CyberSecurity news

FlagThis - #cyberthreat

@The GreyNoise Blog //
Cybersecurity researchers have issued a warning about a significant surge in suspicious login scanning activity targeting Palo Alto Networks PAN-OS GlobalProtect gateways. Nearly 24,000 unique IP addresses have been observed attempting to access these portals, raising concerns among experts. The activity is suspected to be a coordinated effort aimed at identifying exposed or vulnerable systems, potentially as a precursor to targeted exploitation. GreyNoise, a threat intelligence firm, has indicated that this pattern suggests a systematic probing of network defenses.

The surge reportedly began on March 17, 2025, with the number of unique IP addresses involved peaking at nearly 20,000 per day before tapering off around March 26. Of the total IPs involved, a smaller subset of 154 have been flagged as malicious. The United States and Canada have been identified as the primary sources of the traffic, while systems in the United States, the United Kingdom, Ireland, Russia, and Singapore are the main targets. Organizations using Palo Alto Networks products are urged to take immediate steps to secure their login portals.

Recommended read:
References :
  • The Hacker News: Nearly 24,000 IPs Target PAN-OS GlobalProtect in Coordinated Login Scan Campaign
  • BleepingComputer: Nearly 24,000 IPs behind wave of Palo Alto Global Protect scans
  • The GreyNoise Blog: Surge in Palo Alto Networks Scanner Activity Indicates Possible Upcoming Threats
  • securityaffairs.com: Spike in Palo Alto Networks scanner activity suggests imminent cyber threats
  • Help Net Security: Attackers are probing Palo Alto Networks GlobalProtect portals
  • www.scworld.com: Attackers aim to find zero-days in the PAN-OS gateways they can exploit.

SC Staff@scmagazine.com //
North Korean state-sponsored hackers have been identified as the perpetrators behind cryptocurrency heists totaling over $659 million in 2024. A joint statement from the United States, Japan, and South Korea warns the blockchain industry about these escalating cyber threats, which target not only exchanges and custodians but also individuals. The attacks have used increasingly sophisticated methods, including fake job postings to infiltrate companies, allowing threat actors to deploy malware and conduct social engineering attacks, with the Lazarus Group being identified as a key player in these operations.

The cyberattacks resulted in major losses for various cryptocurrency exchanges and platforms, including $308 million from DMM Bitcoin, $50 million each from Upbit and Radiant Capital, and $16.13 million from Rain Management. Additionally, the joint statement confirmed North Korea was responsible for a $235 million attack on WazirX, an Indian cryptocurrency exchange, in July 2024. These operations are believed to be aimed at funding North Korea's weapons programs, highlighting the international financial impact of the nation's cyber activities.

Recommended read:
References :
  • techcrunch.com: North Korea stole over $659M in crypto heists during 2024, deployed fake job seekers
  • www.scworld.com: North Korean crypto heist toll exceeded $659M in 2024
  • cryptobriefing.com: US, Japan, and South Korea warn blockchain industry of North Korea’s ongoing cyber threats
  • The Verge: North Korea linked to crypto heists of over $650 million in 2024 alone
  • SecurityScorecard: North Korean state-sponsored APT Lazarus Group is targeting software developers looking for freelance Web3 and cryptocurrency work in what SecurityScorecard calls Operation 99.

@www.bleepingcomputer.com //
A sophisticated cyberattack has successfully targeted low-skilled hackers, often referred to as "script kiddies," by using a modified version of the XWorm RAT builder. This fake builder, disguised as a tool for penetration testing, secretly infects the users' systems with a backdoor. This allowed the attacker to compromise over 18,000 devices worldwide. The malware was distributed via various channels, including file-sharing services, GitHub repositories, Telegram channels, and even YouTube. Once installed, the malicious software exfiltrated sensitive data such as browser credentials, Discord tokens, Telegram data, and system information.

The campaign highlights the risks faced even by those attempting to engage in hacking activities. Threat actors, using aliases such as "@shinyenigma" and "@milleniumrat", have taken advantage of the eagerness of these individuals to download and use tools from online tutorials. The infected machines are located in Russia, the United States, India, Ukraine, and Turkey. The malicious tool uses Telegram for its command and control, relying on bot tokens and Telegram API calls. Security researchers have identified a kill switch to disrupt operations on active devices, though its reach is limited by machines that are offline and by rate-limiting mechanisms.

