CyberSecurity news

FlagThis - #none

Zeljka Zorz@Help Net Security //
Microsoft is warning Windows users about a actively exploited vulnerability, CVE-2025-24054, which allows attackers to capture NTLMv2 responses. This can lead to the leakage of NTLM hashes and potentially user passwords, compromising systems. The vulnerability is exploited through phishing attacks utilizing maliciously crafted .library-ms files, prompting users to interact with the files through actions like right-clicking, dragging and dropping, or simply navigating to the folder containing the malicious file. The original version,NTLMv1, had several security flaws that made it vulnerable to attacks such aspass-the-hashandrainbow table attacks.

Attackers have been actively exploiting CVE-2025-24054 since March 19, 2025, even though Microsoft released a patch on March 11, 2025. Active exploitation has been observed in campaigns targeting government entities and private institutions in Poland and Romania between March 20 and 21, 2025. The attack campaign used email phishing links to distribute a Dropbox link containing an archive file that exploits the vulnerability, which harvests NTLMv2-SSP hashes.

The captured NTLMv2 response, can be leveraged by attackers to attempt brute-force attacks offline or to perform NTLM relay attacks, which fall under the category of man-in-the-middle attacks. NTLM relay attacks are much more dangerous when the stolen credentials belong to a privileged user, as the attacker is using it for privilege escalation and lateral movement on the network. Microsoft released a patch on March 11, 2025 addressing the vulnerability with users being advised to apply the patches.

Recommended read:
References :
  • Check Point Research: CVE-2025-24054, NTLM Exploit in the Wild
  • The DefendOps Diaries: Understanding the CVE-2025-24054 Vulnerability: A Critical Threat to Windows Systems
  • BleepingComputer: Windows NTLM hash leak flaw exploited in phishing attacks on governments
  • bsky.app: Windows NTLM hash leak flaw exploited in phishing attacks on governments
  • research.checkpoint.com: CVE-2025-24054, NTLM Exploit in the Wild
  • Talkback Resources: Research team analysis of CVE-2025-24054
  • Help Net Security: Windows NTLM vulnerability exploited in multiple attack campaigns (CVE-2025-24054)
  • www.helpnetsecurity.com: Windows NTLM vulnerability exploited in multiple attack campaigns (CVE-2025-24054)
  • bsky.app: BSky Post on CVE-2025-24054, NTLM Exploit in the Wild
  • Cyber Security News: CyberSecurityNews - Hackers Exploiting Windows NTLM Spoofing Vulnerability in Wild to Compromise Systems
  • The Hacker News: CVE-2025-24054 Under Active Attack—Steals NTLM Credentials on File Download
  • MSSP feed for Latest: Windows NTLM Hash Flaw Targeted in Global Phishing Attacks
  • gbhackers.com: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) alerted organizations to active exploitation of a newly disclosed Microsoft Windows vulnerability tracked as CVE-2025-24054.
  • infosecwriteups.com: Your NTLM Hashes at Risk: Inside CVE‑2025‑24054
  • BetaNews: CISA adds Windows NTLM hash disclosure spoofing flaw to its Known Exploited Vulnerabilities Catalog
  • www.scworld.com: Cybersecurity News reports on alarms sounding over attacks via Microsoft NTLM vulnerability, impacting Poland and Romania.
  • securityaffairs.com: U.S. CISA adds Apple products and Microsoft Windows NTLM flaws to its Known Exploited Vulnerabilities catalog
  • gbhackers.com: CISA Warns of Active Exploitation of Windows NTLM Vulnerability
  • Techzine Global: Windows vulnerability with NTLM hash abuse exploited for phishing
  • betanews.com: CISA adds Windows NTLM hash disclosure spoofing flaw to its Known Exploited Vulnerabilities Catalog
  • ciso2ciso.com: Fresh Windows NTLM Vulnerability Exploited in Attacks – Source: www.securityweek.com
  • malware.news: Phishing campaigns abuse Windows NTLM hash leak bug

David Jones@cybersecuritydive.com //
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning on April 17, 2025, regarding increased breach risks following a potential compromise of legacy Oracle Cloud servers. This alert comes in response to public reporting of alleged threat activity targeting Oracle customers, though the scope and impact of the activity are currently unconfirmed. CISA's guidance urges organizations and individuals to take immediate steps to secure their IT environments amid claims of a large trove of customer credentials being compromised. The agency is also asking organizations to come forward if they detect suspicious activity or other evidence of a compromise.

CISA is particularly concerned about situations where credential material may be exposed, reused across separate and unaffiliated systems, or embedded into applications and tools. Embedded credential material, which can be hardcoded into scripts, applications, infrastructure templates, or automation tools, is especially difficult to detect and can enable long-term unauthorized access if exposed. The compromise of credentials like usernames, emails, passwords, authentication tokens, and encryption keys can pose a significant risk to enterprise environments.

To mitigate these risks, CISA recommends organizations reset passwords for known affected users, especially those not federated through enterprise identity solutions. Additionally, they should review source code, infrastructure as code templates, automation scripts, and configuration files for hardcoded credentials, replacing them with secure authentication methods supported by centralized secret management. Monitoring authentication logs for anomalous activity, particularly using privileged, service, or federated identity accounts, is also crucial. Finally, CISA advises enforcing phishing-resistant multi-factor authentication for all user and administrator accounts whenever possible.

Recommended read:
References :
  • DataBreaches.Net: Sergiu Gatlan reports: On Wednesday, CISA warned of heightened breach risks after the compromise of legacy Oracle Cloud servers earlier this year and highlighted the significant threat to enterprise networks. CISA said, “the nature of the reported activity presents potential risk to organizations and individuals, particularly where credential material may be exposed, reused across separate,...
  • BleepingComputer: On Wednesday, CISA warned of heightened breach risks after the compromise of legacy Oracle Cloud servers earlier this year and highlighted the significant threat to enterprise networks.
  • www.cybersecuritydive.com: The agency is asking organizations to come forward if they detect suspicious activity or other evidence of a compromise.
  • MSSP feed for Latest: Legacy Oracle cloud breach poses credential exposure risk
  • hackread.com: Following reports of unauthorized access to a legacy Oracle cloud environment, CISA warns of potential credential compromise leading…
  • www.scworld.com: Secure legacy Oracle cloud credentials amid leak reports, CISA warns
  • www.itpro.com: CISA issues warning in wake of Oracle cloud credentials leak
  • securityonline.info: CISA Warns of Credential Risks Tied to Oracle Cloud Breach
  • The Register - Security: Oracle hopes talk of cloud data theft dies off. CISA just resurrected it for Easter
  • securityonline.info: CISA Warns of Credential Risks Tied to Oracle Cloud Breach
  • The DefendOps Diaries: Understanding the Oracle Cloud Breach: CISA's Guidance and Recommendations
  • ciso2ciso.com: CISA Urges Action on Potential Oracle Cloud Credential Compromise
  • ciso2ciso.com: Following reports of unauthorized access to a legacy Oracle cloud environment, CISA warns of potential credential compromise leading to phishing, network breaches, and data theft.

