Cyber Security News https://cybersecuritynews.com/

Windows 11 to Hide BSOD Crash Errors on Public Displays
https://cybersecuritynews.com/windows-11-hide-crash-errors/ Fri, 21 Nov 2025 08:56:54 +0000
Microsoft has introduced a practical new feature in Windows 11 designed specifically for public-facing monitors and signage. This new mode ensures that the dreaded Blue Screen of Death (BSOD) and other disruptive error dialogs are hidden from view on non-interactive displays.

Whether the machine is powering a digital restaurant menu, an airport flight schedule, or a billboard advertisement, this update prevents the embarrassment of public crash loops.

The core functionality of this mode revolves around discretion. Once enabled, the operating system suppresses the standard behavior of displaying permanent error screens when a critical fault occurs.

Instead of leaving a frozen blue screen visible to customers for hours, Windows attempts to handle the failure more gracefully behind the scenes.

Diagnostic Recovery Behavior

While hiding errors is crucial for aesthetics, technicians still need access to diagnostic information. Microsoft has implemented a clever workaround: when a critical system error or a recovery screen is required for diagnostics, Windows displays the error message for only 15 seconds.

After this brief window, the screen automatically turns off to conceal the issue. The display remains black until a technician interacts with the device using a keyboard or mouse, at which point the screen reactivates to allow troubleshooting, Microsoft added.

It is essential to distinguish this feature from Kiosk mode. This new setting does not replace Kiosk mode, which remains the correct solution for interactive public terminals where users need limited access to specific apps.

This new “hide error” capability is strictly for passive displays where no user interaction is expected.

System administrators can easily enable this feature through the standard Windows Settings app or by deploying a specific registry key across their fleet of devices, making it a simple but effective upgrade for digital signage management.

SonicOS SSLVPN Vulnerability Let Attackers Crash the Firewall Remotely
https://cybersecuritynews.com/sonicos-sslvpn-vulnerability-firewall-crash/ Fri, 21 Nov 2025 06:36:13 +0000
SonicWall has disclosed a critical stack-based buffer overflow vulnerability in its SonicOS SSLVPN service that allows remote, unauthenticated attackers to crash firewalls, resulting in a denial of service.

The vulnerability was internally discovered and reported by SonicWall’s security team. The flaw, tracked as CVE-2025-40601, carries a CVSS score of 7.5 and affects multiple generations of SonicWall firewall products.

Field: Value
CVE ID: CVE-2025-40601
CWE: CWE-121
CVSS Score: 7.5 (High)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Understanding the Vulnerability

The vulnerability exists in the SSLVPN service component of SonicOS and stems from a stack-based buffer overflow weakness (CWE-121).

When exploited, an attacker can send specially crafted requests to the vulnerable SSLVPN interface without authentication, causing the affected firewall to crash and interrupting services.

SonicWall states that this vulnerability only impacts devices with the SSLVPN interface or service enabled on the firewall. Organizations that do not use this feature remain unaffected.

Currently, SonicWall PSIRT reports no active exploitation in the wild, and no proof-of-concept code has been publicly released.

Gen7 Hardware Firewalls
  Models: TZ270, TZ270W, TZ370, TZ370W, TZ470, TZ470W, TZ570, TZ570W, TZ570P, TZ670, NSa 2700-6700, NSsp 10700-15700
  Affected Versions: 7.3.0-7012 and older
  Fixed Version: 7.3.1-7013 and higher

Gen7 Virtual Firewalls (NSv)
  Models: NSv270, NSv470, NSv870 (ESX, KVM, HYPER-V, AWS, Azure)
  Affected Versions: 7.3.0-7012 and older
  Fixed Version: 7.3.1-7013 and higher

Gen8 Firewalls
  Models: TZ80, TZ280, TZ380, TZ480, TZ580, TZ680, NSa 2800-5800
  Affected Versions: 8.0.2-8011 and older
  Fixed Version: 8.0.3-8011 and higher

The vulnerability impacts both Gen7 and Gen8 SonicWall firewalls across hardware and virtual platforms.

Gen7 devices running firmware versions 7.3.0-7012 and older are vulnerable, while Gen8 firewalls with versions 8.0.2-8011 and earlier are affected. SonicWall Gen6 firewalls and SMA 1000/100 series SSL VPN products are not impacted.

SonicWall strongly urges organizations to update to the patched firmware versions immediately.

Until patches can be applied, administrators should restrict SSLVPN access to trusted source IP addresses only or disable the service from untrusted internet sources by modifying existing access rules.

OpenAI Releases GPT-5.1-Codex-Max that Performs Coding Tasks Independently
https://cybersecuritynews.com/openai-releases-gpt-5-1-codex-max/ Fri, 21 Nov 2025 06:33:44 +0000
OpenAI has launched GPT-5.1-Codex-Max, a specialized coding model designed to handle complex development tasks autonomously.

The new system represents a significant leap in agentic AI capabilities, enabling machines to work on coding projects with minimal human intervention. GPT-5.1-Codex-Max operates differently from general-purpose AI models.

Built specifically for software engineering, the model features compaction technology that enables it to process millions of tokens in a single session.

This breakthrough means developers can assign extensive refactoring projects, debugging sessions, and multi-hour agent loops to the AI, which completes them independently without losing context or coherence.

Advanced Architecture Powers Independent Development

The model can sustain work for extended periods.

In internal testing, GPT-5.1-Codex-Max completed tasks running for over 24 hours, automatically managing its context window by compacting sessions when necessary.

This capability transforms how teams approach large-scale code modernization and complex system maintenance. Performance benchmarks demonstrate substantial improvements over previous versions.

On SWE-bench Verified evaluations, GPT-5.1-Codex-Max achieves 77.9% accuracy compared to 73.7% from its predecessor.

More notably, the model uses 30% fewer thinking tokens while delivering superior results, directly translating to reduced computational costs for developers.

Frontend design tasks showcase these efficiency gains effectively. GPT-5.1-Codex-Max produces high-quality interfaces with approximately 27,000 thinking tokens, compared to 37,000 for older models, while requiring fewer tool calls and generating more efficient code.

The enhanced capabilities bring responsibility.

OpenAI acknowledges that advanced coding models can, in theory, assist in cybersecurity attacks. However, the company states it hasn’t observed meaningful abuse at scale.

The team has already disrupted cyber operations that attempted to misuse the model. GPT-5.1-Codex-Max runs in a secure sandbox by default.

File operations remain confined to designated workspaces, and network access stays disabled unless explicitly enabled.

OpenAI recommends keeping Codex restricted, as enabling internet connectivity introduces prompt injection vulnerabilities. The company advises developers to review all AI-generated code before deployment.

Codex produces terminal logs and cites tool calls, reducing bug risks, but should complement rather than replace human code reviews.

GPT-5.1-Codex-Max is now available through Codex for ChatGPT Plus, Pro, Business, Edu, and Enterprise subscribers. API access is coming soon.

Internally, 95% of OpenAI’s engineers use Codex weekly, and adoption correlates with approximately 70% more pull requests shipped.

The model represents progress toward reliable AI coding partners that enhance developer productivity while maintaining security standards.

Authorities Sanctioned Russia-based Bulletproof Hosting Provider for Supporting Ransomware Operations
https://cybersecuritynews.com/bulletproof-hosting-provider-sanctioned/ Fri, 21 Nov 2025 06:26:50 +0000
The U.S. Department of the Treasury, Australia, and the United Kingdom have announced coordinated sanctions against Media Land.

This Russia-based bulletproof hosting company provides infrastructure to ransomware and other cybercriminals.

The U.S. Federal Bureau of Investigation also coordinated the action targeting the company’s leadership team and related entities.

Bulletproof hosting providers offer specialized servers designed to help criminals hide their activities and avoid law enforcement.

These services give ransomware gangs, hackers, and other cybercriminals the infrastructure they need to launch attacks against businesses and critical infrastructure.

Media Land’s Criminal Operations

Media Land, headquartered in St. Petersburg, Russia, supplied hosting services to major ransomware groups, including LockBit, BlackSuit, and Play.

The company’s infrastructure was also used for distributed denial-of-service (DDoS) attacks targeting U.S. companies and critical systems. Company leadership played direct roles in the criminal operation.

Aleksandr Volosovik, Media Land’s general director, advertised the company’s services on cybercriminal forums under the alias “Yalishanda” and provided servers to ransomware actors.

Kirill Zatolokin, an employee, collected payments from customers and coordinated with other cyber actors. Yulia Pankova assisted Volosovik with legal matters and financial management.

The Treasury also designated Hypercore Ltd., a UK-registered company created by the Aeza Group after it was sanctioned in July 2025. Aeza attempted to rebrand and hide its connections to avoid sanctions.

Treasury officials designated new companies and individuals involved in the evasion effort, including directors Maksim Makarov and Ilya Zakirov. Related entities in Serbia and Uzbekistan were also targeted.

All property and assets belonging to the designated individuals and companies in the United States are now frozen.

U.S. persons and businesses are prohibited from conducting transactions with these entities. Financial institutions engaging with sanctioned parties risk enforcement actions.

The U.S. Treasury emphasized that these coordinated international actions demonstrate a commitment to preventing ransomware and protecting citizens from cybercrime.

The Cybersecurity and Infrastructure Security Agency released additional guidance on protecting against bulletproof hosting providers.

Salesforce Confirms that Customers’ Data Was Accessed Following the Gainsight Breach
https://cybersecuritynews.com/salesforce-gainsight-breach/ Fri, 21 Nov 2025 04:41:23 +0000
Salesforce has issued a critical security alert identifying “unusual activity” involving Gainsight-published applications connected to customer environments.

The CRM giant’s investigation indicates that this activity may have enabled unauthorized access to Salesforce data through the applications’ external connections.

In an immediate response to contain the threat, Salesforce has revoked all active access and refresh tokens associated with the affected Gainsight apps and temporarily removed them from the AppExchange.

Salesforce explicitly stated that this incident does not stem from a vulnerability within the Salesforce platform itself. Instead, it exploits the trust relationship between the platform and third-party integrations.

The attack leverages compromised OAuth tokens and digital keys that allow apps to access data without sharing user credentials.

Salesforce Gainsight Breach

This mirrors the tactics used in the August 2025 campaign involving Salesloft Drift, in which attackers used stolen OAuth tokens to bypass authentication and access CRM-layer data, such as business contacts and case logs, across hundreds of organizations.

Gainsight had previously acknowledged its exposure to the Salesloft Drift incident, confirming that stolen secrets from that breach were the likely root cause. Now, threat actors appear to be replaying the same playbook: combining stolen OAuth tokens with over-permissioned applications to create a “perfect attack chain” that bypasses traditional perimeter defenses.

Security researchers have linked this campaign to ShinyHunters (also tracked as UNC6040), a threat group notorious for targeting SaaS ecosystems. This group typically employs social engineering to trick users into approving malicious apps or, as seen here, pivots from one compromised vendor to another.

From a Third-Party Risk Management (TPRM) perspective, this incident exemplifies a “supply-chain blast radius” event, where a single compromised vendor serves as a gateway into dozens of downstream environments.

Risk in modern SaaS ecosystems no longer travels linearly; it fans out, creating exponential exposure from a single point of failure.

Organizations using Gainsight integrations must assume their current connections are compromised until re-authenticated. Teams should immediately audit every connected app in their Salesforce instance, removing or restricting any integration that does not require wide API access.

It is critical to rotate vendor OAuth tokens immediately and treat any token with broad permissions as high-risk. Furthermore, security teams should harden their approval processes for new integrations, as threat actors have previously used social engineering to get malicious apps approved.

Ferhat Dikbiyik, Chief Research and Intelligence Officer (CRIO) at Black Kite, told cybersecuritynews.com: “This wasn’t a breach of Salesforce’s core platform. Instead, attackers linked to ShinyHunters (ScatteredSpider Lapsu$ Hunters) exploited a third-party integration, using access from a compromised vendor to pull customer data out of Salesforce environments. And there’s an important pattern here.”

“Gainsight has already acknowledged exposure in a previous campaign involving Salesloft Drift, where stolen OAuth tokens were used to access Salesforce data across many organizations. In that earlier case, Gainsight disconnected the Salesloft app and confirmed that only CRM-layer data, mostly business contact info and some Salesforce case text, had been accessed.”

Oracle Allegedly Breached by Clop Ransomware via E-Business Suite 0-Day Hack
https://cybersecuritynews.com/oracle-breach-clop-ransomware/ Fri, 21 Nov 2025 03:38:16 +0000
The notorious Clop ransomware gang has listed Oracle on its dark web leak site, alleging a successful breach of the tech giant’s internal systems.

This development is part of a massive extortion campaign exploiting a critical zero-day vulnerability in Oracle E-Business Suite (EBS), designated as CVE-2025-61882.

The group, tracked as Graceful Spider, claims to have exfiltrated sensitive data from Oracle and dozens of its high-profile customers, marking a significant escalation in supply chain attacks reminiscent of the MOVEit incident.

The Zero-Day Exploit: CVE-2025-61882

The attack vector centers on a critical, unauthenticated remote code execution (RCE) vulnerability in Oracle E-Business Suite.

Security researchers indicate that Clop affiliates began exploiting this flaw as early as August 2025, months before Oracle released a patch in October 2025.

The exploit chain specifically targets the OA_HTML/SyncServlet endpoint to bypass authentication, followed by malicious XSLT template injection via OA_HTML/RF.jsp to execute arbitrary commands.

This “pre-auth” nature allowed attackers to compromise servers without valid credentials, granting them full control over sensitive ERP data.

Vulnerability Detail: Technical Specification
CVE ID: CVE-2025-61882
Affected Product: Oracle E-Business Suite (Versions 12.2.3 – 12.2.14)
Vulnerability Type: Unauthenticated Remote Code Execution (RCE)
CVSS Score: 9.8 (Critical)
Exploit Vector: Authentication Bypass via SyncServlet & XSLT Injection
Patch Status: Patched (October 2025 Security Alert)

Extortion Campaign and High-Profile Victims

Evidence from Clop’s leak site displays a “PAGE CREATED” status for ORACLE.COM, appearing alongside major entities such as MAZDA.COM, HUMANA.COM, and the Washington Post.

The listing of Oracle Corporation itself suggests the vendor may have fallen victim to its own software flaw, potentially exposing internal corporate data.

Victims report receiving extortion emails from addresses like support@pubstorm[.]com, threatening the release of financial and personal records if ransom demands are not met.

Critical Windows Graphics Vulnerability Lets Hackers Seize Control with a Single Image
https://cybersecuritynews.com/critical-windows-graphics-vulnerability/ Thu, 20 Nov 2025 16:26:58 +0000
A critical remote code execution flaw in Microsoft’s Windows Graphics Component allows attackers to seize control of systems using specially crafted JPEG images.

With a CVSS score of 9.8, this vulnerability poses a severe threat to Windows users worldwide, as it requires no user interaction for exploitation.

Discovered in May 2025 and patched by Microsoft on August 12, 2025, the issue stems from an untrusted pointer dereference in the windowscodecs.dll library, affecting core image processing functions.

Attackers can embed the malicious JPEG in everyday files like Microsoft Office documents, enabling silent compromise when the file is opened or previewed.

This flaw highlights ongoing risks in legacy graphics handling, where seemingly innocuous image decoding can result in a complete system takeover. As Windows powers billions of devices, unpatched systems remain highly exposed to phishing campaigns or drive-by downloads.

Zscaler ThreatLabz identified the vulnerability through targeted fuzzing of the Windows Imaging Component, focusing on JPEG encoding and decoding paths in windowscodecs.dll.

The entry point for exploitation lies in the GpReadOnlyMemoryStream::InitFile function, where manipulated buffer sizes allow attackers to control memory snapshots during file mapping.

Fuzzing revealed a crash triggered by dereferencing an uninitialized pointer at jpeg_finish_compress+0xcc, exposing user-controllable data via heap spraying.

Stack traces from WinDbg analysis pointed to key functions like CJpegTurboFrameEncode::HrWriteSource and CFrameEncodeBase::WriteSource, confirming the flaw in JPEG metadata encoding processes.

This uninitialized resource issue enables arbitrary code execution without privileges, making it exploitable over networks. Microsoft confirmed the vulnerability affects automatic image rendering in applications reliant on the Graphics Component.

Affected Versions and Patching

The vulnerability impacts recent Windows releases, particularly those using vulnerable builds of windowscodecs.dll. Organizations must prioritize updates to mitigate risks, as exploitation could chain with other attacks for lateral movement in networks.

Product                            Impacted Version    Patched Version
Windows Server 2025                10.0.26100.4851     10.0.26100.4946
Windows 11 Version 24H2 (x64)      10.0.26100.4851     10.0.26100.4946
Windows 11 Version 24H2 (ARM64)    10.0.26100.4851     10.0.26100.4946
Windows Server 2025 (Core)         10.0.26100.4851     10.0.26100.4946

Exploitation Mechanics and Proof-of-Concept

Exploiting CVE-2025-50165 involves crafting a JPEG that triggers the pointer dereference during decoding, often via embedded files in Office or third-party apps.

For 64-bit systems, attackers bypass Control Flow Guard using Return-Oriented Programming (ROP) chains in sprayed heap chunks of size 0x3ef7. This pivots execution by creating read-write-execute memory with VirtualAlloc and loading shellcode for persistent access.

Windows Graphics Vulnerability Exploit

Zscaler’s proof-of-concept demonstrates heap manipulation through an example app that allocates, frees, and processes Base64-encoded JPEGs, achieving RIP control.

While no in-the-wild exploits have been reported, the low complexity and wide network reach make it a prime target for ransomware or espionage. CFG is disabled by default in 32-bit versions, easing attacks on older setups.

Users should immediately apply the August 2025 Patch Tuesday updates via Windows Update, targeting high-value assets first. Disable automatic image previews in email clients and enforce sandboxing for untrusted files. Zscaler has implemented cloud-based protections to block exploit attempts.

This incident underscores the perils of unpatched graphics libraries in enterprise environments, where JPEGs are ubiquitous in workflows.

As threat actors evolve tactics, timely patching remains the strongest defense against such pixel-perfect poisons. With no observed active exploitation yet, proactive measures can prevent widespread damage.

Tsundere Botnet Abusing Popular Node.js and Cryptocurrency Packages to Attack Windows, Linux, and macOS Users
https://cybersecuritynews.com/tsundere-botnet-abusing-popular-node-js-and-cryptocurrency-packages/ Thu, 20 Nov 2025 14:29:05 +0000
Tsundere represents a significant shift in botnet tactics, leveraging the power of legitimate Node.js packages and blockchain technology to distribute malware across multiple operating systems.

First identified around mid-2025 by Kaspersky GReAT researchers, this botnet demonstrates the evolving sophistication of supply chain attacks.

The threat originates from activity first observed in October 2024, where attackers created 287 malicious npm packages using typosquatting—mimicking the names of popular libraries like Puppeteer and Bignum.js to deceive developers into installation.

The infection vector has evolved considerably since then. Tsundere spreads through multiple pathways, including Remote Monitoring and Management tools and disguised game installers that capitalize on piracy communities.

Samples discovered in the wild bear names like “valorant,” “cs2,” and “r6x,” specifically targeting first-person shooter enthusiasts.

Smart contract containing the Tsundere botnet WebSocket C2 (Source – Securelist)

This approach proves highly effective at evading traditional security awareness since users expect these applications anyway.

The botnet particularly threatens Windows users, though the initial campaign exposed systems across Windows, Linux, and macOS platforms when it operated through npm package deployment.

The infrastructure behind Tsundere reveals a sophisticated understanding of modern attack methods. Rather than relying on traditional centralized command-and-control infrastructure, the botnet utilizes Ethereum blockchain smart contracts to store and retrieve C2 addresses.

Tsundere communication process with the C2 via WebSockets (Source – Securelist)

This approach adds resilience by making servers difficult to take down through conventional means. The threat actor, identified as koneko—a Russian-speaking operative—operates a professional marketplace where other cybercriminals can purchase botnet services or deploy their own functionality.

Securelist security analysts identified the malware after discovering connections between the current campaign and earlier supply chain attacks.

Their investigation revealed that the threat actor has since resurfaced with enhanced capabilities, launching Tsundere as an evolution of previous malware efforts.

Tsundere botnet panel login (Source – Securelist)

The panel supports both MSI installer and PowerShell script delivery mechanisms, giving attackers flexibility in deployment strategies across different network environments and defenses.

How Tsundere Maintains Persistence Through Node.js Abuse

The infection mechanism begins when an MSI installer or PowerShell script executes on the victim’s system, dropping legitimate Node.js runtime files into AppData alongside malicious JavaScript.

The setup uses a hidden PowerShell command that spawns a Node.js process executing obfuscated loader code.

This loader script decrypts the main bot using AES-256-CBC encryption before establishing the botnet environment. The bot automatically installs three critical npm packages: ws for WebSocket communication, ethers for Ethereum blockchain interaction, and pm2 for process persistence.

The pm2 package plays a crucial role in maintaining presence on compromised machines. It creates registry entries that ensure the bot restarts automatically whenever a user logs in, achieving effective persistence.

The bot then queries Ethereum blockchain nodes through public RPC providers, retrieving the current C2 server address from a smart contract variable.

This clever approach means defenders cannot simply block a known IP address—the attackers rotate C2 infrastructure at will through blockchain transactions, rendering traditional IP-based blocking ineffective.

Once connected, the bot establishes encrypted communication and awaits commands from operators, which arrive as dynamic JavaScript code for execution.
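A host sweep for the persistence pattern described in this section (Node.js dropped under AppData, relaunched at logon, managed by pm2), as an added example that is not from the article or Securelist. It assumes the logon entry lands in the standard Run keys, that the node process command line exposes the script path, and that pm2 keeps its state in the default %USERPROFILE%\.pm2 directory; the indicator names and thresholds are the author's, not Securelist's.

```powershell
# Added example: defensive triage for Tsundere-style Node.js persistence.
# Assumptions (not from the article): Run keys hold the logon entry, node.exe
# command lines reveal the script, and pm2 uses its default home directory.
# Developers who legitimately use pm2 will also match step 3; treat hits as leads.

$findings = @()

# 1. Logon Run entries that launch node.exe or a script from a user's AppData folder.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }        # skip provider metadata properties
        $cmd = [string]$p.Value
        if ($cmd -match '(?i)\bnode(\.exe)?\b' -and $cmd -match '(?i)\\AppData\\') {
            $findings += [pscustomobject]@{ Type = 'RunKey'; Name = "$key\$($p.Name)"; Detail = $cmd }
        }
    }
}

# 2. Live node.exe processes running from AppData or managed by pm2, with their parent
#    (the article describes a hidden PowerShell command spawning the Node.js loader).
Get-CimInstance Win32_Process -Filter "Name = 'node.exe'" | ForEach-Object {
    $cl = [string]$_.CommandLine
    if ($cl -match '(?i)\\AppData\\' -or $cl -match '(?i)pm2') {
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
        $findings += [pscustomobject]@{
            Type   = 'Process'
            Name   = "PID $($_.ProcessId) (parent: $($parent.Name))"
            Detail = $cl
        }
    }
}

# 3. pm2 daemon state directory present for the current user.
$pm2Home = Join-Path $env:USERPROFILE '.pm2'
if (Test-Path $pm2Home) {
    $findings += [pscustomobject]@{ Type = 'pm2'; Name = $pm2Home; Detail = 'pm2 home directory exists' }
}

if ($findings.Count -eq 0) {
    'No Tsundere-style Node.js persistence indicators found on this host.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Because the C2 address is fetched from a smart contract rather than hard-coded, host-side indicators like these are more durable than blocking the current server IP.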

Sturnus Banking Malware Steals Communications from Signal and WhatsApp, Gaining Full Control of The Device https://cybersecuritynews.com/sturnus-banking-malware-steals-communications-from-signal-and-whatsapp/ Thu, 20 Nov 2025 14:18:17 +0000 https://cybersecuritynews.com/?p=133909 A new banking malware called Sturnus has emerged as a significant threat to mobile users across Europe. Security researchers have discovered that this sophisticated Android trojan can capture encrypted messages from popular messaging apps like WhatsApp, Telegram, and Signal by accessing content directly from the device screen after decryption. The malware’s ability to monitor these […]

A new banking malware called Sturnus has emerged as a significant threat to mobile users across Europe.

Security researchers have discovered that this sophisticated Android trojan can capture encrypted messages from popular messaging apps like WhatsApp, Telegram, and Signal by accessing content directly from the device screen after decryption.

The malware’s ability to monitor these communications marks a serious advancement in mobile banking threats, combining credential theft with extensive remote access capabilities.

The malware operates by harvesting banking credentials through convincing fake login screens that perfectly replicate legitimate banking applications.

What makes Sturnus particularly dangerous is its capacity to provide attackers with full device takeover, allowing them to observe all user activity without physical interaction.

Attackers can inject text messages, intercept communications, and even black out the device screen while conducting fraudulent transactions in the background, leaving victims completely unaware of the theft occurring on their compromised devices.

Threat Fabric security analysts identified Sturnus as a privately operated trojan currently in its early testing phase, with targeted campaigns already configured against financial institutions across Southern and Central Europe.

Although the malware remains in limited deployment, researchers emphasize that Sturnus is fully functional and more advanced than several established malware families in certain aspects, particularly regarding its communication protocol and device support capabilities.

Early stages (Source: Threat Fabric)

This combination of sophisticated features and targeted geographic focus suggests attackers are refining their tools before launching broader operations.

The current threat landscape indicates that Sturnus.A operates with region-specific targeting, using tailored overlay templates designed for Southern and Central European victims.

The malware’s operators demonstrate clear focus on compromising secure messaging platforms, testing the trojan’s ability to capture sensitive communications across different environments.

The relatively few samples detected so far, combined with short intermittent campaigns rather than sustained large-scale activity, indicate the operation remains in evaluation and tuning phases.

Understanding the Communication Protocol

The malware’s complex communication structure inspired its name, drawing parallels to the Sturnus vulgaris bird, whose rapid and irregular chatter jumps between whistles, clicks, and imitations.

Sturnus mirrors this chaotic pattern through its layered mix of plaintext, RSA, and AES communications that switch unpredictably between simple and complex messages.

Capabilities (Source: Threat Fabric)

The malware establishes a connection with its command-and-control server using both WebSocket (WSS) and HTTP channels, transmitting a combination of encrypted and plaintext data primarily over WebSocket connections.

The technical handshake begins with an HTTP POST request where the malware registers the device using a placeholder payload. The server responds with a UUID client identifier and an RSA public key.

The malware then generates a 256-bit AES key locally, encrypts it using RSA/ECB/OAEPWithSHA-1AndMGF1Padding, and transmits the encrypted key back while storing the plaintext AES key on the device in Base64 format.

Once key exchange completes, all subsequent communication receives protection through AES/CBC/PKCS5Padding with a 256-bit encryption key.

The trojan generates a fresh 16-byte initialization vector for each message, prepends it to the encrypted payload, and wraps the result in a custom binary frame that carries a message-type header, the message length, and the client UUID.

This sophisticated encryption scheme demonstrates the developers’ expertise in secure communications while maintaining malicious functionality.

Samourai Wallet Cryptocurrency Mixing Founders Jailed for Laundering Over $237 Million https://cybersecuritynews.com/samourai-wallet-cryptocurrency-mixing-founders-jailed/ Thu, 20 Nov 2025 14:06:56 +0000

The U.S. Attorney’s Office, Southern District of New York, has announced the sentencing of Keonne Rodriguez and William Lonergan Hill, co-founders of Samourai Wallet, a cryptocurrency mixing application designed specifically to hide illegal financial transactions.

Rodriguez, who served as the Chief Executive Officer, received a five-year prison sentence on November 6, 2025, while Hill, the Chief Technology Officer, was sentenced to four years on November 19, 2025.

Their criminal enterprise facilitated the laundering of over $237 million in illicit funds through their mobile application platform.

Starting around 2015, Rodriguez and Hill developed Samourai with the explicit purpose of concealing criminal proceeds.

The application’s architecture centered on two core services built specifically to obstruct law enforcement investigations and prevent financial tracing.

Over 80,000 Bitcoin, valued at more than $2 billion at the time, flowed through their services, generating approximately $6 million in fees for the operators.

According to the U.S. Attorney's Office for the Southern District of New York, the criminal proceeds originated from multiple sources, including drug trafficking, darknet marketplaces, cyber-intrusions, frauds, sanctioned jurisdictions, murder-for-hire schemes, and child pornography operations.

How Samourai’s Technical Infrastructure Enabled Money Laundering

The mixing service functioned through two primary obfuscation mechanisms. The first, known as “Whirlpool,” coordinated Bitcoin exchanges among user groups, effectively scrambling the blockchain record and making fund origins virtually untraceable to law enforcement and cryptocurrency exchanges.

The second service, called “Ricochet,” inserted unnecessary intermediate transactions referred to as “hops” between sending and receiving addresses, significantly complicating the ability of monitoring entities to establish connections between transfers and criminal activities.

Beyond the technical infrastructure, Rodriguez and Hill actively promoted their service to criminal communities.

Hill marketed Samourai on Dread, a darknet forum, explicitly recommending Whirlpool as the optimal method to “clean dirty BTC.”

Similarly, Rodriguez personally encouraged social media platform hackers via Twitter to route their stolen proceeds into Samourai’s Whirlpool service in July 2020, demonstrating direct knowledge and intentional facilitation of criminal activity.

The sentencing reflects the serious consequences of operating money laundering services, regardless of the technology employed, signaling law enforcement’s commitment to pursuing cryptocurrency-based financial crime.
