News

Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Microsoft fixes zero-day exploited for cyber espionage (CVE-2025-33053) For June 2025 Patch Tuesday, Microsoft has fixed 66 new CVEs, including a zero-day exploited in the wild (CVE-2025-33053). Unpatched Wazuh servers targeted by Mirai botnets (CVE-2025-24016) Two Mirai botnets are exploiting a critical remote code execution vulnerability (CVE-2025-24016) in the open-source Wazuh XDR/SIEM platform, Akamai researchers have warned. Want fewer security … More →

The post Week in review: Microsoft fixes exploited zero-day, Mirai botnets target unpatched Wazuh servers appeared first on Help Net Security.

Summary

The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this advisory in response to ransomware actors leveraging unpatched instances of a vulnerability in SimpleHelp Remote Monitoring and Management (RMM) to compromise customers of a utility billing software provider. This incident reflects a broader pattern of ransomware actors targeting organizations through unpatched versions of SimpleHelp RMM since January 2025.

SimpleHelp versions 5.5.7 and earlier contain several vulnerabilities, including CVE-2024-57727—a path traversal vulnerability.¹ Ransomware actors likely leveraged CVE-2024-57727 to access downstream customers’ unpatched SimpleHelp RMM for disruption of services in double extortion compromises.¹ 

CISA added CVE-2024-57727 to its Known Exploited Vulnerabilities (KEV) Catalog on Feb. 13, 2025.

CISA urges software vendors, downstream customers, and end users to immediately implement the Mitigations listed in this advisory based on confirmed compromise or risk of compromise.

Download the PDF version of this report:

Mitigations

CISA "

Autosummary: Anthony Bradshaw, et. al., “DragonForce Actors Target SimpleHelp Vulnerabilities to Attack MSP, Customers,” Sophos News, May 27, 2025, https://news.sophos.com/en-us/2025/05/27/dragonforce-actors-target-simplehelp-vulnerabilities-to-attack-msp-customers/. 2. Additional details of interest include a targeted company point of contact, status and scope of infection, estimated loss, operational impact, transaction IDs, date of infection, date detected, initial attack vector, and host- and network-based indicators.Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favor by CISA. SimpleHelp Endpoints Determine if an endpoint is running the remote access (RAS) service by checking the following paths depending on the specific environment: Windows: %APPDATA%\JWrapper-Remote Access Linux: /opt/JWrapper-Remote Access MacOs: /Library/Application Support/JWrapper-Remote Access If RAS installation is present and running, open the serviceconfig.xml file in <file_path>/JWrapper-Remote Access/JWAppsSharedConfig/ to determine if the registered service is vulnerable. "

Paragon Graphite Spyware used a zero-day exploit to hack at least two journalists’ iPhones

Autosummary: Paragon Graphite Spyware used a zero-day exploit to hack at least two journalists’ iPhones Pierluigi Paganini June 12, 2025 June 12, 2025 Security researchers at Citizen Lab revealed that Paragon’s Graphite spyware can hack fully updated iPhones via zero-click attacks. On June 5, 2025, Italy’s intelligence oversight committee (COPASIR) confirmed the government used Paragon’s Graphite spyware to spy on Luca Casarini and Dr. Beppe Caccia, but couldn’t determine who targeted journalist Mr. Cancellato. "

Malware attack disguises itself as DeepSeek installer

Autosummary: "

OWASP Nettacker: Open-source scanner for recon and vulnerability assessment

Autosummary: Future plans include improvements in performance and multi-threading, an improved WebUI (including the introduction of a dashboard), a workflow feature, and integrations with other tools,” Stepanyan explained. Future plans and download “We are working on releasing the next version, 0.4.1, very soon, which will include the new custom wordlist feature and several new modules. "

Microsoft Patches 67 Vulnerabilities Including WEBDAV Zero-Day Exploited in the Wild

Autosummary: Other vulnerabilities of note include elevation of privilege flaws in Common Log File System Driver (CVE-2025-32713, CVSS score: 7.8), Windows Netlogon (CVE-2025-33070, CVSS score: 8.1), and Windows SMB Client (CVE-2025-33073, CVSS score: 8.8), as well as a critical unauthenticated RCE vulnerability in the Windows KDC Proxy Service (CVE-2025-33071, CVSS score: 8.1)." The company said it also observed the threat actor leveraging several previously undocumented tools such as the following - Credential Dumper, which targets an already-compromised Domain Controller to steal Active Directory and Domain Controller credential-related files Passive backdoor, which listens for incoming requests and executes shellcode payloads Keylogger, a custom C++ tool that records all keystrokes and writes them to a file under "C:/windows/temp/~TN%LogName%.tmp" The keylogger notably lacks any C2 mechanism, meaning that it likely works in conjunction with another component that can exfiltrate the file to the attackers. Microsoft, however, is not affected by CVE-2025-4275 (aka Hydroph0bia), another Secure Boot bypass vulnerability present in an InsydeH2O UEFI application that allows digital certificate injection through an unprotected NVRAM variable ("SecureFlashCertData"), resulting in arbitrary code execution at the firmware level. "

Microsoft fixes zero-day exploited for cyber espionage (CVE-2025-33053)

Autosummary: Among the vulnerabilities that are more likely to be exploited are: CVE-2025-33070, a Windows Netlogon that could allow attackers to gain domain administrator privileges by sending a specially crafted authentication requests to the domain controller CVE-2025-47162, CVE-2025-47164 and CVE-2025-47167 – RCE flaws in Microsoft Office (that have yet to be fixed in Microsoft 365 Apps for Enterprise) CVE-2025-32717, a Microsoft Word RCE vulnerability that could be exploited via a malicious RTF file, which the victim would open or just view in the preview pane CVE-2025-33071, a use after free flaw in Windows KDC Proxy Service (KPSSVC), which could allow an unauthenticated attacker to execute code over a network. "

INTERPOL Dismantles 20,000+ Malicious IPs Linked to 69 Malware Variants in Operation Secure

Autosummary: Countries involved in Operation Secure include Brunei, Cambodia, Fiji, Hong Kong (China), India, Indonesia, Japan, Kazakhstan, Kiribati, Laos, Macau (China), Malaysia, Maldives, Nauru, Nepal, Papua New Guinea, Philippines, Samoa, Singapore, Solomon Islands, South Korea, Sri Lanka, Thailand, Timor-Leste, Tonga, Vanuatu, and Vietnam. "

Over 80,000 servers hit as Roundcube RCE bug gets rapidly exploited

Autosummary: Firsov estimates that the flaw impacts over 53 million hosts (and tools like cPanel, Plesk, ISPConfig, DirectAdmin, etc.), he said that details and PoC will be published soon. "

Hackers exploited Windows WebDav zero-day to drop malware

Autosummary: The loader then drops the primary payload, "Horus Agent," a custom C++ Mythic C2 implant that supports command execution for system fingerprinting, config changes, shellcode injection, and file operations. "

Operation Secure disrupts global infostealer malware operations

Autosummary: The results of Operation Secure are significant, resulting in: Over 20,000 malicious IPs/domains linked to infostealers were taken down 41 servers supporting info-stealers operations were seized 32 suspects were arrested 100 GB of data was confiscated 216,000 victims were notified The authorities also identified a large cluster of 117 servers in Hong Kong that were used as command-and-control (C2) infrastructure for phishing, online fraud, and social media scam operations. "

CISA Adds Erlang SSH and Roundcube Flaws to Known Exploited Vulnerabilities Catalog

Autosummary: But because the endpoint checks for a valid token linked to a hard-coded email address ("commerce.pro@payu[.]in") and there exists another REST API to generate an authentication token for a given email ("/payu/v1/generate-user-token"), an attacker could exploit this behavior to obtain the token corresponding to "commerce.pro@payu[.]in" and send a request to "/payu/v1/get-shipping-cost" to hijack any account. "

44% of people encounter a mobile scam every single day, Malwarebytes finds

Autosummary: With the launch of our free, AI-powered digital safety companion Scam Guard, users can review any concerning text, email, phone number, link, image, or online message and receive on the spot guidance to avert and report scams.By surveying 1,300 people over the age of 18 in the US, UK, Austria, Germany, and Switzerland, Malwarebytes can reveal a mobile reality full of tension: high concern, low action, and increasingly blurred lines between what’s safe and what’s not. "

Google bug allowed phone number of almost any user to be discovered

Autosummary: Nonetheless, a weakness allowing an attacker to trace phone numbers to Google accounts like this creates a massive risk for phishing and SIM-swapping attacks—especially since the majority of users will have their primary phone number as their account recovery number. "

Mirai botnets exploit Wazuh RCE, Akamai warned

Autosummary: Mirai botnets exploit Wazuh RCE, Akamai warned Pierluigi Paganini June 10, 2025 June 10, 2025 Mirai botnets are exploiting CVE-2025-24016, a critical remote code execution flaw in Wazuh servers, Akamai warned.The botnet also exploited other vulnerabilities, including Hadoop YARN, TP-Link AX21, and ZTE routers, using dynamic infrastructure to evade detection and spread rapidly. "

FIN6 Uses AWS-Hosted Fake Resumes on LinkedIn to Deliver More_eggs Malware

Autosummary: One of the malware"s known customers is FIN6 (aka Camouflage Tempest, Gold Franklin, ITG08, Skeleton Spider, and TA4557), an e-crime crew that originally targeted point-of-sale (PoS) systems in the hospitality and retail sectors to steal payment card details and profit off them. "

Rust-based Myth Stealer Malware Spread via Fake Gaming Sites Targets Chrome, Firefox Users

Autosummary: The findings also follow a report from Positive Technologies that multiple threat actors, including TA558, Blind Eagle, Aggah (aka Hagga), PhaseShifters (aka Angry Likho, Sticky Werewolf, and UAC-0050), UAC-0050, and PhantomControl, are using a crypter-as-a-service offering called Crypters And Tools to obfuscate files like Ande Loader.It"s equipped to steal passwords, cookies, and autofill information from both Chromium- and Gecko-based browsers, such as Google Chrome, Microsoft Edge, Brave, Opera, Vivaldi, and Mozilla Firefox. "

