CyberSecurity news

FlagThis

Ashish Khaitan@The Cyber Express //
The FBI has issued a warning regarding the increasing exploitation of end-of-life (EoL) routers by cybercriminals. These outdated devices, which no longer receive security updates from manufacturers, are being targeted with malware, most notably variants of TheMoon, to establish proxy networks. This allows malicious actors to mask their online activities and conduct illicit operations with anonymity. The FBI emphasizes that routers from 2010 or earlier are particularly vulnerable due to the absence of recent software updates, making them susceptible to known exploits.

The compromised routers are then incorporated into botnets and used as proxies, sold on networks like 5Socks and Anyproxy. This enables cybercriminals to route malicious traffic through these unsuspecting devices, obscuring their real IP addresses and making it difficult to trace their criminal activities. TheMoon malware exploits open ports on vulnerable routers, bypassing the need for passwords, and then connects to a command-and-control (C2) server for instructions. This process allows the malware to spread rapidly, infecting more routers and expanding the proxy network.

To mitigate this growing threat, the FBI advises users to replace EoL routers with actively supported models and apply all available firmware and security updates. Disabling remote administration and using strong, unique passwords are also crucial steps in securing network devices. Additionally, regularly rebooting routers can help flush out temporary malware behavior. The FBI's warning underscores the importance of maintaining up-to-date security measures on network hardware to prevent exploitation by cybercriminals seeking to anonymize their activities.

Recommended read:
References :
  • Daily CyberSecurity: FBI Warns: End-of-Life Routers Hijacked to Power Cybercriminal Proxy Networks
  • The DefendOps Diaries: Exploitation of End-of-Life Routers: A Growing Cybersecurity Threat
  • BleepingComputer: FBI: End-of-life routers hacked for cybercrime proxy networks
  • Davey Winder: FBI Warns Of Router Attacks — Is Yours On The List Of 13?
  • www.scworld.com: Attacks surge against antiquated routers, FBI warns
  • bsky.app: The FBI IC3 has published a new PSA warning companies and home consumers that threat actors are exploiting old and outdated end-of-life routers to create massive botnets and that they should probably buy a new device
  • BleepingComputer: The FBI warns that threat actors are deploying malware on end-of-life (EoL) routers to convert them into proxies sold on the 5Socks and Anyproxy networks.
  • cyberinsider.com: FBI Warns Hackers Are Exploiting EoL Routers in Stealthy Malware Attacks
  • www.bleepingcomputer.com: The FBI warns that threat actors are deploying malware on end-of-life (EoL) routers to convert them into proxies sold on the 5Socks and Anyproxy networks.
  • bsky.app: The FBI warns that threat actors are deploying malware on end-of-life (EoL) routers to convert them into proxies sold on the 5Socks and Anyproxy networks.
  • thecyberexpress.com: The Federal Bureau of Investigation (FBI) has issued a warning about the TheMoon malware. The warning also stresses the dramatic uptick in cyberattacks targeting aging internet routers, especially those deemed “End of Life†(EOL).
  • thecyberexpress.com: TheMoon Malware Targets Aging Routers, FBI Issues Alert
  • The Hacker News: BREAKING: 7,000-Device Proxy Botnet Using IoT, EoL Systems Dismantled in U.S. - Dutch Operation
  • securityonline.info: FBI Warns: End-of-Life Routers Hijacked to Power Cybercriminal Proxy Networks
  • securityaffairs.com: The FBI warns that attackers are using end-of-life routers to deploy malware and turn them into proxies sold on 5Socks and Anyproxy networks.
  • www.techradar.com: FBI warns outdated routers are being hacked
  • thecyberexpress.com: The Federal Bureau of Investigation (FBI) has issued a warning about the TheMoon malware.
  • BleepingComputer: Police dismantles botnet selling hacked routers as residential proxies
  • thecyberexpress.com: Law Enforcement Takes Down Botnet Made Up of Thousands of End-Of-Life Routers
  • techcrunch.com: NEW: FBI and Dutch police seized and shut down a botnet made of hacked routers. U.S. authorities also indicted three Russians and a Kazakhstan national for hacking the devices, running the botnet, and selling access to it as a service.
  • infosec.exchange: NEW: FBI and Dutch police seized and shut down a botnet made of hacked routers. U.S. authorities also indicted three Russians and a Kazakhstan national for hacking the devices, running the botnet, and selling access to it as a service.
  • techcrunch.com: NEW: FBI and Dutch police seized and shut down a botnet made of hacked routers. U.S. authorities also indicted three Russians and a Kazakhstan national for hacking the devices, running the botnet, and selling access to it as a service.
  • www.justice.gov: A joint U.S.-Dutch law enforcement operation has taken down a botnet-for-hire that was comprised of thousands of end-of-life routers. The U.S. Department of Justice (DOJ) announced the unsealing of an indictment charging four foreign nationals with conspiracy and other alleged computer crimes for operating the botnets.
  • www.csoonline.com: The FBI is warning that cybercriminals are exploiting that are no longer being patched by manufacturers. Specifically, the “5Socks†and “Anyproxy†criminal networks are using publicly available exploits and injecting persistent malware to gain entry to obsolete routers from Linksys, and Cradlepoint.
  • The Register - Security: The FBI also issued a list of end-of-life routers you need to replace Earlier this week, the FBI urged folks to bin aging routers vulnerable to hijacking, citing ongoing attacks linked to TheMoon malware. In a related move, the US Department of Justice unsealed indictments against four foreign nationals accused of running a long-running proxy-for-hire network that exploited outdated routers to funnel criminal traffic.…
  • iHLS: FBI Warns: Old Routers Exploited in Cybercrime Proxy Networks
  • Peter Murray: FBI and Dutch police seize and shut down botnet of hacked routers
  • The DefendOps Diaries: Explore the dismantling of the Anyproxy botnet and the global efforts to secure digital infrastructure against cybercrime.
  • securityaffairs.com: Operation Moonlander dismantled the botnet behind Anyproxy and 5socks cybercriminals services
  • Anonymous ???????? :af:: BREAKING: $46M cybercrime empire busted. FBI & Dutch forces take down a botnet run on hacked home routers—active since 2004.
  • www.itpro.com: FBI takes down botnet exploiting aging routers
  • Metacurity: US feds seize two top botnet sites in Operation Moonlander

@cyble.com //
Following a series of cyberattacks targeting major UK retailers including Marks & Spencer, Co-op, and Harrods, the National Cyber Security Centre (NCSC) has issued an urgent alert, urging organizations to bolster their defenses. The attacks, which involved ransomware and data theft, have caused significant operational disruptions and data breaches, highlighting the increasing risk faced by the retail sector. The NCSC anticipates that similar attacks are likely to escalate and emphasizes that preparation is key to ensuring business continuity and minimizing financial losses.

The NCSC advises businesses to take immediate and proactive measures to mitigate risks. A key recommendation is to isolate and contain threats quickly by severing internet connectivity immediately to prevent malware from spreading further across networks. It's equally important to ensure that backup servers remain isolated and unaffected by the attack, so they can be used for disaster recovery. The security agency is also calling on firms to review their password reset policies, and in particular how IT help desks authenticate workers when they make a reset request, especially in the case of senior employees with escalated privileges.

To enhance cyber resilience, the NCSC stresses the importance of implementing multi-factor authentication (MFA) across the board. The agency also warns organizations to be constantly on the lookout for ‘risky logins’ within Microsoft Entra ID Protection, where sign-in attempts are flagged as potentially compromised due to suspicious activity or unusual behaviour. The Information Commissioner's Office (ICO) has similar advice warning organizations to make sure that accounts are protected by a strong password, and that passwords aren't being reused across multiple accounts. While attacks against UK retailers have rocked the industry in recent weeks, the NCSC's guidance aims to help businesses avoid falling victim to similar incidents.

