CyberSecurity news
FlagThis
|
@cyberscoop.com
//
A pro-Israel hacktivist group known as Predatory Sparrow has claimed responsibility for a cyberattack on Nobitex, Iran's largest cryptocurrency exchange. The attack resulted in the theft and destruction of approximately $90 million in cryptocurrency. The group stated that Nobitex was targeted for allegedly financing terrorism and evading international sanctions for the Iranian regime. This incident highlights the increasing cyber conflict between Israel and Iran, with hacktivist groups playing a significant role in disruptive operations.
The hackers reportedly sent the stolen funds to inaccessible blockchain addresses, effectively "burning" the cryptocurrency and taking it out of circulation. Blockchain analysis firm Elliptic confirmed the transfer of over $90 million to multiple vanity addresses containing variations of "F--kIRGCterrorists" within their public key. This symbolic act suggests the intention was to send a political message rather than financial gain. It has been noted that Nobitex has over 10 million customers, raising concerns about the potential impact of the breach. The attack on Nobitex follows a recent claim by Predatory Sparrow of hacking Bank Sepah, another major Iranian financial institution. These cyberattacks come amid escalating tensions and exchanges of airstrikes between Israel and Iran. Cybersecurity experts warn of a growing digital conflict unfolding behind the scenes, with the potential for broader spillover effects. The situation emphasizes the vulnerability of cryptocurrency exchanges to sophisticated cyberattacks and the need for enhanced cybersecurity measures. Recommended read:
References :
@x.com
//
References:
thecyberexpress.com
, SpiderLabs Blog
,
The ongoing Israel-Iran conflict has expanded into cyberspace, marked by a surge in hacktivist activity and the deployment of new malware campaigns. Pro-Israel and pro-Iranian groups are actively engaging in cyberattacks, including DDoS attacks, website defacements, and data breaches, targeting organizations within each other's territories. This digital warfare mirrors the escalating military tensions between the two nations, turning the internet into a covert combat zone.
Amidst this cyber conflict, a pro-Israel hacktivist group known as Predatory Sparrow has claimed responsibility for hacking Bank Sepah, a major Iranian financial institution. Predatory Sparrow alleges that the bank was used to circumvent international sanctions and finance the Iranian regime's military activities. While independent verification of the attack is pending, reports have emerged of banking disruptions and closed Bank Sepah branches across Iran. The group has targeted Iranian organizations in the past. The intensification of cyber hostilities between Israel and Iran raises concerns about potential spillover effects, with U.S. companies and critical infrastructure facing increased risks. Cybersecurity experts are urging organizations to brace for potential disruptions and enhance their defenses against cyberattacks. The digital conflict highlights the importance of cybersecurity preparedness in a world where geopolitical tensions increasingly manifest in cyberspace. Recommended read:
References :
@cert.europa.eu
//
On June 17, 2025, Veeam released critical security updates for its Backup & Replication software to address several vulnerabilities, including a critical Remote Code Execution (RCE) flaw identified as CVE-2025-23121. The vulnerability, which has a CVSS score of 9.9, could allow an authenticated domain user to execute arbitrary code on affected Backup Servers, potentially leading to system compromise. This flaw impacts Veeam Backup & Replication version 12 builds, including version 12.3.1.1139. The update to version 12.3.2 (build 12.3.2.3617) resolves this critical issue and other related vulnerabilities.
Researchers at watchTowr and Code White GmbH discovered that the vulnerability, CVE-2025-23121, could bypass a previous patch released in March 2025 for vulnerability CVE-2025-23120. According to the researchers, the underlying issue stems from uncontrolled deserialization vulnerabilities in BinaryFormatter, a component that Microsoft has deprecated and deemed inherently insecure. Veeam's approach to mitigating these vulnerabilities has involved maintaining an exclusion list of gadgets that can lead to deserialization issues, however researchers suggest this approach is not sufficient. Veeam has urged users to update to the latest patched version of Backup & Replication, specifically version 12.3.2, as soon as possible. While Veeam notes that unsupported product versions have not been tested, they are likely affected and should be considered vulnerable. The company also advises against joining backup servers to domains, although this practice is common for efficiency. Veeam recommends implementing best practices like using a separate management workgroup or domain for Veeam components to isolate them from the protected environment. Recommended read:
References :
info@thehackernews.com (The@The Hacker News
//
References:
The Hacker News
, securityaffairs.com
,
A new Flodrix botnet variant is actively targeting vulnerable Langflow AI servers by exploiting a critical remote code execution (RCE) vulnerability tracked as CVE-2025-3248. Langflow, a Python-based visual framework used for building artificial intelligence (AI) applications, contains a missing authentication vulnerability that enables unauthenticated attackers to execute arbitrary code via crafted HTTP requests. Cybersecurity researchers at Trend Micro have highlighted this ongoing campaign, revealing that attackers are leveraging the flaw to execute downloader scripts on compromised Langflow servers. These scripts then fetch and install the Flodrix malware, ultimately leading to full system compromise.
