Overly Permissive Default IAM Roles in AWS Pose Critical Security Risks
Researchers at Aqua Security have identified several risky default IAM roles in Amazon Web Services that attackers could exploit to escalate privileges and move laterally across cloud environments. These roles are created automatically when services such as Amazon SageMaker, AWS Glue, Amazon EMR, and Amazon Lightsail are set up. Although intended to simplify service integration, many of them carry overly broad permissions, most notably the AmazonS3FullAccess managed policy, which grants read and write access to every S3 bucket in the account. An attacker who compromises a service running under one of these roles can discover and manipulate critical cloud assets, including CloudFormation templates, SageMaker resources, EMR scripts, and Glue jobs, and so bypass service isolation boundaries, execute code, extract credentials, and pivot within the environment. One of the more concerning examples is importing a poisoned machine learning model into SageMaker: the model triggers code execution under the role's credentials and opens access to other services. Left unrestricted, these default permissions silently create attack paths that can end in full account compromise. Aqua Security also noted similarly dangerous configurations in open-source projects, in particular the Ray framework, which creates a default IAM role named ray-autoscaler-v1 with AmazonS3FullAccess attached. Exploiting these roles does not require guessing S3 bucket names, because the granted permissions include listing every bucket in the account. Once a target bucket is identified, an attacker can alter configurations or inject backdoors to escalate privileges further; in one hypothetical chain described by the researchers, access to SageMaker leads to full compromise of AWS Glue, credential theft, and a system-wide breach. In response to the findings, AWS has modified the default S3 access policies attached to service-created IAM roles. 
Cloud administrators are nonetheless urged to audit their existing IAM configurations, reduce permission scopes, and stop relying on default roles wherever possible. The research reinforces the broader need for organizations to manage identity and access controls proactively as cloud infrastructures grow more complex.
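One way to run the audit the researchers recommend, as an added example that is not Aqua Security's tooling or AWS code: the script below walks IAM policy documents in their standard JSON form (the shape returned by `aws iam get-policy-version` and `aws iam get-role-policy`) and flags any Allow statement that grants a sensitive S3 action on every resource, which is exactly what AmazonS3FullAccess does. The role names, the example bucket and the scoped replacement policy are constructed for this example; the AmazonS3FullAccess document itself is reproduced as AWS publishes it.

```python
"""Audit IAM role policies for broad S3 grants (the AmazonS3FullAccess pattern).

Added example, not code from Aqua Security or AWS. Works on IAM policy documents
in their standard JSON form. Role names and bucket names are constructed.
"""
import fnmatch

# S3 actions that let a role enumerate, read or modify data across the account.
SENSITIVE_S3_ACTIONS = (
    "s3:ListAllMyBuckets", "s3:ListBucket",
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject",
)
# Resource values that mean "every bucket and object in the account".
BROAD_RESOURCES = {"*", "arn:aws:s3:::*"}


def _as_list(value):
    """IAM allows Statement/Action/Resource to be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def action_covers(pattern, action):
    """IAM action matching is case-insensitive and supports '*' (e.g. 's3:*')."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def broad_s3_grants(policy_doc):
    """Return Allow statements that grant a sensitive S3 action on every resource."""
    findings = []
    for stmt in _as_list(policy_doc.get("Statement")):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue  # Deny statements and NotAction forms are out of scope here
        if not BROAD_RESOURCES.intersection(_as_list(stmt.get("Resource"))):
            continue  # scoped to specific ARNs: not the pattern we are hunting
        granted = sorted(
            act for act in SENSITIVE_S3_ACTIONS
            if any(action_covers(pat, act) for pat in _as_list(stmt["Action"]))
        )
        if granted:
            findings.append({"sid": stmt.get("Sid"), "actions": granted})
    return findings


def audit_roles(roles):
    """roles: [{'name': str, 'policies': [{'name': str, 'document': dict}]}].
    Returns {role_name: [finding, ...]}; an empty list means no broad S3 grant."""
    report = {}
    for role in roles:
        hits = []
        for pol in role["policies"]:
            for finding in broad_s3_grants(pol["document"]):
                hits.append({"policy": pol["name"], **finding})
        report[role["name"]] = hits
    return report


# The AmazonS3FullAccess managed policy as AWS publishes it.
S3_FULL_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "s3-object-lambda:*"], "Resource": "*"}]}

# A scoped replacement: one hypothetical bucket, only the actions the job needs.
S3_SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket"],
     "Resource": "arn:aws:s3:::example-glue-scripts"},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-glue-scripts/*"}]}

# Constructed sample roles; the names are hypothetical.
SAMPLE_ROLES = [
    {"name": "AWSGlueServiceRole-default",
     "policies": [{"name": "AmazonS3FullAccess", "document": S3_FULL_ACCESS}]},
    {"name": "glue-job-scoped",
     "policies": [{"name": "glue-scripts-bucket-only", "document": S3_SCOPED}]},
]

if __name__ == "__main__":
    for role, hits in audit_roles(SAMPLE_ROLES).items():
        print(f"{role}: {'BROAD S3 ACCESS' if hits else 'ok'}")
        for h in hits:
            print(f"  via {h['policy']}: {', '.join(h['actions'])}")
```

To run this against a real account, build the `roles` list from `aws iam list-roles`, `list-attached-role-policies` plus `get-policy-version`, and `list-role-policies` plus `get-role-policy`; the analyzer itself needs no network access. Deny statements, NotAction and condition keys are deliberately ignored, so treat the output as a worklist for review rather than a verdict.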
Critical WordPress Theme Vulnerability Leaves Thousands of Sites Exposed
A critical vulnerability, CVE-2025-4322 (CVSS 9.8), has been discovered in the Motors WordPress theme, affecting all versions up to and including 5.6.67. The flaw lets unauthenticated attackers reset the password of any user account, including administrators. The root cause is improper validation in the password recovery function: the theme never verifies that a password reset was genuinely requested. An attacker supplies an invalid UTF-8 sequence in the hash_check parameter; the value passes the initial !empty() check, is then run through esc_attr(), which strips the invalid bytes and returns an empty string, and that empty string reaches the comparison, where it matches the empty hash stored for a user with no pending reset, so the hash verification is bypassed. With administrative access, an attacker can upload malicious files, inject malware, redirect visitors to phishing sites, or modify site content. The theme, developed by StylemixThemes, is widely used by automotive dealerships, classified-listing sites, and rental services, so the potential impact is extensive. No exploitation in the wild has been confirmed, but the ease of exploitation and the severity of the flaw pose a significant risk to affected websites. StylemixThemes was notified on May 5, 2025 and released the patched version 5.6.68 on May 14. Wordfence, a WordPress security company, added firewall protection against the exploit for its Premium, Care, and Response subscribers on May 6, with free users scheduled to receive the same protection on June 5, 2025. Site owners running the Motors theme are strongly urged to update to the latest version immediately. Strong passwords, two-factor authentication, and regular security audits are recommended to harden the site further. 
Given the critical nature of this vulnerability and the potential for complete site takeover, prompt action is essential to protect affected websites from potential exploitation.
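The sanitize-then-compare flaw, modelled in Python as an added example that is not the Motors theme's PHP: `sanitize_like_esc_attr` reproduces only the one property of WordPress's esc_attr() that matters here, that invalid UTF-8 input comes back as an empty string, and `ResetStore` stands in for user meta, which reads back as an empty string when it was never set. The class, its field names and the user names are constructed for the example. The vulnerable function reproduces the advisory's ordering (emptiness check on the raw value, then sanitization, then comparison); the hardened one refuses to compare unless a non-empty, unexpired token is actually pending.

```python
"""Password-reset token check: the sanitize-then-compare flaw and a fail-closed version.

Added example in Python modelling the pattern the advisory describes; not the
theme's code. Names and the in-memory store are constructed.
"""
import hmac
import secrets
import time


def sanitize_like_esc_attr(raw: bytes) -> str:
    """Invalid UTF-8 becomes '' (the esc_attr() behaviour that matters here)."""
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return ""


class ResetStore:
    """Per-user reset record {'hash': str, 'expires': float}; unknown user -> {}.
    Stands in for WordPress user meta, which reads back as '' when never set."""

    def __init__(self):
        self._meta = {}

    def issue(self, user, ttl_seconds=900):
        token = secrets.token_urlsafe(32)
        self._meta[user] = {"hash": token, "expires": time.time() + ttl_seconds}
        return token

    def get(self, user):
        return self._meta.get(user, {})

    def clear(self, user):
        self._meta.pop(user, None)


def vulnerable_reset_allowed(store, user, hash_check: bytes) -> bool:
    """Flawed flow: emptiness check on the raw value, sanitize, then compare."""
    if not hash_check:                                # !empty($_POST['hash_check'])
        return False
    supplied = sanitize_like_esc_attr(hash_check)     # b'\xff' -> ''
    stored = store.get(user).get("hash", "")          # never requested -> ''
    return supplied == stored                         # '' == '' -> reset proceeds


def hardened_reset_allowed(store, user, hash_check: bytes) -> bool:
    """Fail closed: a pending, unexpired token must exist and match in constant time."""
    supplied = sanitize_like_esc_attr(hash_check)
    record = store.get(user)
    if not supplied or not record.get("hash"):
        return False                                  # nothing valid to compare
    if time.time() > record["expires"]:
        store.clear(user)
        return False
    if not hmac.compare_digest(supplied.encode(), record["hash"].encode()):
        return False
    store.clear(user)                                 # single use
    return True


if __name__ == "__main__":
    store = ResetStore()
    bad_utf8 = b"\xff"                                # non-empty, sanitizes to ''
    print("vulnerable, no reset requested:", vulnerable_reset_allowed(store, "admin", bad_utf8))
    print("hardened, no reset requested:  ", hardened_reset_allowed(store, "admin", bad_utf8))
    token = store.issue("admin")
    print("hardened, genuine token:       ", hardened_reset_allowed(store, "admin", token.encode()))
```

The general lesson is that sanitization must never be the step that decides equality: validate the token after sanitizing, reject empty values on both sides, and bind the check to a token the application actually issued.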
UnsolicitedBooker Deploys MarsSnake Backdoor in Targeted Espionage Campaign
A China-aligned threat group tracked as UnsolicitedBooker has been tied to a long-running cyber espionage campaign against an international organization in Saudi Arabia. The group was first observed infiltrating the organization in March 2023, with renewed activity in 2024 and again in January 2025. The attacks used spear-phishing emails crafted to resemble flight ticket confirmations from Saudia Airlines, with attached Word documents as the delivery vehicle. The documents ran a malicious macro that deployed a previously undocumented backdoor named MarsSnake. Once installed, the malware contacts a remote server for command and control, giving the operators persistent access, remote command execution, and data theft. Repeated targeting of the same victim across several years strongly suggests the group has a strategic interest in the organization and its operations. UnsolicitedBooker's tactics match those of known Chinese cyber espionage groups, including the use of backdoors such as Chinoxy, DeedRAT, Poison Ivy, and BeRAT. The group is also linked to threat clusters such as Space Pirates and to an unidentified actor previously seen using the Zardoor backdoor against a Saudi-based Islamic nonprofit. Its broader targeting covers government institutions across Asia, Africa, and the Middle East, indicating a focus on politically and diplomatically sensitive entities. The phishing lures mimic routine travel correspondence, exploiting user familiarity to gain initial access. Custom-built malware and repeated, tailored intrusions point to a well-resourced, disciplined operation focused on long-term access and intelligence gathering. Attribution remains partial, but the methods and toolset place the group within the sphere of China-aligned state-sponsored cyber operations. 
Organizations operating in targeted regions or sectors should bolster their defenses by enforcing advanced email security, improving staff awareness, and monitoring for indicators of compromise related to MarsSnake and associated backdoors.
Skitnet Malware Enables Stealthy Post-Exploitation and Lateral Movement in Ransomware Attacks
Skitnet, also known as Bossnet, is a multi-stage malware toolkit increasingly used by ransomware groups for post-exploitation and remote control. First advertised on underground forums in April 2024, it was in use in real-world attacks by early 2025, including Black Basta phishing campaigns against corporate environments. Developed by a threat actor tracked as LARVA-306, Skitnet begins with a Rust-based binary that decrypts and executes an embedded Nim payload, which in turn establishes a reverse shell over DNS. The decrypted payload avoids a conventional import table and resolves Windows API functions dynamically at runtime, which defeats detection that keys on static imports. Once running, it launches several threads that poll the command-and-control server over DNS every ten seconds, retrieving commands and returning their output. Through this channel the operators gain full control of the host, including lateral movement and payload delivery. Supported commands cover persistence, remote access, data collection, and further exploitation: the malware creates startup shortcuts, captures desktop screenshots, deploys legitimate remote access tools such as AnyDesk or Remote Utilities, executes PowerShell scripts fetched from remote servers, and enumerates installed security software. It can also download and run additional payloads through a .NET loader component. The DNS communication channel and the mix of Rust, Nim, PowerShell, and .NET make the malware difficult to detect and analyze; its design favors stealth and adaptability so that attackers can maintain long-term access and move laterally within compromised networks. Skitnet's adoption by ransomware actors underlines its role in advanced intrusion campaigns and the need for stronger controls around phishing, DNS traffic, and script execution.
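The DNS controls the passage calls for can start with a simple beaconing detector. The script below is an added example, not analysis code from any Skitnet write-up: because the payload polls its C2 over DNS on a fixed timer, the signal in resolver logs is one client asking one domain for ever-changing, high-entropy subdomains at a steady cadence, and the detector scores exactly those three features together so that a regular but repetitive health-check query is not flagged. The log lines, the `beacon-c2.invalid` domain, the IP addresses and the thresholds are constructed for this example and should be tuned to a real resolver's volume.

```python
"""Flag DNS beaconing of the kind a DNS-tunnelled reverse shell produces.

Added example, not code from any Skitnet analysis. Scores (client, domain) pairs
on cadence regularity, subdomain churn and label entropy. Log lines, domains,
addresses and thresholds are constructed.
"""
import math
import statistics
from collections import Counter, defaultdict
from datetime import datetime

# Constructed resolver log, one query per line: "<ISO time> <client> <qtype> <qname>".
SAMPLE_LOG = """\
2025-03-01T10:00:00Z 10.0.0.5 A www.example.com
2025-03-01T10:00:00Z 10.0.0.5 TXT 0f3a9c1e7b2d4865.cmd.beacon-c2.invalid
2025-03-01T10:00:03Z 10.0.0.5 A cdn.example.com
2025-03-01T10:00:05Z 10.0.0.9 A status.example.org
2025-03-01T10:00:10Z 10.0.0.5 TXT c81d2a9f7e3b5604.cmd.beacon-c2.invalid
2025-03-01T10:00:15Z 10.0.0.9 A status.example.org
2025-03-01T10:00:17Z 10.0.0.7 A mail.example.com
2025-03-01T10:00:20Z 10.0.0.5 TXT 4e9b0c7d1a8f2635.cmd.beacon-c2.invalid
2025-03-01T10:00:25Z 10.0.0.9 A status.example.org
2025-03-01T10:00:30Z 10.0.0.5 TXT a2f6e8d0c4b19735.cmd.beacon-c2.invalid
2025-03-01T10:00:31Z 10.0.0.5 AAAA www.example.com
2025-03-01T10:00:35Z 10.0.0.9 A status.example.org
2025-03-01T10:00:40Z 10.0.0.5 TXT 5d0e1b9c7a3f8246.cmd.beacon-c2.invalid
2025-03-01T10:00:45Z 10.0.0.9 A status.example.org
2025-03-01T10:00:50Z 10.0.0.5 TXT e7c3a1f9b5d02846.cmd.beacon-c2.invalid
2025-03-01T10:00:55Z 10.0.0.9 A status.example.org
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, client, qtype, qname)."""
    ts, client, qtype, qname = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, qtype, qname.lower().rstrip(".")


def registered_domain(qname):
    """Crude: the last two labels. Production code should use the public suffix list."""
    return ".".join(qname.split(".")[-2:])


def first_label(qname, domain):
    """Leftmost label below the registered domain, or '' when there is none."""
    if qname == domain:
        return ""
    return qname[: -(len(domain) + 1)].split(".")[0]


def shannon_entropy(text):
    """Bits per character; encoded command/data labels score near log2(alphabet)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def score_sessions(lines, min_queries=5, max_jitter=0.25, min_unique=0.9, min_entropy=3.0):
    """Group queries by (client, domain) and return the groups that look like beacons."""
    groups = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, client, _qtype, qname = parse_line(line)
        groups[(client, registered_domain(qname))].append((ts, qname))

    findings = []
    for (client, domain), events in groups.items():
        if len(events) < min_queries:
            continue
        events.sort()
        gaps = [(b - a).total_seconds() for (a, _), (b, _) in zip(events, events[1:])]
        mean_gap = statistics.mean(gaps)
        # Coefficient of variation of the inter-query gap: ~0 means a fixed timer.
        jitter = statistics.pstdev(gaps) / mean_gap if mean_gap else float("inf")
        labels = [first_label(q, domain) for _, q in events]
        unique_ratio = len(set(labels)) / len(labels)      # churn: new label per query
        mean_entropy = statistics.mean(shannon_entropy(l) for l in labels)
        if jitter <= max_jitter and unique_ratio >= min_unique and mean_entropy >= min_entropy:
            findings.append({"client": client, "domain": domain, "queries": len(events),
                             "mean_gap": mean_gap, "jitter": jitter,
                             "unique_ratio": unique_ratio, "mean_entropy": mean_entropy})
    return findings


if __name__ == "__main__":
    for f in score_sessions(SAMPLE_LOG.splitlines()):
        print(f"{f['client']} -> {f['domain']}: {f['queries']} queries every "
              f"{f['mean_gap']:.0f}s, label entropy {f['mean_entropy']:.2f} bits")
```

In the sample, 10.0.0.9 queries status.example.org on the same ten-second timer as the beacon but is not flagged, because the label never changes and carries almost no entropy; requiring all three features together is what keeps monitoring agents and CDN clients out of the alert queue.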