Recommended read:
References :
  • DataBreaches.Net: Marks & Spencer breach linked to Scattered Spider ransomware attack
  • Davey Winder: Harrods is the latest major U.K. retailer to confirm a cyberattack as M&S continues to struggle with ransomware strike fallout.
  • securityaffairs.com: Luxury department store Harrods suffered a cyberattack
  • The Register - Security: British govt agents step in as Harrods becomes third mega retailer under cyberattack
  • www.itpro.com: Harrods hit by cyber attack as UK retailers battle threats
  • Graham Cluley: Uh-oh. Marks & Spencer, Co-op, and now Harrods is the latest high profile UK retailer to be hit by what is (most likely) a attack. No organisation is 100% safe.
  • techcrunch.com: UK retail giant Co-op warns of disruption as it battles cyberattack
  • Bloomberg Technology: DragonForce hacking gang takes credit for UK retail attacks
  • NCSC News Feed: NCSC statement: Incident impacting retailers
  • Resources-2: Retail Under Fire: Inside the DragonForce Ransomware Attacks on Industry Giants
  • Zack Whittaker: Bloomberg reporting that DragonForce ransomware gang "and its partners" were behind cyberattacks targeting U.K. retail giants Marks & Spencer, Co-op and Harrods. The gang also claimed to have stolen customer data.
  • doublepulsar.com: DragonForce Ransomware Cartel attacks on UK high street retailers: walking in the front door
  • Metacurity: Harrods becomes the third top UK retailer to fend off a cyberattack
  • hackread.com: UK Retailer Harrods Hit by Cyber Attack After M&S, Co-op
  • NPR Topics: Technology: Harrods, the iconic luxury department store, has become the latest British retailer to fall victim to a cyberattack.
  • bsky.app: Uh-oh. Marks & Spencer, Co-op, and now Harrods is the latest high profile UK retailer to be hit by what is (most likely) a #ransomware attack.
  • www.bbc.co.uk: The BBC reports on DragonForce's attacks on Co-op, details data theft.
  • www.thetimes.com: The Sunday Times article details the DragonForce attack on Marks & Spencer.
  • BleepingComputer: Cybersecurity firm BleepingComputer reported the Co-op's confirmation of significant data theft, contrasting with previous downplayed assessments of the incident.
  • Help Net Security: The Co-op hack is detailed with an update of stolen data and the impact on the company's systems.
  • DataBreaches.Net: BleepingComputer reports on the escalation of the Co-op cyberattack, with hackers boasting about stealing data from millions of customers.
  • arcticwolf.com: Threat Event Timeline 22 April 2025 – Marks & Spencer released a cyber incident update on the London stock exchange website.
  • Rescana: Detailed Report on the DragonForce Cyber Attack on Co-op Introduction: The DragonForce cyber attack on Co-op has emerged as a significant...
  • Tech Monitor: The Co-op Group has acknowledged a substantial data breach in a cyberattack that was reportedly perpetrated by the DragonForce group.
  • arcticwolf.com: Threat Event Timeline 04/22/2025 – Marks & Spencer released a cyber incident update on the London stock exchange website. The incident resulted in the organization having to pause online clothing orders for six days.
  • www.techradar.com: Hackers claim to have stolen private information on 20 million Co-op shoppers
  • cyble.com: Cyberattacks Hit Leading UK Retailers as NCSC Urges Stronger Defences
  • cyble.com: Multiple cyberattacks have recently struck some of the UK’s most iconic retailers, prompting concern from industry leaders and cybersecurity authorities.
  • www.cybersecurity-insiders.com: NCSC issues alert against more ransomware attacks on retailers
  • www.itpro.com: In an official statement, addressed the situation, saying: “The disruption caused by the recent incidents impacting the retail sector are naturally a cause for concern to those businesses affected, their customers, and the public.
  • cyberinsider.com: Cyber Insider reports on Co-op Confirms Member Data Breach Following Cyberattack Incident
  • Check Point Research: Three major UK retailers – Co-op, Harrods and Marks & Spencer (M&S) – were hit by cyberattacks that disrupted operations and compromised sensitive data.
  • www.bleepingcomputer.com: Marks and Spencer breach linked to Scattered Spider ransomware attack
  • cyberinsider.com: NCSC Issues Urgent Guidance After Major UK Retailers Breached by Hackers
  • www.cybersecurity-insiders.com: New Cyber threats emerge from Cyber Attacks on UK Companies.
  • TechInformed: Recent retail cyber attacks have highlighted growing vulnerabilities in the UK sector.
  • techinformed.com: A recent spate of retail cyber attacks has highlighted growing vulnerabilities in the UK sector, with high street names including M&S, the Co-op and Harrods…
  • Cybersecurity Blog: The Marks and Spencer Cyber Attack: Everything You Need to Know
  • Malware ? Graham Cluley: NCSC warns of IT helpdesk impersonation trick being used by ransomware gangs after UK retailers attacked
  • Phishing Tackle: Co-op has revealed that its recent breach was far more serious than initially reported, with a significant amount of data from current and former customers stolen.
  • bsky.app: NCSC warns of IT helpdesk impersonation trick being used by ransomware gangs after UK retailers attacked.
  • www.cysecurity.news: The United Kingdom’s National Cyber Security Centre (NCSC) has issued a stark warning following a wave of cyberattacks targeting some of the country’s most prominent retail chains.

Dissent@DataBreaches.Net //
In December 2024, PowerSchool, a major provider of K-12 software serving 60 million students across North America, experienced a significant data breach. Hackers gained access to sensitive student and teacher data, including personally identifiable information such as Social Security numbers and health data, through a single stolen credential. The company, believing it was the best course of action, paid an undisclosed ransom to the threat actor to prevent the data from being made public, however this has proven to be unsuccessful.

Months later, it has been revealed that the threat actors are now directly targeting individual school districts with extortion demands, using the stolen data from the initial breach. The Toronto District School Board (TDSB), along with other schools in North America, has confirmed receiving ransom demands from the attackers. The exposed information includes names, contact details, birth dates, Social Security numbers, and even some medical alert data. PowerSchool has confirmed that these extortion attempts are related to the original breach and is working with law enforcement.

Cybersecurity experts have warned against paying ransoms, as there is no guarantee that hackers will delete the stolen data. This case exemplifies the risk of paying extortion demands, as the threat actors have resurfaced to revictimize affected individuals and institutions with additional demands. PowerSchool is offering two years of free identity protection to affected individuals, however there will be pressure for them to improve its security and reassure stakeholders that it can prevent similar incidents in the future.

Recommended read:
References :
  • bsky.app: The hacker behind PowerSchool's December breach is now extorting schools, threatening to release stolen student and teacher data.
  • Threats | CyberScoop: The large education tech vendor was hit by a cyberattack and paid a ransom in December. Now, a threat actor is attempting to extort the company’s customers with stolen data.
  • The Register - Security: PowerSchool paid thieves to delete stolen student, teacher data. Crooks may have lied
  • The DefendOps Diaries: Report discussing the PowerSchool data breach and its implications.
  • BleepingComputer: PowerSchool is warning that the hacker behind its December cyberattack is now individually extorting schools, threatening to release the previously stolen student and teacher data if a ransom is not paid. [...]
  • www.bleepingcomputer.com: BleepingComputer reports on PowerSchool hacker extorting school districts.
  • cyberscoop.com: PowerSchool customers hit by downstream extortion threats
  • BleepingComputer: PowerSchool hacker now extorting individual school districts
  • malware.news: PowerSchool paid a hacker’s extortion demand, but now school district clients are being extorted anyway (2)
  • DataBreaches.Net: PowerSchool paid a hacker’s extortion demand, but now school district clients are being extorted anyway (3)
  • PCMag UK security: UK PCMag covers PowerSchool attackers extorting teachers.
  • go.theregister.com: PowerSchool paid thieves to delete stolen student, teacher data. Crooks may have lied Now individual school districts extorted by fiends
  • Metacurity: PowerSchool hackers are extorting schools despite the company's ransom payment
  • techcrunch.com: TechCrunch article on PowerSchool being hacked.
  • hackread.com: PowerSchool Paid Ransom, Now Hackers Target Teachers for More
  • ExpressVPN Blog: Teachers report that bad actors are now targeting them with threatening emails demanding payment following a massive 2024 breach affecting schools across the US and Canada. One of the largest hacks of US schools continues as teachers across the country say that threat actors are extorting them for more money and threatening to release the data.
  • www.metacurity.com: PowerSchool hackers are extorting schools despite the company's ransom payment
  • thecyberexpress.com: Toronto School Board Hit with Extortion Demand After PowerSchool Data Breach
  • Blog: PowerSchool clients now targeted directly by threat actor
  • cyberinsider.com: PowerSchool Ransom Fallout: Extortion Attempts Hit Schools Months After Data Breach
  • www.techradar.com: PowerSchool hackers return, and may not have deleted stolen data as promised
  • malware.news: Double-extortion tactics used in PowerSchool ransomware attack
  • CyberInsider: Months after paying a ransom to suppress the fallout of a major data breach, PowerSchool is facing renewed turmoil as threat actors have begun extorting individual school districts using the same stolen data.
  • Matthew Rosenquist: More extortions, same - a perfect example of how not to deal with risks. The nightmare continues for schools, students, and teachers who's private data was exposed by PowerSchool.
  • matthewrosenquist.substack.com: PowerSchool data breach round 2 extortions
  • aboutdfir.com: Reports an education tech provider paid thieves to delete stolen student, teacher data.
  • MeatMutts: The educational sector has been rocked by a significant data breach involving PowerSchool, a leading education technology provider serving over 60 million students globally.

