Zeljka Zorz@Help Net Security
//
Microsoft is warning Windows users about a actively exploited vulnerability, CVE-2025-24054, which allows attackers to capture NTLMv2 responses. This can lead to the leakage of NTLM hashes and potentially user passwords, compromising systems. The vulnerability is exploited through phishing attacks utilizing maliciously crafted .library-ms files, prompting users to interact with the files through actions like right-clicking, dragging and dropping, or simply navigating to the folder containing the malicious file. The original version,NTLMv1, had several security flaws that made it vulnerable to attacks such aspass-the-hashandrainbow table attacks.
Attackers have been actively exploiting CVE-2025-24054 since March 19, 2025, even though Microsoft released a patch on March 11, 2025. Active exploitation has been observed in campaigns targeting government entities and private institutions in Poland and Romania between March 20 and 21, 2025. The attack campaign used email phishing links to distribute a Dropbox link containing an archive file that exploits the vulnerability, which harvests NTLMv2-SSP hashes. The captured NTLMv2 response, can be leveraged by attackers to attempt brute-force attacks offline or to perform NTLM relay attacks, which fall under the category of man-in-the-middle attacks. NTLM relay attacks are much more dangerous when the stolen credentials belong to a privileged user, as the attacker is using it for privilege escalation and lateral movement on the network. Microsoft released a patch on March 11, 2025 addressing the vulnerability with users being advised to apply the patches. Recommended read:
References :
David Jones@cybersecuritydive.com
//
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning on April 17, 2025, regarding increased breach risks following a potential compromise of legacy Oracle Cloud servers. This alert comes in response to public reporting of alleged threat activity targeting Oracle customers, though the scope and impact of the activity are currently unconfirmed. CISA's guidance urges organizations and individuals to take immediate steps to secure their IT environments amid claims of a large trove of customer credentials being compromised. The agency is also asking organizations to come forward if they detect suspicious activity or other evidence of a compromise.
CISA is particularly concerned about situations where credential material may be exposed, reused across separate and unaffiliated systems, or embedded into applications and tools. Embedded credential material, which can be hardcoded into scripts, applications, infrastructure templates, or automation tools, is especially difficult to detect and can enable long-term unauthorized access if exposed. The compromise of credentials like usernames, emails, passwords, authentication tokens, and encryption keys can pose a significant risk to enterprise environments. To mitigate these risks, CISA recommends organizations reset passwords for known affected users, especially those not federated through enterprise identity solutions. Additionally, they should review source code, infrastructure as code templates, automation scripts, and configuration files for hardcoded credentials, replacing them with secure authentication methods supported by centralized secret management. Monitoring authentication logs for anomalous activity, particularly using privileged, service, or federated identity accounts, is also crucial. Finally, CISA advises enforcing phishing-resistant multi-factor authentication for all user and administrator accounts whenever possible. Recommended read:
References :
@www.microsoft.com
//
Microsoft is warning of a rise in cyberattacks where threat actors are misusing Node.js to deliver malware and steal sensitive information. These campaigns, ongoing since October 2024, involve tricking users into downloading malicious installers from fraudulent websites disguised as legitimate software, often related to cryptocurrency platforms like Binance and TradingView. The attackers utilize malvertising campaigns to lure unsuspecting victims. Once the malicious installer is downloaded, a chain of events is triggered, leading to information theft and data exfiltration from compromised systems.