U.S. CISA adds RoundCube Webmail and Erlang Erlang/OTP SSH server flaws to its Known Exploited Vulnerabilities catalog

Autosummary: Below are the descriptions for these flaws: CVE-2025-32433 (CVSS score of 10) Erlang Erlang/OTP SSH Server Missing Authentication for Critical Function Vulnerability (CVSS score of 10) Erlang Erlang/OTP SSH Server Missing Authentication for Critical Function Vulnerability CVE-2024-42009 (CVSS score of 9.3) RoundCube Webmail Cross-Site Scripting Vulnerability The CVE-2025-32433 flaw is a critical issue that impacts older versions of Erlang/OTP, a toolkit used with the Erlang programming language. "

New Secure Boot flaw lets attackers install bootkit malware, patch now

Autosummary: "During the triage process, Microsoft determined that the issue did not aect just a single module as initially believed, but actually 14 dierent modules," explains Binarly. "

Microsoft June 2025 Patch Tuesday fixes exploited zero-day, 66 flaws

Autosummary: Tag CVE ID CVE Title Severity .NET and Visual Studio CVE-2025-30399 .NET and Visual Studio Remote Code Execution Vulnerability Important App Control for Business (WDAC) CVE-2025-33069 Windows App Control for Business Security Feature Bypass Vulnerability Important Microsoft AutoUpdate (MAU) CVE-2025-47968 Microsoft AutoUpdate (MAU) Elevation of Privilege Vulnerability Important Microsoft Local Security Authority Server (lsasrv) CVE-2025-33056 Windows Local Security Authority (LSA) Denial of Service Vulnerability Important Microsoft Office CVE-2025-47164 Microsoft Office Remote Code Execution Vulnerability Critical Microsoft Office CVE-2025-47167 Microsoft Office Remote Code Execution Vulnerability Critical Microsoft Office CVE-2025-47162 Microsoft Office Remote Code Execution Vulnerability Critical Microsoft Office CVE-2025-47173 Microsoft Office Remote Code Execution Vulnerability Important Microsoft Office CVE-2025-47953 Microsoft Office Remote Code Execution Vulnerability Critical Microsoft Office Excel CVE-2025-47165 Microsoft Excel Remote Code Execution Vulnerability Important Microsoft Office Excel CVE-2025-47174 Microsoft Excel Remote Code Execution Vulnerability Important Microsoft Office Outlook CVE-2025-47171 Microsoft Outlook Remote Code Execution Vulnerability Important Microsoft Office Outlook CVE-2025-47176 Microsoft Outlook Remote Code Execution Vulnerability Important Microsoft Office PowerPoint CVE-2025-47175 Microsoft PowerPoint Remote Code Execution Vulnerability Important Microsoft Office SharePoint CVE-2025-47172 Microsoft SharePoint Server Remote Code Execution Vulnerability Critical Microsoft Office SharePoint CVE-2025-47166 Microsoft SharePoint Server Remote Code Execution Vulnerability Important Microsoft Office SharePoint CVE-2025-47163 Microsoft SharePoint Server Remote Code Execution Vulnerability Important Microsoft Office Word CVE-2025-47170 Microsoft Word Remote Code Execution Vulnerability Important Microsoft Office Word CVE-2025-47957 Microsoft Word Remote Code Execution Vulnerability Important Microsoft Office Word CVE-2025-47169 Microsoft Word Remote Code Execution Vulnerability Important Microsoft Office Word CVE-2025-47168 Microsoft Word Remote Code Execution Vulnerability Important Nuance Digital Engagement Platform CVE-2025-47977 Nuance Digital Engagement PlatformWindows Shortcut Files Security Feature Bypass Vulnerability Important Windows SMB CVE-2025-33073 Windows SMB Client Elevation of Privilege Vulnerability Important Windows SMB CVE-2025-32718 Windows SMB Client Elevation of Privilege Vulnerability Important Windows Standards-Based Storage Management Service CVE-2025-33068 Windows Standards-Based Storage Management Service Denial of Service Vulnerability Important Windows Storage Management Provider CVE-2025-32719 Windows Storage Management Provider Information Disclosure Vulnerability Important Windows Storage Management Provider CVE-2025-24065 Windows Storage Management Provider Information Disclosure Vulnerability Important Windows Storage Management Provider CVE-2025-24068 Windows Storage Management Provider Information Disclosure Vulnerability Important Windows Storage Management Provider CVE-2025-33055 Windows Storage Management Provider Information Disclosure Vulnerability Important Windows Storage Management Provider CVE-2025-24069 Windows Storage Management Provider Information Disclosure Vulnerability Important Windows Storage Management Provider CVE-2025-33060 Windows Storage Management Provider Information Disclosure Vulnerability Important Windows Storage Management Provider CVE-2025-33059 Windows Storage Management Provider Information Disclosure Vulnerability Important Windows Storage Management Provider CVE-2025-33062 Windows Storage Management Provider Information Disclosure Vulnerability Important Windows Storage Management Provider CVE-2025-33061 Windows Storage Management Provider Information Disclosure Vulnerability Important Windows Storage Management Provider CVE-2025-33058 Windows Storage Management Provider Information Disclosure Vulnerability Important Windows Storage Management Provider CVE-2025-32720 Windows Storage Management Provider Information Disclosure Vulnerability Important Windows Storage Management Provider CVE-2025-33065 Windows Storage Management Provider Information Disclosure Vulnerability Important Windows Storage Management Provider CVE-2025-33063 Windows Storage Management Provider Information Disclosure Vulnerability Important Windows Storage Port Driver CVE-2025-32722 Windows Storage Port Driver Information Disclosure Vulnerability Important Windows Win32K - GRFX CVE-2025-32712 Win32k Elevation of Privilege Vulnerability Important "

SAP June 2025 Security Patch Day fixed critical NetWeaver bug

Autosummary: "

DanaBot malware operators exposed via C2 bug added in 2022

Autosummary: "

New Mirai botnet targets TBK DVRs by exploiting CVE-2024-3721

Autosummary: New Mirai botnet targets TBK DVRs by exploiting CVE-2024-3721 Pierluigi Paganini June 09, 2025 June 09, 2025 A new variant of the Mirai botnet exploits CVE-2024-3721 to target DVR systems, using a new infection method. "

Sensata Technologies says personal data stolen by ransomware gang

Autosummary: "

Two Distinct Botnets Exploit Wazuh Server Vulnerability to Launch Mirai-Based Attacks

Autosummary: The disclosure comes as China, India, Taiwan, Singapore, Japan, Malaysia, Hong Kong, Indonesia, South Korea, and Bangladesh have emerged as the most targeted countries in the APAC region in the first quarter of 2025, according to statistics shared by StormWall." Besides attempting to spread via FTP over port 21 and conducting telnet scanning, the botnet has been found to leverage a wide range of exploits targeting Huawei HG532 router (CVE-2017-17215), Realtek SDK (CVE-2014-8361), and TrueOnline ZyXEL P660HN-T v1 router (CVE-2017-18368). "

Over 84,000 Roundcube instances vulnerable to actively exploited flaw

Autosummary: "

Google patched bug leaking phone numbers tied to accounts

Autosummary: Time to brute-force phone numbers Source: BruteCat To start an attack against someone, their email address is required for the form, but Google has set this to hidden since last year. "

Week in review: Google fixes exploited Chrome zero-day, Patch Tuesday forecast

Autosummary: New infosec products of the week: June 6, 2025 Here’s a look at the most interesting products from the past week, featuring releases from Akamai, AttackIQ, Barracuda Networks, Bitdefender, Fortinet, Malwarebytes, and Varonis. Bankers Association’s attack on cybersecurity transparency A coalition of banking industry associations, including SIFA, the American Bankers Association (ABA), Bank Policy Institute (BPI), and several other lobbying groups have made a disgraceful appeal to the SEC to eliminate the rule requiring public disclosure of material cybersecurity incidents within four days of detection. Rethinking governance in a decentralized identity world Decentralized identity (DID) is gaining traction, and for CISOs, it’s becoming a part of long-term planning around data protection, privacy, and control. "

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 48

Autosummary: "

New Supply Chain Malware Operation Hits npm and PyPI Ecosystems, Targeting Millions Globally

Autosummary: (54 Downloads) @react-native-aria/overlay version 0.3.16 (751 Downloads) @react-native-aria/radio version 0.2.14 (570 Downloads) @react-native-aria/slider version 0.2.13 (264 Downloads) @react-native-aria/switch version 0.2.5 (56 Downloads) @react-native-aria/tabs version 0.2.14 (170 Downloads) @react-native-aria/toggle version 0.2.12 (589 Downloads) @react-native-aria/utils version 0.2.13 (341 Downloads) Furthermore, the malicious code injected into the packages is similar to the remote access trojan that was delivered following the compromise of another npm package "rand-user-agent" last month, indicating that the same threat actors could be behind the activity. The list of the impacted packages and the affected versions is below - @gluestack-ui/utils version 0.1.16 (101 Downloads) @gluestack-ui/utils version 0.1.17 (176 Downloads) @react-native-aria/button version 0.2.11 (174 Downloads) @react-native-aria/checkbox version 0.2.11 (577 Downloads) @react-native-aria/combobox version 0.2.8 (167 Downloads) @react-native-aria/disclosure version 0.2.9 (N/A) "

Malware found in NPM packages with 1 million weekly downloads

Autosummary: 22,000 @react-native-aria/overlays 0.3.16 96,000 @react-native-aria/radio 0.2.14 78,000 @react-native-aria/switch 0.2.5 477 @react-native-aria/toggle 0.2.12 81,000 @react-native-aria/utils "

AI becomes key player in enterprise ransomware defense

Autosummary: At the same time, defenders are increasingly relying on AI to detect and respond to threats faster, with 90% of organizations now using AI in their ransomware defense strategies – primarily within Security Operations Centres (64%), for analysing Indicators of Compromise (62%), and to prevent phishing (51%). "

