CyberSecurity news
FlagThis - #cyberattack
|
Zack Whittaker@techcrunch.com
//
Marks & Spencer (M&S) has confirmed it is currently dealing with a cybersecurity incident that has caused disruption to its UK retail operations. The retail giant said it has been managing this incident for the past few days, leading to operational changes aimed at protecting customers and the business. These changes have resulted in some disruption, including outages in payment systems and delays in store services such as order pick-ups and click-and-collect. The company has apologized to customers for any inconvenience experienced due to the disruptions.
M&S said that despite the ongoing cyber incident, its stores remain open, and its website and app are operating normally. It is working diligently to resolve technical issues and address delays affecting customer orders. In response to customer queries on social media platforms like X, Marks & Spencer acknowledged working to resolve technical issues in its stores. The company is also collaborating with external cybersecurity experts to investigate the incident and has notified data protection authorities, including the National Cyber Security Centre (NCSC) and the Information Commissioner's Office (ICO). While M&S has confirmed the cybersecurity incident and taken steps to mitigate its impact, specific details regarding the nature of the attack and potential compromise of customer data remain unclear. The company has been tight-lipped on divulging extra information, however it has mentioned it is coordinating with relevant agencies such as the NCSC. The retailer said that if the situation changes an update will be provided as appropriate. Marks & Spencer claims to serve 32 million customers every year. Recommended read:
References :
@hackread.com
//
A significant cybersecurity incident has come to light involving Fortinet devices. Reports indicate that over 16,000 internet-exposed Fortinet devices have been compromised using a symlink backdoor. This backdoor grants attackers read-only access to sensitive files, even after security patches are applied. The Shadowserver Foundation, a threat monitoring platform, has been tracking the situation and has reported the growing number of affected devices. This active exploitation underscores the critical need for organizations to implement security updates promptly and rigorously monitor their systems for any signs of suspicious activity.
Fortinet has acknowledged the attacks and has taken steps to address the issue. The company has released multiple updates across various FortiOS versions, including versions 7.6.2, 7.4.7, 7.2.11, 7.0.17, and 6.4.16. These updates not only remove the established backdoor but also modify the SSL-VPN interface to prevent similar occurrences in the future. Furthermore, Fortinet has launched an internal investigation and is collaborating with third-party experts to fully understand and mitigate the scope of the breach. An AV/IPS signature has also been developed to automatically detect and remove the malicious symlink. Concerns about espionage have also arisen after the exposure of a KeyPlug server. This server exposed Fortinet exploits and webshell activity, specifically targeting a major Japanese company, Shiseido. A recently exposed directory on infrastructure tied to KeyPlug malware revealed tooling likely used in active operations. The server was observed to be live for less than a day, highlighting the need for organizations to monitor for short-lived operational infrastructure. This discovery reveals the potential for advanced adversaries to maintain persistent access through sophisticated methods, making detection and remediation increasingly challenging. Recommended read:
References :
@x.com
//
Ahold Delhaize, the multinational retail and wholesale company with operations in both Europe and the United States, has confirmed a data breach following a cyberattack in November 2024. The company, which owns supermarket brands such as Stop & Shop, Giant Food, Food Lion and Hannaford, acknowledged that certain files were stolen from its U.S. business systems. The breach was claimed by the INC ransomware group, which has threatened to release sensitive information if its demands are not met, according to researchers at Arctic Wolf. The company is currently working with outside forensics experts to determine the exact nature of the compromised data and to comply with legal obligations regarding disclosure to affected individuals.
The cyberattack disrupted e-commerce operations, particularly affecting Hannaford's pickup and delivery services, which were halted for several days. Other U.S. banners also experienced disruptions and reduced availability for e-commerce services due to "system outages." While physical stores remained open and continued to accept most payment methods, including credit cards, Ahold Delhaize took some systems offline to protect them. The company also notified and updated law enforcement about the incident. The INC ransomware group claims to have exfiltrated approximately 6 terabytes of data from Ahold Delhaize's U.S. division. This data includes sensitive documents and personal identifiers, raising concerns about potential misuse and privacy violations. Ahold Delhaize is advising customers to be vigilant for phishing attempts and fraudulent activity. The company is currently investigating the extent of the breach and is committed to taking necessary measures to contain the situation and prevent further unauthorized access. Recommended read:
References :
@gbhackers.com
//
References:
gbhackers.com
, securityonline.info
,
The Interlock ransomware group has escalated its operations across North America and Europe, employing sophisticated techniques to evade detection. Cybersecurity firms such as Sekoia Threat Detection & Research (TDR) are closely monitoring Interlock's activities, revealing their evolving tactics and tools. Unlike typical Ransomware-as-a-Service (RaaS) operations, Interlock operates independently, focusing on targeted attacks known as Big Game Hunting and double extortion campaigns. Their tactics include compromising legitimate websites to host deceptive browser update pages, tricking users into downloading malicious PyInstaller files that appear as legitimate Google Chrome or Microsoft Edge installers.
