2025-32711 (CVSS score: 9.3). It requires no customer action and has been already

Data leak at hotel chain: guests' invoices and ID documents exposed online

Golem 12.06.2025 11:47
CCC spokesperson Matthias Marx has uncovered a data leak at the hotel chain Numa. He was able to access invoices and ID documents belonging to other people. (Data leak, data protection)

Smaller organizations nearing cybersecurity breaking point

CSO Online 12.06.2025 9:00

Limited budgets, overstretched IT teams, and a rapidly evolving threat landscape mean smaller organizations are approaching a “cybersecurity tipping point.”

The World Economic Forum’s (WEF) Global Cybersecurity Outlook 2025 report noted that “71% of cyber leaders say small organizations have already reached a critical tipping point where they can no longer adequately secure themselves against growing complexity of cyber risks.”

More than a third (35%) of small organizations believe their cyber resilience is inadequate, a proportion that has increased sevenfold since 2022.

By contrast, the share of large organizations reporting insufficient cyber resilience has nearly halved over the same period.

Skills gap leading to deteriorating security outlook

Experts quizzed by CSO said that the rapid adoption of emerging technologies — which comes with the downside of fresh vulnerabilities that cybercriminals can exploit — together with a widening skills gap is contributing to a deteriorating security outlook for small and midsize businesses (SMBs).

“Cyber skills gaps are prevalent in SMBs largely due to a lack of resources and specialized knowledge,” says Tom Exelby, head of cybersecurity at managed security services firm Red Helix. “Many SMBs don’t have dedicated cybersecurity teams, and those in charge of security can lack the confidence to perform even basic cyber tasks.”

Small and medium enterprises (SMEs) that do have the budget to hire specialists often struggle to attract and retain skilled professionals because the role offers little variety. Burnout is also a growing issue for the understaffed, underqualified IT teams common in small businesses.

“With limited resource in the business, employees are often wearing multiple hats and the pressure to manage cybersecurity on top of their regular duties can lead to fatigue, missed threats, and higher turnover,” Exelby says.

WEF’s report estimates that the cyber skills gap has increased by 8%, with two out of three organizations reporting moderate-to-critical skills gaps, including a lack of essential talent and skills to meet their security requirements. WEF’s findings are based on a survey of 321 qualified participants supplemented by 43 one-to-one interviews.

Resource constraints common in smaller businesses make maintaining even basic security posture an uphill struggle.

Steven Wood, director of solution consulting for EMEA at Op

The 20 biggest data breaches of the 21st century

CSO Online 12.06.2025 8:00

In today’s data-driven world, data breaches can affect hundreds of millions or even billions of people at a time. Digital transformation has increased the volume of data in motion, and data breaches have scaled up with it as attackers exploit the data dependencies of daily life. How large the cyberattacks of the future might become remains speculation, but as this list of the biggest data breaches of the 21st century indicates, they have already reached enormous magnitudes.

For transparency, this list is ranked by the number of users impacted, records exposed, or accounts affected. We have also made a distinction between incidents where data was actively stolen or reposted maliciously and those where an organization inadvertently left data unprotected and exposed but there has been no significant evidence of misuse. The latter have purposefully not been included in the list.

So, here it is – an up-to-date list of the 20 biggest data breaches in recent history, including details of those affected, who was responsible, and how the companies responded.

1. Chinese surveillance database

Date: June 2025
Impact: 4 billion records

The biggest data leak to date exposed 4 billion records, including WeChat data, bank details, and Alipay profile information of hundreds of millions of users, primarily from China.

The 631GB database — which also included phone numbers, home addresses, and behavioral profiles — was left wide open on the internet, unprotected by a password or any other form of authentication control.

Bob Dyachenko, cybersecurity researcher and owner at SecurityDiscovery.com, and cybersecurity website Cybernews stumbled on the billions of exposed records during a research project.

The “meticulously gathered and maintained” database offered comprehensive behavioral, economic, and social profiles of the vast majority of the Chinese population. Researchers believe that one collection, named “tw_db” contains Taiwan-related details.

“The sheer volume and diversity of data types in this leak suggests that this was likely a centralized aggregation point, potentially maintained for surveillance, profiling, or data enrichment purposes,” the researchers concluded.

