Oluwapelumi Adejumo@CryptoSlate
//
Cryptocurrency exchange Bybit has confirmed a record-breaking theft of approximately $1.46 billion in digital assets from one of its offline Ethereum wallets. The attack, which occurred on Friday, is believed to be the largest crypto heist on record. Bybit disclosed that a highly sophisticated attack resulted in the theft of more than Rs 11,972 crores in digital assets.
The theft targeted an Ethereum cold wallet, involving a manipulation of a transaction from the cold wallet to a warm wallet. This allowed the attacker to gain control and transfer the funds to an unidentified address. The incident highlights the rising trend of cryptocurrency heists, driven by the allure of profits and challenges in tracing such crimes.
Recommended read:
References :
- www.techmeme.com: ZachXBT: crypto exchange Bybit has experienced $1.46B worth of "suspicious outflows"; Bybit CEO confirms hacker took control of cold ETH wallet
- CryptoSlate: The crypto exchange ByBit has been hacked, and roughly $1.5 billion in Ethereum (ETH) has been stolen — making this one of the biggest hacks in history.
- infosec.exchange: NEW: Crypto exchange Bybit said it was hacked and suffered a loss of around $1.4 billion (~401,346 ETH) at the time of the hack.
- PCMag UK security: The Bybit exchange lost 400,000 in ETH, or about $1.4 billion, before the price began to slide, making it the biggest crypto-related hack in history.
- techcrunch.com: TechCrunch reports on the Bybit hack, disclosing a loss of approximately $1.4 billion in Ethereum.
- ciso2ciso.com: In a major cybersecurity incident, Bybit, the world’s 2nd-largest crypto exchange suffered a $1.4 billion ETH hack from a cold wallet breach.
- ciso2ciso.com: Bybit Hack: $1.4B Stolen from World’s 2nd Largest Crypto Exchange – Source:hackread.com
- cryptoslate.com: ByBit suffers $1.5 billion Ethereum heist in cold wallet breach
- www.coindesk.com: Bybit experiences USD1.46B in suspicious outflows
- BleepingComputer: Cryptocurrency exchange Bybit revealed today that an unknown attacker stole over $1.46 billion worth of cryptocurrency from one of its ETH cold wallets.
- The Cryptonomist: 3 Best Bybit Alternatives As Top CEX Is Hacked
- Gulf Business: ‘Worst hack in history’: Dubai crypto exchange Bybit suffers $1.5bn ether heist
- Anonymous ???????? :af:: Cryptocurrency exchange Bybit revealed today that an unknown attacker stole over $1.46 billion worth of cryptocurrency from one of its ETH cold wallets.
- www.bleepingcomputer.com: Hacker steals record $1.46 billion in ETH from Bybit cold wallet
- Techmeme: Bybit Loses $1.5B in Hack but Can Cover Loss, CEO Confirms (Oliver Knight/CoinDesk)
- Report Boom: Report on the Bybit crypto heist, detailing the incident and security recommendations.
- thehackernews.com: Report on the Bybit hack, highlighting the scale of the theft and its implications.
- reportboom.com: Reportboom article about Bybit's $1.46B Crypto Heist.
- www.it-daily.net: Bybit hacked: record theft of 1.5 billion US dollars
- Protos: News about the Bybit cryptocurrency exchange being hacked for over \$1.4 billion.
- The420.in: On Friday, cryptocurrency exchange Bybit disclosed that a highly sophisticated attack resulted in the theft of more than Rs 11,972 crores in digital assets from one of its offline Ethereum wallets—the largest crypto heist on record.
- TechSpot: The hackers stole the crypto from Bybit's cold wallet, an offline storage system.
- Talkback Resources: Crypto exchange Bybit was targeted in a $1.46 billion theft by the Lazarus Group, highlighting the rising trend of cryptocurrency heists driven by the allure of profits and challenges in tracing such crimes.
- www.bleepingcomputer.com: Cryptocurrency exchange Bybit revealed today that an unknown attacker stole over $1.46 billion worth of cryptocurrency from one of its ETH cold wallets.
- www.the420.in: The420.in: Biggest Crypto Heist Ever: Bybit Loses Rs 12,000+ Crore in Sophisticated Ethereum Wallet Attack!
- www.cnbc.com: This report discusses the Bybit hack, detailing the amount stolen and the potential impact on the crypto market.
- www.engadget.com: This news piece reports on the massive crypto heist from Bybit, highlighting the scale of the incident and the impact on the crypto market.
- Techmeme: Arkham says ZachXBT submitted proof that North Korea's Lazarus Group is behind Bybit's $1.5B hack, which is the largest single theft in crypto history
- BrianKrebs: Infosec exchange post describing Bybit breach.
- Talkback Resources: Bybit cryptocurrency exchange suffered a cyberattack resulting in the theft of $1.5 billion worth of digital currency, including over 400,000 ETH and stETH, with potential vulnerabilities in the Safe.global platform's user interface exploited.
- securityaffairs.com: SecurityAffairs reports Lazarus APT stole $1.5B from Bybit, it is the largest cryptocurrency heist ever.
- gulfbusiness.com: ‘Worst hack in history’: Dubai crypto exchange Bybit suffers $1.5bn ether heist
- techcrunch.com: Crypto exchange Bybit says it was hacked and lost around $1.4B
- Tekedia: The cryptocurrency industry has been rocked by what is now considered the largest digital asset theft in history, as Bybit, a leading crypto exchange, confirmed on Friday that hackers stole approximately $1.4 billion worth of Ethereum (ETH) from one of its offline wallets.
- blog.checkpoint.com: What the Bybit Hack Means for Crypto Security and the Future of Multisig Protection
- Dan Goodin: Crypto exchange Bybit said it was hacked and suffered a loss of around $1.4 billion (~401,346 ETH) at the time of the hack.
- BleepingComputer: Crypto exchange Bybit revealed today that an unknown attacker stole over $1.46 billion worth of cryptocurrency from one of its ETH cold wallets.
- Security Boulevard: North Korea’s Lazarus Group Hacks Bybit, Steals $1.5 Billion in Crypto
- bsky.app: Elliptic is following the money on this ByBit hack - the biggest theft ot all time. “Within 2 hours of the theft, the stolen funds were sent to 50 different wallets, each holding approximately 10,000 ETH. These are now being systematically emptied�.
- Talkback Resources: Talkback Post about the $1.5B Bybit Hack: The Era of Operational Security Failures Has Arrived
- infosec.exchange: Reports that North Korean hackers stole $1.4 billion in crypto from Bybit.
- securityboulevard.com: North Korea's notorious Lazarus Group reportedly stole $1.5 billion in cryptocurrency from the Bybit exchange in what is being called the largest hack in the controversial market's history.
- billatnapier.medium.com: One of the Largest Hacks Ever? But Will The Hackers Be Able To Launder The Gains?
- thecyberexpress.com: thecyberexpress.com - Details on Bybit Cyberattack.
- Matthew Rosenquist: This may turn out to be the biggest hack in history! $1.5 BILLION.
- PCMag UK security: The $1.4 billion at Bybit—the largest known cryptocurrency heist in history—has been traced to the notorious Lazarus North Korean hacking group.
- www.nbcnews.com: Hackers steal $1.5 billion from exchange Bybit in biggest-ever crypto heist: Blockchain analysis firm Elliptic later linked the attack to North Korea’s Lazarus Group, a state-sponsored hacking collective
- www.pcmag.com: Researchers spot the $1.4 billion stolen from Bybit moving through cryptocurrency wallets that were used in earlier heists attributed to North Korea's Lazarus hacking group.
- siliconangle.com: $1.5B in cryptocurrency stolen from Bybit in attack linked to North Korean hackers
- www.americanbanker.com: Nearly $1.5 billion in tokens lost in Bybit crypto exchange hack
- SiliconANGLE: SiliconAngle reports on the details of the Bybit hack and links it to North Korean hackers.
