CyberSecurity news

FlagThis - #none

@cyberinsider.com //
Mozilla has released Firefox 139 to address a critical security vulnerability within the libvpx video codec encoder. This flaw, identified as a double-free vulnerability, could potentially lead to memory corruption and allow for arbitrary code execution on affected systems. Security experts are urging users to update to the latest version of Firefox immediately to mitigate the risk.

The vulnerability is particularly concerning because it is a zero-interaction exploit, meaning that an attacker could potentially execute malicious code without any user action beyond normal browsing activity. This underscores the importance of applying the patch as soon as possible to prevent potential compromise. The update aims to protect users from remote code execution attacks that could exploit the flaw in the libvpx codec.

The Cybersecurity community has highlighted the importance of prioritizing critical patches such as this one to defend against exploitation. This vulnerability demonstrates the persistent threat landscape and the need for constant vigilance in maintaining secure systems. By updating to Firefox 139, users can ensure they are protected against this potentially severe vulnerability.

Recommended read:
References :
  • cyberinsider.com: Mozilla Patches Critical libvpx Double-Free Vulnerability in Firefox 139
  • securityonline.info: Firefox Alert: Zero-Interaction Exploit in libvpx Allows Arbitrary Code Execution

Pierluigi Paganini@securityaffairs.com //
GreyNoise researchers have uncovered a significant and stealthy campaign exploiting ASUS routers, leading to the formation of a new botnet dubbed "AyySSHush". This long-running operation has compromised thousands of ASUS routers, with numbers steadily increasing. The attackers are gaining unauthorized, persistent access to the devices, effectively establishing a distributed network of backdoors, potentially laying the foundation for a future, larger botnet.

This attack is achieved through a sophisticated, multi-step exploitation chain, showcasing advanced knowledge of ASUS systems. Initial access is gained through brute-force login attempts and previously undocumented authentication bypasses. Attackers then exploit CVE-2023-39780, a command injection vulnerability, to execute system commands. This allows them to enable SSH access on a custom port and insert an attacker-controlled SSH public key, granting persistent remote access.

The AyySSHush botnet's stealth is enhanced by disabling router logging to evade detection and avoiding the installation of any malware. Crucially, the backdoor is stored in non-volatile memory (NVRAM), ensuring it survives both firmware upgrades and reboots. As of late May 2025, data confirmed that over 9,000 ASUS routers had been compromised. This campaign highlights the critical need for prompt patching of router vulnerabilities to prevent exploitation and botnet recruitment.

Recommended read:
References :
  • cyberinsider.com: A campaign targeting nearly 9,000 ASUS routers globally has given attackers persistent, undetectable access, likely to build a botnet network for future operations.
  • The GreyNoise Blog: GreyNoise uncovers a stealth campaign exploiting ASUS routers, enabling persistent backdoor access via CVE-2023-39780 and unpatched techniques. Learn how attackers evade detection, how GreyNoise discovered it with AI-powered tooling, and what defenders need to know.
  • Blog: ASUS routers exposed to the public Internet are being compromised, with backdoors being installed. Here's how to find impacted assets on your network.
  • www.scworld.com: ASUS router backdoors affect 9K devices, persist after firmware updates
  • securityonline.info: Beyond Malware: Stealthy ASUS Router Exploitation Survives Reboots, Builds Botnet
  • bsky.app: Over 9,000 ASUS routers are compromised by a novel botnet dubbed "AyySSHush" that was also observed targeting SOHO routers from Cisco
  • securityaffairs.com: New AyySSHush botnet compromised over 9,000 ASUS routers, adding a persistent SSH backdoor.
  • securityonline.info: Beyond Malware: Stealthy ASUS Router Exploitation Survives Reboots, Builds Botnet.
  • CyberInsider: 9,000 ASUS Routers Compromised in Stealthy Backdoor Campaign
  • BleepingComputer: Botnet hacks 9,000+ ASUS routers to add persistent SSH backdoor
  • www.techradar.com: Thousands of Asus routers hacked to create a major botnet planting damaging malware.

@www.microsoft.com //
IACR News has highlighted recent advancements in post-quantum cryptography, essential for safeguarding data against future quantum computer attacks. A key area of focus is the development of algorithms and protocols that remain secure even when classical cryptographic methods become vulnerable. Among these efforts, FrodoKEM stands out as a conservative quantum-safe cryptographic algorithm, designed to provide strong security guarantees in the face of quantum computing threats.

The adaptive security of key-unique threshold signatures is also under scrutiny. Research presented by Elizabeth Crites, Chelsea Komlo, and Mary Mallere, investigates the security assumptions required to prove the adaptive security of threshold signatures. Their work reveals impossibility results that highlight the difficulty of achieving adaptive security for key-unique threshold signatures, particularly for schemes compatible with standard, single-party signatures like BLS, ECDSA, and Schnorr. This research aims to guide the development of new assumptions and properties for constructing adaptively secure threshold schemes.

In related news, Muhammed F. Esgin is offering PhD and Post-Doc positions in post-quantum cryptography, emphasizing the need for candidates with a strong mathematical and cryptography background. Students at Monash University can expect to work on their research from the beginning, supported by competitive stipends and opportunities for teaching assistant roles. These academic opportunities are crucial for training the next generation of cryptographers who will develop and implement post-quantum solutions.

Recommended read:
References :
  • mfesgin.github.io: PhD and Post-Doc in Post-Quantum Cryptography
  • IACR News: Zero-Trust Post-quantum Cryptography Implementation Using Category Theory

Puja Srivastava@Sucuri Blog //
Cybercriminals are increasingly employing sophisticated social engineering techniques to distribute malware, with a recent surge in attacks leveraging fake CAPTCHA prompts and AI-generated TikTok videos. These campaigns, collectively known as "ClickFix," manipulate users into executing malicious PowerShell commands, leading to system compromise and the installation of information-stealing malware. A notable example involves a fake Google Meet page hosted on compromised WordPress sites, which tricks visitors into copying and pasting a specific PowerShell command under the guise of fixing a "Microphone Permission Denied" error. Once executed, the command downloads a remote access trojan (RAT), granting attackers full control over the victim's system.

The ClickFix technique is also being amplified through AI-generated TikTok videos that promise free access to premium software like Windows, Microsoft Office, Spotify, and CapCut. These videos instruct users to run PowerShell scripts, which instead install Vidar and StealC malware, capable of stealing login credentials, credit card data, and 2FA codes. Trend Micro researchers note that the use of AI allows for rapid production and tailoring of these videos to target different user segments. These tactics have proven highly effective, with one video promising to "boost your Spotify experience instantly" amassing nearly 500,000 views.

Detecting and preventing ClickFix attacks requires a multi-faceted approach. Security experts recommend disabling the Windows Run program via Group Policy Objects (GPOs) or turning off the "Windows + R" hotkey. Additionally, users should exercise caution when encountering unsolicited technical instructions, verify the legitimacy of video sources, and avoid running PowerShell commands from untrusted sources. Monitoring for keywords like "not a robot," "captcha," "secure code," and "human" in process creation events can also help identify potential attacks. These measures, combined with public awareness, are crucial in mitigating the growing threat posed by ClickFix campaigns.

Recommended read:
References :
  • Sucuri Blog: Fake Google Meet Page Tricks Users into Running PowerShell Malware
  • securityonline.info: Fake Google Meet Page Tricks Users into Running Malware
  • gbhackers.com: How Google Meet Pages Are Exploited to Deliver PowerShell Malware
  • securityaffairs.com: Crooks use TikTok videos with fake tips to trick users into running commands that install Vidar and StealC malware in ClickFix attacks.
  • securityonline.info: Threat actors have ramped up a new social engineering campaign, dubbed “ClickFix,†where fake CAPTCHA prompts embedded in
  • Know Your Adversary: I think you at least heard about fake CAPTCHA attacks. Yes, ClickFix again. The thing is - adversaries use fake CAPTCHA pages to trick users into executing malicious commands in Windows.

@securityonline.info //
A critical security vulnerability has been discovered in vBulletin forum software, tracked as CVE-2024-45721, that enables unauthenticated attackers to execute arbitrary code on unpatched systems. This flaw puts millions of online communities at risk of full server compromise. The vulnerability affects vBulletin versions 6.0.0 through 6.1.4 and stems from improper sanitization of user inputs in template rendering modules. Discovered by cybersecurity firm SentinelWatch on May 22, 2025, the flaw has already seen significant exploitation attempts, with over 12,000 attack vectors targeting forums in various sectors within 48 hours of public disclosure.

Exploitation of the vulnerability involves crafting malicious forum posts containing payloads that bypass built-in sandboxing through parameter smuggling techniques. Attackers leverage vBulletin’s `vb:rawtemplate` directive, which fails to properly validate nested function calls when processing user-generated content. Successful exploitation grants SYSTEM-level privileges on Windows hosts and www-data access on Linux systems, enabling the installation of web shells, credential harvesters, and cryptocurrency miners. Proof-of-concept exploits have demonstrated the ability to execute OS commands even when PHP security hardening measures are present, by using PHP's `unserialize()` function with crafted OPcache configurations to bypass `disable_functions` restrictions.

