CyberSecurity news
FlagThis
|
@securityonline.info
//
Cisco has issued a critical security advisory to address CVE-2025-20188, a severe vulnerability affecting its IOS XE Wireless LAN Controllers (WLCs). This flaw, which has been assigned a CVSS score of 10.0, allows an unauthenticated, remote attacker to upload arbitrary files to a vulnerable system. The root cause of this vulnerability lies in a hard-coded JSON Web Token (JWT) present within the affected system, enabling attackers to potentially gain root privileges. The vulnerability impacts several products, including Catalyst 9800-CL Wireless Controllers for Cloud, Catalyst 9800 Embedded Wireless Controllers for Catalyst 9300, 9400, and 9500 Series Switches, Catalyst 9800 Series Wireless Controllers, and Embedded Wireless Controllers on Catalyst APs.
The exploitation requires the Out-of-Band AP Image Download feature to be enabled, which is not enabled by default. An attacker can exploit this vulnerability by sending crafted HTTPS requests to the AP image download interface. A successful exploit could enable the attacker to perform path traversal and execute arbitrary commands with root privileges, leading to a complete compromise of the affected system. Cisco advises administrators to check if the Out-of-Band AP Image Download feature is enabled by using the `show running-config | include ap upgrade` command. If the command returns `ap upgrade method https`, the feature is enabled, and the device is vulnerable. Currently, there are no direct workarounds available to address this vulnerability. However, as a mitigation measure, administrators can disable the Out-of-Band AP Image Download feature. This will cause AP image downloads to use the CAPWAP method. Cisco strongly recommends implementing this mitigation until an upgrade to a fixed software release can be performed. Cisco has released free software updates to address this vulnerability, advising customers with service contracts to obtain these security fixes through their usual update channels, urging them to upgrade to the fixed release as soon as possible. As of now, the Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of this vulnerability. Recommended read:
References :
@vulnerability.circl.lu
//
References:
The Hacker News
, securityonline.info
,
SonicWall has released critical security patches to address three vulnerabilities affecting its SMA 100 series of Secure Mobile Access (SMA) appliances. These flaws, which could lead to remote code execution with root privileges, pose a significant threat to organizations using the affected devices. One of the vulnerabilities, CVE-2025-32819, is already being actively exploited in the wild, underscoring the urgency of applying the patches. The vulnerabilities impact SMA 200, 210, 400, 410, and 500v appliances running versions 10.2.1.14-75sv and earlier.
CVE-2025-32819 allows a remote, authenticated attacker with SSL-VPN user privileges to bypass path traversal checks and delete arbitrary files, potentially resetting the device to factory default settings. CVE-2025-32820 enables an attacker with similar privileges to inject a path traversal sequence, making any directory on the SMA appliance writable. CVE-2025-32821 permits an attacker with SSL-VPN admin privileges to inject shell command arguments to upload a file on the appliance. Security researchers have demonstrated that chaining these vulnerabilities together allows attackers to gain root-level remote code execution. To mitigate these risks, SonicWall strongly advises users of the affected SMA 100 series products to upgrade to version 10.2.1.15-81sv or higher. As a further safeguard, SonicWall recommends enabling multifactor authentication (MFA) and Web Application Firewall (WAF) on SMA100 devices. The company also suggests resetting passwords for users who may have logged into the device via the web interface. These measures, along with the security update, will help protect systems from potential exploitation. Recommended read:
References :
@ai-techpark.com
//
SpyCloud, an identity threat protection company, released an analysis on May 7th, 2025, concerning the exposure of employee data in Fortune 50 companies due to phishing attacks. The report detailed the examination of nearly 6 million phished data records, which were recovered from criminal sources over the preceding six months. The findings reveal that a staggering 94% of Fortune 50 companies have had employee identity data compromised as a result of these attacks. The research further highlights that cybercriminals are increasingly targeting high-value identity data, which they can exploit for various malicious activities, including ransomware deployment, account takeovers, and fraudulent schemes.