Ransomware and USB attacks are hammering OT systems

Autosummary: Ransomware, trojans, and malware delivered through USB devices are putting growing pressure on industrial systems, according to the Honeywell 2025 Cyber Threat Report, which draws on data from monitoring tools deployed across industrial sites around the world.The rate at which the Industrials innovates has not kept in lock step and because of this, threat actors can easily repurpose known exploits and easily target industrial customers knowing that these facilities and equipment are 10 to 20 years old and patching schedules are typically sub par,” Paul Smith, director of Honeywell OT Cybersecurity Engineering, told Help Net Security.Worms like W32.Ramnit, a credential-stealing trojan originally tied to banking fraud, showed up in industrial networks with a 3,000 percent increase in detections. "

Play ransomware group hit 900 organizations since 2022

Autosummary: “The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) are releasing this joint advisory to disseminate the Play ransomware group’s IOCs and TTPs identified through FBI investigations as recently as January 2025.” reads the advisory. "

New PathWiper Data Wiper Malware Disrupts Ukrainian Critical Infrastructure in 2025 Attack

Autosummary: Some of the other activities carried out by the threat actor are listed below - Setting up persistence using scheduled tasks Assigning malicious component names similar to system or well-known executable files to evade detection Extracting the Active Directory database using ntdsutil Running various commands to collect information about Telegram, running processes, current users, remote RDP sessions, and antivirus software installed on the endpoints Using RDP and SSH protocols to perform lateral movement within Windows and Linux infrastructures Dropping legitimate remote access software like AnyDesk for command-and-control "The BO Team group poses a significant threat to Russian organizations due to its unconventional approach to conducting attacks," Kaspersky said. Specifically, it targets: Master Boot Record (MBR), $MFT, $MFTMirr, $LogFile, $Boot, $Bitmap, $TxfLog, $Tops, and $AttrDef. Pro-Ukrainian Hacktivist Group BO Team Targets Russia In recent months, Russian state-owned companies and organizations spanning technology, telecommunications, and production verticals are also said to have come under cyber assaults from a pro-Ukrainian hacktivist group codenamed BO Team (aka Black Owl, Hoody Hyena, and Lifting Zmiy). "

U.S. Offers $10M bounty for info on RedLine malware creator and state hackers

Autosummary: Australian Federal Police The Netherlands : National Police, Team Cybercrime Limburg, Public Prosecution Service : National Police, Team Cybercrime Limburg, Public Prosecution Service United States : Federal Bureau of Investigation; Naval Criminal Investigative Service; Internal Revenue Service Criminal Investigations; Department of Defense Criminal Investigative Service; Army Criminal Investigation Division : Federal Bureau of Investigation; Naval Criminal Investigative Service; Internal Revenue Service Criminal Investigations; Department of Defense Criminal Investigative Service; Army Criminal Investigation Division Belgium : Federal Prosecutor’s Office; Federal Police : Federal Prosecutor’s Office; Federal Police Portugal : Polícia Judiciária : Polícia Judiciária United Kingdom: National Crime Agency Cybersecurity firm ESET also supported international law enforcement operations. “Anyone with information on foreign government linked associates of Rudometov, or their malicious cyber activities, or foreign government-linked use of RedLine malware, should contact Rewards for Justice via the Tor-based tips-reporting channel at: he5dybnt7sr6cm32xt77pazmtm65flqy6irivtflruqfc5ep7eiodiad.onion (Tor browser required).” continues the announcement.U.S. Offers $10M bounty for info on RedLine malware creator and state hackers Pierluigi Paganini June 06, 2025 June 06, 2025 The U.S. offers up to $10M for info on state hackers linked to RedLine malware and its creator, Maxim Rudometov, tied to attacks on U.S. infrastructure. "

Kettering Health confirms Interlock ransomware behind cyberattack

Autosummary: "

New PathWiper data wiper malware hits critical infrastructure in Ukraine

Autosummary: This includes wipers named DoubleZero, CaddyWiper, HermeticWiper, IsaacWiper, WhisperKill, WhisperGate, and AcidRain. "

Critical Fortinet flaws now exploited in Qilin ransomware attacks

Autosummary: For instance, in February, Fortinet disclosed that the Chinese Volt Typhoon hacking group used two FortiOS SSL VPN flaws (CVE-2022-42475 and CVE-2023-27997) to deploy the Coathanger custom remote access trojan (RAT) malware, which had been previously used to backdoor a Dutch Ministry of Defence military network. "

Marks & Spencer’s ransomware nightmare – more details emerge

Autosummary: "

Tax resolution firm Optima Tax Relief hit by ransomware, data leaked

Autosummary: "

New Atomic macOS Stealer Campaign Exploits ClickFix to Target Apple Users

Autosummary: However, when the user clicks the "I am human" checkbox for evaluation, they are displayed an error message stating "CAPTCHA verification failed," urging them to click a button to go ahead with an "Alternative Verification. "

Attackers exploit Fortinet flaws to deploy Qilin ransomware

Autosummary: However, Mora_001 is tracked as an independent threat actor, it exhibits consistent post-exploitation tactics, including identical usernames across victims, overlapping IPs, and rapid ransomware deployment within 48 hours. "

Interlock ransomware claims Kettering Health breach, leaks stolen data

Autosummary: "

US offers $10M for tips on state hackers tied to RedLine malware

Autosummary: "

Ransomware hiding in fake AI, business tools

Autosummary: This method, called “SEO poisoning,” is deployed by scammers, hackers, and shady websites. "

Iran-Linked BladedFeline Hits Iraqi and Kurdish Targets with Whisper and Spearal Malware

Autosummary: Then last November, the cybersecurity firm said it observed the hacking crew orchestrating attacks against Iran"s neighbors, particularly regional and government entities in Iraq and diplomatic envoys from Iraq to various countries, using bespoke backdoors like Whisper (aka Veaty), Spearal, and Optimizer. "

Hacker selling critical Roundcube webmail exploit as tech info disclosed

Autosummary: “Given the active exploitation and evidence of the exploit being sold in underground forums, I believe it is in the best interest of defenders, blue teams, and the broader security community to publish a full technical breakdown but without complete PoC for now” - Kirill Firsov At the root of the security problem is the lack of sanitization of the $_GET["_from"] parameter, which leads to PHP Object deserialization. "

FBI: BADBOX 2.0 Android malware infects millions of consumer devices

Autosummary: Devices connected to the BADBOX 2.0 operation included lower-price-point, "off brand", uncertified tablets, connected TV (CTV) boxes, digital projectors, and more," explains HUMAN. BADBOX 2.0 Global Distribution Source: HUMAN Satori In a joint operation led by HUMAN"s Satori team and Google, Trend Micro, The Shadowserver Foundation, and other partners, the BADBOX 2.0 botnet was disrupted again to prevent over 500,000 infected devices from communicating with the attacker"s servers. "

U.S. CISA adds Google Chromium V8 flaw to its Known Exploited Vulnerabilities catalog

Autosummary: "

How to build a robust Windows service to block malware and ransomware

Autosummary: Process and File System Monitoring This component focuses on monitoring the system’s processes and file system activities: Process Monitoring: Tracks the creation, modification, and termination of processes. Architectural Overview of a Robust Security Service A robust security service typically comprises several components working together: Monitoring Engine: Continuously observes system activities such as process execution, file access, and network connections. Key Design Principles for Security Services When designing a security-focused Windows Service, several principles are essential to ensure effectiveness and reliability: Minimal Attack Surface: Design the service with the least privilege principle, granting it only the permissions necessary to perform its tasks. By integrating real-time monitoring, process and file system analysis, and network activity monitoring, the Windows Service can provide comprehensive protection against various threats. Network Activity Analysis Monitoring network activity is essential for identifying potential threats that rely on communication with external servers or other infected devices: Outbound Connections: Watches for unauthorized or unusual outbound connections, which could indicate data exfiltration or communication with a command-and-control server. "

TXOne Networks unveils intelligent vulnerability mitigation capability

Autosummary: The TXOne Networks solution implements a rigorous, three-phase approach to risk-based vulnerability management: Assess —TXOne SageOne pulls deep, OS-level vulnerability and configuration data—augmented by real-time threat intelligence—to build an accurate, context-rich view of every CPS asset’s true risk exposure. "

HPE Issues Security Patch for StoreOnce Bug Allowing Remote Authentication Bypass

Autosummary: "

Google fixes Chrome zero-day with in-the-wild exploit (CVE-2025-5419)

Autosummary: "

Roundcube Webmail under fire: critical exploit found after a decade

Autosummary: Roundcube Webmail under fire: critical exploit found after a decade Pierluigi Paganini June 04, 2025 June 04, 2025 A critical flaw in Roundcube webmail, undetected for 10 years, allows attackers to take over systems and execute arbitrary code. "

U.S. CISA adds Multiple Qualcomm chipsets flaws to its Known Exploited Vulnerabilities catalog

Autosummary: CVE-2025-21479 Qualcomm Multiple Chipsets Incorrect Authorization Vulnerability CVE-2025-21480 Qualcomm Multiple Chipsets Incorrect Authorization Vulnerability CVE-2025-27038 Qualcomm Multiple Chipsets Use-After-Free Vulnerability This week, Qualcomm addressed the above zero-day vulnerabilities that, according to the company, have been exploited in limited, targeted attacks in the wild. "

Google fixes another actively exploited vulnerability in Chrome, so update now!

