HellCat and Morpheus, two ransomware-as-a-service (RaaS) operations, have been observed using identical payloads to target victims. The payloads use Windows Cryptographic Application Programming Interface (CAPI) to encrypt data, and both ransomware operations direct victims to use Tor browsers and provided credentials to access their respective .onion portals. Researchers believe that the overlap in tactics and payloads is likely due to a connection between the two groups. The use of similar tools and tactics suggests a collaboration between HellCat and Morpheus or a shared origin, which is a cause for concern for security professionals, as it indicates a potential for increased sophistication and impact of ransomware attacks.
Multiple vulnerabilities in Git’s credential retrieval protocol have been discovered which could allow attackers to access user credentials. These flaws stem from the improper handling of messages within Git’s credential protocol affecting tools like GitHub Desktop, Git Credential Manager, and Git LFS. Successful exploitation of these flaws can lead to credential exposure.
Tesla’s vehicle and charging infrastructure have been repeatedly compromised at the Pwn2Own Automotive 2025 hacking competition. Researchers demonstrated the lack of effective security, managing to exploit vulnerabilities in charging stations and infotainment systems. The consistent success of these attacks underscores the pressing need for enhanced security measures within connected vehicles.
The successful exploits in the Pwn2Own contests highlight the need for better security protocols for automotive tech. The fact that multiple systems were compromised should raise concerns for consumers and car manufacturers about the overall security of connected vehicles.
North Korean IT workers are increasingly using their access to company systems to steal source code and extort companies for ransom. These workers, often hired under false pretenses, are becoming more aggressive and are actively funneling funds back to the North Korean regime. The FBI and Mandiant have issued fresh warnings regarding this evolving threat, urging organizations to be vigilant. These North Korean IT workers are exploiting their remote access to extract sensitive data from companies and demand payment to prevent its release. Additionally, the US Department of Justice has charged several individuals involved in this scheme for conspiracy and money laundering. This highlights the severity and breadth of North Korean cybercrime activities.
A new ‘Sneaky 2FA’ phishing kit is targeting Microsoft 365 accounts, using a sophisticated Adversary-in-the-Middle technique to bypass 2FA. This kit utilizes compromised WordPress sites and other domains to host phishing pages, collecting credentials and 2FA codes. The kit has been linked to the W3LL Panel OV6 phishing kit, indicating a larger threat landscape for Microsoft 365 users. The phishing method is capable of intercepting user credentials and session cookies.
A sophisticated credit card skimmer malware campaign is targeting WordPress e-commerce checkout pages. The malware injects malicious JavaScript code directly into the database tables, evading traditional detection methods. This allows attackers to steal sensitive payment information, highlighting the need for robust security practices, including database monitoring and regular security audits to protect against such advanced threats.
FunkSec, a rising ransomware group, blurs the lines between cybercrime and hacktivism. This group utilizes AI to develop malware and has quickly gained notoriety by breaching databases and selling access to government websites. They have unusually low ransom demands and operate as a four-member team, indicating a blend of financial and visibility motivations. This group emphasizes the evolving landscape of ransomware and the potential for AI to lower the barrier for new groups to engage in cybercrime. This group is being tracked as an evolving cyber threat. Organizations should implement robust security measures, including network segmentation, data backups and security awareness training.
Multiple vulnerabilities have been discovered in Palo Alto Networks’ Expedition migration tool, including an OS command injection flaw and a vulnerability that exposes sensitive firewall credentials. These vulnerabilities could allow attackers to execute arbitrary code and access usernames, cleartext passwords, device configurations, and API keys. The vulnerabilities pose a significant risk to organizations using the tool for firewall migration and optimization.
The White House has launched the Cyber Trust Mark program, a labeling scheme for IoT devices. This program informs consumers that applicable household products meet certain government-vetted cybersecurity standards. The Cyber Trust Mark aims to certify devices’ security, similar to the Energy Star label for energy efficiency. The initiative, coordinated with NIST and FCC, is set to have labeled products on shelves in 2025. This could encourage manufacturers to focus more on cybersecurity, and also help consumers pick safer devices.
A significant number of work-from-home job scams are targeting job seekers. These scams are designed to steal personal information and financial details. New techniques include using AI to enhance the believability of job postings and communication, making them more sophisticated and harder to detect. McAfee has also introduced a Scam Detector tool to help stop such scams.
Treating compliance as cybersecurity is coming under scrutiny because risk management is turning into a checkbox activity. While compliance is essential, it does not guarantee complete protection. There is a concern that compliance is shifting authority from security experts to lawyers. This trend has been highlighted after the SEC’s recent push for disclosure by public companies. Compliance should be viewed as a minimum requirement, not the only aspect of enterprise security, and it should not replace sound security practices.
The T3 Financial Crime Unit, a collaboration between TRON, Tether, and TRM Labs, has frozen over $100 million in cryptocurrency assets linked to illicit activities. This initiative involves working with global law enforcement to disrupt organized crime schemes that utilize blockchain technology for illicit transactions, highlighting the increasing efforts to combat crypto-related financial crimes.
A Russian-linked ‘dark fleet’ ship, initially suspected of cutting cables on Christmas Day, was discovered to be equipped with spying equipment. This indicates a dual-purpose mission involving both physical infrastructure disruption and signals intelligence gathering. This ship was boarded in the Baltic Sea and revealed to be a vessel used for both cable cutting and spying, posing a threat to critical infrastructure and international security.
A zero-day exploit was discovered in the OAuth implementation for Google Chrome extensions. This vulnerability allowed malicious actors to insert malicious code into Chrome extensions via a phishing campaign. The security flaw was identified by SquareX researchers just days before a widespread attack, highlighting the critical need for improved browser security and proactive detection methods for zero-day vulnerabilities. This incident led to the hijacking of multiple Chrome extensions, compromising user security.
Several industrial control system (ICS) vulnerabilities have been disclosed. These include 29 vulnerabilities in Hitachi Disk Array Systems, an improper check vulnerability in Palo Alto Networks products, and an unrestricted file upload issue in Philips products using Apache Struts. Additionally, ABB Cylon Aspect and HMS Ewon Flexy 205 products have been found vulnerable to code injection and remote code execution, respectively. These vulnerabilities, some with publicly available exploits, pose a risk to industrial and infrastructure environments, requiring prompt patching and mitigation.
Multiple reports indicate that the state of Rhode Island experienced a significant cyberattack that has compromised the personal data of hundreds of thousands of residents. The data breach targeted the state’s online portal for social services, possibly exposing Social Security numbers and bank account details. This has led to demands for ransom and a shutdown of the affected systems, leading to a potential crisis in public services.
The Winnti hacking group is using a new PHP backdoor called ‘Glutton’. This backdoor is being used in attacks targeting organizations in both China and the United States. Additionally, Winnti is also targeting other cybercriminals, indicating a shift in their focus and tactics. The use of the Glutton backdoor is a concerning development as it demonstrates the group’s ability to adapt and create new tools for their operations.
Over 300,000 Prometheus monitoring servers and exporters are exposed to various attacks, including information disclosure, denial-of-service (DoS), and potential remote code execution. These vulnerabilities stem from improper authentication and insecure configurations, allowing attackers to steal sensitive information such as credentials and API keys. The widespread exposure highlights the need for better security practices in Prometheus deployments and the critical nature of securing monitoring infrastructure.
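The Prometheus exposure above comes down to deployment settings, so here is a hardened web configuration as an added example (not from the report or the Prometheus project); the certificate paths and the user name are placeholders.

```yaml
# web.yml, passed to Prometheus (and to exporters built on exporter-toolkit,
# e.g. node_exporter) with --web.config.file=web.yml
#
# Weak deployment pattern to avoid (exposes /metrics, /api/v1/status/config,
# the target inventory and, with the admin API, TSDB deletion, all unauthenticated):
#   prometheus --web.listen-address=0.0.0.0:9090 \
#              --web.enable-admin-api --web.enable-lifecycle
# Hardened launch: drop those two flags unless a specific automation needs them,
# bind to an internal interface or put a firewall in front, and add:
#   prometheus --web.listen-address=10.0.0.5:9090 --web.config.file=web.yml

tls_server_config:
  cert_file: /etc/prometheus/tls/server.crt   # placeholder path
  key_file: /etc/prometheus/tls/server.key    # placeholder path
  min_version: TLS12                          # refuse TLS 1.0/1.1 clients

basic_auth_users:
  # user name is a placeholder; value is a bcrypt hash, generated with
  #   htpasswd -nBC 12 "" | tr -d ':\n'
  # never the plaintext password.
  monitoring: "$2y$12$<bcrypt-hash-placeholder>"
```

Point the scraping Prometheus at exporters protected this way via `basic_auth` and `scheme: https` in its scrape_configs, so the credentials travel only over TLS.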