CyberSecurity news
FlagThis
|
lucija.valentic@reversinglabs.com (Lucija@Blog (Main)
//
A malicious Python package named `solana-token` has been discovered on the Python Package Index (PyPI) targeting Solana developers. This rogue package, posing as a utility for the Solana blockchain, was designed to exfiltrate source code and developer secrets from compromised machines to a hard-coded IP address. The ReversingLabs research team uncovered this supply chain attack, highlighting the increasing trend of malicious actors targeting cryptocurrency projects. Before being taken down, the `solana-token` package was downloaded over 600 times, potentially distributed through developer-focused platforms.
The malicious package contained telltale signs of compromise, including hardcoded IP addresses, outbound communications to non-standard network ports, and code that reads local files, typical of information stealers. One insidious method employed by the package scanned the Python execution stack, copied, and exfiltrated source code contained in all the files in the execution chain to a remote server. The objective was to steal sensitive information such as developer secrets and hardcoded crypto credentials, which could grant attackers unauthorized access to cryptocurrency wallets and critical infrastructure. This incident is not isolated, a previous package with the same name was published and removed in 2024, suggesting that the same malicious actors may be behind the new malicious version, said the report. Cybersecurity experts recommend that organizations respond to address the increasing number of supply chain threats targeting cryptocurrency projects by aggressively monitoring for suspicious activity and unexplained changes within open source and commercial, third-party software modules. By stopping malicious code before it is allowed to penetrate secure development environments, teams can prevent destructive supply chain attacks. Recommended read:
References :
Sergiu Gatlan@BleepingComputer
//
Google's Threat Intelligence Group has issued a warning that the cyber collective known as Scattered Spider is now actively targeting US retailers after causing significant disruption to UK retailers like Marks & Spencer, Co-op, and Harrods. This group, also known as UNC3944, employs advanced cyber tactics including social engineering attacks like phishing, SIM swapping, and multi-factor authentication (MFA) bombing to infiltrate organizations. These methods allow the attackers to gain unauthorized access to sensitive systems and data. Experts are urging US retailers to take immediate note of Scattered Spider's tactics.
The shift in focus from UK to US retailers signals a strategic move by Scattered Spider, driven by the potential for higher financial gains and the opportunity to exploit vulnerabilities in the US retail sector’s cybersecurity infrastructure. The group's evolving tactics include new phishing kits and malware, such as the Spectre RAT, used to gain persistent access to compromised systems and exfiltrate sensitive data. Scattered Spider is believed to be composed mainly of young, English-speaking individuals based in the UK and US, and has reportedly executed over 100 cyberattacks. Marks & Spencer has already experienced prolonged disruption following a large-scale cyberattack, highlighting the potential impact on US retailers. Customer data was stolen in the M&S cyberattack, forcing password resets and hampering online services. The stolen data included names, dates of birth, home addresses, and telephone numbers. While usable payment or card details were not compromised, the incident underscores the significant risk Scattered Spider poses to the digital infrastructures of US retailers, and experts warn that restoring normal operations could take months. Recommended read:
References :
@support.broadcom.com
//
Broadcom has issued an urgent patch to address a moderate-severity vulnerability, CVE-2025-22247, affecting VMware Tools versions 11.x.x and 12.x.x. The flaw, characterized as an insecure file handling vulnerability, could be exploited by attackers with limited access within a guest virtual machine (VM). This could allow them to tamper with local files and trigger insecure file operations, potentially leading to further security breaches within the virtual environment. The vulnerability impacts VMware Tools running on Windows and Linux operating systems, while macOS is reportedly unaffected.
Broadcom's security advisory highlights that VMware Tools contains this insecure file handling vulnerability which can be exploited by an attacker with non-administrative privileges within a guest VM. The successful exploitation of CVE-2025-22247 could allow the attacker to tamper with local files, leading to unauthorized actions. VMware has released VMware Tools version 12.5.2 to remediate this vulnerability. For Windows 32-bit systems, the fix is included in VMware Tools 12.4.7, also part of the 12.5.2 release. For Linux systems, the advisory notes that updates addressing CVE-2025-22247 will be distributed by individual Linux vendors. It is crucial for Linux users to stay informed about updates from their respective distribution vendors. System administrators are urged to take immediate action by updating to the latest versions of VMware Tools to mitigate the risks associated with this vulnerability. Sergey Bliznyuk of Positive Technologies has been credited for reporting the vulnerability. Recommended read:
References :
Lawrence Abrams@BleepingComputer
//
Compromised iClicker Site Used to Deliver Lumma Stealer - The iClicker website was compromised in a ClickFix attack using a fake CAPTCHA prompt, tricking users into installing Lumma Stealer malware.
