info@thehackernews.com (The@The Hacker News
//
Multiple critical security vulnerabilities, collectively named IngressNightmare, have been discovered in the Ingress NGINX Controller for Kubernetes. These flaws could lead to unauthenticated remote code execution (RCE), potentially exposing over 6,500 clusters to the public internet. The vulnerabilities, identified as CVE-2025-24513, CVE-2025-24514, CVE-2025-1097, CVE-2025-1098, and CVE-2025-1974, have a CVSS score of 9.8. Cloud security firm Wiz discovered these flaws and reported that approximately 43% of cloud environments are susceptible to these vulnerabilities.
Specifically, IngressNightmare affects the admission controller component of the Ingress NGINX Controller, which utilizes NGINX as a reverse proxy and load balancer. Attackers can exploit the unrestricted network accessibility of admission controllers by injecting malicious NGINX configurations, gaining unauthorized access to cluster secrets and potentially leading to a complete cluster takeover. Kubernetes users are urged to update to versions v1.11.5, v1.12.1, or later to mitigate these risks.
Recommended read:
References :
- Open Source Security: Multiple vulnerabilities in ingress-nginx
- The Hacker News: Critical Ingress NGINX Controller Vulnerability Allows RCE Without Authentication
- Wiz Blog | RSS feed: IngressNightmare: 9.8 Critical Unauthenticated Remote Code Execution Vulnerabilities in Ingress NGINX
- The Register - Software: Public-facing Kubernetes clusters at risk of takeover thanks to Ingress-Nginx flaw
- Open Source Security: [kubernetes] Multiple vulnerabilities in ingress-nginx
- ciso2ciso.com: Public-facing Kubernetes clusters at risk of takeover thanks to Ingress-Nginx flaw – Source: go.theregister.com
- securityonline.info: CVE-2025-1974 (CVSS 9.8): Ingress NGINX Flaws Threaten Mass Kubernetes Compromise
- dragosr: "CVE-2025-1974 means that anything on the Pod network has a good chance of taking over your Kubernetes cluster, with no credentials or administrative access required." ingress-nginx is deployed in 40% of k8s clusters.
- research.kudelskisecurity.com: Critical Unauthenticated Remote Code Execution Vulnerabilities inIngress NGINX
- securityboulevard.com: Security Boulevard answers FAQs about IngressNightmare.
- : Wiz Security finds four critical RCE vulnerabilities in the Ingress NGINX Controller for Kubernetes
- Resources-2: IngressNightmare: Ingress NGINX Remote Code Execution Vulnerability Explained
- www.csoonline.com: Critical RCE flaws put Kubernetes clusters at risk of takeover
- www.cybersecuritydive.com: Critical vulnerabilities put Kubernetes environments in jeopardy
- Arctic Wolf: CVE-2025-1974: Critical Unauthenticated RCE Vulnerability in Ingress NGINX for Kubernetes
- Tenable Blog: CVE-2025-1097, CVE-2025-1098, CVE-2025-1974, CVE-2025-24513, CVE-2025-24514: Frequently Asked Questions About IngressNightmare
- open-appsec: On March 24, 2025, WIZ Research disclosed critical vulnerabilities in the Kubernetes Ingress NGINX Controller that allow unsanitized user...
- Threats | CyberScoop: String of defects in popular Kubernetes component puts 40% of cloud environments at risk
- Blog: Ingress NGINX Kubernetes Controller vulnerabilities a ‘nightmare’ for impacted users
- circl: A security issue was discovered in Kubernetes where under certain conditions, an unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller. CVE-2025-1974 but also CVE-2025-1097 CVE-2025-1098 CVE-2025-24513 CVE-2025-24514 🔗 For more details about Ingress NGINX Controller for Kubernetes release
- Sysdig: Detecting and Mitigating IngressNightmare – CVE-2025-1974
- thecyberexpress.com: Multiple CVEs Found in Ingress-NGINX—Patch Now to Prevent Cluster Compromise
- Datadog Security Labs: The "IngressNightmare" vulnerabilities in the Kubernetes Ingress NGINX Controller: Overview, detection, and remediation
- Information Security Buzz: Five critical security vulnerabilities have been found in the Ingress NGINX Controller for Kubernetes, potentially enabling unauthenticated remote code execution. This exposure puts over 6,500 clusters at immediate risk by making the component accessible via the public internet.
- MSSP feed for Latest: Researchers aren’t aware of active exploitation in the wild, but they warn the risk for publicly exposed and unpatched Ingress Nginx controllers is extremely high.
- Latest Bulletins: Addresses issues with Kubernetes ingress-nginx controller
- nsfocusglobal.com: Kubernetes Ingress-nginx Remote Code Execution Vulnerability (CVE-2025-1974)
- Dynatrace news: NGINX vulnerability: Quickly detect and mitigate IngressNightmare vulnerabilities with Dynatrace
- securityonline.info: ingress-nginx maintainers released fixes for multiple vulnerabilities that could allow threat actors to take over Kubernetes clusters.
- Delinea Blog: Discusses vulnerabilities enabling access to Kubernetes clusters’ secrets.
- Kali Linux Tutorials: Details on IngressNightmare Vulnerabilities
info@thehackernews.com (The@The Hacker News
//
A new sophisticated Phishing-as-a-Service (PhaaS) platform, dubbed "Morphing Meerkat," is exploiting DNS MX records to dynamically deliver tailored phishing pages, targeting over 100 brands. This operation enables both technical and non-technical cybercriminals to launch targeted attacks, bypassing security systems through the exploitation of open redirects on adtech servers and compromised WordPress websites. The platform's primary attack vector involves mass spam delivery and dynamic content tailoring, evading traditional security measures.
Researchers have discovered that Morphing Meerkat queries DNS MX records using Cloudflare DoH or Google Public DNS to customize fake login pages based on the victim's email service provider. This technique allows the platform to map these records to corresponding phishing HTML files, featuring over 114 unique brand designs. This personalized phishing experience significantly increases the likelihood of successful credential theft. The phishing kit also uses code obfuscation and anti-analysis measures to hinder detection, supporting over a dozen languages to target users globally.
