Found 62 bookmarks
Newest
Bitcoin Depot breach exposes data of nearly 27,000 crypto users
Bitcoin Depot breach exposes data of nearly 27,000 crypto users
Bitcoin Depot, an operator of Bitcoin ATMs, is notifying customers of a data breach incident that has exposed their sensitive information. In the letter sent to affected individuals, the company informs that it first detected suspicious activity on its network last year on June 23. Although the internal investigation was completed on July 18, 2024, a parallel investigation by federal agencies dictated that public disclosure of the incident should be withheld until it was completed. “On July 18, 2024, the investigation was complete, and we identified your personal information contained within documents related to certain of our customers that the unauthorized individual obtained,” explains Bitcoin Depot in the letter. “Unfortunately, we were not able to inform you sooner due to an ongoing investigation. Federal law enforcement requested that Bitcoin Depot wait to provide you notice until after they completed the investigation.” The type of data that has been exposed in this incident varies from individual to individual and may include: Full name Phone number Driver’s license number Address Date of birth Email address Bitcoin Depot is one of the largest Bitcoin ATM networks in the United States, operating 8,800 machines in the U.S., Canada, and Australia.
#bleepingcomputer#EN#2025#Bitcoin#Bitcoin-Depot#Customer-Data#Data-Breach#Notification
·bleepingcomputer.com·
Bitcoin Depot breach exposes data of nearly 27,000 crypto users
Atomic macOS infostealer adds backdoor for persistent attacks
Atomic macOS infostealer adds backdoor for persistent attacks
Malware analyst discovered a new version of the Atomic macOS info-stealer (also known as 'AMOS') that comes with a backdoor, to attackers persistent access to compromised systems. Malware analyst discovered a new version of the Atomic macOS info-stealer (also known as 'AMOS') that comes with a backdoor, to attackers persistent access to compromised systems. The new component allows executing arbitrary remote commands, it survives reboots, and permits maintaining control over infected hosts indefinitely. MacPaw's cybersecurity division Moonlock analyzed the backdoor in Atomic malware after a tip from independent researcher g0njxa, a close observer of infostealer activity. "AMOS malware campaigns have already reached over 120 countries, with the United States, France, Italy, the United Kingdom, and Canada among the most affected," the researchers say. "The backdoored version of Atomic macOS Stealer now has the potential to gain full access to thousands of Mac devices worldwide."
#bleepingcomputer#EN#2025#AMOS#Atomic#Backdoor#Info-Stealer#Information-Stealer#macOS
·bleepingcomputer.com·
Atomic macOS infostealer adds backdoor for persistent attacks
Ingram Micro outage caused by SafePay ransomware attack
Ingram Micro outage caused by SafePay ransomware attack
An ongoing outage at IT giant Ingram Micro is caused by a SafePay ransomware attack that led to the shutdown of internal systems, BleepingComputer has learned. Update 7/6/25: Added Ingram Micro's confirmation it suffered a ransomware attack below. Also updated ransom note with clearer version. An ongoing outage at IT giant Ingram Micro is caused by a SafePay ransomware attack that led to the shutdown of internal systems, BleepingComputer has learned. Ingram Micro is one of the world's largest business-to-business technology distributors and service providers, offering a range of solutions including hardware, software, cloud services, logistics, and training to resellers and managed service providers worldwide. Since Thursday, Ingram Micro's website and online ordering systems have been down, with the company not disclosing the cause of the issues. BleepingComputer has now learned that the outages are caused by a cyberattack that occurred early Thursday morning, with employees suddenly finding ransom notes created on their devices. The ransom note, seen by BleepingComputer, is associated with the SafePay ransomware operation, which has become one of the more active operations in 2025. It is unclear if devices were actually encrypted in the attack. It should be noted that while the ransom note claims to have stolen a wide variety of information, this is generic language used in all SafePay ransom notes and may not be true for the Ingram Micro attack.
#bleepingcomputer#EN#2025#Cyberattack#Note#Computer#Security#Ransom#MicroIngram#Ransomware#VPN#SafePay
·bleepingcomputer.com·
Ingram Micro outage caused by SafePay ransomware attack
Johnson Controls starts notifying people affected by 2023 breach
Johnson Controls starts notifying people affected by 2023 breach
Building automation giant Johnson Controls is notifying individuals whose data was stolen in a massive ransomware attack that impacted the company's operations worldwide in September 2023. Johnson Controls is a multinational conglomerate that develops and manufactures industrial control systems, security equipment, HVAC systems, and fire safety equipment for buildings. The company employs over 100,000 people through its corporate operations and subsidiaries across 150 countries, reporting sales of $27.4 billion in 2024. As BleepingComputer first reported, Johnson Controls was hit by a ransomware attack in September 2023, following a breach of the company's Asian offices in February 2023 and subsequent lateral movement through its network. "Based on our investigation, we determined that an unauthorized actor accessed certain Johnson Controls systems from February 1, 2023 to September 30, 2023 and took information from those systems," the company says in data breach notification letters filed with California's Attorney General, redacted to conceal what information was stolen in the attack. "After becoming aware of the incident, we terminated the unauthorized actor's access to the affected systems. In addition, we engaged third-party cybersecurity specialists to further investigate and resolve the incident. We also notified law enforcement and publicly disclosed the incident in filings on September 27, 2023; November 13, 2023; and December 14, 2023."