- techcrunch.com: TechCrunch reports on the massive crypto heist, citing research that points to North Korean hackers as perpetrators.
- OODAloop: Reports that North Korea’s Lazarus Group APT is Behind Largest Crypto Heist Ever
- Be3: Looming Shadows: $1.5 Billion Crypto Heist Shakes Confidence in Security Measures
- Schneier on Security: Schneier on Security covers the North Korean Hackers Stealing $1.5B in Cryptocurrency.
- Dataconomy: How the Bybit hack shook the crypto world: $1.5B gone overnight
- be3.sk: Looming Shadows: $1.5 Billion Crypto Heist Shakes Confidence in Security Measures
- Risky Business: Risky Business #781 -- How Bybit oopsied $1.4bn
- cyberriskleaders.com: Bybit, a leading exchange, was hacked for USD1.4 billion in Ethereum and staked Ethereum, sending shockwaves through the digital asset community.
- www.csoonline.com: Independent investigation finds connections to the Lazarus Group.
- Cybercrime Magazine: Bybit suffers the largest crypto hack in history
- www.theguardian.com: Cyberattackers believed to be affiliated with the state-sponsored threat group pulled off the largest crypto heist reported to date, stealing $1.5 billion from exchange Bybit.
- bsky.app: Forensic investigators have discovered that North Korean Lazarus hackers stole $1.5 billion from Bybit after first breaching a Safe{Wallet} developer machine. The multisig wallet platform has also confirmed these findings in a statement issued today.
- Sergiu Gatlan: Forensic investigators have discovered that North Korean Lazarus hackers stole $1.5 billion from Bybit after first breaching a Safe{Wallet} developer machine. The multisig wallet platform has also confirmed these findings in a statement issued today.
- SecureWorld News: SecureWorld reports on the Bybit hack, attributing it to the Lazarus Group.
- OODAloop: The Largest Theft in History – Following the Money Trail from the Bybit Hack
- gbhackers.com: Researchers Uncover $1.4B in Sensitive Data Tied to ByBit Hack by Lazarus Group
- Secure Bulletin: The Lazarus Group, a notorious North Korean state-sponsored hacking collective, has once again demonstrated its sophistication and audacity with a staggering $1.5 billion cryptocurrency heist targeting Bybit, a major crypto exchange.
- Talkback Resources: "
THN Weekly Recap: From $1.5B Crypto Heist to AI Misuse & Apple’s Data Dilemma [mal]
- infosec.exchange: NEW: Hacked crypto exchange Bybit is offering $140 million in bounties to anyone who can help locate and freeze the stolen ethereum.
- CyberInsider: Record $1.5 billion Bybit hack undermines trust in crypto security
- The Register - Security: Cryptocurrency exchange Bybit, just days after suspected North Korean operatives stole $1.5 billion in Ethereum from it, has launched a bounty program to help recover its funds.
- PCMag UK security: The malicious Javascript code used in the attack could secretly modify transactions for Safe{Wallet}, a cryptocurrency wallet provider. The suspected North Korean hackers who $1.4 billion in cryptocurrency from Bybit pulled off the heist by infiltrating a digital wallet provider and tampering with its software.
- techcrunch.com: Last week, hackers stole around $1.4 billion in Ethereum cryptocurrency from crypto exchange Bybit, believed to be the largest crypto heist in history. Now the company is offering a total of $140 million in bounties for anyone who can help trace and freeze the stolen funds. Bybit’s CEO and
- securityaffairs.com: The FBI confirmed that North Korea is responsible for the record-breaking cyber heist at the crypto exchange Bybit.
- The Register - Security: The FBI has officially accused North Korea's Lazarus Group of stealing $1.5 billion in Ethereum from crypto-exchange Bybit earlier this month, and asked for help tracking down the stolen funds.
- techcrunch.com: The FBI said the North Korean government is ‘responsible’ for the hack at crypto exchange Bybit, which resulted in the theft of more than $1.4 billion in Ethereum cryptocurrency.
- Talkback Resources: FBI Says North Korea Hacked Bybit as Details of $1.5B Heist Emerge [net] [mal]
- PCMag UK security: FBI Blames North Korea for Massive $1.4 Billion Cryptocurrency Heist
- The420.in: Rs 1.27 trillion Stolen: Bybit Joins the Ranks of Crypto’s Largest Thefts – Full List Inside
- Talkback Resources: Bybit Hack Traced to Safe{Wallet} Supply Chain Attack Exploited by North Korean Hackers [mal]
- Tekedia: Bybit Declares War on “Notorious� Lazarus Group After $1.4B Hack, Offers $140m Reward
- SecureWorld News: The FBI officially attributed the massive to North Korea's state-sponsored hacking group, TraderTraitor, more commonly known as the infamous Lazarus Group.
- ChinaTechNews.com: North Korea was behind the theft of approximately $1.5bn in virtual assets from a cryptocurrency exchange, the FBI has said, in what is being described as the biggest heist in history.
- Wallarm: Lab Wallarm discusses how Bybit’s Real-Time Blacklisting Is Thwarting a $1.5B Crypto Heist
- iHLS: Cryptocurrency exchange Bybit became the latest victim of a major cyberattack, marking what appears to be the largest crypto hack in history.
- thehackernews.com: Bybit Hack Traced to Safe{Wallet} Supply Chain Attack Exploited by North Korean Hackers
- www.pcmag.com: FBI Blames North Korea for Massive $1.4 Billion Cryptocurrency Heist
- Dan Goodin: InfoSec Exchange Post on the FBI attribution to the Lazarus group and Bybit hack
@cyberalerts.io
//
Broadcom has issued emergency security patches for VMware ESXi, Workstation, and Fusion products, addressing three zero-day vulnerabilities actively exploited in the wild. These flaws can lead to virtual machine escape, allowing attackers to potentially gain control of the host systems. VMware products, including VMware vSphere, VMware Cloud Foundation, and VMware Telco Cloud Platform, are affected. Broadcom credited Microsoft's MSTIC security team with spotting and reporting the attacks.
The vulnerabilities were discovered by Microsoft and are actively being exploited. Patches are now available to address these critical security issues, and users of affected VMware products are strongly advised to apply the updates immediately to mitigate the risk of exploitation. Information on the patches can be found at the link provided by Broadcom (CVE-2025-22224: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25390).
Recommended read:
References :
- bsky.app: Broadcom released security patches to patch an actively exploited zero-day in its VMware ESXi products. Broadcom credited Microsoft's MSTIC security team with spotting and reporting the attacks.
- The Hacker News: Broadcom Releases Urgent Patches
- The Register - Software: VMware splats guest-to-hypervisor escape bugs already exploited in wild
- www.csoonline.com: VMware ESXi gets critical patches for in-the-wild virtual machine escape attack.
- securityaffairs.com: VMware fixed three actively exploited zero-days in ESX products
- Arctic Wolf: Three VMware Zero-Days Exploited in the Wild Patched by Broadcom.
- bsky.app: BleepingComputer article on VMware zero-days.
