
Breaking Cyber News From Cyberint

Breaking news feed of the latest cyber incidents, breaches, vulnerabilities, malware, ransomware and so much more.

  • Feb 09, 2025

    • Europe
    • United Kingdom
    • Imi
    • Manufacturing

    U.K.-Based Engineering Firm IMI Informs Investors of a Data Breach

    In February 2025, UK engineering giant IMI became the victim of a data breach when threat actors gained unauthorized access to its systems. IMI has not disclosed the nature and extent of the data compromised, but says it is responding to the cybersecurity incident and has engaged external experts to investigate and contain the attack.

  • Feb 09, 2025

    • Government
    • Israel
    • Asia
    • Israel Police - Cyber Crime Unit
    • Handala
    • Middle East

    Handala Hack Claims Breach of Israeli Police

    Handala Hack claims to have breached the Israeli police, allegedly obtaining 2.1TB of sensitive internal data. The group has released samples of the purported data, including photos of police officers, screenshots of documents such as permits and diplomas, and a link to download what they claim are 350,000 internal documents.

  • Feb 09, 2025

    • Input Capture
    • Eastern Asia
    • Phishing
    • Pebbledash
    • South Korea
    • Asia
    • Scripting
    • Forcecopy
    • Data From Local System
    • Proxy

    Kimsuky Group Uses Spear-Phishing to Deploy ForceCopy Info-Stealer Malware

    The North Korean hacking group Kimsuky has been observed conducting spear-phishing attacks to deliver a new information-stealer malware called forceCopy. The attacks begin with phishing emails containing a Windows shortcut file disguised as a Microsoft Office or PDF document. Opening the attachment triggers PowerShell or mshta.exe to download additional malicious payloads, including the PEBBLEDASH trojan, a custom Remote Desktop utility (RDP Wrapper), and proxy malware for persistent external communications. Kimsuky also uses a PowerShell-based keylogger and forceCopy to steal files from web browser directories, targeting credentials stored in browser configurations.

  • Feb 06, 2025

    • Latin America And The Caribbean
    • Government
    • Oihec
    • Mexico
    • Ministry Of National Defense

    Data Breach Exposes 100GB of Information from the Mexican Secretariat of National Defense

    A threat actor group known as "OIHEC" claimed on the dark net forum "BreachForums" to have leaked confidential information from the "Mexican Secretariat of National Defense." According to the threat actor group, the data includes soldiers' credentials, emails, and more, all of which are available for purchase.

  • Feb 06, 2025

    • Application Access Token
    • Government
    • Healthcare
    • Phishing
    • Microsoft
    • Application Layer Protocol
    • Account Manipulation
    • Education
    • Multi-Factor Authentication Request Generation

    Phishing Campaign Targets Microsoft ADFS to Bypass MFA and Steal Credentials

    A phishing campaign targets organizations using Microsoft's "Active Directory Federation Services" (ADFS) to steal credentials and bypass multi-factor authentication (MFA). The threat actors primarily target education, healthcare, and government sectors, sending phishing emails impersonating IT teams and leading victims to spoofed ADFS login pages. Once the victim submits their username, password, and MFA details, the threat actors gain access to corporate email accounts, enabling them to conduct "business email compromise" (BEC) attacks and steal sensitive data. The threat actors also use techniques like VPNs to obscure their location and evade detection.

  • Feb 05, 2025

    • Credentials In Files
    • Account Discovery
    • Archive Via Utility
    • System Service Discovery
    • Central Asia
    • Keylogging
    • Asia
    • Query Registry
    • Network Service Discovery
    • Government
    • Silent Lynx
    • Email Addresses
    • Domain Accounts
    • Finance
    • Ministry Of Economy And Finance Of Kyrgyzstan
    • Powershell
    • Remote System Discovery
    • Registry Run Keys / Startup Folder
    • Kyrgyzstan
    • File And Directory Discovery
    • System Network Configuration Discovery
    • Exfiltration To Cloud Storage
    • National Bank Of The Kyrgyz Republic
    • Malicious File

    Silent Lynx: New Threat Actor Targets Central Asia with Sophisticated Cyber Espionage Campaigns

    The previously unknown cyber threat group Silent Lynx has been linked to cyberattacks targeting entities in Kyrgyzstan and Turkmenistan, including embassies, government-backed banks, and think tanks. The group's activities, believed to originate from Kazakhstan, focus on espionage against Eastern European and Central Asian organizations, particularly in economic decision-making and banking sectors. Their attacks typically begin with spear-phishing emails containing malicious RAR archives that deploy remote access payloads. The group uses multi-stage attack strategies, including ISO files, C++ binaries, PowerShell scripts, and Golang implants, often relying on Telegram bots for command execution and data exfiltration.

