@www.microsoft.com
Passkeys are emerging as a secure and user-friendly replacement for passwords, and the first World Passkey Day marks the industry's push towards passwordless sign-in. Passwords have long been both a vulnerability and a frustration. A passkey replaces the shared secret with a per-site public/private key pair: the private key stays under the user's control (on the device, or synced end-to-end encrypted between the user's own devices) and the credential is bound to the site's origin, so there is no reusable secret to leak, guess or phish.
Microsoft and Yubico are both promoting adoption. Microsoft is rolling out updates to its sign-in experience that make passkeys simpler to set up and use, and Yubico, a long-standing advocate of dropping passwords altogether, is urging users and organizations to move to them. The motivation is not only convenience: Microsoft reports that password-based attacks have climbed sharply, to roughly 7,000 password attacks per second observed last year. Authentication with a passkey is a signature over a server-issued challenge rather than the transmission of a secret, so credential stuffing, password spraying and brute force have nothing to work with, and a phishing page on a different origin cannot obtain an assertion the real site will accept. World Passkey Day is the industry's attempt to make that safer default the norm.
@doublepulsar.com
The DragonForce ransomware group has claimed responsibility for cyberattacks on major UK retailers including Co-op, Marks & Spencer and Harrods. The attacks, which began in recent weeks, have caused significant service disruption, affecting payment systems, inventory, payroll and other critical business functions. DragonForce emerged in August 2023, initially presenting itself as a pro-Palestine hacktivist operation, and has since shifted to financially motivated extortion against government entities, commercial enterprises and organizations aligned with particular political causes. It runs a multi-extortion model, threatening victims with data leakage and reputational damage, and is also known to target law firms and medical practices heavily.
DragonForce's operators gain initial access through social engineering, often "walking in the front door" by phoning helpdesks to obtain password and MFA resets. Once inside, they move laterally and use tools such as Teams and Office search to locate and exfiltrate valuable documentation. Security researcher Kevin Beaumont advises defenders to review the CISA briefs on Scattered Spider and LAPSUS$, since the tactics mirror those used in earlier breaches at Nvidia, Samsung, Rockstar and Microsoft; the practical control that follows is strong identity verification at the helpdesk before any password or MFA reset is performed. DragonForce operates as a white-label cartel, letting other criminals use its ransomware platform, encryptor and infrastructure in return for a 20% cut of any ransom. Co-op has confirmed that customer data was stolen, admitting that the attackers accessed and extracted data from one of its systems. The data covers a significant number of current and past members and includes names and contact details; the retailer says members' passwords, bank or credit card details, transactions and product information were not compromised. DragonForce claims to hold data on 20 million customers, a figure Co-op has not confirmed. The BBC reports that DragonForce shared databases with it that include usernames and passwords of all employees.
info@thehackernews.com (The Hacker News)
Cybersecurity firm SentinelOne has become a prime target for state-sponsored threat actors from China and North Korea. SentinelOne, which provides AI-driven endpoint protection to Fortune 10 and Global 2000 enterprises, government agencies and managed service providers, faces persistent espionage and infiltration attempts. Its own analysis found Chinese actors targeting both the company and its high-value clients, with reconnaissance against SentinelOne's infrastructure and against specific organizations it defends.
SentinelOne uncovered a China-nexus threat cluster it calls PurpleHaze, which ran reconnaissance against its infrastructure and some of its high-value customers. Researchers first noticed the group during a 2024 intrusion at an organization that had previously provided hardware logistics services for SentinelOne employees. PurpleHaze is assessed to have loose ties to the state-sponsored group APT15, has targeted a South Asian government-supporting entity, and uses an operational relay box (ORB) network and a Windows backdoor dubbed GoReShell. North Korean actors are also after SentinelOne, trying to get inside through a fake IT worker campaign: the company is tracking roughly 360 fake personas and more than 1,000 job applications tied to DPRK IT worker operations applying for roles at SentinelOne and SentinelLabs Intelligence. SentinelOne's warning is that security vendors are attractive targets because a compromise there scales, exposing both the vendor and insight into how thousands of customer environments and millions of endpoints are protected.
@industrialcyber.co
Nova Scotia Power and its parent company, Emera Inc., are responding to a cybersecurity incident affecting their Canadian IT network. The companies detected unauthorized access to parts of the network and to servers supporting certain business applications. On discovering the intrusion they activated their incident response and business continuity protocols and engaged third-party cybersecurity experts to help isolate the affected systems and prevent further unauthorized access.
Law enforcement has been notified and an investigation is under way. Emera and Nova Scotia Power state that there has been no disruption to any of their Canadian physical operations, including Nova Scotia Power's generation, transmission and distribution facilities, the Maritime Link and the Brunswick Pipeline. The incident has not affected the utility's ability to serve customers in Nova Scotia safely and reliably, nor Emera's utilities in the U.S. or the Caribbean; the reported impact is confined to the corporate IT network. The IT team is working with the external responders to bring the affected portions of the IT environment back online, and customers can find updates online. Emera still plans to publish its first-quarter financial statements and management disclosure on May 8, 2025, and does not currently expect the incident to have a material impact on its financial performance.
@blogs.nvidia.com
Oracle Cloud Infrastructure (OCI) is deploying thousands of NVIDIA Blackwell GPUs to power agentic AI and reasoning models. OCI has stood up and optimized its first liquid-cooled NVIDIA GB200 NVL72 racks in its data centers so that customers can develop and run next-generation AI agents. The GB200 NVL72 is a rack-scale system combining 36 NVIDIA Grace CPUs and 72 NVIDIA Blackwell GPUs, built for the performance and energy efficiency that reasoning-model workloads demand. Oracle aims to build one of the world's largest Blackwell clusters, with OCI Superclusters scaling beyond 100,000 Blackwell GPUs to meet demand for accelerated computing.
The deployment includes NVIDIA Quantum-2 InfiniBand and NVIDIA Spectrum-X Ethernet networking for scalable, low-latency performance, together with software and database integrations from NVIDIA and OCI. OCI is among the first providers to deploy GB200 NVL72 systems, which NVIDIA frames as turning cloud data centers into "AI factories" that manufacture intelligence at scale. OCI offers deployment options across public, government and sovereign clouds as well as customer-owned data centers, and these racks are the first systems available from NVIDIA DGX Cloud, an optimized platform with software, services and technical support for developing and deploying AI workloads on clouds. NVIDIA itself will use the racks for training reasoning models, autonomous vehicle development, accelerating chip design and manufacturing, and building AI tools. In related security news, Cisco Foundation AI has released its first open-source security model, Llama-3.1-FoundationAI-SecurityLLM-base-8B, intended to improve response time, expand capacity and reduce risk in security operations.
@www.welivesecurity.com
A China-aligned advanced persistent threat (APT) group tracked as TheWizards is abusing IPv6 stateless address autoconfiguration (SLAAC) to mount adversary-in-the-middle (AitM) attacks, hijacking software updates to deploy Windows malware on victim systems. This is not the exploitation of a vulnerability in the usual sense: hosts using SLAAC accept Router Advertisements from any node on the link, so an attacker who can send them can become the default router and DNS server for every IPv6-capable host on the segment. ESET Research has tracked TheWizards since at least 2022, with targets including individuals, gambling companies and other organizations in the Philippines, the United Arab Emirates, Cambodia, mainland China and Hong Kong. The group uses a custom tool named Spellbinder for these attacks.
Spellbinder performs SLAAC spoofing: it sends Router Advertisements that redirect IPv6 traffic through an attacker-controlled machine, which then acts as a malicious IPv6 router. From that position it intercepts packets and DNS queries, answering queries for software update domains with attacker-controlled addresses. In a recent case TheWizards hijacked updates for Tencent QQ, a popular Chinese application, to deploy their signature WizardNet backdoor. ESET also found possible links between TheWizards and the Chinese company Dianke Network Security Technology, also known as UPSEC. The attack chain starts with an initial access vector followed by a ZIP archive containing AVGApplicationFrameHost.exe, wsc.dll, log.dat and winpcap.exe; running the legitimate AVG executable side-loads wsc.dll, which leads to Spellbinder being launched from log.dat, with winpcap.exe supplying the packet capture driver the tool relies on for the AitM attack. ESET advises monitoring network traffic for suspicious IPv6 configuration changes and scrutinizing software updates. In practice that means RA Guard (or equivalent filtering of ICMPv6 Router Advertisements) on access switches, disabling IPv6 router discovery on hosts that do not need it, and remembering that an AitM position only pays off against update channels that fetch over plaintext or do not verify signatures.
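The detection side of the SLAAC spoofing described above, as an added example that is not part of the original article or of ESET's research: an RA Guard-style audit that parses ICMPv6 Router Advertisements (type 134) out of raw IPv6 packets, extracts the advertised prefixes and RDNSS servers, and flags any advertisement whose source router, prefix or DNS server is not on an allow-list. The packets, the allow-list and the rogue router's addresses are constructed for the example; Spellbinder's actual packet contents are not reproduced here, and the parser skips checksum validation because it consumes captured frames rather than forwarding them.

```python
import ipaddress
import struct

# Added example: RA Guard-style audit of IPv6 Router Advertisements (stdlib only).
# Not part of the original article; packet contents and policy below are constructed.

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_SOURCE_LLADDR = 1     # RFC 4861 option: source link-layer address
OPT_PREFIX_INFO = 3       # RFC 4861 option: prefix information (drives SLAAC)
OPT_RDNSS = 25            # RFC 8106 option: recursive DNS server


def build_ra(src, prefix=None, dns=(), lladdr=None):
    """Construct an IPv6 packet carrying an ICMPv6 Router Advertisement to ff02::1.
    Checksum is left as zero: this is sample input for the parser, not traffic to send."""
    options = b""
    if lladdr:
        options += struct.pack("!BB6s", OPT_SOURCE_LLADDR, 1, bytes.fromhex(lladdr.replace(":", "")))
    if prefix:
        net = ipaddress.IPv6Network(prefix)
        # prefix length, flags (L|A set: on-link, autonomous), valid, preferred, reserved, prefix
        options += struct.pack("!BBBBIII16s", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                               2592000, 604800, 0, net.network_address.packed)
    if dns:
        addrs = b"".join(ipaddress.IPv6Address(a).packed for a in dns)
        options += struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(dns), 0, 1800) + addrs
    # RA header: type, code, checksum, cur hop limit, flags, router lifetime, reachable, retrans
    icmp = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, 1800, 0, 0) + options
    ip6 = struct.pack("!IHBB16s16s", 0x60000000, len(icmp), 58, 255,
                      ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address("ff02::1").packed)
    return ip6 + icmp


def parse_ra(packet):
    """Return a dict of RA fields, or None if the packet is not an ICMPv6 Router Advertisement."""
    if len(packet) < 56:
        return None
    vtf, plen, nxt, _hop, src, _dst = struct.unpack("!IHBB16s16s", packet[:40])
    if vtf >> 28 != 6 or nxt != 58:
        return None
    icmp = packet[40:40 + plen]
    if len(icmp) < 16 or icmp[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        return None
    ra = {"src": ipaddress.IPv6Address(src), "lladdr": None, "prefixes": [], "dns": []}
    off = 16
    while off + 2 <= len(icmp):
        otype, olen = icmp[off], icmp[off + 1]
        if olen == 0:
            break                      # malformed per RFC 4861: stop rather than spin
        body = icmp[off + 2:off + olen * 8]
        if otype == OPT_SOURCE_LLADDR and len(body) >= 6:
            ra["lladdr"] = body[:6].hex(":")
        elif otype == OPT_PREFIX_INFO and len(body) >= 30:
            # body: prefix length, flags, valid, preferred, reserved, 16-byte prefix
            ra["prefixes"].append(ipaddress.IPv6Network((body[14:30], body[0]), strict=False))
        elif otype == OPT_RDNSS and len(body) >= 22:
            # body: reserved(2), lifetime(4), then one or more 16-byte resolver addresses
            for i in range(6, len(body) - 15, 16):
                ra["dns"].append(ipaddress.IPv6Address(body[i:i + 16]))
        off += olen * 8
    return ra


def audit_ras(packets, policy):
    """Flag RAs whose source router, advertised prefix or RDNSS server is off the allow-list."""
    findings = []
    for pkt in packets:
        ra = parse_ra(pkt)
        if ra is None:
            continue
        reasons = []
        if ra["src"] not in policy["routers"]:
            reasons.append("RA from unexpected router %s" % ra["src"])
        reasons += ["unexpected prefix %s" % p for p in ra["prefixes"] if p not in policy["prefixes"]]
        reasons += ["unexpected RDNSS server %s" % d for d in ra["dns"] if d not in policy["dns"]]
        if reasons:
            findings.append((str(ra["src"]), ra["lladdr"], reasons))
    return findings


# Constructed allow-list for one segment: a single legitimate router, prefix and resolver.
POLICY = {
    "routers": {ipaddress.IPv6Address("fe80::1")},
    "prefixes": {ipaddress.IPv6Network("2001:db8:1::/64")},
    "dns": {ipaddress.IPv6Address("2001:db8:1::53")},
}

# Constructed sample: the real router, then a rogue RA that hands out its own prefix and DNS.
SAMPLE_PACKETS = [
    build_ra("fe80::1", prefix="2001:db8:1::/64", dns=["2001:db8:1::53"], lladdr="00:11:22:33:44:55"),
    build_ra("fe80::dead:beef", prefix="2001:db8:bad::/64", dns=["2001:db8:bad::1"], lladdr="66:77:88:99:aa:bb"),
]

if __name__ == "__main__":
    for src, mac, reasons in audit_ras(SAMPLE_PACKETS, POLICY):
        print("ALERT rogue RA from %s (%s): %s" % (src, mac, "; ".join(reasons)))
```

In production the packets come from a pcap or a raw socket on the segment; RAs are multicast to ff02::1, so any host on the link can observe them, and the same parse feeds a simpler alert when a second router appears on a segment that should have exactly one. The RDNSS check matters most for this campaign, since handing out a DNS server is what lets the attacker steer update-domain lookups.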
Ddos@securityonline.info
SonicWall has warned customers that several vulnerabilities in its Secure Mobile Access (SMA) 100 series appliances are being actively exploited. The flaws, CVE-2024-38475, CVE-2023-44221 and CVE-2021-20035, allow unauthorized file access and, in combination, full compromise of the appliance. Organizations running SMA 100 appliances are urged to apply the current firmware immediately; exploitation of bugs disclosed between one and four years ago is a reminder that edge appliances need patching on the vendor's advisory cadence, not at the next convenient maintenance window.
CVE-2024-38475 is a critical flaw in the mod_rewrite module of the Apache HTTP Server bundled in SMA 100 firmware: it lets an unauthenticated remote attacker map URLs to filesystem locations the server is permitted to serve, which Apache's own advisory rates as leading to code execution or source disclosure, and on the SMA it exposes files that can include session material. SonicWall fixed it in firmware version 10.2.1.14-75sv and later. CVE-2023-44221 is a high-severity OS command injection that lets an attacker who already holds administrative privileges run arbitrary commands. CVE-2021-20035 is an older OS command injection in the management interface that has been exploited in the wild since January 2025, and CISA has added it to its Known Exploited Vulnerabilities catalog. The obvious chain is unauthenticated file read first, to obtain a session or credential, then post-authentication command injection to run commands as an administrator. Security researchers have also observed active scanning for CVE-2021-20016, an older SQL injection in the same product line. The takeaway is the usual one: inventory the appliances, confirm the running firmware, and patch.
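A version check for the SMA advisory above, added here as an example and not SonicWall's own tooling: SonicWall firmware strings look like 10.2.1.14-75sv, and a plain string comparison puts 10.2.1.9-57sv after 10.2.1.14-75sv, so the check parses the numeric fields and compares tuples. The inventory and its hostnames are constructed; the fixed version is the one named in the text, and appliances on a different release branch or reporting an unparsable version are routed to manual review rather than silently treated as patched.

```python
import re

# Added example: firmware-version triage for SonicWall SMA 100 appliances. Not SonicWall tooling.
# The fixed build is the one named in the advisory summary above; the inventory is constructed.

FIXED_SMA100 = "10.2.1.14-75sv"
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv")


def parse_sma_version(text):
    """'10.2.1.14-75sv' -> (10, 2, 1, 14, 75); None if the string is not in SonicWall's format."""
    m = VERSION_RE.fullmatch(text.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def classify(version, fixed=FIXED_SMA100):
    """'patched', 'vulnerable' or 'review'. Anything that cannot be compared safely goes to review."""
    v, f = parse_sma_version(version), parse_sma_version(fixed)
    if v is None or v[:3] != f[:3]:
        return "review"            # unparsable, or a different release branch than the fix
    return "patched" if v >= f else "vulnerable"


def triage(inventory, fixed=FIXED_SMA100):
    """inventory: {hostname: firmware string} -> {'vulnerable': [...], 'patched': [...], 'review': [...]}."""
    result = {"vulnerable": [], "patched": [], "review": []}
    for host, version in sorted(inventory.items()):
        result[classify(version, fixed)].append(host)
    return result


# Constructed inventory (hostnames, and the 10.2.1.15-81sv and 10.2.0.8-37sv entries, are assumptions).
SAMPLE_INVENTORY = {
    "sma-dc1": "10.2.1.14-75sv",
    "sma-dc2": "10.2.1.9-57sv",
    "sma-branch": "10.2.1.15-81sv",
    "sma-legacy": "10.2.0.8-37sv",
    "sma-lab": "unknown",
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print("%-10s %s" % (bucket, ", ".join(hosts) or "-"))
```

The "review" bucket is deliberate: a scanner that cannot parse a version, or sees a branch it does not know, should raise a hand rather than return a clean result, because an empty vulnerable list is exactly what an attacker on the appliance would like you to believe.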
Bill Toulas@BleepingComputer
Cloudflare's 2025 Q1 DDoS Threat Report shows a steep rise in Distributed Denial of Service (DDoS) attacks: Cloudflare mitigated 20.5 million DDoS attacks in the first quarter of 2025, up 358% year-over-year and 198% quarter-over-quarter, and nearly as many as it recorded in the whole of 2024.
The report also describes a late-April attack peaking at 4.8 billion packets per second (Bpps), a record packet rate, as part of a hyper-volumetric campaign whose individual attacks typically lasted only 35 to 45 seconds, and a 6.5 terabit-per-second (Tbps) UDP flood. Short bursts at that scale are hard to handle because mitigation has to engage within seconds, before the attack is already over. In the quarter itself Cloudflare recorded over 700 hyper-volumetric attacks exceeding 1 Tbps or 1 Bpps. Network-layer attacks drove much of the growth, totalling 16.8 million incidents between January and March 2025, of which 6.6 million targeted Cloudflare's own infrastructure. Attackers are increasingly running multi-vector campaigns that combine SYN floods, Mirai-botnet traffic and SSDP amplification to hit a target from several directions at once. Two emerging vectors stand out: Connectionless Lightweight Directory Access Protocol (CLDAP) reflection, up 3,488% quarter-over-quarter, and Encapsulating Security Payload (ESP) floods, up 2,301% over the same period. CLDAP abuse is the familiar amplification pattern: spoofed queries to UDP/389 on internet-exposed directory servers return responses many times larger to the victim, so filtering unsolicited UDP/389 at the perimeter is both a mitigation and a way to stop being someone else's amplifier.
Swagath Bandhakavi@Tech Monitor
France has formally attributed a series of cyberattacks on French institutions over the past four years to APT28, the hacking group linked to Russia's military intelligence service (GRU). The French foreign ministry condemned the activity "in the strongest possible terms", citing the targeting or compromise of a dozen French entities, among them public services, private companies and a sports organization involved in preparations for the 2024 Olympic Games hosted in France.
France calls the operations "unacceptable and unworthy" of a permanent member of the UN Security Council and says Russia has violated international norms of responsible state behavior in cyberspace, undermining the integrity of international relations and security. The public attribution to the GRU is a deliberate signal: France, with its partners, intends to anticipate, deter and respond to Russia's malicious cyber activity using all available means. The ministry's statement recalls earlier incidents, the 2015 sabotage of TV5Monde and the attempts to disrupt the 2017 presidential election, as part of the same pattern of APT28 activity against French interests. France's national cybersecurity agency (ANSSI) has published a report on the APT28 threat describing the intrusion set's targeting and techniques so that defenders can recognize and prevent future attacks.
@cloud.google.com
Google's Threat Intelligence Group (GTIG) has published its annual review of zero-day exploitation, and the 2024 data shows a shift towards enterprise targets. GTIG tracked 75 vulnerabilities exploited in the wild as zero-days in 2024, down from 98 in 2023 but above the 63 recorded in 2022, so the multi-year trend is still upward. The report splits these into two categories: end-user platforms and products, and enterprise-focused technologies such as security software and appliances.
Of the 75, 44% targeted enterprise products. Enterprise systems hold the sensitive data, and security and networking appliances in particular sit at the network edge with privileged access and little endpoint visibility, which makes a single exploit there worth more to an attacker than a browser bug. Exploitation of browsers and mobile devices fell by about a third and about a half respectively, although exploit chains built from multiple zero-days continue to be used almost exclusively against mobile devices. Government-backed actors and commercial surveillance vendors (CSVs) remain the main drivers. GTIG attributes the most recorded zero-days in 2024 to governments such as China and North Korea and to spyware makers: at least 23 exploits were linked to government-backed activity, 10 of them directly to governments (five to China and five to North Korea), and eight to spyware makers and surveillance enablers. GTIG expects that market to keep growing as long as government customers keep requesting and paying for these services.
Pierluigi Paganini@Security Affairs
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: a code injection flaw in Broadcom Brocade Fabric OS (CVE-2025-1976), a vulnerability in Commvault Web Server (CVE-2025-3928) for which public details are sparse, and a stack-based buffer overflow in Qualitia Active! Mail. A KEV listing means CISA has evidence of active exploitation, so these pose a real risk to federal enterprises and to any other organization running the affected products.
CISA urges all organizations to prioritize remediation of KEV entries as part of their vulnerability management practice. The Brocade Fabric OS flaw (CVE-2025-1976) lets a local user who already has administrative privileges execute arbitrary code as root, so it is a privilege-escalation and persistence issue for an attacker who has already reached the switch rather than a remote entry point. The Commvault Web Server flaw (CVE-2025-3928) lets a remote, authenticated attacker create and execute web shells, which turns any stolen Commvault credential into code execution on a backup server. Federal Civilian Executive Branch (FCEB) agencies must patch Commvault Web Server by May 17, 2025 and Brocade Fabric OS by May 19, 2025. There are no public details yet on how the flaws are being exploited, at what scale or by whom, so organizations should follow CISA's guidance and apply the vendor updates. Tenable's Vulnerability Watch classification is one option for ranking which exposures matter most to a given environment.
@securityonline.info
Earth Kurma, a recently identified advanced persistent threat (APT) group, has been targeting government and telecommunications organizations in Southeast Asia since June 2024, with related activity dating back to November 2020 according to Trend Micro and other security firms. Its focus is cyberespionage and data exfiltration, and affected countries include the Philippines, Vietnam, Thailand and Malaysia. The actors go after sensitive data and routinely exfiltrate it through public cloud services such as Dropbox and Microsoft OneDrive, which blends the outbound transfer in with legitimate use of the same services.
Earth Kurma combines custom malware, stealthy rootkits and living-off-the-land (LotL) techniques. Its toolset includes TESDAT, SIMPOBOXSPY, KRNRAT and MORIYA; the last two are rootkits used for persistence and for hiding malicious activity, and MORIYA in particular intercepts TCP traffic and injects malicious payloads into it, which shows the group's evasion capability. The group also abuses PowerShell for collection, running commands that gather files of interest by extension, such as PDF, DOC, XLS and PPT. Detection therefore focuses on process-creation and command-line telemetry, looking for enumeration of those document types. The rootkits are installed through legitimate system components such as syssetup.dll, which makes the installation step harder to spot. There are overlaps with other APT groups including ToddyCat and Operation TunnelSnake, but attribution remains inconclusive. Researchers rate the business risk as high given the targeted espionage, credential theft, persistent footholds and exfiltration over trusted cloud platforms.
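The command-line detection described above, as an added example that is not from the Trend Micro report: a scoring rule over process-creation events (Sysmon Event ID 1 style fields, constructed here) that fires when PowerShell enumerates document extensions recursively and copies or compresses the results while suppressing errors. The extension watch-list mirrors the types named above; the alert threshold, the sample command lines, users and paths are assumptions.

```python
import re

# Added example: scoring rule for PowerShell document-collection sweeps.
# Not from the Trend Micro report; events, threshold and field names are constructed (Sysmon EID 1 style).

DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx"}   # types named in the write-up
ENUM_RE = re.compile(r"\b(Get-ChildItem|gci|dir|ls)\b", re.I)    # enumeration cmdlet or alias
EXT_RE = re.compile(r"\*\.(\w+)")                                 # *.ext wildcards in the command line
STAGE_RE = re.compile(r"\b(Compress-Archive|Copy-Item|Move-Item|rar(?:\.exe)?|7za?(?:\.exe)?)\b", re.I)
SILENT_RE = re.compile(r"-ErrorAction\s+SilentlyContinue|-ea\s+0\b", re.I)


def score_event(ev):
    """Return (score, reasons). Zero unless PowerShell enumerates at least one document type."""
    image = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "")
    if not image.endswith(("powershell.exe", "pwsh.exe")):
        return 0, []
    exts = {e.lower() for e in EXT_RE.findall(cmd)} & DOC_EXTS
    if not (ENUM_RE.search(cmd) and exts):
        return 0, []
    reasons = ["enumerates " + ",".join(sorted(exts))]
    if len(exts) >= 2:
        reasons.append("several document types in one sweep")
    if re.search(r"-Recurse\b", cmd, re.I):
        reasons.append("recursive")
    if STAGE_RE.search(cmd):
        reasons.append("copies or compresses the results")
    if SILENT_RE.search(cmd):
        reasons.append("suppresses errors")
    return len(reasons), reasons


def hunt(events, threshold=3):
    """Return alerts (time, user, score, reasons) for events at or above the threshold (assumed value)."""
    alerts = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            alerts.append((ev["UtcTime"], ev["User"], score, reasons))
    return alerts


# Constructed sample events: a collection sweep, a log clean-up, a casual single-type lookup, a cmd.exe dir.
SAMPLE_EVENTS = [
    {"UtcTime": "2025-04-28 02:13:44", "User": "CORP\\svc-backup",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -NoP -W Hidden -c "Get-ChildItem -Path C:\Users -Recurse '
                    r'-Include *.pdf,*.doc,*.docx,*.xls,*.xlsx,*.ppt,*.pptx -ErrorAction SilentlyContinue '
                    r'| Copy-Item -Destination C:\ProgramData\stg"'},
    {"UtcTime": "2025-04-28 02:15:01", "User": "CORP\\admin1",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe Get-ChildItem C:\inetpub\logs -Recurse -Filter *.log | Remove-Item"},
    {"UtcTime": "2025-04-28 09:02:10", "User": "CORP\\jdoe",
     "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": r'pwsh.exe -c "gci $env:USERPROFILE\Downloads -Include *.pdf"'},
    {"UtcTime": "2025-04-28 09:05:33", "User": "CORP\\jdoe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir C:\Users\jdoe\Documents\*.docx /s"},
]

if __name__ == "__main__":
    for when, user, score, reasons in hunt(SAMPLE_EVENTS):
        print("%s %s score=%d: %s" % (when, user, score, "; ".join(reasons)))
```

The single-type, non-recursive lookup scores one and stays below the threshold, and the cmd.exe `dir /s` scores zero by design because this rule is scoped to PowerShell as the text describes; a sibling rule should cover cmd.exe and the other LotL paths. Expect tuning against backup and DLP agents, which legitimately enumerate the same extensions, typically by excluding their service accounts or parent images rather than by lowering the watch-list.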
@cyberinsider.com
VeriSource Services, a Houston-based employee benefits administration firm, has disclosed a data breach affecting four million individuals. The company, which provides HR services, says an "unknown actor" gained access to sensitive personal data during an intrusion in February 2024. The scope has grown far beyond the initial estimate, which illustrates how hard it is to size a breach early. VeriSource began notifying affected individuals on April 23 and gave further details in a filing with the Maine Attorney General's office.
The exposed information includes names, addresses, dates of birth, genders and Social Security numbers, though not every data element was compromised for every individual. That gender and home address data may have been accessed is new since earlier notifications. VeriSource initially believed only about 112,000 people were affected, according to a filing made in August 2024 with the US Department of Health and Human Services Office for Civil Rights; that estimate came from the first round of investigation, which focused on whether sensitive data had been stolen at all. The latest figure follows work with VeriSource's "client companies" to reconcile whose data was actually on the affected systems, which concluded on April 17. The lesson for defenders is about detection and scoping: the intrusion was in February 2024, the first notification count was a fraction of the real one, and the full tally took fourteen months, during which the affected individuals had no warning. Late detection raises the cost of everything that follows, from data recovery and legal fees to regulatory fines, reputational damage and extended post-breach audits, and that bill is what justifies investment in behavioral analytics and other detection capabilities that shorten the gap. VeriSource is working with the FBI and says it has seen no "evidence" that the stolen data has been misused.