New FileFix attack uses cache smuggling to evade security software


BLUF: Threat actors are using a sophisticated variant of the FileFix social engineering attack, known as cache smuggling. It plants malicious ZIP archives in a victim’s browser cache. This enables execution of malware while bypassing security software checks for active file downloads or web requests.

The new FileFix campaign lures victims with a spoofed tool such as “Fortinet VPN Compliance Checker.” The user is told to copy a seemingly innocuous network file path and paste it into the Windows File Explorer address bar.

However, the text copied to the clipboard is heavily padded with spaces, concealing a malicious PowerShell command that is executed in headless mode when the user presses Enter.

The principle behind the attack is ‘cache smuggling’. When the user accesses the phishing page for the first time, JavaScript requests the browser to fetch a payload which has been disguised as a legitimate JPEG image. The browser caches this file, which actually contains a malicious ZIP archive.

The PowerShell script scans the local browser cache, extracts the hidden archive, and launches the malware from the local system without initiating any new web requests.

This method circumvents established security programmes that monitor network traffic or file downloads. The technique is being rapidly adopted by various threat actors, including ransomware gangs.

Action points

  • It is critically important to never copy and paste text or commands provided by an external website into operating system dialogue boxes, terminal windows, or address bars.
  • Organisationally, Endpoint Detection and Response (EDR) capabilities should be used that look for PowerShell scripts interacting with or manipulating browser cache files, or which execute in a hidden (headless) manner. These are clear indicators of this attack vector.
  • Browsers and security software should restrict or audit the automatic execution of files retrieved from the browser cache by command-line utilities.
  • Consider implementing ‘zero trust’ security policies that limit the execution of unrecognised executable files, even if they originate from what appears to be a local path, such as a file extracted from the browser cache.
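An added example, not from the article: detection logic for the EDR action point above, run over constructed process-creation events. It scores PowerShell launches on the indicators the article names (hidden window, browser cache paths, File Explorer as the parent); the event field names and the cache directory patterns are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample process-creation events (not real telemetry). Field names are
# an assumption; map them from your EDR or Sysmon Event ID 1 schema.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"id": "e1", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": r'powershell.exe -NoProfile -File C:\Scripts\nightly-backup.ps1'},
    {"id": "e2", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": r'powershell.exe -w hidden -c "Get-ChildItem '
                r'$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Cache\Cache_Data"'},
    {"id": "e3", "parent": "svchost.exe", "image": "powershell.exe",
     "cmdline": r'powershell.exe -WindowStyle Hidden -File C:\Tasks\inventory.ps1'},
    {"id": "e4", "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": r'powershell.exe -c "Get-Item '
                r'$env:LOCALAPPDATA\Mozilla\Firefox\Profiles\x1.default\cache2"'},
]

# PowerShell accepts abbreviated switches, so catch -w hidden as well as -WindowStyle Hidden.
HIDDEN_WINDOW = re.compile(r"(?<![\w-])-w\w*\s+hidden\b", re.I)
# Chromium-family and Firefox cache directories under the user profile (assumed layouts).
BROWSER_CACHE = re.compile(r'\\User Data\\[^\\"]+\\Cache|\\Firefox\\Profiles\\[^\\"]+\\cache2', re.I)
WEIGHTS = {"hidden window": 1, "browser cache path": 2, "parent is explorer.exe": 1}


def assess(event: Dict[str, str]) -> List[str]:
    """Indicators present on one PowerShell launch (empty for other images)."""
    if event["image"].lower() != "powershell.exe":
        return []
    cmd = event["cmdline"]
    reasons = []
    if HIDDEN_WINDOW.search(cmd):
        reasons.append("hidden window")
    if BROWSER_CACHE.search(cmd):
        reasons.append("browser cache path")
    # Explorer as parent matches the address-bar paste, but only counts alongside another hit.
    if reasons and event["parent"].lower() == "explorer.exe":
        reasons.append("parent is explorer.exe")
    return reasons


def score(event: Dict[str, str]) -> int:
    return sum(WEIGHTS[r] for r in assess(event))


def find_suspicious(events: List[Dict[str, str]], threshold: int = 2) -> List[str]:
    """IDs of events at or above the threshold; a lone hidden window is too noisy by itself."""
    return [e["id"] for e in events if score(e) >= threshold]
```

Any PowerShell touching a browser cache directory alerts on its own; a hidden window alerts only when combined with a launch from Explorer.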

Read more here.

The rise of ‘no malware’ attacks and ransomware

BLUF: Database ransomware, which relies on native database commands rather than traditional malware to wipe data from exposed servers, represents a persistent and automated extortion threat to organisations.

This form of ‘malware-less’ attack operates by exploiting misconfigured, Internet-facing database services. Targets include MongoDB and PostgreSQL. Attackers authenticate using weak or non-existent credentials before remotely connecting to the server. Once inside, they steal data and then use legitimate, destructive database queries (such as DROP DATABASE or bulk DELETE commands) to erase the data. They then insert a ransom note into a new table or document.

This produces the effect of denial of service, but without dropping a detectable binary. Because the attacks use authorised operations within normal protocols, they can bypass conventional host-based security defences.

The result is not only data loss and double extortion attempts but also a significant risk of lateral movement and privilege escalation for Remote Code Execution (RCE) in the wider environment.

Action points

  • Network segmentation: Isolate database servers by placing them in private network segments, protected by strict firewalls and security groups that only permit access from trusted application servers.
  • Secure remote access: Do not expose database ports directly to the Internet; instead, route remote administrative access through a secure jump server protected by multi-factor authentication (MFA).
  • Enforce strong authentication: Disable password-less access and mandate the use of unique, strong credentials for all database accounts.
  • Backup and recovery: Implement a robust strategy of regular, automated backups for all critical data. Store these backups in a separate, access-controlled location, and routinely test the data recovery process.
  • Continuous attack surface mapping: Proactively scan the environment to map the effective attack surface, continuously identifying and correcting exposed database instances and misconfigurations.
  • Monitor for IOCs: Establish monitoring for Indicators of Compromise (IOCs), such as the creation of new tables or documents named similarly to ransom notes (e.g., README_TO_RECOVER).
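An added example, not from the article or any vendor: a scan of constructed PostgreSQL statement logs for the patterns described above (DROP DATABASE, bulk DELETE, and ransom-note objects such as README_TO_RECOVER), with a triage step that raises sessions combining a wipe and a note. The log prefix, the keyword list and the sample lines are assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Assumes PostgreSQL logging with log_statement = 'all' and
# log_line_prefix = '%m [%p] %u@%d ' (adapt LINE to your own prefix).
LINE = re.compile(r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>\w+)@(?P<db>\w+) "
                  r"LOG:\s+statement: (?P<sql>.*)$")
# Rule name -> pattern. The ransom-note keyword list is a constructed starting point.
RULES = [
    ("destructive", re.compile(r"^\s*(?:DROP\s+(?:DATABASE|TABLE|SCHEMA)|TRUNCATE)\b", re.I)),
    ("bulk-delete", re.compile(r"^\s*DELETE\s+FROM\s+[\w.\"]+\s*;?\s*$", re.I)),
    ("ransom-note", re.compile(r"^\s*(?:CREATE\s+TABLE|INSERT\s+INTO)\s+[\w.\"]*"
                               r"(?:readme|recover|restore|ransom|warning)", re.I)),
]
# Constructed sample log: a normal app session (pid 4321), then an attacker who
# authenticated as the superuser, wiped the data and left a note (pids 5588, 5590).
SAMPLE_LOG = """\
2025-09-20 10:15:01.001 UTC [4321] app@shop LOG:  statement: SELECT * FROM orders WHERE id = 42;
2025-09-20 10:15:02.120 UTC [4321] app@shop LOG:  statement: DELETE FROM orders WHERE id = 42;
2025-09-20 11:02:10.550 UTC [5588] postgres@shop LOG:  statement: DELETE FROM orders;
2025-09-20 11:02:15.004 UTC [5590] postgres@postgres LOG:  statement: DROP DATABASE shop;
2025-09-20 11:02:16.300 UTC [5590] postgres@postgres LOG:  statement: CREATE TABLE README_TO_RECOVER (note text);
2025-09-20 11:02:16.900 UTC [5590] postgres@postgres LOG:  statement: INSERT INTO README_TO_RECOVER VALUES ('pay to restore');
""".splitlines()


def classify(sql: str) -> List[str]:
    """Names of the rules one statement trips (empty for normal traffic)."""
    return [name for name, pat in RULES if pat.search(sql)]


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """One finding per (statement, rule) hit, carrying pid/user/db for triage."""
    findings = []
    for line in lines:
        m = LINE.match(line)
        if m:  # skip non-statement lines and prefixes the regex does not understand
            for rule in classify(m["sql"]):
                findings.append({**m.groupdict(), "rule": rule})
    return findings


def high_confidence(findings: List[Dict[str, str]]) -> List[str]:
    """PIDs whose session both destroyed data and created a ransom-note object."""
    rules_by_pid = defaultdict(set)
    for f in findings:
        rules_by_pid[f["pid"]].add(f["rule"])
    return sorted(pid for pid, rules in rules_by_pid.items()
                  if "ransom-note" in rules and rules & {"destructive", "bulk-delete"})
```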

Read more here (vendor article).

The Y2K38 bug is a vulnerability, not just a date problem

BLUF: The Y2K38 and related time rollover issues are critical security vulnerabilities that can be exploited by threat actors today through time manipulation to cause system failures, security bypasses, and physical damage, rather than just being a future date-related programming bug.

The Year 2038 problem (Y2K38), which affects systems using a 32-bit integer to store time as seconds since 1970, poses an immediate security risk because time manipulation techniques, such as NTP injection or GPS spoofing, allow malicious actors to force the date rollover today, causing systems to malfunction or crash.

This vulnerability impacts a wide range of critical and embedded systems, including Industrial Control Systems (ICS), potentially leading to physical harm or catastrophic operational failures, while also compromising core cybersecurity functions like logging, forensics, and time-based authentication.

Unlike the Y2K bug, remediation is significantly more challenging, potentially requiring complex and costly migration from 32-bit to 64-bit architecture, rather than simple software fixes, particularly for the millions of difficult-to-update legacy and embedded devices. Stakeholders should treat the issue as an active vulnerability and prioritise fixes using established frameworks. A global effort is necessary to identify, upgrade, and develop contingency plans for vulnerable critical assets before the inevitable rollover date.
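An added illustration, not from the article, of why a forced rollover is a security bypass rather than only a date glitch: it wraps a timestamp the way a signed 32-bit time_t does and runs the same expiry check with 32-bit and 64-bit arithmetic. The token expiry value is constructed.

```python
from datetime import datetime, timedelta, timezone

INT32_MAX = 2**31 - 1            # last second a signed 32-bit time_t can hold
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def to_int32(seconds: int) -> int:
    """Wrap a Unix timestamp exactly as a signed 32-bit time_t does."""
    return (seconds + 2**31) % 2**32 - 2**31


def unix_to_utc(seconds: int) -> datetime:
    return EPOCH + timedelta(seconds=seconds)


def rollover_instant() -> datetime:
    """The moment the counter overflows: 2038-01-19 03:14:07 UTC."""
    return unix_to_utc(INT32_MAX)


def clock_after_rollover(seconds_past: int = 1) -> datetime:
    """Where a 32-bit clock lands once pushed past the rollover (December 1901)."""
    return unix_to_utc(to_int32(INT32_MAX + seconds_past))


def token_valid_32bit(expires_at: int, now: int) -> bool:
    """Expiry check as a 32-bit time_t system performs it: both operands wrap."""
    return to_int32(now) < to_int32(expires_at)


def token_valid_64bit(expires_at: int, now: int) -> bool:
    """The same check with a 64-bit time_t, the migration the article describes."""
    return now < expires_at


if __name__ == "__main__":
    EXPIRED = 1_700_000_000              # constructed token that expired on 2023-11-14 UTC
    forced_now = INT32_MAX + 1           # system clock pushed one second past the rollover
    print("rollover at", rollover_instant())
    print("32-bit clock now reads", clock_after_rollover())
    print("64-bit check rejects expired token:", not token_valid_64bit(EXPIRED, forced_now))
    print("32-bit check accepts it (bypass):", token_valid_32bit(EXPIRED, forced_now))
```

The same wrapped value is what a 32-bit system would stamp on its log records, which is why the article lists logging and forensics among the affected functions.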

A final thought: we are much, much closer to Y2K38 than we are to the original Y2K bug.

More discussion here.

Flights cancelled after cyber attack hits European airports as Heathrow warns of delays

From: independent.co.uk

Flights have been delayed and cancelled at several European airports after a cyber attack targeting a service provider for check-in and boarding systems.

The attack has rendered automated systems inoperable, allowing only manual check-in and boarding procedures, according to Brussels Airport.

London Heathrow and Berlin airport also said the attack was disrupting their flights, with passengers advised to confirm their travel with airlines before heading to the airport on Saturday.

Read more (& live updates)…

First known AI-powered ransomware uncovered by ESET Research

From: welivesecurity.com


ESET researchers have discovered what they called “the first known AI-powered ransomware”. The malware, which ESET has named PromptLock, has the ability to exfiltrate, encrypt and possibly even destroy data, though this last functionality appears not to have been implemented in the malware yet.

While PromptLock was not spotted in actual attacks and is instead thought to be a proof-of-concept (PoC) or a work in progress, ESET’s discovery shows how malicious use of publicly-available AI tools could supercharge ransomware and other pervasive cyberthreats.

Read more…

FBI seized multiple piracy sites distributing pirated video games

From: securityaffairs.com

FBI seizes multiple piracy sites for Nintendo Switch and PlayStation 4 games, dismantling their infrastructure.

The FBI, with the help of the Dutch FIOD, seized multiple piracy sites distributing pirated video games, including nsw2u.com, ps4pkg.com, and mgnetu.com, dismantling their infrastructure. These sites, active for over four years, offered early access to popular game titles and logged 3.2 million downloads between February and May 2025, causing an estimated $170 million in losses.

Read more…