CyberSecurity news

FlagThis - #cybersecurity

@The DefendOps Diaries //
Marks & Spencer (M&S) has confirmed it is currently dealing with a cybersecurity incident that has caused disruption to its UK retail operations. The retail giant said it has been managing this incident for the past few days, leading to operational changes aimed at protecting customers and the business. These changes have resulted in some disruption, including outages in payment systems and delays in store services such as order pick-ups and click-and-collect. The company has apologized to customers for any inconvenience experienced due to the disruptions.

M&S said that despite the ongoing cyber incident, its stores remain open, and its website and app are operating normally. It is working diligently to resolve technical issues and address delays affecting customer orders. In response to customer queries on social media platforms like X, Marks & Spencer acknowledged working to resolve technical issues in its stores. The company is also collaborating with external cybersecurity experts to investigate the incident and has notified data protection authorities, including the National Cyber Security Centre (NCSC) and the Information Commissioner's Office (ICO).

While M&S has confirmed the cybersecurity incident and taken steps to mitigate its impact, specific details regarding the nature of the attack and potential compromise of customer data remain unclear. The company has been tight-lipped on divulging extra information, however it has mentioned it is coordinating with relevant agencies such as the NCSC. The retailer said that if the situation changes an update will be provided as appropriate. Marks & Spencer claims to serve 32 million customers every year.

Recommended read:
References :
  • CyberInsider: Marks & Spencer (M&S) has confirmed it is responding to a cybersecurity incident that has caused disruptions across its UK retail operations, including outages in payment systems and delays in store services such as order pick-ups and click-and-collect.
  • techcrunch.com: The company said it was necessary to make operational changes to protect the business.
  • www.itpro.com: Retail giant Marks & Spencer (M&S) has revealed it has been dealing with a “cyber incident†in recent days and apologized to customers amid disruption complaints.
  • The Register - Security: Marks & Spencer has been managing a "cyber incident" for "the past few days".
  • cyberinsider.com: Marks & Spencer (M&S) has confirmed it is responding to a cybersecurity incident that has caused disruptions across its UK retail operations, including outages in payment systems and delays in store services such as order pick-ups and click-and-collect.
  • Zack Whittaker: New, by me: Marks & Spencer has confirmed a cyber incident, as customers report disruption and outages. The U.K.-headquartered retail giant said it made operational changes to "protect" the business, and has notified data protection authorities.
  • The DefendOps Diaries: Marks & Spencer cyberattack highlights retail vulnerabilities and the need for robust cybersecurity measures.

Lawrence Abrams@BleepingComputer //
A recent Microsoft Entra ID security update caused widespread account lockouts across numerous organizations, highlighting the potential risks associated with new security feature deployments. The issue stemmed from the rollout of a new "leaked credentials" detection app called MACE (Microsoft Account Credential Evaluation). This new feature inadvertently flagged legitimate user accounts, triggering automatic lockouts despite strong, unique passwords and multi-factor authentication (MFA) being in place.

Microsoft confirmed that the Entra account lockouts over the weekend were due to the invalidation of short-lived user refresh tokens mistakenly logged into internal systems. The problem was traced back to an internal logging mishap involving these tokens, where a subset of them were being logged internally, which deviates from the standard practice of logging only metadata. This logging error was identified on April 18, 2025, and promptly corrected.

The incident caused significant disruption as Windows administrators from numerous organizations reported receiving alerts that user credentials had been found leaked on the dark web. However, users noticed discrepancies, such as passwordless accounts being affected and no matches on Have I Been Pwned (HIBP), raising suspicions of false positives. Microsoft has advised affected customers to use the “Confirm User Safe” feature in response to the erroneous alerts and is working to prevent future occurrences.