- Vulnerability-Lookup: A new bundle, VMSA-2025-0004: VMware ESXi, Workstation, and Fusion updates address multiple vulnerabilities (CVE-2025-22224, CVE-2025-22225, CVE-2025-22226), has been published on Vulnerability-Lookup:
- The Record: Three product lines from technology giant VMware — ESXI, Workstation and Fusion — have patches for vulnerabilities that the company and the federal government have said are being exploited by hackers
- securityaffairs.com: U.S. CISA adds Linux kernel and VMware ESXi and Workstation flaws to its Known Exploited Vulnerabilities catalog
- borncity.com: 0-day vulnerabilities in VMWare ESXi, Workstation and Fusion
- socradar.io: VMware Security Alert: Active Exploitation of Zero-Day Vulnerabilities (CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226)
- Arctic Wolf: Three VMware Zero-Days Exploited in the Wild Patched by Broadcom
- Blog: Multiple zero-days in VMware products actively exploited
- gbhackers.com: CISA Issues Alert on Actively Exploited VMware Vulnerabilities
- www.tenable.com: CVE-2025-22224, CVE-2025-22225, CVE-2025-22226: Zero-Day Vulnerabilities in VMware ESXi, Workstation and Fusion Exploited
- Information Security Buzz: Broadcom warns VMware users of Critical Zero-Day Exploits
- www.cybersecuritydive.com: 37K+ VMware ESXi instances vulnerable to critical zero-day
- www.itpro.com: Broadcom issues urgent alert over three VMware zero-days
- Carly Page: Broadcom is warning that a trio of VMware vulnerabilities are being actively exploited by hackers to compromise the networks of its corporate customers
- techcrunch.com: Security experts warn of ‘huge impact’ of actively exploited hypervisor flaws that allow sandbox escape
- Security Risk Advisors: Three Critical VMware Vulnerabilities Exploited in Wild Targeting ESXi, Workstation, and Fusion
- www.cybersecuritydive.com: Broadcom urges customers to patch 3 zero-day VMware flaws
- MSSP feed for Latest: Broadcom: VMware Zero-Days Being Exploited in the Wild
- www.bleepingcomputer.com: Over 37,000 internet-exposed VMware ESXi instances are vulnerable to CVE-2025-22224, a critical out-of-bounds write flaw that is actively exploited in the wild.
Shira Landau@Email Security - Blog
//
The FBI has issued a warning regarding a new data extortion scam where criminals are impersonating the BianLian ransomware group. These fraudsters are sending physical letters through the United States Postal Service to corporate executives, claiming their networks have been breached. The letters demand Bitcoin payments in exchange for preventing the release of sensitive company data.
Analysis suggests these letters are fraudulent, and organizations, particularly within the US healthcare sector, are advised to report such incidents to the FBI. Security vendors, including Arctic Wolf and Guidepoint Security, have studied these letters and believe the campaign is a ruse by someone pretending to be BianLian. The letters mimic conventional ransom notes, demanding payments of between $250,000 to $350,000 within 10 days.
This activity highlights the evolving tactics of cybercriminals who are now employing postal mail to target high-profile individuals in an attempt to extort money under false pretenses. The FBI urges companies to implement internal protocols for verifying ransom demands and to remain vigilant against these deceptive practices. It’s crucial for organizations to discern fake attacks from real ones amidst the increasing complexity of cybercrime.
Recommended read:
References :
- Arctic Wolf: Self-Proclaimed “BianLian Group� Uses Physical Mail to Extort Organizations
- CyberInsider: Fake BianLian Ransom Notes Delivered to Executives via Post Mail
- DataBreaches.Net: Bogus ‘BianLian’ Gang Sends Snail-Mail Extortion Letters
- www.csoonline.com: Ransomware goes postal: US healthcare firms receive fake extortion letters
- PCMag UK security: Businesses Are Receiving Snail Mail Ransomware Threats, But It's a Scam
- BrianKrebs: Someone has been snail mailing letters to various businesses pretending to be the BianLian ransomware group.
- Cyber Security News: FBI Warns of Data Extortion Scam Targeting Corporate Executives
- gbhackers.com: FBI Warns: Threat Actors Impersonating BianLian Group to Target Corporate Executives
- techcrunch.com: There is no confirmed link between the campaign and the actual BianLian ransomware group, making this an elaborate impersonation.
- thecyberexpress.com: FBI Issues Urgent Warning About Data Extortion Scam Targeting Corporate Executives
- Email Security - Blog: FBI Alert: Email Extortion Campaign Falsely Claims BianLian Ransomware Affiliation
- Threats | CyberScoop: Ransomware poseurs are trying to extort businesses through physical letters
- gbhackers.com: The novel approach highlights a shift in extortion tactics.
- Vulnerable U: Executives Receive Fake Snail Mail BianLian Ransomware Notes
- Malwarebytes: Ransomware threat mailed in letters to business owners
- www.scworld.com: The FBI is warning of a ransomware operation targeting C-suite executives via the US Postal Service.
- Cyber Security News: Fake BianLian Ransom Scams Target U.S. Firms Through Mailed Letters
- borncity.com: CISA warning: Cyber criminals (BianLian Groupe) attempt to blackmail executives
- Jon Greig: The FBI warned executives of a new scam where people claiming to be part of the BianLian ransomware gang are mailing physical letters with threats Arctic Wolf said it is aware of at least 20 organizations or executives who have received these letters
Bill Mann@CyberInsider
//
The Qualys Threat Research Unit (TRU) has revealed two significant vulnerabilities in OpenSSH, impacting both client and server components. The first, CVE-2025-26465, is a machine-in-the-middle (MitM) attack that targets OpenSSH clients when the VerifyHostKeyDNS option is enabled. The second, CVE-2025-26466, involves a pre-authentication denial-of-service (DoS) attack affecting both client and server systems by exhausting resources. These vulnerabilities expose systems to potential interception of communications and resource exhaustion, potentially crippling SSH servers.
The MitM vulnerability, CVE-2025-26465, allows attackers to impersonate a server, bypassing client identity checks even if VerifyHostKeyDNS is set to "yes" or "ask". This flaw was introduced in December 2014 and affects OpenSSH versions 6.8p1 through 9.9p1. The DoS vulnerability, CVE-2025-26466, enables attackers to consume excessive memory and CPU resources, impacting versions 9.5p1 through 9.9p1. While mitigations exist, such as LoginGraceTime and MaxStartups, immediate patching is strongly advised. OpenSSH version 9.9p2 addresses these vulnerabilities, urging administrators to upgrade affected systems promptly.
Recommended read:
References :
- CyberInsider: OpenSSH Vulnerabilities Exposed Millions to Multi-Year Risks
- buherator's timeline: Qualys Security Advisory CVE-2025-26465: MitM attack against OpenSSH's VerifyHostKeyDNS-enab...
- Open Source Security: Qualys Security Advisory discussing MitM and DoS attacks against OpenSSH clients and servers.
- securityonline.info: Securityonline.info article on OpenSSH flaws CVE-2025-26465 and CVE-2025-26466 exposing clients and servers to attacks.
- www.openwall.com: Qualys Security Advisory CVE-2025-26465: MitM attack against OpenSSH's VerifyHostKeyDNS-enab...
- cyberinsider.com: The Qualys Threat Research Unit (TRU) has disclosed two critical vulnerabilities in OpenSSH affecting both client and server components.
- securityonline.info: OpenSSH Flaws CVE-2025-26465 & CVE-2025-26466 Expose Clients and Servers to Attacks
- blog.qualys.com: Qualys TRU Discovers Two Vulnerabilities in OpenSSH (CVE-2025-26465, CVE-2025-26466)
- hackread.com: Critical OpenSSH Vulnerabilities Expose Users to MITM and DoS Attacks
- Ubuntu security notices: USN-7270-2: OpenSSH vulnerability
- The Hacker News: Two security vulnerabilities have been discovered in the OpenSSH secure networking utility suite that, if successfully exploited, could result in an active machine-in-the-middle (MitM) and a denial-of-service (DoS) attack, respectively, under certain conditions.
- www.csoonline.com: OpenSSH fixes flaws that enable man-in-the-middle, DoS attacks
- securityaffairs.com: OpenSSH bugs allows Man-in-the-Middle and DoS Attacks
- www.scworld.com: OpenSSH flaws could enable man-in-the-middle attacks, denial of service Two vulnerabilities in OpenSSH could enable man-in-the-middle (MitM) attacks or denial of service (DoS), the Qualys Threat Research Unit (TRU) revealed Tuesday.