The attack chain involves multiple stages, beginning with a malicious DLL embedded within the downloaded installer. This DLL gathers system information and establishes persistence via a scheduled task. To maintain the illusion of legitimacy, a decoy browser window is opened, displaying a real cryptocurrency trading website. The scheduled task then executes PowerShell commands designed to evade detection by Microsoft Defender. These commands exclude both the PowerShell process and the current directory from being scanned. Subsequently, obfuscated scripts are launched to collect extensive system, BIOS, and OS information, which is then structured and exfiltrated in JSON format via HTTP POST. The final stage involves downloading and launching the Node.js runtime, along with a compiled JavaScript file and supporting library modules. Once executed, the malware establishes network connections, installs certificates, and exfiltrates browser credentials and other sensitive data. Microsoft has observed threat actors leveraging Node.js characteristics, such as cross-platform compatibility and access to system resources, to blend malware with legitimate applications, bypass conventional security controls, and persist in target environments. This shift in tactics highlights the evolving threat landscape, where Node.js is increasingly being exploited for malicious purposes. Recommended read:
References :
info@thehackernews.com (The@The Hacker News
//
Since January 2025, threat actors have been actively exploiting a remote code execution vulnerability, CVE-2021-20035, in SonicWall Secure Mobile Access (SMA) appliances. This exploitation campaign targets the SMA100 management interface, allowing for OS command injection. Arctic Wolf researchers have been tracking this campaign, highlighting the significant risk it poses to organizations utilizing these affected devices due to the potential for credential access.
This vulnerability has now been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, underscoring the severity and ongoing nature of the threat. CISA urges prompt remediation by affected organizations. In addition to CVE-2021-20035, CISA has flagged another critical vulnerability, CVE-2024-53704, which compromises the SSL VPN authentication mechanism in SonicOS. This flaw, with a CVSS score of 9.3, enables attackers to hijack VPN sessions by sending crafted session cookies, bypassing multi-factor authentication and exposing private network routes. CISA has issued a critical security alert urging federal agencies and network defenders to prioritize patching both CVE-2021-20035 and CVE-2024-53704 to prevent potential breach attempts. The Binding Operational Directive (BOD) 22-01 mandates that Federal Civilian Executive Branch (FCEB) agencies secure their networks against ongoing attacks within a specified timeframe. While this directive specifically targets U.S. federal agencies, CISA advises all network defenders to take immediate action to mitigate these risks. Recommended read:
References :
@www.bleepingcomputer.com
//
Microsoft is set to block ActiveX controls by default in the Windows versions of Microsoft 365 Apps and Office 2024. This move, announced in April 2025, aims to enhance security by addressing vulnerabilities associated with the legacy software framework. ActiveX controls, introduced in 1996, enabled developers to create interactive objects embedded in Office documents. However, over time, these controls have become a significant point of entry for cybercriminals, similar to macros in Excel, with examples such as the propagation of the TrickBot malware through ActiveX.
Microsoft's decision to disable ActiveX controls by default is part of a broader effort to bolster the security of its products. Since 2018, the company has implemented various measures to block attack vectors exploiting Office applications. These include blocking VBA macros, disabling Excel 4.0 (XLM) macros by default, blocking untrusted XLL add-ins, and phasing out VBScript. The default setting previously was to prompt users before enabling ActiveX, which required users to understand the risks before granting permissions. When the change is deployed, users will receive a notification stating "BLOCKED CONTENT: The ActiveX content in this file is blocked" if a document contains an ActiveX control. This measure is intended to reduce the risk of malware or unauthorized code execution. Users can re-enable ActiveX controls through the Trust Center, provided administrators have granted them access to the ActiveX settings page. This change is more secure as it blocks the controls entirely. Recommended read:
References :
Dissent@DataBreaches.Net
//
China has accused the United States National Security Agency (NSA) of launching "advanced" cyberattacks during the Asian Winter Games in February 2025, targeting essential industries. Police in the northeastern city of Harbin have placed three alleged NSA agents on a wanted list, accusing them of attacking the Winter Games' event information system and key information infrastructure in Heilongjiang province, where Harbin is located. The named NSA agents are Katheryn A. Wilson, Robert J. Snelling, and Stephen W. Johnson, all allegedly members of the NSA's Tailored Access Operations (TAO) offensive cyber unit.
