CyberSecurity news

FlagThis - #Cybersecurity

@www.microsoft.com //
References: Source , Yubico
The digital landscape is witnessing a significant shift in authentication methods, with passkeys emerging as a secure and user-friendly alternative to traditional passwords. This evolution has led to the celebration of the inaugural World Passkey Day, marking a pivotal moment in the journey towards a passwordless future. As passwords have long been a source of vulnerability and frustration, the rise of passkeys promises simpler and safer sign-ins, enhancing overall digital security by eliminating the inherent weaknesses associated with passwords.

Microsoft and Yubico are at the forefront of this movement, actively promoting the adoption of passkeys. Microsoft is rolling out updates designed for simpler, safer sign-ins, making passkeys more accessible and convenient for users. Yubico, a strong advocate for ditching passwords altogether, emphasizes the importance of embracing passkeys for a more secure digital future. This collaborative effort underscores the industry's commitment to transitioning to a passwordless authentication system.

The transition to passkeys is not merely a technological upgrade but a fundamental shift in how we approach digital security. As highlighted by Microsoft, the number of password-based cyberattacks has dramatically increased, with a staggering 7,000 password attacks per second observed last year. Passkeys, being resistant to phishing and brute-force attacks, offer a robust defense against these threats. By celebrating World Passkey Day and actively promoting the adoption of passkeys, the industry aims to create a safer and more secure online experience for everyone.

Recommended read:
References :
  • Source: Pushing passkeys forward: Microsoft’s latest updates for simpler, safer sign-ins
  • Yubico: Have you ever been stuck in a relationship with someone who constantly lets you down, exposes your secrets, and leaves you vulnerable?

@doublepulsar.com //
The DragonForce ransomware group has claimed responsibility for cyberattacks targeting major UK retailers including Co-op, Marks & Spencer, and Harrods. The attacks, which began in recent weeks, have caused significant service disruptions, affecting payment systems, inventory, payroll, and other critical business functions. DragonForce, which emerged in August 2023, initially presented itself as a Pro-Palestine hacktivist operation but has since shifted its focus to financial gain and extortion, targeting government entities, commercial enterprises, and organizations aligned with specific political causes. The group operates a multi-extortion model, threatening victims with data leakage and reputational damage, and is also known to heavily target law firms and medical practices.

DragonForce employs social engineering tactics to gain initial access to retail networks, often "walking in the front door" via helpdesks to obtain MFA access. Once inside, they move laterally, using tools like Teams and Office search to locate and exfiltrate valuable documentation. According to cybersecurity expert Kevin Beaumont, defenders should review CISA briefs on Scattered Spider and LAPSUS$, as the tactics mirror those used in previous breaches at Nvidia, Samsung, Rockstar, and Microsoft. DragonForce functions as a white-label cartel, allowing other cybercriminals to use their ransomware platform, encryptor, and infrastructure, taking a 20% cut of any ransom obtained.

Co-op has confirmed that customer data was stolen in the attack, admitting that the hackers were able to access and extract data from one of their systems. The accessed data included information relating to a significant number of current and past members, such as names and contact details. However, the retailer stated that members' passwords, bank or credit card details, transactions, or information relating to any members' or customers' products were not compromised. DragonForce claims to have stolen data from 20 million customers, a number the Co-op has not confirmed. The BBC reports that DragonForce shared databases with them that include usernames and passwords of all employees.

Recommended read:
References :
  • DataBreaches.Net: Marks & Spencer breach linked to Scattered Spider ransomware attack
  • Davey Winder: Harrods is the latest major U.K. retailer to confirm a cyberattack as M&S continues to struggle with ransomware strike fallout.
  • securityaffairs.com: Luxury department store Harrods suffered a cyberattack
  • The Register - Security: British govt agents step in as Harrods becomes third mega retailer under cyberattack
  • www.itpro.com: Harrods hit by cyber attack as UK retailers battle threats
  • Graham Cluley: Uh-oh. Marks & Spencer, Co-op, and now Harrods is the latest high profile UK retailer to be hit by what is (most likely) a attack. No organisation is 100% safe.
  • techcrunch.com: UK retail giant Co-op warns of disruption as it battles cyberattack
  • Bloomberg Technology: DragonForce hacking gang takes credit for UK retail attacks
  • NCSC News Feed: NCSC statement: Incident impacting retailers
  • Resources-2: Retail Under Fire: Inside the DragonForce Ransomware Attacks on Industry Giants
  • Zack Whittaker: Bloomberg reporting that DragonForce ransomware gang "and its partners" were behind cyberattacks targeting U.K. retail giants Marks & Spencer, Co-op and Harrods. The gang also claimed to have stolen customer data.
  • doublepulsar.com: DragonForce Ransomware Cartel attacks on UK high street retailers: walking in the front door
  • Metacurity: Harrods becomes the third top UK retailer to fend off a cyberattack
  • hackread.com: UK Retailer Harrods Hit by Cyber Attack After M&S, Co-op
  • NPR Topics: Technology: Harrods, the iconic luxury department store, has become the latest British retailer to fall victim to a cyberattack.
  • bsky.app: Uh-oh. Marks & Spencer, Co-op, and now Harrods is the latest high profile UK retailer to be hit by what is (most likely) a #ransomware attack.
  • www.sentinelone.com: DragonForce Ransomware Gang | From Hacktivists to High Street Extortionists
  • securityaffairs.com: DragonForce group claims the theft of data after Co-op cyberattack
  • BleepingComputer: Cybersecurity firm BleepingComputer reported the Co-op's confirmation of significant data theft, contrasting with previous downplayed assessments of the incident.
  • DataBreaches.Net: Co-op hackers boast of ‘stealing 20 million customers’ data’ – as retailer admits impacts of ‘significant’ attack
  • www.bbc.co.uk: The BBC reports on DragonForce's attacks on Co-op, details data theft.
  • www.thetimes.com: The Sunday Times article details the DragonForce attack on Marks & Spencer.
  • Help Net Security: The Co-op hack is detailed with an update of stolen data and the impact on the company's systems.

