CyberSecurity news

Ojukwu Emmanuel@Tekedia //
On February 21, 2025, the cryptocurrency exchange Bybit suffered a massive security breach resulting in the theft of approximately $1.46 billion in crypto assets. Investigations have pointed towards the Lazarus Group, a North Korean state-sponsored hacking collective, as the perpetrators behind the audacious heist. The FBI has officially accused the Lazarus Group of stealing $1.5 billion in Ethereum and has requested assistance in tracking down the stolen funds.

Bybit has declared war on the Lazarus Group following the incident and is offering a $140 million bounty for information leading to the recovery of the stolen cryptocurrency. CEO Ben Zhou has launched Lazarusbounty.com, a bounty site aiming for transparency on the Lazarus Group's money laundering activities. The attack involved exploiting vulnerabilities in a multisig wallet platform, Safe{Wallet}, by compromising a developer’s machine, enabling the transfer of over 400,000 ETH and stETH (worth over $1.5 billion) to an address under their control.

Recommended read:
References :
  • The Register - Security: The FBI has officially accused North Korea's Lazarus Group of stealing $1.5 billion in Ethereum from crypto-exchange Bybit earlier this month, and asked for help tracking down the stolen funds.
  • Secure Bulletin: The Lazarus Group, a notorious North Korean state-sponsored hacking collective, has once again demonstrated its sophistication and audacity with a staggering $1.5 billion cryptocurrency heist targeting Bybit, a major crypto exchange.
  • SecureWorld News: On February 21, 2025, the cryptocurrency world was rocked by the largest crypto heist in history. Dubai-based exchange Bybit was targeted in a malware-driven attack that resulted in the theft of approximately $1.46 billion in crypto assets.
  • Tekedia: Bybit, a leading crypto exchange, has declared war on “notorious” Lazarus group, a hacker group made up of an unknown number of individuals, alleged to be run by the government of North Korea. This is coming after the crypto exchange experienced a security breach resulting in the unauthorized transfer of over $1.4 billion in liquid-staked crypto assets.
  • ChinaTechNews.com: North Korea was behind the theft of approximately $1.5bn in virtual assets from a cryptocurrency exchange, the FBI has said, in what is being described as the biggest heist in history.
  • iHLS: Largest-Ever Crypto Heist steals $1.4 Billion
  • techcrunch.com: The FBI said the North Korean government is ‘responsible’ for the hack at crypto exchange Bybit, which resulted in the theft of more than $1.4 billion in Ethereum cryptocurrency.
  • PCMag UK security: The FBI is urging the cryptocurrency industry to freeze any transactions tied to the Bybit heist. The FBI has attributed the $1.4 billion cryptocurrency theft at Bybit to North Korean state-sponsored hackers after security researchers reached the same conclusion.
  • Talkback Resources: FBI Says North Korea Hacked Bybit as Details of $1.5B Heist Emerge [net] [mal]
  • thehackernews.com: Bybit Hack Traced to Safe{Wallet} Supply Chain Attack Exploited by North Korean Hackers
  • PCMag UK security: FBI Blames North Korea for Massive $1.4 Billion Cryptocurrency Heist
  • www.pcmag.com: FBI Blames North Korea for Massive $1.4 Billion Cryptocurrency Heist
  • SecureWorld News: FBI Attributes Bybit Hack: FBI Attributes to North Korea, Urges Crypto Sector to Act
  • Dan Goodin: InfoSec Exchange Post on the FBI attribution to the Lazarus group and Bybit hack
  • bsky.app: Forensic investigators have discovered that North Korean Lazarus hackers stole $1.5 billion from Bybit after first breaching a Safe{Wallet} developer machine. The multisig wallet platform has also confirmed these findings in a statement issued today.
  • Wallarm: Lab Wallarm discusses how Bybit’s Real-Time Blacklisting Is Thwarting a $1.5B Crypto Heist
  • infosec.exchange: NEW: Hacked crypto exchange Bybit is offering $140 million in bounties to anyone who can help locate and freeze the stolen ethereum. Bybit also disclosed preliminary results of investigations, which reveal hackers breached a developer’s device at a wallet platform Safe Wallet.
  • securityaffairs.com: FBI: North Korea-linked TraderTraitor is responsible for $1.5 Billion Bybit hack
  • Cybercrime Magazine: Bybit Suffers Largest Crypto Hack In History
  • www.cnbc.com: Details on the attack in a news article
  • The Register - Security: Bybit declares war on North Korea's Lazarus crime-ring to regain $1.5B stolen from wallet
  • Sergiu Gatlan: Forensic investigators have discovered that North Korean Lazarus hackers stole $1.5 billion from Bybit after first breaching a Safe{Wallet} developer machine. The multisig wallet platform has also confirmed these findings in a statement issued today.
  • gbhackers.com: Researchers Uncover $1.4B in Sensitive Data Tied to ByBit Hack by Lazarus Group
  • infosec.exchange: NEW: After security researchers and firms accused North Korea of the massive Bybit hack, the FBI follows suit. North Korean government hackers allegedly stole more than $1.4 billion in Ethereum from the crypto exchange.
  • www.cysecurity.news: Bybit Suffers Historic $1.5 Billion Crypto Hack, Lazarus Group Implicated
  • infosec.exchange: Bybit, that major cryptocurrency exchange, has been hacked to the tune of $1.5 billion in digital assets stolen, in what’s estimated to be the largest crypto heist in history.
  • BleepingComputer: Bybit, a major cryptocurrency exchange, has fallen victim to a massive cyberattack, with approximately $1.5 billion in cryptocurrency stolen. The breach is believed to be the largest single theft in crypto history.
  • Taggart :donor:: Cryptocurrency exchange Bybit suffered a massive security breach, resulting in the loss of $1.5 billion in digital assets. The hack compromised the exchange's cold wallet and involved sophisticated techniques to steal the funds.
  • www.cysecurity.news: CySecurity News report on the Bybit hack, its implications, and the potential Lazarus Group connection.
  • : The 420 report on Bybit theft
  • infosec.exchange: Details of the Bybit hack and Lazarus Group's involvement.
  • Talkback Resources: Bybit Hack Traced to Safe{Wallet} Supply Chain Attack Exploited by North Korean Hackers
  • securityaffairs.com: The FBI confirmed that North Korea is responsible for the record-breaking cyber heist at the crypto exchange Bybit.
  • Zack Whittaker: Grab some coffee — your weekly ~ this week in security ~ is out: • North Korea's record-breaking $1.4B crypto heist
  • infosec.exchange: Infosec Exchange post about Bybit crypto heist.
  • The Record: Experts from multiple blockchain security companies said that North Korean hackers were able to move all of the ETH coins stolen from Bybit to new addresses — the first step taken before the funds can be laundered further
  • infosec.exchange: The (allegedly North Korean) hackers behind the Bybit crypto heist have already laundered all the stolen Ethereum, which was worth $1.4 billion.
  • Metacurity: Lazarus Group hackers have laundered 100% of the $1.4 billion they stole from Bybit

@pcmag.com //
A recent Windows 11 update has inadvertently uninstalled the Copilot AI assistant from some users' PCs, causing frustration. The bug, affecting updates KB5053598, KB5053602, and KB5053606 across Windows 11 and Windows 10, removes the Copilot app and unpins it from the taskbar. Microsoft has acknowledged the issue and updated the release notes, confirming that Copilot for Microsoft 365 is not affected.

Users affected by this bug can manually reinstall the Copilot app from the Microsoft Store and repin it to their taskbar as a temporary solution. It's worth noting that some users on Reddit have expressed that they appreciate this accidental "feature," stating they would prefer the option to install Copilot rather than having it forced upon them. Microsoft is currently working on a permanent solution and is likely to issue an update soon.

Recommended read:
References :
  • futurism.com: Users Cheer as Microsoft Accidentally Removes Hated AI Feature From Windows 11
  • www.techrepublic.com: The Case of the Vanishing Copilot: Is Microsoft’s Update a Feature or a Bug?
  • www.zdnet.com: Windows 11 update accidentally erases Copilot for some users - here's how to get it back
  • PCMag Middle East ai: Oops: Microsoft Update Accidentally Removes Copilot From Windows
  • MSPoweruser: If you install KB5053598, you’ll delete all traces of Copilot in Windows 11
  • www.windowscentral.com: Is this Windows 11 'bug' the feature we've been waiting for? Say goodbye to Copilot (for now)
  • www.techradar.com: Windows 11 bug deletes Copilot from the OS – is this the first glitch ever some users will be happy to encounter?
  • PCWorld: Microsoft shot itself in the foot with its latest Windows update
  • Ars OpenForum: Report that a bug in the Windows 11 update caused Copilot to be removed from some devices.
  • How-To Geek: Explanation and guidance for reinstalling the Copilot app after a recent Windows update.
  • www.pcmag.com: Discussion of the Copilot uninstall issue and possible resolutions.
  • PCWorld: Article discussing the inadvertent uninstallation of the Copilot app in some Windows 11 installations due to a bug in the recent update.

CISO2CISO Editor 2@ciso2ciso.com //
A critical zero-day vulnerability, identified as CVE-2025-0282, is actively being exploited in the wild, affecting Ivanti Connect Secure, Policy Secure, and Neurons for ZTA gateways. This stack-based buffer overflow allows unauthenticated remote attackers to execute arbitrary code on vulnerable devices. Ivanti has confirmed that a limited number of Connect Secure appliances have already been targeted by this exploit. This flaw, boasting a critical CVSS score of 9.0, is particularly concerning as it enables remote code execution without requiring any authentication. The company became aware of the activity through its Integrity Checker Tool (ICT) and has since released a patch for the Connect Secure product line.

Alongside CVE-2025-0282, Ivanti is also addressing CVE-2025-0283, a high-severity stack-based buffer overflow vulnerability with a CVSS score of 7.0. This vulnerability requires a local authenticated attacker and allows for privilege escalation. While no exploitation of CVE-2025-0283 has been observed, patches for all affected products are being developed with fixes for Policy Secure and Neurons for ZTA Gateways expected on January 21. Ivanti urges all customers to apply the provided fixes for Connect Secure (v22.7R2.5) immediately, and to perform factory resets if the integrity checker shows signs of compromise. The company will share indicators of compromise with impacted customers to aid forensic investigations.

Recommended read:
References :
  • forums.ivanti.com: Security Advisory: Ivanti Connect Secure, Policy Secure, ZTA Gateways - CVE-2025-0282, CVE-2025-0283
  • www.helpnetsecurity.com: Ivanti Connect Secure zero-day exploited by attackers (CVE-2025-0282)
  • ciso2ciso.com: CISO2CISO - CVE-2025-0282: Ivanti Connect Secure Zero-Day Vulnerability Exploited In The Wild
  • The Hacker News: The Hacker News - Ivanti Flaw CVE-2025-0282 Actively Exploited
  • ciso2ciso.com: CVE-2025-0282: Ivanti Connect Secure Zero-Day Vulnerability Exploited In The Wild
  • securityonline.info: CVE-2025-0282 (CVSS 9.0): Ivanti Confirms Active Exploitation of Critical Flaw
  • Kevin Beaumont: Ivanti Connect Secure, Policy Secure & ZTA Gateways customers, it's time to upgrade again as there's another two zero days already being exploited in the wild - CVE-2025-0282 and CVE-2025-0283 Unauth code execution.
  • gbhackers.com: Ivanti 0-Day Vulnerability Exploited in Wild-Patch Now
  • : CISA : So hot off the press that it's not live yet 🥵🔥🔥 ( 9.0 critical ) A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution.
  • Pyrzout :vm:: CVE-2025-0282: Ivanti Connect Secure Zero-Day Vulnerability Exploited In The Wild
  • securityboulevard.com: Alert of Buffer Overflow Vulnerabilities in Multiple Ivanti Products (CVE-2025-0282)
  • Pyrzout :vm:: Zero-day exploits plague Ivanti Connect Secure appliances for second year running – Source: go.theregister.com
  • Techmeme: Ivanti warns that a zero-day in its widely-used Connect Secure VPN service has been exploited to compromise the networks of its corporate customers
  • techcrunch.com: Hackers are exploiting a new Ivanti VPN security bug to hack into company networks
  • www.tenable.com: CVE-2025-0282: Ivanti Connect Secure Zero-Day Vulnerability Exploited In The Wild
  • ciso2ciso.com: Zero-day exploits plague Ivanti Connect Secure appliances for second year running – Source: go.theregister.com
  • Latest from TechRadar: Ivanti warns another critical security flaw is being attacked
  • www.bleepingcomputer.com: Banshee stealer evades detection using apple xprotect
  • : watchTowr : Absolutely scathing review and rightful criticism of Ivanti as watchTowr successfully reproduces ( 9.0 critical ) Ivanti Connect Secure Buffer Overflow Vulnerability.
  • securityonline.info: Ivanti Connect Secure Zero-Day Threat: 2,048 Vulnerable Devices and Critical Exploitation Details Unveiled
  • www.scworld.com: Active exploitation of Ivanti Connect Secure zero-day ongoing
  • ciso2ciso.com: China’s UNC5337 Exploits a Critical Ivanti RCE Bug, Again – Source: www.darkreading.com
  • Kevin Beaumont: WatchTowr have a good look at the latest Ivanti Pulse Secure zero day. Honestly? Don’t buy this product. It isn’t secure and they’re hiding problems.
  • securityaffairs.com: U.S. CISA adds Ivanti Connect Secure, Policy Secure, and ZTA Gateways flaw to its Known Exploited Vulnerabilities catalog
  • fortiguard.fortinet.com: Ivanti Connect Secure Zero-Day Vulnerability
  • labs.watchtowr.com: Exploitation Walkthrough and Techniques - Ivanti Connect Secure RCE (CVE-2025-0282) - watchTowr Labs
  • Pyrzout :vm:: China’s UNC5337 Exploits a Critical Ivanti RCE Bug, Again – Source: www.darkreading.com
  • www.helpnetsecurity.com: Week in review: Exploited Ivanti Connect Secure zero-day, Patch Tuesday forecast
  • Pyrzout :vm:: Ivanti Rolls Out Patches to Mitigate Exploits in Connect Secure, Policy Secure, and ZTA Gateways
  • thecyberexpress.com: Ivanti Vulnerabilities Patches Roll Out - The Cyber Express
  • thecyberexpress.com: Ivanti Rolls Out Patches to Mitigate Exploits in Connect Secure, Policy Secure, and ZTA Gateways
  • arcticwolf.com: CVE-2025-0282: Critical Zero-Day Remote Code Execution Vulnerability Impacts Several Ivanti Products
  • Help Net Security: Week in review: Exploited Ivanti Connect Secure zero-day, Patch Tuesday forecast
  • gbhackers.com: Gbhackers article about PoC release for Ivanti RCE vulnerability.

MalBot@malware.news //
The US Treasury Department has sanctioned a Chinese cybersecurity firm, Sichuan Juxinhe Network Technology Co., and a Shanghai-based hacker, Yin Kecheng, for their involvement in significant cyberattacks. These attacks compromised sensitive systems at the Treasury Department and major US telecommunication companies and ISPs. Sichuan Juxinhe is linked to the Salt Typhoon hacking group, which has infiltrated numerous US telecom companies and ISPs, intercepting sensitive data from high-value political officials and communication platforms. Yin Kecheng, connected to the Chinese Ministry of State Security (MSS), is associated with the recent breach of the Treasury's network, impacting systems involved in sanctions and foreign investment reviews.

The Treasury's systems, including those used by Secretary Janet Yellen, were accessed during the breach resulting in the theft of over 3,000 files. The stolen data included policy documents, organizational charts, and information on sanctions and foreign investment. The cyber activity has been attributed to the Salt Typhoon group, alongside a related group known as Silk Typhoon (formerly Hafnium), which exploited vulnerabilities in Microsoft Exchange Server and used compromised APIs. The Treasury Department stated that it will continue using its authority to hold accountable malicious actors that target American people and the US government.

Recommended read:
References :
  • malware.news: US Sanctions Chinese firm behind sweeping Salt Typhoon telecom hacks
  • The Hacker News: U.S. Sanctions Chinese Cybersecurity Firm Over Treasury Hack Tied to Silk Typhoon
  • BleepingComputer: US sanctions Chinese firm, hacker behind telecom and Treasury hacks
  • ciso2ciso.com: US Sanctions Chinese Hacker & Firm for Treasury, Critical Infrastructure Breaches – Source: www.darkreading.com
  • ciso2ciso.com: US sanctions Chinese hacker & firm for Treasury, critical infrastructure breaches
  • : U.S. Treasury : Treasury's OFAC is sanctioning Yin Kecheng, a Shanghai-based cyber actor who was involved with the recent Department of the Treasury network compromise.
  • ciso2ciso.com: U.S. Sanctions Chinese Cybersecurity Firm Over Treasury Hack Tied to Silk Typhoon – Source:thehackernews.com
  • www.bleepingcomputer.com: US sanctions Chinese firm, hacker behind telecom and Treasury hacks
  • securityaffairs.com: U.S. Treasury Sanctions Chinese cybersecurity firm and actor over federal agency breach tied to Salt Typhoon
  • ciso2ciso.com: Treasury Levels Sanctions Tied to a Massive Hack of Telecom Companies and Breach of Its Own Network – Source: www.securityweek.com
  • Pyrzout :vm:: Treasury Levels Sanctions Tied to a Massive Hack of Telecom Companies and Breach of Its Own Network – Source: www.securityweek.com
  • ciso2ciso.com: The U.S. Treasury’s OFAC sanctioned a Chinese cybersecurity firm and a Shanghai cyber actor for ties to Salt Typhoon and a federal agency breach.
  • www.tomshardware.com: News report on Chinese hackers infiltrating US Treasury Secretary's PC and gaining access to over 400 PCs.
  • ciso2ciso.com: U.S. Treasury Sanctions Chinese cybersecurity firm and actor over federal agency breach tied to Salt Typhoon
  • www.nextgov.com: US Treasury Department sanctions imposed for Salt Typhoon's involvement.
  • www.nextgov.com: The Treasury Department's sanctions follow a major hack targeting telecommunications companies and potentially impacting high-value political officials.
  • Threats | CyberScoop: Treasury sanctions Chinese cybersecurity company, affiliate for Salt Typhoon hacks.
  • cyberscoop.com: Treasury sanctions Chinese cybersecurity company, affiliate for Salt Typhoon hacks
  • thecyberexpress.com: U.S. Treasury sanctions Salt Typhoon hackers
  • www.csoonline.com: The US is hitting back against the threat group, dubbed Salt Typhoon by Microsoft, which is allegedly behind recent cyber attacks against American telecommunications providers, as part of a wider campaign against Chinese-based hacking.
  • Security Affairs: The US Treasury Department's Office of Foreign Assets Control (OFAC) sanctioned Chinese firm Sichuan Juxinhe Network Technology Co., LTD.
  • Security Boulevard: U.S. Treasury Sanctions Chinese Individual, Company for Data Breaches

@www.bleepingcomputer.com //
A new ransomware campaign is exploiting Amazon Web Services (AWS) Server-Side Encryption with Customer Provided Keys (SSE-C) to encrypt S3 buckets. The attackers, known as "Codefinger," utilize encryption keys unknown to the victims. The hackers demand ransoms in exchange for the decryption keys, effectively holding the data hostage. This attack leverages a legitimate AWS feature, making data recovery incredibly difficult without the attacker's keys. The Codefinger crew was first spotted in December, and at least two AWS native software developers were recently targeted.

The attackers gain access to victims’ cloud storage by using compromised AWS keys with read and write permissions, and encrypt files by setting the "x-amz-server-side-encryption-customer-algorithm" header on their requests and supplying a locally stored AES-256 encryption key they generate. AWS processes the key during encryption but does not store it, meaning the victim cannot decrypt their data without the attacker-generated key. Furthermore, the encrypted files are marked for deletion within seven days using the S3 Object Lifecycle Management API, adding pressure on the victims. This tactic represents a significant risk, as it’s the first known instance of ransomware using AWS's native secure encryption infrastructure via SSE-C to lock up victims' data.
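
The two signals described above, an object write that carries the SSE-C algorithm header and a lifecycle rule with a short expiry, are what a defender can look for in S3 logging. The following is an added example, not code from the original article, Halcyon, or AWS: it scans constructed CloudTrail-style records for both signals and builds a bucket policy that denies SSE-C uploads. The record layout is an assumed simplification of real CloudTrail S3 data events, and the condition key `s3:x-amz-server-side-encryption-customer-algorithm` is assumed to match the current S3 IAM condition keys; verify both against your own trail and the AWS docs before relying on them.

```python
"""Defensive helpers for the SSE-C ransomware pattern described above.

Added example, not code from the original article, Halcyon, or AWS.
scan_events() flags CloudTrail-style S3 records that write objects with the
x-amz-server-side-encryption-customer-algorithm header or install a short
object-expiry lifecycle rule; deny_ssec_policy() builds a bucket policy that
refuses SSE-C uploads. The sample records are constructed, and their field
layout is an assumed simplification of real CloudTrail S3 data events.
"""
import json
from dataclasses import dataclass
from typing import List, Optional

SSEC_HEADER = "x-amz-server-side-encryption-customer-algorithm"
OBJECT_WRITE_EVENTS = {"PutObject", "CopyObject", "CreateMultipartUpload"}
MAX_EXPIRY_DAYS = 7  # the campaign above sets a seven-day deletion timer
# S3 IAM condition key for the SSE-C algorithm header (assumed; check AWS docs).
SSEC_CONDITION_KEY = "s3:x-amz-server-side-encryption-customer-algorithm"


@dataclass
class Finding:
    event_name: str
    bucket: str
    access_key: Optional[str]
    reason: str


def scan_event(evt: dict) -> Optional[Finding]:
    """Return a Finding for one record, or None when nothing suspicious is seen."""
    name = evt.get("eventName", "")
    params = evt.get("requestParameters") or {}
    bucket = params.get("bucketName", "<unknown>")
    access_key = (evt.get("userIdentity") or {}).get("accessKeyId")

    if name in OBJECT_WRITE_EVENTS and params.get(SSEC_HEADER):
        return Finding(name, bucket, access_key,
                       f"object written with SSE-C ({params[SSEC_HEADER]}); "
                       "AWS keeps no copy of the key, so only the uploader can decrypt")

    if name == "PutBucketLifecycle":
        rules = (params.get("LifecycleConfiguration") or {}).get("Rule", [])
        if isinstance(rules, dict):  # a single rule may arrive unwrapped
            rules = [rules]
        for rule in rules:
            days = (rule.get("Expiration") or {}).get("Days")
            if days is not None and int(days) <= MAX_EXPIRY_DAYS:
                return Finding(name, bucket, access_key,
                               f"lifecycle rule expires objects after {days} day(s)")
    return None


def scan_events(events: List[dict]) -> List[Finding]:
    """Run scan_event over every record and keep only the hits."""
    return [f for f in (scan_event(e) for e in events) if f is not None]


def deny_ssec_policy(bucket: str) -> dict:
    """Bucket policy denying any object write that carries an SSE-C algorithm header."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenySSECUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            # Null=false means "deny whenever the SSE-C header is present at all"
            "Condition": {"Null": {SSEC_CONDITION_KEY: "false"}},
        }],
    }


# Constructed sample records (not real CloudTrail output); the first write uses
# SSE-KMS and is benign, the second uses SSE-C, the third sets a 7-day expiry.
SAMPLE_EVENTS = json.loads("""[
 {"eventName": "PutObject", "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001"},
  "requestParameters": {"bucketName": "acme-backups", "key": "db/dump.sql",
   "x-amz-server-side-encryption": "aws:kms"}},
 {"eventName": "PutObject", "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000002"},
  "requestParameters": {"bucketName": "acme-backups", "key": "db/dump.sql",
   "x-amz-server-side-encryption-customer-algorithm": "AES256"}},
 {"eventName": "PutBucketLifecycle", "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000002"},
  "requestParameters": {"bucketName": "acme-backups",
   "LifecycleConfiguration": {"Rule": {"Status": "Enabled", "Expiration": {"Days": 7}}}}}
]""")

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"[{f.event_name}] bucket={f.bucket} accessKey={f.access_key}: {f.reason}")
    print(json.dumps(deny_ssec_policy("acme-backups"), indent=2))
```

Both findings in the sample come from the same access key, which is the pivot a responder would use to revoke the compromised credential and review everything else it touched.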

Recommended read:
References :
  • bsky.app: A new ransomware campaign encrypts Amazon S3 buckets using AWS's Server-Side Encryption with Customer Provided Keys (SSE-C) known only to the threat actor, demanding ransoms to receive the decryption key.
  • BleepingComputer: A new ransomware campaign encrypts Amazon S3 buckets using AWS's Server-Side Encryption with Customer Provided Keys (SSE-C) known only to the threat actor, demanding ransoms to receive the decryption key.
  • www.bleepingcomputer.com: A new ransomware campaign encrypts Amazon S3 buckets using AWS's Server-Side Encryption with Customer Provided Keys (SSE-C) known only to the threat actor, demanding ransoms to receive the decryption key.
  • The Register - Security: Ransomware crew abuses AWS native encryption, sets data-destruct timer for 7 days
  • AAKL: Seems like cybercriminals are getting bolder. Halcyon: Abusing AWS Native Services: Ransomware Encrypting S3 Buckets with SSE-C More: New ransomware gang dubbed Codefinger abuses AWS native encryption, sets data-destruct timer for 7 days
  • www.halcyon.ai: Ransomware Encrypting S3 Buckets with SSE-C
  • www.theregister.com: Ransomware crew abuses compromised AWS keys
  • osint10x.com: New Codefinger Ransomware Exploits AWS to Encrypt S3 Buckets
  • securityaffairs.com: Codefinger ransomware gang uses compromised AWS keys to encrypt S3 bucket

@www.bleepingcomputer.com //
A sophisticated cyberattack has successfully targeted low-skilled hackers, often referred to as "script kiddies," by using a modified version of the XWorm RAT builder. This fake builder, disguised as a tool for penetration testing, secretly infects users' systems with a backdoor. This allowed the attacker to compromise over 18,000 devices worldwide. The malware was distributed via various channels including file-sharing services, GitHub repositories, Telegram channels, and even YouTube. Once installed, the malicious software exfiltrated sensitive data such as browser credentials, Discord tokens, Telegram data, and system information.

The campaign highlights the risks faced even by those attempting to engage in hacking activities. Threat actors, using aliases such as “@shinyenigma” and “@milleniumrat”, have taken advantage of the eagerness of these individuals to download and use tools from online tutorials. The infected machines are located in Russia, the United States, India, Ukraine, and Turkey. The malicious tool uses Telegram for its command and control, relying on bot tokens and Telegram API calls. Security researchers have identified a kill switch to disrupt operations on active devices, though its reach is limited by offline machines and rate-limiting mechanisms.

Recommended read:
References :
  • www.bleepingcomputer.com: A threat actor targeted low-skilled hackers, known as "script kiddies," with a fake malware builder that secretly infected them with a backdoor to steal data and take over computers
  • bsky.app: Over 18,000 users infected themselves with a backdoor after they downloaded a cracked malware builder
  • hackread.com: Hackers Use XWorm RAT to Exploit Script Kiddies, Pwning 18,000 Devices
  • www.cloudsek.com: Over 18,000 users infected themselves with a backdoor after they downloaded a cracked malware builder
  • Cyber Security News: Weaponized XWorm RAT Builder Targeting Script Kiddies to Extract Sensitive Data
  • gbhackers.com: Weaponised XWorm RAT Builder Attacking Script Kiddies To Hack 18,000 Devices
  • cyberpress.org: Weaponized XWorm RAT Builder Targeting Script Kiddies to Extract Sensitive Data
  • www.scworld.com: XWorm RAT builder leveraged for widespread device compromise

@www.forbes.com //
A new report by Citizen Lab and the EFF Threat Lab has uncovered critical security vulnerabilities within the popular Chinese social media application, RedNote. The analysis, conducted on version 8.59.5 of the app, revealed that RedNote transmits user content, including viewed images and videos, over unencrypted HTTP connections. This exposes sensitive user data to potential network eavesdroppers, who can readily access the content being browsed.

Additionally, the report highlights that the Android version of RedNote contains a vulnerability that could allow attackers to access the contents of files on a user's device. The app also transmits device metadata without adequate encryption, sometimes even when using TLS, potentially enabling attackers to learn about a user's device screen size and mobile network carrier. Despite responsible disclosures to RedNote and its vendors NEXTDATA and MobTech in late 2024 and early 2025, no response has been received regarding these critical security flaws.

Recommended read:
References :
  • citizenlab.ca: The report highlights three serious security issues in the RedNote app.
  • Deeplinks: The EFF Threat Lab confirmed the Citizen Lab findings about Red Note.
  • www.forbes.com: Is RedNote Safe? Here's What Millions of TikTok Users Need to Know
  • Deeplinks: Crimson Memo: Analyzing the Privacy Impact of Xiaohongshu AKA Red Note

Pierluigi Paganini@securityaffairs.com //
Rhode Island's health benefits system has suffered a significant data breach, with residents' personal information being leaked onto the dark web. The compromised data originated from the state's RIBridges system, which supports various state programs like Medicaid, SNAP, and childcare assistance. The breach was confirmed by Governor Daniel McKee's office and further details suggest that Deloitte, the firm responsible for designing and maintaining RIBridges, is investigating the incident. The cybercriminals responsible for the attack released some RIBridges files, prompting state officials to notify individuals who may be affected.

The state is working to determine the full scope of the breach and which specific data has been leaked. Impacted individuals will be contacted via letters containing instructions on accessing free credit monitoring. Gov. McKee stated the state had prepared for this and is encouraging residents to remain vigilant and protect their personal information. The incident highlights a growing concern over the vulnerability of state systems to cyber threats and the importance of proactive cybersecurity measures.

Recommended read:
References :
  • securityaffairs.com: Rhode Island’s data from health benefits system leaked on the dark web.
  • ciso2ciso.com: Rhode Islanders’ Data Was Leaked From a Cyberattack on State Health Benefits Website – Source: www.securityweek.com
  • Pyrzout :vm:: Rhode Islanders’ Data Was Leaked From a Cyberattack on State Health Benefits Website – Source: www.securityweek.com
  • ciso2ciso.com: Rhode Island ’s data from health benefits system leaked on the dark web – Source: securityaffairs.com
  • ciso2ciso.com: Rhode Island’s data from health benefits system leaked on the dark web
  • Pyrzout :vm:: Rhode Island ’s data from health benefits system leaked on the dark web.
  • ciso2ciso.com: Hackers Leak Rhode Island Citizens’ Data on Dark Web – Source: www.infosecurity-magazine.com
  • BleepingComputer: The Brain Cipher ransomware gang has begun to leak documents stolen in an attack on Rhode Island's 'RIBridges' social services platform.

@ciso2ciso.com //
UK telecommunications provider, TalkTalk, is currently investigating a potential data breach following claims made on a cybercrime forum. A threat actor, using the handle "b0nd," has alleged to possess the data of nearly 19 million current and former TalkTalk customers. The investigation is in its early stages and involves a third-party supplier whose platform is believed to manage a small part of the company’s customer base. This platform, however, does not store billing details or other sensitive financial information. TalkTalk has confirmed that they are aware of the posts and that an investigation is underway with the supplier, and that immediate protective measures have been taken.

The threat actor has claimed that the data includes subscriber PINs, names, email addresses, last account access information, IP addresses, and phone numbers. However, TalkTalk believes that the reported scale of the data breach is significantly overstated. The company points out that it has never had close to 19 million customers and that the platform involved only manages a subset of its total customer base of around 2.4 million. TalkTalk is working with the third-party supplier to determine the validity of the claims but has stated that no billing or financial data was held on the third-party system. The company continues to prioritize the protection of customer data and is actively addressing this matter.

Recommended read:
References :
  • Pyrzout :vm:: UK telco TalkTalk confirms probe into alleged data grab underway – Source: go.theregister.com
  • ciso2ciso.com: UK telco TalkTalk confirms probe into alleged data grab underway – Source: go.theregister.com
  • The Register: UK telco TalkTalk confirms probe into alleged data grab underway Spinner says crim's claims 'very significantly overstated' UK broadband and TV provider TalkTalk says it's currently investigating claims made on cybercrime forums alleging data from the company was up for grabs.…
  • BleepingComputer: UK telecommunications company TalkTalk is investigating a third-party supplier data breach after a threat actor began selling alleged customer data on a hacking forum.
  • go.theregister.com: UK telco TalkTalk confirms probe into alleged data grab underway
  • Pyrzout :vm:: UK broadband and TV provider TalkTalk says it’s currently investigating claims made on cybercrime forums alleging data from the company was up for grabs.
  • www.bleepingcomputer.com: UK telecommunications company TalkTalk is investigating a third-party supplier data breach after a threat actor began selling alleged customer data on a hacking forum.
  • techcrunch.com: TalkTalk has confirmed it’s investigating a data breach after a hacker claimed to have stolen the personal information of millions of subscribers. However, the telecoms giant says the number of customers allegedly impacted is “wholly inaccurate and very significantly overstated"
  • ciso2ciso.com: TalkTalk Confirms Data Breach, Downplays Impact – Source: www.securityweek.com
  • Carly Page: TalkTalk has confirmed it’s investigating a data breach after a hacker claimed to have stolen the personal information of millions of subscribers. However, the telecoms giant says the number of customers allegedly impacted is “wholly inaccurate and very significantly overstated"
  • ciso2ciso.com: TalkTalk Confirms Data Breach, Downplays Impact