Eduard Kovacs@SecurityWeek - 23d
Spanish authorities have arrested a hacker in Alicante for allegedly conducting over 40 cyberattacks targeting critical public and private organizations, including NATO, the US Army, and various Spanish entities such as the Guardia Civil and the Ministry of Defense. The investigation began in early 2024 after a data leak was reported from a Madrid business association, revealing that the hacker was boasting about stolen information on an underground criminal forum, even defacing the victim's website.
The suspect, known online as "Natohub" among other pseudonyms, is accused of illegally accessing computer systems, disclosing secrets, damaging computers, and money laundering. Police seized multiple computers, electronic devices, and over 50 cryptocurrency accounts containing various digital assets. Although the suspect's name hasn't been released by police, local news reports identify him as an 18-year-old man.
Guru Baran@Cyber Security News - 28d
The New York Blood Center Enterprises (NYBC), a major provider of blood and blood products, has been targeted by a ransomware attack, severely impacting its IT systems. The incident, which was detected on Sunday, January 26th, forced NYBC to take systems offline as a precautionary measure to contain the threat. Cybersecurity experts were immediately engaged and an investigation was launched in conjunction with law enforcement. While the organization is working to restore services, it has noted that operations will be affected and that it is deploying workaround solutions to minimize the disruption. The attack has raised concerns about potential impacts on critical blood donation and distribution services across the region.
NYBC has emphasized that it remains focused on the health of the communities it serves and is taking all possible steps to restore its IT infrastructure. The organization is working with hospital partners to maintain services, while also expressing gratitude for support from the healthcare community during this time. It is not yet known whether sensitive patient or donor data was compromised, and no information about ransom demands has been provided. The attack underscores the increasing vulnerability of healthcare entities to cyberattacks and the potential risks associated with these kinds of malicious activities.
Dissent@DataBreaches.Net - 7d
Major Australian IVF provider Genea has confirmed a cybersecurity incident where an unauthorized third party accessed its data. The company detected suspicious activity on its network and promptly shut down some systems and servers to investigate the extent of the breach. Genea is working to determine what specific data was compromised and is taking steps to secure its systems. The incident disrupted patient services, including phone lines, the Genea app, and email communications, causing frustration for patients who rely on the clinic's data processing systems for critical blood test data related to their IVF treatment cycles.
This cyber incident has raised concerns about the security of patient data at healthcare providers. Genea has stated that it is "urgently investigating" the incident and will contact any individuals whose personal data has been compromised. The clinic is also working to restore systems and minimize disruptions to services, assuring patients that their privacy and data security are taken very seriously. Genea has multiple clinics across Australia and is working to ensure minimal disruption to patient services.
@www.csoonline.com - 11d
Ransomware gangs are accelerating their operations, significantly reducing the time between initial system compromise and encryption deployment. Recent cybersecurity analyses reveal the average time-to-ransom (TTR) now stands at a mere 17 hours. This marks a dramatic shift from previous tactics where attackers would remain hidden within networks for extended periods to maximize reconnaissance and control. Some groups, like Akira, Play, and Dharma/Crysis, have even achieved TTRs as low as 4-6 hours, demonstrating remarkable efficiency and adaptability.
This rapid pace presents considerable challenges for organizations attempting to defend against these attacks. The shrinking window for detection and response necessitates proactive threat detection and rapid incident response capabilities. The trend also highlights the increasing sophistication of ransomware groups, which are employing advanced tools and techniques to quickly achieve their objectives, often exploiting vulnerabilities in remote monitoring and management tools or using initial access brokers to infiltrate networks, escalate privileges, and deploy ransomware payloads.
@www.helpnetsecurity.com - 29d
Zyxel CPE devices are under active attack due to a critical, unpatched zero-day vulnerability identified as CVE-2024-40891. This command injection flaw allows unauthenticated attackers to execute arbitrary commands via the telnet protocol, potentially leading to complete system compromise, data exfiltration, and network infiltration. The vulnerability, first acknowledged by VulnCheck in July 2024, is similar to another HTTP-based flaw, CVE-2024-40890, but uses telnet, and continues to be exploited because of the lack of a patch from Zyxel. Cyber security researchers have observed active exploitation attempts originating from numerous IP addresses, particularly in Taiwan, impacting over 1,500 devices globally, according to Censys.
The active exploitation of CVE-2024-40891 has prompted security researchers to issue warnings and provide guidance to affected users. GreyNoise, in collaboration with VulnCheck, has been monitoring the attacks and observed a significant overlap between IPs exploiting this vulnerability and those associated with the Mirai botnet. The lack of an official fix means that users are urged to take immediate steps such as filtering traffic for unusual telnet requests, restricting administrative interface access to trusted IPs, and monitoring Zyxel's official communication channels for patch announcements. These actions are crucial to mitigate the risk of exploitation until Zyxel releases an official patch.
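The two interim mitigations above (restrict the administrative interface to trusted addresses, watch for unusual telnet requests) can be checked against exported flow records. The following is an added example written for this digest; it is not code from the article, VulnCheck, GreyNoise or Zyxel. The flow-log line format, the management port list and the trusted range `192.0.2.0/24` are assumptions, and the sample records are constructed from RFC 5737 documentation addresses. Only the two CVE identifiers come from the article.

```python
"""Flag management-plane connections to a CPE from outside the trusted ranges.

Added example, not code from the article, VulnCheck, GreyNoise or Zyxel. It
applies the mitigation the article recommends (restrict the admin interface
to trusted IPs, watch for unusual telnet requests) to a few constructed
flow-log lines. The log format, port list and trusted ranges are assumptions.
"""
import ipaddress
import re

# Assumed management services on the CPE: telnet is the CVE-2024-40891 vector,
# HTTP/HTTPS the CVE-2024-40890 vector (both identifiers come from the article).
MANAGEMENT_PORTS = {23: "telnet", 80: "http", 443: "https"}

# Assumed trusted management network (RFC 5737 documentation range).
TRUSTED_SOURCES = [ipaddress.ip_network("192.0.2.0/24")]

# Assumed flow-log line layout; adapt the pattern to the real exporter.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_line(line):
    """Parse one flow-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m.group("ts"),
        "src": ipaddress.ip_address(m.group("src")),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
        "proto": m.group("proto").lower(),
    }


def is_trusted(src):
    """True when the source address lies inside one of the trusted ranges."""
    return any(src in net for net in TRUSTED_SOURCES)


def flag_untrusted_admin_access(lines):
    """Return (timestamp, source, service) for every TCP hit on a management
    port that did not come from a trusted range. Malformed lines are skipped."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp":
            continue
        service = MANAGEMENT_PORTS.get(rec["dport"])
        if service is None or is_trusted(rec["src"]):
            continue
        findings.append((rec["ts"], str(rec["src"]), service))
    return findings


def count_by_source(findings):
    """Aggregate findings per source address; repeated hits from many
    addresses are the pattern the article describes."""
    counts = {}
    for _, src, _ in findings:
        counts[src] = counts.get(src, 0) + 1
    return counts


# Constructed sample records; addresses are from RFC 5737 documentation ranges.
SAMPLE_FLOWS = [
    "2025-01-28T09:00:01Z src=192.0.2.10 dst=198.51.100.1 dport=23 proto=tcp",   # trusted admin host
    "2025-01-28T09:00:05Z src=203.0.113.7 dst=198.51.100.1 dport=23 proto=tcp",  # untrusted telnet
    "2025-01-28T09:00:09Z src=203.0.113.7 dst=198.51.100.1 dport=443 proto=tcp", # untrusted web admin
    "2025-01-28T09:00:12Z src=203.0.113.9 dst=198.51.100.1 dport=53 proto=tcp",  # not a management port
    "2025-01-28T09:00:15Z src=203.0.113.9 dst=198.51.100.1 dport=23 proto=udp",  # not TCP
    "this line is not a flow record",
]

if __name__ == "__main__":
    hits = flag_untrusted_admin_access(SAMPLE_FLOWS)
    for ts, src, service in hits:
        print(f"{ts} untrusted {service} access from {src}")
    print(count_by_source(hits))
```

The same allowlist is what a firewall rule in front of the device should enforce; the script only tells you whether the rule is missing or being bypassed, which is the signal to act on while no patch exists.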
MSSP Alert Staff@MSSP feed for Latest - 15d
The Sarcoma ransomware group has claimed responsibility for a cyberattack against Unimicron, a major Taiwanese printed circuit board (PCB) manufacturer. The attackers are threatening to release 377 GB of allegedly stolen data, including SQL files and documents, if the company refuses to pay a ransom. Sarcoma listed Unimicron on its leak site, publishing samples of the exfiltrated files.
Despite confirming that its China-based subsidiary, Unimicron Technology (Shenzhen) Corp., experienced a ransomware intrusion, Unimicron has not yet confirmed the data breach. The company noted that it is still investigating the incident, which disrupted operations on January 30th. Sarcoma has emerged as a leading threat, having claimed attacks against dozens of organizations since October.
Veronika Telychko@SOC Prime Blog - 2d
Criminal group UAC-0173 is actively targeting Ukrainian notaries in a series of cyberattacks. These attacks, which have been ongoing since mid-January 2025, involve the use of DARKCRYSTALRAT malware. The cybercriminals are exploiting RDP tools to breach Ukraine's notarial offices, aiming to manipulate state registers. CERT-UA has issued an alert, CERT-UA#13738, regarding these activities.
SOC Prime has released Sigma rules to detect UAC-0173 attacks leveraging DARKCRYSTALRAT malware, providing cybersecurity professionals with tools to identify and mitigate these threats. These attacks by UAC-0173 highlight the ongoing cyber warfare impacting critical infrastructure and organizations within Ukraine; CERT-UA reports that the hackers exploit RDP tools to breach Ukraine's notarial offices.
@techcrunch.com - 19d
Lee Enterprises, a major media group and one of the largest newspaper publishers in the U.S., has confirmed it experienced a cyberattack that disrupted its systems. The attack, which began on February 3, 2025, caused a technology outage impacting various business applications and resulting in operational disruptions across numerous news outlets. CEO Kevin Mowbray stated the company is working to fully restore its systems, while a spokesperson confirmed they are determining what information, if any, may have been affected by the situation.
The cyberattack impacted Lee Enterprises' publishing technology and website services, affecting 72 publications, including the St. Louis Post-Dispatch and the Casper Star-Tribune. While the Post-Dispatch managed to avoid missing any publication days, it reported that most of its newspaper editions were affected, with some being smaller than usual. The Star-Tribune noted that the cyberattack initially prevented many of Lee's newspapers from building pages and publishing. The company's focus is now on determining if any data was stolen and restoring full operational capabilities.
@cyberinsider.com - 10d
Lee Enterprises, a major newspaper publisher with 77 newspapers and 350 weekly publications, has confirmed that a recent system outage was caused by a ransomware attack. The cyberattack disrupted newspaper operations starting in early February. The attackers are suspected of using double-extortion tactics, encrypting critical applications and exfiltrating files.
Cybercriminals launched a large-scale campaign, dubbed StaryDobry, which distributed the XMRig cryptominer through trojanized game installers. The attackers targeted users worldwide, including in Russia, Brazil, Germany, Belarus, and Kazakhstan. Cracked versions of popular games like BeamNG.drive, Garry's Mod, Dyson Sphere Program, Universe Sandbox, and Plutocracy were used to deliver the malware. Once downloaded, the installer extracts and executes a malicious payload, injecting the cryptominer into the victim's system.
@techcrunch.com - 8d
UK healthcare giant HCRG Care Group, previously known as Virgin Care, is currently investigating an IT security incident after the Medusa ransomware gang claimed responsibility for breaching the company's systems. The attackers claim to have stolen troves of sensitive data, totaling 2.275 TB, and are demanding $2 million (£1.6 million) in ransom. HCRG, which runs child and family health and social services across the UK for the NHS and local authorities, is working with external forensic specialists to investigate the incident.
HCRG has stated that its services are continuing to operate safely, and patients should keep their scheduled appointments. The Medusa crew is threatening to leak the stolen information online if the ransom isn't paid by February 27th. Samples of the allegedly stolen data, which include employees' personal information, sensitive medical records, financial records, and government identification documents, have been shared by Medusa. HCRG has notified the U.K.'s Information Commissioner's Office and other relevant regulators about the breach.
Pierluigi Paganini@Security Affairs - 25d
A web skimming campaign has targeted multiple websites, including Casio UK, in a sophisticated double-entry attack. Security firm Jscrambler discovered that at least 17 websites were compromised, with the attack on Casio UK lasting from January 14th to January 24th. The threat actor installed a web skimmer on all pages except the checkout page. This skimmer altered the usual payment flow, manipulating the user into entering sensitive information such as name, address, email, phone number, and credit card details into a fake payment form.
The double-entry technique involved an unobfuscated loader that fetched a second-stage skimmer from an attacker-controlled server. This skimmer encrypted and exfiltrated sensitive customer information, including contact information, credit card details, and billing addresses, concealing malicious activity through XOR-based string masking and custom encoding. After completing the fake form, victims were redirected to the legitimate checkout page, where they were asked to fill out the same details again. Jscrambler noted that Casio UK's website had a content security policy set to report-only, which logged events but failed to prevent the attack.
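The report-only detail is the practical lesson of this item: a `Content-Security-Policy-Report-Only` header only generates violation reports, while the identical policy sent as `Content-Security-Policy` would have refused to load a script from a host that is not on the source list. The following is an added example written for this digest, not Jscrambler's or Casio's code. It models only the `script-src`/`default-src` directives with `'self'`, `'none'`, scheme and host sources (nonces, hashes and the other directives are left out), and the page origin, policy string and script URLs are constructed; the skimmer host is a placeholder rather than the real attacker server.

```python
"""Why a report-only CSP logged the skimmer but did not block it.

Added example, not Jscrambler's or Casio's code. It models only the
script-src / default-src directives with 'self', 'none', scheme and host
sources; nonces, hashes and the other directives are left out. The page
origin, policy strings and script URLs are constructed.
"""
from urllib.parse import urlsplit

ENFORCE = "Content-Security-Policy"
REPORT_ONLY = "Content-Security-Policy-Report-Only"


def parse_script_sources(policy):
    """Return the source list governing scripts (script-src, else default-src),
    or None when the policy says nothing about scripts."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives.get("script-src", directives.get("default-src"))


def _host_matches(pattern, host):
    # "*.example" matches any subdomain of example, not example itself
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def source_allowed(sources, page_origin, script_url):
    """Does the source list permit loading script_url on a page at page_origin?"""
    if sources is None:
        return True
    page, script = urlsplit(page_origin), urlsplit(script_url)
    for src in sources:
        src = src.lower()
        if src == "'self'":
            if (script.scheme, script.netloc) == (page.scheme, page.netloc):
                return True
            continue
        if src.startswith("'"):
            continue  # 'none', 'unsafe-inline', nonces, hashes: not modelled here
        if src.endswith(":"):  # scheme-source such as https:
            if script.scheme == src[:-1]:
                return True
            continue
        host_pattern = urlsplit(src if "://" in src else "//" + src)
        if host_pattern.scheme and host_pattern.scheme != script.scheme:
            continue
        if _host_matches(host_pattern.netloc, script.netloc):
            return True
    return False


def evaluate(headers, page_origin, script_url):
    """Return {"blocked": ..., "reported": ...} for one script load under the
    given response headers. A report-only policy never sets blocked."""
    result = {"blocked": False, "reported": False}
    enforce = headers.get(ENFORCE)
    if enforce is not None and not source_allowed(parse_script_sources(enforce), page_origin, script_url):
        result["blocked"] = True
    report_only = headers.get(REPORT_ONLY)
    if report_only is not None and not source_allowed(parse_script_sources(report_only), page_origin, script_url):
        result["reported"] = True
    return result


# Constructed scenario: the same policy string, first report-only (the
# configuration the article says Casio UK had), then enforced.
PAGE = "https://shop.example"
POLICY = "default-src 'self'; script-src 'self' https://cdn.example"
FIRST_PARTY_SCRIPT = "https://cdn.example/checkout.js"
INJECTED_LOADER = "https://skimmer.invalid/loader.js"  # placeholder, not the real attacker host

REPORT_ONLY_HEADERS = {REPORT_ONLY: POLICY}
ENFORCED_HEADERS = {ENFORCE: POLICY}

if __name__ == "__main__":
    for name, headers in (("report-only", REPORT_ONLY_HEADERS), ("enforced", ENFORCED_HEADERS)):
        print(name, "first-party:", evaluate(headers, PAGE, FIRST_PARTY_SCRIPT),
              "injected:", evaluate(headers, PAGE, INJECTED_LOADER))
```

Running it shows the injected loader as reported-but-not-blocked under the report-only header and blocked under the enforced one, while the first-party script loads in both cases. The usual rollout is to keep a report-only copy of a stricter policy alongside the enforced one, so violations from a new policy can be reviewed before it is switched to enforcement.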
@www.the420.in - 3d
A large-scale malware campaign has compromised over 35,000 websites by injecting malicious JavaScript. The injected scripts redirect users to Chinese-language gambling platforms, specifically under the "Kaiyun" brand. This attack utilizes obfuscated JavaScript payloads to hijack user browsers, replacing legitimate website content with full-page redirects.
This malicious campaign operates by embedding a one-line `<script>` tag into the source code of affected websites. These scripts then reference domains like zuizhongjs[.]com and other similar URLs. Once loaded, these scripts dynamically inject further payloads, manipulating browser behavior and creating a full-screen overlay that redirects users to unlicensed gambling platforms in Mandarin, targeting users in regions where Mandarin is predominantly spoken. The attackers employ techniques such as string concatenation and Unicode escapes to conceal their activities and evade detection by automated security systems.
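A site owner checking for this kind of injection needs to answer two questions about every script tag on a page: is the external host one the site actually uses, and does an inline body show the obfuscation indicators the article names (Unicode escapes, string concatenation chains)? The following audit is an added example written for this digest, not the researchers' tooling. The first-party allowlist, the thresholds and the sample HTML are constructed, and the injected host is a placeholder (`injected-example.invalid`) rather than the zuizhongjs[.]com domain reported in the article.

```python
"""Audit a page's script tags for signs of injected third-party scripts.

Added example, not the researchers' tooling. It flags external scripts whose
host is not on the site's allowlist and inline scripts that show the
obfuscation indicators named in the article (Unicode escapes, string
concatenation chains). The allowlist, thresholds and sample HTML are
constructed; the injected host is a placeholder rather than the real domain.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

UNICODE_ESCAPE = re.compile(r"\\u[0-9a-fA-F]{4}")
UNICODE_ESCAPE_THRESHOLD = 4  # assumed; tune against the site's own scripts
# three or more short string literals glued together with "+", e.g. "ht"+"tp"+"s:"
CONCAT_CHAIN = re.compile(r"""(?:["'][^"']{0,40}["']\s*\+\s*){3,}["']""")


class ScriptCollector(HTMLParser):
    """Collect every <script> with its src attribute and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True
            self.scripts.append({"src": dict(attrs).get("src"), "body": ""})

    def handle_data(self, data):
        # HTMLParser delivers <script> content as raw text, so the body arrives here.
        if self._in_script and self.scripts:
            self.scripts[-1]["body"] += data

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False


def audit_html(html, allowed_hosts):
    """Return (script_index, reason, detail) for each suspicious script tag."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for index, script in enumerate(parser.scripts):
        if script["src"]:
            # urlsplit also resolves protocol-relative "//host/x.js"; a relative
            # path has an empty netloc and counts as first-party.
            host = urlsplit(script["src"].strip()).netloc.lower()
            if host and host not in allowed_hosts:
                findings.append((index, "external-script-off-allowlist", host))
            continue
        body = script["body"]
        escapes = len(UNICODE_ESCAPE.findall(body))
        if escapes >= UNICODE_ESCAPE_THRESHOLD:
            findings.append((index, "unicode-escape-obfuscation", escapes))
        else:
            chain = CONCAT_CHAIN.search(body)
            if chain:
                findings.append((index, "string-concatenation-chain", chain.group(0)[:60]))
    return findings


ALLOWED_HOSTS = {"cdn.shop.example"}  # constructed first-party CDN

# Constructed page: two legitimate scripts, one injected loader on a placeholder
# host, two inline bodies with the obfuscation indicators, one benign inline body.
SAMPLE_HTML = r"""<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.shop.example/vendor.js"></script>
<script src="//injected-example.invalid/js/loader.js"></script>
<script>var d="\u0064\u006f\u0063\u0075\u006d"+"ent";</script>
<script>var u="ht"+"tp"+"s:/"+"/re"+"dir.invalid";</script>
<script>window.dataLayer=window.dataLayer||[];</script>
</head><body></body></html>"""

if __name__ == "__main__":
    for index, reason, detail in audit_html(SAMPLE_HTML, ALLOWED_HOSTS):
        print(f"script #{index}: {reason} ({detail})")
```

The allowlist check is the reliable part: a script host you never deployed is a finding regardless of what the script does. The two inline heuristics are indicators rather than verdicts, since legitimate minified code can also contain escapes and concatenation, so they are best used to prioritise a manual diff against the site's deployed sources.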
@www.bleepingcomputer.com - 20d
Hospital Sisters Health System (HSHS) has notified over 882,000 patients about a significant data breach stemming from a cyberattack in August 2023. The breach exposed the personal and health information of these individuals, raising concerns about data security within the healthcare sector. HSHS, established in 1875, operates a network of 15 local hospitals across Illinois and Wisconsin and works with over 2,200 physicians.
The health system discovered the security breach on August 27, 2023, after detecting unauthorized access to its network. Following the discovery, HSHS initiated an investigation to assess the scope and impact of the incident. The notification sent to patients confirmed that the cyberattack led to the compromise of their personal data, emphasizing the importance of vigilance regarding potential misuse of the exposed information.
Swagta Nath@The420.in - 2h
References: The420.in, gbhackers.com
EncryptHub, also known as LARVA-208, is a sophisticated cyber threat actor conducting widespread spear-phishing and social engineering campaigns. Since June 2024, the group has successfully infiltrated at least 618 organizations globally. EncryptHub employs SMS phishing (smishing) and voice phishing (vishing) to distribute infostealers and ransomware, targeting corporate networks worldwide. Cybersecurity firms Catalyst and Prodaft report the group impersonates IT personnel to trick employees into revealing VPN credentials or installing remote monitoring software, bypassing multi-factor authentication and redirecting victims to legitimate login pages.
EncryptHub registers domain names mimicking popular VPN services to enhance phishing campaign credibility. Once inside, custom PowerShell scripts install information-stealing malware to extract sensitive data, including credentials and system information. The final stage involves deploying ransomware payloads like Locker.ps1 to encrypt files and demand cryptocurrency payments. The group has also been linked to other ransomware strains such as RansomHub and BlackSuit, causing widespread operational disruptions.
BushidoToken (noreply@blogger.com)@blog.bushidotoken.net - 22h
BlackBasta ransomware group's attack on Ascension Health, one of the largest healthcare providers in the US, has been brought to light by leaked chat logs. The incident, which occurred in May 2024, significantly disrupted services and involved the exfiltration of 1.4TB of data and encryption of over 12,000 servers. The BlackBasta gang gained initial access months prior to deploying the ransomware, starting around November 2023, using phishing and password guessing techniques to compromise 14 email addresses of Ascension Health employees.
These leaked chat logs provide researchers a unique opportunity to understand the inner workings of the Russia-based cybercrime enterprise. The BlackBasta gang, consisting of former Conti ransomware members, exhibits similar operational structures. Veriti Research analyzed the leaked communications, revealing that BlackBasta exploited vulnerabilities in VMware ESXi, Microsoft Exchange, Citrix VPNs, Fortinet firewalls, and Active Directory. The gang also uses cloud services for malware hosting and adjusts tactics to evade detection, while expressing frustration when EDRs, firewalls, and IP reputation monitoring disrupt their operations.
@techcrunch.com - 10d
New York-based venture capital and private equity firm Insight Partners has disclosed a security breach of its systems. The firm, which manages over $90 billion in regulatory assets and has invested in over 800 software and technology startups globally over the past 30 years, revealed that the incident occurred in January. The breach involved unauthorized access to its information systems following what they are calling "a sophisticated social engineering attack."
Insight Partners confirmed that the attack took place on January 16, 2025. The company has taken steps to address the situation, notifying law enforcement in relevant jurisdictions and engaging third-party cybersecurity experts to investigate the full scope and impact of the breach. The investigation is ongoing to determine the extent of data exposure and to implement measures to prevent future incidents.
Dissent@DataBreaches.Net - 2d
References: Carly Page, thecyberexpress.com
Australian fertility provider Genea has confirmed a significant cyberattack resulting in the potential compromise of sensitive patient data. The Termite ransomware group has claimed responsibility, alleging to have stolen approximately 700GB of confidential information after breaching Genea's systems. This data is said to include medical records, personal identifiers, and insurance details, affecting one of Australia's largest IVF providers.
Genea has acknowledged the unauthorized access and the subsequent leak of patient data on the dark web after Termite listed the firm on its site. In response, a court order was obtained to prevent further dissemination of the stolen information. The attack reportedly occurred on January 31, with the cybercriminals claiming to have exfiltrated over 900GB of data.
@ciso2ciso.com - 29d
SquareX has revealed a new attack method called "Browser Syncjacking" which exploits browser synchronization features to give attackers full control over a user's browser and device. This technique uses malicious browser extensions to hijack a user's browser by silently adding a profile managed by the attacker, essentially granting them complete access and control of the system. The attack starts when a user installs a seemingly innocuous extension, which could be disguised as an AI tool or even a popular extension already with millions of users.
The malicious extension then automatically authenticates the victim into a Chrome profile controlled by the attacker's Google Workspace. This method does not require any permissions from the user beyond the read/write capabilities that most browser extensions already request. Experts from SquareX demonstrated how this enables attackers to escalate privileges and conduct a total browser and device takeover with minimal user interaction. This discovery suggests that any browser extension could be a potential attack vector, as these extensions are not put through additional security scrutiny.