Recommended read:
References :
  • BleepingComputer: Microsoft confirms that the weekend Entra account lockouts were caused by the invalidation of short-lived user refresh tokens that were mistakenly logged into internal systems.
  • The DefendOps Diaries: Microsoft Entra ID Glitch: Lessons from a Security Feature Misstep
  • www.bleepingcomputer.com: Widespread Microsoft Entra lockouts tied to new security feature rollout
  • bsky.app: Microsoft confirms that the weekend Entra account lockouts were caused by the invalidation of short-lived user refresh tokens that were mistakenly logged into internal systems.
  • BleepingComputer: Microsoft confirms that the weekend Entra account lockouts were caused by the invalidation of short-lived user refresh tokens that were mistakenly logged into internal systems.
  • www.techradar.com: Microsoft appears to have flagged some users’ credentials as being compromised erroneously, locking them out.
  • Blog: Microsoft leaked credentials false positives trigger widespread lockouts
  • www.bleepingcomputer.com: Microsoft confirms that the weekend Entra account lockouts were caused by the invalidation of short-lived user refresh tokens that were mistakenly logged into internal systems.
  • cybersecuritynews.com: Microsoft Addresses Entra ID Token Logging Issue, Alerts to Protect Users
  • hackread.com: Was your Microsoft Entra ID account locked? Find out about the recent widespread lockouts caused by the new…
  • www.bleepingcomputer.com: Windows administrators from numerous organizations report widespread account lockouts triggered by false positives in the rollout of a new Microsoft Entra ID's "leaked credentials" detection app called MACE.
  • Anonymous ???????? :af:: Microsoft confirms that the weekend Entra account lockouts were caused by the invalidation of short-lived user refresh tokens that were mistakenly logged into internal systems.

@hackread.com //
A significant cybersecurity incident has come to light involving Fortinet devices. Reports indicate that over 16,000 internet-exposed Fortinet devices have been compromised using a symlink backdoor. This backdoor grants attackers read-only access to sensitive files, even after security patches are applied. The Shadowserver Foundation, a threat monitoring platform, has been tracking the situation and has reported the growing number of affected devices. This active exploitation underscores the critical need for organizations to implement security updates promptly and rigorously monitor their systems for any signs of suspicious activity.

Fortinet has acknowledged the attacks and has taken steps to address the issue. The company has released multiple updates across various FortiOS versions, including versions 7.6.2, 7.4.7, 7.2.11, 7.0.17, and 6.4.16. These updates not only remove the established backdoor but also modify the SSL-VPN interface to prevent similar occurrences in the future. Furthermore, Fortinet has launched an internal investigation and is collaborating with third-party experts to fully understand and mitigate the scope of the breach. An AV/IPS signature has also been developed to automatically detect and remove the malicious symlink.

Concerns about espionage have also arisen after the exposure of a KeyPlug server. This server exposed Fortinet exploits and webshell activity, specifically targeting a major Japanese company, Shiseido. A recently exposed directory on infrastructure tied to KeyPlug malware revealed tooling likely used in active operations. The server was observed to be live for less than a day, highlighting the need for organizations to monitor for short-lived operational infrastructure. This discovery reveals the potential for advanced adversaries to maintain persistent access through sophisticated methods, making detection and remediation increasingly challenging.

Recommended read:
References :
  • Cyber Security News: 17,000+ Fortinet Devices Compromised in Massive Hack via Symbolic Link Exploit
  • gbhackers.com: Over 17,000 Fortinet Devices Hacked Using Symbolic Link Exploit
  • systemweakness.com: Fortinet Warns of Persistent Access Exploit in FortiGate Devices
  • gbhackers.com: Over 17,000 Fortinet Devices Hacked Using Symbolic Link Exploit
  • dashboard.shadowserver.org: Over 16,000 Fortinet devices compromised symlink backdoor
  • thehackernews.com: Fortinet Warns Attackers Retain FortiGate Access Post-Patching via SSL-VPN Symlink Exploit
  • www.bleepingcomputer.com: Over 16,000 Fortinet devices compromised with symlink backdoor
  • cyberpress.org: Exposed KeyPlug Malware Staging Server Contains Fortinet Firewall and VPN Exploitation Scripts
  • cybersecuritynews.com: Leaked KeyPlug Malware Infrastructure Contains Exploit Scripts to Hack Fortinet Firewall and VPN
  • hunt.io: KeyPlug Server Exposes Fortinet Exploits & Webshell Activity Targeting a Major Japanese Company
  • gbhackers.com: RedGolf Hackers Linked to Fortinet Zero-Day Exploits and Cyber Attack Tools
  • Talkback Resources: APT41/RedGolf Infrastructure Briefly Exposed: Fortinet Zero-Days Targeted Shiseido
  • Cyber Security News: Analysis of the exposed infrastructure linking RedGolf to exploitation tools.
  • gbhackers.com: Security researchers have linked the notorious RedGolf hacking group to a wave of exploits targeting Fortinet firewall zero-days.
  • securityonline.info: APT41/RedGolf Infrastructure Briefly Exposed: Fortinet Zero-Days Targeted Shiseido
  • OpenVPN Blog: SonicWall VPN Exploited, 16,000 Fortinet Devices Compromised | OpenVPN
  • cyberpress.org: RedGolf Hackers Unmasked: Fortinet Zero-Days and Attack Tools Exposed
  • cyble.com: IT Vulnerability Report: Fortinet Devices Vulnerable to Exploit
  • Cyber Security News: RedGolf Hackers Unmasked: Fortinet Zero-Days and Attack Tools Exposed
  • securityonline.info: In a rare window into the operations of an advanced persistent threat, a KeyPlug-linked infrastructure briefly went live,
  • hackread.com: Fortinet Issues Fixes After Attackers Bypass Patches to Maintain Access
  • fortiguard.fortinet.com: FG-IR-24-435