info@thehackernews.com (The@The Hacker News //
Cybersecurity firm SentinelOne has become a prime target for state-sponsored threat actors from China and North Korea. SentinelOne, which provides autonomous endpoint protection using AI and machine learning to Fortune 10 and Global 2000 enterprises, government agencies, and managed service providers, is facing persistent cyber espionage and infiltration attempts. A recent analysis by SentinelOne revealed that Chinese actors are actively targeting both the company and its high-value clients, engaging in reconnaissance activities against SentinelOne’s infrastructure and specific organizations they defend.

SentinelOne uncovered a China-nexus threat cluster dubbed PurpleHaze, which conducted reconnaissance attempts against its infrastructure and some of its high-value customers. Researchers first became aware of this group during a 2024 intrusion against an organization that was previously providing hardware logistics services for SentinelOne employees. PurpleHaze is assessed to be a hacking crew with loose ties to another state-sponsored group known as APT15 and has been observed targeting a South Asian government-supporting entity, employing an operational relay box (ORB) network and a Windows backdoor dubbed GoReShell.

North Korean actors have also been targeting SentinelOne, attempting to infiltrate the company through a fake IT worker campaign. The company is tracking approximately 360 fake personas and over 1,000 job applications linked to DPRK IT worker operations applying for roles at SentinelOne and SentinelLabs Intelligence. SentinelOne has warned of threat actors targeting its systems and high-value clients, emphasizing that cybersecurity providers are attractive targets due to the potential for significant compromise and the insights into how thousands of environments and millions of endpoints are protected.

Recommended read:
References :
  • securityaffairs.com: SentinelOne warns of threat actors targeting its systems and high-value clients
  • The Hacker News: SentinelOne Uncovers Chinese Espionage Campaign Targeting Its Infrastructure and Clients
  • www.techradar.com: SentinelOne targeted by Chinese espionage campaign probing customers and infrastructure
  • www.scworld.com: Report: Cyber threats bombard cybersecurity vendors

@industrialcyber.co //
Nova Scotia Power and its parent company, Emera Inc., are actively responding to a cybersecurity incident that has impacted their Canadian IT network. The companies detected unauthorized access to parts of their network and servers which support certain business applications. Immediately upon discovering the intrusion, both companies activated their incident response and business continuity protocols. Top-tier third-party cybersecurity experts have been engaged to assist in isolating the affected systems and preventing any further unauthorized access.

Law enforcement agencies have been notified and an investigation is currently underway. Despite the breach, Emera and Nova Scotia Power stated that there has been no disruption to any of their Canadian physical operations. This includes Nova Scotia Power's generation, transmission, and distribution facilities, as well as the Maritime Link and the Brunswick Pipeline. The incident has not affected the utility's ability to safely and reliably serve its customers in Nova Scotia, nor has it impacted Emera's utilities in the U.S. or the Caribbean.

The IT team is working diligently with cybersecurity experts to restore the affected portions of the IT system back online. Nova Scotia Power customers can find the latest updates online. Emera is scheduled to publish its first quarter financial statements and management disclosure on May 8, 2025, as planned. Currently, the incident is not expected to have a material impact on the financial performance of the business.

Recommended read:
References :
  • industrialcyber.co: Emera, Nova Scotia Power respond to cybersecurity breach; incident response teams mobilized
  • securityaffairs.com: Canadian electric utility Nova Scotia Power and parent company Emera suffered a cyberattack
  • cyberinsider.com: Nova Scotia Power Says Cybersecurity Incident Impacting IT Systems
  • www.scworld.com: Cyberattack impacts Nova Scotia Power's systems
  • www.cybersecurity-insiders.com: Canadian electric utility Nova Scotia Power and parent company Emera are facing a cyberattack that disrupted their IT systems and networks.

@blogs.nvidia.com //
Oracle Cloud Infrastructure (OCI) is now deploying thousands of NVIDIA Blackwell GPUs to power agentic AI and reasoning models. OCI has stood up and optimized its first wave of liquid-cooled NVIDIA GB200 NVL72 racks in its data centers, enabling customers to develop and run next-generation AI agents. The NVIDIA GB200 NVL72 platform is a rack-scale system combining 36 NVIDIA Grace CPUs and 72 NVIDIA Blackwell GPUs, delivering performance and energy efficiency for agentic AI powered by advanced AI reasoning models. Oracle aims to build one of the world's largest Blackwell clusters, with OCI Superclusters scaling beyond 100,000 NVIDIA Blackwell GPUs to meet the growing demand for accelerated computing.