Trend Micro's analysis reveals that attackers are exploiting CVE-2025-3248, which has a CVSS score of 9.8, by using publicly available proof-of-concept (PoC) code to target unpatched, internet-exposed Langflow instances. The vulnerability lies in the lack of input validation or sandboxing within Langflow, allowing malicious payloads to be compiled and executed within the server's context. The downloader scripts retrieve the Flodrix botnet malware from a specified host and, once installed, Flodrix establishes communication with a remote server via TCP to receive commands for launching distributed denial-of-service (DDoS) attacks against targeted IP addresses. Flodrix also supports connections over the TOR anonymity network. The Flodrix botnet is considered an evolution of the LeetHozer botnet, linked to the Moobot group. This improved variant incorporates stealth techniques, including the ability to discreetly remove itself, minimize forensic traces, and obfuscate command-and-control (C2) server addresses, making analysis more challenging. Further enhancements include new, encrypted DDoS attack types. Organizations using Langflow are urged to immediately patch their systems to version 1.3.0 or later, which addresses CVE-2025-3248. Furthermore, implementing robust network monitoring is crucial to detect and mitigate any botnet activity resulting from this vulnerability. Recommended read:
References :
@techcrunch.com
//
Pro-Israel hacktivist group Predatory Sparrow has claimed responsibility for a cyberattack against Bank Sepah, a major Iranian financial institution. The group, known for its past credible claims regarding high-profile hacks in Iran, announced the alleged breach on X, stating they "destroyed the data" of the bank. Predatory Sparrow accused Bank Sepah of circumventing international sanctions and funding the Iranian regime's "terrorist proxies, its ballistic missile program and its military nuclear program" using Iranian citizens' money. Independent verification of the claim is currently pending.
This alleged cyberattack comes amidst escalating tensions between Israel and Iran, with recent reports of military strikes between the two nations. According to Iran International, there are reports of widespread banking disruptions across Iran, including several Bank Sepah branches being closed and customers unable to access their accounts. Ariel Oseran, a correspondent for i24NEWS, shared images of ATMs in Iran displaying error messages. TechCrunch reached out to Bank Sepah for comment but did not receive an immediate response. The identity of those behind Predatory Sparrow remains unclear. The group has targeted Iranian organizations for years. The potential breach raises serious concerns about the vulnerability of Iranian financial infrastructure and the intensification of cyber warfare between pro-Israel and pro-Iran groups. Such attacks could significantly disrupt financial services and compromise the sensitive data of Iranian individuals and businesses. Recommended read:
References :
@www.healthcareitnews.com
//
References:
www.comparitech.com
, www.healthcareitnews.com
The healthcare sector has been rocked by a recent ransomware attack on Episource, a medical coding, risk adjustment services, and software company. The breach, which occurred in February 2025, resulted in the compromise of sensitive patient health information. According to reports, unauthorized access to Episource's computer systems allowed cybercriminals to view and copy data belonging to the company's healthcare provider and health plan customers. The exposed information includes personal contact information, health insurance plan data, medical diagnoses, test results, and images, raising serious concerns about patient privacy and security.