@www.microsoft.com //
Microsoft is warning of a rise in cyberattacks where threat actors are misusing Node.js to deliver malware and steal sensitive information. These campaigns, ongoing since October 2024, involve tricking users into downloading malicious installers from fraudulent websites disguised as legitimate software, often related to cryptocurrency platforms like Binance and TradingView. The attackers utilize malvertising campaigns to lure unsuspecting victims. Once the malicious installer is downloaded, a chain of events is triggered, leading to information theft and data exfiltration from compromised systems.

The attack chain involves multiple stages, beginning with a malicious DLL embedded within the downloaded installer. This DLL gathers system information and establishes persistence via a scheduled task. To maintain the illusion of legitimacy, a decoy browser window is opened, displaying a real cryptocurrency trading website. The scheduled task then executes PowerShell commands designed to evade detection by Microsoft Defender. These commands exclude both the PowerShell process and the current directory from being scanned. Subsequently, obfuscated scripts are launched to collect extensive system, BIOS, and OS information, which is then structured and exfiltrated in JSON format via HTTP POST.

The final stage involves downloading and launching the Node.js runtime, along with a compiled JavaScript file and supporting library modules. Once executed, the malware establishes network connections, installs certificates, and exfiltrates browser credentials and other sensitive data. Microsoft has observed threat actors leveraging Node.js characteristics, such as cross-platform compatibility and access to system resources, to blend malware with legitimate applications, bypass conventional security controls, and persist in target environments. This shift in tactics highlights the evolving threat landscape, where Node.js is increasingly being exploited for malicious purposes.

Recommended read:
References :

info@thehackernews.com (The@The Hacker News //
Since January 2025, threat actors have been actively exploiting a remote code execution vulnerability, CVE-2021-20035, in SonicWall Secure Mobile Access (SMA) appliances. This exploitation campaign targets the SMA100 management interface, allowing for OS command injection. Arctic Wolf researchers have been tracking this campaign, highlighting the significant risk it poses to organizations utilizing these affected devices due to the potential for credential access.

This vulnerability has now been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, underscoring the severity and ongoing nature of the threat. CISA urges prompt remediation by affected organizations. In addition to CVE-2021-20035, CISA has flagged another critical vulnerability, CVE-2024-53704, which compromises the SSL VPN authentication mechanism in SonicOS. This flaw, with a CVSS score of 9.3, enables attackers to hijack VPN sessions by sending crafted session cookies, bypassing multi-factor authentication and exposing private network routes.

CISA has issued a critical security alert urging federal agencies and network defenders to prioritize patching both CVE-2021-20035 and CVE-2024-53704 to prevent potential breach attempts. The Binding Operational Directive (BOD) 22-01 mandates that Federal Civilian Executive Branch (FCEB) agencies secure their networks against ongoing attacks within a specified timeframe. While this directive specifically targets U.S. federal agencies, CISA advises all network defenders to take immediate action to mitigate these risks.

Recommended read:
References :
  • chemical-facility-security-news.blogspot.com: CISA Adds SonicWall Vulnerability to KEV Catalog – 4-16-25
  • securityaffairs.com: U.S. CISA adds SonicWall SMA100 Appliance flaw to its Known Exploited Vulnerabilities catalog
  • The Hacker News: Details on the exploitation of the vulnerability
  • Cyber Security News: CISA Alerts on Exploited SonicWall Command Injection Vulnerabilityâ€
  • gbhackers.com: CISA Issues Alert on SonicWall Flaw Being Actively Exploited
  • BleepingComputer: On Wednesday, CISA warned federal agencies to secure their SonicWall Secure Mobile Access (SMA) 100 series appliances against attacks exploiting a high-severity remote code execution vulnerability. [...]
  • gbhackers.com: GBHackers: CISA Issues Alert on SonicWall Flaw Being Actively Exploited
  • securityonline.info: CISA Alert: Actively Exploited SonicWall SMA100 Vulnerability
  • The DefendOps Diaries: CISA flags critical SonicWall vulnerabilities: Urgent mitigation required to prevent cyber attacks
  • www.cybersecuritydive.com: Older SonicWall SMA100 vulnerability exploited in the wild
  • Arctic Wolf: Credential Access Campaign Targeting SonicWall SMA Devices Potentially Linked to Exploitation of CVE-2021-20035
  • Help Net Security: Sonicwall SMA100 vulnerability exploited by attackers (CVE-2021-20035)
  • Arctic Wolf: On April 15, 2025, SonicWall published a product notice regarding CVE-2021-20035, a vulnerability impacting SonicWall SMA 100 series appliances.
  • arcticwolf.com: On 15 April 2025, SonicWall published a product notice regarding CVE-2021-20035, a vulnerability impacting SonicWall SMA 100 series appliances.
  • The DefendOps Diaries: Understanding and Mitigating the SonicWall SMA Vulnerability
  • BleepingComputer: SonicWall SMA VPN devices targeted in attacks since January
  • bsky.app: A remote code execution vulnerability affecting SonicWall Secure Mobile Access (SMA) appliances has been under active exploitation since at least January 2025, according to cybersecurity company Arctic Wolf.
  • www.scworld.com: Cybersecurity Dive reports that active exploitation of the nearly half a decade-old high-severity SonicWall SMA100 remote-access appliance operating system command injection flaw
  • www.helpnetsecurity.com: Sonicwall SMA100 vulnerability exploited by attackers (CVE-2021-20035)
  • securityaffairs.com: CISA adds SonicWall SMA100 Appliance flaw to its Known Exploited Vulnerabilities catalog.
  • Help Net Security: CVE-2021-20035, an old vulnerability affecting Sonicwall Secure Mobile Access (SMA) 100 series appliances, is being exploited by attackers.
  • arcticwolf.com: Details the credential access campaign targeting SonicWall SMA devices and its potential link to CVE-2021-20035 exploitation.
  • securityaffairs.com: Threat actors are actively exploiting a remote code execution flaw in SonicWall Secure Mobile Access (SMA) appliances since January 2025.
  • securityaffairs.com: Security Affairs newsletter reports attackers exploited SonicWall SMA appliances since January 2025
  • www.bleepingcomputer.com: SonicWall SMA VPN devices targeted in attacks since January

@www.bleepingcomputer.com //
Microsoft is set to block ActiveX controls by default in the Windows versions of Microsoft 365 Apps and Office 2024. This move, announced in April 2025, aims to enhance security by addressing vulnerabilities associated with the legacy software framework. ActiveX controls, introduced in 1996, enabled developers to create interactive objects embedded in Office documents. However, over time, these controls have become a significant point of entry for cybercriminals, similar to macros in Excel, with examples such as the propagation of the TrickBot malware through ActiveX.