This deployment includes high-speed NVIDIA Quantum-2 InfiniBand and NVIDIA Spectrum-X Ethernet networking for scalable, low-latency performance, along with software and database integrations from NVIDIA and OCI. OCI is among the first to deploy NVIDIA GB200 NVL72 systems, and this deployment marks a transformation of cloud data centers into AI factories. These AI factories are designed to manufacture intelligence at scale, leveraging the NVIDIA GB200 NVL72 platform. OCI offers flexible deployment options to bring Blackwell to customers across public, government, and sovereign clouds, as well as customer-owned data centers.

These new racks are the first systems available from NVIDIA DGX Cloud, an optimized platform with software, services, and technical support for developing and deploying AI workloads on clouds. NVIDIA will utilize these racks for various projects, including training reasoning models, autonomous vehicle development, accelerating chip design and manufacturing, and developing AI tools. In related cybersecurity news, Cisco Foundation AI has released its first open-source security model, Llama-3.1-FoundationAI-SecurityLLM-base-8B, designed to improve response time, expand capacity, and proactively reduce risk in security operations.

Recommended read:
References :
  • NVIDIA Newsroom: Oracle has stood up and optimized its first wave of liquid-cooled NVIDIA GB200 NVL72 racks in its data centers.
  • Security @ Cisco Blogs: Foundation AI's first release — Llama-3.1-FoundationAI-SecurityLLM-base-8B — is designed to improve response time, expand capacity, and proactively reduce risk.
  • insidehpc.com: Nvidia said Oracle has stood up its first wave of liquid-cooled NVIDIA GB200 NVL72 racks in its data centers.
  • www.networkworld.com: Palo Alto Networks unpacks security platform to protect AI resources

@www.welivesecurity.com //
A China-aligned advanced persistent threat (APT) group known as TheWizards is actively exploiting a vulnerability in IPv6 networking to launch sophisticated adversary-in-the-middle (AitM) attacks. These attacks allow the group to hijack software updates and deploy Windows malware onto victim systems. ESET Research has been tracking TheWizards' activities since at least 2022, identifying targets including individuals, gambling companies, and other organizations in the Philippines, the United Arab Emirates, Cambodia, mainland China, and Hong Kong. The group leverages a custom-built tool named Spellbinder to facilitate these attacks.

The Spellbinder tool functions by abusing the IPv6 Stateless Address Autoconfiguration (SLAAC) feature. It performs SLAAC spoofing to redirect IPv6 traffic to a machine controlled by the attackers, effectively turning it into a malicious IPv6-capable router. This enables the interception of network packets and DNS queries, specifically targeting software update domains. In a recent case, TheWizards hijacked updates for Tencent QQ, a popular Chinese software, to deploy their signature WizardNet backdoor.

ESET's investigation has also uncovered potential links between TheWizards and the Chinese company Dianke Network Security Technology, also known as UPSEC. The attack chain typically involves an initial access vector followed by the deployment of a ZIP archive containing files such as AVGApplicationFrameHost.exe, wsc.dll, log.dat, and winpcap.exe. The execution of these files ultimately leads to the launch of Spellbinder, which then carries out the AitM attack. Researchers advise users to be cautious about software updates and monitor network traffic for any suspicious activity related to IPv6 configurations.

Recommended read:
References :
  • BleepingComputer: A China-aligned APT threat actor named 'TheWizards' abuses an IPv6 networking feature to launch adversary-in-the-middle (AitM) attacks that hijack software updates to install Windows malware.
  • The Hacker News: Chinese Hackers Abuse IPv6 SLAAC for AitM Attacks via Spellbinder Lateral Movement Tool
  • ESET Research: Details the toolset of the China-aligned APT group that we have named . It can move laterally on compromised networks by performing adversary-in-the-middle (AitM) attacks to hijack software updates.
  • BleepingComputer: A China-aligned APT threat actor named 'TheWizards' abuses an IPv6 networking feature to launch adversary-in-the-middle (AitM) attacks that hijack software updates to install Windows malware.
  • www.welivesecurity.com: Links between and the Chinese company Dianke Network Security Technology, also known as UPSEC.
  • www.bleepingcomputer.com: The China-aligned APT threat actor abuses an IPv6 networking feature to launch adversary-in-the-middle (AitM) attacks that hijack software updates to install Windows malware.
  • The DefendOps Diaries: Unveiling the Threat: How 'The Wizards' Exploit IPv6 for Cyber Attacks
  • Security Risk Advisors: TheWizards APT Group Targets Southeast Asian Governments Using Rootkits and Cloud Tools
  • bsky.app: TheWizards APT group abuses an IPv6 networking feature to launch adversary-in-the-middle (AitM) attacks that hijack software updates to install Windows malware.
  • cyberinsider.com: Chinese Hackers Use IPv6 SLAAC Spoofing to Deliver WizardNet Backdoor
  • WeLiveSecurity: ESET researchers analyzed Spellbinder, a lateral movement tool used to perform adversary-in-the-middle attacks
  • www.scworld.com: IPv6 SLAAC exploited by Chinese APT for AitM attacks
  • Blog: ‘TheWizards’ exploit IPv6 feature as part of AitM attacks
  • Cyber Security News: Hackers Abuse IPv6 Stateless Address For AiTM Attack Via Spellbinder Tool
  • cybersecuritynews.com: Hackers Abuse IPv6 Stateless Address For AiTM Attack Via Spellbinder Tool

Ddos@securityonline.info //
Cybersecurity firm SonicWall has issued warnings to its customers regarding active exploitation of several vulnerabilities affecting its Secure Mobile Access (SMA) appliances. These vulnerabilities, including CVE-2024-38475, CVE-2023-44221 and CVE-2021-20035 can lead to unauthorized access to files and system compromise. Organizations utilizing SonicWall SMA 100 series appliances are strongly urged to apply the necessary patches immediately to mitigate the risk. The active exploitation highlights the critical need for organizations to maintain up-to-date security measures and promptly address security advisories from vendors.