- KubikPixel: OpenSSH flaws could enable man-in-the-middle attacks, denial of service Two vulnerabilities in OpenSSH could enable man-in-the-middle (MitM) attacks or denial of service (DoS), the Qualys Threat Research Unit (TRU) revealed Tuesday. â˜�ï¸
- AAKL: Infosec Exchange Post: Qualys TRU Discovers Two Vulnerabilities in OpenSSH: CVE-2025-26465 & CVE-2025-26466 More: The Register: FreSSH bugs undiscovered for years threaten OpenSSH security
- socradar.io: Security Flaws in OpenSSH and Juniper Networks Demand Action (CVE-2025-26465, CVE-2025-26466, and CVE-2025-21589)
- Information Security Buzz: Qualys Identifies Critical Vulnerabilities that Enable DDoS, MITM Attacks
- www.theregister.com: FreSSH bugs undiscovered for years threaten OpenSSH security
- socprime.com: Socprime discusses CVE-2025-26465 & CVE-2025-26466 Vulnerabilities.
- Full Disclosure: Qualys Security Advisory CVE-2025-26465: MitM attack against OpenSSH's VerifyHostKeyDNS-enabled client CVE-2025-26466: DoS attack against OpenSSH's client and server
- www.scworld.com: The security flaws, tracked as CVE-2025-26465 and CVE-2025-26466, can be used by an attacker to conduct an active machine-in-the-middle attack on the OpenSSH client when the VerifyHostKeyDNS option is enabled.
- SOC Prime Blog: CVE-2025-26465 & CVE-2025-26466 Vulnerabilities Expose Systems to Man-in-the-Middle and DoS Attacks
- Security Risk Advisors: OpenSSH Vulnerabilities Enable MITM Attacks and Denial-of-Service (CVE-2025-26465 & CVE-2025-26466)
Titiksha Srivastav@The420.in
//
Lee Enterprises, a major American media company with over 75 publications, has confirmed a ransomware attack that has disrupted operations across its network. The notorious Qilin ransomware gang has claimed responsibility for the February 3rd attack, alleging the theft of 350GB of sensitive data. This stolen data purportedly includes investor records, financial arrangements, payments to journalists and publishers, funding for tailored news stories, and even approaches to obtaining insider information. The cyberattack has resulted in widespread outages, significantly impacting the distribution of printed newspapers, subscription services, and internal business operations.
The attack has caused delays in the distribution of print publications and has partially limited online operations. Lee Enterprises anticipates a phased recovery over the next several weeks and has implemented temporary measures, including manual processing of transactions. The company has also launched a forensic investigation to determine the full extent of the breach. The Qilin ransomware group's actions have brought attention to the increasing threat facing media organizations and the importance of robust cybersecurity measures to protect sensitive information and maintain operational integrity.
Recommended read:
References :
- securityaffairs.com: SecurityAffairs: Qilin ransomware gang claimed responsibility for the Lee Enterprises attack
- www.cysecurity.news: CySecurity News: Lee Enterprises Faces Prolonged Ransomware Attack Disrupting Newspaper Operations
- The420.in: The420.in: American Media Group Hit by Cyber Attack, 75 Newspapers Disrupted & Informers’ Data Leaked
- bsky.app: The Qilin ransomware gang has claimed
responsibility for the attack at Lee Enterprises that disrupted operations on February 3, leaking samples of data they claim was stolen from the company.
- bsky.app: The Qilin ransomware gang has claimed responsibility for the attack at Lee Enterprises that disrupted operations on February 3, leaking samples of data they claim was stolen from the company.
- Information Security Buzz: Qilin Claims Lee Enterprises Ransomware Attack
- securityaffairs.com: The Qilin ransomware group claimed responsibility for the recent cyberattack on Lee Enterprises, which impacted dozens of local newspapers. Lee Enterprises, Inc. is a publicly traded American media company. It publishes 79 newspapers in 25 states, and more than
- CyberInsider: Reports that Qilin ransomware gang claimed responsibility for Lee Enterprises attack, threatens to leak stolen data
- www.cysecurity.news: reports on Ransomware
- Zack Whittaker: Lee Enterprises is still experiencing disruption and outages after a ransomware attack.
- Metacurity: UK ICO launches children's social media privacy probe, Qilin claims attack on Lee Enterprises, Polish Space Agency breached, Cellebrite zero days used to hack Serbian student's phone, Man sentenced to 24 years for putting CSAM on dark web, Canceled CFPB contracts threaten data security, much more
- Konstantin :C_H:: Qilin claims attack on Lee Enterprises,
- The420.in: Qilin ransomware group claimed responsibility for the Lee Enterprises attack.
- Kim Zetter: Reports Qilin claims attack on Lee Enterprises
- BleepingComputer: Qilin claiming responsibility for the cyberattack on Lee Enterprises.
- BleepingComputer: Qilin Ransomware Gang Claims Lee Enterprises Attack
- DataBreaches.Net: Japanese cancer hospital confirms breach; Qilin gang claims responsibility
- The Register - Security: Qilin ransomware gang claims attacks on cancer clinic, OB-GYN facility
- www.cysecurity.news: Qilin Ransomware Outfit Claims Credit for Lee Enterprises Breach
- www.scworld.com: The ransomware group Qilin has taken credit for the cyberattack on Lee Enterprises.
@csoonline.com
//
Recent reports have surfaced indicating that the US government ordered a temporary halt to offensive cyber operations against Russia, a decision that has stirred considerable debate and concern within the cybersecurity community. According to an exclusive report, Defense Secretary Pete Hegseth instructed U.S. Cyber Command (CYBERCOM) to suspend all planning against Moscow, including offensive digital actions. The directive, delivered to CYBERCOM chief Gen. Timothy Haugh, appears to be part of a broader effort by the White House to normalize relations with Russia amid ongoing negotiations regarding the war in Ukraine.
The decision to pause cyber operations has been met with skepticism and warnings from cybersecurity professionals, who fear the potential consequences of reducing vigilance against a known digital adversary. Concerns have been raised about potential increases in global cyber threats and a decrease in shared confidence in the U.S. as a defensive partner. However, the Cybersecurity and Infrastructure Security Agency (CISA) has denied these reports, labeling them as fake news and a danger to national security. CISA also noted that Russia has been at the center of numerous cybersecurity concerns for the U.S.
Recommended read:
References :
- bsky.app: DHS says CISA will not stop monitoring Russian cyber threats
- The Register - Security: US Cyber Command reportedly pauses cyberattacks on Russia
- Anonymous ???????? :af:: US Cybersecurity and Infrastructure Security Agency says that media reports about it being directed to no longer follow or report on Russian cyber activity are untrue, and its mission remains unchanged.
- securityboulevard.com: Security Pros Push Back as Trump Orders Halt to Cyber Ops vs. Russia
- www.bitdefender.com: Stop targeting Russian hackers, Trump administration orders US Cyber Command
- www.csoonline.com: US Cybercom, CISA retreat in fight against Russian cyber threats: reports
- Carly Page: The US has suspended its offensive cyber operations against Russia, according to reports, amid efforts by the Trump administration to grant Moscow concessions to end the war in Ukraine.
- Metacurity: US Cybercom, CISA are softening stances on Russia as a cyber foe: reports
- Zack Whittaker: The U.S. has reportedly suspended its offensive cyber operations against Russia, per multiple news outlets, amid efforts by the Trump administration to grant Moscow concessions to end the war in Ukraine.
- securityaffairs.com: CISA maintains stance on Russian cyber threats despite policy shift
- CyberInsider: CISA Denies Reports That It Has Halted Cyber Operations Against Russian Threats
- iHLS: U.S. Pauses Cyber Operations Against Russia
Juan Perez@Tenable Blog
//
The Ghost (Cring) ransomware group, known for exploiting vulnerabilities in software and firmware, remains a significant threat as of January 2025. A joint cybersecurity alert from the FBI, CISA, and other partners warns the global cyber defender community of increasing attacks from this financially motivated group. CISA issued a joint advisory on February 19, 2025, emphasizing the group's ongoing activity.
