CyberSecurity news

FlagThis - #cybersecurity

@sec.cloudapps.cisco.com //
Cisco is urging immediate action following the discovery of a critical vulnerability, CVE-2025-20309, in its Unified Communications Manager (Unified CM) and Unified Communications Manager Session Management Edition (Unified CM SME). The flaw stems from hardcoded SSH root credentials that cannot be modified or removed, potentially allowing remote attackers to gain root-level access to affected systems. This vulnerability has a maximum severity rating with a CVSS score of 10.0, indicating it can be easily exploited with devastating consequences.

Cisco's security advisory specifies that all Engineering Special (ES) releases from 15.0.1.13010-1 through 15.0.1.13017-1 are vulnerable, regardless of optional features in use. An unauthenticated remote attacker can exploit this vulnerability by utilizing the static root account credentials to establish SSH connections to vulnerable systems. Once authenticated, the attacker gains complete administrative control over the affected device, enabling the execution of arbitrary commands with root privileges.

There are no temporary workarounds to mitigate this risk. To remediate the vulnerability, administrators are advised to upgrade to version 15SU3 or apply the CSCwp27755 patch. Although Cisco discovered the flaw through internal testing and has not found evidence of active exploitation in the wild, the extreme severity necessitates immediate action to safeguard enterprise communications. The company has issued emergency fixes for the critical root credential flaw in Unified CM.

Recommended read:
References :
  • MeatMutts: Cisco Urges Immediate Action After Discovering Backdoor in Unified Communications Manager
  • infosec.exchange: : Unified Communications Manager systems could allow remote attackers to gain root-level access. The vulnerability CVE-2025-20309 with a maximum CVSS 10.0, stems from hardcoded SSH root credentials that cannot be modified or removed: 👇
  • Rescana: Critical Cisco Unified CM Vulnerability: Root Access via Static Credentials – Technical Analysis & Mitigation Strategies
  • cybersecuritynews.com: Unified Communications Manager systems could allow remote attackers to gain root-level access. The vulnerability CVE-2025-20309 with a maximum CVSS 10.0, stems from hardcoded SSH root credentials that cannot be modified or removed:
  • hackread.com: Cisco Issues Emergency Fix for Critical Root Credential Flaw in Unified CM
  • thecyberexpress.com: Cisco Issues Urgent Patch for Critical Unified CM Vulnerability (CVE-2025-20309)
  • Arctic Wolf: CVE-2025-20309: Cisco Unified Communications Manager Static SSH Credentials Maximum Severity Vulnerability
  • arcticwolf.com: CVE-2025-20309: Cisco Unified Communications Manager Static SSH Credentials Maximum Severity Vulnerability
  • sec.cloudapps.cisco.com: Security advisory from Cisco addressing the vulnerability.
  • The Register - Security: Cisco scores a perfect 10 - sadly for a critical flaw in its comms platform
  • nvd.nist.gov: Details of the Cisco vulnerability CVE-2025-20309.

@www.bleepingcomputer.com //
The Hunters International ransomware operation has announced its shutdown, stating they will release free decryption keys to their past victims. The group made the announcement on its dark web leak site, removing all previous victim data. In a statement, Hunters International acknowledged the impact their actions have had on organizations, stating the decision to close down was not made lightly. Victims are instructed to visit the ransomware gang's website to obtain the decryption keys and recovery guidance, though some sources indicate victims need to log in to a portal mentioned in the ransom note using existing credentials to obtain the decryption software.

The move to shut down has been met with skepticism from the threat intel community. Several ransomware gangs in the past have released their victims’ decryption keys, then shut down, each of them for different reasons. Some shut down only to return under a new name, perhaps in an attempt to confuse researchers and law enforcement agencies and sometimes toescape sanctions. There is speculation that Hunters International may be rebranding and transitioning to new infrastructure to avoid increased scrutiny from law enforcement. It emerged in late 2023 and was flagged by security researchers and ransomware experts as apotential rebrand of Hive, which had its infrastructure seized earlier that year.

Reports indicate that Hunters International launched a separate platform named "World Leaks" in January, advising its affiliates to switch to this new operation. At the time, the group claimed that encryption-based ransomware was no longer profitable and they would be shifting to a hack-and-extort model. However, some sources have found World Leaks victims who also had ransomware deployed on their networks. Hunters International has been linked to almost 300 attacks worldwide including India's Tata Technologies and the US Marshals Service and has earned millions in cryptocurrency.