Specifically, CVE-2024-38475 is a critical severity flaw affecting the mod_rewrite module of Apache HTTP Server, potentially allowing unauthenticated remote attackers to execute code. SonicWall addressed this issue in firmware version 10.2.1.14-75sv and later. CVE-2023-44221, a high-severity command injection flaw, allows attackers with administrative privileges to inject arbitrary commands. CVE-2021-20035, an OS command injection vulnerability, which has been actively exploited in the wild since January 2025.

The exploitation of these vulnerabilities has prompted advisories and updates, including CISA adding CVE-2021-20035 to its Known Exploited Vulnerabilities catalog. Security researchers have observed active scanning for CVE-2021-20016. It is paramount that organizations proactively manage and patch vulnerabilities to protect their networks and sensitive data.

Recommended read:
References :
  • The DefendOps Diaries: Understanding SonicWall SMA100 Vulnerabilities: Risks and Mitigation
  • BleepingComputer: SonicWall: SMA100 VPN vulnerabilities now exploited in attacks
  • Arctic Wolf: SonicWall Updates Advisories for Actively Exploited Vulnerabilities
  • isc.sans.edu: Web Scanning Sonicwall for CVE-2021-20016, (Tue, Apr 29th)
  • thehackernews.com: SonicWall Confirms Active Exploitation of Flaws Affecting Multiple Appliance Models
  • securityonline.info: SonicWall confirms active exploitation of SMA 100 vulnerabilities – urges immediate patching
  • Talkback Resources: SonicWall disclosed exploited security flaws in SMA100 Secure Mobile Access appliances, including OS Command Injection and Apache HTTP Server mod_rewrite issues, with patches released in versions 10.2.1.10-62sv and 10.2.1.14-75sv.
  • www.bleepingcomputer.com: SonicWall: SMA100 VPN vulnerabilities now exploited in attacks
  • arcticwolf.com: Follow-Up: SonicWall Updates Advisories for Actively Exploited Vulnerabilities
  • securityonline.info: SecurityOnline
  • Talkback Resources: SonicWall Confirms Active Exploitation of Flaws Affecting Multiple Appliance Models [net]
  • arcticwolf.com: Follow-Up: SonicWall Updates Advisories for Actively Exploited Vulnerabilities
  • es-la.tenable.com: Web Scanning Sonicwall for CVE-2021-20016, (Tue, Apr 29th)
  • Arctic Wolf: Follow-Up: SonicWall Updates Advisories for Actively Exploited Vulnerabilities
  • bsky.app: Cybersecurity company SonicWall has warned customers that several vulnerabilities impacting its Secure Mobile Access (SMA) appliances are now being actively exploited in attacks.
  • securityaffairs.com: SonicWall confirmed that threat actors actively exploited two vulnerabilities impacting its SMA100 Secure Mobile Access (SMA) appliances.
  • securityaffairs.com: U.S. CISA adds SonicWall SMA100 and Apache HTTP Server flaws to its Known Exploited Vulnerabilities catalog
  • MSSP feed for Latest: SonicWall Flags New Wave of VPN Exploits Targeting SMA Devices
  • bsky.app: Security company SonicWall has warned customers that several vulnerabilities impacting its Secure Mobile Access (SMA) appliances are now being actively exploited in attacks.
  • Help Net Security: Attackers exploited old flaws to breach SonicWall SMA appliances (CVE-2024-38475, CVE-2023-44221)
  • www.scworld.com: SonicWall confirms exploitation of two SMA 100 bugs, one critical
  • securityonline.info: SonicWall Issues Patch for SSRF Vulner
  • Talkback Resources: Iranian Hackers Maintain 2-Year Access to Middle East CNI via VPN Flaws and Malware [ics] [net] [mal]
  • The Hacker News: Iranian Hackers Maintain 2-Year Access to Middle East CNI via VPN Flaws and Malware
  • hackread.com: watchTowr Warns of Active Exploitation of SonicWall SMA 100 Devices
  • cyberpress.org: CISA Alerts on Active Exploitation of SonicWall SMA100 Command Injection Flaw
  • www.helpnetsecurity.com: Attackers exploited old flaws to breach SonicWall SMA appliances.
  • watchTowr Labs: SonicBoom, From Stolen Tokens to Remote Shells - SonicWall SMA (CVE-2023-44221, CVE-2024-38475)
  • Talkback Resources: Iranian state-sponsored threat group conducted a long-term cyber intrusion targeting critical national infrastructure in the Middle East, exhibiting tradecraft overlaps with Lemon Sandstorm, using custom malware families and sophisticated tactics to maintain persistence and bypass network segmentation.
  • Cyber Security News: CISA Alerts on Active Exploitation of SonicWall SMA100 Command Injection Flaw
  • securityonline.info: Iranian APT Group Breaches Middle Eastern Critical Infrastructure in Stealth Campaign
  • RedPacket Security: SonicWall Products Multiple Vulnerabilities

Bill Toulas@BleepingComputer //
Cloudflare has released its 2025 Q1 DDoS Threat Report, revealing a staggering increase in Distributed Denial of Service (DDoS) attacks. The report highlights that Cloudflare mitigated 20.5 million DDoS attacks in the first quarter of 2025 alone. This represents a massive 358% year-over-year and 198% quarter-over-quarter increase, nearly matching the total number of attacks recorded throughout all of 2024. The escalating threat landscape underscores the critical need for robust and adaptive cybersecurity measures to protect online infrastructure from malicious actors.