@securityonline.info //
The Play ransomware gang has been actively exploiting a zero-day vulnerability in the Windows Common Log File System (CLFS), identified as CVE-2025-29824. This high-severity flaw allows attackers to gain SYSTEM privileges on compromised systems, enabling them to deploy malware and carry out other malicious activities. The vulnerability was patched by Microsoft in April 2025; however, it was actively exploited in targeted attacks across various sectors before the patch was released.

The Play ransomware gang's attack methodology is sophisticated, employing custom tools and techniques such as dual extortion. A key tool used is the Grixba infostealer, which scans networks and steals information. In addition to the Grixba infostealer, the group uses a payload injection technique where a malicious payload is injected into the winlogon.exe process. This allows them to inject the Sysinternals procdump.exe tool into various processes for malicious purposes.

The Symantec Threat Hunter Team identified this zero-day vulnerability being actively exploited, including an attack targeting an unnamed organization in the United States. The attackers likely used a public-facing Cisco Adaptive Security Appliance (ASA) as an entry point. During the execution of the exploit, batch files are created to escalate privileges, dump the SAM, SYSTEM, and SECURITY Registry hives, create a new user, and clean up traces of exploitation. The exploitation of CVE-2025-29824 highlights the trend of ransomware actors using zero-days to infiltrate targets, underscoring the importance of prompt patching and robust security measures.

Recommended read:
References :
  • securityaffairs.com: Security Affairs reports Play ransomware affiliate leveraged zero-day to deploy malware
  • The DefendOps Diaries: The Defend Ops Diaries discusses Understanding the Play Ransomware Threat: Exploiting Zero-Day Vulnerabilities.
  • The Hacker News: The Hacker News reports Play Ransomware Exploited Windows CVE-2025-29824 as Zero-Day to Breach U.S. Organization
  • BleepingComputer: BleepingComputer reports Play ransomware exploited Windows logging flaw in zero-day attacks.
  • www.csoonline.com: Windows flaw exploited as zero-day by more groups than previously thought
  • securityonline.info: Zero-Day CLFS Vulnerability (CVE-2025-29824) Exploited in Ransomware Attacks
  • bsky.app: The Play ransomware group has exploited a Windows Common Log File System flaw in zero-day attacks to gain SYSTEM privileges and deploy malware on compromised systems.
  • Davey Winder: Play Ransomware Zero-Day Attacks — US, Saudi Arabia Have Been Targeted
  • www.techradar.com: Ransomware hackers target a new Windows security flaw to hit businesses
  • www.scworld.com: Windows CLFS zero-day leveraged in Play ransomware attacks

@sec.cloudapps.cisco.com //
Cisco has issued a critical security advisory to address CVE-2025-20188, a severe vulnerability affecting its IOS XE Wireless LAN Controllers (WLCs). This flaw, which has been assigned a CVSS score of 10.0, allows an unauthenticated, remote attacker to upload arbitrary files to a vulnerable system. The root cause of this vulnerability lies in a hard-coded JSON Web Token (JWT) present within the affected system, enabling attackers to potentially gain root privileges. The vulnerability impacts several products, including Catalyst 9800-CL Wireless Controllers for Cloud, Catalyst 9800 Embedded Wireless Controllers for Catalyst 9300, 9400, and 9500 Series Switches, Catalyst 9800 Series Wireless Controllers, and Embedded Wireless Controllers on Catalyst APs.

The exploitation requires the Out-of-Band AP Image Download feature to be enabled, which is not enabled by default. An attacker can exploit this vulnerability by sending crafted HTTPS requests to the AP image download interface. A successful exploit could enable the attacker to perform path traversal and execute arbitrary commands with root privileges, leading to a complete compromise of the affected system. Cisco advises administrators to check if the Out-of-Band AP Image Download feature is enabled by using the `show running-config | include ap upgrade` command. If the command returns `ap upgrade method https`, the feature is enabled, and the device is vulnerable.

Currently, there are no direct workarounds available to address this vulnerability. However, as a mitigation measure, administrators can disable the Out-of-Band AP Image Download feature. This will cause AP image downloads to use the CAPWAP method. Cisco strongly recommends implementing this mitigation until an upgrade to a fixed software release can be performed. Cisco has released free software updates to address this vulnerability, advising customers with service contracts to obtain these security fixes through their usual update channels, urging them to upgrade to the fixed release as soon as possible. As of now, the Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of this vulnerability.

Recommended read:
References :
  • securityonline.info: Critical CVE-2025-20188 (CVSS 10) Flaw in Cisco IOS XE WLCs Allows Remote Root Access
  • The Hacker News: Cisco Patches CVE-2025-20188 (10.0 CVSS) in IOS XE That Enables Root Exploits via JWT
  • Rescana: Detailed Analysis Report on Cisco Security Advisory: cisco-sa-wlc-file-uplpd-rHZG9UfC Overview The Cisco Security Advisory ID...
  • Anonymous ???????? :af:: New Cisco flaw scores a perfect 10.0 CVSS. A hardcoded token. Root access. No login needed. If you run Catalyst 9800 wireless controllers, you’ll want to check this fast.
  • securityaffairs.com: Cisco fixed a critical flaw in its IOS XE Wireless Controller that could enable an unauthenticated, remote attacker to upload arbitrary files.
  • thecyberexpress.com: News about Cisco fixing a 10.0-rated wireless controller flaw (CVE-2025-20188).
  • securityonline.info: SecurityOnline reports on critical CVE-2025-20188 flaw in Cisco IOS XE WLCs allowing remote root access.
  • sec.cloudapps.cisco.com: Security Advisory - Security updates available for Cisco IOS and IOS XE Software
  • BleepingComputer: Cisco fixed a maximum severity IOS XE flaw letting attackers hijack devices
  • Security Risk Advisors: Critical Vulnerability in Cisco IOS XE Wireless Controllers Allows Unauthenticated Remote Code Execution
  • BleepingComputer: Cisco fixed a maxmimum severity (10.0) flaw in IOS XE for WLCs that allows attackers to hijack devices. The flaw, tracked as CVE-2025-20188, is caused by a hardcoded JWT token that lets you bypass authentication and ultimately execute commands as root.
  • www.scworld.com: Cisco patches maximum severity vulnerability in IOS XE Software
  • www.bleepingcomputer.com: Critical vulnerability in Cisco IOS XE Wireless Controllers allows unauthenticated remote code execution
  • darkwebinformer.com: Cisco IOS XE Wireless Controllers Vulnerable to Unauthenticated Root Exploits via JWT (CVE-2025-20188)
  • BleepingComputer: Cisco fixed a maxmimum severity (10.0) flaw in IOS XE for WLCs that allows attackers to hijack devices.
  • www.csoonline.com: Cisco patches max-severity flaw allowing arbitrary command execution
  • nvd.nist.gov: CVE-2025-20188 Details

Shivani Tiwari@cysecurity.news //
References: bsky.app , slcyber.io , cyble.com ...
The UK's National Cyber Security Centre (NCSC) has issued an advisory following a series of cyberattacks targeting major UK retailers, including Marks & Spencer (M&S), Co-op, and Harrods. These incidents, which began in April 2025, have prompted warnings for organizations to remain vigilant and implement robust cybersecurity measures. The NCSC is working closely with affected organizations to understand the nature of the intrusions and provide targeted advice to the broader retail sector.

The NCSC's advice strongly suggests the involvement of Scattered Spider, a group of English-speaking cyber criminals previously linked to breaches at MGM Resorts and Caesars Entertainment in the U.S. Scattered Spider is believed to have deployed ransomware to encrypt key systems at M&S, causing significant disruption, including the suspension of online sales. Authorities are urging security teams to implement multi-factor authentication, monitor for risky logins, and review help desk login procedures to mitigate potential ransomware attacks.

While investigations are ongoing to determine if the attacks are linked or the work of a single actor, reports suggest that a group called DragonForce may also be involved. DragonForce operates as a ransomware-as-a-service, providing tools and infrastructure for contracted hackers. The NCSC emphasizes that all organizations should follow the advice on its website to ensure they have appropriate measures in place to prevent attacks and effectively respond to and recover from them.