ImgSrc: www.bleepstatic
iClicker, a widely-used student engagement platform, fell victim to a sophisticated ClickFix attack that compromised its website. The attack utilized a fake CAPTCHA prompt to deceive both students and instructors into unknowingly installing malware on their devices. This incident highlights the growing trend of cybercriminals exploiting user trust through social engineering tactics. iClicker, a subsidiary of Macmillan, serves approximately 5,000 instructors and 7 million students across numerous universities in the United States, making it a prime target for such malicious activities. The company has acknowledged the hijacking and issued a security bulletin advising affected users to take immediate action.
The ClickFix attack hinges on exploiting the familiarity users have with CAPTCHA verification processes. Instead of presenting a typical challenge to distinguish between humans and bots, the fake CAPTCHA prompts users to execute malicious scripts. This involves instructing users to open the Windows Run dialog, paste a provided script, and press Enter. Unbeknownst to the user, this action initiates a PowerShell script that retrieves and installs malware, granting attackers unauthorized access to their computer. The University of Michigan’s IT security team issued an early warning to students after discovering the malicious CAPTCHA. Sophos X-Ops revealed that the malware being installed through this method is the notorious Lumma Stealer. Lumma Stealer is a Malware-as-a-Service (MaaS) offering typically sold via Telegram channels, allowing cybercriminals to steal sensitive data, including browser passwords, cookies, cryptocurrency wallets, and session tokens. iClicker advised users who interacted with the false CAPTCHA between April 12-16 to run antivirus software and change their passwords immediately. The attack demonstrates the need for heightened cybersecurity awareness and vigilance when interacting with online prompts, even on trusted websites. Recommended read:
References :
@cyberalerts.io
//
North Korean APT Targeting Ukrainian Government - North Korean APT group Konni is targeting Ukrainian government entities with phishing campaigns to gather intelligence on the Russian invasion.
ImgSrc: blogger.googleu
North Korean state-sponsored actor Konni, also known as TA406, has been observed targeting Ukrainian government entities in intelligence collection operations. Researchers at Proofpoint uncovered phishing campaigns initiated in February 2025, where the threat group delivered both credential harvesting tools and malware. These attacks are designed to gather intelligence on the trajectory of the Russian invasion, reflecting Konni's broader pattern of cyber espionage and information gathering. The group's activities extend beyond Ukraine, as they have historically targeted government entities in Russia for strategic intelligence purposes.
The phishing emails used in the attacks often impersonate think tanks and reference important political events or military developments to lure their targets. These emails contain links to password-protected RAR archives hosted on cloud services. Once opened, these archives launch infection sequences designed to conduct extensive reconnaissance of compromised machines. A common tactic involves using CHM files displaying decoy content related to Ukrainian military figures. Clicking on the decoy content triggers the execution of a PowerShell command, downloading a next-stage PowerShell payload from an external server. This newly launched PowerShell script is capable of gathering detailed information about the compromised system, encoding it, and sending it back to the attacker's server. In some instances, Proofpoint observed HTML files being directly distributed as attachments, instructing victims to click embedded links to download ZIP archives containing malicious files. The ultimate goal of these campaigns is to collect intelligence relevant to the conflict, potentially to support North Korea's military involvement alongside Russia in Ukraine and assess the political landscape. Recommended read:
References :
Bill Toulas@BleepingComputer
//
A new cyber espionage campaign dubbed "ClickFix" is actively targeting Linux systems, marking a concerning shift in focus for threat actors. This campaign, characterized by its precision and stealth, is not a generic, scattershot attack, but rather a calculated effort by groups like APT36, known for their cyberespionage capabilities. Attackers are exploiting vulnerabilities within Linux environments, highlighting the increasing sophistication and reliance on Linux by critical infrastructure and enterprises worldwide. The rise of ClickFix attacks serves as a wake-up call, demonstrating that attackers are now willing to go deeper and target smarter, making it harder for administrators who may have previously felt secure with standard hardening measures.
