News – BU-CERT

13-year-old hacks Microsoft Teams, rewrites rules for global security program

Posted on 6 July 2025

From interestingengineering.com

Dylan has filed over 20 vulnerabilities, earned a top-three finish at Zero Day Quest, and changed Microsoft’s security policy.

Bug bounty programs attract some of the most skilled engineers in cybersecurity. These are professionals who find their way through enterprise-level software in search of vulnerabilities for recognition, impact, or high payouts.

But Dylan, a high school junior, entered that world at just 13. His first major find, a critical Microsoft Teams vulnerability, didn’t just earn him accolades. It led Microsoft to rewrite the rules of its bug bounty program to allow teenage researchers.

chwoot: Critical Linux vulnerability makes users root on most systems

Posted on 3 July 2025

From heise.de

An example exploit is available online and works on many standard systems. Admins should quickly install the available updates.

There is a critical security flaw in the Linux tool “sudo” and makes unprivileged users “root”, the system administrator, in no time at all. The reason for the malaise: a bug in the chroot function of sudo. This function is actually intended to “lock” users in their home directory, but allows them to break out of it and extend their rights. An update is available; admins of multi-user systems should act quickly.

The vulnerability exploits a bug in the chroot implementation. Between two function calls, this calls the “Name Service Switch” (NSS), which in turn loads the file /etc/nsswitch.conf. The attacker can now cause this function to load a file he has prepared with C code (a dynamic .so library) and execute it with root rights.

Notepad++ Vulnerability Let Attacker Gain Complete System Control – PoC Released

Posted on 25 June 2025

From cybersecuritynews.com

A severe privilege escalation vulnerability has been discovered in Notepad++ version 8.8.1, potentially exposing millions of users worldwide to complete system compromise.

The flaw, designated CVE-2025-49144, allows attackers to gain SYSTEM-level privileges through a technique known as binary planting, with a proof-of-concept demonstration now publicly available.

The vulnerability affects the Notepad++ v8.8.1 installer released on May 5, 2025, exploiting an uncontrolled executable search path that enables local privilege escalation attacks.

India-based car-sharing company Zoomcar suffered a data breach impacting 8.4M users

Posted on 17 June 2025

From securityaffairs.com

Zoomcar is an India-based car-sharing and self-drive car rental company. Zoomcar discovered a data breach impacting 8.4M users after threat actors contacted the internal personnel claiming the compromise of internal systems.

The company is investigating the security breach and has determined that the exposed information included names, contacts, and addresses. No financial data or passwords were compromised.

Ransomware Gangs Exploit Unpatched SimpleHelp Flaws to Target Victims with Double Extortion

Posted on 14 June 2025

From TheHackerNews.com

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday disclosed that ransomware actors are targeting unpatched SimpleHelp Remote Monitoring and Management (RMM) instances to compromise customers of an unnamed utility billing software provider.

“This incident reflects a broader pattern of ransomware actors targeting organizations through unpatched versions of SimpleHelp RMM since January 2025,” the agency said in an advisory.

Over 4 billion user records leaked in “largest breach ever” – here’s what you need to know

Posted on 10 June 2025

From techradar.com

A huge dataset has been discovered unsecured online by researchers
This contained roughly 4 billion records – including personal information
The data could potentially be part of a surveillance effort targeting Chinese citizens

Fake IT support calls hit 20 orgs, end in stolen Salesforce data and extortion, Google warns

Posted on 4 June 2025

Victims include hospitality, retail and education sectors

From theRegister.com

A group of financially motivated cyberscammers who specialize in Scattered-Spider-like fake IT support phone calls managed to trick employees at about 20 organizations into installing a modified version of Salesforce’s Data Loader that allows the crims to steal sensitive data.

Google Threat Intelligence Group (GTIG) tracks this crew as UNC6040, and in research published today said they specialize in voice-phishing campaigns targeting Salesforce instances for large-scale data theft and extortion.