Stu Sjouwerman@blog.knowbe4.com //
A China-based cybercriminal gang known as the "Smishing Triad" is reportedly launching a wave of SMS phishing attacks, or "smishing," targeting users in both the US and the UK. These attacks are themed around road tolls, with victims receiving text messages that appear to be from toll road operators. The messages warn recipients of unpaid toll fees and potential fines if the fees are not promptly addressed. Cybersecurity researchers have issued warnings about this widespread and ongoing SMS phishing campaign, noting that it has been actively targeting toll road users since mid-October 2024, aiming to steal their financial information.

Researchers have linked the surge in these SMS scams to new features added to a popular commercial phishing kit sold in China. This kit simplifies the process of creating convincing lures that spoof toll road operators across multiple US states. The phishing pages are designed to closely mimic the websites of these operators as they appear on mobile devices, and in some cases, will not even load unless accessed from a mobile device. The goal of these kits is to obtain enough information from victims to add their payment cards to mobile wallets. These cards can then be used for fraudulent purchases in physical stores, online, or to launder money through shell companies.

The phishing campaigns often impersonate U.S. electronic toll collection systems like E-ZPass, sending SMS messages and Apple iMessages to individuals across several states including Washington, Florida, Pennsylvania, Virginia, Texas, Ohio, Illinois, and Kansas. The texts prompt recipients to click on a fake link, often requiring them to reply with "Y" to activate the link, a tactic used in other phishing kits. Victims who click the link are directed to a fraudulent E-ZPass page where they are asked to enter personal and financial information, which is then stolen by the attackers.

Recommended read:
References :
  • blog.knowbe4.com: Toll-themed smishing attacks surge in US and UK
  • The Hacker News: Cybersecurity researchers are warning of a widespread and ongoing SMS phishing campaign that's been targeting toll road users in the United States for financial theft since mid-October 2024.
  • ciso2ciso.com: Cybersecurity researchers are warning of a "widespread and ongoing" SMS phishing campaign that's been targeting toll road users in the United States for financial theft since mid-October 2024.
  • krebsonsecurity.com: Residents across the United States are being inundated with text messages purporting to come from toll road operators like E-ZPass, warning that recipients face fines if a delinquent toll fee remains unpaid.
  • The DefendOps Diaries: Chinese Smishing Kit Powers Widespread Toll Fraud Campaign Targeting U.S. Users in 8 States
  • ciso2ciso.com: Chinese Smishing Kit Powers Widespread Toll Fraud Campaign Targeting U.S. Users in 8 States – Source:thehackernews.com
  • www.scworld.com: Massive ongoing US toll fraud underpinned by Chinese smishing kit

@cyberinsider.com //
Legends International, a prominent entertainment venue management firm, has disclosed a data breach that occurred in November 2024. The breach compromised the personal information of both employees and visitors to venues managed by the company. According to reports, the company detected unauthorized activity within its IT systems on November 9, 2024, prompting an immediate investigation with the assistance of external cybersecurity experts. Legends International also notified law enforcement following the discovery of the cyberattack.

The investigation confirmed that unauthorized actors had accessed and exfiltrated files containing personal data. The compromised information varies by individual but may include sensitive details such as dates of birth, Social Security numbers, driver's license and government ID numbers, financial account details, medical information, and health insurance information. The company has stated that the individuals affected either worked at or visited a venue managed by Legends International.

