CyberSecurity news
FlagThis - #cybersecurity
|
@cyble.com
//
References:
securityaffairs.com
, ciso2ciso.com
,
A China-linked Advanced Persistent Threat (APT) group, known as UNC5221, has been actively exploiting critical vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) software. Researchers from EclecticIQ have observed this group chaining two specific flaws, identified as CVE-2025-4427 and CVE-2025-4428, to target organizations across Europe, North America, and the Asia-Pacific region. These vulnerabilities allow for unauthenticated remote code execution, potentially granting the attackers deep access to compromised systems.
The targeted sectors include critical infrastructure such as telecommunications, healthcare, government, defense, finance, and aviation. The exploitation of these flaws began shortly after their disclosure, highlighting the speed at which UNC5221 moved to take advantage of the vulnerabilities. CISA has added the Ivanti EPMM flaw, among others, to its Known Exploited Vulnerabilities catalog, emphasizing the severity of the risk and urging organizations to apply necessary patches. The attacks facilitate further intrusion and data exfiltration, potentially leading to significant breaches and compromise of sensitive information. This campaign underscores the ongoing threat posed by state-sponsored cyberespionage and the importance of proactive security measures to defend against such attacks. Recommended read:
References :
@cyberinsider.com
//
Adidas has confirmed a data breach impacting customer data via a third-party customer service provider. According to Adidas, the compromised data primarily consists of contact information of customers who had previously contacted their customer service help desk. The company assures that sensitive information like passwords, credit card, or any other payment-related information were not affected in the incident.
Adidas became aware that an unauthorized external party obtained certain consumer data through a third-party customer service provider. Adidas has immediately taken steps to contain the incident and launched a comprehensive investigation, collaborating with leading information security experts. The company is currently notifying affected customers and is cooperating with data protection authorities and investigators as required by law. This breach marks the third publicly acknowledged incident involving the sportswear giant’s customer service systems recently. The company is working to clarify the situation, reinforcing the importance of securing third-party providers to prevent them from becoming a gateway for attackers to access target systems. Adidas expressed that they remain fully committed to protecting the privacy and security of their consumers and sincerely regret any inconvenience or concern caused by this incident. Recommended read:
References :
@www.helpnetsecurity.com
//
A newly identified Russian cyber-espionage group, known as Laundry Bear by Dutch intelligence and Void Blizzard by Microsoft, has been actively targeting Western organizations since at least April 2024. This group is believed to be backed by the Russian government and is primarily focused on gathering intelligence to support Russian strategic interests. Laundry Bear's targets include government entities, defense contractors, aerospace firms, and high-tech businesses in Europe and North America, particularly those supporting Ukraine. The group's activities suggest an interest in sensitive information related to military goods, weapons deliveries, and advanced technologies that are difficult for Russia to acquire due to Western sanctions.
The primary objective of Laundry Bear is to steal sensitive emails and files from compromised systems. They achieve this by targeting cloud-based email environments, specifically Microsoft Exchange. The group employs a range of techniques, including pass-the-cookie attacks, password spraying, and spear phishing aimed at credential theft. Notably, the Dutch intelligence services identified Laundry Bear during an investigation into a credential-stealing attack against the Dutch National Police in September 2024. During this attack, Laundry Bear gained access to an account belonging to a Dutch police employee by using a stolen session cookie to obtain work-related contact information of other police employees. Microsoft has also observed Laundry Bear targeting critical sectors such as government, defense, transportation, media, NGOs, and healthcare, with a focus on organizations in Europe, North America, NATO member states, and Ukraine. The group frequently gains access by using stolen credentials, likely purchased from online marketplaces. Despite employing relatively simple attack methods and readily available tools, Laundry Bear has achieved a high success rate due to quick-paced cyber operations and efficient automation. Microsoft recommends organizations implement robust security measures to defend against such threats. Recommended read:
References :
@securityonline.info
//
A critical security vulnerability has been discovered in vBulletin forum software, tracked as CVE-2024-45721, that enables unauthenticated attackers to execute arbitrary code on unpatched systems. This flaw puts millions of online communities at risk of full server compromise. The vulnerability affects vBulletin versions 6.0.0 through 6.1.4 and stems from improper sanitization of user inputs in template rendering modules. Discovered by cybersecurity firm SentinelWatch on May 22, 2025, the flaw has already seen significant exploitation attempts, with over 12,000 attack vectors targeting forums in various sectors within 48 hours of public disclosure.