The Ghost (Cring) ransomware first appeared in early 2021 and has impacted organizations across more than 70 countries by compromising vulnerable, internet-facing services. Security measures such as patching known vulnerabilities and implementing basic infosec actions are crucial in defending against these attacks. The SOC Prime Platform has curated Sigma rules to help detect Ghost (Cring) ransomware activity.
Recommended read:
References :
- SecureWorld News: The FBI, CISA, and MS-ISAC have issued a joint cybersecurity advisory warning organizations about Ghost (Cring) ransomware, a sophisticated cyber threat that has been compromising critical infrastructure, businesses, and government entities worldwide.
- Tenable Blog: Rapid7 discusses Ghost Ransomware group targeting known Vulns.
- aboutdfir.com: The operators of Ghost ransomware continue to claim victims and score payments, but keeping the crooks at bay is possible by patching known vulnerabilities and some basic infosec actions.
- Resources-2: Picus Security provides Ghost (Cring) Ransomware Analysis, Simulation, and Mitigation.
- socprime.com: Ghost (Cring) Ransomware Detection: The FBI, CISA, and Partners Warn of Increasing China-Backed Group’s Attacks for Financial Gain
- SOC Prime Blog: The FBI, CISA, and partners have recently issued a joint cybersecurity alert warning the global cyber defender community of increasing Ghost (Cring) ransomware attacks aimed at financial gain.
- thecyberexpress.com: A Ghost ransomware group also referred to as Cring, has been actively exploiting vulnerabilities in software and firmware as recently as January 2025.
- Security Boulevard: [CISA AA25-050A] #StopRansomware: Ghost (Cring) Ransomware
- www.attackiq.com: CISA AA25-050A] #StopRansomware: Ghost (Cring) Ransomware
- industrialcyber.co: CISA, FBI, MS-ISAC warn of Ghost ransomware
- aboutdfir.com: The operators of Ghost ransomware continue to claim victims and score payments, but keeping the crooks at bay is possible by patching known vulnerabilities and some basic infosec actions, according to a joint advisory issued Wednesday by the FBI and US Cybersecurity and
- securebulletin.com: Secure Bulletin provides an analysis of tactics, targets, and techniques used by Ghost Ransomware.
- Secure Bulletin: Securebulletin article on Ghost Ransomware
- The Register - Security: Ghost ransomware crew continues to haunt IT depts with scarily bad infosec
- cyble.com: FBI-CISA Ghost Ransomware Warning Shows Staying Power of Old Vulnerabilities
- aboutdfir.com: News article covering the joint advisory from CISA and the FBI on the Ghost/Cring ransomware.
@www.bleepingcomputer.com
//
JPMorgan Chase Bank will soon block Zelle payments that originate from social media platforms and messaging apps, aiming to combat a surge in online scams. This policy change, set to take effect on March 23rd, 2025, is a direct response to the increasing fraudulent activities exploiting peer-to-peer payment services. Chase emphasizes that Zelle is intended for transactions between trusted contacts like friends and family, not for payments to unfamiliar individuals encountered through social media.
The bank will decline or block payments identified as stemming from social media interactions. In addition, Chase may request further information from users when setting up payments or adding recipients, including the payment purpose and contact method. This move follows scrutiny from the Consumer Financial Protection Bureau (CFPB), which has criticized Zelle for its limited safeguards against fraud and scams, and a lawsuit filed in December by the CFPB.
Recommended read:
References :
- 9to5Mac: 9to5Mac article reporting that Zelle scams are leading Chase Bank to block payments to social media contacts.
- BleepingComputer: BleepingComputer article reporting that JPMorgan Chase Bank will soon start blocking Zelle payments to social media contacts to combat a significant rise in online scams.
- Techmeme: Techmeme article reporting Chase's plan to stop users from making Zelle payments originating from social media contacts.
- The Verge: The Verge article detailing Chase's decision to start blocking Zelle payments originating from social media.
info@thehackernews.com (The Hacker News)@The Hacker News
//
SecurityScorecard has uncovered a stealthy malware campaign orchestrated by North Korea's Lazarus Group, dubbed "Marstech Mayhem." The campaign involves the deployment of an advanced malware implant named "marstech1," designed to target cryptocurrency wallets and infiltrate the software supply chain. The implant first emerged in late December 2024, spreading through open-source software via GitHub and NPM packages, putting unsuspecting developers and their projects at risk. The group has been injecting JavaScript implants into repositories, blending malicious code with legitimate code to avoid detection.
The marstech1 implant targets Exodus and Atomic cryptocurrency wallets on Linux, macOS, and Windows. Once installed, the malware scans systems for crypto wallets, attempting to steal sensitive information. SecurityScorecard confirmed at least 233 victims across the U.S., Europe, and Asia. According to SecurityScorecard’s analysis, the threat actors have established a command and control server hosted on Stark Industries LLC infrastructure. Ryan Sherstobitoff, SecurityScorecard’s SVP of threat research and intelligence, noted that the malware uses layered obfuscation techniques, highlighting the group's sophisticated approach to evading static and dynamic analysis.
Recommended read:
References :
- readwrite.com: Details of marstech1 implant used by Lazarus group in supply chain attacks.
- The Hacker News: Article describing Lazarus Group's attack campaign targeting developers using marstech1 implant.
- www.developer-tech.com: Report on Lazarus Group's use of marstech1 malware.
- ReadWrite: North Korea’s Lazarus Group spreads crypto-stealing malware through open-source software
- Developer Tech News: Lazarus Group infiltrates supply chain with stealthy malware
info@thehackernews.com (The Hacker News)@The Hacker News
//
Ivanti has released critical security updates for Connect Secure (ICS), Policy Secure (IPS), and Secure Access Client (ISAC) to address multiple vulnerabilities. These include three critical severity problems that could allow remote code execution (RCE), posing a significant risk. The updates aim to patch flaws such as external control of a file name (CVE-2024-38657) and a stack-based buffer overflow (CVE-2025-22467), which can be exploited by authenticated attackers to execute arbitrary code and compromise system integrity.
The specific vulnerabilities addressed include CVE-2024-38657, which allows remote authenticated attackers with admin privileges to write arbitrary files, and CVE-2025-22467, a stack-based buffer overflow that enables remote code execution. Also patched is CVE-2024-10644 which is a code injection vulnerability, and CVE-2024-47908, an operating system command injection flaw in the admin web console of Ivanti CSA. Users are urged to update to the latest versions, Ivanti Connect Secure 22.7R2.6, Ivanti Policy Secure 22.7R1.3, and Ivanti CSA 5.0.5, as soon as possible to mitigate potential exploitation. While Ivanti is not aware of active exploitation, it's imperative to apply the patches due to the history of Ivanti appliances being weaponized.
Recommended read:
References :
- Vulnerability-Lookup: Security advisory for Ivanti Connect Secure, Policy Secure, and Secure Access Client (multiple CVEs).
- securityonline.info: Ivanti has disclosed multiple vulnerabilities affecting its Connect Secure, Policy Secure, and Secure Access Client products, with some The post appeared first on .
- The Hacker News: Ivanti Patches Critical Flaws in Connect Secure and Policy Secure – Update Now
- BleepingComputer: Ivanti has released security updates for Ivanti Connect Secure (ICS), Ivanti Policy Secure (IPS), and Ivanti Secure Access Client (ISAC) to address multiple vulnerabilities, including three critical severity problems.
- securityonline.info: CVE-2025-22467 (CVSS 9.9): Ivanti Connect Secure Vulnerability Allows Remote Code Execution
- www.bleepingcomputer.com: Ivanti has released security updates for Ivanti Connect Secure (ICS), Ivanti Policy Secure (IPS), and Ivanti Secure Access Client (ISAC) to address multiple vulnerabilities, including three critical severity problems.