Recommended read:
References :
  • infosec.exchange: NEW: The ransomware gang called Hunters International says it's shutting down and giving victims free decryption tools. “This decision was not made lightly, and we recognize the impact it has on the organizations we have interacted with,
  • Risky.Biz: Risky Bulletin: Hunters International ransomware shuts down and releases decryption keys
  • Risky Business Media: Risky Bulletin: Hunters International ransomware shuts down, releases decryption keys
  • techcrunch.com: Ransomware gang Hunters International says it’s shutting down
  • www.bleepingcomputer.com: Hunters International ransomware shuts down, releases free decryptors
  • Talkback Resources: Hunters International Ransomware Gang Rebrands as World Leaks
  • www.bitdefender.com: Hunters International ransomware group shuts down – but will it regroup under a new guise?
  • www.bleepingcomputer.com: Hunters International ransomware shuts down, releases free decryptors
  • techcrunch.com: NEW: The ransomware gang called Hunters International says it's shutting down and giving victims free decryption tools.
  • The Register - Security: Another news article covering Hunters International's shutdown.
  • Graham Cluley: Mastodon post discussing the Hunters International shutdown and possible rebranding.
  • slcyber.io: Blog post discussing the shutdown and potential rebranding of the Hunters International ransomware group.
  • bsky.app: Ransomware crew Hunters International shuts down, hands out keys to victims. Could law enforcement ops be having an impact on criminal confidence?
  • www.itpro.com: A prolific ransomware group says it’s shutting down and giving out free decryption keys to victims – but cyber experts warn it's not exactly a 'gesture of goodwill'
  • news.risky.biz: Risky Bulletin: Hunters International ransomware shuts down and releases decryption keys
  • securityaffairs.com: Hunters International ransomware gang shuts down and offers free decryption keys to all victims
  • WeLiveSecurity: WeLiveSecurity reports Hunters International ransomware group shuts down – but will it regroup under a new guise?

Ashish Khaitan@The Cyber Express //
Australia's national carrier, Qantas Airways, has disclosed a significant cyberattack affecting approximately six million customers. The breach occurred through unauthorized access to a third-party customer service platform used by a Qantas call center. Exposed data includes customer names, email addresses, phone numbers, birth dates, and frequent flyer numbers, however, the company reports that no financial data, passport details, passwords, or login credentials were compromised. The airline detected the unusual activity on Monday and took immediate action to bring the system back under control.

Qantas has launched an investigation into the incident, working closely with government authorities and cybersecurity experts. The airline has notified Australia’s National Cyber Security Coordinator, the Australian Cyber Security Centre, the Privacy Commissioner, and the Federal Police, reflecting the severity of the situation. Initial reports suggest the Scattered Spider group, known for targeting the aviation sector, may be linked to the attack. Qantas is also enhancing security measures by tightening access controls and improving system monitoring.

Vanessa Hudson, Qantas Group Managing Director, has sincerely apologized to customers, acknowledging the uncertainty caused by the breach. A special customer support hotline and dedicated webpage have been established to provide information and assistance to those affected. While Qantas assures that the cyberattack has not impacted flight operations or the safety of the airline, cybersecurity experts warn that the stolen customer data could potentially be used for identity theft and other fraudulent activities. This incident underscores the importance of robust cybersecurity measures and vigilance in protecting sensitive customer information, particularly within third-party platforms.

Recommended read:
References :
  • techxplore.com: Australian airline Qantas says hit by 'significant' cyberattack
  • thecyberexpress.com: Australia’s Qantas Confirms Cyberattack: 6 Million Service Records Compromised
  • www.bleepingcomputer.com: Qantas discloses cyberattack amid Scattered Spider aviation breaches
  • www.it-daily.net: Australian airline Qantas victim of cyber attack
  • securityaffairs.com: Qantas confirms customer data breach amid Scattered Spider attacks
  • Malwarebytes: Qantas: Breach affects 6 million people, “significant” amount of data likely taken
  • Cybersecurity Blog: Qantas Data Breach: Scattered Spider Takes to the Skies?
  • Rescana: Qantas Airlines API Breach: Exploited Vulnerability Exposes 6 Million Customer Records
  • Talkback Resources: The Breach Beyond the Runway: Cybercriminals Targeted Qantas Through a Trusted Partner
  • techcrunch.com: Qantas hack results in theft of 6 million passengers’ personal data
  • www.qantas.com: Qantas statement about the incident.
  • Zack Whittaker: Weekly cybersecurity newsletter featuring Qantas' data breach.

Zack Whittaker@techcrunch.com //
The FBI and cybersecurity firms are issuing warnings about the cybercrime group Scattered Spider, which has recently shifted its focus to targeting airlines and the transportation sector. According to a statement released by the FBI and reported by TechCrunch, recent cyberattacks resembling those of Scattered Spider have been observed within the airline sector. Cybersecurity experts from Google's Mandiant and Palo Alto Networks' Unit 42 have also confirmed witnessing Scattered Spider attacks targeting the aviation industry. This shift in focus comes after the group recently targeted the U.K. retail and insurance industries, and previously, tech companies.

Scattered Spider is known to employ social engineering techniques, often impersonating employees or contractors to deceive IT help desks into granting access. These techniques frequently involve bypassing multi-factor authentication (MFA), such as convincing help desk services to add unauthorized MFA devices to compromised accounts. The FBI warns that Scattered Spider targets large corporations and their third-party IT providers, meaning any organization within the airline ecosystem, including trusted vendors and contractors, could be at risk. Unit 42 has also warned that organizations should be on high alert for sophisticated and targeted social engineering attacks and suspicious MFA reset requests.

Once inside a system, Scattered Spider actors steal sensitive data for extortion and often deploy ransomware. The FBI is actively working with aviation and industry partners to address this activity and assist victims. The agency emphasizes the importance of early reporting, as it allows the FBI to engage promptly, share intelligence across the industry, and prevent further compromise. The recent attacks on the airline sector follow reported intrusions at Hawaiian Airlines and WestJet, with media reports linking the WestJet incident to Scattered Spider. The FBI recommends quickly reporting incidents to allow them to act fast, share intelligence, and limit damage.