China Daily reports the TAO targeted systems used for registration, timekeeping, and competition entry at the Games, systems which store "vast amounts of sensitive personal data." The publication also stated the TAO appeared to be trying to implant backdoors and used multiple front organizations to purchase servers in Europe and Asia to conceal its tracks and acquire the tools used to breach Chinese systems. A joint report from China's computer emergency response centers (CERTs) stated that over 270,000 attacks on the Asian Winter Games were detected, with 170,000 allegedly launched by the US. Chinese foreign ministry spokesperson Lin Jian condemned the alleged cyber activity, urging the U.S. to take a responsible attitude on cybersecurity issues and stop any attacks and "groundless vilification against China." Xinhua reported the agents repeatedly carried out cyber attacks on China’s critical information infrastructure and participated in cyber attacks on Huawei and other enterprises. Chinese law enforcement agencies are seeking information that could lead to the arrest of the three NSA operatives, though rewards were not disclosed. Recommended read:
References :
@securityonline.info
//
A critical security vulnerability has been discovered in Apache Roller, a Java-based blogging server software. The flaw, identified as CVE-2025-24859 and carrying a maximum severity CVSS score of 10.0, allows attackers to retain unauthorized access even after a user changes their password. This session management issue affects Apache Roller versions up to and including 6.1.4, potentially exposing blogs to unauthorized actions and undermining the security measures intended by password changes.
The vulnerability stems from the failure to properly invalidate active user sessions when a password is changed, either by the user or an administrator. This means that an attacker who has compromised a user's credentials could maintain continued access through an old session, even after the user has taken steps to secure their account by changing their password. This poses a significant risk, as it could enable unauthorized individuals to access and manipulate blog content, potentially leading to data breaches or other malicious activities. To address this critical flaw, Apache Roller version 6.1.5 has been released with a fix that implements centralized session management. This ensures that all active sessions are invalidated when passwords are changed or users are disabled, effectively preventing attackers from maintaining unauthorized access. Users of Apache Roller are strongly advised to upgrade to version 6.1.5 as soon as possible to mitigate the risk of exploitation and safeguard their blog sites from potential security breaches. The vulnerability was discovered and reported by security researcher Haining Meng. Recommended read:
References :
@unit42.paloaltonetworks.com
//
North Korean state-sponsored group Slow Pisces, also known as Jade Sleet, TraderTraitor, and PUKCHONG, is actively targeting cryptocurrency developers through social engineering campaigns on LinkedIn. Security researchers at Palo Alto Networks have uncovered a scheme where the group poses as potential employers, enticing developers with coding challenges that are actually malware delivery mechanisms. The malicious activity is suspected to be connected to the massive Bybit hack that occurred in February 2025.
The attackers send what appear to be legitimate coding assignments to the developers, but these challenges contain malware disguised within compromised projects. When the developers run these projects, their systems become infected with new customized Python malware dubbed RN Loader and RN Stealer. RN Loader collects basic information about the victim's machine and operating system, sending it to a remote server, while RN Stealer is designed to harvest sensitive data from infected Apple macOS systems, including system metadata and installed applications. GitHub and LinkedIn have taken action to remove the malicious accounts used by Slow Pisces. Both companies affirm that they use automated technology, expert teams, and user reporting to combat malicious actors. Palo Alto Networks customers are protected through their Next-Generation Firewall with Advanced URL Filtering and Advanced DNS Security subscriptions. They urge those who suspect they might be compromised to contact the Unit 42 Incident Response team. Recommended read:
References :
@learn.microsoft.com
//
Microsoft is alerting IT administrators to a significant issue affecting Windows Server 2025 domain controllers (DCs). After a restart, these DCs may experience a loss of network connectivity due to the servers loading the standard firewall profile instead of the domain firewall profile. This problem can render the domain controllers inaccessible on the network, disrupting Active Directory (AD) environments and potentially causing applications and services running on those servers or remote devices to fail or remain unreachable. The issue primarily impacts systems running the Active Directory Domain Services role on Windows Server 2025, with no client systems or earlier server versions affected.
