CyberSecurity news

FlagThis - #cybersecurity

@cyble.com //
A China-linked advanced persistent threat (APT) group tracked as UNC5221 has been actively exploiting two vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM). Researchers from EclecticIQ observed the group chaining CVE-2025-4427, an authentication bypass, with CVE-2025-4428, a remote code execution flaw, against organizations across Europe, North America, and the Asia-Pacific region. Chained together, the two give an unauthenticated attacker code execution on the EPMM server, and with it deep access to the compromised system and the mobile fleet it manages.

The targeted sectors include critical infrastructure such as telecommunications, healthcare, government, defense, finance, and aviation. Exploitation began shortly after the flaws were disclosed, showing how quickly UNC5221 moved to take advantage of them. CISA has added the Ivanti EPMM flaws, among others, to its Known Exploited Vulnerabilities (KEV) catalog, emphasizing the severity of the risk and urging organizations to apply the available patches.

The attacks facilitate further intrusion and data exfiltration, potentially leading to significant breaches and compromise of sensitive information. This campaign underscores the ongoing threat posed by state-sponsored cyberespionage and the importance of proactive security measures to defend against such attacks.

Recommended read:
References :
  • securityaffairs.com: China-linked APT UNC5221 started exploiting Ivanti EPMM flaws shortly after their disclosure
  • ciso2ciso.com: China-linked APT exploit Ivanti EPMM flaws to target critical sectors across Europe, North America, and Asia-Pacific, according to EclecticIQ.
  • The Hacker News: Researchers from EclecticIQ observed a China-linked APT group that chained two Ivanti EPMM flaws, tracked as CVE-2025-4427 and CVE-2025-4428, in attacks against organizations in Europe, North America, and Asia-Pacific.

@cyberinsider.com //
Adidas has confirmed a data breach impacting customer data via a third-party customer service provider. According to Adidas, the compromised data primarily consists of contact information of customers who had previously contacted their customer service help desk. The company assures that sensitive information like passwords, credit card, or any other payment-related information were not affected in the incident.

Adidas became aware that an unauthorized external party obtained certain consumer data through a third-party customer service provider. Adidas has immediately taken steps to contain the incident and launched a comprehensive investigation, collaborating with leading information security experts. The company is currently notifying affected customers and is cooperating with data protection authorities and investigators as required by law.

This breach marks the third publicly acknowledged incident involving the sportswear giant’s customer service systems recently. The company is working to clarify the situation, reinforcing the importance of securing third-party providers to prevent them from becoming a gateway for attackers to access target systems. Adidas expressed that they remain fully committed to protecting the privacy and security of their consumers and sincerely regret any inconvenience or concern caused by this incident.

Recommended read:
References :
  • cyberinsider.com: Adidas Hit by Third Customer Data Breach Linked to Support Systems
  • The Register - Security: Adidas confirms criminals stole data from customer service provider
  • The420.in: Adidas Falls Victim to Cyberattack Amid Retail Industry Wave
  • BleepingComputer: Adidas warns of data breach after customer service provider hack
  • www.it-daily.net: Data leak at Adidas: contact data tapped via third-party providers
  • bsky.app: German sportswear giant Adidas disclosed a data breach after attackers hacked a customer service provider and stole some customers' data.
  • Graham Cluley: Adidas customers’ personal information at risk after data breach
  • hackread.com: Adidas Confirms Cyber Attack, Customer Data Stolen
  • Graham Cluley: Adidas customers' personal information at risk after third-party data breach.
  • techinformed.com: Adidas becomes latest consumer brand to be hit with a cyber breach
  • www.techradar.com: Adidas confirms customer data stolen in worrying cyberattack
  • www.techdigest.tv: Adidas customer data stolen in latest retail cyber attack
  • PCMag UK security: Adidas Confirms Data Breach, Customer Contact Details Exposed
  • Rescana: April 2025 Adidas Data Breach: Supply Chain Attack via Third-Party Customer Service Provider

@www.helpnetsecurity.com //
A newly identified Russian cyber-espionage group, known as Laundry Bear by Dutch intelligence and Void Blizzard by Microsoft, has been actively targeting Western organizations since at least April 2024. This group is believed to be backed by the Russian government and is primarily focused on gathering intelligence to support Russian strategic interests. Laundry Bear's targets include government entities, defense contractors, aerospace firms, and high-tech businesses in Europe and North America, particularly those supporting Ukraine. The group's activities suggest an interest in sensitive information related to military goods, weapons deliveries, and advanced technologies that are difficult for Russia to acquire due to Western sanctions.

The primary objective of Laundry Bear is to steal sensitive emails and files from compromised systems. It does so by targeting cloud-hosted email and collaboration services, in particular Microsoft Exchange Online and SharePoint Online. The group employs a range of techniques to obtain credentials and sessions: pass-the-cookie attacks, in which a stolen browser session cookie is replayed so that neither the password nor an MFA prompt is needed, password spraying, and spear phishing aimed at credential theft. Notably, the Dutch intelligence services identified Laundry Bear during an investigation into a credential-stealing attack against the Dutch National Police in September 2024. In that attack, Laundry Bear used a stolen session cookie to access an account belonging to a Dutch police employee and obtained work-related contact information of other police employees.

Microsoft has also observed Laundry Bear targeting critical sectors such as government, defense, transportation, media, NGOs, and healthcare, with a focus on organizations in Europe, North America, NATO member states, and Ukraine. The group frequently gains initial access with stolen credentials, likely purchased from online marketplaces that trade infostealer logs. Despite relatively simple methods and off-the-shelf tools, Laundry Bear has achieved a high success rate through fast-paced operations and efficient automation. Microsoft recommends that organizations harden against credential theft, for example with multifactor authentication and conditional access policies that reject sign-ins from unexpected devices and locations.
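The two techniques named above, pass-the-cookie and password spraying, leave distinct traces in identity-provider sign-in logs. The following is an added example, not code from Microsoft, the AIVD/MIVD or any of the cited articles: it runs two detections over a handful of constructed sign-in records. The field names (ts, user, session, ip, ua, result) and every value are assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records in the shape of cloud identity-provider audit logs
# (not real telemetry); the field names are an assumption, the values are made up.
EVENTS = [
    {"ts": "2024-09-10T08:01:00Z", "user": "a.jansen", "session": "sess-1",
     "ip": "145.10.0.5", "ua": "Edge/128 Windows", "result": "success"},
    {"ts": "2024-09-10T08:20:00Z", "user": "a.jansen", "session": "sess-1",
     "ip": "145.10.0.5", "ua": "Edge/128 Windows", "result": "success"},
    # same session id, new client and network, no fresh authentication: a replayed cookie
    {"ts": "2024-09-10T11:42:00Z", "user": "a.jansen", "session": "sess-1",
     "ip": "185.220.101.7", "ua": "Chrome/125 Linux", "result": "success"},
    {"ts": "2024-09-10T09:00:00Z", "user": "b.vries", "session": "sess-2",
     "ip": "145.10.0.9", "ua": "Outlook/16 Windows", "result": "success"},
    # one source, one attempt each against many accounts inside a minute: a spray
    {"ts": "2024-09-10T03:00:10Z", "user": "c.bakker", "session": None,
     "ip": "203.0.113.9", "ua": "python-requests/2.31", "result": "failure"},
    {"ts": "2024-09-10T03:00:25Z", "user": "d.smit", "session": None,
     "ip": "203.0.113.9", "ua": "python-requests/2.31", "result": "failure"},
    {"ts": "2024-09-10T03:00:41Z", "user": "e.visser", "session": None,
     "ip": "203.0.113.9", "ua": "python-requests/2.31", "result": "failure"},
    {"ts": "2024-09-10T03:01:03Z", "user": "f.meijer", "session": None,
     "ip": "203.0.113.9", "ua": "python-requests/2.31", "result": "failure"},
    # a user mistyping their own password is not a spray
    {"ts": "2024-09-10T07:59:00Z", "user": "b.vries", "session": None,
     "ip": "145.10.0.9", "ua": "Outlook/16 Windows", "result": "failure"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_cookie_reuse(events):
    """Flag a session id that is accepted from more than one (ip, user agent) pair.

    A cookie lifted by an adversary-in-the-middle proxy or an infostealer keeps the
    server-side session id but is replayed from the attacker's own browser and network,
    so the client fingerprint changes while the session does not. In production compare
    ASN or country rather than raw IP, since mobile and VPN users change address legitimately.
    """
    clients = defaultdict(set)
    for e in events:
        if e["result"] == "success" and e["session"]:
            clients[(e["user"], e["session"])].add((e["ip"], e["ua"]))
    return {k: sorted(v) for k, v in clients.items() if len(v) > 1}


def detect_password_spray(events, min_users=4, window=timedelta(minutes=30)):
    """Flag a source IP that fails against at least min_users distinct accounts inside a
    sliding window. Sprays stay under per-account lockout thresholds, so the signal is
    breadth across users from one source, not depth against one user."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            failures[e["ip"]].append((parse_ts(e["ts"]), e["user"]))
    hits = {}
    for ip, fails in failures.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - start <= window}
            if len(users) >= min_users:
                hits[ip] = sorted(users)
                break
    return hits


if __name__ == "__main__":
    print("replayed sessions:", detect_cookie_reuse(EVENTS))
    print("spray sources:", detect_password_spray(EVENTS))
```

On the constructed data the first detection returns the a.jansen session seen from two different clients, and the second returns only 203.0.113.9 with its four targeted accounts; the single failed login by b.vries from the normal office address is not reported. Both checks are deliberately simple so the thresholds can be tuned against real baselines.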

Recommended read:
References :
  • The Hacker News: Microsoft has shed light on a previously undocumented cluster of malicious activity originating from a Russia-affiliated threat actor dubbed Void Blizzard (aka Laundry Bear) that it said is attributed to worldwide cloud abuse.
  • www.helpnetsecurity.com: Microsoft, Dutch security agencies lift veil on Laundry Bear cyber espionage group
  • Threats | CyberScoop: New Russian state-sponsored APT quickly gains global reach, hitting expansive targets
  • therecord.media: Recent attacks on institutions in the Netherlands were the work of a previously unknown Russian hacking group that Dutch intelligence agencies are labeling Laundry Bear. Microsoft also reported on the group, naming it Void Blizzard.
  • www.microsoft.com: Microsoft Threat Intelligence has discovered a cluster of worldwide cloud abuse activity conducted by a threat actor we track as Void Blizzard, who we assess with high confidence is Russia-affiliated and has been active since at least April 2024.
  • www.defensie.nl: Onbekende Russische groep achter hacks Nederlandse doelen (Unknown Russian group behind hacks of Dutch targets): the group is behind the hacks on several Dutch organizations, including the police in September 2024.
  • thecyberexpress.com: New Russian Cyber Threat ‘Laundry Bear’ Hits Western Targets
  • www.csoonline.com: New Russian APT group Void Blizzard targets NATO-based orgs after infiltrating Dutch police
  • The Register - Security: New Russian cyber-spy crew Laundry Bear joins the email-stealing pack
  • securityonline.info: Void Blizzard: New Russian Cyberespionage Group Targets NATO and Ukraine
  • securityaffairs.com: Russia-linked APT Laundry Bear linked to 2024 Dutch Police attack
  • industrialcyber.co: Microsoft details Void Blizzard as Russian cyber threat targeting global critical infrastructure
  • Virus Bulletin: Microsoft Threat Intelligence, in collaboration with Dutch security organizations AIVD & MIVD, observed Void Blizzard (a.k.a. LAUNDRY BEAR) conducting espionage operations primarily targeting organizations that are important to Russian government objectives.
  • www.cybersecuritydive.com: Microsoft, Dutch government spot new Russian hacking group targeting critical infrastructure
  • Metacurity: Russian group Laundry Bear hacked Dutch police, targets Ukraine-allied nations
  • Vulnerable U: Void Blizzard hackers raid NATO cloud tenants with Evilginx phishing
  • Danny Palmer: A new Russian APT (LAUNDRY BEAR) is tearing through defence and government entities in NATO member states using stripped back and heavily automated threat techniques that nonetheless went widely undetected until they were spotted by the Dutch police, the Netherlands’s security services revealed.

@securityonline.info //
A critical security vulnerability has been reported in vBulletin forum software, tracked as CVE-2024-45721, that enables unauthenticated attackers to execute arbitrary code on unpatched systems. This flaw puts millions of online communities at risk of full server compromise. The vulnerability affects vBulletin versions 6.0.0 through 6.1.4 and stems from improper sanitization of user inputs in template rendering modules. Discovered by cybersecurity firm SentinelWatch on May 22, 2025, the flaw has already seen significant exploitation, with more than 12,000 attack attempts against forums in various sectors within 48 hours of public disclosure.

Exploitation of the vulnerability involves crafting malicious forum posts containing payloads that bypass built-in sandboxing through parameter smuggling techniques. Attackers leverage vBulletin’s `vb:rawtemplate` directive, which fails to properly validate nested function calls when processing user-generated content. Successful exploitation grants SYSTEM-level privileges on Windows hosts and www-data access on Linux systems, enabling the installation of web shells, credential harvesters, and cryptocurrency miners. Proof-of-concept exploits have demonstrated the ability to execute OS commands even when PHP security hardening measures are present, by using PHP's `unserialize()` function with crafted OPcache configurations to bypass `disable_functions` restrictions.

In response to the widespread exploitation, vBulletin released patch 6.1.5 on May 25, 2025, which introduces granular template validation. However, as of the latest reports, 68% of installations remain unupdated, leaving a significant number of forums vulnerable. Observed attack clusters include cryptojacking campaigns, data exfiltration, and precursors to ransomware attacks. Notably, 58% of compromised forums had hidden Monero miners installed, while attackers cloned user databases from 23 gaming communities containing 14 million records, now circulating on dark web markets. Additionally, six enterprise forums received tailored malware potentially leading to Black Basta ransomware deployment.

Recommended read:
References :
  • cyberpress.org: Severe vBulletin Forum Flaw Enables Remote Code Execution
  • securityonline.info: Critical Pre-Auth RCE: vBulletin Flaw Allows Full Server Compromise (PoC Available)
  • infosec.exchange: A newly discovered vulnerability in vBulletin, one of the world’s most popular forum platforms, has exposed thousands of online communities to the risk of unauthenticated Remote Code Execution
  • Cyber Security News: Severe vBulletin Forum Flaw Enables Remote Code Execution

karlo.zanki@reversinglabs.com (Karlo) @ Blog (Main) //
ReversingLabs (RL) researchers have uncovered a malicious campaign on the Python Package Index (PyPI) that abuses the Pickle serialization format, which executes arbitrary code when a crafted file is deserialized. The threat actors published packages posing as a "Python SDK for interacting with Aliyun AI Labs services," aimed at users of Alibaba's AI Labs. Once installed, the package loads a PyTorch model whose Pickle payload is an infostealer, exfiltrating machine details and the contents of the user's .gitconfig file. The case shows attackers moving malicious code into ML model files, which many tools still load without scrutiny, as a way to compromise software supply chains.

Another significant security concern is the rise of ransomware attacks employing social engineering tactics. The 3AM ransomware group has been observed impersonating IT support personnel to trick employees into granting them remote access to company networks. Attackers flood an employee's inbox with unsolicited emails and then call, pretending to be from the organization's IT support, using spoofed phone numbers to add credibility. They then convince the employee to run Microsoft Quick Assist, granting them remote access to "fix" the email issue, allowing them to deploy malicious payloads, create new user accounts with admin privileges, and exfiltrate large amounts of data. This highlights the need for comprehensive employee training to recognize and defend against social engineering attacks.

The US Department of Justice has announced charges against 16 Russian nationals allegedly tied to the DanaBot malware operation, which has infected at least 300,000 machines worldwide. The indictment describes how DanaBot was used in both for-profit criminal hacking and espionage against military, government, and NGO targets. This case illustrates the blurred lines between cybercrime and state-sponsored cyberwarfare, with a single malware operation enabling various malicious activities, including ransomware attacks, cyberattacks in Ukraine, and spying. The Defense Criminal Investigative Service (DCIS) has seized DanaBot infrastructure globally, underscoring the severity and scope of the threat posed by this operation.

Recommended read:
References :
  • Blog (Main): Malicious attack method on hosted ML models now targets PyPI
  • www.tripwire.com: 3AM ransomware attack poses as a call from IT support to compromise networks
  • www.wired.com: Feds Charge 16 Russians Allegedly Tied to Botnets Used in Ransomware, Cyberattacks, and Spying

Waqas@hackread.com //
A misconfigured, publicly reachable database has exposed more than 184 million login credentials for accounts on services including Google, Microsoft, Facebook, and Apple. The unprotected database, holding 184,162,718 records, was discovered by security researcher Jeremiah Fowler. The exposed data includes logins for accounts connected to multiple governments, which underlines the potential impact.

The exposed Elasticsearch database, more than 47 GB in size, held the credentials in plain text with no encryption, password protection, or other access control. Fowler noted the unusual nature of the discovery: the database offered no clues about its owner or the source of the data, though the shape of the records suggests they were harvested by infostealer malware. Compiling credentials for many services into a single, unsecured repository makes that repository a high-value target in itself.

The incident underscores the importance of robust data security practices and the potential consequences of misconfigured or unsecured databases. The exposure of millions of plaintext passwords and login credentials raises significant concerns about potential misuse and unauthorized access to personal accounts. The discovery serves as a stark reminder of the need for organizations to prioritize data protection and implement strong security measures to safeguard sensitive user information.

Recommended read:
References :
  • hackread.com: Database Leak Reveals 184 Million Infostealer-Harvested Emails and Passwords
  • PCMag UK security: Security Nightmare: Researcher Finds Trove of 184M Exposed Logins for Google, Apple, More
  • WIRED: Mysterious Database of 184 Million Records Exposes Vast Array of Login Credentials
  • www.zdnet.com: Massive data breach exposes 184 million passwords for Google, Microsoft, Facebook, and more
  • Davey Winder: 184,162,718 Passwords And Logins Leaked — Apple, Facebook, Snapchat
  • DataBreaches.Net: Mysterious database of 184 million records exposes vast array of login credentials
  • 9to5Mac: Apple logins with plain text passwords found in massive database of 184M records
  • www.engadget.com: Someone Found Over 180 Million User Records in an Unprotected Online Database
  • borncity.com: Suspected InfoStealer data leak exposes 184 million login data
  • databreaches.net: The possibility that data could be inadvertently exposed in a misconfigured or otherwise unsecured database is a longtime privacy nightmare that has been difficult to fully address.
  • borncity.com: [German]Security researcher Jeremiah Fowler came across a freely accessible and unprotected database on the Internet. The find was quite something, as a look at the data sets suggests that it was probably data collected by InfoStealer malware. Records containing 184 …
  • securityonline.info: 184 Million Leaked Credentials Found in Open Database
  • Know Your Adversary: 184 Million Records Database Leak: Microsoft, Apple, Google, Facebook, PayPal Logins Found
  • securityonline.info: Security researchers have identified a database containing a staggering 184 million account credentials.

@ketteringhealth.org //
Kettering Health, a healthcare network operating 14 medical centers and over 120 outpatient facilities in western Ohio, has been hit by a ransomware attack causing a system-wide technology outage. The cyberattack, which occurred on Tuesday, May 20, 2025, has forced the cancellation of elective inpatient and outpatient procedures and has disrupted access to critical patient care systems, including phone lines, the call center, and the MyChart patient portal. Emergency services remain operational, but emergency crews are being diverted to other facilities due to the disruption. Kettering Health has confirmed they are responding to the cybersecurity incident involving unauthorized access to its network and has taken steps to contain and mitigate the breach, while actively investigating the situation.

The ransomware attack is suspected to involve the Interlock ransomware gang, which emerged in fall 2024 and has targeted various sectors, including tech and manufacturing firms and government organizations. A ransom note, viewed by CNN, claimed the attackers had secured Kettering Health's most vital files and threatened to leak stolen data unless the health network began negotiating an extortion fee. In response to the disruption, Kettering Health has canceled elective procedures and is rescheduling them for a later date. Additionally, the organization is cautioning patients about scam calls from individuals posing as Kettering Health team members requesting credit card payments and has halted normal billing calls as a precaution.

The incident highlights the increasing cybersecurity challenges facing healthcare systems. According to cybersecurity experts, healthcare networks often operate with outdated technology and lack comprehensive cybersecurity training for staff, making them vulnerable to attacks. There is a call to action to invest in healthcare cybersecurity, with recommendations for the government and its partners to address understaffed healthcare cyber programs by tweaking federal healthcare funding programs to cover critical cybersecurity expenditures, augmenting healthcare cybersecurity workforces and incentivizing cyber maturity.

Recommended read:
References :
  • industrialcyber.co: Ransomware suspected in Kettering Health cyberattack disrupting patient services, canceling elective procedures
  • BleepingComputer: Kettering Health, a healthcare network that operates 14 medical centers in Ohio, was forced to cancel inpatient and outpatient procedures following a cyberattack that caused a system-wide technology outage.
  • DataBreaches.Net: Elective inpatient and outpatient procedures were canceled.
  • thecyberexpress.com: Kettering Health Hit by Cyberattack: Network Outage and Scam Calls Reported
  • The DefendOps Diaries: Strengthening Cybersecurity in Healthcare: Lessons from the Kettering Health Ransomware Attack
  • BleepingComputer: Kettering Health hit by system-wide outage after ransomware attack
  • The Dysruption Hub: Reports Ransomware Attack Cripples Kettering Health Systems Across Ohio
  • www.healthcareitnews.com: Kettering Health faces a ransomware attack and confirms a scam targeting its patients
  • www.scworld.com: Apparent ransomware attack leads to systemwide outage for Kettering Health
  • www.itpro.com: The incident at Kettering Health disrupted procedures for patients
  • www.cybersecuritydive.com: Ohio’s Kettering Health hit by cyberattack

@www.first.org //
Researchers from the U.S. National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA) have collaborated to develop a new security metric designed to better assess the likelihood of vulnerability exploitation. This metric aims to enhance the existing Exploit Prediction Scoring System (EPSS) and CISA's Known Exploited Vulnerabilities (KEV) catalog, providing a more refined approach to identifying vulnerabilities that are at high risk of being exploited in the wild. Peter Mell, formerly of NIST, and Jonathan Spring from CISA are credited with outlining this vulnerability exploit metric.

This new metric, detailed in a NIST White Paper titled "Likely Exploited Vulnerabilities," seeks to improve the accuracy with which vulnerabilities are prioritized for remediation. By augmenting the EPSS and KEV lists, the metric intends to provide a clearer understanding of a vulnerability's exploitability. The researchers propose this augmentation as a means to better express how likely a vulnerability is to be exploited, which can aid organizations in focusing their security efforts on the most critical threats.

Meanwhile, CISA has recently added six new vulnerabilities to its Known Exploited Vulnerabilities catalog, underscoring the importance of addressing actively exploited flaws. In a related development, Wiz Research has observed in-the-wild exploitation of CVE-2025-4427 and CVE-2025-4428, two recently disclosed vulnerabilities affecting Ivanti Endpoint Manager Mobile (EPMM). These Ivanti EPMM vulnerabilities, which chain an authentication bypass with a remote code execution flaw, highlight the need for organizations to apply security patches promptly and mitigate the remaining risk.
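The page does not show the arithmetic behind the proposed metric, so the following is an added illustration, not code from NIST, CISA or the white paper: EPSS publishes, for each CVE, the probability of exploitation in the next 30 days; the "likely exploited" idea composes those scores over the vulnerability's lifetime into the probability that it has been exploited at least once; and KEV membership overrides both, because it records observed exploitation rather than an estimate. Treating the 30-day windows as independent, the per-window weights and the sample scores are assumptions of this rendering, and the real EPSS values for the two Ivanti CVEs are not the ones used here.

```python
from datetime import date, timedelta

WINDOW_DAYS = 30  # an EPSS score is the probability of exploitation within the next 30 days


def lev_probability(epss_by_window, last_window_days=WINDOW_DAYS):
    """Compose successive 30-day EPSS scores into P(exploited at least once).

    If exploitation in each window is independent with probability p_i, the chance it
    never happened is the product of (1 - p_i), so P(ever) = 1 - prod(1 - p_i). A trailing
    window shorter than 30 days has only "used" part of its score, so it is scaled by its
    length. Independence is an assumption of this illustration, not a property of EPSS.
    """
    p_never = 1.0
    last = len(epss_by_window) - 1
    for i, p in enumerate(epss_by_window):
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"EPSS score out of range: {p}")
        weight = min(last_window_days, WINDOW_DAYS) / WINDOW_DAYS if i == last else 1.0
        p_never *= 1.0 - p * weight
    return 1.0 - p_never


def lev_from_daily(daily, first_day, today):
    """daily: {date: epss} as published each day. Sample one score per 30-day window from
    the day the CVE was published and weight the trailing partial window by its length."""
    samples, d = [], first_day
    while d <= today:
        samples.append(daily.get(d, 0.0))
        d += timedelta(days=WINDOW_DAYS)
    last_start = d - timedelta(days=WINDOW_DAYS)
    return lev_probability(samples, (today - last_start).days + 1)


def prioritize(vulns, kev):
    """vulns: {vuln_id: [window scores]}; kev: set of ids CISA lists as exploited.
    KEV is observed exploitation, so it dominates any estimate; the composed EPSS
    probability orders everything else."""
    ranked = []
    for vid, scores in vulns.items():
        if vid in kev:
            ranked.append((vid, 1.0, "KEV"))
        else:
            ranked.append((vid, round(lev_probability(scores), 4), "LEV"))
    return sorted(ranked, key=lambda r: r[1], reverse=True)


# Constructed scores for illustration only; not the real EPSS values for these CVEs.
SAMPLE_SCORES = {
    "CVE-2025-4428": [0.02, 0.35, 0.70],
    "CVE-2025-4427": [0.01, 0.20, 0.55],
    "example-vuln-high": [0.05, 0.40, 0.60],
    "example-vuln-low": [0.01, 0.01, 0.02],
}
SAMPLE_KEV = {"CVE-2025-4428", "CVE-2025-4427"}


def demo_daily():
    """Two daily scores 30 days apart, evaluated 15 days into the second window."""
    daily = {date(2025, 5, 13): 0.01, date(2025, 6, 12): 0.02}
    return lev_from_daily(daily, date(2025, 5, 13), date(2025, 6, 26))


if __name__ == "__main__":
    for vid, p, source in prioritize(SAMPLE_SCORES, SAMPLE_KEV):
        print(f"{vid:20} {p:.4f} {source}")
    print(f"daily-sampled example: {demo_daily():.4f}")
```

The point of composing rather than looking at the latest EPSS score alone is that a vulnerability whose score was high for months and has since decayed is still likely to have been exploited somewhere, which the latest score hides; the consolidated number is a lower bound and should be read as such.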

Recommended read:
References :
  • Metacurity: Peter Mell from NIST and Tom Spring from CISA propose an alternative/augmentation to the Exploit Prediction Scoring System (EPSS) and Known Exploited Vulnerability (KEV) lists to better express a vulnerability's exploitability.
  • thecyberexpress.com: Researchers from the U.S. National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA) have developed a new security metric to determine the likelihood that a vulnerability has been exploited. In a white paper published this week, Peter Mell, formerly of NIST, and CISA's Jonathan Spring outlined their vulnerability exploit metric that augments the work of the Exploit Prediction Scoring System (EPSS) and CISA's Known Exploited Vulnerabilities (KEV) catalog.

@industrialcyber.co //
A Russian state-sponsored cyber espionage campaign, attributed to the GRU's APT28 (also known as Fancy Bear or Forest Blizzard), has been actively targeting Western logistics entities and technology companies since 2022. This campaign focuses on organizations involved in the coordination, transport, and delivery of foreign assistance to Ukraine. The goal is to gain access to sensitive information and disrupt operations, presenting a serious risk to these targeted organizations and sectors across more than a dozen countries.

These Russian cyber actors have been using a mix of previously disclosed tactics, techniques, and procedures (TTPs), including credential brute force attacks, spear-phishing using multilingual lures, and malware delivery via malicious archives exploiting vulnerabilities. They've also been observed hacking into IP cameras at Ukrainian border crossings to monitor and track aid shipments. The GRU unit, known as military unit 26165, has been linked to compromising a wide array of entities, spanning air, sea, and rail transportation modes.

To defend against these threats, organizations are urged to familiarize themselves with the identified TTPs and indicators of compromise (IOCs), increase monitoring and threat hunting, and strengthen their network defenses. The attacks have targeted companies and government organizations in numerous countries, including Bulgaria, the Czech Republic, France, Germany, Greece, Italy, Moldova, the Netherlands, Poland, Romania, Slovakia, Ukraine, and the United States. The advisory is co-signed by over 20 agencies from multiple countries, underscoring the global nature of this threat.

Recommended read:
References :
  • Metacurity: This joint cybersecurity advisory (CSA) highlights a Russian state-sponsored cyber campaign targeting Western logistics entities and technology companies.
  • NCSC News Feed: UK and allies expose Russian intelligence campaign targeting western logistics and technology organisations
  • CyberInsider: Russian GRU Cyber Campaign Targets Western Logistics and Tech Firms
  • securityonline.info: Russian GRU’s APT28 Targets Global Logistics Supporting Ukraine Defense
  • securityonline.info: Russian GRU Targets Global Logistics Supporting Ukraine Defense
  • www.cybersecuritydive.com: Russian stepping up attacks on firms aiding Ukraine, Western nations warn
  • BleepingComputer: A Russian state-sponsored cyberespionage campaign attributed to APT28 (Fancy Bear/Forest Blizzard) hackers has been targeting and compromising international organizations since 2022 to disrupt aid efforts to Ukraine.
  • securityaffairs.com: Russia-linked APT28 targets western logistics entities and technology firms
  • Threats | CyberScoop: Multi-national warning issued over Russia’s targeting of logistics, tech firms
  • socprime.com: russian GRU Unit 26156 Targets Western Logistics and Technology Companies Coordinating Aid to Ukraine in a Two-Year Hacking Campaign
  • Blog: Russian APT28 targets Western firms supporting Ukraine
  • SOC Prime Blog: Detect APT28 Attacks: russian GRU Unit 26156 Targets Western Logistics and Technology Companies Coordinating Aid to Ukraine in a Two-Year Hacking Campaign
  • Metacurity: Russia's APT28 accused of infiltrating Western logistics, technology firms
  • Resources-2: Russian APT28 (aka Fancy Bear/Unit 26165) targets Western logistics and tech firms in Ukraine aid tracking operation
  • Virus Bulletin: Details a Russian state-sponsored cyber campaign targeting Western logistics entities and technology companies involved in the coordination, transport and delivery of foreign assistance to Ukraine.
  • DataBreaches.Net: Western intelligence agencies unite to expose Russian hacking campaign against logistics and tech firms
  • www.scworld.com: CISA warns Russia-linked group APT28 is targeting Western logistics and tech firms aiding Ukraine, posing an elevated threat to supply chains
  • eSecurity Planet: Russian Hackers Target Western Firms Aiding Ukraine, Spy on Shipments
  • www.esecurityplanet.com: Russian military hackers are targeting Western firms aiding Ukraine, using cyberespionage to infiltrate logistics networks and spy on arms shipments.
  • industrialcyber.co: Russian GRU’s Unit 26165 conducts two-year cyber espionage on logistics, tech firms using IP cameras, supply chains
  • www.csoonline.com: Russian APT28 compromised Western logistics and IT firms to track aid to Ukraine

@cyberscoop.com //
A 19-year-old college student from Worcester, Massachusetts, Matthew Lane, has agreed to plead guilty to charges related to a massive cyberattack on PowerSchool, a cloud-based education software provider. The cyberattack involved extorting millions of dollars from PowerSchool in exchange for not leaking the personal data of millions of students and teachers. Lane exploited stolen credentials to gain unauthorized access to PowerSchool's networks, leading to the theft of sensitive student and teacher data.

The data breach is considered one of the largest single breaches of American schoolchildren's data, affecting approximately 62.4 million students and 9.5 million teachers. According to court documents, Lane obtained stolen data from a U.S. telecommunications company before targeting PowerSchool. After the initial victim refused to pay a ransom, Lane allegedly sought to hack another company that would pay. The stolen information included sensitive details like Social Security numbers and academic records.

Lane will plead guilty to multiple charges, including cyber extortion conspiracy, cyber extortion, unauthorized access to protected computers, and aggravated identity theft. The incident has been described by authorities as a serious attack on the economy, with the potential to instill fear in parents regarding the safety of their children's data. This case highlights the increasing risk of cyberattacks targeting educational institutions and the importance of robust cybersecurity measures to protect student and teacher data.

Recommended read:
References :
  • cyberscoop.com: Massachusetts man will plead guilty in PowerSchool hack case
  • DataBreaches.Net: The incident involved a student who used stolen credentials.
  • BleepingComputer: A 19-year-old college student from Worcester, Massachusetts, has agreed to plead guilty to a massive cyberattack on PowerSchool that extorted millions of dollars in exchange for not leaking the personal data of millions of students and teachers.
  • The DefendOps Diaries: Explore the PowerSchool data breach, its impact on education tech, and lessons for cybersecurity.
  • BleepingComputer: PowerSchool hacker pleads guilty to student data extortion scheme
  • www.bleepingcomputer.com: A 19-year-old college student from Worcester, Massachusetts, has agreed to plead guilty to a massive cyberattack on PowerSchool that extorted millions of dollars in exchange for not leaking the personal data of millions of students and teachers. [...]
  • cyberinsider.com: PowerSchool Hacker to Plead Guilty for Extortion Affecting Millions
  • Threats | CyberScoop: Massachusetts man will plead guilty in PowerSchool hack case
  • techcrunch.com: US student agrees to plead guilty to hack affecting tens of millions of students
  • The Register - Security: US teen to plead guilty to extortion attack against PowerSchool
  • CyberInsider: PowerSchool Hacker to Plead Guilty for Extortion Affecting Millions
  • hackread.com: 19-Year-Old Admits to PowerSchool Data Breach Extortion

info@thehackernews.com (The Hacker News)@The Hacker News //
A new cybersecurity threat, dubbed Hazy Hawk, has emerged, exploiting misconfigured DNS records to hijack abandoned cloud resources. Since at least December 2023, the threat actor has been using DNS CNAME hijacking to seize control of abandoned cloud endpoints belonging to reputable organizations, including Amazon S3 buckets and Microsoft Azure endpoints. By registering new cloud resources with the same names as the abandoned ones, Hazy Hawk redirects traffic to malicious sites, incorporating these hijacked domains into large-scale scam delivery and traffic distribution systems (TDS). This allows them to distribute scams, fake applications, and malware to unsuspecting users, leveraging the trust associated with the original domains.

Infoblox researchers first detected Hazy Hawk's activities in February 2025, when the group successfully took control of subdomains belonging to the U.S. Centers for Disease Control (CDC). Further investigation revealed that global government agencies, major universities, and international corporations such as Deloitte and PricewaterhouseCoopers have also been targeted. Hazy Hawk scans for domains with CNAME records pointing to abandoned cloud endpoints, determining this through passive DNS data validation. They then register a new cloud resource with the same name, causing the original domain's subdomain to resolve to the attacker's controlled resource.

The attack chains often involve cloning legitimate websites to appear trustworthy, and URL obfuscation techniques are employed to hide malicious destinations. Hazy Hawk uses hijacked domains to host malicious URLs that redirect users to scams and malware. What makes Hazy Hawk's operations particularly concerning is the use of trusted domains to serve malicious content, enabling them to bypass detection and exploit the reputation of high-profile entities. Cybersecurity experts advise organizations to diligently monitor and manage their DNS records, ensuring that CNAME records pointing to abandoned cloud resources are removed to prevent unauthorized domain hijacking.
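
The monitoring advice above comes down to one concrete control: find CNAME records in your own zones whose target is a provider hostname anyone can claim, and that you no longer own. The following is an added example written for this page, not code from Infoblox, the page, or any of the cited reports. It assumes a zone export as `(name, type, target)` tuples and an inventory of cloud hostnames the organization actually owns; the suffix list and the wildcard flags are the author's assumptions and should be checked against each provider. Hazy Hawk is described as using passive DNS to spot abandoned targets; the example uses live resolution plus an ownership inventory as a defender's stand-in, and treats S3 separately because the S3 parent zone answers for any bucket name, so an NXDOMAIN check alone cannot tell a live bucket from a deleted one.

```python
"""Dangling-CNAME audit for the takeover pattern described above.

Constructed example (not Infoblox's or the page's own code). Assumptions:
zone records arrive as (name, type, target) tuples; `owned_targets` is the
organization's inventory of cloud hostnames it still controls; the suffix
table and its wildcard flags are illustrative and must be verified per provider.
"""
import socket
from typing import Callable, Iterable, List, Optional, Tuple

# Provider hostname suffixes that any tenant can claim once the original owner
# deletes the resource. The value records whether the provider's parent zone
# answers for *any* label (wildcard DNS); when True, a resolution check says
# nothing about whether the resource still exists. Author's assumption.
CLAIMABLE_SUFFIXES = {
    ".s3.amazonaws.com": True,
    ".azurewebsites.net": False,
    ".cloudapp.azure.com": False,
    ".blob.core.windows.net": False,
    ".trafficmanager.net": False,
}

Record = Tuple[str, str, str]          # (owner name, rrtype, target)
Finding = Tuple[str, str, str]         # (owner name, target, status)


def normalize(name: str) -> str:
    """Strip the trailing dot of zone-file names and lowercase for comparison."""
    return name.rstrip(".").lower()


def claimable_suffix(target: str) -> Optional[Tuple[str, bool]]:
    """Return (suffix, is_wildcard) if the target sits under a claimable suffix."""
    t = normalize(target)
    for suffix, wildcard in CLAIMABLE_SUFFIXES.items():
        if t.endswith(suffix):
            return suffix, wildcard
    return None


def live_resolver(name: str) -> bool:
    """True if the name resolves to at least one address, False on NXDOMAIN."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except socket.gaierror:
        return False


def audit_zone(records: Iterable[Record], owned_targets: Iterable[str],
               resolves: Callable[[str], bool] = live_resolver) -> List[Finding]:
    """Flag CNAMEs to claimable provider hostnames that are not in the inventory.

    Statuses:
      dangling              target does not resolve; anyone can register it now
      resolves-but-unowned  target resolves but nobody in the inventory owns it,
                            which can mean it has already been claimed by a
                            third party
      unverifiable-by-dns   provider uses wildcard DNS; confirm via provider API
    """
    owned = {normalize(t) for t in owned_targets}
    findings: List[Finding] = []
    for name, rtype, target in records:
        if rtype.upper() != "CNAME":
            continue
        match = claimable_suffix(target)
        if match is None:
            continue
        tgt = normalize(target)
        if tgt in owned:
            continue                       # still ours; nothing to report
        _, wildcard = match
        if wildcard:
            status = "unverifiable-by-dns"
        elif not resolves(tgt):
            status = "dangling"
        else:
            status = "resolves-but-unowned"
        findings.append((normalize(name), tgt, status))
    return findings


# Constructed sample zone and resolution results (not real data).
SAMPLE_ZONE: List[Record] = [
    ("www.example.org.", "CNAME", "example-org-site.azurewebsites.net."),
    ("old-campaign.example.org.", "CNAME", "oldcampaign2021.azurewebsites.net."),
    ("assets.example.org.", "CNAME", "example-org-assets.s3.amazonaws.com."),
    ("legacy.example.org.", "CNAME", "legacyapp.cloudapp.azure.com."),
    ("blog.example.org.", "CNAME", "blog.partner-host.example."),
    ("example.org.", "MX", "mail.example.org."),
]
SAMPLE_RESOLUTION = {
    "example-org-site.azurewebsites.net": True,
    "oldcampaign2021.azurewebsites.net": False,
    "example-org-assets.s3.amazonaws.com": True,
    "legacyapp.cloudapp.azure.com": True,
}
SAMPLE_INVENTORY = {"example-org-site.azurewebsites.net"}


def audit_sample() -> List[Finding]:
    """Run the audit over the constructed sample with a canned resolver."""
    return audit_zone(SAMPLE_ZONE, SAMPLE_INVENTORY,
                      resolves=lambda n: SAMPLE_RESOLUTION.get(n, False))


if __name__ == "__main__":
    for owner, target, status in audit_sample():
        print(f"{status:22} {owner} -> {target}")
```

The inventory check matters more than the resolution check: a record that resolves is not necessarily safe, because the resource at the other end may already belong to someone else, and for wildcard zones such as S3 the resolver result is not informative at all. Every finding is resolved the same way the page recommends, by deleting the stale CNAME (or re-creating the resource under your own account if it is still needed).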

Recommended read:
References :
  • BleepingComputer: Threat actors have been using DNS CNAME hijacking to hijack abandoned cloud endpoints of domains belonging to trusted organizations and incorporate them in large-scale scam delivery and traffic distribution systems (TDSes).
  • BleepingComputer: Hazy Hawk gang exploits DNS misconfigs to hijack trusted domains
  • The Hacker News: Hazy Hawk Exploits DNS Records to Hijack CDC, Corporate Domains for Malware Delivery
  • hackread.com: Infoblox reveals Hazy Hawk, a new threat exploiting abandoned cloud resources (S3, Azure) and DNS gaps since Dec…
  • The DefendOps Diaries: Explore Hazy Hawk's DNS hijacking tactics and learn how to protect your domains from this emerging cybersecurity threat.
  • bsky.app: A threat actor named 'Hazy Hawk' has been using DNS CNAME hijacking to hijack abandoned cloud endpoints of domains belonging to trusted organizations and incorporate them in large-scale scam delivery and traffic distribution systems (TDS).
  • www.bleepingcomputer.com: Hazy Hawk has been observed hijacking abandoned cloud resources.
  • Virus Bulletin: Researchers Jacques Portal & Renée Burton look into Hazy Hawk, a threat actor that hijacks abandoned cloud resources of high-profile organizations.
  • blogs.infoblox.com: Hazy Hawk is a threat actor that hijacks abandoned cloud resources of high-profile organizations.
  • www.scworld.com: Misconfigured DNS, neglected cloud assets harnessed in Hazy Hawk domain hijacking attacks
  • Infoblox Blog: Cloudy with a Chance of Hijacking Forgotten DNS Records Enable Scam Actor
  • DomainTools: Report on the threat actor's tactics and techniques, including targeting abandoned cloud resources.
  • Security Risk Advisors: Hazy Hawk Actor Hijacks Abandoned Cloud DNS Records of High-Profile Organizations for Scam Distribution
  • cyble.com: Cyble reports on Hazy Hawk campaign hijacks abandoned cloud DNS records from CDC, Berkeley, & 100+ major orgs to distribute scams.
  • BleepingComputer: Hazy Hawk exploits abandoned cloud resources from high-profile organizations to distribute scams and malware through traffic distribution systems (TDSes).
  • cyberscoop.com: Coordinated effort took down seven kinds of malware and targeted initial access brokers.
  • securityonline.info: A significant takedown neutralized ransomware delivery and initial access malware infrastructure.
  • BleepingComputer: International law enforcement took down hundreds of servers and domains.

Sead Fadilpašić@techradar.com //
Cryptocurrency exchange Coinbase recently admitted to a data breach affecting 69,461 of its customers. The company confirmed the news in a filing with the Office of the Maine Attorney General, stating that the breach occurred in late December 2024 but was not discovered until mid-May 2025. The incident involved a small number of individuals performing services for Coinbase at its overseas retail support locations improperly accessing customer information. This information did not include user passwords, seed phrases, or private keys that would allow direct access to accounts or funds; it did, however, contain a combination of sensitive data.

This exposed data included names, addresses, phone numbers, email addresses, the last four digits of Social Security numbers, masked bank account numbers, and images of government IDs like passports and driver's licenses. Additionally, the breach compromised Coinbase account data, including balance snapshots and transaction histories, and limited corporate data such as training materials and communications available to support agents. Coinbase believes that the threat actors bribed the support staff to exfiltrate the sensitive customer data. The support staff involved in facilitating the data theft have since been fired.

Following the data breach, the hackers attempted to extort Coinbase for $20 million in exchange for deleting the stolen data. Coinbase refused to pay the ransom and instead offered the same amount, $20 million, as a reward for information leading to the arrest of the culprits. The company is taking measures to reimburse customers who mistakenly sent funds to the scammers as a direct result of the incident prior to the disclosure. Coinbase is also bolstering its security measures around customer support to prevent future breaches and relocating some of its customer support operations.

Recommended read:
References :