Microsoft's decision to disable ActiveX controls by default is part of a broader effort to bolster the security of its products. Since 2018, the company has implemented various measures to block attack vectors exploiting Office applications. These include blocking VBA macros, disabling Excel 4.0 (XLM) macros by default, blocking untrusted XLL add-ins, and phasing out VBScript. The default setting previously was to prompt users before enabling ActiveX, which required users to understand the risks before granting permissions.

When the change is deployed, users will receive a notification stating "BLOCKED CONTENT: The ActiveX content in this file is blocked" if a document contains an ActiveX control. This measure is intended to reduce the risk of malware or unauthorized code execution. Users can re-enable ActiveX controls through the Trust Center, provided administrators have granted them access to the ActiveX settings page. This change is more secure as it blocks the controls entirely.

Recommended read:
References :
  • The Register - Software: ActiveX blocked by default in Microsoft 365 because remote code execution is bad, OK?
  • Will Dormann: Microsoft blocks ActiveX by default in Microsoft 365, Office 2024 About damn time!
  • www.bleepingcomputer.com: Microsoft blocks ActiveX by default in Microsoft 365, Office 2024
  • IT-Connect: Microsoft : les contrôles ActiveX bientôt bloqués par défaut dans Office et Microsoft 365 Apps
  • www.it-connect.fr: Microsoft : les contrôles ActiveX bientôt bloqués par défaut dans Office et Microsoft 365 Apps
  • BleepingComputer: Microsoft blocks ActiveX by default in Microsoft 365, Office 2024
  • Cyber Security News: Microsoft Disables ActiveX by Default in 365 to Block Malware Execution by Hackers

Dissent@DataBreaches.Net //
China has accused the United States National Security Agency (NSA) of launching "advanced" cyberattacks during the Asian Winter Games in February 2025, targeting essential industries. Police in the northeastern city of Harbin have placed three alleged NSA agents on a wanted list, accusing them of attacking the Winter Games' event information system and key information infrastructure in Heilongjiang province, where Harbin is located. The named NSA agents are Katheryn A. Wilson, Robert J. Snelling, and Stephen W. Johnson, all allegedly members of the NSA's Tailored Access Operations (TAO) offensive cyber unit.

China Daily reports the TAO targeted systems used for registration, timekeeping, and competition entry at the Games, systems which store "vast amounts of sensitive personal data." The publication also stated the TAO appeared to be trying to implant backdoors and used multiple front organizations to purchase servers in Europe and Asia to conceal its tracks and acquire the tools used to breach Chinese systems. A joint report from China's computer emergency response centers (CERTs) stated that over 270,000 attacks on the Asian Winter Games were detected, with 170,000 allegedly launched by the US.

Chinese foreign ministry spokesperson Lin Jian condemned the alleged cyber activity, urging the U.S. to take a responsible attitude on cybersecurity issues and stop any attacks and "groundless vilification against China." Xinhua reported the agents repeatedly carried out cyber attacks on China’s critical information infrastructure and participated in cyber attacks on Huawei and other enterprises. Chinese law enforcement agencies are seeking information that could lead to the arrest of the three NSA operatives, though rewards were not disclosed.

Recommended read:
References :
  • The Register - Security: China names alleged US snoops over Asian Winter Games attacks
  • www.cybersecurity-insiders.com: China accuses US of launching advanced Cyber Attacks on its infrastructure
  • CyberScoop: Chinese law enforcement places NSA operatives on wanted list over alleged cyberattacks
  • DataBreaches.Net: China accuses US of launching ‘advanced’ cyberattacks, names alleged NSA agents
  • www.scworld.com: China's allegation that NSA hacked Asian Winter Games draws suspicion
  • cyberscoop.com: Chinese law enforcement places NSA operatives on wanted list over alleged cyberattacks
  • PCMag UK security: Police in the Chinese city of Harbin say three NSA operatives disrupted the 2025 Asian Winter Games and hacked Huawei.
  • www.csoonline.com: China accused the United States National Security Agency (NSA) on Tuesday of launching “advanced†cyberattacks during the Asian Winter Games in February, targeting essential industries.
  • Metacurity: China accuses NSA of 'advanced cyberattacks' during the Asian Winter Games
  • www.metacurity.com: China accuses NSA of 'advanced cyberattacks' during the Asian Winter Games
  • www.dailymail.co.uk: China accuses US of launching 'advanced' cyberattacks, names alleged NSA agents
  • sysdig.com: UNC5174’s evolution in China’s ongoing cyber warfare: From SNOWLIGHT to VShell
  • aboutdfir.com: China Admitted to Volt Typhoon Cyberattacks on US Critical Infrastructure

@securityonline.info //
A critical security vulnerability has been discovered in Apache Roller, a Java-based blogging server software. The flaw, identified as CVE-2025-24859 and carrying a maximum severity CVSS score of 10.0, allows attackers to retain unauthorized access even after a user changes their password. This session management issue affects Apache Roller versions up to and including 6.1.4, potentially exposing blogs to unauthorized actions and undermining the security measures intended by password changes.

The vulnerability stems from the failure to properly invalidate active user sessions when a password is changed, either by the user or an administrator. This means that an attacker who has compromised a user's credentials could maintain continued access through an old session, even after the user has taken steps to secure their account by changing their password. This poses a significant risk, as it could enable unauthorized individuals to access and manipulate blog content, potentially leading to data breaches or other malicious activities.