Sharp Community Medical Group and Sharp Healthcare, Episource clients, have confirmed that patient data was compromised in the attack. While the incident did not involve unauthorized access to electronic health records or patient portals, the exposed data includes health insurance information and health data, such as medical record numbers, doctors, diagnoses, medications, test results, images, care, and treatments. Episource began notifying affected customers about which individuals and specific data may have been involved starting on April 23, 2025. Sharp Healthcare has also started sending out patient breach notifications. This incident highlights the increasing vulnerability of healthcare organizations to ransomware attacks. Microsoft reports that 389 healthcare companies have been hit by ransomware this year alone, resulting in network shutdowns, offline systems, rescheduled appointments, and delays in critical procedures. The financial impact is significant, with healthcare organizations losing up to $900,000 per day on downtime. Experts emphasize the importance of strengthening cybersecurity measures, including employee training and awareness programs, to protect sensitive patient data and mitigate the risk of future attacks. Episource is working to strengthen its computer systems and has notified law enforcement. Recommended read:
References :
@cyberscoop.com
//
Scattered Spider, a cybercrime collective known for targeting U.K. and U.S. retailers, has shifted its focus to the U.S. insurance industry, according to warnings issued by Google Threat Intelligence Group (GTIG). The group, tracked as UNC3944, is known for utilizing sophisticated social engineering tactics to breach organizations, often impersonating employees, deceiving IT support teams, and bypassing multi-factor authentication (MFA). Google is urging insurance companies to be on high alert for social engineering schemes targeting help desks and call centers, emphasizing that multiple intrusions bearing the hallmarks of Scattered Spider activity have already been detected in the U.S.
GTIG's warning comes amidst a recent surge in Scattered Spider activity, with multiple U.S.-based insurance companies reportedly impacted over the past week and a half. The threat group has a history of targeting specific industries in clusters, with previous attacks impacting MGM Resorts and other casino companies. Security specialists emphasize that Scattered Spider often targets large enterprises with extensive help desks and outsourced IT functions, making them particularly susceptible to social engineering attacks. The group is also suspected of having ties to Western countries. The shift in focus towards the insurance sector follows Scattered Spider's previous campaigns targeting retailers, including a wave of ransomware and extortion attacks on retailers and grocery stores in the U.K. in April. To mitigate against Scattered Spider's tactics, security experts recommend enhancing authentication, enforcing rigorous identity controls, implementing access restrictions, and providing comprehensive training to help desk personnel to effectively identify employees before resetting accounts. One insurance company, Erie Insurance, has already reported a cyberattack earlier this month, although the perpetrators have not yet been identified. Recommended read:
References :
@www.trendmicro.com
//
Trend Micro has identified a new threat actor known as Water Curse, which is actively exploiting GitHub repositories to distribute multistage malware. This campaign poses a significant supply chain risk, especially to cybersecurity professionals, game developers, and DevOps teams who rely on open-source tooling. Researchers have already identified at least 76 GitHub accounts that are related to this campaign, highlighting the scale of the operation. The attackers embed malicious payloads within build scripts and project files, effectively weaponizing trusted open-source resources.
The Water Curse campaign utilizes a sophisticated infection chain. Project files contain malicious batch file code within the `` tag, which is triggered during the code compilation process. This malicious batch file code leads to the execution of a VBS file. Upon execution, obfuscated scripts written in Visual Basic Script (VBS) and PowerShell initiate complex multistage infection chains. These scripts download encrypted archives, extract Electron-based applications, and perform extensive system reconnaissance. The malware is designed to exfiltrate data, including credentials, browser data, and session tokens, and establishes remote access and long-term persistence on infected systems. To defend against these attacks, organizations are advised to audit open-source tools used by red teams, DevOps, and developer environments, especially those sourced from GitHub. It's crucial to validate build files, scripts, and repository histories before use. Security teams should also monitor for unusual process executions originating from MSBuild.exe. Trend Micro's Vision One™ detects and blocks the indicators of compromise (IOCs) associated with this campaign, providing an additional layer of defense. Recommended read:
References :
Rescana@Rescana
//
A new and dangerous version of the Anubis ransomware has emerged, now equipped with a data wiping module that significantly increases the stakes for victims. The Anubis Ransomware-as-a-Service (RaaS) has been active since December 2024 and now presents a dual-threat by not only encrypting files, but also permanently deleting them. This means that even if victims pay the ransom, data recovery is impossible because of the '/WIPEMODE' parameter which renders file contents to 0 KB, despite preserving the file names and extensions.