The analysis revealed several key data points. Notably, 81% of the compromised records contained email addresses, 42% included IP addresses, and 31% featured user-agent information that could identify device and browser details. Telecommunications, IT, and financial services emerged as the most frequently impersonated industries in these phishing campaigns. Out of the 5.5 million records examined, two-thirds held credentials, financial details, or visitor metadata, while 37% originated from email targeting lists, although not all such lists resulted in successful breaches. According to Brian Jack, chief information security officer at KnowBe4, a SpyCloud partner, phishing threats are evolving with a 17% increase in phishing emails observed in the last six months. He highlighted that nearly 82% of victims had their email credentials previously compromised in data breaches, providing attackers with a significant advantage. Jack emphasized the need for continuous security awareness training and the importance of security teams having visibility into specific exposures to enable swift and targeted remediation. He believes combining human vigilance with actionable intelligence is the most effective approach to thwart phishing attacks and prevent broader cyberattacks. Recommended read:
References :
Jacob Santos@feeds.trendmicro.com
//
The Agenda ransomware group, also known as Qilin, has enhanced its attack capabilities by incorporating SmokeLoader and NETXLOADER into its campaigns. Trend Micro researchers discovered this shift, highlighting the group's ongoing evolution and increased sophistication. The group is actively targeting organizations across multiple sectors, including healthcare, technology, financial services, and telecommunications. These attacks are spanning across various geographical regions, with a primary focus on the US, the Netherlands, Brazil, India, and the Philippines, demonstrating a broad and aggressive targeting strategy.
The newly identified NETXLOADER plays a crucial role in these attacks by stealthily deploying malicious payloads, including the Agenda ransomware and SmokeLoader. NETXLOADER is a .NET-based loader protected by .NET Reactor 6, making it difficult to analyze. Its complexity is enhanced by the utilization of JIT hooking techniques, obfuscated method names, and AES-decrypted GZip payloads to evade detection, indicating a significant leap in malware delivery methods. SmokeLoader further contributes to the group's arsenal with its own set of evasion tactics, including virtualization/sandbox detection and process injection, which complicates attribution and defense efforts. Qilin has emerged as a dominant ransomware group, leading in data leak disclosures in April 2025. This surge in activity is partly attributed to the group gaining affiliates from the RansomHub uncertainty. Cyble reported that Qilin claimed responsibility for 74 attacks in April, surpassing other groups in ransomware activity. The incorporation of NETXLOADER and SmokeLoader, coupled with their stealthy delivery methods, further solidifies Qilin's position as a formidable threat in the current ransomware landscape, posing a significant risk to organizations worldwide. Recommended read:
References :
@sec.cloudapps.cisco.com
//
Cisco has issued critical patches for a severe vulnerability, CVE-2025-20188, affecting its IOS XE Wireless Controller software. This flaw, which received a maximum severity score of 10.0 on the CVSS scale, could allow an unauthenticated remote attacker to gain root-level access to affected systems. The root cause of the vulnerability lies in a hard-coded JSON Web Token (JWT) embedded within the IOS XE Wireless Controller, making it possible for attackers to upload arbitrary files and execute commands with the highest privileges. This vulnerability poses a significant risk to organizations using Cisco Catalyst 9800 wireless controllers and related products.
The vulnerability, detailed in Cisco security advisory cisco-sa-wlc-file-uplpd-rHZG9UfC, can be exploited by sending specially crafted HTTPS requests to the Access Point (AP) image download interface. A successful exploit could enable attackers to perform path traversal and execute arbitrary commands with root privileges. For the exploit to work, the Out-of-Band AP Image Download feature must be enabled on the device, which is disabled by default. Affected products include Catalyst 9800-CL Wireless Controllers for Cloud, Catalyst 9800 Embedded Wireless Controllers for Catalyst 9300, 9400, and 9500 Series Switches, Catalyst 9800 Series Wireless Controllers, and Embedded Wireless Controllers on Catalyst APs. Cisco has released free software updates to address this vulnerability, urging customers with affected products to update to the latest versions immediately. As a temporary mitigation, administrators can disable the Out-of-Band AP Image Download feature until the upgrade is complete. Disabling this feature forces AP image downloads to use the CAPWAP method, which does not impact the AP client state. Cisco credits X.B. of the Cisco Advanced Security Initiatives Group (ASIG) for discovering and reporting the vulnerability during internal security testing. At present, there's no evidence of this vulnerability being exploited in the wild. Recommended read:
References :
@www.helpnetsecurity.com
//
SysAid On-Premises Vulnerable to Pre-Auth RCE Exploitation - A pre-authenticated Remote Code Execution vulnerability affects SysAid On-Premises, allowing attackers to execute arbitrary code with elevated privileges.