  • Feb 05, 2025

    • AsyncRAT

    AsyncRAT Campaign

    Threat actors are running a new malware campaign that delivers the AsyncRAT remote access trojan (RAT) through a multi-stage attack chain built on Python payloads and TryCloudflare tunnels. The attack begins with a phishing email containing a Dropbox URL, which leads to a ZIP archive download. Inside, an internet shortcut file triggers a Windows shortcut (LNK) file that further escalates the infection. The LNK file uses TryCloudflare, a legitimate service, to expose a server and download a batch script that eventually deploys AsyncRAT.

  • Feb 04, 2025

    • Grubhub
    • United States
    • North America
    • Automotive

    Grubhub Confirms Data was Taken in Recent Data Breach

    In February 2025, Grubhub became the victim of a data breach when threat actors managed to gain access to its internal systems. According to Grubhub, personal details belonging to an undisclosed number of customers, merchants, and drivers were taken, including names, email addresses, phone numbers, and partial payment card information.

  • Feb 04, 2025

    • Amos
    • Angel Drainer
    • Os Credential Dumping
    • Automated Exfiltration
    • System Information Discovery
    • Obfuscated Files Or Information
    • Web Protocols
    • Drive-By Compromise
    • Stealc
    • Spearphishing Link
    • Exfiltration Over C2 Channel
    • Spearphishing Attachment
    • Malicious File
    • Data From Local System

    Spear Phishing Campaign by Crazy Evil

    The Russian-speaking cybercrime group Crazy Evil has been linked to over 10 active social media scams that use personalized lures to trick victims into installing malware like StealC, AMOS, and Angel Drainer. Specializing in identity fraud and cryptocurrency theft, Crazy Evil employs "traffers" to redirect legitimate traffic to malicious phishing pages, with the goal of compromising systems running on both Windows and macOS. The group, which has been active since at least 2021, operates primarily through Telegram and has made over $5 million in illicit revenue by targeting digital assets like NFTs, payment cards, and cryptocurrencies. Crazy Evil runs several sub-teams, each responsible for a specific scam, such as fake job offers or investment schemes, and has been known to provide affiliates with instructional materials to carry out attacks.

  • Feb 03, 2025

    • Dna
    • Government
    • The Knesset
    • Israel
    • Asia
    • Middle East

    Knesset of Israel Data Leak: Over 26,000 Documents Exposed

    A data leak involving the "Knesset of Israel" and several other entities has surfaced on the dark web forum "BreachForums." The leaked dataset, attributed to the threat actor "dna," includes over 26,000 documents, totaling 16GB in size, primarily in PDF format.

  • Feb 02, 2025

    • Western Europe
    • Energyweaponuser
    • Daxium
    • Intelbroker
    • Retail
    • France
    • Europe

    Data Breach by Threat Actors IntelBroker and EnergyWeaponUser on Daxium Exposes Sensitive User Information

    In January 2025, "Daxium" experienced a data breach that exposed the personal information of 52,000 users. The compromised data includes email addresses and full names. The breach, published by the threat actors "IntelBroker" and "EnergyWeaponUser" on the dark net forum "BreachForums," also contains sensitive data tied to various documents and files, including user IDs, document details, and the associated files themselves, which have been made available for download. Each affected user's record carries the metadata and files linked to their account.

  • Feb 02, 2025

    • CVE-2024-41710
    • Aquabot
    • Mitel

    New Aquabot Botnet Exploits CVE-2024-41710 in Mitel Phones for DDoS Attacks

    A new variant of the Mirai botnet known as "Aquabot" has been observed exploiting a medium-severity vulnerability (CVE-2024-41710) in Mitel phones to incorporate them into a network for launching Distributed Denial-of-Service (DDoS) attacks. This vulnerability, which allows command injection during the boot process of specific Mitel phone models, was addressed by Mitel in July 2024. The article highlights that the Aquabot variant has been active since November 2023 and has been detected attempting to exploit this vulnerability since January 2025. The botnet is reportedly being offered as a DDoS service on Telegram under various aliases.