One of the most significant incidents during this period was the mitigation of a record-breaking DDoS attack peaking at 4.8 billion packets per second (Bpps). This hyper-volumetric attack, part of a late-April campaign, presented a substantial technical challenge due to its immense scale and short duration, typically lasting between 35 and 45 seconds. Cloudflare also neutralized a 6.5 terabit-per-second (Tbps) UDP flood. Overall, the company recorded over 700 hyper-volumetric DDoS attacks, each exceeding either 1 Tbps or 1 Bpps, demonstrating the growing sophistication and intensity of these threats.

Network-layer DDoS attacks fueled much of this increase, totaling 16.8 million incidents between January and March 2025. A notable 6.6 million of these attacks targeted Cloudflare's own infrastructure. Attackers are increasingly deploying sophisticated multi-vector campaigns, leveraging tactics such as SYN floods, Mirai-botnet assaults, and SSDP amplification to overwhelm targets from multiple angles. Cloudflare identified two emerging threats: Connectionless Lightweight Directory Access Protocol (CLDAP) attacks, which saw a 3,488% quarter-over-quarter increase, and Encapsulating Security Payload (ESP) attacks, growing by 2,301% in the same period.

Recommended read:
References :
  • cyberpress.org: Cyberpress article on Cloudflare's 2025 DDoS Mitigation
  • The DefendOps Diaries: TheDefendOpsDiaries on Cloudflare's 2025 DDoS Mitigation Achievements
  • BleepingComputer: Internet services giant Cloudflare says it mitigated a record number of DDoS attacks in 2024, recording a massive 358% year-over-year jump and a 198% quarter-over-quarter increase.
  • www.scworld.com: SecurityWorld Article on Cloudflare's 2025 DDoS Mitigation
  • Blog: Cloudflare has reported a significant surge in distributed denial-of-service (DDoS) attacks, marking a new record in 2025.
  • Cyber Security News: Cloudflare mitigated a record 20.5 million DDoS attacks in the first quarter of 2025
  • Anonymous ???????? :af:: In 2025 Q1, Cloudflare blocked +20M attacks (a 358% YoY spike) along with 5.6 Tbps and 4.8 Bpps record-breaking attacks.
  • Cloudflare: DDoS attacks are surging. In 2025 Q1, Cloudflare blocked +20M attacks (a 358% YoY spike) along with 5.6 Tbps and 4.8 Bpps record-breaking attacks. Read more in our latest DDoS Threat Report 👉
  • The Cloudflare Blog: Targeted by 20.5 million DDoS attacks, up 358% year-over-year: Cloudflare’s 2025 Q1 DDoS Threat Report
  • BleepingComputer: Russia-aligned hacktivists persistently target key public and private organizations in the Netherlands with distributed denial of service (DDoS) attacks, causing access problems and service disruptions.
  • The DefendOps Diaries: Pro-Russian hacktivists disrupt Dutch public services with DDoS attacks, highlighting vulnerabilities and resilience in digital infrastructure.
  • www.bleepingcomputer.com: Russia-aligned hacktivists persistently target key public and private organizations in the Netherlands with distributed denial of service (DDoS) attacks, causing access problems and service disruptions.
  • bsky.app: Russia-aligned hacktivists persistently target key public and private organizations in the Netherlands with distributed denial of service (DDoS) attacks, causing access problems and service disruptions.

Swagath Bandhakavi@Tech Monitor //
France has officially accused the APT28 hacking group, linked to Russia's military intelligence service (GRU), of orchestrating a series of cyberattacks against French institutions over the past four years. The French foreign ministry condemned these actions "in the strongest possible terms," highlighting the targeting or breaching of a dozen French entities. The attacks have affected a range of organizations, including public services, private companies, and even a sports organization involved in preparations for the 2024 Olympic Games which was hosted in France.

France views these cyber operations as "unacceptable and unworthy" of a permanent member of the UN Security Council, asserting that Russia has violated international norms of responsible behavior in cyberspace. The ministry emphasized that such destabilizing activities undermine the integrity of international relations and security. This public attribution of the attacks to the GRU signifies a firm stance against Russia's malicious cyber activities and a commitment to defending French interests in the digital realm.

France, alongside its partners, is determined to anticipate, deter, and respond to Russia’s malicious cyber behavior, employing all available means. The French foreign ministry's statement also referenced past incidents, including the 2015 sabotage of TV5Monde and attempts to disrupt the 2017 presidential election, underscoring a pattern of APT28's disruptive activities targeting French interests. The French national agency for information systems security (ANSSI) has released a report on the threat linked to APT28 in order to prevent future attacks.

