Zeljka Zorz@Help Net Security
Fortinet has issued a warning regarding a post-exploitation technique targeting FortiGate devices. Threat actors are exploiting known vulnerabilities such as CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762 to gain unauthorized read-only access to the device's file system. This allows them to potentially access sensitive configurations and credentials, even after patches for the original vulnerabilities have been applied. The Cybersecurity and Infrastructure Security Agency (CISA) has also issued a security alert encouraging organizations to implement mitigation strategies.
The attackers are creating symbolic links (symlinks) within the user file system, connecting it to the root file system through a folder used for SSL-VPN language files. This modification evades detection, leaving the symlink intact even after FortiOS is updated. The symlink enables the threat actor to maintain persistent, read-only access to the device's file system, compromising confidentiality. According to Fortinet, this exploitation activity does not appear to be targeted at any specific region or industry. Fortinet has released updated FortiOS versions (7.6.2, 7.4.7, 7.2.11, 7.0.17, and 6.4.16) that automatically remove the malicious symlink and prevent future exploitation through the SSL-VPN user interface. Earlier versions (7.4, 7.2, 7.0, and 6.4) also include an antivirus and intrusion prevention system (AV/IPS) signature to detect and remove the symlink, provided the IPS engine is enabled and licensed. Customers are urged to upgrade their devices to the latest versions, review device configurations, reset credentials, and consider temporarily disabling SSL-VPN functionality as a precaution.
Rob Wright@gcp.cybersecuritydive.com
Sensata Technologies, a global manufacturer of sensors and industrial technology, has disclosed a recent ransomware attack that significantly disrupted its operations. The Massachusetts-based company, which has sites in approximately a dozen countries, informed the U.S. Securities and Exchange Commission (SEC) about the incident, revealing that it forced the company to take its network offline. The attack, which began on Sunday, April 6th, impacted critical functions, including shipping, receiving, manufacturing production, and other support services. Sensata has engaged law enforcement and cybersecurity experts to investigate the breach and restore its systems.
The preliminary investigation has uncovered evidence indicating that files were exfiltrated from Sensata's environment. The company is currently working to identify the compromised files and will notify affected individuals and regulators in accordance with applicable laws. While interim measures have been implemented to restore certain functions, the timeline for a full recovery remains uncertain. Sensata is an industrial technology company with over 19,000 employees. Despite the operational disruptions, Sensata initially stated that it does not expect the ransomware attack to have a material impact on its financial results for the current quarter. However, the company noted that the full scope and impact of the attack are still being assessed, and this determination could change. Sensata Technologies, known for its work on the Apollo 11 moon mission and Hubble space telescope upgrades, ships approximately 1 billion units of product annually. As of Wednesday evening, no ransomware gang had claimed responsibility for the attack.
Sathwik Ram@seqrite.com
Pakistan-linked SideCopy APT has escalated its cyber operations, employing new tactics to infiltrate crucial sectors. Seqrite Labs APT team uncovered these new tactics deployed since the last week of December 2024. The Advanced Persistent Threat (APT) group, previously focused on Indian government, defence, maritime sectors, and university students, is expanding its targeting scope.
The group has broadened its targets to include critical sectors such as railways, oil & gas, and external affairs ministries. One notable shift in their recent campaigns is the transition from HTML Application (HTA) files to Microsoft Installer (MSI) packages as the primary staging mechanism. This evolution is marked by increasingly sophisticated methods, such as reflective DLL loading and AES encryption via PowerShell. Furthermore, SideCopy is actively repurposing open-source tools like XenoRAT and SparkRAT to enhance its penetration and exploitation capabilities. The group customizes these tools and employs a newly identified Golang-based malware dubbed CurlBack RAT, specifically designed to execute DLL side-loading attacks. Recent campaigns demonstrate an increased use of phishing emails masquerading as government officials to deliver malicious payloads, often using compromised official domains and fake domains mimicking e-governance services.