In response to the widespread exploitation, vBulletin released patch 6.1.5 on May 25, 2025, which introduces granular template validation. However, as of the latest reports, 68% of installations remain unupdated, leaving a significant number of forums vulnerable. Observed attack clusters include cryptojacking campaigns, data exfiltration, and precursors to ransomware attacks. Notably, 58% of compromised forums had hidden Monero miners installed, while attackers cloned user databases from 23 gaming communities containing 14 million records, now circulating on dark web markets. Additionally, six enterprise forums received tailored malware potentially leading to Black Basta ransomware deployment.

Recommended read:
References :
  • cyberpress.org: Severe vBulletin Forum Flaw Enables Remote Code Execution
  • securityonline.info: Critical Pre-Auth RCE: vBulletin Flaw Allows Full Server Compromise (PoC Available)
  • infosec.exchange: A newly discovered vulnerability in vBulletin, one of the world’s most popular forum platforms, has exposed thousands of online communities to the risk of unauthenticated Remote Code Execution
  • Cyber Security News: Severe vBulletin Forum Flaw Enables Remote Code Execution

Pierluigi Paganini@Security Affairs //
The FBI has issued a warning to U.S. law firms regarding an escalating cyber threat posed by the Silent Ransom Group (SRG), also known as Luna Moth or Chatty Spider. This group, active since 2022, has refined its tactics to target law firms specifically since early 2023, likely due to the valuable and confidential client data they possess. The group aims to gain unauthorized access to systems and devices in order to steal sensitive information and extort victims with threats of public data leaks.

SRG's methods include IT-themed social engineering calls and callback phishing emails. In these attacks, they impersonate IT personnel to deceive employees into granting remote access to systems. They may direct the employee to a malicious website or send a link via email that installs remote access software. Once inside, the attackers discreetly extract sensitive files using tools like WinSCP or disguised versions of Rclone. This campaign is particularly dangerous because it leaves minimal digital traces and can bypass traditional security measures.

To defend against these attacks, the FBI urges law firms to enhance staff training to recognize and avoid social engineering tactics. Implementing multi-factor authentication is crucial, as is proactive monitoring for unauthorized access attempts. The agency also advises that victims share any ransom evidence with law enforcement to aid in investigations. Furthermore, CISOs are encouraged to fortify help desk and employee defenses, enhance intrusion detection and tracking capabilities, and recognize that paying ransoms is not a viable strategy.

Recommended read:
References :
  • DataBreaches.Net: DataBreaches.net issues a Private Industry Notification about the Silent Ransom Group targeting law firms.
  • securityaffairs.com: SecurityAffairs reports on Silent Ransom Group targeting law firms, the FBI warns.
  • The DefendOps Diaries: The DefendOps Diaries explores the Silent Ransom Group's new era of cyber extortion.
  • bsky.app: The FBI warned that an extortion gang known as the Silent Ransom Group has been targeting U.S. law firms over the last two years in callback phishing and social engineering attacks.
  • BleepingComputer: FBI warns of Luna Moth extortion attacks targeting law firms
  • ciso2ciso.com: Silent Ransom Group targeting law firms, the FBI warns – Source: securityaffairs.com
  • hackread.com: FBI Warns of Silent Ransom Group Targeting Law Firms via Scam Calls
  • databreaches.net: Private Industry Notification: Silent Ransom Group Targeting Law Firms
  • Security Affairs: The FBI warns that the Silent Ransom Group, active since 2022 and also known as Luna Moth, has targeted U.S. law firms using phishing and social engineering. Linked to BazarCall campaigns, the group previously […]
  • ciso2ciso.com: FBI Warns of Silent Ransom Group Targeting Law Firms via Scam Calls – Source:hackread.com
  • malware.news: Private Industry Notification: Silent Ransom Group Targeting Law Firms
  • ciso2ciso.com: FBI warns law firms: Silent Ransom Group uses phishing emails and fake IT calls to steal data, demanding ransom to prevent public leaks.
  • gbhackers.com: FBI Issues on Silent Ransom Group Using Fake IT Support Calls to Target Victims
  • malware.news: FBI Issues on Silent Ransom Group Using Fake IT Support Calls to Target Victims
  • The Hacker News: FBI Alerts Law Firms to Rising Threat of Silent Ransom Group’s Extortion Tactics
  • gbhackers.com: The Federal Bureau of Investigation (FBI) has issued a critical alert regarding the escalating activities of the cyber threat actor known as Silent Ransom Group (SRG), also identified under aliases such as Luna Moth, Chatty Spider, and UNC3753.
  • Tech Monitor: The FBI alerts law firms to rising threat of Silent Ransom Group’s extortion tactics
  • thecyberexpress.com: FBI Silent Ransom Group Advisory
  • eSecurity Planet: The FBI warns law firms of a stealth phishing scam where hackers call victims, pose as IT staff, and use remote access tools to steal sensitive data.
  • www.scworld.com: US law firms facing Luna Moth ransomware threat
  • cyble.com: FBI Warns Silent Ransom Group Targeting U.S. Law Firms Using Social Engineering and Callback Phishing
  • www.esecurityplanet.com: FBI Warns Law Firms: Hackers Are Calling Offices in Stealth Phishing Scam
  • cyble.com: FBI Warns Silent Ransom Group Targeting U.S. Law Firms Using Social Engineering and Callback Phishing
  • www.techradar.com: FBI warns legal firms of Luna Moth extortion attacks where hackers will call their office

karlo.zanki@reversinglabs.com (Karlo@Blog (Main) //
References: Blog (Main) , www.tripwire.com ,
Cybersecurity experts are raising alarms over the increasing use of artificial intelligence for malicious purposes. ReversingLabs (RL) researchers recently discovered a new malicious campaign targeting the Python Package Index (PyPI) that exploits the Pickle file format. This attack involves threat actors distributing malicious ML models disguised as a "Python SDK for interacting with Aliyun AI Labs services," preying on users of Alibaba AI labs. Once installed, the package delivers an infostealer payload hidden inside a PyTorch model, exfiltrating sensitive information such as machine details and contents of the .gitconfig file. This discovery highlights the growing trend of attackers leveraging AI and machine learning to compromise software supply chains.

Another significant security concern is the rise of ransomware attacks employing social engineering tactics. The 3AM ransomware group has been observed impersonating IT support personnel to trick employees into granting them remote access to company networks. Attackers flood an employee's inbox with unsolicited emails and then call, pretending to be from the organization's IT support, using spoofed phone numbers to add credibility. They then convince the employee to run Microsoft Quick Assist, granting them remote access to "fix" the email issue, allowing them to deploy malicious payloads, create new user accounts with admin privileges, and exfiltrate large amounts of data. This highlights the need for comprehensive employee training to recognize and defend against social engineering attacks.

The US Department of Justice has announced charges against 16 Russian nationals allegedly tied to the DanaBot malware operation, which has infected at least 300,000 machines worldwide. The indictment describes how DanaBot was used in both for-profit criminal hacking and espionage against military, government, and NGO targets. This case illustrates the blurred lines between cybercrime and state-sponsored cyberwarfare, with a single malware operation enabling various malicious activities, including ransomware attacks, cyberattacks in Ukraine, and spying. The Defense Criminal Investigative Service (DCIS) has seized DanaBot infrastructure globally, underscoring the severity and scope of the threat posed by this operation.

Recommended read:
References :
  • Blog (Main): Malicious attack method on hosted ML models now targets PyPI
  • www.tripwire.com: 3AM ransomware attack poses as a call from IT support to compromise networks
  • www.wired.com: Feds Charge 16 Russians Allegedly Tied to Botnets Used in Ransomware, Cyberattacks, and Spying

CISA@All CISA Advisories //
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding a potential broader campaign targeting Software-as-a-Service (SaaS) providers. This alert follows the discovery of unauthorized activity within Commvault's Microsoft Azure environment. CISA believes threat actors may have gained access to client secrets for Commvault's Metallic Microsoft 365 (M365) backup SaaS solution hosted in Azure. This access could allow the threat actors to compromise Commvault's customers' M365 environments where application secrets are stored by Commvault.

The suspected campaign exploits default configurations and elevated permissions in cloud applications, making SaaS companies with weak security a prime target. The initial incident involved a zero-day vulnerability, CVE-2025-3928, in Commvault's Web Server, allowing remote, authenticated attackers to create and execute web shells. Commvault confirmed that Microsoft notified them of the unauthorized activity in February 2025, leading to an investigation and remediation efforts. Despite the breach, Commvault assured customers that there was no unauthorized access to their backup data, and they have rotated app credentials for M365 as a preventative measure.

CISA has provided recommendations for users and administrators to mitigate such threats, including monitoring Entra audit logs for unauthorized modifications, reviewing Microsoft logs for suspicious activity, and implementing conditional access policies to restrict application service principal authentication to approved IP addresses. They also advise reviewing Application Registrations and Service Principals in Entra, restricting access to Commvault management interfaces, and deploying a Web Application Firewall to detect and block path-traversal attempts. These steps aim to strengthen the security posture of SaaS applications and prevent further exploitation of vulnerabilities.

