CyberSecurity news

FlagThis - #SupplyChain

djohnson@CyberScoop //
The US Treasury Department has confirmed a major cyber incident involving Chinese state-sponsored hackers who gained unauthorized access to employee workstations and unclassified documents. The breach occurred after a third-party software provider, BeyondTrust, was compromised, allowing the attackers to obtain a security key used for remote technical support. This key enabled the hackers to bypass security measures and remotely access Treasury systems and exfiltrate sensitive information. The Treasury was notified of the breach on December 8th and has been working with the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and other agencies to investigate the full impact of the incident.

The compromised BeyondTrust service has since been taken offline, and there is currently no evidence to suggest the threat actors still have access to Treasury systems. The Treasury Department has classified the incident as a “major incident” and has reaffirmed its commitment to bolstering cybersecurity defenses, highlighting the importance of addressing third-party vulnerabilities. The breach follows a series of other recent cyberattacks linked to China, further raising concerns about the security posture of the US government.

References:
  • CyberScoop: Treasury workstations hacked by China-linked threat actors
  • Federal News Network: Treasury says Chinese hackers remotely accessed workstations, documents in ‘major’ cyber incident
  • siliconangle.com: Third-party provider hack exposes US Treasury Department unclassified documents
  • Techmeme: Letter: the US Treasury says China-backed hackers gained access to some Treasury workstations and unclassified docs; a vendor notified it of the hack on Dec. 8 (Zack Whittaker/TechCrunch)
  • bsky.app: Chinese state-sponsored hackers broke into the U.S. Treasury Department this month and stole documents from its workstations, according to a letter to lawmakers
  • Chuck Darwin: US treasury’s workstations breached in cyber-attack by China – report A Chinese state-sponsored actor broke into the US treasury department earlier this month and stole documents from its workstations, according to a letter to lawmakers that was provided to Reuters on Monday.
  • www.theguardian.com: US treasury’s workstations breached in cyber-attack by China – report
  • techcrunch.com: US Treasury says China accessed government documents in ‘major’ cyberattack
  • cyberscoop.com: Treasury workstations hacked by China-linked threat actors
  • techcrunch.com: Letter: the US Treasury says China-backed hackers gained access to some Treasury workstations and unclassified docs; a vendor notified it of the hack on Dec. 8 (Zack Whittaker/TechCrunch)
  • International homepage: ‘In a letter to 🇺🇸 Senate banking committee seen by the Financial Times, the department said it had been informed on December 8 by software company BeyondTrust that a hacker had breached several remote government workstations by obtaining a security key and had in turn gained access to unclassified documents on them.’
  • www.benzinga.com: China-Linked Hackers Breach US Department Of Treasury
  • malware.news: Chinese-sponsored hackers accessed Treasury documents in ‘major incident’
  • www.cnn.com: CNN: China-backed hackers breached US Treasury workstations.
  • Michael West: Treasury says Chinese hackers accessed workstations
  • SiliconANGLE: Third-party provider hack exposes US Treasury Department unclassified documents
  • www.pymnts.com: Treasury Department Workstations Breached by Hackers via Third-Party Vendor
  • www.engadget.com: The US Treasury Department says it was hacked in a China-linked cyberattack
  • federalnewsnetwork.com: Treasury says Chinese hackers remotely accessed workstations, documents in ‘major’ cyber incident
  • WIRED: US Treasury Department confirms hack by China-backed group.
  • bsky.app: The U.S. Treasury announced a major cyberattack linked to a compromised API key from its contractor, BeyondTrust.
  • securityonline.info: Treasury Department Hit by Major Cybersecurity Incident, China Suspected
  • PYMNTS.com: Treasury Department Workstations Breached by Hackers via Third-Party Vendor
  • san.com: Chinese-sponsored hackers behind ‘major’ breach: Treasury Department
  • securityaffairs.com: China-linked threat actors breached the U.S. Treasury Department by hacking a remote support platform used by the agency.
  • Hong Kong Free Press HKFP: US Treasury says was targeted by China state-sponsored cyberattack.
  • The Hacker News: The United States Treasury Department said it suffered a 'major cybersecurity incident' that allowed suspected Chinese threat actors to remotely access some computers and unclassified documents.
  • Fortune | FORTUNE: Treasury Department says a China state-sponsored cyberattack gained access to workstations and documents
  • securityonline.info: Treasury Department Hit by Major Cybersecurity Incident, China Suspected
  • gbhackers.com: US Treasury Department Breach, Hackers Accessed Workstations.
  • SAN: Investigators accuse China of hacking U.S. Treasury Department computers.
  • blog.gitguardian.com: What Happened in the U.S. Department of the Treasury Breach? A Detailed Summary.
  • DataBreaches.Net: Chinese hackers breached Treasury Department workstations, documents in ‘major cybersecurity incident’.
  • go.theregister.com: US Treasury Department outs the blast radius of BeyondTrust's key leak
  • www.wired.com: US Treasury Department Admits It Got Hacked by China. Treasury says hackers accessed “certain documents” in a “major” breach, but experts believe the attack’s impacts could prove to be more significant as new details emerge.
  • www.bleepingcomputer.com: US Treasury Department breached through remote support platform
  • Hacker News: US Treasury Department breached through remote support platform
  • OODAloop: What to know about string of US hacks blamed on China
  • Techmeme: Sources: Chinese government hackers breached the US Treasury Department's OFAC, which administers economic sanctions, and two other Treasury offices (Washington Post)
  • Dataconomy: According to the Washington Post Chinese government hackers compromised the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) in December, targeting intelligence related to economic sanctions, officials reported.
  • Carly Page: China-backed hackers reportedly compromised the US Treasury’s highly sensitive sanctions office during December cyberattack
  • techcrunch.com: Chinese government hackers targeted the U.S. Treasury’s highly sensitive sanctions office during a December cyberattack, according to reports.
  • techcrunch.com: Chinese government hackers targeted US Treasury’s sanctions office during December cyberattack
  • Cybernews: On Thursday, it was revealed that PRC-backed hackers behind last month’s US Treasury hack accessed some senior officials' laptops.
  • Bloomberg Technology: Sources: China-backed hackers accessed the computers of senior US Treasury officials; the department's email system and classified data were not breached (Bloomberg)
  • www.techmeme.com: Sources: China-backed hackers accessed the computers of senior US Treasury officials; the department's email system and classified data were not breached (Bloomberg)
  • Techmeme: Sources: China-backed hackers accessed the computers of senior US Treasury officials; the department's email system and classified data were not breached (Bloomberg)
  • The Hacker News: CISA: No Wider Federal Impact from Treasury Cyber Attack, Investigation Ongoing
  • www.helpnetsecurity.com: CISA says Treasury was the only US agency breached via BeyondTrust
  • www.the420.in: Chinese APT Exploits BeyondTrust Vulnerability to Breach U.S. Treasury Systems
  • Pyrzout :vm:: CISA says Treasury was the only US agency breached via BeyondTrust
  • Help Net Security: CISA says Treasury was the only US agency breached via BeyondTrust
  • industrialcyber.co: US Treasury sanctions Beijing’s Integrity Tech for Flax Typhoon cyber intrusions on critical infrastructure
  • ciso2ciso.com: CISA: Third-Party Data Breach Limited to Treasury Dept. – Source: www.darkreading.com
  • Latest from TechRadar: Chinese cybersecurity firm hit by US sanctions over ties to Flax Typhoon hacking group

Pierluigi Paganini@Security Affairs //
The Chinese espionage group Silk Typhoon is expanding its cyberattacks to target the global IT supply chain. Microsoft has warned that this group, backed by the Chinese state, has shifted its tactics to focus on remote management tools and cloud services. These supply chain attacks provide access to downstream customers, enabling the group to move laterally within networks and compromise various organizations.

US government agencies have announced criminal charges against alleged members of the Silk Typhoon gang, along with the seizure of internet domains linked to their long-term espionage campaign. The group is accused of compromising US government agencies and other major organizations. The Justice Department has stated that the Chinese government, including its Ministries of State and Public Security, has encouraged and supported private contractors and technology companies to hack and steal information, providing a form of plausible deniability.

References:
  • bsky.app: Microsoft warns that Chinese cyber-espionage threat group 'Silk Typhoon' has shifted its tactics, now targeting remote management tools and cloud services in supply chain attacks that give them access to downstream customers.
  • The Register - Security: They're good at zero-day exploits, too Silk Typhoon, the Chinese government crew believed to be behind the December US Treasury intrusions, has been abusing stolen API keys and cloud credentials in ongoing attacks targeting IT companies and state and local government agencies since late 2024, according to Microsoft Threat Intelligence.
  • BleepingComputer: Microsoft warns that Chinese cyber-espionage threat group 'Silk Typhoon' has shifted its tactics, now targeting remote management tools and cloud services in supply chain attacks that give them access to downstream customers.
  • bsky.app: Microsoft warns that Chinese cyber-espionage threat group 'Silk Typhoon' has shifted its tactics, now targeting remote management tools and cloud services in supply chain attacks that give them access to downstream customers.
  • securityaffairs.com: Microsoft warns that China-backed APT Silk Typhoon linked to US Treasury hack, is now targeting global IT supply chains, using IT firms to spy and move laterally.
  • cyberinsider.com: Microsoft Threat Intelligence has identified a shift in tactics by Silk Typhoon, a Chinese state-sponsored cyber-espionage group, which is now targeting IT supply chain providers, including remote management tools and cloud applications.
  • Information Security Buzz: China-linked APT Silk Typhoon targets IT Supply Chain
  • The Hacker News: China-Linked Silk Typhoon Expands Cyber Attacks to IT Supply Chains for Initial Access
  • thecyberexpress.com: The Chinese espionage group known as Silk Typhoon has expanded the cyberattacks to target the global IT supply chain. Microsoft Threat Intelligence has identified a shift in the group’s tactics, highlighting a new focus on commonly used IT solutions such as remote management tools and cloud applications.
  • gbhackers.com: Microsoft Warns Silk Typhoon Hackers Exploit Cloud Services to Attack IT Supply Chain
  • Cyber Security News: Microsoft Warns Silk Typhoon Hackers Exploit Cloud Services to Attack IT Supply Chain
  • The Register - Security: Feds name and charge alleged Silk Typhoon spies behind years of China-on-US attacks
  • Virus Bulletin: Microsoft Threat Intelligence has identified a shift in tactics used by Silk Typhoon. The espionage group is now targeting common IT solutions like remote management tools and cloud applications to gain initial access.
  • Microsoft Security Blog: Silk Typhoon targeting IT supply chain
  • www.scworld.com: Google's Threat Intelligence Group report on Silk Typhoon's new tactic highlights the group's shift towards IT supply chain attacks.
  • Threats | CyberScoop: Silk Typhoon shifted to specifically targeting IT management companies
  • Vulnerable U: Microsoft Details Silk Typhoon’s IT Supply Chain Attacks
  • bsky.app: Microsoft warns that Chinese cyber-espionage threat group "Silk Typhoon" has shifted its tactics, now targeting remote management tools and cloud services in supply chain attacks that give them access to downstream customers.
  • Microsoft warns that Chinese espionage group Silk Typhoon is increasingly exploiting common IT solutions to infiltrate networks and exfiltrate data.
  • securityonline.info: Zero-Day Attacks & Stolen Keys: Silk Typhoon Breaches Networks

Pierluigi Paganini@securityaffairs.com //
Hackers are exploiting Google Tag Manager (GTM) to deploy credit card skimmers on Magento-based e-commerce websites. According to reports from The Hacker News, Sucuri, and CISO2CISO, malicious actors are leveraging GTM to deliver malware that targets sensitive payment data. The attack involves injecting code that appears to be a standard GTM or Google Analytics script but contains an obfuscated backdoor. This allows the attackers to gain persistent access to the websites.

Sucuri's investigation into a customer's Magento site revealed that credit card details were being stolen via a skimmer loaded from the cms_block.content database table. The GTM tag contained encoded JavaScript designed to collect and transmit sensitive user data entered during the checkout process to a remote server controlled by the attackers. This highlights the importance of securing third-party integrations and regularly monitoring website files for any suspicious code.

References:
  • Sucuri Blog: Sucuri warns of credit card data theft from website.
  • ciso2ciso.com: Hackers Exploit Google Tag Manager
  • The Hacker News: The Hacker News reports on hackers exploiting Google Tag Manager to deploy credit card skimmers.
  • Sucuri: Sucuri warns of credit card data theft from a customer's Magento-based eCommerce website. The credit card skimmer malware is delivered by leveraging Google Tag Manager (GTM). GTM is a free tool from Google that allows website owners to manage and deploy marketing tags on their website without needing to modify the site’s code directly.
  • ciso2ciso.com: Hackers Exploit Google Tag Manager to Deploy Credit Card Skimmers on Magento Stores – Source:thehackernews.com
  • securityaffairs.com: Sucuri researchers observed threat actors leveraging Google Tag Manager (GTM) to install e-skimmer software on Magento-based e-stores.
  • Security Intelligence: Threat actors have been observed leveraging Google Tag Manager (GTM) to deliver credit card skimmer malware targeting Magento-based e-commerce websites.
  • www.scworld.com: Magento stores compromised with Google Tag Manager skimmer
  • gbhackers.com: Information on hackers exploiting Google Tag Manager to steal credit card data from e-commerce sites.
  • securityonline.info: SecurityOnline article on hackers exploiting Google Tag Manager.
  • gbhackers.com: Hackers Exploiting Google Tag Managers to Steal Credit Card from eCommerce Sites
  • securityonline.info: Hackers Exploit Google Tag Manager to Steal Credit Card Data from Magento Sites
  • Sucuri Blog: Recently, we had a client come to us concerned that their website was infected with credit card stealing malware, often referred to as MageCart. Their website was running on Magento, a popular eCommerce content management system that skilled attackers often target to steal as many credit card numbers as possible.
  • Search Engine Journal: Hackers Use Google Tag Manager to Steal Credit Card Numbers
  • www.searchenginejournal.com: Hackers Use Google Tag Manager to Steal Credit Card Numbers

@Talkback Resources //
Millions of WordPress websites face potential script injection attacks due to a critical vulnerability found in the Essential Addons for Elementor plugin, which is installed on over 2 million sites. The flaw, identified as CVE-2025-24752 with a high severity score of 7.1, allows attackers to execute reflected cross-site scripting (XSS) attacks. This is achieved by exploiting insufficient input sanitization within the plugin's password reset functionality, specifically through malicious URL parameters.

A fake WordPress plugin has also been discovered injecting casino spam, impacting website SEO. In a separate incident, cybersecurity researchers have flagged a malicious Python library on the PyPI repository, named 'automslc', which facilitates over 100,000 unauthorized music downloads from Deezer. The package bypasses Deezer's API restrictions by embedding hardcoded credentials and communicating with an external command-and-control server, effectively turning user systems into a botnet for music piracy.

References:
  • bsky.app: Socket Security has discovered a malicious PyPI package that created a botnet to pirate songs from music streaming service Deezer The package was named automslc and had been downloaded over 100,000 since its release in 2019
  • BleepingComputer: A malicious PyPi package named 'automslc' has been downloaded over 100,000 times from the Python Package Index since 2019, abusing hard-coded credentials to pirate music from the Deezer streaming service.
  • Talkback Resources: Malicious PyPI Package "automslc" Enables 104K+ Unauthorized Deezer Music Downloads [app] [mal]
  • socket.dev: Malicious PyPI Package Exploits Deezer API for Coordinated Music Piracy
  • bsky.app: A malicious PyPi package named 'automslc' has been downloaded over 100,000 times from the Python Package Index since 2019, abusing hard-coded credentials to pirate music from the Deezer streaming service.
  • The Hacker News: Malicious PyPI Package "automslc" Enables 104K+ Unauthorized Deezer Music Downloads
  • Sucuri Blog: Injecting malware via a fake WordPress plugin has been a common tactic of attackers for some time. This clever method is often used to bypass detection as attackers exploit the fact that plugins are not part of the core files of a WordPress site, making integrity checks more difficult.
  • gbhackers.com: A critical security vulnerability in the Essential Addons for Elementor plugin, installed on over 2 million WordPress websites, has exposed sites to script injection attacks via malicious URL parameters. The flaw, tracked as CVE-2025-24752 and scoring 7.1 (High) on the CVSS scale, allowed attackers to execute reflected cross-site scripting (XSS) attacks by exploiting insufficient input sanitization in the plugin’s password reset
  • bsky.app: Microsoft has removed two popular VSCode extensions, 'Material Theme - Free' and  'Material Theme Icons - Free,' from the Visual Studio Marketplace for allegedly containing malicious code.
  • gbhackers.com: VS Code Extension with 9 Million Installs Attacks Developers with Malicious Code
  • aboutdfir.com: VSCode extensions with 9 million installs pulled over security risks
  • bsky.app: Microsoft has removed two VSCode theme extensions from the VSCode Marketplace for containing malicious code.
  • Techzine Global: Visual Studio Code extensions with 9 million downloads removed for security risks

Ridhika Singh@cysecurity.news //
A sophisticated cyber espionage campaign, dubbed UNK_CraftyCamel, is actively targeting aviation and satellite organizations in the United Arab Emirates (UAE). Cybersecurity researchers at Proofpoint discovered this attack in October 2024. The attackers are employing advanced techniques, including the use of polyglot files, a custom Go-based backdoor known as Sosano, and compromised business accounts, to evade detection. This highly targeted campaign leverages compromised business relationships and tailored lures to deliver a multi-stage infection chain.

The attack begins with phishing emails sent from the compromised account of an Indian electronics company, INDIC Electronics. These emails contain links to malicious ZIP files hosted on domains designed to mimic legitimate companies. The ZIP archives contain cleverly disguised malware components using polyglot files, a relatively rare technique in espionage operations. These files are structured so they can be interpreted as multiple file formats, allowing attackers to hide malicious content within seemingly legitimate files, making detection more difficult. The use of polyglot files demonstrates an advanced adversary with a focus on stealth and obfuscation.

Once executed, the polyglot malware installs Sosano, a custom Go-based backdoor designed for stealth and resilience. Sosano establishes a connection with a command-and-control server and waits for commands, which include listing directories, executing shell commands, and downloading additional payloads. While some tactics overlap with known Iranian-aligned threat actors, researchers have not definitively linked this activity to any previously identified group. The attackers’ focus on aviation and satellite communications in the UAE suggests a strategic intelligence-gathering motive.

References:
  • Cyber Security News: Hackers Exploit Business Relationships to Attack Arab Emirates Aviation Sector
  • gbhackers.com: Hackers Exploiting Business Relationships to Attack Arab Emirates Aviation Sector
  • The Record: Proofpoint researchers say they spotted new backdoor malware that suspected Iranian regime-backed hackers have aimed at sectors such as aviation, satellite communications and critical transportation infrastructure in the United Arab Emirates.
  • Information Security Buzz: Highly Targeted Cyber Espionage Campaign Targeting UAE Aviation Sector
  • thehackernews.com: Suspected Iranian Hackers Used Compromised Indian Firm's Email to Target U.A.E. Aviation Sector
  • Virus Bulletin: Proofpoint researchers identified a highly targeted email-based campaign targeting UAE organizations. The malicious messages were sent from a compromised entity in a trusted business relationship with the targets, and used lures customized to every target.
  • www.cysecurity.news: A highly targeted cyber espionage campaign, dubbed UNK_CraftyCamel, is targeting aviation and satellite organizations in the UAE. Attackers use polyglot files, a custom Go-based backdoor (Sosano), and compromised business accounts to evade detection.
  • Vulnerable U: Highly Targeted Polyglot Malware Campaign Hits UAE Aviation and Satellite Firms
  • Industrial Cyber: Proofpoint details likely Iranian-backed Sosano malware targeting UAE’s critical sectors
  • New Cyber-Espionage Campaign Targets UAE Aviation and Transport
  • www.scworld.com: New Sosano malware attacks target UAE
  • securityonline.info: UNK_CraftyCamel: New Threat Group Using Polyglot Malware in UAE
  • securityaffairs.com: A new cyber espionage campaign is targeting UAE aviation and satellite companies. Researchers have identified a custom Go-based backdoor, Sosano, being used in this operation.

Jessica Lyons@theregister.com //
Researchers at watchTowr Labs have uncovered a significant security flaw involving abandoned Amazon Web Services (AWS) S3 buckets, potentially allowing attackers to compromise the software supply chain. The analysis revealed that nearly 150 S3 buckets previously used by various organizations, including cybersecurity firms, governments, Fortune 500 companies, and open source projects, could be re-registered. This re-registration could enable attackers to inject malicious code or executables into deployment processes and software update mechanisms.

Over a two-month period, these abandoned buckets received over eight million HTTPS requests for various files, including software updates and other binary artifacts. The requests originated from a wide range of sources, including government networks in multiple countries, military networks, Fortune 100 and 500 companies, and even cybersecurity companies. This vulnerability could allow threat actors to deliver malware or backdoors to these organizations, leading to widespread security breaches. AWS has since blocked the specific buckets identified by watchTowr to prevent their re-creation and potential misuse.
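The first defensive step against this class of takeover is knowing which buckets your own scripts, installers and CI configs still pull from. The Go program below is an added example, not watchTowr's tooling: it parses a text for S3 bucket names in the three address forms that appear in practice (virtual-hosted `bucket.s3[.region].amazonaws.com`, path-style `s3[.region].amazonaws.com/bucket`, and `s3://bucket`), reports the line and form of each reference, and deduplicates the bucket names so a team can confirm each one is still owned by them or by the vendor before anything downloads from it. The installer script it scans is constructed sample input; the program does not contact AWS.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Reference is one S3 bucket name found in the scanned text, with the line
// it appeared on and the address form that carried it.
type Reference struct {
	Bucket string
	Line   int
	Form   string
}

// Bucket names are 3-63 characters of lowercase letters, digits, dots and
// hyphens. The host patterns accept the current "s3.<region>" endpoints, the
// legacy "s3-<region>" form and website endpoints such as "s3-website-<region>".
var bucketPatterns = []struct {
	form string
	re   *regexp.Regexp
}{
	{"virtual-hosted", regexp.MustCompile(`(?i)https?://([a-z0-9][a-z0-9.-]{1,61}[a-z0-9])\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com\b`)},
	{"path-style", regexp.MustCompile(`(?i)https?://s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com/([a-z0-9][a-z0-9.-]{1,61}[a-z0-9])`)},
	{"s3-uri", regexp.MustCompile(`(?i)\bs3://([a-z0-9][a-z0-9.-]{1,61}[a-z0-9])`)},
}

// SampleInstallScript is a constructed installer that fetches artifacts from
// several S3 endpoints; the bucket names are placeholders, not real buckets.
const SampleInstallScript = `#!/bin/sh
# constructed sample: an installer that fetches artifacts from several S3 endpoints
curl -fsSL https://example-updates.s3.amazonaws.com/agent/latest.tar.gz -o agent.tar.gz
curl -fsSL https://s3.us-east-1.amazonaws.com/example-ci-artifacts/build/tool.bin -o tool.bin
aws s3 cp s3://example-config/prod/settings.json ./settings.json
aws s3 cp s3://example-updates/agent/checksums.txt ./checksums.txt
wget https://legacy-assets.s3-us-west-2.amazonaws.com/v1/lib.so
curl https://cdn.example.com/not-a-bucket/file.txt
`

// FindBucketReferences scans text line by line and returns every bucket
// reference in document order (line first, then address form).
func FindBucketReferences(text string) []Reference {
	var refs []Reference
	for i, line := range strings.Split(text, "\n") {
		for _, p := range bucketPatterns {
			for _, m := range p.re.FindAllStringSubmatch(line, -1) {
				refs = append(refs, Reference{
					Bucket: strings.ToLower(m[1]),
					Line:   i + 1,
					Form:   p.form,
				})
			}
		}
	}
	return refs
}

// UniqueBuckets collapses the references to a sorted list of distinct bucket
// names: the inventory whose ownership needs confirming.
func UniqueBuckets(refs []Reference) []string {
	seen := map[string]bool{}
	var out []string
	for _, r := range refs {
		if !seen[r.Bucket] {
			seen[r.Bucket] = true
			out = append(out, r.Bucket)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	refs := FindBucketReferences(SampleInstallScript)
	for _, r := range refs {
		fmt.Printf("line %d: %-15s %s\n", r.Line, r.Form, r.Bucket)
	}
	fmt.Println("buckets to confirm ownership of:", UniqueBuckets(refs))
}
```

Run it over a checkout of your build and deployment repositories (`cat` the files into it, or read them in place of the constructed script); any bucket on the resulting list that nobody on the team can account for is a candidate for exactly the re-registration watchTowr describes.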

References:
  • The Register - Security: Abandoned AWS S3 buckets can be reused in supply-chain attacks that would make SolarWinds look 'insignificant'
  • watchTowr: Abandoned AWS S3 buckets could be reused to conduct supply chain attacks.
  • go.theregister.com: Abandoned AWS S3 buckets can be reused in supply-chain attacks that would make SolarWinds look 'insignificant' When cloud customers don't clean up after themselves, part 97 Abandoned AWS S3 buckets could be reused to hijack the global software supply chain in an attack that would make Russia's "SolarWinds adventures look amateurish and insignificant," watchTowr Labs security researchers have claim…
  • www.theregister.com: watchTowr : Abandoned AWS S3 buckets could be reused to conduct supply chain attacks.
  • labs.watchtowr.com: WatchTowr Labs research details 8 million requests against AWS S3 buckets.
  • www.csoonline.com: Code references to nonexistent cloud assets continue to pose significant security risks, and the problem is only growing. Recent research identified approximately 150 AWS S3 storage buckets once used by various software projects to host sensitive scripts, configuration files, software updates, and other binary artifacts that were automatically downloaded and executed on user machines.
  • www.scworld.com: Nearly 150 S3 buckets previously leveraged by cybersecurity firms, governments, Fortune 500 companies, and open source projects could be re-registered with the same AWS account name to facilitate executable and/or code injections in the deployment code/software update mechanism, according to an analysis from watchTowr Labs researchers.
  • www.securityweek.com: Abandoned Amazon S3 Buckets Enabled Attacks Against Governments, Big Firms
  • BleepingComputer: How attackers abuse S3 Bucket Namesquatting — And How to Stop Them
  • SecurityWeek: Abandoned Amazon S3 Buckets Enabled Attacks Against Governments, Big Firms
  • therecord.media: Researchers warn of risks tied to abandoned cloud storage buckets
  • Jon Greig: Researchers at Watchtowr warned of malicious actors taking over abandoned AWS S3 buckets used by governments, militaries, Fortune 500 companies and even some cybersecurity firms
  • darkreading: Researchers from watchTowr discovered around 150 Amazon Web Services S3 buckets that were formerly used by organizations for software deployment and updates but were then abandoned.

Jeff Burt@DevOps.com //
A malicious package imitating the popular BoltDB module has been discovered in the Go ecosystem. This package contains a backdoor that enables remote code execution, posing a significant security risk to developers using the compromised module. The malicious package, a typosquat of BoltDB, was discovered by researchers at Socket, an application security company.

This attack exploits the Go Module Mirror's caching mechanism, allowing the malware to persist undetected despite manual code reviews. After the malware was cached by the Go Module Mirror, the git tag was strategically altered on GitHub to remove traces of malicious code and hide it from manual review. To mitigate software supply-chain threats, Socket advises developers to verify package integrity before installation, analyze dependencies for anomalies, and use security tools that inspect installed code at a deeper level.
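The control that the tag rewrite defeats is a human reading the source on GitHub; what the human never sees is the zip the proxy actually serves. One mechanical check, written here as an added example rather than Socket's or the Go project's own tooling, is to compute the `h1:` hash that go.sum records for the module as served by the proxy, compute it again for a fresh checkout of the tag, and list the files that differ. The two snapshots and the module path `example.test/db@v1.0.1` are constructed; the hash follows the toolchain's `dirhash.Hash1` algorithm, in which every path in a module zip is prefixed with `module@version/`.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
)

// ModuleTree is an in-memory snapshot of a module's files: path relative to
// the module root -> content. In practice one tree is extracted from the zip
// the module proxy serves ("go mod download" output) and the other from a
// fresh checkout of the git tag that version claims to correspond to.
type ModuleTree map[string][]byte

// ModuleHash computes the "h1:" hash that go.sum records for a module version,
// using the toolchain's dirhash.Hash1 algorithm: SHA-256 each file, write one
// "<hex sum>  <path>\n" line per file in sorted path order, then SHA-256 the
// summary and base64-encode it. pathPrefix plays the role of the
// "module@version/" directory that prefixes every entry in a module zip.
func ModuleHash(pathPrefix string, tree ModuleTree) string {
	names := make([]string, 0, len(tree))
	for n := range tree {
		names = append(names, n)
	}
	sort.Strings(names) // a common prefix does not change the sort order

	summary := sha256.New()
	for _, n := range names {
		fileSum := sha256.Sum256(tree[n])
		fmt.Fprintf(summary, "%x  %s\n", fileSum[:], pathPrefix+n)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(summary.Sum(nil))
}

// Diff reports how the proxy-served snapshot differs from the tagged source.
type Diff struct {
	Match              bool
	ProxyHash, TagHash string
	OnlyInProxy        []string // files the mirror serves that the tag lacks
	OnlyInTag          []string // files the tag has that the mirror's copy lacks
	Changed            []string // files present in both with different content
}

// CompareSnapshots hashes both trees and, when they disagree, names the files
// responsible so a reviewer can look at exactly what the proxy is serving.
func CompareSnapshots(pathPrefix string, proxy, tagged ModuleTree) Diff {
	d := Diff{
		ProxyHash: ModuleHash(pathPrefix, proxy),
		TagHash:   ModuleHash(pathPrefix, tagged),
	}
	d.Match = d.ProxyHash == d.TagHash
	for name, content := range proxy {
		other, ok := tagged[name]
		switch {
		case !ok:
			d.OnlyInProxy = append(d.OnlyInProxy, name)
		case !bytes.Equal(content, other):
			d.Changed = append(d.Changed, name)
		}
	}
	for name := range tagged {
		if _, ok := proxy[name]; !ok {
			d.OnlyInTag = append(d.OnlyInTag, name)
		}
	}
	sort.Strings(d.OnlyInProxy)
	sort.Strings(d.OnlyInTag)
	sort.Strings(d.Changed)
	return d
}

// SampleSnapshots returns two constructed trees for the hypothetical module
// example.test/db: the tagged source, and a proxy-cached copy that carries one
// extra file and one altered file that the tag on the forge no longer shows.
func SampleSnapshots() (proxy, tagged ModuleTree) {
	tagged = ModuleTree{
		"go.mod": []byte("module example.test/db\n\ngo 1.22\n"),
		"db.go":  []byte("package db\n\n// Open opens a database file.\nfunc Open(path string) error { return nil }\n"),
	}
	proxy = ModuleTree{
		"go.mod":   tagged["go.mod"],
		"db.go":    []byte("package db\n\n// Open opens a database file.\nfunc Open(path string) error { return nil }\n\n// constructed: a line the tagged source does not contain\n"),
		"extra.go": []byte("package db\n\n// constructed: file present in the cached module but absent from the tag\n"),
	}
	return proxy, tagged
}

func main() {
	proxy, tagged := SampleSnapshots()
	d := CompareSnapshots("example.test/db@v1.0.1/", proxy, tagged)
	fmt.Println("proxy:", d.ProxyHash)
	fmt.Println("tag:  ", d.TagHash)
	fmt.Println("match:", d.Match)
	fmt.Println("only in proxy:", d.OnlyInProxy, "changed:", d.Changed, "only in tag:", d.OnlyInTag)
}
```

The check is deliberately independent of the checksum database: sum.golang.org only guarantees that everyone receives the same bytes the proxy first cached, which in this incident were the malicious ones, so agreement with go.sum says nothing about agreement with the tag.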

References:
  • ciso2ciso.com: Source: thehackernews.com. Cybersecurity researchers have called attention to a software supply chain attack targeting the Go ecosystem that involves a malicious package capable of granting the adversary remote access to infected systems.
  • Lobsters: Go Supply Chain Attack: Malicious Package Exploits Go Module Proxy Caching for Persistence
  • The Hacker News: Malicious Go Package Exploits Module Mirror Caching for Persistent Remote Access
  • bsky.app: Socket Security has discovered a malicious Go module for the BoltDB database that contains a hidden backdoor. The module is cached in the Go Module Mirror, the first attack documented making it into the Go Module Mirror despite manual code reviews. https://socket.dev/blog/malicious-package-exploits-go-module-proxy-caching-for-persistence
  • ciso2ciso.com: Malicious Go Package Exploits Module Mirror Caching for Persistent Remote Access
  • fosstodon.org: Socket: Go Supply Chain Attack: Malicious Package Exploits Go Module Proxy Caching for Persistence
  • DevOps.com: Typosquat Supply Chain Attack Targets Go Developers
  • securityonline.info: Socket researchers have discovered a malicious typosquatting package in the Go ecosystem that exploits the Go Module Proxy’s
  • www.infoworld.com: Malicious package found in the Go ecosystem
  • ciso2ciso.com: Malicious package found in the Go ecosystem – Source: www.infoworld.com
  • ciso2ciso.com: Source: www.infoworld.com. The malicious package, a typosquat of the popular BoltDB module, is said to be among the first known exploits of the Go Module Mirror’s indefinite module caching.
  • heise online English: Typosquatting in the Go ecosystem: Fake BoltDB package discovered A malicious package in the Go ecosystem imitates BoltDB and contains a backdoor. Attackers used the caching service to spread the malware unnoticed.
  • www.heise.de: Typosquatting in the Go ecosystem: Fake BoltDB package discovered

info@thehackernews.com (The Hacker News)@The Hacker News //
The cybercrime group XE Group has shifted its tactics from credit card skimming to exploiting zero-day vulnerabilities, with a recent focus on VeraCore software. This involves deploying reverse shells and web shells to maintain persistent remote access to compromised systems, targeting supply chains in the manufacturing and distribution sectors. The group has been active since at least 2010, marking a significant shift in their operational priorities towards targeted information theft.

The vulnerabilities exploited include CVE-2024-57968, an unrestricted file upload flaw, and CVE-2025-25181, an SQL injection vulnerability. These shortcomings are being chained to deploy ASPXSpy web shells for unauthorized access to infected systems, enabling file system enumeration, data exfiltration, and the execution of SQL queries. The exploitation activity was discovered in November 2024, with evidence suggesting the group leveraged CVE-2025-25181 as early as 2020.

References:
  • securityaffairs.com: XE Group shifts from credit card skimming to exploiting zero-days
  • The Hacker News: XE Hacker Group Exploits VeraCore Zero-Day to Deploy Persistent Web Shells
  • ciso2ciso.com: XE Hacker Group Exploits VeraCore Zero-Day to Deploy Persistent Web Shells – Source:thehackernews.com
  • Blog: Article about the XE group exploiting Veracore zero-day to deploy persistent web shells.
  • www.scworld.com: Report details how XE Group exploited a VeraCore zero-day to deploy reverse shells and web shells.
  • SOC Prime Blog: SOCRadar: Detect XE Group Attacks
  • intezer.com: Intezer's Nicole Fishbein, Joakim Kennedy & Justin Lentz provide an in-depth analysis of XE Group’s recent operations, looking at the exploits used, persistence mechanisms, and attack methodologies.
  • socprime.com: XE Group, likely a Vietnam-linked hacking collective that has been active in the cyber threat arena for over a decade, is believed to be behind the exploitation of a couple of VeraCore zero-day vulnerabilities.
  • Virus Bulletin: Intezer's Nicole Fishbein, Joakim Kennedy & Justin Lentz provide an in-depth analysis of XE Group’s recent operations, looking at the exploits used, persistence mechanisms, and attack methodologies.
  • securityaffairs.com: The cybercrime group XE Group exploited a VeraCore zero-day to deploy reverse shells, web shells in recent attacks.
  • securityaffairs.com: Analysis of the XE Group's recent operations and their use of VeraCore zero-day vulnerabilities to deploy reverse shells and web shells.

info@thehackernews.com (The Hacker News)@The Hacker News //
Ethereum developers are being targeted by a supply chain attack involving malicious npm packages designed to look like legitimate Hardhat plugins. These fake packages, with names closely resembling real ones, are being used to steal sensitive data, including private keys and mnemonics. Researchers have identified at least 20 of these malicious packages, which have collectively been downloaded over 1,000 times. The attack exploits trust in the open-source ecosystem, specifically within the npm registry. Once installed, the malicious packages use Hardhat runtime functions to collect sensitive information and transmit it to attacker-controlled endpoints.

The attackers are using Ethereum smart contracts to store and distribute Command & Control (C2) server addresses, making it more difficult to disrupt their infrastructure. This strategy, combined with using hardcoded keys and Ethereum addresses, enables efficient data exfiltration. The campaign is attributed to a Russian-speaking threat actor known as "_lain." The compromised development environments could lead to backdoors in production systems and significant financial losses for affected developers. Developers are urged to verify package authenticity, inspect source code, and exercise caution when using package names.

Recommended read:
References :
  • ciso2ciso.com: Malicious npm packages target Ethereum developers – Source: securityaffairs.com
  • securityaffairs.com: Malicious npm packages target Ethereum developers
  • The Hacker News: Cybercriminals Target Ethereum Developers with Fake Hardhat npm Packages
  • gbhackers.com: Malicious npm Packages Stealing Developers’ Sensitive Data
  • osint10x.com: Russian-Speaking Attackers Target Ethereum Devs with Fake Hardhat npm Packages
  • Osint10x: Russian-Speaking Attackers Target Ethereum Devs with Fake Hardhat npm Packages

MalBot@malware.news //
Researchers at Eclypsium have uncovered critical security flaws in the Illumina iSeq 100 DNA gene sequencer. The device utilizes an outdated BIOS firmware implementation, employing Compatibility Support Mode (CSM) without Secure Boot or standard firmware write protections. This vulnerability allows an attacker with system access to overwrite the firmware. This could potentially disable the device entirely or install persistent malware.

The identified security gaps underscore the substantial risks associated with reusing commodity hardware and neglecting regular firmware updates. The lack of modern security measures in the iSeq 100 presents a major supply chain vulnerability. This also highlights the need for stringent security protocols and configuration management to protect devices that handle sensitive genomic data, as outlined by NIST guidelines published in 2023.

Recommended read:
References :
  • malware.news: Genetic Engineering Meets Reverse Engineering: DNA Sequencer's Vulnerable BIOS
  • eclypsium.com: Genetic Engineering Meets Reverse Engineering: DNA Sequencer's Vulnerable BIOS
  • : Eclypsium identified BIOS/UEFI vulnerabilities in a popular DNA gene sequencer by healthcare technology vendor Illumina.
  • The Hacker News: Researchers Uncover Major Security Flaw in Illumina iSeq 100 DNA Sequencers
  • BleepingComputer: BIOS/UEFI vulnerabilities in the iSeq 100 DNA sequencer from U.S. biotechnology company Illumina could let attackers disable devices used for detecting illnesses and developing vaccines.
  • gbhackers.com: Critical BIOS/UEFI Vulnerabilities Allow Attackers To Overwrite System Firmware
  • securityonline.info: DNA Sequencer BIOS Vulnerabilities Pose Significant Supply Chain Risks
  • ciso2ciso.com: Insecure Medical Devices — Illumina DNA Sequencer Illuminates Risks

@socket.dev //
References: Help Net Security, Tenable Blog, OpenSSF ...
The Open Source Security Foundation (OpenSSF), a Linux Foundation cross-industry initiative, has launched the Open Source Project Security Baseline (OSPS Baseline), a tiered framework designed to standardize security practices for open source projects. This initiative aims to provide practical and impactful security best practices, enhancing software development and consumption security for projects of all sizes. The OSPS Baseline compiles existing guidance from OpenSSF and other expert groups, offering actionable steps to improve the security posture of open source software.

The OSPS Baseline organizes controls into three maturity levels, catering to projects with varying numbers of maintainers and users. These levels address crucial areas such as access control, documentation, governance, build and release processes, security assessment, and vulnerability management. By adhering to the Baseline, developers can build a foundation that supports compliance with global cybersecurity regulations, including the EU Cyber Resilience Act (CRA) and U.S. National Institute of Standards and Technology (NIST) Secure Software Development Framework (SSDF). OpenSSF invites open source developers, maintainers, and organizations to utilize the OSPS Baseline to refine the framework and promote the adoption of security best practices in the open source community.

Recommended read:
References :
  • Help Net Security: OSPS Baseline: Practical security best practices for open source software projects
  • Tenable Blog: Check out a new framework for better securing open source projects. Plus, learn how AI is making ransomware harder to detect and mitigate.
  • socket.dev: OpenSSF Launches Open Source Project Security Baseline to Strengthen Software Supply Chain
  • OpenSSF: The February 2025 Newsletter is out! Get the latest on: Community Days 2025 – Register for Denver & Amsterdam; OSPS Baseline – New framework to secure open source projects

@securityonline.info //
Hackers are increasingly weaponizing legitimate security testing tools, specifically Out-of-Band Application Security Testing (OAST) techniques, within the npm, PyPI, and RubyGems ecosystems. Malicious packages are being used to exfiltrate sensitive data and establish command and control channels, allowing for multi-stage attacks using what appears to be legitimate infrastructure. These packages often impersonate genuine libraries to steal developer secrets. For example, one campaign targeted Ethereum developers by mimicking Hardhat plugins to obtain private keys and configuration details. In some cases, threat actors are using a mix of methods, from high versioning to typosquatting of package names to deceive developers into downloading the malicious payloads.

These malicious packages are collecting a range of information, including user system information like hostname, username, working directories, and private keys. This data is often encrypted and transmitted to attacker-controlled endpoints using hardcoded keys and Ethereum addresses. Notably, OAST services such as oastify.com and oast.fun are being abused to exfiltrate this stolen information. This method is particularly dangerous as it allows attackers to perform stealthy reconnaissance and data theft while bypassing basic intrusion detection systems. The exploitation of these ecosystems underscores the need for developers to be vigilant and implement stricter auditing practices.
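As an added defender-side example (not code from the original reports), the following Python flags DNS queries to the OAST callback domains named above and marks lookups whose leading label looks like encoded data; the three-field log format and the sample lines are constructed assumptions, not a real product's format.

```python
import math
from collections import Counter

# OAST callback domains named in the report; such services hand out
# per-session subdomains, so match on the domain suffix, not equality.
OAST_SUFFIXES = ("oastify.com", "oast.fun")

# Constructed sample lines in an assumed "timestamp client qname" format.
SAMPLE_DNS_LOG = """\
2025-01-06T10:01:02Z 10.0.0.5 registry.npmjs.org
2025-01-06T10:01:03Z 10.0.0.5 c8k2m1x9q4v7b3n6.oastify.com
2025-01-06T10:01:04Z 10.0.0.7 github.com
2025-01-06T10:01:05Z 10.0.0.5 aGVsbG8td29ybGQ.sub.oast.fun
2025-01-06T10:01:06Z 10.0.0.9 api.oastify.com.evil-lookalike.example
2025-01-06T10:01:07Z 10.0.0.7 ping.oast.fun
"""

def is_oast_query(qname: str) -> bool:
    """True if qname is an OAST domain or any subdomain of one."""
    q = qname.lower().rstrip(".")
    return any(q == s or q.endswith("." + s) for s in OAST_SUFFIXES)

def shannon_entropy(label: str) -> float:
    """Bits per character of the label; encoded blobs score high."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def find_oast_queries(log_text: str) -> list:
    """Return (client, qname, exfil_suspect) for each OAST lookup.

    exfil_suspect is set when the leftmost label is long and high-entropy,
    the shape a hostname takes when stolen data is packed into it.
    """
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines in the assumed format
        _, client, qname = parts
        if not is_oast_query(qname):
            continue
        first = qname.split(".")[0]
        suspicious = len(first) >= 12 and shannon_entropy(first) > 3.0
        hits.append((client, qname, suspicious))
    return hits
```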

Recommended read:
References :
  • Cyber Security News: Hackers Weaponize npm, PyPI, & Ruby for Devastating Exploit Packages
  • gbhackers.com: Hackers Weaponize Security Testing By Weaponizing npm, PyPI, & Ruby Exploit Packages
  • securityonline.info: Malicious Packages Weaponize OAST for Stealthy Data Exfiltration and Reconnaissance
  • cyberpress.org: Hackers Weaponize npm, PyPI, & Ruby for Devastating Exploit Packages

CISO2CISO Editor 2@ciso2ciso.com //
A new, sophisticated cyber campaign is utilizing GitHub's infrastructure to distribute the Lumma Stealer malware, a notorious data-stealing tool. The campaign doesn't only focus on Lumma Stealer; it also distributes other malicious software including SectopRAT, Vidar, and Cobeacon. Attackers are exploiting the platform's release mechanisms to gain initial access to systems and subsequently deploy these harmful payloads. This tactic has allowed the threat actors to leverage a trusted platform, tricking users into downloading files from malicious URLs, thereby increasing the risk of widespread infections.

Trend Micro researchers have analyzed the tactics, techniques and procedures (TTPs) used in this campaign and found significant similarities with those used by the Stargazer Goblin group, indicating a potential connection between the two. The Lumma Stealer malware is known for extracting credentials, cryptocurrency wallets, system details, and other sensitive files. SOC Prime Platform has released detection content aimed at helping security teams proactively identify and thwart related threats. This includes Sigma rules for Lumma Stealer, SectopRAT, Vidar, and Cobeacon detection, highlighting the ongoing efforts to counter this dangerous threat.

Recommended read:
References :
  • ciso2ciso.com: Lumma Stealer, nefarious info-stealing malware, resurfaces in the cyber threat arena. Defenders recently uncovered an advanced adversary campaign distributing Lumma Stealer through GitHub infrastructure along with other malware variants, including SectopRAT, Vidar, and Cobeacon.
  • SOC Prime Blog: Lumma Stealer, nefarious info-stealing malware, resurfaces in the cyber threat arena. Defenders recently uncovered an advanced adversary campaign distributing Lumma Stealer through GitHub infrastructure along with other malware variants, including SectopRAT, Vidar, and Cobeacon.
  • Virus Bulletin: Trend Micro researchers dissect the tactics, techniques and procedures (TTPs) employed by a campaign distributing Lumma Stealer through GitHub.
  • ciso2ciso.com: Lumma Stealer Detection: Sophisticated Campaign Using GitHub Infrastructure to Spread SectopRAT, Vidar, Cobeacon, and Other Types of Malware – Source: socprime.com
  • www.trendmicro.com: Trend Micro reports on a campaign distributing Lumma Stealer through GitHub.
  • gbhackers.com: Cybercriminals Exploit GitHub Infrastructure to Distribute Lumma Stealer

CISO2CISO Editor 2@ciso2ciso.com //
A new China-aligned cyber espionage group named PlushDaemon has been discovered conducting a supply chain attack against a South Korean VPN provider, IPany. The group compromised the VPN provider's software installer, replacing it with a malicious version that deploys the custom SlowStepper malware. This malware is a sophisticated backdoor with a large toolkit composed of around 30 modules, programmed in C++, Python, and Go, designed for espionage activities. The group's usual initial access vector is hijacking legitimate software updates of Chinese applications, so this supply chain attack marks a significant departure from its typical tactics.

ESET Research identified the attack after detecting malicious code in a Windows NSIS installer downloaded from the IPany website in May 2024. The compromised installer included both the legitimate VPN software and the SlowStepper backdoor. ESET researchers notified IPany, and the malicious installer has since been removed. PlushDaemon, active since at least 2019, is believed to be the exclusive user of the SlowStepper malware and has targeted individuals and entities in China, Taiwan, Hong Kong, South Korea, the US, and New Zealand. The group is also known to gain access via vulnerabilities in legitimate web servers.

Recommended read:
References :
  • ciso2ciso.com: PlushDaemon APT Targets South Korean VPN Provider in Supply Chain Attack.
  • BleepingComputer: South Korean VPN provider IPany was breached in a supply chain attack by the "PlushDaemon" China-aligned hacking group
  • : ESET Research : A previously unknown China-aligned APT dubbed PlushDaemon conducts cyberespionage and is responsible for a supply-chain attack against a VPN provider in South Korea.
  • ciso2ciso.com: Details about the Chinese threat group PlushDaemon.
  • www.welivesecurity.com: A previously unknown China-aligned APT dubbed PlushDaemon conducts cyberespionage and is responsible for a supply-chain attack against a VPN provider in South Korea.
  • ciso2ciso.com: Chinese cyberspies target South Korean VPN in supply chain attack aimed at deploying a custom backdoor to collect data for cyber-espionage purposes.
  • www.bleepingcomputer.com: South Korean VPN provider IPany was breached in a supply chain attack by the "PlushDaemon" China-aligned hacking group, who compromised the company's VPN installer to deploy the custom 'SlowStepper' malware.
  • discuss.privacyguides.net: The attackers replaced the legitimate installer with one that also deployed the group’s signature backdoor.
  • therecord.media: Chinese hackers target Korean VPN provider by placing backdoored installer on website
  • ciso2ciso.com: ESET researchers discovered a previously undocumented China-aligned advanced persistent threat (APT) group named PlushDaemon, which has been linked to a supply chain attack targeting a South Korean virtual private network (VPN) provider in 2023.
  • go.theregister.com: Supply chain attack hits Chrome extensions, could expose millions