  • Feb 02, 2025

    • North America
    • 0Mid16B
    • Cardinal Health
    • Healthcare
    • United States

    Threat Actor Leaks CSMP Database Allegedly Belonging to Cardinal Health As a Result of a Supply Chain Attack

    On February 1, 2025, a threat actor named "0mid16B" claimed responsibility for leaking the Controlled Substance Monitoring (CSMP) database of Cardinal Health, Inc., the third-largest pharmaceutical wholesaler in the U.S. The data, dated January 18, 2025, was stolen following a supply chain attack on APEX Custom Software on January 16, 2025. The breach affected numerous pharmacy and healthcare clients, exposing sensitive information such as usernames, passwords, and facility details.

  • Jan 29, 2025

    • Ministry Of National Security
    • Israel
    • Asia
    • Handala
    • Middle East

    'Handala Hack' Claims Breach of Israeli Ministry of National Security

    'Handala Hack' claims to have breached the Israeli Ministry of National Security, allegedly obtaining 4 TB of classified data. The stolen information reportedly includes confidential documents, screenshots of security officers' identification cards, recordings of police calls, and more. In addition, they purportedly compromised several emergency systems, triggering red alerts and broadcasting messages containing Hamas propaganda.

  • Jan 29, 2025

    • Western Europe
    • exclusive
    • Energy
    • Varun
    • E.Leclerc
    • France
    • Europe

    E.Leclerc - Breach - 2025-01-23

    A threat actor aliased "varun" announced the sale of a huge database belonging to Primes Energie Leclerc, a green energy supplier from France known for their bonus system, wherein they pay financial aid to beneficiaries who conduct energy-saving work. 4.7 million customers might be affected, as the threat actor claims that their sample data includes sensitive PII. At the time of writing, the threat actor had announced that the database had been sold.

  • Jan 29, 2025

    • Western Europe
    • Tornet
    • Eastern Europe
    • Agent Tesla
    • Purecrypter
    • Poland
    • Europe
    • Germany

    Ongoing Phishing Campaign Targets Poland and Germany With a Wide Range of Malware

    A new phishing campaign targeting users in Poland and Germany has been detected; it has been conducted by a financially motivated threat actor since at least July 2024. The attacks, which begin with phishing emails disguised as financial institution or company communications, use malicious ".tgz" file attachments to deliver malware. Once opened, these files launch a .NET loader that activates PureCrypter, which in turn installs a previously undocumented backdoor, TorNet. TorNet communicates with the attacker's server over the TOR network, allowing for persistence and further intrusions. The actor employs various techniques to evade detection, such as disconnecting and reconnecting the victim's machine from the network and running anti-debugger and anti-malware checks. The malware also has the ability to execute arbitrary code, increasing the attack surface for further exploitation.

  • Jan 29, 2025

    • Frederick Health
    • United States
    • North America
    • Healthcare

    Frederick Health Hospital Affected by Ransomware Incident, Emergency Services Impacted

    "Frederick Health Hospital's" systems were taken offline this Monday following a ransomware incident, leading to significant disruptions in operations, including the diversion of ambulances to other emergency departments. The hospital was placed under a “mini disaster” designation, and its emergency department suspended operations, as it faced red and yellow alerts for no available beds and limited capacity to treat new patients.

  • Jan 28, 2025

    • Business Services
    • United Kingdom
    • Europe
    • Smiths Group

    Smiths Group - Breach - 2024-12-27

    British engineering firm Smiths Group is managing a cybersecurity incident that involved unauthorized access to its systems. Smiths Group said it was working with experts to recover its systems and to determine any wider impact. It added it would comply with all relevant regulatory requirements. The company did not provide further details and said it would give further updates as and when appropriate.

  • Jan 28, 2025

    • Deepseek
    • China
    • Eastern Asia
    • Technology
    • Asia

    DeepSeek AI Platform Temporarily Disables Registrations Due to DDoS Incident

    Chinese AI platform "DeepSeek" has disabled new registrations on its DeepSeek-V3 chat platform following a believed large-scale DDoS incident. The incident, which targeted its API and Web Chat services, led the company to restrict new sign-ups to maintain service stability. Despite the issue, existing users can still log in, and new users can gain access via Google login. However, they will share personal information like name, email, and profile picture with "DeepSeek." The incident comes amid growing competition in the AI industry following the platform's recent surge in popularity due to its advanced AI model.

  • Jan 27, 2025

    • Sweden
    • Northern Europe
    • Technology
    • Europe
    • Sportadmin

    SportAdmin - Breach - 2025-01-16

    SportAdmin experienced a cybersecurity incident involving a data breach by an external attacker, resulting in system downtime and potential exposure of personal data. An investigation is underway, and the company is cooperating with authorities, with efforts in place to restore services and support affected users.