Recommended read:
References :
  • The Hacker News: TheHackerNews post about broader SaaS Attacks Exploiting App Secrets and Cloud Misconfigs
  • www.commvault.com: Commvault blogs on a customer security update.
  • The Register - Security: CISA says SaaS providers in firing line after Commvault zero-day Azure attack
  • thecyberexpress.com: Nation-state threat actors targeting Commvault applications hosted in Microsoft Azure may be part of a broader campaign targeting Software-as-a-Service (SaaS) applications, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned in an advisory this week.
  • www.scworld.com: CISA warns of attacks on Commvault’s Microsoft Azure environment
  • malware.news: China-linked ‘Silk Typhoon’ hackers accessed Commvault cloud environments, person familiar says
  • bsky.app: Advisory Update on Cyber Threat Activity Targeting Commvault’s SaaS Cloud Application (Metallic) | CISA
  • www.nextgov.com: China-linked Silk Typhoon hackers accessed Commvault cloud environments, person familiar says
  • www.techradar.com: Commvault attack may put SaaS companies across the world at risk, CISA warns
  • www.csoonline.com: The US Cybersecurity and Infrastructure Security Agency (CISA) has warned about threat actors abusing Commvault’s SaaS cloud application, Metallic, to access its clients’ critical application secrets.
  • cyble.com: CISA Updates Advisory for Active Exploitation Targeting Commvault Metallic SaaS Cloud Platform
  • cyble.com: CISA Updates Advisory for Active Exploitation Targeting Commvault Metallic SaaS Cloud Platform

@securebulletin.com //
A new wave of cyberattacks is leveraging sophisticated social engineering techniques combined with technical exploits to breach corporate networks. Security firms are reporting a rise in attacks linked to the 3AM ransomware operation. These attacks begin with an overwhelming flood of emails, known as email bombing, directed at specific employees. This is followed by spoofed phone calls where the attackers impersonate the organization's IT support team, attempting to trick the employee into granting remote access to their computer. The attackers’ use of real phone calls marks a notable escalation in social engineering sophistication.

Once the attackers have gained the trust of the employee, they will try to convince them to run Microsoft Quick Assist, a legitimate remote access tool. This grants the attackers remote access to the victim's machine under the guise of fixing a problem. This initial access is then used to deploy a malicious payload, which may include virtual machines or other tools designed to evade detection by security software. After gaining control of the system they install malicious software, create new user accounts, and gain admin privileges.

Sophos has documented multiple ransomware actors leveraging an attack pattern first reported by Microsoft using “email bombing” to overload a targeted organization’s employee with unwanted emails, and then making a voice or video call over Microsoft Teams posing as a tech support team member to deceive that employee into allowing remote access to their computer. BleepingComputer reports that highly targeted intrusions involving email bombing and fake IT support calls have been launched by threat actors linked to the 3AM ransomware operation during the first quarter of this year. This allows the attackers to perform reconnaissance, create local admin accounts, and install remote management tools for persistence and lateral movement within the network, often resulting in significant data exfiltration.

Recommended read:
References :
  • bsky.app: Bsky post about 3AM ransomware posing as a call from IT support to compromise networks.
  • securebulletin.com: Secure Bulletin post covering 3AM Ransomware attacks
  • www.bleepingcomputer.com: BleepingComputer post about 3AM ransomware uses spoofed IT calls
  • www.tripwire.com: Tripwire State of Security blog post on 3AM ransomware attack posing as a call from IT support.
  • www.scworld.com: BleepingComputer reports that highly targeted intrusions involving email bombing and fake IT support calls have been launched by threat actors linked to the 3AM ransomware operation during the first quarter of this year.
  • BleepingComputer: A 3AM ransomware affiliate is conducting highly targeted attacks using email bombing and spoofed IT support calls to socially engineer employees into giving credentials for remote access to corporate systems.
  • The DefendOps Diaries: Explore the sophisticated tactics of 3AM ransomware, including social engineering and advanced encryption, to protect your network.
  • Graham Cluley: 3AM ransomware attack poses as a call from IT support to compromise networks

Andres Ramos@Arctic Wolf //
Versa Concerto, a network security and SD-WAN orchestration platform, is facing scrutiny after the public disclosure of multiple unpatched vulnerabilities. ProjectDiscovery researchers revealed technical details on May 21, 2025, following a 90-day responsible disclosure period that began on February 13, 2025. The disclosed flaws include authentication bypasses, remote code execution (RCE), and container escapes, posing a significant threat to the platform and its underlying host systems. The platform is a Spring Boot-based application deployed via Docker containers and routed through Traefik, making it vulnerable to attacks targeting these components.

These vulnerabilities, when chained together, could allow a complete system compromise. One notable flaw, CVE-2025-34027, carries a maximum severity score of 10.0 and involves a URL decoding inconsistency issue. This could facilitate unauthorized access to file upload endpoints and enable remote code execution. Other critical vulnerabilities include CVE-2025-34026, an authentication bypass allowing access to administrative endpoints, and CVE-2025-34025, a privilege escalation leading to Docker container escape and code execution on the host machine.

Despite the disclosure of these vulnerabilities, Versa Networks has stated that patches were implemented in early March and made publicly available in mid-April. According to a Versa Networks spokesperson, all affected customers were notified through established security and support channels with guidance on applying the recommended updates, and there is no indication that these vulnerabilities were exploited in the wild. However, ProjectDiscovery researchers initially noted the lack of patches, prompting the need for public disclosure after the 90-day deadline passed.

Recommended read:
References :
  • Arctic Wolf: Multiple Unpatched Vulnerabilities in Versa Concerto Disclosed
  • The Hacker News: Unpatched Versa Concerto Flaws Let Attackers Escape Docker and Compromise Host
  • securityonline.info: Unpatched 0-Days (CVSS 10): Versa Concerto Flaws Threaten Enterprise Networks
  • BleepingComputer: Unpatched critical bugs in Versa Concerto lead to auth bypass, RCE
  • thecyberexpress.com: Versa Patches 3 Concerto SD-WAN Vulnerabilities, Including a Perfect 10.0
  • Arctic Wolf: Multiple Unpatched Vulnerabilities in Versa Concerto Disclosed
  • www.scworld.com: Significant compromise possible with critical Versa Concerto flaws
  • arcticwolf.com: Multiple Unpatched Vulnerabilities in Versa Concerto Disclosed
  • Blog: Project Discovery has disclosed several vulnerabilities in Versa Concerto, a tool used to configure and monitor Versa devices in networks.
  • Blog: Security researchers have identified several critical vulnerabilities in Versa Concerto, a centralized management platform for Versa Networks' SD-WAN and SASE solutions.
  • projectdiscovery.io: The Versa Concerto vulnerabilities were revealed by Project Discovery in a earlier this week, which said Versa hadn’t responded to the researchers’ disclosures that were first made in February.

@arstechnica.com //
Signal, the privacy-focused messaging application, has taken action to block Microsoft's controversial Recall feature from capturing screenshots of its desktop app content on Windows 11. Citing privacy concerns over Recall's ability to automatically take screenshots of on-screen activity, Signal has implemented a "screen security" setting, enabled by default, that leverages Digital Rights Management (DRM) to prevent the tool from accessing and recording private conversations. This move comes as Signal expresses discontent with Microsoft's approach, arguing that Recall lacks sufficient developer controls to exclude specific apps and protect sensitive information.

Microsoft's Recall feature, designed for Copilot+ PCs, works by continuously taking screenshots and creating a searchable database of user activity. Signal argues that this poses a significant risk to the privacy of its users, as private conversations could be inadvertently captured and stored. By implementing DRM, Signal sets a flag on its application window that instructs Recall, and any other screenshotting application, to ignore its content. While Signal acknowledges this is a blunt tool that may interfere with accessibility software, it believes Microsoft left them with no other choice.

Signal has criticized Microsoft for not providing developers with the necessary tools to manage how Recall interacts with their applications. The messaging app argues that it shouldn't have to resort to using DRM "content protection hacks" to safeguard user privacy. Signal hopes that AI teams building systems like Recall will carefully consider the privacy implications and avoid forcing apps to use workarounds to protect the integrity of their services. They want the AI teams to know that this will potentially affect accessibility options like screen readers.

Recommended read:
References :
  • security ? Ars Technica: “Microsoft has simply given us no other option,†Signal says as it blocks Windows Recall
  • The Register - Software: Signal shuts the blinds on Microsoft Recall with the power of DRM
  • www.techradar.com: Signal blasts Microsoft over Recall privacy failings, as secure messaging app is forced to fudge a way of blocking the controversial Windows 11 feature
  • Dropsafe: By Default, Signal Doesn’t Recall | Signal Windows app leverages DRM content protection hacks to hide messages from Windows Recall
  • Dan Goodin: Signal writes: "We hope that the AI teams building systems like Recall will think through these implications more carefully in the future. Apps like Signal shouldn’t have to implement “one weird trick†in order to maintain the privacy and integrity of their services without proper developer tools. People who care about privacy shouldn’t be forced to sacrifice accessibility upon the altar of AI aspirations either."
  • www.bleepingcomputer.com: Signal now blocks Microsoft Recall screenshots on Windows 11
  • CyberInsider: Signal Deploys Countermeasure to Shield Messages from Windows Recall
  • securityaffairs.com: New Signal update stops Windows from capturing user chats
  • Schneier on Security: Signal Blocks Windows Recall
  • cyberinsider.com: Signal Deploys Countermeasure to Shield Messages from Windows Recall

info@thehackernews.com (The@The Hacker News //
Chinese-speaking hackers have exploited a zero-day vulnerability, CVE-2025-0994, in Trimble Cityworks software to breach multiple local governing bodies across the United States. This vulnerability, a remote code execution flaw, has been actively exploited since January 2025 by a threat actor tracked as UAT-6382. The attackers targeted enterprise networks of local governing bodies, conducting reconnaissance and deploying web shells and custom-made malware to maintain long-term access, with a particular interest in systems related to utilities management.

