CyberSecurity news
FlagThis - #cyberthreat
|
@The GreyNoise Blog
//
Cybersecurity researchers have issued a warning about a significant surge in suspicious login scanning activity targeting Palo Alto Networks PAN-OS GlobalProtect gateways. Nearly 24,000 unique IP addresses have been observed attempting to access these portals, raising concerns among experts. The activity is suspected to be a coordinated effort aimed at identifying exposed or vulnerable systems, potentially as a precursor to targeted exploitation. GreyNoise, a threat intelligence firm, has indicated that this pattern suggests a systematic probing of network defenses.
The surge reportedly began on March 17, 2025, with the number of unique IP addresses involved peaking at nearly 20,000 per day before tapering off around March 26. Of the total IPs involved, a smaller subset of 154 have been flagged as malicious. The United States and Canada have been identified as the primary sources of the traffic, while systems in the United States, the United Kingdom, Ireland, Russia, and Singapore are the main targets. Organizations using Palo Alto Networks products are urged to take immediate steps to secure their login portals. Recommended read:
References :
SC Staff@scmagazine.com
//
North Korean state-sponsored hackers have been identified as the perpetrators behind cryptocurrency heists totaling over $659 million in 2024. A joint statement from the United States, Japan, and South Korea warns the blockchain industry about these escalating cyber threats, which target not only exchanges and custodians but also individuals. The attacks have used increasingly sophisticated methods, including fake job postings to infiltrate companies, allowing threat actors to deploy malware and conduct social engineering attacks, with the Lazarus Group being identified as a key player in these operations.
The cyberattacks resulted in major losses for various cryptocurrency exchanges and platforms, including $308 million from DMM Bitcoin, $50 million each from Upbit and Radiant Capital, and $16.13 million from Rain Management. Additionally, the joint statement confirmed North Korea was responsible for a $235 million attack on WazirX, an Indian cryptocurrency exchange, in July 2024. These operations are believed to be aimed at funding North Korea's weapons programs, highlighting the international financial impact of the nation's cyber activities. Recommended read:
References :
@www.bleepingcomputer.com
//
A sophisticated cyberattack has successfully targeted low-skilled hackers, often referred to as "script kiddies," by using a modified version of the XWorm RAT builder. This fake builder, disguised as a tool for penetration testing, secretly infects the user's systems with a backdoor. This allowed the attacker to compromise over 18,000 devices worldwide. The malware was distributed via various channels including file-sharing services, Github repositories, Telegram channels, and even Youtube. Once installed, the malicious software exfiltrated sensitive data such as browser credentials, Discord tokens, Telegram data, and system information.
The campaign highlights the risks faced even by those attempting to engage in hacking activities. Threat actors, using aliases such as “@shinyenigma” and “@milleniumrat", have taken advantage of the eagerness of these individuals to download and utilize tools from online tutorials. The infected machines are located in Russia, the United States, India, Ukraine, and Turkey. The malicious tool utilizes Telegram for its command and control, using bot tokens and Telegram API calls. Security researchers have identified a kill switch to disrupt operations on active devices, though this is limited by offline machines and rate limiting mechanisms. Recommended read:
References :
@securityonline.info
//
References:
Cybernews
, securityonline.info
,
The United States, Japan, and South Korea have jointly issued a warning to the blockchain industry regarding escalating cyber threats from state-sponsored North Korean hackers. These attacks are not limited to the three nations but extend to the broader international community, with a specific focus on stealing cryptocurrencies from exchanges, custodians, and individual users. The hackers' activities, attributed to groups such as the Lazarus Group, are aimed at generating illicit revenue for the North Korean government's weapons programs.
The scale of these cyber heists is significant, with over $650 million stolen in 2024 alone. Major losses include $308 million from DMM Bitcoin, $50 million from Upbit, and $16.1 million from Rain Management. Furthermore, attacks in 2023 on WazirX ($235 million) and Radiant Capital ($50 million) have also been linked to North Korean cyber actors. The tactics used are becoming increasingly advanced, involving social engineering attacks that deploy malware such as TraderTraitor and AppleJeus. This joint statement underscores the need for enhanced cybersecurity measures and international cooperation to prevent further financial losses. Recommended read:
References :
@www.recordedfuture.com
//
The Chinese state-sponsored cyber espionage group known as RedDelta, also referred to as Mustang Panda, has been actively targeting several countries in Asia and beyond since July 2023. Their operations have primarily focused on Mongolia, Taiwan, and Southeast Asia, but have also extended to Japan, the United States, Ethiopia, Brazil, Australia and India. RedDelta employs sophisticated spearphishing techniques, using lure documents themed around political and cultural events, such as the 2024 Taiwanese presidential candidate Terry Gou, the Vietnamese National Holiday, flood protection in Mongolia and meeting invitations. The group has been observed distributing its customized PlugX backdoor through adapted infection chains, targeting government and diplomatic organizations.
RedDelta has evolved its attack methods over time, initially using Windows Shortcut (LNK) files, transitioning to Microsoft Management Console Snap-In Control (MSC) files in 2024, and most recently using HTML files hosted on Microsoft Azure. Since July 2023 they consistently used the Cloudflare content distribution network (CDN) to proxy command-and-control (C2) traffic in order to blend in with legitimate network activity, making victim identification more difficult. The group’s activities, which have included successful compromises of the Mongolian Ministry of Defense and the Communist Party of Vietnam, align with the Chinese governments strategic priorities in Asia. Recommended read:
References :
Pierluigi Paganini@Security Affairs
//
References:
securityaffairs.com
, The420.in
,
The LockBit ransomware group has targeted newly appointed FBI Director Kash Patel with an alleged "birthday gift" consisting of leaked classified documents. LockBitSupp, the group's alleged leader, posted a message on February 25, 2025, mocking Patel and claiming the group possesses sensitive data that could "destroy" the FBI. This incident raises serious cybersecurity concerns about potential data breaches targeting high-profile individuals and agencies.
The post, found on LockBit's dark leak blog, describes an "archive of classified information" containing over 250 folders of materials dating back to May 29, 2024. This stolen data is presented as a "guide, roadmap, and some friendly advice" to the new FBI Director. The ransomware cartel's actions represent a bold threat, highlighting the increasing sophistication and audacity of cybercriminals targeting government entities and their leadership. Recommended read:
References :
|