Recommended read:
References :
- The Hacker News: Cybersecurity researchers have shed light on a new phishing-as-a-service (PhaaS) platform that leverages the Domain Name System (DNS) mail exchange (MX) records to serve fake login pages that impersonate about 114 brands.
- : Morphing Meerkat PhaaS Platform Spoofs 100+ Brands
- www.scworld.com: More than 100 brands' login pages have been spoofed by the newly emergent Morphing Meerkat phishing-as-a-service platform through the exploitation of Domain Name System mail exchange records, The Hacker News reports.
- Cyber Security News: Hackers Use DNS MX Records to Generate Fake Login Pages for Over 100+ Brands
- The DefendOps Diaries: Morphing Meerkat: A Sophisticated Phishing-as-a-Service Threat
- www.techradar.com: This new phishing campaign can tailor its messages to target you with your favorite businesses
- Christoffer S.: Morphing Meerkat: Advanced Phishing-as-a-Service Platform Using DNS MX Records for Tailored Attacks
- hackread.com: Details advanced phishing operation exploiting DNS vulnerabilities.
- Infoblox Blog: Threat actors are increasingly adept at leveraging DNS to enhance the effectiveness of their cyber campaigns. We recently discovered a DNS technique used to tailor content to victims.
- www.scworld.com: 'Morphing Meerkat' spoofs 114 brands via DNS mail exchange records
- Cyber Security News: A sophisticated phishing operation has emerged that creatively leverages DNS mail exchange (MX) records to dynamically serve fake login pages tailored to victims' email providers.
- gbhackers.com: The platform, which has been operational since at least January 2020, employs a range of advanced techniques to evade detection and target users globally.
- Security Affairs: A PhaaS platform, dubbed 'Morphing Meerkat,' uses DNS MX records to spoof over 100 brands and steal credentials, according to Infoblox Threat Intel
- www.scworld.com: 'Morphing Meerkat' spoofs 114 brands via DNS mail exchange records
- Blog: Cybersecurity researchers are tracking a new phishing-as-a-service (PhaaS) platform, called Morphing Meerkat, that employs DNS over HTTPS (DoH) to avoid detection.
- The Stack: Phishing kits going to great lengths to personalise attacks
- Malwarebytes: Infoblox researchers discovered a new phishing-as-a-service (PhaaS) platform, called Morphing Meerkat, that generates multiple phishing kits and spoofs login pages of over 100 brands using DNS mail exchange (MX) records.
- securityaffairs.com: Morphing Meerkat phishing kits exploit DNS MX records
- www.bleepingcomputer.com: A new phishing-as-a-service (PhaaS) operation that researchers call Morphing Meerkat, has been using the DNS over HTTPS (DoH) protocol to evade detection. [...]
- bsky.app: A newly discovered phishing-as-a-service (PhaaS) operation that researchers call Morphing Meerkat, has been using the DNS over HTTPS (DoH) protocol to evade detection.
- Talkback Resources: Morphing Meerkat phishing kits exploit DNS MX records
- Security Risk Advisors: 🚩Morphing Meerkat’s Phishing-as-a-Service Leverages DNS MX Records for Targeted Attacks
- Talkback Resources: New Morphing Meerkat PhaaS platform examined
Dissent@DataBreaches.Net
//
A data breach at Oracle Health has impacted multiple healthcare organizations and hospitals across the United States. The breach involved a threat actor gaining unauthorized access to legacy servers and stealing patient data. The incident, which occurred on February 20, 2025, was initially discovered by Oracle Health, formerly known as Cerner, but has only recently been publicly disclosed by BleepingComputer on March 28, 2025, after Oracle Health failed to respond to requests for comments.
The compromised data includes sensitive information from electronic health records, single sign-on credentials, Lightweight Directory Access Protocol passwords, OAuth2 keys, and tenant data. It is believed that the breach was facilitated through the use of compromised customer credentials, aligning with known attack techniques. The implications for healthcare organizations are substantial, particularly concerning compliance with HIPAA regulations, and could lead to legal repercussions and financial penalties for affected entities.
Oracle Health is facing criticism for its lack of transparency regarding the incident. The company is reportedly telling hospitals that they will not notify patients directly, placing the responsibility on them to determine if the stolen data violates HIPPA laws. However, Oracle Health has committed to assisting in identifying impacted individuals and providing notification templates to help with notifications.
Recommended read:
References :
- bsky.app: Oracle Health breach compromises patient data at US hospitals
- BleepingComputer: A breach at Oracle Health impacts multiple U.S. healthcare organizations and hospitals after patient data was stolen from legacy servers.
- Rescana: Executive Summary: The Oracle Health data breach significantly impacted multiple US healthcare organizations and hospitals by...
- DataBreaches.Net: Oracle Health breach compromises patient data at US hospitals
- The DefendOps Diaries: The Oracle Health breach highlights urgent need for healthcare IT modernization to protect patient data and comply with regulations.
- Lobsters: Despite Oracle denying a breach of its Oracle Cloud federated SSO login servers and the theft of account data for 6 million people, BleepingComputer has confirmed with multiple companies that associated data samples shared by the threat actor are valid.
- bsky.app: A breach at Oracle Health impacts multiple U.S. healthcare organizations and hospitals after patient data was stolen from legacy servers.
- DataBreaches.Net: Oracle customers confirm data stolen in alleged cloud breach is valid
- BleepingComputer: A breach at Oracle Health impacts multiple US healthcare organizations and hospitals after a threat actor stole patient data from legacy servers.
- SecureWorld News: Alleged Oracle Cloud Breach Triggers Industry Scrutiny, Supply Chain Concerns
- BleepingComputer: A breach at Oracle Health impacts multiple US healthcare organizations and hospitals after a threat actor stole patient data from legacy servers. This is not related to the alleged Oracle Cloud breach.
- aboutdfir.com: Oracle customers confirm data stolen in alleged cloud breach is valid Despite Oracle denying a breach of its Oracle Cloud federated SSO login servers and the theft of account data for 6 million people, BleepingComputer has confirmed with multiple companies that associated data samples shared by the threat actor are valid.
- www.cybersecuritydive.com: Cybersecurity firms brace for impact of potential Oracle Cloud breach
- Rescana: The Oracle Cloud breach resulted in the unauthorized access and alleged theft of 6 million records from Oracle's SSO and LDAP services,...