Autosummary: This Chrome update also patches a medium-severity, use-after-free flaw (CVE-2025-5068) in the open-source rendering engine Blink and one internally discovered vulnerability. "

Chaos RAT Malware Targets Windows and Linux via Fake Network Tool Downloads

Autosummary: Once installed, the malware connects to an external server and awaits commands that allow it to launch reverse shells, upload/download/delete files, enumerate files and directories, take screenshots, gather system information, lock/restart/shutdown the machine, and open arbitrary URLs. "

FBI: Play ransomware breached 900 victims, including critical orgs

Autosummary: Previous high-profile Play ransomware victims include cloud computing company Rackspace, the City of Oakland in California, Dallas County, car retailer giant Arnold Clark, the Belgian city of Antwerp, and, more recently, doughnut chain Krispy Kreme and American semiconductor supplier Microchip Technology. "

Cisco warns of ISE and CCP flaws with public exploit code

Autosummary: "A vulnerability in Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI) cloud deployments of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to access sensitive data, execute limited administrative operations, modify system configurations, or disrupt services within the impacted systems," the company explained. "

New Chrome Zero-Day Actively Exploited; Google Issues Emergency Out-of-Band Patch

Autosummary: "

Google patches new Chrome zero-day bug exploited in attacks

Autosummary: "

Android malware Crocodilus adds fake contacts to spoof trusted callers

Autosummary: JS snippet to create a new contact on the device Source: Threat Fabric "Upon receiving the command "TRU9MMRHBCRO", Crocodilus adds a specified contact to the victim"s contact list," explains Threat Fabric in the report. "

Android Trojan Crocodilus Now Active in 8 Countries, Targeting Banks and Crypto Wallets

Autosummary: The malware, according to a new report published by ThreatFabric, has also adopted improved obfuscation techniques to hinder analysis and detection, and includes the ability to create new contacts in the victim"s contacts list. "

Google fixed the second actively exploited Chrome zero-day since the start of the year

Autosummary: Google fixed the second actively exploited Chrome zero-day since the start of the year Pierluigi Paganini June 03, 2025 June 03, 2025 Google addressed three vulnerabilities in its Chrome browser, including one that it actively exploited in attacks in the wild. "

CISA warns of ConnectWise ScreenConnect bug exploited in attacks

Autosummary: "

Scammers are constantly changing the game, but so are we. Introducing Malwarebytes Scam Guard

Autosummary: Comprehensive scam detection: Scam Guard is trained to recognize various scams, including romance, phishing, financial fraud, text, robocall, and shipping fraud, helping you stay ahead of cybercriminals at all times. "

Malwarebytes Scam Guard spots and avoids potential scams

Autosummary: Scam Guard is trained to recognize various scams, including romance, phishing, financial fraud, text, robocall and shipping fraud, helping users stay ahead of cybercriminals at all times. "

Critical 10-Year-Old Roundcube Webmail Bug Allows Authenticated Users Run Malicious Code

Autosummary: "

Android banking trojan Crocodilus rapidly evolves and goes global

Autosummary: Meanwhile, smaller campaigns show a broader, global focus, impersonating apps from countries like Argentina, Brazil, the U.S., Indonesia, and India. "

U.S. CISA adds ASUS RT-AX55 devices, Craft CMS, and ConnectWise ScreenConnect flaws to its Known Exploited Vulnerabilities catalog

Autosummary: Below are the descriptions for these flaws: CVE-2021-32030 ASUS Routers Improper Authentication Vulnerability CVE-2023-39780 ASUS RT-AX55 Routers OS Command Injection Vulnerability CVE-2024-56145 Craft CMS Code Injection Vulnerability CVE-2025-3935 ConnectWise ScreenConnect Improper Authentication Vulnerability CVE-2025-35939 Craft CMS External Control of Assumed-Immutable Web Parameter Vulnerability Last week, ConnectWise revealed it had detected suspicious activity linked to an advanced nation-state actor. "

Qualcomm fixes three Adreno GPU zero-days exploited in attacks

Autosummary: "

⚡ Weekly Recap: APT Intrusions, AI Malware, Zero-Click Exploits, Browser Hijacks and More

Autosummary: This week"s list includes — CVE-2025-3935 (ConnectWise ScreenConnect), CVE-2025-47577 (TI WooCommerce Wishlist plugin), CVE-2025-2760, CVE-2025-2761 (GIMP), CVE-2025-0072 (Arm Mali GPU), CVE-2025-27462, CVE-2025-27463, CVE-2025-27464 (Citrix XenServer VM Tools for Windows), CVE-2025-4793 (PHPGurukul Online Course Registration), CVE-2025-47933 (Argo CD), CVE-2025-46701 (Apache Tomcat CGI servlet), CVE-2025-48057 (Icinga 2), CVE-2025-48827, CVE-2025-48828 (vBulletin), CVE-2025-41438, CVE-2025-46352 (Consilium Safety CS5000 Fire Panel), CVE-2025-1907 (Instantel Micromate), CVE-2025-26383 (Johnson Controls iSTAR Configuration Utility), CVE-2018-1285 (Rockwell Automation FactoryTalk Historian ThingWorx), CVE-2025-26147 (Denodo Scheduler), CVE-2025-24916, and CVE-2025-24917 (Tenable Network Monitor).According to Dawn, among those arrested included Rameez Shahzad (aka Saim Raza), the alleged ringleader of the criminal enterprise, as well as Muhammad Aslam (Rameez"s father), Atif Hussain, Muhammad Umar Irshad, Yasir Ali, Syed Saim Ali Shah, Muhammad Nowsherwan, Burhanul Haq, Adnan Munawar, Abdul Moiz, Hussnain Haider, Bilal Ahmad, Dilbar Hussain, Muhammad Adeel Akram, Awais Rasool, Usama Farooq, Usama Mehmood and Hamad Nawaz.According to Dawn, among those arrested included Rameez Shahzad (aka Saim Raza), the alleged ringleader of the criminal enterprise, as well as Muhammad Aslam (Rameez"s father), Atif Hussain, Muhammad Umar Irshad, Yasir Ali, Syed Saim Ali Shah, Muhammad Nowsherwan, Burhanul Haq, Adnan Munawar, Abdul Moiz, Hussnain Haider, Bilal Ahmad, Dilbar Hussain, Muhammad Adeel Akram, Awais Rasool, Usama Farooq, Usama Mehmood and Hamad Nawaz.The hacking group, which overlaps with REF0657, STAC6451, and CL-STA-0048, makes use of various flaws in internet-exposed servers, including the recently disclosed SAP NetWeaver vulnerability, to obtain initial access, drop web shells, and deploy post-exploitation tools like Cobalt Strike, VShell, and Brute Ratel C4.The hacking group, which overlaps with REF0657, STAC6451, and CL-STA-0048, makes use of various flaws in internet-exposed servers, including the recently disclosed SAP NetWeaver vulnerability, to obtain initial access, drop web shells, and deploy post-exploitation tools like Cobalt Strike, VShell, and Brute Ratel C4.New versions of the malware have been found to improve upon their data exfiltration and remote-control functionality, in addition to refining its obfuscation methods, adding features, switching between encryption algorithms, shifting targets, setting itself as the default messaging app to harvest one-time passwords (OTPs), and modifying social engineering techniques to boost infection rates.New versions of the malware have been found to improve upon their data exfiltration and remote-control functionality, in addition to refining its obfuscation methods, adding features, switching between encryption algorithms, shifting targets, setting itself as the default messaging app to harvest one-time passwords (OTPs), and modifying social engineering techniques to boost infection rates.It supports Cobalt Strike, Mythic, and phishing setups across AWS, Azure, and DigitalOcean—handling config generation, provisioning, and teardown through repeatable, secure workflows.Stalkerware Apps Spyzie, Cocospy, and Spyic Go Offline — Three "near-identical but differently branded" stalkerware apps, Cocospy, Spyic, and Spyzie, have gone dark and the websites advertising them have disappeared." — Earlier this year, Lovable, the popular vibe coding app, was found to be susceptible to VibeScamming, enabling anyone to create perfect scam pages, host them, and even set up admin dashboards to track stolen data.Security Flaw in Lovable Allows Access to Sensitive Data — Earlier this year, Lovable, the popular vibe coding app, was found to be susceptible to VibeScamming, enabling anyone to create perfect scam pages, host them, and even set up admin dashboards to track stolen data."The admins did not provide the security they promised," officials said in a notice, stating they have also confiscated a database containing usernames, email addresses, payment information, and more."The admins did not provide the security they promised," officials said in a notice, stating they have also confiscated a database containing usernames, email addresses, payment information, and more.UTG-Q-015 Targets Government and Enterprise Websites — A threat actor called UTG-Q-015 has been observed leveraging N-day security flaws (CVE-2021-38647, CVE-2017-9805, and CVE-2017-12611) to infiltrate government and enterprise websites in March 2025, as well as single out blockchain websites and financial institutions using puddle mounting and instant messaging phishing tactics to deliver backdoors and other malicious payloads.Characterized as a pro-Palestinian threat group along the lines of Handala, Cyber Toufan has claimed responsibility for over 100 breaches across sectors including government, defense, finance, and critical infrastructure, OP Innovate said. — A threat actor called UTG-Q-015 has been observed leveraging N-day security flaws (CVE-2021-38647, CVE-2017-9805, and CVE-2017-12611) to infiltrate government and enterprise websites in March 2025, as well as single out blockchain websites and financial institutions using puddle mounting and instant messaging phishing tactics to deliver backdoors and other malicious payloads.U.S. Government Employee Arrested for Allegedly Trying to Leak Secrets to Foreign Government — Nathan Vilas Laatsch, a 28-year-old IT specialist employed by the Defense Intelligence Agency (DIA), was arrested on May 29, 2025, for allegedly attempting to transmit national defense information to an officer or agent of a foreign government. — Cybersecurity researchers have detailed a new Android malware called GhostSpy that enables keylogging, screen capture, background audio and video recording, SMS and call log theft, GPS location tracking, and remote command execution.New Android Malware GhostSpy Emerges — Cybersecurity researchers have detailed a new Android malware called GhostSpy that enables keylogging, screen capture, background audio and video recording, SMS and call log theft, GPS location tracking, and remote command execution. — Nathan Vilas Laatsch, a 28-year-old IT specialist employed by the Defense Intelligence Agency (DIA), was arrested on May 29, 2025, for allegedly attempting to transmit national defense information to an officer or agent of a foreign government. — Three "near-identical but differently branded" stalkerware apps, Cocospy, Spyic, and Spyzie, have gone dark and the websites advertising them have disappeared. "

Cryptojacking Campaign Exploits DevOps APIs Using Off-the-Shelf Tools from GitHub