  • Jan 27, 2025

    • Fratelli D'Italia
    • exclusive
    • Business Services
    • Italy
    • Southern Europe
    • Europe
    • Truth-Chan

    Fratelli d'Italia Political Party Website Breach Exposes Personal Data

    In 2024, a directory listing vulnerability on the website of "Fratelli d'Italia," a political party in Italy, was exploited by the threat actor known as "Truth-chan" to scrape and leak a large amount of personal data from approximately 12,000 to 13,000 CVs. The exposed data includes sensitive information such as names, emails, addresses, work experience, education, languages spoken, and more. The data was published on the dark web forum "BreachForums."

  • Jan 26, 2025

    • North America
    • Latin America And The Caribbean
    • Philippines
    • Argentina
    • United States
    • Lumma Stealer
    • Asia
    • South-Eastern Asia
    • Colombia

    Fake CAPTCHA Campaign Delivers Lumma Information Stealer

    Threat Actors have been using fake CAPTCHA verification pages to deliver the Lumma information stealer in a new campaign, affecting victims in multiple countries, including Argentina, Colombia, the US, and the Philippines. The attack begins when a user visits a compromised site and is tricked into running a command that downloads an HTA file. This file executes a series of PowerShell scripts, eventually loading the Lumma payload while bypassing detection mechanisms. The campaign targets various industries, especially telecom, and leverages techniques that evade browser defenses by exploiting user interactions outside of the browser. The Lumma Stealer is part of a malware-as-a-service model and has become more difficult to detect due to its evolving delivery methods, including counterfeit domains mimicking popular sites like Reddit and WeTransfer.

  • Jan 26, 2025

    • Telecommunications
    • B0Nd
    • Talktalk
    • Europe
    • United Kingdom

    TalkTalk Data Leak Exposes Over 18 Million Users’ Personal Information

    In January 2025, a data leak involving "TalkTalk," a UK-based telecommunications provider, exposed the personal information of 18,839,551 current and former customers. The leaked dataset includes sensitive details such as full names, email addresses, phone numbers (both home and business), subscriber PINs, and IP addresses. This leak is being sold on the underground forum "BreachForums" by the threat actor known as "b0nd," with a price of $30,000, payable in XMR or BTC.

  • Jan 23, 2025

    • Latin America And The Caribbean
    • exclusive
    • Sorb
    • Acobro
    • Chile

    Threat Actor Selling Database of Chilean Outsourcing Company ACobro

    The threat actor under the name "Sorb" is offering for sale a database potentially related to the Chilean outsourcing company "ACobro" on the cybercrime forum known as "BreachForums". According to the threat actor and the sample provided, the database contains 995K records with multiple users' details, such as RUT (Chilean tax ID number), name, phone, email, address, document number, etc. The price posted by the threat actor is $600.

  • Jan 23, 2025

    • Latin America And The Caribbean
    • exclusive
    • Sorb
    • Tcobro
    • Peru

    Threat Actor Selling Database of Peruvian Consulting Company TCobro

    The threat actor under the name "Sorb" is offering for sale a database potentially related to the Peruvian consulting company "TCobro" on the cybercrime forum known as "BreachForums". According to the threat actor, the database was exported in CSV format and includes 832K users' details. Furthermore, the threat actor claims to have access to the MySQL server and the web CRM panel. Based on the sample provided, the details include document ID, phone number, and client name. The price posted by the threat actor is $400, and "Sorb" states that the fastest buyer will also receive administrator-level access to the MySQL server and the web CRM panel.

  • Jan 23, 2025

    • Business Services
    • United States
    • Octagon
    • North America

    Octagon Reports Data Breach Affecting Consumer Information

    "Octagon," a global sports and entertainment agency, has reported a data breach involving unauthorized access to sensitive consumer information, including names, Social Security numbers, driver’s license numbers, and financial account details. The company began notifying affected individuals on December 31.

  • Jan 22, 2025

    • Ministry Of Defense Of Spain
    • Guardia Civil
    • Government
    • Spain
    • Southern Europe
    • Europe

    Spanish Guardia Civil and Ministry of Defense Data Leak

    On January 20, 2025, it was revealed that a significant data leak had compromised members of Spain's Guardia Civil, Armed Forces, and Ministry of Defense. The leak is believed to be linked to a ransomware attack in March 2024 on Medios de Prevención Externos Sur SL, a third-party contractor responsible for medical examinations. Three databases containing sensitive data have been published on the dark web, with two reportedly linked to Guardia Civil members and one to the Ministry of Defense. The exposed information includes names, email addresses, professional identifiers, dates of birth, and medical examination results, potentially affecting 109,000 Guardia Civil members and 84,000 Ministry of Defense personnel.

