CyberSecurity news

FlagThis - #cybersecurity

Field Effect@Blog //
References: Blog, securityaffairs.com
Multiple security vulnerabilities are being actively exploited across various systems, posing significant risks to organizations and individuals. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a Linux Kernel vulnerability to its Known Exploited Vulnerabilities catalog, emphasizing the urgency of addressing this flaw. Furthermore, researchers have uncovered a vulnerability chain affecting a wide range of Linux distributions that could allow an unprivileged user to gain full root access. These vulnerabilities, CVE-2025-6018 and CVE-2025-6019, reside in the Pluggable Authentication Modules (PAM) configuration and libblockdev, respectively.

Proof-of-concept (POC) code has been published for the Linux vulnerability chain, raising the potential for widespread exploitation. The libblockdev flaw is exploitable through the udisks daemon, a tool commonly deployed in Linux distributions such as Ubuntu, Debian, Fedora, openSUSE, Arch Linux, and Red Hat Enterprise Linux (RHEL). In addition to Linux vulnerabilities, there is also an increase in infostealer malware such as Lumma Stealer with new rules being added to detect associated command and control (CnC) domains. This highlights the diverse and evolving nature of cyber threats.

The constant discovery and exploitation of vulnerabilities underscore the critical importance of timely patching and robust security awareness. Organizations are advised to prioritize patching the Linux Kernel flaw added to CISA's Known Exploited Vulnerabilities catalog, as well as the vulnerability chain affecting multiple Linux distributions. Beyond the Linux flaws, organizations also need to protect themselves from a range of malware, including Lumma Stealer. The cybersecurity community continues to identify and address many more vulnerabilities in a range of products, including Apple products, TP-Link routers and Zyxel products. Regular security audits and proactive threat hunting are also essential for mitigating risks and maintaining a strong security posture.

Recommended read:
References :
  • Blog: Researchers published proof-of-concept (POC) code for an attack chaining two local privilege escalation (LPE) vulnerabilities affecting a wide range of Linux distributions.
  • securityaffairs.com: U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Linux Kernel vulnerability to its Known Exploited Vulnerabilities catalog.

@cyberscoop.com //
Aflac Incorporated, the insurance giant, has confirmed a cybersecurity incident that occurred on June 12, 2025. The company detected suspicious activity on its US network and promptly initiated its cyber incident response protocols, successfully stopping the intrusion within hours. According to Aflac's official disclosure, their systems were not affected by ransomware, ensuring business operations such as underwriting, claims processing, and customer support remain uninterrupted. However, Aflac warns that sensitive customer information may have been exposed during the breach.

Preliminary findings indicate that the unauthorized party used sophisticated social engineering tactics to gain access to Aflac's network. This method often involves tricking individuals into revealing sensitive information or granting access. Aflac has engaged leading third-party cybersecurity experts to assist with the ongoing investigation. CNN, citing sources familiar with the investigation, reported that this incident, along with others recently affecting the insurance sector, is consistent with the techniques of a cybercrime group known as “Scattered Spider.” Aflac acknowledged the broader context of the attack, stating, "This attack, like many insurance companies are currently experiencing, was caused by a sophisticated cybercrime group."

The review of potentially impacted files is still in its early stages, and Aflac has not yet determined the total number of individuals affected. However, the company has indicated that the compromised files may contain sensitive information. The Aflac breach is the latest cyberattack against the insurance industry.

Recommended read:
References :
  • thecyberexpress.com: Insurance giant Aflac reported today that it was hit by a cyberattack on June 12 but was able to stop the intrusion “within hours.”
  • eSecurity Planet: Aflac Discloses Cybersecurity Incident, Customer Data Potentially Exposed Amid Industry-Wide Attacks
  • www.prnewswire.com: Aflac Incorporated Discloses Cybersecurity Incident

Dissent@DataBreaches.Net //
A massive collection of 16 billion login credentials has been discovered, representing one of the largest data exposures in history. Cybernews reports that the exposed data likely originates from various infostealers, malicious software designed to gather sensitive information from infected devices. Researchers have uncovered 30 exposed data sets containing from tens of millions to over 3.5 billion records each, totaling an astounding 16 billion credentials. These datasets include logins for major platforms like Apple, Google, Facebook, and Telegram, raising significant concerns about widespread account compromise.

Researchers noted that these datasets were not simply recycled from old data leaks but represent new, potentially "weaponized" information. The exposed data contains a mix of details from stealer malware, credential stuffing sets, and repackaged leaks. While it was not possible to compare data between the different sets effectively, the sheer volume and the platforms targeted highlight the severity of the situation. The data sets were only exposed for a short period and it remains unknown who controlled the large amount of data.

The exposure of these 16 billion credentials poses a significant risk of account takeovers, identity theft, and targeted phishing attacks. Cybercriminals now have access to an unprecedented volume of personal data. Users are advised to take immediate action to protect their accounts, including enabling multi-factor authentication and using strong, unique passwords for all online services. News sources indicate that this is not a new data breach but is rather a compilation of previously leaked credentials.

Recommended read:
References :
  • www.bleepingcomputer.com: No, the 16 billion credentials leak is not a new data breach.
  • www.it-daily.net: 16 billion login details: the data theft that nobody knew about
  • Malwarebytes: Billions of logins for Apple, Google, Facebook, Telegram, and more found exposed online
  • Kaspersky official blog: The world's biggest data breach: what should folks do? | Kaspersky official blog
  • aboutdfir.com: No, the 16 billion credentials leak is not a new data breach. News broke today of a “mother of all breaches,” sparking wide media coverage filled with warnings and fear-mongering.
  • bsky.app: No, the 16 billion credentials leak is not a new data breach. Thanks @lawrenceabrams.bsky.social for being a knowledgeable and calm voice amidst the yelling about this 'breach'.
  • flare.io: This week, Forbes published research from a CyberNews article, which detailed the leakage of 16B credentials. We want to emphasize an important piece of this viral story: “30 exposed datasets containing from tens of millions to over 3.5 billion records each” have been discovered.
  • techxplore.com: Researchers at cybersecurity outlet Cybernews say that billions of login credentials have been leaked and compiled into datasets online, giving criminals "unprecedented access" to accounts consumers use each day.
  • Billy Bambrough: A massive 16 billion password hack has sparked calls for an urgent upgrade...
  • DataBreaches.Net: DataBreaches.net article on the 16 billion credentials leak
  • Metacurity: Report of 16 billion credentials breach debunked

@blog.talosintelligence.com //
North Korean-aligned threat actor Famous Chollima, also known as Wagemole, is actively targeting cryptocurrency and blockchain professionals, primarily in India, using a newly discovered Python-based Remote Access Trojan (RAT) named PylangGhost. This RAT, identified by Cisco Talos in May 2025, serves as a Python equivalent to the group's existing GolangGhost RAT, which was previously deployed against macOS users. The threat actor seeks financial gain in two ways: by posing as fake employers so that jobseekers expose their personal information, and by placing fake employees as workers inside targeted victim companies.

This campaign involves a sophisticated operation in which attackers impersonate recruiters from well-known tech firms like Coinbase, Robinhood, Uniswap, and Archblock. Victims are lured through fake job advertisements and skill-testing pages, then directed to submit personal and professional information, grant camera access, and copy and execute a malicious shell command under the guise of installing video drivers. The instructions for downloading the alleged fix vary based on browser fingerprinting and are given in the shell language appropriate to the victim's OS, PowerShell for Windows and Bash for macOS.

PylangGhost is a multi-stage Python malware framework disguised in a ZIP archive downloaded via the shell command. Upon execution, a Visual Basic Script extracts and launches the malware. The framework consists of modular components that enable credential and cookie theft from over 80 browser extensions, file operations (upload, download), remote shell access, and system reconnaissance. The attackers are primarily targeting individuals with experience in cryptocurrency and blockchain technologies, utilizing skill-testing sites that impersonate legitimate companies to further their deception.

Recommended read:
References :
  • blog.talosintelligence.com: Talos Intelligence blog post about the Python version of GolangGhost RAT.
  • Cisco Talos: Talos Security's post on Mastodon about Famous Chollima targeting cryptocurrency/blockchain professionals with the new PylangGhost RAT.
  • Cisco Talos Blog: Famous Chollima deploying Python version of GolangGhost RAT
  • hackread.com: N. Korean Hackers Use PylangGhost Malware in Fake Crypto Job Scam
  • securityonline.info: PylangGhost: North Korean APT Deploys Python-Based RAT to Target Crypto Professionals
  • Virus Bulletin: Cisco Talos recently identified PylangGhost, a Python-based version of the GolangGhost RAT used exclusively by Famous Chollima, a North Korea-aligned threat actor.
  • Virus Bulletin: This article reports on various APT groups and their activities, including the use of PylangGhost by Famous Chollima.

@www.trendmicro.com //
Trend Micro has identified a new threat actor known as Water Curse, which is actively exploiting GitHub repositories to distribute multistage malware. This campaign poses a significant supply chain risk, especially to cybersecurity professionals, game developers, and DevOps teams who rely on open-source tooling. Researchers have already identified at least 76 GitHub accounts that are related to this campaign, highlighting the scale of the operation. The attackers embed malicious payloads within build scripts and project files, effectively weaponizing trusted open-source resources.

The Water Curse campaign utilizes a sophisticated infection chain. Project files contain malicious batch file code within the `` tag, which is triggered during the code compilation process. This malicious batch file code leads to the execution of a VBS file. Upon execution, obfuscated scripts written in Visual Basic Script (VBS) and PowerShell initiate complex multistage infection chains. These scripts download encrypted archives, extract Electron-based applications, and perform extensive system reconnaissance. The malware is designed to exfiltrate data, including credentials, browser data, and session tokens, and establishes remote access and long-term persistence on infected systems.

To defend against these attacks, organizations are advised to audit open-source tools used by red teams, DevOps, and developer environments, especially those sourced from GitHub. It's crucial to validate build files, scripts, and repository histories before use. Security teams should also monitor for unusual process executions originating from MSBuild.exe. Trend Micro's Vision One™ detects and blocks the indicators of compromise (IOCs) associated with this campaign, providing an additional layer of defense.
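The build-file validation step recommended above, as an added example that is not Trend Micro's code or part of its report: a Python script that walks a checkout for MSBuild project files and reports every PreBuildEvent, PostBuildEvent or Exec command that would run during compilation, flagging those that hand control to a script host. The sample project files and the indicator list are constructed for this demo and are not Trend Micro's IOCs.

```python
"""Audit MSBuild project files for commands that run at build time.

Added example, not Trend Micro's tooling. Build events are a legitimate MSBuild
feature, so the output is a review list, not a verdict: anything that launches
cmd, PowerShell or a VBScript host from a build step deserves a look before the
project is ever compiled.
"""
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

PROJECT_GLOBS = ("*.csproj", "*.vbproj", "*.vcxproj", "*.props", "*.targets")
EVENT_TAGS = {"PreBuildEvent", "PostBuildEvent", "PreLinkEvent"}

# Constructed indicator list: a build step that reaches for a shell or a script
# interpreter is unusual enough in most projects to warrant manual review.
SUSPICIOUS = re.compile(
    r"\b(cmd(\.exe)?\s*/c|powershell|pwsh|cscript|wscript|mshta)\b|\.vbs\b|\.ps1\b",
    re.IGNORECASE,
)


def _local(tag):
    """Strip the XML namespace (present in classic projects, absent in SDK-style ones)."""
    return tag.rsplit("}", 1)[-1]


def find_build_commands(xml_text):
    """Return (element_name, command_line) for every build-event or Exec command."""
    root = ET.fromstring(xml_text)
    found = []
    for el in root.iter():
        name = _local(el.tag)
        if name in EVENT_TAGS:
            # C#/VB projects put the command line in the element text;
            # C++ projects nest it in a <Command> child element.
            texts = [el.text or ""] + [c.text or "" for c in el if _local(c.tag) == "Command"]
            found.extend((name, t.strip()) for t in texts if t.strip())
        elif name == "Exec" and el.get("Command"):
            found.append(("Exec", el.get("Command").strip()))
    return found


def audit_project(xml_text, path="<string>"):
    """One finding dict per build command, with a 'suspicious' flag from the indicator regex."""
    return [
        {"file": path, "element": element, "command": cmd, "suspicious": bool(SUSPICIOUS.search(cmd))}
        for element, cmd in find_build_commands(xml_text)
    ]


def audit_tree(root_dir):
    """Audit every project file under root_dir; unparseable XML is itself reported as suspicious."""
    findings = []
    for pattern in PROJECT_GLOBS:
        for p in sorted(Path(root_dir).rglob(pattern)):
            try:
                findings.extend(audit_project(p.read_text(encoding="utf-8-sig"), str(p)))
            except ET.ParseError as exc:
                findings.append({"file": str(p), "element": "ParseError", "command": str(exc), "suspicious": True})
    return findings


# Constructed sample: a classic (namespaced) C# project with one benign post-build
# copy, one pre-build event that launches a VBScript, and an Exec task running PowerShell.
SAMPLE_CSPROJ = r"""<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <PostBuildEvent>copy "$(TargetPath)" "$(SolutionDir)dist\"</PostBuildEvent>
    <PreBuildEvent>cmd /c wscript "$(ProjectDir)tools\helper.vbs"</PreBuildEvent>
  </PropertyGroup>
  <Target Name="AfterBuild">
    <Exec Command="powershell -File &quot;$(ProjectDir)setup.ps1&quot;" />
  </Target>
</Project>
"""

# Constructed sample: a C++ project, where the command sits in a nested <Command> child.
SAMPLE_VCXPROJ = r"""<?xml version="1.0" encoding="utf-8"?>
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemDefinitionGroup>
    <PreBuildEvent>
      <Command>cscript //nologo "$(ProjectDir)build\stage.vbs"</Command>
    </PreBuildEvent>
  </ItemDefinitionGroup>
</Project>
"""

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        Path(d, "App.csproj").write_text(SAMPLE_CSPROJ, encoding="utf-8")
        Path(d, "native", ).mkdir()
        Path(d, "native", "Core.vcxproj").write_text(SAMPLE_VCXPROJ, encoding="utf-8")
        for f in audit_tree(d):
            mark = "REVIEW" if f["suspicious"] else "ok    "
            print(f"{mark} {Path(f['file']).name}: <{f['element']}> {f['command']}")
```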

Recommended read:
References :
  • Know Your Adversary: Trend Micro has identified a new threat actor dubbed Water Curse. The adversary uses weaponized GitHub repositories to deliver multistage malware.
  • www.trendmicro.com: Trend Micro has identified a new threat actor dubbed Water Curse. The adversary uses weaponized GitHub repositories to deliver multistage malware.
  • cyberpress.org: 76 GitHub Accounts Compromised by Water Curse Hacker Group to Distribute Multistage Malware
  • The Hacker News: Water Curse Employs 76 GitHub Accounts to Deliver Multi-Stage Malware Campaign
  • Blog (Main): Threat actor Banana Squad exploits GitHub repos in new campaign
  • www.sentinelone.com: Pentagon modernize defense via AI, Water Curse spreads malware through GitHub repos, and TaxOff uses Chrome zero-day to deploy backdoor.

@www.healthcarefinancenews.com //
Ransomware groups are continually evolving their tactics, posing an increasing threat to organizations worldwide. Recent reports highlight the exploitation of vulnerabilities in software and the use of sophisticated techniques, such as abusing legitimate employee monitoring software, to breach systems. A Symantec report revealed the discovery of Fog Ransomware, showcasing the attackers' innovative use of tools, including a legitimate security solution (Syteca) capable of recording on-screen activity and monitoring keystrokes, which they deployed using PsExec and SMBExec.

The Cybersecurity and Infrastructure Security Agency (CISA) issued Advisory AA25-163A, warning of ransomware actors exploiting CVE-2024-57727 in unpatched SimpleHelp Remote Monitoring and Management (RMM) software, specifically versions 5.5.7 and earlier. This vulnerability allowed attackers to compromise a utility billing software provider and initiate double-extortion attacks. The attacks targeting unpatched SimpleHelp deployments have been observed since January 2025, indicating a sustained and targeted effort to exploit this vulnerability.

In addition to software vulnerabilities, data breaches are also occurring through direct hacks. Zoomcar, an Indian car-sharing company, recently acknowledged a data breach affecting 8.4 million users, in which hackers accessed customer names, phone numbers, car registration numbers, personal addresses, and emails. While sensitive information like passwords and financial details was reportedly not exposed, the breach raises concerns about the security of personal data stored by such platforms. Furthermore, the DragonForce group has started posting new victims to its darknet site, publicly extorting two new organizations and highlighting the continued use of double extortion tactics by ransomware groups.

Recommended read:
References :
  • cyble.com: The greatest number of ransomware attacks were directed towards the professional services and construction sectors.
  • cybersecurityventures.com: Ransomware: File Data Is Harder to Manage and Defend
  • : The attack resulted in a significant data breach at Caesars Entertainment.

rulesbot@community.emergingthreats.net //
Emerging Threats has released a significant ruleset update, v10950, aimed at bolstering network security and threat detection. The update includes 73 new open rules and 136 new pro rules, totaling 209 enhancements to the existing security framework. These rules are designed to address a wide spectrum of threats, ranging from general malware to web application-specific vulnerabilities and hunting activities, enabling organizations to strengthen their defenses against an evolving threat landscape. The release date for this update is June 13, 2025.

Among the key targets of this update is the Predator spyware, which remains a persistent threat despite US sanctions. The ruleset includes specific signatures to detect DNS queries associated with Predator spyware domains, such as gilfonts .com, zipzone .io, and numerous others. This highlights the ongoing efforts to identify and neutralize the infrastructure used by Intellexa, the maker of Predator, even as they attempt to evade detection through new servers and domains. This focus underscores the importance of continuous monitoring and adaptation in the face of sophisticated surveillance tools.

In addition to addressing the Predator spyware, the ruleset update also tackles a critical vulnerability in Fortinet Admin APIs, specifically a Stack-based Buffer Overflow in the AuthHash Cookie, identified as CVE-2025-32756. This rule aims to protect against potential exploits targeting this weakness in Fortinet systems. Furthermore, the update incorporates rules for hunting SQL Database Version Discovery, enhancing the ability to proactively identify and address potential vulnerabilities within network environments. This comprehensive approach ensures a multi-layered defense against various attack vectors.


@www.helpnetsecurity.com //
References: Help Net Security, Tenable Blog, AppOmni ...
The National Institute of Standards and Technology (NIST) has released a new guide, SP 1800-35, titled "Implementing a Zero Trust Architecture," aimed at providing practical assistance in building zero trust architectures (ZTA). This guidance includes 19 example setups that utilize commercially available, off-the-shelf tools. The initiative is a result of work conducted by NIST’s National Cybersecurity Center of Excellence (NCCoE).

Over the course of four years, NIST collaborated with 24 industry partners, including major tech companies, to build, install, test, and document the 19 ZTA models. These models illustrate various real-world scenarios such as hybrid cloud setups, branch offices, and even public Wi-Fi use in coffee shops. Each model provides technical details on deployment, sample configurations, integration steps, test results, and best practices derived from real-world experiences. The guide also maps these setups onto NIST's broader cybersecurity framework (CSF), SP 800-53 controls, and critical software measures.

The rise in popularity of zero trust architectures comes as traditional on-prem security perimeters weaken due to the increasing adoption of cloud services, mobile devices, remote employees, and IoT devices. The new NIST guidance builds on its earlier zero trust framework, SP 800-207, by providing more hands-on implementation advice. According to Brian Soby, CTO at AppOmni, one of the main challenges in real-world zero trust implementations is the existence of multiple policy decision and policy enforcement points, which are often left out of many zero trust plans, potentially leaving doors open for attackers. This new guidance recognizes the reality of multiple PDP/PEPs and operationalizes the concept of Policy Information Points, enhancing decision-making within the architecture by adapting to changing context and user behaviors.

Recommended read:
References :
  • Help Net Security: 19 ways to build zero trust: NIST offers practical implementation guide
  • Tenable Blog: Cybersecurity Snapshot: NIST Offers Zero Trust Implementation Advice, While OpenAI Shares ChatGPT Misuse Incidents
  • cyberpress.org: New NIST Guide Outlines 19 Approaches to Zero Trust Architecture
  • AppOmni: 19 ways to build zero trust: NIST offers practical implementation guide
  • www.helpnetsecurity.com: 19 ways to build zero trust: NIST offers practical implementation guide

Cynthia B@Metacurity //
References: Risky.Biz, Metacurity, cyberscoop.com ...
Despite US sanctions, Intellexa's Predator spyware continues to operate, adapting to setbacks and surfacing in new locations with innovative techniques to evade detection. Security firm Recorded Future revealed they had linked Intellexa infrastructure to new locations. Their findings suggest Intellexa, also known as the Intellexa Consortium, is actively responding to the challenges posed by sanctions and public exposure and is likely to continue adapting its methods. This highlights the ongoing struggle to effectively curb the proliferation of sophisticated surveillance tools.

Recorded Future's Insikt Group has identified a previously unknown customer in Mozambique, a connection to a Czech entity, and activity linked to an Eastern European country. The Eastern European activity, though brief, suggests possible development or testing of the spyware. The discovery of the Mozambique customer is consistent with the already known high level of Predator activity across Africa. Intellexa has also adopted strategies such as using fake websites, including counterfeit login pages and sites claiming association with conferences, to mask its operations.

Julian-Ferdinand Vögele, a threat researcher with Recorded Future, stated that “Intellexa’s Predator remains active and adaptive, relying on a vast network of vendors, subsidiaries, and other companies.” While Predator activity has declined since sanctions and public exposure, the spyware maker is still finding ways to keep the spyware active and available to customers. The report from Recorded Future warns that "Sanctions and other pressures are likely to drive efforts to increase the complexity of corporate structures, making operations harder to trace and disrupt," emphasizing the importance of continued vigilance and proactive measures to counter the evolving threat posed by Predator.

Recommended read:
References :
  • Risky.Biz: Risky Bulletin: Predator spyware alive despite US sanctions
  • Metacurity: Customers keep buying Predator spyware despite US sanctions
  • Risky Business Media: Risky Bulletin: Predator spyware alive despite US sanctions
  • cyberscoop.com: Predator spyware activity surfaces in new places with new tricks

@research.checkpoint.com //
A critical vulnerability in Discord's invitation system has been identified, enabling malicious actors to hijack expired or deleted invite links and redirect unsuspecting users to harmful servers. Check Point Research (CPR) uncovered this flaw, revealing that attackers are exploiting a Discord feature that allows the reuse of expired or deleted invite links. By registering vanity links, attackers can silently redirect users from trusted sources, such as community forums and social media posts, to malicious servers designed to deliver malware.

CPR's research details real-world attacks leveraging hijacked links to deploy sophisticated phishing schemes and malware campaigns. These campaigns often involve multi-stage infections that evade detection by antivirus tools and sandbox checks. The attack tricks users with a fake verification bot and phishing site that look like legitimate Discord servers, leading victims to unknowingly run harmful commands that download malware on their computer. The malware spreads quietly in multiple steps using popular, trusted services like GitHub and Pastebin to hide its activity and avoid detection.

The attackers are primarily targeting cryptocurrency users, with the goal of stealing credentials and wallet information for financial gain. Over 1,300 downloads have been tracked across multiple countries, including the U.S., Vietnam, France, Germany, and the UK, demonstrating the global scale of the campaign. The delivered malware includes remote access trojans (RATs) like AsyncRAT and information-stealing malware like Skuld Stealer, posing a significant threat to users' security and privacy.

Recommended read:
References :
  • blog.checkpoint.com: Attackers took advantage of a Discord feature that lets expired or deleted invite links be reused, allowing them to hijack trusted community links and redirect users to harmful servers.
  • cyberinsider.com: Expired Discord Invites Hijacked for Stealthy Malware Attacks
  • Virus Bulletin: Check Point Research uncovered an active malware campaign exploiting expired & released Discord invite links.
  • bsky.app: Hackers are hijacking expired or deleted Discord invite links to redirect users to malicious sites that deliver remote access trojans and information-stealing malware.
  • research.checkpoint.com: From Trust to Threat: Hijacked Discord Invites Used for Multi-Stage Malware Delivery
  • The Hacker News: Discord Invite Link Hijacking Delivers AsyncRAT and Skuld Stealer Targeting Crypto Wallets
  • The DefendOps Diaries: Discord Flaw Exploitation: A Detailed Analysis of Reused Expired Invites in Malware Campaigns
  • CyberInsider: Expired Discord Invites Hijacked for Stealthy Malware Attacks
  • BleepingComputer: Discord flaw lets hackers reuse expired invites in malware campaign
  • Check Point Research: From Trust to Threat: Hijacked Discord Invites Used for Multi-Stage Malware Delivery

Pierluigi Paganini@securityaffairs.com //
Apple has released details about a zero-day vulnerability, CVE-2025-43200, that was exploited by Paragon's Graphite spyware to hack at least two journalists' iPhones in Europe. The vulnerability was a zero-click flaw in iMessage, allowing attackers to compromise devices without any user interaction. Apple had quietly patched the flaw in iOS 18.3.1, which was released on February 10, but the details of the vulnerability were not publicized until recently.

The security advisory was updated four months after the initial iOS release to include the zero-day flaw, described as a logic issue when processing a maliciously crafted photo or video shared via an iCloud Link. Apple stated that they were aware of a report that this issue was exploited in an "extremely sophisticated attack against specific targeted individuals." Citizen Lab confirmed that this was the flaw used against Italian journalist Ciro Pellegrino and an unnamed "prominent" European journalist.

Citizen Lab also confirmed that Paragon's Graphite spyware was used to hack the journalists' iPhones. This incident is part of a growing trend of mercenary spyware operators exploiting iOS through silent attack chains. The now-confirmed infections call into question a report by Italian lawmakers, which didn't mention one of the hacked journalists. It remains unclear why Apple did not disclose the existence of the patched flaw until four months after the release of the iOS update, and an Apple spokesperson did not respond to a request for comment seeking clarity.

Recommended read:
References :
  • infosec.exchange: NEW: Four months after releasing iOS 18.3.1, Apple has published details about a zero-day that it fixed at the time, but did not publicize.
  • Zack Whittaker: Citizen Lab have confirmed two journalists had their phones hacked with Paragon's Graphite spyware, likely by the same customer.
  • securityaffairs.com: Security researchers at Citizen Lab revealed that Paragon’s Graphite spyware can hack fully updated iPhones via zero-click attacks.
  • techcrunch.com: Apple fixes new iPhone zero-day bug used in Paragon spyware hacks
  • The Citizen Lab: Graphite Caught: First Forensic Confirmation of Paragon’s iOS Mercenary Spyware Finds Journalists Targeted - The Citizen Lab
  • infosec.exchange: Researchers found forensic evidence of Paragon's spyware on the iPhones of two journalists. One is Ciro Pellegrino, who works for Fanpage.
  • Zack Whittaker: NEW: Apple has confirmed in a now-updated February security advisory that it fixed a zero-day bug used in an "extremely sophisticated attack."
  • cyberinsider.com: New Zero-Click iMessage Exploit Infected iPhones with Paragon Spyware
  • securityaffairs.com: Apple confirmed that Messages app flaw was actively exploited in the wild
  • The Hacker News: Apple Zero-Click Flaw in Messages Exploited to Spy on Journalists Using Paragon Spyware
  • Help Net Security: iOS zero-click attacks used to deliver Graphite spyware (CVE-2025-43200)
  • Risky.Biz: Risky Bulletin: Predator spyware alive despite US sanctions
  • Threats | CyberScoop: Predator spyware activity surfaces in new places with new tricks
  • Risky Business Media: Predator spyware alive despite US sanctions
  • www.scworld.com: New Predator spyware activity identified
  • cyberscoop.com: The spyware’s developer, Intellexa, has been under pressure due to sanctions and public disclosure, but Recorded Future uncovered fresh activity.
  • thecyberexpress.com: Apple Patches Flaw Exploited in Zero-click Paragon Spyware Attacks
  • www.metacurity.com: Customers keep buying Predator spyware despite US sanctions
  • Schneier on Security: Paragon Spyware Used to Spy on European Journalists
  • citizenlab.ca: First forensic confirmation of Paragon's iOS mercenary spyware finds journalists targeted
  • thecyberexpress.com: Apple Patches Flaw Exploited in Zero-click Paragon Spyware Attacks

The Hacker News@thehackernews.com //
The Rare Werewolf APT group, also known as Librarian Ghouls and Rezet, has been actively targeting Russian enterprises and engineering schools since at least 2019, with activity continuing through May 2025. This advanced persistent threat group distinguishes itself by primarily utilizing legitimate third-party software instead of developing its own malicious tools. The attacks are characterized by the use of command files and PowerShell scripts to establish remote access to compromised systems, steal credentials, and deploy the XMRig cryptocurrency miner. The campaign has impacted hundreds of Russian users, with additional infections reported in Belarus and Kazakhstan.

The group's initial infection vector typically involves targeted phishing emails containing password-protected archives with executable files disguised as official documents or payment orders. Once the victim opens the attachment, the attackers deploy a legitimate tool called 4t Tray Minimizer to obscure their presence on the compromised system. They also use tools like Defender Control to disable antivirus software and Blat, a legitimate utility, to send stolen data via SMTP. The attackers actively refine their tactics, and a new wave of attacks emerged immediately after a slight decline in December 2024.

A key aspect of the Rare Werewolf APT's strategy involves the use of a Windows batch script that launches a PowerShell script, scheduling the victim system to wake up at 1 AM local time and providing a four-hour window for remote access via AnyDesk. The machine is then shut down at 5 AM through a scheduled task, minimizing the chance of detection. The attackers also collect information about available CPU cores and GPUs to optimally configure the crypto miner. Besides cryptomining, the group has also been known to steal sensitive documents, passwords, and compromise Telegram accounts.

Recommended read:
References :
  • The Hacker News: Research focusing on the group's methods, including its use of legitimate software.
  • therecord.media: Report of the malicious campaign targeting Russian enterprises.

The Hacker News@The Hacker News //
ConnectWise is rotating the code signing certificates for ScreenConnect after a third-party researcher raised concerns about how earlier versions handled certain configuration data: the data was stored in an unsigned area of the installer. That area is intended for customization, but its coupling with the product's remote control capabilities created what ConnectWise describes as a potentially insecure design pattern by current security standards. The company stresses that the rotation is unrelated to the recent nation-state attacks affecting some of its customers.
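The page does not say which unsigned area of the installer held the configuration data. One region of a signed Windows executable that the Authenticode hash deliberately excludes is the certificate table itself (the IMAGE_DIRECTORY_ENTRY_SECURITY data directory), so bytes appended there after the PKCS#7 blob travel with a valid signature. The checker below is an added example, not ConnectWise code and not a statement about ScreenConnect's actual layout; it assumes that table is the area in question, parses only the PE fields it needs, and builds its own constructed, non-loadable PE32+ skeleton so it can run offline.

```python
"""Check whether a signed PE carries data inside the unsigned part of its certificate table.

Added example, not ConnectWise code. Assumption: the "unsigned area of the installer" is the
Authenticode certificate table, which the Authenticode hash excludes, so bytes placed after
the PKCS#7 blob inside that table do not invalidate the signature. The sample PE is
constructed in build_sample_pe(); it is parseable but not loadable.
"""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
PE32PLUS_MAGIC = 0x20B
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def der_total_length(buf: bytes, off: int) -> int:
    """Total length (tag + length + value) of the outer DER SEQUENCE starting at off."""
    if buf[off] != 0x30:
        raise ValueError("certificate table does not start with a DER SEQUENCE")
    first = buf[off + 1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    return 2 + n + int.from_bytes(buf[off + 2:off + 2 + n], "big")


def find_unsigned_slack(pe: bytes) -> dict:
    """Locate the certificate table and report bytes in it that lie beyond the PKCS#7 blob."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 24                   # 4-byte signature + 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    data_dirs = opt + (112 if magic == PE32PLUS_MAGIC else 96)   # PE32+ vs PE32 optional header
    cert_off, cert_size = struct.unpack_from("<II", pe, data_dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if cert_size == 0:
        return {"signed": False}
    # WIN_CERTIFICATE header: dwLength, wRevision, wCertificateType, then bCertificate (PKCS#7).
    dw_length, revision, cert_type = struct.unpack_from("<IHH", pe, cert_off)
    pkcs7_start = cert_off + 8
    pkcs7_len = der_total_length(pe, pkcs7_start)
    slack = pe[pkcs7_start + pkcs7_len:cert_off + dw_length]
    return {
        "signed": True,
        "cert_table_offset": cert_off,
        "cert_table_size": cert_size,
        "revision": revision,
        "cert_type": cert_type,
        "pkcs7_length": pkcs7_len,
        "slack_len": len(slack),
        # Zero bytes are ordinary quadword padding; anything else is data the signature does not cover.
        "hidden_data": slack.strip(b"\x00"),
        # File content after the table; reported for inspection, not judged here.
        "bytes_after_cert_table": len(pe) - (cert_off + cert_size),
    }


def build_sample_pe(hidden: bytes) -> bytes:
    """Constructed PE32+ skeleton with a fake certificate table; `hidden` is appended after the DER blob."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                            # e_lfanew: PE header at offset 64
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)    # x64, no sections, 240-byte optional header
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    # Stand-in for a PKCS#7 SignedData blob: outer SEQUENCE wrapping the signedData OID plus filler.
    body = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02" + b"\xaa" * 20
    der = b"\x30" + bytes([len(body)]) + body
    cert_body = der + hidden
    dw_length = 8 + len(cert_body)
    padding = (-dw_length) % 8                                       # table entries are quadword aligned
    win_cert = (struct.pack("<IHH", dw_length, WIN_CERT_REVISION_2_0, WIN_CERT_TYPE_PKCS_SIGNED_DATA)
                + cert_body + b"\x00" * padding)
    cert_off = 512
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_off, len(win_cert))
    header = bytes(dos) + b"PE\0\0" + coff + bytes(opt)
    return header + b"\x00" * (cert_off - len(header)) + win_cert


if __name__ == "__main__":
    sample = build_sample_pe(b'{"relay":"relay.example.invalid","token":"..."}')
    print(find_unsigned_slack(sample)["hidden_data"])
```

Run find_unsigned_slack over a real installer (`open(path, "rb").read()`) and treat any non-empty hidden_data as configuration or payload that the publisher's signature does not vouch for; that is the property a code-signing certificate is supposed to give you, and the reason a product that relied on such bytes would need to change its design rather than just its certificate.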

ConnectWise is shipping an update that changes how ScreenConnect manages this configuration data, saying it is acting "due to concerns raised by a third-party researcher about how ScreenConnect handled certain configuration data in earlier versions." The certificate rotation is scheduled to complete on Friday, June 13 at 8:00 p.m. ET, and ConnectWise is already updating certificates and agents across its cloud instances of Automate and RMM.

Customers running on-premise ScreenConnect or Automate must update to the latest build and validate all agents before that deadline; customers of ScreenConnect, Automate and ConnectWise RMM generally are urged to update all agents, or confirm the update has been deployed, by the same time. Agents not updated by then risk service disruptions. ConnectWise acknowledges the burden this places on customers and has committed to supporting them through the transition.


The Hacker News@The Hacker News //
A new account takeover (ATO) campaign, tracked as UNK_SneakyStrike, is actively targeting Microsoft Entra ID user accounts. Proofpoint researchers have found that the campaign uses the open-source TeamFiltration pentesting framework to breach accounts. The activity has been ongoing since December 2024, with a surge in login attempts affecting more than 80,000 user accounts across hundreds of organizations' cloud tenants. Because a successful takeover can lead to data exfiltration and further malicious activity, the campaign poses a significant threat to cloud security.

The attackers use TeamFiltration to identify valid user accounts and then password-spray them to gain access. They have been observed using the Microsoft Teams API and Amazon Web Services (AWS) servers in several geographic regions to carry out the user enumeration and password-spraying. Once an account is compromised, the attackers can access sensitive data and may upload malicious files to the target user's OneDrive. The campaign shows how a legitimate pentesting tool can be turned to malicious ends and underlines the need for robust defences.

Organizations are advised to monitor for indicators associated with UNK_SneakyStrike. According to the researchers, the unauthorized access attempts arrive in concentrated bursts that target a wide range of users within a single cloud environment, followed by quiet periods. In smaller tenants the attackers appear to try every user account; in larger tenants they focus on a subset of users. Defenders should check whether any of their organization's accounts have been compromised and strengthen authentication to prevent further takeovers.
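The burst pattern described above (many distinct users, one or two attempts each, from one source in a short window) is the signature of a spray rather than a brute-force attempt, and it is visible in Entra ID sign-in logs. The detector below is an added example, not Proofpoint's logic; it keys on the sign-in log fields createdDateTime, userPrincipalName, ipAddress and status.errorCode, and runs on constructed records whose users, tenant and times are invented and whose IP addresses come from the RFC 5737 documentation ranges.

```python
"""Detect burst password spraying in Microsoft Entra ID sign-in logs.

Added example, not Proofpoint's detection logic. Works on the sign-in log fields
createdDateTime, userPrincipalName, ipAddress and status.errorCode. The records below are
constructed: users, tenant and times are invented, IPs are RFC 5737 documentation addresses.
Error code 50126 is Entra's "invalid username or password"; 0 is a successful sign-in.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def _signin(t: str, upn: str, ip: str, code: int) -> dict:
    return {"createdDateTime": t, "userPrincipalName": upn, "ipAddress": ip, "status": {"errorCode": code}}


SAMPLE_SIGNINS = [
    # One source hitting eight different users once each within a few minutes: spray, not brute force.
    *[_signin(f"2025-06-01T02:1{i}:03Z", f"user{i}@contoso.example", "203.0.113.77", 50126) for i in range(8)],
    # ... followed by a success for one of the sprayed users from the same source.
    _signin("2025-06-01T02:19:40Z", "user3@contoso.example", "203.0.113.77", 0),
    # A user mistyping a password three times, then getting in: not a spray.
    _signin("2025-06-01T08:01:10Z", "alice@contoso.example", "198.51.100.10", 50126),
    _signin("2025-06-01T08:01:25Z", "alice@contoso.example", "198.51.100.10", 50126),
    _signin("2025-06-01T08:01:50Z", "alice@contoso.example", "198.51.100.10", 50126),
    _signin("2025-06-01T08:02:15Z", "alice@contoso.example", "198.51.100.10", 0),
]


def detect_password_spray(records: list, window_minutes: int = 10, min_users: int = 5,
                          max_per_user: int = 2) -> list:
    """Per source IP, slide a time window over its sign-ins. A window in which many distinct
    users fail with few attempts each is a spray; a later success from that IP is escalated."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ipAddress"]].append((_ts(r["createdDateTime"]), r["userPrincipalName"], r["status"]["errorCode"]))
    window = timedelta(minutes=window_minutes)
    findings = []
    for ip, events in by_ip.items():
        events.sort()
        best = None
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            failures = defaultdict(int)
            for _, user, code in events[start:end + 1]:
                if code != 0:
                    failures[user] += 1
            # Spray shape: breadth across users, shallow depth per user.
            if len(failures) >= min_users and max(failures.values()) <= max_per_user:
                if best is None or len(failures) > best["distinct_users"]:
                    best = {"rule": "password_spray", "ip": ip, "distinct_users": len(failures),
                            "attempts": sum(failures.values()),
                            "start": events[start][0], "end": events[end][0]}
        if best is None:
            continue
        findings.append(best)
        # Any success from a spraying source after the burst began is the account to lock first.
        for t, user, code in events:
            if code == 0 and t >= best["start"]:
                findings.append({"rule": "success_after_spray", "ip": ip, "user": user, "time": t})
    return findings


if __name__ == "__main__":
    for f in detect_password_spray(SAMPLE_SIGNINS):
        print(f)
```

Tune min_users to tenant size: the report notes the attackers try every account in small tenants but only a subset in large ones, so a fixed absolute threshold misses small-tenant sprays while a fixed percentage misses large-tenant ones. Source IP is a weak key when the spraying rotates through cloud provider addresses; grouping by autonomous system or by user-agent string in the same sliding window is the natural extension.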

Recommended read:
References :
  • Virus Bulletin: Proofpoint threat researchers have recently uncovered an active account takeover (ATO) campaign, tracked as UNK_SneakyStrike, using the TeamFiltration pentesting framework to target Entra ID user accounts.
  • The Hacker News: Over 80,000 Microsoft Entra ID Accounts Targeted Using Open-Source TeamFiltration Tool
  • Help Net Security: Researchers warn of ongoing Entra ID account takeover campaign
  • ciso2ciso.com: Over 80,000 Microsoft Entra ID Accounts Targeted Using Open-Source TeamFiltration Tool – Source:thehackernews.com
  • www.helpnetsecurity.com: Researchers warn of ongoing Entra ID account takeover campaign
  • Proofpoint Threat Insight: Attackers Unleash TeamFiltration Account Takeover Campaign
  • BleepingComputer: Password-spraying attacks target 80,000 Microsoft Entra ID accounts
  • Techzine Global: Cybercriminals are using the TeamFiltration pentesting tool in a large-scale campaign targeting Office 365 accounts. The attacks, attributed to UNK_SneakyStrike, have so far targeted more than 80,000 user accounts.
  • www.scworld.com: TeamFiltration pentesting tool harnessed in global Microsoft Entra ID attack campaign
  • bsky.app: Reported UNK_SneakyStrike campaigns have leveraged TeamFiltration which can steal the victim’s Cookies, Password, History, Bookmarks and AutoFill data.
  • sra.io: UNK_SneakyStrike weaponizes TeamFiltration tool targeting 80K+ Entra ID accounts via AWS infrastructure. #AccountTakeover #Microsoft365 #AWS
  • Security Risk Advisors: UNK_SneakyStrike Campaign Weaponizes TeamFiltration Tool to Target 80,000 Entra ID Accounts

@cyberscoop.com //
INTERPOL has announced the conclusion of Operation Secure, a global initiative against the infrastructure behind information-stealing malware. The operation ran from January to April 2025 and brought together law enforcement agencies from 26 countries, which worked together to locate servers, map physical networks and execute targeted takedowns. The coordinated effort dismantled more than 20,000 malicious IP addresses and domains associated with 69 infostealer variants, significantly disrupting cybercriminal activity worldwide.

Operation Secure also led to the seizure of 41 servers and more than 100 GB of data, giving investigators valuable insight into how the criminals operate. A total of 32 suspects were arrested across several countries, demonstrating the value of international cooperation against cybercrime. Eighteen of the arrests took place in Vietnam, where authorities seized devices, SIM cards, business registration documents and a substantial sum of cash, exposing a scheme to open corporate accounts and sell them for illicit use.

Private-sector cybersecurity firms, including Group-IB, Kaspersky and Trend Micro, supported the operation with intelligence and Cyber Activity Reports for the participating cyber teams; 79% of the identified suspicious IP addresses were taken down. Hong Kong police analysed more than 1,700 pieces of intelligence and identified 117 command-and-control servers used to run phishing schemes, online fraud and social media scams.

Recommended read:
References :
  • www.helpnetsecurity.com: Operation Secure takes down 20,000 malicious IPs and domains.
  • The Hacker News: INTERPOL Dismantles 20,000+ Malicious IPs Linked to 69 Malware Variants in Operation Secure
  • therecord.media: Interpol said a global operation successfully targeted the infrastructure of infostealer malware.
  • cyberinsider.com: INTERPOL Seizes 20,000 Infostealer-Linked Assets, Arrests 32 Operators
  • Threats | CyberScoop: Operation Secure targeted malicious IPs, domains and servers used for infostealer operations that claimed more than 216,000 victims.
  • hackread.com: Operation Secure: INTERPOL Disrupts 20,000 Infostealer Domains, 32 Arrested
  • securityaffairs.com: Operation Secure: INTERPOL dismantles 20,000+ malicious IPs in major cybercrime crackdown
  • The Record: Interpol said a global operation successfully targeted the infrastructure of infostealer malware.
  • www.cybersecuritydive.com: Global law-enforcement operation targets infostealer malware
  • CyberInsider: INTERPOL Seizes 20,000 Infostealer-Linked Assets, Arrests 32 Operators
  • cyberscoop.com: Global law enforcement action in Asia nets large infrastructure seizure, 32 arrests
  • www.trendmicro.com: Operation Secure: Trend Micro's Threat Intelligence Fuels INTERPOL's Infostealer Infrastructure Takedown
  • Tech Monitor: Interpol’s cybercrime operation dismantles over 20,000 malicious domains
  • securityonline.info: Interpol & Asian Agencies Dismantle Major Malware Infrastructure: 20,000 Malicious IPs Blocked