Autosummary: " The Python code, Sysdig said, is designed to download and execute cryptocurrency miners like T-Rex and XMRig, creates a systemd service for persistence, and utilizes a Discord webhook for command-and-control (C2). HashiCorp Consul, likewise, could pave the way for arbitrary code execution if the system is not properly configured and it permits any user with remote access to the server to register services and define health checks, which, in turn, can include a bash command that will be executed by the registered agent. "

Qualcomm Fixes 3 Zero-Days Used in Targeted Android Attacks via Adreno GPU

Autosummary: "

Qualcomm fixed three zero-days exploited in limited, targeted attacks

Autosummary: Qualcomm fixed three zero-days exploited in limited, targeted attacks Pierluigi Paganini June 02, 2025 June 02, 2025 Qualcomm addressed three zero-day vulnerabilities that, according to the company, have been exploited in limited, targeted attacks in the wild. "

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 47

Autosummary: "

Exploit details for max severity Cisco IOS XE flaw now public

Autosummary: "

Interlock ransomware: what you need to know

Autosummary: In October last year, the US Government warned internet users to be vigilant of the ClickFix threat, giving the example of websites that impersonated Google, Facebook, reCAPTCHA, and others.Yes, as is so normal with cyber attacks these days, the malicious hackers will leave an extortion note on your system - telling you that you will need to pay a ransom for the decryption key that will unlock the encrypted files, and also to prevent the files from being published on the dark web. using hard-to-crack unique passwords to protect sensitive data and accounts, as well as enabling multi-factor authentication. "

China-Linked Hackers Exploit SAP and SQL Server Flaws in Attacks Across Asia and Brazil

Autosummary: remote code execution vulnerability CVE-2021-22205 - GitLab remote code execution vulnerability CVE-2024-9047 - WordPress File Upload plugin arbitrary file access vulnerability CVE-2024-27198 - JetBrains TeamCity authentication bypass vulnerability CVE-2024-27199 - JetBrains TeamCity path traversal vulnerability CVE-2024-51378 - CyberPanel remote code execution vulnerability CVE-2024-51567 - CyberPanel remote code execution vulnerability CVE-2024-56145 - Craft CMS remote code execution vulnerability Describing it as "highly active," Trend Micro noted that the threat actor has shifted its focus from financial services to logistics and online retail, and most recently, to IT companies, universities, and government organizations. "

Germany doxxes Conti ransomware and TrickBot ring leader

Autosummary: The leaks ultimately expedited Conti"s shutdown, with the cybercrime members moving to other operations or starting new gangs, including Royal, Black Basta, BlackCat, AvosLocker, Karakurt, LockBit, Silent Ransom, DagonLocker, and ZEON. "

New EDDIESTEALER Malware Bypasses Chrome"s App-Bound Encryption to Steal Browser Data

Autosummary: The disclosure comes as c/side revealed details of a ClickFix campaign that targets multiple platforms, such as Apple macOS, Android, and iOS, using techniques like browser-based redirections, fake UI prompts, and drive-by download techniques." AppleProcessHub Stealer, on the other hand, is designed to exfiltrate user files including bash history, zsh history, GitHub configurations, SSH information, and iCloud Keychain. "

Hackers are exploiting critical flaw in vBulletin forum software

Autosummary: The flaws, tracked under CVE-2025-48827 and CVE-2025-48828, and rated critical (CVSS v3 score: 10.0 and 9.0 respectively), are an API method invocation and a remote code execution (RCE) via template engine abuse flaws. "

Police takes down AVCheck site used by cybercriminals to scan malware

Autosummary: "By leveraging counter antivirus services, malicious actors refine their weapons against the world"s toughest security systems to better slip past firewalls, evade forensic analysis, and wreak havoc across victims" systems. "

Chinese APT41 Exploits Google Calendar for Malware Command-and-Control Operations

Autosummary: APT41, also tracked as Axiom, Blackfly, Brass Typhoon (formerly Barium), Bronze Atlas, Earth Baku, HOODOO, Red Kelpie, TA415, Wicked Panda, and Winnti, is the name assigned to a prolific nation-state group known for its targeting of governments and organizations within the global shipping and logistics, media and entertainment, technology, and automotive sectors. "

Over 100,000 WordPress Sites at Risk from Critical CVSS 10.0 Vulnerability in Wishlist Plugin

Autosummary: "

DragonForce Exploits SimpleHelp Flaws to Deploy Ransomware Across Customer Endpoints

Autosummary: Sophos said while the ransomware attack was ultimately thwarted, the attackers managed to steal data and dwell on the network for nine days before attempting to launch the locker, "The combination of vishing and email bombing continues to be a potent, effective combination for ransomware attackers – and the 3AM ransomware group has now found a way to take advantage of remote encryption to stay out of sight of traditional security software," Sean Gallagher, principal threat researcher at Sophos, said. "DragonForce is not just another ransomware brand – it"s a destabilizing force trying to reshape the ransomware landscape," Aiden Sinnott, senior threat researcher at Sophos Counter Threat Unit, said. "

Cybercriminals exploit AI hype to spread ransomware, malware

Autosummary: The ransom note demands a $50,000 ransom to be paid in the hard-to-trace Monero cryptocurrency, claiming that the funds will support humanitarian causes in Palestine, Ukraine, Africa, and Asia. "

Take back control of your browser—Malwarebytes Browser Guard now blocks search hijacking attempts

Autosummary: "

China-linked APT41 used Google Calendar as C2 to control its TOUGHPROGRESS malware

Autosummary: This DLL uses advanced control flow obfuscation techniques, like register-based indirect calls, dynamic address arithmetic, 64-bit register overflow, and function dispatch tables, to hide its behavior. "

Cybercriminals Target AI Users with Malware-Loaded Installers Posing as Popular Tools

Autosummary: " The three malware families are below - GRIMPULL, a downloader that uses a TOR tunnel to fetch additional .NET payloads that are decrypted, decompressed, and loaded into memory as .NET assemblies FROSTRIFT, a .NET backdoor that collects system information, details about installed applications, and scans for 48 extensions related to password managers, authenticators, and cryptocurrency wallets on Chromium-based web browsers XWorm, a known .NET-based remote access trojan (RAT) with features like keylogging, command execution, screen capture, information gathering, and victim notification via Telegram STARKVEIL also serves as a conduit to launch a Python-based dropper codenamed COILHATCH that"s actually tasked with running the aforementioned three payloads via DLL side-loading. The ransomware is equipped to escalate privileges and re-execute itself with administrative permissions, if not already, and encrypts files located in the partitions "C:\," "D:\," and "E:\" that match a certain set of extensions. "

GitHub becomes go-to platform for malware delivery across Europe

Autosummary: No app, or app traffic, should be considered trusted, or exempted from a security policy,” said Gianpietro Cutolo, Cloud Threat Researcher at Netskope Threat Labs. "

Attackers hit MSP, use its RMM software to deliver ransomware to clients

Autosummary: The vulnerabilities in question are CVE-2024-57727, CVE-2024-57728 and CVE-2024-57726, which can be used to compromise SimpleHelp server instances and, through them, push malicious payloads to machines with the client software installed. "

Mimo Hackers Exploit CVE-2025-32432 in Craft CMS to Deploy Cryptominer and Proxyware

Autosummary: The threat activity has been attributed to an intrusion set dubbed Mimo (aka Mimo), which is believed to be active since March 2022, previously relying on vulnerabilities in Apache Log4j (CVE-2021-44228), Atlassian Confluence (CVE-2022-26134), PaperCut (CVE-2023–27350), and Apache ActiveMQ (CVE-2023-46604) to deploy the miner. "

251 Amazon-Hosted IPs Used in Exploit Scan Targeting ColdFusion, Struts, and Elasticsearch

Autosummary: "

Crooks use a fake antivirus site to spread Venom RAT and a mix of malware

Autosummary: “This research examines the attackers’ methods, such as deceptive websites and command infrastructure, indicating a clear intent to target individuals for financial gain by compromising their credentials, crypto wallets, and potentially selling access to their systems.” "

Iranian Man pleaded guilty to role in Robbinhood Ransomware attacks

Autosummary: “Gholinejad and his co-conspirators — all of whom were overseas — caused tens of millions of dollars in losses and disrupted essential public services by deploying the Robbinhood ransomware against U. S. cities, health care organizations, and businesses,” said Matthew R. Galeotti, Head of the Justice Department’s Criminal Division. "

Interlock ransomware gang deploys new NodeSnake RAT on universities

Autosummary: Gathering system data Source: QuorumCyber The malware can kill active processes or load additional EXE, DLL, or JavaScript payloads on the device. "

Fake AI video generator tools lure in Facebook and LinkedIn users to deliver malware

Autosummary: According to researchers at Mandiant, the criminals are setting up websites claiming to offer “AI video generator” services, and then using those fake tools to distribute information stealers, Trojans, and backdoors. Look out for ads with too-good-to-be-true offers, urgent deadlines, or unusual payment methods like cryptocurrency or wire transfers. "

Iranian Hacker Pleads Guilty in $19 Million Robbinhood Ransomware Attack on Baltimore

Autosummary: "

APT41 malware abuses Google Calendar for stealthy C2 communication

Autosummary: Overview of the attack Source: Google APT41 attack flow The attack starts with a malicious email sent to targets, linking to a ZIP archive hosted on a previously compromised government website. "

Smashing Security podcast #419: Star Wars, the CIA, and a WhatsApp malware mirage

Autosummary: Hosts: Graham Cluley: @grahamcluley.com @[email protected] Carole Theriault: @caroletheriault Guest: Allan Liska – @ransomwaresommelier.com Episode links: Sponsored by: Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. "

Nova Scotia Power confirms it was hit by ransomware attack but hasn’t paid the ransom

Autosummary: “ The impacted personal information varies by customer and could include different types depending on what each customer provided, including name, phone number, email address, mailing and service addresses, Nova Scotia Power program participation information, date of birth, and customer account history (such as power consumption, service requests, customer payment, billing, and credit history, and customer correspondence), driver’s license number, and Social Insurance Number.Its operations encompass generation, transmission, and distribution of electricity, utilizing a diverse mix of energy sources including coal, natural gas, hydroelectric, wind, tidal, oil, and biomass. "

