Sunny Yadav@eSecurity Planet
//
References: securityaffairs.com, thehackernews.com
A large-scale cryptocurrency-mining campaign is targeting Russian users with the SilentCryptoMiner malware. The malware poses as a legitimate tool for bypassing internet restrictions, and more than 2,000 Russian users have so far been tricked into downloading fake VPN and DPI (deep packet inspection) bypass tools.
The attackers distribute the malware through popular YouTube channels, some with over 60,000 subscribers. The downloads are presented as safe tools, but the archive actually contains a Python-based loader that retrieves the miner payload. To keep the infection alive, the attackers tell victims to disable their antivirus software, claiming the tool merely triggers false positives, which leaves the system open to persistent, hidden threats.
@cyberalerts.io
//
Davis Lu, a 55-year-old software developer from Houston, Texas, has been convicted in federal court of sabotaging the computer systems of his former employer, Eaton Corp, after a 2018 demotion reduced his responsibilities and system access. Lu, who worked for the company from November 2007 to October 2019, began planting malicious code on its production systems in August 2019. The code included "infinite loops" designed to exhaust Java threads, crashing systems and preventing user logins. Lu also wrote code to delete coworkers' profile files and implemented a "kill switch" that would lock out all users if his account in the company's Active Directory were disabled.
The kill switch, named "IsDLEnabledinAD" (for "Is Davis Lu enabled in Active Directory"), fired automatically when he was terminated on Sept. 9, 2019, affecting thousands of company users globally. Other components were named "Hakai," Japanese for "destruction," and "HunShui," Chinese for "sleep" or "lethargy." On the day he was told to turn in his company laptop, Lu deleted encrypted data; his internet search history showed he had researched how to escalate privileges, hide processes and rapidly delete files, indicating an intent to hinder his coworkers' efforts to restore the systems. Lu faces a maximum penalty of 10 years in prison for causing intentional damage to protected computers.
Rescana@Rescana
//
Security researchers are warning of mass exploitation of CVE-2024-4577, a critical vulnerability in PHP. The flaw affects PHP running in CGI mode on Windows behind Apache: in installations using certain locales (Japanese and Chinese code pages), Windows best-fit character conversion lets an attacker smuggle a command-line option dash into the query string and inject php.ini directives, which leads to remote code execution. GreyNoise data confirms that exploitation extends far beyond the initial reports, with attempts observed across multiple regions; notable spikes were recorded in the United States, Singapore, Japan and other countries throughout January 2025, pointing to a broad campaign.
Cisco Talos has separately documented active exploitation of CVE-2024-4577 in which the attacker gains access to victim machines and carries out post-exploitation activity. GreyNoise observed more than 1,000 unique source IPs attempting exploitation in January 2025 alone. Organizations are urged to apply the PHP patches (or move off CGI mode) and to monitor web server logs for exploitation attempts.
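The following is an added example, not code from the GreyNoise or Talos write-ups: a small log-scanning script that flags CVE-2024-4577 attempts in Apache access logs. It relies on the public exploit mechanism (a soft hyphen, 0xAD, that PHP-CGI on an affected Windows locale reads as "-", so "%ADd" becomes the "-d" option) and also tags the older plain "-d" form that CVE-2012-1823 used, which PHP still blocks but which is worth noticing. The log lines, the directive list and the IP addresses are constructed for the example.

```python
"""Added example: tag PHP-CGI argument-injection attempts in Apache access logs.

CVE-2024-4577 bypasses the CVE-2012-1823 fix: PHP rejects a query string that
starts with '-', but on Windows with certain code pages a soft hyphen (0xAD)
is best-fit mapped to '-' after the check, so '%ADd' becomes '-d' and lets the
attacker inject php.ini directives (auto_prepend_file=php://input turns the
POST body into PHP code). Not the GreyNoise or Talos code; constructed data."""
import re
from urllib.parse import unquote_to_bytes

# Directives the public exploit sets; constructed list, extend as needed.
SUSPICIOUS_DIRECTIVES = (
    b"allow_url_include", b"auto_prepend_file", b"cgi.force_redirect",
    b"cgi.redirect_status_env", b"disable_functions",
)

# Soft hyphen followed by an option letter PHP-CGI accepts (-d define, -s source, -c config).
SOFT_HYPHEN_OPTION = re.compile(rb"\xad[dsc]")
# An ordinary hyphen option at the start of the query or right after a separator.
PLAIN_OPTION = re.compile(rb"(?:^|[ +&])-[dsc](?![A-Za-z0-9_])")

# Common Log Format: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def classify(target: str):
    """Return a tag for the request target, or None if nothing looks like option injection."""
    _path, _, query = target.partition("?")
    # One level of percent-decoding into bytes keeps 0xAD as a raw byte instead
    # of a Unicode character. Double-encoded payloads (%25AD) are deliberately
    # not decoded twice here; do that if the server in front would.
    raw = unquote_to_bytes(query)
    if SOFT_HYPHEN_OPTION.search(raw):
        if any(d in raw for d in SUSPICIOUS_DIRECTIVES):
            return "cve-2024-4577+directive"
        return "cve-2024-4577"
    if PLAIN_OPTION.search(raw):
        return "cve-2012-1823-style"
    return None


def scan_log(lines):
    """Return (ip, method, target, tag) for every log line that classify() tags."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        tag = classify(m["target"])
        if tag:
            hits.append((m["ip"], m["method"], m["target"], tag))
    return hits


# Constructed sample log lines; addresses are from documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2025:03:14:07 +0000] "POST /php-cgi/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 512
198.51.100.23 - - [10/Jan/2025:03:15:11 +0000] "GET /index.php?page=about HTTP/1.1" 200 1043
203.0.113.7 - - [10/Jan/2025:03:16:40 +0000] "POST /test.php?%ADs HTTP/1.1" 200 2048
192.0.2.50 - - [10/Jan/2025:03:17:02 +0000] "GET /cgi-bin/php-cgi?-d+allow_url_include=1 HTTP/1.1" 404 196
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(*hit)
```

The injected PHP code itself travels in the POST body, which access logs do not record, so the query string is the only artefact this check can see; a 200 response to a tagged request is the signal to pull the host's PHP logs and process history.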
Ashish Khaitan@The Cyber Express
//
References: thecyberexpress.com, research.kudelskisecurity.com
CISA has added critical vulnerabilities in VMware ESXi, Workstation and Fusion, along with a Linux kernel flaw, to its Known Exploited Vulnerabilities (KEV) Catalog. The flaws are being actively exploited and pose a significant risk, particularly to federal agencies, which must remediate KEV entries by a set deadline. Rapid patching is essential.
The VMware vulnerabilities, CVE-2025-22224, CVE-2025-22225 and CVE-2025-22226, can be chained by an attacker who already has administrative access inside a guest VM to escape the guest and run code on the hypervisor. CVE-2025-22224 is a Time-of-Check Time-of-Use (TOCTOU) bug in the VMCI component that leads to an out-of-bounds write and code execution in the host's VMX process; it carries a CVSSv3 score of 9.3 (Critical). Affected products include multiple versions of VMware ESXi, Workstation, Fusion, Cloud Foundation and Telco Cloud Platform; fixed versions are available.
Samarth Mishra@cysecurity.news
//
A malicious Python package named 'set-utils' has been found on the Python Package Index (PyPI). It steals Ethereum private keys by hooking the account-creation functions developers commonly call. Disguised as a utility for Python sets and mimicking the names of popular libraries, the package tricked developers into installing it and was downloaded over 1,000 times before the Python security team removed it from PyPI. The risk falls on Ethereum users and developers, particularly those working with Python-based wallet-management libraries.
'set-utils' works by silently wrapping the standard Ethereum wallet-creation functions (the eth-account library's from_key and from_mnemonic) so that every newly generated private key is copied out while the wallet keeps working normally. The keys are encrypted with an attacker-controlled RSA public key and exfiltrated inside blockchain transactions sent through the Polygon RPC endpoint, which blends in with legitimate traffic and defeats conventional egress monitoring. Uninstalling the package does not help after the fact: any wallet created while it was active must be treated as compromised and its funds moved. Developers should run regular dependency audits and automated scanning that looks for malicious behaviour in third-party packages, not just for known-vulnerable versions.
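As an added illustration, not code from the Socket report or from the set-utils package, the block below shows the hooking technique described above and one integrity check that catches it. `Account.from_key` here is a stand-in for the eth-account API (hypothetical, with a fake address derivation); `malicious_import` plays the role of the package's import-time code, writing the captured key to a list instead of a Polygon transaction; `snapshot`/`verify` fingerprint the trusted functions so a later swap is detected.

```python
"""Added example: monkey-patching a wallet library's key derivation, and a
bytecode-fingerprint baseline that detects the swap. `Account` is a stand-in
for eth_account.Account (hypothetical address derivation); nothing here is the
real library or the real malicious package."""
import hashlib


class Account:
    """Stand-in for eth_account.Account; real addresses are keccak-derived, this is not."""

    @staticmethod
    def from_key(private_key: str) -> dict:
        address = "0x" + hashlib.sha256(private_key.encode()).hexdigest()[-40:]
        return {"address": address, "key": private_key}


def malicious_import(target_cls, sink: list) -> None:
    """What importing a package like set-utils does: replace from_key with a
    wrapper that copies the key out, then calls the original so the wallet
    still works and nothing looks broken. The real package RSA-encrypted the
    key and embedded it in a Polygon transaction; here the sink is a list."""
    original = target_cls.from_key

    def leaky_from_key(private_key: str) -> dict:
        sink.append(private_key)
        return original(private_key)

    target_cls.from_key = staticmethod(leaky_from_key)


def fingerprint(func) -> str:
    """Hash a function's bytecode, constants and name; any replacement
    implementation changes at least one of them."""
    code = func.__code__
    h = hashlib.sha256(code.co_code)
    h.update(repr(code.co_consts).encode())
    h.update(code.co_name.encode())
    return h.hexdigest()


def snapshot(cls, names) -> dict:
    """Record fingerprints right after importing the trusted library and before
    any third-party package has run its import-time code."""
    return {name: fingerprint(getattr(cls, name)) for name in names}


def verify(cls, baseline: dict) -> list:
    """Return the names whose current implementation no longer matches the baseline."""
    return [name for name, fp in baseline.items() if fingerprint(getattr(cls, name)) != fp]


if __name__ == "__main__":
    baseline = snapshot(Account, ["from_key"])
    stolen = []
    malicious_import(Account, stolen)   # the "pip install set-utils" moment
    Account.from_key("0x01")            # wallet code keeps working as before
    print("patched:", verify(Account, baseline), "leaked:", stolen)
```

The check only helps if the baseline is trustworthy: take it from a clean environment (or pin the expected fingerprints in code) rather than at runtime after untrusted packages have already been imported, since a package that loads first could patch the function before the snapshot is taken.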
Lily Hay@WIRED
//
Two people have been charged with stealing more than $635,000 worth of concert tickets by abusing access to an offshore ticketing operation. Tyrone Rose, 20, and Shamara Simmons, 31, were arrested and charged with grand larceny and computer tampering. The scheme involved stealing the URLs for nearly 1,000 tickets to events including Taylor Swift's Eras Tour, Ed Sheeran and Adele concerts, NBA games and the US Open tennis championships, then reselling them for substantial profit.
Between June 2022 and July 2023, Rose and Simmons allegedly obtained the tickets through an offshore ticket vendor and resold them on StubHub in the US. Rose, an employee of Sutherland Global Services, a third-party contractor for StubHub in Jamaica, is accused of abusing his network access to find a "backdoor" into the order system. Prosecutors say the pair intercepted roughly 350 StubHub orders. The investigation is ongoing to determine whether the scheme was part of a wider operation.
Mandvi@Cyber Security News
//
References: Cyber Security News, WeLiveSecurity
A critical zero-day vulnerability dubbed EvilLoader has been disclosed in Telegram for Android by security researcher 0x6rss. It abuses Telegram's file handling: an HTML file given an .mp4 extension is treated as a video even though it contains no video data, and is delivered to the victim looking like an innocuous clip.
When the user tries to play the crafted "video", Telegram cannot render it and offers to open the file in an external application; the browser then loads the attacker's HTML page, which pushes a malicious APK. The attack is not one-click: the victim must tap the embedded link several times, disable Android's restriction on installing apps from unknown sources, and approve the installation. The file used in this attack has been offered for sale on underground hacker forums.
Rescana@Rescana
//
What was initially reported as an undocumented "backdoor" in the ESP32 microchip from Chinese manufacturer Espressif is in fact a set of undocumented vendor-specific commands in the chip's Bluetooth controller (HCI) firmware. The ESP32 is a cornerstone of the Internet of Things (IoT) ecosystem, providing Bluetooth and Wi-Fi connectivity, and had shipped in over a billion devices as of 2023. The researchers say the commands could be leveraged for attacks including spoofing trusted devices, unauthorized data access and pivoting to other devices on the network. Because they are issued over the chip's internal HCI interface, they require code already running on the device (or physical access to it), so the practical exposure depends on how well a given product protects its firmware.
The discovery was made by Spanish researchers Miguel Tarascó Acuña and Antonio Vázquez Blanco of Tarlogic Security, who presented their findings at RootedCON. Their research underscores the need for robust security in IoT devices; given the chip's reach, any weakness in it touches a very large number of products and systems.
Pierluigi Paganini@Security Affairs
//
A critical command-injection vulnerability, CVE-2025-1316, in the Edimax IC-7100 IP camera is being exploited by botnet malware. The flaw allows remote command execution on the device, and the compromised cameras are then used in denial-of-service attacks. Mirai-based botnets are actively exploiting this zero-day.
Unpatched Edimax cameras are prime targets in the ongoing attacks. Researchers at Akamai discovered the flaw and reported it to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which attempted to contact the Taiwanese vendor. Users should apply any available patches, and isolate or replace devices for which none exist, to keep them from being enlisted into these botnets.
Sergiu Gatlan@BleepingComputer
//
Microsoft has observed the North Korean hacking group Moonstone Sleet, previously tracked as Storm-1789, deploying Qilin ransomware in a limited number of attacks. This is a shift for the group, which has historically used custom-built ransomware; adopting Qilin means operating as an affiliate of a Ransomware-as-a-Service (RaaS) operation, using ransomware developed and maintained by outside operators rather than relying solely on its own tools.
The move points to financially motivated operations alongside the espionage the group was previously known for; it has been observed demanding ransoms as high as $6.6 million in Bitcoin. Moonstone Sleet has also used fake companies, trojanized software and even a malicious game to infiltrate targets, showing considerable adaptability and resourcefulness.
Bill Toulas@BleepingComputer
//
The Akira ransomware group has been observed using an unsecured IoT device to get around endpoint defences. Researchers at S-RM found that after Akira's first attempt to run its encryptor on a Windows server was blocked by the victim's Endpoint Detection and Response (EDR) tool, the attackers pivoted to a vulnerable webcam on the same network. The camera runs a lightweight Linux system with no EDR agent, and from it the attackers mounted the Windows Server Message Block (SMB) shares of other machines on the network.
Akira then encrypted the contents of those shares over SMB from the webcam, which the EDR never saw because it only observes the endpoints it is installed on; to the file servers, the encryption looked like ordinary network file writes from another device. The case shows that unmanaged IoT devices can defeat enterprise-grade endpoint defences, and that monitoring has to cover network activity and unmanaged assets, not just agent-protected hosts.
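One way to catch this pattern on the file-server side, as an added example that is not part of the S-RM report: compare the sources of SMB write bursts against the inventory of hosts that actually carry an EDR sensor. The input is constructed records shaped like Windows Security event 5145 (detailed file share access), reduced to the fields the rule needs; the inventory, addresses, share names and the 20-writes-per-minute threshold are all assumptions for the example.

```python
"""Added example: flag share encryption driven from a host the EDR does not cover.

The webcam in the Akira case ran Linux, so no Windows sensor saw the encryption
process; what the file server did see was a burst of SMB writes from an address
that is not a managed endpoint. Records below are constructed in the shape of
Windows Security event 5145 (time, source address, share, relative target,
access). Not code from S-RM; inventory and threshold are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed inventory: addresses of hosts that carry the EDR sensor (hypothetical).
MANAGED_HOSTS = {"10.0.0.11", "10.0.0.12", "10.0.0.20"}

# Accesses that modify data on the share; names follow the 5145 AccessMask text.
MODIFYING_ACCESS = {"WriteData", "AppendData", "DELETE", "WriteAttributes"}


def find_unmanaged_writers(events, managed, threshold=20, window=timedelta(seconds=60)):
    """events: iterable of (iso_time, source_ip, share, relative_target, access).
    Return {source_ip: details} for every source that is not in `managed` and
    performs at least `threshold` modifying accesses inside any `window`."""
    per_source = defaultdict(list)
    for ts, src, share, target, access in events:
        if src in managed or access not in MODIFYING_ACCESS:
            continue
        per_source[src].append((datetime.fromisoformat(ts), share, target))

    findings = {}
    for src, rows in per_source.items():
        rows.sort()
        times = [r[0] for r in rows]
        best, start = 0, 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            findings[src] = {
                "writes_in_window": best,
                "shares": sorted({r[1] for r in rows}),
                "sample_targets": [r[2] for r in rows[:3]],
            }
    return findings


def _constructed_events():
    """Constructed sample: normal writes from a managed workstation, a few scans
    from an unmanaged printer, and an encryption burst from an unmanaged webcam."""
    ev = [("2025-03-05T02:10:00", "10.0.0.11", r"\\FS01\Finance", r"Q1\budget.xlsx", "ReadData")]
    ev += [(f"2025-03-05T02:11:{i:02d}", "10.0.0.12", r"\\FS01\Finance", rf"Q1\report{i:02d}.docx", "WriteData")
           for i in range(30)]
    ev += [(f"2025-03-05T02:11:{i:02d}", "10.0.0.55", r"\\FS01\Scans", rf"scan{i}.pdf", "WriteData")
           for i in range(3)]
    ev += [(f"2025-03-05T02:12:{i:02d}", "10.0.0.77", r"\\FS01\Finance", rf"Q1\doc{i:03d}.docx.akira", "WriteData")
           for i in range(25)]
    return ev


SAMPLE_EVENTS = _constructed_events()

if __name__ == "__main__":
    for src, info in find_unmanaged_writers(SAMPLE_EVENTS, MANAGED_HOSTS).items():
        print(src, info)
```

In practice the inventory comes from the EDR console's asset export and needs an allow list for legitimately unmanaged heavy writers (backup appliances, NAS replication), otherwise the rule is noisy; the point is that the source of the writes, not the process on the server, is the only place this activity is visible.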
Bill Mann@CyberInsider
//
A newly discovered botnet, Eleven11bot, has infected more than 30,000 internet-connected devices, mainly security cameras and network video recorders (NVRs), and is using them to launch distributed denial-of-service (DDoS) attacks. The attacks have hit telecom infrastructure and gaming websites, causing significant disruptions.
The activity has been traced to Iran, while the infected devices are spread around the world. Researchers found the botnet spreading by brute-forcing device login pages, taking over devices protected by weak or reused passwords. Keeping firmware updated, replacing default or reused passwords with unique ones, and disabling remote access that is not needed substantially reduce the risk.
Thomas Brewster@Thomas Fox-Brewster
//
Federal investigators have linked the 2022 LastPass data breach to the theft of $150 million in XRP from a wallet in January 2024. Authorities believe the thieves used vault data stolen from LastPass, with master passwords obtained from it, to reach the wallet's keys. The stolen XRP, valued at $150 million at the time, is now worth an estimated $716 million after price increases.
U.S. law enforcement has seized over $23 million in cryptocurrency connected to the theft, and the U.S. Secret Service and FBI are working to recover the rest. Security researchers had previously identified a pattern of crypto heists tied to victims of the LastPass breach, suggesting its impact is much broader than this one case. The incident underlines the lasting risk when encrypted vaults are exfiltrated: they can be attacked offline indefinitely, so any secrets stored in them, wallet seeds above all, must be rotated rather than assumed safe behind the master password.
Amar Ćemanović@CyberInsider
//
Japanese telecom giant NTT Communications has confirmed a data breach affecting nearly 18,000 corporate customers. The company found unauthorized access to its internal systems on February 5, 2025; the intruders accessed details on these organizations, potentially exposing sensitive data.
According to NTT Com, the stolen data covers 17,891 organizations and includes customer names, contract numbers, phone numbers, email addresses, physical addresses and service-usage information. NTT Com restricted access to the compromised systems and disconnected a further compromised device it discovered later, but has not disclosed how the attackers got in or who they were, and it is not yet known how many individuals had personal data exposed.
Amar Ćemanović@CyberInsider
//
Microsoft is warning of a large-scale malvertising campaign, tracked as Storm-0408, that has affected nearly one million devices worldwide since early December 2024. The chain starts on illegal streaming websites carrying malvertising redirectors, which send users through intermediate sites to GitHub, Discord and Dropbox, where the initial-access payloads are hosted. The campaign's goal is to steal information from both consumer and enterprise devices; it does not appear to target anyone in particular.
The attackers used a multi-stage approach, with GitHub as the primary host for the first-stage malware. That stage drops further files and scripts that collect system information and exfiltrate documents and data. Microsoft, working with GitHub's security team, has taken down the malicious repositories. The redirection chain begins with a redirector embedded in an iframe on the streaming sites.
Lorenzo Franceschi-Bicchierai@techcrunch.com
//
The U.S. Secret Service, with international partners, has seized the web domains of the Russian cryptocurrency exchange Garantex. The action is part of an ongoing investigation involving the Department of Justice's Criminal Division, the FBI, Europol, the Dutch National Police, Germany's Federal Criminal Police Office, the Frankfurt General Prosecutor's Office, the Finnish National Bureau of Investigation and the Estonian National Criminal Police. The Secret Service confirmed the seizure of domains used to administer and operate Garantex.
The seizure warrant was obtained by the U.S. Attorney's Office for the Eastern District of Virginia. Garantex was sanctioned by the U.S. in April 2022 over its links to illicit activity; authorities have tied more than $100 million in transactions on the exchange to criminal enterprises and dark-web markets, including substantial sums connected to the Conti ransomware gang and the Hydra online drug marketplace.
Ameer Owda@socradar.io
//
A critical vulnerability, CVE-2025-25012, has been identified in Kibana, the data-visualization front end for Elasticsearch. The flaw is a prototype pollution bug, reachable through a crafted file upload combined with specially crafted HTTP requests, that allows arbitrary code execution on the Kibana host. It carries a CVSS score of 9.9, and Kibana's wide deployment makes it a significant risk to data confidentiality, integrity and availability.
The exposure depends on the version: in Kibana 8.15.0 through 8.17.0, any user with the Viewer role can exploit it; in 8.17.1 and 8.17.2, exploitation requires roles holding the fleet-all, integrations-all and actions:execute-advanced-connectors privileges. The fix is in 8.17.3. Where upgrading is not immediately possible, Elastic's advisory lists disabling the Integration Assistant feature (xpack.integration_assistant.enabled: false in kibana.yml) as a mitigation. Organizations running vulnerable versions should act promptly to prevent unauthorized access, data exfiltration and service disruption.
Dhara Shrivastava@cysecurity.news
//
February saw a record surge in ransomware attacks, driven by the prolific CL0P group, known for exploiting managed-file-transfer (MFT) vulnerabilities, alongside heavy activity from Akira and RansomHub.
Recent analysis also found the Black Basta and CACTUS ransomware groups sharing a BackConnect module, tracked internally as QBACKCONNECT, which provides extensive remote control including command execution and exfiltration of sensitive data. Separately, the Qilin ransomware group claimed attacks on the Utsunomiya Central Clinic (UCC), a cancer-treatment centre in Japan, and Rockhill Women's Care, a gynecology practice in Kansas City, stealing and leaking sensitive patient data.
Shira Landau@Email Security - Blog
//
The FBI has warned of a data-extortion scam in which criminals impersonate the BianLian ransomware group. The fraudsters mail physical letters via the United States Postal Service to corporate executives, claiming the recipient's network has been breached and demanding Bitcoin in exchange for not releasing sensitive company data.
Analysis indicates the letters are fraudulent: Arctic Wolf and GuidePoint Security have examined them and concluded the campaign is a ruse by someone posing as BianLian, with no sign of an actual intrusion behind the claims. The letters mimic conventional ransom notes and demand between $250,000 and $350,000 within 10 days; organizations in the US healthcare sector have been targeted in particular, and the FBI asks recipients to report them. The tactic shows criminals turning to postal mail to reach high-profile individuals directly. The FBI urges companies to establish internal procedures for verifying ransom demands, since telling a fake extortion attempt from a real breach means checking the claim against one's own telemetry rather than taking the letter at face value.
eff.org via@Lobsters
//
The Electronic Frontier Foundation (EFF) has released Rayhunter, a free and open-source tool for detecting cell-site simulators (CSS), also known as IMSI catchers or Stingrays. These devices masquerade as legitimate cell towers so that nearby phones connect to them; law enforcement and others use them to pinpoint phones' locations, log identifying information and sometimes intercept communications.
Rayhunter runs on an inexpensive mobile hotspot, so people without specialist skills can look for CSS anywhere in the world. The EFF hopes the tool will shed light on how these devices are actually used, since there is little solid empirical evidence about CSS function and deployment: police departments resist releasing usage logs, and the manufacturers do not disclose how the devices work.