CyberSecurity news
FlagThis - #cybersecurity
|
@sec.cloudapps.cisco.com
//
Cisco is urging immediate action following the discovery of a critical vulnerability, CVE-2025-20309, in its Unified Communications Manager (Unified CM) and Unified Communications Manager Session Management Edition (Unified CM SME). The flaw stems from hardcoded SSH root credentials that cannot be modified or removed, potentially allowing remote attackers to gain root-level access to affected systems. This vulnerability has a maximum severity rating with a CVSS score of 10.0, indicating it can be easily exploited with devastating consequences.
Cisco's security advisory specifies that all Engineering Special (ES) releases from 15.0.1.13010-1 through 15.0.1.13017-1 are vulnerable, regardless of optional features in use. An unauthenticated remote attacker can exploit this vulnerability by utilizing the static root account credentials to establish SSH connections to vulnerable systems. Once authenticated, the attacker gains complete administrative control over the affected device, enabling the execution of arbitrary commands with root privileges. There are no temporary workarounds to mitigate this risk. To remediate the vulnerability, administrators are advised to upgrade to version 15SU3 or apply the CSCwp27755 patch. Although Cisco discovered the flaw through internal testing and has not found evidence of active exploitation in the wild, the extreme severity necessitates immediate action to safeguard enterprise communications. The company has issued emergency fixes for the critical root credential flaw in Unified CM. Recommended read:
References :
@www.bleepingcomputer.com
//
The Hunters International ransomware operation has announced its shutdown, stating they will release free decryption keys to their past victims. The group made the announcement on its dark web leak site, removing all previous victim data. In a statement, Hunters International acknowledged the impact their actions have had on organizations, stating the decision to close down was not made lightly. Victims are instructed to visit the ransomware gang's website to obtain the decryption keys and recovery guidance, though some sources indicate victims need to log in to a portal mentioned in the ransom note using existing credentials to obtain the decryption software.
The move to shut down has been met with skepticism from the threat intel community. Several ransomware gangs in the past have released their victims’ decryption keys, then shut down, each of them for different reasons. Some shut down only to return under a new name, perhaps in an attempt to confuse researchers and law enforcement agencies and sometimes toescape sanctions. There is speculation that Hunters International may be rebranding and transitioning to new infrastructure to avoid increased scrutiny from law enforcement. It emerged in late 2023 and was flagged by security researchers and ransomware experts as apotential rebrand of Hive, which had its infrastructure seized earlier that year. Reports indicate that Hunters International launched a separate platform named "World Leaks" in January, advising its affiliates to switch to this new operation. At the time, the group claimed that encryption-based ransomware was no longer profitable and they would be shifting to a hack-and-extort model. However, some sources have found World Leaks victims who also had ransomware deployed on their networks. Hunters International has been linked to almost 300 attacks worldwide including India's Tata Technologies and the US Marshals Service and has earned millions in cryptocurrency. Recommended read:
References :
Ashish Khaitan@The Cyber Express
//
Australia's national carrier, Qantas Airways, has disclosed a significant cyberattack affecting approximately six million customers. The breach occurred through unauthorized access to a third-party customer service platform used by a Qantas call center. Exposed data includes customer names, email addresses, phone numbers, birth dates, and frequent flyer numbers, however, the company reports that no financial data, passport details, passwords, or login credentials were compromised. The airline detected the unusual activity on Monday and took immediate action to bring the system back under control.
Qantas has launched an investigation into the incident, working closely with government authorities and cybersecurity experts. The airline has notified Australia’s National Cyber Security Coordinator, the Australian Cyber Security Centre, the Privacy Commissioner, and the Federal Police, reflecting the severity of the situation. Initial reports suggest the Scattered Spider group, known for targeting the aviation sector, may be linked to the attack. Qantas is also enhancing security measures by tightening access controls and improving system monitoring. Vanessa Hudson, Qantas Group Managing Director, has sincerely apologized to customers, acknowledging the uncertainty caused by the breach. A special customer support hotline and dedicated webpage have been established to provide information and assistance to those affected. While Qantas assures that the cyberattack has not impacted flight operations or the safety of the airline, cybersecurity experts warn that the stolen customer data could potentially be used for identity theft and other fraudulent activities. This incident underscores the importance of robust cybersecurity measures and vigilance in protecting sensitive customer information, particularly within third-party platforms. Recommended read:
References :
Zack Whittaker@techcrunch.com
//
The FBI and cybersecurity firms are issuing warnings about the cybercrime group Scattered Spider, which has recently shifted its focus to targeting airlines and the transportation sector. According to a statement released by the FBI and reported by TechCrunch, recent cyberattacks resembling those of Scattered Spider have been observed within the airline sector. Cybersecurity experts from Google's Mandiant and Palo Alto Networks' Unit 42 have also confirmed witnessing Scattered Spider attacks targeting the aviation industry. This shift in focus comes after the group recently targeted the U.K. retail and insurance industries, and previously, tech companies.