UAT-6382 utilized a variety of tools and techniques in their attacks. They rapidly deployed web shells such as AntSword and chinatso/Chopper on the underlying IIS web servers. Additionally, they employed Rust-based loaders, known as TetraLoader, to deliver Cobalt Strike and VShell malware, ensuring persistent access to compromised systems. The TetraLoader was built using MaLoader, a malware building framework written in Simplified Chinese, further indicating the origin of the threat actor.

Cisco Talos researchers have assessed with high confidence that UAT-6382 is a Chinese-speaking threat actor, based on tooling, TTPs, hands-on-keyboard activity, and victimology. Indicators of compromise (IOCs) related to these intrusions overlap with those listed in Trimble’s advisory. The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-0994 to its Known Exploited Vulnerabilities (KEV) catalog in February 2025. The exploitation of this flaw highlights the risk of nation-state actors targeting critical infrastructure software used by U.S. local governments and utilities.

Recommended read:
References :
  • Cisco Talos Blog: Talos has observed exploitation of CVE-2025-0994 in the wild by UAT-6382, a Chinese-speaking threat actor, who then deployed malware payloads via TetraLoader.
  • securityonline.info: Critical 0-Day: Cityworks Flaw Actively Exploited by Chinese APT UAT-6382
  • The Hacker News: Chinese Hackers Exploit Trimble Cityworks Flaw to Infiltrate U.S. Government Networks
  • BleepingComputer: Chinese hackers breach US local governments using Cityworks zero-day
  • bsky.app: Cisco Talos says a group tracked as UAT-6382 has used a recent Trimble CityWorks zero-day (CVE-2025-0944) to breach local governing bodies in the US
  • securityonline.info: SecurityOnline.info article on critical 0-day Cityworks flaw exploited by Chinese APT UAT-6382
  • malware.news: Trimble Cityworks zero-day attacks on US local governments detailed
  • The DefendOps Diaries: Chinese Hackers Exploit Cityworks Zero-Day Vulnerability in US Local Governments
  • www.scworld.com: Trimble Cityworks zero-day attacks on US local governments detailed
  • The DefendOps Diaries: Exploitation of Ivanti EPMM Vulnerabilities by Chinese Hackers: A Detailed Analysis
  • BleepingComputer: Ivanti EPMM flaw exploited by Chinese hackers to breach govt agencies
  • securityaffairs.com: Chinese threat actors exploited Trimble Cityworks flaw to breach U.S. local government networks
  • www.csoonline.com: A now-patched high-severity security flaw affecting Trimble Cityworks — a specialized software used by local governments in the US, utilities, and public agencies to manage their infrastructure and community services—was abused by Chinese hackers to compromise systems before a patch was available.
  • blog.talosintelligence.com: UAT-6382 exploits Cityworks zero-day vulnerability to deliver malware
  • www.techradar.com: The Chinese used the Cityworks bug to deploy Cobalt Strike beacons and backdoors.
  • www.cybersecuritydive.com: Cisco Talos researchers attribute the exploitation of the CVE-2025-0994 in Trimble Cityworks to Chinese-speaking threat actor UAT-6382, based on tools and TTPs used in the intrusions.
  • www.csoonline.com: A now-patched high-severity security flaw affecting Trimble Cityworks — a specialized software used by local governments in the US, utilities, and public agencies to manage their infrastructure and community services—was abused by Chinese hackers to compromise systems before a patch was available.
  • Blog: The Chinese-speaking cyber-espionage group identified as UAT-6382 has been observed exploiting a critical vulnerability in Trimble's Cityworks software to infiltrate U.S. government networks.
  • StateScoop: Report: Chinese hackers used Cityworks vulnerability to deliver malware
  • Cisco Talos Blog: Hazel observes that cybercriminals often fumble teamwork, with fragile alliances crumbling over missed messages. Plus, how UAT-6382 is exploiting Cityworks and what you can do to stay secure.
  • hackread.com: Warnings on active exploitation of a zero-day vulnerability (CVE-2025-0994) in Cityworks.

@www.first.org //
Researchers from the U.S. National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA) have collaborated to develop a new security metric designed to better assess the likelihood of vulnerability exploitation. This metric aims to enhance the existing Exploit Prediction Scoring System (EPSS) and CISA's Known Exploited Vulnerabilities (KEV) catalog, providing a more refined approach to identifying vulnerabilities that are at high risk of being exploited in the wild. Peter Mell, formerly of NIST, and Jonathan Spring from CISA are credited with outlining this vulnerability exploit metric.

This new metric, detailed in a NIST White Paper titled "Likely Exploited Vulnerabilities," seeks to improve the accuracy with which vulnerabilities are prioritized for remediation. By augmenting the EPSS and KEV lists, the metric intends to provide a clearer understanding of a vulnerability's exploitability. The researchers propose this augmentation as a means to better express how likely a vulnerability is to be exploited, which can aid organizations in focusing their security efforts on the most critical threats.

Meanwhile, CISA has recently added six new vulnerabilities to its Known Exploited Vulnerabilities catalog, underscoring the importance of addressing actively exploited flaws. In a related development, Wiz Research has observed in-the-wild exploitation of CVE-2025-4427 and CVE-2025-4428, two recently disclosed vulnerabilities affecting Ivanti Endpoint Manager Mobile (EPMM). These Ivanti EPMM vulnerabilities, which involve a chain of exploits leading to remote code execution, highlight the need for organizations to promptly apply security patches and mitigate potential risks.

Recommended read:
References :
  • Metacurity: Peter Mell from NIST and Tom Spring from CISA propose an alternative/augmentation to the Exploit Prediction Scoring System (EPSS) and Known Exploited Vulnerability (KEV) lists to better express a vulnerability's exploitability.
  • thecyberexpress.com: Researchers from the U.S. National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA) have developed a new security metric to determine the likelihood that a vulnerability has been exploited. In a published this week, Peter Mell, formerly of NIST, and CISA’s Jonathan Spring outlined their vulnerability exploit metric that augments the work of the Exploit Prediction Scoring System ( ) and CISA’s Known Exploited Vulnerabilities ( ) catalog.

@cyberscoop.com //
A 19-year-old college student from Worcester, Massachusetts, Matthew Lane, has agreed to plead guilty to charges related to a massive cyberattack on PowerSchool, a cloud-based education software provider. The cyberattack involved extorting millions of dollars from PowerSchool in exchange for not leaking the personal data of millions of students and teachers. Lane exploited stolen credentials to gain unauthorized access to PowerSchool's networks, leading to the theft of sensitive student and teacher data.

The data breach is considered one of the largest single breaches of American schoolchildren's data, affecting approximately 62.4 million students and 9.5 million teachers. According to court documents, Lane obtained stolen data from a U.S. telecommunications company before targeting PowerSchool. After the initial victim refused to pay a ransom, Lane allegedly sought to hack another company that would pay. The stolen information included sensitive details like Social Security numbers and academic records.

Lane will plead guilty to multiple charges, including cyber extortion conspiracy, cyber extortion, unauthorized access to protected computers, and aggravated identity theft. The incident has been described by authorities as a serious attack on the economy, with the potential to instill fear in parents regarding the safety of their children's data. This case highlights the increasing risk of cyberattacks targeting educational institutions and the importance of robust cybersecurity measures to protect student and teacher data.

Recommended read:
References :
  • cyberscoop.com: Massachusetts man will plead guilty in PowerSchool hack case
  • DataBreaches.Net: The incident involved a student who used stolen credentials.
  • BleepingComputer: A 19-year-old college student from Worcester, Massachusetts, has agreed to plead guilty to a massive cyberattack on PowerSchool that extorted millions of dollars in exchange for not leaking the personal data of millions of students and teachers.
  • The DefendOps Diaries: Explore the PowerSchool data breach, its impact on education tech, and lessons for cybersecurity.
  • BleepingComputer: PowerSchool hacker pleads guilty to student data extortion scheme
  • www.bleepingcomputer.com: A 19-year-old college student from Worcester, Massachusetts, has agreed to plead guilty to a massive cyberattack on PowerSchool that extorted millions of dollars in exchange for not leaking the personal data of millions of students and teachers. [...]
  • cyberinsider.com: PowerSchool Hacker to Plead Guilty for Extortion Affecting Millions
  • Threats | CyberScoop: Massachusetts man will plead guilty in PowerSchool hack case
  • techcrunch.com: US student agrees to plead guilty to hack affecting tens of millions of students
  • The Register - Security: US teen to plead guilty to extortion attack against PowerSchool
  • CyberInsider: PowerSchool Hacker to Plead Guilty for Extortion Affecting Millions
  • hackread.com: 19-Year-Old Admits to PowerSchool Data Breach Extortion
  • techcrunch.com: US student agrees to plead guilty to hack affecting tens of millions of students

info@thehackernews.com (The@The Hacker News //
A new cybersecurity threat, dubbed Hazy Hawk, has emerged, exploiting misconfigured DNS records to hijack abandoned cloud resources. Since at least December 2023, the threat actor has been using DNS CNAME hijacking to seize control of abandoned cloud endpoints belonging to reputable organizations, including Amazon S3 buckets and Microsoft Azure endpoints. By registering new cloud resources with the same names as the abandoned ones, Hazy Hawk redirects traffic to malicious sites, incorporating these hijacked domains into large-scale scam delivery and traffic distribution systems (TDS). This allows them to distribute scams, fake applications, and malware to unsuspecting users, leveraging the trust associated with the original domains.