The ransomware is being deployed via phishing emails with malicious attachments or deceptive links which bypass endpoint defenses. Once inside a network, it uses lateral movement techniques, such as privilege escalation, to gain deeper access. The primary targets are organizations within the healthcare, hospitality, and construction sectors, impacting entities across Australia, Canada, Peru, and the United States. This dual-threat capability represents an evolution from traditional ransomware, exerting even more pressure on victims to comply with ransom demands. Cybersecurity experts are urging organizations to implement robust backup and recovery procedures to mitigate the impact of Anubis attacks. Trend Micro researchers and others describe Anubis as a "rare dual-threat" that encrypts and permanently erases files. Anubis also operates a flexible affiliate program with negotiable revenue splits, offering additional monetization paths like data extortion and access sales. The discovery of this destructive behavior highlights the increasing sophistication of ransomware operations and the importance of proactive cybersecurity measures. Recommended read:
References :
@www.healthcareitnews.com
//
References:
cyble.com
, cybersecurityventures.com
,
Ransomware groups are continually evolving their tactics, posing an increasing threat to organizations worldwide. Recent reports highlight the exploitation of vulnerabilities in software and the use of sophisticated techniques, such as abusing legitimate employee monitoring software, to breach systems. A Symantec report revealed the discovery of Fog Ransomware, showcasing the attackers' innovative use of tools, including a legitimate security solution (Syteca) capable of recording on-screen activity and monitoring keystrokes, which they deployed using PsExec and SMBExec.
The Cybersecurity and Infrastructure Security Agency (CISA) issued Advisory AA25‑163A, warning of ransomware actors exploiting CVE-2024-57727 in unpatched SimpleHelp Remote Monitoring and Management (RMM) software, specifically versions 5.5.7 and earlier. This vulnerability allowed attackers to compromise a utility billing software provider and initiate double-extortion attacks. The attacks targeting unpatched SimpleHelp deployments have been observed since January 2025, indicating a sustained and targeted effort to exploit this vulnerability. In addition to software vulnerabilities, data breaches are also occurring through direct hacks. Zoomcar, an Indian car-sharing company, recently acknowledged a data breach affecting 8.4 million users, where hackers accessed customer names, phone numbers, car registration numbers, personal addresses, and emails. While sensitive information like passwords and financial details were reportedly not exposed, the breach raises concerns about the security of personal data stored by such platforms. Furthermore, the DragonForce group has started posting new victims to their darknet site, publicly extorting two new organizations, highlighting the continued use of double extortion tactics by ransomware groups. Recommended read:
References :
@blog.redteam-pentesting.de
//
A new Kerberos relay attack, identified as CVE-2025-33073, has been discovered that bypasses NTLM protections and allows attackers to escalate privileges to NT AUTHORITY\SYSTEM. This reflective Kerberos relay attack involves coercing a host to authenticate, intercepting the Kerberos ticket, and relaying it back to the same host, effectively exploiting misconfigurations and the lack of enforced SMB signing. RedTeam Pentesting discovered the vulnerability in January 2025 and disclosed it to Microsoft in an extensive whitepaper.
Microsoft addressed this vulnerability as part of the June 2025 Patch Tuesday. Technical analyses of CVE-2025-33073 have been published by RedTeam Pentesting and Synacktiv. The vulnerability is rooted in how the SMB client negotiates Kerberos authentication. When the SMB client has negotiated Kerberos instead of NTLM, a session key is inserted into a global list, KerbSKeyList, without proper checks, allowing attackers to reuse a subkey under specific conditions to forge a privileged token. The attack begins with authentication coercion via SMB, tricking a victim machine into connecting to a malicious SMB server. The server forces the client into Kerberos authentication, generates a subkey, logs it into KerbSKeyList with privileged token data, and forges a valid AP-REQ ticket using the subkey. The SMB client accepts and validates the forged ticket, leading to the generation of a SYSTEM token and granting administrative privileges. A proof-of-concept exploit has been made available to demonstrate the vulnerability's potential. Recommended read:
References :
info@thehackernews.com (The@The Hacker News
//
A sophisticated cybercriminal network known as VexTrio has been exploiting WordPress sites to run a global scam network. Cybersecurity researchers have uncovered a large-scale campaign involving malicious JavaScript injections into legitimate websites. These injections redirect visitors to various scam pages through traffic broker networks associated with VexTrio, a major cybercriminal affiliate network. The network uses sophisticated DNS techniques, traffic distribution systems (TDS), and domain generation algorithms to deliver malware and scams across global networks, impacting thousands of websites globally.
