Hackers have posted over 1 Tb of information allegedly stolen from Harvard on the Cl0p data leak website.
The post Harvard Is First Confirmed Victim of Oracle EBS Zero-Day Hack appeared first on SecurityWeek.
Hidden comments allowed full control over Copilot responses and leaked sensitive information and source code.
The post GitHub Copilot Chat Flaw Leaked Data From Private Repositories appeared first on SecurityWeek.
Salesforce says the extortion attempts are related to past or unsubstantiated incidents, and not to fresh intrusions.
The post Hackers Extorting Salesforce After Stealing Data From Dozens of Customers appeared first on SecurityWeek.
Using a seven-year-old vulnerability, researchers said they were able to realistically leak private data from public clouds, suggesting that a βlack of concernβ about such supposedly impractical attacks is misguided, according to a presentation delivered Monday.
The anonymous researchers presented their findings at a hacker conference, WHY2025, in the Netherlands, and they leaned on the kind of βtransient executionβ vulnerabilities that attracted attention in 2018 with high-profile Intel chip flaw revelations, one of which was known as Spectre.
βGiven that todayβs clouds have large fleets of older CPUs that lack comprehensive, in-silicon fixes to a variety of transient execution vulnerabilities, the question arises whether sufficient software-based defenses have been deployed to stop realistic attacks β especially those using older, supposedly mitigated vulnerabilities,β they wrote. The answer to that question is βno,β they concluded. βWe show that the practice of mitigating vulnerabilities in isolation, without removing the root cause, leaves systems vulnerable.β
The findings demonstrate that βmore than a theoretical possibility, this is a real-world threat in popular clouds,β they explained, unlike the Spectre vulnerability that hasnβt had much real-world applicability.Β
βFor regular users, these CPU vulnerabilities are likely not that much of a threat,β the researchers said. βHowever, that is not the case for public cloud providers. Their business model is to provide remote code execution as a service [emphasis theirs], and to rent out shared hardware resources as efficiently as possible.β
The researchers said they worked within dedicated host systems of Google Cloud and Amazon Web Services to avoid any actual harm. AWS was able to restrict leakage to non-sensitive host data. Google paid a more than $150,000 bounty, the highest its cloud vulnerability reward program has ever doled out.
Both companies have patched the exploit and plan future security steps.
βOur conclusion is not that AWSβs and Googleβs security was lacking, but that they are actively stimulating security improvements,β the researchers said.
The researchers dubbed the attack βL1TF Reloaded,β after another 2018 Intel chip data-stealing vulnerability.
In a blog post, Amazon β which noted that it sponsored a portion of the work β said the research was βimpressiveβ but that the L1TF Reloaded vulnerability does not impact the guest data of AWS customers running on the AWS Nitro System or Nitro Hypervisor.
A Google spokesperson pointed to a security bulletin the company issued.
βWhen this vulnerability was initially discovered, Google immediately implemented mitigations to address the known risks. Since then, we have collaborated with security researchers from academia to assess the current state of CPU security mitigations, and new attack techniques,β the spokesperson said. βWe applied new fixes to the affected assets, including Google Cloud, to mitigate the issue.β
While such vulnerabilities have previously caused little concern, the researchers wrote that βwe question this lack of concern and show not only that practical attacks on modern clouds are possible, but that they are possible with vulnerabilities we considered mitigated 7 years ago.β
The post Researchers determine old vulnerabilities pose real-world threat to sensitive data in public clouds appeared first on CyberScoop.
Login