Recommended read:
References :
  • bsky.app: Beware phony IT calls after Co-op and M&S hacks, says UK cyber centre. The NCSC advice is the strongest hint yet the hackers are using tactics most commonly associated with a collective of English-speaking cyber criminals nicknamed Scattered Spider.
  • slcyber.io: Scattered Spider Linked to Marks & Spencer Cyberattack
  • www.cybersecuritydive.com: UK authorities warn of retail-sector risks following cyberattack spree
  • cyble.com: Multiple cyberattacks have recently struck some of the UK’s most iconic retailers, prompting concern from industry leaders and cybersecurity authorities. Among the affected organizations are Harrods, Marks & Spencer, and the Co-op, all of which have confirmed incidents targeting their digital infrastructure in late April and early May 2025.
  • research.checkpoint.com: For the latest discoveries in cyber research for the week of 5th May, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES Three major UK retailers – Co-op, Harrods and Marks & Spencer (M&S) – were hit by cyberattacks that disrupted operations and compromised sensitive data. The attacks are believed linked to the Scattered
  • www.itpro.com: Following recent attacks on retailers, the NCSC urges other firms to make sure they don't fall victim too
  • www.ncsc.gov.uk: A joint blog post by the NCSC’s National Resilience Director, Jonathon Ellison, and Chief Technology Officer, Ollie Whitehouse.
  • BleepingComputer: UK shares security tips after major retail cyberattacks
  • cyble.com: Multiple cyberattacks have recently struck some of the UK’s most iconic retailers, prompting concern from industry leaders and cybersecurity authorities. Among the affected organizations are Harrods, Marks & Spencer, and the Co-op, all of which have confirmed incidents targeting their digital infrastructure in late April and early May 2025. The UK’s National Cyber Security Centre (NCSC) is currently working alongside these retailers to investigate the attacks and mitigate potential damage.
  • phishingtackle.com: Co-op has revealed that its recent breach was far more serious than initially reported, with a significant amount of data from current and former customers stolen. The National Cyber Security Centre (NCSC) has since warned that cybercriminals are impersonating IT … The post appeared first on .
  • bsky.app: NCSC warns of IT helpdesk impersonation trick being used by ransomware gangs after UK retailers attacked. https://www.exponential-e.com/blog/ncsc-warns-of-it-helpdesk-impersonation-trick-being-used-by-ransomware-gangs-after-uk-retailers-attacked
  • www.cysecurity.news: The disruption caused by the recent incidents impacting the retail sector are naturally a cause for concern to those businesses affected, their customers and the public,†said NCSC CEO Dr Richard Horne.
  • Malware ? Graham Cluley: NCSC warns of IT helpdesk impersonation trick being used by ransomware gangs after UK retailers attacked.

Dissent@DataBreaches.Net //
References: Davey Winder , DataBreaches.Net , bsky.app ...
Hackers claiming affiliation with Anonymous have targeted GlobalX Airlines, an airline reportedly used by the Trump administration for deportations to El Salvador. The hacktivists defaced the airline's website, leaving a message aimed at former President Trump. They also claimed to have stolen sensitive data, including flight records and passenger manifests, potentially exposing details about deportees. The attackers asserted that they were acting because GlobalX was ignoring lawful orders against what they called "fascist plans."

The leaked data, as reported by 404 Media, provides granular insight into who was deported on GlobalX flights, when, and to where. The breached information includes flight logs, passenger lists, and itinerary details spanning from January to May 2025. Concerns have been raised about the potential impact on individuals deported, especially those whose whereabouts were previously unknown, with at least one case showing the hacked data held more accurate records than official government lists.

The hack exposed vulnerabilities in GlobalX's cybersecurity, as the hackers claim to have accessed the company's AWS cloud infrastructure and GitHub account through a developer token. They also claimed to have sent messages to pilots through a flight operations tool. As of this report, neither GlobalX nor the U.S. immigration authorities have issued an official response to the security breach.

Recommended read:
References :
  • Davey Winder: Anonymous Hacks Airline Used In Trump El Salvador Deportations
  • DataBreaches.Net: GlobalX, Airline for Trump’s Deportations, Hacked
  • techcrunch.com: GlobalX, airline used for Trump deportations, gets hacked: Report
  • bsky.app: Hackers hit deportation airline GlobalX, leak flight manifests, and leave an unsubtle message for "Donnie" Trump
  • www.404media.co: Man ‘Disappeared’ by ICE Was on El Salvador Flight Manifest, Hacked Data Shows
  • www.bitdefender.com: Hackers hit deportation airline GlobalX, leak flight manifests, and leave an unsubtle message for “Donnie†Trump

@source.android.com //
Google has released its May 2025 Android security bulletin, addressing a total of 46 vulnerabilities. The update includes a fix for CVE-2025-27363, a critical Remote Code Execution (RCE) flaw that is already being actively exploited in the wild. The RCE flaw exists within the Android System component, enabling local code execution without requiring user interaction or elevated privileges.

This vulnerability stems from FreeType, an open-source font rendering library widely embedded in Android. Google's advisory underscores the severity of this actively exploited bug, prompting the U.S. CISA to add it to its Known Exploited Vulnerabilities Catalog. U.S. federal agencies are now under directive to apply the patch by May 27, 2025.

The May 2025 Android security bulletin resolves several other high-impact issues across Android versions 13 through 15. These include multiple Elevation of Privilege (EoP) flaws affecting both the framework and system components. Among them are CVE-2025-0087 and CVE-2025-26426. Users are encouraged to check for updates to ensure their devices are protected from these vulnerabilities. The update is available for Android 13, 14, and 15, with Android vendors notified of the issues at least a month before publication.

Recommended read:
References :
  • CyberScoop: Google addresses 1 actively exploited vulnerability in May’s Android security update
  • Malwarebytes: Malwarebytes discusses Android fixes 47 vulnerabilities, including one zero-day.
  • securityaffairs.com: SecurityAffairs Google fixed actively exploited Android flaw CVE-2025-27363
  • The Hacker News: The hackernews update ASAP: Google Fixes Android Flaw (CVE-2025-27363) Exploited by Attackers
  • socradar.io: SocRadar: Android’s May 2025 Update Tackles CVE-2025-27363 & More
  • www.bleepingcomputer.com: bleepingcomputer: Google fixes actively exploited FreeType flaw on Android
  • thecyberexpress.com: Google Rolls Out May 2025 Android Security Bulletin, Fixes 46 Vulnerabilities Including CVE-2025-27363

Rescana@Rescana //
ASUS DriverHub, a driver management utility designed to simplify updates by automatically detecting motherboard models, is facing scrutiny following the discovery of critical security flaws. Cybersecurity researchers identified vulnerabilities, designated as CVE-2025-3462 and CVE-2025-3463, that could allow malicious actors to remotely execute code on systems with the software installed. These flaws stem from insufficient HTTP request validation, potentially enabling unauthorized remote interactions with the software and the ability for malicious sites to execute commands with administrative rights.

Researchers discovered a one-click remote code execution vulnerability in ASUS's pre-installed DriverHub software. The attack vector involves tricking users into visiting a malicious subdomain of driverhub.asus[.]com. By leveraging the DriverHub's UpdateApp endpoint, attackers can execute a legitimate version of "AsusSetup.exe" with modified parameters that enable the execution of arbitrary files hosted on the attacker's domain. This exploit requires the creation of a malicious domain hosting three files: the payload, a modified AsusSetup.ini with a "SilentInstallRun" property pointing to the payload, and the legitimate AsusSetup.exe.

ASUS has released an update, version 1.0.6.0 or newer, to address these vulnerabilities and urges users to update immediately. The update includes important security fixes to mitigate the risk of remote code execution. Users are advised to open the ASUS DriverHub utility and click the "Update Now" button to complete the patching process. While there are no confirmed cases of active exploitation in the wild, a proof of concept exploit exists, highlighting the potential danger, especially for sectors relying heavily on ASUS motherboards.

Recommended read:
References :
  • securityonline.info: Critical Security Flaws Found in ASUS DriverHub: Update Immediately
  • Rescana: Vulnerabilities in ASUS DriverHub Exposed: CVE-2025-3462 and CVE-2025-3463 Analysis
  • cyberinsider.com: Critical Flaw in ASUS DriverHub Exposes Users to Remote Code Execution
  • securityaffairs.com: Researchers found one-click RCE in ASUS’s pre-installed software DriverHub
  • The DefendOps Diaries: ASUS DriverHub Vulnerability: Understanding and Mitigating CVE-2025-3463
  • The Hacker News: ASUS Patches DriverHub RCE Flaws Exploitable via HTTP and Crafted .ini Files
  • BleepingComputer: The ASUS DriverHub driver management utility was vulnerable to a critical remote code execution flaw that allowed malicious sites to execute commands on devices with the software installed.
  • bsky.app: ASUS DriverHub driver management utility was vulnerable to a critical remote code execution flaw that allowed malicious sites to execute commands on devices with the software installed.

@The DefendOps Diaries //
Ascension, one of the largest private healthcare systems in the United States, is facing scrutiny following a significant data breach. The company revealed that the personal and healthcare information of over 430,000 patients was exposed in an incident disclosed last month. The breach stemmed from a compromise affecting a former business partner, highlighting the inherent risks associated with third-party vendors and the critical need for robust cybersecurity measures within the healthcare ecosystem.