Scattered Spider is known to employ social engineering techniques, often impersonating employees or contractors to deceive IT help desks into granting access. These techniques frequently involve bypassing multi-factor authentication (MFA), such as convincing help desk services to add unauthorized MFA devices to compromised accounts. The FBI warns that Scattered Spider targets large corporations and their third-party IT providers, meaning any organization within the airline ecosystem, including trusted vendors and contractors, could be at risk. Unit 42 has also warned that organizations should be on high alert for sophisticated and targeted social engineering attacks and suspicious MFA reset requests. Once inside a system, Scattered Spider actors steal sensitive data for extortion and often deploy ransomware. The FBI is actively working with aviation and industry partners to address this activity and assist victims. The agency emphasizes the importance of early reporting, as it allows the FBI to engage promptly, share intelligence across the industry, and prevent further compromise. The recent attacks on the airline sector follow reported intrusions at Hawaiian Airlines and WestJet, with media reports linking the WestJet incident to Scattered Spider. The FBI recommends quickly reporting incidents to allow them to act fast, share intelligence, and limit damage. Recommended read:
References :
@www.dhs.gov
//
Following U.S. airstrikes on Iranian nuclear sites on June 21, 2025, a wave of cyberattacks has been launched against U.S. organizations by Iran-aligned hacktivist groups. Cyble threat intelligence researchers reported that in the first 24 hours after the strikes, 15 U.S. organizations and 19 websites were targeted with DDoS attacks. Groups such as Mr Hamza, Team 313, Keymous+, and Cyber Jihad have claimed responsibility, targeting U.S. Air Force websites, aerospace and defense companies, and financial services organizations.
The attacks have been framed as retaliation for U.S. involvement in the ongoing Israel-Iran conflict, with the groups using the hashtag #Op_Usa to deface websites and leak credentials. The U.S. Department of Homeland Security (DHS) issued a bulletin on June 22, 2025, warning of likely low-level cyber attacks against U.S. networks by pro-Iranian hacktivists, noting that cyber actors affiliated with the Iranian government may also conduct attacks. This warning highlights the escalating cyber warfare activity between the two nations. In a notable incident, Donald Trump's social media platform, Truth Social, was paralyzed by a DDoS attack just hours after the U.S. airstrikes. The hacker group “313 Team” claimed responsibility, stating the attack was in response to President Trump's announcement of the successful strikes on Iranian nuclear sites. The DHS emphasizes that this cyber activity reflects an increasing shift of geopolitical tensions into the digital space, further intensifying the cyber security concerns. Recommended read:
References :
Field Effect@Blog
//
References:
Blog
, securityaffairs.com
Multiple security vulnerabilities are being actively exploited across various systems, posing significant risks to organizations and individuals. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a Linux Kernel vulnerability to its Known Exploited Vulnerabilities catalog, emphasizing the urgency of addressing this flaw. Furthermore, researchers have uncovered a vulnerability chain affecting a wide range of Linux distributions that could allow an unprivileged user to gain full root access. These vulnerabilities, CVE-2025-6018 and CVE-2025-6019, reside in the Pluggable Authentication Modules (PAM) configuration and libblockdev, respectively.
