Information Security News | AI Aggregator

Please be mindful of possible hallucinations. Verify information prior to taking action.
Multiple sites hijacked for bogus support number injections
Date: 2025-06-20 | Source: SC Magazine
High-profile organizations, including Microsoft, Apple, Facebook, Bank of America, and PayPal, had their websites compromised to inject fraudulent customer support numbers in a search parameter injection scam. Attackers used Google Ads to redirect users to these compromised sites, aiming to steal personal and financial information. Malwarebytes recommends using their Browser Guard tool for detection and advises users to verify support numbers through trusted sources before calling.
2025-06-20 | Cyber Security News: Threat Actors Poisoning Google Search Results to Display The Scammer’s Phone Number Instead of Real Number
Cybercriminals are manipulating Google search results to display fraudulent contact numbers instead of legitimate ones, creating a sophisticated scam. By purchasing sponsored ads that mimic official listings, users are directed to authentic company websites, unaware that the displayed phone number is fraudulent. This technique exploits vulnerabilities in how search results are rendered, allowing scammers to extract sensitive information from victims who believe they are contacting legitimate customer support.
2025-06-20 | TechRadar: Tech support scammers are forcing their fake phone numbers into real webpages
Scammers are injecting fake tech support phone numbers into legitimate websites, affecting major companies like Apple, PayPal, and Netflix. This tactic, known as search parameter injection or a reflected input vulnerability, modifies URLs so that the page displays attacker-supplied content while the legitimate domain remains in the address bar. Users are advised to be wary of phone numbers embedded in URLs, watch for high-pressure language, and navigate directly to official sites for support, as scammers often use ads to lure victims.
2025-06-20 | The Register: Netflix, Apple, BofA websites hijacked with fake help-desk numbers
Scammers are hijacking search results for support from major companies like Netflix and Apple, using SEO manipulation to promote malicious websites. By purchasing ads that lead to real help pages with fake phone numbers, they exploit a reflected input vulnerability in Netflix's search functionality. Victims may unknowingly provide personal information or grant remote access to their computers. Malwarebytes advises vigilance against suspicious URLs and warns that legitimate support will never ask for sensitive information.
Aflac says it stopped attack launched by ‘sophisticated cybercrime group’
Date: 2025-06-20 | Source: Recorded Future
Aflac reported a ransomware attack by a "sophisticated cybercrime group," identified on June 12, which breached its systems and potentially stole sensitive data, including claims, health information, and Social Security numbers. The attack was halted within hours, with no disruption to business functions. Aflac suspects the involvement of the Scattered Spider group, known for targeting the insurance sector. The company is offering two years of identity theft protection to affected individuals.
2025-06-20 | Cybersecurity Dive: Aflac discloses cyber intrusion linked to wider crime spree targeting insurance industry
Aflac Inc. disclosed a cyber intrusion on June 12, linked to a broader crime spree targeting the insurance industry by the group Scattered Spider. The attack was contained quickly, and Aflac's systems remain operational. The incident involved potential access to sensitive data, including health records and Social Security numbers. Aflac is reviewing affected files and plans to notify regulators and impacted individuals, offering credit monitoring and identity-theft services.
2025-06-20 | BleepingComputer: Aflac discloses breach amidst Scattered Spider insurance attacks
Aflac disclosed a data breach affecting its systems, part of a broader campaign targeting U.S. insurance companies by a sophisticated cybercrime group, likely Scattered Spider. The breach may have involved the theft of personal and health information, including social security numbers. Aflac confirmed no ransomware was deployed. The company activated its cyber incident response protocols and engaged external experts to investigate. Other recent targets of Scattered Spider include MGM Resorts and Philadelphia Insurance Companies.
2025-06-20 | Cyberscoop: Aflac duped by social-engineering attack, marking another hit on insurance industry
Aflac disclosed a cyberattack on June 12, potentially impacting its data, following unauthorized network access. The company activated its cybersecurity protocols and contained the intrusion within hours. Aflac, along with Erie Insurance and Philadelphia Insurance Companies, was targeted by a cybercrime campaign, likely by the group Scattered Spider, known for using social engineering tactics. Preliminary findings suggest claims information and personal data may be affected, but no evidence of ransomware has been found.
2025-06-20 | SC Magazine: Aflac among victims in cyberattacks targeting US insurance industry
Aflac reported a cyberattack on June 12, 2023, attributed to a sophisticated cybercrime group using social engineering tactics. The attack potentially impacted claims information, health data, Social Security numbers, and personal information of customers and employees. Aflac contained the attack quickly, and no ransomware was involved. Experts noted a shift in targeting vulnerable individuals and emphasized the need for enhanced security measures, particularly against social engineering and AI-assisted attacks.
2025-06-20 | The Register: Looks like Aflac is the latest insurance giant snagged in Scattered Spider’s web
Aflac disclosed a security breach on June 12, linked to the cybercrime group Scattered Spider. The unauthorized access did not involve ransomware, and business operations remained unaffected. However, the intruder may have accessed sensitive customer data, including claims information and Social Security numbers. Aflac is engaging third-party cybersecurity experts for incident response. This breach follows similar incidents affecting Erie Insurance and Tokio Marine, prompting warnings for the insurance sector.
Massive 7.3 Tbps DDoS Attack Delivers 37.4 TB in 45 Seconds, Targeting Hosting Provider
Date: 2025-06-20 | Source: The Hacker News
Cloudflare reported blocking a record 7.3 Tbps DDoS attack in mid-May 2025, targeting an unnamed hosting provider. The attack delivered 37.4 TB in 45 seconds, utilizing a multi-vector approach with UDP flood traffic accounting for 99.996%. It originated from over 122,145 IPs across 161 countries, with Telefonica Brazil contributing 10.5% of the traffic. Additionally, the RapperBot DDoS botnet was linked to attacks on AI company DeepSeek, exploiting devices with weak passwords and firmware vulnerabilities.
2025-06-20 | SC Magazine: Another record-breaking DDoS attack neutralized
Cloudflare neutralized a record-breaking DDoS attack against a hosting provider in the previous month, peaking at 7.3 terabits per second, surpassing the prior record of 6.5 Tbps. The attack lasted 45 seconds, sending over 37.4 TB of data from more than 122,000 IP addresses across 161 countries, primarily from Brazil and Vietnam. The attack involved UDP floods, and Cloudflare utilized automated systems and mitigation rules. Organizations are advised to adopt tailored security measures to prevent DDoS attacks.
2025-06-20 | Cyber Security News: Record Breaking 7.3 Tbps DDoS Attack Blasting 37.4 Terabytes in Just 45 Seconds
In mid-May 2025, Cloudflare thwarted a record DDoS attack peaking at 7.3 Tbps, delivering 37.4 TB of traffic in 45 seconds. The attack, targeting a hosting provider, utilized 99.996% UDP floods and sophisticated amplification techniques, originating from 122,145 IPs across 161 countries. Key sources included Brazil and Vietnam. Cloudflare's autonomous mitigation employed advanced packet sampling and heuristic engines, achieving zero-touch containment without human intervention.
2025-06-20 | BleepingComputer: Cloudflare blocks record 7.3 Tbps DDoS attack against hosting provider
Cloudflare mitigated a record 7.3 Tbps DDoS attack in May 2025, targeting a hosting provider. The attack peaked with 37.4 TB of data in 45 seconds, using 122,145 source IPs from 161 countries. It employed multiple vectors, primarily UDP floods (99.996% of traffic), and exploited legacy services. Cloudflare utilized its 'Magic Transit' service and anycast network to disperse traffic across 477 data centers. Valuable IoCs were added to its DDoS Botnet Threat Feed, urging organizations to subscribe for preemptive blocking.
2025-06-20 | Ars Technica: Record DDoS pummels site with once-unimaginable 7.3Tbps of junk traffic
On Friday, Cloudflare reported a record DDoS attack measuring 7.3 terabits per second, delivering 37.4 terabytes of junk traffic in just 45 seconds. The attack targeted a single IP address, bombarding nearly 22,000 destination ports. Most of the traffic was in the form of User Datagram Protocol (UDP) packets, which can overwhelm a target's resources without requiring a connection handshake. This type of attack can saturate Internet links, leading to denial of service for legitimate users.
New Android Malware Surge Hits Devices via Overlays, Virtualization Fraud, and NFC Theft
Date: 2025-06-19 | Source: The Hacker News
Cybersecurity researchers have identified the Android malware AntiDot, linked to the LARVA-398 group, affecting over 3,775 devices across 273 campaigns. It functions as a Malware-as-a-Service, enabling screen recording, SMS interception, and data extraction. The malware is delivered via malicious ads or targeted phishing. Additionally, the GodFather trojan uses on-device virtualization to hijack banking apps, while SuperCard X targets NFC transactions in Russia. Malicious apps like RapiPlata have also been found on official app stores, engaging in data theft and extortion.
2025-06-20 | Cyber Security News: AntiDot – 3-in-1 Android Malware Let Attackers Full Control of Compromised Devices
A new Android botnet malware named AntiDot poses a significant threat, offering attackers extensive control over infected devices. Marketed by LARVA-398, it operates as a Malware-as-a-Service (MaaS) tool, combining a loader, packer, and botnet infrastructure. AntiDot features capabilities like screen recording, SMS interception, and data exfiltration. It utilizes at least 11 command-and-control servers managing over 3,775 devices, employing sophisticated evasion techniques. The malware supports overlay attacks on cryptocurrency apps, enhancing its targeting flexibility.
2025-06-20 | SC Magazine: Thousands of Android devices compromised with AntiDot malware
More than 3,775 Android devices have been infected with the AntiDot malware-as-a-service botnet across 273 campaigns. Deployed via malicious emails or ad networks, it tricks users into granting accessibility permissions through a fake update bar. Managed by LARVA-398, AntiDot enables phone call monitoring and notification tracking, and is supported by a command-and-control panel for real-time communication. Researchers highlight its scalable design for financial gain, coinciding with the resurgence of the GodFather banking trojan.
16 billion hit in ‘one of largest data breaches in history’ — what’s been exposed and how to protect yourself
Date: 2025-06-19 | Source: Tomsguide
More than 16 billion login credentials have been exposed in one of the largest data breaches in history, including Apple, Gmail, and Facebook accounts. Researchers identified 30 datasets, some containing up to 3.5 billion records each, likely compiled by infostealer malware. The datasets were briefly accessible via unsecured storage. To protect against account takeover and identity theft, enabling two-factor authentication (2FA) is highly recommended.
2025-06-20 | Times Now: 16 Billion Accounts Exposed Online In A Biggest Data Leak Ever: Apple, Gmail, Facebook Hit, How To Protect Yourself
Over 16 billion login credentials have been exposed in one of the largest data breaches, affecting platforms like Apple, Gmail, and Facebook. Researchers found at least 30 datasets, each containing up to 3.5 billion records, organized with usernames and passwords, likely stolen via infostealer malware. The data is recent and poses a significant risk for identity theft and targeted phishing. Recommendations for protection include enabling Two-Factor Authentication, using unique passwords, and checking for breaches on HaveIBeenPwned.com.
2025-06-20 | Cyber Security News: Massive 16 Billion Passwords From Apple, Facebook, Google and More Leaked From 320 Million Computers
A leak of 16 billion login credentials from platforms like Apple, Facebook, and Google has been discovered across 30 datasets, posing a severe cybersecurity threat. The data, often from infostealer malware, includes usernames, passwords, authentication tokens, and session cookies. Many datasets were previously accessible via unsecured Elasticsearch instances. The breach enables credential stuffing and phishing attacks, emphasizing the need for robust multi-factor authentication and strong password policies. Organizations should enhance endpoint detection and response measures.
2025-06-20 | Tomsguide: 16 billion password data breach hits Apple, Google, Facebook and more — LIVE updates and how to stay safe
A data breach has exposed 16 billion login credentials from major platforms including Apple, Google, and Facebook. Over 30 databases were compromised, with records containing URLs, usernames, and passwords. The breach may include data from previous incidents. To enhance security, users are advised to enable two-factor authentication (2FA) and check their email on Have I Been Pwned to determine if their credentials have been affected.
2025-06-20 | Tomsguide: Worried about the 16 billion data breach? I've been hacked, and this is everything I did to fix it
The article discusses the implications of a recent discovery of a database containing 16 billion records, including passwords. It emphasizes the importance of not reusing passwords and suggests using password managers for secure storage. It advocates enabling two-factor authentication (2FA) to enhance account security and recommends deleting unused accounts to minimize exposure. The author also highlights the utility of the website "Have I Been Pwned" for monitoring account breaches and suggests considering a fresh start with a new email for better security practices.
2025-06-20 | ABC News: Billions of login credentials have been leaked online, Cybernews researchers say
Researchers at Cybernews report that 16 billion login credentials have been leaked across 30 datasets, providing cybercriminals with significant access to consumer accounts. The data includes passwords for major platforms like Google, Facebook, and Apple, likely compiled from multiple breaches over time. Infostealers are suspected to be responsible. Users are advised to change passwords, avoid reusing credentials, consider password managers, and enable multifactor authentication to enhance security.
2025-06-21 | The Guardian: Internet users advised to change passwords after 16bn logins exposed
Internet users are urged to change passwords after researchers revealed 16 billion login records from infostealers and leaks. The datasets, briefly exposed on remote servers, include credentials for services like Facebook, Apple, and Google, though no centralized breach occurred at these companies. Experts recommend using password managers and multifactor authentication. The data, primarily from infostealers, highlights the ongoing risk of credential theft and the importance of proactive security measures.
US recovers $225 million of crypto stolen in investment scams
Date: 2025-06-19 | Source: BleepingComputer
The U.S. Department of Justice seized over $225 million in cryptocurrency linked to investment fraud and money laundering, marking the largest crypto seizure by the Secret Service. Investigators traced funds from over 400 victims through a complex laundering network. The seizure involved multiple agencies and private partners, with Tether freezing and burning the tokens. Legal statutes were invoked for forfeiture, and the next step involves identifying victims for restitution.
2025-06-19 | Recorded Future: DOJ moves to seize $225 million in crypto stolen by scammers
The U.S. Justice Department is seeking to recover over $225.3 million in cryptocurrency linked to scams originating from Vietnam and the Philippines. A civil forfeiture complaint filed in D.C. details how fraudsters used numerous crypto wallets to deceive over 430 victims across multiple states. The investigation, aided by blockchain analysis, revealed a network of accounts tied to Vietnamese nationals operating from a "scam compound." The FBI reported $5.8 billion lost in crypto investment fraud last year.
2025-06-20 | SC Magazine: Over $225M nabbed in US's largest crypto scam seizure yet
The U.S. Department of Justice has forfeited over $225.3 million in cryptocurrency linked to investment fraud, marking the largest seizure of illicit crypto in the country. This operation involved the FBI, Secret Service, TRM Labs, and Tether, targeting a blockchain-based money laundering network that defrauded over 400 victims globally. Law enforcement used Last-In-First-Out tracing to identify funds merged into seven USDT wallet groups, which were subsequently frozen and destroyed by Tether, with equivalent amounts reissued to the U.S. government.
60+ GitHub Repositories Exploited to Store Windows-Based Payloads to Steal Sensitive Data
Date: 2025-06-19 | Source: Cyber Security News
A supply chain attack campaign by the threat actor Banana Squad has exploited over 60 GitHub repositories, deploying trojanized Python files to steal sensitive Windows-based data. The campaign involved creating fake accounts with repositories mimicking legitimate projects, accumulating significant downloads before detection. The malicious payloads extract extensive data, using advanced obfuscation techniques to hide malicious code. ReversingLabs identified the network and provided tools for analysis to enhance threat detection and mitigation.
2025-06-20 | The Hacker News: 200+ Trojanized GitHub Repositories Found in Campaign Targeting Gamers and Developers
Cybersecurity researchers identified 67 trojanized GitHub repositories in a campaign targeting gamers and developers, codenamed Banana Squad. These repositories masquerade as Python hacking tools but deliver malicious payloads. This follows a 2023 campaign involving bogus packages on PyPI. The repositories, linked to account cleaning and game cheat tools, have been removed by GitHub. The trend highlights GitHub's growing role as a malware distribution vector, with multiple campaigns exploiting the platform.
2025-06-20 | SC Magazine: Novel Banana Squad campaign taps GitHub repos for malware distribution
The Banana Squad hacking operation has exploited 67 now-removed GitHub repositories to distribute malware targeting developers. Each compromised GitHub account hosted a single repository, linked to the domains 1312services[.]ru and dieserbenni[.]ru. The attackers used Base64, Fernet, and Hex encryption to hide malicious payloads. Developers are advised to verify repositories, avoid inactive accounts, use source code differential analysis tools, and monitor suspicious domain activity.
DuckDuckGo beefs up scam defense to block fake stores, crypto sites
Date: 2025-06-19 | Source: BleepingComputer
DuckDuckGo has enhanced its Scam Blocker tool to protect users from a wider array of online scams, including fake e-commerce sites, cryptocurrency scams, and scareware. The tool, part of DuckDuckGo's privacy features since 2018, now scans URLs against an updated threat list from Netcraft every 20 minutes. Users receive warnings when a scam site is detected. Unlike other browsers, DuckDuckGo's Scam Blocker prioritizes user privacy without external data sharing. It is enabled by default and requires no account.
2025-06-20 | TechRadar: Forget Chrome and Edge - this challenger browser now offers greater protection from online scams
DuckDuckGo has launched a new browser edition featuring a Scam Blocker tool to protect users from online scams, including phishing sites and malware. With online fraud costing Americans $12.5 billion in 2024, the Scam Blocker prevents malicious pages from loading and blocks tracker-powered ads to mitigate risks from 'malvertising.' The tool operates without tracking user data, maintaining privacy by keeping a 'dangerous site list' locally. It is available for free on both mobile and desktop.
2025-06-21 | Cyber Security News: DuckDuckGo Rolls Out New Scam Blocker to Protect Users from Online Threats
DuckDuckGo has enhanced its Scam Blocker to protect users from a wider array of online threats, including fraudulent investment sites, scareware, phishing hubs, malware distributors, and malicious ads. This upgrade responds to the FTC's report of $12.5 billion in fraud losses in 2024. The system uses a two-layer architecture for anonymous threat detection, updating a local threat list every 20 minutes and performing encrypted checks for rare threats. The feature is enabled by default and extends to all device traffic for Privacy Pro subscribers.
Krispy Kreme says November data breach impacts over 160,000 people
Date: 2025-06-19 | Source: BleepingComputer
Krispy Kreme confirmed a November 2024 data breach affecting 161,676 individuals, revealing that personal information, including social security numbers and financial data, was compromised. The breach was detected on November 29, with an SEC filing made on December 11. The Play ransomware gang claimed responsibility, stating they stole extensive data and released it on their dark web site after negotiations failed. The FBI warned of the gang's activities, having breached around 300 organizations globally by October 2023.
2025-06-19 | Cyber Security News: Krispy Kreme Confirms Data Breach – Personal Information Stolen by Attackers
Krispy Kreme confirmed a data breach affecting thousands of current and former employees and their families, discovered on November 29, 2024. A six-month investigation revealed unauthorized access to sensitive personal information, including Social Security numbers, financial details, and biometric data. While no misuse of the data has been reported, the company is offering credit monitoring services. Krispy Kreme has implemented enhanced security measures and advises vigilance in monitoring financial accounts.
2025-06-19 | The Register: Glazed and confused: Hole lotta highly sensitive data nicked from Krispy Kreme
Krispy Kreme disclosed that a November cyberattack compromised data of 161,676 individuals, including sensitive information such as Social Security numbers, financial account details, and biometric data. The breach raised concerns about the company's security practices, particularly the storage of sensitive information together. Krispy Kreme is offering 12 months of credit monitoring and has incurred approximately $4.4 million in cleanup costs. The Play ransomware group claimed responsibility, although ransomware may not have been involved.
2025-06-20 | Recorded Future: Krispy Kreme: Over 160,000 people had data stolen during November 2024 cyberattack
Krispy Kreme reported a data breach affecting 161,676 individuals following a cyberattack in November 2024. The stolen data includes Social Security numbers, financial account details, and biometric information. The attack disrupted online ordering and operations, leading to an estimated $5 million in losses. The Play ransomware gang claimed responsibility, with the FBI noting it as one of the most active ransomware groups in 2024. Krispy Kreme has since restored operations but continues to incur related costs.
2025-06-20 | TechRadar: Whole big mess - Krispy Kreme data breach sees data on over 160,000 people exposed
On November 29, 2024, Krispy Kreme reported a data breach affecting 161,676 individuals, primarily employees and their families. Exposed data includes names, Social Security numbers, financial information, and biometric data. The breach may have resulted from a single database vulnerability. Victims are offered 12 months of credit monitoring. The Play ransomware gang claimed responsibility, asserting the stolen files contain sensitive information, though no evidence of misuse has been confirmed.
Ryuk ransomware’s initial access expert extradited to the U.S.
Date: 2025-06-19 | Source: BleepingComputer
A 33-year-old member of the Ryuk ransomware operation, specializing in initial access to corporate networks, was extradited to the U.S. on June 18, 2025, after being arrested in Kyiv in April. The investigation, involving Ukrainian and international law enforcement, targeted ransomware attacks on companies in multiple countries. The suspect, previously on an FBI wanted list, is charged with various crimes related to cyberattacks. Ryuk, active from 2018 to 2020, is estimated to have earned $150 million in ransom payments.
2025-06-19 | Recorded Future: Alleged Ryuk ransomware gang member arrested in Ukraine and extradited to US
A member of the Ryuk ransomware gang was arrested in Ukraine and extradited to the U.S. for charges related to cyberattacks that extorted over $100 million globally. The 33-year-old suspect, arrested in April, was involved in identifying vulnerabilities in corporate networks. Authorities seized over $600,000 in crypto, luxury vehicles, and land. The Ryuk group has conducted over 2,400 attacks since 2018, primarily targeting corporations and critical infrastructure. The extradition follows a broader international crackdown on ransomware actors.
2025-06-20 | SC Magazine: US extradites suspected Ryuk ransomware member
Ukraine's Office of the Prosecutor General announced the extradition of a suspected Ryuk ransomware hacker to the U.S. after an arrest in Kyiv. The hacker faces charges for cyberattacks causing over $100 million in losses. Authorities seized over $600,000 in cryptocurrency, luxury vehicles, and land during the arrest. The individual is on the FBI's Cyber Most Wanted list. The U.S. Department of Justice has not yet confirmed the extradition. This follows a significant international ransomware crackdown in 2023.
North Korean hackers deepfake execs in Zoom call to spread Mac malware
Date: 2025-06-18 | Source: BleepingComputer
North Korean BlueNoroff hackers are using deepfake technology to impersonate company executives in Zoom calls, tricking employees into downloading custom macOS malware. Discovered on June 11, 2025, the attack involved a fake Zoom link and a malicious AppleScript that installed malware after the victim was misled about a microphone issue. The malware includes various components for persistence, remote control, and data exfiltration, highlighting the increasing threat to macOS users as Macs become more prevalent in enterprises.
2025-06-19 | The Hacker News: BlueNoroff Deepfake Zoom Scam Hits Crypto Employee with macOS Backdoor Malware
BlueNoroff, a North Korea-aligned threat actor, targeted a cryptocurrency foundation employee using deepfake Zoom calls to install backdoor malware on macOS. The attack involved a fake Calendly link leading to a malicious Zoom domain. The employee was tricked into downloading an AppleScript that executed a shell script, disabling logging and installing additional malware. Eight distinct malicious binaries were discovered, including keyloggers and information stealers. Security experts emphasize the need for training to recognize such social engineering attacks.
2025-06-19 | Cyber Security News: North Korean Hackers Using Weaponized Calendly and Google Meet Link to Deliver Malware
A North Korean APT group, TA444, is using weaponized Calendly and Google Meet links to deliver malware targeting cryptocurrency organizations. The attack begins with seemingly benign meeting invitations, leading to a sophisticated surveillance and cryptocurrency theft toolkit. Victims are lured into fake meetings featuring deepfakes of company leaders, prompting them to download a malicious Zoom extension. The malware employs advanced evasion techniques and installs multiple malicious binaries for keylogging and wallet theft.
GodFather banking malware creates virtual environment on victim devices
Date: 2025-06-18 | Source: SC Magazine
A sophisticated evolution of the GodFather banking malware targets 12 Turkish banks and scans nearly 500 apps globally, including cryptocurrency wallets. It employs a "Virtualization-as-a-Weapon" technique to create an isolated virtual environment on victim devices, allowing it to hijack legitimate apps and capture sensitive information. Experts emphasize the need for robust security strategies to protect backend APIs and address sophisticated client-side breaches, as this malware undermines the integrity of financial transactions.
2025-06-18 | Tomsguide: Godfather malware is now hijacking legitimate banking apps — and you won’t see it coming
An updated version of the Godfather malware targets Android banking apps, allowing hackers to create virtualized instances of these apps to steal user credentials in real-time. This malware scans infected devices for installed financial apps and launches its clones when users attempt to access them. Currently, attacks are focused on Turkish users, but the threat could expand globally. Recommendations for protection include disabling app installations from unknown sources, using Google Play Protect, and keeping devices updated.
2025-06-19 | TechRadar: Mobile banking users beware - "Godfather" malware is now hijacking official bank apps
A new version of the Godfather malware has been detected by Zimperium, specifically targeting Turkish Android users. This banking trojan creates virtualized instances of legitimate banking apps in a sandbox, allowing it to exfiltrate login credentials, PIN codes, and unlock patterns without requiring excessive permissions. The malware can also remotely control devices to conduct wire transfers while victims are asleep. While currently observed in Turkey, it poses a potential threat to banking users globally.
2025-06-19 | BleepingComputer: Godfather Android malware now uses virtualization to hijack banking apps
A new version of the Godfather Android malware uses virtualization to steal data from over 500 banking, cryptocurrency, and e-commerce apps. It creates isolated environments to execute legitimate app interfaces, enabling real-time credential theft and transaction manipulation. The malware employs a StubActivity to trick Android into running the virtualized app, capturing sensitive data while displaying a fake lock screen. To mitigate risks, users should download apps only from trusted sources and monitor permissions.
2025-06-20 | Cyber Security News: GodFather Android Malware Leverages On-Device Virtualization Technique to Hijack Legitimate Banking Apps
A new variant of the GodFather banking malware uses on-device virtualization to hijack legitimate banking and cryptocurrency apps. It creates isolated virtual environments to execute financial fraud, targeting nearly 500 applications, particularly in Turkey. This malware intercepts user interactions in real-time, capturing credentials while users believe they are using genuine apps. It employs advanced techniques to evade detection, undermining trust in mobile applications and enabling complete account takeovers.
Facebook rolls out passkey support to fight phishing attacks
Date: 2025-06-18 | Source: The Verge
Facebook is introducing passkey support on its mobile app to enhance security against phishing attacks. Users can log in using device authentication methods like fingerprints or face scans, making accounts harder to compromise. Passkeys are more secure than traditional passwords and protect against phishing by linking to specific domains. Meta plans to roll out this feature soon on Android and iOS, including the Messenger app. Users can still log in with passwords or other methods like two-factor authentication.
2025-06-19 | The Hacker News: Meta Adds Passkey Login Support to Facebook for Android and iOS Users
Meta Platforms announced the addition of passkey support for Facebook on Android and iOS, enhancing security and ease of login. Passkeys, a passwordless authentication method backed by the FIDO Alliance, will also be available for Messenger soon. This feature allows users to auto-fill payment information with Meta Pay. Passkeys are designed to resist phishing and password theft. Meta previously implemented passkeys for WhatsApp in October 2023 and plans to introduce them for Instagram in the future.
2025-06-19 | TechRadar: Your Facebook account just got even more secure – and it could make phishing a thing of the past
Meta is rolling out passkey support for Facebook on iOS and Android, enhancing security by allowing users to log in using biometrics or a PIN instead of passwords. This change aims to reduce phishing risks and improve user experience. Passkeys will also be available for Messenger and will be used for verifying payments through Meta Pay and securing encrypted message backups. Users can set up passkeys via the Settings menu in the Facebook app.
2025-06-20 | Times Now: Meta Brings Passkey Login to Facebook: Easy and Safe Sign-Ins
Meta has launched passkey login for Facebook on iOS and Android, allowing users to sign in using biometric methods like fingerprints or face scans instead of passwords. Passkeys consist of two parts: one stored on the user’s device and the other on Facebook’s server, enhancing security against phishing and hacking. Messenger will soon support passkeys, and WhatsApp already does. Setup involves accessing Settings in the Facebook app and selecting Create Passkey.
2025-06-20 | SC Magazine: Passkeys on Facebook, Messenger for mobile imminent
Meta plans to introduce passkeys for Facebook on Android and iOS, and for Messenger in the coming months, enhancing user account security. Passkeys, which resist phishing and password spraying attacks, will also facilitate auto-filling payment details for Meta Pay purchases. This follows passkey support added for WhatsApp in October 2023 and April 2024. The announcement comes after Microsoft implemented passkeys for new consumer accounts, with Apple also updating its Passwords app for passkey management.
Unusually patient suspected Russian hackers pose as State Department in ‘sophisticated’ attacks on researchers
Date: 2025-06-18 | Source: Cyberscoop
Suspected Russian hackers, linked to APT29, executed a sophisticated attack on researcher Keir Giles by impersonating the State Department. They used a realistic email domain and social engineering to convince him to share an app-specific password (ASP), bypassing multi-factor authentication. Google intervened by locking Giles' accounts after detecting suspicious activity. The attack highlights the evolving tactics of cybercriminals, focusing on individual targets rather than larger organizations.
2025-06-18 | Recorded Future: Takeover of British Russia expert’s email accounts used novel phishing tactic
A British Russia expert, Keir Giles, was targeted in a sophisticated phishing attack that bypassed multi-factor authentication (MFA) using app-specific passwords (ASPs). The attack, likely executed by a Russian state-sponsored group (UNC6923), began on May 22 with a deceptive email from a supposed State Department official. The attackers tricked Giles into generating and sharing an ASP, granting them full access to his email accounts. Google detected the suspicious activity on June 4 and is investigating the incident.
2025-06-19 | The Hacker News: Russian APT29 Exploits Gmail App Passwords to Bypass 2FA in Targeted Phishing Campaign
Threat actors linked to Russia, identified as APT29 (UNC6293), exploited Google app passwords to bypass two-factor authentication in a targeted phishing campaign from April to June 2025. They impersonated the U.S. Department of State, using social engineering tactics to convince victims to create and share app passwords. This allowed attackers persistent access to victims' email accounts. Google and Citizen Lab reported the campaign's meticulous planning, including the use of fictitious email addresses to enhance credibility.
2025-06-19 | Cyber Security News: New Sophisticated Attack Exploits Google App Passwords to Bypass Multi-Factor Authentication
A Russian state-sponsored group, UNC6293, exploited Google’s App-Specific Passwords to bypass multi-factor authentication, targeting critics of Russia, including academic Keir Giles. The attackers used a sophisticated social engineering approach, posing as U.S. State Department officials and building trust over weeks. They manipulated Giles into creating an ASP for a fake platform, gaining persistent access to his email. Google recommends high-risk individuals enroll in their Advanced Protection Program to mitigate such attacks.
2025-06-20 | Risky.Biz: Risky Bulletin: Russian hackers abuse app-specific passwords to bypass MFA
Russian hackers, identified as UNC6293 and linked to APT29, are using social engineering to extract application-specific passwords (ASPs) from targets, allowing them to bypass multi-factor authentication and access Gmail accounts. The campaign, which targeted experts on Russian politics and the Ukraine war, was highlighted after Keir Giles received a security alert following suspicious activity on his account. This tactic aligns with recent complex Russian cyber operations exploiting lesser-known authentication methods.
1,500+ Minecraft Players Infected by Java Malware Masquerading as Game Mods on GitHub
Date: 2025-06-18 | Source: The Hacker News
A multi-stage malware campaign targeting Minecraft users has infected over 1,500 players through malicious Java mods on GitHub, utilizing the Stargazers Ghost Network. The malware masquerades as game cheats, delivering a .NET information stealer capable of extensive data theft, including credentials and cryptocurrency information. The campaign, first detected in March 2025, employs anti-detection techniques and is suspected to involve a Russian-speaking threat actor. Users are advised to exercise caution when downloading third-party content.
2025-06-18 | BleepingComputer: 'Stargazers' use fake Minecraft mods to steal player passwords
A malware campaign targeting Minecraft players has been uncovered by Check Point Research, linked to the Stargazers Ghost Network. This operation uses fake mods and cheats on GitHub to distribute infostealers that compromise credentials and cryptocurrency wallets. The malware evades antivirus detection and has infected over 17,000 systems. Recommendations include downloading mods only from reputable sources and using a separate account for testing. Full indicators of compromise (IoCs) are provided for detection.
2025-06-18 | The Register: Minecraft cheaters never win ... but they may get malware
Trojanized Minecraft cheat tools on GitHub have been found to install malware that steals credentials and sensitive data. Check Point Research identified around 500 malicious repositories, potentially infecting over 1,500 devices since March. The malware, masquerading as cheat tools, executes a multi-stage attack, collecting data from browsers, cryptocurrency wallets, and applications, and exfiltrating it via Discord webhooks. The operation is linked to Russian-speaking developers in the Stargazers Ghost Network.
2025-06-19 | Cyber Security News: Gamers Under Attack! Fake Minecraft Mods Allow Attackers to Control Your System
Cybercriminals are targeting Minecraft users with advanced malware disguised as fake mods, exploiting the game's popularity. The campaign, active since March 2025, utilizes the Stargazers Ghost Network to create convincing GitHub repositories. The malware, which remains undetected by antivirus solutions, harvests sensitive data like Discord tokens and cryptocurrency credentials. Its design requires Minecraft runtime environments, evading traditional analysis. The infection begins when users install malicious JAR files into their mods directory.
2025-06-19 | TechRadar: Minecraft players watch out - these fake mods are hiding password-stealing malware
Check Point Research has identified a large-scale operation by the Stargazers Ghost Network targeting Minecraft players through hundreds of malicious GitHub repositories. These repositories impersonate legitimate mods and cheats, aiming to steal login credentials, authentication tokens, and crypto wallet information. The malware, written in Java, evades antivirus detection. The attack occurs in two phases: the first targets Minecraft account tokens and user data, while the second deploys the infostealer “44 Caliber” to extract broader data.
2025-06-20 | Times Now: Playing Minecraft? Beware! Hackers Are Using This Trick To Steal Your Personal Data
A hacking campaign targeting Minecraft players has been identified, spreading malware disguised as game mods. Active since March 2025, the attack is linked to the Stargazer’s Ghost Network, using distribution-as-a-service methods via GitHub. The malware steals personal data, including passwords and cryptocurrency details, and can take screenshots. Over 1,500 devices have been compromised. Players are advised to download mods only from verified sources, avoid cheats, and keep systems updated.
Healthcare SaaS firm says data breach impacts 5.4 million patients
Date: 2025-06-18 | Source: BleepingComputer
Episource reported a data breach affecting 5.4 million patients due to a cyberattack between January 27 and February 6, 2025. The breach exposed sensitive information, including names, addresses, emails, phone numbers, insurance details, medical records, dates of birth, and Social Security numbers, but not banking information. Notifications to affected individuals began on April 23, 2025. Patients are advised to monitor for suspicious activity and review benefits statements.
2025-06-18 | Recorded Future: More than 5 million affected by data breach at healthcare tech firm Episource
A data breach at healthcare tech firm Episource has affected 5,418,866 individuals, with hackers accessing sensitive information between January 27 and February 6. Stolen data includes Social Security numbers, health insurance IDs, and medical records. Episource has engaged law enforcement and temporarily shut down its systems to protect customers. The company is coordinating notifications for affected individuals and advises them to monitor benefit statements for unauthorized charges.
2025-06-19 | TechRadar: Major US healthcare data provider hit by data breach - over 5 million patients affected, here's what we know
Episource, a major US healthcare data provider, confirmed a cyberattack affecting over 5 million patients. The breach, detected on February 6, 2025, involved the theft of sensitive data, including health plans, Medicaid information, medical records, and personal details like Social Security numbers. The attack occurred between January 27 and February 6, 2025. The company notified affected individuals starting April 23, 2025, and advised vigilance against potential scams and impersonation attempts.
2025-06-20 | Healthcare Dive: Data breach at healthcare services firm Episource affects 5.4M
A data breach at healthcare services firm Episource exposed information from 5.4 million individuals, as reported to federal regulators. The breach, detected in February, involved unauthorized access to sensitive data, including health insurance details, medical records, and personal information such as Social Security numbers. Episource is notifying affected individuals and working with impacted healthcare organizations. Sharp Healthcare is one affected customer, reporting breaches of over 26,000 individuals.
Famous Chollima deploying Python version of GolangGhost RAT
Date: 2025-06-18 | Source: Cisco Talos
In May 2025, Cisco Talos identified "PylangGhost," a Python-based RAT used by the North Korean-aligned group Famous Chollima, targeting Windows systems. This variant mirrors the GolangGhost RAT, previously documented. The group employs fake job sites to lure individuals with cryptocurrency expertise, leading them to execute malicious commands that install the RAT. PylangGhost can steal credentials from over 80 browser extensions. Cisco recommends using its security products to detect and block these threats.
2025-06-18 | Cyber Security News: Famous Chollima Hackers Attacking Windows and MacOS Users With GolangGhost RAT
North Korean-aligned Famous Chollima hackers have launched a campaign using a new Python-based remote access trojan, PylangGhost, targeting Windows and macOS users in the cryptocurrency sector. The group employs fake job recruitment sites impersonating companies like Coinbase to lure victims. The malware can steal credentials from over 80 browser extensions, including cryptocurrency wallets. The campaign primarily affects users in India, with no reported impact on Cisco customers.
2025-06-18 | Cisco Talos: A week with a "smart" car
Cisco Talos has identified the North Korean-aligned threat actor Famous Chollima targeting cryptocurrency and blockchain professionals in India through phishing campaigns. They have transitioned from the GolangGhost trojan to a new Python variant called PylangGhost, affecting Windows users, while MacOS users still face the Golang version. Organizations are advised to enhance their security measures against Python and Golang malware and educate employees on recognizing phishing attempts.
2025-06-18 | Recorded Future: North Korea targeting Indian crypto job applicants with malware
North Korean hackers, identified as "Famous Chollima," are targeting Indian job applicants in the cryptocurrency sector with malware. Since mid-2024, they have created fake job postings to lure candidates to skill-testing sites mimicking legitimate companies like Coinbase and Uniswap. The malware, named "PylangGhost," steals browser credentials and session cookies. This campaign aims to gather data on successful applicants and potentially access their devices later, once the victims are hired.
Asana warns MCP AI feature exposed customer data to other orgs
Date: 2025-06-18 | Source: BleepingComputer
Asana's Model Context Protocol (MCP) feature exposed customer data to other organizations due to a logic flaw, not a hack. This issue persisted for over a month, affecting around 1,000 customers. Exposed data included task-level information and project metadata, potentially containing sensitive information. Asana recommends admins review logs and AI-generated content, restrict LLM access, and pause bot pipelines. The MCP server was taken offline but resumed normal operations on June 17, 2025.
2025-06-18 | TechRadar: Asana admits one of its AI features might have exposed your data to other users
Asana disclosed that a bug in its AI-powered Model Context Protocol (MCP) tool may have exposed user data to other users for about a month, from early May to June 4, 2025. The leak affected approximately 1,000 customers, potentially revealing sensitive information like project metadata and discussions. Asana is notifying impacted organizations and recommends that users review logs and AI summaries, restrict LLM integration access, and pause auto-reconnections.
2025-06-18 | The Register: Asana's cutting-edge AI feature ran into a little data leakage problem
Asana fixed a vulnerability in its Model Context Protocol (MCP) server that could have allowed users to access other organizations' data. The issue was identified on June 4, leading to a two-week downtime for maintenance. Asana stated that no evidence suggests the bug was exploited. Customers were notified and required to manually reconnect to the MCP server. Recommendations include enforcing strict tenant isolation and logging LLM-generated queries to enhance security.
CISA Warns of Active Exploitation of Linux Kernel Privilege Escalation Vulnerability
Date: 2025-06-18 | Source: The Hacker News
CISA has added CVE-2023-0386, a Linux kernel privilege escalation vulnerability (CVSS score: 7.8), to its Known Exploited Vulnerabilities catalog due to active exploitation. This improper ownership bug allows local users to escalate privileges by manipulating the OverlayFS subsystem. The flaw was patched in early 2023. Federal Civilian Executive Branch agencies must apply patches by July 8, 2025. Related vulnerabilities, CVE-2023-32629 and CVE-2023-2640, also allow privilege escalation on Unix systems.
2025-06-18 | Cyber Security News: CISA Warns of Linux Kernel Improper Ownership Management Vulnerability Exploited in Attacks
CISA has added CVE-2023-0386, a critical vulnerability in the Linux kernel's OverlayFS subsystem, to its Known Exploited Vulnerabilities catalog, warning of active exploitation. This flaw allows local attackers to escalate privileges by manipulating setuid files during file operations across different mount points. Affected systems include various Linux distributions and Red Hat Enterprise Linux versions. Organizations must apply vendor patches by July 8, 2025, or implement alternative mitigations to secure their environments.
2025-06-18 | BleepingComputer: CISA warns of attackers exploiting Linux flaw with PoC exploit
CISA has alerted U.S. federal agencies about the exploitation of a high-severity Linux kernel vulnerability (CVE-2023-0386) affecting the OverlayFS subsystem, allowing root privilege escalation. The flaw was patched in January 2023; PoC exploits emerged in May 2023, making it easier to exploit. The flaw impacts various Linux distributions using kernel versions below 6.2. Agencies must patch their systems by July 8, as mandated by BOD 22-01. Qualys TRU also reported on two other LPE vulnerabilities affecting major Linux distributions.
Critical Linux Privilege Escalation Vulnerabilities Let Attackers Gain Full Root Access
Date: 2025-06-18 | Source: Cyber Security News
Two critical vulnerabilities, CVE-2025-6018 and CVE-2025-6019, allow unprivileged attackers to gain root access on major Linux distributions. CVE-2025-6018 stems from PAM configuration flaws in SUSE systems, while CVE-2025-6019 affects the udisks daemon across various distributions. Immediate mitigation is required, including modifying polkit rules to require admin authentication. Patching is essential, as these vulnerabilities pose a severe risk to Linux environments globally and could compromise entire infrastructures.
2025-06-18 | BleepingComputer: New Linux udisks flaw lets attackers get root on major Linux distros
Two local privilege escalation vulnerabilities (CVE-2025-6018 and CVE-2025-6019) have been discovered in major Linux distributions, allowing attackers to gain root access. The first flaw affects the PAM framework on openSUSE Leap 15 and SUSE Linux Enterprise 15, while the second, in libblockdev, enables root access via the udisks daemon, present on most Linux systems. Qualys advises immediate patching to mitigate risks, as unpatched systems could lead to severe security breaches.
2025-06-19 | The Hacker News: New Linux Flaws Enable Full Root Access via PAM and Udisks Across Major Distributions
Cybersecurity researchers from Qualys identified two local privilege escalation (LPE) vulnerabilities in major Linux distributions: CVE-2025-6018 in SUSE's PAM, allowing unprivileged users to escalate to "allow_active," and CVE-2025-6019 in libblockdev via udisks, enabling full root access. Both flaws can be exploited by attackers with active GUI or SSH sessions. A high-severity flaw (CVE-2025-6020) in Linux PAM was also disclosed, allowing privilege escalation via symlink attacks. Patches are recommended.
Researchers say AI hacking tools sold online were powered by Grok, Mixtral
Date: 2025-06-17 | Source: Cyberscoop
Researchers from Cato Networks revealed that AI hacking tools sold on forums, termed "WormGPTs," are powered by Mistral AI's Mixtral and xAI's Grok. These tools, which can generate phishing emails and malware, bypass guardrails meant to prevent malicious use. One variant, marketed as an "Uncensored Assistant," was found to be accessible via Telegram. Pricing for these tools ranges from €550 for a yearly license to €5,000 for private setups, indicating a focus on profit-driven cybercrime.
2025-06-18 | Cyber Security News: BlackHat AI Hacking Tool WormGPT Variant Powered by Grok and Mixtral
New variants of the WormGPT hacking tool, powered by AI models Grok and Mixtral, have emerged following the original's shutdown in August 2023. These variants, launched by “xzin0vich” and “keanu,” utilize existing commercial AI systems to generate malicious content like phishing emails and PowerShell scripts. They bypass AI safety measures through sophisticated prompt engineering. Security experts recommend enhanced threat detection, Zero Trust Network Access, and monitoring of unauthorized GenAI tool usage to mitigate risks.
2025-06-18 | SC Magazine: AI hacking tools developed via commercial LLMs, report finds
Mistral AI's Mixtral and xAI's Grok have been exploited to create jailbroken AI tools, termed WormGPTs, marketed on cybercrime forums. Mixtral's variant, "WormGPT / 'Hacking & UNCENSORED AI," offers insights on cyberattacks and vulnerability detection. Grok supports the "Uncensored Assistant" on Telegram, enabling phishing email creation and credential theft. Both tools operate on a subscription model, with costs from $631 annually to $5,740 for private setups, as reported by Cato Networks.
New Veeam RCE flaw lets domain users hack backup servers
Date: 2025-06-17 | Source: BleepingComputer
Veeam released security updates to address a critical remote code execution (RCE) vulnerability, CVE-2025-23121, affecting Veeam Backup & Replication 12 and later. Authenticated domain users can exploit this flaw to execute code on Backup Servers. The vulnerability was fixed in version 12.3.2.3617. Many organizations have improperly joined backup servers to Windows domains, contrary to Veeam's recommendations. Previous RCE vulnerabilities have also been exploited by ransomware gangs targeting VBR servers.
2025-06-17 | Cyber Security News: New Veeam Vulnerabilities Enables Malicious Remote Code Execution on Backup Servers
Critical vulnerabilities in Veeam's backup software allow remote code execution on backup servers, posing significant risks. CVE-2025-23121 has a CVSS score of 9.9, affecting domain-joined servers. CVE-2025-24286 (7.2) allows Backup Operators to modify jobs for code execution. CVE-2025-24287 (6.1) enables local users to execute code with elevated permissions. Patches are available; organizations should update to Veeam Backup & Replication 12.3.2 and Veeam Agent for Microsoft Windows 6.3.2 immediately.
2025-06-18 | The Hacker News: Veeam Patches CVE-2025-23121: Critical RCE Bug Rated 9.9 CVSS in Backup & Replication
Veeam has released patches for a critical RCE vulnerability (CVE-2025-23121) in its Backup & Replication software, rated 9.9 CVSS. This flaw affects all version 12 builds, including 12.3.1.1139, and is addressed in version 12.3.2 (build 12.3.2.3617). Additionally, CVE-2025-24286 (7.2 CVSS) and CVE-2025-24287 (6.1 CVSS) vulnerabilities have also been patched. Rapid7 reported that over 20% of its 2024 incident responses involved Veeam, highlighting the need for immediate updates.
2025-06-18 | The Register: Veeam patches third critical RCE bug in Backup & Replication in space of a year
Veeam has released patches for a critical remote code execution (RCE) vulnerability, CVE-2025-23121, affecting domain-joined Backup & Replication servers, with a CVSS score of 9.9. This follows previous vulnerabilities, CVE-2025-23120 and CVE-2024-40711, also linked to BinaryFormatter. Veeam plans to eliminate BinaryFormatter in version 13, expected in H2 2025. The latest update addresses the RCE flaw and two other code execution issues. Ransomware groups have exploited these vulnerabilities in attacks.
2025-06-18 | Cybersecurity Dive: Researchers urge vigilance as Veeam releases patch to address critical flaw
Researchers are urging Veeam Backup & Replication users to upgrade to the latest version following a patch for a critical remote code execution vulnerability (CVE-2025-23121). This flaw allows authenticated domain users to execute code on backup servers. Previous patches were bypassed, prompting the new update. Veeam emphasizes the importance of timely patching to prevent exploitation, as over 20% of their incident response cases in 2024 involved Veeam vulnerabilities.
Russia detects first SuperCard malware attacks skimming bank data via NFC
Date: 2025-06-17 | Source: Recorded Future
Russian cybersecurity researchers have identified SuperCard malware, a modified version of the NFCGate program, involved in data-stealing attacks targeting bank information via NFC technology. First deployed in Russia in May 2023, it was initially spotted in Italy in April. Attackers use social engineering to trick victims into downloading the malware, which identifies payment systems for fraudulent transactions. SuperCard is marketed as malware-as-a-service, with a subscription model and customer support, targeting banks in the U.S., Australia, and Europe.
2025-06-18 | SC Magazine: SuperCard malware intrusions hit Russia
SuperCard malware has targeted Android users in Russia, utilizing NFCGate-based techniques and social engineering to install itself. It compromises payment systems to facilitate fraudulent transactions, affecting over 175,000 devices and resulting in losses of nearly $5.5 million. The malware has been linked to attacks on U.S., European, and Australian banks, and is promoted via Telegram channels. Researchers note its distribution by Chinese-speaking actors as part of a malware-as-a-service model.
2025-06-18 | Cyber Security News: New SuperCard Malware Using Hacked Android Phones to Relay Data from Users Payment Cards to Attackers Device
Cybersecurity experts have identified a new malware strain named “SuperCard,” which exploits hacked Android devices to steal payment card data. First detected in April 2025 by Cleafy, it targets European banking customers and operates as part of a malware-as-a-service platform. The malware uses social engineering to trick users into installing it, then captures NFC transaction data while allowing legitimate payments to proceed. Over 175,000 devices in Russia have been compromised, with damages exceeding 432 million rubles.
Ransomware Gangs Collapse as Qilin Seizes Control
Date: 2025-06-17 | Source: Cybereason
The ransomware landscape is shifting as Qilin emerges, taking advantage of the collapse of groups like RansomHub, LockBit, and BlackLock. RansomHub disappeared in March 2025, with DragonForce claiming its assets. LockBit and Everest faced defacements by "XOXO from Prague," damaging their reputations. Qilin, active since October 2022, offers advanced Ransomware-as-a-Service features, including custom malware, legal support, and network propagation, positioning itself as a significant threat with over 50 recent attacks.
2025-06-18 | Cyber Security News: Qilin Emerges as a New Dominant Ransomware Attacking Windows, Linux, and ESXi Systems
A new ransomware strain named Qilin has emerged, targeting Windows, Linux, and ESXi systems across various sectors, including finance and healthcare. It employs a double-extortion model, demanding ransoms between $500,000 and $3 million. Qilin uses advanced evasion techniques, including phishing emails and shellcode injection, and implements AES-256 and RSA-4096 for encryption. Its modular architecture allows it to adapt to different environments, complicating detection and attribution efforts.
2025-06-19 | Cyber Security News: Qilin Ransomware Emerges as World’s Top Threat, Demands $50 Million Ransom
Qilin ransomware has emerged as the leading global ransomware threat, amassing over $50 million in ransom payments in 2024. Initially developed as 'Agent' in 2022, it targets critical infrastructure in over 25 countries, particularly VMware ESXi systems. Linked to North Korean actors, it features a “Call Lawyer” service. The U.S. Department of Health and Human Services reports losses of $6 million to $40 million per incident. Defense recommendations include immutable backups, Zero Trust Architecture, and vulnerability patch management.
2025-06-20 | The Hacker News: Qilin Ransomware Adds "Call Lawyer" Feature to Pressure Victims for Larger Ransoms
The Qilin ransomware group has introduced a "Call Lawyer" feature to its affiliate panel, aiming to pressure victims into paying larger ransoms. Active since October 2022, Qilin has become a leading ransomware group, with 72 victims reported in April 2025. The group offers extensive support and advanced tools, including DDoS capabilities and spam services. This expansion follows the decline of other ransomware groups, positioning Qilin as a comprehensive cybercrime platform.
2025-06-20 | The Register: Qilin ransomware top dogs treat their minions to on-call lawyers for fierier negotiations
The Qilin ransomware group has introduced a "Call lawyer" feature for affiliates, allowing them to summon legal experts during ransom negotiations. This service includes legal assessments of stolen data, potential violations, and cleanup costs. Additionally, Qilin claims to have an in-house team for crafting blog posts to pressure victims. Cybereason reports Qilin is becoming a dominant ransomware-as-a-service (RaaS) group, noted for high-profile attacks on critical infrastructure since its emergence in 2022.
Hacker steals 1 million Cock.li user records in webmail data breach
Date: 2025-06-17 | Source: BleepingComputer
Cock.li, a Germany-based email hosting provider, confirmed a data breach affecting over 1 million user records due to vulnerabilities in its retired Roundcube webmail platform. Exposed data includes email addresses, login timestamps, and contact information for 10,400 accounts. User passwords and email content were not compromised. The breach is linked to CVE-2021-44026, prompting Cock.li to discontinue Roundcube. Users are advised to reset passwords, and the service will now require IMAP or SMTP/POP3 clients for access.
Hacker steals 1 million Cock.li user records in webmail data breach
2025-06-17 | Cyber Security News: Email Hosting Provider Cock.li Hacked – 1 Million Email Addresses Stolen
A security breach at email hosting provider Cock.li has compromised data from over 1 million users, specifically targeting its Roundcube webmail platform. The breach exposed email addresses, login timestamps, and user settings, but not passwords or email content. Cock.li has discontinued the Roundcube service and advised users to change passwords. The breach was linked to CVE-2021-44026, an SQL injection vulnerability. Cock.li plans to remove Roundcube permanently and may explore alternative webmail solutions.
2025-06-18 | SC Magazine: Addressed Google Chrome zero-day leveraged to spread Trinper backdoor
A breach of the German privacy-focused email hosting service Cock.li has compromised the information of over 1 million users who logged in since 2016. The incident is linked to vulnerabilities in the deprecated Roundcube webmail platform. The report highlights the significant impact on user data from exploitation of these vulnerabilities; it does not specify recommendations for affected users.
2025-06-18 | TechRadar: Top email hosting provider Cock.li hacked - over a million user records stolen
Cock.li, a German email hosting provider, was hacked, resulting in over a million user records being sold on the dark web. The breach involved a vulnerability in the retired Roundcube webmail platform, affecting all users who logged in since 2016. The stolen data includes email addresses, login timestamps, and user preferences for approximately 1,023,800 users, along with 93,000 contact entries from about 10,400 users. Users are advised to change their passwords.
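CVE-2021-44026 is named above as a SQL injection flaw in Roundcube, but none of the reports show what that class of bug looks like or how the fix differs. The block below is an added illustration, written for this page, not Roundcube's code or schema: a constructed in-memory SQLite address-book table, a lookup that splices the user-supplied id into the statement, and the same lookup with type coercion plus parameter binding. The table names, columns and payloads are all made up for the demonstration.

```python
import sqlite3


# Constructed in-memory schema standing in for a webmail user/address-book store.
# Illustration only: this is not Roundcube's schema or code.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users    (user_id INTEGER PRIMARY KEY, username TEXT, last_login TEXT);
        CREATE TABLE contacts (contact_id INTEGER PRIMARY KEY, user_id INTEGER, email TEXT);
        INSERT INTO users    VALUES (1, 'alice', '2025-06-01'), (2, 'bob', '2025-06-02');
        INSERT INTO contacts VALUES (10, 1, 'friend@example.org'), (11, 2, 'colleague@example.net');
    """)
    return conn


def contacts_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    # Attacker-controlled text is spliced into the statement, so it is parsed as SQL.
    sql = f"SELECT email FROM contacts WHERE user_id = {user_id}"
    return [row[0] for row in conn.execute(sql)]


def contacts_safe(conn: sqlite3.Connection, user_id: str) -> list:
    # Coerce the type first (a non-numeric id fails fast), then bind the value as a
    # parameter: the driver hands it to the engine separately from the query text,
    # so it can never change the statement's structure.
    uid = int(user_id)
    rows = conn.execute("SELECT email FROM contacts WHERE user_id = ?", (uid,))
    return [row[0] for row in rows]


def demo() -> dict:
    conn = make_db()
    # Payload that collapses the WHERE clause to "always true" ...
    all_rows = contacts_vulnerable(conn, "1 OR 1=1")
    # ... and one that reads a different table entirely.
    cross_table = contacts_vulnerable(conn, "1 UNION SELECT username FROM users")
    try:
        contacts_safe(conn, "1 OR 1=1")
        safe_rejected = False
    except ValueError:
        safe_rejected = True
    return {
        "honest": contacts_safe(conn, "1"),
        "vulnerable_all_contacts": sorted(all_rows),
        "vulnerable_cross_table": sorted(cross_table),
        "safe_rejected_payload": safe_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The UNION payload is the one that matters for a breach like this: it turns an address-book lookup into a read of an unrelated table, which is how a single injectable parameter yields a whole user list. Parameter binding, not escaping, is the fix; escaping would still leave numeric contexts like `user_id = ...` injectable.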
UK watchdog fines 23andMe for 'profoundly damaging' data breach
Date: 2025-06-17 | Source: BBC News
DNA testing firm 23andMe has been fined £2.31m by the UK Information Commissioner's Office (ICO) for a data breach in October 2023 that affected approximately 6.9 million individuals. The breach, caused by a "credential stuffing" attack, compromised sensitive personal information of 155,592 UK residents, including names, birth years, and health reports. The ICO criticized 23andMe for inadequate security measures. The company is set to be sold to TTAM Research Institute, which has committed to enhancing data protection.
UK watchdog fines 23andMe for 'profoundly damaging' data breach
2025-06-17 | Recorded Future: UK data privacy regulator fines 23andMe over cyber practices in wake of hack
The UK Information Commissioner's Office fined 23andMe £2.31 million ($3.14 million) for inadequate cybersecurity practices following a data breach in 2023 that exposed genetic data of millions. The breach involved a credential stuffing attack that began in April 2023, with 23andMe failing to implement multifactor authentication and other security measures. The company did not fully investigate the breach until October 2023, six months after it started, impacting nearly 156,000 U.K. residents.
2025-06-17 | The Guardian: DNA testing firm 23andMe fined £2.3m by UK regulator for 2023 data hack
23andMe was fined £2.3m by the UK Information Commissioner’s Office for failing to protect the personal data of over 150,000 UK residents during a cyberattack in 2023. The breach exposed sensitive information, including health reports and family histories, affecting 7 million individuals. The company was criticized for inadequate security measures, including poor user authentication. Following the incident, 23andMe has committed to enhancing data protection and offering customers identity theft monitoring.
2025-06-17 | DIGIT: ICO Fines 23andMe £2.31M For Data Protection Failures
The ICO has fined 23andMe £2.31 million for data protection failures after a credential stuffing attack in 2023 compromised the personal information of 155,592 UK users. The investigation revealed inadequate security measures, including the absence of multi-factor authentication and poor incident response. Despite multiple warning signs, 23andMe only initiated a full investigation in October 2023 after stolen data was found for sale online. The ICO noted that the company had implemented the required security improvements by the end of 2024.
2025-06-17 | TechCrunch: UK watchdog fines 23andMe over 2023 data breach
The U.K. Information Commissioner’s Office fined 23andMe £2.31 million ($3.1m) for failing to protect personal and genetic data during a 2023 breach affecting over 155,000 U.K. residents. Hackers accessed accounts using stolen credentials, exploiting the lack of multi-factor authentication. The breach compromised data for more than 6.9 million users. In response, 23andMe implemented mandatory multi-factor authentication and is in contact with its trustee following its bankruptcy filing.
2025-06-17 | The Register: 23andMe hit with £2.3M fine after exposing genetic data of millions
23andMe has been fined £2.31 million ($3.13 million) by the UK's ICO for a 2023 data breach affecting nearly 7 million users. The breach, caused by inadequate security measures including lack of MFA and poor password policies, allowed attackers to access 14,000 accounts via credential stuffing. The ICO noted a five-month delay in 23andMe's response. The breach exposed sensitive data of 155,592 UK residents. 23andMe is currently in Chapter 11 bankruptcy, raising questions about fine payment.
2025-06-17 | BleepingComputer: UK fines 23andMe for ‘profoundly damaging’ breach exposing genetics data
The UK Information Commissioner's Office fined 23andMe £2.31 million for serious security failings leading to a data breach in 2023. The breach exposed sensitive data of 4.1 million UK and German residents, including health reports and personal information, due to credential stuffing attacks. The data was leaked on forums, prompting 23andMe to implement two-factor authentication and password resets. The breach has resulted in class-action lawsuits and a $30 million settlement in 2024.
2025-06-18 | TechRadar: UK watchdog hits 23andMe with multi-million pound fine over 2023 data breach
The ICO fined 23andMe £2.31 million ($3.1 million) for failing to secure UK users' personal data following a 2023 cyberattack in which roughly 14,000 accounts were accessed directly. An investigation revealed serious security failings, including inadequate measures and a delayed response to the breach. The exposed data, including sensitive ancestry and health information, increases risks of identity theft and sophisticated social engineering attacks. Users are advised to remain vigilant against unexpected communications.
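Every report above faults 23andMe for missing a credential stuffing campaign that ran for months, and several note that the attack is visible in ordinary login telemetry. As an added example (my own code, not 23andMe's or the ICO's), the block below runs a simple detector over a constructed authentication log: one source address spraying many distinct accounts with a high failure rate, next to a real user fumbling a password. The log format, addresses, account names and thresholds are all assumptions for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample of an authentication log (not 23andMe's logs). Format assumed:
#   <timestamp> ip=<source> user=<account> result=<success|fail>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>success|fail)$"
)


def build_sample_log() -> list:
    lines = []
    # One source address trying 30 different accounts with two "hits": the credential
    # stuffing signature (many distinct users, mostly failures, a few successes).
    for i in range(1, 31):
        result = "success" if i in (5, 17) else "fail"
        lines.append(f"2025-06-17T10:{i:02d}:00Z ip=203.0.113.7 user=user{i:02d} result={result}")
    # A legitimate user mistyping a password: one account, a few attempts, then success.
    lines += [
        "2025-06-17T11:00:00Z ip=198.51.100.4 user=user42 result=fail",
        "2025-06-17T11:00:20Z ip=198.51.100.4 user=user42 result=fail",
        "2025-06-17T11:00:45Z ip=198.51.100.4 user=user42 result=success",
    ]
    return lines


def detect_credential_stuffing(lines, min_attempts=20, min_distinct_users=10,
                               min_fail_ratio=0.8) -> dict:
    """Flag source IPs that spray many different accounts with a high failure rate.

    Returns {ip: stats}; stats["compromised_accounts"] lists the logins that
    succeeded from a flagged source, i.e. the accounts to force through a password
    reset and MFA enrolment.
    """
    stats = defaultdict(lambda: {"attempts": 0, "fails": 0, "users": set(), "hits": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; count these separately in production
        ev = m.groupdict()
        s = stats[ev["ip"]]
        s["attempts"] += 1
        s["users"].add(ev["user"])
        if ev["result"] == "fail":
            s["fails"] += 1
        else:
            s["hits"].add(ev["user"])

    findings = {}
    for ip, s in stats.items():
        fail_ratio = s["fails"] / s["attempts"]
        if (s["attempts"] >= min_attempts
                and len(s["users"]) >= min_distinct_users
                and fail_ratio >= min_fail_ratio):
            findings[ip] = {
                "attempts": s["attempts"],
                "distinct_users": len(s["users"]),
                "fail_ratio": round(fail_ratio, 3),
                "compromised_accounts": sorted(s["hits"]),
            }
    return findings


if __name__ == "__main__":
    for ip, f in detect_credential_stuffing(build_sample_log()).items():
        print(ip, f)
```

Keying on source IP alone is the weakest form of this check: real campaigns rotate through proxies, so production detectors also aggregate by ASN, user agent or device fingerprint and compare against a per-account baseline. The point that survives any of those refinements is the same one the ICO made: a login stream where most attempts fail across thousands of different accounts is not normal traffic, and the successes inside it are the accounts that need resetting, not the failures.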
Cyberattack purportedly compromises Scania's corporate insurance subsidiary
Date: 2025-06-17 | Source: SC Magazine
Major Swedish vehicle manufacturer Scania's corporate insurance arm, Scania Financial Services, was allegedly compromised by the threat actor "hensi," resulting in the exfiltration of 34,000 confidential files. The attack targeted the insurance subdomain, with the attacker not disclosing the specific types of compromised information. Scania has not confirmed the breach, but the affected website is currently unavailable due to maintenance. This incident highlights the growing cyber threats facing automakers.
Cyberattack purportedly compromises Scania's corporate insurance subsidiary
2025-06-17 | BleepingComputer: Scania confirms insurance claim data breach in extortion attempt
Scania confirmed a cybersecurity incident in which attackers used compromised credentials to breach its Financial Services systems and steal insurance claim documents. The breach occurred on May 28, 2025, via credentials harvested by infostealer malware. The attackers then sent extortion emails to Scania employees, threatening to leak the data unless their demands were met. The compromised application has been taken offline and an investigation is underway. Scania reported limited impact and has notified privacy authorities.
2025-06-18 | Cyber Security News: Hackers Allegedly Claim Breach of Scania Financial Services, Sensitive Data Stolen
A threat actor named “hensi” claims to have breached Scania Financial Services’ insurance subdomain, allegedly stealing around 34,000 files. The hacker asserts full system compromise and is selling the data on cybercriminal marketplaces, emphasizing exclusivity in transactions. The breach raises concerns about vulnerabilities in financial services cybersecurity, particularly regarding sensitive customer information and compliance with regulations like GDPR. Security analysts recommend enhanced subdomain monitoring and regular vulnerability assessments.
2025-06-18 | SC Magazine: Data breach confirmed by Scania
Scania, a Swedish commercial vehicle manufacturer, confirmed a data breach involving the theft of insurance claim documents from its financial services arm. The breach occurred between May 28 and 29 through credentials stolen from a third-party IT partner, leading to the exfiltration of personal, financial, and medical information. Following the breach, Scania employees received extortion emails from the attacker and from a compromised third-party email account, and the data was ultimately leaked by the actor "Hensi".
2025-06-18 | TechRadar: Scania hit by cyberattack - thousands of customers potentially affected, here's what we know
Swedish automotive manufacturer Scania confirmed a cyberattack linked to an external IT partner, where hackers accessed sensitive customer data via stolen credentials. The breach occurred on May 28-29, 2025, allowing the download of insurance-related documents. The attackers attempted to extort Scania for ransom and later advertised the stolen database on a dark web forum. The extent of the data compromised and the number of affected individuals remain unknown.
Pro-Israel hackers claim breach of Iranian bank amid military escalation
Date: 2025-06-17 | Source: Recorded Future
A hacking group named Predatory Sparrow, linked to Israel, claimed responsibility for a cyberattack on Iran's Bank Sepah, disrupting customer services and affecting gas station transactions. The attack is seen as retaliation for the bank's alleged financing of Iran's military. Several branches were closed, and delays in salary payments were reported. The incident follows increased cyber activity amid escalating military tensions between Israel and Iran. Bank Sepah was previously sanctioned by the U.S. for missile development assistance.
Pro-Israel hackers claim breach of Iranian bank amid military escalation
2025-06-17 | TechCrunch: Pro-Israel hacktivist group claims responsibility for alleged Iranian bank hack
Pro-Israel hacktivist group Predatory Sparrow claimed responsibility for hacking Iran's Bank Sepah, alleging the bank funded terrorism and military programs and that the attack destroyed data linked to the Islamic Revolutionary Guard Corps. Reports indicate widespread banking disruptions in Iran, with several branches closed and customers unable to access accounts. The attack coincides with escalating military conflict between Israel and Iran. Cybersecurity experts note Predatory Sparrow's history of impactful cyberattacks on Iranian infrastructure.
2025-06-17 | Cyberscoop: Iran’s Bank Sepah disrupted by cyberattack claimed by pro-Israel hacktivist group
Bank Sepah's website is offline following a cyberattack claimed by the pro-Israel hacktivist group Predatory Sparrow. The attack has disrupted services, closing branches and preventing customer access to accounts. The group stated it targeted the bank for financing Iran's military and terrorist activities. This incident underscores the increasing role of cyber warfare amid escalating Israel-Iran tensions. The Central Bank of Iran's website is also down, indicating broader infrastructure impacts.
2025-06-18 | The Hacker News: Iran Slows Internet to Prevent Cyber Attacks Amid Escalating Regional Conflict
Iran has throttled internet access to hinder Israel's cyber operations following missile attacks between the two nations. The Iranian Cyber Police stated the slowdown is temporary and controlled. Concurrently, the pro-Israeli group Predatory Sparrow claimed responsibility for a cyber attack on Iran's Bank Sepah, disrupting its services. The U.S. Department of State is seeking information on Iranian hackers targeting critical infrastructure using IOCONTROL malware. Cyber Av3ngers, linked to Iran's IRGC, has been implicated in these activities.
2025-06-18 | Recorded Future: Iran curbs internet access to ward off Israel’s cyberattacks
Internet access in Iran has been intentionally disrupted amid escalating tensions with Israel, described as a measure to maintain network stability during alleged Israeli cyberattacks. A pro-Israel group, Predatory Sparrow, claimed responsibility for attacks on an Iranian bank and cryptocurrency exchange Nobitex, resulting in significant outages and the theft of $81.7 million in digital assets. Iranian officials accused Israel of waging a “massive cyber war,” while citizens faced difficulties accessing essential services and news.
2025-06-18 | TechCrunch: Hackers steal and destroy millions from Iran’s largest crypto exchange
Hackers targeted Iran's largest crypto exchange, Nobitex, draining at least $90 million from its hot wallet. The exchange reported unauthorized access and is investigating the incident, with its website and app currently unavailable. The pro-Israel group Predatory Sparrow claimed responsibility, alleging Nobitex financed terrorism and evaded sanctions. The attack coincides with escalating military tensions between Israel and Iran, with reports of a broader cyber offensive against Iranian infrastructure.
2025-06-18 | Wired: Israel-Tied Predatory Sparrow Hackers Are Waging Cyberwar on Iran’s Financial System
The Israel-linked hacker group Predatory Sparrow has targeted Iran's financial system, claiming responsibility for attacks on the crypto exchange Nobitex and Sepah Bank. They destroyed over $90 million in Nobitex holdings, accusing it of facilitating sanctions violations and terrorism financing. The group also claimed to have wiped all data from Sepah Bank, disrupting online banking and ATMs. The attacks reflect political rather than financial motives: the funds were moved to vanity addresses with no known private key, effectively burning them.
2025-06-18 | Cyberscoop: Iran’s financial sector takes another hit as largest crypto exchange is targeted
On Wednesday, a pro-Israel hacktivist group, Predatory Sparrow, stole over $90 million from Nobitex, Iran's largest cryptocurrency exchange, marking the second cyberattack on Iran's financial sector in two days. The group claimed Nobitex finances terrorism and threatened to leak its source code. Researchers confirmed the funds were sent to vanity addresses, effectively burning them as a political statement. Nobitex's website is offline, and Iran has reduced internet speeds to mitigate further attacks.
2025-06-18 | Chainalysis: Nobitex, Sanctions, and The $90 Million Exploit: A Window into Iran’s Largest Crypto Exchange
On June 18, 2025, Nobitex, Iran's largest cryptocurrency exchange, was exploited, resulting in over $90 million in losses across various cryptocurrencies. The attack, claimed by the pro-Israel group Gonjeshke Darande (Predatory Sparrow), appears politically motivated. Nobitex has been linked to illicit activities, including transactions with sanctioned entities. In response, Nobitex assured users of fund safety and moved Bitcoin to cold storage. The Central Bank of Iran has since imposed operating hour restrictions on domestic exchanges to enhance oversight.
2025-06-18 | BleepingComputer: Pro-Israel hackers hit Iran's Nobitex exchange, burn $90M in crypto
On June 18, 2025, the pro-Israel hacking group "Predatory Sparrow" claimed responsibility for a cyberattack on Iran's largest crypto exchange, Nobitex, stealing over $90 million in cryptocurrency and burning the funds in vanity addresses. Nobitex reported unauthorized access to its infrastructure and hot wallet on June 19. The attack is politically motivated, targeting the exchange's ties to the IRGC and Iranian leadership. Nobitex's website remains offline as investigations continue.
2025-06-19 | The Register: Iran’s internet goes offline for hours amid claims of ‘enemy abuse’
Iran's government has reportedly shut down internet access to prevent "enemy abuse," following claims of cyberattacks linked to Israel. Internet traffic in Iran dropped significantly, with Cloudflare and NetBlocks confirming the outage. The group Predatory Sparrow, believed to have Israeli ties, claimed responsibility for disrupting Bank Sepah and Iranian crypto exchange Nobitex. This action coincided with remarks from an Israeli military official hinting at upcoming cyber offensives. Access to .IR websites is currently unavailable.
2025-06-19 | Ars Technica: Israel-tied Predatory Sparrow hackers are waging cyberwar on Iran’s financial system
The Israel-linked hacker group Predatory Sparrow has targeted Iran's financial system, claiming responsibility for attacks on the crypto exchange Nobitex and Sepah bank. They destroyed over $90 million in Nobitex holdings, accusing it of facilitating sanctions violations and terrorism financing. In a separate incident, they claimed to have wiped all data from Sepah bank, linking it to the Iranian military. The group warns that associations with the regime's financial infrastructure pose risks to assets.
2025-06-20 | The Hacker News: Iran's State TV Hijacked Mid-Broadcast Amid Geopolitical Tensions; $90M Stolen in Crypto Heist
Iran's state TV was hacked to air protest videos against the government, with accusations directed at Israel. Concurrently, Bank Sepah and Nobitex, Iran's largest crypto exchange, were breached, resulting in over $90 million stolen. Cybersecurity firm Radware noted a surge in DDoS attacks against Israel, with 40% of hacktivist activity targeting the nation. Companies are advised to enhance vigilance as critical infrastructure may be at risk amid escalating cyber conflicts between Iran and Israel.
2025-06-20 | TechCrunch: Iran’s government says it shut down internet to protect against cyberattacks
Iran's government confirmed a near-total internet blackout to protect against perceived Israeli cyberattacks, citing threats to critical infrastructure and recent hacks on Bank Sepah and cryptocurrency exchange Nobitex by the hacker group Predatory Sparrow. The shutdown has severely limited communication for Iranians amid ongoing conflict, with all forms of external contact disrupted. Some individuals manage to bypass restrictions using virtual private servers, but access remains largely unavailable.
Hard-Coded 'b' Password in Sitecore XP Sparks Major RCE Risk in Enterprise Deployments
Date: 2025-06-17 | Source: The Hacker News
Cybersecurity researchers have identified three vulnerabilities in Sitecore Experience Platform (XP) that chain into pre-authenticated remote code execution. A hard-coded password "b" on the internal user "sitecore\ServicesAPI" gives an attacker an authenticated session against internal APIs and endpoints. From there, exploits include uploading a web shell via a crafted ZIP file and an unrestricted file upload flaw in the PowerShell Extensions module. Users of Sitecore XP versions 10.1 through 10.4 are urged to patch immediately given the significant risk, as the software is widely used in critical sectors.
Hard-Coded 'b' Password in Sitecore XP Sparks Major RCE Risk in Enterprise Deployments
2025-06-17 | Cyber Security News: Critical Sitecore CMS Platform Vulnerabilities Let Attackers Gain Full Control of Deployments
Critical vulnerabilities in Sitecore Experience Platform expose over 22,000 instances to full system compromise. Researchers found hardcoded credentials, specifically a weak password ("b") for the sitecore\ServicesAPI user account, affecting versions 10.1 and above. Attackers can exploit post-authentication vulnerabilities for remote code execution via file upload flaws. Sitecore has issued patches, and organizations are urged to verify versions and apply updates promptly.
2025-06-17 | BleepingComputer: Sitecore CMS exploit chain starts with hardcoded 'b' password
A chain of vulnerabilities in Sitecore Experience Platform (XP) allows remote code execution (RCE) without authentication. Discovered by watchTowr, it involves a hardcoded password for an internal user, enabling unauthorized access. Attackers can exploit a Zip Slip flaw to upload malicious files and execute code. A third vulnerability in the PowerShell Extensions module further facilitates RCE. Affects Sitecore XP versions 10.1-10.4, with over 22,000 exposed instances. Patches were released in May 2025, but exploitation risk remains high.
2025-06-17 | The Register: Sitecore CMS flaw let attackers brute-force 'b' for backdoor
Security researchers from watchTowr disclosed three vulnerabilities in the Sitecore Experience Platform, used by major companies like United Airlines and Microsoft. One flaw involves hardcoded internal account passwords set to "b," easily brute-forced. The second is a path traversal vulnerability allowing remote code execution (RCE) via a ZIP upload. The third is an unrestricted file upload flaw, also leading to RCE, particularly when the Sitecore PowerShell Extension is installed. Over 22,000 instances are exposed.
2025-06-18 | TechRadar: One of the world's most popular CMS tools has an embarrassing security flaw, so patch immediately
The Sitecore CMS has a critical security flaw involving a hardcoded password for an internal user, allowing threat actors to gain authenticated access to internal endpoints. This vulnerability, combined with a "Zip Slip" flaw in the Upload Wizard, enables attackers to upload malicious files, potentially leading to remote code execution (RCE). All Sitecore versions from 10.1 to 10.4 are affected, with around 22,000 instances exposed. Users are urged to patch immediately, as no abuse has been reported yet.
2025-06-18 | SC Magazine: Total Sitecore CMS takeover possible with exploit chain
More than 22,000 instances of Sitecore Experience Platform are vulnerable to takeover due to a chain of three security flaws. The first is a hard-coded, single-character password on an internal account, trivially guessable by brute force. The second is a path traversal vulnerability enabling remote code execution (RCE). The third is an unrestricted file upload flaw. Attackers can exploit these vulnerabilities in sequence, particularly if the Sitecore PowerShell Extension is installed. Sitecore has issued patches for all identified flaws.
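The second link in the chain above is a "Zip Slip" path traversal in an upload handler: an archive entry named with `../` components lands outside the directory the extractor intended. The block below is an added illustration written for this page; it is not Sitecore's code, not the watchTowr exploit, and does not use any real Sitecore package. It builds a constructed archive with one escaping entry, shows a hand-rolled extractor writing two levels above its upload root, and then a hardened extractor that resolves every entry name and refuses anything that leaves that root. Directory names and file contents are made up for the demonstration.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path


def build_malicious_zip() -> bytes:
    # Constructed archive: one benign entry plus one whose name climbs out of the
    # extraction directory. Nothing here is Sitecore's code or a real Sitecore package.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("media/logo.txt", "benign")
        z.writestr("../../escaped.txt", "written outside the upload root")
    return buf.getvalue()


def extract_vulnerable(zip_bytes: bytes, dest: Path) -> None:
    # Trusts the entry name. os.path.join keeps the "../" components, so the write
    # lands wherever the archive author chose. (Python's own ZipFile.extractall strips
    # such components; hand-rolled extractors, in any language, frequently do not.)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        for info in z.infolist():
            target = os.path.join(dest, info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as f:
                f.write(z.read(info))


def safe_entry_path(dest: Path, name: str) -> Path:
    """Return the absolute path for an archive entry, or raise if it would leave dest."""
    if not name or name.startswith(("/", "\\")) or os.path.splitdrive(name)[0]:
        raise ValueError(f"rejecting absolute or empty entry name: {name!r}")
    root = dest.resolve()
    candidate = (root / name).resolve()  # resolve() also follows a symlink planted by an earlier entry
    if os.path.commonpath([root, candidate]) != str(root) or candidate == root:
        raise ValueError(f"rejecting entry that escapes the extraction dir: {name!r}")
    return candidate


def extract_safe(zip_bytes: bytes, dest: Path) -> list:
    # Validate every name before touching the filesystem, so a bad entry late in the
    # archive cannot leave a half-extracted package behind.
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        plan = [(info, safe_entry_path(dest, info.filename)) for info in z.infolist()]
        written = []
        for info, target in plan:
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(z.read(info))
            written.append(info.filename)
    return written


def demo() -> dict:
    zip_bytes = build_malicious_zip()
    root = Path(tempfile.mkdtemp())  # scratch dir so the escape stays contained
    upload_dir = root / "site" / "uploads"
    upload_dir.mkdir(parents=True)

    extract_vulnerable(zip_bytes, upload_dir)
    escaped = (root / "escaped.txt").exists()  # two levels above upload_dir

    try:
        extract_safe(zip_bytes, upload_dir)
        safe_rejected = False
    except ValueError:
        safe_rejected = True

    benign = io.BytesIO()  # a clean archive still extracts normally
    with zipfile.ZipFile(benign, "w") as z:
        z.writestr("media/logo.txt", "benign")
    safe_written = extract_safe(benign.getvalue(), upload_dir)

    return {"vulnerable_wrote_outside": escaped,
            "safe_rejected_archive": safe_rejected,
            "safe_extracted": safe_written}


if __name__ == "__main__":
    print(demo())
```

The check that matters is the comparison after `resolve()`, not a string search for `..`: an entry like `media/..\\..\\x` or a symlink extracted by an earlier entry can defeat a naive substring filter, while resolving the final path and confirming it is still under the root catches both. Rejecting the whole archive, rather than skipping the bad entry, keeps the upload from leaving a partially written package that a later request could complete.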
TP-Link Router Flaw CVE-2023-33538 Under Active Exploit, CISA Issues Immediate Alert
Date: 2025-06-17 | Source: The Hacker News
CISA has added CVE-2023-33538, a command injection vulnerability in TP-Link routers (CVSS score: 8.8), to its KEV catalog due to active exploitation. Affected models include TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2. Users are urged to discontinue use if no mitigations are available. Additionally, exploit attempts targeting Zyxel firewalls (CVE-2023-28771, CVSS score: 9.8) have increased, with recommendations to update devices and monitor for anomalies.
TP-Link Router Flaw CVE-2023-33538 Under Active Exploit, CISA Issues Immediate Alert
2025-06-17 | Tomsguide: These three TP-Link routers are being targeted by hackers – here’s what to know
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warns that three TP-Link router models (TL-WR940N, TL-WR841N, TL-WR740N) are vulnerable to a command injection flaw (CVSS score 8.8). This vulnerability allows unauthorized command execution via the web interface. Affected routers, all at end-of-life with no further updates, must be removed by federal agencies by July 7, 2025. Users are advised to replace these routers and consider enhanced security measures.
2025-06-18 | TechRadar: These popular TP-Link routers could be facing some serious security threats - find out if you're affected
CISA has flagged a command injection vulnerability (CVE-2023-33538) affecting multiple end-of-life TP-Link router models, including TL-WR940N and TL-WR841N, with a severity score of 8.8/10. This vulnerability allows attackers to execute arbitrary commands. As these models no longer receive updates, users are urged to replace them by July 7, 2025. The vulnerability poses significant risks, especially for routers with remote access features. CISA recommends discontinuing use of these devices.
Minnesota Shooting Suspect Allegedly Used Data Broker Sites to Find Targets’ Addresses
Date: 2025-06-17 | Source: Wired
A Minnesota shooting suspect, Vance Boelter, allegedly used data broker sites to obtain addresses of his victims, including Democratic state representative Melissa Hortman and state senator John Hoffman. Court documents reveal he had notebooks listing over 45 public officials' details. Advocates call for regulation of data brokers, emphasizing the risks posed by easily accessible personal information. The incident highlights the urgent need for data privacy legislation to protect individuals from targeted violence.
Minnesota Shooting Suspect Allegedly Used Data Broker Sites to Find Targets’ Addresses
2025-06-17 | 404 Media: The People Search Sites in the Suspected Minnesota Killer's Notebook Are a Failure of Congress
The article discusses the case of Vance Boelter, charged with the murders of Minnesota Rep. Melissa Hortman and her husband. An FBI affidavit revealed a notepad in Boelter's SUV listing various people search sites, which can expose personal information. Notably, Hortman's address was publicly available. Senator Ron Wyden emphasized the danger of data brokers, stating they pose a risk to public safety. The article highlights the potential misuse of such data in acts of violence against public officials.
2025-06-17 | Recorded Future: Minnesota lawmaker’s alleged killer had list of data broker websites in car, FBI says
A list of 11 data broker websites was found in the SUV of Vance Boelter, who allegedly murdered Minnesota state Rep. Melissa Hortman and her husband. The FBI affidavit revealed that Boelter had detailed notes on accessing personal information, including addresses of over 45 officials. This case highlights the dangers posed by data brokers, prompting renewed calls for regulation. Lawmakers are seeking to advance legislation to restrict data brokers following this incident, which underscores the risks associated with publicly available personal data.
Hackers Actively Exploiting Langflow RCE Vulnerability to Deploy Flodrix Botnet
Date: 2025-06-17 | Source: Cyber Security News
Security researchers have identified an active campaign exploiting CVE-2025-3248, a critical RCE vulnerability in Langflow (versions <1.3.0). Rated 9.8 CVSS, it allows attackers to execute malicious Python code via unauthenticated requests. Exploitation leads to the deployment of the Flodrix botnet, which conducts DDoS attacks and evades detection. Organizations must upgrade to version 1.3.0, restrict public access, and monitor for indicators of compromise to mitigate risks.
Hackers Actively Exploiting Langflow RCE Vulnerability to Deploy Flodrix Botnet
2025-06-17 | The Hacker News: New Flodrix Botnet Variant Exploits Langflow AI Server RCE Bug to Launch DDoS Attacks
A new variant of the Flodrix botnet is exploiting a critical vulnerability (CVE-2025-3248, CVSS 9.8) in Langflow, a Python framework for AI applications, to launch DDoS attacks. Attackers execute downloader scripts on compromised servers to install Flodrix, which communicates with a remote server for commands. The flaw allows unauthenticated code execution via crafted HTTP requests. The vulnerability was patched in March 2025. Flodrix is an evolution of the LeetHozer botnet, featuring enhanced obfuscation and new DDoS attack types.
2025-06-17 | SC Magazine: Flodrix botnet deployed via Langflow security issue
Internet-exposed instances of the Python-based AI framework Langflow are being targeted by the Flodrix botnet due to a critical remote code execution vulnerability (CVE-2025-3248). This flaw allows attackers to gain remote shell access and execute commands, leading to the deployment of Flodrix, which conducts DDoS attacks and other malicious activities. Recommendations include updating Langflow to version 1.3.0 or later, restricting public endpoint access, and monitoring for indicators of compromise.
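The three reports above describe CVE-2025-3248 only as "unauthenticated code execution via crafted HTTP requests" against a Python framework. Public analyses of the flaw describe a code-validation endpoint that compiled and executed submitted function definitions. The block below is my own illustration of why that pattern is arbitrary code execution, not Langflow's code and not the exploit: a definition's decorators and default-argument expressions are evaluated when the `def` statement runs, so "validating" by exec runs attacker code even though no function is ever called. The payload is constructed and benign (it sets an environment variable as its observable side effect); the hardened version uses the parser alone.

```python
import ast
import os

MARKER = "DEMO_VALIDATE_RAN"  # environment variable used as the observable side effect


def validate_by_exec(code: str) -> list:
    # Pattern to avoid: "checking" user code by compiling and executing each function
    # definition. Decorators and default-argument expressions are evaluated when the
    # def statement runs, so attacker code executes even though nothing is called.
    tree = ast.parse(code)
    names = []
    for node in tree.body:
        if isinstance(node, ast.FunctionDef):
            module = ast.Module(body=[node], type_ignores=[])
            exec(compile(module, "<validate>", "exec"), {})
            names.append(node.name)
    return names


def validate_by_ast(code: str) -> list:
    # Hardened: the parser alone reports syntax errors and lets us enumerate
    # definitions. Nothing is compiled to bytecode or executed.
    tree = ast.parse(code)
    return [n.name for n in tree.body if isinstance(n, ast.FunctionDef)]


# Constructed payload: a syntactically ordinary function whose default argument
# carries the side effect. A real payload would spawn a shell or fetch a downloader.
PAYLOAD = (
    'def harmless(x=__import__("os").environ.__setitem__("DEMO_VALIDATE_RAN", "1")):\n'
    '    return x\n'
)


def demo() -> dict:
    os.environ.pop(MARKER, None)
    names_ast = validate_by_ast(PAYLOAD)
    ran_after_ast = MARKER in os.environ
    names_exec = validate_by_exec(PAYLOAD)
    ran_after_exec = MARKER in os.environ
    os.environ.pop(MARKER, None)
    return {
        "ast_names": names_ast, "ast_ran_payload": ran_after_ast,
        "exec_names": names_exec, "exec_ran_payload": ran_after_exec,
    }


if __name__ == "__main__":
    print(demo())
```

Both validators return the same list of function names, which is the trap: the exec-based one looks like it is merely inspecting the code. If a service genuinely needs to run user-supplied Python, the answer is authentication plus an isolated sandbox (separate process, no network, resource limits), never exec in the API worker; and as the reports note, the instances being hit are the ones reachable from the internet without any login in front of them.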
Hackers switch to targeting U.S. insurance companies
Date: 2025-06-16 | Source: BleepingComputer
Threat intelligence researchers warn that hackers are now targeting U.S. insurance companies using tactics associated with the Scattered Spider group. This group employs sophisticated social engineering to breach security, previously targeting retail sectors. Organizations are advised to enhance visibility across infrastructure, implement strong authentication, and educate employees on impersonation attempts. Recommendations include activating multi-factor authentication and monitoring for unauthorized logins to prevent breaches.
Hackers switch to targeting U.S. insurance companies
2025-06-16 | Cybersecurity Dive: Threat group linked to UK, US retail attacks now targeting insurance industry
Hackers linked to the group Scattered Spider are now targeting the insurance industry after previously attacking U.K. and U.S. retailers since April. Google researchers report multiple confirmed incidents in the insurance sector, with a surge in activity noted recently. Erie Insurance is investigating a suspected cyberattack discovered on June 7, which caused a network outage. The company is collaborating with law enforcement and security teams to assess the incident's impact and has warned customers against sharing personal information.
2025-06-16 | Cyberscoop: Scattered Spider, fresh off retail sector attack spree, pivots to insurance industry
Scattered Spider, a cybercrime group tracked as UNC3944, has shifted focus from retail to the insurance industry, impacting multiple U.S. insurance companies. Erie Insurance reported unusual network activity on June 7, activating incident response protocols. The nature of the attack remains undisclosed, but systems are offline, hindering customer access. The company is collaborating with law enforcement and cybersecurity experts for a thorough investigation. Mandiant noted that attacks on the insurance sector began approximately a week and a half ago.
2025-06-16 | The Register: Scattered Spider has moved from retail to insurance
Cyber-crime group Scattered Spider has shifted focus to the insurance sector, targeting US insurance companies following ransomware attacks on retailers. Google warns the industry to be vigilant against social engineering schemes. Erie Insurance reported a network outage on June 8, linked to an information security event, while Philadelphia Insurance Companies experienced similar issues starting June 9. Both companies are conducting forensic investigations and working with law enforcement to address the breaches.
2025-06-17 | The Hacker News: Google Warns of Scattered Spider Attacks Targeting IT Support Teams at U.S. Insurance Firms
Google's Threat Intelligence Group warns that the cybercrime group Scattered Spider (UNC3944) is now targeting U.S. insurance firms, employing advanced social engineering tactics. The group has a history of impersonating employees and bypassing multi-factor authentication. They are also collaborating with the DragonForce ransomware cartel. Recommendations for mitigation include enhancing authentication, enforcing identity controls, implementing access restrictions, and training help desk personnel to verify employee identities.
2025-06-17 | SC Magazine: US insurance sector newly targeted by Scattered Spider
Hacking collective Scattered Spider (UNC3944) has shifted its focus to the U.S. insurance sector, targeting several firms after previous attacks on retailers. The Google Threat Intelligence Group reported multiple intrusions, advising heightened vigilance against social engineering schemes aimed at help desks and call centers. This activity follows a cyberattack on Erie Insurance, which experienced outages earlier this month. Further details on the attacks are still under investigation.
2025-06-17 | TechRadar: After hitting top retail stores, experts warn this infamous criminal gang is now going after US insurance giants
The Scattered Spider cybercrime gang has shifted its focus from high-end retailers to US insurance companies, according to Google Threat Intelligence Group. Multiple intrusions have been reported, with Erie Insurance and Philadelphia Insurance Company suspected victims. The gang employs social engineering tactics, including fake helpdesk calls, to gain access to systems and deploy DragonForce ransomware. Organizations are advised to enhance employee awareness of phishing and social engineering to mitigate risks.
2025-06-17 | SC Magazine: Scattered Spider group attacking US insurance industry, Google says
On June 16, Google Threat Intelligence Group reported multiple intrusions into the U.S. insurance industry linked to the Scattered Spider ransomware group, shifting from their previous focus on retail. Erie Insurance experienced a cyberattack on June 7, while Scania Financial Services allegedly had 34,000 files stolen. Scattered Spider targets sectors for ransomware and data theft, exploiting complex digital environments and social engineering vulnerabilities. Insurance firms' reliance on help desks makes them particularly susceptible to attacks.
2025-06-17 | Recorded Future: Scattered Spider hackers targeting insurance industry following retail hits, Google warns
A warning from Google's Threat Intelligence Group indicates that the Scattered Spider hacker group has shifted its focus from retail to the insurance industry, with multiple intrusions reported in the U.S. Insurance firms, including Erie Insurance and Philadelphia Insurance Companies, have experienced cyber incidents leading to network outages. Scattered Spider is known for social engineering attacks targeting IT departments. The group has previously attacked major retailers and is linked to the threat actor UNC3944.
2025-06-18 | Cyber Security News: SCATTERED SPIDER Using Aggressive Social Engineering Techniques to Deceive IT Support Teams
A series of cyberattacks attributed to SCATTERED SPIDER has targeted major organizations in the UK and US, utilizing aggressive social engineering tactics, particularly vishing, to deceive IT support teams. Active since 2022, they collaborate with DragonForce for ransomware deployment. A notable incident involved a 2023 attack on MGM Resorts, leveraging simple phone-based manipulation. Recommendations include enhancing help desk verification protocols and implementing phishing-resistant MFA solutions.
Remorseless extortionists claim to have stolen thousands of files from Freedman HealthCare
Date: 2025-06-16 | Source: The Register
An extortion gang claims to have breached Freedman HealthCare, threatening to release 52.4 GB of sensitive data, including 42,204 files, on Tuesday morning. The breach could expose financial and protected health information of millions, affecting state agencies and healthcare providers. Freedman HealthCare has worked with states like California and Delaware on critical healthcare databases. The group, now known as World Leaks, has a history of targeting organizations in the healthcare sector for extortion.
2025-06-17 | SC Magazine: Widespread data breach reported by Zoomcar
A data breach involving Freedman HealthCare has resulted in the compromise of 52.4 GB of data, including 42,204 files. The World Leaks hacking operation, previously known as Hunters International, is responsible for this breach and has threatened to expose the stolen information by Tuesday morning.
2025-06-17 | SC Magazine: Freedman HealthCare allegedly subjected to massive hack
Freedman HealthCare, a U.S. health data management provider, reportedly suffered a significant data breach involving 52.4 GB of data and 42,204 files, allegedly compromised by the World Leaks hacking group. If confirmed, this breach could rank among the largest in recent healthcare history. Freedman HealthCare collaborates with California and Delaware on healthcare payments and claims databases, impacting millions. World Leaks, formerly known as Hunters International, has a history of targeting critical services.
2025-06-17 | TechRadar: Cybercrime gang hacks major health data provider - millions of highly personal files could be at risk of breach
A cybercrime gang named World Leaks claims to have breached Freedman HealthCare, a US consulting firm handling sensitive health data. They claim to have exfiltrated 42,204 files totaling over 50GB, although the nature of the files and the ransom amount remain undisclosed. Freedman HealthCare has not confirmed the breach. World Leaks operates on an "extortion-as-a-service" model and is believed to be a rebrand of Hunters International, which has a history of targeting notable organizations.
ASUS Armoury Crate bug lets attackers get Windows admin privileges
Date: 2025-06-16 | Source: BleepingComputer
A high-severity vulnerability in ASUS Armoury Crate, tracked as CVE-2025-3464 with a score of 8.8, allows privilege escalation to SYSTEM level on Windows. The flaw affects versions 5.9.9.0 to 6.1.18.0 and involves improper caller verification in the AsIO3.sys driver. Exploitation requires an attacker to be on the system. Users are advised to update Armoury Crate to mitigate the risk. No exploitation has been observed in the wild, but the vulnerability presents a significant attack surface.
2025-06-17 | Cyber Security News: ASUS Armoury Crate Vulnerability Let Attackers Escalate to System User on Windows Machine
A critical authorization bypass vulnerability (CVE-2025-3464) in ASUS Armoury Crate allows attackers to escalate privileges on Windows systems via hard link manipulation. The flaw, affecting the AsIO3.sys driver (v5.9.13.0), has a CVSS score of 8.8. Discovered by Cisco Talos, it was reported on February 18, 2025, and patched by ASUS on June 16, 2025. Users are urged to update immediately to mitigate risks associated with this vulnerability, which can lead to complete system compromise.
2025-06-17 | SC Magazine: Windows privilege escalation possible with ASUS Armoury Crate flaw
A high-severity vulnerability in ASUS Armoury Crate, tracked as CVE-2025-3464, allows attackers to escalate privileges to SYSTEM on Windows machines. The flaw arises from hardcoded SHA-256 hashes and a PID allowlist in the driver, enabling exploitation through a benign app linked to a malicious executable. This could lead to complete OS compromise. Users with Armoury Crate versions 5.9.9.0 to 6.1.18.0 are advised to update immediately, though active exploitation has not been observed.
2025-06-17 | TechRadar: A key Asus Windows tool has a worrying security flaw - here's how to stay safe
Asus has patched CVE-2025-3464, a high-severity authentication bypass flaw in Armoury Crate, affecting versions 5.9.9.0 to 6.1.18.0. Discovered by Cisco Talos, the vulnerability allows unauthorized driver access, potentially leading to full device takeover. Users must update to the latest version by navigating to Settings > Update Center > Check for Updates. Asus found no evidence of exploitation but strongly recommends immediate updates to mitigate risks. The flaw has a severity score of 8.4/10.
Washington Post's email system hacked, journalists' accounts compromised
Date: 2025-06-16 | Source: BleepingComputer
Email accounts of several Washington Post journalists were compromised in a cyberattack attributed to a foreign government, discovered on June 15. An internal memo informed employees of a potential unauthorized intrusion into their Microsoft accounts, particularly affecting those covering national security and economic policy. The attack highlights ongoing threats from advanced persistent threats (APTs), particularly from Chinese hackers exploiting vulnerabilities in Microsoft Exchange. No further details about the attack have been disclosed.
2025-06-16 | Cyber Security News: Washington Post Journalists’ Microsoft Accounts Hacked in Targeted Cyberattack
Email accounts of multiple Washington Post journalists were hacked in a targeted cyberattack, suspected to involve a foreign government. Discovered during routine monitoring, the breach prompted immediate security measures, including a mandatory password reset for all staff. A forensic investigation is underway to assess the extent of data accessed, particularly focusing on reporters covering China-related issues. The attack highlights the vulnerability of news organizations to state-sponsored cyber espionage.
2025-06-17 | Security Magazine: Washington Post Journalists Targeted in Cyberattack
The Washington Post experienced a cyberattack affecting journalists, particularly those covering national security and economic policy. The attack highlights the risks journalists face, including zero-click exploits from commercial surveillance vendors. Following the discovery of the breach last Thursday, the newspaper reset login credentials for all employees. The identity of the attackers remains unknown.
Whole Foods supplier making progress on restoration after cyberattack left shelves empty
Date: 2025-06-16 | Source: Recorded Future
On June 5, United Natural Foods (UNFI) experienced a cyberattack that disrupted operations, leading to empty shelves at Whole Foods and other grocery stores. As of a recent statement, UNFI has made significant progress in restoring electronic ordering systems and is using alternative methods to fulfill customer needs. The company, which serves over 30,000 locations, reported that most distribution centers are now operational, but manual processes are still in use. Investigations are ongoing, with law enforcement notified.
2025-06-16 | TechCrunch: As grocery shortages persist, UNFI says it’s recovering from cyberattack
On June 5, 2023, United Natural Foods (UNFI) suffered a cyberattack, leading to significant disruptions in grocery supply chains across North America. The company is working to restore its electronic ordering systems but has not disclosed the attack's nature. Whole Foods, a primary distributor for UNFI, reported shelf shortages due to the outage. UNFI has not provided a recovery timeline, and various grocery stores continue to experience supply issues.
2025-06-17 | TechRadar: Whole Foods supplier targeted by cyberattack says it is making ‘significant progress’ towards recovery
A cyberattack targeted United Natural Foods Inc (UNFI), a major food distributor, causing widespread delays and system shutdowns. UNFI is making significant progress in restoring electronic ordering systems but warns of potential ongoing delays. The attack, suspected to be ransomware, led to the shutdown of its entire network to prevent further encryption and protect sensitive data. Whole Foods, a primary customer, has been notably affected. The incident highlights ongoing cybersecurity threats to retailers in 2025.
2025-06-18 | Cybersecurity Dive: How the cyberattack against UNFI affected 4 independent grocers
United Natural Foods, Inc. (UNFI) suffered a cyberattack on June 6, leading to a complete shutdown of its online ordering system. As of June 8, grocers like Darlings Grocery and Orcas Food Co-op faced supply challenges, relying on alternative suppliers. Whole Foods Market also experienced delivery delays. UNFI is working to restore its electronic systems but has not provided a timeline. Pharmacies in its Cub grocery chain have resumed filling prescriptions following the disruptions.
Police seizes Archetyp Market drug marketplace, arrests admin
Date: 2025-06-16 | Source: BleepingComputer
Law enforcement from six countries dismantled the Archetyp Market, a darknet drug marketplace active since May 2020, during 'Operation Deep Sentinel.' The operation led to the arrest of a 30-year-old German suspect in Barcelona and the seizure of 47 smartphones, 45 computers, narcotics, and assets worth €7.8 million. The marketplace had over 612,000 users and facilitated €250 million in transactions. This action significantly disrupts the supply of dangerous substances on the dark web.
2025-06-16 | Recorded Future: Police dismantle Archetyp dark web drug market, arrest administrator
International law enforcement has dismantled the Archetyp dark web drug marketplace, arresting its alleged 30-year-old German administrator in Barcelona. The operation, conducted from June 11-13, involved raids across multiple countries, targeting moderators and vendors. Archetyp, operational since 2020, had over 600,000 users and processed approximately €250 million in transactions. Authorities seized assets worth €7.8 million, including luxury vehicles and cryptocurrency, disrupting a major supply line for dangerous substances.
2025-06-16 | Cyber Security News: Darknet Market Archetyp Takedown by Authorities in Joint Action ‘Operation Deep Sentinel’
International law enforcement dismantled the Archetyp Market, a major darknet marketplace, on June 11, 2025, arresting its 30-year-old German administrator in Barcelona. The operation, led by German, Spanish, and Dutch authorities, seized €7.8 million in assets and extensive digital evidence. Archetyp facilitated the sale of various narcotics, processing €250 million in transactions via Monero cryptocurrency. The Dutch police also seized the server infrastructure, effectively shutting down the platform.
2025-06-16 | The Register: Eurocops arrest suspected Archetyp admin, shut down mega dark web drug shop
Operation Deep Sentinel led to the takedown of Archetyp, a major dark web drug marketplace, with the arrest of its 30-year-old German admin in Barcelona. The operation involved over 300 officers across Germany and Sweden, resulting in seven arrests and the search of 20 properties. Authorities seized 47 smartphones, 45 computers, and narcotics. Archetyp had over 600,000 users and facilitated transactions exceeding €250 million, primarily using Monero for payments.
2025-06-17 | TechRadar: Major police operation takes down notorious dark web marketplace Archetyp Market
Europol dismantled Archetyp Market, a dark web drug marketplace operational for over five years, with more than 600,000 users and $280 million in transactions. The operation, conducted from June 11-13 across five European countries, resulted in the arrest of a 30-year-old German national in Spain and the seizure of $9 million in assets. The takedown disrupts a major supply line for dangerous substances, including fentanyl, and involved extensive investigative work by multiple law enforcement agencies.
PyPI, npm, and AI Tools Exploited in Malware Surge Targeting DevOps and Cloud Environments
Date: 2025-06-16 | Source: The Hacker News
Cybersecurity researchers identified a malicious PyPI package named chimera-sandbox-extensions, which targets users of the Chimera Sandbox by stealing sensitive data, including AWS tokens and CI/CD environment variables. The package, downloaded 143 times, connects to a domain via a domain generation algorithm to download a payload that extracts various credentials and system information. This incident highlights the increasing sophistication of malware in open-source repositories.
2025-06-16 | Cyber Security News: Hackers Upload Weaponized Packages to PyPI Repositories to Steal AWS, CI/CD and macOS Data
A malware campaign targeting the Python Package Index (PyPI) has been identified, with the malicious package "chimera-sandbox-extensions" designed to steal AWS credentials, CI/CD pipeline data, and more. The attack employs a multi-stage sequence connecting to command-and-control servers using a domain generation algorithm. JFrog analysts discovered the package and reported it for removal. The malware's targeted nature indicates a deep understanding of enterprise security architectures, posing significant risks to organizations with cloud infrastructure.
2025-06-16 | SC Magazine: PyPI repositories targeted by malicious 'Chimera-Sandbox Extensions'
A malicious package named “Chimera-Sandbox Extensions” was uploaded to the PyPI repository, targeting credentials and sensitive information, including Jamf macOS data and AWS tokens. This incident highlights risks in open-source software, as compromised packages can infect numerous applications. Experts recommend using curated package registries like JFrog Artifactory for better control over dependencies and emphasize the need for a multi-layered defense strategy to mitigate such supply chain attacks.
WestJet investigates cyberattack disrupting internal systems
Date: 2025-06-14 | Source: BleepingComputer
WestJet is investigating a cyberattack that disrupted access to internal systems and the WestJet app, affecting user access. The airline has activated specialized teams in cooperation with law enforcement and Transport Canada to limit impacts and safeguard sensitive data. While services have been restored, the nature of the attack—whether ransomware or a precautionary shutdown—remains unclear. The airline assures that operations continue safely despite the disruptions.
2025-06-16 | TechRadar: WestJet investigating possible cyberattack - make sure your data is safe
WestJet is investigating a cyber incident that has disrupted its website and mobile app, affecting user access. The airline has activated internal teams and is collaborating with law enforcement and Transport Canada to address the situation. While operations remain stable, users may experience intermittent issues. No details on the attackers or the nature of the breach have been disclosed, but the disruption suggests a potential ransomware attack. Regular updates will be provided as more information becomes available.
2025-06-16 | The Register: Canada's WestJet says 'expect interruptions' online as it navigates cybersecurity turbulence
Canadian airline WestJet is experiencing "intermittent interruptions or errors" on its app and website due to a cybersecurity incident first noted on June 13. The airline has engaged external experts and law enforcement to investigate, though it has not confirmed malicious intent. WestJet advises caution when sharing personal information but states that flight operations remain unaffected. Customers have raised concerns about password changes, which have not been addressed. Regular updates will follow.
Anubis ransomware adds wiper to destroy files beyond recovery
Date: 2025-06-14 | Source: BleepingComputer
Anubis ransomware has introduced a wiper module that irreversibly destroys targeted files, complicating recovery even if the ransom is paid. First observed in December 2024, Anubis operates as a RaaS, offering affiliates up to 80% of proceeds. The wiper, activated via the ‘/WIPEMODE’ command, reduces file sizes to 0 KB while retaining filenames. Anubis employs ECIES for encryption, appending the ‘.anubis’ extension to files. Attacks typically start with phishing emails containing malicious links or attachments.
2025-06-16 | Cyber Security News: Anubis Ransomware With Wipe Mode That Permanently Erases File With No Recovery Option
Anubis ransomware, launched in early 2025, features a destructive "wipe mode" that permanently erases file contents, making recovery impossible even after ransom payment. Evolving from the Sphinx variant, Anubis targets sectors like healthcare and engineering in Australia, Canada, Peru, and the U.S. It uses spear phishing for initial access and employs sophisticated privilege escalation. The wipe mode, activated via the /WIPEMODE parameter, erases files while maintaining their structure, ensuring total data loss.
2025-06-16 | The Hacker News: Anubis Ransomware Encrypts and Wipes Files, Making Recovery Impossible Even After Payment
Anubis Ransomware, active since December 2024, features a dual-threat capability to encrypt and permanently erase files, making recovery impossible even after ransom payment. Targeting sectors like healthcare and hospitality in Australia, Canada, Peru, and the U.S., it employs phishing emails for initial access. The ransomware's affiliate program offers an 80-20 revenue split. Its wiper feature reduces file sizes to 0 KB, increasing pressure on victims to comply.
2025-06-16 | TechRadar: This new ransomware could be deadly for your most precious files - here's how to stay protected
Anubis ransomware has introduced a file-wiping feature that irreversibly destroys files by reducing them to 0 KB, complicating recovery efforts. This tactic increases pressure on victims during ransom negotiations. Trend Micro's report highlights that ransomware actors typically exfiltrate sensitive data before encryption and demand payment for decryption keys. Organizations are advised to enhance security measures and maintain air-gapped backups to mitigate risks. Additionally, DDoS attacks may accompany ransom demands.
Cyber weapons in the Israel-Iran conflict may hit the US
Date: 2025-06-13 | Source: The Register
The ongoing Israel-Iran conflict may escalate into cyber warfare, with Iran expected to retaliate against Israel's military actions through cyber operations that could target the U.S. as well. Experts warn that Iranian cyber capabilities, while historically limited, could threaten U.S. critical infrastructure. Recent intrusions by Iran's CyberAv3ngers into U.S. water systems highlight vulnerabilities. Analysts predict an increase in destructive cyberattacks, potentially involving alliances with Russia and China.
2025-06-16 | SC Magazine: US at risk of being caught up in Israel-Iran cyber warfare
Ongoing cyber warfare between Israel and Iran may lead to increased cyberattacks against the U.S., as noted by cybersecurity experts. Iran could target U.S. critical infrastructure, which is less resilient than Israel's. Experts recommend U.S. companies remain vigilant to avoid becoming targets. Iran may also collaborate with Russia and China in its cyber campaign. However, there are concerns that Iran might exaggerate the success of its cyber intrusions, with potential disruptive attacks anticipated in both Israel and the U.S.
2025-06-16 | Cybersecurity Dive: US critical infrastructure could become casualty of Iran-Israel conflict
Security researchers warn that the Iran-Israel conflict may lead to cyberattacks on U.S. critical infrastructure by state-linked actors and hacktivist groups. Pro-Iran threats have surged, with warnings to Saudi Arabia and Jordan about potential attacks. Experts advise U.S. infrastructure providers to strengthen defenses against intrusions and supply chain attacks. Iranian cyber activity could shift focus to U.S. targets, necessitating heightened monitoring and education on threat groups.
2025-06-16 | Recorded Future: US offering $10 million for info on Iranian hackers behind IOControl malware
The U.S. State Department is offering up to $10 million for information on Iranian hackers linked to the CyberAv3ngers group, responsible for targeting critical infrastructure with IOControl malware. This malware affects Industrial Control Systems and has been used against U.S. and Israeli water utilities. Tied to Iran's Islamic Revolutionary Guard Corps, CyberAv3ngers has claimed attacks on Telegram. Analysts warn that Iranian cyber threats may escalate due to ongoing military conflicts with Israel.
2025-06-17 | SC Magazine: Bureau of Industry and Security's cyber threat response found lacking
The U.S. State Department is offering up to $10 million in bounties for information on Iranian hacker Mr. Soul (Mr. Soll), associated with the state-sponsored CyberAv3ngers hacking operation. This group has targeted critical infrastructure entities, highlighting concerns over cybersecurity vulnerabilities. The report emphasizes the need for improved responses to such cyber threats.
8-K - Zoomcar Holdings, Inc. (0001854275) [Material]
Date: 2025-06-13 | Source: U.S. Securities and Exchange Commission (Filings)
On June 9, 2025, Zoomcar Holdings, Inc. reported a cybersecurity incident involving unauthorized access to its information systems, affecting approximately 8.4 million users. The compromised data included names, phone numbers, car registration numbers, personal addresses, and email addresses. No financial information or sensitive identifiers were reported as compromised. The Company activated its incident response plan, enhanced security measures, and is cooperating with regulatory authorities while assessing the incident's potential impacts.
2025-06-16 | Cyber Security News: Zoomcar Hacked – 8.4 Million Users’ Sensitive Details Exposed
Car-sharing company Zoomcar Holdings, Inc. reported a cybersecurity breach on June 9, 2025, exposing sensitive data of approximately 8.4 million users, including names, phone numbers, vehicle registration details, addresses, and email addresses. The attack targeted specific datasets, with no financial information or plaintext passwords compromised. Zoomcar activated its incident response plan, isolating affected systems and engaging third-party cybersecurity specialists for investigation and enhanced security measures.
2025-06-16 | Recorded Future: 8.4 million people affected by data breach at Indian car share company Zoomcar
Hackers stole personal information of 8.4 million users from Indian car share company Zoomcar, discovered on June 9. The breach includes names, phone numbers, car registration numbers, addresses, and emails, but no financial data or passwords were compromised. Zoomcar has implemented additional safeguards and hired a cybersecurity firm for response. The incident may lead to reputational and remediation costs. Zoomcar previously experienced a significant breach in July 2018 affecting 3.6 million customers.
2025-06-16 | BleepingComputer: Zoomcar discloses security breach impacting 8.4 million users
Zoomcar Holdings disclosed a data breach affecting 8.4 million users, detected on June 9, 2025, after a threat actor alerted employees. Sensitive data exposed includes full names, phone numbers, car registration numbers, home addresses, and email addresses. No financial information or plaintext passwords were compromised. The company is investigating the incident's scope and impact, with no determination on the attack type or responsibility claimed by any ransomware group.
2025-06-16 | TechCrunch: Car-sharing giant Zoomcar says hacker accessed personal data of 8.4 million users
On June 9, 2023, Zoomcar reported a data breach affecting 8.4 million users, compromising names, phone numbers, and car registration numbers. The breach was discovered after employees received communications from a hacker. Zoomcar activated its incident response plan and stated that no financial information or sensitive identifiers were compromised. The company has enhanced security measures and is cooperating with regulatory authorities. It has not confirmed if affected customers have been notified.
2025-06-17 | TechRadar: Major hack against car-sharing firm Zoomcar sees 8.4 million users at risk
Zoomcar confirmed a cyberattack on June 9, 2025, affecting approximately 8.4 million users. The breach involved the theft of personal data, including names, phone numbers, car registration numbers, postal addresses, and email addresses. Financial information and passwords were reportedly not compromised. The company activated its incident response plan, implemented additional safeguards, and engaged a third-party cybersecurity expert. No ransom was paid, and the incident has not disrupted operations, though potential impacts are under evaluation.
Meta AI App Under Fire For Major Privacy Lapses: Users Accidentally Sharing Personal Chats Publicly
Date: 2025-06-13 | Source: Times Now
Meta's AI app, launched on April 29, has faced criticism for allowing users to unintentionally share private conversations publicly due to a flawed "share" feature and unclear privacy settings. Users have shared sensitive information, including medical inquiries and personal details, without realizing their posts were public. Cybersecurity expert Rachel Tobac noted disturbing examples, such as court documents and home addresses being exposed. Meta has not commented on the issue, and downloads remain modest at 6.5 million.
2025-06-13 | BBC News: Meta AI searches made public - but do all its users realise?
Meta AI has unintentionally made user searches public, raising significant privacy concerns. Users' prompts and results are visible in a public feed, potentially exposing sensitive information linked to their social media profiles. An expert highlighted this as a major security issue. While sharing prompts requires user consent, warnings about public visibility may not be clear. Instances include users asking for help with test answers and generating inappropriate content. Meta has been approached for comment.
2025-06-13 | Tomsguide: Meta AI’s discover feed is full of revealing personal info — here's how to protect your privacy
Meta AI's discover feed has exposed users' private conversations, including text, audio, and images, due to a lack of clear privacy settings. Users unknowingly publish their interactions publicly, leading to sensitive information being shared. If linked to a public Instagram profile, this activity is also visible. Meta has not commented on the issue. Users are advised to be cautious with personal information, adjust privacy settings, and consider the implications of sharing online to avoid potential security risks.
270K websites injected with ‘JSF-ck’ obfuscated code
Date: 2025-06-12 | Source: SC Magazine
Nearly 270,000 websites were compromised with malicious JavaScript injections using a technique called "JSF-ck," revealed by Palo Alto Networks’ Unit 42. This method employs six ASCII characters to create obfuscated code, leveraging JavaScript's type coercion. The attacks began on April 12, 2025, potentially leading to malware downloads or phishing. Unit 42 recommends that website administrators keep servers updated and check for signs of infection.
2025-06-13 | Cyber Security News: Threat Actors Compromise 270+ Legitimate Websites With Malicious JavaScript Using JSFireTruck Obfuscation
Cybersecurity researchers identified a malware campaign that compromised over 269,000 legitimate websites using a sophisticated JavaScript obfuscation technique called JSFireTruck. Active from March to April 2025, the campaign injected obfuscated code to redirect visitors from search engines to fraudulent content. The obfuscation method, utilizing only six ASCII characters, enhances evasion of detection systems. The malicious scripts create full-screen iframes to overlay legitimate content, facilitating phishing and fake downloads.
2025-06-13 | The Hacker News: Over 269,000 Websites Infected with JSFireTruck JavaScript Malware in One Month
Cybersecurity researchers report over 269,000 websites infected with JSFireTruck JavaScript malware from March 26 to April 25, 2025. The obfuscated code redirects users from search engines to malicious URLs for malware and scams. A spike of over 50,000 infections occurred on April 12. Additionally, Gen Digital launched HelloTDS, a Traffic Distribution Service that redirects users to fake CAPTCHA pages and scams based on device fingerprinting. Attackers use .top, .shop, and .com domains to host malicious code.
Trend Micro fixes critical vulnerabilities in multiple products
Date: 2025-06-12 | Source: BleepingComputer
Trend Micro has released security updates for critical remote code execution and authentication bypass vulnerabilities in its Apex Central and Endpoint Encryption PolicyServer products. Key vulnerabilities include CVE-2025-49212, CVE-2025-49213, CVE-2025-49216, and CVE-2025-49217, affecting all versions up to 6.0.0.4013. Apex Central also had critical flaws (CVE-2025-49219, CVE-2025-49220) fixed in Patch B7007. Immediate updates are recommended, though no active exploitation has been reported.
2025-06-13 | TechRadar: Trend Micro patches several worrying security flaws, so update now
Trend Micro has patched multiple critical-severity vulnerabilities in its Apex Central and Endpoint Encryption PolicyServer products, including six remote code execution and authentication bypass flaws (CVE-2025-49212, CVE-2025-49213, CVE-2025-49216, CVE-2025-49217, CVE-2025-49219). Users are urged to update to TMEE version 6.0.0.4013 (Patch 1 Update 6) and install Patch B7007 for Apex Central. No evidence of exploitation has been found, but prompt updates are recommended to prevent potential attacks.
2025-06-13 | SC Magazine: Trend Micro patches four 9.8 bugs in encryption PolicyServer products
Trend Micro released security updates for four critical vulnerabilities (CVEs: CVE-2025-49212, CVE-2025-49216, CVE-2025-49217) in its Apex Central and Trend Micro Endpoint Encryption PolicyServer products, rated 9.8. These include remote code execution and authentication bypass flaws. While no exploitation has been observed, immediate patching is advised. Experts emphasize the importance of securing remote access and auditing for potential misuse of affected systems, particularly due to ties with Active Directory.
WordPress Sites Turned Weapon: How VexTrio and Affiliates Run a Global Scam Network
Date: 2025-06-12 | Source: The Hacker News
The VexTrio group operates a sophisticated cybercriminal network distributing scams and malware through compromised WordPress sites. Their affiliate companies, including Los Pollos and Taco Loco, utilize traffic distribution systems to redirect users to malicious content. Following a November 2024 revelation, Los Pollos ceased operations, causing affiliates to shift to other networks. Analysis of DNS records indicates distinct command-and-control servers linked to Russian infrastructure, with VexTrio being part of a larger ecosystem of malicious adtech firms.
2025-06-13 | SC Magazine: Other TDS services linked to VexTrio uncovered
Traffic distribution services Help TDS and Disposable TDS have been linked to the VexTrio Viper TDS, indicating an expansion of the scam network. VexTrio facilitates intrusions into WordPress sites with malicious scripts, as noted in various campaigns. Help TDS, associated with Russia, has transitioned to the Monetizer platform for web traffic management. The report suggests that VexTrio and its affiliates possess information to identify malware actors involved in these activities.
2025-06-14 | Cyber Security News: Hundreds of WordPress Websites Hacked By VexTrio Viper Group to Run Massive TDS Services
A cybercriminal group named VexTrio has compromised hundreds of thousands of WordPress sites since 2015, using them to run extensive traffic distribution systems (TDS) for scams. The operation, linked to the Swiss-Czech firm Los Pollos, utilizes DNS TXT records for command and control, allowing attackers to tailor responses based on victim data. This sophisticated infrastructure has persisted for years, with multiple affiliate networks involved, complicating remediation efforts for affected website administrators.
Predator spotted in Mozambique for first time, another sign of spyware’s availability
Date: 2025-06-12 | Source: Recorded Future
The Insikt Group reports the first link between Predator spyware and operators in Mozambique, highlighting its ongoing availability despite U.S. sanctions since July 2023. The report reveals connections to the Intellexa Consortium, which has faced restrictions from the U.S. The investigation also ties Predator to Dvir Horef Hazan, alleged to have received significant funds from Intellexa. While the spyware's infrastructure remains largely unchanged, it has been adapted to evade detection on devices.
2025-06-12 | Cyberscoop: Predator spyware activity surfaces in new places with new tricks
Recorded Future reported on Intellexa's Predator spyware, linking it to new locations and tactics. A previously unknown customer in Mozambique and a Czech connection were identified, alongside a brief cluster in Eastern Europe. Despite a decline in activity due to sanctions, Predator remains adaptive, employing complex corporate structures and fake websites to evade detection. Strategies include fake 404 pages and counterfeit login sites, indicating ongoing efforts to obscure operations.
2025-06-13 | Risky.Biz: Risky Bulletin: Predator spyware alive despite US sanctions
Intellexa continues operations despite US sanctions, establishing new infrastructure for its Predator spyware, including servers for hosting and anonymizing traffic. Recorded Future reports that Predator is active in multiple countries, with a significant presence in Africa. Additionally, a ransomware attack has disrupted operations at South Korean bookstore Yes24, and Maine hospitals are still recovering from a ransomware incident linked to Covenant Health. The Royal Canadian Mounted Police experienced a breach involving unencrypted sensitive data.
2025-06-13 | SC Magazine: New Predator spyware activity identified
Intellexa's Predator spyware has resurfaced with enhanced obfuscation techniques, detected in Mozambique and the Czech Republic, as reported by Recorded Future's Insikt Group. The spyware has been active in Eastern Europe from August to November, suggesting ongoing testing or development. Intellexa employs various methods to mask its activities, including fake 404 error pages, fraudulent login pages, and misleading websites, complicating detection efforts. Sanctions may be prompting these increased complexities in operations.
2025-06-13 | Cyber Security News: Predator Mobile Spyware Remains Consistent with New Design Changes to Evade Detection
Predator mobile spyware, developed by Cytrox and operated by the Intellexa alliance, continues to evolve to evade detection despite international sanctions. Active since 2019, it employs both "1-click" and "zero-click" attack vectors, targeting high-value individuals. Recent findings reveal its operations in over a dozen countries, with a complex four-tier infrastructure for obfuscation. Enhanced detection evasion tactics include fake websites and varied server configurations, indicating a commitment to operational security.
Threat Actors Exploiting Expired Discord Invite Links to Deliver Multi-Stage Malware
Date: 2025-06-12 | Source: Cyber Security News
Cybercriminals are exploiting a flaw in Discord's invitation system to hijack expired invite links, redirecting users to malicious servers. This attack, identified by Check Point researchers in June 2025, uses custom vanity links from premium servers to deliver multi-stage malware, including AsyncRAT and a variant of Skuld Stealer targeting cryptocurrency wallets. The campaign employs sophisticated social engineering, using a bot named "Safeguard" to trick users into executing malicious PowerShell commands, impacting over 1,300 potential victims globally.
2025-06-13 | BleepingComputer: Discord flaw lets hackers reuse expired invites in malware campaign
Hackers are exploiting a flaw in Discord's invitation system, allowing them to reuse expired or deleted invite links to redirect users to malicious sites delivering remote access trojans and information-stealing malware. This campaign has impacted 1,300 users across several countries. Attackers hijack legitimate invites, trick users into executing PowerShell commands, and deploy malware like AsyncRAT and Skuld Stealer. Users are advised to avoid old invites and be cautious with verification requests and PowerShell commands.
2025-06-14 | The Hacker News: Discord Invite Link Hijacking Delivers AsyncRAT and Skuld Stealer Targeting Crypto Wallets
A malware campaign is exploiting Discord's invite system to deliver AsyncRAT and Skuld Stealer, targeting crypto wallets. Attackers hijack expired or deleted invite links, redirecting users to malicious servers. The campaign uses social engineering tactics, including a "Verify" button that executes a PowerShell command to download the malware. Skuld steals sensitive data from various platforms, including crypto wallets. Discord has disabled the malicious bot, disrupting the attack chain. Victims are primarily in the U.S. and Europe.
2025-06-16 | Cyber Security News: Hackers Hijacked Discord Invite to Inject Malicious Links That Deliver AsyncRAT
Cybercriminals are exploiting Discord's invite system to distribute AsyncRAT malware and cryptocurrency-stealing software. They monitor expired invite codes from boosted servers, redirecting users to malicious servers. Once users join, they encounter a fake verification process that triggers a multi-stage infection via a PowerShell script. This script downloads AsyncRAT and a customized Skuld Stealer targeting cryptocurrency wallets. The campaign has affected users in multiple countries, with over 1,300 payload downloads noted.
Ransomware Actors Exploit Unpatched SimpleHelp Remote Monitoring and Management to Compromise Utility Billing Software Provider
Date: 2025-06-12 | Source: CISA Cybersecurity Advisories
Ransomware actors are exploiting unpatched vulnerabilities in SimpleHelp Remote Monitoring and Management (RMM) software to compromise utility billing software providers. Specifically, CVE-2024-57727, a path traversal vulnerability in versions 5.5.7 and earlier, has been leveraged since January 2025. CISA recommends immediate upgrades, isolation of vulnerable servers, and threat hunting actions. Organizations should also maintain robust asset inventories and offline backups to mitigate risks.
2025-06-12 | The Register: Ransomware scum disrupted utility services with SimpleHelp attacks
Ransomware actors disrupted utility services by exploiting unpatched versions of SimpleHelp's remote monitoring and management tool, specifically CVE-2024-57727, a high-severity path traversal vulnerability. This exploitation has been ongoing since January 2025, leading to service disruptions and double-extortion incidents. CISA advises organizations using SimpleHelp to check for compromises and patch the vulnerability. The advisory follows similar warnings about the Play ransomware gang's activities.
2025-06-13 | Cyber Security News: Ransomware Actors Exploit Unpatched SimpleHelp RMM to Compromise Billing Software Provider
Cybersecurity researchers have identified a ransomware campaign exploiting unpatched vulnerabilities in SimpleHelp RMM systems, specifically CVE-2024-57727, affecting versions 5.5.7 and earlier. This vulnerability allows unauthorized access to remote systems, enabling attackers to compromise utility billing software providers. The campaign employs double extortion tactics, threatening to leak sensitive data. CISA added CVE-2024-57727 to its Known Exploited Vulnerabilities Catalog on February 13, 2025, highlighting its active exploitation.
2025-06-13 | The Hacker News: Ransomware Gangs Exploit Unpatched SimpleHelp Flaws to Target Victims with Double Extortion
Ransomware actors are exploiting unpatched SimpleHelp Remote Monitoring and Management (RMM) flaws (CVE-2024-57727, CVE-2024-57728, CVE-2024-57726) to target customers of a utility billing software provider. CISA advises isolating SimpleHelp instances, updating software, and conducting threat hunting. Additionally, Fog ransomware has targeted a financial institution using dual-use tools and employee monitoring software. LockBit ransomware has focused on China, earning $2.3 million, while adapting to affiliate changes after a panel leak.
2025-06-13 | SC Magazine: CISA: Utility billing provider customers compromised via SimpleHelp exploit
CISA reported that customers of a utility billing provider were compromised via a high-severity path traversal flaw in the SimpleHelp remote monitoring tool, tracked as CVE-2024-57727. Ransomware attacks exploiting this vulnerability have caused service interruptions and double extortion since January. The Play and DragonForce ransomware groups have leveraged this flaw for data theft and encryption. CISA urged immediate remediation to mitigate risks associated with this vulnerability.
2025-06-13 | Recorded Future: CISA warns of SimpleHelp ransomware compromises after string of retail attacks
CISA has issued a warning regarding the exploitation of CVE-2024-57727, a vulnerability in SimpleHelp remote access software, linked to recent ransomware attacks on retail companies. Ransomware gangs are using this vulnerability to compromise customers of a utility billing software provider, leading to double extortion scenarios. The advisory connects this campaign to DragonForce ransomware and highlights ongoing concerns about vulnerabilities in remote management tools, including those from ConnectWise and Kaseya.
2025-06-13 | Cybersecurity Dive: CISA warns of supply chain risks as ransomware attacks exploit SimpleHelp flaws
CISA has issued a warning regarding ransomware gangs exploiting a vulnerability in the SimpleHelp remote support program, leading to breaches of customers associated with a utility billing software vendor. This advisory highlights the supply chain risks posed by such vulnerabilities and emphasizes the need for organizations to assess their security measures against potential exploitation. Recommendations for mitigation were not specified in the provided content.
New TokenBreak Attack Bypasses AI Moderation with Single-Character Text Changes
Date: 2025-06-12 | Source: The Hacker News
Cybersecurity researchers have identified the TokenBreak attack, which bypasses large language model (LLM) safety measures through single-character text alterations. This technique manipulates tokenization strategies, leading to false negatives in text classification models. Examples include changing "instructions" to "finstructions." The attack is effective against models using BPE or WordPiece tokenization but not Unigram. Recommendations include using Unigram tokenizers and training models on bypass examples to enhance security.
2025-06-13 | Cyber Security News: New TokenBreak Attack Bypasses AI Models with Just a Single Character Change
A critical vulnerability known as the "TokenBreak" attack allows attackers to bypass AI content moderation systems by altering text with a single character. This technique exploits differences in tokenization methods, enabling malicious prompts to evade detection. Models like BERT and DistilBERT are vulnerable, while Unigram-based models like DeBERTa-v2 and v3 are secure. The attack poses significant risks, particularly in email security, prompting recommendations for organizations to assess their AI models and consider multi-layered defenses.
2025-06-13 | SC Magazine: AI moderation guardrails circumvented by novel TokenBreak attack
Malicious actors can exploit the TokenBreak attack to bypass safety measures in large language models by altering input words, confusing text classification models. This technique facilitates prompt injection intrusions. Researchers from HiddenLayer emphasize the importance of understanding the tokenization strategy to assess vulnerability. Recommendations include using Unigram tokenizers, aligning tokenization with model logic, and logging misclassifications. These findings follow reports of backronyms used for AI chatbot jailbreaking.
2025-06-13 | TechRadar: This cyberattack lets hackers crack AI models just by changing a single character
Researchers from HiddenLayer introduced a new attack technique called TokenBreaker, which exploits vulnerabilities in Large Language Models (LLMs) by altering a single character in key words. This manipulation allows malicious prompts to bypass protective mechanisms, as the LLM still understands the original intent. For instance, changing “instructions” to “finstructions” can trick spam filters. Models using Unigram tokenizers are resistant to this attack, suggesting a mitigation strategy of selecting more robust tokenization methods.
Researchers confirm two journalists were hacked with Paragon spyware
Date: 2025-06-12 | Source: TechCrunch
Two European journalists, Ciro Pellegrino and an unnamed individual, were confirmed hacked using Paragon spyware, as reported by The Citizen Lab. The forensic investigation revealed both were targeted by the same Paragon customer. Pellegrino received an Apple notification in April 2025, indicating a mercenary spyware attack. The report raises questions about the Italian government's involvement, as it was previously denied by COPASIR. The spyware, Graphite, utilized a zero-click attack via iMessage, with the infection linked to Italian intelligence agencies.
2025-06-12 | The Guardian: European journalists targeted with Paragon Solutions spyware, say researchers
European journalists, including Francesco Cancellato and Ciro Pellegrino, were targeted with Graphite spyware from Paragon Solutions, linked to Italy's intelligence agencies. A Citizen Lab report confirmed the spyware's digital fingerprints on their devices. Italy's parliamentary committee noted that the spyware was used for various investigations, including organized crime and terrorism. Paragon claimed it only sells to democratic nations and prohibits targeting journalists. A debate in the European Parliament is scheduled for June 16.
2025-06-12 | Cyberscoop: Paragon spyware found on the phones of Euro journos
Paragon spyware has been confirmed on the phones of European journalists, including Italian journalist Ciro Pellegrino, according to a report by the University of Toronto’s Citizen Lab. This marks the first detection of Paragon spyware on an Apple device. The spyware is linked to a customer targeting journalists critical of the Italian government. Paragon, an Israeli company, faces scrutiny similar to that of NSO Group amid ongoing surveillance scandals. The Italian government's contract with Paragon ended recently amid controversy.
2025-06-12 | Recorded Future: Paragon spyware activity found on more journalists’ devices
Two European journalists' devices were confirmed targeted by Paragon spyware, with one successful infection. The Citizen Lab reported that both journalists, linked to the Italian outlet Fanpage, received notifications from Apple about potential spyware attacks. The spyware, Graphite, utilized a zero-click exploit tracked as CVE-2025-43200. Paragon has since ended its contract with the Italian government amid ongoing investigations into its spyware use against civil society members.
2025-06-12 | BleepingComputer: Graphite spyware used in Apple iOS zero-click attacks on journalists
Forensic investigation confirms the use of Paragon's Graphite spyware in zero-click attacks targeting Apple iOS devices of journalists, including Ciro Pellegrino, in early 2025. The attacks exploited CVE-2025-43200, a zero-day vulnerability in iOS 18.2.1, allowing remote code execution via iMessage without user interaction. Apple notified the victims on April 29, and the vulnerability was addressed in iOS 18.3.1 on February 10. The spyware connected to a command-and-control server linked to Paragon's infrastructure.
2025-06-13 | Times Now: Apple Silently Fixed Critical iPhone Flaw That Was Used To Spy On Journalists: All Details
A critical security flaw in the iPhone's Messages app, exploited by the "Graphite" spyware from Paragon, was patched in the iOS 18.3.1 update released in February 2025. The vulnerability was used in targeted attacks against journalists, allowing attackers to access devices via malicious media links. The flaw was first identified by The Citizen Lab, which linked the compromise to a specific journalist's device. Apple acknowledged the issue only after the findings were disclosed, raising concerns about spyware use against vulnerable individuals.
2025-06-13 | Cyber Security News: Graphite Spyware Exploits Apple iOS Zero-Click Vulnerability to Attack Journalists
Graphite spyware, developed by Paragon, exploits a zero-click vulnerability (CVE-2025-43200) in iOS to target journalists, confirmed in at least three cases. The attack, using iMessage, allows device infiltration without user interaction. Apple patched the vulnerability in iOS 18.3.1, but earlier versions remain at risk. Notable targets include journalists from Fanpage.it, raising concerns about oversight in spyware use. Recommendations include taking spyware warnings seriously and seeking expert assistance.
2025-06-13 | The Hacker News: Apple Zero-Click Flaw in Messages Exploited to Spy on Journalists Using Paragon Spyware
Apple disclosed a zero-click vulnerability in its Messages app, tracked as CVE-2025-43200, exploited to target journalists with Paragon's Graphite spyware. The flaw, patched on February 10, 2025, allowed attackers to compromise devices without user interaction. Two journalists were infected while using iOS 18.2.1. Apple notified them on April 29, 2025. The Citizen Lab reported that Graphite can access sensitive data, raising concerns over spyware use against journalists and prompting calls for regulatory reforms in the EU.
2025-06-13 | SC Magazine: Zero-click attacks target journalists' iPhones with Graphite spyware
Vulnerable instances of the SimpleHelp remote monitoring tool, affected by the high-severity path traversal flaw CVE-2024-57727, have been targeted in ransomware attacks against customers of a utility billing service provider. This information was reported by the Cybersecurity and Infrastructure Security Agency, highlighting the ongoing risks associated with unpatched vulnerabilities in enterprise software.
2025-06-13 | The Register: Apple fixes zero-click exploit underpinning Paragon spyware attacks
Apple has addressed a zero-click vulnerability (CVE-2025-43200) in iOS/iPadOS 18.3.1, linked to Paragon spyware attacks on journalists. The flaw, which involved maliciously crafted media shared via iCloud, was exploited against two journalists between January and February. The Citizen Lab confirmed the infections and noted that Graphite spyware operates covertly, making detection challenging. The Italian government has terminated its contract with Paragon amid ongoing scrutiny of spyware use. Users are advised to update devices and enable Lockdown Mode for enhanced security.
2025-06-16 | The Hacker News: ⚡ Weekly Recap: iPhone Spyware, Microsoft 0-Day, TokenBreak Hack, AI Data Leaks and More
Apple disclosed a zero-click vulnerability (CVE-2025-43200) in its Messages app exploited to deliver Paragon spyware targeting journalists. Microsoft patched a WebDAV zero-day exploited by Stealth Falcon to deploy Horus Agent. Google fixed a flaw leaking recovery phone numbers. A zero-click AI vulnerability in Microsoft 365 (CVE-2025-32711) allowed data exfiltration without user interaction. New malware BrowserVenom was found on a phishing site impersonating DeepSeek, affecting multiple countries.
2025-06-17 | Cyber Security News: CISA Warns of iOS 0-Click Vulnerability Exploited in the Wild
CISA has added a critical zero-click vulnerability, CVE-2025-43200, to its Known Exploited Vulnerabilities catalog, affecting multiple Apple products. This flaw allows attackers to compromise devices via malicious media shared through iCloud Links without user interaction. Confirmed exploitation targeted journalists using Graphite spyware. Apple patched the vulnerability in iOS 18.3.1, but earlier versions remain at risk. Organizations are urged to apply updates and follow CISA's mitigation recommendations.
2025-06-17 | TechRadar: Apple says it patched flaw that allows Paragon spyware to hack phones - but are you really safe?
Apple has patched a critical security flaw (CVE-2025-43200) in iOS 18.3.1 that was exploited by the Paragon spyware campaign targeting journalists and high-profile individuals. The flaw allowed zero-click attacks via maliciously crafted media shared through iCloud Links. The spyware could access sensitive data without user detection. Experts recommend keeping devices updated, enabling Lockdown mode, and using specialized security tools to mitigate risks from such advanced threats.
Fog ransomware attack uses unusual mix of legitimate and open-source tools
Date: 2025-06-12 | Source: BleepingComputer
Fog ransomware attackers are employing an unusual mix of legitimate and open-source tools, including Syteca, an employee monitoring software, to compromise networks. Initially observed in May 2022, they exploit VPN credentials and use "pass-the-hash" attacks to gain admin access. Recent incidents involved exploiting flaws in Veeam Backup & Replication and SonicWall SSL VPN. Symantec's report highlights the atypical toolset, which includes Stowaway, GC2, and Adapt2x C2, aiding in evasion of detection.
2025-06-12 | SC Magazine: Fog ransomware uses legit monitoring software, open-source tools
Fog ransomware, identified in a May 2025 attack on a financial institution, utilized a mix of legitimate employee monitoring software (Syteca) and open-source pentesting tools (GC2, Adaptix, Stowaway). Researchers noted the unusual persistence established by attackers post-deployment. Compromised Exchange servers and VPN credentials were potential entry points. This attack exemplifies a shift in ransomware tactics, blending cybercrime with espionage, using legitimate tools for covert credential harvesting and monitoring.
2025-06-13 | Cyber Security News: Fog Ransomware Actors Exploit Pentesting Tools to Exfiltrate Data and Deploy Ransomware
The Fog ransomware group targeted a financial institution in Asia in May 2025, utilizing legitimate pentesting tools like Syteca and GC2 for data exfiltration and ransomware deployment. The attackers maintained access for two weeks, employing reconnaissance techniques and establishing persistence through a service named “SecurityHealthIron” post-attack. This operation blurs the lines between espionage and financial crime, indicating a shift in threat actor behavior towards dual-purpose operations.
2025-06-13 | TechRadar: Fog ransomware attacks use employee monitoring tool to break into business networks
Fog ransomware has been observed using the legitimate employee monitoring tool Syteca to log keystrokes and capture passwords, facilitating network access and deployment of its encryptor. The attackers also utilized open-source tools like Stowaway for payload delivery and SMBExec for execution. Fog ransomware, which emerged in April 2024, has targeted organizations including Melexis and EUMETSAT, employing atypical methods not commonly seen in ransomware attacks.
2025-06-16 | Security Magazine: Fog Ransomware Group Uses Unconventional Toolset, New Research Finds
Research from Symantec and Carbon Black reveals that the Fog ransomware group employs an unconventional toolset, including open-source pentesting tools and Syteca, an employee monitoring software. This approach allows attackers to blend in and conduct covert operations, utilizing legitimate software for credential harvesting and monitoring. Experts recommend organizations adopt proactive security measures, including limiting privileged access and monitoring for unusual activity, to combat these evolving threats effectively.