Recommended read:
References :
  • www.bleepingcomputer.com: A threat actor targeted low-skilled hackers, known as "script kiddies," with a fake malware builder that secretly infected them with a backdoor to steal data and take over computers
  • bsky.app: Over 18,000 users infected themselves with a backdoor after they downloaded a cracked malware builder
  • hackread.com: Hackers Use XWorm RAT to Exploit Script Kiddies, Pwning 18,000 Devices
  • www.cloudsek.com: Over 18,000 users infected themselves with a backdoor after they downloaded a cracked malware builder
  • Cyber Security News: Weaponized XWorm RAT Builder Targeting Script Kiddies to Extract Sensitive Data
  • gbhackers.com: Weaponised XWorm RAT Builder Attacking Script Kiddies To Hack 18,000 Devices
  • cyberpress.org: Weaponized XWorm RAT Builder Targeting Script Kiddies to Extract Sensitive Data
  • www.scworld.com: XWorm RAT builder leveraged for widespread device compromise

@securityonline.info //
The United States, Japan, and South Korea have jointly issued a warning to the blockchain industry regarding escalating cyber threats from state-sponsored North Korean hackers. These attacks are not limited to the three nations but extend to the broader international community, with a specific focus on stealing cryptocurrencies from exchanges, custodians, and individual users. The hackers' activities, attributed to groups such as the Lazarus Group, are aimed at generating illicit revenue for the North Korean government's weapons programs.

The scale of these cyber heists is significant, with over $650 million stolen in 2024 alone. Major losses include $308 million from DMM Bitcoin, $50 million from Upbit, and $16.1 million from Rain Management. Furthermore, attacks in 2023 on WazirX ($235 million) and Radiant Capital ($50 million) have also been linked to North Korean cyber actors. The tactics used are becoming increasingly advanced, involving social engineering attacks that deploy malware such as TraderTraitor and AppleJeus. This joint statement underscores the need for enhanced cybersecurity measures and international cooperation to prevent further financial losses.

Recommended read:
References :
  • Cybernews: State-sponsored North Korean hackers threaten not only the US, Japan, and South Korea but also the broader international community.
  • securityonline.info: Millions Stolen: North Korea Hackers Target Blockchain Industry
  • Crypto Briefing: US, Japan, and South Korea warn blockchain industry of North Korea’s ongoing cyber threats

@www.recordedfuture.com //
The Chinese state-sponsored cyber espionage group known as RedDelta, also referred to as Mustang Panda, has been actively targeting several countries in Asia and beyond since July 2023. Its operations have primarily focused on Mongolia, Taiwan, and Southeast Asia, but have also extended to Japan, the United States, Ethiopia, Brazil, Australia, and India. RedDelta employs sophisticated spearphishing techniques, using lure documents themed around political and cultural topics, such as 2024 Taiwanese presidential candidate Terry Gou, the Vietnamese National Holiday, flood protection in Mongolia, and meeting invitations. The group has been observed distributing its customized PlugX backdoor through adapted infection chains, targeting government and diplomatic organizations.

RedDelta has evolved its attack methods over time, initially using Windows Shortcut (LNK) files, transitioning to Microsoft Management Console Snap-In Control (MSC) files in 2024, and most recently using HTML files hosted on Microsoft Azure. Since July 2023, the group has consistently used the Cloudflare content distribution network (CDN) to proxy command-and-control (C2) traffic in order to blend in with legitimate network activity, making victim identification more difficult. The group's activities, which have included successful compromises of the Mongolian Ministry of Defense and the Communist Party of Vietnam, align with the Chinese government's strategic priorities in Asia.

Recommended read:
References :
  • malware.news: RedDelta: Chinese State-Sponsored Group Targets Mongolia, Taiwan, and Southeast Asia with Evolving Cyber Threats
  • www.recordedfuture.com: RedDelta: Chinese State-Sponsored Group Targets Mongolia, Taiwan, and Southeast Asia with Evolving Cyber Threats
  • The Hacker News: RedDelta Deploys PlugX Malware to Target Mongolia and Taiwan in Espionage Campaigns
  • app.recordedfuture.com: Recorded Future: RedDelta: Chinese State-Sponsored Group Targets Mongolia, Taiwan, and Southeast Asia with Evolving Cyber Threats
  • osint10x.com: RedDelta Deploys PlugX Malware to Target Mongolia and Taiwan in Espionage Campaigns
  • securityonline.info: RedDelta Leverages PlugX Backdoor in State-Sponsored Espionage Campaigns

Pierluigi Paganini@Security Affairs //
The LockBit ransomware group has targeted newly appointed FBI Director Kash Patel with an alleged "birthday gift" consisting of leaked classified documents. LockBitSupp, the group's alleged leader, posted a message on February 25, 2025, mocking Patel and claiming the group possesses sensitive data that could "destroy" the FBI. This incident raises serious cybersecurity concerns about potential data breaches targeting high-profile individuals and agencies.

The post, found on LockBit's dark leak blog, describes an "archive of classified information" containing over 250 folders of materials dating back to May 29, 2024. This stolen data is presented as a "guide, roadmap, and some friendly advice" to the new FBI Director. The ransomware cartel's actions represent a bold threat, highlighting the increasing sophistication and audacity of cybercriminals targeting government entities and their leadership.

Recommended read:
References :
  • securityaffairs.com: LockBit taunts FBI Director Kash Patel with alleged "Classified" leak threat
  • The420.in: LockBit Targets FBI Director with Alleged Classified Leak
  • iHLS: In a chilling message posted on February 25, 2025, the alleged leader of the notorious LockBit ransomware group, LockBitSupp, issued a disturbing "birthday gift" to Kash Patel, the newly appointed Director of the FBI.