  • Jan 22, 2025

    • Amos
    • Google
    • Homebrew

    Fake Homebrew Google Ads Spread Malware to Mac Users

    A recent malicious Google ads campaign targeted "Homebrew" users, redirecting them to a fake "Homebrew" site (brewe.sh) that delivered "AMOS" malware to Mac and Linux devices. The malware, an infostealer, steals sensitive data such as credentials, browser information, and cryptocurrency wallets. "Homebrew" is a popular open-source package manager for macOS and Linux that allows users to easily install and manage software from the command line.

  • Jan 21, 2025

    • Web Service
    • Exploitation For Client Execution
    • Visual Basic
    • Javascript
    • Registry Run Keys / Startup Folder
    • CVE-2017-11882
    • Embedded Payloads
    • Powershell

    Threat Actors Embed Malware in Images to Distribute InfoStealers

    Threat actors have been using images to deliver malware such as the VIP Keylogger and 0bj3ctivity Stealer through separate campaigns. The attacks begin with phishing emails disguised as invoices or purchase orders, containing malicious attachments that exploit a known security vulnerability in Equation Editor (CVE-2017-11882) to run a VBScript file. This script decodes and executes a PowerShell script that retrieves an image from archive[.]org, extracting a Base64-encoded code which is converted into a .NET executable. This executable then downloads and runs malware, including the VIP Keylogger for data theft or 0bj3ctivity Stealer in a different variant.

  • Jan 21, 2025

    • CVE-2024-12856
    • Mirai

    Mirai Botnet Variant Exploits Four-Faith Router Vulnerability for DDoS Attacks

    A new variant of the Mirai botnet, named "gayfemboy," has been discovered exploiting a zero-day vulnerability in Four-Faith industrial routers. This malware has been active since February 2024 and is primarily targeting routers with default credentials, utilizing over 20 known vulnerabilities for initial access. The botnet maintains around 15,000 daily active IP addresses, with infections mainly in China, Iran, Russia, Turkey, and the United States. The vulnerability, identified as CVE-2024-12856, has a CVSS score of 7.2 and allows for OS command injection on specific router models. The botnet has been conducting DDoS attacks against various entities, generating significant traffic.

  • Jan 21, 2025

    • CVE-2025-0282
    • Ivanti

    Ivanti Flaw CVE-2025-0282 Actively Exploited, Impacts Connect Secure and Policy Secure

    A critical security vulnerability (CVE-2025-0282) affecting Ivanti Connect Secure, Policy Secure, and ZTA Gateways has been actively exploited since mid-December 2024. With a CVSS score of 9.0, this vulnerability is a stack-based buffer overflow that allows unauthenticated remote code execution. Ivanti has acknowledged that a limited number of its customers have been exploited due to this vulnerability. Mandiant, a cybersecurity company, has linked the exploitation of this vulnerability to a China-nexus threat actor known as UNC5337, which is considered part of a larger group (UNC5221). The attacks have led to deploying new malware families, including Dryhook and Phasejam. The article also highlights the sophisticated methods the threat actor uses, including log manipulation and the establishment of persistence mechanisms.

  • Jan 21, 2025

    • Hewlett Packard Enterprise (Hpe)
    • North America
    • Energyweaponuser
    • Intelbroker
    • United States
    • Technology
    • Zjj

    Hewlett Packard Enterprise (HPE) Data Breach Exposes Sensitive Code and User Information

    A data breach involving "Hewlett Packard Enterprise" (HPE) has been reported by threat actors on the dark net forum "BreachForums," including "IntelBroker," "zjj," and "EnergyWeaponUser." The breach has been ongoing for about two days and has compromised a wide range of sensitive data. This includes private source code from GitHub repositories, Docker builds, SAP Hybris, and certificates (both private and public keys). Additional data exposed includes product source code for Zerto and iLO, as well as old user PII related to deliveries. The stolen data is being offered for sale in exchange for Monero (XMR).

  • Jan 20, 2025

    • CVE-2024-49415

    Google Project Zero Researcher Uncovers Zero-Click Exploit Targeting Samsung Devices

    A newly discovered security vulnerability in the Monkey's Audio (APE) decoder on Samsung smartphones has been patched. This high-severity vulnerability tracked as CVE-2024-49415 has a CVSS score of 8.1 and affects Samsung devices running Android versions 12, 13, and 14. The flaw allows remote attackers to execute arbitrary code through an out-of-bounds write in the `libsaped.so` library, specifically when Google Messages is configured for Rich Communication Services (RCS). The vulnerability can be exploited without user interaction, making it a zero-click attack. The researcher who identified this flaw is Natalie Silvanovich from Google Project Zero.