To address this critical flaw, Apache Roller version 6.1.5 has been released with a fix that implements centralized session management. This ensures that all active sessions are invalidated when passwords are changed or users are disabled, effectively preventing attackers from maintaining unauthorized access. Users of Apache Roller are strongly advised to upgrade to version 6.1.5 as soon as possible to mitigate the risk of exploitation and safeguard their blog sites from potential security breaches. The vulnerability was discovered and reported by security researcher Haining Meng.

Recommended read:
References :
  • securityaffairs.com: Critical Apache Roller flaw allows to retain unauthorized access even after a password change
  • securityonline.info: CVE-2025-24859 (CVSSv4 10): Apache Roller Flaw Exposes Blogs to Unauthorized Access
  • The Hacker News: Critical Apache Roller Vulnerability (CVSS 10.0) Enables Unauthorized Session Persistence
  • bsky.app: 10/10 CVSS in the Apache Roller blogging platform "active user sessions are not properly invalidated after password changes"
  • ciso2ciso.com: Critical Apache Roller flaw allows to retain unauthorized access even after a password change – Source: securityaffairs.com
  • lists.apache.org: Apache Roller Fails to Invalidate Sessions on Password Change (CVE-2025-24859)

@unit42.paloaltonetworks.com //
North Korean state-sponsored group Slow Pisces, also known as Jade Sleet, TraderTraitor, and PUKCHONG, is actively targeting cryptocurrency developers through social engineering campaigns on LinkedIn. Security researchers at Palo Alto Networks have uncovered a scheme where the group poses as potential employers, enticing developers with coding challenges that are actually malware delivery mechanisms. The malicious activity is suspected to be connected to the massive Bybit hack that occurred in February 2025.

The attackers send what appear to be legitimate coding assignments to the developers, but these challenges contain malware disguised within compromised projects. When the developers run these projects, their systems become infected with new customized Python malware dubbed RN Loader and RN Stealer. RN Loader collects basic information about the victim's machine and operating system, sending it to a remote server, while RN Stealer is designed to harvest sensitive data from infected Apple macOS systems, including system metadata and installed applications.

GitHub and LinkedIn have taken action to remove the malicious accounts used by Slow Pisces. Both companies affirm that they use automated technology, expert teams, and user reporting to combat malicious actors. Palo Alto Networks customers are protected through their Next-Generation Firewall with Advanced URL Filtering and Advanced DNS Security subscriptions. They urge those who suspect they might be compromised to contact the Unit 42 Incident Response team.

Recommended read:
References :
  • Virus Bulletin: VirusBulletin reports on Slow Pisces (aka Jade Sleet, TraderTraitor, PUKCHONG) campaign targeting cryptocurrency developers on LinkedIn, posing as potential employers and sending malware disguised as coding challenges.
  • unit42.paloaltonetworks.com: Unit 42 reports that North Korean state-sponsored group Slow Pisces (Jade Sleet) targeted crypto developers with a social engineering campaign that included malicious coding challenges.
  • securityonline.info: Slow Pisces Targets Crypto Developers with Deceptive Coding Challenges
  • The Hacker News: Crypto Developers Targeted by Python Malware Disguised as Coding Challenges
  • Unit 42: Slow Pisces Targets Developers With Coding Challenges and Introduces New Customized Python Malware
  • Security Risk Advisors: Slow Pisces Targets Crypto Developers With “Coding Challenges†That Deliver New RN Loader and RN Stealer Malware
  • www.itpro.com: Hackers are duping developers with malware-laden coding challenges
  • cyberpress.org: Slow Pisces Hackers Target Developers with Malicious Python Coding Tests
  • gbhackers.com: Slow Pisces Group Targets Developers Using Coding Challenges Laced with Python Malware
  • gbhackers.com: Slow Pisces Group Targets Developers Using Coding Challenges Laced with Python Malware
  • sra.io: #NorthKorea - based #SlowPisces group hits #Crypto devs with #LinkedIn “coding challengesâ€! Repos mask #Python & #JS malware using YAML/EJS tricks.
  • Security Risk Advisors: #NorthKorea - based #SlowPisces group hits #Crypto devs with #LinkedIn “coding challengesâ€! Repos mask #Python & #JS malware using YAML/EJS tricks.

@learn.microsoft.com //
Microsoft is alerting IT administrators to a significant issue affecting Windows Server 2025 domain controllers (DCs). After a restart, these DCs may experience a loss of network connectivity due to the servers loading the standard firewall profile instead of the domain firewall profile. This problem can render the domain controllers inaccessible on the network, disrupting Active Directory (AD) environments and potentially causing applications and services running on those servers or remote devices to fail or remain unreachable. The issue primarily impacts systems running the Active Directory Domain Services role on Windows Server 2025, with no client systems or earlier server versions affected.

This problem arises from the domain controllers failing to apply the correct network profile after a reboot, instead defaulting to a "Public" or standard firewall profile rather than the required "Domain Authenticated" profile. This misconfiguration can lead to ports and protocols that should be restricted by the domain firewall profile remaining open, posing potential security risks. Essential AD functions like Group Policy application, replication, and authentication are also disrupted, further compounding the problem for organizations relying on Active Directory for network management.

While Microsoft is actively working on a permanent fix for this issue, which is expected to be included in a future update, they have provided a temporary workaround for affected systems. Administrators can manually restart the network adapter on the affected servers using PowerShell with the command 'Restart-NetAdapter *'. However, because the issue reoccurs after each system restart, this workaround must be applied repeatedly. To streamline this process, Microsoft suggests creating a scheduled task that automatically restarts the network adapter each time the domain controller reboots.

Recommended read:
References :
  • Techzine Global: Emergency Windows update solves Active Directory problem Microsoft is launching emergency patches to correctly display local audit logon policies in Active Directory Group Policy.
  • bsky.app: Microsoft has released emergency Windows updates to address a known issue affecting local audit logon policies in Active Directory Group Policy. https://www.bleepingcomputer.com/news/microsoft/microsoft-new-emergency-windows-updates-fix-ad-policy-issues/
  • BleepingComputer: Microsoft: New Windows updates fix Active Directory policy issues Microsoft has released emergency Windows updates to address a known issue affecting local audit logon policies in Active Directory Group Policy.
  • Cyber Security News: Windows Server 2025 Restart Bug Breaks Connection with Active Directory Domain Controller
  • www.networkworld.com: Windows Server 2025 domain controllers may lose connectivity after reboot, says Microsoft
  • cybersecuritynews.com: Windows Server 2025 Restart Bug Breaks Connection with Active Directory Domain Controller
  • BleepingComputer: Microsoft: Windows Server 2025 restarts break connectivity on some DCs
  • Techzine Global: Microsoft warns that Windows Server 2025 domain controllers may become inaccessible after a restart. Affected servers load the default firewall profile instead of the domain firewall profile, interrupting applications and services.

