CyberSecurity news
FlagThis
|
@The GreyNoise Blog
//
Cybersecurity researchers have issued a warning about a significant surge in suspicious login scanning activity targeting Palo Alto Networks PAN-OS GlobalProtect gateways. Nearly 24,000 unique IP addresses have been observed attempting to access these portals, raising concerns among experts. The activity is suspected to be a coordinated effort aimed at identifying exposed or vulnerable systems, potentially as a precursor to targeted exploitation. GreyNoise, a threat intelligence firm, has indicated that this pattern suggests a systematic probing of network defenses.
The surge reportedly began on March 17, 2025, with the number of unique IP addresses involved peaking at nearly 20,000 per day before tapering off around March 26. Of the total IPs involved, a smaller subset of 154 have been flagged as malicious. The United States and Canada have been identified as the primary sources of the traffic, while systems in the United States, the United Kingdom, Ireland, Russia, and Singapore are the main targets. Organizations using Palo Alto Networks products are urged to take immediate steps to secure their login portals. Recommended read:
References :
Bill Mann@CyberInsider
//
Apple has released a series of critical security updates for its operating systems, including iOS 18.4 and macOS Sequoia 15.4. These updates address a total of 145 vulnerabilities, including several zero-day exploits that may have been actively exploited. Users of iOS, iPadOS, macOS, tvOS, visionOS, Safari, and Xcode are urged to update their devices immediately to safeguard against potential security threats. Notably, watchOS was missing from this patch lineup.
Apple pushed emergency updates targeting three zero-day vulnerabilities identified as CVE-2025-24200 (Accessibility) and CVE-2025-24201 (WebKit). These patches have been backported to older iOS and iPadOS versions, specifically 15.8.4 and 16.7.11, ensuring that users on older devices are also protected from these actively exploited flaws. The updates include fixes for bugs in WebKit, Siri, Safari, and libxpc, along with numerous other security enhancements, underscoring Apple's commitment to addressing security vulnerabilities across its product ecosystem. Recommended read:
References :
@The DefendOps Diaries
//
A critical authentication bypass vulnerability, identified as CVE-2025-2825, is actively being exploited in CrushFTP file transfer software. Attackers are leveraging publicly available proof-of-concept code to gain unauthenticated access to unpatched devices. The flaw affects CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0, with security analysts confirming that a significant number of instances remain unpatched despite the availability of patches since March 26, 2025. Project Discovery has published a technical write-up and PoC for the bypass.
The vulnerability stems from improper handling of HTTP requests utilizing S3-style authorization headers. Attackers can craft malicious AWS S3-style authorization headers containing a valid username, bypassing password verification. Once access is gained, attackers can execute administrative commands, download sensitive files, create new administrator accounts, and upload malicious payloads, potentially leading to complete system compromise. CrushFTP has addressed this in version 11.3.1 by introducing a new security parameter, s3_auth_lookup_password_supported, set to false by default. Recommended read:
References :
Dissent@DataBreaches.Net
//
References:
DataBreaches.Net
, The Register - Security
,
A former GCHQ intern, Hasaan Arshad, has pleaded guilty to violating the Computer Misuse Act by transferring top-secret data from a secure GCHQ computer to his work phone. He then moved the data to a personal hard drive connected to his home PC. Arshad admitted to the unauthorized acts, which prosecutors say involved a "top secret" tool worth millions of pounds. The tool was developed using a "significant amount" of taxpayer money.
Arshad, a student at the University of Manchester, was arrested and his home searched in September 2022. While he claimed his actions stemmed from curiosity and a desire to further develop the software, the incident underscores the risk of insider threats. Cybersecurity experts highlight the need for organizations to implement strict access controls, restrict removable media, and manage mobile device capabilities in sensitive areas to prevent such breaches. Recommended read:
References :
Microsoft Threat@Microsoft Security Blog
//
Microsoft has uncovered 20 previously unknown vulnerabilities in the GRUB2, U-Boot, and Barebox open-source bootloaders using its AI-powered Security Copilot. These bootloaders are critical components, with GRUB2 commonly used in Linux distributions like Ubuntu, and U-Boot and Barebox prevalent in embedded and IoT devices. The identified vulnerabilities include integer and buffer overflows in filesystem parsers, command flaws, and a side-channel in cryptographic comparison, potentially enabling threat actors to gain control and execute arbitrary code.