The vulnerability in third-party software allowed attackers access to sensitive patient data. Depending on the patient, the attackers could access personal health information related to inpatient visits, including the physician's name, admission and discharge dates, diagnoses, and more. The data breach underscores the importance of healthcare organizations thoroughly vetting and continuously monitoring third-party vendors and their software solutions. This situation exemplifies how a single point of failure in the supply chain can have far-reaching consequences for patient privacy and data security.

The Ascension data breach has broader implications for healthcare cybersecurity. The incident serves as a stark reminder of the vulnerabilities in healthcare systems, especially those involving third-party software. The lessons learned emphasize the need for strengthening cybersecurity defenses against third-party and ransomware threats. Healthcare providers must prioritize data protection, regularly assess the security of their partners, and implement robust measures to protect patient information from evolving cyber threats.

Recommended read:
References :
  • bsky.app: Ascension, one of the largest private healthcare systems in the United States, has revealed that a data breach disclosed last month affects the personal and healthcare information of over 430,000 patients.
  • securityaffairs.com: Ascension reveals personal data of 437,329 patients exposed in cyberattack
  • The DefendOps Diaries: Lessons from the Ascension Data Breach: Strengthening Healthcare Cybersecurity
  • www.bleepingcomputer.com: Ascension, one of the largest private healthcare systems in the United States, has revealed that a data breach disclosed last month affects the personal and healthcare information of over 430,000 patients.
  • BleepingComputer: Ascension, one of the largest private healthcare systems in the United States, has revealed that a data breach disclosed last month affects the personal and healthcare information of over 430,000 patients.
  • BleepingComputer: Ascension, one of the largest private healthcare systems in the United States, has revealed that a data breach disclosed last month affects the personal and healthcare information of over 430,000 patients.
  • MeatMutts: Human Error Reveals Massive Data Breach in Ascension Healthcare System
  • Tech Monitor: Ascension data breach exposes information of over 430,000 patients

Dissent@DataBreaches.Net //
Pearson, the global education and publishing giant, has confirmed it suffered a cyberattack resulting in the theft of corporate data and customer information. The breach was discovered by BleepingComputer, who reported that the attackers gained unauthorized access to Pearson's systems. Pearson, a UK-based company, is a major player in academic publishing, digital learning tools, and standardized assessments, serving schools, universities, and individuals across over 70 countries.

Pearson stated that after discovering the unauthorized access, they acted to stop the breach, investigate the incident, and ascertain what data was affected with forensics experts. They also supported law enforcements investigation. Furthermore, Pearson said they've taken steps to deploy additional security measures onto their systems, including enhanced security monitoring and authentication. BleepingComputer was tipped off that someone used an exposed GitLab Personal Access token to compromise Pearson’s development environment in January 2025. The token was found in a public .git/config file, with the attackers using this access to find even more login credentials, hardcoded in the source code, which they then used to infiltrate the company’s network and steal corporate and customer information.

The company downplayed the significance of the breach, suggesting the stolen data was largely outdated, referring to it as "legacy data." Pearson has not disclosed the number of individuals affected, nor the specific types of information exposed. There was no employee information among the stolen files, it was confirmed.

Recommended read:
References :
  • DataBreaches.Net: Lawrence Abrams reports: Education giant Pearson suffered a cyberattack, allowing threat actors to steal corporate data and customer information, BleepingComputer has learned.
  • BleepingComputer: Education giant Pearson suffered a cyberattack, allowing threat actors to steal corporate data and customer information, BleepingComputer has learned.
  • www.techradar.com: Another case of exposed Git configuration files leading up to a larger compromise, this time against education giant Pearson.
  • malware.news: Cyberattack compromises Pearson data

@blog.checkpoint.com //
Ransomware attacks have surged in 2025, evolving into more sophisticated and dangerous threats than ever before. What started as simple file encryption schemes has morphed into full-blown extortion ecosystems. These modern attacks now involve data exfiltration, public shaming of victims, and even DDoS attacks, marking a significant escalation in cybercriminal tactics. According to Check Point Research, the first quarter of 2025 saw a record-breaking 2,289 victims published on data leak sites, representing a staggering 126% year-over-year increase, demonstrating the growing threat volume and the evolving tactics employed by attackers.

The rise of Ransomware-as-a-Service (RaaS) has also significantly contributed to the increased threat landscape. Check Point's 2024 Annual Ransomware Report revealed that 46 new ransomware groups emerged in that year alone, a 48% increase compared to the previous year. These groups offer ready-made ransomware kits, lowering the barrier to entry for cybercriminals and enabling a wider range of actors to launch attacks. Experts are particularly concerned about the potential for "triple extortion" models, which combine DDoS attacks, public leak threats, and direct harassment of customers or partners to pressure victims into paying ransoms.

In addition to the increasing sophistication of ransomware itself, cybercriminals are also abusing legitimate tools to blend in with compromised environments. The Cactus ransomware gang, for example, has been known to direct victims to initiate Microsoft Quick Assist remote access sessions, even assisting them with the installation of the program. With Anti-Ransomware Day being on May 12, organizations are urged to prioritize proactive defenses, incident response planning, and employee awareness training to mitigate the growing risk of ransomware attacks in 2025 and beyond.

Recommended read:
References :

TIGR Threat@Security Risk Advisors //
A supply chain attack has successfully compromised the 'rand-user-agent' npm package, injecting obfuscated code designed to activate a remote access trojan (RAT) on unsuspecting users' systems. This JavaScript library, used for generating randomized user-agent strings beneficial for web scraping and automated testing, has been averaging 45,000 weekly downloads despite being deprecated. The malicious activity was detected by an automated malware analysis pipeline on May 5, 2025, which flagged the [email protected] version for containing unusual code indicative of a supply chain attack.

The injected RAT was designed to establish a persistent connection with a command and control (C2) server at http://85.239.62[.]36:3306. Upon activation, the RAT transmits critical machine identification data, including hostname, username, operating system type, and a generated UUID, enabling attackers to uniquely identify and manage compromised systems. Once connected, the RAT listens for commands from the C2 server, allowing attackers to manipulate the file system, execute arbitrary shell commands, and exfiltrate data from affected systems.

Researchers at Aikido noted that threat actors exploited the package's semi-abandoned but still popular status to inject malicious code into unauthorized releases. The compromised versions of the package were promptly removed from the npm repository. Users are advised to check their systems for any installations of the compromised package and implement robust security practices to mitigate the risk of similar supply chain attacks. This incident underscores the critical importance of vigilant monitoring and dependency management in software development to protect against supply chain vulnerabilities.

Recommended read:
References :
  • bsky.app: A threat actor has compromised the rand-user-agent JavaScript library and released a malicious version containing a remote access trojan.
  • BleepingComputer: An npm package named 'rand-user-agent' has been compromised in a supply chain attack to inject obfuscated code that activates a remote access trojan (RAT) on the user's system.
  • The DefendOps Diaries: Understanding the Supply Chain Attack on 'rand-user-agent' npm Package
  • www.bleepingcomputer.com: An npm package named 'rand-user-agent' has been compromised in a supply chain attack to inject obfuscated code that activates a remote access trojan (RAT) on the user's system.
  • Secure Bulletin: Malicious npm packages hijack macOS Cursor AI IDE
  • Security Risk Advisors: Malicious npm Packages Target macOS Cursor Editor and Cryptocurrency Users in Coordinated Supply Chain Attacks
  • The Hacker News: Malicious npm Packages Infect 3,200+ Cursor Users With Backdoor, Steal Credentials
  • Security Risk Advisors: RATatouille RAT Discovered in Compromised rand-user-agent NPM Package Affecting Thousands of Weekly Downloads
  • BleepingComputer: An npm package named 'rand-user-agent' has been compromised in a supply chain attack to inject obfuscated code that activates a remote access trojan (RAT) on the user's system.
  • socket.dev: Malicious #npm packages targeting #Cursor editor and #crypto users steal credentials and execute remote code. #cybersecurity #supplychain

Mayura Kathir@gbhackers.com //
Scattered Spider, a sophisticated hacking collective known for its social engineering tactics, has allegedly breached Marks & Spencer by targeting the company's IT help desk. The cybercriminals reportedly duped an IT help desk employee into resetting a password, which then granted them access to internal networks. This breach is said to have disrupted M&S's online operations, leading to the temporary suspension of online orders, as reported between April and May 2025. Scattered Spider, also known as UNC3944, Octo Tempest, and Muddled Libra, has become prominent for using social engineering to exploit corporate service desks.

This attack on Marks & Spencer is part of a broader trend impacting UK retailers. The National Cyber Security Centre (NCSC) has issued warnings to organizations, urging them to be wary of phony IT helpdesk calls. Other retailers such as Co-op and Harrods have also been linked to attacks resulting in stolen member data and crippled payment systems. Any organization with a service desk is theoretically vulnerable to these low-tech, high-impact tactics employed by Scattered Spider and similar groups.