#bleepingcomputer#EN#2025#Breach#Cyberattack#Dark-Angels#Data-Breach#Johnson-Controls#Ransomware
·bleepingcomputer.com·
Johnson Controls starts notifying people affected by 2023 breach
NimDoor crypto-theft macOS malware revives itself when killed
NimDoor crypto-theft macOS malware revives itself when killed
North Korean state-backed hackers have been using a new family of macOS malware called NimDoor in a campaign that targets web3 and cryptocurrency organizations. Researchers analyzing the payloads discovered that the attacker relied on unusual techniques and a previously unseen signal-based persistence mechanism. The attack chain, which involves contacting victims via Telegram and luring them into running a fake Zoom SDK update, delivered via Calendly and email, resembles the one Huntress managed security platform recently linked to BlueNoroff. Advanced macOS malware In a report today, researchers at cybersecurity company SentinelOne says that the threat actor used C++ and Nim-compiled binaries (collectively tracked as NimDoor ) on macOS, which "is a more unusual choice." One of the Nim-compiled binaries, 'installer', is responsible for the initial setup and staging, preparing directories and config paths. It also drops other two binaries - 'GoogIe LLC,' 'CoreKitAgent', onto the victim's system. GoogIe LLC takes over to collect environment data and generate a hex-encoded config file, writing it to a temp path. It sets up a macOS LaunchAgent (com.google.update.plist) for persistence, which re-launches GoogIe LLC at login and stores authentication keys for later stages. The most advanced componentused in the attack is CoreKitAgent, the main payload of the NimDoor framework, which operates as an event-driven binary, using macOS's kqueue mechanism to asynchronously manage execution. It implements a 10-case state machine with a hardcoded state transition table, allowing flexible control flow based on runtime conditions. The most distinctive feature is its signal-based persistence mechanisms, where it installs custom handlers for SIGINT and SIGTERM.
#bleepingcomputer#EN#2025#macOS#Malware#Nim#NimDoor#Persistence#North-Korea
·bleepingcomputer.com·
NimDoor crypto-theft macOS malware revives itself when killed
Cisco warns that Unified CM has hardcoded root SSH credentials
Cisco warns that Unified CM has hardcoded root SSH credentials
Cisco has removed a backdoor account from its Unified Communications Manager (Unified CM), which would have allowed remote attackers to log in to unpatched devices with root privileges. Cisco Unified Communications Manager (CUCM), formerly known as Cisco CallManager, serves as the central control system for Cisco's IP telephony systems, handling call routing, device management, and telephony features. The vulnerability (tracked as CVE-2025-20309) was rated as maximum severity, and it is caused by static user credentials for the root account, which were intended for use during development and testing.
#bleepingcomputer#EN#CVE-2025-20309#2025#CUCM#CallManager#Unified#Security#Password#Root#Hardcoded#Communications#Cisco
·bleepingcomputer.com·
Cisco warns that Unified CM has hardcoded root SSH credentials
Hawaiian Airlines discloses cyberattack, flights not affected
Hawaiian Airlines discloses cyberattack, flights not affected
Hawaiian Airlines, the tenth-largest commercial airline in the United States, is investigating a cyberattack that has disrupted access to some of its systems. With over 7,000 employees, 235 average daily flights, and a fleet of over 60 airplanes, Hawaiian Airlines connects Hawai'i with 15 U.S. mainland cities and 10 other destinations across Asia and the Pacific. The airline stated in a statement issued on Thursday morning that the incident didn't affect flight safety and has already contacted relevant authorities to assist in investigating the attack. Hawaiian Airlines also hired external cybersecurity experts to asses the attack's impact and help restore affected systems. "Hawaiian Airlines is addressing a cybersecurity event that has affected some of our IT systems. Our highest priority is the safety and security of our guests and employees. We have taken steps to safeguard our operations, and our flights are operating safely and as scheduled," the airline said. "Upon learning of this incident, we engaged the appropriate authorities and experts to assist in our investigation and remediation efforts. We are currently working toward an orderly restoration and will provide updates as more information is available." A banner on the airline's website notes that the incident hasn't impacted flights in any way and that travel hasn't been affected. The same alert is also displayed on the Alaska Airlines website, which is owned by Alaska Air Group, a company that acquired Hawaiian Airlines last year.