These fake installers launch PowerShell-based backdoors, which continuously execute HTTP requests to communicate with command-and-control (C2) servers. This PowerShell script collects system information and offers functionality for executing arbitrary commands and establishing persistence. Interlock uses a continuous communication loop with the C2 server to maintain persistence. The C2 server can then issue commands to terminate the backdoor or deploy additional malware, such as keyloggers or credential stealers like LummaStealer and BerserkStealer. These actions bypass automated defenses by tricking victims into manually executing malicious commands. In early 2025, Interlock began experimenting with ClickFix, a social engineering technique that prompts users to execute malicious PowerShell commands through spoofed CAPTCHAs or browser alerts, supposedly to "fix" an issue. Interlock also uses IP address clustering to maintain infrastructure resilience, often utilizing IPs from BitLaunch, Hetzner Online GmbH, and other autonomous systems. The group commonly uses RDP and stolen credentials for lateral movement within compromised networks, often targeting domain controllers to gain widespread control. Cybersecurity researchers actively adapt defenses against Interlock's techniques. Recommended read:
References :
@nvd.nist.gov
//
Cyble Research and Intelligence Labs (CRIL) has uncovered a new ransomware operation dubbed "DOGE BIG BALLS Ransomware." This campaign uses a finance-themed ZIP file named "Pay Adjustment.zip" to trick users into executing malicious shortcut files. These files then trigger multi-stage PowerShell scripts, ultimately delivering custom payloads that include a kernel-mode exploit tool and reconnaissance modules. The ransomware itself is a modified version of Fog, further customized with a provocative name that references a known public figure.
The attention-grabbing name is likely a deliberate attempt to misdirect attention and create confusion, potentially questioning the effectiveness of governmental cybersecurity efforts. Despite the name's provocative nature, the attack mechanism is relatively simple. The ransomware is typically distributed via a compressed ZIP file, sometimes disguised as a PDF document. Once opened, the malicious payload bypasses traditional security defenses using obfuscation and anti-detection techniques. The DOGE Big Balls ransomware attack highlights the evolving tactics of cybercriminals, blending technical sophistication with psychological manipulation. It also demonstrates the increasing trend of ransomware attacks targeting the healthcare sector, as seen with the recent attack on DaVita, a Denver-based dialysis firm. This incident underscores the critical need for organizations to bolster their cybersecurity defenses and incident response capabilities to protect sensitive data and maintain operational continuity. Recommended read:
References :
Pierluigi Paganini@securityaffairs.com
//
A newly discovered remote access trojan (RAT) called ResolverRAT is actively targeting healthcare and pharmaceutical organizations worldwide. Security researchers at Morphisec have identified this sophisticated malware as a new threat, noting its advanced in-memory execution, API and resource resolution at runtime, and layered evasion techniques. ResolverRAT is designed for stealth and resilience, making static and behavioral analysis significantly more difficult. The malware has been observed in attacks as recently as March 10, indicating an ongoing campaign.
ResolverRAT spreads through meticulously crafted phishing emails, often employing fear-based lures to pressure recipients into clicking malicious links. These emails are localized, using languages spoken in targeted countries, including Hindi, Italian, Czech, Turkish, Portuguese, and Indonesian. The content often revolves around legal investigations or copyright violations to induce a sense of urgency. The infection chain initiates through DLL side-loading, with a legitimate executable used to inject ResolverRAT into memory, a technique previously observed in Rhadamanthys malware attacks. Once deployed, ResolverRAT utilizes a multi-stage bootstrapping process engineered for stealth. The malware employs encryption and compression and exists only in memory after decryption to prevent static analysis. It also incorporates redundant persistence methods via the Windows Registry and file system. Furthermore, ResolverRAT uses a bespoke certificate-based authentication to communicate with its command-and-control (C2) server, bypassing machine root authorities and implementing an IP rotation system to connect to alternate C2 servers if necessary. These advanced C2 infrastructure capabilities indicate a sophisticated threat actor combining secure communications and fallback mechanisms. Recommended read:
References :
Pierluigi Paganini@securityaffairs.com
//
References:
securityaffairs.com
, www.cysecurity.news
A cybercriminal group has suffered a taste of its own medicine after its website was hacked, with the attacker leaving a message warning against illegal activity. In a separate incident, the National Social Security Fund (CNSS) of Morocco has confirmed a data breach following a cyber attack. The incidents highlight the ever-present threat of cybercrime, even within the cybercriminal underworld itself.
The CNSS of Morocco has acknowledged that its computer systems were targeted by cyber attacks, leading to a data breach. A threat actor, using the alias 'Jabaroot', claimed responsibility for stealing large volumes of citizen data. The actor is reportedly targeting government systems in Morocco. The CNSS has activated its security protocols and launched an internal investigation to determine the extent and origin of the breach. Initial investigations have revealed that leaked documents circulating on social media contain false, inaccurate, or incomplete information. The Fund is working diligently to understand the full scope of the incident and protect the personal data and confidentiality of user information. Recommended read:
References :
@www.bleepingcomputer.com
//
References:
BleepingComputer
, BleepingComputer
,
The Fourlis Group, which operates IKEA stores in Greece, Cyprus, Romania, and Bulgaria, has revealed a significant financial impact stemming from a ransomware attack that occurred in November 2024. The attack, which targeted the online IKEA shops just before the busy Black Friday weekend, resulted in substantial operational disruptions and financial losses. The company confirmed that these losses are estimated to be approximately €20 million ($22.8 million).