The core technique of ClickFix attacks involves social engineering to deceive users into executing malicious commands. Attackers have utilized websites that mimic legitimate entities, such as India’s Ministry of Defence, to lure victims. When users visit these sites, they are profiled based on their operating system and redirected to a tailored attack flow. On Linux, this often involves presenting a CAPTCHA page that, when interacted with, copies a shell command to the user’s clipboard. The user is then instructed to execute this command, which can lead to the installation of malware. The command used in these attacks drops a payload on the target system, which, in its current form, fetches a JPEG image from the attacker’s server. APT36 is reportedly linked to Pakistan and has been known to use sophisticated social engineering tactics to target Indian entities. Historically, APT36 primarily targeted Windows-based environments, but the ClickFix campaign signals a significant evolution in their strategy. This group focuses heavily on espionage, collecting information from government agencies, academic institutions, and defense sectors. What distinguishes APT36 from other advanced persistent threats is its knack for exploiting tools and techniques that leave systems vulnerable without raising immediate alarms. The cross-platform nature of ClickFix attacks, which now include Linux, highlights their versatility and the need for robust defensive measures. Recommended read:
References :
Zeljka Zorz@Help Net Security
//
Fortinet is addressing a critical zero-day vulnerability, CVE-2025-32756, that has been actively exploited to compromise FortiVoice enterprise phone systems. The vulnerability is a stack-based buffer overflow, allowing unauthenticated remote attackers to execute arbitrary code or commands by sending a specially crafted HTTP request. Fortinet has released security updates to patch this remote code execution vulnerability, urging users to upgrade to fixed releases for affected solutions, which include FortiMail, FortiNDR, FortiRecorder, and FortiCamera, although attackers are primarily targeting FortiVoice installations.
Fortinet's Product Security Team discovered CVE-2025-32756 based on attackers' activity, including network scans, erasing system crashlogs, enabling "fcgi debugging" to log credentials, and dropping malware. The company has shared indicators of compromise (IOCs), such as IP addresses used by attackers, log entries, added or modified files, and modified settings. These IOCs help users detect and respond to potential breaches. Fortinet’s swift response to this exploit involved releasing security patches and providing mitigation strategies to protect their customers. For FortiVoice installations that cannot be immediately upgraded, Fortinet recommends disabling the system’s HTTP/HTTPS administrative interface as a temporary workaround. The broader issue, ZDI-25-288, involves a directory traversal remote code execution vulnerability within FortiWeb. Discovered by Kentaro Kawane of GMO Cybersecurity by Ierae, this flaw allows remote attackers to execute arbitrary code on affected FortiWeb installations, requiring authentication. Fortinet has issued an update to correct this vulnerability, emphasizing the company's commitment to addressing security flaws promptly. Recommended read:
References :
@cyberscoop.com
//
CISA has added five actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. This action follows Microsoft's May 2025 Patch Tuesday, which addressed a total of 72 vulnerabilities, including these five zero-day exploits. The vulnerabilities affect various Windows components, posing a significant risk to systems if left unpatched. The addition to the KEV catalog underscores the urgency for organizations to apply the relevant Microsoft patches.
The zero-day vulnerabilities include CVE-2025-30397, CVE-2025-30400, CVE-2025-32701, CVE-2025-32706, and CVE-2025-32709. CVE-2025-30397 is a memory corruption vulnerability in the Windows scripting engine, while CVE-2025-30400 affects the Microsoft DWM Core Library. CVE-2025-32701 and CVE-2025-32706 are defects in the Windows Common Log File System (CLFS) Driver, which are particularly concerning as they can lead to elevation of privilege to SYSTEM. CVE-2025-32709 resides in the Windows Ancillary Function Driver for WinSock. Security experts recommend immediate patching, especially for the CLFS driver vulnerabilities. Mike Walters of Action1 warned that attackers could exploit the CLFS zero-days to gain full control of systems, allowing them to run arbitrary code, install malware, modify data, or disable security protections. The Cybersecurity and Infrastructure Security Agency (CISA) encourages all organizations to review and apply the necessary updates to mitigate the risk of exploitation. Recommended read:
References :
Pierluigi Paganini@Security Affairs
//
Moldovan law enforcement, in collaboration with Dutch authorities, have apprehended a 45-year-old foreign man suspected of orchestrating a series of ransomware attacks targeting Dutch companies in 2021. The suspect is wanted internationally for a range of cybercrimes, including ransomware attacks, blackmail, and money laundering. This arrest marks a significant step in the fight against cybercrime, particularly concerning the persistent threat posed by DoppelPaymer ransomware. The operation involved a coordinated effort between Moldovan prosecutors, the country's Center for Combating Cybercrimes, and law enforcement from the Netherlands, highlighting the importance of international cooperation in tackling sophisticated cyber threats.