Recommended read:
References :
  • Zack Whittaker: Mandiant and Unit 42 say Scattered Spider attacks now targeting airlines and the transportation industry, the latest sector after recently hitting U.K. retail, insurance, and before that, tech companies.
  • securityaffairs.com: The FBI warns that Scattered Spider is now targeting the airline sector.
  • techcrunch.com: FBI, cybersecurity firms say a prolific hacking crew is now targeting airlines and the transportation sector
  • Zack Whittaker: New: Mandiant and Unit 42 say Scattered Spider attacks now targeting airlines and the transportation industry, the latest sector after recently hitting U.K. retail, insurance, and before that, tech companies.
  • techcrunch.com: Prolific cybercrime gang now targeting airlines and the transportation sector
  • cyberscoop.com: Hawaiian Airlines announced a cybersecurity incident Friday as security experts warned of a sector-wide threat.
  • thehackernews.com: The U.S. Federal Bureau of Investigation (FBI) has revealed that it has observed the notorious cybercrime group Scattered Spider broadening its targeting footprint to strike the airline sector.
  • Threats | CyberScoop: Scattered Spider strikes again? Aviation industry appears to be next target for criminal group
  • Risky.Biz: Risky Bulletin: Scattered Spider goes after aviation sector
  • Risky Business Media: Risky Bulletin: Scattered Spider targets the aviation sector
  • Metacurity: Airlines, transportation sector are Scattered Spider's latest targets
  • www.itpro.com: The Scattered Spider hacker group has a new industry in its crosshairs

@www.dhs.gov //
Following U.S. airstrikes on Iranian nuclear sites on June 21, 2025, a wave of cyberattacks has been launched against U.S. organizations by Iran-aligned hacktivist groups. Cyble threat intelligence researchers reported that in the first 24 hours after the strikes, 15 U.S. organizations and 19 websites were targeted with DDoS attacks. Groups such as Mr Hamza, Team 313, Keymous+, and Cyber Jihad have claimed responsibility, targeting U.S. Air Force websites, aerospace and defense companies, and financial services organizations.

The attacks have been framed as retaliation for U.S. involvement in the ongoing Israel-Iran conflict, with the groups using the hashtag #Op_Usa to deface websites and leak credentials. The U.S. Department of Homeland Security (DHS) issued a bulletin on June 22, 2025, warning of likely low-level cyber attacks against U.S. networks by pro-Iranian hacktivists, noting that cyber actors affiliated with the Iranian government may also conduct attacks. This warning highlights the escalating cyber warfare activity between the two nations.

In a notable incident, Donald Trump's social media platform, Truth Social, was paralyzed by a DDoS attack just hours after the U.S. airstrikes. The hacker group “313 Team” claimed responsibility, stating the attack was in response to President Trump's announcement of the successful strikes on Iranian nuclear sites. The DHS emphasizes that this cyber activity reflects an increasing shift of geopolitical tensions into the digital space, further intensifying the cyber security concerns.

Recommended read:
References :
  • thehackernews.com: The United States government has warned of cyber attacks mounted by pro-Iranian groups after it launched airstrikes on Iranian nuclear sites as part of the Iran–Israel war that commenced on June 13, 2025.
  • www.cybersecuritydive.com: Federal officials are warning that pro-Iran hacktivists or state-linked actors may target poorly secured U.S. networks.
  • www.scworld.com: Feds tell companies to prepare for cyberattacks on U.S. systems.
  • Cyber Florida at USF: CIP Flash Bulletin | Heightened Iranian Cyber Threat Activity
  • cyble.com: The U.S. has become a target in the hacktivist attacks that have embroiled several Middle Eastern countries since the start of the Israel-Iran conflict.
  • thecyberexpress.com: Iran-aligned hacktivists launched DDoS attacks against 15 U.S. organizations and 19 websites in the first 24 hours after the U.S. bombed Iranian nuclear targets on June 21, Cyble threat intelligence researchers reported today.
  • www.dhs.gov: U.S. entry into the conflict has drawn retaliation from hacktivist groups, with attack claims ranging from credible to questionable. In the wake of the U.S. involvement, the Department of Homeland Security (DHS) on June 22 that “Low-level cyber attacks against US networks by pro-Iranian hacktivists are likely, and affiliated with the Iranian government may conduct attacks against US networks.
  • www.esecurityplanet.com: US Warns of Iranian Cyber Threats as Tensions Rise Over Middle East Conflict
  • www.cybersecuritydive.com: DHS Warns of Heightened Cyber Threat as US Enters Iran Conflict
  • techcrunch.com: Homeland Security warns of Iran-backed cyberattacks targeting US networks

Field Effect@Blog //
References: Blog , securityaffairs.com
Multiple security vulnerabilities are being actively exploited across various systems, posing significant risks to organizations and individuals. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a Linux Kernel vulnerability to its Known Exploited Vulnerabilities catalog, emphasizing the urgency of addressing this flaw. Furthermore, researchers have uncovered a vulnerability chain affecting a wide range of Linux distributions that could allow an unprivileged user to gain full root access. These vulnerabilities, CVE-2025-6018 and CVE-2025-6019, reside in the Pluggable Authentication Modules (PAM) configuration and libblockdev, respectively.