ImgSrc: img.helpnetsecu
A pre-authenticated Remote Code Execution (RCE) vulnerability chain has been discovered in SysAid On-Premises, a self-hosted IT service management platform. Researchers at watchTowr Labs have disclosed technical details and a proof-of-concept exploit for this vulnerability, identified as CVE-2025-2775 along with related XXE injection vulnerabilities (CVE-2025-2776, CVE-2025-2777). The flaws allow threat actors to execute arbitrary code on affected systems without prior authentication. This vulnerability affects the on-premise version of SysAid IT support software, posing a significant risk to organizations using the platform.
SysAid addressed these critical vulnerabilities in early March 2025 with the release of on-premise version 24.4.60 b16. The vulnerabilities are XML External Entity (XXE) injections within specific endpoints (/mdm/checkin and /lshw), which can be exploited via specially crafted HTTP POST requests. Successful exploitation could allow attackers to retrieve sensitive local files, including the "InitAccount.cmd" file containing administrator credentials. This access can then be leveraged to gain full administrative control over the SysAid instance. The severity of the XXE flaws is compounded by the possibility of chaining them with a separate operating system command injection vulnerability (CVE-2025-2778), enabling remote code execution. Given SysAid's history of being targeted by ransomware groups, including the exploitation of CVE-2023-47246 in zero-day attacks, security experts are urging users to immediately update their SysAid On-Premises installations to the latest version to mitigate the risk of exploitation. A proof-of-concept (PoC) exploit combining the four vulnerabilities has been made available, further emphasizing the need for immediate patching. Recommended read:
References :
Dissent@DataBreaches.Net
//
PowerSchool, a major education technology vendor, is grappling with the aftermath of a December cyberattack. Despite paying a ransom to the perpetrators in an attempt to prevent the release of stolen data, the hacker is now directly extorting individual school districts. The threat actor is demanding additional ransom payments from these districts, threatening to release sensitive student and teacher data if their demands are not met. This turn of events highlights the challenges and risks associated with paying ransoms in cyber extortion cases, as it does not guarantee the deletion of stolen data.
This situation has prompted a warning from PowerSchool to its customers. The company acknowledges that a threat actor has contacted multiple school districts, attempting to extort them using data from the December 2024 incident. PowerSchool maintains that this is not a new breach, as the data samples match those stolen previously. Law enforcement has been notified and is now involved in the investigation. The incident raises concerns about the ongoing security risks faced by organizations when vendors in their supply chain are targeted by cyberattacks. PowerSchool provides cloud-based software to K-12 schools and districts, supporting over 60 million students across 18,000 customers in more than 90 countries. The company made the decision to pay the initial ransom because it believed it was in the best interest of its customers and communities. They understood the risks that the bad actors might not delete the data despite assurances. The Toronto District School Board, a PowerSchool customer, voiced doubts about the ransomware crew's deletion of data, emphasizing the ongoing pressure on school officials to prevent data leaks. Recommended read:
References :
@securityonline.info
//
Security researchers are raising alarms about the open-source library 'easyjson,' a Golang package used extensively across cloud-native technologies. A new investigation by cybersecurity firm Hunted Labs has revealed that easyjson is maintained and controlled by developers associated with VK Group, a major Russian internet conglomerate based in Moscow. VK Group's ties to the Kremlin, including its leadership being under U.S. and E.U. sanctions, have ignited concerns about potential supply chain risks for organizations relying on this library. Easyjson is used by the US government and American companies.
The 'easyjson' library is deeply embedded in the software ecosystem, particularly in cloud-native applications, distributed systems, and real-time analytics platforms. It's found to be widely used in projects like Helm, Istio, Kubernetes, ArgoCD, Grafana, Sigstore, and across many US Government and Fortune 500 organizations. This widespread integration makes it difficult to monitor, remove, or replace, according to Hunted Labs. The firm's report warns that "Any compromise of a serializer is extremely dangerous because they are: invisible, deeply integrated, hard to remove, and trusted by default.” Researchers fear that Russia could alter easyjson to steal data or otherwise be abused. Hunted Labs outlines alarming possibilities if easyjson were to be compromised or weaponized, including supply chain backdoors enabling mass compromise, remote code execution via crafted JSON inputs, espionage and covert data exfiltration, and even kill switch activation across critical systems. As Hayden Smith, a cofounder at Hunted Labs, stated, the package is "basically a linchpin for the cloud native ecosystem, that’s maintained by a group of individuals based in Moscow belonging to an organization that has this suspicious history." Recommended read:
References :
Dysruption Hub@The Dysruption Hub
//
Medical device maker Masimo Corporation reported a cyberattack on April 27th, 2025, that impacted its on-premise internal IT infrastructure. The attack forced shutdowns across manufacturing operations and has temporarily delayed customer orders. The Irvine, California-based company, a leading global provider of noninvasive monitoring technologies like pulse oximeters, has filed an 8K with the Securities and Exchange Commission to clarify the details. While the full scope, nature, and impact of the incident are still under investigation, Masimo has taken immediate steps to contain the incident and isolate the affected systems.
