@gbhackers.com
// 2h
References: gbhackers.com, Malwarebytes
Cybercriminals are increasingly employing sophisticated tactics to bypass traditional security measures and ensnare unsuspecting users in phishing scams. One notable trend is the use of benign-worded email subjects such as "request," "forward," and "report" to lower suspicion. Additionally, attackers are leveraging URL shorteners and QR codes to mask malicious links, making it harder for users and security systems to identify threats. These techniques allow cybercriminals to evade detection and increase the likelihood of successful attacks aimed at stealing personal and financial information.
Tax-themed phishing campaigns are surging as the United States approaches Tax Day on April 15th. Microsoft has observed threat actors exploiting tax-related anxieties through emails containing malicious attachments. These attachments frequently include QR codes that redirect users to fake login pages designed to steal credentials. In other instances, attackers embed DoubleClick URLs in PDF attachments that redirect users through shortened links to fake DocuSign pages, which serve either malicious JavaScript files leading to malware installation or benign decoy files, depending on filtering rules. The malware families deployed in these campaigns are becoming increasingly advanced. Latrodectus, for example, features dynamic command-and-control configurations and anti-analysis capabilities, allowing attackers to execute Windows commands remotely and establish persistence through scheduled tasks. BruteRatel C4 (BRc4), originally designed for red-teaming exercises, is being abused for post-exploitation activity, enabling attackers to bypass security defenses. According to Kendall McKay, strategic lead for cyber threat intelligence at Cisco's Talos division, phishing scams are constantly evolving to maintain their effectiveness.
@parquet.apache.org
// 20h
A critical remote code execution (RCE) vulnerability, identified as CVE-2025-30065, has been discovered in Apache Parquet's Java Library. This flaw carries a maximum severity rating and could allow a remote attacker to execute arbitrary code on susceptible systems. Apache Parquet is a widely used open-source columnar data file format designed for efficient data processing and retrieval, commonly employed in big data processing frameworks like Hadoop and Spark. Given the popularity of Apache Parquet and the severity of the vulnerability, immediate action is crucial to mitigate the risk.
This critical flaw stems from the deserialization of untrusted data within the parquet-avro module of the Java library. An attacker can exploit this vulnerability by tricking a vulnerable system into processing a specially crafted Parquet file. Upon processing the malicious file, the deserialization of untrusted data allows the attacker to execute arbitrary code, potentially gaining full control over the affected system. Consequences of successful exploitation could include data exfiltration or modification, service disruption, and the deployment of malicious payloads such as ransomware. The vulnerability impacts all versions of Apache Parquet up to and including 1.15.0. Systems and applications that utilize data pipelines and analytics frameworks, particularly those that import Parquet files from external or untrusted sources, are at heightened risk. The flaw was fixed in Apache Parquet 1.15.1. Users are strongly advised to update their Apache Parquet installations to the latest version as soon as possible to address this critical security vulnerability and prevent potential exploitation.
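The practical first step for a team that consumes Parquet data is finding out whether any build pulls in an affected version. The script below is an added example, not part of the advisory or of the Apache project: it walks the dependencies of a Maven pom.xml, resolves `${property}` version references, and flags any org.apache.parquet artifact below 1.15.1, using only the affected range stated above. The pom fragment is constructed for the demonstration; parquet-hadoop and avro are real artifacts used as neutral filler.

```python
"""Flag Apache Parquet Java artifacts at versions affected by CVE-2025-30065.

Added example, not from the advisory or the Apache project. It assumes only
what the write-up states: releases up to and including 1.15.0 are affected,
1.15.1 carries the fix.
"""
import re
import xml.etree.ElementTree as ET

FIXED_VERSION = (1, 15, 1)
MAVEN_NS = "{http://maven.apache.org/POM/4.0.0}"


def parse_version(version: str) -> tuple:
    """Turn '1.15.0' (or '1.15.0-SNAPSHOT') into a comparable numeric tuple."""
    numeric = re.match(r"\d+(?:\.\d+)*", version)
    if not numeric:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = [int(p) for p in numeric.group(0).split(".")]
    # Pad so that '1.15' compares like (1, 15, 0).
    return tuple(parts + [0] * (3 - len(parts)))


def is_vulnerable(version: str) -> bool:
    """True when the artifact version predates the 1.15.1 fix."""
    return parse_version(version) < FIXED_VERSION


def find_vulnerable_parquet(pom_xml: str) -> list:
    """Return (artifactId, version) for org.apache.parquet dependencies below the fix.

    Literal <version> values are inspected directly; ${property} references are
    resolved against <properties>. Unresolvable versions are skipped, not judged.
    """
    root = ET.fromstring(pom_xml)
    props = {
        child.tag.replace(MAVEN_NS, ""): (child.text or "").strip()
        for child in root.iterfind(f"{MAVEN_NS}properties/*")
    }
    findings = []
    for dep in root.iter(f"{MAVEN_NS}dependency"):
        group = dep.findtext(f"{MAVEN_NS}groupId", "")
        artifact = dep.findtext(f"{MAVEN_NS}artifactId", "")
        version = dep.findtext(f"{MAVEN_NS}version", "").strip()
        if group != "org.apache.parquet" or not version:
            continue
        ref = re.fullmatch(r"\$\{([^}]+)\}", version)
        if ref:
            version = props.get(ref.group(1), "")
            if not version:
                continue  # property defined elsewhere (parent pom, CLI): cannot judge here
        if is_vulnerable(version):
            findings.append((artifact, version))
    return findings


# Constructed pom fragment for the demonstration; versions are illustrative.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <parquet.version>1.15.0</parquet.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.parquet</groupId>
      <artifactId>parquet-avro</artifactId>
      <version>${parquet.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.parquet</groupId>
      <artifactId>parquet-hadoop</artifactId>
      <version>1.15.1</version>
    </dependency>
    <dependency>
      <groupId>org.apache.avro</groupId>
      <artifactId>avro</artifactId>
      <version>1.11.3</version>
    </dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for artifact, version in find_vulnerable_parquet(SAMPLE_POM):
        print(f"{artifact} {version}: affected by CVE-2025-30065, upgrade to 1.15.1")
```

A version inherited from a parent pom or dependency management section is not visible in a single file, so a pipeline check should run against the resolved dependency tree (for example the output of a dependency-listing build step) rather than trusting one pom.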
Bill Toulas@BleepingComputer
// 1d
The State Bar of Texas has confirmed a data breach following a ransomware attack claimed by the INC ransomware gang. The breach, which occurred between January 28 and February 9, 2025, involved unauthorized access to the organization's network, leading to the exfiltration of sensitive information. The incident was discovered on February 12, 2025, prompting immediate action to secure the network and initiate an investigation with the assistance of third-party forensic specialists. The organization is the second-largest bar association in the United States, with over 100,000 licensed attorneys, regulating the legal profession in Texas by overseeing licensing, continuing legal education, ethical compliance, and disciplinary actions.
Approximately 2,700 individuals were affected by the breach. The compromised data includes full names, Social Security numbers, financial account details such as credit and debit card numbers, driver's licenses, and medical and health insurance details. The exposure of such a wide array of sensitive information poses significant risks of identity theft and financial fraud. The State Bar of Texas has emphasized that there is no current evidence of misuse or fraudulent activity involving the compromised data but is urging affected parties to remain vigilant and monitor their financial accounts and credit reports for suspicious activity over the next 12 to 24 months. In response to the data breach, the State Bar of Texas has implemented additional security measures to prevent future incidents and is reviewing its data privacy policies. Affected individuals are being notified directly and offered complimentary credit monitoring services through Experian for a specified period, including credit monitoring, identity restoration support, and identity theft insurance coverage of up to $1 million. Recipients were advised to consider activating a credit freeze or placing a fraud alert on their credit files to mitigate potential risks from the data exposure. The incident serves as a wake-up call for legal cybersecurity, highlighting the vulnerabilities inherent in even the most established institutions and emphasizing the need for robust data protection measures.
Bill Toulas@BleepingComputer
// 1d
The PoisonSeed campaign is a sophisticated phishing operation targeting CRM and bulk email providers like Mailchimp, SendGrid, HubSpot, Mailgun, and Zoho. It aims to compromise enterprise organizations and individuals through cryptocurrency-related scams. Threat actors behind this campaign leverage compromised credentials to steal email lists and send bulk phishing emails, ultimately targeting cryptocurrency wallets using a novel seed phrase poisoning technique. The campaign employs advanced phishing techniques to steal credentials, exfiltrate email lists, and execute cryptocurrency scams.
PoisonSeed's operation involves setting up phishing pages that closely mimic the login portals of prominent CRM and bulk email platforms. These fake login pages are used to steal credentials from targeted users. Once access is gained, the attackers automate the export of email lists and maintain persistence by creating new API keys, which survive even if passwords are reset. The compromised accounts are then used to send phishing emails at scale, often employing urgent lures such as notifications about "restricted sending privileges" or fake wallet migration notices. The core of PoisonSeed's strategy lies in its seed phrase poisoning attack. Victims are tricked into entering attacker-provided seed phrases while setting up new cryptocurrency wallets, allowing the attackers to monitor and eventually take control of these wallets once funds are deposited. This method represents a shift from traditional phishing tactics, as it delays the theft until victims unknowingly use the compromised seed phrases. While PoisonSeed shares certain infrastructural similarities with CryptoChameleon, a threat group known for targeting high-net-worth cryptocurrency holders, PoisonSeed's tactics, such as targeting CRM platforms and delaying cash-out efforts, differ significantly from CryptoChameleon's rapid exploitation methods.
@cyberalerts.io
// 1d
The Port of Seattle, responsible for overseeing the Seattle-Tacoma International Airport, is currently notifying approximately 90,000 individuals about a significant data breach. This breach stems from a ransomware attack that occurred in August 2024, where personal information was stolen. The attack disrupted operations at the airport, affecting critical systems such as baggage handling, check-in kiosks, and passenger information displays. The Port of Seattle took immediate action by isolating critical systems to prevent further compromise.
The ransomware attack was attributed to the Rhysida ransomware group, which demanded a ransom of 100 bitcoin, equivalent to about $6 million. The Port refused to pay the ransom, deeming it an imprudent use of taxpayer money. The compromised data included names, dates of birth, and Social Security numbers of around 90,000 individuals, roughly 71,000 of them Washington state residents.
Sergiu Gatlan@BleepingComputer
// 1d
The Ransomware-as-a-Service (RaaS) group Hunters International has reportedly shifted its focus from ransomware to data extortion, rebranding itself as "World Leaks" on January 1, 2025. This change in tactics signals a new era in cybercrime, driven by the declining profitability of ransomware and increased scrutiny from law enforcement and governments worldwide. Group-IB researchers revealed that the group's senior personnel decided ransomware was becoming too "unpromising, low-converting, and extremely risky," leading to the development of an extortion-only operation.
The group is reportedly leveraging custom-built exfiltration tools to automate data theft from victim networks, enhancing its ability to carry out extortion-only attacks. Cybersecurity researchers have also linked Hunters International to the infamous Hive ransomware group: while Hunters International denies being a direct continuation of Hive, evidence suggests that it acquired Hive's source code and operational tools. The group targets various industries, including healthcare, real estate, and professional services, across North America, Europe, and Asia.
Swagath Bandhakavi@Tech Monitor
// 1d
A coordinated cyberattack has struck major Australian superannuation funds, compromising thousands of member accounts. Using credential stuffing techniques, hackers targeted accounts across multiple large funds, including AustralianSuper, Rest, and Australian Retirement Trust. The attacks have resulted in unauthorized access and, in some cases, the theft of funds from members' accounts, raising concerns about the security of Australia's A$4.2 trillion retirement savings sector.
The Association of Superannuation Funds of Australia (ASFA) acknowledged that several funds were impacted by the attacks. AustralianSuper reported that up to 600 member passwords were stolen to access accounts and attempt fraud, while Rest Super confirmed that around 20,000 accounts were affected. National Cyber Security Coordinator Michelle McGuinness stated that the government, regulators, and industry are coordinating a response. Affected funds are contacting impacted members and implementing enhanced security measures to prevent further breaches.
gallagherseanm@Sophos News
// 2d
A recent cyberattack has exploited vulnerabilities in Managed Service Providers (MSPs) through a sophisticated phishing campaign, leading to the deployment of Qilin ransomware across multiple customer environments. The attackers, identified as affiliates of the STAC4365 threat cluster, targeted MSPs by mimicking the login page of ScreenConnect, a widely used Remote Monitoring and Management (RMM) tool. The attackers used spear-phishing emails directed at MSP administrators, disguising them as authentication alerts from ScreenConnect.
These emails directed recipients to counterfeit domains closely resembling the legitimate ScreenConnect login page, for example cloud.screenconnect[.]com.ms. Using an adversary-in-the-middle (AITM) attack framework, the attackers intercepted credentials and the time-based one-time passwords (TOTP) required for multi-factor authentication (MFA). With these credentials, the attackers gained super administrator access to the legitimate ScreenConnect portal, enabling them to deploy malicious ScreenConnect instances across customer environments and ultimately launch Qilin ransomware. The attack highlights the risks for MSPs and their customer base.
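A lookalike host such as cloud.screenconnect[.]com.ms works because the brand name sits in a subdomain label while the registrable domain belongs to someone else. The script below is an added example, not part of the Sophos write-up: it reduces each link in a message to its registrable domain, compares that with the brand's real domain, and reports links that merely contain the brand name (including common digit-for-letter swaps) as lookalikes. The small suffix set stands in for the Public Suffix List, and the e-mail text is constructed for the demonstration.

```python
"""Classify links against a legitimate brand domain, to catch counterfeit
login hosts like the ScreenConnect lookalike named above.

Added example, not part of the Sophos write-up. The multi-label suffix set is
a tiny stand-in for the Public Suffix List; the sample e-mail is constructed.
"""
import re
from urllib.parse import urlparse

# Tiny stand-in for the Public Suffix List; load the real list in production.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "com.br", "com.ms"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host: str) -> str:
    """eTLD+1 of a hostname: 'cloud.screenconnect.com.ms' -> 'screenconnect.com.ms'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def _normalize(text: str) -> str:
    """Fold common digit-for-letter swaps so 'screenc0nnect' still matches."""
    return text.lower().translate(str.maketrans("013", "ole"))


def classify_link(url: str, brand_domain: str, brand_keyword: str) -> str:
    """'legitimate' if the URL's registrable domain is the brand's own,
    'lookalike' if the brand name appears in a host the brand does not own,
    'unrelated' otherwise."""
    host = urlparse(url).hostname or ""
    if registrable_domain(host) == brand_domain.lower():
        return "legitimate"
    if _normalize(brand_keyword) in _normalize(host):
        return "lookalike"
    return "unrelated"


def scan_message(text: str, brand_domain: str, brand_keyword: str) -> list:
    """Return (url, verdict) for every http(s) link found in a message body."""
    results = []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;:)")  # trailing punctuation is not part of the link
        results.append((url, classify_link(url, brand_domain, brand_keyword)))
    return results


# Constructed sample lure, modelled on the alert-style e-mail the article describes.
SAMPLE_EMAIL = """Subject: ScreenConnect authentication alert (constructed sample)
A new sign-in needs your review: https://cloud.screenconnect.com.ms/login
Manage notification settings at https://cloud.screenconnect.com/
Unsubscribe: https://example.org/unsubscribe
"""

if __name__ == "__main__":
    for url, verdict in scan_message(SAMPLE_EMAIL, "screenconnect.com", "screenconnect"):
        print(f"{verdict:<10} {url}")
```

This catches the domain trick but not the AITM proxying itself; once a user enters a TOTP code on the relayed page, the code is valid at the real portal. Phishing-resistant MFA (FIDO2/WebAuthn), which binds the authentication to the genuine origin, is the control that addresses that part of the chain.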
Veronika Telychko@SOC Prime Blog
// 2d
The Computer Emergency Response Team of Ukraine (CERT-UA) has reported a series of ongoing cyberattacks targeting Ukrainian state administration bodies and critical infrastructure. These attacks, attributed to the hacking group UAC-0219, have been ongoing since late 2024 and involve the use of the WRECKSTEEL PowerShell stealer to harvest data from infected computers. The attackers are distributing malware via phishing emails containing links to file-sharing platforms such as DropMeFiles and Google Drive, often disguised as research invitations or important documents like employee lists.
The multi-stage infection process begins with victims unknowingly downloading a VBScript loader from these links. Once executed, the loader deploys a PowerShell script that searches for and exfiltrates sensitive files, including documents, spreadsheets, presentations, and images. CERT-UA's analysis indicates that UAC-0219 has been refining its techniques over time. Indicators of compromise (IOCs) have been shared publicly to aid detection efforts, and CERT-UA urges organizations to remain vigilant and report any signs of compromise immediately.
The Hacker News
// 2d
The OUTLAW Linux botnet is rapidly expanding by targeting vulnerable SSH servers through brute-force attacks. Cybersecurity researchers have identified the botnet, also known as Dota, as an "auto-propagating" cryptocurrency mining operation that uses simple yet effective techniques to maintain persistence on compromised systems. This includes exploiting weak credentials, manipulating SSH keys, and leveraging cron jobs to ensure the malware restarts after reboots or termination attempts.
The botnet uses a multi-stage infection process, beginning with a dropper shell script that downloads and unpacks a malicious archive file. This file launches a modified XMRig miner for cryptojacking and installs components in hidden directories to avoid detection. The botnet also uses a custom SSH brute-forcer called BLITZ to scan for and infect other vulnerable systems on the network, perpetuating its spread in a worm-like fashion. Despite its basic techniques, OUTLAW has proven to be a persistent and effective threat.
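The two persistence mechanisms named above, manipulated SSH keys and cron jobs that relaunch the miner, are both visible in plain text files, so a host audit can catch them without any malware signature. The script below is an added example, not from the research the article summarises: it fingerprints every authorized_keys entry the way `ssh-keygen -lf` does and reports keys not on an approved list, and it flags cron entries whose command runs from a hidden directory or from scratch space such as /tmp or /dev/shm. The key material, file contents and directory names are constructed for the demonstration.

```python
"""Audit an authorized_keys file and a crontab for the persistence tricks
described above: SSH keys nobody approved and cron jobs that relaunch a
payload from hidden or scratch directories.

Added example, not from the research the article summarises. The key
material, file contents and directory names are constructed here; the
fingerprint format matches `ssh-keygen -lf` (SHA-256 of the key blob,
base64 without padding).
"""
import base64
import hashlib
import re
import struct

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def fingerprint(pubkey_line: str) -> str:
    """SHA256 fingerprint of one authorized_keys entry (leading options tolerated)."""
    fields = pubkey_line.split()
    for i, field in enumerate(fields):
        if field.startswith(KEY_TYPE_PREFIXES):
            blob = base64.b64decode(fields[i + 1])
            break
    else:
        raise ValueError(f"no key type field in: {pubkey_line!r}")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def audit_authorized_keys(lines, approved_fingerprints) -> list:
    """Return (fingerprint, entry) for every key not on the approved list."""
    unexpected = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fp = fingerprint(line)
        if fp not in approved_fingerprints:
            unexpected.append((fp, line))
    return unexpected


# A path component starting with '.', or a world-writable scratch directory,
# directly after whitespace or a slash. Heuristic: legitimate user jobs under
# hidden directories will also match and need review rather than alarm.
SUSPICIOUS_PATH = re.compile(r"(?:^|[\s/])(?:\.[^/\s]+/|tmp/|var/tmp/|dev/shm/)")


def audit_crontab(lines) -> list:
    """Return cron entries whose command touches a hidden or scratch directory."""
    return [raw.strip() for raw in lines
            if raw.strip() and not raw.strip().startswith("#")
            and SUSPICIOUS_PATH.search(raw)]


def _constructed_key_line(seed: bytes, comment: str) -> str:
    """Syntactically valid ssh-ed25519 entry built from 32 arbitrary bytes.
    Constructed for the sample only; it is not a real key pair."""
    key_type = b"ssh-ed25519"
    pub = hashlib.sha256(seed).digest()  # 32 stand-in bytes where the public key would be
    blob = struct.pack(">I", len(key_type)) + key_type + struct.pack(">I", len(pub)) + pub
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


APPROVED_LINE = _constructed_key_line(b"deploy-key", "deploy@example.test")
UNEXPECTED_LINE = _constructed_key_line(b"dropped-by-malware", "unknown@nowhere")
APPROVED_FINGERPRINTS = {fingerprint(APPROVED_LINE)}

SAMPLE_AUTHORIZED_KEYS = ["# constructed sample", APPROVED_LINE, UNEXPECTED_LINE]
SAMPLE_CRONTAB = [
    "# constructed sample crontab",
    "0 2 * * * /usr/bin/certbot renew --quiet",
    "@reboot /home/svc/.cache-x/run.sh >/dev/null 2>&1",
    "*/5 * * * * /tmp/.p/start >/dev/null 2>&1",
]

if __name__ == "__main__":
    for fp, entry in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, APPROVED_FINGERPRINTS):
        print("unapproved SSH key:", fp, entry.split()[-1])
    for entry in audit_crontab(SAMPLE_CRONTAB):
        print("suspicious cron entry:", entry)
```

Run against real hosts, the approved-fingerprint set should come from configuration management rather than from the host being audited, and both root's and each service account's crontab should be read, since the miner's own account is the one most likely to carry the restart entry.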
@cyble.com
// 2d
EvilCorp, a Russia-based cybercriminal enterprise already under sanctions, has been linked to the RansomHub ransomware operation, indicating a concerning level of cooperation between the two groups. Intelligence sources confirm that EvilCorp and RansomHub are actively sharing intrusion methods, indicators of compromise (IOCs), and tactics, techniques, and procedures (TTPs). This collaboration poses a significant threat as it combines the capabilities of a sanctioned entity known for large-scale financial cyberattacks with a prominent ransomware-as-a-service (RaaS) operation. RansomHub, active since February 2024 and reportedly run by Russian-speaking cybercriminals, has become increasingly popular among former affiliates of other RaaS platforms such as ALPHV/BlackCat and LockBit.
One of EvilCorp's signature TTPs involves the use of SocGholish JavaScript malware, also known as FAKEUPDATES, to gain initial access to systems. This malware employs drive-by downloads disguised as web browser software updates. Once a system is infected with SocGholish, EvilCorp affiliates can then deploy the RansomHub ransomware. Given the sanctions imposed on EvilCorp since 2019, organizations that fall victim to this attack face a difficult dilemma: paying the ransom is illegal and can lead to substantial fines from the US Treasury's Office of Foreign Assets Control. This situation is further complicated by the fact that EvilCorp affiliates are known to rebrand their ransomware and become affiliates of other RaaS operations. The partnership between EvilCorp and RansomHub highlights the evolving and increasingly complex nature of the cybercrime landscape. Maksim Yakubets, a figure reportedly at the helm of EvilCorp, has a long-standing involvement in high-profile hacking campaigns and has been connected to the LockBit ransomware and the Dridex banking Trojan. The use of Microsoft Teams and other tools to spread malware via vishing scams further demonstrates the diverse range of tactics employed by these threat actors. Cybersecurity experts advise organizations to be vigilant, monitor for PowerShell commands in Teams messages, and investigate any unusual use of Quick Assist or signed binaries running from unexpected locations.
Bill Mann@CyberInsider
// 2d
CISA, along with the NSA, FBI, and international cybersecurity partners, has issued a joint advisory regarding the increasing use of the "fast flux" technique by cybercriminals and nation-state actors. This DNS evasion method allows attackers to rapidly change the DNS records associated with their malicious servers, making it difficult to track and block their activities. This tactic is used to obfuscate the location of malicious servers, enabling them to create resilient and highly available command and control infrastructures while concealing malicious operations.
Fast flux, characterized by quickly changing IP addresses linked to a single domain, exploits weaknesses in network defenses. The advisory, titled 'Fast Flux: A National Security Threat,' urges organizations, internet service providers (ISPs), and security firms to strengthen their defenses against these attacks. Service providers, especially Protective DNS (PDNS) providers, are urged to track fast flux activity, share information about it, and block it to safeguard critical infrastructure and national security.
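The pattern the advisory describes is observable in resolver logs: one domain answering with many distinct addresses, spread across unrelated networks, on short TTLs. The script below is an added example, not part of the CISA advisory: it aggregates constructed passive-DNS records per domain and scores address count, network spread and minimum TTL, so that a CDN-style domain (many addresses, few networks) scores lower than a flux domain. Distinct /16 prefixes stand in for the ASN diversity a real detector would take from routing data; the log format and records are constructed.

```python
"""Score passive-DNS observations for the fast-flux pattern the advisory
describes: one domain answering with many unrelated addresses on short TTLs.

Added example, not part of the CISA advisory. The log format and records are
constructed here, and distinct /16 prefixes stand in for the ASN diversity a
real detector would take from routing data.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class DomainStats:
    ips: set = field(default_factory=set)
    networks: set = field(default_factory=set)  # /16 prefixes, crude ASN stand-in
    min_ttl: int = 10**9
    observations: int = 0


def parse_record(line: str):
    """Constructed format: '<epoch> <domain> <ip> <ttl>'. None for unparseable lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, domain, ip, ttl = parts
    try:
        return int(ts), domain.lower().rstrip("."), ipaddress.ip_address(ip), int(ttl)
    except ValueError:
        return None


def aggregate(lines) -> dict:
    """Collect per-domain address, network and TTL statistics."""
    stats = defaultdict(DomainStats)
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        _, domain, ip, ttl = rec
        s = stats[domain]
        s.ips.add(ip)
        s.networks.add(ipaddress.ip_network((ip, 16), strict=False))
        s.min_ttl = min(s.min_ttl, ttl)
        s.observations += 1
    return stats


def flux_score(s: DomainStats) -> int:
    """Additive score: address count, network spread and a short TTL each add points."""
    score = 0
    if len(s.ips) >= 10:
        score += 2
    elif len(s.ips) >= 5:
        score += 1
    if len(s.networks) >= 5:
        score += 2
    elif len(s.networks) >= 3:
        score += 1
    if s.min_ttl <= 300:
        score += 1
    return score


def suspected_fast_flux(lines, threshold: int = 4) -> list:
    """Domains whose score reaches the threshold, sorted for stable output."""
    return sorted(d for d, s in aggregate(lines).items() if flux_score(s) >= threshold)


def constructed_log() -> list:
    """Synthetic resolver log. Private 10/8 addresses are used only so the sample
    is unmistakably constructed; real flux points at public, often residential, hosts."""
    base = 1_700_000_000
    lines = ["# constructed resolver log: <epoch> <domain> <ip> <ttl>"]
    # Flux-like: twelve answers in an hour, each from a different /16, TTL 60.
    for i in range(12):
        lines.append(f"{base + 300 * i} flux.example.test 10.{i}.{i % 7}.{20 + i} 60")
    # CDN-like: many addresses, but all inside two networks. Low TTL alone is not flux.
    for i in range(8):
        lines.append(f"{base + 300 * i} cdn.example.test 10.{100 + i % 2}.0.{30 + i} 60")
    # Static host: one address, long TTL.
    lines.append(f"{base} intranet.example.test 10.200.0.5 3600")
    return lines


if __name__ == "__main__":
    for domain, s in aggregate(constructed_log()).items():
        print(f"{domain:<24} ips={len(s.ips):<3} nets={len(s.networks):<3} "
              f"min_ttl={s.min_ttl:<5} score={flux_score(s)}")
    print("suspected fast flux:", suspected_fast_flux(constructed_log()))
```

Content delivery networks and round-robin load balancers legitimately produce many addresses with short TTLs, which is why the score weights network spread separately and why a production detector adds ASN data, domain age and an allowlist of known CDNs before anything is blocked at the PDNS layer.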