Scattered Spider is believed to be composed of young US and UK citizens who are part of a collective known as "The Comm," an underground community of English-speaking criminals that communicates and coordinates using social media platforms like Discord or Telegram. While five users associated with Scattered Spider, including the alleged leader, were detained in the first half of 2024, the complete composition of the group remains undetermined. After a period of relative silence following these arrests, Scattered Spider has resurfaced with this latest string of attacks on UK retail brands, prompting renewed cybersecurity concerns.

Recommended read:
References :
  • cyble.com: Cyberattacks Hit Leading UK Retailers as NCSC Urges Stronger Defences
  • specopssoft.com: Scattered Spider service desk attacks: How to defend your organization
  • Cybersecurity Blog: The Marks and Spencer Cyber Attack: Everything You Need to Know
  • Malware ? Graham Cluley: NCSC warns of IT helpdesk impersonation trick being used by ransomware gangs after UK retailers attacked
  • www.cysecurity.news: M&S Hackers Conned IT Help Desk Workers Into Accessing Firm Systems
  • bsky.app: NCSC warns of IT helpdesk impersonation trick being used by ransomware gangs after UK retailers attacked. https://www.exponential-e.com/blog/ncsc-warns-of-it-helpdesk-impersonation-trick-being-used-by-ransomware-gangs-after-uk-retailers-attacked
  • gbhackers.com: Cyberattackers Targeting IT Help Desks for Initial Breach
  • Delinea Blog: M&S and Co-op Breaches: Lessons in Identity Security

@securityonline.info //
Microsoft has recently addressed several critical security vulnerabilities affecting its Azure cloud services and Microsoft Power Apps. The flaws, identified in Azure Automation, Azure Storage, Azure DevOps, and Microsoft Power Apps, highlighted the importance of proactive security measures within cloud-native development environments. One vulnerability, CVE-2025-29813, received the maximum Common Vulnerability Scoring System (CVSS) score of 10, indicating its severity.

The most critical vulnerability, found in Azure DevOps, allowed attackers with project-level access to escalate their privileges by exchanging short-term pipeline job tokens for long-term ones, potentially gaining extensive access within a project environment. Additional vulnerabilities included CVE-2025-29827 in Azure Automation, where improper authorization could enable a user to elevate privileges, CVE-2025-29972, an SSRF vulnerability in Azure Storage Resource Provider, and CVE-2025-47733 in Microsoft Power Apps, which allowed unauthorized information disclosure over a network through a Server-Side Request Forgery (SSRF).

Despite the severity of these vulnerabilities, Microsoft has assured users that no action is required on their part. The company has already mitigated the flaws at the platform level, preventing potential exploitation. These patches underscore Microsoft's commitment to maintaining a secure cloud environment and highlight the ongoing need for robust security practices within cloud-native development.

Recommended read:
References :
  • securityonline.info: Microsoft Patches Four Critical Azure and Power Apps Vulnerabilities, Including CVSS 10 Privilege Escalation
  • Talkback Resources: Microsoft addressed critical vulnerabilities in various Azure services, including Azure Automation, Azure Storage, Azure DevOps, and Microsoft Power Apps, emphasizing the need for proactive security measures in cloud-native development environments.
  • Davey Winder: Microsoft has confirmed several cloud security vulnerabilities, including one with a maximum critical rating of 10.
  • Davey Winder: Critical 10/10 Microsoft Cloud Security Vulnerability Confirmed

@owaspai.org //
References: OWASP , Bernard Marr
The Open Worldwide Application Security Project (OWASP) is actively shaping the future of AI regulation through its AI Exchange project. This initiative fosters collaboration between the global security community and formal standardization bodies, driving the creation of AI security standards designed to protect individuals and businesses while encouraging innovation. By establishing a formal liaison with international standardization organizations like CEN/CENELEC, OWASP is enabling its vast network of security professionals to directly contribute to the development of these crucial standards, ensuring they are practical, fair, and effective.

OWASP's influence is already evident in the development of key AI security standards, notably impacting the AI Act, a European Commission initiative. Through the contributions of experts like Rob van der Veer, who founded the OWASP AI Exchange, the project has provided significant input to ISO/IEC 27090, the global standard on AI security guidance. The OWASP AI Exchange serves as an open-source platform where experts collaborate to shape these global standards, ensuring a balance between strong security measures and the flexibility needed to support ongoing innovation.

The OWASP AI Exchange provides over 200 pages of practical advice and references on protecting AI and data-centric systems from threats. This resource serves as a bookmark for professionals and actively contributes to international standards, demonstrating the consensus on AI security and privacy through collaboration with key institutes and Standards Development Organizations (SDOs). The foundation of OWASP's approach lies in risk-based thinking, tailoring security measures to specific contexts rather than relying on a one-size-fits-all checklist, addressing the critical need for clear guidance and effective regulation in the rapidly evolving landscape of AI security.

Recommended read:
References :
  • OWASP: OWASP Enables AI Regulation That Works with OWASP AI Exchange
  • Bernard Marr: Take These Steps Today To Protect Yourself Against AI Cybercrime

@industrialcyber.co //
The UK's National Cyber Security Centre (NCSC) has issued a warning that critical systems in the United Kingdom face increasing risks due to AI-driven vulnerabilities. The agency highlighted a growing 'digital divide' between organizations capable of defending against AI-enabled threats and those that are not, exposing the latter to greater cyber risk. According to a new report, developments in AI are expected to accelerate the exploitation of software vulnerabilities by malicious actors, intensifying cyber threats by 2027.

The report, presented at the NCSC's CYBERUK conference, predicts that AI will significantly enhance the efficiency and effectiveness of cyber intrusions. Paul Chichester, NCSC director of operations, stated that AI is transforming the cyber threat landscape by expanding attack surfaces, increasing the volume of threats, and accelerating malicious capabilities. He emphasized the need for organizations to implement robust cybersecurity practices across their AI systems and dependencies, ensuring up-to-date defenses.

The NCSC assessment emphasizes that by 2027, AI-enabled tools will almost certainly improve threat actors' ability to exploit known vulnerabilities, leading to a surge in attacks against systems lacking security updates. With the time between vulnerability disclosure and exploitation already shrinking, AI is expected to further reduce this timeframe. The agency urges organizations to adopt its guidance on securely implementing AI tools while maintaining strong cybersecurity measures across all systems.

Recommended read:
References :
  • Industrial Cyber: GCHQ’s National Cyber Security Centre (NCSC) has warned that U.K. critical systems are facing growing risks due to...
  • NCSC News Feed: NCSC warns that organisations unable to defend AI-enabled threats are exposed to greater cyber risk and AI-driven vulnerabilities and threats
  • Tech Monitor: Report predicts that AI will enhance cyber intrusion efficiency and effectiveness by 2027

@cyberpress.org //
A joint investigation by SentinelLABS and Validin has exposed a massive cryptocurrency phishing operation named "FreeDrain." This industrial-scale network has been siphoning digital assets for years by exploiting weaknesses in free publishing platforms. FreeDrain utilizes aggressive SEO manipulation, free-tier web services like gitbook.io, webflow.io, and github.io, along with sophisticated layered redirection techniques to lure unsuspecting victims. The operation's primary goal is to steal cryptocurrency wallet login credentials and seed phrases, often resulting in rapid fund exfiltration.

FreeDrain operators achieve high search engine rankings by creating over 38,000 malicious subdomains on trusted platforms, including Amazon S3 and Azure Web Apps. These subdomains host lure pages that often feature AI-generated content and screenshots of legitimate wallet interfaces. When users search for wallet-related queries, they are redirected through comment-spammed URLs and custom redirector domains to highly convincing phishing clones. These phishing pages frequently include live chat widgets manned by real human operators who encourage victims to submit their credentials.

Researchers believe the operators are based in the UTC+05:30 timezone (Indian Standard Time) and work standard weekday hours. The sophistication of FreeDrain lies in its scale, automation, and ability to avoid traditional phishing email delivery vectors. Victims are funneled from benign-seeming search queries directly to malicious pages ranked at the top of major search engines. Validin first became aware of FreeDrain on May 12, 2024, after a victim reported losing approximately 8 BTC (around $500,000 at the time) to a phishing site.

Recommended read:
References :

Jacob Santos@feeds.trendmicro.com //
The Agenda ransomware group, also known as Qilin, has enhanced its attack capabilities by incorporating SmokeLoader and NETXLOADER into its campaigns. Trend Micro researchers discovered this shift, highlighting the group's ongoing evolution and increased sophistication. The group is actively targeting organizations across multiple sectors, including healthcare, technology, financial services, and telecommunications. These attacks are spanning across various geographical regions, with a primary focus on the US, the Netherlands, Brazil, India, and the Philippines, demonstrating a broad and aggressive targeting strategy.