In response to the breach, Legends International has taken steps to strengthen its security controls. While the company maintains that it is unaware of any misuse of personal information resulting from the incident, it is offering affected individuals a complimentary 24-month membership to Experian's IdentityWorks service. This service includes credit monitoring, identity restoration support, and up to $1 million in identity theft insurance. The incident has impacted at least 8,065 individuals in Texas and Massachusetts, though reports indicate that over 118,000 people nationwide may be affected.

Recommended read:
References :
  • cyberinsider.com: Legends International Discloses Data Breach Impacting Guests and Employees
  • Security Affairs: Entertainment venue management firm Legends International disclosed a data breach
  • BleepingComputer: Entertainment services giant Legends International discloses data breach
  • www.scworld.com: Legends International notifies customers, employees of data breach
  • Cyber Security News: Data Breach at Legends International Exposes Customer Information

Iain Thomson@The Register - Security //
The Cybersecurity and Infrastructure Security Agency (CISA) has issued alerts concerning critical vulnerabilities affecting SonicWall SMA 100 series appliances and legacy Oracle Cloud environments. The alerts highlight potential risks to organizations and individuals stemming from exploited vulnerabilities and data theft. CISA is urging affected users to take immediate steps to mitigate potential cyberattacks, including resetting passwords, monitoring authentication logs, and implementing multi-factor authentication. These actions aim to prevent unauthorized access and escalation of privileges within enterprise environments.

The alert regarding Oracle Cloud addresses the compromise of legacy Oracle Cloud servers earlier in the year. CISA warns that the nature of the reported activity presents a potential risk, especially where credential material may be exposed, reused across separate systems, or embedded within scripts and applications. Compromised credentials, including usernames, emails, passwords, authentication tokens, and encryption keys, can significantly impact enterprise security. The agency has specifically emphasized the danger of embedded credentials, which are difficult to detect and remove, potentially enabling long-term unauthorized access.

CISA has also added CVE-2021-20035, a high-severity OS command-injection vulnerability in SonicWall SMA100 remote-access appliances, to its known exploited vulnerabilities catalog. SonicWall initially disclosed and patched the vulnerability in September 2021, later raising its severity score. The vulnerability allows a threat actor to remotely inject arbitrary commands, potentially leading to code execution. Federal civilian executive branch agencies have been directed to patch their SonicWall appliances by May 7 or discontinue use of the product. SonicWall is actively investigating the scope of the exploitation and urges customers to upgrade to the latest firmware.

Recommended read:
References :

info@thehackernews.com (The@The Hacker News //
A critical security vulnerability, CVE-2025-32433, has been discovered in the Erlang/OTP SSH implementation, potentially allowing unauthenticated remote code execution (RCE). The flaw, which has been assigned a maximum CVSS score of 10.0, could enable attackers to execute arbitrary code on affected systems without providing any credentials. Researchers at Ruhr University Bochum, including Fabian Bäumer, Marcus Brinkmann, Marcel Maehren, and Jörg Schwenk, identified the vulnerability. It stems from improper handling of SSH protocol messages, allowing attackers to send connection protocol messages prior to authentication, leading to a complete system compromise if the SSH daemon is running with root privileges.

The vulnerability affects all users running an SSH server based on the Erlang/OTP SSH library. According to the official Ericsson security advisory, any application providing SSH access using the Erlang/OTP SSH library should be considered affected. This vulnerability poses a significant risk, especially to critical infrastructure and high-availability systems where Erlang/OTP is widely used, such as in telecommunications equipment, industrial control systems, and connected devices. Expert Mayuresh Dani of Qualys emphasizes the critical nature, noting Erlang's frequent installation on high-availability systems. This vulnerability could allow actions such as installing ransomware or siphoning off sensitive data.

Proof-of-concept (PoC) exploits for CVE-2025-32433 have already been released, increasing the urgency for organizations to take immediate action. SecurityOnline reported the release of PoC code, and the Horizon3 Attack Team confirmed they had developed their own exploit, describing it as "surprisingly easy" to reproduce. Mitigation strategies include immediately updating to the patched versions: OTP-27.3.3, OTP-26.2.5.11, or OTP-25.3.2.20. As a temporary workaround, it is recommended to disable the SSH server or restrict access via firewall rules until the updates can be applied. Organizations should evaluate their systems for potential compromise.

