
Weekly Security Update: DNS Blunders, New Command-and-Control Methods, and the Emergence of Authentic Scams

An internet event of notable magnitude took place in May but was only noticed on September 3rd, when user Youfu Zhang posted a security-related message to one of Mozilla's mailing lists.


In a series of recent findings, the cybersecurity landscape has been rattled by several notable incidents.

Firstly, Electron, a popular web framework, has addressed an issue related to heap snapshots. However, it seems that Chrome itself may still be vulnerable in certain cases. This highlights the ongoing need for vigilance in the world of software development.

Meanwhile, using CSS for data theft has its limitations. Although CSS now has statements and can trigger background downloads from remote sites, it has no string-carving functions, so a data thief must know exactly what they are looking for ahead of time. This may keep CSS from becoming a widely used data-theft tool.

In a high-profile example, three critical TLS certificates for the IP address 1.1.1.1, Cloudflare's public DNS resolver, were issued in May 2025 by an unspecified certificate authority without Cloudflare's knowledge or consent. Because Cloudflare never requested or authorized these certificates, their existence posed a significant security threat to Cloudflare users.

Researchers at Silent Signal have also found a critical vulnerability in the IBM i mainframe system. The exploit chains a replay attack with a command injection and was found to rely heavily on SQL.

On a more positive note, Trail of Bits is currently focusing on the application-integrity problem of running applications inside Electron and Chrome, specifically looking at heap snapshots.

Elsewhere, the cybersecurity community has seen the emergence of malware designed to take over webcams, similar to the classic spam emails threatening to do so. Interestingly, this malware is open source.

In another interesting development, a pre-print study indicates that persuasion techniques may work on Large Language Models (LLMs), suggesting that AI could be influenced in much the same way as humans.

In addition, the approach of using CSS for data theft is still being used in the wild. This underscores the importance of understanding the limitations of such techniques and staying vigilant against potential threats.

One such threat is the newly developed C2 tool called MeshC2, which uses Meshtastic to run commands on remote hosts. This tool, created by Eric Escobar from Sophos, is another example of the creative ways cybercriminals are finding to infiltrate systems.

In conclusion, while advancements in technology continue to push boundaries, it is crucial to remain vigilant against potential threats and to address vulnerabilities as they are discovered. Whether it's heap snapshots, TLS certificates, or even CSS, understanding these tools and their limitations is key to maintaining security in the digital age.