Information from the database might be abused for anything from large-scale phishing, industrial-scale fraud, state-sponsored intelligence gathering, and more. The exposed instance was quickly taken down shortly after its

The critical role that partnerships play in shrinking the cyber skills gap

CSO Online 11.06.2025 16:36

Organizations everywhere are facing a perfect storm of cybersecurity challenges. As AI accelerates the volume and velocity of threats, sophisticated technology and skilled human analysts are vital to building an effective defense. Digital transformation initiatives are creating an expanding attack surface of endpoints that teams must secure, often while operating with outdated infrastructure and constrained budgets. Regardless of the unique challenges an entity faces, executives are concerned—72% of leaders report an increase in cyber risks at their respective organizations, and nearly half are worried about significant disruption to their operations.

While businesses grapple with this new reality, security leaders outside the United States, particularly in developing nations, face additional challenges distinct from those of their American counterparts. The skills gap continues to widen, with nearly 5 million professionals needed to fill vital roles worldwide, a 19% increase from 2023. Some regions struggle with limited IT education resources and training opportunities, making finding or upskilling talent even more difficult. In addition to finding the right practitioners, many leaders say they lack the necessary resources to help existing employees advance their skills. More than a quarter (26%) noted the difficulty of retaining individuals with in-demand skill sets, and 22% said they struggle to provide professional development opportunities for their existing employees.

Beyond staffing-related hurdles, changing regulatory requirements, aging infrastructure, a general lack of connectivity (or 5G deployment challenges), and limited modernization resources have significant implications for business leaders and security professionals in many regions. All of these factors must be considered as we work together to find solutions for building the global cybersecurity talent pipeline.

A scalable, sustainable approach to developing cybersecurity talent

I recently attended the second annual Global Conference on Cyber Capacity Building (GC3B) in Geneva, Switzerland, hosted by the Swiss Federal Department of Foreign Affairs and in collaboration with the Global Forum on Cyber Expertise. While conversations spanned a variety of topics related to cybersecurity capacity building, talent development was a recurring discussion theme.

One of the event’s keynote speakers said it best: “Building cyber capacity is not just about tec

New GenAI tool aims to improve open-source security

CSO Online 11.06.2025 14:49

A newly developed GenAI tool is intended to help detect and patch vulnerabilities in large open-source repositories. Photo: Teerachai Jampanak – Shutterstock.com

Dutch and Iranian security researchers have launched a new tool based on generative AI (GenAI) that is intended to enable platforms such as ChatGPT to detect and patch bugs in code repositories.

The application was tested by scanning GitHub for a specific path traversal vulnerability in Node.js projects that has existed since 2010. This identified 1,756 vulnerable projects, some of which were described as "very influential". So far, 63 projects have been patched.

The development, described in a recently published paper, also points to a serious limitation in the use of AI. While automated patching by a large

INTERPOL Dismantles 20,000+ Malicious IPs Linked to 69 Malware Variants in Operation Secure

The Hacker News 11.06.2025 13:32
INTERPOL on Wednesday announced the dismantling of more than 20,000 malicious IP addresses or domains that have been linked to 69 information-stealing malware variants.
The joint action, codenamed Operation Secure, took place between January and April 2025, and involved law enforcement agencies from 26 countries to identify servers, map physical networks, and execute targeted takedowns.
"These

Spying possible: 40,000 security cameras exposed on the internet without protection

Golem 11.06.2025 12:49
Researchers have discovered thousands of security cameras that can be accessed freely with a web browser. Not even a password is requested. (Espionage, cameras)

8 things CISOs have learned from cyber incidents

CSO Online 11.06.2025 9:00

When a cyber incident happens, it’s more than just an isolated event. For many CISOs, it reshapes their approach to resilience, risk management, and even their personal well-being in the job.

Several security leaders reflect on the lessons from real-world incidents and why it’s vital to share them with the community to strengthen collective resilience, break down the stigma around breaches, and help others who may face an incident themselves.

1. Share learnings and improve security for all

CISOs in the eye of the storm should expect media attention and all sorts of different agendas from people who weigh in on an incident.