- bsky.app: A breach at Oracle Health impacts multiple US healthcare organizations and hospitals after a threat actor stole patient data from legacy servers. This is not related to the alleged Oracle Cloud breach.
- Risky Business Media: Oracle’s Health Tech division gets hacked and its customers extorted, the Italian government admits it used Paragon to spy on an NGO, a WordPress feature is being abused to silently install malicious plugins, and the Dutch public prosecutor pulls systems offline after a cyber incident.
- DataBreaches.Net: Oracle attempt to hide serious cybersecurity incident from customers in Oracle SaaS service
- techxplore.com: Oracle warns health customers of patient data breach
- www.healthcareitnews.com: Oracle Health customers notified of data compromise, reports say
- Techzine Global: Hackers have gained access to Oracle’s computer systems. They stole patient data to extort money from several American healthcare providers, as evident from a message that the company sent to its customers. The FBI has launched an investigation.
lucija.valentic@reversinglabs.com (Lucija@Blog (Main)
//
A new malware campaign has been discovered targeting developers through malicious npm packages. Researchers at ReversingLabs identified two packages, ethers-provider2 and ethers-providerz, designed to inject reverse shells into locally installed instances of the popular 'ethers' library. This allows attackers to gain remote access to compromised systems. The attack cleverly hides its malicious payload, modifying legitimate files to ensure persistence even after the initial packages are removed.
This campaign showcases a sophisticated approach to software supply chain attacks. The malicious packages act as downloaders, patching the 'ethers' library with a reverse shell. Once 'ethers' is reinstalled, the modifications are reintroduced, granting attackers continued access. ReversingLabs detected the threat using their Spectra platform and have developed a YARA rule to identify compromised systems. While ethers-providerz has been removed, ethers-provider2 remains available, posing a substantial risk, especially if such tactics are deployed against more popular npm packages in the future.
Recommended read:
References :
- : Malicious npm Packages Deliver Sophisticated Reverse Shells
- Blog (Main): Malware found on npm infecting local package with reverse shell
- thehackernews.com: Malicious npm Package Modifies Local 'ethers' Library to Launch Reverse Shell Attacks
- hackread.com: New npm Malware Attack Infects Popular Ethereum Library with Backdoor
- www.bleepingcomputer.com: Two malicious packages were discovered on npm (Node package manager) that covertly patch legitimate, locally installed packages to inject a persistent reverse shell backdoor.
- The DefendOps Diaries: Explore a sophisticated npm attack revealing software supply chain vulnerabilities and the need for enhanced security measures.
- Datadog Security Labs: Introducing Supply-Chain Firewall: Protecting Developers from Malicious Open Source Packages
- www.csoonline.com: Malicious npm packages found to create a backdoor in legitimate code
- BleepingComputer: Infostealer campaign compromises 10 npm packages, targets devs
- www.scworld.com: reports on NPM related infostealer campaigns
- securityonline.info: A recent report by ReversingLabs (RL) has uncovered malicious packages on the npm repository that employ sophisticated techniques
- www.techradar.com: Malicious npm packages use devious backdoors to target users
@itpro.com
//
Advanced Computer Software Group, an NHS software supplier, has been fined £3 million by the Information Commissioner's Office (ICO) for security failures that led to a disruptive ransomware attack in 2022. The ICO determined that Advanced Computer Software Group failed to implement appropriate security measures prior to the attack, which compromised the personal information of tens of thousands of NHS patients. The LockBit ransomware group was identified as the perpetrator, gaining access through a customer account lacking multi-factor authentication (MFA).
Personal information belonging to 79,404 people was taken in the attack, including instructions for carers on how to gain entry into the properties of 890 people who were receiving care at home. The stolen data included checklists for medics on how to get into vulnerable people's homes. The ICO cited gaps in applying MFA policies across the organization, a lack of vulnerability scanning, and inadequate patch management as the primary facilitators of the attack.
Recommended read:
References :
- bsky.app: NHS provider Advanced has been fined £3m by ICO for security failures that led to the hugely disruptive ransomware hack in 2022. One shocking new detail - not only was personal info of 79k people taken - it included instructions for carers on how to gain entry into 890 patient's homes.
- The Register - Security: Data stolen included checklist for medics on how to get into vulnerable people's homes The UK's data protection watchdog is dishing out a £3.07 million ($3.95 million) fine to Advanced Computer Software Group, whose subsidiary's security failings led to a ransomware attack affecting NHS care.
- techcrunch.com: NHS vendor Advanced will pay just over £3 million ($3.8 million) in fines for not implementing basic security measures before it suffered a ransomware attack in 2022, the U.K.’s data protection regulator has confirmed.
- www.itpro.com: The Information Commissioner's Office (ICO) said Advanced Computer Software Group failed to use appropriate security measures before the 2022 attack, which put the personal information of tens of thousands of NHS patients at risk.
- DataBreaches.Net: The UK’s data protection watchdog is dishing out a £3.07 million ($3.95 million) fine to Advanced Computer Software Group, whose subsidiary’s security failings led to a ransomware attack affecting NHS care. This is nearly half the fine the Information Commissioner’s Office provisionally floated...
- www.cybersecurity-insiders.com: NHS LockBit ransomware attack yields £3.07 million penalty on tech provider
- www.bleepingcomputer.com: UK fines software provider £3.07 million for 2022 ransomware breach
- The DefendOps Diaries: Understanding the 2022 NHS Ransomware Attack: Lessons and Future Preparedness
- Tech Monitor: UK ICO fines Advanced Computer Software £3m after NHS data breach
- www.scworld.com: Advanced slapped with almost $4M fine after LockBit hack
Anna Ribeiro@Industrial Cyber
//
Cybersecurity researchers have uncovered 46 new vulnerabilities in solar inverters from leading vendors Sungrow, Growatt, and SMA. These flaws could be exploited by malicious actors to seize control of the devices remotely, posing severe risks to electrical grids. The vulnerabilities, collectively named SUN:DOWN by Forescout Vedere Labs, can enable attackers to execute arbitrary commands, take over accounts, and gain a foothold in vendor infrastructure, potentially leading to control of inverter owners' devices.