#bleepingcomputer#EN#2025#Airline#Cyberattack#Hawaii#Hawaiian-Airlines#USA
·bleepingcomputer.com·
Hawaiian Airlines discloses cyberattack, flights not affected
Microsoft 365 'Direct Send' abused to send phishing as internal users
Microsoft 365 'Direct Send' abused to send phishing as internal users
An ongoing phishing campaign abuses a little‑known feature in Microsoft 365 called "Direct Send" to evade detection by email security and steal credentials. Direct Send is a Microsoft 365 feature that allows on‑premises devices, applications, or cloud services to send emails through a tenant's smart host as if they originated from the organization's domain. It’s designed for use by printers, scanners, and other devices that need to send messages on behalf of the company. However, the feature is a known security risk, as it doesn't require any authentication, allowing remote users to send internal‑looking emails from the company's domain. Microsoft recommends that only advanced customers utilize the feature, as its safety depends on whether Microsoft 365 is configured correctly and the smart host is properly locked down.. "We recommend Direct Send only for advanced customers willing to take on the responsibilities of email server admins," explains Microsoft. "You need to be familiar with setting up and following best practices for sending email over the internet. When correctly configured and managed, Direct Send is a secure and viable option. But customers run the risk of misconfiguration that disrupts mail flow or threatens the security of their communication." The company has shared ways to disable the feature, which are explained later in the article, and says they are working on a way to deprecate the feature.
#bleepingcomputer#EN#2025#Credentials#Direct-Send#Email#Microsoft#Microsoft-365#Phishing
·bleepingcomputer.com·
Microsoft 365 'Direct Send' abused to send phishing as internal users
CISA: AMI MegaRAC bug enabling server hijacks exploited in attacks
CISA: AMI MegaRAC bug enabling server hijacks exploited in attacks
CISA says a maximum severity vulnerability in AMI's MegaRAC Baseboard Management Controller (BMC) software, which enables attackers to hijack and brick servers, is currently under active exploitation. CISA has confirmed that a maximum severity vulnerability in AMI's MegaRAC Baseboard Management Controller (BMC) software is now actively exploited in attacks. The MegaRAC BMC firmware provides remote system management capabilities for troubleshooting servers without being physically present, and it's used by several vendors (including HPE, Asus, and ASRock) that supply equipment to cloud service providers and data centers. This authentication bypass security flaw (tracked as CVE-2024-54085) can be exploited by remote unauthenticated attackers in low-complexity attacks that don't require user interaction to hijack and potentially brick unpatched servers.
#bleepingcomputer#EN#2025#Actively-Exploited#American-Megatrends-International#AMI#Authentication-Bypass#CISA#MegaRAC#CVE-2024-54085
·bleepingcomputer.com·
CISA: AMI MegaRAC bug enabling server hijacks exploited in attacks
No, the 16 billion credentials leak is not a new data breach
No, the 16 billion credentials leak is not a new data breach
News broke today about "one of the largest data breaches in history," sparking wide media coverage filled with warnings and fear-mongering. However, it appears to just be a compilation of previously leaked credentials stolen by infostealers, exposed in data breaches, and via credential stuffing attacks. To be clear, this is not a new data breach, or a breach at all, and the websites involved were not recently compromised to steal these credentials. Instead, these stolen credentials were likely circulating for some time, if not for years. It was then collected by a cybersecurity firm, researchers, or threat actors and repackaged into a database that was exposed on the Internet. Cybernews, which discovered the briefly exposed datasets of compiled credentials, stated it was stored in a format commonly associated with infostealer malware, though they did not share samples An infostealer is malware that attempts to steal credentials, cryptocurrency wallets, and other data from an infected device. Over the years, infostealers have become a massive problem, leading to breaches worldwide. ... The infostealer problem has gotten so bad and pervasive that compromised credentials have become one of the most common ways for threat actors to breach networks.
#bleepingcomputer#EN#2025#Credential-Stuffing#Data-Breach#FUD#Infostealer#Leaked-Credentials
·bleepingcomputer.com·
No, the 16 billion credentials leak is not a new data breach
Police seizes Archetyp Market drug marketplace, arrests admin
Police seizes Archetyp Market drug marketplace, arrests admin
Law enforcement authorities from six countries took down the Archetyp Market, an infamous darknet drug marketplace that has been operating since May 2020. Archetyp Market sellers provided the market's customers with access to high volumes of drugs, including cocaine, amphetamines, heroin, cannabis, MDMA, and synthetic opioids like fentanyl through more than 3,200 registered vendors and over 17,000 listings. Over its five years of activity, the marketplace amassed over 612,000 users with a total transaction volume of over €250 million (approximately $289 million) in Monero cryptocurrency transactions. As part of this joint action codenamed 'Operation Deep Sentinel' (led by German police and supported by Europol and Eurojust), investigators in the Netherlands took down the marketplace's infrastructure, while a 30-year-old German national suspected of being Archetyp Market's administrator was apprehended in Barcelona, Spain. One Archetyp Market moderator and six of the marketplace's highest vendors were also arrested in Germany and Sweden. In total, law enforcement officers seized 47 smartphones, 45 computers, narcotics, and assets worth €7.8 million from all suspects during Operation Deep Sentinel.
#bleepingcomputer#EN#2025#Archetyp-Market#Arrest#Dark-Web#Drugs#Law-Enforcement#Marketplace#Monero
·bleepingcomputer.com·
Police seizes Archetyp Market drug marketplace, arrests admin
Over 46,000 Grafana instances exposed to account takeover bug
Over 46,000 Grafana instances exposed to account takeover bug
More than 46,000 internet-facing Grafana instances remain unpatched and exposed to a client-side open redirect vulnerability that allows executing a malicious plugin and account takeover. The flaw is tracked as CVE-2025-4123 and impacts multiple versions of the open-source platform used for monitoring and visualizing infrastructure and application metrics. The vulnerability was discovered by bug bounty hunter Alvaro Balada and was addressed in security updates that Grafana Labs released on May 21.
