Welcome to Cyberchat, our quarterly newsletter that keeps you updated on relevant news stories and cybersecurity threats that may put organizations at risk, as well as tips and solutions to help protect against these malicious activities.
Here’s what is top of mind for Q2 2025:
AI Code Hallucinations Increase the Risk of “Package Confusion” Attacks
The efficiency of Artificial Intelligence (AI) code writing is appealing to any understaffed or time-crunched organization, but there are potential security risks if it’s used haphazardly. Wired recently highlighted how AI hallucinations often reference third-party libraries that don’t exist, offering hackers a juicy opportunity to steal data, establish backdoors, or commit other crimes. Threats come not only from in-house apps but also third-party vendors relying on AI-generated code.
Key Takeaways:
- A study of 16 commonly used large language models (LLMs) found 440,000 of the package dependencies in 576,000 code samples were “hallucinated” (i.e., they did not exist).
- At least 21% of the package dependencies of open-source models linked to nonexistent libraries.
- Cybercriminals can publish a malicious package under the same name as a hallucinated library, which is then likely to be installed by code that references that name.
- These attacks are known as package confusion, which is used in supply-chain attacks to poison software at the source.
- In the study, 43 percent of package hallucinations were repeated over 10 queries, potentially creating a domino effect of vulnerability across organizations.
Fake Security Plugin on WordPress Enables Remote Admin Access for Attackers
Your WordPress site might not be as safe as you would like. A new malware campaign is disguising a malicious plugin as a security tool in the hopes of tricking users into installing and trusting it. Organizations that download this malware give hackers ongoing access, remote code execution, and opportunities to inject malicious JavaScript and PHP code.
Key Takeaways:
- The plugin is hidden from the dashboard to evade detection.
- The file names ‘wp-cron.php,’ ‘addons.php,’ ‘wpconsole.php,’ ‘wp-performance-booster.php,’ and ‘scr.php’ have all been used for this type of malicious plugin.
- If the plugin is deleted, the malware recreates and reactivates it automatically on the next site visit.
- This malware uses the REST API to facilitate remote code execution through the injection of malicious code.
- Moreover, hackers can use your site’s resources to serve ads, steal your ad revenue, or even trick visitors into downloading and executing Node.js-based backdoors.
Learn more via The Hacker News
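Because the plugin hides itself from the dashboard, a check for the file names listed above has to read the plugin directory on disk. The following is an added example, not code from the newsletter or the cited report; the `wp-content/plugins` layout, the sample tree and the `example-plugin` name are assumptions constructed for illustration.

```python
import os
import tempfile

# File names the newsletter lists for the fake security plugin.
SUSPECT_NAMES = {"wp-cron.php", "addons.php", "wpconsole.php",
                 "wp-performance-booster.php", "scr.php"}

def find_suspect_plugin_files(wp_root):
    """Walk wp-content/plugins on disk and return matching relative paths.

    The scan is limited to the plugins directory on purpose: WordPress core
    ships a legitimate wp-cron.php in the site root, which must not be flagged.
    """
    plugins_dir = os.path.join(wp_root, "wp-content", "plugins")
    hits = []
    for dirpath, _dirs, files in os.walk(plugins_dir):
        for name in files:
            if name.lower() in SUSPECT_NAMES:
                rel = os.path.relpath(os.path.join(dirpath, name), wp_root)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)

def reappeared_after_cleanup(removed, rescan):
    """Paths that were deleted but show up again in a later scan,
    the recreate-on-next-visit behaviour described above."""
    return sorted(set(removed) & set(rescan))

def build_sample_site(root):
    """Constructed sample tree (not real malware): empty placeholder files."""
    for rel in ("wp-cron.php",                                    # legitimate core file
                "wp-content/plugins/example-plugin/example.php",  # benign, hypothetical
                "wp-content/plugins/wp-cron.php",                 # listed name
                "wp-content/plugins/tools/scr.php"):              # listed name
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample_site(site)
        first = find_suspect_plugin_files(site)
        print("suspect files:", first)
        for rel in first:
            os.remove(os.path.join(site, rel))
        build_sample_site(site)  # stands in for the malware recreating itself
        print("reappeared:", reappeared_after_cleanup(first, find_suspect_plugin_files(site)))
```

A name match is only a lead for review, since unrelated plugins can ship files with the same names; a file that returns after deletion is the stronger signal.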
Why Top SOC Teams Are Shifting to Network Detection and Response
Cybercriminals are increasingly adept at evading endpoint-based defenses and signature-based detection systems, so security operations center (SOC) teams need to evolve. The Hacker News recently highlighted the growing need for network detection and response (NDR) as part of a multi-layered approach to detecting and mitigating threats. Security teams that employ NDR solutions often immediately discover basic network visibility issues or suspicious activities that had been previously invisible.
Key Takeaways
- The ability of NDR solutions to capture and analyze raw network traffic and metadata to detect malicious activities, security anomalies, and protocol violations makes them indispensable.
- Rapidly expanding and diversifying attack vectors, privacy-centric technology, device proliferation, and cybersecurity workforce shortages are contributing to the need for NDR.
- The average time between initial compromise and detection is still at 21 days in many industries – and some breaches go undetected for years.
- Hackers have grown more sophisticated in their strategies, using stolen credentials to move laterally, encrypted channels to communicate, and carefully timed attacks to blend with normal activity.
- Effective NDR must be cloud-native and align with SOAR (Security Orchestration, Automation and Response) platforms.
Learn more via The Hacker News
Zero-Day Exploitation Drops Slightly from Last Year, Google Report Finds
Good news in the world of cybersecurity: hackers appear to have exploited fewer zero-day vulnerabilities in 2024 than 2023. A recent Google report indicates that more teams are baking security into their software development practices, which reduces some instances of zero-day attacks without completely solving the problem, showing how the industry remains adaptive in challenging times.
Key Takeaways
- “Vendor investments in exploit mitigations are having a clear impact on where threat actors are able to find success,” said Google.
- Government-backed cyber espionage operations accounted for 29% and spyware firms accounted for 23.5% of zero-day attacks in 2024.
- Zero-day exploits decreased by about one-third for internet browsers and one-half for mobile devices.
- Cyber threat actors are quickly pivoting their attacks to enterprise platforms in the hopes of compromising systems and networks for greater profitability.
- One bit of bad news from the report is a three-year trend suggesting a steady increase in the number of vendors with zero-day vulnerabilities, showing that the fight is far from over.
Learn more via Cybersecurity Dive
Customer Account Takeovers: The Multi-Billion Dollar Problem You Don’t Know About
Account takeover (ATO) attacks are common these days. They might seem like a mere inconvenience for enterprises and corporations, even though hackers often gain access to thousands of customer accounts daily. However, the impact on in-house labor, the increase in fraud, and customer churn make them an expensive problem, along with concerns about the safety and security of AI.
Key Takeaways
- Reports find a median ATO exposure rate of 1.4% among platforms ranging from five million to 300 million users.
- One major problem is the rise of session hijacking, which allows attackers to bypass multi-factor authentication by stealing session cookies.
- Whether the attack is caused by a company or user mistakes, 73% of consumers believe the brand – not the user – is still responsible for preventing ATOs.
- Only 43% of users affected by ATO attacks said the company notified them about the compromise.
- To prevent and mitigate ATOs, monitor the infostealer ecosystem, detect and remediate exposed accounts, and take a security-first approach.