Researchers found that these flaws could be used to conduct coordinated large-scale cyber-attacks that target power generation and ultimately, grid failures. The vulnerabilities impact various components within solar power systems, including panels, PV inverters, and communication dongles. While Sungrow and SMA have patched the reported issues, Growatt's response was slower, and the researchers believe an attacker gaining control of a large number of inverters could cause instability to power grids, leading to potential blackouts.
Recommended read:
References :
- ciso2ciso.com: Researchers Uncover 46 Critical Flaws in Solar Inverters From Sungrow, Growatt, and SMA – Source:thehackernews.com
- The Hacker News: Cybersecurity researchers have disclosed 46 new security flaws in products from three solar inverter vendors, Sungrow, Growatt, and SMA, that could be exploited by a bad actor to seize control of devices or execute code remotely, posing severe risks to electrical grids.
- : Solar Power System Vulnerabilities Could Result in Blackouts
- www.scworld.com: 46 new bugs in solar power inverters raise concerns over power grid stability
- Industrial Cyber: Forescout SUN:DOWN research uncovers critical vulnerabilities in solar inverters that threaten power grid stability
- www.cybersecuritydive.com: Solar power gear vulnerable to remote sabotage
- www.techradar.com: Several top solar invertor products were found to have vulnerabilities that could lead to device takeover.
- The DefendOps Diaries: Securing Solar Inverters: Addressing Vulnerabilities in Renewable Energy Systems
- Cyber Security News: Critical security flaws in global solar power infrastructure could potentially allow malicious actors to seize control of solar inverters and manipulate power generation at scale.
- Cyber Security News: 46 New Vulnerabilities in Solar Inverters Let Attackers Manipulate Settings
- www.techradar.com: Hackers could exploit weak security in solar inverters, manipulating energy production, stealing user data, and even disrupting entire power networks with alarming ease.
do son@Daily CyberSecurity
//
CISA has issued a Malware Analysis Report (MAR-25993211-r1.v1) detailing a new malware variant named RESURGE, which exploits a critical vulnerability in Ivanti Connect Secure devices (CVE-2025-0282). The analysis indicates that RESURGE exhibits capabilities similar to the SPAWNCHIMERA malware, including surviving system reboots, but contains distinctive commands that alter its behavior. According to CISA, RESURGE can create web shells, manipulate integrity checks, and modify files, enabling credential harvesting, account creation, password resets, and escalating permissions.
RESURGE can also copy the web shell to the Ivanti running boot disk and manipulate the running coreboot image, ensuring persistence and unauthorized access. CISA strongly advises organizations using Ivanti Connect Secure devices to take immediate action to mitigate this threat by applying security patches for CVE-2025-0282, monitoring network traffic for unusual SSH connections, and implementing robust logging practices to detect tampering attempts. The vulnerability, CVE-2025-0282, is a stack-based buffer overflow vulnerability affecting Ivanti Connect Secure, Policy Secure, and ZTA Gateways that could result in remote code execution.
Recommended read:
References :
- securityonline.info: CISA Warns of RESURGE Malware: Exploiting Ivanti Vulnerability
- Cyber Security News: The Cybersecurity and Infrastructure Security Agency (CISA) has issued a Malware Analysis Report (MAR-25993211-r1.v1) detailing the exploitation of a critical vulnerability in Ivanti Connect Secure devices (CVE-2025-0282).
- bsky.app: CISA has published a technical report on RESURGE, a web shell installed on Ivanti Connect Secure devices via CVE-2025-0282
- thehackernews.com: RESURGE Malware Exploits Ivanti Flaw with Rootkit and Web Shell Features
- securityaffairs.com: CISA warns of RESURGE malware exploiting Ivanti flaw
- Help Net Security: CISA has released indicators of compromise, detection signatures, and updated mitigation advice for rooting out a newly identified malware variant used by the attackers who breached Ivanti Connect Secure VPN appliances in December 2024 by exploiting the CVE-2025-0282 zero-day.
- The Stack: It’s the end of March 2025...of course CISOs still need to worry about Ivanti Connect Secure flaws.
- www.cybersecuritydive.com: CVE-2025-0282, a critical vulnerability that affects Ivanti’s Connect Secure, Policy Secure and ZTA Gateway products, was disclosed and patched in January.
- : CISA recommends immediate action to address malware variant RESURGE exploiting Ivanti vulnerability CVE-2025-0282
@itpro.com
//
Qualys security researchers have uncovered three bypasses in Ubuntu Linux's unprivileged user namespace restrictions, a security feature intended to reduce the attack surface. These bypasses, present in Ubuntu versions 23.10 and 24.04, could enable a local attacker to gain full administrative capabilities. The unprivileged user namespace restrictions were designed to provide security isolation for applications, however, the newly discovered flaws create a weak spot that attackers can exploit.
The bypasses allow a local attacker to create user namespaces with full administrator capabilities. One method involves exploiting the aa-exec tool, while another utilizes Busybox. A third involves LD_PRELOADing a shell into programs with AppArmor profiles. Successful exploitation could allow attackers to bypass security measures, exploit vulnerabilities in kernel components, and potentially gain full system access. Ubuntu was notified of the vulnerabilities on January 15, 2025.
Recommended read:
References :
- Full Disclosure: Qualys Security Advisory Three bypasses of Ubuntu's unprivileged user namespace restrictions.
- The DefendOps Diaries: Understanding Security Bypasses in Ubuntu's Unprivileged User Namespaces
- www.itpro.com: Qualys discovers three bypasses of Ubuntu's unprivileged user namespace restrictions
- www.networkworld.com: Ubuntu namespace vulnerability should be addressed quickly: Expert
- BleepingComputer: New Ubuntu Linux security bypasses require manual mitigations
- bsky.app: Details of how Qualys identifies security byasses on Ubuntu
- BleepingComputer: Three security bypasses have been discovered in Ubuntu Linux's unprivileged user namespace restrictions, which could be enable a local attacker to exploit vulnerabilities in kernel components.
- securityonline.info: Ubuntu Security Alert: Three Ways to Bypass User Namespace Restrictions
- BleepingComputer: Three security bypasses have been discovered in Ubuntu Linux's unprivileged user namespace restrictions, which could be enable a local attacker to exploit vulnerabilities in kernel components.