Masimo is working with third-party incident response experts to assess, mitigate, and remediate the attack. Law enforcement authorities, including the FBI, have been notified and are coordinating with the company's response efforts. Despite the disruption, Masimo stated in regulatory filings that there is no evidence of employee or patient data being compromised. CEO Katie Szyman confirmed the attack disrupted the company's website and several computer systems but indicated the incident is not expected to change the company's financial guidance at this time, although the company cautioned it has not yet determined the full impact. The cyberattack comes amid internal restructuring within Masimo, including new leadership and pressure from an activist investor. Masimo also announced a $350 million agreement to sell its consumer audio division, Sound United, to Harman International, a subsidiary of Samsung Electronics Co. Masimo reaffirmed its annual revenue forecast, and noted non-GAAP earnings rose 56% from the year-ago period. The incident highlights the increasing cybersecurity vulnerabilities facing the healthcare and medical device sectors. Recommended read:
References :
@socket.dev
//
A malicious Python package named 'discordpydebug' has been discovered on the Python Package Index (PyPI) repository, posing a significant threat to Discord developers. The package, disguised as a simple utility for debugging Discord bots, actually contains a remote access trojan (RAT). This RAT allows attackers to execute commands and exfiltrate data from infected systems via a covert command-and-control (C2) channel. The 'discordpydebug' package was uploaded on March 21, 2022, and has since been downloaded over 11,000 times, putting numerous developer systems at risk.
The 'discordpydebug' package targets developers who build or maintain Discord bots. The attackers took advantage of the fact that PyPI doesn't enforce strict security audits, misleading developers with a legitimate-sounding name and copying code from popular projects to appear trustworthy. The package establishes communication with an attacker-controlled server at "backstabprotection.jamesx123.repl[.]co", and includes features to read and write arbitrary files based on commands received from the server, along with the ability to run shell commands. The simplicity of the RAT is what makes it effective. The package avoids inbound connections, instead opting for outbound HTTP polling to bypass firewalls and security monitoring tools, especially in less controlled development environments. This discovery highlights the increasing danger of software supply chain attacks and the importance of vigilance when installing packages from open-source repositories. The Socket Research Team urges developers to be cautious and scrutinize any third-party tools or code snippets shared within the Discord developer community. Recommended read:
References :
@securityonline.info
//
Play Ransomware Exploits Windows Zero-Day Vulnerability - The Play ransomware group exploited a Windows CLFS zero-day vulnerability (CVE-2025-29824) to gain SYSTEM privileges and deploy malware.
ImgSrc: securityonline.
The Play ransomware gang has been actively exploiting a zero-day vulnerability in the Windows Common Log File System (CLFS), identified as CVE-2025-29824. This high-severity flaw allows attackers to gain SYSTEM privileges on compromised systems, enabling them to deploy malware and carry out other malicious activities. The vulnerability was patched by Microsoft in April 2025; however, it was actively exploited in targeted attacks across various sectors before the patch was released.
The Play ransomware gang's attack methodology is sophisticated, employing custom tools and techniques such as dual extortion. A key tool used is the Grixba infostealer, which scans networks and steals information. In addition to the Grixba infostealer, the group uses a payload injection technique where a malicious payload is injected into the winlogon.exe process. This allows them to inject the Sysinternals procdump.exe tool into various processes for malicious purposes. The Symantec Threat Hunter Team identified this zero-day vulnerability being actively exploited, including an attack targeting an unnamed organization in the United States. The attackers likely used a public-facing Cisco Adaptive Security Appliance (ASA) as an entry point. During the execution of the exploit, batch files are created to escalate privileges, dump the SAM, SYSTEM, and SECURITY Registry hives, create a new user, and clean up traces of exploitation. The exploitation of CVE-2025-29824 highlights the trend of ransomware actors using zero-days to infiltrate targets, underscoring the importance of prompt patching and robust security measures. Recommended read:
References :
Sergiu Gatlan@BleepingComputer
//
CISA Warns of Attacks Targeting US Energy Sector - CISA and other US agencies are warning about cyberattacks targeting US energy sector, specifically oil and natural gas, operational technology and ICS/SCADA systems.
