The Sandworm group, a Russian military cyber-espionage unit, is actively targeting Windows users in Ukraine. They are distributing trojanized versions of Microsoft Key Management Service (KMS) activators and fake Windows updates to compromise systems. This campaign highlights the ongoing cyber warfare efforts by Russian actors and the potential risks associated with using unofficial activation tools.
A subgroup of the Russian state-sponsored hacking group APT44, also known as Seashell Blizzard and Sandworm, has been targeting critical organizations and governments in a multi-year campaign dubbed BadPilot. The group conducts globally diverse compromises of Internet-facing infrastructure to enable Seashell Blizzard to persist on high-value targets and support tailored network operations, gaining initial access to dozens of strategically important organizations across the U.S. and Europe.
This cluster centers around the UK government’s order mandating Apple to create a backdoor for accessing end-to-end encrypted data in iCloud. The order raises significant concerns about user privacy and security, as well as potential implications for global digital privacy norms. Apple is being legally pressured to compromise user data, which would seriously damage privacy and security.
Ivanti has released security updates for Ivanti Connect Secure (ICS), Ivanti Policy Secure (IPS), and Ivanti Secure Access Client (ISAC) to address multiple vulnerabilities, including three critical severity problems that could allow remote code execution. These flaws include external control of a file name and other issues, necessitating immediate patching to prevent potential exploitation.
A high-severity authentication bypass vulnerability, CVE-2024-53704, affects SonicWall firewalls running specific versions of SonicOS, allowing attackers to hijack active SSL VPN sessions. Bishop Fox researchers discovered nearly 4,500 internet-exposed SonicWall firewalls at risk. The vulnerability affects SonicOS versions 7.1.x, 7.1.2-7019, and 8.0.0-8035, used in various Gen firewalls.
International law enforcement agencies have seized the dark web leak site of the 8Base ransomware gang. The takedown is a significant success in disrupting ransomware operations and potentially preventing future attacks. This event is important because it demonstrates direct, internationally coordinated action against cybercrime, and against ransomware in particular.
The Sarcoma ransomware group has claimed responsibility for a breach at Unimicron, a Taiwanese printed circuit board (PCB) manufacturer. The attackers claim to have stolen 377 GB of data, including SQL files, and are threatening to release it if a ransom is not paid. The company confirmed a ransomware intrusion at its China-based subsidiary but has not yet confirmed the data breach.
The North Korea-linked APT group Kimsuky, also known as Emerald Sleet, is using a new tactic to compromise its traditional espionage targets. The group tricks targets into running PowerShell as an administrator and executing malicious code. They build rapport with targets before sending a spear-phishing email with an attached PDF. A registration link in the PDF carries instructions to open PowerShell as an administrator and paste code provided by Emerald Sleet. If the target runs the code as an administrator, it downloads and installs a browser-based remote desktop tool, which allows the threat actor to access the device and carry out data exfiltration.
JumpCloud has enhanced its SaaS management platform to better detect and block unauthorized SaaS application usage via the cloud. The update focuses on improved visibility into unsanctioned software, and tighter integration with its Resmo acquisition to bolster its single sign-on (SSO) directory. This proactive security enhancement helps organizations gain greater control over SaaS applications used within their networks and reduces the risk of malicious actors gaining unauthorized access to sensitive data or systems.
CISA and the FBI issued a joint alert emphasizing the elimination of buffer overflow vulnerabilities through secure software development practices. They highlighted the prevalence of these vulnerabilities and the need for proactive measures to prevent exploitation, including using memory-safe languages and methods.
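The alert above is about a class of defect rather than any one product, so the following is an added example (not code from CISA, the FBI, or any vendor) showing the "before" and "after" of the most common buffer overflow pattern in C: an unbounded copy into a fixed-size field beside a security-relevant value. The struct, field sizes, and the oversized input are constructed for illustration; the hardened function rejects input that would not fit, including the terminator, so the adjacent flag cannot be overwritten.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed fixed-size record, laid out the way much legacy C code is. */
#define NAME_LEN 16

struct user_record {
    char name[NAME_LEN];
    int  is_admin;          /* sits directly after the name buffer in memory */
};

/* "Before": the unchecked pattern the alert warns about. strcpy() has no
 * notion of the destination size, so a name longer than NAME_LEN - 1 runs
 * past the buffer and into is_admin. Shown only as the vulnerable form;
 * calling it with oversized input is undefined behaviour, so the demo
 * below never does. */
static void set_name_unchecked(struct user_record *r, const char *name) {
    strcpy(r->name, name);
}

/* "After": bounded copy that refuses anything that does not fit. memchr()
 * looks for the terminator only within the first NAME_LEN bytes, so an
 * unterminated or overlong input is rejected before any write happens.
 * Returns false on rejection so the caller can log and handle it. */
static bool set_name_checked(struct user_record *r, const char *name) {
    const char *end = memchr(name, '\0', NAME_LEN);
    if (end == NULL) {
        return false;        /* no terminator within NAME_LEN bytes: too long */
    }
    size_t n = (size_t)(end - name);
    memcpy(r->name, name, n + 1);   /* n + 1 <= NAME_LEN, so this is in bounds */
    return true;
}

/* Demo: a 20-byte constructed name is rejected and the flag next to the
 * buffer stays untouched. Returns true when the hardened path behaves. */
static bool demo_overlong_name_rejected(void) {
    struct user_record r = { "", 0 };
    const char *too_long = "AAAAAAAAAAAAAAAAAAAA";   /* 20 'A's, constructed */
    bool accepted = set_name_checked(&r, too_long);
    return !accepted && r.is_admin == 0 && r.name[0] == '\0';
}

/* Demo: a name that fits is copied intact, terminator included. */
static bool demo_short_name_accepted(void) {
    struct user_record r = { "", 0 };
    bool accepted = set_name_checked(&r, "alice");
    return accepted && strcmp(r.name, "alice") == 0 && r.is_admin == 0;
}

int main(void) {
    struct user_record legacy = { "", 0 };
    set_name_unchecked(&legacy, "bob");   /* fits, so safe here */
    printf("legacy copy: %s\n", legacy.name);
    printf("short name accepted: %d\n", demo_short_name_accepted());
    printf("overlong name rejected, flag intact: %d\n", demo_overlong_name_rejected());
    return 0;
}
```

The point of the bounded version is not the particular library call but that the length check happens before the write and that the function has a failure return the caller must handle; a `strncpy` that silently truncates and may leave the field unterminated would fix the overflow but introduce a different defect.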
The Kimsuky hacking group is using a custom-built RDP Wrapper and proxy tools to gain access to infected machines. This allows them to bypass security measures and maintain persistent access.
The China-backed Salt Typhoon group is actively breaching telecommunications providers despite US sanctions. Recorded Future reports that Salt Typhoon breached five firms between December and January, including a US affiliate of a prominent UK provider and a US-based ISP. The group exploits vulnerabilities in Cisco devices for initial access and subsequent network compromise.
The XE Group, a cybercrime group initially focused on credit card skimming, has shifted its tactics to exploit zero-day vulnerabilities for persistent access. They target software products like VeraCore, deploying reverse shells and web shells. Their recent activity involves exploiting a VeraCore zero-day to maintain remote access to compromised systems, moving from skimming to long-term infiltration of manufacturing and distribution networks.
Microsoft released its February 2025 security update, addressing 63 vulnerabilities. Two of the vulnerabilities were actively exploited in the wild.
A critical vulnerability (CVE-2024-0132 and CVE-2025-23359) in the NVIDIA Container Toolkit allows for full host compromise. The vulnerability enables attackers to break out of a container’s isolation protections and gain complete access to the underlying host. Researchers found a new exploit that bypasses the patch for the earlier NVIDIA Container Toolkit vulnerability. It is recommended to update to NVIDIA Container Toolkit 1.17.4 immediately and restrict access to privileged runtime sockets.
Hewlett Packard Enterprise (HPE) experienced a data breach in May 2023, attributed to the Russian state-sponsored hacking group Midnight Blizzard (also known as Cozy Bear or APT29). The breach involved their Office 365 email environment and was confirmed in December 2023. The breach compromised employee data and was contained after its discovery.
Multiple high-severity vulnerabilities have been discovered in Progress Software’s LoadMaster software, potentially allowing attackers to execute arbitrary system commands. The vulnerabilities include improper input validation, leading to OS command injection. Successful exploitation requires an attacker to gain access to the management interface and authenticate.
The affected software is a high-performance load balancer and application delivery controller (ADC) designed to optimize availability, security, and performance of applications. Progress Software has released patches to address these vulnerabilities, and users are advised to apply the updates immediately to prevent potential exploitation.
A widespread campaign is targeting Microsoft Internet Information Services (IIS) servers to deploy the BadIIS malware, used for search engine optimization (SEO) fraud and malicious content injection. This campaign is attributed to the Chinese-speaking hacking group DragonRank and has affected over 35 IIS servers in Asia, Europe, and beyond, spanning industries such as government, technology, telecommunications, and e-commerce. The malware can manipulate SEO rankings and distribute malicious content.
A new “quishing” attack vector involves the use of counterfeit QR codes to deceive users into visiting fraudulent websites, downloading malware, or surrendering sensitive information. Scammers use fake QR codes to redirect people to fraudulent websites when the code is scanned, enabling them to download information and profiles from the target’s device.