#bleepingcomputer#EN#2025#Account-Takeover#Grafana#Open-Redirect#Vulnerability#Vulnerability-Management#XSS
·bleepingcomputer.com·
Over 46,000 Grafana instances exposed to account takeover bug
Hackers exploited Windows WebDav zero-day to drop malware
Hackers exploited Windows WebDav zero-day to drop malware
An APT hacking group known as 'Stealth Falcon' exploited a Windows WebDav RCE vulnerability in zero-day attacks since March 2025 against defense and government organizations in Turkey, Qatar, Egypt, and Yemen. Stealth Falcon (aka 'FruityArmor') is an advanced persistent threat (APT) group known for conducting cyberespionage attacks against Middle East organizations. The flaw, tracked under CVE-2025-33053, is a remote code execution (RCE) vulnerability that arises from the improper handling of the working directory by certain legitimate system executables. Specifically, when a .url file sets its WorkingDirectory to a remote WebDAV path, a built-in Windows tool can be tricked into executing a malicious executable from that remote location instead of the legitimate one. This allows attackers to force devices to execute arbitrary code remotely from WebDAV servers under their control without dropping malicious files locally, making their operations stealthy and evasive. The vulnerability was discovered by Check Point Research, with Microsoft fixing the flaw in the latest Patch Tuesday update, released yesterday.
#bleepingcomputer#EN#2025#CVE-2025-33053#Patch-Tuesday#Actively-Exploited#Espionage#Remote-Code-Execution#Stealth-Falcon#Vulnerability#WebDAV#Windows#Zero-Day
·bleepingcomputer.com·
Hackers exploited Windows WebDav zero-day to drop malware
Microsoft Outlook to block more risky attachments used in attacks
Microsoft Outlook to block more risky attachments used in attacks
Microsoft announced it will expand the list of blocked attachments in Outlook Web and the new Outlook for Windows starting next month. Microsoft announced it will expand the list of blocked attachments in Outlook Web and the new Outlook for Windows starting next month. The company said on Monday in a Microsoft 365 Message Center update that Outlook will block .library-ms and .search-ms file types beginning in July. "As part of our ongoing efforts to enhance security in Outlook Web and the New Outlook for Windows, we're updating the default list of blocked file types in OwaMailboxPolicy," Microsoft said. "Starting in early July 2025, the [.library-ms and .search-ms] file types will be added to the BlockedFileTypes list."
#bleepingcomputer#EN#2025#Microsoft#New-Outlook#Outlook#Outlook-on-the-web#Windows
·bleepingcomputer.com·
Microsoft Outlook to block more risky attachments used in attacks
Hacker selling critical Roundcube webmail exploit as tech info disclosed
Hacker selling critical Roundcube webmail exploit as tech info disclosed
Hackers are actively exploiting CVE-2025-49113, a critical vulnerability in the widely used Roundcube open-source webmail application that allows remote execution. The security issue has been present in Roundcube for over a decade and impacts versions of Roundcube webmail 1.1.0 through 1.6.10. It received a patch on June 1st. It took attackers just a couple of days to reverse engineer the fix, weaponize the vulnerability, and start selling a working exploit on at least one hacker forum. Roundcube is one of the most popular webmail solutions as the product is included in offers from well-known hosting providers such as GoDaddy, Hostinger, Dreamhost, or OVH. "Email armageddon" CVE-2025-49113 is a post-authentication remote code execution (RCE) vulnerability that received a critical severity score of 9.9 out of 10 and is described as “email armageddon.” It was discovered and reported by Kirill Firsov, the CEO of the cybersecurity company FearsOff, who decided to publish the technical details before the end of the responsible disclosure period because an exploit had become available.
#bleepingcomputer#EN#2025#Actively-Exploited#Exploit#PHP#RCE#Remote-Code-Execution#Roundcube#CVE-2025-49113
·bleepingcomputer.com·
Hacker selling critical Roundcube webmail exploit as tech info disclosed
Cisco warns of ISE and CCP flaws with public exploit code
Cisco warns of ISE and CCP flaws with public exploit code
Cisco has released patches to address three vulnerabilities with public exploit code in its Identity Services Engine (ISE) and Customer Collaboration Platform (CCP) solutions. The most severe of the three is a critical static credential vulnerability tracked as CVE-2025-20286, found by GMO Cybersecurity's Kentaro Kawane in Cisco ISE. This identity-based policy enforcement software provides endpoint access control and network device administration in enterprise environments. The vulnerability is due to improperly generated credentials when deploying Cisco ISE on cloud platforms, resulting in shared credentials across different deployments. Unauthenticated attackers can exploit it by extracting user credentials from Cisco ISE cloud deployments and using them to access installations in other cloud environments. However, as Cisco explained, threat actors can exploit this flaw successfully only if the Primary Administration node is deployed in the cloud. "A vulnerability in Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI) cloud deployments of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to access sensitive data, execute limited administrative operations, modify system configurations, or disrupt services within the impacted systems," the company explained.