- Cyber Security News: New Ubuntu Security Bypasses Allow Attackers to Exploit Kernel Vulnerabilities
rohansinhacyblecom@cyble.com
//
A new Android banking trojan called Crocodilus has been discovered, targeting users in Spain and Turkey. Cybersecurity experts warn that this sophisticated malware employs advanced techniques like remote control, black screen overlays, and data harvesting through accessibility logging. Crocodilus is designed to facilitate device takeover and conduct fraudulent transactions, masquerading as Google Chrome to bypass Android 13+ restrictions.
Once installed, Crocodilus requests access to Android's accessibility services and connects to a remote server for instructions and a list of targeted financial applications. The malware steals banking and crypto credentials by displaying HTML overlays and monitors all accessibility events to capture screen contents, including Google Authenticator details. Crocodilus conceals malicious activities using a black screen overlay and muting sounds to avoid detection.
Recommended read:
References :
- cyble.com: TsarBot: A New Android Banking Trojan Targeting Over 750 Banking, Finance, and Cryptocurrency Applications
- thehackernews.com: New Android Trojan Crocodilus Abuses Accessibility to Steal Banking and Crypto Credentials
- gbhackers.com: “Crocodilus� A New Malware Targeting Android Devices for Full Takeover
- securityaffairs.com: The new Android trojan Crocodilus exploits accessibility features to steal banking and crypto credentials, mainly targeting users in Spain and Turkey.
- ciso2ciso.com: Cybersecurity researchers have discovered a new Android banking malware called Crocodilus that’s primarily designed to target users in Spain and Turkey.
- BleepingComputer: A newly discovered Android malware dubbed Crocodilus tricks users into providing the seed phrase for the cryptocurrency wallet using a warning to back up the key to avoid losing access.
- The DefendOps Diaries: Discover how Crocodilus malware exploits Android devices, threatening cryptocurrency security with advanced RAT capabilities and social engineering.
- cointelegraph.com: Android malware ‘Crocodilus’ can take over phones to steal crypto
- Talkback Resources: TsarBot: A New Android Banking Trojan Targeting Over 750 Banking, Finance, and Cryptocurrency Applications
- www.scworld.com: Advanced Crocodilus Android trojan emerges Widely known cryptocurrency wallets, as well as banks in Spain and Turkey, have already been targeted in attacks involving the novel sophisticated Crocodilus Android trojan, which combines bot and remote access trojan capabilities to facilitate banking and cryptocurrency credential compromise, according to Security Affairs.
- Metacurity: The new Android trojan Crocodilus exploits accessibility features to steal banking and crypto credentials, mainly targeting users in Spain and Turkey.
- Blog: New Crocodilus malware snaps up crypto wallets
- BleepingComputer: A newly discovered Android malware dubbed Crocodilus tricks users into providing the seed phrase for the cryptocurrency wallet using a warning to back up the key to avoid losing access.
- thecyberexpress.com: Cyble researchers have discovered a new Android banking trojan that uses overlay attacks and other techniques to target more than 750 applications, including banking, finance, cryptocurrency, payment, social media, and e-commerce applications.
Pierluigi Paganini@Security Affairs
//
Russia-linked Gamaredon is actively targeting Ukrainian users with a phishing campaign designed to deploy the Remcos Remote Access Trojan (RAT). This ongoing cyber campaign, uncovered by Cisco Talos, utilizes malicious LNK files disguised as Microsoft Office documents within ZIP archives. The filenames of these files often reference troop movements and other sensitive geopolitical themes related to the conflict in Ukraine, demonstrating a deliberate attempt to exploit the current situation to lure victims.
The attack chain begins with the execution of a PowerShell downloader embedded within the LNK file. This downloader then contacts geo-fenced servers located in Russia and Germany to retrieve a second-stage ZIP payload that contains the Remcos backdoor. The downloaded payload employs DLL sideloading techniques to execute the backdoor. Cisco Talos assesses that the threat actor, Gamaredon, is affiliated with Russia's Federal Security Service (FSB) and known for targeting Ukrainian organizations for espionage and data theft since at least 2013.
Recommended read:
References :
- Cisco Talos Blog: Cisco Talos is actively tracking an ongoing campaign, targeting users in Ukraine with malicious LNK files which run a PowerShell downloader since at least November 2024.
- Cyber Security News: A sophisticated cyber espionage campaign targeting Ukrainian entities has been uncovered, revealing the latest tactics of the Russia-linked Gamaredon threat actor group.
- Christoffer S.: Gamaredon APT Targets Ukraine with Remcos Backdoor Using War-Themed Lures Cisco Talos is tracking a campaign targeting Ukrainian users with malicious LNK files that deliver the Remcos backdoor.
- gbhackers.com: Cisco Talos has uncovered an ongoing cyber campaign by the Gamaredon threat actor group, targeting Ukrainian users with malicious LNK files to deliver the Remcos backdoor.
- buherator's timeline: Cisco Talos is tracking a campaign targeting Ukrainian users with malicious LNK files that deliver the Remcos backdoor. The campaign, attributed with medium confidence to the Gamaredon APT group, uses Russian-language lures related to troop movements in Ukraine.
- securityonline.info: A new targeted malware campaign linked to the Russian state-aligned group Gamaredon is exploiting Windows shortcut (.LNK) files
- Know Your Adversary: 090. Hunting for Gamaredon's PowerShell Abuse
- The Hacker News: Entities in Ukraine have been targeted as part of a phishing campaign designed to distribute a remote access trojan called Remcos RAT. "The file names use Russian words related to the movement of troops in Ukraine as a lure," Cisco Talos researcher Guilherme Venere said in a report published last week. "The PowerShell downloader contacts geo-fenced servers located in Russia and Germany to
- securityaffairs.com: Russia-Linked Gamaredon Uses Troop-Related Lures to Deploy Remcos RAT in Ukraine
- Virus Bulletin: Cisco Talos researcher Guilherme Venere analyses an ongoing campaign targeting users in Ukraine with malicious LNK files which run a PowerShell downloader. The downloader contacts geo-fenced servers located in Russia & Germany to deploy the second stage Zip file containing the Remcos backdoor.