The suspect's alleged involvement includes a ransomware attack on the Netherlands Organization for Scientific Research (NWO), resulting in estimated damages of €4.5 million. During the arrest on May 6, Moldovan police searched the suspect's residence and car, seizing substantial evidence, including over €84,000 in cash, an electronic wallet, two laptops, a mobile phone, a tablet, six bank cards, two data storage devices, and six memory cards. The suspect is currently in custody, and extradition procedures to the Netherlands are underway, where he will face charges related to his alleged cybercrimes. The DoppelPaymer ransomware group emerged in 2019, known for its sophisticated tactics, including data exfiltration before encryption, to pressure victims into paying ransoms. The group has targeted various sectors globally and evolved into other ransomware variants, showcasing the challenges in combating this type of cyber threat. The arrest in Moldova underscores the ongoing efforts by law enforcement to pursue and bring cybercriminals to justice, reinforcing the message that cybercrime will not go unpunished. Recommended read:
References :
Jessica Lyons@theregister.com
//
Marks & Spencer (M&S) has confirmed that customer data was stolen during a recent cyberattack, with the ransomware group DragonForce claiming responsibility. The retail giant has initiated a mandatory password reset for all customers as a precautionary measure following the breach. The attack, which has shaken the UK retail sector, also affected other major retailers including the Co-operative Group (Co-op) and Harrods.
The stolen data includes customer names, dates of birth, home and email addresses, phone numbers, household information, and online order histories. However, M&S assures customers that the compromised information does not include usable card or payment details, or account passwords. The company is working with external experts to secure its systems and has reported the incident to the relevant government authorities and law enforcement agencies. Initially reports linked Scattered Spider to the attack, it has now been claimed that DragonForce are responsible. DragonForce, a relatively new Ransomware-as-a-Service (RaaS) group, has emerged as a significant threat, initially framing itself as a pro-Palestinian hacktivist collective before shifting to profit-driven operations. They operate by leasing their ransomware to affiliates, who then carry out the attacks, with the developers taking a cut of the ransom payments. DragonForce has been targeting high-profile UK retailers, deploying ransomware to encrypt networks, disrupt online orders and payment systems, and threaten the public release of stolen data. Recommended read:
References :
Sergiu Gatlan@BleepingComputer
//
Ivanti has released security updates to address two zero-day vulnerabilities, CVE-2025-4427 and CVE-2025-4428, affecting its Endpoint Manager Mobile (EPMM) product. These vulnerabilities reside in open-source libraries integrated into EPMM and when chained together, allow unauthenticated remote code execution on vulnerable devices. The vendor stated that a limited number of customers have already been affected by exploits targeting these flaws. CERT-EU strongly recommends that users apply the patches as soon as possible, with priority given to internet-facing devices.
It has been confirmed that the vulnerabilities only affect the on-premises version of Ivanti EPMM. The authentication bypass vulnerability, CVE-2025-4427 (CVSS score 5.3), permits attackers to access protected resources without proper credentials. Paired with CVE-2025-4428 (CVSS score 7.2), a remote code execution flaw, threat actors can execute arbitrary code on the target system. Ivanti has released specific EPMM versions with fixes: 11.12.0.5, 12.3.0.2, 12.4.0.2, and 12.5.0.1. For organizations unable to immediately apply the updates, Ivanti recommends mitigating the threat by filtering access to the API using either the built-in Portal ACLs functionality or an external Web Application Firewall (WAF). Additionally, customers can open a Support Case to receive an RPM file with a hot-fix mitigation, along with a step-by-step guide provided by Ivanti. The company is actively collaborating with security partners, the broader security community, and law enforcement to address the situation. Recommended read:
References :
@securityonline.info
//
The North Korean threat actor WaterPlum, also known as Famous Chollima or PurpleBravo, is behind the latest iteration of the OtterCookie malware, version 4. This cross-platform malware is designed to target financial institutions, cryptocurrency platforms, and FinTech companies across the globe. OtterCookie's evolution demonstrates a significant advancement in its capabilities, posing an increased threat level. The malware is often deployed through the "Contagious Interview" campaign, which uses fake job offers to entice victims into opening malicious payloads.