#bleepingcomputer#EN#2025#CVE-2025-20286#Cisco#Cisco-Customer-Collaboration-Platform#Credentials#Exploit#Hotfix#Identity-Services-Engine#Patch#Proof-of-Concept#Vulnerability
·bleepingcomputer.com·
Cisco warns of ISE and CCP flaws with public exploit code
DragonForce ransomware abuses SimpleHelp in MSP supply chain attack
DragonForce ransomware abuses SimpleHelp in MSP supply chain attack
The DragonForce ransomware operation successfully breached a managed service provider and used its SimpleHelp remote monitoring and management (RMM) platform to steal data and deploy encryptors on downstream customers' systems. Sophos was brought in to investigate the attack and believe the threat actors exploited a chain of older SimpleHelp vulnerabilities tracked as CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726 to breach the system. SimpleHelp is a commercial remote support and access tool commonly used by MSPs to manage systems and deploy software across customer networks. The report by Sophos says that the threat actors first used SimpleHelp to perform reconnaissance on customer systems, such as collecting information about the MSP's customers, including device names and configuration, users, and network connections. The threat actors then attempted to steal data and deploy decryptors on customer networks, which were blocked on one of the networks using Sophos endpoint protection. However, the other customers were not so lucky, with devices encrypted and data stolen for double-extortion attacks. Sophos has shared IOCs related to this attack to help organizations better defend their networks. MSPs have long been a valuable target for ransomware gangs, as a single breach can lead to attacks on multiple companies. Some ransomware affiliates have specialized in tools commonly used by MSPs, such as SimpleHelp, ConnectWise ScreenConnect, and Kaseya. This has led to devastating attacks, including REvil's massive ransomware attack on Kaseya, which impacted over 1,000 companies.
#bleepingcomputer#EN#2025#CVE-2024-57727#Data-Theft#DragonForce#Managed-Service-Provider#MSP#Ransomware#RMM#SimpleHelp-RMM
·bleepingcomputer.com·
DragonForce ransomware abuses SimpleHelp in MSP supply chain attack
Fake Zenmap. WinMRT sites target IT staff with Bumblebee malware
Fake Zenmap. WinMRT sites target IT staff with Bumblebee malware
The Bumblebee malware SEO poisoning campaign uncovered earlier this week aimpersonating RVTools is using more typosquatting domainsi mimicking other popular open-source projects to infect devices used by IT staff. BleepingComputer was able to find two cases leveraging the notoriety of Zenmap, the GUI for the Nmap network scanning tool, and the WinMTR tracerout utility. Both of these tools are commonly used by IT staff to diagnose or analyze network traffic, requiring administrative privileges for some of the features to work This makes users of these tools prime targets for threat actors looking to breach corporate networks and spread laterally to other devices. The Bumblebee malware loader has been pushed through at least two domains - zenmap[.]pro and winmtr[.]org. While the latter is currently offline, the former is still online and shows a fake blog page about Zenmap when visited directly. When users are redirected to zenmap[.]pro from from search results, though, it shows a clone of the legitimate website for the nmap (Network Mapper) utility: The two sites received traffic through SEO poisoning and rank high in Google and Bing search results for the associated terms. Bleepingcolputer's tests show that if you visit the fake Zenmap site directly, it shows several AI-generated articles instead, as seen in the image below: The payloads delivered through the download section ‘zenmap-7.97.msi’ and ‘WinMTR.msi, and they both evade detection from most antivirus engines on VirusTotal [1, 2]. The installers deliver the promised application along with a malicious DLL, as in the case of RVTools, which drops a Bumblebee loader on users' devices. From there, the backdoor can be used to profile the victim and introduce additional payloads, which may include infostealers, ransomware, and other types of malware. Apart from the open-source tools mentioned above, BleepingComputer has also seen the same campaign targeting users looking for Hanwha security camera management software WisenetViewer. Cyjax’s researcher Joe Wrieden also spotted a trojanized version of the video management software Milestone XProtect being part of the same campaign, the malicious installers being delivered ‘milestonesys[.]org’ (online).