ImgSrc: www.bleepstatic
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), along with the FBI, EPA, and DOE, have issued a joint alert regarding escalating cyber threats targeting operational technology (OT) and industrial control systems (ICS) within critical U.S. infrastructure. These agencies are urging critical infrastructure asset owners and operators, particularly in the energy and transportation sectors, to immediately review and implement measures to strengthen their cybersecurity defenses against intentionally targeted internet-connected OT and ICS. The alert emphasizes that while the intrusion techniques employed are often basic, the presence of poor cyber hygiene and exposed assets can significantly amplify the threat, potentially leading to severe consequences like defacement, operational disruptions, or even physical damage.
CISA is specifically highlighting the risk posed by "unsophisticated cyber actors" targeting ICS/SCADA systems within the oil and natural gas sectors. These threat actors exploit common vulnerabilities such as default passwords, exposed devices, and misconfigured remote access, often identified through publicly available search engine tools. OT devices are deemed particularly vulnerable due to their lack of modern authentication and authorization mechanisms, making them easily discoverable and exploitable. Organizations are urged to remove OT connections from the public internet to mitigate this risk. To address these threats, CISA recommends several immediate actions, including removing OT connections from the public internet, securing remote access with private IP connections and VPNs utilizing multi-factor authentication, and changing default passwords on OT systems to strong, unique credentials. The agency also emphasizes the importance of segmenting IT and OT networks to reduce the risk of disruptions to essential OT operations, limiting privileges and disabling dormant accounts, and preparing for manual operations in the event of a cyber incident. CISA advises critical infrastructure entities to identify all public-facing assets and eliminate any unintentional exposure, as well as working closely with managed service providers, system integrators, and product vendors to ensure secure configurations. Recommended read:
References :
@securityonline.info
//
A critical vulnerability, CVE-2025-46762, has been identified in Apache Parquet Java, a widely used open-source columnar storage format. This flaw exposes systems to potential remote code execution (RCE) attacks through insecure schema parsing in the parquet-avro module. The vulnerability resides in how Avro schemas are deserialized from metadata stored in Parquet files, potentially allowing malicious actors to inject code into the file's metadata. If an application uses parquet-avro to read Parquet files and employs the specific or reflective Avro deserialization models, processing an untrusted Parquet file could trigger unauthorized code execution during schema parsing.
The vulnerability impacts all versions of Apache Parquet Java up to and including 1.15.1, where schema parsing in the parquet-avro module allows bad actors to execute arbitrary code. While version 1.15.1 introduced restrictions on untrusted packages, the default list of trusted packages remained permissive, possibly enabling attackers to exploit the vulnerability using classes from whitelisted packages. Exploitability is contingent upon specific usage patterns, primarily when applications use parquet-avro, employ the specific or reflective Avro deserialization models, and process untrusted or user-supplied Parquet files. To mitigate this serious threat, Apache recommends upgrading to version 1.15.2, which includes hardened default settings to prevent execution from trusted but potentially dangerous packages. Users on version 1.15.1 can explicitly set the system property org.apache. Although this vulnerability is not exploitable by default, the potential for RCE makes it a high-priority concern for organizations utilizing Apache Parquet in data-intensive applications and analytics pipelines, especially those dealing with untrusted data sources. Recommended read:
References :
@Talkback Resources
//
Critical Langflow Flaw Exploited, Added to CISA KEV List - A critical security flaw in Langflow (CVE-2025-3248) allows unauthenticated remote code execution, prompting CISA to add it to the KEV catalog.
ImgSrc: s3.talkback.sh
A critical security vulnerability in Langflow, an open-source platform used for building agentic AI workflows, is under active exploitation, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add the flaw to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability, identified as CVE-2025-3248, carries a critical CVSS score of 9.8 out of 10, indicating its high severity. Organizations are being urged to immediately apply security updates and mitigation measures to prevent potential attacks.