  • Jan 20, 2025

    • CVE-2024-56337

    Apache Tomcat Vulnerability CVE-2024-56337 Exposes Servers to RCE Attacks

    The Apache Software Foundation (ASF) has released a security update for its Tomcat server software to address a significant vulnerability that could lead to remote code execution (RCE) under specific conditions. This vulnerability, identified as CVE-2024-56337, is an incomplete mitigation of another critical flaw, CVE-2024-50379, which was previously addressed. Both vulnerabilities are time-of-check time-of-use (TOCTOU) race condition issues that can allow code execution on case-insensitive file systems when the default servlet is enabled for writing. Users of affected Tomcat versions are advised to make specific configuration changes based on their Java version to fully mitigate the risks.

  • Jan 20, 2025

    • Israel
    • Middle East
    • Asia

    Multiple Israeli Organizations Report Disruptions Linked to an Unknown Threat Actor

    Several Israeli organizations have reported incidents where their printers were commandeered to produce pages containing pro-Palestinian propaganda. Additionally, reports indicate that files were corrupted, desktop wallpapers were altered, and other disruptions occurred. The identity of the attacker remains unconfirmed, and the full scope of the campaign has yet to be determined. The following hashes have been identified in connection with this campaign:

    • C316C600E82B91ECE48EF74615F121DE5E05B79A
    • 8cefad76c013e714c5cd8cff549b8c092ab2c9aa62ec9f22d2edf0e2c3cfdb9f (SHA256)

  • Jan 20, 2025

    • CVE-2024-44243

    Microsoft Uncovers macOS Vulnerability CVE-2024-44243 Allowing Rootkit Installation

    Microsoft has reported a newly discovered vulnerability in Apple's macOS, identified as CVE-2024-44243, which has been patched in macOS Sequoia 15.2. This medium-severity flaw (CVSS score: 5.5) allows attackers running as "root" to bypass the System Integrity Protection (SIP) of macOS, potentially enabling the installation of malicious kernel drivers and persistent malware. The vulnerability is characterized as a "configuration issue" that could allow malicious applications to modify protected areas of the file system. Jonathan Bar Or from Microsoft's threat intelligence team highlighted the serious implications of this vulnerability, including the potential for attackers to install rootkits and expand their attack surface. The vulnerability abuses the "com.apple.rootless.install.heritable" entitlement of the Storage Kit daemon (storagekitd) to bypass SIP protections.

  • Jan 20, 2025

    • CVE-2024-10811
    • CVE-2024-13159
    • CVE-2024-13160
    • CVE-2024-13161

    Researcher Uncovers Critical Flaws in Multiple Versions of Ivanti Endpoint Manager

    Ivanti has released security updates to address several critical vulnerabilities affecting its Endpoint Manager (EPM), Avalanche, and Application Control Engine. Four critical flaws, rated 9.8 on the CVSS scale, are related to absolute path traversal vulnerabilities in EPM, which could allow remote unauthenticated attackers to leak sensitive information. The vulnerabilities are identified by the following CVEs: CVE-2024-10811, CVE-2024-13161, CVE-2024-13160, and CVE-2024-13159. These flaws affect EPM versions prior to the January 2025 security update. The vulnerabilities were discovered and reported by security researcher Zach Hanley from Horizon3.ai. Additionally, Ivanti patched multiple high-severity bugs in Avalanche and Application Control Engine that could allow attackers to bypass authentication and leak sensitive information. The company has stated that there is no evidence of these vulnerabilities being exploited in the wild and has enhanced its internal security measures.

  • Jan 20, 2025

    • CVE-2024-12084
    • CVE-2024-12085
    • CVE-2024-12086
    • CVE-2024-12087
    • CVE-2024-12088
    • CVE-2024-12747

    Google Cloud Researchers Uncover Flaws in rsync File Synchronization Tool - CVE-2024-12084

    Multiple vulnerabilities have been disclosed in the rsync file synchronization tool. These vulnerabilities could allow attackers to execute arbitrary code on connected clients by exploiting a malicious server. They include issues such as heap-buffer overflow, information disclosure, and path traversal. The vulnerabilities have been assigned CVE identifiers, and the most severe one (CVE-2024-12084) has a CVSS score of 9.8. Researchers from Google Cloud and a security researcher named Aleksei Gorban have been credited with discovering these flaws. Patches have been released to address these vulnerabilities, and mitigations are suggested for users unable to apply the updates.