This problem arises from the domain controllers failing to apply the correct network profile after a reboot, instead defaulting to a "Public" or standard firewall profile rather than the required "Domain Authenticated" profile. This misconfiguration can lead to ports and protocols that should be restricted by the domain firewall profile remaining open, posing potential security risks. Essential AD functions like Group Policy application, replication, and authentication are also disrupted, further compounding the problem for organizations relying on Active Directory for network management. While Microsoft is actively working on a permanent fix for this issue, which is expected to be included in a future update, they have provided a temporary workaround for affected systems. Administrators can manually restart the network adapter on the affected servers using PowerShell with the command 'Restart-NetAdapter *'. However, because the issue reoccurs after each system restart, this workaround must be applied repeatedly. To streamline this process, Microsoft suggests creating a scheduled task that automatically restarts the network adapter each time the domain controller reboots. Recommended read:
References :
Pierluigi Paganini@securityaffairs.com
//
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-31161, a critical authentication bypass vulnerability in CrushFTP, to its Known Exploited Vulnerabilities (KEV) catalog. This decision follows confirmed active exploitation of the vulnerability in the wild, targeting multiple sectors including retail, marketing, and semiconductor industries. The flaw, present in versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0, allows unauthenticated remote attackers to potentially take over susceptible instances of CrushFTP file transfer software if exposed publicly over HTTP(S).
The vulnerability stems from a weakness in the HTTP authorization header, enabling attackers to authenticate to any known or guessable user account, such as "crushadmin," potentially leading to a full system compromise. CrushFTP released fixes for the issue in versions 10.8.4 and 11.3.1, urging customers to update their systems immediately. Initial disclosure of the vulnerability has been controversial, with accusations of premature disclosure and attempts to conceal the issue to allow time for patching. Despite the controversy, the inclusion of CVE-2025-31161 in the KEV catalog signifies its high risk and the need for immediate action. SecurityWeek reports that the ongoing exploitation of the vulnerability has seen attackers deploying tools like MeshAgent for remote monitoring and DLL files indicative of Telegram bot utilization for data exfiltration. In some instances, AnyDesk has been installed prior to the deployment of SAM and System registry hives for credential compromise. FortiGuard Labs has also observed in-the-wild attack attempts targeting CVE-2025-31161. Although Shadowserver Foundation reports a decline in attacks since patches were issued on March 21, 2025, the CISA's warning and inclusion in the KEV catalog emphasize the persistent threat and the critical need for organizations to apply the necessary updates. Recommended read:
References :
@hackread.com
//
The Medusa ransomware group has claimed responsibility for a cyberattack on NASCAR, alleging the theft of over 1TB of data. In a posting on its dark web leak site, Medusa has demanded a $4 million ransom for the deletion of NASCAR's data. The group has placed a countdown timer on the leak site, threatening to make the stolen data available to anyone on the internet after the deadline. The countdown deadline can be extended at a cost of $100,000 per day.
To verify its claim, Medusa has published screenshots of what it claims are internal NASCAR documents. These include names, email addresses, and phone numbers of NASCAR employees and sponsors, as well as invoices, financial reports, and more. Furthermore, the ransomware gang has published a substantial directory illustrating NASCAR's internal file structure and the names of documents that have been exfiltrated. While NASCAR has not yet confirmed or denied reports of the attack, the details published by Medusa on its leak site appear credible. The Medusa ransomware group operates under a ransomware-as-a-service (RaaS) model and is known for its double extortion tactics. The FBI and CISA issued a joint cybersecurity advisory last month warning that Medusa ransomware had impacted over 300 organizations, including those in critical infrastructure sectors such as medical, education, legal, insurance, technology, and manufacturing. Past victims include Minneapolis Public Schools, which refused to pay a million-dollar ransom and saw approximately 92 GB of stolen data released to the public. Recommended read:
References :
@securityonline.info
//
A critical security vulnerability, identified as CVE-2025-3102, has been discovered in the SureTriggers WordPress plugin, a widely used automation tool active on over 100,000 websites. The flaw allows attackers to bypass authentication and create administrator accounts, potentially leading to complete site takeover. Security researchers disclosed that the vulnerability stems from a missing empty value check in the plugin's `authenticate_user()` function, specifically affecting versions up to 1.0.78.