Proof-of-concept (POC) code has been published for the Linux vulnerability chain, raising the potential for widespread exploitation. The libblockdev flaw is exploitable through the udisks daemon, a tool commonly deployed in Linux distributions such as Ubuntu, Debian, Fedora, openSUSE, Arch Linux, and Red Hat Enterprise Linux (RHEL). In addition to Linux vulnerabilities, there is also an increase in infostealer malware such as Lumma Stealer with new rules being added to detect associated command and control (CnC) domains. This highlights the diverse and evolving nature of cyber threats. The constant discovery and exploitation of vulnerabilities underscore the critical importance of timely patching and robust security awareness. Organizations are advised to prioritize patching the Linux Kernel flaw added to CISA's Known Exploited Vulnerabilities catalog, as well as the vulnerability chain affecting multiple Linux distributions. In addition to addressing Linux flaws, organizations need to also protect themselves from a range of malware, including the Lumma Stealer. The Cybersecurity community continues to identify and address many more vulnerabilities in a range of products including Apple products, TP-Link routers and Zyxel products. Regular security audits and proactive threat hunting are also essential for mitigating risks and maintaining a strong security posture. Recommended read:
References :
@cyberscoop.com
//
References:
thecyberexpress.com
, eSecurity Planet
,
Aflac Incorporated, the insurance giant, has confirmed a cybersecurity incident that occurred on June 12, 2025. The company detected suspicious activity on its US network and promptly initiated its cyber incident response protocols, successfully stopping the intrusion within hours. According to Aflac's official disclosure, their systems were not affected by ransomware, ensuring business operations such as underwriting, claims processing, and customer support remain uninterrupted. However, Aflac warns that sensitive customer information may have been exposed during the breach.
Preliminary findings indicate that the unauthorized party used sophisticated social engineering tactics to gain access to Aflac's network. This method often involves tricking individuals into revealing sensitive information or granting access. Aflac has engaged leading third-party cybersecurity experts to assist with the ongoing investigation. CNN, citing sources familiar with the investigation, reported that this incident, along with others recently affecting the insurance sector, is consistent with the techniques of a cybercrime group known as “Scattered Spider.” Aflac acknowledged the broader context of the attack, stating, "This attack, like many insurance companies are currently experiencing, was caused by a sophisticated cybercrime group." The review of potentially impacted files is still in its early stages, and Aflac has not yet determined the total number of individuals affected. However, the company has indicated that the compromised files may contain sensitive information. The Aflac breach is the latest cyberattack against the insurance industry. Recommended read:
References :
Dissent@DataBreaches.Net
//
A massive collection of 16 billion login credentials has been discovered, representing one of the largest data thefts in history. Cybernews reports that the exposed data likely originates from various infostealers, malicious software designed to gather sensitive information from infected devices. Researchers have uncovered 30 exposed data sets containing millions to over 3.5 billion records each, totaling the astounding 16 billion credentials. These datasets include logins for major platforms like Apple, Google, Facebook, and Telegram, raising significant concerns about widespread account compromise.
Researchers noted that these datasets were not simply recycled from old data leaks but represent new, potentially "weaponized" information. The exposed data contains a mix of details from stealer malware, credential stuffing sets, and repackaged leaks. While it was not possible to compare data between the different sets effectively, the sheer volume and the platforms targeted highlight the severity of the situation. The data sets were only exposed for a short period and it remains unknown who controlled the large amount of data. The exposure of these 16 billion credentials poses a significant risk of account takeovers, identity theft, and targeted phishing attacks. Cybercriminals now have access to an unprecedented volume of personal data. Users are advised to take immediate action to protect their accounts, including enabling multi-factor authentication and using strong, unique passwords for all online services. News sources indicate that this is not a new data breach but is rather a compilation of previously leaked credentials. Recommended read:
References :
@blog.talosintelligence.com
//
North Korean-aligned threat actor Famous Chollima, also known as Wagemole, is actively targeting cryptocurrency and blockchain professionals, primarily in India, using a newly discovered Python-based Remote Access Trojan (RAT) named PylangGhost. This RAT, identified by Cisco Talos in May 2025, serves as a Python-equivalent to their existing GolangGhost RAT, which was previously deployed against MacOS users. The threat actor seeks financial gain by creating fake employers for the purpose of jobseekers exposing their personal information, and second by deploying fake employees as workers in targeted victim companies.