    Vulnerabilities disclosed: CVE-2024-12084, CVE-2024-12085, CVE-2024-12086, CVE-2024-12087, CVE-2024-12088, CVE-2024-12747

  • Jan 20, 2025

    • North America
    • The Otelier
    • Business Services
    • Ay4Me
    • United States

    Otelier Data Breach Exposes Millions of Hotel Reservation Records

    A significant data breach has compromised the cloud-based hotel management platform "Otelier," affecting over 10,000 hotels globally. The breach exposed 7.8TB of sensitive data, including 7.4 million documents, MongoDB and SQL database dumps, email automation records, and more. It contains personal information such as guest names, phone numbers, addresses, credit card details, and hotel reservation data for guests of major hotel chains like "Marriott," "Hilton," and "Hyatt." The breach occurred between July and October 2024, and the data was leaked by threat actor "Ay4me," who has made it available for sale on the darknet forum "BreachForums."

  • Jan 20, 2025

    • Zodiac_Killer
    • Philippines
    • Government
    • National Bureau Of Investigation (Nbi)
    • Asia
    • South-Eastern Asia

    Philippines NBI Investigates Data Breach Linked to Third-Party Provider

    The "National Bureau of Investigation" (NBI) in the Philippines is investigating a data leak after a threat actor, known as "ZODIAC_KILLER," posted allegedly leaked NBI-related information on the darknet forum "BreachForums." The NBI Director confirmed the breach, stating it originated from a third-party provider handling clearance applications, not the NBI's own database. The compromised data includes transaction IDs, applicant names, payment statuses, and other sensitive information.

  • Jan 19, 2025

    • Cold River
    • Government
    • Eastern Europe
    • Phishing
    • Ukraine
    • Spear Phishing
    • Europe

    Star Blizzard Shifts Tactics with WhatsApp Phishing Campaign

    Star Blizzard, a Russia-linked cyber espionage group, has shifted its tactics in a new spear-phishing campaign aimed at compromising WhatsApp accounts, a departure from its traditional credential-harvesting approach. The group's targets primarily include government officials, diplomats, defense policy experts, and those assisting Ukraine in the ongoing war with Russia. Previously known for using Evilginx-powered pages to harvest credentials from phishing emails, Star Blizzard now sends emails containing a deliberately broken QR code followed by a shortened link, tricking victims into scanning a fraudulent WhatsApp QR code that links the attackers' device to the victim's account and grants them unauthorized access to its messages. This new approach, likely prompted by earlier public disclosures about the group's activities, was reportedly confined to late November 2024. Potential targets are encouraged to treat emails containing unexpected links or QR codes with caution, particularly those in the sectors most affected by this campaign.

  • Jan 19, 2025

    • Qualirede
    • Latin America And The Caribbean
    • exclusive
    • Healthcare
    • Health Services
    • Brazil
    • F4B52

    Threat Actor leaked 500K customer details of Brazilian health management company Qualirede

    A threat actor using the name "f4b52" posted a thread on the cybercrime forum "BreachForums" offering a database of prospective customers of the Brazilian health management company Qualirede. According to the post, the database holds 500K records of customers' personal information. Based on the post and the accompanying sample, the exposed fields are: full name, CPF (the Brazilian individual taxpayer number), sex, date of birth, and beneficiary card.

  • Jan 19, 2025

    • exclusive
    • Government
    • Italy
    • Southern Europe
    • Europe
    • Zerosevengroup

    Full Network Access to Italian Government Department Advertised for Sale

    A recent post on BreachForums has advertised full network access to a department within an Italian ministry. The seller, a threat actor named ZeroSevenGroup, claims the access includes Command and Control (C2) capabilities, VPN entry points, and administrator-level privileges in Active Directory (AD), all for $10,000. The transaction is proposed through a trusted middleman, with interested parties directed to contact the seller via private message.

  • Jan 16, 2025

    • Úgkk Sr
    • Slovakia
    • Government
    • Eastern Europe
    • Europe

    Large-Scale Cyber-Attack Targets Slovakia's Land Registry Office

    Slovakia experienced one of the largest cyber-attacks in its history, targeting the Office of Geodesy, Cartography, and Cadastre (ÚGKK). The incident led to the complete shutdown of all related systems, severely disrupting public services and private-sector operations that depend on land registry data. The attackers reportedly demanded a seven-figure ransom for system restoration and decryption of the affected data. Slovak officials confirmed that, although systems were compromised, all data was backed up, eliminating the risk of altered or fraudulent entries in ownership records. Officials have suggested the attack may have originated from Ukraine, citing similar cyber-attacks reported in Russia during the same period; however, investigations are ongoing and no definitive evidence has been presented to support that attribution.