The flaw is caused by a missing authentication vulnerability in the `/api/v1/validate/code` endpoint of Langflow. This allows unauthenticated remote attackers to execute arbitrary code through crafted HTTP requests. Specifically, the endpoint improperly invokes Python's built-in `exec()` function on user-supplied code without adequate authentication or sandboxing. This allows attackers to execute arbitrary commands on the server, potentially leading to full system compromise. The vulnerability affects most versions of Langflow and has been addressed in version 1.3.0, released on March 31, 2025. According to security researchers, the vulnerability is easily exploitable and allows unauthenticated remote attackers to take control of Langflow servers. There are currently 466 internet-exposed Langflow instances, with a majority of them located in the United States, Germany, Singapore, India, and China. While the specifics of real-world exploitation are not fully known, exploit attempts have been recorded against honeypots. Federal Civilian Executive Branch (FCEB) agencies have been given until May 26, 2025, to apply the necessary fixes. Recommended read:
References :
@cyberalerts.io
//
Cybersecurity researchers have confirmed that the Samsung MagicINFO 9 Server is under active exploitation, with hackers leveraging a remote code execution (RCE) vulnerability, CVE-2024-7399, to deploy the Mirai botnet. This vulnerability, a path traversal flaw, allows attackers to write arbitrary files as system authority, ultimately leading to remote code execution. The unauthenticated nature of the flaw exacerbates the risk, allowing threat actors to exploit systems without requiring any user credentials. The attacks target the file upload functionality in the MagicINFO 9 Server, intended for updating display content, but is being abused to upload malicious code and execute a shell script responsible for downloading the botnet.
The exploitation of CVE-2024-7399 began shortly after a proof-of-concept (PoC) exploit was made public. Arctic Wolf researchers have observed this exploitation in the wild, noting that the vulnerability allows for arbitrary file writing by unauthenticated users. This improper sanitation of filename input, without validating the file extension or checking for authentication, allows threat actors to upload JSP files and execute arbitrary code with system authority on vulnerable servers. While Samsung released a patch for this vulnerability in August 2024, many systems remain unpatched, leaving them vulnerable to these attacks. The exploitation of the Samsung MagicINFO flaw is not an isolated incident; threat actors are also targeting GeoVision end-of-life (EoL) Internet of Things (IoT) devices to incorporate them into the Mirai botnet for conducting distributed denial-of-service (DDoS) attacks. Given the low barrier to exploitation, the availability of a public PoC, and the potential for widespread impact, organizations are strongly advised to update their Samsung MagicINFO Server instances to version 21.1050 and later, and implement the patch for CVE-2024-7399 immediately to mitigate potential operational impact. Recommended read:
References :
Mandiant@Threat Intelligence
//
References:
gbhackers.com
, cyberpress.org
UNC3944, a financially motivated cyber threat actor also known as Scattered Spider, has evolved from primarily conducting SIM swapping operations to focusing on ransomware and data extortion. Initially, UNC3944 targeted telecommunications organizations to facilitate SIM swaps, but since early 2023, they have shifted their focus to a broader range of industries, deploying ransomware and stealing data for extortion purposes. This transition marks a significant escalation in their tactics and impact, affecting sectors such as technology, financial services, business process outsourcing (BPO), gaming, hospitality, retail, and media & entertainment. The group has been observed conducting targeted waves of attacks against specific sectors, indicating a strategic and adaptable approach to their operations.
Despite law enforcement actions in 2024 that led to a temporary decline in UNC3944's activity, experts caution that their established connections within the cybercrime ecosystem suggest a strong potential for rapid recovery. This could involve forming new partnerships, adopting new tools to evade detection, or shifting strategies to circumvent security measures. Recent reports have indicated the use of tactics consistent with Scattered Spider in attacks against UK retail organizations, involving the deployment of DragonForce ransomware. Furthermore, the operators of DragonForce have reportedly taken control of RansomHub, a ransomware-as-a-service (RaaS) platform where UNC3944 was previously an affiliate after the shutdown of ALPHV (Blackcat) RaaS. The retail sector has emerged as an increasingly attractive target for threat actors like UNC3944. Data from tracked data leak sites (DLS) reveals that retail organizations accounted for 11% of DLS victims in 2025, a notable increase from 8.5% in 2024. This trend is attributed to the large quantities of personally identifiable information (PII) and financial data typically held by retail companies, combined with their susceptibility to business disruption. The potential for significant financial losses resulting from ransomware attacks further incentivizes these companies to pay ransom demands, making them lucrative targets for financially motivated cybercriminals. Recommended read:
References :
@cyberscoop.com
//
Google has issued its May 2025 Android security update, addressing a total of 47 vulnerabilities. Among these fixes is a critical zero-day flaw, identified as CVE-2025-27363, which has been actively exploited by attackers. The vulnerability resides within the widely used FreeType software library, a font rendering engine utilized in over a billion devices. This flaw could potentially allow attackers to execute arbitrary code on affected devices, posing a significant security risk.
