CyberSecurity news

Dissent@DataBreaches.Net //
Recent data breaches have affected multiple organizations, exposing sensitive information and highlighting the importance of robust security measures. SOCRadar's Dark Web Team has uncovered several significant threats, including a breach at AUTOSUR, a French vehicle inspection company, where approximately 10.7 million customer records were leaked. The exposed data includes customer names, emails, phone numbers, hashed passwords, home addresses, vehicle information, and license plate numbers. This breach poses significant risks such as identity theft, phishing attacks, and financial fraud.

Unauthorized access to shipping portals associated with Lenovo and HP has also been detected, targeting shipment tracking activities in India. This breach could expose sensitive supply chain information. Furthermore, cybercriminals are actively exploiting the gaming and entertainment sectors, utilizing tools such as a Disney+ credential checker and exploiting a leaked FiveM database. A massive dataset of crypto and forex leads is also up for sale, creating risks of fraud and financial scams. Additionally, Cardiovascular Consultants Ltd. (CVC) in Arizona experienced a ransomware attack, impacting 484,000 patients, with data later appearing on a clear net IP address associated with “WikiLeaksV2”. The breach at Sunflower and CCA impacted 220,968 individuals according to a filing with the Maine Attorney General's Office.

Recommended read:
References :
  • socradar.io: AUTOSUR Breach, FiveM Database Leak, Disney+ Account Checker, Crypto Leads & Forex Scams Exposed
  • www.cysecurity.news: Sunflower and CCA Suffer Data Breaches, Exposing Hundreds of Thousands of Records
  • Security - Troy Hunt: Inside the "3 Billion People" National Public Data Breach

Kirsten Doyle@Information Security Buzz //
Millions of RSA encryption keys are vulnerable to attack due to a significant security flaw. New research indicates that roughly 1 in 172 online certificates are susceptible to compromise via a mathematical attack. This vulnerability primarily affects Internet of Things (IoT) devices, but it can pose a risk to any system utilizing improperly generated RSA keys. The root cause lies in poor random number generation during the key creation process.

The flaw occurs because keys sometimes share prime factors with other keys. If two keys share a prime factor, both can be broken by computing the Greatest Common Divisor (GCD). According to researchers, with modest resources, hundreds of millions of RSA keys used to protect real-world internet traffic can be obtained. Using a single cloud-hosted virtual machine and a well-studied algorithm, over one in 200 certificates can be compromised within days.
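The "well-studied algorithm" the paragraph refers to is batch GCD: every modulus is tested against the product of all the others at once, which is how a single machine can audit hundreds of millions of keys. The following is an added example, not code from the page or from the research it reports; the moduli are constructed toy products of small known primes (real RSA moduli are 2048 bits or more, and would be read from certificates), two of which deliberately share a prime the way badly seeded key generators do in the wild.

```python
import math

# Constructed toy moduli: products of known primes (far smaller than real
# RSA keys). Two pairs deliberately share a prime, as improperly seeded
# generators produce in the wild; one modulus is sound.
P_A, P_B, P_C, P_D, P_E, P_F, P_G, P_H = (
    1000000007, 998244353, 1000000009, 2147483647,
    4294967291, 999983, 1000003, 65537,
)
SAMPLE_MODULI = [
    P_A * P_B,  # shares P_A with modulus 2
    P_D * P_E,  # shares P_E with modulus 4
    P_A * P_C,
    P_F * P_G,  # sound: no factor in common with any other key
    P_H * P_E,
]


def _product_tree(moduli):
    """Levels of pairwise products: the leaves first, the full product last."""
    levels = [list(moduli)]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([
            prev[i] * prev[i + 1] if i + 1 < len(prev) else prev[i]
            for i in range(0, len(prev), 2)
        ])
    return levels


def batch_gcd(moduli):
    """For each N_i return gcd(N_i, product of all the other moduli).

    Bernstein's product-tree / remainder-tree method: quasi-linear in the
    size of the batch, instead of the quadratic cost of testing every pair.
    """
    levels = _product_tree(moduli)
    remainders = levels[-1]                     # the root: product of everything
    for level in reversed(levels[:-1]):
        # a node at index i has its parent at index i // 2 one level up;
        # each node divides its parent, so reducing mod node^2 stays exact
        remainders = [remainders[i // 2] % (n * n) for i, n in enumerate(level)]
    # P mod N^2 == N * ((P / N) mod N), so dividing by N gives (P / N) mod N,
    # and gcd(N, (P / N) mod N) == gcd(N, P / N): any factor shared with another key.
    return [math.gcd(n, r // n) for n, r in zip(moduli, remainders)]


def find_shared_factors(moduli):
    """Map index -> (shared_prime, other_prime) for every key the batch breaks.

    A value of None means the whole modulus recurs in the batch (a duplicate
    key, or both primes shared), which is at least as bad.
    """
    weak = {}
    for i, (n, g) in enumerate(zip(moduli, batch_gcd(moduli))):
        if g == n:
            weak[i] = None
        elif g > 1:
            weak[i] = (g, n // g)
    return weak


if __name__ == "__main__":
    for idx, factors in find_shared_factors(SAMPLE_MODULI).items():
        print(f"modulus #{idx} is factorable: {factors}")
```

To run this over a real key inventory, feed it the integer moduli of the certificates (for example `int(hex_modulus, 16)` from `openssl x509 -noout -modulus -in cert.pem`); any key that comes back with a factor must be revoked and regenerated on a properly seeded system.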

Recommended read:
References :

@pcmag.com //
A recent Windows 11 update has inadvertently uninstalled the Copilot AI assistant from some users' PCs, causing frustration. The bug, affecting updates KB5053598, KB5053602, and KB5053606 across Windows 11 and Windows 10, removes the Copilot app and unpins it from the taskbar. Microsoft has acknowledged the issue and updated the release notes, confirming that Copilot for Microsoft 365 is not affected.

Users affected by this bug can manually reinstall the Copilot app from the Microsoft Store and repin it to their taskbar as a temporary solution. It's worth noting that some users on Reddit have expressed that they appreciate this accidental "feature," stating they would prefer the option to install Copilot rather than having it forced upon them. Microsoft is currently working on a permanent solution and is likely to issue an update soon.

Recommended read:
References :
  • futurism.com: Users Cheer as Microsoft Accidentally Removes Hated AI Feature From Windows 11
  • www.techrepublic.com: The Case of the Vanishing Copilot: Is Microsoft’s Update a Feature or a Bug?
  • www.zdnet.com: Windows 11 update accidentally erases Copilot for some users - here's how to get it back
  • PCMag Middle East ai: Oops: Microsoft Update Accidentally Removes Copilot From Windows
  • MSPoweruser: If you install KB5053598, you’ll delete all traces of Copilot in Windows 11
  • www.windowscentral.com: Is this Windows 11 'bug' the feature we've been waiting for? Say goodbye to Copilot (for now)
  • www.techradar.com: Windows 11 bug deletes Copilot from the OS – is this the first glitch ever some users will be happy to encounter?
  • PCWorld: Microsoft shot itself in the foot with its latest Windows update
  • Ars OpenForum: Report that a bug in the Windows 11 update caused Copilot to be removed from some devices.
  • How-To Geek: Explanation and guidance for reinstalling the Copilot app after a recent Windows update.
  • www.pcmag.com: Discussion of the Copilot uninstall issue and possible resolutions.
  • PCWorld: Article discussing the inadvertent uninstallation of the Copilot app in some Windows 11 installations due to a bug in the recent update.

Microsoft Incident@Microsoft Security Blog //
Microsoft's Incident Response team has uncovered a novel remote access trojan (RAT) named StilachiRAT, which employs sophisticated techniques to evade detection and steal sensitive data. Discovered in November 2024, StilachiRAT demonstrates advanced methods to remain undetected, persist in the targeted environment, and exfiltrate valuable information. The malware is capable of gathering system information, stealing credentials stored in browsers, targeting cryptocurrency wallets, and using command-and-control connectivity for remote execution.

The RAT scans for configuration data of 20 different cryptocurrency wallet extensions for the Google Chrome browser and extracts credentials from the browser, indicating its focus on cryptocurrency theft and credential compromise. It establishes communication with remote command-and-control (C2) servers to execute commands, manipulate registry settings, and clear logs, making it challenging to detect and remove. Microsoft advises users to download software from official sources, use web browsers with SmartScreen support, and enable Safe Links and Safe Attachments for Office 365 to prevent StilachiRAT infections.

Recommended read:
References :
  • bsky.app: Microsoft has discovered a new remote access trojan (RAT) that employs "sophisticated techniques" to avoid detection, ensure persistence, and extract sensitive information data.
  • BleepingComputer: Microsoft: New RAT malware used for crypto theft, reconnaissance
  • Microsoft Security Blog: StilachiRAT analysis: From system reconnaissance to cryptocurrency theft
  • BleepingComputer: Microsoft has discovered a new remote access trojan (RAT) that employs "sophisticated techniques" to avoid detection, ensure persistence, and extract sensitive information data.
  • hackread.com: StilachiRAT: Sophisticated malware targets crypto wallets & credentials. Undetected, it maps systems & steals data. Microsoft advises strong security measures.
  • Virus Bulletin: Microsoft researchers uncovered a novel remote access trojan (RAT) named StilachiRAT that demonstrates sophisticated techniques to evade detection, persist in the target environment, and exfiltrate sensitive data.
  • securityaffairs.com: New StilachiRAT uses sophisticated techniques to avoid detection
  • The DefendOps Diaries: Understanding StilachiRAT: A New Cyber Threat Targeting Cryptocurrency
  • CyberInsider: Microsoft Uncovers New Stealthy Malware ‘StilachiRAT’ Targeting User Data
  • The Hacker News: Microsoft Warns of StilachiRAT: A Stealthy RAT Targeting Credentials and Crypto Wallets
  • Tech Monitor: New remote access trojan ‘StilachiRAT’ identified
  • Help Net Security: Stealthy StilachiRAT steals data, may enable lateral movement
  • www.techradar.com: Microsoft warns of a devious new RAT malware which can avoid detection with apparent ease
  • The Record: A previously unreported remote access trojan that Microsoft researchers dubbed StilachiRAT is designed to steal a wide range of data, including information about cryptocurrency wallet extensions for Google's Chrome browser.

Bill Toulas@BleepingComputer //
OKX Web3 has suspended its DEX aggregator services following reports of abuse by the North Korean Lazarus hackers. The Lazarus Group, known for conducting a $1.5 billion crypto heist, triggered this action. The suspension is aimed at implementing security upgrades to prevent further abuse and protect users from illicit activities like money laundering.

OKX's response includes implementing advanced security technologies, such as multi-factor authentication and machine learning algorithms, to predict and prevent potential security breaches. The company is also collaborating with regulatory authorities to align its security measures with international standards, including stricter Know Your Customer protocols and enhanced transaction monitoring systems. These steps are part of a comprehensive security overhaul aimed at fortifying the platform against sophisticated cyber threats.

Recommended read:
References :
  • bsky.app: Bsky Social - OKX Web3 has decided to suspend its DEX aggregator services to implement security upgrades following reports of abuse by the notorious North Korean Lazarus hackers, who recently conducted a $1.5 billion crypto heist.
  • BleepingComputer: Infosec Exchange - OKX Web3 has decided to suspend its DEX aggregator services to implement security upgrades following reports of abuse by the notorious North Korean Lazarus hackers, who recently conducted a $1.5 billion crypto heist.
  • BleepingComputer: BleepingComputer - OKX suspends DEX aggregator after Lazarus hackers try to launder funds
  • The DefendOps Diaries: OKX's Strategic Response to Cyber Threats: A Comprehensive Security Overhaul
  • bsky.app: OKX Web3 has decided to suspend its DEX aggregator services to implement security upgrades following reports of abuse by the notorious North Korean Lazarus hackers, who recently conducted a $1.5 billion crypto heist.

Graham Cluley@Graham Cluley //
The FBI has issued a warning regarding the rising use of malicious file conversion tools to spread malware. These scams are described as "rampant" and target individuals seeking free online services for tasks like converting Word documents to PDFs. Instead of simply converting files, these tools can secretly install malware onto victims’ computers.

This malware can lead to severe consequences, including ransomware attacks and data theft, with victims often unaware of the infection until it's too late. The FBI's warning applies to both online websites and downloadable apps that offer file conversion services. Stolen personal data can include social security numbers, financial information, passwords, and email addresses.

To protect against these threats, the FBI advises users to exercise caution when using free file conversion tools and ensure they download software from trusted sources. It's also recommended to use active anti-malware protection and to report any incidents to the Internet Crime Complaint Center. If affected, users should change their passwords on a clean device. The FBI emphasizes education as the best defense against these fraudsters.

Recommended read:
References :
  • Talkback Resources: FBI warns of malware-laden websites posing as free file converters, leading to ransomware attacks and data theft.
  • gbhackers.com: Beware! Malware Hidden in Free Word-to-PDF Converters
  • www.bitdefender.com: Free file converter malware scam “rampant” claims FBI
  • Malwarebytes: Warning over free online file converters that actually install malware
  • bsky.app: Free file converter malware scam "rampant" claims FBI.
  • bsky.app: @bushidotoken.net has dug up some IOCs for the FBI's recent warning about online file format converters being used to distribute malware

Pierluigi Paganini@Security Affairs //
Cybersecurity researchers at CyberArk have uncovered a new cryptojacking malware campaign called MassJacker. This sophisticated malware targets users who download pirated software, particularly from websites known for distributing malware, such as pesktop[.]com. MassJacker operates as a clipboard hijacker, monitoring the Windows clipboard for copied cryptocurrency wallet addresses.

When a user copies an address, the malware stealthily replaces it with one controlled by the attackers, resulting in the victim unknowingly sending cryptocurrency to the malicious actors instead of the intended recipient. The investigation revealed that MassJacker has been associated with over 750,000 unique cryptocurrency addresses, with one wallet holding over $300,000.

Recommended read:
References :

John Engates@The Cloudflare Blog //
Cloudflare has announced an expansion of its Zero Trust platform to protect organizations against emerging quantum computing threats. The upgrade focuses on enabling post-quantum cryptography for corporate network traffic, allowing secure routing of communications from web browsers to corporate web applications. This provides immediate, end-to-end quantum-safe connectivity, addressing the increasing vulnerability of conventional cryptography to quantum computer attacks. Cloudflare has been actively developing and implementing post-quantum cryptography since 2017 and is already making post-quantum security free, by default, for all of its customers.

Organizations can tunnel their corporate network traffic through Cloudflare’s Zero Trust platform, thereby shielding sensitive data from potential quantum breaches. Over 35% of non-bot HTTPS traffic that touches Cloudflare is already post-quantum secure, with the expectation that this percentage will grow as more browsers and clients support post-quantum cryptography. The National Institute of Standards and Technology (NIST) is also encouraging this transition, setting a timeline to phase out conventional cryptographic algorithms like RSA and Elliptic Curve Cryptography (ECC) by 2030 and completely disallowing them by 2035.

Cloudflare's CEO Matthew Prince states: “Cloudflare has long committed to making post-quantum security the new baseline for Internet security, delivering it to all customers so we can bolster defenses against future quantum threats. Now, we’re offering that protection built directly into our Zero Trust solutions.” He continues: “We want every Cloudflare customer to have a clear path to quantum safety, and we are already working with some of the most innovative banks, ISPs, and governments around the world as they begin their journeys to quantum security. We will continue to make advanced cryptography accessible to everyone, at no cost, in all of our products.”

Recommended read:
References :
  • The Cloudflare Blog: Conventional cryptography is under threat. Upgrade to post-quantum cryptography with Cloudflare Zero Trust
  • Quartz: Cloudflare is already selling security tools for the quantum computing era
  • Help Net Security: Cloudflare boosts defenses against future quantum threats
  • www.infosecurity-magazine.com: Cloudflare introduces E2E post-quantum cryptography, enhancing security against quantum threats

@borncity.com //
A series of security vulnerabilities has been uncovered in the widely used ESP32 microchip, a product of Chinese company Espressif Systems. This chip, found in over a billion devices as of 2023, is commonly utilized for Wi-Fi and Bluetooth connectivity in numerous IoT devices. Researchers at Tarlogic Security have detected undocumented commands within the ESP32's Bluetooth firmware, potentially creating a backdoor that could be exploited for cyberattacks. These hidden manufacturer-specific commands, identified as opcode 0x3F, enable low-level control over Bluetooth functions.

These vulnerabilities pose significant risks, potentially allowing malicious actors to impersonate known devices, even in offline mode. This could lead to the infection of sensitive devices like cell phones, computers, smart locks, and medical equipment, bypassing existing code audit controls. By exploiting these undocumented commands, attackers could gain unauthorized access to confidential information stored on these devices, enabling the spying on personal and business conversations. The potential for remote code execution via wireless interfaces makes this a high-severity issue.

Recommended read:
References :
  • gbhackers.com: Espressif Systems Flaws Allow Hackers to Execute Arbitrary Code
  • www.cysecurity.news: Undocumented ESP32 Commands Pose Security Risks, Researchers Warn
  • borncity.com: Tarlogic Security detects unknown commands in ESP32 chip (BlueTooth, WiFi)
  • DAY[0]: Discussion on the ESP32 "backdoor" drama

Microsoft Threat@Microsoft Security Blog //
The U.S. Department of Justice has indicted 12 Chinese individuals for over a decade of global hacking intrusions, including a breach of the U.S. Treasury last year. The individuals include eight staffers for the contractor i-Soon, two officials at China’s Ministry of Public Security, and two other alleged hackers belonging to the APT27 group, also known as Silk Typhoon. The group is accused of targeting U.S. state and federal agencies, foreign ministries across Asia, Chinese dissidents, and U.S.-based media outlets critical of the Chinese government.

Microsoft Threat Intelligence has detected a new variant of XCSSET, a macOS malware targeting Xcode projects, the first new variant observed since 2022. This variant features enhanced obfuscation, updated persistence mechanisms, and new infection strategies. It steals and exfiltrates files and system/user information, including digital wallet data and notes. The malware's modular approach and encoded payloads make detection and removal challenging, even allowing it to remain fileless.

Recommended read:
References :

Lawrence Abrams@BleepingComputer //
A large-scale Coinbase phishing attack is underway, targeting users with a sophisticated scam disguised as a mandatory wallet migration. The attackers trick recipients into setting up a new wallet using a pre-generated recovery phrase, effectively gaining control of any funds transferred into it. The phishing emails falsely claim that Coinbase is transitioning to self-custodial wallets due to a court order, creating a sense of urgency and legitimacy. This manipulation of emotions and perceived authority is a common tactic in phishing scams.

The emails stand out because they lack traditional phishing links, instead directing users to legitimate Coinbase pages to build trust. The core mechanism involves providing a pre-generated recovery phrase, exploiting the user's potential misunderstanding of recovery phrases. By convincing users to set up their new Coinbase Wallet with this phrase, attackers gain full access to the wallet.

Recommended read:
References :

Rescana@Rescana //
A critical security flaw, tracked as CVE-2025-21590, has been identified in Juniper Networks' Junos OS and is currently being exploited in the wild. This vulnerability, characterized by an Improper Isolation or Compartmentalization issue in the kernel, could allow a local attacker with shell access to execute arbitrary code and compromise affected devices. Juniper has released an urgent fix to address this actively exploited flaw, urging users to upgrade to a patched release as soon as possible.

Juniper's Security Incident Response Team (SIRT) has received reports of malicious exploitation of this vulnerability. The Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to its Known Exploited Vulnerabilities catalog, advising immediate patching. The vulnerability impacts a wide range of Junos OS versions, specifically all versions before 21.2R3-S9, 21.4 versions before 21.4R3-S10, and 22.2 versions before 22.2R3-S6, among others. Juniper Networks strongly advises customers to upgrade to a fixed release as soon as it becomes available.

Recommended read:
References :
  • securityonline.info: Juniper Issues Urgent Fix for Actively Exploited Junos OS Flaw
  • Rescana: Rescana Cybersecurity Report: Exploitation in the Wild of CVE-2025-21590

@itpro.com //
A supply chain attack has targeted the widely used GitHub Action 'tj-actions/changed-files-action,' leading to the leakage of secrets from numerous repositories. This incident, first reported by Step Security, involved the compromise of the action, allowing attackers to inject malicious code into CI workflows. This code was designed to dump CI runner memory, potentially exposing sensitive information like API keys and passwords in public repository workflow logs. The compromised 'tj-actions/changed-files' repository and the GitHub gist hosting the malicious script have since been removed to mitigate further exploitation.

This vulnerability, assigned CVE-2025-30066, affected all versions of 'tj-actions/changed-files' as of March 15, 2025. The malicious code was introduced through a spoofed commit from the Renovate bot, enabling unauthorized access and modification of the action's code. While no external exfiltration of secrets to an attacker-controlled server has been observed, the exposure within affected repositories remains a significant risk. Impacted organizations are urged to take immediate action to mitigate the risk of credential theft and CI pipeline compromise, particularly in public repositories where secrets in workflow logs are publicly accessible.
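The standard defence against a repointed action is to reference third-party actions by full commit SHA rather than by a mutable tag or branch, so a workflow keeps resolving to the code that was reviewed; the page does not spell that mitigation out, so it is an assumption of this example. The scanner below is an added example, not code from the page or from any project named on it: it lists every `uses:` reference in a constructed workflow that is not pinned to a 40-character commit SHA (or, for container images, to a sha256 digest), and flags the compromised action by name regardless of version, as the page reports all versions affected.

```python
import re

# Constructed sample workflow (not from any real repository). It mixes a
# SHA-pinned action, a tag-pinned one, a branch-pinned one, a local action
# and two container references. The SHA and digest are placeholders.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: tj-actions/changed-files@v45
      - uses: actions/setup-node@main
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.19
      - uses: docker://alpine@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
      - name: test
        run: npm test
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

# Actions the page reports as compromised in every version as of 2025-03-15.
KNOWN_COMPROMISED = {"tj-actions/changed-files"}


def classify(reference):
    """Return None if the reference is immutable, otherwise a short reason."""
    if reference.startswith("./"):
        return None                         # local action: code lives in this repository
    if reference.startswith("docker://"):
        image = reference[len("docker://"):]
        if "@" in image and DIGEST_RE.match(image.split("@", 1)[1]):
            return None
        return "container image not pinned by sha256 digest"
    if "@" not in reference:
        return "no version reference at all (resolves to the default branch)"
    action, ref = reference.split("@", 1)
    if action in KNOWN_COMPROMISED:
        return "action reported compromised in all versions; remove or replace it"
    if FULL_SHA_RE.match(ref):
        return None                         # a commit SHA cannot be repointed
    return f"mutable reference '{ref}' (tag or branch); pin to a full commit SHA"


def audit_workflow(text):
    """Return [(line_number, reference, reason)] for every risky uses: entry."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        reason = classify(m.group(1))
        if reason:
            findings.append((lineno, m.group(1), reason))
    return findings


if __name__ == "__main__":
    for lineno, ref, reason in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref}: {reason}")
```

Run it over every file under `.github/workflows/` in the repositories you own; a finding for the compromised action means the workflow's secrets should be treated as exposed and rotated, not just the reference fixed.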

Recommended read:
References :
  • Rescana: GitHub Actions Security Breach: tj-actions/changed-files-action Supply Chain Vulnerability Analysis
  • Wiz Blog | RSS feed: GitHub Action tj-actions/changed-files supply chain attack: everything you need to know
  • Open Source Security: tj-action/changed-files GitHub action was compromised
  • Dan Goodin: Is anyone following this breach involving the tj-actions/changed-files GitHub Action? Seems pretty major, but I'm still trying to figure out exactly what's going on, who's affected, and what people (and how many) are affected. If you can help me get up to speed please DM me on Signal -- DanArs.82, or on Mastodon
  • securityonline.info: Popular GitHub Action “tj-actions/changed-files” Compromised (CVE-2025-30066)
  • Risky Business Media: Risky Bulletin: GitHub supply chain attack leaks secrets
  • www.itpro.com: Organizations urged to act fast after GitHub Action supply chain attack
  • : Tj-actions Supply Chain Attack Exposes 23,000 Organizations
  • Latio Pulse: Understanding and Re-Creating the tj-actions/changed-files Supply Chain Attack discusses the tj-actions/changed-files supply chain attack.
  • The Register - Security: GitHub supply chain attack spills secrets from 23,000 projects
  • BleepingComputer: Supply chain attack on popular GitHub Action exposes CI/CD secrets
  • www.cybersecuritydive.com: Supply chain attack against GitHub Action triggers massive exposure of secrets
  • Metacurity: A GitHub Action used in 23,000 repos was compromised in a supply chain attack
  • gbhackers.com: Supply Chain Attack Targets 23,000 GitHub Repositories
  • hackread.com: Malicious Code Hits ‘tj-actions/changed-files’ in 23,000 GitHub Repos
  • www.infoworld.com: Thousands of open source projects at risk from hack of GitHub Actions tool
  • bsky.app: Bsky Social - A supply chain attack on the widely used 'tj-actions/changed-files' GitHub Action, used by 23,000 repositories, potentially allowed threat actors to steal CI/CD secrets from GitHub Actions build logs.
  • Wiz Blog | RSS feed: New GitHub Action supply chain attack: reviewdog/action-setup

Bill Toulas@BleepingComputer //
The Black Basta ransomware operation has developed a new automated brute-forcing framework called 'BRUTED' to compromise edge networking devices such as firewalls and VPNs. This framework is designed to automate the process of gaining unauthorized access to sensitive networks, which can lead to ransomware deployment and data theft. Security experts warn that this new tool empowers attackers to more efficiently breach enterprise VPNs and firewalls, marking a worrying escalation in ransomware tactics.

EclecticIQ analysts, after analyzing the source code, confirmed the primary capability of the tool is the automated internet scanning and credential stuffing against edge network devices. This framework targets widely used firewalls and VPN solutions in corporate networks. This tool is able to exploit weak or reused credentials, gaining an initial foothold for lateral movement and ransomware deployment.

Recommended read:
References :
  • KubikPixel: Ransomware gang creates tool to automate VPN brute-force attacks. The Black Basta ransomware operation created an automated brute-forcing framework dubbed 'BRUTED' to breach edge networking devices like firewalls and VPNs.
  • The DefendOps Diaries: Explore the BRUTED framework, a new tool by Black Basta, automating brute-force attacks on VPNs, posing a global threat to organizations.
  • Davey Winder: Hackers now have the tools to automate brute force attacks of your VPNs and firewalls during ransomware campaigns.
  • Talkback Resources: Inside BRUTED: Black Basta (RaaS) Members Used Automated Brute Forcing Framework to Target Edge Network Devices [net] [mal]
  • BleepingComputer: Ransomware gang creates tool to automate VPN brute-force attacks
  • bsky.app: The Black Basta ransomware operation created an automated brute-forcing framework dubbed 'BRUTED' to breach edge networking devices like firewalls and VPNs. https://www.bleepingcomputer.com/news/security/black-basta-ransomware-creates-automated-tool-to-brute-force-vpns/
  • bsky.app: The BlackBasta ransomware gang developed and used its own custom tool to brute-force enterprise firewalls and VPN remote-access products.
  • www.techradar.com: Infamous ransomware hackers reveal new tool to brute-force VPNs
  • www.cybersecuritydive.com: Black Basta uses brute-forcing tool to attack edge devices
  • www.scworld.com: Automated brute forcing tool leveraged in Black Basta ransomware intrusions
  • www.cysecurity.news: Ransomware gang creates tool to automate VPN brute-force attacks. The Black Basta ransomware operation created an automated brute-forcing framework dubbed 'BRUTED' to breach edge networking devices like firewalls and VPNs.

Sergiu Gatlan@BleepingComputer //
Cisco has addressed a critical denial-of-service (DoS) vulnerability, CVE-2025-20115, found in the Border Gateway Protocol (BGP) confederation implementation of its IOS XR Software. The vulnerability arises from a memory corruption flaw, specifically the improper handling of the AS_CONFED_SEQUENCE attribute within BGP update messages. An attacker can exploit this by injecting a crafted message containing 255 or more autonomous system numbers, leading to process instability and a potential BGP process restart.

Successful exploitation of this flaw allows unauthenticated attackers to crash the BGP process, disrupting network routing and potentially causing significant service outages. This is particularly concerning for large-scale networks using BGP confederation. The affected software versions include Cisco IOS XR Release 7.11 and earlier, Release 24.1 and earlier, Release 24.2 until version 24.2.21, and Release 24.3, which has been patched in version 24.3.1. The primary mitigation strategy is to apply the latest software update provided by Cisco.

Recommended read:
References :
  • The DefendOps Diaries: Understanding the Cisco IOS XR Vulnerability: CVE-2025-20115
  • BleepingComputer: Cisco vulnerability lets attackers crash BGP on IOS XR routers
  • www.cysecurity.news: Cisco Warns of Critical Security Flaw in IOS XR Software – Immediate Update Recommended
  • securityaffairs.com: Cisco IOS XR flaw allows attackers to crash BGP process on routers
  • securityonline.info: Cisco Alerts on Public Disclosure of CVE-2025-20115 – BGP Flaw Puts Networks at Risk
  • Rescana: The Cisco IOS XR Software Border Gateway Protocol (BGP) Confederation Denial of Service vulnerability , identified as...
  • gbhackers.com: Cisco has issued a security advisory warning of a vulnerability in its IOS XR Software that could allow attackers to launch denial-of-service (DoS) attacks.  The vulnerability, identified as CVE-2025-20115, affects the Border Gateway Protocol (BGP) confederation implementation. The CVE-2025-20115 vulnerability affects the Border Gateway Protocol (BGP) confederation implementation in Cisco IOS XR Software, potentially allowing
  • bsky.app: Cisco has patched a denial of service (DoS) vulnerability that lets attackers crash the Border Gateway Protocol (BGP) process on IOS XR routers with a single BGP update message.

Bill Toulas@BleepingComputer //
GitLab has released critical security updates to address multiple vulnerabilities in its Community Edition (CE) and Enterprise Edition (EE) platforms. The updates, included in versions 17.9.2, 17.8.5, and 17.7.7, fix nine vulnerabilities. Two of these are critical authentication bypass flaws (CVE-2025-25291 and CVE-2025-25292) within the ruby-saml library, used when SAML SSO authentication is enabled at the instance or group level. GitLab has already patched GitLab.com and will update GitLab Dedicated customers, but self-managed installations require immediate manual updates.

Exploitation of these flaws could allow attackers with access to a legitimate signed SAML document from an identity provider to impersonate any valid user, potentially leading to unauthorized access to sensitive repositories and data breaches. The issue stems from differences in XML parsing between REXML and Nokogiri. GitLab strongly advises all affected installations to upgrade to the latest versions as soon as possible to mitigate potential risks. Another vulnerability addressed in the same releases is CVE-2025-27407, a high-severity flaw in the Ruby graphql library.

Recommended read:
References :
  • Security Risk Advisors: GitLab Releases Critical Patches for Multiple Vulnerabilities in Versions 17.9.2, 17.8.5, and 17.7.7
  • securityaffairs.com: SecurityAffairs article on GitLab addressed critical flaws in CE and EE
  • socradar.io: SocRadar article on GitLab Security Update: Critical Authentication & RCE Flaws Demand Immediate Action
  • The DefendOps Diaries: GitLab's Critical Vulnerability Fixes: What You Need to Know
  • BleepingComputer: GitLab patches critical authentication bypass vulnerabilities
  • Rescana: Rescana Cybersecurity Report on GitLab Security Updates: Critical Vulnerability Mitigations for Versions 17.9.2, 17.8.5, and 17.7.7
  • securityonline.info: GitLab urgently patches critical authentication bypass flaws – CVE-2025-25291 & CVE-2025-25292
  • www.scworld.com: Account hijacking possible with ruby-saml library bugs
  • bsky.app: GitHub's security team has discovered a combo of two bugs in the Ruby-SAML library that can be used to bypass authentication in apps that use the library.
  • gbhackers.com: Critical ruby-saml Vulnerabilities Allow Attackers to Bypass Authentication

Lorenzo Franceschi-Bicchierai@techcrunch.com //
Rostislav Panev, a dual Russian-Israeli national suspected of being a key developer for the notorious LockBit ransomware operation, has been extradited to the United States. Panev was arrested in Israel in August 2024 following a U.S. provisional arrest request and has now made an initial appearance before a U.S. magistrate, where he was detained pending trial. U.S. authorities allege that Panev played a crucial role in developing the LockBit ransomware from its inception around 2019 through February 2024.

Panev is accused of developing code and maintaining infrastructure for LockBit. The U.S. Department of Justice (DoJ) stated that Panev and his co-conspirators grew LockBit into one of the most active and destructive ransomware groups globally. LockBit operators and affiliates have extracted at least $500 million in ransom payments from victims, causing billions of dollars in lost revenue and recovery costs. The complaint against Panev follows charges brought against other LockBit members, including its alleged primary creator, developer, and administrator, Dmitry Yuryevich Khoroshev, for whom the U.S. is offering a reward of up to $10 million.

Recommended read:
References :
  • bsky.app: A dual Russian-Israeli national, suspected of being a key developer for the LockBit ransomware operation, has been extradited to the United States to face charges.
  • techcrunch.com: The US Department of Justice announced that Rostislav Panev, who developed code and maintained infrastructure for LockBit, is now in U.S. custody.
  • : US authorities have extradited Rostislav Panev on charges of being a developer of the notorious LockBit ransomware
  • securityaffairs.com: LockBit ransomware developer Rostislav Panev was extradited from Israel to the U.S.
  • BleepingComputer: Suspected LockBit ransomware dev extradited to United States
  • The DefendOps Diaries: International Cooperation in Combating Cybercrime: The Extradition of Rostislav Panev
  • thecyberexpress.com: Alleged LockBit Ransomware Developer Extradited to U.S. to Stand Trial
  • DataBreaches.Net: Dual Russian And Israeli National Extradited To The United States For His Role In The LockBit Ransomware Conspiracy
  • The Hacker News: Alleged Israeli LockBit Developer Rostislav Panev Extradited to U.S. for Cybercrime Charges
  • The Record: Rostislav Panev, who was arrested in Israel in August 2024 on U.S. charges related to dozens of LockBit ransomware attacks, has been extradited and appeared in a New Jersey federal court, authorities said.
  • securityonline.info: Major LockBit Ransomware Developer Extradited to U.S.
  • hackread.com: LockBit Developer Rostislav Panev Extradited from Israel to the US
  • Talkback Resources: Ransomware Developer Extradited, Admits Working for LockBit [mal]
  • www.it-daily.net: LockBit ransomware developer extradited to the USA
  • www.scworld.com: US extradites alleged LockBit developer
  • www.itpro.com: Alleged LockBit developer extradited to the US

Bill Toulas@BleepingComputer //
A new ransomware campaign is underway, leveraging critical vulnerabilities in Fortinet's FortiOS and FortiProxy. The SuperBlack ransomware, deployed by the cybercriminal group Mora_001, targets Fortinet firewalls by exploiting two authentication bypass flaws, CVE-2024-55591 and CVE-2025-24472. Once inside, the attackers escalate to the super_admin profile, create new administrator accounts, and modify the firewall's automation tasks so that those accounts are re-created if an administrator removes them, giving them persistent access.

The vulnerabilities, disclosed in January and February 2025, give attackers unauthorized administrative access to the firewall; the encryption comes later. After the initial compromise, the attackers map the network and attempt lateral movement using stolen VPN credentials and newly added VPN accounts, reaching other systems through the Windows Management Instrumentation command line (WMIC), SSH, and TACACS+/RADIUS authentication servers, the services that manage and authenticate network access. Organizations are urged to patch their Fortinet systems to mitigate the risk of SuperBlack ransomware attacks. Because the persistence described above survives a firmware update, patching should be paired with a review of administrator accounts, automation stitches and VPN users created since the disclosure dates.
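
A detection pass over FortiGate configuration-change logs for the persistence pattern described above, as an added example (not Forescout's or Fortinet's code). It flags new `system.admin` objects, edits to `system.automation-*` stitches and actions, and new `user.local` accounts, and marks changes made from outside an assumed management network. The sample lines are constructed to mimic FortiGate's key=value event-log syntax; the field names `cfgpath`, `cfgobj`, `cfgattr` and `ui`, the `TRUSTED_MGMT` range and the function names are assumptions of the example.

```python
"""Scan FortiGate configuration-change event logs for the persistence techniques
described above. Added example, not Forescout or Fortinet code. Field names follow
FortiGate's key=value event-log syntax as an assumption; sample lines are constructed."""
import ipaddress
import re
from typing import Dict, Iterable, List, Optional

# Assumption for the example: admin changes are expected only from this management range.
TRUSTED_MGMT = [ipaddress.ip_network("10.0.0.0/8")]

_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
_UI_IP = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")  # ui="GUI(203.0.113.9)" or "ssh(...)"


def parse_kv(line: str) -> Dict[str, str]:
    """Split a key=value log line; quoted values lose their surrounding quotes."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in _KV.findall(line)}


def source_ip(event: Dict[str, str]):
    """Source address embedded in the ui field, if any."""
    m = _UI_IP.search(event.get("ui", ""))
    return ipaddress.ip_address(m.group(1)) if m else None


def classify(event: Dict[str, str]) -> Optional[str]:
    """Map a config-change event to a persistence technique, or None if uninteresting."""
    path, action = event.get("cfgpath", ""), event.get("action", "")
    if path == "system.admin" and action == "Add":
        profile = " with super_admin profile" if "super_admin" in event.get("cfgattr", "") else ""
        return "new administrator account" + profile
    if path.startswith("system.automation") and action in ("Add", "Edit"):
        return "automation stitch/action modified"
    if path == "user.local" and action == "Add":
        return "new local user (possible VPN account)"
    return None


def find_persistence(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one finding per suspicious configuration change, in log order."""
    findings = []
    for line in lines:
        ev = parse_kv(line)
        if ev.get("type") != "event" or ev.get("subtype") != "system":
            continue  # traffic and VPN logs are out of scope for this check
        reason = classify(ev)
        if reason is None:
            continue
        ip = source_ip(ev)
        findings.append({
            "time": f"{ev.get('date')} {ev.get('time')}",
            "actor": ev.get("user"),
            "object": ev.get("cfgobj"),
            "reason": reason,
            "untrusted_source": ip is not None and not any(ip in n for n in TRUSTED_MGMT),
        })
    return findings


# Constructed sample: an admin/stitch/VPN-user sequence from an external address,
# then a benign change from the management network and an unrelated traffic record.
SAMPLE_LOG = [
    'date=2025-03-01 time=03:12:44 devname="fw-edge-01" logid="0100044547" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="GUI(198.51.100.23)" '
    'action="Add" cfgpath="system.admin" cfgobj="svc-backup" cfgattr="accprofile[super_admin]" '
    'msg="Add system.admin svc-backup"',
    'date=2025-03-01 time=03:13:02 devname="fw-edge-01" logid="0100044547" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Object attribute configured" user="svc-backup" ui="ssh(198.51.100.23)" '
    'action="Edit" cfgpath="system.automation-stitch" cfgobj="readmin" cfgattr="trigger[admin-deleted]" '
    'msg="Edit system.automation-stitch readmin"',
    'date=2025-03-01 time=03:15:10 devname="fw-edge-01" logid="0100044547" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Object attribute configured" user="svc-backup" ui="ssh(198.51.100.23)" '
    'action="Add" cfgpath="user.local" cfgobj="vpn-svc" cfgattr="type[password]" msg="Add user.local vpn-svc"',
    'date=2025-03-01 time=09:00:00 devname="fw-edge-01" logid="0100044547" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Object attribute configured" user="netops" ui="GUI(10.20.0.5)" '
    'action="Edit" cfgpath="firewall.address" cfgobj="branch-lan" cfgattr="subnet[10.30.0.0/24]" '
    'msg="Edit firewall.address branch-lan"',
    'date=2025-03-01 time=09:05:12 devname="fw-edge-01" logid="0000000013" type="traffic" subtype="forward" '
    'srcip=10.20.0.5 dstip=198.51.100.23 action="accept" policyid=7',
]

if __name__ == "__main__":
    for f in find_persistence(SAMPLE_LOG):
        print(f)
```

Run against exported syslog or FortiAnalyzer data, the three `untrusted_source` findings within minutes of each other are the triage signal; a single admin addition from the management range is routine, the same addition from an internet-facing address immediately followed by an automation-stitch edit is not.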

Recommended read:
References :
  • The DefendOps Diaries: SuperBlack Ransomware: Exploiting Fortinet Vulnerabilities
  • BleepingComputer: New SuperBlack ransomware exploits Fortinet auth bypass flaws
  • Industrial Cyber: Researchers from Forescout Technologies' Forescout Research - Vedere Labs identified a series of intrusions exploiting two Fortinet vulnerabilities
  • The Register - Security: New kids on the ransomware block channel Lockbit to raid Fortinet firewalls
  • www.cybersecuritydive.com: SuperBlack ransomware strain used in attacks targeting Fortinet vulnerabilities
  • Blog: Fortinet flaws targeted by new LockBit-like SuperBlack ransomware
  • securityaffairs.com: SuperBlack Ransomware operators exploit Fortinet Firewall flaws in recent attacks
  • www.csoonline.com: Researchers tracked the exploits back to late November/early December last year.
  • techcrunch.com: Hackers are exploiting Fortinet firewall bugs to plant ransomware
  • Security Risk Advisors: New SuperBlack ransomware exploits Fortinet vulnerabilities for network breaches