- OODAloop: Entities in Ukraine have been targeted as part of a phishing campaign designed to distribute a remote access trojan called Remcos RAT. The activity has been attributed with moderate confidence to a Russian hacking group known as Gamaredon.
@www.infosecurity-magazine.com
//
Cybersecurity researchers are raising concerns about a new sophisticated malware loader called CoffeeLoader, designed to stealthily download and execute secondary payloads while evading detection. The malware, first observed around September 2024, shares behavioral similarities with SmokeLoader, another known malware loader. CoffeeLoader employs a variety of techniques to bypass security solutions, including a specialized packer that utilizes the GPU, call stack spoofing, sleep obfuscation, and the use of Windows fibers.
CoffeeLoader's infection sequence starts with a dropper that attempts to execute a DLL payload packed by Armoury, impersonating ASUS's Armoury Crate utility. The malware establishes persistence by creating scheduled tasks and uses call stack spoofing and sleep obfuscation to evade antivirus and EDR solutions. Upon successful connection to a command-and-control server, CoffeeLoader receives commands to inject and execute Rhadamanthys shellcode, highlighting the potential for significant harm. While there are notable similarities between CoffeeLoader and SmokeLoader, researchers are still determining the exact relationship between the two malware families.
Recommended read:
References :
- The Hacker News: Researchers are calling attention to a new sophisticated malware called CoffeeLoader that's designed to download and execute secondary payloads.
- : Security firm spots stealthy CoffeeLoader used in attacks
- www.scworld.com: Windows devices have been targeted with attacks involving the novel CoffeeLoader malware that masquerades as Taiwanese computer hardware firm ASUS's Armoury Crate utility to covertly distribute the Rhadamanthys information-stealing malware and other malicious payloads, Cybernews reports.
- ciso2ciso.com: Cybersecurity researchers are calling attention to a new sophisticated malware called CoffeeLoader that's designed to download and execute secondary payloads.
- bsky.app: Zscaler has spotted a new malware loader named CoffeeLoader, used in the wild since September of last year. The malware was used together and appears to bear similarities with SmokeLoader.
- securityaffairs.com: CoffeeLoader uses a GPU-based packer to evade detection
- securityonline.info: GPU-Powered Evasion: Unpacking the Sophisticated CoffeeLoader Malware
@itpro.com
//
Cybersecurity firm Resecurity successfully infiltrated the BlackLock ransomware gang's network by exploiting a local file inclusion vulnerability on their data leak site (DLS). This vulnerability, a misconfiguration in the site, allowed Resecurity to access the gang's network infrastructure, configuration files, and even account credentials. By gaining access, Resecurity could observe the gang's operations, identify potential victims, and alert both the victims and authorities, providing valuable insights into the gang's modus operandi.
Resecurity's actions have provided law enforcement with crucial information about BlackLock, also known as El Dorado, which had successfully attacked at least 46 organizations worldwide. The compromised DLS revealed that the gang was actively recruiting affiliates to spread the ransomware further. By uncovering the gang's methods and infrastructure, Resecurity has potentially disrupted BlackLock's operations and protected numerous organizations from falling victim to their attacks.
Recommended read:
References :
- PCMag UK security: Cybersecurity Firm Hacks Ransomware Group, Alerts Potential Victims
- www.itpro.com: Security researchers hack BlackLock ransomware gang in push back against rising threat actor
- securityaffairs.com: BlackLock Ransomware Targeted by Cybersecurity Firm
- The Hacker News: BlackLock Ransomware Exposed After Researchers Exploit Leak Site Vulnerability
- thehackernews.com: In what's an instance of hacking the hackers, threat hunters have managed to infiltrate the online infrastructure associated with a ransomware group called BlackLock, uncovering crucial information about their modus operandi in the process.
- securityaffairs.com: In what's an instance of hacking the hackers, threat hunters have managed to infiltrate the online infrastructure associated with a ransomware group called BlackLock, uncovering crucial information about their modus operandi in the process.
- www.cybersecurity-insiders.com: For the first time, a team of security researchers has successfully infiltrated the network of a ransomware operation
Bill Toulas@BleepingComputer
//
WordPress sites are under attack as threat actors exploit the "mu-plugins" directory to conceal malicious code, enabling persistent remote access and redirecting visitors to bogus sites. The "mu-plugins," or must-use plugins, are automatically executed by WordPress without explicit activation, making them an ideal location for staging malware and evading detection. This approach represents a concerning trend because these plugins are often overlooked during routine security checks, making them easier to ignore.
Researchers have identified three kinds of malicious code in the "wp-content/mu-plugins" directory. One, named "redirect.php," redirects site visitors to malicious websites. Another, named "index.php," offers web shell-like functionality, letting attackers execute arbitrary code. The third, named "custom-js-loader.php," injects unwanted spam onto infected websites, replacing images with explicit content and hijacking outbound links.
The "redirect.php" script disguises itself as a web browser update to trick victims into installing malware that steals data. The script is designed to avoid detection by search engine crawlers, only redirecting regular site visitors. The attacks are likely facilitated by vulnerable plugins or themes, compromised admin credentials, and server misconfigurations. To protect against such attacks, administrators should keep WordPress, plugins, and themes updated, use strong passwords, and enable two-factor authentication.
Recommended read:
References :
- The DefendOps Diaries: Understanding the Threat: WordPress MU-Plugins and Security Risks
- The Hacker News: Hackers Exploit WordPress mu-Plugins to Inject Spam and Hijack Site Images
- BleepingComputer: Hackers abuse WordPress MU-Plugins to hide malicious code
- www.scworld.com: WordPress attackers hide malware in overlooked plugins directory
- Vulnerable U: Stealthy WordPress Malware Exploits Mu-Plugins Directory
- bsky.app: Hackers are utilizing the WordPress mu-plugins ("Must-Use Plugins") directory to stealthily run malicious code on every page while evading detection.