The specific vulnerability, an out-of-bounds write defect in FreeType versions 2.13.0 and below, was initially disclosed by Facebook in March 2025. It carries a CVSS score of 8.1, indicating its high severity. Google has acknowledged that there are indications CVE-2025-27363 may be under limited, targeted exploitation but the exact specifics are unknown. Users with Android versions 13, 14 and 15 are advised to update as soon as possible. The update includes two patch levels, 2025-05-01 and 2025-05-05, allowing Android partners to address vulnerabilities across different devices. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-27363 to its Known Exploited Vulnerabilities catalog, mandating federal agencies to apply the necessary patches by May 27, 2025. Users can check their device's Android version and security update level in the settings app, to ensure their system is up to date. Recommended read:
References :
Anna Ribeiro@Industrial Cyber
//
Fortinet's FortiGuard Labs has revealed a multi-year, state-sponsored cyber intrusion targeting critical infrastructure in the Middle East. The intrusion, attributed to an Iranian APT group likely Lemon Sandstorm, began as early as May 2023, with potential traces back to May 2021, and went undetected for nearly two years. Attackers gained initial access through compromised VPN credentials, deploying multiple web shells and custom backdoors throughout the infrastructure.
This Iranian APT exhibited significant operational discipline, constantly rotating tools, infrastructure, and access methods to maintain their foothold. After gaining access, they installed backdoors such as HanifNet, HXLibrary, and NeoExpressRAT. The attackers used in-memory loaders for Havoc and SystemBC to avoid detection, plus custom loaders to execute malware directly in memory, avoiding disk-based detection. Throughout the campaign, FortiGuard Labs identified at least five novel malware families, including HanifNet, NeoExpressRAT, HXLibrary, RemoteInjector, and CredInterceptor. The attackers also modified legitimate OWA JavaScript files to silently siphon credentials, disguising malicious scripts as legitimate traffic. The attackers used open-source proxy tools such as plink, Ngrok, Glider Proxy, and ReverseSocks5 to circumvent network segmentation. Recommended read:
References :
Matt Kapko@CyberScoop
//
Google Fixes Actively Exploited Android Vulnerability - Google fixed a zero-day vulnerability (CVE-2025-27363) in the Android System component, which was actively exploited, leading to local code execution.
ImgSrc: cyberscoop.com
Google has released its May 2025 Android security update, addressing a total of 46 or 47 security flaws affecting Android devices. The update includes a fix for CVE-2025-27363, a high-severity vulnerability in the Android System component that has been actively exploited in the wild. The vulnerability, which is present in versions of FreeType up to 2.13, could allow for local code execution without requiring any additional execution privileges or user interaction. Google noted that there are indications that this flaw may be under limited, targeted exploitation.
The actively exploited vulnerability, CVE-2025-27363, is an out-of-bounds write defect in the FreeType font rendering library. FreeType is a widely used open-source library that allows developers to render fonts and is found in over a billion devices. The vulnerability, discovered by Facebook security researchers in March 2025, has a base score of 8.1 on the CVSS scale. Exploitation of this flaw could lead to arbitrary code execution when parsing TrueType GX and variable font files. The May 2025 security update contains two patch levels, 2025-05-01 and 2025-05-05, allowing Android partners to address a range of vulnerabilities on different devices. In addition to the FreeType flaw, the update also resolves eight other flaws in the Android System and 15 flaws in the Framework module, which could be abused to facilitate privilege escalation, information disclosure, and denial-of-service attacks. Google Pixel users will automatically receive the update, while other Android device manufacturers will release the patches after customizing the operating system for their specific hardware. Source code patches for all addressed vulnerabilities will be released to the Android Open Source Project repository. Recommended read:
References :
@Talkback Resources
//
References:
Talkback Resources
, Rescana
,
The Co-op has confirmed a significant data breach following a cyberattack carried out by the ransomware group DragonForce. The attackers claim to have stolen sensitive data from current and former Co-op members, including names and contact details. While financial information and passwords were not compromised, the breach impacts a substantial number of individuals signed up for the Co-op's membership scheme, with DragonForce claiming access to the private information of around 20 million people. The NCSC is working with The Co-op to understand the full scope of the incident and provide expert advice.