Pierluigi Paganini@securityaffairs.com //
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-31161, a critical authentication bypass vulnerability in CrushFTP, to its Known Exploited Vulnerabilities (KEV) catalog. This decision follows confirmed active exploitation of the vulnerability in the wild, targeting multiple sectors including retail, marketing, and semiconductor industries. The flaw, present in versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0, allows unauthenticated remote attackers to potentially take over susceptible instances of CrushFTP file transfer software if exposed publicly over HTTP(S).

The vulnerability stems from a weakness in the HTTP authorization header, enabling attackers to authenticate to any known or guessable user account, such as "crushadmin," potentially leading to a full system compromise. CrushFTP released fixes for the issue in versions 10.8.4 and 11.3.1, urging customers to update their systems immediately. Initial disclosure of the vulnerability has been controversial, with accusations of premature disclosure and attempts to conceal the issue to allow time for patching. Despite the controversy, the inclusion of CVE-2025-31161 in the KEV catalog signifies its high risk and the need for immediate action.

SecurityWeek reports that the ongoing exploitation of the vulnerability has seen attackers deploying tools like MeshAgent for remote monitoring and DLL files indicative of Telegram bot utilization for data exfiltration. In some instances, AnyDesk has been installed prior to the deployment of SAM and System registry hives for credential compromise. FortiGuard Labs has also observed in-the-wild attack attempts targeting CVE-2025-31161. Although Shadowserver Foundation reports a decline in attacks since patches were issued on March 21, 2025, the CISA's warning and inclusion in the KEV catalog emphasize the persistent threat and the critical need for organizations to apply the necessary updates.

Recommended read:
References :
  • The Hacker News: CISA Adds CrushFTP Vulnerability to KEV Catalog Following Confirmed Active Exploitation
  • www.cybersecuritydive.com: CISA adds Ivanti Connect Secure vulnerability to KEV catalog
  • fortiguard.fortinet.com: FortiGuard Labs has observed in-the-wild attack attempts targeting CVE-2025-31161, an authentication bypass vulnerability in CrushFTP managed file transfer (MFT) software
  • securityboulevard.com: Imperva Customers Are Protected Against CVE-2025-31161 in CrushFTP
  • www.scworld.com: Attacks involving critical CrushFTP vulnerability target several sectors
  • DataBreaches.Net: CISA, experts warn of Crush file transfer attacks after a controversial disclosure

@hackread.com //
The Medusa ransomware group has claimed responsibility for a cyberattack on NASCAR, alleging the theft of over 1TB of data. In a posting on its dark web leak site, Medusa has demanded a $4 million ransom for the deletion of NASCAR's data. The group has placed a countdown timer on the leak site, threatening to make the stolen data available to anyone on the internet after the deadline. The countdown deadline can be extended at a cost of $100,000 per day.

To verify its claim, Medusa has published screenshots of what it claims are internal NASCAR documents. These include names, email addresses, and phone numbers of NASCAR employees and sponsors, as well as invoices, financial reports, and more. Furthermore, the ransomware gang has published a substantial directory illustrating NASCAR's internal file structure and the names of documents that have been exfiltrated. While NASCAR has not yet confirmed or denied reports of the attack, the details published by Medusa on its leak site appear credible.

The Medusa ransomware group operates under a ransomware-as-a-service (RaaS) model and is known for its double extortion tactics. The FBI and CISA issued a joint cybersecurity advisory last month warning that Medusa ransomware had impacted over 300 organizations, including those in critical infrastructure sectors such as medical, education, legal, insurance, technology, and manufacturing. Past victims include Minneapolis Public Schools, which refused to pay a million-dollar ransom and saw approximately 92 GB of stolen data released to the public.

Recommended read:
References :
  • Rescana: Rescana post about the ransomware attack on NASCAR
  • hackread.com: Medusa Ransomware Claims NASCAR Breach in Latest Attack, Demands $4M Ransom
  • bsky.app: Medusa ransomware gang claims to have hacked NASCAR. https://www.bitdefender.com/en-us/blog/hotforsecurity/medusa-ransomware-hacked-nascar
  • cybersecuritynews.com: The Medusa ransomware group has reportedly launched a major cyberattack on the National Association for Stock Car Auto Racing (NASCAR), demanding a $4 million ransom to prevent the release of sensitive data.
  • www.bitdefender.com: Medusa ransomware gang claims to have hacked NASCAR The Medusa ransomware-as-a-service (RaaS) claims to have compromised the computer systems of NASCAR, the United States' National Association for Stock Car Auto Racing, and made off with more than 1TB of data.
  • www.cysecurity.news: Hackers Demand $4 Million After Alleged NASCAR Data Breach. The motorsports industry has recently been faced with troubling news that NASCAR may have become the latest high-profile target for a ransomware attack as a result of the recent hackread.com report.
  • Cyber Security News: Medusa Ransomware Claims NASCAR Hack, Demands $4 Million Ransom

@securityonline.info //
A critical security vulnerability, identified as CVE-2025-3102, has been discovered in the SureTriggers WordPress plugin, a widely used automation tool active on over 100,000 websites. The flaw allows attackers to bypass authentication and create administrator accounts, potentially leading to complete site takeover. Security researchers disclosed that the vulnerability stems from a missing empty value check in the plugin's `authenticate_user()` function, specifically affecting versions up to 1.0.78.

This vulnerability is particularly dangerous when the SureTriggers plugin is installed but not yet configured with a valid API key. In this state, an attacker can send requests with a blank secret key, tricking the plugin into granting access to sensitive REST API functions, including the ability to create new admin accounts. Exploiting this flaw could enable malicious actors to upload malicious themes or plugins, inject spam, redirect site visitors, and establish persistent backdoors, ultimately gaining full control of the affected WordPress site.

WordPress site owners are strongly urged to immediately update to SureTriggers version 1.0.79, which includes a patch for the vulnerability. Users should also review their WordPress user lists for any unfamiliar administrator accounts and ensure that all API-driven plugins have their keys properly configured and stored securely. Within hours of the public disclosure, hackers began actively exploiting the flaw, creating bogus administrator accounts. The attack attempts have originated from two different IP addresses - 2a01:e5c0:3167::2 (IPv6) 89.169.15.201 (IPv4).