@Talkback Resources
Despite recent arrests in 2024, the Scattered Spider cybercrime collective remains active in 2025, continuing to target high-profile organizations with sophisticated social engineering attacks. The group, known for its audacious breaches including attacks against MGM Resorts and Caesars Entertainment in 2023, employs tactics such as impersonating IT staff to steal login credentials and using remote access tools. Security firm Silent Push has uncovered the group's persistence in 2025 and has outlined the group's latest tactics, techniques and procedures.
Scattered Spider is utilizing updated phishing kits and a new version of the Spectre RAT malware to compromise systems and exfiltrate sensitive data. Their phishing campaigns involve impersonating well-known brands and software vendors, including the use of dynamic DNS services to evade detection. Targets in 2025 include organizations such as Klaviyo, HubSpot, Pure Storage, Audemars Piguet, Chick-fil-A, Credit Karma, Forbes, Instacart, Louis Vuitton, Morningstar, New York Digital Investment Group, News Corporation, Nike, Paxos, Twitter/X, Tinder, T-Mobile, and Vodafone. Law enforcement has made some progress in disrupting Scattered Spider's operations. Noah Michael Urban, also known as "King Bob," a 20-year-old member of the group, pleaded guilty to charges related to SIM swap fraud, aggravated identity theft, and cryptocurrency thefts. He faces potential decades in prison and is required to pay over $13.2 million in restitution to 59 victims. Silent Push has made available code for a Spectre RAT string decoder and command and control (C2) emulator that defenders can use in their efforts to squash the eight-legged menace.
@www.cybersecurity-insiders.com
The Office of the Comptroller of the Currency (OCC), an independent bureau within the U.S. Treasury Department, has confirmed a major email breach impacting approximately 100 bank regulators' accounts. The breach, which lasted for over a year, resulted in unauthorized access to more than 150,000 emails containing sensitive details about banks the agency oversees. According to the OCC's public statement, the compromised emails included highly sensitive information relating to the financial condition of federally regulated financial institutions, information used in examination and supervisory oversight processes.
The OCC discovered the unauthorized access after being notified by Microsoft about unusual network behavior on Feb. 11. Following the discovery, the OCC notified Congress of the incident, describing it as a "major information security incident". Analysis by the OCC concluded that the highly sensitive bank information contained in the emails and attachments is likely to result in demonstrable harm to public confidence. The agency has since launched an internal and independent third-party review to determine the full extent of the breach and identify the vulnerabilities that led to the unauthorized access. Security experts have expressed concern over the news, emphasizing the potential for malicious actors to exploit the exposed information. One expert noted that knowing the weakest targets and their vulnerabilities could enable attackers to launch a broad series of attacks to disrupt services or perpetrate fraud. The OCC also notified the Cybersecurity and Infrastructure Security Agency (CISA) that there is no indication of any impact on the financial sector at this time. The OCC incident is considered the second high-profile breach for the Treasury Department in recent months; the first involved Chinese state-sponsored hackers breaching the department's network.
@gbhackers.com
Cybercriminals are exploiting SourceForge, a legitimate software hosting and distribution platform, to spread malware disguised as Microsoft Office add-ins. Attackers are using SourceForge's subdomain feature to create fake project pages, making them appear credible and increasing the likelihood of successful malware distribution. One such project, named "officepackage," contains Microsoft Office add-ins copied from a legitimate GitHub project, but the subdomain "officepackage.sourceforge[.]io" displays a list of office applications with download links that lead to malware. This campaign is primarily targeting Russian-speaking users.
The attackers are manipulating search engine rankings to ensure these fake project pages appear prominently in search results. When users search for Microsoft Office add-ins, they are likely to encounter these malicious pages, which appear legitimate at first glance. Clicking the download button redirects users through a series of intermediary sites before finally downloading a suspicious 7MB archive named "vinstaller.zip." This archive contains another password-protected archive, "installer.zip," and a text file with the password. Inside the second archive is an MSI installer responsible for creating several files and executing embedded scripts. A Visual Basic script downloads and executes a batch file that unpacks additional malware components, including a cryptocurrency miner and the ClipBanker Trojan. This Trojan steals cryptocurrency by hijacking cryptocurrency wallet addresses. Telemetry data shows that 90% of potential victims are in Russia, with over 4,604 users impacted by this campaign.