Proof-of-concept (POC) code has been published for the Linux vulnerability chain, raising the potential for widespread exploitation. The libblockdev flaw is exploitable through the udisks daemon, a tool commonly deployed in Linux distributions such as Ubuntu, Debian, Fedora, openSUSE, Arch Linux, and Red Hat Enterprise Linux (RHEL). In addition to Linux vulnerabilities, there is also an increase in infostealer malware such as Lumma Stealer with new rules being added to detect associated command and control (CnC) domains. This highlights the diverse and evolving nature of cyber threats.

The constant discovery and exploitation of vulnerabilities underscore the critical importance of timely patching and robust security awareness. Organizations are advised to prioritize patching the Linux Kernel flaw added to CISA's Known Exploited Vulnerabilities catalog, as well as the vulnerability chain affecting multiple Linux distributions. In addition to addressing Linux flaws, organizations need to also protect themselves from a range of malware, including the Lumma Stealer. The Cybersecurity community continues to identify and address many more vulnerabilities in a range of products including Apple products, TP-Link routers and Zyxel products. Regular security audits and proactive threat hunting are also essential for mitigating risks and maintaining a strong security posture.

Recommended read:
References :
  • Blog: Researchers published proof-of-concept (POC) code for an attack chaining two local privilege escalation (LPE) vulnerabilities affecting a wide range of Linux distributions.
  • securityaffairs.com: U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Linux Kernel vulnerability to its Known Exploited Vulnerabilities catalog.

@cyberscoop.com //
Aflac Incorporated, the insurance giant, has confirmed a cybersecurity incident that occurred on June 12, 2025. The company detected suspicious activity on its US network and promptly initiated its cyber incident response protocols, successfully stopping the intrusion within hours. According to Aflac's official disclosure, their systems were not affected by ransomware, ensuring business operations such as underwriting, claims processing, and customer support remain uninterrupted. However, Aflac warns that sensitive customer information may have been exposed during the breach.

Preliminary findings indicate that the unauthorized party used sophisticated social engineering tactics to gain access to Aflac's network. This method often involves tricking individuals into revealing sensitive information or granting access. Aflac has engaged leading third-party cybersecurity experts to assist with the ongoing investigation. CNN, citing sources familiar with the investigation, reported that this incident, along with others recently affecting the insurance sector, is consistent with the techniques of a cybercrime group known as “Scattered Spider.” Aflac acknowledged the broader context of the attack, stating, "This attack, like many insurance companies are currently experiencing, was caused by a sophisticated cybercrime group."

The review of potentially impacted files is still in its early stages, and Aflac has not yet determined the total number of individuals affected. However, the company has indicated that the compromised files may contain sensitive information. The Aflac breach is the latest cyberattack against the insurance industry.

Recommended read:
References :

Dissent@DataBreaches.Net //
A massive collection of 16 billion login credentials has been discovered, representing one of the largest data thefts in history. Cybernews reports that the exposed data likely originates from various infostealers, malicious software designed to gather sensitive information from infected devices. Researchers have uncovered 30 exposed data sets containing millions to over 3.5 billion records each, totaling the astounding 16 billion credentials. These datasets include logins for major platforms like Apple, Google, Facebook, and Telegram, raising significant concerns about widespread account compromise.

Researchers noted that these datasets were not simply recycled from old data leaks but represent new, potentially "weaponized" information. The exposed data contains a mix of details from stealer malware, credential stuffing sets, and repackaged leaks. While it was not possible to compare data between the different sets effectively, the sheer volume and the platforms targeted highlight the severity of the situation. The data sets were only exposed for a short period and it remains unknown who controlled the large amount of data.

The exposure of these 16 billion credentials poses a significant risk of account takeovers, identity theft, and targeted phishing attacks. Cybercriminals now have access to an unprecedented volume of personal data. Users are advised to take immediate action to protect their accounts, including enabling multi-factor authentication and using strong, unique passwords for all online services. News sources indicate that this is not a new data breach but is rather a compilation of previously leaked credentials.

Recommended read:
References :
  • www.bleepingcomputer.com: No, the 16 billion credentials leak is not a new data breach.
  • www.it-daily.net: 16 billion login details: the data theft that nobody knew about
  • Malwarebytes: Billions of logins for Apple, Google, Facebook, Telegram, and more found exposed online
  • Kaspersky official blog: The world's biggest data breach: what should folks do? | Kaspersky official blog
  • aboutdfir.com: No, the 16 billion credentials leak is not a new data breach  News broke today of a “mother of all breaches,†sparking wide media coverage filled with warnings and fear-mongering.
  • bsky.app: No, the 16 billion credentials leak is not a new data breach. Thanks @lawrenceabrams.bsky.social for being a knowledgeable and calm voice amidst the yelling about this 'breach'.
  • flare.io: This week, Forbes published research from a CyberNews article, which detailed the leakage of 16B credentials. We want to emphasize an important piece of this viral story: “30 exposed datasets containing from tens of millions to over 3.5 billion records each,†have been discovered.
  • techxplore.com: Researchers at cybersecurity outlet Cybernews say that billions of login credentials have been leaked and compiled into datasets online, giving criminals "unprecedented access" to accounts consumers use each day.
  • Billy Bambrough: A massive 16 billion password hack has sparked calls for an urgent upgrade...
  • aboutdfir.com: No, the 16 billion credentials leak is not a new data breach  News broke today of a “mother of all breaches,†sparking wide media coverage filled with warnings and fear-mongering. However, it appears to be a compilation of previously leaked credentials stolen by infostealers, exposed in data breaches, and via credential stuffing attacks. To be clear, this
  • flare.io: This week, Forbes published research from a CyberNews article, which detailed the leakage of 16B credentials. We want to emphasize an important piece of this viral story: “30 exposed datasets containing from tens of millions to over 3.5 billion records each,†have been discovered.
  • DataBreaches.Net: DataBreaches.net article on the 16 billion credentials leak
  • Metacurity: Report of 16 billion credentials breach debunked
  • www.cysecurity.news: Massive Data Leak Exposes 16 Billion Login Records from Major Online Services