This vulnerability is particularly dangerous when the SureTriggers plugin is installed but not yet configured with a valid API key. In this state, an attacker can send requests with a blank secret key, tricking the plugin into granting access to sensitive REST API functions, including the ability to create new admin accounts. Exploiting this flaw could enable malicious actors to upload malicious themes or plugins, inject spam, redirect site visitors, and establish persistent backdoors, ultimately gaining full control of the affected WordPress site. WordPress site owners are strongly urged to immediately update to SureTriggers version 1.0.79, which includes a patch for the vulnerability. Users should also review their WordPress user lists for any unfamiliar administrator accounts and ensure that all API-driven plugins have their keys properly configured and stored securely. Within hours of the public disclosure, hackers began actively exploiting the flaw, creating bogus administrator accounts. The attack attempts have originated from two different IP addresses - 2a01:e5c0:3167::2 (IPv6) 89.169.15.201 (IPv4). Recommended read:
References :
Stu Sjouwerman@blog.knowbe4.com
//
Cisco Talos has uncovered an extensive and ongoing SMS phishing campaign that began in October 2024, targeting toll road users across the United States. The "Smishing Triad," a China-based eCrime group, is suspected to be behind these attacks, impersonating E-ZPass and other U.S. toll agencies to steal financial information. Victims receive fraudulent text messages claiming they have an outstanding toll bill, typically under $5, and are urged to pay immediately to avoid late fees. These messages prompt users to click on a link that leads to a spoofed domain mimicking the legitimate toll service's website.
Once on the fake webpage, victims are asked to solve a CAPTCHA before being directed to a fraudulent bill displaying their name and the supposed amount owed. Upon clicking "Proceed Now," users are prompted to enter personal information, including their name, address, phone number, and credit card details, which are then stolen by the threat actors. Talos assesses with moderate confidence that multiple financially motivated threat actors are involved, utilizing a smishing kit developed by "Wang Duo Yu." The actors have targeted individuals in at least eight states, including Washington, Florida, Pennsylvania, Virginia, Texas, Ohio, Illinois, and Kansas, identified through spoofed domains containing the states' two-letter abbreviations. The Smishing Triad, known for systematically targeting organizations in at least 121 countries across various industries, has shown remarkable success in converting phished payment card data into mobile wallets from Apple and Google. Silent Push analysts have found that the group's infrastructure generated over one million page visits in just 20 days, suggesting a potentially higher volume of SMS messages sent than previously estimated. The group continues to sell its phishing kits via Telegram and other channels. Authorities, including the FBI's IC3, have been aware of similar scams since at least April 2024, highlighting the persistent and evolving nature of these phishing campaigns. Recommended read:
References :
Sathwik Ram@seqrite.com
//
Pakistan-linked SideCopy APT has escalated its cyber operations, employing new tactics to infiltrate crucial sectors. Seqrite Labs APT team uncovered these new tactics deployed since the last week of December 2024. The Advanced Persistent Threat (APT) group, previously focused on Indian government, defence, maritime sectors, and university students, is expanding its targeting scope.