Recommended read:
References :
  • therecord.media: In a rare public attribution, the French foreign ministry said it “condemns in the strongest possible terms†the actions of the GRU-linked threat actor known as APT28 for attacks against local entities.
  • BleepingComputer: Today, the French foreign ministry blamed the APT28 hacking group linked to Russia's military intelligence service (GRU) for targeting or breaching a dozen French entities over the last four years.
  • www.diplomatie.gouv.fr: Government of attributes a wide range of dating back ten years, targeting the French-hosted 2024 Olympics, prior elections, and against entities like television networks, to Russia's GRU
  • The Record: Mastodon post referencing the French foreign ministry statement that it “condemns in the strongest possible terms†the actions of the GRU-linked threat actor known as APT28 for attacks against local entities.
  • The DefendOps Diaries: The article is about unmasking APT28: The Sophisticated Threat to French Cybersecurity
  • bsky.app: Russian military intelligence cyber operations targeting French entities
  • www.techradar.com: France accuses Russian GRU hackers of targeting French organizations
  • securityaffairs.com: France links Russian APT28 to attacks on dozen French entities
  • Metacurity: France accuses Russia's APT28 of a string of serious cyberattacks going back to 2021
  • Risky.Biz: Risky Bulletin: French government grows a spine and calls out Russia's hacks
  • www.metacurity.com: France accuses Russia's APT28 of a string of serious cyberattacks going back to 2021
  • Tech Monitor: France links Russian military-backed hackers APT28 to multiple cyber intrusions
  • hackread.com: France accuses Russia’s APT28 hacking group (Fancy Bear) of targeting French government entities in a cyber espionage campaign.
  • Risky Business Media: Risky Bulletin: French government grows spine, calls out Russian hacks
  • bsky.app: Russian military intelligence cyber operations targeting French entities. Primarily includes governmental, diplomatic, and research entities, as well as think-tanks.
  • www.scworld.com: French authorities have condemned a long-term cyber-espionage campaign by a Russian military intelligence group, APT28, targeting various French institutions.
  • Andrew ? Brandt ?: The government of attributes a wide range of dating back ten years, targeting the French-hosted 2024 Olympics, prior elections, and against entities like television networks, to Russia's GRU ( ), and condemns them, officially, in a statement posted to their website.
  • www.csoonline.com: France has publicly accused Russias GRU military intelligence agency, specifically its APT28 unit, of orchestrating a sustained cyber campaign targeting French institutions to undermine national stability, Reuters reports.
  • Industrial Cyber: The French foreign ministry has attributed a series of cyberattacks on national interests to APT28, a group linked...
  • industrialcyber.co: The French foreign ministry has attributed a series of cyberattacks on national interests to APT28, a group linked... The post appeared first on .
  • hackread.com: From TV5Monde to Critical Infrastructure: France Blames Russia’s APT28 for Persistent Cyberattacks
  • securityonline.info: APT28 Cyber Espionage Campaign Targets French Institutions Since 2021

@cloud.google.com //
Google's Threat Intelligence Group (GTIG) has released its annual review of zero-day exploits, revealing a concerning shift towards enterprise-targeted attacks in 2024. The report highlights a persistent rise in zero-day exploitation, with 75 vulnerabilities actively exploited in the wild. While this number represents a decrease from the 98 exploits observed in 2023, it remains higher than the 63 recorded in 2022, indicating a continued upward trend. The GTIG's analysis divides these vulnerabilities into two main categories: end-user platforms and products, and enterprise-focused technologies such as security software and appliances.

Of the 75 zero-day exploits tracked in 2024, a significant 44% targeted enterprise products. This indicates a strategic shift from attackers who are increasingly recognizing the value in compromising systems that house sensitive data. In contrast, the exploitation of browsers and mobile devices has decreased, falling by about a third and half, respectively. This shift towards enterprise technologies suggests that attackers are focusing on more lucrative targets that offer greater potential rewards. The GTIG report also notes that exploit chains made up of multiple zero-day vulnerabilities continue to be almost exclusively used to target mobile devices.

Government-backed hackers and commercial surveillance vendors (CSVs) are the primary actors behind many of these exploits. The GTIG report indicates that governments like China and North Korea, along with spyware makers, are responsible for the most recorded zero-days in 2024. Specifically, at least 23 zero-day exploits were linked to government-backed hackers, with 10 directly attributed to governments including five linked to China and five to North Korea. Additionally, spyware makers and surveillance enablers were responsible for eight exploits, suggesting that the industry will continue to grow as long as government customers continue to request and pay for these services.