DragonForce gained initial access to Co-op's IT networks by exploiting a vulnerability in internal communication systems, such as Microsoft Teams. They then exfiltrated large volumes of customer and employee data, using the stolen information to demand a ransom payment. Screenshots of extortion messages sent to Co-op's head of cyber security via an internal Microsoft Teams chat were shared with the BBC as proof of the breach. In response, the Co-op has implemented immediate security measures, including verifying meeting participants and requiring cameras to be turned on during calls. The attack on Co-op is believed to be part of a broader campaign targeting major UK retailers, with similar incidents recently affecting Marks & Spencer and Harrods. These attacks are linked to affiliates of the DragonForce ransomware group, believed to be part of the Scattered Spider cybercrime community. This group is known for employing aggressive extortion tactics and sophisticated entry methods such as SIM swapping and MFA fatigue. The Co-op is currently rebuilding its Windows domain controllers and strengthening its defenses in collaboration with Microsoft DART and KPMG. Recommended read:
References :
@www.co-operative.coop
//
The UK's National Cyber Security Centre (NCSC) has issued an advisory following a series of cyberattacks targeting major UK retailers, including Marks & Spencer (M&S), Co-op, and Harrods. These incidents, which began in April 2025, have prompted warnings for organizations to remain vigilant and implement robust cybersecurity measures. The NCSC is working closely with affected organizations to understand the nature of the intrusions and provide targeted advice to the broader retail sector.
The NCSC's advice strongly suggests the involvement of Scattered Spider, a group of English-speaking cyber criminals previously linked to breaches at MGM Resorts and Caesars Entertainment in the U.S. Scattered Spider is believed to have deployed ransomware to encrypt key systems at M&S, causing significant disruption, including the suspension of online sales. Authorities are urging security teams to implement multi-factor authentication, monitor for risky logins, and review help desk login procedures to mitigate potential ransomware attacks. While investigations are ongoing to determine if the attacks are linked or the work of a single actor, reports suggest that a group called DragonForce may also be involved. DragonForce operates as a ransomware-as-a-service, providing tools and infrastructure for contracted hackers. The NCSC emphasizes that all organizations should follow the advice on its website to ensure they have appropriate measures in place to prevent attacks and effectively respond to and recover from them. Recommended read:
References :
@arcticwolf.com
//
Arctic Wolf Labs has identified a spear-phishing campaign orchestrated by the financially motivated threat group known as Venom Spider. The campaign targets hiring managers by abusing legitimate messaging services and job platforms. Attackers submit fake job applications with malicious resumes, leveraging an updated backdoor called More_eggs.
The fake resumes are designed to deliver the More_eggs backdoor onto the devices of unsuspecting HR personnel. Once installed, the backdoor allows the attackers to perform a variety of malicious activities, including stealing credentials, customer payment data, intellectual property, and trade secrets. Arctic Wolf warns that the updated More_eggs malware is more sophisticated, making it harder to detect than previous versions. They advise CISOs to warn HR staff about this ongoing threat and implement measures to identify and block these malicious resumes. Notably, threat actors are using msxsl.exe, a legitimate Microsoft Command Line Transformation Utility to execute the backdoor. Recommended read:
References :
Pierluigi Paganini@Security Affairs
//
A hacker has successfully breached TeleMessage, an Israeli company that provides modified versions of secure messaging apps such as Signal, WhatsApp and Telegram to the U.S. government. The breach resulted in the exfiltration of sensitive data, including archived messages from these modified apps. TeleMessage has suspended all services and is currently investigating the incident. The breach highlights the vulnerabilities associated with modifying secure messaging applications, especially concerning the preservation of end-to-end encryption.
The compromised data includes the contents of direct messages and group chats, as well as contact information for government officials. 404 Media reported that the hack exposed data related to U.S. Customs and Border Protection (CBP), the cryptocurrency exchange Coinbase, and several other financial institutions. The hacker claimed the entire process of accessing TeleMessage’s systems took only 15-20 minutes, underscoring the ease with which the security was circumvented. Despite the breach, there are reports that messages from top US government officials and cabinet members were not compromised. TeleMessage, which was recently in the spotlight after former U.S. National Security Advisor Mike Waltz was seen using their modified version of Signal, offers archiving services for messages. However, the hack revealed that the archived chat logs were not end-to-end encrypted between the modified app and the ultimate archive destination controlled by the TeleMessage customer. Smarsh, the parent company of TeleMessage, has engaged an external cybersecurity firm to support the investigation and has temporarily suspended all TeleMessage services as a precaution. A Coinbase spokesperson stated that the company is closely monitoring the situation, but has not found any evidence of sensitive customer information being accessed or accounts being at risk. Recommended read:
References :
|