The group has broadened its targets to include critical sectors such as railways, oil & gas, and external affairs ministries. One notable shift in their recent campaigns is the transition from using HTML Application (HTA) files to adopting Microsoft Installer (MSI) packages as a primary staging mechanism. This evolution is marked by increasingly sophisticated methods, such as reflective DLL loading and AES encryption via PowerShell. Furthermore, SideCopy is actively repurposing open-source tools like XenoRAT and SparkRAT to enhance their penetration and exploitation capabilities. The group customizes these tools and employs a newly identified Golang-based malware dubbed CurlBack RAT, specifically designed to execute DLL side-loading attacks. Recent campaigns demonstrate an increased use of phishing emails masquerading as government officials to deliver malicious payloads, often using compromised official domains and fake domains mimicking e-governance services. Recommended read:
References :
@www.cybersecurity-insiders.com
//
The US Treasury's Office of the Comptroller of the Currency (OCC) has disclosed a significant email breach, classified as a "major incident." The breach, which went undetected for over a year, involved unauthorized access to 150,000 emails within 100 accounts belonging to US bank regulators at the OCC. These emails contained highly sensitive details concerning the financial condition of federally regulated financial institutions, information critical to the OCC's examinations and supervisory oversight processes. The OCC became aware of unusual activity on February 11th, discovering an administrative account interacting with agency mailboxes in an unauthorized manner. IT staff confirmed the unauthorized access and disabled the affected accounts the following day.
Advertisement The OCC notified Congress about the incident on the same day as a Bloomberg report, calling it a “major incident.” Internal and independent investigations of email accounts and attachments indicate that OCC first became aware of the incident Feb. 11, when the office was notified of an administrative account that was interacting with agency mailboxes in an unusual fashion. The next day, IT staff confirmed the account’s access was unauthorized and disabled the accounts. Acting Comptroller of the Currency Rodney E. Hood stated that immediate steps have been taken to determine the full extent of the breach and address organizational deficiencies that contributed to it. Hood promised full accountability for the vulnerabilities identified and any missed internal findings that led to the unauthorized access. Cybersecurity experts have expressed concern about the implications of this breach. The compromised data could allow malicious actors to exploit weaknesses in banks' cybersecurity controls and processes, making it easier to perpetrate fraud or disrupt services. Knowing the weakest targets and their specific vulnerabilities provides a significant advantage to attackers, enabling them to target banks with precision. Security experts also point to how recent cuts at CISA and other federal agencies will weaken cybersecurity in the federal government and across the public sector and U.S. election systems. The OCC is collaborating with the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of the Treasury during its investigations. Recommended read:
References :
@Talkback Resources
//
Despite recent arrests in 2024, the Scattered Spider cybercrime collective remains active in 2025, continuing to target high-profile organizations with sophisticated social engineering attacks. The group, known for its audacious breaches including attacks against MGM Resorts and Caesars Entertainment in 2023, employs tactics such as impersonating IT staff to steal login credentials and using remote access tools. Security firm Silent Push has uncovered the group's persistence in 2025 and has outlined the group's latest tactics, techniques and procedures.
Scattered Spider is utilizing updated phishing kits and a new version of the Spectre RAT malware to compromise systems and exfiltrate sensitive data. Their phishing campaigns involve impersonating well-known brands and software vendors, including the use of dynamic DNS services to evade detection. Targets in 2025 include organizations such as Klaviyo, HubSpot, Pure Storage, Audemars Piguet, Chick-fil-A, Credit Karma, Forbes, Instacart, Louis Vuitton, Morningstar, New York Digital Investment Group, News Corporation, Nike, Paxos, Twitter/X, Tinder, T-Mobile, and Vodafone. Law enforcement has made some progress in disrupting Scattered Spider's operations. Noah Michael Urban, also known as "King Bob," a 20-year-old member of the group, pleaded guilty to charges related to SIM swap fraud, aggravated identity theft, and cryptocurrency thefts. He faces potential decades in prison and is required to pay over $13.2 million in restitution to 59 victims. Silent Push made available code for a Spectre RAT string decoder and command and control (C2) emulator that defenders can use in their efforts to squash the eight-legged menace. Recommended read:
References :
@www.cybersecurity-insiders.com
//
The Office of the Comptroller of the Currency (OCC), an independent bureau within the U.S. Treasury Department, has confirmed a major email breach impacting approximately 100 bank regulators' accounts. The breach, which lasted for over a year, resulted in unauthorized access to more than 150,000 emails containing sensitive details about banks the agency oversees. According to the OCC's public statement, the compromised emails included highly sensitive information relating to the financial condition of federally regulated financial institutions and used in examination and supervisory oversight processes.