OtterCookie v4 boasts enhanced credential theft capabilities, with modules specifically designed to steal credentials from Google Chrome, MetaMask, and iCloud Keychain. One module decrypts and extracts passwords from Chrome using the Windows Data Protection API (DPAPI), while another targets the MetaMask extension in browsers like Chrome and Brave, as well as iCloud Keychain, to harvest sensitive data. These stolen credentials are then stored in a local database before being exfiltrated. These advancements represent a significant leap from earlier versions of OtterCookie which primarily functioned as a file grabber. A key feature of OtterCookie v4 is its ability to detect virtual machine environments, including VMware, VirtualBox, Microsoft Hyper-V, and QEMU. This allows the malware to evade analysis and detection by security researchers and automated sandbox environments. The malware's cross-platform functionality allows it to operate across Windows, macOS, and Linux, significantly broadening its potential impact. Researchers first exposed OtterCookie in December 2024, and the malware has rapidly evolved since then, with version 3 appearing in February 2025 and version 4 in April 2025. Recommended read:
References :
@securebulletin.com
//
References:
securebulletin.com
, securityonline.info
,
A new multi-platform malware campaign is targeting organizations in Southern Europe, specifically Spain, Italy, and Portugal, through sophisticated phishing emails. This campaign leverages weaponized PDF invoices to deliver a Java-based Remote Access Trojan (RAT) known as RATty. The attack begins with emails that bypass SPF/DKIM checks by abusing Spain's serviciodecorreo.es email service, allowing forged sender addresses to appear legitimate. The emails contain a PDF attachment mimicking an invoice from Medinova Health Group, enticing recipients to click a Dropbox link.
This link redirects victims to an HTML file (Fattura.html) that initiates a multi-stage verification process, including a fake CAPTCHA, to further deceive the user. The HTML file then utilizes Ngrok tunneling to dynamically switch content based on the victim's geolocation. If the request originates from Italy, the user is redirected to MediaFire to download a malicious Java Archive (JAR) file named FA-43-03-2025.jar. Users outside of Italy are redirected to benign Google Drive documents, effectively bypassing automated sandboxes typically hosted in cloud regions outside Italy. The final JAR file contains the RATty malware, a cross-platform Remote Access Trojan that exploits Java's capabilities to grant attackers extensive control over the compromised system. This includes remote command execution, keystroke logging, screenshot capture, and data exfiltration. The attackers may also repackage RATty in MSI installers, further disguising the threat as a software update to increase the odds of user execution. Organizations are advised to update endpoint protection tools to defend against this evolving phishing tactic. Recommended read:
References :
@cyberpress.org
//
References:
cyberpress.org
, www.genians.co.kr
The North Korea-linked threat group APT37 has been identified as the perpetrator of a sophisticated spear phishing campaign targeting activists and organizations focused on North Korean affairs. Genians Security Center researchers analyzed the campaign, dubbed "Operation: ToyBox Story," which involved the use of fake academic forum invites from a South Korean national security think tank to lure victims. The attackers leveraged Dropbox to deliver malicious LNK files, demonstrating an evolution in their attack methodology.
The spear phishing emails were cleverly disguised as invitations and information from a legitimate South Korean national security think tank, referencing real-world events such as "Trump 2.0 Era: Prospects and South Korea’s Response" to enhance credibility. These emails contained Dropbox links leading to compressed ZIP archives, which, upon extraction, harbored malicious shortcut (LNK) files. When a user opens the malicious LNK file, it initiates a multi-stage malware loader chain. The campaign highlighted APT37's ongoing use of trusted cloud platforms like Dropbox as command and control (C2) infrastructure, a tactic known as "Living off Trusted Sites" (LoTS). This approach allows the attackers to blend malicious traffic with legitimate cloud service activity, complicating detection and response efforts. The malicious LNK files are designed to execute hidden PowerShell commands, which deploy a decoy document while simultaneously creating hidden files and ultimately injecting shellcode directly into memory to install a variant of the RoKRAT malware family. RoKRAT collects system information and allows for further exploitation of the victim's system. Recommended read:
References :
@www.microsoft.com
//
A Türkiye-linked hacking group, tracked by Microsoft as Marbled Dust, has been exploiting a zero-day vulnerability, CVE-2025-27920, in the Output Messenger application since April 2024. This espionage campaign has targeted Kurdish military personnel operating in Iraq, resulting in the collection of related user data. The vulnerability impacts Output Messenger version 2.0.62 and involves a directory traversal flaw that allows remote attackers to access and execute arbitrary files. A fix was released by the developer, Srimax, in late December 2024 with version 2.0.63.