Not Every CVE Deserves a Fire Drill: Focus on What’s Exploitable

Autosummary: That shift saves hours of patching, clears out the noise, and most importantly, lets security teams more effectively focus on real threats and effectively stop chasing ghosts. This post breaks down why traditional vulnerability prioritization often leads you astray, and how a better approach, exposure validation, helps teams focus on what’s truly exploitable. It’s like running safe, controlled attack simulations, using real-world adversarial techniques, to see if the entire kill chain of the exploitation campaign works on you. Now it’s time to check your security stack: cloud controls, network protections, endpoint tools, and SIEM rules.However, in your real-world environment, this vuln would be blocked and detected, letting you deal with far more critical vulnerabilities to your org.And many tools, scanners, patching platforms, and dashboards still sort them by raw CVSS or EPSS scores. "

MATLAB dev confirms ransomware attack behind service outage

Autosummary: "

Iranian pleads guilty to RobbinHood ransomware attacks, faces 30 years

Autosummary: "

New Self-Spreading Malware Infects Docker Containers to Mine Dero Cryptocurrency

Autosummary: " As a way of setting up persistence, the transferred "nginx" binary is added to the "/root/.bash_aliases" file to make sure that it automatically launches upon shell login. "

DragonForce ransomware abuses SimpleHelp in MSP supply chain attack

Autosummary: The report by Sophos says that the threat actors first used SimpleHelp to perform reconnaissance on customer systems, such as collecting information about the MSP"s customers, including device names and configuration, users, and network connections. "

NIST proposes new metric to gauge exploited vulnerabilities

Autosummary: It’s a statistical estimate, not a confirmation, which is why the whitepaper emphasizes that LEV is meant to augment, not replace, existing methods. The new metric, “Likely Exploited Vulnerabilities” (LEV), aims to close a key gap in vulnerability management: identifying which of the thousands of reported flaws each year are actually being used in real-world attacks.For now, it works best with CVEs published after March 2023, when EPSS version 3, the most accurate to date, was introduced. "

⚡ Weekly Recap: APT Campaigns, Browser Hijacks, AI Malware, Cloud Breaches and Critical CVEs

Autosummary: This week"s list includes — CVE-2025-34025, CVE-2025-34026, CVE-2025-34027 (Versa Concerto), CVE-2025-30911 (RomethemeKit For Elementor WordPress plugin), CVE-2024-57273, CVE-2024-54780, and CVE-2024-54779 (pfSense), CVE-2025-41229 (VMware Cloud Foundation), CVE-2025-4322 (Motors WordPress theme), CVE-2025-47934 (OpenPGP.js), CVE-2025-30193 (PowerDNS), CVE-2025-0993 (GitLab), CVE-2025-36535 (AutomationDirect MB-Gateway), CVE-2025-47949 (Samlify), CVE-2025-40775 (BIND DNS), CVE-2025-20152 (Cisco Identity Services Engine), CVE-2025-4123 (Grafana), CVE-2025-5063 (Google Chrome), CVE-2025-37899 (Linux Kernel), CVE-2025-26817 (Netwrix Password Secure), CVE-2025-47947 (ModSecurity), CVE-2025-3078, CVE-2025-3079 (Canon Printers), and CVE-2025-4978 (NETGEAR).According to court documents, Council used his personal computer to search incriminating phrases such as "SECGOV hack," "telegram sim swap," "how can I know for sure if I am being investigated by the FBI," "What are the signs that you are under investigation by law enforcement or the FBI even if you have not been contacted by them," "what are some signs that the FBI is after you," "Verizon store list," "federal identity theft statute," and "how long does it take to delete telegram account."According to court documents, Council used his personal computer to search incriminating phrases such as "SECGOV hack," "telegram sim swap," "how can I know for sure if I am being investigated by the FBI," "What are the signs that you are under investigation by law enforcement or the FBI even if you have not been contacted by them," "what are some signs that the FBI is after you," "Verizon store list," "federal identity theft statute," and "how long does it take to delete telegram account."The DBatLoader malware distributed through phishing emails has the cunning behavior of exploiting normal processes (easinvoker.exe, loader.exe) through techniques such as DLL side-loading and injection for most of its behaviors, and it also utilizes normal processes (cmd.exe, powershell.exe, esentutl.exe, extrac32.exe) for behaviors such as file copying and changing policies," the company said."The DBatLoader malware distributed through phishing emails has the cunning behavior of exploiting normal processes (easinvoker.exe, loader.exe) through techniques such as DLL side-loading and injection for most of its behaviors, and it also utilizes normal processes (cmd.exe, powershell.exe, esentutl.exe, extrac32.exe) for behaviors such as file copying and changing policies," the company said." — Microsoft has revealed that it"s making post-quantum cryptography (PQC) capabilities, including ML-KEM and ML-DSA, available for Windows Insiders, Canary Channel Build 27852 and higher, and Linux, SymCrypt-OpenSSL version 1.9.0.Microsoft Announces Availability of Quantum-Resistant Algorithms to SymCrypt — Microsoft has revealed that it"s making post-quantum cryptography (PQC) capabilities, including ML-KEM and ML-DSA, available for Windows Insiders, Canary Channel Build 27852 and higher, and Linux, SymCrypt-OpenSSL version 1.9.0. — An unknown threat actor has been attributed to creating several malicious Chrome Browser extensions since February 2024 that masquerade as seemingly benign utilities such as DeepSeek, Manus, DeBank, FortiVPN, and Site Stats but incorporate covert functionality to exfiltrate data, receive commands, and execute arbitrary code.Another Russian hacking group, Gamaredon, remained the most prolific actor targeting the East European nation, enhancing malware obfuscation and introducing PteroBox, a file stealer leveraging Dropbox. — The Russia-aligned Sandworm group intensified destructive operations against Ukrainian energy companies, deploying a new wiper named ZEROLOT.Over 100 Google Chrome Extensions Mimic Popular Tools — An unknown threat actor has been attributed to creating several malicious Chrome Browser extensions since February 2024 that masquerade as seemingly benign utilities such as DeepSeek, Manus, DeBank, FortiVPN, and Site Stats but incorporate covert functionality to exfiltrate data, receive commands, and execute arbitrary code.While the extensions appear to offer the advertised features, they also stealthily facilitate credential and cookie theft, session hijacking, ad injection, malicious redirects, traffic manipulation, and phishing via DOM manipulation.While the extensions appear to offer the advertised features, they also stealthily facilitate credential and cookie theft, session hijacking, ad injection, malicious redirects, traffic manipulation, and phishing via DOM manipulation."The adopted mechanism will allow, using modern technologies, to strengthen control in the field of migration and will also contribute to reducing the number of violations and crimes in this area," Vyacheslav Volodin, chairman of the State Duma, said."The adopted mechanism will allow, using modern technologies, to strengthen control in the field of migration and will also contribute to reducing the number of violations and crimes in this area," Vyacheslav Volodin, chairman of the State Duma, said."Threat actors may have accessed client secrets for Commvault"s (Metallic) Microsoft 365 (M365) backup software-as-a-service (SaaS) solution, hosted in Azure," CISA said."Threat actors may have accessed client secrets for Commvault"s (Metallic) Microsoft 365 (M365) backup software-as-a-service (SaaS) solution, hosted in Azure," CISA said." — The Dutch government has approved a law criminalizing a wide range of espionage activities, including digital espionage, in an effort to protect national security, critical infrastructure, and high-quality technologies. "

China-linked APT UNC5221 started exploiting Ivanti EPMM flaws shortly after their disclosure

Autosummary: After breaching the system, they used hardcoded MySQL credentials, stored insecurely in system files, to access the database, which contains sensitive information like mobile device data (IMEI, SIM, location), LDAP user details, and Office 365 tokens.China-linked APT UNC5221 started exploiting Ivanti EPMM flaws shortly after their disclosure Pierluigi Paganini May 26, 2025 May 26, 2025 China-linked APT exploit Ivanti EPMM flaws to target critical sectors across Europe, North America, and Asia-Pacific, according to EclecticIQ. "

Week in review: Trojanized KeePass allows ransomware attacks, cyber risks of AI hallucinations

Autosummary: Why legal must lead on AI governance before it’s too late In this Help Net Security interview, Brooke Johnson, Chief Legal Counsel and SVP of HR and Security, Ivanti, explores the legal responsibilities in AI governance, highlighting how cross-functional collaboration enables safe, ethical AI use while mitigating risk and ensuring compliance. Closing security gaps in multi-cloud and SaaS environments In this Help Net Security interview, Kunal Modasiya, SVP, Product Management, GTM, and Growth at Qualys, discusses recent Qualys research on the state of cloud and SaaS security. The hidden gaps in your asset inventory, and how to close them In this Help Net Security interview, Tim Grieveson, CSO at ThingsRecon, breaks down the first steps security teams should take to regain visibility, the most common blind spots in asset discovery, and why context should drive risk prioritization. "

Hackers Use Fake VPN and Browser NSIS Installers to Deliver Winos 4.0 Malware

Autosummary: " The attacks, like those that have deployed Winos 4.0 in the past, appear to focus specifically on Chinese-speaking environments, with the cybersecurity company calling out the "careful, long-term planning" by a very capable threat actor. "

Operation ENDGAME disrupted global ransomware infrastructure

Autosummary: Neutralized strains include Bumblebee, Lactrodectus, Qakbot, Hijackloader, DanaBot, Trickbot, and Warmcookie, all commonly used in ransomware-as-a-service schemes. "

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 46

Autosummary: "

Fake Zenmap. WinMRT sites target IT staff with Bumblebee malware

Autosummary: Google Search results Source: BleepingComputer Bleepingcolputer"s tests show that if you visit the fake Zenmap site directly, it shows several AI-generated articles instead, as seen in the image below: Innocuous blog loading on direct hits Source: BleepingComputer "

CISA Warns of Suspected Broader SaaS Attacks Exploiting App Secrets and Cloud Misconfigs

Autosummary: "

GitLab Duo Vulnerability Enabled Attackers to Hijack AI Responses with Hidden Prompts