Water Gamayun, a suspected Russian hacking group, has been linked to the exploitation of CVE-2025-26633 (MSC EvilTwin) to deploy SilentPrism and DarkWisp. The group uses malicious provisioning packages, signed .msi files, and Windows MSC files to deliver information stealers and backdoors. These backdoors, SilentPrism and DarkWisp, enable persistence, system reconnaissance, data exfiltration, and remote command execution. The threat actors transitioned to their own infrastructure for staging and command-and-control purposes after using a GitHub repository to push various kinds of malware families. Recommended read:
References :
@upguard.com
//
API Security Firm APIsec Exposes Customer Data - API security testing firm APIsec exposed an internal database to the internet without a password, potentially compromising customer data.
ImgSrc: cdn.prod.websit
API security testing firm APIsec exposed an internal database to the internet without a password, potentially compromising customer data. The database contained customer info and other data generated while monitoring customer APIs for security weaknesses, according to researchers at UpGuard, who discovered the exposed database on March 5th, 2025. UpGuard notified APIsec, and the database was secured the same day. APIsec claims to be used by 80% of the Fortune 100.
The exposed Elasticsearch database contained over three terabytes of data, including configuration information for private scanning instances, results of API scans for customers’ endpoints, and personal information for users collected during scanning. This data provided extensive information about the attack surfaces of APIsec's customers. The database contained indices for executing the APIsec test suites against customer APIs and storing the results, with data spanning from 2018 to 2025. The APIsec platform helps companies secure their APIs by running tests for common weaknesses. The exposed data included information about which tests were being performed, allowing attackers to potentially look for issues not being tested. The index "fx-accounts" included usernames and credentials for services like AWS, Slack, and GitHub. The index "fx-clusters" contained configuration data for APIsec scanning instances, some of which contained the same AWS access key as the record in "fx-accounts." Recommended read:
References :
do son@securityonline.info
//
References:
securityonline.info
, Cyber Security News
,
Russia-aligned cyber threat groups UAC-0050 and UAC-0006 are actively using bulletproof hosting infrastructures to conduct cyberattacks globally. These networks, often obscured by offshore shell companies, provide a shield for malicious activities including espionage, financial theft, and psychological operations. Intrinsec analysts have uncovered campaigns blending cyber espionage, financial theft, and psychological warfare, primarily targeting Ukraine and its allies with tactics like bomb threats and fake banking transactions.
These threat groups heavily rely on bulletproof hosting providers to evade detection. Entities like Global Connectivity Solutions LLP and Railnet LLC act as legal fronts, using offshore shell companies in jurisdictions like Seychelles to make attribution and legal action difficult. This infrastructure also supports ransomware groups like Black Basta and RansomHub and involves frequent IP migrations across autonomous systems, further complicating efforts to block malicious activities. UAC-0050 has also engaged in psychological operations, such as sending bomb threats to Ukrainian institutions under the guise of the "Fire Cells Group." Recommended read:
References :
do son@securityonline.info
//
Fake Zoom Installer Leads to BlackSuit Ransomware - The Lazarus Group is targeting the cryptocurrency industry with a ClickFake Interview campaign, deploying the GolangGhost malware via fake job offers.
ImgSrc: securityonline.
Cybersecurity analysts have uncovered a sophisticated campaign exploiting a fake Zoom installer to deliver BlackSuit ransomware across Windows-based systems. The attack, beginning with a malicious download from a website mimicking the teleconferencing application Zoom, lures unsuspecting victims into installing malware capable of crippling entire networks. When the victim clicked the “Download” button, they unknowingly triggered a chain reaction of events.
The fake installer, crafted with Inno Setup, hides the d3f@ckloader, a Pascal-based loader. After gaining initial access, the attackers deploy Brute Ratel and Cobalt Strike for lateral movement, using QDoor to facilitate RDP access. After 9 days, they deploy the BlackSuit ransomware across the network, deleting Volume Shadow Copies to hinder data recovery efforts before encrypting files and dropping ransom notes. The attackers also used WinRAR to compress file share data and uploaded the archives to Bublup, a cloud storage service for data exfiltration. Recommended read:
References :
info@thehackernews.com (The@The Hacker News
//
Security researchers have uncovered a rise in hackers exploiting WordPress mu-plugins to inject malicious code. The mu-plugins directory, designed for automatically loading essential plugins, is being used to conceal malware, enabling persistent remote access and site redirection. Because these plugins are automatically enabled and not visible in the standard WordPress plugin interface, attackers can maintain a stealthy foothold, bypassing typical security checks. This allows them to inject spam, hijack site images, and maintain long-term control over compromised sites.