The attack chain commences with the threat actor gaining authenticated access to Output Messenger's Server Manager. It is suspected that Marbled Dust uses techniques like DNS hijacking or typosquatted domains to intercept the credentials required for authentication. This access is then abused to collect user credentials and exploit CVE-2025-27920 to drop malicious payloads. These payloads include scripts like "OM.vbs" and "OMServerService.vbs" into the server's startup folder, and an executable "OMServerService.exe" into the server's "Users/public/videos" directory. The final stage involves the execution of a multi-stage backdoor deployment. The "OMServerService.vbs" script is used to invoke "OM.vbs" and "OMServerService.exe." The latter is a Golang backdoor that connects to a hard-coded domain, "api.wordinfos[.]com," for data exfiltration. On the client side, the installer extracts and executes both the legitimate OutputMessenger.exe file and OMClientService.exe, another Golang backdoor. This client-side backdoor also connects to a Marbled Dust command-and-control (C2) domain, enabling further malicious activities. Recommended read:
References :
Sead Fadilpašić@techradar.com
//
ASUS DriverHub Vulnerabilities Expose Users to RCE - Critical security flaws were discovered in ASUS DriverHub, allowing remote code execution, emphasizing the need for immediate updates.
ImgSrc: cdn.mos.cms.fut
ASUS DriverHub, a driver management utility designed to simplify updates by automatically detecting motherboard models, is facing scrutiny following the discovery of critical security flaws. Cybersecurity researchers identified vulnerabilities, designated as CVE-2025-3462 and CVE-2025-3463, that could allow malicious actors to remotely execute code on systems with the software installed. These flaws stem from insufficient HTTP request validation, potentially enabling unauthorized remote interactions with the software and the ability for malicious sites to execute commands with administrative rights.
Researchers discovered a one-click remote code execution vulnerability in ASUS's pre-installed DriverHub software. The attack vector involves tricking users into visiting a malicious subdomain of driverhub.asus[.]com. By leveraging the DriverHub's UpdateApp endpoint, attackers can execute a legitimate version of "AsusSetup.exe" with modified parameters that enable the execution of arbitrary files hosted on the attacker's domain. This exploit requires the creation of a malicious domain hosting three files: the payload, a modified AsusSetup.ini with a "SilentInstallRun" property pointing to the payload, and the legitimate AsusSetup.exe. ASUS has released an update, version 1.0.6.0 or newer, to address these vulnerabilities and urges users to update immediately. The update includes important security fixes to mitigate the risk of remote code execution. Users are advised to open the ASUS DriverHub utility and click the "Update Now" button to complete the patching process. While there are no confirmed cases of active exploitation in the wild, a proof of concept exploit exists, highlighting the potential danger, especially for sectors relying heavily on ASUS motherboards. Recommended read:
References :
@blog.checkpoint.com
//
References:
Check Point Blog
, Kaspersky official blog
,
Ransomware attacks have surged in 2025, evolving into more sophisticated and dangerous threats than ever before. What started as simple file encryption schemes has morphed into full-blown extortion ecosystems. These modern attacks now involve data exfiltration, public shaming of victims, and even DDoS attacks, marking a significant escalation in cybercriminal tactics. According to Check Point Research, the first quarter of 2025 saw a record-breaking 2,289 victims published on data leak sites, representing a staggering 126% year-over-year increase, demonstrating the growing threat volume and the evolving tactics employed by attackers.