- vulnerability.circl.lu: February Security Advisory Ivanti Connect Secure (ICS),Ivanti Policy Secure (IPS) and Ivanti Secure Access Client (ISAC) (Multiple CVEs), has been published on Vulnerability-Lookup
- research.kudelskisecurity.com: Ivanti ICS, IPS, ISAC, CSA: Multiple Vulnerabilities Disclosed and Patched
- bsky.app: Ivanti has released security updates for Ivanti Connect Secure (ICS), Ivanti Policy Secure (IPS), and Ivanti Secure Access Client (ISAC) to address multiple vulnerabilities, including three critical severity problems.
- socradar.io: Ivanti Security Update Addresses Severe Vulnerabilities in ICS, IPS, and ISAC (CVE-2025-22467, CVE-2024-38657, CVE-2024-10644)
- research.kudelskisecurity.com: Ivanti ICS, IPS, ISAC, CSA: Multiple Vulnerabilities Disclosed and Patched
- BleepingComputer: Ivanti has released security updates for Ivanti Connect Secure (ICS), Ivanti Policy Secure (IPS), and Ivanti Secure Access Client (ISAC) to address multiple vulnerabilities, including three critical severity problems
info@thehackernews.com (The Hacker News)@The Hacker News
//
The Winnti Group, a China-based threat actor also known as APT41, is actively targeting Japanese organizations within the manufacturing, materials, and energy sectors. Researchers at LAC's Cyber Emergency Center identified a new campaign dubbed "RevivalStone," which employs an advanced version of the Winnti malware. This updated malware exhibits enhanced capabilities and sophisticated evasion techniques, posing a significant threat to the targeted industries.
This RevivalStone campaign initiates by exploiting SQL injection vulnerabilities in web-facing Enterprise Resource Planning (ERP) systems. Attackers deploy web shells like China Chopper to gain initial access, enabling reconnaissance, credential harvesting, and lateral movement within targeted networks. The updated Winnti malware variant features AES and ChaCha20 encryption, device-specific decryption keys using IP and MAC addresses, a kernel-level rootkit for covert data exfiltration, and code obfuscation to evade endpoint detection and response (EDR) systems.
Recommended read:
References :
- www.lac.co.jp: Researchers from LAC's Cyber Emergency Center analyze the "RevivalStone" campaign operated by China-based threat group Winnti
- cyberpress.org: Winnti Hackers Target Japanese Organizations with Advanced Malware
- Talkback Resources: The content provides an in-depth analysis of the Winnti Group's activities, including the RevivalStone campaign, tools used such as WinntiWebShell and China Chopper, and techniques like AES encryption, Winnti RAT, and Winnti Rootkit, with a focus on detection and prevention strategies.
- Virus Bulletin: Researchers from LAC's Cyber ​​Emergency Center analyse the "RevivalStone" campaign operated by China-based threat group Winnti
- securityaffairs.com: SecurityAffairs: China-linked APT group Winnti targets Japanese organizations since March 2024
- The Hacker News: Winnti APT41 Targets Japanese Firms in RevivalStone Cyber Espionage Campaign
- Talkback Resources: China-linked APT group Winnti targeted Japanese organizations
- Talkback Resources: Winnti APT41 Targets Japanese Firms in RevivalStone Cyber Espionage Campaign
- www.scworld.com: Winnti attacks set sights on Japan
info@thehackernews.com (The Hacker News)@The Hacker News
//
Microsoft has uncovered a new variant of the XCSSET macOS malware, marking the first major revision since 2022. This latest version features enhanced obfuscation methods, updated persistence mechanisms, and new infection strategies. The malware is spread through infected Xcode projects, posing a significant risk to Apple developers.
The new XCSSET variant uses more randomized encoding methods, including Base64 in addition to xxd, and obfuscates module names to make analysis more difficult. The malware also employs a "dock method" where a fake Launchpad application is created, replacing the legitimate Launchpad's path in the dock, ensuring the malicious payload executes every time Launchpad is started. Microsoft advises users to inspect Xcode projects before using them and only install apps from trusted sources.
Recommended read:
References :
- Talkback Resources: Talkback.sh article summarizing Microsoft's discovery of an advanced XCSSET malware variant for macOS.
- The Hacker News: The Hacker News article about Microsoft uncovering a new XCSSET macOS malware variant with advanced obfuscation tactics.
- www.bleepingcomputer.com: Microsoft spots XCSSET macOS malware variant used for crypto theft
- Help Net Security: The XCSSET info-stealing malware is back, targeting macOS users and devs
- securityonline.info: XCSSET Malware Returns with Enhanced Capabilities to Target macOS Users
- www.helpnetsecurity.com: The XCSSET info-stealing malware is back, targeting macOS users and devs
- ciso2ciso.com: Source: thehackernews.com – Author: . Microsoft said it has discovered a new variant of a known Apple macOS malware called XCSSET as part of limited attacks in the wild.
- The Register: XCSSET macOS malware returns with first new version since 2022 Known for popping zero-days of yesteryear, Microsoft puts Apple devs on high alert Microsoft says there's a new variant of XCSSET on the prowl for Mac users – the first new iteration of the malware since 2022.…
- ciso2ciso.com: Microsoft Uncovers New XCSSET macOS Malware Variant with Advanced Obfuscation Tactics – Source:thehackernews.com
- go.theregister.com: XCSSET macOS malware returns with first new version since 2022 Known for popping zero-days of yesteryear, Microsoft puts Apple devs on high alert Microsoft says there's a new variant of XCSSET on the prowl for Mac users – the first new iteration of the malware since 2022.…
- BleepingComputer: Microsoft Uncovers New XCSSET macOS Malware Variant with Advanced Obfuscation Tactics
- securityaffairs.com: New XCSSET macOS malware variant used in limited attacks
Jessica Lyons@The Register - Software
//
The FBI and CISA have jointly issued an advisory urging software developers to eliminate buffer overflow vulnerabilities, labeling them "unforgivable defects." These agencies highlighted the continued presence of such vulnerabilities in products from major vendors like Microsoft and VMware. The advisory emphasizes the need for developers to adopt secure-by-design practices and memory-safe programming languages to prevent these flaws.
The agencies pointed out several recent buffer overflow vulnerabilities, including those found in Microsoft's Hyper-V, Ivanti's Connect Secure, and VMware's vCenter. These vulnerabilities, if exploited, could lead to privilege escalation, remote code execution, and full system access. The advisory stresses that buffer overflows are avoidable by using updated coding practices and safe languages. They also call on manufacturers to implement compile-time and runtime protections, conduct thorough testing, and analyze the root cause of past vulnerabilities to prevent future occurrences.
Recommended read:
References :
- The Register - Software: Feds want devs to stop coding 'unforgivable' buffer overflow vulnerabilities
- Information Security Buzz: CISA and FBI warn of threats exploiting buffer overflow vulnerabilities.
- : CISA and FBI release a joint Secure by Design Alert on eliminating buffer overflow vulnerabilities.
- industrialcyber.co: CISA, FBI urge manufacturers to eliminate buffer overflow vulnerabilities with secure-by-design practices
- ciso2ciso.com: CISA, FBI call software with buffer overflow issues ‘unforgivable’ – Source: www.csoonline.com
- Talkback Resources: US govt wants developers to stop coding 'unforgivable' bugs [app] [exp]
- Tenable Blog: Cybersecurity Snapshot: CISA Calls for Stamping Out Buffer Overflow Vulnerabilities, as Europol Tells Banks To Prep For Quantum Threat
- cyble.com: FBI, CISA Urge Memory-Safe Practices for Software Development
- securityonline.info: Buffer Overflows Vulnerabilities: CISA & FBI Issue Urgent Warning
@cyberinsider.com
//
A new malware family, dubbed FinalDraft, has been discovered using Microsoft Outlook drafts for command-and-control (C2) communication. This covert method allows the malware to blend into typical Microsoft 365 traffic, making it harder to detect. The malware has been used in attacks against a ministry in a South American country and was identified by Elastic Security Labs during an investigation into the REF7707 intrusion set.