Recommended read:
References :
  • Threat Intelligence: Hello 0-Days, My Old Friend: A 2024 Zero-Day Exploitation Analysis
  • securityaffairs.com: Google tracked 75 zero-day flaws exploited in 2024, down from 98 in 2023, according to its Threat Intelligence Group’s latest analysis.
  • techcrunch.com: Governments like China and North Korea, along with spyware makers, used the most recorded zero-days in 2024.
  • The Hacker News: Google Reports 75 Zero-Days Exploited in 2024 — 44% Targeted Enterprise Security Products
  • CyberInsider: The Google Threat Intelligence Group (GTIG) has published its annual review of zero-day exploits for 2024, revealing a gradual but persistent rise in zero-day exploitation and a concerning shift towards enterprise-targeted attacks.
  • The Register - Security: Enterprise tech dominates zero-day exploits with no signs of slowdown
  • cyberinsider.com: Google Logs 75 Zero-Days in 2024, Enterprise Attacks at All-Time High
  • securityonline.info: Google Reports 75 Zero-Days Exploited in 2024 — 44% Targeted Enterprise Security Products
  • BleepingComputer: Google's Threat Intelligence Group (GTIG) says attackers exploited 75 zero-day vulnerabilities in the wild last year, over 50% of which were linked to spyware attacks.
  • www.techradar.com: Of all the zero-days abused in 2024, the majority were used in state-sponsored attacks by China and North Korea.
  • thecyberexpress.com: Google's Threat Intelligence Group (GTIG) released its annual analysis of zero-day exploitation, detailing how 2024 saw attackers increasingly target enterprise software and infrastructure over traditional consumer platforms like browsers and mobile devices.
  • Security Risk Advisors: Zero-Day Exploitation Continues to Grow with Shifting Focus Toward Enterprise Security Products
  • socradar.io: Google’s 2024 Zero-Day Report: Key Trends, Targets, and Exploits In late April, Google’s Threat Intelligence Group (GTIG) published its annual report on zero-day exploitation, offering a detailed account of in-the-wild attacks observed throughout 2024. The report draws on GTIG’s original breach investigations, technical analysis, and insights from trusted open-source reporting. GTIG tracked 75 zero-day vulnerabilities
  • cloud.google.com: Threat actors exploited 75 zero-days last year, with 33 of those targeting enterprise products

Pierluigi Paganini@Security Affairs //
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, highlighting the urgent need for organizations to address these security flaws. The newly added vulnerabilities include a code injection flaw in Broadcom Brocade Fabric OS (CVE-2025-1976), an unspecified vulnerability in Commvault Web Server (CVE-2025-3928), and a vulnerability in Qualitia Active! Mail. CISA's inclusion of these vulnerabilities in the KEV catalog indicates that they are being actively exploited in the wild, posing a significant risk to federal enterprises and other organizations.

CISA strongly urges all organizations to prioritize the timely remediation of these Known Exploited Vulnerabilities as part of their vulnerability management practice to reduce their exposure to cyberattacks. The Broadcom Brocade Fabric OS vulnerability (CVE-2025-1976) allows a local user with administrative privileges to execute arbitrary code with full root privileges. The Commvault Web Server vulnerability (CVE-2025-3928) enables a remote, authenticated attacker to create and execute web shells. Successful exploitation of these flaws could lead to significant system compromise and data breaches.

Federal Civilian Executive Branch (FCEB) agencies are mandated to apply the necessary patches for the Commvault Web Server by May 17, 2025, and for Broadcom Brocade Fabric OS by May 19, 2025. While there are currently no public details on how the vulnerabilities have been exploited in the wild, the scale of the attacks, and who may be behind them, organizations are advised to follow CISA's guidance and implement the necessary security updates to protect their systems. Tenable Vulnerability Watch classification system can help organizations prioritize the exposures that represent the greatest risk to their operations.

Recommended read:
References :
  • securityaffairs.com: U.S. CISA adds Qualitia Active! Mail, Broadcom Brocade Fabric OS, and Commvault Web Server flaws to its Known Exploited Vulnerabilities catalog
  • The Hacker News: TheHackerNews article on CISA Adding Actively Exploited Broadcom and Commvault Flaws to KEV Database
  • The DefendOps Diaries: Understanding the Broadcom Brocade Fabric OS Vulnerability: A Critical Security Threat
  • BleepingComputer: CISA tags Broadcom Fabric OS, CommVault flaws as exploited in attacks
  • Help Net Security: CISA warns about actively exploited Broadcom, Commvault vulnerabilities
  • Anonymous ???????? :af:: : Two critical flaws — in Broadcom Fabric OS (CVE-2025-1976) and Commvault Web Server (CVE-2025-3928) — are now on the Known Exploited Vulnerabilities (KEV) list. 🔹 Both bugs are actively exploited. 🔹 Admin access can lead to full system compromise. 🔹 Patching deadlines: May 17–19, 2025.
  • www.scworld.com: Ongoing intrusions leveraging a critical Qualitia flaw in Active! mail 6 and a pair of high-severity bugs in the Commvault webserver and Broadcom Brocade Fabric OS have been reported by the Cybersecurity and Infrastructure Security Agency, which urged the remediation of the issues by May 17 following their inclusion in its Known Exploited Vulnerabilities catalog, according to SecurityWeek.
  • securityaffairs.com: U.S. CISA adds SAP NetWeaver flaw to its Known Exploited Vulnerabilities catalog

@securityonline.info //
Earth Kurma, a newly identified Advanced Persistent Threat (APT) group, has been actively targeting government and telecommunications organizations in Southeast Asia since June 2024. According to reports from Trend Micro and other security firms, the group's activities, which date back to November 2020, primarily focus on cyberespionage and data exfiltration. Countries affected include the Philippines, Vietnam, Thailand, and Malaysia. The threat actors are particularly interested in exfiltrating sensitive data, often utilizing public cloud services like Dropbox and Microsoft OneDrive for this purpose.