Researchers at Sucuri have identified three distinct types of malicious code being deployed. One variant redirects site visitors to external malicious websites, often disguised as browser updates serving malware. Another executes a webshell, providing attackers with remote code execution capabilities. The third injects spam onto the website, replacing images with explicit content and hijacking outbound links to malicious popups. The goal of this spam injection is often to promote scams or manipulate SEO rankings. These tactics are used to target website visitors while evading detection by search engines and administrators. Website administrators are advised to include the mu-plugins directory in their regular security scans to detect and remove any unrecognized or suspicious files. Security experts recommend ensuring WordPress, plugins, and themes are updated and employing strong passwords with two-factor authentication. If a compromise is suspected, all unauthorized admin accounts and malicious files should be removed to prevent reinfection. These measures are crucial to securing WordPress sites against this evolving threat. Recommended read:
References :
Lenart Bermejo@feeds.feedburner.com
//
Earth Alux APT Uses VARGIET Malware in Espionage - Earth Alux, a China-linked APT group, conducts cyberespionage attacks on critical industries in APAC and Latin America using VARGEIT malware for data theft.
ImgSrc: www.trendmicro.
Earth Alux, a China-linked advanced persistent threat (APT) group, has been identified launching cyberespionage attacks aimed at critical industries. Since the second quarter of 2023, this group has been targeting organizations in the Asia-Pacific (APAC) and Latin American regions, with a focus on sectors including government, technology, logistics, manufacturing, telecommunications, IT services, and retail. Trend Micro's monitoring and investigation efforts have uncloaked the group's stealthy activities and advanced techniques, highlighting the significant risk they pose to sensitive data and operational continuity.
Earth Alux primarily employs the VARGEIT malware as its main backdoor and control tool. VARGEIT is utilized at multiple stages of an attack to maintain persistence, collect data, and execute malicious operations. The malware operates as a multi-channel configurable backdoor with capabilities such as drive information collection, process monitoring, file manipulation, and command line execution. It can also inject additional tools into processes like mspaint.exe for fileless operations, making detection challenging. The group uses sophisticated techniques, including DLL sideloading, timestomping, and encrypted communication channels, to ensure stealth and evade conventional security systems. Recommended read:
References :
Pierluigi Paganini@Security Affairs
//
Sam's Club Investigates Alleged Cl0p Ransomware Data Breach - Sam’s Club is investigating claims of a Cl0p ransomware breach, with the Cl0p group claiming responsibility for the security breach.
ImgSrc: securityaffairs
Sam's Club, the membership warehouse club chain owned by Walmart, is currently investigating claims of a Clop ransomware breach. The Clop ransomware group has reportedly taken responsibility for the alleged security incident. The investigation aims to determine the scope and nature of the potential data compromise, with Sam's Club stating they are actively looking into the matter.
The alleged breach is tied to the Clop ransomware operation's exploitation of vulnerabilities in Cleo file transfer software. Cybernews reports that Sam's Club is among the numerous organizations purportedly affected. Sam's Club has acknowledged the situation and initiated an internal investigation, though specific details regarding the alleged compromise remain limited. The company has affirmed its commitment to protecting the privacy and security of its members' information. Recommended read:
References :
rohansinhacyblecom@cyble.com
//
A new Android banking trojan called Crocodilus has been discovered, targeting users in Spain and Turkey. Cybersecurity experts warn that this sophisticated malware employs advanced techniques like remote control, black screen overlays, and data harvesting through accessibility logging. Crocodilus is designed to facilitate device takeover and conduct fraudulent transactions, masquerading as Google Chrome to bypass Android 13+ restrictions.
Once installed, Crocodilus requests access to Android's accessibility services and connects to a remote server for instructions and a list of targeted financial applications. The malware steals banking and crypto credentials by displaying HTML overlays and monitors all accessibility events to capture screen contents, including Google Authenticator details. Crocodilus conceals malicious activities using a black screen overlay and muting sounds to avoid detection. Recommended read:
References :
@www.infosecurity-magazine.com
//
Cybersecurity researchers are raising concerns about a new sophisticated malware loader called CoffeeLoader, designed to stealthily download and execute secondary payloads while evading detection. The malware, first observed around September 2024, shares behavioral similarities with SmokeLoader, another known malware loader. CoffeeLoader employs a variety of techniques to bypass security solutions, including a specialized packer that utilizes the GPU, call stack spoofing, sleep obfuscation, and the use of Windows fibers.