VexTrio operates through a network of malicious adtech companies, including Los Pollos, Taco Loco, and Adtrafico, which function as commercial affiliate networks. These networks connect malware distributors with "advertising affiliates" who promote illicit schemes such as gift card fraud, malicious apps, phishing sites, and scams. The compromised WordPress sites are injected with malicious code, initiating a redirection chain to VexTrio's scam infrastructure. Examples of such malicious injections include Balada, DollyWay, Sign1, and DNS TXT record campaigns. The campaign has seen significant activity, with over 269,000 websites infected with JSFireTruck JavaScript malware in a single month. This obfuscation technique uses only six ASCII characters to produce working code, making it difficult to analyze without specialized tools. The injected code checks for search engine referrers and redirects users to malicious URLs delivering malware, exploits, and malvertising. While efforts to disrupt the network, such as the exposure of Los Pollos' involvement, have caused temporary disruptions and shifts in tactics, the VexTrio network continues to pose a substantial threat. Recommended read:
References :
@www.helpnetsecurity.com
//
The National Institute of Standards and Technology (NIST) has released a new guide, SP 1800-35, titled "Implementing a Zero Trust Architecture," aimed at providing practical assistance in building zero trust architectures (ZTA). This guidance includes 19 example setups that utilize commercially available, off-the-shelf tools. The initiative is a result of work conducted by NIST’s National Cybersecurity Center of Excellence (NCCoE).
Over the course of four years, NIST collaborated with 24 industry partners, including major tech companies, to build, install, test, and document the 19 ZTA models. These models illustrate various real-world scenarios such as hybrid cloud setups, branch offices, and even public Wi-Fi use in coffee shops. Each model provides technical details on deployment, sample configurations, integration steps, test results, and best practices derived from real-world experiences. The guide also maps these setups onto NIST's broader cybersecurity framework (CSF), SP 800-53 controls, and critical software measures. The rise in popularity of zero trust architectures comes as traditional on-prem security perimeters weaken due to the increasing adoption of cloud services, mobile devices, remote employees, and IoT devices. The new NIST guidance builds on its earlier zero trust framework, SP 800-207, by providing more hands-on implementation advice. According to Brian Soby, CTO at AppOmni, one of the main challenges in real-world zero trust implementations is the existence of multiple policy decision and policy enforcement points, which are often left out of many zero trust plans, potentially leaving doors open for attackers. This new guidance recognizes the reality of multiple PDP/PEPs and operationalizes the concept of Policy Information Points, enhancing decision-making within the architecture by adapting to changing context and user behaviors. Recommended read:
References :
@www.euractiv.com
//
References:
bsky.app
, databreaches.net
,
Sweden is currently facing a significant surge in cyberattacks, prompting Prime Minister Ulf Kristersson to sound the alarm. The attacks, primarily Distributed Denial-of-Service (DDoS) events, have targeted critical infrastructure, including SVT, Sweden's public television broadcaster, government websites, and key organizations. These disruptions have raised serious concerns about the resilience and security of Sweden's digital systems. The Prime Minister addressed the situation, acknowledging the severity and widespread nature of the cyber assaults impacting essential services.
The cyber offensive follows Sweden's recent entry into NATO in 2024, leading many to suspect potential involvement from Russia. While Prime Minister Kristersson refrained from explicitly naming the perpetrators, he alluded to previous reports from the Swedish Security Service identifying Russia, China, and Iran as frequent actors behind similar cyber operations. The focus of these attacks appears to be on disruption and undermining trust in institutions rather than data theft or ransomware, highlighting a strategy aimed at demonstrating cyber warfare capabilities. Authorities are actively investigating the attacks and working to enhance the nation's cybersecurity defenses. The disruptions serve as a stark reminder of the evolving landscape of modern warfare, where cyberattacks can be leveraged to destabilize countries and critical infrastructure. The situation underscores the importance of international cooperation and vigilance in addressing cyber threats. Recommended read:
References :
@cyberpress.org
//
GitLab Patches Critical Vulnerabilities, Account Takeover Possible - GitLab released security updates for vulnerabilities in GitLab CE and EE, including CVE-2025-5121, which allows injecting malicious CI/CD jobs.