Infoblox researchers first detected Hazy Hawk's activities in February 2025, when the group successfully took control of subdomains belonging to the U.S. Centers for Disease Control (CDC). Further investigation revealed that global government agencies, major universities, and international corporations such as Deloitte and PricewaterhouseCoopers have also been targeted. Hazy Hawk scans for domains with CNAME records pointing to abandoned cloud endpoints, determining this through passive DNS data validation. They then register a new cloud resource with the same name, causing the original domain's subdomain to resolve to the attacker's controlled resource.

The attack chains often involve cloning legitimate websites to appear trustworthy, and URL obfuscation techniques are employed to hide malicious destinations. Hazy Hawk uses hijacked domains to host malicious URLs that redirect users to scams and malware. What makes Hazy Hawk's operations particularly concerning is the use of trusted domains to serve malicious content, enabling them to bypass detection and exploit the reputation of high-profile entities. Cybersecurity experts advise organizations to diligently monitor and manage their DNS records, ensuring that CNAME records pointing to abandoned cloud resources are removed to prevent unauthorized domain hijacking.

Recommended read:
References :
  • BleepingComputer: Threat actors have been using DNS CNAME hijacking to hijack abandoned cloud endpoints of domains belonging to trusted organizations and incorporate them in large-scale scam delivery and traffic distribution systems (TDSes).
  • BleepingComputer: Hazy Hawk gang exploits DNS misconfigs to hijack trusted domains
  • The Hacker News: Hazy Hawk Exploits DNS Records to Hijack CDC, Corporate Domains for Malware Delivery
  • hackread.com: Infoblox reveals Hazy Hawk, a new threat exploiting abandoned cloud resources (S3, Azure) and DNS gaps since Dec…
  • The DefendOps Diaries: Explore Hazy Hawk's DNS hijacking tactics and learn how to protect your domains from this emerging cybersecurity threat.
  • bsky.app: A threat actor named 'Hazy Hawk' has been using DNS CNAME hijacking to hijack abandoned cloud endpoints of domains belonging to trusted organizations and incorporate them in large-scale scam delivery and traffic distribution systems (TDS).
  • www.bleepingcomputer.com: Hazy Hawk has been observed hijacking abandoned cloud resources.
  • Virus Bulletin: Researchers Jacques Portal & Renée Burton look into Hazy Hawk, a threat actor that hijacks abandoned cloud resources of high-profile organizations.
  • blogs.infoblox.com: Hazy Hawk is a threat actor that hijacks abandoned cloud resources of high-profile organizations.
  • www.scworld.com: Misconfigured DNS, neglected cloud assets harnessed in Hazy Hawk domain hijacking attacks
  • Infoblox Blog: Cloudy with a Chance of Hijacking Forgotten DNS Records Enable Scam Actor
  • DomainTools: Report on the threat actor's tactics and techniques, including targeting abandoned cloud resources.
  • Security Risk Advisors: Hazy Hawk Actor Hijacks Abandoned Cloud DNS Records of High-Profile Organizations for Scam Distribution
  • cyble.com: Cyble reports on Hazy Hawk campaign hijacks abandoned cloud DNS records from CDC, Berkeley, & 100+ major orgs to distribute scams.
  • BleepingComputer: Hazy Hawk exploits abandoned cloud resources from high-profile organizations to distribute scams and malware through traffic distribution systems (TDSes).
  • cyberscoop.com: Coordinated effort took down seven kinds of malware and targeted initial access brokers.
  • securityonline.info: A significant takedown neutralized ransomware delivery and initial access malware infrastructure.
  • BleepingComputer: International law enforcement took down hundreds of servers and domains.

@cloudnativenow.com //
References: Docker , BetaNews , Techzine Global ...
Docker, Inc. has unveiled Docker Hardened Images (DHI), a new offering designed to enhance software supply chain security for application development teams. These curated container images are built to be secure, minimal, and production-ready, providing a trusted foundation for developers working across multiple Linux distributions, including Alpine and Debian. DHI aims to address the growing challenges of securing container dependencies by providing enterprise-grade images with built-in security features.

DHI is integrated directly into Docker Hub, making it easily accessible to developers. Docker Hardened Images are designed to prevent them from being able to run at root, which is an important security consideration. Each curated container image has been digitally signed and complies with the Supply Chain Levels for Software Artifacts (SLSA) framework defined by Google and the Open Source Security Foundation (OpenSSF). Several partners, including Cloudsmith, GitLab, Grype, JFrog, Microsoft, Neo4j, NGINX, Sonatype, Sysdig and Wiz, are also providing hardened container images of their software.

The focus of DHI is on practicality and seamless integration into existing developer workflows. Docker is committed to making software supply chain security more accessible and actionable. DHI offers platform engineers a scalable way to manage secure, compliant images with full control over policies and provenance. DHI containers include SBOMs, VEX statements, digital signatures, and SLSA Build Level 3 attestations for full provenance and transparency.

Recommended read:
References :
  • Docker: Introducing Docker Hardened Images: Secure, Minimal, and Ready for Production
  • BetaNews: Docker introduces Hardened Images to boost supply chain security
  • cloudnativenow.com: Docker, Inc. Adds Curated Hardened Container Images to Hub
  • Techzine Global: Docker launches Hardened Images for enhanced security

@cyberinsider.com //
O2 UK has recently patched a security vulnerability in its 4G Calling (VoLTE) and WiFi Calling technologies that could have allowed unauthorized individuals to determine the general location of its mobile users. The flaw stemmed from an improper implementation of the IMS standard, leading to the leakage of user location data through network responses. An attacker could exploit this by simply initiating a phone call to the target, making it a significant privacy concern for O2 UK's nearly 23 million mobile customers. The problem, discovered by security researcher Daniel Williams, is believed to have existed since February 2023 before being resolved.

The vulnerability resided in how O2 UK handled encryption protocols, specifically within the EEA2 encryption algorithm. Researchers from Beijing University of Posts and Telecommunications and the University of Birmingham discovered that this algorithm was not as robust as previously believed, allowing attackers to intercept and decrypt voice call data. By examining the non-encrypted MAC sub-header, attackers could identify the Logical Channel ID (LCID) of the sub-PDU, enabling them to specifically target VoLTE traffic. This exposed call metadata, including call times, duration, direction, and the user's approximate location.

O2 UK's swift action to patch the bug demonstrates the critical importance of telecom providers adhering to stringent security standards. Proper validation and security measures in IMS implementations are essential to safeguarding user privacy. The incident serves as a reminder for regular security audits and enhanced protection of user data within telecommunications networks. As VoLTE and WiFi Calling continue to transform communication with superior call quality and reliability, addressing security vulnerabilities is paramount to maintaining user trust and preventing future exploits.

Recommended read:
References :
  • cyberinsider.com: O2 UK VoLTE Leak Exposes Real-Time Location of Any Customer Through a Phone Call
  • BleepingComputer: O2 UK patches bug leaking mobile user location from call metadata
  • bsky.app: O2 UK patches bug leaking mobile user location from call metadata
  • The DefendOps Diaries: Security Flaw in O2 UK's VoLTE and WiFi Calling: A Call for Enhanced Protection
  • The Register - Security: Virgin Media O2 patches hole that let callers snoop on your coordinates
  • CyberInsider: A critical privacy vulnerability in O2 UK's Voice over LTE (VoLTE) system allows any caller to accurately geolocate any O2 customer simply by initiating a phone call, without their consent or knowledge.
  • securityaffairs.com: A flaw in O2 4G Calling (VoLTE) leaked user location data via network responses due to improper IMS standard implementation.
  • Tech Monitor: O2 UK resolved security vulnerability in VoLTE and WiFi Calling features, which exposed users' general locations and personal identifiers.

Mandvi@Cyber Security News //
Skitnet, also known as Bossnet, is a multi-stage malware that has emerged as a favored tool for ransomware gangs, offering stealth and versatility in cybercrime. First advertised on underground forums like RAMP in April 2024, it has quickly gained traction among notorious groups such as BlackBasta. These groups have leveraged Skitnet's capabilities in phishing attacks targeting enterprise platforms like Microsoft Teams. The malware is attributed to threat actor LARVA-306.

Skitnet employs advanced techniques for stealthy payload delivery and persistent system compromise. Its initial executable, written in Rust, decrypts an embedded payload compiled in Nim. The Nim binary then establishes a reverse shell connection with the command-and-control (C2) server via DNS resolution, evading detection by dynamically resolving API function addresses. This method avoids traditional import tables, enhancing its stealth capabilities. The malware initiates the session with randomized DNS queries, creating a robust and stealthy communication channel.

To maintain persistence, Skitnet utilizes sophisticated mechanisms such as DLL hijacking. It leverages a legitimate, signed executable from Asus (ISP.exe) placed alongside a malicious library (SnxHidLib.DLL). This malicious DLL triggers the execution of a PowerShell script (pas.ps1), which operates in an infinite loop to relay the device’s C drive serial number to the C2 server, continuously awaiting commands. Skitnet also features commands for data exfiltration and can even download a .NET loader binary for serving additional payloads, showcasing its versatility as a post-exploitation tool.