Recommended read:
References :
  • darkwebinformer.com: CVE-2025-32433: Unauthenticated Remote Code Execution in Erlang/OTP SSH
  • hackread.com: Researchers Find CVSS 10.0 Severity RCE Vulnerability in Erlang/OTP SSH
  • Open Source Security: CVE-2025-32433: Unauthenticated Remote Code Execution in Erlang/OTP SSH
  • Ubuntu security notices: USN-7443-1: Erlang vulnerability
  • BleepingComputer: Critical Erlang/OTP SSH pre-auth RCE is 'Surprisingly Easy' to exploit, patch now
  • Open Source Security: CVE-2025-32433: Unauthenticated Remote Code Execution in Erlang/OTP SSH
  • The Hacker News: TheHackerNews Article about CVSS 10.0 in Erlang/OTP SSH
  • The DefendOps Diaries: Explore the critical CVE-2025-32433 vulnerability in Erlang/OTP SSH, its impact, and mitigation strategies.
  • hackread.com: Researchers Find CVSS 10.0 Severity RCE Vulnerability in Erlang/OTP SSH
  • github.com: Unauthenticated Remote Code Execution in Erlang/OTP SSH
  • www.bleepingcomputer.com: Critical Erlang/OTP SSH pre-auth RCE is 'Surprisingly Easy' to exploit, patch now
  • securityonline.info: CVE-2025-32433: Unauthenticated Remote Code Execution in Erlang/OTP SSH
  • www.openwall.com: CVE-2025-32433: Unauthenticated Remote Code Execution in Erlang/OTP SSH
  • securityonline.info: CVE-2025-32433: Unauthenticated Remote Code Execution in Erlang/OTP SSH
  • Resources-2: Picus Security Blog on Erlang/OTP SSH RCE
  • Tenable Blog: Proof-of-concept code has been released after researchers disclosed a maximum severity remote code execution vulnerability in Erlang/OTP SSH. Successful exploitation could allow for complete takeover of affected devices. Background On April 16, Fabian Bäumer, Marcus Brinkmann, Marcel Maehren, and Jörg Schwenk of the Ruhr University Bochum in Germany disclosed a critical vulnerability in Erlang/OTP SSH to the vulnerability mailing list.
  • securityonline.info: SecurityOnline article on Erlang/OTP CVE-2025-32433 (CVSS 10): Critical SSH Flaw Allows Unauthenticated RCE
  • Security Risk Advisors: Unauthenticated Remote Code Execution in Erlang/OTP SSH (CVE-2025-32433).
  • securityonline.info: Erlang/OTP SSH Vulnerability (CVE-2025-32433).
  • Open Source Security: Re: CVE-2025-32433: Unauthenticated Remote Code Execution in Erlang/OTP SSH
  • www.runzero.com: Discusses an SSHamble with remote code execution in Erlang/OTP SSH.
  • Open Source Security: Re: CVE-2025-32433: Unauthenticated Remote Code Execution in Erlang/OTP SSH
  • Cyber Security News: Cybersecurity News also reported this vulnerability.
  • securityboulevard.com: Vulnerability in Erlang/OTP SSH allows for unauthenticated remote code execution on vulnerable devices.
  • The DefendOps Diaries: Understanding and Mitigating CVE-2025-32433: A Critical Erlang/OTP Vulnerability
  • www.scworld.com: Maximum severity flaw impacts Erlang/OTP SSH Widely used library Erlang/OTP SSH was discovered to be affected by a maximum severity flaw, tracked as CVE-2025-32433, which could be leveraged to allow code execution without required logins, according to Hackread.
  • Open Source Security: Seclists Details on SSH execution in Erlang
  • Blog: CyberReason article on Erlang/OTP RCE Vulnerability.
  • infosecwriteups.com: InfoSec Writeups: Erlang/OTP SSH CVSS 10 RCE
  • securityboulevard.com: CVE-2025-32433: Unauthenticated Remote Code Execution in Erlang/OTP SSH
  • www.bleepingcomputer.com: Critical Erlang/OTP SSH RCE bug now has public exploits, patch now
  • industrialcyber.co: Frenos warns OT sector of critical Erlang vulnerability enabling remote code execution affecting millions of devices
  • www.cybersecuritydive.com: Researchers warn of critical flaw found in Erlang OTP SSH
  • Arctic Wolf: CVE-2025-32433: Maximum Severity Unauthenticated RCE Vulnerability in Erlang/OTP SSH
  • arcticwolf.com: CVE-2025-32433: Maximum Severity Unauthenticated RCE Vulnerability in Erlang/OTP SSH
  • Industrial Cyber: Frenos warns OT sector of critical Erlang vulnerability enabling remote code execution affecting millions of devices
  • : Public exploits already available for a severity 10 Erlang SSH vulnerability; patch now
  • arcticwolf.com: CVE-2025-32433: Maximum Severity Unauthenticated RCE Vulnerability in Erlang/OTP SSH
  • Security Risk Advisors: TheHackerNews post on Erlang/OTP SSH vulnerability.