The newly identified NETXLOADER plays a crucial role in these attacks by stealthily deploying malicious payloads, including the Agenda ransomware and SmokeLoader. NETXLOADER is a .NET-based loader protected by .NET Reactor 6, making it difficult to analyze. Its complexity is enhanced by the utilization of JIT hooking techniques, obfuscated method names, and AES-decrypted GZip payloads to evade detection, indicating a significant leap in malware delivery methods. SmokeLoader further contributes to the group's arsenal with its own set of evasion tactics, including virtualization/sandbox detection and process injection, which complicates attribution and defense efforts.

Qilin has emerged as a dominant ransomware group, leading in data leak disclosures in April 2025. This surge in activity is partly attributed to the group gaining affiliates from the RansomHub uncertainty. Cyble reported that Qilin claimed responsibility for 74 attacks in April, surpassing other groups in ransomware activity. The incorporation of NETXLOADER and SmokeLoader, coupled with their stealthy delivery methods, further solidifies Qilin's position as a formidable threat in the current ransomware landscape, posing a significant risk to organizations worldwide.

Recommended read:
References :
  • Virus Bulletin: Trend Micro researchers discovered that the Agenda ransomware group added SmokeLoader & NETXLOADER to its recent campaigns. Targets include healthcare, technology, financial services & telecommunications sectors in the US, the Netherlands, Brazil, India & the Philippines.
  • securityonline.info: Agenda Ransomware Evolves with NETXLOADER and SmokeLoader in Global Campaigns
  • www.trendmicro.com: Agenda Ransomware Group Adds SmokeLoader and NETXLOADER to Their Arsenal
  • The Hacker News: Qilin Ransomware Ranked Highest in April 2025 with Over 45 Data Leak Disclosures
  • cyble.com: Cyble stated that Qilin gained affiliates from the RansomHub uncertainty, led all groups with 74 attacks claimed in April.
  • redpiranha.net: Red Piranha stated that the threat group Qilin has been active for over one year or for multiple years and Qilin also Tool usage is going to be slightly outdated due to the time it takes incident response teams to wrap up an investigation, compile findings, and publish a report.
  • MeatMutts: Qilin Ransomware Gang Targets Hamilton County Sheriff's Office

@Talkback Resources //
The Co-op has confirmed a significant data breach following a cyberattack carried out by the ransomware group DragonForce. The attackers claim to have stolen sensitive data from current and former Co-op members, including names and contact details. While financial information and passwords were not compromised, the breach impacts a substantial number of individuals signed up for the Co-op's membership scheme, with DragonForce claiming access to the private information of around 20 million people. The NCSC is working with The Co-op to understand the full scope of the incident and provide expert advice.

DragonForce gained initial access to Co-op's IT networks by exploiting a vulnerability in internal communication systems, such as Microsoft Teams. They then exfiltrated large volumes of customer and employee data, using the stolen information to demand a ransom payment. Screenshots of extortion messages sent to Co-op's head of cyber security via an internal Microsoft Teams chat were shared with the BBC as proof of the breach. In response, the Co-op has implemented immediate security measures, including verifying meeting participants and requiring cameras to be turned on during calls.

The attack on Co-op is believed to be part of a broader campaign targeting major UK retailers, with similar incidents recently affecting Marks & Spencer and Harrods. These attacks are linked to affiliates of the DragonForce ransomware group, believed to be part of the Scattered Spider cybercrime community. This group is known for employing aggressive extortion tactics and sophisticated entry methods such as SIM swapping and MFA fatigue. The Co-op is currently rebuilding its Windows domain controllers and strengthening its defenses in collaboration with Microsoft DART and KPMG.

Recommended read:
References :
  • Talkback Resources: DragonForce hackers claim responsibility for cyberattack on Co-op, stealing major customer and employee data and targeting other companies with ransomware tactics.
  • Rescana: Detailed Report on the DragonForce Cyber Attack on Co-op Introduction: The DragonForce cyber attack on Co-op has emerged as a significant...
  • securityaffairs.com: DragonForce group claims the theft of data after Co-op cyberattack
  • Delinea Blog: M&S and Co-op Breaches: Lessons in Identity Security
  • phishingtackle.com: Co-op has revealed that its recent breach was far more serious than initially reported, with a significant amount of data from current and former customers stolen.

@cyberpress.org //
Critical security vulnerabilities have been discovered in Mitel SIP phones, potentially exposing enterprise communication systems to unauthorized access and control. The flaws impact widely deployed models, including the 6800, 6900, and 6900w Series, as well as the 6970 Conference Unit. These vulnerabilities include a command injection flaw (CVE-2025-47188) and an unauthenticated file upload vulnerability (CVE-2025-47187). Mitel has issued a security advisory, MISA-2025-0004, urging users to update their devices immediately.

Mitel's critical command injection vulnerability (CVE-2025-47188) allows unauthenticated attackers with network access to execute arbitrary commands on affected phones. The flaw stems from insufficient sanitization of parameters within the device’s web management interface. With a CVSS score of 9.8, exploitation of this vulnerability could grant attackers control over the device, enabling them to exfiltrate sensitive data, alter system settings, and disrupt operations. This could also allow attackers to use the compromised device as a foothold to pivot deeper into enterprise networks.

The affected devices are Mitel 6800, 6900, and 6900w Series SIP Phones, and the 6970 Conference Unit running firmware version R6.4.0.SP4 or earlier. Mitel recommends upgrading to firmware version R6.4.0.SP5 or newer releases to mitigate these risks. While Mitel suggests keeping SIP phones on protected internal networks, organizations with expansive and poorly segmented networks remain at heightened risk.

Recommended read:
References :
  • cyberpress.org: Hackers Can Exploit Mitel SIP Phone Vulnerabilities to Run Malicious Commands
  • Cyber Security News: Critical Vulnerabilities in Mitel SIP Phones Let Attackers Inject Malicious Commands
  • gbhackers.com: Mitel SIP Phone Flaws Allow Attackers to Inject Malicious Commands
  • securityonline.info: Critical Vulnerabilities Uncovered in Mitel SIP Phones: Command Injection and File Upload Risks

@thecyberexpress.com //
More than 40 hacktivist groups have launched a coordinated cyber campaign against India following a terror attack in Pahalgam, Jammu and Kashmir, on April 22. The cyberattacks are a reflection of the ongoing tensions between India and Pakistan, particularly concerning the Kashmir region. These hacktivist groups, united under the banner of #OpIndia, are targeting key Indian government portals, healthcare infrastructure, and cyber defense agencies.

The coordinated cyber campaign involves various types of attacks, including website defacements and Denial-of-Service (DoS) attacks aimed at disrupting services. Hacktivist groups have also claimed data breaches. The attacks reflect a familiar pattern where cyber activity escalates during times of real-world tension between India and Pakistan, with hacktivist groups from both sides launching attacks in response to events on the ground.

The cyber retaliation between India and Pakistan is not new, with digital skirmishes becoming more frequent during political or military flare-ups. Over the years, cyber activity related to India has grown, including hacktivist campaigns, data leaks, and the sale of stolen information on the Dark Web. While some incidents are low impact or symbolic, they often align with events on the ground, demonstrating how the conflict now extends into cyberspace.

Recommended read:
References :
  • cyble.com: India Experiences Surge in Hacktivist Group Activity Amid Military Tensions
  • thecyberexpress.com: Over 40 Hacktivist Groups Target India in Coordinated Cyber Campaign: High Noise, Low Impact
  • Secure Bulletin: Tactical reality behind the India-Pakistan hacktivist surge
  • securebulletin.com: Tactical reality behind the India-Pakistan hacktivist surge

@cyberinsider.com //
References: cyberinsider.com
Recent reports highlight a surge in the exploitation of critical software vulnerabilities across various platforms. These vulnerabilities, affecting both widely used software like Microsoft products and open-source tools such as the Linux kernel, pose significant risks to system security. A particularly concerning flaw has been identified in ASUS DriverHub, potentially allowing remote code execution with administrative privileges. This highlights the persistent challenge of maintaining secure software ecosystems and the importance of vigilant monitoring and rapid patching.

The vulnerabilities span a range of severity levels, with some enabling privilege escalation and remote code execution, as demonstrated by the ASUS DriverHub flaw. Cyble has issued weekly vulnerability reports, emphasizing the presence of zero-day vulnerabilities and active exploits targeting popular IT products. Specific details include Commvault updating its advisory for a critical Commvault Command Center Vulnerability (CVE-2025-34028) and Ubuntu releasing a security notice (USN-7506-3) addressing multiple vulnerabilities within the Linux kernel (FIPS). These instances underscore the need for comprehensive vulnerability management strategies for both enterprises and individual users.