@blog.talosintelligence.com //
North Korean-aligned threat actor Famous Chollima, also known as Wagemole, is actively targeting cryptocurrency and blockchain professionals, primarily in India, using a newly discovered Python-based Remote Access Trojan (RAT) named PylangGhost. This RAT, identified by Cisco Talos in May 2025, serves as a Python-equivalent to their existing GolangGhost RAT, which was previously deployed against MacOS users. The threat actor seeks financial gain by creating fake employers for the purpose of jobseekers exposing their personal information, and second by deploying fake employees as workers in targeted victim companies.

This campaign involves a sophisticated operation where attackers impersonate recruiters from well-known tech firms like Coinbase, Robinhood, Uniswap, and Archblock. Victims are lured through fake job advertisements and skill-testing pages, directed to submit personal and professional information, grant camera access, and copy/execute a malicious shell command under the guise of installing video drivers. Instructions for downloading the alleged fix are different based on the browser fingerprinting, and also given in appropriate shell language for the OS, including PowerShell for Windows and Bash for MacOS.

PylangGhost is a multi-stage Python malware framework disguised in a ZIP archive downloaded via the shell command. Upon execution, a Visual Basic Script extracts and launches the malware. The framework consists of modular components that enable credential and cookie theft from over 80 browser extensions, file operations (upload, download), remote shell access, and system reconnaissance. The attackers are primarily targeting individuals with experience in cryptocurrency and blockchain technologies, utilizing skill-testing sites that impersonate legitimate companies to further their deception.

Recommended read:
References :
  • blog.talosintelligence.com: Talos Intelligence blog post about the Python version of GolangGhost RAT.
  • Cisco Talos: Talos Security's post on Mastodon about Famous Chollima targeting cryptocurrency/blockchain professionals with the new PylangGhost RAT.
  • Cisco Talos Blog: Famous Chollima deploying Python version of GolangGhost RAT
  • hackread.com: N. Korean Hackers Use PylangGhost Malware in Fake Crypto Job Scam
  • securityonline.info: PylangGhost: North Korean APT Deploys Python-Based RAT to Target Crypto Professionals
  • securityonline.info: PylangGhost: North Korean APT Deploys Python-Based RAT to Target Crypto Professionals
  • Virus Bulletin: Cisco Talos recently identified PylangGhost, a Python-based version of the GolangGhost RAT used exclusively by Famous Chollima, a North Korea-aligned threat actor.
  • Virus Bulletin: This article reports on various APT groups and their activities, including the use of PylangGhost by Famous Chollima.

@www.trendmicro.com //
Trend Micro has identified a new threat actor known as Water Curse, which is actively exploiting GitHub repositories to distribute multistage malware. This campaign poses a significant supply chain risk, especially to cybersecurity professionals, game developers, and DevOps teams who rely on open-source tooling. Researchers have already identified at least 76 GitHub accounts that are related to this campaign, highlighting the scale of the operation. The attackers embed malicious payloads within build scripts and project files, effectively weaponizing trusted open-source resources.

The Water Curse campaign utilizes a sophisticated infection chain. Project files contain malicious batch file code within the `` tag, which is triggered during the code compilation process. This malicious batch file code leads to the execution of a VBS file. Upon execution, obfuscated scripts written in Visual Basic Script (VBS) and PowerShell initiate complex multistage infection chains. These scripts download encrypted archives, extract Electron-based applications, and perform extensive system reconnaissance. The malware is designed to exfiltrate data, including credentials, browser data, and session tokens, and establishes remote access and long-term persistence on infected systems.

To defend against these attacks, organizations are advised to audit open-source tools used by red teams, DevOps, and developer environments, especially those sourced from GitHub. It's crucial to validate build files, scripts, and repository histories before use. Security teams should also monitor for unusual process executions originating from MSBuild.exe. Trend Micro's Vision One™ detects and blocks the indicators of compromise (IOCs) associated with this campaign, providing an additional layer of defense.