Jenna McLaughlin@NPR Topics: Technology //
A whistleblower at the US National Labor Relations Board (NLRB) has come forward with allegations of a significant cybersecurity breach involving the Department of Government Efficiency (DOGE), overseen by Elon Musk. According to the whistleblower, Daniel Berulis, DOGE operatives arrived at the agency in early March and were granted unrestricted access to internal systems, a move that deviated from standard operating procedures. The whistleblower claims that these DOGE employees ignored infosec rules and were instructed to hand over any requested accounts and stay out of DOGE’s way.

According to the affidavit submitted to the Senate Intelligence Committee, these actions led to a "significant cybersecurity breach" potentially exposing the agency's data to foreign adversaries. The whistleblower also alleges that during their activity, DOGE employees exfiltrated 10GB of data to servers in the US and disabled monitoring tools, raising concerns about potential data exposure. Berulis’s document points out that not even his CIO enjoyed the level of access given to DOGE unit operatives, and that the NLRB already had auditor accounts set up that provided enough privileges to check data without being able to edit, copy, or remove it.

The most alarming aspect of the allegations involves attempted access to the NLRB's systems from a Russian IP address using legitimate accounts created by DOGE staffers. These attempts were reportedly blocked, but the valid credentials used suggest a potential compromise. The NPR has reported that the data that DOGE moved could have included sensitive information on unions, ongoing legal cases and corporate secrets. Democratic lawmakers are calling for an investigation into the matter.

Recommended read:
References :
  • ciso2ciso.com: Whistleblower alleges Russian IP address attempted access to US agency’s systems via DOGE-created accounts – Source: www.csoonline.com
  • The Register - Security: Whistleblower describes DOGE IT dept rampage at America's labor watchdog
  • : Whistleblower alleges Russian IP address attempted access to US agency’s systems via DOGE-created accounts.
  • DataBreaches.Net: A whistleblower’s disclosure details how DOGE may have taken sensitive labor data
  • aboutdfir.com: A whistleblower’s disclosure details details how DOGE may have taken sensitive labor data In the first days of March, a team of advisers from President Trump’s new Department of Government Efficiency initiative arrived at the Southeast Washington, D.C., headquarters of the National Labor Relations Board.
  • Policy ? Ars Technica: Government IT whistleblower calls out DOGE, says he was threatened at home
  • NPR Topics: Technology: Someone using a Russian IP address attempted to access the internal systems of the US National Labor Relations Board (NLRB) using legitimate accounts set up by staff from Elon Musk's Department of Government Efficiency (DOGE), a whistleblower inside the agency has alleged.

@www.microsoft.com //
Microsoft is warning of a rise in cyberattacks where threat actors are misusing Node.js to deliver malware and steal sensitive information. These campaigns, ongoing since October 2024, involve tricking users into downloading malicious installers from fraudulent websites disguised as legitimate software, often related to cryptocurrency platforms like Binance and TradingView. The attackers utilize malvertising campaigns to lure unsuspecting victims. Once the malicious installer is downloaded, a chain of events is triggered, leading to information theft and data exfiltration from compromised systems.

The attack chain involves multiple stages, beginning with a malicious DLL embedded within the downloaded installer. This DLL gathers system information and establishes persistence via a scheduled task. To maintain the illusion of legitimacy, a decoy browser window is opened, displaying a real cryptocurrency trading website. The scheduled task then executes PowerShell commands designed to evade detection by Microsoft Defender. These commands exclude both the PowerShell process and the current directory from being scanned. Subsequently, obfuscated scripts are launched to collect extensive system, BIOS, and OS information, which is then structured and exfiltrated in JSON format via HTTP POST.