Recommended read:
References :
  • securityonline.info: SureTriggers Vulnerability Exposes 100,000+ WordPress Sites to Admin Takeover
  • BleepingComputer: Hackers started exploiting a high-severity flaw that allows bypassing authentication in the OttoKit (formerly SureTriggers) plugin for WordPress just hours after public disclosure.
  • thecyberexpress.com: 100,000+ WordPress Sites at Risk as SureTriggers Exploit Goes Live
  • bsky.app: Bsky post on Hackers exploit WordPress plugin auth bypass hours after disclosure
  • www.scworld.com: Immediate exploitation of high-severity WordPress plugin flaw reported
  • securityonline.info: SureTriggers Vulnerability Exposes 100,000+ WordPress Sites to Admin Takeover
  • gbhackers.com: GBHackers article on WordPress Plugin Rogue Account‑Creation Flaw Leaves 100 K WordPress Sites Exposed.
  • Cyber Security News: Rogue User‑Creation Bug Exposes 100,000 WordPress Sites to Takeover
  • thehackernews.com: OttoKit WordPress Plugin Admin Creation Vulnerability Under Active Exploitation
  • gbhackers.com: A severe vulnerability has been uncovered in the SureTriggers WordPress plugin, which could leave over 100,000 websites at risk. The issue, discovered by security researcher mikemyers, allows attackers to create rogue administrative users on sites where the plugin is not properly configured.
  • securityaffairs.com: Attackers are exploiting recently disclosed OttoKit WordPress plugin flaw
  • ciso2ciso.com: Attackers are actively exploiting a vulnerability in the OttoKit (formerly SureTriggers) WordPress plugin, with many websites potentially exposed to complete compromise.
  • Security Risk Advisors: Critical Authentication Bypass in WordPress SureTriggers Plugin Leads to Admin Account Creation

Stu Sjouwerman@blog.knowbe4.com //
Cisco Talos has uncovered an extensive and ongoing SMS phishing campaign that began in October 2024, targeting toll road users across the United States. The "Smishing Triad," a China-based eCrime group, is suspected to be behind these attacks, impersonating E-ZPass and other U.S. toll agencies to steal financial information. Victims receive fraudulent text messages claiming they have an outstanding toll bill, typically under $5, and are urged to pay immediately to avoid late fees. These messages prompt users to click on a link that leads to a spoofed domain mimicking the legitimate toll service's website.

Once on the fake webpage, victims are asked to solve a CAPTCHA before being directed to a fraudulent bill displaying their name and the supposed amount owed. Upon clicking "Proceed Now," users are prompted to enter personal information, including their name, address, phone number, and credit card details, which are then stolen by the threat actors. Talos assesses with moderate confidence that multiple financially motivated threat actors are involved, utilizing a smishing kit developed by "Wang Duo Yu." The actors have targeted individuals in at least eight states, including Washington, Florida, Pennsylvania, Virginia, Texas, Ohio, Illinois, and Kansas, identified through spoofed domains containing the states' two-letter abbreviations.

The Smishing Triad, known for systematically targeting organizations in at least 121 countries across various industries, has shown remarkable success in converting phished payment card data into mobile wallets from Apple and Google. Silent Push analysts have found that the group's infrastructure generated over one million page visits in just 20 days, suggesting a potentially higher volume of SMS messages sent than previously estimated. The group continues to sell its phishing kits via Telegram and other channels. Authorities, including the FBI's IC3, have been aware of similar scams since at least April 2024, highlighting the persistent and evolving nature of these phishing campaigns.

Recommended read:
References :
  • Cisco Talos Blog: Cisco Talos has observed a widespread and ongoing financial theft SMS phishing (smishing) campaign since October 2024 that targets toll road users in the United States of America.
  • Blog: A recent smishing campaign is impersonating E-ZPass and other U.S.-based toll agencies and sending fraudulent text messages to individuals. These messages claim that recipients have unpaid tolls and urge immediate payment to avoid penalties or suspension of driving privileges.
  • Cisco Talos: Have you received a suspicious text that seemed to be from a toll road service? Discover how this widespread smishing scam is targeting U.S. drivers and uncover the actors behind it in our latest blog post:
  • krebsonsecurity.com: China-based SMS phishing Triad Pivots to Banks
  • www.silentpush.com: Smishing Triad is a Chinese eCrime group systematically targeting organizations in at least 121 countries with SMS phishing “smishing†campaigns.

Sathwik Ram@seqrite.com //
Pakistan-linked SideCopy APT has escalated its cyber operations, employing new tactics to infiltrate crucial sectors. Seqrite Labs APT team uncovered these new tactics deployed since the last week of December 2024. The Advanced Persistent Threat (APT) group, previously focused on Indian government, defence, maritime sectors, and university students, is expanding its targeting scope.

The group has broadened its targets to include critical sectors such as railways, oil & gas, and external affairs ministries. One notable shift in their recent campaigns is the transition from using HTML Application (HTA) files to adopting Microsoft Installer (MSI) packages as a primary staging mechanism. This evolution is marked by increasingly sophisticated methods, such as reflective DLL loading and AES encryption via PowerShell.

Furthermore, SideCopy is actively repurposing open-source tools like XenoRAT and SparkRAT to enhance their penetration and exploitation capabilities. The group customizes these tools and employs a newly identified Golang-based malware dubbed CurlBack RAT, specifically designed to execute DLL side-loading attacks. Recent campaigns demonstrate an increased use of phishing emails masquerading as government officials to deliver malicious payloads, often using compromised official domains and fake domains mimicking e-governance services.

Recommended read:
References :
  • Virus Bulletin: The Seqrite Labs APT team has uncovered new tactics of the Pakistan-linked SideCopy APT. The group has expanded its targets to include critical sectors such as railways, oil & gas, and external affairs ministries and has shifted from using HTA files to MSI packages.
  • www.seqrite.com: Seqrite Labs APT team has uncovered new tactics of Pakistan-linked SideCopy APT deployed since the last week of December 2024.
  • www.seqrite.com: Seqrite Labs APT team has uncovered new tactics of Pakistan-linked SideCopy APT deployed since the last week of December 2024.
  • cyberpress.org: SideCopy APT Poses as Government Personnel to Distribute Open-Source XenoRAT Tool
  • gbhackers.com: SideCopy APT Hackers Impersonate Government Officials to Deploy Open-Source XenoRAT Tool
  • Cyber Security News: Pakistan-linked adversary group SideCopy has escalated its operations, employing new tactics to infiltrate crucial sectors.
  • gbhackers.com: SideCopy APT Hackers Impersonate Government Officials to Deploy Open-Source XenoRAT Tool
  • beSpacific: Article on the new tactics of the Pakistan-linked SideCopy APT.