ImgSrc: blogger.googleu
GitLab has issued critical security updates on June 11, 2025, to address multiple vulnerabilities in both the Community Edition (CE) and Enterprise Edition (EE) of its platform. These patches are crucial for self-managed GitLab installations, with experts urging immediate upgrades to prevent potential exploits. The updates tackle high-severity vulnerabilities that could allow attackers to achieve complete account takeover and compromise enterprise development environments, emphasizing the importance of proactive security measures in DevSecOps environments.
One of the most concerning vulnerabilities, CVE-2025-5121, affects GitLab Ultimate EE customers and carries a CVSS score of 8.5. This missing authorization issue allows attackers with authenticated access to a GitLab instance with a GitLab Ultimate license to inject malicious CI/CD jobs into all future pipelines of any project. This can lead to backdoors being added, validation steps being skipped, and secrets used during the build process being exposed, significantly compromising the software development lifecycle. Other notable vulnerabilities addressed in this patch release include CVE-2025-4278, an HTML injection vulnerability with a CVSS score of 8.7 that could lead to account takeover, and CVE-2025-2254, a cross-site scripting (XSS) vulnerability, also with a CVSS score of 8.7, allowing attackers to act in the context of legitimate users. GitLab has released versions 18.0.2, 17.11.4, and 17.10.8 for both CE and EE to address these issues, and it's strongly recommended that all affected installations be updated as soon as possible. Recommended read:
References :
@research.checkpoint.com
//
A critical vulnerability in Discord's invitation system has been identified, enabling malicious actors to hijack expired or deleted invite links and redirect unsuspecting users to harmful servers. Check Point Research (CPR) uncovered this flaw, revealing that attackers are exploiting a Discord feature that allows the reuse of expired or deleted invite links. By registering vanity links, attackers can silently redirect users from trusted sources, such as community forums and social media posts, to malicious servers designed to deliver malware.
CPR's research details real-world attacks leveraging hijacked links to deploy sophisticated phishing schemes and malware campaigns. These campaigns often involve multi-stage infections that evade detection by antivirus tools and sandbox checks. The attack tricks users with a fake verification bot and phishing site that look like legitimate Discord servers, leading victims to unknowingly run harmful commands that download malware on their computer. The malware spreads quietly in multiple steps using popular, trusted services like GitHub and Pastebin to hide its activity and avoid detection. The attackers are primarily targeting cryptocurrency users, with the goal of stealing credentials and wallet information for financial gain. Over 1,300 downloads have been tracked across multiple countries, including the U.S., Vietnam, France, Germany, and the UK, demonstrating the global scale of the campaign. The delivered malware includes remote access trojans (RATs) like AsyncRAT and information-stealing malware like Skuld Stealer, posing a significant threat to users' security and privacy. Recommended read:
References :
Michael Kan@PCMag Middle East ai
//
A new cyber threat has emerged, targeting users eager to experiment with the DeepSeek AI model. Cybercriminals are exploiting the popularity of open-source AI by disguising malware as a legitimate installer for DeepSeek-R1. Unsuspecting victims are unknowingly downloading "BrowserVenom" malware, a malicious program designed to steal stored credentials, session cookies, and gain access to cryptocurrency wallets. This sophisticated attack highlights the growing trend of cybercriminals leveraging interest in AI to distribute malware.
This attack vector involves malicious Google ads that redirect users to a fake DeepSeek domain when they search for "deepseek r1." The fraudulent website, designed to mimic the official DeepSeek page, prompts users to download a file named "AI_Launcher_1.21.exe." Once executed, the installer displays a fake installation screen while silently installing BrowserVenom in the background. Security experts at Kaspersky have traced the threat and identified that the malware reconfigures browsers to route traffic through a proxy server controlled by the hackers, enabling them to intercept sensitive data. Kaspersky's investigation revealed that the BrowserVenom malware can evade many antivirus programs and has already infected computers in various countries, including Brazil, Cuba, Mexico, India, Nepal, South Africa, and Egypt. The analysis of the phishing and distribution websites revealed Russian-language comments within the source code, suggesting the involvement of Russian-speaking threat actors. This incident serves as a reminder to verify the legitimacy of websites and software before downloading, especially when dealing with open-source AI tools that require multiple installation steps. Recommended read:
References :
|