Recommended read:
References :
  • bsky.app: Ransomware gangs increasingly use Skitnet post-exploitation malware ift.tt/cCJbfqk
  • Cyber Security News: Skitnet Malware Uses Advanced Stealth Methods to Deliver Payload and Ensure Persistence Techniques
  • The DefendOps Diaries: Explore Skitnet, a powerful ransomware tool reshaping cybercrime with its stealth and versatility, used by notorious gangs like BlackBasta.
  • The Hacker News: Ransomware Gangs Use Skitnet Malware for Stealthy Data Theft and Remote Access

securebulletin.com@Secure Bulletin //
Eric Council Jr., a 26-year-old from Alabama, has been sentenced to 14 months in prison for his role in hacking the U.S. Securities and Exchange Commission’s (SEC) X account in January 2024. This breach involved a SIM swap attack, a method where a criminal fraudulently induces a cellular phone carrier to reassign a cellular phone number from a victim’s SIM card to a SIM card controlled by the criminal. Council pleaded guilty in February 2025 to conspiracy charges involving aggravated identity theft and access device fraud, and was sentenced on Friday by Judge Amy Berman Jackson in Washington, D.C.

The hack of the SEC's X account was used to post a false announcement about Bitcoin ETF approvals, which had an immediate and significant impact on the cryptocurrency market. Following the false announcement, the price of Bitcoin increased by more than $1,000 per BTC, but after the SEC regained control and confirmed the announcement as unauthorized, the value of BTC decreased by more than $2,000. Council received $50,000 for his participation in the scheme, which involved using a portable ID card printer to create a fraudulent identification card to impersonate a user of a government phone connected to the SEC’s account on X.

In addition to the prison sentence, Council faces further penalties including the forfeiture of $50,000 in Bitcoin proceeds and three years of supervised release with restrictions on dark web access and identity fraud. Prosecutors highlighted Council's post-arrest conduct, which included mocking the SEC's cybersecurity measures. The incident underscores critical vulnerabilities in institutional cybersecurity and highlights the need for stricter carrier verification protocols, especially concerning SIM swap risks, and a move away from over-reliance on SMS-based multi-factor authentication.

Recommended read:
References :
  • Secure Bulletin: SEC X account hack report
  • DataBreaches.Net: DataBreachesNet reports Alabama Man Sentenced to 14 Months in Connection with Securities and Exchange Commission X Hack that Spiked Bitcoin Prices
  • therecord.media: News article about SEC X account hack and sentencing
  • malware.news: Malware news discusses Alabama Man Sentenced to 14 Months in Connection with Securities and Exchange Commission X Hack that Spiked Bitcoin Prices
  • PCMag UK security: PCMag Alabama Man Gets 14 Months for Hacking SEC's X Account With SIM-Swap Scheme
  • www.justice.gov: DOJ announces Alabama Man Sentenced to Hack SEC X Account, Spiked Value of Bitcoin
  • securebulletin.com: Alabama man sentenced to 14 months in SEC X account hack
  • Daily CyberSecurity: Crypto Crash: Alabama Man Sentenced for Hijacking SEC’s X Account
  • techcrunch.com: US man who hacked SEC’s X account to spike Bitcoin price sentenced to prison
  • The Record: An Alabama man will spend more than a year in prison for his role in the January 2024 SIM-swap hack of a Securities and Exchange Commission social media account that resulted in swings to the price of bitcoin.
  • thecyberexpress.com: SIM Swap Hacker Jailed for Hijacking SEC’s X Account and Faking Bitcoin ETF News
  • securityonline.info: SecurityOnline reports on Crypto Crash: Alabama Man Sentenced for Hijacking SEC’s X Account.
  • Talkback Resources: Alabama man sentenced to 14 months for hijacking SEC's Twitter account, causing Bitcoin price surge and crash, using SIM swap attack, emphasizing cybersecurity importance.
  • gbhackers.com: Hacker Arrested for Taking Over SEC Social Media to Spread False Bitcoin News
  • cyberpress.org: Hacker Charged After SEC Twitter Account Breach Causes Bitcoin Price Spike
  • gbhackers.com: Hacker Arrested for Taking Over SEC Social Media to Spread False Bitcoin News
  • www.scworld.com: Hacker of SEC's X account gets 14 month jail time
  • hackread.com: Man Behind SEC Bitcoin Hoax Tweet Sentenced in SIM Swap Hack
  • Cyber Security News: Hacker Charged After SEC Twitter Account Breach Causes Bitcoin Price Spike
  • The Register - Security: SEC SIM-swapper who Googled 'signs that the FBI is after you' put behind bars
  • bsky.app: SEC Twitter hack: Man imprisoned for role in attack that caused Bitcoin's price to soar. Read more in my article on the Bitdefender blog: https://www.bitdefender.com/en-us/blog/hotforsecurity/sec-twitter-hack-bitcoins-price
  • www.bitdefender.com: SEC Twitter hack: Man imprisoned for role in attack that caused Bitcoin’s price to soar.

Dissent@DataBreaches.Net //
Coinbase recently disclosed a significant data breach resulting from a bribery scheme targeting overseas customer support agents. The breach, which came to light after a $20 million ransom demand, involved rogue contractors who abused their access to exfiltrate customer data. Coinbase has confirmed that these contractors, located outside the United States, were successfully bribed by cybercriminals to access internal systems and steal sensitive information. Upon discovering the unauthorized activity, Coinbase terminated the involved personnel and initiated a thorough internal investigation.

The compromised data, affecting less than 1% of Coinbase's monthly transacting users, includes names, addresses, phone numbers, email addresses, and the last four digits of Social Security numbers. Additionally, masked bank account numbers, some banking identifiers, government-issued ID images such as driver's licenses and passports, and account data including balance snapshots and transaction histories were exposed. Importantly, Coinbase has stated that no passwords, private keys, or access to customer funds were compromised, and Coinbase Prime accounts and wallets were unaffected.

In response to the breach, Coinbase refused to pay the $20 million ransom and instead offered a $20 million reward for information leading to the identification and prosecution of those responsible. The company is also reimbursing customers who mistakenly sent funds to the scammers due to phishing attempts. Furthermore, Coinbase is taking several steps to enhance security, including stricter identity verification, scam-awareness prompts, relocating support functions to a U.S.-based hub, and improving fraud monitoring and insider threat detection capabilities. This incident could potentially cost Coinbase between $180 million and $400 million for remediation and customer reimbursement.

Recommended read:
References :
  • DataBreaches.Net: Coinbase says hackers bribed staff to steal customer data and are demanding $20 million ransom
  • fortune.com: Coinbase puts $20 million bounty on crooks who tried to extort firm over stolen customer data
  • BleepingComputer: Coinbase, a cryptocurrency exchange with over 100 million customers, has disclosed that cybercriminals working with rogue support agents stole customer data and demanded a $20 million ransom not to publish the stolen information.
  • techcrunch.com: Coinbase says customers’ personal information stolen in data breach. The crypto exchange giant said the hacker was "paying multiple contractors or employees working in support roles," and contacted Coinbase with a ransom demand this week with stolen data, which Coinbase says is "credible."
  • BleepingComputer: Coinbase data breach exposes customer info and government IDs
  • www.bleepingcomputer.com: Coinbase Discloses Breach, Faces Up to $400 Million in Losses
  • The Register - Security: Coinbase says some of its overseas support staff were paid off to steal information on behalf of cybercriminals, and the company is now being extorted for $20 million.
  • Zack Whittaker: Coinbase CEO says the hacker demanded $20 million in a ransom payment not to publish the stolen data. A Coinbase spokesperson tells me that less than 1% of its monthly customers are affected.
  • techxplore.com: Coinbase, the largest cryptocurrency exchange based in the U.S., said Thursday that criminals had improperly obtained personal data on the exchange's customers for use in crypto-stealing scams and were demanding a $20 million payment not to publicly release the info.
  • Metacurity: Hacking incident could cost Coinbase $400 million, $20 million reward offered
  • securityaffairs.com: Coinbase disclosed a data breach after an extortion attempt
  • thecyberexpress.com: Coinbase details insider data theft that led to a $20 million ransom demand. In a and , Coinbase – the third largest crypto exchange by volume – said it will reimburse any customers tricked into sending funds to the attacker.
  • The Hacker News: The Hacker News reports on Coinbase agents being bribed.
  • Secure Bulletin: Coinbase, one of the world’s largest cryptocurrency exchanges with over 100 million customers, has disclosed a significant data breach orchestrated through insider collusion.
  • cyberinsider.com: Coinbase Hit by Insider Breach and Extortion, User Data Compromised
  • securebulletin.com: Coinbase faces major Data Breach: $400 Million in potential losses
  • www.metacurity.com: Hacking incident could cost Coinbase $400 million, $20 million reward offered
  • Zack Whittaker: Coinbase says it was breached, and customers' personal information stolen. The crypto giant said the hacker was "paying multiple contractors or employees working in support roles," and contacted Coinbase with a ransom demand this week with stolen data, which Coinbase says is "credible."
  • The DefendOps Diaries: Inside the Coinbase Breach: Lessons in Cybersecurity
  • techxplore.com: Coinbase on Thursday said criminals bribed and duped their way to stealing cryptocurrency from its users, then tried to blackmail the exchange to keep the crime quiet.
  • Risky Business Media: Risky Bulletin: Coinbase reveals insider breach, extortion attempt
  • hackread.com: Coinbase Customer Info Stolen by Bribed Overseas Agents
  • techcrunch.com: Coinbase says customers’ personal information stolen in data breach
  • www.techradar.com: Personal information leaked in Coinbase cyberattack, cost could be $400 million
  • Security Latest: Coinbase Will Reimburse Customers Up to $400 Million After Data Breach
  • Matthew Rosenquist: This is how you handle digital extortion! Cybercriminals attempted to extort $20 million from Coinbase, but Coinbase refused and will instead fund a $20 million bounty for those that provide information that leads to the attacker’s arrest!
  • Cybersecurity Blog: Cracking the Coinbase Breach: What Went Wrong and What We Can Learn
  • www.cybersecuritydive.com: The crypto exchange is offering a $20 million reward for information leading to the hackers’ arrest. Coinbase terminated customer support agents who leaked customer data.
  • Threats | CyberScoop: Coinbase flips $20M extortion demand into bounty for info on attackers
  • Bitcoin News: Coinbase says it might cost between $180 million and $400 million to upgrade its security measures and reimburse lost funds.
  • www.csoonline.com: Coinbase ( ), the largest crypto exchange in the US, is offering a $20 million bounty for information leading to those behind a May 2025 breach that compromised customer data.
  • cyberscoop.com: Coinbase is offering a $20 million reward for information leading to the hackers’ arrest.
  • www.cybersecurity-insiders.com: Coinbase, one of the largest cryptocurrency exchanges, has disclosed a significant data breach that exposed sensitive customer information, including government-issued IDs. The attackers contacted Coinbase on May 11, demanding a $20 million ransom to prevent the public release of the stolen data.
  • hackernoon.com: Contractor Backdoor: Coinbase Faces $400M Blow in Major Data Breach
  • The Register - Security: Coinbase confirms insiders handed over data of 70K users
  • securityaffairs.com: Coinbase data breach impacted 69,461 individuals
  • PCMag UK security: Coinbase Hackers Went Undetected for 4+ Months, Stole Data on 69K Users
  • www.techradar.com: Coinbase admits data breach affected 69,000 customers - here's what you need to know
  • CyberInsider: Coinbase Says Insider Data Breach Impacted Over 69,000 Users
  • techcrunch.com: Coinbase says its data breach affects at least 69,000 customers