The rise of Ransomware-as-a-Service (RaaS) has also significantly contributed to the increased threat landscape. Check Point's 2024 Annual Ransomware Report revealed that 46 new ransomware groups emerged in that year alone, a 48% increase compared to the previous year. These groups offer ready-made ransomware kits, lowering the barrier to entry for cybercriminals and enabling a wider range of actors to launch attacks. Experts are particularly concerned about the potential for "triple extortion" models, which combine DDoS attacks, public leak threats, and direct harassment of customers or partners to pressure victims into paying ransoms. In addition to the increasing sophistication of ransomware itself, cybercriminals are also abusing legitimate tools to blend in with compromised environments. The Cactus ransomware gang, for example, has been known to direct victims to initiate Microsoft Quick Assist remote access sessions, even assisting them with the installation of the program. With Anti-Ransomware Day being on May 12, organizations are urged to prioritize proactive defenses, incident response planning, and employee awareness training to mitigate the growing risk of ransomware attacks in 2025 and beyond. Recommended read:
References :
@cyberinsider.com
//
References:
cyberinsider.com
Recent reports highlight a surge in the exploitation of critical software vulnerabilities across various platforms. These vulnerabilities, affecting both widely used software like Microsoft products and open-source tools such as the Linux kernel, pose significant risks to system security. A particularly concerning flaw has been identified in ASUS DriverHub, potentially allowing remote code execution with administrative privileges. This highlights the persistent challenge of maintaining secure software ecosystems and the importance of vigilant monitoring and rapid patching.
The vulnerabilities span a range of severity levels, with some enabling privilege escalation and remote code execution, as demonstrated by the ASUS DriverHub flaw. Cyble has issued weekly vulnerability reports, emphasizing the presence of zero-day vulnerabilities and active exploits targeting popular IT products. Specific details include Commvault updating its advisory for a critical Commvault Command Center Vulnerability (CVE-2025-34028) and Ubuntu releasing a security notice (USN-7506-3) addressing multiple vulnerabilities within the Linux kernel (FIPS). These instances underscore the need for comprehensive vulnerability management strategies for both enterprises and individual users. Security experts emphasize the critical role of timely patching and robust vulnerability management practices in mitigating these risks. For example, Arctic Wolf noted that updating to Commvault versions 11.38.20 or 11.38.25 alone is insufficient to fully address the CVE-2025-34028 vulnerability. Ubuntu users are advised to perform a standard system update followed by a reboot to apply the necessary Linux kernel fixes, while also being aware of the need to recompile and reinstall third-party kernel modules due to an unavoidable ABI change. Organizations are urged to implement proactive security measures, including continuous monitoring, vulnerability scanning, and rapid deployment of security patches to protect their systems from exploitation. Recommended read:
References :
@cyberpress.org
//
Mitel SIP Phone Vulnerabilities Allow Command Injection - Critical vulnerabilities have been discovered in Mitel SIP phones, allowing attackers to execute arbitrary commands and upload malicious files.
ImgSrc: blogger.googleu
Critical security vulnerabilities have been discovered in Mitel SIP phones, potentially exposing enterprise communication systems to unauthorized access and control. The flaws impact widely deployed models, including the 6800, 6900, and 6900w Series, as well as the 6970 Conference Unit. These vulnerabilities include a command injection flaw (CVE-2025-47188) and an unauthenticated file upload vulnerability (CVE-2025-47187). Mitel has issued a security advisory, MISA-2025-0004, urging users to update their devices immediately.
Mitel's critical command injection vulnerability (CVE-2025-47188) allows unauthenticated attackers with network access to execute arbitrary commands on affected phones. The flaw stems from insufficient sanitization of parameters within the device’s web management interface. With a CVSS score of 9.8, exploitation of this vulnerability could grant attackers control over the device, enabling them to exfiltrate sensitive data, alter system settings, and disrupt operations. This could also allow attackers to use the compromised device as a foothold to pivot deeper into enterprise networks. The affected devices are Mitel 6800, 6900, and 6900w Series SIP Phones, and the 6970 Conference Unit running firmware version R6.4.0.SP4 or earlier. Mitel recommends upgrading to firmware version R6.4.0.SP5 or newer releases to mitigate these risks. While Mitel suggests keeping SIP phones on protected internal networks, organizations with expansive and poorly segmented networks remain at heightened risk. Recommended read:
References :
@www.webroot.com
//
References:
www.eweek.com
, www.webroot.com
Cybercriminals are increasingly using sophisticated tactics to deceive individuals and steal sensitive information. One common method involves sending fraudulent text messages, known as smishing, that impersonate legitimate businesses like delivery services or banks. These scams often entice victims to click on malicious links, leading to identity theft, financial loss, or the installation of malware. Webroot emphasizes mobile security, particularly protecting phones from text scams with potential identity theft and malware planting. The Federal Trade Commission reported that consumers lost $470 million to scams initiated through text messages in 2024.