@www.cybersecurity-insiders.com //
The US Treasury's Office of the Comptroller of the Currency (OCC) has disclosed a significant email breach, classified as a "major incident." The breach, which went undetected for over a year, involved unauthorized access to 150,000 emails within 100 accounts belonging to US bank regulators at the OCC. These emails contained highly sensitive details concerning the financial condition of federally regulated financial institutions, information critical to the OCC's examinations and supervisory oversight processes. The OCC became aware of unusual activity on February 11th, discovering an administrative account interacting with agency mailboxes in an unauthorized manner. IT staff confirmed the unauthorized access and disabled the affected accounts the following day.

Advertisement

The OCC notified Congress about the incident on the same day as a Bloomberg report, calling it a “major incident.” Internal and independent investigations of email accounts and attachments indicate that OCC first became aware of the incident Feb. 11, when the office was notified of an administrative account that was interacting with agency mailboxes in an unusual fashion. The next day, IT staff confirmed the account’s access was unauthorized and disabled the accounts. Acting Comptroller of the Currency Rodney E. Hood stated that immediate steps have been taken to determine the full extent of the breach and address organizational deficiencies that contributed to it. Hood promised full accountability for the vulnerabilities identified and any missed internal findings that led to the unauthorized access.

Cybersecurity experts have expressed concern about the implications of this breach. The compromised data could allow malicious actors to exploit weaknesses in banks' cybersecurity controls and processes, making it easier to perpetrate fraud or disrupt services. Knowing the weakest targets and their specific vulnerabilities provides a significant advantage to attackers, enabling them to target banks with precision. Security experts also point to how recent cuts at CISA and other federal agencies will weaken cybersecurity in the federal government and across the public sector and U.S. election systems. The OCC is collaborating with the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of the Treasury during its investigations.

Recommended read:
References :
  • cyberscoop.com: Treasury bureau notifies Congress that email hack was a ‘major’ cybersecurity incident
  • thecyberexpress.com: Hackers Had Access to 150,000 Emails in U.S. Treasury Email Breach
  • www.scworld.com: Hackers accessed 150,000 emails of 100 US bank regulators at OCC
  • securityaffairs.com: The US Treasury’s OCC disclosed an undetected major email breach for over a year
  • CyberScoop: The OCC said the February incident resulted in the theft of “highly sensitive information" tied to the financial conditions of federally regulated institutions.
  • BleepingComputer: Hackers lurked in Treasury OCC’s systems since June 2023 breach
  • www.cybersecuritydive.com: Treasury Department bank regulator discloses major hack

@Talkback Resources //
Despite recent arrests in 2024, the Scattered Spider cybercrime collective remains active in 2025, continuing to target high-profile organizations with sophisticated social engineering attacks. The group, known for its audacious breaches including attacks against MGM Resorts and Caesars Entertainment in 2023, employs tactics such as impersonating IT staff to steal login credentials and using remote access tools. Security firm Silent Push has uncovered the group's persistence in 2025 and has outlined the group's latest tactics, techniques and procedures.

Scattered Spider is utilizing updated phishing kits and a new version of the Spectre RAT malware to compromise systems and exfiltrate sensitive data. Their phishing campaigns involve impersonating well-known brands and software vendors, including the use of dynamic DNS services to evade detection. Targets in 2025 include organizations such as Klaviyo, HubSpot, Pure Storage, Audemars Piguet, Chick-fil-A, Credit Karma, Forbes, Instacart, Louis Vuitton, Morningstar, New York Digital Investment Group, News Corporation, Nike, Paxos, Twitter/X, Tinder, T-Mobile, and Vodafone.

Law enforcement has made some progress in disrupting Scattered Spider's operations. Noah Michael Urban, also known as "King Bob," a 20-year-old member of the group, pleaded guilty to charges related to SIM swap fraud, aggravated identity theft, and cryptocurrency thefts. He faces potential decades in prison and is required to pay over $13.2 million in restitution to 59 victims. Silent Push made available code for a Spectre RAT string decoder and command and control (C2) emulator that defenders can use in their efforts to squash the eight-legged menace.

Recommended read:
References :
  • Talkback Resources: Scattered Spider adds new phishing kit, malware to its web
  • www.scworld.com: Scattered Spider persists with use of Spectre RAT, new phishing kit
  • cyberpress.org: Article on conducting advances campaigns to steal login credentials and MFA tokens
  • gbhackers.com: The cyber threat landscape has witnessed remarkable adaptation from the notorious hacker collective known as Scattered Spider. Active since at least 2022, this group has been consistently refining its strategies for system compromise, data exfiltration, and identity theft. Silent Push analysts have tracked the evolution of Scattered Spider’s tactics, techniques, and procedures (TTPs) through early
  • cybersecuritynews.com: Scattered Spider Employs Sophisticated Attacks to Steal Login Credentials & MFA Tokens
  • gbhackers.com: Scattered Spider Launches Sophisticated Attacks to Steal Login Credentials and MFA Tokens

@www.cybersecurity-insiders.com //
The Office of the Comptroller of the Currency (OCC), an independent bureau within the U.S. Treasury Department, has confirmed a major email breach impacting approximately 100 bank regulators' accounts. The breach, which lasted for over a year, resulted in unauthorized access to more than 150,000 emails containing sensitive details about banks the agency oversees. According to the OCC's public statement, the compromised emails included highly sensitive information relating to the financial condition of federally regulated financial institutions and used in examination and supervisory oversight processes.

The OCC discovered the unauthorized access after being notified by Microsoft about unusual network behavior on Feb. 11. Following the discovery, the OCC notified Congress of the incident, describing it as a "major information security incident". Analysis by the OCC concluded that the highly sensitive bank information contained in the emails and attachments is likely to result in demonstrable harm to public confidence. The agency has since launched an internal and independent third-party review to determine the full extent of the breach and identify vulnerabilities that led to the unauthorized access.