The initial signs of the attack became public on December 3, 2024, when the Fourlis Group acknowledged technical issues affecting the IKEA online stores, attributing them to a "malicious external action". While the group manages other retail brands such as Intersport, Foot Locker, and Holland & Barrett, the ransomware attack primarily impacted IKEA's online operations. A forensic investigation later revealed that the temporary unavailability of data was quickly restored, and there was no evidence to suggest any data theft or leaks of personal data occurred as a result of the incident. Despite the significant financial impact and operational disruptions, no ransomware group has claimed responsibility for the attack to date. The lack of a public claim could indicate that the attackers were unsuccessful in stealing data or that they are pursuing a private settlement with the Fourlis Group. The incident underscores the growing threat of ransomware attacks targeting major retailers and the potential for substantial financial losses and operational challenges these attacks can cause. Recommended read:
References :
@hackread.com
//
The Medusa ransomware group has claimed responsibility for a cyberattack on NASCAR, alleging the theft of over 1TB of data. In a posting on its dark web leak site, Medusa has demanded a $4 million ransom for the deletion of NASCAR's data. The group has placed a countdown timer on the leak site, threatening to make the stolen data available to anyone on the internet after the deadline. The countdown deadline can be extended at a cost of $100,000 per day.
To verify its claim, Medusa has published screenshots of what it claims are internal NASCAR documents. These include names, email addresses, and phone numbers of NASCAR employees and sponsors, as well as invoices, financial reports, and more. Furthermore, the ransomware gang has published a substantial directory illustrating NASCAR's internal file structure and the names of documents that have been exfiltrated. While NASCAR has not yet confirmed or denied reports of the attack, the details published by Medusa on its leak site appear credible. The Medusa ransomware group operates under a ransomware-as-a-service (RaaS) model and is known for its double extortion tactics. The FBI and CISA issued a joint cybersecurity advisory last month warning that Medusa ransomware had impacted over 300 organizations, including those in critical infrastructure sectors such as medical, education, legal, insurance, technology, and manufacturing. Past victims include Minneapolis Public Schools, which refused to pay a million-dollar ransom and saw approximately 92 GB of stolen data released to the public. Recommended read:
References :
Pierluigi Paganini@Security Affairs
//
The Russia-linked cyber espionage group Shuckworm, also known as Gamaredon or Armageddon, is actively targeting a Western country's military mission based in Ukraine. The campaign, which began in February 2025 and continued through March, involves the deployment of an updated, PowerShell-based version of its GammaSteel infostealer malware. This latest wave of activity underscores Shuckworm's persistent focus on Ukrainian targets, with the group believed to be operating on behalf of Russia's Federal Security Service (FSB). They have historically concentrated their efforts on government, military, and law enforcement targets in Ukraine.
The initial infection vector in this campaign appears to be infected removable drives. Evidence from the Windows Registry's UserAssist key suggests that the infection was triggered from such an external drive. The attack chain is multi-staged and designed to minimize detection. It involves the execution of obfuscated VBScript and PowerShell scripts stored in the registry. This shift towards PowerShell-based tools allows Shuckworm to improve obfuscation and store scripts directly within the Windows Registry, making file-based detection more challenging. GammaSteel, the malware deployed in this campaign, now has enhanced reconnaissance features. It is capable of capturing screenshots, gathering system information, and enumerating desktop contents and user documents. The malware targets specific file types such as documents, spreadsheets, and PDFs. Shuckworm's exfiltration methods have also become more sophisticated, utilizing PowerShell web requests or cURL with Tor proxies to extract sensitive data stealthily. This campaign demonstrates an increase in sophistication for Shuckworm, with the group leveraging legitimate web services to lower the risk of detection. Recommended read:
References :
Sathwik Ram@seqrite.com
//
Pakistan-linked SideCopy APT has escalated its cyber operations, employing new tactics to infiltrate crucial sectors. Seqrite Labs APT team uncovered these new tactics deployed since the last week of December 2024. The Advanced Persistent Threat (APT) group, previously focused on Indian government, defence, maritime sectors, and university students, is expanding its targeting scope.
The group has broadened its targets to include critical sectors such as railways, oil & gas, and external affairs ministries. One notable shift in their recent campaigns is the transition from using HTML Application (HTA) files to adopting Microsoft Installer (MSI) packages as a primary staging mechanism. This evolution is marked by increasingly sophisticated methods, such as reflective DLL loading and AES encryption via PowerShell. Furthermore, SideCopy is actively repurposing open-source tools like XenoRAT and SparkRAT to enhance their penetration and exploitation capabilities. The group customizes these tools and employs a newly identified Golang-based malware dubbed CurlBack RAT, specifically designed to execute DLL side-loading attacks. Recent campaigns demonstrate an increased use of phishing emails masquerading as government officials to deliver malicious payloads, often using compromised official domains and fake domains mimicking e-governance services. Recommended read:
References :
|