Earth Kurma employs a sophisticated blend of custom malware, stealthy rootkits, and living-off-the-land (LotL) techniques. Their arsenal includes tools such as TESDAT, SIMPOBOXSPY, KRNRAT, and MORIYA, the latter two being rootkits designed for persistence and concealing malicious activities. The group's use of rootkits like MORIYA, which intercepts TCP traffic and injects malicious payloads, highlights their advanced evasion capabilities. Notably, Earth Kurma also abuses PowerShell for data collection, using commands to gather files of interest based on file extensions such as PDF, DOC, XLS, and PPT.

Detection strategies focus on monitoring process creations and command-line activities associated with known file extensions used by the group. The group leverages legitimate system tools and features, such as syssetup.dll, to install rootkits, making detection more challenging. While there are overlaps with other APT groups like ToddyCat and Operation TunnelSnake, definitive attribution remains inconclusive. Security researchers emphasize the high business risk posed by Earth Kurma due to their targeted espionage, credential theft, persistent footholds, and data exfiltration via trusted cloud platforms.

Recommended read:
References :
  • securityaffairs.com: SecurityAffairs: Earth Kurma APT is actively targeting government and telecommunications orgs in Southeast Asia
  • securityonline.info: SecurityOnline: Earth Kurma APT Targets Southeast Asia with Stealthy Cyberespionage
  • The Hacker News: TheHackNews: Earth Kurma Targets Southeast Asia With Rootkits and Cloud-Based Data Theft Tools
  • Know Your Adversary: Know Your Adversary: That's How Earth Kurma Abuses PowerShell for Data Collection
  • www.trendmicro.com: Trend Micro: Earth Kurma APT Campaign
  • Industrial Cyber: Earth Kurma APT targets Southeast Asian government, telecom sectors in latest cyberespionage campaigns.
  • industrialcyber.co: Trend Micro researchers have uncovered that an advanced persistent threat (APT) group known as Earth Kurma is actively
  • www.scworld.com: Trend Micro researchers have identified a sophisticated cyberespionage campaign orchestrated by the APT group, Earth Kurma, focusing on organizations in Southeast Asia, including Malaysia, Thailand, Vietnam, and the Philippines.
  • Security Risk Advisors: #EarthKurma #APT targeting Southeast Asian governments with #rootkits and cloud exfiltration tools using kernel-level persistence & trusted cloud services to steal sensitive documents. #CyberEspionage #ThreatIntel
  • securityonline.info: In a newly released report, Trend Research has unveiled the operations of an advanced persistent threat (APT) group,
  • sra.io: APT targeting Southeast Asian governments with #rootkits and cloud exfiltration tools using kernel-level persistence & trusted cloud services to steal sensitive documents.
  • Virus Bulletin: Trend Micro's Nick Dai & Sunny Lu look into the Earth Kurma APT campaign targeting government and telecommunications sectors in Southeast Asia. The campaign used advanced malware, rootkits, and trusted cloud services to conduct cyberespionage.

@cyberinsider.com //
VeriSource Services, a Houston-based employee benefits administration firm, has disclosed a significant data breach impacting four million individuals. The company, which provides HR services, revealed that an "unknown actor" gained access to sensitive personal data during a digital break-in that occurred in February 2024. This incident has expanded considerably from initial estimates, highlighting the challenges organizations face in accurately assessing the scope of cyberattacks. VeriSource began notifying affected individuals on April 23, providing more details in a filing with the Maine Attorney General's office.

The exposed information includes names, addresses, dates of birth, genders, and Social Security numbers, although not all data points were compromised for every individual. The discovery that gender and home address data were potentially accessed represents a significant update from previous notifications. VeriSource initially believed that only around 112,000 individuals were affected, according to a filing made in August 2024 with the US Health and Human Services Office for Civil Rights. This initial assessment followed the first round of investigations, which focused on determining if sensitive data had been stolen. The latest disclosure follows VeriSource's collaboration with its "client companies" to gather more information, concluding on April 17.

The VeriSource data breach underscores the critical need for organizations to enhance their cybersecurity detection and response capabilities. Delayed detection can lead to substantial financial repercussions, including higher costs associated with data recovery, legal fees, and regulatory fines. Furthermore, reputational damage and the need for extensive post-breach audits add to the financial strain. Implementing advanced threat detection technologies, such as behavioral analytics and machine learning, can significantly reduce detection times. VeriSource is working with the FBI and stated that it has not seen "evidence" to suggest any of the stolen data has yet been misused.

Recommended read:
References :
  • cyberinsider.com: VeriSource Breach Exposes Personal Data of 4 Million Individuals
  • The Register - Security: From 112k to 4 million folks' data – HR biz attack goes from bad to mega bad
  • BleepingComputer: Employee benefits administration firm VeriSource Services is warning that a data breach exposed the personal information of four million people.
  • The DefendOps Diaries: Explore lessons from the VeriSource breach on improving cybersecurity detection and response to mitigate financial and reputational risks.
  • www.scworld.com: VSI, VeriSource's parent company, said the investigation and notification process took over a year.
  • bsky.app: Employee benefits administration firm VeriSource Services is warning that a data breach exposed the personal information of four million people.
  • BleepingComputer: VeriSource now says February data breach impacts 4 million people
  • CyberInsider: VeriSource Breach Exposes Personal Data of 4 Million Individuals
  • securityaffairs.com: VeriSource data breach impacted 4M individuals
  • www.techradar.com: VeriSource bumps up potential victim count of data breach to 4 million
  • www.bleepingcomputer.com: VeriSource now says February data breach impacts 4 million people