Exploitation of the vulnerability involves crafting malicious forum posts containing payloads that bypass built-in sandboxing through parameter smuggling techniques. Attackers leverage vBulletin’s `vb:rawtemplate` directive, which fails to properly validate nested function calls when processing user-generated content. Successful exploitation grants SYSTEM-level privileges on Windows hosts and www-data access on Linux systems, enabling the installation of web shells, credential harvesters, and cryptocurrency miners. Proof-of-concept exploits have demonstrated the ability to execute OS commands even when PHP security hardening measures are present, by using PHP's `unserialize()` function with crafted OPcache configurations to bypass `disable_functions` restrictions. In response to the widespread exploitation, vBulletin released patch 6.1.5 on May 25, 2025, which introduces granular template validation. However, as of the latest reports, 68% of installations remain unupdated, leaving a significant number of forums vulnerable. Observed attack clusters include cryptojacking campaigns, data exfiltration, and precursors to ransomware attacks. Notably, 58% of compromised forums had hidden Monero miners installed, while attackers cloned user databases from 23 gaming communities containing 14 million records, now circulating on dark web markets. Additionally, six enterprise forums received tailored malware potentially leading to Black Basta ransomware deployment. Recommended read:
References :
karlo.zanki@reversinglabs.com (Karlo@Blog (Main)
//
References:
Blog (Main)
, www.tripwire.com
,
Cybersecurity experts are raising alarms over the increasing use of artificial intelligence for malicious purposes. ReversingLabs (RL) researchers recently discovered a new malicious campaign targeting the Python Package Index (PyPI) that exploits the Pickle file format. This attack involves threat actors distributing malicious ML models disguised as a "Python SDK for interacting with Aliyun AI Labs services," preying on users of Alibaba AI labs. Once installed, the package delivers an infostealer payload hidden inside a PyTorch model, exfiltrating sensitive information such as machine details and contents of the .gitconfig file. This discovery highlights the growing trend of attackers leveraging AI and machine learning to compromise software supply chains.
Another significant security concern is the rise of ransomware attacks employing social engineering tactics. The 3AM ransomware group has been observed impersonating IT support personnel to trick employees into granting them remote access to company networks. Attackers flood an employee's inbox with unsolicited emails and then call, pretending to be from the organization's IT support, using spoofed phone numbers to add credibility. They then convince the employee to run Microsoft Quick Assist, granting them remote access to "fix" the email issue, allowing them to deploy malicious payloads, create new user accounts with admin privileges, and exfiltrate large amounts of data. This highlights the need for comprehensive employee training to recognize and defend against social engineering attacks. The US Department of Justice has announced charges against 16 Russian nationals allegedly tied to the DanaBot malware operation, which has infected at least 300,000 machines worldwide. The indictment describes how DanaBot was used in both for-profit criminal hacking and espionage against military, government, and NGO targets. This case illustrates the blurred lines between cybercrime and state-sponsored cyberwarfare, with a single malware operation enabling various malicious activities, including ransomware attacks, cyberattacks in Ukraine, and spying. The Defense Criminal Investigative Service (DCIS) has seized DanaBot infrastructure globally, underscoring the severity and scope of the threat posed by this operation. Recommended read:
References :
Waqas@hackread.com
//
A massive data breach has exposed over 184 million passwords and login credentials from various online platforms, including major players like Google, Microsoft, Facebook, and Apple. The unprotected database, containing 184,162,718 records, was discovered by security researcher Jeremiah Fowler. The exposed data includes logins for accounts connected to multiple governments, highlighting the severity of the potential impact.
The exposed Elastic database, which was over 47 GB in size, contained a plain text file with millions of sensitive pieces of data, lacking encryption, password protection, or any security measures. Fowler noted the unusual nature of the discovery, as the database didn't offer any clues about its owner or the source of the collected data. The unsecured nature of the database highlights the risks associated with recklessly compiling sensitive information in a single, vulnerable repository. The incident underscores the importance of robust data security practices and the potential consequences of misconfigured or unsecured databases. The exposure of millions of plaintext passwords and login credentials raises significant concerns about potential misuse and unauthorized access to personal accounts. The discovery serves as a stark reminder of the need for organizations to prioritize data protection and implement strong security measures to safeguard sensitive user information. Recommended read:
References :
@ketteringhealth.org
//
Kettering Health, a healthcare network operating 14 medical centers and over 120 outpatient facilities in western Ohio, has been hit by a ransomware attack causing a system-wide technology outage. The cyberattack, which occurred on Tuesday, May 20, 2025, has forced the cancellation of elective inpatient and outpatient procedures and has disrupted access to critical patient care systems, including phone lines, the call center, and the MyChart patient portal. Emergency services remain operational, but emergency crews are being diverted to other facilities due to the disruption. Kettering Health has confirmed they are responding to the cybersecurity incident involving unauthorized access to its network and has taken steps to contain and mitigate the breach, while actively investigating the situation.