#bleepingcomputer#EN#2025#Malware-Loader#SEO-Poisoning#WinMRT#Zenmap
·bleepingcomputer.com·
Fake Zenmap. WinMRT sites target IT staff with Bumblebee malware
Arla Foods confirms cyberattack disrupts production, causes delays
Arla Foods confirms cyberattack disrupts production, causes delays
Arla Foods has confirmed to BleepingComputer that it was targeted by a cyberattack that has disrupted its production operations. The Danish food giant clarified that the attack only affected its production unit in Upahl, Germany, though it expects this will result in product delivery delays or even cancellations. "We can confirm that we have identified suspicious activity at our dairy site in Upahl that impacted the local IT network," stated an Arla spokesperson. "Due to the safety measures initiated as a result of the incident, production was temporarily affected." Arla Foods is an international dairy producer and a farmer-owned cooperative with 7,600 members. It employs 23,000 people in 39 countries. The firm has an annual revenue of €13.8 billion ($15.5 billion), and its products, including the brands Arla, Lurpak, Puck, Castello, and Starbucks, are sold in 140 countries worldwide. The company told BleepingComputer that it is currently working to resume operations at the impacted facility, which should bring results before the end of the week. "Since then, we've been working diligently to restore full operations. We expect to return to normal operations at the site in the next few days. Production at other Arla sites is not affected." Considering that the first reports about a disruption at Arla's production operations surfaced on Friday, it is bound to cause shortages in some cases. "We have informed our affected customers about possible delivery delays and cancellations," explained Arla's spokesperson. BleepingComputer has asked the firm if the attack involved data theft or encryption, both staples of a ransomware attack, but Arla declined to share any additional information at this time. Meanwhile, there have been no announcements about Arla on ransomware extortion portals, so the type of attack and the perpetrators remain unknown.
#bleepingcomputer#EN#2025#Arla#Business-Disruption#Cyberattack#Security#InfoSec#Computer-Security
·bleepingcomputer.com·
Arla Foods confirms cyberattack disrupts production, causes delays
Unpatched critical bugs in Versa Concerto lead to auth bypass, RCE
Unpatched critical bugs in Versa Concerto lead to auth bypass, RCE
Critical vulnerabilities in Versa Concerto that are still unpatched could allow remote attackers to bypass authentication and execute arbitrary code on affected systems. Three security issues, two of them critical, were publicly disclosed by researchers at the vulnerability management firm ProjectDiscovery after reporting them to the vendor and receiving no confirmation of the bugs being addressed. Versa Concerto is the centralized management and orchestration platform for Versa Networks' SD-WAN and SASE (Secure Access Service Edge) solutions. Three security issues, two of them critical, were publicly disclosed by researchers at the vulnerability management firm ProjectDiscovery after reporting them to the vendor and receiving no confirmation of the bugs being addressed. Versa Concerto is the centralized management and orchestration platform for Versa Networks' SD-WAN and SASE (Secure Access Service Edge) solutions.
#bleepingcomputer#EN#2025#Authentication-Bypass#RCE#Remote-Code-Execution#Versa-Concerto#Vulnerability#CVE-2025-34027#CVE-2025-34026#CVE-2025-34025
·bleepingcomputer.com·
Unpatched critical bugs in Versa Concerto lead to auth bypass, RCE
Twilio denies breach following leak of alleged Steam 2FA codes
Twilio denies breach following leak of alleged Steam 2FA codes
Twilio has denied in a statement for BleepingComputer that it was breached after a threat actor claimed to be holding over 89 million Steam user records with one-time access codes. The threat actor, using the alias Machine1337 (also known as EnergyWeaponsUser), advertised a trove of data allegedly pulled from Steam, offering to sell it for $5,000. When examining the leaked files, which contained 3,000 records, BleepingComputer found historic SMS text messages with one-time passcodes for Steam, including the recipient's phone number. Owned by Valve Corporation, Steam is the world's largest digital distribution platform for PC games, with over 120 million monthly active users. Valve did not respond to our requests for a comment on the threat actor's claims. Independent games journalist MellolwOnline1, who is also the creator of the SteamSentinels community group that monitors abuse and fraud in the Steam ecosystem, suggests that the incident is a supply-chain compromise involving Twilio. MellowOnline1 pointed to technical evidence in the leaked data that indicates real-time SMS log entries from Twilio's backend systems, hypothesizing a compromised admin account or abuse of API keys.
#bleepingcomputer#EN#2025#Sale#SMS#Steam#Supply-Chain#Supply-Chain-Attack#Third-Party-Data-Breach#Twilio#denied
·bleepingcomputer.com·
Twilio denies breach following leak of alleged Steam 2FA codes
Hackers exploit VMware ESXi, Microsoft SharePoint zero-days at Pwn2Own
Hackers exploit VMware ESXi, Microsoft SharePoint zero-days at Pwn2Own
During the second day of Pwn2Own Berlin 2025, competitors earned $435,000 after exploiting zero-day bugs in multiple products, including Microsoft SharePoint, VMware ESXi, Oracle VirtualBox, Red Hat Enterprise Linux, and Mozilla Firefox. The highlight was a successful attempt from Nguyen Hoang Thach of STARLabs SG against the VMware ESXi, which earned him $150,000 for an integer overflow exploit. Dinh Ho Anh Khoa of Viettel Cyber Security was awarded $100,000 for hacking Microsoft SharePoint by leveraging an exploit chain combining an auth bypass and an insecure deserialization flaw. Palo Alto Networks' Edouard Bochin and Tao Yan also demoed an out-of-bounds write zero-day in Mozilla Firefox, while Gerrard Tai of STAR Labs SG escalated privileges to root on Red Hat Enterprise Linux using a use-after-free bug, and Viettel Cyber Security used another out-of-bounds write for an Oracle VirtualBox guest-to-host escape. In the AI category, Wiz Research security researchers used a use-after-free zero-day to exploit Redis and Qrious Secure chained four security flaws to hack Nvidia's Triton Inference Server. On the first day, competitors were awarded $260,000 after successfully exploiting zero-day vulnerabilities in Windows 11, Red Hat Linux, and Oracle VirtualBox, reaching a total of $695,000 earned over the first two days of the contest after demonstrating 20 unique 0-days. ​​​The Pwn2Own Berlin 2025 hacking competition focuses on enterprise technologies, introduces an AI category for the first time, and takes place during the OffensiveCon conference between May 15 and May 17.