This campaign involves a sophisticated operation where attackers impersonate recruiters from well-known tech firms like Coinbase, Robinhood, Uniswap, and Archblock. Victims are lured through fake job advertisements and skill-testing pages, directed to submit personal and professional information, grant camera access, and copy/execute a malicious shell command under the guise of installing video drivers. Instructions for downloading the alleged fix are different based on the browser fingerprinting, and also given in appropriate shell language for the OS, including PowerShell for Windows and Bash for MacOS. PylangGhost is a multi-stage Python malware framework disguised in a ZIP archive downloaded via the shell command. Upon execution, a Visual Basic Script extracts and launches the malware. The framework consists of modular components that enable credential and cookie theft from over 80 browser extensions, file operations (upload, download), remote shell access, and system reconnaissance. The attackers are primarily targeting individuals with experience in cryptocurrency and blockchain technologies, utilizing skill-testing sites that impersonate legitimate companies to further their deception. Recommended read:
References :
@www.trendmicro.com
//
Trend Micro has identified a new threat actor known as Water Curse, which is actively exploiting GitHub repositories to distribute multistage malware. This campaign poses a significant supply chain risk, especially to cybersecurity professionals, game developers, and DevOps teams who rely on open-source tooling. Researchers have already identified at least 76 GitHub accounts that are related to this campaign, highlighting the scale of the operation. The attackers embed malicious payloads within build scripts and project files, effectively weaponizing trusted open-source resources.
The Water Curse campaign utilizes a sophisticated infection chain. Project files contain malicious batch file code within the `` tag, which is triggered during the code compilation process. This malicious batch file code leads to the execution of a VBS file. Upon execution, obfuscated scripts written in Visual Basic Script (VBS) and PowerShell initiate complex multistage infection chains. These scripts download encrypted archives, extract Electron-based applications, and perform extensive system reconnaissance. The malware is designed to exfiltrate data, including credentials, browser data, and session tokens, and establishes remote access and long-term persistence on infected systems. To defend against these attacks, organizations are advised to audit open-source tools used by red teams, DevOps, and developer environments, especially those sourced from GitHub. It's crucial to validate build files, scripts, and repository histories before use. Security teams should also monitor for unusual process executions originating from MSBuild.exe. Trend Micro's Vision One™ detects and blocks the indicators of compromise (IOCs) associated with this campaign, providing an additional layer of defense. Recommended read:
References :
@www.healthcarefinancenews.com
//
References:
cyble.com
, cybersecurityventures.com
,
Ransomware groups are continually evolving their tactics, posing an increasing threat to organizations worldwide. Recent reports highlight the exploitation of vulnerabilities in software and the use of sophisticated techniques, such as abusing legitimate employee monitoring software, to breach systems. A Symantec report revealed the discovery of Fog Ransomware, showcasing the attackers' innovative use of tools, including a legitimate security solution (Syteca) capable of recording on-screen activity and monitoring keystrokes, which they deployed using PsExec and SMBExec.
The Cybersecurity and Infrastructure Security Agency (CISA) issued Advisory AA25‑163A, warning of ransomware actors exploiting CVE-2024-57727 in unpatched SimpleHelp Remote Monitoring and Management (RMM) software, specifically versions 5.5.7 and earlier. This vulnerability allowed attackers to compromise a utility billing software provider and initiate double-extortion attacks. The attacks targeting unpatched SimpleHelp deployments have been observed since January 2025, indicating a sustained and targeted effort to exploit this vulnerability. In addition to software vulnerabilities, data breaches are also occurring through direct hacks. Zoomcar, an Indian car-sharing company, recently acknowledged a data breach affecting 8.4 million users, where hackers accessed customer names, phone numbers, car registration numbers, personal addresses, and emails. While sensitive information like passwords and financial details were reportedly not exposed, the breach raises concerns about the security of personal data stored by such platforms. Furthermore, the DragonForce group has started posting new victims to their darknet site, publicly extorting two new organizations, highlighting the continued use of double extortion tactics by ransomware groups. Recommended read:
References :
rulesbot@community.emergingthreats.net
//
Emerging Threats has released a significant ruleset update, v10950, aimed at bolstering network security and threat detection. The update includes 73 new open rules and 136 new pro rules, totaling 209 enhancements to the existing security framework. These rules are designed to address a wide spectrum of threats, ranging from general malware to web application-specific vulnerabilities and hunting activities, enabling organizations to strengthen their defenses against an evolving threat landscape. The release date for this update is June 13, 2025.