The FinalDraft toolkit includes a loader, named PathLoader, a backdoor, and multiple submodules. PathLoader is a lightweight Windows PE executable that downloads AES-encrypted shellcode from attacker-controlled infrastructure, decrypts it, and executes it in memory, avoiding static analysis through API hashing and obfuscation. FinalDraft itself is a 64-bit malware written in C++ focused on data exfiltration and process injection, exploiting Outlook's mail drafts as a C2 channel. The malware creates session draft emails, reads and deletes command request drafts generated by the attackers, executes commands, and writes responses as draft emails.
Recommended read:
References :
- cyberinsider.com: Elastic Security Labs has identified a new malware family named FinalDraft, that uses Microsoft’s Graph API to communicate through Outlook email drafts, allowing attackers to bypass traditional network monitoring.
- Virus Bulletin: infosec.exchange post on finaldraft
- The Hacker News: FINALDRAFT Malware Exploits Microsoft Graph API for Espionage on Windows and Linux
- BleepingComputer: A new malware called FinalDraft has been using Outlook email drafts for command-and-control communication in attacks against a ministry in a South American country.
- securityonline.info: SecurityOnline article detailing how FinalDraft malware uses Outlook drafts for covert communication.
- www.bleepingcomputer.com: BleepingComputer news article on FinalDraft malware abusing Outlook email drafts for command-and-control.
- securityonline.info: In a recent investigation into the REF7707 intrusion set, Elastic Security Labs has identified a new malware family The post appeared first on .
- Anonymous ???????? :af:: A new malware called FinalDraft has been using email drafts for command-and-control communication in attacks against a ministry in a South American country.
@ciso2ciso.com
//
The US Coast Guard is facing increasing pressure to bolster its cybersecurity defenses within the Maritime Transportation System (MTS). A recent Government Accountability Office (GAO) report highlights critical shortcomings in the Coast Guard's cybersecurity strategy, including a lack of comprehensive planning and unreliable access to vulnerability data. This leaves the MTS, which supports $5.4 trillion in annual economic activity and over 30 million jobs, vulnerable to attacks from foreign governments, transnational criminals, and hacktivists.
The GAO audit, conducted between December 2023 and December 2024, revealed that while the Coast Guard developed a cybersecurity strategy in 2021, it lacks key components such as clearly defined national security risks, measurable targets, and an implementation budget. The report also found that the Coast Guard's system for managing cybersecurity checks on facilities and vessels does not readily provide complete information about cybersecurity problems. The GAO has made five recommendations to the Coast Guard to address these vulnerabilities.
Recommended read:
References :
- ciso2ciso.com: Probe finds US Coast Guard has left maritime cybersecurity adrift
- The Register - Security: Probe finds US Coast Guard has left maritime cybersecurity adrift
- Graham Cluley: US Coast Guard Urged to Strengthen Cybersecurity Amid $2B Daily Port Risk
Pierluigi Paganini@Security Affairs
//
Microsoft has issued updates to address a critical vulnerability, CVE-2025-24989, impacting its Power Pages platform. This flaw, a high-severity issue, is already being actively exploited in the wild, allowing unauthorized access to websites. Threat actors can leverage the vulnerability to achieve privilege escalation within targeted networks and evade user registration controls, granting them unauthorized access to sites.
Microsoft reports that the vulnerability, CVE-2025-24989, only impacts certain Power Pages users. The company urges users to examine their websites for possible compromise. The U.S. CISA has added the Microsoft Power Pages flaw to its Known Exploited Vulnerabilities catalog.
Recommended read:
References :
- securityaffairs.com: U.S. CISA adds Microsoft Power Pages flaw to its Known Exploited Vulnerabilities catalog
- socradar.io: Microsoft Patches Power Pages Zero-Day (CVE-2025-24989) & Recent PAN-OS Flaw (CVE-2025-0111) Joins CISA KEV
- www.scworld.com: Actively exploited Microsoft Power Pages flaw patched
- Report Boom: Microsoft has addressed a high-severity issue in Power Pages, CVE-2025-24989...
@www.bleepingcomputer.com
//
The North Korean hacking group Kimsuky has been observed using a custom-built RDP Wrapper and proxy tools in recent cyber espionage campaigns. According to reports from the AhnLab Security Intelligence Center (ASEC), these tools enable the group to directly access infected machines and maintain persistent access, representing a shift in tactics from relying solely on noisy backdoors like PebbleDash. The group also utilizes the forceCopy stealer malware.
Kimsuky's attack strategy typically begins with spear-phishing emails containing malicious shortcut (.LNK) files disguised as legitimate documents. When opened, these files execute PowerShell or Mshta scripts to download malware, including the custom RDP Wrapper. This wrapper is designed to bypass security measures by modifying export functions, making it difficult for security tools to detect. The group also uses keyloggers to capture user keystrokes and proxy malware to bypass network restrictions, facilitating remote access to compromised systems even within private networks.
Recommended read:
References :
- ciso2ciso.com: Kimsuky APT group used custom RDP Wrapper version and forceCopy stealer – Source: securityaffairs.com
- securityaffairs.com: Kimsuky APT group used custom RDP Wrapper version and forceCopy stealer.
- securityonline.info: Kimsuky Group Leverages RDP Wrapper for Persistent Cyber Espionage.
- www.bleepingcomputer.com: Kimsuky hackers use new custom RDP wrapper for remote access.
- www.microsoft.com: Microsoft details Kimsuky's new PowerShell-based attack tactic.
- www.scworld.com: PowerShell exploited in new Kimsuky intrusions
@www.ghacks.net
//
Recent security analyses have revealed that the iOS version of DeepSeek, a widely-used AI chatbot developed by a Chinese company, transmits user data unencrypted to servers controlled by ByteDance. This practice exposes users to potential data interception and raises significant privacy concerns. The unencrypted data includes sensitive information such as organization identifiers, software development kit versions, operating system versions, and user-selected languages. Apple's App Transport Security (ATS), designed to enforce secure data transmission, has been globally disabled in the DeepSeek app, further compromising user data security.
Security experts from NowSecure recommend that organizations remove the DeepSeek iOS app from managed and personal devices to mitigate privacy and security risks, noting that the Android version of the app exhibits even less secure behavior. Several U.S. lawmakers are advocating for a ban on the DeepSeek app on government devices, citing concerns over potential data sharing with the Chinese government. This mirrors previous actions against other Chinese-developed apps due to national security considerations. New York State has already banned government employees from using the DeepSeek AI app amid these concerns.
Recommended read:
References :
- cset.georgetown.edu: China’s ability to launch DeepSeek’s popular chatbot draws US government panel’s scrutiny
- PCMag Middle East ai: House Bill Proposes Ban on Using DeepSeek on Government-Issued Devices
- Information Security Buzz: Recent security analyses have found that the iOS version of DeepSeek transmits user data unencrypted.
- www.ghacks.net: Security analyses revealed unencrypted data transmission by DeepSeek's iOS app.
- iHLS: Article about New York State banning the DeepSeek AI app.
@www.cybersecurity-insiders.com
//
Orange Group has confirmed a data breach affecting its Romanian branch after a hacker, allegedly associated with the HellCat ransomware group and known as "Rey," breached their systems. The breach resulted in the exposure of over 380,000 email addresses and other sensitive data belonging to customers, partners, and employees. The attacker claims to have stolen thousands of internal documents after infiltrating the company’s infrastructure, and demanded a ransom which Orange refused to pay.
The leaked dataset includes over 600,000 customer records, employee details, financial documents, and source code. While the breach did not impact Orange’s core services, the company acknowledges major security gaps were highlighted as attackers had access to Orange’s systems for over a month before exfiltrating the data. This incident follows a similar cyber incident reported by Orange Spain just last week, increasing concerns about data security in the telecom sector.