Recommended read:
References :
  • Know Your Adversary: Trend Micro has a new threat actor dubbed  Water Curse . The adversary uses weaponized GitHub repositories to deliver multistage malware.
  • www.trendmicro.com: Trend Micro has a new threat actor dubbed  Water Curse . The adversary uses weaponized GitHub repositories to deliver multistage malware.
  • cyberpress.org: 76 GitHub Accounts Compromised by Water Curse Hacker Group to Distribute Multistage Malware
  • Know Your Adversary: Trend Micro has a new threat actor dubbed  Water Curse . The adversary uses weaponized GitHub repositories to deliver multistage malware.
  • The Hacker News: The Hacker News report about Water Curse employs 76 GitHub accounts to deliver Multi-Stage Malware Campaign.
  • Blog (Main): Threat actor Banana Squad exploits GitHub repos in new campaign
  • www.sentinelone.com: Pentagon modernize defense via AI, Water Curse spreads malware through GitHub repos, and TaxOff uses Chrome zero-day to deploy backdoor.

@www.healthcarefinancenews.com //
Ransomware groups are continually evolving their tactics, posing an increasing threat to organizations worldwide. Recent reports highlight the exploitation of vulnerabilities in software and the use of sophisticated techniques, such as abusing legitimate employee monitoring software, to breach systems. A Symantec report revealed the discovery of Fog Ransomware, showcasing the attackers' innovative use of tools, including a legitimate security solution (Syteca) capable of recording on-screen activity and monitoring keystrokes, which they deployed using PsExec and SMBExec.

The Cybersecurity and Infrastructure Security Agency (CISA) issued Advisory AA25‑163A, warning of ransomware actors exploiting CVE-2024-57727 in unpatched SimpleHelp Remote Monitoring and Management (RMM) software, specifically versions 5.5.7 and earlier. This vulnerability allowed attackers to compromise a utility billing software provider and initiate double-extortion attacks. The attacks targeting unpatched SimpleHelp deployments have been observed since January 2025, indicating a sustained and targeted effort to exploit this vulnerability.

In addition to software vulnerabilities, data breaches are also occurring through direct hacks. Zoomcar, an Indian car-sharing company, recently acknowledged a data breach affecting 8.4 million users, where hackers accessed customer names, phone numbers, car registration numbers, personal addresses, and emails. While sensitive information like passwords and financial details were reportedly not exposed, the breach raises concerns about the security of personal data stored by such platforms. Furthermore, the DragonForce group has started posting new victims to their darknet site, publicly extorting two new organizations, highlighting the continued use of double extortion tactics by ransomware groups.

Recommended read:
References :
  • cyble.com: The greatest number of ransomware attacks were directed towards the professional services and construction sectors.
  • cybersecurityventures.com: Ransomware: File Data Is Harder to Manage and Defend
  • : The attack resulted in a significant data breach at Caesars Entertainment.

rulesbot@community.emergingthreats.net //
Emerging Threats has released a significant ruleset update, v10950, aimed at bolstering network security and threat detection. The update includes 73 new open rules and 136 new pro rules, totaling 209 enhancements to the existing security framework. These rules are designed to address a wide spectrum of threats, ranging from general malware to web application-specific vulnerabilities and hunting activities, enabling organizations to strengthen their defenses against an evolving threat landscape. The release date for this update is June 13, 2025.

Among the key targets of this update is the Predator spyware, which remains a persistent threat despite US sanctions. The ruleset includes specific signatures to detect DNS queries associated with Predator spyware domains, such as gilfonts .com, zipzone .io, and numerous others. This highlights the ongoing efforts to identify and neutralize the infrastructure used by Intellexa, the maker of Predator, even as they attempt to evade detection through new servers and domains. This focus underscores the importance of continuous monitoring and adaptation in the face of sophisticated surveillance tools.

In addition to addressing the Predator spyware, the ruleset update also tackles a critical vulnerability in Fortinet Admin APIs, specifically a Stack-based Buffer Overflow in the AuthHash Cookie, identified as CVE-2025-32756. This rule aims to protect against potential exploits targeting this weakness in Fortinet systems. Furthermore, the update incorporates rules for hunting SQL Database Version Discovery, enhancing the ability to proactively identify and address potential vulnerabilities within network environments. This comprehensive approach ensures a multi-layered defense against various attack vectors.

Recommended read:
References :

@www.helpnetsecurity.com //
References: Help Net Security , Tenable Blog , AppOmni ...
The National Institute of Standards and Technology (NIST) has released a new guide, SP 1800-35, titled "Implementing a Zero Trust Architecture," aimed at providing practical assistance in building zero trust architectures (ZTA). This guidance includes 19 example setups that utilize commercially available, off-the-shelf tools. The initiative is a result of work conducted by NIST’s National Cybersecurity Center of Excellence (NCCoE).

Over the course of four years, NIST collaborated with 24 industry partners, including major tech companies, to build, install, test, and document the 19 ZTA models. These models illustrate various real-world scenarios such as hybrid cloud setups, branch offices, and even public Wi-Fi use in coffee shops. Each model provides technical details on deployment, sample configurations, integration steps, test results, and best practices derived from real-world experiences. The guide also maps these setups onto NIST's broader cybersecurity framework (CSF), SP 800-53 controls, and critical software measures.

