ThreatsDay Bulletin: Smart TV Proxyware, 24-Year curl Vulnerability, AI in Cybercrime, and 13 Additional Security Updates
In a week marked by significant cybersecurity developments, the landscape reveals a troubling trend: outdated practices and lax security measures continue to expose organizations to threats. From vulnerabilities in widely used software to the emergence of sophisticated phishing techniques, the cybersecurity community faces persistent challenges that require immediate attention.
Privacy-First Bot Defense Initiative
Cloudflare has partnered with major web browsers—Google Chrome, Microsoft Edge, and Mozilla Firefox—to introduce a privacy-preserving protocol designed to differentiate between legitimate and malicious web traffic. This initiative employs Private Access Control Tokens (PACT) that allow websites to issue anonymous tokens, confirming that a browsing session is human-operated. This development aims to reduce reliance on cumbersome CAPTCHAs and invasive tracking methods. Cloudflare emphasized that PACT is structured to prevent sites from using it to track or identify users or their browsing history.
Vulnerabilities in Curl
AISLE has disclosed six vulnerabilities in the curl library, ranging from memory management flaws to logic errors in connection validation. Notably, CVE-2026-8932 allows the library to reuse connections despite changes in mTLS configurations that should prevent such actions. This vulnerability is particularly concerning as it has been present since curl version 7.7, released in March 2001. The identified vulnerabilities have been addressed in curl version 8.21.0.
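The defect class behind the connection-reuse issue, modelled as an added Python example that is not curl's code: a keep-alive pool that keys reuse on host and port alone hands a connection authenticated under one client certificate to a request made with another, while a pool that also compares the client TLS settings opens a separate connection. Host names and certificate paths are constructed placeholders.

```python
# Added illustration (not curl's code): models why a keep-alive pool must compare
# the client-side TLS configuration, not just host and port, before reusing a connection.
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class TlsClientConfig:
    client_cert: Optional[str] = None  # hypothetical path to a client certificate
    client_key: Optional[str] = None   # hypothetical path to its private key

@dataclass
class Connection:
    host: str
    port: int
    tls: TlsClientConfig
    connection_id: int

class ConnectionPool:
    """Minimal pool; check_tls=False reproduces the lax match of the defect class."""
    def __init__(self, check_tls: bool) -> None:
        self.check_tls = check_tls
        self.conns: List[Connection] = []
        self.next_id = 0

    def _find(self, host: str, port: int, tls: TlsClientConfig) -> Optional[Connection]:
        for c in self.conns:
            if c.host != host or c.port != port:
                continue
            # Lax matching: host and port alone decide reuse, so a connection
            # authenticated with one client cert silently serves another identity.
            if self.check_tls and c.tls != tls:
                continue
            return c
        return None

    def get(self, host: str, port: int, tls: TlsClientConfig) -> Connection:
        conn = self._find(host, port, tls)
        if conn is None:  # no safe match: open a fresh, separately authenticated connection
            conn = Connection(host, port, tls, self.next_id)
            self.next_id += 1
            self.conns.append(conn)
        return conn

def reuses_across_identities(check_tls: bool) -> bool:
    """True if a request under a different client cert rides the earlier connection."""
    pool = ConnectionPool(check_tls)
    first = pool.get("api.example", 443, TlsClientConfig("alice.pem", "alice.key"))
    second = pool.get("api.example", 443, TlsClientConfig("bob.pem", "bob.key"))
    return first.connection_id == second.connection_id
```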
Unauthenticated Takeover in Hoppscotch
A critical flaw has been identified in self-hosted versions of Hoppscotch, an open-source API platform, with a CVSS score of 10.0. The vulnerability allows unauthenticated attackers to inject arbitrary configuration keys into the database, leading to potential server compromise. Offgrid Security’s AI security agent, Kiro, discovered this flaw, which enables attackers to overwrite sensitive keys like JWT_SECRET and SESSION_SECRET without requiring credentials. The issue has been resolved in hoppscotch-backend version 2026.5.0.
Proxyware in Smart TVs
A report from Spur Intelligence has highlighted a concerning trend: over one-third of LG and Samsung smart TV applications contain proxyware that can relay third-party traffic through users’ internet connections. The analysis of 6,038 apps revealed that 42.5% of LG webOS apps and 26.9% of Samsung Tizen apps included residential proxy software. This situation raises significant privacy concerns, as users may unknowingly consent to share access to their residential IP addresses. Spur’s CTO, Alastair Parr, noted that smart TVs often go unmonitored, making them ideal targets for exploitation.
Edgecution via Microsoft Teams
Zscaler ThreatLabz reported that an initial access broker associated with the Payouts King ransomware has been observed conducting social engineering attacks through Microsoft Teams. The attacker masquerades as IT personnel to deliver a malicious Microsoft Edge browser extension named Edgecution. This extension exploits the Chrome native messaging protocol to gain access to host applications, allowing attackers to manipulate files and execute arbitrary code. The malware operates in a headless browser, remaining undetectable to users.
Legacy Credential Breach Impacting Salesforce
Klue, a competitive intelligence firm, disclosed that a legacy credential from 2022 was exploited by the Icarus extortionists to access Salesforce data from various corporate clients, including cybersecurity firms. The credential was originally issued for a limited pilot program, raising questions about its security management. Several companies confirmed that they experienced data breaches during this incident, highlighting the risks associated with outdated credentials.
Convergence of State and Cybercrime Tactics
NCC Group has observed a troubling trend where nation-state actors are increasingly adopting tactics traditionally associated with financially motivated cybercrime. This convergence blurs the lines between espionage and criminal activity, complicating attribution and response efforts. Matt Hull, VP of Cyber Intelligence and Response at NCC Group, noted that threat actors are sharing infrastructure and tools, making it difficult to distinguish between state-sponsored and financially motivated attacks.
Enhanced Admin Reset Alerts from Google
Google has announced an expansion of its Admin password reset alert system to cover all administrator roles within organizations. This update enhances visibility and control over privileged accounts, allowing for quicker responses to potential compromises. Previously, alerts were limited to super admin password changes.
ClickFix Campaign Targeting macOS
A new ClickFix campaign has been identified that tricks macOS users into executing malicious commands via the Terminal app. This campaign delivers a self-signed information stealer capable of harvesting sensitive data, including system passwords and cryptocurrency wallet information. The malware is linked to the Atomic macOS Stealer (AMOS) lineage, emphasizing the ongoing threat to macOS users.
Cybercriminal Convictions in the UK
Thalha Jubair and Owen Flowers have been convicted in the UK for their roles in a cyberattack on Transport for London (TfL) that resulted in losses of $38.2 million. The duo, part of the Scattered Spider criminal group, utilized social engineering techniques to execute their attack. They are scheduled for sentencing on July 16, 2026.
Extradition of Cybercrime Marketplace Administrator
Abdellah Belmili, an Algerian national, has been extradited to the U.S. on charges of conspiracy to commit bank fraud. Allegations indicate that he acted as an administrator for a cybercrime marketplace and created phishing kits targeting major U.S. financial institutions. The Justice Department has identified approximately 5,600 victims linked to his activities.
Collaboration Phishing Campaigns
A new phishing campaign has emerged that exploits Microsoft 365 collaboration features to facilitate credential theft and malware delivery. This technique involves adding targets to attacker-controlled groups, making malicious activities appear routine and blending them into trusted workflows.
AI’s Role in Cybercrime
Sophos has reported that AI has become a focal point in underground cybercrime communities, with discussions around its potential for malware development and social engineering. While some actors see AI as a tool for enhancing their capabilities, others express concerns about its impact on job opportunities within the cybercrime economy.
REDCap Instances Exposed
Censys has identified over 8,500 REDCap instances globally, primarily in the U.S., U.K., Germany, and Australia. REDCap is widely used for managing sensitive research data. Recent reports attribute a year-long espionage campaign against North American institutions to a China-nexus actor, highlighting the vulnerabilities associated with internet-facing REDCap servers.
Surveillance Technology Export Gaps
A Human Rights Watch report has revealed that a Bulgarian surveillance technology firm sold tools to countries likely to use them for human rights violations. The report underscores significant flaws in the implementation of EU export controls for surveillance technology.
BitB Malware Distribution Techniques
A campaign utilizing the Browser-in-the-Browser (BitB) technique has been identified, leveraging social engineering to distribute malicious payloads. This method tricks victims into downloading and executing harmful software disguised as legitimate updates.
The cybersecurity landscape remains fraught with challenges, as attackers exploit outdated practices and technologies. Organizations must prioritize security measures to mitigate risks associated with these evolving threats.
Source: thehackernews.com