The final stage involves downloading and launching the Node.js runtime, along with a compiled JavaScript file and supporting library modules. Once executed, the malware establishes network connections, installs certificates, and exfiltrates browser credentials and other sensitive data. Microsoft has observed threat actors leveraging Node.js characteristics, such as cross-platform compatibility and access to system resources, to blend malware with legitimate applications, bypass conventional security controls, and persist in target environments. This shift in tactics highlights the evolving threat landscape, where Node.js is increasingly being exploited for malicious purposes.

Recommended read:
References :

info@thehackernews.com (The@The Hacker News //
Since January 2025, threat actors have been actively exploiting a remote code execution vulnerability, CVE-2021-20035, in SonicWall Secure Mobile Access (SMA) appliances. This exploitation campaign targets the SMA100 management interface, allowing for OS command injection. Arctic Wolf researchers have been tracking this campaign, highlighting the significant risk it poses to organizations utilizing these affected devices due to the potential for credential access.

This vulnerability has now been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, underscoring the severity and ongoing nature of the threat. CISA urges prompt remediation by affected organizations. In addition to CVE-2021-20035, CISA has flagged another critical vulnerability, CVE-2024-53704, which compromises the SSL VPN authentication mechanism in SonicOS. This flaw, with a CVSS score of 9.3, enables attackers to hijack VPN sessions by sending crafted session cookies, bypassing multi-factor authentication and exposing private network routes.

CISA has issued a critical security alert urging federal agencies and network defenders to prioritize patching both CVE-2021-20035 and CVE-2024-53704 to prevent potential breach attempts. The Binding Operational Directive (BOD) 22-01 mandates that Federal Civilian Executive Branch (FCEB) agencies secure their networks against ongoing attacks within a specified timeframe. While this directive specifically targets U.S. federal agencies, CISA advises all network defenders to take immediate action to mitigate these risks.

Recommended read:
References :
  • chemical-facility-security-news.blogspot.com: CISA Adds SonicWall Vulnerability to KEV Catalog – 4-16-25
  • securityaffairs.com: U.S. CISA adds SonicWall SMA100 Appliance flaw to its Known Exploited Vulnerabilities catalog
  • The Hacker News: Details on the exploitation of the vulnerability
  • Cyber Security News: CISA Alerts on Exploited SonicWall Command Injection Vulnerabilityâ€
  • gbhackers.com: CISA Issues Alert on SonicWall Flaw Being Actively Exploited
  • BleepingComputer: On Wednesday, CISA warned federal agencies to secure their SonicWall Secure Mobile Access (SMA) 100 series appliances against attacks exploiting a high-severity remote code execution vulnerability. [...]
  • gbhackers.com: GBHackers: CISA Issues Alert on SonicWall Flaw Being Actively Exploited
  • securityonline.info: CISA Alert: Actively Exploited SonicWall SMA100 Vulnerability
  • The DefendOps Diaries: CISA flags critical SonicWall vulnerabilities: Urgent mitigation required to prevent cyber attacks
  • www.cybersecuritydive.com: Older SonicWall SMA100 vulnerability exploited in the wild
  • Arctic Wolf: Credential Access Campaign Targeting SonicWall SMA Devices Potentially Linked to Exploitation of CVE-2021-20035
  • Help Net Security: Sonicwall SMA100 vulnerability exploited by attackers (CVE-2021-20035)
  • Arctic Wolf: On April 15, 2025, SonicWall published a product notice regarding CVE-2021-20035, a vulnerability impacting SonicWall SMA 100 series appliances.
  • arcticwolf.com: On 15 April 2025, SonicWall published a product notice regarding CVE-2021-20035, a vulnerability impacting SonicWall SMA 100 series appliances.
  • The DefendOps Diaries: Understanding and Mitigating the SonicWall SMA Vulnerability
  • BleepingComputer: SonicWall SMA VPN devices targeted in attacks since January
  • bsky.app: A remote code execution vulnerability affecting SonicWall Secure Mobile Access (SMA) appliances has been under active exploitation since at least January 2025, according to cybersecurity company Arctic Wolf.
  • www.scworld.com: Cybersecurity Dive reports that active exploitation of the nearly half a decade-old high-severity SonicWall SMA100 remote-access appliance operating system command injection flaw
  • www.helpnetsecurity.com: Sonicwall SMA100 vulnerability exploited by attackers (CVE-2021-20035)
  • securityaffairs.com: CISA adds SonicWall SMA100 Appliance flaw to its Known Exploited Vulnerabilities catalog.
  • Help Net Security: CVE-2021-20035, an old vulnerability affecting Sonicwall Secure Mobile Access (SMA) 100 series appliances, is being exploited by attackers.
  • arcticwolf.com: Details the credential access campaign targeting SonicWall SMA devices and its potential link to CVE-2021-20035 exploitation.
  • securityaffairs.com: Threat actors are actively exploiting a remote code execution flaw in SonicWall Secure Mobile Access (SMA) appliances since January 2025.
  • securityaffairs.com: Security Affairs newsletter reports attackers exploited SonicWall SMA appliances since January 2025
  • www.bleepingcomputer.com: SonicWall SMA VPN devices targeted in attacks since January
  • BleepingComputer: A remote code execution vulnerability affecting SonicWall Secure Mobile Access (SMA) appliances has been under active exploitation since at least January 2025, according to cybersecurity company Arctic Wolf.