The rise in popularity of zero trust architectures comes as traditional on-prem security perimeters weaken due to the increasing adoption of cloud services, mobile devices, remote employees, and IoT devices. The new NIST guidance builds on its earlier zero trust framework, SP 800-207, by providing more hands-on implementation advice. According to Brian Soby, CTO at AppOmni, one of the main challenges in real-world zero trust implementations is the existence of multiple policy decision and policy enforcement points, which are often left out of many zero trust plans, potentially leaving doors open for attackers. This new guidance recognizes the reality of multiple PDP/PEPs and operationalizes the concept of Policy Information Points, enhancing decision-making within the architecture by adapting to changing context and user behaviors.

Recommended read:
References :
  • Help Net Security: 19 ways to build zero trust: NIST offers practical implementation guide
  • Tenable Blog: Cybersecurity Snapshot: NIST Offers Zero Trust Implementation Advice, While OpenAI Shares ChatGPT Misuse Incidents
  • cyberpress.org: New NIST Guide Outlines 19 Approaches to Zero Trust Architecture
  • AppOmni: 19 ways to build zero trust: NIST offers practical implementation guide
  • www.helpnetsecurity.com: 19 ways to build zero trust: NIST offers practical implementation guide

@research.checkpoint.com //
A critical vulnerability in Discord's invitation system has been identified, enabling malicious actors to hijack expired or deleted invite links and redirect unsuspecting users to harmful servers. Check Point Research (CPR) uncovered this flaw, revealing that attackers are exploiting a Discord feature that allows the reuse of expired or deleted invite links. By registering vanity links, attackers can silently redirect users from trusted sources, such as community forums and social media posts, to malicious servers designed to deliver malware.

CPR's research details real-world attacks leveraging hijacked links to deploy sophisticated phishing schemes and malware campaigns. These campaigns often involve multi-stage infections that evade detection by antivirus tools and sandbox checks. The attack tricks users with a fake verification bot and phishing site that look like legitimate Discord servers, leading victims to unknowingly run harmful commands that download malware on their computer. The malware spreads quietly in multiple steps using popular, trusted services like GitHub and Pastebin to hide its activity and avoid detection.

The attackers are primarily targeting cryptocurrency users, with the goal of stealing credentials and wallet information for financial gain. Over 1,300 downloads have been tracked across multiple countries, including the U.S., Vietnam, France, Germany, and the UK, demonstrating the global scale of the campaign. The delivered malware includes remote access trojans (RATs) like AsyncRAT and information-stealing malware like Skuld Stealer, posing a significant threat to users' security and privacy.

Recommended read:
References :
  • blog.checkpoint.com: Attackers took advantage of a Discord feature that lets expired or deleted invite links be reused, allowing them to hijack trusted community links and redirect users to harmful servers.
  • cyberinsider.com: Expired Discord Invites Hijacked for Stealthy Malware Attacks
  • Virus Bulletin: Check Point Research uncovered an active malware campaign exploiting expired & released Discord invite links.
  • bsky.app: Hackers are hijacking  expired or deleted Discord invite links to redirect users to malicious sites that deliver remote access trojans and information-stealing malware.
  • research.checkpoint.com: From Trust to Threat: Hijacked Discord Invites Used for Multi-Stage Malware Delivery
  • The Hacker News: Discord Invite Link Hijacking Delivers AsyncRAT and Skuld Stealer Targeting Crypto Wallets
  • The DefendOps Diaries: Discord Flaw Exploitation: A Detailed Analysis of Reused Expired Invites in Malware Campaigns
  • CyberInsider: Expired Discord Invites Hijacked for Stealthy Malware Attacks
  • BleepingComputer: Discord flaw lets hackers reuse expired invites in malware campaign
  • Check Point Research: From Trust to Threat: Hijacked Discord Invites Used for Multi-Stage Malware Delivery

Pierluigi Paganini@securityaffairs.com //
Apple has released details about a zero-day vulnerability, CVE-2025-43200, that was exploited by Paragon's Graphite spyware to hack at least two journalists' iPhones in Europe. The vulnerability was a zero-click flaw in iMessage, allowing attackers to compromise devices without any user interaction. Apple had quietly patched the flaw in iOS 18.3.1, which was released on February 10, but the details of the vulnerability were not publicized until recently.

The security advisory was updated four months after the initial iOS release to include the zero-day flaw, described as a logic issue when processing a maliciously crafted photo or video shared via an iCloud Link. Apple stated that they were aware of a report that this issue was exploited in an "extremely sophisticated attack against specific targeted individuals." Citizen Lab confirmed that this was the flaw used against Italian journalist Ciro Pellegrino and an unnamed "prominent" European journalist.

Citizen Lab also confirmed that Paragon's Graphite spyware was used to hack the journalists' iPhones. This incident is part of a growing trend of mercenary spyware operators exploiting iOS through silent attack chains. The now-confirmed infections call into question a report by Italian lawmakers, which didn't mention one of the hacked journalists. It remains unclear why Apple did not disclose the existence of the patched flaw until four months after the release of the iOS update, and an Apple spokesperson did not respond to a request for comment seeking clarity.