Autosummary: "For organizations, this means that private information such as internal rules, functionalities, filtering criteria, permissions, and user roles can be leaked," Trend Micro said in a report published earlier this month. "Duo analyzes the entire context of the page, including comments, descriptions, and the source code — making it vulnerable to injected instructions hidden anywhere in that context," security researcher Omer Mayraz said. "

Chinese threat actors exploited Trimble Cityworks flaw to breach U.S. local government networks

Autosummary: Chinese threat actors exploited Trimble Cityworks flaw to breach U.S. local government networks Pierluigi Paganini May 23, 2025 May 23, 2025 A Chinese threat actor, tracked as UAT-6382, exploited a patched Trimble Cityworks flaw to deploy Cobalt Strike and VShell. "

TikTok videos now push infostealer malware in ClickFix attacks

Autosummary: After being deployed, Vidar can take desktop screenshots and steal credentials, credit cards, cookies, cryptocurrency wallets, text files, and Authy 2FA authenticator databases. "

Police takes down 300 servers in ransomware supply-chain crackdown

Autosummary: " ​Previous Operation Endgame actions This week"s action follows multiple other Operation Endgame phases, including the seizure of over 100 servers hosting over 2,000 domains used by multiple malware loader operations, including IcedID, Pikabot, Trickbot, Bumblebee, Smokeloader, and SystemBC. "

SafeLine WAF: Open Source Web Application Firewall with Zero-Day Detection and Bot Protection

Autosummary: It"s particularly well-suited for: Organizations with strict data privacy or regulatory compliance requirements Teams Targeted by Sophisticated Bots and Automated Threats Small and medium-sized businesses seeking affordable, enterprise-grade protection DevOps and Security Teams Requiring Full Deployment Control and Customization Projects requiring rapid deployment and easy maintenance Final Words SafeLine stands out as a powerful, open-source alternative to traditional cloud-based WAFs. Key Features of SafeLine WAF Comprehensive Attack Prevention SafeLine effectively blocks a wide range of common and advanced web attacks, including SQL injection(SQLi), cross-site scripting (XSS), OS command injection, CRLF injection, XML External Entity (XXE) attacks, Server Side Request Forgery (SSRF), and directory traversal, etc.With cutting-edge zero-day detection, robust bot mitigation, and zero trust–aligned identity features—all bundled into a self-hosted, easy-to-deploy package—SafeLine empowers developers, security teams, and organizations of all sizes to take control of their web security. "

U.S. Dismantles DanaBot Malware Network, Charges 16 in $50M Global Cybercrime Operation

Autosummary: The malware"s infrastructure consists of multiple components: A "bot" that infects target systems and performs data collection, an "OnlineServer" that manages the RAT functionalities, a "client" for processing collected logs and bot management, and a "server" that handles bot generation, packing, and C2 communication DanaBot has been used in targeted espionage attacks against government officials in the Middle East and Eastern Europe The authors of DanaBot operate as a single group, offering the malware for rent to potential affiliates, who subsequently use it for their own malicious purposes by establishing and managing their own botnets using private servers DanaBot"s developers have partnered with the authors of several malware cryptors and loaders, such as Matanbuchus, and offered special pricing for distribution bundles DanaBot maintained an average of 150 active tier-1 C2 servers per day, with approximately 1,000 daily victims across more than 40 countries, making it one of the largest MaaS platforms active in 2025 Proofpoint, which first identified and named DanaBot in May 2018, said the disruption of the MaaS operation is a win for defenders and that it will have an impact on the cybercriminal threat landscape. High-level diagram of multi-tiered C2 architecture The DoJ further credited several private sector firms, Amazon, CrowdStrike, ESET, Flashpoint, Google, Intel 471, Lumen, PayPal, Proofpoint, Spycloud, Team Cymru, and Zscaler, for providing "valuable assistance." Some of the noteworthy aspects of DanaBot, compiled from various reports, are below - DanaBot"s sub-botnet 5 received commands to download a Delphi-based executable leveraged to conduct HTTP-based distributed denial-of-service (DDoS) attacks against the Ukrainian Ministry of Defence (MOD) webmail server and the National Security and Defense Council (NSDC) of Ukraine in March 2022, shortly after Russia"s invasion of the country Two DanaBot sub-botnets, 24 and 25, were specifically used for espionage purposes likely with an aim to further intelligence-gathering activities on behalf of Russian government interests DanaBot operators have periodically restructured their offering since 2022 to focus on defense evasion, with at least 85 distinct build numbers identified to date (The most recent version is 4006, which was compiled in March 2025) "

3AM ransomware attack poses as a call from IT support to compromise networks

Autosummary: As security firm Sophos explains, a virtual machine is deployed on the compromised computer, in an attempt to evade detection from security software, and the attackers roll out a series of commands to create new user accounts and gain admin privileges. "

TikTok videos + ClickFix tactic = Malware infection

Autosummary: "

300 Servers and €3.5M Seized as Europol Strikes Ransomware Networks Worldwide

Autosummary: Iskander Rifkatovich Sharafetdinov (aka alik, gucci), 32, a member of the TrickBot group Mikhail Mikhailovich Tsarev (aka mango), 36, a member of the TrickBot group Maksim Sergeevich Galochkin (aka bentley, manuel, Max17, volhvb, crypt), 43, a member of the TrickBot group Vitalii Nikolaevich Kovalev (aka stern, ben, Grave, Vincent, Bentley, Bergen, Alex Konor), 36, a member of the TrickBot group The disclosure comes as Europol took the wraps off a large-scale law enforcement operation that resulted in 270 arrests of dark web vendors and buyers across 10 countries: the United States (130), Germany (42), the United Kingdom (37), France (29), South Korea (19), Austria (4), the Netherlands (4), Brazil (3), Switzerland (1), and Spain (1). "

Hackers Use TikTok Videos to Distribute Vidar and StealC Malware via ClickFix Technique

Autosummary: Incidentally, the malware is one among the many malicious software to suffer an operational setback as part of Operation Endgame, which took down 300 servers worldwide and neutralized 650 domains related to Bumblebee, Lactrodectus, QakBot, HijackLoader, DanaBot, TrickBot, and WARMCOOKIE between May 19 and 22, 2025. "

CTM360 report: Ransomware exploits trust more than tech

Autosummary: What CISOs should focus on The report recommends: Seeing the organization from an attacker’s perspective Reducing digital exposure across identity and supply chain systems Reviewing remote access practices Applying focused hardening policies that are easy to enforce Auditing how internal trust boundaries are managed Download CTM360’s How To Harden Against Ransomware report and discover how ransomware groups are exploiting identity systems instead of technical flaws.These attacks succeeded not because defences failed, but because basic trust was abused: trust in employees to recognize phishing attempts, trust in identity systems to block unauthorised access, and trust in remote access tools that attackers easily repurposed. "

Unpatched critical bugs in Versa Concerto lead to auth bypass, RCE

Autosummary: Attackers can overwrite a binary like "test" with a reverse shell script, which is then executed by a host cron job, resulting in full host compromise The researchers created a video to demonstrate how CVE-2025-34027 could be exploited in attacks: ProjectDiscovery reported the vulnerabilities to the vendor on February 13, with a 90-day disclosure period. "

FBI and Europol Disrupt Lumma Stealer Malware Network Linked to 10 Million Infections

Autosummary: The stealer is typically bundled with spoofed software or cracked versions of popular commercial software, targeting users looking to avoid paying for legitimate licenses The operators have created a Telegram marketplace with a rating system for affiliates to sell stolen data without intermediaries The core binary is obfuscated with advanced protection such as low-level virtual machine (LLVM core), Control Flow Flattening (CFF), Control Flow Obfuscation, customized stack decryption, huge stack variables, and dead codes, among others to make static analysis difficult There were more than 21,000 market listings selling Lumma Stealer logs on multiple cybercriminal forums from April through June of 2024, a 71.7% increase from April through June of 2023 "The Lumma Stealer distribution infrastructure is flexible and adaptable," Microsoft said.The Windows maker, which is tracking the threat actor behind the stealer under the name Storm-2477, said its distribution infrastructure is both "dynamic and resilient," leveraging a combination of phishing, malvertising, drive-by download schemes, abuse of trusted platforms, and traffic distribution systems like Prometheus. "

Ivanti EPMM flaw exploited by Chinese hackers to breach govt agencies

Autosummary: The entities targeted in the latest UNC5221 exploitation campaign are: UK National Health Service institutions National healthcare/pharma provider in North America U.S. medical device manufacturer Municipal agencies in Scandinavia and the UK German Federal Research Institute German telecommunications giant and IT subsidiaries U.S.-based cybersecurity firm Major U.S. foodservice distributor Irish aerospace leasing firm German industrial manufacturer Japanese automotive electronics and powertrain supplier U.S. firearms manufacturer South Korean multinational commercial and consumer bank These were confirmed breaches, as evidenced by reverse shells, data exfiltration/database exports, persistent malware injections, and abuse of internal Office 365 tokens and LDAP configurations. "

Chinese hackers breach US local governments using Cityworks zero-day

Autosummary: "

Critical Windows Server 2025 dMSA Vulnerability Enables Active Directory Compromise

Autosummary: " The problem identified by Akamai is that during the dMSA Kerberos authentication phase, the Privilege Attribute Certificate (PAC) embedded into a ticket-granting ticket (i.e., credentials used to verify identity) issued by a key distribution center (KDC) includes both the dMSAs security identifier (SID) as well as the SIDs of the superseded service account and of all its associated groups. "

Chinese Hackers Exploit Ivanti EPMM Bugs in Global Enterprise Network Attacks

Autosummary: The Dutch cybersecurity company said the earliest exploitation activity dates back to May 15, 2025, with the attacks targeting healthcare, telecommunications, aviation, municipal government, finance, and defense sectors. "

Unpatched Windows Server vulnerability allows full domain compromise

Autosummary: “The [“BadSuccessor”] attack exploits the delegated Managed Service Account (dMSA) feature that was introduced in Windows Server 2025, works with the default configuration, and is trivial to implement,” Akamai researcher Yuval Gordon warned. "