@nvd.nist.gov //
Cyble Research and Intelligence Labs (CRIL) has uncovered a new ransomware operation dubbed "DOGE BIG BALLS Ransomware." This campaign uses a finance-themed ZIP file named "Pay Adjustment.zip" to trick users into executing malicious shortcut files. These files then trigger multi-stage PowerShell scripts, ultimately delivering custom payloads that include a kernel-mode exploit tool and reconnaissance modules. The ransomware itself is a modified version of Fog, further customized with a provocative name that references a known public figure.

The attention-grabbing name is likely a deliberate attempt to misdirect attention and create confusion, potentially questioning the effectiveness of governmental cybersecurity efforts. Despite the name's provocative nature, the attack mechanism is relatively simple. The ransomware is typically distributed via a compressed ZIP file, sometimes disguised as a PDF document. Once opened, the malicious payload bypasses traditional security defenses using obfuscation and anti-detection techniques.

The DOGE Big Balls ransomware attack highlights the evolving tactics of cybercriminals, blending technical sophistication with psychological manipulation. It also demonstrates the increasing trend of ransomware attacks targeting the healthcare sector, as seen with the recent attack on DaVita, a Denver-based dialysis firm. This incident underscores the critical need for organizations to bolster their cybersecurity defenses and incident response capabilities to protect sensitive data and maintain operational continuity.

Recommended read:
References :
  • cyble.com: This attack leverages a ZIP file with a deceptive LNK shortcut to silently execute a multi-stage PowerShell-based infection chain, ensuring stealthy deployment. A vulnerable driver ( ) is exploited through a Bring Your Own Vulnerable Driver (BYOVD) technique to gain kernel-level read/write access for privilege escalation. The payload is a customized version of Fog ransomware, branded as "DOGE BIG BALLS Ransomware," reflecting an attempt to add psychological manipulation and misattribution. Ransomware scripts include provocative political commentary and the use of a real individual's name and address, indicating intent to confuse, intimidate, or mislead victims. The malware uses router MAC addresses (BSSIDs) and queries the Wigle.net API to determine the victim’s physical location—offering more accurate geolocation than IP-based methods. Extensive system and network information, including hardware IDs, firewall states, network configuration, and running processes, is collected via PowerShell, aiding attacker profiling. Embedded within the toolkit is a Havoc C2 beacon, hinting at the threat actor’s (TA's) potential to maintain long-term access or conduct additional post-encryption activities.
  • Davey Winder: DOGE Big Balls Ransomware Attack — What You Need To Know
  • thecyberexpress.com: TheCyberExpress: DOGE BIG BALLS Campaign Blurs Lines Between Exploitation, Recon, and Reputation Damage
  • www.cybersecurity-insiders.com: DOGE Big Balls Ransomware turns into a big cyber threat
  • www.cybersecurity-insiders.com: DOGE Big Balls Ransomware turns into a big cyber threat
  • www.cysecurity.news: CySecurity: DOGE Big Balls Ransomware turns into a big cyber threat
  • seceon.com: The TraderTraitor Crypto Heist: Nation-State Tactics Meet Financial Cybercrime