CoffeeLoader's infection sequence starts with a dropper that attempts to execute a DLL payload packed by Armoury, impersonating ASUS's Armoury Crate utility. The malware establishes persistence by creating scheduled tasks and uses call stack spoofing and sleep obfuscation to evade antivirus and EDR solutions. Upon successful connection to a command-and-control server, CoffeeLoader receives commands to inject and execute Rhadamanthys shellcode, highlighting the potential for significant harm. While there are notable similarities between CoffeeLoader and SmokeLoader, researchers are still determining the exact relationship between the two malware families. Recommended read:
References :
do son@Daily CyberSecurity
//
CISA has issued a Malware Analysis Report (MAR-25993211-r1.v1) detailing a new malware variant named RESURGE, which exploits a critical vulnerability in Ivanti Connect Secure devices (CVE-2025-0282). The analysis indicates that RESURGE exhibits capabilities similar to the SPAWNCHIMERA malware, including surviving system reboots, but contains distinctive commands that alter its behavior. According to CISA, RESURGE can create web shells, manipulate integrity checks, and modify files, enabling credential harvesting, account creation, password resets, and escalating permissions.
RESURGE can also copy the web shell to the Ivanti running boot disk and manipulate the running coreboot image, ensuring persistence and unauthorized access. CISA strongly advises organizations using Ivanti Connect Secure devices to take immediate action to mitigate this threat by applying security patches for CVE-2025-0282, monitoring network traffic for unusual SSH connections, and implementing robust logging practices to detect tampering attempts. The vulnerability, CVE-2025-0282, is a stack-based buffer overflow vulnerability affecting Ivanti Connect Secure, Policy Secure, and ZTA Gateways that could result in remote code execution. Recommended read:
References :
@itpro.com
//
Cybersecurity firm Resecurity successfully infiltrated the BlackLock ransomware gang's network by exploiting a local file inclusion vulnerability on their data leak site (DLS). This vulnerability, a misconfiguration in the site, allowed Resecurity to access the gang's network infrastructure, configuration files, and even account credentials. By gaining access, Resecurity could observe the gang's operations, identify potential victims, and alert both the victims and authorities, providing valuable insights into the gang's modus operandi.
Resecurity's actions have provided law enforcement with crucial information about BlackLock, also known as El Dorado, which had successfully attacked at least 46 organizations worldwide. The compromised DLS revealed that the gang was actively recruiting affiliates to spread the ransomware further. By uncovering the gang's methods and infrastructure, Resecurity has potentially disrupted BlackLock's operations and protected numerous organizations from falling victim to their attacks. Recommended read:
References :
cybernewswire@The Last Watchdog
//
Palo Alto, USA, March 29, 2025 - SquareX has disclosed a new form of ransomware that operates natively within web browsers and is undetectable by traditional antivirus software. This browser-native ransomware poses a significant threat to enterprises, potentially putting millions at risk. The disclosure comes as ransomware continues to be a major cybersecurity concern, with Chainalysis estimating that corporations spend nearly $1 billion annually on ransom payments alone. The true cost, however, is often much higher due to reputational damage and operational disruption.
SquareX's research highlights that unlike traditional ransomware, this new variant does not require victims to download and install malicious files. Instead, it targets the user's digital identity, exploiting the increasing reliance on cloud-based enterprise storage and browser-based authentication. SquareX founder, Vivek Ramachandran, warns that the rise in browser-based identity attacks indicates that the "ingredients" for browser-native ransomware are already being used by adversaries. He emphasizes the need for browser-native solutions to combat this emerging threat, as traditional endpoint security measures are ineffective against these attacks. Recommended read:
References :
Pierluigi Paganini@Security Affairs
//
Russia-linked Gamaredon is actively targeting Ukrainian users with a phishing campaign designed to deploy the Remcos Remote Access Trojan (RAT). This ongoing cyber campaign, uncovered by Cisco Talos, utilizes malicious LNK files disguised as Microsoft Office documents within ZIP archives. The filenames of these files often reference troop movements and other sensitive geopolitical themes related to the conflict in Ukraine, demonstrating a deliberate attempt to exploit the current situation to lure victims.
The attack chain begins with the execution of a PowerShell downloader embedded within the LNK file. This downloader then contacts geo-fenced servers located in Russia and Germany to retrieve a second-stage ZIP payload that contains the Remcos backdoor. The downloaded payload employs DLL sideloading techniques to execute the backdoor. Cisco Talos assesses that the threat actor, Gamaredon, is affiliated with Russia's Federal Security Service (FSB) and known for targeting Ukrainian organizations for espionage and data theft since at least 2013. Recommended read:
References :
|