The OCC discovered the unauthorized access after being notified by Microsoft about unusual network behavior on Feb. 11. Following the discovery, the OCC notified Congress of the incident, describing it as a "major information security incident". Analysis by the OCC concluded that the highly sensitive bank information contained in the emails and attachments is likely to result in demonstrable harm to public confidence. The agency has since launched an internal and independent third-party review to determine the full extent of the breach and identify vulnerabilities that led to the unauthorized access. Security experts have expressed concern over the news, emphasizing the potential for malicious actors to exploit the exposed information. One expert noted that knowing the weakest targets and their vulnerabilities could enable attackers to launch a broad series of attacks to disrupt services or perpetrate fraud. The OCC also notified the Cybersecurity and Infrastructure Security Agency (CISA) that there is no indication of any impact to the financial sector at this time. The OCC incident is considered the second high-profile breach for the Treasury Department in recent months, the first one involved Chinese state-sponsored hackers breaching their network. Recommended read:
References :
@gbhackers.com
//
Cybercriminals are exploiting SourceForge, a legitimate software hosting and distribution platform, to spread malware disguised as Microsoft Office add-ins. Attackers are using SourceForge's subdomain feature to create fake project pages, making them appear credible and increasing the likelihood of successful malware distribution. One such project, named "officepackage," contains Microsoft Office add-ins copied from a legitimate GitHub project, but the subdomain "officepackage.sourceforge[.]io" displays a list of office applications with download links that lead to malware. This campaign is primarily targeting Russian-speaking users.
The attackers are manipulating search engine rankings to ensure these fake project pages appear prominently in search results. When users search for Microsoft Office add-ins, they are likely to encounter these malicious pages, which appear legitimate at first glance. Clicking the download button redirects users through a series of intermediary sites before finally downloading a suspicious 7MB archive named "vinstaller.zip." This archive contains another password-protected archive, "installer.zip," and a text file with the password. Inside the second archive is an MSI installer responsible for creating several files and executing embedded scripts. A Visual Basic script downloads and executes a batch file that unpacks additional malware components, including a cryptocurrency miner and the ClipBanker Trojan. This Trojan steals cryptocurrency by hijacking cryptocurrency wallet addresses. Telemetry data shows that 90% of potential victims are in Russia, with over 4,604 users impacted by this campaign. Recommended read:
References :
@Latest from ITPro
//
Europcar Mobility Group has confirmed a data breach affecting potentially up to 200,000 customers. The breach occurred through unauthorized access to the company’s GitLab repositories. According to reports, the stolen data includes source code for Europcar's Android and iOS mobile applications, as well as personal data linked to tens of thousands of customers. This incident raises significant security concerns, as the exposure of source code could potentially reveal vulnerabilities that could be exploited in future attacks.
Europcar is currently assessing the full extent of the damage caused by the breach. Preliminary findings indicate that the compromised data includes names and email addresses of users belonging to the Goldcar and Ubeeqo brands. The compromised records date back as far as 2017 and 2020. Europcar maintains that no financial information, passwords, or biometric details were exposed. The company has notified data protection authorities and has begun the process of informing affected customers about the incident. The attacker reportedly claimed responsibility for the breach in late March and attempted to extort Europcar, threatening to release 37GB of stolen data. The data allegedly includes internal backups, infrastructure documentation, and application source code. Europcar has denied that all of its GitLab repositories were compromised, but has confirmed that the threat actor accessed over 9,000 SQL files and 269 environment configuration files. The method of access remains unclear, although similar breaches often involve stolen credentials obtained through infostealer malware. The investigation is ongoing. Recommended read:
References :
|