@securebulletin.com //
China-linked APT groups are actively exploiting a critical vulnerability, CVE-2025-31324, in SAP NetWeaver to breach systems globally. This flaw, an unauthenticated file upload vulnerability, allows for remote code execution, granting unauthorized access to sensitive systems. EclecticIQ assesses with high confidence that these attacks, which commenced in April 2025, are being launched by Chinese nation-state APTs targeting critical infrastructure networks. The scope of the campaign is significant, with evidence indicating the compromise of over 580 SAP NetWeaver instances across various sectors.

Researchers at EclecticIQ uncovered evidence revealing the campaign's breadth. A publicly accessible directory on a threat actor-controlled server contained event logs confirming compromises across 581 SAP NetWeaver instances worldwide. These systems span critical sectors like natural gas distribution networks, water, waste management utilities, medical device manufacturing plants, and government ministries. Additionally, a list of 800 domains running SAP NetWeaver was found, indicating a large pool of potential future targets.

The exploitation of CVE-2025-31324 is being attributed to multiple distinct China-linked threat clusters, including CL-STA-0048, UNC5221, and UNC5174. These groups employ various tactics, techniques, and procedures (TTPs), including the use of reverse shells, Rust-based malware loaders like KrustyLoader, and remote access trojans like VShell. In addition to CVE-2025-31324, SAP addressed a second zero-day vulnerability, CVE-2025-42999, which has also been actively exploited in attacks targeting SAP NetWeaver servers and is being used in conjunction with CVE-2025-31324 by threat actors.

Recommended read:
References :
  • securebulletin.com: China-Linked APTs exploit critical SAP NetWeaver vulnerability to breach over 580 systems globally
  • The Hacker News: BianLian and RansomExx Exploit SAP NetWeaver Flaw to Deploy PipeMagic Trojan
  • BleepingComputer: Ransomware gangs join ongoing SAP NetWeaver attacks
  • www.techradar.com: SAP NetWeaver woes worsen as ransomware gangs join the attack
  • Blog: A second zero-day vulnerability, identified as CVE-2025-42999, which was actively exploited in attacks targeting SAP NetWeaver servers.
  • onapsis.com: Threat Briefing Report: Critical SAP Vulnerabilities (CVE-2025-31324 and CVE-2025-42999) Under Active Mass Exploitation
  • industrialcyber.co: EclecticIQ details Chinese state-backed hackers launch global attacks on critical infrastructure via SAP vulnerability
  • Onapsis: Threat Briefing Report: Critical SAP Vulnerabilities (CVE-2025-31324 and CVE-2025-42999) Under Active Mass Exploitation
  • socradar.io: May 2025 Patch Tuesday: 78 Flaws, 5 Exploited, & Critical SAP Fixes
  • socprime.com: Detect CVE-2025-31324 Exploitation by Chinese APT Groups Targeting Critical Infrastructure
  • SOC Prime Blog: Detect CVE-2025-31324 Exploitation by Chinese APT Groups Targeting Critical Infrastructure

Jessica Lyons@theregister.com //
References: bsky.app , CyberInsider , techcrunch.com ...
Marks & Spencer (M&S) has confirmed that customer data was stolen during a recent cyberattack, with the ransomware group DragonForce claiming responsibility. The retail giant has initiated a mandatory password reset for all customers as a precautionary measure following the breach. The attack, which has shaken the UK retail sector, also affected other major retailers including the Co-operative Group (Co-op) and Harrods.

The stolen data includes customer names, dates of birth, home and email addresses, phone numbers, household information, and online order histories. However, M&S assures customers that the compromised information does not include usable card or payment details, or account passwords. The company is working with external experts to secure its systems and has reported the incident to the relevant government authorities and law enforcement agencies. Initially reports linked Scattered Spider to the attack, it has now been claimed that DragonForce are responsible.

DragonForce, a relatively new Ransomware-as-a-Service (RaaS) group, has emerged as a significant threat, initially framing itself as a pro-Palestinian hacktivist collective before shifting to profit-driven operations. They operate by leasing their ransomware to affiliates, who then carry out the attacks, with the developers taking a cut of the ransom payments. DragonForce has been targeting high-profile UK retailers, deploying ransomware to encrypt networks, disrupt online orders and payment systems, and threaten the public release of stolen data.

Recommended read:
References :
  • bsky.app: The inevitable has happened then. M&S now admits that customer data was stolen as part of the ransomware attack. The cyber world had been waiting (a long time) to hear this from the supermarket giant as DragonForce hackers are known to use double extortion method.
  • CyberInsider: Marks & Spencer Confirms Customer Data Theft in April Cyberattack
  • securityaffairs.com: Marks and Spencer confirms data breach after April cyber attack
  • techcrunch.com: Marks & Spencer confirms customers’ personal data was stolen in hack
  • ComputerWeekly.com: M&S forces customer password resets after data breach
  • slcyber.io: DragonForce Claims Responsibility for Series of Attacks on UK Retailers
  • www.itpro.com: The retailer confirmed hackers accessed customer data –but not payment information or passwords
  • cyberinsider.com: Marks & Spencer (M&S) has confirmed that personal customer data was stolen during the cyberattack that disrupted its retail operations last month, escalating a previously opaque incident into a confirmed data breach.
  • The Register - Security: Marks & Spencer admits cybercrooks made off with customer info
  • ComputerWeekly.com: M&S is instructing all its customers to change their account passwords after a significant amount of data was stolen in a DragonForce ransomware attack.
  • www.cysecurity.news: Marks & Spencer is facing prolonged disruption after falling victim to a large-scale cyberattack. Experts warn that restoring normal operations could take months, highlighting a growing trend of sophisticated breaches targeting major retailers. This incident follows a wave of cyber intrusions, including those at Co-op and Harrods, allegedly orchestrated by the same hacking collective — Scattered Spider.
  • Tech News | Euronews RSS: M&S warned that there could be security risks as a result of stolen data. Here’s what you should do to protect yourself from future scams.
  • The Register - Security: Here's what we know about the DragonForce ransomware that hit Marks & Spencer
  • techxplore.com: Customer data stolen in Marks & Spencer cyberattack
  • ComputerWeekly.com: M&S is instructing all its customers to change their account passwords after a significant amount of data was stolen in a DragonForce ransomware attack.
  • techhq.com: Hackers behind M&S breach may target US next. Google warns US retailers may be next in line for ransomware attacks. A cyberattack that hit UK retailer Marks & Spencer is raising alarms in the US
  • BleepingComputer: Bleeping Computer reports M&S data stolen
  • Cybersecurity Blog: UK Retailers Cyber Attack Saga; Is USA next for Scattered Spider?
  • www.itpro.com: The British retailer has confirmed the theft of customer data in the cyberattack.