- Cyber Security News: Threat Actors Hide Malware in WordPress Sites to Execute Remote Code
- gbhackers.com: Threat Actors Embed Malware in WordPress Sites to Enable Remote Code Execution
Pierluigi Paganini@Security Affairs
//
Sam's Club, the membership warehouse club chain owned by Walmart, is currently investigating claims of a Clop ransomware breach. The Clop ransomware group has reportedly taken responsibility for the alleged security incident. The investigation aims to determine the scope and nature of the potential data compromise, with Sam's Club stating they are actively looking into the matter.
The alleged breach is tied to the Clop ransomware operation's exploitation of vulnerabilities in Cleo file transfer software. Cybernews reports that Sam's Club is among the numerous organizations purportedly affected. Sam's Club has acknowledged the situation and initiated an internal investigation, though specific details regarding the alleged compromise remain limited. The company has affirmed its commitment to protecting the privacy and security of its members' information.
Recommended read:
References :
- securityaffairs.com: The Walmart-owned membership warehouse club chain Sam’s Club is investigating claims of a Cl0p ransomware security breach.
- bsky.app: Sam's Club investigates Clop ransomware breach claims
- BleepingComputer: Retail giant Sam’s Club investigates Clop ransomware breach claims
- cyberinsider.com: Walmart has confirmed to CyberInsider it launched an internal investigation following claims by the Clop ransomware group that it compromised Sam’s Club, a membership-based retail warehouse chain owned and operated by Walmart Inc.
- www.scworld.com: Cybernews reports that Walmart's membership-only warehouse chain Sam's Club was among the hundreds of other organizations most recently claimed to have been breached by the Clop ransomware operation as part of its attacks leveraging a Cleo file transfer software vulnerability.
- securityaffairs.com: Sam’s Club Investigates Alleged Cl0p Ransomware Breach
info@thehackernews.com (The@The Hacker News
//
A new Android malware campaign, potentially linked to previous attacks targeting Indian military personnel, has been identified focusing on users in Taiwan. The malware, known as PJobRAT, is an Android Remote Access Trojan (RAT) that steals sensitive data. It operates by disguising itself as legitimate chat applications, tricking users into installation. Once installed, PJobRAT can extract SMS messages, phone contacts, device information, documents, and media files from infected devices, enabling deep surveillance and remote control.
Researchers at Sophos X-Ops uncovered this recent campaign, observing activity from January 2023 to October 2024. The malicious chat apps, named SangaalLite and CChat, were distributed through compromised WordPress sites. While this particular campaign may be paused, it illustrates that threat actors often retool and retarget after an initial campaign, improving their malware and adjusting their approach before striking again. Users are advised to avoid installing apps from untrusted sources and employ mobile security solutions for protection.
Recommended read:
References :
- ciso2ciso.com: PJobRAT Malware Campaign Targeted Taiwanese Users via Fake Chat Apps – Source:thehackernews.com
- The Hacker News: An Android malware family previously observed targeting Indian military personnel has been linked to a new campaign likely aimed at users in Taiwan under the guise of chat apps.
- www.infosecurity-magazine.com: PJobRAT malware targets Taiwan Android users, stealing data through fake messaging platforms
- Sophos X-Ops: Back in 2021, researchers reported on PJobRAT, an Android RAT targeting Indian military personnel by imitating various dating and instant messaging apps. After that, everything seemed to go quiet. But during a recent threat hunt, Sophos X-Ops researchers uncovered a more recent PJobRAT campaign appearing to target users in Taiwan – the earliest sample being Jan 2023, and the most recent in October 2024.
- Cyber Security News: Sophos X-Ops researchers have uncovered a new campaign involving PJobRAT, an Android Remote Access Trojan (RAT) first observed in 2019. This latest iteration, which appeared to target users in Taiwan, disguised itself as instant messaging apps such as ‘SangaalLite’ and ‘CChat’.
- gbhackers.com: PJobRAT, an Android Remote Access Trojan (RAT) first identified in 2019, has resurfaced in a new campaign targeting users in Taiwan.
- Sophos News: PJobRAT makes a comeback, takes another crack at chat apps
- Sophos X-Ops: We can’t confirm how users were directed to these sites, but PJobRAT previously used a variety of tricks, including third-party app stores, link shortening, phishing pages, fictitious personae, and posting links on forums. Once on a user’s device, the malware requests various permissions, and can steal SMS messages, phone contacts, device and app info, documents, and media files. The latest variant does not have a built-in function for stealing WhatsApp messages. But it does have a new functionality – running shell commands. This greatly increases the malware’s capabilities.
@www.silentpush.com
//
A sophisticated phishing campaign, suspected to be backed by Russian Intelligence Services, has been uncovered targeting individuals sympathetic to Ukraine, including Russian citizens and informants. The operation involves creating fake websites impersonating organizations such as the CIA, the Russian Volunteer Corps (RVC), Legion Liberty, and "Hochuzhit" ("I Want to Live"), an appeals hotline for Russian service members operated by Ukrainian intelligence. These deceptive sites aim to collect personal information from unsuspecting visitors, exploiting anti-war sentiment within Russia, where such activities are illegal and punishable by law.
Researchers at Silent Push discovered four distinct phishing clusters using tactics such as static HTML, JavaScript, and Google Forms to steal data. The threat actors are utilizing a bulletproof hosting provider, Nybula LLC, to host the fake websites, which are designed to mimic legitimate organizations. The goal is to gather intelligence and potentially identify dissidents within Russia. The campaign highlights the ongoing digital dimension of the Russia-Ukraine conflict and underscores the need for increased vigilance and improved digital hygiene among potential targets.
Recommended read:
References :
- gbhackers.com: reports on the Russian attempts to steal Ukraine Defense Intelligence data
- hackread.com: Russian Phishing Uses Fake CIA Sites to Target Anti-war, Ukraine Supporters
- www.silentpush.com: Russian Intelligence Service-backed Campaigns Impersonate the CIA to Target Ukraine Sympathizers, Russian Citizens and Informants
- Cyber Security News: In a sophisticated cyber espionage campaign recently uncovered, Russian hackers have been impersonating the U.S. Central Intelligence Agency (CIA) and other organizations to harvest sensitive information from Ukrainian sympathizers and potential Russian defectors.