Recommended read:
References :
  • infosec.exchange: NEW: Four months after releasing iOS 18.3.1, Apple has published details about a zero-day that it fixed at the time, but did not publicize.
  • Zack Whittaker: Citizen Lab have confirmed two journalists had their phones hacked with Paragon's Graphite spyware, likely by the same customer.
  • securityaffairs.com: Security researchers at Citizen Lab revealed that Paragon’s Graphite spyware can hack fully updated iPhones via zero-click attacks.
  • techcrunch.com: Apple fixes new iPhone zero-day bug used in Paragon spyware hacks
  • The Citizen Lab: Graphite Caught: First Forensic Confirmation of Paragon’s iOS Mercenary Spyware Finds Journalists Targeted - The Citizen Lab
  • infosec.exchange: Researchers found forensic evidence of Paragon's spyware on the iPhones of two journalists. One is Ciro Pellegrino, who works for Fanpage.
  • Zack Whittaker: NEW: Apple has confirmed in a now-updated February security advisory that it fixed a zero-day bug used in an "extremely sophisticated attack."
  • cyberinsider.com: New Zero-Click iMessage Exploit Infected iPhones with Paragon Spyware
  • securityaffairs.com: Apple confirmed that Messages app flaw was actively exploited in the wild
  • The Hacker News: Apple Zero-Click Flaw in Messages Exploited to Spy on Journalists Using Paragon Spyware
  • Help Net Security: iOS zero-click attacks used to deliver Graphite spyware (CVE-2025-43200)
  • Risky.Biz: Risky Bulletin: Predator spyware alive despite US sanctions
  • Threats | CyberScoop: Predator spyware activity surfaces in new places with new tricks
  • Risky Business Media: Predator spyware alive despite US sanctions
  • www.scworld.com: New Predator spyware activity identified
  • cyberscoop.com: The spyware’s developer, Intellexa, has been under pressure due to sanctions and public disclosure, but Recorded Future uncovered fresh activity.
  • thecyberexpress.com: Apple Patches Flaw Exploited in Zero-click Paragon Spyware Attacks
  • www.metacurity.com: Customers keep buying Predator spyware despite US sanctions
  • Schneier on Security: Paragon Spyware Used to Spy on European Journalists
  • citizenlab.ca: First forensic confirmation of Paragon's iOS mercenary spyware finds journalists targeted
  • thecyberexpress.com: Apple Patches Flaw Exploited in Zero-click Paragon Spyware Attacks

info@thehackernews.com (The@The Hacker News //
The Rare Werewolf APT group, also known as Librarian Ghouls and Rezet, has been actively targeting Russian enterprises and engineering schools since at least 2019, with activity continuing through May 2025. This advanced persistent threat group distinguishes itself by primarily utilizing legitimate third-party software instead of developing its own malicious tools. The attacks are characterized by the use of command files and PowerShell scripts to establish remote access to compromised systems, steal credentials, and deploy the XMRig cryptocurrency miner. The campaign has impacted hundreds of Russian users, with additional infections reported in Belarus and Kazakhstan.

The group's initial infection vector typically involves targeted phishing emails containing password-protected archives with executable files disguised as official documents or payment orders. Once the victim opens the attachment, the attackers deploy a legitimate tool called 4t Tray Minimizer to obscure their presence on the compromised system. They also use tools like Defender Control to disable antivirus software and Blat, a legitimate utility, to send stolen data via SMTP. The attackers actively refine their tactics and a new wave of attacks emerged immediately after a slight decline in December 2024.

A key aspect of the Rare Werewolf APT's strategy involves the use of a Windows batch script that launches a PowerShell script, scheduling the victim system to wake up at 1 AM local time and providing a four-hour window for remote access via AnyDesk. The machine is then shut down at 5 AM through a scheduled task, minimizing the chance of detection. The attackers also collect information about available CPU cores and GPUs to optimally configure the crypto miner. Besides cryptomining, the group has also been known to steal sensitive documents, passwords, and compromise Telegram accounts.

Recommended read:
References :
  • The Hacker News: Research focusing on the group's methods, including its use of legitimate software.
  • therecord.media: Report of the malicious campaign targeting Russian enterprises.

info@thehackernews.com (The@The Hacker News //
ConnectWise is initiating a rotation of its ScreenConnect code signing certificates following security concerns identified by a third-party researcher. The issue revolves around how ScreenConnect handled specific configuration data in earlier versions, where configuration data was stored in an unsigned area of the installer. While this area is intended for customization, its coupling with remote control capabilities created a potentially insecure design pattern according to current security standards. The company emphasizes that this action is unrelated to the recent nation-state attacks affecting some of its customers.

ConnectWise is implementing an update to enhance the management of configuration data within ScreenConnect. The company said it's doing so "due to concerns raised by a third-party researcher about how ScreenConnect handled certain configuration data in earlier versions." The rotation of digital certificates is set to take place by June 13 at 8 p.m. ET. ConnectWise is already updating certificates and agents across its cloud instances of Automate and RMM.

Users of on-premise versions of ScreenConnect or Automate are required to update to the latest build and validate all agents before the June 13th deadline to avoid potential service disruptions. ConnectWise acknowledges the challenges this may pose and has committed to supporting users through the transition. Connectwise customers who use the company’s ScreenConnect, Automate, and ConnectWise RMM solutions are urged to update all agents and/or validate that the update has been deployed by Friday, June 13 at 8:00 p.m. ET, or risk disruptions.

Recommended read:
References :