“You get the attention of the world very quickly,” says SolarWinds CISO Tim Brown.

And it isn’t all well-intentioned as some commentators use an incident to further their own interests, whether it’s to raise their profile, speak poorly of another organization, or just get into the news cycle.

On the other hand, some incidents present an opportunity to help the industry at large because all sorts of people are paying attention, including good researchers, according to Brown.

There may be legal, corporate, and regulatory considerations with what you can share. But in terms of the technical playbook, there are likely to be things worth sharing.

Brown believes there are often important lessons that come out of breaches, whether it’s high-profile ones that end up in textbooks and university courses, or experiences that can be shared among peers through conference panels and other events. “Always look for good to come from events. How can you help the industry forward? Can you help the CISO community?” he says.

Todd Thorsen, CrashPlan CISO, agrees there are tactical lessons that come with being involved in an incident. Sometimes an incident is the perfect test case of what shouldn’t happen, says Thorsen, who was on the cybersecurity team during the Target data breach of 2013.

His approach is to conduct blameless post-mortems to understand root causes, create a safe environment for open discussion, and identify what could have been done better. The goal is to analyze processes without fear of repercussions. He encourages security people to share learnings with the community because “in the end everyone’s fighting the same battles”.

Sharing insights is also an important way to build support networks across the wider community and pay it forward because a time may

ISO and ISMS: Why security certifications go wrong

CSO Online 11.06.2025 5:34

With an ISO 27001 certification, companies demonstrate that they operate an effective information security management system (ISMS). Read why the certification process frequently goes wrong. Photo: mentalmind – shutterstock.com

ISO certifications, as well as the introduction of an information security management system (ISMS) based on IT-Grundschutz, are regarded by many companies as proof of their quality and of a professional approach to conducting their business. Although this is an important cornerstone for any company, in some cases not everything goes as planned. The following lists the most common pitfalls in introducing and certifying ISO/ISMS, along with approaches to solving them.

1. Lack of commitment from management

Management leads the way, whether it is a single person or several. One of the decisive factors behind ISO/ISMS introductions failing in companies is a lack of commitment from the managing directors. They must understand the importance of the ISO/ISMS introduction and actively champion its implementation and maintenance. Without management's engagement it is often difficult to get all employees on board with the process and to ensure that the ISO standards, or the IT-Grundschutz standards, are integrated into daily business operations.

Companies should therefore make it unmistakably clear how important the topic is, even if implementation can involve considerable effort and inconvenience. "Cleaning up" is not always pleasant, but the result is all the more rewarding. When management supports and promotes the ISO/ISMS introduction, this can lead to a successful conclusion and a better corporate image.

2. Alongside the business instead of inside it

One of the most common reasons ISO/ISMS introductions fail in companies is that they are not actually integrated into daily business operations. Many regard the ISO/ISMS introduction as a one-off activity, carried out once to obtain the certificate, without taking care to integrate the newly created processes into their daily business practices. Without genuine integration into daily operations, the certificate will only

Researchers Uncover 20+ Configuration Risks, Including Five CVEs, in Salesforce Industry Cloud

The Hacker News 10.06.2025 20:04
Cybersecurity researchers have uncovered over 20 configuration-related risks affecting Salesforce Industry Cloud (aka Salesforce Industries), exposing sensitive data to unauthorized internal and external parties.
The weaknesses affect various components like FlexCards, Data Mappers, Integration Procedures (IProcs), Data Packs, OmniOut, and OmniScript Saved Sessions.
"Low-code platforms such as

Mastery Schools Notifies 37,031 of Major Data Breach

Infosecurity Magazine 10.06.2025 17:00
A ransomware attack on Mastery Schools, Philadelphia, has compromised personal information of 37,031 individuals, exposing sensitive data

Digital sovereignty: EU launches its own DNS service with practical features

Heise Security 10.06.2025 13:50
The EU project optionally offers filters for child protection and for ad blocking, as well as unfiltered DNS resolvers. The service is free of charge.

In minutes: brute-force attack cracks Google users' phone numbers

Golem 10.06.2025 11:26
Using a brute-force attack, a researcher was able to determine the phone numbers of other Google users. Only the associated email address was required. (Security vulnerability, Google)