Among the key targets of this update is the Predator spyware, which remains a persistent threat despite US sanctions. The ruleset includes specific signatures to detect DNS queries associated with Predator spyware domains, such as gilfonts .com, zipzone .io, and numerous others. This highlights the ongoing efforts to identify and neutralize the infrastructure used by Intellexa, the maker of Predator, even as they attempt to evade detection through new servers and domains. This focus underscores the importance of continuous monitoring and adaptation in the face of sophisticated surveillance tools. In addition to addressing the Predator spyware, the ruleset update also tackles a critical vulnerability in Fortinet Admin APIs, specifically a Stack-based Buffer Overflow in the AuthHash Cookie, identified as CVE-2025-32756. This rule aims to protect against potential exploits targeting this weakness in Fortinet systems. Furthermore, the update incorporates rules for hunting SQL Database Version Discovery, enhancing the ability to proactively identify and address potential vulnerabilities within network environments. This comprehensive approach ensures a multi-layered defense against various attack vectors. Recommended read:
References :
@www.helpnetsecurity.com
//
The National Institute of Standards and Technology (NIST) has released a new guide, SP 1800-35, titled "Implementing a Zero Trust Architecture," aimed at providing practical assistance in building zero trust architectures (ZTA). This guidance includes 19 example setups that utilize commercially available, off-the-shelf tools. The initiative is a result of work conducted by NIST’s National Cybersecurity Center of Excellence (NCCoE).
Over the course of four years, NIST collaborated with 24 industry partners, including major tech companies, to build, install, test, and document the 19 ZTA models. These models illustrate various real-world scenarios such as hybrid cloud setups, branch offices, and even public Wi-Fi use in coffee shops. Each model provides technical details on deployment, sample configurations, integration steps, test results, and best practices derived from real-world experiences. The guide also maps these setups onto NIST's broader cybersecurity framework (CSF), SP 800-53 controls, and critical software measures. The rise in popularity of zero trust architectures comes as traditional on-prem security perimeters weaken due to the increasing adoption of cloud services, mobile devices, remote employees, and IoT devices. The new NIST guidance builds on its earlier zero trust framework, SP 800-207, by providing more hands-on implementation advice. According to Brian Soby, CTO at AppOmni, one of the main challenges in real-world zero trust implementations is the existence of multiple policy decision and policy enforcement points, which are often left out of many zero trust plans, potentially leaving doors open for attackers. This new guidance recognizes the reality of multiple PDP/PEPs and operationalizes the concept of Policy Information Points, enhancing decision-making within the architecture by adapting to changing context and user behaviors. Recommended read:
References :
@research.checkpoint.com
//
A critical vulnerability in Discord's invitation system has been identified, enabling malicious actors to hijack expired or deleted invite links and redirect unsuspecting users to harmful servers. Check Point Research (CPR) uncovered this flaw, revealing that attackers are exploiting a Discord feature that allows the reuse of expired or deleted invite links. By registering vanity links, attackers can silently redirect users from trusted sources, such as community forums and social media posts, to malicious servers designed to deliver malware.
CPR's research details real-world attacks leveraging hijacked links to deploy sophisticated phishing schemes and malware campaigns. These campaigns often involve multi-stage infections that evade detection by antivirus tools and sandbox checks. The attack tricks users with a fake verification bot and phishing site that look like legitimate Discord servers, leading victims to unknowingly run harmful commands that download malware on their computer. The malware spreads quietly in multiple steps using popular, trusted services like GitHub and Pastebin to hide its activity and avoid detection. The attackers are primarily targeting cryptocurrency users, with the goal of stealing credentials and wallet information for financial gain. Over 1,300 downloads have been tracked across multiple countries, including the U.S., Vietnam, France, Germany, and the UK, demonstrating the global scale of the campaign. The delivered malware includes remote access trojans (RATs) like AsyncRAT and information-stealing malware like Skuld Stealer, posing a significant threat to users' security and privacy. Recommended read:
References :
Pierluigi Paganini@securityaffairs.com
//
Apple has released details about a zero-day vulnerability, CVE-2025-43200, that was exploited by Paragon's Graphite spyware to hack at least two journalists' iPhones in Europe. The vulnerability was a zero-click flaw in iMessage, allowing attackers to compromise devices without any user interaction. Apple had quietly patched the flaw in iOS 18.3.1, which was released on February 10, but the details of the vulnerability were not publicized until recently.