Recommended read:
References :
- Dataconomy: dataconomy.com on Orange Group data breach: Every step explained
- The420.in: the420.in on Orange Group Suffers Data Breach: Hacker Claims Theft of Thousands of Internal Documents
- www.cybersecurity-insiders.com: Orange Group, a telecom services provider based in France, has confirmed that one of its internal systems at its Romanian branch was breached by a cyber attacker identified as “Rey,� an individual reportedly associated with the HellCat ransomware group.
- bsky.app: French telecommunications and digital services provider Orange confirmed that a hacker breached their systems and stole company data that includes customer, partners, and employee information.
- CyberInsider: Confirmation of a data breach impacting the French telecommunications and digital service provider Orange Group, following the leak of internal documents, particularly those affecting Orange Romania.
@ExpressVPN Blog
//
ExpressVPN has announced a significant upgrade to its Lightway VPN protocol, rewriting it in the Rust programming language to enhance security, improve performance, and streamline future development. This move demonstrates ExpressVPN's commitment to setting new industry standards and proactively addressing potential vulnerabilities. The company claims that Rust's memory safety features will eliminate common attack vectors, while its support for safer multicore processing will lead to better performance and battery life for users.
This reimplementation of Lightway in Rust is backed by two independent security audits conducted by cybersecurity firms Cure53 and Praetorian. These audits examined Lightway's new source code implementation, with both reports delivering positive results and validating the security enhancements. While a small number of issues were identified, none were deemed critical, and this rigorous dual-audit approach highlights ExpressVPN's dedication to transparency and security validation, promising users a faster, more secure, and reliable VPN experience.
Recommended read:
References :
- CyberInsider: CyberInsider article on ExpressVPN rewriting its Lightway VPN protocol in Rust.
- PCWorld: PCWorld article about ExpressVPN's massive upgrade to Lightway protocol written in Rust.
- cyberinsider.com: ExpressVPN Rewrites Lightway VPN Protocol in Rust for Security
- www.expressvpn.com: Why ExpressVPN switched from C to Rust for Lightway’s code
- www.expressvpn.com: Lightway’s Rust rewrite undergoes two security audits, by Cure53 and Praetorian
Field Effect@Blog
//
The Australian government has banned Kaspersky Lab products and web services from all government systems, citing an "unacceptable security risk" stemming from potential foreign interference, espionage, and sabotage. Effective April 1, 2025, government entities must remove the software, reflecting concerns about Kaspersky's data collection practices and possible exposure to foreign government influence. The ban follows a threat and risk analysis that concluded the software posed a significant threat to Australian Government networks and data.
The directive aims to also encourage critical infrastructure providers and personal users to reconsider their use of Kaspersky products due to the identified security risks. While the directive does not explicitly name the foreign government, Kaspersky Lab is a Russian cybersecurity company, raising concerns about ties to the Russian government. Similar bans have been implemented in other countries, including the United States, which banned Kaspersky products from federal systems back in 2017. Exemptions to the ban may be considered for legitimate business reasons related to national security, subject to appropriate mitigations.
Recommended read:
References :
- BleepingComputer: The Australian government has banned all Kaspersky Lab products and web services from its systems and devices following an analysis that claims the company poses a significant security risk to the country.
- securityaffairs.com: Australia bans Kaspersky software over national security concerns, citing risks of foreign interference, espionage, and sabotage of government networks.
- Talkback Resources: The Australian Government has banned Kaspersky Lab products and web services from all government systems and devices due to security concerns related to potential foreign interference and espionage, effective April 1, 2025.
- Talkback Resources: Australia Bans Kaspersky Software Over National Security and Espionage Concerns [app]
- Blog: FieldEffect reports on the Australian government banning Kaspersky software.
Pierluigi Paganini@Security Affairs
//
The Cybersecurity and Infrastructure Security Agency (CISA) has recently added two critical vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog. These vulnerabilities affect Adobe ColdFusion and Oracle Agile Product Lifecycle Management (PLM), posing significant risks to organizations. The advisory issued by CISA strongly urges immediate remediation to mitigate the threat of potential exploitation.
These vulnerabilities include CVE-2017-3066 in Adobe ColdFusion and CVE-2024-20953 in Oracle Agile PLM. The agency has set a deadline of March 17, 2025, for federal agencies to secure their networks against these flaws. Active exploitation attempts have been reported, highlighting the urgency of applying necessary updates.
Recommended read:
References :
- Talkback Resources: Two Actively Exploited Security Flaws in Adobe and Oracle Products Flagged by CISA [exp] [net]
- thecyberexpress.com: CISA Warns of Actively Exploited Adobe ColdFusion and Oracle Agile PLM Vulnerabilities
- cyble.com: Overview The Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog.
- Talkback Resources: Two Actively Exploited Security Flaws in Adobe and Oracle Products Flagged by CISA [exp] [net]
@techcrunch.com
//
New York-based venture capital and private equity firm Insight Partners has disclosed a security breach of its systems. The firm, which manages over $90 billion in regulatory assets and has invested in over 800 software and technology startups globally over the past 30 years, revealed that the incident occurred in January. The breach involved unauthorized access to its information systems following what they are calling "a sophisticated social engineering attack."
Insight Partners confirmed that the attack took place on January 16, 2025. The company has taken steps to address the situation, notifying law enforcement in relevant jurisdictions and engaging third-party cybersecurity experts to investigate the full scope and impact of the breach. The investigation is ongoing to determine the extent of data exposure and to implement measures to prevent future incidents.
Recommended read:
References :
- cyberinsider.com: Insight Partners Investigates Data Breach Following Cyberattack
- BleepingComputer: New York-based venture capital firm Insight Partners has disclosed that its systems were breached
- techcrunch.com: VC giant Insight Partners confirms a January cyberattack
- CyberInsider: Insight Partners Investigates Data Breach Following Cyberattack
- securityaffairs.com: Venture capital firm Insight Partners discloses security breach
- www.bleepingcomputer.com: Insight Partners hit by cyberattack
- Carly Page: US-based VC giant Insight Partners has confirmed that hackers breached its systems in January.
- aboutdfir.com: Insight Partners confirms cyberattack in January 2025, with unauthorized access to information systems.
@www.verdict.co.uk
//
OpenAI is shifting its strategy by integrating its o3 technology, rather than releasing it as a standalone AI model. CEO Sam Altman announced this change, stating that GPT-5 will be a comprehensive system incorporating o3, aiming to simplify OpenAI's product offerings. This decision follows the testing of advanced reasoning models, o3 and o3 mini, which were designed to tackle more complex tasks.
Altman emphasized the desire to make AI "just work" for users, acknowledging the complexity of the current model selection process. He expressed dissatisfaction with the 'model picker' feature and aims to return to "magic unified intelligence". The company plans to unify its AI models, eliminating the need for users to manually select which GPT model to use.
This integration strategy also includes the upcoming release of GPT-4.5, which Altman describes as their last non-chain-of-thought model. A key goal is to create AI systems capable of using all available tools and adapting their reasoning time based on the task at hand. While GPT-5 will be accessible on the free tier of ChatGPT with standard intelligence, paid subscriptions will offer a higher level of intelligence incorporating voice, search, and deep research capabilities.
Recommended read:
References :
- www.verdict.co.uk: The Microsoft-backed AI company plans not to release o3 as an independent AI model.
- sherwood.news: This article discusses OpenAI's 50 rules for AI model responses, emphasizing the loosening of restrictions and potential influence from the anti-DEI movement.
- thezvi.substack.com: This article explores the controversial decision by OpenAI to loosen restrictions on its AI models.
- thezvi.wordpress.com: This article details three recent events involving OpenAI, including the release of its 50 rules and the potential impact of the anti-DEI movement.
- www.artificialintelligence-news.com: This blog post critically examines OpenAI's new AI model response rules.
|
|
FlagThis - #NULL