CyberSecurity news

FlagThis - #Cybersecurity

Zeljka Zorz@Help Net Security //
Fortinet has issued a warning regarding a post-exploitation technique targeting FortiGate devices. Threat actors who exploited known vulnerabilities such as CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762 are retaining unauthorized read-only access to the device's file system. This allows them to potentially access sensitive configurations and credentials, even after patches for the original vulnerabilities have been applied. The Cybersecurity and Infrastructure Security Agency (CISA) has also issued a security alert encouraging organizations to implement mitigation strategies.

The attackers are creating symbolic links (symlinks) within the user file system, connecting it to the root file system through a folder used for SSL-VPN language files. Because the symlink lives in a folder that survives upgrades, it evades detection and remains intact even after FortiOS is updated. The symlink enables the threat actor to maintain persistent, read-only access to the device's file system, compromising confidentiality. According to Fortinet, this exploitation activity does not appear to be targeted at any specific region or industry.

Fortinet has released updated FortiOS versions (7.6.2, 7.4.7, 7.2.11, 7.0.17, and 6.4.16) that automatically remove the malicious symlink and prevent future exploitation through the SSL-VPN user interface. Earlier versions (7.4, 7.2, 7.0, and 6.4) also include an antivirus and intrusion prevention system (AV/IPS) signature to detect and remove the symlink, provided the IPS engine is enabled and licensed. Customers are urged to upgrade their devices to the latest versions, review device configurations, reset credentials, and consider temporarily disabling SSL-VPN functionality as a precaution.
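The defensive check implied by the symlink technique above, as an added example that is not Fortinet's code and not taken from any of the cited articles: walk a directory tree and flag every symbolic link whose fully resolved target lies outside an allowed base directory. The real FortiOS paths and the vendor's removal logic are not given on the page, so the "rootfs" and "userfs/lang" layout, the file names, and the `simulate_upgrade` stand-in (an upgrade that rewrites shipped files but does not clear the folder) are all constructed for the demonstration.

```python
"""Audit a directory tree for symlinks that escape an allowed base directory.

Added example, not from Fortinet or the cited reports. The directory layout
is constructed in a temporary directory as a stand-in for the device file
system described in the advisory; the FortiOS paths are not on the page.
"""
import os
import tempfile
from pathlib import Path


def find_escaping_symlinks(scan_root, allowed_base):
    """Return (link, resolved_target) pairs for every symlink under scan_root
    whose resolved target is not inside allowed_base."""
    allowed = Path(allowed_base).resolve()
    escaping = []
    # followlinks=False: never descend through the very links being audited
    for dirpath, dirnames, filenames in os.walk(scan_root, followlinks=False):
        for name in dirnames + filenames:
            candidate = Path(dirpath) / name
            if not candidate.is_symlink():
                continue
            # strict=False so a dangling link is still reported with its target
            target = candidate.resolve(strict=False)
            try:
                target.relative_to(allowed)          # inside the allowed base: fine
            except ValueError:
                escaping.append((str(candidate), str(target)))
    return escaping


def build_demo_tree(base):
    """Constructed layout: 'rootfs' holds a config file; 'userfs/lang' holds one
    legitimate file, one harmless relative symlink, and one symlink that
    escapes into rootfs (the pattern the advisory describes)."""
    base = Path(base)
    rootfs = base / "rootfs"
    (rootfs / "etc").mkdir(parents=True)
    (rootfs / "etc" / "config.conf").write_text("constructed sample config\n")
    lang = base / "userfs" / "lang"
    lang.mkdir(parents=True)
    (lang / "en.json").write_text("{}\n")
    os.symlink("en.json", lang / "default.json")   # stays inside userfs: benign
    os.symlink(rootfs, lang / "cache")             # points out of userfs: escaping
    return base / "userfs", lang


def simulate_upgrade(lang_dir):
    """Stand-in for an upgrade that rewrites shipped files in place but never
    clears the folder: the regular file is replaced, the symlink survives."""
    (Path(lang_dir) / "en.json").write_text('{"version": 2}\n')


def demo():
    """Build the tree, 'upgrade' it, then audit: only the escaping link remains flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        userfs, lang = build_demo_tree(tmp)
        simulate_upgrade(lang)
        hits = find_escaping_symlinks(lang, userfs)
        return [os.path.basename(link) for link, _ in hits]


if __name__ == "__main__":
    print(demo())   # ['cache']
```

The relative symlink `default.json` is not reported because its resolved target stays under `userfs`; `cache` is reported because resolution lands in `rootfs`. Resolving both the link and the allowed base with `Path.resolve()` before comparing is what makes the check robust to `..` components and to the base itself being reachable through another link.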

Recommended read:
References :
  • www.cybersecuritydive.com: Fortinet warns of threat activity against older vulnerabilities
  • thehackernews.com: Fortinet Warns Attackers Retain FortiGate Access Post-Patching via SSL-VPN Symlink Exploit
  • community.fortinet.com: Technical Tip : Recommended steps to execute in case of a compromise
  • BleepingComputer: Fortinet warns that threat actors use a post-exploitation technique
  • BleepingComputer: Fortinet: Hackers retain access to patched FortiGate VPNs using symlinks
  • Help Net Security: HelpNetSecurity: FortiOS, FortiGate vulnerabilities
  • bsky.app: Fortinet warns that threat actors use a post-exploitation technique that helps them maintain read-only access to previously compromised FortiGate VPN devices even after the original attack vector was patched.
  • www.helpnetsecurity.com: Hackers exploit old FortiGate vulnerabilities, use symlink trick to retain limited access to patched devices
  • www.bleepingcomputer.com: Fortinet warns that threat actors use a post-exploitation technique that helps them maintain read-only access to previously compromised FortiGate VPN devices even after the original attack vector was patched.
  • securityaffairs.com: Fortinet warns attackers can keep read-only access to FortiGate devices even after the original vulnerability is patched.

Rob Wright@gcp.cybersecuritydive.com //
Sensata Technologies, a global manufacturer of sensors and industrial technology, has disclosed a recent ransomware attack that significantly disrupted its operations. The Massachusetts-based company, which has sites in approximately a dozen countries, informed the U.S. Securities and Exchange Commission (SEC) about the incident, revealing that it forced the company to take its network offline. The attack, which began on Sunday, April 6th, impacted critical functions, including shipping, receiving, manufacturing production, and other support services. Sensata has engaged law enforcement and cybersecurity experts to investigate the breach and restore its systems.

The preliminary investigation has uncovered evidence indicating that files were exfiltrated from Sensata's environment. The company is currently working to identify the compromised files and will notify affected individuals and regulators in accordance with applicable laws. While interim measures have been implemented to restore certain functions, the timeline for a full recovery remains uncertain. Sensata is an industrial technology company with over 19,000 employees.

Despite the operational disruptions, Sensata initially stated that it does not expect the ransomware attack to have a material impact on its financial results for the current quarter. However, the company noted that the full scope and impact of the attack are still being assessed, and this determination could change. Sensata Technologies, known for its work on the Apollo 11 moon mission and Hubble space telescope upgrades, ships approximately 1 billion units of product annually. As of Wednesday evening, no ransomware gang had claimed responsibility for the attack.

Recommended read:
References :
  • The Register - Security: The Register article describing that US sensor giant Sensata admits to ransomware issues
  • therecord.media: The Record article about Sensata Technologies ransomware attack.
  • www.cybersecurity-insiders.com: Cybersecurity Insiders article about Sensata Technologies hit by a ransomware attack.
  • www.cybersecuritydive.com: Cybersecurity Dive article about Sensata Technologies being disrupted.
  • The Dysruption Hub: A ransomware attack on Sensata Technologies disrupted production and logistics across global operations, prompting a federal investigation.
  • Jon Greig: Billion-dollar industrial technology company Sensata Technologies warned investors on Wednesday of a ransomware attack that is impacting "shipping, receiving, manufacturing production, and various other support functions"
  • www.cybersecurity-insiders.com: Ransomware attack on Sensata Technologies.
  • www.silentpush.com: Ransomware attack disrupts Sensata Technologies operations

Sathwik Ram@seqrite.com //
Pakistan-linked SideCopy APT has escalated its cyber operations, employing new tactics to infiltrate crucial sectors. Seqrite Labs APT team uncovered these new tactics deployed since the last week of December 2024. The Advanced Persistent Threat (APT) group, previously focused on Indian government, defence, maritime sectors, and university students, is expanding its targeting scope.

The group has broadened its targets to include critical sectors such as railways, oil & gas, and external affairs ministries. One notable shift in their recent campaigns is the transition from using HTML Application (HTA) files to adopting Microsoft Installer (MSI) packages as a primary staging mechanism. This evolution is marked by increasingly sophisticated methods, such as reflective DLL loading and AES encryption via PowerShell.

Furthermore, SideCopy is actively repurposing open-source tools like XenoRAT and SparkRAT to enhance their penetration and exploitation capabilities. The group customizes these tools and employs a newly identified Golang-based malware dubbed CurlBack RAT, specifically designed to execute DLL side-loading attacks. Recent campaigns demonstrate an increased use of phishing emails masquerading as government officials to deliver malicious payloads, often using compromised official domains and fake domains mimicking e-governance services.

Recommended read:
References :
  • Virus Bulletin: The Seqrite Labs APT team has uncovered new tactics of the Pakistan-linked SideCopy APT. The group has expanded its targets to include critical sectors such as railways, oil & gas, and external affairs ministries and has shifted from using HTA files to MSI packages.
  • www.seqrite.com: Seqrite Labs APT team has uncovered new tactics of Pakistan-linked SideCopy APT deployed since the last week of December 2024.
  • cyberpress.org: SideCopy APT Poses as Government Personnel to Distribute Open-Source XenoRAT Tool
  • gbhackers.com: SideCopy APT Hackers Impersonate Government Officials to Deploy Open-Source XenoRAT Tool
  • Cyber Security News: Pakistan-linked adversary group SideCopy has escalated its operations, employing new tactics to infiltrate crucial sectors.
  • beSpacific: Article on the new tactics of the Pakistan-linked SideCopy APT.

@Talkback Resources //
Despite recent arrests in 2024, the Scattered Spider cybercrime collective remains active in 2025, continuing to target high-profile organizations with sophisticated social engineering attacks. The group, known for its audacious breaches including attacks against MGM Resorts and Caesars Entertainment in 2023, employs tactics such as impersonating IT staff to steal login credentials and using remote access tools. Security firm Silent Push has uncovered the group's persistence in 2025 and has outlined the group's latest tactics, techniques and procedures.

Scattered Spider is utilizing updated phishing kits and a new version of the Spectre RAT malware to compromise systems and exfiltrate sensitive data. Their phishing campaigns involve impersonating well-known brands and software vendors, including the use of dynamic DNS services to evade detection. Targets in 2025 include organizations such as Klaviyo, HubSpot, Pure Storage, Audemars Piguet, Chick-fil-A, Credit Karma, Forbes, Instacart, Louis Vuitton, Morningstar, New York Digital Investment Group, News Corporation, Nike, Paxos, Twitter/X, Tinder, T-Mobile, and Vodafone.

Law enforcement has made some progress in disrupting Scattered Spider's operations. Noah Michael Urban, also known as "King Bob," a 20-year-old member of the group, pleaded guilty to charges related to SIM swap fraud, aggravated identity theft, and cryptocurrency thefts. He faces potential decades in prison and is required to pay over $13.2 million in restitution to 59 victims. Silent Push made available code for a Spectre RAT string decoder and command and control (C2) emulator that defenders can use in their efforts to squash the eight-legged menace.

Recommended read:
References :
  • Talkback Resources: Scattered Spider adds new phishing kit, malware to its web
  • www.scworld.com: Scattered Spider persists with use of Spectre RAT, new phishing kit
  • cyberpress.org: Article on conducting advanced campaigns to steal login credentials and MFA tokens
  • gbhackers.com: The cyber threat landscape has witnessed remarkable adaptation from the notorious hacker collective known as Scattered Spider. Active since at least 2022, this group has been consistently refining its strategies for system compromise, data exfiltration, and identity theft. Silent Push analysts have tracked the evolution of Scattered Spider’s tactics, techniques, and procedures (TTPs) through early
  • cybersecuritynews.com: Scattered Spider Employs Sophisticated Attacks to Steal Login Credentials & MFA Tokens
  • gbhackers.com: Scattered Spider Launches Sophisticated Attacks to Steal Login Credentials and MFA Tokens

@www.cybersecurity-insiders.com //
The Office of the Comptroller of the Currency (OCC), an independent bureau within the U.S. Treasury Department, has confirmed a major email breach impacting approximately 100 bank regulators' accounts. The breach, which lasted for over a year, resulted in unauthorized access to more than 150,000 emails containing sensitive details about banks the agency oversees. According to the OCC's public statement, the compromised emails included highly sensitive information relating to the financial condition of federally regulated financial institutions and used in examination and supervisory oversight processes.

The OCC discovered the unauthorized access after being notified by Microsoft about unusual network behavior on Feb. 11. Following the discovery, the OCC notified Congress of the incident, describing it as a "major information security incident". Analysis by the OCC concluded that the highly sensitive bank information contained in the emails and attachments is likely to result in demonstrable harm to public confidence. The agency has since launched an internal and independent third-party review to determine the full extent of the breach and identify vulnerabilities that led to the unauthorized access.

Security experts have expressed concern over the news, emphasizing the potential for malicious actors to exploit the exposed information. One expert noted that knowing the weakest targets and their vulnerabilities could enable attackers to launch a broad series of attacks to disrupt services or perpetrate fraud. The OCC also notified the Cybersecurity and Infrastructure Security Agency (CISA) that there is no indication of any impact to the financial sector at this time. The OCC incident is considered the second high-profile breach for the Treasury Department in recent months; the first involved Chinese state-sponsored hackers breaching the department's network.

Recommended read:
References :
  • The Register - Security: The Register's article on the sensitive financial files that may have been stolen from US bank watchdog.
  • CyberScoop: Treasury bureau notifies Congress that email hack was a ‘major’ cybersecurity incident
  • www.cybersecurity-insiders.com: Hackers breach email systems of OCC to gather intelligence from emails
  • Metacurity: Hackers intercepted emails at US Comptroller of the Currency for over a year
  • thecyberexpress.com: Hackers Had Access to 150,000 Emails in U.S. Treasury Email Breach
  • www.cybersecuritydive.com: Treasury Department bank regulator discloses major hack
  • www.scworld.com: Hackers accessed 150,000 emails of 100 US bank regulators at OCC
  • Tech Monitor: OCC reports major email security breach to US Congress
  • cyberscoop.com: Treasury bureau notifies Congress that email hack was a ‘major’ cybersecurity incident
  • securityaffairs.com: The US Treasury’s OCC disclosed an undetected major email breach for over a year
  • www.csoonline.com: OCC email system breach described as ‘stunning, serious’
  • BleepingComputer: Hackers lurked in Treasury OCC’s systems since June 2023 breach

@gbhackers.com //
Cybercriminals are exploiting SourceForge, a legitimate software hosting and distribution platform, to spread malware disguised as Microsoft Office add-ins. Attackers are using SourceForge's subdomain feature to create fake project pages, making them appear credible and increasing the likelihood of successful malware distribution. One such project, named "officepackage," contains Microsoft Office add-ins copied from a legitimate GitHub project, but the subdomain "officepackage.sourceforge[.]io" displays a list of office applications with download links that lead to malware. This campaign is primarily targeting Russian-speaking users.

The attackers are manipulating search engine rankings to ensure these fake project pages appear prominently in search results. When users search for Microsoft Office add-ins, they are likely to encounter these malicious pages, which appear legitimate at first glance. Clicking the download button redirects users through a series of intermediary sites before finally downloading a suspicious 7MB archive named "vinstaller.zip." This archive contains another password-protected archive, "installer.zip," and a text file with the password.

Inside the second archive is an MSI installer responsible for creating several files and executing embedded scripts. A Visual Basic script downloads and executes a batch file that unpacks additional malware components, including a cryptocurrency miner and the ClipBanker Trojan. This Trojan steals cryptocurrency by hijacking cryptocurrency wallet addresses. Telemetry data shows that 90% of potential victims are in Russia, with over 4,604 users impacted by this campaign.

Recommended read:
References :
  • cyberpress.org: Threat Actors Leverage SourceForge Platform to Spread Malware
  • gbhackers.com: Attackers Exploit SourceForge Platform to Distribute Malware
  • Securelist: Attackers distributing a miner and the ClipBanker Trojan via SourceForge
  • The Hacker News: The Hacker News Article on Cryptocurrency Miner and Clipper Malware Spread via SourceForge
  • Cyber Security News: Threat Actors Leverage SourceForge Platform to Spread Malware
  • gbhackers.com: GBHackers article on Attackers Exploit SourceForge Platform to Distribute Malware
  • BleepingComputer: Threat actors are abusing SourceForge to distribute fake Microsoft add-ins that install malware on victims' computers to both mine and steal cryptocurrency.
  • The DefendOps Diaries: Unmasking the SourceForge Malware Campaign: A Deceptive Attack on Users
  • bsky.app: Threat actors are abusing SourceForge to distribute fake Microsoft add-ins that install malware on victims' computers to both mine and steal cryptocurrency.
  • www.bleepingcomputer.com: Threat actors are abusing SourceForge to distribute fake Microsoft add-ins that install malware on victims' computers to both mine and steal cryptocurrency.
  • securityonline.info: For many developers, SourceForge has long been a cornerstone of open-source collaboration — a trusted hub to host and distribute software. But for cybercriminals, it has recently become a platform to stage deception.
  • securityonline.info: SourceForge Used to Distribute ClipBanker Trojan and Cryptocurrency Miner
  • Cyber Security News: Cybersecurity News article on SourceForge malware distribution
  • Tech Monitor: Threat actors exploit SourceForge to spread fake Microsoft add-ins

@Latest from ITPro //
Europcar Mobility Group has confirmed a data breach affecting potentially up to 200,000 customers. The breach occurred through unauthorized access to the company’s GitLab repositories. According to reports, the stolen data includes source code for Europcar's Android and iOS mobile applications, as well as personal data linked to tens of thousands of customers. This incident raises significant security concerns, as the exposure of source code could potentially reveal vulnerabilities that could be exploited in future attacks.

Europcar is currently assessing the full extent of the damage caused by the breach. Preliminary findings indicate that the compromised data includes names and email addresses of users belonging to the Goldcar and Ubeeqo brands. The compromised records date back as far as 2017 and 2020. Europcar maintains that no financial information, passwords, or biometric details were exposed. The company has notified data protection authorities and has begun the process of informing affected customers about the incident.

The attacker reportedly claimed responsibility for the breach in late March and attempted to extort Europcar, threatening to release 37GB of stolen data. The data allegedly includes internal backups, infrastructure documentation, and application source code. Europcar has denied that all of its GitLab repositories were compromised, but has confirmed that the threat actor accessed over 9,000 SQL files and 269 environment configuration files. The method of access remains unclear, although similar breaches often involve stolen credentials obtained through infostealer malware. The investigation is ongoing.

Recommended read:
References :
  • techhq.com: Up to 200,000 Europcar users affected in GitLab security breach
  • www.it-daily.net: Europcar hacked: Up to 200,000 customer data at risk
  • www.itpro.com: Europcar data breach could affect up to 200,000 customers
  • www.scworld.com: Up to 200K purportedly impacted by Europcar GitLab breach
  • Techzine Global: Data breach at Europcar: GitLab hack affects up to 200,000 customers

Mandvi@Cyber Security News //
The Everest ransomware gang's dark web leak site has been compromised in a brazen act of cyber defiance. The site, typically used by the gang to publish stolen data and extort victims, was hacked and defaced, disrupting their operations significantly. The attackers replaced the usual content with a taunting message: "Don’t do crime CRIME IS BAD xoxo from Prague," showcasing a clear intent to disrupt and mock the cybercriminals.

This incident marks a rare occasion where a ransomware group becomes the target of a cyberattack, highlighting vulnerabilities even within sophisticated cybercriminal networks. Security experts speculate that the attackers may have exploited weaknesses in Everest’s web infrastructure, potentially a WordPress vulnerability. The takedown of the site disrupts Everest’s ability to pressure victims and underscores the risks faced by cybercriminal organizations, showing they are not immune to being targeted themselves.

The breach of Everest's leak site points to an emerging trend of counterattacks and internal sabotage targeting ransomware groups. While the identity of the attacker remains unknown, the defacement exposes weaknesses within cybercriminal networks, potentially stemming from insider threats or rival factions. This attack comes amid broader shifts in the ransomware landscape, with recent data indicating a decline in victim payouts during 2024, as more organizations adopt robust cybersecurity measures and refuse to comply with ransom demands.

Recommended read:
References :
  • Cyber Security News: In a significant cybersecurity incident, the leak site operated by the Everest ransomware gang was hacked and defaced over the weekend.
  • The DefendOps Diaries: News about Everest Ransomware's Dark Web Leak Site Defaced and Taken Offline
  • BleepingComputer: Everest ransomware's dark web leak site defaced, now offline
  • cyberpress.org: Hackers Breach and Deface Everest Ransomware Gang’s Leak Site
  • Secure Bulletin: Secure Bulletin discusses how the Everest ransomware gang faced an unprecedented blow, with their leak site hacked and defaced.
  • techcrunch.com: TechCrunch reports the dark web leak site of the Everest ransomware gang got hacked.
  • gbhackers.com: Everest ransomware's dark web leak site defaced, highlighting vulnerabilities in cybercriminal networks and impacting their operations.
  • The Hacker News: The darknet leak site used by the ransomware gang Everest went offline Monday after being apparently hacked and defaced over the weekend.
  • The Record: The darknet leak site used by the ransomware gang Everest went offline Monday after being apparently hacked and defaced over the weekend. Everest ransomware group’s darknet site offline following defacement
  • Cyber Security News: Everest Ransomware Gang Leak Site Hacked and Defaced
  • Techzine Global: Leak site of ransomware gang Everest has been hacked
  • gbhackers.com: gbhackers article highlighting the defacement of the Everest ransomware leak site
  • securityaffairs.com: SecurityAffairs article about Everest ransomware group’s Tor leak site offline after a defacement.
  • securebulletin.com: In a surprising turn of events, the Everest ransomware gang—a notorious Russia-linked cybercriminal organization—has suffered a significant setback.
  • www.scworld.com: Cyberattack takes down Everest ransomware leak site
  • ciso2ciso.com: Everest ransomware group’s Tor leak site offline after a defacement – Source: securityaffairs.com
  • therecord.media: The darknet leak site used by the ransomware gang Everest went offline Monday after being apparently hacked and defaced over the weekend.

Graham Cluley@Graham Cluley //
Noah Urban, a 20-year-old from Palm Coast, Florida, has pleaded guilty to charges related to cryptocurrency thefts, conspiracy, wire fraud, and identity theft. Urban, known online as "King Bob," was a key member of the notorious Scattered Spider hacking gang. The charges stem from two federal cases, one in Florida and another in California. Urban's activities involved orchestrating sophisticated attacks, including SIM swapping, to steal hundreds of thousands of dollars in cryptocurrency from investors. He was arrested in January 2024, and during the raid, he reportedly attempted to wipe his computer and social media history in an effort to destroy evidence.

The cybercriminal's operations involved stealing victims' personal information and using it to hijack their phone numbers through SIM swap fraud. This allowed Urban and his accomplices to bypass two-factor authentication and gain unauthorized access to cryptocurrency wallets. They then transferred the cryptocurrency to their own accounts, netting significant profits. Urban's activities also extended to leaking songs from famous music artists after breaking into the accounts of music industry executives, disrupting planned album releases and causing financial and emotional strain on the artists involved.

As part of his plea agreement, Urban has agreed to forfeit his jewelry, currency, and cryptocurrency assets. He will also pay US $13 million in restitution to 59 victims. Urban is expected to be sentenced within the next 75 days. He faces a potentially long prison term, which will include an additional two-year sentence for aggravated identity theft, as it cannot be served concurrently with other charges. Other suspected members of the Scattered Spider gang remain under investigation, highlighting the ongoing efforts to combat this cybercriminal syndicate.

Recommended read:
References :
  • bsky.app: Wild details here from a Scattered Spider hacker who pleaded guilty last week. Noah Urban from Florida was known online as 'King Bob' (yes from the Minions movie) and was making insane money from his hacking gang from the age of just 17...
  • DataBreaches.Net: A 20-year-old Palm Coast man linked to a massive cybercriminal gang pleaded guilty in a Jacksonville federal courtroom Friday morning to charges including conspiracy and wire fraud.
  • Cyber Security News: Noah Michael Urban, a 20-year-old Palm Coast resident known online as “King Bob,” pleaded guilty on April 7, 2025, to charges related to an extensive cryptocurrency theft operation.
  • securityaffairs.com: Noah Urban, a 20-year-old from Palm Coast, pleaded guilty to conspiracy, wire fraud, and identity theft in two federal cases, one in Florida and another in California.
  • www.bitdefender.com: Noah Urban, a 20-year-old man linked to the Scattered Spider hacking gang, pleaded guilty to charges related to cryptocurrency thefts.
  • cyberpress.org: A 20-year-old Palm Coast resident known online as “King Bob,” pleaded guilty on April 7, 2025, to charges related to an extensive cryptocurrency theft operation.
  • Cyber Security News: A 20-year-old Florida man identified as a key member of the notorious "Scattered Spider" cybercriminal collective has pleaded guilty to orchestrating sophisticated ransomware attacks and cryptocurrency theft schemes targeting major corporations.
  • The Register - Security: Alleged Scattered Spider SIM-swapper must pay back $13.2M to 59 victims
  • gbhackers.com: A 20-year-old Noah Urban, a resident of Palm Coast, Florida, pleaded guilty to a series of federal charges in a Jacksonville courtroom.
  • www.404media.co: Wild details here from a Scattered Spider hacker who pleaded guilty last week.
  • www.scworld.com: Scattered Spider persists with use of Spectre RAT, new phishing kit

Stu Sjouwerman@blog.knowbe4.com //
Tolling agencies throughout the United States are currently grappling with an escalating cybersecurity threat: deceptive text message scams known as smishing. These scams involve cybercriminals sending text messages that impersonate toll payment notifications, tricking individuals into clicking malicious links and making unauthorized payments. These messages often embed links that, if clicked, take the victim to a phishing site impersonating E-ZPass, The Toll Roads, FasTrak, Florida Turnpike, or another toll authority.

These scams are part of a sophisticated campaign leveraging phishing-as-a-service (PhaaS) platforms, most recently one called Lucid. This platform enables cybercriminals to launch large-scale phishing campaigns with minimal effort. Cybercriminals behind this scheme are exploiting legitimate communication technologies like Apple iMessage and Android RCS to bypass traditional spam filters and deliver their malicious messages at scale.

The phishing messages typically claim unpaid toll fees and threaten fines or license suspension if recipients fail to respond. The Lucid platform offers advanced features such as dynamic targeting, device-specific focus, and evasion techniques. These features allow attackers to tailor campaigns for iOS or Android users, block connections from non-targeted regions, and prevent direct access to phishing domains.

Recommended read:
References :
  • aboutdfir.com: Have you ever received an odd text message on your phone, purporting to be from a toll provider or package delivery service? If you have a U.S. cell phone, chances are you’ve encountered one of these SMiShing attempts—cybercriminals’ latest ploy to trick you into giving up your personal
  • www.cysecurity.news: Tolling agencies throughout the United States are battling an escalating cybersecurity threat that is causing deceptive text message scams, which are often called smishing, to escalate.
  • Cyber Security News: Beware! Phishing Scam Uses Fake Unpaid Tolls Messages to Harvest Login Credentials
  • gbhackers.com: Beware! Fake Unpaid Tolls Messages Used in Phishing Attack to Steal Login Credentials
  • www.bleepingcomputer.com: The E-ZPass toll payment texts return in massive phishing wave
  • BleepingComputer: Toll payment text scam returns in massive phishing wave
  • The DefendOps Diaries: The Toll Payment Text Scam: A Modern Cybersecurity Threat
  • www.bleepingcomputer.com: An ongoing phishing campaign impersonating E-ZPass and other toll agencies has surged recently, with recipients receiving multiple iMessage and SMS texts to steal personal and credit card information.
  • blog.knowbe4.com: Upgraded Phishing-as-a-Service Platform Drives a Wave of Smishing Attacks
  • cybersecuritynews.com: Threat Actors Leveraging Toll Payment Services in Massive Hacking Attack
  • Cyber Security News: Toll Payment Services Abused in Large-Scale Hacking Campaign
  • gbhackers.com: Threat Actors Exploit Toll Payment Services in Widespread Hacking Campaign
  • securityonline.info: Smishing campaigns exploiting toll payment systems to deceive consumers into disclosing sensitive information, often linked to popular platforms like FasTrak, E-ZPass, and I-Pass.
  • securityonline.info: Smishing Triad Expands Fraud Campaign, Targets Toll Payment Services
  • www.scworld.com: Toll payment service-targeted schemes by Smishing Triad escalates
  • blog.talosintelligence.com: Unraveling the U.S. toll road smishing scams
  • DataBreaches.Net: E-ZPass toll payment texts return in massive phishing wave
  • Blog: Unpaid toll-themed smishing campaign gives victims no free ‘E-ZPass’
  • Cisco Talos: Have you received a suspicious text that seemed to be from a toll road service? Discover how this widespread smishing scam is targeting U.S. drivers and uncover the actors behind it in our latest blog post:
  • Cisco Talos Blog: Cisco Talos has observed a widespread and ongoing financial theft SMS phishing (smishing) campaign since October 2024 that targets toll road users in the United States of America.
  • krebsonsecurity.com: China-based SMS phishing kits are enjoying remarkable success converting phished payment card data into mobile wallets from Apple and Google. Until recently, the so-called “Smishing Triad” mainly impersonated toll road operators and shipping companies.
  • www.silentpush.com: Smishing Triad: Chinese eCrime Group Targets 121+ Countries, Intros New Banking Phishing Kit
  • bsky.app: SilentPush has published a profile of Chinese cybercrime group Smishing Triad. The group is massive, with operations across 121 countries. The report also looks at the group's new phishing kit, named Lighthouse.
  • gbhackers.com: Smishing Triad has targeted numerous countries, including but not limited to UK, Canada, and USA.

Stu Sjouwerman@blog.knowbe4.com //
Since October 2024, a widespread SMS phishing campaign has been targeting toll road users across the United States. This "smishing" scam involves fraudulent text messages impersonating E-ZPass and other U.S.-based toll agencies. These messages falsely claim recipients have unpaid tolls, urging immediate payment to avoid penalties or suspension of driving privileges. The texts contain links leading to counterfeit websites designed to steal personal and financial information.

These fake websites prompt victims to enter their name, address, phone number, and credit card information. After a fake bill is shown and the user clicks "Proceed Now", this sensitive data is harvested by the threat actors. Authorities have been aware of similar scams, including a warning issued by the FBI's Internet Crime Complaint Center (IC3) in April 2024. The current surge and the targeting of toll road users in multiple states indicate that the threat actors are likely leveraging user information publicly leaked from large databases.

The individuals behind these phishing kits are known as the 'Smishing Triad', a China-based eCrime group. The group has systematically targeted organizations in at least 121 countries across numerous industries, including postal, logistics, telecommunications, transportation, finance, retail, and public sectors, with SMS phishing. The Smishing Triad claims to have over 300 front desk staff worldwide supporting its operations, and it continues to sell phishing kits to other threat actors via Telegram and other channels. Silent Push analysts have acquired Smishing Triad server log data and determined that portions of the group's infrastructure generated over one million page visits within a period of only 20 days.

Recommended read:
References :
  • Cisco Talos Blog: Cisco Talos has observed a widespread and ongoing financial theft SMS phishing (smishing) campaign since October 2024 that targets toll road users in the United States of America.
  • Blog: A recent smishing campaign is impersonating E-ZPass and other U.S.-based toll agencies and sending fraudulent text messages to individuals. These messages claim that recipients have unpaid tolls and urge immediate payment to avoid penalties or suspension of driving privileges.
  • Cisco Talos: Have you received a suspicious text that seemed to be from a toll road service? Discover how this widespread smishing scam is targeting U.S. drivers and uncover the actors behind it in our latest blog post:
  • krebsonsecurity.com: China-based SMS phishing Triad Pivots to Banks

SC Staff@scmagazine.com //
FortiGuard Labs has issued an alert regarding active attacks targeting CVE-2025-31161, an authentication bypass vulnerability found in CrushFTP managed file transfer (MFT) software. This vulnerability could allow attackers to gain administrative access to the application, presenting a significant risk to enterprise environments. A proof-of-concept (PoC) exploit is now publicly available, making exploitation easier for malicious actors. The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-31161 to its Known Exploited Vulnerabilities catalog, underscoring the urgency of addressing this threat.

FortiGuard Labs observed these attacks "in-the-wild", and SecurityWeek reports that four organizations in the retail, marketing, and semiconductor sectors have already been targeted. Initial reports previously tracked the vulnerability as CVE-2025-2825. The vulnerability is officially identified as CVE-2025-3102 with a CVSS score of 8.1, placing it in the high-severity category. Some of the intrusions have involved the delivery of the MeshAgent open-source remote monitoring tool, a DLL file for Telegram bot utilization, and AnyDesk installation for credential compromise.

CrushFTP developers blame VulnCheck's premature CVE designation; however, organizations are advised to update to the latest versions of CrushFTP to mitigate the risk of exploitation. The Shadowserver Foundation reported that attacks have declined since fixes were issued on March 21, but vigilance remains crucial. Further analysis and indicators of compromise (IOCs) are available to subscribers of AhnLab TIP.

Recommended read:
References :
  • fortiguard.fortinet.com: FortiGuard Labs has observed in-the-wild attack attempts targeting CVE-2025-31161, an authentication bypass vulnerability in CrushFTP managed file transfer (MFT) software.
  • www.scworld.com: Attacks involving critical CrushFTP vulnerability target several sectors