CyberSecurity updates
2025-01-31 00:30:52 Pacific

Fake Malware Builder Backdoors 18000 Users - 3d

A threat actor has successfully targeted low-skilled hackers, often referred to as ‘script kiddies,’ by distributing a fake malware builder. Instead of the advertised builder, the download secretly infects the user’s system with a backdoor. This method allowed the attacker to compromise over 18,000 devices, highlighting a serious issue in the threat landscape. It shows that even low-skilled attackers can be targets and may unknowingly become victims.

Juniper Routers Targeted by J-Magic Malware - 6d

A sophisticated campaign dubbed ‘J-Magic’ has been discovered targeting enterprise-grade Juniper routers. Attackers are using ‘magic packets’ to trigger a custom cd00r variant, allowing them to establish a reverse shell and gain full access. The J-Magic malware was found to be active from 2023 until at least mid-2024. It passively monitors the network for these ‘magic packets’, which are specially crafted TCP packets, so no listening port is exposed until one arrives. This allows for data exfiltration, device takeover, and further malware deployment. The campaign targeted the semiconductor, energy, manufacturing, and IT sectors.

TalkTalk Investigates Alleged Data Grab - 4d

UK telco TalkTalk is investigating a potential data breach, after a threat actor offered the data of millions of its current and former customers on a cybercrime forum. The investigation is in progress, but the claims suggest a potential exfiltration of sensitive user data. This incident highlights the ongoing challenges of safeguarding user data in the telecommunications sector. The claims about data size might be overstated.

The fact that a threat actor is attempting to sell user data on a cybercrime forum is a big risk. The incident highlights the need for telcos to invest more into security practices. It also shows that customers are at risk of their data being exposed via a third party.

Ransomware Groups Exploit Microsoft Office 365 - 5d

Two ransomware groups, tracked as STAC5143 and STAC5777, are actively exploiting Microsoft 365 services and default settings to gain access to internal enterprise users. These groups are using their own Microsoft 365 tenants to target organizations, underscoring significant security risks. These attacks highlight the need for enhanced security measures on the Microsoft 365 platform to defend against ransomware.

Hewlett Packard Enterprise Data Breach Claim - 10d

Threat actor IntelBroker has claimed responsibility for a breach of Hewlett Packard Enterprise (HPE), a major IT provider. The group allegedly gained access to sensitive data, including source code, certificates, and PII, which is now reportedly available for sale on the dark web. The extent of the data compromise and its potential impact on customers and partners requires further assessment.

PowerSchool Data Breach Impacts Millions - 13d

PowerSchool, a provider of education software, has suffered a data breach impacting millions of students and educators. Hackers stole historical data by compromising customer support portal credentials. This has led to the exfiltration of sensitive information from school districts in the US and Canada, highlighting the serious risks in educational institutions and the need for stronger security measures.

US Treasury Hacked by Chinese APT Group - 12d

The US Treasury Department sanctioned a Chinese cybersecurity firm, Sichuan Juxinhe, and a Shanghai-based hacker, Yin Kecheng, for their involvement in the Salt Typhoon cyberattacks. These attacks targeted major US telecom companies, compromising sensitive data and the US Treasury’s network, including systems used for sanctions and foreign investment reviews, and even impacted the computer of the outgoing Treasury Secretary Janet Yellen. This highlights the ongoing sophisticated cyber espionage campaigns from China targeting critical infrastructure and government entities within the US and globally. The sanctioned entities are directly linked to the Chinese Ministry of State Security (MSS), and used a combination of zero-day exploits and other techniques for infiltrating networks and exfiltrating data. The compromise of the Department of the Treasury’s network is considered a major breach, potentially impacting national security due to access to sensitive information.

Silk Typhoon Breaches US Treasury, CFIUS - 20d

The Chinese state-sponsored hacking group ‘Silk Typhoon’ has been linked to a significant breach of a US Treasury agency in December 2024, with further reports indicating they also compromised the Committee on Foreign Investment in the United States (CFIUS), which assesses national security risks associated with foreign investments. The attackers are suspected to have stolen sensitive information from both the Treasury and the CFIUS, which has raised significant concerns in the US government. This coordinated attack demonstrates a pattern of sophisticated cyber espionage activities by the Silk Typhoon group.

DOJ Removes China's PlugX Malware from US Computers - 14d

The US Department of Justice, with the FBI, conducted a multi-month operation to remove the PlugX malware from over 4,200 infected computers in the United States. PlugX is a remote access trojan (RAT) widely used by threat actors associated with the People’s Republic of China. This action targeted the command and control infrastructure used by these actors to compromise systems, disrupting their ability to maintain persistent access and conduct further malicious activities on affected networks. The operation underscores the US government’s proactive efforts in combating state-sponsored cyber espionage activities, aiming to neutralize threats before they can be further leveraged for malicious purposes.

PowerSchool Breach Exposes Student Teacher Data - 21d

A recent cyberattack on PowerSchool has resulted in the compromise of all historical student and teacher data. The breach has affected multiple US school districts, exposing highly sensitive personal information. The impacted data includes all student and teacher records stored within PowerSchool’s systems. This breach represents a significant risk to the privacy and security of student and teacher information.

China-linked Hackers Infiltrate US Treasury - 12d

A Chinese state-sponsored hacking group, known as Silk Typhoon, infiltrated over 400 computers belonging to the US Treasury Department. The hackers gained access to sensitive information, including sanctions materials, travel data, and foreign investment metrics. The breach targeted computers focusing on sanctions, international affairs, and intelligence. The attackers were likely operating outside of normal working hours to avoid detection. The incident highlights the growing threat posed by state-sponsored hacking groups, particularly those operating from China.