Chinese Hackers Exploit Trimble Cityworks Flaw to Infiltrate U.S. Government Networks

Autosummary: "

US indicts leader of Qakbot botnet linked to ransomware attacks

Autosummary: Starting in 2019, Qakbot became the initial infection vector in many ransomware attacks from infamous gangs such as Conti, ProLock, Egregor, REvil, RansomExx, MegaCortex, Doppelpaymer, Black Basta, and Cactus. "

U.S. CISA adds a Samsung MagicINFO 9 Server flaw to its Known Exploited Vulnerabilities catalog

Autosummary: "

AutoPatchBench: Meta’s new way to test AI bug fixing tools

Autosummary: Patch generation flowchart CyberSecEval 4 AutoPatchBench is part of Meta’s CyberSecEval 4, a benchmark designed to objectively evaluate and compare various LLM-based auto-patching agents for vulnerabilities specifically identified via fuzzing, a widely used method of automated security testing. "

SK Telecom revealed that malware breach began in 2022

Autosummary: “The personal information that has been confirmed to have been leaked so far is a total of 25 types, including users’ mobile phone numbers, IMSI (subscriber identification number), SIM authentication keys, and other SIM-related information that were stored in HSS*.”The company offers cellular service, along with 5G development, AI services, IoT solutions, cloud computing, and smart city infrastructure. "

Kettering Health hit by system-wide outage after ransomware attack

Autosummary: "While it is customary for Kettering Health to contact patients by phone to discuss payment options for medical bills, out of an abundance of caution, we will not be making calls to ask for or receive payment over the phone until further notice," it added. "

PureRAT Malware Spikes 4x in 2025, Deploying PureLogs to Target Russian Firms

Autosummary: "

Fake Kling AI Facebook Ads Deliver RAT Malware to Over 22 Million Potential Victims

Autosummary: The loader, besides monitoring for analysis tools such as Wireshark, OllyDbg, Procmon, ProcExp, PeStudio, and Fiddler, makes Windows Registry changes to set up persistence and launches the second-stage by injecting it into a legitimate system process like "CasPol.exe" or "InstallUtil.exe" to evade detection. "

U.S. CISA adds Ivanti EPMM, MDaemon Email Server, Srimax Output Messenger, Zimbra Collaboration, and ZKTeco BioTime flaws to its Known Exploited Vulnerabilities catalog

Autosummary: U.S. CISA adds Ivanti EPMM, MDaemon Email Server, Srimax Output Messenger, Zimbra Collaboration, and ZKTeco BioTime flaws to its Known Exploited Vulnerabilities catalog Pierluigi Paganini May 21, 2025 May 21, 2025 U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Ivanti EPMM, MDaemon Email Server, Srimax Output Messenger, Zimbra Collaboration, and ZKTeco BioTime flaws to its Known Exploited Vulnerabilities catalog. "

3AM ransomware uses spoofed IT calls, email bombing to breach networks

Autosummary: Next, the attacker downloaded and extracted a malicious archive from a spoofed domain, containing a VBS script, a QEMU emulator, and a Windows 7 image pre-loaded with QDoor backdoor. "

Lumma infostealer malware operation disrupted, 2,300 domains seized

Autosummary: After compromising a system, Lumma can steal data from web browsers and applications, including cryptocurrency wallets and cookies, credentials, passwords, credit cards, and browsing history from Google Chrome, Microsoft Edge, Mozilla Firefox, and other Chromium browsers. "

ThreatLocker Patch Management: A Security-First Approach to Closing Vulnerability Windows

Autosummary: ThreatLocker Ringfencing™ controls what approved applications can access—like files, scripts, or the internet—stopping living-off-the-land attacks and preventing lateral movement before it starts Learn More ThreatLocker Patch Management: Designed for Zero Trust Environments ThreatLocker flips the typical patching script by assuming that every change — even a vendor patch — must be treated as untrusted until verified. Closing the Vulnerability Gap: Visibility, Control, Speed ThreatLocker Patch Management isn’t just about automating updates — it’s about giving security teams the tools they need to: Understand the security and operational impact of patches before hitting deploy. ThreatLocker Patch Management is built to tackle this reality head-on, providing security teams with greater control, visibility, and confidence over patching workflows — without compromising the stability of production systems. In fact, according to the 2023 Top Routinely Exploited Vulnerabilities (CISA), many breaches traced back to vulnerabilities that had patches available for months, or even years — a clear sign that it"s not awareness that"s lacking, but execution. "

Lumma Stealer Malware-as-a-Service operation disrupted

Autosummary: The organizations involved in the joint action include the US DoJ, Europol, Japan’s Cybercrime Control Center (which helped suspend Lumma infrastructure in Japan), Microsoft’s Digital Crimes Unit, Cloudflare, Lumen Technologies, Bitsight, ESET, CleanDNS, GMO Registry, and Orrick. "

Russian Hackers Exploit Email and VPN Vulnerabilities to Spy on Ukraine Aid Logistics

Autosummary: Targets of the campaign include companies involved in the coordination, transport, and delivery of foreign assistance to Ukraine, according to a joint advisory released by agencies from Australia, Canada, Czechia, Denmark, Estonia, France, Germany, the Netherlands, Poland, the United Kingdom, and the United States. "

Go-Based Malware Deploys XMRig Miner on Linux Hosts via Redis Configuration Abuse

Autosummary: "While regular users received the bulk of authentication attempts (50,214), admin accounts and shared mailboxes were targeted at a specific pattern, with admin accounts receiving 9,847 attempts across 432 IPs over 8 hours, suggesting an average of 22.79 attempts per IP and a velocity of 1,230.87 attempts per hour," the company said. "

Malicious PyPI Packages Exploit Instagram and TikTok APIs to Validate User Accounts

Autosummary: It achieves this by targeting different API endpoints - i.instagram[.]com/api/v1/users/lookup/ i.instagram[.]com/api/v1/bloks/apps/com.bloks.www.caa.ar.search.async/ i.instagram[.]com/api/v1/accounts/send_recovery_flow_email/ www.instagram[.]com/api/v1/web/accounts/check_email/ "Sinnercore," on the other hand, aims to trigger the forgot password flow for a given username, targeting the API endpoint "b.i.instagram[.]com/api/v1/accounts/send_password_reset/" with fake HTTP requests containing the target"s username. "

Sarcoma Ransomware Unveiled: Anatomy of a Double Extortion Gang

Autosummary: "

Trojanized KeePass opens doors for ransomware attackers

Autosummary: During this engagement, WithSecure’s Threat intelligence analysts have also uncovered a slew of malvertising campaigns, typosquatted domains, and subdomains that served KeeLoader, the Nitrogen loader posing as legitimate software (WinSCP, TreeSize Free), and phishing pages impersonating financial institutions and services, as well as evidence of active, 8-month-long development of KeeLoader. "

South Asian Ministries Hit by SideWinder APT Using Old Office Flaws and Custom Malware

Autosummary: "

AWS Default IAM Roles Found to Enable Lateral Movement and Cross-Service Exploitation

Autosummary: Some of the identified services with the permissive policy are listed below - Amazon SageMaker AI, which creates a default execution role named AmazonSageMaker-ExecutionRole-<Date&Time> when setting up a SageMaker Domain that comes with a custom policy equivalent to AmazonS3FullAccess AWS Glue, which creates a default AWSGlueServiceRole role with the AmazonS3FullAccess policy Amazon EMR, which creates a default AmazonEMRStudio_RuntimeRole_<Epoch-time> role that"s assigned the AmazonS3FullAccess policy In a hypothetical attack scenario, a threat actor could upload a malicious machine learning model to Hugging Face that, when imported into SageMaker, can result in the execution of arbitrary code, which could then be used to seize control of other AWS services like Glue by injecting a backdoor capable of stealing IAM credentials of the Glue job. "

SK Telecom says malware breach lasted 3 years, impacted 27 million numbers

Autosummary: This breach allowed attackers to steal data that included IMSI, USIM authentication keys, network usage data, and SMS/contacts stored in the SIM. "

Hazy Hawk gang exploits DNS misconfigs to hijack trusted domains

Autosummary: "

RVTools hit in supply chain attack to deliver Bumblebee malware

Autosummary: While the Conti ransomware operation shut down in 2022, many of its members split off into other ransomware operations, including Black Basta, Royal, Silent Ransom, and others, who likely still have access to the tooling.When it came back online, the download had changed: the file size was smaller, and the hash now matched the clean version listed on the site" Bumblebee is a malware loader that is typically promoted via SEO poisoning, malvertising, and phishing attacks. "

Malware-infected printer delivered something extra to Windows users

Autosummary: Error. "

Hazy Hawk Exploits DNS Records to Hijack CDC, Corporate Domains for Malware Delivery

Autosummary: " In doing so, the idea is to flood a victim"s device with push notifications and deliver an endless torrent of malicious content, with each notification leading to different scams, scareware, and fake surveys, and accompanied by requests to allow more push notifications. "

VanHelsing ransomware builder leaked on hacking forum

Autosummary: common.h header file used by the builder Source: BleepingComputer However, the leak also includes the source code for the affiliate panel, which hosts the api.php endpoint, so threat actors could modify the code or run their own version of this panel to get the builder to work. "

Trojanized RVTools push Bumblebee malware in SEO poisoning campaign

Autosummary: When it came back online, the download had changed: the file size was smaller, and the hash now matched the clean version listed on the site" Bumblebee is a malware loader that is typically promoted via SEO poisoning, malvertising, and phishing attacks.While the Conti ransomware operation shut down in 2022, many of its members split off into other ransomware operations, including Black Basta, Royal, Silent Ransom, and others, who likely still have access to the tooling." Notice on robware.net and rvtools.com Source: BleepingComputer.com RVTool supply chain attack RVTools, initially developed by Robware and now owned by Dell, is a Windows utility that provides comprehensive inventory and health reporting for VMware vSphere environments. "

Threat Actors Deploy LummaC2 Malware to Exfiltrate Sensitive Data from Organizations