The ransomware attack is suspected to involve the Interlock ransomware gang, which emerged last fall and has targeted various sectors, including tech, manufacturing firms, and government organizations. A ransom note, viewed by CNN, claimed the attackers had secured Kettering Health's most vital files and threatened to leak stolen data unless the health network began negotiating an extortion fee. In response to the disruption, Kettering Health has canceled elective procedures and is rescheduling them for a later date. Additionally, the organization is cautioning patients about scam calls from individuals posing as Kettering Health team members requesting credit card payments and has halted normal billing calls as a precaution. The incident highlights the increasing cybersecurity challenges facing healthcare systems. According to cybersecurity experts, healthcare networks often operate with outdated technology and lack comprehensive cybersecurity training for staff, making them vulnerable to attacks. There is a call to action to invest in healthcare cybersecurity, with recommendations for the government and its partners to address understaffed healthcare cyber programs by tweaking federal healthcare funding programs to cover critical cybersecurity expenditures, augmenting healthcare cybersecurity workforces and incentivizing cyber maturity. Recommended read:
References :
@www.first.org
//
References:
Metacurity
, thecyberexpress.com
Researchers from the U.S. National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA) have collaborated to develop a new security metric designed to better assess the likelihood of vulnerability exploitation. This metric aims to enhance the existing Exploit Prediction Scoring System (EPSS) and CISA's Known Exploited Vulnerabilities (KEV) catalog, providing a more refined approach to identifying vulnerabilities that are at high risk of being exploited in the wild. Peter Mell, formerly of NIST, and Jonathan Spring from CISA are credited with outlining this vulnerability exploit metric.
This new metric, detailed in a NIST White Paper titled "Likely Exploited Vulnerabilities," seeks to improve the accuracy with which vulnerabilities are prioritized for remediation. By augmenting the EPSS and KEV lists, the metric intends to provide a clearer understanding of a vulnerability's exploitability. The researchers propose this augmentation as a means to better express how likely a vulnerability is to be exploited, which can aid organizations in focusing their security efforts on the most critical threats. Meanwhile, CISA has recently added six new vulnerabilities to its Known Exploited Vulnerabilities catalog, underscoring the importance of addressing actively exploited flaws. In a related development, Wiz Research has observed in-the-wild exploitation of CVE-2025-4427 and CVE-2025-4428, two recently disclosed vulnerabilities affecting Ivanti Endpoint Manager Mobile (EPMM). These Ivanti EPMM vulnerabilities, which involve a chain of exploits leading to remote code execution, highlight the need for organizations to promptly apply security patches and mitigate potential risks. Recommended read:
References :
@industrialcyber.co
//
A Russian state-sponsored cyber espionage campaign, attributed to the GRU's APT28 (also known as Fancy Bear or Forest Blizzard), has been actively targeting Western logistics entities and technology companies since 2022. This campaign focuses on organizations involved in the coordination, transport, and delivery of foreign assistance to Ukraine. The goal is to gain access to sensitive information and disrupt operations, presenting a serious risk to these targeted organizations and sectors across more than a dozen countries.
These Russian cyber actors have been using a mix of previously disclosed tactics, techniques, and procedures (TTPs), including credential brute force attacks, spear-phishing using multilingual lures, and malware delivery via malicious archives exploiting vulnerabilities. They've also been observed hacking into IP cameras at Ukrainian border crossings to monitor and track aid shipments. The GRU unit, known as military unit 26165, has been linked to compromising a wide array of entities, spanning air, sea, and rail transportation modes. To defend against these threats, organizations are urged to familiarize themselves with the identified TTPs and indicators of compromise (IOCs), increase monitoring and threat hunting, and strengthen their network defenses. The attacks have targeted companies and government organizations in numerous countries, including Bulgaria, the Czech Republic, France, Germany, Greece, Italy, Moldova, the Netherlands, Poland, Romania, Slovakia, Ukraine, and the United States. The advisory is co-signed by over 20 agencies from multiple countries, underscoring the global nature of this threat. Recommended read:
References :
@cyberscoop.com
//
A 19-year-old college student from Worcester, Massachusetts, Matthew Lane, has agreed to plead guilty to charges related to a massive cyberattack on PowerSchool, a cloud-based education software provider. The cyberattack involved extorting millions of dollars from PowerSchool in exchange for not leaking the personal data of millions of students and teachers. Lane exploited stolen credentials to gain unauthorized access to PowerSchool's networks, leading to the theft of sensitive student and teacher data.