Google is intensifying its efforts to combat these online threats by integrating artificial intelligence across its various platforms. The company is leveraging AI in Search, Chrome, and Android to identify and block scam attempts more effectively. Google's AI-powered defenses are capable of detecting 20 times more scam pages than before, significantly improving the quality of search results. Furthermore, AI is used to identify fraudulent websites, app notifications, calls, and direct messages, helping to safeguard users from various scam tactics. A key component of Google's enhanced protection is the integration of Gemini Nano, a lightweight, on-device AI model, into Chrome. This allows for instant identification of scams, even those that haven't been previously encountered. When a user navigates to a potentially dangerous page, Chrome evaluates the page using Gemini Nano, which extracts security signals to determine the intent of the page. This information is then sent to Safe Browsing for a final verdict, adding an extra layer of protection against evolving online threats. Recommended read:
References :
@cyberpress.org
//
A new method has emerged for stealing Microsoft Entra refresh tokens using Beacon Command & Control (C2) frameworks. This novel technique leverages browser-based authorization flows and Windows API functions to bypass traditional detection mechanisms, allowing attackers to maintain persistent access to cloud resources, even on devices not joined to a domain. The exploit utilizes Beacon Object Files (BOFs) to extract Entra tokens from compromised endpoints, posing a significant risk to enterprise cloud environments. By exploiting the OAuth 2.0 authorization code flow with modifications for offensive operations, attackers can initiate a hidden browser session and scrape the authorization code from the browser window title using the GetWindowTextA Win32 API.
The attack method capitalizes on First-Party Client IDs (FOCI) such as Microsoft Teams, allowing access to multiple Microsoft services through "family refresh tokens." This provides operational advantages by blending token requests with legitimate user activity as they originate from the compromised host's IP address. Furthermore, it is compatible with Bring Your Own Device (BYOD) scenarios, where traditional Primary Refresh Token (PRT) extraction methods fail. After acquiring refresh tokens, attackers can conduct AzureAD reconnaissance via tools like ROADrecon. A separate but related flaw in Microsoft Entra ID's legacy login process has also been exploited to bypass MFA and Conditional Access, targeting admin accounts across various sectors including finance, healthcare, manufacturing, and technology. This vulnerability resides in the Basic Authentication Version 2 – Resource Owner Password Credential (BAV2ROPC), a legacy login method that allows authentication using simple usernames and passwords. The attacks, which occurred between March 18 and April 7, 2025, demonstrate the dangers of outdated authentication protocols in cloud environments, highlighting how attackers can circumvent modern protections by exploiting compatibility features within Entra ID. Recommended read:
References :
@cyberalerts.io
//
A new malware campaign is exploiting the hype surrounding artificial intelligence to distribute the Noodlophile Stealer, an information-stealing malware. Morphisec researcher Shmuel Uzan discovered that attackers are enticing victims with fake AI video generation tools advertised on social media platforms, particularly Facebook. These platforms masquerade as legitimate AI services for creating videos, logos, images, and even websites, attracting users eager to leverage AI for content creation.
Posts promoting these fake AI tools have garnered significant attention, with some reaching over 62,000 views. Users who click on the advertised links are directed to bogus websites, such as one impersonating CapCut AI, where they are prompted to upload images or videos. Instead of receiving the promised AI-generated content, users are tricked into downloading a malicious ZIP archive named "VideoDreamAI.zip," which contains an executable file designed to initiate the infection chain. The "Video Dream MachineAI.mp4.exe" file within the archive launches a legitimate binary associated with ByteDance's CapCut video editor, which is then used to execute a .NET-based loader. This loader, in turn, retrieves a Python payload from a remote server, ultimately leading to the deployment of the Noodlophile Stealer. This malware is capable of harvesting browser credentials, cryptocurrency wallet information, and other sensitive data. In some instances, the stealer is bundled with a remote access trojan like XWorm, enabling attackers to gain entrenched access to infected systems. Recommended read:
References :
|
