CyberSecurity news

Sunny Yadav@eSecurity Planet //
A large-scale cryptocurrency miner campaign is currently targeting Russian users, employing the SilentCryptoMiner malware. The malware disguises itself as a legitimate tool designed to bypass internet restrictions, enticing users to download and install it. This campaign has already affected over 2,000 Russian users, who were tricked into downloading fake VPN and DPI bypass tools.

The attackers are distributing the malware through popular YouTube channels, with some boasting over 60,000 subscribers. The malicious files are presented as safe tools, while in reality, the archive contains a Python-based loader that retrieves the miner payload. To further their deception, attackers instruct victims to disable their antivirus programs, falsely claiming they trigger false positives, further exposing their systems to persistent, hidden threats.

Recommended read:
References :
  • securityaffairs.com: Large-scale cryptocurrency miner campaign targets Russian users with SilentCryptoMiner
  • thehackernews.com: SilentCryptoMiner infects 2,000 Russian users via fake VPN and DPI Bypass Tools
  • eSecurity Planet: SilentCryptoMiner Infects 2,000 Russian Users via Fake VPN Tools

@cyberalerts.io //
Davis Lu, a 55-year-old software developer from Houston, Texas, has been convicted in federal court for sabotaging the computer systems of his former employer, Eaton Corp, after a demotion in 2018 led to reduced responsibilities and system access. Lu, who worked for the company from November 2007 to October 2019, introduced malicious code onto the company's production systems starting in August 2019. This code included "infinite loops" designed to exhaust Java threads, causing system crashes and preventing user logins. Lu also wrote code to delete coworker profile files and implemented a "kill switch" that would lock out all users if his credentials in the company's Active Directory were disabled.

The "kill switch," named "IsDLEnabledinAD" (abbreviating "Is Davis Lu enabled in Active Directory"), was automatically activated upon his termination on Sept. 9, 2019, impacting thousands of company users globally. Additional code was named "Hakai," meaning "destruction" in Japanese, and "HunShui," meaning "sleep" or "lethargy" in Chinese. On the day he was directed to turn in his company laptop, Lu deleted encrypted data and his internet search history revealed that he had researched methods to escalate privileges, hide processes, and rapidly delete files, indicating an intent to obstruct efforts of his co-workers to resolve the system disruptions. Lu now faces a maximum penalty of 10 years in prison for causing intentional damage to protected computers.

Recommended read:
References :
  • DataBreaches.Net: Texas Man Convicted of Sabotaging his Employer’s Computer Systems and Deleting Data
  • The Register - Software: Developer sabotaged ex-employer with kill switch activated when he was let go
  • www.bleepingcomputer.com: Developer guilty of using kill switch to sabotage employer's systems
  • bsky.app: BSky Post on Sabotaging
  • BleepingComputer: A software developer has been found guilty of sabotaging his ex-employer's systems by running custom malware and installing a "kill switch" after being demoted at the company.
  • : Software developer Davis Lu cost his employer hundreds of thousands after deploying malware that caused crashes and failed logins

Rescana@Rescana //
Cybersecurity experts are warning of a mass exploitation of a critical PHP vulnerability, CVE-2024-4577. This flaw allows attackers to remotely execute code on vulnerable servers using Apache and PHP-CGI. GreyNoise data has confirmed that the exploitation extends far beyond initial reports, with attack attempts observed across multiple regions. Notable spikes have been detected in the United States, Singapore, Japan, and other countries throughout January 2025, signaling a broad campaign targeting this vulnerability.

Cisco Talos has discovered an active exploitation of CVE-2024-4577. The attacker gains access to victim machines and carries out post-exploitation activities. The attempted exploitation has escalated across the U.S., Japan, Singapore, and other parts of the world. GreyNoise detected over 1,000 attacks globally. Experts urge organizations to apply the necessary patches and monitor for suspicious activity to mitigate the risk of compromise.

Recommended read:
References :
  • Cisco Talos Blog: Cisco Talos has discovered an active exploitation of CVE-2024-4577 by an attacker in order to gain access to the victim's machines and carry out post-exploitation activities.
  • securityaffairs.com: Threat actors exploit PHP flaw CVE-2024-4577 for remote code execution. Over 1,000 attacks detected globally.
  • www.scworld.com: Attempted exploitation escalated across the U.S., Japan, Singapore, and other parts of the world.
  • www.cybersecuritydive.com: Critical PHP vulnerability under widespread cyberattack
  • The GreyNoise Blog: GreyNoise Detects Mass Exploitation of Critical PHP-CGI Vulnerability (CVE-2024-4577), Signaling Broad Campaign
  • MSSP feed for Latest: Targeting Of Critical PHP Vulnerability Expands Globally
  • www.techradar.com: Experts warn this critical PHP vulnerability could be set to become a global problem

Ashish Khaitan@The Cyber Express //
CISA has updated its Known Exploited Vulnerabilities (KEV) Catalog to include critical vulnerabilities affecting VMware ESXi, Workstation, Fusion, and Linux kernel. These flaws are actively being exploited, posing a significant risk, particularly for federal government organizations. Rapid patching is essential to mitigate the active cyber threats associated with these vulnerabilities.

The identified VMware vulnerabilities, CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, allow for remote code execution (RCE) and privilege escalation. Specifically, CVE-2025-22224 is a Time-of-Check Time-of-Use (TOCTOU) vulnerability with a CVSSv3 score of 9.3, classified as Critical. The affected systems include various versions of VMware ESXi, Workstation, Fusion, Cloud Foundation, and Telco Cloud Platform, with updated versions available to address the flaws.

Recommended read:
References :

Samarth Mishra@cysecurity.news //
A malicious Python package named 'set-utils' has been discovered on the Python Package Index (PyPI) repository. This package is designed to steal Ethereum private keys by exploiting commonly used account creation functions. Disguised as a utility for Python sets, the package mimics popular libraries, tricking developers into installing it. Since its appearance, 'set-utils' has been downloaded over 1,000 times, posing a significant threat to Ethereum users and developers, particularly those working with Python-based wallet management libraries. The Python security team has removed the malicious package from PyPI.

The 'set-utils' package operates by silently modifying standard Ethereum wallet creation functions. The private keys are exfiltrated within blockchain transactions via the Polygon RPC endpoint to resist traditional detection efforts. The stolen keys are encrypted using an attacker-controlled RSA public key before transmission, making detection challenging. Even if the package is uninstalled, any Ethereum wallets created while it was active remain compromised. To mitigate these risks, developers should employ regular dependency audits and automated scanning tools to detect malicious behaviors in third-party packages.

Recommended read:
References :
  • The Hacker News: Cybersecurity researchers have discovered a malicious Python package on the Python Package Index (PyPI) repository that's equipped to steal a victim's Ethereum private keys by impersonating popular libraries.
  • Developer Tech News: A malicious package designed to steal private keys for Ethereum wallets has been uncovered within the Python Package Index (PyPI). According to Socket, this package – named ‘set-utils’ – masquerades as a utility for Python sets and has been actively targeting developers.
  • Cyber Security News: PyPI Malware Exploits Developers to Hijack Ethereum Wallets
  • gbhackers.com: New PyPI Malware Targets Developers to Steal Ethereum Wallets
  • www.cysecurity.news: Researchers at have exposed a malicious PyPi (Python Package Index package), set-utils, that steals Ethereum private keys by abusing a “commonly used account creation functions.”

Lily Hay@WIRED //
Cybercriminals have allegedly stolen over $635,000 worth of Taylor Swift concert tickets by exploiting a loophole in an offshore ticketing system. Two individuals, Tyrone Rose, 20, and Shamara Simmons, 31, have been arrested and charged with grand larceny and computer tampering. The scheme involved stealing URLs for nearly 1,000 tickets to various events, including Taylor Swift's Eras Tour, Ed Sheeran concerts, Adele concerts, NBA games, and the US Open Tennis Championships, before reselling them for substantial profit.

Between June 2022 and July 2023, Rose and Simmons allegedly stole the tickets through an offshore ticket vendor and then resold them on StubHub in the US for significant profit. Rose, an employee of Sutherland Global Services, a third-party contractor for StubHub Jamaica, is accused of abusing his access to the network to find a backdoor. Prosecutors say the pair stole the tickets by allegedly intercepting approximately 350 orders from StubHub. The investigation is ongoing to determine if the Swift ticket scam was part of a wider operation.

Recommended read:
References :
  • WIRED: Cybercriminals Allegedly Used a StubHub Backdoor to Steal Taylor Swift Tickets
  • The Register - Security: Alleged cyber scalpers Swiftly cuffed over $635K Taylor ticket heist
  • The DefendOps Diaries: Cybercrime Exposes Vulnerabilities in Ticketing Systems: A Case Study
  • BleepingComputer: Cybercrime 'crew' stole $635,000 in Taylor Swift concert tickets
  • darkmarc.substack.com: Cybercriminals pulled off a massive ATM heist, hackers stole $600K in Taylor Swift concert tickets, and Mark Cuban made a bold move for laid-off tech workers. Instagram users were hit with a disturbing glitch, and Mozilla’s new terms sparked privacy fears. Here’s what happened this week.
  • www.techradar.com: Cybercriminals used vendor backdoor to steal almost $600,000 of Taylor Swift tickets
  • bsky.app: Cybercriminals Allegedly Used a StubHub Backdoor to Steal Taylor Swift Tickets

Mandvi@Cyber Security News //
A critical zero-day vulnerability, dubbed EvilLoader, has been discovered in Telegram for Android by security researcher 0x6rss. This exploit allows attackers to disguise malicious APK files as video files, potentially leading to unauthorized malware installations on users' devices. The vulnerability lies in Telegram's file handling: the app treats an HTML file carrying an .mp4 extension as a legitimate video, even though the file's contents are not video at all.

When a user attempts to play these crafted "videos," Telegram prompts them to open the file in an external application, potentially leading to the installation of malicious software. For the attack to succeed, users must click the embedded link multiple times, disable Android’s security restriction on installing apps from unknown sources, and proceed with the installation. The file facilitating this attack has been available for sale on underground hacker forums.
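The EvilLoader trick above relies on an application trusting the file extension instead of the file's bytes. The following Python check, added here as an illustration and not taken from the original report or from Telegram, shows the defensive counterpart: sniff the leading bytes and flag any file whose extension claims video but whose content looks like HTML. The markers, the 512-byte window and the sample inputs are assumptions constructed for the example.

```python
"""Flag files whose extension claims video but whose bytes say otherwise.

Constructed example: an MP4/QuickTime-family file begins with a 4-byte box
size followed by the ASCII tag 'ftyp'; an HTML payload begins with markup.
"""
from pathlib import Path

_FTYP = b"ftyp"
# Assumption: these markers are enough to recognise an HTML document in the
# first 512 bytes; real content sniffers use longer tables.
_HTML_MARKERS = (b"<!doctype html", b"<html", b"<script", b"<body", b"<head")
_VIDEO_EXTENSIONS = {".mp4", ".m4v", ".mov"}


def sniff(head: bytes) -> str:
    """Return a coarse content-type guess from the first bytes of a file."""
    if len(head) >= 8 and head[4:8] == _FTYP:
        return "video/mp4"
    window = head[:512].lstrip().lower()
    if any(marker in window for marker in _HTML_MARKERS):
        return "text/html"
    return "application/octet-stream"


def check_claimed_video(name: str, head: bytes) -> dict:
    """Compare what the extension claims with what the bytes show.

    'mismatch' is True only when the name claims video and the content is
    not a recognised MP4 container; that is the EvilLoader-style case.
    """
    claimed_video = Path(name).suffix.lower() in _VIDEO_EXTENSIONS
    actual = sniff(head)
    return {
        "name": name,
        "claimed_video": claimed_video,
        "actual": actual,
        "mismatch": claimed_video and actual != "video/mp4",
    }


def scan_file(path: str) -> dict:
    """Read only the head of a file on disk and run the same check."""
    with open(path, "rb") as fh:
        return check_claimed_video(Path(path).name, fh.read(512))


# Constructed sample inputs (not real files from the campaign).
MP4_HEAD = b"\x00\x00\x00\x18ftypmp42\x00\x00\x00\x00mp42isom"
HTML_BODY = b"<!DOCTYPE html><html><body>not a video</body></html>"

if __name__ == "__main__":
    for name, head in (("clip.mp4", MP4_HEAD), ("clip.mp4", HTML_BODY), ("notes.txt", HTML_BODY)):
        print(check_claimed_video(name, head))
```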

Recommended read:
References :
  • Cyber Security News: A critical zero-day vulnerability in Telegram for Android, dubbed EvilLoader, has been discovered by security researcher 0x6rss. This exploit allows attackers to disguise malicious APKs as video files, potentially leading to unauthorized malware installations on users’ devices.
  • WeLiveSecurity: ESET researchers discuss how they uncovered a zero-day Telegram for Android exploit that allowed attackers to send malicious files posing as videos
  • securityonline.info: Telegram’s EvilLoader: Hackers Exploit Video Flaw Again

Rescana@Rescana //
A so-called "backdoor", in reality a set of undocumented commands, has been discovered in the ESP32 microchip made by the Chinese manufacturer Espressif. This chip is a cornerstone of the Internet of Things (IoT) ecosystem, providing essential Bluetooth and Wi-Fi connectivity, and was used in over a billion devices as of 2023. The undocumented commands could be leveraged for attacks including spoofing trusted devices, unauthorized data access, and pivoting to other devices on the network.

This discovery was made by Spanish researchers Miguel Tarascó Acuña and Antonio Vázquez Blanco from Tarlogic Security, who presented their findings at RootedCON. Their research underscores the critical need for robust security measures in IoT devices. The potential impact could be extensive, considering the chip’s widespread usage. This discovery raises concerns about the security of numerous devices and systems that rely on the ESP32 for their operations.

Recommended read:
References :
  • infosec.exchange: Ok, poll for the "supply chain risk management" people! There's a backdoor in the ESP32 wifi/bluetooth chip.
  • Anonymous: The ubiquitous microchip made by Chinese manufacturer Espressif and used by over 1 billion units as of 2023 contains an undocumented "backdoor" that could be leveraged for attacks.
  • The DefendOps Diaries: Discover the ESP32 backdoor's impact on IoT security and the urgent need for robust protection measures.
  • www.bleepingcomputer.com: The ubiquitous ESP32 microchip made by Chinese manufacturer Espressif and used by over 1 billion units as of 2023 contains an undocumented "backdoor" that could be leveraged for attacks.
  • BleepingComputer: Infosec.Exchange post about ESP32 Microchip Backdoor
  • BleepingComputer: Infosec.Exchange post about ESP32 microchip with undocumented backdoor.
  • Jon Greig: IOC.Exchange post about the backdoor
  • TARNKAPPE.INFO: Bluetooth chip backdoor discovered: over 1 billion devices affected
  • Rescana: Unveiling the ESP32 Bluetooth Chip Backdoor: Security Vulnerabilities and Mitigation Strategies
  • BleepingComputer: The ubiquitous ESP32 microchip made by Chinese manufacturer Espressif and used by over 1 billion units as of 2023 contains undocumented commands that could be leveraged for attacks.
  • dragosr: Oh, is that all? A few (billion?) ESP32 devices let attackers establish persistency in local flash using an undocumented commands set accessible from an over the air pivot, and low level protocol injection and spoofing control...
  • securityaffairs.com: Undocumented hidden feature found in Espressif ESP32 microchip
  • BleepingComputer: The ubiquitous ESP32 microchip made by Chinese manufacturer Espressif and used by over 1 billion units as of 2023 contains an undocumented "backdoor" that could be leveraged for attacks.
  • Davey Winder: Identity Theft Warning—Hidden Commands In 1 Billion Bluetooth Chips
  • www.techradar.com: ESP32 Bluetooth chip, which has been sold in the billions, allegedly allowed remote access and backdoor deployment.
  • Security | TechRepublic: Researchers warn these commands could be exploited to manipulate memory, impersonate devices, and bypass security controls.
  • BetaNews: Attackers can use undocumented commands to hijack Chinese-made Bluetooth chips
  • CyberInsider: Hidden Commands Discovered in Bluetooth Chip Used in a Billion Devices
  • bsky.app: Undocumented "backdoor" found in Bluetooth chip used by a billion devices

Pierluigi Paganini@Security Affairs //
A critical command injection vulnerability, identified as CVE-2025-1316, impacting the Edimax IC-7100 IP camera is currently being exploited by botnet malware to compromise devices. This flaw allows attackers to achieve remote command execution, potentially leading to denial-of-service. Mirai-based botnets are actively exploiting this zero-day vulnerability.

Unpatched Edimax IP cameras are now prime targets in ongoing botnet attacks. Security researchers at Akamai discovered the flaw and reported it to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which attempted to contact the Taiwanese vendor. Users are strongly advised to apply any available patches to prevent their devices from being compromised and enlisted into these botnets.

Recommended read:
References :
  • securityaffairs.com: US CISA warns that multiple botnets are exploiting a recently disclosed vulnerability, tracked as CVE-2025-1316 (CVSS score of 9.8), in Edimax IC-7100 IP cameras.
  • www.bleepingcomputer.com: A critical command injection vulnerability impacting the Edimax IC-7100 IP camera is currently being exploited by botnet malware to compromise devices.
  • bsky.app: A critical command injection vulnerability impacting the Edimax IC-7100 IP camera is currently being exploited by botnet malware to compromise devices.
  • bsky.app: A critical command injection vulnerability impacting the Edimax IC-7100 IP camera is currently being exploited by botnet malware to compromise devices.
  • securityonline.info: CISA Warns of Critical Edimax IP Camera Flaw (CVE-2025-1316) with Public Exploits and No Vendor Fix
  • The DefendOps Diaries: Understanding and Mitigating the Edimax IP Camera Vulnerability
  • www.techradar.com: Edimax IC-7100 camera was found vulnerable to a command injection flaw currently being used in remote code execution attacks.
  • www.scworld.com: Edimax IP camera zero-day

Sergiu Gatlan@BleepingComputer //
Microsoft has identified a North Korean hacking group known as Moonstone Sleet, previously tracked as Storm-1789, deploying Qilin ransomware in limited attacks. This represents a shift for the group, as they have historically used custom-built ransomware. The adoption of Qilin ransomware signifies a move towards Ransomware-as-a-Service (RaaS), where they utilize ransomware developed by external operators rather than relying solely on their own tools.

Moonstone Sleet's move to RaaS marks a new era in cyber threats, primarily driven by financial motivations, a departure from previous espionage-focused operations. They have been observed demanding ransoms as high as $6.6 million in Bitcoin. The group has also been known to use creative tactics, including fake companies, trojanized software, and even a malicious game to infiltrate targets, showcasing their adaptability and resourcefulness.

Recommended read:
References :
  • gbhackers.com: North Korean Moonstone Sleet Uses Creative Tactics to Deploy Custom Ransomware
  • The DefendOps Diaries: Moonstone Sleet's Shift to Ransomware-as-a-Service: A New Era in Cyber Threats
  • BleepingComputer: Microsoft: North Korean hackers join Qilin ransomware gang
  • Cyber Security News: North Korean Moonstone Sleet Deploys Custom Ransomware with Creative Tactics
  • securityaffairs.com: Microsoft researchers reported that North Korea-linked APT tracked as Moonstone Sleet has employed the Qilin ransomware in limited attacks.
  • www.scworld.com: Moonstone Sleet was previously reported to have been behind a FakePenny ransomware attack.

Bill Toulas@BleepingComputer //
The Akira ransomware group has been observed employing a novel attack technique, weaponizing unsecured IoT devices to bypass traditional security measures. Cybersecurity researchers at S-RM discovered that Akira exploited a vulnerable webcam to circumvent Endpoint Detection and Response (EDR) systems and encrypt systems within a target’s network. This allowed the ransomware to mount Windows Server Message Block (SMB) network shares of other devices on the network.

Akira ransomware successfully encrypted network shares over SMB, effectively working around the EDR defenses. Attackers mounted writable network shares from the webcam’s environment, while EDR solutions often ignore SMB traffic from IoT devices. The attackers demonstrated how unsecured IoT devices can bypass enterprise-grade defenses, highlighting that perimeter defense alone is insufficient in modern network environments.
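The detection gap described above is that an IoT device is not expected to be an SMB client at all, let alone one writing to many shares. The Python snippet below is an added example, not code from S-RM or from the original article, that runs a simple hunt over constructed SMB session log lines: any host that obtains write access to several distinct shares is reported, and sources inside the camera/IoT VLAN are marked high severity. The log format, the IoT subnet and the threshold are assumptions for the example; it generalises the webcam case to any host.

```python
"""Hunt for hosts writing to many SMB shares, with IoT sources ranked highest.

Constructed example: the log format below is invented for this snippet; map
the regex to your own SMB server or firewall logs.
"""
import ipaddress
import re
from collections import defaultdict

# Assumption: the subnet that holds cameras and other IoT devices.
IOT_NETS = [ipaddress.ip_network("10.20.30.0/24")]

# Assumption: one line per tree-connect, with source, target, share and access.
LINE_RE = re.compile(r"src=(\S+) dst=(\S+) share=(\S+) op=(\S+) access=(\S+)")

# Constructed sample log: a camera (10.20.30.44) mounting three shares with
# write access, a second camera reading one share, and a workstation
# (10.20.50.10) writing to the same three shares.
SAMPLE_LOG = r"""
2025-03-06T02:11:05Z src=10.20.30.44 dst=10.20.1.15 share=\\FS01\Finance op=TREE_CONNECT access=write
2025-03-06T02:11:09Z src=10.20.30.44 dst=10.20.1.15 share=\\FS01\HR op=TREE_CONNECT access=write
2025-03-06T02:11:14Z src=10.20.30.44 dst=10.20.1.16 share=\\FS02\Backups op=TREE_CONNECT access=write
2025-03-06T02:12:00Z src=10.20.30.45 dst=10.20.1.15 share=\\FS01\Public op=TREE_CONNECT access=read
2025-03-06T02:12:30Z src=10.20.50.10 dst=10.20.1.15 share=\\FS01\Finance op=TREE_CONNECT access=write
2025-03-06T02:12:35Z src=10.20.50.10 dst=10.20.1.15 share=\\FS01\HR op=TREE_CONNECT access=write
2025-03-06T02:12:40Z src=10.20.50.10 dst=10.20.1.16 share=\\FS02\Backups op=TREE_CONNECT access=write
"""


def is_iot(ip: str) -> bool:
    """True when the address falls inside a configured IoT subnet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in IOT_NETS)


def find_share_writers(lines, min_shares: int = 3) -> list:
    """Return one finding per source host that wrote to >= min_shares shares.

    IoT sources are flagged 'high' because a camera has no business acting as
    an SMB client; other hosts are 'medium' and need context (backup jobs,
    admin workstations) before they are treated as suspicious.
    """
    shares = defaultdict(set)
    for line in lines:
        match = LINE_RE.search(line)
        if not match:
            continue
        src, _dst, share, op, access = match.groups()
        if op != "TREE_CONNECT" or access != "write":
            continue
        shares[src].add(share)

    findings = []
    for src, names in shares.items():
        if len(names) < min_shares:
            continue
        iot = is_iot(src)
        findings.append({
            "src": src,
            "iot": iot,
            "severity": "high" if iot else "medium",
            "shares": sorted(names),
        })
    # Highest severity first, then by number of shares touched.
    findings.sort(key=lambda f: (f["severity"] != "high", -len(f["shares"])))
    return findings


if __name__ == "__main__":
    for finding in find_share_writers(SAMPLE_LOG.splitlines()):
        print(finding)
```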

Recommended read:
References :
  • Cyber Security News: Akira Ransomware Exploits RDP to Attack Windows Servers
  • gbhackers.com: Akira Ransomware Targets Windows Servers via RDP and Evades EDR with Webcam Trick
  • www.bleepingcomputer.com: Akira ransomware encrypted network from a webcam to bypass EDR
  • The DefendOps Diaries: Akira Ransomware: Unsecured Webcams and IoT Vulnerabilities
  • Hidden Dragon: Akira ransomware group have been found using an unsecured webcam to launch their attack and encrypt their target’s entire network. Akira used the webcam to mount Windows Server Message Block (SMB) network shares of the company's other devices. Then, they encrypted the network shares over SMB, successfully working around EDR.
  • securityaffairs.com: The Akira ransomware gang exploited an unsecured webcam to bypass EDR and launch encryption attacks on a victim’s network.
  • Hidden Dragon: Akira ransomware gang have been found using an unsecured webcam to launch their attack and encrypt their target’s entire network.
  • BleepingComputer: The Akira ransomware gang was spotted using an unsecured webcam to launch encryption attacks on a victim's network, effectively circumventing Endpoint Detection and Response (EDR), which was blocking the encryptor in Windows.
  • Anonymous: ransomware gang was spotted using an unsecured webcam to launch encryption attacks on a victim's network, effectively circumventing Endpoint Detection and Response (EDR), which was blocking the encryptor in Windows.
  • DataBreaches.Net: The Akira ransomware gang exploited an unsecured webcam to bypass EDR and launch encryption attacks on a victim’s network.
  • Vulnerability-Lookup: Akira ransomware group have been found using an unsecured webcam to launch their attack and encrypt their target’s entire network
  • BleepingComputer: Ransomware gang encrypted network from a webcam to bypass EDR
  • Secure Bulletin: Akira ransomware’s ingenious IoT gambit: when webcams become cyberweapons
  • www.techradar.com: Security researchers explain how a company with EDR ended up hacked and its infrastructure encrypted.

Bill Mann@CyberInsider //
A newly discovered botnet, Eleven11bot, has infected over 30,000 internet-connected devices. These compromised devices, primarily security cameras and Network Video Recorders (NVRs), are being actively used to launch Distributed Denial of Service (DDoS) attacks. The botnet's malicious activity has been directed towards critical telecom infrastructure and gaming websites, causing significant disruptions.

The activity of Eleven11bot has been traced back to Iran, with the infected devices distributed globally. Security researchers have discovered the botnet is being used to carry out brute force attacks on login pages. Weak or reused passwords are being exploited to take control of vulnerable devices. Regular updates to device firmware, frequent password changes, and disabling remote access can significantly reduce the risk of these breaches.

Recommended read:
References :
  • CyberInsider: Massive DDoS Botnet Eleven11bot Infects 30,000+ IoT Devices
  • www.cybersecurity-insiders.com: DDoS attacks by 30k botnets and IBM n Vodafone safe internet from quantum computing attacks
  • securityaffairs.com: New Eleven11bot botnet infected +86K IoT devices
  • www.scworld.com: Over 86K devices impacted by novel global Eleven11bot botnet
  • www.techradar.com: Another huge new botnet is infecting thousands of webcams and video recorders for DDoS attacks
  • aboutdfir.com: Massive botnet that appeared overnight is delivering record-size DDoSes. A newly discovered network botnet comprising an estimated 30,000 webcams and video recorders, with the largest concentration in the US, has been delivering what is likely to be the biggest denial-of-service attack ever seen, a security researcher inside Nokia said.
  • The GreyNoise Blog: A newly discovered global cyber threat is rapidly expanding, infecting tens of thousands of internet-connected devices to launch powerful cyberattacks.
  • WIRED: Eleven11bot infects webcams and video recorders, with a large concentration in the US.

Thomas Brewster@Thomas Fox-Brewster //
Federal investigators have linked the 2022 LastPass data breach to a $150 million cryptocurrency theft from a Ripple XRP wallet in January 2024. Authorities believe the hackers exploited stolen master passwords to gain unauthorized access to the wallet. The stolen XRP, initially valued at $150 million, is now worth an estimated $716 million due to fluctuations in the cryptocurrency market.

U.S. law enforcement has seized over $23 million in cryptocurrency connected to the theft. The U.S. Secret Service and FBI are actively investigating the case and working to recover the remaining stolen funds. Security researchers had previously identified a pattern of similar crypto heists linked to the LastPass breach, suggesting a broader impact of the password manager vulnerability. The incident highlights the significant risks associated with compromised password management systems.

Recommended read:
References :
  • bsky.app: US authorities have seized over $23 million in cryptocurrency linked to the theft of $150 million from a Ripple crypto wallet in January 2024. Investigators believe hackers who breached LastPass in 2022 were behind the attack.
  • krebsonsecurity.com: KrebsOnSecurity published findings from security researchers who concluded that a series of six-figure cyberheists across dozens of victims resulted from thieves cracking master passwords stolen from the password manager service LastPass in 2022.
  • The DefendOps Diaries: The Seizure of $23 Million in Cryptocurrency: A Detailed Analysis of the Ripple Wallet Hack Linked to LastPass Breach
  • Thomas Fox-Brewster: Feds Suspect LastPass Hackers Stole $150 Million In Crypto From One Person
  • www.bleepingcomputer.com: U.S. authorities have seized over $23 million in cryptocurrency linked to the theft of $150 million from a Ripple crypto wallet in January 2024. Investigators believe hackers who breached LastPass in 2022 were behind the attack.
  • BrianKrebs: New, by me: Feds Link $150M Cyberheist to 2022 LastPass Hacks In September 2023, KrebsOnSecurity published findings from security researchers who concluded that a series of six-figure cyberheists across dozens of victims resulted from thieves cracking master passwords stolen from the password manager service LastPass in 2022. In a court filing this week, U.S. federal agents investigating a spectacular $150 million cryptocurrency heist said they had reached the same conclusion.
  • Metacurity: Hack of LastPass in 2022 led to massive theft of XRP, now worth nearly $700 million

Amar Ćemanović@CyberInsider //
Japanese telecom giant NTT Communications has confirmed a data breach impacting nearly 18,000 corporate customers. The company discovered unauthorized access to its internal systems on February 5, 2025. Hackers are reported to have accessed details of these organizations, potentially compromising sensitive data.

The stolen data includes customer names, contract numbers, phone numbers, email addresses, physical addresses, and information on service usage belonging to 17,891 organizations, according to NTT Com. While NTT Com has restricted access to compromised devices and disconnected another compromised device, the specific nature of the cyberattack and the identity of the perpetrators remain unknown. It’s not yet known how many individuals had personal data stolen.

Recommended read:
References :
  • Carly Page: Japanese telecom giant NTT Communications says hackers stole the data of almost 18,000 corporate customers during a February cyberattack. It’s not yet known how many individuals had personal data stolen or who was behind the NTT breach
  • CyberInsider: NTT Communications Suffers Data Breach Impacting 18,000 Companies
  • BleepingComputer: Japanese telecommunication services provider NTT Communications Corporation (NTT) is warning almost 18,000 corporate customers that their information was compromised during a cybersecurity incident.
  • techcrunch.com: Unidentified hackers breached NTT Com’s network to steal personal information of employees at thousands of corporate customers
  • bsky.app: Japanese telecommunication services provider NTT Communications Corporation (NTT) is warning almost 18,000 corporate customers that their information was compromised during a cybersecurity incident.
  • The DefendOps Diaries: Lessons from the NTT Data Breach: A 2025 Perspective
  • bsky.app: Japanese telecommunication services provider NTT Communications Corporation (NTT) is warning almost 18,000 corporate customers that their information was compromised during a cybersecurity incident.
  • www.scworld.com: NTT Communications says hackers stole the data of almost 18,000 corporate customers during a February cyberattack
  • securityaffairs.com: Japanese telecom giant NTT suffered a data breach that impacted 18,000 companies
  • The420.in: Japanese Telecom Giant NTT Suffers Data Breach, Impacting 18,000 Companies
  • www.it-daily.net: The Japanese ICT provider NTT Communications (NTT Com) has admitted to a serious security breach that resulted in the loss of information on a total of 17,891 corporate customers.
  • www.scworld.com: Nearly 18K orgs' data compromised in NTT Communications hack

Amar Ćemanović@CyberInsider //
Microsoft is warning of a large-scale malvertising campaign that has impacted nearly one million devices worldwide, starting in early December 2024. The attack originates from illegal streaming websites using embedded malvertising redirectors. These redirectors lead users to GitHub, Discord, and Dropbox where initial access payloads are hosted. The primary goal of this campaign, tracked under the name Storm-0408, is to steal sensitive information from both consumer and enterprise devices, highlighting the indiscriminate nature of the attack.

The attackers used a multi-stage approach, with GitHub serving as the primary platform for delivering the initial malware. This malware then deploys additional malicious files and scripts designed to collect system information and exfiltrate documents and data. Microsoft has since taken down the malicious repositories with the collaboration of the GitHub security team. The attack also employs a sophisticated redirection chain, with the initial redirector embedded within an iframe element on the illegal streaming websites.

Recommended read:
References :
  • The Hacker News: Microsoft Warns of Malvertising Campaign Infecting Over 1 Million Devices Worldwide
  • Microsoft Security Blog: Malvertising campaign leads to info stealers hosted on GitHub
  • CyberInsider: Microsoft has uncovered a large-scale malvertising campaign that compromised nearly one million devices worldwide, distributing information-stealing malware via GitHub. The attack, detected in early December 2024, originated from illegal streaming websites that redirected users through multiple malicious domains before delivering payloads hosted on GitHub, Dropbox, and Discord.
  • Hidden Dragon: Nearly 1 million Windows devices were targeted in recent months by a sophisticated "malvertising" campaign that surreptitiously stole login credentials, cryptocurrency, and other sensitive information from infected machines.
  • hackread.com: Microsoft Dismantles Malvertising Scam Using GitHub, Discord, Dropbox
  • www.techradar.com: Microsoft reveals over a million PCs hit by malvertising campaign
  • www.bleepingcomputer.com: Microsoft says malvertising campaign impacted 1 million PCs
  • Tech Monitor: Microsoft neutralises malvertising scheme that affected one million devices
  • Cyber Security News: Microsoft Warns That 1 Million Devices Are Infected by Malware from GitHub
  • gbhackers.com: 1 Million Devices Infected by Malware from GitHub
  • The Register - Security: Microsoft admits GitHub hosted malware that infected almost a million devices
  • securityonline.info: Microsoft Uncovers Massive Malvertising Campaign Distributing Info Stealers via GitHub
  • Virus Bulletin: Microsoft researchers detail their investigation of a large-scale malvertising campaign that impacted nearly one million devices globally in an opportunistic attack to steal information.
  • www.itpro.com: Microsoft has alerted users to a malvertising campaign leveraging GitHub to infect nearly 1 million devices around the world.
  • Security Risk Advisors: Malvertising Campaign Targets One Million Devices with Info Stealers Hosted on GitHub
  • Digital Information World: Microsoft Discovers Massive Malvertising Campaign Infecting Over 1 Million Devices

Lorenzo Franceschi-Bicchierai@techcrunch.com //
The U.S. Secret Service, in collaboration with international law enforcement agencies, has seized the domain of the Russian cryptocurrency exchange Garantex. This action was part of an ongoing investigation and involved agencies such as the Department of Justice's Criminal Division, the FBI, Europol, the Dutch National Police, the German Federal Criminal Police Office, the Frankfurt General Prosecutor's Office, the Finnish National Bureau of Investigation, and the Estonian National Criminal Police. The Secret Service confirmed the seizure of website domains associated with Garantex's administration and operation.

The seizure warrant was obtained by the US Attorney's Office for the Eastern District of Virginia. Garantex had previously been sanctioned by the U.S. in April 2022, due to its association with illicit activities. Authorities have linked over $100 million in transactions on the exchange to criminal enterprises and dark web markets, including substantial sums connected to the Conti ransomware gang and the Hydra online drug marketplace.

Recommended read:
References :
  • bsky.app: The US Secret Service has seized the domain of the sanctioned Russian cryptocurrency exchange Garantex in collaboration with the Department of Justice's Criminal Division, the FBI, and Europol.
  • The Register - Security: International cops seize ransomware crooks' favorite Russian crypto exchange
  • infosec.exchange: UPDATE: Secret Service spokesperson told us that it "has seized website domains associated with the administration and operation of Russian cryptocurrency exchange, Garantex as part of an ongoing investigation."
  • Zack Whittaker: NEW: Russian crypto exchange Garantex has been seized by the U.S. Secret Service during an international law enforcement operation. FBI declined to comment; Secret Service didn't respond, but Garantex's domain is now pointing to nameservers run by the Secret Service. More from :
  • securityaffairs.com: International law enforcement operation seized the domain of the Russian crypto exchange Garantex
  • The Register - Security: Uncle Sam charges alleged Garantex admins after crypto-exchange web seizures
  • infosec.exchange: NEW: The U.S. government has accused two administrators of Russian crypto exchange Garantex of facilitating money laundering for terrorists and cybercriminals. Aleksej Besciokov and Aleksandr Mira Serda allegedly knew they were helping ransomware hackers as well as DPRK's Lazarus Group. Besciokov is also accused of conspiracy to violate U.S. sanctions.
  • The Hacker News: U.S. Secret Service Seizes Russian Garantex Crypto Exchange Website
  • infosec.exchange: NEW: U.S. Secret Service and other international law enforcement agencies have seized the website of Russian crypto exchange Garantex. Garantex had previously been sanctioned by the U.S. government for being associated with ransomware gangs like Conti and darknet markets, as well as by the European Union for ties to sanctioned Russian banks.
  • The DefendOps Diaries: International Collaboration in the Takedown of Garantex
  • Threats | CyberScoop: The Department of Justice also indicted two men tied to the exchange.
  • BleepingComputer: The administrators of the Russian Garantex crypto-exchange have been charged in the United States with facilitating money laundering for criminal organizations and violating sanctions.
  • techcrunch.com: US charges admins of Garantex for allegedly facilitating crypto money laundering for terrorists and hackers
  • Metacurity: Law enforcement took down hacker-friendly Russian crypto exchange Garantex
  • www.scworld.com: Global law enforcement crackdown hits Russian crypto exchange Garantex
  • securityonline.info: Secret Service-Led Operation Seizes Garantex Cryptocurrency Exchange
  • techcrunch.com: Russian crypto exchange Garantex seized by law enforcement operation
  • Jon Greig: US officials charged Aleksej Besciokov and Aleksandr Mira Serda on Friday for their roles at Garantex. They also made copies of Garantex’s customer and accounting databases before servers were seized by German and Finnish officials.
  • infosec.exchange: NEW: After authorities took down the domains of Russian crypto exchange Garantex, and charged two of its administrators for facilitating money laundering, the company is now inviting customers for “face-to-face meetings” at its headquarters. 🤔

Ameer Owda@socradar.io //
A critical security vulnerability, CVE-2025-25012, has been identified in Kibana, the data visualization platform used with Elasticsearch. This flaw stems from prototype pollution and could enable attackers to execute arbitrary code on affected systems. Given Kibana's widespread adoption across various industries, this vulnerability poses a significant risk to data security, integrity, and system stability. The vulnerability has a CVSS score of 9.9.

Versions 8.15.0 up to 8.17.3 are affected; in those versions the flaw can be exploited by users holding only the Viewer role, while in versions 8.17.1 and 8.17.2 exploitation requires roles with elevated privileges. It is advised to update Kibana to version 8.17.3. Immediate action is crucial for organizations using vulnerable versions of Kibana to mitigate the potential for unauthorized access, data exfiltration, and service disruption.

Recommended read:
References :
  • socradar.io: Critical Kibana Vulnerability (CVE-2025-25012) Exposes Systems to Code Execution, Patch Now
  • securityaffairs.com: Security Affairs article on Elastic patching critical Kibana flaw.
  • The Hacker News: The Hacker News article on Elastic releasing an urgent fix for a critical Kibana vulnerability.
  • thecyberexpress.com: Elastic Issues Urgent Update for Critical Kibana Vulnerability Exposing Remote Code Execution Risk
  • Rescana: Critical Kibana Vulnerability Report: Urgent Mitigation Needed for CVE-2025-25015
  • securityonline.info: CVE-2025-25012 (CVSS 9.9): Critical Code Execution Vulnerability Patched in Elastic Kibana
  • securityonline.info: CVE-2025-25015 (CVSS 9.9): Critical Code Execution Vulnerability Patched in Elastic Kibana
  • research.kudelskisecurity.com: Critical Kibana Vulnerability Enabling Remote Code Execution (CVE-2025-25012)
  • Tom Sellers: Elastic has published a security advisory for a CVSSv3 9.9 rated RCE in Kibana versions 8.15.0 to 8.17.2. The access required varies depending on the version, see the post below. Kibana version 8.17.3 has been released to address this vulnerability.
  • securityaffairs.com: Elastic patches critical Kibana flaw allowing code execution

Dhara Shrivastava@cysecurity.news //
February witnessed a record-breaking surge in ransomware attacks, fueled by the prolific activity of groups like CL0P, known for exploiting MFT vulnerabilities. The ransomware landscape is also seeing significant activity from groups like Akira and RansomHub.

Recent analysis reveals a notable development with the Black Basta and CACTUS ransomware groups, uncovering a shared BackConnect module. This module, internally tracked as QBACKCONNECT, provides extensive remote control capabilities, including executing commands and exfiltrating sensitive data. The Qilin ransomware group has also claimed responsibility for attacks on the Utsunomiya Central Clinic (UCC), a cancer treatment center in Japan, and Rockhill Women's Care, a gynecology facility in Kansas City, stealing and leaking sensitive patient data.

Recommended read:
References :
  • cyble.com: February Sees Record-Breaking Ransomware Attacks, New Data Shows
  • The Register - Security: Qilin ransomware gang claims attacks on cancer clinic, OB-GYN facility
  • iHLS: Ransomware Group Targets Cancer Clinic, Exposes Sensitive Health Data
  • securityaffairs.com: Medusa ransomware has claimed nearly 400 victims since January 2023, with attacks increasing by 42% between 2023 and 2024.
  • thecyberexpress.com: Ransomware attacks set a single-month record in February that was well above previous highs.
  • The DefendOps Diaries: Akira Ransomware: Unsecured Webcams and IoT Vulnerabilities
  • blog.knowbe4.com: A new report from Arctic Wolf has found that 96% of attacks now involve data theft as criminals seek to force victims to pay up.
  • DataBreaches.Net: The Akira ransomware gang exploited an unsecured webcam to bypass EDR and launch encryption attacks on a victim's network.

Shira Landau@Email Security - Blog //
The FBI has issued a warning regarding a new data extortion scam where criminals are impersonating the BianLian ransomware group. These fraudsters are sending physical letters through the United States Postal Service to corporate executives, claiming their networks have been breached. The letters demand Bitcoin payments in exchange for preventing the release of sensitive company data.

Analysis suggests these letters are fraudulent, and organizations, particularly within the US healthcare sector, are advised to report such incidents to the FBI. Security vendors, including Arctic Wolf and Guidepoint Security, have studied these letters and believe the campaign is a ruse by someone pretending to be BianLian. The letters mimic conventional ransom notes, demanding payments of between $250,000 to $350,000 within 10 days.

This activity highlights the evolving tactics of cybercriminals who are now employing postal mail to target high-profile individuals in an attempt to extort money under false pretenses. The FBI urges companies to implement internal protocols for verifying ransom demands and to remain vigilant against these deceptive practices. It’s crucial for organizations to discern fake attacks from real ones amidst the increasing complexity of cybercrime.

Recommended read:
References :
  • Arctic Wolf: Self-Proclaimed “BianLian Group” Uses Physical Mail to Extort Organizations
  • CyberInsider: Fake BianLian Ransom Notes Delivered to Executives via Post Mail
  • DataBreaches.Net: Bogus ‘BianLian’ Gang Sends Snail-Mail Extortion Letters
  • www.csoonline.com: Ransomware goes postal: US healthcare firms receive fake extortion letters
  • PCMag UK security: Businesses Are Receiving Snail Mail Ransomware Threats, But It's a Scam
  • BrianKrebs: Someone has been snail mailing letters to various businesses pretending to be the BianLian ransomware group.
  • Cyber Security News: FBI Warns of Data Extortion Scam Targeting Corporate Executives
  • gbhackers.com: FBI Warns: Threat Actors Impersonating BianLian Group to Target Corporate Executives
  • techcrunch.com: There is no confirmed link between the campaign and the actual BianLian ransomware group, making this an elaborate impersonation.
  • thecyberexpress.com: FBI Issues Urgent Warning About Data Extortion Scam Targeting Corporate Executives
  • Email Security - Blog: The U.S. Federal Bureau of Investigation (FBI) has recently released an urgent advisory pertaining to a sophisticated email-based extortion campaign.
  • Threats | CyberScoop: The FBI is warning business leaders about the scam perpetrated by an unidentified threat group.
  • gbhackers.com: The novel approach highlights a shift in extortion tactics.
  • Vulnerable U: Executives Receive Fake Snail Mail BianLian Ransomware Notes
  • Malwarebytes: Ransomware threat mailed in letters to business owners
  • www.scworld.com: The FBI is warning of a ransomware operation targeting C-suite executives via the US Postal Service.
  • Cyber Security News: Fake BianLian Ransom Scams Target U.S. Firms Through Mailed Letters
  • borncity.com: CISA warning: Cyber criminals (BianLian Groupe) attempt to blackmail executives
  • Jon Greig: The FBI warned executives of a new scam where people claiming to be part of the BianLian ransomware gang are mailing physical letters with threats. Arctic Wolf said it is aware of at least 20 organizations or executives who have received these letters.

eff.org via@Lobsters //
The Electronic Frontier Foundation (EFF) has launched Rayhunter, a new free and open-source tool designed to detect cell-site simulators (CSS), also known as IMSI catchers or Stingrays. These devices masquerade as legitimate cell towers, tricking phones into connecting to them. Law enforcement and other entities use CSS to pinpoint the location of phones and log identifying information, sometimes intercepting communications.

Rayhunter operates using an affordable mobile hotspot, empowering individuals, regardless of their technical skills, to search for CSS around the world. The EFF hopes this tool will help uncover how these devices are being used, as there is a lack of solid, empirical evidence about the function and usage of CSS. Police departments are often resistant to releasing logs of their use, and the companies that manufacture them are unwilling to divulge details of how they work.

Recommended read:
References :
  • bsky.app: The Electronic Frontier Foundation (EFF) has released a free, open-source tool named Rayhunter that is designed to detect cell-site simulators (CSS), also known as IMSI catchers or Stingrays.
  • cyberinsider.com: EFF Launches Rayhunter Open-Source Tool to Detect Cellular Spying
  • Lobsters: Meet Rayhunter: A New Open Source Tool from EFF to Detect Cellular Spying
  • mastodon.social: At EFF we spend a lot of time thinking about the tech used by police and authorities to spy on you while you’re going about your everyday life, like cell-site simulators (CSS). Rayhunter is a new open source tool we’ve created that we hope empowers everyone to help search out CSS around the world.