@Talkback Resources - 7d
On February 21, 2025, the cryptocurrency exchange Bybit suffered a massive security breach resulting in the theft of approximately $1.46 billion in crypto assets. Investigations have pointed towards the Lazarus Group, a North Korean state-sponsored hacking collective, as the perpetrators behind the audacious heist. The FBI has officially accused the Lazarus Group of stealing $1.5 billion in Ethereum and has requested assistance in tracking down the stolen funds.
Bybit has declared war on the Lazarus Group following the incident and is offering a $140 million bounty for information leading to the recovery of the stolen cryptocurrency. CEO Ben Zhou has launched Lazarusbounty.com, a bounty site aiming for transparency on the Lazarus Group's money laundering activities. The attackers exploited the multisig wallet platform Safe{Wallet} by compromising one of its developers' machines, which enabled the transfer of over 400,000 ETH and stETH (worth over $1.5 billion) to an address under their control.
References:
- www.techmeme.com: ZachXBT: crypto exchange Bybit has experienced $1.46B worth of "suspicious outflows"; Bybit CEO confirms hacker took control of cold ETH wallet
- CryptoSlate: The crypto exchange ByBit has been hacked, and roughly $1.5 billion in Ethereum (ETH) has been stolen — making this one of the biggest hacks in history.
- infosec.exchange: NEW: Crypto exchange Bybit said it was hacked and suffered a loss of around $1.4 billion (~401,346 ETH) at the time of the hack.
- PCMag UK security: The Bybit exchange lost 400,000 in ETH, or about $1.4 billion, before the price began to slide, making it the biggest crypto-related hack in history.
- techcrunch.com: TechCrunch reports on the Bybit hack, disclosing a loss of approximately $1.4 billion in Ethereum.
- ciso2ciso.com: In a major cybersecurity incident, Bybit, the world’s 2nd-largest crypto exchange suffered a $1.4 billion ETH hack from a cold wallet breach.
- ciso2ciso.com: Bybit Hack: $1.4B Stolen from World’s 2nd Largest Crypto Exchange – Source:hackread.com
- cryptoslate.com: ByBit suffers $1.5 billion Ethereum heist in cold wallet breach
- www.coindesk.com: Bybit experiences USD1.46B in suspicious outflows
- BleepingComputer: Cryptocurrency exchange Bybit revealed today that an unknown attacker stole over $1.46 billion worth of cryptocurrency from one of its ETH cold wallets.
- The Cryptonomist: 3 Best Bybit Alternatives As Top CEX Is Hacked
- Gulf Business: ‘Worst hack in history’: Dubai crypto exchange Bybit suffers $1.5bn ether heist
- Anonymous: Cryptocurrency exchange Bybit revealed today that an unknown attacker stole over $1.46 billion worth of cryptocurrency from one of its ETH cold wallets.
- www.bleepingcomputer.com: Hacker steals record $1.46 billion in ETH from Bybit cold wallet
- Techmeme: Bybit Loses $1.5B in Hack but Can Cover Loss, CEO Confirms (Oliver Knight/CoinDesk)
- Report Boom: Report on the Bybit crypto heist, detailing the incident and security recommendations.
- thehackernews.com: Report on the Bybit hack, highlighting the scale of the theft and its implications.
- reportboom.com: Reportboom article about Bybit's $1.46B Crypto Heist.
- www.it-daily.net: Bybit hacked: record theft of 1.5 billion US dollars
- Protos: News about the Bybit cryptocurrency exchange being hacked for over \$1.4 billion.
- The420.in: On Friday, cryptocurrency exchange Bybit disclosed that a highly sophisticated attack resulted in the theft of more than Rs 11,972 crores in digital assets from one of its offline Ethereum wallets—the largest crypto heist on record.
- TechSpot: The hackers stole the crypto from Bybit's cold wallet, an offline storage system.
- Talkback Resources: Crypto exchange Bybit was targeted in a $1.46 billion theft by the Lazarus Group, highlighting the rising trend of cryptocurrency heists driven by the allure of profits and challenges in tracing such crimes.
- www.bleepingcomputer.com: Cryptocurrency exchange Bybit revealed today that an unknown attacker stole over $1.46 billion worth of cryptocurrency from one of its ETH cold wallets.
- www.the420.in: The420.in: Biggest Crypto Heist Ever: Bybit Loses Rs 12,000+ Crore in Sophisticated Ethereum Wallet Attack!
- www.cnbc.com: This report discusses the Bybit hack, detailing the amount stolen and the potential impact on the crypto market.
- www.engadget.com: This news piece reports on the massive crypto heist from Bybit, highlighting the scale of the incident and the impact on the crypto market.
- Techmeme: Arkham says ZachXBT submitted proof that North Korea's Lazarus Group is behind Bybit's $1.5B hack, which is the largest single theft in crypto history
- BrianKrebs: Infosec exchange post describing Bybit breach.
- Talkback Resources: Bybit cryptocurrency exchange suffered a cyberattack resulting in the theft of $1.5 billion worth of digital currency, including over 400,000 ETH and stETH, with potential vulnerabilities in the Safe.global platform's user interface exploited.
- securityaffairs.com: SecurityAffairs reports Lazarus APT stole $1.5B from Bybit, it is the largest cryptocurrency heist ever.
- gulfbusiness.com: ‘Worst hack in history’: Dubai crypto exchange Bybit suffers $1.5bn ether heist
- techcrunch.com: Crypto exchange Bybit says it was hacked and lost around $1.4B
- Tekedia: The cryptocurrency industry has been rocked by what is now considered the largest digital asset theft in history, as Bybit, a leading crypto exchange, confirmed on Friday that hackers stole approximately $1.4 billion worth of Ethereum (ETH) from one of its offline wallets.
- blog.checkpoint.com: What the Bybit Hack Means for Crypto Security and the Future of Multisig Protection
- Dan Goodin: Crypto exchange Bybit said it was hacked and suffered a loss of around $1.4 billion (~401,346 ETH) at the time of the hack.
- BleepingComputer: Crypto exchange Bybit revealed today that an unknown attacker stole over $1.46 billion worth of cryptocurrency from one of its ETH cold wallets.
- Security Boulevard: North Korea’s Lazarus Group Hacks Bybit, Steals $1.5 Billion in Crypto
- bsky.app: Elliptic is following the money on this ByBit hack - the biggest theft of all time. “Within 2 hours of the theft, the stolen funds were sent to 50 different wallets, each holding approximately 10,000 ETH. These are now being systematically emptied.”
- Talkback Resources: Talkback Post about the $1.5B Bybit Hack: The Era of Operational Security Failures Has Arrived
- infosec.exchange: Reports that North Korean hackers stole $1.4 billion in crypto from Bybit.
- securityboulevard.com: North Korea's notorious Lazarus Group reportedly stole $1.5 billion in cryptocurrency from the Bybit exchange in what is being called the largest hack in the controversial market's history.
- billatnapier.medium.com: One of the Largest Hacks Ever? But Will The Hackers Be Able To Launder The Gains?
- thecyberexpress.com: Details on the Bybit cyberattack.
- Matthew Rosenquist: This may turn out to be the biggest hack in history! $1.5 BILLION.
- PCMag UK security: The $1.4 billion at Bybit—the largest known cryptocurrency heist in history—has been traced to the notorious Lazarus North Korean hacking group.
- www.nbcnews.com: Hackers steal $1.5 billion from exchange Bybit in biggest-ever crypto heist: Blockchain analysis firm Elliptic later linked the attack to North Korea’s Lazarus Group, a state-sponsored hacking collective
- www.pcmag.com: Researchers spot the $1.4 billion stolen from Bybit moving through cryptocurrency wallets that were used in earlier heists attributed to North Korea's Lazarus hacking group.
- siliconangle.com: $1.5B in cryptocurrency stolen from Bybit in attack linked to North Korean hackers
- www.americanbanker.com: Nearly $1.5 billion in tokens lost in Bybit crypto exchange hack
- SiliconANGLE: SiliconAngle reports on the details of the Bybit hack and links it to North Korean hackers.
- techcrunch.com: TechCrunch reports on the massive crypto heist, citing research that points to North Korean hackers as perpetrators.
- OODAloop: Reports that North Korea’s Lazarus Group APT is Behind Largest Crypto Heist Ever
- Be3: Looming Shadows: $1.5 Billion Crypto Heist Shakes Confidence in Security Measures
- Schneier on Security: Schneier on Security covers the North Korean Hackers Stealing $1.5B in Cryptocurrency.
- Dataconomy: How the Bybit hack shook the crypto world: $1.5B gone overnight
- be3.sk: Looming Shadows: $1.5 Billion Crypto Heist Shakes Confidence in Security Measures
- Risky Business: Risky Business #781 -- How Bybit oopsied $1.4bn
- cyberriskleaders.com: Bybit, a leading exchange, was hacked for USD1.4 billion in Ethereum and staked Ethereum, sending shockwaves through the digital asset community.
- www.csoonline.com: Independent investigation finds connections to the Lazarus Group.
- Cybercrime Magazine: Bybit suffers the largest crypto hack in history
- www.theguardian.com: Cyberattackers believed to be affiliated with the state-sponsored threat group pulled off the largest crypto heist reported to date, stealing $1.5 billion from exchange Bybit.
- bsky.app: Forensic investigators have discovered that North Korean Lazarus hackers stole $1.5 billion from Bybit after first breaching a Safe{Wallet} developer machine. The multisig wallet platform has also confirmed these findings in a statement issued today.
- Sergiu Gatlan: Forensic investigators have discovered that North Korean Lazarus hackers stole $1.5 billion from Bybit after first breaching a Safe{Wallet} developer machine. The multisig wallet platform has also confirmed these findings in a statement issued today.
- SecureWorld News: SecureWorld reports on the Bybit hack, attributing it to the Lazarus Group.
- OODAloop: The Largest Theft in History – Following the Money Trail from the Bybit Hack
- gbhackers.com: Researchers Uncover $1.4B in Sensitive Data Tied to ByBit Hack by Lazarus Group
- Secure Bulletin: The Lazarus Group, a notorious North Korean state-sponsored hacking collective, has once again demonstrated its sophistication and audacity with a staggering $1.5 billion cryptocurrency heist targeting Bybit, a major crypto exchange.
- Talkback Resources: THN Weekly Recap: From $1.5B Crypto Heist to AI Misuse & Apple’s Data Dilemma [mal]
- infosec.exchange: NEW: Hacked crypto exchange Bybit is offering $140 million in bounties to anyone who can help locate and freeze the stolen ethereum.
- CyberInsider: Record $1.5 billion Bybit hack undermines trust in crypto security
- The Register - Security: Cryptocurrency exchange Bybit, just days after suspected North Korean operatives stole $1.5 billion in Ethereum from it, has launched a bounty program to help recover its funds.
- PCMag UK security: The malicious JavaScript code used in the attack could secretly modify transactions for Safe{Wallet}, a cryptocurrency wallet provider. The suspected North Korean hackers who stole $1.4 billion in cryptocurrency from Bybit pulled off the heist by infiltrating a digital wallet provider and tampering with its software.
- techcrunch.com: Last week, hackers stole around $1.4 billion in Ethereum cryptocurrency from crypto exchange Bybit, believed to be the largest crypto heist in history. Now the company is offering a total of $140 million in bounties for anyone who can help trace and freeze the stolen funds. Bybit’s CEO and
- securityaffairs.com: The FBI confirmed that North Korea is responsible for the record-breaking cyber heist at the crypto exchange Bybit.
- The Register - Security: The FBI has officially accused North Korea's Lazarus Group of stealing $1.5 billion in Ethereum from crypto-exchange Bybit earlier this month, and asked for help tracking down the stolen funds.
- techcrunch.com: The FBI said the North Korean government is ‘responsible’ for the hack at crypto exchange Bybit, which resulted in the theft of more than $1.4 billion in Ethereum cryptocurrency.
- Talkback Resources: FBI Says North Korea Hacked Bybit as Details of $1.5B Heist Emerge [net] [mal]
- PCMag UK security: FBI Blames North Korea for Massive $1.4 Billion Cryptocurrency Heist
- The420.in: Rs 1.27 trillion Stolen: Bybit Joins the Ranks of Crypto’s Largest Thefts – Full List Inside
- Talkback Resources: Bybit Hack Traced to Safe{Wallet} Supply Chain Attack Exploited by North Korean Hackers [mal]
- Tekedia: Bybit, a leading crypto exchange, has declared war on the “notorious” Lazarus group, a hacker group made up of an unknown number of individuals, alleged to be run by the government of North Korea. This is coming after the crypto exchange experienced a security breach resulting in the unauthorized transfer of over $1.4 billion in liquid-staked crypto assets.
- SecureWorld News: The FBI officially attributed the massive hack to North Korea's state-sponsored hacking group, TraderTraitor, more commonly known as the infamous Lazarus Group.
- ChinaTechNews.com: North Korea was behind the theft of approximately $1.5bn in virtual assets from a cryptocurrency exchange, the FBI has said, in what is being described as the biggest heist in history.
- Wallarm: API Armor: How Bybit’s Real-Time Blacklisting Is Thwarting a $1.5B Crypto Heist
- infosec.exchange: NEW: After security researchers and firms accused North Korea of the massive Bybit hack, the FBI follows suit. North Korean government hackers allegedly stole more than $1.4 billion in Ethereum from the crypto exchange.
- iHLS: Cryptocurrency exchange Bybit became the latest victim of a major cyberattack, marking what appears to be the largest crypto hack in history.
Bill Mann@CyberInsider - 10d
The Qualys Threat Research Unit (TRU) has revealed two significant vulnerabilities in OpenSSH, impacting both client and server components. The first, CVE-2025-26465, is a machine-in-the-middle (MitM) attack that targets OpenSSH clients when the VerifyHostKeyDNS option is enabled. The second, CVE-2025-26466, involves a pre-authentication denial-of-service (DoS) attack affecting both client and server systems by exhausting resources. These vulnerabilities expose systems to potential interception of communications and resource exhaustion, potentially crippling SSH servers.
The MitM vulnerability, CVE-2025-26465, allows an attacker to impersonate a server and bypass the client's host identity check even when VerifyHostKeyDNS is set to "yes" or "ask". The flaw was introduced in December 2014 and affects OpenSSH versions 6.8p1 through 9.9p1. The DoS vulnerability, CVE-2025-26466, lets an attacker consume excessive memory and CPU before authentication completes and affects versions 9.5p1 through 9.9p1. Server-side mitigations such as LoginGraceTime and MaxStartups limit the DoS impact, but immediate patching is strongly advised: OpenSSH 9.9p2 addresses both vulnerabilities, and administrators are urged to upgrade affected systems promptly.
References:
- CyberInsider: OpenSSH Vulnerabilities Exposed Millions to Multi-Year Risks
- buherator's timeline: Qualys Security Advisory CVE-2025-26465: MitM attack against OpenSSH's VerifyHostKeyDNS-enab...
- Open Source Security: Qualys Security Advisory discussing MitM and DoS attacks against OpenSSH clients and servers.
- securityonline.info: Securityonline.info article on OpenSSH flaws CVE-2025-26465 and CVE-2025-26466 exposing clients and servers to attacks.
- www.openwall.com: Qualys Security Advisory CVE-2025-26465: MitM attack against OpenSSH's VerifyHostKeyDNS-enab...
- cyberinsider.com: The Qualys Threat Research Unit (TRU) has disclosed two critical vulnerabilities in OpenSSH affecting both client and server components.
- securityonline.info: OpenSSH Flaws CVE-2025-26465 & CVE-2025-26466 Expose Clients and Servers to Attacks
- blog.qualys.com: Qualys TRU Discovers Two Vulnerabilities in OpenSSH (CVE-2025-26465, CVE-2025-26466)
- hackread.com: Critical OpenSSH Vulnerabilities Expose Users to MITM and DoS Attacks
- Ubuntu security notices: USN-7270-2: OpenSSH vulnerability
- The Hacker News: Two security vulnerabilities have been discovered in the OpenSSH secure networking utility suite that, if successfully exploited, could result in an active machine-in-the-middle (MitM) and a denial-of-service (DoS) attack, respectively, under certain conditions.
- www.csoonline.com: OpenSSH fixes flaws that enable man-in-the-middle, DoS attacks
- securityaffairs.com: OpenSSH bugs allow Man-in-the-Middle and DoS Attacks
- www.scworld.com: OpenSSH flaws could enable man-in-the-middle attacks, denial of service. Two vulnerabilities in OpenSSH could enable man-in-the-middle (MitM) attacks or denial of service (DoS), the Qualys Threat Research Unit (TRU) revealed Tuesday.
- KubikPixel: OpenSSH flaws could enable man-in-the-middle attacks, denial of service. Two vulnerabilities in OpenSSH could enable man-in-the-middle (MitM) attacks or denial of service (DoS), the Qualys Threat Research Unit (TRU) revealed Tuesday.
- AAKL: Infosec Exchange Post: Qualys TRU Discovers Two Vulnerabilities in OpenSSH: CVE-2025-26465 & CVE-2025-26466 More: The Register: FreSSH bugs undiscovered for years threaten OpenSSH security
- socradar.io: Security Flaws in OpenSSH and Juniper Networks Demand Action (CVE-2025-26465, CVE-2025-26466, and CVE-2025-21589)
- Information Security Buzz: Qualys Identifies Critical Vulnerabilities that Enable DDoS, MITM Attacks
- www.theregister.com: FreSSH bugs undiscovered for years threaten OpenSSH security
- socprime.com: Socprime discusses CVE-2025-26465 & CVE-2025-26466 Vulnerabilities.
- Full Disclosure: Qualys Security Advisory CVE-2025-26465: MitM attack against OpenSSH's VerifyHostKeyDNS-enabled client CVE-2025-26466: DoS attack against OpenSSH's client and server
- www.scworld.com: The security flaws, tracked as CVE-2025-26465 and CVE-2025-26466, can be used by an attacker to conduct an active machine-in-the-middle attack on the OpenSSH client when the VerifyHostKeyDNS option is enabled.
- SOC Prime Blog: CVE-2025-26465 & CVE-2025-26466 Vulnerabilities Expose Systems to Man-in-the-Middle and DoS Attacks
- Security Risk Advisors: OpenSSH Vulnerabilities Enable MITM Attacks and Denial-of-Service (CVE-2025-26465 & CVE-2025-26466)
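As an added example (not Qualys' advisory code or anything from the OpenSSH project), the Python helper below turns the version ranges and the VerifyHostKeyDNS precondition stated above into an audit check: it parses an OpenSSH version string, reports which of the two CVEs apply, and scans an ssh_config for a VerifyHostKeyDNS value of yes or ask. The function names, the treatment of a release string without a pN suffix as patch level 1, and the sample inputs are this example's assumptions.

```python
"""Audit helper for CVE-2025-26465 / CVE-2025-26466 exposure.

Added example, not code from Qualys or the OpenSSH project.
"""
import re
from typing import Any, Dict, List, Tuple

Version = Tuple[int, int, int]  # (major, minor, portable patch level)

# Inclusive affected ranges as stated in the advisory summary above.
AFFECTED: Dict[str, Tuple[Version, Version]] = {
    "CVE-2025-26465": ((6, 8, 1), (9, 9, 1)),  # MitM vs. VerifyHostKeyDNS-enabled clients
    "CVE-2025-26466": ((9, 5, 1), (9, 9, 1)),  # pre-auth DoS, client and server
}
FIXED_IN: Version = (9, 9, 2)

_VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")


def parse_openssh_version(text: str) -> Version:
    """Pull (major, minor, patch) out of an `ssh -V` line or a server banner.

    Assumption: a release without a 'pN' suffix (the OpenBSD base release) is
    treated as equivalent to the first portable release, i.e. patch level 1.
    """
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no OpenSSH version found in {text!r}")
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch) if patch else 1)


def affected_cves(text: str) -> List[str]:
    """Return the CVE ids whose affected range contains this version."""
    version = parse_openssh_version(text)
    return [cve for cve, (low, high) in AFFECTED.items() if low <= version <= high]


def verify_host_key_dns_enabled(ssh_config: str) -> bool:
    """True if any VerifyHostKeyDNS directive is set to 'yes' or 'ask'.

    Deliberately conservative: a directive inside any Host block counts,
    because the client uses the first value obtained for whichever host
    pattern matches, and an auditor cannot know which hosts will be contacted.
    """
    for raw in ssh_config.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        if len(parts) == 2 and parts[0].lower() == "verifyhostkeydns":
            if parts[1].strip().lower() in ("yes", "ask"):
                return True
    return False


def audit(version_text: str, ssh_config: str) -> Dict[str, Any]:
    """Combine both checks into one verdict for a host."""
    cves = affected_cves(version_text)
    dns_enabled = verify_host_key_dns_enabled(ssh_config)
    return {
        "version": parse_openssh_version(version_text),
        "fixed_in": FIXED_IN,
        "affected": cves,
        "verify_host_key_dns": dns_enabled,
        # the MitM bug only bites when the option is on; the DoS needs no precondition
        "mitm_exposed": "CVE-2025-26465" in cves and dns_enabled,
        "dos_exposed": "CVE-2025-26466" in cves,
        "needs_upgrade": bool(cves),
    }


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real host.
    sample_version = "OpenSSH_9.9p1, OpenSSL 3.0.13 30 Jan 2024"
    sample_config = "Host *\n    VerifyHostKeyDNS ask\n    HashKnownHosts yes\n"
    print(audit(sample_version, sample_config))
```

Feed it the output of `ssh -V` (which goes to stderr) and the contents of /etc/ssh/ssh_config plus ~/.ssh/config; a host on an affected version with VerifyHostKeyDNS off still needs the upgrade for the DoS, which the `dos_exposed` field keeps separate from the MitM verdict.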
@csoonline.com - 15d
A high-severity SQL injection vulnerability, identified as CVE-2025-1094, has been discovered in PostgreSQL's psql interactive tool. Rapid7 researchers found that threat actors exploited this zero-day flaw in conjunction with a BeyondTrust vulnerability (CVE-2024-12356) during targeted attacks in December 2024: the attackers who exploited that flaw in BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) products likely also exploited the previously unknown SQL injection in PostgreSQL.
The vulnerability lets an attacker execute arbitrary SQL commands and, through psql, potentially OS commands. It stems from how PostgreSQL's quoting routines handle invalid UTF-8: text that fails encoding validation is not fully neutralized, which allows an attacker to inject psql's "\!" meta-command, which runs a shell command. Rapid7 found that successful exploitation of the BeyondTrust vulnerability required chaining CVE-2025-1094 to achieve remote code execution. Patches have been released for PostgreSQL versions 13 through 17 to address this issue, and users are advised to upgrade their database servers immediately.
References:
- The Register - Security: High-complexity bug unearthed by infoseccers, as Rapid7 probes exploit further A high-severity SQL injection bug in the PostgreSQL interactive tool was exploited alongside the zero-day used to break into the US Treasury in December, researchers say.…
- Caitlin Condon: CVE-2025-1094 is a SQL injection flaw in PostgreSQL's psql interactive tool that was discovered while analyzing BeyondTrust RS CVE-2024-12356. The bug is interesting — 🧵on its relation to BeyondTrust exploitation
- securityaffairs.com: Threat actors are exploiting a zero-day SQL injection vulnerability in PostgreSQL, according to researchers from cybersecurity firm Rapid7.
- The Hacker News: Threat actors who were behind the exploitation of a zero-day vulnerability in BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) products in December 2024 likely also exploited a previously unknown SQL injection flaw in PostgreSQL, according to findings from Rapid7.
- www.csoonline.com: PostgreSQL patches SQLi vulnerability likely exploited in BeyondTrust attacks
- infosec.exchange: New vuln disclosure c/o : CVE-2025-1094 is a SQL injection flaw in PostgreSQL's psql interactive tool that was discovered while analyzing BeyondTrust RS CVE-2024-12356. The bug is interesting on its relation to BeyondTrust exploitation
- MSSP feed for Latest: New PostgreSQL Zero-Day Potentially Leveraged in BeyondTrust Attacks
- www.scworld.com: New PostgreSQL zero-day potentially leveraged in BeyondTrust attacks
- Talkback Resources: Rapid7 discovered a zero-day vulnerability in PostgreSQL's psql terminal (CVE-2025-1094) enabling SQL injection, exploited in attacks on BeyondTrust Remote Support systems, compromising US Treasury Department machines.
- Caitlin Condon: CVE-2025-1094 affects all supported versions of PostgreSQL
- Open Source Security: oss-security post (following the February 13 announcement) noting that CVE-2025-1094 is related to BeyondTrust CVE-2024-12356, quoting Caitlin Condon's thread and linking the Rapid7 blog post.
- www.postgresql.org: PostgreSQL security announcement about CVE-2025-1094.
- Open Source Security: Re: CVE-2025-1094: PostgreSQL: Quoting APIs miss neutralizing quoting syntax in text that fails encoding validation, enabling psql SQL injection
- securityonline.info: Metasploit-Ready: CVE-2025-1094 SQLi in PostgreSQL Exposes Systems to Remote Attacks
- Caitlin Condon: Infosec.exchange post linking to various resources related to CVE-2025-1094 in PostgreSQL.
- www.postgresql.org: PostgreSQL announcement about PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19 releases fixing CVE-2025-1094
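The oss-security subject line in the references above states the root cause precisely: the quoting APIs failed to neutralize quoting syntax in text that did not pass encoding validation. The defensive rule that follows is to validate encoding before any quoting or interpolation and to refuse input that fails, rather than escaping it and hoping the quotes hold. The Python below is an added example, not PostgreSQL's or Rapid7's code; the function names (validate_utf8, quote_literal, build_lookup) and the sample inputs are this example's own.

```python
"""Encoding validation before quoting text that is fed to psql.

Added example, not code from the PostgreSQL project or Rapid7.
"""
from typing import Optional


class EncodingError(ValueError):
    """Raised for byte strings that are not well-formed UTF-8."""


def validate_utf8(data: bytes) -> str:
    """Decode strictly: reject stray, overlong or truncated byte sequences
    instead of silently mapping them to U+FFFD."""
    try:
        return data.decode("utf-8", errors="strict")
    except UnicodeDecodeError as exc:
        raise EncodingError(
            f"invalid UTF-8 at byte offset {exc.start}: {exc.reason}"
        ) from exc


def quote_literal(data: bytes) -> str:
    """Quote as a SQL string literal, but only after encoding validation.
    Doubling the single quote is the standard SQL escape; it is only safe
    when every byte before the closing quote is a complete, valid character."""
    text = validate_utf8(data)
    if "\x00" in text:
        raise ValueError("NUL bytes are never valid inside a PostgreSQL string")
    return "'" + text.replace("'", "''") + "'"


def quote_ident(data: bytes) -> str:
    """Quote as a SQL identifier (table or column name) after validation."""
    text = validate_utf8(data)
    return '"' + text.replace('"', '""') + '"'


def build_lookup(username: bytes) -> Optional[str]:
    """Build the statement a maintenance script might pipe into psql.

    Returns None when the input fails validation so the caller logs and aborts;
    nothing malformed ever reaches psql's input stream, where a backslash
    outside a literal would be read as a meta-command.
    """
    try:
        return f"SELECT id FROM users WHERE name = {quote_literal(username)};"
    except (EncodingError, ValueError):
        return None


if __name__ == "__main__":
    # Constructed sample inputs: one well-formed, one with a stray start byte,
    # one with a truncated multibyte sequence.
    for sample in (b"O'Brien", b"ali\xc0ce", b"Zo\xc3\xab", b"ali\xe2\x82"):
        print(sample, "->", build_lookup(sample))
```

Where a script must drive psql with externally supplied values, prefer a database driver's parameter binding, or psql's own `:'name'` variable interpolation, over assembling statements as text; the validation step above is the minimum for the text-assembly case and applies equally to any other encoding-aware quoting routine.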
@cyberscoop.com - 15d
The Chinese nation-state hacking group Salt Typhoon, despite facing US sanctions, continues to actively target telecommunications providers. Between December 2024 and January 2025, Recorded Future observed Salt Typhoon breaching five telecom firms, including a US-based affiliate of a UK telecom provider, a US internet service provider, and companies in Italy, South Africa, and Thailand. The group also performed reconnaissance on a Myanmar-based telecom provider.
Salt Typhoon exploited vulnerabilities in Cisco IOS XE software, specifically CVE-2023-20198 and CVE-2023-20273, to compromise unpatched Cisco devices. They attempted to compromise over 1,000 Cisco routers globally, focusing on those within telecom networks. Additionally, Salt Typhoon targeted universities, including the University of California and Utah Tech, potentially seeking access to research related to telecommunications and engineering.
References:
- cyberscoop.com: Salt Typhoon remains active, hits more telecom networks via Cisco routers
- The Register - Security: More victims of China's Salt Typhoon crew emerge: Telcos just now hit via Cisco bugs
- Carly Page: The China-backed Salt Typhoon group is still hacking telecommunications providers, despite government sanctions. Recorded Future says Salt Typhoon breached five firms between December and January, including a US affiliate of a prominent UK provider and a US-based ISP
- techcrunch.com: The China-backed Salt Typhoon group is still hacking telecommunications providers, despite government sanctions.
- www.wired.com: Wired's coverage of Salt Typhoon's ongoing hacking activities.
- Threats | CyberScoop: Salt Typhoon remains active, hits more telecom networks via Cisco routers
- cyberinsider.com: Chinese Hackers Breach Cisco Devices in Global Telecom Attacks
- securebulletin.com: RedMike (Salt Typhoon) continues global Telecom attacks
- CyberInsider: Chinese Hackers Breach Cisco Devices in Global Telecom Attacks
- Secure Bulletin: Report on RedMike's continued attacks on telecom providers.
- Talkback Resources: Salt Typhoon Targeting Old Cisco Vulnerabilities in Fresh Telecom Hacks [exp] [net]
- Talkback Resources: Chinese state-sponsored APT group Salt Typhoon targets telecommunications providers and universities by exploiting Cisco vulnerabilities, creating privileged accounts, bypassing firewalls, and exfiltrating data using GRE tunnels, prompting organizations to patch devices, enforce access controls, and monitor for unauthorized changes.
- Talkback Resources: Salt Typhoon Targeting Old Cisco Vulnerabilities in Fresh Telecom Hacks
- PCMag UK security: China's Salt Typhoon Spies Are Still Eavesdropping on Global Networks
- ciso2ciso.com: Salt Typhoon Targeting Old Cisco Vulnerabilities in Fresh Telecom Hacks
- ciso2ciso.com: Salt Typhoon Targeting Old Cisco Vulnerabilities in Fresh Telecom Hacks – Source: www.securityweek.com
- securityaffairs.com: China-linked APT Salt Typhoon breached telecoms by exploiting Cisco router flaws
- BleepingComputer: China's Salt Typhoon hackers are still actively targeting telecoms worldwide and have breached more U.S. telecommunications providers via unpatched Cisco IOS XE network devices.
- industrialcyber.co: Insikt Group details RedMike cyber espionage campaign on telecom providers using Cisco vulnerabilities
- securityonline.info: Cybersecurity researchers at Insikt Group have identified an ongoing cyber espionage campaign by RedMike (also tracked as Salt Typhoon).
- Industrial Cyber: Insikt Group details RedMike cyber espionage campaign on telecom providers using Cisco vulnerabilities
- SecureWorld News: Salt Typhoon Expands Espionage Campaign, Targets Cisco Routers
- Cisco Talos Blog: Weathering the storm: In the midst of a Typhoon
- cyberscoop.com: Cisco Talos observed the campaign targeting major U.S. telecommunication companies and observed the attackers primarily used legitimate login credentials to gain initial access, making detection and prevention difficult.
- cyberscoop.com: Salt Typhoon gained initial access to telecoms through Cisco devices
- securityaffairs.com: Salt Typhoon used custom malware JumbledPath to spy U.S. telecom providers
@www.bleepingcomputer.com - 10d
Chinese-linked threat actor Mustang Panda has been observed exploiting the Microsoft Application Virtualization Injector (MAVInject.exe) utility to evade antivirus detection. According to research from Trend Micro, the group injects malicious payloads into legitimate processes, such as waitfor.exe, using MAVInject.exe, a LOLBIN (Living Off the Land Binary). This allows the malware to operate without being flagged by security software. This technique involves combining legitimate software components with malicious code to bypass security measures and maintain control of compromised systems.
Researchers discovered that Mustang Panda initially drops multiple files, including legitimate executables and malicious components, and deploys a decoy PDF. A legitimate Electronic Arts application ("OriginLegacyCLI.exe") is executed to sideload a modified version of the TONESHELL backdoor. The malware then checks for ESET antivirus processes and, if detected, uses "waitfor.exe" and "MAVInject.exe" to inject malicious code. This allows them to evade detection and maintain persistence in compromised systems, ultimately establishing connections with a remote server to receive commands and exfiltrate data.
References:
- www.trendmicro.com: Trend Micro’s Nathaniel Morales & Nick Dai discuss the latest technique used by Earth Preta (Mustang Panda), in which the APT group leverages MAVInject & Setup Factory to deploy payloads, bypass ESET antivirus, & maintain control over compromised systems.
- securityonline.info: Researchers from Trend Micro’s Threat Hunting team have discovered a new campaign by the advanced persistent threat (APT) group Earth Preta (Mustang Panda).
- Talkback Resources: Trend Micro's Threat Hunting team discovered Earth Preta (Mustang Panda) using legitimate and malicious components in a new campaign targeting government entities in the Asia-Pacific region, urging vigilance among cybersecurity professionals, particularly those using ESET antivirus applications.
- Talkback Resources: Earth Preta Mixes Legitimate and Malicious Components to Sidestep Detection [app] [mal]
- securityonline.info: Earth Preta APT Group Evades Detection with Legitimate and Malicious Components
- aboutdfir.com: InfoSec News Nuggets on Chinese APT group abuse of Microsoft's Application Virtualization Injector utility.
- The Hacker News: Chinese Hackers Exploit MAVInject.exe to Evade Detection in Targeted Cyber Attacks
- www.bleepingcomputer.com: Chinese hackers abuse Microsoft APP-v tool to evade antivirus
- Anonymous: The Chinese APT hacking group "Mustang Panda" has been spotted abusing the Microsoft Application Virtualization Injector utility as a LOLBIN to inject malicious payloads into legitimate processes to evade detection by antivirus software.
- BleepingComputer: The Chinese APT hacking group "Mustang Panda" has been spotted abusing the Microsoft Application Virtualization Injector utility as a LOLBIN to inject malicious payloads into legitimate processes to evade detection by antivirus software.
- Know Your Adversary: Here's How Mustang Panda Evades AV and How to Detect It
- BleepingComputer: Infosec Exchange Post about Mustang Panda abusing Microsoft APP-V tool to evade antivirus.
- Information Security Buzz: Mustang Panda APT Exploits Windows Utilities to Slip Through Security Nets
- aboutdfir.com: Chinese hackers abuse Microsoft APP-v tool to evade antivirus. The Chinese APT hacking group “Mustang Panda” has been spotted abusing the Microsoft Application Virtualization Injector utility as a LOLBIN to inject malicious payloads into legitimate processes to evade detection by antivirus software.
- Talkback Resources: Chinese state-sponsored threat actor Mustang Panda is using a novel technique involving MAVInject.exe to inject malicious payloads into external processes, dropping multiple files and deploying a decoy PDF to distract victims, while evading detection and maintaining persistence in compromised systems.
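As an added example (not Trend Micro's detection content), the Python below runs the chain described above against constructed Sysmon-style process-creation events: every execution of MAVInject.exe is surfaced, and the alert is escalated when the injection target is waitfor.exe, when injector and target share a parent, or when that parent runs from a user-writable directory. The command-line shape `mavinject.exe <pid> /INJECTRUNNING <dll>` follows the utility's documented usage; the event records, file paths and function names are this example's assumptions.

```python
"""Surface MAVInject.exe abuse in process-creation telemetry.

Added example, not Trend Micro detection content. All records are constructed.
"""
import re
from pathlib import PureWindowsPath
from typing import Any, Dict, List, Optional

Event = Dict[str, Any]

# Constructed Sysmon Event ID 1 style records (simplified); not real telemetry.
# pid 5500 stands in for the sideloaded OriginLegacyCLI.exe described above, which
# then launches waitfor.exe and points mavinject.exe at it.
EVENTS: List[Event] = [
    {"pid": 4120, "ppid": 900, "image": r"C:\Windows\explorer.exe",
     "cmd": "explorer.exe"},
    {"pid": 5500, "ppid": 4120,
     "image": r"C:\Users\victim\AppData\Local\Temp\setup\OriginLegacyCLI.exe",
     "cmd": "OriginLegacyCLI.exe"},
    {"pid": 5612, "ppid": 5500, "image": r"C:\Windows\System32\waitfor.exe",
     "cmd": "waitfor.exe /t 120 DummySignal"},
    {"pid": 5630, "ppid": 5500, "image": r"C:\Windows\System32\mavinject.exe",
     "cmd": r"mavinject.exe 5612 /INJECTRUNNING C:\Users\victim\AppData\Local\Temp\setup\payload.dll"},
    {"pid": 7000, "ppid": 4120, "image": r"C:\Program Files\Git\git-bash.exe",
     "cmd": "git-bash.exe"},
]

# Directories an unprivileged user can write to; a parent living here is suspicious.
USER_WRITABLE_ROOTS = [PureWindowsPath(p)
                       for p in (r"C:\Users", r"C:\ProgramData", r"C:\Windows\Temp")]


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def in_user_writable_dir(path: str) -> bool:
    parents = PureWindowsPath(path).parents  # PureWindowsPath compares case-insensitively
    return any(root in parents for root in USER_WRITABLE_ROOTS)


def target_pid(cmd: str) -> Optional[int]:
    """MAVInject takes the target PID as its first argument."""
    match = re.match(r"\S+\s+(\d+)\b", cmd)
    return int(match.group(1)) if match else None


def find_mavinject_alerts(events: List[Event]) -> List[Dict[str, Any]]:
    by_pid = {e["pid"]: e for e in events}
    alerts: List[Dict[str, Any]] = []
    for event in events:
        if basename(event["image"]) != "mavinject.exe":
            continue
        reasons = ["mavinject.exe executed: App-V injector used as a living-off-the-land binary"]
        severity = "medium"
        parent = by_pid.get(event["ppid"])
        target = by_pid.get(target_pid(event["cmd"]))
        if target is not None and basename(target["image"]) == "waitfor.exe":
            reasons.append("injection target is waitfor.exe, which only sleeps waiting for a signal")
            severity = "high"
        if target is not None and target["ppid"] == event["ppid"]:
            reasons.append("injector and target were spawned by the same parent")
            severity = "high"
        if parent is not None and in_user_writable_dir(parent["image"]):
            reasons.append(f"parent {basename(parent['image'])} runs from a user-writable directory")
            severity = "high"
        alerts.append({"pid": event["pid"], "severity": severity,
                       "target_image": target["image"] if target else None,
                       "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_mavinject_alerts(EVENTS):
        print(alert["severity"].upper(), alert["pid"], "->", alert["target_image"])
        for reason in alert["reasons"]:
            print("   -", reason)
```

On a host with no App-V deployment the first reason alone is worth a ticket; the remaining three are what separate this campaign's chain from an administrator testing the tool, so keep them as separate fields rather than folding them into one score.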
info@thehackernews.com (The Hacker News)@The Hacker News - 11d
A new Golang-based backdoor has been discovered that leverages the Telegram Bot API for command-and-control (C2) communications. Cybersecurity researchers at Netskope Threat Labs detailed the malware, suggesting it may be of Russian origin. According to security researcher Leandro Fróes, the malware, while seemingly still under development, is fully functional and acts as a backdoor once executed. The backdoor utilizes an open-source library offering Golang bindings for the Telegram Bot API.
Once launched, the malware checks if it’s running under a specific location and name ("C:\Windows\Temp\svchost.exe"). If not, it copies itself to that location and creates a new process. The backdoor interacts with the Telegram Bot API to receive commands from an attacker-controlled chat, supporting commands to execute PowerShell commands, relaunch itself, and self-destruct. Though not fully fleshed out, a screenshot command is also present.
Netskope notes that cloud applications such as Telegram present a challenge for defenders, because attackers exploit the ease of use and setup these apps offer during various attack phases. The use of Russian in the "/cmd" instruction, which sends the message "Enter the command:" in Russian, further supports the assessment of a possible Russian origin. Its Telegram-based C2 and its ability to run PowerShell commands and self-destruct are aimed at evading detection.
Recommended read:
References :
- ciso2ciso.com: New Golang-Based Backdoor Uses Telegram Bot API for Evasive C2 Operations – Source:thehackernews.com
- securityaffairs.com: New Golang-based backdoor relies on Telegram for C2 communication
- Talkback Resources: New Golang-Based Backdoor Uses Telegram Bot API for Evasive C2 Operations [mal]
- The Hacker News: New Golang-Based Backdoor Uses Telegram Bot API for Evasive C2 Operations
- hackread.com: Hackers Exploit Telegram API to Spread New Golang Backdoor with Russian Connection
- Talkback Resources: New Golang-Based Backdoor Uses Telegram Bot API for Evasive C2 Operations
- securityonline.info: A new Golang-based backdoor, potentially of Russian origin, uses Telegram for C2 communication, exploiting cloud apps for enhanced stealth.
- Talkback Resources: Talkback.sh article summarizing a new Golang-based backdoor using Telegram Bot API for evasive C2 operations.
- www.scworld.com: Telegram API exploited by new Golang backdoor
- Security Risk Advisors: New #Golang backdoor abuses #Telegram Bot API for stealthy remote commands and self-destruct.
- securityonline.info: Security researchers at Netskope Threat Labs have uncovered a new backdoor malware written in Golang that leverages Telegram.
- Threat Labs - Netskope: 🚩Golang Malware Uses Telegram Bot API for Stealthy Remote Commands and Data Exfiltration
- www.csoonline.com: Russian malware discovered with Telegram hacks for C2 operations
Juan Perez@Tenable Blog - 7d
The Ghost (Cring) ransomware group, known for exploiting known vulnerabilities in unpatched software and firmware, remained active as of January 2025. A joint cybersecurity advisory (AA25-050A) issued on February 19, 2025 by the FBI, CISA and MS-ISAC warns the global defender community about this financially motivated group's ongoing attacks.
Ghost (Cring) first appeared in early 2021 and has hit organizations in more than 70 countries by compromising vulnerable, internet-facing services. Because the group relies on old, publicly known flaws rather than novel exploits, patching known vulnerabilities and basic infosec hygiene go a long way in defending against it. The SOC Prime Platform has curated Sigma rules to help detect Ghost (Cring) ransomware activity.
Recommended read:
References :
- SecureWorld News: The FBI, CISA, and MS-ISAC have issued a joint cybersecurity advisory warning organizations about Ghost (Cring) ransomware, a sophisticated cyber threat that has been compromising critical infrastructure, businesses, and government entities worldwide.
- Tenable Blog: Rapid7 discusses Ghost Ransomware group targeting known Vulns.
- aboutdfir.com: The operators of Ghost ransomware continue to claim victims and score payments, but keeping the crooks at bay is possible by patching known vulnerabilities and some basic infosec actions.
- Resources-2: Picus Security provides Ghost (Cring) Ransomware Analysis, Simulation, and Mitigation.
- socprime.com: Ghost (Cring) Ransomware Detection: The FBI, CISA, and Partners Warn of Increasing China-Backed Group’s Attacks for Financial Gain
- SOC Prime Blog: The FBI, CISA, and partners have recently issued a joint cybersecurity alert warning the global cyber defender community of increasing Ghost (Cring) ransomware attacks aimed at financial gain.
- thecyberexpress.com: A Ghost ransomware group also referred to as Cring, has been actively exploiting vulnerabilities in software and firmware as recently as January 2025.
- Security Boulevard: [CISA AA25-050A] #StopRansomware: Ghost (Cring) Ransomware
- www.attackiq.com: [CISA AA25-050A] #StopRansomware: Ghost (Cring) Ransomware
- industrialcyber.co: CISA, FBI, MS-ISAC warn of Ghost ransomware
- aboutdfir.com: The operators of Ghost ransomware continue to claim victims and score payments, but keeping the crooks at bay is possible by patching known vulnerabilities and some basic infosec actions, according to a joint advisory issued Wednesday by the FBI and US Cybersecurity and
- securebulletin.com: Secure Bulletin provides an analysis of tactics, targets, and techniques used by Ghost Ransomware.
- Secure Bulletin: Securebulletin article on Ghost Ransomware
- The Register - Security: Ghost ransomware crew continues to haunt IT depts with scarily bad infosec
- cyble.com: FBI-CISA Ghost Ransomware Warning Shows Staying Power of Old Vulnerabilities
- aboutdfir.com: News article covering the joint advisory from CISA and the FBI on the Ghost/Cring ransomware.
@Talkback Resources - 10d
Juniper Networks has addressed a critical authentication bypass vulnerability, tracked as CVE-2025-21589, affecting its Session Smart Router, Session Smart Conductor, and WAN Assurance Managed Router products. The flaw, found during Juniper's internal security testing, allows a network-based attacker to bypass authentication on the product API and gain administrative control of affected devices. It carries a critical CVSS score of 9.8.
Juniper has released fixed software versions, SSR-5.6.17, SSR-6.1.12-lts, SSR-6.2.8-lts, and SSR-6.3.3-r2, and advises users to upgrade affected systems promptly. For conductor-managed deployments, upgrading only the Conductor nodes is sufficient, while WAN Assurance routers connected to the Mist Cloud have already been patched automatically.
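Turning the fix list above into a fleet check is mostly a version-ordering problem, because the fixed release differs per train and carries suffixes such as -lts and -r2. The script below is an added example, not Juniper tooling. It assumes that an -rN suffix is an ordered respin of the same x.y.z (so 6.3.3-r1 sorts before 6.3.3-r2), that every lower version in a train the bulletin lists should be treated as affected (a conservative reading; the vendor bulletin gives the exact affected ranges), that a train not listed on this page is reported as unknown rather than guessed, and that a router managed by an already-fixed Conductor counts as mitigated, as the bulletin's guidance states. The inventory records are constructed.

```python
"""Triage Session Smart Router / Conductor versions against the fixed
releases named in the bulletin. Added example; not Juniper's tooling."""
import re

# Fixed releases listed in the bulletin, keyed by (major, minor) train.
FIXED_BY_TRAIN = {
    (5, 6): "5.6.17",
    (6, 1): "6.1.12-lts",
    (6, 2): "6.2.8-lts",
    (6, 3): "6.3.3-r2",
}

# Optional "SSR-" prefix, x.y.z, then an optional "-lts" or "-rN" suffix.
# Assumption: "-rN" is an ordered respin of the same x.y.z and a bare
# x.y.z sorts before x.y.z-r1; "-lts" carries no ordering information.
_VERSION_RE = re.compile(
    r"^(?:SSR-)?(\d+)\.(\d+)\.(\d+)(?:-(?:lts|r(\d+)))?$", re.IGNORECASE
)


def parse_version(text: str) -> tuple:
    """Return (major, minor, patch, respin) so tuples compare correctly."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised SSR version string: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    respin = int(m.group(4)) if m.group(4) else 0
    return (major, minor, patch, respin)


def version_status(text: str) -> str:
    v = parse_version(text)
    fixed = FIXED_BY_TRAIN.get(v[:2])
    if fixed is None:
        # Train not covered by the fix list on this page: consult the bulletin.
        return "unknown-train"
    return "fixed" if v >= parse_version(fixed) else "affected"


def triage(inventory: list) -> dict:
    """inventory entries: {"name", "role": "conductor"|"router",
    "version", "conductor": name of the managing Conductor or None}."""
    by_name = {d["name"]: d for d in inventory}
    result = {}
    for d in inventory:
        status = version_status(d["version"])
        mgr = d.get("conductor")
        # Per the bulletin, upgrading the Conductor covers the routers it manages.
        if (status == "affected" and d["role"] == "router" and mgr in by_name
                and version_status(by_name[mgr]["version"]) == "fixed"):
            status = "mitigated-by-conductor"
        result[d["name"]] = status
    return result


# Constructed inventory; names and versions are not from any real deployment.
SAMPLE_INVENTORY = [
    {"name": "cond-1", "role": "conductor", "version": "6.2.8-lts", "conductor": None},
    {"name": "edge-1", "role": "router", "version": "6.2.7-lts", "conductor": "cond-1"},
    {"name": "edge-2", "role": "router", "version": "6.1.11-lts", "conductor": None},
    {"name": "lab-1", "role": "router", "version": "SSR-6.3.3-r2", "conductor": None},
    {"name": "edge-3", "role": "router", "version": "6.4.1", "conductor": None},
]

if __name__ == "__main__":
    for name, status in triage(SAMPLE_INVENTORY).items():
        print(f"{name:8} {status}")
```

Anything reported as "unknown-train" needs a human to read the vendor bulletin rather than a script to guess; the same applies to WAN Assurance routers on the Mist Cloud, which are patched automatically and are not modelled here.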
Recommended read:
References :
- securityaffairs.com: Juniper Networks fixed a critical flaw in Session Smart Routers
- Talkback Resources: Juniper Session Smart Routers Vulnerability Could Let Attackers Bypass Authentication [exp] [net]
- securityonline.info: CVE-2025-21589 (CVSS 9.8): Critical Authentication Bypass Flaw in Juniper Session Smart Routers
- The Hacker News: Juniper Session Smart Routers Vulnerability Could Let Attackers Bypass Authentication
- www.bleepingcomputer.com: Juniper Patches Critical Auth Bypass in Session Smart Routers
- www.heise.de: Juniper Session Smart Router: Security leak enables takeover
- Vulnerability-Lookup: Vulnerability ncsc-2025-0062 has received a comment on Vulnerability-Lookup: 2025-02: Out-of-Cycle Security Bulletin: Session Smart Router, Session Smart Conductor, WAN Assurance Router: API Authentication Bypass Vulnerability (CVE-2025-21589)
- BleepingComputer: Infosec Exchange Post: Juniper Networks has patched a critical vulnerability that allows attackers to bypass authentication and take over Session Smart Router (SSR) devices.
- socradar.io: Security Flaws in OpenSSH and Juniper Networks Demand Action (CVE-2025-26465, CVE-2025-26466, and CVE-2025-21589)
- Talkback Resources: CVE-2025-21589 (CVSS 9.8): Critical Authentication Bypass Flaw in Juniper Session Smart Routers [app] [net]
- BleepingComputer: Juniper Networks has patched a critical vulnerability that allows attackers to bypass authentication and take over Session Smart Router (SSR) devices.
- Anonymous: Juniper Networks has patched a critical vulnerability that allows attackers to bypass authentication and take over Session Smart Router (SSR) devices.
- cyble.com: Major Security Flaw in Juniper Networks Routers: How to Protect Your Systems
Dissent@DataBreaches.Net - 7d
Major Australian IVF provider Genea has confirmed a cybersecurity incident in which an unauthorized third party accessed its data. After detecting suspicious activity on its network, the company shut down some systems and servers to investigate the extent of the breach. Genea is working to determine what specific data was compromised and to secure its systems. The incident disrupted patient services, including phone lines, the Genea app, and email, which was particularly disruptive for patients whose IVF treatment cycles depend on timely processing of blood test results.
Genea has stated that it is "urgently investigating" the incident and will contact any individuals whose personal data has been compromised, while working to restore systems and minimize disruption across its clinics in Australia. Subsequent reporting (see the references below) attributed the attack to the Termite ransomware gang, which listed Genea on its dark web leak site; a court order Genea obtained to restrain publication of the stolen data states that the attackers breached the network on January 31 and took more than 900GB of data. The incident has renewed concerns about the security of patient data held by healthcare providers.
Recommended read:
References :
- Carly Page: Australian IVF giant Genea has disclosed a cybersecurity incident that disrupted patient services and led to the access of potentially sensitive information
- ciso2ciso.com: Australian IVF Clinic Suffers Data Breach Following Cyber Incident – Source: www.infosecurity-magazine.com
- www.cybersecurity-insiders.com: Genea Australia data breach and Black Basta Ransomware gang data leak Genea IVF Australia, a leading fertility service provider and one of the three largest in the country, has confirmed that it has fallen victim to a significant cyberattack, resulting in a data breach.
- DataBreaches.Net: Major Australian IVF provider Genea suffers ‘cyber incident’
- techcrunch.com: Australian IVF giant Genea has disclosed a cybersecurity incident that disrupted patient services and led to the access of potentially sensitive information
- kirbyidau.com: Incident: Australian IVF provider Genea in cyber incident | iTnews
- www.scworld.com: Cyberattack compromises leading Australian IVF provider's data
- kirbyidau.com: Kirbyidau - Australian IVF provider Genea in cyber incident | iTnews
- Carly Page: Australian IVF provider Genea confirms hackers have leaked sensitive patient data after Termite listed the firm on its dark web site. A court order prohibiting publication of the stolen data reveals that hackers breached Genea's network on January 31 to steal more than 900GB of information
- The420.in: Termite Ransomware Gang Breaches Australian IVF Giant Genea
- bsky.app: The Termite ransomware gang has claimed responsibility for breaching and stealing sensitive healthcare data belonging to Genea patients, one of Australia's largest fertility services providers.
- thecyberexpress.com: Cyberattack on Australia’s Genea: Stolen Patient Data Hits the Dark Web
@ciso2ciso.com - 13d
The US Coast Guard is facing increasing pressure to bolster its cybersecurity defenses within the Maritime Transportation System (MTS). A recent Government Accountability Office (GAO) report highlights critical shortcomings in the Coast Guard's cybersecurity strategy, including a lack of comprehensive planning and unreliable access to vulnerability data. This leaves the MTS, which supports $5.4 trillion in annual economic activity and over 30 million jobs, vulnerable to attacks from foreign governments, transnational criminals, and hacktivists.
The GAO audit, conducted between December 2023 and December 2024, revealed that while the Coast Guard developed a cybersecurity strategy in 2021, it lacks key components such as clearly defined national security risks, measurable targets, and an implementation budget. The report also found that the Coast Guard's system for managing cybersecurity checks on facilities and vessels does not readily provide complete information about cybersecurity problems. The GAO has made five recommendations to the Coast Guard to address these vulnerabilities.
Recommended read:
References :
- ciso2ciso.com: Probe finds US Coast Guard has left maritime cybersecurity adrift
- The Register - Security: Probe finds US Coast Guard has left maritime cybersecurity adrift
- Graham Cluley: US Coast Guard Urged to Strengthen Cybersecurity Amid $2B Daily Port Risk
@cyberinsider.com - 10d
Lee Enterprises, a major newspaper publisher with 77 newspapers and 350 weekly publications, has confirmed that a recent system outage was caused by a ransomware attack. The cyberattack disrupted newspaper operations starting in early February. The attackers are suspected of using double-extortion tactics, encrypting critical applications and exfiltrating files.
Separately, cybercriminals ran a large-scale campaign, dubbed StaryDobry, that distributed the XMRig cryptominer through trojanized game installers. The attackers targeted users worldwide, including in Russia, Brazil, Germany, Belarus, and Kazakhstan. Cracked versions of popular games such as BeamNG.drive, Garry's Mod, Dyson Sphere Program, Universe Sandbox, and Plutocracy were used to deliver the malware. Once run, the installer extracts and executes a malicious payload that injects the cryptominer into the victim's system.
Recommended read:
References :
- cyberinsider.com: Lee Enterprises has officially confirmed that the cyberattack disrupting its newspaper operations since early February was a ransomware incident.
- www.bleepingcomputer.com: Newspaper publishing giant Lee Enterprises has confirmed that a ransomware attack is behind ongoing disruptions impacting the group's operations for over two weeks.
- BleepingComputer: Newspaper publishing giant Lee Enterprises has confirmed that a ransomware attack is behind ongoing disruptions impacting the group's operations for over two weeks.
- The Register - Security: US newspaper publisher uses linguistic gymnastics to avoid saying its outage was due to ransomware
- Cybernews: Lee Enterprises expects that a recent cyberattack will most likely have a material impact on its operations.
- CyberInsider: Lee Enterprises has officially confirmed that the cyberattack disrupting its newspaper operations since early February was a ransomware incident.
- DataBreaches.Net: Newspaper publishing giant Lee Enterprises said an ongoing cyberattack is causing disruptions across its business, and is now in its third week of outages.
- Talkback Resources: Lee Enterprises Newspaper Disruptions Caused by Ransomware [for] [mal]
- securityonline.info: Cracked Games, Cryptojacked PCs: The StaryDobry Campaign
Pierluigi Paganini@Security Affairs - 5d
Microsoft has issued updates to address CVE-2025-24989, a high-severity vulnerability in its Power Pages platform that is already being actively exploited in the wild. Threat actors can use the flaw to escalate privileges over a network and bypass user registration controls, granting them unauthorized access to affected sites.
Microsoft reports that the vulnerability only affects certain Power Pages users and urges customers to examine their websites for signs of compromise. U.S. CISA has added the Power Pages flaw to its Known Exploited Vulnerabilities catalog.
Recommended read:
References :
- securityaffairs.com: U.S. CISA adds Microsoft Power Pages flaw to its Known Exploited Vulnerabilities catalog
- socradar.io: Microsoft Patches Power Pages Zero-Day (CVE-2025-24989) & Recent PAN-OS Flaw (CVE-2025-0111) Joins CISA KEV
- www.scworld.com: Actively exploited Microsoft Power Pages flaw patched
- Report Boom: Microsoft has addressed a high-severity issue in Power Pages, CVE-2025-24989...
@www.reliaquest.com - 10d
ReliaQuest researchers are warning that the BlackLock ransomware group is poised to become the most prolific ransomware-as-a-service (RaaS) operation in 2025. BlackLock, also known as El Dorado, first emerged in early 2024 and quickly ascended the ranks of ransomware groups. By the fourth quarter of 2024, it was already the seventh most prolific group based on data leaks, experiencing a massive 1,425% increase in activity compared to the previous quarter.
BlackLock's success is attributed to its active presence and strong reputation within the RAMP forum, a Russian-language platform for ransomware activities. The group is also known for its aggressive recruitment of traffers, initial access brokers, and affiliates. They employ double extortion tactics, encrypting data and exfiltrating sensitive information, threatening to publish it if a ransom is not paid. Their custom-built ransomware targets Windows, VMWare ESXi, and Linux environments.
Recommended read:
References :
- AAKL: ReliaQuest: Threat Spotlight: Inside the World’s Fastest Rising Ransomware Operator — BlackLock More: Infosecurity-Magazine: BlackLock On Track to Be 2025’s Most Prolific Ransomware Group
- Christoffer S.: ReliaQuest Inside the World’s Fastest Rising Ransomware Operator - BlackLock Somewhat of a deep dive into a relatively new RaaS (BlackLock), a very active group both on RAMP and with adding new victims to their leaksite.
- www.helpnetsecurity.com: BlackLock ransomware onslaught: What to expect and how to fight it
- www.reliaquest.com: ReliaQuest: Threat Spotlight: Inside the World’s Fastest Rising Ransomware Operator — BlackLock
- Help Net Security: In-depth analysis of the BlackLock ransomware group and their operational methods.
- www.infosecurity-magazine.com: ReliaQuest: Threat Spotlight: Inside the World’s Fastest Rising Ransomware Operator — BlackLock More: Infosecurity-Magazine: BlackLock On Track to Be 2025’s Most Prolific Ransomware Group
- cyberpress.org: BlackLock Ransomware Evolves: Threatens Windows, VMware ESXi, and Linux Systems
- gbhackers.com: BlackLock Ransomware Targets Windows, VMware ESXi, & Linux Environments
- Cyber Security News: BlackLock Ransomware Evolves: Threatens Windows, VMware ESXi, and Linux Systems
@Talkback Resources - 4d
Google Cloud has launched quantum-safe digital signatures in its Cloud Key Management Service (Cloud KMS), now available in preview. The feature prepares customers for future quantum threats by following the National Institute of Standards and Technology's (NIST) post-quantum cryptography (PQC) standards, giving developers a quantum-resistant signing option inside a managed key service.
Google's implementation adds the NIST-standardized algorithms ML-DSA (FIPS 204) and SLH-DSA (FIPS 205), so that signing and verification remain secure against attacks by a cryptographically relevant quantum computer. Digital signatures are the urgent case for PQC because a signature must stay trustworthy for the lifetime of what it protects, which is why systems such as critical infrastructure firmware or software update chains are the first candidates. Exposing these algorithms through Cloud KMS lets organizations manage quantum-safe keys alongside classical ones and migrate in phases.
Recommended read:
References :
- gbhackers.com: Google Introduces Quantum-Safe Digital Signatures in Cloud KMS
- BleepingComputer: Google Cloud has introduced quantum-safe digital signatures to its Cloud Key Management Service (Cloud KMS), making them available in preview.
- Talkback Resources: Google Cloud KMS Adds Quantum-Safe Digital Signatures to Defend Against Future Threats [cloud] [crypto]
- gbhackers.com: Google Cloud has unveiled a critical cybersecurity upgrade: quantum-safe digital signatures via its Key Management Service (Cloud KMS), now available in preview.
- www.bleepingcomputer.com: BleepingComputer reports on Quantum-Safe Digital Signatures.
- The Quantum Insider: Google Expands Post-Quantum Cryptography Support with Quantum-Safe Digital Signatures
Aman Mishra@gbhackers.com - 3d
Google, in collaboration with its Mandiant Threat Intelligence team, has issued a warning about a surge in phishing campaigns targeting higher education institutions in the United States. These campaigns, observed since August 2024, have exploited the academic calendar and institutional trust to deceive students, faculty, and staff. The attacks have been linked to a broader campaign dating back to at least October 2022, targeting thousands of users monthly.
The phishing attacks are strategically timed to coincide with key academic events such as the start of the school year and financial aid deadlines. Attackers have tricked victims into revealing sensitive credentials and financial information by leveraging these high-pressure periods. The campaigns employ various tactics, including hosting malicious Google Forms on compromised university domains and cloning university login portals to carry out payment redirection attacks. Google is addressing security concerns surrounding SMS 2FA codes by replacing Gmail’s SMS authentication with QR codes in the coming months.
Recommended read:
References :
- gbhackers.com: Google, in collaboration with its Mandiant Threat Intelligence team, has issued a warning about a surge in phishing campaigns targeting higher education institutions in the United States.
- Virus Bulletin: Researchers from Google's Mandiant have observed a notable increase in phishing attacks targeting the education sector. These attacks, timed to coincide with key dates in the academic calendar, exploit trust within academic institutions to deceive students, faculty & staff.
- Cyber Security News: Google, in collaboration with Mandiant, has issued a warning about a surge in phishing campaigns targeting higher education institutions in the United States.
- Anonymous: Mandiant reported a surge in phishing campaigns targeting U.S. universities, exploiting trust to deceive students and staff, with tactics like Google Forms and website cloning, coinciding with key academic dates.
- be4sec: Is your university prepared for the latest wave of phishing attacks? A recent blog post on Google Cloud dives deep into the concerning increase in phishing campaigns specifically targeting higher education institutions.