The security advisory was updated four months after the initial iOS release to include the zero-day flaw, described as a logic issue when processing a maliciously crafted photo or video shared via an iCloud Link. Apple stated that they were aware of a report that this issue was exploited in an "extremely sophisticated attack against specific targeted individuals." Citizen Lab confirmed that this was the flaw used against Italian journalist Ciro Pellegrino and an unnamed "prominent" European journalist. Citizen Lab also confirmed that Paragon's Graphite spyware was used to hack the journalists' iPhones. This incident is part of a growing trend of mercenary spyware operators exploiting iOS through silent attack chains. The now-confirmed infections call into question a report by Italian lawmakers, which didn't mention one of the hacked journalists. It remains unclear why Apple did not disclose the existence of the patched flaw until four months after the release of the iOS update, and an Apple spokesperson did not respond to a request for comment seeking clarity. Recommended read:
References :
info@thehackernews.com (The@The Hacker News
//
References:
The Hacker News
, therecord.media
The Rare Werewolf APT group, also known as Librarian Ghouls and Rezet, has been actively targeting Russian enterprises and engineering schools since at least 2019, with activity continuing through May 2025. This advanced persistent threat group distinguishes itself by primarily utilizing legitimate third-party software instead of developing its own malicious tools. The attacks are characterized by the use of command files and PowerShell scripts to establish remote access to compromised systems, steal credentials, and deploy the XMRig cryptocurrency miner. The campaign has impacted hundreds of Russian users, with additional infections reported in Belarus and Kazakhstan.
The group's initial infection vector typically involves targeted phishing emails containing password-protected archives with executable files disguised as official documents or payment orders. Once the victim opens the attachment, the attackers deploy a legitimate tool called 4t Tray Minimizer to obscure their presence on the compromised system. They also use tools like Defender Control to disable antivirus software and Blat, a legitimate utility, to send stolen data via SMTP. The attackers actively refine their tactics and a new wave of attacks emerged immediately after a slight decline in December 2024. A key aspect of the Rare Werewolf APT's strategy involves the use of a Windows batch script that launches a PowerShell script, scheduling the victim system to wake up at 1 AM local time and providing a four-hour window for remote access via AnyDesk. The machine is then shut down at 5 AM through a scheduled task, minimizing the chance of detection. The attackers also collect information about available CPU cores and GPUs to optimally configure the crypto miner. Besides cryptomining, the group has also been known to steal sensitive documents, passwords, and compromise Telegram accounts. Recommended read:
References :
info@thehackernews.com (The@The Hacker News
//
ConnectWise is initiating a rotation of its ScreenConnect code signing certificates following security concerns identified by a third-party researcher. The issue revolves around how ScreenConnect handled specific configuration data in earlier versions, where configuration data was stored in an unsigned area of the installer. While this area is intended for customization, its coupling with remote control capabilities created a potentially insecure design pattern according to current security standards. The company emphasizes that this action is unrelated to the recent nation-state attacks affecting some of its customers.
ConnectWise is implementing an update to enhance the management of configuration data within ScreenConnect. The company said it's doing so "due to concerns raised by a third-party researcher about how ScreenConnect handled certain configuration data in earlier versions." The rotation of digital certificates is set to take place by June 13 at 8 p.m. ET. ConnectWise is already updating certificates and agents across its cloud instances of Automate and RMM. Users of on-premise versions of ScreenConnect or Automate are required to update to the latest build and validate all agents before the June 13th deadline to avoid potential service disruptions. ConnectWise acknowledges the challenges this may pose and has committed to supporting users through the transition. Connectwise customers who use the company’s ScreenConnect, Automate, and ConnectWise RMM solutions are urged to update all agents and/or validate that the update has been deployed by Friday, June 13 at 8:00 p.m. ET, or risk disruptions. Recommended read:
References :
|