Security experts emphasize the critical role of timely patching and robust vulnerability management practices in mitigating these risks. For example, Arctic Wolf noted that updating to Commvault versions 11.38.20 or 11.38.25 alone is insufficient to fully address the CVE-2025-34028 vulnerability. Ubuntu users are advised to perform a standard system update followed by a reboot to apply the necessary Linux kernel fixes, while also being aware of the need to recompile and reinstall third-party kernel modules due to an unavoidable ABI change. Organizations are urged to implement proactive security measures, including continuous monitoring, vulnerability scanning, and rapid deployment of security patches to protect their systems from exploitation.

Recommended read:
References :
  • cyberinsider.com: Critical Flaw in ASUS DriverHub Exposes Users to Remote Code Execution

@cyberpress.org //
References: cyberpress.org , gbhackers.com , MeatMutts ...
A new method has emerged for stealing Microsoft Entra refresh tokens using Beacon Command & Control (C2) frameworks. This novel technique leverages browser-based authorization flows and Windows API functions to bypass traditional detection mechanisms, allowing attackers to maintain persistent access to cloud resources, even on devices not joined to a domain. The exploit utilizes Beacon Object Files (BOFs) to extract Entra tokens from compromised endpoints, posing a significant risk to enterprise cloud environments. By exploiting the OAuth 2.0 authorization code flow with modifications for offensive operations, attackers can initiate a hidden browser session and scrape the authorization code from the browser window title using the GetWindowTextA Win32 API.

The attack method capitalizes on First-Party Client IDs (FOCI) such as Microsoft Teams, allowing access to multiple Microsoft services through "family refresh tokens." This provides operational advantages by blending token requests with legitimate user activity as they originate from the compromised host's IP address. Furthermore, it is compatible with Bring Your Own Device (BYOD) scenarios, where traditional Primary Refresh Token (PRT) extraction methods fail. After acquiring refresh tokens, attackers can conduct AzureAD reconnaissance via tools like ROADrecon.

A separate but related flaw in Microsoft Entra ID's legacy login process has also been exploited to bypass MFA and Conditional Access, targeting admin accounts across various sectors including finance, healthcare, manufacturing, and technology. This vulnerability resides in the Basic Authentication Version 2 – Resource Owner Password Credential (BAV2ROPC), a legacy login method that allows authentication using simple usernames and passwords. The attacks, which occurred between March 18 and April 7, 2025, demonstrate the dangers of outdated authentication protocols in cloud environments, highlighting how attackers can circumvent modern protections by exploiting compatibility features within Entra ID.

Recommended read:
References :
  • cyberpress.org: A novel technique for extracting Microsoft Entra refresh tokens via Beacon Command & Control (C2) frameworks has emerged, leveraging browser-based authorization flows and Windows API functions to bypass traditional detection mechanisms.
  • gbhackers.com: A novel exploit method leveraging Beacon Object Files (BOFs) has emerged, enabling attackers to extract Microsoft Entra (formerly Azure AD) tokens from compromised endpoints
  • cyberpress.org: Legacy Protocol Flaws in Microsoft Entra ID Let Hackers Bypass MFA and Conditional Access
  • MeatMutts: Legacy Authentication Exploited: Microsoft Entra ID Breach Exposes Cloud Security Risks

@cyberpress.org //
The North Korea-linked threat group APT37 has been identified as the perpetrator of a sophisticated spear phishing campaign targeting activists and organizations focused on North Korean affairs. Genians Security Center researchers analyzed the campaign, dubbed "Operation: ToyBox Story," which involved the use of fake academic forum invites from a South Korean national security think tank to lure victims. The attackers leveraged Dropbox to deliver malicious LNK files, demonstrating an evolution in their attack methodology.

The spear phishing emails were cleverly disguised as invitations and information from a legitimate South Korean national security think tank, referencing real-world events such as "Trump 2.0 Era: Prospects and South Korea’s Response" to enhance credibility. These emails contained Dropbox links leading to compressed ZIP archives, which, upon extraction, harbored malicious shortcut (LNK) files. When a user opens the malicious LNK file, it initiates a multi-stage malware loader chain.

The campaign highlighted APT37's ongoing use of trusted cloud platforms like Dropbox as command and control (C2) infrastructure, a tactic known as "Living off Trusted Sites" (LoTS). This approach allows the attackers to blend malicious traffic with legitimate cloud service activity, complicating detection and response efforts. The malicious LNK files are designed to execute hidden PowerShell commands, which deploy a decoy document while simultaneously creating hidden files and ultimately injecting shellcode directly into memory to install a variant of the RoKRAT malware family. RoKRAT collects system information and allows for further exploitation of the victim's system.

Recommended read:
References :
  • cyberpress.org: The North Korea-linked threat group APT37 launched a sophisticated spear phishing campaign targeting activists and organizations focused on North Korean affairs. The attackers disguised their emails as invitations and information from a South Korean national security think tank, referencing real-world events such as “Trump 2.0 Era: Prospects and South Korea’s Response” to enhance credibility. These
  • www.genians.co.kr: Genians Security Center (GSC) researchers analyse APT37's “Operation: ToyBox Story”, in which the group used fake academic forum invites from a South Korean security think tank to lure victims and delivered malicious LNK files via the Dropbox cloud platform.

@www.webroot.com //
Cybercriminals are increasingly using sophisticated tactics to deceive individuals and steal sensitive information. One common method involves sending fraudulent text messages, known as smishing, that impersonate legitimate businesses like delivery services or banks. These scams often entice victims to click on malicious links, leading to identity theft, financial loss, or the installation of malware. Webroot emphasizes mobile security, particularly protecting phones from text scams with potential identity theft and malware planting. The Federal Trade Commission reported that consumers lost $470 million to scams initiated through text messages in 2024.

Google is intensifying its efforts to combat these online threats by integrating artificial intelligence across its various platforms. The company is leveraging AI in Search, Chrome, and Android to identify and block scam attempts more effectively. Google's AI-powered defenses are capable of detecting 20 times more scam pages than before, significantly improving the quality of search results. Furthermore, AI is used to identify fraudulent websites, app notifications, calls, and direct messages, helping to safeguard users from various scam tactics.

A key component of Google's enhanced protection is the integration of Gemini Nano, a lightweight, on-device AI model, into Chrome. This allows for instant identification of scams, even those that haven't been previously encountered. When a user navigates to a potentially dangerous page, Chrome evaluates the page using Gemini Nano, which extracts security signals to determine the intent of the page. This information is then sent to Safe Browsing for a final verdict, adding an extra layer of protection against evolving online threats.

Recommended read:
References :
  • www.eweek.com: Google is intensifying efforts to combat online scams by integrating artificial intelligence across Search, Chrome, and Android, aiming to make fraud more difficult for cybercriminals.
  • www.webroot.com: It all starts so innocently. You get a text saying “Your package couldn’t be delivered. Click here to reschedule.†Little do you know, clicking that link could open the door for scammers to steal your identity, empty your bank account, or even plant malicious software (malware) on your device. Unless you know what to look out

@arcticwolf.com //
References: Arctic Wolf , malware.news
Commvault has issued updated advisories regarding a critical vulnerability, CVE-2025-34028, affecting Commvault Command Center. The flaw allows for remote code execution, posing a significant risk to organizations utilizing the platform. Initial patches were released, but Commvault has since clarified that simply being on versions 11.38.20 or 11.38.25 is not enough to fully remediate the vulnerability. Specific updates within those versions are required to effectively address the security gap, an update which was clarified on May 7, 2025.

The Cybersecurity and Infrastructure Security Agency (CISA) has added the Commvault Command Center vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. This designation underscores the severity of the flaw and the potential for active exploitation, prompting immediate action from organizations to apply the necessary updates. Fortunately, Commvault seems to have resolved the issue where the "Upgrade software" option was not working for unregistered systems. It is now possible to obtain the necessary fixes for CVE-2025-34028 by clicking "Upgrade now," even without being registered with Commvault.

However, the "Check updates" button in the "Download or copy software" section is still malfunctioning. It incorrectly reports systems as "Up-to-date" even when they are not fully patched against CVE-2025-34028. Users must ensure they have the appropriate specific updates within versions 11.38.20 or 11.38.25 as mentioned in Commvault's clarified advisory to achieve full remediation. Staying vigilant, monitoring security advisories, and diligently applying patches and updates are crucial for maintaining a robust security posture and mitigating potential cyber threats.

Recommended read:
References :
  • Arctic Wolf: Follow-Up: Commvault Updates Advisory With Fixed Versions for Critical Commvault Command Center Vulnerability (CVE-2025-34028)
  • malware.news: News about Commvault updates addressing a critical vulnerability.