The data breach is considered one of the largest single breaches of American schoolchildren's data, affecting approximately 62.4 million students and 9.5 million teachers. According to court documents, Lane obtained stolen data from a U.S. telecommunications company before targeting PowerSchool. After the initial victim refused to pay a ransom, Lane allegedly sought to hack another company that would pay. The stolen information included sensitive details like Social Security numbers and academic records. Lane will plead guilty to multiple charges, including cyber extortion conspiracy, cyber extortion, unauthorized access to protected computers, and aggravated identity theft. The incident has been described by authorities as a serious attack on the economy, with the potential to instill fear in parents regarding the safety of their children's data. This case highlights the increasing risk of cyberattacks targeting educational institutions and the importance of robust cybersecurity measures to protect student and teacher data. Recommended read:
References :
info@thehackernews.com (The@The Hacker News
//
A new cybersecurity threat, dubbed Hazy Hawk, has emerged, exploiting misconfigured DNS records to hijack abandoned cloud resources. Since at least December 2023, the threat actor has been using DNS CNAME hijacking to seize control of abandoned cloud endpoints belonging to reputable organizations, including Amazon S3 buckets and Microsoft Azure endpoints. By registering new cloud resources with the same names as the abandoned ones, Hazy Hawk redirects traffic to malicious sites, incorporating these hijacked domains into large-scale scam delivery and traffic distribution systems (TDS). This allows them to distribute scams, fake applications, and malware to unsuspecting users, leveraging the trust associated with the original domains.
Infoblox researchers first detected Hazy Hawk's activities in February 2025, when the group successfully took control of subdomains belonging to the U.S. Centers for Disease Control (CDC). Further investigation revealed that global government agencies, major universities, and international corporations such as Deloitte and PricewaterhouseCoopers have also been targeted. Hazy Hawk scans for domains with CNAME records pointing to abandoned cloud endpoints, determining this through passive DNS data validation. They then register a new cloud resource with the same name, causing the original domain's subdomain to resolve to the attacker's controlled resource. The attack chains often involve cloning legitimate websites to appear trustworthy, and URL obfuscation techniques are employed to hide malicious destinations. Hazy Hawk uses hijacked domains to host malicious URLs that redirect users to scams and malware. What makes Hazy Hawk's operations particularly concerning is the use of trusted domains to serve malicious content, enabling them to bypass detection and exploit the reputation of high-profile entities. Cybersecurity experts advise organizations to diligently monitor and manage their DNS records, ensuring that CNAME records pointing to abandoned cloud resources are removed to prevent unauthorized domain hijacking. Recommended read:
References :
Sead Fadilpašić@techradar.com
//
Cryptocurrency exchange Coinbase recently admitted to a data breach affecting 69,461 of its customers. The company confirmed the news in a filing with the Office of the Maine Attorney General, stating that the breach occurred in late December 2024 but was not discovered until mid-May 2025. The incident involved a small number of individuals performing services for Coinbase at its overseas retail support locations improperly accessing customer information. This information did not include user passwords, seed phrases, or private keys that would allow direct access to accounts or funds, however, it contained a combination of sensitive data.
This exposed data included names, addresses, phone numbers, email addresses, the last four digits of Social Security numbers, masked bank account numbers, and images of government IDs like passports and driver's licenses. Additionally, the breach compromised Coinbase account data, including balance snapshots and transaction histories, and limited corporate data such as training materials and communications available to support agents. Coinbase believes that the threat actors bribed the support staff to exfiltrate the sensitive customer data. The support staff involved in facilitating the data theft have since been fired. Following the data breach, the hackers attempted to extort Coinbase for $20 million in exchange for deleting the stolen data. Coinbase refused to pay the ransom and instead offered the same amount, $20 million, as a reward for information leading to the arrest of the culprits. The company is taking measures to reimburse customers who mistakenly sent funds to the scammers as a direct result of the incident prior to the disclosure. Coinbase is also bolstering its security measures around customer support to prevent future breaches and relocating some of its customer support operations. Recommended read:
References :
|