@Latest from ITPro
Europcar Mobility Group has confirmed a data breach affecting potentially up to 200,000 customers. The breach occurred through unauthorized access to the company’s GitLab repositories. According to reports, the stolen data includes source code for Europcar's Android and iOS mobile applications, as well as personal data linked to tens of thousands of customers. This incident raises significant security concerns, as the exposure of source code could potentially reveal vulnerabilities that could be exploited in future attacks.
Europcar is currently assessing the full extent of the damage caused by the breach. Preliminary findings indicate that the compromised data includes names and email addresses of users belonging to the Goldcar and Ubeeqo brands. The compromised records date back as far as 2017 and 2020. Europcar maintains that no financial information, passwords, or biometric details were exposed. The company has notified data protection authorities and has begun the process of informing affected customers about the incident. The attacker reportedly claimed responsibility for the breach in late March and attempted to extort Europcar, threatening to release 37GB of stolen data. The data allegedly includes internal backups, infrastructure documentation, and application source code. Europcar has denied that all of its GitLab repositories were compromised, but has confirmed that the threat actor accessed over 9,000 SQL files and 269 environment configuration files. The method of access remains unclear, although similar breaches often involve stolen credentials obtained through infostealer malware. The investigation is ongoing.
Mandvi@Cyber Security News
The Everest ransomware gang's dark web leak site has been compromised in a brazen act of cyber defiance. The site, typically used by the gang to publish stolen data and extort victims, was hacked and defaced, disrupting their operations significantly. The attackers replaced the usual content with a taunting message: "Don’t do crime CRIME IS BAD xoxo from Prague," showcasing a clear intent to disrupt and mock the cybercriminals.
This incident marks a rare occasion where a ransomware group becomes the target of a cyberattack, highlighting vulnerabilities even within sophisticated cybercriminal networks. Security experts speculate that the attackers may have exploited weaknesses in Everest's web infrastructure, potentially a WordPress vulnerability. The takedown of the site disrupts Everest's ability to pressure victims and shows that cybercriminal organizations are not immune to being targeted themselves. The breach of Everest's leak site points to an emerging trend of counterattacks and internal sabotage targeting ransomware groups. While the identity of the attacker remains unknown, the defacement underscores vulnerabilities within cybercriminal networks, potentially stemming from insider threats or rival factions. This attack comes amid broader shifts in the ransomware landscape, with recent data indicating a decline in victim payouts during 2024, as more organizations adopt robust cybersecurity measures and refuse to comply with ransom demands.
Graham Cluley@Graham Cluley
Noah Urban, a 20-year-old from Palm Coast, Florida, has pleaded guilty to charges related to cryptocurrency thefts, conspiracy, wire fraud, and identity theft. Urban, known online as "King Bob," was a key member of the notorious Scattered Spider hacking gang. The charges stem from two federal cases, one in Florida and another in California. Urban's activities involved orchestrating sophisticated attacks, including SIM swapping, to steal hundreds of thousands of dollars in cryptocurrency from investors. He was arrested in January 2024, and during the raid, he reportedly attempted to wipe his computer and social media history in an effort to destroy evidence.
The cybercriminal's operations involved stealing victims' personal information and using it to hijack their phone numbers through SIM swap fraud. This allowed Urban and his accomplices to bypass two-factor authentication and gain unauthorized access to cryptocurrency wallets. They then transferred the cryptocurrency to their own accounts, netting significant profits. Urban's activities also extended to leaking songs from famous music artists after breaking into the accounts of music industry executives, disrupting planned album releases and causing financial and emotional strain on the artists involved. As part of his plea agreement, Urban has agreed to forfeit his jewelry, currency, and cryptocurrency assets. He will also pay US $13 million in restitution to 59 victims. Urban is expected to be sentenced within the next 75 days. He faces a potentially long prison term, which will include an additional two-year sentence for aggravated identity theft, as that sentence cannot be served concurrently with the other charges. Other suspected members of the Scattered Spider gang remain under investigation, highlighting the ongoing efforts to combat this cybercriminal syndicate.