- securityonline.info: Silent Push Threat Analysts uncover a multi-cluster phishing operation leveraging fake CIA and anti-Putin group websites to harvest
info@thehackernews.com (The@The Hacker News
//
A massive malware campaign, identified as ZuizhongJS, has compromised over 150,000 websites through JavaScript injection to promote Chinese gambling platforms. Threat actors are breaching websites to drive traffic to illicit gambling sites. This campaign which injects obfuscated JavaScript and PHP code into the compromised sites hijacks browser windows. The primary goal is to generate revenue by redirecting users to full-screen overlays of fake betting websites, including impersonations of legitimate platforms like Bet365.
The attackers are believed to be linked to the Megalayer exploit, known for distributing Chinese-language malware and employing similar domain patterns and obfuscation tactics. The injected code is often hidden using HTML entity encoding and hexadecimal to evade detection. This campaign underscores the growing threat of client-side attacks and the need for robust website security measures, including regular script audits and strict Content Security Policies, to protect users from malicious redirects and potential financial harm.
Recommended read:
References :
- Cyber Security News: Hackers Breach 150,000 Websites to Drive Traffic to Chinese Gambling Sites
- gbhackers.com: Threat Actors Compromise 150,000 Websites to Promote Chinese Gambling Platforms
- The Hacker News: 150,000 Sites Compromised by JavaScript Injection Promoting Chinese Gambling Platforms
- www.techradar.com: Thousands of websites have now been hijacked by this devious, and growing, malicious scheme
Alex Lekander@CyberInsider
//
Amnesty International's Security Lab has uncovered evidence that two investigative journalists from the Serbia-based Balkan Investigative Reporting Network (BIRN) were targeted with NSO Group’s Pegasus spyware in February 2025. This marks the third time in two years that Amnesty International has found Pegasus being used against civil society members in Serbia, building upon previous findings detailed in their December 2024 report, "A Digital Prison." The journalists received suspicious text messages, and research confirmed the links led to a domain previously identified as part of NSO Group's infrastructure.
These latest findings reinforce concerns about Serbian authorities abusing invasive spyware to target journalists, activists, and other members of civil society. NSO Group responded to Amnesty International's findings by stating they cannot comment on specific customers or disclose technical information, while reiterating their commitment to respecting human rights and upholding the UN Guiding Principles on Business and Human Rights. Despite this commitment, security researchers are increasingly able to detect Pegasus attacks, suggesting challenges for NSO Group in maintaining operational security and concealing their activities.
Recommended read:
References :
- securitylab.amnesty.org: Journalists targeted with Pegasus spyware - Amnesty International Security Lab
- CyberInsider: Viber Messenger Abused for Delivering Pegasus Spyware on Targets
- thecyberexpress.com: Investigative Journalists in Serbia Hit by Advanced Spyware Attack
- techcrunch.com: Again and again, NSO Group’s customers keep getting their spyware operations caught
- infosec.exchange: NEW: Despite its lofty promises of invisibility, NSO Group customers keep getting their spyware operations against journalists and dissidents caught. “NSO has a basic problem: they are not as good at hiding as their customers think,” said John Scott-Railton, who has investigated spyware for 10+ years. This week, it was the turn of the Serbian government, who allegedly targeted two journalists with NSO Group's spyware Pegasus, according to Amnesty International.
- PrivacyDigest: Again and again, Group’s customers keep getting their operations caught | TechCrunch On Thursday, published a new report detailing attempted against two , allegedly carried out with NSO Group’s spyware .
- ESET Research: NEW: Despite its lofty promises of invisibility, NSO Group customers keep getting their spyware operations against journalists and dissidents caught. “NSO has a basic problem: they are not as good at hiding as their customers think,� said John Scott-Railton, who has investigated spyware for 10+ years. This week, it was the turn of the Serbian government, who allegedly targeted two journalists with NSO Group's spyware Pegasus, according to Amnesty International.
- The420.in: The murky world of cyber surveillance has once again been thrust into the spotlight as Amnesty International uncovered an attempt to hack two Serbian journalists using Pegasus, the notorious spyware developed by Israeli firm NSO Group.
Lenart Bermejo@feeds.feedburner.com
//
Earth Alux, a China-linked advanced persistent threat (APT) group, has been identified launching cyberespionage attacks aimed at critical industries. Since the second quarter of 2023, this group has been targeting organizations in the Asia-Pacific (APAC) and Latin American regions, with a focus on sectors including government, technology, logistics, manufacturing, telecommunications, IT services, and retail. Trend Micro's monitoring and investigation efforts have uncloaked the group's stealthy activities and advanced techniques, highlighting the significant risk they pose to sensitive data and operational continuity.
Earth Alux primarily employs the VARGEIT malware as its main backdoor and control tool. VARGEIT is utilized at multiple stages of an attack to maintain persistence, collect data, and execute malicious operations. The malware operates as a multi-channel configurable backdoor with capabilities such as drive information collection, process monitoring, file manipulation, and command line execution. It can also inject additional tools into processes like mspaint.exe for fileless operations, making detection challenging. The group uses sophisticated techniques, including DLL sideloading, timestomping, and encrypted communication channels, to ensure stealth and evade conventional security systems.
Recommended read:
References :
- Cyber Security News: Earth Alux Hackers Deploy VARGIET Malware in Targeted Organizational Attacks
- Cyber Security News: The cybersecurity landscape has been disrupted by Earth Alux, a China-linked advanced persistent threat (APT) group actively conducting espionage operations since the second quarter of 2023. Initially targeting the Asia-Pacific region, the group expanded its operations to Latin America by mid-2024, primarily focusing on government, technology, logistics, manufacturing, telecommunications, IT services, and retail sectors in
- gbhackers.com: Earth Alux Hackers Use VARGIET Malware to Target Organizations
- Osint10x: The cyberespionage techniques of Earth Alux, a China-linked APT group, are putting critical industries at risk. The attacks, aimed at the APAC and Latin American regions, leverage powerful tools and techniques to remain hidden while stealing sensitive data. The post appeared first on .
- www.trendmicro.com: The cyberespionage techniques of Earth Alux, a China-linked APT group, are putting critical industries at risk. The attacks, aimed at the APAC and Latin American regions, leverage powerful tools and techniques to remain hidden while stealing sensitive data.
|
|
FlagThis