@cyberalerts.io //
Cybercriminals are exploiting the popularity of AI by distributing the 'Noodlophile' information-stealing malware through fake AI video generation tools. These deceptive websites, often promoted via Facebook groups, lure users with the promise of AI-powered video creation from uploaded files. Instead of delivering the advertised service, users are tricked into downloading a malicious ZIP file containing an executable disguised as a video file, such as "Video Dream MachineAI.mp4.exe." This exploit capitalizes on the common Windows setting that hides file extensions, making the malicious file appear legitimate.

Upon execution, the malware initiates a multi-stage infection process. The deceptive executable launches a legitimate binary associated with ByteDance's video editor ("CapCut.exe") to run a .NET-based loader. This loader then retrieves a Python payload ("srchost.exe") from a remote server, ultimately leading to the deployment of Noodlophile Stealer. This infostealer is designed to harvest sensitive data, including browser credentials, cryptocurrency wallet information, and other personal data.

Morphisec researchers, including Shmuel Uzan, warn that these campaigns are attracting significant attention, with some Facebook posts garnering over 62,000 views. The threat actors behind Noodlophile are believed to be of Vietnamese origin, with the developer's GitHub profile indicating a passion for malware development. The rise of AI-themed lures highlights the growing trend of cybercriminals weaponizing public interest in emerging technologies to spread malware, impacting unsuspecting users seeking AI tools for video and image editing.

Recommended read:
References :
  • Blog: A new cyber threat has emerged involving counterfeit AI video generation tools that distribute a malware strain known as 'Noodlophile.'
  • securityaffairs.com: Threat actors use fake AI tools to trick users into installing the information stealer Noodlophile, Morphisec researchers warn.
  • thehackernews.com: Threat actors have been observed leveraging fake artificial intelligence (AI)-powered tools as a lure to entice users into downloading an information stealer malware dubbed Noodlophile.
  • Virus Bulletin: Morphisec's Shmuel Uzan reveals how attackers exploit AI hype to spread malware. Victims expecting custom AI videos instead get Noodlophile Stealer, a new infostealer targeting browser credentials, crypto wallets, and sensitive data.
  • SOC Prime Blog: Noodlophile Stealer Detection: Novel Malware Distributed Through Fake AI Video Generation Tools

@cyberpress.org //
Critical security vulnerabilities have been discovered in Mitel SIP phones, potentially exposing enterprise communication systems to unauthorized access and control. The flaws impact widely deployed models, including the 6800, 6900, and 6900w Series, as well as the 6970 Conference Unit. These vulnerabilities include a command injection flaw (CVE-2025-47188) and an unauthenticated file upload vulnerability (CVE-2025-47187). Mitel has issued a security advisory, MISA-2025-0004, urging users to update their devices immediately.

Mitel's critical command injection vulnerability (CVE-2025-47188) allows unauthenticated attackers with network access to execute arbitrary commands on affected phones. The flaw stems from insufficient sanitization of parameters within the device’s web management interface. With a CVSS score of 9.8, exploitation of this vulnerability could grant attackers control over the device, enabling them to exfiltrate sensitive data, alter system settings, and disrupt operations. This could also allow attackers to use the compromised device as a foothold to pivot deeper into enterprise networks.

The affected devices are Mitel 6800, 6900, and 6900w Series SIP Phones, and the 6970 Conference Unit running firmware version R6.4.0.SP4 or earlier. Mitel recommends upgrading to firmware version R6.4.0.SP5 or newer releases to mitigate these risks. While Mitel suggests keeping SIP phones on protected internal networks, organizations with expansive and poorly segmented networks remain at heightened risk.

Recommended read:
References :
  • cyberpress.org: Hackers Can Exploit Mitel SIP Phone Vulnerabilities to Run Malicious Commands
  • Cyber Security News: Critical Vulnerabilities in Mitel SIP Phones Let Attackers Inject Malicious Commands
  • gbhackers.com: Mitel SIP Phone Flaws Allow Attackers to Inject Malicious Commands
  • securityonline.info: Critical Vulnerabilities Uncovered in Mitel SIP Phones: Command Injection and File Upload Risks

@cyberalerts.io //
A new malware campaign is exploiting the hype surrounding artificial intelligence to distribute the Noodlophile Stealer, an information-stealing malware. Morphisec researcher Shmuel Uzan discovered that attackers are enticing victims with fake AI video generation tools advertised on social media platforms, particularly Facebook. These platforms masquerade as legitimate AI services for creating videos, logos, images, and even websites, attracting users eager to leverage AI for content creation.

Posts promoting these fake AI tools have garnered significant attention, with some reaching over 62,000 views. Users who click on the advertised links are directed to bogus websites, such as one impersonating CapCut AI, where they are prompted to upload images or videos. Instead of receiving the promised AI-generated content, users are tricked into downloading a malicious ZIP archive named "VideoDreamAI.zip," which contains an executable file designed to initiate the infection chain.

The "Video Dream MachineAI.mp4.exe" file within the archive launches a legitimate binary associated with ByteDance's CapCut video editor, which is then used to execute a .NET-based loader. This loader, in turn, retrieves a Python payload from a remote server, ultimately leading to the deployment of the Noodlophile Stealer. This malware is capable of harvesting browser credentials, cryptocurrency wallet information, and other sensitive data. In some instances, the stealer is bundled with a remote access trojan like XWorm, enabling attackers to gain entrenched access to infected systems.

Recommended read:
References :

@cyble.com //
In May 2025, cybersecurity experts reported a significant surge in hacktivist activity targeting Indian digital infrastructure. This wave of attacks followed the terror attack in Pahalgam, located in the Indian state of Jammu and Kashmir on April 22nd, and India’s retaliatory strikes across the border. A coordinated effort by more than 40 hacktivist groups sought to disrupt and deface numerous Indian websites, leading to widespread alarm across media and social networks as many claimed significant breaches of government, educational, and critical infrastructure websites.

However, detailed technical investigations revealed that the actual impact of these attacks on Indian cyber assets was minimal. Claims of major data breaches, such as a supposed 247 GB breach of the National Informatics Centre (NIC), were largely unfounded as the data was publicly available or fabricated. Website defacements and Distributed Denial of Service (DDoS) attacks, while numerous, were short-lived and ineffective.

Despite the relatively low impact, the cyberattacks highlighted the ongoing tensions in cyberspace between India and Pakistan. Technisanct identified 36 pro-Pakistan hacktivist groups involved in the digital assaults, countered by 14 Indian groups retaliating. The escalation in hacktivist activity serves as a reminder of the persistent and evolving cyber threats facing both nations, even amidst military tensions.

Recommended read:
References :
  • cyble.com: More than 40 hacktivist groups conducted coordinated cyberattacks against India following the April 22 terror attack in Pahalgam in the Indian state of Jammu and Kashmir, which in turn prompted India to respond with targeted strikes aimed at alleged terrorist infrastructure across the border and the Pakistan-Occupied Kashmir region (PoK).
  • thecyberexpress.com: Over 40 Hacktivist Groups Target India in Coordinated Cyber Campaign: High Noise, Low Impact
  • Secure Bulletin: Tactical reality behind the India-Pakistan hacktivist surge
  • securebulletin.com: Tactical reality behind the India-Pakistan hacktivist surge
  • cyble.com: India Experiences Surge in Hacktivist Group Activity Amid Military Tensions
  • thecyberexpress.com: No Ceasefire in the Cyberspace Between India and Pakistan
  • www.cysecurity.news: Cyber War Escalates Between Indian and Pakistani Hacktivists After Pahalgam Attack

@securityonline.info //
Microsoft has recently addressed several critical security vulnerabilities affecting its Azure cloud services and Microsoft Power Apps. The flaws, identified in Azure Automation, Azure Storage, Azure DevOps, and Microsoft Power Apps, highlighted the importance of proactive security measures within cloud-native development environments. One vulnerability, CVE-2025-29813, received the maximum Common Vulnerability Scoring System (CVSS) score of 10, indicating its severity.

The most critical vulnerability, found in Azure DevOps, allowed attackers with project-level access to escalate their privileges by exchanging short-term pipeline job tokens for long-term ones, potentially gaining extensive access within a project environment. Additional vulnerabilities included CVE-2025-29827 in Azure Automation, where improper authorization could enable a user to elevate privileges, CVE-2025-29972, an SSRF vulnerability in Azure Storage Resource Provider, and CVE-2025-47733 in Microsoft Power Apps, which allowed unauthorized information disclosure over a network through a Server-Side Request Forgery (SSRF).

Despite the severity of these vulnerabilities, Microsoft has assured users that no action is required on their part. The company has already mitigated the flaws at the platform level, preventing potential exploitation. These patches underscore Microsoft's commitment to maintaining a secure cloud environment and highlight the ongoing need for robust security practices within cloud-native development.

Recommended read:
References :
  • securityonline.info: Microsoft Patches Four Critical Azure and Power Apps Vulnerabilities, Including CVSS 10 Privilege Escalation
  • Talkback Resources: Microsoft addressed critical vulnerabilities in various Azure services, including Azure Automation, Azure Storage, Azure DevOps, and Microsoft Power Apps, emphasizing the need for proactive security measures in cloud-native development environments.
  • Davey Winder: Microsoft has confirmed several cloud security vulnerabilities, including one with a maximum critical rating of 10.
  • Davey Winder: Critical 10/10 Microsoft Cloud Security Vulnerability Confirmed