#bleepingcomputer#EN#2025#Firefox#NVIDIA#Pwn2Own#Red-Hat#Redis#SharePoint#VirtualBox#Vmware-ESXi#Zero-Day#BugBounty
·bleepingcomputer.com·
Hackers exploit VMware ESXi, Microsoft SharePoint zero-days at Pwn2Own
Ivanti warns of critical Neurons for ITSM auth bypass flaw
Ivanti warns of critical Neurons for ITSM auth bypass flaw
​Ivanti has released security updates for its Neurons for ITSM IT service management solution that mitigate a critical authentication bypass vulnerability. Tracked as CVE-2025-22462, the security flaw can let unauthenticated attackers gain administrative access to unpatched systems in low-complexity attacks, depending on system configuration. As the company highlighted in a security advisory released today, organizations that followed its guidance are less exposed to attacks. "Customers who have followed Ivanti's guidance on securing the IIS website and restricted access to a limited number of IP addresses and domain names have a reduced risk to their environment," Ivanti said. "Customers who have users log into the solution from outside their company network also have a reduced risk to their environment if they ensure that the solution is configured with a DMZ." Ivanti added that CVE-2025-22462 only impacts on-premises instances running versions 2023.4, 2024.2, 2024.3, and earlier, and said that it found no evidence that the vulnerability is being exploited to target customers. Product Name Affected Version(s) Resolved Version(s) Ivanti Neurons for ITSM (on-prem only) 2023.4, 2024.2, and 2024.3 2023.4 May 2025 Security Patch 2024.2 May 2025 Security Patch 2024.3 May 2025 Security Patch The company also urged customers today to patch a default credentials security flaw (CVE-2025-22460) in its Cloud Services Appliance (CSA) that can let local authenticated attackers escalate privileges on vulnerable systems. While this vulnerability isn't exploited in the wild either, Ivanti warned that the patch won't be applied correctly after installing today's security updates and asked admins to reinstall from scratch or use these mitigation steps to ensure their network is protected from potential attacks.
#bleepingcomputer#EN#2025#Authentication#Authentication-Bypass#Bypass#Ivanti#Neurons-for-ITSM#Vulnerability
·bleepingcomputer.com·
Ivanti warns of critical Neurons for ITSM auth bypass flaw
Hackers now testing ClickFix attacks against Linux targets
Hackers now testing ClickFix attacks against Linux targets
A new campaign employing ClickFix attacks has been spotted targeting both Windows and Linux systems using instructions that make infections on either operating system possible. A new campaign employing ClickFix attacks has been spotted targeting both Windows and Linux systems using instructions that make infections on either operating system possible. ClickFix is a social engineering tactic where fake verification systems or application errors are used to trick website visitors into running console commands that install malware. These attacks have traditionally targeted Windows systems, prompting targets to execute PowerShell scripts from the Windows Run command, resulting in info-stealer malware infections and even ransomware. However, a 2024 campaign using bogus Google Meet errors also targeted macOS users. ClickFix targeting Linux users A more recent campaign spotted by Hunt.io researchers last week is among the first to adapt this social engineering technique for Linux systems. The attack, which is attributed to the Pakistan-linked threat group APT36 (aka "Transparent Tribe"), utilizes a website that impersonates India's Ministry of Defence with a link to an allegedly official press release.
#bleepingcomputer#EN#2025#APT36#ClickFix#Linux#Social-Engineering
·bleepingcomputer.com·
Hackers now testing ClickFix attacks against Linux targets
LockBit ransomware gang hacked, victim negotiations exposed
LockBit ransomware gang hacked, victim negotiations exposed
The LockBit ransomware gang has suffered a data breach after its dark web affiliate panels were defaced and replaced with a message linking to a MySQL database dump. All of the ransomware gang's admin panels now state. "Don't do crime CRIME IS BAD xoxo from Prague," with a link to download a "paneldb_dump.zip." LockBit dark web site defaced with link to database As first spotted by the threat actor, Rey, this archive contains a SQL file dumped from the site affiliate panel's MySQL database. From analysis by BleepingComputer, this database contains twenty tables, with some more interesting than others, including: A 'btc_addresses' table that contains 59,975 unique bitcoin addresses. A 'builds' table contains the individual builds created by affiliates for attacks. Table rows contain the public keys, but no private keys, unfortunately. The targeted companies' names are also listed for some of the builds. A 'builds_configurations' table contains the different configurations used for each build, such as which ESXi servers to skip or files to encrypt. A 'chats' table is very interesting as it contains 4,442 negotiation messages between the ransomware operation and victims from December 19th to April 29th. Affiliate panel 'chats' table Affiliate panel 'chats' table A 'users' table lists 75 admins and affiliates who had access to the affiliate panel, with Michael Gillespie spotting that passwords were stored in plaintext. Examples of some of the plaintext passwords are 'Weekendlover69, 'MovingBricks69420', and 'Lockbitproud231'. In a Tox conversation with Rey, the LockBit operator known as 'LockBitSupp' confirmed the breach, stating that no private keys were leaked or data lost. Based on the MySQL dump generation time and the last date record in the negotiation chats table , the database appears to have been dumped at some point on April 29th, 2025. It's unclear who carried out the breach and how it was done, but the defacement message matches the one used in a recent breach of Everest ransomware's dark web site, suggesting a possible link.