Security experts have expressed concern over the news, emphasizing the potential for malicious actors to exploit the exposed information. One expert noted that knowing the weakest targets and their vulnerabilities could enable attackers to launch a broad series of attacks to disrupt services or perpetrate fraud. The OCC also notified the Cybersecurity and Infrastructure Security Agency (CISA) that there is no indication of any impact to the financial sector at this time. The OCC incident is considered the second high-profile breach for the Treasury Department in recent months, the first one involved Chinese state-sponsored hackers breaching their network.

Recommended read:
References :
  • CyberScoop: Treasury bureau notifies Congress that email hack was a ‘major’ cybersecurity incident
  • The Register - Security: Sensitive financial files feared stolen from US bank watchdog
  • www.cybersecurity-insiders.com: Hackers breach email systems of OCC to gather intelligence from emails
  • Metacurity: Hackers intercepted emails at US Comptroller of the Currency for over a year
  • thecyberexpress.com: Hackers Had Access to 150,000 Emails in U.S. Treasury Email Breach
  • www.cybersecuritydive.com: Treasury Department bank regulator discloses major hack
  • www.scworld.com: Hackers accessed 150,000 emails of 100 US bank regulators at OCC
  • Tech Monitor: OCC reports major email security breach to US Congress
  • cyberscoop.com: Treasury bureau notifies Congress that email hack was a ‘major’ cybersecurity incident
  • securityaffairs.com: The US Treasury’s OCC disclosed an undetected major email breach for over a year
  • www.csoonline.com: OCC email system breach described as ‘stunning, serious’

@gbhackers.com //
Cybercriminals are exploiting SourceForge, a legitimate software hosting and distribution platform, to spread malware disguised as Microsoft Office add-ins. Attackers are using SourceForge's subdomain feature to create fake project pages, making them appear credible and increasing the likelihood of successful malware distribution. One such project, named "officepackage," contains Microsoft Office add-ins copied from a legitimate GitHub project, but the subdomain "officepackage.sourceforge[.]io" displays a list of office applications with download links that lead to malware. This campaign is primarily targeting Russian-speaking users.

The attackers are manipulating search engine rankings to ensure these fake project pages appear prominently in search results. When users search for Microsoft Office add-ins, they are likely to encounter these malicious pages, which appear legitimate at first glance. Clicking the download button redirects users through a series of intermediary sites before finally downloading a suspicious 7MB archive named "vinstaller.zip." This archive contains another password-protected archive, "installer.zip," and a text file with the password.

Inside the second archive is an MSI installer responsible for creating several files and executing embedded scripts. A Visual Basic script downloads and executes a batch file that unpacks additional malware components, including a cryptocurrency miner and the ClipBanker Trojan. This Trojan steals cryptocurrency by hijacking cryptocurrency wallet addresses. Telemetry data shows that 90% of potential victims are in Russia, with over 4,604 users impacted by this campaign.

Recommended read:
References :
  • cyberpress.org: Threat Actors Leverage SourceForge Platform to Spread Malware
  • gbhackers.com: Attackers Exploit SourceForge Platform to Distribute Malware
  • Securelist: Attackers distributing a miner and the ClipBanker Trojan via SourceForge
  • The Hacker News: The Hacker News Article on Cryptocurrency Miner and Clipper Malware Spread via SourceForge
  • Cyber Security News: Threat Actors Leverage SourceForge Platform to Spread Malware
  • gbhackers.com: GBHackers article on Attackers Exploit SourceForge Platform to Distribute Malware
  • BleepingComputer: Threat actors are abusing SourceForge to distribute fake Microsoft add-ins that install malware on victims' computers to both mine and steal cryptocurrency.
  • The DefendOps Diaries: Unmasking the SourceForge Malware Campaign: A Deceptive Attack on Users
  • bsky.app: Threat actors are abusing SourceForge to distribute fake Microsoft add-ins that install malware on victims' computers to both mine and steal cryptocurrency.
  • BleepingComputer: Threat actors are abusing SourceForge to distribute fake Microsoft add-ins that install malware on victims' computers to both mine and steal cryptocurrency.
  • www.bleepingcomputer.com: Threat actors are abusing SourceForge to distribute fake Microsoft add-ins that install malware on victims' computers to both mine and steal cryptocurrency.
  • bsky.app: Threat actors are abusing SourceForge to distribute fake Microsoft add-ins that install malware on victims' computers to both mine and steal cryptocurrency.
  • securityonline.info: For many developers, SourceForge has long been a cornerstone of open-source collaboration — a trusted hub to host and distribute software. But for cybercriminals, it has recently become a platform to stage deception.
  • securityonline.info: SourceForge Used to Distribute ClipBanker Trojan and Cryptocurrency Miner
  • Cyber Security News: Cybersecurity News article on SourceForge malware distribution
  • Tech Monitor: Threat actors exploit SourceForge to spread fake Microsoft add-ins

@Latest from ITPro //
Europcar Mobility Group has confirmed a data breach affecting potentially up to 200,000 customers. The breach occurred through unauthorized access to the company’s GitLab repositories. According to reports, the stolen data includes source code for Europcar's Android and iOS mobile applications, as well as personal data linked to tens of thousands of customers. This incident raises significant security concerns, as the exposure of source code could potentially reveal vulnerabilities that could be exploited in future attacks.

Europcar is currently assessing the full extent of the damage caused by the breach. Preliminary findings indicate that the compromised data includes names and email addresses of users belonging to the Goldcar and Ubeeqo brands. The compromised records date back as far as 2017 and 2020. Europcar maintains that no financial information, passwords, or biometric details were exposed. The company has notified data protection authorities and has begun the process of informing affected customers about the incident.

The attacker reportedly claimed responsibility for the breach in late March and attempted to extort Europcar, threatening to release 37GB of stolen data. The data allegedly includes internal backups, infrastructure documentation, and application source code. Europcar has denied that all of its GitLab repositories were compromised, but has confirmed that the threat actor accessed over 9,000 SQL files and 269 environment configuration files. The method of access remains unclear, although similar breaches often involve stolen credentials obtained through infostealer malware. The investigation is ongoing.

Recommended read:
References :
  • techhq.com: Up to 200,000 Europcar users affected in GitLab security breach
  • www.it-daily.net: Europcar hacked: Up to 200,000 customer data at risk
  • www.itpro.com: Europcar data breach could affect up to 200,000 customers
  • www.scworld.com: Up to 200K purportedly impacted by Europcar GitLab breach
  • Techzine Global: Data breach at Europcar: GitLab hack affects up to 200,000 customers