  • Jan 16, 2025

    • India
    • Northern Africa
    • North America
    • Egypt
    • Philippines
    • Asia
    • South-Eastern Asia
    • Southern Europe
    • Germany
    • Latin America And The Caribbean
    • Lazarus Group
    • Southern Asia
    • Africa
    • Indonesia
    • Europe
    • United Kingdom
    • Western Europe
    • Pakistan
    • Argentina
    • United States
    • France
    • Italy
    • Brazil
    • Mexico
    • Financial Theft

    Lazarus Group Launches "Operation 99" Targeting Web3 and Cryptocurrency Developers

    A new cyber attack campaign, "Operation 99," targeting software developers in the Web3 and cryptocurrency sectors has been attributed to the North Korea-linked Lazarus Group. The campaign begins with fake recruiters on platforms like LinkedIn, who lure developers into taking part in project tests and code reviews. Victims are then tricked into cloning malicious GitLab repositories, which connect to command-and-control servers and plant malware on their systems. The malware, including variants like Main5346 and Brow99, is designed to steal sensitive data such as source code, cryptocurrency wallet keys, and other secrets. The campaign has been observed globally, with a high concentration in Italy, and exploits the growing Web3 and cryptocurrency sectors to steal digital assets and intellectual property in support of North Korea's financial goals. The operation also relies on AI-generated profiles and realistic communication to deceive even cautious individuals, highlighting the Lazarus Group's continually evolving methods.

  • Jan 14, 2025

    • Nominet Uk
    • United Kingdom
    • Technology
    • CVE-2025-0282
    • Europe

    UK Domain Registry Nominet Confirms Cyber Attack

    Nominet, the official registry for .uk domain names and one of the largest country-code registries globally, has disclosed a significant cybersecurity breach linked to a recently discovered zero-day vulnerability in Ivanti's Virtual Private Network (VPN) software. The incident, which came to light in early January 2025, is the first publicly confirmed case of a compromise resulting from exploitation of the critical Ivanti Connect Secure flaw tracked as CVE-2025-0282.

  • Jan 14, 2025

    • exclusive
    • India
    • Southern Asia
    • Asia
    • Wangjn

    Data Leak of Indian Property Database - 3.69 Million Records

    A dataset of 3.69 million fresh records of Indian property data has been put up for sale by the threat actor "wangjn" on the darknet forum "BreachForums." The exposed information includes sensitive personal details such as names, email addresses, phone numbers, and residential addresses.

  • Jan 13, 2025

    • Pakistan
    • Mining
    • Horizon Oil
    • exclusive
    • Southern Asia
    • Asia
    • 0Blivi0Nx

    Horizon Oil Database Reportedly Leaked

    A post on BreachForums by the threat actor 0blivi0nX claims a data breach at Horizon Oil Company Ltd., accusing the company of poor website security. The leaked data, shared via file.io links, allegedly includes sensitive operational information and has raised concerns about the company's cybersecurity practices.

  • Jan 13, 2025

    • Hellcat
    • Telecommunications
    • Telefónica
    • Spain
    • Southern Europe
    • Europe

    Telefonica Confirms Breach

    Spanish telecommunications company Telefónica has confirmed that an internal ticketing system was breached after stolen data was leaked on a hacking forum. Telefónica is a multinational telecommunications company operating in twelve countries with over 104,000 employees, and the largest telecommunications firm in Spain, where it operates under the Movistar brand. Three of the people behind the attack, Grep, Pryx, and Rey, are also members of a recently launched ransomware operation known as Hellcat Ransomware.

  • Jan 13, 2025

    • Netherlands
    • Western Europe
    • Education
    • Eindhoven University Of Technology
    • Europe

    Breach Forces Eindhoven University of Technology to Shut Down Network, Disrupting Operations

    "Eindhoven University of Technology" (TU/e) was hit by a cyber-attack on Saturday, January 11, 2025, prompting the institution to take its entire network offline as a precautionary measure. The shutdown suspended all educational activities until Tuesday, January 14, and cut off critical services such as email, WiFi, Canvas, and Microsoft Teams. While physical access to the campus remains unaffected, students and staff cannot reach online resources.