Stu Sjouwerman@blog.knowbe4.com
Tolling agencies throughout the United States are currently grappling with an escalating cybersecurity threat: deceptive text message scams known as smishing. These scams involve cybercriminals sending text messages that impersonate toll payment notifications, tricking individuals into clicking malicious links and making unauthorized payments. These messages often embed links that, if clicked, take the victim to a phishing site impersonating E-ZPass, The Toll Roads, FasTrak, Florida Turnpike, or another toll authority.
These scams are part of a sophisticated campaign leveraging phishing-as-a-service (PhaaS) platforms, most recently one called Lucid. This platform enables cybercriminals to launch large-scale phishing campaigns with minimal effort. Cybercriminals behind this scheme are exploiting legitimate communication technologies like Apple iMessage and Android RCS to bypass traditional spam filters and deliver their malicious messages at scale. The phishing messages typically claim unpaid toll fees and threaten fines or license suspension if recipients fail to respond. The Lucid platform offers advanced features such as dynamic targeting, device-specific focus, and evasion techniques. These features allow attackers to tailor campaigns for iOS or Android users, block connections from non-targeted regions, and prevent direct access to phishing domains.
Stu Sjouwerman@blog.knowbe4.com
Since October 2024, a widespread SMS phishing campaign has been targeting toll road users across the United States. This "smishing" scam involves fraudulent text messages impersonating E-ZPass and other U.S.-based toll agencies. These messages falsely claim recipients have unpaid tolls, urging immediate payment to avoid penalties or suspension of driving privileges. The texts contain links leading to counterfeit websites designed to steal personal and financial information.
These fake websites prompt victims to enter their name, address, phone number, and credit card information. After a fake bill is shown and the user clicks "Proceed Now", this sensitive data is harvested by the threat actors. Authorities have been aware of similar scams, including a warning issued by the FBI's Internet Crime Complaint Center (IC3) in April 2024. The current surge and the targeting of toll road users in multiple states indicate that the threat actors are likely leveraging user information publicly leaked from large databases. The individuals behind these phishing kits are known as the 'Smishing Triad', a China-based eCrime group. The group has systematically targeted organizations in at least 121 countries across numerous industries, including postal, logistics, telecommunications, transportation, finance, retail, and public sectors, with SMS phishing. The Smishing Triad claims to have over 300 front desk staff worldwide supporting its operations, and it continues to sell phishing kits to other threat actors via Telegram and other channels. Silent Push analysts have acquired Smishing Triad server log data and determined that portions of the group's infrastructure generated over one million page visits within a period of only 20 days.
SC Staff@scmagazine.com
FortiGuard Labs has issued an alert regarding active attacks targeting CVE-2025-31161, an authentication bypass vulnerability found in CrushFTP managed file transfer (MFT) software. This vulnerability could allow attackers to gain administrative access to the application, presenting a significant risk to enterprise environments. A proof-of-concept (PoC) exploit is now publicly available, making exploitation easier for malicious actors. The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-31161 to its Known Exploited Vulnerabilities catalog, underscoring the urgency of addressing this threat.
FortiGuard Labs observed these attacks in the wild, and SecurityWeek reports that four organizations in the retail, marketing, and semiconductor sectors have already been targeted. Initial reports previously tracked the vulnerability as CVE-2025-2825. The vulnerability is officially identified as CVE-2025-3102 with a CVSS score of 8.1, placing it in the high-severity category. Some of the intrusions have involved the delivery of the MeshAgent open-source remote monitoring tool, a DLL file for Telegram bot utilization, and AnyDesk installation for credential compromise. CrushFTP developers blame VulnCheck's premature CVE designation; however, organizations are advised to update to the latest versions of CrushFTP to mitigate the risk of exploitation. The Shadowserver Foundation reported that attacks have declined since fixes were issued on March 21, but vigilance remains crucial. Further analysis and indicators of compromise (IOCs) are available to subscribers of AhnLab TIP.
References: fortiguard.fortinet.com, www.scworld.com