Ransomware Gangs Exploit Paragon Partition Manager Driver for Privilege Escalation
Threat actors exploit a zero-day vulnerability (CVE-2025-0289) in Paragon Partition Manager’s BioNTdrv.sys driver to escalate privileges and execute arbitrary code in ransomware attacks. This flaw is part of a larger set of five vulnerabilities discovered by Microsoft, impacting versions 1.3.0, 1.5.1, and 17 of the driver. Attackers leverage this vulnerability using the Bring Your Own Vulnerable Driver (BYOVD) technique, allowing them to load the signed driver on Windows systems, even if Paragon Partition Manager is not installed, to bypass security defenses and gain SYSTEM-level access. Once exploited, attackers can manipulate kernel memory, disable security tools, and execute malicious payloads, making it a valuable tool for ransomware operators. Microsoft has observed ransomware groups using CVE-2025-0289 in active BYOVD attacks, though the specific groups remain undisclosed. Paragon Software has released version 2.0.0 of the BioNTdrv.sys driver to address these vulnerabilities, while Microsoft has added the affected driver versions to its Vulnerable Driver Blocklist to prevent them from loading in Windows. However, systems without the blocklist enabled remain at risk, as attackers can deploy the vulnerable driver themselves to exploit the flaw. Users and organizations are advised to upgrade Paragon Partition Manager to the latest version and verify that Microsoft’s driver blocklist is active. Additionally, enabling core isolation and restricting unsigned driver installations can help mitigate the risk of BYOVD attacks. With ransomware groups increasingly adopting this technique, ensuring strong endpoint protection and monitoring for anomalous driver activity remains critical in defending against privilege escalation and system compromise.
Massive Data Leak: Thousands of API Keys and Secrets Found in AI Training Data
Security researchers uncovered nearly 12,000 valid API keys, passwords, and other sensitive secrets within the Common Crawl dataset, a massive open-source web archive frequently used to train large language models (LLMs) from OpenAI, Google, Meta, and others. This discovery raises serious concerns about insecure coding practices and the potential risks associated with AI training data. Many of the leaked credentials were hardcoded into front-end HTML and JavaScript rather than being stored securely in server-side environment variables, making them easily accessible to attackers. The dataset contained AWS root keys, MailChimp API keys, Slack webhooks, and WalkScore credentials, with some secrets appearing tens of thousands of times across multiple web pages, increasing the likelihood of exploitation. Attackers could use these exposed keys to launch phishing campaigns, impersonate brands, steal sensitive data, or gain unauthorized access to cloud services. While AI training data undergoes pre-processing and filtering, removing all sensitive information from billions of web pages is nearly impossible. Truffle Security, the research team behind the discovery, worked with impacted vendors to revoke thousands of compromised keys, but this incident highlights the dangers of hardcoded secrets and their potential influence on AI models. Moving forward, organizations must enforce secure coding practices, rotate credentials regularly, and improve security monitoring to prevent unauthorized access to critical systems and sensitive data leaks in AI training datasets.
Poco RAT: New Espionage Malware Targets Latin America
A newly discovered malware variant, Poco RAT, has surfaced in a cyber-espionage campaign targeting Spanish-speaking users in Latin America. Researchers at Positive Technologies have linked this operation to Dark Caracal, a known cyber-mercenary group with a history of surveillance and data theft. The attack begins with phishing emails containing weaponized PDF attachments that impersonate financial documents. These decoy files redirect victims to download malicious archives from cloud services like Google Drive or Dropbox. Inside, a dropper executes Poco RAT without leaving traces on the disk, allowing it to bypass traditional antivirus detection. Once deployed, the malware grants attackers remote access, enabling system command execution, file system navigation, and data exfiltration while using encrypted communication to evade monitoring. Dark Caracal’s shift to Poco RAT marks an evolution from its previous use of Bandook-based backdoors, incorporating advanced evasion techniques and persistence mechanisms. The malware actively checks for virtualized environments, ensuring it runs only on legitimate targets, and leverages legitimate services and URL shorteners to disguise malicious payloads. The campaign primarily impacts victims in Venezuela, Colombia, and Chile, signaling a strategic focus on Latin America. Given its stealthy entry methods and robust espionage capabilities, Poco RAT presents a significant threat to corporate environments. Organizations should enhance phishing defenses, deploy behavioral threat detection, and monitor network traffic for signs of compromise linked to Dark Caracal’s expanding operations.
U.S. Halts Offensive Cyber Ops Against Russia Amid Rising Global Threats
The United States has temporarily suspended offensive cyber operations against Russia, a decision reportedly made by Defense Secretary Pete Hegseth to facilitate potential diplomatic negotiations regarding the Ukraine conflict. While the Pentagon recalibrates its cyber strategy, the Cybersecurity and Infrastructure Security Agency (CISA) has reaffirmed its commitment to defending U.S. critical infrastructure against ongoing cyber threats. Critics argue that pausing U.S. Cyber Command’s operations could embolden Russian state-backed groups like Midnight Blizzard and Sandworm, which continue launching ransomware attacks, phishing campaigns, and supply-chain compromises against American organizations. Some analysts believe the move is part of a broader effort to shift focus toward countering China, whose cyber-espionage campaigns targeting U.S. infrastructure have intensified in recent months. However, cybersecurity experts warn that reducing offensive pressure on Moscow could lead to a surge in Russian cyberattacks, mirroring past escalations following geopolitical lulls. Meanwhile, Chinese hackers infiltrated Belgian security services for two years, extracting sensitive emails and personnel details via a compromised Barracuda Networks email gateway, reinforcing concerns about vulnerabilities in government infrastructure. As nation-state cyber threats, sophisticated cybercrime, and emerging surveillance risks escalate, the decision to halt U.S. cyber operations against Russia reflects the complex balance between diplomacy, deterrence, and resource allocation. However, with adversaries actively exploiting digital weaknesses worldwide, the long-term impact of this strategic shift remains highly uncertain.