#bleepingcomputer#EN#2025#Affiliates#Data-Breach#Defacement#LockBit#MySQL
·bleepingcomputer.com·
LockBit ransomware gang hacked, victim negotiations exposed
Police takes down six DDoS-for-hire services, arrests admins
Police takes down six DDoS-for-hire services, arrests admins
​Polish authorities have detained four suspects linked to six DDoS-for-hire platforms, believed to have facilitated thousands of attacks targeting schools, government services, businesses, and gaming platforms worldwide since 2022. Such platforms are often marketed as legitimate testing tools on the dark web and hacking forums, but are mainly used to disrupt online services, servers, and websites by flooding them with traffic in distributed denial-of-service (DDoS) attacks and causing outages for real users. The six DDoS services, named Cfxapi, Cfxsecurity, neostress, jetstress, quickdown, and zapcut, have been taken down in a coordinated law enforcement action involving authorities from Germany, the Netherlands, Poland, and the United States. "In the latest blow to the criminal market for distributed denial of service (DDoS)-for-hire services, Polish authorities have arrested four individuals who allegedly ran a network of platforms used to launch thousands of cyberattacks worldwide," Europol said on Wednesday. "The suspects are believed to be behind six separate stresser/booter services that enabled paying customers to flood websites and servers with malicious traffic — knocking them offline for as little as EUR 10."
#bleepingcomputer#EN#2025#Booter#DDoS#Distributed-Denial-of-Service#Europol#Operation-PowerOFF#Poland#Stresser
·bleepingcomputer.com·
Police takes down six DDoS-for-hire services, arrests admins
Linux wiper malware hidden in malicious Go modules on GitHub
Linux wiper malware hidden in malicious Go modules on GitHub
A supply-chain attack targets Linux servers with disk-wiping malware hidden in Golang modules published on GitHub. The campaign was detected last month and relied on three malicious Go modules that included “highly obfuscated code” for retrieving remote payloads and executing them. Complete disk destruction The attack appears designed specifically for Linux-based servers and developer environments, as the destructive payload - a Bash script named done.sh, runs a ‘dd’ command for the file-wiping activity. Furthermore, the payload verifies that it runs in a Linux environment (runtime.GOOS == "linux") before trying to execute. An analysis from supply-chain security company Socket shows that the command overwrites with zeroes every byte of data, leading to irreversible data loss and system failure. The target is the primary storage volume, /dev/sda, that holds critical system data, user files, databases, and configurations. “By populating the entire disk with zeros, the script completely destroys the file system structure, operating system, and all user data, rendering the system unbootable and unrecoverable” - Socket The researchers discovered the attack in April and identified three Go modules on GitHub, that have since been removed from the platform: github[.]com/truthfulpharm/prototransform github[.]com/blankloggia/go-mcp github[.]com/steelpoor/tlsproxy
#bleepingcomputer#EN#2025#Data-Wiper#GitHub#Golang#Linux#Server#supply-chain-attack
·bleepingcomputer.com·
Linux wiper malware hidden in malicious Go modules on GitHub
Hitachi Vantara takes servers offline after Akira ransomware attack
Hitachi Vantara takes servers offline after Akira ransomware attack
Hitachi Vantara, a subsidiary of Japanese multinational conglomerate Hitachi, was forced to take servers offline over the weekend to contain an Akira ransomware attack. The company provides data storage, infrastructure systems, cloud management, and ransomware recovery services to government entities and some of the world's biggest brands, including BMW, Telefónica, T-Mobile, and China Telecom. In a statement shared with BleepingComputer, Hitachi Vantara confirmed the ransomware attack, saying it hired external cybersecurity experts to investigate the incident's impact and is now working on getting all affected systems online. "On April 26, 2025, Hitachi Vantara experienced a ransomware incident that has resulted in a disruption to some of our systems," Hitachi Vantara told BleepingComputer. "Upon detecting suspicious activity, we immediately launched our incident response protocols and engaged third-party subject matter experts to support our investigation and remediation process. Additionally, we proactively took our servers offline in order to contain the incident. "We are working as quickly as possible with our third-party subject matter experts to remediate this incident, continue to support our customers, and bring our systems back online in a secure manner. We thank our customers and partners for their patience and flexibility during this time."
#bleepingcomputer#EN#2025#Akira#Cyberattack#Hitachi#Hitachi-Vantara#Ransomware
·bleepingcomputer.com·
Hitachi Vantara takes servers offline after Akira ransomware attack